From 43505297af39c8431b00edbbe79192ee3941e6c3 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 25 Jun 2018 23:53:25 +0100 Subject: [PATCH 1/9] vhost: fix info leak due to uninitialized memory (CVE-2018-1118) --- debian/changelog | 1 + ...nfo-leak-due-to-uninitialized-memory.patch | 36 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 38 insertions(+) create mode 100644 debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch diff --git a/debian/changelog b/debian/changelog index 52ca9ab3f..e42dc3da9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,7 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * [mips*] Increase RELOCATION_TABLE_SIZE to 0x00140000 (fixes FTBFS) * Set ABI to 1 * [x86,arm64] Disable code signing for upload to unstable + * vhost: fix info leak due to uninitialized memory (CVE-2018-1118) [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch b/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch new file mode 100644 index 000000000..86ed3b396 --- /dev/null +++ b/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch 
@@ -0,0 +1,36 @@ +From: "Michael S. Tsirkin" +Date: Sat, 12 May 2018 00:33:10 +0300 +Subject: vhost: fix info leak due to uninitialized memory +Origin: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1118 + +struct vhost_msg within struct vhost_msg_node is copied to userspace. +Unfortunately it turns out on 64 bit systems vhost_msg has padding after +type which gcc doesn't initialize, leaking 4 uninitialized bytes to +userspace. + +This padding also unfortunately means 32 bit users of this interface are +broken on a 64 bit kernel which will need to be fixed separately. + +Fixes: CVE-2018-1118 +Cc: stable@vger.kernel.org +Reported-by: Kevin Easton +Signed-off-by: Michael S. Tsirkin +Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com +Signed-off-by: Michael S. Tsirkin +--- + drivers/vhost/vhost.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(str + struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); + if (!node) + return NULL; ++ ++ /* Make sure all padding within the structure is initialized. */ ++ memset(&node->msg, 0, sizeof node->msg); + node->vq = vq; + node->msg.type = type; + return node; diff --git a/debian/patches/series b/debian/patches/series index 53c589716..083bb2166 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -125,6 +125,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 5e4f042d2f5d86c5513faa0a132e61e170486b59 Mon Sep 17 00:00:00 2001 
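Review bot: in the drivers/vhost/vhost.c hunk of patch 1/9, the added memset() in vhost_new_msg() clears only node->msg, so any member of the kmalloc()ed node that is not assigned here stays uninitialized. That is enough for the leak described in the commit message, because only struct vhost_msg is copied to userspace, but allocating the node with kzalloc(sizeof *node, GFP_KERNEL) would make the separate memset() unnecessary and keep the guarantee if another member is ever exposed. The imported patch header also carries the Signed-off-by line for Michael S. Tsirkin twice.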
From: Ben Hutchings Date: Mon, 25 Jun 2018 23:56:20 +0100 Subject: [PATCH 2/9] ext4: correctly handle a zero-length xattr with a non-zero e_value_offs (CVE-2018-10840) --- debian/changelog | 2 + ...andle-a-zero-length-xattr-with-a-non.patch | 65 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 68 insertions(+) create mode 100644 debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch diff --git a/debian/changelog b/debian/changelog index e42dc3da9..02e15c2b4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * Set ABI to 1 * [x86,arm64] Disable code signing for upload to unstable * vhost: fix info leak due to uninitialized memory (CVE-2018-1118) + * ext4: correctly handle a zero-length xattr with a non-zero e_value_offs + (CVE-2018-10840) [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch b/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch new file mode 100644 index 000000000..623ffc0b6 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch 
@@ -0,0 +1,65 @@ +From: Theodore Ts'o +Date: Wed, 23 May 2018 11:31:03 -0400 +Subject: ext4: correctly handle a zero-length xattr with a non-zero + e_value_offs +Origin: https://git.kernel.org/linus/8a2b307c21d4b290e3cbe33f768f194286d07c23 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10840 + +Ext4 will always create ext4 extended attributes which do not have a +value (where e_value_size is zero) with e_value_offs set to zero. In +most places e_value_offs will not be used in a substantive way if +e_value_size is zero. + +There was one exception to this, which is in ext4_xattr_set_entry(), +where if there is a maliciously crafted file system where there is an +extended attribute with e_value_offs is non-zero and e_value_size is +0, the attempt to remove this xattr will result in a negative value +getting passed to memmove, leading to the following sadness: + +[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null) +[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000 +[ 44.538733] IP: __memmove+0x81/0x1a0 +[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1 +[ 44.538793] Oops: 0003 [#1] SMP PTI +[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1 + ... +[ 44.539475] Call Trace: +[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80 + ... +[ 44.539972] ext4_xattr_block_set+0x212/0xea0 + ... +[ 44.540041] ext4_xattr_set_handle+0x514/0x610 +[ 44.540065] ext4_xattr_set+0x7f/0x120 +[ 44.540090] __vfs_removexattr+0x4d/0x60 +[ 44.540112] vfs_removexattr+0x75/0xe0 +[ 44.540132] removexattr+0x4d/0x80 + ... +[ 44.540279] path_removexattr+0x91/0xb0 +[ 44.540300] SyS_removexattr+0xf/0x20 +[ 44.540322] do_syscall_64+0x71/0x120 +[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86 + +https://bugzilla.kernel.org/show_bug.cgi?id=199347 + +This addresses CVE-2018-10840. 
+ +Reported-by: "Xu, Wen" +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Cc: stable@kernel.org +Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication") +--- + fs/ext4/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct e + + /* No failures allowed past this point. */ + +- if (!s->not_found && here->e_value_offs) { ++ if (!s->not_found && here->e_value_size && here->e_value_offs) { + /* Remove the old value. */ + void *first_val = s->base + min_offs; + size_t offs = le16_to_cpu(here->e_value_offs); diff --git a/debian/patches/series b/debian/patches/series index 083bb2166..41ae67cb2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -126,6 +126,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch +bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 8d25e929eabad84e7e05366d2c18c58030875fdf Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 25 Jun 2018 23:59:59 +0100 Subject: [PATCH 3/9] ext4: do not allow external inodes for inline data (CVE-2018-11412) Plus the related fix "ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()". --- debian/changelog | 2 + ...rs-from-ext4_find_inline_data_nolock.patch | 61 +++++++++++++++++++ ...llow-external-inodes-for-inline-data.patch | 43 +++++++++++++ debian/patches/series | 2 + 4 files changed, 108 insertions(+) create mode 100644 debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch create mode 100644 debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch 
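Review bot: in the fs/ext4/xattr.c hunk of patch 2/9, the new here->e_value_size test in ext4_xattr_set_entry() makes an entry with a zero size and a non-zero e_value_offs skip the removal path silently, and because it sits below the comment "No failures allowed past this point." it cannot report the inconsistency. The commit message attributes such an entry to a maliciously crafted file system, so consider rejecting it where the entries are validated, before this function reaches the no-failure section, and keeping this condition as the defensive fallback.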
diff --git a/debian/changelog b/debian/changelog index 02e15c2b4..cf9b597da 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * vhost: fix info leak due to uninitialized memory (CVE-2018-1118) * ext4: correctly handle a zero-length xattr with a non-zero e_value_offs (CVE-2018-10840) + * ext4: do not allow external inodes for inline data (CVE-2018-11412) + * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch b/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch new file mode 100644 index 000000000..33dbe382e --- /dev/null +++ b/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch 
@@ -0,0 +1,61 @@ +From: Theodore Ts'o +Date: Tue, 22 May 2018 17:14:07 -0400 +Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to + ext4_iget() +Origin: https://git.kernel.org/linus/eb9b5f01c33adebc31cbc236c02695f605b0e417 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 + +If ext4_find_inline_data_nolock() returns an error it needs to get +reflected up to ext4_iget(). In order to fix this, +ext4_iget_extra_inode() needs to return an error (and not return +void). + +This is related to "ext4: do not allow external inodes for inline +data" (which fixes CVE-2018-11412) in that in the errors=continue +case, it would be useful to for userspace to receive an error +indicating that file system is corrupted. + +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Cc: stable@kernel.org +--- + fs/ext4/inode.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct + } + } + +-static inline void ext4_iget_extra_inode(struct inode *inode, ++static inline int ext4_iget_extra_inode(struct inode *inode, + struct ext4_inode *raw_inode, + struct ext4_inode_info *ei) + { + __le32 *magic = (void *)raw_inode + + EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize; ++ + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <= + EXT4_INODE_SIZE(inode->i_sb) && + *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { + ext4_set_inode_state(inode, EXT4_STATE_XATTR); +- ext4_find_inline_data_nolock(inode); ++ return ext4_find_inline_data_nolock(inode); + } else + EXT4_I(inode)->i_inline_off = 0; ++ return 0; + } + + int ext4_get_projid(struct inode *inode, kprojid_t *projid) +@@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_blo + ei->i_extra_isize = sizeof(struct ext4_inode) - + EXT4_GOOD_OLD_INODE_SIZE; + } else { +- ext4_iget_extra_inode(inode, raw_inode, ei); ++ ret = ext4_iget_extra_inode(inode, 
raw_inode, ei); ++ if (ret) ++ goto bad_inode; + } + } + diff --git a/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch b/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch new file mode 100644 index 000000000..bb65b21b0 --- /dev/null +++ b/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch @@ -0,0 +1,43 @@ +From: Theodore Ts'o +Date: Tue, 22 May 2018 16:15:24 -0400 +Subject: ext4: do not allow external inodes for inline data +Origin: https://git.kernel.org/linus/117166efb1ee8f13c38f9e96b258f16d4923f888 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 + +The inline data feature was implemented before we added support for +external inodes for xattrs. It makes no sense to support that +combination, but the problem is that there are a number of extended +attribute checks that are skipped if e_value_inum is non-zero. + +Unfortunately, the inline data code is completely e_value_inum +unaware, and attempts to interpret the xattr fields as if it were an +inline xattr --- at which point, Hilarty Ensues. + +This addresses CVE-2018-11412. + +https://bugzilla.kernel.org/show_bug.cgi?id=199803 + +Reported-by: Jann Horn +Reviewed-by: Andreas Dilger +Signed-off-by: Theodore Ts'o +Fixes: e50e5129f384 ("ext4: xattr-in-inode support") +Cc: stable@kernel.org +--- + fs/ext4/inline.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct + goto out; + + if (!is.s.not_found) { ++ if (is.s.here->e_value_inum) { ++ EXT4_ERROR_INODE(inode, "inline data xattr refers " ++ "to an external xattr inode"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - + (void *)ext4_raw_inode(&is.iloc)); + EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + 
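Review bot: in the fs/ext4/inline.c hunk of patch 3/9, the message passed to EXT4_ERROR_INODE() is split into two string literals ("inline data xattr refers " and "to an external xattr inode"), which makes the logged text hard to find with grep; keep it as one literal even if the line runs long. The -EFSCORRUPTED set here only reaches ext4_iget() through the int return added to ext4_iget_extra_inode() by the companion "bubble errors" patch, so the two entries in debian/patches/series need to stay together.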
diff --git a/debian/patches/series b/debian/patches/series index 41ae67cb2..b3fa76dbc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -127,6 +127,8 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch +bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch +bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From d6b55c2dde2efec933dfc1974dfdb812cac87add Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 26 Jun 2018 00:21:20 +0100 Subject: [PATCH 4/9] socket: close race condition between sock_close() and sockfs_setattr() (CVE-2018-12232) --- debian/changelog | 2 + ...e-condition-between-sock_close-and-s.patch | 87 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 90 insertions(+) create mode 100644 debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch diff --git a/debian/changelog b/debian/changelog index cf9b597da..b61c693fe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium (CVE-2018-10840) * ext4: do not allow external inodes for inline data (CVE-2018-11412) * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() + * socket: close race condition between sock_close() and sockfs_setattr() + (CVE-2018-12232) [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch b/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch new file mode 100644 index 000000000..1c8c8e56b --- /dev/null 
+++ b/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch 
@@ -0,0 +1,87 @@ +From: Cong Wang +Date: Thu, 7 Jun 2018 13:39:49 -0700 +Subject: socket: close race condition between sock_close() and + sockfs_setattr() +Origin: https://git.kernel.org/linus/6d8c50dcb029872b298eea68cc6209c866fd3e14 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12232 + +fchownat() doesn't even hold refcnt of fd until it figures out +fd is really needed (otherwise is ignored) and releases it after +it resolves the path. This means sock_close() could race with +sockfs_setattr(), which leads to a NULL pointer dereference +since typically we set sock->sk to NULL in ->release(). + +As pointed out by Al, this is unique to sockfs. So we can fix this +in socket layer by acquiring inode_lock in sock_close() and +checking against NULL in sockfs_setattr(). + +sock_release() is called in many places, only the sock_close() +path matters here. And fortunately, this should not affect normal +sock_close() as it is only called when the last fd refcnt is gone. +It only affects sock_close() with a parallel sockfs_setattr() in +progress, which is not common. + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Reported-by: shankarapailoor +Cc: Tetsuo Handa +Cc: Lorenzo Colitti +Cc: Al Viro +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +--- + net/socket.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry + if (!err && (iattr->ia_valid & ATTR_UID)) { + struct socket *sock = SOCKET_I(d_inode(dentry)); + +- sock->sk->sk_uid = iattr->ia_uid; ++ if (sock->sk) ++ sock->sk->sk_uid = iattr->ia_uid; ++ else ++ err = -ENOENT; + } + + return err; +@@ -586,12 +589,16 @@ EXPORT_SYMBOL(sock_alloc); + * an inode not a file. 
+ */ + +-void sock_release(struct socket *sock) ++static void __sock_release(struct socket *sock, struct inode *inode) + { + if (sock->ops) { + struct module *owner = sock->ops->owner; + ++ if (inode) ++ inode_lock(inode); + sock->ops->release(sock); ++ if (inode) ++ inode_unlock(inode); + sock->ops = NULL; + module_put(owner); + } +@@ -605,6 +612,11 @@ void sock_release(struct socket *sock) + } + sock->file = NULL; + } ++ ++void sock_release(struct socket *sock) ++{ ++ __sock_release(sock, NULL); ++} + EXPORT_SYMBOL(sock_release); + + void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags) +@@ -1146,7 +1158,7 @@ static int sock_mmap(struct file *file, + + static int sock_close(struct inode *inode, struct file *filp) + { +- sock_release(SOCKET_I(inode)); ++ __sock_release(SOCKET_I(inode), inode); + return 0; + } + diff --git a/debian/patches/series b/debian/patches/series index b3fa76dbc..d55902246 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -129,6 +129,7 @@ bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch +bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 4eabac8481070640376e52af27ba12a4a80a5fb0 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 26 Jun 2018 00:25:31 +0100 Subject: [PATCH 5/9] [x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633) --- debian/changelog | 2 + ...opy_from_user-the-request-header-onc.patch | 43 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 46 insertions(+) create mode 100644 debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch 
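Review bot: in the net/socket.c hunks of patch 4/9, the comment block that ends just above the old sock_release() definition now documents the static helper __sock_release(), while the exported sock_release() added further down has no comment, and nothing explains that a NULL inode argument means the release runs without inode_lock(). Move the existing comment to sock_release() and add a short one on __sock_release() stating that sock_close() passes the inode so that ->release() is serialized against sockfs_setattr(), which is what makes the new sock->sk NULL check there reliable.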
diff --git a/debian/changelog b/debian/changelog index b61c693fe..4a23ffd45 100644 --- a/debian/changelog +++ b/debian/changelog @@ -18,6 +18,8 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() * socket: close race condition between sock_close() and sockfs_setattr() (CVE-2018-12232) + * [x86] virt: vbox: Only copy_from_user the request-header once + (CVE-2018-12633) [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch b/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch new file mode 100644 index 000000000..4f4db6fe2 --- /dev/null +++ b/debian/patches/bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch 
@@ -0,0 +1,43 @@ +From: Wenwen Wang +Date: Tue, 8 May 2018 08:50:28 -0500 +Subject: virt: vbox: Only copy_from_user the request-header once +Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633 + +In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from +the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the +'version', 'size_in', and 'size_out' fields of 'hdr' are verified. + +Before this commit, after the checks a buffer for the entire request would +be allocated and then all data including the verified header would be +copied from the userspace 'arg' pointer again. + +Given that the 'arg' pointer resides in userspace, a malicious userspace +process can race to change the data pointed to by 'arg' between the two +copies. By doing so, the user can bypass the verifications on the ioctl +argument. + +This commit fixes this by using the already checked copy of the header +to fill the header part of the allocated buffer and only copying the +remainder of the data from userspace. + +Signed-off-by: Wenwen Wang +Reviewed-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/vboxguest/vboxguest_linux.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/virt/vboxguest/vboxguest_linux.c ++++ b/drivers/virt/vboxguest/vboxguest_linux.c +@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct + if (!buf) + return -ENOMEM; + +- if (copy_from_user(buf, (void *)arg, hdr.size_in)) { ++ *((struct vbg_ioctl_hdr *)buf) = hdr; ++ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr), ++ hdr.size_in - sizeof(hdr))) { + ret = -EFAULT; + goto out; + } diff --git a/debian/patches/series b/debian/patches/series index d55902246..c1793b83e 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -130,6 +130,7 @@ bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch +bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch From 1ddc0915c9af98cd90ebc501aaed6010e5239041 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Mon, 25 Jun 2018 18:23:47 -0700 Subject: [PATCH 6/9] [arm64] Add device-tree to support Pinebook. --- debian/changelog | 3 + ...a64-Add-RTC-clock-to-phandle-32kHz-e.patch | 36 ++ ...s-allwinner-a64-add-R_I2C-controller.patch | 64 ++++ ...ts-allwinner-a64-Add-PWM-controllers.patch | 99 +++++ ...s-allwinner-add-support-for-Pinebook.patch | 344 ++++++++++++++++++ ...ner-a64-add-SRAM-controller-device-t.patch | 54 +++ debian/patches/series | 6 + 7 files changed, 606 insertions(+) create mode 100644 debian/patches/features/arm64/pinebook/0001-arm64-allwinner-a64-Add-RTC-clock-to-phandle-32kHz-e.patch create mode 100644 debian/patches/features/arm64/pinebook/0002-arm64-dts-allwinner-a64-add-R_I2C-controller.patch create mode 100644 debian/patches/features/arm64/pinebook/0003-arm64-dts-allwinner-a64-Add-PWM-controllers.patch create mode 100644 debian/patches/features/arm64/pinebook/0004-arm64-dts-allwinner-add-support-for-Pinebook.patch create mode 100644 debian/patches/features/arm64/pinebook/0005-arm64-dts-allwinner-a64-add-SRAM-controller-device-t.patch diff --git a/debian/changelog b/debian/changelog index 4a23ffd45..cf194c8bb 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -24,6 +24,9 @@ linux (4.17.2-1) UNRELEASED; urgency=medium [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) + [ Vagrant Cascadian ] + * [arm64] Add device-tree to support Pinebook. + -- Ben Hutchings Fri, 22 Jun 2018 17:34:37 +0100 linux (4.17.2-1~exp1) experimental; urgency=medium diff --git a/debian/patches/features/arm64/pinebook/0001-arm64-allwinner-a64-Add-RTC-clock-to-phandle-32kHz-e.patch b/debian/patches/features/arm64/pinebook/0001-arm64-allwinner-a64-Add-RTC-clock-to-phandle-32kHz-e.patch new file mode 100644 index 000000000..a6b692c71 --- /dev/null +++ b/debian/patches/features/arm64/pinebook/0001-arm64-allwinner-a64-Add-RTC-clock-to-phandle-32kHz-e.patch @@ -0,0 +1,36 @@ +From e1a9a4745fd5e6e61d57803659cd54fbe757a172 Mon Sep 17 00:00:00 2001 +From: Jagan Teki +Date: Fri, 1 Jun 2018 23:05:26 +0530 +Subject: [PATCH 1/5] arm64: allwinner: a64: Add RTC clock to phandle 32kHz + external oscillator + +Outside of SOC few chips need external clock source +through RTC example Wifi chip. So RTC clock nodes to +phandle 32kHz external oscillator. + +prefix rtc- with clock-output-names defined in +dt-binding to avoid confusion with existing osc32k name. + +Signed-off-by: Jagan Teki +Signed-off-by: Maxime Ripard +--- + arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +index 1b2ef28c42bd..82516aec4153 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +@@ -634,6 +634,9 @@ + reg = <0x01f00000 0x54>; + interrupts = , + ; ++ clock-output-names = "rtc-osc32k", "rtc-osc32k-out"; ++ clocks = <&osc32k>; ++ #clock-cells = <1>; + }; + + r_intc: interrupt-controller@1f00c00 { +-- +2.11.0 + 
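Review bot: in the drivers/virt/vboxguest/vboxguest_linux.c hunk of patch 5/9, the new length hdr.size_in - sizeof(hdr) wraps to a very large value if size_in is smaller than the header, and the check that rules this out is not in the hunk. The commit message says size_in is verified before the allocation; confirm that the verification includes a lower bound of sizeof(hdr), or add one next to this call. The casts (void *)arg in both the old and new lines also drop the __user annotation that copy_from_user() expects on its source pointer; (void __user *)arg would keep sparse quiet.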
diff --git a/debian/patches/features/arm64/pinebook/0002-arm64-dts-allwinner-a64-add-R_I2C-controller.patch b/debian/patches/features/arm64/pinebook/0002-arm64-dts-allwinner-a64-add-R_I2C-controller.patch new file mode 100644 index 000000000..4859af061 --- /dev/null +++ b/debian/patches/features/arm64/pinebook/0002-arm64-dts-allwinner-a64-add-R_I2C-controller.patch 
@@ -0,0 +1,64 @@ +From 871b5352125c49a2d5f31db69baede43e003a532 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Tue, 5 Jun 2018 22:17:00 -0700 +Subject: [PATCH 2/5] arm64: dts: allwinner: a64: add R_I2C controller + +Allwinner A64 has a I2C controller, which is in the R_ MMIO zone and has +two groups of pinmuxes on PL bank, so it's called R_I2C. + +Add support for this I2C controller and the pinmux which doesn't conflict +with RSB. + +Signed-off-by: Icenowy Zheng +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Maxime Ripard +--- + arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +index 82516aec4153..1b31a3aaed5a 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + / { + interrupt-parent = <&gic>; +@@ -658,6 +659,18 @@ + #reset-cells = <1>; + }; + ++ r_i2c: i2c@1f02400 { ++ compatible = "allwinner,sun50i-a64-i2c", ++ "allwinner,sun6i-a31-i2c"; ++ reg = <0x01f02400 0x400>; ++ interrupts = ; ++ clocks = <&r_ccu CLK_APB0_I2C>; ++ resets = <&r_ccu RST_APB0_I2C>; ++ status = "disabled"; ++ #address-cells = <1>; ++ #size-cells = <0>; ++ }; ++ + r_pio: pinctrl@1f02c00 { + compatible = "allwinner,sun50i-a64-r-pinctrl"; + reg = <0x01f02c00 0x400>; +@@ -669,6 +682,11 @@ + interrupt-controller; + #interrupt-cells = <3>; + ++ r_i2c_pins_a: i2c-a { ++ pins = "PL8", "PL9"; ++ function = "s_i2c"; ++ }; ++ + r_rsb_pins: rsb { + pins = "PL0", "PL1"; + function = "s_rsb"; +-- +2.11.0 + diff --git a/debian/patches/features/arm64/pinebook/0003-arm64-dts-allwinner-a64-Add-PWM-controllers.patch b/debian/patches/features/arm64/pinebook/0003-arm64-dts-allwinner-a64-Add-PWM-controllers.patch new file mode 100644 index 000000000..409cd89c6 --- /dev/null 
+++ b/debian/patches/features/arm64/pinebook/0003-arm64-dts-allwinner-a64-Add-PWM-controllers.patch 
@@ -0,0 +1,99 @@ +From b5df280bb16345875c0c1baf1db5607fde005395 Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Tue, 5 Jun 2018 22:17:01 -0700 +Subject: [PATCH 3/5] arm64: dts: allwinner: a64: Add PWM controllers + +The Allwinner A64 SoC features two PWM controllers, which are fully +compatible to the one used in the A13 and H3 chips. + +Add the nodes for the devices (one for the "normal" PWM, the other for +the one in the CPUS domain) and the pins their outputs are connected to. + +On the A64 the "normal" PWM is muxed together with one of the MDIO pins +used to communicate with the Ethernet PHY, so it won't be usable on many +boards. But the Pinebook laptop uses this pin for controlling the LCD +backlight. + +On Pine64 the CPUS PWM pin however is routed to the "RPi2" header, +at the same location as the PWM pin on the RaspberryPi. + +Tested on Pinebook and Teres-I + +[vasily: fixed comment message as requested by Stefan Bruens, added default + muxing options to pwm and r_pwm nodes] + +Signed-off-by: Andre Przywara +Signed-off-by: Vasily Khoruzhick +Tested-by: Harald Geyer +Signed-off-by: Maxime Ripard +--- + arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 32 +++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +index 1b31a3aaed5a..2777b2d02d77 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +@@ -365,6 +365,11 @@ + bias-pull-up; + }; + ++ pwm_pin: pwm_pin { ++ pins = "PD22"; ++ function = "pwm"; ++ }; ++ + rmii_pins: rmii_pins { + pins = "PD10", "PD11", "PD13", "PD14", "PD17", + "PD18", "PD19", "PD20", "PD22", "PD23"; +@@ -630,6 +635,17 @@ + #interrupt-cells = <3>; + }; + ++ pwm: pwm@1c21400 { ++ compatible = "allwinner,sun50i-a64-pwm", ++ "allwinner,sun5i-a13-pwm"; ++ reg = <0x01c21400 0x400>; ++ clocks = <&osc24M>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pwm_pin>; ++ 
#pwm-cells = <3>; ++ status = "disabled"; ++ }; ++ + rtc: rtc@1f00000 { + compatible = "allwinner,sun6i-a31-rtc"; + reg = <0x01f00000 0x54>; +@@ -671,6 +687,17 @@ + #size-cells = <0>; + }; + ++ r_pwm: pwm@1f03800 { ++ compatible = "allwinner,sun50i-a64-pwm", ++ "allwinner,sun5i-a13-pwm"; ++ reg = <0x01f03800 0x400>; ++ clocks = <&osc24M>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&r_pwm_pin>; ++ #pwm-cells = <3>; ++ status = "disabled"; ++ }; ++ + r_pio: pinctrl@1f02c00 { + compatible = "allwinner,sun50i-a64-r-pinctrl"; + reg = <0x01f02c00 0x400>; +@@ -687,6 +714,11 @@ + function = "s_i2c"; + }; + ++ r_pwm_pin: pwm { ++ pins = "PL10"; ++ function = "s_pwm"; ++ }; ++ + r_rsb_pins: rsb { + pins = "PL0", "PL1"; + function = "s_rsb"; +-- +2.11.0 + diff --git a/debian/patches/features/arm64/pinebook/0004-arm64-dts-allwinner-add-support-for-Pinebook.patch b/debian/patches/features/arm64/pinebook/0004-arm64-dts-allwinner-add-support-for-Pinebook.patch new file mode 100644 index 000000000..6140232d8 --- /dev/null +++ b/debian/patches/features/arm64/pinebook/0004-arm64-dts-allwinner-add-support-for-Pinebook.patch 
@@ -0,0 +1,344 @@ +From df35fbcfa3983c233f5fadaf8db18bfd10ac58b6 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Tue, 5 Jun 2018 22:17:02 -0700 +Subject: [PATCH 4/5] arm64: dts: allwinner: add support for Pinebook + +Pinebook is a A64-based laptop produced by Pine64, with the following +peripherals: + +USB: +- Two external USB ports (one is directly connected to A64's OTG +controller, the other is under a internal hub connected to the host-only +controller.) +- USB HID keyboard and touchpad connected to the internal hub. +- USB UVC camera connected to the internal hub. + +Power-related: +- A DC IN jack connected to AXP803's DCIN pin. +- A Li-Polymer battery connected to AXP803's battery pins. + +Storage: +- An eMMC by Foresee on the main board (in the product revision of the +main board it's designed to be switchable). +- An external MicroSD card slot. + +Display: +- An eDP LCD panel (1366x768) connected via an ANX6345 RGB-eDP bridge. +- A mini HDMI port. + +Misc: +- A Hall sensor designed to detect the status of lid, connected to GPIO PL12. +- A headphone jack connected to the SoC's internal codec. +- A debug UART port muxed with headphone jack. + +This commit adds basical support for it. 
+ +[vasily: squashed several commits into one, added simplefb node, added usbphy + to ehci0 and ohci0 nodes and other cosmetic changes to dts] + +Signed-off-by: Icenowy Zheng +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Maxime Ripard +--- + arch/arm64/boot/dts/allwinner/Makefile | 1 + + .../boot/dts/allwinner/sun50i-a64-pinebook.dts | 280 +++++++++++++++++++++ + 2 files changed, 281 insertions(+) + create mode 100644 arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts + +Index: linux-4.17.2/arch/arm64/boot/dts/allwinner/Makefile +=================================================================== +--- linux-4.17.2.orig/arch/arm64/boot/dts/allwinner/Makefile ++++ linux-4.17.2/arch/arm64/boot/dts/allwinner/Makefile +@@ -4,6 +4,7 @@ dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-n + dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-olinuxino.dtb + dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-orangepi-win.dtb + dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-pine64-plus.dtb sun50i-a64-pine64.dtb ++dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-pinebook.dtb + dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-sopine-baseboard.dtb + dtb-$(CONFIG_ARCH_SUNXI) += sun50i-a64-teres-i.dtb + dtb-$(CONFIG_ARCH_SUNXI) += sun50i-h5-orangepi-pc2.dtb +Index: linux-4.17.2/arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts +=================================================================== +--- /dev/null ++++ linux-4.17.2/arch/arm64/boot/dts/allwinner/sun50i-a64-pinebook.dts +@@ -0,0 +1,280 @@ ++// SPDX-License-Identifier: (GPL-2.0+ OR MIT) ++/* ++ * Copyright (C) 2017 Icenowy Zheng ++ * Copyright (C) 2018 Vasily Khoruzhick ++ * ++ */ ++ ++/dts-v1/; ++ ++#include "sun50i-a64.dtsi" ++ ++#include ++#include ++#include ++ ++/ { ++ model = "Pinebook"; ++ compatible = "pine64,pinebook", "allwinner,sun50i-a64"; ++ ++ aliases { ++ serial0 = &uart0; ++ ethernet0 = &rtl8723cs; ++ }; ++ ++ backlight: backlight { ++ compatible = "pwm-backlight"; ++ pwms = <&pwm 0 50000 0>; ++ brightness-levels = <0 5 10 15 20 30 40 55 70 85 100>; ++ 
default-brightness-level = <2>; ++ enable-gpios = <&pio 3 23 GPIO_ACTIVE_HIGH>; /* PD23 */ ++ }; ++ ++ chosen { ++ stdout-path = "serial0:115200n8"; ++ ++ framebuffer-lcd { ++ panel-supply = <®_dc1sw>; ++ dvdd25-supply = <®_dldo2>; ++ dvdd12-supply = <®_fldo1>; ++ }; ++ }; ++ ++ gpio_keys { ++ compatible = "gpio-keys"; ++ ++ lid_switch { ++ label = "Lid Switch"; ++ gpios = <&r_pio 0 12 GPIO_ACTIVE_LOW>; /* PL12 */ ++ linux,input-type = ; ++ linux,code = ; ++ linux,can-disable; ++ }; ++ }; ++ ++ reg_vcc3v3: vcc3v3 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc3v3"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ }; ++ ++ wifi_pwrseq: wifi_pwrseq { ++ compatible = "mmc-pwrseq-simple"; ++ reset-gpios = <&r_pio 0 2 GPIO_ACTIVE_LOW>; /* PL2 */ ++ }; ++}; ++ ++&ehci0 { ++ phys = <&usbphy 0>; ++ phy-names = "usb"; ++ status = "okay"; ++}; ++ ++&ehci1 { ++ status = "okay"; ++}; ++ ++&mmc0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc0_pins>; ++ vmmc-supply = <®_dcdc1>; ++ cd-gpios = <&pio 5 6 GPIO_ACTIVE_HIGH>; ++ cd-inverted; ++ disable-wp; ++ bus-width = <4>; ++ status = "okay"; ++}; ++ ++&mmc1 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc1_pins>; ++ vmmc-supply = <®_dldo4>; ++ vqmmc-supply = <®_eldo1>; ++ mmc-pwrseq = <&wifi_pwrseq>; ++ bus-width = <4>; ++ non-removable; ++ status = "okay"; ++ ++ rtl8723cs: wifi@1 { ++ reg = <1>; ++ }; ++}; ++ ++&mmc2 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc2_pins>; ++ vmmc-supply = <®_dcdc1>; ++ vqmmc-supply = <®_eldo1>; ++ bus-width = <8>; ++ non-removable; ++ cap-mmc-hw-reset; ++ mmc-hs200-1_8v; ++ status = "okay"; ++}; ++ ++&ohci0 { ++ phys = <&usbphy 0>; ++ phy-names = "usb"; ++ status = "okay"; ++}; ++ ++&ohci1 { ++ status = "okay"; ++}; ++ ++&pwm { ++ status = "okay"; ++}; ++ ++&r_rsb { ++ status = "okay"; ++ ++ axp803: pmic@3a3 { ++ compatible = "x-powers,axp803"; ++ reg = <0x3a3>; ++ interrupt-parent = <&r_intc>; ++ interrupts = <0 IRQ_TYPE_LEVEL_LOW>; 
++ }; ++}; ++ ++/* The ANX6345 eDP-bridge is on r_i2c */ ++&r_i2c { ++ clock-frequency = <100000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&r_i2c_pins_a>; ++ status = "okay"; ++}; ++ ++#include "axp803.dtsi" ++ ++®_aldo1 { ++ regulator-min-microvolt = <2800000>; ++ regulator-max-microvolt = <2800000>; ++ regulator-name = "vcc-csi"; ++}; ++ ++®_aldo2 { ++ regulator-always-on; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-pl"; ++}; ++ ++®_aldo3 { ++ regulator-always-on; ++ regulator-min-microvolt = <2700000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-pll-avcc"; ++}; ++ ++®_dc1sw { ++ regulator-name = "vcc-lcd"; ++}; ++ ++®_dcdc1 { ++ regulator-always-on; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-3v3"; ++}; ++ ++®_dcdc2 { ++ regulator-always-on; ++ regulator-min-microvolt = <1000000>; ++ regulator-max-microvolt = <1300000>; ++ regulator-name = "vdd-cpux"; ++}; ++ ++/* DCDC3 is polyphased with DCDC2 */ ++ ++®_dcdc5 { ++ regulator-always-on; ++ regulator-min-microvolt = <1200000>; ++ regulator-max-microvolt = <1200000>; ++ regulator-name = "vcc-dram"; ++}; ++ ++®_dcdc6 { ++ regulator-always-on; ++ regulator-min-microvolt = <1100000>; ++ regulator-max-microvolt = <1100000>; ++ regulator-name = "vdd-sys"; ++}; ++ ++®_dldo1 { ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-hdmi"; ++}; ++ ++®_dldo2 { ++ regulator-min-microvolt = <2500000>; ++ regulator-max-microvolt = <2500000>; ++ regulator-name = "vcc-edp"; ++}; ++ ++®_dldo3 { ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "avdd-csi"; ++}; ++ ++®_dldo4 { ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-wifi"; ++}; ++ ++®_eldo1 { ++ regulator-always-on; ++ regulator-min-microvolt = <1800000>; ++ 
regulator-max-microvolt = <1800000>; ++ regulator-name = "cpvdd"; ++}; ++ ++®_eldo3 { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-name = "vdd-1v8-csi"; ++}; ++ ++®_fldo1 { ++ regulator-min-microvolt = <1200000>; ++ regulator-max-microvolt = <1200000>; ++ regulator-name = "vcc-1v2-hsic"; ++}; ++ ++®_fldo2 { ++ regulator-always-on; ++ regulator-min-microvolt = <1100000>; ++ regulator-max-microvolt = <1100000>; ++ regulator-name = "vdd-cpus"; ++}; ++ ++®_ldo_io0 { ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-usb"; ++ status = "okay"; ++}; ++ ++®_rtc_ldo { ++ regulator-name = "vcc-rtc"; ++}; ++ ++&uart0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart0_pins_a>; ++ status = "okay"; ++}; ++ ++&usb_otg { ++ dr_mode = "host"; ++}; ++ ++&usbphy { ++ usb0_vbus-supply = <®_ldo_io0>; ++ usb1_vbus-supply = <®_ldo_io0>; ++ status = "okay"; ++}; diff --git a/debian/patches/features/arm64/pinebook/0005-arm64-dts-allwinner-a64-add-SRAM-controller-device-t.patch b/debian/patches/features/arm64/pinebook/0005-arm64-dts-allwinner-a64-add-SRAM-controller-device-t.patch new file mode 100644 index 000000000..9b3020af7 --- /dev/null +++ b/debian/patches/features/arm64/pinebook/0005-arm64-dts-allwinner-a64-add-SRAM-controller-device-t.patch 
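Review bot: in the &mmc0 node of sun50i-a64-pinebook.dts the card-detect polarity is expressed twice, as cd-gpios = <&pio 5 6 GPIO_ACTIVE_HIGH> plus cd-inverted. State it once by using GPIO_ACTIVE_LOW in the specifier and dropping cd-inverted, so the GPIO flag alone tells the reader the line is active low. Separately, stdout-path = "serial0:115200n8" together with &uart0 set to "okay" puts the kernel console on the UART that the commit message says is muxed with the headphone jack. A line in the commit message or changelog saying that the console is reachable on an external connector would let whoever builds images for this board decide deliberately whether a login prompt should run there.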
@@ -0,0 +1,54 @@ +From 1f1f5183981d70bf0950f8467772851a05eb9148 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Wed, 11 Apr 2018 22:16:41 +0800 +Subject: [PATCH 5/5] arm64: dts: allwinner: a64: add SRAM controller device + tree node + +Allwinner A64 has a SRAM controller, and in the device tree currently +we have a syscon node to enable EMAC driver to access the EMAC clock +register. As SRAM controller driver can now export regmap for this +register, replace the syscon node to the SRAM controller device node, +and let EMAC driver to acquire its EMAC clock regmap. + +Signed-off-by: Icenowy Zheng +[wens@csie.org: Updated compatible string] +Acked-by: Maxime Ripard +Signed-off-by: Chen-Yu Tsai +--- + arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +index 2777b2d02d77..ff2ddde1e117 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +@@ -170,9 +170,24 @@ + ranges; + + syscon: syscon@1c00000 { +- compatible = "allwinner,sun50i-a64-system-controller", +- "syscon"; ++ compatible = "allwinner,sun50i-a64-system-control"; + reg = <0x01c00000 0x1000>; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ ranges; ++ ++ sram_c: sram@18000 { ++ compatible = "mmio-sram"; ++ reg = <0x00018000 0x28000>; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ ranges = <0 0x00018000 0x28000>; ++ ++ de2_sram: sram-section@0 { ++ compatible = "allwinner,sun50i-a64-sram-c"; ++ reg = <0x0000 0x28000>; ++ }; ++ }; + }; + + dma: dma-controller@1c02000 { +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index c1793b83e..8951afe46 100644 --- a/debian/patches/series +++ b/debian/patches/series 
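Review bot: the syscon@1c00000 hunk in sun50i-a64.dtsi removes the "syscon" compatible and changes the remaining string to "allwinner,sun50i-a64-system-control", which only works if the kernel this is applied to already has an SRAM controller driver that binds to that string and exports the EMAC clock regmap the commit message relies on. This is the SoC-level dtsi, so a mismatch could affect the EMAC on every A64 board that includes it, not only the Pinebook. Please name the driver-side changes this depends on in the patch header and confirm they are present in the target tree. The header also carries no Origin: field, so the hash on the leading From line is the only provenance given.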
@@ -75,6 +75,12 @@ features/x86/x86-make-x32-syscall-support-conditional.patch # Add support for Raspberry PI 3b+ features/armhf/ARM-dts-bcm2837-Add-Raspberry-Pi-3-B.patch features/arm64/arm64-dts-broadcom-Add-reference-to-Raspberry-Pi-3-B.patch +# Add device-tree for Pinebook from linux next-20180625 +features/arm64/pinebook/0001-arm64-allwinner-a64-Add-RTC-clock-to-phandle-32kHz-e.patch +features/arm64/pinebook/0002-arm64-dts-allwinner-a64-add-R_I2C-controller.patch +features/arm64/pinebook/0003-arm64-dts-allwinner-a64-Add-PWM-controllers.patch +features/arm64/pinebook/0004-arm64-dts-allwinner-add-support-for-Pinebook.patch +features/arm64/pinebook/0005-arm64-dts-allwinner-a64-add-SRAM-controller-device-t.patch # Miscellaneous bug fixes bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch From c9c765a055b250b544fe1d9fa76fb8f44ab1c565 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 26 Jun 2018 01:20:45 +0100 Subject: [PATCH 7/9] [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules --- debian/changelog | 1 + debian/config/kernelarch-x86/config | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index cf194c8bb..6ceae5e39 100644 --- a/debian/changelog +++ b/debian/changelog @@ -20,6 +20,7 @@ linux (4.17.2-1) UNRELEASED; urgency=medium (CVE-2018-12232) * [x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633) + * [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config index cb74577c7..14b9bc9e6 100644 --- a/debian/config/kernelarch-x86/config +++ b/debian/config/kernelarch-x86/config @@ -1648,6 +1648,11 @@ CONFIG_RTL8723BS=m ## CONFIG_RTS5208=m +## +## file: drivers/staging/vboxvideo/Kconfig +## +CONFIG_DRM_VBOXVIDEO=m + ## ## file: drivers/staging/vt6656/Kconfig ## 
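Review bot: CONFIG_DRM_VBOXVIDEO=m is added under the "file: drivers/staging/vboxvideo/Kconfig" heading, so this hunk turns on a staging driver in the x86 config, and neither the subject line nor the new changelog entry says why or references a bug. Suggest stating in the changelog entry that vboxvideo is a staging driver and giving the motivation, with a Closes: reference if there was a request. The changelog context lines show the vboxguest fix for CVE-2018-12633 in the same upload; that patch should stay in the series for as long as VBOXGUEST is built.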
@@ -1830,6 +1835,11 @@ CONFIG_FB_HYPERV=m ## # CONFIG_FB_GEODE is not set +## +## file: drivers/virt/vboxguest/Kconfig +## +CONFIG_VBOXGUEST=m + ## ## file: drivers/watchdog/Kconfig ## From 544f15ac7230efe7ee4d3b72712837bf191a062b Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 26 Jun 2018 02:04:01 +0100 Subject: [PATCH 8/9] aufs: Update support patchset to aufs4.x-rcN-20180611 --- debian/changelog | 1 + .../features/all/aufs4/aufs4-base.patch | 48 +++---- .../features/all/aufs4/aufs4-mmap.patch | 73 ++++++---- .../features/all/aufs4/aufs4-standalone.patch | 126 ++++++++++++------ 4 files changed, 159 insertions(+), 89 deletions(-) diff --git a/debian/changelog b/debian/changelog index 6ceae5e39..392ff606b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -21,6 +21,7 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * [x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633) * [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules + * aufs: Update support patchset to aufs4.x-rcN-20180611 [ Romain Perier ] * [x86] Enable DCN 1.0 Raven family (Closes #901349) diff --git a/debian/patches/features/all/aufs4/aufs4-base.patch b/debian/patches/features/all/aufs4/aufs4-base.patch index d340976fe..3daef1a0a 100644 --- a/debian/patches/features/all/aufs4/aufs4-base.patch +++ b/debian/patches/features/all/aufs4/aufs4-base.patch @@ -1,19 +1,19 @@ From: J. R. Okajima -Date: Tue Apr 3 14:43:11 2018 +0900 -Subject: aufs4.16 base patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/8ed212d3987b8aed42d89dd0137bd44bad4a0a6c +Date: Wed Jun 6 14:11:07 2018 +0900 +Subject: aufs4.x-rcN base patch +Origin: https://github.com/sfjro/aufs4-standalone/tree/ed41e3660da6cb1b70e5adfa294f6dbc03bf6fb7 Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch SPDX-License-Identifier: GPL-2.0 -aufs4.16 base patch +aufs4.x-rcN base patch 
diff --git a/MAINTAINERS b/MAINTAINERS -index 6e950b8..7324ece 100644 +index 9c125f7..4616bbf 100644 --- a/MAINTAINERS +++ b/MAINTAINERS -@@ -2485,6 +2485,19 @@ F: include/linux/audit.h +@@ -2519,6 +2519,19 @@ F: include/linux/audit.h F: include/uapi/linux/audit.h F: kernel/audit* @@ -34,10 +34,10 @@ index 6e950b8..7324ece 100644 M: Miguel Ojeda Sandonis W: http://miguelojeda.es/auxdisplay.htm diff --git a/drivers/block/loop.c b/drivers/block/loop.c -index ee62d2d..4ca6361 100644 +index 55cf554..bc965e5 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c -@@ -691,6 +691,24 @@ static inline int is_loop_device(struct file *file) +@@ -713,6 +713,24 @@ static inline int is_loop_device(struct file *file) return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR; } @@ -63,10 +63,10 @@ index ee62d2d..4ca6361 100644 static ssize_t loop_attr_show(struct device *dev, char *page, diff --git a/fs/dcache.c b/fs/dcache.c -index 8945e6c..87c19c0 100644 +index 2acfc69..ff338e2 100644 --- a/fs/dcache.c +++ b/fs/dcache.c -@@ -1205,7 +1205,7 @@ enum d_walk_ret { +@@ -1234,7 +1234,7 @@ enum d_walk_ret { * * The @enter() and @finish() callbacks are called with d_lock held. */ @@ -76,7 +76,7 @@ index 8945e6c..87c19c0 100644 void (*finish)(void *)) { diff --git a/fs/fcntl.c b/fs/fcntl.c -index 1e97f1f..8cd01f7 100644 +index d737ff0..7550799 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -32,7 +32,7 @@ @@ -98,10 +98,10 @@ index 1e97f1f..8cd01f7 100644 return error; diff --git a/fs/inode.c b/fs/inode.c -index ef36236..929a5a3 100644 +index 3b55391..e0c5255 100644 --- a/fs/inode.c +++ b/fs/inode.c -@@ -1659,7 +1659,7 @@ EXPORT_SYMBOL(generic_update_time); +@@ -1663,7 +1663,7 @@ EXPORT_SYMBOL(generic_update_time); * This does the actual work of updating an inodes time or version. Must have * had called mnt_want_write() before calling this. */ @@ -111,7 +111,7 @@ index ef36236..929a5a3 100644 int (*update_time)(struct inode *, struct timespec *, int); 
diff --git a/fs/namespace.c b/fs/namespace.c -index 9d1374a..26ef600 100644 +index 5f75969..61129ff 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -846,6 +846,12 @@ static inline int check_mnt(struct mount *mnt) @@ -128,10 +128,10 @@ index 9d1374a..26ef600 100644 * vfsmount lock must be held for write */ diff --git a/fs/read_write.c b/fs/read_write.c -index f8547b8..0a5c47b 100644 +index c4eabbf..ddd6e67 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -484,6 +484,28 @@ ssize_t __vfs_write(struct file *file, const char __user *p, size_t count, +@@ -489,6 +489,28 @@ ssize_t __vfs_write(struct file *file, const char __user *p, size_t count, return -EINVAL; } @@ -161,7 +161,7 @@ index f8547b8..0a5c47b 100644 { mm_segment_t old_fs; diff --git a/fs/splice.c b/fs/splice.c -index 39e2dc0..c5fb195 100644 +index 005d09c..f617ab0 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -837,8 +837,8 @@ EXPORT_SYMBOL(generic_splice_sendpage); @@ -189,7 +189,7 @@ index 39e2dc0..c5fb195 100644 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); diff --git a/fs/sync.c b/fs/sync.c -index 6e0a2cb..a6891ee 100644 +index b54e054..2860782 100644 --- a/fs/sync.c +++ b/fs/sync.c @@ -28,7 +28,7 @@ @@ -214,7 +214,7 @@ index 279720d..76e38ea 100644 static inline void fput_light(struct file *file, int fput_needed) { diff --git a/include/linux/fs.h b/include/linux/fs.h -index c6baf76..71dc695 100644 +index 760d8da..09a2542 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1270,6 +1270,7 @@ extern void fasync_free(struct fasync_struct *); 
@@ -225,7 +225,7 @@ index c6baf76..71dc695 100644 extern void __f_setown(struct file *filp, struct pid *, enum pid_type, int force); extern int f_setown(struct file *filp, unsigned long arg, int force); extern void f_delown(struct file *filp); -@@ -1722,6 +1723,7 @@ struct file_operations { +@@ -1724,6 +1725,7 @@ struct file_operations { ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int); unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); int (*check_flags)(int); @@ -233,7 +233,7 @@ index c6baf76..71dc695 100644 int (*flock) (struct file *, int, struct file_lock *); ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int); ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int); -@@ -1792,6 +1794,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector, +@@ -1794,6 +1796,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector, struct iovec *fast_pointer, struct iovec **ret_pointer); @@ -246,7 +246,7 @@ index c6baf76..71dc695 100644 extern ssize_t __vfs_read(struct file *, char __user *, size_t, loff_t *); extern ssize_t vfs_read(struct file *, char __user *, size_t, loff_t *); extern ssize_t vfs_write(struct file *, const char __user *, size_t, loff_t *); -@@ -2196,6 +2204,7 @@ extern int current_umask(void); +@@ -2199,6 +2207,7 @@ extern int current_umask(void); extern void ihold(struct inode * inode); extern void iput(struct inode *); extern int generic_update_time(struct inode *, struct timespec *, int); @@ -254,7 +254,7 @@ index c6baf76..71dc695 100644 /* /sys/fs */ extern struct kobject *fs_kobj; -@@ -2476,6 +2485,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb) +@@ -2485,6 +2494,7 @@ static inline bool sb_is_blkdev_sb(struct super_block *sb) return false; } #endif 
@@ -318,7 +318,7 @@ index 74b4911..19789fb 100644 + unsigned int flags); #endif diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c -index 89b5f83..0dca42f 100644 +index 0233863..06e0d7a 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c @@ -140,7 +140,7 @@ static struct lock_list list_entries[MAX_LOCKDEP_ENTRIES]; diff --git a/debian/patches/features/all/aufs4/aufs4-mmap.patch b/debian/patches/features/all/aufs4/aufs4-mmap.patch index 13d56b9bb..21f1020e8 100644 --- a/debian/patches/features/all/aufs4/aufs4-mmap.patch +++ b/debian/patches/features/all/aufs4/aufs4-mmap.patch @@ -1,17 +1,19 @@ From: J. R. Okajima -Date: Tue Apr 3 14:43:11 2018 +0900 -Subject: aufs4.16 mmap patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/8ed212d3987b8aed42d89dd0137bd44bad4a0a6c +Date: Wed Jun 6 14:11:07 2018 +0900 +Subject: aufs4.x-rcN mmap patch +Origin: https://github.com/sfjro/aufs4-standalone/tree/ed41e3660da6cb1b70e5adfa294f6dbc03bf6fb7 Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch SPDX-License-Identifier: GPL-2.0 -aufs4.16 mmap patch +aufs4.x-rcN mmap patch +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 1a76d75..77f698e 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c -@@ -2018,7 +2018,7 @@ static int map_files_get_link(struct den +@@ -2024,7 +2024,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) down_read(&mm->mmap_sem); vma = find_exact_vma(mm, vm_start, vm_end); if (vma && vma->vm_file) { @@ -20,9 +22,11 @@ aufs4.16 mmap patch path_get(path); rc = 0; } +diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c +index 7563437..7c0dc0f 100644 --- a/fs/proc/nommu.c +++ b/fs/proc/nommu.c -@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_ +@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region) file = region->vm_file; if (file) { 
@@ -34,9 +38,11 @@ aufs4.16 mmap patch dev = inode->i_sb->s_dev; ino = inode->i_ino; } +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index c486ad4..76b71f8 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -305,7 +305,10 @@ show_map_vma(struct seq_file *m, struct +@@ -305,7 +305,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) const char *name = NULL; if (file) { @@ -48,7 +54,7 @@ aufs4.16 mmap patch dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; -@@ -1722,7 +1725,7 @@ static int show_numa_map(struct seq_file +@@ -1726,7 +1729,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) struct proc_maps_private *proc_priv = &numa_priv->proc_maps; struct vm_area_struct *vma = v; struct numa_maps *md = &numa_priv->md; @@ -57,9 +63,11 @@ aufs4.16 mmap patch struct mm_struct *mm = vma->vm_mm; struct mm_walk walk = { .hugetlb_entry = gather_hugetlb_stats, +diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c +index 5b62f57..dfb4a3b 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c -@@ -156,7 +156,10 @@ static int nommu_vma_show(struct seq_fil +@@ -156,7 +156,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma, file = vma->vm_file; if (file) { @@ -71,9 +79,11 @@ aufs4.16 mmap patch dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT; +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 02a616e..01b3bb9 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -1380,6 +1380,28 @@ static inline void unmap_shared_mapping_ +@@ -1380,6 +1380,28 @@ static inline void unmap_shared_mapping_range(struct address_space *mapping, unmap_mapping_range(mapping, holebegin, holelen, 0); } 
@@ -102,6 +112,8 @@ aufs4.16 mmap patch extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, unsigned int gup_flags); extern int access_remote_vm(struct mm_struct *mm, unsigned long addr, +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index 2161234..78aa367 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -251,6 +251,7 @@ struct vm_region { @@ -120,9 +132,11 @@ aufs4.16 mmap patch void * vm_private_data; /* was vm_pte (shared mem) */ atomic_long_t swap_readahead_info; +diff --git a/kernel/fork.c b/kernel/fork.c +index a5d21c4..e965e09 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -474,7 +474,7 @@ static __latent_entropy int dup_mmap(str +@@ -473,7 +473,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, struct inode *inode = file_inode(file); struct address_space *mapping = file->f_mapping; @@ -131,9 +145,11 @@ aufs4.16 mmap patch if (tmp->vm_flags & VM_DENYWRITE) atomic_dec(&inode->i_writecount); i_mmap_lock_write(mapping); +diff --git a/mm/Makefile b/mm/Makefile +index b4e54a9a..77892ae 100644 --- a/mm/Makefile +++ b/mm/Makefile -@@ -39,7 +39,7 @@ obj-y := filemap.o mempool.o oom_kill. +@@ -39,7 +39,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ mm_init.o mmu_context.o percpu.o slab_common.o \ compaction.o vmacache.o \ interval_tree.o list_lru.o workingset.o \ @@ -142,9 +158,11 @@ aufs4.16 mmap patch obj-y += init-mm.o +diff --git a/mm/filemap.c b/mm/filemap.c +index 0604cb0..45d2369 100644 --- a/mm/filemap.c +++ b/mm/filemap.c -@@ -2701,7 +2701,7 @@ int filemap_page_mkwrite(struct vm_fault +@@ -2700,7 +2700,7 @@ int filemap_page_mkwrite(struct vm_fault *vmf) int ret = VM_FAULT_LOCKED; sb_start_pagefault(inode->i_sb); @@ -153,9 +171,11 @@ aufs4.16 mmap patch lock_page(page); if (page->mapping != inode->i_mapping) { unlock_page(page); +diff --git a/mm/mmap.c b/mm/mmap.c +index fc41c05..e376869 100644 --- a/mm/mmap.c 
+++ b/mm/mmap.c -@@ -171,7 +171,7 @@ static struct vm_area_struct *remove_vma +@@ -180,7 +180,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) @@ -164,7 +184,7 @@ aufs4.16 mmap patch mpol_put(vma_policy(vma)); kmem_cache_free(vm_area_cachep, vma); return next; -@@ -896,7 +896,7 @@ again: +@@ -905,7 +905,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, if (remove_next) { if (file) { uprobe_munmap(next, next->vm_start, next->vm_end); @@ -173,7 +193,7 @@ aufs4.16 mmap patch } if (next->anon_vma) anon_vma_merge(vma, next); -@@ -1779,8 +1779,8 @@ out: +@@ -1820,8 +1820,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return addr; unmap_and_free_vma: @@ -183,7 +203,7 @@ aufs4.16 mmap patch /* Undo any partial mapping done by a device driver. */ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); -@@ -2604,7 +2604,7 @@ int __split_vma(struct mm_struct *mm, st +@@ -2645,7 +2645,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, goto out_free_mpol; if (new->vm_file) @@ -192,7 +212,7 @@ aufs4.16 mmap patch if (new->vm_ops && new->vm_ops->open) new->vm_ops->open(new); -@@ -2623,7 +2623,7 @@ int __split_vma(struct mm_struct *mm, st +@@ -2664,7 +2664,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, if (new->vm_ops && new->vm_ops->close) new->vm_ops->close(new); if (new->vm_file) @@ -201,7 +221,7 @@ aufs4.16 mmap patch unlink_anon_vmas(new); out_free_mpol: mpol_put(vma_policy(new)); -@@ -2785,7 +2785,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign +@@ -2826,7 +2826,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, struct vm_area_struct *vma; unsigned long populate = 0; unsigned long ret = -EINVAL; 
@@ -210,7 +230,7 @@ aufs4.16 mmap patch pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.\n", current->comm, current->pid); -@@ -2860,10 +2860,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsign +@@ -2901,10 +2901,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, } } @@ -239,7 +259,7 @@ aufs4.16 mmap patch out: up_write(&mm->mmap_sem); if (populate) -@@ -3171,7 +3188,7 @@ struct vm_area_struct *copy_vma(struct v +@@ -3220,7 +3237,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, if (anon_vma_clone(new_vma, vma)) goto out_free_mempol; if (new_vma->vm_file) @@ -248,9 +268,11 @@ aufs4.16 mmap patch if (new_vma->vm_ops && new_vma->vm_ops->open) new_vma->vm_ops->open(new_vma); vma_link(mm, new_vma, prev, rb_link, rb_parent); +diff --git a/mm/nommu.c b/mm/nommu.c +index 1372373..6362dde 100644 --- a/mm/nommu.c +++ b/mm/nommu.c -@@ -629,7 +629,7 @@ static void __put_nommu_region(struct vm +@@ -629,7 +629,7 @@ static void __put_nommu_region(struct vm_region *region) up_write(&nommu_region_sem); if (region->vm_file) @@ -259,7 +281,7 @@ aufs4.16 mmap patch /* IO memory and memory shared directly out of the pagecache * from ramfs/tmpfs mustn't be released here */ -@@ -767,7 +767,7 @@ static void delete_vma(struct mm_struct +@@ -767,7 +767,7 @@ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) @@ -277,7 +299,7 @@ aufs4.16 mmap patch kmem_cache_free(vm_region_jar, region); region = pregion; result = start; -@@ -1364,10 +1364,10 @@ error_just_free: +@@ -1364,10 +1364,10 @@ unsigned long do_mmap(struct file *file, up_write(&nommu_region_sem); error: if (region->vm_file) @@ -290,6 +312,9 @@ aufs4.16 mmap patch kmem_cache_free(vm_area_cachep, vma); return ret; +diff --git a/mm/prfile.c b/mm/prfile.c +new file mode 100644 +index 0000000..14efc4f --- /dev/null +++ b/mm/prfile.c 
@@ -0,0 +1,86 @@ diff --git a/debian/patches/features/all/aufs4/aufs4-standalone.patch b/debian/patches/features/all/aufs4/aufs4-standalone.patch index 81ecae439..cb8b4c389 100644 --- a/debian/patches/features/all/aufs4/aufs4-standalone.patch +++ b/debian/patches/features/all/aufs4/aufs4-standalone.patch @@ -1,17 +1,19 @@ From: J. R. Okajima -Date: Tue Apr 3 14:43:11 2018 +0900 -Subject: aufs4.16 standalone patch -Origin: https://github.com/sfjro/aufs4-standalone/tree/8ed212d3987b8aed42d89dd0137bd44bad4a0a6c +Date: Wed Jun 6 14:11:07 2018 +0900 +Subject: aufs4.x-rcN standalone patch +Origin: https://github.com/sfjro/aufs4-standalone/tree/ed41e3660da6cb1b70e5adfa294f6dbc03bf6fb7 Bug-Debian: https://bugs.debian.org/541828 Patch headers added by debian/patches/features/all/aufs4/gen-patch SPDX-License-Identifier: GPL-2.0 -aufs4.16 standalone patch +aufs4.x-rcN standalone patch +diff --git a/fs/dcache.c b/fs/dcache.c +index ff338e2..3e2bae8 100644 --- a/fs/dcache.c +++ b/fs/dcache.c -@@ -1342,6 +1342,7 @@ rename_retry: +@@ -1342,6 +1342,7 @@ void d_walk(struct dentry *parent, void *data, seq = 1; goto again; } @@ -19,7 +21,7 @@ aufs4.16 standalone patch struct check_mount { struct vfsmount *mnt; -@@ -2920,6 +2921,7 @@ void d_exchange(struct dentry *dentry1, +@@ -2942,6 +2943,7 @@ void d_exchange(struct dentry *dentry1, struct dentry *dentry2) write_sequnlock(&rename_lock); } @@ -27,9 +29,11 @@ aufs4.16 standalone patch /** * d_ancestor - search for an ancestor +diff --git a/fs/exec.c b/fs/exec.c +index 183059c..35adee4 100644 --- a/fs/exec.c +++ b/fs/exec.c -@@ -109,6 +109,7 @@ bool path_noexec(const struct path *path +@@ -109,6 +109,7 @@ bool path_noexec(const struct path *path) return (path->mnt->mnt_flags & MNT_NOEXEC) || (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC); } @@ -37,9 +41,11 @@ aufs4.16 standalone patch #ifdef CONFIG_USELIB /* +diff --git a/fs/fcntl.c b/fs/fcntl.c +index 7550799..d403576 100644 --- a/fs/fcntl.c 
+++ b/fs/fcntl.c -@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, un +@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, unsigned long arg) out: return error; } @@ -47,9 +53,11 @@ aufs4.16 standalone patch static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, int force) +diff --git a/fs/file_table.c b/fs/file_table.c +index 7ec0b3e..819ee07 100644 --- a/fs/file_table.c +++ b/fs/file_table.c -@@ -147,6 +147,7 @@ over: +@@ -147,6 +147,7 @@ struct file *get_empty_filp(void) } return ERR_PTR(-ENFILE); } @@ -81,9 +89,11 @@ aufs4.16 standalone patch void __init files_init(void) { +diff --git a/fs/inode.c b/fs/inode.c +index e0c5255..ff36056 100644 --- a/fs/inode.c +++ b/fs/inode.c -@@ -1671,6 +1671,7 @@ int update_time(struct inode *inode, str +@@ -1672,6 +1672,7 @@ int update_time(struct inode *inode, struct timespec *time, int flags) return update_time(inode, time, flags); } @@ -91,9 +101,11 @@ aufs4.16 standalone patch /** * touch_atime - update the access time +diff --git a/fs/namespace.c b/fs/namespace.c +index 61129ff..5d3e0382 100644 --- a/fs/namespace.c +++ b/fs/namespace.c -@@ -517,6 +517,7 @@ void __mnt_drop_write(struct vfsmount *m +@@ -517,6 +517,7 @@ void __mnt_drop_write(struct vfsmount *mnt) mnt_dec_writers(real_mount(mnt)); preempt_enable(); } @@ -101,7 +113,7 @@ aufs4.16 standalone patch /** * mnt_drop_write - give up write access to a mount -@@ -851,6 +852,7 @@ int is_current_mnt_ns(struct vfsmount *m +@@ -851,6 +852,7 @@ int is_current_mnt_ns(struct vfsmount *mnt) { return check_mnt(real_mount(mnt)); } @@ -109,7 +121,7 @@ aufs4.16 standalone patch /* * vfsmount lock must be held for write -@@ -1892,6 +1894,7 @@ int iterate_mounts(int (*f)(struct vfsmo +@@ -1893,6 +1895,7 @@ int iterate_mounts(int (*f)(struct vfsmount *, void *), void *arg, } return 0; } 
@@ -117,6 +129,8 @@ aufs4.16 standalone patch static void cleanup_group_ids(struct mount *mnt, struct mount *end) { +diff --git a/fs/notify/group.c b/fs/notify/group.c +index b7a4b6a..5a69d60 100644 --- a/fs/notify/group.c +++ b/fs/notify/group.c @@ -22,6 +22,7 @@ @@ -127,7 +141,7 @@ aufs4.16 standalone patch #include #include "fsnotify.h" -@@ -109,6 +110,7 @@ void fsnotify_get_group(struct fsnotify_ +@@ -109,6 +110,7 @@ void fsnotify_get_group(struct fsnotify_group *group) { refcount_inc(&group->refcnt); } @@ -135,7 +149,7 @@ aufs4.16 standalone patch /* * Drop a reference to a group. Free it if it's through. -@@ -118,6 +120,7 @@ void fsnotify_put_group(struct fsnotify_ +@@ -118,6 +120,7 @@ void fsnotify_put_group(struct fsnotify_group *group) if (refcount_dec_and_test(&group->refcnt)) fsnotify_final_destroy_group(group); } @@ -143,7 +157,7 @@ aufs4.16 standalone patch /* * Create a new fsnotify_group and hold a reference for the group returned. -@@ -147,6 +150,7 @@ struct fsnotify_group *fsnotify_alloc_gr +@@ -147,6 +150,7 @@ struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *ops) return group; } @@ -151,9 +165,11 @@ aufs4.16 standalone patch int fsnotify_fasync(int fd, struct file *file, int on) { +diff --git a/fs/notify/mark.c b/fs/notify/mark.c +index e9191b4..1f8ccfa 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c -@@ -108,6 +108,7 @@ void fsnotify_get_mark(struct fsnotify_m +@@ -108,6 +108,7 @@ void fsnotify_get_mark(struct fsnotify_mark *mark) WARN_ON_ONCE(!refcount_read(&mark->refcnt)); refcount_inc(&mark->refcnt); } @@ -161,7 +177,7 @@ aufs4.16 standalone patch static void __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) { -@@ -392,6 +393,7 @@ void fsnotify_destroy_mark(struct fsnoti +@@ -392,6 +393,7 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark, mutex_unlock(&group->mark_mutex); fsnotify_free_mark(mark); } 
@@ -169,7 +185,7 @@ aufs4.16 standalone patch /* * Sorting function for lists of fsnotify marks. -@@ -606,6 +608,7 @@ err: +@@ -606,6 +608,7 @@ int fsnotify_add_mark_locked(struct fsnotify_mark *mark, struct inode *inode, fsnotify_put_mark(mark); return ret; } @@ -177,7 +193,7 @@ aufs4.16 standalone patch int fsnotify_add_mark(struct fsnotify_mark *mark, struct inode *inode, struct vfsmount *mnt, int allow_dups) -@@ -741,6 +744,7 @@ void fsnotify_init_mark(struct fsnotify_ +@@ -741,6 +744,7 @@ void fsnotify_init_mark(struct fsnotify_mark *mark, fsnotify_get_group(group); mark->group = group; } @@ -185,9 +201,11 @@ aufs4.16 standalone patch /* * Destroy all marks in destroy_list, waits for SRCU period to finish before +diff --git a/fs/open.c b/fs/open.c +index d0e955b..527bc1a 100644 --- a/fs/open.c +++ b/fs/open.c -@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, l +@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, inode_unlock(dentry->d_inode); return ret; } @@ -195,9 +213,19 @@ aufs4.16 standalone patch long vfs_truncate(const struct path *path, loff_t length) { +@@ -723,6 +724,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group) + { + return ksys_fchown(fd, user, group); + } ++EXPORT_SYMBOL_GPL(open_check_o_direct); + + int open_check_o_direct(struct file *f) + { +diff --git a/fs/read_write.c b/fs/read_write.c +index ddd6e67..aabf92d 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -459,6 +459,7 @@ ssize_t vfs_read(struct file *file, char +@@ -459,6 +459,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) return ret; } @@ -213,7 +241,7 @@ aufs4.16 standalone patch vfs_writef_t vfs_writef(struct file *file) { -@@ -510,6 +512,7 @@ vfs_writef_t vfs_writef(struct file *fil +@@ -510,6 +512,7 @@ vfs_writef_t vfs_writef(struct file *file) return new_sync_write; return ERR_PTR(-ENOSYS); } 
@@ -221,7 +249,7 @@ aufs4.16 standalone patch ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos) { -@@ -579,6 +582,7 @@ ssize_t vfs_write(struct file *file, con +@@ -579,6 +582,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ return ret; } @@ -229,9 +257,11 @@ aufs4.16 standalone patch static inline loff_t file_pos_read(struct file *file) { +diff --git a/fs/splice.c b/fs/splice.c +index f617ab0..ec0ad02 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_in +@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_info *pipe, struct file *out, return splice_write(pipe, out, ppos, len, flags); } @@ -239,7 +269,7 @@ aufs4.16 standalone patch /* * Attempt to initiate a splice from a file to a pipe. -@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_ +@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_t *ppos, return splice_read(in, ppos, pipe, len, flags); } @@ -247,9 +277,11 @@ aufs4.16 standalone patch /** * splice_direct_to_actor - splices data directly between two non-pipes +diff --git a/fs/sync.c b/fs/sync.c +index 2860782..ffd7ea4 100644 --- a/fs/sync.c +++ b/fs/sync.c -@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block +@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block *sb, int wait) sb->s_op->sync_fs(sb, wait); return __sync_blockdev(sb->s_bdev, wait); } @@ -257,9 +289,11 @@ aufs4.16 standalone patch /* * Write out and wait upon all dirty data associated with this +diff --git a/fs/xattr.c b/fs/xattr.c +index 61cd28b..35570cd 100644 --- a/fs/xattr.c +++ b/fs/xattr.c -@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry +@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, *xattr_value = value; return error; } 
@@ -267,9 +301,11 @@ aufs4.16 standalone patch ssize_t __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 06e0d7a..6af91bd 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c -@@ -151,6 +151,7 @@ inline struct lock_class *lockdep_hlock_ +@@ -151,6 +151,7 @@ inline struct lock_class *lockdep_hlock_class(struct held_lock *hlock) } return lock_classes + hlock->class_idx - 1; } @@ -277,6 +313,8 @@ aufs4.16 standalone patch #define hlock_class(hlock) lockdep_hlock_class(hlock) #ifdef CONFIG_LOCK_STAT +diff --git a/kernel/task_work.c b/kernel/task_work.c +index 0fef395..83fb1ec 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c @@ -116,3 +116,4 @@ void task_work_run(void) @@ -284,9 +322,11 @@ aufs4.16 standalone patch } } +EXPORT_SYMBOL_GPL(task_work_run); +diff --git a/security/commoncap.c b/security/commoncap.c +index 1ce701f..a0d106e 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -1330,12 +1330,14 @@ int cap_mmap_addr(unsigned long addr) +@@ -1332,12 +1332,14 @@ int cap_mmap_addr(unsigned long addr) } return ret; } @@ -301,6 +341,8 @@ aufs4.16 standalone patch #ifdef CONFIG_SECURITY +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index c65b39b..e363d22 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -8,6 +8,7 @@ @@ -311,14 +353,16 @@ aufs4.16 standalone patch #include #include #include -@@ -824,3 +825,4 @@ int __devcgroup_check_permission(short t +@@ -824,3 +825,4 @@ int __devcgroup_check_permission(short type, u32 major, u32 minor, return 0; } +EXPORT_SYMBOL_GPL(__devcgroup_check_permission); +diff --git a/security/security.c b/security/security.c +index 7bc2fde..6bd0468 100644 --- a/security/security.c 
+++ b/security/security.c -@@ -537,6 +537,7 @@ int security_path_rmdir(const struct pat +@@ -537,6 +537,7 @@ int security_path_rmdir(const struct path *dir, struct dentry *dentry) return 0; return call_int_hook(path_rmdir, 0, dir, dentry); } @@ -326,7 +370,7 @@ aufs4.16 standalone patch int security_path_unlink(const struct path *dir, struct dentry *dentry) { -@@ -553,6 +554,7 @@ int security_path_symlink(const struct p +@@ -553,6 +554,7 @@ int security_path_symlink(const struct path *dir, struct dentry *dentry, return 0; return call_int_hook(path_symlink, 0, dir, dentry, old_name); } @@ -334,7 +378,7 @@ aufs4.16 standalone patch int security_path_link(struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry) -@@ -561,6 +563,7 @@ int security_path_link(struct dentry *ol +@@ -561,6 +563,7 @@ int security_path_link(struct dentry *old_dentry, const struct path *new_dir, return 0; return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry); } @@ -342,7 +386,7 @@ aufs4.16 standalone patch int security_path_rename(const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry, -@@ -588,6 +591,7 @@ int security_path_truncate(const struct +@@ -588,6 +591,7 @@ int security_path_truncate(const struct path *path) return 0; return call_int_hook(path_truncate, 0, path); } @@ -350,7 +394,7 @@ aufs4.16 standalone patch int security_path_chmod(const struct path *path, umode_t mode) { -@@ -595,6 +599,7 @@ int security_path_chmod(const struct pat +@@ -595,6 +599,7 @@ int security_path_chmod(const struct path *path, umode_t mode) return 0; return call_int_hook(path_chmod, 0, path, mode); } 
@@ -358,7 +402,7 @@ aufs4.16 standalone patch int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) { -@@ -602,6 +607,7 @@ int security_path_chown(const struct pat +@@ -602,6 +607,7 @@ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) return 0; return call_int_hook(path_chown, 0, path, uid, gid); } @@ -366,7 +410,7 @@ aufs4.16 standalone patch int security_path_chroot(const struct path *path) { -@@ -687,6 +693,7 @@ int security_inode_readlink(struct dentr +@@ -687,6 +693,7 @@ int security_inode_readlink(struct dentry *dentry) return 0; return call_int_hook(inode_readlink, 0, dentry); } @@ -374,7 +418,7 @@ aufs4.16 standalone patch int security_inode_follow_link(struct dentry *dentry, struct inode *inode, bool rcu) -@@ -702,6 +709,7 @@ int security_inode_permission(struct ino +@@ -702,6 +709,7 @@ int security_inode_permission(struct inode *inode, int mask) return 0; return call_int_hook(inode_permission, 0, inode, mask); } @@ -382,7 +426,7 @@ aufs4.16 standalone patch int security_inode_setattr(struct dentry *dentry, struct iattr *attr) { -@@ -873,6 +881,7 @@ int security_file_permission(struct file +@@ -873,6 +881,7 @@ int security_file_permission(struct file *file, int mask) return fsnotify_perm(file, mask); } @@ -390,7 +434,7 @@ aufs4.16 standalone patch int security_file_alloc(struct file *file) { -@@ -932,6 +941,7 @@ int security_mmap_file(struct file *file +@@ -932,6 +941,7 @@ int security_mmap_file(struct file *file, unsigned long prot, return ret; return ima_file_mmap(file, prot); } From 2202083eb035a18cd8556f4884efa61604291df9 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Tue, 26 Jun 2018 02:49:30 +0100 Subject: [PATCH 9/9] Update to 4.17.3 Drop patches applied upstream. --- debian/changelog | 76 ++++++++++++++-- ...rs-from-ext4_find_inline_data_nolock.patch | 61 ------------- ...andle-a-zero-length-xattr-with-a-non.patch | 65 -------------- ...llow-external-inodes-for-inline-data.patch | 43 --------- ...network-regression-after-ifdown-ifup.patch | 43 --------- ...e-condition-between-sock_close-and-s.patch | 87 ------------------- ...nfo-leak-due-to-uninitialized-memory.patch | 36 -------- debian/patches/series | 6 -- 8 files changed, 68 insertions(+), 349 deletions(-) delete mode 100644 debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch delete mode 100644 debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch delete mode 100644 debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch delete mode 100644 debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch delete mode 100644 debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch delete mode 100644 debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch diff --git a/debian/changelog b/debian/changelog index 392ff606b..5a266c016 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,4 +1,71 @@ -linux (4.17.2-1) UNRELEASED; urgency=medium +linux (4.17.3-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.3 + - net: aquantia: fix unsigned numvecs comparison with less than zero + - bonding: re-evaluate force_primary when the primary slave name changes + - cdc_ncm: avoid padding beyond end of skb + - ipv6: allow PMTU exceptions to local routes + - [armhf,arm64] net: dsa: add error handling for pskb_trim_rcsum + - net/sched: act_simple: fix parsing of TCA_DEF_DATA + - tcp: verify the checksum of the first data segment in a new connection + - socket: close race condition between sock_close() and sockfs_setattr() + (CVE-2018-12232) + - udp: fix rx queue len reported by diag and proc interface + - net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds + vlan + - ACPICA: AML parser: attempt to continue loading table after error + - ext4: fix hole length detection in ext4_ind_map_blocks() + - ext4: update mtime in ext4_punch_hole even if no blocks are released + - ext4: do not allow external inodes for inline data (CVE-2018-11412) + - ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() + - ext4: correctly handle a zero-length xattr with a non-zero e_value_offs + (CVE-2018-10840) + - ext4: fix fencepost error in check for inode count overflow during resize + - driver core: Don't ignore class_dir_create_and_add() failure. 
+ - Btrfs: allow empty subvol= again + - Btrfs: fix clone vs chattr NODATASUM race + - Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() + - btrfs: return error value if create_io_em failed in cow_file_range + - btrfs: scrub: Don't use inode pages for device replace + - ALSA: usb-audio: Disable the quirk for Nura headset + - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() + - [x86] MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read() + - smb3: fix various xid leaks + - smb3: on reconnect set PreviousSessionId field + - CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check for session + expiry + - cifs: For SMB2 security informaion query, check for minimum sized + security descriptor instead of sizeof FileAllInformation class + - nbd: fix nbd device deletion + - nbd: update size when connected + - nbd: use bd_set_size when updating disk size + - blk-mq: reinit q->tag_set_list entry only after grace period + - bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue + - cpufreq: Fix new policy initialization during limits updates via sysfs + - cpufreq: governors: Fix long idle detection logic in load calculation + - libata: zpodd: small read overflow in eject_tray() + - libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk + - nvme/pci: Sync controller reset for AER slot_reset + - [x86] vector: Fix the args of vector_alloc tracepoint + - [x86] apic/vector: Prevent hlist corruption and leaks + - [x86] apic: Provide apic_ack_irq() + - [x86] ioapic: Use apic_ack_irq() + - [x86] platform/uv: Use apic_ack_irq() + - irq_remapping: Use apic_ack_irq() + - genirq/generic_pending: Do not lose pending affinity update + - genirq/affinity: Defer affinity setting if irq chip is busy + - genirq/migration: Avoid out of line call if pending is not set + - [x86] intel_rdt: Enable CMT and MBM on new Skylake stepping + - media: uvcvideo: Prevent setting unavailable flags + - media: rc: ensure input/lirc device can be opened after 
register + - iwlwifi: fw: harden page loading code + - [x86] HID: intel_ish-hid: ipc: register more pm callbacks to support + hibernation + - HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large + - vhost: fix info leak due to uninitialized memory (CVE-2018-1118) + - fs/binfmt_misc.c: do not allow offset overflow + - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset [ Ben Hutchings ] * [amd64,arm64,armhf] android: Build modules to support Anbox @@ -11,13 +78,6 @@ linux (4.17.2-1) UNRELEASED; urgency=medium * [mips*] Increase RELOCATION_TABLE_SIZE to 0x00140000 (fixes FTBFS) * Set ABI to 1 * [x86,arm64] Disable code signing for upload to unstable - * vhost: fix info leak due to uninitialized memory (CVE-2018-1118) - * ext4: correctly handle a zero-length xattr with a non-zero e_value_offs - (CVE-2018-10840) - * ext4: do not allow external inodes for inline data (CVE-2018-11412) - * ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() - * socket: close race condition between sock_close() and sockfs_setattr() - (CVE-2018-12232) * [x86] virt: vbox: Only copy_from_user the request-header once (CVE-2018-12633) * [x86] vboxguest: Enable VBOXGUEST and DRM_VBOXVIDEO as modules diff --git a/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch b/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch deleted file mode 100644 index 33dbe382e..000000000 --- a/debian/patches/bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From: Theodore Ts'o -Date: Tue, 22 May 2018 17:14:07 -0400 -Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to - ext4_iget() -Origin: https://git.kernel.org/linus/eb9b5f01c33adebc31cbc236c02695f605b0e417 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 - -If ext4_find_inline_data_nolock() returns an error it needs to get -reflected up to ext4_iget(). In order to fix this, -ext4_iget_extra_inode() needs to return an error (and not return -void). - -This is related to "ext4: do not allow external inodes for inline -data" (which fixes CVE-2018-11412) in that in the errors=continue -case, it would be useful to for userspace to receive an error -indicating that file system is corrupted. - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -Cc: stable@kernel.org ---- - fs/ext4/inode.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct - } - } - --static inline void ext4_iget_extra_inode(struct inode *inode, -+static inline int ext4_iget_extra_inode(struct inode *inode, - struct ext4_inode *raw_inode, - struct ext4_inode_info *ei) - { - __le32 *magic = (void *)raw_inode + - EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize; -+ - if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <= - EXT4_INODE_SIZE(inode->i_sb) && - *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { - ext4_set_inode_state(inode, EXT4_STATE_XATTR); -- ext4_find_inline_data_nolock(inode); -+ return ext4_find_inline_data_nolock(inode); - } else - EXT4_I(inode)->i_inline_off = 0; -+ return 0; - } - - int ext4_get_projid(struct inode *inode, kprojid_t *projid) -@@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_blo - ei->i_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; - } else { -- ext4_iget_extra_inode(inode, raw_inode, ei); -+ ret = ext4_iget_extra_inode(inode, 
raw_inode, ei); -+ if (ret) -+ goto bad_inode; - } - } - diff --git a/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch b/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch deleted file mode 100644 index 623ffc0b6..000000000 --- a/debian/patches/bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From: Theodore Ts'o -Date: Wed, 23 May 2018 11:31:03 -0400 -Subject: ext4: correctly handle a zero-length xattr with a non-zero - e_value_offs -Origin: https://git.kernel.org/linus/8a2b307c21d4b290e3cbe33f768f194286d07c23 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10840 - -Ext4 will always create ext4 extended attributes which do not have a -value (where e_value_size is zero) with e_value_offs set to zero. In -most places e_value_offs will not be used in a substantive way if -e_value_size is zero. - -There was one exception to this, which is in ext4_xattr_set_entry(), -where if there is a maliciously crafted file system where there is an -extended attribute with e_value_offs is non-zero and e_value_size is -0, the attempt to remove this xattr will result in a negative value -getting passed to memmove, leading to the following sadness: - -[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null) -[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000 -[ 44.538733] IP: __memmove+0x81/0x1a0 -[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1 -[ 44.538793] Oops: 0003 [#1] SMP PTI -[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1 - ... -[ 44.539475] Call Trace: -[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80 - ... -[ 44.539972] ext4_xattr_block_set+0x212/0xea0 - ... -[ 44.540041] ext4_xattr_set_handle+0x514/0x610 -[ 44.540065] ext4_xattr_set+0x7f/0x120 -[ 44.540090] __vfs_removexattr+0x4d/0x60 -[ 44.540112] vfs_removexattr+0x75/0xe0 -[ 44.540132] removexattr+0x4d/0x80 - ... -[ 44.540279] path_removexattr+0x91/0xb0 -[ 44.540300] SyS_removexattr+0xf/0x20 -[ 44.540322] do_syscall_64+0x71/0x120 -[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86 - -https://bugzilla.kernel.org/show_bug.cgi?id=199347 - -This addresses CVE-2018-10840. 
- -Reported-by: "Xu, Wen" -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -Cc: stable@kernel.org -Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication") ---- - fs/ext4/xattr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct e - - /* No failures allowed past this point. */ - -- if (!s->not_found && here->e_value_offs) { -+ if (!s->not_found && here->e_value_size && here->e_value_offs) { - /* Remove the old value. */ - void *first_val = s->base + min_offs; - size_t offs = le16_to_cpu(here->e_value_offs); diff --git a/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch b/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch deleted file mode 100644 index bb65b21b0..000000000 --- a/debian/patches/bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: Theodore Ts'o -Date: Tue, 22 May 2018 16:15:24 -0400 -Subject: ext4: do not allow external inodes for inline data -Origin: https://git.kernel.org/linus/117166efb1ee8f13c38f9e96b258f16d4923f888 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-11412 - -The inline data feature was implemented before we added support for -external inodes for xattrs. It makes no sense to support that -combination, but the problem is that there are a number of extended -attribute checks that are skipped if e_value_inum is non-zero. - -Unfortunately, the inline data code is completely e_value_inum -unaware, and attempts to interpret the xattr fields as if it were an -inline xattr --- at which point, Hilarty Ensues. - -This addresses CVE-2018-11412. - -https://bugzilla.kernel.org/show_bug.cgi?id=199803 - -Reported-by: Jann Horn -Reviewed-by: Andreas Dilger -Signed-off-by: Theodore Ts'o -Fixes: e50e5129f384 ("ext4: xattr-in-inode support") -Cc: stable@kernel.org ---- - fs/ext4/inline.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct - goto out; - - if (!is.s.not_found) { -+ if (is.s.here->e_value_inum) { -+ EXT4_ERROR_INODE(inode, "inline data xattr refers " -+ "to an external xattr inode"); -+ error = -EFSCORRUPTED; -+ goto out; -+ } - EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here - - (void *)ext4_raw_inode(&is.iloc)); - EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + diff --git a/debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch b/debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch deleted file mode 100644 index b5a97511d..000000000 --- a/debian/patches/bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 52acf73b6e9a6962045feb2ba5a8921da2201915 Mon Sep 17 00:00:00 2001 -From: Dexuan Cui -Date: Wed, 6 Jun 2018 21:32:51 +0000 -Subject: [PATCH] hv_netvsc: Fix a network regression after ifdown/ifup - -Recently people reported the NIC stops working after -"ifdown eth0; ifup eth0". It turns out in this case the TX queues are not -enabled, after the refactoring of the common detach logic: when the NIC -has sub-channels, usually we enable all the TX queues after all -sub-channels are set up: see rndis_set_subchannel() -> -netif_device_attach(), but in the case of "ifdown eth0; ifup eth0" where -the number of channels doesn't change, we also must make sure the TX queues -are enabled. The patch fixes the regression. - -Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic") -Signed-off-by: Dexuan Cui -Cc: Stephen Hemminger -Cc: K. Y. Srinivasan -Cc: Haiyang Zhang -Signed-off-by: David S. Miller ---- - drivers/net/hyperv/netvsc_drv.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c -index bef4d55a108c..8eec156418ea 100644 ---- a/drivers/net/hyperv/netvsc_drv.c -+++ b/drivers/net/hyperv/netvsc_drv.c -@@ -127,8 +127,10 @@ static int netvsc_open(struct net_device *net) - } - - rdev = nvdev->extension; -- if (!rdev->link_state) -+ if (!rdev->link_state) { - netif_carrier_on(net); -+ netif_tx_wake_all_queues(net); -+ } - - if (vf_netdev) { - /* Setting synthetic device up transparently sets --- -2.17.1 - diff --git a/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch b/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch deleted file mode 100644 index 1c8c8e56b..000000000 --- a/debian/patches/bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From: Cong Wang -Date: Thu, 7 Jun 2018 13:39:49 -0700 -Subject: socket: close race condition between sock_close() and - sockfs_setattr() -Origin: https://git.kernel.org/linus/6d8c50dcb029872b298eea68cc6209c866fd3e14 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12232 - -fchownat() doesn't even hold refcnt of fd until it figures out -fd is really needed (otherwise is ignored) and releases it after -it resolves the path. This means sock_close() could race with -sockfs_setattr(), which leads to a NULL pointer dereference -since typically we set sock->sk to NULL in ->release(). - -As pointed out by Al, this is unique to sockfs. So we can fix this -in socket layer by acquiring inode_lock in sock_close() and -checking against NULL in sockfs_setattr(). - -sock_release() is called in many places, only the sock_close() -path matters here. And fortunately, this should not affect normal -sock_close() as it is only called when the last fd refcnt is gone. -It only affects sock_close() with a parallel sockfs_setattr() in -progress, which is not common. - -Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") -Reported-by: shankarapailoor -Cc: Tetsuo Handa -Cc: Lorenzo Colitti -Cc: Al Viro -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller ---- - net/socket.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - ---- a/net/socket.c -+++ b/net/socket.c -@@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry - if (!err && (iattr->ia_valid & ATTR_UID)) { - struct socket *sock = SOCKET_I(d_inode(dentry)); - -- sock->sk->sk_uid = iattr->ia_uid; -+ if (sock->sk) -+ sock->sk->sk_uid = iattr->ia_uid; -+ else -+ err = -ENOENT; - } - - return err; -@@ -586,12 +589,16 @@ EXPORT_SYMBOL(sock_alloc); - * an inode not a file. 
- */ - --void sock_release(struct socket *sock) -+static void __sock_release(struct socket *sock, struct inode *inode) - { - if (sock->ops) { - struct module *owner = sock->ops->owner; - -+ if (inode) -+ inode_lock(inode); - sock->ops->release(sock); -+ if (inode) -+ inode_unlock(inode); - sock->ops = NULL; - module_put(owner); - } -@@ -605,6 +612,11 @@ void sock_release(struct socket *sock) - } - sock->file = NULL; - } -+ -+void sock_release(struct socket *sock) -+{ -+ __sock_release(sock, NULL); -+} - EXPORT_SYMBOL(sock_release); - - void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags) -@@ -1146,7 +1158,7 @@ static int sock_mmap(struct file *file, - - static int sock_close(struct inode *inode, struct file *filp) - { -- sock_release(SOCKET_I(inode)); -+ __sock_release(SOCKET_I(inode), inode); - return 0; - } - diff --git a/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch b/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch deleted file mode 100644 index 86ed3b396..000000000 --- a/debian/patches/bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Sat, 12 May 2018 00:33:10 +0300 -Subject: vhost: fix info leak due to uninitialized memory -Origin: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1118 - -struct vhost_msg within struct vhost_msg_node is copied to userspace. -Unfortunately it turns out on 64 bit systems vhost_msg has padding after -type which gcc doesn't initialize, leaking 4 uninitialized bytes to -userspace. - -This padding also unfortunately means 32 bit users of this interface are -broken on a 64 bit kernel which will need to be fixed separately. - -Fixes: CVE-2018-1118 -Cc: stable@vger.kernel.org -Reported-by: Kevin Easton -Signed-off-by: Michael S. Tsirkin -Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com -Signed-off-by: Michael S. Tsirkin ---- - drivers/vhost/vhost.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(str - struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); - if (!node) - return NULL; -+ -+ /* Make sure all padding within the structure is initialized. */ -+ memset(&node->msg, 0, sizeof node->msg); - node->vq = vq; - node->msg.type = type; - return node; diff --git a/debian/patches/series b/debian/patches/series index 8951afe46..6736bbfa8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -91,7 +91,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch debian/revert-objtool-fix-config_stack_validation-y-warning.patch bugfix/all/i40e-build-for-64-bit-targets-only.patch bugfix/all/ib-fix-rdma_rxe-and-infiniband_rdmavt-dependencies-f.patch -bugfix/all/hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch # Miscellaneous features 
@@ -131,11 +130,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/vhost-fix-info-leak-due-to-uninitialized-memory.patch -bugfix/all/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch -bugfix/all/ext4-do-not-allow-external-inodes-for-inline-data.patch -bugfix/all/ext4-bubble-errors-from-ext4_find_inline_data_nolock.patch -bugfix/all/socket-close-race-condition-between-sock_close-and-s.patch bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch # Fix exported symbol versions
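Review bot: in the refreshed aufs standalone patch, the new fs/open.c hunk (@@ -723,6 +724,7) places `EXPORT_SYMBOL_GPL(open_check_o_direct);` after the closing brace of the fchown syscall wrapper and before the definition of `open_check_o_direct()`. Kernel convention puts the export directly after the function it exports. Here it depends on an earlier declaration being in scope, and it reads as if it belonged to fchown, which makes it easy to misplace on the next refresh. Move it below the closing brace of `open_check_o_direct()`. It is also the only functional addition among hunks that otherwise just regenerate hunk headers and add `diff --git`/`index` lines, and it widens what a GPL module can call, so it should be named explicitly in the patch description or changelog instead of riding along with the refresh.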
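Review bot: in PATCH 9/9 the hv_netvsc patch is deleted and its line removed from debian/patches/series (@@ -91,7 +91,6), but the debian/changelog hunks do not account for it. The 4.17.3 upstream list added at @@ -1,4 +1,71 has no hv_netvsc entry, and the @@ -11,13 +78,6 hunk drops only the vhost, ext4 and socket entries. The other five dropped patches each reappear in the upstream list (three ext4 fixes, the socket race, the vhost info leak), so this one stands out. Confirm that "hv_netvsc: Fix a network regression after ifdown/ifup" is in 4.17.3 and add its line to the upstream list. If an older changelog entry still announces it as a Debian patch, fold that entry in as well so the changelog matches the series file.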