[linux] 01/04: WIP: Update to 4.9.72

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Jan 5 16:01:38 UTC 2018


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch stretch
in repository linux.

commit b46fc41d0b5fbcf85dc9ecc7b50af844cb0961a1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Dec 28 02:25:35 2017 +0000

    WIP: Update to 4.9.72
---
 debian/changelog                                   | 638 +++++++++++++++++++++
 ...-adjust-insn_aux_data-when-patching-insns.patch |  93 ---
 .../bugfix/all/bpf-fix-branch-pruning-logic.patch  | 111 ----
 ...-incorrect-sign-extension-in-check_alu_op.patch |  50 --
 ...t-out-of-bounds-stack-pointer-calculation.patch |  53 --
 ...-require-that-the-underlying-hash-algorit.patch | 142 -----
 ...ypto-salsa20-fix-blkcipher_walk-API-usage.patch |  84 ---
 ...ssing-permission-check-for-request_key-de.patch | 157 -----
 ...xx-cards-fix-NULL-deref-on-missing-associ.patch |  39 --
 ...ot-make-page-table-dirty-unconditionally-.patch |  74 ---
 ...fnetlink_cthelper-add-missing-permission-.patch |  16 +-
 ...prevent-malicious-bnuminterfaces-overflow.patch |  44 --
 ...emove-i-o-port-0x80-bypass-on-intel-hosts.patch |  47 --
 debian/patches/debian/kernelvariables.patch        |   9 +-
 debian/patches/series                              |  11 -
 15 files changed, 651 insertions(+), 917 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 7b3f009..d151122 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,641 @@
+linux (4.9.72-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.66
+    - [s390x] fix transactional execution control register handling
+    - [s390x] runtime instrumention: fix possible memory corruption
+    - [s390x] disassembler: add missing end marker for e7 table
+    - [s390x] disassembler: increase show_code buffer size
+    - ACPI / EC: Fix regression related to triggering source of EC event
+      handling
+    - [x86] mm: fix use-after-free of vma during userfaultfd fault
+    - ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER
+    - vsock: use new wait API for vsock_stream_sendmsg()
+    - sched: Make resched_cpu() unconditional
+    - lib/mpi: call cond_resched() from mpi_powm() loop
+    - [x86] decoder: Add new TEST instruction pattern
+    - [arm64] Implement arch-specific pte_access_permitted()
+    - [armhf/armmp-lpae] 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE
+    - [armhf/armmp-lpae] 8721/1: mm: dump: check hardware RO bit for LPAE
+    - [arm64] PCI: Set Cavium ACS capability quirk flags to assert RR/CR/SV/UF
+    - dm bufio: fix integer overflow when limiting maximum cache size
+    - dm: allocate struct mapped_device with kvzalloc
+    - [mips*] pci: Remove KERN_WARN instance inside the mt7620 driver
+    - dm: fix race between dm_get_from_kobject() and __dm_destroy()
+    - [mips*] Fix odd fp register warnings with MIPS64r2
+    - [mips*] Fix an n32 core file generation regset support regression
+    - rt2x00usb: mark device removed when get ENOENT usb error
+    - autofs: don't fail mount for transient error
+    - nilfs2: fix race condition that causes file system corruption
+    - eCryptfs: use after free in ecryptfs_release_messaging()
+    - libceph: don't WARN() if user tries to add invalid key
+    - bcache: check ca->alloc_thread initialized before wake up it
+    - isofs: fix timestamps beyond 2027
+    - NFS: Fix typo in nomigration mount option
+    - nfs: Fix ugly referral attributes
+    - NFS: Avoid RCU usage in tracepoints
+    - nfsd: deal with revoked delegations appropriately
+    - rtlwifi: rtl8192ee: Fix memory leak when loading firmware
+    - rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
+    - ata: fixes kernel crash while tracing ata_eh_link_autopsy event
+    - ext4: fix interaction between i_size, fallocate, and delalloc after a
+      crash
+    - ALSA: pcm: update tstamp only if audio_tstamp changed
+    - ALSA: usb-audio: Add sanity checks to FE parser
+    - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
+    - ALSA: usb-audio: Add sanity checks in v2 clock parsers
+    - ALSA: timer: Remove kernel warning at compat ioctl error paths
+    - ALSA: hda: Fix too short HDMI/DP chmap reporting
+    - ALSA: hda/realtek - Fix ALC700 family no sound issue
+    - fix a page leak in vhost_scsi_iov_to_sgl() error recovery
+    - fs/9p: Compare qid.path in v9fs_test_inode
+    - iscsi-target: Fix non-immediate TMR reference leak
+    - target: Fix QUEUE_FULL + SCSI task attribute handling
+    - [armhf] mtd: nand: omap2: Fix subpage write
+    - mtd: nand: Fix writing mtdoops to nand flash.
+    - mtd: nand: mtk: fix infinite ECC decode IRQ issue
+    - p54: don't unregister leds when they are not initialized
+    - block: Fix a race between blk_cleanup_queue() and timeout handling
+    - [armhf,arm64] irqchip/gic-v3: Fix ppi-partitions lookup
+    - lockd: double unregister of inetaddr notifiers
+    - [x86] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
+    - [x86] KVM: SVM: obey guest PAT
+    - SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status
+    - [armhf] clk: ti: dra7-atl-clock: fix child-node lookups
+    - libnvdimm, pfn: make 'resource' attribute only readable by root
+    - libnvdimm, namespace: fix label initialization to use valid seq numbers
+    - libnvdimm, namespace: make 'resource' attribute only readable by root
+    - IB/srpt: Do not accept invalid initiator port names
+    - IB/srp: Avoid that a cable pull can trigger a kernel crash
+    - NFC: fix device-allocation error return
+    - fm10k,i40e,i40evf,igb,igbvf,ixgbe,ixgbevf: Use smp_rmb rather than
+      read_barrier_depends
+    - [powerpc*] signal: Properly handle return value from uprobe_deny_signal()
+    - media: Don't do DMA on stack for firmware upload in the AS102 driver
+    - media: rc: check for integer overflow
+    - media: v4l2-ctrl: Fix flags field on Control events
+    - sched/rt: Simplify the IPI based RT balancing logic
+    - fscrypt: lock mutex before checking for bounce page pool
+    - net/9p: Switch to wait_event_killable()
+    - PM / OPP: Add missing of_node_put(np)
+    - [x86] Revert "drm/i915: Do not rely on wm preservation for ILK watermarks"
+    - e1000e: Fix error path in link detection
+    - e1000e: Fix return value test
+    - e1000e: Separate signaling for link check/link up
+    - e1000e: Avoid receiver overrun interrupt bursts
+    - RDS: make message size limit compliant with spec
+    - RDS: RDMA: return appropriate error on rdma map failures
+    - RDS: RDMA: fix the ib_map_mr_sg_zbva() argument
+    - PCI: Apply _HPX settings only to relevant devices
+    - [armhf] clk: sunxi-ng: A31: Fix spdif clock register
+    - [armhf] clk: sunxi-ng: fix PLL_CPUX adjusting on A33
+    - fscrypt: use ENOKEY when file cannot be created w/o key
+    - fscrypt: use ENOTDIR when setting encryption policy on nondirectory
+    - net: Allow IP_MULTICAST_IF to set index to L3 slave
+    - net: 3com: typhoon: typhoon_init_one: fix incorrect return values
+    - rt2800: set minimum MPDU and PSDU lengths to sane values
+    - adm80211: return an error if adm8211_alloc_rings() fails
+    - mwifiex: sdio: fix use after free issue for save_adapter
+    - ath10k: fix incorrect txpower set by P2P_DEVICE interface
+    - ath10k: ignore configuring the incorrect board_id
+    - ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats()
+    - bnxt_en: Set default completion ring for async events.
+    - ath10k: set CTS protection VDEV param only if VDEV is up
+    - ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE
+    - drm: Apply range restriction after color adjustment when allocation
+    - [arm64] clk: qcom: ipq4019: Add all the frequencies for apss cpu
+    - mac80211: Remove invalid flag operations in mesh TSF synchronization
+    - mac80211: Suppress NEW_PEER_CANDIDATE event if no room
+    - adm80211: add checks for dma mapping errors
+    - iio: light: fix improper return value
+    - netfilter: nft_queue: use raw_smp_processor_id()
+    - netfilter: nf_tables: fix oob access
+    - [armel,armhf] crypto: marvell - Copy IVDIG before launching partial DMA
+      ahash requests
+    - btrfs: return the actual error value from from btrfs_uuid_tree_iterate
+    - [s390x] kbuild: enable modversions for symbols exported from asm
+    - cec: when canceling a message, don't overwrite old status info
+    - cec: CEC_MSG_GIVE_FEATURES should abort for CEC version < 2
+    - cec: update log_addr[] before finishing configuration
+    - nvmet: fix KATO offset in Set Features
+    - xen: xenbus driver must not accept invalid transaction ids
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.67
+    - [armhf] dts: LogicPD Torpedo: Fix camera pin mux
+    - [armhf] dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio
+    - mm/cma: fix alloc_contig_range ret code/potential leak
+    - mm, hugetlbfs: introduce ->split() to vm_operations_struct
+    - mm/madvise.c: fix madvise() infinite loop under special circumstances
+    - btrfs: clear space cache inode generation always
+    - nfsd: Fix stateid races between OPEN and CLOSE
+    - nfsd: Fix another OPEN stateid race
+    - nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat
+    - [armhf] mfd: twl4030-power: Fix pmic for boards that need vmmc1 on reboot
+    - [armhf] OMAP2+: Fix WL1283 Bluetooth Baud Rate
+    - [x86] KVM: pvclock: Handle first-time write to pvclock-page contains
+      random junk
+    - [x86] KVM: Exit to user-mode on #UD intercept when emulator requires
+    - [x86] KVM: inject exceptions produced by x86_decode_insn
+    - [x86] KVM: lapic: Split out x2apic ldr calculation
+    - [x86] KVM: lapic: Fixup LDR on load in x2apic
+    - mmc: core: Do not leave the block driver in a suspended state
+    - mmc: core: prepend 0x to OCR entry in sysfs
+    - eeprom: at24: fix reading from 24MAC402/24MAC602
+    - eeprom: at24: correctly set the size for at24mac402
+    - eeprom: at24: check at24_read/write arguments
+    - [x86,alpha] i2c: i801: Fix Failed to allocate irq -2147483648 error
+    - hwmon: (jc42) optionally try to disable the SMBUS timeout
+    - nvme-pci: add quirk for delay before CHK RDY for WDC SN200
+    - Revert "drm/radeon: dont switch vt on suspend"
+    - drm/amdgpu: potential uninitialized variable in amdgpu_vce_ring_parse_cs()
+    - drm/amdgpu: Potential uninitialized variable in
+      amdgpu_vm_update_directories()
+    - drm/radeon: fix atombios on big endian
+    - [armhf,arm64] drm/panel: simple: Add missing panel_simple_unprepare()
+      calls
+    - [arm64] drm/hisilicon: Ensure LDI regs are properly configured.
+    - drm/ttm: once more fix ttm_buffer_object_transfer
+    - drm/amd/pp: fix typecast error in powerplay.
+    - NFS: revalidate "." etc correctly on "open".
+    - [x86] drm/i915: Don't try indexed reads to alternate slave addresses
+    - [x86] drm/i915: Prevent zero length "index" write
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.68
+    - bcache: only permit to recovery read error when cache device is clean
+    - bcache: recover data from backing when data is clean
+    - Revert "crypto: caam - get rid of tasklet"
+    - mm, oom_reaper: gather each vma to prevent leaking TLB entry
+    - uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
+    - usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
+    - [s390x] runtime instrumentation: simplify task exit handling
+    - ima: fix hash algorithm initialization
+    - [s390x] pci: do not require AIS facility
+    - serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
+    - staging: rtl8188eu: avoid a null dereference on pmlmepriv
+    - [arm64] mmc: sdhci-msm: fix issue with power irq
+    - serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
+    - [x86] entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
+    - [x86] EDAC, sb_edac: Fix missing break in switch
+    - [armel,armhf] sysrq : fix Show Regs call trace on ARM
+    - usbip: tools: Install all headers needed for libusbip development
+    - [x86] kprobes: Disable preemption in ftrace-based jprobes
+    - iio: adc: ti-ads1015: add 10% to conversion wait time
+    - dax: Avoid page invalidation races and unnecessary radix tree traversals
+    - net/mlx4_en: Fix type mismatch for 32-bit systems
+    - l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket
+      lookups
+    - usb: gadget: f_fs: Fix ExtCompat descriptor validation
+    - libcxgb: fix error check for ip6_route_output()
+    - [armhf] OMAP2+: Fix WL1283 Bluetooth Baud Rate
+    - vti6: fix device register to report IFLA_INFO_KIND
+    - be2net: fix accesses to unicast list
+    - be2net: fix unicast list filling
+    - net/appletalk: Fix kernel memory disclosure
+    - libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount
+    - mm: fix remote numa hits statistics
+    - mac80211: calculate min channel width correctly
+    - nfs: Don't take a reference on fl->fl_file for LOCK operation
+    - [armhf,arm64] KVM: Fix occasional warning from the timer work function
+    - mac80211: prevent skb/txq mismatch
+    - NFSv4: Fix client recovery when server reboots multiple times
+    - [x86] perf/intel: Account interrupts for PEBS errors
+    - [powerpc*] mm: Fix memory hotplug BUG() on radix
+    - qla2xxx: Fix wrong IOCB type assumption
+    - drm/amdgpu: fix bug set incorrect value to vce register
+    - net: sctp: fix array overrun read on sctp_timer_tbl
+    - [x86] fpu: Set the xcomp_bv when we fake up a XSAVES area
+    - drm/amdgpu: fix unload driver issue for virtual display
+    - mac80211: don't try to sleep in rate_control_rate_init()
+    - RDMA/qedr: Return success when not changing QP state
+    - RDMA/qedr: Fix RDMA CM loopback
+    - tipc: fix nametbl_lock soft lockup at module exit
+    - tipc: fix cleanup at module unload
+    - [armhf] dmaengine: pl330: fix double lock
+    - tcp: correct memory barrier usage in tcp_check_space()
+    - nvmet: cancel fatal error and flush async work before free controller
+    - gtp: clear DF bit on GTP packet tx
+    - gtp: fix cross netns recv on gtp socket
+    - net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause
+    - [arm64] net: thunderx: avoid dereferencing xcv when NULL
+    - be2net: fix initial MAC setting
+    - [powerpc*] vfio/spapr: Fix missing mutex unlock when creating a window
+    - mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
+    - xen-netfront: Improve error handling during initialization
+    - cec: initiator should be the same as the destination for, poll
+    - xen-netback: vif counters from int/long to u64
+    - net: fec: fix multicast filtering hardware setup
+    - dma-buf/dma-fence: Extract __dma_fence_is_later()
+    - dma-buf/sw-sync: Fix the is-signaled test to handle u32 wraparound
+    - dma-buf/sw-sync: Prevent user overflow on timeline advance
+    - dma-buf/sw-sync: sync_pt is private and of fixed size
+    - dma-buf/sw-sync: Fix locking around sync_timeline lists
+    - dma-buf/sw-sync: Use an rbtree to sort fences in the timeline
+    - dma-buf/sw_sync: move timeline_fence_ops around
+    - dma-buf/sw_sync: clean up list before signaling the fence
+    - dma-fence: Clear fence->status during dma_fence_init()
+    - dma-fence: Wrap querying the fence->status
+    - dma-fence: Introduce drm_fence_set_error() helper
+    - dma-buf/sw_sync: force signal all unsignaled fences on dying timeline
+    - dma-buf/sync_file: hold reference to fence when creating sync_file
+    - usb: hub: Cycle HUB power when initialization fails
+    - usb: xhci: fix panic in xhci_free_virt_devices_depth_first
+    - USB: core: Add type-specific length check of BOS descriptors
+    - USB: Increase usbfs transfer limit
+    - USB: devio: Prevent integer overflow in proc_do_submiturb()
+    - USB: usbfs: Filter flags passed in from user space
+    - usb: host: fix incorrect updating of offset
+    - xen-netfront: avoid crashing on resume after a failure in
+      talk_to_netback()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.69
+    - can: kvaser_usb: free buf in error paths
+    - can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
+    - can: kvaser_usb: ratelimit errors if incomplete messages are received
+    - can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
+    - can: ems_usb: cancel urb on -EPIPE and -EPROTO
+    - can: esd_usb2: cancel urb on -EPIPE and -EPROTO
+    - can: usb_8dev: cancel urb on -EPIPE and -EPROTO
+    - virtio: release virtio index when fail to device_register
+    - [x86] hv: kvp: Avoid reading past allocated blocks from KVP file
+    - isa: Prevent NULL dereference in isa_bus driver callbacks
+    - scsi: dma-mapping: always provide dma_get_cache_alignment
+    - scsi: use dma_get_cache_alignment() as minimum DMA alignment
+    - scsi: libsas: align sata_device's rps_resp on a cacheline
+    - efi: Move some sysfs files to be read-only by root
+    - efi/esrt: Use memunmap() instead of kfree() to free the remapping
+    - ASN.1: fix out-of-bounds read when parsing indefinite length item
+    - ASN.1: check for error from ASN1_OP_END__ACT actions
+    - X.509: reject invalid BIT STRING for subjectPublicKey
+    - X.509: fix comparisons of ->pkey_algo
+    - [x86] PCI: Make broadcom_postcore_init() check acpi_disabled
+    - [x86] KVM: fix APIC page invalidation
+    - btrfs: fix missing error return in btrfs_drop_snapshot
+    - ALSA: pcm: prevent UAF in snd_pcm_info
+    - ALSA: seq: Remove spurious WARN_ON() at timer check
+    - ALSA: usb-audio: Fix out-of-bound error
+    - ALSA: usb-audio: Add check return value for usb_string()
+    - [x86] iommu/vt-d: Fix scatterlist offset handling
+    - smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
+    - [s390x] fix compat system call table
+    - [s390x] KVM: Fix skey emulation permission check
+    - [powerpc*] 64s: Initialize ISAv3 MMU registers before setting partition
+      table
+    - brcmfmac: change driver unbind order of the sdio function devices
+    - media: dvb: i2c transfers over usb cannot be done from stack
+    - [armhf,arm64] KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
+    - [armhf,arm64] KVM: Fix broken GICH_ELRSR big endian conversion
+    - [armhf,arm64] KVM: vgic-irqfd: Fix MSI entry allocation
+    - [armhf,arm64] KVM: vgic-its: Check result of allocation before use
+    - [arm64] fpsimd: Prevent registers leaking from dead tasks
+    - [armhf] bus: arm-cci: Fix use of smp_processor_id() in preemptible context
+    - usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
+    - [armel,armhf] BUG if jumping to usermode address in kernel mode
+    - [armel,armhf] avoid faulting on qemu
+    - thp: reduce indentation level in change_huge_pmd()
+    - thp: fix MADV_DONTNEED vs. numa balancing race
+    - mm: drop unused pmdp_huge_get_and_clear_notify()
+    - [armel,armhf] 8657/1: uaccess: consistently check object sizes
+    - vti6: Don't report path MTU below IPV6_MIN_MTU.
+    - [armhf] OMAP2+: gpmc-onenand: propagate error on initialization failure
+    - [x86] platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack
+      register
+    - sched/fair: Make select_idle_cpu() more aggressive
+    - [x86] hpet: Prevent might sleep splat on resume
+    - [powerpc*] 64: Invalidate process table caching after setting process
+      table
+    - lirc: fix dead lock between open and wakeup_filter
+    - module: set __jump_table alignment to 8
+    - [powerpc*] 64: Fix checksum folding in csum_add()
+    - [armhf] OMAP2+: Fix device node reference counts
+    - [armhf] OMAP2+: Release device node after it is no longer needed.
+    - usb: gadget: configs: plug memory leak
+    - USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
+    - [armhf,arm64] usb: dwc3: gadget: Fix system suspend/resume on TI platforms
+    - usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
+    - [x86] kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
+    - libata: drop WARN from protocol error in ata_sff_qc_issue()
+    - workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
+    - scsi: qla2xxx: Fix ql_dump_buffer
+    - scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
+    - [armhf] irqchip/crossbar: Fix incorrect type of register size
+    - [x86] KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
+    - [armhf,arm64] KVM: Survive unknown traps from guests
+    - [armhf,arm64] KVM: VGIC: Fix command handling while ITS being disabled
+    - bnx2x: prevent crash when accessing PTP with interface down
+    - bnx2x: fix possible overrun of VFPF multicast addresses array
+    - bnx2x: fix detection of VLAN filtering feature for VF
+    - bnx2x: do not rollback VF MAC/VLAN filters we did not configure
+    - rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
+    - [powerpc*] ibmvnic: Fix overflowing firmware/hardware TX queue
+    - [powerpc*] ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
+    - ipv6: reorder icmpv6_init() and ip6_mr_init()
+    - blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
+    - zram: set physical queue limits to avoid array out of bounds accesses
+    - netfilter: don't track fragmented packets
+    - [powerpc*] axonram: Fix gendisk handling
+    - drm/amd/amdgpu: fix console deadlock if late init failed
+    - [powerpc*] powernv/ioda2: Gracefully fail if too many TCE levels requested
+    - [x86] EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
+    - [x86] EDAC, i5000, i5400: Fix definition of NRECMEMB register
+    - kbuild: pkg: use --transform option to prefix paths in tar
+    - coccinelle: fix parallel build with CHECK=scripts/coccicheck
+    - mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
+    - gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
+    - route: also update fnhe_genid when updating a route cache
+    - route: update fnhe_expires for redirect when the fnhe exists
+    - NFS: Fix a typo in nfs_rename()
+    - sunrpc: Fix rpc_task_begin trace point
+    - xfs: fix forgotten rcu read unlock when skipping inode reclaim
+    - block: wake up all tasks blocked in get_request()
+    - zsmalloc: calling zs_map_object() from irq is a bug
+    - sctp: do not free asoc when it is already dead in sctp_sendmsg
+    - sctp: use the right sk after waking up from wait_buf sleep
+    - bpf: fix lockdep splat
+    - atm: horizon: Fix irq release error
+    - xfrm: Copy policy family in clone_policy
+    - IB/mlx4: Increase maximal message size under UD QP
+    - IB/mlx5: Assign send CQ and recv CQ of UMR QP
+    - afs: Connect up the CB.ProbeUuid
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.70
+    - [s390x] qeth: fix early exit from error path
+    - tipc: fix memory leak in tipc_accept_from_sock()
+    - rds: Fix NULL pointer dereference in __rds_rdma_map
+    - sit: update frag_off info
+    - packet: fix crash in fanout_demux_rollover()
+    - net/packet: fix a race in packet_bind() and packet_notifier()
+    - usbnet: fix alignment for frames with no ethernet header
+    - stmmac: reset last TSO segment size after device open
+    - tcp/dccp: block bh before arming time_wait timer
+    - [s390x] qeth: build max size GSO skbs on L2 devices
+    - [s390x] qeth: fix GSO throughput regression
+    - [s390x] qeth: fix thinko in IPv4 multicast address tracking
+    - tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv()
+    - Fix handling of verdicts after NF_QUEUE
+    - ipmi: Stop timers before cleaning up the module
+    - [s390x] always save and restore all registers on context switch
+    - usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
+    - fix kcm_clone()
+    - [armhf,arm64] KVM: vgic-its: Preserve the revious read from the pending
+      table
+    - [powerpc*] 64: Fix checksum folding in csum_tcpudp_nofold and
+      ip_fast_csum_nofold
+    - kbuild: do not call cc-option before KBUILD_CFLAGS initialization
+    - ipvlan: fix ipv6 outbound device
+    - audit: ensure that 'audit=1' actually enables audit for PID 1
+    - md: free unused memory after bitmap resize
+    - RDMA/cxgb4: Annotate r2 and stag as __be32
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.71
+    - mfd: fsl-imx25: Clean up irq settings during removal
+    - crypto: rsa - fix buffer overread when stripping leading zeroes
+    - autofs: fix careless error in recent commit
+    - tracing: Allocate mask_str buffer dynamically
+    - USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
+    - usbip: fix stub_rx: get_pipe() to validate endpoint number
+    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
+    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
+    - ceph: drop negative child dentries before try pruning inode's alias
+    - usb: xhci: fix TDS for MTK xHCI1.1
+    - xhci: Don't add a virt_dev to the devs array before it's fully allocated
+    - nfs: don't wait on commit in nfs_commit_inode() if there were no commit
+      requests
+    - sched/rt: Do not pull from current CPU if only one CPU to pull
+    - eeprom: at24: change nvmem stride to 1
+    - dmaengine: dmatest: move callback wait queue to thread context
+    - ext4: fix fdatasync(2) after fallocate(2) operation
+    - ext4: fix crash when a directory's i_size is too small
+    - mac80211: Fix addition of mesh configuration element
+    - [x86] KVM: nVMX: do not warn when MSR bitmap address is not backed
+    - md-cluster: free md_cluster_info if node leave cluster
+    - userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
+    - userfaultfd: selftest: vm: allow to build in vm/ directory
+    - net: initialize msg.msg_flags in recvfrom
+    - bnxt_en: Ignore 0 value in autoneg supported speed from firmware.
+    - net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
+    - net: bcmgenet: correct MIB access of UniMAC RUNT counters
+    - net: bcmgenet: reserved phy revisions must be checked first
+    - net: bcmgenet: power down internal phy if open or resume fails
+    - net: bcmgenet: synchronize irq0 status between the isr and task
+    - net: bcmgenet: Power up the internal PHY before probing the MII
+    - rxrpc: Wake up the transmitter if Rx window size increases on the peer
+    - net/mlx5: Fix create autogroup prev initializer
+    - net/mlx5: Don't save PCI state when PCI error is detected
+    - drm/amdgpu: fix parser init error path to avoid crash in parser fini
+    - NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
+    - NFSD: fix nfsd_reset_versions for NFSv4.
+    - [armhf] drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
+    - netfilter: bridge: honor frag_max_size when refragmenting
+    - blk-mq: Fix tagset reinit in the presence of cpu hot-unplug
+    - writeback: fix memory leak in wb_queue_work()
+    - net: wimax/i2400m: fix NULL-deref at probe
+    - dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
+    - irqchip/mvebu-odmi: Select GENERIC_MSI_IRQ_DOMAIN
+    - net: Resend IGMP memberships upon peer notification.
+    - qed: Align CIDs according to DORQ requirement
+    - qed: Fix mapping leak on LL2 rx flow
+    - qed: Fix interrupt flags on Rx LL2
+    - scsi: hpsa: update check for logical volume status
+    - scsi: hpsa: limit outstanding rescans
+    - scsi: hpsa: do not timeout reset operations
+    - fjes: Fix wrong netdevice feature flags
+    - drm/radeon/si: add dpm quirk for Oland
+    - [x86] Drivers: hv: util: move waiting for release to hv_utils_transport
+      itself
+    - iwlwifi: mvm: cleanup pending frames in DQA mode
+    - sched/deadline: Add missing update_rq_clock() in dl_task_timer()
+    - sched/deadline: Make sure the replenishment timer fires in the next period
+    - sched/deadline: Throttle a constrained deadline task activated after the
+      deadline
+    - sched/deadline: Use deadline instead of period when calculating overflow
+    - drm/radeon: reinstate oland workaround for sclk
+    - afs: Fix missing put_page()
+    - afs: Populate group ID from vnode status
+    - afs: Adjust mode bits processing
+    - afs: Deal with an empty callback array
+    - afs: Flush outstanding writes when an fd is closed
+    - afs: Migrate vlocation fields to 64-bit
+    - afs: Prevent callback expiry timer overflow
+    - afs: Fix the maths in afs_fs_store_data()
+    - afs: Invalid op ID should abort with RXGEN_OPCODE
+    - afs: Better abort and net error handling
+    - afs: Populate and use client modification time
+    - afs: Fix page leak in afs_write_begin()
+    - afs: Fix afs_kill_pages()
+    - afs: Fix abort on signal while waiting for call completion
+    - nvme-loop: fix a possible use-after-free when destroying the admin queue
+    - nvmet: confirm sq percpu has scheduled and switched to atomic
+    - nvmet-rdma: Fix a possible uninitialized variable dereference
+    - net/mlx4_core: Avoid delays during VF driver device shutdown
+    - net: mpls: Fix nexthop alive tracking on down events
+    - rxrpc: Ignore BUSY packets on old calls
+    - tty: don't panic on OOM in tty_set_ldisc()
+    - tty: fix data race in tty_ldisc_ref_wait()
+    - perf symbols: Fix symbols__fixup_end heuristic for corner cases
+    - efi/esrt: Cleanup bad memory map log messages
+    - NFSv4.1 respect server's max size in CREATE_SESSION
+    - btrfs: add missing memset while reading compressed inline extents
+    - target: Use system workqueue for ALUA transitions
+    - target: fix ALUA transition timeout handling
+    - target: fix race during implicit transition work flushes
+    - [x86] Revert "x86/acpi: Set persistent cpuid <-> nodeid mapping when
+      booting"
+    - HID: cp2112: fix broken gpio_direction_input callback
+    - sfc: don't warn on successful change of MAC
+    - video: udlfb: Fix read EDID timeout
+    - rtc: pcf8563: fix output clock rate
+    - [x86] ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case
+    - [armhf] dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
+    - PCI/PME: Handle invalid data when reading Root Status
+    - powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
+    - PCI: Do not allocate more buses than available in parent
+    - netfilter: ipvs: Fix inappropriate output of procfs
+    - [powerpc*] opal: Fix EBUSY bug in acquiring tokens
+    - [powerpc*] ipic: Fix status get and status clear
+    - [x86] platform: intel_punit_ipc: Fix resource ioremap warning
+    - target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
+    - iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
+    - target:fix condition return in core_pr_dump_initiator_port()
+    - target/file: Do not return error for UNMAP if length is zero
+    - badblocks: fix wrong return value in badblocks_set if badblocks are
+      disabled
+    - [x86] iommu/amd: Limit the IOVA page range to the specified addresses
+    - xfs: truncate pagecache before writeback in xfs_setattr_size()
+    - crypto: tcrypt - fix buffer lengths in test_aead_speed()
+    - mm: Handle 0 flags in _calc_vm_trans() macro
+    - [armhf] clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6
+      SoCs w/o VPU
+    - [arm64] clk: hi6220: mark clock cs_atb_syspll as critical
+    - [armhf,arm64] clk: tegra: Fix cclk_lp divisor register
+    - ppp: Destroy the mutex when cleanup
+    - thermal/drivers/step_wise: Fix temperature regulation misbehavior
+    - scsi: scsi_debug: write_same: fix error report
+    - GFS2: Take inode off order_write list when setting jdata flag
+    - bcache: explicitly destroy mutex while exiting
+    - bcache: fix wrong cache_misses statistics
+    - Ib/hfi1: Return actual operational VLs in port info query
+    - [x86] platform: hp_accel: Add quirk for HP ProBook 440 G4
+    - nvme: use kref_get_unless_zero in nvme_find_get_ns
+    - l2tp: cleanup l2tp_tunnel_delete calls
+    - xfs: fix log block underflow during recovery cycle verification
+    - xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
+    - RDMA/cxgb4: Declare stag as __be32
+    - PCI: Detach driver before procfs & sysfs teardown on device remove
+    - scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
+    - scsi: hpsa: destroy sas transport properties before scsi_host
+    - [powerpc*] perf/hv-24x7: Fix incorrect comparison in memord
+    - tty fix oops when rmmod 8250
+    - raid5: Set R5_Expanded on parity devices as well as data.
+    - scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
+    - IB/core: Fix calculation of maximum RoCE MTU
+    - vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
+    - rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_createbss_cmd
+    - rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_disassoc_cmd
+    - scsi: sd: change manage_start_stop to bool in sysfs interface
+    - scsi: sd: change allow_restart to bool in sysfs interface
+    - scsi: bfa: integer overflow in debugfs
+    - udf: Avoid overflow when session starts at large offset
+    - macvlan: Only deliver one copy of the frame to the macvlan interface
+    - RDMA/cma: Avoid triggering undefined behavior
+    - IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
+    - icmp: don't fail on fragment reassembly time exceeded
+    - ath9k: fix tx99 potential info leak
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.72
+    - cxl: Check if vphb exists before iterating over AFU devices
+    - [arm64] Initialise high_memory global variable earlier
+    - kvm: fix usage of uninit spinlock in avic_vm_destroy()
+    - [armhf] kprobes: Fix the return address of multiple kretprobes
+    - [armhf] kprobes: Align stack to 8-bytes in test code
+    - nvme-loop: handle cpu unplug when re-establishing the controller
+    - cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
+    - r8152: fix the list rx_done may be used without initialization
+    - crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
+    - vsock: track pkt owner vsock
+    - vhost-vsock: add pkt cancel capability
+    - vsock: cancel packets when failing to connect
+    - sch_dsmark: fix invalid skb_cow() usage
+    - bna: integer overflow bug in debugfs
+    - sctp: out_qlen should be updated when pruning unsent queue
+    - usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
+    - usb: gadget: udc: remove pointer dereference after free
+    - netfilter: nfnl_cthelper: fix runtime expectation policy updates
+    - netfilter: nfnl_cthelper: Fix memory leak
+    - [armhf] iommu/exynos: Workaround FLPD cache flush issues for SYSMMU v5
+    - r8152: fix the rx early size of RTL8153
+    - tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe
+    - inet: frag: release spinlock before calling icmp_send()
+    - scsi: lpfc: Fix PT2PT PRLI reject
+    - [x86] kvm: vmx: Flush TLB when the APIC-access address changes
+    - [x86] KVM: correct async page present tracepoint
+    - [x86] KVM: VMX: Fix enable VPID conditions
+    - [armhf] dts: ti: fix PCI bus dtc warnings
+    - [x86] hwmon: (asus_atk0110) fix uninitialized data access
+    - HID: xinmo: fix for out of range for THT 2P arcade controller.
+    - ASoC: STI: Fix reader substream pointer set
+    - r8152: prevent the driver from transmitting packets with carrier off
+    - [s390x] qeth: size calculation outbound buffers
+    - [s390x] qeth: no ETH header for outbound AF_IUCV
+    - bna: avoid writing uninitialized data into hw registers
+    - i40iw: Receive netdev events post INET_NOTIFIER state
+    - IB/core: Protect against self-requeue of a cq work item
+    - infiniband: Fix alignment of mmap cookies to support VIPT caching
+    - nbd: set queue timeout properly
+    - net: Do not allow negative values for busy_read and busy_poll sysctl
+      interfaces
+    - IB/rxe: double free on error
+    - IB/rxe: increment msn only when completing a request
+    - i40e: Do not enable NAPI on q_vectors that have no rings
+    - RDMA/iser: Fix possible mr leak on device removal event
+    - irda: vlsi_ir: fix check for DMA mapping errors
+    - netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
+    - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
+    - [armhf] dts: am335x-evmsk: adjust mmc2 param to allow suspend
+    - cpufreq: Fix creation of symbolic links to policy directories
+    - net: ipconfig: fix ic_close_devs() use-after-free
+    - [x86] KVM: pci-assign: do not map smm memory slot pages in vt-d page
+      tables
+    - virtio-balloon: use actual number of stats for stats queue buffers
+    - virtio_balloon: prevent uninitialized variable use
+    - isdn: kcapi: avoid uninitialized data
+    - xhci: plat: Register shutdown for xhci_plat
+    - netfilter: nfnetlink_queue: fix secctx memory leak
+    - Btrfs: fix an integer overflow check
+    - [armel,armhf] dma-mapping: disallow dma_get_sgtable() for non-kernel
+      managed memory
+    - [powerpc*] cpuidle: powernv: Pass correct drv->cpumask for registration
+    - bnxt_en: Fix NULL pointer dereference in reopen failure path
+    - [armhf,arm64] backlight: pwm_bl: Fix overflow condition
+    - [armhf,arm64] rtc: pl031: make interrupt optional
+    - kvm, mm: account kvm related kmem slabs to kmemcg
+    - net: phy: at803x: Change error to EINVAL for invalid MAC
+    - PCI: Avoid bus reset if bridge itself is broken
+    - scsi: cxgb4i: fix Tx skb leak
+    - scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1
+      volume created on two SATA drive
+    - PCI: Create SR-IOV virtfn/physfn links before attaching driver
+    - PM / OPP: Move error message to debug level
+    - igb: check memory allocation failure
+    - ixgbe: fix use of uninitialized padding
+    - IB/rxe: check for allocation failure on elem
+    - PCI/AER: Report non-fatal errors only to the affected endpoint
+    - tracing: Exclude 'generic fields' from histograms
+    - fm10k: fix mis-ordered parameters in declaration for .ndo_set_vf_bw
+    - scsi: lpfc: Fix secure firmware updates
+    - scsi: lpfc: PLOGI failures during NPIV testing
+    - vfio/pci: Virtualize Maximum Payload Size
+    - fm10k: ensure we process SM mbx when processing VF mbx
+    - net: ipv6: send NS for DAD when link operationally up
+    - [armhf] clk: sunxi-ng: sun6i: Rename HDMI DDC clock to avoid name
+      collision
+    - tcp: fix under-evaluated ssthresh in TCP Vegas
+    - rtc: set the alarm to the next expiring timer
+    - cpuidle: fix broadcast control when broadcast can not be entered
+    - [arm64] thermal: hisilicon: Handle return value of clk_prepare_enable
+    - [arm64] thermal/drivers/hisi: Fix missing interrupt enablement
+    - [arm64] thermal/drivers/hisi: Fix kernel panic on alarm interrupt
+    - [arm64] thermal/drivers/hisi: Simplify the temperature/step computation
+    - [arm64] thermal/drivers/hisi: Fix multiple alarm interrupts firing
+    - [mips*] math-emu: Fix final emulation phase for certain instructions
+    - [x86] platform: asus-wireless: send an EV_SYN/SYN_REPORT between state
+      changes
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Thu, 28 Dec 2017 02:16:23 +0000
+
 linux (4.9.65-3+deb9u1) stretch-security; urgency=high
 
   * dccp: CVE-2017-8824: use-after-free in DCCP code
diff --git a/debian/patches/bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch b/debian/patches/bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
deleted file mode 100644
index f262243..0000000
--- a/debian/patches/bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From: Alexei Starovoitov <ast at fb.com>
-Date: Wed, 15 Mar 2017 18:26:41 -0700
-Subject: bpf: adjust insn_aux_data when patching insns
-Origin: https://www.spinics.net/lists/stable/msg206987.html
-
-convert_ctx_accesses() replaces single bpf instruction with a set of
-instructions. Adjust corresponding insn_aux_data while patching.
-It's needed to make sure subsequent 'for(all insn)' loops
-have matching insn and insn_aux_data.
-
-Signed-off-by: Alexei Starovoitov <ast at kernel.org>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- kernel/bpf/verifier.c | 44 +++++++++++++++++++++++++++++++++++++++-----
- 1 file changed, 39 insertions(+), 5 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -3210,6 +3210,41 @@ static void convert_pseudo_ld_imm64(stru
- 			insn->src_reg = 0;
- }
- 
-+/* single env->prog->insni[off] instruction was replaced with the range
-+ * insni[off, off + cnt).  Adjust corresponding insn_aux_data by copying
-+ * [0, off) and [off, end) to new locations, so the patched range stays zero
-+ */
-+static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
-+				u32 off, u32 cnt)
-+{
-+	struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
-+
-+	if (cnt == 1)
-+		return 0;
-+	new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len);
-+	if (!new_data)
-+		return -ENOMEM;
-+	memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
-+	memcpy(new_data + off + cnt - 1, old_data + off,
-+	       sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
-+	env->insn_aux_data = new_data;
-+	vfree(old_data);
-+	return 0;
-+}
-+
-+static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off,
-+					    const struct bpf_insn *patch, u32 len)
-+{
-+	struct bpf_prog *new_prog;
-+
-+	new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
-+	if (!new_prog)
-+		return NULL;
-+	if (adjust_insn_aux_data(env, new_prog->len, off, len))
-+		return NULL;
-+	return new_prog;
-+}
-+
- /* convert load instructions that access fields of 'struct __sk_buff'
-  * into sequence of instructions that access fields of 'struct sk_buff'
-  */
-@@ -3229,10 +3264,10 @@ static int convert_ctx_accesses(struct b
- 			verbose("bpf verifier is misconfigured\n");
- 			return -EINVAL;
- 		} else if (cnt) {
--			new_prog = bpf_patch_insn_single(env->prog, 0,
--							 insn_buf, cnt);
-+			new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
- 			if (!new_prog)
- 				return -ENOMEM;
-+
- 			env->prog = new_prog;
- 			delta += cnt - 1;
- 		}
-@@ -3253,7 +3288,7 @@ static int convert_ctx_accesses(struct b
- 		else
- 			continue;
- 
--		if (env->insn_aux_data[i].ptr_type != PTR_TO_CTX)
-+		if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
- 			continue;
- 
- 		cnt = ops->convert_ctx_access(type, insn->dst_reg, insn->src_reg,
-@@ -3263,8 +3298,7 @@ static int convert_ctx_accesses(struct b
- 			return -EINVAL;
- 		}
- 
--		new_prog = bpf_patch_insn_single(env->prog, i + delta, insn_buf,
--						 cnt);
-+		new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
- 		if (!new_prog)
- 			return -ENOMEM;
- 
diff --git a/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch b/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch
deleted file mode 100644
index 0eb2164..0000000
--- a/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: Alexei Starovoitov <ast at fb.com>
-Date: Wed, 22 Nov 2017 16:42:05 -0800
-Subject: bpf: fix branch pruning logic
-Origin: https://www.spinics.net/lists/stable/msg206984.html
-
-when the verifier detects that register contains a runtime constant
-and it's compared with another constant it will prune exploration
-of the branch that is guaranteed not to be taken at runtime.
-This is all correct, but malicious program may be constructed
-in such a way that it always has a constant comparison and
-the other branch is never taken under any conditions.
-In this case such path through the program will not be explored
-by the verifier. It won't be taken at run-time either, but since
-all instructions are JITed the malicious program may cause JITs
-to complain about using reserved fields, etc.
-To fix the issue we have to track the instructions explored by
-the verifier and sanitize instructions that are dead at run time
-with NOPs. We cannot reject such dead code, since llvm generates
-it for valid C code, since it doesn't do as much data flow
-analysis as the verifier does.
-
-Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
-Signed-off-by: Alexei Starovoitov <ast at kernel.org>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
-Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
----
- include/linux/bpf_verifier.h |  1 +
- kernel/bpf/verifier.c        | 27 +++++++++++++++++++++++++++
- 2 files changed, 28 insertions(+)
-
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -68,6 +68,7 @@ struct bpf_verifier_state_list {
- 
- struct bpf_insn_aux_data {
- 	enum bpf_reg_type ptr_type;	/* pointer type for load/store insns */
-+	bool seen; /* this insn was processed by the verifier */
- };
- 
- #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2862,6 +2862,7 @@ static int do_check(struct bpf_verifier_
- 		if (err)
- 			return err;
- 
-+		env->insn_aux_data[insn_idx].seen = true;
- 		if (class == BPF_ALU || class == BPF_ALU64) {
- 			err = check_alu_op(env, insn);
- 			if (err)
-@@ -3059,6 +3060,7 @@ process_bpf_exit:
- 					return err;
- 
- 				insn_idx++;
-+				env->insn_aux_data[insn_idx].seen = true;
- 			} else {
- 				verbose("invalid BPF_LD mode\n");
- 				return -EINVAL;
-@@ -3218,6 +3220,7 @@ static int adjust_insn_aux_data(struct b
- 				u32 off, u32 cnt)
- {
- 	struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
-+	int i;
- 
- 	if (cnt == 1)
- 		return 0;
-@@ -3227,6 +3230,8 @@ static int adjust_insn_aux_data(struct b
- 	memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
- 	memcpy(new_data + off + cnt - 1, old_data + off,
- 	       sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
-+	for (i = off; i < off + cnt - 1; i++)
-+		new_data[i].seen = true;
- 	env->insn_aux_data = new_data;
- 	vfree(old_data);
- 	return 0;
-@@ -3245,6 +3250,25 @@ static struct bpf_prog *bpf_patch_insn_d
- 	return new_prog;
- }
- 
-+/* The verifier does more data flow analysis than llvm and will not explore
-+ * branches that are dead at run time. Malicious programs can have dead code
-+ * too. Therefore replace all dead at-run-time code with nops.
-+ */
-+static void sanitize_dead_code(struct bpf_verifier_env *env)
-+{
-+	struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
-+	struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
-+	struct bpf_insn *insn = env->prog->insnsi;
-+	const int insn_cnt = env->prog->len;
-+	int i;
-+
-+	for (i = 0; i < insn_cnt; i++) {
-+		if (aux_data[i].seen)
-+			continue;
-+		memcpy(insn + i, &nop, sizeof(nop));
-+	}
-+}
-+
- /* convert load instructions that access fields of 'struct __sk_buff'
-  * into sequence of instructions that access fields of 'struct sk_buff'
-  */
-@@ -3407,6 +3431,9 @@ skip_full_check:
- 	free_states(env);
- 
- 	if (ret == 0)
-+		sanitize_dead_code(env);
-+
-+	if (ret == 0)
- 		/* program is valid, convert *(u32*)(ctx + off) accesses */
- 		ret = convert_ctx_accesses(env);
- 
diff --git a/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch b/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
deleted file mode 100644
index 096543c..0000000
--- a/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Daniel Borkmann <daniel at iogearbox.net>
-Date: Thu, 21 Dec 2017 22:42:49 +0100
-Subject: bpf: fix incorrect sign extension in check_alu_op()
-Origin: https://www.spinics.net/lists/stable/msg206986.html
-
-Distinguish between
-BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
-and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
-only perform sign extension in the first case.
-
-Starting with v4.14, this is exploitable by unprivileged users as long as
-the unprivileged_bpf_disabled sysctl isn't set.
-
-Debian assigned CVE-2017-16995 for this issue.
-
-v3:
- - add CVE number (Ben Hutchings)
-
-Fixes: 484611357c19 ("bpf: allow access into map value arrays")
-Signed-off-by: Jann Horn <jannh at google.com>
-Acked-by: Edward Cree <ecree at solarflare.com>
-Signed-off-by: Alexei Starovoitov <ast at kernel.org>
-Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
----
- kernel/bpf/verifier.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1790,10 +1790,17 @@ static int check_alu_op(struct bpf_verif
- 			/* case: R = imm
- 			 * remember the value we stored into this reg
- 			 */
-+			u64 imm;
-+
-+			if (BPF_CLASS(insn->code) == BPF_ALU64)
-+				imm = insn->imm;
-+			else
-+				imm = (u32)insn->imm;
-+
- 			regs[insn->dst_reg].type = CONST_IMM;
--			regs[insn->dst_reg].imm = insn->imm;
--			regs[insn->dst_reg].max_value = insn->imm;
--			regs[insn->dst_reg].min_value = insn->imm;
-+			regs[insn->dst_reg].imm = imm;
-+			regs[insn->dst_reg].max_value = imm;
-+			regs[insn->dst_reg].min_value = imm;
- 		}
- 
- 	} else if (opcode > BPF_END) {
diff --git a/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch b/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
deleted file mode 100644
index 69195de..0000000
--- a/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Jann Horn <jannh at google.com>
-Date: Mon, 18 Dec 2017 20:34:03 +0100
-Subject: bpf: reject out-of-bounds stack pointer calculation
-Origin: https://www.spinics.net/lists/stable/msg206985.html
-
-Reject programs that compute wildly out-of-bounds stack pointers.
-Otherwise, pointers can be computed with an offset that doesn't fit into an
-`int`, causing security issues in the stack memory access check (as well as
-signed integer overflow during offset addition).
-
-This is a fix specifically for the v4.9 stable tree because the mainline
-code looks very different at this point.
-
-Fixes: 7bca0a9702edf ("bpf: enhance verifier to understand stack pointer arithmetic")
-Signed-off-by: Jann Horn <jannh at google.com>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
----
- kernel/bpf/verifier.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1861,10 +1861,28 @@ static int check_alu_op(struct bpf_verif
- 			   ((BPF_SRC(insn->code) == BPF_X &&
- 			     regs[insn->src_reg].type == CONST_IMM) ||
- 			    BPF_SRC(insn->code) == BPF_K)) {
--			if (BPF_SRC(insn->code) == BPF_X)
-+			if (BPF_SRC(insn->code) == BPF_X) {
-+				/* check in case the register contains a big
-+				 * 64-bit value
-+				 */
-+				if (regs[insn->src_reg].imm < -MAX_BPF_STACK ||
-+				    regs[insn->src_reg].imm > MAX_BPF_STACK) {
-+					verbose("R%d value too big in R%d pointer arithmetic\n",
-+						insn->src_reg, insn->dst_reg);
-+					return -EACCES;
-+				}
- 				dst_reg->imm += regs[insn->src_reg].imm;
--			else
-+			} else {
-+				/* safe against overflow: addition of 32-bit
-+				 * numbers in 64-bit representation
-+				 */
- 				dst_reg->imm += insn->imm;
-+			}
-+			if (dst_reg->imm > 0 || dst_reg->imm < -MAX_BPF_STACK) {
-+				verbose("R%d out-of-bounds pointer arithmetic\n",
-+					insn->dst_reg);
-+				return -EACCES;
-+			}
- 			return 0;
- 		} else if (opcode == BPF_ADD &&
- 			   BPF_CLASS(insn->code) == BPF_ALU64 &&
diff --git a/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch b/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
deleted file mode 100644
index 88ccf2d..0000000
--- a/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Tue, 28 Nov 2017 18:01:38 -0800
-Subject: crypto: hmac - require that the underlying hash algorithm is unkeyed
-Origin: https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17806
-
-Because the HMAC template didn't check that its underlying hash
-algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
-through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
-being used without having been keyed, resulting in sha3_update() being
-called without sha3_init(), causing a stack buffer overflow.
-
-This is a very old bug, but it seems to have only started causing real
-problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
-because the innermost hash's state is ->import()ed from a zeroed buffer,
-and it just so happens that other hash algorithms are fine with that,
-but SHA-3 is not.  However, there could be arch or hardware-dependent
-hash algorithms also affected; I couldn't test everything.
-
-Fix the bug by introducing a function crypto_shash_alg_has_setkey()
-which tests whether a shash algorithm is keyed.  Then update the HMAC
-template to require that its underlying hash algorithm is unkeyed.
-
-Here is a reproducer:
-
-    #include <linux/if_alg.h>
-    #include <sys/socket.h>
-
-    int main()
-    {
-        int algfd;
-        struct sockaddr_alg addr = {
-            .salg_type = "hash",
-            .salg_name = "hmac(hmac(sha3-512-generic))",
-        };
-        char key[4096] = { 0 };
-
-        algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
-        bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
-        setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
-    }
-
-Here was the KASAN report from syzbot:
-
-    BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341  [inline]
-    BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0  crypto/sha3_generic.c:161
-    Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
-
-    CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
-    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  Google 01/01/2011
-    Call Trace:
-      __dump_stack lib/dump_stack.c:17 [inline]
-      dump_stack+0x194/0x257 lib/dump_stack.c:53
-      print_address_description+0x73/0x250 mm/kasan/report.c:252
-      kasan_report_error mm/kasan/report.c:351 [inline]
-      kasan_report+0x25b/0x340 mm/kasan/report.c:409
-      check_memory_region_inline mm/kasan/kasan.c:260 [inline]
-      check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
-      memcpy+0x37/0x50 mm/kasan/kasan.c:303
-      memcpy include/linux/string.h:341 [inline]
-      sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
-      crypto_shash_update+0xcb/0x220 crypto/shash.c:109
-      shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
-      crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
-      hmac_finup+0x182/0x330 crypto/hmac.c:152
-      crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
-      shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
-      crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
-      hmac_setkey+0x36a/0x690 crypto/hmac.c:66
-      crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
-      shash_async_setkey+0x47/0x60 crypto/shash.c:207
-      crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
-      hash_setkey+0x40/0x90 crypto/algif_hash.c:446
-      alg_setkey crypto/af_alg.c:221 [inline]
-      alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
-      SYSC_setsockopt net/socket.c:1851 [inline]
-      SyS_setsockopt+0x189/0x360 net/socket.c:1830
-      entry_SYSCALL_64_fastpath+0x1f/0x96
-
-Reported-by: syzbot <syzkaller at googlegroups.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/hmac.c                  | 6 +++++-
- crypto/shash.c                 | 5 +++--
- include/crypto/internal/hash.h | 8 ++++++++
- 3 files changed, 16 insertions(+), 3 deletions(-)
-
---- a/crypto/hmac.c
-+++ b/crypto/hmac.c
-@@ -194,11 +194,15 @@ static int hmac_create(struct crypto_tem
- 	salg = shash_attr_alg(tb[1], 0, 0);
- 	if (IS_ERR(salg))
- 		return PTR_ERR(salg);
-+	alg = &salg->base;
- 
-+	/* The underlying hash algorithm must be unkeyed */
- 	err = -EINVAL;
-+	if (crypto_shash_alg_has_setkey(salg))
-+		goto out_put_alg;
-+
- 	ds = salg->digestsize;
- 	ss = salg->statesize;
--	alg = &salg->base;
- 	if (ds > alg->cra_blocksize ||
- 	    ss < alg->cra_blocksize)
- 		goto out_put_alg;
---- a/crypto/shash.c
-+++ b/crypto/shash.c
-@@ -24,11 +24,12 @@
- 
- static const struct crypto_type crypto_shash_type;
- 
--static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
--			   unsigned int keylen)
-+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-+		    unsigned int keylen)
- {
- 	return -ENOSYS;
- }
-+EXPORT_SYMBOL_GPL(shash_no_setkey);
- 
- static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
- 				  unsigned int keylen)
---- a/include/crypto/internal/hash.h
-+++ b/include/crypto/internal/hash.h
-@@ -80,6 +80,14 @@ int ahash_register_instance(struct crypt
- 			    struct ahash_instance *inst);
- void ahash_free_instance(struct crypto_instance *inst);
- 
-+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-+		    unsigned int keylen);
-+
-+static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
-+{
-+	return alg->setkey != shash_no_setkey;
-+}
-+
- int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
- 			    struct hash_alg_common *alg,
- 			    struct crypto_instance *inst);
diff --git a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
deleted file mode 100644
index 47888d0..0000000
--- a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Tue, 28 Nov 2017 20:56:59 -0800
-Subject: crypto: salsa20 - fix blkcipher_walk API usage
-Origin: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17805
-
-When asked to encrypt or decrypt 0 bytes, both the generic and x86
-implementations of Salsa20 crash in blkcipher_walk_done(), either when
-doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
-because walk->buffer and walk->page have not been initialized.
-
-The bug is that Salsa20 is calling blkcipher_walk_done() even when
-nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
-be called when a nonzero number of bytes have been provided.
-
-The broken code is part of an optimization that tries to make only one
-call to salsa20_encrypt_bytes() to process inputs that are not evenly
-divisible by 64 bytes.  To fix the bug, just remove this "optimization"
-and use the blkcipher_walk API the same way all the other users do.
-
-Reproducer:
-
-    #include <linux/if_alg.h>
-    #include <sys/socket.h>
-    #include <unistd.h>
-
-    int main()
-    {
-            int algfd, reqfd;
-            struct sockaddr_alg addr = {
-                    .salg_type = "skcipher",
-                    .salg_name = "salsa20",
-            };
-            char key[16] = { 0 };
-
-            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
-            bind(algfd, (void *)&addr, sizeof(addr));
-            reqfd = accept(algfd, 0, 0);
-            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
-            read(reqfd, key, sizeof(key));
-    }
-
-Reported-by: syzbot <syzkaller at googlegroups.com>
-Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
-Cc: <stable at vger.kernel.org> # v2.6.25+
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- arch/x86/crypto/salsa20_glue.c | 7 -------
- crypto/salsa20_generic.c       | 7 -------
- 2 files changed, 14 deletions(-)
-
---- a/arch/x86/crypto/salsa20_glue.c
-+++ b/arch/x86/crypto/salsa20_glue.c
-@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc
- 
- 	salsa20_ivsetup(ctx, walk.iv);
- 
--	if (likely(walk.nbytes == nbytes))
--	{
--		salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
--				      walk.dst.virt.addr, nbytes);
--		return blkcipher_walk_done(desc, &walk, 0);
--	}
--
- 	while (walk.nbytes >= 64) {
- 		salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
- 				      walk.dst.virt.addr,
---- a/crypto/salsa20_generic.c
-+++ b/crypto/salsa20_generic.c
-@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc
- 
- 	salsa20_ivsetup(ctx, walk.iv);
- 
--	if (likely(walk.nbytes == nbytes))
--	{
--		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
--				      walk.src.virt.addr, nbytes);
--		return blkcipher_walk_done(desc, &walk, 0);
--	}
--
- 	while (walk.nbytes >= 64) {
- 		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
- 				      walk.src.virt.addr,
diff --git a/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch b/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
deleted file mode 100644
index 0b7698e..0000000
--- a/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Fri, 8 Dec 2017 15:13:27 +0000
-Subject: KEYS: add missing permission check for request_key() destination
-Origin: https://git.kernel.org/linus/4dca6ea1d9432052afb06baf2e3ae78188a4410b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17807
-
-When the request_key() syscall is not passed a destination keyring, it
-links the requested key (if constructed) into the "default" request-key
-keyring.  This should require Write permission to the keyring.  However,
-there is actually no permission check.
-
-This can be abused to add keys to any keyring to which only Search
-permission is granted.  This is because Search permission allows joining
-the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
-then will set the default request-key keyring to the session keyring.
-Then, request_key() can be used to add keys to the keyring.
-
-Both negatively and positively instantiated keys can be added using this
-method.  Adding negative keys is trivial.  Adding a positive key is a
-bit trickier.  It requires that either /sbin/request-key positively
-instantiates the key, or that another thread adds the key to the process
-keyring at just the right time, such that request_key() misses it
-initially but then finds it in construct_alloc_key().
-
-Fix this bug by checking for Write permission to the keyring in
-construct_get_dest_keyring() when the default keyring is being used.
-
-We don't do the permission check for non-default keyrings because that
-was already done by the earlier call to lookup_user_key().  Also,
-request_key_and_link() is currently passed a 'struct key *' rather than
-a key_ref_t, so the "possessed" bit is unavailable.
-
-We also don't do the permission check for the "requestor keyring", to
-continue to support the use case described by commit 8bbf4976b59f
-("KEYS: Alter use of key instantiation link-to-keyring argument") where
-/sbin/request-key recursively calls request_key() to add keys to the
-original requestor's destination keyring.  (I don't know of any users
-who actually do that, though...)
-
-Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- security/keys/request_key.c | 46 ++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 37 insertions(+), 9 deletions(-)
-
-diff --git a/security/keys/request_key.c b/security/keys/request_key.c
-index 5030fcf23681..cb7f8f730c6d 100644
---- a/security/keys/request_key.c
-+++ b/security/keys/request_key.c
-@@ -250,11 +250,12 @@ static int construct_key(struct key *key, const void *callout_info,
-  * The keyring selected is returned with an extra reference upon it which the
-  * caller must release.
-  */
--static void construct_get_dest_keyring(struct key **_dest_keyring)
-+static int construct_get_dest_keyring(struct key **_dest_keyring)
- {
- 	struct request_key_auth *rka;
- 	const struct cred *cred = current_cred();
- 	struct key *dest_keyring = *_dest_keyring, *authkey;
-+	int ret;
- 
- 	kenter("%p", dest_keyring);
- 
-@@ -263,6 +264,8 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
- 		/* the caller supplied one */
- 		key_get(dest_keyring);
- 	} else {
-+		bool do_perm_check = true;
-+
- 		/* use a default keyring; falling through the cases until we
- 		 * find one that we actually have */
- 		switch (cred->jit_keyring) {
-@@ -277,8 +280,10 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
- 					dest_keyring =
- 						key_get(rka->dest_keyring);
- 				up_read(&authkey->sem);
--				if (dest_keyring)
-+				if (dest_keyring) {
-+					do_perm_check = false;
- 					break;
-+				}
- 			}
- 
- 		case KEY_REQKEY_DEFL_THREAD_KEYRING:
-@@ -313,11 +318,29 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
- 		default:
- 			BUG();
- 		}
-+
-+		/*
-+		 * Require Write permission on the keyring.  This is essential
-+		 * because the default keyring may be the session keyring, and
-+		 * joining a keyring only requires Search permission.
-+		 *
-+		 * However, this check is skipped for the "requestor keyring" so
-+		 * that /sbin/request-key can itself use request_key() to add
-+		 * keys to the original requestor's destination keyring.
-+		 */
-+		if (dest_keyring && do_perm_check) {
-+			ret = key_permission(make_key_ref(dest_keyring, 1),
-+					     KEY_NEED_WRITE);
-+			if (ret) {
-+				key_put(dest_keyring);
-+				return ret;
-+			}
-+		}
- 	}
- 
- 	*_dest_keyring = dest_keyring;
- 	kleave(" [dk %d]", key_serial(dest_keyring));
--	return;
-+	return 0;
- }
- 
- /*
-@@ -443,11 +466,15 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
- 	if (ctx->index_key.type == &key_type_keyring)
- 		return ERR_PTR(-EPERM);
- 
--	user = key_user_lookup(current_fsuid());
--	if (!user)
--		return ERR_PTR(-ENOMEM);
-+	ret = construct_get_dest_keyring(&dest_keyring);
-+	if (ret)
-+		goto error;
- 
--	construct_get_dest_keyring(&dest_keyring);
-+	user = key_user_lookup(current_fsuid());
-+	if (!user) {
-+		ret = -ENOMEM;
-+		goto error_put_dest_keyring;
-+	}
- 
- 	ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
- 	key_user_put(user);
-@@ -462,7 +489,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
- 	} else if (ret == -EINPROGRESS) {
- 		ret = 0;
- 	} else {
--		goto couldnt_alloc_key;
-+		goto error_put_dest_keyring;
- 	}
- 
- 	key_put(dest_keyring);
-@@ -472,8 +499,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
- construction_failed:
- 	key_negate_and_link(key, key_negative_timeout, NULL, NULL);
- 	key_put(key);
--couldnt_alloc_key:
-+error_put_dest_keyring:
- 	key_put(dest_keyring);
-+error:
- 	kleave(" = %d", ret);
- 	return ERR_PTR(ret);
- }
diff --git a/debian/patches/bugfix/all/media-cx231xx-cards-fix-NULL-deref-on-missing-associ.patch b/debian/patches/bugfix/all/media-cx231xx-cards-fix-NULL-deref-on-missing-associ.patch
deleted file mode 100644
index ecdca2a..0000000
--- a/debian/patches/bugfix/all/media-cx231xx-cards-fix-NULL-deref-on-missing-associ.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Thu, 21 Sep 2017 05:40:18 -0300
-Subject: [media] cx231xx-cards: fix NULL-deref on missing association
- descriptor
-Origin: https://git.kernel.org/linus/6c3b047fa2d2286d5e438bcb470c7b1a49f415f6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16536
-
-Make sure to check that we actually have an Interface Association
-Descriptor before dereferencing it during probe to avoid dereferencing a
-NULL-pointer.
-
-Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
-
-Cc: stable <stable at vger.kernel.org>     # 2.6.30
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Johan Hovold <johan at kernel.org>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
-index e0daa9b6c2a0..9b742d569fb5 100644
---- a/drivers/media/usb/cx231xx/cx231xx-cards.c
-+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
-@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface,
- 	nr = dev->devno;
- 
- 	assoc_desc = udev->actconfig->intf_assoc[0];
--	if (assoc_desc->bFirstInterface != ifnum) {
-+	if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
- 		dev_err(d, "Not found matching IAD interface\n");
- 		retval = -ENODEV;
- 		goto err_if;
--- 
-2.11.0
-
diff --git a/debian/patches/bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch b/debian/patches/bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
deleted file mode 100644
index 457a996..0000000
--- a/debian/patches/bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: "Kirill A. Shutemov" <kirill.shutemov at linux.intel.com>
-Date: Mon, 27 Nov 2017 06:21:25 +0300
-Subject: mm, thp: Do not make page table dirty unconditionally in
- touch_p[mu]d()
-Origin: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000405
-
-Currently, we unconditionally make page table dirty in touch_pmd().
-It may result in false-positive can_follow_write_pmd().
-
-We may avoid the situation, if we would only make the page table entry
-dirty if caller asks for write access -- FOLL_WRITE.
-
-The patch also changes touch_pud() in the same way.
-
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov at linux.intel.com>
-Cc: Michal Hocko <mhocko at suse.com>
-Cc: Hugh Dickins <hughd at google.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[carnil: backport for 4.9:
- - Adjust context
- - Drop specific part for PUD-sized transparent hugepages. Support
-   for PUD-sized transparent hugepages was added in v4.11-rc1
-]
----
- mm/huge_memory.c | 36 +++++++++++++-----------------------
- 1 file changed, 13 insertions(+), 23 deletions(-)
-
---- a/mm/huge_memory.c
-+++ b/mm/huge_memory.c
-@@ -745,20 +745,15 @@ int vmf_insert_pfn_pmd(struct vm_area_st
- EXPORT_SYMBOL_GPL(vmf_insert_pfn_pmd);
- 
- static void touch_pmd(struct vm_area_struct *vma, unsigned long addr,
--		pmd_t *pmd)
-+		pmd_t *pmd, int flags)
- {
- 	pmd_t _pmd;
- 
--	/*
--	 * We should set the dirty bit only for FOLL_WRITE but for now
--	 * the dirty bit in the pmd is meaningless.  And if the dirty
--	 * bit will become meaningful and we'll only set it with
--	 * FOLL_WRITE, an atomic set_bit will be required on the pmd to
--	 * set the young bit, instead of the current set_pmd_at.
--	 */
--	_pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
-+	_pmd = pmd_mkyoung(*pmd);
-+	if (flags & FOLL_WRITE)
-+		_pmd = pmd_mkdirty(_pmd);
- 	if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
--				pmd, _pmd,  1))
-+				pmd, _pmd, flags & FOLL_WRITE))
- 		update_mmu_cache_pmd(vma, addr, pmd);
- }
- 
-@@ -787,7 +782,7 @@ struct page *follow_devmap_pmd(struct vm
- 		return NULL;
- 
- 	if (flags & FOLL_TOUCH)
--		touch_pmd(vma, addr, pmd);
-+		touch_pmd(vma, addr, pmd, flags);
- 
- 	/*
- 	 * device mapped pages can only be returned if the
-@@ -1158,7 +1153,7 @@ struct page *follow_trans_huge_pmd(struc
- 	page = pmd_page(*pmd);
- 	VM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page);
- 	if (flags & FOLL_TOUCH)
--		touch_pmd(vma, addr, pmd);
-+		touch_pmd(vma, addr, pmd, flags);
- 	if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
- 		/*
- 		 * We don't mlock() pte-mapped THPs. This way we can avoid
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
index a10695c..37ab05d 100644
--- a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+++ b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
@@ -42,9 +42,9 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
  #include <net/netlink.h>
  #include <net/sock.h>
  
-@@ -297,6 +298,9 @@ static int nfnl_cthelper_new(struct net
- 	struct nf_conntrack_tuple tuple;
- 	int ret = 0, i;
+@@ -392,6 +393,9 @@ static int nfnl_cthelper_new(struct net
+ 	struct nfnl_cthelper *nlcth;
+ 	int ret = 0;
  
 +	if (!capable(CAP_NET_ADMIN))
 +		return -EPERM;
@@ -52,8 +52,8 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
  	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
  		return -EINVAL;
  
-@@ -511,6 +515,9 @@ static int nfnl_cthelper_get(struct net
- 	struct nf_conntrack_tuple tuple;
+@@ -595,6 +599,9 @@ static int nfnl_cthelper_get(struct net
+ 	struct nfnl_cthelper *nlcth;
  	bool tuple_set = false;
  
 +	if (!capable(CAP_NET_ADMIN))
@@ -62,9 +62,9 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
  	if (nlh->nlmsg_flags & NLM_F_DUMP) {
  		struct netlink_dump_control c = {
  			.dump = nfnl_cthelper_dump_table,
-@@ -583,6 +590,9 @@ static int nfnl_cthelper_del(struct net
- 	bool tuple_set = false, found = false;
- 	int i, j = 0, ret;
+@@ -661,6 +668,9 @@ static int nfnl_cthelper_del(struct net
+ 	struct nfnl_cthelper *nlcth, *n;
+ 	int j = 0, ret;
  
 +	if (!capable(CAP_NET_ADMIN))
 +		return -EPERM;
diff --git a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
deleted file mode 100644
index 29218c9..0000000
--- a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Alan Stern <stern at rowland.harvard.edu>
-Date: Tue, 12 Dec 2017 14:25:13 -0500
-Subject: USB: core: prevent malicious bNumInterfaces overflow
-Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558
-
-A malicious USB device with crafted descriptors can cause the kernel
-to access unallocated memory by setting the bNumInterfaces value too
-high in a configuration descriptor.  Although the value is adjusted
-during parsing, this adjustment is skipped in one of the error return
-paths.
-
-This patch prevents the problem by setting bNumInterfaces to 0
-initially.  The existing code already sets it to the proper value
-after parsing is complete.
-
-Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-CC: <stable at vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/usb/core/config.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -550,6 +550,9 @@ static int usb_parse_configuration(struc
- 	unsigned iad_num = 0;
- 
- 	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
-+	nintf = nintf_orig = config->desc.bNumInterfaces;
-+	config->desc.bNumInterfaces = 0;	// Adjusted later
-+
- 	if (config->desc.bDescriptorType != USB_DT_CONFIG ||
- 	    config->desc.bLength < USB_DT_CONFIG_SIZE ||
- 	    config->desc.bLength > size) {
-@@ -563,7 +566,6 @@ static int usb_parse_configuration(struc
- 	buffer += config->desc.bLength;
- 	size -= config->desc.bLength;
- 
--	nintf = nintf_orig = config->desc.bNumInterfaces;
- 	if (nintf > USB_MAXINTERFACES) {
- 		dev_warn(ddev, "config %d has too many interfaces: %d, "
- 		    "using maximum allowed: %d\n",
diff --git a/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
deleted file mode 100644
index a84514a..0000000
--- a/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 6ead44d4b5b8b1ecfcbd2302f15028dab7774da3 Mon Sep 17 00:00:00 2001
-From: Andrew Honig <ahonig at google.com>
-Date: Fri, 1 Dec 2017 10:21:09 -0800
-Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/d59d51f088014f25c2562de59b9abff4f42a7468
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000407
-
-This fixes CVE-2017-1000407.
-
-KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
-the guest floods this port with writes it generates exceptions and
-instability in the host kernel, leading to a crash.  With this change
-guest writes to port 0x80 on Intel will behave the same as they
-currently behave on AMD systems.
-
-Prevent the flooding by removing the code that sets port 0x80 as a
-passthrough port.  This is essentially the same as upstream patch
-99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
-for AMD chipsets and this patch is for Intel.
-
-Signed-off-by: Andrew Honig <ahonig at google.com>
-Signed-off-by: Jim Mattson <jmattson at google.com>
-Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
-Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- arch/x86/kvm/vmx.c | 5 -----
- 1 file changed, 5 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -6411,12 +6411,7 @@ static __init int hardware_setup(void)
- 	memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
- 	memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
- 
--	/*
--	 * Allow direct access to the PC debug port (it is often used for I/O
--	 * delays, but the vmexits simply slow things down).
--	 */
- 	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
--	clear_bit(0x80, vmx_io_bitmap_a);
- 
- 	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
- 
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
index d2bdec0..3e7f35b 100644
--- a/debian/patches/debian/kernelvariables.patch
+++ b/debian/patches/debian/kernelvariables.patch
@@ -57,9 +57,9 @@ use of $(ARCH) needs to be moved after this.
  KCONFIG_CONFIG	?= .config
  export KCONFIG_CONFIG
  
-@@ -373,6 +337,44 @@ LDFLAGS_vmlinux =
- CFLAGS_GCOV	:= -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
- CFLAGS_KCOV	:= $(call cc-option,-fsanitize-coverage=trace-pc,)
+@@ -371,6 +335,45 @@ CFLAGS_KERNEL	=
+ AFLAGS_KERNEL	=
+ LDFLAGS_vmlinux =
  
 +-include $(obj)/.kernelvariables
 +
@@ -99,6 +99,7 @@ use of $(ARCH) needs to be moved after this.
 +ifeq ($(ARCH),m68knommu)
 +       hdr-arch  := m68k
 +endif
- 
++
  # Use USERINCLUDE when you must reference the UAPI directories only.
  USERINCLUDE    := \
+ 		-I$(srctree)/arch/$(hdr-arch)/include/uapi \
diff --git a/debian/patches/series b/debian/patches/series
index 171924b..862828a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -135,27 +135,16 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/time-mark-timer_stats-as-broken.patch
 bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/media-cx231xx-cards-fix-NULL-deref-on-missing-associ.patch
-bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
 bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
-bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
-bugfix/all/bpf-fix-branch-pruning-logic.patch
-bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
-bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
 bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
 bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
 bugfix/all/netlink-add-netns-check-on-taps.patch
 bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
-bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
 bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
 bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
-bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
-bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
-bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
-bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
 bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
 
 # Fix exported symbol versions
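Review bot: The eleven entries removed from the series here include fixes that the deleted patch files tag with Bug-Debian-Security (CVE-2017-17807, CVE-2017-16536, CVE-2017-1000405, CVE-2017-17558 and CVE-2017-1000407 are visible on this page), and nothing in the hunk records that each one is present in the 4.9.72 upstream tree. Presumably they are dropped because the stable update already contains them; before the WIP marker comes off, each removal should be checked against the upstream commit named in the patch's Origin line, since an entry dropped by mistake silently reopens the issue. The matching debian/changelog items should carry the CVE ids, e.g. `- KEYS: add missing permission check for request_key() destination (CVE-2017-17807)`, so the security tracker still maps each fix to this upload; the changelog hunk is outside this view, so that may already be done.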

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


