Update to 4.13.9
Drop many patches which are now upstream. Avoid/ignore ABI changes as appropriate.
parent de909222d8
commit 48bb38a3f7
@ -1,9 +1,334 @@
linux (4.13.4-3) UNRELEASED; urgency=medium
linux (4.13.9-1) UNRELEASED; urgency=medium

* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
- cifs: check rsp for NULL before dereferencing in SMB2_open
- cifs: release cifs root_cred after exit_cifs
- cifs: release auth_key.response for reconnect.
- nvme-pci: fix host memory buffer allocation fallback
- nvme-pci: use appropriate initial chunk size for HMB allocation
- nvme-pci: propagate (some) errors from host memory buffer setup
- dax: remove the pmem_dax_ops->flush abstraction
- dm integrity: do not check integrity for failed read operations
- mmc: block: Fix incorrectly initialized requests
- fs/proc: Report eip/esp in /prod/PID/stat for coredumping
- scsi: scsi_transport_fc: fix NULL pointer dereference in
fc_bsg_job_timeout
- cifs: SMB3: Add support for multidialect negotiate (SMB2.1 and later)
- mac80211: fix VLAN handling with TXQs
- mac80211_hwsim: Use proper TX power
- mac80211: flush hw_roc_start work before cancelling the ROC
- genirq: Make sparse_irq_lock protect what it should protect
- genirq/msi: Fix populating multiple interrupts
- genirq: Fix cpumask check in __irq_startup_managed()
- [powerpc*] KVM: Book3S HV: Hold kvm->lock around call to
kvmppc_update_lpcr
- [powerpc*] KVM: Book3S HV: Fix bug causing host SLB to be restored
incorrectly
- [powerpc*] KVM: PPC: Book3S HV: Don't access XIVE PIPR register using
byte accesses
- tracing: Fix trace_pipe behavior for instance traces
- tracing: Erase irqsoff trace with empty write
- tracing: Remove RCU work arounds from stack tracer
- md/raid5: fix a race condition in stripe batch
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
- scsi: aacraid: Fix 2T+ drives on SmartIOC-2000
- scsi: aacraid: Add a small delay after IOP reset
- [armhf] drm/exynos: Fix locking in the suspend/resume paths
- [x86] drm/i915/gvt: Fix incorrect PCI BARs reporting
- Revert "drm/i915/bxt: Disable device ready before shutdown command"
- drm/amdgpu: revert tile table update for oland
- drm/radeon: disable hard reset in hibernate for APUs
- crypto: drbg - fix freeing of resources
- security/keys: properly zero out sensitive key material in big_key
- security/keys: rewrite all of big_key crypto
- KEYS: fix writing past end of user-supplied buffer in keyring_read()
- KEYS: prevent creating a different user's keyrings
- [x86] libnvdimm, namespace: fix btt claim class crash
- [powerpc*] eeh: Create PHB PEs after EEH is initialized
- [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
- [powerpc*] tm: Flush TM only if CPU has TM feature
- [mips*] Fix perf event init
- [s390x] perf: fix bug when creating per-thread event
- [s390x] mm: make pmdp_invalidate() do invalidation only
- [s390x] mm: fix write access check in gup_huge_pmd()
- PM: core: Fix device_pm_check_callbacks()
- Revert "IB/ipoib: Update broadcast object if PKey value was changed in
index 0"
- cifs: Fix SMB3.1.1 guest authentication to Samba
- cifs: SMB3: Fix endian warning
- cifs: SMB3: Warn user if trying to sign connection that authenticated as
guest
- cifs: SMB: Validate negotiate (to protect against downgrade) even if
signing off
- cifs: SMB3: handle new statx fields
- cifs: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
- libceph: don't allow bidirectional swap of pg-upmap-items
- brd: fix overflow in __brd_direct_access
- gfs2: Fix debugfs glocks dump
- bsg-lib: don't free job in bsg_prepare_job
- iw_cxgb4: drop listen destroy replies if no ep found
- iw_cxgb4: remove the stid on listen create failure
- iw_cxgb4: put ep reference in pass_accept_req()
- rcu: Allow for page faults in NMI handlers
- mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
- extable: Consolidate *kernel_text_address() functions
- extable: Enable RCU if it is not watching in kernel_text_address()
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
- [arm64] Make sure SPsel is always set
- [arm64] mm: Use READ_ONCE when dereferencing pointer to pte table
- [arm64] fault: Route pte translation faults via do_translation_fault
- [x86] KVM: VMX: extract __pi_post_block
- [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
- [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
- [x86] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache
- [x86] kvm: Handle async PF in RCU read-side critical sections
- xfs: validate bdev support for DAX inode flag
- sched/sysctl: Check user input value of sysctl_sched_time_avg
- irq/generic-chip: Don't replace domain's name
- mtd: Fix partition alignment check on multi-erasesize devices
- [armhf] etnaviv: fix submit error path
- [armhf] etnaviv: fix gem object list corruption
- futex: Fix pi_state->owner serialization
- md: fix a race condition for flush request handling
- md: separate request handling
- PCI: Fix race condition with driver_override
- btrfs: fix NULL pointer dereference from free_reloc_roots()
- btrfs: clear ordered flag on cleaning up ordered extents
- btrfs: finish ordered extent cleaning if no progress is found
- btrfs: propagate error to btrfs_cmp_data_prepare caller
- btrfs: prevent to set invalid default subvolid
- [x86] platform: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt
- PM / OPP: Call notifier without holding opp_table->lock
- [x86] mm: Fix fault error path using unsafe vma pointer
- [x86] fpu: Don't let userspace set bogus xcomp_bv
- [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
- [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
- [x86] KVM: VMX: use cmpxchg64
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
- [armhf,arm64] usb: dwc3: ep0: fix DMA starvation by assigning req->trb on
ep0
- mlxsw: spectrum: Fix EEPROM access in case of SFP/SFP+
- net: bonding: Fix transmit load balancing in balance-alb mode if
specified by sysfs
- openvswitch: Fix an error handling path in
'ovs_nla_init_match_and_action()'
- net: bonding: fix tlb_dynamic_lb default value
- net_sched: gen_estimator: fix scaling error in bytes/packets samples
- net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
- tcp: update skb->skb_mstamp more carefully
- bpf/verifier: reject BPF_ALU64|BPF_END
- tcp: fix data delivery rate
- udpv6: Fix the checksum computation when HW checksum does not apply
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
- net: phy: Fix mask value write on gmii2rgmii converter speed register
- ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
- net/sched: cls_matchall: fix crash when used with classful qdisc
- 8139too: revisit napi_complete_done() usage
- bpf: do not disable/enable BH in bpf_map_free_id()
- tcp: fastopen: fix on syn-data transmit failure
- [powerpc*] net: emac: Fix napi poll list corruption
- net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure
- packet: hold bind lock when rebinding to fanout hook
- net: change skb->mac_header when Generic XDP calls adjust_head
- net_sched: always reset qdisc backlog in qdisc_reset()
- [armhf,arm64] net: stmmac: Cocci spatch "of_table"
- [arm64] net: qcom/emac: specify the correct size when mapping a DMA buffer
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
- l2tp: fix race condition in l2tp_tunnel_delete
- tun: bail out from tun_get_user() if the skb is empty
- [armhf,arm64] net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple
vlans
- [armhf,arm64] net: dsa: Fix network device registration order
- packet: in packet_do_bind, test fanout with bind_lock held
- packet: only test po->has_vnet_hdr once in packet_snd
- [armhf,arm64] net: dsa: mv88e6xxx: lock mutex when freeing IRQs
- net: Set sk_prot_creator when cloning sockets to the right proto
- net/mlx5e: IPoIB, Fix access to invalid memory address
- netlink: do not proceed if dump's start() errs
- ip6_gre: ip6gre_tap device should keep dst
- ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
- IPv4: early demux can return an error code
- tipc: use only positive error codes in messages
- l2tp: fix l2tp_eth module loading
- socket, bpf: fix possible use after free
- net: rtnetlink: fix info leak in RTM_GETSTATS call
- [amd64] bpf: fix bpf_tail_call() x64 JIT
- usb: gadget: core: fix ->udc_set_speed() logic
- USB: gadgetfs: Fix crash caused by inadequate synchronization
- USB: gadgetfs: fix copy_to_user while holding spinlock
- usb: gadget: udc: atmel: set vbus irqflags explicitly
- usb-storage: unusual_devs entry to fix write-access regression for
Seagate external drives
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices
- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
- usb: pci-quirks.c: Corrected timeout values used in handshake
- USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
- USB: dummy-hcd: fix connection failures (wrong speed)
- USB: dummy-hcd: fix infinite-loop resubmission bug
- USB: dummy-hcd: Fix erroneous synchronization change
- USB: devio: Prevent integer overflow in proc_do_submiturb()
- USB: devio: Don't corrupt user memory
- USB: g_mass_storage: Fix deadlock when driver is unbound
- USB: uas: fix bug in handling of alternate settings
- USB: core: harden cdc_parse_cdc_header
- usb: Increase quirk delay for USB devices
- USB: fix out-of-bounds in usb_set_configuration
- usb: xhci: Free the right ring in xhci_add_endpoint()
- xhci: fix finding correct bus_state structure for USB 3.1 hosts
- xhci: fix wrong endpoint ESIT value shown in tracing
- usb: host: xhci-plat: allow sysdev to inherit from ACPI
- xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
- xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
- [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
- [armhf] iio: adc: twl4030: Fix an error handling path in
'twl4030_madc_probe()'
- [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
handling path of 'twl4030_madc_probe()'
- iio: core: Return error for failed read_reg
- uwb: properly check kthread_run return value
- uwb: ensure that endpoint is interrupt
- ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
- mm, hugetlb, soft_offline: save compound page order before page migration
- mm, oom_reaper: skip mm structs with mmu notifiers
- mm: fix RODATA_TEST failure "rodata_test: test data was not read only"
- mm: avoid marking swap cached page as lazyfree
- mm: fix data corruption caused by lazyfree page
- userfaultfd: non-cooperative: fix fork use after free
- ALSA: compress: Remove unused variable
- Revert "ALSA: echoaudio: purge contradictions between dimension matrix
members and total number of members"
- ALSA: usx2y: Suppress kernel warning at page allocation failures
- [powerpc*] powernv: Increase memory block size to 1GB on radix
- [powerpc*] Fix action argument for cpufeatures-based TLB flush
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
- [x86] intel_th: pci: Add Lewisburg PCH support
- driver core: platform: Don't read past the end of "driver_override" buffer
- cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute()
returns
- [x86] Drivers: hv: fcopy: restore correct transfer length
- [x86] vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
- ftrace: Fix kmemleak in unregister_ftrace_graph
- ovl: fix error value printed in ovl_lookup_index()
- ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
- ovl: fix dentry leak in ovl_indexdir_cleanup()
- ovl: fix missing unlock_rename() in ovl_do_copy_up()
- ovl: fix regression caused by exclusive upper/work dir protection
- [arm64] dt marvell: Fix AP806 system controller size
- [arm64] Ensure the instruction emulation is ready for userspace
- HID: rmi: Make sure the HID device is opened on resume
- HID: i2c-hid: allocate hid buffers for real worst case
- HID: wacom: leds: Don't try to control the EKR's read-only LEDs
- HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
- HID: wacom: Correct coordinate system of touchring and pen twist
- HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
- HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
- HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
- HID: wacom: bits shifted too much for 9th and 10th buttons
- btrfs: avoid overflow when sector_t is 32 bit
- Btrfs: fix overlap of fs_info::flags values
- dm crypt: reject sector_size feature if device length is not aligned to it
- dm ioctl: fix alignment of event number in the device list
- dm crypt: fix memory leak in crypt_ctr_cipher_old()
- [powerpc*] KVM: Book3S: Fix server always zero from kvmppc_xive_get_xive()
- [x86] kvm: Avoid async PF preempting the kernel incorrectly
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
- scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
- scsi: sd: Do not override max_sectors_kb sysfs setting
- brcmfmac: setup passive scan if requested by user-space
- [x86] drm/i915: always update ELD connector type after get modes
- [x86] drm/i915/bios: ignore HDMI on port A
- bsg-lib: fix use-after-free under memory-pressure
- nvme-pci: Use PCI bus address for data/queues in CMB
- mmc: core: add driver strength selection when selecting hs400es
- nl80211: Define policy for packet pattern attributes
- [armhf] clk: samsung: exynos4: Enable VPLL and EPLL clocks for
suspend/resume cycle
- udp: perform source validation for mcast early demux
- udp: fix bcast packet reception
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.7
- watchdog: Revert "iTCO_wdt: all versions count down twice"
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8
- USB: dummy-hcd: Fix deadlock caused by disconnect detection
- [mips*] math-emu: Remove pr_err() calls from fpu_emu()
- [mips*] bpf: Fix uninitialised target compiler error
- [x86] mei: always use domain runtime pm callbacks.
- [armhf] dmaengine: edma: Align the memcpy acnt array size with the
transfer
- [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
dma_inuse
- NFS: Fix uninitialized rpc_wait_queue
- nfs/filelayout: fix oops when freeing filelayout segment
- HID: usbhid: fix out-of-bounds bug
- crypto: skcipher - Fix crash on zero-length input
- crypto: shash - Fix zero-length shash ahash digest crash
- [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
- [x86] pinctrl/amd: Fix build dependency on pinmux code
- [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
- device property: Track owner device of device property
- Revert "vmalloc: back off when the current task is killed"
- fs/mpage.c: fix mpage_writepage() for pages with buffers
- ALSA: usb-audio: Kill stray URB at exiting
- ALSA: seq: Fix copy_from_user() call inside lock
- ALSA: caiaq: Fix stray URB at probe error path
- ALSA: line6: Fix NULL dereference at podhd_disconnect()
- ALSA: line6: Fix missing initialization before error path
- ALSA: line6: Fix leftover URB at error-path during probe
- drm/atomic: Unref duplicated drm_atomic_state in
drm_atomic_helper_resume()
- [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
- [x86] drm/i915: Read timings from the correct transcoder in
intel_crtc_mode_get()
- [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
AUX channel
- [x86] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
- usb: gadget: configfs: Fix memory leak of interface directory data
- usb: gadget: composite: Fix use-after-free in
usb_composite_overwrite_options
- [arm64] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping
functions
- [armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"
- direct-io: Prevent NULL pointer access in submit_page_section
- fix unbalanced page refcounting in bio_map_user_iov
- more bio_map_user_iov() leak fixes
- bio_copy_user_iov(): don't ignore ->iov_offset
- perf script: Add missing separator for "-F ip,brstack" (and brstackoff)
- genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
- genirq/cpuhotplug: Add sanity check for effective affinity mask
- USB: serial: cp210x: fix partnum regression
- USB: serial: console: fix use-after-free on disconnect
- USB: serial: console: fix use-after-free after failed setup
- RAS/CEC: Use the right length for "cec_disable"
- [x86] alternatives: Fix alt_max_short macro to really be a max()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.9
- [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on CPUs
without the feature
- [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on
hypervisors
- [armhf,arm64] perf pmu: Unbreak perf record for arm/arm64 with events
with explicit PMU
- mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE outside of lock
- HID: hid-elecom: extend to fix descriptor for HUGE trackball
- [x86] Drivers: hv: vmbus: Fix rescind handling issues
- [x86] Drivers: hv: vmbus: Fix bugs in rescind handling
- [x86] vmbus: simplify hv_ringbuffer_read
- [x86] vmbus: refactor hv_signal_on_read
- [x86] vmbus: eliminate duplicate cached index
- [x86] vmbus: more host signalling avoidance

[ Ben Hutchings ]
* [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
* Update build dependencies on libbabeltrace[,-ctf}-dev
* linux-kbuild: Include scripts/ld-version.sh, needed for powerpc 64-bit
modules
* dax: Avoid most ABI changes in 4.13.5
* SCSI: Avoid ABI change in 4.13.6
* [x86] kvm: Ignore ABI change in 4.13.6
* seq-virmidi: Ignore ABI change in 4.13.8
* Revert "bpf: one perf event close won't free bpf program attached ..."
to avoid an ABI change

-- Ben Hutchings <ben@decadent.org.uk> Wed, 18 Oct 2017 20:03:01 +0100

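Review bot: The new 4.13.9-1 entry never records the patches this commit deletes: none of the five stable-update lists names "ALSA: seq: Fix use-after-free at creating a port" (CVE-2017-15265) or "KEYS: prevent KEYCTL_READ on negative key" (CVE-2017-12192), whose Debian patch files are removed further down, and the [Ben Hutchings] section lists only the ABI ignores and the bpf revert, so add a bullet naming the dropped patches (or their CVE ids) for security-tracker traceability. Two typos in the same hunk: the added line "[armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"" repeats one architecture tag twice, and the unchanged context line "Update build dependencies on libbabeltrace[,-ctf}-dev" mixes [ and } where libbabeltrace{,-ctf}-dev was presumably meant; since the entry is still UNRELEASED both can be fixed in place.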
@ -4,7 +4,9 @@ ignore-changes:
__cpuhp_*
bpf_analyzer
cxl_*
dax_flush
iommu_device_*
kvm_async_pf_task_wait
mm_iommu_*
perf_*
register_cxl_calls
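Review bot: The two symbols added to ignore-changes here, dax_flush and kvm_async_pf_task_wait, carry no comment saying which 4.13.y change altered them or why suppressing the ABI check is acceptable for out-of-tree modules, while the existing btree_* entry in the next hunk does have such a comment; add one line per symbol pointing at the corresponding changelog items ("dax: Avoid most ABI changes in 4.13.5", "[x86] kvm: Ignore ABI change in 4.13.6") so the entries can be reviewed when the ABI number is next bumped.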
@ -30,6 +32,7 @@ ignore-changes:
module:fs/nfs/**
module:net/ceph/libceph
module:net/l2tp/l2tp_core
module:sound/core/seq/snd-seq-virmidi
module:sound/firewire/snd-firewire-lib
# btree library is only selected by few drivers so not useful OOT
btree_*
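Review bot: A module: entry such as the added module:sound/core/seq/snd-seq-virmidi suppresses ABI checking for every symbol that module exports, which is broader than the single change the changelog item "seq-virmidi: Ignore ABI change in 4.13.8" describes; if only one or two symbols changed, prefer symbol-level entries like those in the first hunk, and in either case add a comment naming the changed symbol, following the existing "# btree library is only selected by few drivers so not useful OOT" example just below.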
@ -1,141 +0,0 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 9 Oct 2017 11:09:20 +0200
Subject: ALSA: seq: Fix use-after-free at creating a port
Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265

There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[<ffffffff81b03781>] dump_stack+0x63/0x82
[<ffffffff81531b3b>] print_trailer+0xfb/0x160
[<ffffffff81536db4>] object_err+0x34/0x40
[<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
[<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
[<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
[<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
[<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
[<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
.....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use. Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 6 +++++-
sound/core/seq/seq_ports.c | 7 +++++--
2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index ea2d0ae85bd3..6c9cba2166d9 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
struct snd_seq_port_info *info = arg;
struct snd_seq_client_port *port;
struct snd_seq_port_callback *callback;
+ int port_idx;

/* it is not allowed to create the port for an another client */
if (info->addr.client != client->number)
@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
return -ENOMEM;

if (client->type == USER_CLIENT && info->kernel) {
- snd_seq_delete_port(client, port->addr.port);
+ port_idx = port->addr.port;
+ snd_seq_port_unlock(port);
+ snd_seq_delete_port(client, port_idx);
return -EINVAL;
}
if (client->type == KERNEL_CLIENT) {
@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)

snd_seq_set_port_info(port, info);
snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
+ snd_seq_port_unlock(port);

return 0;
}
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 0a7020c82bfc..d21ece9f8d73 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
}


-/* create a port, port number is returned (-1 on failure) */
+/* create a port, port number is returned (-1 on failure);
+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
+ */
struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
int port)
{
@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
snd_use_lock_init(&new_port->use_lock);
port_subs_info_init(&new_port->c_src);
port_subs_info_init(&new_port->c_dest);
+ snd_use_lock_use(&new_port->use_lock);

num = port >= 0 ? port : 0;
mutex_lock(&client->ports_mutex);
@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
list_add_tail(&new_port->list, &p->list);
client->num_ports++;
new_port->addr.port = num; /* store the port number in the port */
+ sprintf(new_port->name, "port-%d", num);
write_unlock_irqrestore(&client->ports_lock, flags);
mutex_unlock(&client->ports_mutex);
- sprintf(new_port->name, "port-%d", num);

return new_port;
}
--
2.11.0

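Review bot: Deleting this patch file is only correct if upstream commit 71105998845f (its Origin line) is in the 4.13.y releases being merged, and nothing on this page confirms that: none of the five stable-update lists in the changelog hunk names "ALSA: seq: Fix use-after-free at creating a port" (the 4.13.8 list has the different "ALSA: seq: Fix copy_from_user() call inside lock"), and with the file gone the Bug-Debian-Security line pointing at CVE-2017-15265 disappears from the tree; state in the commit message or changelog which stable release carries the fix.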
@ -1,81 +0,0 @@
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 18 Sep 2017 11:37:23 -0700
Subject: KEYS: prevent KEYCTL_READ on negative key
Origin: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12192

Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key. If the key is
also possessed, we went ahead and called ->read() on the key. But the
key payload will actually contain the ->reject_error rather than the
normal payload. Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...

Reproducer:
keyctl new_session
keyctl request2 user desc '' @s
keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

It causes a crash like the following:
BUG: unable to handle kernel paging request at 00000000ffffff92
IP: user_read+0x33/0xa0
PGD 36a54067 P4D 36a54067 PUD 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
RIP: 0010:user_read+0x33/0xa0
RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
Call Trace:
keyctl_read_key+0xac/0xe0
SyS_keyctl+0x99/0x120
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f58ec787bb9
RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
CR2: 00000000ffffff92

Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
Cc: <stable@vger.kernel.org> [v3.13+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/keyctl.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index aa1d11a29136..365ff85d7e27 100644
--- a/security/keys/keyctl.c
|
|
||||||
+++ b/security/keys/keyctl.c
|
|
||||||
@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
|
|
||||||
|
|
||||||
key = key_ref_to_ptr(key_ref);
|
|
||||||
|
|
||||||
+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
|
|
||||||
+ ret = -ENOKEY;
|
|
||||||
+ goto error2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* see if we can read it directly */
|
|
||||||
ret = key_permission(key_ref, KEY_NEED_READ);
|
|
||||||
if (ret == 0)
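Review bot: the new check hardcodes -ENOKEY, yet the commit message itself says the payload of a negative key holds ->reject_error, so a key that was rejected with some other error is reported to userspace as plain ENOKEY; returning key->reject_error here would preserve that distinction. Also note the check runs before key_permission(key_ref, KEY_NEED_READ), so a caller who can look the key up but has no read permission now learns that it is negative (ENOKEY instead of EACCES); probably acceptable, but worth stating as intended.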
--
2.15.0.rc0

@ -1,72 +0,0 @@
From: Arend Van Spriel <arend.vanspriel@broadcom.com>
Date: Tue, 12 Sep 2017 10:47:53 +0200
Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786

Upon handling the firmware notification for scans the length was
checked properly and may result in corrupting kernel heap memory
due to buffer overruns. This fix addresses CVE-2017-0786.

Cc: stable@vger.kernel.org # v4.0.x
Cc: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
.../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index aaed4ab503ad..26a0de371c26 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
s32 status;
struct brcmf_escan_result_le *escan_result_le;
+ u32 escan_buflen;
struct brcmf_bss_info_le *bss_info_le;
struct brcmf_bss_info_le *bss = NULL;
u32 bi_length;
@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,

if (status == BRCMF_E_STATUS_PARTIAL) {
brcmf_dbg(SCAN, "ESCAN Partial result\n");
+ if (e->datalen < sizeof(*escan_result_le)) {
+ brcmf_err("invalid event data length\n");
+ goto exit;
+ }
escan_result_le = (struct brcmf_escan_result_le *) data;
if (!escan_result_le) {
brcmf_err("Invalid escan result (NULL pointer)\n");
goto exit;
}
+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
+ escan_buflen > e->datalen ||
+ escan_buflen < sizeof(*escan_result_le)) {
+ brcmf_err("Invalid escan buffer length: %d\n",
+ escan_buflen);
+ goto exit;
+ }
if (le16_to_cpu(escan_result_le->bss_count) != 1) {
brcmf_err("Invalid bss_count %d: ignoring\n",
escan_result_le->bss_count);
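Review bot: `brcmf_err("Invalid escan buffer length: %d\n", escan_buflen)` prints a u32 with %d; use %u so an oversized buflen, which is exactly the case this branch rejects, is not logged as a negative number. The ordering is otherwise right: e->datalen is validated before the first dereference of escan_result_le, and buflen is bounded by both BRCMF_ESCAN_BUF_SIZE and e->datalen before anything uses it.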
@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
}

bi_length = le32_to_cpu(bss_info_le->length);
- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
- WL_ESCAN_RESULTS_FIXED_SIZE)) {
- brcmf_err("Invalid bss_info length %d: ignoring\n",
+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
+ brcmf_err("Ignoring invalid bss_info length: %d\n",
bi_length);
goto exit;
}
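Review bot: the lower bound added in the previous hunk is `escan_buflen < sizeof(*escan_result_le)`, but the subtraction here is `escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE` in unsigned arithmetic; unless WL_ESCAN_RESULTS_FIXED_SIZE <= sizeof(*escan_result_le) is guaranteed, a buflen between the two constants would wrap and the comparison with bi_length would be meaningless. Either bound escan_buflen against WL_ESCAN_RESULTS_FIXED_SIZE as well, or add a comment tying the two constants together. The rewording of the error string is unrelated to the fix and only makes the message harder to grep across versions.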
--
2.11.0

@ -1,66 +0,0 @@
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri, 29 Sep 2017 13:43:15 -0400
Subject: fix infoleak in waitid(2)
Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954

kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
case and waitid(2) rusage should've been copied out exactly in that case, *not*
whenever kernel_waitid() has not returned an error. Compat variant shares that
braino; none of kernel_wait4() callers do, so the below ought to fix it.

Reported-and-tested-by: Alexander Potapenko <glider@google.com>
Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
Cc: stable@vger.kernel.org # v4.13
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
kernel/exit.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/kernel/exit.c b/kernel/exit.c
index 3481ababd06a..f2cd53e92147 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
struct waitid_info info = {.status = 0};
long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
int signo = 0;
+
if (err > 0) {
signo = SIGCHLD;
err = 0;
- }
-
- if (!err) {
if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
return -EFAULT;
}
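Review bot: the native variant loses the explanatory comment that the compat variant keeps ("kernel_waitid() overwrites everything in ru"); now that copy_to_user() is confined to the err > 0 branch, a one-line comment saying r is only valid after a successful wait would stop someone from hoisting the copy back out. The added bare `+` line after `int signo = 0;` is a whitespace-only change mixed into a security fix.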
@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
if (err > 0) {
signo = SIGCHLD;
err = 0;
- }
-
- if (!err && uru) {
- /* kernel_waitid() overwrites everything in ru */
- if (COMPAT_USE_64BIT_TIME)
- err = copy_to_user(uru, &ru, sizeof(ru));
- else
- err = put_compat_rusage(&ru, uru);
- if (err)
- return -EFAULT;
+ if (uru) {
+ /* kernel_waitid() overwrites everything in ru */
+ if (COMPAT_USE_64BIT_TIME)
+ err = copy_to_user(uru, &ru, sizeof(ru));
+ else
+ err = put_compat_rusage(&ru, uru);
+ if (err)
+ return -EFAULT;
+ }
}

if (!infop)
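Review bot: `err` is reused inside the err > 0 branch to hold the copy_to_user()/put_compat_rusage() result immediately after it was cleared to 0; the code is correct because every failure path returns -EFAULT, but a separate local for the copy status would make it obvious that the kernel_waitid() result is not being clobbered.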
--
2.14.2

@ -1,151 +0,0 @@
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 6 Sep 2017 15:01:42 +0200
Subject: mac80211: fix deadlock in driver-managed RX BA session start
Origin: https://git.kernel.org/linus/bde59c475e0883e4c4294bcd9b9c7e08ae18c828
Bug-Debian: https://bugs.debian.org/878092

When an RX BA session is started by the driver, and it has to tell
mac80211 about it, the corresponding bit in tid_rx_manage_offl gets
set and the BA session work is scheduled. Upon testing this bit, it
will call __ieee80211_start_rx_ba_session(), thus deadlocking as it
already holds the ampdu_mlme.mtx, which that acquires again.

Fix this by adding ___ieee80211_start_rx_ba_session(), a version of
the function that requires the mutex already held.

Cc: stable@vger.kernel.org
Fixes: 699cb58c8a52 ("mac80211: manage RX BA session offload without SKB queue")
Reported-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/agg-rx.c | 32 +++++++++++++++++++++-----------
net/mac80211/ht.c | 6 +++---
net/mac80211/ieee80211_i.h | 4 ++++
3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 2b36eff5d97e..2849a1fc41c5 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
ieee80211_tx_skb(sdata, skb);
}

-void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- u8 dialog_token, u16 timeout,
- u16 start_seq_num, u16 ba_policy, u16 tid,
- u16 buf_size, bool tx, bool auto_seq)
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq)
{
struct ieee80211_local *local = sta->sdata->local;
struct tid_ampdu_rx *tid_agg_rx;
@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
ht_dbg(sta->sdata,
"STA %pM requests BA session on unsupported tid %d\n",
sta->sta.addr, tid);
- goto end_no_lock;
+ goto end;
}

if (!sta->sta.ht_cap.ht_supported) {
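Review bot: the early-exit paths now `goto end` with ampdu_mlme.mtx held (as the function now requires), but the `end:` label and whatever sits between it and the removed mutex_unlock() are outside this patch; please confirm that block is guarded by status == WLAN_STATUS_SUCCESS, so that these rejected requests do not mark the session valid or record the dialog token. The same applies to the other `goto end_no_lock` to `goto end` conversions in the following hunks.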
@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
"STA %pM erroneously requests BA session on tid %d w/o QoS\n",
sta->sta.addr, tid);
/* send a response anyway, it's an error case if we get here */
- goto end_no_lock;
+ goto end;
}

if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
ht_dbg(sta->sdata,
"Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
sta->sta.addr, tid);
- goto end_no_lock;
+ goto end;
}

/* sanity check for incoming parameters:
@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
ht_dbg_ratelimited(sta->sdata,
"AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
sta->sta.addr, tid, ba_policy, buf_size);
- goto end_no_lock;
+ goto end;
}
/* determine default buffer size */
if (buf_size == 0)
@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
buf_size, sta->sta.addr);

/* examine state machine */
- mutex_lock(&sta->ampdu_mlme.mtx);
+ lockdep_assert_held(&sta->ampdu_mlme.mtx);

if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
@@ -415,15 +415,25 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
__clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
}
- mutex_unlock(&sta->ampdu_mlme.mtx);

-end_no_lock:
if (tx)
ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
dialog_token, status, 1, buf_size,
timeout);
}

+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq)
+{
+ mutex_lock(&sta->ampdu_mlme.mtx);
+ ___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
+ start_seq_num, ba_policy, tid,
+ buf_size, tx, auto_seq);
+ mutex_unlock(&sta->ampdu_mlme.mtx);
+}
+
void ieee80211_process_addba_request(struct ieee80211_local *local,
struct sta_info *sta,
struct ieee80211_mgmt *mgmt,
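Review bot: the new ___ieee80211_start_rx_ba_session() carries no comment stating its locking contract; the lockdep_assert_held() in the body is the only hint that ampdu_mlme.mtx must be held, and it is silent without CONFIG_PROVE_LOCKING. A one-line comment above the definition (and the declaration in ieee80211_i.h) saying "caller must hold sta->ampdu_mlme.mtx" would help the next caller, since the two names differ by a single underscore.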
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 4cba7fca10d4..d6d0b4201e40 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -351,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)

if (test_and_clear_bit(tid,
sta->ampdu_mlme.tid_rx_manage_offl))
- __ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
- IEEE80211_MAX_AMPDU_BUF,
- false, true);
+ ___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
+ IEEE80211_MAX_AMPDU_BUF,
+ false, true);

if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
sta->ampdu_mlme.tid_rx_manage_offl))
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 2197c62a0a6e..9675814f64db 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
u8 dialog_token, u16 timeout,
u16 start_seq_num, u16 ba_policy, u16 tid,
u16 buf_size, bool tx, bool auto_seq);
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+ u8 dialog_token, u16 timeout,
+ u16 start_seq_num, u16 ba_policy, u16 tid,
+ u16 buf_size, bool tx, bool auto_seq);
void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
enum ieee80211_agg_stop_reason reason);
void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
--
2.15.0.rc0

@ -1,36 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 12 Sep 2017 22:21:21 +0000
Subject: nl80211: check for the required netlink attributes presence
Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153

nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.

This fixes CVE-2017-12153.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Cc: <stable@vger.kernel.org> # v3.1-rc1
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
if (err)
return err;

+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
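Review bot: the presence check is correct and -EINVAL is the right code for a missing attribute (the existing -ERANGE is reserved for wrong lengths), and it sits before the first nla_len() dereference, which is what matters. Style: add a blank line after `return -EINVAL;` to match the spacing around `return err;` above. Separately, the Origin is a mailing-list posting rather than a mainline commit id, so this patch cannot be matched against upstream by hash when the stable update is checked; the changelog claims these patches are now upstream, so the header should cite the merged commit.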
@ -1,79 +0,0 @@
From: Cyril Bur <cyrilbur@gmail.com>
Date: Thu, 17 Aug 2017 20:42:26 +1000
Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
checks
Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255

When using transactional memory (TM), the CPU can be in one of six
states as far as TM is concerned, encoded in the Machine State
Register (MSR). Certain state transitions are illegal and if attempted
trigger a "TM Bad Thing" type program check exception.

If we ever hit one of these exceptions it's treated as a bug, ie. we
oops, and kill the process and/or panic, depending on configuration.

One case where we can trigger a TM Bad Thing, is when returning to
userspace after a system call or interrupt, using RFID. When this
happens the CPU first restores the user register state, in particular
r1 (the stack pointer) and then attempts to update the MSR. However
the MSR update is not allowed and so we take the program check with
the user register state, but the kernel MSR.

This tricks the exception entry code into thinking we have a bad
kernel stack pointer, because the MSR says we're coming from the
kernel, but r1 is pointing to userspace.

To avoid this we instead always switch to the emergency stack if we
take a TM Bad Thing from the kernel. That way none of the user
register values are used, other than for printing in the oops message.

This is the fix for CVE-2017-1000255.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
[mpe: Rewrite change log & comments, tweak asm slightly]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 48da0f5d2f7f..b82586c53560 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
TRAMP_KVM(PACA_EXGEN, 0x700)
EXC_COMMON_BEGIN(program_check_common)
- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
+ /*
+ * It's possible to receive a TM Bad Thing type program check with
+ * userspace register values (in particular r1), but with SRR1 reporting
+ * that we came from the kernel. Normally that would confuse the bad
+ * stack logic, and we would report a bad kernel stack pointer. Instead
+ * we switch to the emergency stack if we're taking a TM Bad Thing from
+ * the kernel.
+ */
+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
+ oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
+ and r10,r10,r12 /* Mask SRR1 with that. */
+ srdi r10,r10,8 /* Shift it so we can compare */
+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
+ bne 1f /* If != go to normal path. */
+
+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
+ /* 3 in EXCEPTION_PROLOG_COMMON */
+ mr r10,r1 /* Save r1 */
+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
+ b 3f /* Jump into the macro !! */
+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
bl save_nvgprs
RECONCILE_IRQ_STATE(r10, r11)
addi r3,r1,STACK_FRAME_OVERHEAD
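Review bot: `b 3f` jumps into the middle of EXCEPTION_PROLOG_COMMON and relies on that macro's local label 3 sitting just after its own stack-switch code, with CR0 pre-set by the `andi. r10,r12,MSR_PR` above and r10 holding the saved r1; nothing in the macro definition records this dependency, so a later edit there can silently break this path. Add a comment at label 3 in the macro pointing back here. Minor: the comments name SRR1_PROGTM but the code uses the literal 0x200000 twice; use the symbolic constant if reg.h provides one, and drop the stray `;` after `andi. r10,r12,MSR_PR`.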
--
2.11.0

@ -1,62 +0,0 @@
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;

- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);

+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);

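Review bot: `regs->msr |= MSR_TM;` silently corrects a user-supplied MSR with TM cleared, whereas the reserved-bits case a few lines up (`if (MSR_TM_RESV(msr)) return -EINVAL;`) rejects the sigframe outright. The comment explains why forcing TM on is the right answer for case (b), a load_tm overflow the kernel caused itself, but it should also say explicitly why case (a), a user-constructed sigframe, is repaired rather than rejected, so the two policies do not look inconsistent to the next reader.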
--
2.11.0

@ -1,55 +0,0 @@
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 27 Aug 2017 20:25:26 +0800
Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
Origin: https://patchwork.kernel.org/patch/9923803/
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489

ChunYu found a kernel crash by syzkaller:

[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[ 651.627260] Call Trace:
[ 651.629156] skb_release_all+0x4f/0x60
[ 651.629450] consume_skb+0x1a5/0x600
[ 651.630705] netlink_unicast+0x505/0x720
[ 651.632345] netlink_sendmsg+0xab2/0xe70
[ 651.633704] sock_sendmsg+0xcf/0x110
[ 651.633942] ___sys_sendmsg+0x833/0x980
[ 651.637117] __sys_sendmsg+0xf3/0x240
[ 651.638820] SyS_sendmsg+0x32/0x50
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.

During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
---
drivers/scsi/scsi_transport_iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
uint32_t group;

nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) ||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
skb->len < nlh->nlmsg_len) {
break;
}
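Review bot: the check now depends on `sizeof(*ev)`, so `ev` must already be declared in iscsi_if_rx() above the point this hunk shows; that is fine if it is the existing `struct iscsi_uevent *` used by `ev = nlmsg_data(nlh)` that the commit message refers to, but the hunk does not show the declaration, so please confirm. The `break` silently discards the remainder of the batch on a short message; a ratelimited printk would make a malformed or malicious sender visible instead of just dropping it. As with the nl80211 patch, the Origin is a patchwork link rather than a mainline commit id.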
@ -1,30 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Mon, 4 Sep 2017 16:00:50 +0200
Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
userspace
Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.

References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
---
drivers/video/fbdev/aty/atyfb_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
case ATYIO_CLKR:
if (M64_HAS(INTEGRATED)) {
- struct atyclk clk;
+ struct atyclk clk = { 0 };
union aty_pll *pll = &par->pll;
u32 dsp_config = pll->ct.dsp_config;
u32 dsp_on_off = pll->ct.dsp_on_off;
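Review bot: `struct atyclk clk = { 0 };` is what upstream merged, but the C standard only guarantees that named members are zeroed by an initializer, not padding bytes, and the leak being fixed is precisely the padding after vclk_post_div; `memset(&clk, 0, sizeof(clk));` is the form that clears padding regardless of compiler. GCC does zero the whole object for this initializer in practice, so this is a robustness point rather than a correctness regression, but for an infoleak fix the unambiguous form is preferable.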
@ -1,47 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Mon, 9 Oct 2017 11:36:52 -0700
Subject: waitid(): Add missing access_ok() checks
Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123

Adds missing access_ok() checks.

CVE-2017-5123

Reported-by: Chris Salls <chrissalls5@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
Cc: stable@kernel.org # 4.13
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
kernel/exit.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/kernel/exit.c b/kernel/exit.c
index f2cd53e92147..cf28528842bc 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
if (!infop)
return err;

+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
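Review bot: on access_ok() failure the code jumps to Efault, which, given the `unsafe_put_user(..., Efault)` uses that follow, presumably calls user_access_end() before returning -EFAULT; this path therefore runs user_access_end() without a matching user_access_begin(). That is harmless on x86 (a clac without a preceding stac) but asymmetric, and `return -EFAULT;` here would be cleaner and not depend on what the label does. The compat hunk below has the same shape.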
|
|
||||||
@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
|
|
||||||
if (!infop)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
|
|
||||||
+ goto Efault;
|
|
||||||
+
|
|
||||||
user_access_begin();
|
|
||||||
unsafe_put_user(signo, &infop->si_signo, Efault);
|
|
||||||
unsafe_put_user(0, &infop->si_errno, Efault);
|
|
||||||
--
2.15.0.rc0

@ -1,83 +0,0 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:23 +0200
Subject: KVM: MMU: always terminate page walks at level 1
Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188

is_last_gpte() is not equivalent to the pseudo-code given in commit
6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
value of last_nonleaf_level may override the result even if level == 1.

It is critical for is_last_gpte() to return true on level == 1 to
terminate page walks. Otherwise memory corruption may occur as level
is used as an index to various data structures throughout the page
walking code. Even though the actual bug would be wherever the MMU is
initialized (as in the previous patch), be defensive and ensure here
that is_last_gpte() returns the correct value.

This patch is also enough to fix CVE-2017-12188.

Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
Cc: stable@vger.kernel.org
Cc: Andy Honig <ahonig@google.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
[Panic if walk_addr_generic gets an incorrect level; this is a serious
bug and it's not worth a WARN_ON where the recovery path might hide
further exploitable issues; suggested by Andrew Honig. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 14 +++++++-------
arch/x86/kvm/paging_tmpl.h | 3 ++-
2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 3c25f20115bc..7a69cf053711 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
unsigned level, unsigned gpte)
{
/*
- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
- */
- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-
- /*
* The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
* If it is clear, there are no large pages at this level, so clear
* PT_PAGE_SIZE_MASK in gpte if that is the case.
*/
gpte &= level - mmu->last_nonleaf_level;

+ /*
+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
+ */
+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
+
return gpte & PT_PAGE_SIZE_MASK;
}

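Review bot: the only change is the order of the OR and the AND, and that order is load-bearing: with the old order, a stale mmu->last_nonleaf_level (0 in a never-updated nested-EPT context) makes `level - mmu->last_nonleaf_level` come out with bit 7 clear at level 1, so the `gpte &=` wiped out the PT_PAGE_SIZE_MASK that `gpte |= level - PT_PAGE_TABLE_LEVEL - 1` had just set and the walk did not stop. With the AND first and the OR last, level 1 is a leaf whatever last_nonleaf_level holds. Suggest one extra sentence in the comment above the moved `gpte |=` saying that the OR must remain the final step, because the two blocks look freely reorderable and a later tidy-up could silently undo the fix; the unsigned-wrap trick (bit 7 of a negative difference) also deserves a note that it relies on level and last_nonleaf_level both being small.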
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 86b68dc5a649..f18d1f8d332b 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
--walker->level;

index = PT_INDEX(addr, walker->level);
-
table_gfn = gpte_to_gfn(pte);
offset = index * sizeof(pt_element_t);
pte_gpa = gfn_to_gpa(table_gfn) + offset;
+
+ BUG_ON(walker->level < 1);
walker->table_gfn[walker->level - 1] = table_gfn;
walker->pte_gpa[walker->level - 1] = pte_gpa;

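Review bot: `BUG_ON(walker->level < 1)` is placed after `index = PT_INDEX(addr, walker->level)` and the pte_gpa computation, so an invalid level has already been fed into PT_INDEX before the check fires; moving the BUG_ON to directly after `--walker->level;` would assert the invariant before anything is derived from it. The choice of BUG_ON over WARN_ON is explained in the patch description (a level of 0 indexes walker->table_gfn[] and walker->pte_gpa[] at -1, and a recovery path could mask that), so the hard stop is the right call; the removed blank line and the one added above the BUG_ON are cosmetic.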
--
2.11.0

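The reordering in the mmu.c hunk above is easier to see with both versions side by side. The following C program is an added example written for this page, not code from the kernel or from the patch authors: it reproduces the "before" and "after" bodies of is_last_gpte() from the hunk, models the descent of walk_addr_generic() with a stub `struct kvm_mmu` that holds only last_nonleaf_level, and shows that with a stale last_nonleaf_level of 0 (the uninitialised nested-EPT case the companion patch addresses) the old ordering never declares level 1 a leaf, so the walk runs below level 1, while the new ordering stops at level 1. The constant values (PT_PAGE_TABLE_LEVEL = 1, PT_PAGE_SIZE_MASK = bit 7) and the helper walk_terminates_at() are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed here to match the kernel definitions: level 1 is the last page
 * table level and bit 7 of a guest PTE is the page-size (PS) bit. */
#define PT_PAGE_TABLE_LEVEL 1u
#define PT_PAGE_SIZE_MASK   (1u << 7)

/* Stub with only the field is_last_gpte() reads (example only). */
struct kvm_mmu {
	unsigned last_nonleaf_level;
};

/* The "-" lines of the hunk: the level-1 short-cut is OR-ed in first and can
 * then be AND-ed away again by a bogus last_nonleaf_level. */
static bool is_last_gpte_before(const struct kvm_mmu *mmu, unsigned level, unsigned gpte)
{
	gpte |= level - PT_PAGE_TABLE_LEVEL - 1;   /* bit 7 set iff level == 1 (unsigned wrap) */
	gpte &= level - mmu->last_nonleaf_level;   /* bit 7 set iff level < last_nonleaf_level */
	return gpte & PT_PAGE_SIZE_MASK;
}

/* The "+" lines of the hunk: AND first, OR last, so level 1 always wins. */
static bool is_last_gpte_after(const struct kvm_mmu *mmu, unsigned level, unsigned gpte)
{
	gpte &= level - mmu->last_nonleaf_level;
	gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
	return gpte & PT_PAGE_SIZE_MASK;
}

typedef bool (*last_gpte_fn)(const struct kvm_mmu *, unsigned, unsigned);

/* Assumed model of the descent in walk_addr_generic(): start at root_level
 * and go down one level per step until is_last() reports a leaf.  The entry
 * at large_page_level has the PS bit set; every other entry is a plain table
 * pointer.  Returns the level the walk stopped at, or 0 when it fell through
 * level 1, which in the real walker indexes table_gfn[level - 1] at -1. */
static unsigned walk_terminates_at(last_gpte_fn is_last, const struct kvm_mmu *mmu,
				   unsigned root_level, unsigned large_page_level)
{
	unsigned level;

	for (level = root_level; level >= 1; --level) {
		unsigned gpte = (level == large_page_level) ? PT_PAGE_SIZE_MASK : 0;

		if (is_last(mmu, level, gpte))
			return level;
	}
	return 0;
}

int main(void)
{
	/* 4-level paging with 2M pages enabled: last non-leaf level is 3. */
	struct kvm_mmu sane = { .last_nonleaf_level = 3 };
	/* Context whose last_nonleaf_level was never updated (stays 0). */
	struct kvm_mmu stale = { .last_nonleaf_level = 0 };

	printf("sane  mmu, old code, 4K page : stops at level %u\n",
	       walk_terminates_at(is_last_gpte_before, &sane, 4, 0));
	printf("sane  mmu, old code, 2M page : stops at level %u\n",
	       walk_terminates_at(is_last_gpte_before, &sane, 4, 2));
	printf("stale mmu, old code, 4K page : stops at level %u (0 = ran off the end)\n",
	       walk_terminates_at(is_last_gpte_before, &stale, 4, 0));
	printf("stale mmu, new code, 4K page : stops at level %u\n",
	       walk_terminates_at(is_last_gpte_after, &stale, 4, 0));
	return 0;
}
```

With a correctly initialised MMU both orderings agree (the 4K walk stops at level 1, the 2M walk at level 2); only the stale context separates them, which is why the patch description calls the change defensive and still worth having on its own.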
@ -1,34 +0,0 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:22 +0200
Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188

The function updates context->root_level but didn't call
update_last_nonleaf_level so the previous and potentially wrong value
was used for page walks. For example, a zero value of last_nonleaf_level
would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
walk_addr_generic function (CVE-2017-12188).

Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 106d4a029a8a..3c25f20115bc 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,

update_permission_bitmask(vcpu, context, true);
update_pkru_bitmask(vcpu, context, true);
+ update_last_nonleaf_level(vcpu, context);
reset_rsvds_bits_mask_ept(vcpu, context, execonly);
reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
}
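Review bot: the added call sits between the other bitmask updates and reset_rsvds_bits_mask_ept(), which is fine since update_last_nonleaf_level() only needs context->root_level to have been assigned already. Because this was missed in one MMU initialisation path, the other paths that assign context->root_level should be audited for the same omission; a more robust shape would be for whatever sets root_level to recompute last_nonleaf_level itself, so the two cannot drift apart. Until the companion is_last_gpte() change is also in, any still-missed path leaves the walk able to run below level 1.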
--
2.11.0

@ -1,34 +0,0 @@
From: Jim Mattson <jmattson@google.com>
Date: Tue, 12 Sep 2017 13:02:54 -0700
Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154

If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/vmx.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
if (exec_control & CPU_BASED_TPR_SHADOW) {
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
+ } else {
+#ifdef CONFIG_X86_64
+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+ CPU_BASED_CR8_STORE_EXITING;
+#endif
}

/*
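Review bot: the new else branch sets CPU_BASED_CR8_LOAD_EXITING and CPU_BASED_CR8_STORE_EXITING in the local exec_control only; the hunk ends before that value reaches the VMCS, so confirm that the write of exec_control into vmcs02 happens after this point and is not preceded by an earlier write that this update would miss. The #ifdef CONFIG_X86_64 is correct because CR8 is only reachable in 64-bit mode, but it means a 32-bit host build gets no exiting at all; a one-line comment saying CR8 is not architecturally accessible there would keep it from being read as a gap. Without these bits an L2 guest whose L1 did not enable the TPR shadow reads and writes the host's CR8 directly, which is the CVE-2017-12154 issue being closed.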
@ -1,52 +0,0 @@
From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
Date: Thu, 7 Sep 2017 19:02:30 +0100
Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252

The value of the guest_irq argument to vmx_update_pi_irte() is
ultimately coming from a KVM_IRQFD API call. Do not BUG() in
vmx_update_pi_irte() if the value is out-of bounds. (Especially,
since KVM as a whole seems to hang after that.)

Instead, print a message only once if we find that we don't have a
route for a certain IRQ (which can be out-of-bounds or within the
array).

This fixes CVE-2017-1000252.

Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/vmx.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
struct kvm_lapic_irq irq;
struct kvm_vcpu *vcpu;
struct vcpu_data vcpu_info;
- int idx, ret = -EINVAL;
+ int idx, ret = 0;

if (!kvm_arch_has_assigned_device(kvm) ||
!irq_remapping_cap(IRQ_POSTING_CAP) ||
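Review bot: changing the initialiser from `ret = -EINVAL` to `ret = 0` alters the return value of the early-out path that begins right below it (`!kvm_arch_has_assigned_device(kvm) || !irq_remapping_cap(IRQ_POSTING_CAP) || ...`), not only the new no-route case in the next hunk, and the patch description does not mention that. If any caller treats -EINVAL from vmx_update_pi_irte() as a signal to fall back to non-posted delivery, its behaviour changes here; either keep -EINVAL for the capability checks and assign ret = 0 only before the `goto out` in the no-route branch, or state in the description that returning success from those checks is intended.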
@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm

idx = srcu_read_lock(&kvm->irq_srcu);
irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
+ if (guest_irq >= irq_rt->nr_rt_entries ||
+ hlist_empty(&irq_rt->map[guest_irq])) {
+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
+ guest_irq, irq_rt->nr_rt_entries);
+ goto out;
+ }

hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
if (e->type != KVM_IRQ_ROUTING_MSI)
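Review bot: the bounds test `guest_irq >= irq_rt->nr_rt_entries` now comes before `irq_rt->map[guest_irq]` is touched, and the short-circuit `||` guarantees the hlist_empty() operand is not evaluated for an out-of-range index; that is what stops a userspace-chosen guest_irq from indexing past the routing table (CVE-2017-1000252). Two points: `goto out` is taken while holding the srcu read lock acquired two lines above, so the `out:` label (not in this hunk) must release irq_srcu on this path; and pr_warn_once() means that after the first bad KVM_IRQFD request every further one is silent, so a ratelimited variant would be preferable if the message is meant to help diagnose broken user space rather than just avoid log flooding.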
@ -0,0 +1,141 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 22:16:38 +0200
Subject: dax: Avoid ABI change in 4.13.5
Forwarded: not-needed

Commit c3ca015fab6d ("dax: remove the pmem_dax_ops->flush
abstraction") removed dax_operations::flush and
target_type::dax_flush, resulting in an ABI change. Add these
operations back but don't restore any of the calls to them. To keep
existing callers working during an incomplete kernel upgrade, change
all the implementations to directly do arch_wb_cache_pmem(), just as
dax_flush() does in the new kernel.

Don't change dax_flush() back; it shouldn't have any out-of-tree
callers.

---
--- a/drivers/md/dm-linear.c
+++ b/drivers/md/dm-linear.c
@@ -184,6 +184,14 @@ static size_t linear_dax_copy_from_iter(
return dax_copy_from_iter(dax_dev, pgoff, addr, bytes, i);
}

+static void linear_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
static struct target_type linear_target = {
.name = "linear",
.version = {1, 4, 0},
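Review bot: linear_dax_flush() ignores `ti` and `pgoff` and writes back the cache for `addr`/`size` directly; that is acceptable for a shim whose only job is to keep the function-pointer slot populated, but the function should say so in a comment, because a reader of dm-linear.c will otherwise expect the usual remapping of pgoff to the underlying device as linear_dax_copy_from_iter() above does. The #ifdef CONFIG_ARCH_HAS_PMEM_API guard makes the function a no-op on architectures without the pmem API, matching what the description says dax_flush() does in this kernel.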
@@ -198,6 +206,7 @@ static struct target_type linear_target
.iterate_devices = linear_iterate_devices,
.direct_access = linear_dax_direct_access,
.dax_copy_from_iter = linear_dax_copy_from_iter,
+ .dax_flush = linear_dax_flush,
};

int __init dm_linear_init(void)
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -458,6 +458,14 @@ static void stripe_io_hints(struct dm_ta
blk_limits_io_opt(limits, chunk_size * sc->stripes);
}

+static void stripe_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
static struct target_type stripe_target = {
.name = "striped",
.version = {1, 6, 0},
@@ -472,6 +480,7 @@ static struct target_type stripe_target
.io_hints = stripe_io_hints,
.direct_access = stripe_dax_direct_access,
.dax_copy_from_iter = stripe_dax_copy_from_iter,
+ .dax_flush = stripe_dax_flush,
};

int __init dm_stripe_init(void)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -993,6 +993,14 @@ static size_t dm_dax_copy_from_iter(stru
return ret;
}

+static void dm_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, void *addr,
+ size_t size)
+{
+#ifdef CONFIG_ARCH_HAS_PMEM_API
+ arch_wb_cache_pmem(addr, size);
+#endif
+}
+
/*
* A target may call dm_accept_partial_bio only from the map routine. It is
* allowed for all bio types except REQ_PREFLUSH.
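Review bot: dm_dax_flush() has the same shape as the target-level helpers in dm-linear.c and dm-stripe.c but does not forward to the target's dax_flush, unlike dm_dax_copy_from_iter() just above it; the description says none of the calls are restored, so that is deliberate, but the asymmetry should be stated in a comment here, otherwise the never-invoked `dax_flush` slot in struct target_type reads as a bug to anyone who later compares the two layers. An out-of-tree target that populates dax_flush will never have it called by this kernel.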
@@ -2980,6 +2988,7 @@ static const struct block_device_operati
static const struct dax_operations dm_dax_ops = {
.direct_access = dm_dax_direct_access,
.copy_from_iter = dm_dax_copy_from_iter,
+ .flush = dm_dax_flush,
};

/*
--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -243,9 +243,16 @@ static size_t pmem_copy_from_iter(struct
return copy_from_iter_flushcache(addr, bytes, i);
}

+static void pmem_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff,
+ void *addr, size_t size)
+{
+ arch_wb_cache_pmem(addr, size);
+}
+
static const struct dax_operations pmem_dax_ops = {
.direct_access = pmem_dax_direct_access,
.copy_from_iter = pmem_copy_from_iter,
+ .flush = pmem_dax_flush,
};

static const struct attribute_group *pmem_attribute_groups[] = {
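Review bot: pmem_dax_flush() calls arch_wb_cache_pmem() without the CONFIG_ARCH_HAS_PMEM_API guard that the three device-mapper helpers use; that is only safe if drivers/nvdimm/pmem.c is already built only when that option is set, or the arch header provides a no-op fallback, so please confirm, since otherwise a build on an architecture without the pmem API fails at this line. If the guard is unnecessary here, a short comment saying why would stop the next reader from "fixing" the inconsistency in either direction.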
--- a/include/linux/dax.h
+++ b/include/linux/dax.h
@@ -19,6 +19,8 @@ struct dax_operations {
/* copy_from_iter: required operation for fs-dax direct-i/o */
size_t (*copy_from_iter)(struct dax_device *, pgoff_t, void *, size_t,
struct iov_iter *);
+ /* flush: should be unused */
+ void (*flush)(struct dax_device *, pgoff_t, void *, size_t);
};

extern struct attribute_group dax_attribute_group;
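Review bot: restoring `flush` for ABI compatibility only works if the pointer lands at the same offset it had before commit c3ca015fab6d; it is appended after copy_from_iter here, so confirm that this matches the 4.13.4 layout of struct dax_operations rather than merely adding the member back somewhere. The comment `/* flush: should be unused */` would be more useful if it also said why the member exists (Debian ABI compatibility, no in-tree callers), so it is not read as a TODO to remove it.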
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -134,6 +134,8 @@ typedef long (*dm_dax_direct_access_fn)
long nr_pages, void **kaddr, pfn_t *pfn);
typedef size_t (*dm_dax_copy_from_iter_fn)(struct dm_target *ti, pgoff_t pgoff,
void *addr, size_t bytes, struct iov_iter *i);
+typedef void (*dm_dax_flush_fn)(struct dm_target *ti, pgoff_t pgoff, void *addr,
+ size_t size);
#define PAGE_SECTORS (PAGE_SIZE / 512)

void dm_error(const char *message);
@@ -184,6 +186,7 @@ struct target_type {
dm_io_hints_fn io_hints;
dm_dax_direct_access_fn direct_access;
dm_dax_copy_from_iter_fn dax_copy_from_iter;
+ dm_dax_flush_fn dax_flush;

/* For internal device-mapper use. */
struct list_head list;
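Review bot: same offset question as for struct dax_operations: `dm_dax_flush_fn dax_flush;` is appended after dax_copy_from_iter, which must be its original position for out-of-tree targets compiled against 4.13.4 to keep matching, and it also has to keep the `list` member that follows at its old offset. Because nothing in this kernel calls dax_flush any more, a target that still sets it gets no flush at all; the description accepts that, but a comment next to the member should say so.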
debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
@ -0,0 +1,40 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 22:38:57 +0200
Subject: Revert "bpf: one perf event close won't free bpf program attached ..."
Forwarded: not-needed

This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was
commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream. It introduces
an ABI break that's not easily avoidable. The bug it fixes doesn't seem
to have any security impact.

---
--- a/include/linux/trace_events.h
+++ b/include/linux/trace_events.h
@@ -277,7 +277,6 @@ struct trace_event_call {
int perf_refcount;
struct hlist_head __percpu *perf_events;
struct bpf_prog *prog;
- struct perf_event *bpf_prog_owner;

int (*perf_perm)(struct trace_event_call *,
struct perf_event *);
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8126,7 +8126,6 @@ static int perf_event_set_bpf_prog(struc
}
}
event->tp_event->prog = prog;
- event->tp_event->bpf_prog_owner = event;

return 0;
}
@@ -8141,7 +8140,7 @@ static void perf_event_free_bpf_prog(str
return;

prog = event->tp_event->prog;
- if (prog && event->tp_event->bpf_prog_owner == event) {
+ if (prog) {
event->tp_event->prog = NULL;
bpf_prog_put(prog);
}
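Review bot: going back to `if (prog)` means that closing any perf event attached to this tracepoint detaches and drops the BPF program, including one that a different perf event attached; that is exactly the behaviour the upstream commit fixed, and the patch description judges it to have no security impact. Since this is a deliberate regression kept only to preserve the struct trace_event_call layout, the revert should spell out the user-visible effect (another event's program silently disappears on close) in its description, so the trade-off is recorded for the next ABI bump, when the revert can be dropped.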
@ -0,0 +1,22 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 26 Oct 2017 11:59:43 +0200
Subject: SCSI: Avoid ABI change in 4.13.6
Forwarded: not-needed

Hide the new bitfield from genksyms, as it's using what used to be a
padding bit.

---
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -182,7 +182,10 @@ struct scsi_device {
unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
unsigned broken_fua:1; /* Don't set FUA bit */
unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */
+#ifndef __GENKSYMS__
unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
+ /* 19 unused bits */
+#endif

atomic_t disk_events_disable_depth; /* disable depth for disk events */
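Review bot: hiding `unmap_limit_for_ws:1` behind `#ifndef __GENKSYMS__` keeps the symbol CRC unchanged and is valid only because, as the description says, the bit comes out of previously unused padding in the same word; the `/* 19 unused bits */` comment is inside the #ifndef as well, so it must be kept current when the next bitfield lands, or the count will drift and the next ABI-avoidance patch will be reasoning from a stale number. Modules built against the old header treat the bit as padding and never set it, which is the intended compatibility outcome.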
@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
-bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
 
 # Miscellaneous features
 
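Review bot: the mac80211 deadlock fix is dropped from the series without a corresponding patch file shown in this diff; confirm that it is contained in one of the stable releases from 4.13.5 to 4.13.9 that this update merges, since a patch removed from series without its upstream counterpart being present silently reintroduces the bug.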
@ -114,27 +113,11 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
-bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
-bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
-bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
-bugfix/all/fix-infoleak-in-waitid-2.patch
-bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
-bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
-bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
-bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
-bugfix/all/waitid-Add-missing-access_ok-checks.patch
-bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
-bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
-bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
 bugfix/all/module-disable-matching-missing-version-crc.patch
 
-# ABI maintenance
-
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch
 bugfix/all/kbuild-fix-recordmcount-dependency.patch
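Review bot: fourteen security patches are removed from the series here on the basis that they are now upstream; the changelog at the top of this commit only shows the 4.13.5 entries on this page, so each dropped file's Origin commit should be confirmed to be in one of 4.13.5 through 4.13.9 before its series line goes, in particular the CVE-2017-5123 waitid access_ok fix, both CVE-2017-12188 KVM MMU patches, the CVE-2017-12154 CR8 patch and the CVE-2017-1000252 posted-interrupt patch whose contents appear earlier in this diff. The empty `# ABI maintenance` heading removed at the end of the hunk reappears at the bottom of the file in the next hunk, so that part is a move, not a deletion.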
@ -146,3 +129,8 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
 bugfix/all/cpupower-bump-soname-version.patch
 bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
 bugfix/all/tools-lib-lockdep-define-pr_cont.patch
+
+# ABI maintenance
+debian/scsi-avoid-abi-change-in-4.13.6.patch
+debian/dax-avoid-abi-change-in-4.13.5.patch
+debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
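Review bot: the `# ABI maintenance` section now sits at the very end of the series, so the three debian/ shims apply after every upstream and bugfix patch they paper over; that is the right place, since scsi-avoid-abi-change-in-4.13.6.patch and dax-avoid-abi-change-in-4.13.5.patch edit headers the stable updates changed. The bpf revert is listed here rather than under the bugfix sections, which is consistent with it being an ABI measure only, but the three entries should be removed again at the next ABI bump, and a note to that effect in the section heading would help whoever does that update.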