Ben Hutchings
feec1caa94
[x86] i915: Add mitigations for two hardware security flaws
2019-11-10 02:53:32 +00:00
Ben Hutchings
c2443a2e97
[x86] Update TAA and NX fixes to pending stable backports
2019-11-09 20:17:15 +00:00
Salvatore Bonaccorso
be004c1b69
x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
2019-11-08 00:14:38 +01:00
Ben Hutchings
37baed7166
[x86] Update TAA (Borislav v2) and NX (v9) fixes
...
The upstream commits for these are now finalised, so we shouldn't need
to replace patches after this (but might need to add more).
2019-11-07 18:10:48 +00:00
Salvatore Bonaccorso
cd92ab49c4
KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
2019-11-07 17:32:14 +01:00
Noah Meyerhans
87c48ee54f
drivers/net/ethernet/amazon: Backport ENA driver from Linux 5.4
2019-10-29 09:47:59 -07:00
Ben Hutchings
02d8d0c5b0
Merge branch 'rpi3_a_plus' into 'buster'
...
[armhf, arm64] Add patches from 5.1 for enabling support for the Raspberry PI 3 A+
See merge request kernel-team/linux!134
2019-10-27 14:24:25 +00:00
Bastian Blank
dbb59eba34
[amd64/cloud-amd64] Re-enable RTC drivers
2019-10-25 23:30:18 +02:00
Ben Hutchings
537ad2315a
[x86] Update TAA patch set to v7
2019-10-24 22:52:37 +01:00
Ben Hutchings
96c0e74c50
[x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135)
...
This is a backport of v6 of the TAA patch set, and will probably
require updates before release. The subject lines for these patches
didn't come through.
2019-10-20 14:51:55 +01:00
Ben Hutchings
d9bd594144
[x86] KVM: Add mitigation for Machine Check Error on Page Size Change
...
(aka iTLB multi-hit, CVE-2018-12207)
This is a backport of v6 of the "NX" patch set, and will probably
require updates before release.
2019-10-20 14:46:13 +01:00
Romain Perier
1df282987d
[armhf, arm64] Backport devicetree for enabling support for the Raspberry PI 3 A+
...
We already have everything we need inside the kernel 4.19.x for
supporting this board. backporting patches from upstream so we get
the support for buster.
2019-10-16 20:07:45 +02:00
Salvatore Bonaccorso
530030f117
ixgbe: Fix secpath usage for IPsec TX offload
...
Closes: #930443
2019-10-15 22:57:58 +02:00
Salvatore Bonaccorso
63680f3314
Release linux (4.19.67-2+deb10u1).
...
Merge tag 'debian/4.19.67-2+deb10u1' into buster
Release linux (4.19.67-2+deb10u1).
2019-10-15 22:48:01 +02:00
Romain Perier
ae1a40e9a5
[armel/rpi] Enable CONFIG_BRCMFMAC_SDIO (Closes: #940530)
2019-09-30 16:55:52 +02:00
Salvatore Bonaccorso
f13b3cd992
Prepare to release linux (4.19.67-2+deb10u1).
2019-09-20 12:51:56 +02:00
Salvatore Bonaccorso
942d6ddd3f
KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
2019-09-19 17:16:06 +02:00
Salvatore Bonaccorso
c0096a08f9
[x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
2019-09-18 21:35:01 +02:00
Salvatore Bonaccorso
78f0b2574a
vhost: make sure log_num < in_num (CVE-2019-14835)
2019-09-13 06:12:11 +02:00
Romain Perier
782d6ea880
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
...
(CVE-2019-15118)
2019-09-12 22:40:43 +02:00
Romain Perier
aa8fb19232
ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
...
(CVE-2019-15117)
[carnil: Use 4.19.67-2+deb10u1 version for buster-security branch]
2019-09-12 22:40:21 +02:00
Romain Perier
484d0b5f4b
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
...
(CVE-2019-15118)
2019-08-28 13:38:41 +02:00
Romain Perier
80e547b069
ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
...
(CVE-2019-15117)
2019-08-28 13:38:34 +02:00
Salvatore Bonaccorso
ff672b98a7
Prepare to release linux (4.19.67-2).
2019-08-28 06:20:22 +02:00
Salvatore Bonaccorso
e10bab8d2e
Reference assigned CVE id for CVE-2019-15538
...
Gbp-Dch: Ignore
2019-08-25 17:31:05 +02:00
Salvatore Bonaccorso
a065e442e2
xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
2019-08-24 20:51:54 +02:00
Cyril Brulebois
1b40f700ac
[arm64] Backport DTB support for Raspberry Pi Compute Module 3.
...
Tested-by: Charles Fendt <charles.fendt@me.com>
Signed-off-by: Cyril Brulebois <cyril@debamax.com>
(cherry picked from commit de7501857cae4892f52d8c56c2184be548709052)
2019-08-22 21:16:10 +02:00
Cyril Brulebois
10dd2b634c
[arm] Backport DTB support for Raspberry Pi Compute Module 3.
...
