Update to 4.14.11
parent
304afa4414
commit
96dad8ed7e
|
@ -1,9 +1,43 @@
|
|||
linux (4.14.10-1) UNRELEASED; urgency=medium
|
||||
linux (4.14.11-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.8
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.9
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.10
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11
|
||||
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE
|
||||
- x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
|
||||
- x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3
|
||||
switching
|
||||
- x86/mm/pti: Add infrastructure for page table isolation
|
||||
- x86/pti: Add the pti= cmdline option and documentation
|
||||
- x86/mm/pti: Add mapping helper functions
|
||||
- x86/mm/pti: Allow NX poison to be set in p4d/pgd
|
||||
- x86/mm/pti: Allocate a separate user PGD
|
||||
- x86/mm/pti: Populate user PGD
|
||||
- x86/mm/pti: Add functions to clone kernel PMDs
|
||||
- x86/mm/pti: Force entry through trampoline when PTI active
|
||||
- x86/mm/pti: Share cpu_entry_area with user space page tables
|
||||
- x86/entry: Align entry text section to PMD boundary
|
||||
- x86/mm/pti: Share entry text PMD
|
||||
- x86/mm/pti: Map ESPFIX into user space
|
||||
- x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
|
||||
- x86/events/intel/ds: Map debug buffers in cpu_entry_area
|
||||
- x86/mm/64: Make a full PGD-entry size hole in the memory map
|
||||
- x86/pti: Put the LDT in its own PGD if PTI is on
|
||||
- x86/pti: Map the vsyscall page if needed
|
||||
- x86/mm: Allow flushing for future ASID switches
|
||||
- x86/mm: Abstract switching CR3
|
||||
- x86/mm: Use/Fix PCID to optimize user/kernel switches
|
||||
- x86/mm: Optimize RESTORE_CR3
|
||||
- x86/mm: Use INVPCID for __native_flush_tlb_single()
|
||||
- x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
|
||||
- x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
|
||||
- x86/mm/pti: Add Kconfig
|
||||
- net: Fix double free and memory corruption in get_net_ns_by_id()
|
||||
(CVE-2017-15129)
|
||||
* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
|
||||
(CVE-2017-5754)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
|
||||
|
|
|
@ -1,70 +0,0 @@
|
|||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Sun, 10 Dec 2017 03:50:58 +0000
|
||||
Subject: net: ipv4: fix for a race condition in raw_sendmsg
|
||||
Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712
|
||||
|
||||
inet->hdrincl is racy, and could lead to uninitialized stack pointer
|
||||
usage, so its value should be read only once.
|
||||
|
||||
Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/raw.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/net/ipv4/raw.c
|
||||
+++ b/net/ipv4/raw.c
|
||||
@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk,
|
||||
int err;
|
||||
struct ip_options_data opt_copy;
|
||||
struct raw_frag_vec rfv;
|
||||
+ int hdrincl;
|
||||
|
||||
err = -EMSGSIZE;
|
||||
if (len > 0xFFFF)
|
||||
goto out;
|
||||
|
||||
+ /* hdrincl should be READ_ONCE(inet->hdrincl)
|
||||
+ * but READ_ONCE() doesn't work with bit fields
|
||||
+ */
|
||||
+ hdrincl = inet->hdrincl;
|
||||
/*
|
||||
* Check the flags.
|
||||
*/
|
||||
@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk,
|
||||
/* Linux does not mangle headers on raw sockets,
|
||||
* so that IP options + IP_HDRINCL is non-sense.
|
||||
*/
|
||||
- if (inet->hdrincl)
|
||||
+ if (hdrincl)
|
||||
goto done;
|
||||
if (ipc.opt->opt.srr) {
|
||||
if (!daddr)
|
||||
@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk,
|
||||
|
||||
flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
|
||||
RT_SCOPE_UNIVERSE,
|
||||
- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
|
||||
+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
|
||||
inet_sk_flowi_flags(sk) |
|
||||
- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
|
||||
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
|
||||
daddr, saddr, 0, 0, sk->sk_uid);
|
||||
|
||||
- if (!inet->hdrincl) {
|
||||
+ if (!hdrincl) {
|
||||
rfv.msg = msg;
|
||||
rfv.hlen = 0;
|
||||
|
||||
@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk,
|
||||
goto do_confirm;
|
||||
back_from_confirm:
|
||||
|
||||
- if (inet->hdrincl)
|
||||
+ if (hdrincl)
|
||||
err = raw_send_hdrinc(sk, &fl4, msg, len,
|
||||
&rt, msg->msg_flags, &ipc.sockc);
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Wed, 6 Dec 2017 12:12:27 -0800
|
||||
Subject: netlink: Add netns check on taps
|
||||
Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
|
||||
|
||||
Currently, a nlmon link inside a child namespace can observe systemwide
|
||||
netlink activity. Filter the traffic so that nlmon can only sniff
|
||||
netlink messages from its own netns.
|
||||
|
||||
Test case:
|
||||
|
||||
vpnns -- bash -c "ip link add nlmon0 type nlmon; \
|
||||
ip link set nlmon0 up; \
|
||||
tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
|
||||
sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
|
||||
spi 0x1 mode transport \
|
||||
auth sha1 0x6162633132330000000000000000000000000000 \
|
||||
enc aes 0x00000000000000000000000000000000
|
||||
grep --binary abc123 /tmp/nlmon.pcap
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/netlink/af_netlink.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str
|
||||
struct sock *sk = skb->sk;
|
||||
int ret = -ENOMEM;
|
||||
|
||||
+ if (!net_eq(dev_net(dev), sock_net(sk)))
|
||||
+ return 0;
|
||||
+
|
||||
dev_hold(dev);
|
||||
|
||||
if (is_vmalloc_addr(skb->head))
|
|
@ -1,76 +0,0 @@
|
|||
From: Anna-Maria Gleixner <anna-maria@linutronix.de>
|
||||
Date: Fri, 22 Dec 2017 15:51:12 +0100
|
||||
Subject: [PATCH 1/4] timer: Use deferrable base independent of
|
||||
base::nohz_active
|
||||
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.8-rt9.tar.xz
|
||||
|
||||
During boot and before base::nohz_active is set in the timer bases, deferrable
|
||||
timers are enqueued into the standard timer base. This works correctly as
|
||||
long as base::nohz_active is false.
|
||||
|
||||
Once it base::nohz_active is set and a timer which was enqueued before that
|
||||
is accessed the lock selector code choses the lock of the deferred
|
||||
base. This causes unlocked access to the standard base and in case the
|
||||
timer is removed it does not clear the pending flag in the standard base
|
||||
bitmap which causes get_next_timer_interrupt() to return bogus values.
|
||||
|
||||
To prevent that, the deferrable timers must be enqueued in the deferrable
|
||||
base, even when base::nohz_active is not set. Those deferrable timers also
|
||||
need to be expired unconditional.
|
||||
|
||||
Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
|
||||
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: rt@linutronix.de
|
||||
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
---
|
||||
kernel/time/timer.c | 16 +++++++---------
|
||||
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
|
||||
index f2674a056c26..fdfaf4f3bcfa 100644
|
||||
--- a/kernel/time/timer.c
|
||||
+++ b/kernel/time/timer.c
|
||||
@@ -814,11 +814,10 @@ static inline struct timer_base *get_timer_cpu_base(u32 tflags, u32 cpu)
|
||||
struct timer_base *base = per_cpu_ptr(&timer_bases[BASE_STD], cpu);
|
||||
|
||||
/*
|
||||
- * If the timer is deferrable and nohz is active then we need to use
|
||||
- * the deferrable base.
|
||||
+ * If the timer is deferrable and NO_HZ_COMMON is set then we need
|
||||
+ * to use the deferrable base.
|
||||
*/
|
||||
- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
|
||||
- (tflags & TIMER_DEFERRABLE))
|
||||
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
|
||||
base = per_cpu_ptr(&timer_bases[BASE_DEF], cpu);
|
||||
return base;
|
||||
}
|
||||
@@ -828,11 +827,10 @@ static inline struct timer_base *get_timer_this_cpu_base(u32 tflags)
|
||||
struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
|
||||
|
||||
/*
|
||||
- * If the timer is deferrable and nohz is active then we need to use
|
||||
- * the deferrable base.
|
||||
+ * If the timer is deferrable and NO_HZ_COMMON is set then we need
|
||||
+ * to use the deferrable base.
|
||||
*/
|
||||
- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
|
||||
- (tflags & TIMER_DEFERRABLE))
|
||||
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
|
||||
base = this_cpu_ptr(&timer_bases[BASE_DEF]);
|
||||
return base;
|
||||
}
|
||||
@@ -1644,7 +1642,7 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h)
|
||||
base->must_forward_clk = false;
|
||||
|
||||
__run_timers(base);
|
||||
- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active)
|
||||
+ if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
|
||||
__run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
|
||||
}
|
||||
|
||||
--
|
||||
2.15.1
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Date: Fri, 22 Dec 2017 15:51:14 +0100
|
||||
Subject: [PATCH 3/4] timer: Invoke timer_start_debug() where it makes sense
|
||||
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.8-rt9.tar.xz
|
||||
|
||||
The timer start debug function is called before the proper timer base is
|
||||
set. As a consequence the trace data contains the stale CPU and flags
|
||||
values.
|
||||
|
||||
Call the debug function after setting the new base and flags.
|
||||
|
||||
Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: rt@linutronix.de
|
||||
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
---
|
||||
kernel/time/timer.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
|
||||
index fdfaf4f3bcfa..a4d095e1010e 100644
|
||||
--- a/kernel/time/timer.c
|
||||
+++ b/kernel/time/timer.c
|
||||
@@ -982,8 +982,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
|
||||
if (!ret && pending_only)
|
||||
goto out_unlock;
|
||||
|
||||
- debug_activate(timer, expires);
|
||||
-
|
||||
new_base = get_target_base(base, timer->flags);
|
||||
|
||||
if (base != new_base) {
|
||||
@@ -1007,6 +1005,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
|
||||
}
|
||||
}
|
||||
|
||||
+ debug_activate(timer, expires);
|
||||
+
|
||||
timer->expires = expires;
|
||||
/*
|
||||
* If 'idx' was calculated above and the base time did not advance
|
||||
--
|
||||
2.15.1
|
||||
|
|
@ -115,7 +115,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
return period;
|
||||
}
|
||||
|
||||
@@ -684,10 +689,10 @@ static ktime_t tick_nohz_stop_sched_tick
|
||||
@@ -689,10 +694,10 @@ static ktime_t tick_nohz_stop_sched_tick
|
||||
|
||||
/* Read jiffies and the time when jiffies were updated last */
|
||||
do {
|
||||
|
@ -127,7 +127,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
+ } while (read_seqcount_retry(&jiffies_seq, seq));
|
||||
ts->last_jiffies = basejiff;
|
||||
|
||||
if (rcu_needs_cpu(basemono, &next_rcu) ||
|
||||
/*
|
||||
--- a/kernel/time/timekeeping.c
|
||||
+++ b/kernel/time/timekeeping.c
|
||||
@@ -2326,8 +2326,10 @@ EXPORT_SYMBOL(hardpps);
|
||||
|
|
|
@ -76,7 +76,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
call preempt_schedule_irq
|
||||
--- a/arch/x86/entry/entry_64.S
|
||||
+++ b/arch/x86/entry/entry_64.S
|
||||
@@ -750,7 +750,23 @@ retint_kernel:
|
||||
@@ -761,7 +761,23 @@ retint_kernel:
|
||||
bt $9, EFLAGS(%rsp) /* were interrupts off? */
|
||||
jnc 1f
|
||||
0: cmpl $0, PER_CPU_VAR(__preempt_count)
|
||||
|
@ -205,7 +205,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
/*
|
||||
--- a/arch/x86/kernel/asm-offsets.c
|
||||
+++ b/arch/x86/kernel/asm-offsets.c
|
||||
@@ -37,6 +37,7 @@ void common(void) {
|
||||
@@ -38,6 +38,7 @@ void common(void) {
|
||||
|
||||
BLANK();
|
||||
OFFSET(TASK_TI_flags, task_struct, thread_info.flags);
|
||||
|
@ -213,11 +213,11 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
OFFSET(TASK_addr_limit, task_struct, thread.addr_limit);
|
||||
|
||||
BLANK();
|
||||
@@ -93,6 +94,7 @@ void common(void) {
|
||||
@@ -94,6 +95,7 @@ void common(void) {
|
||||
|
||||
BLANK();
|
||||
DEFINE(PTREGS_SIZE, sizeof(struct pt_regs));
|
||||
+ DEFINE(_PREEMPT_ENABLED, PREEMPT_ENABLED);
|
||||
|
||||
/* Layout info for cpu_entry_area */
|
||||
OFFSET(CPU_ENTRY_AREA_tss, cpu_entry_area, tss);
|
||||
/* TLB state for the entry code */
|
||||
OFFSET(TLB_STATE_user_pcid_flush_mask, tlb_state, user_pcid_flush_mask);
|
||||
|
|
|
@ -119,9 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
|
||||
bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
|
||||
bugfix/all/netlink-add-netns-check-on-taps.patch
|
||||
bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
|
||||
bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
|
||||
bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
|
||||
bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
|
||||
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
|
||||
|
|
|
@ -16,9 +16,7 @@ features/all/rt/rcu-Suppress-lockdep-false-positive-boost_mtx-compla.patch
|
|||
############################################################
|
||||
|
||||
# Timer/NOHZ fixups
|
||||
features/all/rt/0001-timer-Use-deferrable-base-independent-of-base-nohz_a.patch
|
||||
features/all/rt/0002-nohz-Prevent-erroneous-tick-stop-invocations.patch
|
||||
features/all/rt/0003-timer-Invoke-timer_start_debug-where-it-makes-sense.patch
|
||||
features/all/rt/0004-timerqueue-Document-return-values-of-timerqueue_add-.patch
|
||||
|
||||
# soft hrtimer patches (v4)
|
||||
|
|