[linux] 02/04: Update to 4.9.65
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Nov 29 21:57:10 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch
in repository linux.
commit 0f8a096299e8057f0937f111096d7d7fc7caf160
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Nov 29 02:02:28 2017 +0000
Update to 4.9.65
Drop several patches that went upstream.
Avoid or ignore ABI changes as appropriate.
---
debian/changelog | 719 ++++++++++++++++++++-
debian/config/defines | 5 +-
...MaxPathNameComponentLength-0-before-using.patch | 42 --
...xt4-don-t-clear-sgid-when-inheriting-acls.patch | 93 ---
...4-preserve-i_mode-if-__ext4_set_acl-fails.patch | 68 --
.../all/nfsv4-fix-callback-server-shutdown.patch | 147 -----
...-the-required-netlink-attributes-presence.patch | 36 --
...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 --
...xxx-fix-an-integer-overflow-in-sysfs-code.patch | 58 --
.../all/sunrpc-refactor-svc_set_num_threads.patch | 154 -----
...-aty-do-not-leak-uninitialized-padding-in.patch | 30 -
...support-keyctl-system-call-in-32-bit-mode.patch | 30 -
...ty-keys-add-config_keys_compat-to-kconfig.patch | 110 ----
...don-t-allow-l2-to-access-the-hardware-cr8.patch | 34 -
...vmx-do-not-bug-on-out-of-bounds-guest-irq.patch | 52 --
.../kvm-x86-fix-singlestepping-over-syscall.patch | 125 ----
.../debian/keys-limit-abi-change-in-4.9.59.patch | 95 +++
.../mac80211-avoid-abi-change-in-4.9.53.patch | 34 +
.../mm-page_alloc-avoid-abi-change-in-4.9.65.patch | 26 +
.../mmc-sdio-avoid-abi-change-in-4.9.54.patch | 125 ++++
.../netfilter-nat-avoid-abi-change-in-4.9.63.patch | 58 ++
...f-event-close-won-t-free-bpf-program-atta.patch | 40 ++
...crease-size-of-mii_bus_id_size-and-bus_id.patch | 34 +
.../s390-mm-avoid-abi-change-in-4.9.52.patch | 76 +++
debian/patches/series | 22 +-
25 files changed, 1212 insertions(+), 1056 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 69b39ae..e943b71 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,16 +1,721 @@
-linux (4.9.51-2) UNRELEASED; urgency=medium
+linux (4.9.65-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.52
+ - mm: prevent double decrease of nr_reserved_highatomic
+ - IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation
+ - IB/addr: Fix setting source address in addr6_resolve()
+ - tty: improve tty_insert_flip_char() fast path
+ - tty: improve tty_insert_flip_char() slow path
+ - tty: fix __tty_insert_flip_char regression
+ - [x86] pinctrl/amd: save pin registers over suspend/resume
+ - [mips*] math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation
+ - [mips*] math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero
+ - [mips*] math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative
+ - [mips*] math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with
+ opposite signs
+ - [mips*] math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs
+ - [mips*] math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs
+ - [mips*] math-emu: Handle zero accumulator case in MADDF and MSUBF
+ separately
+ - [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Fix NaN propagation
+ - [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of infinite inputs
+ - [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of zero inputs
+ - [mips*] math-emu: <MADDF|MSUBF>.<D|S>: Clean up "maddf_flags" enumeration
+ - [mips*] math-emu: <MADDF|MSUBF>.S: Fix accuracy (32-bit case)
+ - [mips*] math-emu: <MADDF|MSUBF>.D: Fix accuracy (64-bit case)
+ - [x86] crypto: ccp - Fix XTS-AES-128 support on v5 CCPs
+ - crypto: AF_ALG - remove SGL terminator indicator when chaining
+ - ext4: fix incorrect quotaoff if the quota feature is enabled
+ - ext4: fix quota inconsistency during orphan cleanup for read-only mounts
+ - [powerpc*] Fix DAR reporting when alignment handler faults
+ - block: Relax a check in blk_start_queue()
+ - md/bitmap: disable bitmap_resize for file-backed bitmaps.
+ - skd: Avoid that module unloading triggers a use-after-free
+ - skd: Submit requests to firmware before triggering the doorbell
+ - [s390x] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
+ - [s390x] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress
+ path
+ - [s390x] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace
+ records
+ - [s390x] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate
+ with HBA
+ - [s390x] scsi: zfcp: fix missing trace records for early returns in TMF eh
+ handlers
+ - [s390x] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
+ - [s390x] scsi: zfcp: trace HBA FSF response by default on dismiss or
+ timedout late response
+ - [s390x] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN
+ - scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs
+ - scsi: megaraid_sas: Check valid aen class range to avoid kernel panic
+ - scsi: megaraid_sas: Return pended IOCTLs with cmd_status
+ MFI_STAT_WRONG_STATE in case adapter is dead
+ - [x86] scsi: storvsc: fix memory leak on ring buffer busy
+ - scsi: sg: remove 'save_scat_len'
+ - scsi: sg: use standard lists for sg_requests
+ - scsi: sg: off by one in sg_ioctl()
+ - scsi: sg: factor out sg_fill_request_table()
+ - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
+ - scsi: qla2xxx: Correction to vha->vref_count timeout
+ - ftrace: Fix selftest goto location on error
+ - ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
+ - tracing: Add barrier to trace_printk() buffer nesting modification
+ - tracing: Apply trace_clock changes to instance max buffer
+ - [x86] PCI: shpchp: Enable bridge bus mastering if MSI is enabled
+ - PCI: pciehp: Report power fault only once until we clear it
+ - net/netfilter/nf_conntrack_core: Fix net_conntrack_lock()
+ - [s390x] mm: fix local TLB flushing vs. detach of an mm address space
+ - [s390x] mm: fix race on mm->context.flush_mm
+ - media: v4l2-compat-ioctl32: Fix timespec conversion
+ - media: uvcvideo: Prevent heap overflow when accessing mapped controls
+ - PM / devfreq: Fix memory leak when fail to register device
+ - bcache: initialize dirty stripes in flash_dev_run()
+ - bcache: Fix leak of bdev reference
+ - bcache: do not subtract sectors_to_gc for bypassed IO
+ - bcache: correct cache_dirty_target in __update_writeback_rate()
+ - bcache: Correct return value for sysfs attach errors
+ - bcache: fix for gc and write-back race
+ - bcache: fix bch_hprint crash and improve output
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.53
+ - cifs: release cifs root_cred after exit_cifs
+ - cifs: release auth_key.response for reconnect.
+ - fs/proc: Report eip/esp in /prod/PID/stat for coredumping
+ - mac80211: fix VLAN handling with TXQs
+ - mac80211_hwsim: Use proper TX power
+ - mac80211: flush hw_roc_start work before cancelling the ROC
+ - genirq: Make sparse_irq_lock protect what it should protect
+ - [powerpc*] KVM: Book3S: Fix race and leak in
+ kvm_vm_ioctl_create_spapr_tce()
+ - [powerpc*] KVM: Book3S HV: Protect updates to spapr_tce_tables list
+ - tracing: Fix trace_pipe behavior for instance traces
+ - tracing: Erase irqsoff trace with empty write
+ - md/raid5: fix a race condition in stripe batch
+ - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
+ - drm/radeon: disable hard reset in hibernate for APUs
+ - crypto: drbg - fix freeing of resources
+ - security/keys: properly zero out sensitive key material in big_key
+ - security/keys: rewrite all of big_key crypto
+ - KEYS: fix writing past end of user-supplied buffer in keyring_read()
+ - KEYS: prevent creating a different user's keyrings
+ - KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192)
+ - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
+ - [powerpc*] tm: Flush TM only if CPU has TM feature
+ - [powerpc*] ftrace: Pass the correct stack pointer for
+ DYNAMIC_FTRACE_WITH_REGS
+ - [s390x] mm: fix write access check in gup_huge_pmd()
+ - PM: core: Fix device_pm_check_callbacks()
+ - cifs: Fix SMB3.1.1 guest authentication to Samba
+ - SMB3: Warn user if trying to sign connection that authenticated as guest
+ - SMB: Validate negotiate (to protect against downgrade) even if signing off
+ - SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+ - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+ - iw_cxgb4: remove the stid on listen create failure
+ - iw_cxgb4: put ep reference in pass_accept_req()
+ - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
+ - [arm64] Make sure SPsel is always set
+ - [arm64] fault: Route pte translation faults via do_translation_fault
+ - [x86] KVM: VMX: extract __pi_post_block
+ - [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
+ - [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
+ - [x86] kvm: Handle async PF in RCU read-side critical sections
+ - xfs: validate bdev support for DAX inode flag
+ - [armhf] etnaviv: fix gem object list corruption
+ - PCI: Fix race condition with driver_override
+ - btrfs: fix NULL pointer dereference from free_reloc_roots()
+ - btrfs: propagate error to btrfs_cmp_data_prepare caller
+ - btrfs: prevent to set invalid default subvolid
+ - [x86] mm: Fix fault error path using unsafe vma pointer
+ - [x86] fpu: Don't let userspace set bogus xcomp_bv
+ - gfs2: Fix debugfs glocks dump
+ - timer/sysctl: Restrict timer migration sysctl values to 0 and 1
+ - [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
+ - [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
+ - [powerpc*] cxl: Fix driver use count
+ - [x86] KVM: VMX: use cmpxchg64
+ - swiotlb-xen: implement xen_swiotlb_dma_mmap callback
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.54
+ - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
+ - drm: bridge: add DT bindings for TI ths8135
+ - GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
+ - [x86] drm/i915: Fix the overlay frontbuffer tracking
+ - [armhf] dts: exynos: Add CPU OPPs for Exynos4412 Prime
+ - [armhf] clk: sunxi-ng: fix PLL_CPUX adjusting on H3
+ - RDS: RDMA: Fix the composite message user notification
+ - [mips*] Ensure bss section ends on a long-aligned address
+ - scsi: be2iscsi: Add checks to validate CID alloc/free
+ - [armhf] dts: am335x-chilisom: Wakeup from RTC-only state by power on event
+ - igb: re-assign hw address pointer on reset after PCI error
+ - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit
+ attributes
+ - IB/rxe: Add a runtime check in alloc_index()
+ - IB/rxe: Fix a MR reference leak in check_rkey()
+ - [x86] drm/i915/psr: disable psr2 for resolution greater than 32X20
+ - serial: 8250: moxa: Store num_ports in brd
+ - serial: 8250_port: Remove dangerous pr_debug()
+ - IB/ipoib: Fix deadlock over vlan_mutex
+ - IB/ipoib: rtnl_unlock can not come after free_netdev
+ - IB/ipoib: Replace list_del of the neigh->list with list_del_init
+ - [amd64] drm/amdkfd: fix improper return value on error
+ - USB: serial: mos7720: fix control-message error handling
+ - USB: serial: mos7840: fix control-message error handling
+ - sfc: get PIO buffer size from the NIC
+ - partitions/efi: Fix integer overflow in GPT size calculation
+ - ASoC: dapm: handle probe deferrals
+ - audit: log 32-bit socketcalls
+ - ath10k: prevent sta pointer rcu violation
+ - [armhf,arm64] iommu/arm-smmu: Set privileged attribute to 'default'
+ instead of 'unprivileged'
+ - [armhf,arm64] usb: chipidea: vbus event may exist before starting gadget
+ - ASoC: dapm: fix some pointer error handling
+ - [arm64] drm: mali-dp: Fix destination size handling when rotating
+ - [arm64] drm: mali-dp: Fix transposed horizontal/vertical flip
+ - HID: wacom: release the resources before leaving despite devm
+ - net: core: Prevent from dereferencing null pointer when releasing SKB
+ - net/packet: check length in getsockopt() called with PACKET_HDRLEN
+ - team: fix memory leaks
+ - udp: disable inner UDP checksum offloads in IPsec case
+ - qed: Fix possible system hang in the dcbnl-getdcbx() path.
+ - mmc: sdio: fix alignment issue in struct sdio_func
+ - bridge: netlink: register netdevice before executing changelink
+ - Btrfs: fix segmentation fault when doing dio read
+ - Btrfs: fix potential use-after-free for cloned bio
+ - sata_via: Enable hotplug only on VT6421
+ - hugetlbfs: initialize shared policy as part of inode allocation
+ - netfilter: invoke synchronize_rcu after set the _hook_ to NULL
+ - [mips*] IRQ Stack: Unwind IRQ stack onto task stack
+ - nvme-rdma: handle cpu unplug when re-establishing the controller
+ - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
+ - nfs: make nfs4_cb_sv_ops static
+ - [x86] cpufreq: intel_pstate: Update pid_params.sample_rate_ns in
+ pid_param_set()
+ - [x86] acpi: Restore the order of CPU IDs
+ - [armhf,arm64] iommu/io-pgtable-arm: Check for leaf entry before
+ dereferencing it
+ - mm/cgroup: avoid panic when init with low memory
+ - rds: ib: add error handle
+ - md/raid10: submit bio directly to replacement disk
+ - netfilter: nf_tables: set pktinfo->thoff at AH header if found
+ - [arm64] i2c: meson: fix wrong variable usage in meson_i2c_put_data
+ - xfs: remove kmem_zalloc_greedy
+ - libata: transport: Remove circular dependency at free time
+ - tools/power turbostat: bugfix: GFXMHz column not changing
+ - IB/qib: fix false-postive maybe-uninitialized warning
+ - ttpci: address stringop overflow warning
+ - [s390x] mm: make pmdp_invalidate() do invalidation only
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.55
+ - USB: gadgetfs: Fix crash caused by inadequate synchronization
+ - USB: gadgetfs: fix copy_to_user while holding spinlock
+ - usb-storage: unusual_devs entry to fix write-access regression for
+ Seagate external drives
+ - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
+ - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
+ (CVE-2017-16529)
+ - usb: pci-quirks.c: Corrected timeout values used in handshake
+ - USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
+ - USB: dummy-hcd: fix connection failures (wrong speed)
+ - USB: dummy-hcd: fix infinite-loop resubmission bug
+ - USB: dummy-hcd: Fix erroneous synchronization change
+ - usb: gadget: mass_storage: set msg_registered after msg registered
+ - USB: g_mass_storage: Fix deadlock when driver is unbound
+ - USB: uas: fix bug in handling of alternate settings (CVE-2017-16530)
+ - USB: core: harden cdc_parse_cdc_header (CVE-2017-16534)
+ - usb: Increase quirk delay for USB devices
+ - USB: fix out-of-bounds in usb_set_configuration (CVE-2017-16531)
+ - xhci: fix finding correct bus_state structure for USB 3.1 hosts
+ - xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
+ - xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
+ - [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
+ - [armhf] iio: adc: twl4030: Fix an error handling path in
+ 'twl4030_madc_probe()'
+ - [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
+ handling path of 'twl4030_madc_probe()'
+ - iio: core: Return error for failed read_reg
+ - uwb: properly check kthread_run return value (CVE-2017-16526)
+ - uwb: ensure that endpoint is interrupt
+ - mm, oom_reaper: skip mm structs with mmu notifiers
+ - lib/ratelimit.c: use deferred printk() version
+ - Revert "ALSA: echoaudio: purge contradictions between dimension matrix
+ members and total number of members"
+ - ALSA: usx2y: Suppress kernel warning at page allocation failures
+ - net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
+ - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
+ - tcp: update skb->skb_mstamp more carefully
+ - bpf/verifier: reject BPF_ALU64|BPF_END
+ - tcp: fix data delivery rate
+ - udpv6: Fix the checksum computation when HW checksum does not apply
+ - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
+ - net: phy: Fix mask value write on gmii2rgmii converter speed register
+ - ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
+ - net/sched: cls_matchall: fix crash when used with classful qdisc
+ - tcp: fastopen: fix on syn-data transmit failure
+ - [powerpc,ppc64] net: emac: Fix napi poll list corruption
+ - packet: hold bind lock when rebinding to fanout hook (CVE-2017-15649)
+ - bpf: one perf event close won't free bpf program attached by another perf
+ event
+ - net_sched: always reset qdisc backlog in qdisc_reset()
+ - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
+ - l2tp: Avoid schedule while atomic in exit_net
+ - l2tp: fix race condition in l2tp_tunnel_delete
+ - tun: bail out from tun_get_user() if the skb is empty
+ - net: dsa: Fix network device registration order
+ - packet: in packet_do_bind, test fanout with bind_lock held
+ (CVE-2017-15649)
+ - packet: only test po->has_vnet_hdr once in packet_snd
+ - net: Set sk_prot_creator when cloning sockets to the right proto
+ - netlink: do not proceed if dump's start() errs
+ - ip6_gre: ip6gre_tap device should keep dst
+ - ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
+ - tipc: use only positive error codes in messages
+ - net: rtnetlink: fix info leak in RTM_GETSTATS call
+ - [powerpc*/*64*]: Use emergency stack for kernel TM Bad Thing program
+ checks (CVE-2017-1000255)
+ - [powerpc*] tm: Fix illegal TM state in signal handler (CVE-2017-1000255)
+ - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
+ - driver core: platform: Don't read past the end of "driver_override" buffer
+ - [x86] Drivers: hv: fcopy: restore correct transfer length
+ - ftrace: Fix kmemleak in unregister_ftrace_graph
+ - HID: i2c-hid: allocate hid buffers for real worst case
+ - HID: wacom: leds: Don't try to control the EKR's read-only LEDs
+ - HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
+ - HID: wacom: bits shifted too much for 9th and 10th buttons
+ - netlink: fix nla_put_{u8,u16,u32} for KASAN
+ - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
+ - iwlwifi: add workaround to disable wide channels in 5GHz
+ - scsi: sd: Do not override max_sectors_kb sysfs setting
+ - brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+ (CVE-2017-0786)
+ - brcmfmac: setup passive scan if requested by user-space
+ - [x86] drm/i915/bios: ignore HDMI on port A
+ - nvme-pci: Use PCI bus address for data/queues in CMB
+ - mmc: core: add driver strength selection when selecting hs400es
+ - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
+ - vfs: deny copy_file_range() for non regular files
+ - ext4: fix data corruption for mmap writes
+ - ext4: don't allow encrypted operations without keys
+ - f2fs: don't allow encrypted operations without keys
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.56
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.57
+ - ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
+ - CIFS: Reconnect expired SMB sessions
+ - nl80211: Define policy for packet pattern attributes
+ - rcu: Allow for page faults in NMI handlers
+ - USB: dummy-hcd: Fix deadlock caused by disconnect detection
+ - [mips*] math-emu: Remove pr_err() calls from fpu_emu()
+ - [armhf] dmaengine: edma: Align the memcpy acnt array size with the
+ transfer
+ - [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
+ dma_inuse
+ - HID: usbhid: fix out-of-bounds bug (CVE-2017-16533)
+ - crypto: shash - Fix zero-length shash ahash digest crash
+ - [x86] KVM: MMU: always terminate page walks at level 1
+ - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
+ - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
+ - device property: Track owner device of device property
+ - fs/mpage.c: fix mpage_writepage() for pages with buffers
+ - ALSA: usb-audio: Kill stray URB at exiting (CVE-2017-16527)
+ - ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265)
+ - ALSA: seq: Fix copy_from_user() call inside lock
+ - ALSA: caiaq: Fix stray URB at probe error path
+ - ALSA: line6: Fix missing initialization before error path
+ - ALSA: line6: Fix leftover URB at error-path during probe
+ - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+ - [x86] drm/i915: Read timings from the correct transcoder in
+ intel_crtc_mode_get()
+ - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
+ AUX channel
+ - usb: gadget: configfs: Fix memory leak of interface directory data
+ - usb: gadget: composite: Fix use-after-free in
+ usb_composite_overwrite_options
+ - direct-io: Prevent NULL pointer access in submit_page_section
+ - fix unbalanced page refcounting in bio_map_user_iov (CVE-2017-12190)
+ - more bio_map_user_iov() leak fixes
+ - bio_copy_user_iov(): don't ignore ->iov_offset
+ - USB: serial: console: fix use-after-free after failed setup
+ (CVE-2017-16525)
+ - [x86] alternatives: Fix alt_max_short macro to really be a max()
+ - [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT
+ (CVE-2017-12188)
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.58
+ - [mips*] Fix minimum alignment requirement of IRQ stack
+ - xen-netback: Use GFP_ATOMIC to allocate hash
+ - irqchip/crossbar: Fix incorrect type of local variables
+ - initramfs: finish fput() before accessing any binary from initramfs
+ - mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length
+ - qed: Don't use attention PTT for configuring BW
+ - mac80211: fix power saving clients handling in iwlwifi
+ - net/mlx4_en: fix overflow in mlx4_en_init_timestamp()
+ - netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
+ - f2fs: do SSR for data when there is enough free space
+ - sched/fair: Update rq clock before changing a task's CPU affinity
+ - Btrfs: send, fix failure to rename top level inode due to name collision
+ - f2fs: do not wait for writeback in write_begin
+ - md/linear: shutup lockdep warnning
+ - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new
+ probed PFs
+ - mm/memory_hotplug: set magic number to page->freelist instead of
+ page->lru.next
+ - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
+ - scsi: scsi_dh_emc: return success in clariion_std_inquiry()
+ - drm/amdgpu: refuse to reserve io mem for split VRAM buffers
+ - [armhf] net: mvpp2: release reference to txq_cpu[] entry after unmapping
+ - qede: Prevent index problems in loopback test
+ - qed: Reserve doorbell BAR space for present CPUs
+ - qed: Read queue state before releasing buffer
+ - ceph: don't update_dentry_lease unless we actually got one
+ - ceph: fix bogus endianness change in ceph_ioctl_set_layout
+ - ceph: clean up unsafe d_parent accesses in build_dentry_path
+ - uapi: fix linux/mroute6.h userspace compilation errors
+ - [amd64] IB/hfi1: Use static CTLE with Preset 6 for integrated HFIs
+ - [amd64] IB/hfi1: Allocate context data on memory node
+ - target/iscsi: Fix unsolicited data seq_end_offset calculation
+ - hrtimer: Catch invalid clockids again
+ - nfsd/callback: Cleanup callback cred on shutdown
+ - [powerpc*] perf: Add restrictions to PMC5 in power9 DD1
+ - drm/nouveau/gr/gf100-: fix ccache error logging
+ - regulator: core: Resolve supplies before disabling unused regulators
+ - btmrvl: avoid double-disable_irq() race
+ - [x86] EDAC, mce_amd: Print IPID and Syndrome on a separate line
+ - usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.59
+ - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
+ (CVE-2017-16535)
+ - usb: hub: Allow reset retry for USB2 devices on connect bounce
+ - can: gs_usb: fix busy loop if no more TX context is available
+ - iio: dummy: events: Add missing break
+ - [armhf] usb: musb: sunxi: Explicitly release USB PHY on exit
+ - [armhf] usb: musb: Check for host-mode using is_host_active() on reset
+ interrupt
+ - xhci: Identify USB 3.1 capable hosts by their port protocol capability
+ - can: esd_usb2: Fix can_dlc value for received RTR, frames
+ - drm/nouveau/bsp/g92: disable by default
+ - drm/nouveau/mmu: flush tlbs before deleting page tables
+ - ALSA: seq: Enable 'use' locking in all configurations
+ - ALSA: hda: Remove superfluous '-' added by printk conversion
+ - ALSA: hda: Abort capability probe at invalid register read
+ - [x86] i2c: ismt: Separate I2C block read from SMBus block read
+ - i2c: piix4: Fix SMBus port selection for AMD Family 17h chips
+ - brcmfmac: Add check for short event packets
+ - brcmsmac: make some local variables 'static const' to reduce stack size
+ - [armel,armhf] bus: mbus: fix window size calculation for 4GB windows
+ - [i386] clockevents/drivers/cs5535: Improve resilience to spurious
+ interrupts
+ - rtlwifi: rtl8821ae: Fix connection lost problem
+ - [x86] microcode/intel: Disable late loading on model 79
+ - KEYS: encrypted: fix dereference of NULL user_key_payload
+ - lib/digsig: fix dereference of NULL user_key_payload
+ - KEYS: don't let add_key() update an uninstantiated key (CVE-2017-15299)
+ - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
+ - [x86] vmbus: fix missing signaling in hv_signal_on_read()
+ - xfs: don't unconditionally clear the reflink flag on zero-block files
+ - xfs: evict CoW fork extents when performing finsert/fcollapse
+ - fs/xfs: Use %pS printk format for direct addresses
+ - xfs: report zeroed or not correctly in xfs_zero_range()
+ - xfs: update i_size after unwritten conversion in dio completion
+ - xfs: perag initialization should only touch m_ag_max_usable for AG 0
+ - xfs: Capture state of the right inode in xfs_iflush_done
+ - xfs: always swap the cow forks when swapping extents
+ - xfs: handle racy AIO in xfs_reflink_end_cow
+ - xfs: Don't log uninitialised fields in inode structures
+ - xfs: move more RT specific code under CONFIG_XFS_RT
+ - xfs: don't change inode mode if ACL update fails
+ - xfs: reinit btree pointer on attr tree inactivation walk
+ - xfs: handle error if xfs_btree_get_bufs fails
+ - xfs: cancel dirty pages on invalidation
+ - xfs: trim writepage mapping to within eof
+ - fscrypt: fix dereference of NULL user_key_payload
+ - KEYS: Fix race between updating and finding a negative key
+ (CVE-2017-15951)
+ - FS-Cache: fix dereference of NULL user_key_payload
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.60
+ - workqueue: replace pool->manager_arb mutex with a flag
+ - ceph: unlock dangling spinlock in try_flush_caps()
+ - usb: xhci: Handle error condition in xhci_stop_device()
+ - [powerpc*] KVM: Fix oops when checking KVM_CAP_PPC_HTM (CVE-2017-15306)
+ - fuse: fix READDIRPLUS skipping an entry
+ - xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
+ - Input: gtco - fix potential out-of-bound access (CVE-2017-16643)
+ - assoc_array: Fix a buggy node-splitting case
+ - [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action
+ trace
+ - scsi: sg: Re-fix off by one in sg_fill_request_table()
+ - drm/amd/powerplay: fix uninitialized variable
+ - [armhf] can: sun4i: fix loopback mode
+ - can: kvaser_usb: Correct return value in printout
+ - can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
+ - cfg80211: fix connect/disconnect edge cases
+ - ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)
+ - [armhf] regulator: fan53555: fix I2C device ids
+ - ecryptfs: fix dereference of NULL user_key_payload
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.61
+ - ALSA: timer: Add missing mutex lock for compat ioctls
+ - ALSA: seq: Fix nested rwsem annotation for lockdep splat
+ - cifs: check MaxPathNameComponentLength != 0 before using it
+ (Closes: #880504)
+ - KEYS: return full count in keyring_read() if buffer is too small
+ - KEYS: fix out-of-bounds read during ASN.1 parsing
+ - [arm64] ensure __dump_instr() checks addr_limit
+ - [armhf,arm64] KVM: set right LR register value for 32 bit guest when
+ inject abort
+ - [armhf,arm64] kvm: Disable branch profiling in HYP code
+ - [armel,armhf] 8715/1: add a private asm/unaligned.h
+ - drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting
+ - ocfs2: fstrim: Fix start offset of first cluster group during fstrim
+ - [x86] drm/i915/edp: read edp display control registers unconditionally
+ - [arm64] drm/msm: Fix potential buffer overflow issue
+ - [arm64] drm/msm: fix an integer overflow test
+ - cpufreq: Do not clear real_cpus mask on policy init
+ - [x86] crypto: ccp - Set the AES size field for all modes
+ - IB/mlx5: Assign DSCP for R-RoCE QPs Address Path
+ - PM / wakeirq: report a wakeup_event on dedicated wekup irq
+ - scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW
+ syspdIO, change fp_possible to bool
+ - [armhf] mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped
+ - bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs
+ - staging: rtl8712u: Fix endian settings for structs describing network
+ packets
+ - PCI/MSI: Return failure when msix_setup_entries() fails
+ - ext4: fix stripe-unaligned allocations
+ - ext4: do not use stripe_width if it is not set
+ - [x86] net/ena: change driver's default timeouts
+ - drm/amdgpu: when dpm disabled, also need to stop/start vce.
+ - perf tools: Only increase index if perf_evsel__new_idx() succeeds
+ - iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station
+ - [armhf,arm64] clocksource/drivers/arm_arch_timer: Add dt binding for
+ hisilicon-161010101 erratum
+ - net: phy: dp83867: Recover from "port mirroring" N/A MODE4
+ - cx231xx: Fix I2C on Internal Master 3 Bus
+ - ath10k: fix reading sram contents for QCA4019
+ - [armhf] clk: sunxi-ng: Check kzalloc() for errors and cleanup error path
+ - [armhf] mtd: nand: sunxi: Fix the non-polling case in
+ sunxi_nfc_wait_events()
+ - xen/manage: correct return value check on xenbus_scanf()
+ - scsi: aacraid: Process Error for response I/O
+ - [x86] platform: intel_mid_thermal: Fix module autoload
+ - [x86] staging: lustre: llite: don't invoke direct_IO for the EOF case
+ - [x86] staging: lustre: hsm: stack overrun in hai_dump_data_field
+ - [x86] staging: lustre: ptlrpc: skip lock if export failed
+ - [x86] staging: lustre: lmv: Error not handled for lmv_find_target
+ - brcmfmac: check brcmf_bus_get_memdump result for error
+ - vfs: open() with O_CREAT should not create inodes with unknown ids
+ - [x86] ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers
+ - [armhf] exynos4-is: fimc-is: Unmap region obtained by of_iomap()
+ - [x86] mei: return error on notification request to a disconnected client
+ - [s390x] dasd: check for device error pointer within state change
+ interrupts
+ - [s390x] prng: Adjust generation of entropy to produce real 256 bits.
+ - [s390x] crypto: Extend key length check for AES-XTS in fips mode.
+ - bt8xx: fix memory leak
+ - [armhf] drm/exynos: g2d: prevent integer overflow in
+ - PCI: Avoid possible deadlock on pci_lock and p->pi_lock
+ - [powerpc*/*64*]: Don't try to use radix MMU under a hypervisor
+ - xen: don't print error message in case of missing Xenstore entry
+ - [armel,armhf] dts: mvebu: pl310-cache disable double-linefill
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.62
+ - [armel,armhf] PCI: mvebu: Handle changes to the bridge windows while
+ enabled
+ - sched/core: Add missing update_rq_clock() call in sched_move_task()
+ - xen/netback: set default upper limit of tx/rx queues to 8
+ - [x86] EDAC, amd64: Add x86cpuid sanity check during init
+ - PM / OPP: Error out on failing to add static OPPs for v1 bindings
+ - [armhf] clk: samsung: exynos5433: Add IDs for PHYCLK_MIPIDPHY0_* clocks
+ - drm: drm_minor_register(): Clean up debugfs on failure
+ - [powerpc*] KVM: Book 3S: XICS: correct the real mode ICP rejecting counter
+ - [armhf,arm64] iommu/arm-smmu-v3: Clear prior settings when updating STEs
+ - [x86] pinctrl: baytrail: Fix debugfs offset output
+ - [powerpc*] corenet: explicitly disable the SDHC controller on kmcoge4
+ - [powerpc*] cxl: Force psl data-cache flush during device shutdown
+ - [arm64] dma-mapping: Only swizzle DMA ops for IOMMU_DOMAIN_DMA
+ - [powerpc*] crypto: vmx - disable preemption to enable vsx in aes_ctr.c
+ - [arm64] drm: mali-dp: fix Lx_CONTROL register fields clobber
+ - iio: trigger: free trigger resource correctly
+ - [x86] iio: proximity: sx9500: claim direct mode during raw proximity reads
+ - libertas: fix improper return value
+ - usb: hcd: initialize hcd->flags to 0 when rm hcd
+ - netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
+ - brcmfmac: setup wiphy bands after registering it first
+ - rt2800usb: mark tx failure on timeout
+ - apparmor: fix undefined reference to `aa_g_hash_policy'
+ - IPsec: do not ignore crypto err in ah4 input
+ - [x86] EDAC, amd64: Save and return err code from probe_one_instance()
+ - [s390x] topology: make "topology=off" parameter work
+ - [powerpc] sched/cputime: Fix stale scaled stime on context switch
+ - IB/ipoib: Change list_del to list_del_init in the tx object
+ - [armhf] dts: STiH410-family: fix wrong parent clock frequency
+ - [s390x] qeth: fix retrieval of vipa and proxy-arp addresses
+ - [s390x] qeth: issue STARTLAN as first IPA command
+ - [arm64] wcn36xx: Don't use the destroyed hal_mutex
+ - IB/rxe: Fix reference leaks in memory key invalidation code
+ - [armhf] clk: mvebu: adjust AP806 CPU clock frequencies to production chip
+ - [x86] platform: hp-wmi: Fix detection for dock and tablet mode
+ - cdc_ncm: Set NTB format again after altsetting switch for Huawei devices
+ - KEYS: trusted: sanitize all key material
+ - KEYS: trusted: fix writing past end of buffer in trusted_read()
+ - [x86] platform: hp-wmi: Fix error value for hp_wmi_tablet_state
+ - [x86] platform: hp-wmi: Do not shadow error values
+ - [x86] uaccess, sched/preempt: Verify access_ok() context
+ - workqueue: Fix NULL pointer dereference
+ - crypto: ccm - preserve the IV buffer
+ - [x86] crypto: sha1-mb - fix panic due to unaligned access
+ - [x86] crypto: sha256-mb - fix panic due to unaligned access
+ - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
+ - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit
+ - ALSA: seq: Fix OSS sysex delivery in OSS emulation
+ - [x86] drm/i915: Do not rely on wm preservation for ILK watermarks
+ - [mips*] Fix CM region target definitions
+ - [mips*] SMP: Use a completion event to signal CPU up
+ - [mips*] Fix race on setting and getting cpu_online_mask
+ - [mips*] SMP: Fix deadlock & online race
+ - [armhf] ASoC: sun4i-spdif: remove legacy dapm components
+ - rbd: use GFP_NOIO for parent stat and data requests
+ - [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
+ - [arm64] drm/bridge: adv7511: Rework adv7511_power_on/off() so they can be
+ reused internally
+ - [arm64] drm/bridge: adv7511: Reuse __adv7511_power_on/off() when probing
+ EDID
+ - [arm64] drm/bridge: adv7511: Re-write the i2c address before EDID probing
+ - [armhf] can: sun4i: handle overrun in RX FIFO
+ - [x86] smpboot: Make optimization of delay calibration work correctly
+ - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.63
+ - gso: fix payload length when gso_size is zero
+ - tun/tap: sanitize TUNSETSNDBUF input
+ - ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
+ - netlink: do not set cb_running if dump's start() errs
+ - net: call cgroup_sk_alloc() earlier in sk_clone_lock()
+ - tcp: fix tcp_mtu_probe() vs highest_sack
+ - l2tp: check ps->sock before running pppol2tp_session_ioctl()
+ - tun: call dev_get_valid_name() before register_netdevice()
+ - sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
+ - tcp/dccp: fix ireq->opt races
+ - packet: avoid panic in packet_getsockopt()
+ - soreuseport: fix initialization race
+ - ipv6: flowlabel: do not leave opt->tot_len with garbage
+ - sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
+ - tcp/dccp: fix lockdep splat in inet_csk_route_req()
+ - tcp/dccp: fix other lockdep splats accessing ireq_opt
+ - net/unix: don't show information about sockets from other namespaces
+ - tap: double-free in error path in tap_open()
+ - ipip: only increase err_count for some certain type icmp in ipip_err
+ - ip6_gre: only increase err_count for some certain type icmpv6 in
+ ip6gre_err
+ - ip6_gre: update dst pmtu if dev mtu has been updated by toobig in
+ __gre6_xmit
+ - tun: allow positive return values on dev_get_valid_name() call
+ - sctp: reset owner sk for data chunks on out queues when migrating a sock
+ - net_sched: avoid matching qdisc with zero handle
+ - ppp: fix race in ppp device destruction
+ - mac80211: accept key reinstall without changing anything (CVE-2017-13080)
+ - mac80211: use constant time comparison with keys
+ - mac80211: don't compare TKIP TX MIC key in reinstall prevention
+ (CVE-2017-13080)
+ - usb: usbtest: fix NULL pointer dereference (CVE-2017-16532)
+ - Input: ims-psu - check if CDC union descriptor is sane (CVE-2017-16645)
+ - ALSA: seq: Cancel pending autoload work at unbinding device
+ (CVE-2017-16528)
+ - netfilter: nat: avoid use of nf_conn_nat extension
+ - netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to
+ rhashtable"
+ - brcmfmac: remove setting IBSS mode when stopping AP
+ - [arm64,mips*] security/keys: add CONFIG_KEYS_COMPAT to Kconfig
+ (Closes: #881830)
+ - target/iscsi: Fix iSCSI task reassignment handling
+ - qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2)
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.64
+ - media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537)
+ - media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646)
+ - [armel,armhf] crypto: reduce priority of bit-sliced AES cipher
+ - Bluetooth: btusb: fix QCA Rome suspend/resume
+ - [armhf,arm64] extcon: Remove potential problem when calling
+ extcon_register_notifier()
+ - [armhf] extcon: palmas: Check the parent instance to prevent the NULL
+ - fm10k: request reset when mbx->state changes
+ - [armhf] dts: Fix compatible for ti81xx uarts for 8250
+ - [armhf] dts: Fix am335x and dm814x scm syscon to probe children
+ - [armhf] OMAP2+: Fix init for multiple quirks for the same SoC
+ - [armhf] dts: Fix omap3 off mode pull defines
+ - [armhf] dts: omap5-uevm: Allow bootloader to configure USB Ethernet MAC
+ - igb: reset the PHY before reading the PHY ID
+ - igb: close/suspend race in netif_device_detach
+ - igb: Fix hw_dbg logging in igb_update_flash_i210
+ - scsi: ufs: add capability to keep auto bkops always enabled
+ - tcp: provide timestamps for partial writes
+ - staging: rtl8188eu: fix incorrect ERROR tags from logs
+ - [x86] irq, trace: Add __irq_entry annotation to x86's platform IRQ
+ handlers
+ - scsi: lpfc: Add missing memory barrier
+ - scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort
+ - scsi: lpfc: Correct host name in symbolic_name field
+ - scsi: lpfc: Correct issue leading to oops during link reset
+ - scsi: lpfc: Clear the VendorVersion in the PLOGI/PLOGI ACC payload
+ - ALSA: vx: Don't try to update capture stream before running
+ - ALSA: vx: Fix possible transfer overflow
+ - [armhf] drm/omap: panel-sony-acx565akm.c: Add MODULE_ALIAS
+ - [x86] gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap
+ - [arm64] dts: NS2: reserve memory for Nitro firmware
+ - ixgbe: Configure advertised speeds correctly for KR/KX backplane
+ - ixgbe: fix AER error handling
+ - ixgbe: handle close/suspend race with netif_device_detach/present
+ - ixgbe: Fix reporting of 100Mb capability
+ - ixgbe: Reduce I2C retry count on X550 devices
+ - ixgbe: add mask for 64 RSS queues
+ - ixgbe: do not disable FEC from the driver
+ - [mips*] End asm function prologue macros with .insn
+ - [mips*] init: Ensure bootmem does not corrupt reserved memory
+ - [mips*] init: Ensure reserved memory regions are not added to bootmem
+ - [mips*] traps: Ensure L1 & L2 ECC checking match for CM3 systems
+ - crypto: dh - Don't permit 'p' to be 0
+ - crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
+ - USB: usbfs: compute urb->actual_length for isochronous
+ - usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
+ - USB: serial: garmin_gps: fix I/O after failed probe and remove
+ - USB: serial: garmin_gps: fix memory leak on probe errors
+ - [x86] MCE/AMD: Always give panic severity for UC errors in kernel context
+ - brcmfmac: don't preset all channels as disabled
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.65
+ - tcp_nv: fix division by zero in tcpnv_acked()
+ - net: vrf: correct FRA_L3MDEV encode type
+ - tcp: do not mangle skb->cb[] in tcp_make_synack()
+ - netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
+ - bonding: discard lowest hash bit for 802.3ad layer3+4
+ - net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649)
+ - net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650)
+ - qmi_wwan: Add missing skb_reset_mac_header-call
+ - net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647)
+ - vlan: fix a use-after-free in vlan_device_event()
+ - af_netlink: ensure that NLMSG_DONE never fails in dumps
+ - sctp: do not peel off an assoc from one netns to another one
+ (CVE-2017-15115)
+ - net/sctp: Always set scope_id in sctp_inet6_skb_msgname
+ - crypto: dh - fix memleak in setkey
+ - crypto: dh - Fix double free of ctx->p
+ - ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+ - [armhf] serial: omap: Fix EFR write on RTS deassertion
+ - serial: 8250_fintek: Fix finding base_port with activated SuperIO
+ - ocfs2: fix cluster hang after a node dies
+ - ocfs2: should wait dio before inode lock in ocfs2_setattr()
+ - ipmi: fix unsigned long underflow
+ - mm/page_alloc.c: broken deferred calculation
+ - coda: fix 'kernel memory exposure attempt' in fsync
+ - mm/pagewalk.c: report holes in hugetlb ranges
[ Ben Hutchings ]
* [armhf] dts: exynos: Add dwc3 SUSPHY quirk (Closes: #843448)
* [mips*] Remove pt_regs adjustments in indirect syscall handler
(Closes: #867358)
* [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
- * [arm64,mips*] security/keys: Enable keyctl() system call in 32-bit compat
- mode (Closes: #881830)
-
- [ Salvatore Bonaccorso ]
- * cifs: check MaxPathNameComponentLength != 0 before using it.
