[linux] 01/01: Update to 4.13.9

Thu Oct 26 20:41:18 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 48bb38a3f7526c1fdca7afb79bf01f1d64bec3df
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Oct 26 11:12:11 2017 +0200

    Update to 4.13.9
    
    Drop many patches which are now upstream.
    
    Avoid/ignore ABI changes as appropriate.
---
 debian/changelog                                   | 327 ++++++++++++++++++++-
 debian/config/defines                              |   3 +
 ...seq-Fix-use-after-free-at-creating-a-port.patch | 141 ---------
 .../KEYS-prevent-KEYCTL_READ-on-negative-key.patch |  81 -----
 ...d-length-check-in-brcmf_cfg80211_escan_ha.patch |  72 -----
 .../bugfix/all/fix-infoleak-in-waitid-2.patch      |  66 -----
 ...x-deadlock-in-driver-managed-RX-BA-sessio.patch | 151 ----------
 ...-the-required-netlink-attributes-presence.patch |  36 ---
 ...-Use-emergency-stack-for-kernel-TM-Bad-Th.patch |  79 -----
 ...tm-Fix-illegal-TM-state-in-signal-handler.patch |  62 ----
 ...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch |  55 ----
 ...-aty-do-not-leak-uninitialized-padding-in.patch |  30 --
 .../all/waitid-Add-missing-access_ok-checks.patch  |  47 ---
 ...MU-always-terminate-page-walks-at-level-1.patch |  83 ------
 ...date-last_nonleaf_level-when-initializing.patch |  34 ---
 ...don-t-allow-l2-to-access-the-hardware-cr8.patch |  34 ---
 ...vmx-do-not-bug-on-out-of-bounds-guest-irq.patch |  52 ----
 .../debian/dax-avoid-abi-change-in-4.13.5.patch    | 141 +++++++++
 ...f-event-close-won-t-free-bpf-program-atta.patch |  40 +++
 .../debian/scsi-avoid-abi-change-in-4.13.6.patch   |  22 ++
 debian/patches/series                              |  22 +-
 21 files changed, 537 insertions(+), 1041 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 802eae7..7a023d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,334 @@
-linux (4.13.4-3) UNRELEASED; urgency=medium
+linux (4.13.9-1) UNRELEASED; urgency=medium
 
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
+    - cifs: check rsp for NULL before dereferencing in SMB2_open
+    - cifs: release cifs root_cred after exit_cifs
+    - cifs: release auth_key.response for reconnect.
+    - nvme-pci: fix host memory buffer allocation fallback
+    - nvme-pci: use appropriate initial chunk size for HMB allocation
+    - nvme-pci: propagate (some) errors from host memory buffer setup
+    - dax: remove the pmem_dax_ops->flush abstraction
+    - dm integrity: do not check integrity for failed read operations
+    - mmc: block: Fix incorrectly initialized requests
+    - fs/proc: Report eip/esp in /prod/PID/stat for coredumping
+    - scsi: scsi_transport_fc: fix NULL pointer dereference in
+      fc_bsg_job_timeout
+    - cifs: SMB3: Add support for multidialect negotiate (SMB2.1 and later)
+    - mac80211: fix VLAN handling with TXQs
+    - mac80211_hwsim: Use proper TX power
+    - mac80211: flush hw_roc_start work before cancelling the ROC
+    - genirq: Make sparse_irq_lock protect what it should protect
+    - genirq/msi: Fix populating multiple interrupts
+    - genirq: Fix cpumask check in __irq_startup_managed()
+    - [powerpc*] KVM: Book3S HV: Hold kvm->lock around call to
+      kvmppc_update_lpcr
+    - [powerpc*] KVM: Book3S HV: Fix bug causing host SLB to be restored
+      incorrectly
+    - [powerpc*] KVM: PPC: Book3S HV: Don't access XIVE PIPR register using
+      byte accesses
+    - tracing: Fix trace_pipe behavior for instance traces
+    - tracing: Erase irqsoff trace with empty write
+    - tracing: Remove RCU work arounds from stack tracer
+    - md/raid5: fix a race condition in stripe batch
+    - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
+    - scsi: aacraid: Fix 2T+ drives on SmartIOC-2000
+    - scsi: aacraid: Add a small delay after IOP reset
+    - [armhf] drm/exynos: Fix locking in the suspend/resume paths
+    - [x86] drm/i915/gvt: Fix incorrect PCI BARs reporting
+    - Revert "drm/i915/bxt: Disable device ready before shutdown command"
+    - drm/amdgpu: revert tile table update for oland
+    - drm/radeon: disable hard reset in hibernate for APUs
+    - crypto: drbg - fix freeing of resources
+    - security/keys: properly zero out sensitive key material in big_key
+    - security/keys: rewrite all of big_key crypto
+    - KEYS: fix writing past end of user-supplied buffer in keyring_read()
+    - KEYS: prevent creating a different user's keyrings
+    - [x86] libnvdimm, namespace: fix btt claim class crash
+    - [powerpc*] eeh: Create PHB PEs after EEH is initialized
+    - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
+    - [powerpc*] tm: Flush TM only if CPU has TM feature
+    - [mips*] Fix perf event init
+    - [s390x] perf: fix bug when creating per-thread event
+    - [s390x] mm: make pmdp_invalidate() do invalidation only
+    - [s390x] mm: fix write access check in gup_huge_pmd()
+    - PM: core: Fix device_pm_check_callbacks()
+    - Revert "IB/ipoib: Update broadcast object if PKey value was changed in
+      index 0"
+    - cifs: Fix SMB3.1.1 guest authentication to Samba
+    - cifs: SMB3: Fix endian warning
+    - cifs: SMB3: Warn user if trying to sign connection that authenticated as
+      guest
+    - cifs: SMB: Validate negotiate (to protect against downgrade) even if
+      signing off
+    - cifs: SMB3: handle new statx fields
+    - cifs: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+    - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+    - libceph: don't allow bidirectional swap of pg-upmap-items
+    - brd: fix overflow in __brd_direct_access
+    - gfs2: Fix debugfs glocks dump
+    - bsg-lib: don't free job in bsg_prepare_job
+    - iw_cxgb4: drop listen destroy replies if no ep found
+    - iw_cxgb4: remove the stid on listen create failure
+    - iw_cxgb4: put ep reference in pass_accept_req()
+    - rcu: Allow for page faults in NMI handlers
+    - mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
+    - extable: Consolidate *kernel_text_address() functions
+    - extable: Enable RCU if it is not watching in kernel_text_address()
+    - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
+    - [arm64] Make sure SPsel is always set
+    - [arm64] mm: Use READ_ONCE when dereferencing pointer to pte table
+    - [arm64] fault: Route pte translation faults via do_translation_fault
+    - [x86] KVM: VMX: extract __pi_post_block
+    - [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
+    - [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
+    - [x86] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache
+    - [x86] kvm: Handle async PF in RCU read-side critical sections
+    - xfs: validate bdev support for DAX inode flag
+    - sched/sysctl: Check user input value of sysctl_sched_time_avg
+    - irq/generic-chip: Don't replace domain's name
+    - mtd: Fix partition alignment check on multi-erasesize devices
+    - [armhf] etnaviv: fix submit error path
+    - [armhf] etnaviv: fix gem object list corruption
+    - futex: Fix pi_state->owner serialization
+    - md: fix a race condition for flush request handling
+    - md: separate request handling
+    - PCI: Fix race condition with driver_override
+    - btrfs: fix NULL pointer dereference from free_reloc_roots()
+    - btrfs: clear ordered flag on cleaning up ordered extents
+    - btrfs: finish ordered extent cleaning if no progress is found
+    - btrfs: propagate error to btrfs_cmp_data_prepare caller
+    - btrfs: prevent to set invalid default subvolid
+    - [x86] platform: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt
+    - PM / OPP: Call notifier without holding opp_table->lock
+    - [x86] mm: Fix fault error path using unsafe vma pointer
+    - [x86] fpu: Don't let userspace set bogus xcomp_bv
+    - [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
+    - [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
+    - [x86] KVM: VMX: use cmpxchg64
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
+    - [armhf,arm64] usb: dwc3: ep0: fix DMA starvation by assigning req->trb on
+      ep0
+    - mlxsw: spectrum: Fix EEPROM access in case of SFP/SFP+
+    - net: bonding: Fix transmit load balancing in balance-alb mode if
+      specified by sysfs
+    - openvswitch: Fix an error handling path in
+      'ovs_nla_init_match_and_action()'
+    - net: bonding: fix tlb_dynamic_lb default value
