Update to 4.9.14

Drop a patch applied upstream.

Ignore ABI changes as they shouldn't affect OOT modules.

debian/changelog

@@ -1,5 +1,141 @@
-linux (4.9.13-2) UNRELEASED; urgency=medium
+linux (4.9.14-1) UNRELEASED; urgency=medium
 
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.14
+    - [mips*] Fix special case in 64 bit IP checksumming.
+    - [mips*/octeon] Fix copy_from_user fault handling for large buffers
+    - mmc: sdhci-acpi: support deferred probe
+    - uvcvideo: Fix a wrong macro
+    - media: fix dm1105.c build error
+    - lirc_dev: LIRC_{G,S}ET_REC_MODE do not work
+    - media: Properly pass through media entity types in entity enumeration
+    - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
+    - [x86] ALSA: hda/realtek - Cannot adjust speaker's volume on a Dell AIO
+    - [x86] ALSA: hda - fix Lewisburg audio issue
+    - ALSA: timer: Reject user params with too small ticks
+    - ALSA: ctxfi: Fallback DMA mask to 32bit
+    - ALSA: seq: Fix link corruption by event error handling
+    - [x86] ALSA: hda - Add subwoofer support for Dell Inspiron 17 7000 Gaming
+    - [x86] ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine
+    - hwmon: (it87) Do not overwrite bit 2..6 of pwm control registers
+    - hwmon: (it87) Ensure that pwm control cache is current before updating
+      values
+    - [x86] staging/lustre/lnet: Fix allocation size for sv_cpt_data
+    - staging: rtl: fix possible NULL pointer dereference
+    - regulator: Fix regulator_summary for deviceless consumers
+    - tpm_tis: fix the error handling of init_tis()
+    - [x86] iommu/vt-d: Fix some macros that are incorrectly specified in
+      intel-iommu
+    - [x86] iommu/vt-d: Tylersburg isoch identity map check is done too late.
+    - CIFS: Fix splice read for non-cached files
+    - [x86] mm, devm_memremap_pages: hold device_hotplug lock over
+      mem_hotplug_{begin, done}
+    - mm/page_alloc: fix nodes for reclaim in fast path
+    - mm: vmpressure: fix sending wrong events on underflow
+    - mm: do not access page->mapping directly on page_endio
+    - mm balloon: umount balloon_mnt when removing vb device
+    - mm, vmscan: cleanup lru size claculations
+    - mm, vmscan: consider eligible zones in get_scan_count
+    - sigaltstack: support SS_AUTODISARM for CONFIG_COMPAT
+    - PM / devfreq: Fix available_governor sysfs
+    - PM / devfreq: Fix wrong trans_stat of passive devfreq device
+    - dm cache: fix corruption seen when using cache > 2TB
+    - dm stats: fix a leaked s->histogram_boundaries array
+    - dm round robin: revert "use percpu 'repeat_count' and 'current_path'"
+    - dm raid: fix data corruption on reshape request
+    - [x86] scsi: storvsc: use tagged SRB requests if supported by the device
+    - [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is
+      present
+    - [x86] scsi: storvsc: properly set residual data length on errors
+    - scsi: aacraid: Reorder Adapter status check
+    - scsi: use 'scsi_device_from_queue()' for scsi_dh
+    - Fix: Disable sys_membarrier when nohz_full is enabled
+    - jbd2: don't leak modified metadata buffers on an aborted journal
+    - block/loop: fix race between I/O and set_status
+    - loop: fix LO_FLAGS_PARTSCAN hang
+    - ext4: Include forgotten start block on fallocate insert range
+    - ext4: do not polute the extents cache while shifting extents
+    - ext4: trim allocation requests to group size
+    - ext4: fix data corruption in data=journal mode
+    - ext4: fix use-after-iput when fscrypt contexts are inconsistent
+    - ext4: fix inline data error paths
+    - ext4: preserve the needs_recovery flag when the journal is aborted
+    - ext4: return EROFS if device is r/o and journal replay is needed
+    - mei: remove support for broken parallel read
+    - ath10k: fix boot failure in UTF mode/testmode
+    - ath5k: drop bogus warning on drv_set_key with unsupported cipher
+    - ath9k: fix race condition in enabling/disabling IRQs
+    - ath9k: use correct OTP register offsets for the AR9340 and AR9550