Signed-off-by: Cyril Brulebois <cyril@debamax.com>
(cherry picked from commit 64801af590540b4494f408b95a31fbe07963784d)
2019-08-22 21:16:10 +02:00
Ben Hutchings
57f74f6573
netfilter: conntrack: Use consistent ct id hash calculation
...
This fixes a regression in 4.19.44.
2019-08-22 20:04:20 +01:00
Ben Hutchings
00ee7f7173
[ppc64el] Avoid ABI change for disabling TM
...
Ignore removal of TM functions that are exported for use by KVM.
2019-08-22 20:03:54 +01:00
Ben Hutchings
019113b013
[ppc64el] Disable PPC_TRANSACTIONAL_MEM (Closes: #866122)
2019-08-22 20:03:19 +01:00
Ben Hutchings
7ee3696c10
KVM: Ignore ABI changes
...
We already ignored most of them, but missed some. Group together
all the KVM patterns in debian/config/defines.
2019-08-22 20:02:52 +01:00
Ben Hutchings
eaab250914
Merge remote-tracking branch 'salsa/buster' into buster
...
Since I've already uploaded 4.19.67-1, open a new changelog entry for
Salvatore's change.
2019-08-21 23:39:23 +01:00
Salvatore Bonaccorso
9bf2130b62
dm: disable DISCARD if the underlying storage no longer supports it
...
Closes: #934331
2019-08-21 21:41:04 +02:00
Salvatore Bonaccorso
8d3b3b09b9
Add CVE id for CVE-2019-15215
2019-08-21 21:30:17 +02:00
Salvatore Bonaccorso
2de12d5f21
Add CVE id for CVE-2019-15211
2019-08-21 21:29:45 +02:00
Salvatore Bonaccorso
71253bf604
Add CVE id for CVE-2019-15220
2019-08-21 21:28:17 +02:00
Salvatore Bonaccorso
d5720146ae
Add CVE id for CVE-2019-15221
2019-08-21 21:27:23 +02:00
Salvatore Bonaccorso
37487d12f3
Add CVE id for CVE-2019-15223
2019-08-21 21:24:47 +02:00
Salvatore Bonaccorso
0cde12d3b1
Add CVE id for CVE-2019-15219
2019-08-21 21:24:12 +02:00
Salvatore Bonaccorso
92583c3bcb
Add CVE id for CVE-2019-15218
2019-08-21 21:23:39 +02:00
Salvatore Bonaccorso
4d54b8bb16
Add CVE id for CVE-2019-15212
2019-08-21 21:22:59 +02:00
Salvatore Bonaccorso
8e8dc21337
Add CVE id reference for CVE-2019-15216
2019-08-21 21:13:31 +02:00
Ben Hutchings
889a9d1fb0
Prepare to release linux (4.19.67-1).
2019-08-21 17:44:57 +01:00
Ben Hutchings
f79aedcfab
Bump ABI to 6
2019-08-20 01:51:35 +01:00
Ben Hutchings
795d93f1ed
[rt] Update to 4.19.59-rt24
...
This mostly applied cleanly on 4.19.67. A few patches had 1 or 2
lines of fuzz which I've resolved.
2019-08-20 01:51:34 +01:00
Ben Hutchings
0899b0f554
Update to 4.19.67
...
* Drop patches which have been applied to 4.19-stable
* Drop "Revert "net: stmmac: Send TSO packets always from Queue 0"" in
favour of upstream fix "net: stmmac: Re-work the queue selection for
TSO packets"
* Refresh patches that became fuzzy
2019-08-20 01:51:22 +01:00
Ben Hutchings
64c3754b90
Merge branch 'buster-security' into buster
...
* Accept revert of "[sh4]: Check for kprobe trap number before trying
to handle a kprobe trap" and update debian/changelog accordingly, as
sh4 is not a release architecture
* Keep "[arm64] Improve support for the Huawei TaiShan server platform"
which was reverted on the buster-security branch
2019-08-18 19:29:59 +01:00
Ben Hutchings
92fee68e15
Prepare to release linux (4.19.37-5+deb10u2).
2019-08-08 03:02:38 +01:00
Ben Hutchings
95a59b0c5d
inet: Avoid ABI change for IP ID hash change
2019-08-08 03:01:19 +01:00
Ben Hutchings
f02f2890aa
[x86] cpufeatures: Avoid ABI change for swapgs mitigations
...
- Move swapgs feature bits to existing scattered words
- Revert "x86/cpufeatures: Combine word 11 and 12 into a new scattered
features word"
2019-08-08 02:49:24 +01:00
Salvatore Bonaccorso
07a6d57831
Add patchset for CVE-2019-1125
2019-08-07 08:34:30 +02:00
Romain Perier
65c2005956
[powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648)
2019-08-05 19:04:21 +02:00
Romain Perier
3b76691d24
Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
2019-08-05 18:57:05 +02:00
Romain Perier
ec64cb4c87
floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
...
This retrieves the patch from the linux-4.19.y branch and refreshes the
previous one "floppy: fix out-of-bounds read in copy_buffer", because
this is firstly "floppy: fix div-by-zero in setup_format_params" that is
applied upstream, then the one regarding out-of-bounds read in copy_buffer.
The one for CVE-2019-14283 was previously refreshed because it was not
applicable directly. Now both patches are synchronized with upstream and
applied in the same order.
2019-08-05 17:56:29 +02:00
Romain Perier
24c58d8c20
inet: switch IP ID generator to siphash (CVE-2019-10638)
2019-07-30 11:20:38 +02:00
Romain Perier
4962cdb584
floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
2019-07-30 11:14:00 +02:00
Aurelien Jarno
b394039686
[arm64] compat: Provide definition for COMPAT_SIGMINSTKSZ (Closes: #904385).
2019-07-29 22:36:47 +02:00
Uwe Kleine-König
8da545ad5d
rtc-s35390a: backport fix to make hwclock able to read the time
2019-07-28 21:37:15 +02:00
Uwe Kleine-König
ed5659c4e4
Merge branch 'imx6' of salsa.debian.org:ukleinek/linux into buster
2019-07-28 21:23:53 +02:00
Romain Perier
8cb769111f
Input: gtco - bounds check collection indent level (CVE-2019-13631)
2019-07-27 13:15:59 +02:00
Romain Perier
167ecd4ada
scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
2019-07-22 14:01:45 +02:00
Romain Perier
84b1bd80aa
Revert unwanted changes for buster-security
...
We need to be based onto 4.19.37-5+deb10u1, and only include security
related topics. Things or improvements added to 4.19.37-6 (that is
already in sid) should be removed because they should not be uploaded
to buster-security accidentally.
2019-07-22 11:44:02 +02:00
Salvatore Bonaccorso
01d9fffd29
Release linux (4.19.37-5+deb10u1).
...
Merge tag 'debian/4.19.37-5+deb10u1' into buster
Release linux (4.19.37-5+deb10u1).
2019-07-20 23:07:45 +02:00
Romain Perier
1e1ff4ce9c
binder: fix race between munmap() and direct reclaim (CVE-2019-1999)
2019-07-20 18:36:49 +02:00
Romain Perier
091f76e86d
nfc: Ensure presence of required attributes in the deactivate_target handler (CVE-2019-12984)
2019-07-20 18:21:14 +02:00
Romain Perier
fbe4322901
[powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817)
2019-07-20 17:17:59 +02:00
Romain Perier
7e902dbcd3
[x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233)
2019-07-20 17:17:43 +02:00
Salvatore Bonaccorso
aa3c23fe0e
Release linux (4.19.37-5+deb10u1).
...
Merge tag 'debian/4.19.37-5+deb10u1' into buster-security
Release linux (4.19.37-5+deb10u1).
2019-07-19 11:15:23 +02:00
Salvatore Bonaccorso
786d73da80
Prepare to release linux (4.19.37-5+deb10u1).
2019-07-19 10:46:02 +02:00
Salvatore Bonaccorso
c6f3814dc4
ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)
2019-07-19 10:45:11 +02:00
Uwe Kleine-König
faee94d2ad
[armhf] Add support for all i.MX6 variants.
2019-07-16 16:48:34 +02:00
John Paul Adrian Glaubitz
c342a968c4
[sh4]: Check for kprobe trap number before trying to handle a kprobe trap
2019-06-23 18:59:55 +02:00
Ben Hutchings
e2cc6dfed3
debian/changelog: Clean up entry for Huawei TaiShan support
2019-06-23 17:27:59 +01:00
Ben Hutchings
c01ce3da12
Merge branch '93sam/linux-huawei-taishan-support' into sid
...
[arm64] Improve support for the Huawei TaiShan server platform
See merge request kernel-team/linux!151
2019-06-23 17:19:03 +01:00
Salvatore Bonaccorso
eb5241a213
tcp: refine memory limit test in tcp_fragment()
...
Closes: #930904
2019-06-23 16:15:34 +02:00
Steve McIntyre
2c3b28ea8f
[arm64] Improve support for the Huawei TaiShan server platform
...
Closes: #930554
Enable the HNS/ROCE Infiniband driver
Backport fixes from 4.20 and 4.21 for HNS3 networking, hisi_sas SAS
and HNS/ROCE Infiniband
Signed-off-by: Steve McIntyre <93sam@debian.org>
2019-06-23 10:58:07 +01:00
Ben Hutchings
8fb3f0b24d
Prepare to release linux (4.19.37-5).
2019-06-19 23:16:58 +01:00
Ben Hutchings
e60e81ccd9
debian/changelog: Wrap a >80-character line
2019-06-19 23:16:33 +01:00
Ben Hutchings
0a8cb2b316
Add ABI reference for 4.19.0-5
...
This is based on version 4.19.37-1 and 4.19.37-3, which are
consistent except for the addition of two symbols related to the
MDS mitigation on x86.
2019-06-19 23:16:32 +01:00
Ben Hutchings
ac648cc5be
debian/changelog: Record ABI fix that did *not* make it into 4.19.37-4
...