+    - net_sched: gen_estimator: fix scaling error in bytes/packets samples
+    - net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
+    - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
+    - tcp: update skb->skb_mstamp more carefully
+    - bpf/verifier: reject BPF_ALU64|BPF_END
+    - tcp: fix data delivery rate
+    - udpv6: Fix the checksum computation when HW checksum does not apply
+    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
+    - net: phy: Fix mask value write on gmii2rgmii converter speed register
+    - ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
+    - net/sched: cls_matchall: fix crash when used with classful qdisc
+    - 8139too: revisit napi_complete_done() usage
+    - bpf: do not disable/enable BH in bpf_map_free_id()
+    - tcp: fastopen: fix on syn-data transmit failure
+    - [powerpc*] net: emac: Fix napi poll list corruption
+    - net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure
+    - packet: hold bind lock when rebinding to fanout hook
+    - net: change skb->mac_header when Generic XDP calls adjust_head
+    - net_sched: always reset qdisc backlog in qdisc_reset()
+    - [armhf,arm64] net: stmmac: Cocci spatch "of_table"
+    - [arm64] net: qcom/emac: specify the correct size when mapping a DMA buffer
+    - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
+    - l2tp: fix race condition in l2tp_tunnel_delete
+    - tun: bail out from tun_get_user() if the skb is empty
+    - [armhf,arm64] net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple
+      vlans
+    - [armhf,arm64] net: dsa: Fix network device registration order
+    - packet: in packet_do_bind, test fanout with bind_lock held
+    - packet: only test po->has_vnet_hdr once in packet_snd
+    - [armhf,arm64] net: dsa: mv88e6xxx: lock mutex when freeing IRQs
+    - net: Set sk_prot_creator when cloning sockets to the right proto
+    - net/mlx5e: IPoIB, Fix access to invalid memory address
+    - netlink: do not proceed if dump's start() errs
+    - ip6_gre: ip6gre_tap device should keep dst
+    - ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
+    - IPv4: early demux can return an error code
+    - tipc: use only positive error codes in messages
+    - l2tp: fix l2tp_eth module loading
+    - socket, bpf: fix possible use after free
+    - net: rtnetlink: fix info leak in RTM_GETSTATS call
+    - [amd64] bpf: fix bpf_tail_call() x64 JIT
+    - usb: gadget: core: fix ->udc_set_speed() logic
+    - USB: gadgetfs: Fix crash caused by inadequate synchronization
+    - USB: gadgetfs: fix copy_to_user while holding spinlock
+    - usb: gadget: udc: atmel: set vbus irqflags explicitly
+    - usb-storage: unusual_devs entry to fix write-access regression for
+      Seagate external drives
+    - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
+    - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
+    - usb: pci-quirks.c: Corrected timeout values used in handshake
+    - USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
+    - USB: dummy-hcd: fix connection failures (wrong speed)
+    - USB: dummy-hcd: fix infinite-loop resubmission bug
+    - USB: dummy-hcd: Fix erroneous synchronization change
+    - USB: devio: Prevent integer overflow in proc_do_submiturb()
+    - USB: devio: Don't corrupt user memory
+    - USB: g_mass_storage: Fix deadlock when driver is unbound
+    - USB: uas: fix bug in handling of alternate settings
+    - USB: core: harden cdc_parse_cdc_header
+    - usb: Increase quirk delay for USB devices
+    - USB: fix out-of-bounds in usb_set_configuration
+    - usb: xhci: Free the right ring in xhci_add_endpoint()
+    - xhci: fix finding correct bus_state structure for USB 3.1 hosts
+    - xhci: fix wrong endpoint ESIT value shown in tracing
+    - usb: host: xhci-plat: allow sysdev to inherit from ACPI
+    - xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
+    - xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
+    - [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
+    - [armhf] iio: adc: twl4030: Fix an error handling path in
+      'twl4030_madc_probe()'
+    - [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
+      handling path of 'twl4030_madc_probe()'
+    - iio: core: Return error for failed read_reg
+    - uwb: properly check kthread_run return value
+    - uwb: ensure that endpoint is interrupt
+    - ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
+    - mm, hugetlb, soft_offline: save compound page order before page migration
+    - mm, oom_reaper: skip mm structs with mmu notifiers
+    - mm: fix RODATA_TEST failure "rodata_test: test data was not read only"
+    - mm: avoid marking swap cached page as lazyfree
+    - mm: fix data corruption caused by lazyfree page
+    - userfaultfd: non-cooperative: fix fork use after free
+    - ALSA: compress: Remove unused variable
+    - Revert "ALSA: echoaudio: purge contradictions between dimension matrix
+      members and total number of members"
+    - ALSA: usx2y: Suppress kernel warning at page allocation failures
+    - [powerpc*] powernv: Increase memory block size to 1GB on radix
+    - [powerpc*] Fix action argument for cpufeatures-based TLB flush
+    - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
+    - [x86] intel_th: pci: Add Lewisburg PCH support
+    - driver core: platform: Don't read past the end of "driver_override" buffer
+    - cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute()
+      returns
+    - [x86] Drivers: hv: fcopy: restore correct transfer length
+    - [x86] vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
+    - ftrace: Fix kmemleak in unregister_ftrace_graph
+    - ovl: fix error value printed in ovl_lookup_index()
+    - ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
+    - ovl: fix dentry leak in ovl_indexdir_cleanup()
+    - ovl: fix missing unlock_rename() in ovl_do_copy_up()
+    - ovl: fix regression caused by exclusive upper/work dir protection
+    - [arm64] dt marvell: Fix AP806 system controller size
+    - [arm64] Ensure the instruction emulation is ready for userspace
+    - HID: rmi: Make sure the HID device is opened on resume
+    - HID: i2c-hid: allocate hid buffers for real worst case
+    - HID: wacom: leds: Don't try to control the EKR's read-only LEDs
+    - HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
+    - HID: wacom: Correct coordinate system of touchring and pen twist
+    - HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
+    - HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
+    - HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
+    - HID: wacom: bits shifted too much for 9th and 10th buttons
+    - btrfs: avoid overflow when sector_t is 32 bit
+    - Btrfs: fix overlap of fs_info::flags values
+    - dm crypt: reject sector_size feature if device length is not aligned to it
+    - dm ioctl: fix alignment of event number in the device list
+    - dm crypt: fix memory leak in crypt_ctr_cipher_old()
+    - [powerpc*] KVM: Book3S: Fix server always zero from kvmppc_xive_get_xive()
+    - [x86] kvm: Avoid async PF preempting the kernel incorrectly
+    - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
+    - scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
+    - scsi: sd: Do not override max_sectors_kb sysfs setting
+    - brcmfmac: setup passive scan if requested by user-space
+    - [x86] drm/i915: always update ELD connector type after get modes
+    - [x86] drm/i915/bios: ignore HDMI on port A
+    - bsg-lib: fix use-after-free under memory-pressure
+    - nvme-pci: Use PCI bus address for data/queues in CMB
+    - mmc: core: add driver strength selection when selecting hs400es
+    - nl80211: Define policy for packet pattern attributes
+    - [armhf] clk: samsung: exynos4: Enable VPLL and EPLL clocks for
+      suspend/resume cycle
+    - udp: perform source validation for mcast early demux
+    - udp: fix bcast packet reception
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.7
+    - watchdog: Revert "iTCO_wdt: all versions count down twice"
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8
+    - USB: dummy-hcd: Fix deadlock caused by disconnect detection
+    - [mips*] math-emu: Remove pr_err() calls from fpu_emu()
+    - [mips*] bpf: Fix uninitialised target compiler error
+    - [x86] mei: always use domain runtime pm callbacks.
