[linux] 01/01: Update to 3.16.47

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Aug 31 21:24:54 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 8f2c169756fa6d6750997efee70f49c0885e39c1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 31 20:34:47 2017 +0100

    Update to 3.16.47
    
    Drop many patches that are included in it.
    
    Revert one commit to avoid an ABI change.
---
 debian/changelog                                   | 437 ++++++++++-
 debian/config/defines                              |   6 +
 ...-timer-fix-missing-queue-indices-reset-at.patch |  52 --
 ...lsa-timer-fix-race-between-read-and-ioctl.patch |  69 --
 ...fix-possible-integer-overflow-in-lp_setup.patch |  39 -
 ...ash-fix-einprogress-notification-callback.patch | 226 ------
 ...cp-tcp-do-not-inherit-mc_list-from-parent.patch |  37 -
 .../patches/bugfix/all/dentry-name-snapshots.patch | 233 ------
 ...x-fencepost-in-s_first_meta_bg-validation.patch |  30 -
 .../fs-exec.c-account-for-argv-envp-pointers.patch |  91 ---
 ...overflow-of-offset-in-ip6_find_1stfragopt.patch |  55 --
 ...ip6_find_1stfragopt-return-value-properly.patch |  85 ---
 ...p-do-not-inherit-ipv6_mc_list-from-parent.patch |  60 --
 ...-out-of-bound-writes-in-__ip6_append_data.patch |  62 --
 ...nt-overrun-when-parsing-v6-header-options.patch | 221 ------
 ...-use-consistent-conditional-judgement-for.patch |  38 -
 .../ipx-call-ipxitf_put-in-ioctl-error-path.patch  |  36 -
 ...ow-keyrings-beginning-with-.-to-be-joined.patch |  76 --
 ...yctl_set_reqkey_keyring-to-not-leak-threa.patch | 174 -----
 ...ate-eperm-for-a-key-type-name-beginning-w.patch |  41 --
 ...special-dot-prefixed-keyring-name-bug-fix.patch |  50 --
 .../media-dvb-usb-v2-avoid-use-after-free.patch    |  55 --
 ...mm-fix-new-crash-in-unmapped_area_topdown.patch |  46 --
 ...ory.c-fix-up-mm-huge_memory.c-respect-fol.patch |  59 --
 .../mm-larger-stack-guard-gap-between-vmas.patch   | 807 ---------------------
 ...y.c-fix-error-handling-in-set_mempolicy-a.patch |  72 --
 ...eue-fix-a-use-after-free-in-sys_mq_notify.patch |  50 --
 ...-fix-overflow-in-check-for-priv-area-size.patch |  35 -
 ...ket-fix-overflow-in-check-for-tp_frame_nr.patch |  32 -
 ...cket-fix-overflow-in-check-for-tp_reserve.patch |  28 -
 ...sd-check-for-oversized-nfsv2-v3-arguments.patch |  99 ---
 ...icter-decoding-of-write-like-nfsv2-v3-ops.patch |  56 --
 ...sd4-minor-nfsv2-v3-write-decoding-cleanup.patch |  79 --
 ...et-fix-tp_reserve-race-in-packet_set_ring.patch |  46 --
 .../bugfix/all/ping-implement-proper-locking.patch |  49 --
 ...ore-Fix-regualtor_ena_gpio_free-not-to-ac.patch |  27 -
 ...everal-cases-where-a-padded-len-isn-t-che.patch | 207 ------
 ...-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch |  29 -
 ...protect-the-might-cancel-mechanism-proper.patch |  91 ---
 ...-strlcpy-instead-of-strcpy-in-__trace_fin.patch |  34 -
 ...p-consistently-apply-ufo-or-fragmentation.patch |  88 ---
 .../usb-iowarrior-fix-null-deref-at-probe.patch    |  52 --
 ...io_ti-fix-information-leak-in-completion-.patch |  31 -
 ...erial-omninet-fix-reference-leaks-at-open.patch |  33 -
 ...k-don-t-leak-stack-data-via-response-ring.patch | 130 ----
 ...e-xfrm_msg_newae-incoming-esn-size-harder.patch |  34 -
 ..._newae-xfrma_replay_esn_val-replay_window.patch |  45 --
 ...x-Make-sure-backup_handle-is-always-valid.patch |  48 --
 ...eger-overflow-in-vmw_surface_define_ioctl.patch |  35 -
 ...limit-the-number-of-mip-levels-in-vmw_gb_.patch |  33 -
 .../kvm-x86-fix-singlestepping-over-syscall.patch  | 128 ----
 ...mm-Tighten-x86-dev-mem-with-zeroing-reads.patch | 212 ------
 ...r-dereference-in-vmw_surface_define_ioctl.patch |  34 -
 ...ror-count-medium-access-timeout-only-once.patch | 121 +++
 ...ge-for-ttm_ref_object_add-require_existed.patch |  41 ++
 debian/patches/series                              |  53 +-
 56 files changed, 597 insertions(+), 4540 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index c6ea638..ecd68f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,17 +1,434 @@
-linux (3.16.43-2+deb8u4) UNRELEASED; urgency=medium
+linux (3.16.47-1) UNRELEASED; urgency=medium
 
-  * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.44
+    - [x86] drm/i915: relax uncritical udelay_range()
+    - adm80211: return an error if adm8211_alloc_rings() fails
+    - iio: st_pressure: Fix data sign
+    - rtlwifi: Fix alignment issues
+    - [mips*] Clear ISA bit correctly in get_frame_info()
+    - [mips*] Prevent unaligned accesses during stack unwinding
+    - [mips*] Fix get_frame_info() handling of microMIPS function size
+    - [mips*] Fix is_jump_ins() handling of 16b microMIPS instructions
+    - [mips*] Calculate microMIPS ra properly when unwinding the stack
+    - [mips*] Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
+    - [x86] scsi: storvsc: use tagged SRB requests if supported by the device
+    - [x86] scsi: storvsc: Fix a bug in the handling of SRB status flags
+    - [x86] scsi: storvsc: properly handle SRB_ERROR when sense message is
+      present
+    - [x86] scsi: storvsc: properly set residual data length on errors
+    - IB/mlx5: Fix retrieval of index to first hi class bfreg
+    - samples/seccomp: fix 64-bit comparison macros
+    - clk: wm831x: fix usleep_range with bad range
+    - [x86] hv: vmbus_post_msg: retry the hypercall on some transient errors
+    - [x86] hv_vmbus: Add gradually increased delay for retries in
+      vmbus_post_msg()
+    - [x86] Drivers: hv: vmbus: Reduce the delay between retries in
+      vmbus_post_msg()
+    - [x86] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
+    - [x86] hv: allocate synic pages for all present CPUs
+    - [x86] hv: init percpu_list in hv_synic_alloc()
+    - perf evlist: Fix typo in perf_evlist__start_workload()
+    - ext4: avoid deadlock when expanding inode size
+    - ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
+    - tty: serial: msm: Fix module autoload
+    - ath5k: drop bogus warning on drv_set_key with unsupported cipher
+    - ASoC: rt5640: use msleep() for long delays
+    - RDMA/core: Fix incorrect structure packing for booleans
+    - IB/ipoib: Set device connection mode only when needed
+    - IB/ipoib: Fix deadlock over vlan_mutex
+    - IB/ipoib: Fix deadlock between rmmod and set_mode
+    - IB/ipoib: rtnl_unlock can not come after free_netdev
+    - IB/ipoib: Replace list_del of the neigh->list with list_del_init
+    - IB/ipoib: Change list_del to list_del_init in the tx object
+    - locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER
+    - USB: serial: ch341: fix modem-status handling
+    - USB: serial: ark3116: fix register-accessor error handling
+    - USB: serial: ark3116: fix open error handling
+    - USB: serial: ftdi_sio: fix modem-status error handling
+    - USB: serial: ftdi_sio: fix latency-timer error handling
+    - USB: serial: io_edgeport: fix epic-descriptor handling
+    - USB: serial: io_edgeport: fix descriptor error handling
+    - USB: serial: mct_u232: fix modem-status error handling
+    - USB: serial: quatech2: fix control-message error handling
+    - USB: serial: spcp8x5: fix modem-status handling
+    - USB: serial: ssu100: fix control-message error handling
+    - USB: serial: ti_usb_3410_5052: fix control-message error handling
+    - USB: serial: opticon: fix CTS retrieval at open
+    - staging: rtl: fix possible NULL pointer dereference
+    - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
+    - blk-mq: Make bt_clear_tag() easier to read
+    - sbitmap: fix wakeup hang after sbq resize
+    - [armhf] usb: dwc3: gadget: skip Set/Clear Halt when invalid
+    - usb: gadget: define free_ep_req as universal function
+    - usb: gadget: f_hid: fix: Free out requests
+    - usb: gadget: f_hid: fix: Prevent accessing released memory
+    - usb: gadget: f_hid: Use spinlock instead of mutex
+    - W1: ds2490: Increase timeout when waiting for status
+    - w1: ds2490: USB transfer buffers need to be DMAable
+    - w1: don't leak refcount on slave attach failure in
+      w1_attach_slave_device()
+    - USB: serial: ftdi_sio: fix extreme low-latency setting
+    - iwlwifi: mvm: rs: Remove unused 'mcs' variable
+    - drm/ttm: Make sure BOs being swapped out are cacheable
+    - [armhf] clk: samsung: mark s3c...._clk_sleep_init() as __init
+    - drm/radeon: handle vfct with multiple vbios images
+    - ext4: trim allocation requests to group size
+    - ext4: use private version of page_zero_new_buffers() for data=journal mode
+    - ext4: fix data corruption in data=journal mode
+    - [arm*] KVM: Enforce unconditional flush to PoC when mapping to stage-2
+    - bcma: use (get|put)_device when probing/removing device driver
+    - staging: wlan-ng: add missing byte order conversion
+    - [x86] iommu/vt-d: Don't over-free page table directories
+    - uvcvideo: Fix a wrong macro
+    - USB: serial: digi_acceleport: fix OOB data sanity check
+    - USB: serial: digi_acceleport: fix incomplete rx sanity check
+    - USB: serial: keyspan_pda: fix receive sanity checks
+    - usb: misc: adutux: remove redundant error check on copy_to_user return
+      code
+    - [s390*] qdio: clear DSCI prior to scanning multiple input queues
+    - [x86] pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
+    - ext4: fix inline data error paths
+    - jbd2: don't leak modified metadata buffers on an aborted journal
+    - ext4: preserve the needs_recovery flag when the journal is aborted
+    - ext4: return EROFS if device is r/o and journal replay is needed
+    - [s390*] KVM: Disable dirty log retrieval for UCONTROL guests
+    - USB: serial: ftdi_sio: fix line-status over-reporting
+    - USB: serial: sierra: fix bogus alternate-setting assumption
+    - mwifiex: Avoid skipping WEP key deletion for AP
+    - ath9k: fix race condition in enabling/disabling IRQs
+    - NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
+    - USB: serial: mos7840: fix another NULL-deref at open
+    - i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio
+    - KEYS: Fix an error code in request_master_key()
+    - serial: exar: Fix initialization of EXAR registers for ports > 0
+    - [x86] drivers: hv: Turn off write permission on the hypercall page
+    - [armhf] mmc: host: omap_hsmmc: avoid possible overflow of timeout value
+    - md linear: fix a race between linear_add() and linear_congested()
+    - md: ensure md devices are freed before module is unloaded.
+    - nlm: Ensure callback code also checks that the files match
+    - IB/mlx5: Fix out-of-bound access
+    - IB/mlx5: Return error for unsupported signature type
+    - [powerpc*] xmon: Fix data-breakpoint
+    - ath9k: use correct OTP register offsets for the AR9340 and AR9550
+    - dm cache: fix corruption seen when using cache > 2TB
+    - [mips*] Fix special case in 64 bit IP checksumming.
+    - [mips*] OCTEON: Fix copy_from_user fault handling for large buffers
+    - sfc: do not device_attach if a reset is pending
+    - PM / QoS: Fix memory leak on resume_latency.notifiers
+    - mlx4: reduce OOM risk on arches with large pages
+    - [x86] KVM: VMX: use correct vmcs_read/write for guest segment
+      selector/base
+    - nfsd: update mtime on truncate
+    - nfsd: minor nfsd_setattr cleanup
+    - nfsd: special case truncates some more
+    - batman-adv: Fix double free during fragment merge error
+    - batman-adv: Fix transmission of final, 16th fragment
+    - drm/ttm: fix use-after-free races in vm fault handling
+    - NFSv4: Fix the underestimation of delegation XDR space reservation
+    - fuse: add missing FR_FORCE
+    - rdma_cm: fail iwarp accepts w/o connection params
+    - l2tp: Avoid schedule while atomic in exit_net
+    - net/dccp: fix use after free in tw_timer_handler()
+    - tcp: account for ts offset only if tsecr not zero
+    - scsi: aacraid: Fix memory leak in fib init path
+    - scsi: aacraid: Reorder Adapter status check
+    - mm: fix <linux/pagemap.h> stray kernel-doc notation
+    - [s390*] chsc: Add exception handler for CHSC instruction
+    - net/mlx4: Spoofcheck and zero MAC can't coexist
+    - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on
+      new probed PFs
+    - net/mlx4_en: Use __skb_fill_page_desc()
+    - f2fs: use for_each_set_bit to simplify the code
+    - f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
+    - NFSv4: fix getacl head length estimation
+    - NFSv4: fix getacl ERANGE for some ACL buffer sizes
+    - vxlan: correctly validate VXLAN ID against VXLAN_N_VID
+    - mm/page_alloc: fix nodes for reclaim in fast path
+    - mm: vmpressure: fix sending wrong events on underflow
+    - mm: do not access page->mapping directly on page_endio
+    - ipv4: mask tos for input route
+    - net sched actions: decrement module reference count after table flush.
+    - mac80211: flush delayed work when entering suspend
+    - drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
+    - ALSA: timer: Reject user params with too small ticks
+    - ALSA: ctxfi: Fallback DMA mask to 32bit
+    - ALSA: seq: Fix link corruption by event error handling
+    - net/mlx4: && vs & typo
+    - net: net_enable_timestamp() can be called from irq contexts
+    - can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
+    - virtio-console: avoid DMA from stack
+    - net: ipv6: check route protocol when deleting routes
+    - [x86] platform: acer-wmi: setup accelerometer when machine has
+      appropriate notify event
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.45
+    - Allow stack to grow up to address space limit
+    - [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.46
+    - xfrm: policy: init locks early
+    - xen: do not re-use pirq number cached in pci device msi msg data
+    - scsi: libiscsi: add lock around task lists to fix list corruption
+      regression
+    - [x86] kprobes: Fix kernel panic when certain exception-handling addresses
+      are probed
+    - [s390*] KVM: Fix guest migration for huge guests resulting in panic
+    - batman-adv: Keep fragments equally sized
+    - net: phy: Do not perform software reset for Generic PHY
+    - [armhf] usb: dwc3: gadget: make Set Endpoint Configuration macros safe
+    - usb: gadget: function: f_fs: pass companion descriptor along
+    - USB: serial: digi_acceleport: fix OOB-event processing
+    - scsi: aacraid: Fix typo in blink status
+    - libceph: don't set weight to IN when OSD is destroyed
+    - [powerpc*] boot: Fix zImage TOC alignment
+    - scsi: lpfc: Add shutdown method for kexec
+    - target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
+    - target: Fix VERIFY_16 handling in sbc_parse_cdb
+    - [mips*] End spinlocks with .insn
+    - USB: serial: io_ti: fix NULL-deref in interrupt callback
+    - USB: serial: safe_serial: fix information leak in completion handler
+    - dvb-usb: don't use stack for firmware load
+    - dvb-usb-firmware: don't do DMA on stack
+    - USB: iowarrior: fix NULL-deref in write
+    - md/raid1/10: fix potential deadlock
+    - udp: avoid ufo handling on IP payload compression packets
+    - [x86] platform/intel-mid: Correct MSI IRQ line for watchdog device
+    - NFSv4: fix a reference leak caused WARNING messages
+    - ipv6: make ECMP route replacement less greedy
+    - isdn/gigaset: fix NULL-deref at probe
+    - net: wimax/i2400m: fix NULL-deref at probe
+    - dccp/tcp: fix routing redirect race
+    - USB: idmouse: fix NULL-deref at probe
+    - USB: uss720: fix NULL-deref at probe
+    - USB: wusbcore: fix NULL-deref at probe
+    - uwb: hwa-rc: fix NULL-deref at probe
+    - uwb: i1480-dfu: fix NULL-deref at probe
+    - usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
+    - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
+    - futex: Add missing error handling to FUTEX_REQUEUE_PI
+    - ext4: mark inode dirty after converting inline directory
+    - [armhf] iio: adc: ti_am335x_adc: fix fifo overrun recovery
+    - net: properly release sk_frag.page
+    - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
+    - nl80211: fix dumpit error path RTNL deadlocks
+    - perf/core: Fix event inheritance on fork()
+    - mmc: ushc: fix NULL-deref at probe
+    - Input: iforce - validate number of endpoints before using them
+    - Input: cm109 - validate number of endpoints before using them
+    - Input: ims-pcu - validate number of endpoints before using them
+    - Input: yealink - validate number of endpoints before using them
+    - Input: hanwang - validate number of endpoints before using them
+    - Input: kbtab - validate number of endpoints before using them
+    - Input: sur40 - validate number of endpoints before using them
+    - net: ipv6: set route type for anycast routes
+    - USB: usbtmc: add missing endpoint sanity check
+    - ACM gadget: fix endianness in notifications
+    - usb: hub: Fix crash after failure to read BOS descriptor
+    - perf symbols: Fix symbols__fixup_end heuristic for corner cases
+    - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
+    - scsi: libsas: fix ata xfer length
+    - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
+    - net: unix: properly re-increment inflight counter of GC discarded
+      candidates
+    - bpf: try harder on clones when writing into skb
+    - sch_dsmark: fix invalid skb_cow() usage
+    - bna: integer overflow bug in debugfs
+    - [s390*] decompressor: fix initrd corruption caused by bss clear
+    - usb: gadget: uvc: Fix endianness mismatches
+    - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
+      wBytesPerInterval
+    - net/mlx5: Increase number of max QPs in default profile
+    - mmc: sdhci: Do not disable interrupts while waiting for clock
+    - libceph: force GFP_NOIO for socket allocations
+    - xen/acpi: upload PM state from init-domain to Xen
+    - [x86] KVM: clear bus pointer when destroyed
+    - KVM: kvm_io_bus_unregister_dev() should never fail
+    - hwmon: (asus_atk0110) fix uninitialized data access
+    - ALSA: seq: Fix race during FIFO resize
+    - net: phy: handle state correctly in phy_stop_machine
+    - IB/qib: fix false-postive maybe-uninitialized warning
+    - ext4: lock the xattr block before checksuming it
+    - USB: fix linked-list corruption in rh_call_control()
+    - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
+    - [powerpc*] Disable HFSCR[TM] if TM is not supported
+    - virtio_balloon: init 1st buffer in stats vq
+    - virtio_balloon: prevent uninitialized variable use
+    - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
+    - ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
+    - ACPI: Fix incompatibility with mcount-based function graph tracing
+    - xhci: Manually give back cancelled URB if we can't queue it for cancel
+    - l2tp: purge socket queues in the .destruct() callback
+    - [s390x] uaccess: get_user() should zero on failure (again)
+    - ubi/upd: Always flush after prepared for an update
+    - iscsi-target: Fix TMR reference leak during session shutdown
+    - [x86] drm/vmwgfx: Type-check lookups of fence objects
+    - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
+      vmw_get_cap_3d_ioctl()
+    - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
+    - [x86] drm/vmwgfx: Remove getparam error message
+    - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
+    - l2tp: fix race in l2tp_recv_common()
+    - l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
+    - l2tp: fix duplicate session creation
+    - l2tp: take a reference on sessions used in genetlink handlers
+    - kernel.h: make abs() work with 64-bit types
+    - include/linux/kernel.h: change abs() macro so it uses consistent return
+      type
+    - iio: core: Fix IIO_VAL_FRACTIONAL_LOG2 for negative values
+    - iio: hid-sensor-attributes: Fix sensor property setting failure.
+    - iscsi-target: Drop work-around for legacy GlobalSAN initiator
+    - af_key: Add lock to key dump
+    - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
+    - [powerpc*] Don't try to fix up misaligned load-with-reservation
+      instructions
+    - l2tp: take reference on sessions being dumped
+    - [powerpc*] kernel: Use kprobe blacklist for asm functions
+    - [powerpc*/*64*] Fix flush_(d|i)cache_range() called from modules
+    - crypto: caam - fix RNG deinstantiation error checking
+    - ring-buffer: Fix return value check in test_ringbuffer()
+    - CIFS: Handle mismatched open calls
+    - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
+    - virtio_console: fix uninitialized variable use
+    - xen, fbfront: fix connecting to backend
+    - scsi: sr: Sanity check returned mode data
+    - ptrace: fix PTRACE_LISTEN race corrupting task->state
+    - l2tp: don't mask errors in pppol2tp_setsockopt()
+    - l2tp: don't mask errors in pppol2tp_getsockopt()
+    - [x86] vdso: Ensure vdso32_enabled gets set to valid values only
+    - [x86] vdso: Plug race between mapping and ELF header setup
+    - CIFS: remove bad_network_name flag
+    - [s390x] mm: fix CMMA vs KSM vs others
+    - [mips*] KGDB: Use kernel context for sleeping threads
+    - ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
+    - zram: do not use copy_page with non-page aligned address
+    - [x86] perf: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
+    - [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram
+    - p9_client_readdir() fix
+    - cifs: Do not send echoes before Negotiate is complete
+    - KEYS: Change the name of the dead type to ".dead" to prevent user access
+    - [x86] Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
+    - tracing: Allocate the snapshot buffer before enabling probe
+    - ACPI / power: Avoid maybe-uninitialized warning
+    - ring-buffer: Have ring_buffer_iter_empty() return true when empty
+    - mac80211: reject ToDS broadcast data frames
+    - smsc75xx: use skb_cow_head() to deal with cloned skbs
+    - cx82310_eth: use skb_cow_head() to deal with cloned skbs
+    - sr9700: use skb_cow_head() to deal with cloned skbs
+    - net: ipv6: send unsolicited NA if enabled for all interfaces
+    - [x86] Input: i8042 - add Clevo P650RS to the i8042 reset list
+    - macvlan: Fix device ref leak when purging bc_queue
+    - team: fix memory leaks
+    - ipv6: move stub initialization after ipv6 setup completion
+    - ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
+    - ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
+    - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+      (CVE-2017-1000380)
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.47
+    - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
+    - [x86] staging: comedi: jr3_pci: fix possible null pointer dereference
+    - [x86] staging: comedi: jr3_pci: cope with jiffies wraparound
+    - zd1211rw: fix NULL-deref at probe
+    - usb: hub: Fix error loop seen after hub communication errors
+    - usb: hub: Do not attempt to autosuspend disconnected devices
+    - serial_ir: iommap is a memory address, not bool
+    - mceusb: fix NULL-deref at probe
+    - USB: Proper handling of Race Condition when two USB class drivers try to
+      call init_usb_class simultaneously
+    - cdc-acm: fix possible invalid access when processing notification
+    - ath9k_htc: fix NULL-deref at probe
+    - IPoIB: Remove unnecessary test for NULL before debugfs_remove()
+    - IB/IPoIB: ibX: failed to create mcg debug file
+    - gspca: konica: add missing endpoint sanity check
+    - dib0700: fix NULL-deref at probe
+    - usbvision: fix NULL-deref at probe
+    - cx231xx-cards: fix NULL-deref at probe
+    - cx231xx-audio: fix init error path
+    - cx231xx-audio: fix NULL-deref at probe
+    - uvcvideo: Fix empty packet statistic
+    - padata: free correct variable
+    - [armhf] serial: omap: fix runtime-pm handling on unbind
+    - [armhf] serial: omap: suspend device on probe errors
+    - PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
+    - vfio/type1: Remove locked page accounting workqueue
+    - [x86] perf/pebs: Fix handling of PEBS buffer overflows
+    - [x86] perf: Fix spurious NMI with PEBS Load Latency event
+    - ftrace: Fix removing of second function probe
+    - net: ipv6: send unsolicited NA on admin up
+    - digitv: limit messages to buffer size
+    - zr364xx: enforce minimum size when reading header
+    - PCI: Ignore write combining when mapping I/O port space
+    - PCI: Fix another sanity check bug in /proc/pci mmap
+    - PCI: Only allow WC mmap on prefetchable resources
+    - PCI: Freeze PME scan before suspending devices
+    - ttusb2: limit messages to buffer size
+    - dw2102: limit messages to buffer size
+    - ov2640: fix vflip control
+    - ath9k: off by one in ath9k_hw_nvram_read_array()
+    - [armhf,arm64] KVM: fix races in kvm_psci_vcpu_on
+    - usb: host: xhci: print correct command ring address
+    - mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
+    - [x86] boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
+    - NFS: Use GFP_NOIO for two allocations in writeback
+    - IB/ipoib: Update broadcast object if PKey value was changed in index 0
+    - HSI: ssi_protocol: double free in ssip_pn_xmit()
+    - IB/mlx4: Fix ib device initialization error flow
+    - [powerpc*] pseries: Fix of_node_put() underflow during DLPAR remove
+    - [powerpc*] sysfs: Fix reference leak of cpu device_nodes present at boot
+    - netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice
+    - netfilter: ctnetlink: make it safer when updating ct->status
+    - dm btree: fix for dm_btree_find_lowest_key()
+    - dm era: save spacemap metadata root after the pre-commit
+    - PCI: Disable boot interrupt quirk for ASUS M2N-LR
+    - fanotify: don't expose EOPENSTALE to userspace
+    - usb: Make sure usb/phy/of gets built-in
+    - [x86] mm: Fix flush_tlb_page() on Xen
+    - usb: misc: legousbtower: Fix buffers on stack
+    - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
+    - dm ioctl: prevent stack leak in dm ioctl call
+    - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
+    - IB/core: If the MGID/MLID pair is not on the list return an error
+    - IB/core: For multicast functions, verify that LIDs are multicast LIDs
+    - libata: reject passthrough WRITE SAME requests
+    - ext4: evict inline data when writing to memory map
+    - Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
+    - [armhf] Input: twl4030-pwrbutton - use correct device for irq request
+    - ip6_tunnel: Fix missing tunnel encapsulation limit option
+    - ipv6: Need to export ipv6_push_frag_opts for tunneling now.
+    - dm bufio: avoid a possible ABBA deadlock
+    - [arm64] KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses
+    - [x86] drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
+    - [powerpc*] eeh: Avoid use after free in eeh_handle_special_event()
+    - tcp: fix wraparound issue in tcp_lp
+    - cifs: small underflow in cnvrtDosUnixTm()
+    - CIFS: Set unicode flag on cifs echo request to avoid Mac error
+    - tg3: don't clear stats while tg3_close
+    - CIFS: fix oplock break deadlocks
+    - CIFS: SMB3: Work around mount failure when using SMB3 dialect to Macs
+    - ceph: fix memory leak in __ceph_setxattr()
+    - of: fix sparse warning in of_pci_range_parser_one
+    - target/fileio: Fix zero-length READ and WRITE handling
+    - fs/xattr.c: zero out memory copied to userspace in getxattr
+    - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init()
+    - virtio_net: fix support for small rings
+    - net/mlx4_en: Change the error print to debug print
+    - net/mlx4_en: Avoid adding steering rules with invalid ring
+    - [arm64] ensure extension of smp_store_release value
+    - [arm64] uaccess: ensure extension of access_ok() addr
+    - timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
+    - packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
+    - ipv6: Should use consistent conditional judgement for ip6 fragment
+      between __ip6_append_data and ip6_finish_output
+    - udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
+    - usb: misc: legousbtower: Fix memory leak
+    - net/mlx4: Fix the check in attaching steering rules
+
+  [ Ben Hutchings ]
   * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
     CVE-2017-1000371)
-  * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
-  * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
-    (CVE-2017-1000380)
-  * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
   * xfrm: policy: check policy direction value (CVE-2017-11600)
-  * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
-  * ipv6: Should use consistent conditional judgement for ip6 fragment
-    between __ip6_append_data and ip6_finish_output
-  * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
+  * SCSI: Revert "scsi: scsi_error: count medium access timeout only once per
+    EH run" to avoid ABI change
+  * ttm: Avoid ABI change for ttm_ref_object_add() require_existing param
+  * cxgbi, IB, libiscsi, l2tp, rds: Ignore ABI changes
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 06 Aug 2017 22:03:56 +0100
 
diff --git a/debian/config/defines b/debian/config/defines
index 8ae9c33..f64fc21 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -10,11 +10,15 @@ ignore-changes:
  module:drivers/net/can/can-dev
  module:drivers/net/ethernet/**
  module:drivers/net/wireless/**
+ module:drivers/scsi/cxgbi/*
+ module:drivers/scsi/libiscs*
  module:drivers/scsi/qla2xxx/qla2xxx
  module:drivers/target/iscsi/iscsi_target_mod
  module:drivers/target/target_core_mod
  module:drivers/usb/musb/*
  module:net/ceph/libceph
+ module:net/l2tp/l2tp_core
+ module:net/rds/rds
  module:sound/firewire/snd-firewire-lib
  module:sound/i2c/other/snd-ak4113
  module:sound/i2c/other/snd-ak4114
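Review bot: The four entries added to `ignore-changes` here (`drivers/scsi/cxgbi/*`, `drivers/scsi/libiscs*`, `net/l2tp/l2tp_core`, `net/rds/rds`) have no comment saying why their ABI is exempt, unlike the `drivers/infiniband/**` entry in the next hunk. Each entry switches off the ABI check for that module, so a later reader cannot tell whether the exemption was meant for this stable update only or indefinitely. A line such as `# ABI changed by the 3.16.47-1 stable update; see debian/changelog` above the new entries would record that. The pattern `module:drivers/scsi/libiscs*` also reads like a truncated name; if it is meant to cover libiscsi and its siblings, `module:drivers/scsi/libiscsi*` states that more clearly.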
@@ -69,6 +73,8 @@ ignore-changes:
 # Private to *notify
  fsnotify_*_group
  fsnotify_*_mark
+# Assume IB drivers are added/updated through OFED, which also updates IB core
+ module:drivers/infiniband/**
 
 [base]
 arches:
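Review bot: `module:drivers/infiniband/**` exempts every module under drivers/infiniband from the ABI check, while the changelog entry only speaks of ignoring the ABI changes introduced by this update. The comment states the OFED assumption, but an out-of-tree IB module built against the previous ABI without OFED would presumably load without any ABI-bump signal. Consider narrowing the pattern to the modules whose symbols actually changed (not visible from this hunk), or extending the comment to say when the entry can be dropped, e.g. `# Remove at the next ABI bump`. The entry also sits after the `fsnotify_*` symbol patterns rather than with the other `module:` lines earlier in the list, where it is easy to miss.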
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch b/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
deleted file mode 100644
index bd5481a..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Fri, 2 Jun 2017 17:26:56 +0200
-Subject: ALSA: timer: Fix missing queue indices reset at
- SNDRV_TIMER_IOCTL_SELECT
-Origin: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
-
-snd_timer_user_tselect() reallocates the queue buffer dynamically, but
-it forgot to reset its indices.  Since the read may happen
-concurrently with ioctl and snd_timer_user_tselect() allocates the
-buffer via kmalloc(), this may lead to the leak of uninitialized
-kernel-space data, as spotted via KMSAN:
-
-  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
-  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
-  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
-  Call Trace:
-   __dump_stack lib/dump_stack.c:16
-   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
-   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
-   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
-   copy_to_user ./arch/x86/include/asm/uaccess.h:725
-   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
-   do_loop_readv_writev fs/read_write.c:716
-   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
-   do_readv_writev fs/read_write.c:894
-   vfs_readv fs/read_write.c:908
-   do_readv+0x52a/0x5d0 fs/read_write.c:934
-   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
-   SyS_readv+0x87/0xb0 fs/read_write.c:1018
-
-This patch adds the missing reset of queue indices.  Together with the
-previous fix for the ioctl/read race, we cover the whole problem.
-
-Reported-by: Alexander Potapenko <glider at google.com>
-Tested-by: Alexander Potapenko <glider at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1636,6 +1636,7 @@ static int snd_timer_user_tselect(struct
- 	if (err < 0)
- 		goto __err;
- 
-+	tu->qhead = tu->qtail = tu->qused = 0;
- 	kfree(tu->queue);
- 	tu->queue = NULL;
- 	kfree(tu->tqueue);
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch b/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
deleted file mode 100644
index 96cabbe..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Fri, 2 Jun 2017 15:03:38 +0200
-Subject: ALSA: timer: Fix race between read and ioctl
-Origin: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
-
-The read from ALSA timer device, the function snd_timer_user_tread(),
-may access to an uninitialized struct snd_timer_user fields when the
-read is concurrently performed while the ioctl like
-snd_timer_user_tselect() is invoked.  We have already fixed the races
-among ioctls via a mutex, but we seem to have forgotten the race
-between read vs ioctl.
-
-This patch simply applies (more exactly extends the already applied
-range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
-race window.
-
-Reported-by: Alexander Potapenko <glider at google.com>
-Tested-by: Alexander Potapenko <glider at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- sound/core/timer.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1964,6 +1964,7 @@ static ssize_t snd_timer_user_read(struc
- 
- 	tu = file->private_data;
- 	unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);
-+	mutex_lock(&tu->ioctl_lock);
- 	spin_lock_irq(&tu->qlock);
- 	while ((long)count - result >= unit) {
- 		while (!tu->qused) {
-@@ -1979,7 +1980,9 @@ static ssize_t snd_timer_user_read(struc
- 			add_wait_queue(&tu->qchange_sleep, &wait);
- 
- 			spin_unlock_irq(&tu->qlock);
-+			mutex_unlock(&tu->ioctl_lock);
- 			schedule();
-+			mutex_lock(&tu->ioctl_lock);
- 			spin_lock_irq(&tu->qlock);
- 
- 			remove_wait_queue(&tu->qchange_sleep, &wait);
-@@ -1999,7 +2002,6 @@ static ssize_t snd_timer_user_read(struc
- 		tu->qused--;
- 		spin_unlock_irq(&tu->qlock);
- 
--		mutex_lock(&tu->ioctl_lock);
- 		if (tu->tread) {
- 			if (copy_to_user(buffer, &tu->tqueue[qhead],
- 					 sizeof(struct snd_timer_tread)))
-@@ -2009,7 +2011,6 @@ static ssize_t snd_timer_user_read(struc
- 					 sizeof(struct snd_timer_read)))
- 				err = -EFAULT;
- 		}
--		mutex_unlock(&tu->ioctl_lock);
- 
- 		spin_lock_irq(&tu->qlock);
- 		if (err < 0)
-@@ -2019,6 +2020,7 @@ static ssize_t snd_timer_user_read(struc
- 	}
-  _error:
- 	spin_unlock_irq(&tu->qlock);
-+	mutex_unlock(&tu->ioctl_lock);
- 	return result > 0 ? result : err;
- }
- 
diff --git a/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch b/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
deleted file mode 100644
index 40d2f9d..0000000
--- a/debian/patches/bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Willy Tarreau <w at 1wt.eu>
-Date: Tue, 16 May 2017 19:18:55 +0200
-Subject: char: lp: fix possible integer overflow in lp_setup()
-Origin: https://git.kernel.org/linus/3e21f4af170bebf47c187c1ff8bf155583c9f3b1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000363
-
-The lp_setup() code doesn't apply any bounds checking when passing
-"lp=none", and only in this case, resulting in an overflow of the
-parport_nr[] array. All versions in Git history are affected.
-
-Reported-By: Roee Hay <roee.hay at hcl.com>
-Cc: Ben Hutchings <ben at decadent.org.uk>
-Cc: stable at vger.kernel.org
-Signed-off-by: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/char/lp.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/char/lp.c b/drivers/char/lp.c
-index 565e4cf04a02..8249762192d5 100644
---- a/drivers/char/lp.c
-+++ b/drivers/char/lp.c
-@@ -859,7 +859,11 @@ static int __init lp_setup (char *str)
- 	} else if (!strcmp(str, "auto")) {
- 		parport_nr[0] = LP_PARPORT_AUTO;
- 	} else if (!strcmp(str, "none")) {
--		parport_nr[parport_ptr++] = LP_PARPORT_NONE;
-+		if (parport_ptr < LP_NO)
-+			parport_nr[parport_ptr++] = LP_PARPORT_NONE;
-+		else
-+			printk(KERN_INFO "lp: too many ports, %s ignored.\n",
-+			       str);
- 	} else if (!strcmp(str, "reset")) {
- 		reset = 1;
- 	}
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch b/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
deleted file mode 100644
index 47c2299..0000000
--- a/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From: Herbert Xu <herbert at gondor.apana.org.au>
-Date: Mon, 10 Apr 2017 17:27:57 +0800
-Subject: crypto: ahash - Fix EINPROGRESS notification callback
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit?id=ef0579b64e93188710d48667cb5e014926af9f1b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7618
-
-The ahash API modifies the request's callback function in order
-to clean up after itself in some corner cases (unaligned final
-and missing finup).
-
-When the request is complete ahash will restore the original
-callback and everything is fine.  However, when the request gets
-an EBUSY on a full queue, an EINPROGRESS callback is made while
-the request is still ongoing.
-
-In this case the ahash API will incorrectly call its own callback.
-
-This patch fixes the problem by creating a temporary request
-object on the stack which is used to relay EINPROGRESS back to
-the original completion function.
-
-This patch also adds code to preserve the original flags value.
-
-Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
-Cc: <stable at vger.kernel.org>
-Reported-by: Sabrina Dubroca <sd at queasysnail.net>
-Tested-by: Sabrina Dubroca <sd at queasysnail.net>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c                 | 79 ++++++++++++++++++++++++++----------------
- include/crypto/internal/hash.h | 10 ++++++
- 2 files changed, 60 insertions(+), 29 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -31,6 +31,7 @@ struct ahash_request_priv {
- 	crypto_completion_t complete;
- 	void *data;
- 	u8 *result;
-+	u32 flags;
- 	void *ubuf[] CRYPTO_MINALIGN_ATTR;
- };
- 
-@@ -263,6 +264,8 @@ static int ahash_save_req(struct ahash_r
- 	priv->result = req->result;
- 	priv->complete = req->base.complete;
- 	priv->data = req->base.data;
-+	priv->flags = req->base.flags;
-+
- 	/*
- 	 * WARNING: We do not backup req->priv here! The req->priv
- 	 *          is for internal use of the Crypto API and the
-@@ -277,38 +280,44 @@ static int ahash_save_req(struct ahash_r
- 	return 0;
- }
- 
--static void ahash_restore_req(struct ahash_request *req)
-+static void ahash_restore_req(struct ahash_request *req, int err)
- {
- 	struct ahash_request_priv *priv = req->priv;
- 
-+	if (!err)
-+		memcpy(priv->result, req->result,
-+		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+
- 	/* Restore the original crypto request. */
- 	req->result = priv->result;
--	req->base.complete = priv->complete;
--	req->base.data = priv->data;
-+
-+	ahash_request_set_callback(req, priv->flags,
-+				   priv->complete, priv->data);
- 	req->priv = NULL;
- 
- 	/* Free the req->priv.priv from the ADJUSTED request. */
- 	kzfree(priv);
- }
- 
--static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
-+static void ahash_notify_einprogress(struct ahash_request *req)
- {
- 	struct ahash_request_priv *priv = req->priv;
-+	struct crypto_async_request oreq;
- 
--	if (err == -EINPROGRESS)
--		return;
--
--	if (!err)
--		memcpy(priv->result, req->result,
--		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+	oreq.data = priv->data;
- 
--	ahash_restore_req(req);
-+	priv->complete(&oreq, -EINPROGRESS);
- }
- 
- static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- {
- 	struct ahash_request *areq = req->data;
- 
-+	if (err == -EINPROGRESS) {
-+		ahash_notify_einprogress(areq);
-+		return;
-+	}
-+
- 	/*
- 	 * Restore the original request, see ahash_op_unaligned() for what
- 	 * goes where.
-@@ -319,7 +328,7 @@ static void ahash_op_unaligned_done(stru
- 	 */
- 
- 	/* First copy req->result into req->priv.result */
--	ahash_op_unaligned_finish(areq, err);
-+	ahash_restore_req(areq, err);
- 
- 	/* Complete the ORIGINAL request. */
- 	areq->base.complete(&areq->base, err);
-@@ -335,7 +344,12 @@ static int ahash_op_unaligned(struct aha
- 		return err;
- 
- 	err = op(req);
--	ahash_op_unaligned_finish(req, err);
-+	if (err == -EINPROGRESS ||
-+	    (err == -EBUSY && (ahash_request_flags(req) &
-+			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+		return err;
-+
-+	ahash_restore_req(req, err);
- 
- 	return err;
- }
-@@ -370,25 +384,14 @@ int crypto_ahash_digest(struct ahash_req
- }
- EXPORT_SYMBOL_GPL(crypto_ahash_digest);
- 
--static void ahash_def_finup_finish2(struct ahash_request *req, int err)
-+static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
- {
--	struct ahash_request_priv *priv = req->priv;
-+	struct ahash_request *areq = req->data;
- 
- 	if (err == -EINPROGRESS)
- 		return;
- 
--	if (!err)
--		memcpy(priv->result, req->result,
--		       crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
--
--	ahash_restore_req(req);
--}
--
--static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
--{
--	struct ahash_request *areq = req->data;
--
--	ahash_def_finup_finish2(areq, err);
-+	ahash_restore_req(areq, err);
- 
- 	areq->base.complete(&areq->base, err);
- }
-@@ -399,11 +402,15 @@ static int ahash_def_finup_finish1(struc
- 		goto out;
- 
- 	req->base.complete = ahash_def_finup_done2;
--	req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- 	err = crypto_ahash_reqtfm(req)->final(req);
-+	if (err == -EINPROGRESS ||
-+	    (err == -EBUSY && (ahash_request_flags(req) &
-+			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+		return err;
- 
- out:
--	ahash_def_finup_finish2(req, err);
-+	ahash_restore_req(req, err);
- 	return err;
- }
- 
-@@ -411,7 +418,16 @@ static void ahash_def_finup_done1(struct
- {
- 	struct ahash_request *areq = req->data;
- 
-+	if (err == -EINPROGRESS) {
-+		ahash_notify_einprogress(areq);
-+		return;
-+	}
-+
-+	areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- 	err = ahash_def_finup_finish1(areq, err);
-+	if (areq->priv)
-+		return;
- 
- 	areq->base.complete(&areq->base, err);
- }
-@@ -426,6 +442,11 @@ static int ahash_def_finup(struct ahash_
- 		return err;
- 
- 	err = tfm->update(req);
-+	if (err == -EINPROGRESS ||
-+	    (err == -EBUSY && (ahash_request_flags(req) &
-+			       CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+		return err;
-+
- 	return ahash_def_finup_finish1(req, err);
- }
- 
---- a/include/crypto/internal/hash.h
-+++ b/include/crypto/internal/hash.h
-@@ -164,6 +164,16 @@ static inline struct ahash_instance *aha
- 	return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
- }
- 
-+static inline void ahash_request_complete(struct ahash_request *req, int err)
-+{
-+	req->base.complete(&req->base, err);
-+}
-+
-+static inline u32 ahash_request_flags(struct ahash_request *req)
-+{
-+	return req->base.flags;
-+}
-+
- static inline struct crypto_ahash *crypto_spawn_ahash(
- 	struct crypto_ahash_spawn *spawn)
- {
diff --git a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
deleted file mode 100644
index 655d98c..0000000
--- a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Tue, 9 May 2017 06:29:19 -0700
-Subject: dccp/tcp: do not inherit mc_list from parent
-Origin: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8890
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Pray3r <pray3r.z at gmail.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/inet_connection_sock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -677,6 +677,8 @@ struct sock *inet_csk_clone_lock(const s
- 		inet_sk(newsk)->inet_sport = htons(inet_rsk(req)->ir_num);
- 		newsk->sk_write_space = sk_stream_write_space;
- 
-+		inet_sk(newsk)->mc_list = NULL;
-+
- 		newsk->sk_mark = inet_rsk(req)->ir_mark;
- 
- 		newicsk->icsk_retransmits = 0;
diff --git a/debian/patches/bugfix/all/dentry-name-snapshots.patch b/debian/patches/bugfix/all/dentry-name-snapshots.patch
deleted file mode 100644
index 4350b60..0000000
--- a/debian/patches/bugfix/all/dentry-name-snapshots.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 7 Jul 2017 14:51:19 -0400
-Subject: dentry name snapshots
-Origin: https://git.kernel.org/linus/49d31c2f389acfe83417083e1208422b4091cd9e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7533
-
-take_dentry_name_snapshot() takes a safe snapshot of dentry name;
-if the name is a short one, it gets copied into caller-supplied
-structure, otherwise an extra reference to external name is grabbed
-(those are never modified).  In either case the pointer to stable
-string is stored into the same structure.
-
-dentry must be held by the caller of take_dentry_name_snapshot(),
-but may be freely dropped afterwards - the snapshot will stay
-until destroyed by release_dentry_name_snapshot().
-
-Intended use:
-	struct name_snapshot s;
-
-	take_dentry_name_snapshot(&s, dentry);
-	...
-	access s.name
-	...
-	release_dentry_name_snapshot(&s);
-
-Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name
-to pass down with event.
-
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
-[carnil: backport 4.9: adjust context]
-[bwh: Backported to 3.16:
- - External names are not ref-counted, so copy them
- - Adjust context]
----
---- a/fs/dcache.c
-+++ b/fs/dcache.c
-@@ -244,6 +244,43 @@ static void __d_free(struct rcu_head *he
- 	kmem_cache_free(dentry_cache, dentry); 
- }
- 
-+void take_dentry_name_snapshot(struct name_snapshot *name, struct dentry *dentry)
-+{
-+	spin_lock(&dentry->d_lock);
-+	if (unlikely(dname_external(dentry))) {
-+		u32 len;
-+		char *p;
-+
-+		for (;;) {
-+			len = dentry->d_name.len;
-+			spin_unlock(&dentry->d_lock);
-+
-+			p = kmalloc(len + 1, GFP_KERNEL | __GFP_NOFAIL);
-+
-+			spin_lock(&dentry->d_lock);
-+			if (dentry->d_name.len <= len)
-+				break;
-+			kfree(p);
-+		}
-+		memcpy(p, dentry->d_name.name, dentry->d_name.len + 1);
-+		spin_unlock(&dentry->d_lock);
-+
-+		name->name = p;
-+	} else {
-+		memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
-+		spin_unlock(&dentry->d_lock);
-+		name->name = name->inline_name;
-+	}
-+}
-+EXPORT_SYMBOL(take_dentry_name_snapshot);
-+
-+void release_dentry_name_snapshot(struct name_snapshot *name)
-+{
-+	if (unlikely(name->name != name->inline_name))
-+		kfree(name->name);
-+}
-+EXPORT_SYMBOL(release_dentry_name_snapshot);
-+
- static void dentry_free(struct dentry *dentry)
- {
- 	WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias));
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -620,7 +620,7 @@ struct dentry *debugfs_rename(struct den
- {
- 	int error;
- 	struct dentry *dentry = NULL, *trap;
--	const char *old_name;
-+	struct name_snapshot old_name;
- 
- 	trap = lock_rename(new_dir, old_dir);
- 	/* Source or destination directories don't exist? */
-@@ -635,19 +635,19 @@ struct dentry *debugfs_rename(struct den
- 	if (IS_ERR(dentry) || dentry == trap || dentry->d_inode)
- 		goto exit;
- 
--	old_name = fsnotify_oldname_init(old_dentry->d_name.name);
-+	take_dentry_name_snapshot(&old_name, old_dentry);
- 
- 	error = simple_rename(old_dir->d_inode, old_dentry, new_dir->d_inode,
- 		dentry);
- 	if (error) {
--		fsnotify_oldname_free(old_name);
-+		release_dentry_name_snapshot(&old_name);
- 		goto exit;
- 	}
- 	d_move(old_dentry, dentry);
--	fsnotify_move(old_dir->d_inode, new_dir->d_inode, old_name,
-+	fsnotify_move(old_dir->d_inode, new_dir->d_inode, old_name.name,
- 		S_ISDIR(old_dentry->d_inode->i_mode),
- 		NULL, old_dentry);
--	fsnotify_oldname_free(old_name);
-+	release_dentry_name_snapshot(&old_name);
- 	unlock_rename(new_dir, old_dir);
- 	dput(dentry);
- 	return old_dentry;
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -4082,11 +4082,11 @@ int vfs_rename(struct inode *old_dir, st
- {
- 	int error;
- 	bool is_dir = d_is_dir(old_dentry);
--	const unsigned char *old_name;
- 	struct inode *source = old_dentry->d_inode;
- 	struct inode *target = new_dentry->d_inode;
- 	bool new_is_dir = false;
- 	unsigned max_links = new_dir->i_sb->s_max_links;
-+	struct name_snapshot old_name;
- 
- 	if (source == target)
- 		return 0;
-@@ -4136,7 +4136,7 @@ int vfs_rename(struct inode *old_dir, st
- 	if (error)
- 		return error;
- 
--	old_name = fsnotify_oldname_init(old_dentry->d_name.name);
-+	take_dentry_name_snapshot(&old_name, old_dentry);
- 	dget(new_dentry);
- 	if (!is_dir || (flags & RENAME_EXCHANGE))
- 		lock_two_nondirectories(source, target);
-@@ -4195,14 +4195,14 @@ out:
- 		mutex_unlock(&target->i_mutex);
- 	dput(new_dentry);
- 	if (!error) {
--		fsnotify_move(old_dir, new_dir, old_name, is_dir,
-+		fsnotify_move(old_dir, new_dir, old_name.name, is_dir,
- 			      !(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
- 		if (flags & RENAME_EXCHANGE) {
- 			fsnotify_move(new_dir, old_dir, old_dentry->d_name.name,
- 				      new_is_dir, NULL, new_dentry);
- 		}
- 	}
--	fsnotify_oldname_free(old_name);
-+	release_dentry_name_snapshot(&old_name);
- 
- 	return error;
- }
---- a/fs/notify/fsnotify.c
-+++ b/fs/notify/fsnotify.c
-@@ -105,16 +105,20 @@ int __fsnotify_parent(struct path *path,
- 	if (unlikely(!fsnotify_inode_watches_children(p_inode)))
- 		__fsnotify_update_child_dentry_flags(p_inode);
- 	else if (p_inode->i_fsnotify_mask & mask) {
-+		struct name_snapshot name;
-+
- 		/* we are notifying a parent so come up with the new mask which
- 		 * specifies these are events which came from a child. */
- 		mask |= FS_EVENT_ON_CHILD;
- 
-+		take_dentry_name_snapshot(&name, dentry);
- 		if (path)
- 			ret = fsnotify(p_inode, mask, path, FSNOTIFY_EVENT_PATH,
--				       dentry->d_name.name, 0);
-+				       name.name, 0);
- 		else
- 			ret = fsnotify(p_inode, mask, dentry->d_inode, FSNOTIFY_EVENT_INODE,
--				       dentry->d_name.name, 0);
-+				       name.name, 0);
-+		release_dentry_name_snapshot(&name);
- 	}
- 
- 	dput(parent);
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -530,4 +530,11 @@ static inline struct dentry *d_backing_d
- 	return upper;
- }
- 
-+struct name_snapshot {
-+	const char *name;
-+	char inline_name[DNAME_INLINE_LEN];
-+};
-+void take_dentry_name_snapshot(struct name_snapshot *, struct dentry *);
-+void release_dentry_name_snapshot(struct name_snapshot *);
-+
- #endif	/* __LINUX_DCACHE_H */
---- a/include/linux/fsnotify.h
-+++ b/include/linux/fsnotify.h
-@@ -310,35 +310,4 @@ static inline void fsnotify_change(struc
- 	}
- }
- 
--#if defined(CONFIG_FSNOTIFY)	/* notify helpers */
--
--/*
-- * fsnotify_oldname_init - save off the old filename before we change it
-- */
--static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
--{
--	return kstrdup(name, GFP_KERNEL);
--}
--
--/*
-- * fsnotify_oldname_free - free the name we got from fsnotify_oldname_init
-- */
--static inline void fsnotify_oldname_free(const unsigned char *old_name)
--{
--	kfree(old_name);
--}
--
--#else	/* CONFIG_FSNOTIFY */
--
--static inline const char *fsnotify_oldname_init(const unsigned char *name)
--{
--	return NULL;
--}
--
--static inline void fsnotify_oldname_free(const unsigned char *old_name)
--{
--}
--
--#endif	/*  CONFIG_FSNOTIFY */
--
- #endif	/* _LINUX_FS_NOTIFY_H */
diff --git a/debian/patches/bugfix/all/ext4-fix-fencepost-in-s_first_meta_bg-validation.patch b/debian/patches/bugfix/all/ext4-fix-fencepost-in-s_first_meta_bg-validation.patch
deleted file mode 100644
index dd34e28..0000000
--- a/debian/patches/bugfix/all/ext4-fix-fencepost-in-s_first_meta_bg-validation.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Theodore Ts'o <tytso at mit.edu>
-Date: Wed, 15 Feb 2017 01:26:39 -0500
-Subject: ext4: fix fencepost in s_first_meta_bg validation
-Origin: https://git.kernel.org/linus/2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2
-
-It is OK for s_first_meta_bg to be equal to the number of block group
-descriptor blocks.  (It rarely happens, but it shouldn't cause any
-problems.)
-
-https://bugzilla.kernel.org/show_bug.cgi?id=194567
-
-Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
-Signed-off-by: Theodore Ts'o <tytso at mit.edu>
-Cc: stable at vger.kernel.org
-[bwh: Backported to 3.16: adjust context]
----
- fs/ext4/super.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -3914,7 +3914,7 @@ static int ext4_fill_super(struct super_
- 	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
- 		   EXT4_DESC_PER_BLOCK(sb);
- 	if (EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)) {
--		if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
-+		if (le32_to_cpu(es->s_first_meta_bg) > db_count) {
- 			ext4_msg(sb, KERN_WARNING,
- 				 "first meta block group too large: %u "
- 				 "(group descriptor block count %u)",
diff --git a/debian/patches/bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch b/debian/patches/bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
deleted file mode 100644
index ac379d8..0000000
--- a/debian/patches/bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Fri, 23 Jun 2017 15:08:57 -0700
-Subject: fs/exec.c: account for argv/envp pointers
-Origin: https://git.kernel.org/linus/98da7d08850fb8bdeb395d6368ed15753304aa0c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000365
-
-When limiting the argv/envp strings during exec to 1/4 of the stack limit,
-the storage of the pointers to the strings was not included.  This means
-that an exec with huge numbers of tiny strings could eat 1/4 of the stack
-limit in strings and then additional space would be later used by the
-pointers to the strings.
-
-For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721
-single-byte strings would consume less than 2MB of stack, the max (8MB /
-4) amount allowed, but the pointers to the strings would consume the
-remaining additional stack space (1677721 * 4 == 6710884).
-
-The result (1677721 + 6710884 == 8388605) would exhaust stack space
-entirely.  Controlling this stack exhaustion could result in
-pathological behavior in setuid binaries (CVE-2017-1000365).
-
-[akpm at linux-foundation.org: additional commenting from Kees]
-Fixes: b6a2fea39318 ("mm: variable length argument support")
-Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Acked-by: Rik van Riel <riel at redhat.com>
-Acked-by: Michal Hocko <mhocko at suse.com>
-Cc: Alexander Viro <viro at zeniv.linux.org.uk>
-Cc: Qualys Security Advisory <qsa at qualys.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.16: use ACCESS_ONCE() instead of READ_ONCE()]
----
- fs/exec.c | 28 ++++++++++++++++++++++++----
- 1 file changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 8cb7fc4ab789..b5af6a256cf7 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -205,8 +205,26 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
- 
- 	if (write) {
- 		unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
-+		unsigned long ptr_size;
- 		struct rlimit *rlim;
- 
-+		/*
-+		 * Since the stack will hold pointers to the strings, we
-+		 * must account for them as well.
-+		 *
-+		 * The size calculation is the entire vma while each arg page is
-+		 * built, so each time we get here it's calculating how far it
-+		 * is currently (rather than each call being just the newly
-+		 * added size from the arg page).  As a result, we need to
-+		 * always add the entire size of the pointers, so that on the
-+		 * last call to get_arg_page() we'll actually have the entire
-+		 * correct size.
-+		 */
-+		ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
-+		if (ptr_size > ULONG_MAX - size)
-+			goto fail;
-+		size += ptr_size;
-+
- 		acct_arg_size(bprm, size / PAGE_SIZE);
- 
- 		/*
-@@ -224,13 +242,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
- 		 *    to work from.
- 		 */
- 		rlim = current->signal->rlim;
--		if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
--			put_page(page);
--			return NULL;
--		}
-+		if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
-+			goto fail;
- 	}
- 
- 	return page;
-+
-+fail:
-+	put_page(page);
-+	return NULL;
- }
- 
- static void put_arg_page(struct page *page)
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
deleted file mode 100644
index d1b4d72..0000000
--- a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Sabrina Dubroca <sd at queasysnail.net>
-Date: Wed, 19 Jul 2017 22:28:55 +0200
-Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
-Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
-
-In some cases, offset can overflow and can cause an infinite loop in
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
-
-This problem has been here since before the beginning of git history.
-
-Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
-Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/output_core.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index e9065b8d3af8..abb2c307fbe8 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
- 
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
--	u16 offset = sizeof(struct ipv6hdr);
-+	unsigned int offset = sizeof(struct ipv6hdr);
- 	unsigned int packet_len = skb_tail_pointer(skb) -
- 		skb_network_header(skb);
- 	int found_rhdr = 0;
-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- 
- 	while (offset <= packet_len) {
- 		struct ipv6_opt_hdr *exthdr;
-+		unsigned int len;
- 
- 		switch (**nexthdr) {
- 
-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- 
- 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- 						 offset);
--		offset += ipv6_optlen(exthdr);
-+		len = ipv6_optlen(exthdr);
-+		if (len + offset >= IPV6_MAXPLEN)
-+			return -EINVAL;
-+		offset += len;
- 		*nexthdr = &exthdr->nexthdr;
- 	}
- 
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch b/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
deleted file mode 100644
index 671561e..0000000
--- a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Wed, 17 May 2017 22:54:11 -0400
-Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
-Origin: https://git.kernel.org/linus/7dd7eb9513bd02184d45f000ab69d78cb1fa1531
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075
-
-Do not use unsigned variables to see if it returns a negative
-error or not.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Reported-by: Julia Lawall <julia.lawall at lip6.fr>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
----
- net/ipv6/ip6_offload.c | 9 ++++-----
- net/ipv6/ip6_output.c  | 7 +++----
- net/ipv6/udp_offload.c | 8 +++++---
- 3 files changed, 12 insertions(+), 12 deletions(-)
-
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -86,7 +86,6 @@ static struct sk_buff *ipv6_gso_segment(
- 	const struct net_offload *ops;
- 	int proto;
- 	struct frag_hdr *fptr;
--	unsigned int unfrag_ip6hlen;
- 	u8 *prevhdr;
- 	int offset = 0;
- 	bool encap, udpfrag;
-@@ -144,10 +143,10 @@ static struct sk_buff *ipv6_gso_segment(
- 		skb->network_header = (u8 *)ipv6h - skb->head;
- 
- 		if (udpfrag) {
--			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
--			if (unfrag_ip6hlen < 0)
--				return ERR_PTR(unfrag_ip6hlen);
--			fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
-+			int err = ip6_find_1stfragopt(skb, &prevhdr);
-+			if (err < 0)
-+				return ERR_PTR(err);
-+			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
- 			fptr->frag_off = htons(offset);
- 			if (skb->next != NULL)
- 				fptr->frag_off |= htons(IP6_MF);
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -566,11 +566,10 @@ int ip6_fragment(struct sk_buff *skb, in
- 	u8 *prevhdr, nexthdr = 0;
- 	struct net *net = dev_net(skb_dst(skb)->dev);
- 
--	hlen = ip6_find_1stfragopt(skb, &prevhdr);
--	if (hlen < 0) {
--		err = hlen;
-+	err = ip6_find_1stfragopt(skb, &prevhdr);
-+	if (err < 0)
- 		goto fail;
--	}
-+	hlen = err;
- 	nexthdr = *prevhdr;
- 
- 	mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/udp_offload.c
-+++ b/net/ipv6/udp_offload.c
-@@ -51,6 +51,7 @@ static struct sk_buff *udp6_ufo_fragment
- 	int offset;
- 	__wsum csum;
- 	int tnl_hlen;
-+	int err;
- 
- 	mss = skb_shinfo(skb)->gso_size;
- 	if (unlikely(skb->len <= mss))
-@@ -101,9 +102,10 @@ static struct sk_buff *udp6_ufo_fragment
- 		/* Find the unfragmentable header and shift it left by frag_hdr_sz
- 		 * bytes to insert fragment header.
- 		 */
--		unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
--		if (unfrag_ip6hlen < 0)
--			return ERR_PTR(unfrag_ip6hlen);
-+		err = ip6_find_1stfragopt(skb, &prevhdr);
-+		if (err < 0)
-+			return ERR_PTR(err);
-+		unfrag_ip6hlen = err;
- 		nexthdr = *prevhdr;
- 		*prevhdr = NEXTHDR_FRAGMENT;
- 		unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
diff --git a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
deleted file mode 100644
index 507b447..0000000
--- a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Tue, 9 May 2017 16:59:54 -0700
-Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
-Origin: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9076
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9077
-
-Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
-we should clear ipv6_mc_list etc. for IPv6 sockets too.
-
-Cc: Eric Dumazet <edumazet at google.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
----
- net/dccp/ipv6.c     | 6 ++++++
- net/ipv6/tcp_ipv6.c | 2 ++
- 2 files changed, 8 insertions(+)
-
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -486,6 +486,9 @@ static struct sock *dccp_v6_request_recv
- 		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
- 		newnp->pktoptions  = NULL;
- 		newnp->opt	   = NULL;
-+		newnp->ipv6_mc_list = NULL;
-+		newnp->ipv6_ac_list = NULL;
-+		newnp->ipv6_fl_list = NULL;
- 		newnp->mcast_oif   = inet6_iif(skb);
- 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
- 
-@@ -561,6 +564,9 @@ static struct sock *dccp_v6_request_recv
- 	/* Clone RX bits */
- 	newnp->rxopt.all = np->rxopt.all;
- 
-+	newnp->ipv6_mc_list = NULL;
-+	newnp->ipv6_ac_list = NULL;
-+	newnp->ipv6_fl_list = NULL;
- 	/* Clone pktoptions received with SYN */
- 	newnp->pktoptions = NULL;
- 	if (ireq->pktopts != NULL) {
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1177,6 +1177,7 @@ static struct sock *tcp_v6_syn_recv_sock
- 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
- #endif
- 
-+		newnp->ipv6_mc_list = NULL;
- 		newnp->ipv6_ac_list = NULL;
- 		newnp->ipv6_fl_list = NULL;
- 		newnp->pktoptions  = NULL;
-@@ -1246,6 +1247,7 @@ static struct sock *tcp_v6_syn_recv_sock
- 	   First: no IPv4 options.
- 	 */
- 	newinet->inet_opt = NULL;
-+	newnp->ipv6_mc_list = NULL;
- 	newnp->ipv6_ac_list = NULL;
- 	newnp->ipv6_fl_list = NULL;
- 
diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
deleted file mode 100644
index e3722bd..0000000
--- a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 19 May 2017 14:17:48 -0700
-Subject: ipv6: fix out of bound writes in __ip6_append_data()
-Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
-
-Andrey Konovalov and idaifish at gmail.com reported crashes caused by
-one skb shared_info being overwritten from __ip6_append_data()
-
-Andrey program lead to following state :
-
-copy -4200 datalen 2000 fraglen 2040
-maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
-
-The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
-fraggap, 0); is overwriting skb->head and skb_shared_info
-
-Since we apparently detect this rare condition too late, move the
-code earlier to even avoid allocating skb and risking crashes.
-
-Once again, many thanks to Andrey and syzkaller team.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Reported-by: <idaifish at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_output.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1368,6 +1368,11 @@ alloc_new_skb:
- 			 */
- 			alloclen += sizeof(struct frag_hdr);
- 
-+			copy = datalen - transhdrlen - fraggap;
-+			if (copy < 0) {
-+				err = -EINVAL;
-+				goto error;
-+			}
- 			if (transhdrlen) {
- 				skb = sock_alloc_send_skb(sk,
- 						alloclen + hh_len,
-@@ -1420,13 +1425,9 @@ alloc_new_skb:
- 				data += fraggap;
- 				pskb_trim_unique(skb_prev, maxfraglen);
- 			}
--			copy = datalen - transhdrlen - fraggap;
--
--			if (copy < 0) {
--				err = -EINVAL;
--				kfree_skb(skb);
--				goto error;
--			} else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
-+			if (copy > 0 &&
-+			    getfrag(from, data + transhdrlen, offset,
-+				    copy, fraggap, skb) < 0) {
- 				err = -EFAULT;
- 				kfree_skb(skb);
- 				goto error;
diff --git a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
deleted file mode 100644
index de40a74..0000000
--- a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From: Craig Gallek <kraig at google.com>
-Date: Tue, 16 May 2017 14:36:23 -0400
-Subject: ipv6: Prevent overrun when parsing v6 header options
-Origin: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-The KASAN warning repoted below was discovered with a syzkaller
-program.  The reproducer is basically:
-  int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
-  send(s, &one_byte_of_data, 1, MSG_MORE);
-  send(s, &more_than_mtu_bytes_data, 2000, 0);
-
-The socket() call sets the nexthdr field of the v6 header to
-NEXTHDR_HOP, the first send call primes the payload with a non zero
-byte of data, and the second send call triggers the fragmentation path.
-
-The fragmentation code tries to parse the header options in order
-to figure out where to insert the fragment option.  Since nexthdr points
-to an invalid option, the calculation of the size of the network header
-can made to be much larger than the linear section of the skb and data
-is read outside of it.
-
-This fix makes ip6_find_1stfrag return an error if it detects
-running out-of-bounds.
-
-[   42.361487] ==================================================================
-[   42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
-[   42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
-[   42.366469]
-[   42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
-[   42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
-[   42.368824] Call Trace:
-[   42.369183]  dump_stack+0xb3/0x10b
-[   42.369664]  print_address_description+0x73/0x290
-[   42.370325]  kasan_report+0x252/0x370
-[   42.370839]  ? ip6_fragment+0x11c8/0x3730
-[   42.371396]  check_memory_region+0x13c/0x1a0
-[   42.371978]  memcpy+0x23/0x50
-[   42.372395]  ip6_fragment+0x11c8/0x3730
-[   42.372920]  ? nf_ct_expect_unregister_notifier+0x110/0x110
-[   42.373681]  ? ip6_copy_metadata+0x7f0/0x7f0
-[   42.374263]  ? ip6_forward+0x2e30/0x2e30
-[   42.374803]  ip6_finish_output+0x584/0x990
-[   42.375350]  ip6_output+0x1b7/0x690
-[   42.375836]  ? ip6_finish_output+0x990/0x990
-[   42.376411]  ? ip6_fragment+0x3730/0x3730
-[   42.376968]  ip6_local_out+0x95/0x160
-[   42.377471]  ip6_send_skb+0xa1/0x330
-[   42.377969]  ip6_push_pending_frames+0xb3/0xe0
-[   42.378589]  rawv6_sendmsg+0x2051/0x2db0
-[   42.379129]  ? rawv6_bind+0x8b0/0x8b0
-[   42.379633]  ? _copy_from_user+0x84/0xe0
-[   42.380193]  ? debug_check_no_locks_freed+0x290/0x290
-[   42.380878]  ? ___sys_sendmsg+0x162/0x930
-[   42.381427]  ? rcu_read_lock_sched_held+0xa3/0x120
-[   42.382074]  ? sock_has_perm+0x1f6/0x290
-[   42.382614]  ? ___sys_sendmsg+0x167/0x930
-[   42.383173]  ? lock_downgrade+0x660/0x660
-[   42.383727]  inet_sendmsg+0x123/0x500
-[   42.384226]  ? inet_sendmsg+0x123/0x500
-[   42.384748]  ? inet_recvmsg+0x540/0x540
-[   42.385263]  sock_sendmsg+0xca/0x110
-[   42.385758]  SYSC_sendto+0x217/0x380
-[   42.386249]  ? SYSC_connect+0x310/0x310
-[   42.386783]  ? __might_fault+0x110/0x1d0
-[   42.387324]  ? lock_downgrade+0x660/0x660
-[   42.387880]  ? __fget_light+0xa1/0x1f0
-[   42.388403]  ? __fdget+0x18/0x20
-[   42.388851]  ? sock_common_setsockopt+0x95/0xd0
-[   42.389472]  ? SyS_setsockopt+0x17f/0x260
-[   42.390021]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
-[   42.390650]  SyS_sendto+0x40/0x50
-[   42.391103]  entry_SYSCALL_64_fastpath+0x1f/0xbe
-[   42.391731] RIP: 0033:0x7fbbb711e383
-[   42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-[   42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
-[   42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
-[   42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
-[   42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
-[   42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
-[   42.397257]
-[   42.397411] Allocated by task 3789:
-[   42.397702]  save_stack_trace+0x16/0x20
-[   42.398005]  save_stack+0x46/0xd0
-[   42.398267]  kasan_kmalloc+0xad/0xe0
-[   42.398548]  kasan_slab_alloc+0x12/0x20
-[   42.398848]  __kmalloc_node_track_caller+0xcb/0x380
-[   42.399224]  __kmalloc_reserve.isra.32+0x41/0xe0
-[   42.399654]  __alloc_skb+0xf8/0x580
-[   42.400003]  sock_wmalloc+0xab/0xf0
-[   42.400346]  __ip6_append_data.isra.41+0x2472/0x33d0
-[   42.400813]  ip6_append_data+0x1a8/0x2f0
-[   42.401122]  rawv6_sendmsg+0x11ee/0x2db0
-[   42.401505]  inet_sendmsg+0x123/0x500
-[   42.401860]  sock_sendmsg+0xca/0x110
-[   42.402209]  ___sys_sendmsg+0x7cb/0x930
-[   42.402582]  __sys_sendmsg+0xd9/0x190
-[   42.402941]  SyS_sendmsg+0x2d/0x50
-[   42.403273]  entry_SYSCALL_64_fastpath+0x1f/0xbe
-[   42.403718]
-[   42.403871] Freed by task 1794:
-[   42.404146]  save_stack_trace+0x16/0x20
-[   42.404515]  save_stack+0x46/0xd0
-[   42.404827]  kasan_slab_free+0x72/0xc0
-[   42.405167]  kfree+0xe8/0x2b0
-[   42.405462]  skb_free_head+0x74/0xb0
-[   42.405806]  skb_release_data+0x30e/0x3a0
-[   42.406198]  skb_release_all+0x4a/0x60
-[   42.406563]  consume_skb+0x113/0x2e0
-[   42.406910]  skb_free_datagram+0x1a/0xe0
-[   42.407288]  netlink_recvmsg+0x60d/0xe40
-[   42.407667]  sock_recvmsg+0xd7/0x110
-[   42.408022]  ___sys_recvmsg+0x25c/0x580
-[   42.408395]  __sys_recvmsg+0xd6/0x190
-[   42.408753]  SyS_recvmsg+0x2d/0x50
-[   42.409086]  entry_SYSCALL_64_fastpath+0x1f/0xbe
-[   42.409513]
-[   42.409665] The buggy address belongs to the object at ffff88000969e780
-[   42.409665]  which belongs to the cache kmalloc-512 of size 512
-[   42.410846] The buggy address is located 24 bytes inside of
-[   42.410846]  512-byte region [ffff88000969e780, ffff88000969e980)
-[   42.411941] The buggy address belongs to the page:
-[   42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
-[   42.413298] flags: 0x100000000008100(slab|head)
-[   42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
-[   42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
-[   42.415074] page dumped because: kasan: bad access detected
-[   42.415604]
-[   42.415757] Memory state around the buggy address:
-[   42.416222]  ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[   42.416904]  ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[   42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[   42.418273]                    ^
-[   42.418588]  ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[   42.419273]  ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[   42.419882] ==================================================================
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Craig Gallek <kraig at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_offload.c |  2 ++
- net/ipv6/ip6_output.c  |  4 ++++
- net/ipv6/output_core.c | 14 ++++++++------
- net/ipv6/udp_offload.c |  2 ++
- 4 files changed, 16 insertions(+), 6 deletions(-)
-
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -145,6 +145,8 @@ static struct sk_buff *ipv6_gso_segment(
- 
- 		if (udpfrag) {
- 			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+			if (unfrag_ip6hlen < 0)
-+				return ERR_PTR(unfrag_ip6hlen);
- 			fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
- 			fptr->frag_off = htons(offset);
- 			if (skb->next != NULL)
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -567,6 +567,10 @@ int ip6_fragment(struct sk_buff *skb, in
- 	struct net *net = dev_net(skb_dst(skb)->dev);
- 
- 	hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+	if (hlen < 0) {
-+		err = hlen;
-+		goto fail;
-+	}
- 	nexthdr = *prevhdr;
- 
- 	mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -45,14 +45,13 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_iden
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
- 	u16 offset = sizeof(struct ipv6hdr);
--	struct ipv6_opt_hdr *exthdr =
--				(struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
- 	unsigned int packet_len = skb_tail_pointer(skb) -
- 		skb_network_header(skb);
- 	int found_rhdr = 0;
- 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
- 
--	while (offset + 1 <= packet_len) {
-+	while (offset <= packet_len) {
-+		struct ipv6_opt_hdr *exthdr;
- 
- 		switch (**nexthdr) {
- 
-@@ -73,13 +72,16 @@ int ip6_find_1stfragopt(struct sk_buff *
- 			return offset;
- 		}
- 
--		offset += ipv6_optlen(exthdr);
--		*nexthdr = &exthdr->nexthdr;
-+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
-+			return -EINVAL;
-+
- 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- 						 offset);
-+		offset += ipv6_optlen(exthdr);
-+		*nexthdr = &exthdr->nexthdr;
- 	}
- 
--	return offset;
-+	return -EINVAL;
- }
- EXPORT_SYMBOL(ip6_find_1stfragopt);
- 
---- a/net/ipv6/udp_offload.c
-+++ b/net/ipv6/udp_offload.c
-@@ -102,6 +102,8 @@ static struct sk_buff *udp6_ufo_fragment
- 		 * bytes to insert fragment header.
- 		 */
- 		unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+		if (unfrag_ip6hlen < 0)
-+			return ERR_PTR(unfrag_ip6hlen);
- 		nexthdr = *prevhdr;
- 		*prevhdr = NEXTHDR_FRAGMENT;
- 		unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
diff --git a/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch b/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
deleted file mode 100644
index 3b9969a..0000000
--- a/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Zheng Li <james.z.li at ericsson.com>
-Date: Wed, 28 Dec 2016 23:23:46 +0800
-Subject: ipv6: Should use consistent conditional judgement for ip6 fragment
- between __ip6_append_data and ip6_finish_output
-Origin: https://git.kernel.org/linus/e4c5e13aa45c23692e4acf56f0b3533f328199b2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
-
-There is an inconsistent conditional judgement between __ip6_append_data
-and ip6_finish_output functions, the variable length in __ip6_append_data
-just include the length of application's payload and udp6 header, don't
-include the length of ipv6 header, but in ip6_finish_output use
-(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
-length of ipv6 header.
-
-That causes some particular application's udp6 payloads whose length are
-between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
-though the rst->dev support UFO feature.
-
-Add the length of ipv6 header to length in __ip6_append_data to keep
-consistent conditional judgement as ip6_finish_output for ip6 fragment.
-
-Signed-off-by: Zheng Li <james.z.li at ericsson.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_output.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1291,7 +1291,7 @@ emsgsize:
- 
- 	skb = skb_peek_tail(&sk->sk_write_queue);
- 	cork->length += length;
--	if (((length > mtu) ||
-+	if ((((length + fragheaderlen) > mtu) ||
- 	     (skb && skb_is_gso(skb))) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
diff --git a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
deleted file mode 100644
index 84bae07..0000000
--- a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Tue, 2 May 2017 13:58:53 +0300
-Subject: ipx: call ipxitf_put() in ioctl error path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/ee0d8d8482345ff97a75a7d747efc309f13b0d80
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7487
-
-We should call ipxitf_put() if the copy_to_user() fails.
-
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipx/af_ipx.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
-index 8a9219ff2e77..fa31ef29e3fa 100644
---- a/net/ipx/af_ipx.c
-+++ b/net/ipx/af_ipx.c
-@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
- 		sipx->sipx_network	= ipxif->if_netnum;
- 		memcpy(sipx->sipx_node, ipxif->if_node,
- 			sizeof(sipx->sipx_node));
--		rc = -EFAULT;
-+		rc = 0;
- 		if (copy_to_user(arg, &ifr, sizeof(ifr)))
--			break;
-+			rc = -EFAULT;
- 		ipxitf_put(ipxif);
--		rc = 0;
- 		break;
- 	}
- 	case SIOCAIPXITFCRT:
diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
deleted file mode 100644
index 1e5c4f5..0000000
--- a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Tue, 18 Apr 2017 15:31:07 +0100
-Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
- keyrings
-Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
-
-This fixes CVE-2016-9604.
-
-Keyrings whose name begin with a '.' are special internal keyrings and so
-userspace isn't allowed to create keyrings by this name to prevent
-shadowing.  However, the patch that added the guard didn't fix
-KEYCTL_JOIN_SESSION_KEYRING.  Not only can that create dot-named keyrings,
-it can also subscribe to them as a session keyring if they grant SEARCH
-permission to the user.
-
-This, for example, allows a root process to set .builtin_trusted_keys as
-its session keyring, at which point it has full access because now the
-possessor permissions are added.  This permits root to add extra public
-keys, thereby bypassing module verification.
-
-This also affects kexec and IMA.
-
-This can be tested by (as root):
-
-	keyctl session .builtin_trusted_keys
-	keyctl add user a a @s
-	keyctl list @s
-
-which on my test box gives me:
-
-	2 keys in keyring:
-	180010936: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
-	801382539: --alswrv     0     0 user: a
-
-
-Fix this by rejecting names beginning with a '.' in the keyctl.
-
-Signed-off-by: David Howells <dhowells at redhat.com>
-Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
-cc: linux-ima-devel at lists.sourceforge.net
-cc: stable at vger.kernel.org
----
- security/keys/keyctl.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -275,7 +275,8 @@ error:
-  * Create and join an anonymous session keyring or join a named session
-  * keyring, creating it if necessary.  A named session keyring must have Search
-  * permission for it to be joined.  Session keyrings without this permit will
-- * be skipped over.
-+ * be skipped over.  It is not permitted for userspace to create or join
-+ * keyrings whose name begin with a dot.
-  *
-  * If successful, the ID of the joined session keyring will be returned.
-  */
-@@ -292,12 +293,16 @@ long keyctl_join_session_keyring(const c
- 			ret = PTR_ERR(name);
- 			goto error;
- 		}
-+
-+		ret = -EPERM;
-+		if (name[0] == '.')
-+			goto error_name;
- 	}
- 
- 	/* join the session */
- 	ret = join_session_keyring(name);
-+error_name:
- 	kfree(name);
--
- error:
- 	return ret;
- }
diff --git a/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch b/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
deleted file mode 100644
index 0706a31..0000000
--- a/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Tue, 18 Apr 2017 15:31:09 +0100
-Subject: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
-Origin: https://git.kernel.org/linus/c9f838d104fed6f2f61d68164712e3204bf5271b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7472
-
-This fixes CVE-2017-7472.
-
-Running the following program as an unprivileged user exhausts kernel
-memory by leaking thread keyrings:
-
-	#include <keyutils.h>
-
-	int main()
-	{
-		for (;;)
-			keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
-	}
-
-Fix it by only creating a new thread keyring if there wasn't one before.
-To make things more consistent, make install_thread_keyring_to_cred()
-and install_process_keyring_to_cred() both return 0 if the corresponding
-keyring is already present.
-
-Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
-Cc: stable at vger.kernel.org # 2.6.29+
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/keyctl.c       | 11 ++++-------
- security/keys/process_keys.c | 44 +++++++++++++++++++++++++++-----------------
- 2 files changed, 31 insertions(+), 24 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1249,8 +1249,8 @@ error:
-  * Read or set the default keyring in which request_key() will cache keys and
-  * return the old setting.
-  *
-- * If a process keyring is specified then this will be created if it doesn't
-- * yet exist.  The old setting will be returned if successful.
-+ * If a thread or process keyring is specified then it will be created if it
-+ * doesn't yet exist.  The old setting will be returned if successful.
-  */
- long keyctl_set_reqkey_keyring(int reqkey_defl)
- {
-@@ -1275,11 +1275,8 @@ long keyctl_set_reqkey_keyring(int reqke
- 
- 	case KEY_REQKEY_DEFL_PROCESS_KEYRING:
- 		ret = install_process_keyring_to_cred(new);
--		if (ret < 0) {
--			if (ret != -EEXIST)
--				goto error;
--			ret = 0;
--		}
-+		if (ret < 0)
-+			goto error;
- 		goto set;
- 
- 	case KEY_REQKEY_DEFL_DEFAULT:
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -125,13 +125,18 @@ error:
- }
- 
- /*
-- * Install a fresh thread keyring directly to new credentials.  This keyring is
-- * allowed to overrun the quota.
-+ * Install a thread keyring to the given credentials struct if it didn't have
-+ * one already.  This is allowed to overrun the quota.
-+ *
-+ * Return: 0 if a thread keyring is now present; -errno on failure.
-  */
- int install_thread_keyring_to_cred(struct cred *new)
- {
- 	struct key *keyring;
- 
-+	if (new->thread_keyring)
-+		return 0;
-+
- 	keyring = keyring_alloc("_tid", new->uid, new->gid, new,
- 				KEY_POS_ALL | KEY_USR_VIEW,
- 				KEY_ALLOC_QUOTA_OVERRUN, NULL);
-@@ -143,7 +148,9 @@ int install_thread_keyring_to_cred(struc
- }
- 
- /*
-- * Install a fresh thread keyring, discarding the old one.
-+ * Install a thread keyring to the current task if it didn't have one already.
-+ *
-+ * Return: 0 if a thread keyring is now present; -errno on failure.
-  */
- static int install_thread_keyring(void)
- {
-@@ -154,8 +161,6 @@ static int install_thread_keyring(void)
- 	if (!new)
- 		return -ENOMEM;
- 
--	BUG_ON(new->thread_keyring);
--
- 	ret = install_thread_keyring_to_cred(new);
- 	if (ret < 0) {
- 		abort_creds(new);
-@@ -166,17 +171,17 @@ static int install_thread_keyring(void)
- }
- 
- /*
-- * Install a process keyring directly to a credentials struct.
-+ * Install a process keyring to the given credentials struct if it didn't have
-+ * one already.  This is allowed to overrun the quota.
-  *
-- * Returns -EEXIST if there was already a process keyring, 0 if one installed,
-- * and other value on any other error
-+ * Return: 0 if a process keyring is now present; -errno on failure.
-  */
- int install_process_keyring_to_cred(struct cred *new)
- {
- 	struct key *keyring;
- 
- 	if (new->process_keyring)
--		return -EEXIST;
-+		return 0;
- 
- 	keyring = keyring_alloc("_pid", new->uid, new->gid, new,
- 				KEY_POS_ALL | KEY_USR_VIEW,
-@@ -189,11 +194,9 @@ int install_process_keyring_to_cred(stru
- }
- 
- /*
-- * Make sure a process keyring is installed for the current process.  The
-- * existing process keyring is not replaced.
-+ * Install a process keyring to the current task if it didn't have one already.
-  *
-- * Returns 0 if there is a process keyring by the end of this function, some
-- * error otherwise.
-+ * Return: 0 if a process keyring is now present; -errno on failure.
-  */
- static int install_process_keyring(void)
- {
-@@ -207,14 +210,18 @@ static int install_process_keyring(void)
- 	ret = install_process_keyring_to_cred(new);
- 	if (ret < 0) {
- 		abort_creds(new);
--		return ret != -EEXIST ? ret : 0;
-+		return ret;
- 	}
- 
- 	return commit_creds(new);
- }
- 
- /*
-- * Install a session keyring directly to a credentials struct.
-+ * Install the given keyring as the session keyring of the given credentials
-+ * struct, replacing the existing one if any.  If the given keyring is NULL,
-+ * then install a new anonymous session keyring.
-+ *
-+ * Return: 0 on success; -errno on failure.
-  */
- int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
- {
-@@ -249,8 +256,11 @@ int install_session_keyring_to_cred(stru
- }
- 
- /*
-- * Install a session keyring, discarding the old one.  If a keyring is not
-- * supplied, an empty one is invented.
-+ * Install the given keyring as the session keyring of the current task,
-+ * replacing the existing one if any.  If the given keyring is NULL, then
-+ * install a new anonymous session keyring.
-+ *
-+ * Return: 0 on success; -errno on failure.
-  */
- static int install_session_keyring(struct key *keyring)
- {
diff --git a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
deleted file mode 100644
index 68fb771..0000000
--- a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Tue, 16 Sep 2014 17:29:03 +0100
-Subject: KEYS: Reinstate EPERM for a key type name beginning with a '.'
-Origin: https://git.kernel.org/linus/54e2c2c1a9d6cbb270b0999a38545fa9a69bee43
-
-Reinstate the generation of EPERM for a key type name beginning with a '.' in
-a userspace call.  Types whose name begins with a '.' are internal only.
-
-The test was removed by:
-
-	commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-	Author: Mimi Zohar <zohar at linux.vnet.ibm.com>
-	Date:   Thu May 22 14:02:23 2014 -0400
-	Subject: KEYS: special dot prefixed keyring name bug fix
-
-I think we want to keep the restriction on type name so that userspace can't
-add keys of a special internal type.
-
-Note that removal of the test causes several of the tests in the keyutils
-testsuite to fail.
-
-Signed-off-by: David Howells <dhowells at redhat.com>
-Acked-by: Vivek Goyal <vgoyal at redhat.com>
-cc: Mimi Zohar <zohar at linux.vnet.ibm.com>
----
- security/keys/keyctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index e26f860e5f2e..eff88a5f5d40 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -37,6 +37,8 @@ static int key_get_type_from_user(char *type,
- 		return ret;
- 	if (ret == 0 || ret >= len)
- 		return -EINVAL;
-+	if (type[0] == '.')
-+		return -EPERM;
- 	type[len - 1] = '\0';
- 	return 0;
- }
diff --git a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
deleted file mode 100644
index 6229475..0000000
--- a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Mimi Zohar <zohar at linux.vnet.ibm.com>
-Date: Thu, 22 May 2014 14:02:23 -0400
-Subject: KEYS: special dot prefixed keyring name bug fix
-Origin: https://git.kernel.org/linus/a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-
-Dot prefixed keyring names are supposed to be reserved for the
-kernel, but add_key() calls key_get_type_from_user(), which
-incorrectly verifies the 'type' field, not the 'description' field.
-This patch verifies the 'description' field isn't dot prefixed,
-when creating a new keyring, and removes the dot prefix test in
-key_get_type_from_user().
-
-Changelog v6:
-- whitespace and other cleanup
-
-Changelog v5:
-- Only prevent userspace from creating a dot prefixed keyring, not
-  regular keys  - Dmitry
-
-Reported-by: Dmitry Kasatkin <d.kasatkin at samsung.com>
-Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
-Acked-by: David Howells <dhowells at redhat.com>
----
- security/keys/keyctl.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index cd5bd0cef25d..8a8c23357291 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -37,8 +37,6 @@ static int key_get_type_from_user(char *type,
- 		return ret;
- 	if (ret == 0 || ret >= len)
- 		return -EINVAL;
--	if (type[0] == '.')
--		return -EPERM;
- 	type[len - 1] = '\0';
- 	return 0;
- }
-@@ -86,6 +84,10 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
- 		if (!*description) {
- 			kfree(description);
- 			description = NULL;
-+		} else if ((description[0] == '.') &&
-+			   (strncmp(type, "keyring", 7) == 0)) {
-+			ret = -EPERM;
-+			goto error2;
- 		}
- 	}
- 
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-avoid-use-after-free.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-avoid-use-after-free.patch
deleted file mode 100644
index 2343e8a..0000000
--- a/debian/patches/bugfix/all/media-dvb-usb-v2-avoid-use-after-free.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Arnd Bergmann <arnd at arndb.de>
-Date: Thu, 2 Feb 2017 12:36:01 -0200
-Subject: [media] dvb-usb-v2: avoid use-after-free
-Origin: https://git.kernel.org/linus/005145378c9ad7575a01b6ce1ba118fb427f583a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8064
-
-I ran into a stack frame size warning because of the on-stack copy of
-the USB device structure:
-
-drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
-drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
-
-Copying a device structure like this is wrong for a number of other reasons
-too aside from the possible stack overflow. One of them is that the
-dev_info() call will print the name of the device later, but AFAICT
-we have only copied a pointer to the name earlier and the actual name
-has been freed by the time it gets printed.
-
-This removes the on-stack copy of the device and instead copies the
-device name using kstrdup(). I'm ignoring the possible failure here
-as both printk() and kfree() are able to deal with NULL pointers.
-
-Signed-off-by: Arnd Bergmann <arnd at arndb.de>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
-[bwh: Backported to 3.16: adjust context]
----
- drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
-+++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
-@@ -942,8 +942,9 @@ EXPORT_SYMBOL(dvb_usbv2_probe);
- void dvb_usbv2_disconnect(struct usb_interface *intf)
- {
- 	struct dvb_usb_device *d = usb_get_intfdata(intf);
--	const char *name = d->name;
--	struct device dev = d->udev->dev;
-+	const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL);
-+	const char *drvname = d->name;
-+
- 	dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__,
- 			intf->cur_altsetting->desc.bInterfaceNumber);
- 
-@@ -952,8 +953,9 @@ void dvb_usbv2_disconnect(struct usb_int
- 
- 	dvb_usbv2_exit(d);
- 
--	dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n",
--			KBUILD_MODNAME, name);
-+	pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n",
-+		KBUILD_MODNAME, drvname, devname);
-+	kfree(devname);
- }
- EXPORT_SYMBOL(dvb_usbv2_disconnect);
- 
diff --git a/debian/patches/bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch b/debian/patches/bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
deleted file mode 100644
index 3765867..0000000
--- a/debian/patches/bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Hugh Dickins <hughd at google.com>
-Date: Tue, 20 Jun 2017 02:10:44 -0700
-Subject: mm: fix new crash in unmapped_area_topdown()
-Origin: https://git.kernel.org/linus/f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
-
-Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
-mmap testing.  That's the VM_BUG_ON(gap_end < gap_start) at the
-end of unmapped_area_topdown().  Linus points out how MAP_FIXED
-(which does not have to respect our stack guard gap intentions)
-could result in gap_end below gap_start there.  Fix that, and
-the similar case in its alternative, unmapped_area().
-
-Cc: stable at vger.kernel.org
-Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
-Reported-by: Dave Jones <davej at codemonkey.org.uk>
-Debugged-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Acked-by: Michal Hocko <mhocko at suse.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- mm/mmap.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -1750,7 +1750,8 @@ check_current:
- 		/* Check if current node has a suitable gap */
- 		if (gap_start > high_limit)
- 			return -ENOMEM;
--		if (gap_end >= low_limit && gap_end - gap_start >= length)
-+		if (gap_end >= low_limit &&
-+		    gap_end > gap_start && gap_end - gap_start >= length)
- 			goto found;
- 
- 		/* Visit right subtree if it looks promising */
-@@ -1853,7 +1854,8 @@ check_current:
- 		gap_end = vm_start_gap(vma);
- 		if (gap_end < low_limit)
- 			return -ENOMEM;
--		if (gap_start <= high_limit && gap_end - gap_start >= length)
-+		if (gap_start <= high_limit &&
-+		    gap_end > gap_start && gap_end - gap_start >= length)
- 			goto found;
- 
- 		/* Visit left subtree if it looks promising */
diff --git a/debian/patches/bugfix/all/mm-huge_memory.c-fix-up-mm-huge_memory.c-respect-fol.patch b/debian/patches/bugfix/all/mm-huge_memory.c-fix-up-mm-huge_memory.c-respect-fol.patch
deleted file mode 100644
index 23759ed..0000000
--- a/debian/patches/bugfix/all/mm-huge_memory.c-fix-up-mm-huge_memory.c-respect-fol.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: Michal Hocko <mhocko at suse.com>
-Date: Tue, 28 Mar 2017 15:17:26 +0200
-Subject: mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=2ea6895123eb8604c1c0c153e2fcd1305fb96aca
-Bug-Debian: https://bugs.debian.org/861313
-
-This is a stable follow up fix for an incorrect backport. The issue is
-not present in the upstream kernel.
-
-Miroslav has noticed the following splat when testing my 3.2 forward
-port of 8310d48b125d ("mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for
-thp") to 3.12:
-
-BUG: Bad page state in process a.out  pfn:26400
-page:ffffea000085e000 count:0 mapcount:1 mapping:          (null) index:0x7f049d600
-page flags: 0x1fffff80108018(uptodate|dirty|head|swapbacked)
-page dumped because: nonzero mapcount
-[iii]
-CPU: 2 PID: 5926 Comm: a.out Tainted: G            E    3.12.61-0-default #1
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
- 0000000000000000 ffffffff81515830 ffffea000085e000 ffffffff81800ad7
- ffffffff815118a5 ffffea000085e000 0000000000000000 000fffff80000000
- ffffffff81140f18 fff000007c000000 ffffea000085e000 0000000000000009
-Call Trace:
- [<ffffffff8100475d>] dump_trace+0x7d/0x2d0
- [<ffffffff81004a44>] show_stack_log_lvl+0x94/0x170
- [<ffffffff81005ce1>] show_stack+0x21/0x50
- [<ffffffff81515830>] dump_stack+0x5d/0x78
- [<ffffffff815118a5>] bad_page.part.67+0xe8/0x102
- [<ffffffff81140f18>] free_pages_prepare+0x198/0x1b0
- [<ffffffff81141275>] __free_pages_ok+0x15/0xd0
- [<ffffffff8116444c>] __access_remote_vm+0x7c/0x1e0
- [<ffffffff81205afb>] mem_rw.isra.13+0x14b/0x1a0
- [<ffffffff811a3b18>] vfs_write+0xb8/0x1e0
- [<ffffffff811a469b>] SyS_pwrite64+0x6b/0xa0
- [<ffffffff81523b49>] system_call_fastpath+0x16/0x1b
- [<00007f049da18573>] 0x7f049da18572
-
-The problem is that the original 3.2 backport didn't return NULL page on
-the FOLL_COW page and so the page got reused.
-
-Reported-and-tested-by: Miroslav Beneš <mbenes at suse.com>
-Signed-off-by: Michal Hocko <mhocko at suse.com>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- mm/huge_memory.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/mm/huge_memory.c
-+++ b/mm/huge_memory.c
-@@ -1226,7 +1226,7 @@ struct page *follow_trans_huge_pmd(struc
- 	VM_BUG_ON_PAGE(!PageHead(page), page);
- 
- 	if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, page, flags))
--		goto out;
-+		return NULL;
- 
- 	if (flags & FOLL_TOUCH) {
- 		pmd_t _pmd;
diff --git a/debian/patches/bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch b/debian/patches/bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
deleted file mode 100644
index 7d4fd1b..0000000
--- a/debian/patches/bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
+++ /dev/null
@@ -1,807 +0,0 @@
-From: Hugh Dickins <hughd at google.com>
-Date: Mon, 19 Jun 2017 04:03:24 -0700
-Subject: mm: larger stack guard gap, between vmas
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
-
-commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
-
-Stack guard page is a useful feature to reduce a risk of stack smashing
-into a different mapping. We have been using a single page gap which
-is sufficient to prevent having stack adjacent to a different mapping.
-But this seems to be insufficient in the light of the stack usage in
-userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
-used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
-which is 256kB or stack strings with MAX_ARG_STRLEN.
-
-This will become especially dangerous for suid binaries and the default
-no limit for the stack size limit because those applications can be
-tricked to consume a large portion of the stack and a single glibc call
-could jump over the guard page. These attacks are not theoretical,
-unfortunatelly.
-
-Make those attacks less probable by increasing the stack guard gap
-to 1MB (on systems with 4k pages; but make it depend on the page size
-because systems with larger base pages might cap stack allocations in
-the PAGE_SIZE units) which should cover larger alloca() and VLA stack
-allocations. It is obviously not a full fix because the problem is
-somehow inherent, but it should reduce attack space a lot.
-
-One could argue that the gap size should be configurable from userspace,
-but that can be done later when somebody finds that the new 1MB is wrong
-for some special case applications.  For now, add a kernel command line
-option (stack_guard_gap) to specify the stack gap size (in page units).
-
-Implementation wise, first delete all the old code for stack guard page:
-because although we could get away with accounting one extra page in a
-stack vma, accounting a larger gap can break userspace - case in point,
-a program run with "ulimit -S -v 20000" failed when the 1MB gap was
-counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
-and strict non-overcommit mode.
-
-Instead of keeping gap inside the stack vma, maintain the stack guard
-gap as a gap between vmas: using vm_start_gap() in place of vm_start
-(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
-places which need to respect the gap - mainly arch_get_unmapped_area(),
-and and the vma tree's subtree_gap support for that.
-
-Original-patch-by: Oleg Nesterov <oleg at redhat.com>
-Original-patch-by: Michal Hocko <mhocko at suse.com>
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Acked-by: Michal Hocko <mhocko at suse.com>
-Tested-by: Helge Deller <deller at gmx.de> # parisc
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
-Here's what I thought the 3.16.45 version of the stack guard gap
-patch would look like.  This one is easy and uncontroversial (if
-Willy and I get to agreeing about FOLL_MLOCK).  Whereas 3.2...
-
-Hugh
-
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -3150,6 +3150,13 @@ bytes respectively. Such letter suffixes
- 	spia_pedr=
- 	spia_peddr=
- 
-+	stack_guard_gap=	[MM]
-+			override the default stack gap protection. The value
-+			is in page units and it defines how many pages prior
-+			to (for stacks growing down) resp. after (for stacks
-+			growing up) the main stack are reserved for no other
-+			mapping. Default value is 256 pages.
-+
- 	stacktrace	[FTRACE]
- 			Enabled the stack tracer on boot up.
- 
---- a/arch/arc/mm/mmap.c
-+++ b/arch/arc/mm/mmap.c
-@@ -64,7 +64,7 @@ arch_get_unmapped_area(struct file *filp
- 
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/arch/arm/mm/mmap.c
-+++ b/arch/arm/mm/mmap.c
-@@ -89,7 +89,7 @@ arch_get_unmapped_area(struct file *filp
- 
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
-@@ -140,7 +140,7 @@ arch_get_unmapped_area_topdown(struct fi
- 			addr = PAGE_ALIGN(addr);
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--				(!vma || addr + len <= vma->vm_start))
-+				(!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/arch/frv/mm/elf-fdpic.c
-+++ b/arch/frv/mm/elf-fdpic.c
-@@ -74,7 +74,7 @@ unsigned long arch_get_unmapped_area(str
- 		addr = PAGE_ALIGN(addr);
- 		vma = find_vma(current->mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			goto success;
- 	}
- 
---- a/arch/mips/mm/mmap.c
-+++ b/arch/mips/mm/mmap.c
-@@ -92,7 +92,7 @@ static unsigned long arch_get_unmapped_a
- 
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/arch/parisc/kernel/sys_parisc.c
-+++ b/arch/parisc/kernel/sys_parisc.c
-@@ -88,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
- 		unsigned long len, unsigned long pgoff, unsigned long flags)
- {
- 	struct mm_struct *mm = current->mm;
--	struct vm_area_struct *vma;
-+	struct vm_area_struct *vma, *prev;
- 	unsigned long task_size = TASK_SIZE;
- 	int do_color_align, last_mmap;
- 	struct vm_unmapped_area_info info;
-@@ -115,9 +115,10 @@ unsigned long arch_get_unmapped_area(str
- 		else
- 			addr = PAGE_ALIGN(addr);
- 
--		vma = find_vma(mm, addr);
-+		vma = find_vma_prev(mm, addr, &prev);
- 		if (task_size - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)) &&
-+		    (!prev || addr >= vm_end_gap(prev)))
- 			goto found_addr;
- 	}
- 
-@@ -141,7 +142,7 @@ arch_get_unmapped_area_topdown(struct fi
- 			  const unsigned long len, const unsigned long pgoff,
- 			  const unsigned long flags)
- {
--	struct vm_area_struct *vma;
-+	struct vm_area_struct *vma, *prev;
- 	struct mm_struct *mm = current->mm;
- 	unsigned long addr = addr0;
- 	int do_color_align, last_mmap;
-@@ -175,9 +176,11 @@ arch_get_unmapped_area_topdown(struct fi
- 			addr = COLOR_ALIGN(addr, last_mmap, pgoff);
- 		else
- 			addr = PAGE_ALIGN(addr);
--		vma = find_vma(mm, addr);
-+
-+		vma = find_vma_prev(mm, addr, &prev);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)) &&
-+		    (!prev || addr >= vm_end_gap(prev)))
- 			goto found_addr;
- 	}
- 
---- a/arch/powerpc/mm/slice.c
-+++ b/arch/powerpc/mm/slice.c
-@@ -103,7 +103,7 @@ static int slice_area_is_free(struct mm_
- 	if ((mm->task_size - len) < addr)
- 		return 0;
- 	vma = find_vma(mm, addr);
--	return (!vma || (addr + len) <= vma->vm_start);
-+	return (!vma || (addr + len) <= vm_start_gap(vma));
- }
- 
- static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
---- a/arch/sh/mm/mmap.c
-+++ b/arch/sh/mm/mmap.c
-@@ -63,7 +63,7 @@ unsigned long arch_get_unmapped_area(str
- 
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
-@@ -113,7 +113,7 @@ arch_get_unmapped_area_topdown(struct fi
- 
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/arch/sparc/kernel/sys_sparc_64.c
-+++ b/arch/sparc/kernel/sys_sparc_64.c
-@@ -118,7 +118,7 @@ unsigned long arch_get_unmapped_area(str
- 
- 		vma = find_vma(mm, addr);
- 		if (task_size - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
-@@ -181,7 +181,7 @@ arch_get_unmapped_area_topdown(struct fi
- 
- 		vma = find_vma(mm, addr);
- 		if (task_size - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/arch/sparc/mm/hugetlbpage.c
-+++ b/arch/sparc/mm/hugetlbpage.c
-@@ -115,7 +115,7 @@ hugetlb_get_unmapped_area(struct file *f
- 		addr = ALIGN(addr, HPAGE_SIZE);
- 		vma = find_vma(mm, addr);
- 		if (task_size - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 	if (mm->get_unmapped_area == arch_get_unmapped_area)
---- a/arch/tile/mm/hugetlbpage.c
-+++ b/arch/tile/mm/hugetlbpage.c
-@@ -265,7 +265,7 @@ unsigned long hugetlb_get_unmapped_area(
- 		addr = ALIGN(addr, huge_page_size(h));
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 	if (current->mm->get_unmapped_area == arch_get_unmapped_area)
---- a/arch/x86/kernel/sys_x86_64.c
-+++ b/arch/x86/kernel/sys_x86_64.c
-@@ -127,7 +127,7 @@ arch_get_unmapped_area(struct file *filp
- 		addr = PAGE_ALIGN(addr);
- 		vma = find_vma(mm, addr);
- 		if (end - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
-@@ -166,7 +166,7 @@ arch_get_unmapped_area_topdown(struct fi
- 		addr = PAGE_ALIGN(addr);
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--				(!vma || addr + len <= vma->vm_start))
-+				(!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/arch/x86/mm/hugetlbpage.c
-+++ b/arch/x86/mm/hugetlbpage.c
-@@ -156,7 +156,7 @@ hugetlb_get_unmapped_area(struct file *f
- 		addr = ALIGN(addr, huge_page_size(h));
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 	if (mm->get_unmapped_area == arch_get_unmapped_area)
---- a/arch/xtensa/kernel/syscall.c
-+++ b/arch/xtensa/kernel/syscall.c
-@@ -86,7 +86,7 @@ unsigned long arch_get_unmapped_area(str
- 		/* At this point:  (!vmm || addr < vmm->vm_end). */
- 		if (TASK_SIZE - len < addr)
- 			return -ENOMEM;
--		if (!vmm || addr + len <= vmm->vm_start)
-+		if (!vmm || addr + len <= vm_start_gap(vmm))
- 			return addr;
- 		addr = vmm->vm_end;
- 		if (flags & MAP_SHARED)
---- a/fs/hugetlbfs/inode.c
-+++ b/fs/hugetlbfs/inode.c
-@@ -171,7 +171,7 @@ hugetlb_get_unmapped_area(struct file *f
- 		addr = ALIGN(addr, huge_page_size(h));
- 		vma = find_vma(mm, addr);
- 		if (TASK_SIZE - len >= addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)))
- 			return addr;
- 	}
- 
---- a/fs/proc/task_mmu.c
-+++ b/fs/proc/task_mmu.c
-@@ -276,11 +276,7 @@ show_map_vma(struct seq_file *m, struct
- 
- 	/* We don't show the stack guard page in /proc/maps */
- 	start = vma->vm_start;
--	if (stack_guard_page_start(vma, start))
--		start += PAGE_SIZE;
- 	end = vma->vm_end;
--	if (stack_guard_page_end(vma, end))
--		end -= PAGE_SIZE;
- 
- 	seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
- 	seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -1263,34 +1263,6 @@ int set_page_dirty_lock(struct page *pag
- int clear_page_dirty_for_io(struct page *page);
- int get_cmdline(struct task_struct *task, char *buffer, int buflen);
- 
--/* Is the vma a continuation of the stack vma above it? */
--static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
--{
--	return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
--}
--
--static inline int stack_guard_page_start(struct vm_area_struct *vma,
--					     unsigned long addr)
--{
--	return (vma->vm_flags & VM_GROWSDOWN) &&
--		(vma->vm_start == addr) &&
--		!vma_growsdown(vma->vm_prev, addr);
--}
--
--/* Is the vma a continuation of the stack vma below it? */
--static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
--{
--	return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
--}
--
--static inline int stack_guard_page_end(struct vm_area_struct *vma,
--					   unsigned long addr)
--{
--	return (vma->vm_flags & VM_GROWSUP) &&
--		(vma->vm_end == addr) &&
--		!vma_growsup(vma->vm_next, addr);
--}
--
- extern pid_t
- vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group);
- 
-@@ -1936,6 +1908,7 @@ void page_cache_async_readahead(struct a
- 
- unsigned long max_sane_readahead(unsigned long nr);
- 
-+extern unsigned long stack_guard_gap;
- /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */
- extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
- 
-@@ -1964,6 +1937,30 @@ static inline struct vm_area_struct * fi
- 	return vma;
- }
- 
-+static inline unsigned long vm_start_gap(struct vm_area_struct *vma)
-+{
-+	unsigned long vm_start = vma->vm_start;
-+
-+	if (vma->vm_flags & VM_GROWSDOWN) {
-+		vm_start -= stack_guard_gap;
-+		if (vm_start > vma->vm_start)
-+			vm_start = 0;
-+	}
-+	return vm_start;
-+}
-+
-+static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
-+{
-+	unsigned long vm_end = vma->vm_end;
-+
-+	if (vma->vm_flags & VM_GROWSUP) {
-+		vm_end += stack_guard_gap;
-+		if (vm_end < vma->vm_end)
-+			vm_end = -PAGE_SIZE;
-+	}
-+	return vm_end;
-+}
-+
- static inline unsigned long vma_pages(struct vm_area_struct *vma)
- {
- 	return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
---- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -266,11 +266,6 @@ static int faultin_page(struct task_stru
- 	unsigned int fault_flags = 0;
- 	int ret;
- 
--	/* For mlock, just skip the stack guard page. */
--	if ((*flags & FOLL_MLOCK) &&
--			(stack_guard_page_start(vma, address) ||
--			 stack_guard_page_end(vma, address + PAGE_SIZE)))
--		return -ENOENT;
- 	if (*flags & FOLL_WRITE)
- 		fault_flags |= FAULT_FLAG_WRITE;
- 	if (nonblocking)
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -2589,40 +2589,6 @@ out_release:
- }
- 
- /*
-- * This is like a special single-page "expand_{down|up}wards()",
-- * except we must first make sure that 'address{-|+}PAGE_SIZE'
-- * doesn't hit another vma.
-- */
--static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
--{
--	address &= PAGE_MASK;
--	if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
--		struct vm_area_struct *prev = vma->vm_prev;
--
--		/*
--		 * Is there a mapping abutting this one below?
--		 *
--		 * That's only ok if it's the same stack mapping
--		 * that has gotten split..
--		 */
--		if (prev && prev->vm_end == address)
--			return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
--
--		return expand_downwards(vma, address - PAGE_SIZE);
--	}
--	if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
--		struct vm_area_struct *next = vma->vm_next;
--
--		/* As VM_GROWSDOWN but s/below/above/ */
--		if (next && next->vm_start == address + PAGE_SIZE)
--			return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
--
--		return expand_upwards(vma, address + PAGE_SIZE);
--	}
--	return 0;
--}
--
--/*
-  * We enter with non-exclusive mmap_sem (to exclude vma changes,
-  * but allow concurrent faults), and pte mapped but not yet locked.
-  * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -2641,10 +2607,6 @@ static int do_anonymous_page(struct mm_s
- 	if (vma->vm_flags & VM_SHARED)
- 		return VM_FAULT_SIGBUS;
- 
--	/* Check if we need to add a guard page to the stack */
--	if (check_stack_guard_page(vma, address) < 0)
--		return VM_FAULT_SIGSEGV;
--
- 	/* Use the zero-page for reads */
- 	if (!(flags & FAULT_FLAG_WRITE)) {
- 		entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -266,6 +266,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
- 	unsigned long rlim, retval;
- 	unsigned long newbrk, oldbrk;
- 	struct mm_struct *mm = current->mm;
-+	struct vm_area_struct *next;
- 	unsigned long min_brk;
- 	bool populate;
- 
-@@ -311,7 +312,8 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
- 	}
- 
- 	/* Check against existing mmap mappings. */
--	if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE))
-+	next = find_vma(mm, oldbrk);
-+	if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
- 		goto out;
- 
- 	/* Ok, looks good - let it rip. */
-@@ -334,10 +336,22 @@ out:
- 
- static long vma_compute_subtree_gap(struct vm_area_struct *vma)
- {
--	unsigned long max, subtree_gap;
--	max = vma->vm_start;
--	if (vma->vm_prev)
--		max -= vma->vm_prev->vm_end;
-+	unsigned long max, prev_end, subtree_gap;
-+
-+	/*
-+	 * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we
-+	 * allow two stack_guard_gaps between them here, and when choosing
-+	 * an unmapped area; whereas when expanding we only require one.
-+	 * That's a little inconsistent, but keeps the code here simpler.
-+	 */
-+	max = vm_start_gap(vma);
-+	if (vma->vm_prev) {
-+		prev_end = vm_end_gap(vma->vm_prev);
-+		if (max > prev_end)
-+			max -= prev_end;
-+		else
-+			max = 0;
-+	}
- 	if (vma->vm_rb.rb_left) {
- 		subtree_gap = rb_entry(vma->vm_rb.rb_left,
- 				struct vm_area_struct, vm_rb)->rb_subtree_gap;
-@@ -426,7 +440,7 @@ static void validate_mm(struct mm_struct
- 			anon_vma_unlock_read(anon_vma);
- 		}
- 
--		highest_address = vma->vm_end;
-+		highest_address = vm_end_gap(vma);
- 		vma = vma->vm_next;
- 		i++;
- 	}
-@@ -594,7 +608,7 @@ void __vma_link_rb(struct mm_struct *mm,
- 	if (vma->vm_next)
- 		vma_gap_update(vma->vm_next);
- 	else
--		mm->highest_vm_end = vma->vm_end;
-+		mm->highest_vm_end = vm_end_gap(vma);
- 
- 	/*
- 	 * vma->vm_prev wasn't known when we followed the rbtree to find the
-@@ -846,7 +860,7 @@ again:			remove_next = 1 + (end > next->
- 			vma_gap_update(vma);
- 		if (end_changed) {
- 			if (!next)
--				mm->highest_vm_end = end;
-+				mm->highest_vm_end = vm_end_gap(vma);
- 			else if (!adjust_next)
- 				vma_gap_update(next);
- 		}
-@@ -889,7 +903,7 @@ again:			remove_next = 1 + (end > next->
- 		else if (next)
- 			vma_gap_update(next);
- 		else
--			mm->highest_vm_end = end;
-+			VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma));
- 	}
- 	if (insert && file)
- 		uprobe_mmap(insert);
-@@ -1720,7 +1734,7 @@ unsigned long unmapped_area(struct vm_un
- 
- 	while (true) {
- 		/* Visit left subtree if it looks promising */
--		gap_end = vma->vm_start;
-+		gap_end = vm_start_gap(vma);
- 		if (gap_end >= low_limit && vma->vm_rb.rb_left) {
- 			struct vm_area_struct *left =
- 				rb_entry(vma->vm_rb.rb_left,
-@@ -1731,7 +1745,7 @@ unsigned long unmapped_area(struct vm_un
- 			}
- 		}
- 
--		gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
-+		gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
- check_current:
- 		/* Check if current node has a suitable gap */
- 		if (gap_start > high_limit)
-@@ -1758,8 +1772,8 @@ check_current:
- 			vma = rb_entry(rb_parent(prev),
- 				       struct vm_area_struct, vm_rb);
- 			if (prev == vma->vm_rb.rb_left) {
--				gap_start = vma->vm_prev->vm_end;
--				gap_end = vma->vm_start;
-+				gap_start = vm_end_gap(vma->vm_prev);
-+				gap_end = vm_start_gap(vma);
- 				goto check_current;
- 			}
- 		}
-@@ -1823,7 +1837,7 @@ unsigned long unmapped_area_topdown(stru
- 
- 	while (true) {
- 		/* Visit right subtree if it looks promising */
--		gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
-+		gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
- 		if (gap_start <= high_limit && vma->vm_rb.rb_right) {
- 			struct vm_area_struct *right =
- 				rb_entry(vma->vm_rb.rb_right,
-@@ -1836,7 +1850,7 @@ unsigned long unmapped_area_topdown(stru
- 
- check_current:
- 		/* Check if current node has a suitable gap */
--		gap_end = vma->vm_start;
-+		gap_end = vm_start_gap(vma);
- 		if (gap_end < low_limit)
- 			return -ENOMEM;
- 		if (gap_start <= high_limit && gap_end - gap_start >= length)
-@@ -1862,7 +1876,7 @@ check_current:
- 				       struct vm_area_struct, vm_rb);
- 			if (prev == vma->vm_rb.rb_right) {
- 				gap_start = vma->vm_prev ?
--					vma->vm_prev->vm_end : 0;
-+					vm_end_gap(vma->vm_prev) : 0;
- 				goto check_current;
- 			}
- 		}
-@@ -1900,7 +1914,7 @@ arch_get_unmapped_area(struct file *filp
- 		unsigned long len, unsigned long pgoff, unsigned long flags)
- {
- 	struct mm_struct *mm = current->mm;
--	struct vm_area_struct *vma;
-+	struct vm_area_struct *vma, *prev;
- 	struct vm_unmapped_area_info info;
- 
- 	if (len > TASK_SIZE - mmap_min_addr)
-@@ -1911,9 +1925,10 @@ arch_get_unmapped_area(struct file *filp
- 
- 	if (addr) {
- 		addr = PAGE_ALIGN(addr);
--		vma = find_vma(mm, addr);
-+		vma = find_vma_prev(mm, addr, &prev);
- 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
--		    (!vma || addr + len <= vma->vm_start))
-+		    (!vma || addr + len <= vm_start_gap(vma)) &&
-+		    (!prev || addr >= vm_end_gap(prev)))
- 			return addr;
- 	}
- 
-@@ -1936,7 +1951,7 @@ arch_get_unmapped_area_topdown(struct fi
- 			  const unsigned long len, const unsigned long pgoff,
- 			  const unsigned long flags)
- {
--	struct vm_area_struct *vma;
-+	struct vm_area_struct *vma, *prev;
- 	struct mm_struct *mm = current->mm;
- 	unsigned long addr = addr0;
- 	struct vm_unmapped_area_info info;
-@@ -1951,9 +1966,10 @@ arch_get_unmapped_area_topdown(struct fi
- 	/* requesting a specific address */
- 	if (addr) {
- 		addr = PAGE_ALIGN(addr);
--		vma = find_vma(mm, addr);
-+		vma = find_vma_prev(mm, addr, &prev);
- 		if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
--				(!vma || addr + len <= vma->vm_start))
-+				(!vma || addr + len <= vm_start_gap(vma)) &&
-+				(!prev || addr >= vm_end_gap(prev)))
- 			return addr;
- 	}
- 
-@@ -2079,21 +2095,19 @@ find_vma_prev(struct mm_struct *mm, unsi
-  * update accounting. This is shared with both the
-  * grow-up and grow-down cases.
-  */
--static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, unsigned long grow)
-+static int acct_stack_growth(struct vm_area_struct *vma,
-+			     unsigned long size, unsigned long grow)
- {
- 	struct mm_struct *mm = vma->vm_mm;
- 	struct rlimit *rlim = current->signal->rlim;
--	unsigned long new_start, actual_size;
-+	unsigned long new_start;
- 
- 	/* address space limit tests */
- 	if (!may_expand_vm(mm, grow))
- 		return -ENOMEM;
- 
- 	/* Stack limit test */
--	actual_size = size;
--	if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
--		actual_size -= PAGE_SIZE;
--	if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
-+	if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
- 		return -ENOMEM;
- 
- 	/* mlock limit tests */
-@@ -2134,17 +2148,30 @@ static int acct_stack_growth(struct vm_a
-  */
- int expand_upwards(struct vm_area_struct *vma, unsigned long address)
- {
-+	struct vm_area_struct *next;
-+	unsigned long gap_addr;
- 	int error = 0;
- 
- 	if (!(vma->vm_flags & VM_GROWSUP))
- 		return -EFAULT;
- 
- 	/* Guard against wrapping around to address 0. */
--	if (address < PAGE_ALIGN(address+4))
--		address = PAGE_ALIGN(address+4);
--	else
-+	address &= PAGE_MASK;
-+	address += PAGE_SIZE;
-+	if (!address)
- 		return -ENOMEM;
- 
-+	/* Enforce stack_guard_gap */
-+	gap_addr = address + stack_guard_gap;
-+	if (gap_addr < address)
-+		return -ENOMEM;
-+	next = vma->vm_next;
-+	if (next && next->vm_start < gap_addr) {
-+		if (!(next->vm_flags & VM_GROWSUP))
-+			return -ENOMEM;
-+		/* Check that both stack segments have the same anon_vma? */
-+	}
-+
- 	/* We must make sure the anon_vma is allocated. */
- 	if (unlikely(anon_vma_prepare(vma)))
- 		return -ENOMEM;
-@@ -2185,7 +2212,7 @@ int expand_upwards(struct vm_area_struct
- 				if (vma->vm_next)
- 					vma_gap_update(vma->vm_next);
- 				else
--					vma->vm_mm->highest_vm_end = address;
-+					vma->vm_mm->highest_vm_end = vm_end_gap(vma);
- 				spin_unlock(&vma->vm_mm->page_table_lock);
- 
- 				perf_event_mmap(vma);
-@@ -2205,6 +2232,8 @@ int expand_upwards(struct vm_area_struct
- int expand_downwards(struct vm_area_struct *vma,
- 				   unsigned long address)
- {
-+	struct vm_area_struct *prev;
-+	unsigned long gap_addr;
- 	int error;
- 
- 	address &= PAGE_MASK;
-@@ -2212,6 +2241,17 @@ int expand_downwards(struct vm_area_stru
- 	if (error)
- 		return error;
- 
-+	/* Enforce stack_guard_gap */
-+	gap_addr = address - stack_guard_gap;
-+	if (gap_addr > address)
-+		return -ENOMEM;
-+	prev = vma->vm_prev;
-+	if (prev && prev->vm_end > gap_addr) {
-+		if (!(prev->vm_flags & VM_GROWSDOWN))
-+			return -ENOMEM;
-+		/* Check that both stack segments have the same anon_vma? */
-+	}
-+
- 	/* We must make sure the anon_vma is allocated. */
- 	if (unlikely(anon_vma_prepare(vma)))
- 		return -ENOMEM;
-@@ -2263,28 +2303,25 @@ int expand_downwards(struct vm_area_stru
- 	return error;
- }
- 
--/*
-- * Note how expand_stack() refuses to expand the stack all the way to
-- * abut the next virtual mapping, *unless* that mapping itself is also
-- * a stack mapping. We want to leave room for a guard page, after all
-- * (the guard page itself is not added here, that is done by the
-- * actual page faulting logic)
-- *
-- * This matches the behavior of the guard page logic (see mm/memory.c:
-- * check_stack_guard_page()), which only allows the guard page to be
-- * removed under these circumstances.
-- */
-+/* enforced gap between the expanding stack and other mappings. */
-+unsigned long stack_guard_gap = 256UL<<PAGE_SHIFT;
-+
-+static int __init cmdline_parse_stack_guard_gap(char *p)
-+{
-+	unsigned long val;
-+	char *endptr;
-+
-+	val = simple_strtoul(p, &endptr, 10);
-+	if (!*endptr)
-+		stack_guard_gap = val << PAGE_SHIFT;
-+
-+	return 0;
-+}
-+__setup("stack_guard_gap=", cmdline_parse_stack_guard_gap);
-+
- #ifdef CONFIG_STACK_GROWSUP
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
--	struct vm_area_struct *next;
--
--	address &= PAGE_MASK;
--	next = vma->vm_next;
--	if (next && next->vm_start == address + PAGE_SIZE) {
--		if (!(next->vm_flags & VM_GROWSUP))
--			return -ENOMEM;
--	}
- 	return expand_upwards(vma, address);
- }
- 
-@@ -2306,14 +2343,6 @@ find_extend_vma(struct mm_struct *mm, un
- #else
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
--	struct vm_area_struct *prev;
--
--	address &= PAGE_MASK;
--	prev = vma->vm_prev;
--	if (prev && prev->vm_end == address) {
--		if (!(prev->vm_flags & VM_GROWSDOWN))
--			return -ENOMEM;
--	}
- 	return expand_downwards(vma, address);
- }
- 
-@@ -2409,7 +2438,7 @@ detach_vmas_to_be_unmapped(struct mm_str
- 		vma->vm_prev = prev;
- 		vma_gap_update(vma);
- 	} else
--		mm->highest_vm_end = prev ? prev->vm_end : 0;
-+		mm->highest_vm_end = prev ? vm_end_gap(prev) : 0;
- 	tail_vma->vm_next = NULL;
- 
- 	/* Kill the cache */
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
deleted file mode 100644
index 2343369..0000000
--- a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Chris Salls <salls at cs.ucsb.edu>
-Date: Fri, 7 Apr 2017 23:48:11 -0700
-Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
-Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7616
-
-In the case that compat_get_bitmap fails we do not want to copy the
-bitmap to the user as it will contain uninitialized stack data and leak
-sensitive data.
-
-Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- mm/mempolicy.c | 20 ++++++++------------
- 1 file changed, 8 insertions(+), 12 deletions(-)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1559,7 +1559,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, in
- COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
- 		       compat_ulong_t, maxnode)
- {
--	long err = 0;
- 	unsigned long __user *nm = NULL;
- 	unsigned long nr_bits, alloc_size;
- 	DECLARE_BITMAP(bm, MAX_NUMNODES);
-@@ -1568,14 +1567,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, in
- 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
- 
- 	if (nmask) {
--		err = compat_get_bitmap(bm, nmask, nr_bits);
-+		if (compat_get_bitmap(bm, nmask, nr_bits))
-+			return -EFAULT;
- 		nm = compat_alloc_user_space(alloc_size);
--		err |= copy_to_user(nm, bm, alloc_size);
-+		if (copy_to_user(nm, bm, alloc_size))
-+			return -EFAULT;
- 	}
- 
--	if (err)
--		return -EFAULT;
--
- 	return sys_set_mempolicy(mode, nm, nr_bits+1);
- }
- 
-@@ -1583,7 +1581,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulo
- 		       compat_ulong_t, mode, compat_ulong_t __user *, nmask,
- 		       compat_ulong_t, maxnode, compat_ulong_t, flags)
- {
--	long err = 0;
- 	unsigned long __user *nm = NULL;
- 	unsigned long nr_bits, alloc_size;
- 	nodemask_t bm;
-@@ -1592,14 +1589,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulo
- 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
- 
- 	if (nmask) {
--		err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
-+		if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
-+			return -EFAULT;
- 		nm = compat_alloc_user_space(alloc_size);
--		err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
-+		if (copy_to_user(nm, nodes_addr(bm), alloc_size))
-+			return -EFAULT;
- 	}
- 
--	if (err)
--		return -EFAULT;
--
- 	return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
- }
- 
diff --git a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
deleted file mode 100644
index 109dc1a..0000000
--- a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Cong Wang <xiyou.wangcong at gmail.com>
-Date: Sun, 9 Jul 2017 13:19:55 -0700
-Subject: mqueue: fix a use-after-free in sys_mq_notify()
-Origin: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11176
-
-The retry logic for netlink_attachskb() inside sys_mq_notify()
-is nasty and vulnerable:
-
-1) The sock refcnt is already released when retry is needed
-2) The fd is controllable by user-space because we already
-   release the file refcnt
-
-so we when retry but the fd has been just closed by user-space
-during this small window, we end up calling netlink_detachskb()
-on the error path which releases the sock again, later when
-the user-space closes this socket a use-after-free could be
-triggered.
-
-Setting 'sock' to NULL here should be sufficient to fix it.
-
-Reported-by: GeneBlue <geneblue.mail at gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: stable at kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- ipc/mqueue.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ipc/mqueue.c b/ipc/mqueue.c
-index c9ff943f19ab..eb1391b52c6f 100644
---- a/ipc/mqueue.c
-+++ b/ipc/mqueue.c
-@@ -1270,8 +1270,10 @@ static int do_mq_notify(mqd_t mqdes, const struct sigevent *notification)
- 
- 			timeo = MAX_SCHEDULE_TIMEOUT;
- 			ret = netlink_attachskb(sock, nc, &timeo, NULL);
--			if (ret == 1)
-+			if (ret == 1) {
-+				sock = NULL;
- 				goto retry;
-+			}
- 			if (ret) {
- 				sock = NULL;
- 				nc = NULL;
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
deleted file mode 100644
index 10955f5..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:20 +0200
-Subject: [1/3] net/packet: fix overflow in check for priv area size
-Origin: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-Subtracting tp_sizeof_priv from tp_block_size and casting to int
-to check whether one is less then the other doesn't always work
-(both of them are unsigned ints).
-
-Compare them as is instead.
-
-Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
-it can overflow inside BLK_PLUS_PRIV otherwise.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3842,8 +3842,8 @@ static int packet_set_ring(struct sock *
- 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
- 			goto out;
- 		if (po->tp_version >= TPACKET_V3 &&
--		    (int)(req->tp_block_size -
--			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
-+		    req->tp_block_size <=
-+			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
- 			goto out;
- 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
- 					po->tp_reserve))
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
deleted file mode 100644
index a40ed9d..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:21 +0200
-Subject: [2/3] net/packet: fix overflow in check for tp_frame_nr
-Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating rb->frames_per_block * req->tp_block_nr the result
-can overflow.
-
-Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
-
-Since frames_per_block <= tp_block_size, the expression would
-never overflow.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3854,6 +3854,8 @@ static int packet_set_ring(struct sock *
- 		rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
- 		if (unlikely(rb->frames_per_block <= 0))
- 			goto out;
-+		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
-+			goto out;
- 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
- 					req->tp_frame_nr))
- 			goto out;
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
deleted file mode 100644
index 4f9aacb..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:22 +0200
-Subject: [3/3] net/packet: fix overflow in check for tp_reserve
-Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
-
-Fix by checking that tp_reserve <= INT_MAX on assign.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3349,6 +3349,8 @@ packet_setsockopt(struct socket *sock, i
- 			return -EBUSY;
- 		if (copy_from_user(&val, optval, sizeof(val)))
- 			return -EFAULT;
-+		if (val > INT_MAX)
-+			return -EINVAL;
- 		po->tp_reserve = val;
- 		return 0;
- 	}
diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
deleted file mode 100644
index 28e54fc..0000000
--- a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 16:10:18 -0400
-Subject: nfsd: check for oversized NFSv2/v3 arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply.  This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE).  But a client that sends an incorrectly long reply
-can violate those assumptions.  This was observed to cause crashes.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-So, following a suggestion from Neil Brown, add a central check to
-enforce our expectation that no NFSv2/v3 call has both a large call and
-a large reply.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-We may also consider rejecting calls that have any extra garbage
-appended.  That would be safer, and within our rights by spec, but given
-the age of our server and the NFS protocol, and the fact that we've
-never enforced this before, we may need to balance that against the
-possibility of breaking some oddball client.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Cc: stable at vger.kernel.org
-Reviewed-by: NeilBrown <neilb at suse.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
---- a/fs/nfsd/nfssvc.c
-+++ b/fs/nfsd/nfssvc.c
-@@ -642,6 +642,37 @@ static __be32 map_new_errors(u32 vers, _
- 	return nfserr;
- }
- 
-+/*
-+ * A write procedure can have a large argument, and a read procedure can
-+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
-+ * reply that can both be larger than a page.  The xdr code has taken
-+ * advantage of this assumption to be a sloppy about bounds checking in
-+ * some cases.  Pending a rewrite of the NFSv2/v3 xdr code to fix that
-+ * problem, we enforce these assumptions here:
-+ */
-+static bool nfs_request_too_big(struct svc_rqst *rqstp,
-+				struct svc_procedure *proc)
-+{
-+	/*
-+	 * The ACL code has more careful bounds-checking and is not
-+	 * susceptible to this problem:
-+	 */
-+	if (rqstp->rq_prog != NFS_PROGRAM)
-+		return false;
-+	/*
-+	 * Ditto NFSv4 (which can in theory have argument and reply both
-+	 * more than a page):
-+	 */
-+	if (rqstp->rq_vers >= 4)
-+		return false;
-+	/* The reply will be small, we're OK: */
-+	if (proc->pc_xdrressize > 0 &&
-+	    proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
-+		return false;
-+
-+	return rqstp->rq_arg.len > PAGE_SIZE;
-+}
-+
- int
- nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- {
-@@ -654,6 +685,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
- 				rqstp->rq_vers, rqstp->rq_proc);
- 	proc = rqstp->rq_procinfo;
- 
-+	if (nfs_request_too_big(rqstp, proc)) {
-+		dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
-+		*statp = rpc_garbage_args;
-+		return 1;
-+	}
- 	/*
- 	 * Give the xdr decoder a chance to change this if it wants
- 	 * (necessary in the NFSv4.0 compound case)
diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
deleted file mode 100644
index 1214357..0000000
--- a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 15:26:30 -0400
-Subject: [2/2] nfsd: stricter decoding of write-like NFSv2/v3 ops
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-The NFSv2/v3 code does not systematically check whether we decode past
-the end of the buffer.  This generally appears to be harmless, but there
-are a few places where we do arithmetic on the pointers involved and
-don't account for the possibility that a length could be negative.  Add
-checks to catch these.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Reviewed-by: NeilBrown <neilb at suse.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfs3xdr.c | 4 ++++
- fs/nfsd/nfsxdr.c  | 2 ++
- 2 files changed, 6 insertions(+)
-
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -373,6 +373,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
- 	args->count = ntohl(*p++);
- 	args->stable = ntohl(*p++);
- 	len = args->len = ntohl(*p++);
-+	if ((void *)p > head->iov_base + head->iov_len)
-+		return 0;
- 	/*
- 	 * The count must equal the amount of data passed.
- 	 */
-@@ -476,6 +478,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
- 	/* first copy and check from the first page */
- 	old = (char*)p;
- 	vec = &rqstp->rq_arg.head[0];
-+	if ((void *)old > vec->iov_base + vec->iov_len)
-+		return 0;
- 	avail = vec->iov_len - (old - (char*)vec->iov_base);
- 	while (len && avail && *old) {
- 		*new++ = *old++;
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -303,6 +303,8 @@ nfssvc_decode_writeargs(struct svc_rqst
- 	 * bytes.
- 	 */
- 	hdr = (void*)p - head->iov_base;
-+	if (hdr > head->iov_len)
-+		return 0;
- 	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- 
- 	/*
diff --git a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch b/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
deleted file mode 100644
index 5eeda9a..0000000
--- a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Tue, 25 Apr 2017 16:21:34 -0400
-Subject: [1/2] nfsd4: minor NFSv2/v3 write decoding cleanup
-Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-Use a couple shortcuts that will simplify a following bugfix.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
-[bwh: Backported to 3.16: in nfs3svc_decode_writeargs(), dlen doesn't include
- tail]
----
- fs/nfsd/nfs3xdr.c | 9 +++++----
- fs/nfsd/nfsxdr.c  | 8 ++++----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -363,6 +363,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
- {
- 	unsigned int len, v, hdr, dlen;
- 	u32 max_blocksize = svc_max_payload(rqstp);
-+	struct kvec *head = rqstp->rq_arg.head;
- 
- 	p = decode_fh(p, &args->fh);
- 	if (!p)
-@@ -382,9 +383,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
- 	 * Check to make sure that we got the right number of
- 	 * bytes.
- 	 */
--	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
--	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
--		- hdr;
-+	hdr = (void*)p - head->iov_base;
-+	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- 	/*
- 	 * Round the length of the data which was specified up to
- 	 * the next multiple of XDR units and then compare that
-@@ -401,7 +401,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
- 		len = args->len = max_blocksize;
- 	}
- 	rqstp->rq_vec[0].iov_base = (void*)p;
--	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- 	v = 0;
- 	while (len > rqstp->rq_vec[v].iov_len) {
- 		len -= rqstp->rq_vec[v].iov_len;
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -281,6 +281,7 @@ nfssvc_decode_writeargs(struct svc_rqst
- 					struct nfsd_writeargs *args)
- {
- 	unsigned int len, hdr, dlen;
-+	struct kvec *head = rqstp->rq_arg.head;
- 	int v;
- 
- 	p = decode_fh(p, &args->fh);
-@@ -301,9 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst
- 	 * Check to make sure that we got the right number of
- 	 * bytes.
- 	 */
--	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
--	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
--		- hdr;
-+	hdr = (void*)p - head->iov_base;
-+	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- 
- 	/*
- 	 * Round the length of the data which was specified up to
-@@ -317,7 +317,7 @@ nfssvc_decode_writeargs(struct svc_rqst
- 		return 0;
- 
- 	rqstp->rq_vec[0].iov_base = (void*)p;
--	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- 	v = 0;
- 	while (len > rqstp->rq_vec[v].iov_len) {
- 		len -= rqstp->rq_vec[v].iov_len;
diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
deleted file mode 100644
index 235098b..0000000
--- a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Thu, 10 Aug 2017 12:41:58 -0400
-Subject: packet: fix tp_reserve race in packet_set_ring
-Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
-
-Updates to tp_reserve can race with reads of the field in
-packet_set_ring. Avoid this by holding the socket lock during
-updates in setsockopt PACKET_RESERVE.
-
-This bug was discovered by syzkaller.
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3345,14 +3345,19 @@ packet_setsockopt(struct socket *sock, i
- 
- 		if (optlen != sizeof(val))
- 			return -EINVAL;
--		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
--			return -EBUSY;
- 		if (copy_from_user(&val, optval, sizeof(val)))
- 			return -EFAULT;
- 		if (val > INT_MAX)
- 			return -EINVAL;
--		po->tp_reserve = val;
--		return 0;
-+		lock_sock(sk);
-+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+			ret = -EBUSY;
-+		} else {
-+			po->tp_reserve = val;
-+			ret = 0;
-+		}
-+		release_sock(sk);
-+		return ret;
- 	}
- 	case PACKET_LOSS:
- 	{
diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
deleted file mode 100644
index 0d8e5f3..0000000
--- a/debian/patches/bugfix/all/ping-implement-proper-locking.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 24 Mar 2017 19:36:13 -0700
-Subject: ping: implement proper locking
-Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
-
-We got a report of yet another bug in ping
-
-http://www.openwall.com/lists/oss-security/2017/03/24/6
-
-->disconnect() is not called with socket lock held.
-
-Fix this by acquiring ping rwlock earlier.
-
-Thanks to Daniel, Alexander and Andrey for letting us know this problem.
-
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
-Reported-by: Solar Designer <solar at openwall.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/ping.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -154,17 +154,18 @@ void ping_hash(struct sock *sk)
- void ping_unhash(struct sock *sk)
- {
- 	struct inet_sock *isk = inet_sk(sk);
-+
- 	pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
-+	write_lock_bh(&ping_table.lock);
- 	if (sk_hashed(sk)) {
--		write_lock_bh(&ping_table.lock);
- 		hlist_nulls_del(&sk->sk_nulls_node);
- 		sk_nulls_node_init(&sk->sk_nulls_node);
- 		sock_put(sk);
- 		isk->inet_num = 0;
- 		isk->inet_sport = 0;
- 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
--		write_unlock_bh(&ping_table.lock);
- 	}
-+	write_unlock_bh(&ping_table.lock);
- }
- EXPORT_SYMBOL_GPL(ping_unhash);
- 
diff --git a/debian/patches/bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch b/debian/patches/bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch
deleted file mode 100644
index d38678c..0000000
--- a/debian/patches/bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Seung-Woo Kim <sw0312.kim at samsung.com>
-Date: Thu, 4 Dec 2014 19:17:17 +0900
-Subject: regulator: core: Fix regualtor_ena_gpio_free not to access pin after
- freeing
-Origin: https://git.kernel.org/linus/60a2362f769cf549dc466134efe71c8bf9fbaaba
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-9940
-
-After freeing pin from regulator_ena_gpio_free, loop can access
-the pin. So this patch fixes not to access pin after freeing.
-
-Signed-off-by: Seung-Woo Kim <sw0312.kim at samsung.com>
-Signed-off-by: Mark Brown <broonie at kernel.org>
----
- drivers/regulator/core.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/regulator/core.c
-+++ b/drivers/regulator/core.c
-@@ -1709,6 +1709,8 @@ static void regulator_ena_gpio_free(stru
- 				gpio_free(pin->gpio);
- 				list_del(&pin->list);
- 				kfree(pin);
-+				rdev->ena_pin = NULL;
-+				return;
- 			} else {
- 				pin->request_count--;
- 			}
diff --git a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch b/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
deleted file mode 100644
index 2b01c55..0000000
--- a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Thu, 15 Jun 2017 00:12:24 +0100
-Subject: rxrpc: Fix several cases where a padded len isn't checked in ticket
- decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7482
-
-This fixes CVE-2017-7482.
-
-When a kerberos 5 ticket is being decoded so that it can be loaded into an
-rxrpc-type key, there are several places in which the length of a
-variable-length field is checked to make sure that it's not going to
-overrun the available data - but the data is padded to the nearest
-four-byte boundary and the code doesn't check for this extra.  This could
-lead to the size-remaining variable wrapping and the data pointer going
-over the end of the buffer.
-
-Fix this by making the various variable-length data checks use the padded
-length.
-
-Reported-by: 石磊 <shilei-c at 360.cn>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Reviewed-by: Marc Dionne <marc.c.dionne at auristor.com>
-Reviewed-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust filename, context]
----
- net/rxrpc/ar-key.c | 64 +++++++++++++++++++++++++++++-------------------------
- 1 file changed, 34 insertions(+), 30 deletions(-)
-
-diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
-index 0ad080790a32..99d5a5ff812e 100644
---- a/net/rxrpc/ar-key.c
-+++ b/net/rxrpc/ar-key.c
-@@ -213,7 +213,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- 				       unsigned int *_toklen)
- {
- 	const __be32 *xdr = *_xdr;
--	unsigned int toklen = *_toklen, n_parts, loop, tmp;
-+	unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen;
- 
- 	/* there must be at least one name, and at least #names+1 length
- 	 * words */
-@@ -243,16 +243,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- 		toklen -= 4;
- 		if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX)
- 			return -EINVAL;
--		if (tmp > toklen)
-+		paddedlen = (tmp + 3) & ~3;
-+		if (paddedlen > toklen)
- 			return -EINVAL;
- 		princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL);
- 		if (!princ->name_parts[loop])
- 			return -ENOMEM;
- 		memcpy(princ->name_parts[loop], xdr, tmp);
- 		princ->name_parts[loop][tmp] = 0;
--		tmp = (tmp + 3) & ~3;
--		toklen -= tmp;
--		xdr += tmp >> 2;
-+		toklen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 	}
- 
- 	if (toklen < 4)
-@@ -261,16 +261,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- 	toklen -= 4;
- 	if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX)
- 		return -EINVAL;
--	if (tmp > toklen)
-+	paddedlen = (tmp + 3) & ~3;
-+	if (paddedlen > toklen)
- 		return -EINVAL;
- 	princ->realm = kmalloc(tmp + 1, GFP_KERNEL);
- 	if (!princ->realm)
- 		return -ENOMEM;
- 	memcpy(princ->realm, xdr, tmp);
- 	princ->realm[tmp] = 0;
--	tmp = (tmp + 3) & ~3;
--	toklen -= tmp;
--	xdr += tmp >> 2;
-+	toklen -= paddedlen;
-+	xdr += paddedlen >> 2;
- 
- 	_debug("%s/...@%s", princ->name_parts[0], princ->realm);
- 
-@@ -289,7 +289,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- 					 unsigned int *_toklen)
- {
- 	const __be32 *xdr = *_xdr;
--	unsigned int toklen = *_toklen, len;
-+	unsigned int toklen = *_toklen, len, paddedlen;
- 
- 	/* there must be at least one tag and one length word */
- 	if (toklen <= 8)
-@@ -303,15 +303,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- 	toklen -= 8;
- 	if (len > max_data_size)
- 		return -EINVAL;
-+	paddedlen = (len + 3) & ~3;
-+	if (paddedlen > toklen)
-+		return -EINVAL;
- 	td->data_len = len;
- 
- 	if (len > 0) {
- 		td->data = kmemdup(xdr, len, GFP_KERNEL);
- 		if (!td->data)
- 			return -ENOMEM;
--		len = (len + 3) & ~3;
--		toklen -= len;
--		xdr += len >> 2;
-+		toklen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 	}
- 
- 	_debug("tag %x len %x", td->tag, td->data_len);
-@@ -383,7 +385,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- 				    const __be32 **_xdr, unsigned int *_toklen)
- {
- 	const __be32 *xdr = *_xdr;
--	unsigned int toklen = *_toklen, len;
-+	unsigned int toklen = *_toklen, len, paddedlen;
- 
- 	/* there must be at least one length word */
- 	if (toklen <= 4)
-@@ -395,6 +397,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- 	toklen -= 4;
- 	if (len > AFSTOKEN_K5_TIX_MAX)
- 		return -EINVAL;
-+	paddedlen = (len + 3) & ~3;
-+	if (paddedlen > toklen)
-+		return -EINVAL;
- 	*_tktlen = len;
- 
- 	_debug("ticket len %u", len);
-@@ -403,9 +408,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- 		*_ticket = kmemdup(xdr, len, GFP_KERNEL);
- 		if (!*_ticket)
- 			return -ENOMEM;
--		len = (len + 3) & ~3;
--		toklen -= len;
--		xdr += len >> 2;
-+		toklen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 	}
- 
- 	*_xdr = xdr;
-@@ -549,7 +553,7 @@ static int rxrpc_instantiate_xdr(struct key *key, const void *data, size_t datal
- {
- 	const __be32 *xdr = data, *token;
- 	const char *cp;
--	unsigned int len, tmp, loop, ntoken, toklen, sec_ix;
-+	unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix;
- 	int ret;
- 
- 	_enter(",{%x,%x,%x,%x},%zu",
-@@ -574,22 +578,21 @@ static int rxrpc_instantiate_xdr(struct key *key, const void *data, size_t datal
- 	if (len < 1 || len > AFSTOKEN_CELL_MAX)
- 		goto not_xdr;
- 	datalen -= 4;
--	tmp = (len + 3) & ~3;
--	if (tmp > datalen)
-+	paddedlen = (len + 3) & ~3;
-+	if (paddedlen > datalen)
- 		goto not_xdr;
- 
- 	cp = (const char *) xdr;
- 	for (loop = 0; loop < len; loop++)
- 		if (!isprint(cp[loop]))
- 			goto not_xdr;
--	if (len < tmp)
--		for (; loop < tmp; loop++)
--			if (cp[loop])
--				goto not_xdr;
-+	for (; loop < paddedlen; loop++)
-+		if (cp[loop])
-+			goto not_xdr;
- 	_debug("cellname: [%u/%u] '%*.*s'",
--	       len, tmp, len, len, (const char *) xdr);
--	datalen -= tmp;
--	xdr += tmp >> 2;
-+	       len, paddedlen, len, len, (const char *) xdr);
-+	datalen -= paddedlen;
-+	xdr += paddedlen >> 2;
- 
- 	/* get the token count */
- 	if (datalen < 12)
-@@ -610,10 +613,11 @@ static int rxrpc_instantiate_xdr(struct key *key, const void *data, size_t datal
- 		sec_ix = ntohl(*xdr);
- 		datalen -= 4;
- 		_debug("token: [%x/%zx] %x", toklen, datalen, sec_ix);
--		if (toklen < 20 || toklen > datalen)
-+		paddedlen = (toklen + 3) & ~3;
-+		if (toklen < 20 || toklen > datalen || paddedlen > datalen)
- 			goto not_xdr;
--		datalen -= (toklen + 3) & ~3;
--		xdr += (toklen + 3) >> 2;
-+		datalen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 
- 	} while (--loop > 0);
- 
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
deleted file mode 100644
index 4f322b1..0000000
--- a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 17 May 2017 07:16:40 -0700
-Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
-Origin: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075
-
-SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
-ipv6_mc_list from parent"), otherwise bad things can happen.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/ipv6.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -659,6 +659,9 @@ static struct sock *sctp_v6_create_accep
- 	newnp = inet6_sk(newsk);
- 
- 	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
-+	newnp->ipv6_mc_list = NULL;
-+	newnp->ipv6_ac_list = NULL;
-+	newnp->ipv6_fl_list = NULL;
- 
- 	rcu_read_lock();
- 	opt = rcu_dereference(np->opt);
diff --git a/debian/patches/bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch b/debian/patches/bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
deleted file mode 100644
index e8dea18..0000000
--- a/debian/patches/bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Thomas Gleixner <tglx at linutronix.de>
-Date: Tue, 31 Jan 2017 15:24:03 +0100
-Subject: timerfd: Protect the might cancel mechanism proper
-Origin: https://git.kernel.org/linus/1e38da300e1e395a15048b0af1e5305bd91402f6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10661
-
-The handling of the might_cancel queueing is not properly protected, so
-parallel operations on the file descriptor can race with each other and
-lead to list corruptions or use after free.
-
-Protect the context for these operations with a seperate lock.
-
-The wait queue lock cannot be reused for this because that would create a
-lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
-atomic (atomic_t or atomic bit) does not help either because it still can
-race vs. the actual list operation.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
-Cc: "linux-fsdevel at vger.kernel.org"
-Cc: syzkaller <syzkaller at googlegroups.com>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Cc: linux-fsdevel at vger.kernel.org
-Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
-Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
----
- fs/timerfd.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
---- a/fs/timerfd.c
-+++ b/fs/timerfd.c
-@@ -39,6 +39,7 @@ struct timerfd_ctx {
- 	int clockid;
- 	struct rcu_head rcu;
- 	struct list_head clist;
-+	spinlock_t cancel_lock;
- 	bool might_cancel;
- };
- 
-@@ -111,7 +112,7 @@ void timerfd_clock_was_set(void)
- 	rcu_read_unlock();
- }
- 
--static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
-+static void __timerfd_remove_cancel(struct timerfd_ctx *ctx)
- {
- 	if (ctx->might_cancel) {
- 		ctx->might_cancel = false;
-@@ -121,6 +122,13 @@ static void timerfd_remove_cancel(struct
- 	}
- }
- 
-+static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
-+{
-+	spin_lock(&ctx->cancel_lock);
-+	__timerfd_remove_cancel(ctx);
-+	spin_unlock(&ctx->cancel_lock);
-+}
-+
- static bool timerfd_canceled(struct timerfd_ctx *ctx)
- {
- 	if (!ctx->might_cancel || ctx->moffs.tv64 != KTIME_MAX)
-@@ -131,6 +139,7 @@ static bool timerfd_canceled(struct time
- 
- static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags)
- {
-+	spin_lock(&ctx->cancel_lock);
- 	if ((ctx->clockid == CLOCK_REALTIME ||
- 	     ctx->clockid == CLOCK_REALTIME_ALARM) &&
- 	    (flags & TFD_TIMER_ABSTIME) && (flags & TFD_TIMER_CANCEL_ON_SET)) {
-@@ -140,9 +149,10 @@ static void timerfd_setup_cancel(struct
- 			list_add_rcu(&ctx->clist, &cancel_list);
- 			spin_unlock(&cancel_lock);
- 		}
--	} else if (ctx->might_cancel) {
--		timerfd_remove_cancel(ctx);
-+	} else {
-+		__timerfd_remove_cancel(ctx);
- 	}
-+	spin_unlock(&ctx->cancel_lock);
- }
- 
- static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx)
-@@ -326,6 +336,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clo
- 		return -ENOMEM;
- 
- 	init_waitqueue_head(&ctx->wqh);
-+	spin_lock_init(&ctx->cancel_lock);
- 	ctx->clockid = clockid;
- 
- 	if (isalarm(ctx))
diff --git a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch b/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
deleted file mode 100644
index 7f0e65e..0000000
--- a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Amey Telawane <ameyt at codeaurora.org>
-Date: Wed, 3 May 2017 15:41:14 +0530
-Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
-Origin: https://git.kernel.org/linus/e09e28671cda63e6308b31798b997639120e2a21
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0605
-
-Strcpy is inherently not safe, and strlcpy() should be used instead.
-__trace_find_cmdline() uses strcpy() because the comms saved must have a
-terminating nul character, but it doesn't hurt to add the extra protection
-of using strlcpy() instead of strcpy().
-
-Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
-
-Signed-off-by: Amey Telawane <ameyt at codeaurora.org>
-[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
-https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
-Signed-off-by: Amit Pundir <amit.pundir at linaro.org>
-[ Updated change log and removed the "- 1" from len parameter ]
-Signed-off-by: Steven Rostedt (VMware) <rostedt at goodmis.org>
----
- kernel/trace/trace.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/trace/trace.c
-+++ b/kernel/trace/trace.c
-@@ -1567,7 +1567,7 @@ static void __trace_find_cmdline(int pid
- 
- 	map = savedcmd->map_pid_to_cmdline[pid];
- 	if (map != NO_CMDLINE_MAP)
--		strcpy(comm, get_saved_cmdlines(map));
-+		strlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);
- 	else
- 		strcpy(comm, "<...>");
- }
diff --git a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
deleted file mode 100644
index fc87b8a..0000000
--- a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Thu, 10 Aug 2017 12:29:19 -0400
-Subject: udp: consistently apply ufo or fragmentation
-Origin: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
-
-When iteratively building a UDP datagram with MSG_MORE and that
-datagram exceeds MTU, consistently choose UFO or fragmentation.
-
-Once skb_is_gso, always apply ufo. Conversely, once a datagram is
-split across multiple skbs, do not consider ufo.
-
-Sendpage already maintains the first invariant, only add the second.
-IPv6 does not have a sendpage implementation to modify.
-
-A gso skb must have a partial checksum, do not follow sk_no_check_tx
-in udp_send_skb.
-
-Found by syzkaller.
-
-Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[bwh: Backported to 3.16:
- - ip6_append_data() doesn't take a queue parameter; use &sk->sk_write_queue
- - Adjust context]
----
- net/ipv4/ip_output.c  |    7 +++++--
- net/ipv4/udp.c        |    2 +-
- net/ipv6/ip6_output.c |    7 ++++---
- 3 files changed, 10 insertions(+), 6 deletions(-)
-
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -885,10 +885,12 @@ static int __ip_append_data(struct sock
- 		csummode = CHECKSUM_PARTIAL;
- 
- 	cork->length += length;
--	if (((length > mtu) || (skb && skb_is_gso(skb))) &&
-+	if ((skb && skb_is_gso(skb)) ||
-+	    ((length > mtu) &&
-+	    (skb_queue_len(queue) <= 1) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
--	    (sk->sk_type == SOCK_DGRAM)) {
-+	    (sk->sk_type == SOCK_DGRAM))) {
- 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
- 					 hh_len, fragheaderlen, transhdrlen,
- 					 maxfraglen, flags);
-@@ -1203,6 +1205,7 @@ ssize_t	ip_append_page(struct sock *sk,
- 
- 	cork->length += size;
- 	if ((size + skb->len > mtu) &&
-+	    (skb_queue_len(&sk->sk_write_queue) == 1) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO)) {
- 		skb_shinfo(skb)->gso_size = mtu - fragheaderlen;
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -824,7 +824,7 @@ static int udp_send_skb(struct sk_buff *
- 	if (is_udplite)  				 /*     UDP-Lite      */
- 		csum = udplite_csum(skb);
- 
--	else if (sk->sk_no_check_tx) {   /* UDP csum disabled */
-+	else if (sk->sk_no_check_tx && !skb_is_gso(skb)) {   /* UDP csum off */
- 
- 		skb->ip_summed = CHECKSUM_NONE;
- 		goto send;
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1291,11 +1291,12 @@ emsgsize:
- 
- 	skb = skb_peek_tail(&sk->sk_write_queue);
- 	cork->length += length;
--	if ((((length + fragheaderlen) > mtu) ||
--	     (skb && skb_is_gso(skb))) &&
-+	if ((skb && skb_is_gso(skb)) ||
-+	    (((length + fragheaderlen) > mtu) &&
-+	    (skb_queue_len(&sk->sk_write_queue) <= 1) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
--	    (sk->sk_type == SOCK_DGRAM)) {
-+	    (sk->sk_type == SOCK_DGRAM))) {
- 		err = ip6_ufo_append_data(sk, getfrag, from, length,
- 					  hh_len, fragheaderlen, exthdrlen,
- 					  transhdrlen, mtu, flags, rt);
diff --git a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
deleted file mode 100644
index f662d55..0000000
--- a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Tue, 7 Mar 2017 16:11:03 +0100
-Subject: USB: iowarrior: fix NULL-deref at probe
-Origin: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-2188
-
-Make sure to check for the required interrupt-in endpoint to avoid
-dereferencing a NULL-pointer should a malicious device lack such an
-endpoint.
-
-Note that a fairly recent change purported to fix this issue, but added
-an insufficient test on the number of endpoints only, a test which can
-now be removed.
-
-Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
-Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
-Cc: stable <stable at vger.kernel.org>	# 2.6.21
-Signed-off-by: Johan Hovold <johan at kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/usb/misc/iowarrior.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
---- a/drivers/usb/misc/iowarrior.c
-+++ b/drivers/usb/misc/iowarrior.c
-@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_in
- 	iface_desc = interface->cur_altsetting;
- 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
- 
--	if (iface_desc->desc.bNumEndpoints < 1) {
--		dev_err(&interface->dev, "Invalid number of endpoints\n");
--		retval = -EINVAL;
--		goto error;
--	}
--
- 	/* set up the endpoint information */
- 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
- 		endpoint = &iface_desc->endpoint[i].desc;
-@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_in
- 			/* this one will match for the IOWarrior56 only */
- 			dev->int_out_endpoint = endpoint;
- 	}
-+
-+	if (!dev->int_in_endpoint) {
-+		dev_err(&interface->dev, "no interrupt-in endpoint found\n");
-+		retval = -ENODEV;
-+		goto error;
-+	}
-+
- 	/* we have to check the report_size often, so remember it in the endianness suitable for our machine */
- 	dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
- 	if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
diff --git a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch b/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
deleted file mode 100644
index a868e23..0000000
--- a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Mon, 6 Mar 2017 17:36:40 +0100
-Subject: USB: serial: io_ti: fix information leak in completion handler
-Origin: https://git.kernel.org/linus/654b404f2a222f918af9b0cd18ad469d0c941a8e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8924
-
-Add missing sanity check to the bulk-in completion handler to avoid an
-integer underflow that can be triggered by a malicious device.
-
-This avoids leaking 128 kB of memory content from after the URB transfer
-buffer to user space.
-
-Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable <stable at vger.kernel.org>	# 2.6.30
-Signed-off-by: Johan Hovold <johan at kernel.org>
----
- drivers/usb/serial/io_ti.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/serial/io_ti.c
-+++ b/drivers/usb/serial/io_ti.c
-@@ -1626,7 +1626,7 @@ static void edge_bulk_in_callback(struct
- 
- 	port_number = edge_port->port->port_number;
- 
--	if (edge_port->lsr_event) {
-+	if (urb->actual_length > 0 && edge_port->lsr_event) {
- 		edge_port->lsr_event = 0;
- 		dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n",
- 			__func__, port_number, edge_port->lsr_mask, *data);
diff --git a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch b/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
deleted file mode 100644
index 647642a..0000000
--- a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Mon, 6 Mar 2017 17:36:38 +0100
-Subject: USB: serial: omninet: fix reference leaks at open
-Origin: https://git.kernel.org/linus/30572418b445d85fcfe6c8fe84c947d2606767d8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8925
-
-This driver needlessly took another reference to the tty on open, a
-reference which was then never released on close. This lead to not just
-a leak of the tty, but also a driver reference leak that prevented the
-driver from being unloaded after a port had once been opened.
-
-Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
-Cc: stable <stable at vger.kernel.org>	# 2.6.28
-Signed-off-by: Johan Hovold <johan at kernel.org>
----
- drivers/usb/serial/omninet.c | 6 ------
- 1 file changed, 6 deletions(-)
-
---- a/drivers/usb/serial/omninet.c
-+++ b/drivers/usb/serial/omninet.c
-@@ -142,12 +142,6 @@ static int omninet_port_remove(struct us
- 
- static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
- {
--	struct usb_serial	*serial = port->serial;
--	struct usb_serial_port	*wport;
--
--	wport = serial->port[1];
--	tty_port_tty_set(&wport->port, tty);
--
- 	return usb_serial_generic_open(tty, port);
- }
- 
diff --git a/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch b/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
deleted file mode 100644
index e2f89e0..0000000
--- a/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From: Jan Beulich <jbeulich at suse.com>
-Date: Tue, 13 Jun 2017 16:28:27 -0400
-Subject: xen-blkback: don't leak stack data via response ring
-Origin: https://git.kernel.org/linus/089bc0143f489bd3a4578bdff5f4ca68fb26f341
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10911
-
-Rather than constructing a local structure instance on the stack, fill
-the fields directly on the shared ring, just like other backends do.
-Build on the fact that all response structure flavors are actually
-identical (the old code did make this assumption too).
-
-This is XSA-216.
-
-Cc: stable at vger.kernel.org
-
-Signed-off-by: Jan Beulich <jbeulich at suse.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-[bwh: Backported to 3.16: adjust context]
----
- drivers/block/xen-blkback/blkback.c | 23 ++++++++++++-----------
- drivers/block/xen-blkback/common.h  | 25 +++++--------------------
- 2 files changed, 17 insertions(+), 31 deletions(-)
-
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index c42c22e778d8..5bc220aefdd2 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -1346,33 +1346,34 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
- static void make_response(struct xen_blkif *blkif, u64 id,
- 			  unsigned short op, int st)
- {
--	struct blkif_response  resp;
-+	struct blkif_response *resp;
- 	unsigned long     flags;
- 	union blkif_back_rings *blk_rings = &blkif->blk_rings;
- 	int notify;
- 
--	resp.id        = id;
--	resp.operation = op;
--	resp.status    = st;
--
- 	spin_lock_irqsave(&blkif->blk_ring_lock, flags);
- 	/* Place on the response ring for the relevant domain. */
- 	switch (blkif->blk_protocol) {
- 	case BLKIF_PROTOCOL_NATIVE:
--		memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
--		       &resp, sizeof(resp));
-+		resp = RING_GET_RESPONSE(&blk_rings->native,
-+					 blk_rings->native.rsp_prod_pvt);
- 		break;
- 	case BLKIF_PROTOCOL_X86_32:
--		memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
--		       &resp, sizeof(resp));
-+		resp = RING_GET_RESPONSE(&blk_rings->x86_32,
-+					 blk_rings->x86_32.rsp_prod_pvt);
- 		break;
- 	case BLKIF_PROTOCOL_X86_64:
--		memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
--		       &resp, sizeof(resp));
-+		resp = RING_GET_RESPONSE(&blk_rings->x86_64,
-+					 blk_rings->x86_64.rsp_prod_pvt);
- 		break;
- 	default:
- 		BUG();
- 	}
-+
-+	resp->id        = id;
-+	resp->operation = op;
-+	resp->status    = st;
-+
- 	blk_rings->common.rsp_prod_pvt++;
- 	RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
- 	spin_unlock_irqrestore(&blkif->blk_ring_lock, flags);
-diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
-index ef64f59921a7..62f6067f8f83 100644
---- a/drivers/block/xen-blkback/common.h
-+++ b/drivers/block/xen-blkback/common.h
-@@ -70,9 +70,8 @@
- struct blkif_common_request {
- 	char dummy;
- };
--struct blkif_common_response {
--	char dummy;
--};
-+
-+/* i386 protocol version */
- 
- struct blkif_x86_32_request_rw {
- 	uint8_t        nr_segments;  /* number of segments                   */
-@@ -124,14 +123,6 @@ struct blkif_x86_32_request {
- 	} u;
- } __attribute__((__packed__));
- 
--/* i386 protocol version */
--#pragma pack(push, 4)
--struct blkif_x86_32_response {
--	uint64_t        id;              /* copied from request */
--	uint8_t         operation;       /* copied from request */
--	int16_t         status;          /* BLKIF_RSP_???       */
--};
--#pragma pack(pop)
- /* x86_64 protocol version */
- 
- struct blkif_x86_64_request_rw {
-@@ -188,18 +179,12 @@ struct blkif_x86_64_request {
- 	} u;
- } __attribute__((__packed__));
- 
--struct blkif_x86_64_response {
--	uint64_t       __attribute__((__aligned__(8))) id;
--	uint8_t         operation;       /* copied from request */
--	int16_t         status;          /* BLKIF_RSP_???       */
--};
--
- DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
--		  struct blkif_common_response);
-+		  struct blkif_response);
- DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
--		  struct blkif_x86_32_response);
-+		  struct blkif_response __packed);
- DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
--		  struct blkif_x86_64_response);
-+		  struct blkif_response);
- 
- union blkif_back_rings {
- 	struct blkif_back_ring        native;
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
deleted file mode 100644
index 116d3e4..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Thu, 23 Mar 2017 07:45:44 +0000
-Subject: [2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
-Origin: https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
-wrapping issues.  To ensure we are correctly ensuring that the two ESN
-structures are the same size compare both the overall size as reported
-by xfrm_replay_state_esn_len() and the internal length are the same.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
-Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/xfrm/xfrm_user.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -387,7 +387,11 @@ static inline int xfrm_replay_verify_len
- 	up = nla_data(rp);
- 	ulen = xfrm_replay_state_esn_len(up);
- 
--	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
-+	/* Check the overall length and the internal bitmap length to avoid
-+	 * potential overflow. */
-+	if (nla_len(rp) < ulen ||
-+	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
-+	    replay_esn->bmp_len != up->bmp_len)
- 		return -EINVAL;
- 
- 	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
deleted file mode 100644
index 5ef3ea6..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Wed, 22 Mar 2017 07:29:31 +0000
-Subject: [1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
- replay_window
-Origin: https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-When a new xfrm state is created during an XFRM_MSG_NEWSA call we
-validate the user supplied replay_esn to ensure that the size is valid
-and to ensure that the replay_window size is within the allocated
-buffer.  However later it is possible to update this replay_esn via a
-XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
-buffer matches the existing state and if so inject the contents.  We do
-not at this point check that the replay_window is within the allocated
-memory.  This leads to out-of-bounds reads and writes triggered by
-netlink packets.  This leads to memory corruption and the potential for
-priviledge escalation.
-
-We already attempt to validate the incoming replay information in
-xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
-is not trying to change the size of the replay state buffer which
-includes the replay_esn.  It however does not check the replay_window
-remains within that buffer.  Add validation of the contained
-replay_window.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
-Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/xfrm/xfrm_user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -390,6 +390,9 @@ static inline int xfrm_replay_verify_len
- 	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
- 		return -EINVAL;
- 
-+	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
-+		return -EINVAL;
-+
- 	return 0;
- }
- 
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch b/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
deleted file mode 100644
index 3c604e7..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Sinclair Yeh <syeh at vmware.com>
-Date: Fri, 2 Jun 2017 07:50:57 +0200
-Subject: drm/vmwgfx: Make sure backup_handle is always valid
-Origin: https://git.kernel.org/linus/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9605
-
-When vmw_gb_surface_define_ioctl() is called with an existing buffer,
-we end up returning an uninitialized variable in the backup_handle.
-
-The fix is to first initialize backup_handle to 0 just to be sure, and
-second, when a user-provided buffer is found, we will use the
-req->buffer_handle as the backup_handle.
-
-Cc: <stable at vger.kernel.org>
-Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Signed-off-by: Sinclair Yeh <syeh at vmware.com>
-Reviewed-by: Deepak Rawat <drawat at vmware.com>
-[bwh: Backported to 3.16: There's no size check after vmw_user_dmabuf_lookup(),
- so only check ret == 0.]
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index 17c78638f34a..22f94030d995 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -1245,7 +1245,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- 	int ret;
- 	uint32_t size;
- 	const struct svga3d_surface_desc *desc;
--	uint32_t backup_handle;
-+	uint32_t backup_handle = 0;
- 
- 	if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
- 		return -EINVAL;
-@@ -1317,6 +1317,8 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- 		ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
- 					     &res->backup,
- 					     &user_srf->backup_base);
-+		if (ret == 0)
-+			backup_handle = req->buffer_handle;
- 	} else if (req->drm_surface_flags &
- 		   drm_vmw_surface_flag_create_buffer)
- 		ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index 6a24a7c..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Li Qiang <liq3ea at gmail.com>
-Date: Mon, 27 Mar 2017 20:10:53 -0700
-Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
-
-In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
-'req->mip_levels' array. This array can be assigned any value from
-the user space. As both the 'num_sizes' and the array is uint32_t,
-it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
-used as the loop count. This can lead an oob write. Add the check of
-'req->mip_levels' to avoid this.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
-Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -711,8 +711,11 @@ int vmw_surface_define_ioctl(struct drm_
- 			128;
- 
- 	num_sizes = 0;
--	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
-+	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
-+		if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
-+			return -EINVAL;
- 		num_sizes += req->mip_levels[i];
-+	}
- 
- 	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
- 	    num_sizes == 0)
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch b/debian/patches/bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
deleted file mode 100644
index eed84ba..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Fri, 2 Jun 2017 07:42:09 +0200
-Subject: drm/vmwgfx: limit the number of mip levels in
- vmw_gb_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7346
-
-The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
-a user-controlled 'uint32_t' value which is used as a loop count limit.
-This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
-
-References:
-https://bugzilla.redhat.com/show_bug.cgi?id=1437431
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Reviewed-by: Sinclair Yeh <syeh at vmware.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -1251,6 +1251,9 @@ int vmw_gb_surface_define_ioctl(struct d
- 	const struct svga3d_surface_desc *desc;
- 	uint32_t backup_handle;
- 
-+	if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
-+		return -EINVAL;
-+
- 	if (unlikely(vmw_user_surface_size == 0))
- 		vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
- 			128;
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch b/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
deleted file mode 100644
index aff369e..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Wed, 7 Jun 2017 15:13:14 +0200
-Subject: KVM: x86: fix singlestepping over syscall
-Origin: https://git.kernel.org/linus/c8401dda2f0a00cd25c0af6a95ed50e478d25de4
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7518
-
-TF is handled a bit differently for syscall and sysret, compared
-to the other instructions: TF is checked after the instruction completes,
-so that the OS can disable #DB at a syscall by adding TF to FMASK.
-When the sysret is executed the #DB is taken "as if" the syscall insn
-just completed.
-
-KVM emulates syscall so that it can trap 32-bit syscall on Intel processors.
-Fix the behavior, otherwise you could get #DB on a user stack which is not
-nice.  This does not affect Linux guests, as they use an IST or task gate
-for #DB.
-
-This fixes CVE-2017-7518.
-
-Reported-by: Andy Lutomirski <luto at kernel.org>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
-[bwh: Backported to 3.16:
- - kvm_vcpu_check_singlestep() did not take an rflags parameter but
-   called get_rflags() itself; delete that code
- - kvm_vcpu_check_singlestep() sets some flags differently
- - Drop changes to kvm_skip_emulated_instruction()]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/arch/x86/include/asm/kvm_emulate.h
-+++ b/arch/x86/include/asm/kvm_emulate.h
-@@ -274,6 +274,7 @@ struct x86_emulate_ctxt {
- 	bool guest_mode; /* guest running a nested guest */
- 	bool perm_ok; /* do not check permissions if true */
- 	bool ud;	/* inject an #UD if host doesn't support insn */
-+	bool tf;	/* TF value before instruction (after for syscall/sysret) */
- 
- 	bool have_exception;
- 	struct x86_exception exception;
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2312,6 +2312,7 @@ static int em_syscall(struct x86_emulate
- 		ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
- 	}
- 
-+	ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
- 	return X86EMUL_CONTINUE;
- }
- 
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4966,6 +4966,8 @@ static void init_emulate_ctxt(struct kvm
- 	kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
- 
- 	ctxt->eflags = kvm_get_rflags(vcpu);
-+	ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
-+
- 	ctxt->eip = kvm_rip_read(vcpu);
- 	ctxt->mode = (!is_protmode(vcpu))		? X86EMUL_MODE_REAL :
- 		     (ctxt->eflags & X86_EFLAGS_VM)	? X86EMUL_MODE_VM86 :
-@@ -5156,38 +5158,26 @@ static int kvm_vcpu_check_hw_bp(unsigned
- 	return dr6;
- }
- 
--static void kvm_vcpu_check_singlestep(struct kvm_vcpu *vcpu, int *r)
-+static void kvm_vcpu_do_singlestep(struct kvm_vcpu *vcpu, int *r)
- {
- 	struct kvm_run *kvm_run = vcpu->run;
- 
--	/*
--	 * Use the "raw" value to see if TF was passed to the processor.
--	 * Note that the new value of the flags has not been saved yet.
--	 *
--	 * This is correct even for TF set by the guest, because "the
--	 * processor will not generate this exception after the instruction
--	 * that sets the TF flag".
--	 */
--	unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
--
--	if (unlikely(rflags & X86_EFLAGS_TF)) {
--		if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
--			kvm_run->debug.arch.dr6 = DR6_BS | DR6_FIXED_1;
--			kvm_run->debug.arch.pc = vcpu->arch.singlestep_rip;
--			kvm_run->debug.arch.exception = DB_VECTOR;
--			kvm_run->exit_reason = KVM_EXIT_DEBUG;
--			*r = EMULATE_USER_EXIT;
--		} else {
--			vcpu->arch.emulate_ctxt.eflags &= ~X86_EFLAGS_TF;
--			/*
--			 * "Certain debug exceptions may clear bit 0-3.  The
--			 * remaining contents of the DR6 register are never
--			 * cleared by the processor".
--			 */
--			vcpu->arch.dr6 &= ~15;
--			vcpu->arch.dr6 |= DR6_BS;
--			kvm_queue_exception(vcpu, DB_VECTOR);
--		}
-+	if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
-+		kvm_run->debug.arch.dr6 = DR6_BS | DR6_FIXED_1;
-+		kvm_run->debug.arch.pc = vcpu->arch.singlestep_rip;
-+		kvm_run->debug.arch.exception = DB_VECTOR;
-+		kvm_run->exit_reason = KVM_EXIT_DEBUG;
-+		*r = EMULATE_USER_EXIT;
-+	} else {
-+		vcpu->arch.emulate_ctxt.eflags &= ~X86_EFLAGS_TF;
-+		/*
-+		 * "Certain debug exceptions may clear bit 0-3.  The
-+		 * remaining contents of the DR6 register are never
-+		 * cleared by the processor".
-+		 */
-+		vcpu->arch.dr6 &= ~15;
-+		vcpu->arch.dr6 |= DR6_BS;
-+		kvm_queue_exception(vcpu, DB_VECTOR);
- 	}
- }
- 
-@@ -5340,8 +5330,9 @@ restart:
- 		kvm_make_request(KVM_REQ_EVENT, vcpu);
- 		vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
- 		kvm_rip_write(vcpu, ctxt->eip);
--		if (r == EMULATE_DONE)
--			kvm_vcpu_check_singlestep(vcpu, &r);
-+		if (r == EMULATE_DONE &&
-+		    (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
-+			kvm_vcpu_do_singlestep(vcpu, &r);
- 		kvm_set_rflags(vcpu, ctxt->eflags);
- 	} else
- 		vcpu->arch.emulate_regs_need_sync_to_vcpu = true;
diff --git a/debian/patches/bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch b/debian/patches/bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
deleted file mode 100644
index 292a787..0000000
--- a/debian/patches/bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 5 Apr 2017 09:39:08 -0700
-Subject: mm: Tighten x86 /dev/mem with zeroing reads
-Origin: https://git.kernel.org/linus/a4866aa812518ed1a37d8ea0c881dc946409de94
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7889
-
-Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
-disallowed. However, on x86, the first 1MB was always allowed for BIOS
-and similar things, regardless of it actually being System RAM. It was
-possible for heap to end up getting allocated in low 1MB RAM, and then
-read by things like x86info or dd, which would trip hardened usercopy:
-
-usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)
-
-This changes the x86 exception for the low 1MB by reading back zeros for
-System RAM areas instead of blindly allowing them. More work is needed to
-extend this to mmap, but currently mmap doesn't go through usercopy, so
-hardened usercopy won't Oops the kernel.
-
-Reported-by: Tommi Rantala <tommi.t.rantala at nokia.com>
-Tested-by: Tommi Rantala <tommi.t.rantala at nokia.com>
-Signed-off-by: Kees Cook <keescook at chromium.org>
-[bwh: Backported to 3.16: adjust context]
----
- arch/x86/mm/init.c | 41 +++++++++++++++++++--------
- drivers/char/mem.c | 82 ++++++++++++++++++++++++++++++++++--------------------
- 2 files changed, 82 insertions(+), 41 deletions(-)
-
-diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index f97130618113..89c43a1ce82b 100644
---- a/arch/x86/mm/init.c
-+++ b/arch/x86/mm/init.c
-@@ -573,21 +573,40 @@ void __init init_mem_mapping(void)
-  * devmem_is_allowed() checks to see if /dev/mem access to a certain address
-  * is valid. The argument is a physical page number.
-  *
-- *
-- * On x86, access has to be given to the first megabyte of ram because that area
-- * contains bios code and data regions used by X and dosemu and similar apps.
-- * Access has to be given to non-kernel-ram areas as well, these contain the PCI
-- * mmio resources as well as potential bios/acpi data regions.
-+ * On x86, access has to be given to the first megabyte of RAM because that
-+ * area traditionally contains BIOS code and data regions used by X, dosemu,
-+ * and similar apps. Since they map the entire memory range, the whole range
-+ * must be allowed (for mapping), but any areas that would otherwise be
-+ * disallowed are flagged as being "zero filled" instead of rejected.
-+ * Access has to be given to non-kernel-ram areas as well, these contain the
-+ * PCI mmio resources as well as potential bios/acpi data regions.
-  */
- int devmem_is_allowed(unsigned long pagenr)
- {
--	if (pagenr < 256)
--		return 1;
--	if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
-+	if (page_is_ram(pagenr)) {
-+		/*
-+		 * For disallowed memory regions in the low 1MB range,
-+		 * request that the page be shown as all zeros.
-+		 */
-+		if (pagenr < 256)
-+			return 2;
-+
-+		return 0;
-+	}
-+
-+	/*
-+	 * This must follow RAM test, since System RAM is considered a
-+	 * restricted resource under CONFIG_STRICT_IOMEM.
-+	 */
-+	if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) {
-+		/* Low 1MB bypasses iomem restrictions. */
-+		if (pagenr < 256)
-+			return 1;
-+
- 		return 0;
--	if (!page_is_ram(pagenr))
--		return 1;
--	return 0;
-+	}
-+
-+	return 1;
- }
- 
- void free_init_pages(char *what, unsigned long begin, unsigned long end)
-diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 917403fe10da..5c2b7c575c9d 100644
---- a/drivers/char/mem.c
-+++ b/drivers/char/mem.c
-@@ -59,6 +59,10 @@ static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
- #endif
- 
- #ifdef CONFIG_STRICT_DEVMEM
-+static inline int page_is_allowed(unsigned long pfn)
-+{
-+	return devmem_is_allowed(pfn);
-+}
- static inline int range_is_allowed(unsigned long pfn, unsigned long size)
- {
- 	u64 from = ((u64)pfn) << PAGE_SHIFT;
-@@ -78,6 +82,10 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
- 	return 1;
- }
- #else
-+static inline int page_is_allowed(unsigned long pfn)
-+{
-+	return 1;
-+}
- static inline int range_is_allowed(unsigned long pfn, unsigned long size)
- {
- 	return 1;
-@@ -122,23 +130,31 @@ static ssize_t read_mem(struct file *file, char __user *buf,
- 
- 	while (count > 0) {
- 		unsigned long remaining;
-+		int allowed;
- 
- 		sz = size_inside_page(p, count);
- 
--		if (!range_is_allowed(p >> PAGE_SHIFT, count))
-+		allowed = page_is_allowed(p >> PAGE_SHIFT);
-+		if (!allowed)
- 			return -EPERM;
-+		if (allowed == 2) {
-+			/* Show zeros for restricted memory. */
-+			remaining = clear_user(buf, sz);
-+		} else {
-+			/*
-+			 * On ia64 if a page has been mapped somewhere as
-+			 * uncached, then it must also be accessed uncached
-+			 * by the kernel or data corruption may occur.
-+			 */
-+			ptr = xlate_dev_mem_ptr(p);
-+			if (!ptr)
-+				return -EFAULT;
- 
--		/*
--		 * On ia64 if a page has been mapped somewhere as uncached, then
--		 * it must also be accessed uncached by the kernel or data
--		 * corruption may occur.
--		 */
--		ptr = xlate_dev_mem_ptr(p);
--		if (!ptr)
--			return -EFAULT;
-+			remaining = copy_to_user(buf, ptr, sz);
-+
-+			unxlate_dev_mem_ptr(p, ptr);
-+		}
- 
--		remaining = copy_to_user(buf, ptr, sz);
--		unxlate_dev_mem_ptr(p, ptr);
- 		if (remaining)
- 			return -EFAULT;
- 
-@@ -181,30 +197,36 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
- #endif
- 
- 	while (count > 0) {
-+		int allowed;
-+
- 		sz = size_inside_page(p, count);
- 
--		if (!range_is_allowed(p >> PAGE_SHIFT, sz))
-+		allowed = page_is_allowed(p >> PAGE_SHIFT);
-+		if (!allowed)
- 			return -EPERM;
- 
--		/*
--		 * On ia64 if a page has been mapped somewhere as uncached, then
--		 * it must also be accessed uncached by the kernel or data
--		 * corruption may occur.
--		 */
--		ptr = xlate_dev_mem_ptr(p);
--		if (!ptr) {
--			if (written)
--				break;
--			return -EFAULT;
--		}
-+		/* Skip actual writing when a page is marked as restricted. */
-+		if (allowed == 1) {
-+			/*
-+			 * On ia64 if a page has been mapped somewhere as
-+			 * uncached, then it must also be accessed uncached
-+			 * by the kernel or data corruption may occur.
-+			 */
-+			ptr = xlate_dev_mem_ptr(p);
-+			if (!ptr) {
-+				if (written)
-+					break;
-+				return -EFAULT;
-+			}
- 
--		copied = copy_from_user(ptr, buf, sz);
--		unxlate_dev_mem_ptr(p, ptr);
--		if (copied) {
--			written += sz - copied;
--			if (written)
--				break;
--			return -EFAULT;
-+			copied = copy_from_user(ptr, buf, sz);
-+			unxlate_dev_mem_ptr(p, ptr);
-+			if (copied) {
-+				written += sz - copied;
-+				if (written)
-+					break;
-+				return -EFAULT;
-+			}
- 		}
- 
- 		buf += sz;
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index eb4575b..0000000
--- a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Murray McAllister <murray.mcallister at insomniasec.com>
-Date: Mon, 27 Mar 2017 11:12:53 +0200
-Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Reviewed-by: Sinclair Yeh <syeh at vmware.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index b445ce9b9757..f410502cb075 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- 	for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- 		num_sizes += req->mip_levels[i];
- 
--	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
--	    DRM_VMW_MAX_MIP_LEVELS)
-+	if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+	    num_sizes == 0)
- 		return -EINVAL;
- 
- 	size = vmw_user_surface_size + 128 +
diff --git a/debian/patches/debian/revert-scsi-scsi_error-count-medium-access-timeout-only-once.patch b/debian/patches/debian/revert-scsi-scsi_error-count-medium-access-timeout-only-once.patch
new file mode 100644
index 0000000..7492a32
--- /dev/null
+++ b/debian/patches/debian/revert-scsi-scsi_error-count-medium-access-timeout-only-once.patch
@@ -0,0 +1,121 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 31 Aug 2017 20:40:42 +0100
+Subject: Revert "scsi: scsi_error: count medium access timeout only once per EH run"
+Forwarded: not-needed
+
+This reverts commit 1513208e76966c456deb438a7dadd19adac1760a, which as
+commit 7a38dc0bfb4cc39ed57e120e2224673f3d4d200f upstream.  It added a
+new member to struct scsi_driver which is an incompatible ABI change.
+
+---
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -224,23 +224,6 @@ scsi_abort_command(struct scsi_cmnd *scm
+ }
+ 
+ /**
+- * scsi_eh_reset - call into ->eh_action to reset internal counters
+- * @scmd:	scmd to run eh on.
+- *
+- * The scsi driver might be carrying internal state about the
+- * devices, so we need to call into the driver to reset the
+- * internal state once the error handler is started.
+- */
+-static void scsi_eh_reset(struct scsi_cmnd *scmd)
+-{
+-	if (scmd->request->cmd_type == REQ_TYPE_FS) {
+-		struct scsi_driver *sdrv = scsi_cmd_to_driver(scmd);
+-		if (sdrv->eh_reset)
+-			sdrv->eh_reset(scmd);
+-	}
+-}
+-
+-/**
+  * scsi_eh_scmd_add - add scsi cmd to error handling.
+  * @scmd:	scmd to run eh on.
+  * @eh_flag:	optional SCSI_EH flag.
+@@ -269,7 +252,6 @@ int scsi_eh_scmd_add(struct scsi_cmnd *s
+ 	if (scmd->eh_eflags & SCSI_EH_ABORT_SCHEDULED)
+ 		eh_flag &= ~SCSI_EH_CANCEL_CMD;
+ 	scmd->eh_eflags |= eh_flag;
+-	scsi_eh_reset(scmd);
+ 	list_add_tail(&scmd->eh_entry, &shost->eh_cmd_q);
+ 	shost->host_failed++;
+ 	scsi_eh_wakeup(shost);
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -112,7 +112,6 @@ static void sd_rescan(struct device *);
+ static int sd_init_command(struct scsi_cmnd *SCpnt);
+ static void sd_uninit_command(struct scsi_cmnd *SCpnt);
+ static int sd_done(struct scsi_cmnd *);
+-static void sd_eh_reset(struct scsi_cmnd *);
+ static int sd_eh_action(struct scsi_cmnd *, int);
+ static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer);
+ static void scsi_disk_release(struct device *cdev);
+@@ -510,7 +509,6 @@ static struct scsi_driver sd_template =
+ 	.uninit_command		= sd_uninit_command,
+ 	.done			= sd_done,
+ 	.eh_action		= sd_eh_action,
+-	.eh_reset		= sd_eh_reset,
+ };
+ 
+ /*
+@@ -1538,26 +1536,6 @@ static const struct block_device_operati
+ };
+ 
+ /**
+- *	sd_eh_reset - reset error handling callback
+- *	@scmd:		sd-issued command that has failed
+- *
+- *	This function is called by the SCSI midlayer before starting
+- *	SCSI EH. When counting medium access failures we have to be
+- *	careful to register it only only once per device and SCSI EH run;
+- *	there might be several timed out commands which will cause the
+- *	'max_medium_access_timeouts' counter to trigger after the first
+- *	SCSI EH run already and set the device to offline.
+- *	So this function resets the internal counter before starting SCSI EH.
+- **/
+-static void sd_eh_reset(struct scsi_cmnd *scmd)
+-{
+-	struct scsi_disk *sdkp = scsi_disk(scmd->request->rq_disk);
+-
+-	/* New SCSI EH run, reset gate variable */
+-	sdkp->ignore_medium_access_errors = false;
+-}
+-
+-/**
+  *	sd_eh_action - error handling callback
+  *	@scmd:		sd-issued command that has failed
+  *	@eh_disp:	The recovery disposition suggested by the midlayer
+@@ -1586,10 +1564,7 @@ static int sd_eh_action(struct scsi_cmnd
+ 	 * process of recovering or has it suffered an internal failure
+ 	 * that prevents access to the storage medium.
+ 	 */
+-	if (!sdkp->ignore_medium_access_errors) {
+-		sdkp->medium_access_timed_out++;
+-		sdkp->ignore_medium_access_errors = true;
+-	}
++	sdkp->medium_access_timed_out++;
+ 
+ 	/*
+ 	 * If the device keeps failing read/write commands but TEST UNIT
+--- a/drivers/scsi/sd.h
++++ b/drivers/scsi/sd.h
+@@ -90,7 +90,6 @@ struct scsi_disk {
+ 	unsigned	lbpvpd : 1;
+ 	unsigned	ws10 : 1;
+ 	unsigned	ws16 : 1;
+-	unsigned	ignore_medium_access_errors : 1;
+ };
+ #define to_scsi_disk(obj) container_of(obj,struct scsi_disk,dev)
+ 
+--- a/include/scsi/scsi_driver.h
++++ b/include/scsi/scsi_driver.h
+@@ -17,7 +17,6 @@ struct scsi_driver {
+ 	void (*uninit_command)(struct scsi_cmnd *);
+ 	int (*done)(struct scsi_cmnd *);
+ 	int (*eh_action)(struct scsi_cmnd *, int);
+-	void (*eh_reset)(struct scsi_cmnd *);
+ };
+ #define to_scsi_driver(drv) \
+ 	container_of((drv), struct scsi_driver, gendrv)
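Review bot: The patch header gives the ABI reason for the revert but not its functional cost. With `scsi_eh_reset()` and the `ignore_medium_access_errors` gate removed, `sd_eh_action()` is back to running `sdkp->medium_access_timed_out++` for every timed-out command, which the removed kernel-doc describes as able to trip `max_medium_access_timeouts` after the first EH run and set the device offline. I would add a sentence to the header such as `This reintroduces per-command counting of medium access timeouts; several timeouts in one EH run can take the disk offline.` so the trade-off is recorded next to the revert. The header also has a typo: `which as commit` should read `which was commit`. The bodies of `scsi_eh_scmd_add()` and `sd_eh_action()` continue outside the inner hunks.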
diff --git a/debian/patches/debian/ttm-avoid-abi-change-for-ttm_ref_object_add-require_existed.patch b/debian/patches/debian/ttm-avoid-abi-change-for-ttm_ref_object_add-require_existed.patch
new file mode 100644
index 0000000..7bb750c
--- /dev/null
+++ b/debian/patches/debian/ttm-avoid-abi-change-for-ttm_ref_object_add-require_existed.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 31 Aug 2017 21:30:54 +0100
+Subject: ttm: Avoid ABI change for ttm_ref_object_add() require_existing param
+Forwarded: not-needed
+
+Change the symbol name for the new version of ttm_ref_object_add(), and
+make the old one a wrapper for it.
+
+---
+--- a/drivers/gpu/drm/ttm/ttm_object.c
++++ b/drivers/gpu/drm/ttm/ttm_object.c
+@@ -762,3 +762,12 @@ int ttm_prime_object_init(struct ttm_obj
+ 				    ref_obj_release);
+ }
+ EXPORT_SYMBOL(ttm_prime_object_init);
++
++#undef ttm_ref_object_add
++int ttm_ref_object_add(struct ttm_object_file *tfile,
++		       struct ttm_base_object *base,
++		       enum ttm_ref_type ref_type, bool *existed)
++{
++	return ttm_ref_object_add_2(tfile, base, ref_type, existed, false);
++}
++EXPORT_SYMBOL(ttm_ref_object_add);
+--- a/include/drm/ttm/ttm_object.h
++++ b/include/drm/ttm/ttm_object.h
+@@ -245,8 +245,12 @@ extern void ttm_base_object_unref(struct
+  */
+ extern int ttm_ref_object_add(struct ttm_object_file *tfile,
+ 			      struct ttm_base_object *base,
+-			      enum ttm_ref_type ref_type, bool *existed,
+-			      bool require_existed);
++			      enum ttm_ref_type ref_type, bool *existed);
++extern int ttm_ref_object_add_2(struct ttm_object_file *tfile,
++				struct ttm_base_object *base,
++				enum ttm_ref_type ref_type, bool *existed,
++				bool require_existed);
++#define ttm_ref_object_add ttm_ref_object_add_2
+ 
+ extern bool ttm_ref_object_exists(struct ttm_object_file *tfile,
+ 				  struct ttm_base_object *base);
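Review bot: The compatibility wrapper added at the end of `ttm_object.c` hard-codes `false` for `require_existed` without a comment, so a reader cannot tell that callers bound to the old four-argument symbol never get whatever check the new parameter enables. A comment above the wrapper would record this, e.g. `/* ABI compat: old 4-argument entry point, behaves as before require_existed was added */`. The `#define ttm_ref_object_add ttm_ref_object_add_2` in `ttm_object.h` deserves a matching one-line comment saying that in-tree callers are redirected by the macro. The kernel-doc block ending just above the declarations now sits on the four-argument prototype; if it documents `require_existed` (not visible in this hunk) it should move to `ttm_ref_object_add_2`. The Subject line also says `require_existing` while the parameter is named `require_existed`.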
diff --git a/debian/patches/series b/debian/patches/series
index bed0a5b..cc75fca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -244,7 +244,6 @@ bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
 bugfix/all/-xen-blkfront-fix-accounting-of-reqs-when-migrating.patch
 bugfix/all/locking-mutex-don-t-assume-task_running.patch
 bugfix/all/SUNRPC-fix-refcounting-problems-with-auth_gss-messag.patch
-bugfix/all/ext4-fix-fencepost-in-s_first_meta_bg-validation.patch
 bugfix/all/ixgbe-do-not-call-check_link-for-ethtool-in-ixgbe_ge.patch
 bugfix/all/ipv6-fix-a-refcnt-leak-with-peer-addr.patch
 bugfix/all/ipv6-use-addrconf_get_prefix_route-to-remove-peer-ad.patch
@@ -679,60 +678,10 @@ bugfix/all/pie-aslr/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
 # Security fixes
 bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
 bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
-bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
-bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
-bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
-bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
-bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
-bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
-bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
-bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
-bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
-bugfix/all/mm-huge_memory.c-fix-up-mm-huge_memory.c-respect-fol.patch
-bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
-bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
-bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
-bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
-bugfix/all/media-dvb-usb-v2-avoid-use-after-free.patch
-bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
-bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
-bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
-bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
-bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
 bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
 bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
-bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
-bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
-bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
-bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
-bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
-bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch
-bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
-bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
 bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
-bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-bugfix/x86/mm-Tighten-x86-dev-mem-with-zeroing-reads.patch
-bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
-bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
-bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
-bugfix/all/char-lp-fix-possible-integer-overflow-in-lp_setup.patch
-bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
-bugfix/all/dentry-name-snapshots.patch
-bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
-bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
-bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
-bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
 bugfix/all/xfrm-policy-check-policy-direction-value.patch
-bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
-bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
-bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch
@@ -792,3 +741,5 @@ debian/revert-x86-panic-replace-smp_send_stop-with-kdump-friendly-version.patch
 debian/net-avoid-abi-change-for-net-fix-sk_mem_reclaim_partial.patch
 debian/vfs-avoid-abi-change-for-mnt-add-a-per-mount-namespace-limit.patch
 debian/mmc-avoid-abi-change-for-mmc-core-annotate-cmd_hdr-as-__le32.patch
+debian/revert-scsi-scsi_error-count-medium-access-timeout-only-once.patch
+debian/ttm-avoid-abi-change-for-ttm_ref_object_add-require_existed.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