Thought I'd built with the ABI fix, but didn't. And there was
no ABI reference to catch this. :-(
2019-06-19 23:16:25 +01:00
Romain Perier
d2962338d6
[sparc64] Fix device naming inconsistency between sunhv_console and sunhv_reg (Closes: #926539)
2019-06-19 16:30:43 +02:00
Ben Hutchings
2536e21256
Prepare to release linux (4.19.37-4).
2019-06-17 20:00:30 +01:00
Ben Hutchings
afceeb64fe
debian/changelog: List changes in 4.19.37-rt20
2019-06-17 20:00:14 +01:00
Ben Hutchings
1e253edaa7
Add TCP DoS fixes
2019-06-17 19:46:08 +01:00
Ben Hutchings
4ea468554d
mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() (CVE-2019-10126)
2019-06-17 19:32:38 +01:00
Ben Hutchings
e5664e23f5
mm/mincore.c: make mincore() more conservative (CVE-2019-5489)
2019-06-17 19:29:35 +01:00
Ben Hutchings
1894e89399
mwifiex: Don't abort on small, spec-compliant vendor IEs
2019-06-17 19:29:14 +01:00
Ben Hutchings
70b1e1a8fa
mwifiex: Abort at too short BSS descriptor element
2019-06-17 19:25:01 +01:00
Ben Hutchings
54fa813858
mwifiex: Fix possible buffer overflows at parsing bss descriptor (CVE-2019-3846)
2019-06-17 19:24:10 +01:00
Alper Nebi Yasak
cc59373e08
[arm64] udeb: fb-modules: Include rockchipdrm, panel-simple, pwm_bl, pwm-cros-ec
...
Some ChromeOS devices need these for the display.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-06-10 18:50:46 +03:00
Alper Nebi Yasak
c8cdb80b66
[arm64] udeb: mmc-modules: Include phy-rockchip-emmc
...
Needed for internal storage on some ChromeOS devices.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-06-10 18:50:46 +03:00
Alper Nebi Yasak
cb05f8d52a
[arm64] udeb: usb-modules: Include phy-rockchip-typec, extcon-usbc-cros-ec
...
On Samsung Chromebook Plus (v1) trying to boot from a rootfs on a USB
storage device without these modules in the initramfs, it drops to an
initramfs shell with a non-working display. For the d-i netboot image,
the screen doesn't turn on, but the installer menu works.
A recent change to initramfs-tools includes extcon-usbc-cros-ec, so
include that and a relevant PHY module here as well.
Relevant:
https://salsa.debian.org/kernel-team/initramfs-tools/commit/994d698a
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-06-10 18:50:45 +03:00
Alper Nebi Yasak
3c9e2d8dee
[arm64] udeb: kernel-image: Include phy-rockchip-pcie
...
On some ChromeOS devices, this is required to connect to a wireless
network via mwifiex_pcie.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-06-10 18:50:45 +03:00
Alper Nebi Yasak
b68c83d156
[arm64] udeb: kernel-image: Include cros_ec_spi and SPI drivers
...
The cros_ec multifunction device provides the keyboard services on some
ChromeOS devices, but requires a bus to be enabled to communicate with
it. On Samsung Chromebook Plus (v1), including spi-rockchip and
cros_ec_spi are enough. A recent change in initramfs-tools included all
SPI drivers, so include them here as well.
Relevant:
https://salsa.debian.org/kernel-team/initramfs-tools/commit/797e5fed
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-06-10 18:50:45 +03:00
Alper Nebi Yasak
0114d125ba
udeb: input-modules: Include all keyboard driver modules
...
Some important modules like cros_ec_keyb are in input/keyboard. A recent
change in initramfs-tools also includes them, so include them here too.
Relevant:
https://salsa.debian.org/kernel-team/initramfs-tools/commit/40f66474
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-06-10 18:50:45 +03:00
Ben Hutchings
d7374fce1e
Merge branch 'sparc64-sid' into 'sid'
...
[sparc64] udeb: Disable suffix for kernel-image
See merge request kernel-team/linux!147
2019-06-09 23:28:08 +00:00
Aurelien Jarno
cbcfb20ce0
[mips] Correctly bounds check virt_addr_valid (Closes: #929366)
2019-06-09 00:06:52 +02:00
Salvatore Bonaccorso
3b44df1499
Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
2019-06-07 15:25:30 +02:00
Salvatore Bonaccorso
8910626bca
ext4: zero out the unused memory region in the extent tree block (CVE-2019-11833)
2019-06-07 14:53:07 +02:00
Salvatore Bonaccorso
23527ae20b
brcmfmac: add subtype check for event handling in data path (CVE-2019-9503)
2019-06-07 14:49:05 +02:00
Salvatore Bonaccorso
8970aaa563
brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
2019-06-07 14:43:58 +02:00
Romain Perier
c11ba60cce
[rt] Update to 4.19.37-rt20
2019-05-29 21:49:30 +02:00
Ben Hutchings
92a96d298e
[x86] lockdown,sysrq: Enable ALLOW_LOCKDOWN_LIFT_BY_SYSRQ (Closes: #929583)
2019-05-26 18:13:59 +01:00
John Paul Adrian Glaubitz
db249f2b52
[sparc64] udeb: Disable suffix for kernel-image
2019-05-21 14:29:31 +02:00
Ben Hutchings
a8c3d89c71
README.source: Document the various makefiles and use of out-of-tree builds
2019-05-19 15:05:10 +01:00
Ben Hutchings
a96bd61a2e
libbpf: Build out-of-tree
2019-05-19 14:49:48 +01:00
Ben Hutchings
9b28931859
libbpf: Use only 2 components in soversion, matching package name
...
