Update to 4.13.9

Drop many patches which are now upstream.

Avoid/ignore ABI changes as appropriate.
Ben Hutchings 2017-10-26 11:12:11 +02:00
parent de909222d8
commit 48bb38a3f7
21 changed files with 537 additions and 1041 deletions

debian/changelog

@ -1,9 +1,334 @@
linux (4.13.4-3) UNRELEASED; urgency=medium
linux (4.13.9-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
- cifs: check rsp for NULL before dereferencing in SMB2_open
- cifs: release cifs root_cred after exit_cifs
- cifs: release auth_key.response for reconnect.
- nvme-pci: fix host memory buffer allocation fallback
- nvme-pci: use appropriate initial chunk size for HMB allocation
- nvme-pci: propagate (some) errors from host memory buffer setup
- dax: remove the pmem_dax_ops->flush abstraction
- dm integrity: do not check integrity for failed read operations
- mmc: block: Fix incorrectly initialized requests
- fs/proc: Report eip/esp in /prod/PID/stat for coredumping
- scsi: scsi_transport_fc: fix NULL pointer dereference in
fc_bsg_job_timeout
- cifs: SMB3: Add support for multidialect negotiate (SMB2.1 and later)
- mac80211: fix VLAN handling with TXQs
- mac80211_hwsim: Use proper TX power
- mac80211: flush hw_roc_start work before cancelling the ROC
- genirq: Make sparse_irq_lock protect what it should protect
- genirq/msi: Fix populating multiple interrupts
- genirq: Fix cpumask check in __irq_startup_managed()
- [powerpc*] KVM: Book3S HV: Hold kvm->lock around call to
kvmppc_update_lpcr
- [powerpc*] KVM: Book3S HV: Fix bug causing host SLB to be restored
incorrectly
- [powerpc*] KVM: PPC: Book3S HV: Don't access XIVE PIPR register using
byte accesses
- tracing: Fix trace_pipe behavior for instance traces
- tracing: Erase irqsoff trace with empty write
- tracing: Remove RCU work arounds from stack tracer
- md/raid5: fix a race condition in stripe batch
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
- scsi: aacraid: Fix 2T+ drives on SmartIOC-2000
- scsi: aacraid: Add a small delay after IOP reset
- [armhf] drm/exynos: Fix locking in the suspend/resume paths
- [x86] drm/i915/gvt: Fix incorrect PCI BARs reporting
- Revert "drm/i915/bxt: Disable device ready before shutdown command"
- drm/amdgpu: revert tile table update for oland
- drm/radeon: disable hard reset in hibernate for APUs
- crypto: drbg - fix freeing of resources
- security/keys: properly zero out sensitive key material in big_key
- security/keys: rewrite all of big_key crypto
- KEYS: fix writing past end of user-supplied buffer in keyring_read()
- KEYS: prevent creating a different user's keyrings
- [x86] libnvdimm, namespace: fix btt claim class crash
- [powerpc*] eeh: Create PHB PEs after EEH is initialized
- [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
- [powerpc*] tm: Flush TM only if CPU has TM feature
- [mips*] Fix perf event init
- [s390x] perf: fix bug when creating per-thread event
- [s390x] mm: make pmdp_invalidate() do invalidation only
- [s390x] mm: fix write access check in gup_huge_pmd()
- PM: core: Fix device_pm_check_callbacks()
- Revert "IB/ipoib: Update broadcast object if PKey value was changed in
index 0"
- cifs: Fix SMB3.1.1 guest authentication to Samba
- cifs: SMB3: Fix endian warning
- cifs: SMB3: Warn user if trying to sign connection that authenticated as
guest
- cifs: SMB: Validate negotiate (to protect against downgrade) even if
signing off
- cifs: SMB3: handle new statx fields
- cifs: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
- libceph: don't allow bidirectional swap of pg-upmap-items
- brd: fix overflow in __brd_direct_access
- gfs2: Fix debugfs glocks dump
- bsg-lib: don't free job in bsg_prepare_job
- iw_cxgb4: drop listen destroy replies if no ep found
- iw_cxgb4: remove the stid on listen create failure
- iw_cxgb4: put ep reference in pass_accept_req()
- rcu: Allow for page faults in NMI handlers
- mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
- extable: Consolidate *kernel_text_address() functions
- extable: Enable RCU if it is not watching in kernel_text_address()
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
- [arm64] Make sure SPsel is always set
- [arm64] mm: Use READ_ONCE when dereferencing pointer to pte table
- [arm64] fault: Route pte translation faults via do_translation_fault
- [x86] KVM: VMX: extract __pi_post_block
- [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
- [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
- [x86] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache
- [x86] kvm: Handle async PF in RCU read-side critical sections
- xfs: validate bdev support for DAX inode flag
- sched/sysctl: Check user input value of sysctl_sched_time_avg
- irq/generic-chip: Don't replace domain's name
- mtd: Fix partition alignment check on multi-erasesize devices
- [armhf] etnaviv: fix submit error path
- [armhf] etnaviv: fix gem object list corruption
- futex: Fix pi_state->owner serialization
- md: fix a race condition for flush request handling
- md: separate request handling
- PCI: Fix race condition with driver_override
- btrfs: fix NULL pointer dereference from free_reloc_roots()
- btrfs: clear ordered flag on cleaning up ordered extents
- btrfs: finish ordered extent cleaning if no progress is found
- btrfs: propagate error to btrfs_cmp_data_prepare caller
- btrfs: prevent to set invalid default subvolid
- [x86] platform: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt
- PM / OPP: Call notifier without holding opp_table->lock
- [x86] mm: Fix fault error path using unsafe vma pointer
- [x86] fpu: Don't let userspace set bogus xcomp_bv
- [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
- [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
- [x86] KVM: VMX: use cmpxchg64
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
- [armhf,arm64] usb: dwc3: ep0: fix DMA starvation by assigning req->trb on
ep0
- mlxsw: spectrum: Fix EEPROM access in case of SFP/SFP+
- net: bonding: Fix transmit load balancing in balance-alb mode if
specified by sysfs
- openvswitch: Fix an error handling path in
'ovs_nla_init_match_and_action()'
- net: bonding: fix tlb_dynamic_lb default value
- net_sched: gen_estimator: fix scaling error in bytes/packets samples
- net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
- tcp: update skb->skb_mstamp more carefully
- bpf/verifier: reject BPF_ALU64|BPF_END
- tcp: fix data delivery rate
- udpv6: Fix the checksum computation when HW checksum does not apply
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
- net: phy: Fix mask value write on gmii2rgmii converter speed register
- ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
- net/sched: cls_matchall: fix crash when used with classful qdisc
- 8139too: revisit napi_complete_done() usage
- bpf: do not disable/enable BH in bpf_map_free_id()
- tcp: fastopen: fix on syn-data transmit failure
- [powerpc*] net: emac: Fix napi poll list corruption
- net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure
- packet: hold bind lock when rebinding to fanout hook
- net: change skb->mac_header when Generic XDP calls adjust_head
- net_sched: always reset qdisc backlog in qdisc_reset()
- [armhf,arm64] net: stmmac: Cocci spatch "of_table"
- [arm64] net: qcom/emac: specify the correct size when mapping a DMA buffer
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
- l2tp: fix race condition in l2tp_tunnel_delete
- tun: bail out from tun_get_user() if the skb is empty
- [armhf,arm64] net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple
vlans
- [armhf,arm64] net: dsa: Fix network device registration order
- packet: in packet_do_bind, test fanout with bind_lock held
- packet: only test po->has_vnet_hdr once in packet_snd
- [armhf,arm64] net: dsa: mv88e6xxx: lock mutex when freeing IRQs
- net: Set sk_prot_creator when cloning sockets to the right proto
- net/mlx5e: IPoIB, Fix access to invalid memory address
- netlink: do not proceed if dump's start() errs
- ip6_gre: ip6gre_tap device should keep dst
- ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
- IPv4: early demux can return an error code
- tipc: use only positive error codes in messages
- l2tp: fix l2tp_eth module loading
- socket, bpf: fix possible use after free
- net: rtnetlink: fix info leak in RTM_GETSTATS call
- [amd64] bpf: fix bpf_tail_call() x64 JIT
- usb: gadget: core: fix ->udc_set_speed() logic
- USB: gadgetfs: Fix crash caused by inadequate synchronization
- USB: gadgetfs: fix copy_to_user while holding spinlock
- usb: gadget: udc: atmel: set vbus irqflags explicitly
- usb-storage: unusual_devs entry to fix write-access regression for
Seagate external drives
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices
- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
- usb: pci-quirks.c: Corrected timeout values used in handshake
- USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
- USB: dummy-hcd: fix connection failures (wrong speed)
- USB: dummy-hcd: fix infinite-loop resubmission bug
- USB: dummy-hcd: Fix erroneous synchronization change
- USB: devio: Prevent integer overflow in proc_do_submiturb()
- USB: devio: Don't corrupt user memory
- USB: g_mass_storage: Fix deadlock when driver is unbound
- USB: uas: fix bug in handling of alternate settings
- USB: core: harden cdc_parse_cdc_header
- usb: Increase quirk delay for USB devices
- USB: fix out-of-bounds in usb_set_configuration
- usb: xhci: Free the right ring in xhci_add_endpoint()
- xhci: fix finding correct bus_state structure for USB 3.1 hosts
- xhci: fix wrong endpoint ESIT value shown in tracing
- usb: host: xhci-plat: allow sysdev to inherit from ACPI
- xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
- xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
- [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
- [armhf] iio: adc: twl4030: Fix an error handling path in
'twl4030_madc_probe()'
- [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
handling path of 'twl4030_madc_probe()'
- iio: core: Return error for failed read_reg
- uwb: properly check kthread_run return value
- uwb: ensure that endpoint is interrupt
- ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
- mm, hugetlb, soft_offline: save compound page order before page migration
- mm, oom_reaper: skip mm structs with mmu notifiers
- mm: fix RODATA_TEST failure "rodata_test: test data was not read only"
- mm: avoid marking swap cached page as lazyfree
- mm: fix data corruption caused by lazyfree page
- userfaultfd: non-cooperative: fix fork use after free
- ALSA: compress: Remove unused variable
- Revert "ALSA: echoaudio: purge contradictions between dimension matrix
members and total number of members"
- ALSA: usx2y: Suppress kernel warning at page allocation failures
- [powerpc*] powernv: Increase memory block size to 1GB on radix
- [powerpc*] Fix action argument for cpufeatures-based TLB flush
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
- [x86] intel_th: pci: Add Lewisburg PCH support
- driver core: platform: Don't read past the end of "driver_override" buffer
- cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute()
returns
- [x86] Drivers: hv: fcopy: restore correct transfer length
- [x86] vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
- ftrace: Fix kmemleak in unregister_ftrace_graph
- ovl: fix error value printed in ovl_lookup_index()
- ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
- ovl: fix dentry leak in ovl_indexdir_cleanup()
- ovl: fix missing unlock_rename() in ovl_do_copy_up()
- ovl: fix regression caused by exclusive upper/work dir protection
- [arm64] dt marvell: Fix AP806 system controller size
- [arm64] Ensure the instruction emulation is ready for userspace
- HID: rmi: Make sure the HID device is opened on resume
- HID: i2c-hid: allocate hid buffers for real worst case
- HID: wacom: leds: Don't try to control the EKR's read-only LEDs
- HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
- HID: wacom: Correct coordinate system of touchring and pen twist
- HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
- HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
- HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
- HID: wacom: bits shifted too much for 9th and 10th buttons
- btrfs: avoid overflow when sector_t is 32 bit
- Btrfs: fix overlap of fs_info::flags values
- dm crypt: reject sector_size feature if device length is not aligned to it
- dm ioctl: fix alignment of event number in the device list
- dm crypt: fix memory leak in crypt_ctr_cipher_old()
- [powerpc*] KVM: Book3S: Fix server always zero from kvmppc_xive_get_xive()
- [x86] kvm: Avoid async PF preempting the kernel incorrectly
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
- scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
- scsi: sd: Do not override max_sectors_kb sysfs setting
- brcmfmac: setup passive scan if requested by user-space
- [x86] drm/i915: always update ELD connector type after get modes
- [x86] drm/i915/bios: ignore HDMI on port A
- bsg-lib: fix use-after-free under memory-pressure
- nvme-pci: Use PCI bus address for data/queues in CMB
- mmc: core: add driver strength selection when selecting hs400es
- nl80211: Define policy for packet pattern attributes
- [armhf] clk: samsung: exynos4: Enable VPLL and EPLL clocks for
suspend/resume cycle
- udp: perform source validation for mcast early demux
- udp: fix bcast packet reception
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.7
- watchdog: Revert "iTCO_wdt: all versions count down twice"
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8
- USB: dummy-hcd: Fix deadlock caused by disconnect detection
- [mips*] math-emu: Remove pr_err() calls from fpu_emu()
- [mips*] bpf: Fix uninitialised target compiler error
- [x86] mei: always use domain runtime pm callbacks.
- [armhf] dmaengine: edma: Align the memcpy acnt array size with the
transfer
- [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
dma_inuse
- NFS: Fix uninitialized rpc_wait_queue
- nfs/filelayout: fix oops when freeing filelayout segment
- HID: usbhid: fix out-of-bounds bug
- crypto: skcipher - Fix crash on zero-length input
- crypto: shash - Fix zero-length shash ahash digest crash
- [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
- [x86] pinctrl/amd: Fix build dependency on pinmux code
- [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
- device property: Track owner device of device property
- Revert "vmalloc: back off when the current task is killed"
- fs/mpage.c: fix mpage_writepage() for pages with buffers
- ALSA: usb-audio: Kill stray URB at exiting
- ALSA: seq: Fix copy_from_user() call inside lock
- ALSA: caiaq: Fix stray URB at probe error path
- ALSA: line6: Fix NULL dereference at podhd_disconnect()
- ALSA: line6: Fix missing initialization before error path
- ALSA: line6: Fix leftover URB at error-path during probe
- drm/atomic: Unref duplicated drm_atomic_state in
drm_atomic_helper_resume()
- [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
- [x86] drm/i915: Read timings from the correct transcoder in
intel_crtc_mode_get()
- [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
AUX channel
- [x86] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
- usb: gadget: configfs: Fix memory leak of interface directory data
- usb: gadget: composite: Fix use-after-free in
usb_composite_overwrite_options
- [arm64] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping
functions
- [armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"
- direct-io: Prevent NULL pointer access in submit_page_section
- fix unbalanced page refcounting in bio_map_user_iov
- more bio_map_user_iov() leak fixes
- bio_copy_user_iov(): don't ignore ->iov_offset
- perf script: Add missing separator for "-F ip,brstack" (and brstackoff)
- genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
- genirq/cpuhotplug: Add sanity check for effective affinity mask
- USB: serial: cp210x: fix partnum regression
- USB: serial: console: fix use-after-free on disconnect
- USB: serial: console: fix use-after-free after failed setup
- RAS/CEC: Use the right length for "cec_disable"
- [x86] alternatives: Fix alt_max_short macro to really be a max()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.9
- [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on CPUs
without the feature
- [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on
hypervisors
- [armhf,arm64] perf pmu: Unbreak perf record for arm/arm64 with events
with explicit PMU
- mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE outside of lock
- HID: hid-elecom: extend to fix descriptor for HUGE trackball
- [x86] Drivers: hv: vmbus: Fix rescind handling issues
- [x86] Drivers: hv: vmbus: Fix bugs in rescind handling
- [x86] vmbus: simplify hv_ringbuffer_read
- [x86] vmbus: refactor hv_signal_on_read
- [x86] vmbus: eliminate duplicate cached index
- [x86] vmbus: more host signalling avoidance
[ Ben Hutchings ]
* [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
* Update build dependencies on libbabeltrace[,-ctf}-dev
* linux-kbuild: Include scripts/ld-version.sh, needed for powerpc 64-bit
modules
* dax: Avoid most ABI changes in 4.13.5
* SCSI: Avoid ABI change in 4.13.6
* [x86] kvm: Ignore ABI change in 4.13.6
* seq-virmidi: Ignore ABI change in 4.13.8
* Revert "bpf: one perf event close won't free bpf program attached ..."
to avoid an ABI change
-- Ben Hutchings <ben@decadent.org.uk> Wed, 18 Oct 2017 20:03:01 +0100
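Review bot: the entry "Update build dependencies on libbabeltrace[,-ctf}-dev" mixes an opening "[" with a closing "}"; it should read "libbabeltrace[,-ctf]-dev". The entry also records the stable ChangeLog URLs but not which debian/patches were dropped, even though the commit message says "Drop many patches which are now upstream"; a reader has to diff debian/patches/series to find the six removed files, so listing them (or at least the CVE-tagged ones: CVE-2017-15265, CVE-2017-12192, CVE-2017-0786, CVE-2017-14954) under the [ Ben Hutchings ] block would make the security relevance of this update visible from the changelog alone.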


@ -4,7 +4,9 @@ ignore-changes:
__cpuhp_*
bpf_analyzer
cxl_*
dax_flush
iommu_device_*
kvm_async_pf_task_wait
mm_iommu_*
perf_*
register_cxl_calls
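Review bot: the two new entries, dax_flush and kvm_async_pf_task_wait, carry no justification, while this file already annotates an entry with a comment ("# btree library is only selected by few drivers so not useful OOT"). Add a one-line comment to each saying why the signature change is safe to ignore (for example, that the symbol has no expected out-of-tree callers), so the next stable update does not have to re-derive the reasoning.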
@ -30,6 +32,7 @@ ignore-changes:
module:fs/nfs/**
module:net/ceph/libceph
module:net/l2tp/l2tp_core
module:sound/core/seq/snd-seq-virmidi
module:sound/firewire/snd-firewire-lib
# btree library is only selected by few drivers so not useful OOT
btree_*
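Review bot: module:sound/core/seq/snd-seq-virmidi is added without saying which 4.13.8 change it covers; the changelog line "seq-virmidi: Ignore ABI change in 4.13.8" is the only hint. A comment naming the upstream commit next to this entry would follow the convention used for the btree_* line below it.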


@ -1,141 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 9 Oct 2017 11:09:20 +0200
Subject: ALSA: seq: Fix use-after-free at creating a port
Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:
BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[<ffffffff81b03781>] dump_stack+0x63/0x82
[<ffffffff81531b3b>] print_trailer+0xfb/0x160
[<ffffffff81536db4>] object_err+0x34/0x40
[<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
[<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
[<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
[<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
[<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
[<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
.....
We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use. Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.
This fix covers CVE-2017-15265.
Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 6 +++++-
sound/core/seq/seq_ports.c | 7 +++++--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index ea2d0ae85bd3..6c9cba2166d9 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
struct snd_seq_port_info *info = arg;
struct snd_seq_client_port *port;
struct snd_seq_port_callback *callback;
+ int port_idx;
/* it is not allowed to create the port for an another client */
if (info->addr.client != client->number)
@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
return -ENOMEM;
if (client->type == USER_CLIENT && info->kernel) {
- snd_seq_delete_port(client, port->addr.port);
+ port_idx = port->addr.port;
+ snd_seq_port_unlock(port);
+ snd_seq_delete_port(client, port_idx);
return -EINVAL;
}
if (client->type == KERNEL_CLIENT) {
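Review bot: the ordering here is the important part: port_idx is read before snd_seq_port_unlock(port), because once the reference taken in snd_seq_create_port() is dropped the port may be freed by a concurrent delete, and snd_seq_delete_port() is then called by number rather than through the pointer. A one-line comment would help, since moving the unlock below the delete call in a future change would silently reopen the race.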
@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
snd_seq_set_port_info(port, info);
snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
+ snd_seq_port_unlock(port);
return 0;
}
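Review bot: the unlock is placed after snd_seq_system_client_ev_port_start(), which is exactly the window the commit message describes. The KERNEL_CLIENT branch between this hunk and the previous one is not shown, so check that no early return inside it leaves the port reference held.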
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 0a7020c82bfc..d21ece9f8d73 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
}
-/* create a port, port number is returned (-1 on failure) */
+/* create a port, port number is returned (-1 on failure);
+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
+ */
struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
int port)
{
@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
snd_use_lock_init(&new_port->use_lock);
port_subs_info_init(&new_port->c_src);
port_subs_info_init(&new_port->c_dest);
+ snd_use_lock_use(&new_port->use_lock);
num = port >= 0 ? port : 0;
mutex_lock(&client->ports_mutex);
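Review bot: snd_use_lock_use() is taken before the port is linked into the client's port list (list_add_tail in the next hunk), so a concurrent snd_seq_delete_port() cannot free it while the creator still holds the pointer; that is the actual fix. If any failure return exists between this line and the list insertion (for instance a full port table), the use count would leak; the visible lines show none, but that path should be checked.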
@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
list_add_tail(&new_port->list, &p->list);
client->num_ports++;
new_port->addr.port = num; /* store the port number in the port */
+ sprintf(new_port->name, "port-%d", num);
write_unlock_irqrestore(&client->ports_lock, flags);
mutex_unlock(&client->ports_mutex);
- sprintf(new_port->name, "port-%d", num);
return new_port;
}
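Review bot: with the use reference now held by the caller, the sprintf() after write_unlock_irqrestore() would no longer be a use-after-free on its own; moving it inside the locked region is still right because list_add_tail() makes the port visible to readers before the name is filled in. A comment saying the name must be set before the port is published would capture that.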
--
2.11.0


@ -1,81 +0,0 @@
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 18 Sep 2017 11:37:23 -0700
Subject: KEYS: prevent KEYCTL_READ on negative key
Origin: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12192
Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key. If the key is
also possessed, we went ahead and called ->read() on the key. But the
key payload will actually contain the ->reject_error rather than the
normal payload. Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.
Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...
Reproducer:
keyctl new_session
keyctl request2 user desc '' @s
keyctl read $(keyctl show | awk '/user: desc/ {print $1}')
It causes a crash like the following:
BUG: unable to handle kernel paging request at 00000000ffffff92
IP: user_read+0x33/0xa0
PGD 36a54067 P4D 36a54067 PUD 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
RIP: 0010:user_read+0x33/0xa0
RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
Call Trace:
keyctl_read_key+0xac/0xe0
SyS_keyctl+0x99/0x120
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f58ec787bb9
RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
CR2: 00000000ffffff92
Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
Cc: <stable@vger.kernel.org> [v3.13+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/keyctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index aa1d11a29136..365ff85d7e27 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
key = key_ref_to_ptr(key_ref);
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+ ret = -ENOKEY;
+ goto error2;
+ }
+
/* see if we can read it directly */
ret = key_permission(key_ref, KEY_NEED_READ);
if (ret == 0)
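Review bot: test_bit(KEY_FLAG_NEGATIVE, &key->flags) runs here without key->sem, so a key that is still uninstantiated when this test runs and is rejected before ->read() is invoked still passes the check and reaches ->read() with reject_error in the payload. If the ->read() call below runs under down_read(&key->sem) (not shown in this hunk), moving the negative check under that lock closes the window; otherwise pair it with the instantiation-state test. Returning -ENOKEY matches what a permission-checked lookup would report for a negative key, so the error code itself is right.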
--
2.15.0.rc0


@ -1,72 +0,0 @@
From: Arend Van Spriel <arend.vanspriel@broadcom.com>
Date: Tue, 12 Sep 2017 10:47:53 +0200
Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786
Upon handling the firmware notification for scans the length was
checked properly and may result in corrupting kernel heap memory
due to buffer overruns. This fix addresses CVE-2017-0786.
Cc: stable@vger.kernel.org # v4.0.x
Cc: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
.../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index aaed4ab503ad..26a0de371c26 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
s32 status;
struct brcmf_escan_result_le *escan_result_le;
+ u32 escan_buflen;
struct brcmf_bss_info_le *bss_info_le;
struct brcmf_bss_info_le *bss = NULL;
u32 bi_length;
@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
if (status == BRCMF_E_STATUS_PARTIAL) {
brcmf_dbg(SCAN, "ESCAN Partial result\n");
+ if (e->datalen < sizeof(*escan_result_le)) {
+ brcmf_err("invalid event data length\n");
+ goto exit;
+ }
escan_result_le = (struct brcmf_escan_result_le *) data;
if (!escan_result_le) {
brcmf_err("Invalid escan result (NULL pointer)\n");
goto exit;
}
+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
+ escan_buflen > e->datalen ||
+ escan_buflen < sizeof(*escan_result_le)) {
+ brcmf_err("Invalid escan buffer length: %d\n",
+ escan_buflen);
+ goto exit;
+ }
if (le16_to_cpu(escan_result_le->bss_count) != 1) {
brcmf_err("Invalid bss_count %d: ignoring\n",
escan_result_le->bss_count);
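Review bot: the NULL test on escan_result_le right after the cast of data is effectively dead once e->datalen has been checked against sizeof(*escan_result_le); either drop it or move it ahead of the length check. The new message also uses %d for escan_buflen, which is u32; use %u (the same applies to bi_length in the next hunk). The three bounds on escan_buflen are the right set: the bound against BRCMF_ESCAN_BUF_SIZE limits any later copy into the driver's buffer, the bound against e->datalen keeps it within received data, and the lower bound guarantees the first bss_info_le header can be read below.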
@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
}
bi_length = le32_to_cpu(bss_info_le->length);
- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
- WL_ESCAN_RESULTS_FIXED_SIZE)) {
- brcmf_err("Invalid bss_info length %d: ignoring\n",
+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
+ brcmf_err("Ignoring invalid bss_info length: %d\n",
bi_length);
goto exit;
}
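Review bot: using the validated escan_buflen here, rather than re-reading escan_result_le->buflen, pins bi_length to a value already proven to lie within e->datalen, so any later use of bi_length as a copy size is bounded by received data. Only the message text changes otherwise; keep %u for the u32 bi_length.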
--
2.11.0
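The checks the brcmfmac patch above adds, as an added example that is not part of the original page or the driver: a stand-alone C parser for an escan-style event that rejects any declared length not backed by received bytes, run against constructed payloads. The struct layouts, the ESCAN_BUF_MAX constant and the escan_* names are simplified assumptions for this example, not brcmfmac definitions; the three bounds on the declared buflen and the equality test on the record length follow the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified, assumed layouts modelled on the escan result header: a declared
 * total length, a BSS count, then one BSS record carrying its own length.
 * Field names, sizes and ESCAN_BUF_MAX are assumptions for this example. */
#define ESCAN_BUF_MAX 2048u   /* stand-in for BRCMF_ESCAN_BUF_SIZE */

struct bss_info_le {
    uint8_t length[4];        /* little-endian length of this whole record */
    uint8_t ssid_len;
    uint8_t ssid[32];
};

struct escan_result_le {
    uint8_t buflen[4];        /* little-endian declared length of the event */
    uint8_t version[4];
    uint8_t sync_id[2];
    uint8_t bss_count[2];
    struct bss_info_le bss;   /* exactly one record is expected */
};

/* Bytes preceding the first record, like WL_ESCAN_RESULTS_FIXED_SIZE. */
#define ESCAN_FIXED_SIZE ((uint32_t)offsetof(struct escan_result_le, bss))

enum escan_status {
    ESCAN_OK = 0,
    ESCAN_ERR_EVENT_TOO_SHORT, /* fewer bytes than the fixed header */
    ESCAN_ERR_BUFLEN,          /* declared buflen not backed by received bytes */
    ESCAN_ERR_BSS_COUNT,       /* not exactly one BSS record */
    ESCAN_ERR_BI_LENGTH,       /* record length disagrees with buflen */
    ESCAN_ERR_DST_TOO_SMALL,   /* caller's buffer cannot hold the record */
};

static uint32_t le32_load(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static void le32_store(uint8_t b[4], uint32_t v)
{
    b[0] = v & 0xff; b[1] = (v >> 8) & 0xff;
    b[2] = (v >> 16) & 0xff; b[3] = (v >> 24) & 0xff;
}

static uint16_t le16_load(const uint8_t b[2])
{
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Validate an event of datalen received bytes and copy its BSS record into
 * dst. Every length the firmware declares is checked against what actually
 * arrived before it is used as a copy size. */
enum escan_status escan_validate(const uint8_t *data, uint32_t datalen,
                                 uint8_t *dst, size_t dst_size, uint32_t *copied)
{
    const struct escan_result_le *res;
    uint32_t buflen, bi_length;

    if (datalen < sizeof(*res))          /* header plus first record present? */
        return ESCAN_ERR_EVENT_TOO_SHORT;
    res = (const struct escan_result_le *)data;

    buflen = le32_load(res->buflen);     /* the patch's three bounds on buflen */
    if (buflen > ESCAN_BUF_MAX || buflen > datalen || buflen < sizeof(*res))
        return ESCAN_ERR_BUFLEN;
    if (le16_load(res->bss_count) != 1)
        return ESCAN_ERR_BSS_COUNT;

    bi_length = le32_load(res->bss.length);   /* must equal validated remainder */
    if (bi_length != buflen - ESCAN_FIXED_SIZE)
        return ESCAN_ERR_BI_LENGTH;
    if (bi_length > dst_size)
        return ESCAN_ERR_DST_TOO_SMALL;

    memcpy(dst, &res->bss, bi_length);   /* bounded by datalen and dst_size */
    *copied = bi_length;
    return ESCAN_OK;
}

/* Constructed event: exactly one header's worth of bytes "arrives", while the
 * header fields declare whatever the caller asks, so forged values can be tested. */
static uint32_t build_event(uint8_t *buf, uint32_t declared_buflen,
                            uint16_t bss_count, uint32_t declared_bi_length)
{
    struct escan_result_le res;

    memset(&res, 0, sizeof(res));
    le32_store(res.buflen, declared_buflen);
    res.bss_count[0] = bss_count & 0xff;
    res.bss_count[1] = bss_count >> 8;
    le32_store(res.bss.length, declared_bi_length);
    res.bss.ssid_len = 4;
    memcpy(res.bss.ssid, "test", 4);
    memcpy(buf, &res, sizeof(res));
    return (uint32_t)sizeof(res);
}

/* Well-formed event; returns the number of record bytes copied, 0 on rejection. */
uint32_t escan_check_valid(void)
{
    uint8_t wire[ESCAN_BUF_MAX], out[ESCAN_BUF_MAX];
    uint32_t copied = 0;
    uint32_t datalen = build_event(wire, sizeof(struct escan_result_le), 1,
                                   sizeof(struct escan_result_le) - ESCAN_FIXED_SIZE);
    if (escan_validate(wire, datalen, out, sizeof(out), &copied) != ESCAN_OK)
        return 0;
    return copied;
}

/* Forged event: buflen claims 1536 bytes although only the header arrived.
 * Without the buflen bound, bi_length (1524) would size a copy past the data. */
enum escan_status escan_check_forged_buflen(void)
{
    uint8_t wire[ESCAN_BUF_MAX], out[ESCAN_BUF_MAX];
    uint32_t copied = 0;
    uint32_t datalen = build_event(wire, 1536, 1, 1536 - ESCAN_FIXED_SIZE);
    return escan_validate(wire, datalen, out, sizeof(out), &copied);
}

/* Consistent buflen, but a record length that does not match it. */
enum escan_status escan_check_mismatched_record(void)
{
    uint8_t wire[ESCAN_BUF_MAX], out[ESCAN_BUF_MAX];
    uint32_t copied = 0;
    uint32_t datalen = build_event(wire, sizeof(struct escan_result_le), 1, 100);
    return escan_validate(wire, datalen, out, sizeof(out), &copied);
}
```

escan_check_forged_buflen() is the shape of the hostile case: a 49-byte event whose header claims 1536 bytes, which the pre-patch logic would have turned into a 1524-byte record copy out of received data; the bound against datalen rejects it before bi_length is ever derived.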


@ -1,66 +0,0 @@
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri, 29 Sep 2017 13:43:15 -0400
Subject: fix infoleak in waitid(2)
Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
case and waitid(2) rusage should've been copied out exactly in that case, *not*
whenever kernel_waitid() has not returned an error. Compat variant shares that
braino; none of kernel_wait4() callers do, so the below ought to fix it.
Reported-and-tested-by: Alexander Potapenko <glider@google.com>
Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
Cc: stable@vger.kernel.org # v4.13
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
kernel/exit.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/kernel/exit.c b/kernel/exit.c
index 3481ababd06a..f2cd53e92147 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
struct waitid_info info = {.status = 0};
long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
int signo = 0;
+
if (err > 0) {
signo = SIGCHLD;
err = 0;
- }
-
- if (!err) {
if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
return -EFAULT;
}
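Review bot: the native path now copies rusage only when kernel_waitid() returned a PID, as the commit message describes, but unlike the compat hunk below it carries no comment saying why; copying the `/* kernel_waitid() overwrites everything in ru */` line here would save the next reader from re-deriving that `r` is uninitialized stack on the 0 and error paths.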
@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
if (err > 0) {
signo = SIGCHLD;
err = 0;
- }
-
- if (!err && uru) {
- /* kernel_waitid() overwrites everything in ru */
- if (COMPAT_USE_64BIT_TIME)
- err = copy_to_user(uru, &ru, sizeof(ru));
- else
- err = put_compat_rusage(&ru, uru);
- if (err)
- return -EFAULT;
+ if (uru) {
+ /* kernel_waitid() overwrites everything in ru */
+ if (COMPAT_USE_64BIT_TIME)
+ err = copy_to_user(uru, &ru, sizeof(ru));
+ else
+ err = put_compat_rusage(&ru, uru);
+ if (err)
+ return -EFAULT;
+ }
}
if (!infop)
--
2.14.2

@ -1,151 +0,0 @@
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 6 Sep 2017 15:01:42 +0200
Subject: mac80211: fix deadlock in driver-managed RX BA session start
Origin: https://git.kernel.org/linus/bde59c475e0883e4c4294bcd9b9c7e08ae18c828
Bug-Debian: https://bugs.debian.org/878092
When an RX BA session is started by the driver, and it has to tell
mac80211 about it, the corresponding bit in tid_rx_manage_offl gets
set and the BA session work is scheduled. Upon testing this bit, it
will call __ieee80211_start_rx_ba_session(), thus deadlocking as it
already holds the ampdu_mlme.mtx, which that acquires again.
Fix this by adding ___ieee80211_start_rx_ba_session(), a version of
the function that requires the mutex already held.
Cc: stable@vger.kernel.org
Fixes: 699cb58c8a52 ("mac80211: manage RX BA session offload without SKB queue")
Reported-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/agg-rx.c | 32 +++++++++++++++++++++-----------
net/mac80211/ht.c | 6 +++---
net/mac80211/ieee80211_i.h | 4 ++++
3 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 2b36eff5d97e..2849a1fc41c5 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
ieee80211_tx_skb(sdata, skb);
}
-void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- u8 dialog_token, u16 timeout,
- u16 start_seq_num, u16 ba_policy, u16 tid,
- u16 buf_size, bool tx, bool auto_seq)
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq)
{
struct ieee80211_local *local = sta->sdata->local;
struct tid_ampdu_rx *tid_agg_rx;
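Review bot: distinguishing the locked and unlocked variants only by a second versus a third leading underscore (`__ieee80211_start_rx_ba_session` / `___ieee80211_start_rx_ba_session`) is easy to misread at call sites; a `_locked` suffix on the must-hold-mutex variant would make the locking contract visible in the name, matching the `lockdep_assert_held()` the later hunk adds.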
@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
ht_dbg(sta->sdata,
"STA %pM requests BA session on unsupported tid %d\n",
sta->sta.addr, tid);
- goto end_no_lock;
+ goto end;
}
if (!sta->sta.ht_cap.ht_supported) {
@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
"STA %pM erroneously requests BA session on tid %d w/o QoS\n",
sta->sta.addr, tid);
/* send a response anyway, it's an error case if we get here */
- goto end_no_lock;
+ goto end;
}
if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
ht_dbg(sta->sdata,
"Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
sta->sta.addr, tid);
- goto end_no_lock;
+ goto end;
}
/* sanity check for incoming parameters:
@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
ht_dbg_ratelimited(sta->sdata,
"AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
sta->sta.addr, tid, ba_policy, buf_size);
- goto end_no_lock;
+ goto end;
}
/* determine default buffer size */
if (buf_size == 0)
@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
buf_size, sta->sta.addr);
/* examine state machine */
- mutex_lock(&sta->ampdu_mlme.mtx);
+ lockdep_assert_held(&sta->ampdu_mlme.mtx);
if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
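Review bot: replacing `mutex_lock()` with `lockdep_assert_held()` turns a real lock acquisition into a debug-only assertion, so on a kernel without CONFIG_LOCKDEP a caller that forgets the mutex silently runs the state machine below unlocked. The only callers are the new wrapper and ieee80211_ba_session_work(), which the commit message says already holds it, so this is acceptable, but the precondition should be stated in a comment above the function.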
@@ -415,15 +415,25 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
__clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
}
- mutex_unlock(&sta->ampdu_mlme.mtx);
-end_no_lock:
if (tx)
ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
dialog_token, status, 1, buf_size,
timeout);
}
+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq)
+{
+ mutex_lock(&sta->ampdu_mlme.mtx);
+ ___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
+ start_seq_num, ba_policy, tid,
+ buf_size, tx, auto_seq);
+ mutex_unlock(&sta->ampdu_mlme.mtx);
+}
+
void ieee80211_process_addba_request(struct ieee80211_local *local,
struct sta_info *sta,
struct ieee80211_mgmt *mgmt,
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 4cba7fca10d4..d6d0b4201e40 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -351,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)
if (test_and_clear_bit(tid,
sta->ampdu_mlme.tid_rx_manage_offl))
- __ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
- IEEE80211_MAX_AMPDU_BUF,
- false, true);
+ ___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
+ IEEE80211_MAX_AMPDU_BUF,
+ false, true);
if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
sta->ampdu_mlme.tid_rx_manage_offl))
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 2197c62a0a6e..9675814f64db 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
u8 dialog_token, u16 timeout,
u16 start_seq_num, u16 ba_policy, u16 tid,
u16 buf_size, bool tx, bool auto_seq);
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq);
void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
enum ieee80211_agg_stop_reason reason);
void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
--
2.15.0.rc0

@ -1,36 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 12 Sep 2017 22:21:21 +0000
Subject: nl80211: check for the required netlink attributes presence
Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.
This fixes CVE-2017-12153.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Cc: <stable@vger.kernel.org> # v3.1-rc1
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
if (err)
return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
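Review bot: the presence check is correctly placed after the `if (err) return err;` from parsing and before the first `nla_len(tb[...])` dereference. The fixed-length tests that follow could be expressed in the nla_policy instead, but the presence check still has to be explicit because nla_parse() does not reject missing attributes, so this is the minimal correct fix.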

@ -1,79 +0,0 @@
From: Cyril Bur <cyrilbur@gmail.com>
Date: Thu, 17 Aug 2017 20:42:26 +1000
Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
checks
Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255
When using transactional memory (TM), the CPU can be in one of six
states as far as TM is concerned, encoded in the Machine State
Register (MSR). Certain state transitions are illegal and if attempted
trigger a "TM Bad Thing" type program check exception.
If we ever hit one of these exceptions it's treated as a bug, ie. we
oops, and kill the process and/or panic, depending on configuration.
One case where we can trigger a TM Bad Thing, is when returning to
userspace after a system call or interrupt, using RFID. When this
happens the CPU first restores the user register state, in particular
r1 (the stack pointer) and then attempts to update the MSR. However
the MSR update is not allowed and so we take the program check with
the user register state, but the kernel MSR.
This tricks the exception entry code into thinking we have a bad
kernel stack pointer, because the MSR says we're coming from the
kernel, but r1 is pointing to userspace.
To avoid this we instead always switch to the emergency stack if we
take a TM Bad Thing from the kernel. That way none of the user
register values are used, other than for printing in the oops message.
This is the fix for CVE-2017-1000255.
Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
[mpe: Rewrite change log & comments, tweak asm slightly]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 48da0f5d2f7f..b82586c53560 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
TRAMP_KVM(PACA_EXGEN, 0x700)
EXC_COMMON_BEGIN(program_check_common)
- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
+ /*
+ * It's possible to receive a TM Bad Thing type program check with
+ * userspace register values (in particular r1), but with SRR1 reporting
+ * that we came from the kernel. Normally that would confuse the bad
+ * stack logic, and we would report a bad kernel stack pointer. Instead
+ * we switch to the emergency stack if we're taking a TM Bad Thing from
+ * the kernel.
+ */
+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
+ oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
+ and r10,r10,r12 /* Mask SRR1 with that. */
+ srdi r10,r10,8 /* Shift it so we can compare */
+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
+ bne 1f /* If != go to normal path. */
+
+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
+ /* 3 in EXCEPTION_PROLOG_COMMON */
+ mr r10,r1 /* Save r1 */
+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
+ b 3f /* Jump into the macro !! */
+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
bl save_nvgprs
RECONCILE_IRQ_STATE(r10, r11)
addi r3,r1,STACK_FRAME_OVERHEAD
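Review bot: `b 3f /* Jump into the macro !! */` ties this prologue to an unnamed local label inside EXCEPTION_PROLOG_COMMON, and the `andi. r10,r12,MSR_PR` before it exists only to leave CR0 in the state that label expects; a comment in the macro at label 3 saying that program_check_common enters there would stop the next macro edit from silently breaking this path. The stray `;` after `andi.` is also inconsistent with the surrounding lines.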
--
2.11.0

@ -1,62 +0,0 @@
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea
Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.
That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.
This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.
Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;
- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
--
2.11.0

@ -1,55 +0,0 @@
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 27 Aug 2017 20:25:26 +0800
Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
Origin: https://patchwork.kernel.org/patch/9923803/
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
ChunYu found a kernel crash by syzkaller:
[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[ 651.627260] Call Trace:
[ 651.629156] skb_release_all+0x4f/0x60
[ 651.629450] consume_skb+0x1a5/0x600
[ 651.630705] netlink_unicast+0x505/0x720
[ 651.632345] netlink_sendmsg+0xab2/0xe70
[ 651.633704] sock_sendmsg+0xcf/0x110
[ 651.633942] ___sys_sendmsg+0x833/0x980
[ 651.637117] __sys_sendmsg+0xf3/0x240
[ 651.638820] SyS_sendmsg+0x32/0x50
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.
This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.
Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
---
drivers/scsi/scsi_transport_iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
uint32_t group;
nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) ||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
skb->len < nlh->nlmsg_len) {
break;
}
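Review bot: requiring `nlmsg_len >= sizeof(*nlh) + sizeof(*ev)` together with the unchanged `skb->len < nlh->nlmsg_len` test is what bounds `ev` inside the skb and stops the write into skb_shinfo(). The silent `break` on a malformed header is pre-existing, but a rate-limited warning here would make a misbehaving userspace visible in the logs instead of just dropping the message.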

@ -1,30 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Mon, 4 Sep 2017 16:00:50 +0200
Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
userspace
Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.
References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
---
drivers/video/fbdev/aty/atyfb_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
case ATYIO_CLKR:
if (M64_HAS(INTEGRATED)) {
- struct atyclk clk;
+ struct atyclk clk = { 0 };
union aty_pll *pll = &par->pll;
u32 dsp_config = pll->ct.dsp_config;
u32 dsp_on_off = pll->ct.dsp_on_off;
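Review bot: `struct atyclk clk = { 0 };` zeroes the named members, but the C standard leaves padding bytes unspecified under an initializer, and this leak is specifically about the padding after `vclk_post_div`; GCC does zero the padding for this form in practice, but `memset(&clk, 0, sizeof(clk));` is the form that guarantees it regardless of compiler and is what a copy_to_user() of the whole struct should rely on.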

@ -1,47 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Mon, 9 Oct 2017 11:36:52 -0700
Subject: waitid(): Add missing access_ok() checks
Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
Adds missing access_ok() checks.
CVE-2017-5123
Reported-by: Chris Salls <chrissalls5@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
Cc: stable@kernel.org # 4.13
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
kernel/exit.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/exit.c b/kernel/exit.c
index f2cd53e92147..cf28528842bc 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
if (!infop)
return err;
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
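Review bot: the access_ok() has to precede user_access_begin() because unsafe_put_user() deliberately skips the range check that put_user() performs; that invariant deserves a short comment here, since anyone adding another unsafe_put_user() block will copy this pattern. The `Efault` label is outside the hunk, so confirm it runs user_access_end() before returning.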
@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
if (!infop)
return err;
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
--
2.15.0.rc0

@ -1,83 +0,0 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:23 +0200
Subject: KVM: MMU: always terminate page walks at level 1
Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
is_last_gpte() is not equivalent to the pseudo-code given in commit
6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
value of last_nonleaf_level may override the result even if level == 1.
It is critical for is_last_gpte() to return true on level == 1 to
terminate page walks. Otherwise memory corruption may occur as level
is used as an index to various data structures throughout the page
walking code. Even though the actual bug would be wherever the MMU is
initialized (as in the previous patch), be defensive and ensure here
that is_last_gpte() returns the correct value.
This patch is also enough to fix CVE-2017-12188.
Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
Cc: stable@vger.kernel.org
Cc: Andy Honig <ahonig@google.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
[Panic if walk_addr_generic gets an incorrect level; this is a serious
bug and it's not worth a WARN_ON where the recovery path might hide
further exploitable issues; suggested by Andrew Honig. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 14 +++++++-------
arch/x86/kvm/paging_tmpl.h | 3 ++-
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 3c25f20115bc..7a69cf053711 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
unsigned level, unsigned gpte)
{
/*
- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
- */
- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-
- /*
* The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
* If it is clear, there are no large pages at this level, so clear
* PT_PAGE_SIZE_MASK in gpte if that is the case.
*/
gpte &= level - mmu->last_nonleaf_level;
+ /*
+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
+ */
+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
+
return gpte & PT_PAGE_SIZE_MASK;
}
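Review bot: the reordering is only correct because `level` is `unsigned`, so `level - PT_PAGE_TABLE_LEVEL - 1` wraps to all ones at level 1 and the final OR cannot be undone by whatever `level - mmu->last_nonleaf_level` produced above it; the existing comment states the bit-7 result but not the unsigned wrap, and a one-line note would keep a well-meaning type change from reintroducing the bug.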
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 86b68dc5a649..f18d1f8d332b 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
--walker->level;
index = PT_INDEX(addr, walker->level);
-
table_gfn = gpte_to_gfn(pte);
offset = index * sizeof(pt_element_t);
pte_gpa = gfn_to_gpa(table_gfn) + offset;
+
+ BUG_ON(walker->level < 1);
walker->table_gfn[walker->level - 1] = table_gfn;
walker->pte_gpa[walker->level - 1] = pte_gpa;
--
2.11.0

@ -1,34 +0,0 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:22 +0200
Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
The function updates context->root_level but didn't call
update_last_nonleaf_level so the previous and potentially wrong value
was used for page walks. For example, a zero value of last_nonleaf_level
would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
walk_addr_generic function (CVE-2017-12188).
Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 106d4a029a8a..3c25f20115bc 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
update_permission_bitmask(vcpu, context, true);
update_pkru_bitmask(vcpu, context, true);
+ update_last_nonleaf_level(vcpu, context);
reset_rsvds_bits_mask_ept(vcpu, context, execonly);
reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
}
--
2.11.0

@ -1,34 +0,0 @@
From: Jim Mattson <jmattson@google.com>
Date: Tue, 12 Sep 2017 13:02:54 -0700
Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.
This fixes CVE-2017-12154.
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/vmx.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
if (exec_control & CPU_BASED_TPR_SHADOW) {
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
+ } else {
+#ifdef CONFIG_X86_64
+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+ CPU_BASED_CR8_STORE_EXITING;
+#endif
}
/*
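Review bot: the else branch ORs CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING into `exec_control`, but the hunk does not show the vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, exec_control) that commits it to vmcs02; confirm that write occurs after this point, since if exec_control was already written the new bits never take effect. The `#ifdef CONFIG_X86_64` is consistent with CR8 only existing in 64-bit mode.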

@ -1,52 +0,0 @@
From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
Date: Thu, 7 Sep 2017 19:02:30 +0100
Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
The value of the guest_irq argument to vmx_update_pi_irte() is
ultimately coming from a KVM_IRQFD API call. Do not BUG() in
vmx_update_pi_irte() if the value is out-of-bounds. (Especially,
since KVM as a whole seems to hang after that.)
Instead, print a message only once if we find that we don't have a
route for a certain IRQ (which can be out-of-bounds or within the
array).
This fixes CVE-2017-1000252.
Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/vmx.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
struct kvm_lapic_irq irq;
struct kvm_vcpu *vcpu;
struct vcpu_data vcpu_info;
- int idx, ret = -EINVAL;
+ int idx, ret = 0;
if (!kvm_arch_has_assigned_device(kvm) ||
!irq_remapping_cap(IRQ_POSTING_CAP) ||
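Review bot: changing the initializer from `ret = -EINVAL` to `ret = 0` affects every path that reaches `out` without setting `ret`, including the early bail-out right below for hosts without assigned devices or posted-interrupt capability; the commit message only discusses the BUG_ON, so it should state explicitly that returning success from those paths is intended.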
@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm
idx = srcu_read_lock(&kvm->irq_srcu);
irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
+ if (guest_irq >= irq_rt->nr_rt_entries ||
+ hlist_empty(&irq_rt->map[guest_irq])) {
+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
+ guest_irq, irq_rt->nr_rt_entries);
+ goto out;
+ }
hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
if (e->type != KVM_IRQ_ROUTING_MSI)

@ -0,0 +1,141 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 22:16:38 +0200
Subject: dax: Avoid ABI change in 4.13.5
Forwarded: not-needed
Commit c3ca015fab6d ("dax: remove the pmem_dax_ops->flush
abstraction") removed dax_operations::flush and
target_type::dax_flush, resulting in an ABI change. Add these
operations back but don't restore any of the calls to them. To keep
existing callers working during an incomplete kernel upgrade, change
all the implementations to directly do arch_wb_cache_pmem(), just as
dax_flush() does in the new kernel.
Don't change dax_flush() back; it shouldn't have any out-of-tree
callers.
---
--- a/drivers/md/dm-linear.c
+++ b/drivers/md/dm-linear.c
@@ -184,6 +184,14 @@ static size_t linear_dax_copy_from_iter(
return dax_copy_from_iter(dax_dev, pgoff, addr, bytes, i);
}
+static void linear_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
static struct target_type linear_target = {
.name = "linear",
.version = {1, 4, 0},
@@ -198,6 +206,7 @@ static struct target_type linear_target
.iterate_devices = linear_iterate_devices,
.direct_access = linear_dax_direct_access,
.dax_copy_from_iter = linear_dax_copy_from_iter,
+ .dax_flush = linear_dax_flush,
};
int __init dm_linear_init(void)
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -458,6 +458,14 @@ static void stripe_io_hints(struct dm_ta
blk_limits_io_opt(limits, chunk_size * sc->stripes);
}
+static void stripe_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
static struct target_type stripe_target = {
.name = "striped",
.version = {1, 6, 0},
@@ -472,6 +480,7 @@ static struct target_type stripe_target
.io_hints = stripe_io_hints,
.direct_access = stripe_dax_direct_access,
.dax_copy_from_iter = stripe_dax_copy_from_iter,
+ .dax_flush = stripe_dax_flush,
};
int __init dm_stripe_init(void)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -993,6 +993,14 @@ static size_t dm_dax_copy_from_iter(stru
return ret;
}
+static void dm_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
/*
* A target may call dm_accept_partial_bio only from the map routine. It is
* allowed for all bio types except REQ_PREFLUSH.
@@ -2980,6 +2988,7 @@ static const struct block_device_operati
static const struct dax_operations dm_dax_ops = {
.direct_access = dm_dax_direct_access,
.copy_from_iter = dm_dax_copy_from_iter,
+ .flush = dm_dax_flush,
};
/*
--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -243,9 +243,16 @@ static size_t pmem_copy_from_iter(struct
return copy_from_iter_flushcache(addr, bytes, i);
}
+static void pmem_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff,
+ void *addr, size_t size)
+{
+ arch_wb_cache_pmem(addr, size);
+}
+
static const struct dax_operations pmem_dax_ops = {
.direct_access = pmem_dax_direct_access,
.copy_from_iter = pmem_copy_from_iter,
+ .flush = pmem_dax_flush,
};
static const struct attribute_group *pmem_attribute_groups[] = {
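Review bot: pmem_dax_flush() calls arch_wb_cache_pmem() unconditionally while the three dm variants above wrap the same call in `#ifdef CONFIG_ARCH_HAS_PMEM_API`; either drivers/nvdimm provides a stub for the !CONFIG case, in which case a comment saying so would help, or the ifdef is needed here too.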
--- a/include/linux/dax.h
+++ b/include/linux/dax.h
@@ -19,6 +19,8 @@ struct dax_operations {
/* copy_from_iter: required operation for fs-dax direct-i/o */
size_t (*copy_from_iter)(struct dax_device *, pgoff_t, void *, size_t,
struct iov_iter *);
+ /* flush: should be unused */
+ void (*flush)(struct dax_device *, pgoff_t, void *, size_t);
};
extern struct attribute_group dax_attribute_group;
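Review bot: re-adding `flush` as the trailing member of dax_operations restores the old layout only if it was the trailing member before c3ca015fab6d; the commit message should say so, and the `/* flush: should be unused */` comment could add that no in-tree code calls it, so nobody wires it back in.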
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -134,6 +134,8 @@ typedef long (*dm_dax_direct_access_fn)
long nr_pages, void **kaddr, pfn_t *pfn);
typedef size_t (*dm_dax_copy_from_iter_fn)(struct dm_target *ti, pgoff_t pgoff,
void *addr, size_t bytes, struct iov_iter *i);
+typedef void (*dm_dax_flush_fn)(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size);
#define PAGE_SECTORS (PAGE_SIZE / 512)
void dm_error(const char *message);
@@ -184,6 +186,7 @@ struct target_type {
dm_io_hints_fn io_hints;
dm_dax_direct_access_fn direct_access;
dm_dax_copy_from_iter_fn dax_copy_from_iter;
+ dm_dax_flush_fn dax_flush;
/* For internal device-mapper use. */
struct list_head list;

@ -0,0 +1,40 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 22:38:57 +0200
Subject: Revert "bpf: one perf event close won't free bpf program attached ..."
Forwarded: not-needed
This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was
commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream. It introduces
an ABI break that's not easily avoidable. The bug it fixes doesn't seem
to have any security impact.
---
--- a/include/linux/trace_events.h
+++ b/include/linux/trace_events.h
@@ -277,7 +277,6 @@ struct trace_event_call {
int perf_refcount;
struct hlist_head __percpu *perf_events;
struct bpf_prog *prog;
- struct perf_event *bpf_prog_owner;
int (*perf_perm)(struct trace_event_call *,
struct perf_event *);
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8126,7 +8126,6 @@ static int perf_event_set_bpf_prog(struc
}
}
event->tp_event->prog = prog;
- event->tp_event->bpf_prog_owner = event;
return 0;
}
@@ -8141,7 +8140,7 @@ static void perf_event_free_bpf_prog(str
return;
prog = event->tp_event->prog;
- if (prog && event->tp_event->bpf_prog_owner == event) {
+ if (prog) {
event->tp_event->prog = NULL;
bpf_prog_put(prog);
}
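Review bot: with `if (prog)` restored, closing any perf event bound to a shared tp_event frees and clears a program attached through a different event; the reference is still balanced by bpf_prog_put(), so the no-security-impact judgement in the message holds, but the functional regression (another event silently losing its program) should be named in the description for anyone bisecting later.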

@ -0,0 +1,22 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 11:59:43 +0200
Subject: SCSI: Avoid ABI change in 4.13.6
Forwarded: not-needed
Hide the new bitfield from genksyms, as it's using what used to be a
padding bit.
---
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -182,7 +182,10 @@ struct scsi_device {
unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
unsigned broken_fua:1; /* Don't set FUA bit */
unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */
+#ifndef __GENKSYMS__
unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
+ /* 19 unused bits */
+#endif
atomic_t disk_events_disable_depth; /* disable depth for disk events */
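Review bot: hiding `unmap_limit_for_ws:1` from genksyms keeps the CRC for `struct scsi_device` unchanged only if the bit really comes out of existing padding, which the `/* 19 unused bits */` comment asserts but this hunk cannot prove, since the preceding bitfield members are not all visible here; please verify the count against the full declaration. Modules built against the old header will see the bit as padding, which is harmless as long as none of them write that word; the `/* 19 unused bits */` comment could also sit outside the `#ifndef`, since it documents the layout the genksyms view is expected to share.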

debian/patches/series vendored (22 changed lines)

@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
# Miscellaneous features
@ -114,27 +113,11 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
bugfix/all/fix-infoleak-in-waitid-2.patch
bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
bugfix/all/waitid-Add-missing-access_ok-checks.patch
bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
bugfix/all/module-disable-matching-missing-version-crc.patch
# ABI maintenance
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
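Review bot: this hunk removes 16 lines from the `# Security fixes` block, but the rendered view carries no `-` markers, so it is not possible to tell from here which of the listed security fixes (nl80211, KVM nVMX cr8, fbdev aty infoleak, iscsi_if_rx, waitid, brcmfmac, powerpc TM, KEYS, ALSA seq, KVM MMU) were dropped; each removal should be matched against the 4.13.5 to 4.13.9 stable changelog entries before merging, because dropping a patch that is not actually upstream would silently reintroduce the vulnerability. The `# ABI maintenance` header also disappears from this location, consistent with its being recreated at the end of the file.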
@ -146,3 +129,8 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/cpupower-bump-soname-version.patch
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
bugfix/all/tools-lib-lockdep-define-pr_cont.patch
# ABI maintenance
debian/scsi-avoid-abi-change-in-4.13.6.patch
debian/dax-avoid-abi-change-in-4.13.5.patch
debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
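Review bot: the three new `# ABI maintenance` entries are appended last, after the tools fixes, which is the right place since they must apply on top of the upstream stable changes; the two named for a stable version (`scsi-avoid-abi-change-in-4.13.6`, `dax-avoid-abi-change-in-4.13.5`) make it obvious when they can be dropped, so the bpf revert should either follow the same naming or carry a comment here that it is to be removed at the next ABI bump, because it reverts a real upstream bugfix rather than only hiding a symbol.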