+    - [armhf] dmaengine: edma: Align the memcpy acnt array size with the
+      transfer
+    - [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
+      dma_inuse
+    - NFS: Fix uninitialized rpc_wait_queue
+    - nfs/filelayout: fix oops when freeing filelayout segment
+    - HID: usbhid: fix out-of-bounds bug
+    - crypto: skcipher - Fix crash on zero-length input
+    - crypto: shash - Fix zero-length shash ahash digest crash
+    - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
+    - [x86] pinctrl/amd: Fix build dependency on pinmux code
+    - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
+    - device property: Track owner device of device property
+    - Revert "vmalloc: back off when the current task is killed"
+    - fs/mpage.c: fix mpage_writepage() for pages with buffers
+    - ALSA: usb-audio: Kill stray URB at exiting
+    - ALSA: seq: Fix copy_from_user() call inside lock
+    - ALSA: caiaq: Fix stray URB at probe error path
+    - ALSA: line6: Fix NULL dereference at podhd_disconnect()
+    - ALSA: line6: Fix missing initialization before error path
+    - ALSA: line6: Fix leftover URB at error-path during probe
+    - drm/atomic: Unref duplicated drm_atomic_state in
+      drm_atomic_helper_resume()
+    - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+    - [x86] drm/i915: Read timings from the correct transcoder in
+      intel_crtc_mode_get()
+    - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
+      AUX channel
+    - [x86] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
+    - usb: gadget: configfs: Fix memory leak of interface directory data
+    - usb: gadget: composite: Fix use-after-free in
+      usb_composite_overwrite_options
+    - [arm64] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping
+      functions
+    - [armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"
+    - direct-io: Prevent NULL pointer access in submit_page_section
+    - fix unbalanced page refcounting in bio_map_user_iov
+    - more bio_map_user_iov() leak fixes
+    - bio_copy_user_iov(): don't ignore ->iov_offset
+    - perf script: Add missing separator for "-F ip,brstack" (and brstackoff)
+    - genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
+    - genirq/cpuhotplug: Add sanity check for effective affinity mask
+    - USB: serial: cp210x: fix partnum regression
+    - USB: serial: console: fix use-after-free on disconnect
+    - USB: serial: console: fix use-after-free after failed setup
+    - RAS/CEC: Use the right length for "cec_disable"
+    - [x86] alternatives: Fix alt_max_short macro to really be a max()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.9
+    - [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on CPUs
+      without the feature
+    - [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on
+      hypervisors
+    - [armhf,arm64] perf pmu: Unbreak perf record for arm/arm64 with events
+      with explicit PMU
+    - mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE outside of lock
+    - HID: hid-elecom: extend to fix descriptor for HUGE trackball
+    - [x86] Drivers: hv: vmbus: Fix rescind handling issues
+    - [x86] Drivers: hv: vmbus: Fix bugs in rescind handling
+    - [x86] vmbus: simplify hv_ringbuffer_read
+    - [x86] vmbus: refactor hv_signal_on_read
+    - [x86] vmbus: eliminate duplicate cached index
+    - [x86] vmbus: more host signalling avoidance
+
+  [ Ben Hutchings ]
   * [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911)
   * Update build dependencies on libbabeltrace[,-ctf}-dev
   * linux-kbuild: Include scripts/ld-version.sh, needed for powerpc 64-bit
     modules
+  * dax: Avoid most ABI changes in 4.13.5
+  * SCSI: Avoid ABI change in 4.13.6
+  * [x86] kvm: Ignore ABI change in 4.13.6
+  * seq-virmidi: Ignore ABI change in 4.13.8
+  * Revert "bpf: one perf event close won't free bpf program attached ..."
+    to avoid an ABI change
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 18 Oct 2017 20:03:01 +0100
 
diff --git a/debian/config/defines b/debian/config/defines
index 2eaeb0e..74152f6 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -4,7 +4,9 @@ ignore-changes:
  __cpuhp_*
  bpf_analyzer
  cxl_*
+ dax_flush
  iommu_device_*
+ kvm_async_pf_task_wait
  mm_iommu_*
  perf_*
  register_cxl_calls
@@ -30,6 +32,7 @@ ignore-changes:
  module:fs/nfs/**
  module:net/ceph/libceph
  module:net/l2tp/l2tp_core
+ module:sound/core/seq/snd-seq-virmidi
  module:sound/firewire/snd-firewire-lib
 # btree library is only selected by few drivers so not useful OOT
  btree_*
diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
deleted file mode 100644
index f9026ce..0000000
--- a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Mon, 9 Oct 2017 11:09:20 +0200
-Subject: ALSA: seq: Fix use-after-free at creating a port
-Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265
-
-There is a potential race window opened at creating and deleting a
-port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
-a port object and returns its pointer, but it doesn't take the
-refcount, thus it can be deleted immediately by another thread.
-Meanwhile, snd_seq_ioctl_create_port() still calls the function
-snd_seq_system_client_ev_port_start() with the created port object
-that is being deleted, and this triggers use-after-free like:
-
- BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
- =============================================================================
- BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
- -----------------------------------------------------------------------------
- INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
- 	___slab_alloc+0x425/0x460
- 	__slab_alloc+0x20/0x40
-  	kmem_cache_alloc_trace+0x150/0x190
-	snd_seq_create_port+0x94/0x9b0 [snd_seq]
-	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
- 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- 	snd_seq_ioctl+0x40/0x80 [snd_seq]
- 	do_vfs_ioctl+0x54b/0xda0
- 	SyS_ioctl+0x79/0x90
- 	entry_SYSCALL_64_fastpath+0x16/0x75
- INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
- 	__slab_free+0x204/0x310
- 	kfree+0x15f/0x180
- 	port_delete+0x136/0x1a0 [snd_seq]
- 	snd_seq_delete_port+0x235/0x350 [snd_seq]
- 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
- 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
- 	snd_seq_ioctl+0x40/0x80 [snd_seq]
- 	do_vfs_ioctl+0x54b/0xda0
- 	SyS_ioctl+0x79/0x90
- 	entry_SYSCALL_64_fastpath+0x16/0x75
- Call Trace:
-  [<ffffffff81b03781>] dump_stack+0x63/0x82
-  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
-  [<ffffffff81536db4>] object_err+0x34/0x40
-  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
-  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
-  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
-  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
-  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
-  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
-  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
-  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
-  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
-  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
-  .....
-
-We may fix this in a few different ways, and in this patch, it's fixed
-simply by taking the refcount properly at snd_seq_create_port() and
-letting the caller unref the object after use.  Also, there is another
-potential use-after-free by sprintf() call in snd_seq_create_port(),
-and this is moved inside the lock.
-
-This fix covers CVE-2017-15265.
