From f26f2a520dba14faf15a49c868fe32a05cc4f26e Mon Sep 17 00:00:00 2001 From: Lukas Wunner Date: Wed, 19 Apr 2017 11:30:57 +0200 Subject: [PATCH] Update to 4.11-rc6 Remove merged patches and rebase remaining patches. A portion of the secureboot patches have been upstreamed, but were changed substantially during review, primarily to avoid code duplication among arches. I've stripped the patches of the merged bits and rebased the remainder. Signed-off-by: Lukas Wunner [bwh: Undo some incorrect context changes in bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch] --- debian/changelog | 6 + ...-polling-mode-when-GPE-is-not-enable.patch | 167 ------------------ ...-redundant-log-messages-from-drivers.patch | 106 +++++------ ...ftdep-declarations-for-hard-coded-cr.patch | 16 -- ...overflow-in-check-for-priv-area-size.patch | 34 ---- ...ix-overflow-in-check-for-tp_frame_nr.patch | 31 ---- ...fix-overflow-in-check-for-tp_reserve.patch | 27 --- ...eck-length-passed-to-sg_next_cmd_len.patch | 29 --- ...t-fix-use-of-uninitialized-variables.patch | 20 --- ...m_msg_newae-incoming-esn-size-harder.patch | 34 ---- ...e-xfrma_replay_esn_val-replay_window.patch | 42 ----- ...a-move-exports-to-actual-definitions.patch | 2 +- .../rtc-tegra-implement-clock-handling.patch | 120 ------------- ...ert-m68k-move-exports-to-definitions.patch | 6 +- ...ix-condition-for-including-cpudata.h.patch | 30 ---- ...ct-dw_dmac_core-since-it-s-mandatory.patch | 107 ----------- ...overflow-in-vmw_surface_define_ioctl.patch | 33 ---- ...-fix-page-struct-leak-in-handle_vmon.patch | 40 ----- ...r-wmi-setup-accelerometer-when-machi.patch | 79 --------- ...eference-in-vmw_surface_define_ioctl.patch | 29 --- ...ix-apic-id-mismatch-warning-on-intel.patch | 57 ------ ...warn-about-expected-w+x-pages-on-xen.patch | 2 +- .../debian/fjes-disable-autoload.patch | 2 +- debian/patches/debian/kernelvariables.patch | 2 +- .../debian/sched-autogroup-disabled.patch | 4 +- .../time-mark-timer_stats-as-broken.patch | 21 --- .../patches/debian/tools-perf-version.patch | 5 +- debian/patches/debian/version.patch | 8 +- .../debian/yama-disable-by-default.patch | 2 +- .../features/all/aufs4/aufs4-mmap.patch | 8 +- ...i-table-override-if-securelevel-is-s.patch | 8 +- ...tomatically-set-securelevel-when-in-.patch | 74 +------- ...-config-option-to-set-securelevel-wh.patch | 19 -- ...e-secure-boot-if-shim-is-in-insecure.patch | 59 ------- ...ure-boot-if-shim-is-in-insecure-mode.patch | 66 ------- .../enable-cold-boot-attack-mitigation.patch | 8 +- ...-port-access-when-securelevel-is-ena.patch | 2 +- ...mnia-add-support-for-ethernet-switch.patch | 102 ----------- debian/patches/series | 19 -- 39 files changed, 93 insertions(+), 1333 deletions(-) delete mode 100644 debian/patches/bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch delete mode 100644 debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch delete mode 100644 debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch delete mode 100644 debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch delete mode 100644 debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch delete mode 100644 debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch delete mode 100644 debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch delete mode 100644 debian/patches/bugfix/arm64/rtc-tegra-implement-clock-handling.patch delete mode 100644 debian/patches/bugfix/sparc/sparc-topology_64.h-fix-condition-for-including-cpudata.h.patch delete mode 100644 debian/patches/bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch delete mode 100644 debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch delete mode 100644 debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch delete mode 100644 debian/patches/bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch delete mode 100644 debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch delete mode 100644 debian/patches/bugfix/x86/x86-xen-fix-apic-id-mismatch-warning-on-intel.patch delete mode 100644 debian/patches/debian/time-mark-timer_stats-as-broken.patch delete mode 100644 debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch delete mode 100644 debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch delete mode 100644 debian/patches/features/arm/arm-dts-turris-omnia-add-support-for-ethernet-switch.patch diff --git a/debian/changelog b/debian/changelog index cf4442309..da354eb71 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux (4.11~rc6-1~exp1) UNRELEASED; urgency=medium + + * New upstream release candidate + + -- Lukas Wunner Sun, 16 Apr 2017 16:09:27 +0200 + linux (4.10.7-1~exp1) experimental; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch b/debian/patches/bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch deleted file mode 100644 index ad94bb58b..000000000 --- a/debian/patches/bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch +++ /dev/null @@ -1,167 +0,0 @@ -From: Lv Zheng -Date: Fri, 20 Jan 2017 16:42:48 +0800 -Subject: ACPI / EC: Use busy polling mode when GPE is not enabled -Origin: https://git.kernel.org/linus/c3a696b6e8f8f75f9f75e556a9f9f6472eae2655 -Bug: https://bugzilla.kernel.org/show_bug.cgi?id=191561 -Bug-Debian: https://bugs.debian.org/846792 - -When GPE is not enabled, it is not efficient to use the wait polling mode -as it introduces an unexpected scheduler delay. -So before the GPE handler is installed, this patch uses busy polling mode -for all EC(s) and the logic can be applied to non boot EC(s) during the -suspend/resume process. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=191561 -Tested-by: Jakobus Schurz -Tested-by: Chen Yu -Signed-off-by: Lv Zheng -Signed-off-by: Rafael J. Wysocki ---- - drivers/acpi/ec.c | 62 ++++++++++++++++++++++++------------------------- - drivers/acpi/internal.h | 4 ++-- - 2 files changed, 32 insertions(+), 34 deletions(-) - -diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c -index 6a32cd4ec9da..c24235d8fb52 100644 ---- a/drivers/acpi/ec.c -+++ b/drivers/acpi/ec.c -@@ -704,12 +704,12 @@ static void start_transaction(struct acpi_ec *ec) - - static int ec_guard(struct acpi_ec *ec) - { -- unsigned long guard = usecs_to_jiffies(ec_polling_guard); -+ unsigned long guard = usecs_to_jiffies(ec->polling_guard); - unsigned long timeout = ec->timestamp + guard; - - /* Ensure guarding period before polling EC status */ - do { -- if (ec_busy_polling) { -+ if (ec->busy_polling) { - /* Perform busy polling */ - if (ec_transaction_completed(ec)) - return 0; -@@ -973,6 +973,28 @@ static void acpi_ec_stop(struct acpi_ec *ec, bool suspending) - spin_unlock_irqrestore(&ec->lock, flags); - } - -+static void acpi_ec_enter_noirq(struct acpi_ec *ec) -+{ -+ unsigned long flags; -+ -+ spin_lock_irqsave(&ec->lock, flags); -+ ec->busy_polling = true; -+ ec->polling_guard = 0; -+ ec_log_drv("interrupt blocked"); -+ spin_unlock_irqrestore(&ec->lock, flags); -+} -+ -+static void acpi_ec_leave_noirq(struct acpi_ec *ec) -+{ -+ unsigned long flags; -+ -+ spin_lock_irqsave(&ec->lock, flags); -+ ec->busy_polling = ec_busy_polling; -+ ec->polling_guard = ec_polling_guard; -+ ec_log_drv("interrupt unblocked"); -+ spin_unlock_irqrestore(&ec->lock, flags); -+} -+ - void acpi_ec_block_transactions(void) - { - struct acpi_ec *ec = first_ec; -@@ -1253,7 +1275,7 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, - if (function != ACPI_READ && function != ACPI_WRITE) - return AE_BAD_PARAMETER; - -- if (ec_busy_polling || bits > 8) -+ if (ec->busy_polling || bits > 8) - acpi_ec_burst_enable(ec); - - for (i = 0; i < bytes; ++i, ++address, ++value) -@@ -1261,7 +1283,7 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, - acpi_ec_read(ec, address, value) : - acpi_ec_write(ec, address, *value); - -- if (ec_busy_polling || bits > 8) -+ if (ec->busy_polling || bits > 8) - acpi_ec_burst_disable(ec); - - switch (result) { -@@ -1304,6 +1326,8 @@ static struct acpi_ec *acpi_ec_alloc(void) - spin_lock_init(&ec->lock); - INIT_WORK(&ec->work, acpi_ec_event_handler); - ec->timestamp = jiffies; -+ ec->busy_polling = true; -+ ec->polling_guard = 0; - return ec; - } - -@@ -1365,6 +1389,7 @@ static int ec_install_handlers(struct acpi_ec *ec, bool handle_events) - acpi_ec_start(ec, false); - - if (!test_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags)) { -+ acpi_ec_enter_noirq(ec); - status = acpi_install_address_space_handler(ec->handle, - ACPI_ADR_SPACE_EC, - &acpi_ec_space_handler, -@@ -1404,6 +1429,7 @@ static int ec_install_handlers(struct acpi_ec *ec, bool handle_events) - /* This is not fatal as we can poll EC events */ - if (ACPI_SUCCESS(status)) { - set_bit(EC_FLAGS_GPE_HANDLER_INSTALLED, &ec->flags); -+ acpi_ec_leave_noirq(ec); - if (test_bit(EC_FLAGS_STARTED, &ec->flags) && - ec->reference_count >= 1) - acpi_ec_enable_gpe(ec, true); -@@ -1786,34 +1812,6 @@ int __init acpi_ec_ecdt_probe(void) - } - - #ifdef CONFIG_PM_SLEEP --static void acpi_ec_enter_noirq(struct acpi_ec *ec) --{ -- unsigned long flags; -- -- if (ec == first_ec) { -- spin_lock_irqsave(&ec->lock, flags); -- ec->saved_busy_polling = ec_busy_polling; -- ec->saved_polling_guard = ec_polling_guard; -- ec_busy_polling = true; -- ec_polling_guard = 0; -- ec_log_drv("interrupt blocked"); -- spin_unlock_irqrestore(&ec->lock, flags); -- } --} -- --static void acpi_ec_leave_noirq(struct acpi_ec *ec) --{ -- unsigned long flags; -- -- if (ec == first_ec) { -- spin_lock_irqsave(&ec->lock, flags); -- ec_busy_polling = ec->saved_busy_polling; -- ec_polling_guard = ec->saved_polling_guard; -- ec_log_drv("interrupt unblocked"); -- spin_unlock_irqrestore(&ec->lock, flags); -- } --} -- - static int acpi_ec_suspend_noirq(struct device *dev) - { - struct acpi_ec *ec = -diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h -index 0c452265c111..219b90bc0922 100644 ---- a/drivers/acpi/internal.h -+++ b/drivers/acpi/internal.h -@@ -172,8 +172,8 @@ struct acpi_ec { - struct work_struct work; - unsigned long timestamp; - unsigned long nr_pending_queries; -- bool saved_busy_polling; -- unsigned int saved_polling_guard; -+ bool busy_polling; -+ unsigned int polling_guard; - }; - - extern struct acpi_ec *first_ec; --- -2.11.0 - diff --git a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch index 2e36aeea8..fe0d5f1b1 100644 --- a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch +++ b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch @@ -53,7 +53,7 @@ upstream submission. /* disable MPU */ --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -918,10 +918,8 @@ static enum ucode_state request_microcod +@@ -734,10 +734,8 @@ static enum ucode_state request_microcod if (c->x86 >= 0x15) snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); @@ -96,7 +96,7 @@ upstream submission. fw_size = firmware->size / sizeof(u32); --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c -@@ -422,10 +422,8 @@ static int ath3k_load_patch(struct usb_d +@@ -424,10 +424,8 @@ static int ath3k_load_patch(struct usb_d le32_to_cpu(fw_version.rom_version)); ret = request_firmware(&firmware, filename, &udev->dev); @@ -108,7 +108,7 @@ upstream submission. pt_rom_version = get_unaligned_le32(firmware->data + firmware->size - 8); -@@ -485,10 +483,8 @@ static int ath3k_load_syscfg(struct usb_ +@@ -487,10 +485,8 @@ static int ath3k_load_syscfg(struct usb_ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu"); ret = request_firmware(&firmware, filename, &udev->dev); @@ -233,7 +233,7 @@ upstream submission. where = 0; --- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c +++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c -@@ -1793,10 +1793,8 @@ gf100_gr_ctor_fw_legacy(struct gf100_gr +@@ -1821,10 +1821,8 @@ gf100_gr_ctor_fw_legacy(struct gf100_gr if (ret) { snprintf(f, sizeof(f), "nouveau/%s", fwname); ret = request_firmware(&fw, f, device->dev); @@ -364,9 +364,9 @@ upstream submission. + if (request_firmware(&state->frontend_firmware, "dib9090.fw", &adap->dev->udev->dev)) return -ENODEV; - } else { -- deb_info("%s: firmware read %Zu bytes.\n", __func__, state->frontend_firmware->size); +- deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size); - } -+ deb_info("%s: firmware read %Zu bytes.\n", __func__, state->frontend_firmware->size); ++ deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size); stk9090m_config.microcode_B_fe_size = state->frontend_firmware->size; stk9090m_config.microcode_B_fe_buffer = state->frontend_firmware->data; @@ -379,15 +379,15 @@ upstream submission. + if (request_firmware(&state->frontend_firmware, "dib9090.fw", &adap->dev->udev->dev)) return -EIO; - } else { -- deb_info("%s: firmware read %Zu bytes.\n", __func__, state->frontend_firmware->size); +- deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size); - } -+ deb_info("%s: firmware read %Zu bytes.\n", __func__, state->frontend_firmware->size); ++ deb_info("%s: firmware read %zu bytes.\n", __func__, state->frontend_firmware->size); nim9090md_config[0].microcode_B_fe_size = state->frontend_firmware->size; nim9090md_config[0].microcode_B_fe_buffer = state->frontend_firmware->data; nim9090md_config[1].microcode_B_fe_size = state->frontend_firmware->size; --- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c +++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c -@@ -79,13 +79,9 @@ int dvb_usb_download_firmware(struct usb +@@ -88,13 +88,9 @@ int dvb_usb_download_firmware(struct usb int ret; const struct firmware *fw = NULL; @@ -439,7 +439,7 @@ upstream submission. p = kmalloc(fw->size, GFP_KERNEL); --- a/drivers/media/dvb-frontends/af9013.c +++ b/drivers/media/dvb-frontends/af9013.c -@@ -1380,16 +1380,8 @@ static int af9013_download_firmware(stru +@@ -1376,16 +1376,8 @@ static int af9013_download_firmware(stru /* request the firmware, this will block and timeout */ ret = request_firmware(&fw, fw_file, state->i2c->dev.parent); @@ -491,7 +491,7 @@ upstream submission. * during loading */ --- a/drivers/media/dvb-frontends/drxd_hard.c +++ b/drivers/media/dvb-frontends/drxd_hard.c -@@ -905,10 +905,8 @@ static int load_firmware(struct drxd_sta +@@ -901,10 +901,8 @@ static int load_firmware(struct drxd_sta { const struct firmware *fw; @@ -505,7 +505,7 @@ upstream submission. if (state->microcode == NULL) { --- a/drivers/media/dvb-frontends/drxk_hard.c +++ b/drivers/media/dvb-frontends/drxk_hard.c -@@ -6284,10 +6284,6 @@ static void load_firmware_cb(const struc +@@ -6280,10 +6280,6 @@ static void load_firmware_cb(const struc dprintk(1, ": %s\n", fw ? "firmware loaded" : "firmware not loaded"); if (!fw) { @@ -534,7 +534,7 @@ upstream submission. if (ret) --- a/drivers/media/dvb-frontends/nxt200x.c +++ b/drivers/media/dvb-frontends/nxt200x.c -@@ -890,12 +890,8 @@ static int nxt2002_init(struct dvb_front +@@ -886,12 +886,8 @@ static int nxt2002_init(struct dvb_front __func__, NXT2002_DEFAULT_FIRMWARE); ret = request_firmware(&fw, NXT2002_DEFAULT_FIRMWARE, state->i2c->dev.parent); @@ -548,7 +548,7 @@ upstream submission. ret = nxt2002_load_firmware(fe, fw); release_firmware(fw); -@@ -957,12 +953,8 @@ static int nxt2004_init(struct dvb_front +@@ -953,12 +949,8 @@ static int nxt2004_init(struct dvb_front __func__, NXT2004_DEFAULT_FIRMWARE); ret = request_firmware(&fw, NXT2004_DEFAULT_FIRMWARE, state->i2c->dev.parent); @@ -564,7 +564,7 @@ upstream submission. release_firmware(fw); --- a/drivers/media/dvb-frontends/or51132.c +++ b/drivers/media/dvb-frontends/or51132.c -@@ -341,10 +341,8 @@ static int or51132_set_parameters(struct +@@ -337,10 +337,8 @@ static int or51132_set_parameters(struct printk("or51132: Waiting for firmware upload(%s)...\n", fwname); ret = request_firmware(&fw, fwname, state->i2c->dev.parent); @@ -578,7 +578,7 @@ upstream submission. if (ret) { --- a/drivers/media/dvb-frontends/or51211.c +++ b/drivers/media/dvb-frontends/or51211.c -@@ -375,11 +375,8 @@ static int or51211_init(struct dvb_front +@@ -371,11 +371,8 @@ static int or51211_init(struct dvb_front OR51211_DEFAULT_FIRMWARE); ret = config->request_firmware(fe, &fw, OR51211_DEFAULT_FIRMWARE); @@ -629,7 +629,7 @@ upstream submission. - __func__); return -EIO; } else { - printk(KERN_INFO "%s: firmware read %Zu bytes.\n", + printk(KERN_INFO "%s: firmware read %zu bytes.\n", --- a/drivers/media/dvb-frontends/tda1004x.c +++ b/drivers/media/dvb-frontends/tda1004x.c @@ -401,10 +401,8 @@ static int tda10045_fwupload(struct dvb_ @@ -670,7 +670,7 @@ upstream submission. for (i = 0; i < ARRAY_SIZE(tab2); i++) { --- a/drivers/media/pci/ngene/ngene-core.c +++ b/drivers/media/pci/ngene/ngene-core.c -@@ -1260,13 +1260,8 @@ static int ngene_load_firm(struct ngene +@@ -1256,13 +1256,8 @@ static int ngene_load_firm(struct ngene break; } @@ -685,7 +685,7 @@ upstream submission. if (size == 0) size = fw->size; if (size != fw->size) { -@@ -1274,8 +1269,6 @@ static int ngene_load_firm(struct ngene +@@ -1270,8 +1265,6 @@ static int ngene_load_firm(struct ngene ": Firmware %s has invalid size!", fw_name); err = -1; } else { @@ -696,7 +696,7 @@ upstream submission. } --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c -@@ -1162,10 +1162,8 @@ static int smscore_load_firmware_from_fi +@@ -1158,10 +1158,8 @@ static int smscore_load_firmware_from_fi return -EINVAL; rc = request_firmware(&fw, fw_filename, coredev->device); @@ -710,7 +710,7 @@ upstream submission. SMS_ALLOC_ALIGNMENT), GFP_KERNEL | GFP_DMA); --- a/drivers/media/pci/ttpci/av7110.c +++ b/drivers/media/pci/ttpci/av7110.c -@@ -1513,13 +1513,8 @@ static int get_firmware(struct av7110* a +@@ -1510,13 +1510,8 @@ static int get_firmware(struct av7110* a /* request the av7110 firmware, this will block until someone uploads it */ ret = request_firmware(&fw, "dvb-ttpci-01.fw", &av7110->dev->pci->dev); if (ret) { @@ -728,7 +728,7 @@ upstream submission. --- a/drivers/media/pci/ttpci/av7110_hw.c +++ b/drivers/media/pci/ttpci/av7110_hw.c -@@ -250,11 +250,8 @@ int av7110_bootarm(struct av7110 *av7110 +@@ -247,11 +247,8 @@ int av7110_bootarm(struct av7110 *av7110 //saa7146_setgpio(dev, 3, SAA7146_GPIO_INPUT); ret = request_firmware(&fw, fw_name, &dev->pci->dev); @@ -757,7 +757,7 @@ upstream submission. b[0] = 0xaa; --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c -@@ -1348,11 +1348,8 @@ static int ttusb_dec_boot_dsp(struct ttu +@@ -1344,11 +1344,8 @@ static int ttusb_dec_boot_dsp(struct ttu dprintk("%s\n", __func__); result = request_firmware(&fw_entry, dec->firmware_name, &dec->udev->dev); @@ -772,7 +772,7 @@ upstream submission. firmware_size = fw_entry->size; --- a/drivers/media/radio/radio-wl1273.c +++ b/drivers/media/radio/radio-wl1273.c -@@ -514,11 +514,8 @@ static int wl1273_fm_upload_firmware_pat +@@ -510,11 +510,8 @@ static int wl1273_fm_upload_firmware_pat * Uploading the firmware patch is not always necessary, * so we only print an info message. */ @@ -787,7 +787,7 @@ upstream submission. packet_num = ptr[0]; --- a/drivers/media/radio/wl128x/fmdrv_common.c +++ b/drivers/media/radio/wl128x/fmdrv_common.c -@@ -1246,10 +1246,8 @@ static int fm_download_firmware(struct f +@@ -1242,10 +1242,8 @@ static int fm_download_firmware(struct f ret = request_firmware(&fw_entry, fw_name, &fmdev->radio_dev->dev); @@ -815,7 +815,7 @@ upstream submission. btv->c.nr, (rc < 0) ? "failed" : "ok"); --- a/drivers/media/usb/cpia2/cpia2_core.c +++ b/drivers/media/usb/cpia2/cpia2_core.c -@@ -907,11 +907,8 @@ static int apply_vp_patch(struct camera_ +@@ -904,11 +904,8 @@ static int apply_vp_patch(struct camera_ struct cpia2_command cmd; ret = request_firmware(&fw, fw_name, &cam->dev->dev); @@ -830,7 +830,7 @@ upstream submission. cmd.direction = TRANSFER_WRITE; --- a/drivers/media/pci/cx18/cx18-av-firmware.c +++ b/drivers/media/pci/cx18/cx18-av-firmware.c -@@ -84,10 +84,8 @@ int cx18_av_loadfw(struct cx18 *cx) +@@ -79,10 +79,8 @@ int cx18_av_loadfw(struct