From 96dad8ed7e8df2be5a6ee2308c72c244ca68370d Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Fri, 5 Jan 2018 12:46:27 +0100
Subject: [PATCH] Update to 4.14.11
---
 debian/changelog | 36 ++++++++-
 ...-for-a-race-condition-in-raw_sendmsg.patch | 70 -----------------
 .../all/netlink-add-netns-check-on-taps.patch | 39 ----------
 ...able-base-independent-of-base-nohz_a.patch | 76 -------------------
 ...mer_start_debug-where-it-makes-sense.patch | 45 -----------
 .../rt/timekeeping-split-jiffies-lock.patch | 4 +-
 .../features/all/rt/x86-preempt-lazy.patch | 10 +--
 debian/patches/series | 2 -
 debian/patches/series-rt | 2 -
 9 files changed, 42 insertions(+), 242 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
 delete mode 100644 debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
 delete mode 100644 debian/patches/features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch
 delete mode 100644 debian/patches/features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch
diff --git a/debian/changelog b/debian/changelog
index 105b1a547..ca7220c0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,43 @@ -linux (4.14.10-1) UNRELEASED; urgency=medium +linux (4.14.11-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.8 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.9 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.10 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11 + - x86/cpufeatures: Add X86_BUG_CPU_INSECURE + - x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y + - x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 + switching + - x86/mm/pti: Add infrastructure for page table isolation + - x86/pti: Add the pti= cmdline option and documentation + - x86/mm/pti: Add mapping helper functions + - x86/mm/pti: Allow NX poison to be set in p4d/pgd + - x86/mm/pti: Allocate a separate user PGD + - x86/mm/pti: Populate user PGD + - x86/mm/pti: Add functions to clone kernel PMDs + - x86/mm/pti: Force entry through trampoline when PTI active + - x86/mm/pti: Share cpu_entry_area with user space page tables + - x86/entry: Align entry text section to PMD boundary + - x86/mm/pti: Share entry text PMD + - x86/mm/pti: Map ESPFIX into user space + - x86/cpu_entry_area: Add debugstore entries to cpu_entry_area + - x86/events/intel/ds: Map debug buffers in cpu_entry_area + - x86/mm/64: Make a full PGD-entry size hole in the memory map + - x86/pti: Put the LDT in its own PGD if PTI is on + - x86/pti: Map the vsyscall page if needed + - x86/mm: Allow flushing for future ASID switches + - x86/mm: Abstract switching CR3 + - x86/mm: Use/Fix PCID to optimize user/kernel switches + - x86/mm: Optimize RESTORE_CR3 + - x86/mm: Use INVPCID for __native_flush_tlb_single() + - x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming + - x86/dumpstack: Indicate in Oops whether PTI is configured and enabled + - x86/mm/pti: Add Kconfig + - net: Fix double free and memory corruption in get_net_ns_by_id() + (CVE-2017-15129) + * [amd64] Implement Kernel 
Page Table Isolation (KPTI, aka KAISER) + (CVE-2017-5754) [ Ben Hutchings ] * e1000e: Fix e1000_check_for_copper_link_ich8lan return value. diff --git a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch deleted file mode 100644 index 23ec66984..000000000 --- a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From: Mohamed Ghannam -Date: Sun, 10 Dec 2017 03:50:58 +0000 -Subject: net: ipv4: fix for a race condition in raw_sendmsg -Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712 - -inet->hdrincl is racy, and could lead to uninitialized stack pointer -usage, so its value should be read only once. - -Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt") -Signed-off-by: Mohamed Ghannam -Reviewed-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/ipv4/raw.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, - int err; - struct ip_options_data opt_copy; - struct raw_frag_vec rfv; -+ int hdrincl; - - err = -EMSGSIZE; - if (len > 0xFFFF) - goto out; - -+ /* hdrincl should be READ_ONCE(inet->hdrincl) -+ * but READ_ONCE() doesn't work with bit fields -+ */ -+ hdrincl = inet->hdrincl; - /* - * Check the flags. - */ -@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, - /* Linux does not mangle headers on raw sockets, - * so that IP options + IP_HDRINCL is non-sense. - */ -- if (inet->hdrincl) -+ if (hdrincl) - goto done; - if (ipc.opt->opt.srr) { - if (!daddr) -@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, - - flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, - RT_SCOPE_UNIVERSE, -- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, -+ hdrincl ? IPPROTO_RAW : sk->sk_protocol, - inet_sk_flowi_flags(sk) | -- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), -+ (hdrincl ? 
FLOWI_FLAG_KNOWN_NH : 0), - daddr, saddr, 0, 0, sk->sk_uid); - -- if (!inet->hdrincl) { -+ if (!hdrincl) { - rfv.msg = msg; - rfv.hlen = 0; - -@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, - goto do_confirm; - back_from_confirm: - -- if (inet->hdrincl) -+ if (hdrincl) - err = raw_send_hdrinc(sk, &fl4, msg, len, - &rt, msg->msg_flags, &ipc.sockc); - diff --git a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch deleted file mode 100644 index d037380e2..000000000 --- a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Kevin Cernekee -Date: Wed, 6 Dec 2017 12:12:27 -0800 -Subject: netlink: Add netns check on taps -Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449 - -Currently, a nlmon link inside a child namespace can observe systemwide -netlink activity. Filter the traffic so that nlmon can only sniff -netlink messages from its own netns. - -Test case: - - vpnns -- bash -c "ip link add nlmon0 type nlmon; \ - ip link set nlmon0 up; \ - tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & - sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ - spi 0x1 mode transport \ - auth sha1 0x6162633132330000000000000000000000000000 \ - enc aes 0x00000000000000000000000000000000 - grep --binary abc123 /tmp/nlmon.pcap - -Signed-off-by: Kevin Cernekee -Signed-off-by: David S. Miller ---- - net/netlink/af_netlink.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str - struct sock *sk = skb->sk; - int ret = -ENOMEM; - -+ if (!net_eq(dev_net(dev), sock_net(sk))) -+ return 0; -+ - dev_hold(dev); - - if (is_vmalloc_addr(skb->head)) 
diff --git a/debian/patches/features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch b/debian/patches/features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch
deleted file mode 100644
index b1167e785..000000000
--- a/debian/patches/features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From: Anna-Maria Gleixner -Date: Fri, 22 Dec 2017 15:51:12 +0100 -Subject: [PATCH 1/4] timer: Use deferrable base independent of - base::nohz_active -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.8-rt9.tar.xz - -During boot and before base::nohz_active is set in the timer bases, deferrable -timers are enqueued into the standard timer base. This works correctly as -long as base::nohz_active is false. - -Once it base::nohz_active is set and a timer which was enqueued before that -is accessed the lock selector code choses the lock of the deferred -base. This causes unlocked access to the standard base and in case the -timer is removed it does not clear the pending flag in the standard base -bitmap which causes get_next_timer_interrupt() to return bogus values. - -To prevent that, the deferrable timers must be enqueued in the deferrable -base, even when base::nohz_active is not set. Those deferrable timers also -need to be expired unconditional. - -Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") -Signed-off-by: Anna-Maria Gleixner -Signed-off-by: Thomas Gleixner -Cc: stable@vger.kernel.org -Cc: rt@linutronix.de -Signed-off-by: Sebastian Andrzej Siewior ---- - kernel/time/timer.c | 16 +++++++--------- - 1 file changed, 7 insertions(+), 9 deletions(-) - -diff --git a/kernel/time/timer.c b/kernel/time/timer.c -index f2674a056c26..fdfaf4f3bcfa 100644 ---- a/kernel/time/timer.c -+++ b/kernel/time/timer.c -@@ -814,11 +814,10 @@ static inline struct timer_base *get_timer_cpu_base(u32 tflags, u32 cpu) - struct timer_base *base = per_cpu_ptr(&timer_bases[BASE_STD], cpu); - - /* -- * If the timer is deferrable and nohz is active then we need to use -- * the deferrable base. -+ * If the timer is deferrable and NO_HZ_COMMON is set then we need -+ * to use the deferrable base. 
- */ -- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active && -- (tflags & TIMER_DEFERRABLE)) -+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE)) - base = per_cpu_ptr(&timer_bases[BASE_DEF], cpu); - return base; - } -@@ -828,11 +827,10 @@ static inline struct timer_base *get_timer_this_cpu_base(u32 tflags) - struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); - - /* -- * If the timer is deferrable and nohz is active then we need to use -- * the deferrable base. -+ * If the timer is deferrable and NO_HZ_COMMON is set then we need -+ * to use the deferrable base. - */ -- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active && -- (tflags & TIMER_DEFERRABLE)) -+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE)) - base = this_cpu_ptr(&timer_bases[BASE_DEF]); - return base; - } -@@ -1644,7 +1642,7 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h) - base->must_forward_clk = false; - - __run_timers(base); -- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active) -+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON)) - __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF])); - } - --- -2.15.1 - diff --git a/debian/patches/features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch b/debian/patches/features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch deleted file mode 100644 index 896a46d8d..000000000 --- a/debian/patches/features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From: Thomas Gleixner -Date: Fri, 22 Dec 2017 15:51:14 +0100 -Subject: [PATCH 3/4] timer: Invoke timer_start_debug() where it makes sense -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.8-rt9.tar.xz - -The timer start debug function is called before the proper timer base is -set. As a consequence the trace data contains the stale CPU and flags -values. - -Call the debug function after setting the new base and flags. - -Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") -Signed-off-by: Thomas Gleixner -Cc: stable@vger.kernel.org -Cc: rt@linutronix.de -Signed-off-by: Sebastian Andrzej Siewior ---- - kernel/time/timer.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/kernel/time/timer.c b/kernel/time/timer.c -index fdfaf4f3bcfa..a4d095e1010e 100644 ---- a/kernel/time/timer.c -+++ b/kernel/time/timer.c -@@ -982,8 +982,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) - if (!ret && pending_only) - goto out_unlock; - -- debug_activate(timer, expires); -- - new_base = get_target_base(base, timer->flags); - - if (base != new_base) { -@@ -1007,6 +1005,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) - } - } - -+ debug_activate(timer, expires); -+ - timer->expires = expires; - /* - * If 'idx' was calculated above and the base time did not advance --- -2.15.1 - diff --git a/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch b/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch index db46aff04..52e246ce8 100644 --- a/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch +++ b/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch @@ -115,7 +115,7 @@ 
Signed-off-by: Thomas Gleixner return period; } -@@ -684,10 +689,10 @@ static ktime_t tick_nohz_stop_sched_tick +@@ -689,10 +694,10 @@ static ktime_t tick_nohz_stop_sched_tick /* Read jiffies and the time when jiffies were updated last */ do { @@ -127,7 +127,7 @@ Signed-off-by: Thomas Gleixner + } while (read_seqcount_retry(&jiffies_seq, seq)); ts->last_jiffies = basejiff; - if (rcu_needs_cpu(basemono, &next_rcu) || + /* --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -2326,8 +2326,10 @@ EXPORT_SYMBOL(hardpps); diff --git a/debian/patches/features/all/rt/x86-preempt-lazy.patch b/debian/patches/features/all/rt/x86-preempt-lazy.patch index 89009c6e3..cd1c7ee71 100644 --- a/debian/patches/features/all/rt/x86-preempt-lazy.patch +++ b/debian/patches/features/all/rt/x86-preempt-lazy.patch @@ -76,7 +76,7 @@ Signed-off-by: Thomas Gleixner call preempt_schedule_irq --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S -@@ -750,7 +750,23 @@ retint_kernel: +@@ -761,7 +761,23 @@ retint_kernel: bt $9, EFLAGS(%rsp) /* were interrupts off? */ jnc 1f 0: cmpl $0, PER_CPU_VAR(__preempt_count) @@ -205,7 +205,7 @@ Signed-off-by: Thomas Gleixner /* --- a/arch/x86/kernel/asm-offsets.c +++ b/arch/x86/kernel/asm-offsets.c -@@ -37,6 +37,7 @@ void common(void) { +@@ -38,6 +38,7 @@ void common(void) { BLANK(); OFFSET(TASK_TI_flags, task_struct, thread_info.flags); @@ -213,11 +213,11 @@ Signed-off-by: Thomas Gleixner OFFSET(TASK_addr_limit, task_struct, thread.addr_limit); BLANK(); -@@ -93,6 +94,7 @@ void common(void) { +@@ -94,6 +95,7 @@ void common(void) { BLANK(); DEFINE(PTREGS_SIZE, sizeof(struct pt_regs)); + DEFINE(_PREEMPT_ENABLED, PREEMPT_ENABLED); - /* Layout info for cpu_entry_area */ - OFFSET(CPU_ENTRY_AREA_tss, cpu_entry_area, tss); + /* TLB state for the entry code */ + OFFSET(TLB_STATE_user_pcid_flush_mask, tlb_state, user_pcid_flush_mask); diff --git a/debian/patches/series b/debian/patches/series index efad9006c..cd8f5cc29 100644 
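Review bot: The `retint_kernel` hunk of x86-preempt-lazy.patch is carried forward by offset alone (`-@@ -750,7 +750,23 @@ retint_kernel:` → `+@@ -761,7 +761,23 @@ retint_kernel:`), and nothing in this refresh shows that the interrupt-return code around it is unchanged in 4.14.11. The new trailing context of the asm-offsets.c hunk (`/* TLB state for the entry code */`, `OFFSET(TLB_STATE_user_pcid_flush_mask, tlb_state, user_pcid_flush_mask);`) indicates the PTI entry-code rework listed in the changelog is now in the base tree, so a context-only refresh may have placed the lazy-preempt `cmpl $0, PER_CPU_VAR(__preempt_count)` sequence by fuzzy match rather than on the intended return-to-kernel path; it would be worth recording in the commit message that the patch was re-applied without fuzz against the 4.14.11 entry_64.S and that the inserted sequence still precedes the post-PTI return handling, if any, on that path. The same offset-only refresh applies to the timekeeping-split-jiffies-lock.patch hunk just above, where the replacement context line `+ /*` is a bare comment opener and makes future refreshes less anchored than the `rcu_needs_cpu(...)` line it replaces. The enclosing patch sections start and end outside the hunks shown here.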
--- a/debian/patches/series +++ b/debian/patches/series @@ -119,9 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch -bugfix/all/netlink-add-netns-check-on-taps.patch bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch -bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch diff --git a/debian/patches/series-rt b/debian/patches/series-rt index a4a279318..31c5232fb 100644 --- a/debian/patches/series-rt +++ b/debian/patches/series-rt @@ -16,9 +16,7 @@ features/all/rt/rcu-Suppress-lockdep-false-positive-boost_mtx-compla.patch ############################################################ # Timer/NOHZ fixups -features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch features/all/rt/0002-nohz-Prevent-erroneous-tick-stop-invocations.patch -features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch features/all/rt/0004-timerqueue-Document-return-values-of-timerqueue_add-.patch # soft hrtimer patches (v4)