-
-Reported-and-tested-by: Michael23 Yu <ycqzsy at gmail.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/core/seq/seq_clientmgr.c | 6 +++++-
- sound/core/seq/seq_ports.c     | 7 +++++--
- 2 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index ea2d0ae85bd3..6c9cba2166d9 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- 	struct snd_seq_port_info *info = arg;
- 	struct snd_seq_client_port *port;
- 	struct snd_seq_port_callback *callback;
-+	int port_idx;
- 
- 	/* it is not allowed to create the port for an another client */
- 	if (info->addr.client != client->number)
-@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- 		return -ENOMEM;
- 
- 	if (client->type == USER_CLIENT && info->kernel) {
--		snd_seq_delete_port(client, port->addr.port);
-+		port_idx = port->addr.port;
-+		snd_seq_port_unlock(port);
-+		snd_seq_delete_port(client, port_idx);
- 		return -EINVAL;
- 	}
- 	if (client->type == KERNEL_CLIENT) {
-@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
- 
- 	snd_seq_set_port_info(port, info);
- 	snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
-+	snd_seq_port_unlock(port);
- 
- 	return 0;
- }
-diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
-index 0a7020c82bfc..d21ece9f8d73 100644
---- a/sound/core/seq/seq_ports.c
-+++ b/sound/core/seq/seq_ports.c
-@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
- }
- 
- 
--/* create a port, port number is returned (-1 on failure) */
-+/* create a port, port number is returned (-1 on failure);
-+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
-+ */
- struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- 						int port)
- {
-@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- 	snd_use_lock_init(&new_port->use_lock);
- 	port_subs_info_init(&new_port->c_src);
- 	port_subs_info_init(&new_port->c_dest);
-+	snd_use_lock_use(&new_port->use_lock);
- 
- 	num = port >= 0 ? port : 0;
- 	mutex_lock(&client->ports_mutex);
-@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
- 	list_add_tail(&new_port->list, &p->list);
- 	client->num_ports++;
- 	new_port->addr.port = num;	/* store the port number in the port */
-+	sprintf(new_port->name, "port-%d", num);
- 	write_unlock_irqrestore(&client->ports_lock, flags);
- 	mutex_unlock(&client->ports_mutex);
--	sprintf(new_port->name, "port-%d", num);
- 
- 	return new_port;
- }
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch b/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
deleted file mode 100644
index e34ea9b..0000000
--- a/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Mon, 18 Sep 2017 11:37:23 -0700
-Subject: KEYS: prevent KEYCTL_READ on negative key
-Origin: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12192
-
-Because keyctl_read_key() looks up the key with no permissions
-requested, it may find a negatively instantiated key.  If the key is
-also possessed, we went ahead and called ->read() on the key.  But the
-key payload will actually contain the ->reject_error rather than the
-normal payload.  Thus, the kernel oopses trying to read the
-user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.
-
-Fortunately the payload data is stored inline, so it shouldn't be
-possible to abuse this as an arbitrary memory read primitive...
-
-Reproducer:
-    keyctl new_session
-    keyctl request2 user desc '' @s
-    keyctl read $(keyctl show | awk '/user: desc/ {print $1}')
-
-It causes a crash like the following:
-     BUG: unable to handle kernel paging request at 00000000ffffff92
-     IP: user_read+0x33/0xa0
-     PGD 36a54067 P4D 36a54067 PUD 0
-     Oops: 0000 [#1] SMP
-     CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
-     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
-     task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
-     RIP: 0010:user_read+0x33/0xa0
-     RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
-     RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
-     RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
-     RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
-     R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
-     R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
-     FS:  00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
-     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-     CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
-     Call Trace:
-      keyctl_read_key+0xac/0xe0
-      SyS_keyctl+0x99/0x120
-      entry_SYSCALL_64_fastpath+0x1f/0xbe
-     RIP: 0033:0x7f58ec787bb9
-     RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
-     RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
-     RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
-     RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
-     R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
-     R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
-     Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
-     RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
-     CR2: 00000000ffffff92
-
-Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
-Cc: <stable at vger.kernel.org>	[v3.13+]
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/keyctl.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index aa1d11a29136..365ff85d7e27 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
- 
- 	key = key_ref_to_ptr(key_ref);
- 
-+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
-+		ret = -ENOKEY;
-+		goto error2;
-+	}
-+
- 	/* see if we can read it directly */
- 	ret = key_permission(key_ref, KEY_NEED_READ);
- 	if (ret == 0)
--- 
-2.15.0.rc0
-
diff --git a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
deleted file mode 100644
index 0ada348..0000000
--- a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Arend Van Spriel <arend.vanspriel at broadcom.com>
-Date: Tue, 12 Sep 2017 10:47:53 +0200
-Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
-Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786
-
-Upon handling the firmware notification for scans the length was
-checked properly and may result in corrupting kernel heap memory
-due to buffer overruns. This fix addresses CVE-2017-0786.
-
-Cc: stable at vger.kernel.org # v4.0.x
-Cc: Kevin Cernekee <cernekee at chromium.org>
-Reviewed-by: Hante Meuleman <hante.meuleman at broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts at broadcom.com>
-Reviewed-by: Franky Lin <franky.lin at broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
-Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c    | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-index aaed4ab503ad..26a0de371c26 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
- 	struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
- 	s32 status;
- 	struct brcmf_escan_result_le *escan_result_le;
-+	u32 escan_buflen;
- 	struct brcmf_bss_info_le *bss_info_le;
- 	struct brcmf_bss_info_le *bss = NULL;
- 	u32 bi_length;
-@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
- 
- 	if (status == BRCMF_E_STATUS_PARTIAL) {
- 		brcmf_dbg(SCAN, "ESCAN Partial result\n");
-+		if (e->datalen < sizeof(*escan_result_le)) {
-+			brcmf_err("invalid event data length\n");
-+			goto exit;
-+		}
- 		escan_result_le = (struct brcmf_escan_result_le *) data;
- 		if (!escan_result_le) {
- 			brcmf_err("Invalid escan result (NULL pointer)\n");
- 			goto exit;
- 		}
-+		escan_buflen = le32_to_cpu(escan_result_le->buflen);
-+		if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
-+		    escan_buflen > e->datalen ||
-+		    escan_buflen < sizeof(*escan_result_le)) {
-+			brcmf_err("Invalid escan buffer length: %d\n",
-+				  escan_buflen);
-+			goto exit;
-+		}
- 		if (le16_to_cpu(escan_result_le->bss_count) != 1) {
- 			brcmf_err("Invalid bss_count %d: ignoring\n",
- 				  escan_result_le->bss_count);
-@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
- 		}
- 
- 		bi_length = le32_to_cpu(bss_info_le->length);
--		if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
--					WL_ESCAN_RESULTS_FIXED_SIZE)) {
--			brcmf_err("Invalid bss_info length %d: ignoring\n",
-+		if (bi_length != escan_buflen -	WL_ESCAN_RESULTS_FIXED_SIZE) {
-+			brcmf_err("Ignoring invalid bss_info length: %d\n",
- 				  bi_length);
- 			goto exit;
- 		}
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
deleted file mode 100644
index b713b3f..0000000
--- a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 29 Sep 2017 13:43:15 -0400
-Subject: fix infoleak in waitid(2)
-Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
-
-kernel_waitid() can return a PID, an error or 0.  rusage is filled in the first
-case and waitid(2) rusage should've been copied out exactly in that case, *not*
-whenever kernel_waitid() has not returned an error.  Compat variant shares that
-braino; none of kernel_wait4() callers do, so the below ought to fix it.
