Update to 4.13.9
Drop many patches which are now upstream. Avoid/ignore ABI changes as appropriate.
commit 48bb38a3f7 (parent de909222d8)
@ -1,9 +1,334 @@
linux (4.13.4-3) UNRELEASED; urgency=medium
linux (4.13.9-1) UNRELEASED; urgency=medium

* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
- cifs: check rsp for NULL before dereferencing in SMB2_open
- cifs: release cifs root_cred after exit_cifs
- cifs: release auth_key.response for reconnect.
- nvme-pci: fix host memory buffer allocation fallback
- nvme-pci: use appropriate initial chunk size for HMB allocation
- nvme-pci: propagate (some) errors from host memory buffer setup
- dax: remove the pmem_dax_ops->flush abstraction
- dm integrity: do not check integrity for failed read operations
- mmc: block: Fix incorrectly initialized requests
- fs/proc: Report eip/esp in /prod/PID/stat for coredumping
- scsi: scsi_transport_fc: fix NULL pointer dereference in
fc_bsg_job_timeout
- cifs: SMB3: Add support for multidialect negotiate (SMB2.1 and later)
- mac80211: fix VLAN handling with TXQs
- mac80211_hwsim: Use proper TX power
- mac80211: flush hw_roc_start work before cancelling the ROC
- genirq: Make sparse_irq_lock protect what it should protect
- genirq/msi: Fix populating multiple interrupts
- genirq: Fix cpumask check in __irq_startup_managed()
- [powerpc*] KVM: Book3S HV: Hold kvm->lock around call to
kvmppc_update_lpcr
- [powerpc*] KVM: Book3S HV: Fix bug causing host SLB to be restored
incorrectly
- [powerpc*] KVM: PPC: Book3S HV: Don't access XIVE PIPR register using
byte accesses
- tracing: Fix trace_pipe behavior for instance traces
- tracing: Erase irqsoff trace with empty write
- tracing: Remove RCU work arounds from stack tracer
- md/raid5: fix a race condition in stripe batch
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
- scsi: aacraid: Fix 2T+ drives on SmartIOC-2000
- scsi: aacraid: Add a small delay after IOP reset
- [armhf] drm/exynos: Fix locking in the suspend/resume paths
- [x86] drm/i915/gvt: Fix incorrect PCI BARs reporting
- Revert "drm/i915/bxt: Disable device ready before shutdown command"
- drm/amdgpu: revert tile table update for oland
- drm/radeon: disable hard reset in hibernate for APUs
- crypto: drbg - fix freeing of resources
- security/keys: properly zero out sensitive key material in big_key
- security/keys: rewrite all of big_key crypto
- KEYS: fix writing past end of user-supplied buffer in keyring_read()
- KEYS: prevent creating a different user's keyrings
- [x86] libnvdimm, namespace: fix btt claim class crash
- [powerpc*] eeh: Create PHB PEs after EEH is initialized
- [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
- [powerpc*] tm: Flush TM only if CPU has TM feature
- [mips*] Fix perf event init
- [s390x] perf: fix bug when creating per-thread event
- [s390x] mm: make pmdp_invalidate() do invalidation only
- [s390x] mm: fix write access check in gup_huge_pmd()
- PM: core: Fix device_pm_check_callbacks()
- Revert "IB/ipoib: Update broadcast object if PKey value was changed in
index 0"
- cifs: Fix SMB3.1.1 guest authentication to Samba
- cifs: SMB3: Fix endian warning
- cifs: SMB3: Warn user if trying to sign connection that authenticated as
guest
- cifs: SMB: Validate negotiate (to protect against downgrade) even if
signing off
- cifs: SMB3: handle new statx fields
- cifs: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
- libceph: don't allow bidirectional swap of pg-upmap-items
- brd: fix overflow in __brd_direct_access
- gfs2: Fix debugfs glocks dump
- bsg-lib: don't free job in bsg_prepare_job
- iw_cxgb4: drop listen destroy replies if no ep found
- iw_cxgb4: remove the stid on listen create failure
- iw_cxgb4: put ep reference in pass_accept_req()
- rcu: Allow for page faults in NMI handlers
- mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
- extable: Consolidate *kernel_text_address() functions
- extable: Enable RCU if it is not watching in kernel_text_address()
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
- [arm64] Make sure SPsel is always set
- [arm64] mm: Use READ_ONCE when dereferencing pointer to pte table
- [arm64] fault: Route pte translation faults via do_translation_fault
- [x86] KVM: VMX: extract __pi_post_block
- [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
- [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
- [x86] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache
- [x86] kvm: Handle async PF in RCU read-side critical sections
- xfs: validate bdev support for DAX inode flag
- sched/sysctl: Check user input value of sysctl_sched_time_avg
- irq/generic-chip: Don't replace domain's name
- mtd: Fix partition alignment check on multi-erasesize devices
- [armhf] etnaviv: fix submit error path
- [armhf] etnaviv: fix gem object list corruption
- futex: Fix pi_state->owner serialization
- md: fix a race condition for flush request handling
- md: separate request handling
- PCI: Fix race condition with driver_override
- btrfs: fix NULL pointer dereference from free_reloc_roots()
- btrfs: clear ordered flag on cleaning up ordered extents
- btrfs: finish ordered extent cleaning if no progress is found
- btrfs: propagate error to btrfs_cmp_data_prepare caller
- btrfs: prevent to set invalid default subvolid
- [x86] platform: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt
- PM / OPP: Call notifier without holding opp_table->lock
- [x86] mm: Fix fault error path using unsafe vma pointer
- [x86] fpu: Don't let userspace set bogus xcomp_bv
- [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
- [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
- [x86] KVM: VMX: use cmpxchg64
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
- [armhf,arm64] usb: dwc3: ep0: fix DMA starvation by assigning req->trb on
ep0
- mlxsw: spectrum: Fix EEPROM access in case of SFP/SFP+
- net: bonding: Fix transmit load balancing in balance-alb mode if
specified by sysfs
- openvswitch: Fix an error handling path in
'ovs_nla_init_match_and_action()'
- net: bonding: fix tlb_dynamic_lb default value
- net_sched: gen_estimator: fix scaling error in bytes/packets samples
- net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
- tcp: update skb->skb_mstamp more carefully
- bpf/verifier: reject BPF_ALU64|BPF_END
- tcp: fix data delivery rate
- udpv6: Fix the checksum computation when HW checksum does not apply
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
- net: phy: Fix mask value write on gmii2rgmii converter speed register
- ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
- net/sched: cls_matchall: fix crash when used with classful qdisc
- 8139too: revisit napi_complete_done() usage
- bpf: do not disable/enable BH in bpf_map_free_id()
- tcp: fastopen: fix on syn-data transmit failure
- [powerpc*] net: emac: Fix napi poll list corruption
- net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure
- packet: hold bind lock when rebinding to fanout hook
- net: change skb->mac_header when Generic XDP calls adjust_head
- net_sched: always reset qdisc backlog in qdisc_reset()
- [armhf,arm64] net: stmmac: Cocci spatch "of_table"
- [arm64] net: qcom/emac: specify the correct size when mapping a DMA buffer
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
- l2tp: fix race condition in l2tp_tunnel_delete
- tun: bail out from tun_get_user() if the skb is empty
- [armhf,arm64] net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple
vlans
- [armhf,arm64] net: dsa: Fix network device registration order
- packet: in packet_do_bind, test fanout with bind_lock held
- packet: only test po->has_vnet_hdr once in packet_snd
- [armhf,arm64] net: dsa: mv88e6xxx: lock mutex when freeing IRQs
- net: Set sk_prot_creator when cloning sockets to the right proto
- net/mlx5e: IPoIB, Fix access to invalid memory address
- netlink: do not proceed if dump's start() errs
- ip6_gre: ip6gre_tap device should keep dst
- ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
- IPv4: early demux can return an error code
- tipc: use only positive error codes in messages
- l2tp: fix l2tp_eth module loading
- socket, bpf: fix possible use after free
- net: rtnetlink: fix info leak in RTM_GETSTATS call
- [amd64] bpf: fix bpf_tail_call() x64 JIT
- usb: gadget: core: fix ->udc_set_speed() logic
- USB: gadgetfs: Fix crash caused by inadequate synchronization
- USB: gadgetfs: fix copy_to_user while holding spinlock
- usb: gadget: udc: atmel: set vbus irqflags explicitly
- usb-storage: unusual_devs entry to fix write-access regression for
Seagate external drives
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices
- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
- usb: pci-quirks.c: Corrected timeout values used in handshake
- USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
- USB: dummy-hcd: fix connection failures (wrong speed)
- USB: dummy-hcd: fix infinite-loop resubmission bug
- USB: dummy-hcd: Fix erroneous synchronization change
- USB: devio: Prevent integer overflow in proc_do_submiturb()
- USB: devio: Don't corrupt user memory
- USB: g_mass_storage: Fix deadlock when driver is unbound
- USB: uas: fix bug in handling of alternate settings
- USB: core: harden cdc_parse_cdc_header
- usb: Increase quirk delay for USB devices
- USB: fix out-of-bounds in usb_set_configuration
- usb: xhci: Free the right ring in xhci_add_endpoint()
- xhci: fix finding correct bus_state structure for USB 3.1 hosts
- xhci: fix wrong endpoint ESIT value shown in tracing
- usb: host: xhci-plat: allow sysdev to inherit from ACPI
- xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
- xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
- [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
- [armhf] iio: adc: twl4030: Fix an error handling path in
'twl4030_madc_probe()'
- [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
handling path of 'twl4030_madc_probe()'
- iio: core: Return error for failed read_reg
- uwb: properly check kthread_run return value
- uwb: ensure that endpoint is interrupt
- ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
- mm, hugetlb, soft_offline: save compound page order before page migration
- mm, oom_reaper: skip mm structs with mmu notifiers
- mm: fix RODATA_TEST failure "rodata_test: test data was not read only"
- mm: avoid marking swap cached page as lazyfree
- mm: fix data corruption caused by lazyfree page
- userfaultfd: non-cooperative: fix fork use after free
- ALSA: compress: Remove unused variable
- Revert "ALSA: echoaudio: purge contradictions between dimension matrix
members and total number of members"
- ALSA: usx2y: Suppress kernel warning at page allocation failures
- [powerpc*] powernv: Increase memory block size to 1GB on radix
- [powerpc*] Fix action argument for cpufeatures-based TLB flush
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
- [x86] intel_th: pci: Add Lewisburg PCH support
- driver core: platform: Don't read past the end of "driver_override" buffer
- cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute()
returns
- [x86] Drivers: hv: fcopy: restore correct transfer length
- [x86] vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
- ftrace: Fix kmemleak in unregister_ftrace_graph
- ovl: fix error value printed in ovl_lookup_index()
- ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
- ovl: fix dentry leak in ovl_indexdir_cleanup()
- ovl: fix missing unlock_rename() in ovl_do_copy_up()
- ovl: fix regression caused by exclusive upper/work dir protection
- [arm64] dt marvell: Fix AP806 system controller size
- [arm64] Ensure the instruction emulation is ready for userspace
- HID: rmi: Make sure the HID device is opened on resume
- HID: i2c-hid: allocate hid buffers for real worst case
- HID: wacom: leds: Don't try to control the EKR's read-only LEDs
- HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
- HID: wacom: Correct coordinate system of touchring and pen twist
- HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
- HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
- HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
- HID: wacom: bits shifted too much for 9th and 10th buttons
- btrfs: avoid overflow when sector_t is 32 bit
- Btrfs: fix overlap of fs_info::flags values
- dm crypt: reject sector_size feature if device length is not aligned to it
- dm ioctl: fix alignment of event number in the device list
- dm crypt: fix memory leak in crypt_ctr_cipher_old()
- [powerpc*] KVM: Book3S: Fix server always zero from kvmppc_xive_get_xive()
- [x86] kvm: Avoid async PF preempting the kernel incorrectly
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
- scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
- scsi: sd: Do not override max_sectors_kb sysfs setting
- brcmfmac: setup passive scan if requested by user-space
- [x86] drm/i915: always update ELD connector type after get modes
- [x86] drm/i915/bios: ignore HDMI on port A
- bsg-lib: fix use-after-free under memory-pressure
- nvme-pci: Use PCI bus address for data/queues in CMB
- mmc: core: add driver strength selection when selecting hs400es
- nl80211: Define policy for packet pattern attributes
- [armhf] clk: samsung: exynos4: Enable VPLL and EPLL clocks for
suspend/resume cycle
- udp: perform source validation for mcast early demux
- udp: fix bcast packet reception
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.7
- watchdog: Revert "iTCO_wdt: all versions count down twice"
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8
- USB: dummy-hcd: Fix deadlock caused by disconnect detection
- [mips*] math-emu: Remove pr_err() calls from fpu_emu()
- [mips*] bpf: Fix uninitialised target compiler error
- [x86] mei: always use domain runtime pm callbacks.
- [armhf] dmaengine: edma: Align the memcpy acnt array size with the
transfer
- [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
dma_inuse
- NFS: Fix uninitialized rpc_wait_queue
- nfs/filelayout: fix oops when freeing filelayout segment
- HID: usbhid: fix out-of-bounds bug
- crypto: skcipher - Fix crash on zero-length input
- crypto: shash - Fix zero-length shash ahash digest crash
- [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
- [x86] pinctrl/amd: Fix build dependency on pinmux code
- [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
- device property: Track owner device of device property
- Revert "vmalloc: back off when the current task is killed"
- fs/mpage.c: fix mpage_writepage() for pages with buffers
- ALSA: usb-audio: Kill stray URB at exiting
- ALSA: seq: Fix copy_from_user() call inside lock
- ALSA: caiaq: Fix stray URB at probe error path
- ALSA: line6: Fix NULL dereference at podhd_disconnect()
- ALSA: line6: Fix missing initialization before error path
- ALSA: line6: Fix leftover URB at error-path during probe
- drm/atomic: Unref duplicated drm_atomic_state in
drm_atomic_helper_resume()
- [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
- [x86] drm/i915: Read timings from the correct transcoder in
intel_crtc_mode_get()
- [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
AUX channel
- [x86] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
- usb: gadget: configfs: Fix memory leak of interface directory data
- usb: gadget: composite: Fix use-after-free in
usb_composite_overwrite_options
- [arm64] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping
functions
- [armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"
- direct-io: Prevent NULL pointer access in submit_page_section
- fix unbalanced page refcounting in bio_map_user_iov
- more bio_map_user_iov() leak fixes
- bio_copy_user_iov(): don't ignore ->iov_offset
- perf script: Add missing separator for "-F ip,brstack" (and brstackoff)
- genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
- genirq/cpuhotplug: Add sanity check for effective affinity mask
- USB: serial: cp210x: fix partnum regression
- USB: serial: console: fix use-after-free on disconnect
- USB: serial: console: fix use-after-free after failed setup
- RAS/CEC: Use the right length for "cec_disable"
- [x86] alternatives: Fix alt_max_short macro to really be a max()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.9
- [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on CPUs
without the feature
- [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on
hypervisors
- [armhf,arm64] perf pmu: Unbreak perf record for arm/arm64 with events
with explicit PMU
- mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE outside of lock
- HID: hid-elecom: extend to fix descriptor for HUGE trackball
- [x86] Drivers: hv: vmbus: Fix rescind handling issues
- [x86] Drivers: hv: vmbus: Fix bugs in rescind handling
- [x86] vmbus: simplify hv_ringbuffer_read
- [x86] vmbus: refactor hv_signal_on_read
- [x86] vmbus: eliminate duplicate cached index
- [x86] vmbus: more host signalling avoidance

[ Ben Hutchings ]
* [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
* Update build dependencies on libbabeltrace[,-ctf}-dev
* linux-kbuild: Include scripts/ld-version.sh, needed for powerpc 64-bit
modules
* dax: Avoid most ABI changes in 4.13.5
* SCSI: Avoid ABI change in 4.13.6
* [x86] kvm: Ignore ABI change in 4.13.6
* seq-virmidi: Ignore ABI change in 4.13.8
* Revert "bpf: one perf event close won't free bpf program attached ..."
to avoid an ABI change

-- Ben Hutchings <ben@decadent.org.uk> Wed, 18 Oct 2017 20:03:01 +0100
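Review bot: two of the maintainer entries near the end of this hunk carry typos that will ship in the package changelog: "libbabeltrace[,-ctf}-dev" pairs an opening square bracket with a closing brace (it should read `libbabeltrace[,-ctf]-dev`), and the architecture tag on the 4.13.8 entry "[armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"" names armhf twice, so the second tag is presumably meant to be a different architecture and should be checked against the configs that build that driver. "/prod/PID/stat" and "not presnt" under 4.13.5 reproduce the upstream commit subjects verbatim, so leaving those as quoted is defensible.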
@ -4,7 +4,9 @@ ignore-changes:
__cpuhp_*
bpf_analyzer
cxl_*
dax_flush
iommu_device_*
kvm_async_pf_task_wait
mm_iommu_*
perf_*
register_cxl_calls
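Review bot: the two symbol patterns this hunk adds (dax_flush and kvm_async_pf_task_wait, going by the 7-to-9 line count and the "dax: Avoid most ABI changes in 4.13.5" and "[x86] kvm: Ignore ABI change in 4.13.6" changelog entries) carry no comment saying why ignoring the ABI change is safe for out-of-tree modules, whereas the `btree_*` entry further down records its rationale inline. Suggest a one-line `#` comment above each new entry naming the stable release that changed the symbol and why out-of-tree users are not expected; the same applies to the `module:sound/core/seq/snd-seq-virmidi` line added in the next hunk.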
@ -30,6 +32,7 @@ ignore-changes:
module:fs/nfs/**
module:net/ceph/libceph
module:net/l2tp/l2tp_core
module:sound/core/seq/snd-seq-virmidi
module:sound/firewire/snd-firewire-lib
# btree library is only selected by few drivers so not useful OOT
btree_*
@ -1,141 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 9 Oct 2017 11:09:20 +0200
Subject: ALSA: seq: Fix use-after-free at creating a port
Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265

There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[<ffffffff81b03781>] dump_stack+0x63/0x82
[<ffffffff81531b3b>] print_trailer+0xfb/0x160
[<ffffffff81536db4>] object_err+0x34/0x40
[<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
[<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
[<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
[<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
[<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
[<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
.....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use. Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 6 +++++-
sound/core/seq/seq_ports.c | 7 +++++--
2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index ea2d0ae85bd3..6c9cba2166d9 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
struct snd_seq_port_info *info = arg;
struct snd_seq_client_port *port;
struct snd_seq_port_callback *callback;
+ int port_idx;

/* it is not allowed to create the port for an another client */
if (info->addr.client != client->number)
@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
return -ENOMEM;

if (client->type == USER_CLIENT && info->kernel) {
- snd_seq_delete_port(client, port->addr.port);
+ port_idx = port->addr.port;
+ snd_seq_port_unlock(port);
+ snd_seq_delete_port(client, port_idx);
return -EINVAL;
}
if (client->type == KERNEL_CLIENT) {
@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)

snd_seq_set_port_info(port, info);
snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
+ snd_seq_port_unlock(port);

return 0;
}
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 0a7020c82bfc..d21ece9f8d73 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
}


-/* create a port, port number is returned (-1 on failure) */
+/* create a port, port number is returned (-1 on failure);
+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
+ */
struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
int port)
{
@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
snd_use_lock_init(&new_port->use_lock);
port_subs_info_init(&new_port->c_src);
port_subs_info_init(&new_port->c_dest);
+ snd_use_lock_use(&new_port->use_lock);

num = port >= 0 ? port : 0;
mutex_lock(&client->ports_mutex);
@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
list_add_tail(&new_port->list, &p->list);
client->num_ports++;
new_port->addr.port = num; /* store the port number in the port */
+ sprintf(new_port->name, "port-%d", num);
write_unlock_irqrestore(&client->ports_lock, flags);
mutex_unlock(&client->ports_mutex);
- sprintf(new_port->name, "port-%d", num);

return new_port;
}
--
2.11.0
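Review bot: nothing in this commit records which stable release made this patch redundant: the changelog hunk above has no entry for "ALSA: seq: Fix use-after-free at creating a port" (only "ALSA: seq: Fix copy_from_user() call inside lock" under 4.13.8), so a reader cannot confirm from the diff alone that CVE-2017-15265 stays fixed once the file is dropped. The same gap applies to the two security patches deleted below (CVE-2017-12192 and CVE-2017-0786), neither of which has a matching changelog entry. Suggest naming each dropped patch and the upstream release that carries its fix in the changelog or commit message, so the Bug-Debian-Security tracker references remain auditable.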
@ -1,81 +0,0 @@
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 18 Sep 2017 11:37:23 -0700
Subject: KEYS: prevent KEYCTL_READ on negative key
Origin: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12192

Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key. If the key is
also possessed, we went ahead and called ->read() on the key. But the
key payload will actually contain the ->reject_error rather than the
normal payload. Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...

Reproducer:
keyctl new_session
keyctl request2 user desc '' @s
keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

It causes a crash like the following:
BUG: unable to handle kernel paging request at 00000000ffffff92
IP: user_read+0x33/0xa0
PGD 36a54067 P4D 36a54067 PUD 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
RIP: 0010:user_read+0x33/0xa0
RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
Call Trace:
keyctl_read_key+0xac/0xe0
SyS_keyctl+0x99/0x120
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f58ec787bb9
RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
CR2: 00000000ffffff92

Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
Cc: <stable@vger.kernel.org> [v3.13+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/keyctl.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index aa1d11a29136..365ff85d7e27 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)

key = key_ref_to_ptr(key_ref);

+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+ ret = -ENOKEY;
+ goto error2;
+ }
+
/* see if we can read it directly */
ret = key_permission(key_ref, KEY_NEED_READ);
if (ret == 0)
--
2.15.0.rc0
@ -1,72 +0,0 @@
From: Arend Van Spriel <arend.vanspriel@broadcom.com>
Date: Tue, 12 Sep 2017 10:47:53 +0200
Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786

Upon handling the firmware notification for scans the length was
checked properly and may result in corrupting kernel heap memory
due to buffer overruns. This fix addresses CVE-2017-0786.

Cc: stable@vger.kernel.org # v4.0.x
Cc: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
.../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index aaed4ab503ad..26a0de371c26 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
s32 status;
struct brcmf_escan_result_le *escan_result_le;
+ u32 escan_buflen;
struct brcmf_bss_info_le *bss_info_le;
struct brcmf_bss_info_le *bss = NULL;
u32 bi_length;
@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,

if (status == BRCMF_E_STATUS_PARTIAL) {
brcmf_dbg(SCAN, "ESCAN Partial result\n");
+ if (e->datalen < sizeof(*escan_result_le)) {
+ brcmf_err("invalid event data length\n");
+ goto exit;
+ }
escan_result_le = (struct brcmf_escan_result_le *) data;
if (!escan_result_le) {
brcmf_err("Invalid escan result (NULL pointer)\n");
|
||||
goto exit;
|
||||
}
|
||||
+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
|
||||
+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
|
||||
+ escan_buflen > e->datalen ||
|
||||
+ escan_buflen < sizeof(*escan_result_le)) {
|
||||
+ brcmf_err("Invalid escan buffer length: %d\n",
|
||||
+ escan_buflen);
|
||||
+ goto exit;
|
||||
+ }
|
||||
if (le16_to_cpu(escan_result_le->bss_count) != 1) {
|
||||
brcmf_err("Invalid bss_count %d: ignoring\n",
|
||||
escan_result_le->bss_count);
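
Review bot: `brcmf_err("Invalid escan buffer length: %d\n", escan_buflen)` prints a `u32` with `%d`; use `%u` so a length above INT_MAX is not reported as negative. The three-way bound (`> BRCMF_ESCAN_BUF_SIZE`, `> e->datalen`, `< sizeof(*escan_result_le)`) is the right shape, and checking `e->datalen` before the cast means the NULL test that follows no longer reads a header that may not be present in the event data.
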
@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
}

bi_length = le32_to_cpu(bss_info_le->length);
- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
- WL_ESCAN_RESULTS_FIXED_SIZE)) {
- brcmf_err("Invalid bss_info length %d: ignoring\n",
+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
+ brcmf_err("Ignoring invalid bss_info length: %d\n",
bi_length);
goto exit;
}
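
Review bot: `escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE` is an unsigned subtraction, and the previous hunk only guarantees `escan_buflen >= sizeof(*escan_result_le)`; unless WL_ESCAN_RESULTS_FIXED_SIZE is known to be no larger than that header size, the difference can wrap and the `bi_length !=` test compares against a huge value (rejecting, but for the wrong reason). Either confirm that relation in the changelog or add `escan_buflen < WL_ESCAN_RESULTS_FIXED_SIZE` to the lower-bound check in the hunk above.
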
--
2.11.0
@ -1,66 +0,0 @@
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri, 29 Sep 2017 13:43:15 -0400
Subject: fix infoleak in waitid(2)
Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954

kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
case and waitid(2) rusage should've been copied out exactly in that case, *not*
whenever kernel_waitid() has not returned an error. Compat variant shares that
braino; none of kernel_wait4() callers do, so the below ought to fix it.

Reported-and-tested-by: Alexander Potapenko <glider@google.com>
Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
Cc: stable@vger.kernel.org # v4.13
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
kernel/exit.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/kernel/exit.c b/kernel/exit.c
index 3481ababd06a..f2cd53e92147 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
struct waitid_info info = {.status = 0};
long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
int signo = 0;
+
if (err > 0) {
signo = SIGCHLD;
err = 0;
- }
-
- if (!err) {
if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
return -EFAULT;
}
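
Review bot: the `+` blank line after `int signo = 0;` is unrelated whitespace churn and could be dropped to keep a stable-bound fix minimal. The substantive change, folding `copy_to_user(ru, &r, sizeof(struct rusage))` into the `err > 0` branch, matches the changelog: `r` is only populated when kernel_waitid() returned a PID, so the old `if (!err)` path copied an uninitialised stack structure to userspace on the 0 return; with `err` reset to 0 inside the branch the success return value is unchanged.
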
@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
if (err > 0) {
signo = SIGCHLD;
err = 0;
- }
-
- if (!err && uru) {
- /* kernel_waitid() overwrites everything in ru */
- if (COMPAT_USE_64BIT_TIME)
- err = copy_to_user(uru, &ru, sizeof(ru));
- else
- err = put_compat_rusage(&ru, uru);
- if (err)
- return -EFAULT;
+ if (uru) {
+ /* kernel_waitid() overwrites everything in ru */
+ if (COMPAT_USE_64BIT_TIME)
+ err = copy_to_user(uru, &ru, sizeof(ru));
+ else
+ err = put_compat_rusage(&ru, uru);
+ if (err)
+ return -EFAULT;
+ }
}

if (!infop)
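
Review bot: the `-`/`+` block here is the same body re-indented one level under `if (err > 0)`, with the condition narrowed from `!err && uru` to `uru`; reviewing with whitespace ignored confirms that is the only change. Note that `err` is reused to carry the copy status: `copy_to_user()` returns the number of bytes not copied and `put_compat_rusage()` a negative errno, and both are mapped to -EFAULT by the `if (err) return -EFAULT;` that follows, so the mixed conventions do not escape the function.
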
--
2.14.2
@ -1,151 +0,0 @@
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 6 Sep 2017 15:01:42 +0200
Subject: mac80211: fix deadlock in driver-managed RX BA session start
Origin: https://git.kernel.org/linus/bde59c475e0883e4c4294bcd9b9c7e08ae18c828
Bug-Debian: https://bugs.debian.org/878092

When an RX BA session is started by the driver, and it has to tell
mac80211 about it, the corresponding bit in tid_rx_manage_offl gets
set and the BA session work is scheduled. Upon testing this bit, it
will call __ieee80211_start_rx_ba_session(), thus deadlocking as it
already holds the ampdu_mlme.mtx, which that acquires again.

Fix this by adding ___ieee80211_start_rx_ba_session(), a version of
the function that requires the mutex already held.

Cc: stable@vger.kernel.org
Fixes: 699cb58c8a52 ("mac80211: manage RX BA session offload without SKB queue")
Reported-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/agg-rx.c | 32 +++++++++++++++++++++-----------
net/mac80211/ht.c | 6 +++---
net/mac80211/ieee80211_i.h | 4 ++++
3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 2b36eff5d97e..2849a1fc41c5 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
ieee80211_tx_skb(sdata, skb);
}

-void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- u8 dialog_token, u16 timeout,
- u16 start_seq_num, u16 ba_policy, u16 tid,
- u16 buf_size, bool tx, bool auto_seq)
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq)
{
struct ieee80211_local *local = sta->sdata->local;
struct tid_ampdu_rx *tid_agg_rx;
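
Review bot: telling `__ieee80211_start_rx_ba_session` apart from `___ieee80211_start_rx_ba_session` by a third leading underscore is easy to misread in call sites; a `_locked` suffix would state the contract (caller holds `sta->ampdu_mlme.mtx`) in the name itself, and that locking requirement should also be written in a comment above the definition.
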
@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
ht_dbg(sta->sdata,
"STA %pM requests BA session on unsupported tid %d\n",
sta->sta.addr, tid);
- goto end_no_lock;
+ goto end;
}

if (!sta->sta.ht_cap.ht_supported) {
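
Review bot: `goto end_no_lock` becomes `goto end` here and in the two hunks that follow; that relabel is only correct because `end` no longer performs a `mutex_unlock()` (the mutex is now taken and released by the wrapper), so these early exits taken before the `lockdep_assert_held()` no longer need a separate no-lock label.
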
@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
"STA %pM erroneously requests BA session on tid %d w/o QoS\n",
sta->sta.addr, tid);
/* send a response anyway, it's an error case if we get here */
- goto end_no_lock;
+ goto end;
}

if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
ht_dbg(sta->sdata,
"Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
sta->sta.addr, tid);
- goto end_no_lock;
+ goto end;
}

/* sanity check for incoming parameters:
@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
ht_dbg_ratelimited(sta->sdata,
"AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
sta->sta.addr, tid, ba_policy, buf_size);
- goto end_no_lock;
+ goto end;
}
/* determine default buffer size */
if (buf_size == 0)
@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
buf_size, sta->sta.addr);

/* examine state machine */
- mutex_lock(&sta->ampdu_mlme.mtx);
+ lockdep_assert_held(&sta->ampdu_mlme.mtx);

if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
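
Review bot: replacing `mutex_lock()` with `lockdep_assert_held()` makes the lock dependency explicit, but the assertion compiles to nothing without CONFIG_LOCKDEP; the two callers visible in this series (the new wrapper and ieee80211_ba_session_work()) do hold the mutex, so any future caller has to be audited by hand rather than caught at runtime on production builds.
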
@@ -415,15 +415,25 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
__clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
}
- mutex_unlock(&sta->ampdu_mlme.mtx);

-end_no_lock:
if (tx)
ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
dialog_token, status, 1, buf_size,
timeout);
}

+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq)
+{
+ mutex_lock(&sta->ampdu_mlme.mtx);
+ ___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
+ start_seq_num, ba_policy, tid,
+ buf_size, tx, auto_seq);
+ mutex_unlock(&sta->ampdu_mlme.mtx);
+}
+
void ieee80211_process_addba_request(struct ieee80211_local *local,
struct sta_info *sta,
struct ieee80211_mgmt *mgmt,
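
Review bot: with `mutex_unlock()` and the `end_no_lock:` label removed, `ieee80211_send_addba_resp()` is now called while `sta->ampdu_mlme.mtx` is held, whereas before it ran after the unlock; an skb allocation and transmit under a mutex is acceptable, but it is a behaviour change the changelog does not mention and is worth stating. The new `__ieee80211_start_rx_ba_session()` wrapper is minimal and correct: lock, call the `___` variant, unlock.
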
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 4cba7fca10d4..d6d0b4201e40 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -351,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)

if (test_and_clear_bit(tid,
sta->ampdu_mlme.tid_rx_manage_offl))
- __ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
- IEEE80211_MAX_AMPDU_BUF,
- false, true);
+ ___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
+ IEEE80211_MAX_AMPDU_BUF,
+ false, true);

if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
sta->ampdu_mlme.tid_rx_manage_offl))
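
Review bot: the work function now calls the `___` (already-locked) variant, which removes the recursive `mutex_lock()` on `ampdu_mlme.mtx` described in the changelog; only the start branch is visible here, so confirm that the `tid + IEEE80211_NUM_TIDS` stop branch just below does not reach the mutex again through a similar double-underscore helper.
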
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 2197c62a0a6e..9675814f64db 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
u8 dialog_token, u16 timeout,
u16 start_seq_num, u16 ba_policy, u16 tid,
u16 buf_size, bool tx, bool auto_seq);
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq);
void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
enum ieee80211_agg_stop_reason reason);
void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
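
Review bot: the new prototype carries no comment that the caller must hold `sta->ampdu_mlme.mtx`; a one-line comment above it would make the locking contract visible at the declaration rather than only through the `lockdep_assert_held()` in the function body.
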
--
2.15.0.rc0
@ -1,36 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 12 Sep 2017 22:21:21 +0000
Subject: nl80211: check for the required netlink attributes presence
Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153

nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.

This fixes CVE-2017-12153.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Cc: <stable@vger.kernel.org> # v3.1-rc1
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
if (err)
return err;

+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
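
Review bot: the presence check for NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} sits directly after the parse succeeds and before the `nla_len(tb[...])` calls that previously dereferenced a missing attribute, which is the right place; the three `!tb[...]` terms cover exactly the three attributes the following length checks read, so no NULL dereference remains on this path. This patch also lacks the `diff --git`/`index` header lines the other patches carry, consistent with its Origin being a mailing-list post rather than a merged commit, so it should be swapped for the upstream commit once that lands.
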
@ -1,79 +0,0 @@
From: Cyril Bur <cyrilbur@gmail.com>
Date: Thu, 17 Aug 2017 20:42:26 +1000
Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
checks
Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255

When using transactional memory (TM), the CPU can be in one of six
states as far as TM is concerned, encoded in the Machine State
Register (MSR). Certain state transitions are illegal and if attempted
trigger a "TM Bad Thing" type program check exception.

If we ever hit one of these exceptions it's treated as a bug, i.e. we
oops, and kill the process and/or panic, depending on configuration.

One case where we can trigger a TM Bad Thing, is when returning to
userspace after a system call or interrupt, using RFID. When this
happens the CPU first restores the user register state, in particular
r1 (the stack pointer) and then attempts to update the MSR. However
the MSR update is not allowed and so we take the program check with
the user register state, but the kernel MSR.

This tricks the exception entry code into thinking we have a bad
kernel stack pointer, because the MSR says we're coming from the
kernel, but r1 is pointing to userspace.

To avoid this we instead always switch to the emergency stack if we
take a TM Bad Thing from the kernel. That way none of the user
register values are used, other than for printing in the oops message.

This is the fix for CVE-2017-1000255.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
[mpe: Rewrite change log & comments, tweak asm slightly]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 48da0f5d2f7f..b82586c53560 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
TRAMP_KVM(PACA_EXGEN, 0x700)
EXC_COMMON_BEGIN(program_check_common)
- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
+ /*
+ * It's possible to receive a TM Bad Thing type program check with
+ * userspace register values (in particular r1), but with SRR1 reporting
+ * that we came from the kernel. Normally that would confuse the bad
+ * stack logic, and we would report a bad kernel stack pointer. Instead
+ * we switch to the emergency stack if we're taking a TM Bad Thing from
+ * the kernel.
+ */
+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
+ oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
+ and r10,r10,r12 /* Mask SRR1 with that. */
+ srdi r10,r10,8 /* Shift it so we can compare */
+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
+ bne 1f /* If != go to normal path. */
+
+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
+ /* 3 in EXCEPTION_PROLOG_COMMON */
+ mr r10,r1 /* Save r1 */
+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
+ b 3f /* Jump into the macro !! */
+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
bl save_nvgprs
RECONCILE_IRQ_STATE(r10, r11)
addi r3,r1,STACK_FRAME_OVERHEAD
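
Review bot: the SRR1_PROGTM bit is written as the literal `0x200000` twice (`oris r10,r10,0x200000@h` and `cmpldi r10,(0x200000 >> 8)`) while the comments name it symbolically; using the symbolic constant in both places keeps the mask and the compare from drifting apart. Also `andi. r10,r12,MSR_PR;` carries a stray trailing semicolon that none of the neighbouring instructions use, and the `b 3f` into the middle of EXCEPTION_PROLOG_COMMON deserves a note in the macro's definition that label 3 is relied on from outside.
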
--
2.011.0
@ -1,62 +0,0 @@
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;

- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);

+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
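
Review bot: `regs->msr |= MSR_TM;` is unconditional, so TM is forced on for every return through restore_tm_sigcontexts(), including case (b) in the comment where the lazy-TM logic had turned it off; confirm that the load_tm counter is reset alongside it so lazy TM does not disable the bit again on the next context switch and recreate the same illegal TS/TM combination. The comment change from "MSR TM" to "MSR TS bits" matches the code, which only merges MSR_TS_MASK from the user context.
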

--
2.11.0
@ -1,55 +0,0 @@
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 27 Aug 2017 20:25:26 +0800
Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
Origin: https://patchwork.kernel.org/patch/9923803/
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489

ChunYu found a kernel crash by syzkaller:

[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[ 651.627260] Call Trace:
[ 651.629156] skb_release_all+0x4f/0x60
[ 651.629450] consume_skb+0x1a5/0x600
[ 651.630705] netlink_unicast+0x505/0x720
[ 651.632345] netlink_sendmsg+0xab2/0xe70
[ 651.633704] sock_sendmsg+0xcf/0x110
[ 651.633942] ___sys_sendmsg+0x833/0x980
[ 651.637117] __sys_sendmsg+0xf3/0x240
[ 651.638820] SyS_sendmsg+0x32/0x50
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.

During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
---
drivers/scsi/scsi_transport_iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
uint32_t group;

nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) ||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
skb->len < nlh->nlmsg_len) {
break;
}
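
Review bot: `sizeof(*nlh) + sizeof(*ev)` now demands a complete event payload, which is what the loop body dereferences through `ev`, so the header-only message that let `nlmsg_data()` land on skb_shinfo() is rejected; expressing the same bound with the netlink helper (`nlmsg_len(nlh) < sizeof(*ev)`) would avoid repeating the header size by hand. The short-message path still just `break`s silently, so a malformed message is dropped without any diagnostic to correlate with the sender.
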
@ -1,30 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Mon, 4 Sep 2017 16:00:50 +0200
Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
userspace
Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.

References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
---
drivers/video/fbdev/aty/atyfb_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
case ATYIO_CLKR:
if (M64_HAS(INTEGRATED)) {
- struct atyclk clk;
+ struct atyclk clk = { 0 };
union aty_pll *pll = &par->pll;
u32 dsp_config = pll->ct.dsp_config;
u32 dsp_on_off = pll->ct.dsp_on_off;
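
Review bot: `struct atyclk clk = { 0 };` zero-initialises the named members, but the C standard leaves padding bytes unspecified for aggregate initialisers, and padding after 'vclk_post_div' is exactly what the changelog says leaks; `memset(&clk, 0, sizeof(clk))` guarantees the padding is cleared and is the usual kernel idiom for a structure that is later copied to userspace. Note the whole case is under `#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)`, so the leak is only reachable in debug builds of this driver.
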
@ -1,47 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Mon, 9 Oct 2017 11:36:52 -0700
Subject: waitid(): Add missing access_ok() checks
Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123

Adds missing access_ok() checks.

CVE-2017-5123

Reported-by: Chris Salls <chrissalls5@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
Cc: stable@kernel.org # 4.13
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
kernel/exit.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/kernel/exit.c b/kernel/exit.c
index f2cd53e92147..cf28528842bc 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
if (!infop)
return err;

+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
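
Review bot: `goto Efault` runs before `user_access_begin()` yet jumps to the same label that `unsafe_put_user()` uses for its failure path, and that path has to run `user_access_end()` to close the access window opened by `user_access_begin()`; taking it from here leaves the begin/end calls unbalanced. Returning `-EFAULT` directly when `access_ok()` fails avoids that, and the changelog ("Adds missing access_ok() checks.") should say why the check is needed at all, namely that `unsafe_put_user()` does not perform the range check itself.
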
@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
if (!infop)
return err;

+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
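
Review bot: same issue as the native waitid() hunk above: `goto Efault` is taken before `user_access_begin()`, so the `user_access_end()` in the `Efault` path is unbalanced here as well; `return -EFAULT;` is the safer form in both places.
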
--
2.15.0.rc0
@ -1,83 +0,0 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:23 +0200
Subject: KVM: MMU: always terminate page walks at level 1
Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188

is_last_gpte() is not equivalent to the pseudo-code given in commit
6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
value of last_nonleaf_level may override the result even if level == 1.

It is critical for is_last_gpte() to return true on level == 1 to
terminate page walks. Otherwise memory corruption may occur as level
is used as an index to various data structures throughout the page
walking code. Even though the actual bug would be wherever the MMU is
initialized (as in the previous patch), be defensive and ensure here
that is_last_gpte() returns the correct value.

This patch is also enough to fix CVE-2017-12188.

Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
Cc: stable@vger.kernel.org
Cc: Andy Honig <ahonig@google.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
[Panic if walk_addr_generic gets an incorrect level; this is a serious
bug and it's not worth a WARN_ON where the recovery path might hide
further exploitable issues; suggested by Andrew Honig. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 14 +++++++-------
arch/x86/kvm/paging_tmpl.h | 3 ++-
2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 3c25f20115bc..7a69cf053711 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
unsigned level, unsigned gpte)
{
/*
- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
- */
- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-
- /*
* The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
* If it is clear, there are no large pages at this level, so clear
* PT_PAGE_SIZE_MASK in gpte if that is the case.
*/
gpte &= level - mmu->last_nonleaf_level;

+ /*
+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
+ */
+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
+
return gpte & PT_PAGE_SIZE_MASK;
}
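
Review bot: moving `gpte |= level - PT_PAGE_TABLE_LEVEL - 1;` after `gpte &= level - mmu->last_nonleaf_level;` is the whole fix: the OR relies on unsigned wrap-around to set bit 7 when `level == PT_PAGE_TABLE_LEVEL`, and in the old order the AND that followed could clear that bit again whenever `last_nonleaf_level` held a wrong value, which is what let the walk continue past level 1. The relocated comment should state explicitly that the expression depends on unsigned wrap, since that is what makes the ordering matter.
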

diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 86b68dc5a649..f18d1f8d332b 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
--walker->level;

index = PT_INDEX(addr, walker->level);
-
table_gfn = gpte_to_gfn(pte);
offset = index * sizeof(pt_element_t);
pte_gpa = gfn_to_gpa(table_gfn) + offset;
+
+ BUG_ON(walker->level < 1);
walker->table_gfn[walker->level - 1] = table_gfn;
walker->pte_gpa[walker->level - 1] = pte_gpa;
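
Review bot: `BUG_ON(walker->level < 1)` is placed just before the `walker->level - 1` array indices, but `PT_INDEX(addr, walker->level)` a few lines earlier already consumes the decremented level; moving the check directly after `--walker->level;` guards every use in the iteration. The `-`/`+` blank-line moves in this hunk are whitespace-only and could be dropped from a stable-bound fix.
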

--
2.11.0
@ -1,34 +0,0 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:22 +0200
Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188

The function updates context->root_level but didn't call
update_last_nonleaf_level so the previous and potentially wrong value
was used for page walks. For example, a zero value of last_nonleaf_level
would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
walk_addr_generic function (CVE-2017-12188).

Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 106d4a029a8a..3c25f20115bc 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,

update_permission_bitmask(vcpu, context, true);
update_pkru_bitmask(vcpu, context, true);
+ update_last_nonleaf_level(vcpu, context);
reset_rsvds_bits_mask_ept(vcpu, context, execonly);
reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
}
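
Review bot: `update_last_nonleaf_level(vcpu, context)` is added alongside the other `update_*` calls, which is the natural spot; the changelog says this function sets `context->root_level`, and last_nonleaf_level is derived from it, so confirm that assignment precedes this line (it lies outside the visible context), otherwise the same stale-value problem recurs in a different form.
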
--
2.11.0
@ -1,34 +0,0 @@
From: Jim Mattson <jmattson@google.com>
Date: Tue, 12 Sep 2017 13:02:54 -0700
Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154

If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/vmx.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
if (exec_control & CPU_BASED_TPR_SHADOW) {
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
+ } else {
+#ifdef CONFIG_X86_64
+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+ CPU_BASED_CR8_STORE_EXITING;
+#endif
}

/*
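Review bot: the else branch ORs CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING into the local exec_control, so it only takes effect if exec_control is written to vmcs02 after this point; if the vmcs_write32 of the primary execution controls happens earlier in prepare_vmcs02 (not visible in this hunk), the bits are silently lost and L2 keeps hardware CR8 access. A short comment on the #ifdef CONFIG_X86_64 would also help: the CR8 exiting controls are defined only for 64-bit (Intel 64) processors, which is why a 32-bit host needs nothing here.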
@ -1,52 +0,0 @@
From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
Date: Thu, 7 Sep 2017 19:02:30 +0100
Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252

The value of the guest_irq argument to vmx_update_pi_irte() is
ultimately coming from a KVM_IRQFD API call. Do not BUG() in
vmx_update_pi_irte() if the value is out-of bounds. (Especially,
since KVM as a whole seems to hang after that.)

Instead, print a message only once if we find that we don't have a
route for a certain IRQ (which can be out-of-bounds or within the
array).

This fixes CVE-2017-1000252.

Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/vmx.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
struct kvm_lapic_irq irq;
struct kvm_vcpu *vcpu;
struct vcpu_data vcpu_info;
- int idx, ret = -EINVAL;
+ int idx, ret = 0;

if (!kvm_arch_has_assigned_device(kvm) ||
!irq_remapping_cap(IRQ_POSTING_CAP) ||
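Review bot: changing the initialiser from -EINVAL to 0 changes what every path that reaches out without assigning ret reports, not only the new no-route path added in the next hunk; an out-of-range guest_irq coming from KVM_IRQFD is now tolerated with a success return instead of being rejected. The description explains why crashing is worse (the whole of KVM hangs), but the changelog should state this user-visible change explicitly so that userspace authors do not read a 0 return as proof that a posted-interrupt route was installed.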
@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm

idx = srcu_read_lock(&kvm->irq_srcu);
irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
+ if (guest_irq >= irq_rt->nr_rt_entries ||
+ hlist_empty(&irq_rt->map[guest_irq])) {
+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
+ guest_irq, irq_rt->nr_rt_entries);
+ goto out;
+ }

hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
if (e->type != KVM_IRQ_ROUTING_MSI)
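Review bot: pr_warn_once() records only the first bad guest_irq for the lifetime of the host, so a second VM, or the same userspace after the first warning, that passes an out-of-range or unrouted GSI leaves no trace in the log; pr_warn_ratelimited() would keep the message usable as a detection signal while still avoiding the flood that the once-variant prevents. Also confirm that the out label releases kvm->irq_srcu taken by srcu_read_lock three lines above, since this goto is the first early exit inside that read-side section shown here; the bounds check itself is correctly ordered before the hlist_empty() index so the array is never read with a bad index.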
@ -0,0 +1,141 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 22:16:38 +0200
Subject: dax: Avoid ABI change in 4.13.5
Forwarded: not-needed

Commit c3ca015fab6d ("dax: remove the pmem_dax_ops->flush
abstraction") removed dax_operations::flush and
target_type::dax_flush, resulting in an ABI change. Add these
operations back but don't restore any of the calls to them. To keep
existing callers working during an incomplete kernel upgrade, change
all the implementations to directly do arch_wb_cache_pmem(), just as
dax_flush() does in the new kernel.

Don't change dax_flush() back; it shouldn't have any out-of-tree
callers.

---
--- a/drivers/md/dm-linear.c
+++ b/drivers/md/dm-linear.c
@@ -184,6 +184,14 @@ static size_t linear_dax_copy_from_iter(
return dax_copy_from_iter(dax_dev, pgoff, addr, bytes, i);
}

+static void linear_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
static struct target_type linear_target = {
.name = "linear",
.version = {1, 4, 0},
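Review bot: linear_dax_flush ignores ti and pgoff and flushes addr directly, which is what the description asks for (mirror what dax_flush() now does) and is correct because addr is already the kernel virtual address the caller obtained from direct_access; a comment saying so would stop a later reader from "fixing" it to remap pgoff through the linear target's offset. The unused parameters have to stay, since the signature must match dm_dax_flush_fn for the restored target_type slot to be ABI-compatible.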
@@ -198,6 +206,7 @@ static struct target_type linear_target
.iterate_devices = linear_iterate_devices,
.direct_access = linear_dax_direct_access,
.dax_copy_from_iter = linear_dax_copy_from_iter,
+ .dax_flush = linear_dax_flush,
};

int __init dm_linear_init(void)
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -458,6 +458,14 @@ static void stripe_io_hints(struct dm_ta
blk_limits_io_opt(limits, chunk_size * sc->stripes);
}

+static void stripe_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
static struct target_type stripe_target = {
.name = "striped",
.version = {1, 6, 0},
@@ -472,6 +480,7 @@ static struct target_type stripe_target
.io_hints = stripe_io_hints,
.direct_access = stripe_dax_direct_access,
.dax_copy_from_iter = stripe_dax_copy_from_iter,
+ .dax_flush = stripe_dax_flush,
};

int __init dm_stripe_init(void)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -993,6 +993,14 @@ static size_t dm_dax_copy_from_iter(stru
return ret;
}

+static void dm_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
/*
* A target may call dm_accept_partial_bio only from the map routine. It is
* allowed for all bio types except REQ_PREFLUSH.
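Review bot: dm_dax_flush does not map pgoff to a target and dispatch to that target's dax_flush; it flushes addr directly, so the linear_dax_flush and stripe_dax_flush restored above are reachable only by out-of-tree code that calls target_type::dax_flush itself. That is consistent with "don't restore any of the calls to them", but the description should say that the target-level hooks are dead from every in-tree path, so nobody later expects dm_dax_flush to route through them or reports the mismatch as a bug.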
@@ -2980,6 +2988,7 @@ static const struct block_device_operati
static const struct dax_operations dm_dax_ops = {
.direct_access = dm_dax_direct_access,
.copy_from_iter = dm_dax_copy_from_iter,
+ .flush = dm_dax_flush,
};

/*
--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -243,9 +243,16 @@ static size_t pmem_copy_from_iter(struct
return copy_from_iter_flushcache(addr, bytes, i);
}

+static void pmem_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff,
+ void *addr, size_t size)
+{
+ arch_wb_cache_pmem(addr, size);
+}
+
static const struct dax_operations pmem_dax_ops = {
.direct_access = pmem_dax_direct_access,
.copy_from_iter = pmem_copy_from_iter,
+ .flush = pmem_dax_flush,
};

static const struct attribute_group *pmem_attribute_groups[] = {
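Review bot: pmem_dax_flush calls arch_wb_cache_pmem() unconditionally, while the three device-mapper wrappers in this patch wrap the same call in #ifdef CONFIG_ARCH_HAS_PMEM_API; that is only safe if pmem.c is guaranteed a definition or stub of arch_wb_cache_pmem() when the option is off, which this hunk does not show. Using the same form in all four places, or a comment here explaining why the guard is unnecessary for the pmem driver, avoids a build break on a configuration that enables the dax paths without the PMEM API.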
--- a/include/linux/dax.h
+++ b/include/linux/dax.h
@@ -19,6 +19,8 @@ struct dax_operations {
/* copy_from_iter: required operation for fs-dax direct-i/o */
size_t (*copy_from_iter)(struct dax_device *, pgoff_t, void *, size_t,
struct iov_iter *);
+ /* flush: should be unused */
+ void (*flush)(struct dax_device *, pgoff_t, void *, size_t);
};

extern struct attribute_group dax_attribute_group;
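Review bot: the comment "/* flush: should be unused */" understates the contract; it should say the member is restored only to preserve the struct dax_operations layout for modules built before c3ca015fab6d, that in-tree code must keep using dax_flush(), and that the member goes away again at the next ABI bump. For the layout to actually match, the slot after copy_from_iter must be the position flush occupied before the removal, which should be checked against the pre-4.13.5 header rather than assumed from the struct looking right.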
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -134,6 +134,8 @@ typedef long (*dm_dax_direct_access_fn)
long nr_pages, void **kaddr, pfn_t *pfn);
typedef size_t (*dm_dax_copy_from_iter_fn)(struct dm_target *ti, pgoff_t pgoff,
void *addr, size_t bytes, struct iov_iter *i);
+typedef void (*dm_dax_flush_fn)(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size);
#define PAGE_SECTORS (PAGE_SIZE / 512)

void dm_error(const char *message);
@@ -184,6 +186,7 @@ struct target_type {
dm_io_hints_fn io_hints;
dm_dax_direct_access_fn direct_access;
dm_dax_copy_from_iter_fn dax_copy_from_iter;
+ dm_dax_flush_fn dax_flush;

/* For internal device-mapper use. */
struct list_head list;
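Review bot: dm_dax_flush_fn dax_flush is re-added between dax_copy_from_iter and the internal list member, so the offsets of the following fields and the overall size of struct target_type, which out-of-tree targets embed directly, depend on this being the exact position the member had before the removal; the dm-linear.c and dm-stripe.c wrappers above match the typedef, so the type side is fine. The patch description should state that this member must keep this position until the ABI is bumped, since a later reorder would pass genksyms' intent (the member exists) while still breaking those modules.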
debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
@ -0,0 +1,40 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 22:38:57 +0200
Subject: Revert "bpf: one perf event close won't free bpf program attached ..."
Forwarded: not-needed

This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was
commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream. It introduces
an ABI break that's not easily avoidable. The bug it fixes doesn't seem
to have any security impact.

---
--- a/include/linux/trace_events.h
+++ b/include/linux/trace_events.h
@@ -277,7 +277,6 @@ struct trace_event_call {
int perf_refcount;
struct hlist_head __percpu *perf_events;
struct bpf_prog *prog;
- struct perf_event *bpf_prog_owner;

int (*perf_perm)(struct trace_event_call *,
struct perf_event *);
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8126,7 +8126,6 @@ static int perf_event_set_bpf_prog(struc
}
}
event->tp_event->prog = prog;
- event->tp_event->bpf_prog_owner = event;

return 0;
}
@@ -8141,7 +8140,7 @@ static void perf_event_free_bpf_prog(str
return;

prog = event->tp_event->prog;
- if (prog && event->tp_event->bpf_prog_owner == event) {
+ if (prog) {
event->tp_event->prog = NULL;
bpf_prog_put(prog);
}
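Review bot: with the bpf_prog_owner check reverted, perf_event_free_bpf_prog() clears tp_event->prog and drops its reference as soon as any one perf event on that trace_event_call is closed, so every other perf event sharing the tracepoint loses the program at that moment. The description judges this to have no security impact, which is consistent with the pointer being cleared before bpf_prog_put (no dangling prog left for the other events), but the changelog should spell out the functional regression being accepted, that a BPF program attached through one event silently detaches when a different event on the same tracepoint closes, so users who hit it can match it to this revert.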
@ -0,0 +1,22 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 11:59:43 +0200
Subject: SCSI: Avoid ABI change in 4.13.6
Forwarded: not-needed

Hide the new bitfield from genksyms, as it's using what used to be a
padding bit.

---
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -182,7 +182,10 @@ struct scsi_device {
unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
unsigned broken_fua:1; /* Don't set FUA bit */
unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */
+#ifndef __GENKSYMS__
unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
+ /* 19 unused bits */
+#endif

atomic_t disk_events_disable_depth; /* disable depth for disk events */
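Review bot: hiding unmap_limit_for_ws behind #ifndef __GENKSYMS__ keeps the exported CRC stable only because, as the description says, the bit comes out of previously unused padding, so the struct size and every later offset are unchanged; the "/* 19 unused bits */" comment is the only record of that remaining budget, so it must be kept accurate whenever another flag is added, otherwise a later addition could spill into a new word and change the layout that the CRC still claims is unchanged. A note that this hunk is to be dropped at the next ABI bump, rather than carried forward, would also help.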
@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch

# Miscellaneous features

@ -114,27 +113,11 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
bugfix/all/fix-infoleak-in-waitid-2.patch
bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
bugfix/all/waitid-Add-missing-access_ok-checks.patch
bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch

# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
bugfix/all/module-disable-matching-missing-version-crc.patch

# ABI maintenance

# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
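Review bot: this hunk drops 16 lines from the "# Security fixes" block, and the four x86/KVM entries listed here match the patch files deleted earlier on this page, three of which carry a Bug-Debian-Security CVE reference in their headers; the changelog should name each dropped CVE next to the upstream stable release that now contains the fix, so that anyone auditing the tracker can confirm the CVE is still fixed rather than having to diff series files. The empty "# ABI maintenance" header removed from this position reappears at the end of the series in the following hunk, which is the right place, since those patches must apply after everything else.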
@ -146,3 +129,8 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/cpupower-bump-soname-version.patch
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
bugfix/all/tools-lib-lockdep-define-pr_cont.patch

# ABI maintenance
debian/scsi-avoid-abi-change-in-4.13.6.patch
debian/dax-avoid-abi-change-in-4.13.5.patch
debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
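Review bot: placing the three ABI-maintenance patches at the very end of the series is correct, since they must see the final struct layouts after every upstream and Debian patch has applied; two of the three name the stable release whose change they counter (4.13.5 and 4.13.6 in their subjects) while the bpf revert does not, so naming the release in that patch's subject as well would let all three be identified and dropped together at the next ABI bump.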