- Thanks to Andrew Chadwick and Axel Schäfer (Closes: #880504)
+ * l2tp: Ignore ABI change
+ * [armel,armhf] mbus: Ignore ABI change
+ * usb: gadget: Ignore ABI change
+ * [s390x] mm: Avoid ABI change in 4.9.52
+ * mac80211: Avoid ABI change in 4.9.53
+ * mmc: sdio: Avoid ABI change in 4.9.54
+ * KEYS: Limit ABI change in 4.9.59
+ * netfilter: nat: Avoid ABI change in 4.9.63
+ * mm/page_alloc: Avoid ABI change in 4.9.65
+ * Revert "phy: increase size of MII_BUS_ID_SIZE and bus_id" to avoid ABI
+ change
+ * Revert "bpf: one perf event close won't free bpf program attached ..." to
+ avoid ABI change
-- Ben Hutchings <ben at decadent.org.uk> Sun, 01 Oct 2017 16:14:43 +0100
diff --git a/debian/config/defines b/debian/config/defines
index 9984e65..c0dbe1f 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -7,7 +7,9 @@ ignore-changes:
inet_frag_*
inet_frags_*
mm_iommu_*
+ mv_mbus_*
register_cxl_calls
+ register_key_type
unregister_cxl_calls
module:arch/x86/kvm/*
module:drivers/crypto/ccp/*
@@ -23,11 +25,12 @@ ignore-changes:
module:drivers/scsi/ufs/*
module:drivers/target/**
module:drivers/usb/chipidea/**
+ module:drivers/usb/gadget/**
module:drivers/usb/host/**
module:drivers/usb/musb/**
module:fs/nfs/nfs
module:net/ceph/libceph
- module:net/l2tp/l2tp_core
+ module:net/l2tp/**
module:sound/firewire/snd-firewire-lib
# btree library is only selected by few drivers so not useful OOT
btree_*
diff --git a/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch b/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch
deleted file mode 100644
index bb368c8..0000000
--- a/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Ronnie Sahlberg <lsahlber at redhat.com>
-Date: Mon, 30 Oct 2017 13:28:03 +1100
-Subject: cifs: check MaxPathNameComponentLength != 0 before using it
-Origin: https://git.kernel.org/linus/f74bc7c6679200a4a83156bb89cbf6c229fe8ec0
-Bug-Debian: https://bugs.debian.org/880504
-
-And fix tcon leak in error path.
-
-Signed-off-by: Ronnie Sahlberg <lsahlber at redhat.com>
-Signed-off-by: Steve French <smfrench at gmail.com>
-CC: Stable <stable at vger.kernel.org>
-Reviewed-by: David Disseldorp <ddiss at samba.org>
----
- fs/cifs/dir.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
-index dd3e236d7a2b..d9cbda269462 100644
---- a/fs/cifs/dir.c
-+++ b/fs/cifs/dir.c
-@@ -193,7 +193,8 @@ check_name(struct dentry *direntry, struct cifs_tcon *tcon)
- struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
- int i;
-
-- if (unlikely(direntry->d_name.len >
-+ if (unlikely(tcon->fsAttrInfo.MaxPathNameComponentLength &&
-+ direntry->d_name.len >
- le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
- return -ENAMETOOLONG;
-
-@@ -509,7 +510,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
-
- rc = check_name(direntry, tcon);
- if (rc)
-- goto out_free_xid;
-+ goto out;
-
- server = tcon->ses->server;
-
---
-2.15.0
-
diff --git a/debian/patches/bugfix/all/ext4-don-t-clear-sgid-when-inheriting-acls.patch b/debian/patches/bugfix/all/ext4-don-t-clear-sgid-when-inheriting-acls.patch
deleted file mode 100644
index 8fbdba3..0000000
--- a/debian/patches/bugfix/all/ext4-don-t-clear-sgid-when-inheriting-acls.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From: Jan Kara <jack at suse.cz>
-Date: Sun, 30 Jul 2017 23:33:01 -0400
-Subject: ext4: Don't clear SGID when inheriting ACLs
-Origin: https://git.kernel.org/linus/a3bb2d5587521eea6dab2d05326abb0afb460abd
-Bug-Debian: https://bugs.debian.org/873026
-
-When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
-set, DIR1 is expected to have SGID bit set (and owning group equal to
-the owning group of 'DIR0'). However when 'DIR0' also has some default
-ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
-'DIR1' to get cleared if user is not member of the owning group.
-
-Fix the problem by moving posix_acl_update_mode() out of
-__ext4_set_acl() into ext4_set_acl(). That way the function will not be
-called when inheriting ACLs which is what we want as it prevents SGID
-bit clearing and the mode has been properly set by posix_acl_create()
-anyway.
-
-Fixes: 073931017b49d9458aa351605b43a7e34598caef
-CC: stable at vger.kernel.org
-Signed-off-by: Theodore Ts'o <tytso at mit.edu>
-Signed-off-by: Jan Kara <jack at suse.cz>
-Reviewed-by: Andreas Gruenbacher <agruenba at redhat.com>
-[bwh: Backported to 4.9:
- - Keep using ext4_current_time()
- - Adjust context]
----
- fs/ext4/acl.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
---- a/fs/ext4/acl.c
-+++ b/fs/ext4/acl.c
-@@ -188,18 +188,10 @@ __ext4_set_acl(handle_t *handle, struct
- void *value = NULL;
- size_t size = 0;
- int error;
-- int update_mode = 0;
-- umode_t mode = inode->i_mode;
-
- switch (type) {
- case ACL_TYPE_ACCESS:
- name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
-- if (acl) {
-- error = posix_acl_update_mode(inode, &mode, &acl);
-- if (error)
-- return error;
-- update_mode = 1;
-- }
- break;
-
- case ACL_TYPE_DEFAULT:
-@@ -223,11 +215,6 @@ __ext4_set_acl(handle_t *handle, struct
- kfree(value);
- if (!error) {
- set_cached_acl(inode, type, acl);
-- if (update_mode) {
-- inode->i_mode = mode;
-- inode->i_ctime = ext4_current_time(inode);
-- ext4_mark_inode_dirty(handle, inode);
-- }
- }
-
- return error;
-@@ -238,6 +225,8 @@ ext4_set_acl(struct inode *inode, struct
- {
- handle_t *handle;
- int error, retries = 0;
-+ umode_t mode = inode->i_mode;
-+ int update_mode = 0;
-
- retry:
- handle = ext4_journal_start(inode, EXT4_HT_XATTR,
-@@ -245,7 +234,20 @@ retry:
- if (IS_ERR(handle))
- return PTR_ERR(handle);
-
-+ if ((type == ACL_TYPE_ACCESS) && acl) {
-+ error = posix_acl_update_mode(inode, &mode, &acl);
-+ if (error)
-+ goto out_stop;
-+ update_mode = 1;
-+ }
-+
- error = __ext4_set_acl(handle, inode, type, acl);
-+ if (!error && update_mode) {
-+ inode->i_mode = mode;
-+ inode->i_ctime = ext4_current_time(inode);
-+ ext4_mark_inode_dirty(handle, inode);
-+ }
-+out_stop:
- ext4_journal_stop(handle);
- if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
- goto retry;
diff --git a/debian/patches/bugfix/all/ext4-preserve-i_mode-if-__ext4_set_acl-fails.patch b/debian/patches/bugfix/all/ext4-preserve-i_mode-if-__ext4_set_acl-fails.patch
deleted file mode 100644
index 838d67c..0000000
--- a/debian/patches/bugfix/all/ext4-preserve-i_mode-if-__ext4_set_acl-fails.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
- <ernesto.mnd.fernandez at gmail.com>
-Date: Sun, 30 Jul 2017 22:43:41 -0400
-Subject: ext4: preserve i_mode if __ext4_set_acl() fails
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/397e434176bb62bc6068d2210af1d876c6212a7e
-Bug-Debian: https://bugs.debian.org/873026
-
-When changing a file's acl mask, __ext4_set_acl() will first set the group
-bits of i_mode to the value of the mask, and only then set the actual
-extended attribute representing the new acl.
-
-If the second part fails (due to lack of space, for example) and the file
-had no acl attribute to begin with, the system will from now on assume
-that the mask permission bits are actual group permission bits, potentially
-granting access to the wrong users.
-
-Prevent this by only changing the inode mode after the acl has been set.
-
-Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez at gmail.com>
-Signed-off-by: Theodore Ts'o <tytso at mit.edu>
-Reviewed-by: Jan Kara <jack at suse.cz>
-[bwh: Backported to 4.9: keep using ext4_current_time()]
----
- fs/ext4/acl.c | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
---- a/fs/ext4/acl.c
-+++ b/fs/ext4/acl.c
-@@ -188,16 +188,17 @@ __ext4_set_acl(handle_t *handle, struct
- void *value = NULL;
- size_t size = 0;
- int error;
-+ int update_mode = 0;
-+ umode_t mode = inode->i_mode;
-
- switch (type) {
- case ACL_TYPE_ACCESS:
- name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
- if (acl) {
-- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
-+ error = posix_acl_update_mode(inode, &mode, &acl);
- if (error)
- return error;
-- inode->i_ctime = ext4_current_time(inode);
-- ext4_mark_inode_dirty(handle, inode);
-+ update_mode = 1;
- }
- break;
-
-@@ -220,8 +221,14 @@ __ext4_set_acl(handle_t *handle, struct
- value, size, 0);
-
- kfree(value);
-- if (!error)
-+ if (!error) {
- set_cached_acl(inode, type, acl);
-+ if (update_mode) {
-+ inode->i_mode = mode;
-+ inode->i_ctime = ext4_current_time(inode);
-+ ext4_mark_inode_dirty(handle, inode);
-+ }
-+ }
-
- return error;
- }
diff --git a/debian/patches/bugfix/all/nfsv4-fix-callback-server-shutdown.patch b/debian/patches/bugfix/all/nfsv4-fix-callback-server-shutdown.patch
deleted file mode 100644
index 8533317..0000000
--- a/debian/patches/bugfix/all/nfsv4-fix-callback-server-shutdown.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From: Trond Myklebust <trond.myklebust at primarydata.com>
-Date: Wed, 26 Apr 2017 11:55:27 -0400
-Subject: [2/2] NFSv4: Fix callback server shutdown
-Origin: https://git.kernel.org/linus/ed6473ddc704a2005b9900ca08e236ebb2d8540a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9059
-
-We want to use kthread_stop() in order to ensure the threads are
-shut down before we tear down the nfs_callback_info in nfs_callback_down.