Debian policy says the package name must change when the soname
changes. We don't expect the ABI to change in a stable update,
so use only 2 components in both.
2019-05-19 14:48:13 +01:00
Ben Hutchings
a6879552b5
Drop unnecessary changes from "libbpf: add SONAME to shared object"
...
It's not necessary to delete the definitions of the variables that
become unused. Nor is it necessary to move the definition of
LIBBPF_VERSION before LIB_FILES, because the latter is defined
as recursively expanded (i.e. its variable references are not
immediately expanded).
This makes the actual change we're making clearer, and should
reduce the future work to maintain this patch.
2019-05-19 14:36:25 +01:00
Ben Hutchings
9329ccdf87
[powerpc*] 64s: Include cpu header (fixes FTBFS)
2019-05-15 23:07:44 +01:00
Ben Hutchings
85eddd4dd2
Prepare to release linux (4.19.37-2).
2019-05-14 17:34:46 +01:00
Ben Hutchings
4abc99e835
[x86] linux-cpupower: Update CPPFLAGS for change in <asm/msr-index.h>
2019-05-14 17:34:29 +01:00
Ben Hutchings
1565dc00f4
[x86] Mitigate Microarchitectural Data Sampling (MDS) vulnerabilities
...
Together with a microcode update, this mitigates CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091.
2019-05-10 12:03:12 +01:00
Ben Hutchings
98cbc347d3
debian/bin: Fix Python static checker regressions (Closes: #928618)
2019-05-07 21:04:05 +01:00
Ben Hutchings
5ece558b8d
Prepare to release linux (4.19.37-1).
2019-05-05 19:32:32 +01:00
Ben Hutchings
ece5b4e4cd
mm,fs: Prevent page refcount overflow (CVE-2019-11487)
2019-05-05 15:44:05 +01:00
Ben Hutchings
83f5e0f1ef
tracing: Fix buffer_ref pipe ops
...
This is preparation for fixing CVE-2019-11487.
2019-05-05 15:42:32 +01:00
Ben Hutchings
4f3fa1e296
aio: Apply fixes from 4.19.38 (CVE-2019-10125)
2019-05-05 15:41:31 +01:00
Salvatore Bonaccorso
55a23e404a
[amd64,arm64] vfio/type1: Limit DMA mappings per container (CVE-2019-3882)
2019-05-05 16:06:15 +02:00
Ben Hutchings
2c62d20848
MODSIGN: Make shash allocation failure fatal
2019-05-05 13:47:00 +01:00
Ben Hutchings
06cccfd2c3
Merge branch 'bluca/linux-mod_db' into sid
...
Add patches to enable loading db and MOK keys
See merge request kernel-team/linux!139
2019-05-05 13:16:03 +01:00
Ben Hutchings
95f09d9f29
Merge branch 'sid' of salsa.debian.org:kernel-team/linux into sid
2019-05-05 13:15:29 +01:00
Salvatore Bonaccorso
319a580681
Add Debian bug closer for #928457
2019-05-05 10:25:26 +02:00
Vagrant Cascadian
5be0740b91
Add changelog entry for "gencontrol_signed.py: Sort list of modules..."
2019-05-04 18:39:31 -07:00
Ben Hutchings
f79da03296
drivers/firmware/google: Adjust configuration for 4.19
2019-05-04 22:40:59 +01:00
Ben Hutchings
88cad5a2fb
Merge branch 'sid' into 'sid'
...
[arm64] Enable configs for Samsung Chromebook Plus (v1) and other rk3399-gru based devices
See merge request kernel-team/linux!142
2019-05-04 21:34:02 +00:00
Luca Boccassi
643cc8a41c
Add patches to enable loading dbx and MOKX blacklists
...
Import patches from:
https://lore.kernel.org/patchwork/cover/933178/
that allow to also load dbx and MOKX as blacklists for modules.
These patches also disable loading MOK/MOKX when secure boot is
not enabled, as the variables will not be safe, and to check the
variables attributes before accepting them.
2019-05-02 23:04:18 +01:00
Luca Boccassi
188df85f5b
Add patches to enable loading db and MOK keys
...
Import patches from:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi
that enable a new option that automatically loads keys from db
and MOK into the secondary keyring, so that they can be used to
verify the signature of kernel modules. Enable the required KCONFIGs.
Allows users to self-sign modules (eg: dkms).
2019-05-02 22:59:42 +01:00
Uwe Kleine-König
40e420be45
[armhf] Disable MVNETA_BM_ENABLE again
2019-05-02 22:13:54 +02:00
Salvatore Bonaccorso
ecc794295f
Remove annotation for one REJECTed CVE
...
