From 0a69e0b0466f03d1734fe686cbee65932cd0ee97 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sun, 4 Feb 2018 13:33:30 +0100 Subject: [PATCH] Update to 4.14.17 Refresh cpupower-fix-checks-for-cpu-existence.patch patch --- debian/changelog | 152 +++++++++++++++++- ...pupower-fix-checks-for-cpu-existence.patch | 6 +- ...op-fix-concurrent-lo_open-lo_release.patch | 56 ------- debian/patches/series | 1 - 4 files changed, 155 insertions(+), 60 deletions(-) delete mode 100644 debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch diff --git a/debian/changelog b/debian/changelog index 86ddb53d9..69e352a6b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.14.16-1) UNRELEASED; urgency=medium +linux (4.14.17-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14 
@@ -269,9 +269,157 @@ linux (4.14.16-1) UNRELEASED; urgency=medium - [arm64] bpf: fix stack_depth tracking in combination with tail calls - cpufreq: governor: Ensure sufficiently large sampling intervals - nfsd: auth: Fix gid sorting when rootsquash enabled (CVE-2018-1000028) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.17 + - futex: Fix OWNER_DEAD fixup + - loop: fix concurrent lo_open/lo_release (CVE-2018-5344) + - [x86] KVM: Fix CPUID function for word 6 (80000001_ECX) + - gpio: Fix kernel stack leak to userspace + - ALSA: hda - Reduce the suspend time consumption for ALC256 + - crypto: ecdh - fix typo in KPP dependency of CRYPTO_ECDH + - [x86] crypto: aesni - handle zero length dst buffer + - [x86] crypto: aesni - fix typo in generic_gcmaes_decrypt + - crypto: gcm - add GCM IV size constant + - [x86] crypto: aesni - Use GCM IV size constant + - [x86] crypto: aesni - add wrapper for generic gcm(aes) + - [x86] crypto: aesni - Fix out-of-bounds access of the data buffer in + generic-gcm-aesni + - [x86] crypto: aesni - Fix out-of-bounds access of the AAD buffer in + generic-gcm-aesni + - [arm64] crypto: inside-secure - fix hash when length is a multiple of a + block + - [arm64] crypto: inside-secure - avoid unmapping DMA memory that was not + mapped + - crypto: sha3-generic - fixes for alignment and big endian operation + - crypto: af_alg - whitelist mask and type + - HID: wacom: EKR: ensure devres groups at higher indexes are released + - HID: wacom: Fix reporting of touch toggle (WACOM_HID_WD_MUTE_DEVICE) + events + - igb: Free IRQs when device is hotplugged + - ima/policy: fix parsing of fsuuid + - scsi: aacraid: Fix udev inquiry race condition + - scsi: aacraid: Fix hang in kdump + - VFS: Handle lazytime in do_mount() + - [arm64,armhf] drm/vc4: Account for interrupts in flight + - btrfs: Fix transaction abort during failure in btrfs_rm_dev_item + - Btrfs: bail out gracefully rather than BUG_ON + - cpupowerutils: bench - Fix cpu online check + - 
cpupower : Fix cpupower working when cpu0 is offline + - [x86] KVM: nVMX/nSVM: Don't intercept #UD when running L2 + - [x86] KVM: emulator: Return to user-mode on L1 CPL=0 emulation failure + - [x86] KVM: Don't re-execute instruction when not passing CR2 value + - [x86] KVM: Fix operand/address-size during instruction decoding + - [x86] KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure + - [x86] KVM: fix em_fxstor() sleeping while in atomic + - [x86] KVM: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race + - [x86] KVM: ioapic: Clear Remote IRR when entry is switched to + edge-triggered + - [x86] KVM: ioapic: Preserve read-only values in the redirection table + - [x86] KVM: nVMX: Fix vmx_check_nested_events() return value in case an + event was reinjected to L2 + - nvme-fabrics: introduce init command check for a queue that is not alive + - nvme-fc: check if queue is ready in queue_rq + - nvme-loop: check if queue is ready in queue_rq + - nvme-pci: disable APST on Samsung SSD 960 EVO + ASUS PRIME B350M-A + - nvme-pci: avoid hmb desc array idx out-of-bound when hmmaxd set. 
+ - nvmet-fc: correct ref counting error when deferred rcv used + - [s390x] topology: fix compile error in file arch/s390/kernel/smp.c + - [s390x] zcrypt: Fix wrong comparison leading to strange load balancing + - ACPI / bus: Leave modalias empty for devices which are not present + - null_blk: fix dev->badblocks leak + - [s390x] fix alloc_pgste check in init_new_context again + - rxrpc: The mutex lock returned by rxrpc_accept_call() needs releasing + - rxrpc: Provide a different lockdep key for call->user_mutex for kernel calls + - rxrpc: Fix service endpoint expiry + - bcache: check return value of register_shrinker + - drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode + - [x86] drm/amdkfd: Fix SDMA ring buffer size calculation + - [x86] drm/amdkfd: Fix SDMA oversubsription handling + - uapi: fix linux/kfd_ioctl.h userspace compilation errors + - nvme-rdma: don't complete requests before a send work request has + completed + - openvswitch: fix the incorrect flow action alloc size + - [armhf] drm/rockchip: dw-mipi-dsi: fix possible un-balanced runtime PM + enable + - mac80211: use QoS NDP for AP probing + - mac80211: fix the update of path metric for RANN frame + - btrfs: fix deadlock when writing out space cache + - sctp: only allow the asoc reset when the asoc outq is empty + - sctp: avoid flushing unsent queue when doing asoc reset + - sctp: set sender next_tsn for the old result with ctsn_ack_point plus 1 + - reiserfs: remove unneeded i_version bump + - [x86] KVM: Fix softlockup when get the current kvmclock + - [x86] KVM: VMX: Fix rflags cache during vCPU reset + - Btrfs: fix list_add corruption and soft lockups in fsync + - KVM: Let KVM_SET_SIGNAL_MASK work as advertised + - xfs: always free inline data before resetting inode fork during ifree + - xfs: log recovery should replay deferred ops in order + - xen-netfront: remove warning when unloading module + - nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) + - nfsd: Ensure 
we check stateid validity in the seqid operation checks + - grace: replace BUG_ON by WARN_ONCE in exit_net hook + - nfsd: check for use of the closed special stateid + - race of lockd inetaddr notifiers vs nlmsvc_rqst change + - lockd: fix "list_add double add" caused by legacy signal interface + - quota: propagate error from __dquot_initialize + - [arm64,armhf] net: mvpp2: fix the txq_init error path + - [arm64] net: phy: marvell10g: fix the PHY id mask + - bnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()' + - Btrfs: incremental send, fix wrong unlink path after renaming file + - nvme-pci: fix NULL pointer dereference in nvme_free_host_mem() + - xfs: fortify xfs_alloc_buftarg error handling + - drm/amdgpu: don't try to move pinned BOs + - quota: Check for register_shrinker() failure. + - SUNRPC: Allow connect to return EHOSTUNREACH + - kmemleak: add scheduling point to kmemleak_scan() + - [armhf] drm/omap: Fix error handling path in 'omap_dmm_probe()' + - [armhf] drm/omap: displays: panel-dpi: add backlight dependency + - xfs: ubsan fixes + - xfs: Properly retry failed dquot items in case of error during buffer + writeback + - perf/core: Fix memory leak triggered by perf --namespace + - scsi: aacraid: Prevent crash in case of free interrupt during scsi EH + path + - scsi: ufs: ufshcd: fix potential NULL pointer dereference in + ufshcd_config_vreg + - iwlwifi: mvm: fix the TX queue hang timeout for MONITOR vif type + - iwlwifi: fix access to prph when transport is stopped + - [arm*] dts: NSP: Disable AHCI controller for HR NSP boards + - [arm*] ARM: dts: NSP: Fix PPI interrupt types + - media: usbtv: add a new usbid + - [x86] xen: Support early interrupts in xen pv guests + - usb: gadget: don't dereference g until after it has been null checked + - staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID + - [arm64,armhf] drm/vc4: Move IRQ enable to PM path + - [x86] KVM: emulate #UD while in guest mode + - [x86] staging: lustre: separate a 
connection destroy from free struct + kib_conn + - tty: fix data race between tty_init_dev and flush of buf + - USB: serial: pl2303: new device id for Chilitag + - USB: cdc-acm: Do not log urb submission errors on disconnect + - CDC-ACM: apply quirk for card reader + - USB: serial: io_edgeport: fix possible sleep-in-atomic + - usbip: prevent bind loops on devices attached to vhci_hcd + - usbip: list: don't list devices attached to vhci_hcd + - USB: serial: simple: add Motorola Tetra driver + - usb: f_fs: Prevent gadget unbind if it is already unbound + - usb: uas: unconditionally bring back host after reset + - usb/gadget: Fix "high bandwidth" check in usb_gadget_ep_match_desc() + - [x86] mei: me: allow runtime pm for platform with D0i3 + - serial: 8250_of: fix return code when probe function fails to get reset + - serial: 8250_uniphier: fix error return code in uniphier_uart_probe() + - [armhf] serial: imx: Only wakeup via RTSDEN bit if the system has + RTS/CTS + - [armhf] spi: imx: do not access registers while clocks disabled + - iio: adc: stm32: fix scan of multiple channels with DMA + - iio: chemical: ccs811: Fix output of IIO_CONCENTRATION channels + - test_firmware: fix missing unlock on error in + config_num_requests_store() + - Input: synaptics-rmi4 - unmask F03 interrupts when port is opened + - Input: synaptics-rmi4 - do not delete interrupt memory too early + - [x86] efi: Clarify that reset attack mitigation needs appropriate + userspace [ Salvatore Bonaccorso ] - * loop: fix concurrent lo_open/lo_release (CVE-2018-5344) * [rt] Update to 4.14.15-rt11 * [rt] Update to 4.14.15-rt13 * crypto: ecc - Fix NULL pointer deref. on no default_rng (Closes: #886556) diff --git a/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch b/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch index be5f528f4..f7cbcdb9e 100644 --- a/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch 
+++ b/debian/patches/bugfix/all/cpupower-fix-checks-for-cpu-existence.patch @@ -17,6 +17,10 @@ properly distinguish and report the zero and negative cases. Fixes: ac5a181d065d ("cpupower: Add cpuidle parts into library") Signed-off-by: Ben Hutchings +[carnil: Update/Refresh patch for 4.14.17: The issue with the +incorrect check has been fixed with upstream commit 53d1cd6b125f. +Keep in the patch the distinction and report for the zero and +negative cases.] --- --- a/tools/power/cpupower/bench/system.c +++ b/tools/power/cpupower/bench/system.c @@ -28,7 +32,7 @@ Signed-off-by: Ben Hutchings dprintf("set %s as cpufreq governor\n", governor); -- if (cpupower_is_cpu_online(cpu) != 0) { +- if (cpupower_is_cpu_online(cpu) != 1) { - perror("cpufreq_cpu_exists"); - fprintf(stderr, "error: cpu %u does not exist\n", cpu); + rc = cpupower_is_cpu_online(cpu); diff --git a/debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch b/debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch deleted file mode 100644 index a5ba39e4b..000000000 --- a/debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: Linus Torvalds -Date: Fri, 5 Jan 2018 16:26:00 -0800 -Subject: loop: fix concurrent lo_open/lo_release -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5344 - -范龙飞 reports that KASAN can report a use-after-free in __lock_acquire. -The reason is due to insufficient serialization in lo_release(), which -will continue to use the loop device even after it has decremented the -lo_refcnt to zero. - -In the meantime, another process can come in, open the loop device -again as it is being shut down. Confusion ensues. - -Reported-by: 范龙飞 -Signed-off-by: Linus Torvalds -Signed-off-by: Jens Axboe ---- - drivers/block/loop.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index bc8e61506968..d5fe720cf149 100644 ---- a/drivers/block/loop.c -+++ b/drivers/block/loop.c -@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode) - return err; - } - --static void lo_release(struct gendisk *disk, fmode_t mode) -+static void __lo_release(struct loop_device *lo) - { -- struct loop_device *lo = disk->private_data; - int err; - - if (atomic_dec_return(&lo->lo_refcnt)) -@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode) - mutex_unlock(&lo->lo_ctl_mutex); - } - -+static void lo_release(struct gendisk *disk, fmode_t mode) -+{ -+ mutex_lock(&loop_index_mutex); -+ __lo_release(disk->private_data); -+ mutex_unlock(&loop_index_mutex); -+} -+ - static const struct block_device_operations lo_fops = { - .owner = THIS_MODULE, - .open = lo_open, --- -2.15.1 - diff --git a/debian/patches/series b/debian/patches/series index a8864c4eb..15a8e6af4 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -122,7 +122,6 @@ bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch -bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch
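Review bot: in the debian/changelog hunk at @@ -269,9 +269,157 @@, the entry "- rxrpc: Provide a different lockdep key for call->user_mutex for kernel calls" is left on a single line, while the other long entries in the same list are folded onto a continuation line; wrap it to match. The CVE-2018-5344 tag is carried over from the removed "* loop: fix concurrent lo_open/lo_release" bullet to the new ChangeLog-4.14.17 list entry, so the CVE reference is still recorded.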
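Review bot: the added "[carnil: ...]" note in cpupower-fix-checks-for-cpu-existence.patch (hunk @@ -17,6 +17,10 @@) says the incorrect check is already fixed by upstream commit 53d1cd6b125f, yet the patch keeps its "fix checks for cpu existence" file name and its "Fixes: ac5a181d065d" trailer, which now overstate what it does. The remaining change only separates the zero and negative results of cpupower_is_cpu_online(), so consider rewording the description (or renaming the patch) to say that, so a later refresh does not treat it as a pending bug fix. The context update from "!= 0" to "!= 1" in the following hunk is consistent with the note.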
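Review bot: the deletion of loop-fix-concurrent-lo_open-lo_release.patch and the matching removal of its line from debian/patches/series (hunk @@ -122,7 +122,6 @@) are not mentioned in the commit message, which names only the cpupower refresh. Add a line such as "Drop loop-fix-concurrent-lo_open-lo_release.patch, applied upstream in 4.14.17" so the history explains why the file carrying the CVE-2018-5344 fix disappears; the changelog hunk does list the same fix under ChangeLog-4.14.17.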