diff --git a/debian/changelog b/debian/changelog index 27d9a1131..fee1a09ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.15.9-1) UNRELEASED; urgency=medium +linux (4.15.10-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.5 
@@ -380,6 +380,155 @@ linux (4.15.9-1) UNRELEASED; urgency=medium - scsi: mpt3sas: fix oops in error handlers after shutdown/unload - scsi: mpt3sas: wait for and flush running commands on shutdown/unload - [x86] KVM: fix backward migration with async_PF + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.10 + - RDMA/ucma: Limit possible option size + - RDMA/ucma: Check that user doesn't overflow QP state + - RDMA/mlx5: Fix integer overflow while resizing CQ + - bpf: cpumap: use GFP_KERNEL instead of GFP_ATOMIC in + __cpu_map_entry_alloc() + - IB/uverbs: Improve lockdep_check + - mac80211_hwsim: don't use WQ_MEM_RECLAIM + - [x86] drm/i915: Check for fused or unused pipes + - [x86] drm/i915/audio: fix check for av_enc_map overflow + - [x86] drm/i915: Fix rsvd2 mask when out-fence is returned + - [x86] drm/i915: Clear the in-use marker on execbuf failure + - [x86] drm/i915: Disable DC states around GMBUS on GLK + - [x86] drm/i915: Update watermark state correctly in sanitize_watermarks + - [x86] drm/i915: Try EDID bitbanging on HDMI after failed read + - [x86] drm/i915/perf: fix perf stream opening lock + - scsi: core: Avoid that ATA error handling can trigger a kernel hang or + oops (Closes: #891467) + - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS + - [x86] drm/i915: Always call to intel_display_set_init_power() in + resume_early. 
+ - workqueue: Allow retrieval of current task's work struct + - drm: Allow determining if current task is output poll worker + - drm/nouveau: Fix deadlock on runtime suspend + - drm/radeon: Fix deadlock on runtime suspend + - drm/amdgpu: Fix deadlock on runtime suspend + - drm/nouveau: prefer XBGR2101010 for addfb ioctl + - drm/amd/powerplay/smu7: allow mclk switching with no displays + - drm/amd/powerplay/vega10: allow mclk switching with no displays + - Revert "drm/radeon/pm: autoswitch power state when in balanced mode" + - drm/amd/display: check for ipp before calling cursor operations + - drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE + - drm/amd/powerplay: fix power over limit on Fiji + - drm/amd/display: Default HDMI6G support to true. Log VBIOS table error. + - drm/amdgpu: used cached pcie gen info for SI (v2) + - drm/amdgpu: Notify sbios device ready before send request + - drm/radeon: fix KV harvesting + - drm/amdgpu: fix KV harvesting + - drm/amdgpu:Correct max uvd handles + - drm/amdgpu:Always save uvd vcpu_bo in VM Mode + - ovl: redirect_dir=nofollow should not follow redirect for opaque lower + - [mips*/octeon] irq: Check for null return on kzalloc allocation + - PCI: dwc: Fix enumeration end when reaching root subordinate + - Revert "Input: synaptics - Lenovo Thinkpad T460p devices should use RMI" + - bug: use %pB in BUG and stack protector failure + - lib/bug.c: exclude non-BUG/WARN exceptions from report_bug() + - mm/memblock.c: hardcode the end_pfn being -1 + - Documentation/sphinx: Fix Directive import error + - loop: Fix lost writes caused by missing flag + - virtio_ring: fix num_free handling in error case + - [x390x] KVM: fix memory overwrites when not using SCA entries + - [arm64] mm: fix thinko in non-global page table attribute check + - IB/core: Fix missing RDMA cgroups release in case of failure to register + device + - Revert "nvme: create 'slaves' and 'holders' entries for hidden + controllers" + - kbuild: Handle builtin 
dtb file names containing hyphens + - dm bufio: avoid false-positive Wmaybe-uninitialized warning + - IB/mlx5: Fix incorrect size of klms in the memory region + - bcache: fix crashes in duplicate cache device register + - bcache: don't attach backing with duplicate UUID + - [x86] MCE: Save microcode revision in machine check records + - [x86] MCE: Serialize sysfs changes (CVE-2018-7995) + - perf tools: Fix trigger class trigger_on() + - [x86] spectre_v2: Don't check microcode versions when running under + hypervisors + - ALSA: hda/realtek - Add support headset mode for DELL WYSE + - ALSA: hda/realtek - Add headset mode support for Dell laptop + - ALSA: hda/realtek: Limit mic boost on T480 + - ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 + - ALSA: hda/realtek - Make dock sound work on ThinkPad L570 + - ALSA: seq: Don't allow resizing pool in use + - ALSA: seq: More protection for concurrent write and ioctl races + - ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines + - ALSA: hda: add dock and led support for HP EliteBook 820 G3 + - ALSA: hda: add dock and led support for HP ProBook 640 G2 + - scsi: qla2xxx: Fix NULL pointer crash due to probe failure + - scsi: qla2xxx: Fix recursion while sending terminate exchange + - dt-bindings: Document mti,mips-cpc binding + - nospec: Kill array_index_nospec_mask_check() + - nospec: Include dependency + - [x86] entry: Reduce the code footprint of the 'idtentry' macro + - [x86] entry/64: Use 'xorl' for faster register clearing + - [x86] mm: Remove stale comment about KMEMCHECK + - [x86] asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers + - [x86] IO-APIC: Avoid warning in 32-bit builds + - [x86] LDT: Avoid warning in 32-bit builds with older gcc + - x86-64/realmode: Add instruction suffix + - Revert "x86/retpoline: Simplify vmexit_fill_RSB()" + - [x86] speculation: Use IBRS if available before calling into firmware + - [x86] retpoline: Support retpoline builds with Clang + - [x86] 
speculation, objtool: Annotate indirect calls/jumps for objtool + - [x86] speculation: Move firmware_restrict_branch_speculation_*() from C + to CPP + - [x86] paravirt, objtool: Annotate indirect calls + - [x86] boot, objtool: Annotate indirect jump in secondary_startup_64() + - [x86] mm/sme, objtool: Annotate indirect call in sme_encrypt_execute() + - objtool: Use existing global variables for options + - objtool: Add retpoline validation + - objtool: Add module specific retpoline rules + - objtool, retpolines: Integrate objtool with retpoline support more + closely + - objtool: Fix another switch table detection issue + - objtool: Fix 32-bit build + - [x86] kprobes: Fix kernel crash when probing .entry_trampoline code + - watchdog: hpwdt: SMBIOS check + - watchdog: hpwdt: Check source of NMI + - watchdog: hpwdt: fix unused variable warning + - watchdog: hpwdt: Remove legacy NMI sourcing. + - netfilter: add back stackpointer size checks (CVE-2018-1065) + - netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation + - netfilter: xt_hashlimit: fix lock imbalance + - netfilter: x_tables: fix missing timer initialization in xt_LED + - netfilter: nat: cope with negative port range + - netfilter: IDLETIMER: be syzkaller friendly + - netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets + (CVE-2018-1068) + - netfilter: bridge: ebt_among: add missing match size checks + - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt + - netfilter: use skb_to_full_sk in ip6_route_me_harder + - tpm_tis: Move ilb_base_addr to tpm_tis_data + - tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd() + - tpm: delete the TPM_TIS_CLK_ENABLE flag + - tpm: remove unused variables + - tpm: only attempt to disable the LPC CLKRUN if is already enabled + - [x86] xen: Calculate __max_logical_packages on PV domains + - scsi: qla2xxx: Fix system crash for Notify ack timeout handling + - scsi: qla2xxx: Fix gpnid error processing + - scsi: qla2xxx: Move 
session delete to driver work queue + - scsi: qla2xxx: Skip IRQ affinity for Target QPairs + - scsi: qla2xxx: Fix re-login for Nport Handle in use + - scsi: qla2xxx: Retry switch command on time out + - scsi: qla2xxx: Serialize GPNID for multiple RSCN + - scsi: qla2xxx: Fix login state machine stuck at GPDB + - scsi: qla2xxx: Fix NPIV host cleanup in target mode + - scsi: qla2xxx: Relogin to target port on a cable swap + - scsi: qla2xxx: Fix Relogin being triggered too fast + - scsi: qla2xxx: Fix PRLI state check + - scsi: qla2xxx: Fix abort command deadlock due to spinlock + - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport + - scsi: qla2xxx: Fix scan state field for fcport + - scsi: qla2xxx: Clear loop id after delete + - scsi: qla2xxx: Defer processing of GS IOCB calls + - scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout. + - scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref + - scsi: qla2xxx: Fix memory leak in dual/target mode + - NFS: Fix an incorrect type in struct nfs_direct_req + - pNFS: Prevent the layout header refcount going to zero in pnfs_roc() + - NFS: Fix unstable write completion [ Ben Hutchings ] * aufs: gen-patch: Fix Subject generation to skip SPDX-License-Identifier @@ -391,7 +540,6 @@ linux (4.15.9-1) UNRELEASED; urgency=medium (Closes: #892629) * firmware_class: Refer to Debian wiki page when logging missing firmware (Closes: #888405) - * nospec: Kill array_index_nospec_mask_check() * amdgpu: Abort probing if firmware is not installed, as we do in radeon * Bump ABI to 2 * [amd64] udeb: Add vmd to scsi-modules, required for NVMe on some systems 
@@ -413,10 +561,6 @@ linux (4.15.9-1) UNRELEASED; urgency=medium * [arm64] Apply patch from linux-next to fix eMMC corruption on Odroid-C2 (Closes: #879072). - [ Salvatore Bonaccorso ] - * scsi: core: Avoid that ATA error handling can trigger a kernel hang or - oops (Closes: #891467) - -- Salvatore Bonaccorso Tue, 20 Feb 2018 21:51:39 +0100 linux (4.15.4-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/nospec-kill-array_index_nospec_mask_check.patch b/debian/patches/bugfix/all/nospec-kill-array_index_nospec_mask_check.patch deleted file mode 100644 index 1eb9c54e7..000000000 --- a/debian/patches/bugfix/all/nospec-kill-array_index_nospec_mask_check.patch +++ /dev/null 
@@ -1,77 +0,0 @@
-From: Dan Williams
-Date: Fri, 16 Feb 2018 13:20:42 -0800
-Subject: nospec: Kill array_index_nospec_mask_check()
-Origin: https://git.kernel.org/linus/1d91c1d2c80cb70e2e553845e278b87a960c04da
-
-There are multiple problems with the dynamic sanity checking in
-array_index_nospec_mask_check():
-
-* It causes unnecessary overhead in the 32-bit case since integer sized
- @index values will no longer cause the check to be compiled away like
- in the 64-bit case.
-
-* In the 32-bit case it may trigger with user controllable input when
- the expectation is that should only trigger during development of new
- kernel enabling.
-
-* The macro reuses the input parameter in multiple locations which is
- broken if someone passes an expression like 'index++' to
- array_index_nospec().
-
-Reported-by: Linus Torvalds
-Signed-off-by: Dan Williams
-Cc: Andy Lutomirski
-Cc: Arjan van de Ven
-Cc: Borislav Petkov
-Cc: Dave Hansen
-Cc: David Woodhouse
-Cc: Greg Kroah-Hartman
-Cc: Josh Poimboeuf
-Cc: Peter Zijlstra
-Cc: Thomas Gleixner
-Cc: Will Deacon
-Cc: linux-arch@vger.kernel.org
-Link: http://lkml.kernel.org/r/151881604278.17395.6605847763178076520.stgit@dwillia2-desk3.amr.corp.intel.com
-Signed-off-by: Ingo Molnar
----
- include/linux/nospec.h | 22 +---------------------
- 1 file changed, 1 insertion(+), 21 deletions(-)
-
---- a/include/linux/nospec.h
-+++ b/include/linux/nospec.h
-@@ -30,26 +30,6 @@ static inline unsigned long array_index_
- #endif
-
- /*
-- * Warn developers about inappropriate array_index_nospec() usage.
-- *
-- * Even if the CPU speculates past the WARN_ONCE branch, the
-- * sign bit of @index is taken into account when generating the
-- * mask.
-- *
-- * This warning is compiled out when the compiler can infer that
-- * @index and @size are less than LONG_MAX.
-- */
--#define array_index_mask_nospec_check(index, size) \
--({ \
-- if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, \
-- "array_index_nospec() limited to range of [0, LONG_MAX]\n")) \
-- _mask = 0; \
-- else \
-- _mask = array_index_mask_nospec(index, size); \
-- _mask; \
--})
--
--/*
- * array_index_nospec - sanitize an array index after a bounds check
- *
- * For a code sequence like:
-@@ -67,7 +47,7 @@ static inline unsigned long array_index_
- ({ \
- typeof(index) _i = (index); \
- typeof(size) _s = (size); \
-- unsigned long _mask = array_index_mask_nospec_check(_i, _s); \
-+ unsigned long _mask = array_index_mask_nospec(_i, _s); \
- \
- BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
- BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
diff --git a/debian/patches/bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch b/debian/patches/bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch
deleted file mode 100644
index b1abb23e5..000000000
--- a/debian/patches/bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From: Bart Van Assche
-Date: Thu, 22 Feb 2018 11:30:20 -0800
-Subject: scsi: core: Avoid that ATA error handling can trigger a kernel hang
- or oops
-Origin: https://git.kernel.org/linus/3be8828fc507cdafe7040a3dcf361a2bcd8e305b
-Bug: https://bugzilla.kernel.org/show_bug.cgi?id=198861
-Bug-Debian: https://bugs.debian.org/891467
-
-Avoid that the recently introduced call_rcu() call in the SCSI core
-triggers a double call_rcu() call.
-
-Reported-by: Natanael Copa
-Reported-by: Damien Le Moal
-References: https://bugzilla.kernel.org/show_bug.cgi?id=198861
-Fixes: 3bd6f43f5cb3 ("scsi: core: Ensure that the SCSI error handler gets woken up")
-Signed-off-by: Bart Van Assche
-Reviewed-by: Damien Le Moal
-Tested-by: Damien Le Moal
-Cc: Natanael Copa
-Cc: Damien Le Moal
-Cc: Alexandre Oliva
-Cc: Pavel Tikhomirov
-Cc: Hannes Reinecke
-Cc: Johannes Thumshirn
-Cc:
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/hosts.c | 3 ---
- drivers/scsi/scsi_error.c | 5 +++--
- drivers/scsi/scsi_lib.c | 2 ++
- include/scsi/scsi_cmnd.h | 3 +++
- include/scsi/scsi_host.h | 2 --
- 5 files changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
-index 57bf43e34863..dd9464920456 100644
---- a/drivers/scsi/hosts.c
-+++ b/drivers/scsi/hosts.c
-@@ -328,8 +328,6 @@ static void scsi_host_dev_release(struct device *dev)
- if (shost->work_q)
- destroy_workqueue(shost->work_q);
-
-- destroy_rcu_head(&shost->rcu);
--
- if (shost->shost_state == SHOST_CREATED) {
- /*
- * Free the shost_dev device name here if scsi_host_alloc()
-@@ -404,7 +402,6 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
- INIT_LIST_HEAD(&shost->starved_list);
- init_waitqueue_head(&shost->host_wait);
- mutex_init(&shost->scan_mutex);
-- init_rcu_head(&shost->rcu);
-
- index = ida_simple_get(&host_index_ida, 0, 0, GFP_KERNEL);
- if (index < 0)
-diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
-index d042915ce895..ca53a5f785ee 100644
---- a/drivers/scsi/scsi_error.c
-+++ b/drivers/scsi/scsi_error.c
-@@ -223,7 +223,8 @@ static void scsi_eh_reset(struct scsi_cmnd *scmd)
-
- static void scsi_eh_inc_host_failed(struct rcu_head *head)
- {
-- struct Scsi_Host *shost = container_of(head, typeof(*shost), rcu);
-+ struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu);
-+ struct Scsi_Host *shost = scmd->device->host;
- unsigned long flags;
-
- spin_lock_irqsave(shost->host_lock, flags);
-@@ -259,7 +260,7 @@ void scsi_eh_scmd_add(struct scsi_cmnd *scmd)
- * Ensure that all tasks observe the host state change before the
- * host_failed change.
- */
-- call_rcu(&shost->rcu, scsi_eh_inc_host_failed);
-+ call_rcu(&scmd->rcu, scsi_eh_inc_host_failed);
- }
-
- /**
-diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 5cbc69b2b1ae..4af1682f5ff5 100644
---- a/drivers/scsi/scsi_lib.c
-+++ b/drivers/scsi/scsi_lib.c
-@@ -670,6 +670,7 @@ static bool scsi_end_request(struct request *req, blk_status_t error,
- if (!blk_rq_is_scsi(req)) {
- WARN_ON_ONCE(!(cmd->flags & SCMD_INITIALIZED));
- cmd->flags &= ~SCMD_INITIALIZED;
-+ destroy_rcu_head(&cmd->rcu);
- }
-
- if (req->mq_ctx) {
-@@ -1150,6 +1151,7 @@ static void scsi_initialize_rq(struct request *rq)
- struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
-
- scsi_req_init(&cmd->req);
-+ init_rcu_head(&cmd->rcu);
- cmd->jiffies_at_alloc = jiffies;
- cmd->retries = 0;
- }
-diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
-index 949a016dd7fa..0382ceab2eba 100644
---- a/include/scsi/scsi_cmnd.h
-+++ b/include/scsi/scsi_cmnd.h
-@@ -69,6 +69,9 @@ struct scsi_cmnd {
- struct list_head list; /* scsi_cmnd participates in queue lists */
- struct list_head eh_entry; /* entry for the host eh_cmd_q */
- struct delayed_work abort_work;
-+
-+ struct rcu_head rcu;
-+
- int eh_eflags; /* Used by error handlr */
-
- /*
-diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h
-index 1a1df0d21ee3..a8b7bf879ced 100644
---- a/include/scsi/scsi_host.h
-+++ b/include/scsi/scsi_host.h
-@@ -571,8 +571,6 @@ struct Scsi_Host {
- struct blk_mq_tag_set tag_set;
- };
-
-- struct rcu_head rcu;
--
- atomic_t host_busy; /* commands actually active on low-level */
- atomic_t host_blocked;
-
---
-2.11.0
-
diff --git a/debian/patches/series b/debian/patches/series
index 2de37226e..609e26f3b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -80,7 +80,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 debian/revert-objtool-fix-config_stack_validation-y-warning.patch
 bugfix/all/crypto-ecc-fix-null-pointer-deref.-on-no-default_rng.patch
-bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch
 # Miscellaneous features
@@ -121,7 +120,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/nospec-kill-array_index_nospec_mask_check.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch