Update to 4.14.16

Salvatore Bonaccorso 2018-01-31 21:08:15 +01:00
parent e49ee939aa
commit edfb7d0f0e
9 changed files with 146 additions and 245 deletions

debian/changelog

@ -1,4 +1,4 @@
linux (4.14.15-1) UNRELEASED; urgency=medium
linux (4.14.16-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14
@ -196,12 +196,83 @@ linux (4.14.15-1) UNRELEASED; urgency=medium
- mm, page_vma_mapped: Drop faulty pointer arithmetics in check_pte()
- [arm64, armhf] net: mvpp2: do not disable GMAC padding
- [mips]: AR7: ensure the port type's FCR value is used
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.16
- mm, page_alloc: fix potential false positive in __zone_watermark_ok
- xfrm: Fix a race in the xdst pcpu cache.
- Revert "module: Add retpoline tag to VERMAGIC"
- Input: xpad - add support for PDP Xbox One controllers
- Input: trackpoint - force 3 buttons if 0 button is reported
- Input: trackpoint - only expose supported controls for Elan, ALPS and
NXP
- Btrfs: fix stale entries in readdir
- [s390x] KVM: add proper locking for CMMA migration bitmap
- [arm*] net: bpf: avoid 'bx' instruction on non-Thumb capable CPUs
- [arm*] net: bpf: fix tail call jumps
- [arm*] net: bpf: fix stack alignment
- [arm*] net: bpf: move stack documentation
- [arm*] net: bpf: correct stack layout documentation
- [arm*] net: bpf: fix register saving
- [arm*] net: bpf: fix LDX instructions
- [arm*] net: bpf: clarify tail_call index
- [arm64,armhf] drm/vc4: Fix NULL pointer dereference in
vc4_save_hang_state()
- net: Allow neigh contructor functions ability to modify the primary_key
- ipv4: Make neigh lookup keys for loopback/point-to-point devices be
INADDR_ANY
- dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
- ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL
- ipv6: fix udpv6 sendmsg crash caused by too small MTU
- ipv6: ip6_make_skb() needs to clear cork.base.dst
- lan78xx: Fix failure in USB Full Speed
- net: igmp: fix source address check for IGMPv3 reports
- net: qdisc_pkt_len_init() should be more robust
- net: tcp: close sock if net namespace is exiting
- net/tls: Fix inverted error codes to avoid endless loop
- net: vrf: Add support for sends to local broadcast address
- pppoe: take ->needed_headroom of lower device into account on xmit
- r8169: fix memory corruption on retrieval of hardware statistics.
- sctp: do not allow the v4 socket to bind a v4mapped v6 address
- sctp: return error if the asoc has been peeled off in
sctp_wait_for_sndbuf
- tipc: fix a memory leak in tipc_nl_node_get_link()
- {net,ib}/mlx5: Don't disable local loopback multicast traffic when
needed
- net/mlx5: Fix get vector affinity helper function
- ppp: unlock all_ppp_mutex before registering device
- be2net: restore properly promisc mode after queues reconfiguration
- ip6_gre: init dev->mtu and dev->hard_header_len correctly
- gso: validate gso_type in GSO handlers
- tun: fix a memory leak for tfile->tx_array
- flow_dissector: properly cap thoff field
- sctp: reinit stream if stream outcnt has been change by sinit in sendmsg
- netlink: extack needs to be reset each time through loop
- net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare
- nfp: use the correct index for link speed table
- netlink: reset extack earlier in netlink_rcv_skb
- net/tls: Only attach to sockets in ESTABLISHED state
- tls: fix sw_ctx leak
- tls: return -EBUSY if crypto_info is already set
- tls: reset crypto_info when do_tls_setsockopt_tx fails
- net: ipv4: Make "ip route get" match iif lo rules again.
- vmxnet3: repair memory leak
- perf/x86/amd/power: Do not load AMD power module on !AMD platforms
- [x86] microcode/intel: Extend BDW late-loading further with LLC size
check
- [x86] microcode: Fix again accessing initrd after having been freed
- [x86] mm/64: Fix vmapped stack syncing on very-large-memory 4-level
systems
- hrtimer: Reset hrtimer cpu base proper on CPU hotplug
- bpf: introduce BPF_JIT_ALWAYS_ON config
- bpf: fix divides by zero
- bpf: fix 32-bit divide by zero
- bpf: reject stores into ctx via st and xadd
- [arm64] bpf: fix stack_depth tracking in combination with tail calls
- cpufreq: governor: Ensure sufficiently large sampling intervals
- nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028)
[ Salvatore Bonaccorso ]
* loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
* Revert "module: Add retpoline tag to VERMAGIC"
* [rt] Update to 4.14.15-rt11
* nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028)
* [rt] Update to 4.14.15-rt13
[ Ben Hutchings ]
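Review bot: the two entries kept as context under `[ Salvatore Bonaccorso ]`, `* Revert "module: Add retpoline tag to VERMAGIC"` and `* nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028)`, now duplicate items in the added 4.14.16 list, and this commit deletes the matching patch files from debian/patches, so they no longer describe anything the package carries itself; drop them or reword them as superseded by the upstream stable update. Within this hunk the `[ Ben Hutchings ]` block records nothing about the bpf_map layout revert added in this commit, so that ABI decision currently goes unmentioned in the changelog.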


@ -1,74 +0,0 @@
From: Kevin Cernekee <cernekee@chromium.org>
Date: Sun, 3 Dec 2017 12:12:45 -0800
Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, nfnl_cthelper_list is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
$ nfct helper list
nfct v1.4.4: netlink error: Operation not permitted
$ vpnns -- nfct helper list
{
.name = ftp,
.queuenum = 0,
.l3protonum = 2,
.l4protonum = 6,
.priv_data_len = 24,
.status = enabled,
};
Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@
#include <linux/types.h>
#include <linux/list.h>
#include <linux/errno.h>
+#include <linux/capability.h>
#include <net/netlink.h>
#include <net/sock.h>
@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net
struct nfnl_cthelper *nlcth;
int ret = 0;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
return -EINVAL;
@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net
struct nfnl_cthelper *nlcth;
bool tuple_set = false;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = {
.dump = nfnl_cthelper_dump_table,
@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net
struct nfnl_cthelper *nlcth, *n;
int j = 0, ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (tb[NFCTH_NAME])
helper_name = nla_data(tb[NFCTH_NAME]);
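Review bot: deleting this file removes the only reference to CVE-2017-17448 visible in this diff (the `Bug-Debian-Security:` line), and the added 4.14.16 changelog list does not name the nfnetlink_cthelper fix; confirm it arrived with 4.14.15 (whose list lies outside this diff) and record the CVE in the changelog entry that imports it, otherwise the security-tracker cross-reference is lost. The xt_osf patch deleted below has the same problem for CVE-2017-17450.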


@ -1,56 +0,0 @@
From: Kevin Cernekee <cernekee@chromium.org>
Date: Tue, 5 Dec 2017 15:42:41 -0800
Subject: netfilter: xt_osf: Add missing permission checks
Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, xt_osf_fingers is shared by all net namespaces on the
system. An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:
vpnns -- nfnl_osf -f /tmp/pf.os
vpnns -- nfnl_osf -f /tmp/pf.os -d
These non-root operations successfully modify the systemwide OS
fingerprint list. Add new capable() checks so that they can't.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_osf.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -19,6 +19,7 @@
#include <linux/module.h>
#include <linux/kernel.h>
+#include <linux/capability.h>
#include <linux/if.h>
#include <linux/inetdevice.h>
#include <linux/ip.h>
@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne
struct xt_osf_finger *kf = NULL, *sf;
int err = 0;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct
struct xt_osf_finger *sf;
int err = -ENOENT;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (!osf_attrs[OSF_ATTR_FINGER])
return -EINVAL;
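Review bot: once this file goes, CVE-2017-17450 appears nowhere in the changelog text added by this commit, so the capable(CAP_NET_ADMIN) checks in xt_osf_add_callback and xt_osf_remove_callback need to be verified as present in the stable tree the package now builds from; state in the changelog which upstream release carries them.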


@ -1,46 +0,0 @@
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
Date: Mon, 22 Jan 2018 20:11:06 +0000
Subject: nfsd: auth: Fix gid sorting when rootsquash enabled
Origin: https://git.kernel.org/linus/1995266727fa8143897e89b55f5d3c79aa828420
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000028
Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility
group_info allocators") appears to break nfsd rootsquash in a pretty
major way.
It adds a call to groups_sort() inside the loop that copies/squashes
gids, which means the valid gids are sorted along with the following
garbage. The net result is that the highest numbered valid gids are
replaced with any lower-valued garbage gids, possibly including 0.
We should sort only once, after filling in all the gids.
Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility ...")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Acked-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/nfsd/auth.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index f650e475d8f0..fdf2aad73470 100644
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -60,10 +60,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
gi->gid[i] = exp->ex_anon_gid;
else
gi->gid[i] = rqgi->gid[i];
-
- /* Each thread allocates its own gi, no race */
- groups_sort(gi);
}
+
+ /* Each thread allocates its own gi, no race */
+ groups_sort(gi);
} else {
gi = get_group_info(rqgi);
}
--
2.11.0


@ -0,0 +1,59 @@
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 2 Feb 2018 13:33:53 +0100
Subject: Revert "bpf: avoid false sharing of map refcount with max_entries"
Origin: https://git.kernel.org/linus/d5b555516e042378f54c1640ba61265e76a8b6e9
This reverts commit 3ea4247ec1b7efc423cf4f75450ebf5cffab9ed8 which is
commit be95a845cc4402272994ce290e3ad928aff06cb9 upstream. This commit
heavily modifies the bpf_map structure to split it on two cachelines and
prevent sharing reference counter with other, read-only fields in order
to mitigate Spectre attacks. This modification changes the ABI, so
revert the mitigation for now since the infrastructure is not yet
complete for Spectre mitigation anyway.
---
include/linux/bpf.h | 21 +++++----------------
1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 5c5be80ce802..0bcf803f20de 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -42,14 +42,7 @@ struct bpf_map_ops {
};
struct bpf_map {
- /* 1st cacheline with read-mostly members of which some
- * are also accessed in fast-path (e.g. ops, max_entries).
- */
- const struct bpf_map_ops *ops ____cacheline_aligned;
- struct bpf_map *inner_map_meta;
-#ifdef CONFIG_SECURITY
- void *security;
-#endif
+ atomic_t refcnt;
enum bpf_map_type map_type;
u32 key_size;
u32 value_size;
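Review bot: this hunk removes the `#ifdef CONFIG_SECURITY void *security;` member and the second hunk does not put it back anywhere in struct bpf_map; that is only correct if the member was introduced by the reverted backport 3ea4247ec1b7 rather than already present in 4.14.13, since the purpose of the revert is to restore the pre-4.14.14 layout exactly. Please confirm against the 4.14.13 header and say so in the patch description.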
@@ -59,15 +52,11 @@ struct bpf_map {
u32 id;
int numa_node;
bool unpriv_array;
- /* 7 bytes hole */
-
- /* 2nd cacheline with misc members to avoid false sharing
- * particularly with refcounting.
- */
- struct user_struct *user ____cacheline_aligned;
- atomic_t refcnt;
- atomic_t usercnt;
+ struct user_struct *user;
+ const struct bpf_map_ops *ops;
struct work_struct work;
+ atomic_t usercnt;
+ struct bpf_map *inner_map_meta;
};
/* function argument constraints */
--
2.11.0
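Review bot: the `Origin:` header names an upstream commit (d5b555516e04...) while `From:`/`Subject:` describe a Debian-authored revert of the 4.14.14 backport 3ea4247ec1b7; unless upstream itself reverted be95a845cc44 in that commit, the Origin line is misleading and should be dropped. The description calls the revert temporary and it undoes a Spectre-related layout hardening, so it belongs on the list of items to remove at the next ABI bump, and the changelog should carry an entry for it.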


@ -1,52 +0,0 @@
From 5132ede0fe8092b043dae09a7cc32b8ae7272baa Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 24 Jan 2018 15:28:17 +0100
Subject: Revert "module: Add retpoline tag to VERMAGIC"
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5132ede0fe8092b043dae09a7cc32b8ae7272baa upstream.
This reverts commit 6cfb521ac0d5b97470883ff9b7facae264b7ab12.
Turns out distros do not want to make retpoline as part of their "ABI",
so this patch should not have been merged. Sorry Andi, this was my
fault, I suggested it when your original patch was the "correct" way of
doing this instead.
Reported-by: Jiri Kosina <jikos@kernel.org>
Fixes: 6cfb521ac0d5 ("module: Add retpoline tag to VERMAGIC")
Acked-by: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: rusty@rustcorp.com.au
Cc: arjan.van.de.ven@intel.com
Cc: jeyu@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/vermagic.h | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -31,17 +31,11 @@
#else
#define MODULE_RANDSTRUCT_PLUGIN
#endif
-#ifdef RETPOLINE
-#define MODULE_VERMAGIC_RETPOLINE "retpoline "
-#else
-#define MODULE_VERMAGIC_RETPOLINE ""
-#endif
#define VERMAGIC_STRING \
UTS_RELEASE " " \
MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
MODULE_ARCH_VERMAGIC \
- MODULE_RANDSTRUCT_PLUGIN \
- MODULE_VERMAGIC_RETPOLINE
+ MODULE_RANDSTRUCT_PLUGIN


@ -123,15 +123,15 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
* Reprogram the event source with checking both queues for the
* next event
* Called with interrupts disabled and base->lock held
@@ -661,7 +662,6 @@ static void hrtimer_reprogram(struct hrt
static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
@@ -662,7 +663,6 @@ static inline void hrtimer_init_hres(str
{
base->expires_next = KTIME_MAX;
base->hang_detected = 0;
- base->hres_active = 0;
base->next_timer = NULL;
}
/*
@@ -720,8 +720,6 @@ void clock_was_set_delayed(void)
@@ -722,8 +722,6 @@ void clock_was_set_delayed(void)
#else
@ -140,9 +140,9 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
static inline int hrtimer_is_hres_enabled(void) { return 0; }
static inline void hrtimer_switch_to_hres(void) { }
static inline void
@@ -1602,6 +1600,7 @@ int hrtimers_prepare_cpu(unsigned int cp
}
@@ -1605,6 +1603,7 @@ int hrtimers_prepare_cpu(unsigned int cp
cpu_base->active_bases = 0;
cpu_base->cpu = cpu;
+ cpu_base->hres_active = 0;
hrtimer_init_hres(cpu_base);


@ -95,7 +95,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
}
static inline
@@ -657,14 +652,6 @@ static void hrtimer_reprogram(struct hrt
@@ -657,16 +652,6 @@ static void hrtimer_reprogram(struct hrt
}
/*
@ -104,13 +104,15 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
-{
- base->expires_next = KTIME_MAX;
- base->hang_detected = 0;
- base->next_timer = NULL;
-}
-
-/*
* Retrigger next event is called after clock was set
*
* Called with interrupts disabled via on_each_cpu()
@@ -729,7 +716,6 @@ static inline int hrtimer_reprogram(stru
@@ -731,7 +716,6 @@ static inline int hrtimer_reprogram(stru
{
return 0;
}
@ -118,8 +120,8 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
static inline void retrigger_next_event(void *arg) { }
#endif /* CONFIG_HIGH_RES_TIMERS */
@@ -1601,7 +1587,7 @@ int hrtimers_prepare_cpu(unsigned int cp
@@ -1604,7 +1588,7 @@ int hrtimers_prepare_cpu(unsigned int cp
cpu_base->active_bases = 0;
cpu_base->cpu = cpu;
cpu_base->hres_active = 0;
- hrtimer_init_hres(cpu_base);
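Review bot: the inner header changes from `@@ -657,14 +652,6 @@` to `@@ -657,16 +652,6 @@`, so the refreshed patch now deletes two more lines of hrtimer.c than before; that is more than a context refresh and the commit should say which lines and why the 4.14.16 base needs them gone. The hunk that removes the `hrtimer_init_hres(cpu_base);` call now keeps `cpu_base->hres_active = 0;` as plain context, while the removed function body above set `expires_next = KTIME_MAX`, `hang_detected = 0` and `next_timer = NULL`; confirm those three initialisations still happen on the 4.14.16 base, since a missing one would not show up as a rejected hunk.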


@ -118,13 +118,10 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
bugfix/all/nfsd-auth-Fix-gid-sorting-when-rootsquash-enabled.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
@ -155,5 +152,5 @@ features/arm/dwmac-sun8i/0008-ARM-dts-sunxi-h3-h5-represent-the-mdio-switch-used
features/arm64/tegra210-smp/0001-arm64-tegra-Add-CPU-and-PSCI-nodes-for-NVIDIA-Tegra2.patch
# ABI maintenance
debian/revert-bpf-avoid-false-sharing-of-map-refcount-with-.patch
debian/bpf-avoid-abi-change-in-4.14.14.patch
debian/revert-module-add-retpoline-tag-to-vermagic.patch
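Review bot: the new `debian/revert-bpf-avoid-false-sharing-of-map-refcount-with-.patch` is placed ahead of `debian/bpf-avoid-abi-change-in-4.14.14.patch` and both touch the bpf_map layout; confirm the older ABI patch still applies and is still needed on top of the revert (it may be fully superseded by it), and that dropping `debian/revert-module-add-retpoline-tag-to-vermagic.patch` here matches the deleted file above and the upstream revert in the 4.14.16 list.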