diff --git a/debian/changelog b/debian/changelog index d60b7e575..66e97e388 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.18.7-1) UNRELEASED; urgency=medium +linux (4.18.8-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.7 
@@ -139,6 +139,205 @@ linux (4.18.7-1) UNRELEASED; urgency=medium - udf: Fix mounting of Win7 created UDF filesystems - cpuidle: menu: Retain tick when shallow state is selected - [arm64] mm: always enable CONFIG_HOLES_IN_ZONE + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.8 + - act_ife: fix a potential use-after-free + - ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT + state + - net: sched: Fix memory exposure from short TCA_U32_SEL + - qlge: Fix netdev features configuration. + - r8152: disable RX aggregation on new Dell TB16 dock + - tcp: do not restart timewait timer on rst reception + - vti6: remove !skb->ignore_df check from vti6_xmit() + - act_ife: move tcfa_lock down to where necessary + - act_ife: fix a potential deadlock + - net: sched: action_ife: take reference to meta module + - bnxt_en: Clean up unused functions. + - bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA. + - net/sched: act_pedit: fix dump of extended layered op + - tipc: fix a missing rhashtable_walk_exit() + - [x86] hv_netvsc: Fix a deadlock by getting rtnl lock earlier in + netvsc_probe() + - tipc: fix the big/little endian issue in tipc_dest + - sctp: remove useless start_fail from sctp_ht_iter in proc + - erspan: set erspan_ver to 1 by default when adding an erspan dev + - ipv6: don't get lwtstate twice in ip6_rt_copy_init() + - net/ipv6: init ip6 anycast rt->dst.input as ip6_input + - net/ipv6: Only update MTU metric if it set + - net/ipv6: Put lwtstate when destroying fib6_info + - net/mlx5: Fix SQ offset in QPs with small RQ + - r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices + - [armhf,arm64] Revert "net: stmmac: Do not keep rearming the coalesce + timer in stmmac_xmit" + - ip6_vti: fix creating fallback tunnel device for vti6 + - ip6_vti: fix a null pointer deference when destroy vti6 tunnel + - nfp: wait for posted reconfigs when disabling the device + - sctp: hold transport before accessing its asoc in 
sctp_transport_get_next + - vhost: correctly check the iova range when waking virtqueue + - [x86] hv_netvsc: ignore devices that are not PCI + - cifs: check if SMB2 PDU size has been padded and suppress the warning + - hfsplus: don't return 0 when fill_super() failed + - hfs: prevent crash on exit from failed search + - sunrpc: Don't use stack buffer with scatterlist + - fork: don't copy inconsistent signal handler state to child + - fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds + - reiserfs: change j_timestamp type to time64_t + - [armhf,arm64] iommu/rockchip: Handle errors returned from PM framework + - hfsplus: fix NULL dereference in hfsplus_lookup() (CVE-2018-14617) + - [armhf,arm64] iommu/rockchip: Move irq request past pm_runtime_enable + - fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries + - fat: validate ->i_start before using + - workqueue: skip lockdep wq dependency in cancel_work_sync() + - workqueue: re-add lockdep dependencies for flushing + - scripts: modpost: check memory allocation results + - apparmor: fix an error code in __aa_create_ns() + - virtio: pci-legacy: Validate queue pfn + - [x86] mce: Add notifier_block forward declaration + - i2c: core: ACPI: Make acpi_gsb_i2c_read_bytes() check i2c_transfer return + value + - IB/hfi1: Invalid NUMA node information can cause a divide by zero + - [armhf,arm64] pwm: meson: Fix mux clock names + - [powerpc*] topology: Get topology for shared processors at boot + - mm/fadvise.c: fix signed overflow UBSAN complaint + - mm: make DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM + - fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() + - [x86] platform: intel_punit_ipc: fix build errors + - bpf, sockmap: fix map elem deletion race with smap_stop_sock + - tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach + - bpf, sockmap: fix sock_map_ctx_update_elem race with exist/noexist + - net/xdp: Fix suspicious RCU usage warning + - bpf, sockmap: fix 
leakage of smap_psock_map_entry + - netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses + - [s390x] kdump: Fix memleak in nt_vmcoreinfo + - ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() + - mfd: sm501: Set coherent_dma_mask when creating subdevices + - netfilter: x_tables: do not fail xt_alloc_table_info too easilly + - [x86] platform: asus-nb-wmi: Add keymap entry for lid flip action on + UX360 + - netfilter: fix memory leaks on netlink_dump_start error + - tcp, ulp: add alias for all ulp modules + - ubi: Initialize Fastmap checkmapping correctly + - ACPICA: ACPICA: add status check for acpi_hw_read before assigning return + value + - [arm*] perf arm spe: Fix uninitialized record error variable + - [arm64] net: hns3: Fix for command format parsing error in + hclge_is_all_function_id_zero + - block: don't warn for flush on read-only device + - [arm64] net: hns3: Fix for phy link issue when using marvell phy driver + - PCI: Match Root Port's MPS to endpoint's MPSS as necessary + - drm/amd/display: Guard against null crtc in CRC IRQ + - perf tools: Check for null when copying nsinfo. 
+ - f2fs: avoid race between zero_range and background GC + - f2fs: fix avoid race between truncate and background GC + - net/9p/trans_fd.c: fix race by holding the lock + - net/9p: fix error path of p9_virtio_probe + - f2fs: fix to clear PG_checked flag in set_page_dirty() + - [armhf,arm64] pinctrl: axp209: Fix NULL pointer dereference after + allocation + - bpf: fix bpffs non-array map seq_show issue + - [powerpc*] uaccess: Enable get_user(u64, *p) on 32-bit + - [powerpc*] Fix size calculation using resource_size() + - [powerpc*] perf probe powerpc: Fix trace event post-processing + - block: bvec_nr_vecs() returns value for wrong slab + - brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference + - [s390x] dasd: fix hanging offline processing due to canceled worker + - [s390x] dasd: fix panic for failed online processing + - ACPI / scan: Initialize status to ACPI_STA_DEFAULT + - blk-mq: count the hctx as active before allocating tag + - scsi: aic94xx: fix an error code in aic94xx_init() + - NFSv4: Fix error handling in nfs4_sp4_select_mode() + - Input: do not use WARN() in input_alloc_absinfo() + - xen/balloon: fix balloon initialization for PVH Dom0 + - [armhf] PCI: mvebu: Fix I/O space end address calculation + - dm kcopyd: avoid softlockup in run_complete_job + - [x86] staging: comedi: ni_mio_common: fix subdevice flags for PFI + subdevice + - ASoC: rt5677: Fix initialization of rt5677_of_match.data + - [armhf] iommu/omap: Fix cache flushes on L2 table entries + - selinux: cleanup dentry and inodes on error in selinuxfs + - RDS: IB: fix 'passing zero to ERR_PTR()' warning + - cfq: Suppress compiler warnings about comparisons + - smb3: fix reset of bytes read and written stats + - CIFS: fix memory leak and remove dead code + - SMB3: Number of requests sent should be displayed for SMB3 not just CIFS + - smb3: if server does not support posix do not allow posix mount option + - [powerpcspe] platforms/85xx: fix t1042rdb_diu.c build errors & warning + - 
[powerpc*] 64s: Make rfi_flush_fallback a little more robust + - [powerpc*] pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX. + - [armhf,arm64] clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in + rk3399 + - drm/amd/display: Read back max backlight value at boot + - [x86] KVM: vmx: track host_state.loaded using a loaded_vmcs pointer + - [x86] kvm: nVMX: Fix fault vector for VMX operation at CPL > 0 + - [armhf] drm/etnaviv: fix crash in GPU suspend when init failed due to + buffer placement + - btrfs: Exit gracefully when chunk map cannot be inserted to the tree + - btrfs: replace: Reset on-disk dev stats value after replace + - btrfs: fix in-memory value of total_devices after seed device deletion + - btrfs: relocation: Only remove reloc rb_trees if reloc control has been + initialized (CVE-2018-14609) + - btrfs: tree-checker: Detect invalid and empty essential trees + (CVE-2018-14612) + - btrfs: check-integrity: Fix NULL pointer dereference for degraded mount + - btrfs: lift uuid_mutex to callers of btrfs_open_devices + - btrfs: Don't remove block group that still has pinned down bytes + - btrfs: Fix a C compliance issue + - [armhf,arm64] rockchip: Force CONFIG_PM on Rockchip systems + - btrfs: do btrfs_free_stale_devices outside of device_list_add + - btrfs: extend locked section when adding a new device in device_list_add + - btrfs: rename local devices for fs_devices in btrfs_free_stale_devices( + - btrfs: use device_list_mutex when removing stale devices + - btrfs: lift uuid_mutex to callers of btrfs_scan_one_device + - btrfs: lift uuid_mutex to callers of btrfs_parse_early_options + - btrfs: reorder initialization before the mount locks uuid_mutex + - btrfs: fix mount and ioctl device scan ioctl race + - [x86] drm/i915/lpe: Mark LPE audio runtime pm as "no callbacks" + - [x86] drm/i915: Nuke the LVDS lid notifier + - [x86] drm/i915: Increase LSPCON timeout + - [x86] drm/i915: Free write_buf that we allocated with kzalloc. 
+ - drm/amdgpu: update uvd_v6_0_ring_vm_funcs to use new nop packet + - drm/amdgpu: fix a reversed condition + - drm/amdgpu: Fix RLC safe mode test in gfx_v9_0_enter_rlc_safe_mode + - drm/amd/pp: Convert voltage unit in mV*4 to mV on CZ/ST + - drm/amd/powerplay: fixed uninitialized value + - drm/amd/pp/Polaris12: Fix a chunk of registers missed to program + - drm/edid: Quirk Vive Pro VR headset non-desktop. + - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80 + - drm/amd/display: fix type of variable + - drm/amd/display: Don't share clk source between DP and HDMI + - drm/amd/display: update clk for various HDMI color depths + - drm/amd/display: Use requested HDMI aspect ratio + - drm/amd/display: Report non-DP display as disconnected without EDID + - [armhf,arm64] drm/rockchip: lvds: add missing of_node_put + - [armhf,arm64] drm/rockchip: vop: split out core clock enablement into + separate functions + - [armhf,arm64] drm/rockchip: vop: fix irq disabled after vop driver probed + - drm/amd/display: Pass connector id when executing VBIOS CT + - drm/amd/display: Check if clock source in use before disabling + - drm/amdgpu: update tmr mc address + - drm/amdgpu:add tmr mc address into amdgpu_firmware_info + - drm/amdgpu:add new firmware id for VCN + - drm/amdgpu:add VCN support in PSP driver + - drm/amdgpu:add VCN booting with firmware loaded by PSP + - drm/amdgpu: fix incorrect use of fcheck + - drm/amdgpu: fix incorrect use of drm_file->pid + - [x86] drm/i915: Re-apply "Perform link quality check, unconditionally + during long pulse" + - uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member + name + - mm: respect arch_dup_mmap() return value + - [x86] drm/i915: set DP Main Stream Attribute for color range on DDI + platforms + - [i386] tsc: Prevent result truncation on 32bit + - drm/amdgpu: Keep track of amount of pinned CPU visible VRAM + - drm/amdgpu: Make pin_size values atomic + - drm/amdgpu: Warn and update pin_size values when destroying 
a pinned BO + - drm/amdgpu: Don't warn on destroying a pinned BO + - debugobjects: Make stack check warning more informative + - [i386] pae: use 64 bit atomic xchg function in native_ptep_get_and_clear + - [x86] xen: don't write ptes directly in 32-bit PV guests + - [x86] kvm: Set highest physical address bits in non-present/reserved SPTEs + - [x86] kvm: avoid unused variable warning + - HID: redragon: fix num lock and caps lock LEDs [ Ben Hutchings ] * [x86] wireless: Enable R8822BE as module (Closes: #908330) @@ -155,9 +354,6 @@ linux (4.18.7-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * mac80211: don't update the PM state of a peer upon a multicast frame (Closes: #887045, #886292) - * btrfs: relocation: Only remove reloc rb_trees if reloc control has been - initialized (CVE-2018-14609) - * hfsplus: fix NULL dereference in hfsplus_lookup() (CVE-2018-14617) [ Romain Perier ] * [x86] Enable TI TPS6598x USB Power Delivery controller family diff --git a/debian/patches/bugfix/all/btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch b/debian/patches/bugfix/all/btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch deleted file mode 100644 index b9a8c2556..000000000 --- a/debian/patches/bugfix/all/btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: Qu Wenruo -Date: Tue, 3 Jul 2018 17:10:07 +0800 -Subject: btrfs: relocation: Only remove reloc rb_trees if reloc control has - been initialized -Origin: https://git.kernel.org/linus/389305b2aa68723c754f88d9dbd268a400e10664 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14609 - -Invalid reloc tree can cause kernel NULL pointer dereference when btrfs -does some cleanup of the reloc roots. - -It turns out that fs_info::reloc_ctl can be NULL in -btrfs_recover_relocation() as we allocate relocation control after all -reloc roots have been verified. -So when we hit: note, we haven't called set_reloc_control() thus -fs_info::reloc_ctl is still NULL. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833 -Reported-by: Xu Wen -Signed-off-by: Qu Wenruo -Tested-by: Gu Jinxiang -Reviewed-by: David Sterba -Signed-off-by: David Sterba ---- - fs/btrfs/relocation.c | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c -index 229f721cbde9..b98d7a594542 100644 ---- a/fs/btrfs/relocation.c -+++ b/fs/btrfs/relocation.c -@@ -1281,18 +1281,19 @@ static void __del_reloc_root(struct btrfs_root *root) - struct mapping_node *node = NULL; - struct reloc_control *rc = fs_info->reloc_ctl; - -- spin_lock(&rc->reloc_root_tree.lock); -- rb_node = tree_search(&rc->reloc_root_tree.rb_root, -- root->node->start); -- if (rb_node) { -- node = rb_entry(rb_node, struct mapping_node, rb_node); -- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); -+ if (rc) { -+ spin_lock(&rc->reloc_root_tree.lock); -+ rb_node = tree_search(&rc->reloc_root_tree.rb_root, -+ root->node->start); -+ if (rb_node) { -+ node = rb_entry(rb_node, struct mapping_node, rb_node); -+ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); -+ } -+ spin_unlock(&rc->reloc_root_tree.lock); -+ if (!node) -+ return; -+ BUG_ON((struct btrfs_root *)node->data != root); - } -- 
spin_unlock(&rc->reloc_root_tree.lock); -- -- if (!node) -- return; -- BUG_ON((struct btrfs_root *)node->data != root); - - spin_lock(&fs_info->trans_lock); - list_del_init(&root->root_list); --- -2.19.0 - diff --git a/debian/patches/bugfix/all/hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch b/debian/patches/bugfix/all/hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch deleted file mode 100644 index cca99b968..000000000 --- a/debian/patches/bugfix/all/hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= - -Date: Thu, 23 Aug 2018 17:00:25 -0700 -Subject: hfsplus: fix NULL dereference in hfsplus_lookup() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 - -An HFS+ filesystem can be mounted read-only without having a metadata -directory, which is needed to support hardlinks. But if the catalog -data is corrupted, a directory lookup may still find dentries claiming -to be hardlinks. - -hfsplus_lookup() does check that ->hidden_dir is not NULL in such a -situation, but mistakenly does so after dereferencing it for the first -time. Reorder this check to prevent a crash. - -This happens when looking up corrupted catalog data (dentry) on a -filesystem with no metadata directory (this could only ever happen on a -read-only mount). Wen Xu sent the replication steps in detail to the -fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297 - -Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf -Signed-off-by: Ernesto A. Fernández -Reported-by: Wen Xu -Cc: Viacheslav Dubeyko -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - fs/hfsplus/dir.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c -index c5a70f83dbe7..f37662675c3a 100644 ---- a/fs/hfsplus/dir.c -+++ b/fs/hfsplus/dir.c -@@ -77,13 +77,13 @@ static struct dentry *hfsplus_lookup(struct inode *dir, struct dentry *dentry, - cpu_to_be32(HFSP_HARDLINK_TYPE) && - entry.file.user_info.fdCreator == - cpu_to_be32(HFSP_HFSPLUS_CREATOR) && -+ HFSPLUS_SB(sb)->hidden_dir && - (entry.file.create_date == - HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)-> - create_date || - entry.file.create_date == - HFSPLUS_I(d_inode(sb->s_root))-> -- create_date) && -- HFSPLUS_SB(sb)->hidden_dir) { -+ create_date)) { - struct qstr str; - char name[32]; - --- -2.19.0 - 
diff --git a/debian/patches/debian/abi/mm-avoid-abi-change-in-4.18.7.patch b/debian/patches/debian/abi/mm-avoid-abi-change-in-4.18.7.patch new file mode 100644 index 000000000..ea0bd0b08 --- /dev/null +++ b/debian/patches/debian/abi/mm-avoid-abi-change-in-4.18.7.patch @@ -0,0 +1,30 @@ +From: Ben Hutchings +Date: Mon, 17 Sep 2018 01:11:22 +0100 +Subject: mm: Avoid ABI change in 4.18.7 +Forwarded: not-needed + +Commit 8bfd9029bc79 "powerpc/64s: Fix page table fragment refcount race +vs speculative references" introduced a union with another alternate use +for one of the words in struct page. + +The layout of the structure is unchanged, and this use is private to +the powerpc page table allocator, so it's not actually an ABI change. +Therefore hide it from genksyms. +--- +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -139,10 +139,14 @@ struct page { + unsigned long _pt_pad_1; /* compound_head */ + pgtable_t pmd_huge_pte; /* protected by page->ptl */ + unsigned long _pt_pad_2; /* mapping */ ++#ifndef __GENKSYMS__ + union { + struct mm_struct *pt_mm; /* x86 pgds only */ + atomic_t pt_frag_refcount; /* powerpc */ + }; ++#else ++ struct mm_struct *pt_mm; /* x86 pgds only */ ++#endif + #if ALLOC_SPLIT_PTLOCKS + spinlock_t *ptl; + #else diff --git a/debian/patches/series b/debian/patches/series index 723842c2f..be2e7448d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -142,8 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch -bugfix/all/btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch -bugfix/all/hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch 
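Review bot: The `#else` branch added to `struct page` in the nested mm_types.h hunk has no comment marking it as a genksyms-only view, so nothing at the code site records that the exported-symbol CRCs no longer track the real union. The description's claim that the layout is unchanged holds only while every union member fits in the pointer-sized slot that `pt_mm` occupied; if a later stable update adds or widens a member, the CRCs would presumably stay the same and modules built against the old layout would still pass the modversions check. I would add `/* genksyms-only view: keeps pre-4.18.7 symbol versions; the real layout is the union above, which must stay pointer-sized */` inside the `#else` branch, and say in the patch header that the patch is to be dropped at the next ABI bump. `struct page` begins and ends outside this hunk, so the rest of the structure cannot be checked from here.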
@@ -168,3 +166,4 @@ bugfix/all/usbip-fix-misuse-of-strncpy.patch debian/wireless-disable-regulatory.db-direct-loading.patch # ABI maintenance +debian/abi/mm-avoid-abi-change-in-4.18.7.patch