Update to 4.18.13

debian/changelog

@@ -1,4 +1,4 @@
-linux (4.18.12-1) UNRELEASED; urgency=medium
+linux (4.18.13-1) UNRELEASED; urgency=medium
 
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
@@ -256,12 +256,145 @@ linux (4.18.12-1) UNRELEASED; urgency=medium
     - [powerpc*] fix csum_ipv6_magic() on little endian platforms
     - [powerpc*] pkeys: Fix reading of ibm, processor-storage-keys property
     - [powerpc*] pseries: Fix unitialized timer reset on migration
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.13
+    - mac80211: Run TXQ teardown code before de-registering interfaces
+    - mac80211_hwsim: require at least one channel
+    - Btrfs: fix unexpected failure of nocow buffered writes after snapshotting
+      when low on space
+    - [powerpc*] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate
+      function
+    - cfg80211: remove division by size of sizeof(struct ieee80211_wmm_rule)
+    - btrfs: btrfs_shrink_device should call commit transaction at the end
+    - scsi: csiostor: add a check for NULL pointer after kmalloc()
+    - scsi: csiostor: fix incorrect port capabilities
+    - scsi: libata: Add missing newline at end of file
+    - scsi: aacraid: fix a signedness bug
+    - bpf, sockmap: fix potential use after free in bpf_tcp_close
+    - bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg
+    - bpf: sockmap, decrement copied count correctly in redirect error case
+    - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+    - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+    - cfg80211: make wmm_rule part of the reg_rule structure
+    - mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom
+    - nl80211: Fix nla_put_u8 to u16 for NL80211_WMMR_TXOP
+    - nl80211: Pass center frequency in kHz instead of MHz
+    - bpf: fix several offset tests in bpf_msg_pull_data
+    - mac80211: mesh: fix HWMP sequence numbering to follow standard
+    - mac80211: avoid kernel panic when building AMSDU from non-linear SKB
+    - bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data
+    - bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data
+    - bpf: fix sg shift repair start offset in bpf_msg_pull_data
+    - [arm64] net: hns: add the code for cleaning pkt in chip
+    - [arm64] net: hns: add netif_carrier_off before change speed and duplex
+    - [arm64, armhf] net: mvpp2: initialize port of_node pointer
+    - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
+    - mac80211: do not convert to A-MSDU if frag/subframe limited
+    - mac80211: always account for A-MSDU header changes
+    - Revert "blk-throttle: fix race between blkcg_bio_issue_check() and
+      cgroup_rmdir()"
+    - md/raid5-cache: disable reshape completely
+    - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
+    - bpf: Fix bpf_msg_pull_data()
+    - bpf: avoid misuse of psock when TCP_ULP_BPF collides with another ULP
+    - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
+    - mac80211: fix an off-by-one issue in A-MSDU max_subframe computation
+    - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
+    - mac80211: fix WMM TXOP calculation
+    - mac80211: fix a race between restart and CSA flows
+    - mac80211: Fix station bandwidth setting after channel switch
+    - mac80211: don't Tx a deauth frame if the AP forbade Tx
+    - mac80211: shorten the IBSS debug messages
+    - [powerpc*] net/ibm/emac: wrong emac_calc_base call was used by typo
+    - ceph: avoid a use-after-free in ceph_destroy_options()
+    - firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
+    - afs: Fix cell specification to permit an empty address list
+    - mm: madvise(MADV_DODUMP): allow hugetlbfs pages
+    - netfilter: xt_cluster: add dependency on conntrack module
+    - [x86] HID: intel-ish-hid: Enable Sunrise Point-H ish driver
+    - HID: add support for Apple Magic Keyboards
+    - HID: hid-saitek: Add device ID for RAT 7 Contagion
+    - scsi: iscsi: target: Set conn->sess to NULL when
+      iscsi_login_set_conn_values fails
