diff --git a/debian/changelog b/debian/changelog
index 288828167..39345a189 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.17.5-1) UNRELEASED; urgency=medium
+linux (4.17.6-1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.4
@@ -274,6 +274,52 @@ linux (4.17.5-1) UNRELEASED; urgency=medium
 - [arm64] dts: meson-gxl-s905x-p212: Add phy-supply for usb0
 - [x86] mm: Don't free P4D table when it is folded at runtime
 - [armhf] dts: imx6q: Use correct SDMA script for SPI5 core
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.6
+ - userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access
+ - mm: hugetlb: yield when prepping struct pages
+ - mm: teach dump_page() to correctly output poisoned struct pages
+ - PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM
+ - ACPICA: Drop leading newlines from error messages
+ - ACPI / battery: Safe unregistering of hooks
+ - tracing: Avoid string overflow
+ - tracing: Fix missing return symbol in function_graph output
+ - scsi: sg: mitigate read/write abuse
+ - scsi: aacraid: Fix PD performance regression over incorrect qd being set
+ - scsi: target: Fix truncated PR-in ReadKeys response
+ - [s390x] Correct register corruption in critical section cleanup
+ - drbd: fix access after free
+ - vfio: Use get_user_pages_longterm correctly
+ - [armhf] dts: imx51-zii-rdu1: fix touchscreen pinctrl
+ - [armhf] dts: omap3: Fix am3517 mdio and emac clock references
+ - [armhf] dts: dra7: Disable metastability workaround for USB2
+ - cifs: Fix use after free of a mid_q_entry
+ - cifs: Fix memory leak in smb2_set_ea()
+ - cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
+ - cifs: Fix infinite loop when using hard mount option
+ - drm: Use kvzalloc for allocating blob property memory
+ - drm/udl: fix display corruption of the last line
+ - drm/amdgpu: Add amdgpu_atpx_get_dhandle()
+ - drm/amdgpu: Dynamically probe for ATIF handle (v2)
+ - ext4: include the illegal physical block in the bad map ext4_error msg
+ - ext4: add more mount time checks of the superblock
+ - ext4: check superblock mapped prior to committing
+ - HID: i2c-hid: Fix "incomplete report" noise
+ - HID: hiddev: fix potential Spectre v1 (CVE-2017-5715)
+ - HID: debug: check length before copy_to_user()
+ - HID: core: allow concurrent registration of drivers
+ - i2c: core: smbus: fix a potential missing-check bug
+ - i2c: smbus: kill memory leak on emulated and failed DMA SMBus xfers
+ - fs: allow per-device dax status checking for filesystems
+ - dax: change bdev_dax_supported() to support boolean returns
+ - dax: check for QUEUE_FLAG_DAX in bdev_dax_supported()
+ - dm: prevent DAX mounts if not supported
+ - mtd: cfi_cmdset_0002: Change definition naming to retry write operation
+ - mtd: cfi_cmdset_0002: Change erase functions to retry for error
+ - mtd: cfi_cmdset_0002: Change erase functions to check chip good only
+ - netfilter: nf_log: don't hold nf_log_mutex during user access
+ - [x86] staging: comedi: quatech_daqp_cs: fix no-op loop
+ daqp_ao_insn_write()
+ - Revert mm/vmstat.c: fix vmstat_update() preemption BUG
 [ Sjoerd Simons ]
 * [armhf] DRM: Enable CONFIG_DRM_IMX_PARALLEL_DISPLAY
@@ -291,6 +337,8 @@ linux (4.17.5-1) UNRELEASED; urgency=medium
 native tools built by kbuild
 * fs: Fix up non-directory creation in SGID directories (CVE-2018-13405)
 * sound/pci/hda: Ignore ABI changes
+ * HID: Avoid ABI change in 4.17.6
+ * dax: Avoid ABI change in 4.17.6
 [ Cyril Brulebois ]
 * udeb: Add virtio_console to virtio-modules (Closes: #903122).
diff --git a/debian/patches/bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/debian/patches/bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
deleted file mode 100644
index 8c4c722af..000000000
--- a/debian/patches/bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
+++ /dev/null
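Review bot: The added 4.17.6 entry `- HID: hiddev: fix potential Spectre v1 (CVE-2017-5715)` in debian/changelog pairs a variant 1 fix with the identifier assigned to Spectre variant 2 (branch target injection), so the annotation does not match the fix it names. Variant 1 (bounds check bypass) has its own CVE id, and anyone auditing Spectre coverage from this changelog would read the entry as a variant 2 fix. The line should read `- HID: hiddev: fix potential Spectre v1 (<variant 1 CVE id>)`, with the id confirmed against the security tracker before upload.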
@@ -1,48 +0,0 @@ -From: Theodore Ts'o -Date: Wed, 13 Jun 2018 00:23:11 -0400 -Subject: ext4: add corruption check in ext4_xattr_set_entry() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=4fda60bbdbb61de76e3d3c48ed77c9e9b96b00d1 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879 - -In theory this should have been caught earlier when the xattr list was -verified, but in case it got missed, it's simple enough to add check -to make sure we don't overrun the xattr buffer. - -This addresses CVE-2018-10879. - -https://bugzilla.kernel.org/show_bug.cgi?id=200001 - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger ---- - fs/ext4/xattr.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index fc4ced59c565..230ba79715f6 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, - handle_t *handle, struct inode *inode, - bool is_block) - { -- struct ext4_xattr_entry *last; -+ struct ext4_xattr_entry *last, *next; - struct ext4_xattr_entry *here = s->here; - size_t min_offs = s->end - s->base, name_len = strlen(i->name); - int in_inode = i->in_inode; -@@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, - - /* Compute min_offs and last. */ - last = s->first; -- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { -+ for (; !IS_LAST_ENTRY(last); last = next) { -+ next = EXT4_XATTR_NEXT(last); -+ if ((void *)next >= s->end) { -+ EXT4_ERROR_INODE(inode, "corrupted xattr entries"); -+ ret = -EFSCORRUPTED; -+ goto out; -+ } - if (!last->e_value_inum && last->e_value_size) { - size_t offs = le16_to_cpu(last->e_value_offs); - if (offs < min_offs) 
diff --git a/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch b/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
deleted file mode 100644
index 5a509ea49..000000000
--- a/debian/patches/bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From: Theodore Ts'o -Date: Sun, 17 Jun 2018 00:41:14 -0400 -Subject: ext4: add more inode number paranoia checks -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=a0b4bd6c4418a8d2ba51f27968f5af005e5dbbdd -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10882 - -If there is a directory entry pointing to a system inode (such as a -journal inode), complain and declare the file system to be corrupted. - -Also, if the superblock's first inode number field is too small, -refuse to mount the file system. - -This addresses CVE-2018-10882. - -https://bugzilla.kernel.org/show_bug.cgi?id=200069 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4.h | 5 ----- - fs/ext4/inode.c | 3 ++- - fs/ext4/super.c | 5 +++++ - 3 files changed, 7 insertions(+), 6 deletions(-) - ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -1501,11 +1501,6 @@ static inline struct ext4_inode_info *EX - static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) - { - return ino == EXT4_ROOT_INO || -- ino == EXT4_USR_QUOTA_INO || -- ino == EXT4_GRP_QUOTA_INO || -- ino == EXT4_BOOT_LOADER_INO || -- ino == EXT4_JOURNAL_INO || -- ino == EXT4_RESIZE_INO || - (ino >= EXT4_FIRST_INO(sb) && - ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); - } ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4506,7 +4506,8 @@ static int __ext4_get_inode_loc(struct i - int inodes_per_block, inode_offset; - - iloc->bh = NULL; -- if (!ext4_valid_inum(sb, inode->i_ino)) -+ if (inode->i_ino < EXT4_ROOT_INO || -+ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) - return -EFSCORRUPTED; - - iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3817,6 +3817,11 @@ static int ext4_fill_super(struct super_ - } else { - sbi->s_inode_size = le16_to_cpu(es->s_inode_size); - sbi->s_first_ino = le32_to_cpu(es->s_first_ino); -+ if (sbi->s_first_ino < 
EXT4_GOOD_OLD_FIRST_INO) { -+ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", -+ sbi->s_first_ino); -+ goto failed_mount; -+ } - if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || - (!is_power_of_2(sbi->s_inode_size)) || - (sbi->s_inode_size > blocksize)) { diff --git a/debian/patches/bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch b/debian/patches/bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch deleted file mode 100644 index 8516b36ae..000000000 --- a/debian/patches/bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From: Theodore Ts'o -Date: Wed, 13 Jun 2018 23:00:48 -0400 -Subject: ext4: always check block group bounds in ext4_init_block_bitmap() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=dcf37fefac3f699aa1341f86bcd7808ccc651c33 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10878 - -Regardless of whether the flex_bg feature is set, we should always -check to make sure the bits we are setting in the block bitmap are -within the block group bounds. - -https://bugzilla.kernel.org/show_bug.cgi?id=199865 - -Signed-off-by: Theodore Ts'o -[bwh: Backported to 4.17: adjust context] ---- - fs/ext4/balloc.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - ---- a/fs/ext4/balloc.c -+++ b/fs/ext4/balloc.c -@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct - unsigned int bit, bit_max; - struct ext4_sb_info *sbi = EXT4_SB(sb); - ext4_fsblk_t start, tmp; -- int flex_bg = 0; - struct ext4_group_info *grp; - - J_ASSERT_BH(bh, buffer_locked(bh)); -@@ -217,22 +216,19 @@ static int ext4_init_block_bitmap(struct - - start = ext4_group_first_block_no(sb, block_group); - -- if (ext4_has_feature_flex_bg(sb)) -- flex_bg = 1; -- - /* Set bits for block and inode bitmaps, and inode table */ - tmp = ext4_block_bitmap(sb, gdp); -- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) -+ if (ext4_block_in_group(sb, tmp, block_group)) - ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); - - tmp = ext4_inode_bitmap(sb, gdp); -- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) -+ if (ext4_block_in_group(sb, tmp, block_group)) - ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); - - tmp = ext4_inode_table(sb, gdp); - for (; tmp < ext4_inode_table(sb, gdp) + - sbi->s_itb_per_group; tmp++) { -- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) -+ if (ext4_block_in_group(sb, tmp, block_group)) - ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); - } - 
diff --git a/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch deleted file mode 100644 index 2522bcb4c..000000000 --- a/debian/patches/bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Theodore Ts'o -Date: Wed, 13 Jun 2018 00:51:28 -0400 -Subject: ext4: always verify the magic number in xattr blocks -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3345c50533c6a17ebc0284362ca7b69aaef37ac4 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10879 - -If there an inode points to a block which is also some other type of -metadata block (such as a block allocation bitmap), the -buffer_verified flag can be set when it was validated as that other -metadata block type; however, it would make a really terrible external -attribute block. The reason why we use the verified flag is to avoid -constantly reverifying the block. However, it doesn't take much -overhead to make sure the magic number of the xattr block is correct, -and this will avoid potential crashes. - -This addresses CVE-2018-10879. - -https://bugzilla.kernel.org/show_bug.cgi?id=200001 - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger ---- - fs/ext4/xattr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 230ba79715f6..0263692979ec 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, - { - int error = -EFSCORRUPTED; - -- if (buffer_verified(bh)) -- return 0; -- - if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || - BHDR(bh)->h_blocks != cpu_to_le32(1)) - goto errout; -+ if (buffer_verified(bh)) -+ return 0; -+ - error = -EFSBADCRC; - if (!ext4_xattr_block_csum_verify(inode, bh)) - goto errout; 
diff --git a/debian/patches/bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch b/debian/patches/bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch
deleted file mode 100644
index 911fcac74..000000000
--- a/debian/patches/bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch
+++ /dev/null
@@ -1,120 +0,0 @@ -From: Theodore Ts'o -Date: Sat, 16 Jun 2018 23:41:59 -0400 -Subject: ext4: avoid running out of journal credits when appending to an - inline file -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=3886651521995071fab29401094e675b6ebfdc8c -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10883 - -Use a separate journal transaction if it turns out that we need to -convert an inline file to use an data block. Otherwise we could end -up failing due to not having journal credits. - -This addresses CVE-2018-10883. - -https://bugzilla.kernel.org/show_bug.cgi?id=200071 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4.h | 3 --- - fs/ext4/inline.c | 38 +------------------------------------- - fs/ext4/xattr.c | 19 ++----------------- - 3 files changed, 3 insertions(+), 57 deletions(-) - ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -3005,9 +3005,6 @@ extern int ext4_inline_data_fiemap(struc - struct iomap; - extern int ext4_inline_data_iomap(struct inode *inode, struct iomap *iomap); - --extern int ext4_try_to_evict_inline_data(handle_t *handle, -- struct inode *inode, -- int needed); - extern int ext4_inline_data_truncate(struct inode *inode, int *has_inline); - - extern int ext4_convert_inline_data(struct inode *inode); ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -887,11 +887,11 @@ retry_journal: - flags |= AOP_FLAG_NOFS; - - if (ret == -ENOSPC) { -+ ext4_journal_stop(handle); - ret = ext4_da_convert_inline_data_to_extent(mapping, - inode, - flags, - fsdata); -- ext4_journal_stop(handle); - if (ret == -ENOSPC && - ext4_should_retry_alloc(inode->i_sb, &retries)) - goto retry_journal; -@@ -1891,42 +1891,6 @@ out: - return (error < 0 ? error : 0); - } - --/* -- * Called during xattr set, and if we can sparse space 'needed', -- * just create the extent tree evict the data to the outer block. 
-- * -- * We use jbd2 instead of page cache to move data to the 1st block -- * so that the whole transaction can be committed as a whole and -- * the data isn't lost because of the delayed page cache write. -- */ --int ext4_try_to_evict_inline_data(handle_t *handle, -- struct inode *inode, -- int needed) --{ -- int error; -- struct ext4_xattr_entry *entry; -- struct ext4_inode *raw_inode; -- struct ext4_iloc iloc; -- -- error = ext4_get_inode_loc(inode, &iloc); -- if (error) -- return error; -- -- raw_inode = ext4_raw_inode(&iloc); -- entry = (struct ext4_xattr_entry *)((void *)raw_inode + -- EXT4_I(inode)->i_inline_off); -- if (EXT4_XATTR_LEN(entry->e_name_len) + -- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) { -- error = -ENOSPC; -- goto out; -- } -- -- error = ext4_convert_inline_data_nolock(handle, inode, &iloc); --out: -- brelse(iloc.bh); -- return error; --} -- - int ext4_inline_data_truncate(struct inode *inode, int *has_inline) - { - handle_t *handle; ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -2212,23 +2212,8 @@ int ext4_xattr_ibody_inline_set(handle_t - if (EXT4_I(inode)->i_extra_isize == 0) - return -ENOSPC; - error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */); -- if (error) { -- if (error == -ENOSPC && -- ext4_has_inline_data(inode)) { -- error = ext4_try_to_evict_inline_data(handle, inode, -- EXT4_XATTR_LEN(strlen(i->name) + -- EXT4_XATTR_SIZE(i->value_len))); -- if (error) -- return error; -- error = ext4_xattr_ibody_find(inode, i, is); -- if (error) -- return error; -- error = ext4_xattr_set_entry(i, s, handle, inode, -- false /* is_block */); -- } -- if (error) -- return error; -- } -+ if (error) -+ return error; - header = IHDR(inode, ext4_raw_inode(&is->iloc)); - if (!IS_LAST_ENTRY(s->first)) { - header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC); 
diff --git a/debian/patches/bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch b/debian/patches/bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch
deleted file mode 100644
index f4344dd1f..000000000
--- a/debian/patches/bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch
+++ /dev/null
@@ -1,42 +0,0 @@ -From: Theodore Ts'o -Date: Fri, 15 Jun 2018 12:28:16 -0400 -Subject: ext4: clear i_data in ext4_inode_info when removing inline data -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=cd75e020ee28aa21985c6d8ebafc7457b4c51531 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10881 - -When converting from an inode from storing the data in-line to a data -block, ext4_destroy_inline_data_nolock() was only clearing the on-disk -copy of the i_blocks[] array. It was not clearing copy of the -i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually -used by ext4_map_blocks(). - -This didn't matter much if we are using extents, since the extents -header would be invalid and thus the extents could would re-initialize -the extents tree. But if we are using indirect blocks, the previous -contents of the i_blocks array will be treated as block numbers, with -potentially catastrophic results to the file system integrity and/or -user data. - -This gets worse if the file system is using a 1k block size and -s_first_data is zero, but even without this, the file system can get -quite badly corrupted. - -This addresses CVE-2018-10881. - -https://bugzilla.kernel.org/show_bug.cgi?id=200015 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inline.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -437,6 +437,7 @@ static int ext4_destroy_inline_data_nolo - - memset((void *)ext4_raw_inode(&is.iloc)->i_block, - 0, EXT4_MIN_INLINE_DATA_SIZE); -+ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE); - - if (ext4_has_feature_extents(inode->i_sb)) { - if (S_ISDIR(inode->i_mode) || diff --git a/debian/patches/bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch b/debian/patches/bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch deleted file mode 100644 index a1b2cfefd..000000000 
--- a/debian/patches/bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From: Theodore Ts'o -Date: Wed, 13 Jun 2018 23:08:26 -0400 -Subject: ext4: make sure bitmaps and the inode table don't overlap with bg - descriptors -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=6b506a7d09854128b1da9571d879ee9dea3ffb02 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10878 - -It's really bad when the allocation bitmaps and the inode table -overlap with the block group descriptors, since it causes random -corruption of the bg descriptors. So we really want to head those off -at the pass. - -https://bugzilla.kernel.org/show_bug.cgi?id=199865 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/super.c | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -2307,6 +2307,7 @@ static int ext4_check_descriptors(struct - struct ext4_sb_info *sbi = EXT4_SB(sb); - ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); - ext4_fsblk_t last_block; -+ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; - ext4_fsblk_t block_bitmap; - ext4_fsblk_t inode_bitmap; - ext4_fsblk_t inode_table; -@@ -2339,6 +2340,14 @@ static int ext4_check_descriptors(struct - if (!sb_rdonly(sb)) - return 0; - } -+ if (block_bitmap >= sb_block + 1 && -+ block_bitmap <= last_bg_block) { -+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " -+ "Block bitmap for group %u overlaps " -+ "block group descriptors", i); -+ if (!sb_rdonly(sb)) -+ return 0; -+ } - if (block_bitmap < first_block || block_bitmap > last_block) { - ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " - "Block bitmap for group %u not in group " -@@ -2353,6 +2362,14 @@ static int ext4_check_descriptors(struct - if (!sb_rdonly(sb)) - return 0; - } -+ if (inode_bitmap >= sb_block + 1 && -+ inode_bitmap <= last_bg_block) { -+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " -+ "Inode bitmap for group %u overlaps " -+ "block group descriptors", i); -+ if 
(!sb_rdonly(sb)) -+ return 0; -+ } - if (inode_bitmap < first_block || inode_bitmap > last_block) { - ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " - "Inode bitmap for group %u not in group " -@@ -2367,6 +2384,14 @@ static int ext4_check_descriptors(struct - if (!sb_rdonly(sb)) - return 0; - } -+ if (inode_table >= sb_block + 1 && -+ inode_table <= last_bg_block) { -+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " -+ "Inode table for group %u overlaps " -+ "block group descriptors", i); -+ if (!sb_rdonly(sb)) -+ return 0; -+ } - if (inode_table < first_block || - inode_table + sbi->s_itb_per_group - 1 > last_block) { - ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " diff --git a/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch b/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch deleted file mode 100644 index ea530a7a2..000000000 --- a/debian/patches/bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Theodore Ts'o -Date: Sat, 16 Jun 2018 15:40:48 -0400 -Subject: ext4: never move the system.data xattr out of the inode body -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=896003d9fd652666080a06411d4238ee6eb4fb76 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10880 - -When expanding the extra isize space, we must never move the -system.data xattr out of the inode body. For performance reasons, it -doesn't make any sense, and the inline data implementation assumes -that system.data xattr is never in the external xattr block. - -This addresses CVE-2018-10880 - -https://bugzilla.kernel.org/show_bug.cgi?id=200005 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/xattr.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -2657,6 +2657,11 @@ static int ext4_xattr_make_inode_space(h - last = IFIRST(header); - /* Find the entry best suited to be pushed into EA block */ - for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { -+ /* never move system.data out of the inode */ -+ if ((last->e_name_len == 4) && -+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && -+ !memcmp(last->e_name, "data", 4)) -+ continue; - total_size = EXT4_XATTR_LEN(last->e_name_len); - if (!last->e_value_inum) - total_size += EXT4_XATTR_SIZE( diff --git a/debian/patches/bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch b/debian/patches/bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch deleted file mode 100644 index 1eba51ee7..000000000 --- a/debian/patches/bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From: Theodore Ts'o -Date: Thu, 14 Jun 2018 00:58:00 -0400 -Subject: ext4: only look at the bg_flags field if it is valid -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=32a82d31527ae9cb568f5d7fa5ad27b2860324ed -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10876 - -The bg_flags field in the block group descripts is only valid if the -uninit_bg or metadata_csum feature is enabled. We were not -consistently looking at this field; fix this. - -Also block group #0 must never have uninitialized allocation bitmaps, -or need to be zeroed, since that's where the root inode, and other -special inodes are set up. Check for these conditions and mark the -file system as corrupted if they are detected. - -This addresses CVE-2018-10876. - -https://bugzilla.kernel.org/show_bug.cgi?id=199403 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/balloc.c | 11 ++++++++++- - fs/ext4/ialloc.c | 14 ++++++++++++-- - fs/ext4/mballoc.c | 6 ++++-- - fs/ext4/super.c | 11 ++++++++++- - 4 files changed, 36 insertions(+), 6 deletions(-) - ---- a/fs/ext4/balloc.c -+++ b/fs/ext4/balloc.c -@@ -451,7 +451,16 @@ ext4_read_block_bitmap_nowait(struct sup - goto verify; - } - ext4_lock_group(sb, block_group); -- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { -+ if (ext4_has_group_desc_csum(sb) && -+ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { -+ if (block_group == 0) { -+ ext4_unlock_group(sb, block_group); -+ unlock_buffer(bh); -+ ext4_error(sb, "Block bitmap for bg 0 marked " -+ "uninitialized"); -+ err = -EFSCORRUPTED; -+ goto out; -+ } - err = ext4_init_block_bitmap(sb, bh, block_group, desc); - set_bitmap_uptodate(bh); - set_buffer_uptodate(bh); ---- a/fs/ext4/ialloc.c -+++ b/fs/ext4/ialloc.c -@@ -155,7 +155,16 @@ ext4_read_inode_bitmap(struct super_bloc - } - - ext4_lock_group(sb, block_group); -- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { -+ if (ext4_has_group_desc_csum(sb) && -+ 
(desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { -+ if (block_group == 0) { -+ ext4_unlock_group(sb, block_group); -+ unlock_buffer(bh); -+ ext4_error(sb, "Inode bitmap for bg 0 marked " -+ "uninitialized"); -+ err = -EFSCORRUPTED; -+ goto out; -+ } - memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); - ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), - sb->s_blocksize * 8, bh->b_data); -@@ -1000,7 +1009,8 @@ got: - - /* recheck and clear flag under lock if we still need to */ - ext4_lock_group(sb, group); -- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { -+ if (ext4_has_group_desc_csum(sb) && -+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { - gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); - ext4_free_group_clusters_set(sb, gdp, - ext4_free_clusters_after_init(sb, group, gdp)); ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -2444,7 +2444,8 @@ int ext4_mb_add_groupinfo(struct super_b - * initialize bb_free to be able to skip - * empty groups without initialization - */ -- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { -+ if (ext4_has_group_desc_csum(sb) && -+ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { - meta_group_info[i]->bb_free = - ext4_free_clusters_after_init(sb, group, desc); - } else { -@@ -3011,7 +3012,8 @@ ext4_mb_mark_diskspace_used(struct ext4_ - #endif - ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start, - ac->ac_b_ex.fe_len); -- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { -+ if (ext4_has_group_desc_csum(sb) && -+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { - gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); - ext4_free_group_clusters_set(sb, gdp, - ext4_free_clusters_after_init(sb, ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3098,13 +3098,22 @@ static ext4_group_t ext4_has_uninit_itab - ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count; - struct ext4_group_desc *gdp = NULL; - -+ if (!ext4_has_group_desc_csum(sb)) -+ return ngroups; -+ - 
for (group = 0; group < ngroups; group++) { - gdp = ext4_get_group_desc(sb, group, NULL); - if (!gdp) - continue; - -- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) -+ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)) -+ continue; -+ if (group != 0) - break; -+ ext4_error(sb, "Inode table for bg 0 marked as " -+ "needing zeroing"); -+ if (sb_rdonly(sb)) -+ return ngroups; - } - - return group; diff --git a/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch b/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch deleted file mode 100644 index 06220d2f2..000000000 --- a/debian/patches/bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From: Theodore Ts'o -Date: Thu, 14 Jun 2018 12:55:10 -0400 -Subject: ext4: verify the depth of extent tree in ext4_find_extent() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=0a8173832987f52ab6926dbdf1cd3991ca615000 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10877 - -If there is a corupted file system where the claimed depth of the -extent tree is -1, this can cause a massive buffer overrun leading to -sadness. - -This addresses CVE-2018-10877. - -https://bugzilla.kernel.org/show_bug.cgi?id=199417 - -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4_extents.h | 1 + - fs/ext4/extents.c | 6 ++++++ - 2 files changed, 7 insertions(+) - ---- a/fs/ext4/ext4_extents.h -+++ b/fs/ext4/ext4_extents.h -@@ -91,6 +91,7 @@ struct ext4_extent_header { - }; - - #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) -+#define EXT4_MAX_EXTENT_DEPTH 5 - - #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ - (sizeof(struct ext4_extent_header) + \ ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ex - - eh = ext_inode_hdr(inode); - depth = ext_depth(inode); -+ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { -+ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", -+ depth); -+ ret = -EFSCORRUPTED; -+ goto err; -+ } - - if (path) { - ext4_ext_drop_refs(path); diff --git a/debian/patches/bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch b/debian/patches/bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch deleted file mode 100644 index 2db452039..000000000 --- a/debian/patches/bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: Theodore Ts'o -Date: Sat, 16 Jun 2018 20:21:45 -0400 -Subject: jbd2: don't mark block as modified if the handle is out of credits -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=aa18d2cefac6c34885659d12c3fdcffcd6c54e9a -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10883 - -Do not set the b_modified flag in block's journal head should not -until after we're sure that jbd2_journal_dirty_metadat() will not -abort with an error due to there not being enough space reserved in -the jbd2 handle. - -Otherwise, future attempts to modify the buffer may lead a large -number of spurious errors and warnings. - -This addresses CVE-2018-10883. - -https://bugzilla.kernel.org/show_bug.cgi?id=200071 - -Signed-off-by: Theodore Ts'o ---- - fs/jbd2/transaction.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - ---- a/fs/jbd2/transaction.c -+++ b/fs/jbd2/transaction.c -@@ -1363,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t - if (jh->b_transaction == transaction && - jh->b_jlist != BJ_Metadata) { - jbd_lock_bh_state(bh); -+ if (jh->b_transaction == transaction && -+ jh->b_jlist != BJ_Metadata) -+ pr_err("JBD2: assertion failure: h_type=%u " -+ "h_line_no=%u block_no=%llu jlist=%u\n", -+ handle->h_type, handle->h_line_no, -+ (unsigned long long) bh->b_blocknr, -+ jh->b_jlist); - J_ASSERT_JH(jh, jh->b_transaction != transaction || - jh->b_jlist == BJ_Metadata); - jbd_unlock_bh_state(bh); -@@ -1382,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t - * of the transaction. This needs to be done - * once a transaction -bzzz - */ -- jh->b_modified = 1; - if (handle->h_buffer_credits <= 0) { - ret = -ENOSPC; - goto out_unlock_bh; - } -+ jh->b_modified = 1; - handle->h_buffer_credits--; - } - diff --git a/debian/patches/debian/dax-avoid-abi-change-in-4.17.6.patch b/debian/patches/debian/dax-avoid-abi-change-in-4.17.6.patch new file mode 100644 index 000000000..eda8d3ed9 
--- /dev/null +++ b/debian/patches/debian/dax-avoid-abi-change-in-4.17.6.patch 
@@ -0,0 +1,63 @@ +From: Ben Hutchings +Date: Thu, 12 Jul 2018 01:02:13 +0100 +Subject: dax: Avoid ABI change in 4.17.6 +Forwarded: not-needed + +The return type and first parameter type for bdev_dax_supported() and +__bdev_dax_supported() were changed by commits ba23cba9b3bd "fs: allow +per-device dax status checking for filesystems" and 80660f20252d "dax: +change bdev_dax_supported() to support boolean returns". + +Avoid an ABI break by renaming the new version of +__bdev_dax_supported() and reintroducing the old version as a wrapper +for it. Add a #define so that the old version is hidden from the API, +i.e. newly built modules must use the new API. + +--- +--- a/drivers/dax/super.c ++++ b/drivers/dax/super.c +@@ -72,6 +72,8 @@ struct dax_device *fs_dax_get_by_bdev(st + EXPORT_SYMBOL_GPL(fs_dax_get_by_bdev); + #endif + ++#undef __bdev_dax_supported ++ + /** + * __bdev_dax_supported() - Check if the device supports dax for filesystem + * @bdev: block device to check +@@ -82,7 +84,7 @@ EXPORT_SYMBOL_GPL(fs_dax_get_by_bdev); + * + * Return: true if supported, false if unsupported + */ +-bool __bdev_dax_supported(struct block_device *bdev, int blocksize) ++bool __bdev_dax_supported_new(struct block_device *bdev, int blocksize) + { + struct dax_device *dax_dev; + struct request_queue *q; +@@ -152,6 +154,13 @@ bool __bdev_dax_supported(struct block_d + + return true; + } ++EXPORT_SYMBOL_GPL(__bdev_dax_supported_new); ++ ++int __bdev_dax_supported(struct super_block *sb, int blocksize) ++{ ++ return __bdev_dax_supported_bdev(sb->s_bdev, blocksize) ++ ? 
0 : -EOPNOTSUPP; ++} + EXPORT_SYMBOL_GPL(__bdev_dax_supported); + #endif + +--- a/include/linux/dax.h ++++ b/include/linux/dax.h +@@ -64,7 +64,9 @@ static inline bool dax_write_cache_enabl + struct writeback_control; + int bdev_dax_pgoff(struct block_device *, sector_t, size_t, pgoff_t *pgoff); + #if IS_ENABLED(CONFIG_FS_DAX) +-bool __bdev_dax_supported(struct block_device *bdev, int blocksize); ++int __bdev_dax_supported(struct super_block *sb, int blocksize); ++bool __bdev_dax_supported_new(struct block_device *bdev, int blocksize); ++#define __bdev_dax_supported __bdev_dax_supported_new + static inline bool bdev_dax_supported(struct block_device *bdev, int blocksize) + { + return __bdev_dax_supported(bdev, blocksize); diff --git a/debian/patches/debian/hid-avoid-abi-change-in-4.17.6.patch b/debian/patches/debian/hid-avoid-abi-change-in-4.17.6.patch new file mode 100644 index 000000000..050bdf2b4 --- /dev/null +++ b/debian/patches/debian/hid-avoid-abi-change-in-4.17.6.patch 
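Review bot: The compatibility wrapper `__bdev_dax_supported(struct super_block *sb, int blocksize)` added near the end of the drivers/dax/super.c part calls `__bdev_dax_supported_bdev()`, which nothing visible in this patch declares or defines. The renamed function, its `EXPORT_SYMBOL_GPL` line and the prototype in include/linux/dax.h all use `__bdev_dax_supported_new`. Unless that other name exists elsewhere in the tree, the call is an implicit declaration and the old ABI symbol will not build or link. The call should read `return __bdev_dax_supported_new(sb->s_bdev, blocksize)`. A one-line comment on the wrapper would also help, saying it exists only to keep the old exported symbol and maps `false` to `-EOPNOTSUPP`.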
@@ -0,0 +1,80 @@ +From: Ben Hutchings +Date: Thu, 12 Jul 2018 00:39:38 +0100 +Subject: HID: Avoid ABI change in 4.17.6 +Forwarded: not-needed + +Commit 8f732850df1b "HID: core: allow concurrent registration of +drivers" introduced atomic bit-operations on hid_device::status, and +changed its type from unsigned int to unsigned long as required for +those operations. + +Revert the type change and use cmpxchg() for the bit-operations, +since it supports unsigned int. + +--- +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1929,6 +1929,34 @@ static int hid_bus_match(struct device * + return hid_match_device(hdev, hdrv) != NULL; + } + ++static void clear_status_flag(unsigned int flag, unsigned int *status) ++{ ++ unsigned int expect, old; ++ ++ expect = READ_ONCE(*status); ++ for (;;) { ++ old = cmpxchg(status, expect, expect & ~flag); ++ if (old == expect) ++ break; ++ expect = old; ++ } ++} ++ ++static bool test_and_set_status_flag(unsigned int flag, unsigned int *status) ++{ ++ unsigned int expect, old; ++ ++ expect = READ_ONCE(*status); ++ for (;;) { ++ old = cmpxchg(status, expect, expect | flag); ++ if (old == expect) ++ break; ++ expect = old; ++ } ++ ++ return old & flag; ++} ++ + static int hid_device_probe(struct device *dev) + { + struct hid_driver *hdrv = to_hid_driver(dev->driver); +@@ -1942,7 +1970,7 @@ static int hid_device_probe(struct devic + } + hdev->io_started = false; + +- clear_bit(ffs(HID_STAT_REPROBED), &hdev->status); ++ clear_status_flag(HID_STAT_REPROBED, &hdev->status); + + if (!hdev->driver) { + id = hid_match_device(hdev, hdrv); +@@ -2208,7 +2236,7 @@ static int __hid_bus_reprobe_drivers(str + + if (hdev->driver == hdrv && + !hdrv->match(hdev, hid_ignore_special_drivers) && +- !test_and_set_bit(ffs(HID_STAT_REPROBED), &hdev->status)) ++ !test_and_set_status_flag(HID_STAT_REPROBED, &hdev->status)) + return device_reprobe(dev); + + return 0; +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -569,7 +569,7 @@ struct 
hid_device { /* device repo + bool battery_avoid_query; + #endif + +- unsigned long status; /* see STAT flags above */ ++ unsigned int status; /* see STAT flags above */ + unsigned claimed; /* Claimed by hidinput, hiddev? */ + unsigned quirks; /* Various quirks the device can pull on us */ + bool io_started; /* If IO has started */ diff --git a/debian/patches/series b/debian/patches/series index d6716d163..db045dd78 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -133,17 +133,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch -bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch -bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch -bugfix/all/ext4-make-sure-bitmaps-and-the-inode-table-don-t-ove.patch -bugfix/all/ext4-only-look-at-the-bg_flags-field-if-it-is-valid.patch -bugfix/all/ext4-verify-the-depth-of-extent-tree-in-ext4_find_ex.patch -bugfix/all/ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch -bugfix/all/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch -bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch -bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch -bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch bugfix/all/fix-up-non-directory-creation-in-sgid-directories.patch @@ -166,3 +155,5 @@ bugfix/all/lockdep-stub-nmi-watchdog-reset.patch debian/wireless-disable-regulatory.db-direct-loading.patch # ABI maintenance +debian/hid-avoid-abi-change-in-4.17.6.patch +debian/dax-avoid-abi-change-in-4.17.6.patch
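Review bot: The new helpers `clear_status_flag()` and `test_and_set_status_flag()` in drivers/hid/hid-core.c take a flag mask, while the `clear_bit()`/`test_and_set_bit()` calls they replace took a bit number from `ffs(HID_STAT_REPROBED)`, and nothing in the patch says so. Since `ffs()` is 1-based, the bit now touched is presumably not the one the upstream expression selected. That is harmless only while every user of `hid_device::status` goes through these helpers, which the hunk cannot show. I would add a comment above them such as `/* Atomic RMW on hid_device::status via cmpxchg(); takes a flag mask, not a bit number */`.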