-
-Reported-and-tested-by: Alexander Potapenko <glider at google.com>
-Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
-Cc: stable at vger.kernel.org # v4.13
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- kernel/exit.c | 23 ++++++++++-------------
- 1 file changed, 10 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 3481ababd06a..f2cd53e92147 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- 	struct waitid_info info = {.status = 0};
- 	long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
- 	int signo = 0;
-+
- 	if (err > 0) {
- 		signo = SIGCHLD;
- 		err = 0;
--	}
--
--	if (!err) {
- 		if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
- 			return -EFAULT;
- 	}
-@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- 	if (err > 0) {
- 		signo = SIGCHLD;
- 		err = 0;
--	}
--
--	if (!err && uru) {
--		/* kernel_waitid() overwrites everything in ru */
--		if (COMPAT_USE_64BIT_TIME)
--			err = copy_to_user(uru, &ru, sizeof(ru));
--		else
--			err = put_compat_rusage(&ru, uru);
--		if (err)
--			return -EFAULT;
-+		if (uru) {
-+			/* kernel_waitid() overwrites everything in ru */
-+			if (COMPAT_USE_64BIT_TIME)
-+				err = copy_to_user(uru, &ru, sizeof(ru));
-+			else
-+				err = put_compat_rusage(&ru, uru);
-+			if (err)
-+				return -EFAULT;
-+		}
- 	}
- 
- 	if (!infop)
--- 
-2.14.2
-
diff --git a/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch b/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
deleted file mode 100644
index 1a7fff9..0000000
--- a/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: Johannes Berg <johannes.berg at intel.com>
-Date: Wed, 6 Sep 2017 15:01:42 +0200
-Subject: mac80211: fix deadlock in driver-managed RX BA session start
-Origin: https://git.kernel.org/linus/bde59c475e0883e4c4294bcd9b9c7e08ae18c828
-Bug-Debian: https://bugs.debian.org/878092
-
-When an RX BA session is started by the driver, and it has to tell
-mac80211 about it, the corresponding bit in tid_rx_manage_offl gets
-set and the BA session work is scheduled. Upon testing this bit, it
-will call __ieee80211_start_rx_ba_session(), thus deadlocking as it
-already holds the ampdu_mlme.mtx, which that acquires again.
-
-Fix this by adding ___ieee80211_start_rx_ba_session(), a version of
-the function that requires the mutex already held.
-
-Cc: stable at vger.kernel.org
-Fixes: 699cb58c8a52 ("mac80211: manage RX BA session offload without SKB queue")
-Reported-by: Matteo Croce <mcroce at redhat.com>
-Signed-off-by: Johannes Berg <johannes.berg at intel.com>
----
- net/mac80211/agg-rx.c      | 32 +++++++++++++++++++++-----------
- net/mac80211/ht.c          |  6 +++---
- net/mac80211/ieee80211_i.h |  4 ++++
- 3 files changed, 28 insertions(+), 14 deletions(-)
-
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index 2b36eff5d97e..2849a1fc41c5 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
- 	ieee80211_tx_skb(sdata, skb);
- }
- 
--void __ieee80211_start_rx_ba_session(struct sta_info *sta,
--				     u8 dialog_token, u16 timeout,
--				     u16 start_seq_num, u16 ba_policy, u16 tid,
--				     u16 buf_size, bool tx, bool auto_seq)
-+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
-+				      u8 dialog_token, u16 timeout,
-+				      u16 start_seq_num, u16 ba_policy, u16 tid,
-+				      u16 buf_size, bool tx, bool auto_seq)
- {
- 	struct ieee80211_local *local = sta->sdata->local;
- 	struct tid_ampdu_rx *tid_agg_rx;
-@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- 		ht_dbg(sta->sdata,
- 		       "STA %pM requests BA session on unsupported tid %d\n",
- 		       sta->sta.addr, tid);
--		goto end_no_lock;
-+		goto end;
- 	}
- 
- 	if (!sta->sta.ht_cap.ht_supported) {
-@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- 		       "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
- 		       sta->sta.addr, tid);
- 		/* send a response anyway, it's an error case if we get here */
--		goto end_no_lock;
-+		goto end;
- 	}
- 
- 	if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
- 		ht_dbg(sta->sdata,
- 		       "Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
- 		       sta->sta.addr, tid);
--		goto end_no_lock;
-+		goto end;
- 	}
- 
- 	/* sanity check for incoming parameters:
-@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- 		ht_dbg_ratelimited(sta->sdata,
- 				   "AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
- 				   sta->sta.addr, tid, ba_policy, buf_size);
--		goto end_no_lock;
-+		goto end;
- 	}
- 	/* determine default buffer size */
- 	if (buf_size == 0)
-@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- 	       buf_size, sta->sta.addr);
- 
- 	/* examine state machine */
--	mutex_lock(&sta->ampdu_mlme.mtx);
-+	lockdep_assert_held(&sta->ampdu_mlme.mtx);
- 
- 	if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
- 		if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
-@@ -415,15 +415,25 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- 		__clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
- 		sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
- 	}
--	mutex_unlock(&sta->ampdu_mlme.mtx);
- 
--end_no_lock:
- 	if (tx)
- 		ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
- 					  dialog_token, status, 1, buf_size,
- 					  timeout);
- }
- 
-+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
-+				     u8 dialog_token, u16 timeout,
-+				     u16 start_seq_num, u16 ba_policy, u16 tid,
-+				     u16 buf_size, bool tx, bool auto_seq)
-+{
-+	mutex_lock(&sta->ampdu_mlme.mtx);
-+	___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
-+					 start_seq_num, ba_policy, tid,
-+					 buf_size, tx, auto_seq);
-+	mutex_unlock(&sta->ampdu_mlme.mtx);
-+}
-+
- void ieee80211_process_addba_request(struct ieee80211_local *local,
- 				     struct sta_info *sta,
- 				     struct ieee80211_mgmt *mgmt,
-diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
-index 4cba7fca10d4..d6d0b4201e40 100644
---- a/net/mac80211/ht.c
-+++ b/net/mac80211/ht.c
-@@ -351,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)
- 
- 		if (test_and_clear_bit(tid,
- 				       sta->ampdu_mlme.tid_rx_manage_offl))
--			__ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
--							IEEE80211_MAX_AMPDU_BUF,
--							false, true);
-+			___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
-+							 IEEE80211_MAX_AMPDU_BUF,
-+							 false, true);
- 
- 		if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
- 				       sta->ampdu_mlme.tid_rx_manage_offl))
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 2197c62a0a6e..9675814f64db 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- 				     u8 dialog_token, u16 timeout,
- 				     u16 start_seq_num, u16 ba_policy, u16 tid,
- 				     u16 buf_size, bool tx, bool auto_seq);
-+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
-+				      u8 dialog_token, u16 timeout,
-+				      u16 start_seq_num, u16 ba_policy, u16 tid,
-+				      u16 buf_size, bool tx, bool auto_seq);
- void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
- 					 enum ieee80211_agg_stop_reason reason);
- void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
--- 
-2.15.0.rc0
-
diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
deleted file mode 100644
index 6eab4bd..0000000
--- a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Tue, 12 Sep 2017 22:21:21 +0000
-Subject: nl80211: check for the required netlink attributes presence
-Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
-
-nl80211_set_rekey_data() does not check if the required attributes
-NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
-NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
-users with CAP_NET_ADMIN privilege and may result in NULL dereference
-and a system crash. Add a check for the required attributes presence.
-This patch is based on the patch by bo Zhang.
-
-This fixes CVE-2017-12153.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
-Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
-Cc: <stable at vger.kernel.org> # v3.1-rc1
-Reported-by: bo Zhang <zhangbo5891001 at gmail.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
----
- net/wireless/nl80211.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
- 	if (err)
- 		return err;
- 
-+	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
-+	    !tb[NL80211_REKEY_DATA_KCK])
-+		return -EINVAL;
- 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
- 		return -ERANGE;
- 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch b/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
deleted file mode 100644
index 24c1553..0000000
--- a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Cyril Bur <cyrilbur at gmail.com>
-Date: Thu, 17 Aug 2017 20:42:26 +1000
-Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
- checks
-Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255
-
-When using transactional memory (TM), the CPU can be in one of six
-states as far as TM is concerned, encoded in the Machine State
-Register (MSR). Certain state transitions are illegal and if attempted
-trigger a "TM Bad Thing" type program check exception.
-
-If we ever hit one of these exceptions it's treated as a bug, ie. we
-oops, and kill the process and/or panic, depending on configuration.