cx18 *cx) int i; int retries1 = 0; @@ -844,7 +844,7 @@ upstream submission. retries, both at byte level and at the firmware load level. */ --- a/drivers/media/pci/cx18/cx18-dvb.c +++ b/drivers/media/pci/cx18/cx18-dvb.c -@@ -141,9 +141,7 @@ static int yuan_mpc718_mt352_reqfw(struc +@@ -137,9 +137,7 @@ static int yuan_mpc718_mt352_reqfw(struc int ret; ret = request_firmware(fw, fn, &cx->pci_dev->dev); @@ -857,7 +857,7 @@ upstream submission. CX18_ERR("Firmware %s has a bad size: %lu bytes\n", --- a/drivers/media/pci/cx18/cx18-firmware.c +++ b/drivers/media/pci/cx18/cx18-firmware.c -@@ -106,11 +106,8 @@ static int load_cpu_fw_direct(const char +@@ -101,11 +101,8 @@ static int load_cpu_fw_direct(const char u32 __iomem *dst = (u32 __iomem *)mem; const u32 *src; @@ -870,7 +870,7 @@ upstream submission. src = (const u32 *)fw->data; -@@ -151,8 +148,6 @@ static int load_apu_fw_direct(const char +@@ -146,8 +143,6 @@ static int load_apu_fw_direct(const char int sz; if (request_firmware(&fw, fn, &cx->pci_dev->dev)) { @@ -881,7 +881,7 @@ upstream submission. } --- a/drivers/media/usb/cx231xx/cx231xx-417.c +++ b/drivers/media/usb/cx231xx/cx231xx-417.c -@@ -999,11 +999,6 @@ static int cx231xx_load_firmware(struct +@@ -995,11 +995,6 @@ static int cx231xx_load_firmware(struct dev->dev); if (retval != 0) { @@ -925,7 +925,7 @@ upstream submission. release_firmware(fw); --- a/drivers/media/i2c/cx25840/cx25840-firmware.c +++ b/drivers/media/i2c/cx25840/cx25840-firmware.c -@@ -126,10 +126,8 @@ int cx25840_loadfw(struct i2c_client *cl +@@ -122,10 +122,8 @@ int cx25840_loadfw(struct i2c_client *cl if (is_cx231xx(state) && max_buf_size > 16) max_buf_size = 16; @@ -955,7 +955,7 @@ upstream submission. pr_err("Firmware size mismatch (have %zd, expected %d)\n", --- a/drivers/media/usb/gspca/vicam.c +++ b/drivers/media/usb/gspca/vicam.c -@@ -243,10 +243,8 @@ static int sd_init(struct gspca_dev *gsp +@@ -239,10 +239,8 @@ static int sd_init(struct gspca_dev *gsp ret = request_ihex_firmware(&fw, VICAM_FIRMWARE, &gspca_dev->dev->dev); @@ -980,7 +980,7 @@ upstream submission. --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c -@@ -1381,25 +1381,6 @@ static int pvr2_locate_firmware(struct p +@@ -1377,25 +1377,6 @@ static int pvr2_locate_firmware(struct p "request_firmware fatal error with code=%d",ret); return ret; } @@ -1008,7 +1008,7 @@ upstream submission. --- a/drivers/media/usb/s2255/s2255drv.c +++ b/drivers/media/usb/s2255/s2255drv.c -@@ -2308,10 +2308,8 @@ static int s2255_probe(struct usb_interf +@@ -2304,10 +2304,8 @@ static int s2255_probe(struct usb_interf } /* load the first chunk */ if (request_firmware(&dev->fw_data->fw, @@ -1036,7 +1036,7 @@ upstream submission. release_firmware(fw_blob); --- a/drivers/media/pci/saa7164/saa7164-fw.c +++ b/drivers/media/pci/saa7164/saa7164-fw.c -@@ -420,11 +420,8 @@ int saa7164_downloadfirmware(struct saa7 +@@ -416,11 +416,8 @@ int saa7164_downloadfirmware(struct saa7 __func__, fwname); ret = request_firmware(&fw, fwname, &dev->pci->dev); @@ -1047,7 +1047,7 @@ upstream submission. return -ENOMEM; - } - printk(KERN_INFO "%s() firmware read %Zu bytes.\n", + printk(KERN_INFO "%s() firmware read %zu bytes.\n", __func__, fw->size); --- a/drivers/misc/ti-st/st_kim.c +++ b/drivers/misc/ti-st/st_kim.c @@ -1161,7 +1161,7 @@ upstream submission. if (bp->mips_firmware->size < sizeof(*mips_fw) || --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c -@@ -13492,11 +13492,8 @@ static int bnx2x_init_firmware(struct bn +@@ -13490,11 +13490,8 @@ static int bnx2x_init_firmware(struct bn BNX2X_DEV_INFO("Loading %s\n", fw_file_name); rc = request_firmware(&bp->firmware, fw_file_name, &bp->pdev->dev); @@ -1176,7 +1176,7 @@ upstream submission. if (rc) { --- a/drivers/net/ethernet/broadcom/tg3.c +++ b/drivers/net/ethernet/broadcom/tg3.c -@@ -11349,11 +11349,8 @@ static int tg3_request_firmware(struct t +@@ -11350,11 +11350,8 @@ static int tg3_request_firmware(struct t { const struct tg3_firmware_hdr *fw_hdr; @@ -1259,7 +1259,7 @@ upstream submission. netif_info(nic, probe, nic->netdev, --- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c -@@ -596,8 +596,6 @@ static int myri10ge_load_hotplug_firmwar +@@ -581,8 +581,6 @@ static int myri10ge_load_hotplug_firmwar unsigned i; if ((status = request_firmware(&fw, mgp->fw_name, dev)) < 0) { @@ -1270,7 +1270,7 @@ upstream submission. } --- a/drivers/net/ethernet/smsc/smc91c92_cs.c +++ b/drivers/net/ethernet/smsc/smc91c92_cs.c -@@ -646,10 +646,8 @@ static int osi_load_firmware(struct pcmc +@@ -647,10 +647,8 @@ static int osi_load_firmware(struct pcmc int i, err; err = request_firmware(&fw, FIRMWARE_NAME, &link->dev); @@ -1509,13 +1509,13 @@ upstream submission. else --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -@@ -224,10 +224,8 @@ static int iwl_request_firmware(struct i +@@ -222,10 +222,8 @@ static int iwl_request_firmware(struct i sprintf(tag, "%d", drv->fw_index); } -- if (drv->fw_index < drv->cfg->ucode_api_min) { +- if (drv->fw_index < drv->trans->cfg->ucode_api_min) { - IWL_ERR(drv, "no suitable firmware found!\n"); -+ if (drv->fw_index < drv->cfg->ucode_api_min) ++ if (drv->fw_index < drv->trans->cfg->ucode_api_min) return -ENOENT; - } @@ -1534,7 +1534,7 @@ upstream submission. } --- a/drivers/net/wireless/marvell/mwifiex/main.c +++ b/drivers/net/wireless/marvell/mwifiex/main.c -@@ -524,11 +524,8 @@ static void mwifiex_fw_dpc(const struct +@@ -521,11 +521,8 @@ static void mwifiex_fw_dpc(const struct struct wireless_dev *wdev; struct completion *fw_done = adapter->fw_done; @@ -1628,7 +1628,7 @@ upstream submission. --- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c -@@ -1667,7 +1667,6 @@ static int ezusb_probe(struct usb_interf +@@ -1665,7 +1665,6 @@ static int ezusb_probe(struct usb_interf if (ezusb_firmware_download(upriv, &firmware) < 0) goto error; } else { @@ -1906,7 +1906,7 @@ upstream submission. } --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -5652,8 +5652,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha, +@@ -6420,8 +6420,6 @@ qla2x00_load_risc(scsi_qla_host_t *vha, /* Load firmware blob. */ blob = qla2x00_request_firmware(vha); if (!blob) { @@ -1915,7 +1915,7 @@ upstream submission. ql_log(ql_log_info, vha, 0x0084, "Firmware images can be retrieved from: "QLA_FW_URL ".\n"); return QLA_FUNCTION_FAILED; -@@ -5755,8 +5753,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t * +@@ -6523,8 +6521,6 @@ qla24xx_load_risc_blob(scsi_qla_host_t * /* Load firmware blob. */ blob = qla2x00_request_firmware(vha); if (!blob) { @@ -1941,7 +1941,7 @@ upstream submission. if (qla82xx_validate_firmware_blob(vha, --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -5841,8 +5841,6 @@ qla2x00_request_firmware(scsi_qla_host_t +@@ -5956,8 +5956,6 @@ qla2x00_request_firmware(scsi_qla_host_t goto out; if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) { @@ -2316,7 +2316,7 @@ upstream submission. } --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c -@@ -299,11 +299,8 @@ static void update_edgeport_E2PROM(struc +@@ -379,11 +379,8 @@ static void update_edgeport_E2PROM(struc response = request_ihex_firmware(&fw, fw_name, &edge_serial->serial->dev->dev); @@ -2342,7 +2342,7 @@ upstream submission. --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -1706,10 +1706,8 @@ static int ti_download_firmware(struct t +@@ -1702,10 +1702,8 @@ static int ti_download_firmware(struct t } check_firmware: @@ -2445,7 +2445,7 @@ upstream submission. snd_printk(KERN_INFO "sscape: MIDI firmware loaded %zu KBs\n", --- a/sound/isa/wavefront/wavefront_synth.c +++ b/sound/isa/wavefront/wavefront_synth.c -@@ -1956,10 +1956,8 @@ wavefront_download_firmware (snd_wavefro +@@ -1957,10 +1957,8 @@ wavefront_download_firmware (snd_wavefro const struct firmware *firmware; err = request_firmware(&firmware, path, dev->card->dev); @@ -2499,7 +2499,7 @@ upstream submission. snd_emu1010_fpga_read(emu, EMU_HANA_ID, ®); --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c -@@ -1815,10 +1815,8 @@ static void azx_firmware_cb(const struct +@@ -1827,10 +1827,8 @@ static void azx_firmware_cb(const struct struct azx *chip = card->private_data; struct pci_dev *pci = chip->pci; diff --git a/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch b/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch index 83360e99c..af00757a0 100644 --- a/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch +++ b/debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch @@ -16,22 +16,6 @@ Signed-off-by: Ben Hutchings MODULE_LICENSE("GPL"); +MODULE_SOFTDEP("pre: crypto-crc32c"); ---- a/fs/cifs/cifsfs.c -+++ b/fs/cifs/cifsfs.c -@@ -1365,5 +1365,13 @@ MODULE_DESCRIPTION - ("VFS to access servers complying with the SNIA CIFS Specification " - "e.g. Samba and Windows"); - MODULE_VERSION(CIFS_VERSION); -+ -+#ifdef CONFIG_CIFS_SMB2 -+#define CIFS_SMB2_EXTRA_SOFTDEPS " crypto-aes crypto-cmac crypto-sha256" -+#else -+#define CIFS_SMB2_EXTRA_SOFTDEPS "" -+#endif -+MODULE_SOFTDEP("pre: crypto-arc4 crypto-des crypto-ecb crypto-hmac crypto-md4 crypto-md5" CIFS_SMB2_EXTRA_SOFTDEPS); -+ - module_init(init_cifs) - module_exit(exit_cifs) --- a/fs/crypto/crypto.c +++ b/fs/crypto/crypto.c @@ -614,3 +614,4 @@ static void __exit fscrypt_exit(void) diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch deleted file mode 100644 index 51b6937bc..000000000 --- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Andrey Konovalov -Date: Wed, 29 Mar 2017 16:11:20 +0200 -Subject: net/packet: fix overflow in check for priv area size -Origin: https://patchwork.ozlabs.org/patch/744811/ -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308 - -Subtracting tp_sizeof_priv from tp_block_size and casting to int -to check whether one is less then the other doesn't always work -(both of them are unsigned ints). - -Compare them as is instead. - -Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as -it can overflow inside BLK_PLUS_PRIV otherwise. - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet ---- - net/packet/af_packet.