-
-Tested-and-reviewed-by: Kinglong Mee <kinglongmee at gmail.com>
-Reported-by: Kinglong Mee <kinglongmee at gmail.com>
-Fixes: bb6aeba736ba9 ("NFSv4.x: Switch to using svc_set_num_threads()...")
-Signed-off-by: Trond Myklebust <trond.myklebust at primarydata.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfs/callback.c | 24 ++++++++++++++++--------
- include/linux/sunrpc/svc.h | 1 +
- net/sunrpc/svc.c | 38 ++++++++++++++++++++++++++++++++++++++
- 3 files changed, 55 insertions(+), 8 deletions(-)
-
---- a/fs/nfs/callback.c
-+++ b/fs/nfs/callback.c
-@@ -75,7 +75,10 @@ nfs4_callback_svc(void *vrqstp)
-
- set_freezable();
-
-- while (!kthread_should_stop()) {
-+ while (!kthread_freezable_should_stop(NULL)) {
-+
-+ if (signal_pending(current))
-+ flush_signals(current);
- /*
- * Listen for a request on the socket
- */
-@@ -84,6 +87,8 @@ nfs4_callback_svc(void *vrqstp)
- continue;
- svc_process(rqstp);
- }
-+ svc_exit_thread(rqstp);
-+ module_put_and_exit(0);
- return 0;
- }
-
-@@ -102,9 +107,10 @@ nfs41_callback_svc(void *vrqstp)
-
- set_freezable();
-
-- while (!kthread_should_stop()) {
-- if (try_to_freeze())
-- continue;
-+ while (!kthread_freezable_should_stop(NULL)) {
-+
-+ if (signal_pending(current))
-+ flush_signals(current);
-
- prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE);
- spin_lock_bh(&serv->sv_cb_lock);
-@@ -120,11 +126,13 @@ nfs41_callback_svc(void *vrqstp)
- error);
- } else {
- spin_unlock_bh(&serv->sv_cb_lock);
-- schedule();
-+ if (!kthread_should_stop())
-+ schedule();
- finish_wait(&serv->sv_cb_waitq, &wq);
- }
-- flush_signals(current);
- }
-+ svc_exit_thread(rqstp);
-+ module_put_and_exit(0);
- return 0;
- }
-
-@@ -220,14 +228,14 @@ err_bind:
- static struct svc_serv_ops nfs40_cb_sv_ops = {
- .svo_function = nfs4_callback_svc,
- .svo_enqueue_xprt = svc_xprt_do_enqueue,
-- .svo_setup = svc_set_num_threads,
-+ .svo_setup = svc_set_num_threads_sync,
- .svo_module = THIS_MODULE,
- };
- #if defined(CONFIG_NFS_V4_1)
- static struct svc_serv_ops nfs41_cb_sv_ops = {
- .svo_function = nfs41_callback_svc,
- .svo_enqueue_xprt = svc_xprt_do_enqueue,
-- .svo_setup = svc_set_num_threads,
-+ .svo_setup = svc_set_num_threads_sync,
- .svo_module = THIS_MODULE,
- };
-
---- a/include/linux/sunrpc/svc.h
-+++ b/include/linux/sunrpc/svc.h
-@@ -470,6 +470,7 @@ void svc_pool_map_put(void);
- struct svc_serv * svc_create_pooled(struct svc_program *, unsigned int,
- struct svc_serv_ops *);
- int svc_set_num_threads(struct svc_serv *, struct svc_pool *, int);
-+int svc_set_num_threads_sync(struct svc_serv *, struct svc_pool *, int);
- int svc_pool_stats_open(struct svc_serv *serv, struct file *file);
- void svc_destroy(struct svc_serv *);
- void svc_shutdown_net(struct svc_serv *, struct net *);
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -795,6 +795,44 @@ svc_set_num_threads(struct svc_serv *ser
- }
- EXPORT_SYMBOL_GPL(svc_set_num_threads);
-
-+/* destroy old threads */
-+static int
-+svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
-+{
-+ struct task_struct *task;
-+ unsigned int state = serv->sv_nrthreads-1;
-+
-+ /* destroy old threads */
-+ do {
-+ task = choose_victim(serv, pool, &state);
-+ if (task == NULL)
-+ break;
-+ kthread_stop(task);
-+ nrservs++;
-+ } while (nrservs < 0);
-+ return 0;
-+}
-+
-+int
-+svc_set_num_threads_sync(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
-+{
-+ if (pool == NULL) {
-+ /* The -1 assumes caller has done a svc_get() */
-+ nrservs -= (serv->sv_nrthreads-1);
-+ } else {
-+ spin_lock_bh(&pool->sp_lock);
-+ nrservs -= pool->sp_nrthreads;
-+ spin_unlock_bh(&pool->sp_lock);
-+ }
-+
-+ if (nrservs > 0)
-+ return svc_start_kthreads(serv, pool, nrservs);
-+ if (nrservs < 0)
-+ return svc_stop_kthreads(serv, pool, nrservs);
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(svc_set_num_threads_sync);
-+
- /*
- * Called from a server thread as it's exiting. Caller must hold the "service
- * mutex" for the service.
diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
deleted file mode 100644
index 4e6fe5f..0000000
--- a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Tue, 12 Sep 2017 22:21:21 +0000
-Subject: nl80211: check for the required netlink attributes presence
-Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
-
-nl80211_set_rekey_data() does not check if the required attributes
-NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
-NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
-users with CAP_NET_ADMIN privilege and may result in NULL dereference
-and a system crash. Add a check for the required attributes presence.
-This patch is based on the patch by bo Zhang.
-
-This fixes CVE-2017-12153.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
-Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
-Cc: <stable at vger.kernel.org> # v3.1-rc1
-Reported-by: bo Zhang <zhangbo5891001 at gmail.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
----
- net/wireless/nl80211.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -10381,6 +10381,9 @@ static int nl80211_set_rekey_data(struct
- if (err)
- return err;
-
-+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
-+ !tb[NL80211_REKEY_DATA_KCK])
-+ return -EINVAL;
- if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
- return -ERANGE;
- if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
deleted file mode 100644
index 6c4f009..0000000
--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long <lucien.xin at gmail.com>
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
-[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[ 651.627260] Call Trace:
-[ 651.629156] skb_release_all+0x4f/0x60
-[ 651.629450] consume_skb+0x1a5/0x600
-[ 651.630705] netlink_unicast+0x505/0x720
-[ 651.632345] netlink_sendmsg+0xab2/0xe70
-[ 651.633704] sock_sendmsg+0xcf/0x110
-[ 651.633942] ___sys_sendmsg+0x833/0x980
-[ 651.637117] __sys_sendmsg+0xf3/0x240
-[ 651.638820] SyS_sendmsg+0x32/0x50
-[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang <chunwang at redhat.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Chris Leech <cleech at redhat.com>
----
- drivers/scsi/scsi_transport_iscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3696,7 +3696,7 @@ iscsi_if_rx(struct sk_buff *skb)
- uint32_t group;
-
- nlh = nlmsg_hdr(skb);
-- if (nlh->nlmsg_len < sizeof(*nlh) ||
-+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
- skb->len < nlh->nlmsg_len) {
- break;
- }
diff --git a/debian/patches/bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch b/debian/patches/bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
deleted file mode 100644
index f2c986c..0000000
--- a/debian/patches/bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Wed, 30 Aug 2017 16:30:35 +0300
-Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code
-Origin: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14051
-
-The value of "size" comes from the user. When we add "start + size" it
-could lead to an integer overflow bug.
-
-It means we vmalloc() a lot more memory than we had intended. I believe
-that on 64 bit systems vmalloc() can succeed even if we ask it to
-allocate huge 4GB buffers. So we would get memory corruption and likely
-a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
-
-Only root can trigger this bug.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
-
-Cc: <stable at vger.kernel.org>
-Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
-Reported-by: shqking <shqking at gmail.com>
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
----
- drivers/scsi/qla2xxx/qla_attr.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/scsi/qla2xxx/qla_attr.c
-+++ b/drivers/scsi/qla2xxx/qla_attr.c
-@@ -310,6 +310,8 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
- return -EINVAL;
- if (start > ha->optrom_size)
- return -EINVAL;
-+ if (size > ha->optrom_size - start)
-+ size = ha->optrom_size - start;
-
- mutex_lock(&ha->optrom_mutex);
- switch (val) {
-@@ -335,8 +337,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
- }
-
- ha->optrom_region_start = start;
-- ha->optrom_region_size = start + size > ha->optrom_size ?
-- ha->optrom_size - start : size;
-+ ha->optrom_region_size = start + size;
-
- ha->optrom_state = QLA_SREADING;
- ha->optrom_buffer = vmalloc(ha->optrom_region_size);
-@@ -409,8 +410,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
- }
-
- ha->optrom_region_start = start;
-- ha->optrom_region_size = start + size > ha->optrom_size ?
-- ha->optrom_size - start : size;
-+ ha->optrom_region_size = start + size;
-
- ha->optrom_state = QLA_SWRITING;
- ha->optrom_buffer = vmalloc(ha->optrom_region_size);
diff --git a/debian/patches/bugfix/all/sunrpc-refactor-svc_set_num_threads.patch b/debian/patches/bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
deleted file mode 100644
index 5fae928..0000000
--- a/debian/patches/bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From: Trond Myklebust <trond.myklebust at primarydata.com>
-Date: Wed, 26 Apr 2017 11:55:26 -0400
-Subject: [1/2] SUNRPC: Refactor svc_set_num_threads()
-Origin: https://git.kernel.org/linus/9e0d87680d689f1758185851c3da6eafb16e71e1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9059
-
-Refactor to separate out the functions of starting and stopping threads
-so that they can be used in other helpers.
-
-Signed-off-by: Trond Myklebust <trond.myklebust at primarydata.com>
-Tested-and-reviewed-by: Kinglong Mee <kinglongmee at gmail.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- net/sunrpc/svc.c | 96 ++++++++++++++++++++++++++++++++++----------------------
- 1 file changed, 58 insertions(+), 38 deletions(-)
-
-diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
-index a08aeb56b8e4..98dc33ae738b 100644
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -702,59 +702,32 @@ choose_victim(struct svc_serv *serv, struct svc_pool *pool, unsigned int *state)
- return task;
- }
-
--/*
-- * Create or destroy enough new threads to make the number
-- * of threads the given number. If `pool' is non-NULL, applies
-- * only to threads in that pool, otherwise round-robins between
-- * all pools. Caller must ensure that mutual exclusion between this and
-- * server startup or shutdown.
-- *
-- * Destroying threads relies on the service threads filling in
-- * rqstp->rq_task, which only the nfs ones do. Assumes the serv
-- * has been created using svc_create_pooled().
-- *
-- * Based on code that used to be in nfsd_svc() but tweaked
-- * to be pool-aware.
-- */
--int
--svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
-+/* create new threads */
-+static int
-+svc_start_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
- {
- struct svc_rqst *rqstp;
- struct task_struct *task;
- struct svc_pool *chosen_pool;
-- int error = 0;
- unsigned int state = serv->sv_nrthreads-1;
- int node;
-
-- if (pool == NULL) {
-- /* The -1 assumes caller has done a svc_get() */
-- nrservs -= (serv->sv_nrthreads-1);
-- } else {
-- spin_lock_bh(&pool->sp_lock);
-- nrservs -= pool->sp_nrthreads;
-- spin_unlock_bh(&pool->sp_lock);
-- }
--
-- /* create new threads */
-- while (nrservs > 0) {
-+ do {
- nrservs--;
- chosen_pool = choose_pool(serv, pool, &state);
-
- node = svc_pool_map_get_node(chosen_pool->sp_id);
- rqstp = svc_prepare_thread(serv, chosen_pool, node);
-- if (IS_ERR(rqstp)) {
-- error = PTR_ERR(rqstp);
-- break;
-- }
-+ if (IS_ERR(rqstp))
-+ return PTR_ERR(rqstp);
-
- __module_get(serv->sv_ops->svo_module);
- task = kthread_create_on_node(serv->sv_ops->svo_function, rqstp,
- node, "%s", serv->sv_name);
- if (IS_ERR(task)) {
-- error = PTR_ERR(task);
- module_put(serv->sv_ops->svo_module);
- svc_exit_thread(rqstp);
-- break;
-+ return PTR_ERR(task);
- }
-
- rqstp->rq_task = task;
-@@ -763,15 +736,62 @@ svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
-
- svc_sock_update_bufs(serv);
- wake_up_process(task);
-- }
-+ } while (nrservs > 0);
-+
-+ return 0;
-+}
-+
-+
-+/* destroy old threads */
-+static int
-+svc_signal_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
-+{
-+ struct task_struct *task;
-+ unsigned int state = serv->sv_nrthreads-1;
-+
- /* destroy old threads */
-- while (nrservs < 0 &&
-- (task = choose_victim(serv, pool, &state)) != NULL) {
-+ do {
-+ task = choose_victim(serv, pool, &state);
-+ if (task == NULL)
-+ break;
- send_sig(SIGINT, task, 1);
- nrservs++;
-+ } while (nrservs < 0);
-+
-+ return 0;
-+}
-+
-+/*
-+ * Create or destroy enough new threads to make the number
-+ * of threads the given number. If `pool' is non-NULL, applies
-+ * only to threads in that pool, otherwise round-robins between
-+ * all pools. Caller must ensure that mutual exclusion between this and
-+ * server startup or shutdown.