+    - scsi: iscsi: target: Fix conn_ops double free
+    - perf annotate: Properly interpret indirect call
+    - perf evsel: Fix potential null pointer dereference in
+      perf_evsel__new_idx()
+    - perf util: Fix bad memory access in trace info.
+    - [powerpc*] perf probe: Ignore SyS symbols irrespective of endianness
+    - [arm64] perf annotate: Fix parsing aarch64 branch instructions after
+      objdump update
+    - netfilter: nf_tables: release chain in flushing set
+    - HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub
+      report
+    - USB: yurex: Check for truncation in yurex_read()
+    - nvmet-rdma: fix possible bogus dereference under heavy load
+    - net/mlx5: Consider PCI domain in search for next dev
+    - [x86] HID: i2c-hid: Don't reset device upon system resume
+    - dm raid: fix reshape race on small devices
+    - drm/nouveau: fix oops in client init failure path
+    - drm/nouveau/mmu: don't attempt to dereference vmm without valid instance
+      pointer
+    - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
+    - drm/nouveau/disp: fix DP disable race
+    - drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for
+      LVDS/eDP panels
+    - dm raid: fix stripe adding reshape deadlock
+    - dm raid: fix rebuild of specific devices by updating superblock
+    - dm raid: fix RAID leg rebuild errors
+    - r8169: set TxConfig register after TX / RX is enabled, just like RxConfig
+    - fs/cifs: suppress a string overflow warning
+    - net: ena: fix surprise unplug NULL dereference kernel crash
+    - net: ena: fix driver when PAGE_SIZE == 64kB
+    - net: ena: fix device destruction to gracefully free resources
+    - net: ena: fix potential double ena_destroy_device()
+    - net: ena: fix missing lock during device destruction
+    - net: ena: fix missing calls to READ_ONCE
+    - sched/topology: Set correct NUMA topology type
+    - dm thin metadata: try to avoid ever aborting transactions
+    - netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for
+      NF_REPEAT
+    - netfilter: xt_hashlimit: use s->file instead of s->private
+    - drm/amdgpu: Fix SDMA hang in prt mode v2
+    - drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
+    - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
+    - [s390x] qeth: use vzalloc for QUERY OAT buffer
+    - [s390x] qeth: don't dump past end of unknown HW header
+    - cifs: read overflow in is_valid_oplock_break()
+    - asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP &&
+      CONFIG_INDIRECT_PIO
+    - xen/manage: don't complain about an empty value in control/sysrq node
+    - [mips*, x86, s390x] xen: avoid crash in disable_hotplug_cpu
+    - new primitive: discard_new_inode()
+    - vfs: don't evict uninitialized inode
+    - ovl: set I_CREATING on inode being created
+    - ovl: fix access beyond unterminated strings
+    - ovl: fix memory leak on unlink of indexed file
+    - ovl: fix format of setxattr debug
+    - sysfs: Do not return POSIX ACL xattrs via listxattr
+    - b43: fix DMA error related regression with proprietary firmware
+    - firmware: Fix security issue with request_firmware_into_buf()
+    - firmware: Always initialize the fw_priv list object
+    - smb2: fix missing files in root share directory listing
+    - [x86] iommu/amd: Clear memory encryption mask from physical address
+    - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
+    - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
+    - crypto: chelsio - Fix memory corruption in DMA Mapped buffers.
+    - [arm64, armhf, x86, powerpc*] gpiolib: Free the last requested descriptor
+    - [x86] Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()
+    - proc: restrict kernel stack dumps to root
+    - ocfs2: fix locking for res->tracking and dlm->tracking_list
+    - [x86] HID: i2c-hid: disable runtime PM operations on hantick touchpad
+    - ixgbe: check return value of napi_complete_done()
+    - dm thin metadata: fix __udivdi3 undefined on 32-bit
+    - Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
 