Gbp-Dch: Ignore
2019-05-01 20:46:07 +02:00
Alper Nebi Yasak
b64a303c60
[arm64] Enable configs for Samsung Chromebook Plus (v1) and other rk3399-gru based devices
...
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
2019-05-01 17:40:56 +03:00
Ben Hutchings
ca91c5f5f3
Note that upstream change closes #925496
2019-05-01 14:18:46 +01:00
Romain Perier
0eb7489dad
Enable coreboot memconsole (Closes: #872069)
...
With this option enabled, the kernel will be able to retrieve firmware
logs by looking in the coreboot table. This can be accessed from
userspace via the sysfs file /sys/firmware/log.
2019-04-30 16:54:11 +02:00
Ben Hutchings
82f685da41
[sparc64] linux-image: Install uncompressed kernel image
...
Requested by John Paul Adrian Glaubitz, with the explanation:
> GRUB doesn't really support compressed kernels with OpenFirmware, at
> least on SPARC. It used to work with 2.02+patches but it doesn't
> work with GRUB 2.04~rc1 and upstream said that it's not really
> supported.
2019-04-30 15:49:46 +01:00
Romain Perier
fd064d4e63
[rt] Update to 4.19.37-rt19
2019-04-30 14:46:18 +02:00
Salvatore Bonaccorso
e6b7661450
Replace CVE id for CVE-2019-11599
...
Originally CVE-2019-3892 appeared which was REJECTED as reservation
duplicate of CVE-2019-11599.
Gbp-Dch: Ignore
2019-04-30 10:37:56 +02:00
Ben Hutchings
c72c0fff0a
[x86] platform: Enable INTEL_ATOMISP2_PM as module
2019-04-28 18:57:27 +01:00
Ben Hutchings
7ebc9f9504
Update to 4.19.37
...
* Refresh/drop patches as appropriate
2019-04-28 18:55:53 +01:00
Salvatore Bonaccorso
ad494c2131
tty: mark Siemens R3964 line discipline as BROKEN (CVE-2019-11486)
2019-04-26 16:11:56 +02:00
Salvatore Bonaccorso
859ec5f504
[x86] Disable R3964 due to lack of security support
2019-04-26 16:08:19 +02:00
Salvatore Bonaccorso
1c6240e692
inotify: Fix fsnotify_mark refcount leak in inotify_update_existing_watch() (CVE-2019-9857)
2019-04-26 14:54:14 +02:00
Ben Hutchings
cda3581467
ntfs: Mark it as broken, and add CVE IDs that are being closed
2019-04-25 15:35:56 +01:00
Ben Hutchings
becaca2c80
ntfs: Disable NTFS_FS due to lack of upstream security support
2019-04-25 15:27:49 +01:00
Ben Hutchings
81f14e4fc0
udeb: Drop unused ntfs-modules packages
...
The installer uses ntfs-3g-udeb instead.
2019-04-25 15:27:49 +01:00
Aurelien Jarno
223d2f61ad
[mips] Fix indirect syscall tracing & seccomp filtering for big endian MIPS64 kernels with 32-bit userland.
2019-04-23 19:35:04 +02:00
Ben Hutchings
8f20d53908
[armel/marvell,sh4] linux-image: Recommend apparmor, like all other configs
...
The "recommends" field set in the [image] section for these
configurations overrode the field at the top level. We want
gencontrol.py to concatenate the relations in this section at all
levels.
The ConfigCore.get_merge method supports doing this, but only with
list fields. So we need to specify in the config schema that these
fields are comma-separated lists.
2019-04-22 00:30:48 +01:00
Ben Hutchings
967b7d1987
linux-source: Recommend bison and flex, always needed to build the kernel
2019-04-21 23:59:50 +01:00
Ben Hutchings
e6231a29a7
[i386] Add grub-efi-ia32 as an alternate recommended bootloader
2019-04-21 23:56:35 +01:00
Ben Hutchings
25aadd8f22
[powerpc,ppc64,ppc64el] linux-image: Recommend grub-ieee1275
2019-04-21 23:56:01 +01:00
Ben Hutchings
a828d99124
[sparc64] linux-image: Recommend grub-ieee1275 instead of (removed) silo
2019-04-21 23:55:01 +01:00
Ben Hutchings
fb4777ce47
lockdown: Refer to Debian wiki until manual page exists
2019-04-21 00:22:20 +01:00
Ben Hutchings
7c8c3551e1
udeb: Add all HWRNG drivers to kernel-image (see #923675)
...
The installer will soon start using haveged to provide entropy if
needed, but an HWRNG is probably still preferable.
2019-04-21 00:09:41 +01:00
Ben Hutchings
693aafefbb
[armel/marvell] Disable HW_RANDOM as no HWRNG drivers are usable here
...
We were building the omap-rng driver, because the same block is used
on some recent Marvell chips and HW_RANDOM_OMAP is enabled by default
if ARCH_MVEBU is enabled.
We were also building virtio-rng, but there isn't (so far as I know)
any publicly available emulation of the ARMv5 Marvell chips.
As we're about to include HWRNG drivers to the installer, disable the
whole subsystem for armel/marvell to avoid adding useless drivers.
2019-04-20 23:35:33 +01:00
Ben Hutchings
ea0d63df90
[ia64] linux-image: Recommend grub-efi-ia64 instead of (removed) elilo
2019-04-20 23:04:54 +01:00
Salvatore Bonaccorso
2dff862341
ACPICA: Namespace: remove address node from global list after method termination
2019-04-19 21:06:18 +02:00
Ben Hutchings
c854151c38
[riscv64] linux-image-dbg: Include vdso debug symbols
2019-04-18 00:55:26 +01:00
Salvatore Bonaccorso
90f48698a0
Fix typo: architecures -> architectures
...
Thanks: Cyril Brulebois
Gbp-Dch: Ignore
2019-04-15 21:05:02 +02:00
Salvatore Bonaccorso
4eef18f8b7
xen/pciback: Don't disable PCI_COMMAND on PCI device reset. (CVE-2015-8553)
2019-04-14 22:39:31 +02:00
Bastian Blank
c4517a7e99
Don't longer recommend irqbalance
2019-04-13 08:32:35 +02:00
Salvatore Bonaccorso
f73d6fa21b
Add bug closer for #923723
...
Gbp-Dch: Ignore
2019-04-12 23:39:23 +02:00
Salvatore Bonaccorso
c859bfa672
Add bug closer for #919290
...
Gbp-Dch: Ignore
2019-04-12 23:29:37 +02:00
Salvatore Bonaccorso
dde049bffb
Fix brackets for arch markes
...
Gbp-Dch: Ignore
2019-04-12 09:47:27 +02:00
Luca Boccassi
5a39ad2910
Generate and install libbpf.pc
...
Backport patch from bpf-next and install libbpf.pc in libbpf-dev
2019-04-11 23:15:22 +01:00
Ben Hutchings
1acfe734b7
Merge branch 'sf/linux-sid' into sid
...
Enable SND_SOC_SPDIF on armmp-lpae
See merge request kernel-team/linux!137
2019-04-09 01:19:39 +01:00
YunQiang Su
5ee30838da
re-enable JUMP_LABEL for mips r6
...
[bwh: Cherry-picked onto the sid branch]
2019-04-09 01:07:11 +01:00
Ben Hutchings
502148bb02
[armhf,arm64] Revert "net: stmmac: Send TSO packets always from Queue 0"
2019-04-09 01:05:01 +01:00
Ben Hutchings
a0366b7dd1
[rt] Update to 4.19.31-rt18
2019-04-09 00:53:38 +01:00
Ben Hutchings
6fa9d66378
[rt] Add new signing subkey for Steven Rostedt
2019-04-09 00:47:01 +01:00
Ben Hutchings
7935c22e07
Bump ABI to 5
...
There are too many ABI changes for me to cope with.
2019-04-09 00:33:21 +01:00
Ben Hutchings
821ec1b181
Update to 4.19.34
...
* Drop/refresh patches as appropriate
2019-04-09 00:27:06 +01:00
Stefan Fritsch
5862c7e202
Enable SND_SOC_SPDIF on armmp-lpae
...
Needed for Cubietruck
2019-04-07 09:53:33 +02:00
Ben Hutchings
6039118f59
[powerpc*] vdso: Make vdso32 installation conditional in vdso_install
...
Closes: #785065
This finally removes the need for the ppc64el compiler to support
32-bit code generation, and removes a useless file from debug
packages on ppc64el.
2019-03-22 04:28:49 +00:00
Ben Hutchings
e3c916c6d7
debian/bin/abiupdate.py: Change default URLs to use https: scheme
...
Since we don't use the Release and Packages files to verify the
packages we download, it's worth using TLS to reduce the risk of
a man-in-the-middle corrupting them.
ftp.ports.debian.org and security.debian.org don't support TLS
in general, so use deb.debian.org for the ports and security
archives.
2019-03-18 23:11:23 +00:00
Ben Hutchings
0e10941761
debian/bin/abiupdate.py: Automatically select the correct archive to fetch from
...
If the changelog distribution is *-security, fetch from the security
archive. Otherwise, try the main archive, ports, incoming, and
incoming.ports in that order.
2019-03-18 22:53:16 +00:00
Ben Hutchings
926120d62f
Prepare to release linux (4.19.28-2).
2019-03-15 02:16:04 +00:00
Ben Hutchings
88d725750b
Merge remote-tracking branch 'salsa/sid' into sid
2019-03-15 01:45:58 +00:00
Ben Hutchings
44f134c2b9
Merge branch 'include-signing-cert' of salsa.debian.org:corsac/linux into sid
...
certs: include both root CA and direct signing certificate
See merge request kernel-team/linux!135
2019-03-14 21:26:12 +00:00
Vagrant Cascadian
fb17e155b9
[arm64,armhf] Drop PHY_ROCKCHIP_INNO_HDMI, not available till linux
...
v4.20.
2019-03-14 13:32:38 -07:00
Vagrant Cascadian
73f7977c15
[arm64,armhf] Enable PHY_ROCKCHIP_INNO_HDMI as built-ins, not
...
available as modules.
2019-03-14 13:10:29 -07:00
Ben Hutchings
0664e4e069
Merge branch 'sid' of salsa.debian.org:kernel-team/linux into sid
2019-03-14 17:53:52 +00:00
Ben Hutchings
0b67903203
[ppc64el] Disable PCMCIA (fixes FTBFS)
...
It appears to be technically possible to use PCMCIA cards on POWER8/9
systems through a PCI Express to PCI adapter and a PCI to
PCMCIA/CardBus adapter. But I can't believe anyone would want to.
So rather than adding a pcmcia-modules package or excluding the
drivers from udebs, disable PCMCIA altogether.
2019-03-14 17:49:45 +00:00
Ben Hutchings
ae178b6c72
udeb: Make serial_cs optional in serial-modules
...
The next commit will stop building PCMCIA drivers on ppc64el.
2019-03-14 17:48:52 +00:00
Yves-Alexis Perez
af53d158a0
certs: include both root CA and direct signing certificate. closes: #924545
...
Module loading needs the issuer certificate to validate the signature,
and that certificate is not embedded in the signature itself.
For now embed both the signing certificate and the root CA.
2019-03-14 14:16:50 +01:00
Vagrant Cascadian
2f067b01ec
[arm64] Enable MESON_EFUSE as a module.
2019-03-13 23:50:41 -07:00
Vagrant Cascadian
32b309d27c
[arm64] Enable I2C_GPIO as a module.
2019-03-13 23:50:03 -07:00
Vagrant Cascadian
22dd68875f
[arm64,armhf] Enable PHY_ROCKCHIP_INNO_HDMI as modules.
2019-03-13 23:49:26 -07:00
Vagrant Cascadian
7adaffb5a6
[arm64] Enable DRM_SUN4I and DRM_SUN8I_DW_HDMI as modules.
2019-03-13 23:48:44 -07:00
Ben Hutchings
20351317dd
[x86] Drop fix for #865303, which no longer affects Debian's OpenJDK
...
This workaround is no longer needed for Debian's OpenJDK packages:
* OpenJDK 7 is unfixed (bug #876068) but is not present in stretch or
later suites
* OpenJDK 8 was fixed in unstable (bug #876051) and the fix was then
included in a stretch security update
* OpenJDK 9 and later were fixed (bug #876069)
The workaround was never applied upstream and it also doesn't seem
like a good idea to have a Debian-specific VM quirk that weakens the
defence against Stack Clash. Therefore drop it now rather than
including it in another release.
2019-03-13 18:37:35 +00:00
Ben Hutchings
7064a34f6e
[x86,alpha,m68k] binfmt: Disable BINFMT_AOUT, IA32_AOUT, OSF4_COMPAT
...
a.out support is now untested and occasionally results in security
bugs, and will be deprecated upstream (depends on BROKEN) for x86 in
5.1. Disable it completely.
See:
https://lore.kernel.org/lkml/CAG48ez1RVd5mQ_Pb6eygQESaZhpQz765OAZYSoPE0kPqfZEXQg@mail.gmail.com/
https://lore.kernel.org/lkml/20190305145717.GD8256@zn.tnic/
2019-03-13 18:31:13 +00:00
Ben Hutchings
4895e487e1
Prepare to release linux (4.19.28-1).
2019-03-12 05:06:28 +00:00
Ben Hutchings
fb875ddeb6
Bump ABI to 4
2019-03-10 23:34:30 +00:00
Ben Hutchings
4454021eb3
debian/bin/gencontrol_signed.py: Put all files.json fields under "packages"
...
Follow the schema change made in
3a07a08a82
2019-03-10 22:46:07 +00:00
Ben Hutchings
16e5e055ca
certs: Replace test signing certificate with production signing certificate
2019-03-10 22:28:08 +00:00
Vagrant Cascadian
8a42d3ccb9
debian/changelog: Note upstream change closing bugs #913119, #913138.
2019-03-10 15:21:11 -07:00
Ben Hutchings
3f14005d42
Merge branch 'sid' into 'sid'
...
MIPS related backports to 4.19
See merge request kernel-team/linux!131
2019-03-10 21:57:55 +00:00
Ben Hutchings
224fd4bf26
debian/changelog: Note upstream change closing bug #921542
2019-03-10 21:49:26 +00:00
Romain Perier
340ed90d8e
Update to 4.19.28
2019-03-10 16:57:21 +01:00
Salvatore Bonaccorso
22610f2634
exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
2019-03-10 09:00:43 +01:00
Ben Hutchings
531357e266
debian/changelog: Only close #922182 once
2019-03-07 21:47:35 +00:00
Ben Hutchings
3ebd4206bf
debian/changelog: Clean up 4.19.27 changes
...
* "svm" is AMD's virtualisation interface for x86 only
* We don't support the MIPS BCM63xx platform
2019-03-07 21:43:35 +00:00