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -4235,8 +4235,8 @@ static int packet_set_ring(struct sock * - if (unlikely(!PAGE_ALIGNED(req->tp_block_size))) - goto out; - if (po->tp_version >= TPACKET_V3 && -- (int)(req->tp_block_size - -- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) -+ req->tp_block_size <= -+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) - goto out; - if (unlikely(req->tp_frame_size < po->tp_hdrlen + - po->tp_reserve)) diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch deleted file mode 100644 index 02434c882..000000000 --- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Andrey Konovalov -Date: Wed, 29 Mar 2017 16:11:21 +0200 -Subject: net/packet: fix overflow in check for tp_frame_nr -Origin: https://patchwork.ozlabs.org/patch/744812/ -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308 - -When calculating rb->frames_per_block * req->tp_block_nr the result -can overflow. - -Add a check that tp_block_size * tp_block_nr <= UINT_MAX. - -Since frames_per_block <= tp_block_size, the expression would -never overflow. - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet ---- - net/packet/af_packet.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -4247,6 +4247,8 @@ static int packet_set_ring(struct sock * - rb->frames_per_block = req->tp_block_size / req->tp_frame_size; - if (unlikely(rb->frames_per_block == 0)) - goto out; -+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) -+ goto out; - if (unlikely((rb->frames_per_block * req->tp_block_nr) != - req->tp_frame_nr)) - goto out; diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch deleted file mode 100644 index 491c30a97..000000000 --- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Andrey Konovalov -Date: Wed, 29 Mar 2017 16:11:22 +0200 -Subject: net/packet: fix overflow in check for tp_reserve -Origin: https://patchwork.ozlabs.org/patch/744813/ -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308 - -When calculating po->tp_hdrlen + po->tp_reserve the result can overflow. - -Fix by checking that tp_reserve <= INT_MAX on assign. - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet ---- - net/packet/af_packet.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, i - return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; -+ if (val > INT_MAX) -+ return -EINVAL; - po->tp_reserve = val; - return 0; - } diff --git a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch b/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch deleted file mode 100644 index 7def878e3..000000000 --- a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: peter chang -Date: Wed, 15 Feb 2017 14:11:54 -0800 -Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN -Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187 - -The user can control the size of the next command passed along, but the -value passed to the ioctl isn't checked against the usable max command -size. - -Cc: -Signed-off-by: Peter Chang -Acked-by: Douglas Gilbert -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/sg.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int - result = get_user(val, ip); - if (result) - return result; -+ if (val > SG_MAX_CDB_SIZE) -+ return -ENOMEM; - sfp->next_cmd_len = (val > 0) ? val : 0; - return 0; - case SG_GET_VERSION_NUM: diff --git a/debian/patches/bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch b/debian/patches/bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch index a3564d77c..a9f91a3e1 100644 --- a/debian/patches/bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch +++ b/debian/patches/bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch @@ -12,16 +12,6 @@ Fix a number of correct warnings from gcc: 'index' is initialized only if indentation is wanted. Move the printing of indentation using 'index' into the same if-statement. -> kbuffer-parse.c:339:27: warning: 'length' may be used uninitialized in this function [-Wmaybe-uninitialized] -> kbuf->next = kbuf->index + length; -> ^ -> kbuffer-parse.c:297:15: note: 'length' was declared here -> unsigned int length; -> ^ - -'length' is not initialized when handling an OLD_RINGBUF_TYPE_TIME_EXTEND -record. Based on what trace-cmd does, set length = 0 in this case. - > kbuffer-parse.c: In function 'kbuffer_read_at_offset': > kbuffer-parse.c:632:9: warning: 'data' may be used uninitialized in this function [-Wmaybe-uninitialized] > return data; @@ -33,16 +23,6 @@ large. Signed-off-by: Ben Hutchings --- ---- a/tools/lib/traceevent/kbuffer-parse.c -+++ b/tools/lib/traceevent/kbuffer-parse.c -@@ -314,6 +314,7 @@ static unsigned int old_update_pointers( - extend <<= TS_SHIFT; - extend += delta; - delta = extend; -+ length = 0; - ptr += 4; - break; - @@ -613,7 +614,7 @@ unsigned long long kbuffer_timestamp(str void *kbuffer_read_at_offset(struct kbuffer *kbuf, int offset, unsigned long long *ts) diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch deleted file mode 100644 index faf3861a5..000000000 --- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Andy Whitcroft -Date: Thu, 23 Mar 2017 07:45:44 +0000 -Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size - harder -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184 - -Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to -wrapping issues. To ensure we are correctly ensuring that the two ESN -structures are the same size compare both the overall size as reported -by xfrm_replay_state_esn_len() and the internal length are the same. - -CVE-2017-7184 -Signed-off-by: Andy Whitcroft ---- - net/xfrm/xfrm_user.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index 81c4112..87e0c22 100644 ---- a/net/xfrm/xfrm_user.c -+++ b/net/xfrm/xfrm_user.c -@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es - up = nla_data(rp); - ulen = xfrm_replay_state_esn_len(up); - -- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) -+ /* Check the overall length and the internal bitmap length to avoid -+ * potential overflow. */ -+ if (nla_len(rp) < ulen || -+ xfrm_replay_state_esn_len(replay_esn) != ulen || -+ replay_esn->bmp_len != up->bmp_len) - return -EINVAL; - - if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch deleted file mode 100644 index 758973ece..000000000 --- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Andy Whitcroft -Date: Wed, 22 Mar 2017 07:29:31 +0000 -Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL - replay_window -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184 - -When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate -the user supplied replay_esn to ensure that the size is valid and to ensure -that the replay_window size is within the allocated buffer. However later -it is possible to update this replay_esn via a XFRM_MSG_NEWAE call. -There we again validate the size of the supplied buffer matches the -existing state and if so inject the contents. We do not at this point -check that the replay_window is within the allocated memory. This leads -to out-of-bounds reads and writes triggered by netlink packets. This leads -to memory corruption and the potential for priviledge escalation. - -We already attempt to validate the incoming replay information in -xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the -user is not trying to change the size of the replay state buffer which -includes the replay_esn. It however does not check the replay_window -remains within that buffer. Add validation of the contained replay_window. - -CVE-2017-7184 -Signed-off-by: Andy Whitcroft ---- - net/xfrm/xfrm_user.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c -index 0889209..81c4112 100644 ---- a/net/xfrm/xfrm_user.c -+++ b/net/xfrm/xfrm_user.c -@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es - if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) - return -EINVAL; - -+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) -+ return -EINVAL; -+ - return 0; - } - diff --git a/debian/patches/bugfix/alpha/revert-alpha-move-exports-to-actual-definitions.patch b/debian/patches/bugfix/alpha/revert-alpha-move-exports-to-actual-definitions.patch index aec9cb539..18998a5c4 100644 --- a/debian/patches/bugfix/alpha/revert-alpha-move-exports-to-actual-definitions.patch +++ b/debian/patches/bugfix/alpha/revert-alpha-move-exports-to-actual-definitions.patch @@ -56,8 +56,8 @@ index bf8475ce85ee..ffd9cf5ec8c4 100644 --- a/arch/alpha/include/asm/Kbuild +++ b/arch/alpha/include/asm/Kbuild @@ -3,7 +3,6 @@ + generic-y += clkdev.h - generic-y += cputime.h generic-y += exec.h -generic-y += export.h generic-y += irq_work.h diff --git a/debian/patches/bugfix/arm64/rtc-tegra-implement-clock-handling.patch b/debian/patches/bugfix/arm64/rtc-tegra-implement-clock-handling.patch deleted file mode 100644 index 178573f3f..000000000 --- a/debian/patches/bugfix/arm64/rtc-tegra-implement-clock-handling.patch +++ /dev/null @@ -1,120 +0,0 @@ -From: Thierry Reding -Date: Thu, 12 Jan 2017 17:07:43 +0100 -Subject: rtc: tegra: Implement clock handling -Origin: https://git.kernel.org/linus/5fa4086987506b2ab8c92f8f99f2295db9918856 -Bug-Debian: https://bugs.debian.org/858514 - -Accessing the registers of the RTC block on Tegra requires the module -clock to be enabled. This only works because the RTC module clock will -be enabled by default during early boot. However, because the clock is -unused, the CCF will disable it at late_init time. This causes the RTC -to become unusable afterwards. This can easily be reproduced by trying -to use the RTC: - - $ hwclock --rtc /dev/rtc1 - -This will hang the system. I ran into this by following up on a report -by Martin Michlmayr that reboot wasn't working on Tegra210 systems. It -turns out that the rtc-tegra driver's ->shutdown() implementation