-+ *
-+ * Destroying threads relies on the service threads filling in
-+ * rqstp->rq_task, which only the nfs ones do. Assumes the serv
-+ * has been created using svc_create_pooled().
-+ *
-+ * Based on code that used to be in nfsd_svc() but tweaked
-+ * to be pool-aware.
-+ */
-+int
-+svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
-+{
-+ if (pool == NULL) {
-+ /* The -1 assumes caller has done a svc_get() */
-+ nrservs -= (serv->sv_nrthreads-1);
-+ } else {
-+ spin_lock_bh(&pool->sp_lock);
-+ nrservs -= pool->sp_nrthreads;
-+ spin_unlock_bh(&pool->sp_lock);
- }
-
-- return error;
-+ if (nrservs > 0)
-+ return svc_start_kthreads(serv, pool, nrservs);
-+ if (nrservs < 0)
-+ return svc_signal_kthreads(serv, pool, nrservs);
-+ return 0;
- }
- EXPORT_SYMBOL_GPL(svc_set_num_threads);
-
diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
deleted file mode 100644
index 2d056c3..0000000
--- a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Mon, 4 Sep 2017 16:00:50 +0200
-Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
- userspace
-Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
-
-'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
-field unitialized, leaking data from the stack. Fix this ensuring all of
-'clk' is initialized to zero.
-
-References: https://github.com/torvalds/linux/pull/441
-Reported-by: sohu0106 <sohu0106 at 126.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
----
- drivers/video/fbdev/aty/atyfb_base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/video/fbdev/aty/atyfb_base.c
-+++ b/drivers/video/fbdev/aty/atyfb_base.c
-@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
- #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
- case ATYIO_CLKR:
- if (M64_HAS(INTEGRATED)) {
-- struct atyclk clk;
-+ struct atyclk clk = { 0 };
- union aty_pll *pll = &par->pll;
- u32 dsp_config = pll->ct.dsp_config;
- u32 dsp_on_off = pll->ct.dsp_on_off;
diff --git a/debian/patches/bugfix/arm64/arm64-support-keyctl-system-call-in-32-bit-mode.patch b/debian/patches/bugfix/arm64/arm64-support-keyctl-system-call-in-32-bit-mode.patch
deleted file mode 100644
index 1d1fbce..0000000
--- a/debian/patches/bugfix/arm64/arm64-support-keyctl-system-call-in-32-bit-mode.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Wed, 8 Mar 2017 16:27:04 -0800
-Subject: arm64: support keyctl() system call in 32-bit mode
-Origin: https://git.kernel.org/linus/5c2a625937ba49bc691089370638223d310cda9a
-Bug-Debian: https://bugs.debian.org/881830
-
-As is the case for a number of other architectures that have a 32-bit
-compat mode, enable KEYS_COMPAT if both COMPAT and KEYS are enabled.
-This allows AArch32 programs to use the keyctl() system call when
-running on an AArch64 kernel.
-
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: Will Deacon <will.deacon at arm.com>
----
- arch/arm64/Kconfig | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -1027,6 +1027,10 @@ config SYSVIPC_COMPAT
- def_bool y
- depends on COMPAT && SYSVIPC
-
-+config KEYS_COMPAT
-+ def_bool y
-+ depends on COMPAT && KEYS
-+
- endmenu
-
- menu "Power management options"
diff --git a/debian/patches/bugfix/mips/security-keys-add-config_keys_compat-to-kconfig.patch b/debian/patches/bugfix/mips/security-keys-add-config_keys_compat-to-kconfig.patch
deleted file mode 100644
index 4f45cd6..0000000
--- a/debian/patches/bugfix/mips/security-keys-add-config_keys_compat-to-kconfig.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: Bilal Amarni <bilal.amarni at gmail.com>
-Date: Thu, 8 Jun 2017 14:47:26 +0100
-Subject: security/keys: add CONFIG_KEYS_COMPAT to Kconfig
-Origin: https://git.kernel.org/linus/47b2c3fff4932e6fc17ce13d51a43c6969714e20
-Bug-Debian: https://bugs.debian.org/881830
-
-CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for
-several 64-bit architectures : mips, parisc, tile.
-
-At the moment and for those architectures, calling in 32-bit userspace the
-keyctl syscall would return an ENOSYS error.
-
-This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to
-make sure the compatibility wrapper is registered by default for any 64-bit
-architecture as long as it is configured with CONFIG_COMPAT.
-
-[DH: Modified to remove arm64 compat enablement also as requested by Eric
- Biggers]
-
-Signed-off-by: Bilal Amarni <bilal.amarni at gmail.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Reviewed-by: Arnd Bergmann <arnd at arndb.de>
-cc: Eric Biggers <ebiggers3 at gmail.com>
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- arch/arm64/Kconfig | 4 ----
- arch/powerpc/Kconfig | 5 -----
- arch/s390/Kconfig | 3 ---
- arch/sparc/Kconfig | 3 ---
- arch/x86/Kconfig | 4 ----
- security/keys/Kconfig | 4 ++++
- 6 files changed, 4 insertions(+), 19 deletions(-)
-
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -1027,10 +1027,6 @@ config SYSVIPC_COMPAT
- def_bool y
- depends on COMPAT && SYSVIPC
-
--config KEYS_COMPAT
-- def_bool y
-- depends on COMPAT && KEYS
--
- endmenu
-
- menu "Power management options"
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -1087,11 +1087,6 @@ source "arch/powerpc/Kconfig.debug"
-
- source "security/Kconfig"
-
--config KEYS_COMPAT
-- bool
-- depends on COMPAT && KEYS
-- default y
--
- source "crypto/Kconfig"
-
- config PPC_LIB_RHEAP
---- a/arch/s390/Kconfig
-+++ b/arch/s390/Kconfig
-@@ -359,9 +359,6 @@ config COMPAT
- config SYSVIPC_COMPAT
- def_bool y if COMPAT && SYSVIPC
-
--config KEYS_COMPAT
-- def_bool y if COMPAT && KEYS
--
- config SMP
- def_bool y
- prompt "Symmetric multi-processing support"
---- a/arch/sparc/Kconfig
-+++ b/arch/sparc/Kconfig
-@@ -568,9 +568,6 @@ config SYSVIPC_COMPAT
- depends on COMPAT && SYSVIPC
- default y
-
--config KEYS_COMPAT
-- def_bool y if COMPAT && KEYS
--
- endmenu
-
- source "net/Kconfig"
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -2732,10 +2732,6 @@ config COMPAT_FOR_U64_ALIGNMENT
- config SYSVIPC_COMPAT
- def_bool y
- depends on SYSVIPC
--
--config KEYS_COMPAT
-- def_bool y
-- depends on KEYS
- endif
-
- endmenu
---- a/security/keys/Kconfig
-+++ b/security/keys/Kconfig
-@@ -20,6 +20,10 @@ config KEYS
-
- If you are unsure as to whether this is required, answer N.
-
-+config KEYS_COMPAT
-+ def_bool y
-+ depends on COMPAT && KEYS
-+
- config PERSISTENT_KEYRINGS
- bool "Enable register of persistent per-UID keyrings"
- depends on KEYS
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
deleted file mode 100644
index 9e6984e..0000000
--- a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Jim Mattson <jmattson at google.com>
-Date: Tue, 12 Sep 2017 13:02:54 -0700
-Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
-Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
-
-If L1 does not specify the "use TPR shadow" VM-execution control in
-vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
-exiting" VM-execution controls in vmcs02. Failure to do so will give
-the L2 VM unrestricted read/write access to the hardware CR8.
-
-This fixes CVE-2017-12154.
-
-Signed-off-by: Jim Mattson <jmattson at google.com>
-Reviewed-by: David Hildenbrand <david at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/vmx.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -9992,6 +9992,11 @@ static void prepare_vmcs02(struct kvm_vc
- vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
- page_to_phys(vmx->nested.virtual_apic_page));
- vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
-+ } else {
-+#ifdef CONFIG_X86_64
-+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
-+ CPU_BASED_CR8_STORE_EXITING;
-+#endif
- }
-
- if (cpu_has_vmx_msr_bitmap() &&
diff --git a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
deleted file mode 100644
index 6dea72e..0000000
--- a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh at amazon.de>
-Date: Thu, 7 Sep 2017 19:02:30 +0100
-Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
-
-The value of the guest_irq argument to vmx_update_pi_irte() is
-ultimately coming from a KVM_IRQFD API call. Do not BUG() in
-vmx_update_pi_irte() if the value is out-of bounds. (Especially,
-since KVM as a whole seems to hang after that.)
-
-Instead, print a message only once if we find that we don't have a
-route for a certain IRQ (which can be out-of-bounds or within the
-array).
-
-This fixes CVE-2017-1000252.
-
-Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
-Signed-off-by: Jan H. Schönherr <jschoenh at amazon.de>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -11159,7 +11159,7 @@ static int vmx_update_pi_irte(struct kvm
- struct kvm_lapic_irq irq;
- struct kvm_vcpu *vcpu;
- struct vcpu_data vcpu_info;
-- int idx, ret = -EINVAL;
-+ int idx, ret = 0;
-
- if (!kvm_arch_has_assigned_device(kvm) ||
- !irq_remapping_cap(IRQ_POSTING_CAP) ||
-@@ -11168,7 +11168,12 @@ static int vmx_update_pi_irte(struct kvm
-
- idx = srcu_read_lock(&kvm->irq_srcu);
- irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
-- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
-+ if (guest_irq >= irq_rt->nr_rt_entries ||
-+ hlist_empty(&irq_rt->map[guest_irq])) {
-+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
-+ guest_irq, irq_rt->nr_rt_entries);
-+ goto out;
-+ }
-
- hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
- if (e->type != KVM_IRQ_ROUTING_MSI)
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch b/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
deleted file mode 100644
index dbe582c..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Wed, 7 Jun 2017 15:13:14 +0200
-Subject: KVM: x86: fix singlestepping over syscall
-Origin: https://git.kernel.org/linus/c8401dda2f0a00cd25c0af6a95ed50e478d25de4
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7518
-
-TF is handled a bit differently for syscall and sysret, compared
-to the other instructions: TF is checked after the instruction completes,
-so that the OS can disable #DB at a syscall by adding TF to FMASK.
-When the sysret is executed the #DB is taken "as if" the syscall insn
-just completed.
-
-KVM emulates syscall so that it can trap 32-bit syscall on Intel processors.
-Fix the behavior, otherwise you could get #DB on a user stack which is not
-nice. This does not affect Linux guests, as they use an IST or task gate
-for #DB.
-
-This fixes CVE-2017-7518.
-
-Cc: stable at vger.kernel.org
-Reported-by: Andy Lutomirski <luto at kernel.org>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
-[bwh: Backported to 4.9:
- - kvm_vcpu_check_singlestep() sets some flags differently
- - Drop changes to kvm_skip_emulated_instruction()]
----
---- a/arch/x86/include/asm/kvm_emulate.h
-+++ b/arch/x86/include/asm/kvm_emulate.h
-@@ -296,6 +296,7 @@ struct x86_emulate_ctxt {
-
- bool perm_ok; /* do not check permissions if true */
- bool ud; /* inject an #UD if host doesn't support insn */
-+ bool tf; /* TF value before instruction (after for syscall/sysret) */
-
- bool have_exception;
- struct x86_exception exception;
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2738,6 +2738,7 @@ static int em_syscall(struct x86_emulate
- ctxt->eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF);
- }
-
-+ ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
- return X86EMUL_CONTINUE;
- }
-
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5250,6 +5250,8 @@ static void init_emulate_ctxt(struct kvm
- kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
-
- ctxt->eflags = kvm_get_rflags(vcpu);
-+ ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
-+
- ctxt->eip = kvm_rip_read(vcpu);
- ctxt->mode = (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL :
- (ctxt->eflags & X86_EFLAGS_VM) ? X86EMUL_MODE_VM86 :
-@@ -5465,37 +5467,26 @@ static int kvm_vcpu_check_hw_bp(unsigned
- return dr6;
- }
-
--static void kvm_vcpu_check_singlestep(struct kvm_vcpu *vcpu, unsigned long rflags, int *r)
-+static void kvm_vcpu_do_singlestep(struct kvm_vcpu *vcpu, int *r)
- {
- struct kvm_run *kvm_run = vcpu->run;
-
-- /*
-- * rflags is the old, "raw" value of the flags. The new value has
-- * not been saved yet.
