Update to 4.18.9

This updates the debian changelog for listing changes of this stable
update. It also removes patches applied upstream and refreshes a patch
that is part of 4.18.7-rt5.
Romain Perier 2018-09-23 18:12:55 +02:00
parent d112adae70
commit 5ea1715db4
6 changed files with 189 additions and 343 deletions

debian/changelog

@ -1,4 +1,153 @@
linux (4.18.8-2) UNRELEASED; urgency=medium
linux (4.18.9-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.9
- i2c: xiic: Make the start and the byte count write atomic
- i2c: i801: fix DNV's SMBCTRL register offset
- HID: multitouch: fix Elan panels with 2 input modes declaration
- HID: core: fix grouping by application
- HID: i2c-hid: Fix flooded incomplete report after S3 on Rayd touchscreen
- HID: input: fix leaking custom input node name
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not
supported.
- mac80211: don't update the PM state of a peer upon a multicast frame
- scsi: lpfc: Correct MDS diag and nvmet configuration
- nbd: don't allow invalid blocksize settings
- block: don't warn when doing fsync on read-only devices
- block: bfq: swap puts in bfqg_and_blkg_put
- android: binder: fix the race mmap and alloc_new_buf_locked
- [mips*] VDSO: Match data page cache colouring when D$ aliases
- smb3: Backup intent flag missing for directory opens with backupuid mounts
- smb3: check for and properly advertise directory lease support
- cifs: connect to servername instead of IP for IPC$ share
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata
- btrfs: fix data corruption when deduplicating between different files
- [arm64] KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
- [armhf, arm64] KVM: Clean dcache to PoC when changing PTE due to CoW
- [[powerpc*] KVM: Book3S HV: Use correct pagesize in kvm_unmap_radix()
- [s390x] KVM: vsie: copy wrapping keys to right place
- [x86] KVM: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation
- [x86] KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO
instr
- [x86] KVM: Invert emulation re-execute behavior to make it opt-in
- [x86] KVM: Merge EMULTYPE_RETRY and EMULTYPE_ALLOW_REEXECUTE
- [x86] KVM: Default to not allowing emulation retry in kvm_mmu_page_fault
- [x86] KVM: Do not re-{try,execute} after failed emulation in L2
- ACPI / LPSS: Force LPSS quirks on boot
- memory: ti-aemif: fix a potential NULL-pointer dereference
- ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
- cpu/hotplug: Adjust misplaced smb() in cpuhp_thread_fun()
- cpu/hotplug: Prevent state corruption on error rollback
- [x86] microcode: Make sure boot_cpu_data.microcode is up-to-date
- [x86] microcode: Update the new microcode revision unconditionally
- [x86] process: Don't mix user/kernel regs in 64bit __show_regs()
- [x86] apic/vector: Make error return value negative
- switchtec: Fix Spectre v1 vulnerability
- misc: mic: SCIF Fix scif_get_new_port() error handling
- ALSA: hda/realtek - Add mute LED quirk for HP Spectre x360
- ethtool: Remove trailing semicolon for static inline
- i2c: aspeed: Add an explicit type casting for *get_clk_reg_val
- Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
- gpio: tegra: Move driver registration to subsys_init level
- [powerpc*] powernv: Fix concurrency issue with npu->mmio_atsd_usage
- [powerpc*] 4xx: Fix error return path in ppc4xx_msi_probe()
- media: davinci: vpif_display: Mix memory leak on probe error path
- media: dw2102: Fix memleak on sequence of probes
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver
- scsi: qla2xxx: Fix unintended Logout
- scsi: qla2xxx: Fix session state stuck in Get Port DB
- scsi: qla2xxx: Silent erroneous message
- clk: scmi: Fix the rounding of clock rate
- blk-mq: fix updating tags depth
- scsi: lpfc: Fix driver crash when re-registering NVME rports.
- scsi: target: fix __transport_register_session locking
- md/raid5: fix data corruption of replacements after originals dropped
- timers: Clear timer_base::must_forward_clk with timer_base::lock held
- gpu: ipu-v3: default to id 0 on missing OF alias
- misc: ti-st: Fix memory leak in the error path of probe()
- uio: potential double frees if __uio_register_device() fails
- firmware: vpd: Fix section enabled flag on vpd_section_destroy
- [x86] Drivers: hv: vmbus: Cleanup synic memory free path
- tty: rocket: Fix possible buffer overwrite on register_PCI
- uio: fix possible circular locking dependency
- iwlwifi: pcie: don't access periphery registers when not available
- IB/IPoIB: Set ah valid flag in multicast send flow
- f2fs: fix to active page in lru list for read path
- f2fs: do not set free of current section
- f2fs: Keep alloc_valid_block_count in sync
- f2fs: issue discard align to section in LFS mode
- f2fs: fix defined but not used build warnings
- f2fs: fix to detect looped node chain correctly
- ASoC: soc-pcm: Use delay set in component pointer function
- perf tools: Allow overriding MAX_NR_CPUS at compile time
- device-dax: avoid hang on error before devm_memremap_pages()
- NFSv4.0 fix client reference leak in callback
- perf c2c report: Fix crash for empty browser
- perf evlist: Fix error out while applying initial delay and LBR
- [powerpc*] pseries: fix EEH recovery of some IOV devices
- [powerpc*] macintosh/via-pmu: Add missing mmio accessors
- ath9k: report tx status on EOSP
- ath9k_hw: fix channel maximum power level test
- ath10k: prevent active scans on potential unusable channels
- wlcore: Set rx_status boottime_ns field on rx
- rpmsg: core: add support to power domains for devices
- mtd: rawnand: make subop helpers return unsigned values
- scsi: tcmu: do not set max_blocks if data_bitmap has been setup
- [mips*] Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
- ata: libahci: Allow reconfigure of DEVSLP register
- ata: libahci: Correct setting of DEVSLP register
- nfs: Referrals not inheriting proto setting from parent
- scsi: 3ware: fix return 0 on the error path of probe
- tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
- ath10k: disable bundle mgmt tx completion event support
- media: em28xx: explicitly disable TS packet filter
- PCI: mobiveil: Fix struct mobiveil_pcie.pcie_reg_base address type
- [powerpc*] mm: Don't report PUDs as memory leaks when using kmemleak
- Bluetooth: hidp: Fix handling of strncpy for hid->name information
- [x86] mm: Remove in_nmi() warning from vmalloc_fault()
- [armhf] pinctrl: imx: off by one in imx_pinconf_group_dbg_show()
- gpio: pxa: disable pinctrl calls for PXA3xx
- gpio: ml-ioh: Fix buffer underwrite on probe error path
- [x86, arm64] pinctrl/amd: only handle irq if it is pending and unmasked
- [armhf, arm64] net: mvneta: fix mtu change on port without link
- f2fs: try grabbing node page lock aggressively in sync scenario
- pktcdvd: Fix possible Spectre-v1 for pkt_devs
- f2fs: fix to skip GC if type in SSA and SIT is inconsistent
- [x86] tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
- f2fs: fix to do sanity check with reserved blkaddr of inline inode
(CVE-2018-13099)
- [mips*] Octeon: add missing of_node_put()
- [mips*] generic: fix missing of_node_put()
- thermal: rcar_thermal: avoid NULL dereference in absence of IRQ resources
- thermal_hwmon: Sanitize attribute name passed to hwmon
- net: dcb: For wild-card lookups, use priority -1, not 0
- dm cache: only allow a single io_mode cache feature to be requested
- Input: atmel_mxt_ts - only use first T9 instance
- [powerpc*] partitions/aix: append null character to print data from disk
- [powerpc*] partitions/aix: fix usage of uninitialized lv_info and lvname
structures
- drm/amd/display: Prevent PSR from being enabled if initialization fails
- media: em28xx: Fix dual transport stream operation
- [arm64] iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in
kdump kernel
- f2fs: fix to wait on page writeback before updating page
- f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
- media: em28xx: Fix DualHD disconnect oops
- f2fs: avoid potential deadlock in f2fs_sbi_store
- f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100)
- [armhf] mfd: ti_am335x_tscadc: Fix struct clk memory leak
- f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
- f2fs: fix to propagate return value of scan_nat_page()
- f2fs: fix to do sanity check with extra_attr feature
- RDMA/hns: Add illegal hop_num judgement
- NFSv4.1: Fix a potential layoutget/layoutrecall deadlock
- RDMA/hns: Update the data type of immediate data
- [mips*] WARN_ON invalid DMA cache maintenance, not BUG_ON
- [mips*] mscc: ocelot: fix length of memory address space for MIIM
- RDMA/cma: Do not ignore net namespace for unbound cm_id
- clocksource: Revert "Remove kthread"
- autofs: fix autofs_sbi() does not check super block type
- mm: get rid of vmacache_flush_all() entirely
[ Vagrant Cascadian ]
* debian/rules.real: Generate linux-source tarball with root user and
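Review bot: the entry `- [[powerpc*] KVM: Book3S HV: Use correct pagesize in kvm_unmap_radix()` has a doubled opening bracket; the architecture tag should read `[powerpc*]` like the surrounding entries. The two f2fs entries carry their CVE ids (CVE-2018-13099, CVE-2018-13100), which keeps the `Bug-Debian-Security:` references of the patch files deleted in this commit traceable from the changelog once those files are gone.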


@ -22,14 +22,16 @@ Mike Galbraith,
hard and soft variant]
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
include/linux/irq_work.h | 8 ++++++
kernel/irq_work.c | 60 ++++++++++++++++++++++++++++++++++++-----------
kernel/rcu/tree.c | 1
kernel/sched/topology.c | 1
kernel/time/tick-sched.c | 1
kernel/time/timer.c | 1
6 files changed, 59 insertions(+), 13 deletions(-)
include/linux/irq_work.h | 8 ++++++
kernel/irq_work.c | 59 ++++++++++++++++++++++++++++++++--------
kernel/rcu/tree.c | 1 +
kernel/sched/topology.c | 1 +
kernel/time/tick-sched.c | 1 +
kernel/time/timer.c | 2 ++
6 files changed, 60 insertions(+), 12 deletions(-)
diff --git a/include/linux/irq_work.h b/include/linux/irq_work.h
index b11fcdfd0770..c1afbba27902 100644
--- a/include/linux/irq_work.h
+++ b/include/linux/irq_work.h
@@ -18,6 +18,8 @@
@ -41,17 +43,19 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
#define IRQ_WORK_CLAIMED (IRQ_WORK_PENDING | IRQ_WORK_BUSY)
@@ -52,4 +54,10 @@ static inline bool irq_work_needs_cpu(vo
@@ -52,4 +54,10 @@ static inline bool irq_work_needs_cpu(void) { return false; }
static inline void irq_work_run(void) { }
#endif
+#if defined(CONFIG_IRQ_WORK) && defined(CONFIG_PREEMPT_RT_FULL)
+void irq_work_tick_soft(void);
+#else
+else
+static inline void irq_work_tick_soft(void) { }
+#endif
+
#endif /* _LINUX_IRQ_WORK_H */
diff --git a/kernel/irq_work.c b/kernel/irq_work.c
index 6b7cdf17ccf8..e765a79ef48b 100644
--- a/kernel/irq_work.c
+++ b/kernel/irq_work.c
@@ -17,6 +17,7 @@
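Review bot: the refreshed `irq_work_tick_soft()` declaration block shows both a `+#else` and a `+else` line between `+#if defined(CONFIG_IRQ_WORK) && defined(CONFIG_PREEMPT_RT_FULL)` and `+#endif`; the inner header `@@ -52,4 +54,10 @@` only accounts for six added lines, so one of the two is not part of the refreshed patch. Confirm the line that survives in the patch file is `#else`, since a bare `else` in the header would not compile. The change to the inner header's function signature (`irq_work_needs_cpu(vo` to `irq_work_needs_cpu(void) { return false; }`) is the usual quilt refresh widening and is harmless.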
@ -71,7 +75,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/* All work should have been flushed before going offline */
WARN_ON_ONCE(cpu_is_offline(cpu));
@@ -76,7 +79,12 @@ bool irq_work_queue_on(struct irq_work *
@@ -76,7 +79,12 @@ bool irq_work_queue_on(struct irq_work *work, int cpu)
if (!irq_work_claim(work))
return false;
@ -85,7 +89,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
arch_send_call_function_single_ipi(cpu);
#else /* #ifdef CONFIG_SMP */
@@ -89,6 +97,9 @@ bool irq_work_queue_on(struct irq_work *
@@ -89,6 +97,9 @@ bool irq_work_queue_on(struct irq_work *work, int cpu)
/* Enqueue the irq work @work on the current CPU */
bool irq_work_queue(struct irq_work *work)
{
@ -95,7 +99,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/* Only queue if not already pending */
if (!irq_work_claim(work))
return false;
@@ -96,13 +107,15 @@ bool irq_work_queue(struct irq_work *wor
@@ -96,13 +107,15 @@ bool irq_work_queue(struct irq_work *work)
/* Queue the entry and raise the IPI if needed. */
preempt_disable();
@ -130,7 +134,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/* All work should have been flushed before going offline */
WARN_ON_ONCE(cpu_is_offline(smp_processor_id()));
@@ -135,8 +147,12 @@ static void irq_work_run_list(struct lli
@@ -135,7 +147,12 @@ static void irq_work_run_list(struct llist_head *list)
struct llist_node *llnode;
unsigned long flags;
@ -139,12 +143,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+ * nort: On RT IRQ-work may run in SOFTIRQ context.
+ */
BUG_ON(!irqs_disabled());
-
+#endif
if (llist_empty(list))
return;
@@ -168,7 +184,16 @@ static void irq_work_run_list(struct lli
@@ -168,7 +185,16 @@ static void irq_work_run_list(struct llist_head *list)
void irq_work_run(void)
{
irq_work_run_list(this_cpu_ptr(&raised_list));
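Review bot: the inner header moves from `@@ -135,8 +147,12 @@` to `@@ -135,7 +147,12 @@`, so the refreshed patch no longer removes one old line; the dropped `-` line after `BUG_ON(!irqs_disabled());` (a blank-line removal) accounts for it, and the outer hunk shrinking from 12 to 11 lines agrees. It would help a later RT rebase if the commit message said that this refresh only adjusts context and drops that blank-line removal, so nobody reads it as a functional change.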
@ -162,7 +165,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
}
EXPORT_SYMBOL_GPL(irq_work_run);
@@ -178,8 +203,17 @@ void irq_work_tick(void)
@@ -178,8 +204,17 @@ void irq_work_tick(void)
if (!llist_empty(raised) && !arch_irq_work_has_interrupt())
irq_work_run_list(raised);
@ -180,9 +183,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/*
* Synchronize against the irq_work @entry, ensures the entry is not
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index aa7cade1b9f3..131fe93756c4 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -1294,6 +1294,7 @@ static int rcu_implicit_dynticks_qs(stru
@@ -1259,6 +1259,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp)
!rdp->rcu_iw_pending && rdp->rcu_iw_gpnum != rnp->gpnum &&
(rnp->ffmask & rdp->grpmask)) {
init_irq_work(&rdp->rcu_iw, rcu_iw_handler);
@ -190,9 +195,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
rdp->rcu_iw_pending = true;
rdp->rcu_iw_gpnum = rnp->gpnum;
irq_work_queue_on(&rdp->rcu_iw, rdp->cpu);
diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
index 56a0fed30c0a..dc7fd09d66fa 100644
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -279,6 +279,7 @@ static int init_rootdomain(struct root_d
@@ -279,6 +279,7 @@ static int init_rootdomain(struct root_domain *rd)
rd->rto_cpu = -1;
raw_spin_lock_init(&rd->rto_lock);
init_irq_work(&rd->rto_push_work, rto_push_irq_work_func);
@ -200,9 +207,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
#endif
init_dl_bw(&rd->dl_bw);
diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
index 5b33e2f5c0ed..2fd4a37ffdc2 100644
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -232,6 +232,7 @@ static void nohz_full_kick_func(struct i
@@ -227,6 +227,7 @@ static void nohz_full_kick_func(struct irq_work *work)
static DEFINE_PER_CPU(struct irq_work, nohz_full_kick_work) = {
.func = nohz_full_kick_func,
@ -210,13 +219,19 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
};
/*
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 786f8c014e7e..6c996ba08e0a 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1717,6 +1717,7 @@ static __latent_entropy void run_timer_s
@@ -1692,6 +1692,8 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h)
{
struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+ irq_work_tick_soft();
/*
* must_forward_clk must be cleared before running timers so that any
* timer functions that call mod_timer will not try to forward the
+
__run_timers(base);
if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
__run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
--
2.19.0
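Review bot: the kernel/time/timer.c part is the one piece of this refresh with changed surroundings: the inner header moves from `@@ -1717,6 +1717,7 @@` to `@@ -1692,6 +1692,8 @@`, the `+ irq_work_tick_soft();` call now sits ahead of the `must_forward_clk` comment block that the stable commit `timers: Clear timer_base::must_forward_clk with timer_base::lock held` (listed in the changelog) introduced, and a blank `+` line is added, which is what the diffstat change to `kernel/time/timer.c | 2 ++` reflects. Check that the call still precedes `__run_timers(base)` in the resulting function, as the visible context shows, so the soft irq_work placement of the original RT patch is preserved.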


@ -1,155 +0,0 @@
From: Chao Yu <yuchao0@huawei.com>
Date: Sat, 30 Jun 2018 18:13:40 +0800
Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode
Origin: https://git.kernel.org/linus/4dbe38dc386910c668c75ae616b99b823b59f3eb
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13099
As Wen Xu reported in bugzilla, after image was injected with random data
by fuzzing, inline inode would contain invalid reserved blkaddr, then
during inline conversion, we will encounter illegal memory accessing
reported by KASAN, the root cause of this is when writing out converted
inline page, we will use invalid reserved blkaddr to update sit bitmap,
result in accessing memory beyond sit bitmap boundary.
In order to fix this issue, let's do sanity check with reserved block
address of inline inode to avoid above condition.
https://bugzilla.kernel.org/show_bug.cgi?id=200179
[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.846860] Call Trace:
[ 1428.846868] dump_stack+0x71/0xab
[ 1428.846875] print_address_description+0x6b/0x290
[ 1428.846881] kasan_report+0x28e/0x390
[ 1428.846888] ? update_sit_entry+0x80/0x7f0
[ 1428.846898] update_sit_entry+0x80/0x7f0
[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
[ 1428.846920] do_write_page+0xc8/0x150
[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
[ 1428.846951] ? inc_zone_page_state+0x54/0x100
[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.846978] ? __get_node_page+0x335/0x6b0
[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
[ 1428.847024] f2fs_file_mmap+0x79/0xc0
[ 1428.847029] mmap_region+0x58b/0x880
[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
[ 1428.847042] do_mmap+0x55b/0x7a0
[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.847068] ? do_sys_open+0x206/0x2a0
[ 1428.847073] ? __fget+0xb4/0x100
[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
[ 1428.847091] do_syscall_64+0x73/0x160
[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847102] RIP: 0033:0x7fb1430766ba
[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1428.847252] Allocated by task 2683:
[ 1428.847372] kasan_kmalloc+0xa6/0xd0
[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
[ 1428.847385] getname_flags+0x73/0x2b0
[ 1428.847390] user_path_at_empty+0x1d/0x40
[ 1428.847395] vfs_statx+0xc1/0x150
[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
[ 1428.847405] do_syscall_64+0x73/0x160
[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847466] Freed by task 2683:
[ 1428.847566] __kasan_slab_free+0x137/0x190
[ 1428.847571] kmem_cache_free+0x85/0x1e0
[ 1428.847575] filename_lookup+0x191/0x280
[ 1428.847580] vfs_statx+0xc1/0x150
[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
[ 1428.847590] do_syscall_64+0x73/0x160
[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847648] The buggy address belongs to the object at ffff880194483300
which belongs to the cache names_cache of size 4096
[ 1428.847946] The buggy address is located 576 bytes inside of
4096-byte region [ffff880194483300, ffff880194484300)
[ 1428.848234] The buggy address belongs to the page:
[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
[ 1428.848606] flags: 0x17fff8000008100(slab|head)
[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 1428.849122] page dumped because: kasan: bad access detected
[ 1428.849305] Memory state around the buggy address:
[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849985] ^
[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850498] ==================================================================
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
fs/f2fs/inline.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
index 9a245d2d5b7c..2bcb2d36f024 100644
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -130,6 +130,16 @@ int f2fs_convert_inline_page(struct dnode_of_data *dn, struct page *page)
if (err)
return err;
+ if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
+ f2fs_put_dnode(dn);
+ set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
+ f2fs_msg(fio.sbi->sb, KERN_WARNING,
+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+ "run fsck to fix.",
+ __func__, dn->inode->i_ino, dn->data_blkaddr);
+ return -EINVAL;
+ }
+
f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
f2fs_do_read_inline_data(page, dn->inode_page);
@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage,
if (err)
goto out;
+ if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
+ f2fs_put_dnode(&dn);
+ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
+ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+ "run fsck to fix.",
+ __func__, dir->i_ino, dn.data_blkaddr);
+ err = -EINVAL;
+ goto out;
+ }
+
f2fs_wait_on_page_writeback(page, DATA, true);
dentry_blk = page_address(page);
--
2.11.0
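Review bot: dropping this file is consistent with the changelog entry `f2fs: fix to do sanity check with reserved blkaddr of inline inode (CVE-2018-13099)` and with the `Origin:` commit named in the header; confirm the 4.18.9 version is the same change as this backport, namely the two `data_blkaddr != NEW_ADDR` checks in `f2fs_convert_inline_page()` and `f2fs_move_inline_dirents()` that reject a corrupted inline inode with `-EINVAL` and set `SBI_NEED_FSCK`, so nothing Debian-specific is lost with the removal.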


@ -1,98 +0,0 @@
From: Chao Yu <yuchao0@huawei.com>
Date: Sat, 23 Jun 2018 00:12:36 +0800
Subject: f2fs: fix to do sanity check with secs_per_zone
Origin: https://git.kernel.org/linus/42bf546c1fe3f3654bdf914e977acbc2b80a5be5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13100
As Wen Xu reported in below link:
https://bugzilla.kernel.org/show_bug.cgi?id=200183
- Overview
Divide zero in reset_curseg() when mounting a crafted f2fs image
- Reproduce
- Kernel message
[ 588.281510] divide error: 0000 [#1] SMP KASAN PTI
[ 588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
[ 588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
[ 588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
[ 588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
[ 588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
[ 588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
[ 588.306822] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[ 588.308456] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
[ 588.311085] Call Trace:
[ 588.311637] f2fs_build_segment_manager+0x103f/0x3410
[ 588.316136] ? f2fs_commit_super+0x1b0/0x1b0
[ 588.317031] ? set_blocksize+0x90/0x140
[ 588.319473] f2fs_mount+0x15/0x20
[ 588.320166] mount_fs+0x60/0x1a0
[ 588.320847] ? alloc_vfsmnt+0x309/0x360
[ 588.321647] vfs_kern_mount+0x6b/0x1a0
[ 588.322432] do_mount+0x34a/0x18c0
[ 588.323175] ? strndup_user+0x46/0x70
[ 588.323937] ? copy_mount_string+0x20/0x20
[ 588.324793] ? memcg_kmem_put_cache+0x1b/0xa0
[ 588.325702] ? kasan_check_write+0x14/0x20
[ 588.326562] ? _copy_from_user+0x6a/0x90
[ 588.327375] ? memdup_user+0x42/0x60
[ 588.328118] ksys_mount+0x83/0xd0
[ 588.328808] __x64_sys_mount+0x67/0x80
[ 588.329607] do_syscall_64+0x78/0x170
[ 588.330400] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 588.331461] RIP: 0033:0x7fad848e8b9a
[ 588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
[ 588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
[ 588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[ 588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
[ 588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
[ 588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
[ 588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
[ 588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
[ 588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
[ 588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
[ 588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
[ 588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
[ 588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
[ 588.370057] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[ 588.372099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
- Location
https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);
If secs_per_zone is corrupted due to fuzzing test, it will cause divide
zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
sanity check with secs_per_zone during mount to avoid this issue.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
fs/f2fs/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 01d1cb6081fc..a041ee20492d 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2227,9 +2227,9 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
return 1;
}
- if (secs_per_zone > total_sections) {
+ if (secs_per_zone > total_sections || !secs_per_zone) {
f2fs_msg(sb, KERN_INFO,
- "Wrong secs_per_zone (%u > %u)",
+ "Wrong secs_per_zone / total_sections (%u, %u)",
secs_per_zone, total_sections);
return 1;
}
--
2.11.0
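Review bot: the removed hunk adds `|| !secs_per_zone` to the check in `sanity_check_raw_super()` so a zero `secs_per_zone` from a crafted image is rejected at mount time instead of reaching the division in `GET_ZONE_FROM_SEG`; its replacement is the 4.18.9 entry `f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100)` in the changelog and the `Origin:` commit, so the deletion is consistent. The `- Reproduce` section of the description is empty in this copy, but since the file is being deleted there is nothing to act on.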


@ -1,62 +0,0 @@
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date: Mon, 20 Aug 2018 13:56:07 +0300
Subject: mac80211: don't update the PM state of a peer upon a multicast frame
Origin: https://git.kernel.org/linus/20932750d9c78d307e4f2f18f9c6a32b82b1e0e8
Bug-Debian: https://bugs.debian.org/887045
Bug-Debian: https://bugs.debian.org/886292
I changed the way mac80211 updates the PM state of the peer.
I forgot that we could also have multicast frames from the
peer and that those frame should of course not change the
PM state of the peer: A peer goes to power save when it
needs to scan, but it won't send the broadcast Probe Request
with the PM bit set.
This made us mark the peer as awake when it wasn't and then
Intel's firmware would fail to transmit because the peer is
asleep according to its database. The driver warned about
this and it looked like this:
WARNING: CPU: 0 PID: 184 at /usr/src/linux-4.16.14/drivers/net/wireless/intel/iwlwifi/mvm/tx.c:1369 iwl_mvm_rx_tx_cmd+0x53b/0x860
CPU: 0 PID: 184 Comm: irq/124-iwlwifi Not tainted 4.16.14 #1
RIP: 0010:iwl_mvm_rx_tx_cmd+0x53b/0x860
Call Trace:
iwl_pcie_rx_handle+0x220/0x880
iwl_pcie_irq_handler+0x6c9/0xa20
? irq_forced_thread_fn+0x60/0x60
? irq_thread_dtor+0x90/0x90
The relevant code that spits the WARNING is:
case TX_STATUS_FAIL_DEST_PS:
/* the FW should have stopped the queue and not
* return this status
*/
WARN_ON(1);
info->flags |= IEEE80211_TX_STAT_TX_FILTERED;
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199967.
Fixes: 9fef65443388 ("mac80211: always update the PM state of a peer on MGMT / DATA frames")
Cc: <stable@vger.kernel.org> #4.16+
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/rx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 932985ca4e66..3f80a5ca4050 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1612,6 +1612,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
*/
if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
!ieee80211_has_morefrags(hdr->frame_control) &&
+ !is_multicast_ether_addr(hdr->addr1) &&
(ieee80211_is_mgmt(hdr->frame_control) ||
ieee80211_is_data(hdr->frame_control)) &&
!(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
--
2.19.0
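Review bot: the single `!is_multicast_ether_addr(hdr->addr1)` condition removed with this file is the change the changelog lists as `mac80211: don't update the PM state of a peer upon a multicast frame`, so dropping the patch is consistent; the two `Bug-Debian:` references (887045, 886292) disappear with the file, so make sure those bug reports already record the upload that carried the fix.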


@ -98,7 +98,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/netfilter-ipvs-Fix-invalid-bytes-in-IP_VS_MH_TAB_IND.patch
bugfix/all/mac80211-don-t-update-the-PM-state-of-a-peer-upon-a-.patch
# Miscellaneous features
features/all/kbuild-add-build-salt-to-the-kernel-and-modules.patch
@ -144,8 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
bugfix/all/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
bugfix/all/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
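Review bot: the two f2fs entries removed here match the two deleted patch files and the CVE-2018-13099 / CVE-2018-13100 changelog entries, and the mac80211 entry removed in the previous hunk matches the third deleted file, so the series stays in step with the tree; the refreshed RT patch is not listed in this file, so verify that its entry in the RT series is untouched (same file name) after the refresh.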