will -hang the CPU, because of the disabled clock, before the system can be -rebooted. - -What confused me for a while is that the same driver is used on prior -Tegra generations where the hang can not be observed. However, as Peter -De Schrijver pointed out, this is because on 32-bit Tegra chips the RTC -clock is enabled by the tegra20_timer.c clocksource driver, which uses -the RTC to provide a persistent clock. This code is never enabled on -64-bit Tegra because the persistent clock infrastructure does not exist -on 64-bit ARM. - -The proper fix for this is to add proper clock handling to the RTC -driver in order to ensure that the clock is enabled when the driver -requires it. All device trees contain the clock already, therefore -no additional changes are required. - -Reported-by: Martin Michlmayr -Acked-By Peter De Schrijver -Signed-off-by: Thierry Reding -Signed-off-by: Alexandre Belloni -[bwh: Backported to 4.9: adjust context] ---- - drivers/rtc/rtc-tegra.c | 28 ++++++++++++++++++++++++++-- - 1 file changed, 26 insertions(+), 2 deletions(-) - ---- a/drivers/rtc/rtc-tegra.c -+++ b/drivers/rtc/rtc-tegra.c -@@ -18,6 +18,7 @@ - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - */ - #include -+#include - #include - #include - #include -@@ -59,6 +60,7 @@ struct tegra_rtc_info { - struct platform_device *pdev; - struct rtc_device *rtc_dev; - void __iomem *rtc_base; /* NULL if not initialized. */ -+ struct clk *clk; - int tegra_rtc_irq; /* alarm and periodic irq */ - spinlock_t tegra_rtc_lock; - }; -@@ -326,6 +328,14 @@ static int __init tegra_rtc_probe(struct - if (info->tegra_rtc_irq <= 0) - return -EBUSY; - -+ info->clk = devm_clk_get(&pdev->dev, NULL); -+ if (IS_ERR(info->clk)) -+ return PTR_ERR(info->clk); -+ -+ ret = clk_prepare_enable(info->clk); -+ if (ret < 0) -+ return ret; -+ - /* set context info. */ - info->pdev = pdev; - spin_lock_init(&info->tegra_rtc_lock); -@@ -346,7 +356,7 @@ static int __init tegra_rtc_probe(struct - ret = PTR_ERR(info->rtc_dev); - dev_err(&pdev->dev, "Unable to register device (err=%d).\n", - ret); -- return ret; -+ goto disable_clk; - } - - ret = devm_request_irq(&pdev->dev, info->tegra_rtc_irq, -@@ -356,12 +366,25 @@ static int __init tegra_rtc_probe(struct - dev_err(&pdev->dev, - "Unable to request interrupt for device (err=%d).\n", - ret); -- return ret; -+ goto disable_clk; - } - - dev_notice(&pdev->dev, "Tegra internal Real Time Clock\n"); - - return 0; -+ -+disable_clk: -+ clk_disable_unprepare(info->clk); -+ return ret; -+} -+ -+static int tegra_rtc_remove(struct platform_device *pdev) -+{ -+ struct tegra_rtc_info *info = platform_get_drvdata(pdev); -+ -+ clk_disable_unprepare(info->clk); -+ -+ return 0; - } - - #ifdef CONFIG_PM_SLEEP -@@ -413,6 +436,7 @@ static void tegra_rtc_shutdown(struct pl - - MODULE_ALIAS("platform:tegra_rtc"); - static struct platform_driver tegra_rtc_driver = { -+ .remove = tegra_rtc_remove, - .shutdown = tegra_rtc_shutdown, - .driver = { - .name = "tegra_rtc", diff --git a/debian/patches/bugfix/m68k/revert-m68k-move-exports-to-definitions.patch b/debian/patches/bugfix/m68k/revert-m68k-move-exports-to-definitions.patch index 844375b3e..b0ed3f483 100644 --- a/debian/patches/bugfix/m68k/revert-m68k-move-exports-to-definitions.patch +++ b/debian/patches/bugfix/m68k/revert-m68k-move-exports-to-definitions.patch @@ -96,7 +96,7 @@ index 8dffd36ec4f2..37234c2df47f 100644 - #define BITS_PER_UNIT 8 - typedef int SItype __attribute__ ((mode (SI))); + typedef int SItype __mode(SI); @@ -58,4 +55,3 @@ __ashldi3 (DItype u, word_type b) return w.ll; @@ -115,7 +115,7 @@ index e6565a3ee2c3..1d59345f36c6 100644 - #define BITS_PER_UNIT 8 - typedef int SItype __attribute__ ((mode (SI))); + typedef int SItype __mode(SI); @@ -59,4 +56,3 @@ __ashrdi3 (DItype u, word_type b) return w.ll; @@ -152,7 +152,7 @@ index 039779737c7d..49e1ec8f2cc2 100644 - #define BITS_PER_UNIT 8 - typedef int SItype __attribute__ ((mode (SI))); + typedef int SItype __mode(SI); @@ -58,4 +55,3 @@ __lshrdi3 (DItype u, word_type b) return w.ll; diff --git a/debian/patches/bugfix/sparc/sparc-topology_64.h-fix-condition-for-including-cpudata.h.patch b/debian/patches/bugfix/sparc/sparc-topology_64.h-fix-condition-for-including-cpudata.h.patch deleted file mode 100644 index 040f1ed80..000000000 --- a/debian/patches/bugfix/sparc/sparc-topology_64.h-fix-condition-for-including-cpudata.h.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Ben Hutchings -Date: Wed, 01 Feb 2017 22:45:06 +0000 -Subject: sparc: topology_64.h: Fix condition for including cpudata.h - -We currently define macros referring to cpu_data if CONFIG_SMP is -defined, but only include the declaration if CONFIG_NUMA is defined. - -Fixes: 541cc39433a8 ("sparc: fix a building error reported by kbuild") -Signed-off-by: Ben Hutchings ---- ---- a/arch/sparc/include/asm/topology_64.h -+++ b/arch/sparc/include/asm/topology_64.h -@@ -4,7 +4,6 @@ - #ifdef CONFIG_NUMA - - #include --#include - - static inline int cpu_to_node(int cpu) - { -@@ -42,6 +41,9 @@ int __node_distance(int, int); - #endif /* !(CONFIG_NUMA) */ - - #ifdef CONFIG_SMP -+ -+#include -+ - #define topology_physical_package_id(cpu) (cpu_data(cpu).proc_id) - #define topology_core_id(cpu) (cpu_data(cpu).core_id) - #define topology_core_cpumask(cpu) (&cpu_core_sib_map[cpu]) diff --git a/debian/patches/bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch b/debian/patches/bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch deleted file mode 100644 index 17c54ad75..000000000 --- a/debian/patches/bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch +++ /dev/null @@ -1,107 +0,0 @@ -From: Andy Shevchenko -Date: Mon, 16 Jan 2017 15:12:26 +0200 -Subject: ASoC: Intel: select DW_DMAC_CORE since it's mandatory -Origin: https://git.kernel.org/linus/ebf79091bf85d9b2270ab29191de9cd3aaf888c5 -Bug-Debian: https://bugs.debian.org/851916 - -Select DW_DMAC_CORE like the rest of glue drivers do, e.g. -drivers/dma/dw/Kconfig. - -While here group selectors under SND_SOC_INTEL_HASWELL and -SND_SOC_INTEL_BAYTRAIL. - -Make platforms, which are using a common SST firmware driver, to be -dependent on DMADEVICES. - -Signed-off-by: Andy Shevchenko -Acked-by: Liam Girdwood -Signed-off-by: Mark Brown ---- - sound/soc/intel/Kconfig | 31 +++++++++++++------------------ - 1 file changed, 13 insertions(+), 18 deletions(-) - ---- a/sound/soc/intel/Kconfig -+++ b/sound/soc/intel/Kconfig -@@ -33,11 +33,9 @@ config SND_SOC_INTEL_SST - select SND_SOC_INTEL_SST_MATCH if ACPI - depends on (X86 || COMPILE_TEST) - --# firmware stuff depends DW_DMAC_CORE; since there is no depends-on from --# the reverse selection, each machine driver needs to select --# SND_SOC_INTEL_SST_FIRMWARE carefully depending on DW_DMAC_CORE - config SND_SOC_INTEL_SST_FIRMWARE - tristate -+ select DW_DMAC_CORE - - config SND_SOC_INTEL_SST_ACPI - tristate -@@ -47,16 +45,18 @@ config SND_SOC_INTEL_SST_MATCH - - config SND_SOC_INTEL_HASWELL - tristate -+ select SND_SOC_INTEL_SST - select SND_SOC_INTEL_SST_FIRMWARE - - config SND_SOC_INTEL_BAYTRAIL - tristate -+ select SND_SOC_INTEL_SST -+ select SND_SOC_INTEL_SST_FIRMWARE - - config SND_SOC_INTEL_HASWELL_MACH - tristate "ASoC Audio DSP support for Intel Haswell Lynxpoint" - depends on X86_INTEL_LPSS && I2C && I2C_DESIGNWARE_PLATFORM -- depends on DW_DMAC_CORE -- select SND_SOC_INTEL_SST -+ depends on DMADEVICES - select SND_SOC_INTEL_HASWELL - select SND_SOC_RT5640 - help -@@ -99,9 +99,8 @@ config SND_SOC_INTEL_BXT_RT298_MACH - config SND_SOC_INTEL_BYT_RT5640_MACH - tristate "ASoC Audio driver for Intel Baytrail with RT5640 codec" - depends on X86_INTEL_LPSS && I2C -- depends on DW_DMAC_CORE && (SND_SST_IPC_ACPI = n) -- select SND_SOC_INTEL_SST -- select SND_SOC_INTEL_SST_FIRMWARE -+ depends on DMADEVICES -+ depends on SND_SST_IPC_ACPI = n - select SND_SOC_INTEL_BAYTRAIL - select SND_SOC_RT5640 - help -@@ -112,9 +111,8 @@ config SND_SOC_INTEL_BYT_RT5640_MACH - config SND_SOC_INTEL_BYT_MAX98090_MACH - tristate "ASoC Audio driver for Intel Baytrail with MAX98090 codec" - depends on X86_INTEL_LPSS && I2C -- depends on DW_DMAC_CORE && (SND_SST_IPC_ACPI = n) -- select SND_SOC_INTEL_SST -- select SND_SOC_INTEL_SST_FIRMWARE -+ depends on DMADEVICES -+ depends on SND_SST_IPC_ACPI = n - select SND_SOC_INTEL_BAYTRAIL - select SND_SOC_MAX98090 - help -@@ -123,9 +121,8 @@ config SND_SOC_INTEL_BYT_MAX98090_MACH - - config SND_SOC_INTEL_BDW_RT5677_MACH - tristate "ASoC Audio driver for Intel Broadwell with RT5677 codec" -- depends on X86_INTEL_LPSS && GPIOLIB && I2C && DW_DMAC -- depends on DW_DMAC_CORE=y -- select SND_SOC_INTEL_SST -+ depends on X86_INTEL_LPSS && GPIOLIB && I2C -+ depends on DMADEVICES - select SND_SOC_INTEL_HASWELL - select SND_SOC_RT5677 - help -@@ -134,10 +131,8 @@ config SND_SOC_INTEL_BDW_RT5677_MACH - - config SND_SOC_INTEL_BROADWELL_MACH - tristate "ASoC Audio DSP support for Intel Broadwell Wildcatpoint" -- depends on X86_INTEL_LPSS && I2C && DW_DMAC && \ -- I2C_DESIGNWARE_PLATFORM -- depends on DW_DMAC_CORE -- select SND_SOC_INTEL_SST -+ depends on X86_INTEL_LPSS && I2C && I2C_DESIGNWARE_PLATFORM -+ depends on DMADEVICES - select SND_SOC_INTEL_HASWELL - select SND_SOC_RT286 - help diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch deleted file mode 100644 index 85146707b..000000000 --- a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch +++ /dev/null @@ -1,33 +0,0 @@ -Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() -From: Li Qiang -Date: Tue, 28 Mar 2017 03:10:53 +0000 -Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294 - -In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the -'req->mip_levels' array. This array can be assigned any value from -the user space. As both the 'num_sizes' and the array is uint32_t, -it is easy to make 'num_sizes' overflow. The later 'mip_levels' is -used as the loop count. This can lead an oob write. Add the check of -'req->mip_levels' to avoid this. - -Signed-off-by: Li Qiang ---- - drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_ - 128; - - num_sizes = 0; -- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) -+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) { -+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) -+ return -EINVAL; - num_sizes += req->mip_levels[i]; -+ } - - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || - num_sizes == 0) diff --git a/debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch b/debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch deleted file mode 100644 index f83a5234d..000000000 --- a/debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 24 Jan 2017 11:56:21 +0100 -Subject: kvm: fix page struct leak in handle_vmon -Origin: https://git.kernel.org/linus/06ce521af9558814b8606c0476c54497cf83a653 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2596 - -handle_vmon gets a reference on VMXON region page, -but does not release it. Release the reference. - -Found by syzkaller; based on a patch by Dmitry. - -Reported-by: Dmitry Vyukov -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/vmx.