-- *
-- * This is correct even for TF set by the guest, because "the
-- * processor will not generate this exception after the instruction
-- * that sets the TF flag".
-- */
-- if (unlikely(rflags & X86_EFLAGS_TF)) {
-- if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
-- kvm_run->debug.arch.dr6 = DR6_BS | DR6_FIXED_1 |
-- DR6_RTM;
-- kvm_run->debug.arch.pc = vcpu->arch.singlestep_rip;
-- kvm_run->debug.arch.exception = DB_VECTOR;
-- kvm_run->exit_reason = KVM_EXIT_DEBUG;
-- *r = EMULATE_USER_EXIT;
-- } else {
-- vcpu->arch.emulate_ctxt.eflags &= ~X86_EFLAGS_TF;
-- /*
-- * "Certain debug exceptions may clear bit 0-3. The
-- * remaining contents of the DR6 register are never
-- * cleared by the processor".
-- */
-- vcpu->arch.dr6 &= ~15;
-- vcpu->arch.dr6 |= DR6_BS | DR6_RTM;
-- kvm_queue_exception(vcpu, DB_VECTOR);
-- }
-+ if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP) {
-+ kvm_run->debug.arch.dr6 = DR6_BS | DR6_FIXED_1 | DR6_RTM;
-+ kvm_run->debug.arch.pc = vcpu->arch.singlestep_rip;
-+ kvm_run->debug.arch.exception = DB_VECTOR;
-+ kvm_run->exit_reason = KVM_EXIT_DEBUG;
-+ *r = EMULATE_USER_EXIT;
-+ } else {
-+ vcpu->arch.emulate_ctxt.eflags &= ~X86_EFLAGS_TF;
-+ /*
-+ * "Certain debug exceptions may clear bit 0-3. The
-+ * remaining contents of the DR6 register are never
-+ * cleared by the processor".
-+ */
-+ vcpu->arch.dr6 &= ~15;
-+ vcpu->arch.dr6 |= DR6_BS | DR6_RTM;
-+ kvm_queue_exception(vcpu, DB_VECTOR);
- }
- }
-
-@@ -5650,8 +5641,9 @@ restart:
- toggle_interruptibility(vcpu, ctxt->interruptibility);
- vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
- kvm_rip_write(vcpu, ctxt->eip);
-- if (r == EMULATE_DONE)
-- kvm_vcpu_check_singlestep(vcpu, rflags, &r);
-+ if (r == EMULATE_DONE &&
-+ (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
-+ kvm_vcpu_do_singlestep(vcpu, &r);
- if (!ctxt->have_exception ||
- exception_type(ctxt->exception.vector) == EXCPT_TRAP)
- __kvm_set_rflags(vcpu, ctxt->eflags);
diff --git a/debian/patches/debian/keys-limit-abi-change-in-4.9.59.patch b/debian/patches/debian/keys-limit-abi-change-in-4.9.59.patch
new file mode 100644
index 0000000..a069e0e
--- /dev/null
+++ b/debian/patches/debian/keys-limit-abi-change-in-4.9.59.patch
@@ -0,0 +1,95 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 29 Oct 2017 10:30:46 +0000
+Subject: KEYS: Limit ABI change in 4.9.59
+Forwarded: not-needed
+
+Commit 363b02dab09b ("KEYS: Fix race between updating and finding a
+negative key") rearranged various state members in struct key, resulting
+in an ABI change for all keys APIs.
+
+Only the keys subsystem and key type implementation use this state
+information, so we can limit the ABI break to them:
+
+- Renumber the other flags back to their old values
+- Hide the deletion of the reject_error field from genksyms (it was only
+ used inside the keys subsystem)
+- Move the new state field to the end of the structure and hide it from
+ genksyms
+- Rename the register_key_type() function, so newly built key type
+ modules will only load on top of the new keys subsystem while old
+ key type modules will only load on top of the old keys subsystem
+
+---
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -162,7 +162,6 @@ struct key {
+ * - may not match RCU dereferenced payload
+ * - payload should contain own length
+ */
+- short state; /* Key state (+) or rejection error (-) */
+
+ #ifdef KEY_DEBUGGING
+ unsigned magic;
+@@ -171,16 +170,16 @@ struct key {
+ #endif
+
+ unsigned long flags; /* status flags (change with bitops) */
+-#define KEY_FLAG_DEAD 0 /* set if key type has been deleted */
+-#define KEY_FLAG_REVOKED 1 /* set if key had been revoked */
+-#define KEY_FLAG_IN_QUOTA 2 /* set if key consumes quota */
+-#define KEY_FLAG_USER_CONSTRUCT 3 /* set if key is being constructed in userspace */
+-#define KEY_FLAG_ROOT_CAN_CLEAR 4 /* set if key can be cleared by root without permission */
+-#define KEY_FLAG_INVALIDATED 5 /* set if key has been invalidated */
+-#define KEY_FLAG_BUILTIN 6 /* set if key is built in to the kernel */
+-#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */
+-#define KEY_FLAG_KEEP 8 /* set if key should not be removed */
+-#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */
++#define KEY_FLAG_DEAD 1 /* set if key type has been deleted */
++#define KEY_FLAG_REVOKED 2 /* set if key had been revoked */
++#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */
++#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */
++#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
++#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
++#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */
++#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */
++#define KEY_FLAG_KEEP 10 /* set if key should not be removed */
++#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */
+
+ /* the key type and key description string
+ * - the desc is used to match a key against search criteria
+@@ -206,6 +205,9 @@ struct key {
+ struct list_head name_link;
+ struct assoc_array keys;
+ };
++#ifdef __GENKSYMS__
++ int reject_error;
++#endif
+ };
+
+ /* This is set on a keyring to restrict the addition of a link to a key
+@@ -221,6 +223,10 @@ struct key {
+ int (*restrict_link)(struct key *keyring,
+ const struct key_type *type,
+ const union key_payload *payload);
++
++#ifndef __GENKSYMS__
++ short state; /* Key state (+) or rejection error (-) */
++#endif
+ };
+
+ extern struct key *key_alloc(struct key_type *type,
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -154,6 +154,12 @@ struct key_type {
+
+ extern struct key_type key_type_keyring;
+
++/*
++ * ABI compat: Rename register function so newly built key type modules
++ * will require a new kernel and can then safely assume the existence of the
++ * key::state field. Other keys users don't access it and are unaffected.
++ */
++#define register_key_type register_key_type_2
+ extern int register_key_type(struct key_type *ktype);
+ extern void unregister_key_type(struct key_type *ktype);
+
diff --git a/debian/patches/debian/mac80211-avoid-abi-change-in-4.9.53.patch b/debian/patches/debian/mac80211-avoid-abi-change-in-4.9.53.patch
new file mode 100644
index 0000000..2f3f9bb
--- /dev/null
+++ b/debian/patches/debian/mac80211-avoid-abi-change-in-4.9.53.patch
@@ -0,0 +1,34 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 28 Oct 2017 20:46:43 +0100
+Subject: mac80211: Avoid ABI change in 4.9.53
+Forwarded: not-needed
+
+Commit 531682159092 ("mac80211: fix VLAN handling with TXQs") replaced
+a union with two separate members in ieee80211_tx_info::control. The
+one which changed offset (enqueue_time) doesn't appear to be accessed
+outside of the mac80211 module, so this shouldn't be an ABI change for
+drivers. Therefore hide the ABI change from genksyms.
+
+---
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -902,10 +902,19 @@ struct ieee80211_tx_info {
+ unsigned long jiffies;
+ };
+ /* NB: vif can be NULL for injected frames */
++#ifndef __GENKSYMS__
+ struct ieee80211_vif *vif;
++#else
++ union {
++ struct ieee80211_vif *vif;
++ codel_time_t enqueue_time;
++ };
++#endif
+ struct ieee80211_key_conf *hw_key;
+ u32 flags;
++#ifndef __GENKSYMS__
+ codel_time_t enqueue_time;
++#endif
+ } control;
+ struct {
+ u64 cookie;
diff --git a/debian/patches/debian/mm-page_alloc-avoid-abi-change-in-4.9.65.patch b/debian/patches/debian/mm-page_alloc-avoid-abi-change-in-4.9.65.patch
new file mode 100644
index 0000000..6470e3b
--- /dev/null
+++ b/debian/patches/debian/mm-page_alloc-avoid-abi-change-in-4.9.65.patch
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 29 Nov 2017 20:05:45 +0000
+Subject: mm/page_alloc: Avoid ABI change in 4.9.65
+Forwarded: not-needed
+
+Commit d135e5750205 "mm/page_alloc.c: broken deferred calculation"
+renamed pglist_data::static_init_size to static_init_pgcnt. However
+the field has the same semantics as were intended originally (and in
+any case, the field is only used by built-in code). Hide the renaming
+from genksyms.
+
+---
+--- a/include/linux/mmzone.h
++++ b/include/linux/mmzone.h
+@@ -673,7 +673,11 @@ typedef struct pglist_data {
+ */
+ unsigned long first_deferred_pfn;
+ /* Number of non-deferred pages */
++#ifndef __GENKSYMS__
+ unsigned long static_init_pgcnt;
++#else
++ unsigned long static_init_size;
++#endif
+ #endif /* CONFIG_DEFERRED_STRUCT_PAGE_INIT */
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
diff --git a/debian/patches/debian/mmc-sdio-avoid-abi-change-in-4.9.54.patch b/debian/patches/debian/mmc-sdio-avoid-abi-change-in-4.9.54.patch
new file mode 100644
index 0000000..0cc9ac0
--- /dev/null
+++ b/debian/patches/debian/mmc-sdio-avoid-abi-change-in-4.9.54.patch
@@ -0,0 +1,125 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 29 Nov 2017 19:54:22 +0000
+Subject: mmc: sdio: Avoid ABI change in 4.9.54
+Forwarded: not-needed
+
+Commit 5ef1ecf060f2 "mmc: sdio: fix alignment issue in struct
+sdio_func" changed the type of sdio_func::tmpbuf from array to
+pointer. On 64-bit architectures this also changes the size of the
+field. It appears that tmpbuf is only used by the MMC core, and the
+structure is always allocated there. So put padding in the old
+position, move the pointer to the end of the structure, and hide this
+from genksyms.
+
+Just in case I missed a user elsewhere, which might end up accessing
+memory off the end of an old structure, rename the field to
+core_tmpbuf (and update its users in the core).
