Update to 4.18.13
parent
3448bce542
commit
63b0a73429
|
@ -1,4 +1,4 @@
|
|||
linux (4.18.12-1) UNRELEASED; urgency=medium
|
||||
linux (4.18.13-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
|
||||
|
@ -256,12 +256,145 @@ linux (4.18.12-1) UNRELEASED; urgency=medium
|
|||
- [powerpc*] fix csum_ipv6_magic() on little endian platforms
|
||||
- [powerpc*] pkeys: Fix reading of ibm, processor-storage-keys property
|
||||
- [powerpc*] pseries: Fix unitialized timer reset on migration
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.13
|
||||
- mac80211: Run TXQ teardown code before de-registering interfaces
|
||||
- mac80211_hwsim: require at least one channel
|
||||
- Btrfs: fix unexpected failure of nocow buffered writes after snapshotting
|
||||
when low on space
|
||||
- [powerpc*] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate
|
||||
function
|
||||
- cfg80211: remove division by size of sizeof(struct ieee80211_wmm_rule)
|
||||
- btrfs: btrfs_shrink_device should call commit transaction at the end
|
||||
- scsi: csiostor: add a check for NULL pointer after kmalloc()
|
||||
- scsi: csiostor: fix incorrect port capabilities
|
||||
- scsi: libata: Add missing newline at end of file
|
||||
- scsi: aacraid: fix a signedness bug
|
||||
- bpf, sockmap: fix potential use after free in bpf_tcp_close
|
||||
- bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg
|
||||
- bpf: sockmap, decrement copied count correctly in redirect error case
|
||||
- mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
|
||||
- mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
|
||||
- cfg80211: make wmm_rule part of the reg_rule structure
|
||||
- mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom
|
||||
- nl80211: Fix nla_put_u8 to u16 for NL80211_WMMR_TXOP
|
||||
- nl80211: Pass center frequency in kHz instead of MHz
|
||||
- bpf: fix several offset tests in bpf_msg_pull_data
|
||||
- mac80211: mesh: fix HWMP sequence numbering to follow standard
|
||||
- mac80211: avoid kernel panic when building AMSDU from non-linear SKB
|
||||
- bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data
|
||||
- bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data
|
||||
- bpf: fix sg shift repair start offset in bpf_msg_pull_data
|
||||
- [arm64] net: hns: add the code for cleaning pkt in chip
|
||||
- [arm64] net: hns: add netif_carrier_off before change speed and duplex
|
||||
- [arm64, armhf] net: mvpp2: initialize port of_node pointer
|
||||
- cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
|
||||
- mac80211: do not convert to A-MSDU if frag/subframe limited
|
||||
- mac80211: always account for A-MSDU header changes
|
||||
- Revert "blk-throttle: fix race between blkcg_bio_issue_check() and
|
||||
cgroup_rmdir()"
|
||||
- md/raid5-cache: disable reshape completely
|
||||
- RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
|
||||
- bpf: Fix bpf_msg_pull_data()
|
||||
- bpf: avoid misuse of psock when TCP_ULP_BPF collides with another ULP
|
||||
- fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
|
||||
- mac80211: fix an off-by-one issue in A-MSDU max_subframe computation
|
||||
- cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
|
||||
- mac80211: fix WMM TXOP calculation
|
||||
- mac80211: fix a race between restart and CSA flows
|
||||
- mac80211: Fix station bandwidth setting after channel switch
|
||||
- mac80211: don't Tx a deauth frame if the AP forbade Tx
|
||||
- mac80211: shorten the IBSS debug messages
|
||||
- [powerpc*] net/ibm/emac: wrong emac_calc_base call was used by typo
|
||||
- ceph: avoid a use-after-free in ceph_destroy_options()
|
||||
- firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
|
||||
- afs: Fix cell specification to permit an empty address list
|
||||
- mm: madvise(MADV_DODUMP): allow hugetlbfs pages
|
||||
- netfilter: xt_cluster: add dependency on conntrack module
|
||||
- [x86] HID: intel-ish-hid: Enable Sunrise Point-H ish driver
|
||||
- HID: add support for Apple Magic Keyboards
|
||||
- HID: hid-saitek: Add device ID for RAT 7 Contagion
|
||||
- scsi: iscsi: target: Set conn->sess to NULL when
|
||||
iscsi_login_set_conn_values fails
|
||||
- scsi: iscsi: target: Fix conn_ops double free
|
||||
- perf annotate: Properly interpret indirect call
|
||||
- perf evsel: Fix potential null pointer dereference in
|
||||
perf_evsel__new_idx()
|
||||
- perf util: Fix bad memory access in trace info.
|
||||
- [powerpc*] perf probe: Ignore SyS symbols irrespective of endianness
|
||||
- [arm64] perf annotate: Fix parsing aarch64 branch instructions after
|
||||
objdump update
|
||||
- netfilter: nf_tables: release chain in flushing set
|
||||
- HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub
|
||||
report
|
||||
- USB: yurex: Check for truncation in yurex_read()
|
||||
- nvmet-rdma: fix possible bogus dereference under heavy load
|
||||
- net/mlx5: Consider PCI domain in search for next dev
|
||||
- [x86] HID: i2c-hid: Don't reset device upon system resume
|
||||
- dm raid: fix reshape race on small devices
|
||||
- drm/nouveau: fix oops in client init failure path
|
||||
- drm/nouveau/mmu: don't attempt to dereference vmm without valid instance
|
||||
pointer
|
||||
- drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
|
||||
- drm/nouveau/disp: fix DP disable race
|
||||
- drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for
|
||||
LVDS/eDP panels
|
||||
- dm raid: fix stripe adding reshape deadlock
|
||||
- dm raid: fix rebuild of specific devices by updating superblock
|
||||
- dm raid: fix RAID leg rebuild errors
|
||||
- r8169: set TxConfig register after TX / RX is enabled, just like RxConfig
|
||||
- fs/cifs: suppress a string overflow warning
|
||||
- net: ena: fix surprise unplug NULL dereference kernel crash
|
||||
- net: ena: fix driver when PAGE_SIZE == 64kB
|
||||
- net: ena: fix device destruction to gracefully free resources
|
||||
- net: ena: fix potential double ena_destroy_device()
|
||||
- net: ena: fix missing lock during device destruction
|
||||
- net: ena: fix missing calls to READ_ONCE
|
||||
- sched/topology: Set correct NUMA topology type
|
||||
- dm thin metadata: try to avoid ever aborting transactions
|
||||
- netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for
|
||||
NF_REPEAT
|
||||
- netfilter: xt_hashlimit: use s->file instead of s->private
|
||||
- drm/amdgpu: Fix SDMA hang in prt mode v2
|
||||
- drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
|
||||
- r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
|
||||
- [s390x] qeth: use vzalloc for QUERY OAT buffer
|
||||
- [s390x] qeth: don't dump past end of unknown HW header
|
||||
- cifs: read overflow in is_valid_oplock_break()
|
||||
- asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP &&
|
||||
CONFIG_INDIRECT_PIO
|
||||
- xen/manage: don't complain about an empty value in control/sysrq node
|
||||
- [mips*, x86, s390x] xen: avoid crash in disable_hotplug_cpu
|
||||
- new primitive: discard_new_inode()
|
||||
- vfs: don't evict uninitialized inode
|
||||
- ovl: set I_CREATING on inode being created
|
||||
- ovl: fix access beyond unterminated strings
|
||||
- ovl: fix memory leak on unlink of indexed file
|
||||
- ovl: fix format of setxattr debug
|
||||
- sysfs: Do not return POSIX ACL xattrs via listxattr
|
||||
- b43: fix DMA error related regression with proprietary firmware
|
||||
- firmware: Fix security issue with request_firmware_into_buf()
|
||||
- firmware: Always initialize the fw_priv list object
|
||||
- smb2: fix missing files in root share directory listing
|
||||
- [x86] iommu/amd: Clear memory encryption mask from physical address
|
||||
- ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
|
||||
- [x86] crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
|
||||
- crypto: chelsio - Fix memory corruption in DMA Mapped buffers.
|
||||
- [arm64, armhf, x86, powerpc*] gpiolib: Free the last requested descriptor
|
||||
- [x86] Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()
|
||||
- proc: restrict kernel stack dumps to root
|
||||
- ocfs2: fix locking for res->tracking and dlm->tracking_list
|
||||
- [x86] HID: i2c-hid: disable runtime PM operations on hantick touchpad
|
||||
- ixgbe: check return value of napi_complete_done()
|
||||
- dm thin metadata: fix __udivdi3 undefined on 32-bit
|
||||
- Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* linux-perf: Fix BPF feature detection
|
||||
|
||||
[ Romain Perier ]
|
||||
* [rt] Update to 4.18.12-rt7
|
||||
* Fixed FTBFS caused by wireless-disable-regulatory.db-direct-loading.patch,
|
||||
due to conflicting types for 'reg_query_regdb_wmm'
|
||||
|
||||
[ Vagrant Cascadian ]
|
||||
* [arm64] Update pinebook/teres-i device-tree patches to 4.19.x:
|
||||
|
|
|
@ -1,60 +0,0 @@
|
|||
From: Jann Horn <jannh@google.com>
|
||||
Date: Fri, 5 Oct 2018 18:17:59 +0200
|
||||
Subject: bpf: 32-bit RSH verification must truncate input before the ALU op
|
||||
Origin: https://git.kernel.org/linus/b799207e1e1816b09e7a5920fbb2d5fcf6edd681
|
||||
Bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1686
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18445
|
||||
|
||||
When I wrote commit 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification"), I
|
||||
assumed that, in order to emulate 64-bit arithmetic with 32-bit logic, it
|
||||
is sufficient to just truncate the output to 32 bits; and so I just moved
|
||||
the register size coercion that used to be at the start of the function to
|
||||
the end of the function.
|
||||
|
||||
That assumption is true for almost every op, but not for 32-bit right
|
||||
shifts, because those can propagate information towards the least
|
||||
significant bit. Fix it by always truncating inputs for 32-bit ops to 32
|
||||
bits.
|
||||
|
||||
Also get rid of the coerce_reg_to_size() after the ALU op, since that has
|
||||
no effect.
|
||||
|
||||
Fixes: 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification")
|
||||
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
|
||||
Signed-off-by: Jann Horn <jannh@google.com>
|
||||
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
||||
---
|
||||
kernel/bpf/verifier.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
|
||||
index bb07e74b34a2..465952a8e465 100644
|
||||
--- a/kernel/bpf/verifier.c
|
||||
+++ b/kernel/bpf/verifier.c
|
||||
@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
|
||||
u64 umin_val, umax_val;
|
||||
u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
|
||||
|
||||
+ if (insn_bitness == 32) {
|
||||
+ /* Relevant for 32-bit RSH: Information can propagate towards
|
||||
+ * LSB, so it isn't sufficient to only truncate the output to
|
||||
+ * 32 bits.
|
||||
+ */
|
||||
+ coerce_reg_to_size(dst_reg, 4);
|
||||
+ coerce_reg_to_size(&src_reg, 4);
|
||||
+ }
|
||||
+
|
||||
smin_val = src_reg.smin_value;
|
||||
smax_val = src_reg.smax_value;
|
||||
umin_val = src_reg.umin_value;
|
||||
@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
|
||||
if (BPF_CLASS(insn->code) != BPF_ALU64) {
|
||||
/* 32-bit ALU ops are (32,32)->32 */
|
||||
coerce_reg_to_size(dst_reg, 4);
|
||||
- coerce_reg_to_size(&src_reg, 4);
|
||||
}
|
||||
|
||||
__reg_deduce_bounds(dst_reg);
|
||||
--
|
||||
2.19.1
|
||||
|
|
@ -12,7 +12,7 @@ Index: debian-kernel/net/wireless/reg.c
|
|||
===================================================================
|
||||
--- debian-kernel.orig/net/wireless/reg.c
|
||||
+++ debian-kernel/net/wireless/reg.c
|
||||
@@ -489,6 +489,7 @@ static void reg_regdb_apply(struct work_
|
||||
@@ -476,6 +476,7 @@ static void reg_regdb_apply(struct work_
|
||||
|
||||
static DECLARE_WORK(reg_regdb_work, reg_regdb_apply);
|
||||
|
||||
|
@ -20,7 +20,7 @@ Index: debian-kernel/net/wireless/reg.c
|
|||
static int reg_schedule_apply(const struct ieee80211_regdomain *regdom)
|
||||
{
|
||||
struct reg_regdb_apply_request *request;
|
||||
@@ -508,6 +509,7 @@ static int reg_schedule_apply(const stru
|
||||
@@ -495,6 +496,7 @@ static int reg_schedule_apply(const stru
|
||||
schedule_work(®_regdb_work);
|
||||
return 0;
|
||||
}
|
||||
|
@ -28,7 +28,7 @@ Index: debian-kernel/net/wireless/reg.c
|
|||
|
||||
#ifdef CONFIG_CFG80211_CRDA_SUPPORT
|
||||
/* Max number of consecutive attempts to communicate with CRDA */
|
||||
@@ -587,6 +589,36 @@ static inline int call_crda(const char *
|
||||
@@ -574,6 +576,36 @@ static inline int call_crda(const char *
|
||||
/* code to directly load a firmware database through request_firmware */
|
||||
static const struct fwdb_header *regdb;
|
||||
|
||||
|
@ -53,8 +53,8 @@ Index: debian-kernel/net/wireless/reg.c
|
|||
+ return -ENOENT;
|
||||
+}
|
||||
+
|
||||
+int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
|
||||
+ struct ieee80211_wmm_rule *rule)
|
||||
+int reg_query_regdb_wmm(char *alpha2, int freq,
|
||||
+ struct ieee80211_reg_rule *rule)
|
||||
+{
|
||||
+ return -ENODATA;
|
||||
+}
|
||||
|
@ -65,7 +65,7 @@ Index: debian-kernel/net/wireless/reg.c
|
|||
struct fwdb_country {
|
||||
u8 alpha2[2];
|
||||
__be16 coll_ptr;
|
||||
@@ -1152,6 +1184,8 @@ int reg_reload_regdb(void)
|
||||
@@ -1090,6 +1122,8 @@ int reg_reload_regdb(void)
|
||||
return err;
|
||||
}
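Review bot: The `reg_query_regdb_wmm()` stub in the `@ -53,8 +53,8 @` hunk has no comment saying why it unconditionally returns `-ENODATA`, or that its hand-written prototype must mirror the upstream declaration. The changelog entry about conflicting types for this function records exactly that drift breaking the build. I would add above the stub `/* regulatory.db direct loading is disabled: no WMM data available; keep this prototype in sync with reg.h */`, where the reg.h location is inferred and not visible on this page. The stub also leaves `*rule` unwritten, so callers presumably have to check the return value before reading it; those callers and the rest of the patched file lie outside the hunks shown here.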
|
||||
|
||||
|
|
|
@ -146,7 +146,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
||||
bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
|
||||
bugfix/all/bpf-32-bit-RSH-verification-must-truncate-input-befo.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|