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct - } - - page = nested_get_page(vcpu, vmptr); -- if (page == NULL || -- *(u32 *)kmap(page) != VMCS12_REVISION) { -+ if (page == NULL) { - nested_vmx_failInvalid(vcpu); -+ return kvm_skip_emulated_instruction(vcpu); -+ } -+ if (*(u32 *)kmap(page) != VMCS12_REVISION) { - kunmap(page); -+ nested_release_page_clean(page); -+ nested_vmx_failInvalid(vcpu); - return kvm_skip_emulated_instruction(vcpu); - } - kunmap(page); -+ nested_release_page_clean(page); - vmx->nested.vmxon_ptr = vmptr; - break; - case EXIT_REASON_VMCLEAR: diff --git a/debian/patches/bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch b/debian/patches/bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch deleted file mode 100644 index 4c7805c5d..000000000 --- a/debian/patches/bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch +++ /dev/null @@ -1,79 +0,0 @@ -From: "Lee, Chun-Yi" -Date: Thu, 3 Nov 2016 08:18:52 +0800 -Subject: platform/x86: acer-wmi: setup accelerometer when machine has - appropriate notify event -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/98d610c3739ac354319a6590b915f4624d9151e6 -Bug-Debian: https://bugs.debian.org/853067 - -The accelerometer event relies on the ACERWMID_EVENT_GUID notify. -So, this patch changes the codes to setup accelerometer input device -when detected ACERWMID_EVENT_GUID. It avoids that the accel input -device created on every Acer machines. - -In addition, patch adds a clearly parsing logic of accelerometer hid -to acer_wmi_get_handle_cb callback function. It is positive matching -the "SENR" name with "BST0001" device to avoid non-supported hardware. - -Reported-by: Bjørn Mork -Cc: Darren Hart -Signed-off-by: Lee, Chun-Yi -[andy: slightly massage commit message] -Signed-off-by: Andy Shevchenko ---- - drivers/platform/x86/acer-wmi.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - ---- a/drivers/platform/x86/acer-wmi.c -+++ b/drivers/platform/x86/acer-wmi.c -@@ -1808,11 +1808,24 @@ static int __init acer_wmi_enable_lm(voi - return status; - } - -+#define ACER_WMID_ACCEL_HID "BST0001" -+ - static acpi_status __init acer_wmi_get_handle_cb(acpi_handle ah, u32 level, - void *ctx, void **retval) - { -+ struct acpi_device *dev; -+ -+ if (!strcmp(ctx, "SENR")) { -+ if (acpi_bus_get_device(ah, &dev)) -+ return AE_OK; -+ if (!strcmp(ACER_WMID_ACCEL_HID, acpi_device_hid(dev))) -+ return AE_OK; -+ } else -+ return AE_OK; -+ - *(acpi_handle *)retval = ah; -- return AE_OK; -+ -+ return AE_CTRL_TERMINATE; - } - - static int __init acer_wmi_get_handle(const char *name, const char *prop, -@@ -1839,7 +1852,7 @@ static int __init acer_wmi_accel_setup(v - { - int err; - -- err = acer_wmi_get_handle("SENR", "BST0001", &gsensor_handle); -+ err = acer_wmi_get_handle("SENR", ACER_WMID_ACCEL_HID, &gsensor_handle); - if (err) - return err; - -@@ -2177,10 +2190,11 @@ static int __init acer_wmi_init(void) - err = acer_wmi_input_setup(); - if (err) - return err; -+ err = acer_wmi_accel_setup(); -+ if (err) -+ return err; - } - -- acer_wmi_accel_setup(); -- - err = platform_driver_register(&acer_platform_driver); - if (err) { - pr_err("Unable to register platform driver\n"); diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch deleted file mode 100644 index b4dac5cc1..000000000 --- a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Murray McAllister -Date: Fri, 24 Mar 2017 20:33:00 -0700 -Subject: vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() -Origin: https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261 - -Before memory allocations vmw_surface_define_ioctl() checks the -upper-bounds of a user-supplied size, but does not check if the -supplied size is 0. - -Add check to avoid NULL pointer dereferences. - -Signed-off-by: Murray McAllister -Reviewed-by: Sinclair Yeh -[bwh: Fix filename] ---- ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_ - for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) - num_sizes += req->mip_levels[i]; - -- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * -- DRM_VMW_MAX_MIP_LEVELS) -+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || -+ num_sizes == 0) - return -EINVAL; - - size = vmw_user_surface_size + 128 + diff --git a/debian/patches/bugfix/x86/x86-xen-fix-apic-id-mismatch-warning-on-intel.patch b/debian/patches/bugfix/x86/x86-xen-fix-apic-id-mismatch-warning-on-intel.patch deleted file mode 100644 index 93830d110..000000000 --- a/debian/patches/bugfix/x86/x86-xen-fix-apic-id-mismatch-warning-on-intel.patch +++ /dev/null @@ -1,57 +0,0 @@ -From: Mohit Gambhir -Date: Thu, 26 Jan 2017 13:12:27 -0500 -Subject: x86/xen: Fix APIC id mismatch warning on Intel -Origin: https://git.kernel.org/linus/cc272163ea554a97dac180fa8dd6cd54c2810bd1 -Bug-Debian: https://bugs.debian.org/853193 - -This patch fixes the following warning message seen when booting the -kernel as Dom0 with Xen on Intel machines. - -[0.003000] [Firmware Bug]: CPU1: APIC id mismatch. Firmware: 0 APIC: 1] - -The code generating the warning in validate_apic_and_package_id() matches -cpu_data(cpu).apicid (initialized in init_intel()-> -detect_extended_topology() using cpuid) against the apicid returned from -xen_apic_read(). Now, xen_apic_read() makes a hypercall to retrieve apicid -for the boot cpu but returns 0 otherwise. Hence the warning gets thrown -for all but the boot cpu. - -The idea behind xen_apic_read() returning 0 for apicid is that the -guests (even Dom0) should not need to know what physical processor their -vcpus are running on. This is because we currently do not have topology -information in Xen and also because xen allows more vcpus than physical -processors. However, boot cpu's apicid is required for loading -xen-acpi-processor driver on AMD machines. Look at following patch for -details: - -commit 558daa289a40 ("xen/apic: Return the APIC ID (and version) for CPU -0.") - -So to get rid of the warning, this patch modifies -xen_cpu_present_to_apicid() to return cpu_data(cpu).apicid instead of -calling xen_apic_read(). - -The warning is not seen on AMD machines because init_amd() populates -cpu_data(cpu).apicid by calling hard_smp_processor_id()->xen_apic_read() -as opposed to using apicid from cpuid as is done on Intel machines. - -Signed-off-by: Mohit Gambhir -Reviewed-by: Juergen Gross -Signed-off-by: Boris Ostrovsky ---- - arch/x86/xen/apic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/xen/apic.c b/arch/x86/xen/apic.c -index 44c88ad1841a..bcea81f36fc5 100644 ---- a/arch/x86/xen/apic.c -+++ b/arch/x86/xen/apic.c -@@ -145,7 +145,7 @@ static void xen_silent_inquire(int apicid) - static int xen_cpu_present_to_apicid(int cpu) - { - if (cpu_present(cpu)) -- return xen_get_apic_id(xen_apic_read(APIC_ID)); -+ return cpu_data(cpu).apicid; - else - return BAD_APICID; - } diff --git a/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch index e6225da79..6cb31f913 100644 --- a/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch +++ b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch @@ -19,8 +19,8 @@ other W+X cases. So add a condition to the WARN_ON. #include +#include + #include #include - @@ -220,7 +221,7 @@ static void note_page(struct seq_file *m pgprotval_t pr = pgprot_val(st->current_prot); diff --git a/debian/patches/debian/fjes-disable-autoload.patch b/debian/patches/debian/fjes-disable-autoload.patch index 0461fadb0..be845023b 100644 --- a/debian/patches/debian/fjes-disable-autoload.patch +++ b/debian/patches/debian/fjes-disable-autoload.patch @@ -13,7 +13,7 @@ auto-loading. --- a/drivers/net/fjes/fjes_main.c +++ b/drivers/net/fjes/fjes_main.c @@ -81,7 +81,7 @@ static const struct acpi_device_id fjes_ - {"PNP0C02", 0}, + {ACPI_MOTHERBOARD_RESOURCE_HID, 0}, {"", 0}, }; -MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch index f59d00b7d..d2bdec0b1 100644 --- a/debian/patches/debian/kernelvariables.patch +++ b/debian/patches/debian/kernelvariables.patch @@ -58,7 +58,7 @@ use of $(ARCH) needs to be moved after this. export KCONFIG_CONFIG @@ -373,6 +337,44 @@ LDFLAGS_vmlinux = - CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized + CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,) CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,) +-include $(obj)/.kernelvariables diff --git a/debian/patches/debian/sched-autogroup-disabled.patch b/debian/patches/debian/sched-autogroup-disabled.patch index f95389d84..cc75a05c1 100644 --- a/debian/patches/debian/sched-autogroup-disabled.patch +++ b/debian/patches/debian/sched-autogroup-disabled.patch @@ -6,8 +6,8 @@ Forwarded: not-needed We want to provide the option of autogrouping but without enabling it by default yet. ---- a/kernel/sched/auto_group.c -+++ b/kernel/sched/auto_group.c +--- a/kernel/sched/autogroup.c ++++ b/kernel/sched/autogroup.c @@ -9,7 +9,7 @@ #include #include diff --git a/debian/patches/debian/time-mark-timer_stats-as-broken.patch b/debian/patches/debian/time-mark-timer_stats-as-broken.patch deleted file mode 100644 index 4c35d732a..000000000 --- a/debian/patches/debian/time-mark-timer_stats-as-broken.patch +++ /dev/null @@ -1,21 +0,0 @@ -From: Ben Hutchings -Date: Sun, 26 Feb 2017 21:01:50 +0000 -Subject: time: Mark TIMER_STATS as broken -Forwarded: not-needed -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5967 - -This is a substitute for upstream commit dfb4357da6dd "time: Remove -CONFIG_TIMER_STATS", which avoids the need to resolve conflicts with -the PREEMPT_RT patch series. - ---- ---- a/lib/Kconfig.debug -+++ b/lib/Kconfig.debug -@@ -964,6 +964,7 @@ config DEBUG_TIMEKEEPING - config TIMER_STATS - bool "Collect kernel timers statistics" - depends on DEBUG_KERNEL && PROC_FS -+ depends on BROKEN - help - If you say Y here, additional code will be inserted into the - timer routines to collect statistics about kernel timers being diff --git a/debian/patches/debian/tools-perf-version.patch b/debian/patches/debian/tools-perf-version.patch index aa5abc8be..cb4bad671 100644 --- a/debian/patches/debian/tools-perf-version.patch +++ b/debian/patches/debian/tools-perf-version.patch @@ -9,7 +9,7 @@ version-dependent name. And do the same for trace.] --- a/tools/perf/Makefile.perf +++ b/tools/perf/Makefile.perf -@@ -649,22 +649,22 @@ endif +@@ -649,23 +649,23 @@ endif install-tools: all install-gtk $(call QUIET_INSTALL, binaries) \ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(bindir_SQ)'; \ @@ -31,6 +31,7 @@ version-dependent name. And do the same for trace.] endif ifndef NO_JVMTI $(call QUIET_INSTALL, $(LIBJVMTI)) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \ $(INSTALL) $(OUTPUT)$(LIBJVMTI) '$(DESTDIR_SQ)$(libdir_SQ)'; endif - $(call QUIET_INSTALL, libexec) \ @@ -84,9 +85,9 @@ version-dependent name. And do the same for trace.] --- a/tools/perf/util/Build +++ b/tools/perf/util/Build @@ -162,6 +162,7 @@ CFLAGS_rbtree.o += -Wno-unused-pa - CFLAGS_libstring.o += -Wno-unused-parameter -DETC_PERFCONFIG="BUILD_STR($(ETC_PERFCONFIG_SQ))" CFLAGS_hweight.o += -Wno-unused-parameter -DETC_PERFCONFIG="BUILD_STR($(ETC_PERFCONFIG_SQ))" CFLAGS_parse-events.o += -Wno-redundant-decls + CFLAGS_header.o += -include $(OUTPUT)PERF-VERSION-FILE +CFLAGS_vdso.o += -DPERFEXECDIR='"$(perfexec_instdir_SQ)"' $(OUTPUT)util/kallsyms.o: ../lib/symbol/kallsyms.c FORCE diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch index ed327b283..46bd7527a 100644 --- a/debian/patches/debian/version.patch +++ b/debian/patches/debian/version.patch @@ -48,8 +48,8 @@ are set. --- a/arch/x86/um/sysrq_64.c +++ b/arch/x86/um/sysrq_64.c @@ -8,6 +8,7 @@ - #include #include + #include #include +#include #include @@ -114,9 +114,9 @@ are set. --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -45,6 +45,7 @@ - #include - #include - #include + #include + #include + #include +#include #include diff --git a/debian/patches/debian/yama-disable-by-default.patch b/debian/patches/debian/yama-disable-by-default.patch index bbf8f21a5..270d90344 100644 --- a/debian/patches/debian/yama-disable-by-default.patch +++ b/debian/patches/debian/yama-disable-by-default.patch @@ -21,6 +21,6 @@ Forwarded: not-needed { - pr_info("Yama: becoming mindful.\n"); + pr_info("Yama: disabled by default; enable with sysctl kernel.yama.*\n"); - security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks)); + security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); yama_init_sysctl(); } diff --git a/debian/patches/features/all/aufs4/aufs4-mmap.patch b/debian/patches/features/all/aufs4/aufs4-mmap.patch index 394dfac9e..0e27b79eb 100644 --- a/debian/patches/features/all/aufs4/aufs4-mmap.patch +++ b/debian/patches/features/all/aufs4/aufs4-mmap.patch @@ -150,7 +150,7 @@ index 295bd7a..14fa1c8 100644 +++ b/mm/Makefile @@ -37,7 +37,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ mm_init.o mmu_context.o percpu.o slab_common.o \ - compaction.o vmacache.o \ + compaction.o vmacache.o swap_slots.o \ interval_tree.o list_lru.o workingset.o \ - debug.o $(mmu-y) + prfile.o debug.o $(mmu-y) @@ -165,8 +165,8 @@ index b772a33..1c11f45 100644 int ret = VM_FAULT_LOCKED; sb_start_pagefault(inode->i_sb); -- file_update_time(vma->vm_file); -+ vma_file_update_time(vma); +- file_update_time(vmf->vma->vm_file); ++ vma_file_update_time(vmf->vma); lock_page(page); if (page->mapping != inode->i_mapping) { unlock_page(page); @@ -238,7 +238,7 @@ index dc4291d..4b3a2aa 100644 + file = vma->vm_file; + prfile = vma->vm_prfile; ret = do_mmap_pgoff(vma->vm_file, start, size, - prot, flags, pgoff, &populate); + prot, flags, pgoff, &populate, NULL); + if (!IS_ERR_VALUE(ret) && file && prfile) { + struct vm_area_struct *new_vma; + diff --git a/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch b/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch index 0491b2f65..fc914bd15 100644 --- a/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch +++ b/debian/patches/features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch @@ -24,11 +24,11 @@ Signed-off-by: Linn Crosetto --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1153,6 +1153,12 @@ void __init setup_arch(char **cmdline_p) - /* Allocate bigger log buffer */ - setup_log_buf(1); + } + } +#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL -+ if (boot_params.secure_boot) { ++ if (boot_params.secure_boot == efi_secureboot_mode_enabled) { + set_securelevel(1); + } +#endif @@ -41,7 +41,7 @@ Signed-off-by: Linn Crosetto io_delay_init(); -#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL -- if (boot_params.secure_boot) { +- if (boot_params.secure_boot == efi_secureboot_mode_enabled) { - set_securelevel(1); - } -#endif diff --git a/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch b/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch index c76d6edf1..2f3518073 100644 --- a/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch +++ b/debian/patches/features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch @@ -12,24 +12,10 @@ when enabled. Signed-off-by: Matthew Garrett --- - Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 13 +++++++++++++ - arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ - arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 7 +++++++ 5 files changed, 60 insertions(+), 1 deletion(-) ---- a/Documentation/x86/zero-page.txt -+++ b/Documentation/x86/zero-page.txt -@@ -31,6 +31,8 @@ Offset Proto Name Meaning - 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) - 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer - (below) -+1EB/001 ALL kbd_status Numlock is enabled -+1EC/001 ALL secure_boot Secure boot is enabled in the firmware - 1EF/001 ALL sentinel Used to detect broken bootloaders - 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures - 2D0/A00 ALL e820_map E820 memory map table --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1754,6 +1754,19 @@ config EFI_MIXED @@ -62,67 +48,15 @@ Signed-off-by: Matthew Garrett #include "../string.h" #include "eboot.h" -@@ -1050,6 +1051,37 @@ void setup_graphics(struct boot_params * - } - } - -+static int get_secure_boot(void) -+{ -+ u8 sb, setup; -+ unsigned long datasize = sizeof(sb); -+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; -+ efi_status_t status; -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SecureBoot", &var_guid, NULL, &datasize, &sb); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (sb == 0) -+ return 0; -+ -+ -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"SetupMode", &var_guid, NULL, &datasize, -+ &setup); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (setup == 1) -+ return 0; -+ -+ return 1; -+} -+ -+ - /* - * Because the x86 boot code expects to be passed a boot_params we - * need to create one ourselves (usually the bootloader would create -@@ -1432,6 +1464,10 @@ struct boot_params *efi_main(struct efi_ +@@ -1432,6 +1464,8 @@ struct boot_params *efi_main(struct efi_ else setup_boot_services32(efi_early); + sanitize_boot_params(boot_params); + -+ boot_params->secure_boot = get_secure_boot(); -+ - setup_graphics(boot_params); - - setup_efi_pci(boot_params); ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -134,7 +134,8 @@ struct boot_params { - __u8 eddbuf_entries; /* 0x1e9 */ - __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ - __u8 kbd_status; /* 0x1eb */ -- __u8 _pad5[3]; /* 0x1ec */ -+ __u8 secure_boot; /* 0x1ec */ -+ __u8 _pad5[2]; /* 0x1ed */ /* - * The sentinel is set to a nonzero value (0xff) in header.S. - * + * If the boot loader gave us a value for secure_boot then we use that, + * otherwise we ask the BIOS. --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -50,6 +50,7 @@ @@ -138,7 +72,7 @@ Signed-off-by: Matthew Garrett io_delay_init(); +#ifdef CONFIG_EFI_SECURE_BOOT_SECURELEVEL -+ if (boot_params.secure_boot) { ++ if (boot_params.secure_boot == efi_secureboot_mode_enabled) { + set_securelevel(1); + } +#endif diff --git a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch b/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch index d583775f2..4e7931559 100644 --- a/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch +++ b/debian/patches/features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch @@ -82,25 +82,6 @@ v2: }; static __initdata struct params xen_fdt_params[] = { ---- a/drivers/firmware/efi/libstub/arm-stub.c -+++ b/drivers/firmware/efi/libstub/arm-stub.c -@@ -20,7 +20,7 @@ - - bool __nokaslr; - --static int efi_get_secureboot(efi_system_table_t *sys_table_arg) -+int efi_get_secureboot(efi_system_table_t *sys_table_arg) - { - static efi_char16_t const sb_var_name[] = { - 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 }; ---- a/drivers/firmware/efi/libstub/efistub.h -+++ b/drivers/firmware/efi/libstub/efistub.h -@@ -65,4 +65,5 @@ efi_status_t check_platform_features(efi - - efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg); - -+int efi_get_secureboot(efi_system_table_t *sys_table_arg); - #endif --- a/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c @@ -134,6 +134,13 @@ static efi_status_t update_fdt(efi_syste diff --git a/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch b/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch deleted file mode 100644 index 59fd4226b..000000000 --- a/debian/patches/features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Linn Crosetto -Date: Mon, 22 Feb 2016 12:54:37 -0700 -Subject: arm64/efi: Disable secure boot if shim is in insecure mode - -Port to arm64 a patch originally written by Josh Boyer for the x86 EFI -stub. - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. - -Signed-off-by: Linn Crosetto -Cc: Josh Boyer ---- - drivers/firmware/efi/libstub/arm-stub.