[linux] 01/01: Update to 4.13.9
debian-kernel at lists.debian.org
Thu Oct 26 20:41:18 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit 48bb38a3f7526c1fdca7afb79bf01f1d64bec3df
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Oct 26 11:12:11 2017 +0200
Update to 4.13.9
Drop many patches which are now upstream.
Avoid/ignore ABI changes as appropriate.
---
debian/changelog | 327 ++++++++++++++++++++-
debian/config/defines | 3 +
...seq-Fix-use-after-free-at-creating-a-port.patch | 141 ---------
.../KEYS-prevent-KEYCTL_READ-on-negative-key.patch | 81 -----
...d-length-check-in-brcmf_cfg80211_escan_ha.patch | 72 -----
.../bugfix/all/fix-infoleak-in-waitid-2.patch | 66 -----
...x-deadlock-in-driver-managed-RX-BA-sessio.patch | 151 ----------
...-the-required-netlink-attributes-presence.patch | 36 ---
...-Use-emergency-stack-for-kernel-TM-Bad-Th.patch | 79 -----
...tm-Fix-illegal-TM-state-in-signal-handler.patch | 62 ----
...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 ----
...-aty-do-not-leak-uninitialized-padding-in.patch | 30 --
.../all/waitid-Add-missing-access_ok-checks.patch | 47 ---
...MU-always-terminate-page-walks-at-level-1.patch | 83 ------
...date-last_nonleaf_level-when-initializing.patch | 34 ---
...don-t-allow-l2-to-access-the-hardware-cr8.patch | 34 ---
...vmx-do-not-bug-on-out-of-bounds-guest-irq.patch | 52 ----
.../debian/dax-avoid-abi-change-in-4.13.5.patch | 141 +++++++++
...f-event-close-won-t-free-bpf-program-atta.patch | 40 +++
.../debian/scsi-avoid-abi-change-in-4.13.6.patch | 22 ++
debian/patches/series | 22 +-
21 files changed, 537 insertions(+), 1041 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 802eae7..7a023d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,334 @@
-linux (4.13.4-3) UNRELEASED; urgency=medium
+linux (4.13.9-1) UNRELEASED; urgency=medium
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
+ - cifs: check rsp for NULL before dereferencing in SMB2_open
+ - cifs: release cifs root_cred after exit_cifs
+ - cifs: release auth_key.response for reconnect.
+ - nvme-pci: fix host memory buffer allocation fallback
+ - nvme-pci: use appropriate initial chunk size for HMB allocation
+ - nvme-pci: propagate (some) errors from host memory buffer setup
+ - dax: remove the pmem_dax_ops->flush abstraction
+ - dm integrity: do not check integrity for failed read operations
+ - mmc: block: Fix incorrectly initialized requests
+ - fs/proc: Report eip/esp in /prod/PID/stat for coredumping
+ - scsi: scsi_transport_fc: fix NULL pointer dereference in
+ fc_bsg_job_timeout
+ - cifs: SMB3: Add support for multidialect negotiate (SMB2.1 and later)
+ - mac80211: fix VLAN handling with TXQs
+ - mac80211_hwsim: Use proper TX power
+ - mac80211: flush hw_roc_start work before cancelling the ROC
+ - genirq: Make sparse_irq_lock protect what it should protect
+ - genirq/msi: Fix populating multiple interrupts
+ - genirq: Fix cpumask check in __irq_startup_managed()
+ - [powerpc*] KVM: Book3S HV: Hold kvm->lock around call to
+ kvmppc_update_lpcr
+ - [powerpc*] KVM: Book3S HV: Fix bug causing host SLB to be restored
+ incorrectly
+ - [powerpc*] KVM: PPC: Book3S HV: Don't access XIVE PIPR register using
+ byte accesses
+ - tracing: Fix trace_pipe behavior for instance traces
+ - tracing: Erase irqsoff trace with empty write
+ - tracing: Remove RCU work arounds from stack tracer
+ - md/raid5: fix a race condition in stripe batch
+ - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
+ - scsi: aacraid: Fix 2T+ drives on SmartIOC-2000
+ - scsi: aacraid: Add a small delay after IOP reset
+ - [armhf] drm/exynos: Fix locking in the suspend/resume paths
+ - [x86] drm/i915/gvt: Fix incorrect PCI BARs reporting
+ - Revert "drm/i915/bxt: Disable device ready before shutdown command"
+ - drm/amdgpu: revert tile table update for oland
+ - drm/radeon: disable hard reset in hibernate for APUs
+ - crypto: drbg - fix freeing of resources
+ - security/keys: properly zero out sensitive key material in big_key
+ - security/keys: rewrite all of big_key crypto
+ - KEYS: fix writing past end of user-supplied buffer in keyring_read()
+ - KEYS: prevent creating a different user's keyrings
+ - [x86] libnvdimm, namespace: fix btt claim class crash
+ - [powerpc*] eeh: Create PHB PEs after EEH is initialized
+ - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
+ - [powerpc*] tm: Flush TM only if CPU has TM feature
+ - [mips*] Fix perf event init
+ - [s390x] perf: fix bug when creating per-thread event
+ - [s390x] mm: make pmdp_invalidate() do invalidation only
+ - [s390x] mm: fix write access check in gup_huge_pmd()
+ - PM: core: Fix device_pm_check_callbacks()
+ - Revert "IB/ipoib: Update broadcast object if PKey value was changed in
+ index 0"
+ - cifs: Fix SMB3.1.1 guest authentication to Samba
+ - cifs: SMB3: Fix endian warning
+ - cifs: SMB3: Warn user if trying to sign connection that authenticated as
+ guest
+ - cifs: SMB: Validate negotiate (to protect against downgrade) even if
+ signing off
+ - cifs: SMB3: handle new statx fields
+ - cifs: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+ - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+ - libceph: don't allow bidirectional swap of pg-upmap-items
+ - brd: fix overflow in __brd_direct_access
+ - gfs2: Fix debugfs glocks dump
+ - bsg-lib: don't free job in bsg_prepare_job
+ - iw_cxgb4: drop listen destroy replies if no ep found
+ - iw_cxgb4: remove the stid on listen create failure
+ - iw_cxgb4: put ep reference in pass_accept_req()
+ - rcu: Allow for page faults in NMI handlers
+ - mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
+ - extable: Consolidate *kernel_text_address() functions
+ - extable: Enable RCU if it is not watching in kernel_text_address()
+ - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
+ - [arm64] Make sure SPsel is always set
+ - [arm64] mm: Use READ_ONCE when dereferencing pointer to pte table
+ - [arm64] fault: Route pte translation faults via do_translation_fault
+ - [x86] KVM: VMX: extract __pi_post_block
+ - [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
+ - [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
+ - [x86] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache
+ - [x86] kvm: Handle async PF in RCU read-side critical sections
+ - xfs: validate bdev support for DAX inode flag
+ - sched/sysctl: Check user input value of sysctl_sched_time_avg
+ - irq/generic-chip: Don't replace domain's name
+ - mtd: Fix partition alignment check on multi-erasesize devices
+ - [armhf] etnaviv: fix submit error path
+ - [armhf] etnaviv: fix gem object list corruption
+ - futex: Fix pi_state->owner serialization
+ - md: fix a race condition for flush request handling
+ - md: separate request handling
+ - PCI: Fix race condition with driver_override
+ - btrfs: fix NULL pointer dereference from free_reloc_roots()
+ - btrfs: clear ordered flag on cleaning up ordered extents
+ - btrfs: finish ordered extent cleaning if no progress is found
+ - btrfs: propagate error to btrfs_cmp_data_prepare caller
+ - btrfs: prevent to set invalid default subvolid
+ - [x86] platform: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt
+ - PM / OPP: Call notifier without holding opp_table->lock
+ - [x86] mm: Fix fault error path using unsafe vma pointer
+ - [x86] fpu: Don't let userspace set bogus xcomp_bv
+ - [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
+ - [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
+ - [x86] KVM: VMX: use cmpxchg64
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
+ - [armhf,arm64] usb: dwc3: ep0: fix DMA starvation by assigning req->trb on
+ ep0
+ - mlxsw: spectrum: Fix EEPROM access in case of SFP/SFP+
+ - net: bonding: Fix transmit load balancing in balance-alb mode if
+ specified by sysfs
+ - openvswitch: Fix an error handling path in
+ 'ovs_nla_init_match_and_action()'
+ - net: bonding: fix tlb_dynamic_lb default value
+ - net_sched: gen_estimator: fix scaling error in bytes/packets samples
+ - net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
+ - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
+ - tcp: update skb->skb_mstamp more carefully
+ - bpf/verifier: reject BPF_ALU64|BPF_END
+ - tcp: fix data delivery rate
+ - udpv6: Fix the checksum computation when HW checksum does not apply
+ - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
+ - net: phy: Fix mask value write on gmii2rgmii converter speed register
+ - ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
+ - net/sched: cls_matchall: fix crash when used with classful qdisc
+ - 8139too: revisit napi_complete_done() usage
+ - bpf: do not disable/enable BH in bpf_map_free_id()
+ - tcp: fastopen: fix on syn-data transmit failure
+ - [powerpc*] net: emac: Fix napi poll list corruption
+ - net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure
+ - packet: hold bind lock when rebinding to fanout hook
+ - net: change skb->mac_header when Generic XDP calls adjust_head
+ - net_sched: always reset qdisc backlog in qdisc_reset()
+ - [armhf,arm64] net: stmmac: Cocci spatch "of_table"
+ - [arm64] net: qcom/emac: specify the correct size when mapping a DMA buffer
+ - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
+ - l2tp: fix race condition in l2tp_tunnel_delete
+ - tun: bail out from tun_get_user() if the skb is empty
+ - [armhf,arm64] net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple
+ vlans
+ - [armhf,arm64] net: dsa: Fix network device registration order
+ - packet: in packet_do_bind, test fanout with bind_lock held
+ - packet: only test po->has_vnet_hdr once in packet_snd
+ - [armhf,arm64] net: dsa: mv88e6xxx: lock mutex when freeing IRQs
+ - net: Set sk_prot_creator when cloning sockets to the right proto
+ - net/mlx5e: IPoIB, Fix access to invalid memory address
+ - netlink: do not proceed if dump's start() errs
+ - ip6_gre: ip6gre_tap device should keep dst
+ - ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
+ - IPv4: early demux can return an error code
+ - tipc: use only positive error codes in messages
+ - l2tp: fix l2tp_eth module loading
+ - socket, bpf: fix possible use after free
+ - net: rtnetlink: fix info leak in RTM_GETSTATS call
+ - [amd64] bpf: fix bpf_tail_call() x64 JIT
+ - usb: gadget: core: fix ->udc_set_speed() logic
+ - USB: gadgetfs: Fix crash caused by inadequate synchronization
+ - USB: gadgetfs: fix copy_to_user while holding spinlock
+ - usb: gadget: udc: atmel: set vbus irqflags explicitly
+ - usb-storage: unusual_devs entry to fix write-access regression for
+ Seagate external drives
+ - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
+ - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
+ - usb: pci-quirks.c: Corrected timeout values used in handshake
+ - USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
+ - USB: dummy-hcd: fix connection failures (wrong speed)
+ - USB: dummy-hcd: fix infinite-loop resubmission bug
+ - USB: dummy-hcd: Fix erroneous synchronization change
+ - USB: devio: Prevent integer overflow in proc_do_submiturb()
+ - USB: devio: Don't corrupt user memory
+ - USB: g_mass_storage: Fix deadlock when driver is unbound
+ - USB: uas: fix bug in handling of alternate settings
+ - USB: core: harden cdc_parse_cdc_header
+ - usb: Increase quirk delay for USB devices
+ - USB: fix out-of-bounds in usb_set_configuration
+ - usb: xhci: Free the right ring in xhci_add_endpoint()
+ - xhci: fix finding correct bus_state structure for USB 3.1 hosts
+ - xhci: fix wrong endpoint ESIT value shown in tracing
+ - usb: host: xhci-plat: allow sysdev to inherit from ACPI
+ - xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
+ - xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
+ - [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
+ - [armhf] iio: adc: twl4030: Fix an error handling path in
+ 'twl4030_madc_probe()'
+ - [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
+ handling path of 'twl4030_madc_probe()'
+ - iio: core: Return error for failed read_reg
+ - uwb: properly check kthread_run return value
+ - uwb: ensure that endpoint is interrupt
+ - ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
+ - mm, hugetlb, soft_offline: save compound page order before page migration
+ - mm, oom_reaper: skip mm structs with mmu notifiers
+ - mm: fix RODATA_TEST failure "rodata_test: test data was not read only"
+ - mm: avoid marking swap cached page as lazyfree
+ - mm: fix data corruption caused by lazyfree page
+ - userfaultfd: non-cooperative: fix fork use after free
+ - ALSA: compress: Remove unused variable
+ - Revert "ALSA: echoaudio: purge contradictions between dimension matrix
+ members and total number of members"
+ - ALSA: usx2y: Suppress kernel warning at page allocation failures
+ - [powerpc*] powernv: Increase memory block size to 1GB on radix
+ - [powerpc*] Fix action argument for cpufeatures-based TLB flush
+ - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
+ - [x86] intel_th: pci: Add Lewisburg PCH support
+ - driver core: platform: Don't read past the end of "driver_override" buffer
+ - cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute()
+ returns
+ - [x86] Drivers: hv: fcopy: restore correct transfer length
+ - [x86] vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
+ - ftrace: Fix kmemleak in unregister_ftrace_graph
+ - ovl: fix error value printed in ovl_lookup_index()
+ - ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
+ - ovl: fix dentry leak in ovl_indexdir_cleanup()
+ - ovl: fix missing unlock_rename() in ovl_do_copy_up()
+ - ovl: fix regression caused by exclusive upper/work dir protection
+ - [arm64] dt marvell: Fix AP806 system controller size
+ - [arm64] Ensure the instruction emulation is ready for userspace
+ - HID: rmi: Make sure the HID device is opened on resume
+ - HID: i2c-hid: allocate hid buffers for real worst case
+ - HID: wacom: leds: Don't try to control the EKR's read-only LEDs
+ - HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
+ - HID: wacom: Correct coordinate system of touchring and pen twist
+ - HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
+ - HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
+ - HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
+ - HID: wacom: bits shifted too much for 9th and 10th buttons
+ - btrfs: avoid overflow when sector_t is 32 bit
+ - Btrfs: fix overlap of fs_info::flags values
+ - dm crypt: reject sector_size feature if device length is not aligned to it
+ - dm ioctl: fix alignment of event number in the device list
+ - dm crypt: fix memory leak in crypt_ctr_cipher_old()
+ - [powerpc*] KVM: Book3S: Fix server always zero from kvmppc_xive_get_xive()
+ - [x86] kvm: Avoid async PF preempting the kernel incorrectly
+ - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
+ - scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
+ - scsi: sd: Do not override max_sectors_kb sysfs setting
+ - brcmfmac: setup passive scan if requested by user-space
+ - [x86] drm/i915: always update ELD connector type after get modes
+ - [x86] drm/i915/bios: ignore HDMI on port A
+ - bsg-lib: fix use-after-free under memory-pressure
+ - nvme-pci: Use PCI bus address for data/queues in CMB
+ - mmc: core: add driver strength selection when selecting hs400es
+ - nl80211: Define policy for packet pattern attributes
+ - [armhf] clk: samsung: exynos4: Enable VPLL and EPLL clocks for
+ suspend/resume cycle
+ - udp: perform source validation for mcast early demux
+ - udp: fix bcast packet reception
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.7
+ - watchdog: Revert "iTCO_wdt: all versions count down twice"
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8
+ - USB: dummy-hcd: Fix deadlock caused by disconnect detection
+ - [mips*] math-emu: Remove pr_err() calls from fpu_emu()
+ - [mips*] bpf: Fix uninitialised target compiler error
+ - [x86] mei: always use domain runtime pm callbacks.
+ - [armhf] dmaengine: edma: Align the memcpy acnt array size with the
+ transfer
+ - [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
+ dma_inuse
+ - NFS: Fix uninitialized rpc_wait_queue
+ - nfs/filelayout: fix oops when freeing filelayout segment
+ - HID: usbhid: fix out-of-bounds bug
+ - crypto: skcipher - Fix crash on zero-length input
+ - crypto: shash - Fix zero-length shash ahash digest crash
+ - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
+ - [x86] pinctrl/amd: Fix build dependency on pinmux code
+ - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
+ - device property: Track owner device of device property
+ - Revert "vmalloc: back off when the current task is killed"
+ - fs/mpage.c: fix mpage_writepage() for pages with buffers
+ - ALSA: usb-audio: Kill stray URB at exiting
+ - ALSA: seq: Fix copy_from_user() call inside lock
+ - ALSA: caiaq: Fix stray URB at probe error path
+ - ALSA: line6: Fix NULL dereference at podhd_disconnect()
+ - ALSA: line6: Fix missing initialization before error path
+ - ALSA: line6: Fix leftover URB at error-path during probe
+ - drm/atomic: Unref duplicated drm_atomic_state in
+ drm_atomic_helper_resume()
+ - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+ - [x86] drm/i915: Read timings from the correct transcoder in
+ intel_crtc_mode_get()
+ - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
+ AUX channel
+ - [x86] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
+ - usb: gadget: configfs: Fix memory leak of interface directory data
+ - usb: gadget: composite: Fix use-after-free in
+ usb_composite_overwrite_options
+ - [arm64] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping
+ functions
+ - [armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"
+ - direct-io: Prevent NULL pointer access in submit_page_section
+ - fix unbalanced page refcounting in bio_map_user_iov
+ - more bio_map_user_iov() leak fixes
+ - bio_copy_user_iov(): don't ignore ->iov_offset
+ - perf script: Add missing separator for "-F ip,brstack" (and brstackoff)
+ - genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
+ - genirq/cpuhotplug: Add sanity check for effective affinity mask
+ - USB: serial: cp210x: fix partnum regression
+ - USB: serial: console: fix use-after-free on disconnect
+ - USB: serial: console: fix use-after-free after failed setup
+ - RAS/CEC: Use the right length for "cec_disable"
+ - [x86] alternatives: Fix alt_max_short macro to really be a max()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.9
+ - [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on CPUs
+ without the feature
+ - [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on
+ hypervisors
+ - [armhf,arm64] perf pmu: Unbreak perf record for arm/arm64 with events
+ with explicit PMU
+ - mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE outside of lock
+ - HID: hid-elecom: extend to fix descriptor for HUGE trackball
+ - [x86] Drivers: hv: vmbus: Fix rescind handling issues
+ - [x86] Drivers: hv: vmbus: Fix bugs in rescind handling
+ - [x86] vmbus: simplify hv_ringbuffer_read
+ - [x86] vmbus: refactor hv_signal_on_read
+ - [x86] vmbus: eliminate duplicate cached index
+ - [x86] vmbus: more host signalling avoidance
+
+ [ Ben Hutchings ]
* [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
* Update build dependencies on libbabeltrace[,-ctf}-dev
* linux-kbuild: Include scripts/ld-version.sh, needed for powerpc 64-bit
modules
+ * dax: Avoid most ABI changes in 4.13.5
+ * SCSI: Avoid ABI change in 4.13.6
+ * [x86] kvm: Ignore ABI change in 4.13.6
+ * seq-virmidi: Ignore ABI change in 4.13.8
+ * Revert "bpf: one perf event close won't free bpf program attached ..."
+ to avoid an ABI change
-- Ben Hutchings <ben at decadent.org.uk> Wed, 18 Oct 2017 20:03:01 +0100
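Review bot: the entry for Revert "PCI: tegra: Do not allocate MSI target memory" in the 4.13.8 section is tagged [armhf,armhf], which repeats one architecture; every other two-architecture entry in this list uses [armhf,arm64], so the second tag is almost certainly a typo for arm64 and should be fixed before upload. Two pre-existing context lines are also worth touching while this entry is being edited: "libbabeltrace[,-ctf}-dev" mixes a square bracket with a closing brace, and the trailer line still carries the 18 Oct 2017 date with the entry marked UNRELEASED, so the date must be regenerated at release time. Note that the changelog deliberately lists only stable commits not already carried as Debian patches, which is why the titles of the three CVE patches deleted below do not appear in the 4.13.5 to 4.13.9 sections; that makes it impossible to confirm from this hunk alone that those fixes are in 4.13.9, and a short pointer in the changelog (or in the commit message) saying which stable release absorbed them would help security-tracker triage.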
diff --git a/debian/config/defines b/debian/config/defines
index 2eaeb0e..74152f6 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -4,7 +4,9 @@ ignore-changes:
__cpuhp_*
bpf_analyzer
cxl_*
+ dax_flush
iommu_device_*
+ kvm_async_pf_task_wait
mm_iommu_*
perf_*
register_cxl_calls
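Review bot: the two new ignore-changes symbols, dax_flush and kvm_async_pf_task_wait, carry no comment recording why their ABI change is safe to ignore, unlike the btree_* entry further down which states its rationale; the changelog says only "dax: Avoid most ABI changes in 4.13.5" and "[x86] kvm: Ignore ABI change in 4.13.6". A one-line comment (for example that no out-of-tree module is expected to call the symbol, if that is the reasoning) makes each entry easy to prune at the next ABI bump. For dax_flush in particular, the companion dax-avoid-abi-change-in-4.13.5.patch added by this commit is not shown here, so a reviewer cannot tell from the diff whether dax_flush is the one residual change that patch could not hide or a symbol that was judged unused out of tree.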
@@ -30,6 +32,7 @@ ignore-changes:
module:fs/nfs/**
module:net/ceph/libceph
module:net/l2tp/l2tp_core
+ module:sound/core/seq/snd-seq-virmidi
module:sound/firewire/snd-firewire-lib
# btree library is only selected by few drivers so not useful OOT
btree_*
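Review bot: module:sound/core/seq/snd-seq-virmidi ignores every exported symbol of the module rather than the one that actually changed; the changelog attributes the change to 4.13.8 ("seq-virmidi: Ignore ABI change in 4.13.8") but names neither the upstream fix nor the symbol. That is consistent with the neighbouring module-level entries, but a comment naming the changed symbol would let this line be removed precisely once the ABI is bumped, and would let anyone carrying an out-of-tree sequencer client check whether they are affected.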
diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
deleted file mode 100644
index f9026ce..0000000
--- a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Mon, 9 Oct 2017 11:09:20 +0200
-Subject: ALSA: seq: Fix use-after-free at creating a port
-Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265
-
-There is a potential race window opened at creating and deleting a
-port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
-a port object and returns its pointer, but it doesn't take the
-refcount, thus it can be deleted immediately by another thread.
-Meanwhile, snd_seq_ioctl_create_port() still calls the function
-snd_seq_system_client_ev_port_start() with the created port object
-that is being deleted, and this triggers use-after-free like:
-
- BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
- =============================================================================
- BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
- -----------------------------------------------------------------------------
- INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
- ___slab_alloc+0x425/0x460
- __slab_alloc+0x20/0x40
- kmem_cache_alloc_trace+0x150/0x190
- snd_seq_create_port+0x94/0x9b0 [snd_seq]
- snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
- snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- snd_seq_ioctl+0x40/0x80 [snd_seq]
- do_vfs_ioctl+0x54b/0xda0
- SyS_ioctl+0x79/0x90
- entry_SYSCALL_64_fastpath+0x16/0x75
- INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
- __slab_free+0x204/0x310
- kfree+0x15f/0x180
- port_delete+0x136/0x1a0 [snd_seq]
- snd_seq_delete_port+0x235/0x350 [snd_seq]
- snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
- snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- snd_seq_ioctl+0x40/0x80 [snd_seq]
- do_vfs_ioctl+0x54b/0xda0
- SyS_ioctl+0x79/0x90
- entry_SYSCALL_64_fastpath+0x16/0x75
- Call Trace:
- [<ffffffff81b03781>] dump_stack+0x63/0x82
- [<ffffffff81531b3b>] print_trailer+0xfb/0x160
- [<ffffffff81536db4>] object_err+0x34/0x40
- [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
- [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
- [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
- [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
- [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
- [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
- [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
- [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
- [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
- .....
-
-We may fix this in a few different ways, and in this patch, it's fixed
-simply by taking the refcount properly at snd_seq_create_port() and
-letting the caller unref the object after use. Also, there is another
-potential use-after-free by sprintf() call in snd_seq_create_port(),
-and this is moved inside the lock.
-
-This fix covers CVE-2017-15265.
-
-Reported-and-tested-by: Michael23 Yu <ycqzsy at gmail.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/seq/seq_clientmgr.c | 6 +++++-
- sound/core/seq/seq_ports.c | 7 +++++--
- 2 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index ea2d0ae85bd3..6c9cba2166d9 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- struct snd_seq_port_info *info = arg;
- struct snd_seq_client_port *port;
- struct snd_seq_port_callback *callback;
-+ int port_idx;
-
- /* it is not allowed to create the port for an another client */
- if (info->addr.client != client->number)
-@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- return -ENOMEM;
-
- if (client->type == USER_CLIENT && info->kernel) {
-- snd_seq_delete_port(client, port->addr.port);
-+ port_idx = port->addr.port;
-+ snd_seq_port_unlock(port);
-+ snd_seq_delete_port(client, port_idx);
- return -EINVAL;
- }
- if (client->type == KERNEL_CLIENT) {
-@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
-
- snd_seq_set_port_info(port, info);
- snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
-+ snd_seq_port_unlock(port);
-
- return 0;
- }
-diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
-index 0a7020c82bfc..d21ece9f8d73 100644
---- a/sound/core/seq/seq_ports.c
-+++ b/sound/core/seq/seq_ports.c
-@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
- }
-
-
--/* create a port, port number is returned (-1 on failure) */
-+/* create a port, port number is returned (-1 on failure);
-+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
-+ */
- struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- int port)
- {
-@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- snd_use_lock_init(&new_port->use_lock);
- port_subs_info_init(&new_port->c_src);
- port_subs_info_init(&new_port->c_dest);
-+ snd_use_lock_use(&new_port->use_lock);
-
- num = port >= 0 ? port : 0;
- mutex_lock(&client->ports_mutex);
-@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- list_add_tail(&new_port->list, &p->list);
- client->num_ports++;
- new_port->addr.port = num; /* store the port number in the port */
-+ sprintf(new_port->name, "port-%d", num);
- write_unlock_irqrestore(&client->ports_lock, flags);
- mutex_unlock(&client->ports_mutex);
-- sprintf(new_port->name, "port-%d", num);
-
- return new_port;
- }
---
-2.11.0
-
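Review bot: dropping ALSA-seq-Fix-use-after-free-at-creating-a-port.patch is correct only if upstream commit 71105998845f is in 4.13.9, and nothing in this diff shows that: the 4.13.8 section of the new changelog lists "ALSA: seq: Fix copy_from_user() call inside lock" but not this title, so the drop rests on the patch already being in a previous Debian revision rather than on anything visible here. Since the patch carries CVE-2017-15265, verify before upload, for example with `git log --oneline v4.13.4..v4.13.9 -- sound/core/seq/seq_ports.c`, or by checking that snd_seq_create_port() in the 4.13.9 tree takes the use_lock reference and that snd_seq_ioctl_create_port() calls snd_seq_port_unlock() on both the error path and the success path, as the deleted hunks do. One further point for whoever compares against 4.13.9: the context between the two seq_clientmgr.c hunks (the KERNEL_CLIENT branch) is not shown, so an early return there would leak the reference now taken in snd_seq_create_port(); that is invisible from this excerpt and worth a glance in the upstream version.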
diff --git a/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch b/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
deleted file mode 100644
index e34ea9b..0000000
--- a/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Mon, 18 Sep 2017 11:37:23 -0700
-Subject: KEYS: prevent KEYCTL_READ on negative key
-Origin: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12192
-
-Because keyctl_read_key() looks up the key with no permissions
-requested, it may find a negatively instantiated key. If the key is
-also possessed, we went ahead and called ->read() on the key. But the
-key payload will actually contain the ->reject_error rather than the
-normal payload. Thus, the kernel oopses trying to read the
-user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.
-
-Fortunately the payload data is stored inline, so it shouldn't be
-possible to abuse this as an arbitrary memory read primitive...
-
-Reproducer:
- keyctl new_session
- keyctl request2 user desc '' @s
- keyctl read $(keyctl show | awk '/user: desc/ {print $1}')
-
-It causes a crash like the following:
- BUG: unable to handle kernel paging request at 00000000ffffff92
- IP: user_read+0x33/0xa0
- PGD 36a54067 P4D 36a54067 PUD 0
- Oops: 0000 [#1] SMP
- CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
- task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
- RIP: 0010:user_read+0x33/0xa0
- RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
- RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
- RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
- RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
- R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
- R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
- FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
- CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
- Call Trace:
- keyctl_read_key+0xac/0xe0
- SyS_keyctl+0x99/0x120
- entry_SYSCALL_64_fastpath+0x1f/0xbe
- RIP: 0033:0x7f58ec787bb9
- RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
- RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
- RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
- RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
- R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
- R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
- Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
- RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
- CR2: 00000000ffffff92
-
-Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
-Cc: <stable at vger.kernel.org> [v3.13+]
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/keyctl.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index aa1d11a29136..365ff85d7e27 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
-
- key = key_ref_to_ptr(key_ref);
-
-+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
-+ ret = -ENOKEY;
-+ goto error2;
-+ }
-+
- /* see if we can read it directly */
- ret = key_permission(key_ref, KEY_NEED_READ);
- if (ret == 0)
---
-2.15.0.rc0
-
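Review bot: the dropped check tests KEY_FLAG_NEGATIVE once, before key_permission() and before the later ->read(), and nothing in the hunk holds key->sem across that test, so a key that becomes negative between the test and the read is not covered; this closed the reproducer in the commit message rather than guaranteeing that ->read() never sees a ->reject_error payload. That is moot for this commit, which removes the patch because the fix is upstream, but the same caveat applies to whatever 4.13.9 carries. As with the other dropped security patches, "KEYS: prevent KEYCTL_READ on negative key" does not appear in the 4.13.5 to 4.13.9 lists above (the 4.13.5 section has the keyring_read() and "different user's keyrings" fixes only), so confirm it is present in 4.13.9, for example with `git log --oneline v4.13.4..v4.13.9 -- security/keys/keyctl.c`, before the CVE-2017-12192 tracker entry is marked fixed by this upload.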
diff --git a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
deleted file mode 100644
index 0ada348..0000000
--- a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Arend Van Spriel <arend.vanspriel at broadcom.com>
-Date: Tue, 12 Sep 2017 10:47:53 +0200
-Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
-Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786
-
-Upon handling the firmware notification for scans the length was
-checked properly and may result in corrupting kernel heap memory
-due to buffer overruns. This fix addresses CVE-2017-0786.
-
-Cc: stable at vger.kernel.org # v4.0.x
-Cc: Kevin Cernekee <cernekee at chromium.org>
-Reviewed-by: Hante Meuleman <hante.meuleman at broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts at broadcom.com>
-Reviewed-by: Franky Lin <franky.lin at broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
-Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-index aaed4ab503ad..26a0de371c26 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
- struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
- s32 status;
- struct brcmf_escan_result_le *escan_result_le;
-+ u32 escan_buflen;
- struct brcmf_bss_info_le *bss_info_le;
- struct brcmf_bss_info_le *bss = NULL;
- u32 bi_length;
-@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
-
- if (status == BRCMF_E_STATUS_PARTIAL) {
- brcmf_dbg(SCAN, "ESCAN Partial result\n");
-+ if (e->datalen < sizeof(*escan_result_le)) {
-+ brcmf_err("invalid event data length\n");
-+ goto exit;
-+ }
- escan_result_le = (struct brcmf_escan_result_le *) data;
- if (!escan_result_le) {
- brcmf_err("Invalid escan result (NULL pointer)\n");
- goto exit;
- }
-+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
-+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
-+ escan_buflen > e->datalen ||
-+ escan_buflen < sizeof(*escan_result_le)) {
-+ brcmf_err("Invalid escan buffer length: %d\n",
-+ escan_buflen);
-+ goto exit;
-+ }
- if (le16_to_cpu(escan_result_le->bss_count) != 1) {
- brcmf_err("Invalid bss_count %d: ignoring\n",
- escan_result_le->bss_count);
-@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
- }
-
- bi_length = le32_to_cpu(bss_info_le->length);
-- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
-- WL_ESCAN_RESULTS_FIXED_SIZE)) {
-- brcmf_err("Invalid bss_info length %d: ignoring\n",
-+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
-+ brcmf_err("Ignoring invalid bss_info length: %d\n",
- bi_length);
- goto exit;
- }
---
-2.11.0
-
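Review bot: before removing this file, confirm that 17df6453d4be (Cc: stable # v4.0.x) is present in the 4.13.x stable series and that the changelog for 4.13.9-1 still records CVE-2017-0786, because the Bug-Debian-Security link disappears with the file; the three escan_buflen bounds (BRCMF_ESCAN_BUF_SIZE, e->datalen, sizeof(*escan_result_le)) are what stop the heap overrun in brcmf_cfg80211_escan_handler(), so a stable backport that differs from this version should be checked for the same checks.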
diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
deleted file mode 100644
index b713b3f..0000000
--- a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 29 Sep 2017 13:43:15 -0400
-Subject: fix infoleak in waitid(2)
-Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
-
-kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
-case and waitid(2) rusage should've been copied out exactly in that case, *not*
-whenever kernel_waitid() has not returned an error. Compat variant shares that
-braino; none of kernel_wait4() callers do, so the below ought to fix it.
-
-Reported-and-tested-by: Alexander Potapenko <glider at google.com>
-Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
-Cc: stable at vger.kernel.org # v4.13
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- kernel/exit.c | 23 ++++++++++-------------
- 1 file changed, 10 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 3481ababd06a..f2cd53e92147 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- struct waitid_info info = {.status = 0};
- long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
- int signo = 0;
-+
- if (err > 0) {
- signo = SIGCHLD;
- err = 0;
-- }
--
-- if (!err) {
- if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
- return -EFAULT;
- }
-@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (err > 0) {
- signo = SIGCHLD;
- err = 0;
-- }
--
-- if (!err && uru) {
-- /* kernel_waitid() overwrites everything in ru */
-- if (COMPAT_USE_64BIT_TIME)
-- err = copy_to_user(uru, &ru, sizeof(ru));
-- else
-- err = put_compat_rusage(&ru, uru);
-- if (err)
-- return -EFAULT;
-+ if (uru) {
-+ /* kernel_waitid() overwrites everything in ru */
-+ if (COMPAT_USE_64BIT_TIME)
-+ err = copy_to_user(uru, &ru, sizeof(ru));
-+ else
-+ err = put_compat_rusage(&ru, uru);
-+ if (err)
-+ return -EFAULT;
-+ }
- }
-
- if (!infop)
---
-2.14.2
-
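Review bot: this patch and waitid-Add-missing-access_ok-checks.patch form a chain on kernel/exit.c (that patch's index line starts from f2cd53e92147, the post-image of this one), so both must be removed from debian/patches/series in the same commit or the remaining one will no longer apply; also, the Cc: stable tag here is "# v4.13" only, so confirm 6c85501f2fab is in 4.13.9 and keep the CVE-2017-14954 reference in the changelog.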
diff --git a/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch b/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
deleted file mode 100644
index 1a7fff9..0000000
--- a/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: Johannes Berg <johannes.berg at intel.com>
-Date: Wed, 6 Sep 2017 15:01:42 +0200
-Subject: mac80211: fix deadlock in driver-managed RX BA session start
-Origin: https://git.kernel.org/linus/bde59c475e0883e4c4294bcd9b9c7e08ae18c828
-Bug-Debian: https://bugs.debian.org/878092
-
-When an RX BA session is started by the driver, and it has to tell
-mac80211 about it, the corresponding bit in tid_rx_manage_offl gets
-set and the BA session work is scheduled. Upon testing this bit, it
-will call __ieee80211_start_rx_ba_session(), thus deadlocking as it
-already holds the ampdu_mlme.mtx, which that acquires again.
-
-Fix this by adding ___ieee80211_start_rx_ba_session(), a version of
-the function that requires the mutex already held.
-
-Cc: stable at vger.kernel.org
-Fixes: 699cb58c8a52 ("mac80211: manage RX BA session offload without SKB queue")
-Reported-by: Matteo Croce <mcroce at redhat.com>
-Signed-off-by: Johannes Berg <johannes.berg at intel.com>
----
- net/mac80211/agg-rx.c | 32 +++++++++++++++++++++-----------
- net/mac80211/ht.c | 6 +++---
- net/mac80211/ieee80211_i.h | 4 ++++
- 3 files changed, 28 insertions(+), 14 deletions(-)
-
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index 2b36eff5d97e..2849a1fc41c5 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
- ieee80211_tx_skb(sdata, skb);
- }
-
--void __ieee80211_start_rx_ba_session(struct sta_info *sta,
-- u8 dialog_token, u16 timeout,
-- u16 start_seq_num, u16 ba_policy, u16 tid,
-- u16 buf_size, bool tx, bool auto_seq)
-+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
-+ u8 dialog_token, u16 timeout,
-+ u16 start_seq_num, u16 ba_policy, u16 tid,
-+ u16 buf_size, bool tx, bool auto_seq)
- {
- struct ieee80211_local *local = sta->sdata->local;
- struct tid_ampdu_rx *tid_agg_rx;
-@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- ht_dbg(sta->sdata,
- "STA %pM requests BA session on unsupported tid %d\n",
- sta->sta.addr, tid);
-- goto end_no_lock;
-+ goto end;
- }
-
- if (!sta->sta.ht_cap.ht_supported) {
-@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
- sta->sta.addr, tid);
- /* send a response anyway, it's an error case if we get here */
-- goto end_no_lock;
-+ goto end;
- }
-
- if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
- ht_dbg(sta->sdata,
- "Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
- sta->sta.addr, tid);
-- goto end_no_lock;
-+ goto end;
- }
-
- /* sanity check for incoming parameters:
-@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- ht_dbg_ratelimited(sta->sdata,
- "AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
- sta->sta.addr, tid, ba_policy, buf_size);
-- goto end_no_lock;
-+ goto end;
- }
- /* determine default buffer size */
- if (buf_size == 0)
-@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- buf_size, sta->sta.addr);
-
- /* examine state machine */
-- mutex_lock(&sta->ampdu_mlme.mtx);
-+ lockdep_assert_held(&sta->ampdu_mlme.mtx);
-
- if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
- if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
-@@ -415,15 +415,25 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- __clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
- sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
- }
-- mutex_unlock(&sta->ampdu_mlme.mtx);
-
--end_no_lock:
- if (tx)
- ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
- dialog_token, status, 1, buf_size,
- timeout);
- }
-
-+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
-+ u8 dialog_token, u16 timeout,
-+ u16 start_seq_num, u16 ba_policy, u16 tid,
-+ u16 buf_size, bool tx, bool auto_seq)
-+{
-+ mutex_lock(&sta->ampdu_mlme.mtx);
-+ ___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
-+ start_seq_num, ba_policy, tid,
-+ buf_size, tx, auto_seq);
-+ mutex_unlock(&sta->ampdu_mlme.mtx);
-+}
-+
- void ieee80211_process_addba_request(struct ieee80211_local *local,
- struct sta_info *sta,
- struct ieee80211_mgmt *mgmt,
-diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
-index 4cba7fca10d4..d6d0b4201e40 100644
---- a/net/mac80211/ht.c
-+++ b/net/mac80211/ht.c
-@@ -351,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)
-
- if (test_and_clear_bit(tid,
- sta->ampdu_mlme.tid_rx_manage_offl))
-- __ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
-- IEEE80211_MAX_AMPDU_BUF,
-- false, true);
-+ ___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
-+ IEEE80211_MAX_AMPDU_BUF,
-+ false, true);
-
- if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
- sta->ampdu_mlme.tid_rx_manage_offl))
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 2197c62a0a6e..9675814f64db 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- u8 dialog_token, u16 timeout,
- u16 start_seq_num, u16 ba_policy, u16 tid,
- u16 buf_size, bool tx, bool auto_seq);
-+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
-+ u8 dialog_token, u16 timeout,
-+ u16 start_seq_num, u16 ba_policy, u16 tid,
-+ u16 buf_size, bool tx, bool auto_seq);
- void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
- enum ieee80211_agg_stop_reason reason);
- void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
---
-2.15.0.rc0
-
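Review bot: this patch carries Bug-Debian: https://bugs.debian.org/878092 rather than a CVE, so the 4.13.9-1 changelog entry should close #878092 explicitly; the Cc: stable line has no version qualifier, so verify that bde59c475e08 was picked into 4.13 stable before dropping, otherwise ieee80211_ba_session_work() would again call __ieee80211_start_rx_ba_session() while already holding ampdu_mlme.mtx and the driver-managed RX BA deadlock returns.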
diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
deleted file mode 100644
index 6eab4bd..0000000
--- a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Tue, 12 Sep 2017 22:21:21 +0000
-Subject: nl80211: check for the required netlink attributes presence
-Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
-
-nl80211_set_rekey_data() does not check if the required attributes
-NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
-NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
-users with CAP_NET_ADMIN privilege and may result in NULL dereference
-and a system crash. Add a check for the required attributes presence.
-This patch is based on the patch by bo Zhang.
-
-This fixes CVE-2017-12153.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
-Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
-Cc: <stable at vger.kernel.org> # v3.1-rc1
-Reported-by: bo Zhang <zhangbo5891001 at gmail.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
----
- net/wireless/nl80211.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
- if (err)
- return err;
-
-+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
-+ !tb[NL80211_REKEY_DATA_KCK])
-+ return -EINVAL;
- if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
- return -ERANGE;
- if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
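Review bot: the Origin here is a marc.info mailing-list post, not a git commit id, so "now upstream" needs the actual mainline commit (and its stable backport) identified and named in the changelog together with CVE-2017-12153; the merged version of the fix may differ from this posted one, so check that the stable code still tests all three of NL80211_REKEY_DATA_REPLAY_CTR, KEK and KCK for presence before the nla_len() calls in nl80211_set_rekey_data().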
diff --git a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch b/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
deleted file mode 100644
index 24c1553..0000000
--- a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Cyril Bur <cyrilbur at gmail.com>
-Date: Thu, 17 Aug 2017 20:42:26 +1000
-Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
- checks
-Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255
-
-When using transactional memory (TM), the CPU can be in one of six
-states as far as TM is concerned, encoded in the Machine State
-Register (MSR). Certain state transitions are illegal and if attempted
-trigger a "TM Bad Thing" type program check exception.
-
-If we ever hit one of these exceptions it's treated as a bug, ie. we
-oops, and kill the process and/or panic, depending on configuration.
-
-One case where we can trigger a TM Bad Thing, is when returning to
-userspace after a system call or interrupt, using RFID. When this
-happens the CPU first restores the user register state, in particular
-r1 (the stack pointer) and then attempts to update the MSR. However
-the MSR update is not allowed and so we take the program check with
-the user register state, but the kernel MSR.
-
-This tricks the exception entry code into thinking we have a bad
-kernel stack pointer, because the MSR says we're coming from the
-kernel, but r1 is pointing to userspace.
-
-To avoid this we instead always switch to the emergency stack if we
-take a TM Bad Thing from the kernel. That way none of the user
-register values are used, other than for printing in the oops message.
-
-This is the fix for CVE-2017-1000255.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable at vger.kernel.org # v4.9+
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-[mpe: Rewrite change log & comments, tweak asm slightly]
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index 48da0f5d2f7f..b82586c53560 100644
---- a/arch/powerpc/kernel/exceptions-64s.S
-+++ b/arch/powerpc/kernel/exceptions-64s.S
-@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
- EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
- TRAMP_KVM(PACA_EXGEN, 0x700)
- EXC_COMMON_BEGIN(program_check_common)
-- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
-+ /*
-+ * It's possible to receive a TM Bad Thing type program check with
-+ * userspace register values (in particular r1), but with SRR1 reporting
-+ * that we came from the kernel. Normally that would confuse the bad
-+ * stack logic, and we would report a bad kernel stack pointer. Instead
-+ * we switch to the emergency stack if we're taking a TM Bad Thing from
-+ * the kernel.
-+ */
-+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
-+ oris r10,r10,0x200000 at h /* .. and SRR1_PROGTM */
-+ and r10,r10,r12 /* Mask SRR1 with that. */
-+ srdi r10,r10,8 /* Shift it so we can compare */
-+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
-+ bne 1f /* If != go to normal path. */
-+
-+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
-+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
-+ /* 3 in EXCEPTION_PROLOG_COMMON */
-+ mr r10,r1 /* Save r1 */
-+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
-+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
-+ b 3f /* Jump into the macro !! */
-+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
- bl save_nvgprs
- RECONCILE_IRQ_STATE(r10, r11)
- addi r3,r1,STACK_FRAME_OVERHEAD
---
-2.11.0
-
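Review bot: confirm that 265e60a170d0 (Cc: stable # v4.9+) is in the 4.13.5..4.13.9 range and keep the CVE-2017-1000255 reference in the changelog; this patch is paired with powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch (same Fixes: 5d176f751ee3), and the emergency-stack switch in program_check_common is what keeps a TM Bad Thing taken with user r1 from being reported as a bad kernel stack, so the two should be dropped together only once both are known to be upstream-stable.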
diff --git a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch b/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
deleted file mode 100644
index 083cbbe..0000000
--- a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Gustavo Romero <gromero at linux.vnet.ibm.com>
-Date: Tue, 22 Aug 2017 17:20:09 -0400
-Subject: powerpc/tm: Fix illegal TM state in signal handler
-Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea
-
-Currently it's possible that on returning from the signal handler
-through the restore_tm_sigcontexts() code path (e.g. from a signal
-caught due to a `trap` instruction executed in the middle of an HTM
-block, or a deliberately constructed sigframe) an illegal TM state
-(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
-implicitly the MSR register from SRR1 register on return to userspace
-it causes a TM Bad Thing exception.
-
-That illegal state can be set (a) by a malicious user that disables
-the TM bit by tweaking the bits in uc_mcontext before returning from
-the signal handler or (b) by a sufficient number of context switches
-occurring such that the load_tm counter overflows and TM is disabled
-whilst in the signal handler.
-
-This commit fixes the illegal TM state by ensuring that TM bit is
-always enabled before we return from restore_tm_sigcontexts(). A small
-comment correction is made as well.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable at vger.kernel.org # v4.9+
-Signed-off-by: Gustavo Romero <gromero at linux.vnet.ibm.com>
-Signed-off-by: Breno Leitao <leitao at debian.org>
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index c83c115858c1..b2c002993d78 100644
---- a/arch/powerpc/kernel/signal_64.c
-+++ b/arch/powerpc/kernel/signal_64.c
-@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
- if (MSR_TM_RESV(msr))
- return -EINVAL;
-
-- /* pull in MSR TM from user context */
-+ /* pull in MSR TS bits from user context */
- regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
-
-+ /*
-+ * Ensure that TM is enabled in regs->msr before we leave the signal
-+ * handler. It could be the case that (a) user disabled the TM bit
-+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
-+ * TM bit was disabled because a sufficient number of context switches
-+ * happened whilst in the signal handler and load_tm overflowed,
-+ * disabling the TM bit. In either case we can end up with an illegal
-+ * TM state leading to a TM Bad Thing when we return to userspace.
-+ */
-+ regs->msr |= MSR_TM;
-+
- /* pull in MSR LE from user context */
- regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
-
---
-2.11.0
-
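Review bot: this file has no Bug-Debian-Security line, so there is no tracker entry to cross-check; its Origin commit 044215d145a7 is tagged Cc: stable # v4.9+ and fixes the same 5d176f751ee3 as the emergency-stack patch above, so verify that both arrived in the same stable release before dropping, since the `regs->msr |= MSR_TM;` in restore_tm_sigcontexts() is the part that prevents a crafted uc_mcontext (or a load_tm overflow) from leaving an illegal TM state for rfid.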
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
deleted file mode 100644
index 2b63f46..0000000
--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long <lucien.xin at gmail.com>
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
-[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[ 651.627260] Call Trace:
-[ 651.629156] skb_release_all+0x4f/0x60
-[ 651.629450] consume_skb+0x1a5/0x600
-[ 651.630705] netlink_unicast+0x505/0x720
-[ 651.632345] netlink_sendmsg+0xab2/0xe70
-[ 651.633704] sock_sendmsg+0xcf/0x110
-[ 651.633942] ___sys_sendmsg+0x833/0x980
-[ 651.637117] __sys_sendmsg+0xf3/0x240
-[ 651.638820] SyS_sendmsg+0x32/0x50
-[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang <chunwang at redhat.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Chris Leech <cleech at redhat.com>
----
- drivers/scsi/scsi_transport_iscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
- uint32_t group;
-
- nlh = nlmsg_hdr(skb);
-- if (nlh->nlmsg_len < sizeof(*nlh) ||
-+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
- skb->len < nlh->nlmsg_len) {
- break;
- }
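Review bot: Origin is a patchwork URL with no commit id and there is no Cc: stable line, so nothing in this file shows that the CVE-2017-14489 fix reached 4.13.9; identify the mainline commit and its stable backport, name them in the changelog, and check that the stable version keeps the `sizeof(*nlh) + sizeof(*ev)` lower bound on nlmsg_len in iscsi_if_rx(), which is what stops nlmsg_data() from aliasing skb_shinfo().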
diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
deleted file mode 100644
index 2d056c3..0000000
--- a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Mon, 4 Sep 2017 16:00:50 +0200
-Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
- userspace
-Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
-
-'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
-field unitialized, leaking data from the stack. Fix this ensuring all of
-'clk' is initialized to zero.
-
-References: https://github.com/torvalds/linux/pull/441
-Reported-by: sohu0106 <sohu0106 at 126.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
----
- drivers/video/fbdev/aty/atyfb_base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/video/fbdev/aty/atyfb_base.c
-+++ b/drivers/video/fbdev/aty/atyfb_base.c
-@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
- #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
- case ATYIO_CLKR:
- if (M64_HAS(INTEGRATED)) {
-- struct atyclk clk;
-+ struct atyclk clk = { 0 };
- union aty_pll *pll = &par->pll;
- u32 dsp_config = pll->ct.dsp_config;
- u32 dsp_on_off = pll->ct.dsp_on_off;
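Review bot: there is no Cc: stable tag here (only a GitHub PR reference), so confirm 8e75f7a7a004 is in the stable series before dropping, and record CVE-2017-14156 in the changelog; the fix is the single `struct atyclk clk = { 0 };` initialisation under `#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)`, so also check that the Debian config does not build that branch with uninitialised padding if the stable backport is absent.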
diff --git a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch b/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
deleted file mode 100644
index 4872b37..0000000
--- a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Mon, 9 Oct 2017 11:36:52 -0700
-Subject: waitid(): Add missing access_ok() checks
-Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
-
-Adds missing access_ok() checks.
-
-CVE-2017-5123
-
-Reported-by: Chris Salls <chrissalls5 at gmail.com>
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Acked-by: Al Viro <viro at zeniv.linux.org.uk>
-Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
-Cc: stable at kernel.org # 4.13
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- kernel/exit.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index f2cd53e92147..cf28528842bc 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- if (!infop)
- return err;
-
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
-@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (!infop)
- return err;
-
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
---
-2.15.0.rc0
-
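Review bot: this patch depends on fix-infoleak-in-waitid-2.patch (its index pre-image f2cd53e92147 is that patch's post-image), so it must leave debian/patches/series together with that one; the Cc: stable at kernel.org # 4.13 tag marks the backport as 4.13-only, so confirm 96ca579a1ecc is in 4.13.9 and keep the CVE-2017-5123 reference in the changelog, as the access_ok() check before user_access_begin() is the entire fix.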
diff --git a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch b/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
deleted file mode 100644
index 47cbead..0000000
--- a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 5 Oct 2017 11:10:23 +0200
-Subject: KVM: MMU: always terminate page walks at level 1
-Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-is_last_gpte() is not equivalent to the pseudo-code given in commit
-6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
-value of last_nonleaf_level may override the result even if level == 1.
-
-It is critical for is_last_gpte() to return true on level == 1 to
-terminate page walks. Otherwise memory corruption may occur as level
-is used as an index to various data structures throughout the page
-walking code. Even though the actual bug would be wherever the MMU is
-initialized (as in the previous patch), be defensive and ensure here
-that is_last_gpte() returns the correct value.
-
-This patch is also enough to fix CVE-2017-12188.
-
-Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
-Cc: stable at vger.kernel.org
-Cc: Andy Honig <ahonig at google.com>
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-[Panic if walk_addr_generic gets an incorrect level; this is a serious
- bug and it's not worth a WARN_ON where the recovery path might hide
- further exploitable issues; suggested by Andrew Honig. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/mmu.c | 14 +++++++-------
- arch/x86/kvm/paging_tmpl.h | 3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 3c25f20115bc..7a69cf053711 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
- unsigned level, unsigned gpte)
- {
- /*
-- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
-- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-- */
-- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
--
-- /*
- * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
- * If it is clear, there are no large pages at this level, so clear
- * PT_PAGE_SIZE_MASK in gpte if that is the case.
- */
- gpte &= level - mmu->last_nonleaf_level;
-
-+ /*
-+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
-+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-+ */
-+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-+
- return gpte & PT_PAGE_SIZE_MASK;
- }
-
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 86b68dc5a649..f18d1f8d332b 100644
---- a/arch/x86/kvm/paging_tmpl.h
-+++ b/arch/x86/kvm/paging_tmpl.h
-@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
- --walker->level;
-
- index = PT_INDEX(addr, walker->level);
--
- table_gfn = gpte_to_gfn(pte);
- offset = index * sizeof(pt_element_t);
- pte_gpa = gfn_to_gpa(table_gfn) + offset;
-+
-+ BUG_ON(walker->level < 1);
- walker->table_gfn[walker->level - 1] = table_gfn;
- walker->pte_gpa[walker->level - 1] = pte_gpa;
-
---
-2.11.0
-
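Review bot: this patch and KVM-nVMX-update-last_nonleaf_level-when-initializing.patch chain on arch/x86/kvm/mmu.c (index 3c25f20115bc is that patch's post-image and this one's pre-image) and both cite CVE-2017-12188, so drop them together and confirm both 829ee279aed4 and fd19d3b45164 are in the stable release; the commit message says "as in the previous patch", and only the pair gives both the is_last_gpte() reordering and the BUG_ON(walker->level < 1) guard.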
diff --git a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
deleted file mode 100644
index eefff5b..0000000
--- a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 5 Oct 2017 11:10:22 +0200
-Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
-Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-The function updates context->root_level but didn't call
-update_last_nonleaf_level so the previous and potentially wrong value
-was used for page walks. For example, a zero value of last_nonleaf_level
-would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
-walk_addr_generic function (CVE-2017-12188).
-
-Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/mmu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 106d4a029a8a..3c25f20115bc 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
-
- update_permission_bitmask(vcpu, context, true);
- update_pkru_bitmask(vcpu, context, true);
-+ update_last_nonleaf_level(vcpu, context);
- reset_rsvds_bits_mask_ept(vcpu, context, execonly);
- reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
- }
---
-2.11.0
-
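Review bot: no Cc: stable tag is present on this patch, so double-check that fd19d3b45164 was picked into 4.13 stable alongside 829ee279aed4 before dropping; without the update_last_nonleaf_level() call in kvm_init_shadow_ept_mmu() a stale last_nonleaf_level is used for nested EPT walks, and the companion is_last_gpte() change is only the defensive half of the CVE-2017-12188 fix.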
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
deleted file mode 100644
index f82767d..0000000
--- a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Jim Mattson <jmattson at google.com>
-Date: Tue, 12 Sep 2017 13:02:54 -0700
-Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
-Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
-
-If L1 does not specify the "use TPR shadow" VM-execution control in
-vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
-exiting" VM-execution controls in vmcs02. Failure to do so will give
-the L2 VM unrestricted read/write access to the hardware CR8.
-
-This fixes CVE-2017-12154.
-
-Signed-off-by: Jim Mattson <jmattson at google.com>
-Reviewed-by: David Hildenbrand <david at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/vmx.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
- if (exec_control & CPU_BASED_TPR_SHADOW) {
- vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
- vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
-+ } else {
-+#ifdef CONFIG_X86_64
-+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
-+ CPU_BASED_CR8_STORE_EXITING;
-+#endif
- }
-
- /*
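Review bot: the fix in the dropped hunk forces CPU_BASED_CR8_LOAD_EXITING/CPU_BASED_CR8_STORE_EXITING only in the `else` branch, i.e. when L1 does not set CPU_BASED_TPR_SHADOW, and only under CONFIG_X86_64; when checking the 4.13.9 prepare_vmcs02() that replaces this file, confirm both conditions survived, since a backport that sets the exiting bits unconditionally would change behaviour for TPR-shadow guests rather than just close the CR8 hole. The Bug-Debian-Security line ties this patch to CVE-2017-12154, so the stable-update changelog entry should carry that CVE.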
diff --git a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
deleted file mode 100644
index 91c990c..0000000
--- a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh at amazon.de>
-Date: Thu, 7 Sep 2017 19:02:30 +0100
-Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
-
-The value of the guest_irq argument to vmx_update_pi_irte() is
-ultimately coming from a KVM_IRQFD API call. Do not BUG() in
-vmx_update_pi_irte() if the value is out-of bounds. (Especially,
-since KVM as a whole seems to hang after that.)
-
-Instead, print a message only once if we find that we don't have a
-route for a certain IRQ (which can be out-of-bounds or within the
-array).
-
-This fixes CVE-2017-1000252.
-
-Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
-Signed-off-by: Jan H. Schönherr <jschoenh at amazon.de>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
- struct kvm_lapic_irq irq;
- struct kvm_vcpu *vcpu;
- struct vcpu_data vcpu_info;
-- int idx, ret = -EINVAL;
-+ int idx, ret = 0;
-
- if (!kvm_arch_has_assigned_device(kvm) ||
- !irq_remapping_cap(IRQ_POSTING_CAP) ||
-@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm
-
- idx = srcu_read_lock(&kvm->irq_srcu);
- irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
-- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
-+ if (guest_irq >= irq_rt->nr_rt_entries ||
-+ hlist_empty(&irq_rt->map[guest_irq])) {
-+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
-+ guest_irq, irq_rt->nr_rt_entries);
-+ goto out;
-+ }
-
- hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
- if (e->type != KVM_IRQ_ROUTING_MSI)
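Review bot: worth noting before the local copy goes away: in this hunk `ret` now defaults to 0 and the no-route path does `goto out`, so a KVM_IRQFD call with an out-of-range guest_irq, which used to hit BUG_ON(), now returns success to userspace and is logged only once per boot (pr_warn_once). That is upstream's choice for CVE-2017-1000252; confirm the stable backport in 4.13.9 makes the same choice, and if it instead returns an error, say so in the changelog, because anyone monitoring hosts for the "no route for guest_irq" warning should know it fires at most once.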
diff --git a/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch b/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch
new file mode 100644
index 0000000..5da901b
--- /dev/null
+++ b/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch
@@ -0,0 +1,141 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 22:16:38 +0200
+Subject: dax: Avoid ABI change in 4.13.5
+Forwarded: not-needed
+
+Commit c3ca015fab6d ("dax: remove the pmem_dax_ops->flush
+abstraction") removed dax_operations::flush and
+target_type::dax_flush, resulting in an ABI change. Add these
+operations back but don't restore any of the calls to them. To keep
+existing callers working during an incomplete kernel upgrade, change
+all the implementations to directly do arch_wb_cache_pmem(), just as
+dax_flush() does in the new kernel.
+
+Don't change dax_flush() back; it shouldn't have any out-of-tree
+callers.
+
+---
+--- a/drivers/md/dm-linear.c
++++ b/drivers/md/dm-linear.c
+@@ -184,6 +184,14 @@ static size_t linear_dax_copy_from_iter(
+ return dax_copy_from_iter(dax_dev, pgoff, addr, bytes, i);
+ }
+
++static void linear_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
++ size_t size)
++{
++#ifdef CONFIG_ARCH_HAS_PMEM_API
++ arch_wb_cache_pmem(addr, size);
++#endif
++}
++
+ static struct target_type linear_target = {
+ .name = "linear",
+ .version = {1, 4, 0},
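Review bot: linear_dax_flush() ignores both `ti` and `pgoff` and writes back the cache for `addr` directly; that matches the description (the new dax_flush() does the same, and `addr` is the kernel address handed out by direct_access), but a one-line comment inside the function saying it is a compatibility stub for out-of-tree callers would stop someone later "fixing" it to remap through the target. The same applies to stripe_dax_flush() and dm_dax_flush() below.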
+@@ -198,6 +206,7 @@ static struct target_type linear_target
+ .iterate_devices = linear_iterate_devices,
+ .direct_access = linear_dax_direct_access,
+ .dax_copy_from_iter = linear_dax_copy_from_iter,
++ .dax_flush = linear_dax_flush,
+ };
+
+ int __init dm_linear_init(void)
+--- a/drivers/md/dm-stripe.c
++++ b/drivers/md/dm-stripe.c
+@@ -458,6 +458,14 @@ static void stripe_io_hints(struct dm_ta
+ blk_limits_io_opt(limits, chunk_size * sc->stripes);
+ }
+
++static void stripe_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
++ size_t size)
++{
++#ifdef CONFIG_ARCH_HAS_PMEM_API
++ arch_wb_cache_pmem(addr, size);
++#endif
++}
++
+ static struct target_type stripe_target = {
+ .name = "striped",
+ .version = {1, 6, 0},
+@@ -472,6 +480,7 @@ static struct target_type stripe_target
+ .io_hints = stripe_io_hints,
+ .direct_access = stripe_dax_direct_access,
+ .dax_copy_from_iter = stripe_dax_copy_from_iter,
++ .dax_flush = stripe_dax_flush,
+ };
+
+ int __init dm_stripe_init(void)
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -993,6 +993,14 @@ static size_t dm_dax_copy_from_iter(stru
+ return ret;
+ }
+
++static void dm_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, void *addr,
++ size_t size)
++{
++#ifdef CONFIG_ARCH_HAS_PMEM_API
++ arch_wb_cache_pmem(addr, size);
++#endif
++}
++
+ /*
+ * A target may call dm_accept_partial_bio only from the map routine. It is
+ * allowed for all bio types except REQ_PREFLUSH.
+@@ -2980,6 +2988,7 @@ static const struct block_device_operati
+ static const struct dax_operations dm_dax_ops = {
+ .direct_access = dm_dax_direct_access,
+ .copy_from_iter = dm_dax_copy_from_iter,
++ .flush = dm_dax_flush,
+ };
+
+ /*
+--- a/drivers/nvdimm/pmem.c
++++ b/drivers/nvdimm/pmem.c
+@@ -243,9 +243,16 @@ static size_t pmem_copy_from_iter(struct
+ return copy_from_iter_flushcache(addr, bytes, i);
+ }
+
++static void pmem_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff,
++ void *addr, size_t size)
++{
++ arch_wb_cache_pmem(addr, size);
++}
++
+ static const struct dax_operations pmem_dax_ops = {
+ .direct_access = pmem_dax_direct_access,
+ .copy_from_iter = pmem_copy_from_iter,
++ .flush = pmem_dax_flush,
+ };
+
+ static const struct attribute_group *pmem_attribute_groups[] = {
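Review bot: pmem_dax_flush() calls arch_wb_cache_pmem() unguarded, while the three dm variants wrap the identical call in #ifdef CONFIG_ARCH_HAS_PMEM_API. Either the pmem driver can rely on a stub being available when the option is off, in which case the guards in the dm files are unnecessary, or it cannot and this needs the same guard; pick one and say which in the description so the build on architectures without ARCH_HAS_PMEM_API is clearly covered.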
+--- a/include/linux/dax.h
++++ b/include/linux/dax.h
+@@ -19,6 +19,8 @@ struct dax_operations {
+ /* copy_from_iter: required operation for fs-dax direct-i/o */
+ size_t (*copy_from_iter)(struct dax_device *, pgoff_t, void *, size_t,
+ struct iov_iter *);
++ /* flush: should be unused */
++ void (*flush)(struct dax_device *, pgoff_t, void *, size_t);
+ };
+
+ extern struct attribute_group dax_attribute_group;
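Review bot: `/* flush: should be unused */` undersells the situation; say that the member exists only to preserve the 4.13.4 symbol versions and has no in-tree caller, so nobody adds one. It would also help to state in the description that .flush (and target_type::dax_flush below) is restored at its original position after .copy_from_iter, since matching the old layout is the whole point of the patch.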
+--- a/include/linux/device-mapper.h
++++ b/include/linux/device-mapper.h
+@@ -134,6 +134,8 @@ typedef long (*dm_dax_direct_access_fn)
+ long nr_pages, void **kaddr, pfn_t *pfn);
+ typedef size_t (*dm_dax_copy_from_iter_fn)(struct dm_target *ti, pgoff_t pgoff,
+ void *addr, size_t bytes, struct iov_iter *i);
++typedef void (*dm_dax_flush_fn)(struct dm_target *ti, pgoff_t pgoff, void *addr,
++ size_t size);
+ #define PAGE_SECTORS (PAGE_SIZE / 512)
+
+ void dm_error(const char *message);
+@@ -184,6 +186,7 @@ struct target_type {
+ dm_io_hints_fn io_hints;
+ dm_dax_direct_access_fn direct_access;
+ dm_dax_copy_from_iter_fn dax_copy_from_iter;
++ dm_dax_flush_fn dax_flush;
+
+ /* For internal device-mapper use. */
+ struct list_head list;
diff --git a/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
new file mode 100644
index 0000000..03555be
--- /dev/null
+++ b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 22:38:57 +0200
+Subject: Revert "bpf: one perf event close won't free bpf program attached ..."
+Forwarded: not-needed
+
+This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was
+commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream. It introduces
+an ABI break that's not easily avoidable. The bug it fixes doesn't seem
+to have any security impact.
+
+---
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -277,7 +277,6 @@ struct trace_event_call {
+ int perf_refcount;
+ struct hlist_head __percpu *perf_events;
+ struct bpf_prog *prog;
+- struct perf_event *bpf_prog_owner;
+
+ int (*perf_perm)(struct trace_event_call *,
+ struct perf_event *);
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8126,7 +8126,6 @@ static int perf_event_set_bpf_prog(struc
+ }
+ }
+ event->tp_event->prog = prog;
+- event->tp_event->bpf_prog_owner = event;
+
+ return 0;
+ }
+@@ -8141,7 +8140,7 @@ static void perf_event_free_bpf_prog(str
+ return;
+
+ prog = event->tp_event->prog;
+- if (prog && event->tp_event->bpf_prog_owner == event) {
++ if (prog) {
+ event->tp_event->prog = NULL;
+ bpf_prog_put(prog);
+ }
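Review bot: with bpf_prog_owner gone, perf_event_free_bpf_prog() puts tp_event->prog for whichever event is closed first, so when two perf events share a tracepoint and one of them attached the program, closing the other detaches and frees it from under the first. The hunk does clear tp_event->prog before bpf_prog_put(), so there is no double put, which is presumably the basis for "no security impact"; please write that reasoning into the description and leave a TODO to re-apply ec9dd352d591 at the next ABI bump, otherwise the regression is easy to forget.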
diff --git a/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch b/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch
new file mode 100644
index 0000000..16ca95e
--- /dev/null
+++ b/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch
@@ -0,0 +1,22 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 11:59:43 +0200
+Subject: SCSI: Avoid ABI change in 4.13.6
+Forwarded: not-needed
+
+Hide the new bitfield from genksyms, as it's using what used to be a
+padding bit.
+
+---
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -182,7 +182,10 @@ struct scsi_device {
+ unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
+ unsigned broken_fua:1; /* Don't set FUA bit */
+ unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */
++#ifndef __GENKSYMS__
+ unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
++ /* 19 unused bits */
++#endif
+
+ atomic_t disk_events_disable_depth; /* disable depth for disk events */
+
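Review bot: hiding unmap_limit_for_ws:1 from genksyms only keeps the ABI honest if the bit really was padding in the same word, so that the struct size and the offset of disk_events_disable_depth are unchanged; the `/* 19 unused bits */` comment sits inside the #ifndef and so never reaches genksyms, which is fine, but please put the before/after bit count (or pahole output) in the description so the "used to be a padding bit" claim can be checked later without redoing the work.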
diff --git a/debian/patches/series b/debian/patches/series
index 408d183..1f9d81a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
-bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
# Miscellaneous features
@@ -114,27 +113,11 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
-bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
-bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
-bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
-bugfix/all/fix-infoleak-in-waitid-2.patch
-bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
-bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
-bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
-bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
-bugfix/all/waitid-Add-missing-access_ok-checks.patch
-bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
-bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
-bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
bugfix/all/module-disable-matching-missing-version-crc.patch
-# ABI maintenance
-
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
@@ -146,3 +129,8 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/cpupower-bump-soname-version.patch
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
bugfix/all/tools-lib-lockdep-define-pr_cont.patch
+
+# ABI maintenance
+debian/scsi-avoid-abi-change-in-4.13.6.patch
+debian/dax-avoid-abi-change-in-4.13.5.patch
+debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
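Review bot: the three new entries go under "# ABI maintenance", but the bpf one is a revert of an upstream stable fix rather than a symbol-version tweak; a comment next to it naming the reverted commit (dcc738d39315 / ec9dd352d591) would make sure it is dropped at the next ABI bump instead of lingering. Moving the "# ABI maintenance" header from before "# Tools bug fixes" to the end of the file is fine, as the three patches touch files disjoint from the tools fixes.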
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git