-
-One case where we can trigger a TM Bad Thing, is when returning to
-userspace after a system call or interrupt, using RFID. When this
-happens the CPU first restores the user register state, in particular
-r1 (the stack pointer) and then attempts to update the MSR. However
-the MSR update is not allowed and so we take the program check with
-the user register state, but the kernel MSR.
-
-This tricks the exception entry code into thinking we have a bad
-kernel stack pointer, because the MSR says we're coming from the
-kernel, but r1 is pointing to userspace.
-
-To avoid this we instead always switch to the emergency stack if we
-take a TM Bad Thing from the kernel. That way none of the user
-register values are used, other than for printing in the oops message.
-
-This is the fix for CVE-2017-1000255.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable at vger.kernel.org # v4.9+
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-[mpe: Rewrite change log & comments, tweak asm slightly]
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index 48da0f5d2f7f..b82586c53560 100644
---- a/arch/powerpc/kernel/exceptions-64s.S
-+++ b/arch/powerpc/kernel/exceptions-64s.S
-@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
- EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
- TRAMP_KVM(PACA_EXGEN, 0x700)
- EXC_COMMON_BEGIN(program_check_common)
--	EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
-+	/*
-+	 * It's possible to receive a TM Bad Thing type program check with
-+	 * userspace register values (in particular r1), but with SRR1 reporting
-+	 * that we came from the kernel. Normally that would confuse the bad
-+	 * stack logic, and we would report a bad kernel stack pointer. Instead
-+	 * we switch to the emergency stack if we're taking a TM Bad Thing from
-+	 * the kernel.
-+	 */
-+	li	r10,MSR_PR		/* Build a mask of MSR_PR ..	*/
-+	oris	r10,r10,0x200000 at h	/* .. and SRR1_PROGTM		*/
-+	and	r10,r10,r12		/* Mask SRR1 with that.		*/
-+	srdi	r10,r10,8		/* Shift it so we can compare	*/
-+	cmpldi	r10,(0x200000 >> 8)	/* .. with an immediate.	*/
-+	bne 1f				/* If != go to normal path.	*/
-+
-+	/* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack	*/
-+	andi.	r10,r12,MSR_PR;		/* Set CR0 correctly for label	*/
-+					/* 3 in EXCEPTION_PROLOG_COMMON	*/
-+	mr	r10,r1			/* Save r1			*/
-+	ld	r1,PACAEMERGSP(r13)	/* Use emergency stack		*/
-+	subi	r1,r1,INT_FRAME_SIZE	/* alloc stack frame		*/
-+	b 3f				/* Jump into the macro !!	*/
-+1:	EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
- 	bl	save_nvgprs
- 	RECONCILE_IRQ_STATE(r10, r11)
- 	addi	r3,r1,STACK_FRAME_OVERHEAD
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch b/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
deleted file mode 100644
index 083cbbe..0000000
--- a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Gustavo Romero <gromero at linux.vnet.ibm.com>
-Date: Tue, 22 Aug 2017 17:20:09 -0400
-Subject: powerpc/tm: Fix illegal TM state in signal handler
-Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea
-
-Currently it's possible that on returning from the signal handler
-through the restore_tm_sigcontexts() code path (e.g. from a signal
-caught due to a `trap` instruction executed in the middle of an HTM
-block, or a deliberately constructed sigframe) an illegal TM state
-(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
-implicitly the MSR register from SRR1 register on return to userspace
-it causes a TM Bad Thing exception.
-
-That illegal state can be set (a) by a malicious user that disables
-the TM bit by tweaking the bits in uc_mcontext before returning from
-the signal handler or (b) by a sufficient number of context switches
-occurring such that the load_tm counter overflows and TM is disabled
-whilst in the signal handler.
-
-This commit fixes the illegal TM state by ensuring that TM bit is
-always enabled before we return from restore_tm_sigcontexts(). A small
-comment correction is made as well.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable at vger.kernel.org # v4.9+
-Signed-off-by: Gustavo Romero <gromero at linux.vnet.ibm.com>
-Signed-off-by: Breno Leitao <leitao at debian.org>
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index c83c115858c1..b2c002993d78 100644
---- a/arch/powerpc/kernel/signal_64.c
-+++ b/arch/powerpc/kernel/signal_64.c
-@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
- 	if (MSR_TM_RESV(msr))
- 		return -EINVAL;
- 
--	/* pull in MSR TM from user context */
-+	/* pull in MSR TS bits from user context */
- 	regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
- 
-+	/*
-+	 * Ensure that TM is enabled in regs->msr before we leave the signal
-+	 * handler. It could be the case that (a) user disabled the TM bit
-+	 * through the manipulation of the MSR bits in uc_mcontext or (b) the
-+	 * TM bit was disabled because a sufficient number of context switches
-+	 * happened whilst in the signal handler and load_tm overflowed,
-+	 * disabling the TM bit. In either case we can end up with an illegal
-+	 * TM state leading to a TM Bad Thing when we return to userspace.
-+	 */
-+	regs->msr |= MSR_TM;
-+
- 	/* pull in MSR LE from user context */
- 	regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
- 
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
deleted file mode 100644
index 2b63f46..0000000
--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long <lucien.xin at gmail.com>
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[  651.618731] general protection fault: 0000 [#1] SMP KASAN
-[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[  651.627260] Call Trace:
-[  651.629156]  skb_release_all+0x4f/0x60
-[  651.629450]  consume_skb+0x1a5/0x600
-[  651.630705]  netlink_unicast+0x505/0x720
-[  651.632345]  netlink_sendmsg+0xab2/0xe70
-[  651.633704]  sock_sendmsg+0xcf/0x110
-[  651.633942]  ___sys_sendmsg+0x833/0x980
-[  651.637117]  __sys_sendmsg+0xf3/0x240
-[  651.638820]  SyS_sendmsg+0x32/0x50
-[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang <chunwang at redhat.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Chris Leech <cleech at redhat.com>
----
- drivers/scsi/scsi_transport_iscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
- 		uint32_t group;
- 
- 		nlh = nlmsg_hdr(skb);
--		if (nlh->nlmsg_len < sizeof(*nlh) ||
-+		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
- 		    skb->len < nlh->nlmsg_len) {
- 			break;
- 		}
diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
deleted file mode 100644
index 2d056c3..0000000
--- a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Mon, 4 Sep 2017 16:00:50 +0200
-Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
- userspace
-Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
-
-'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
-field unitialized, leaking data from the stack. Fix this ensuring all of
-'clk' is initialized to zero.
-
-References: https://github.com/torvalds/linux/pull/441
-Reported-by: sohu0106 <sohu0106 at 126.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
----
- drivers/video/fbdev/aty/atyfb_base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/video/fbdev/aty/atyfb_base.c
-+++ b/drivers/video/fbdev/aty/atyfb_base.c
-@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
- #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
- 	case ATYIO_CLKR:
- 		if (M64_HAS(INTEGRATED)) {
--			struct atyclk clk;
-+			struct atyclk clk = { 0 };
- 			union aty_pll *pll = &par->pll;
- 			u32 dsp_config = pll->ct.dsp_config;
- 			u32 dsp_on_off = pll->ct.dsp_on_off;
diff --git a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch b/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
deleted file mode 100644
index 4872b37..0000000
--- a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Mon, 9 Oct 2017 11:36:52 -0700
-Subject: waitid(): Add missing access_ok() checks
-Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
-
-Adds missing access_ok() checks.
