diff --git a/debian/changelog b/debian/changelog
index 2b1b1cdd3..457c2fed0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,153 @@ -linux (4.18.8-2) UNRELEASED; urgency=medium +linux (4.18.9-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.9 + - i2c: xiic: Make the start and the byte count write atomic + - i2c: i801: fix DNV's SMBCTRL register offset + - HID: multitouch: fix Elan panels with 2 input modes declaration + - HID: core: fix grouping by application + - HID: i2c-hid: Fix flooded incomplete report after S3 on Rayd touchscreen + - HID: input: fix leaking custom input node name + - mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not + supported. + - mac80211: don't update the PM state of a peer upon a multicast frame + - scsi: lpfc: Correct MDS diag and nvmet configuration + - nbd: don't allow invalid blocksize settings + - block: don't warn when doing fsync on read-only devices + - block: bfq: swap puts in bfqg_and_blkg_put + - android: binder: fix the race mmap and alloc_new_buf_locked + - [mips*] VDSO: Match data page cache colouring when D$ aliases + - smb3: Backup intent flag missing for directory opens with backupuid mounts + - smb3: check for and properly advertise directory lease support + - cifs: connect to servername instead of IP for IPC$ share + - btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata + - btrfs: fix data corruption when deduplicating between different files + - [arm64] KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD + - [armhf, arm64] KVM: Clean dcache to PoC when changing PTE due to CoW + - [[powerpc*] KVM: Book3S HV: Use correct pagesize in kvm_unmap_radix() + - [s390x] KVM: vsie: copy wrapping keys to right place + - [x86] KVM: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation + - [x86] KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO + instr + - [x86] KVM: Invert emulation re-execute behavior to make it opt-in + - [x86] KVM: Merge EMULTYPE_RETRY and EMULTYPE_ALLOW_REEXECUTE + - [x86] KVM: Default to not 
allowing emulation retry in kvm_mmu_page_fault + - [x86] KVM: Do not re-{try,execute} after failed emulation in L2 + - ACPI / LPSS: Force LPSS quirks on boot + - memory: ti-aemif: fix a potential NULL-pointer dereference + - ALSA: hda - Fix cancel_work_sync() stall from jackpoll work + - cpu/hotplug: Adjust misplaced smb() in cpuhp_thread_fun() + - cpu/hotplug: Prevent state corruption on error rollback + - [x86] microcode: Make sure boot_cpu_data.microcode is up-to-date + - [x86] microcode: Update the new microcode revision unconditionally + - [x86] process: Don't mix user/kernel regs in 64bit __show_regs() + - [x86] apic/vector: Make error return value negative + - switchtec: Fix Spectre v1 vulnerability + - misc: mic: SCIF Fix scif_get_new_port() error handling + - ALSA: hda/realtek - Add mute LED quirk for HP Spectre x360 + - ethtool: Remove trailing semicolon for static inline + - i2c: aspeed: Add an explicit type casting for *get_clk_reg_val + - Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV + - gpio: tegra: Move driver registration to subsys_init level + - [powerpc*] powernv: Fix concurrency issue with npu->mmio_atsd_usage + - [powerpc*] 4xx: Fix error return path in ppc4xx_msi_probe() + - media: davinci: vpif_display: Mix memory leak on probe error path + - media: dw2102: Fix memleak on sequence of probes + - net: phy: Fix the register offsets in Broadcom iProc mdio mux driver + - scsi: qla2xxx: Fix unintended Logout + - scsi: qla2xxx: Fix session state stuck in Get Port DB + - scsi: qla2xxx: Silent erroneous message + - clk: scmi: Fix the rounding of clock rate + - blk-mq: fix updating tags depth + - scsi: lpfc: Fix driver crash when re-registering NVME rports. 
+ - scsi: target: fix __transport_register_session locking + - md/raid5: fix data corruption of replacements after originals dropped + - timers: Clear timer_base::must_forward_clk with timer_base::lock held + - gpu: ipu-v3: default to id 0 on missing OF alias + - misc: ti-st: Fix memory leak in the error path of probe() + - uio: potential double frees if __uio_register_device() fails + - firmware: vpd: Fix section enabled flag on vpd_section_destroy + - [x86] Drivers: hv: vmbus: Cleanup synic memory free path + - tty: rocket: Fix possible buffer overwrite on register_PCI + - uio: fix possible circular locking dependency + - iwlwifi: pcie: don't access periphery registers when not available + - IB/IPoIB: Set ah valid flag in multicast send flow + - f2fs: fix to active page in lru list for read path + - f2fs: do not set free of current section + - f2fs: Keep alloc_valid_block_count in sync + - f2fs: issue discard align to section in LFS mode + - f2fs: fix defined but not used build warnings + - f2fs: fix to detect looped node chain correctly + - ASoC: soc-pcm: Use delay set in component pointer function + - perf tools: Allow overriding MAX_NR_CPUS at compile time + - device-dax: avoid hang on error before devm_memremap_pages() + - NFSv4.0 fix client reference leak in callback + - perf c2c report: Fix crash for empty browser + - perf evlist: Fix error out while applying initial delay and LBR + - [powerpc*] pseries: fix EEH recovery of some IOV devices + - [powerpc*] macintosh/via-pmu: Add missing mmio accessors + - ath9k: report tx status on EOSP + - ath9k_hw: fix channel maximum power level test + - ath10k: prevent active scans on potential unusable channels + - wlcore: Set rx_status boottime_ns field on rx + - rpmsg: core: add support to power domains for devices + - mtd: rawnand: make subop helpers return unsigned values + - scsi: tcmu: do not set max_blocks if data_bitmap has been setup + - [mips*] Fix ISA virt/bus conversion for non-zero PHYS_OFFSET + - ata: 
libahci: Allow reconfigure of DEVSLP register + - ata: libahci: Correct setting of DEVSLP register + - nfs: Referrals not inheriting proto setting from parent + - scsi: 3ware: fix return 0 on the error path of probe + - tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access() + - ath10k: disable bundle mgmt tx completion event support + - media: em28xx: explicitly disable TS packet filter + - PCI: mobiveil: Fix struct mobiveil_pcie.pcie_reg_base address type + - [powerpc*] mm: Don't report PUDs as memory leaks when using kmemleak + - Bluetooth: hidp: Fix handling of strncpy for hid->name information + - [x86] mm: Remove in_nmi() warning from vmalloc_fault() + - [armhf] pinctrl: imx: off by one in imx_pinconf_group_dbg_show() + - gpio: pxa: disable pinctrl calls for PXA3xx + - gpio: ml-ioh: Fix buffer underwrite on probe error path + - [x86, arm64] pinctrl/amd: only handle irq if it is pending and unmasked + - [armhf, arm64] net: mvneta: fix mtu change on port without link + - f2fs: try grabbing node page lock aggressively in sync scenario + - pktcdvd: Fix possible Spectre-v1 for pkt_devs + - f2fs: fix to skip GC if type in SSA and SIT is inconsistent + - [x86] tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) + - f2fs: fix to do sanity check with reserved blkaddr of inline inode + (CVE-2018-13099) + - [mips*] Octeon: add missing of_node_put() + - [mips*] generic: fix missing of_node_put() + - thermal: rcar_thermal: avoid NULL dereference in absence of IRQ resources + - thermal_hwmon: Sanitize attribute name passed to hwmon + - net: dcb: For wild-card lookups, use priority -1, not 0 + - dm cache: only allow a single io_mode cache feature to be requested + - Input: atmel_mxt_ts - only use first T9 instance + - [powerpc*] partitions/aix: append null character to print data from disk + - [powerpc*] partitions/aix: fix usage of uninitialized lv_info and lvname + structures + - drm/amd/display: Prevent PSR from being enabled if 
initialization fails + - media: em28xx: Fix dual transport stream operation + - [arm64] iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in + kdump kernel + - f2fs: fix to wait on page writeback before updating page + - f2fs: Fix uninitialized return in f2fs_ioc_shutdown() + - media: em28xx: Fix DualHD disconnect oops + - f2fs: avoid potential deadlock in f2fs_sbi_store + - f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100) + - [armhf] mfd: ti_am335x_tscadc: Fix struct clk memory leak + - f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize + - f2fs: fix to propagate return value of scan_nat_page() + - f2fs: fix to do sanity check with extra_attr feature + - RDMA/hns: Add illegal hop_num judgement + - NFSv4.1: Fix a potential layoutget/layoutrecall deadlock + - RDMA/hns: Update the data type of immediate data + - [mips*] WARN_ON invalid DMA cache maintenance, not BUG_ON + - [mips*] mscc: ocelot: fix length of memory address space for MIIM + - RDMA/cma: Do not ignore net namespace for unbound cm_id + - clocksource: Revert "Remove kthread" + - autofs: fix autofs_sbi() does not check super block type + - mm: get rid of vmacache_flush_all() entirely [ Vagrant Cascadian ] * debian/rules.real: Generate linux-source tarball with root user and
diff --git a/debian/patches-rt/irqwork-push_most_work_into_softirq_context.patch b/debian/patches-rt/irqwork-push_most_work_into_softirq_context.patch
index 7a91a2a1c..8acd79ff5 100644
--- a/debian/patches-rt/irqwork-push_most_work_into_softirq_context.patch
+++ b/debian/patches-rt/irqwork-push_most_work_into_softirq_context.patch
@@ -22,14 +22,16 @@ Mike Galbraith, hard and soft variant]
Signed-off-by: Sebastian Andrzej Siewior --- - include/linux/irq_work.h | 8 ++++++ - kernel/irq_work.c | 60 ++++++++++++++++++++++++++++++++++++----------- - kernel/rcu/tree.c | 1 - kernel/sched/topology.c | 1 - kernel/time/tick-sched.c | 1 - kernel/time/timer.c | 1 - 6 files changed, 59 insertions(+), 13 deletions(-) + include/linux/irq_work.h | 8 ++++++ + kernel/irq_work.c | 59 ++++++++++++++++++++++++++++++++-------- + kernel/rcu/tree.c | 1 + + kernel/sched/topology.c | 1 + + kernel/time/tick-sched.c | 1 + + kernel/time/timer.c | 2 ++ + 6 files changed, 60 insertions(+), 12 deletions(-) +diff --git a/include/linux/irq_work.h b/include/linux/irq_work.h +index b11fcdfd0770..c1afbba27902 100644 --- a/include/linux/irq_work.h +++ b/include/linux/irq_work.h @@ -18,6 +18,8 @@ @@ -41,17 +43,19 @@ Signed-off-by: Sebastian Andrzej Siewior #define IRQ_WORK_CLAIMED (IRQ_WORK_PENDING | IRQ_WORK_BUSY) -@@ -52,4 +54,10 @@ static inline bool irq_work_needs_cpu(vo +@@ -52,4 +54,10 @@ static inline bool irq_work_needs_cpu(void) { return false; } static inline void irq_work_run(void) { } #endif +#if defined(CONFIG_IRQ_WORK) && defined(CONFIG_PREEMPT_RT_FULL) +void irq_work_tick_soft(void); -+#else ++else +static inline void irq_work_tick_soft(void) { } +#endif + #endif /* _LINUX_IRQ_WORK_H */ +diff --git a/kernel/irq_work.c b/kernel/irq_work.c +index 6b7cdf17ccf8..e765a79ef48b 100644 --- a/kernel/irq_work.c +++ b/kernel/irq_work.c @@ -17,6 +17,7 @@ @@ -71,7 +75,7 @@ Signed-off-by: Sebastian Andrzej Siewior /* All work should have been flushed before going offline */ WARN_ON_ONCE(cpu_is_offline(cpu)); -@@ -76,7 +79,12 @@ bool irq_work_queue_on(struct irq_work * +@@ -76,7 +79,12 @@ bool irq_work_queue_on(struct irq_work *work, int cpu) if (!irq_work_claim(work)) return false; @@ -85,7 +89,7 @@ 
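Review bot: In the `include/linux/irq_work.h` part of the refreshed patch, the preprocessor `#else` that separates the `irq_work_tick_soft()` prototype from its `static inline` stub is replaced by a bare `else` (`-+#else` / `++else`). With that change the patched header would emit both the prototype and the stub, plus a stray `else` token at file scope, when CONFIG_PREEMPT_RT_FULL is set, and no declaration at all otherwise, so the `irq_work_tick_soft()` call added to `run_timer_softirq()` in kernel/time/timer.c would not compile either way. Unless this is an artefact of how the page was extracted, the added line should read `+#else`. The remaining hunks of this patch file only renumber hunks and widen `@@` context for 4.18.9 and raise nothing.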
Signed-off-by: Sebastian Andrzej Siewior arch_send_call_function_single_ipi(cpu); #else /* #ifdef CONFIG_SMP */ -@@ -89,6 +97,9 @@ bool irq_work_queue_on(struct irq_work * +@@ -89,6 +97,9 @@ bool irq_work_queue_on(struct irq_work *work, int cpu) /* Enqueue the irq work @work on the current CPU */ bool irq_work_queue(struct irq_work *work) { @@ -95,7 +99,7 @@ Signed-off-by: Sebastian Andrzej Siewior /* Only queue if not already pending */ if (!irq_work_claim(work)) return false; -@@ -96,13 +107,15 @@ bool irq_work_queue(struct irq_work *wor +@@ -96,13 +107,15 @@ bool irq_work_queue(struct irq_work *work) /* Queue the entry and raise the IPI if needed. */ preempt_disable(); @@ -130,7 +134,7 @@ Signed-off-by: Sebastian Andrzej Siewior /* All work should have been flushed before going offline */ WARN_ON_ONCE(cpu_is_offline(smp_processor_id())); -@@ -135,8 +147,12 @@ static void irq_work_run_list(struct lli +@@ -135,7 +147,12 @@ static void irq_work_run_list(struct llist_head *list) struct llist_node *llnode; unsigned long flags; @@ -139,12 +143,11 @@ Signed-off-by: Sebastian Andrzej Siewior + * nort: On RT IRQ-work may run in SOFTIRQ context. + */ BUG_ON(!irqs_disabled()); -- +#endif + if (llist_empty(list)) return; - -@@ -168,7 +184,16 @@ static void irq_work_run_list(struct lli +@@ -168,7 +185,16 @@ static void irq_work_run_list(struct llist_head *list) void irq_work_run(void) { irq_work_run_list(this_cpu_ptr(&raised_list)); @@ -162,7 +165,7 @@ Signed-off-by: Sebastian Andrzej Siewior } EXPORT_SYMBOL_GPL(irq_work_run); -@@ -178,8 +203,17 @@ void irq_work_tick(void) +@@ -178,8 +204,17 @@ void irq_work_tick(void) if (!llist_empty(raised) && !arch_irq_work_has_interrupt()) irq_work_run_list(raised); @@ -180,9 +183,11 @@ Signed-off-by: Sebastian Andrzej Siewior /* * Synchronize against the irq_work @entry, ensures the entry is not +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index aa7cade1b9f3..131fe93756c4 100644 --- a/kernel/rcu/tree.c 
+++ b/kernel/rcu/tree.c -@@ -1294,6 +1294,7 @@ static int rcu_implicit_dynticks_qs(stru +@@ -1259,6 +1259,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp) !rdp->rcu_iw_pending && rdp->rcu_iw_gpnum != rnp->gpnum && (rnp->ffmask & rdp->grpmask)) { init_irq_work(&rdp->rcu_iw, rcu_iw_handler); @@ -190,9 +195,11 @@ Signed-off-by: Sebastian Andrzej Siewior rdp->rcu_iw_pending = true; rdp->rcu_iw_gpnum = rnp->gpnum; irq_work_queue_on(&rdp->rcu_iw, rdp->cpu); +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 56a0fed30c0a..dc7fd09d66fa 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c -@@ -279,6 +279,7 @@ static int init_rootdomain(struct root_d +@@ -279,6 +279,7 @@ static int init_rootdomain(struct root_domain *rd) rd->rto_cpu = -1; raw_spin_lock_init(&rd->rto_lock); init_irq_work(&rd->rto_push_work, rto_push_irq_work_func); @@ -200,9 +207,11 @@ Signed-off-by: Sebastian Andrzej Siewior #endif init_dl_bw(&rd->dl_bw); +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 5b33e2f5c0ed..2fd4a37ffdc2 100644 --- a/kernel/time/tick-sched.c +++ b/kernel/time/tick-sched.c -@@ -232,6 +232,7 @@ static void nohz_full_kick_func(struct i +@@ -227,6 +227,7 @@ static void nohz_full_kick_func(struct irq_work *work) static DEFINE_PER_CPU(struct irq_work, nohz_full_kick_work) = { .func = nohz_full_kick_func, @@ -210,13 +219,19 @@ Signed-off-by: Sebastian Andrzej Siewior }; /* +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index 786f8c014e7e..6c996ba08e0a 100644 --- a/kernel/time/timer.c 
+++ b/kernel/time/timer.c -@@ -1717,6 +1717,7 @@ static __latent_entropy void run_timer_s +@@ -1692,6 +1692,8 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h) { struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); + irq_work_tick_soft(); - /* - * must_forward_clk must be cleared before running timers so that any - * timer functions that call mod_timer will not try to forward the ++ + __run_timers(base); + if (IS_ENABLED(CONFIG_NO_HZ_COMMON)) + __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF])); +-- +2.19.0 +
diff --git a/debian/patches/bugfix/all/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch b/debian/patches/bugfix/all/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
deleted file mode 100644
index e0d1d2fae..000000000
--- a/debian/patches/bugfix/all/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
+++ /dev/null
@@ -1,155 +0,0 @@ -From: Chao Yu -Date: Sat, 30 Jun 2018 18:13:40 +0800 -Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode -Origin: https://git.kernel.org/linus/4dbe38dc386910c668c75ae616b99b823b59f3eb -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13099 - -As Wen Xu reported in bugzilla, after image was injected with random data -by fuzzing, inline inode would contain invalid reserved blkaddr, then -during inline conversion, we will encounter illegal memory accessing -reported by KASAN, the root cause of this is when writing out converted -inline page, we will use invalid reserved blkaddr to update sit bitmap, -result in accessing memory beyond sit bitmap boundary. - -In order to fix this issue, let's do sanity check with reserved block -address of inline inode to avoid above condition. - -https://bugzilla.kernel.org/show_bug.cgi?id=200179 - -[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0 -[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741 - -[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1 -[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 -[ 1428.846860] Call Trace: -[ 1428.846868] dump_stack+0x71/0xab -[ 1428.846875] print_address_description+0x6b/0x290 -[ 1428.846881] kasan_report+0x28e/0x390 -[ 1428.846888] ? update_sit_entry+0x80/0x7f0 -[ 1428.846898] update_sit_entry+0x80/0x7f0 -[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70 -[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590 -[ 1428.846920] do_write_page+0xc8/0x150 -[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210 -[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170 -[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130 -[ 1428.846946] ? __mod_node_page_state+0x22/0xa0 -[ 1428.846951] ? inc_zone_page_state+0x54/0x100 -[ 1428.846956] ? 
__test_set_page_writeback+0x336/0x5d0 -[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0 -[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0 -[ 1428.846978] ? __get_node_page+0x335/0x6b0 -[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500 -[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0 -[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40 -[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0 -[ 1428.847024] f2fs_file_mmap+0x79/0xc0 -[ 1428.847029] mmap_region+0x58b/0x880 -[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370 -[ 1428.847042] do_mmap+0x55b/0x7a0 -[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0 -[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50 -[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160 -[ 1428.847068] ? do_sys_open+0x206/0x2a0 -[ 1428.847073] ? __fget+0xb4/0x100 -[ 1428.847079] ksys_mmap_pgoff+0x278/0x360 -[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50 -[ 1428.847091] do_syscall_64+0x73/0x160 -[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9 -[ 1428.847102] RIP: 0033:0x7fb1430766ba -[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 -[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 -[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba -[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000 -[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000 -[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000 -[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000 - -[ 1428.847252] Allocated by task 2683: -[ 1428.847372] kasan_kmalloc+0xa6/0xd0 -[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0 -[ 1428.847385] getname_flags+0x73/0x2b0 -[ 1428.847390] user_path_at_empty+0x1d/0x40 -[ 1428.847395] 
vfs_statx+0xc1/0x150 -[ 1428.847401] __do_sys_newlstat+0x7e/0xd0 -[ 1428.847405] do_syscall_64+0x73/0x160 -[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -[ 1428.847466] Freed by task 2683: -[ 1428.847566] __kasan_slab_free+0x137/0x190 -[ 1428.847571] kmem_cache_free+0x85/0x1e0 -[ 1428.847575] filename_lookup+0x191/0x280 -[ 1428.847580] vfs_statx+0xc1/0x150 -[ 1428.847585] __do_sys_newlstat+0x7e/0xd0 -[ 1428.847590] do_syscall_64+0x73/0x160 -[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -[ 1428.847648] The buggy address belongs to the object at ffff880194483300 - which belongs to the cache names_cache of size 4096 -[ 1428.847946] The buggy address is located 576 bytes inside of - 4096-byte region [ffff880194483300, ffff880194484300) -[ 1428.848234] The buggy address belongs to the page: -[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0 -[ 1428.848606] flags: 0x17fff8000008100(slab|head) -[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380 -[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 -[ 1428.849122] page dumped because: kasan: bad access detected - -[ 1428.849305] Memory state around the buggy address: -[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 1428.849985] ^ -[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 1428.850498] ================================================================== - -Reported-by: Wen Xu -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim ---- - fs/f2fs/inline.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/fs/f2fs/inline.c 
b/fs/f2fs/inline.c -index 9a245d2d5b7c..2bcb2d36f024 100644 ---- a/fs/f2fs/inline.c -+++ b/fs/f2fs/inline.c -@@ -130,6 +130,16 @@ int f2fs_convert_inline_page(struct dnode_of_data *dn, struct page *page) - if (err) - return err; - -+ if (unlikely(dn->data_blkaddr != NEW_ADDR)) { -+ f2fs_put_dnode(dn); -+ set_sbi_flag(fio.sbi, SBI_NEED_FSCK); -+ f2fs_msg(fio.sbi->sb, KERN_WARNING, -+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " -+ "run fsck to fix.", -+ __func__, dn->inode->i_ino, dn->data_blkaddr); -+ return -EINVAL; -+ } -+ - f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page)); - - f2fs_do_read_inline_data(page, dn->inode_page); -@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage, - if (err) - goto out; - -+ if (unlikely(dn.data_blkaddr != NEW_ADDR)) { -+ f2fs_put_dnode(&dn); -+ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK); -+ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING, -+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " -+ "run fsck to fix.", -+ __func__, dir->i_ino, dn.data_blkaddr); -+ err = -EINVAL; -+ goto out; -+ } -+ - f2fs_wait_on_page_writeback(page, DATA, true); - - dentry_blk = page_address(page); --- -2.11.0 -
diff --git a/debian/patches/bugfix/all/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch b/debian/patches/bugfix/all/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch
deleted file mode 100644
index eaf13d5b1..000000000
--- a/debian/patches/bugfix/all/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -From: Chao Yu -Date: Sat, 23 Jun 2018 00:12:36 +0800 -Subject: f2fs: fix to do sanity check with secs_per_zone -Origin: https://git.kernel.org/linus/42bf546c1fe3f3654bdf914e977acbc2b80a5be5 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13100 - -As Wen Xu reported in below link: - -https://bugzilla.kernel.org/show_bug.cgi?id=200183 - -- Overview -Divide zero in reset_curseg() when mounting a crafted f2fs image - -- Reproduce - -- Kernel message -[ 588.281510] divide error: 0000 [#1] SMP KASAN PTI -[ 588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4 -[ 588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 -[ 588.286178] RIP: 0010:reset_curseg+0x94/0x1a0 -[ 588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246 -[ 588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b -[ 588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64 -[ 588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000 -[ 588.306822] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 -[ 588.308456] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0 -[ 588.311085] Call Trace: -[ 588.311637] f2fs_build_segment_manager+0x103f/0x3410 -[ 588.316136] ? f2fs_commit_super+0x1b0/0x1b0 -[ 588.317031] ? set_blocksize+0x90/0x140 -[ 588.319473] f2fs_mount+0x15/0x20 -[ 588.320166] mount_fs+0x60/0x1a0 -[ 588.320847] ? alloc_vfsmnt+0x309/0x360 -[ 588.321647] vfs_kern_mount+0x6b/0x1a0 -[ 588.322432] do_mount+0x34a/0x18c0 -[ 588.323175] ? strndup_user+0x46/0x70 -[ 588.323937] ? copy_mount_string+0x20/0x20 -[ 588.324793] ? memcg_kmem_put_cache+0x1b/0xa0 -[ 588.325702] ? kasan_check_write+0x14/0x20 -[ 588.326562] ? _copy_from_user+0x6a/0x90 -[ 588.327375] ? 
memdup_user+0x42/0x60 -[ 588.328118] ksys_mount+0x83/0xd0 -[ 588.328808] __x64_sys_mount+0x67/0x80 -[ 588.329607] do_syscall_64+0x78/0x170 -[ 588.330400] entry_SYSCALL_64_after_hwframe+0x44/0xa9 -[ 588.331461] RIP: 0033:0x7fad848e8b9a -[ 588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 -[ 588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a -[ 588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0 -[ 588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 -[ 588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0 -[ 588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003 -[ 588.354891] ---[ end trace 4ce02f25ff7d3df5 ]--- -[ 588.355862] RIP: 0010:reset_curseg+0x94/0x1a0 -[ 588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246 -[ 588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b -[ 588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64 -[ 588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f -[ 588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700 -[ 588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000 -[ 588.370057] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 -[ 588.372099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0 - -- Location -https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147 - curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno); - -If secs_per_zone is corrupted due to fuzzing test, it will cause divide -zero operation when using GET_ZONE_FROM_SEG macro, so we should do more -sanity check with secs_per_zone during mount to avoid this issue. 
- -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim ---- - fs/f2fs/super.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 01d1cb6081fc..a041ee20492d 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -2227,9 +2227,9 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, - return 1; - } - -- if (secs_per_zone > total_sections) { -+ if (secs_per_zone > total_sections || !secs_per_zone) { - f2fs_msg(sb, KERN_INFO, -- "Wrong secs_per_zone (%u > %u)", -+ "Wrong secs_per_zone / total_sections (%u, %u)", - secs_per_zone, total_sections); - return 1; - } --- -2.11.0 -
diff --git a/debian/patches/bugfix/all/mac80211-don-t-update-the-PM-state-of-a-peer-upon-a-.patch b/debian/patches/bugfix/all/mac80211-don-t-update-the-PM-state-of-a-peer-upon-a-.patch
deleted file mode 100644
index 1c7b5c77d..000000000
--- a/debian/patches/bugfix/all/mac80211-don-t-update-the-PM-state-of-a-peer-upon-a-.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From: Emmanuel Grumbach -Date: Mon, 20 Aug 2018 13:56:07 +0300 -Subject: mac80211: don't update the PM state of a peer upon a multicast frame -Origin: https://git.kernel.org/linus/20932750d9c78d307e4f2f18f9c6a32b82b1e0e8 -Bug-Debian: https://bugs.debian.org/887045 -Bug-Debian: https://bugs.debian.org/886292 - -I changed the way mac80211 updates the PM state of the peer. -I forgot that we could also have multicast frames from the -peer and that those frame should of course not change the -PM state of the peer: A peer goes to power save when it -needs to scan, but it won't send the broadcast Probe Request -with the PM bit set. - -This made us mark the peer as awake when it wasn't and then -Intel's firmware would fail to transmit because the peer is -asleep according to its database. The driver warned about -this and it looked like this: - - WARNING: CPU: 0 PID: 184 at /usr/src/linux-4.16.14/drivers/net/wireless/intel/iwlwifi/mvm/tx.c:1369 iwl_mvm_rx_tx_cmd+0x53b/0x860 - CPU: 0 PID: 184 Comm: irq/124-iwlwifi Not tainted 4.16.14 #1 - RIP: 0010:iwl_mvm_rx_tx_cmd+0x53b/0x860 - Call Trace: - iwl_pcie_rx_handle+0x220/0x880 - iwl_pcie_irq_handler+0x6c9/0xa20 - ? irq_forced_thread_fn+0x60/0x60 - ? irq_thread_dtor+0x90/0x90 - -The relevant code that spits the WARNING is: - - case TX_STATUS_FAIL_DEST_PS: - /* the FW should have stopped the queue and not - * return this status - */ - WARN_ON(1); - info->flags |= IEEE80211_TX_STAT_TX_FILTERED; - -This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199967. 
- -Fixes: 9fef65443388 ("mac80211: always update the PM state of a peer on MGMT / DATA frames") -Cc: #4.16+ -Signed-off-by: Emmanuel Grumbach -Signed-off-by: Johannes Berg ---- - net/mac80211/rx.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c -index 932985ca4e66..3f80a5ca4050 100644 ---- a/net/mac80211/rx.c -+++ b/net/mac80211/rx.c -@@ -1612,6 +1612,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) - */ - if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) && - !ieee80211_has_morefrags(hdr->frame_control) && -+ !is_multicast_ether_addr(hdr->addr1) && - (ieee80211_is_mgmt(hdr->frame_control) || - ieee80211_is_data(hdr->frame_control)) && - !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && --- -2.19.0 -
diff --git a/debian/patches/series b/debian/patches/series
index e2a7ba594..43b35a6e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -98,7 +98,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch debian/revert-objtool-fix-config_stack_validation-y-warning.patch bugfix/all/netfilter-ipvs-Fix-invalid-bytes-in-IP_VS_MH_TAB_IND.patch -bugfix/all/mac80211-don-t-update-the-PM-state-of-a-peer-upon-a-.patch # Miscellaneous features features/all/kbuild-add-build-salt-to-the-kernel-and-modules.patch
@@ -144,8 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch -bugfix/all/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch -bugfix/all/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch