Update to 4.15.10

Add CVE ids for two issues fixed in 4.15.10

Drop bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch

Drop bugfix/all/nospec-kill-array_index_nospec_mask_check.patch

Cleanup debian/changelog file
Salvatore Bonaccorso 2018-03-16 06:56:13 +01:00
parent 8039021914
commit 677fae7f88
4 changed files with 150 additions and 213 deletions

debian/changelog

@ -1,4 +1,4 @@
linux (4.15.9-1) UNRELEASED; urgency=medium
linux (4.15.10-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.5
@ -380,6 +380,155 @@ linux (4.15.9-1) UNRELEASED; urgency=medium
- scsi: mpt3sas: fix oops in error handlers after shutdown/unload
- scsi: mpt3sas: wait for and flush running commands on shutdown/unload
- [x86] KVM: fix backward migration with async_PF
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.10
- RDMA/ucma: Limit possible option size
- RDMA/ucma: Check that user doesn't overflow QP state
- RDMA/mlx5: Fix integer overflow while resizing CQ
- bpf: cpumap: use GFP_KERNEL instead of GFP_ATOMIC in
__cpu_map_entry_alloc()
- IB/uverbs: Improve lockdep_check
- mac80211_hwsim: don't use WQ_MEM_RECLAIM
- [x86] drm/i915: Check for fused or unused pipes
- [x86] drm/i915/audio: fix check for av_enc_map overflow
- [x86] drm/i915: Fix rsvd2 mask when out-fence is returned
- [x86] drm/i915: Clear the in-use marker on execbuf failure
- [x86] drm/i915: Disable DC states around GMBUS on GLK
- [x86] drm/i915: Update watermark state correctly in sanitize_watermarks
- [x86] drm/i915: Try EDID bitbanging on HDMI after failed read
- [x86] drm/i915/perf: fix perf stream opening lock
- scsi: core: Avoid that ATA error handling can trigger a kernel hang or
oops (Closes: #891467)
- scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
- [x86] drm/i915: Always call to intel_display_set_init_power() in
resume_early.
- workqueue: Allow retrieval of current task's work struct
- drm: Allow determining if current task is output poll worker
- drm/nouveau: Fix deadlock on runtime suspend
- drm/radeon: Fix deadlock on runtime suspend
- drm/amdgpu: Fix deadlock on runtime suspend
- drm/nouveau: prefer XBGR2101010 for addfb ioctl
- drm/amd/powerplay/smu7: allow mclk switching with no displays
- drm/amd/powerplay/vega10: allow mclk switching with no displays
- Revert "drm/radeon/pm: autoswitch power state when in balanced mode"
- drm/amd/display: check for ipp before calling cursor operations
- drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
- drm/amd/powerplay: fix power over limit on Fiji
- drm/amd/display: Default HDMI6G support to true. Log VBIOS table error.
- drm/amdgpu: used cached pcie gen info for SI (v2)
- drm/amdgpu: Notify sbios device ready before send request
- drm/radeon: fix KV harvesting
- drm/amdgpu: fix KV harvesting
- drm/amdgpu:Correct max uvd handles
- drm/amdgpu:Always save uvd vcpu_bo in VM Mode
- ovl: redirect_dir=nofollow should not follow redirect for opaque lower
- [mips*/octeon] irq: Check for null return on kzalloc allocation
- PCI: dwc: Fix enumeration end when reaching root subordinate
- Revert "Input: synaptics - Lenovo Thinkpad T460p devices should use RMI"
- bug: use %pB in BUG and stack protector failure
- lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()
- mm/memblock.c: hardcode the end_pfn being -1
- Documentation/sphinx: Fix Directive import error
- loop: Fix lost writes caused by missing flag
- virtio_ring: fix num_free handling in error case
- [x390x] KVM: fix memory overwrites when not using SCA entries
- [arm64] mm: fix thinko in non-global page table attribute check
- IB/core: Fix missing RDMA cgroups release in case of failure to register
device
- Revert "nvme: create 'slaves' and 'holders' entries for hidden
controllers"
- kbuild: Handle builtin dtb file names containing hyphens
- dm bufio: avoid false-positive Wmaybe-uninitialized warning
- IB/mlx5: Fix incorrect size of klms in the memory region
- bcache: fix crashes in duplicate cache device register
- bcache: don't attach backing with duplicate UUID
- [x86] MCE: Save microcode revision in machine check records
- [x86] MCE: Serialize sysfs changes (CVE-2018-7995)
- perf tools: Fix trigger class trigger_on()
- [x86] spectre_v2: Don't check microcode versions when running under
hypervisors
- ALSA: hda/realtek - Add support headset mode for DELL WYSE
- ALSA: hda/realtek - Add headset mode support for Dell laptop
- ALSA: hda/realtek: Limit mic boost on T480
- ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
- ALSA: hda/realtek - Make dock sound work on ThinkPad L570
- ALSA: seq: Don't allow resizing pool in use
- ALSA: seq: More protection for concurrent write and ioctl races
- ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines
- ALSA: hda: add dock and led support for HP EliteBook 820 G3
- ALSA: hda: add dock and led support for HP ProBook 640 G2
- scsi: qla2xxx: Fix NULL pointer crash due to probe failure
- scsi: qla2xxx: Fix recursion while sending terminate exchange
- dt-bindings: Document mti,mips-cpc binding
- nospec: Kill array_index_nospec_mask_check()
- nospec: Include <asm/barrier.h> dependency
- [x86] entry: Reduce the code footprint of the 'idtentry' macro
- [x86] entry/64: Use 'xorl' for faster register clearing
- [x86] mm: Remove stale comment about KMEMCHECK
- [x86] asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers
- [x86] IO-APIC: Avoid warning in 32-bit builds
- [x86] LDT: Avoid warning in 32-bit builds with older gcc
- x86-64/realmode: Add instruction suffix
- Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
- [x86] speculation: Use IBRS if available before calling into firmware
- [x86] retpoline: Support retpoline builds with Clang
- [x86] speculation, objtool: Annotate indirect calls/jumps for objtool
- [x86] speculation: Move firmware_restrict_branch_speculation_*() from C
to CPP
- [x86] paravirt, objtool: Annotate indirect calls
- [x86] boot, objtool: Annotate indirect jump in secondary_startup_64()
- [x86] mm/sme, objtool: Annotate indirect call in sme_encrypt_execute()
- objtool: Use existing global variables for options
- objtool: Add retpoline validation
- objtool: Add module specific retpoline rules
- objtool, retpolines: Integrate objtool with retpoline support more
closely
- objtool: Fix another switch table detection issue
- objtool: Fix 32-bit build
- [x86] kprobes: Fix kernel crash when probing .entry_trampoline code
- watchdog: hpwdt: SMBIOS check
- watchdog: hpwdt: Check source of NMI
- watchdog: hpwdt: fix unused variable warning
- watchdog: hpwdt: Remove legacy NMI sourcing.
- netfilter: add back stackpointer size checks (CVE-2018-1065)
- netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
- netfilter: xt_hashlimit: fix lock imbalance
- netfilter: x_tables: fix missing timer initialization in xt_LED
- netfilter: nat: cope with negative port range
- netfilter: IDLETIMER: be syzkaller friendly
- netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
(CVE-2018-1068)
- netfilter: bridge: ebt_among: add missing match size checks
- netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
- netfilter: use skb_to_full_sk in ip6_route_me_harder
- tpm_tis: Move ilb_base_addr to tpm_tis_data
- tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd()
- tpm: delete the TPM_TIS_CLK_ENABLE flag
- tpm: remove unused variables
- tpm: only attempt to disable the LPC CLKRUN if is already enabled
- [x86] xen: Calculate __max_logical_packages on PV domains
- scsi: qla2xxx: Fix system crash for Notify ack timeout handling
- scsi: qla2xxx: Fix gpnid error processing
- scsi: qla2xxx: Move session delete to driver work queue
- scsi: qla2xxx: Skip IRQ affinity for Target QPairs
- scsi: qla2xxx: Fix re-login for Nport Handle in use
- scsi: qla2xxx: Retry switch command on time out
- scsi: qla2xxx: Serialize GPNID for multiple RSCN
- scsi: qla2xxx: Fix login state machine stuck at GPDB
- scsi: qla2xxx: Fix NPIV host cleanup in target mode
- scsi: qla2xxx: Relogin to target port on a cable swap
- scsi: qla2xxx: Fix Relogin being triggered too fast
- scsi: qla2xxx: Fix PRLI state check
- scsi: qla2xxx: Fix abort command deadlock due to spinlock
- scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
- scsi: qla2xxx: Fix scan state field for fcport
- scsi: qla2xxx: Clear loop id after delete
- scsi: qla2xxx: Defer processing of GS IOCB calls
- scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout.
- scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref
- scsi: qla2xxx: Fix memory leak in dual/target mode
- NFS: Fix an incorrect type in struct nfs_direct_req
- pNFS: Prevent the layout header refcount going to zero in pnfs_roc()
- NFS: Fix unstable write completion
[ Ben Hutchings ]
* aufs: gen-patch: Fix Subject generation to skip SPDX-License-Identifier
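Review bot: the architecture tag on the added entry "[x390x] KVM: fix memory overwrites when not using SCA entries" looks like a typo for [s390x], so anyone filtering the changelog by architecture tag will miss this memory-overwrite fix; suggest correcting the tag. Separately, the commit message mentions CVE ids for two issues, while the added 4.15.10 block carries three (CVE-2018-7995, CVE-2018-1065, CVE-2018-1068); either the message or the annotations should be reconciled so the security tracker data matches the changelog.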
@ -391,7 +540,6 @@ linux (4.15.9-1) UNRELEASED; urgency=medium
(Closes: #892629)
* firmware_class: Refer to Debian wiki page when logging missing firmware
(Closes: #888405)
* nospec: Kill array_index_nospec_mask_check()
* amdgpu: Abort probing if firmware is not installed, as we do in radeon
* Bump ABI to 2
* [amd64] udeb: Add vmd to scsi-modules, required for NVMe on some systems
@ -413,10 +561,6 @@ linux (4.15.9-1) UNRELEASED; urgency=medium
* [arm64] Apply patch from linux-next to fix eMMC corruption on
Odroid-C2 (Closes: #879072).
[ Salvatore Bonaccorso ]
* scsi: core: Avoid that ATA error handling can trigger a kernel hang or
oops (Closes: #891467)
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 20 Feb 2018 21:51:39 +0100
linux (4.15.4-1) unstable; urgency=medium


@ -1,77 +0,0 @@
From: Dan Williams <dan.j.williams@intel.com>
Date: Fri, 16 Feb 2018 13:20:42 -0800
Subject: nospec: Kill array_index_nospec_mask_check()
Origin: https://git.kernel.org/linus/1d91c1d2c80cb70e2e553845e278b87a960c04da
There are multiple problems with the dynamic sanity checking in
array_index_nospec_mask_check():
* It causes unnecessary overhead in the 32-bit case since integer sized
@index values will no longer cause the check to be compiled away like
in the 64-bit case.
* In the 32-bit case it may trigger with user controllable input when
the expectation is that should only trigger during development of new
kernel enabling.
* The macro reuses the input parameter in multiple locations which is
broken if someone passes an expression like 'index++' to
array_index_nospec().
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/151881604278.17395.6605847763178076520.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
include/linux/nospec.h | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -30,26 +30,6 @@ static inline unsigned long array_index_
#endif
/*
- * Warn developers about inappropriate array_index_nospec() usage.
- *
- * Even if the CPU speculates past the WARN_ONCE branch, the
- * sign bit of @index is taken into account when generating the
- * mask.
- *
- * This warning is compiled out when the compiler can infer that
- * @index and @size are less than LONG_MAX.
- */
-#define array_index_mask_nospec_check(index, size) \
-({ \
- if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, \
- "array_index_nospec() limited to range of [0, LONG_MAX]\n")) \
- _mask = 0; \
- else \
- _mask = array_index_mask_nospec(index, size); \
- _mask; \
-})
-
-/*
* array_index_nospec - sanitize an array index after a bounds check
*
* For a code sequence like:
@@ -67,7 +47,7 @@ static inline unsigned long array_index_
({ \
typeof(index) _i = (index); \
typeof(size) _s = (size); \
- unsigned long _mask = array_index_mask_nospec_check(_i, _s); \
+ unsigned long _mask = array_index_mask_nospec(_i, _s); \
\
BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
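Review bot: this file was listed under "# Security fixes" in the series, and the commit message gives no upstream stable commit id to justify dropping it; the changelog only repeats the subject under 4.15.10. Before relying on that, confirm that include/linux/nospec.h in the 4.15.10 tree no longer defines array_index_mask_nospec_check() and that array_index_nospec() computes _mask with array_index_mask_nospec(_i, _s), as the second hunk of this patch did. Naming the stable commit in the commit message would make the drop auditable.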


@ -1,128 +0,0 @@
From: Bart Van Assche <bart.vanassche@wdc.com>
Date: Thu, 22 Feb 2018 11:30:20 -0800
Subject: scsi: core: Avoid that ATA error handling can trigger a kernel hang
or oops
Origin: https://git.kernel.org/linus/3be8828fc507cdafe7040a3dcf361a2bcd8e305b
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=198861
Bug-Debian: https://bugs.debian.org/891467
Avoid that the recently introduced call_rcu() call in the SCSI core
triggers a double call_rcu() call.
Reported-by: Natanael Copa <ncopa@alpinelinux.org>
Reported-by: Damien Le Moal <damien.lemoal@wdc.com>
References: https://bugzilla.kernel.org/show_bug.cgi?id=198861
Fixes: 3bd6f43f5cb3 ("scsi: core: Ensure that the SCSI error handler gets woken up")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Tested-by: Damien Le Moal <damien.lemoal@wdc.com>
Cc: Natanael Copa <ncopa@alpinelinux.org>
Cc: Damien Le Moal <damien.lemoal@wdc.com>
Cc: Alexandre Oliva <oliva@gnu.org>
Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/hosts.c | 3 ---
drivers/scsi/scsi_error.c | 5 +++--
drivers/scsi/scsi_lib.c | 2 ++
include/scsi/scsi_cmnd.h | 3 +++
include/scsi/scsi_host.h | 2 --
5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 57bf43e34863..dd9464920456 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -328,8 +328,6 @@ static void scsi_host_dev_release(struct device *dev)
if (shost->work_q)
destroy_workqueue(shost->work_q);
- destroy_rcu_head(&shost->rcu);
-
if (shost->shost_state == SHOST_CREATED) {
/*
* Free the shost_dev device name here if scsi_host_alloc()
@@ -404,7 +402,6 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
INIT_LIST_HEAD(&shost->starved_list);
init_waitqueue_head(&shost->host_wait);
mutex_init(&shost->scan_mutex);
- init_rcu_head(&shost->rcu);
index = ida_simple_get(&host_index_ida, 0, 0, GFP_KERNEL);
if (index < 0)
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index d042915ce895..ca53a5f785ee 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -223,7 +223,8 @@ static void scsi_eh_reset(struct scsi_cmnd *scmd)
static void scsi_eh_inc_host_failed(struct rcu_head *head)
{
- struct Scsi_Host *shost = container_of(head, typeof(*shost), rcu);
+ struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu);
+ struct Scsi_Host *shost = scmd->device->host;
unsigned long flags;
spin_lock_irqsave(shost->host_lock, flags);
@@ -259,7 +260,7 @@ void scsi_eh_scmd_add(struct scsi_cmnd *scmd)
* Ensure that all tasks observe the host state change before the
* host_failed change.
*/
- call_rcu(&shost->rcu, scsi_eh_inc_host_failed);
+ call_rcu(&scmd->rcu, scsi_eh_inc_host_failed);
}
/**
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 5cbc69b2b1ae..4af1682f5ff5 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -670,6 +670,7 @@ static bool scsi_end_request(struct request *req, blk_status_t error,
if (!blk_rq_is_scsi(req)) {
WARN_ON_ONCE(!(cmd->flags & SCMD_INITIALIZED));
cmd->flags &= ~SCMD_INITIALIZED;
+ destroy_rcu_head(&cmd->rcu);
}
if (req->mq_ctx) {
@@ -1150,6 +1151,7 @@ static void scsi_initialize_rq(struct request *rq)
struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
scsi_req_init(&cmd->req);
+ init_rcu_head(&cmd->rcu);
cmd->jiffies_at_alloc = jiffies;
cmd->retries = 0;
}
diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
index 949a016dd7fa..0382ceab2eba 100644
--- a/include/scsi/scsi_cmnd.h
+++ b/include/scsi/scsi_cmnd.h
@@ -69,6 +69,9 @@ struct scsi_cmnd {
struct list_head list; /* scsi_cmnd participates in queue lists */
struct list_head eh_entry; /* entry for the host eh_cmd_q */
struct delayed_work abort_work;
+
+ struct rcu_head rcu;
+
int eh_eflags; /* Used by error handlr */
/*
diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h
index 1a1df0d21ee3..a8b7bf879ced 100644
--- a/include/scsi/scsi_host.h
+++ b/include/scsi/scsi_host.h
@@ -571,8 +571,6 @@ struct Scsi_Host {
struct blk_mq_tag_set tag_set;
};
- struct rcu_head rcu;
-
atomic_t host_busy; /* commands actually active on low-level */
atomic_t host_blocked;
--
2.11.0
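Review bot: with this file removed, the only remaining reference to Debian bug #891467 is the "Closes: #891467" tag attached to the 4.15.10 upstream entry in debian/changelog, so the bug will be closed on the strength of the stable release alone. Worth checking that 4.15.10 carries the full change from the Origin commit 3be8828fc507cdafe7040a3dcf361a2bcd8e305b: the rcu_head moved from struct Scsi_Host into struct scsi_cmnd, with init_rcu_head() in scsi_initialize_rq() and the matching destroy_rcu_head() in scsi_end_request(). A partial backport would leave the double call_rcu() path in place.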


@ -80,7 +80,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/crypto-ecc-fix-null-pointer-deref.-on-no-default_rng.patch
bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch
# Miscellaneous features
@ -121,7 +120,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/nospec-kill-array_index_nospec_mask_check.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch