diff --git a/debian/changelog b/debian/changelog
index 9bdf8295e..af37f246a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+linux (4.15~rc5-1~exp1) UNRELEASED; urgency=medium
+
+ * New upstream release candidate
+
+ [ Ben Hutchings ]
+ * aufs: Update support patchset to aufs4.x-rcN-20171218
+ * lockdown: Update patchset to 2017-11-10 version
+
+ -- Ben Hutchings Tue, 26 Dec 2017 16:25:55 +0000
+
 linux (4.14.7-1) unstable; urgency=medium
 
 * New upstream stable update:
diff --git a/debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch b/debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
deleted file mode 100644
index 074953d00..000000000
--- a/debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Jann Horn
-Date: Mon, 18 Dec 2017 20:11:59 -0800
-Subject: [7/9] bpf: don't prune branches when a scalar is replaced with a
- pointer
-Origin: https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
-
-This could be made safe by passing through a reference to env and checking
-for env->allow_ptr_leaks, but it would only work one way and is probably
-not worth the hassle - not doing it will not directly lead to program
-rejection.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -3366,15 +3366,14 @@ static bool regsafe(struct bpf_reg_state
- return range_within(rold, rcur) &&
- tnum_in(rold->var_off, rcur->var_off);
- } else {
-- /* if we knew anything about the old value, we're not
-- * equal, because we can't know anything about the
-- * scalar value of the pointer in the new value.
-+ /* We're trying to use a pointer in place of a scalar.
-+ * Even if the scalar was unbounded, this could lead to
-+ * pointer leaks because scalars are allowed to leak
-+ * while pointers are not. We could make this safe in
-+ * special cases if root is calling us, but it's
-+ * probably not worth the hassle.
- */
-- return rold->umin_value == 0 &&
-- rold->umax_value == U64_MAX &&
-- rold->smin_value == S64_MIN &&
-- rold->smax_value == S64_MAX &&
-- tnum_is_unknown(rold->var_off);
-+ return false;
- }
- case PTR_TO_MAP_VALUE:
- /* If the new min/max/var_off satisfy the old ones and
diff --git a/debian/patches/bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch b/debian/patches/bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch
deleted file mode 100644
index bf0f1c5b0..000000000
--- a/debian/patches/bugfix/all/bpf-encapsulate-verifier-log-state-into-a-structure.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-From: Jakub Kicinski
-Date: Mon, 9 Oct 2017 10:30:10 -0700
-Subject: bpf: encapsulate verifier log state into a structure
-Origin: https://git.kernel.org/linus/e7bf8249e8f1bac64885eeccb55bcf6111901a81
-
-Put the loose log_* variables into a structure. This will make
-it simpler to remove the global verifier state in following patches.
-
-Signed-off-by: Jakub Kicinski
-Reviewed-by: Simon Horman
-Acked-by: Alexei Starovoitov
-Acked-by: Daniel Borkmann
-Signed-off-by: David S. Miller
----
- include/linux/bpf_verifier.h | 13 ++++++++++
- kernel/bpf/verifier.c | 57 +++++++++++++++++++++++---------------------
- 2 files changed, 43 insertions(+), 27 deletions(-)
-
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -115,6 +115,19 @@ struct bpf_insn_aux_data {
-
- #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
-
-+struct bpf_verifer_log {
-+ u32 level;
-+ char *kbuf;
-+ char __user *ubuf;
-+ u32 len_used;
-+ u32 len_total;
-+};
-+
-+static inline bool bpf_verifier_log_full(const struct bpf_verifer_log *log)
-+{
-+ return log->len_used >= log->len_total - 1;
-+}
-+
- struct bpf_verifier_env;
- struct bpf_ext_analyzer_ops {
- int (*insn_hook)(struct bpf_verifier_env *env,
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -156,8 +156,7 @@ struct bpf_call_arg_meta {
- /* verbose verifier prints what it's seeing
- * bpf_check() is called under lock, so no race to access these global vars
- */
--static u32 log_level, log_size, log_len;
--static char *log_buf;
-+static struct bpf_verifer_log verifier_log;
-
- static DEFINE_MUTEX(bpf_verifier_lock);
-
-@@ -167,13 +166,15 @@ static DEFINE_MUTEX(bpf_verifier_lock);
- */
- static __printf(1, 2) void verbose(const char *fmt, ...)
- {
-+ struct bpf_verifer_log *log = &verifier_log;
- va_list args;
-
-- if (log_level == 0 || log_len >= log_size - 1)
-+ if (!log->level || bpf_verifier_log_full(log))
- return;
-
- va_start(args, fmt);
-- log_len += vscnprintf(log_buf + log_len, log_size - log_len, fmt, args);
-+ log->len_used += vscnprintf(log->kbuf + log->len_used,
-+ log->len_total - log->len_used, fmt, args);
- va_end(args);
- }
-
-@@ -834,7 +835,7 @@ static int check_map_access(struct bpf_v
- * need to try adding each of min_value and max_value to off
- * to make sure our theoretical access will be safe.
- */
-- if (log_level)
-+ if (verifier_log.level)
- print_verifier_state(state);
- /* The minimum value is only important with signed
- * comparisons where we can't assume the floor of a
-@@ -2915,7 +2916,7 @@ static int check_cond_jmp_op(struct bpf_
- verbose("R%d pointer comparison prohibited\n", insn->dst_reg);
- return -EACCES;
- }
-- if (log_level)
-+ if (verifier_log.level)
- print_verifier_state(this_branch);
- return 0;
- }
-@@ -3633,7 +3634,7 @@ static int do_check(struct bpf_verifier_
- return err;
- if (err == 1) {
- /* found equivalent state, can prune the search */
-- if (log_level) {
-+ if (verifier_log.level) {
- if (do_print_state)
- verbose("\nfrom %d to %d: safe\n",
- prev_insn_idx, insn_idx);
-@@ -3646,8 +3647,9 @@ static int do_check(struct bpf_verifier_
- if (need_resched())
- cond_resched();
-
-- if (log_level > 1 || (log_level && do_print_state)) {
-- if (log_level > 1)
-+ if (verifier_log.level > 1 ||
-+ (verifier_log.level && do_print_state)) {
-+ if (verifier_log.level > 1)
- verbose("%d:", insn_idx);
- else
- verbose("\nfrom %d to %d:",
-@@ -3656,7 +3658,7 @@ static int do_check(struct bpf_verifier_
- do_print_state = false;
- }
-
-- if (log_level) {
-+ if (verifier_log.level) {
- verbose("%d: ", insn_idx);
- print_bpf_insn(env, insn);
- }
-@@ -4307,7 +4309,7 @@ static void free_states(struct bpf_verif
-
- int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
- {
-- char __user *log_ubuf = NULL;
-+ struct bpf_verifer_log *log = &verifier_log;
- struct bpf_verifier_env *env;
- int ret = -EINVAL;
-
-@@ -4332,23 +4334,23 @@ int bpf_check(struct bpf_prog **prog, un
- /* user requested verbose verifier output
- * and supplied buffer to store the verification trace
- */
-- log_level = attr->log_level;
-- log_ubuf = (char __user *) (unsigned long) attr->log_buf;
-- log_size = attr->log_size;
-- log_len = 0;
-+ log->level = attr->log_level;
-+ log->ubuf = (char __user *) (unsigned long) attr->log_buf;
-+ log->len_total = attr->log_size;
-+ log->len_used = 0;
-
- ret = -EINVAL;
-- /* log_* values have to be sane */
-- if (log_size < 128 || log_size > UINT_MAX >> 8 ||
-- log_level == 0 || log_ubuf == NULL)
-+ /* log attributes have to be sane */
-+ if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 ||
-+ !log->level || !log->ubuf)
- goto err_unlock;
-
- ret = -ENOMEM;
-- log_buf = vmalloc(log_size);
-- if (!log_buf)
-+ log->kbuf = vmalloc(log->len_total);
-+ if (!log->kbuf)
- goto err_unlock;
- } else {
-- log_level = 0;
-+ log->level = 0;
- }
-
- env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);
-@@ -4385,15 +4387,16 @@ skip_full_check:
- if (ret == 0)
- ret = fixup_bpf_calls(env);
-
-- if (log_level && log_len >= log_size - 1) {
-- BUG_ON(log_len >= log_size);
-+ if (log->level && bpf_verifier_log_full(log)) {
-+ BUG_ON(log->len_used >= log->len_total);
- /* verifier log exceeded user supplied buffer */
- ret = -ENOSPC;
- /* fall through to return what was recorded */
- }
-
- /* copy verifier log back to user space including trailing zero */
-- if (log_level && copy_to_user(log_ubuf, log_buf, log_len + 1) != 0) {
-+ if (log->level && copy_to_user(log->ubuf, log->kbuf,
-+ log->len_used + 1) != 0) {
- ret = -EFAULT;
- goto free_log_buf;
- }
-@@ -4420,8 +4423,8 @@ skip_full_check:
- }
-
- free_log_buf:
-- if (log_level)
-- vfree(log_buf);
-+ if (log->level)
-+ vfree(log->kbuf);
- if (!env->prog->aux->used_maps)
- /* if we didn't copy map pointers into bpf_prog_info, release
- * them now. Otherwise free_bpf_prog_info() will release them.
-@@ -4458,7 +4461,7 @@ int bpf_analyzer(struct bpf_prog *prog,
- /* grab the mutex to protect few globals used by verifier */
- mutex_lock(&bpf_verifier_lock);
-
-- log_level = 0;
-+ verifier_log.level = 0;
-
- env->strict_alignment = false;
- if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
diff --git a/debian/patches/bugfix/all/bpf-fix-32-bit-alu-op-verification.patch b/debian/patches/bugfix/all/bpf-fix-32-bit-alu-op-verification.patch
deleted file mode 100644
index c1e08c881..000000000
--- a/debian/patches/bugfix/all/bpf-fix-32-bit-alu-op-verification.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From: Jann Horn
-Date: Mon, 18 Dec 2017 20:11:56 -0800
-Subject: [4/9] bpf: fix 32-bit ALU op verification
-Origin: https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
-
-32-bit ALU ops operate on 32-bit values and have 32-bit outputs.
-Adjust the verifier accordingly.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 28 +++++++++++++++++-----------
- 1 file changed, 17 insertions(+), 11 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2010,6 +2010,10 @@ static int adjust_ptr_min_max_vals(struc
- return 0;
- }
-
-+/* WARNING: This function does calculations on 64-bit values, but the actual
-+ * execution may occur on 32-bit values. Therefore, things like bitshifts
-+ * need extra checks in the 32-bit case.
-+ */
- static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- struct bpf_insn *insn,
- struct bpf_reg_state *dst_reg,
-@@ -2020,12 +2024,8 @@ static int adjust_scalar_min_max_vals(st
- bool src_known, dst_known;
- s64 smin_val, smax_val;
- u64 umin_val, umax_val;
-+ u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
-
-- if (BPF_CLASS(insn->code) != BPF_ALU64) {
-- /* 32-bit ALU ops are (32,32)->64 */
-- coerce_reg_to_size(dst_reg, 4);
-- coerce_reg_to_size(&src_reg, 4);
-- }
- smin_val = src_reg.smin_value;
- smax_val = src_reg.smax_value;
- umin_val = src_reg.umin_value;
-@@ -2161,9 +2161,9 @@ static int adjust_scalar_min_max_vals(st
- __update_reg_bounds(dst_reg);
- break;
- case BPF_LSH:
-- if (umax_val > 63) {
-- /* Shifts greater than 63 are undefined. This includes
-- * shifts by a negative number.
-+ if (umax_val >= insn_bitness) {
-+ /* Shifts greater than 31 or 63 are undefined.
-+ * This includes shifts by a negative number.
- */
- mark_reg_unknown(env, regs, insn->dst_reg);
- break;
-@@ -2189,9 +2189,9 @@ static int adjust_scalar_min_max_vals(st
- __update_reg_bounds(dst_reg);
- break;
- case BPF_RSH:
-- if (umax_val > 63) {
-- /* Shifts greater than 63 are undefined. This includes
-- * shifts by a negative number.
-+ if (umax_val >= insn_bitness) {
-+ /* Shifts greater than 31 or 63 are undefined.
-+ * This includes shifts by a negative number.
- */
- mark_reg_unknown(env, regs, insn->dst_reg);
- break;
-@@ -2227,6 +2227,12 @@ static int adjust_scalar_min_max_vals(st
- break;
- }
-
-+ if (BPF_CLASS(insn->code) != BPF_ALU64) {
-+ /* 32-bit ALU ops are (32,32)->32 */
-+ coerce_reg_to_size(dst_reg, 4);
-+ coerce_reg_to_size(&src_reg, 4);
-+ }
-+
- __reg_deduce_bounds(dst_reg);
- __reg_bound_offset(dst_reg);
- return 0;
diff --git a/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch b/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch
deleted file mode 100644
index ebb9ee8fa..000000000
--- a/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From: Alexei Starovoitov
-Date: Wed, 22 Nov 2017 16:42:05 -0800
-Subject: bpf: fix branch pruning logic
-Origin: https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
-
-when the verifier detects that register contains a runtime constant
-and it's compared with another constant it will prune exploration
-of the branch that is guaranteed not to be taken at runtime.
-This is all correct, but malicious program may be constructed
-in such a way that it always has a constant comparison and
-the other branch is never taken under any conditions.
-In this case such path through the program will not be explored
-by the verifier. It won't be taken at run-time either, but since
-all instructions are JITed the malicious program may cause JITs
-to complain about using reserved fields, etc.
-To fix the issue we have to track the instructions explored by
-the verifier and sanitize instructions that are dead at run time
-with NOPs. We cannot reject such dead code, since llvm generates
-it for valid C code, since it doesn't do as much data flow
-analysis as the verifier does.
-
-Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
-Signed-off-by: Alexei Starovoitov
-Acked-by: Daniel Borkmann
-Signed-off-by: Daniel Borkmann
----
- include/linux/bpf_verifier.h | 2 +-
- kernel/bpf/verifier.c | 27 +++++++++++++++++++++++++++
- 2 files changed, 28 insertions(+), 1 deletion(-)
-
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -110,7 +110,7 @@ struct bpf_insn_aux_data {
- struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */
- };
- int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
-- int converted_op_size; /* the valid value width after perceived conversion */
-+ bool seen; /* this insn was processed by the verifier */
- };
-
- #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -3695,6 +3695,7 @@ static int do_check(struct bpf_verifier_
- if (err)
- return err;
-
-+ env->insn_aux_data[insn_idx].seen = true;
- if (class == BPF_ALU || class == BPF_ALU64) {
- err = check_alu_op(env, insn);
- if (err)
-@@ -3885,6 +3886,7 @@ process_bpf_exit:
- return err;
-
- insn_idx++;
-+ env->insn_aux_data[insn_idx].seen = true;
- } else {
- verbose(env, "invalid BPF_LD mode\n");
- return -EINVAL;
-@@ -4067,6 +4069,7 @@ static int adjust_insn_aux_data(struct b
- u32 off, u32 cnt)
- {
- struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
-+ int i;
-
- if (cnt == 1)
- return 0;
-@@ -4076,6 +4079,8 @@ static int adjust_insn_aux_data(struct b
- memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
- memcpy(new_data + off + cnt - 1, old_data + off,
- sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
-+ for (i = off; i < off + cnt - 1; i++)
-+ new_data[i].seen = true;
- env->insn_aux_data = new_data;
- vfree(old_data);
- return 0;
-@@ -4094,6 +4099,25 @@ static struct bpf_prog *bpf_patch_insn_d
- return new_prog;
- }
-
-+/* The verifier does more data flow analysis than llvm and will not explore
-+ * branches that are dead at run time. Malicious programs can have dead code
-+ * too. Therefore replace all dead at-run-time code with nops.
-+ */
-+static void sanitize_dead_code(struct bpf_verifier_env *env)
-+{
-+ struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
-+ struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
-+ struct bpf_insn *insn = env->prog->insnsi;
-+ const int insn_cnt = env->prog->len;
-+ int i;
-+
-+ for (i = 0; i < insn_cnt; i++) {
-+ if (aux_data[i].seen)
-+ continue;
-+ memcpy(insn + i, &nop, sizeof(nop));
-+ }
-+}
-+
- /* convert load instructions that access fields of 'struct __sk_buff'
- * into sequence of instructions that access fields of 'struct sk_buff'
- */
-@@ -4410,6 +4434,9 @@ skip_full_check:
- free_states(env);
-
- if (ret == 0)
-+ sanitize_dead_code(env);
-+
-+ if (ret == 0)
- /* program is valid, convert *(u32*)(ctx + off) accesses */
- ret = convert_ctx_accesses(env);
-
diff --git a/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch b/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
deleted file mode 100644
index 62d451056..000000000
--- a/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Jann Horn
-Date: Mon, 18 Dec 2017 20:11:54 -0800
-Subject: [2/9] bpf: fix incorrect sign extension in check_alu_op()
-Origin: https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
-
-Distinguish between
-BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
-and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
-only perform sign extension in the first case.
-
-Starting with v4.14, this is exploitable by unprivileged users as long as
-the unprivileged_bpf_disabled sysctl isn't set.
-
-Debian assigned CVE-2017-16995 for this issue.
-
-v3:
- - add CVE number (Ben Hutchings)
-
-Fixes: 484611357c19 ("bpf: allow access into map value arrays")
-Signed-off-by: Jann Horn
-Acked-by: Edward Cree
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2401,7 +2401,13 @@ static int check_alu_op(struct bpf_verif
- * remember the value we stored into this reg
- */
- regs[insn->dst_reg].type = SCALAR_VALUE;
-- __mark_reg_known(regs + insn->dst_reg, insn->imm);
-+ if (BPF_CLASS(insn->code) == BPF_ALU64) {
-+ __mark_reg_known(regs + insn->dst_reg,
-+ insn->imm);
-+ } else {
-+ __mark_reg_known(regs + insn->dst_reg,
-+ (u32)insn->imm);
-+ }
- }
-
- } else if (opcode > BPF_END) {
diff --git a/debian/patches/bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch b/debian/patches/bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
deleted file mode 100644
index e43e9da78..000000000
--- a/debian/patches/bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From: Jann Horn
-Date: Mon, 18 Dec 2017 20:11:55 -0800
-Subject: [3/9] bpf: fix incorrect tracking of register size truncation
-Origin: https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958
-
-Properly handle register truncation to a smaller size.
-
-The old code first mirrors the clearing of the high 32 bits in the bitwise
-tristate representation, which is correct. But then, it computes the new
-arithmetic bounds as the intersection between the old arithmetic bounds and
-the bounds resulting from the bitwise tristate representation. Therefore,
-when coerce_reg_to_32() is called on a number with bounds
-[0xffff'fff8, 0x1'0000'0007], the verifier computes
-[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.
-This is incorrect: The truncated number could also be in the range [0, 7],
-and no meaningful arithmetic bounds can be computed in that case apart from
-the obvious [0, 0xffff'ffff].
-
-Starting with v4.14, this is exploitable by unprivileged users as long as
-the unprivileged_bpf_disabled sysctl isn't set.
-
-Debian assigned CVE-2017-16996 for this issue.
-
-v2:
- - flip the mask during arithmetic bounds calculation (Ben Hutchings)
-v3:
- - add CVE number (Ben Hutchings)
-
-Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values")
-Signed-off-by: Jann Horn
-Acked-by: Edward Cree
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
-[bwh: Backported to 4.14]
----
- kernel/bpf/verifier.c | 44 +++++++++++++++++++++++++++-----------------
- 1 file changed, 27 insertions(+), 17 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1079,6 +1079,29 @@ static int check_ptr_alignment(struct bp
- strict);
- }
-
-+/* truncate register to smaller size (in bytes)
-+ * must be called with size < BPF_REG_SIZE
-+ */
-+static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)
-+{
-+ u64 mask;
-+
-+ /* clear high bits in bit representation */
-+ reg->var_off = tnum_cast(reg->var_off, size);
-+
-+ /* fix arithmetic bounds */
-+ mask = ((u64)1 << (size * 8)) - 1;
-+ if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) {
-+ reg->umin_value &= mask;
-+ reg->umax_value &= mask;
-+ } else {
-+ reg->umin_value = 0;
-+ reg->umax_value = mask;
-+ }
-+ reg->smin_value = reg->umin_value;
-+ reg->smax_value = reg->umax_value;
-+}
-+
- /* check whether memory at (regno + off) is accessible for t = (read | write)
- * if t==write, value_regno is a register which value is stored into memory
- * if t==read, value_regno is a register which will receive the value from memory
-@@ -1217,9 +1240,7 @@ static int check_mem_access(struct bpf_v
- if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&
- state->regs[value_regno].type == SCALAR_VALUE) {
- /* b/h/w load zero-extends, mark upper bits as known 0 */
-- state->regs[value_regno].var_off = tnum_cast(
-- state->regs[value_regno].var_off, size);
-- __update_reg_bounds(&state->regs[value_regno]);
-+ coerce_reg_to_size(&state->regs[value_regno], size);
- }
- return err;
- }
-@@ -1765,14 +1786,6 @@ static int check_call(struct bpf_verifie
- return 0;
- }
-
--static void coerce_reg_to_32(struct bpf_reg_state *reg)
--{
-- /* clear high 32 bits */
-- reg->var_off = tnum_cast(reg->var_off, 4);
-- /* Update bounds */
-- __update_reg_bounds(reg);
--}
--
- static bool signed_add_overflows(s64 a, s64 b)
- {
- /* Do the add in u64, where overflow is well-defined */
-@@ -2010,8 +2023,8 @@ static int adjust_scalar_min_max_vals(st
-
- if (BPF_CLASS(insn->code) != BPF_ALU64) {
- /* 32-bit ALU ops are (32,32)->64 */
-- coerce_reg_to_32(dst_reg);
-- coerce_reg_to_32(&src_reg);
-+ coerce_reg_to_size(dst_reg, 4);
-+ coerce_reg_to_size(&src_reg, 4);
- }
- smin_val = src_reg.smin_value;
- smax_val = src_reg.smax_value;
-@@ -2391,10 +2404,7 @@ static int check_alu_op(struct bpf_verif
- return -EACCES;
- }
- mark_reg_unknown(env, regs, insn->dst_reg);
-- /* high 32 bits are known zero. */
-- regs[insn->dst_reg].var_off = tnum_cast(
-- regs[insn->dst_reg].var_off, 4);
-- __update_reg_bounds(®s[insn->dst_reg]);
-+ coerce_reg_to_size(®s[insn->dst_reg], 4);
- }
- } else {
- /* case: R = imm
diff --git a/debian/patches/bugfix/all/bpf-fix-integer-overflows.patch b/debian/patches/bugfix/all/bpf-fix-integer-overflows.patch
deleted file mode 100644
index 745014a71..000000000
--- a/debian/patches/bugfix/all/bpf-fix-integer-overflows.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From: Alexei Starovoitov
-Date: Mon, 18 Dec 2017 20:12:00 -0800
-Subject: [8/9] bpf: fix integer overflows
-Origin: https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03
-
-There were various issues related to the limited size of integers used in
-the verifier:
- - `off + size` overflow in __check_map_access()
- - `off + reg->off` overflow in check_mem_access()
- - `off + reg->var_off.value` overflow or 32-bit truncation of
- `reg->var_off.value` in check_mem_access()
- - 32-bit truncation in check_stack_boundary()
-
-Make sure that any integer math cannot overflow by not allowing
-pointer math with large values.
-
-Also reduce the scope of "scalar op scalar" tracking.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Reported-by: Jann Horn
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- include/linux/bpf_verifier.h | 4 ++--
- kernel/bpf/verifier.c | 48 ++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 50 insertions(+), 2 deletions(-)
-
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -15,11 +15,11 @@
- * In practice this is far bigger than any realistic pointer offset; this limit
- * ensures that umax_value + (int)off + (int)size cannot overflow a u64.
- */
--#define BPF_MAX_VAR_OFF (1ULL << 31)
-+#define BPF_MAX_VAR_OFF (1 << 29)
- /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO]. This ensures
- * that converting umax_value to int cannot overflow.
- */
--#define BPF_MAX_VAR_SIZ INT_MAX
-+#define BPF_MAX_VAR_SIZ (1 << 29)
-
- /* Liveness marks, used for registers and spilled-regs (in stack slots).
- * Read marks propagate upwards until they find a write mark; they record that
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1812,6 +1812,41 @@ static bool signed_sub_overflows(s64 a,
- return res > a;
- }
-
-+static bool check_reg_sane_offset(struct bpf_verifier_env *env,
-+ const struct bpf_reg_state *reg,
-+ enum bpf_reg_type type)
-+{
-+ bool known = tnum_is_const(reg->var_off);
-+ s64 val = reg->var_off.value;
-+ s64 smin = reg->smin_value;
-+
-+ if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {
-+ verbose(env, "math between %s pointer and %lld is not allowed\n",
-+ reg_type_str[type], val);
-+ return false;
-+ }
-+
-+ if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {
-+ verbose(env, "%s pointer offset %d is not allowed\n",
-+ reg_type_str[type], reg->off);
-+ return false;
-+ }
-+
-+ if (smin == S64_MIN) {
-+ verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
-+ reg_type_str[type]);
-+ return false;
-+ }
-+
-+ if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {
-+ verbose(env, "value %lld makes %s pointer be out of bounds\n",
-+ smin, reg_type_str[type]);
-+ return false;
-+ }
-+
-+ return true;
-+}
-+
- /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
- * Caller should also handle BPF_MOV case separately.
- * If we return -EACCES, caller may want to try again treating pointer as a
-@@ -1880,6 +1915,10 @@ static int adjust_ptr_min_max_vals(struc
- dst_reg->type = ptr_reg->type;
- dst_reg->id = ptr_reg->id;
-
-+ if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||
-+ !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
-+ return -EINVAL;
-+
- switch (opcode) {
- case BPF_ADD:
- /* We can take a fixed offset as long as it doesn't overflow
-@@ -2010,6 +2049,9 @@ static int adjust_ptr_min_max_vals(struc
- return -EACCES;
- }
-
-+ if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
-+ return -EINVAL;
-+
- __update_reg_bounds(dst_reg);
- __reg_deduce_bounds(dst_reg);
- __reg_bound_offset(dst_reg);
-@@ -2039,6 +2081,12 @@ static int adjust_scalar_min_max_vals(st
- src_known = tnum_is_const(src_reg.var_off);
- dst_known = tnum_is_const(dst_reg->var_off);
-
-+ if (!src_known &&
-+ opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
-+ __mark_reg_unknown(dst_reg);
-+ return 0;
-+ }
-+
- switch (opcode) {
- case BPF_ADD:
- if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
diff --git a/debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch b/debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
deleted file mode 100644
index e80bde378..000000000
--- a/debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Jann Horn
-Date: Mon, 18 Dec 2017 20:11:57 -0800
-Subject: [5/9] bpf: fix missing error return in check_stack_boundary()
-Origin: https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469
-
-Prevent indirect stack accesses at non-constant addresses, which would
-permit reading and corrupting spilled pointers.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1320,6 +1320,7 @@ static int check_stack_boundary(struct b
- tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
- verbose(env, "invalid variable stack read R%d var_off=%s\n",
- regno, tn_buf);
-+ return -EACCES;
- }
- off = regs[regno].off + regs[regno].var_off.value;
- if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
diff --git a/debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch b/debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch
deleted file mode 100644
index db7e55799..000000000
--- a/debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Jann Horn
-Date: Mon, 18 Dec 2017 20:11:58 -0800
-Subject: [6/9] bpf: force strict alignment checks for stack pointers
-Origin: https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f
-
-Force strict alignment checks for stack pointers because the tracking of
-stack spills relies on it; unaligned stack accesses can lead to corruption
-of spilled registers, which is exploitable.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1071,6 +1071,11 @@ static int check_ptr_alignment(struct bp
- break;
- case PTR_TO_STACK:
- pointer_desc = "stack ";
-+ /* The stack spill tracking logic in check_stack_write()
-+ * and check_stack_read() relies on stack accesses being
-+ * aligned.
-+ */
-+ strict = true;
- break;
- default:
- break;
diff --git a/debian/patches/bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch b/debian/patches/bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
deleted file mode 100644
index a64445733..000000000
--- a/debian/patches/bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
+++ /dev/null
@@ -1,1665 +0,0 @@
-From: Jakub Kicinski
-Date: Mon, 9 Oct 2017 10:30:11 -0700
-Subject: bpf: move global verifier log into verifier environment
-Origin: https://git.kernel.org/linus/61bd5218eef349fcacc4976a251bc83a4748b4af
-
-The biggest piece of global state protected by the verifier lock
-is the verifier_log. Move that log to struct bpf_verifier_env.
-struct bpf_verifier_env has to be passed now to all invocations
-of verbose().
-
-Signed-off-by: Jakub Kicinski
-Reviewed-by: Simon Horman
-Acked-by: Alexei Starovoitov
-Acked-by: Daniel Borkmann
-Signed-off-by: David S. Miller
-[bwh: Backported to 4.14]
----
- include/linux/bpf_verifier.h | 2 +
- kernel/bpf/verifier.c | 491 +++++++++++++++++++++++--------------------
- 2 files changed, 261 insertions(+), 232 deletions(-)
-
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -152,6 +152,8 @@ struct bpf_verifier_env {
- bool allow_ptr_leaks;
- bool seen_direct_write;
- struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
-+
-+ struct bpf_verifer_log log;
- };
-
- int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -153,20 +153,16 @@ struct bpf_call_arg_meta {
- int access_size;
- };
-
--/* verbose verifier prints what it's seeing
-- * bpf_check() is called under lock, so no race to access these global vars
-- */
--static struct bpf_verifer_log verifier_log;
--
- static DEFINE_MUTEX(bpf_verifier_lock);
-
- /* log_level controls verbosity level of eBPF verifier.
- * verbose() is used to dump the verification trace to the log, so the user
- * can figure out what's wrong with the program
- */
--static __printf(1, 2) void verbose(const char *fmt, ...)
-+static __printf(2, 3) void verbose(struct bpf_verifier_env *env,
-+ const char *fmt, ...)
- { -- struct bpf_verifer_log *log = &verifier_log; -+ struct bpf_verifer_log *log = &env->log; - va_list args; - - if (!log->level || bpf_verifier_log_full(log)) -@@ -207,7 +203,8 @@ static const char *func_id_name(int id) - return "unknown"; - } - --static void print_verifier_state(struct bpf_verifier_state *state) -+static void print_verifier_state(struct bpf_verifier_env *env, -+ struct bpf_verifier_state *state) - { - struct bpf_reg_state *reg; - enum bpf_reg_type t; -@@ -218,21 +215,21 @@ static void print_verifier_state(struct - t = reg->type; - if (t == NOT_INIT) - continue; -- verbose(" R%d=%s", i, reg_type_str[t]); -+ verbose(env, " R%d=%s", i, reg_type_str[t]); - if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && - tnum_is_const(reg->var_off)) { - /* reg->off should be 0 for SCALAR_VALUE */ -- verbose("%lld", reg->var_off.value + reg->off); -+ verbose(env, "%lld", reg->var_off.value + reg->off); - } else { -- verbose("(id=%d", reg->id); -+ verbose(env, "(id=%d", reg->id); - if (t != SCALAR_VALUE) -- verbose(",off=%d", reg->off); -+ verbose(env, ",off=%d", reg->off); - if (t == PTR_TO_PACKET) -- verbose(",r=%d", reg->range); -+ verbose(env, ",r=%d", reg->range); - else if (t == CONST_PTR_TO_MAP || - t == PTR_TO_MAP_VALUE || - t == PTR_TO_MAP_VALUE_OR_NULL) -- verbose(",ks=%d,vs=%d", -+ verbose(env, ",ks=%d,vs=%d", - reg->map_ptr->key_size, - reg->map_ptr->value_size); - if (tnum_is_const(reg->var_off)) { -@@ -240,38 +237,38 @@ static void print_verifier_state(struct - * could be a pointer whose offset is too big - * for reg->off - */ -- verbose(",imm=%llx", reg->var_off.value); -+ verbose(env, ",imm=%llx", reg->var_off.value); - } else { - if (reg->smin_value != reg->umin_value && - reg->smin_value != S64_MIN) -- verbose(",smin_value=%lld", -+ verbose(env, ",smin_value=%lld", - (long long)reg->smin_value); - if (reg->smax_value != reg->umax_value && - reg->smax_value != S64_MAX) -- verbose(",smax_value=%lld", -+ verbose(env, ",smax_value=%lld", - (long 
long)reg->smax_value); - if (reg->umin_value != 0) -- verbose(",umin_value=%llu", -+ verbose(env, ",umin_value=%llu", - (unsigned long long)reg->umin_value); - if (reg->umax_value != U64_MAX) -- verbose(",umax_value=%llu", -+ verbose(env, ",umax_value=%llu", - (unsigned long long)reg->umax_value); - if (!tnum_is_unknown(reg->var_off)) { - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); -- verbose(",var_off=%s", tn_buf); -+ verbose(env, ",var_off=%s", tn_buf); - } - } -- verbose(")"); -+ verbose(env, ")"); - } - } - for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { - if (state->stack_slot_type[i] == STACK_SPILL) -- verbose(" fp%d=%s", -MAX_BPF_STACK + i, -+ verbose(env, " fp%d=%s", -MAX_BPF_STACK + i, - reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]); - } -- verbose("\n"); -+ verbose(env, "\n"); - } - - static const char *const bpf_class_string[] = { -@@ -326,21 +323,21 @@ static const char *const bpf_jmp_string[ - [BPF_EXIT >> 4] = "exit", - }; - --static void print_bpf_insn(const struct bpf_verifier_env *env, -+static void print_bpf_insn(struct bpf_verifier_env *env, - const struct bpf_insn *insn) - { - u8 class = BPF_CLASS(insn->code); - - if (class == BPF_ALU || class == BPF_ALU64) { - if (BPF_SRC(insn->code) == BPF_X) -- verbose("(%02x) %sr%d %s %sr%d\n", -+ verbose(env, "(%02x) %sr%d %s %sr%d\n", - insn->code, class == BPF_ALU ? "(u32) " : "", - insn->dst_reg, - bpf_alu_string[BPF_OP(insn->code) >> 4], - class == BPF_ALU ? "(u32) " : "", - insn->src_reg); - else -- verbose("(%02x) %sr%d %s %s%d\n", -+ verbose(env, "(%02x) %sr%d %s %s%d\n", - insn->code, class == BPF_ALU ? 
"(u32) " : "", - insn->dst_reg, - bpf_alu_string[BPF_OP(insn->code) >> 4], -@@ -348,46 +345,46 @@ static void print_bpf_insn(const struct - insn->imm); - } else if (class == BPF_STX) { - if (BPF_MODE(insn->code) == BPF_MEM) -- verbose("(%02x) *(%s *)(r%d %+d) = r%d\n", -+ verbose(env, "(%02x) *(%s *)(r%d %+d) = r%d\n", - insn->code, - bpf_ldst_string[BPF_SIZE(insn->code) >> 3], - insn->dst_reg, - insn->off, insn->src_reg); - else if (BPF_MODE(insn->code) == BPF_XADD) -- verbose("(%02x) lock *(%s *)(r%d %+d) += r%d\n", -+ verbose(env, "(%02x) lock *(%s *)(r%d %+d) += r%d\n", - insn->code, - bpf_ldst_string[BPF_SIZE(insn->code) >> 3], - insn->dst_reg, insn->off, - insn->src_reg); - else -- verbose("BUG_%02x\n", insn->code); -+ verbose(env, "BUG_%02x\n", insn->code); - } else if (class == BPF_ST) { - if (BPF_MODE(insn->code) != BPF_MEM) { -- verbose("BUG_st_%02x\n", insn->code); -+ verbose(env, "BUG_st_%02x\n", insn->code); - return; - } -- verbose("(%02x) *(%s *)(r%d %+d) = %d\n", -+ verbose(env, "(%02x) *(%s *)(r%d %+d) = %d\n", - insn->code, - bpf_ldst_string[BPF_SIZE(insn->code) >> 3], - insn->dst_reg, - insn->off, insn->imm); - } else if (class == BPF_LDX) { - if (BPF_MODE(insn->code) != BPF_MEM) { -- verbose("BUG_ldx_%02x\n", insn->code); -+ verbose(env, "BUG_ldx_%02x\n", insn->code); - return; - } -- verbose("(%02x) r%d = *(%s *)(r%d %+d)\n", -+ verbose(env, "(%02x) r%d = *(%s *)(r%d %+d)\n", - insn->code, insn->dst_reg, - bpf_ldst_string[BPF_SIZE(insn->code) >> 3], - insn->src_reg, insn->off); - } else if (class == BPF_LD) { - if (BPF_MODE(insn->code) == BPF_ABS) { -- verbose("(%02x) r0 = *(%s *)skb[%d]\n", -+ verbose(env, "(%02x) r0 = *(%s *)skb[%d]\n", - insn->code, - bpf_ldst_string[BPF_SIZE(insn->code) >> 3], - insn->imm); - } else if (BPF_MODE(insn->code) == BPF_IND) { -- verbose("(%02x) r0 = *(%s *)skb[r%d + %d]\n", -+ verbose(env, "(%02x) r0 = *(%s *)skb[r%d + %d]\n", - insn->code, - bpf_ldst_string[BPF_SIZE(insn->code) >> 3], - insn->src_reg, 
insn->imm); -@@ -402,36 +399,37 @@ static void print_bpf_insn(const struct - if (map_ptr && !env->allow_ptr_leaks) - imm = 0; - -- verbose("(%02x) r%d = 0x%llx\n", insn->code, -+ verbose(env, "(%02x) r%d = 0x%llx\n", insn->code, - insn->dst_reg, (unsigned long long)imm); - } else { -- verbose("BUG_ld_%02x\n", insn->code); -+ verbose(env, "BUG_ld_%02x\n", insn->code); - return; - } - } else if (class == BPF_JMP) { - u8 opcode = BPF_OP(insn->code); - - if (opcode == BPF_CALL) { -- verbose("(%02x) call %s#%d\n", insn->code, -+ verbose(env, "(%02x) call %s#%d\n", insn->code, - func_id_name(insn->imm), insn->imm); - } else if (insn->code == (BPF_JMP | BPF_JA)) { -- verbose("(%02x) goto pc%+d\n", -+ verbose(env, "(%02x) goto pc%+d\n", - insn->code, insn->off); - } else if (insn->code == (BPF_JMP | BPF_EXIT)) { -- verbose("(%02x) exit\n", insn->code); -+ verbose(env, "(%02x) exit\n", insn->code); - } else if (BPF_SRC(insn->code) == BPF_X) { -- verbose("(%02x) if r%d %s r%d goto pc%+d\n", -+ verbose(env, "(%02x) if r%d %s r%d goto pc%+d\n", - insn->code, insn->dst_reg, - bpf_jmp_string[BPF_OP(insn->code) >> 4], - insn->src_reg, insn->off); - } else { -- verbose("(%02x) if r%d %s 0x%x goto pc%+d\n", -+ verbose(env, "(%02x) if r%d %s 0x%x goto pc%+d\n", - insn->code, insn->dst_reg, - bpf_jmp_string[BPF_OP(insn->code) >> 4], - insn->imm, insn->off); - } - } else { -- verbose("(%02x) %s\n", insn->code, bpf_class_string[class]); -+ verbose(env, "(%02x) %s\n", -+ insn->code, bpf_class_string[class]); - } - } - -@@ -470,7 +468,7 @@ static struct bpf_verifier_state *push_s - env->head = elem; - env->stack_size++; - if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { -- verbose("BPF program is too complex\n"); -+ verbose(env, "BPF program is too complex\n"); - goto err; - } - return &elem->st; -@@ -508,10 +506,11 @@ static void __mark_reg_known_zero(struct - __mark_reg_known(reg, 0); - } - --static void mark_reg_known_zero(struct bpf_reg_state *regs, u32 regno) -+static void 
mark_reg_known_zero(struct bpf_verifier_env *env, -+ struct bpf_reg_state *regs, u32 regno) - { - if (WARN_ON(regno >= MAX_BPF_REG)) { -- verbose("mark_reg_known_zero(regs, %u)\n", regno); -+ verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); - /* Something bad happened, let's kill all regs */ - for (regno = 0; regno < MAX_BPF_REG; regno++) - __mark_reg_not_init(regs + regno); -@@ -596,10 +595,11 @@ static void __mark_reg_unknown(struct bp - __mark_reg_unbounded(reg); - } - --static void mark_reg_unknown(struct bpf_reg_state *regs, u32 regno) -+static void mark_reg_unknown(struct bpf_verifier_env *env, -+ struct bpf_reg_state *regs, u32 regno) - { - if (WARN_ON(regno >= MAX_BPF_REG)) { -- verbose("mark_reg_unknown(regs, %u)\n", regno); -+ verbose(env, "mark_reg_unknown(regs, %u)\n", regno); - /* Something bad happened, let's kill all regs */ - for (regno = 0; regno < MAX_BPF_REG; regno++) - __mark_reg_not_init(regs + regno); -@@ -614,10 +614,11 @@ static void __mark_reg_not_init(struct b - reg->type = NOT_INIT; - } - --static void mark_reg_not_init(struct bpf_reg_state *regs, u32 regno) -+static void mark_reg_not_init(struct bpf_verifier_env *env, -+ struct bpf_reg_state *regs, u32 regno) - { - if (WARN_ON(regno >= MAX_BPF_REG)) { -- verbose("mark_reg_not_init(regs, %u)\n", regno); -+ verbose(env, "mark_reg_not_init(regs, %u)\n", regno); - /* Something bad happened, let's kill all regs */ - for (regno = 0; regno < MAX_BPF_REG; regno++) - __mark_reg_not_init(regs + regno); -@@ -626,22 +627,23 @@ static void mark_reg_not_init(struct bpf - __mark_reg_not_init(regs + regno); - } - --static void init_reg_state(struct bpf_reg_state *regs) -+static void init_reg_state(struct bpf_verifier_env *env, -+ struct bpf_reg_state *regs) - { - int i; - - for (i = 0; i < MAX_BPF_REG; i++) { -- mark_reg_not_init(regs, i); -+ mark_reg_not_init(env, regs, i); - regs[i].live = REG_LIVE_NONE; - } - - /* frame pointer */ - regs[BPF_REG_FP].type = PTR_TO_STACK; -- 
mark_reg_known_zero(regs, BPF_REG_FP); -+ mark_reg_known_zero(env, regs, BPF_REG_FP); - - /* 1st arg to a function */ - regs[BPF_REG_1].type = PTR_TO_CTX; -- mark_reg_known_zero(regs, BPF_REG_1); -+ mark_reg_known_zero(env, regs, BPF_REG_1); - } - - enum reg_arg_type { -@@ -675,26 +677,26 @@ static int check_reg_arg(struct bpf_veri - struct bpf_reg_state *regs = env->cur_state.regs; - - if (regno >= MAX_BPF_REG) { -- verbose("R%d is invalid\n", regno); -+ verbose(env, "R%d is invalid\n", regno); - return -EINVAL; - } - - if (t == SRC_OP) { - /* check whether register used as source operand can be read */ - if (regs[regno].type == NOT_INIT) { -- verbose("R%d !read_ok\n", regno); -+ verbose(env, "R%d !read_ok\n", regno); - return -EACCES; - } - mark_reg_read(&env->cur_state, regno); - } else { - /* check whether register used as dest operand can be written to */ - if (regno == BPF_REG_FP) { -- verbose("frame pointer is read only\n"); -+ verbose(env, "frame pointer is read only\n"); - return -EACCES; - } - regs[regno].live |= REG_LIVE_WRITTEN; - if (t == DST_OP) -- mark_reg_unknown(regs, regno); -+ mark_reg_unknown(env, regs, regno); - } - return 0; - } -@@ -718,7 +720,8 @@ static bool is_spillable_regtype(enum bp - /* check_stack_read/write functions track spill/fill of registers, - * stack boundary and alignment are checked in check_mem_access() - */ --static int check_stack_write(struct bpf_verifier_state *state, int off, -+static int check_stack_write(struct bpf_verifier_env *env, -+ struct bpf_verifier_state *state, int off, - int size, int value_regno) - { - int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; -@@ -731,7 +734,7 @@ static int check_stack_write(struct bpf_ - - /* register containing pointer is being spilled into stack */ - if (size != BPF_REG_SIZE) { -- verbose("invalid size of register spill\n"); -+ verbose(env, "invalid size of register spill\n"); - return -EACCES; - } - -@@ -766,7 +769,8 @@ static void mark_stack_slot_read(const s - } - } - 
--static int check_stack_read(struct bpf_verifier_state *state, int off, int size, -+static int check_stack_read(struct bpf_verifier_env *env, -+ struct bpf_verifier_state *state, int off, int size, - int value_regno) - { - u8 *slot_type; -@@ -776,12 +780,12 @@ static int check_stack_read(struct bpf_v - - if (slot_type[0] == STACK_SPILL) { - if (size != BPF_REG_SIZE) { -- verbose("invalid size of register spill\n"); -+ verbose(env, "invalid size of register spill\n"); - return -EACCES; - } - for (i = 1; i < BPF_REG_SIZE; i++) { - if (slot_type[i] != STACK_SPILL) { -- verbose("corrupted spill memory\n"); -+ verbose(env, "corrupted spill memory\n"); - return -EACCES; - } - } -@@ -797,14 +801,14 @@ static int check_stack_read(struct bpf_v - } else { - for (i = 0; i < size; i++) { - if (slot_type[i] != STACK_MISC) { -- verbose("invalid read from stack off %d+%d size %d\n", -+ verbose(env, "invalid read from stack off %d+%d size %d\n", - off, i, size); - return -EACCES; - } - } - if (value_regno >= 0) - /* have read misc data from the stack */ -- mark_reg_unknown(state->regs, value_regno); -+ mark_reg_unknown(env, state->regs, value_regno); - return 0; - } - } -@@ -816,7 +820,7 @@ static int __check_map_access(struct bpf - struct bpf_map *map = env->cur_state.regs[regno].map_ptr; - - if (off < 0 || size <= 0 || off + size > map->value_size) { -- verbose("invalid access to map value, value_size=%d off=%d size=%d\n", -+ verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n", - map->value_size, off, size); - return -EACCES; - } -@@ -835,8 +839,8 @@ static int check_map_access(struct bpf_v - * need to try adding each of min_value and max_value to off - * to make sure our theoretical access will be safe. - */ -- if (verifier_log.level) -- print_verifier_state(state); -+ if (env->log.level) -+ print_verifier_state(env, state); - /* The minimum value is only important with signed - * comparisons where we can't assume the floor of a - * value is 0. 
If we are using signed variables for our -@@ -844,13 +848,14 @@ static int check_map_access(struct bpf_v - * will have a set floor within our range. - */ - if (reg->smin_value < 0) { -- verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", -+ verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", - regno); - return -EACCES; - } - err = __check_map_access(env, regno, reg->smin_value + off, size); - if (err) { -- verbose("R%d min value is outside of the array range\n", regno); -+ verbose(env, "R%d min value is outside of the array range\n", -+ regno); - return err; - } - -@@ -859,13 +864,14 @@ static int check_map_access(struct bpf_v - * If reg->umax_value + off could overflow, treat that as unbounded too. - */ - if (reg->umax_value >= BPF_MAX_VAR_OFF) { -- verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n", -+ verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n", - regno); - return -EACCES; - } - err = __check_map_access(env, regno, reg->umax_value + off, size); - if (err) -- verbose("R%d max value is outside of the array range\n", regno); -+ verbose(env, "R%d max value is outside of the array range\n", -+ regno); - return err; - } - -@@ -904,7 +910,7 @@ static int __check_packet_access(struct - struct bpf_reg_state *reg = ®s[regno]; - - if (off < 0 || size <= 0 || (u64)off + size > reg->range) { -- verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", -+ verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", - off, size, regno, reg->id, reg->off, reg->range); - return -EACCES; - } -@@ -927,13 +933,13 @@ static int check_packet_access(struct bp - * detail to prove they're safe. 
- */ - if (reg->smin_value < 0) { -- verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", -+ verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", - regno); - return -EACCES; - } - err = __check_packet_access(env, regno, off, size); - if (err) { -- verbose("R%d offset is outside of the packet\n", regno); -+ verbose(env, "R%d offset is outside of the packet\n", regno); - return err; - } - return err; -@@ -969,7 +975,7 @@ static int check_ctx_access(struct bpf_v - return 0; - } - -- verbose("invalid bpf_context access off=%d size=%d\n", off, size); -+ verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size); - return -EACCES; - } - -@@ -987,7 +993,8 @@ static bool is_pointer_value(struct bpf_ - return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]); - } - --static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg, -+static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, -+ const struct bpf_reg_state *reg, - int off, int size, bool strict) - { - struct tnum reg_off; -@@ -1012,7 +1019,8 @@ static int check_pkt_ptr_alignment(const - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); -- verbose("misaligned packet access off %d+%s+%d+%d size %d\n", -+ verbose(env, -+ "misaligned packet access off %d+%s+%d+%d size %d\n", - ip_align, tn_buf, reg->off, off, size); - return -EACCES; - } -@@ -1020,7 +1028,8 @@ static int check_pkt_ptr_alignment(const - return 0; - } - --static int check_generic_ptr_alignment(const struct bpf_reg_state *reg, -+static int check_generic_ptr_alignment(struct bpf_verifier_env *env, -+ const struct bpf_reg_state *reg, - const char *pointer_desc, - int off, int size, bool strict) - { -@@ -1035,7 +1044,7 @@ static int check_generic_ptr_alignment(c - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); -- verbose("misaligned %saccess off %s+%d+%d size %d\n", -+ verbose(env, 
"misaligned %saccess off %s+%d+%d size %d\n", - pointer_desc, tn_buf, reg->off, off, size); - return -EACCES; - } -@@ -1053,7 +1062,7 @@ static int check_ptr_alignment(struct bp - switch (reg->type) { - case PTR_TO_PACKET: - /* special case, because of NET_IP_ALIGN */ -- return check_pkt_ptr_alignment(reg, off, size, strict); -+ return check_pkt_ptr_alignment(env, reg, off, size, strict); - case PTR_TO_MAP_VALUE: - pointer_desc = "value "; - break; -@@ -1066,7 +1075,8 @@ static int check_ptr_alignment(struct bp - default: - break; - } -- return check_generic_ptr_alignment(reg, pointer_desc, off, size, strict); -+ return check_generic_ptr_alignment(env, reg, pointer_desc, off, size, -+ strict); - } - - /* check whether memory at (regno + off) is accessible for t = (read | write) -@@ -1098,27 +1108,27 @@ static int check_mem_access(struct bpf_v - if (reg->type == PTR_TO_MAP_VALUE) { - if (t == BPF_WRITE && value_regno >= 0 && - is_pointer_value(env, value_regno)) { -- verbose("R%d leaks addr into map\n", value_regno); -+ verbose(env, "R%d leaks addr into map\n", value_regno); - return -EACCES; - } - - err = check_map_access(env, regno, off, size); - if (!err && t == BPF_READ && value_regno >= 0) -- mark_reg_unknown(state->regs, value_regno); -+ mark_reg_unknown(env, state->regs, value_regno); - - } else if (reg->type == PTR_TO_CTX) { - enum bpf_reg_type reg_type = SCALAR_VALUE; - - if (t == BPF_WRITE && value_regno >= 0 && - is_pointer_value(env, value_regno)) { -- verbose("R%d leaks addr into ctx\n", value_regno); -+ verbose(env, "R%d leaks addr into ctx\n", value_regno); - return -EACCES; - } - /* ctx accesses must be at a fixed offset, so that we can - * determine what type of data were returned. 
- */ - if (reg->off) { -- verbose("dereference of modified ctx ptr R%d off=%d+%d, ctx+const is allowed, ctx+const+const is not\n", -+ verbose(env, "dereference of modified ctx ptr R%d off=%d+%d, ctx+const is allowed, ctx+const+const is not\n", - regno, reg->off, off - reg->off); - return -EACCES; - } -@@ -1126,7 +1136,8 @@ static int check_mem_access(struct bpf_v - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); -- verbose("variable ctx access var_off=%s off=%d size=%d", -+ verbose(env, -+ "variable ctx access var_off=%s off=%d size=%d", - tn_buf, off, size); - return -EACCES; - } -@@ -1137,9 +1148,10 @@ static int check_mem_access(struct bpf_v - * the offset is zero. - */ - if (reg_type == SCALAR_VALUE) -- mark_reg_unknown(state->regs, value_regno); -+ mark_reg_unknown(env, state->regs, value_regno); - else -- mark_reg_known_zero(state->regs, value_regno); -+ mark_reg_known_zero(env, state->regs, -+ value_regno); - state->regs[value_regno].id = 0; - state->regs[value_regno].off = 0; - state->regs[value_regno].range = 0; -@@ -1155,13 +1167,14 @@ static int check_mem_access(struct bpf_v - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); -- verbose("variable stack access var_off=%s off=%d size=%d", -+ verbose(env, "variable stack access var_off=%s off=%d size=%d", - tn_buf, off, size); - return -EACCES; - } - off += reg->var_off.value; - if (off >= 0 || off < -MAX_BPF_STACK) { -- verbose("invalid stack off=%d size=%d\n", off, size); -+ verbose(env, "invalid stack off=%d size=%d\n", off, -+ size); - return -EACCES; - } - -@@ -1172,28 +1185,31 @@ static int check_mem_access(struct bpf_v - if (!env->allow_ptr_leaks && - state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL && - size != BPF_REG_SIZE) { -- verbose("attempt to corrupt spilled pointer on stack\n"); -+ verbose(env, "attempt to corrupt spilled pointer on stack\n"); - return -EACCES; - } -- err = check_stack_write(state, off, size, value_regno); -+ err = 
check_stack_write(env, state, off, size, -+ value_regno); - } else { -- err = check_stack_read(state, off, size, value_regno); -+ err = check_stack_read(env, state, off, size, -+ value_regno); - } - } else if (reg->type == PTR_TO_PACKET) { - if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { -- verbose("cannot write into packet\n"); -+ verbose(env, "cannot write into packet\n"); - return -EACCES; - } - if (t == BPF_WRITE && value_regno >= 0 && - is_pointer_value(env, value_regno)) { -- verbose("R%d leaks addr into packet\n", value_regno); -+ verbose(env, "R%d leaks addr into packet\n", -+ value_regno); - return -EACCES; - } - err = check_packet_access(env, regno, off, size); - if (!err && t == BPF_READ && value_regno >= 0) -- mark_reg_unknown(state->regs, value_regno); -+ mark_reg_unknown(env, state->regs, value_regno); - } else { -- verbose("R%d invalid mem access '%s'\n", -+ verbose(env, "R%d invalid mem access '%s'\n", - regno, reg_type_str[reg->type]); - return -EACCES; - } -@@ -1214,7 +1230,7 @@ static int check_xadd(struct bpf_verifie - - if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || - insn->imm != 0) { -- verbose("BPF_XADD uses reserved fields\n"); -+ verbose(env, "BPF_XADD uses reserved fields\n"); - return -EINVAL; - } - -@@ -1229,7 +1245,7 @@ static int check_xadd(struct bpf_verifie - return err; - - if (is_pointer_value(env, insn->src_reg)) { -- verbose("R%d leaks addr into mem\n", insn->src_reg); -+ verbose(env, "R%d leaks addr into mem\n", insn->src_reg); - return -EACCES; - } - -@@ -1270,7 +1286,7 @@ static int check_stack_boundary(struct b - register_is_null(regs[regno])) - return 0; - -- verbose("R%d type=%s expected=%s\n", regno, -+ verbose(env, "R%d type=%s expected=%s\n", regno, - reg_type_str[regs[regno].type], - reg_type_str[PTR_TO_STACK]); - return -EACCES; -@@ -1281,13 +1297,13 @@ static int check_stack_boundary(struct b - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off); 
-- verbose("invalid variable stack read R%d var_off=%s\n", -+ verbose(env, "invalid variable stack read R%d var_off=%s\n", - regno, tn_buf); - } - off = regs[regno].off + regs[regno].var_off.value; - if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || - access_size <= 0) { -- verbose("invalid stack type R%d off=%d access_size=%d\n", -+ verbose(env, "invalid stack type R%d off=%d access_size=%d\n", - regno, off, access_size); - return -EACCES; - } -@@ -1303,7 +1319,7 @@ static int check_stack_boundary(struct b - - for (i = 0; i < access_size; i++) { - if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) { -- verbose("invalid indirect read from stack off %d+%d size %d\n", -+ verbose(env, "invalid indirect read from stack off %d+%d size %d\n", - off, i, access_size); - return -EACCES; - } -@@ -1345,7 +1361,8 @@ static int check_func_arg(struct bpf_ver - - if (arg_type == ARG_ANYTHING) { - if (is_pointer_value(env, regno)) { -- verbose("R%d leaks addr into helper function\n", regno); -+ verbose(env, "R%d leaks addr into helper function\n", -+ regno); - return -EACCES; - } - return 0; -@@ -1353,7 +1370,7 @@ static int check_func_arg(struct bpf_ver - - if (type == PTR_TO_PACKET && - !may_access_direct_pkt_data(env, meta, BPF_READ)) { -- verbose("helper access to the packet is not allowed\n"); -+ verbose(env, "helper access to the packet is not allowed\n"); - return -EACCES; - } - -@@ -1389,7 +1406,7 @@ static int check_func_arg(struct bpf_ver - goto err_type; - meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; - } else { -- verbose("unsupported arg_type %d\n", arg_type); -+ verbose(env, "unsupported arg_type %d\n", arg_type); - return -EFAULT; - } - -@@ -1407,7 +1424,7 @@ static int check_func_arg(struct bpf_ver - * we have to check map_key here. 
Otherwise it means - * that kernel subsystem misconfigured verifier - */ -- verbose("invalid map_ptr to access map->key\n"); -+ verbose(env, "invalid map_ptr to access map->key\n"); - return -EACCES; - } - if (type == PTR_TO_PACKET) -@@ -1423,7 +1440,7 @@ static int check_func_arg(struct bpf_ver - */ - if (!meta->map_ptr) { - /* kernel subsystem misconfigured verifier */ -- verbose("invalid map_ptr to access map->value\n"); -+ verbose(env, "invalid map_ptr to access map->value\n"); - return -EACCES; - } - if (type == PTR_TO_PACKET) -@@ -1443,7 +1460,8 @@ static int check_func_arg(struct bpf_ver - */ - if (regno == 0) { - /* kernel subsystem misconfigured verifier */ -- verbose("ARG_CONST_SIZE cannot be first argument\n"); -+ verbose(env, -+ "ARG_CONST_SIZE cannot be first argument\n"); - return -EACCES; - } - -@@ -1460,7 +1478,7 @@ static int check_func_arg(struct bpf_ver - meta = NULL; - - if (reg->smin_value < 0) { -- verbose("R%d min value is negative, either use unsigned or 'var &= const'\n", -+ verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", - regno); - return -EACCES; - } -@@ -1474,7 +1492,7 @@ static int check_func_arg(struct bpf_ver - } - - if (reg->umax_value >= BPF_MAX_VAR_SIZ) { -- verbose("R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", -+ verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", - regno); - return -EACCES; - } -@@ -1485,12 +1503,13 @@ static int check_func_arg(struct bpf_ver - - return err; - err_type: -- verbose("R%d type=%s expected=%s\n", regno, -+ verbose(env, "R%d type=%s expected=%s\n", regno, - reg_type_str[type], reg_type_str[expected_type]); - return -EACCES; - } - --static int check_map_func_compatibility(struct bpf_map *map, int func_id) -+static int check_map_func_compatibility(struct bpf_verifier_env *env, -+ struct bpf_map *map, int func_id) - { - if (!map) - return 0; -@@ -1576,7 +1595,7 @@ static int check_map_func_compatibility( 
-
- return 0;
- error:
-- verbose("cannot pass map_type %d into func %s#%d\n",
-+ verbose(env, "cannot pass map_type %d into func %s#%d\n",
- map->map_type, func_id_name(func_id), func_id);
- return -EINVAL;
- }
-@@ -1611,7 +1630,7 @@ static void clear_all_pkt_pointers(struc
- for (i = 0; i < MAX_BPF_REG; i++)
- if (regs[i].type == PTR_TO_PACKET ||
- regs[i].type == PTR_TO_PACKET_END)
-- mark_reg_unknown(regs, i);
-+ mark_reg_unknown(env, regs, i);
-
- for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
- if (state->stack_slot_type[i] != STACK_SPILL)
-@@ -1635,7 +1654,8 @@ static int check_call(struct bpf_verifie
-
- /* find function prototype */
- if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {
-- verbose("invalid func %s#%d\n", func_id_name(func_id), func_id);
-+ verbose(env, "invalid func %s#%d\n", func_id_name(func_id),
-+ func_id);
- return -EINVAL;
- }
-
-@@ -1643,13 +1663,14 @@ static int check_call(struct bpf_verifie
- fn = env->prog->aux->ops->get_func_proto(func_id);
-
- if (!fn) {
-- verbose("unknown func %s#%d\n", func_id_name(func_id), func_id);
-+ verbose(env, "unknown func %s#%d\n", func_id_name(func_id),
-+ func_id);
- return -EINVAL;
- }
-
- /* eBPF programs must be GPL compatible to use GPL-ed functions */
- if (!env->prog->gpl_compatible && fn->gpl_only) {
-- verbose("cannot call GPL only function from proprietary program\n");
-+ verbose(env, "cannot call GPL only function from proprietary program\n");
- return -EINVAL;
- }
-
-@@ -1663,7 +1684,7 @@ static int check_call(struct bpf_verifie
- */
- err = check_raw_mode(fn);
- if (err) {
-- verbose("kernel subsystem misconfigured func %s#%d\n",
-+ verbose(env, "kernel subsystem misconfigured func %s#%d\n",
- func_id_name(func_id), func_id);
- return err;
- }
-@@ -1696,14 +1717,14 @@ static int check_call(struct bpf_verifie
-
- /* reset caller saved regs */
- for (i = 0; i < CALLER_SAVED_REGS; i++) {
-- mark_reg_not_init(regs, caller_saved[i]);
-+ mark_reg_not_init(env, regs, caller_saved[i]);
- check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
- }
-
- /* update return register (already marked as written above) */
- if (fn->ret_type == RET_INTEGER) {
- /* sets type to SCALAR_VALUE */
-- mark_reg_unknown(regs, BPF_REG_0);
-+ mark_reg_unknown(env, regs, BPF_REG_0);
- } else if (fn->ret_type == RET_VOID) {
- regs[BPF_REG_0].type = NOT_INIT;
- } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) {
-@@ -1711,14 +1732,15 @@ static int check_call(struct bpf_verifie
-
- regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
- /* There is no offset yet applied, variable or fixed */
-- mark_reg_known_zero(regs, BPF_REG_0);
-+ mark_reg_known_zero(env, regs, BPF_REG_0);
- regs[BPF_REG_0].off = 0;
- /* remember map_ptr, so that check_map_access()
- * can check 'value_size' boundary of memory access
- * to map element returned from bpf_map_lookup_elem()
- */
- if (meta.map_ptr == NULL) {
-- verbose("kernel subsystem misconfigured verifier\n");
-+ verbose(env,
-+ "kernel subsystem misconfigured verifier\n");
- return -EINVAL;
- }
- regs[BPF_REG_0].map_ptr = meta.map_ptr;
-@@ -1729,12 +1751,12 @@ static int check_call(struct bpf_verifie
- else if (insn_aux->map_ptr != meta.map_ptr)
- insn_aux->map_ptr = BPF_MAP_PTR_POISON;
- } else {
-- verbose("unknown return type %d of func %s#%d\n",
-+ verbose(env, "unknown return type %d of func %s#%d\n",
- fn->ret_type, func_id_name(func_id), func_id);
- return -EINVAL;
- }
-
-- err = check_map_func_compatibility(meta.map_ptr, func_id);
-+ err = check_map_func_compatibility(env, meta.map_ptr, func_id);
- if (err)
- return err;
-
-@@ -1793,39 +1815,42 @@ static int adjust_ptr_min_max_vals(struc
- dst_reg = ®s[dst];
-
- if (WARN_ON_ONCE(known && (smin_val != smax_val))) {
-- print_verifier_state(&env->cur_state);
-- verbose("verifier internal error: known but bad sbounds\n");
-+ print_verifier_state(env, &env->cur_state);
-+ verbose(env,
-+ "verifier internal error: known but bad sbounds\n");
- return -EINVAL;
- }
- if (WARN_ON_ONCE(known && (umin_val != umax_val))) {
-- print_verifier_state(&env->cur_state);
-- verbose("verifier internal error: known but bad ubounds\n");
-+ print_verifier_state(env, &env->cur_state);
-+ verbose(env,
-+ "verifier internal error: known but bad ubounds\n");
- return -EINVAL;
- }
-
- if (BPF_CLASS(insn->code) != BPF_ALU64) {
- /* 32-bit ALU ops on pointers produce (meaningless) scalars */
- if (!env->allow_ptr_leaks)
-- verbose("R%d 32-bit pointer arithmetic prohibited\n",
-+ verbose(env,
-+ "R%d 32-bit pointer arithmetic prohibited\n",
- dst);
- return -EACCES;
- }
-
- if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
- if (!env->allow_ptr_leaks)
-- verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n",
-+ verbose(env, "R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n",
- dst);
- return -EACCES;
- }
- if (ptr_reg->type == CONST_PTR_TO_MAP) {
- if (!env->allow_ptr_leaks)
-- verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n",
-+ verbose(env, "R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n",
- dst);
- return -EACCES;
- }
- if (ptr_reg->type == PTR_TO_PACKET_END) {
- if (!env->allow_ptr_leaks)
-- verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n",
-+ verbose(env, "R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n",
- dst);
- return -EACCES;
- }
-@@ -1890,7 +1915,7 @@ static int adjust_ptr_min_max_vals(struc
- if (dst_reg == off_reg) {
- /* scalar -= pointer. Creates an unknown scalar */
- if (!env->allow_ptr_leaks)
-- verbose("R%d tried to subtract pointer from scalar\n",
-+ verbose(env, "R%d tried to subtract pointer from scalar\n",
- dst);
- return -EACCES;
- }
-@@ -1900,7 +1925,7 @@ static int adjust_ptr_min_max_vals(struc
- */
- if (ptr_reg->type == PTR_TO_STACK) {
- if (!env->allow_ptr_leaks)
-- verbose("R%d subtraction from stack pointer prohibited\n",
-+ verbose(env, "R%d subtraction from stack pointer prohibited\n",
- dst);
- return -EACCES;
- }
-@@ -1955,13 +1980,13 @@ static int adjust_ptr_min_max_vals(struc
- * ptr &= ~3 which would reduce min_value by 3.)
- */
- if (!env->allow_ptr_leaks)
-- verbose("R%d bitwise operator %s on pointer prohibited\n",
-+ verbose(env, "R%d bitwise operator %s on pointer prohibited\n",
- dst, bpf_alu_string[opcode >> 4]);
- return -EACCES;
- default:
- /* other operators (e.g. MUL,LSH) produce non-pointer results */
- if (!env->allow_ptr_leaks)
-- verbose("R%d pointer arithmetic with %s operator prohibited\n",
-+ verbose(env, "R%d pointer arithmetic with %s operator prohibited\n",
- dst, bpf_alu_string[opcode >> 4]);
- return -EACCES;
- }
-@@ -2127,7 +2152,7 @@ static int adjust_scalar_min_max_vals(st
- /* Shifts greater than 63 are undefined. This includes
- * shifts by a negative number.
- */
-- mark_reg_unknown(regs, insn->dst_reg);
-+ mark_reg_unknown(env, regs, insn->dst_reg);
- break;
- }
- /* We lose all sign bit information (except what we can pick
-@@ -2155,7 +2180,7 @@ static int adjust_scalar_min_max_vals(st
- /* Shifts greater than 63 are undefined. This includes
- * shifts by a negative number.
- */
-- mark_reg_unknown(regs, insn->dst_reg);
-+ mark_reg_unknown(env, regs, insn->dst_reg);
- break;
- }
- /* BPF_RSH is an unsigned shift, so make the appropriate casts */
-@@ -2183,7 +2208,7 @@ static int adjust_scalar_min_max_vals(st
- __update_reg_bounds(dst_reg);
- break;
- default:
-- mark_reg_unknown(regs, insn->dst_reg);
-+ mark_reg_unknown(env, regs, insn->dst_reg);
- break;
- }
-
-@@ -2215,12 +2240,12 @@ static int adjust_reg_min_max_vals(struc
- * an arbitrary scalar.
- */
- if (!env->allow_ptr_leaks) {
-- verbose("R%d pointer %s pointer prohibited\n",
-+ verbose(env, "R%d pointer %s pointer prohibited\n",
- insn->dst_reg,
- bpf_alu_string[opcode >> 4]);
- return -EACCES;
- }
-- mark_reg_unknown(regs, insn->dst_reg);
-+ mark_reg_unknown(env, regs, insn->dst_reg);
- return 0;
- } else {
- /* scalar += pointer
-@@ -2272,13 +2297,13 @@ static int adjust_reg_min_max_vals(struc
-
- /* Got here implies adding two SCALAR_VALUEs */
- if (WARN_ON_ONCE(ptr_reg)) {
-- print_verifier_state(&env->cur_state);
-- verbose("verifier internal error: unexpected ptr_reg\n");
-+ print_verifier_state(env, &env->cur_state);
-+ verbose(env, "verifier internal error: unexpected ptr_reg\n");
- return -EINVAL;
- }
- if (WARN_ON(!src_reg)) {
-- print_verifier_state(&env->cur_state);
-- verbose("verifier internal error: no src_reg\n");
-+ print_verifier_state(env, &env->cur_state);
-+ verbose(env, "verifier internal error: no src_reg\n");
- return -EINVAL;
- }
- return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg);
-@@ -2296,14 +2321,14 @@ static int check_alu_op(struct bpf_verif
- if (BPF_SRC(insn->code) != 0 ||
- insn->src_reg != BPF_REG_0 ||
- insn->off != 0 || insn->imm != 0) {
-- verbose("BPF_NEG uses reserved fields\n");
-+ verbose(env, "BPF_NEG uses reserved fields\n");
- return -EINVAL;
- }
- } else {
- if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
- (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||
- BPF_CLASS(insn->code) == BPF_ALU64) {
-- verbose("BPF_END uses reserved fields\n");
-+ verbose(env, "BPF_END uses reserved fields\n");
- return -EINVAL;
- }
- }
-@@ -2314,7 +2339,7 @@ static int check_alu_op(struct bpf_verif
- return err;
-
- if (is_pointer_value(env, insn->dst_reg)) {
-- verbose("R%d pointer arithmetic prohibited\n",
-+ verbose(env, "R%d pointer arithmetic prohibited\n",
- insn->dst_reg);
- return -EACCES;
- }
-@@ -2328,7 +2353,7 @@ static int check_alu_op(struct bpf_verif
-
- if (BPF_SRC(insn->code) == BPF_X) {
- if (insn->imm != 0 || insn->off != 0) {
-- verbose("BPF_MOV uses reserved fields\n");
-+ verbose(env, "BPF_MOV uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -2338,7 +2363,7 @@ static int check_alu_op(struct bpf_verif
- return err;
- } else {
- if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
-- verbose("BPF_MOV uses reserved fields\n");
-+ verbose(env, "BPF_MOV uses reserved fields\n");
- return -EINVAL;
- }
- }
-@@ -2358,11 +2383,12 @@ static int check_alu_op(struct bpf_verif
- } else {
- /* R1 = (u32) R2 */
- if (is_pointer_value(env, insn->src_reg)) {
-- verbose("R%d partial copy of pointer\n",
-+ verbose(env,
-+ "R%d partial copy of pointer\n",
- insn->src_reg);
- return -EACCES;
- }
-- mark_reg_unknown(regs, insn->dst_reg);
-+ mark_reg_unknown(env, regs, insn->dst_reg);
- /* high 32 bits are known zero. */
- regs[insn->dst_reg].var_off = tnum_cast(
- regs[insn->dst_reg].var_off, 4);
-@@ -2377,14 +2403,14 @@ static int check_alu_op(struct bpf_verif
- }
-
- } else if (opcode > BPF_END) {
-- verbose("invalid BPF_ALU opcode %x\n", opcode);
-+ verbose(env, "invalid BPF_ALU opcode %x\n", opcode);
- return -EINVAL;
-
- } else { /* all other ALU ops: and, sub, xor, add, ... */
-
- if (BPF_SRC(insn->code) == BPF_X) {
- if (insn->imm != 0 || insn->off != 0) {
-- verbose("BPF_ALU uses reserved fields\n");
-+ verbose(env, "BPF_ALU uses reserved fields\n");
- return -EINVAL;
- }
- /* check src1 operand */
-@@ -2393,7 +2419,7 @@ static int check_alu_op(struct bpf_verif
- return err;
- } else {
- if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
-- verbose("BPF_ALU uses reserved fields\n");
-+ verbose(env, "BPF_ALU uses reserved fields\n");
- return -EINVAL;
- }
- }
-@@ -2405,7 +2431,7 @@ static int check_alu_op(struct bpf_verif
-
- if ((opcode == BPF_MOD || opcode == BPF_DIV) &&
- BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {
-- verbose("div by zero\n");
-+ verbose(env, "div by zero\n");
- return -EINVAL;
- }
-
-@@ -2414,7 +2440,7 @@ static int check_alu_op(struct bpf_verif
- int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
-
- if (insn->imm < 0 || insn->imm >= size) {
-- verbose("invalid shift %d\n", insn->imm);
-+ verbose(env, "invalid shift %d\n", insn->imm);
- return -EINVAL;
- }
- }
-@@ -2775,13 +2801,13 @@ static int check_cond_jmp_op(struct bpf_
- int err;
-
- if (opcode > BPF_JSLE) {
-- verbose("invalid BPF_JMP opcode %x\n", opcode);
-+ verbose(env, "invalid BPF_JMP opcode %x\n", opcode);
- return -EINVAL;
- }
-
- if (BPF_SRC(insn->code) == BPF_X) {
- if (insn->imm != 0) {
-- verbose("BPF_JMP uses reserved fields\n");
-+ verbose(env, "BPF_JMP uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -2791,13 +2817,13 @@ static int check_cond_jmp_op(struct bpf_
- return err;
-
- if (is_pointer_value(env, insn->src_reg)) {
-- verbose("R%d pointer comparison prohibited\n",
-+ verbose(env, "R%d pointer comparison prohibited\n",
- insn->src_reg);
- return -EACCES;
- }
- } else {
- if (insn->src_reg != BPF_REG_0) {
-- verbose("BPF_JMP uses reserved fields\n");
-+ verbose(env, "BPF_JMP uses reserved fields\n");
- return -EINVAL;
- }
- }
-@@ -2913,11 +2939,12 @@ static int check_cond_jmp_op(struct bpf_
- /* pkt_end <= pkt_data' */
- find_good_pkt_pointers(this_branch, ®s[insn->src_reg], true);
- } else if (is_pointer_value(env, insn->dst_reg)) {
-- verbose("R%d pointer comparison prohibited\n", insn->dst_reg);
-+ verbose(env, "R%d pointer comparison prohibited\n",
-+ insn->dst_reg);
- return -EACCES;
- }
-- if (verifier_log.level)
-- print_verifier_state(this_branch);
-+ if (env->log.level)
-+ print_verifier_state(env, this_branch);
- return 0;
- }
-
-@@ -2936,11 +2963,11 @@ static int check_ld_imm(struct bpf_verif
- int err;
-
- if (BPF_SIZE(insn->code) != BPF_DW) {
-- verbose("invalid BPF_LD_IMM insn\n");
-+ verbose(env, "invalid BPF_LD_IMM insn\n");
- return -EINVAL;
- }
- if (insn->off != 0) {
-- verbose("BPF_LD_IMM64 uses reserved fields\n");
-+ verbose(env, "BPF_LD_IMM64 uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -2998,14 +3025,14 @@ static int check_ld_abs(struct bpf_verif
- int i, err;
-
- if (!may_access_skb(env->prog->type)) {
-- verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
-+ verbose(env, "BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
- return -EINVAL;
- }
-
- if (insn->dst_reg != BPF_REG_0 || insn->off != 0 ||
- BPF_SIZE(insn->code) == BPF_DW ||
- (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) {
-- verbose("BPF_LD_[ABS|IND] uses reserved fields\n");
-+ verbose(env, "BPF_LD_[ABS|IND] uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -3015,7 +3042,8 @@ static int check_ld_abs(struct bpf_verif
- return err;
-
- if (regs[BPF_REG_6].type != PTR_TO_CTX) {
-- verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
-+ verbose(env,
-+ "at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
- return -EINVAL;
- }
-
-@@ -3028,7 +3056,7 @@ static int check_ld_abs(struct bpf_verif
-
- /* reset caller saved regs to unreadable */
- for (i = 0; i < CALLER_SAVED_REGS; i++) {
-- mark_reg_not_init(regs, caller_saved[i]);
-+ mark_reg_not_init(env, regs, caller_saved[i]);
- check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
- }
-
-@@ -3036,7 +3064,7 @@ static int check_ld_abs(struct bpf_verif
- * the value fetched from the packet.
- * Already marked as written above.
- */
-- mark_reg_unknown(regs, BPF_REG_0);
-+ mark_reg_unknown(env, regs, BPF_REG_0);
- return 0;
- }
-
-@@ -3100,7 +3128,7 @@ static int push_insn(int t, int w, int e
- return 0;
-
- if (w < 0 || w >= env->prog->len) {
-- verbose("jump out of range from insn %d to %d\n", t, w);
-+ verbose(env, "jump out of range from insn %d to %d\n", t, w);
- return -EINVAL;
- }
-
-@@ -3117,13 +3145,13 @@ static int push_insn(int t, int w, int e
- insn_stack[cur_stack++] = w;
- return 1;
- } else if ((insn_state[w] & 0xF0) == DISCOVERED) {
-- verbose("back-edge from insn %d to %d\n", t, w);
-+ verbose(env, "back-edge from insn %d to %d\n", t, w);
- return -EINVAL;
- } else if (insn_state[w] == EXPLORED) {
- /* forward- or cross-edge */
- insn_state[t] = DISCOVERED | e;
- } else {
-- verbose("insn state internal bug\n");
-+ verbose(env, "insn state internal bug\n");
- return -EFAULT;
- }
- return 0;
-@@ -3217,7 +3245,7 @@ peek_stack:
- mark_explored:
- insn_state[t] = EXPLORED;
- if (cur_stack-- <= 0) {
-- verbose("pop stack internal bug\n");
-+ verbose(env, "pop stack internal bug\n");
- ret = -EFAULT;
- goto err_free;
- }
-@@ -3226,7 +3254,7 @@ mark_explored:
- check_state:
- for (i = 0; i < insn_cnt; i++) {
- if (insn_state[i] != EXPLORED) {
-- verbose("unreachable insn %d\n", i);
-+ verbose(env, "unreachable insn %d\n", i);
- ret = -EINVAL;
- goto err_free;
- }
-@@ -3606,7 +3634,7 @@ static int do_check(struct bpf_verifier_
- int insn_processed = 0;
- bool do_print_state = false;
-
-- init_reg_state(regs);
-+ init_reg_state(env, regs);
- state->parent = NULL;
- insn_idx = 0;
- for (;;) {
-@@ -3615,7 +3643,7 @@ static int do_check(struct bpf_verifier_
- int err;
-
- if (insn_idx >= insn_cnt) {
-- verbose("invalid insn idx %d insn_cnt %d\n",
-+ verbose(env, "invalid insn idx %d insn_cnt %d\n",
- insn_idx, insn_cnt);
- return -EFAULT;
- }
-@@ -3624,7 +3652,8 @@ static int do_check(struct bpf_verifier_
- class = BPF_CLASS(insn->code);
-
- if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
-- verbose("BPF program is too large. Processed %d insn\n",
-+ verbose(env,
-+ "BPF program is too large. Processed %d insn\n",
- insn_processed);
- return -E2BIG;
- }
-@@ -3634,12 +3663,12 @@ static int do_check(struct bpf_verifier_
- return err;
- if (err == 1) {
- /* found equivalent state, can prune the search */
-- if (verifier_log.level) {
-+ if (env->log.level) {
- if (do_print_state)
-- verbose("\nfrom %d to %d: safe\n",
-+ verbose(env, "\nfrom %d to %d: safe\n",
- prev_insn_idx, insn_idx);
- else
-- verbose("%d: safe\n", insn_idx);
-+ verbose(env, "%d: safe\n", insn_idx);
- }
- goto process_bpf_exit;
- }
-@@ -3647,19 +3676,18 @@ static int do_check(struct bpf_verifier_
- if (need_resched())
- cond_resched();
-
-- if (verifier_log.level > 1 ||
-- (verifier_log.level && do_print_state)) {
-- if (verifier_log.level > 1)
-- verbose("%d:", insn_idx);
-+ if (env->log.level > 1 || (env->log.level && do_print_state)) {
-+ if (env->log.level > 1)
-+ verbose(env, "%d:", insn_idx);
- else
-- verbose("\nfrom %d to %d:",
-+ verbose(env, "\nfrom %d to %d:",
- prev_insn_idx, insn_idx);
-- print_verifier_state(&env->cur_state);
-+ print_verifier_state(env, &env->cur_state);
- do_print_state = false;
- }
-
-- if (verifier_log.level) {
-- verbose("%d: ", insn_idx);
-+ if (env->log.level) {
-+ verbose(env, "%d: ", insn_idx);
- print_bpf_insn(env, insn);
- }
-
-@@ -3716,7 +3744,7 @@ static int do_check(struct bpf_verifier_
- * src_reg == stack|map in some other branch.
- * Reject it.
- */
-- verbose("same insn cannot be used with different pointers\n");
-+ verbose(env, "same insn cannot be used with different pointers\n");
- return -EINVAL;
- }
-
-@@ -3756,14 +3784,14 @@ static int do_check(struct bpf_verifier_
- } else if (dst_reg_type != *prev_dst_type &&
- (dst_reg_type == PTR_TO_CTX ||
- *prev_dst_type == PTR_TO_CTX)) {
-- verbose("same insn cannot be used with different pointers\n");
-+ verbose(env, "same insn cannot be used with different pointers\n");
- return -EINVAL;
- }
-
- } else if (class == BPF_ST) {
- if (BPF_MODE(insn->code) != BPF_MEM ||
- insn->src_reg != BPF_REG_0) {
-- verbose("BPF_ST uses reserved fields\n");
-+ verbose(env, "BPF_ST uses reserved fields\n");
- return -EINVAL;
- }
- /* check src operand */
-@@ -3786,7 +3814,7 @@ static int do_check(struct bpf_verifier_
- insn->off != 0 ||
- insn->src_reg != BPF_REG_0 ||
- insn->dst_reg != BPF_REG_0) {
-- verbose("BPF_CALL uses reserved fields\n");
-+ verbose(env, "BPF_CALL uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -3799,7 +3827,7 @@ static int do_check(struct bpf_verifier_
- insn->imm != 0 ||
- insn->src_reg != BPF_REG_0 ||
- insn->dst_reg != BPF_REG_0) {
-- verbose("BPF_JA uses reserved fields\n");
-+ verbose(env, "BPF_JA uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -3811,7 +3839,7 @@ static int do_check(struct bpf_verifier_
- insn->imm != 0 ||
- insn->src_reg != BPF_REG_0 ||
- insn->dst_reg != BPF_REG_0) {
-- verbose("BPF_EXIT uses reserved fields\n");
-+ verbose(env, "BPF_EXIT uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -3826,7 +3854,7 @@ static int do_check(struct bpf_verifier_
- return err;
-
- if (is_pointer_value(env, BPF_REG_0)) {
-- verbose("R0 leaks addr as return value\n");
-+ verbose(env, "R0 leaks addr as return value\n");
- return -EACCES;
- }
-
-@@ -3858,19 +3886,19 @@ process_bpf_exit:
-
- insn_idx++;
- } else {
-- verbose("invalid BPF_LD mode\n");
-+ verbose(env, "invalid BPF_LD mode\n");
- return -EINVAL;
- }
- } else {
-- verbose("unknown insn class %d\n", class);
-+ verbose(env, "unknown insn class %d\n", class);
- return -EINVAL;
- }
-
- insn_idx++;
- }
-
-- verbose("processed %d insns, stack depth %d\n",
-- insn_processed, env->prog->aux->stack_depth);
-+ verbose(env, "processed %d insns, stack depth %d\n", insn_processed,
-+ env->prog->aux->stack_depth);
- return 0;
- }
-
-@@ -3882,7 +3910,8 @@ static int check_map_prealloc(struct bpf
- !(map->map_flags & BPF_F_NO_PREALLOC);
- }
-
--static int check_map_prog_compatibility(struct bpf_map *map,
-+static int check_map_prog_compatibility(struct bpf_verifier_env *env,
-+ struct bpf_map *map,
- struct bpf_prog *prog)
-
- {
-@@ -3893,12 +3922,12 @@ static int check_map_prog_compatibility(
- */
- if (prog->type == BPF_PROG_TYPE_PERF_EVENT) {
- if (!check_map_prealloc(map)) {
-- verbose("perf_event programs can only use preallocated hash map\n");
-+ verbose(env, "perf_event programs can only use preallocated hash map\n");
- return -EINVAL;
- }
- if (map->inner_map_meta &&
- !check_map_prealloc(map->inner_map_meta)) {
-- verbose("perf_event programs can only use preallocated inner hash map\n");
-+ verbose(env, "perf_event programs can only use preallocated inner hash map\n");
- return -EINVAL;
- }
- }
-@@ -3921,14 +3950,14 @@ static int replace_map_fd_with_map_ptr(s
- for (i = 0; i < insn_cnt; i++, insn++) {
- if (BPF_CLASS(insn->code) == BPF_LDX &&
- (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {
-- verbose("BPF_LDX uses reserved fields\n");
-+ verbose(env, "BPF_LDX uses reserved fields\n");
- return -EINVAL;
- }
-
- if (BPF_CLASS(insn->code) == BPF_STX &&
- ((BPF_MODE(insn->code) != BPF_MEM &&
- BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
-- verbose("BPF_STX uses reserved fields\n");
-+ verbose(env, "BPF_STX uses reserved fields\n");
- return -EINVAL;
- }
-
-@@ -3939,7 +3968,7 @@ static int replace_map_fd_with_map_ptr(s
- if (i == insn_cnt - 1 || insn[1].code != 0 ||
- insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||
- insn[1].off != 0) {
-- verbose("invalid bpf_ld_imm64 insn\n");
-+ verbose(env, "invalid bpf_ld_imm64 insn\n");
- return -EINVAL;
- }
-
-@@ -3948,19 +3977,20 @@ static int replace_map_fd_with_map_ptr(s
- goto next_insn;
-
- if (insn->src_reg != BPF_PSEUDO_MAP_FD) {
-- verbose("unrecognized bpf_ld_imm64 insn\n");
-+ verbose(env,
-+ "unrecognized bpf_ld_imm64 insn\n");
- return -EINVAL;
- }
-
- f = fdget(insn->imm);
- map = __bpf_map_get(f);
- if (IS_ERR(map)) {
-- verbose("fd %d is not pointing to valid bpf_map\n",
-+ verbose(env, "fd %d is not pointing to valid bpf_map\n",
- insn->imm);
- return PTR_ERR(map);
- }
-
-- err = check_map_prog_compatibility(map, env->prog);
-+ err = check_map_prog_compatibility(env, map, env->prog);
- if (err) {
- fdput(f);
- return err;
-@@ -4082,7 +4112,7 @@ static int convert_ctx_accesses(struct b
- cnt = ops->gen_prologue(insn_buf, env->seen_direct_write,
- env->prog);
- if (cnt >= ARRAY_SIZE(insn_buf)) {
-- verbose("bpf verifier is misconfigured\n");
-+ verbose(env, "bpf verifier is misconfigured\n");
- return -EINVAL;
- } else if (cnt) {
- new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
-@@ -4130,7 +4160,7 @@ static int convert_ctx_accesses(struct b
- u8 size_code;
-
- if (type == BPF_WRITE) {
-- verbose("bpf verifier narrow ctx access misconfigured\n");
-+ verbose(env, "bpf verifier narrow ctx access misconfigured\n");
- return -EINVAL;
- }
-
-@@ -4149,7 +4179,7 @@ static int convert_ctx_accesses(struct b
- &target_size);
- if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) ||
- (ctx_field_size && !target_size)) {
-- verbose("bpf verifier is misconfigured\n");
-+ verbose(env, "bpf verifier is misconfigured\n");
- return -EINVAL;
- }
-
-@@ -4231,7 +4261,7 @@ static int fixup_bpf_calls(struct bpf_ve
-
- cnt = map_ptr->ops->map_gen_lookup(map_ptr, insn_buf);
- if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
-- verbose("bpf verifier is misconfigured\n");
-+ verbose(env, "bpf verifier is misconfigured\n");
- return -EINVAL;
- }
-
-@@ -4275,7 +4305,8 @@ patch_call_imm:
- * programs to call them, must be real in-kernel functions
- */
- if (!fn->func) {
-- verbose("kernel subsystem misconfigured func %s#%d\n",
-+ verbose(env,
-+ "kernel subsystem misconfigured func %s#%d\n",
- func_id_name(insn->imm), insn->imm);
- return -EFAULT;
- }
-@@ -4309,8 +4340,8 @@ static void free_states(struct bpf_verif
-
- int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
- {
-- struct bpf_verifer_log *log = &verifier_log;
- struct bpf_verifier_env *env;
-+ struct bpf_verifer_log *log;
- int ret = -EINVAL;
-
- /* 'struct bpf_verifier_env' can be global, but since it's not small,
-@@ -4319,6 +4350,7 @@ int bpf_check(struct bpf_prog **prog, un
- env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);
- if (!env)
- return -ENOMEM;
-+ log = &env->log;
-
- env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
- (*prog)->len);
-@@ -4337,7 +4369,6 @@ int bpf_check(struct bpf_prog **prog, un
- log->level = attr->log_level;
- log->ubuf = (char __user *) (unsigned long) attr->log_buf;
- log->len_total = attr->log_size;
-- log->len_used = 0;
-
- ret = -EINVAL;
- /* log attributes have to be sane */
-@@ -4349,8 +4380,6 @@ int bpf_check(struct bpf_prog **prog, un
- log->kbuf = vmalloc(log->len_total);
- if (!log->kbuf)
- goto err_unlock;
-- } else {
-- log->level = 0;
- }
-
- env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);
-@@ -4461,8 +4490,6 @@ int bpf_analyzer(struct bpf_prog *prog,
- /* grab the mutex to protect few globals used by verifier */
- mutex_lock(&bpf_verifier_lock);
-
-- verifier_log.level = 0;
--
- env->strict_alignment = false;
- if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
- env->strict_alignment = true;
diff --git a/debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch b/debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch
deleted file mode 100644
index 990d196a2..000000000
--- a/debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Edward Cree
-Date: Mon, 18 Dec 2017 20:11:53 -0800
-Subject: [1/9] bpf/verifier: fix bounds calculation on BPF_RSH
-Origin: https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941
-
-Incorrect signed bounds were being computed.
-If the old upper signed bound was positive and the old lower signed bound was
-negative, this could cause the new upper signed bound to be too low,
-leading to security issues.
-
-Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values")
-Reported-by: Jann Horn
-Signed-off-by: Edward Cree
-Acked-by: Alexei Starovoitov
-[jannh@google.com: changed description to reflect bug impact]
-Signed-off-by: Jann Horn
-Signed-off-by: Alexei Starovoitov
-Signed-off-by: Daniel Borkmann
----
- kernel/bpf/verifier.c | 30 ++++++++++++++++--------------
- 1 file changed, 16 insertions(+), 14 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2183,20 +2183,22 @@ static int adjust_scalar_min_max_vals(st
- mark_reg_unknown(env, regs, insn->dst_reg);
- break;
- }
-- /* BPF_RSH is an unsigned shift, so make the appropriate casts */
-- if (dst_reg->smin_value < 0) {
-- if (umin_val) {
-- /* Sign bit will be cleared */
-- dst_reg->smin_value = 0;
-- } else {
-- /* Lost sign bit information */
-- dst_reg->smin_value = S64_MIN;
-- dst_reg->smax_value = S64_MAX;
-- }
-- } else {
-- dst_reg->smin_value =
-- (u64)(dst_reg->smin_value) >> umax_val;
-- }
-+ /* BPF_RSH is an unsigned shift. If the value in dst_reg might
-+ * be negative, then either:
-+ * 1) src_reg might be zero, so the sign bit of the result is
-+ * unknown, so we lose our signed bounds
-+ * 2) it's known negative, thus the unsigned bounds capture the
-+ * signed bounds
-+ * 3) the signed bounds cross zero, so they tell us nothing
-+ * about the result
-+ * If the value in dst_reg is known nonnegative, then again the
-+ * unsigned bounts capture the signed bounds.
-+ * Thus, in all cases it suffices to blow away our signed bounds
-+ * and rely on inferring new ones from the unsigned bounds and
-+ * var_off of the result.
-+ */
-+ dst_reg->smin_value = S64_MIN;
-+ dst_reg->smax_value = S64_MAX;
- if (src_known)
- dst_reg->var_off = tnum_rshift(dst_reg->var_off,
- umin_val);
diff --git a/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch b/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
index be5f528f4..dc52771cb 100644
--- a/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
+++ b/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
@@ -5,10 +5,9 @@ Forwarded: https://marc.info/?l=linux-pm&m=149248268214265 Calls to cpufreq_cpu_exists(cpu) were converted to cpupower_is_cpu_online(cpu) when libcpupower was introduced and the -former function was deleted. However, cpupower_is_cpu_online() -returns 1 on success whereas cpufreq_cpu_exists() returned 0 on -success. It also does not distinguish physically absent and offline -CPUs, and does not set errno. +former function was deleted. However, cpupower_is_cpu_online() does +not distinguish physically absent and offline CPUs, and does not set +errno. cpufreq-set has already been fixed (commit c25badc9ceb6).
@@ -16,6 +15,7 @@ In cpufreq-bench, which prints an error message for offline CPUs, properly distinguish and report the zero and negative cases. Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library") +Fixes: 53d1cd6b125f ("cpupowerutils: bench - Fix cpu online check") Signed-off-by: Ben Hutchings --- --- a/tools/power/cpupower/bench/system.c
@@ -28,7 +28,7 @@ Signed-off-by: Ben Hutchings dprintf("set %s as cpufreq governor\n", governor); -- if (cpupower_is_cpu_online(cpu) != 0) { +- if (cpupower_is_cpu_online(cpu) != 1) { - perror("cpufreq_cpu_exists"); - fprintf(stderr, "error: cpu %u does not exist\n", cpu); + rc = cpupower_is_cpu_online(cpu);
diff --git a/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch b/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
deleted file mode 100644
index 44c4b4f43..000000000
--- a/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: Eric Biggers
-Date: Tue, 28 Nov 2017 18:01:38 -0800
-Subject: crypto: hmac - require that the underlying hash algorithm is unkeyed
-Origin: https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17806
-
-Because the HMAC template didn't check that its underlying hash
-algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
-through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
-being used without having been keyed, resulting in sha3_update() being
-called without sha3_init(), causing a stack buffer overflow.
-
-This is a very old bug, but it seems to have only started causing real
-problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
-because the innermost hash's state is ->import()ed from a zeroed buffer,
-and it just so happens that other hash algorithms are fine with that,
-but SHA-3 is not. However, there could be arch or hardware-dependent
-hash algorithms also affected; I couldn't test everything.
-
-Fix the bug by introducing a function crypto_shash_alg_has_setkey()
-which tests whether a shash algorithm is keyed. Then update the HMAC
-template to require that its underlying hash algorithm is unkeyed.
-
-Here is a reproducer:
-
- #include
- #include
-
- int main()
- {
- int algfd;
- struct sockaddr_alg addr = {
- .salg_type = "hash",
- .salg_name = "hmac(hmac(sha3-512-generic))",
- };
- char key[4096] = { 0 };
-
- algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
- bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
- setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
- }
-
-Here was the KASAN report from syzbot:
-
- BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
- BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
- Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
-
- CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
- Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
- Call Trace:
- __dump_stack lib/dump_stack.c:17 [inline]
- dump_stack+0x194/0x257 lib/dump_stack.c:53
- print_address_description+0x73/0x250 mm/kasan/report.c:252
- kasan_report_error mm/kasan/report.c:351 [inline]
- kasan_report+0x25b/0x340 mm/kasan/report.c:409
- check_memory_region_inline mm/kasan/kasan.c:260 [inline]
- check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
- memcpy+0x37/0x50 mm/kasan/kasan.c:303
- memcpy include/linux/string.h:341 [inline]
- sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
- crypto_shash_update+0xcb/0x220 crypto/shash.c:109
- shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
- crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
- hmac_finup+0x182/0x330 crypto/hmac.c:152
- crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
- shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
- crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
- hmac_setkey+0x36a/0x690 crypto/hmac.c:66
- crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
- shash_async_setkey+0x47/0x60 crypto/shash.c:207
- crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
- hash_setkey+0x40/0x90 crypto/algif_hash.c:446
- alg_setkey crypto/af_alg.c:221 [inline]
- alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
- SYSC_setsockopt net/socket.c:1851 [inline]
- SyS_setsockopt+0x189/0x360 net/socket.c:1830
- entry_SYSCALL_64_fastpath+0x1f/0x96
-
-Reported-by: syzbot
-Cc:
-Signed-off-by: Eric Biggers
-Signed-off-by: Herbert Xu
----
- crypto/hmac.c | 6 +++++-
- crypto/shash.c | 5 +++--
- include/crypto/internal/hash.h | 8 ++++++++
- 3 files changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/hmac.c b/crypto/hmac.c
-index 92871dc2a63e..e74730224f0a 100644
---- a/crypto/hmac.c
-+++ b/crypto/hmac.c
-@@ -195,11 +195,15 @@ static int hmac_create(struct crypto_template *tmpl, struct rtattr **tb)
- salg = shash_attr_alg(tb[1], 0, 0);
- if (IS_ERR(salg))
- return PTR_ERR(salg);
-+ alg = &salg->base;
-
-+ /* The underlying hash algorithm must be unkeyed */
- err = -EINVAL;
-+ if (crypto_shash_alg_has_setkey(salg))
-+ goto out_put_alg;
-+
- ds = salg->digestsize;
- ss = salg->statesize;
-- alg = &salg->base;
- if (ds > alg->cra_blocksize ||
- ss < alg->cra_blocksize)
- goto out_put_alg;
-diff --git a/crypto/shash.c b/crypto/shash.c
-index 325a14da5827..e849d3ee2e27 100644
---- a/crypto/shash.c
-+++ b/crypto/shash.c
-@@ -25,11 +25,12 @@
-
- static const struct crypto_type crypto_shash_type;
-
--static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-- unsigned int keylen)
-+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-+ unsigned int keylen)
- {
- return -ENOSYS;
- }
-+EXPORT_SYMBOL_GPL(shash_no_setkey);
-
- static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
- unsigned int keylen)
-diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
-index f0b44c16e88f..c2bae8da642c 100644
---- a/include/crypto/internal/hash.h
-+++ b/include/crypto/internal/hash.h
-@@ -82,6 +82,14 @@ int ahash_register_instance(struct crypto_template *tmpl,
- struct ahash_instance *inst);
- void ahash_free_instance(struct crypto_instance *inst);
-
-+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-+ unsigned int keylen);
-+
-+static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
-+{
-+ return alg->setkey != shash_no_setkey;
-+}
-+
- int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
- struct hash_alg_common *alg,
- struct crypto_instance *inst);
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
deleted file mode 100644
index 4418d7f77..000000000
--- a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Eric Biggers
-Date: Tue, 28 Nov 2017 20:56:59 -0800
-Subject: crypto: salsa20 - fix blkcipher_walk API usage
-Origin: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17805
-
-When asked to encrypt or decrypt 0 bytes, both the generic and x86
-implementations of Salsa20 crash in blkcipher_walk_done(), either when
-doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
-because walk->buffer and walk->page have not been initialized.
-
-The bug is that Salsa20 is calling blkcipher_walk_done() even when
-nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
-be called when a nonzero number of bytes have been provided.
-
-The broken code is part of an optimization that tries to make only one
-call to salsa20_encrypt_bytes() to process inputs that are not evenly
-divisible by 64 bytes. To fix the bug, just remove this "optimization"
-and use the blkcipher_walk API the same way all the other users do.
-
-Reproducer:
-
- #include
- #include
- #include
-
- int main()
- {
- int algfd, reqfd;
- struct sockaddr_alg addr = {
- .salg_type = "skcipher",
- .salg_name = "salsa20",
- };
- char key[16] = { 0 };
-
- algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
- bind(algfd, (void *)&addr, sizeof(addr));
- reqfd = accept(algfd, 0, 0);
- setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
- read(reqfd, key, sizeof(key));
- }
-
-Reported-by: syzbot
-Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
-Cc: # v2.6.25+
-Signed-off-by: Eric Biggers
-Signed-off-by: Herbert Xu
----
- arch/x86/crypto/salsa20_glue.c | 7 -------
- crypto/salsa20_generic.c | 7 -------
- 2 files changed, 14 deletions(-)
-
-diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
-index 399a29d067d6..cb91a64a99e7 100644
---- a/arch/x86/crypto/salsa20_glue.c
-+++ b/arch/x86/crypto/salsa20_glue.c
-@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
-
- salsa20_ivsetup(ctx, walk.iv);
-
-- if (likely(walk.nbytes == nbytes))
-- {
-- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
-- walk.dst.virt.addr, nbytes);
-- return blkcipher_walk_done(desc, &walk, 0);
-- }
--
- while (walk.nbytes >= 64) {
- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
- walk.dst.virt.addr,
-diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
-index f550b5d94630..d7da0eea5622 100644
---- a/crypto/salsa20_generic.c
-+++ b/crypto/salsa20_generic.c
-@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
-
- salsa20_ivsetup(ctx, walk.iv);
-
-- if (likely(walk.nbytes == nbytes))
-- {
-- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
-- walk.src.virt.addr, nbytes);
-- return blkcipher_walk_done(desc, &walk, 0);
-- }
--
- while (walk.nbytes >= 64) {
- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
- walk.src.virt.addr,
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
deleted file mode 100644
index 3772ee858..000000000
--- a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Mohamed Ghannam
-Date: Tue, 5 Dec 2017 20:58:35 +0000
-Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
-Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam
-Reviewed-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int
- {
- struct inet_connection_sock *icsk = inet_csk(sk);
- struct inet_sock *inet = inet_sk(sk);
-+ struct dccp_sock *dp = dccp_sk(sk);
- int err = 0;
- const int old_state = sk->sk_state;
-
-@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int
- sk->sk_err = ECONNRESET;
-
- dccp_clear_xmit_timers(sk);
-+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+ dp->dccps_hc_rx_ccid = NULL;
-+ dp->dccps_hc_tx_ccid = NULL;
-
- __skb_queue_purge(&sk->sk_receive_queue);
- __skb_queue_purge(&sk->sk_write_queue);
diff --git a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
index d6be1f655..300479d24 100644
--- a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
+++ b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
@@ -53,7 +53,7 @@ upstream submission. /* disable MPU */ --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -732,10 +732,8 @@ static enum ucode_state request_microcod +@@ -739,10 +739,8 @@ static enum ucode_state request_microcod if (c->x86 >= 0x15) snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); @@ -81,7 +81,7 @@ upstream submission. rec = (const struct ihex_binrec *)fw->data; --- a/drivers/atm/fore200e.c +++ b/drivers/atm/fore200e.c -@@ -2496,10 +2496,9 @@ static int fore200e_load_and_start_fw(st +@@ -2504,10 +2504,9 @@ static int fore200e_load_and_start_fw(st return err; sprintf(buf, "%s%s", fore200e->bus->proc_name, FW_EXT); @@ -96,7 +96,7 @@ upstream submission. fw_size = firmware->size / sizeof(u32); --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c -@@ -424,10 +424,8 @@ static int ath3k_load_patch(struct usb_d +@@ -425,10 +425,8 @@ static int ath3k_load_patch(struct usb_d le32_to_cpu(fw_version.rom_version)); ret = request_firmware(&firmware, filename, &udev->dev); @@ -108,7 +108,7 @@ upstream submission. pt_rom_version = get_unaligned_le32(firmware->data + firmware->size - 8); -@@ -487,10 +485,8 @@ static int ath3k_load_syscfg(struct usb_ +@@ -488,10 +486,8 @@ static int ath3k_load_syscfg(struct usb_ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu"); ret = request_firmware(&firmware, filename, &udev->dev); @@ -203,7 +203,7 @@ upstream submission. fw->size, fw_name); --- a/drivers/dma/imx-sdma.c +++ b/drivers/dma/imx-sdma.c -@@ -1453,11 +1453,8 @@ static void sdma_load_firmware(const str +@@ -1461,11 +1461,8 @@ static void sdma_load_firmware(const str const struct sdma_script_start_addrs *addr; unsigned short *ram_code; @@ -233,7 +233,7 @@ upstream submission. where = 0; --- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c 
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c -@@ -1833,10 +1833,8 @@ gf100_gr_ctor_fw_legacy(struct gf100_gr +@@ -1839,10 +1839,8 @@ gf100_gr_ctor_fw_legacy(struct gf100_gr if (ret) { snprintf(f, sizeof(f), "nouveau/%s", fwname); ret = request_firmware(&fw, f, device->dev); @@ -313,7 +313,7 @@ upstream submission. ret = qib_ibsd_ucode_loaded(dd->pport, fw); --- a/drivers/input/touchscreen/atmel_mxt_ts.c +++ b/drivers/input/touchscreen/atmel_mxt_ts.c -@@ -2715,10 +2715,8 @@ static int mxt_load_fw(struct device *de +@@ -2717,10 +2717,8 @@ static int mxt_load_fw(struct device *de int ret; ret = request_firmware(&fw, fn, dev); @@ -384,7 +384,7 @@ upstream submission. nim9090md_config[1].microcode_B_fe_size = state->frontend_firmware->size; --- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c +++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c -@@ -88,13 +88,9 @@ int dvb_usb_download_firmware(struct usb +@@ -89,13 +89,9 @@ int dvb_usb_download_firmware(struct usb int ret; const struct firmware *fw = NULL; @@ -469,7 +469,7 @@ upstream submission. b = fw->data; --- a/drivers/media/dvb-frontends/cx24116.c +++ b/drivers/media/dvb-frontends/cx24116.c -@@ -495,13 +495,8 @@ static int cx24116_firmware_ondemand(str +@@ -491,13 +491,8 @@ static int cx24116_firmware_ondemand(str __func__, CX24116_DEFAULT_FIRMWARE); ret = request_firmware(&fw, CX24116_DEFAULT_FIRMWARE, state->i2c->dev.parent); @@ -486,7 +486,7 @@ upstream submission. * during loading */ --- a/drivers/media/dvb-frontends/drxd_hard.c +++ b/drivers/media/dvb-frontends/drxd_hard.c -@@ -901,10 +901,8 @@ static int load_firmware(struct drxd_sta +@@ -903,10 +903,8 @@ static int load_firmware(struct drxd_sta { const struct firmware *fw; @@ -497,7 +497,7 @@ upstream submission. - } state->microcode = kmemdup(fw->data, fw->size, GFP_KERNEL); - if (state->microcode == NULL) { + if (!state->microcode) { --- a/drivers/media/dvb-frontends/drxk_hard.c +++ b/drivers/media/dvb-frontends/drxk_hard.c 
@@ -6287,10 +6287,6 @@ static void load_firmware_cb(const struc @@ -513,7 +513,7 @@ upstream submission. /* --- a/drivers/media/dvb-frontends/ds3000.c +++ b/drivers/media/dvb-frontends/ds3000.c -@@ -362,12 +362,8 @@ static int ds3000_firmware_ondemand(stru +@@ -360,12 +360,8 @@ static int ds3000_firmware_ondemand(stru DS3000_DEFAULT_FIRMWARE); ret = request_firmware(&fw, DS3000_DEFAULT_FIRMWARE, state->i2c->dev.parent); @@ -691,7 +691,7 @@ upstream submission. } --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c -@@ -1158,10 +1158,8 @@ static int smscore_load_firmware_from_fi +@@ -1156,10 +1156,8 @@ static int smscore_load_firmware_from_fi return -EINVAL; rc = request_firmware(&fw, fw_filename, coredev->device); @@ -906,7 +906,7 @@ upstream submission. pr_err("ERROR: Firmware size mismatch (have %zu, expected %d)\n", --- a/drivers/media/pci/cx23885/cx23885-cards.c +++ b/drivers/media/pci/cx23885/cx23885-cards.c -@@ -2339,10 +2339,7 @@ void cx23885_card_setup(struct cx23885_d +@@ -2345,10 +2345,7 @@ void cx23885_card_setup(struct cx23885_d cinfo.rev, filename); ret = request_firmware(&fw, filename, &dev->pci->dev); @@ -1003,7 +1003,7 @@ upstream submission. --- a/drivers/media/usb/s2255/s2255drv.c +++ b/drivers/media/usb/s2255/s2255drv.c -@@ -2306,10 +2306,8 @@ static int s2255_probe(struct usb_interf +@@ -2307,10 +2307,8 @@ static int s2255_probe(struct usb_interf } /* load the first chunk */ if (request_firmware(&dev->fw_data->fw, @@ -1156,7 +1156,7 @@ upstream submission. if (bp->mips_firmware->size < sizeof(*mips_fw) || --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c -@@ -13490,11 +13490,8 @@ static int bnx2x_init_firmware(struct bn +@@ -13495,11 +13495,8 @@ static int bnx2x_init_firmware(struct bn BNX2X_DEV_INFO("Loading %s\n", fw_file_name); rc = request_firmware(&bp->firmware, fw_file_name, &bp->pdev->dev); 
@@ -1171,7 +1171,7 @@ upstream submission. if (rc) { --- a/drivers/net/ethernet/broadcom/tg3.c +++ b/drivers/net/ethernet/broadcom/tg3.c -@@ -11357,11 +11357,8 @@ static int tg3_request_firmware(struct t +@@ -11355,11 +11355,8 @@ static int tg3_request_firmware(struct t { const struct tg3_firmware_hdr *fw_hdr; @@ -1200,7 +1200,7 @@ upstream submission. *bfi_image_size = fw->size/sizeof(u32); --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c -@@ -1033,12 +1033,8 @@ int t3_get_edc_fw(struct cphy *phy, int +@@ -1037,12 +1037,8 @@ int t3_get_edc_fw(struct cphy *phy, int fw_name = get_edc_fw_name(edc_idx); if (fw_name) ret = request_firmware(&fw, fw_name, &adapter->pdev->dev); @@ -1214,7 +1214,7 @@ upstream submission. /* check size, take checksum in account */ if (fw->size > size + 4) { -@@ -1075,11 +1071,8 @@ static int upgrade_fw(struct adapter *ad +@@ -1079,11 +1075,8 @@ static int upgrade_fw(struct adapter *ad struct device *dev = &adap->pdev->dev; ret = request_firmware(&fw, FW_FNAME, dev); @@ -1227,7 +1227,7 @@ upstream submission. ret = t3_load_fw(adap, fw->data, fw->size); release_firmware(fw); -@@ -1124,11 +1117,8 @@ static int update_tpsram(struct adapter +@@ -1128,11 +1121,8 @@ static int update_tpsram(struct adapter snprintf(buf, sizeof(buf), TPSRAM_NAME, rev); ret = request_firmware(&tpsram, buf, dev); @@ -1386,7 +1386,7 @@ upstream submission. --- a/drivers/net/wireless/atmel/atmel.c +++ b/drivers/net/wireless/atmel/atmel.c -@@ -3911,12 +3911,8 @@ static int reset_atmel_card(struct net_d +@@ -3908,12 +3908,8 @@ static int reset_atmel_card(struct net_d strcpy(priv->firmware_id, "atmel_at76c502.bin"); } err = request_firmware(&fw_entry, priv->firmware_id, priv->sys_dev); @@ -1480,7 +1480,7 @@ upstream submission. --- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c 
+++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c -@@ -3416,10 +3416,8 @@ static int ipw_get_fw(struct ipw_priv *p +@@ -3417,10 +3417,8 @@ static int ipw_get_fw(struct ipw_priv *p /* ask firmware_class module to get the boot firmware off disk */ rc = request_firmware(raw, name, &priv->pci_dev->dev); @@ -1504,7 +1504,7 @@ upstream submission. else --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -@@ -234,8 +234,6 @@ static int iwl_request_firmware(struct i +@@ -235,8 +235,6 @@ static int iwl_request_firmware(struct i } if (drv->fw_index < cfg->ucode_api_min) { @@ -1526,7 +1526,7 @@ upstream submission. } --- a/drivers/net/wireless/marvell/mwifiex/main.c +++ b/drivers/net/wireless/marvell/mwifiex/main.c -@@ -526,11 +526,8 @@ static int _mwifiex_fw_dpc(const struct +@@ -525,11 +525,8 @@ static int _mwifiex_fw_dpc(const struct struct wireless_dev *wdev; struct completion *fw_done = adapter->fw_done; @@ -1620,7 +1620,7 @@ upstream submission. --- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c -@@ -1679,7 +1679,6 @@ static int ezusb_probe(struct usb_interf +@@ -1677,7 +1677,6 @@ static int ezusb_probe(struct usb_interf if (ezusb_firmware_download(upriv, &firmware) < 0) goto error; } else { @@ -1705,7 +1705,7 @@ upstream submission. } --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c -@@ -91,7 +91,6 @@ static void rtl92se_fw_cb(const struct f +@@ -92,7 +92,6 @@ static void rtl92se_fw_cb(const struct f "Firmware callback routine entered!\n"); complete(&rtlpriv->firmware_loading_complete); if (!firmware) { @@ -1850,7 +1850,7 @@ upstream submission. if (err) { --- a/drivers/scsi/bfa/bfad.c 
+++ b/drivers/scsi/bfa/bfad.c -@@ -1758,7 +1758,6 @@ bfad_read_firmware(struct pci_dev *pdev, +@@ -1756,7 +1756,6 @@ bfad_read_firmware(struct pci_dev *pdev, const struct firmware *fw; if (request_firmware(&fw, fw_name, &pdev->dev)) { @@ -1860,7 +1860,7 @@ upstream submission. } --- a/drivers/scsi/ipr.c +++ b/drivers/scsi/ipr.c -@@ -4083,10 +4083,8 @@ static ssize_t ipr_store_update_fw(struc +@@ -4094,10 +4094,8 @@ static ssize_t ipr_store_update_fw(struc if (endline) *endline = '\0'; @@ -1874,7 +1874,7 @@ upstream submission. --- a/drivers/scsi/pm8001/pm8001_ctl.c +++ b/drivers/scsi/pm8001/pm8001_ctl.c -@@ -685,10 +685,6 @@ static ssize_t pm8001_store_update_fw(st +@@ -737,10 +737,6 @@ static ssize_t pm8001_store_update_fw(st pm8001_ha->dev); if (ret) { @@ -1898,7 +1898,7 @@ upstream submission. } --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -6651,8 +6651,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha, +@@ -6906,8 +6906,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha, /* Load firmware blob. */ blob = qla2x00_request_firmware(vha); if (!blob) { @@ -1907,7 +1907,7 @@ upstream submission. ql_log(ql_log_info, vha, 0x0084, "Firmware images can be retrieved from: "QLA_FW_URL ".\n"); return QLA_FUNCTION_FAILED; -@@ -6754,8 +6752,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t * +@@ -7009,8 +7007,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t * /* Load firmware blob. */ blob = qla2x00_request_firmware(vha); if (!blob) { @@ -1933,7 +1933,7 @@ upstream submission. if (qla82xx_validate_firmware_blob(vha, --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -6149,8 +6149,6 @@ qla2x00_request_firmware(scsi_qla_host_t +@@ -6269,8 +6269,6 @@ qla2x00_request_firmware(scsi_qla_host_t goto out; if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) { @@ -2017,11 +2017,11 @@ upstream submission. if (0 != ret) { --- a/drivers/staging/media/lirc/lirc_zilog.c 
+++ b/drivers/staging/media/lirc/lirc_zilog.c -@@ -753,9 +753,6 @@ static int fw_load(struct IR_tx *tx) +@@ -752,9 +752,6 @@ static int fw_load(struct IR_tx *tx) /* Request codeset data file */ - ret = request_firmware(&fw_entry, "haup-ir-blaster.bin", tx->ir->l.dev); + ret = request_firmware(&fw_entry, "haup-ir-blaster.bin", tx->ir->dev); if (ret != 0) { -- dev_err(tx->ir->l.dev, +- dev_err(tx->ir->dev, - "firmware haup-ir-blaster.bin not available (%d)\n", - ret); ret = ret < 0 ? ret : -EFAULT; @@ -2029,7 +2029,7 @@ upstream submission. } --- a/drivers/staging/rtl8192u/r819xU_firmware.c +++ b/drivers/staging/rtl8192u/r819xU_firmware.c -@@ -244,10 +244,8 @@ bool init_firmware(struct net_device *de +@@ -245,10 +245,8 @@ bool init_firmware(struct net_device *de */ if (rst_opt == OPT_SYSTEM_RESET) { rc = request_firmware(&fw_entry, fw_name[init_step], &priv->udev->dev); @@ -2097,7 +2097,7 @@ upstream submission. if (!buffer) --- a/drivers/tty/cyclades.c +++ b/drivers/tty/cyclades.c -@@ -3492,10 +3492,8 @@ static int cyz_load_fw(struct pci_dev *p +@@ -3489,10 +3489,8 @@ static int cyz_load_fw(struct pci_dev *p int retval; retval = request_firmware(&fw, "cyzfirm.bin", &pdev->dev); @@ -2111,7 +2111,7 @@ upstream submission. positive, skip this board */ --- a/drivers/tty/moxa.c +++ b/drivers/tty/moxa.c -@@ -866,13 +866,8 @@ static int moxa_init_board(struct moxa_b +@@ -862,13 +862,8 @@ static int moxa_init_board(struct moxa_b } ret = request_firmware(&fw, file, dev); @@ -2128,7 +2128,7 @@ upstream submission. --- a/drivers/tty/serial/icom.c +++ b/drivers/tty/serial/icom.c -@@ -374,7 +374,6 @@ static void load_code(struct icom_port * +@@ -360,7 +360,6 @@ static void load_code(struct icom_port * /* Load Call Setup into Adapter */ if (request_firmware(&fw, "icom_call_setup.bin", &dev->dev) < 0) { 
@@ -2136,7 +2136,7 @@ upstream submission. status = -1; goto load_code_exit; } -@@ -394,7 +393,6 @@ static void load_code(struct icom_port * +@@ -380,7 +379,6 @@ static void load_code(struct icom_port * /* Load Resident DCE portion of Adapter */ if (request_firmware(&fw, "icom_res_dce.bin", &dev->dev) < 0) { @@ -2144,7 +2144,7 @@ upstream submission. status = -1; goto load_code_exit; } -@@ -439,7 +437,6 @@ static void load_code(struct icom_port * +@@ -425,7 +423,6 @@ static void load_code(struct icom_port * } if (request_firmware(&fw, "icom_asc.bin", &dev->dev) < 0) { @@ -2154,7 +2154,7 @@ upstream submission. } --- a/drivers/tty/serial/ucc_uart.c +++ b/drivers/tty/serial/ucc_uart.c -@@ -1167,10 +1167,8 @@ static void uart_firmware_cont(const str +@@ -1165,10 +1165,8 @@ static void uart_firmware_cont(const str struct device *dev = context; int ret; @@ -2168,7 +2168,7 @@ upstream submission. --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c -@@ -1088,8 +1088,6 @@ static int cxacru_find_firmware(struct c +@@ -1082,8 +1082,6 @@ static int cxacru_find_firmware(struct c return -ENOENT; } @@ -2179,7 +2179,7 @@ upstream submission. --- a/drivers/usb/atm/ueagle-atm.c +++ b/drivers/usb/atm/ueagle-atm.c -@@ -649,10 +649,8 @@ static void uea_upload_pre_firmware(cons +@@ -650,10 +650,8 @@ static void uea_upload_pre_firmware(cons int ret, size; uea_enters(usb); @@ -2191,7 +2191,7 @@ upstream submission. pfw = fw_entry->data; size = fw_entry->size; -@@ -747,10 +745,6 @@ static int uea_load_firmware(struct usb_ +@@ -748,10 +746,6 @@ static int uea_load_firmware(struct usb_ ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev, GFP_KERNEL, usb, uea_upload_pre_firmware); @@ -2202,7 +2202,7 @@ upstream submission. uea_leaves(usb); return ret; -@@ -912,12 +906,8 @@ static int request_dsp(struct uea_softc +@@ -913,12 +907,8 @@ static int request_dsp(struct uea_softc } ret = request_firmware(&sc->dsp_firm, dsp_name, &sc->usb_dev->dev); 
@@ -2216,7 +2216,7 @@ upstream submission. if (UEA_CHIP_VERSION(sc) == EAGLE_IV) ret = check_dsp_e4(sc->dsp_firm->data, sc->dsp_firm->size); -@@ -1630,12 +1620,8 @@ static int request_cmvs_old(struct uea_s +@@ -1631,12 +1621,8 @@ static int request_cmvs_old(struct uea_s cmvs_file_name(sc, cmv_name, 1); ret = request_firmware(fw, cmv_name, &sc->usb_dev->dev); @@ -2230,7 +2230,7 @@ upstream submission. data = (u8 *) (*fw)->data; size = (*fw)->size; -@@ -1672,9 +1658,6 @@ static int request_cmvs(struct uea_softc +@@ -1673,9 +1659,6 @@ static int request_cmvs(struct uea_softc "try to get older cmvs\n", cmv_name); return request_cmvs_old(sc, cmvs, fw); } @@ -2240,7 +2240,7 @@ upstream submission. return ret; } -@@ -1957,11 +1940,8 @@ static int load_XILINX_firmware(struct u +@@ -1958,11 +1941,8 @@ static int load_XILINX_firmware(struct u uea_enters(INS_TO_USBDEV(sc)); ret = request_firmware(&fw_entry, fw_name, &sc->usb_dev->dev); @@ -2255,7 +2255,7 @@ upstream submission. size = fw_entry->size; --- a/drivers/usb/misc/emi26.c +++ b/drivers/usb/misc/emi26.c -@@ -88,21 +88,17 @@ static int emi26_load_firmware (struct u +@@ -85,21 +85,17 @@ static int emi26_load_firmware (struct u err = request_ihex_firmware(&loader_fw, "emi26/loader.fw", &dev->dev); if (err) @@ -2282,7 +2282,7 @@ upstream submission. err = emi26_set_reset(dev,1); --- a/drivers/usb/misc/ezusb.c +++ b/drivers/usb/misc/ezusb.c -@@ -79,12 +79,8 @@ static int ezusb_ihex_firmware_download( +@@ -76,12 +76,8 @@ static int ezusb_ihex_firmware_download( const struct ihex_binrec *record; if (request_ihex_firmware(&firmware, firmware_path, @@ -2298,7 +2298,7 @@ upstream submission. if (ret < 0) --- a/drivers/usb/misc/isight_firmware.c +++ b/drivers/usb/misc/isight_firmware.c -@@ -48,7 +48,6 @@ static int isight_firmware_load(struct u +@@ -45,7 +45,6 @@ static int isight_firmware_load(struct u return -ENOMEM; if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) { @@ -2308,7 +2308,7 @@ upstream submission. } 
--- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c -@@ -379,11 +379,8 @@ static void update_edgeport_E2PROM(struc +@@ -375,11 +375,8 @@ static void update_edgeport_E2PROM(struc response = request_ihex_firmware(&fw, fw_name, &edge_serial->serial->dev->dev); @@ -2323,7 +2323,7 @@ upstream submission. BootMajorVersion = rec->data[0]; --- a/drivers/usb/serial/io_ti.c +++ b/drivers/usb/serial/io_ti.c -@@ -1014,8 +1014,6 @@ static int download_fw(struct edgeport_s +@@ -1010,8 +1010,6 @@ static int download_fw(struct edgeport_s status = request_firmware(&fw, fw_name, dev); if (status) { @@ -2334,7 +2334,7 @@ upstream submission. --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -1696,10 +1696,8 @@ static int ti_download_firmware(struct t +@@ -1692,10 +1692,8 @@ static int ti_download_firmware(struct t } check_firmware: @@ -2505,7 +2505,7 @@ upstream submission. if (!chip->disabled) { --- a/sound/pci/korg1212/korg1212.c +++ b/sound/pci/korg1212/korg1212.c -@@ -2350,7 +2350,6 @@ static int snd_korg1212_create(struct sn +@@ -2349,7 +2349,6 @@ static int snd_korg1212_create(struct sn err = request_firmware(&dsp_code, "korg/k1212.dsp", &pci->dev); if (err < 0) { release_firmware(dsp_code); @@ -2561,7 +2561,7 @@ upstream submission. if (err) { --- a/sound/pci/rme9652/hdsp.c +++ b/sound/pci/rme9652/hdsp.c -@@ -5136,11 +5136,8 @@ static int hdsp_request_fw_loader(struct +@@ -5132,11 +5132,8 @@ static int hdsp_request_fw_loader(struct return -EINVAL; } diff --git a/debian/patches/bugfix/all/i40e-fix-flags-declaration.patch b/debian/patches/bugfix/all/i40e-fix-flags-declaration.patch deleted file mode 100644 index 070e4074a..000000000 --- a/debian/patches/bugfix/all/i40e-fix-flags-declaration.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From: Jacob Keller
-Date: Thu, 7 Sep 2017 15:19:12 -0700
-Subject: i40e: fix flags declaration
-Origin: https://git.kernel.org/linus/b48be9978e4b21b28b7349f57574dae21378ddd5
-
-Since we don't yet have more than 32 flags, we'll use a u32 for both the
-hw_features and flag field. Should we gain more flags in the future, we
-may need to convert to a u64 or separate flags out into two fields.
-
-This was overlooked in the previous commit 2781de2134c4 ("i40e/i40evf:
-organize and re-number feature flags"), where the feature flag was not
-converted form u64 to u32.
-
-Signed-off-by: Jacob Keller
-Reviewed-by: Mitch Williams
-Tested-by: Andrew Bowers
-Signed-off-by: Jeff Kirsher
----
- drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/ethernet/intel/i40e/i40e.h
-+++ b/drivers/net/ethernet/intel/i40e/i40e.h
-@@ -422,7 +422,7 @@ struct i40e_pf {
- #define I40E_HW_PORT_ID_VALID BIT(17)
- #define I40E_HW_RESTART_AUTONEG BIT(18)
-
-- u64 flags;
-+ u32 flags;
- #define I40E_FLAG_RX_CSUM_ENABLED BIT(0)
- #define I40E_FLAG_MSI_ENABLED BIT(1)
- #define I40E_FLAG_MSIX_ENABLED BIT(2)
diff --git a/debian/patches/bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch b/debian/patches/bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch
deleted file mode 100644
index d7477b672..000000000
--- a/debian/patches/bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From: Jacob Keller
-Date: Fri, 1 Sep 2017 13:54:07 -0700
-Subject: i40e/i40evf: organize and re-number feature flags
-Origin: https://git.kernel.org/linus/b74f571f59a8a3dae998e3b95e0f88fac39bfef3
-
-Now that we've reduced the number of flags, organize similar flags
-together and re-number them accordingly.
-
-Since we don't yet have more than 32 flags, we'll use a u32 for both the
-hw_features and flag field. Should we gain more flags in the future, we
-may need to convert to a u64 or separate flags out into two fields.
-
-One alternative approach considered, but not implemented here, was to
-use an enumeration for the flag variables, and create a macro
-I40E_FLAG() which used string concatenation to generate BIT_ULL values.
-This has the advantage of making the actual bit values compile-time
-dynamic so that we do not need to worry about matching the order to the
-bit value. However, this does produce a high level of code churn, and
-makes it more difficult to read a dumped flags value when debugging.
-
-Change-ID: I8653fff69453cd547d6fe98d29dfa9d8710387d1
-Signed-off-by: Jacob Keller
-Reviewed-by: Mitch Williams
-Tested-by: Andrew Bowers
-Signed-off-by: Jeff Kirsher
-[bwh: Backported to 4.14: leave out I40E_FLAG_LINK_DOWN_ON_CLOSE_ENABLED,
- I40E_FLAG_SOURCE_PRUNING_DISABLED, I40EVF_FLAG_REINIT_ITR_NEEDED]
----
- drivers/net/ethernet/intel/i40e/i40e.h | 98 +++++++++++++-------------
- drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 6 +-
- drivers/net/ethernet/intel/i40evf/i40evf.h | 32 ++++-----
- 3 files changed, 68 insertions(+), 68 deletions(-)
-
---- a/drivers/net/ethernet/intel/i40e/i40e.h
-+++ b/drivers/net/ethernet/intel/i40e/i40e.h
-@@ -401,55 +401,55 @@ struct i40e_pf {
- struct timer_list service_timer;
- struct work_struct service_task;
-
-- u64 hw_features;
--#define I40E_HW_RSS_AQ_CAPABLE BIT_ULL(0)
--#define I40E_HW_128_QP_RSS_CAPABLE BIT_ULL(1)
--#define I40E_HW_ATR_EVICT_CAPABLE BIT_ULL(2)
--#define I40E_HW_WB_ON_ITR_CAPABLE BIT_ULL(3)
--#define I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE BIT_ULL(4)
--#define I40E_HW_NO_PCI_LINK_CHECK BIT_ULL(5)
--#define I40E_HW_100M_SGMII_CAPABLE BIT_ULL(6)
--#define I40E_HW_NO_DCB_SUPPORT BIT_ULL(7)
--#define I40E_HW_USE_SET_LLDP_MIB BIT_ULL(8)
--#define I40E_HW_GENEVE_OFFLOAD_CAPABLE BIT_ULL(9)
--#define I40E_HW_PTP_L4_CAPABLE BIT_ULL(10)
--#define I40E_HW_WOL_MC_MAGIC_PKT_WAKE BIT_ULL(11)
--#define I40E_HW_MPLS_HDR_OFFLOAD_CAPABLE BIT_ULL(12)
--#define I40E_HW_HAVE_CRT_RETIMER BIT_ULL(13)
--#define I40E_HW_OUTER_UDP_CSUM_CAPABLE BIT_ULL(14)
--#define I40E_HW_PHY_CONTROLS_LEDS BIT_ULL(15)
--#define I40E_HW_STOP_FW_LLDP BIT_ULL(16)
--#define I40E_HW_PORT_ID_VALID BIT_ULL(17)
--#define I40E_HW_RESTART_AUTONEG BIT_ULL(18)
-+ u32 hw_features;
-+#define I40E_HW_RSS_AQ_CAPABLE BIT(0)
-+#define I40E_HW_128_QP_RSS_CAPABLE BIT(1)
-+#define I40E_HW_ATR_EVICT_CAPABLE BIT(2)
-+#define I40E_HW_WB_ON_ITR_CAPABLE BIT(3)
-+#define I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE BIT(4)
-+#define I40E_HW_NO_PCI_LINK_CHECK BIT(5)
-+#define I40E_HW_100M_SGMII_CAPABLE BIT(6)
-+#define I40E_HW_NO_DCB_SUPPORT BIT(7)
-+#define I40E_HW_USE_SET_LLDP_MIB BIT(8)
-+#define I40E_HW_GENEVE_OFFLOAD_CAPABLE BIT(9)
-+#define I40E_HW_PTP_L4_CAPABLE BIT(10)
-+#define I40E_HW_WOL_MC_MAGIC_PKT_WAKE BIT(11)
-+#define I40E_HW_MPLS_HDR_OFFLOAD_CAPABLE BIT(12)
-+#define I40E_HW_HAVE_CRT_RETIMER BIT(13)
-+#define I40E_HW_OUTER_UDP_CSUM_CAPABLE BIT(14)
-+#define I40E_HW_PHY_CONTROLS_LEDS BIT(15)
-+#define I40E_HW_STOP_FW_LLDP BIT(16)
-+#define I40E_HW_PORT_ID_VALID BIT(17)
-+#define I40E_HW_RESTART_AUTONEG BIT(18)
-
- u64 flags;
--#define I40E_FLAG_RX_CSUM_ENABLED BIT_ULL(1)
--#define I40E_FLAG_MSI_ENABLED BIT_ULL(2)
--#define I40E_FLAG_MSIX_ENABLED BIT_ULL(3)
--#define I40E_FLAG_HW_ATR_EVICT_ENABLED BIT_ULL(4)
--#define I40E_FLAG_RSS_ENABLED BIT_ULL(6)
--#define I40E_FLAG_VMDQ_ENABLED BIT_ULL(7)
--#define I40E_FLAG_IWARP_ENABLED BIT_ULL(10)
--#define I40E_FLAG_FILTER_SYNC BIT_ULL(15)
--#define I40E_FLAG_SERVICE_CLIENT_REQUESTED BIT_ULL(16)
--#define I40E_FLAG_SRIOV_ENABLED BIT_ULL(19)
--#define I40E_FLAG_DCB_ENABLED BIT_ULL(20)
--#define I40E_FLAG_FD_SB_ENABLED BIT_ULL(21)
--#define I40E_FLAG_FD_ATR_ENABLED BIT_ULL(22)
--#define I40E_FLAG_FD_SB_AUTO_DISABLED BIT_ULL(23)
--#define I40E_FLAG_FD_ATR_AUTO_DISABLED BIT_ULL(24)
--#define I40E_FLAG_PTP BIT_ULL(25)
--#define I40E_FLAG_MFP_ENABLED BIT_ULL(26)
--#define I40E_FLAG_UDP_FILTER_SYNC BIT_ULL(27)
--#define I40E_FLAG_DCB_CAPABLE BIT_ULL(29)
--#define I40E_FLAG_VEB_STATS_ENABLED BIT_ULL(37)
--#define I40E_FLAG_LINK_POLLING_ENABLED BIT_ULL(39)
--#define I40E_FLAG_VEB_MODE_ENABLED BIT_ULL(40)
--#define I40E_FLAG_TRUE_PROMISC_SUPPORT BIT_ULL(51)
--#define I40E_FLAG_CLIENT_RESET BIT_ULL(54)
--#define I40E_FLAG_TEMP_LINK_POLLING BIT_ULL(55)
--#define I40E_FLAG_CLIENT_L2_CHANGE BIT_ULL(56)
--#define I40E_FLAG_LEGACY_RX BIT_ULL(58)
-+#define I40E_FLAG_RX_CSUM_ENABLED BIT(0)
-+#define I40E_FLAG_MSI_ENABLED BIT(1)
-+#define I40E_FLAG_MSIX_ENABLED BIT(2)
-+#define I40E_FLAG_RSS_ENABLED BIT(3)
-+#define I40E_FLAG_VMDQ_ENABLED BIT(4)
-+#define I40E_FLAG_FILTER_SYNC BIT(5)
-+#define I40E_FLAG_SRIOV_ENABLED BIT(6)
-+#define I40E_FLAG_DCB_CAPABLE BIT(7)
-+#define I40E_FLAG_DCB_ENABLED BIT(8)
-+#define I40E_FLAG_FD_SB_ENABLED BIT(9)
-+#define I40E_FLAG_FD_ATR_ENABLED BIT(10)
-+#define I40E_FLAG_FD_SB_AUTO_DISABLED BIT(11)
-+#define I40E_FLAG_FD_ATR_AUTO_DISABLED BIT(12)
-+#define I40E_FLAG_MFP_ENABLED BIT(13)
-+#define I40E_FLAG_UDP_FILTER_SYNC BIT(14)
-+#define I40E_FLAG_HW_ATR_EVICT_ENABLED BIT(15)
-+#define I40E_FLAG_VEB_MODE_ENABLED BIT(16)
-+#define I40E_FLAG_VEB_STATS_ENABLED BIT(17)
-+#define I40E_FLAG_LINK_POLLING_ENABLED BIT(18)
-+#define I40E_FLAG_TRUE_PROMISC_SUPPORT BIT(19)
-+#define I40E_FLAG_TEMP_LINK_POLLING BIT(20)
-+#define I40E_FLAG_LEGACY_RX BIT(21)
-+#define I40E_FLAG_PTP BIT(22)
-+#define I40E_FLAG_IWARP_ENABLED BIT(23)
-+#define I40E_FLAG_SERVICE_CLIENT_REQUESTED BIT(24)
-+#define I40E_FLAG_CLIENT_L2_CHANGE BIT(25)
-+#define I40E_FLAG_CLIENT_RESET BIT(26)
-
- struct i40e_client_instance *cinst;
- bool stat_offsets_loaded;
---- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
-+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
-@@ -4090,7 +4090,7 @@ static int i40e_set_priv_flags(struct ne
- struct i40e_netdev_priv *np = netdev_priv(dev);
- struct i40e_vsi *vsi = np->vsi;
- struct i40e_pf *pf = vsi->back;
-- u64 orig_flags, new_flags, changed_flags;
-+ u32 orig_flags, new_flags, changed_flags;
- u32 i, j;
-
- orig_flags = READ_ONCE(pf->flags);
-@@ -4142,12 +4142,12 @@ flags_complete:
- return -EOPNOTSUPP;
-
- /* Compare and exchange the new flags into place. If we failed, that
-- * is if cmpxchg64 returns anything but the old value, this means that
-+ * is if cmpxchg returns anything but the old value, this means that
- * something else has modified the flags variable since we copied it
- * originally. We'll just punt with an error and log something in the
- * message buffer.
- */
-- if (cmpxchg64(&pf->flags, orig_flags, new_flags) != orig_flags) {
-+ if (cmpxchg(&pf->flags, orig_flags, new_flags) != orig_flags) {
- dev_warn(&pf->pdev->dev,
- "Unable to update pf->flags as it was modified by another thread...\n");
- return -EAGAIN;
---- a/drivers/net/ethernet/intel/i40evf/i40evf.h
-+++ b/drivers/net/ethernet/intel/i40evf/i40evf.h
-@@ -220,21 +220,21 @@ struct i40evf_adapter {
-
- u32 flags;
- #define I40EVF_FLAG_RX_CSUM_ENABLED BIT(0)
--#define I40EVF_FLAG_IMIR_ENABLED BIT(5)
--#define I40EVF_FLAG_MQ_CAPABLE BIT(6)
--#define I40EVF_FLAG_PF_COMMS_FAILED BIT(8)
--#define I40EVF_FLAG_RESET_PENDING BIT(9)
--#define I40EVF_FLAG_RESET_NEEDED BIT(10)
--#define I40EVF_FLAG_WB_ON_ITR_CAPABLE BIT(11)
--#define I40EVF_FLAG_OUTER_UDP_CSUM_CAPABLE BIT(12)
--#define I40EVF_FLAG_ADDR_SET_BY_PF BIT(13)
--#define I40EVF_FLAG_SERVICE_CLIENT_REQUESTED BIT(14)
--#define I40EVF_FLAG_CLIENT_NEEDS_OPEN BIT(15)
--#define I40EVF_FLAG_CLIENT_NEEDS_CLOSE BIT(16)
--#define I40EVF_FLAG_CLIENT_NEEDS_L2_PARAMS BIT(17)
--#define I40EVF_FLAG_PROMISC_ON BIT(18)
--#define I40EVF_FLAG_ALLMULTI_ON BIT(19)
--#define I40EVF_FLAG_LEGACY_RX BIT(20)
-+#define I40EVF_FLAG_IMIR_ENABLED BIT(1)
-+#define I40EVF_FLAG_MQ_CAPABLE BIT(2)
-+#define I40EVF_FLAG_PF_COMMS_FAILED BIT(3)
-+#define I40EVF_FLAG_RESET_PENDING BIT(4)
-+#define I40EVF_FLAG_RESET_NEEDED BIT(5)
-+#define I40EVF_FLAG_WB_ON_ITR_CAPABLE BIT(6)
-+#define I40EVF_FLAG_OUTER_UDP_CSUM_CAPABLE BIT(7)
-+#define I40EVF_FLAG_ADDR_SET_BY_PF BIT(8)
-+#define I40EVF_FLAG_SERVICE_CLIENT_REQUESTED BIT(9)
-+#define I40EVF_FLAG_CLIENT_NEEDS_OPEN BIT(10)
-+#define I40EVF_FLAG_CLIENT_NEEDS_CLOSE BIT(11)
-+#define I40EVF_FLAG_CLIENT_NEEDS_L2_PARAMS BIT(12)
-+#define I40EVF_FLAG_PROMISC_ON BIT(13)
-+#define I40EVF_FLAG_ALLMULTI_ON BIT(14)
-+#define I40EVF_FLAG_LEGACY_RX BIT(15)
- /* duplicates for common code */
- #define I40E_FLAG_DCB_ENABLED 0
- #define I40E_FLAG_RX_CSUM_ENABLED I40EVF_FLAG_RX_CSUM_ENABLED
diff --git a/debian/patches/bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch b/debian/patches/bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch index 28b8767fe..4e98a7bda 100644 --- a/debian/patches/bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch +++ b/debian/patches/bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch @@ -22,7 +22,7 @@ Signed-off-by: Ben Hutchings --- --- a/scripts/Kbuild.include +++ b/scripts/Kbuild.include -@@ -121,7 +121,7 @@ CC_OPTION_CFLAGS = $(filter-out $(GCC_PL +@@ -194,7 +194,7 @@ CC_OPTION_CFLAGS = $(filter-out $(GCC_PL # Usage: cflags-y += $(call cc-option,-march=winchip-c6,-march=i586) cc-option = $(call __cc-option, $(CC),\ @@ -31,47 +31,47 @@ 
Signed-off-by: Ben Hutchings # hostcc-option # Usage: cflags-y += $(call hostcc-option,-march=winchip-c6,-march=i586) -@@ -131,23 +131,24 @@ hostcc-option = $(call __cc-option, $(HO +@@ -204,23 +204,24 @@ hostcc-option = $(call __cc-option, $(HO # cc-option-yn # Usage: flag := $(call cc-option-yn,-march=winchip-c6) - cc-option-yn = $(call try-run,\ + cc-option-yn = $(call try-run-cached,\ - $(CC) -Werror $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",y,n) + $(CC) -Werror $(NOSTDINC_FLAGS) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",y,n) # cc-disable-warning # Usage: cflags-y += $(call cc-disable-warning,unused-but-set-variable) - cc-disable-warning = $(call try-run,\ + cc-disable-warning = $(call try-run-cached,\ - $(CC) -Werror $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1))) + $(CC) -Werror $(NOSTDINC_FLAGS) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1))) # cc-name # Expands to either gcc or clang - cc-name = $(shell $(CC) -v 2>&1 | grep -q "clang version" && echo clang || echo gcc) + cc-name = $(call shell-cached,$(CC) -v 2>&1 | grep -q "clang version" && echo clang || echo gcc) # cc-version --cc-version = $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-version.sh $(CC)) -+cc-version = $(shell $(CONFIG_SHELL) \ +-cc-version = $(call shell-cached,$(CONFIG_SHELL) $(srctree)/scripts/gcc-version.sh $(CC)) ++cc-version = $(call shell-cached,$(CONFIG_SHELL) \ + $(srctree)/scripts/gcc-version.sh $(CC) $(NOSTDINC_FLAGS)) # cc-fullversion - cc-fullversion = $(shell $(CONFIG_SHELL) \ + cc-fullversion = $(call shell-cached,$(CONFIG_SHELL) \ - $(srctree)/scripts/gcc-version.sh -p $(CC)) + $(srctree)/scripts/gcc-version.sh -p $(CC) $(NOSTDINC_FLAGS)) # cc-ifversion # Usage: EXTRA_CFLAGS += $(call cc-ifversion, -lt, 0402, -O1) -@@ -165,7 +166,7 @@ cc-ldoption = $(call try-run,\ +@@ -238,7 +239,7 @@ cc-ldoption = 
$(call try-run-cached,\ # ld-option # Usage: LDFLAGS += $(call ld-option, -X) - ld-option = $(call try-run,\ -- $(CC) -x c /dev/null -c -o "$$TMPO" ; $(LD) $(1) "$$TMPO" -o "$$TMP",$(1),$(2)) -+ $(CC) $(NOSTDINC_FLAGS) -x c /dev/null -c -o "$$TMPO" ; $(LD) $(1) "$$TMPO" -o "$$TMP",$(1),$(2)) + ld-option = $(call try-run-cached,\ +- $(CC) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -x c /dev/null -c -o "$$TMPO"; \ ++ $(CC) $(NOSTDINC_FLAGS) $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -x c /dev/null -c -o "$$TMPO"; \ + $(LD) $(LDFLAGS) $(1) "$$TMPO" -o "$$TMP",$(1),$(2)) # ar-option - # Usage: KBUILD_ARFLAGS := $(call ar-option,D) --- a/Makefile +++ b/Makefile -@@ -650,6 +650,8 @@ endif +@@ -667,6 +667,8 @@ endif KBUILD_CFLAGS += $(call cc-ifversion, -lt, 0409, \ $(call cc-disable-warning,maybe-uninitialized,)) @@ -80,12 +80,12 @@ Signed-off-by: Ben Hutchings # Tell gcc to never replace conditional load with a non-conditional one KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) -@@ -790,7 +792,7 @@ KBUILD_CFLAGS += $(call cc-option,-fdata +@@ -776,7 +778,7 @@ KBUILD_CFLAGS += $(call cc-option,-fdata endif # arch Makefile may override CC so keep this after arch Makefile is included --NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include) -+NOSTDINC_FLAGS += -isystem $(shell $(CC) -print-file-name=include) +-NOSTDINC_FLAGS += -nostdinc -isystem $(call shell-cached,$(CC) -print-file-name=include) ++NOSTDINC_FLAGS += -isystem $(call shell-cached,$(CC) -print-file-name=include) CHECKFLAGS += $(NOSTDINC_FLAGS) # warn about C99 declaration after statement diff --git a/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch deleted file mode 100644 index c460e89c5..000000000 --- a/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch +++ /dev/null 
@@ -1,153 +0,0 @@
-From: Wanpeng Li
-Date: Thu, 14 Dec 2017 17:40:50 -0800
-Subject: KVM: Fix stack-out-of-bounds read in write_mmio
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit?id=e39d200fa5bf5b94a0948db0dae44c1b73b84a56
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17741
-
-Reported by syzkaller:
-
- BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
- Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
-
- CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
- Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
- Call Trace:
- dump_stack+0xab/0xe1
- print_address_description+0x6b/0x290
- kasan_report+0x28a/0x370
- write_mmio+0x11e/0x270 [kvm]
- emulator_read_write_onepage+0x311/0x600 [kvm]
- emulator_read_write+0xef/0x240 [kvm]
- emulator_fix_hypercall+0x105/0x150 [kvm]
- em_hypercall+0x2b/0x80 [kvm]
- x86_emulate_insn+0x2b1/0x1640 [kvm]
- x86_emulate_instruction+0x39a/0xb90 [kvm]
- handle_exception+0x1b4/0x4d0 [kvm_intel]
- vcpu_enter_guest+0x15a0/0x2640 [kvm]
- kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
- kvm_vcpu_ioctl+0x479/0x880 [kvm]
- do_vfs_ioctl+0x142/0x9a0
- SyS_ioctl+0x74/0x80
- entry_SYSCALL_64_fastpath+0x23/0x9a
-
-The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
-to the guest memory, however, write_mmio tracepoint always prints 8 bytes
-through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
-leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
-it by just accessing the bytes which we operate on.
-
-Before patch:
-
-syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
-
-After patch:
-
-syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
-
-Reported-by: Dmitry Vyukov
-Reviewed-by: Darren Kenny
-Reviewed-by: Marc Zyngier
-Tested-by: Marc Zyngier
-Cc: Paolo Bonzini
-Cc: Radim Krčmář
-Cc: Marc Zyngier
-Cc: Christoffer Dall
-Signed-off-by: Wanpeng Li
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/x86.c | 8 ++++----
- include/trace/events/kvm.h | 7 +++++--
- virt/kvm/arm/mmio.c | 6 +++---
- 3 files changed, 12 insertions(+), 9 deletions(-)
-
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4362,7 +4362,7 @@ static int vcpu_mmio_read(struct kvm_vcp
- addr, n, v))
- && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
- break;
-- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
- handled += n;
- addr += n;
- len -= n;
-@@ -4621,7 +4621,7 @@ static int read_prepare(struct kvm_vcpu
- {
- if (vcpu->mmio_read_completed) {
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
-- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
-+ vcpu->mmio_fragments[0].gpa, val);
- vcpu->mmio_read_completed = 0;
- return 1;
- }
-@@ -4643,14 +4643,14 @@ static int write_emulate(struct kvm_vcpu
-
- static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
- {
-- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
- return vcpu_mmio_write(vcpu, gpa, bytes, val);
- }
-
- static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
- void *val, int bytes)
- {
-- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
- return X86EMUL_IO_NEEDED;
- }
-
---- a/include/trace/events/kvm.h
-+++ b/include/trace/events/kvm.h
-@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
- { KVM_TRACE_MMIO_WRITE, "write" }
-
- TRACE_EVENT(kvm_mmio,
-- TP_PROTO(int type, int len, u64 gpa, u64 val),
-+ TP_PROTO(int type, int len, u64 gpa, void *val),
- TP_ARGS(type, len, gpa, val),
-
- TP_STRUCT__entry(
-@@ -225,7 +225,10 @@ TRACE_EVENT(kvm_mmio,
- __entry->type = type;
- __entry->len = len;
- __entry->gpa = gpa;
-- __entry->val = val;
-+ __entry->val = 0;
-+ if (val)
-+ memcpy(&__entry->val, val,
-+ min_t(u32, sizeof(__entry->val), len));
- ),
-
- TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
---- a/virt/kvm/arm/mmio.c
-+++ b/virt/kvm/arm/mmio.c
-@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vc
- }
-
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
-- data);
-+ &data);
- data = vcpu_data_host_to_guest(vcpu, data, len);
- vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
- }
-@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
- data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
- len);
-
-- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
-+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
- kvm_mmio_write_buf(data_buf, len, data);
-
- ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
- data_buf);
- } else {
- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
-- fault_ipa, 0);
-+ fault_ipa, NULL);
-
- ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
- data_buf);
diff --git a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
deleted file mode 100644
index 23ec66984..000000000
--- a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: Mohamed Ghannam
-Date: Sun, 10 Dec 2017 03:50:58 +0000
-Subject: net: ipv4: fix for a race condition in raw_sendmsg
-Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
-Signed-off-by: Mohamed Ghannam
-Reviewed-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- net/ipv4/raw.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk,
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0xFFFF)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
- * Check the flags.
- */
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk,
- /* Linux does not mangle headers on raw sockets,
- * so that IP options + IP_HDRINCL is non-sense.
- */
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk,
-
- flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
- RT_SCOPE_UNIVERSE,
-- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
- inet_sk_flowi_flags(sk) |
-- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
-+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk,
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
deleted file mode 100644
index effd6591c..000000000
--- a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Kevin Cernekee
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
-Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- $ nfct helper list
- nfct v1.4.4: netlink error: Operation not permitted
- $ vpnns -- nfct helper list
- {
- .name = ftp,
- .queuenum = 0,
- .l3protonum = 2,
- .l4protonum = 6,
- .priv_data_len = 24,
- .status = enabled,
- };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee
-Signed-off-by: Pablo Neira Ayuso
----
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
-
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net
- struct nfnl_cthelper *nlcth;
- int ret = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- return -EINVAL;
-
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net
- struct nfnl_cthelper *nlcth;
- bool tuple_set = false;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (nlh->nlmsg_flags & NLM_F_DUMP) {
- struct netlink_dump_control c = {
- .dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net
- struct nfnl_cthelper *nlcth, *n;
- int j = 0, ret;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (tb[NFCTH_NAME])
- helper_name = nla_data(tb[NFCTH_NAME]);
-
diff --git a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
deleted file mode 100644
index fcaacd725..000000000
--- a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Kevin Cernekee
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: netfilter: xt_osf: Add missing permission checks
-Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- vpnns -- nfnl_osf -f /tmp/pf.os
-
- vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list. Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee
-Signed-off-by: Pablo Neira Ayuso
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include
- #include
-
-+#include
- #include
- #include
- #include
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne
- struct xt_osf_finger *kf = NULL, *sf;
- int err = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct
- struct xt_osf_finger *sf;
- int err = -ENOENT;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
diff --git a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
deleted file mode 100644
index d037380e2..000000000
--- a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Kevin Cernekee
-Date: Wed, 6 Dec 2017 12:12:27 -0800
-Subject: netlink: Add netns check on taps
-Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
-
-Currently, a nlmon link inside a child namespace can observe systemwide
-netlink activity. Filter the traffic so that nlmon can only sniff
-netlink messages from its own netns.
-
-Test case:
-
- vpnns -- bash -c "ip link add nlmon0 type nlmon; \
- ip link set nlmon0 up; \
- tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
- sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
- spi 0x1 mode transport \
- auth sha1 0x6162633132330000000000000000000000000000 \
- enc aes 0x00000000000000000000000000000000
- grep --binary abc123 /tmp/nlmon.pcap
-
-Signed-off-by: Kevin Cernekee
-Signed-off-by: David S. Miller
----
- net/netlink/af_netlink.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str
- struct sock *sk = skb->sk;
- int ret = -ENOMEM;
-
-+ if (!net_eq(dev_net(dev), sock_net(sk)))
-+ return 0;
-+
- dev_hold(dev);
-
- if (is_vmalloc_addr(skb->head))
diff --git a/debian/patches/bugfix/all/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch b/debian/patches/bugfix/all/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
index f213371f7..420deae30 100644
--- a/debian/patches/bugfix/all/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
+++ b/debian/patches/bugfix/all/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
@@ -26,16 +26,16 @@ missing, except for the pre-R600 case. --- --- a/drivers/gpu/drm/radeon/radeon_drv.c +++ b/drivers/gpu/drm/radeon/radeon_drv.c -@@ -44,6 +44,8 @@ +@@ -43,6 +43,8 @@ + #include #include - #include "radeon_kfd.h" +#include +#include /* * KMS wrapper. -@@ -312,6 +314,29 @@ static struct drm_driver kms_driver; +@@ -311,6 +313,29 @@ static struct drm_driver kms_driver; bool radeon_device_is_virtual(void); @@ -65,7 +65,7 @@ missing, except for the pre-R600 case. static int radeon_kick_out_firmware_fb(struct pci_dev *pdev) { struct apertures_struct *ap; -@@ -349,6 +374,12 @@ static int radeon_pci_probe(struct pci_d +@@ -340,6 +365,12 @@ static int radeon_pci_probe(struct pci_d if (vga_switcheroo_client_probe_defer(pdev)) return -EPROBE_DEFER; diff --git a/debian/patches/bugfix/all/tools-lib-lockdep-define-pr_cont.patch b/debian/patches/bugfix/all/tools-lib-lockdep-define-pr_cont.patch deleted file mode 100644 index 2975cfae9..000000000 --- a/debian/patches/bugfix/all/tools-lib-lockdep-define-pr_cont.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Ben Hutchings -Date: Sun, 01 Oct 2017 15:39:34 +0100 -Subject: tools/lib/lockdep: Define pr_cont() - -lockdep.c now also uses pr_cont(), so we need to implement it in -liblockdep. - -It is currently always used to continue warning lines, so define -pr_cont() the same as pr_warn(). If this changes, we might need to -record the last log level in a TLS variable and have pr_cont() check -that. - -Signed-off-by: Ben Hutchings ---- ---- a/tools/include/linux/lockdep.h -+++ b/tools/include/linux/lockdep.h -@@ -47,6 +47,8 @@ static inline int debug_locks_off(void) - #define printk(...) dprintf(STDOUT_FILENO, __VA_ARGS__) - #define pr_err(format, ...) fprintf (stderr, format, ## __VA_ARGS__) - #define pr_warn pr_err -+/* XXX we assume pr_cont() is only used for warnings */ -+#define pr_cont pr_warn - - #define list_del_rcu list_del - 
diff --git a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
deleted file mode 100644
index 13e050e03..000000000
--- a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Alan Stern
-Date: Tue, 12 Dec 2017 14:25:13 -0500
-Subject: USB: core: prevent malicious bNumInterfaces overflow
-Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558
-
-A malicious USB device with crafted descriptors can cause the kernel
-to access unallocated memory by setting the bNumInterfaces value too
-high in a configuration descriptor. Although the value is adjusted
-during parsing, this adjustment is skipped in one of the error return
-paths.
-
-This patch prevents the problem by setting bNumInterfaces to 0
-initially. The existing code already sets it to the proper value
-after parsing is complete.
-
-Signed-off-by: Alan Stern
-Reported-by: Andrey Konovalov
-CC:
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/usb/core/config.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
- unsigned iad_num = 0;
-
- memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
-+ nintf = nintf_orig = config->desc.bNumInterfaces;
-+ config->desc.bNumInterfaces = 0; // Adjusted later
-+
- if (config->desc.bDescriptorType != USB_DT_CONFIG ||
- config->desc.bLength < USB_DT_CONFIG_SIZE ||
- config->desc.bLength > size) {
-@@ -568,7 +571,6 @@ static int usb_parse_configuration(struc
- buffer += config->desc.bLength;
- size -= config->desc.bLength;
-
-- nintf = nintf_orig = config->desc.bNumInterfaces;
- if (nintf > USB_MAXINTERFACES) {
- dev_warn(ddev, "config %d has too many interfaces: %d, "
- "using maximum allowed: %d\n",
diff --git a/debian/patches/bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch b/debian/patches/bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch
deleted file mode 100644
index b5382d09f..000000000
--- a/debian/patches/bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From: Dongli Zhang
-Date: Wed, 1 Nov 2017 09:46:33 +0800
-Subject: xen/time: do not decrease steal time after live migration on xen
-Origin: https://git.kernel.org/linus/5e25f5db6abb96ca8ee2aaedcb863daa6dfcc07a
-Bug-Debian: https://bugs.debian.org/871608
-
-After guest live migration on xen, steal time in /proc/stat
-(cpustat[CPUTIME_STEAL]) might decrease because steal returned by
-xen_steal_lock() might be less than this_rq()->prev_steal_time which is
-derived from previous return value of xen_steal_clock().
-
-For instance, steal time of each vcpu is 335 before live migration.
-
-cpu 198 0 368 200064 1962 0 0 1340 0 0
-cpu0 38 0 81 50063 492 0 0 335 0 0
-cpu1 65 0 97 49763 634 0 0 335 0 0
-cpu2 38 0 81 50098 462 0 0 335 0 0
-cpu3 56 0 107 50138 374 0 0 335 0 0
-
-After live migration, steal time is reduced to 312.
-
-cpu 200 0 370 200330 1971 0 0 1248 0 0
-cpu0 38 0 82 50123 500 0 0 312 0 0
-cpu1 65 0 97 49832 634 0 0 312 0 0
-cpu2 39 0 82 50167 462 0 0 312 0 0
-cpu3 56 0 107 50207 374 0 0 312 0 0
-
-Since runstate times are cumulative and cleared during xen live migration
-by xen hypervisor, the idea of this patch is to accumulate runstate times
-to global percpu variables before live migration suspend. Once guest VM is
-resumed, xen_get_runstate_snapshot_cpu() would always return the sum of new
-runstate times and previously accumulated times stored in global percpu
-variables.
-
-Comment above HYPERVISOR_suspend() has been removed as it is inaccurate:
-the call can return an error code (e.g., possibly -EPERM in the future).
-
-Similar and more severe issue would impact prior linux 4.8-4.10 as
-discussed by Michael Las at
-https://0xstubs.org/debugging-a-flaky-cpu-steal-time-counter-on-a-paravirtualized-xen-guest,
-which would overflow steal time and lead to 100% st usage in top command
-for linux 4.8-4.10. A backport of this patch would fix that issue.
-
-[boris: added linux/slab.h to driver/xen/time.c, slightly reformatted
- commit message]
-
-References: https://0xstubs.org/debugging-a-flaky-cpu-steal-time-counter-on-a-paravirtualized-xen-guest
-Signed-off-by: Dongli Zhang
-Reviewed-by: Boris Ostrovsky
-Signed-off-by: Boris Ostrovsky
----
- drivers/xen/manage.c | 7 ++---
- drivers/xen/time.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++--
- include/xen/xen-ops.h | 1 +
- 3 files changed, 73 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c
-index c425d03d37d2..8835065029d3 100644
---- a/drivers/xen/manage.c
-+++ b/drivers/xen/manage.c
-@@ -72,18 +72,15 @@ static int xen_suspend(void *data)
- }
-
- gnttab_suspend();
-+ xen_manage_runstate_time(-1);
- xen_arch_pre_suspend();
-
-- /*
-- * This hypercall returns 1 if suspend was cancelled
-- * or the domain was merely checkpointed, and 0 if it
-- * is resuming in a new domain.
-- */
- si->cancelled = HYPERVISOR_suspend(xen_pv_domain()
- ? virt_to_gfn(xen_start_info)
- : 0);
-
- xen_arch_post_suspend(si->cancelled);
-+ xen_manage_runstate_time(si->cancelled ? 1 : 0);
- gnttab_resume();
-
- if (!si->cancelled) {
-diff --git a/drivers/xen/time.c b/drivers/xen/time.c
-index ac5f23fcafc2..8c46f555d82a 100644
---- a/drivers/xen/time.c
-+++ b/drivers/xen/time.c
-@@ -5,6 +5,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -19,6 +20,8 @@
- /* runstate info updated by Xen */
- static DEFINE_PER_CPU(struct vcpu_runstate_info, xen_runstate);
-
-+static DEFINE_PER_CPU(u64[4], old_runstate_time);
-+
- /* return an consistent snapshot of 64-bit time/counter value */
- static u64 get64(const u64 *p)
- {
-@@ -47,8 +50,8 @@ static u64 get64(const u64 *p)
- return ret;
- }
-
--static void xen_get_runstate_snapshot_cpu(struct vcpu_runstate_info *res,
-- unsigned int cpu)
-+static void xen_get_runstate_snapshot_cpu_delta(
-+ struct vcpu_runstate_info *res, unsigned int cpu)
- {
- u64 state_time;
- struct vcpu_runstate_info *state;
-@@ -66,6 +69,71 @@ static void xen_get_runstate_snapshot_cpu(struct vcpu_runstate_info *res,
- (state_time & XEN_RUNSTATE_UPDATE));
- }
-
-+static void xen_get_runstate_snapshot_cpu(struct vcpu_runstate_info *res,
-+ unsigned int cpu)
-+{
-+ int i;
-+
-+ xen_get_runstate_snapshot_cpu_delta(res, cpu);
-+
-+ for (i = 0; i < 4; i++)
-+ res->time[i] += per_cpu(old_runstate_time, cpu)[i];
-+}
-+
-+void xen_manage_runstate_time(int action)
-+{
-+ static struct vcpu_runstate_info *runstate_delta;
-+ struct vcpu_runstate_info state;
-+ int cpu, i;
-+
-+ switch (action) {
-+ case -1: /* backup runstate time before suspend */
-+ if (unlikely(runstate_delta))
-+ pr_warn_once("%s: memory leak as runstate_delta is not NULL\n",
-+ __func__);
-+
-+ runstate_delta = kmalloc_array(num_possible_cpus(),
-+ sizeof(*runstate_delta),
-+ GFP_ATOMIC);
-+ if (unlikely(!runstate_delta)) {
-+ pr_warn("%s: failed to allocate runstate_delta\n",
-+ __func__);
-+ return;
-+ }
-+
-+ for_each_possible_cpu(cpu) {
-+ xen_get_runstate_snapshot_cpu_delta(&state, cpu);
-+ memcpy(runstate_delta[cpu].time, state.time,
-+ sizeof(runstate_delta[cpu].time));
-+ }
-+
-+ break;
-+
-+ case 0: /* backup runstate time after resume */
-+ if (unlikely(!runstate_delta)) {
-+ pr_warn("%s: cannot accumulate runstate time as runstate_delta is NULL\n",
-+ __func__);
-+ return;
-+ }
-+
-+ for_each_possible_cpu(cpu) {
-+ for (i = 0; i < 4; i++)
-+ per_cpu(old_runstate_time, cpu)[i] +=
-+ runstate_delta[cpu].time[i];
-+ }
-+
-+ break;
-+
-+ default: /* do not accumulate runstate time for checkpointing */
-+ break;
-+ }
-+
-+ if (action != -1 && runstate_delta) {
-+ kfree(runstate_delta);
-+ runstate_delta = NULL;
-+ }
-+}
-+
- /*
- * Runstate accounting
- */
-diff --git a/include/xen/xen-ops.h b/include/xen/xen-ops.h
-index 218e6aae5433..09072271f122 100644
---- a/include/xen/xen-ops.h
-+++ b/include/xen/xen-ops.h
-@@ -32,6 +32,7 @@ void xen_resume_notifier_unregister(struct notifier_block *nb);
- bool xen_vcpu_stolen(int vcpu);
- void xen_setup_runstate_info(int cpu);
- void xen_time_setup_guest(void);
-+void xen_manage_runstate_time(int action);
- void xen_get_runstate_snapshot(struct vcpu_runstate_info *res);
- u64 xen_steal_clock(int cpu);
-
---
-2.15.1
-
diff --git a/debian/patches/bugfix/arm/arm-dts-exynos-add-dwc3-susphy-quirk.patch b/debian/patches/bugfix/arm/arm-dts-exynos-add-dwc3-susphy-quirk.patch
deleted file mode 100644
index 84b4ac959..000000000
--- a/debian/patches/bugfix/arm/arm-dts-exynos-add-dwc3-susphy-quirk.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From: Andrzej Pietrasiewicz -Date: Mon, 18 Sep 2017 12:02:13 +0200 -Subject: ARM: dts: exynos: Add dwc3 SUSPHY quirk -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux.git/commit?id=3bf689f9275ff73de1ffad3e571837c8bff41d27 -Bug-Debian: https://bugs.debian.org/843448 - -Odroid XU4 board does not enumerate SuperSpeed devices. -This patch makes exynos5 series chips use USB SUSPHY quirk, -which solves the problem. - -Signed-off-by: Andrzej Pietrasiewicz -Signed-off-by: Krzysztof Kozlowski ---- - arch/arm/boot/dts/exynos54xx.dtsi | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/arm/boot/dts/exynos54xx.dtsi b/arch/arm/boot/dts/exynos54xx.dtsi -index 0389e8a10d0b..8ca4fef8b1ce 100644 ---- a/arch/arm/boot/dts/exynos54xx.dtsi -+++ b/arch/arm/boot/dts/exynos54xx.dtsi -@@ -134,6 +134,7 @@ - interrupts = ; - phys = <&usbdrd_phy0 0>, <&usbdrd_phy0 1>; - phy-names = "usb2-phy", "usb3-phy"; -+ snps,dis_u3_susphy_quirk; - }; - }; - -@@ -154,6 +155,7 @@ - reg = <0x12400000 0x10000>; - phys = <&usbdrd_phy1 0>, <&usbdrd_phy1 1>; - phy-names = "usb2-phy", "usb3-phy"; -+ snps,dis_u3_susphy_quirk; - }; - }; - diff --git a/debian/patches/bugfix/x86/mmap-remember-the-map_fixed-flag-as-vm_fixed.patch b/debian/patches/bugfix/x86/mmap-remember-the-map_fixed-flag-as-vm_fixed.patch index 08158451a..0e5a51171 100644 --- a/debian/patches/bugfix/x86/mmap-remember-the-map_fixed-flag-as-vm_fixed.patch +++ b/debian/patches/bugfix/x86/mmap-remember-the-map_fixed-flag-as-vm_fixed.patch @@ -2,35 +2,39 @@ From: Ben Hutchings Date: Wed, 5 Jul 2017 13:32:43 +0100 Subject: mmap: Remember the MAP_FIXED flag as VM_FIXED +Since 4.15 there are no spare bits, but we can use VM_ARCH_1 as +VM_FIXED wil only be needed on x86. + Signed-off-by: Ben Hutchings --- include/linux/mm.h | 1 + include/linux/mman.h | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 43edf659453b..1f84cc52389e 100644 
--- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -190,6 +190,7 @@ extern unsigned int kobjsize(const void *objp); - #define VM_ACCOUNT 0x00100000 /* Is a VM accounted object */ - #define VM_NORESERVE 0x00200000 /* should the VM suppress accounting */ +@@ -201,6 +201,11 @@ extern unsigned int kobjsize(const void #define VM_HUGETLB 0x00400000 /* Huge TLB Page VM */ -+#define VM_FIXED 0x00800000 /* Allocated at fixed address */ + #define VM_SYNC 0x00800000 /* Synchronous page faults */ #define VM_ARCH_1 0x01000000 /* Architecture-specific flag */ ++#ifdef CONFIG_X86 ++#define VM_FIXED VM_ARCH_1 /* Allocated at fixed address */ ++#else ++#define VM_FIXED 0 ++#endif #define VM_WIPEONFORK 0x02000000 /* Wipe VMA contents in child. */ #define VM_DONTDUMP 0x04000000 /* Do not include in the core dump */ -diff --git a/include/linux/mman.h b/include/linux/mman.h -index 7c87b6652244..f22c15d5e24c 100644 + --- a/include/linux/mman.h +++ b/include/linux/mman.h -@@ -87,7 +87,8 @@ calc_vm_flag_bits(unsigned long flags) - { +@@ -131,7 +131,9 @@ calc_vm_flag_bits(unsigned long flags) return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_DENYWRITE, VM_DENYWRITE ) | -- _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ); -+ _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | -+ _calc_vm_trans(flags, MAP_FIXED, VM_FIXED ); + _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | +- _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ); ++ _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | ++ (VM_FIXED ? ++ _calc_vm_trans(flags, MAP_FIXED, VM_FIXED ) : 0); } unsigned long vm_commit_limit(void); diff --git a/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch index f3cec3f5b..55edbc75c 100644 --- a/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch 
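Review bot: In the include/linux/mm.h part of the refreshed patch, `#define VM_FIXED VM_ARCH_1` under `CONFIG_X86` reuses a bit that x86 already claims. Upstream mm.h of this era defines `VM_PAT` as `VM_ARCH_1` for x86; that definition is outside the lines shown, so confirm it against the tree being patched. The description's reasoning that VM_FIXED is only needed on x86 covers collisions on other architectures but not this one. If both names share the bit, a MAP_FIXED mapping also tests as VM_PAT and a PAT-tracked VMA tests as VM_FIXED, so the code that consumes VM_FIXED (not part of this patch) could treat a mapping as fixed-address when it was never requested that way. If no spare bit exists, the define should at least carry the caveat, e.g. `#define VM_FIXED VM_ARCH_1 /* Allocated at fixed address; same bit as VM_PAT on x86 */`, and the consumer should be audited against VM_PAT users.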
+++ b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch @@ -15,7 +15,7 @@ Signed-off-by: Serge Hallyn --- --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -87,6 +87,11 @@ +@@ -102,6 +102,11 @@ #define CREATE_TRACE_POINTS #include @@ -27,7 +27,7 @@ Signed-off-by: Serge Hallyn /* * Minimum number of threads to boot the kernel -@@ -1252,6 +1257,10 @@ static struct task_struct *copy_process( +@@ -1550,6 +1555,10 @@ static __latent_entropy struct task_stru if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -38,7 +38,7 @@ Signed-off-by: Serge Hallyn /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -1944,6 +1953,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, +@@ -2343,6 +2352,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -53,7 +53,7 @@ Signed-off-by: Serge Hallyn goto bad_unshare_out; --- a/kernel/sysctl.c +++ b/kernel/sysctl.c -@@ -102,6 +102,9 @@ extern int core_uses_pid; +@@ -105,6 +105,9 @@ extern int core_uses_pid; extern char core_pattern[]; extern unsigned int core_pipe_limit; #endif @@ -63,7 +63,7 @@ Signed-off-by: Serge Hallyn extern int pid_max; extern int pid_max_min, pid_max_max; extern int percpu_pagelist_fraction; -@@ -489,6 +492,15 @@ static struct ctl_table kern_table[] = { +@@ -512,6 +515,15 @@ static struct ctl_table kern_table[] = { .mode = 0644, .proc_handler = proc_dointvec, }, @@ -81,9 +81,9 @@ Signed-off-by: Serge Hallyn { --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c -@@ -23,6 +23,9 @@ - #include - #include +@@ -26,6 +26,9 @@ + #include + #include +/* sysctl */ +int unprivileged_userns_clone; diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch index 77d44b431..3806f94bd 100644 
--- a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch +++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch @@ -12,8 +12,8 @@ actually used. --- --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c -@@ -847,6 +847,14 @@ SYSCALL_DEFINE5(fanotify_mark, int, fano - #endif +@@ -866,6 +866,14 @@ SYSCALL_DEFINE5(fanotify_mark, int, fano + if (mask & ~valid_mask) return -EINVAL; +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS diff --git a/debian/patches/debian/gitignore.patch b/debian/patches/debian/gitignore.patch index e9edd7265..3932721d5 100644 --- a/debian/patches/debian/gitignore.patch +++ b/debian/patches/debian/gitignore.patch @@ -7,8 +7,8 @@ Forwarded: not-needed --- a/.gitignore +++ b/.gitignore -@@ -53,23 +53,11 @@ Module.symvers - /Module.markers +@@ -61,23 +61,11 @@ modules.builtin + /*.spec # -# Debian directory (make deb-pkg) @@ -31,7 +31,7 @@ Forwarded: not-needed # Generated include files # include/config -@@ -114,3 +102,10 @@ all.config +@@ -122,3 +110,10 @@ all.config # Kdevelop4 *.kdev4 diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch index a890a8c2b..93c8c0bef 100644 --- a/debian/patches/debian/kernelvariables.patch +++ b/debian/patches/debian/kernelvariables.patch @@ -14,7 +14,7 @@ use of $(ARCH) needs to be moved after this. --- a/Makefile +++ b/Makefile -@@ -251,42 +251,6 @@ SUBARCH := $(shell uname -m | sed -e s/i +@@ -314,39 +314,6 @@ SUBARCH := $(shell uname -m | sed -e s/i ARCH ?= $(SUBARCH) CROSS_COMPILE ?= $(CONFIG_CROSS_COMPILE:"%"=%) @@ -50,14 +50,11 @@ use of $(ARCH) needs to be moved after this. -ifeq ($(ARCH),tilegx) - SRCARCH := tile -endif -- --# Where to locate arch specific headers --hdr-arch := $(SRCARCH) - KCONFIG_CONFIG ?= .config export KCONFIG_CONFIG -@@ -374,6 +338,45 @@ CFLAGS_KERNEL = +@@ -395,6 +362,38 @@ CFLAGS_KERNEL = AFLAGS_KERNEL = LDFLAGS_vmlinux = 
@@ -92,14 +89,7 @@ use of $(ARCH) needs to be moved after this. +ifeq ($(ARCH),tilegx) + SRCARCH := tile +endif -+ -+# Where to locate arch specific headers -+hdr-arch := $(SRCARCH) -+ -+ifeq ($(ARCH),m68knommu) -+ hdr-arch := m68k -+endif + # Use USERINCLUDE when you must reference the UAPI directories only. USERINCLUDE := \ - -I$(srctree)/arch/$(hdr-arch)/include/uapi \ + -I$(srctree)/arch/$(SRCARCH)/include/uapi \ diff --git a/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch b/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch index 4fbb8dfc0..954156583 100644 --- a/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch +++ b/debian/patches/debian/revert-gpu-host1x-add-iommu-support.patch @@ -176,7 +176,7 @@ and commit 8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe #include "bus.h" #include "channel.h" -@@ -177,38 +176,11 @@ static int host1x_probe(struct platform_ +@@ -218,37 +217,11 @@ static int host1x_probe(struct platform_ return err; } @@ -201,8 +201,7 @@ and commit 8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe - - order = __ffs(host->domain->pgsize_bitmap); - init_iova_domain(&host->iova, 1UL << order, -- geometry->aperture_start >> order, -- geometry->aperture_end >> order); +- geometry->aperture_start >> order); - host->iova_end = geometry->aperture_end; - } - @@ -216,7 +215,7 @@ and commit 8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe } err = clk_prepare_enable(host->clk); -@@ -253,15 +225,6 @@ fail_unprepare_disable: +@@ -293,15 +266,6 @@ fail_unprepare_disable: clk_disable_unprepare(host->clk); fail_free_channels: host1x_channel_list_free(&host->channel_list); @@ -232,7 +231,7 @@ and commit 8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe return err; } -@@ -275,12 +238,6 @@ static int host1x_remove(struct platform +@@ -315,12 +279,6 @@ static int host1x_remove(struct platform reset_control_assert(host->rst); clk_disable_unprepare(host->clk); 
@@ -256,7 +255,7 @@ and commit 8b3f5ac6b55f5f3f60723a58f14ec235a5b8cfe #include #include -@@ -112,10 +110,6 @@ struct host1x { +@@ -117,10 +115,6 @@ struct host1x { struct clk *clk; struct reset_control *rst; diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch index 9a9f43464..547b85f45 100644 --- a/debian/patches/debian/version.patch +++ b/debian/patches/debian/version.patch @@ -9,7 +9,7 @@ are set. --- a/Makefile +++ b/Makefile -@@ -1055,7 +1055,7 @@ endif +@@ -1048,7 +1048,7 @@ endif prepare2: prepare3 prepare-compiler-check outputmakefile asm-generic prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ @@ -18,7 +18,7 @@ are set. $(cmd_crmodverdir) archprepare: archheaders archscripts prepare1 scripts_basic -@@ -1116,6 +1116,16 @@ define filechk_version.h +@@ -1118,6 +1118,16 @@ define filechk_version.h echo '#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))';) endef @@ -35,7 +35,7 @@ are set. $(version_h): $(srctree)/Makefile FORCE $(call filechk,version.h) $(Q)rm -f $(old_version_h) -@@ -1123,6 +1133,9 @@ $(version_h): $(srctree)/Makefile FORCE +@@ -1125,6 +1135,9 @@ $(version_h): $(srctree)/Makefile FORCE include/generated/utsrelease.h: include/config/kernel.release FORCE $(call filechk,utsrelease.h) @@ -69,7 +69,7 @@ are set. printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs), --- a/arch/ia64/kernel/process.c +++ b/arch/ia64/kernel/process.c -@@ -34,6 +34,7 @@ +@@ -35,6 +35,7 @@ #include #include #include @@ -77,7 +77,7 @@ are set. #include #include -@@ -107,9 +108,9 @@ show_regs (struct pt_regs *regs) +@@ -108,9 +109,9 @@ show_regs (struct pt_regs *regs) print_modules(); printk("\n"); show_regs_print_info(KERN_DEFAULT); 
@@ -99,13 +99,13 @@ are set. #include #include -@@ -1382,8 +1383,9 @@ void show_regs(struct pt_regs * regs) +@@ -1403,8 +1404,9 @@ void show_regs(struct pt_regs * regs) printk("NIP: "REG" LR: "REG" CTR: "REG"\n", regs->nip, regs->link, regs->ctr); -- printk("REGS: %p TRAP: %04lx %s (%s)\n", +- printk("REGS: %px TRAP: %04lx %s (%s)\n", - regs, regs->trap, print_tainted(), init_utsname()->release); -+ printk("REGS: %p TRAP: %04lx %s (%s%s)\n", ++ printk("REGS: %px TRAP: %04lx %s (%s%s)\n", + regs, regs->trap, print_tainted(), init_utsname()->release, + LINUX_PACKAGE_ID); printk("MSR: "REG" ", regs->msr); diff --git a/debian/patches/features/all/aufs4/aufs4-base.patch b/debian/patches/features/all/aufs4/aufs4-base.patch index 4af786153..f1e01ceb4 100644 --- a/debian/patches/features/all/aufs4/aufs4-base.patch +++ b/debian/patches/features/all/aufs4/aufs4-base.patch @@ -1,18 +1,19 @@ From: J. R. Okajima -Date: Thu Nov 16 10:20:27 2017 +0900 -Subject: aufs4.14 base patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/bf518fb574cee10c6112f0e9ca5c67b277426630 +Date: Sat Dec 16 15:29:33 2017 +0900 +Subject: SPDX-License-Identifier: GPL-2.0 +Origin: https://github.com/sfjro/aufs4-standalone/tree/8b9c1be851f351af1104f55952e211ae541695ee Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch -aufs4.14 base patch +SPDX-License-Identifier: GPL-2.0 +aufs4.x-rcN base patch diff --git a/MAINTAINERS b/MAINTAINERS -index 2811a21..02b6deb 100644 +index 82ad0ea..7d8b461 100644 --- a/MAINTAINERS +++ b/MAINTAINERS -@@ -2465,6 +2465,19 @@ F: include/linux/audit.h +@@ -2478,6 +2478,19 @@ F: include/linux/audit.h F: include/uapi/linux/audit.h F: kernel/audit* @@ -33,10 +34,10 @@ index 2811a21..02b6deb 100644 M: Miguel Ojeda Sandonis W: http://miguelojeda.es/auxdisplay.htm diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index 85de673..d44de9d 100644 +index bc8e615..e51a59d 100644 --- a/drivers/block/loop.c 
+++ b/drivers/block/loop.c -@@ -686,6 +686,24 @@ static inline int is_loop_device(struct file *file) +@@ -691,6 +691,24 @@ static inline int is_loop_device(struct file *file) return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR; } @@ -62,7 +63,7 @@ index 85de673..d44de9d 100644 static ssize_t loop_attr_show(struct device *dev, char *page, diff --git a/fs/dcache.c b/fs/dcache.c -index f901413..e3719a5 100644 +index 5c7df1d..019f14b 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1197,7 +1197,7 @@ enum d_walk_ret { @@ -75,7 +76,7 @@ index f901413..e3719a5 100644 void (*finish)(void *)) { diff --git a/fs/fcntl.c b/fs/fcntl.c -index 8d78ffd..cffefab 100644 +index 0522e28..74c255d 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -32,7 +32,7 @@ @@ -97,7 +98,7 @@ index 8d78ffd..cffefab 100644 return error; diff --git a/fs/inode.c b/fs/inode.c -index d1e35b5..f7800d6 100644 +index 03102d6..517883c 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1655,7 +1655,7 @@ EXPORT_SYMBOL(generic_update_time); @@ -110,7 +111,7 @@ index d1e35b5..f7800d6 100644 int (*update_time)(struct inode *, struct timespec *, int); diff --git a/fs/namespace.c b/fs/namespace.c -index d18deb4..e5a4a7f 100644 +index e158ec6..312bdbd8 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -846,6 +846,12 @@ static inline int check_mnt(struct mount *mnt) @@ -127,7 +128,7 @@ index d18deb4..e5a4a7f 100644 * vfsmount lock must be held for write */ diff --git a/fs/read_write.c b/fs/read_write.c -index 0046d72..2388284 100644 +index f8547b8..0a5c47b 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -484,6 +484,28 @@ ssize_t __vfs_write(struct file *file, const char __user *p, size_t count, @@ -160,7 +161,7 @@ index 0046d72..2388284 100644 { mm_segment_t old_fs; diff --git a/fs/splice.c b/fs/splice.c -index f3084cc..eb888c6 100644 +index 39e2dc0..c5fb195 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -837,8 +837,8 @@ EXPORT_SYMBOL(generic_splice_sendpage); 
@@ -188,7 +189,7 @@ index f3084cc..eb888c6 100644 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); diff --git a/fs/sync.c b/fs/sync.c -index 83ac79a..fe15900 100644 +index 6e0a2cb..a6891ee 100644 --- a/fs/sync.c +++ b/fs/sync.c @@ -28,7 +28,7 @@ @@ -213,7 +214,7 @@ index 279720d..76e38ea 100644 static inline void fput_light(struct file *file, int fput_needed) { diff --git a/include/linux/fs.h b/include/linux/fs.h -index 885266a..e489e42 100644 +index 511fbaa..96e05b3 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1265,6 +1265,7 @@ extern void fasync_free(struct fasync_struct *); @@ -224,7 +225,7 @@ index 885266a..e489e42 100644 extern void __f_setown(struct file *filp, struct pid *, enum pid_type, int force); extern int f_setown(struct file *filp, unsigned long arg, int force); extern void f_delown(struct file *filp); -@@ -1711,6 +1712,7 @@ struct file_operations { +@@ -1712,6 +1713,7 @@ struct file_operations { ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); int (*check_flags)(int); @@ -232,7 +233,7 @@ index 885266a..e489e42 100644 int (*flock) (struct file *, int, struct file_lock *); ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int); ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); -@@ -1781,6 +1783,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector, +@@ -1782,6 +1784,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector, struct iovec *fast_pointer, struct iovec **ret_pointer); 
@@ -245,7 +246,7 @@ index 885266a..e489e42 100644 extern ssize_t __vfs_read(struct file *, char __user *, size_t, loff_t *); extern ssize_t vfs_read(struct file *, char __user *, size_t, loff_t *); extern ssize_t vfs_write(struct file *, const char __user *, size_t, loff_t *); -@@ -2183,6 +2191,7 @@ extern int current_umask(void); +@@ -2201,6 +2209,7 @@ extern int current_umask(void); extern void ihold(struct inode * inode); extern void iput(struct inode *); extern int generic_update_time(struct inode *, struct timespec *, int); @@ -253,7 +254,7 @@ index 885266a..e489e42 100644 /* /sys/fs */ extern struct kobject *fs_kobj; -@@ -2463,6 +2472,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb) +@@ -2481,6 +2490,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb) return false; } #endif @@ -262,7 +263,7 @@ index 885266a..e489e42 100644 extern const struct file_operations def_blk_fops; extern const struct file_operations def_chr_fops; diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h -index f301d31..c26f5b4 100644 +index a842551..453e941 100644 --- a/include/linux/lockdep.h +++ b/include/linux/lockdep.h @@ -406,6 +406,8 @@ static inline int lockdep_match_key(struct lockdep_map *lock, @@ -274,7 +275,7 @@ index f301d31..c26f5b4 100644 /* * Acquire a lock. * -@@ -530,6 +532,7 @@ struct lock_class_key { }; +@@ -535,6 +537,7 @@ struct lockdep_map { }; #define lockdep_depth(tsk) (0) @@ -317,10 +318,10 @@ index 74b4911..19789fb 100644 + unsigned int flags); #endif diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c -index e36e652..bc97a97 100644 +index 670d8d7..2cd0282 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c -@@ -144,7 +144,7 @@ static struct lock_list list_entries[MAX_LOCKDEP_ENTRIES]; +@@ -156,7 +156,7 @@ static struct lock_list list_entries[MAX_LOCKDEP_ENTRIES]; unsigned long nr_lock_classes; static struct lock_class lock_classes[MAX_LOCKDEP_KEYS]; 
@@ -329,7 +330,7 @@ index e36e652..bc97a97 100644 { if (!hlock->class_idx) { /* -@@ -155,6 +155,7 @@ static inline struct lock_class *hlock_class(struct held_lock *hlock) +@@ -167,6 +167,7 @@ static inline struct lock_class *hlock_class(struct held_lock *hlock) } return lock_classes + hlock->class_idx - 1; } diff --git a/debian/patches/features/all/aufs4/aufs4-mmap.patch b/debian/patches/features/all/aufs4/aufs4-mmap.patch index 613cdbbcf..b1a9c0240 100644 --- a/debian/patches/features/all/aufs4/aufs4-mmap.patch +++ b/debian/patches/features/all/aufs4/aufs4-mmap.patch @@ -1,18 +1,19 @@ From: J. R. Okajima -Date: Thu Nov 16 10:20:27 2017 +0900 -Subject: aufs4.14 mmap patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/bf518fb574cee10c6112f0e9ca5c67b277426630 +Date: Sat Dec 16 15:29:33 2017 +0900 +Subject: SPDX-License-Identifier: GPL-2.0 +Origin: https://github.com/sfjro/aufs4-standalone/tree/8b9c1be851f351af1104f55952e211ae541695ee Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch -aufs4.14 mmap patch +SPDX-License-Identifier: GPL-2.0 +aufs4.x-rcN mmap patch diff --git a/fs/proc/base.c b/fs/proc/base.c -index 9d357b2..11f4f23 100644 +index 60316b5..ce5314e 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c -@@ -1988,7 +1988,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) +@@ -1987,7 +1987,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) down_read(&mm->mmap_sem); vma = find_exact_vma(mm, vm_start, vm_end); if (vma && vma->vm_file) { @@ -38,10 +39,10 @@ index 7563437..7c0dc0f 100644 ino = inode->i_ino; } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 6744bd7..6d4dea3 100644 +index 339e4c1..1138098 100644 --- a/fs/proc/task_mmu.c 
+++ b/fs/proc/task_mmu.c -@@ -310,7 +310,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) +@@ -306,7 +306,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) const char *name = NULL; if (file) { @@ -53,7 +54,7 @@ index 6744bd7..6d4dea3 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; -@@ -1739,7 +1742,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1736,7 +1739,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) struct proc_maps_private *proc_priv = &numa_priv->proc_maps; struct vm_area_struct *vma = v; struct numa_maps *md = &numa_priv->md; @@ -79,10 +80,10 @@ index 5b62f57..dfb4a3b 100644 ino = inode->i_ino; pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT; diff --git a/include/linux/mm.h b/include/linux/mm.h -index 43edf65..3f9acd9 100644 +index ea818ff..fbd4799 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -1349,6 +1349,28 @@ static inline int fixup_user_fault(struct task_struct *tsk, +@@ -1362,6 +1362,28 @@ static inline int fixup_user_fault(struct task_struct *tsk, } #endif @@ -112,10 +113,10 @@ index 43edf65..3f9acd9 100644 unsigned int gup_flags); extern int access_remote_vm(struct mm_struct *mm, unsigned long addr, diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index c85f11d..a63875a 100644 +index cfd0ac4..135e11c 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h -@@ -261,6 +261,7 @@ struct vm_region { +@@ -255,6 +255,7 @@ struct vm_region { unsigned long vm_top; /* region allocated to here */ unsigned long vm_pgoff; /* the offset in vm_file corresponding to vm_start */ struct file *vm_file; /* the backing file or NULL */ 
@@ -123,7 +124,7 @@ index c85f11d..a63875a 100644 int vm_usage; /* region usage count (access under nommu_region_sem) */ bool vm_icache_flushed : 1; /* true if the icache has been flushed for -@@ -335,6 +336,7 @@ struct vm_area_struct { +@@ -329,6 +330,7 @@ struct vm_area_struct { unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE units */ struct file * vm_file; /* File we map to (can be NULL). */ @@ -132,7 +133,7 @@ index c85f11d..a63875a 100644 atomic_long_t swap_readahead_info; diff --git a/kernel/fork.c b/kernel/fork.c -index 07cc743..b1d2b43 100644 +index 432eadf..8b2ba5b 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -676,7 +676,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, @@ -145,10 +146,10 @@ index 07cc743..b1d2b43 100644 atomic_dec(&inode->i_writecount); i_mmap_lock_write(mapping); diff --git a/mm/Makefile b/mm/Makefile -index 4659b93..84488841 100644 +index e669f02..9c36567 100644 --- a/mm/Makefile +++ b/mm/Makefile -@@ -40,7 +40,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ +@@ -39,7 +39,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ mm_init.o mmu_context.o percpu.o slab_common.o \ compaction.o vmacache.o swap_slots.o \ interval_tree.o list_lru.o workingset.o \ @@ -158,10 +159,10 @@ index 4659b93..84488841 100644 obj-y += init-mm.o diff --git a/mm/filemap.c b/mm/filemap.c -index 594d73f..7183aef 100644 +index ee83baa..7677d13 100644 --- a/mm/filemap.c +++ b/mm/filemap.c -@@ -2590,7 +2590,7 @@ int filemap_page_mkwrite(struct vm_fault *vmf) +@@ -2704,7 +2704,7 @@ int filemap_page_mkwrite(struct vm_fault *vmf) int ret = VM_FAULT_LOCKED; sb_start_pagefault(inode->i_sb); @@ -171,7 +172,7 @@ index 594d73f..7183aef 100644 if (page->mapping != inode->i_mapping) { unlock_page(page); diff --git a/mm/mmap.c b/mm/mmap.c -index 680506f..081406a 100644 +index a4d5468..cb06cbd 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -171,7 +171,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) 
@@ -192,7 +193,7 @@ index 680506f..081406a 100644 } if (next->anon_vma) anon_vma_merge(vma, next); -@@ -1746,8 +1746,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1761,8 +1761,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return addr; unmap_and_free_vma: @@ -202,7 +203,7 @@ index 680506f..081406a 100644 /* Undo any partial mapping done by a device driver. */ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); -@@ -2569,7 +2569,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2586,7 +2586,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, goto out_free_mpol; if (new->vm_file) @@ -211,7 +212,7 @@ index 680506f..081406a 100644 if (new->vm_ops && new->vm_ops->open) new->vm_ops->open(new); -@@ -2588,7 +2588,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2605,7 +2605,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, if (new->vm_ops && new->vm_ops->close) new->vm_ops->close(new); if (new->vm_file) @@ -220,7 +221,7 @@ index 680506f..081406a 100644 unlink_anon_vmas(new); out_free_mpol: mpol_put(vma_policy(new)); -@@ -2750,7 +2750,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2767,7 +2767,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, struct vm_area_struct *vma; unsigned long populate = 0; unsigned long ret = -EINVAL; @@ -229,7 +230,7 @@ index 680506f..081406a 100644 pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.\n", current->comm, current->pid); -@@ -2825,10 +2825,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2842,10 +2842,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, } } 
@@ -258,7 +259,7 @@ index 680506f..081406a 100644 out: up_write(&mm->mmap_sem); if (populate) -@@ -3136,7 +3153,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -3153,7 +3170,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, if (anon_vma_clone(new_vma, vma)) goto out_free_mempol; if (new_vma->vm_file) @@ -313,11 +314,12 @@ index 17c00d9..4bcdf94 100644 diff --git a/mm/prfile.c b/mm/prfile.c new file mode 100644 -index 0000000..1ef053b +index 0000000..3f56669 --- /dev/null +++ b/mm/prfile.c -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ +/* ++ * SPDX-License-Identifier: GPL-2.0 + * Mainly for aufs which mmap(2) different file and wants to print different + * path in /proc/PID/maps. + * Call these functions via macros defined in linux/mm.h. diff --git a/debian/patches/features/all/aufs4/aufs4-standalone.patch b/debian/patches/features/all/aufs4/aufs4-standalone.patch index 085dc2fd8..603c5ed49 100644 --- a/debian/patches/features/all/aufs4/aufs4-standalone.patch +++ b/debian/patches/features/all/aufs4/aufs4-standalone.patch @@ -1,16 +1,19 @@ From: J. R. Okajima -Date: Thu Nov 16 10:20:27 2017 +0900 -Subject: aufs4.14 standalone patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/bf518fb574cee10c6112f0e9ca5c67b277426630 +Date: Sat Dec 16 15:29:33 2017 +0900 +Subject: SPDX-License-Identifier: GPL-2.0 +Origin: https://github.com/sfjro/aufs4-standalone/tree/8b9c1be851f351af1104f55952e211ae541695ee Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch -aufs4.14 standalone patch +SPDX-License-Identifier: GPL-2.0 +aufs4.x-rcN standalone patch +diff --git a/fs/dcache.c b/fs/dcache.c +index 019f14b..10c1a6d 100644 --- a/fs/dcache.c +++ b/fs/dcache.c -@@ -1305,6 +1305,7 @@ rename_retry: +@@ -1305,6 +1305,7 @@ void d_walk(struct dentry *parent, void *data, seq = 1; goto again; } 
@@ -18,7 +21,7 @@ aufs4.14 standalone patch struct check_mount { struct vfsmount *mnt; -@@ -2894,6 +2895,7 @@ void d_exchange(struct dentry *dentry1, +@@ -2892,6 +2893,7 @@ void d_exchange(struct dentry *dentry1, struct dentry *dentry2) write_sequnlock(&rename_lock); } @@ -26,9 +29,11 @@ aufs4.14 standalone patch /** * d_ancestor - search for an ancestor +diff --git a/fs/exec.c b/fs/exec.c +index 6be2aa0..1e003f9 100644 --- a/fs/exec.c +++ b/fs/exec.c -@@ -109,6 +109,7 @@ bool path_noexec(const struct path *path +@@ -109,6 +109,7 @@ bool path_noexec(const struct path *path) return (path->mnt->mnt_flags & MNT_NOEXEC) || (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC); } @@ -36,9 +41,11 @@ aufs4.14 standalone patch #ifdef CONFIG_USELIB /* +diff --git a/fs/fcntl.c b/fs/fcntl.c +index 74c255d..ec53ee1 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c -@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, un +@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, unsigned long arg) out: return error; } @@ -46,9 +53,11 @@ aufs4.14 standalone patch static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, int force) +diff --git a/fs/file_table.c b/fs/file_table.c +index 2dc9f38..7bf57df 100644 --- a/fs/file_table.c +++ b/fs/file_table.c -@@ -148,6 +148,7 @@ over: +@@ -148,6 +148,7 @@ struct file *get_empty_filp(void) } return ERR_PTR(-ENFILE); } @@ -80,9 +89,11 @@ aufs4.14 standalone patch void __init files_init(void) { +diff --git a/fs/inode.c b/fs/inode.c +index 517883c..5cece5e 100644 --- a/fs/inode.c +++ b/fs/inode.c -@@ -1664,6 +1664,7 @@ int update_time(struct inode *inode, str +@@ -1664,6 +1664,7 @@ int update_time(struct inode *inode, struct timespec *time, int flags) return update_time(inode, time, flags); } @@ -90,9 +101,11 @@ aufs4.14 standalone patch /** * touch_atime - update the access time +diff --git a/fs/namespace.c b/fs/namespace.c +index 312bdbd8..a5baeb5 100644 --- a/fs/namespace.c 
+++ b/fs/namespace.c -@@ -517,6 +517,7 @@ void __mnt_drop_write(struct vfsmount *m +@@ -517,6 +517,7 @@ void __mnt_drop_write(struct vfsmount *mnt) mnt_dec_writers(real_mount(mnt)); preempt_enable(); } @@ -100,7 +113,7 @@ aufs4.14 standalone patch /** * mnt_drop_write - give up write access to a mount -@@ -851,6 +852,7 @@ int is_current_mnt_ns(struct vfsmount *m +@@ -851,6 +852,7 @@ int is_current_mnt_ns(struct vfsmount *mnt) { return check_mnt(real_mount(mnt)); } @@ -108,7 +121,7 @@ aufs4.14 standalone patch /* * vfsmount lock must be held for write -@@ -1887,6 +1889,7 @@ int iterate_mounts(int (*f)(struct vfsmo +@@ -1887,6 +1889,7 @@ int iterate_mounts(int (*f)(struct vfsmount *, void *), void *arg, } return 0; } @@ -116,6 +129,8 @@ aufs4.14 standalone patch static void cleanup_group_ids(struct mount *mnt, struct mount *end) { +diff --git a/fs/notify/group.c b/fs/notify/group.c +index b7a4b6a..5a69d60 100644 --- a/fs/notify/group.c +++ b/fs/notify/group.c @@ -22,6 +22,7 @@ @@ -126,23 +141,23 @@ aufs4.14 standalone patch #include #include "fsnotify.h" -@@ -109,6 +110,7 @@ void fsnotify_get_group(struct fsnotify_ +@@ -109,6 +110,7 @@ void fsnotify_get_group(struct fsnotify_group *group) { - atomic_inc(&group->refcnt); + refcount_inc(&group->refcnt); } +EXPORT_SYMBOL_GPL(fsnotify_get_group); /* * Drop a reference to a group. Free it if it's through. -@@ -118,6 +120,7 @@ void fsnotify_put_group(struct fsnotify_ - if (atomic_dec_and_test(&group->refcnt)) +@@ -118,6 +120,7 @@ void fsnotify_put_group(struct fsnotify_group *group) + if (refcount_dec_and_test(&group->refcnt)) fsnotify_final_destroy_group(group); } +EXPORT_SYMBOL_GPL(fsnotify_put_group); /* * Create a new fsnotify_group and hold a reference for the group returned. -@@ -147,6 +150,7 @@ struct fsnotify_group *fsnotify_alloc_gr +@@ -147,6 +150,7 @@ struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *ops) return group; } 
@@ -150,17 +165,19 @@ aufs4.14 standalone patch int fsnotify_fasync(int fd, struct file *file, int on) { +diff --git a/fs/notify/mark.c b/fs/notify/mark.c +index e9191b4..1f8ccfa 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c -@@ -245,6 +245,7 @@ void fsnotify_put_mark(struct fsnotify_m - queue_delayed_work(system_unbound_wq, &reaper_work, - FSNOTIFY_REAPER_DELAY); +@@ -108,6 +108,7 @@ void fsnotify_get_mark(struct fsnotify_mark *mark) + WARN_ON_ONCE(!refcount_read(&mark->refcnt)); + refcount_inc(&mark->refcnt); } +EXPORT_SYMBOL_GPL(fsnotify_put_mark); - /* - * Get mark reference when we found the mark via lockless traversal of object -@@ -392,6 +393,7 @@ void fsnotify_destroy_mark(struct fsnoti + static void __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) + { +@@ -392,6 +393,7 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark, mutex_unlock(&group->mark_mutex); fsnotify_free_mark(mark); } @@ -168,7 +185,7 @@ aufs4.14 standalone patch /* * Sorting function for lists of fsnotify marks. -@@ -604,6 +606,7 @@ err: +@@ -606,6 +608,7 @@ int fsnotify_add_mark_locked(struct fsnotify_mark *mark, struct inode *inode, fsnotify_put_mark(mark); return ret; } @@ -176,7 +193,7 @@ aufs4.14 standalone patch int fsnotify_add_mark(struct fsnotify_mark *mark, struct inode *inode, struct vfsmount *mnt, int allow_dups) -@@ -739,6 +742,7 @@ void fsnotify_init_mark(struct fsnotify_ +@@ -741,6 +744,7 @@ void fsnotify_init_mark(struct fsnotify_mark *mark, fsnotify_get_group(group); mark->group = group; } @@ -184,9 +201,11 @@ aufs4.14 standalone patch /* * Destroy all marks in destroy_list, waits for SRCU period to finish before +diff --git a/fs/open.c b/fs/open.c +index 7ea1184..6e2e241 100644 --- a/fs/open.c +++ b/fs/open.c -@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, l +@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, inode_unlock(dentry->d_inode); return ret; } 
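Review bot: In the refreshed fs/notify/mark.c part of the aufs standalone patch, the added line `EXPORT_SYMBOL_GPL(fsnotify_put_mark);` is now anchored under the closing brace of fsnotify_get_mark() (inner header `@@ -108,6 +108,7 @@`, context `refcount_inc(&mark->refcnt);`). Before the refresh it followed the tail of fsnotify_put_mark(). The export still names fsnotify_put_mark, so it presumably links as long as the prototype is visible, but it breaks the kernel convention of keeping an export directly below the function it exports. That makes the set of symbols opened up to modules harder to audit by reading the file. I would re-anchor the inner hunk at the end of fsnotify_put_mark(), or note in the patch header that the placement is deliberate. The body of fsnotify_put_mark() is outside this hunk, so the right context lines need checking against the 4.15-rc5 source.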
@@ -202,9 +221,11 @@ aufs4.14 standalone patch static int do_dentry_open(struct file *f, struct inode *inode, +diff --git a/fs/read_write.c b/fs/read_write.c +index 0a5c47b..d423a5f 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -454,6 +454,7 @@ ssize_t vfs_read(struct file *file, char +@@ -454,6 +454,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) return ret; } @@ -220,7 +241,7 @@ aufs4.14 standalone patch vfs_writef_t vfs_writef(struct file *file) { -@@ -505,6 +507,7 @@ vfs_writef_t vfs_writef(struct file *fil +@@ -505,6 +507,7 @@ vfs_writef_t vfs_writef(struct file *file) return new_sync_write; return ERR_PTR(-ENOSYS); } @@ -228,7 +249,7 @@ aufs4.14 standalone patch ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos) { -@@ -574,6 +577,7 @@ ssize_t vfs_write(struct file *file, con +@@ -574,6 +577,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ return ret; } @@ -236,9 +257,11 @@ aufs4.14 standalone patch static inline loff_t file_pos_read(struct file *file) { +diff --git a/fs/splice.c b/fs/splice.c +index c5fb195..ce01a74 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_in +@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_info *pipe, struct file *out, return splice_write(pipe, out, ppos, len, flags); } @@ -246,7 +269,7 @@ aufs4.14 standalone patch /* * Attempt to initiate a splice from a file to a pipe. -@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_ +@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_t *ppos, return splice_read(in, ppos, pipe, len, flags); } @@ -254,9 +277,11 @@ aufs4.14 standalone patch /** * splice_direct_to_actor - splices data directly between two non-pipes +diff --git a/fs/sync.c b/fs/sync.c +index a6891ee..47a78bd 100644 --- a/fs/sync.c 
+++ b/fs/sync.c -@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block +@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block *sb, int wait) sb->s_op->sync_fs(sb, wait); return __sync_blockdev(sb->s_bdev, wait); } @@ -264,9 +289,11 @@ aufs4.14 standalone patch /* * Write out and wait upon all dirty data associated with this +diff --git a/fs/xattr.c b/fs/xattr.c +index 61cd28b..35570cd 100644 --- a/fs/xattr.c +++ b/fs/xattr.c -@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry +@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, *xattr_value = value; return error; } @@ -274,9 +301,11 @@ aufs4.14 standalone patch ssize_t __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 2cd0282..af59768 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c -@@ -155,6 +155,7 @@ inline struct lock_class *lockdep_hlock_ +@@ -167,6 +167,7 @@ inline struct lock_class *lockdep_hlock_class(struct held_lock *hlock) } return lock_classes + hlock->class_idx - 1; } @@ -284,6 +313,8 @@ aufs4.14 standalone patch #define hlock_class(hlock) lockdep_hlock_class(hlock) #ifdef CONFIG_LOCK_STAT +diff --git a/kernel/task_work.c b/kernel/task_work.c +index 0fef395..83fb1ec 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c @@ -116,3 +116,4 @@ void task_work_run(void) @@ -291,9 +322,11 @@ aufs4.14 standalone patch } } +EXPORT_SYMBOL_GPL(task_work_run); +diff --git a/security/commoncap.c b/security/commoncap.c +index 4f8e093..f1e0544 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -1270,12 +1270,14 @@ int cap_mmap_addr(unsigned long addr) +@@ -1333,12 +1333,14 @@ int cap_mmap_addr(unsigned long addr) } return ret; } @@ -308,6 +341,8 @@ aufs4.14 standalone patch #ifdef CONFIG_SECURITY +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index c65b39b..e363d22 100644 
--- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -8,6 +8,7 @@ @@ -318,17 +353,16 @@ aufs4.14 standalone patch #include #include #include -@@ -850,6 +851,7 @@ int __devcgroup_inode_permission(struct - return __devcgroup_check_permission(type, imajor(inode), iminor(inode), - access); - } -+EXPORT_SYMBOL_GPL(__devcgroup_inode_permission); +@@ -824,3 +825,4 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor, - int devcgroup_inode_mknod(int mode, dev_t dev) - { + return 0; + } ++EXPORT_SYMBOL_GPL(__devcgroup_check_permission); +diff --git a/security/security.c b/security/security.c +index 1cd8526..f2e4736 100644 --- a/security/security.c +++ b/security/security.c -@@ -530,6 +530,7 @@ int security_path_rmdir(const struct pat +@@ -531,6 +531,7 @@ int security_path_rmdir(const struct path *dir, struct dentry *dentry) return 0; return call_int_hook(path_rmdir, 0, dir, dentry); } @@ -336,7 +370,7 @@ aufs4.14 standalone patch int security_path_unlink(const struct path *dir, struct dentry *dentry) { -@@ -546,6 +547,7 @@ int security_path_symlink(const struct p +@@ -547,6 +548,7 @@ int security_path_symlink(const struct path *dir, struct dentry *dentry, return 0; return call_int_hook(path_symlink, 0, dir, dentry, old_name); } @@ -344,7 +378,7 @@ aufs4.14 standalone patch int security_path_link(struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry) -@@ -554,6 +556,7 @@ int security_path_link(struct dentry *ol +@@ -555,6 +557,7 @@ int security_path_link(struct dentry *old_dentry, const struct path *new_dir, return 0; return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry); } 
@@ -352,7 +386,7 @@ aufs4.14 standalone patch int security_path_rename(const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry, -@@ -581,6 +584,7 @@ int security_path_truncate(const struct +@@ -582,6 +585,7 @@ int security_path_truncate(const struct path *path) return 0; return call_int_hook(path_truncate, 0, path); } @@ -360,7 +394,7 @@ aufs4.14 standalone patch int security_path_chmod(const struct path *path, umode_t mode) { -@@ -588,6 +592,7 @@ int security_path_chmod(const struct pat +@@ -589,6 +593,7 @@ int security_path_chmod(const struct path *path, umode_t mode) return 0; return call_int_hook(path_chmod, 0, path, mode); } @@ -368,7 +402,7 @@ aufs4.14 standalone patch int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) { -@@ -595,6 +600,7 @@ int security_path_chown(const struct pat +@@ -596,6 +601,7 @@ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) return 0; return call_int_hook(path_chown, 0, path, uid, gid); } @@ -376,7 +410,7 @@ aufs4.14 standalone patch int security_path_chroot(const struct path *path) { -@@ -680,6 +686,7 @@ int security_inode_readlink(struct dentr +@@ -681,6 +687,7 @@ int security_inode_readlink(struct dentry *dentry) return 0; return call_int_hook(inode_readlink, 0, dentry); } @@ -384,7 +418,7 @@ aufs4.14 standalone patch int security_inode_follow_link(struct dentry *dentry, struct inode *inode, bool rcu) -@@ -695,6 +702,7 @@ int security_inode_permission(struct ino +@@ -696,6 +703,7 @@ int security_inode_permission(struct inode *inode, int mask) return 0; return call_int_hook(inode_permission, 0, inode, mask); } @@ -392,7 +426,7 @@ aufs4.14 standalone patch int security_inode_setattr(struct dentry *dentry, struct iattr *attr) { -@@ -866,6 +874,7 @@ int security_file_permission(struct file +@@ -867,6 +875,7 @@ int security_file_permission(struct file *file, int mask) return fsnotify_perm(file, mask); } 
@@ -400,7 +434,7 @@ aufs4.14 standalone patch int security_file_alloc(struct file *file) { -@@ -925,6 +934,7 @@ int security_mmap_file(struct file *file +@@ -926,6 +935,7 @@ int security_mmap_file(struct file *file, unsigned long prot, return ret; return ima_file_mmap(file, prot); } diff --git a/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch new file mode 100644 index 000000000..271291015 --- /dev/null +++ b/debian/patches/features/all/lockdown/0001-Add-the-ability-to-lock-down-access-to-the-running-k.patch 
@@ -0,0 +1,165 @@ +From: David Howells +Date: Wed, 8 Nov 2017 15:11:31 +0000 +Subject: [01/29] Add the ability to lock down access to the running kernel + image +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=6d350e2534bfaaaa3e523484b2ca44d22377e951 + +Provide a single call to allow kernel code to determine whether the system +should be locked down, thereby disallowing various accesses that might +allow the running kernel image to be changed including the loading of +modules that aren't validly signed with a key we recognise, fiddling with +MSR registers and disallowing hibernation, + +Signed-off-by: David Howells +Acked-by: James Morris +--- + include/linux/kernel.h | 17 ++++++++++++++ + include/linux/security.h | 8 +++++++ + security/Kconfig | 8 +++++++ + security/Makefile | 3 +++ + security/lock_down.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 96 insertions(+) + create mode 100644 security/lock_down.c + +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index 0ad4c3044cf9..362da2e4bf53 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -287,6 +287,23 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err) + { } + #endif + ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern bool __kernel_is_locked_down(const char *what, bool first); ++#else ++static inline bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ return false; ++} ++#endif ++ ++#define kernel_is_locked_down(what) \ ++ ({ \ ++ static bool message_given; \ ++ bool locked_down = __kernel_is_locked_down(what, !message_given); \ ++ message_given = true; \ ++ locked_down; \ ++ }) ++ + /* Internal, do not use. 
*/ + int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); + int __must_check _kstrtol(const char *s, unsigned int base, long *res); +diff --git a/include/linux/security.h b/include/linux/security.h +index ce6265960d6c..310775476b68 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -1753,5 +1753,13 @@ static inline void free_secdata(void *secdata) + { } + #endif /* CONFIG_SECURITY */ + ++#ifdef CONFIG_LOCK_DOWN_KERNEL ++extern void __init init_lockdown(void); ++#else ++static inline void __init init_lockdown(void) ++{ ++} ++#endif ++ + #endif /* ! __LINUX_SECURITY_H */ + +diff --git a/security/Kconfig b/security/Kconfig +index e8e449444e65..8e01fd59ae7e 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -205,6 +205,14 @@ config STATIC_USERMODEHELPER_PATH + If you wish for all usermode helper programs to be disabled, + specify an empty string here (i.e. ""). + ++config LOCK_DOWN_KERNEL ++ bool "Allow the kernel to be 'locked down'" ++ help ++ Allow the kernel to be locked down under certain circumstances, for ++ instance if UEFI secure boot is enabled. Locking down the kernel ++ turns off various features that might otherwise allow access to the ++ kernel image (eg. setting MSR registers). 
++ + source security/selinux/Kconfig + source security/smack/Kconfig + source security/tomoyo/Kconfig +diff --git a/security/Makefile b/security/Makefile +index f2d71cdb8e19..8c4a43e3d4e0 100644 +--- a/security/Makefile ++++ b/security/Makefile +@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o + # Object integrity file lists + subdir-$(CONFIG_INTEGRITY) += integrity + obj-$(CONFIG_INTEGRITY) += integrity/ ++ ++# Allow the kernel to be locked down ++obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o +diff --git a/security/lock_down.c b/security/lock_down.c +new file mode 100644 +index 000000000000..d8595c0e6673 +--- /dev/null ++++ b/security/lock_down.c +@@ -0,0 +1,60 @@ ++/* Lock down the kernel ++ * ++ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#include ++#include ++ ++static __ro_after_init bool kernel_locked_down; ++ ++/* ++ * Put the kernel into lock-down mode. ++ */ ++static void __init lock_kernel_down(const char *where) ++{ ++ if (!kernel_locked_down) { ++ kernel_locked_down = true; ++ pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n", ++ where); ++ } ++} ++ ++static int __init lockdown_param(char *ignored) ++{ ++ lock_kernel_down("command line"); ++ return 0; ++} ++ ++early_param("lockdown", lockdown_param); ++ ++/* ++ * Lock the kernel down from very early in the arch setup. This must happen ++ * prior to things like ACPI being initialised. 
++ */ ++void __init init_lockdown(void) ++{ ++#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT ++ if (efi_enabled(EFI_SECURE_BOOT)) ++ lock_kernel_down("EFI secure boot"); ++#endif ++} ++ ++/** ++ * kernel_is_locked_down - Find out if the kernel is locked down ++ * @what: Tag to use in notice generated if lockdown is in effect ++ */ ++bool __kernel_is_locked_down(const char *what, bool first) ++{ ++ if (what && first && kernel_locked_down) ++ pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", ++ what); ++ return kernel_locked_down; ++} ++EXPORT_SYMBOL(__kernel_is_locked_down); diff --git a/debian/patches/features/all/lockdown/0043-Add-a-sysrq-option-to-exit-secure-boot-mode.patch b/debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch similarity index 52% rename from debian/patches/features/all/lockdown/0043-Add-a-sysrq-option-to-exit-secure-boot-mode.patch rename to debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch index b388639bf..bcaa67678 100644 --- a/debian/patches/features/all/lockdown/0043-Add-a-sysrq-option-to-exit-secure-boot-mode.patch +++ b/debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch @@ -1,103 +1,55 @@ 
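Review bot: The kernel-doc block above `__kernel_is_locked_down()` in security/lock_down.c is headed `kernel_is_locked_down`, documents only `@what`, and says nothing about `@first` or the return value, so the logging contract has to be pieced together from the wrapper macro in include/linux/kernel.h. That contract matters to anyone watching the log: `message_given` is set on every evaluation of the macro, so each call site prints `Lockdown: %s is restricted` at most once and later refusals from the same site are silent. I would head the comment `__kernel_is_locked_down`, add `@first: true only for the first query from a given call site; gates the notice`, and add a `Return:` line saying that true means lockdown is in effect. Separately, `lockdown_param()` ignores its argument, so presumably any `lockdown=...` value on the command line enables lockdown; a one-line comment stating that this is intended would help.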
From: Kyle McMartin -Date: Wed, 5 Apr 2017 17:40:30 +0100 -Subject: [43/61] Add a sysrq option to exit secure boot mode -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=e26d9e1cb0218082265875505edc284a63385010 +Date: Wed, 8 Nov 2017 15:11:31 +0000 +Subject: [02/29] Add a SysRq option to lift kernel lockdown +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=47a04d29e952d4dd896f2ec4c2ecee6971ab364d -Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running -kernel image to be modified. This lifts the lockdown. +Make an option to provide a sysrq key that will lift the kernel lockdown, +thereby allowing the running kernel image to be accessed and modified. + +On x86 this is triggered with SysRq+x, but this key may not be available on +all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h. +Since this macro must be defined in an arch to be able to use this facility +for that arch, the Kconfig option is restricted to arches that support it. Signed-off-by: Kyle McMartin 
Signed-off-by: David Howells -[bwh: For 4.12, adjust context] +cc: x86@kernel.org +[bwh: Forward-ported to 4.15] --- - arch/x86/Kconfig | 10 ++++++++++ - arch/x86/kernel/setup.c | 31 +++++++++++++++++++++++++++++++ - drivers/input/misc/uinput.c | 1 + - drivers/tty/sysrq.c | 19 +++++++++++++------ - include/linux/input.h | 5 +++++ - include/linux/sysrq.h | 8 +++++++- - kernel/debug/kdb/kdb_main.c | 2 +- - 7 files changed, 68 insertions(+), 8 deletions(-) + arch/x86/include/asm/setup.h | 2 ++ + drivers/input/misc/uinput.c | 1 + + drivers/tty/sysrq.c | 19 ++++++++++++------ + include/linux/input.h | 5 +++++ + include/linux/sysrq.h | 8 +++++++- + kernel/debug/kdb/kdb_main.c | 2 +- + security/Kconfig | 10 ++++++++++ + security/lock_down.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 86 insertions(+), 8 deletions(-) ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1898,6 +1898,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN - image. Say Y here to automatically lock down the kernel when a - system boots with UEFI Secure Boot enabled. +--- a/arch/x86/include/asm/setup.h ++++ b/arch/x86/include/asm/setup.h +@@ -9,6 +9,8 @@ + #include + #include -+config EFI_ALLOW_SECURE_BOOT_EXIT -+ def_bool n -+ depends on EFI_SECURE_BOOT_LOCK_DOWN && MAGIC_SYSRQ -+ select ALLOW_LOCKDOWN_LIFT -+ prompt "Allow secure boot mode to be exited with SysRq+x on a keyboard" -+ ---help--- -+ Allow secure boot mode to be exited and the kernel lockdown lifted by -+ typing SysRq+x on a keyboard attached to the system (not permitted -+ through procfs). ++#define LOCKDOWN_LIFT_KEY 'x' + - config SECCOMP - def_bool y - prompt "Enable seccomp to safely compute untrusted bytecode" ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -72,6 +72,11 @@ - #include - #include + #ifdef __i386__ -+#include -+#include -+#include -+#include -+ - #include - #include