+    - [x86] PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
+    - [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
+    - perf callchain: Reference count maps
+    - crypto: testmgr - Pad aes_ccm_enc_tv_template vector
+    - fuse: add missing FR_FORCE
+    - [x86] pkeys: Check against max pkey to avoid overflows
+    - [armhf,arm64] KVM: Enforce unconditional flush to PoC when mapping to
+      stage-2
+    - [arm64] dma-mapping: Fix dma_mapping_error() when bypassing SWIOTLB
+    - [arm64] fix erroneous __raw_read_system_reg() cases
+    - [armhf,arm64] KVM: vgic: Stop injecting the MSI occurrence twice
+    - can: gs_usb: Don't use stack memory for USB transfers
+    - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
+    - w1: don't leak refcount on slave attach failure in
+      w1_attach_slave_device()
+    - w1: ds2490: USB transfer buffers need to be DMAable
+    - usb: dwc3: gadget: skip Set/Clear Halt when invalid
+    - usb: host: xhci: plat: check hcc_params after add hcd
+    - usb: gadget: udc-core: Rescan pending list on driver unbind
+    - usb: gadget: f_hid: fix: Free out requests
+    - usb: gadget: f_hid: fix: Prevent accessing released memory
+    - usb: gadget: f_hid: Use spinlock instead of mutex
+    - [x86] hv: allocate synic pages for all present CPUs
+    - [x86] hv: init percpu_list in hv_synic_alloc()
+    - [x86] hv: don't reset hv_context.tsc_page on crash
+    - [x86] Drivers: hv: vmbus: Prevent sending data on a rescinded channel
+    - [x86] Drivers: hv: vmbus: Fix a rescind handling bug
+    - [x86] Drivers: hv: util: kvp: Fix a rescind processing issue
+    - [x86] Drivers: hv: util: Fcopy: Fix a rescind processing issue
+    - [x86] Drivers: hv: util: Backup: Fix a rescind processing issue
+    - RDMA/core: Fix incorrect structure packing for booleans
+    - rdma_cm: fail iwarp accepts w/o connection params
+    - gfs2: Add missing rcu locking for glock lookup
+    - [arm64] remoteproc: qcom: mdt_loader: Don't overwrite firmware object
+    - rtlwifi: Fix alignment issues
+    - rtlwifi: rtl8192c-common: Fix "BUG: KASAN:
+    - [m68k] VME: restore bus_remove function causing incomplete module unload
+    - nfsd: minor nfsd_setattr cleanup
+    - nfsd: special case truncates some more
+    - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
+    - NFSv4: Fix reboot recovery in copy offload
+    - pNFS/flexfiles: If the layout is invalid, it must be updated before
+      retrying
+    - NFSv4: fix getacl head length estimation
+    - NFSv4: fix getacl ERANGE for some ACL buffer sizes
+    - f2fs: fix a problem of using memory after free
+    - f2fs: fix multiple f2fs_add_link() calls having same name
+    - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
+    - f2fs: avoid to issue redundant discard commands
+    - [armhf] rtc: sun6i: Disable the build as a module
+    - [armhf] rtc: sun6i: Add some locking
+    - [armhf] rtc: sun6i: Switch to the external oscillator
+    - md linear: fix a race between linear_add() and linear_congested()
+    - bcma: use (get|put)_device when probing/removing device driver
+    - [armhf] dmaengine: ipu: Make sure the interrupt routine checks all
+      interrupts.
+    - xprtrdma: Fix Read chunk padding
+    - xprtrdma: Per-connection pad optimization
+    - xprtrdma: Disable pad optimization by default
+    - xprtrdma: Reduce required number of send SGEs
+    - [powerpc*] xmon: Fix data-breakpoint
+    - [powerpc*] mm: Add MMU_FTR_KERNEL_RO to possible feature mask
+    - [powerpc*] mm/hash: Always clear UPRT and Host Radix bits when setting up
+      CPU
+    - scsi: lpfc: Correct WQ creation for pagesize
+    - ceph: update readpages osd request according to size of pages
+    - netfilter: conntrack: remove GC_MAX_EVICTS break
+    - netfilter: conntrack: refine gc worker heuristics, redux
+
+  [ Ben Hutchings ]
   * [media] dvb-usb: don't use stack for firmware load or reset
     (Closes: #853894)
   * Kbuild.include: addtree: Remove quotes before matching path