+
+---
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -266,7 +266,7 @@ static void sdio_release_func(struct dev
+ sdio_free_func_cis(func);
+
+ kfree(func->info);
+- kfree(func->tmpbuf);
++ kfree(func->core_tmpbuf);
+ kfree(func);
+ }
+
+@@ -285,8 +285,8 @@ struct sdio_func *sdio_alloc_func(struct
+ * allocate buffer separately to make sure it's properly aligned for
+ * DMA usage (incl. 64 bit DMA)
+ */
+- func->tmpbuf = kmalloc(4, GFP_KERNEL);
+- if (!func->tmpbuf) {
++ func->core_tmpbuf = kmalloc(4, GFP_KERNEL);
++ if (!func->core_tmpbuf) {
+ kfree(func);
+ return ERR_PTR(-ENOMEM);
+ }
+--- a/drivers/mmc/core/sdio_io.c
++++ b/drivers/mmc/core/sdio_io.c
+@@ -530,14 +530,14 @@ u16 sdio_readw(struct sdio_func *func, u
+ if (err_ret)
+ *err_ret = 0;
+
+- ret = sdio_memcpy_fromio(func, func->tmpbuf, addr, 2);
++ ret = sdio_memcpy_fromio(func, func->core_tmpbuf, addr, 2);
+ if (ret) {
+ if (err_ret)
+ *err_ret = ret;
+ return 0xFFFF;
+ }
+
+- return le16_to_cpup((__le16 *)func->tmpbuf);
++ return le16_to_cpup((__le16 *)func->core_tmpbuf);
+ }
+ EXPORT_SYMBOL_GPL(sdio_readw);
+
+@@ -556,9 +556,9 @@ void sdio_writew(struct sdio_func *func,
+ {
+ int ret;
+
+- *(__le16 *)func->tmpbuf = cpu_to_le16(b);
++ *(__le16 *)func->core_tmpbuf = cpu_to_le16(b);
+
+- ret = sdio_memcpy_toio(func, addr, func->tmpbuf, 2);
++ ret = sdio_memcpy_toio(func, addr, func->core_tmpbuf, 2);
+ if (err_ret)
+ *err_ret = ret;
+ }
+@@ -582,14 +582,14 @@ u32 sdio_readl(struct sdio_func *func, u
+ if (err_ret)
+ *err_ret = 0;
+
+- ret = sdio_memcpy_fromio(func, func->tmpbuf, addr, 4);
++ ret = sdio_memcpy_fromio(func, func->core_tmpbuf, addr, 4);
+ if (ret) {
+ if (err_ret)
+ *err_ret = ret;
+ return 0xFFFFFFFF;
+ }
+
+- return le32_to_cpup((__le32 *)func->tmpbuf);
++ return le32_to_cpup((__le32 *)func->core_tmpbuf);
+ }
+ EXPORT_SYMBOL_GPL(sdio_readl);
+
+@@ -608,9 +608,9 @@ void sdio_writel(struct sdio_func *func,
+ {
+ int ret;
+
+- *(__le32 *)func->tmpbuf = cpu_to_le32(b);
++ *(__le32 *)func->core_tmpbuf = cpu_to_le32(b);
+
+- ret = sdio_memcpy_toio(func, addr, func->tmpbuf, 4);
++ ret = sdio_memcpy_toio(func, addr, func->core_tmpbuf, 4);
+ if (err_ret)
+ *err_ret = ret;
+ }
+--- a/include/linux/mmc/sdio_func.h
++++ b/include/linux/mmc/sdio_func.h
+@@ -53,12 +53,21 @@ struct sdio_func {
+ unsigned int state; /* function state */
+ #define SDIO_STATE_PRESENT (1<<0) /* present in sysfs */
+
+- u8 *tmpbuf; /* DMA:able scratch buffer */
++#ifndef __GENKSYMS__
++ u8 pad_tmpbuf[4];
++#else
++ u8 tmpbuf[4];
++#endif
+
+ unsigned num_info; /* number of info strings */
+ const char **info; /* info strings */
+
+ struct sdio_func_tuple *tuples;
++
++#ifndef __GENKSYMS__
++ u8 *core_tmpbuf; /* DMA:able scratch buffer
++ * for SDIO core use */
++#endif
+ };
+
+ #define sdio_func_present(f) ((f)->state & SDIO_STATE_PRESENT)
diff --git a/debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.9.63.patch b/debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.9.63.patch
new file mode 100644
index 0000000..0cee413
--- /dev/null
+++ b/debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.9.63.patch
@@ -0,0 +1,58 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 16 Nov 2017 21:00:59 +0000
+Subject: netfilter: nat: Avoid ABI change in 4.9.63
+Forwarded: not-needed
+
+Commit e1bf1687740c ("netfilter: nat: Revert "netfilter: nat: convert
+nat bysrc hash to rhashtable") changed the type of
+nf_conn::nat_bysource. Thankfully the two types are the same size,
+and nothing outside of nf_nat_core touches this field directly. Hide
+the change from genksyms but add compile-time assertions to make sure
+that this isn't an ABI change.
+
+---
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -17,6 +17,7 @@
+ #include <linux/bitops.h>
+ #include <linux/compiler.h>
+ #include <linux/atomic.h>
++#include <linux/rhashtable.h>
+
+ #include <linux/netfilter/nf_conntrack_tcp.h>
+ #include <linux/netfilter/nf_conntrack_dccp.h>
+@@ -100,7 +101,11 @@ struct nf_conn {
+ possible_net_t ct_net;
+
+ #if IS_ENABLED(CONFIG_NF_NAT)
++#ifndef __GENKSYMS__
+ struct hlist_node nat_bysource;
++#else
++ struct rhlist_head nat_bysource;
++#endif
+ #endif
+ /* all members below initialized via memset */
+ u8 __nfct_init_offset[0];
+--- a/include/net/netfilter/nf_nat.h
++++ b/include/net/netfilter/nf_nat.h
+@@ -1,5 +1,6 @@
+ #ifndef _NF_NAT_H
+ #define _NF_NAT_H
++#include <linux/rhashtable.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/netfilter/nf_nat.h>
+ #include <net/netfilter/nf_conntrack_tuple.h>
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -811,6 +811,11 @@ static int __init nf_nat_init(void)
+ {
+ int ret;
+
++ /* bwh: Assert that nat_bysource hasn't changed size or alignment */
++ BUILD_BUG_ON(sizeof(struct hlist_node) != sizeof(struct rhlist_head));
++ BUILD_BUG_ON(__alignof__(struct hlist_node) !=
++ __alignof__(struct rhlist_head));
++
+ /* Leave them the same for the moment. */
+ nf_nat_htable_size = nf_conntrack_htable_size;
+
diff --git a/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
new file mode 100644
index 0000000..1602815
--- /dev/null
+++ b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 22:38:57 +0200
+Subject: Revert "bpf: one perf event close won't free bpf program attached ..."
+Forwarded: not-needed
+
+This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was
+commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream. It introduces
+an ABI break that's not easily avoidable. The bug it fixes doesn't seem
+to have any security impact.
+
+---
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -273,7 +273,6 @@ struct trace_event_call {
+ int perf_refcount;
+ struct hlist_head __percpu *perf_events;
+ struct bpf_prog *prog;
+- struct perf_event *bpf_prog_owner;
+
+ int (*perf_perm)(struct trace_event_call *,
+ struct perf_event *);
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7876,7 +7876,6 @@ static int perf_event_set_bpf_prog(struc
+ }
+ }
+ event->tp_event->prog = prog;
+- event->tp_event->bpf_prog_owner = event;
+
+ return 0;
+ }
+@@ -7891,7 +7890,7 @@ static void perf_event_free_bpf_prog(str
+ return;
+
+ prog = event->tp_event->prog;
+- if (prog && event->tp_event->bpf_prog_owner == event) {
++ if (prog) {
+ event->tp_event->prog = NULL;
+ bpf_prog_put(prog);
+ }
diff --git a/debian/patches/debian/revert-phy-increase-size-of-mii_bus_id_size-and-bus_id.patch b/debian/patches/debian/revert-phy-increase-size-of-mii_bus_id_size-and-bus_id.patch
new file mode 100644
index 0000000..add8d16
--- /dev/null
+++ b/debian/patches/debian/revert-phy-increase-size-of-mii_bus_id_size-and-bus_id.patch
@@ -0,0 +1,34 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 29 Nov 2017 02:31:04 +0000
+Subject: Revert "phy: increase size of MII_BUS_ID_SIZE and bus_id"
+Forwarded: not-needed
+
+This reverts commit a88a90128888dba8754db5a194dba84e9703b93f, which
+was commit 4567d686f5c6d955e57a3afa1741944c1e7f4033 upstream. I don't
+want to change ABI for this.
+
+---
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -142,7 +142,11 @@ static inline const char *phy_modes(phy_
+ /* Used when trying to connect to a specific phy (mii bus id:phy device id) */
+ #define PHY_ID_FMT "%s:%02x"
+
+-#define MII_BUS_ID_SIZE 61
++/*
++ * Need to be a little smaller than phydev->dev.bus_id to leave room
++ * for the ":%02x"
++ */
++#define MII_BUS_ID_SIZE (20 - 3)
+
+ /* Or MII_ADDR_C45 into regnum for read/write on mii_bus to enable the 21 bit
+ IEEE 802.3ae clause 45 addressing mode used by 10GIGE phy chips. */
+@@ -598,7 +602,7 @@ struct phy_driver {
+ /* A Structure for boards to register fixups with the PHY Lib */
+ struct phy_fixup {
+ struct list_head list;
+- char bus_id[MII_BUS_ID_SIZE + 3];
++ char bus_id[20];
+ u32 phy_uid;
+ u32 phy_uid_mask;
+ int (*run)(struct phy_device *phydev);
diff --git a/debian/patches/debian/s390-mm-avoid-abi-change-in-4.9.52.patch b/debian/patches/debian/s390-mm-avoid-abi-change-in-4.9.52.patch
new file mode 100644
index 0000000..accdc20
--- /dev/null
+++ b/debian/patches/debian/s390-mm-avoid-abi-change-in-4.9.52.patch
@@ -0,0 +1,76 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 27 Nov 2017 20:49:07 +0000
+Subject: s390/mm: Avoid ABI change in 4.9.52
+Forwarded: not-needed
+
+Commit 60f07c8ec5fa "s390/mm: fix race on mm->context.flush_mm" added
+a field to the s390 definition of mm_context_t. This is embedded in
+the arch-indepdendent struct mm_struct, so adding a new field results
+in an incompatible change to the layout of the larger struct.
+
+Move the new field out of mm_context_t to the end of mm_struct, and
+hide the change from genksyms.
+
+---
+--- a/arch/s390/include/asm/mmu.h
++++ b/arch/s390/include/asm/mmu.h
+@@ -5,7 +5,6 @@
+ #include <linux/errno.h>
+
+ typedef struct {
+- spinlock_t lock;
+ cpumask_t cpu_attach_mask;
+ atomic_t flush_count;
+ unsigned int flush_mm;
+@@ -26,7 +25,7 @@ typedef struct {
+ } mm_context_t;
+
+ #define INIT_MM_CONTEXT(name) \
+- .context.lock = __SPIN_LOCK_UNLOCKED(name.context.lock), \
++ .s390_flush_lock = __SPIN_LOCK_UNLOCKED(name.s390_flush_lock), \
+ .context.pgtable_lock = \
+ __SPIN_LOCK_UNLOCKED(name.context.pgtable_lock), \
+ .context.pgtable_list = LIST_HEAD_INIT(name.context.pgtable_list), \
+--- a/arch/s390/include/asm/mmu_context.h
++++ b/arch/s390/include/asm/mmu_context.h
+@@ -15,7 +15,7 @@
+ static inline int init_new_context(struct task_struct *tsk,
+ struct mm_struct *mm)
+ {
+- spin_lock_init(&mm->context.lock);
++ spin_lock_init(&mm->s390_flush_lock);
+ spin_lock_init(&mm->context.pgtable_lock);
+ INIT_LIST_HEAD(&mm->context.pgtable_list);
+ spin_lock_init(&mm->context.gmap_lock);
+--- a/arch/s390/include/asm/tlbflush.h
++++ b/arch/s390/include/asm/tlbflush.h
+@@ -96,12 +96,12 @@ static inline void __tlb_flush_kernel(vo
+
+ static inline void __tlb_flush_mm_lazy(struct mm_struct * mm)
+ {
+- spin_lock(&mm->context.lock);
++ spin_lock(&mm->s390_flush_lock);
+ if (mm->context.flush_mm) {
+ mm->context.flush_mm = 0;
+ __tlb_flush_mm(mm);
+ }
+- spin_unlock(&mm->context.lock);
++ spin_unlock(&mm->s390_flush_lock);
+ }
+
+ /*
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -523,6 +523,12 @@ struct mm_struct {
+ atomic_long_t hugetlb_usage;
+ #endif
+ struct work_struct async_put_work;
++#ifndef __GENKSYMS__
++#ifdef CONFIG_S390
++ /* bwh: This should be in s390's mm_context_t but that breaks ABI */
++ spinlock_t s390_flush_lock;
++#endif
++#endif
+ };
+
+ static inline void mm_init_cpumask(struct mm_struct *mm)
diff --git a/debian/patches/series b/debian/patches/series
index ba448be..5bb21c9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -65,8 +65,6 @@ bugfix/x86/platform-x86-ideapad-laptop-add-several-models-to-no.patch
bugfix/powerpc/powerpc-invalidate-erat-on-powersave-wakeup-for-power9.patch
bugfix/arm/arm-dts-exynos-add-dwc3-susphy-quirk.patch
bugfix/mips/mips-remove-pt_regs-adjustments-in-indirect-syscall-.patch
-bugfix/arm64/arm64-support-keyctl-system-call-in-32-bit-mode.patch
-bugfix/mips/security-keys-add-config_keys_compat-to-kconfig.patch
# Arch features
features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch
@@ -100,9 +98,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
-bugfix/all/ext4-preserve-i_mode-if-__ext4_set_acl-fails.patch
-bugfix/all/ext4-don-t-clear-sgid-when-inheriting-acls.patch
-bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch
# Miscellaneous features
features/all/netfilter-nft_ct-add-notrack-support.patch
@@ -135,15 +130,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/time-mark-timer_stats-as-broken.patch
bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
-bugfix/all/nfsv4-fix-callback-server-shutdown.patch
-bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
-bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
-bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
-bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
-bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
-bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
@@ -180,3 +166,11 @@ bugfix/all/liblockdep-fix-defined-but-not-used-warning-for-init.patch
# ABI maintenance
debian/ip6_fib-avoid-abi-change-in-4.9.51.patch
debian/inet_frag-limit-abi-change-in-4.9.51.patch
+debian/s390-mm-avoid-abi-change-in-4.9.52.patch
+debian/mac80211-avoid-abi-change-in-4.9.53.patch
+debian/mmc-sdio-avoid-abi-change-in-4.9.54.patch
+debian/keys-limit-abi-change-in-4.9.59.patch
+debian/netfilter-nat-avoid-abi-change-in-4.9.63.patch
+debian/mm-page_alloc-avoid-abi-change-in-4.9.65.patch
+debian/revert-phy-increase-size-of-mii_bus_id_size-and-bus_id.patch
+debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list