Update to 4.14.11

Salvatore Bonaccorso 2018-01-05 12:46:27 +01:00
parent 304afa4414
commit 96dad8ed7e
9 changed files with 42 additions and 242 deletions

debian/changelog

@ -1,9 +1,43 @@
linux (4.14.10-1) UNRELEASED; urgency=medium
linux (4.14.11-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.8
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.9
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.10
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE
- x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
- x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3
switching
- x86/mm/pti: Add infrastructure for page table isolation
- x86/pti: Add the pti= cmdline option and documentation
- x86/mm/pti: Add mapping helper functions
- x86/mm/pti: Allow NX poison to be set in p4d/pgd
- x86/mm/pti: Allocate a separate user PGD
- x86/mm/pti: Populate user PGD
- x86/mm/pti: Add functions to clone kernel PMDs
- x86/mm/pti: Force entry through trampoline when PTI active
- x86/mm/pti: Share cpu_entry_area with user space page tables
- x86/entry: Align entry text section to PMD boundary
- x86/mm/pti: Share entry text PMD
- x86/mm/pti: Map ESPFIX into user space
- x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
- x86/events/intel/ds: Map debug buffers in cpu_entry_area
- x86/mm/64: Make a full PGD-entry size hole in the memory map
- x86/pti: Put the LDT in its own PGD if PTI is on
- x86/pti: Map the vsyscall page if needed
- x86/mm: Allow flushing for future ASID switches
- x86/mm: Abstract switching CR3
- x86/mm: Use/Fix PCID to optimize user/kernel switches
- x86/mm: Optimize RESTORE_CR3
- x86/mm: Use INVPCID for __native_flush_tlb_single()
- x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
- x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
- x86/mm/pti: Add Kconfig
- net: Fix double free and memory corruption in get_net_ns_by_id()
(CVE-2017-15129)
* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
(CVE-2017-5754)
[ Ben Hutchings ]
* e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
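Review bot: the "* New upstream stable update:" list does not record the two Debian patches this commit drops, net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712) and netlink: Add netns check on taps (CVE-2017-17449), although they are removed from debian/patches/series in the same commit on the understanding that the 4.14.8-4.14.11 ChangeLogs carry them; add them as "- ... (CVE-...)" items next to the get_net_ns_by_id entry so the security tracker can tie those CVEs to 4.14.11-1. Also, the first block of items has no "[ Name ]" author header while the e1000e item is introduced with "[ Ben Hutchings ]"; with more than one author every block should carry one.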


@ -1,70 +0,0 @@
From: Mohamed Ghannam <simo.ghannam@gmail.com>
Date: Sun, 10 Dec 2017 03:50:58 +0000
Subject: net: ipv4: fix for a race condition in raw_sendmsg
Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712
inet->hdrincl is racy, and could lead to uninitialized stack pointer
usage, so its value should be read only once.
Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/raw.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk,
int err;
struct ip_options_data opt_copy;
struct raw_frag_vec rfv;
+ int hdrincl;
err = -EMSGSIZE;
if (len > 0xFFFF)
goto out;
+ /* hdrincl should be READ_ONCE(inet->hdrincl)
+ * but READ_ONCE() doesn't work with bit fields
+ */
+ hdrincl = inet->hdrincl;
/*
* Check the flags.
*/
@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk,
/* Linux does not mangle headers on raw sockets,
* so that IP options + IP_HDRINCL is non-sense.
*/
- if (inet->hdrincl)
+ if (hdrincl)
goto done;
if (ipc.opt->opt.srr) {
if (!daddr)
@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk,
flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
RT_SCOPE_UNIVERSE,
- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
inet_sk_flowi_flags(sk) |
- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
daddr, saddr, 0, 0, sk->sk_uid);
- if (!inet->hdrincl) {
+ if (!hdrincl) {
rfv.msg = msg;
rfv.hlen = 0;
@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk,
goto do_confirm;
back_from_confirm:
- if (inet->hdrincl)
+ if (hdrincl)
err = raw_send_hdrinc(sk, &fl4, msg, len,
&rt, msg->msg_flags, &ipc.sockc);
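Review bot: dropping this file is only correct if the stable backport of 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg") is in one of the 4.14.8-4.14.11 ChangeLogs cited in debian/changelog; the Origin: line records the mainline id and stable commits carry their own ids, so grep the stable ChangeLogs for the subject line rather than the hash before relying on this removal for CVE-2017-17712.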


@ -1,39 +0,0 @@
From: Kevin Cernekee <cernekee@chromium.org>
Date: Wed, 6 Dec 2017 12:12:27 -0800
Subject: netlink: Add netns check on taps
Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity. Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.
Test case:
vpnns -- bash -c "ip link add nlmon0 type nlmon; \
ip link set nlmon0 up; \
tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
spi 0x1 mode transport \
auth sha1 0x6162633132330000000000000000000000000000 \
enc aes 0x00000000000000000000000000000000
grep --binary abc123 /tmp/nlmon.pcap
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/netlink/af_netlink.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str
struct sock *sk = skb->sk;
int ret = -ENOMEM;
+ if (!net_eq(dev_net(dev), sock_net(sk)))
+ return 0;
+
dev_hold(dev);
if (is_vmalloc_addr(skb->head))
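Review bot: before this removal is relied on for CVE-2017-17449, check by subject that "netlink: Add netns check on taps" appears in one of the stable ChangeLogs cited in debian/changelog; the Origin: line gives the mainline id 93c647643b48, which will not match the stable backport's own commit id. The nlmon test case in the description is a quick regression check worth running on the 4.14.11 build: the grep on /tmp/nlmon.pcap must come back empty when the xfrm state is added from the parent namespace.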


@ -1,76 +0,0 @@
From: Anna-Maria Gleixner <anna-maria@linutronix.de>
Date: Fri, 22 Dec 2017 15:51:12 +0100
Subject: [PATCH 1/4] timer: Use deferrable base independent of
base::nohz_active
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.8-rt9.tar.xz
During boot and before base::nohz_active is set in the timer bases, deferrable
timers are enqueued into the standard timer base. This works correctly as
long as base::nohz_active is false.
Once it base::nohz_active is set and a timer which was enqueued before that
is accessed the lock selector code choses the lock of the deferred
base. This causes unlocked access to the standard base and in case the
timer is removed it does not clear the pending flag in the standard base
bitmap which causes get_next_timer_interrupt() to return bogus values.
To prevent that, the deferrable timers must be enqueued in the deferrable
base, even when base::nohz_active is not set. Those deferrable timers also
need to be expired unconditional.
Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Cc: rt@linutronix.de
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
kernel/time/timer.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index f2674a056c26..fdfaf4f3bcfa 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -814,11 +814,10 @@ static inline struct timer_base *get_timer_cpu_base(u32 tflags, u32 cpu)
struct timer_base *base = per_cpu_ptr(&timer_bases[BASE_STD], cpu);
/*
- * If the timer is deferrable and nohz is active then we need to use
- * the deferrable base.
+ * If the timer is deferrable and NO_HZ_COMMON is set then we need
+ * to use the deferrable base.
*/
- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
- (tflags & TIMER_DEFERRABLE))
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
base = per_cpu_ptr(&timer_bases[BASE_DEF], cpu);
return base;
}
@@ -828,11 +827,10 @@ static inline struct timer_base *get_timer_this_cpu_base(u32 tflags)
struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
/*
- * If the timer is deferrable and nohz is active then we need to use
- * the deferrable base.
+ * If the timer is deferrable and NO_HZ_COMMON is set then we need
+ * to use the deferrable base.
*/
- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
- (tflags & TIMER_DEFERRABLE))
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
base = this_cpu_ptr(&timer_bases[BASE_DEF]);
return base;
}
@@ -1644,7 +1642,7 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h)
base->must_forward_clk = false;
__run_timers(base);
- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active)
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
__run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
}
--
2.15.1
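Review bot: confirm that "timer: Use deferrable base independent of base::nohz_active" is in ChangeLog-4.14.11 before removing it from the RT featureset; its Origin: is the patches-4.14.8-rt9 tarball rather than a mainline or stable commit, so there is no hash to match and the subject line is the only handle. The removal is safe only if the get_timer_cpu_base()/get_timer_this_cpu_base() change and the unconditional BASE_DEF run in run_timer_softirq() are all present in the stable tree, not just one of the three hunks.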


@ -1,45 +0,0 @@
From: Thomas Gleixner <tglx@linutronix.de>
Date: Fri, 22 Dec 2017 15:51:14 +0100
Subject: [PATCH 3/4] timer: Invoke timer_start_debug() where it makes sense
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.8-rt9.tar.xz
The timer start debug function is called before the proper timer base is
set. As a consequence the trace data contains the stale CPU and flags
values.
Call the debug function after setting the new base and flags.
Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Cc: rt@linutronix.de
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
kernel/time/timer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index fdfaf4f3bcfa..a4d095e1010e 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -982,8 +982,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
if (!ret && pending_only)
goto out_unlock;
- debug_activate(timer, expires);
-
new_base = get_target_base(base, timer->flags);
if (base != new_base) {
@@ -1007,6 +1005,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
}
}
+ debug_activate(timer, expires);
+
timer->expires = expires;
/*
* If 'idx' was calculated above and the base time did not advance
--
2.15.1


@ -115,7 +115,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
return period;
}
@@ -684,10 +689,10 @@ static ktime_t tick_nohz_stop_sched_tick
@@ -689,10 +694,10 @@ static ktime_t tick_nohz_stop_sched_tick
/* Read jiffies and the time when jiffies were updated last */
do {
@ -127,7 +127,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ } while (read_seqcount_retry(&jiffies_seq, seq));
ts->last_jiffies = basejiff;
if (rcu_needs_cpu(basemono, &next_rcu) ||
/*
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -2326,8 +2326,10 @@ EXPORT_SYMBOL(hardpps);


@ -76,7 +76,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
call preempt_schedule_irq
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -750,7 +750,23 @@ retint_kernel:
@@ -761,7 +761,23 @@ retint_kernel:
bt $9, EFLAGS(%rsp) /* were interrupts off? */
jnc 1f
0: cmpl $0, PER_CPU_VAR(__preempt_count)
@ -205,7 +205,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
/*
--- a/arch/x86/kernel/asm-offsets.c
+++ b/arch/x86/kernel/asm-offsets.c
@@ -37,6 +37,7 @@ void common(void) {
@@ -38,6 +38,7 @@ void common(void) {
BLANK();
OFFSET(TASK_TI_flags, task_struct, thread_info.flags);
@ -213,11 +213,11 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
OFFSET(TASK_addr_limit, task_struct, thread.addr_limit);
BLANK();
@@ -93,6 +94,7 @@ void common(void) {
@@ -94,6 +95,7 @@ void common(void) {
BLANK();
DEFINE(PTREGS_SIZE, sizeof(struct pt_regs));
+ DEFINE(_PREEMPT_ENABLED, PREEMPT_ENABLED);
/* Layout info for cpu_entry_area */
OFFSET(CPU_ENTRY_AREA_tss, cpu_entry_area, tss);
/* TLB state for the entry code */
OFFSET(TLB_STATE_user_pcid_flush_mask, tlb_state, user_pcid_flush_mask);
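Review bot: these are offset-only refreshes (the inner @@ headers move from 750 to 761, 37 to 38 and 93 to 94) and the new context line OFFSET(TLB_STATE_user_pcid_flush_mask, tlb_state, user_pcid_flush_mask) shows the patch now sits on top of the PTI code that 4.14.11 brings in; since this RT patch edits the retint_kernel path in arch/x86/entry/entry_64.S and the stable update reworks the entry code (the "x86/mm/pti: Force entry through trampoline when PTI active" and "x86/entry: Align entry text section to PMD boundary" items in debian/changelog), a clean refresh only proves the patch still applies, not that its preemption check still fits the reworked entry path; boot-test the rt flavour on amd64 with PTI enabled (the new pti= option) before merging.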


@ -119,9 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
bugfix/all/netlink-add-netns-check-on-taps.patch
bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch


@ -16,9 +16,7 @@ features/all/rt/rcu-Suppress-lockdep-false-positive-boost_mtx-compla.patch
############################################################
# Timer/NOHZ fixups
features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch
features/all/rt/0002-nohz-Prevent-erroneous-tick-stop-invocations.patch
features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch
features/all/rt/0004-timerqueue-Document-return-values-of-timerqueue_add-.patch
# soft hrtimer patches (v4)
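Review bot: the hunk drops 0001 and 0003 of a four-patch Timer/NOHZ set but leaves 0002-nohz-Prevent-erroneous-tick-stop-invocations.patch and 0004-timerqueue-Document-return-values-of-timerqueue_add-.patch in place; all four came from the same patches-4.14.8-rt9 queue and were posted together, so either check whether 0002 and 0004 also landed in 4.14.11 and drop them too, or add a comment under "# Timer/NOHZ fixups" stating why only two are removed.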