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - ---- a/drivers/firmware/efi/libstub/arm-stub.c -+++ b/drivers/firmware/efi/libstub/arm-stub.c -@@ -26,11 +26,14 @@ static int efi_get_secureboot(efi_system - 'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 }; - static efi_char16_t const sm_var_name[] = { - 'S', 'e', 't', 'u', 'p', 'M', 'o', 'd', 'e', 0 }; -+ static efi_char16_t const mk_var_name[] = { -+ 'M', 'o', 'k', 'S', 'B', 'S', 't', 'a', 't', 'e', 0 }; - - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable; - u8 val; - unsigned long size = sizeof(val); -+ u32 attr; - efi_status_t status; - - status = f_getvar((efi_char16_t *)sb_var_name, (efi_guid_t *)&var_guid, -@@ -51,6 +54,22 @@ static int efi_get_secureboot(efi_system - if (val == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = f_getvar((efi_char16_t *)mk_var_name, (efi_guid_t *)&var_guid, -+ &attr, &size, &val); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (val == 1) -+ return 0; -+ } -+ - return 1; - - out_efi_err: diff --git a/debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch b/debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch deleted file mode 100644 index 98cd43c6d..000000000 --- a/debian/patches/features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ /dev/null @@ -1,66 +0,0 @@ -From: Josh Boyer -Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [13/18] efi: Disable secure boot if shim is in insecure mode -Origin: https://github.com/mjg59/linux/commit/f444a5ecb0ab09d6cf661b4520dd8e6fffacb8be - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. - -Signed-off-by: Josh Boyer ---- - arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- - include/linux/efi.h | 3 +++ - 2 files changed, 22 insertions(+), 1 deletion(-) - ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -1053,8 +1053,9 @@ void setup_graphics(struct boot_params * - - static int get_secure_boot(void) - { -- u8 sb, setup; -+ u8 sb, setup, moksbstate; - unsigned long datasize = sizeof(sb); -+ u32 attr; - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_status_t status; - -@@ -1078,6 +1079,23 @@ static int get_secure_boot(void) - if (setup == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"MokSBState", &var_guid, &attr, &datasize, -+ &moksbstate); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (moksbstate == 1) -+ return 0; -+ } -+ - return 1; - } - ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -629,6 +629,9 @@ typedef struct { - #define EFI_1_10_SYSTEM_TABLE_REVISION ((1 << 16) | (10)) - #define EFI_1_02_SYSTEM_TABLE_REVISION ((1 << 16) | (02)) - -+#define EFI_SHIM_LOCK_GUID \ -+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) -+ - typedef struct { - efi_table_hdr_t hdr; - u64 fw_vendor; /* physical addr of CHAR16 vendor string */ diff --git a/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch b/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch index 14d5a3bda..26580e012 100644 --- a/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch +++ b/debian/patches/features/all/securelevel/enable-cold-boot-attack-mitigation.patch @@ -31,9 +31,9 @@ index 28c24d80d0a0..b0413ba639af 100644 + EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), val); +} + - static int get_secure_boot(void) - { - u8 sb, setup, moksbstate; + /* + * Because the x86 boot code expects to be passed a boot_params we + * need to create one ourselves (usually the bootloader would create @@ -1482,6 +1498,12 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -46,4 +46,4 @@ index 28c24d80d0a0..b0413ba639af 100644 + sanitize_boot_params(boot_params); - boot_params->secure_boot = get_secure_boot(); + /* diff --git a/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch b/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch index 8201450f2..d47ce64a9 100644 --- a/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch +++ b/debian/patches/features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch @@ -22,8 +22,8 @@ Signed-off-by: Matthew Garrett #include +#include #include + #include - /* @@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) diff --git a/debian/patches/features/arm/arm-dts-turris-omnia-add-support-for-ethernet-switch.patch b/debian/patches/features/arm/arm-dts-turris-omnia-add-support-for-ethernet-switch.patch deleted file mode 100644 index 80b7a7ad3..000000000 --- a/debian/patches/features/arm/arm-dts-turris-omnia-add-support-for-ethernet-switch.patch +++ /dev/null @@ -1,102 +0,0 @@ -From: Uwe Kleine-König -Date: Tue, 3 Jan 2017 20:35:01 +0100 -Subject: [PATCH] ARM: dts: turris-omnia: add support for ethernet switch -Origin: https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=7b7db5ab33d2292d9b037cda0c41a795b094d940 - -The Turris Omnia features a Marvell MV88E6176 ethernet switch. Add it to -the dts. - -Signed-off-by: Uwe Kleine-König -Reviewed-by: Andrew Lunn -Tested-by: Andreas Färber -Signed-off-by: Gregory CLEMENT ---- - arch/arm/boot/dts/armada-385-turris-omnia.dts | 58 +++++++++++++++++++++++++-- - 1 file changed, 55 insertions(+), 3 deletions(-) - -diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts -index ab49acb2d452..28eede180e4f 100644 ---- a/arch/arm/boot/dts/armada-385-turris-omnia.dts -+++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts -@@ -122,7 +122,7 @@ - pinctrl-names = "default"; - pinctrl-0 = <&ge0_rgmii_pins>; - status = "okay"; -- phy-mode = "rgmii-id"; -+ phy-mode = "rgmii"; - - fixed-link { - speed = <1000>; -@@ -135,7 +135,7 @@ - pinctrl-names = "default"; - pinctrl-0 = <&ge1_rgmii_pins>; - status = "okay"; -- phy-mode = "rgmii-id"; -+ phy-mode = "rgmii"; - - fixed-link { - speed = <1000>; -@@ -273,7 +273,59 @@ - /* irq is connected to &pcawan pin 7 */ - }; - -- /* Switch MV88E7176 at address 0x10 */ -+ /* Switch MV88E6176 at address 0x10 */ -+ switch@10 { -+ compatible = "marvell,mv88e6085"; -+ #address-cells = <1>; -+ #size-cells = <0>; -+ dsa,member = <0 0>; -+ -+ reg = <0x10>; -+ -+ ports { -+ #address-cells = <1>; -+ #size-cells = <0>; -+ -+ ports@0 { -+ reg = <0>; -+ label = "lan0"; -+ }; -+ -+ ports@1 { -+ reg = <1>; -+ label = "lan1"; -+ }; -+ -+ ports@2 { -+ reg = <2>; -+ label = "lan2"; -+ }; -+ -+ ports@3 { -+ reg = <3>; -+ label = "lan3"; -+ }; -+ -+ ports@4 { -+ reg = <4>; -+ label = "lan4"; -+ }; -+ -+ ports@5 { -+ reg = <5>; -+ label = "cpu"; -+ ethernet = <ð1>; -+ phy-mode = "rgmii-id"; -+ -+ fixed-link { -+ speed = <1000>; -+ full-duplex; -+ }; -+ }; -+ -+ /* port 6 is connected to eth0 */ -+ }; -+ }; - }; - - &pinctrl { --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index d2e16f5db..212f52f4a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -51,12 +51,7 @@ debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch # Arch bug fixes -bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch -bugfix/sparc/sparc-topology_64.h-fix-condition-for-including-cpudata.h.patch -bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch -bugfix/x86/x86-xen-fix-apic-id-mismatch-warning-on-intel.patch bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch -bugfix/arm64/rtc-tegra-implement-clock-handling.patch # Arch features features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch @@ -64,7 +59,6 @@ features/mips/MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch features/mips/MIPS-octeon-Add-support-for-the-UBNT-E200-board.patch features/x86/x86-memtest-WARN-if-bad-RAM-found.patch features/x86/x86-make-x32-syscall-support-conditional.patch -features/arm/arm-dts-turris-omnia-add-support-for-ethernet-switch.patch # Miscellaneous bug fixes bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch @@ -74,7 +68,6 @@ bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/media-dvb-usb-dibusb-mc-common-add-module_license.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch -bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch # Miscellaneous features @@ -91,7 +84,6 @@ features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch -features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch @@ -99,21 +91,10 @@ features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.pa features/all/securelevel/enable-cold-boot-attack-mitigation.patch features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch # same for arm64 -features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch -debian/time-mark-timer_stats-as-broken.patch -bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch -bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch -bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch -bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch -bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch -bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch -bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch -bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch