Release linux (4.12.13-1).

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlnBUMkACgkQ57/I7JWG
 EQkU2hAAo/L20PPbaPfnnCTppx1+UD9UHNfoGhY7eoy+GYt36YjNTeqcbDUcnmGS
 oqILWJq8Qwb4r2zBgnrLL+Ek3spErVtmcIi7HoCKK9pRdqDCIQUkkHQQjQob1o5f
 fMAr+qTcGAm9/yEIclCrAJmrYPtS1e4ryBmwu4ZGzeeGS0PG/WFsGOLq9Tiq2cIh
 pmszRX59ZqpMcTHuBs2Fi6xz7YWXqGUXxJiax5fqwF6j/9CpbReFhv2ZFH2HcPA5
 4sTtGLsGTwz7lzXLljp0IN7aFkW830FGE4WuTRe2fOkFKgXlj+8wtor7D2vFB7Ou
 FHhyVrMc6y32+K9LG955ECXgwN2wGioKEMyEi67ci9qxvCGf/EA9vtEj3ytzm8+j
 fiJ1gRjk0Ec2D5Aewl2L0i2bYYf4RqTriRHmEQa14kk70U8oK4AmOilyU+d1t3WC
 xwo6ZdThvBGJGlHzrkjWxutWz3aQiL7AC2Ora51BhrR83chmxWeRa4mvo6yH6yfs
 kmSHfqIgHklwLBVpF1/9tam8E5W6KkHgW3tTX9Duz6dM+mrVxKTJz1iKbnt1213t
 xco667k4txs5k+K2JkJfUUEMlH+lCicAqEHB2EZIV0R7FCf+n4dENJ/FwXUF7XE+
 41h3BqWbxZDYcuBxBYmmoF7B3QgeFylSbbYb1W4E6Erd6j7AHj0=
 =Thw/
 -----END PGP SIGNATURE-----

Merge tag 'debian/4.12.13-1'

Release linux (4.12.13-1).

Drop ABI reference files.

debian/changelog

@@ -62,6 +62,51 @@ linux (4.13~rc5-1~exp1) experimental; urgency=medium
 
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 14 Aug 2017 23:20:50 +0100
 
+linux (4.12.13-1) unstable; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.13
+    - mtd: nand: make Samsung SLC NAND usable again
+    - mtd: nand: hynix: add support for 20nm NAND chips
+    - [armhf] mtd: nand: mxc: Fix mxc_v1 ooblayout
+    - nvme-fabrics: generate spec-compliant UUID NQNs
+    - btrfs: resume qgroup rescan on rw remount
+    - rtlwifi: btcoexist: Fix breakage of ant_sel for rtl8723be
+    - radix-tree: must check __radix_tree_preload() return value
+    - mm: kvfree the swap cluster info if the swap file is unsatisfactory
+    - mm/swapfile.c: fix swapon frontswap_map memory leak on error
+    - mm/memory.c: fix mem_cgroup_oom_disable() call missing
+    - [i386] ALSA: msnd: Optimize / harden DSP and MIDI loops
+    - [x86] KVM: SVM: Limit PFERR_NESTED_GUEST_PAGE error_code check to L1 guest
+    - rt2800: fix TX_PIN_CFG setting for non MT7620 chips
+    - Bluetooth: Properly check L2CAP config option output buffer length
+      (CVE-2017-1000251) (Closes: #875881)
+    - [arm64] dts: marvell: armada-37xx: Fix GIC maintenance interrupt
+    - [armel,armhf] 8692/1: mm: abort uaccess retries upon fatal signal
+    - NFS: Fix 2 use after free issues in the I/O code
+    - NFS: Sync the correct byte range during synchronous writes
+    - NFSv4: Fix up mirror allocation
+    - xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+      (CVE-2017-14340)
+
+  [ Salvatore Bonaccorso ]
+  * sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558)
+  * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
+  * Add ABI reference for 4.12.0-2
+
+  [ Ben Hutchings ]
+  * nl80211: check for the required netlink attributes presence (CVE-2017-12153)
+  * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
+  * video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+    (CVE-2017-14156)
+  * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+    (CVE-2017-14489)
+  * packet: Don't write vnet header beyond end of buffer (CVE-2017-14497)
+  * [x86] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (CVE-2017-1000252)
+  * nfs: Ignore ABI change
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Tue, 19 Sep 2017 01:59:17 +0100
+
 linux (4.12.12-2) unstable; urgency=medium
 
   * debian/source/lintian-overrides: Override license-problem-gfdl-invariants

debian/config/defines

@@ -27,6 +27,7 @@ ignore-changes:
  module:drivers/usb/chipidea/**
  module:drivers/usb/host/**
  module:drivers/usb/musb/**
+ module:fs/nfs/**
  module:net/ceph/libceph
  module:net/l2tp/l2tp_core
  module:sound/firewire/snd-firewire-lib

debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch

@@ -0,0 +1,36 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Tue, 12 Sep 2017 22:21:21 +0000
+Subject: nl80211: check for the required netlink attributes presence
+Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Cc: <stable@vger.kernel.org> # v3.1-rc1
+Reported-by: bo Zhang <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
+ 	if (err)
+ 		return err;
+ 
++	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++	    !tb[NL80211_REKEY_DATA_KCK])
++		return -EINVAL;
+ 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ 		return -ERANGE;
+ 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)

debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch

@@ -0,0 +1,55 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 27 Aug 2017 20:25:26 +0800
+Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+Origin: https://patchwork.kernel.org/patch/9923803/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
+
+ChunYu found a kernel crash by syzkaller:
+
+[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
+[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[  651.618731] general protection fault: 0000 [#1] SMP KASAN
+[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
+[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
+[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
+[...]
+[  651.627260] Call Trace:
+[  651.629156]  skb_release_all+0x4f/0x60
+[  651.629450]  consume_skb+0x1a5/0x600
+[  651.630705]  netlink_unicast+0x505/0x720
+[  651.632345]  netlink_sendmsg+0xab2/0xe70
+[  651.633704]  sock_sendmsg+0xcf/0x110
+[  651.633942]  ___sys_sendmsg+0x833/0x980
+[  651.637117]  __sys_sendmsg+0xf3/0x240
+[  651.638820]  SyS_sendmsg+0x32/0x50
+[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+It's caused by skb_shared_info at the end of sk_buff was overwritten by
+ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
+
+During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
+ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
+new value to skb_shinfo(SKB)->nr_frags by ev->type.
+
+This patch is to fix it by checking nlh->nlmsg_len properly there to
+avoid over accessing sk_buff.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Chris Leech <cleech@redhat.com>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ 		uint32_t group;
+ 
+ 		nlh = nlmsg_hdr(skb);
+-		if (nlh->nlmsg_len < sizeof(*nlh) ||
++		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+ 		    skb->len < nlh->nlmsg_len) {
+ 			break;
+ 		}

debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch

@@ -0,0 +1,64 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 30 Aug 2017 16:30:35 +0300
+Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code
+Origin: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14051
+
+The value of "size" comes from the user.  When we add "start + size" it
+could lead to an integer overflow bug.
+
+It means we vmalloc() a lot more memory than we had intended.  I believe
+that on 64 bit systems vmalloc() can succeed even if we ask it to
+allocate huge 4GB buffers.  So we would get memory corruption and likely
+a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
+
+Only root can trigger this bug.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+
+Cc: <stable@vger.kernel.org>
+Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
+Reported-by: shqking <shqking@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 08a1feb3a195..8c6ff1682fb1 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		return -EINVAL;
+ 	if (start > ha->optrom_size)
+ 		return -EINVAL;
++	if (size > ha->optrom_size - start)
++		size = ha->optrom_size - start;
+ 
+ 	mutex_lock(&ha->optrom_mutex);
+ 	switch (val) {
+@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		}
+ 
+ 		ha->optrom_region_start = start;
+-		ha->optrom_region_size = start + size > ha->optrom_size ?
+-		    ha->optrom_size - start : size;
++		ha->optrom_region_size = start + size;
+ 
+ 		ha->optrom_state = QLA_SREADING;
+ 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ 		}
+ 
+ 		ha->optrom_region_start = start;
+-		ha->optrom_region_size = start + size > ha->optrom_size ?
+-		    ha->optrom_size - start : size;
++		ha->optrom_region_size = start + size;
+ 
+ 		ha->optrom_state = QLA_SWRITING;
+ 		ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+-- 
+2.11.0
+

debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch

@@ -0,0 +1,30 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
+ userspace
+Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106 <sohu0106@126.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ 	case ATYIO_CLKR:
+ 		if (M64_HAS(INTEGRATED)) {
+-			struct atyclk clk;
++			struct atyclk clk = { 0 };
+ 			union aty_pll *pll = &par->pll;
+ 			u32 dsp_config = pll->ct.dsp_config;
+ 			u32 dsp_on_off = pll->ct.dsp_on_off;

debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch

@@ -0,0 +1,34 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Tue, 12 Sep 2017 13:02:54 -0700
+Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
+Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
+
+If L1 does not specify the "use TPR shadow" VM-execution control in
+vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
+exiting" VM-execution controls in vmcs02. Failure to do so will give
+the L2 VM unrestricted read/write access to the hardware CR8.
+
+This fixes CVE-2017-12154.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
+ 	if (exec_control & CPU_BASED_TPR_SHADOW) {
+ 		vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
+ 		vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
++	} else {
++#ifdef CONFIG_X86_64
++		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
++				CPU_BASED_CR8_STORE_EXITING;
++#endif
+ 	}
+ 
+ 	/*

debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch

@@ -0,0 +1,52 @@
+From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
+Date: Thu, 7 Sep 2017 19:02:30 +0100
+Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
+
+The value of the guest_irq argument to vmx_update_pi_irte() is
+ultimately coming from a KVM_IRQFD API call. Do not BUG() in
+vmx_update_pi_irte() if the value is out-of bounds. (Especially,
+since KVM as a whole seems to hang after that.)
+
+Instead, print a message only once if we find that we don't have a
+route for a certain IRQ (which can be out-of-bounds or within the
+array).
+
+This fixes CVE-2017-1000252.
+
+Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
+ 	struct kvm_lapic_irq irq;
+ 	struct kvm_vcpu *vcpu;
+ 	struct vcpu_data vcpu_info;
+-	int idx, ret = -EINVAL;
++	int idx, ret = 0;
+ 
+ 	if (!kvm_arch_has_assigned_device(kvm) ||
+ 		!irq_remapping_cap(IRQ_POSTING_CAP) ||
+@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm
+ 
+ 	idx = srcu_read_lock(&kvm->irq_srcu);
+ 	irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
+-	BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
++	if (guest_irq >= irq_rt->nr_rt_entries ||
++	    hlist_empty(&irq_rt->map[guest_irq])) {
++		pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
++			     guest_irq, irq_rt->nr_rt_entries);
++		goto out;
++	}
+ 
+ 	hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
+ 		if (e->type != KVM_IRQ_ROUTING_MSI)

debian/patches/series

@@ -112,6 +112,12 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
+bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch