[linux] 01/01: Update to 4.14-rc5
debian-kernel at lists.debian.org
Tue Oct 17 22:34:06 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit 4206eefe1378e3eed2259a9ba390d99e5c748b39
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Oct 17 23:34:01 2017 +0100
Update to 4.14-rc5
---
debian/changelog | 2 +-
...seq-Fix-use-after-free-at-creating-a-port.patch | 141 ---------------------
...-Use-emergency-stack-for-kernel-TM-Bad-Th.patch | 79 ------------
...tm-Fix-illegal-TM-state-in-signal-handler.patch | 62 ---------
.../all/waitid-Add-missing-access_ok-checks.patch | 47 -------
...MU-always-terminate-page-walks-at-level-1.patch | 83 ------------
...date-last_nonleaf_level-when-initializing.patch | 34 -----
debian/patches/series | 6 -
8 files changed, 1 insertion(+), 453 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4719b3d..2baf804 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.14~rc4-1~exp1) UNRELEASED; urgency=medium
+linux (4.14~rc5-1~exp1) UNRELEASED; urgency=medium
* New upstream release candidate
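Review bot: the changelog hunk only bumps the version string, but the entry body should also record that the six security patches removed in this commit (tracked per their Bug-Debian-Security headers as CVE-2017-15265, CVE-2017-1000255, CVE-2017-5123 and CVE-2017-12188) are now carried by 4.14-rc5 upstream, so the security tracker and anyone reading the changelog can see where those fixes went without diffing debian/patches/series. A second bullet along the lines of "- Drop security fixes merged upstream" under the existing "New upstream release candidate" line would do.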
diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
deleted file mode 100644
index f9026ce..0000000
--- a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Mon, 9 Oct 2017 11:09:20 +0200
-Subject: ALSA: seq: Fix use-after-free at creating a port
-Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265
-
-There is a potential race window opened at creating and deleting a
-port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
-a port object and returns its pointer, but it doesn't take the
-refcount, thus it can be deleted immediately by another thread.
-Meanwhile, snd_seq_ioctl_create_port() still calls the function
-snd_seq_system_client_ev_port_start() with the created port object
-that is being deleted, and this triggers use-after-free like:
-
- BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
- =============================================================================
- BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
- -----------------------------------------------------------------------------
- INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
- ___slab_alloc+0x425/0x460
- __slab_alloc+0x20/0x40
- kmem_cache_alloc_trace+0x150/0x190
- snd_seq_create_port+0x94/0x9b0 [snd_seq]
- snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
- snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- snd_seq_ioctl+0x40/0x80 [snd_seq]
- do_vfs_ioctl+0x54b/0xda0
- SyS_ioctl+0x79/0x90
- entry_SYSCALL_64_fastpath+0x16/0x75
- INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
- __slab_free+0x204/0x310
- kfree+0x15f/0x180
- port_delete+0x136/0x1a0 [snd_seq]
- snd_seq_delete_port+0x235/0x350 [snd_seq]
- snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
- snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- snd_seq_ioctl+0x40/0x80 [snd_seq]
- do_vfs_ioctl+0x54b/0xda0
- SyS_ioctl+0x79/0x90
- entry_SYSCALL_64_fastpath+0x16/0x75
- Call Trace:
- [<ffffffff81b03781>] dump_stack+0x63/0x82
- [<ffffffff81531b3b>] print_trailer+0xfb/0x160
- [<ffffffff81536db4>] object_err+0x34/0x40
- [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
- [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
- [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
- [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
- [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
- [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
- [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
- [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
- [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
- .....
-
-We may fix this in a few different ways, and in this patch, it's fixed
-simply by taking the refcount properly at snd_seq_create_port() and
-letting the caller unref the object after use. Also, there is another
-potential use-after-free by sprintf() call in snd_seq_create_port(),
-and this is moved inside the lock.
-
-This fix covers CVE-2017-15265.
-
-Reported-and-tested-by: Michael23 Yu <ycqzsy at gmail.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/seq/seq_clientmgr.c | 6 +++++-
- sound/core/seq/seq_ports.c | 7 +++++--
- 2 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index ea2d0ae85bd3..6c9cba2166d9 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- struct snd_seq_port_info *info = arg;
- struct snd_seq_client_port *port;
- struct snd_seq_port_callback *callback;
-+ int port_idx;
-
- /* it is not allowed to create the port for an another client */
- if (info->addr.client != client->number)
-@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- return -ENOMEM;
-
- if (client->type == USER_CLIENT && info->kernel) {
-- snd_seq_delete_port(client, port->addr.port);
-+ port_idx = port->addr.port;
-+ snd_seq_port_unlock(port);
-+ snd_seq_delete_port(client, port_idx);
- return -EINVAL;
- }
- if (client->type == KERNEL_CLIENT) {
-@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
-
- snd_seq_set_port_info(port, info);
- snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
-+ snd_seq_port_unlock(port);
-
- return 0;
- }
-diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
-index 0a7020c82bfc..d21ece9f8d73 100644
---- a/sound/core/seq/seq_ports.c
-+++ b/sound/core/seq/seq_ports.c
-@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
- }
-
-
--/* create a port, port number is returned (-1 on failure) */
-+/* create a port, port number is returned (-1 on failure);
-+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
-+ */
- struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- int port)
- {
-@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- snd_use_lock_init(&new_port->use_lock);
- port_subs_info_init(&new_port->c_src);
- port_subs_info_init(&new_port->c_dest);
-+ snd_use_lock_use(&new_port->use_lock);
-
- num = port >= 0 ? port : 0;
- mutex_lock(&client->ports_mutex);
-@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- list_add_tail(&new_port->list, &p->list);
- client->num_ports++;
- new_port->addr.port = num; /* store the port number in the port */
-+ sprintf(new_port->name, "port-%d", num);
- write_unlock_irqrestore(&client->ports_lock, flags);
- mutex_unlock(&client->ports_mutex);
-- sprintf(new_port->name, "port-%d", num);
-
- return new_port;
- }
---
-2.11.0
-
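Review bot: dropping this file is only correct if the upstream commit named on its Origin line, 71105998845fb012937332fe2e806d443c09e026, is actually contained in the v4.14-rc5 tag; nothing in this commit records that check, so naming the upstream commit in the commit message or changelog (or noting a `git merge-base --is-ancestor` verification) would make the removal auditable. For the changelog, the dropped fix is the one tracked as CVE-2017-15265, the use-after-free in snd_seq_ioctl_create_port described above.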
diff --git a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch b/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
deleted file mode 100644
index 24c1553..0000000
--- a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Cyril Bur <cyrilbur at gmail.com>
-Date: Thu, 17 Aug 2017 20:42:26 +1000
-Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
- checks
-Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255
-
-When using transactional memory (TM), the CPU can be in one of six
-states as far as TM is concerned, encoded in the Machine State
-Register (MSR). Certain state transitions are illegal and if attempted
-trigger a "TM Bad Thing" type program check exception.
-
-If we ever hit one of these exceptions it's treated as a bug, ie. we
-oops, and kill the process and/or panic, depending on configuration.
-
-One case where we can trigger a TM Bad Thing, is when returning to
-userspace after a system call or interrupt, using RFID. When this
-happens the CPU first restores the user register state, in particular
-r1 (the stack pointer) and then attempts to update the MSR. However
-the MSR update is not allowed and so we take the program check with
-the user register state, but the kernel MSR.
-
-This tricks the exception entry code into thinking we have a bad
-kernel stack pointer, because the MSR says we're coming from the
-kernel, but r1 is pointing to userspace.
-
-To avoid this we instead always switch to the emergency stack if we
-take a TM Bad Thing from the kernel. That way none of the user
-register values are used, other than for printing in the oops message.
-
-This is the fix for CVE-2017-1000255.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable at vger.kernel.org # v4.9+
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-[mpe: Rewrite change log & comments, tweak asm slightly]
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index 48da0f5d2f7f..b82586c53560 100644
---- a/arch/powerpc/kernel/exceptions-64s.S
-+++ b/arch/powerpc/kernel/exceptions-64s.S
-@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
- EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
- TRAMP_KVM(PACA_EXGEN, 0x700)
- EXC_COMMON_BEGIN(program_check_common)
-- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
-+ /*
-+ * It's possible to receive a TM Bad Thing type program check with
-+ * userspace register values (in particular r1), but with SRR1 reporting
-+ * that we came from the kernel. Normally that would confuse the bad
-+ * stack logic, and we would report a bad kernel stack pointer. Instead
-+ * we switch to the emergency stack if we're taking a TM Bad Thing from
-+ * the kernel.
-+ */
-+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
-+ oris r10,r10,0x200000 at h /* .. and SRR1_PROGTM */
-+ and r10,r10,r12 /* Mask SRR1 with that. */
-+ srdi r10,r10,8 /* Shift it so we can compare */
-+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
-+ bne 1f /* If != go to normal path. */
-+
-+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
-+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
-+ /* 3 in EXCEPTION_PROLOG_COMMON */
-+ mr r10,r1 /* Save r1 */
-+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
-+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
-+ b 3f /* Jump into the macro !! */
-+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
- bl save_nvgprs
- RECONCILE_IRQ_STATE(r10, r11)
- addi r3,r1,STACK_FRAME_OVERHEAD
---
-2.11.0
-
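Review bot: the Cc: stable line in this dropped patch marks it for v4.9+, so removing the Debian copy here only covers the 4.14 packaging on master; the fix is expected to reach older series through stable releases rather than through this repository. Before relying on upstream for CVE-2017-1000255, confirm that 265e60a170d0a0ecfc2d20490134ed2c48dd45ab (the Origin line) is in rc5, and note that the patch's Subject wrapped onto a second line ("checks"), which is harmless in a quilt header but worth remembering if the subject is grepped for when cross-checking.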
diff --git a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch b/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
deleted file mode 100644
index 083cbbe..0000000
--- a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Gustavo Romero <gromero at linux.vnet.ibm.com>
-Date: Tue, 22 Aug 2017 17:20:09 -0400
-Subject: powerpc/tm: Fix illegal TM state in signal handler
-Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea
-
-Currently it's possible that on returning from the signal handler
-through the restore_tm_sigcontexts() code path (e.g. from a signal
-caught due to a `trap` instruction executed in the middle of an HTM
-block, or a deliberately constructed sigframe) an illegal TM state
-(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
-implicitly the MSR register from SRR1 register on return to userspace
-it causes a TM Bad Thing exception.
-
-That illegal state can be set (a) by a malicious user that disables
-the TM bit by tweaking the bits in uc_mcontext before returning from
-the signal handler or (b) by a sufficient number of context switches
-occurring such that the load_tm counter overflows and TM is disabled
-whilst in the signal handler.
-
-This commit fixes the illegal TM state by ensuring that TM bit is
-always enabled before we return from restore_tm_sigcontexts(). A small
-comment correction is made as well.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable at vger.kernel.org # v4.9+
-Signed-off-by: Gustavo Romero <gromero at linux.vnet.ibm.com>
-Signed-off-by: Breno Leitao <leitao at debian.org>
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index c83c115858c1..b2c002993d78 100644
---- a/arch/powerpc/kernel/signal_64.c
-+++ b/arch/powerpc/kernel/signal_64.c
-@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
- if (MSR_TM_RESV(msr))
- return -EINVAL;
-
-- /* pull in MSR TM from user context */
-+ /* pull in MSR TS bits from user context */
- regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
-
-+ /*
-+ * Ensure that TM is enabled in regs->msr before we leave the signal
-+ * handler. It could be the case that (a) user disabled the TM bit
-+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
-+ * TM bit was disabled because a sufficient number of context switches
-+ * happened whilst in the signal handler and load_tm overflowed,
-+ * disabling the TM bit. In either case we can end up with an illegal
-+ * TM state leading to a TM Bad Thing when we return to userspace.
-+ */
-+ regs->msr |= MSR_TM;
-+
- /* pull in MSR LE from user context */
- regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
-
---
-2.11.0
-
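Review bot: this patch carries no Bug-Debian-Security header, unlike the other five being dropped, yet it is the signal-handler companion to the emergency-stack fix above (same Fixes: 5d176f751ee3 line, same Cc: stable v4.9+ marker). If the changelog lists the upstream commits whose fixes this upload now inherits, list 044215d145a7a8a60ffa8fdc859d110a795fa6ea alongside 265e60a170d0a0ecfc2d20490134ed2c48dd45ab so both halves of the TM Bad Thing fix are tracked together, and verify both are in rc5 rather than assuming one implies the other.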
diff --git a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch b/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
deleted file mode 100644
index 4872b37..0000000
--- a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Mon, 9 Oct 2017 11:36:52 -0700
-Subject: waitid(): Add missing access_ok() checks
-Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
-
-Adds missing access_ok() checks.
-
-CVE-2017-5123
-
-Reported-by: Chris Salls <chrissalls5 at gmail.com>
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Acked-by: Al Viro <viro at zeniv.linux.org.uk>
-Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
-Cc: stable at kernel.org # 4.13
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- kernel/exit.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index f2cd53e92147..cf28528842bc 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- if (!infop)
- return err;
-
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
-@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (!infop)
- return err;
-
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
---
-2.15.0.rc0
-
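Review bot: the dropped waitid patch added access_ok() to both the native SYSCALL_DEFINE5 path and the COMPAT_SYSCALL_DEFINE5 path in kernel/exit.c; when confirming that upstream commit 96ca579a1ecc943b75beba58bebb0356f6cc4b51 is in 4.14-rc5, check that both access_ok(VERIFY_WRITE, infop, sizeof(*infop)) calls are present, since a partial pick would leave the compat entry point unchecked. Per the "Cc: stable at kernel.org # 4.13" and Fixes: 4c48abe91be0 lines, the regression is specific to 4.13 and later, so no equivalent patch is needed for older packaged series.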
diff --git a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch b/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
deleted file mode 100644
index 47cbead..0000000
--- a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 5 Oct 2017 11:10:23 +0200
-Subject: KVM: MMU: always terminate page walks at level 1
-Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-is_last_gpte() is not equivalent to the pseudo-code given in commit
-6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
-value of last_nonleaf_level may override the result even if level == 1.
-
-It is critical for is_last_gpte() to return true on level == 1 to
-terminate page walks. Otherwise memory corruption may occur as level
-is used as an index to various data structures throughout the page
-walking code. Even though the actual bug would be wherever the MMU is
-initialized (as in the previous patch), be defensive and ensure here
-that is_last_gpte() returns the correct value.
-
-This patch is also enough to fix CVE-2017-12188.
-
-Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
-Cc: stable at vger.kernel.org
-Cc: Andy Honig <ahonig at google.com>
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-[Panic if walk_addr_generic gets an incorrect level; this is a serious
- bug and it's not worth a WARN_ON where the recovery path might hide
- further exploitable issues; suggested by Andrew Honig. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/mmu.c | 14 +++++++-------
- arch/x86/kvm/paging_tmpl.h | 3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 3c25f20115bc..7a69cf053711 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
- unsigned level, unsigned gpte)
- {
- /*
-- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
-- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-- */
-- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
--
-- /*
- * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
- * If it is clear, there are no large pages at this level, so clear
- * PT_PAGE_SIZE_MASK in gpte if that is the case.
- */
- gpte &= level - mmu->last_nonleaf_level;
-
-+ /*
-+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
-+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-+ */
-+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-+
- return gpte & PT_PAGE_SIZE_MASK;
- }
-
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 86b68dc5a649..f18d1f8d332b 100644
---- a/arch/x86/kvm/paging_tmpl.h
-+++ b/arch/x86/kvm/paging_tmpl.h
-@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
- --walker->level;
-
- index = PT_INDEX(addr, walker->level);
--
- table_gfn = gpte_to_gfn(pte);
- offset = index * sizeof(pt_element_t);
- pte_gpa = gfn_to_gpa(table_gfn) + offset;
-+
-+ BUG_ON(walker->level < 1);
- walker->table_gfn[walker->level - 1] = table_gfn;
- walker->pte_gpa[walker->level - 1] = pte_gpa;
-
---
-2.11.0
-
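Review bot: this patch and the nVMX last_nonleaf_level patch that follows form a pair for CVE-2017-12188 (the description says this one is "also enough" on its own); verify that both 829ee279aed43faa5cb1e4d65c0cad52f2426c53 and fd19d3b45164466a4adce7cbff448ba9189e1427 are in rc5 rather than checking only one. Also worth a changelog or packaging note: the upstream fix deliberately uses BUG_ON(walker->level < 1) in walk_addr_generic instead of a WARN_ON (see the bracketed maintainer comment in the header), so a malformed walk level now panics the host rather than continuing, which is a behaviour change operators running KVM may want to know about.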
diff --git a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
deleted file mode 100644
index eefff5b..0000000
--- a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 5 Oct 2017 11:10:22 +0200
-Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
-Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-The function updates context->root_level but didn't call
-update_last_nonleaf_level so the previous and potentially wrong value
-was used for page walks. For example, a zero value of last_nonleaf_level
-would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
-walk_addr_generic function (CVE-2017-12188).
-
-Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/mmu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 106d4a029a8a..3c25f20115bc 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
-
- update_permission_bitmask(vcpu, context, true);
- update_pkru_bitmask(vcpu, context, true);
-+ update_last_nonleaf_level(vcpu, context);
- reset_rsvds_bits_mask_ept(vcpu, context, execonly);
- reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
- }
---
-2.11.0
-
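Review bot: this is the root-cause half of CVE-2017-12188 (the missing update_last_nonleaf_level call in kvm_init_shadow_ept_mmu), while the preceding patch is the defensive one, so the series order (nVMX first, then MMU) and the removal of both together are consistent. One detail for anyone cross-referencing the dropped text: its description cites "arch/x86/mmu/paging_tmpl.h", whereas the actual file shown in the companion patch is arch/x86/kvm/paging_tmpl.h; the mismatch is in the upstream commit message, not in the code, and does not affect the removal.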
diff --git a/debian/patches/series b/debian/patches/series
index 5710099..8938ee6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -112,12 +112,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
-bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
-bugfix/all/waitid-Add-missing-access_ok-checks.patch
-bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
-bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
-bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
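Review bot: the series hunk removes exactly the six entries matching the six deleted patch files, which is consistent with the diffstat, but it leaves only debian/i386-686-pae-pci-set-pci-nobios-by-default.patch under the "# Security fixes" heading. A one-line comment in series (or the changelog entry) noting that the former entries were merged in 4.14-rc5 would keep the provenance visible, so the near-empty section does not read as if no security patches were reviewed for this release candidate.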
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git