-
-CVE-2017-5123
-
-Reported-by: Chris Salls <chrissalls5 at gmail.com>
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Acked-by: Al Viro <viro at zeniv.linux.org.uk>
-Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
-Cc: stable at kernel.org # 4.13
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- kernel/exit.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index f2cd53e92147..cf28528842bc 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- 	if (!infop)
- 		return err;
- 
-+	if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+		goto Efault;
-+
- 	user_access_begin();
- 	unsafe_put_user(signo, &infop->si_signo, Efault);
- 	unsafe_put_user(0, &infop->si_errno, Efault);
-@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- 	if (!infop)
- 		return err;
- 
-+	if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+		goto Efault;
-+
- 	user_access_begin();
- 	unsafe_put_user(signo, &infop->si_signo, Efault);
- 	unsafe_put_user(0, &infop->si_errno, Efault);
--- 
-2.15.0.rc0
-
diff --git a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch b/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
deleted file mode 100644
index 47cbead..0000000
--- a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 5 Oct 2017 11:10:23 +0200
-Subject: KVM: MMU: always terminate page walks at level 1
-Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-is_last_gpte() is not equivalent to the pseudo-code given in commit
-6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
-value of last_nonleaf_level may override the result even if level == 1.
-
-It is critical for is_last_gpte() to return true on level == 1 to
-terminate page walks. Otherwise memory corruption may occur as level
-is used as an index to various data structures throughout the page
-walking code.  Even though the actual bug would be wherever the MMU is
-initialized (as in the previous patch), be defensive and ensure here
-that is_last_gpte() returns the correct value.
-
-This patch is also enough to fix CVE-2017-12188.
-
-Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
-Cc: stable at vger.kernel.org
-Cc: Andy Honig <ahonig at google.com>
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-[Panic if walk_addr_generic gets an incorrect level; this is a serious
- bug and it's not worth a WARN_ON where the recovery path might hide
- further exploitable issues; suggested by Andrew Honig. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/mmu.c         | 14 +++++++-------
- arch/x86/kvm/paging_tmpl.h |  3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 3c25f20115bc..7a69cf053711 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
- 				unsigned level, unsigned gpte)
- {
- 	/*
--	 * PT_PAGE_TABLE_LEVEL always terminates.  The RHS has bit 7 set
--	 * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
--	 * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
--	 */
--	gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
--
--	/*
- 	 * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
- 	 * If it is clear, there are no large pages at this level, so clear
- 	 * PT_PAGE_SIZE_MASK in gpte if that is the case.
- 	 */
- 	gpte &= level - mmu->last_nonleaf_level;
- 
-+	/*
-+	 * PT_PAGE_TABLE_LEVEL always terminates.  The RHS has bit 7 set
-+	 * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-+	 * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-+	 */
-+	gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-+
- 	return gpte & PT_PAGE_SIZE_MASK;
- }
- 
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 86b68dc5a649..f18d1f8d332b 100644
---- a/arch/x86/kvm/paging_tmpl.h
-+++ b/arch/x86/kvm/paging_tmpl.h
-@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
- 		--walker->level;
- 
- 		index = PT_INDEX(addr, walker->level);
--
- 		table_gfn = gpte_to_gfn(pte);
- 		offset    = index * sizeof(pt_element_t);
- 		pte_gpa   = gfn_to_gpa(table_gfn) + offset;
-+
-+		BUG_ON(walker->level < 1);
- 		walker->table_gfn[walker->level - 1] = table_gfn;
- 		walker->pte_gpa[walker->level - 1] = pte_gpa;
- 
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
deleted file mode 100644
index eefff5b..0000000
--- a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Ladi Prosek <lprosek at redhat.com>
-Date: Thu, 5 Oct 2017 11:10:22 +0200
-Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
-Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-The function updates context->root_level but didn't call
-update_last_nonleaf_level so the previous and potentially wrong value
-was used for page walks.  For example, a zero value of last_nonleaf_level
-would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
-walk_addr_generic function (CVE-2017-12188).
-
-Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
-Signed-off-by: Ladi Prosek <lprosek at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/mmu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 106d4a029a8a..3c25f20115bc 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
- 
- 	update_permission_bitmask(vcpu, context, true);
- 	update_pkru_bitmask(vcpu, context, true);
-+	update_last_nonleaf_level(vcpu, context);
- 	reset_rsvds_bits_mask_ept(vcpu, context, execonly);
- 	reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
- }
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
deleted file mode 100644
index f82767d..0000000
--- a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Jim Mattson <jmattson at google.com>
-Date: Tue, 12 Sep 2017 13:02:54 -0700
-Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
-Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
-
-If L1 does not specify the "use TPR shadow" VM-execution control in
-vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
-exiting" VM-execution controls in vmcs02. Failure to do so will give
-the L2 VM unrestricted read/write access to the hardware CR8.
-
-This fixes CVE-2017-12154.
-
-Signed-off-by: Jim Mattson <jmattson at google.com>
-Reviewed-by: David Hildenbrand <david at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/vmx.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
- 	if (exec_control & CPU_BASED_TPR_SHADOW) {
- 		vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
- 		vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
-+	} else {
-+#ifdef CONFIG_X86_64
-+		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
-+				CPU_BASED_CR8_STORE_EXITING;
-+#endif
- 	}
- 
- 	/*
diff --git a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
deleted file mode 100644
index 91c990c..0000000
--- a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh at amazon.de>
-Date: Thu, 7 Sep 2017 19:02:30 +0100
-Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
-
-The value of the guest_irq argument to vmx_update_pi_irte() is
-ultimately coming from a KVM_IRQFD API call. Do not BUG() in
-vmx_update_pi_irte() if the value is out-of bounds. (Especially,
-since KVM as a whole seems to hang after that.)
-
-Instead, print a message only once if we find that we don't have a
-route for a certain IRQ (which can be out-of-bounds or within the
-array).
-
-This fixes CVE-2017-1000252.
-
-Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
-Signed-off-by: Jan H. Schönherr <jschoenh at amazon.de>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
- 	struct kvm_lapic_irq irq;
- 	struct kvm_vcpu *vcpu;
- 	struct vcpu_data vcpu_info;
--	int idx, ret = -EINVAL;
-+	int idx, ret = 0;
- 
- 	if (!kvm_arch_has_assigned_device(kvm) ||
- 		!irq_remapping_cap(IRQ_POSTING_CAP) ||
-@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm
- 
- 	idx = srcu_read_lock(&kvm->irq_srcu);
- 	irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
--	BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
-+	if (guest_irq >= irq_rt->nr_rt_entries ||
-+	    hlist_empty(&irq_rt->map[guest_irq])) {
-+		pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
-+			     guest_irq, irq_rt->nr_rt_entries);
-+		goto out;
-+	}
- 
- 	hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
- 		if (e->type != KVM_IRQ_ROUTING_MSI)
diff --git a/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch b/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch
new file mode 100644
index 0000000..5da901b
--- /dev/null
+++ b/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch
@@ -0,0 +1,141 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 22:16:38 +0200
+Subject: dax: Avoid ABI change in 4.13.5
+Forwarded: not-needed
+
+Commit c3ca015fab6d ("dax: remove the pmem_dax_ops->flush
+abstraction") removed dax_operations::flush and
+target_type::dax_flush, resulting in an ABI change.  Add these
+operations back but don't restore any of the calls to them.  To keep
+existing callers working during an incomplete kernel upgrade, change
+all the implementations to directly do arch_wb_cache_pmem(), just as
+dax_flush() does in the new kernel.
+
+Don't change dax_flush() back; it shouldn't have any out-of-tree
+callers.
+
+---
+--- a/drivers/md/dm-linear.c
++++ b/drivers/md/dm-linear.c
+@@ -184,6 +184,14 @@ static size_t linear_dax_copy_from_iter(
+ 	return dax_copy_from_iter(dax_dev, pgoff, addr, bytes, i);
+ }
+ 
++static void linear_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
++		size_t size)
++{
++#ifdef CONFIG_ARCH_HAS_PMEM_API
++	arch_wb_cache_pmem(addr, size);
++#endif
++}
++
+ static struct target_type linear_target = {
+ 	.name   = "linear",
+ 	.version = {1, 4, 0},
+@@ -198,6 +206,7 @@ static struct target_type linear_target
+ 	.iterate_devices = linear_iterate_devices,
+ 	.direct_access = linear_dax_direct_access,
+ 	.dax_copy_from_iter = linear_dax_copy_from_iter,
++	.dax_flush = linear_dax_flush,
+ };
+ 
+ int __init dm_linear_init(void)
+--- a/drivers/md/dm-stripe.c
++++ b/drivers/md/dm-stripe.c
+@@ -458,6 +458,14 @@ static void stripe_io_hints(struct dm_ta
+ 	blk_limits_io_opt(limits, chunk_size * sc->stripes);
+ }
+ 
++static void stripe_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr,
++		size_t size)
++{
++#ifdef CONFIG_ARCH_HAS_PMEM_API
++	arch_wb_cache_pmem(addr, size);
++#endif
++}
++
+ static struct target_type stripe_target = {
+ 	.name   = "striped",
+ 	.version = {1, 6, 0},
+@@ -472,6 +480,7 @@ static struct target_type stripe_target
+ 	.io_hints = stripe_io_hints,
+ 	.direct_access = stripe_dax_direct_access,
+ 	.dax_copy_from_iter = stripe_dax_copy_from_iter,
++	.dax_flush = stripe_dax_flush,
+ };
+ 
+ int __init dm_stripe_init(void)
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -993,6 +993,14 @@ static size_t dm_dax_copy_from_iter(stru
+ 	return ret;
+ }
+ 
++static void dm_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, void *addr,
++		size_t size)
++{
++#ifdef CONFIG_ARCH_HAS_PMEM_API
++	arch_wb_cache_pmem(addr, size);
++#endif
++}
++
+ /*
+  * A target may call dm_accept_partial_bio only from the map routine.  It is
+  * allowed for all bio types except REQ_PREFLUSH.
+@@ -2980,6 +2988,7 @@ static const struct block_device_operati
+ static const struct dax_operations dm_dax_ops = {
+ 	.direct_access = dm_dax_direct_access,
+ 	.copy_from_iter = dm_dax_copy_from_iter,
++	.flush = dm_dax_flush,
+ };
+ 
+ /*
+--- a/drivers/nvdimm/pmem.c
++++ b/drivers/nvdimm/pmem.c
+@@ -243,9 +243,16 @@ static size_t pmem_copy_from_iter(struct
+ 	return copy_from_iter_flushcache(addr, bytes, i);
+ }
+ 
++static void pmem_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff,
++		void *addr, size_t size)
++{
++	arch_wb_cache_pmem(addr, size);
++}
++
+ static const struct dax_operations pmem_dax_ops = {
+ 	.direct_access = pmem_dax_direct_access,
+ 	.copy_from_iter = pmem_copy_from_iter,
++	.flush = pmem_dax_flush,
+ };
+ 
+ static const struct attribute_group *pmem_attribute_groups[] = {
+--- a/include/linux/dax.h
++++ b/include/linux/dax.h
+@@ -19,6 +19,8 @@ struct dax_operations {
+ 	/* copy_from_iter: required operation for fs-dax direct-i/o */
+ 	size_t (*copy_from_iter)(struct dax_device *, pgoff_t, void *, size_t,
+ 			struct iov_iter *);
++	/* flush: should be unused */
++	void (*flush)(struct dax_device *, pgoff_t, void *, size_t);
+ };
+ 
+ extern struct attribute_group dax_attribute_group;
+--- a/include/linux/device-mapper.h
++++ b/include/linux/device-mapper.h
+@@ -134,6 +134,8 @@ typedef long (*dm_dax_direct_access_fn)
+ 		long nr_pages, void **kaddr, pfn_t *pfn);
+ typedef size_t (*dm_dax_copy_from_iter_fn)(struct dm_target *ti, pgoff_t pgoff,
+ 		void *addr, size_t bytes, struct iov_iter *i);
++typedef void (*dm_dax_flush_fn)(struct dm_target *ti, pgoff_t pgoff, void *addr,
++		size_t size);
+ #define PAGE_SECTORS (PAGE_SIZE / 512)
+ 
+ void dm_error(const char *message);
+@@ -184,6 +186,7 @@ struct target_type {
+ 	dm_io_hints_fn io_hints;
+ 	dm_dax_direct_access_fn direct_access;
+ 	dm_dax_copy_from_iter_fn dax_copy_from_iter;
++	dm_dax_flush_fn dax_flush;
+ 
+ 	/* For internal device-mapper use. */
+ 	struct list_head list;
diff --git a/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
new file mode 100644
index 0000000..03555be
--- /dev/null
+++ b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch
@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 22:38:57 +0200
+Subject: Revert "bpf: one perf event close won't free bpf program attached ..."
+Forwarded: not-needed
+
+This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was
+commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream.  It introduces
+an ABI break that's not easily avoidable.  The bug it fixes doesn't seem
+to have any security impact.
+
+---
+--- a/include/linux/trace_events.h
++++ b/include/linux/trace_events.h
+@@ -277,7 +277,6 @@ struct trace_event_call {
+ 	int				perf_refcount;
+ 	struct hlist_head __percpu	*perf_events;
+ 	struct bpf_prog			*prog;
+-	struct perf_event		*bpf_prog_owner;
+ 
+ 	int	(*perf_perm)(struct trace_event_call *,
+ 			     struct perf_event *);
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8126,7 +8126,6 @@ static int perf_event_set_bpf_prog(struc
+ 		}
+ 	}
+ 	event->tp_event->prog = prog;
+-	event->tp_event->bpf_prog_owner = event;
+ 
+ 	return 0;
+ }
+@@ -8141,7 +8140,7 @@ static void perf_event_free_bpf_prog(str
+ 		return;
+ 
+ 	prog = event->tp_event->prog;
+-	if (prog && event->tp_event->bpf_prog_owner == event) {
++	if (prog) {
+ 		event->tp_event->prog = NULL;
+ 		bpf_prog_put(prog);
+ 	}
diff --git a/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch b/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch
new file mode 100644
index 0000000..16ca95e
--- /dev/null
+++ b/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch
@@ -0,0 +1,22 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 26 Oct 2017 11:59:43 +0200
+Subject: SCSI: Avoid ABI change in 4.13.6
+Forwarded: not-needed
+
+Hide the new bitfield from genksyms, as it's using what used to be a
+padding bit.
+
+---
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -182,7 +182,10 @@ struct scsi_device {
+ 	unsigned no_dif:1;	/* T10 PI (DIF) should be disabled */
+ 	unsigned broken_fua:1;		/* Don't set FUA bit */
+ 	unsigned lun_in_cdb:1;		/* Store LUN bits in CDB[1] */
++#ifndef __GENKSYMS__
+ 	unsigned unmap_limit_for_ws:1;	/* Use the UNMAP limit for WRITE SAME */
++	/* 19 unused bits */
++#endif
+ 
+ 	atomic_t disk_events_disable_depth; /* disable depth for disk events */
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 408d183..1f9d81a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
-bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
 
 # Miscellaneous features
 
@@ -114,27 +113,11 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
-bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
-bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
-bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
-bugfix/all/fix-infoleak-in-waitid-2.patch
-bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
-bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
-bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
-bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
-bugfix/all/waitid-Add-missing-access_ok-checks.patch
-bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
-bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
-bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
 bugfix/all/module-disable-matching-missing-version-crc.patch
 
-# ABI maintenance
-
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch
 bugfix/all/kbuild-fix-recordmcount-dependency.patch
@@ -146,3 +129,8 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
 bugfix/all/cpupower-bump-soname-version.patch
 bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
 bugfix/all/tools-lib-lockdep-define-pr_cont.patch
+
+# ABI maintenance
+debian/scsi-avoid-abi-change-in-4.13.6.patch
+debian/dax-avoid-abi-change-in-4.13.5.patch
+debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