   [ Ben Hutchings ]
   * linux-perf: Fix BPF feature detection
 
   [ Romain Perier ]
   * [rt] Update to 4.18.12-rt7
+  * Fixed FTBFS caused by wireless-disable-regulatory.db-direct-loading.patch,
+    due to conflicting types for 'reg_query_regdb_wmm'
 
   [ Vagrant Cascadian ]
   * [arm64] Update pinebook/teres-i device-tree patches to 4.19.x:

debian/patches/bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch

@@ -1,60 +0,0 @@
-From: Jann Horn <jannh@google.com>
-Date: Fri, 5 Oct 2018 18:17:59 +0200
-Subject: bpf: 32-bit RSH verification must truncate input before the ALU op
-Origin: https://git.kernel.org/linus/b799207e1e1816b09e7a5920fbb2d5fcf6edd681
-Bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1686
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18445
-
-When I wrote commit 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification"), I
-assumed that, in order to emulate 64-bit arithmetic with 32-bit logic, it
-is sufficient to just truncate the output to 32 bits; and so I just moved
-the register size coercion that used to be at the start of the function to
-the end of the function.
-
-That assumption is true for almost every op, but not for 32-bit right
-shifts, because those can propagate information towards the least
-significant bit. Fix it by always truncating inputs for 32-bit ops to 32
-bits.
-
-Also get rid of the coerce_reg_to_size() after the ALU op, since that has
-no effect.
-
-Fixes: 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification")
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
----
- kernel/bpf/verifier.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index bb07e74b34a2..465952a8e465 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 	u64 umin_val, umax_val;
- 	u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
- 
-+	if (insn_bitness == 32) {
-+		/* Relevant for 32-bit RSH: Information can propagate towards
-+		 * LSB, so it isn't sufficient to only truncate the output to
-+		 * 32 bits.
-+		 */
-+		coerce_reg_to_size(dst_reg, 4);
-+		coerce_reg_to_size(&src_reg, 4);
-+	}
-+
- 	smin_val = src_reg.smin_value;
- 	smax_val = src_reg.smax_value;
- 	umin_val = src_reg.umin_value;
-@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 	if (BPF_CLASS(insn->code) != BPF_ALU64) {
- 		/* 32-bit ALU ops are (32,32)->32 */
- 		coerce_reg_to_size(dst_reg, 4);
--		coerce_reg_to_size(&src_reg, 4);
- 	}
- 
- 	__reg_deduce_bounds(dst_reg);
--- 
-2.19.1
-

debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch

@@ -12,7 +12,7 @@ Index: debian-kernel/net/wireless/reg.c
 ===================================================================
 --- debian-kernel.orig/net/wireless/reg.c
 +++ debian-kernel/net/wireless/reg.c
-@@ -489,6 +489,7 @@ static void reg_regdb_apply(struct work_
+@@ -476,6 +476,7 @@ static void reg_regdb_apply(struct work_
  
  static DECLARE_WORK(reg_regdb_work, reg_regdb_apply);
  
@@ -20,7 +20,7 @@ Index: debian-kernel/net/wireless/reg.c
  static int reg_schedule_apply(const struct ieee80211_regdomain *regdom)
  {
  	struct reg_regdb_apply_request *request;
-@@ -508,6 +509,7 @@ static int reg_schedule_apply(const stru
+@@ -495,6 +496,7 @@ static int reg_schedule_apply(const stru
  	schedule_work(&reg_regdb_work);
  	return 0;
  }
@@ -28,7 +28,7 @@ Index: debian-kernel/net/wireless/reg.c
  
  #ifdef CONFIG_CFG80211_CRDA_SUPPORT
  /* Max number of consecutive attempts to communicate with CRDA  */
-@@ -587,6 +589,36 @@ static inline int call_crda(const char *
+@@ -574,6 +576,36 @@ static inline int call_crda(const char *
  /* code to directly load a firmware database through request_firmware */
  static const struct fwdb_header *regdb;
  
@@ -53,8 +53,8 @@ Index: debian-kernel/net/wireless/reg.c
 +	return -ENOENT;
 +}
 +
-+int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
-+			struct ieee80211_wmm_rule *rule)
++int reg_query_regdb_wmm(char *alpha2, int freq,
++			struct ieee80211_reg_rule *rule)
 +{
 +	return -ENODATA;
 +}
@@ -65,7 +65,7 @@ Index: debian-kernel/net/wireless/reg.c
  struct fwdb_country {
  	u8 alpha2[2];
  	__be16 coll_ptr;
-@@ -1152,6 +1184,8 @@ int reg_reload_regdb(void)
+@@ -1090,6 +1122,8 @@ int reg_reload_regdb(void)
  	return err;
  }
  

debian/patches/series

@@ -146,7 +146,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
 bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
-bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch