Update to 4.18.14
This updates the debian changelog for listing changes of this stable update, including removal of cherry picked commits applied on upstream.
This commit is contained in:
parent
8287bd051d
commit
540db7a99c
|
@ -1,4 +1,4 @@
|
||||||
linux (4.18.13-1) UNRELEASED; urgency=medium
|
linux (4.18.14-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
|
||||||
|
@ -389,6 +389,43 @@ linux (4.18.13-1) UNRELEASED; urgency=medium
|
||||||
- ixgbe: check return value of napi_complete_done()
|
- ixgbe: check return value of napi_complete_done()
|
||||||
- dm thin metadata: fix __udivdi3 undefined on 32-bit
|
- dm thin metadata: fix __udivdi3 undefined on 32-bit
|
||||||
- Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
|
- Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.14
|
||||||
|
- perf/core: Add sanity check to deal with pinned event failure
|
||||||
|
- mm: migration: fix migration of huge PMD shared pages
|
||||||
|
- mm, thp: fix mlocking THP page with migration enabled
|
||||||
|
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
|
||||||
|
- [x86] KVM: fix L1TF's MMIO GFN calculation
|
||||||
|
- [x86] KVM: VMX: check for existence of secondary exec controls before
|
||||||
|
accessing
|
||||||
|
- blk-mq: I/O and timer unplugs are inverted in blktrace
|
||||||
|
- [powerpc*, mips*, arm64, x86, alpha, armhf] mmc: core: Fix debounce time
|
||||||
|
to use microseconds
|
||||||
|
- [powerpc*, mips*, arm64, x86, alpha, armhf] mmc: slot-gpio: Fix debounce
|
||||||
|
time to use miliseconds again
|
||||||
|
- mac80211: allocate TXQs for active monitor interfaces
|
||||||
|
- drm/amdgpu: Fix vce work queue was not cancelled when suspend
|
||||||
|
- [x86] vdso: Fix asm constraints on vDSO syscall fallbacks
|
||||||
|
- [x86] vdso: Only enable vDSO retpolines when enabled and supported
|
||||||
|
- [x86] vdso: Fix vDSO syscall fallback asm constraint regression
|
||||||
|
- [powerpc*, mips*, arm64, x86, s390x, armhf, sparc, hppa] PCI: Reprogram
|
||||||
|
bridge prefetch registers on resume
|
||||||
|
- mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
|
||||||
|
- dm mpath: fix attached_handler_name leak and dangling hw_handler_name
|
||||||
|
pointer
|
||||||
|
- dm cache metadata: ignore hints array being too small during resize
|
||||||
|
- dm cache: fix resize crash if user doesn't reload cache table
|
||||||
|
- USB: serial: simple: add Motorola Tetra MTP6550 id
|
||||||
|
- USB: serial: option: improve Quectel EP06 detection
|
||||||
|
- USB: serial: option: add two-endpoints device-id flag
|
||||||
|
- usb: cdc_acm: Do not leak URB buffers
|
||||||
|
- tty: Drop tty->count on tty_reopen() failure
|
||||||
|
- [powerpc*] Avoid code patching freed init sections
|
||||||
|
- [powerpc*] lib: fix book3s/32 boot failure due to code patching
|
||||||
|
- f2fs: fix invalid memory access
|
||||||
|
- tipc: call start and done ops directly in __tipc_nl_compat_dumpit()
|
||||||
|
- ubifs: Check for name being NULL while mounting
|
||||||
|
- rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
|
||||||
|
- ath10k: fix scan crash due to incorrect length calculation
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* linux-perf: Fix BPF feature detection
|
* linux-perf: Fix BPF feature detection
|
||||||
|
|
|
@ -1,60 +0,0 @@
|
||||||
From: Jan Beulich <JBeulich@suse.com>
|
|
||||||
Date: Tue, 25 Sep 2018 02:12:30 -0600
|
|
||||||
Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
|
|
||||||
Origin: https://git.kernel.org/linus/780e83c259fc33e8959fed8dfdad17e378d72b62
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15471
|
|
||||||
|
|
||||||
Both len and off are frontend specified values, so we need to make
|
|
||||||
sure there's no overflow when adding the two for the bounds check. We
|
|
||||||
also want to avoid undefined behavior and hence use off to index into
|
|
||||||
->hash.mapping[] only after bounds checking. This at the same time
|
|
||||||
allows to take care of not applying off twice for the bounds checking
|
|
||||||
against vif->num_queues.
|
|
||||||
|
|
||||||
It is also insufficient to bounds check copy_op.len, as this is len
|
|
||||||
truncated to 16 bits.
|
|
||||||
|
|
||||||
This is XSA-270 / CVE-2018-15471.
|
|
||||||
|
|
||||||
Reported-by: Felix Wilhelm <fwilhelm@google.com>
|
|
||||||
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
||||||
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
|
|
||||||
Tested-by: Paul Durrant <paul.durrant@citrix.com>
|
|
||||||
Cc: stable@vger.kernel.org [4.7 onwards]
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
drivers/net/xen-netback/hash.c | 12 +++++++-----
|
|
||||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
|
|
||||||
index 3c4c58b9fe76..3b6fb5b3bdb2 100644
|
|
||||||
--- a/drivers/net/xen-netback/hash.c
|
|
||||||
+++ b/drivers/net/xen-netback/hash.c
|
|
||||||
@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size)
|
|
||||||
u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
|
|
||||||
u32 off)
|
|
||||||
{
|
|
||||||
- u32 *mapping = &vif->hash.mapping[off];
|
|
||||||
+ u32 *mapping = vif->hash.mapping;
|
|
||||||
struct gnttab_copy copy_op = {
|
|
||||||
.source.u.ref = gref,
|
|
||||||
.source.domid = vif->domid,
|
|
||||||
- .dest.u.gmfn = virt_to_gfn(mapping),
|
|
||||||
.dest.domid = DOMID_SELF,
|
|
||||||
- .dest.offset = xen_offset_in_page(mapping),
|
|
||||||
- .len = len * sizeof(u32),
|
|
||||||
+ .len = len * sizeof(*mapping),
|
|
||||||
.flags = GNTCOPY_source_gref
|
|
||||||
};
|
|
||||||
|
|
||||||
- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
|
|
||||||
+ if ((off + len < off) || (off + len > vif->hash.size) ||
|
|
||||||
+ len > XEN_PAGE_SIZE / sizeof(*mapping))
|
|
||||||
return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
|
|
||||||
|
|
||||||
+ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
|
|
||||||
+ copy_op.dest.offset = xen_offset_in_page(mapping + off);
|
|
||||||
+
|
|
||||||
while (len-- != 0)
|
|
||||||
if (mapping[off++] >= vif->num_queues)
|
|
||||||
return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
|
|
|
@ -145,7 +145,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
||||||
bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
|
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|
Loading…
Reference in New Issue