From 63b0a734297593a1750b253ac77d02b9b73410a3 Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Thu, 18 Oct 2018 13:59:26 +0200
Subject: [PATCH] Update to 4.18.13
---
debian/changelog | 135 +++++++++++++++++-
...erification-must-truncate-input-befo.patch | 60 --------
...disable-regulatory.db-direct-loading.patch | 12 +-
debian/patches/series | 1 -
4 files changed, 140 insertions(+), 68 deletions(-)
delete mode 100644 debian/patches/bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch
diff --git a/debian/changelog b/debian/changelog
index 28b7a3fc6..42ab211ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.18.12-1) UNRELEASED; urgency=medium
+linux (4.18.13-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
@@ -256,12 +256,145 @@ linux (4.18.12-1) UNRELEASED; urgency=medium
- [powerpc*] fix csum_ipv6_magic() on little endian platforms
- [powerpc*] pkeys: Fix reading of ibm, processor-storage-keys property
- [powerpc*] pseries: Fix unitialized timer reset on migration
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.13
+ - mac80211: Run TXQ teardown code before de-registering interfaces
+ - mac80211_hwsim: require at least one channel
+ - Btrfs: fix unexpected failure of nocow buffered writes after snapshotting
+ when low on space
+ - [powerpc*] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate
+ function
+ - cfg80211: remove division by size of sizeof(struct ieee80211_wmm_rule)
+ - btrfs: btrfs_shrink_device should call commit transaction at the end
+ - scsi: csiostor: add a check for NULL pointer after kmalloc()
+ - scsi: csiostor: fix incorrect port capabilities
+ - scsi: libata: Add missing newline at end of file
+ - scsi: aacraid: fix a signedness bug
+ - bpf, sockmap: fix potential use after free in bpf_tcp_close
+ - bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg
+ - bpf: sockmap, decrement copied count correctly in redirect error case
+ - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+ - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
+ - cfg80211: make wmm_rule part of the reg_rule structure
+ - mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom
+ - nl80211: Fix nla_put_u8 to u16 for NL80211_WMMR_TXOP
+ - nl80211: Pass center frequency in kHz instead of MHz
+ - bpf: fix several offset tests in bpf_msg_pull_data
+ - mac80211: mesh: fix HWMP sequence numbering to follow standard
+ - mac80211: avoid kernel panic when building AMSDU from non-linear SKB
+ - bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data
+ - bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data
+ - bpf: fix sg shift repair start offset in bpf_msg_pull_data
+ - [arm64] net: hns: add the code for cleaning pkt in chip
+ - [arm64] net: hns: add netif_carrier_off before change speed and duplex
+ - [arm64, armhf] net: mvpp2: initialize port of_node pointer
+ - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
+ - mac80211: do not convert to A-MSDU if frag/subframe limited
+ - mac80211: always account for A-MSDU header changes
+ - Revert "blk-throttle: fix race between blkcg_bio_issue_check() and
+ cgroup_rmdir()"
+ - md/raid5-cache: disable reshape completely
+ - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
+ - bpf: Fix bpf_msg_pull_data()
+ - bpf: avoid misuse of psock when TCP_ULP_BPF collides with another ULP
+ - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
+ - mac80211: fix an off-by-one issue in A-MSDU max_subframe computation
+ - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
+ - mac80211: fix WMM TXOP calculation
+ - mac80211: fix a race between restart and CSA flows
+ - mac80211: Fix station bandwidth setting after channel switch
+ - mac80211: don't Tx a deauth frame if the AP forbade Tx
+ - mac80211: shorten the IBSS debug messages
+ - [powerpc*] net/ibm/emac: wrong emac_calc_base call was used by typo
+ - ceph: avoid a use-after-free in ceph_destroy_options()
+ - firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
+ - afs: Fix cell specification to permit an empty address list
+ - mm: madvise(MADV_DODUMP): allow hugetlbfs pages
+ - netfilter: xt_cluster: add dependency on conntrack module
+ - [x86] HID: intel-ish-hid: Enable Sunrise Point-H ish driver
+ - HID: add support for Apple Magic Keyboards
+ - HID: hid-saitek: Add device ID for RAT 7 Contagion
+ - scsi: iscsi: target: Set conn->sess to NULL when
+ iscsi_login_set_conn_values fails
+ - scsi: iscsi: target: Fix conn_ops double free
+ - perf annotate: Properly interpret indirect call
+ - perf evsel: Fix potential null pointer dereference in
+ perf_evsel__new_idx()
+ - perf util: Fix bad memory access in trace info.
+ - [powerpc*] perf probe: Ignore SyS symbols irrespective of endianness
+ - [arm64] perf annotate: Fix parsing aarch64 branch instructions after
+ objdump update
+ - netfilter: nf_tables: release chain in flushing set
+ - HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub
+ report
+ - USB: yurex: Check for truncation in yurex_read()
+ - nvmet-rdma: fix possible bogus dereference under heavy load
+ - net/mlx5: Consider PCI domain in search for next dev
+ - [x86] HID: i2c-hid: Don't reset device upon system resume
+ - dm raid: fix reshape race on small devices
+ - drm/nouveau: fix oops in client init failure path
+ - drm/nouveau/mmu: don't attempt to dereference vmm without valid instance
+ pointer
+ - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
+ - drm/nouveau/disp: fix DP disable race
+ - drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for
+ LVDS/eDP panels
+ - dm raid: fix stripe adding reshape deadlock
+ - dm raid: fix rebuild of specific devices by updating superblock
+ - dm raid: fix RAID leg rebuild errors
+ - r8169: set TxConfig register after TX / RX is enabled, just like RxConfig
+ - fs/cifs: suppress a string overflow warning
+ - net: ena: fix surprise unplug NULL dereference kernel crash
+ - net: ena: fix driver when PAGE_SIZE == 64kB
+ - net: ena: fix device destruction to gracefully free resources
+ - net: ena: fix potential double ena_destroy_device()
+ - net: ena: fix missing lock during device destruction
+ - net: ena: fix missing calls to READ_ONCE
+ - sched/topology: Set correct NUMA topology type
+ - dm thin metadata: try to avoid ever aborting transactions
+ - netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for
+ NF_REPEAT
+ - netfilter: xt_hashlimit: use s->file instead of s->private
+ - drm/amdgpu: Fix SDMA hang in prt mode v2
+ - drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
+ - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
+ - [s390x] qeth: use vzalloc for QUERY OAT buffer
+ - [s390x] qeth: don't dump past end of unknown HW header
+ - cifs: read overflow in is_valid_oplock_break()
+ - asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP &&
+ CONFIG_INDIRECT_PIO
+ - xen/manage: don't complain about an empty value in control/sysrq node
+ - [mips*, x86, s390x] xen: avoid crash in disable_hotplug_cpu
+ - new primitive: discard_new_inode()
+ - vfs: don't evict uninitialized inode
+ - ovl: set I_CREATING on inode being created
+ - ovl: fix access beyond unterminated strings
+ - ovl: fix memory leak on unlink of indexed file
+ - ovl: fix format of setxattr debug
+ - sysfs: Do not return POSIX ACL xattrs via listxattr
+ - b43: fix DMA error related regression with proprietary firmware
+ - firmware: Fix security issue with request_firmware_into_buf()
+ - firmware: Always initialize the fw_priv list object
+ - smb2: fix missing files in root share directory listing
+ - [x86] iommu/amd: Clear memory encryption mask from physical address
+ - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
+ - [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
+ - crypto: chelsio - Fix memory corruption in DMA Mapped buffers.
+ - [arm64, armhf, x86, powerpc*] gpiolib: Free the last requested descriptor
+ - [x86] Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()
+ - proc: restrict kernel stack dumps to root
+ - ocfs2: fix locking for res->tracking and dlm->tracking_list
+ - [x86] HID: i2c-hid: disable runtime PM operations on hantick touchpad
+ - ixgbe: check return value of napi_complete_done()
+ - dm thin metadata: fix __udivdi3 undefined on 32-bit
+ - Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
[ Ben Hutchings ]
* linux-perf: Fix BPF feature detection
[ Romain Perier ]
* [rt] Update to 4.18.12-rt7
+ * Fixed FTBFS caused by wireless-disable-regulatory.db-direct-loading.patch,
+ due to conflicting types for 'reg_query_regdb_wmm'
[ Vagrant Cascadian ]
* [arm64] Update pinebook/teres-i device-tree patches to 4.19.x:
diff --git a/debian/patches/bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch b/debian/patches/bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch
deleted file mode 100644
index 2b0cc5b8b..000000000
--- a/debian/patches/bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Jann Horn
-Date: Fri, 5 Oct 2018 18:17:59 +0200
-Subject: bpf: 32-bit RSH verification must truncate input before the ALU op
-Origin: https://git.kernel.org/linus/b799207e1e1816b09e7a5920fbb2d5fcf6edd681
-Bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1686
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18445
-
-When I wrote commit 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification"), I
-assumed that, in order to emulate 64-bit arithmetic with 32-bit logic, it
-is sufficient to just truncate the output to 32 bits; and so I just moved
-the register size coercion that used to be at the start of the function to
-the end of the function.
-
-That assumption is true for almost every op, but not for 32-bit right
-shifts, because those can propagate information towards the least
-significant bit. Fix it by always truncating inputs for 32-bit ops to 32
-bits.
-
-Also get rid of the coerce_reg_to_size() after the ALU op, since that has
-no effect.
-
-Fixes: 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification")
-Acked-by: Daniel Borkmann
-Signed-off-by: Jann Horn
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index bb07e74b34a2..465952a8e465 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- u64 umin_val, umax_val;
- u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
-
-+ if (insn_bitness == 32) {
-+ /* Relevant for 32-bit RSH: Information can propagate towards
-+ * LSB, so it isn't sufficient to only truncate the output to
-+ * 32 bits.
-+ */
-+ coerce_reg_to_size(dst_reg, 4);
-+ coerce_reg_to_size(&src_reg, 4);
-+ }
-+
- smin_val = src_reg.smin_value;
- smax_val = src_reg.smax_value;
- umin_val = src_reg.umin_value;
-@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- if (BPF_CLASS(insn->code) != BPF_ALU64) {
- /* 32-bit ALU ops are (32,32)->32 */
- coerce_reg_to_size(dst_reg, 4);
-- coerce_reg_to_size(&src_reg, 4);
- }
-
- __reg_deduce_bounds(dst_reg);
---
-2.19.1
-
diff --git a/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch b/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch
index 60f3ec6e6..92964d2e0 100644
--- a/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch
+++ b/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch
@@ -12,7 +12,7 @@ Index: debian-kernel/net/wireless/reg.c
===================================================================
--- debian-kernel.orig/net/wireless/reg.c
+++ debian-kernel/net/wireless/reg.c
-@@ -489,6 +489,7 @@ static void reg_regdb_apply(struct work_
+@@ -476,6 +476,7 @@ static void reg_regdb_apply(struct work_
static DECLARE_WORK(reg_regdb_work, reg_regdb_apply);
@@ -20,7 +20,7 @@ Index: debian-kernel/net/wireless/reg.c
static int reg_schedule_apply(const struct ieee80211_regdomain *regdom)
{
struct reg_regdb_apply_request *request;
-@@ -508,6 +509,7 @@ static int reg_schedule_apply(const stru
+@@ -495,6 +496,7 @@ static int reg_schedule_apply(const stru
schedule_work(&reg_regdb_work);
return 0;
}
@@ -28,7 +28,7 @@ Index: debian-kernel/net/wireless/reg.c
#ifdef CONFIG_CFG80211_CRDA_SUPPORT
/* Max number of consecutive attempts to communicate with CRDA */
-@@ -587,6 +589,36 @@ static inline int call_crda(const char *
+@@ -574,6 +576,36 @@ static inline int call_crda(const char *
/* code to directly load a firmware database through request_firmware */
static const struct fwdb_header *regdb;
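Review bot: Dropping bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch (CVE-2018-18445, upstream b799207e1e18) is not backed by the 4.18.13 changelog entries added in this same commit: that list carries several bpf sockmap and bpf_msg_pull_data fixes but no "bpf: 32-bit RSH verification must truncate input before the ALU op". Unless that commit is confirmed to be in 4.18.13 under another title, removing the patch reopens the verifier bounds-tracking hole on 32-bit right shifts that the deleted patch's Bug: link (Project Zero 1686) documents, i.e. a verifier bypass reachable from whatever can load BPF programs. Before merging, check `git log v4.18.13 --oneline -- kernel/bpf/verifier.c` (or the stable ChangeLog) for b799207e, and if it is absent keep the patch in series until the stable release that carries it. If it is present, add the title with its CVE to the 4.18.13 list in debian/changelog so the security tracker can see where the fix landed.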
@@ -53,8 +53,8 @@ Index: debian-kernel/net/wireless/reg.c
+ return -ENOENT;
+}
+
-+int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
-+ struct ieee80211_wmm_rule *rule)
++int reg_query_regdb_wmm(char *alpha2, int freq,
++ struct ieee80211_reg_rule *rule)
+{
+ return -ENODATA;
+}
@@ -65,7 +65,7 @@ Index: debian-kernel/net/wireless/reg.c
struct fwdb_country {
u8 alpha2[2];
__be16 coll_ptr;
-@@ -1152,6 +1184,8 @@ int reg_reload_regdb(void)
+@@ -1090,6 +1122,8 @@ int reg_reload_regdb(void)
return err;
}
diff --git a/debian/patches/series b/debian/patches/series
index 6a8eb84c4..817ef4f3f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -146,7 +146,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
-bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
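Review bot: The rewritten stub `reg_query_regdb_wmm` in the @@ -53 hunk returns -ENODATA unconditionally and nothing in the patch says why, which is what will bite the next person who has to rebase it; a one-line comment above it would do, e.g. `/* regulatory.db direct loading is disabled in this build, so no WMM rules can be served; presumably mirrors upstream's no-regdb return */`. The prototype change itself only tracks the upstream "cfg80211: make wmm_rule part of the reg_rule structure" entry that this commit's 4.18.13 changelog lists, so the comment should also name include/net/cfg80211.h as the declaration this stub must stay in sync with, since a mismatch there is exactly the conflicting-types FTBFS the changelog entry describes. The dropped `dbptr` argument was unused by the old stub, so no behaviour beyond the signature changes here.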