debian/config/defines

@@ -2,6 +2,7 @@
 abiname: 2
 ignore-changes:
  __cpuhp_*
+ module:drivers/hv/*
  module:drivers/iio/common/st_sensors/**
  module:drivers/net/wireless/**
  module:drivers/power/supply/bq27xxx_battery
@@ -14,6 +15,12 @@ ignore-changes:
 # Exported for related protocols only
  can_rx_register
  ip6_xmit
+# devfreq is unlikely to be useful for OOT modules
+ devfreq_*
+ devm_devfreq_*
+ update_devfreq
+# Assume IB drivers are added/updated through OFED, which also updates IB core
+ module:drivers/infiniband/**
 
 [base]
 arches:

debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch

@@ -1,70 +0,0 @@
-From: Davidlohr Bueso <dave@stgolabs.net>
-Date: Thu, 23 Feb 2017 11:41:32 +1100
-Subject: ipc/shm: Fix shmat mmap nil-page protection
-Origin: https://marc.info/?l=linux-mm&m=148605021927245&w=2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669
-
-The issue is described here, with a nice testcase:
-
-    https://bugzilla.kernel.org/show_bug.cgi?id=192931
-
-The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the
-address rounded down to 0.  For the regular mmap case, the protection
-mentioned above is that the kernel gets to generate the address --
-arch_get_unmapped_area() will always check for MAP_FIXED and return that
-address.  So by the time we do security_mmap_addr(0) things get funky for
-shmat().
-
-The testcase itself shows that while a regular user crashes, root will not
-have a problem attaching a nil-page.  There are two possible fixes to
-this.  The first, and which this patch does, is to simply allow root to
-crash as well -- this is also regular mmap behavior, ie when hacking up
-the testcase and adding mmap(...  |MAP_FIXED).  While this approach is the
-safer option, the second alternative is to ignore SHM_RND if the rounded
-address is 0, thus only having MAP_SHARED flags.  This makes the behavior
-of shmat() identical to the mmap() case.  The downside of this is
-obviously user visible, but does make sense in that it maintains semantics
-after the round-down wrt 0 address and mmap.
-
-Passes shm related ltp tests.
-
-Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
-Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
-Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
-Cc: Manfred Spraul <manfred@colorfullife.com>
-Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
----
- ipc/shm.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -1085,8 +1085,8 @@ out_unlock1:
-  * "raddr" thing points to kernel space, and there has to be a wrapper around
-  * this.
-  */
--long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
--	      unsigned long shmlba)
-+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
-+	      ulong *raddr, unsigned long shmlba)
- {
- 	struct shmid_kernel *shp;
- 	unsigned long addr;
-@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *sh
- 		goto out;
- 	else if ((addr = (ulong)shmaddr)) {
- 		if (addr & (shmlba - 1)) {
--			if (shmflg & SHM_RND)
--				addr &= ~(shmlba - 1);	   /* round down */
-+			/*
-+			 * Round down to the nearest multiple of shmlba.
-+			 * For sane do_mmap_pgoff() parameters, avoid
-+			 * round downs that trigger nil-page and MAP_FIXED.
-+			 */
-+			if ((shmflg & SHM_RND) && addr >= shmlba)
-+				addr &= ~(shmlba - 1);
- 			else
- #ifndef __ARCH_FORCE_SHMLBA
- 				if (addr & ~PAGE_MASK)

debian/patches/series

@@ -112,7 +112,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
-bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
 debian/time-mark-timer_stats-as-broken.patch
 bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
 bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch