[linux] 01/03: Update to 4.9.46
debian-kernel at lists.debian.org
Sun Sep 3 18:56:54 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch
in repository linux.
commit 17811b5a4b11b32307baca3b88067398a1168cfb
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Sep 1 01:20:11 2017 +0100
Update to 4.9.46
---
debian/changelog | 1188 +++++++++++++++++++-
...-timer-fix-missing-queue-indices-reset-at.patch | 52 -
...lsa-timer-fix-race-between-read-and-ioctl.patch | 69 --
...nfmt_elf-use-elf_et_dyn_base-only-for-pie.patch | 167 ---
...x-possible-buffer-overflow-in-brcmf_cfg80.patch | 46 -
...to-skcipher-Add-missing-api-setkey-checks.patch | 73 --
...cp-tcp-do-not-inherit-mc_list-from-parent.patch | 37 -
.../patches/bugfix/all/dentry-name-snapshots.patch | 228 ----
...don-t-leak-bo-on-drm_gem_object_init-fail.patch | 35 -
.../fs-exec.c-account-for-argv-envp-pointers.patch | 90 --
...overflow-of-offset-in-ip6_find_1stfragopt.patch | 55 -
...ip6_find_1stfragopt-return-value-properly.patch | 84 --
...p-do-not-inherit-ipv6_mc_list-from-parent.patch | 59 -
.../all/ipv6-fix-leak-in-ipv6_gso_segment.patch | 32 -
...-out-of-bound-writes-in-__ip6_append_data.patch | 62 -
...nt-overrun-when-parsing-v6-header-options.patch | 221 ----
...-use-consistent-conditional-judgement-for.patch | 38 -
...andle-errors-reported-by-xfrm6_find_1stfr.patch | 40 -
...reduce-max_lock_depth-to-avoid-overflowin.patch | 44 -
...mm-fix-new-crash-in-unmapped_area_topdown.patch | 46 -
.../mm-larger-stack-guard-gap-between-vmas.patch | 886 ---------------
...eue-fix-a-use-after-free-in-sys_mq_notify.patch | 50 -
...lback-create-the-callback-service-through.patch | 78 --
...et-fix-tp_reserve-race-in-packet_set_ring.patch | 46 -
...everal-cases-where-a-padded-len-isn-t-che.patch | 206 ----
...-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch | 29 -
...p-consistently-apply-ufo-or-fragmentation.patch | 85 --
...k-don-t-leak-stack-data-via-response-ring.patch | 130 ---
...nel-Fix-FP-and-vector-register-restoratio.patch | 52 -
.../revert-s390-move-exports-to-definitions.patch | 23 +-
...x-Make-sure-backup_handle-is-always-valid.patch | 60 -
...limit-the-number-of-mip-levels-in-vmw_gb_.patch | 38 -
.../kvm-x86-fix-singlestepping-over-syscall.patch | 12 +-
...rryview-add-a-quirk-to-make-acer-chromebo.patch | 94 --
...rryview-add-terminate-entry-for-dmi_syste.patch | 28 -
debian/patches/debian/tools-perf-install.patch | 6 +-
debian/patches/series | 32 -
37 files changed, 1186 insertions(+), 3335 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 850b216..bc35e38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,23 +1,1184 @@
-linux (4.9.30-3) UNRELEASED; urgency=medium
+linux (4.9.46-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.31
+ - driver: vrf: Fix one possible use-after-free issue
+ - [s390x] qeth: handle sysfs error during initialization
+ - [s390x] qeth: unbreak OSM and OSN support
+ - [s390x] qeth: avoid null pointer dereference on OSN
+ - [s390x] qeth: add missing hash table initializations
+ - [arm64] bpf: fix faulty emission of map access in tail calls
+ - netem: fix skb_orphan_partial()
+ - net: fix compile error in skb_orphan_partial()
+ - tcp: avoid fragmenting peculiar skbs in SACK
+ - sctp: fix src address selection if using secondary addresses for ipv6
+ - net/packet: fix missing net_device reference release
+ - net/mlx5e: Use the correct pause values for ethtool advertising
+ - net/mlx5e: Fix ethtool pause support and advertise reporting
+ - tcp: eliminate negative reordering in tcp_clean_rtx_queue
+ - net: Improve handling of failures on link and route dumps
+ - bridge: netlink: check vlan_default_pvid range
+ - qmi_wwan: add another Lenovo EM74xx device ID
+ - bridge: start hello_timer when enabling KERNEL_STP in br_stp_start
+ - bonding: fix accounting of active ports in 3ad
+ - net/mlx5: Avoid using pending command interface slots
+ - net: phy: marvell: Limit errata to 88m1101
+ - vlan: Fix tcp checksum offloads in Q-in-Q vlans
+ - be2net: Fix offload features for Q-in-Q packets
+ - virtio-net: enable TSO/checksum offloads for Q-in-Q vlans
+ - tcp: avoid fastopen API to be used on AF_UNSPEC
+ - sctp: fix ICMP processing if skb is non-linear
+ - ipv4: add reference counting to metrics
+ - bpf: add bpf_clone_redirect to bpf_helper_changes_pkt_data
+ - fs/ufs: Set UFS default maximum bytes per file
+ - [powerpc*] spufs: Fix hash faults for kernel regions
+ - drivers/tty: 8250: only call fintek_8250_probe when doing port I/O
+ - i2c: i2c-tiny-usb: fix buffer not being DMA capable
+ - [x86] MCE: Export memory_error()
+ - acpi, nfit: Fix the memory error check in nfit_handle_mce()
+ - Revert "ACPI / button: Change default behavior to lid_init_state=open"
+ - mmc: sdhci-iproc: suppress spurious interrupt with Multiblock read
+ - iscsi-target: Always wait for kthread_should_stop() before kthread exit
+ - ibmvscsis: Clear left-over abort_cmd pointers
+ - ibmvscsis: Fix the incorrect req_lim_delta
+ - HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference
+ - nvme-rdma: support devices with queue size < 32
+ - nvme: use blk_mq_start_hw_queues() in nvme_kill_queues()
+ - nvme: avoid to use blk_mq_abort_requeue_list()
+ - scsi: mpt3sas: Force request partial completion alignment
+ - drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+ - drm/radeon: Unbreak HPD handling for r600+
+ - drm/radeon: Fix vram_size/visible values in DRM_RADEON_GEM_INFO ioctl
+ - pcmcia: remove left-over %Z format
+ - ALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430
+ - mm/migrate: fix refcount handling when !hugepage_migration_supported()
+ - mlock: fix mlock count can not decrease in race condition
+ - mm: consider memblock reservations for deferred memory initialization
+ sizing
+ - RDMA/qib,hfi1: Fix MR reference count leak on write with immediate
+ - [x86] boot: Use CROSS_COMPILE prefix for readelf
+ - ksm: prevent crash after write_protect_page fails
+ - slub/memcg: cure the brainless abuse of sysfs attributes
+ - mm/slub.c: trace free objects at KERN_INFO
+ - [x86] drm/gma500/psb: Actually use VBT mode when it is found
+ - xfs: Fix missed holes in SEEK_HOLE implementation
+ - xfs: use ->b_state to fix buffer I/O accounting release race
+ - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()
+ - xfs: verify inline directory data forks
+ - xfs: rework the inline directory verifiers
+ - xfs: fix kernel memory exposure problems
+ - xfs: use dedicated log worker wq to avoid deadlock with cil wq
+ - xfs: fix over-copying of getbmap parameters from userspace
+ - xfs: actually report xattr extents via iomap
+ - xfs: drop iolock from reclaim context to appease lockdep
+ - xfs: fix integer truncation in xfs_bmap_remap_alloc
+ - xfs: handle array index overrun in xfs_dir2_leaf_readbuf()
+ - xfs: prevent multi-fsb dir readahead from reading random blocks
+ - xfs: fix up quotacheck buffer list error handling
+ - xfs: support ability to wait on new inodes
+ - xfs: update ag iterator to support wait on new inodes
+ - xfs: wait on new inodes during quotaoff dquot release
+ - xfs: reserve enough blocks to handle btree splits when remapping
+ - xfs: fix use-after-free in xfs_finish_page_writeback
+ - xfs: fix indlen accounting error on partial delalloc conversion
+ - xfs: BMAPX shouldn't barf on inline-format directories
+ - xfs: bad assertion for delalloc an extent that start at i_size
+ - xfs: xfs_trans_alloc_empty
+ - xfs: avoid mount-time deadlock in CoW extent recovery
+ - xfs: fix unaligned access in xfs_btree_visit_blocks
+ - xfs: Fix off-by-in in loop termination in xfs_find_get_desired_pgoff()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.32
+ - bnx2x: Fix Multi-Cos
+ - vxlan: eliminate cached dst leak
+ - cxgb4: avoid enabling napi twice to the same queue
+ - tcp: disallow cwnd undo when switching congestion control
+ - vxlan: fix use-after-free on deletion
+ - net: ping: do not abuse udp_poll()
+ - net/ipv6: Fix CALIPSO causing GPF with datagram support
+ - net: ethoc: enable NAPI before poll may be scheduled
+ - net: stmmac: fix completely hung TX when using TSO
+ - net: bridge: start hello timer only if device is up
+ - serial: ifx6x60: fix use-after-free on module unload
+ - ptrace: Properly initialize ptracer_cred on fork
+ - crypto: asymmetric_keys - handle EBUSY due to backlog correctly
+ - KEYS: fix dereferencing NULL payload with nonzero length
+ - KEYS: fix freeing uninitialized memory in key_update()
+ - KEYS: encrypted: avoid encrypting/decrypting stack buffers
+ - crypto: drbg - wait for crypto op not signal safe
+ - crypto: gcm - wait for crypto op not signal safe
+ - drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
+ - nfsd4: fix null dereference on replay
+ - nfsd: Fix up the "supattr_exclcreat" attributes
+ - efi: Don't issue error message when booted under Xen
+ - kvm: async_pf: fix rcu_irq_enter() with irqs enabled
+ - [x86] KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid
+ emulation
+ - [arm64] KVM: Preserve RES1 bits in SCTLR_EL2
+ - [arm64] KVM: Allow unaligned accesses at EL2
+ - [armhf] KVM: Allow unaligned accesses at HYP
+ - KVM: async_pf: avoid async pf injection when in guest mode
+ - [armhf,arm64] KVM: vgic-v3: Do not use Active+Pending state for a HW
+ interrupt
+ - [armhf,arm64] KVM: vgic-v2: Do not use Active+Pending state for a HW
+ interrupt
+ - dmaengine: usb-dmac: Fix DMAOR AE bit definition
+ - dmaengine: ep93xx: Always start from BASE0
+ - dmaengine: ep93xx: Don't drain the transfers in terminate_all()
+ - dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly
+ - dmaengine: mv_xor_v2: properly handle wrapping in the array of HW
+ descriptors
+ - dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx
+ - dmaengine: mv_xor_v2: enable XOR engine after its configuration
+ - dmaengine: mv_xor_v2: fix tx_submit() implementation
+ - dmaengine: mv_xor_v2: remove interrupt coalescing
+ - dmaengine: mv_xor_v2: set DMA mask to 40 bits
+ - cfq-iosched: fix the delay of cfq_group's vdisktime under iops mode
+ - xen/privcmd: Support correctly 64KB page granularity when mapping memory
+ - ext4: fix SEEK_HOLE
+ - ext4: keep existing extra fields when inode expands
+ - ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO
+ - ext4: fix fdatasync(2) after extent manipulation operations
+ - drm: Fix oops + Xserver hang when unplugging USB drm devices
+ - usb: gadget: f_mass_storage: Serialize wake and sleep execution
+ - usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
+ - usb: chipidea: debug: check before accessing ci_role
+ - staging/lustre/lov: remove set_fs() call from lov_getstripe()
+ - iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's
+ - iio: light: ltr501 Fix interchanged als/ps register field
+ - iio: proximity: as3935: fix AS3935_INT mask
+ - iio: proximity: as3935: fix iio_trigger_poll issue
+ - mei: make sysfs modalias format similar as uevent modalias
+ - cpufreq: cpufreq_register_driver() should return -ENODEV if init fails
+ - target: Re-add check to reject control WRITEs with overflow data
+ - [arm64] drm/msm: Expose our reservation object when exporting a dmabuf.
+ - ahci: Acer SA5-271 SSD Not Detected Fix
+ - cgroup: Prevent kill_css() from being called more than once
+ - Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled
+ - cpuset: consider dying css as offline
+ - fs: add i_blocksize()
+ - ufs: restore proper tail allocation
+ - fix ufs_isblockset()
+ - ufs: restore maintaining ->i_blocks
+ - ufs: set correct ->s_maxsize
+ - ufs_extend_tail(): fix the braino in calling conventions of
+ ufs_new_fragments()
+ - ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path
+ - cxl: Fix error path on bad ioctl
+ - cxl: Avoid double free_irq() for psl,slice interrupts
+ - btrfs: use correct types for page indices in btrfs_page_exists_in_range
+ - btrfs: fix memory leak in update_space_info failure path
+ - [armhf,arm64] KVM: Handle possible NULL stage2 pud when ageing pages
+ - scsi: qla2xxx: don't disable a not previously enabled PCI device
+ - scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to
+ debug customer issues
+ - scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC
+ - scsi: qla2xxx: Fix mailbox pointer error in fwdump capture
+ - [powerpc*] sysdev/simple_gpio: Fix oops in gpio save_regs function
+ - [powerpc*] numa: Fix percpu allocations to be NUMA aware
+ - [powerpc*] hotplug-mem: Fix missing endian conversion of aa_index
+ - [powerpc*] kernel: Fix FP and vector register restoration
+ (Closes: #868902)
+ - [powerpc*] kernel: Initialize load_tm on task creation
+ - [x86] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
+ - drm/nouveau/tmr: fully separate alarm execution/pending lists
+ - ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
+ - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+ (CVE-2017-1000380)
+ - ASoC: Fix use-after-free at card unregistration
+ - cpu/hotplug: Drop the device lock on error
+ - drivers: char: mem: Fix wraparound check to allow mappings up to the end
+ - serial: sh-sci: Fix panic when serial console and DMA are enabled
+ - [arm64] traps: fix userspace cache maintenance emulation on a tagged
+ pointer
+ - [arm64] hw_breakpoint: fix watchpoint matching for tagged pointers
+ - [arm64] entry: improve data abort handling of tagged pointers
+ - [armel,armhf] 8637/1: Adjust memory boundaries after reservations
+ - usercopy: Adjust tests to deal with SMAP/PAN
+ - [x86] drm/i915/vbt: don't propagate errors from intel_bios_init()
+ - [x86] drm/i915/vbt: split out defaults that are set when there is no VBT
+ - cpufreq: schedutil: move cached_raw_freq to struct sugov_policy
+ - cpufreq: schedutil: Fix per-CPU structure initialization in sugov_start()
+ - netfilter: nft_set_rbtree: handle element re-addition after deletion
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.33
+ - PCI/PM: Add needs_resume flag to avoid suspend complete optimization
+ - [x86] drm/i915: Prevent the system suspend complete optimization
+ - partitions/msdos: FreeBSD UFS2 file systems are not recognized
+ - netfilter: nf_conntrack_sip: fix wrong memory initialisation
+ - ibmvnic: Fix endian errors in error reporting output
+ - ibmvnic: Fix endian error when requesting device capabilities
+ - net: xilinx_emaclite: fix freezes due to unordered I/O
+ - net: xilinx_emaclite: fix receive buffer overflow
+ - tcp: tcp_probe: use spin_lock_bh()
+ - ipv6: Handle IPv4-mapped src to in6addr_any dst.
+ - ipv6: Inhibit IPv4-mapped src address on the wire.
+ - tipc: Fix tipc_sk_reinit race conditions
+ - gfs2: Use rhashtable walk interface in glock_hash_walk
+ - NET: Fix /proc/net/arp for AX.25
+ - ibmvnic: Call napi_disable instead of napi_enable in failure path
+ - ibmvnic: Initialize completion variables before starting work
+ - NET: mkiss: Fix panic
+ - net: hns: Fix the device being used for dma mapping during TX
+ - sierra_net: Skip validating irrelevant fields for IDLE LSIs
+ - sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications
+ - i2c: piix4: Request the SMBUS semaphore inside the mutex
+ - i2c: piix4: Fix request_region size
+ - [powerpc*] powernv: Properly set "host-ipi" on IPIs
+ - kernel/ucount.c: mark user_header with kmemleak_ignore()
+ - net: thunderx: Fix PHY autoneg for SGMII QLM mode
+ - ipv6: addrconf: fix generation of new temporary addresses
+ - vfio/spapr_tce: Set window when adding additional groups to container
+ - ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping
+ switches
+ - PM / runtime: Avoid false-positive warnings from might_sleep_if()
+ - jump label: pass kbuild_cflags when checking for asm goto support
+ - shmem: fix sleeping from atomic context
+ - kasan: respect /proc/sys/kernel/traceoff_on_warning
+ - log2: make order_base_2() behave correctly on const input value zero
+ - ethtool: do not vzalloc(0) on registers dump
+ - net: phy: Fix lack of reference count on PHY driver
+ - net: phy: Fix PHY module checks and NULL deref in phy_attach_direct()
+ - net: fix ndo_features_check/ndo_fix_features comment ordering
+ - fscache: Fix dead object requeue
+ - fscache: Clear outstanding writes when disabling a cookie
+ - FS-Cache: Initialise stores_lock in netfs cookie
+ - ipv6: fix flow labels when the traffic class is non-0
+ - drm/nouveau: prevent userspace from deleting client object
+ - drm/nouveau/fence/g84-: protect against concurrent access to semaphore
+ buffers
+ - net/mlx4_core: Avoid command timeouts during VF driver device shutdown
+ - gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page
+ - [x86] pinctrl: baytrail: Rectify debounce support (part 2)
+ - cec: fix wrong last_la determination
+ - drm: prevent double-(un)registration for connectors
+ - drm: Don't race connector registration
+ - net: adaptec: starfire: add checks for dma mapping errors
+ - [x86] drm/i915: Check for NULL i915_vma in intel_unpin_fb_obj()
+ - net/mlx5: E-Switch, Err when retrieving steering name-space fails
+ - net/mlx5: Return EOPNOTSUPP when failing to get steering name-space
+ - net: phy: micrel: add support for KSZ8795
+ - gtp: add genl family modules alias
+ - drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE
+ - drm/nouveau: Rename acpi_work to hpd_work
+ - drm/nouveau: Handle fbcon suspend/resume in seperate worker
+ - drm/nouveau: Don't enabling polling twice on runtime resume
+ - drm/nouveau: Fix drm poll_helper handling
+ - drm/ast: Fixed system hanged if disable P2A
+ - ravb: unmap descriptors when freeing rings
+ - nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
+ - nvmet-rdma: Fix missing dma sync to nvme data structures
+ - r8152: avoid start_xmit to call napi_schedule during autosuspend
+ - r8152: check rx after napi is enabled
+ - r8152: re-schedule napi for tx
+ - r8152: fix rtl8152_post_reset function
+ - r8152: avoid start_xmit to schedule napi when napi is disabled
+ - bnxt_en: Fix bnxt_reset() in the slow path task.
+ - bnxt_en: Enhance autoneg support.
+ - bnxt_en: Fix RTNL lock usage on bnxt_update_link().
+ - bnxt_en: Fix RTNL lock usage on bnxt_get_port_module_status().
+ - sctp: sctp gso should set feature with NETIF_F_SG when calling skb_segment
+ - sctp: sctp_addr_id2transport should verify the addr before looking up
+ assoc
+ - usb: musb: Fix external abort on non-linefetch for musb_irq_work()
+ - romfs: use different way to generate fsid for BLOCK or MTD
+ - frv: add atomic64_add_unless()
+ - frv: add missing atomic64 operations
+ - proc: add a schedule point in proc_pid_readdir()
+ - userfaultfd: fix SIGBUS resulting from false rwsem wakeups
+ - kernel/watchdog.c: move hardlockup detector to separate file
+ - kernel/watchdog.c: move shared definitions to nmi.h
+ - kernel/watchdog: prevent false hardlockup on overloaded system
+ - [x86] vhost/vsock: handle vhost_vq_init_access() error
+ - tipc: ignore requests when the connection state is not CONNECTED
+ - tipc: fix connection refcount error
+ - tipc: add subscription refcount to avoid invalid delete
+ - tipc: fix nametbl_lock soft lockup at node/link events
+ - netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL
+ - netfilter: nft_log: restrict the log prefix length to 127
+ - RDMA/qedr: Dispatch port active event from qedr_add
+ - RDMA/qedr: Fix and simplify memory leak in PD alloc
+ - RDMA/qedr: Don't reset QP when queues aren't flushed
+ - RDMA/qedr: Don't spam dmesg if QP is in error state
+ - RDMA/qedr: Return max inline data in QP query result
+ - [s390x] kvm: do not rely on the ILC on kvm host protection fauls
+ - [x86] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail
+ - [x86] drm/i915: Always recompute watermarks when distrust_bios_wm is set,
+ v2.
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.34
+ - fs: pass on flags in compat_writev
+ - configfs: Fix race between create_link and configfs_rmdir
+ - can: gs_usb: fix memory leak in gs_cmd_reset()
+ - ila_xlat: add missing hash secret initialization
+ - cpufreq: conservative: Allow down_threshold to take values from 1 to 10
+ - vb2: Fix an off by one error in 'vb2_plane_vaddr'
+ - mac80211: don't look at the PM bit of BAR frames
+ - mac80211/wpa: use constant time memory comparison for MACs
+ - drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions.
+ - [x86] drm/i915: Fix GVT-g PVINFO version compatibility check
+ - usb: musb: dsps: keep VBUS on for host-only mode
+ - mac80211: fix CSA in IBSS mode
+ - mac80211: fix packet statistics for fast-RX
+ - mac80211: fix IBSS presp allocation size
+ - mac80211: strictly check mesh address extension mode
+ - mac80211: fix dropped counter in multiqueue RX
+ - mac80211: don't send SMPS action frame in AP mode when not needed
+ - [armhf,arm64] drm/vc4: Fix OOPSes from trying to cache a partially
+ constructed BO.
+ - serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
+ - serial: sh-sci: Fix late enablement of AUTORTS
+ - [i386] mm: Set the '__vmalloc_start_set' flag in initmem_init()
+ - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
+ - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
+ - staging: iio: tsl2x7x_core: Fix standard deviation calculation
+ - iio: st_pressure: Fix data sign
+ - iio: proximity: as3935: recalibrate RCO after resume
+ - iio: adc: ti_am335x_adc: allocating too much in probe
+ - IB/mlx5: Fix kernel to user leak prevention logic
+ - usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling
+ - usb: gadget: udc: renesas_usb3: fix deadlock by spinlock
+ - usb: gadget: udc: renesas_usb3: lock for PN_ registers access
+ - USB: hub: fix SS max number of ports
+ - usb: core: fix potential memory leak in error path during hcd creation
+ - USB: usbip: fix nonconforming hub descriptor
+ - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
+ - USB: gadget: dummy_hcd: fix hub-descriptor removable fields
+ - usb: r8a66597-hcd: select a different endpoint on timeout
+ - usb: r8a66597-hcd: decrease timeout
+ - ath10k: fix napi crash during rmmod when probe firmware fails
+ - misc: mic: double free on ioctl error path
+ - drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of
+ IS_ERR()
+ - usb: xhci: Fix USB 3.1 supported protocol parsing
+ - usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
+ - USB: gadget: fix GPF in gadgetfs
+ - USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
+ - mm/memory-failure.c: use compound_head() flags for huge pages
+ - swap: cond_resched in swap_cgroup_prepare()
+ - iio: imu: inv_mpu6050: add accel lpf setting for chip >= MPU6500
+ - sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
+ - genirq: Release resources in __setup_irq() error path
+ - alarmtimer: Prevent overflow of relative timers
+ - usb: gadget: composite: Fix function used to free memory
+ - usb: dwc3: exynos fix axius clock error path to do cleanup
+ - [mips*] Fix bnezc/jialc return address calculation
+ - [mips*] .its targets depend on vmlinux
+ - vTPM: Fix missing NULL check
+ - alarmtimer: Rate limit periodic intervals
+ - Allow stack to grow up to address space limit
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.35
+ - clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset
+ - xen/blkback: fix disconnect while I/Os in flight
+ - ALSA: firewire-lib: Fix stall of process context at packet error
+ - ALSA: pcm: Don't treat NULL chmap as a fatal error
+ - [powerpc*] perf: Fix oops when kthread execs user process
+ - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
+ - lib/cmdline.c: fix get_options() overflow while parsing ranges
+ - [x86] perf/intel: Add 1G DTLB load/store miss support for SKL
+ - [s390x] KVM: gaccess: fix real-space designation asce handling for gmap
+ shadows
+ - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly
+ - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly
+ - CIFS: Improve readdir verbosity
+ - cxgb4: notify uP to route ctrlq compl to rdma rspq
+ - HID: Add quirk for Dell PIXART OEM mouse
+ - signal: Only reschedule timers on signals timers have sent
+ - [powerpc*] kprobes: Pause function_graph tracing during jprobes handling
+ - powerpc/64s: Handle data breakpoints in Radix mode
+ - Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
+ - brcmfmac: add parameter to pass error code in firmware callback
+ - brcmfmac: use firmware callback upon failure to load
+ - brcmfmac: unbind all devices upon failure in firmware callback
+ - time: Fix clock->read(clock) race around clocksource changes
+ - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
+ - [arm64] vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
+ - target: Fix kref->refcount underflow in transport_cmd_finish_abort
+ - iscsi-target: Fix delayed logout processing greater than
+ SECONDS_FOR_LOGOUT_COMP
+ - iscsi-target: Reject immediate data underflow larger than SCSI transfer
+ length
+ - drm/radeon: add a PX quirk for another K53TK variant
+ - drm/radeon: add a quirk for Toshiba Satellite L20-183
+ - drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
+ - drm/amdgpu: adjust default display clock
+ - of: Add check to of_scan_flat_dt() before accessing initial_boot_params
+ - mtd: spi-nor: fix spansion quad enable
+ - usb: gadget: f_fs: avoid out of bounds access on comp_desc
+ - rt2x00: avoid introducing a USB dependency in the rt2x00lib module
+ - net: phy: Initialize mdio clock at probe function
+ - dmaengine: bcm2835: Fix cyclic DMA period splitting
+ - spi: double time out tolerance
+ - net: phy: fix marvell phy status reading
+ - jump label: fix passing kbuild_cflags when checking for asm goto support
+ - brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.36
+ - ipv6: release dst on error in ip6_dst_lookup_tail
+ - net: don't call strlen on non-terminated string in dev_set_alias()
+ - decnet: dn_rtmsg: Improve input length sanitization in
+ dnrmg_receive_user_skb
+ - net: Zero ifla_vf_info in rtnl_fill_vfinfo()
+ - net: vrf: Make add_fib_rules per network namespace flag
+ - af_unix: Add sockaddr length checks before accessing sa_family in bind
+ and connect handlers
+ - Fix an intermittent pr_emerg warning about lo becoming free.
+ - sctp: disable BH in sctp_for_each_endpoint
+ - net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
+ - net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse
+ - net/mlx5e: Added BW check for DIM decision mechanism
+ - net/mlx5e: Fix wrong indications in DIM due to counter wraparound
+ - proc: snmp6: Use correct type in memset
+ - igmp: acquire pmc lock for ip_mc_clear_src()
+ - igmp: add a missing spin_lock_init()
+ - ipv6: fix calling in6_ifa_hold incorrectly for dad work
+ - sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
+ - net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
+ - net/mlx5: Wait for FW readiness before initializing command interface
+ - net/mlx5e: Fix timestamping capabilities reporting
+ - decnet: always not take dst->__refcnt when inserting dst into hash table
+ - net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
+ - sfc: provide dummy definitions of vswitch functions
+ - ipv6: Do not leak throw route references
+ - rtnetlink: add IFLA_GROUP to ifla_policy
+ - netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
+ - netfilter: synproxy: fix conntrackd interaction
+ - NFSv4: fix a reference leak caused WARNING messages
+ - xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
+ - drm/ast: Handle configuration without P2A bridge
+ - mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
+ - [mips*] head: Reorder instructions missing a delay slot
+ - [mips*] Avoid accidental raw backtrace
+ - [mips*] pm-cps: Drop manual cache-line alignment of ready_count
+ - [mips*] Fix IRQ tracing & lockdep when rescheduling
+ - ALSA: hda - Fix endless loop of codec configure
+ - ALSA: hda - set input_path bitmap to zero after moving it to new place
+ - NFSv4.1: Fix a race in nfs4_proc_layoutget
+ - gpiolib: fix filtering out unwanted events
+ - [x86] drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
+ - dm thin: do not queue freed thin mapping for next stage processing
+ - [x86] mm: Fix boot crash caused by incorrect loop count calculation in
+ sync_global_pgds()
+ - usb: gadget: f_fs: Fix possibe deadlock
+ - l2tp: fix race in l2tp_recv_common()
+ - l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
+ - l2tp: fix duplicate session creation
+ - l2tp: hold session while sending creation notifications
+ - l2tp: take a reference on sessions used in genetlink handlers
+ - mm: numa: avoid waiting on freed migrated pages
+ - net: ethtool: add support for 2500BaseT and 5000BaseT link modes
+ - net: phy: add an option to disable EEE advertisement
+ - dt-bindings: net: add EEE capability constants
+ - net: phy: fix sign type error in genphy_config_eee_advert
+ - net: phy: use boolean dt properties for eee broken modes
+ - dt: bindings: net: use boolean dt properties for eee broken modes
+ - [arm64] dts: meson-gxbb-odroidc2: fix GbE tx link breakage
+ - xen/blkback: don't free be structure too early
+ - [x86] KVM: fix fixing of hypercalls
+ - scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
+ - stmmac: add missing of_node_put
+ - scsi: lpfc: Set elsiocb contexts to NULL after freeing it
+ - qla2xxx: Terminate exchange if corrupted
+ - qla2xxx: Fix erroneous invalid handle message
+ - drm/amdgpu: fix program vce instance logic error.
+ - drm/amdgpu: add support for new hainan variants
+ - net: phy: dp83848: add DP83620 PHY support
+ - [x86] perf/intel: Handle exclusive threadid correctly on CPU hotplug
+ - net: korina: Fix NAPI versus resources freeing
+ - [powerpc*] eeh: Enable IO path on permanent error
+ - net: ethtool: Initialize buffer when querying device channel settings
+ - xen-netback: fix memory leaks on XenBus disconnect
+ - xen-netback: protect resource cleaning on XenBus disconnect
+ - bnxt_en: Fix "uninitialized variable" bug in TPA code path.
+ - bpf: don't trigger OOM killer under pressure with map alloc
+ - objtool: Fix IRET's opcode
+ - gianfar: Do not reuse pages from emergency reserve
+ - Btrfs: Fix deadlock between direct IO and fast fsync
+ - Btrfs: fix truncate down when no_holes feature is enabled
+ - virtio_console: fix a crash in config_work_handler
+ - swiotlb-xen: update dev_addr after swapping pages
+ - xen-netfront: Fix Rx stall during network stress and OOM
+ - scsi: virtio_scsi: Reject commands when virtqueue is broken
+ - iwlwifi: fix kernel crash when unregistering thermal zone
+ - [x86] platform: ideapad-laptop: handle ACPI event 1
+ - amd-xgbe: Check xgbe_init() return code
+ - net: dsa: Check return value of phy_connect_direct()
+ - drm/amdgpu: check ring being ready before using
+ - vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
+ - mlxsw: spectrum_router: Correctly reallocate adjacency entries
+ - virtio_net: fix PAGE_SIZE > 64k
+ - ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
+ - vxlan: do not age static remote mac entries
+ - ibmveth: Add a proper check for the availability of the checksum features
+ - kernel/panic.c: add missing \n
+ - [x86] perf/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell
+ init code
+ - [x86] pinctrl: intel: Set pin direction properly
+ - net: phy: marvell: fix Marvell 88E1512 used in SGMII mode
+ - mac80211: recalculate min channel width on VHT opmode changes
+ - [x86] perf/intel: Use ULL constant to prevent undefined shift behaviour
+ - HID: i2c-hid: Add sleep between POWER ON and RESET
+ - scsi: lpfc: avoid double free of resource identifiers
+ - spi: davinci: use dma_mapping_error()
+ - [arm64] assembler: make adr_l work in modules under KASLR
+ - net: thunderx: acpi: fix LMAC initialization
+ - drm/radeon/si: load special ucode for certain MC configs
+ - drm/amd/powerplay: fix vce cg logic error on CZ/St.
+ - drm/amd/powerplay: refine vce dpm update code on Cz.
+ - pmem: return EIO on read_pmem() failure
+ - mac80211: initialize SMPS field in HT capabilities
+ - [x86] tsc: Add the Intel Denverton Processor to native_calibrate_tsc()
+ - [x86] mpx: Use compatible types in comparison to fix sparse error
+ - perf/core: Fix sys_perf_event_open() vs. hotplug
+ - [x86] perf: Reject non sampling events with precise_ip
+ - aio: fix lock dep warning
+ - coredump: Ensure proper size of sparse core files
+ - swiotlb: ensure that page-sized mappings are page-aligned
+ - [s390x] ctl_reg: make __ctl_load a full memory barrier
+ - usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value
+ - be2net: fix status check in be_cmd_pmac_add()
+ - be2net: don't delete MAC on close on unprivileged BE3 VFs
+ - be2net: fix MAC addr setting on privileged BE3 VFs
+ - perf probe: Fix to show correct locations for events on modules
+ - net: phy: dp83867: allow RGMII_TXID/RGMII_RXID interface types
+ - tipc: allocate user memory with GFP_KERNEL flag
+ - perf probe: Fix to probe on gcc generated functions in modules
+ - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
+ - sctp: check af before verify address in sctp_addr_id2transport
+ - ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets
+ - ravb: Fix use-after-free on `ifconfig eth0 down`
+ - mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings
+ - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
+ - xfrm: NULL dereference on allocation failure
+ - xfrm: Oops on error in pfkey_msg2xfrm_state()
+ - netfilter: use skb_to_full_sk in ip_route_me_harder
+ - watchdog: bcm281xx: Fix use of uninitialized spinlock.
+ - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
+ - spi: When no dma_chan map buffers with spi_master's parent
+ - spi: fix device-node leaks
+ - regulator: tps65086: Fix expected switch DT node names
+ - regulator: tps65086: Fix DT node referencing in of_parse_cb
+ - [armhf] OMAP2+: omap_device: Sync omap_device and pm_runtime after probe
+ defer
+ - [armhf] dts: OMAP3: Fix MFG ID EEPROM
+ - [arm64] ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
+ - [armel,armhf] 8685/1: ensure memblock-limit is pmd-aligned
+ - [x86] tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel
+ - [x86] boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug
+ - [x86] mpx: Correctly report do_mpx_bt_fault() failures to user-space
+ - [x86] mm: Fix flush_tlb_page() on Xen
+ - ocfs2: o2hb: revert hb threshold to keep compatible
+ - iommu/vt-d: Don't over-free page table directories
+ - iommu: Handle default domain attach failure
+ - iommu/dma: Don't reserve PCI I/O windows
+ - iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
+ - iommu/amd: Fix interrupt remapping when disable guest_mode
+ - cpufreq: s3c2416: double free on driver init error path
+ - clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled
+ - brcmfmac: avoid writing channel out of allocated array
+ - i2c: brcmstb: Fix START and STOP conditions
+ - mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
+ - [arm64] fix NULL dereference in have_cpu_die()
+ - [x86] KVM: fix emulation of RSM and IRET instructions
+ - [x86] KVM: vPMU: fix undefined shift in intel_pmu_refresh()
+ - [x86] KVM: zero base3 of unusable segments
+ - [x86] KVM: nVMX: Fix exception injection
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.37
+ - fs: add a VALID_OPEN_FLAGS
+ - fs: completely ignore unknown open flags
+ - driver core: platform: fix race condition with driver_override
+ - ceph: choose readdir frag based on previous readdir reply
+ - tracing/kprobes: Allow to create probe with a module name starting with a
+ digit
+ - media: entity: Fix stream count check
+ - usb: dwc3: replace %p with %pK
+ - USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
+ - Add USB quirk for HVR-950q to avoid intermittent device resets
+ - usb: usbip: set buffer pointers to NULL after free
+ - usb: Fix typo in the definition of Endpoint[out]Request
+ - USB: core: fix device node leak
+ - mac80211_hwsim: Replace bogus hrtimer clockid
+ - sysctl: don't print negative flag for proc_douintvec
+ - sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec
+ - [arm64] pinctrl: qcom: ipq4019: add missing pingroups for pins > 70
+ - [arm64] pinctrl: meson: meson8b: fix the NAND DQS pins
+ - [x86] pinctrl: cherryview: Add terminate entry for dmi_system_id tables
+ - [armhf] pinctrl: sunxi: Fix SPDIF function name for A83T
+ - xhci: Limit USB2 port wake support for AMD Promontory hosts
+ - gfs2: Fix glock rhashtable rcu bug
+ - tpm: fix a kernel memory leak in tpm-sysfs.c
+ - [x86] uaccess: Optimize copy_user_enhanced_fast_string() for short strings
+ - ath10k: override CE5 config for QCA9377
+ - KEYS: Fix an error code in request_master_key()
+ - crypto: drbg - Fixes panic in wait_for_completion call
+ - RDMA/uverbs: Check port number supplied by user verbs cmds
+ - rt286: add Thinkpad Helix 2 to force_combo_jack_table
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.38
+ - Add "shutdown" to "struct class".
+ - tpm: Issue a TPM2_Shutdown for TPM2 devices.
+ - perf thread_map: Correctly size buffer used with dirent->dt_name
+ - perf tests: Avoid possible truncation with dirent->d_name + snprintf
+ - perf bench numa: Avoid possible truncation when using snprintf()
+ - perf header: Fix handling of PERF_EVENT_UPDATE__SCALE
+ - perf scripting perl: Fix compile error with some perl5 versions
+ - perf probe: Fix to probe on gcc generated symbols for offline kernel
+ - perf probe: Add error checks to offline probe post-processing
+ - md: fix incorrect use of lexx_to_cpu in does_sb_need_changing
+ - md: fix super_offset endianness in super_1_rdev_size_change
+ - locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
+ - staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
+ - staging: comedi: fix clean-up of comedi_class in comedi_init()
+ - crypto: caam - fix gfp allocation flags (part I)
+ - crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
+ - ext4: check return value of kstrtoull correctly in reserved_clusters_store
+ - [x86] mm/pat: Don't report PAT on CPUs that don't support it
+ - saa7134: fix warm Medion 7134 EEPROM read
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.39
+ - xen-netfront: Rework the fix for Rx stall during OOM and network stress
+ - net_sched: fix error recovery at qdisc creation
+ - net: sched: Fix one possible panic when no destroy callback
+ - net/phy: micrel: configure intterupts after autoneg workaround
+ - ipv6: avoid unregistering inet6_dev for loopback
+ - net: dp83640: Avoid NULL pointer dereference.
+ - tcp: reset sk_rx_dst in tcp_disconnect()
+ - net: prevent sign extension in dev_get_stats()
+ - bridge: mdb: fix leak on complete_info ptr on fail path
+ - rocker: move dereference before free
+ - bpf: prevent leaking pointer via xadd on unpriviledged
+ - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
+ - net/mlx5: Cancel delayed recovery work when unloading the driver
+ - liquidio: fix bug in soft reset failure detection
+ - net/mlx5e: Fix TX carrier errors report in get stats ndo
+ - ipv6: dad: don't remove dynamic addresses if link is down
+ - vxlan: fix hlist corruption
+ - net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64
+ - net: ipv6: Compare lwstate in detecting duplicate nexthops
+ - vrf: fix bug_on triggered by rx when destroying a vrf
+ - rds: tcp: use sock_create_lite() to create the accept socket
+ - brcmfmac: Fix a memory leak in error handling path in
+ 'brcmf_cfg80211_attach'
+ - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+ - sfc: don't read beyond unicast address list
+ - cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
+ - cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
+ - cfg80211: Check if PMKID attribute is of expected size
+ - cfg80211: Check if NAN service ID is of expected size
+ - irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity
+ - thp, mm: fix crash due race in MADV_FREE handling
+ - kernel/extable.c: mark core_kernel_text notrace
+ - mm/list_lru.c: fix list_lru_count_node() to be race free
+ - fs/dcache.c: fix spin lockup issue on nlru->lock
+ - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
+ CVE-2017-1000371)
+ - [armel,armhf] move ELF_ET_DYN_BASE to 4MB
+ - [arm64] move ELF_ET_DYN_BASE to 4GB / 4MB
+ - [powerpc*] move ELF_ET_DYN_BASE to 4GB / 4MB
+ - [s390x] reduce ELF_ET_DYN_BASE
+ - exec: Limit arg stack to at most 75% of _STK_LIM
+ - [arm64] dts: marvell: armada37xx: Fix timer interrupt specifiers
+ - vt: fix unchecked __put_user() in tioclinux ioctls
+ - rcu: Add memory barriers for NOCB leader wakeup
+ - nvmem: core: fix leaks on registration errors
+ - mnt: In umount propagation reparent in a separate pass
+ - mnt: In propgate_umount handle visiting mounts in any order
+ - mnt: Make propagate_umount less slow for overlapping mount propagation
+ trees
+ - selftests/capabilities: Fix the test_execve test
+ - mm: fix overflow check in expand_upwards()
+ - crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD
+ - [x86] crypto: sha1-ssse3 - Disable avx2
+ - crypto: caam - properly set IV after {en,de}crypt
+ - crypto: caam - fix signals handling
+ - Revert "sched/core: Optimize SCHED_SMT"
+ - sched/fair, cpumask: Export for_each_cpu_wrap()
+ - sched/topology: Fix building of overlapping sched-groups
+ - sched/topology: Optimize build_group_mask()
+ - sched/topology: Fix overlapping sched_group_mask
+ - PM / wakeirq: Convert to SRCU
+ - PM / QoS: return -EINVAL for bogus strings
+ - tracing: Use SOFTIRQ_OFFSET for softirq dectection for more accurate
+ results
+ - [x86] kvm: vmx: Do not disable intercepts for BNDCFGS
+ - [x86] kvm: Guest BNDCFGS requires guest MPX support
+ - [x86] kvm: vmx: Check value written to IA32_BNDCFGS
+ - [x86] kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.40
+ - dm mpath: cleanup -Wbool-operation warning in choose_pgpath()
+ - s5p-jpeg: don't return a random width/height
+ - thermal: max77620: fix device-node reference imbalance
+ - thermal: cpu_cooling: Avoid accessing potentially freed structures
+ - ath9k: fix tx99 use after free
+ - ath9k: fix tx99 bus error
+ - ath9k: fix an invalid pointer dereference in ath9k_rng_stop()
+ - NFC: fix broken device allocation
+ - NFC: nfcmrvl_uart: add missing tty-device sanity check
+ - NFC: nfcmrvl: do not use device-managed resources
+ - NFC: nfcmrvl: use nfc-device for firmware download
+ - NFC: nfcmrvl: fix firmware-management initialisation
+ - nfc: Ensure presence of required attributes in the activate_target handler
+ - nfc: Fix the sockaddr length sanitization in llcp_sock_connect
+ - NFC: Add sockaddr length checks before accessing sa_family in bind
+ handlers
+ - [x86] perf intel-pt: Move decoder error setting into one condition
+ - [x86] perf intel-pt: Improve sample timestamp
+ - [x86] perf intel-pt: Fix missing stack clear
+ - [x86] perf intel-pt: Ensure IP is zero when state is INTEL_PT_STATE_NO_IP
+ - [x86] perf intel-pt: Fix last_ip usage
+ - [x86] perf intel-pt: Ensure never to set 'last_ip' when packet 'count' is
+ zero
+ - [x86] perf intel-pt: Use FUP always when scanning for an IP
+ - [x86] perf intel-pt: Clear FUP flag on error
+ - Bluetooth: use constant time memory comparison for secret values
+ - wlcore: fix 64K page support
+ - btrfs: Don't clear SGID when inheriting ACLs
+ - igb: Explicitly select page 0 at initialization
+ - ASoC: compress: Derive substream from stream based on direction
+ - PM / Domains: Fix unsafe iteration over modified list of device links
+ - PM / Domains: Fix unsafe iteration over modified list of domain providers
+ - PM / Domains: Fix unsafe iteration over modified list of domains
+ - scsi: ses: do not add a device to an enclosure if enclosure_add_links()
+ fails.
+ - scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
+ - iscsi-target: Add login_keys_workaround attribute for non RFC initiators
+ - xen/scsiback: Fix a TMR related use-after-free
+ - [powerpc*] pseries: Fix passing of pp0 in updatepp() and updateboltedpp()
+ - [powerpc*/*64*] Fix atomic64_inc_not_zero() to return an int
+ - [powerpc*] Fix emulation of mcrf in emulate_step()
+ - [powerpc*] Fix emulation of mfocrf in emulate_step()
+ - [powerpc*] asm: Mark cr0 as clobbered in mftb()
+ - [powerpc*] mm/radix: Properly clear process table entry
+ - af_key: Fix sadb_x_ipsecrequest parsing
+ - PCI: Work around poweroff & suspend-to-RAM issue on Macbook Pro 11
+ - PCI: rockchip: Use normal register bank for config accessors
+ - PCI/PM: Restore the status of PCI devices across hibernation
+ - ipvs: SNAT packet replies only for NATed connections
+ - xhci: fix 20000ms port resume timeout
+ - xhci: Fix NULL pointer dereference when cleaning up streams for removed
+ host
+ - xhci: Bad Ethernet performance plugged in ASM1042A host
+ - mxl111sf: Fix driver to use heap allocate buffers for USB messages
+ - usb: storage: return on error to avoid a null pointer dereference
+ - USB: cdc-acm: add device-id for quirky printer
+ - usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
+ - usb: renesas_usbhs: gadget: disable all eps when the driver stops
+ - md: don't use flush_signals in userspace processes
+ - [x86] xen: allow userspace access during hypercalls
+ - cx88: Fix regression in initial video standard setting
+ - libnvdimm, btt: fix btt_rw_page not returning errors
+ - libnvdimm: fix badblock range handling of ARS range
+ - Raid5 should update rdev->sectors after reshape
+ - [s390x] syscalls: Fix out of bounds arguments access
+ - drm/amd/amdgpu: Return error if initiating read out of range on vram
+ - drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+ - drm/radeon: Fix eDP for single-display iMac10,1 (v2)
+ - ipmi: use rcu lock around call to intf->handlers->sender()
+ - ipmi:ssif: Add missing unlock in error branch
+ - xfs: Don't clear SGID when inheriting ACLs
+ - f2fs: sanity check size of nat and sit cache
+ - f2fs: Don't clear SGID when inheriting ACLs
+ - drm/ttm: Fix use-after-free in ttm_bo_clean_mm
+ - ovl: drop CAP_SYS_RESOURCE from saved mounter's credentials
+ - vfio: Fix group release deadlock
+ - vfio: New external user group/file match
+ - nvme-rdma: remove race conditions from IB signalling
+ - ftrace: Fix uninitialized variable in match_records()
+ - [mips*] Fix mips_atomic_set() retry condition
+ - [mips*] Fix mips_atomic_set() with EVA
+ - [mips*] Negate error syscall return in trace
+ - ubifs: Don't leak kernel memory to the MTD
+ - ACPI / EC: Drop EC noirq hooks to fix a regression
+ - Revert "ACPI / EC: Enable event freeze mode..." to fix a regression
+ - [x86] acpi: Prevent out of bound access caused by broken ACPI tables
+ - [x86] ioapic: Pass the correct data to unmask_ioapic_irq()
+ - [mips*] Fix MIPS I ISA /proc/cpuinfo reporting
+ - [mips*] Save static registers before sysmips
+ - [mips*] Actually decode JALX in `__compute_return_epc_for_insn'
+ - [mips*] Fix unaligned PC interpretation in `compute_return_epc'
+ - [mips*] math-emu: Prevent wrong ISA mode instruction emulation
+ - [mips*] Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
+ - [mips*] Send SIGILL for linked branches in `__compute_return_epc_for_insn'
+ - [mips*] Send SIGILL for R6 branches in `__compute_return_epc_for_insn'
+ - [mips*] Fix a typo: s/preset/present/ in r2-to-r6 emulation error message
+ - Input: i8042 - fix crash at boot time
+ - IB/iser: Fix connection teardown race condition
+ - IB/core: Namespace is mandatory input for address resolution
+ - sunrpc: use constant time memory comparison for mac
+ - NFS: only invalidate dentrys that are clearly invalid.
+ - udf: Fix deadlock between writeback and udf_setsize()
+ - target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce
+ - iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
+ - perf annotate: Fix broken arrow at row 0 connecting jmp instruction to
+ its target
+ - staging: rtl8188eu: add TL-WN722N v2 support
+ - staging: comedi: ni_mio_common: fix AO timer off-by-one regression
+ - staging: sm750fb: avoid conflicting vesafb
+ - staging: lustre: ko2iblnd: check copy_from_iter/copy_to_iter return code
+ - ceph: fix race in concurrent readdir
+ - RDMA/core: Initialize port_num in qp_attr
+ - drm/mst: Fix error handling during MST sideband message reception
+ - drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req()
+ - drm/mst: Avoid processing partially received up/down message transactions
+ - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms[] array
+ - hfsplus: Don't clear SGID when inheriting ACLs
+ - ovl: fix random return value on mount
+ - acpi/nfit: Fix memory corruption/Unregister mce decoder on failure
+ - of: device: Export of_device_{get_modalias, uvent_modalias} to modules
+ - spmi: Include OF based modalias in device uevent
+ - reiserfs: Don't clear SGID when inheriting ACLs
+ - PM / Domains: defer dev_pm_domain_set() until genpd->attach_dev succeeds
+ if present
+ - tracing: Fix kmemleak in instance_rmdir
+ - alarmtimer: don't rate limit one-shot timers
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.41
+ - af_key: Add lock to key dump
+ - pstore: Make spinlock per zone instead of global
+ - net: reduce skb_warn_bad_offload() noise
+ - jfs: Don't clear SGID when inheriting ACLs
+ - ALSA: fm801: Initialize chip after IRQ handler is registered
+ - ALSA: hda - Add missing NVIDIA GPU codec IDs to patch table
+ - [powerpc*] pseries: Fix of_node_put() underflow during reconfig remove
+ - NFS: invalidate file size when taking a lock.
+ - NFSv4.1: Fix a race where CB_NOTIFY_LOCK fails to wake a waiter
+ - crypto: authencesn - Fix digest_null crash
+ - [powerpc*] KVM: Book3S HV: Enable TM before accessing TM registers
+ - md/raid5: add thread_group worker async_tx_issue_pending_all
+ - drm/nouveau/disp/nv50-: bump max chans to 21
+ - drm/nouveau/bar/gf100: fix access to upper half of BAR2
+ - [powerpc*] KVM: Book3S HV: Restore critical SPRs to host values on guest
+ exit
+ - [powerpc*] KVM: Book3S HV: Save/restore host values of debug registers
+ - [powerpc*] Revert "powerpc/numa: Fix percpu allocations to be NUMA aware"
+ - Staging: comedi: comedi_fops: Avoid orphaned proc entry
+ - smp/hotplug: Move unparking of percpu threads to the control CPU
+ - smp/hotplug: Replace BUG_ON and react useful
+ - nfc: Fix hangup of RC-S380* in port100_send_ack()
+ - nfc: fdp: fix NULL pointer dereference
+ - net: phy: Do not perform software reset for Generic PHY
+ - isdn: Fix a sleep-in-atomic bug
+ - ath10k: fix null deref on wmi-tlv when trying spectral scan
+ - wil6210: fix deadlock when using fw_no_recovery option
+ - mailbox: always wait in mbox_send_message for blocking Tx mode
+ - mailbox: skip complete wait event if timer expired
+ - mailbox: handle empty message in tx_tick
+ - sched/cgroup: Move sched_online_group() back into css_online() to fix
+ crash
+ - RDMA/uverbs: Fix the check for port number
+ - ipmi/watchdog: fix watchdog timeout set on reboot
+ - v4l: s5c73m3: fix negation operator
+ - pstore: Allow prz to control need for locking
+ - pstore: Correctly initialize spinlock and flags
+ - pstore: Use dynamic spinlock initializer
+ - net: skb_needs_check() accepts CHECKSUM_NONE for tx
+ - device-dax: fix sysfs duplicate warnings
+ - [x86] mce/AMD: Make the init code more robust
+ - r8169: add support for RTL8168 series add-on card.
+ - [armhf] omap2+: fixing wrong strcat for Non-NULL terminated string
+ - dt-bindings: power/supply: Update TPS65217 properties
+ - dt-bindings: input: Specify the interrupt number of TPS65217 power button
+ - [armhf] dts: n900: Mark eMMC slot with no-sdio and no-sd flags
+ - net/mlx5: Disable RoCE on the e-switch management port under switchdev
+ mode
+ - ipv6: Should use consistent conditional judgement for ip6 fragment
+ between __ip6_append_data and ip6_finish_output
+ - net/mlx4_core: Use-after-free causes a resource leak in flow-steering
+ detach
+ - net/mlx4: Remove BUG_ON from ICM allocation routine
+ - net/mlx4_core: Fix raw qp flow steering rules under SRIOV
+ - [arm64] drm/msm: Ensure that the hardware write pointer is valid
+ - [arm64] drm/msm: Put back the vaddr in submit_reloc()
+ - [arm64] drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set
+ - irqchip/keystone: Fix "scheduling while atomic" on rt
+ - ASoC: tlv320aic3x: Mark the RESET register as volatile
+ - spi: dw: Make debugfs name unique between instances
+ - ASoC: nau8825: fix invalid configuration in Pre-Scalar of FLL
+ - irqchip/mxs: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND
+ - openrisc: Add _text symbol to fix ksym build error
+ - dmaengine: ioatdma: Add Skylake PCI Dev ID
+ - dmaengine: ioatdma: workaround SKX ioatdma version
+ - l2tp: consider '::' as wildcard address in l2tp_ip6 socket lookup
+ - dmaengine: ti-dma-crossbar: Add some 'of_node_put()' in error path.
+ - usb: dwc3: omap: fix race of pm runtime with irq handler in probe
+ - [arm64] zynqmp: Fix W=1 dtc 1.4 warnings
+ - [arm64] zynqmp: Fix i2c node's compatible string
+ - perf probe: Fix to get correct modname from elf header
+ - ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
+ - usb: gadget: Fix copy/pasted error message
+ - Btrfs: use down_read_nested to make lockdep silent
+ - Btrfs: fix lockdep warning about log_mutex
+ - benet: stricter vxlan offloading check in be_features_check
+ - Btrfs: adjust outstanding_extents counter properly when dio write is split
+ - [armhf] Xen: Zero reserved fields of xatp before making hypervisor call
+ - tools lib traceevent: Fix prev/next_prio for deadline tasks
+ - xfrm: Don't use sk_family for socket policy lookups
+ - perf tools: Install tools/lib/traceevent plugins with install-bin
+ - perf symbols: Robustify reading of build-id from sysfs
+ - video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap
+ - vfio-pci: Handle error from pci_iomap
+ - [arm64] mm: fix show_pte KERN_CONT fallout
+ - nvmem: imx-ocotp: Fix wrong register size
+ - net: usb: asix_devices: add .reset_resume for USB PM
+ - ASoC: fsl_ssi: set fifo watermark to more reliable value
+ - sh_eth: enable RX descriptor word 0 shift on SH7734
+ - ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion
+ - [x86] platform/intel-mid: Rename 'spidev' to 'mrfld_spidev'
+ - [x86] perf: Set pmu->module in Intel PMU modules
+ - [x86] ASoC: Intel: bytcr-rt5640: fix settings in internal clock mode
+ - HID: ignore Petzl USB headlamp
+ - scsi: fnic: Avoid sending reset to firmware when another reset is in
+ progress
+ - scsi: snic: Return error code on memory allocation failure
+ - scsi: bfa: Increase requested firmware version to 3.2.5.1
+ - [x86] ASoC: Intel: Skylake: Release FW ctx in cleanup
+ - ASoC: dpcm: Avoid putting stream state to STOP when FE stream is paused
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.42
+ - cgroup: create dfl_root files on subsys registration
+ - cgroup: fix error return value from cgroup_subtree_control()
+ - libata: array underflow in ata_find_dev()
+ - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
+ - iwlwifi: dvm: prevent an out of bounds access
+ - brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice
+ - NFSv4: Fix EXCHANGE_ID corrupt verifier issue
+ - device property: Make dev_fwnode() public
+ - mmc: core: Fix access to HS400-ES devices
+ - mm, mprotect: flush TLB if potentially racing with a parallel reclaim
+ leaving stale TLB entries
+ - cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
+ - ALSA: hda - Fix speaker output from VAIO VPCL14M1R
+ - drm/amdgpu: Fix undue fallthroughs in golden registers initialization
+ - ASoC: do not close shared backend dailink
+ - KVM: async_pf: make rcu irq exit if not triggered from idle task
+ - mm/page_alloc: Remove kernel address exposure in free_reserved_area()
+ - timers: Fix overflow in get_next_timer_interrupt
+ - [powerpc*] tm: Fix saving of TM SPRs in core dump
+ - [powerpc*/*64*] Fix __check_irq_replay missing decrementer interrupt
+ - iommu/amd: Enable ga_log_intr when enabling guest_mode
+ - gpiolib: skip unwanted events, don't convert them to opposite edge
+ - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
+ - ext4: fix overflow caused by missing cast in ext4_resize_fs()
+ - [armhf] dts: armada-38x: Fix irq type for pca955
+ - media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
+ ioctl
+ - iscsi-target: Fix initial login PDU asynchronous socket close OOPs
+ - mmc: dw_mmc: Use device_property_read instead of of_property_read
+ - mmc: core: Use device_property_read instead of of_property_read
+ - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
+ - f2fs: sanity check checkpoint segno and blkoff (CVE-2017-10663)
+ - Btrfs: fix early ENOSPC due to delalloc
+ - saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
+ - tcp_bbr: cut pacing rate only if filled pipe
+ - tcp_bbr: introduce bbr_bw_to_pacing_rate() helper
+ - tcp_bbr: introduce bbr_init_pacing_rate_from_rtt() helper
+ - tcp_bbr: remove sk_pacing_rate=0 transient during init
+ - tcp_bbr: init pacing rate on first RTT sample
+ - ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
+ - net: Zero terminate ifr_name in dev_ifname().
+ - net: dsa: b53: Add missing ARL entries for BCM53125
+ - ipv4: initialize fib_trie prior to register_netdev_notifier call.
+ - rtnetlink: allocate more memory for dev_set_mac_address()
+ - mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
+ - openvswitch: fix potential out of bound access in parse_ct
+ - packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
+ - ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
+ - net: ethernet: nb8800: Handle all 4 RGMII modes identically
+ - dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
+ - dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
+ - dccp: fix a memleak for dccp_feat_init err process
+ - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
+ - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
+ - net/mlx5: Consider tx_enabled in all modes on remap
+ - net/mlx5: Fix command bad flow on command entry allocation failure
+ - net/mlx5e: Fix outer_header_zero() check size
+ - net/mlx5e: Fix wrong delay calculation for overflow check scheduling
+ - net/mlx5e: Schedule overflow check work to mlx5e workqueue
+ - net: phy: Correctly process PHY_HALTED in phy_stop_machine()
+ - xen-netback: correctly schedule rate-limited queues
+ - wext: handle NULL extra data in iwe_stream_add_point better
+ - sh_eth: fix EESIPR values for SH77{34|63}
+ - sh_eth: R8A7740 supports packet shecksumming
+ - net: phy: dp83867: fix irq generation
+ - tg3: Fix race condition in tg3_get_stats64().
+ - [x86] boot: Add missing declaration of string functions
+ - spi: spi-axi: Free resources on error path
+ - ASoC: rt5645: set sel_i2s_pre_div1 to 2
+ - netfilter: use fwmark_reflect in nf_send_reset
+ - phy state machine: failsafe leave invalid RUNNING state
+ - ipv4: make tcp_notsent_lowat sysctl knob behave as true unsigned int
+ - clk/samsung: exynos542x: mark some clocks as critical
+ - scsi: qla2xxx: Get mutex lock before checking optrom_state
+ - drm/virtio: fix framebuffer sparse warning
+ - [armhf] dts: sunxi: Change node name for pwrseq pin on
+ Olinuxino-lime2-emmc
+ - iw_cxgb4: do not send RX_DATA_ACK CPLs after close/abort
+ - nbd: blk_mq_init_queue returns an error code on failure, not NULL
+ - virtio_blk: fix panic in initialization error path
+ - [armel,armhf] 8632/1: ftrace: fix syscall name matching
+ - mm, slab: make sure that KMALLOC_MAX_SIZE will fit into MAX_ORDER
+ - lib/Kconfig.debug: fix frv build failure
+ - signal: protect SIGNAL_UNKILLABLE from unintentional clearing.
+ - mm: don't dereference struct page fields of invalid pages
+ - net/mlx5: E-Switch, Re-enable RoCE on mode change only after FDB destroy
+ - net: phy: Fix PHY unbind crash
+ - workqueue: implicit ordered attribute should be overridable
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.43
+ - ppp: Fix false xmit recursion detect with two ppp devices
+ - ppp: fix xmit recursion detection on ppp channels
+ - tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
+ - net: fix keepalive code vs TCP_FASTOPEN_CONNECT
+ - [s390x] bpf: fix jit branch offset related to ldimm64
+ - net/mlx4_en: don't set CHECKSUM_COMPLETE on SCTP packets
+ - net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target
+ - tcp: fastopen: tcp_connect() must refresh the route
+ - net: avoid skb_warn_bad_offload false positives on UFO
+ - igmp: Fix regression caused by igmp sysctl namespace code.
+ - packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
+ - udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
+ - [armhf,arm64] KVM: Handle hva aging while destroying the vm
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.44
+ - mm: ratelimit PFNs busy info message
+ - mm: fix list corruptions on shmem shrinklist
+ - futex: Remove unnecessary warning from get_futex_key
+ - mtd: nand: Fix timing setup for NANDs that do not support SET FEATURES
+ - iscsi-target: fix memory leak in iscsit_setup_text_cmd()
+ - iscsi-target: Fix iscsi_np reset hung task during parallel delete
+ - target: Fix node_acl demo-mode + uncached dynamic shutdown regression
+ - fuse: initialize the flock flag in fuse_file on allocation
+ - nand: fix wrong default oob layout for small pages using soft ecc
+ - mmc: mmc: correct the logic for setting HS400ES signal voltage
+ - nfs/flexfiles: fix leak of nfs4_ff_ds_version arrays
+ - drm/etnaviv: Fix off-by-one error in reloc checking
+ - [x86] drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut
+ - USB: serial: option: add D-Link DWM-222 device ID
+ - USB: serial: cp210x: add support for Qivicon USB ZigBee dongle
+ - USB: serial: pl2303: add new ATEN device id
+ - usb: musb: fix tx fifo flush handling again
+ - USB: hcd: Mark secondary HCD as dead if the primary one died
+ - staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
+ - iio: accel: bmc150: Always restore device to normal mode after
+ suspend-resume
+ - iio: light: tsl2563: use correct event code
+ - staging: comedi: comedi_fops: do not call blocking ops when !TASK_RUNNING
+ - uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
+ - usb: gadget: udc: renesas_usb3: Fix usb_gadget_giveback_request() calling
+ - usb: renesas_usbhs: Fix UGCTRL2 value for R-Car Gen3
+ - USB: Check for dropped connection before switching to full speed
+ - usb: core: unlink urbs from the tail of the endpoint's urb_list
+ - usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
+ - usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
+ - iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits
+ - pnfs/blocklayout: require 64-bit sector_t
+ - [armhf] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
+ - [x86] pinctrl: intel: merrifield: Correct UART pin lists
+ - [armhf] pinctrl: samsung: Remove bogus irq_[un]mask from resource
+ management
+ - [arm64] pinctrl: meson-gxbb: Add missing GPIODV_18 pin entry
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.45
+ - netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister
+ - audit: Fix use after free in audit_remove_watch_rule()
+ - [x86] crypto: sha1 - Fix reads beyond the number of blocks passed
+ - Input: elan_i2c - add ELAN0608 to the ACPI table
+ - Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB
+ - ALSA: seq: 2nd attempt at fixing race creating a queue
+ - ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset
+ - ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
+ - mm: discard memblock data later
+ - mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS
+ - mm/mempolicy: fix use after free when calling get_mempolicy
+ - [amd64,arm64] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
+ - xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
+ - blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL
+ - [powerpc*] Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC
+ - xen-blkfront: use a right index when checking requests
+ - [amd64] asm: Clear AC on NMI entries
+ - genirq: Restore trigger settings in irq_modify_status()
+ - genirq/ipi: Fixup checks against nr_cpu_ids
+ - Sanitize 'move_pages()' permission checks
+ - pids: make task_tgid_nr_ns() safe
+ - usb: optimize acpi companion search for usb port devices
+ - usb: qmi_wwan: add D-Link DWM-222 device ID
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.46
+ - af_key: do not use GFP_KERNEL in atomic contexts
+ - dccp: purge write queue in dccp_destroy_sock()
+ - dccp: defer ccid_hc_tx_delete() at dismantle time
+ - ipv4: fix NULL dereference in free_fib_info_rcu()
+ - net_sched/sfq: update hierarchical backlog when drop packet
+ - net_sched: remove warning from qdisc_hash_add
+ - bpf: fix bpf_trace_printk on 32 bit archs
+ - openvswitch: fix skb_panic due to the incorrect actions attrlen
+ - ptr_ring: use kmalloc_array()
+ - ipv4: better IP_MAX_MTU enforcement
+ - nfp: fix infinite loop on umapping cleanup
+ - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
+ - tipc: fix use-after-free
+ - ipv6: reset fn->rr_ptr when replacing route
+ - ipv6: repair fib6 tree in failure case
+ - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
+ - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
+ - irda: do not leak initialized list.dev to userspace
+ - net: sched: fix NULL pointer dereference when action calls some targets
+ - net_sched: fix order of queue length updates in qdisc_replace()
+ - bpf, verifier: add additional patterns to evaluate_reg_imm_alu
+ - bpf: adjust verifier heuristics
+ - bpf, verifier: fix alu ops against map_value{, _adj} register types
+ - bpf: fix mixed signed/unsigned derived min/max value bounds
+ - bpf/verifier: fix min/max handling in BPF_SUB
+ - Input: trackpoint - add new trackpoint firmware ID
+ - Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
+ - Input: ALPS - fix two-finger scroll breakage in right side on ALPS
+ touchpad
+ - [s390x] KVM: sthyi: fix sthyi inline assembly
+ - [s390x] KVM: sthyi: fix specification exception detection
+ - [x86] KVM: block guest protection keys unless the host has them enabled
+ - ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
+ - ALSA: core: Fix unexpected error at replacing user TLV
+ - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
+ - ALSA: firewire: fix NULL pointer dereference when releasing uninitialized
+ data of iso-resource
+ - mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
+ - i2c: designware: Fix system suspend
+ - mm/madvise.c: fix freeing of locked page with MADV_FREE
+ - fork: fix incorrect fput of ->exe_file causing use-after-free
+ - mm/memblock.c: reversed logic in memblock_discard()
+ - drm: Release driver tracking before making the object available again
+ - drm/atomic: If the atomic check fails, return its value first
+ - tracing: Call clear_boot_tracer() at lateinit_sync
+ - tracing: Fix kmemleak in tracing_map_array_free()
+ - tracing: Fix freeing of filter in create_filter() when set_str is false
+ - kbuild: linker script do not match C names unless
+ LD_DEAD_CODE_DATA_ELIMINATION is configured
+ - cifs: Fix df output for users with quota limits
+ - cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
+ - nfsd: Limit end of page list when decoding NFSv4 WRITE
+ - ftrace: Check for null ret_stack on profile function graph entry function
+ - perf/core: Fix group {cpu,task} validation
+ - perf probe: Fix --funcs to show correct symbols for offline module
+ - [x86] perf/intel/rapl: Make package handling more robust
+ - timers: Fix excessive granularity of new timers after a nohz idle
+ - [x86] mm: Fix use-after-free of ldt_struct
+ - net: sunrpc: svcsock: fix NULL-pointer exception
+ - Revert "leds: handle suspend/resume in heartbeat trigger"
+ - netfilter: nat: fix src map lookup
+ - Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
+ - Bluetooth: cmtp: fix possible might sleep error in cmtp_session
+ - Bluetooth: bnep: fix possible might sleep error in bnep_session
+ - iio: imu: adis16480: Fix acceleration scale factor for adis16480
+ - iio: hid-sensor-trigger: Fix the race with user space powering up sensors
+ - staging: rtl8188eu: add RNX-N150NUB support
+ - Clarify (and fix) MAX_LFS_FILESIZE macros
+ - ntb_transport: fix qp count bug
+ - ntb_transport: fix bug calculating num_qps_mw
+ - NTB: ntb_test: fix bug printing ntb_perf results
+ - ntb: no sleep in ntb_async_tx_submit
+ - ntb: ntb_test: ensure the link is up before trying to configure the mws
+ - ntb: transport shouldn't disable link due to bogus values in SPADs
+ - ACPI: ioapic: Clear on-stack resource before using it
+ - ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
+ - ACPI: EC: Fix regression related to wrong ECDT initialization order
+ - [powerpc*] mm: Ensure cpumask update is ordered
[ Ben Hutchings ]
* [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
- * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
- CVE-2017-1000371)
- * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
- * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
- (CVE-2017-1000380)
* xfrm: policy: check policy direction value (CVE-2017-11600)
- * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
- * ipv6: Should use consistent conditional judgement for ip6 fragment
- between __ip6_append_data and ip6_finish_output
- * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
* [armhf] udeb: Add sunxi_wdt to kernel-image (Closes: #866130)
* udeb: Add dm-raid to md-modules (Closes: #868251)
* [arm64] sound: Enable SND_HDA_INTEL as module (Closes: #867611)
* [x86] ideapad-laptop: Add various IdeaPad models to no_hw_rfkill list
(Closes: #866706)
- * [x86] pinctrl: cherryview: Add terminate entry for dmi_system_id tables
* firmware: dmi: Add DMI_PRODUCT_FAMILY identification string
* firmware: dmi: Avoid ABI break for DMI_PRODUCT_FAMILY
* [x86] pinctrl: cherryview: Extend the Chromebook DMI quirk to Intel_Strago
@@ -29,11 +1190,6 @@ linux (4.9.30-3) UNRELEASED; urgency=medium
* [arm64,armhf] udeb: Ship usb3503 module in usb-modules, needed for
e.g. Arndale development boards, thanks to Wei Liu (Closes: #865645).
- [ Salvatore Bonaccorso ]
- * [powerpc*] kernel: Fix FP and vector register restoration.
- Thanks to Gabriel F. T. Gomes for the report and analysis.
- (Closes: #868902)
-
-- Ben Hutchings <ben at decadent.org.uk> Sun, 16 Jul 2017 21:54:09 +0100
linux (4.9.30-2+deb9u3) stretch-security; urgency=high
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch b/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
deleted file mode 100644
index e744bc4..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Fri, 2 Jun 2017 17:26:56 +0200
-Subject: ALSA: timer: Fix missing queue indices reset at
- SNDRV_TIMER_IOCTL_SELECT
-Origin: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
-
-snd_timer_user_tselect() reallocates the queue buffer dynamically, but
-it forgot to reset its indices. Since the read may happen
-concurrently with ioctl and snd_timer_user_tselect() allocates the
-buffer via kmalloc(), this may lead to the leak of uninitialized
-kernel-space data, as spotted via KMSAN:
-
- BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
- CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- Call Trace:
- __dump_stack lib/dump_stack.c:16
- dump_stack+0x143/0x1b0 lib/dump_stack.c:52
- kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
- kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
- copy_to_user ./arch/x86/include/asm/uaccess.h:725
- snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
- do_loop_readv_writev fs/read_write.c:716
- __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
- do_readv_writev fs/read_write.c:894
- vfs_readv fs/read_write.c:908
- do_readv+0x52a/0x5d0 fs/read_write.c:934
- SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
- SyS_readv+0x87/0xb0 fs/read_write.c:1018
-
-This patch adds the missing reset of queue indices. Together with the
-previous fix for the ioctl/read race, we cover the whole problem.
-
-Reported-by: Alexander Potapenko <glider at google.com>
-Tested-by: Alexander Potapenko <glider at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1622,6 +1622,7 @@ static int snd_timer_user_tselect(struct
- if (err < 0)
- goto __err;
-
-+ tu->qhead = tu->qtail = tu->qused = 0;
- kfree(tu->queue);
- tu->queue = NULL;
- kfree(tu->tqueue);
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch b/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
deleted file mode 100644
index c8aa19e..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Fri, 2 Jun 2017 15:03:38 +0200
-Subject: ALSA: timer: Fix race between read and ioctl
-Origin: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
-
-The read from ALSA timer device, the function snd_timer_user_tread(),
-may access to an uninitialized struct snd_timer_user fields when the
-read is concurrently performed while the ioctl like
-snd_timer_user_tselect() is invoked. We have already fixed the races
-among ioctls via a mutex, but we seem to have forgotten the race
-between read vs ioctl.
-
-This patch simply applies (more exactly extends the already applied
-range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
-race window.
-
-Reported-by: Alexander Potapenko <glider at google.com>
-Tested-by: Alexander Potapenko <glider at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- sound/core/timer.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1963,6 +1963,7 @@ static ssize_t snd_timer_user_read(struc
-
- tu = file->private_data;
- unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);
-+ mutex_lock(&tu->ioctl_lock);
- spin_lock_irq(&tu->qlock);
- while ((long)count - result >= unit) {
- while (!tu->qused) {
-@@ -1978,7 +1979,9 @@ static ssize_t snd_timer_user_read(struc
- add_wait_queue(&tu->qchange_sleep, &wait);
-
- spin_unlock_irq(&tu->qlock);
-+ mutex_unlock(&tu->ioctl_lock);
- schedule();
-+ mutex_lock(&tu->ioctl_lock);
- spin_lock_irq(&tu->qlock);
-
- remove_wait_queue(&tu->qchange_sleep, &wait);
-@@ -1998,7 +2001,6 @@ static ssize_t snd_timer_user_read(struc
- tu->qused--;
- spin_unlock_irq(&tu->qlock);
-
-- mutex_lock(&tu->ioctl_lock);
- if (tu->tread) {
- if (copy_to_user(buffer, &tu->tqueue[qhead],
- sizeof(struct snd_timer_tread)))
-@@ -2008,7 +2010,6 @@ static ssize_t snd_timer_user_read(struc
- sizeof(struct snd_timer_read)))
- err = -EFAULT;
- }
-- mutex_unlock(&tu->ioctl_lock);
-
- spin_lock_irq(&tu->qlock);
- if (err < 0)
-@@ -2018,6 +2019,7 @@ static ssize_t snd_timer_user_read(struc
- }
- _error:
- spin_unlock_irq(&tu->qlock);
-+ mutex_unlock(&tu->ioctl_lock);
- return result > 0 ? result : err;
- }
-
diff --git a/debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch b/debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
deleted file mode 100644
index 83150d1..0000000
--- a/debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Mon, 10 Jul 2017 15:52:37 -0700
-Subject: binfmt_elf: use ELF_ET_DYN_BASE only for PIE
-Origin: https://git.kernel.org/linus/eab09532d40090698b05a07c1c87f39fdbc5fab5
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000370
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000371
-
-The ELF_ET_DYN_BASE position was originally intended to keep loaders
-away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
-/bin/cat" might cause the subsequent load of /bin/cat into where the
-loader had been loaded.)
-
-With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
-ELF_ET_DYN_BASE continued to be used since the kernel was only looking
-at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
-top 1/3rd of the TASK_SIZE, a substantial portion of the address space
-is unused.
-
-For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
-loaded above the mmap region. This means they can be made to collide
-(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
-pathological stack regions.
-
-Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
-region in all cases, and will now additionally avoid programs falling
-back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
-if it would have collided with the stack, now it will fail to load
-instead of falling back to the mmap region).
-
-To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
-are loaded into the mmap region, leaving space available for either an
-ET_EXEC binary with a fixed location or PIE being loaded into mmap by
-the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
-which means architectures can now safely lower their values without risk
-of loaders colliding with their subsequently loaded programs.
-
-For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
-the entire 32-bit address space for 32-bit pointers.
-
-Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
-suggestions on how to implement this solution.
-
-Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
-Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Acked-by: Rik van Riel <riel at redhat.com>
-Cc: Daniel Micay <danielmicay at gmail.com>
-Cc: Qualys Security Advisory <qsa at qualys.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Ingo Molnar <mingo at redhat.com>
-Cc: "H. Peter Anvin" <hpa at zytor.com>
-Cc: Alexander Viro <viro at zeniv.linux.org.uk>
-Cc: Dmitry Safonov <dsafonov at virtuozzo.com>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk at intel.com>
-Cc: Masahiro Yamada <yamada.masahiro at socionext.com>
-Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
-Cc: Catalin Marinas <catalin.marinas at arm.com>
-Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
-Cc: James Hogan <james.hogan at imgtec.com>
-Cc: Martin Schwidefsky <schwidefsky at de.ibm.com>
-Cc: Michael Ellerman <mpe at ellerman.id.au>
-Cc: Paul Mackerras <paulus at samba.org>
-Cc: Pratyush Anand <panand at redhat.com>
-Cc: Russell King <linux at armlinux.org.uk>
-Cc: Will Deacon <will.deacon at arm.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- arch/x86/include/asm/elf.h | 13 +++++-----
- fs/binfmt_elf.c | 59 +++++++++++++++++++++++++++++++++++++++-------
- 2 files changed, 58 insertions(+), 14 deletions(-)
-
---- a/arch/x86/include/asm/elf.h
-+++ b/arch/x86/include/asm/elf.h
-@@ -246,12 +246,13 @@ extern int force_personality32;
- #define CORE_DUMP_USE_REGSET
- #define ELF_EXEC_PAGESIZE 4096
-
--/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
-- use of this is to invoke "./ld.so someprog" to test out a new version of
-- the loader. We need to make sure that it is out of the way of the program
-- that it will "exec", and that there is sufficient room for the brk. */
--
--#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
-+/*
-+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
-+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-+ * space open for things that want to use the area for 32-bit pointers.
-+ */
-+#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
-+ 0x100000000UL)
-
- /* This yields a mask that user programs can use to figure out what
- instruction set this CPU supports. This could be done in user space,
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -911,17 +911,60 @@ static int load_elf_binary(struct linux_
- elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
-
- vaddr = elf_ppnt->p_vaddr;
-+ /*
-+ * If we are loading ET_EXEC or we have already performed
-+ * the ET_DYN load_addr calculations, proceed normally.
-+ */
- if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
- elf_flags |= MAP_FIXED;
- } else if (loc->elf_ex.e_type == ET_DYN) {
-- /* Try and get dynamic programs out of the way of the
-- * default mmap base, as well as whatever program they
-- * might try to exec. This is because the brk will
-- * follow the loader, and is not movable. */
-- load_bias = ELF_ET_DYN_BASE - vaddr;
-- if (current->flags & PF_RANDOMIZE)
-- load_bias += arch_mmap_rnd();
-- load_bias = ELF_PAGESTART(load_bias);
-+ /*
-+ * This logic is run once for the first LOAD Program
-+ * Header for ET_DYN binaries to calculate the
-+ * randomization (load_bias) for all the LOAD
-+ * Program Headers, and to calculate the entire
-+ * size of the ELF mapping (total_size). (Note that
-+ * load_addr_set is set to true later once the
-+ * initial mapping is performed.)
-+ *
-+ * There are effectively two types of ET_DYN
-+ * binaries: programs (i.e. PIE: ET_DYN with INTERP)
-+ * and loaders (ET_DYN without INTERP, since they
-+ * _are_ the ELF interpreter). The loaders must
-+ * be loaded away from programs since the program
-+ * may otherwise collide with the loader (especially
-+ * for ET_EXEC which does not have a randomized
-+ * position). For example to handle invocations of
-+ * "./ld.so someprog" to test out a new version of
-+ * the loader, the subsequent program that the
-+ * loader loads must avoid the loader itself, so
-+ * they cannot share the same load range. Sufficient
-+ * room for the brk must be allocated with the
-+ * loader as well, since brk must be available with
-+ * the loader.
-+ *
-+ * Therefore, programs are loaded offset from
-+ * ELF_ET_DYN_BASE and loaders are loaded into the
-+ * independently randomized mmap region (0 load_bias
-+ * without MAP_FIXED).
-+ */
-+ if (elf_interpreter) {
-+ load_bias = ELF_ET_DYN_BASE;
-+ if (current->flags & PF_RANDOMIZE)
-+ load_bias += arch_mmap_rnd();
-+ elf_flags |= MAP_FIXED;
-+ } else
-+ load_bias = 0;
-+
-+ /*
-+ * Since load_bias is used for all subsequent loading
-+ * calculations, we must lower it by the first vaddr
-+ * so that the remaining calculations based on the
-+ * ELF vaddrs will be correctly offset. The result
-+ * is then page aligned.
-+ */
-+ load_bias = ELF_PAGESTART(load_bias - vaddr);
-+
- total_size = total_mapping_size(elf_phdata,
- loc->elf_ex.e_phnum);
- if (!total_size) {
diff --git a/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch b/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
deleted file mode 100644
index d77432a..0000000
--- a/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Arend van Spriel <arend.vanspriel at broadcom.com>
-Date: Fri, 7 Jul 2017 21:09:06 +0100
-Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/8f44c9a41386729fea410e688959ddaa9d51be7c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7541
-
-The lower level nl80211 code in cfg80211 ensures that "len" is between
-25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from
-"len" so thats's max of 2280. However, the action_frame->data[] buffer is
-only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
-overflow.
-
- memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
- le16_to_cpu(action_frame->len));
-
-Cc: stable at vger.kernel.org # 3.9.x
-Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
-Reported-by: "freenerguo(郭大兴)" <freenerguo at tencent.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-index dcde596c9eb9..7e689c86d565 100644
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -4934,6 +4934,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
- cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
- GFP_KERNEL);
- } else if (ieee80211_is_action(mgmt->frame_control)) {
-+ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
-+ brcmf_err("invalid action frame length\n");
-+ err = -EINVAL;
-+ goto exit;
-+ }
- af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
- if (af_params == NULL) {
- brcmf_err("unable to allocate frame\n");
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch b/debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
deleted file mode 100644
index 4d49388..0000000
--- a/debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Herbert Xu <herbert at gondor.apana.org.au>
-Date: Wed, 10 May 2017 03:48:23 +0800
-Subject: crypto: skcipher - Add missing API setkey checks
-Origin: https://git.kernel.org/linus/9933e113c2e87a9f46a40fde8dafbf801dca1ab9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9211
-
-The API setkey checks for key sizes and alignment went AWOL during the
-skcipher conversion. This patch restores them.
-
-Cc: <stable at vger.kernel.org>
-Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...")
-Reported-by: Baozeng <sploving1 at gmail.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/skcipher.c | 40 +++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 39 insertions(+), 1 deletion(-)
-
---- a/crypto/skcipher.c
-+++ b/crypto/skcipher.c
-@@ -221,6 +221,44 @@ static int crypto_init_skcipher_ops_ablk
- return 0;
- }
-
-+static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm,
-+ const u8 *key, unsigned int keylen)
-+{
-+ unsigned long alignmask = crypto_skcipher_alignmask(tfm);
-+ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
-+ u8 *buffer, *alignbuffer;
-+ unsigned long absize;
-+ int ret;
-+
-+ absize = keylen + alignmask;
-+ buffer = kmalloc(absize, GFP_ATOMIC);
-+ if (!buffer)
-+ return -ENOMEM;
-+
-+ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
-+ memcpy(alignbuffer, key, keylen);
-+ ret = cipher->setkey(tfm, alignbuffer, keylen);
-+ kzfree(buffer);
-+ return ret;
-+}
-+
-+static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key,
-+ unsigned int keylen)
-+{
-+ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
-+ unsigned long alignmask = crypto_skcipher_alignmask(tfm);
-+
-+ if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) {
-+ crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
-+ return -EINVAL;
-+ }
-+
-+ if ((unsigned long)key & alignmask)
-+ return skcipher_setkey_unaligned(tfm, key, keylen);
-+
-+ return cipher->setkey(tfm, key, keylen);
-+}
-+
- static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm)
- {
- struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
-@@ -241,7 +279,7 @@ static int crypto_skcipher_init_tfm(stru
- tfm->__crt_alg->cra_type == &crypto_givcipher_type)
- return crypto_init_skcipher_ops_ablkcipher(tfm);
-
-- skcipher->setkey = alg->setkey;
-+ skcipher->setkey = skcipher_setkey;
- skcipher->encrypt = alg->encrypt;
- skcipher->decrypt = alg->decrypt;
- skcipher->ivsize = alg->ivsize;
diff --git a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
deleted file mode 100644
index 4811659..0000000
--- a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Tue, 9 May 2017 06:29:19 -0700
-Subject: dccp/tcp: do not inherit mc_list from parent
-Origin: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8890
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Pray3r <pray3r.z at gmail.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/inet_connection_sock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -665,6 +665,8 @@ struct sock *inet_csk_clone_lock(const s
- /* listeners have SOCK_RCU_FREE, not the children */
- sock_reset_flag(newsk, SOCK_RCU_FREE);
-
-+ inet_sk(newsk)->mc_list = NULL;
-+
- newsk->sk_mark = inet_rsk(req)->ir_mark;
- atomic64_set(&newsk->sk_cookie,
- atomic64_read(&inet_rsk(req)->ir_cookie));
diff --git a/debian/patches/bugfix/all/dentry-name-snapshots.patch b/debian/patches/bugfix/all/dentry-name-snapshots.patch
deleted file mode 100644
index ffe2a9f..0000000
--- a/debian/patches/bugfix/all/dentry-name-snapshots.patch
+++ /dev/null
@@ -1,228 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 7 Jul 2017 14:51:19 -0400
-Subject: dentry name snapshots
-Origin: https://git.kernel.org/linus/49d31c2f389acfe83417083e1208422b4091cd9e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7533
-
-take_dentry_name_snapshot() takes a safe snapshot of dentry name;
-if the name is a short one, it gets copied into caller-supplied
-structure, otherwise an extra reference to external name is grabbed
-(those are never modified). In either case the pointer to stable
-string is stored into the same structure.
-
-dentry must be held by the caller of take_dentry_name_snapshot(),
-but may be freely dropped afterwards - the snapshot will stay
-until destroyed by release_dentry_name_snapshot().
-
-Intended use:
- struct name_snapshot s;
-
- take_dentry_name_snapshot(&s, dentry);
- ...
- access s.name
- ...
- release_dentry_name_snapshot(&s);
-
-Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name
-to pass down with event.
-
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
-[carnil: backport 4.9: adjust context]
----
- fs/dcache.c | 27 +++++++++++++++++++++++++++
- fs/debugfs/inode.c | 10 +++++-----
- fs/namei.c | 8 ++++----
- fs/notify/fsnotify.c | 8 ++++++--
- include/linux/dcache.h | 6 ++++++
- include/linux/fsnotify.h | 31 -------------------------------
- 6 files changed, 48 insertions(+), 42 deletions(-)
-
---- a/fs/dcache.c
-+++ b/fs/dcache.c
-@@ -277,6 +277,33 @@ static inline int dname_external(const s
- return dentry->d_name.name != dentry->d_iname;
- }
-
-+void take_dentry_name_snapshot(struct name_snapshot *name, struct dentry *dentry)
-+{
-+ spin_lock(&dentry->d_lock);
-+ if (unlikely(dname_external(dentry))) {
-+ struct external_name *p = external_name(dentry);
-+ atomic_inc(&p->u.count);
-+ spin_unlock(&dentry->d_lock);
-+ name->name = p->name;
-+ } else {
-+ memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
-+ spin_unlock(&dentry->d_lock);
-+ name->name = name->inline_name;
-+ }
-+}
-+EXPORT_SYMBOL(take_dentry_name_snapshot);
-+
-+void release_dentry_name_snapshot(struct name_snapshot *name)
-+{
-+ if (unlikely(name->name != name->inline_name)) {
-+ struct external_name *p;
-+ p = container_of(name->name, struct external_name, name[0]);
-+ if (unlikely(atomic_dec_and_test(&p->u.count)))
-+ kfree_rcu(p, u.head);
-+ }
-+}
-+EXPORT_SYMBOL(release_dentry_name_snapshot);
-+
- static inline void __d_set_inode_and_type(struct dentry *dentry,
- struct inode *inode,
- unsigned type_flags)
---- a/fs/debugfs/inode.c
-+++ b/fs/debugfs/inode.c
-@@ -730,7 +730,7 @@ struct dentry *debugfs_rename(struct den
- {
- int error;
- struct dentry *dentry = NULL, *trap;
-- const char *old_name;
-+ struct name_snapshot old_name;
-
- trap = lock_rename(new_dir, old_dir);
- /* Source or destination directories don't exist? */
-@@ -745,19 +745,19 @@ struct dentry *debugfs_rename(struct den
- if (IS_ERR(dentry) || dentry == trap || d_really_is_positive(dentry))
- goto exit;
-
-- old_name = fsnotify_oldname_init(old_dentry->d_name.name);
-+ take_dentry_name_snapshot(&old_name, old_dentry);
-
- error = simple_rename(d_inode(old_dir), old_dentry, d_inode(new_dir),
- dentry, 0);
- if (error) {
-- fsnotify_oldname_free(old_name);
-+ release_dentry_name_snapshot(&old_name);
- goto exit;
- }
- d_move(old_dentry, dentry);
-- fsnotify_move(d_inode(old_dir), d_inode(new_dir), old_name,
-+ fsnotify_move(d_inode(old_dir), d_inode(new_dir), old_name.name,
- d_is_dir(old_dentry),
- NULL, old_dentry);
-- fsnotify_oldname_free(old_name);
-+ release_dentry_name_snapshot(&old_name);
- unlock_rename(new_dir, old_dir);
- dput(dentry);
- return old_dentry;
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -4336,11 +4336,11 @@ int vfs_rename(struct inode *old_dir, st
- {
- int error;
- bool is_dir = d_is_dir(old_dentry);
-- const unsigned char *old_name;
- struct inode *source = old_dentry->d_inode;
- struct inode *target = new_dentry->d_inode;
- bool new_is_dir = false;
- unsigned max_links = new_dir->i_sb->s_max_links;
-+ struct name_snapshot old_name;
-
- /*
- * Check source == target.
-@@ -4391,7 +4391,7 @@ int vfs_rename(struct inode *old_dir, st
- if (error)
- return error;
-
-- old_name = fsnotify_oldname_init(old_dentry->d_name.name);
-+ take_dentry_name_snapshot(&old_name, old_dentry);
- dget(new_dentry);
- if (!is_dir || (flags & RENAME_EXCHANGE))
- lock_two_nondirectories(source, target);
-@@ -4446,14 +4446,14 @@ out:
- inode_unlock(target);
- dput(new_dentry);
- if (!error) {
-- fsnotify_move(old_dir, new_dir, old_name, is_dir,
-+ fsnotify_move(old_dir, new_dir, old_name.name, is_dir,
- !(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
- if (flags & RENAME_EXCHANGE) {
- fsnotify_move(new_dir, old_dir, old_dentry->d_name.name,
- new_is_dir, NULL, new_dentry);
- }
- }
-- fsnotify_oldname_free(old_name);
-+ release_dentry_name_snapshot(&old_name);
-
- return error;
- }
---- a/fs/notify/fsnotify.c
-+++ b/fs/notify/fsnotify.c
-@@ -104,16 +104,20 @@ int __fsnotify_parent(struct path *path,
- if (unlikely(!fsnotify_inode_watches_children(p_inode)))
- __fsnotify_update_child_dentry_flags(p_inode);
- else if (p_inode->i_fsnotify_mask & mask) {
-+ struct name_snapshot name;
-+
- /* we are notifying a parent so come up with the new mask which
- * specifies these are events which came from a child. */
- mask |= FS_EVENT_ON_CHILD;
-
-+ take_dentry_name_snapshot(&name, dentry);
- if (path)
- ret = fsnotify(p_inode, mask, path, FSNOTIFY_EVENT_PATH,
-- dentry->d_name.name, 0);
-+ name.name, 0);
- else
- ret = fsnotify(p_inode, mask, dentry->d_inode, FSNOTIFY_EVENT_INODE,
-- dentry->d_name.name, 0);
-+ name.name, 0);
-+ release_dentry_name_snapshot(&name);
- }
-
- dput(parent);
---- a/include/linux/dcache.h
-+++ b/include/linux/dcache.h
-@@ -590,5 +590,11 @@ static inline struct inode *d_real_inode
- return d_backing_inode(d_real((struct dentry *) dentry, NULL, 0));
- }
-
-+struct name_snapshot {
-+ const char *name;
-+ char inline_name[DNAME_INLINE_LEN];
-+};
-+void take_dentry_name_snapshot(struct name_snapshot *, struct dentry *);
-+void release_dentry_name_snapshot(struct name_snapshot *);
-
- #endif /* __LINUX_DCACHE_H */
---- a/include/linux/fsnotify.h
-+++ b/include/linux/fsnotify.h
-@@ -293,35 +293,4 @@ static inline void fsnotify_change(struc
- }
- }
-
--#if defined(CONFIG_FSNOTIFY) /* notify helpers */
--
--/*
-- * fsnotify_oldname_init - save off the old filename before we change it
-- */
--static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
--{
-- return kstrdup(name, GFP_KERNEL);
--}
--
--/*
-- * fsnotify_oldname_free - free the name we got from fsnotify_oldname_init
-- */
--static inline void fsnotify_oldname_free(const unsigned char *old_name)
--{
-- kfree(old_name);
--}
--
--#else /* CONFIG_FSNOTIFY */
--
--static inline const char *fsnotify_oldname_init(const unsigned char *name)
--{
-- return NULL;
--}
--
--static inline void fsnotify_oldname_free(const unsigned char *old_name)
--{
--}
--
--#endif /* CONFIG_FSNOTIFY */
--
- #endif /* _LINUX_FS_NOTIFY_H */
diff --git a/debian/patches/bugfix/all/drm-virtio-don-t-leak-bo-on-drm_gem_object_init-fail.patch b/debian/patches/bugfix/all/drm-virtio-don-t-leak-bo-on-drm_gem_object_init-fail.patch
deleted file mode 100644
index 526bdbb..0000000
--- a/debian/patches/bugfix/all/drm-virtio-don-t-leak-bo-on-drm_gem_object_init-fail.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Gerd Hoffmann <kraxel at redhat.com>
-Date: Thu, 6 Apr 2017 17:59:40 +0200
-Subject: drm/virtio: don't leak bo on drm_gem_object_init failure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/385aee965b4e4c36551c362a334378d2985b722a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10810
-
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
-Link: http://patchwork.freedesktop.org/patch/msgid/20170406155941.458-1-kraxel@redhat.com
----
- drivers/gpu/drm/virtio/virtgpu_object.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/virtio/virtgpu_object.c b/drivers/gpu/drm/virtio/virtgpu_object.c
-index 1483daebe057..6f66b7347cd0 100644
---- a/drivers/gpu/drm/virtio/virtgpu_object.c
-+++ b/drivers/gpu/drm/virtio/virtgpu_object.c
-@@ -81,8 +81,10 @@ int virtio_gpu_object_create(struct virtio_gpu_device *vgdev,
- return -ENOMEM;
- size = roundup(size, PAGE_SIZE);
- ret = drm_gem_object_init(vgdev->ddev, &bo->gem_base, size);
-- if (ret != 0)
-+ if (ret != 0) {
-+ kfree(bo);
- return ret;
-+ }
- bo->dumb = false;
- virtio_gpu_init_ttm_placement(bo, pinned);
-
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch b/debian/patches/bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
deleted file mode 100644
index aa15c52..0000000
--- a/debian/patches/bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Fri, 23 Jun 2017 15:08:57 -0700
-Subject: fs/exec.c: account for argv/envp pointers
-Origin: https://git.kernel.org/linus/98da7d08850fb8bdeb395d6368ed15753304aa0c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000365
-
-When limiting the argv/envp strings during exec to 1/4 of the stack limit,
-the storage of the pointers to the strings was not included. This means
-that an exec with huge numbers of tiny strings could eat 1/4 of the stack
-limit in strings and then additional space would be later used by the
-pointers to the strings.
-
-For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721
-single-byte strings would consume less than 2MB of stack, the max (8MB /
-4) amount allowed, but the pointers to the strings would consume the
-remaining additional stack space (1677721 * 4 == 6710884).
-
-The result (1677721 + 6710884 == 8388605) would exhaust stack space
-entirely. Controlling this stack exhaustion could result in
-pathological behavior in setuid binaries (CVE-2017-1000365).
-
-[akpm at linux-foundation.org: additional commenting from Kees]
-Fixes: b6a2fea39318 ("mm: variable length argument support")
-Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Acked-by: Rik van Riel <riel at redhat.com>
-Acked-by: Michal Hocko <mhocko at suse.com>
-Cc: Alexander Viro <viro at zeniv.linux.org.uk>
-Cc: Qualys Security Advisory <qsa at qualys.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- fs/exec.c | 28 ++++++++++++++++++++++++----
- 1 file changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 72934df68471..904199086490 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -220,8 +220,26 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
-
- if (write) {
- unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
-+ unsigned long ptr_size;
- struct rlimit *rlim;
-
-+ /*
-+ * Since the stack will hold pointers to the strings, we
-+ * must account for them as well.
-+ *
-+ * The size calculation is the entire vma while each arg page is
-+ * built, so each time we get here it's calculating how far it
-+ * is currently (rather than each call being just the newly
-+ * added size from the arg page). As a result, we need to
-+ * always add the entire size of the pointers, so that on the
-+ * last call to get_arg_page() we'll actually have the entire
-+ * correct size.
-+ */
-+ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
-+ if (ptr_size > ULONG_MAX - size)
-+ goto fail;
-+ size += ptr_size;
-+
- acct_arg_size(bprm, size / PAGE_SIZE);
-
- /*
-@@ -239,13 +257,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
- * to work from.
- */
- rlim = current->signal->rlim;
-- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
-- put_page(page);
-- return NULL;
-- }
-+ if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
-+ goto fail;
- }
-
- return page;
-+
-+fail:
-+ put_page(page);
-+ return NULL;
- }
-
- static void put_arg_page(struct page *page)
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
deleted file mode 100644
index d1b4d72..0000000
--- a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Sabrina Dubroca <sd at queasysnail.net>
-Date: Wed, 19 Jul 2017 22:28:55 +0200
-Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
-Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
-
-In some cases, offset can overflow and can cause an infinite loop in
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
-
-This problem has been here since before the beginning of git history.
-
-Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
-Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/output_core.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index e9065b8d3af8..abb2c307fbe8 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
-
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
-- u16 offset = sizeof(struct ipv6hdr);
-+ unsigned int offset = sizeof(struct ipv6hdr);
- unsigned int packet_len = skb_tail_pointer(skb) -
- skb_network_header(skb);
- int found_rhdr = 0;
-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- while (offset <= packet_len) {
- struct ipv6_opt_hdr *exthdr;
-+ unsigned int len;
-
- switch (**nexthdr) {
-
-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- offset);
-- offset += ipv6_optlen(exthdr);
-+ len = ipv6_optlen(exthdr);
-+ if (len + offset >= IPV6_MAXPLEN)
-+ return -EINVAL;
-+ offset += len;
- *nexthdr = &exthdr->nexthdr;
- }
-
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch b/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
deleted file mode 100644
index e6649a9..0000000
--- a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Wed, 17 May 2017 22:54:11 -0400
-Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
-Origin: https://git.kernel.org/linus/7dd7eb9513bd02184d45f000ab69d78cb1fa1531
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-Do not use unsigned variables to see if it returns a negative
-error or not.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Reported-by: Julia Lawall <julia.lawall at lip6.fr>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_offload.c | 9 ++++-----
- net/ipv6/ip6_output.c | 7 +++----
- net/ipv6/udp_offload.c | 8 +++++---
- 3 files changed, 12 insertions(+), 12 deletions(-)
-
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(
- const struct net_offload *ops;
- int proto;
- struct frag_hdr *fptr;
-- unsigned int unfrag_ip6hlen;
- unsigned int payload_len;
- u8 *prevhdr;
- int offset = 0;
-@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(
- skb->network_header = (u8 *)ipv6h - skb->head;
-
- if (udpfrag) {
-- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-- if (unfrag_ip6hlen < 0)
-- return ERR_PTR(unfrag_ip6hlen);
-- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
-+ int err = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (err < 0)
-+ return ERR_PTR(err);
-+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
- fptr->frag_off = htons(offset);
- if (skb->next)
- fptr->frag_off |= htons(IP6_MF);
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -586,11 +586,10 @@ int ip6_fragment(struct net *net, struct
- int ptr, offset = 0, err = 0;
- u8 *prevhdr, nexthdr = 0;
-
-- hlen = ip6_find_1stfragopt(skb, &prevhdr);
-- if (hlen < 0) {
-- err = hlen;
-+ err = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (err < 0)
- goto fail;
-- }
-+ hlen = err;
- nexthdr = *prevhdr;
-
- mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/udp_offload.c
-+++ b/net/ipv6/udp_offload.c
-@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment
- u8 frag_hdr_sz = sizeof(struct frag_hdr);
- __wsum csum;
- int tnl_hlen;
-+ int err;
-
- mss = skb_shinfo(skb)->gso_size;
- if (unlikely(skb->len <= mss))
-@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment
- /* Find the unfragmentable header and shift it left by frag_hdr_sz
- * bytes to insert fragment header.
- */
-- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-- if (unfrag_ip6hlen < 0)
-- return ERR_PTR(unfrag_ip6hlen);
-+ err = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (err < 0)
-+ return ERR_PTR(err);
-+ unfrag_ip6hlen = err;
- nexthdr = *prevhdr;
- *prevhdr = NEXTHDR_FRAGMENT;
- unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
diff --git a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
deleted file mode 100644
index 0c923db..0000000
--- a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Tue, 9 May 2017 16:59:54 -0700
-Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
-Origin: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9076
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9077
-
-Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
-we should clear ipv6_mc_list etc. for IPv6 sockets too.
-
-Cc: Eric Dumazet <edumazet at google.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/dccp/ipv6.c | 6 ++++++
- net/ipv6/tcp_ipv6.c | 2 ++
- 2 files changed, 8 insertions(+)
-
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv
- newsk->sk_backlog_rcv = dccp_v4_do_rcv;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->mcast_oif = inet6_iif(skb);
- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
-
-@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv
- /* Clone RX bits */
- newnp->rxopt.all = np->rxopt.all;
-
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
- newnp->mcast_oif = inet6_iif(skb);
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1046,6 +1046,7 @@ static struct sock *tcp_v6_syn_recv_sock
- newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
- #endif
-
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
-@@ -1115,6 +1116,7 @@ static struct sock *tcp_v6_syn_recv_sock
- First: no IPv4 options.
- */
- newinet->inet_opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
-
diff --git a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
deleted file mode 100644
index c5142b2..0000000
--- a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Sun, 4 Jun 2017 21:41:10 -0400
-Subject: ipv6: Fix leak in ipv6_gso_segment().
-Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-If ip6_find_1stfragopt() fails and we return an error we have to free
-up 'segs' because nobody else is going to.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Reported-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_offload.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
-index 280268f1dd7b..cdb3728faca7 100644
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -116,8 +116,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
-
- if (udpfrag) {
- int err = ip6_find_1stfragopt(skb, &prevhdr);
-- if (err < 0)
-+ if (err < 0) {
-+ kfree_skb_list(segs);
- return ERR_PTR(err);
-+ }
- fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
- fptr->frag_off = htons(offset);
- if (skb->next)
diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
deleted file mode 100644
index 4ece85c..0000000
--- a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 19 May 2017 14:17:48 -0700
-Subject: ipv6: fix out of bound writes in __ip6_append_data()
-Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
-
-Andrey Konovalov and idaifish at gmail.com reported crashes caused by
-one skb shared_info being overwritten from __ip6_append_data()
-
-Andrey program lead to following state :
-
-copy -4200 datalen 2000 fraglen 2040
-maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
-
-The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
-fraggap, 0); is overwriting skb->head and skb_shared_info
-
-Since we apparently detect this rare condition too late, move the
-code earlier to even avoid allocating skb and risking crashes.
-
-Once again, many thanks to Andrey and syzkaller team.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Reported-by: <idaifish at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_output.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1448,6 +1448,11 @@ alloc_new_skb:
- */
- alloclen += sizeof(struct frag_hdr);
-
-+ copy = datalen - transhdrlen - fraggap;
-+ if (copy < 0) {
-+ err = -EINVAL;
-+ goto error;
-+ }
- if (transhdrlen) {
- skb = sock_alloc_send_skb(sk,
- alloclen + hh_len,
-@@ -1497,13 +1502,9 @@ alloc_new_skb:
- data += fraggap;
- pskb_trim_unique(skb_prev, maxfraglen);
- }
-- copy = datalen - transhdrlen - fraggap;
--
-- if (copy < 0) {
-- err = -EINVAL;
-- kfree_skb(skb);
-- goto error;
-- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
-+ if (copy > 0 &&
-+ getfrag(from, data + transhdrlen, offset,
-+ copy, fraggap, skb) < 0) {
- err = -EFAULT;
- kfree_skb(skb);
- goto error;
diff --git a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
deleted file mode 100644
index 4137e70..0000000
--- a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From: Craig Gallek <kraig at google.com>
-Date: Tue, 16 May 2017 14:36:23 -0400
-Subject: ipv6: Prevent overrun when parsing v6 header options
-Origin: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-The KASAN warning repoted below was discovered with a syzkaller
-program. The reproducer is basically:
- int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
- send(s, &one_byte_of_data, 1, MSG_MORE);
- send(s, &more_than_mtu_bytes_data, 2000, 0);
-
-The socket() call sets the nexthdr field of the v6 header to
-NEXTHDR_HOP, the first send call primes the payload with a non zero
-byte of data, and the second send call triggers the fragmentation path.
-
-The fragmentation code tries to parse the header options in order
-to figure out where to insert the fragment option. Since nexthdr points
-to an invalid option, the calculation of the size of the network header
-can made to be much larger than the linear section of the skb and data
-is read outside of it.
-
-This fix makes ip6_find_1stfrag return an error if it detects
-running out-of-bounds.
-
-[ 42.361487] ==================================================================
-[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
-[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
-[ 42.366469]
-[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
-[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
-[ 42.368824] Call Trace:
-[ 42.369183] dump_stack+0xb3/0x10b
-[ 42.369664] print_address_description+0x73/0x290
-[ 42.370325] kasan_report+0x252/0x370
-[ 42.370839] ? ip6_fragment+0x11c8/0x3730
-[ 42.371396] check_memory_region+0x13c/0x1a0
-[ 42.371978] memcpy+0x23/0x50
-[ 42.372395] ip6_fragment+0x11c8/0x3730
-[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110
-[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0
-[ 42.374263] ? ip6_forward+0x2e30/0x2e30
-[ 42.374803] ip6_finish_output+0x584/0x990
-[ 42.375350] ip6_output+0x1b7/0x690
-[ 42.375836] ? ip6_finish_output+0x990/0x990
-[ 42.376411] ? ip6_fragment+0x3730/0x3730
-[ 42.376968] ip6_local_out+0x95/0x160
-[ 42.377471] ip6_send_skb+0xa1/0x330
-[ 42.377969] ip6_push_pending_frames+0xb3/0xe0
-[ 42.378589] rawv6_sendmsg+0x2051/0x2db0
-[ 42.379129] ? rawv6_bind+0x8b0/0x8b0
-[ 42.379633] ? _copy_from_user+0x84/0xe0
-[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290
-[ 42.380878] ? ___sys_sendmsg+0x162/0x930
-[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120
-[ 42.382074] ? sock_has_perm+0x1f6/0x290
-[ 42.382614] ? ___sys_sendmsg+0x167/0x930
-[ 42.383173] ? lock_downgrade+0x660/0x660
-[ 42.383727] inet_sendmsg+0x123/0x500
-[ 42.384226] ? inet_sendmsg+0x123/0x500
-[ 42.384748] ? inet_recvmsg+0x540/0x540
-[ 42.385263] sock_sendmsg+0xca/0x110
-[ 42.385758] SYSC_sendto+0x217/0x380
-[ 42.386249] ? SYSC_connect+0x310/0x310
-[ 42.386783] ? __might_fault+0x110/0x1d0
-[ 42.387324] ? lock_downgrade+0x660/0x660
-[ 42.387880] ? __fget_light+0xa1/0x1f0
-[ 42.388403] ? __fdget+0x18/0x20
-[ 42.388851] ? sock_common_setsockopt+0x95/0xd0
-[ 42.389472] ? SyS_setsockopt+0x17f/0x260
-[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe
-[ 42.390650] SyS_sendto+0x40/0x50
-[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe
-[ 42.391731] RIP: 0033:0x7fbbb711e383
-[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
-[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
-[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
-[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
-[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
-[ 42.397257]
-[ 42.397411] Allocated by task 3789:
-[ 42.397702] save_stack_trace+0x16/0x20
-[ 42.398005] save_stack+0x46/0xd0
-[ 42.398267] kasan_kmalloc+0xad/0xe0
-[ 42.398548] kasan_slab_alloc+0x12/0x20
-[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380
-[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0
-[ 42.399654] __alloc_skb+0xf8/0x580
-[ 42.400003] sock_wmalloc+0xab/0xf0
-[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0
-[ 42.400813] ip6_append_data+0x1a8/0x2f0
-[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0
-[ 42.401505] inet_sendmsg+0x123/0x500
-[ 42.401860] sock_sendmsg+0xca/0x110
-[ 42.402209] ___sys_sendmsg+0x7cb/0x930
-[ 42.402582] __sys_sendmsg+0xd9/0x190
-[ 42.402941] SyS_sendmsg+0x2d/0x50
-[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe
-[ 42.403718]
-[ 42.403871] Freed by task 1794:
-[ 42.404146] save_stack_trace+0x16/0x20
-[ 42.404515] save_stack+0x46/0xd0
-[ 42.404827] kasan_slab_free+0x72/0xc0
-[ 42.405167] kfree+0xe8/0x2b0
-[ 42.405462] skb_free_head+0x74/0xb0
-[ 42.405806] skb_release_data+0x30e/0x3a0
-[ 42.406198] skb_release_all+0x4a/0x60
-[ 42.406563] consume_skb+0x113/0x2e0
-[ 42.406910] skb_free_datagram+0x1a/0xe0
-[ 42.407288] netlink_recvmsg+0x60d/0xe40
-[ 42.407667] sock_recvmsg+0xd7/0x110
-[ 42.408022] ___sys_recvmsg+0x25c/0x580
-[ 42.408395] __sys_recvmsg+0xd6/0x190
-[ 42.408753] SyS_recvmsg+0x2d/0x50
-[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe
-[ 42.409513]
-[ 42.409665] The buggy address belongs to the object at ffff88000969e780
-[ 42.409665] which belongs to the cache kmalloc-512 of size 512
-[ 42.410846] The buggy address is located 24 bytes inside of
-[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980)
-[ 42.411941] The buggy address belongs to the page:
-[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
-[ 42.413298] flags: 0x100000000008100(slab|head)
-[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
-[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
-[ 42.415074] page dumped because: kasan: bad access detected
-[ 42.415604]
-[ 42.415757] Memory state around the buggy address:
-[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 42.418273] ^
-[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[ 42.419882] ==================================================================
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Craig Gallek <kraig at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_offload.c | 2 ++
- net/ipv6/ip6_output.c | 4 ++++
- net/ipv6/output_core.c | 14 ++++++++------
- net/ipv6/udp_offload.c | 2 ++
- 4 files changed, 16 insertions(+), 6 deletions(-)
-
---- a/net/ipv6/ip6_offload.c
-+++ b/net/ipv6/ip6_offload.c
-@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(
-
- if (udpfrag) {
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (unfrag_ip6hlen < 0)
-+ return ERR_PTR(unfrag_ip6hlen);
- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
- fptr->frag_off = htons(offset);
- if (skb->next)
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -587,6 +587,10 @@ int ip6_fragment(struct net *net, struct
- u8 *prevhdr, nexthdr = 0;
-
- hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (hlen < 0) {
-+ err = hlen;
-+ goto fail;
-+ }
- nexthdr = *prevhdr;
-
- mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident);
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
- u16 offset = sizeof(struct ipv6hdr);
-- struct ipv6_opt_hdr *exthdr =
-- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
- unsigned int packet_len = skb_tail_pointer(skb) -
- skb_network_header(skb);
- int found_rhdr = 0;
- *nexthdr = &ipv6_hdr(skb)->nexthdr;
-
-- while (offset + 1 <= packet_len) {
-+ while (offset <= packet_len) {
-+ struct ipv6_opt_hdr *exthdr;
-
- switch (**nexthdr) {
-
-@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *
- return offset;
- }
-
-- offset += ipv6_optlen(exthdr);
-- *nexthdr = &exthdr->nexthdr;
-+ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
-+ return -EINVAL;
-+
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- offset);
-+ offset += ipv6_optlen(exthdr);
-+ *nexthdr = &exthdr->nexthdr;
- }
-
-- return offset;
-+ return -EINVAL;
- }
- EXPORT_SYMBOL(ip6_find_1stfragopt);
-
---- a/net/ipv6/udp_offload.c
-+++ b/net/ipv6/udp_offload.c
-@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment
- * bytes to insert fragment header.
- */
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (unfrag_ip6hlen < 0)
-+ return ERR_PTR(unfrag_ip6hlen);
- nexthdr = *prevhdr;
- *prevhdr = NEXTHDR_FRAGMENT;
- unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
diff --git a/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch b/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
deleted file mode 100644
index aa82497..0000000
--- a/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Zheng Li <james.z.li at ericsson.com>
-Date: Wed, 28 Dec 2016 23:23:46 +0800
-Subject: ipv6: Should use consistent conditional judgement for ip6 fragment
- between __ip6_append_data and ip6_finish_output
-Origin: https://git.kernel.org/linus/e4c5e13aa45c23692e4acf56f0b3533f328199b2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
-
-There is an inconsistent conditional judgement between __ip6_append_data
-and ip6_finish_output functions, the variable length in __ip6_append_data
-just include the length of application's payload and udp6 header, don't
-include the length of ipv6 header, but in ip6_finish_output use
-(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
-length of ipv6 header.
-
-That causes some particular application's udp6 payloads whose length are
-between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
-though the rst->dev support UFO feature.
-
-Add the length of ipv6 header to length in __ip6_append_data to keep
-consistent conditional judgement as ip6_finish_output for ip6 fragment.
-
-Signed-off-by: Zheng Li <james.z.li at ericsson.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_output.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1371,7 +1371,7 @@ emsgsize:
- */
-
- cork->length += length;
-- if (((length > mtu) ||
-+ if ((((length + fragheaderlen) > mtu) ||
- (skb && skb_is_gso(skb))) &&
- (sk->sk_protocol == IPPROTO_UDP) &&
- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
diff --git a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
deleted file mode 100644
index 02ea18f..0000000
--- a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Wed, 31 May 2017 13:15:41 +0100
-Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
-Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-xfrm6_find_1stfragopt() may now return an error code and we must
-not treat it as a length.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Acked-by: Craig Gallek <kraig at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/xfrm6_mode_ro.c | 2 ++
- net/ipv6/xfrm6_mode_transport.c | 2 ++
- 2 files changed, 4 insertions(+)
-
---- a/net/ipv6/xfrm6_mode_ro.c
-+++ b/net/ipv6/xfrm6_mode_ro.c
-@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
- iph = ipv6_hdr(skb);
-
- hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
-+ if (hdr_len < 0)
-+ return hdr_len;
- skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
- skb_set_network_header(skb, -x->props.header_len);
- skb->transport_header = skb->network_header + hdr_len;
---- a/net/ipv6/xfrm6_mode_transport.c
-+++ b/net/ipv6/xfrm6_mode_transport.c
-@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
- iph = ipv6_hdr(skb);
-
- hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
-+ if (hdr_len < 0)
-+ return hdr_len;
- skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
- skb_set_network_header(skb, -x->props.header_len);
- skb->transport_header = skb->network_header + hdr_len;
diff --git a/debian/patches/bugfix/all/liblockdep-reduce-max_lock_depth-to-avoid-overflowin.patch b/debian/patches/bugfix/all/liblockdep-reduce-max_lock_depth-to-avoid-overflowin.patch
deleted file mode 100644
index f15e6d3..0000000
--- a/debian/patches/bugfix/all/liblockdep-reduce-max_lock_depth-to-avoid-overflowin.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Tue, 14 Jun 2016 20:44:14 +0100
-Subject: [PATCH 2/7] liblockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing
- lock_chain::depth
-Forwarded: http://mid.gmane.org/20160614204752.GU7555@decadent.org.uk
-
-liblockdep has been broken since commit 75dd602a5198 ("lockdep: Fix
-lock_chain::base size"), as that adds a check that MAX_LOCK_DEPTH is
-within the range of lock_chain::depth and in liblockdep it is much
-too large.
-
-That should have resulted in a compiler error, but didn't because:
-
-- the check uses ARRAY_SIZE(), which isn't yet defined in liblockdep
- so is assumed to be an (undeclared) function
-- putting a function call inside a BUILD_BUG_ON() expression quietly
- turns it into some nonsense involving a variable-length array
-
-It did produce a compiler warning, but I didn't notice because
-liblockdep already produces too many warnings if -Wall is enabled
-(which I'll fix shortly).
-
-Even before that commit, which reduced lock_chain::depth from 8 bits
-to 6, MAX_LOCK_DEPTH was too large.
-
-Cc: <stable at vger.kernel.org> # for versions before 4.6, use a value of 255
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- tools/lib/lockdep/uinclude/linux/lockdep.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/lib/lockdep/uinclude/linux/lockdep.h b/tools/lib/lockdep/uinclude/linux/lockdep.h
-index c808c7d02d21..d30214221920 100644
---- a/tools/lib/lockdep/uinclude/linux/lockdep.h
-+++ b/tools/lib/lockdep/uinclude/linux/lockdep.h
-@@ -8,7 +8,7 @@
- #include <linux/utsname.h>
- #include <linux/compiler.h>
-
--#define MAX_LOCK_DEPTH 2000UL
-+#define MAX_LOCK_DEPTH 63UL
-
- #define asmlinkage
- #define __visible
diff --git a/debian/patches/bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch b/debian/patches/bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
deleted file mode 100644
index ccd5663..0000000
--- a/debian/patches/bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Hugh Dickins <hughd at google.com>
-Date: Tue, 20 Jun 2017 02:10:44 -0700
-Subject: mm: fix new crash in unmapped_area_topdown()
-Origin: https://git.kernel.org/linus/f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
-
-Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
-mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the
-end of unmapped_area_topdown(). Linus points out how MAP_FIXED
-(which does not have to respect our stack guard gap intentions)
-could result in gap_end below gap_start there. Fix that, and
-the similar case in its alternative, unmapped_area().
-
-Cc: stable at vger.kernel.org
-Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
-Reported-by: Dave Jones <davej at codemonkey.org.uk>
-Debugged-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Acked-by: Michal Hocko <mhocko at suse.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- mm/mmap.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -1813,7 +1813,8 @@ check_current:
- /* Check if current node has a suitable gap */
- if (gap_start > high_limit)
- return -ENOMEM;
-- if (gap_end >= low_limit && gap_end - gap_start >= length)
-+ if (gap_end >= low_limit &&
-+ gap_end > gap_start && gap_end - gap_start >= length)
- goto found;
-
- /* Visit right subtree if it looks promising */
-@@ -1916,7 +1917,8 @@ check_current:
- gap_end = vm_start_gap(vma);
- if (gap_end < low_limit)
- return -ENOMEM;
-- if (gap_start <= high_limit && gap_end - gap_start >= length)
-+ if (gap_start <= high_limit &&
-+ gap_end > gap_start && gap_end - gap_start >= length)
- goto found;
-
- /* Visit left subtree if it looks promising */
diff --git a/debian/patches/bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch b/debian/patches/bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
deleted file mode 100644
index 546e544..0000000
--- a/debian/patches/bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
+++ /dev/null
@@ -1,886 +0,0 @@
-From: Hugh Dickins <hughd at google.com>
-Date: Mon, 19 Jun 2017 04:03:24 -0700
-Subject: mm: larger stack guard gap, between vmas
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
-
-commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
-
-Stack guard page is a useful feature to reduce a risk of stack smashing
-into a different mapping. We have been using a single page gap which
-is sufficient to prevent having stack adjacent to a different mapping.
-But this seems to be insufficient in the light of the stack usage in
-userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
-used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
-which is 256kB or stack strings with MAX_ARG_STRLEN.
-
-This will become especially dangerous for suid binaries and the default
-no limit for the stack size limit because those applications can be
-tricked to consume a large portion of the stack and a single glibc call
-could jump over the guard page. These attacks are not theoretical,
-unfortunatelly.
-
-Make those attacks less probable by increasing the stack guard gap
-to 1MB (on systems with 4k pages; but make it depend on the page size
-because systems with larger base pages might cap stack allocations in
-the PAGE_SIZE units) which should cover larger alloca() and VLA stack
-allocations. It is obviously not a full fix because the problem is
-somehow inherent, but it should reduce attack space a lot.
-
-One could argue that the gap size should be configurable from userspace,
-but that can be done later when somebody finds that the new 1MB is wrong
-for some special case applications. For now, add a kernel command line
-option (stack_guard_gap) to specify the stack gap size (in page units).
-
-Implementation wise, first delete all the old code for stack guard page:
-because although we could get away with accounting one extra page in a
-stack vma, accounting a larger gap can break userspace - case in point,
-a program run with "ulimit -S -v 20000" failed when the 1MB gap was
-counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
-and strict non-overcommit mode.
-
-Instead of keeping gap inside the stack vma, maintain the stack guard
-gap as a gap between vmas: using vm_start_gap() in place of vm_start
-(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
-places which need to respect the gap - mainly arch_get_unmapped_area(),
-and and the vma tree's subtree_gap support for that.
-
-Original-patch-by: Oleg Nesterov <oleg at redhat.com>
-Original-patch-by: Michal Hocko <mhocko at suse.com>
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Acked-by: Michal Hocko <mhocko at suse.com>
-Tested-by: Helge Deller <deller at gmx.de> # parisc
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[wt: backport to 4.11: adjust context]
-[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
-Signed-off-by: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- Documentation/kernel-parameters.txt | 7 +
- arch/arc/mm/mmap.c | 2
- arch/arm/mm/mmap.c | 4
- arch/frv/mm/elf-fdpic.c | 2
- arch/mips/mm/mmap.c | 2
- arch/parisc/kernel/sys_parisc.c | 15 ++-
- arch/powerpc/mm/hugetlbpage-radix.c | 2
- arch/powerpc/mm/mmap.c | 4
- arch/powerpc/mm/slice.c | 2
- arch/s390/mm/mmap.c | 4
- arch/sh/mm/mmap.c | 4
- arch/sparc/kernel/sys_sparc_64.c | 4
- arch/sparc/mm/hugetlbpage.c | 2
- arch/tile/mm/hugetlbpage.c | 2
- arch/x86/kernel/sys_x86_64.c | 4
- arch/x86/mm/hugetlbpage.c | 2
- arch/xtensa/kernel/syscall.c | 2
- fs/hugetlbfs/inode.c | 2
- fs/proc/task_mmu.c | 4
- include/linux/mm.h | 53 ++++++------
- mm/gup.c | 5 -
- mm/memory.c | 38 ---------
- mm/mmap.c | 149 +++++++++++++++++++++---------------
- 23 files changed, 152 insertions(+), 163 deletions(-)
-
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -3932,6 +3932,13 @@ bytes respectively. Such letter suffixes
- spia_pedr=
- spia_peddr=
-
-+ stack_guard_gap= [MM]
-+ override the default stack gap protection. The value
-+ is in page units and it defines how many pages prior
-+ to (for stacks growing down) resp. after (for stacks
-+ growing up) the main stack are reserved for no other
-+ mapping. Default value is 256 pages.
-+
- stacktrace [FTRACE]
- Enabled the stack tracer on boot up.
-
---- a/arch/arc/mm/mmap.c
-+++ b/arch/arc/mm/mmap.c
-@@ -64,7 +64,7 @@ arch_get_unmapped_area(struct file *filp
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/arm/mm/mmap.c
-+++ b/arch/arm/mm/mmap.c
-@@ -89,7 +89,7 @@ arch_get_unmapped_area(struct file *filp
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -140,7 +140,7 @@ arch_get_unmapped_area_topdown(struct fi
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/frv/mm/elf-fdpic.c
-+++ b/arch/frv/mm/elf-fdpic.c
-@@ -74,7 +74,7 @@ unsigned long arch_get_unmapped_area(str
- addr = PAGE_ALIGN(addr);
- vma = find_vma(current->mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- goto success;
- }
-
---- a/arch/mips/mm/mmap.c
-+++ b/arch/mips/mm/mmap.c
-@@ -92,7 +92,7 @@ static unsigned long arch_get_unmapped_a
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/parisc/kernel/sys_parisc.c
-+++ b/arch/parisc/kernel/sys_parisc.c
-@@ -88,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
- unsigned long len, unsigned long pgoff, unsigned long flags)
- {
- struct mm_struct *mm = current->mm;
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
- unsigned long task_size = TASK_SIZE;
- int do_color_align, last_mmap;
- struct vm_unmapped_area_info info;
-@@ -115,9 +115,10 @@ unsigned long arch_get_unmapped_area(str
- else
- addr = PAGE_ALIGN(addr);
-
-- vma = find_vma(mm, addr);
-+ vma = find_vma_prev(mm, addr, &prev);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)) &&
-+ (!prev || addr >= vm_end_gap(prev)))
- goto found_addr;
- }
-
-@@ -141,7 +142,7 @@ arch_get_unmapped_area_topdown(struct fi
- const unsigned long len, const unsigned long pgoff,
- const unsigned long flags)
- {
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
- struct mm_struct *mm = current->mm;
- unsigned long addr = addr0;
- int do_color_align, last_mmap;
-@@ -175,9 +176,11 @@ arch_get_unmapped_area_topdown(struct fi
- addr = COLOR_ALIGN(addr, last_mmap, pgoff);
- else
- addr = PAGE_ALIGN(addr);
-- vma = find_vma(mm, addr);
-+
-+ vma = find_vma_prev(mm, addr, &prev);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)) &&
-+ (!prev || addr >= vm_end_gap(prev)))
- goto found_addr;
- }
-
---- a/arch/powerpc/mm/hugetlbpage-radix.c
-+++ b/arch/powerpc/mm/hugetlbpage-radix.c
-@@ -65,7 +65,7 @@ radix__hugetlb_get_unmapped_area(struct
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- /*
---- a/arch/powerpc/mm/mmap.c
-+++ b/arch/powerpc/mm/mmap.c
-@@ -106,7 +106,7 @@ radix__arch_get_unmapped_area(struct fil
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -142,7 +142,7 @@ radix__arch_get_unmapped_area_topdown(st
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/powerpc/mm/slice.c
-+++ b/arch/powerpc/mm/slice.c
-@@ -105,7 +105,7 @@ static int slice_area_is_free(struct mm_
- if ((mm->task_size - len) < addr)
- return 0;
- vma = find_vma(mm, addr);
-- return (!vma || (addr + len) <= vma->vm_start);
-+ return (!vma || (addr + len) <= vm_start_gap(vma));
- }
-
- static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
---- a/arch/s390/mm/mmap.c
-+++ b/arch/s390/mm/mmap.c
-@@ -98,7 +98,7 @@ arch_get_unmapped_area(struct file *filp
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -136,7 +136,7 @@ arch_get_unmapped_area_topdown(struct fi
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/sh/mm/mmap.c
-+++ b/arch/sh/mm/mmap.c
-@@ -63,7 +63,7 @@ unsigned long arch_get_unmapped_area(str
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -113,7 +113,7 @@ arch_get_unmapped_area_topdown(struct fi
-
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/sparc/kernel/sys_sparc_64.c
-+++ b/arch/sparc/kernel/sys_sparc_64.c
-@@ -118,7 +118,7 @@ unsigned long arch_get_unmapped_area(str
-
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -181,7 +181,7 @@ arch_get_unmapped_area_topdown(struct fi
-
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/sparc/mm/hugetlbpage.c
-+++ b/arch/sparc/mm/hugetlbpage.c
-@@ -116,7 +116,7 @@ hugetlb_get_unmapped_area(struct file *f
- addr = ALIGN(addr, HPAGE_SIZE);
- vma = find_vma(mm, addr);
- if (task_size - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (mm->get_unmapped_area == arch_get_unmapped_area)
---- a/arch/tile/mm/hugetlbpage.c
-+++ b/arch/tile/mm/hugetlbpage.c
-@@ -232,7 +232,7 @@ unsigned long hugetlb_get_unmapped_area(
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (current->mm->get_unmapped_area == arch_get_unmapped_area)
---- a/arch/x86/kernel/sys_x86_64.c
-+++ b/arch/x86/kernel/sys_x86_64.c
-@@ -140,7 +140,7 @@ arch_get_unmapped_area(struct file *filp
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (end - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
-@@ -183,7 +183,7 @@ arch_get_unmapped_area_topdown(struct fi
- addr = PAGE_ALIGN(addr);
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/arch/x86/mm/hugetlbpage.c
-+++ b/arch/x86/mm/hugetlbpage.c
-@@ -144,7 +144,7 @@ hugetlb_get_unmapped_area(struct file *f
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
- if (mm->get_unmapped_area == arch_get_unmapped_area)
---- a/arch/xtensa/kernel/syscall.c
-+++ b/arch/xtensa/kernel/syscall.c
-@@ -87,7 +87,7 @@ unsigned long arch_get_unmapped_area(str
- /* At this point: (!vmm || addr < vmm->vm_end). */
- if (TASK_SIZE - len < addr)
- return -ENOMEM;
-- if (!vmm || addr + len <= vmm->vm_start)
-+ if (!vmm || addr + len <= vm_start_gap(vmm))
- return addr;
- addr = vmm->vm_end;
- if (flags & MAP_SHARED)
---- a/fs/hugetlbfs/inode.c
-+++ b/fs/hugetlbfs/inode.c
-@@ -191,7 +191,7 @@ hugetlb_get_unmapped_area(struct file *f
- addr = ALIGN(addr, huge_page_size(h));
- vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)))
- return addr;
- }
-
---- a/fs/proc/task_mmu.c
-+++ b/fs/proc/task_mmu.c
-@@ -299,11 +299,7 @@ show_map_vma(struct seq_file *m, struct
-
- /* We don't show the stack guard page in /proc/maps */
- start = vma->vm_start;
-- if (stack_guard_page_start(vma, start))
-- start += PAGE_SIZE;
- end = vma->vm_end;
-- if (stack_guard_page_end(vma, end))
-- end -= PAGE_SIZE;
-
- seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
- seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -1356,39 +1356,11 @@ int clear_page_dirty_for_io(struct page
-
- int get_cmdline(struct task_struct *task, char *buffer, int buflen);
-
--/* Is the vma a continuation of the stack vma above it? */
--static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
--{
-- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
--}
--
- static inline bool vma_is_anonymous(struct vm_area_struct *vma)
- {
- return !vma->vm_ops;
- }
-
--static inline int stack_guard_page_start(struct vm_area_struct *vma,
-- unsigned long addr)
--{
-- return (vma->vm_flags & VM_GROWSDOWN) &&
-- (vma->vm_start == addr) &&
-- !vma_growsdown(vma->vm_prev, addr);
--}
--
--/* Is the vma a continuation of the stack vma below it? */
--static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
--{
-- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
--}
--
--static inline int stack_guard_page_end(struct vm_area_struct *vma,
-- unsigned long addr)
--{
-- return (vma->vm_flags & VM_GROWSUP) &&
-- (vma->vm_end == addr) &&
-- !vma_growsup(vma->vm_next, addr);
--}
--
- int vma_is_stack_for_current(struct vm_area_struct *vma);
-
- extern unsigned long move_page_tables(struct vm_area_struct *vma,
-@@ -2127,6 +2099,7 @@ void page_cache_async_readahead(struct a
- pgoff_t offset,
- unsigned long size);
-
-+extern unsigned long stack_guard_gap;
- /* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */
- extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
-
-@@ -2155,6 +2128,30 @@ static inline struct vm_area_struct * fi
- return vma;
- }
-
-+static inline unsigned long vm_start_gap(struct vm_area_struct *vma)
-+{
-+ unsigned long vm_start = vma->vm_start;
-+
-+ if (vma->vm_flags & VM_GROWSDOWN) {
-+ vm_start -= stack_guard_gap;
-+ if (vm_start > vma->vm_start)
-+ vm_start = 0;
-+ }
-+ return vm_start;
-+}
-+
-+static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
-+{
-+ unsigned long vm_end = vma->vm_end;
-+
-+ if (vma->vm_flags & VM_GROWSUP) {
-+ vm_end += stack_guard_gap;
-+ if (vm_end < vma->vm_end)
-+ vm_end = -PAGE_SIZE;
-+ }
-+ return vm_end;
-+}
-+
- static inline unsigned long vma_pages(struct vm_area_struct *vma)
- {
- return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
---- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -370,11 +370,6 @@ static int faultin_page(struct task_stru
- /* mlock all present pages, but do not fault in new pages */
- if ((*flags & (FOLL_POPULATE | FOLL_MLOCK)) == FOLL_MLOCK)
- return -ENOENT;
-- /* For mm_populate(), just skip the stack guard page. */
-- if ((*flags & FOLL_POPULATE) &&
-- (stack_guard_page_start(vma, address) ||
-- stack_guard_page_end(vma, address + PAGE_SIZE)))
-- return -ENOENT;
- if (*flags & FOLL_WRITE)
- fault_flags |= FAULT_FLAG_WRITE;
- if (*flags & FOLL_REMOTE)
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -2699,40 +2699,6 @@ out_release:
- }
-
- /*
-- * This is like a special single-page "expand_{down|up}wards()",
-- * except we must first make sure that 'address{-|+}PAGE_SIZE'
-- * doesn't hit another vma.
-- */
--static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
--{
-- address &= PAGE_MASK;
-- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
-- struct vm_area_struct *prev = vma->vm_prev;
--
-- /*
-- * Is there a mapping abutting this one below?
-- *
-- * That's only ok if it's the same stack mapping
-- * that has gotten split..
-- */
-- if (prev && prev->vm_end == address)
-- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
--
-- return expand_downwards(vma, address - PAGE_SIZE);
-- }
-- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
-- struct vm_area_struct *next = vma->vm_next;
--
-- /* As VM_GROWSDOWN but s/below/above/ */
-- if (next && next->vm_start == address + PAGE_SIZE)
-- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
--
-- return expand_upwards(vma, address + PAGE_SIZE);
-- }
-- return 0;
--}
--
--/*
- * We enter with non-exclusive mmap_sem (to exclude vma changes,
- * but allow concurrent faults), and pte mapped but not yet locked.
- * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -2748,10 +2714,6 @@ static int do_anonymous_page(struct faul
- if (vma->vm_flags & VM_SHARED)
- return VM_FAULT_SIGBUS;
-
-- /* Check if we need to add a guard page to the stack */
-- if (check_stack_guard_page(vma, fe->address) < 0)
-- return VM_FAULT_SIGSEGV;
--
- /*
- * Use pte_alloc() instead of pte_alloc_map(). We can't run
- * pte_offset_map() on pmds where a huge pmd might be created
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -183,6 +183,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
- unsigned long retval;
- unsigned long newbrk, oldbrk;
- struct mm_struct *mm = current->mm;
-+ struct vm_area_struct *next;
- unsigned long min_brk;
- bool populate;
-
-@@ -228,7 +229,8 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
- }
-
- /* Check against existing mmap mappings. */
-- if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE))
-+ next = find_vma(mm, oldbrk);
-+ if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
- goto out;
-
- /* Ok, looks good - let it rip. */
-@@ -251,10 +253,22 @@ out:
-
- static long vma_compute_subtree_gap(struct vm_area_struct *vma)
- {
-- unsigned long max, subtree_gap;
-- max = vma->vm_start;
-- if (vma->vm_prev)
-- max -= vma->vm_prev->vm_end;
-+ unsigned long max, prev_end, subtree_gap;
-+
-+ /*
-+ * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we
-+ * allow two stack_guard_gaps between them here, and when choosing
-+ * an unmapped area; whereas when expanding we only require one.
-+ * That's a little inconsistent, but keeps the code here simpler.
-+ */
-+ max = vm_start_gap(vma);
-+ if (vma->vm_prev) {
-+ prev_end = vm_end_gap(vma->vm_prev);
-+ if (max > prev_end)
-+ max -= prev_end;
-+ else
-+ max = 0;
-+ }
- if (vma->vm_rb.rb_left) {
- subtree_gap = rb_entry(vma->vm_rb.rb_left,
- struct vm_area_struct, vm_rb)->rb_subtree_gap;
-@@ -350,7 +364,7 @@ static void validate_mm(struct mm_struct
- anon_vma_unlock_read(anon_vma);
- }
-
-- highest_address = vma->vm_end;
-+ highest_address = vm_end_gap(vma);
- vma = vma->vm_next;
- i++;
- }
-@@ -539,7 +553,7 @@ void __vma_link_rb(struct mm_struct *mm,
- if (vma->vm_next)
- vma_gap_update(vma->vm_next);
- else
-- mm->highest_vm_end = vma->vm_end;
-+ mm->highest_vm_end = vm_end_gap(vma);
-
- /*
- * vma->vm_prev wasn't known when we followed the rbtree to find the
-@@ -854,7 +868,7 @@ again:
- vma_gap_update(vma);
- if (end_changed) {
- if (!next)
-- mm->highest_vm_end = end;
-+ mm->highest_vm_end = vm_end_gap(vma);
- else if (!adjust_next)
- vma_gap_update(next);
- }
-@@ -939,7 +953,7 @@ again:
- * mm->highest_vm_end doesn't need any update
- * in remove_next == 1 case.
- */
-- VM_WARN_ON(mm->highest_vm_end != end);
-+ VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma));
- }
- }
- if (insert && file)
-@@ -1783,7 +1797,7 @@ unsigned long unmapped_area(struct vm_un
-
- while (true) {
- /* Visit left subtree if it looks promising */
-- gap_end = vma->vm_start;
-+ gap_end = vm_start_gap(vma);
- if (gap_end >= low_limit && vma->vm_rb.rb_left) {
- struct vm_area_struct *left =
- rb_entry(vma->vm_rb.rb_left,
-@@ -1794,7 +1808,7 @@ unsigned long unmapped_area(struct vm_un
- }
- }
-
-- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
-+ gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
- check_current:
- /* Check if current node has a suitable gap */
- if (gap_start > high_limit)
-@@ -1821,8 +1835,8 @@ check_current:
- vma = rb_entry(rb_parent(prev),
- struct vm_area_struct, vm_rb);
- if (prev == vma->vm_rb.rb_left) {
-- gap_start = vma->vm_prev->vm_end;
-- gap_end = vma->vm_start;
-+ gap_start = vm_end_gap(vma->vm_prev);
-+ gap_end = vm_start_gap(vma);
- goto check_current;
- }
- }
-@@ -1886,7 +1900,7 @@ unsigned long unmapped_area_topdown(stru
-
- while (true) {
- /* Visit right subtree if it looks promising */
-- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
-+ gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
- if (gap_start <= high_limit && vma->vm_rb.rb_right) {
- struct vm_area_struct *right =
- rb_entry(vma->vm_rb.rb_right,
-@@ -1899,7 +1913,7 @@ unsigned long unmapped_area_topdown(stru
-
- check_current:
- /* Check if current node has a suitable gap */
-- gap_end = vma->vm_start;
-+ gap_end = vm_start_gap(vma);
- if (gap_end < low_limit)
- return -ENOMEM;
- if (gap_start <= high_limit && gap_end - gap_start >= length)
-@@ -1925,7 +1939,7 @@ check_current:
- struct vm_area_struct, vm_rb);
- if (prev == vma->vm_rb.rb_right) {
- gap_start = vma->vm_prev ?
-- vma->vm_prev->vm_end : 0;
-+ vm_end_gap(vma->vm_prev) : 0;
- goto check_current;
- }
- }
-@@ -1963,7 +1977,7 @@ arch_get_unmapped_area(struct file *filp
- unsigned long len, unsigned long pgoff, unsigned long flags)
- {
- struct mm_struct *mm = current->mm;
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
- struct vm_unmapped_area_info info;
-
- if (len > TASK_SIZE - mmap_min_addr)
-@@ -1974,9 +1988,10 @@ arch_get_unmapped_area(struct file *filp
-
- if (addr) {
- addr = PAGE_ALIGN(addr);
-- vma = find_vma(mm, addr);
-+ vma = find_vma_prev(mm, addr, &prev);
- if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)) &&
-+ (!prev || addr >= vm_end_gap(prev)))
- return addr;
- }
-
-@@ -1999,7 +2014,7 @@ arch_get_unmapped_area_topdown(struct fi
- const unsigned long len, const unsigned long pgoff,
- const unsigned long flags)
- {
-- struct vm_area_struct *vma;
-+ struct vm_area_struct *vma, *prev;
- struct mm_struct *mm = current->mm;
- unsigned long addr = addr0;
- struct vm_unmapped_area_info info;
-@@ -2014,9 +2029,10 @@ arch_get_unmapped_area_topdown(struct fi
- /* requesting a specific address */
- if (addr) {
- addr = PAGE_ALIGN(addr);
-- vma = find_vma(mm, addr);
-+ vma = find_vma_prev(mm, addr, &prev);
- if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
-- (!vma || addr + len <= vma->vm_start))
-+ (!vma || addr + len <= vm_start_gap(vma)) &&
-+ (!prev || addr >= vm_end_gap(prev)))
- return addr;
- }
-
-@@ -2151,21 +2167,19 @@ find_vma_prev(struct mm_struct *mm, unsi
- * update accounting. This is shared with both the
- * grow-up and grow-down cases.
- */
--static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, unsigned long grow)
-+static int acct_stack_growth(struct vm_area_struct *vma,
-+ unsigned long size, unsigned long grow)
- {
- struct mm_struct *mm = vma->vm_mm;
- struct rlimit *rlim = current->signal->rlim;
-- unsigned long new_start, actual_size;
-+ unsigned long new_start;
-
- /* address space limit tests */
- if (!may_expand_vm(mm, vma->vm_flags, grow))
- return -ENOMEM;
-
- /* Stack limit test */
-- actual_size = size;
-- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
-- actual_size -= PAGE_SIZE;
-- if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
-+ if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
- return -ENOMEM;
-
- /* mlock limit tests */
-@@ -2203,17 +2217,30 @@ static int acct_stack_growth(struct vm_a
- int expand_upwards(struct vm_area_struct *vma, unsigned long address)
- {
- struct mm_struct *mm = vma->vm_mm;
-+ struct vm_area_struct *next;
-+ unsigned long gap_addr;
- int error = 0;
-
- if (!(vma->vm_flags & VM_GROWSUP))
- return -EFAULT;
-
- /* Guard against wrapping around to address 0. */
-- if (address < PAGE_ALIGN(address+4))
-- address = PAGE_ALIGN(address+4);
-- else
-+ address &= PAGE_MASK;
-+ address += PAGE_SIZE;
-+ if (!address)
- return -ENOMEM;
-
-+ /* Enforce stack_guard_gap */
-+ gap_addr = address + stack_guard_gap;
-+ if (gap_addr < address)
-+ return -ENOMEM;
-+ next = vma->vm_next;
-+ if (next && next->vm_start < gap_addr) {
-+ if (!(next->vm_flags & VM_GROWSUP))
-+ return -ENOMEM;
-+ /* Check that both stack segments have the same anon_vma? */
-+ }
-+
- /* We must make sure the anon_vma is allocated. */
- if (unlikely(anon_vma_prepare(vma)))
- return -ENOMEM;
-@@ -2257,7 +2284,7 @@ int expand_upwards(struct vm_area_struct
- if (vma->vm_next)
- vma_gap_update(vma->vm_next);
- else
-- mm->highest_vm_end = address;
-+ mm->highest_vm_end = vm_end_gap(vma);
- spin_unlock(&mm->page_table_lock);
-
- perf_event_mmap(vma);
-@@ -2278,6 +2305,8 @@ int expand_downwards(struct vm_area_stru
- unsigned long address)
- {
- struct mm_struct *mm = vma->vm_mm;
-+ struct vm_area_struct *prev;
-+ unsigned long gap_addr;
- int error;
-
- address &= PAGE_MASK;
-@@ -2285,6 +2314,17 @@ int expand_downwards(struct vm_area_stru
- if (error)
- return error;
-
-+ /* Enforce stack_guard_gap */
-+ gap_addr = address - stack_guard_gap;
-+ if (gap_addr > address)
-+ return -ENOMEM;
-+ prev = vma->vm_prev;
-+ if (prev && prev->vm_end > gap_addr) {
-+ if (!(prev->vm_flags & VM_GROWSDOWN))
-+ return -ENOMEM;
-+ /* Check that both stack segments have the same anon_vma? */
-+ }
-+
- /* We must make sure the anon_vma is allocated. */
- if (unlikely(anon_vma_prepare(vma)))
- return -ENOMEM;
-@@ -2339,28 +2379,25 @@ int expand_downwards(struct vm_area_stru
- return error;
- }
-
--/*
-- * Note how expand_stack() refuses to expand the stack all the way to
-- * abut the next virtual mapping, *unless* that mapping itself is also
-- * a stack mapping. We want to leave room for a guard page, after all
-- * (the guard page itself is not added here, that is done by the
-- * actual page faulting logic)
-- *
-- * This matches the behavior of the guard page logic (see mm/memory.c:
-- * check_stack_guard_page()), which only allows the guard page to be
-- * removed under these circumstances.
-- */
-+/* enforced gap between the expanding stack and other mappings. */
-+unsigned long stack_guard_gap = 256UL<<PAGE_SHIFT;
-+
-+static int __init cmdline_parse_stack_guard_gap(char *p)
-+{
-+ unsigned long val;
-+ char *endptr;
-+
-+ val = simple_strtoul(p, &endptr, 10);
-+ if (!*endptr)
-+ stack_guard_gap = val << PAGE_SHIFT;
-+
-+ return 0;
-+}
-+__setup("stack_guard_gap=", cmdline_parse_stack_guard_gap);
-+
- #ifdef CONFIG_STACK_GROWSUP
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-- struct vm_area_struct *next;
--
-- address &= PAGE_MASK;
-- next = vma->vm_next;
-- if (next && next->vm_start == address + PAGE_SIZE) {
-- if (!(next->vm_flags & VM_GROWSUP))
-- return -ENOMEM;
-- }
- return expand_upwards(vma, address);
- }
-
-@@ -2382,14 +2419,6 @@ find_extend_vma(struct mm_struct *mm, un
- #else
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-- struct vm_area_struct *prev;
--
-- address &= PAGE_MASK;
-- prev = vma->vm_prev;
-- if (prev && prev->vm_end == address) {
-- if (!(prev->vm_flags & VM_GROWSDOWN))
-- return -ENOMEM;
-- }
- return expand_downwards(vma, address);
- }
-
-@@ -2487,7 +2516,7 @@ detach_vmas_to_be_unmapped(struct mm_str
- vma->vm_prev = prev;
- vma_gap_update(vma);
- } else
-- mm->highest_vm_end = prev ? prev->vm_end : 0;
-+ mm->highest_vm_end = prev ? vm_end_gap(prev) : 0;
- tail_vma->vm_next = NULL;
-
- /* Kill the cache */
diff --git a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch b/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
deleted file mode 100644
index 109dc1a..0000000
--- a/debian/patches/bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Cong Wang <xiyou.wangcong at gmail.com>
-Date: Sun, 9 Jul 2017 13:19:55 -0700
-Subject: mqueue: fix a use-after-free in sys_mq_notify()
-Origin: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11176
-
-The retry logic for netlink_attachskb() inside sys_mq_notify()
-is nasty and vulnerable:
-
-1) The sock refcnt is already released when retry is needed
-2) The fd is controllable by user-space because we already
- release the file refcnt
-
-so we when retry but the fd has been just closed by user-space
-during this small window, we end up calling netlink_detachskb()
-on the error path which releases the sock again, later when
-the user-space closes this socket a use-after-free could be
-triggered.
-
-Setting 'sock' to NULL here should be sufficient to fix it.
-
-Reported-by: GeneBlue <geneblue.mail at gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: stable at kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- ipc/mqueue.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ipc/mqueue.c b/ipc/mqueue.c
-index c9ff943f19ab..eb1391b52c6f 100644
---- a/ipc/mqueue.c
-+++ b/ipc/mqueue.c
-@@ -1270,8 +1270,10 @@ static int do_mq_notify(mqd_t mqdes, const struct sigevent *notification)
-
- timeo = MAX_SCHEDULE_TIMEOUT;
- ret = netlink_attachskb(sock, nc, &timeo, NULL);
-- if (ret == 1)
-+ if (ret == 1) {
-+ sock = NULL;
- goto retry;
-+ }
- if (ret) {
- sock = NULL;
- nc = NULL;
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch b/debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
deleted file mode 100644
index 977b97b..0000000
--- a/debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From: Kinglong Mee <kinglongmee at gmail.com>
-Date: Thu, 27 Apr 2017 11:13:38 +0800
-Subject: NFSv4.x/callback: Create the callback service through
- svc_create_pooled
-Origin: https://git.kernel.org/linus/df807fffaabde625fa9adb82e3e5b88cdaa5709a
-Bug-Debian: https://bugs.debian.org/862357
-
-As the comments for svc_set_num_threads() said,
-" Destroying threads relies on the service threads filling in
-rqstp->rq_task, which only the nfs ones do. Assumes the serv
-has been created using svc_create_pooled()."
-
-If creating service through svc_create(), the svc_pool_map_put()
-will be called in svc_destroy(), but the pool map isn't used.
-So that, the reference of pool map will be drop, the next using
-of pool map will get a zero npools.
-
-[ 137.992130] divide error: 0000 [#1] SMP
-[ 137.992148] Modules linked in: nfsd(E) nfsv4 nfs fscache fuse tun bridge stp llc ip_set nfnetlink vmw_vsock_vmci_transport vsock snd_seq_midi snd_seq_midi_event vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ppdev ghash_clmulni_intel intel_rapl_perf joydev snd_ens1371 gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore parport_pc parport nfit acpi_cpufreq tpm_tis tpm_tis_core tpm vmw_vmci i2c_piix4 shpchp auth_rpcgss nfs_acl lockd(E) [...]
-[ 137.992336] CPU: 0 PID: 4514 Comm: rpc.nfsd Tainted: G E 4.11.0-rc8+ #536
-[ 137.992777] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
-[ 137.993757] task: ffff955984101d00 task.stack: ffff9873c2604000
-[ 137.994231] RIP: 0010:svc_pool_for_cpu+0x2b/0x80 [sunrpc]
-[ 137.994768] RSP: 0018:ffff9873c2607c18 EFLAGS: 00010246
-[ 137.995227] RAX: 0000000000000000 RBX: ffff95598376f000 RCX: 0000000000000002
-[ 137.995673] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9559944aec00
-[ 137.996156] RBP: ffff9873c2607c18 R08: ffff9559944aec28 R09: 0000000000000000
-[ 137.996609] R10: 0000000001080002 R11: 0000000000000000 R12: ffff95598376f010
-[ 137.997063] R13: ffff95598376f018 R14: ffff9559944aec28 R15: ffff9559944aec00
-[ 137.997584] FS: 00007f755529eb40(0000) GS:ffff9559bb600000(0000) knlGS:0000000000000000
-[ 137.998048] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[ 137.998548] CR2: 000055f3aecd9660 CR3: 0000000084290000 CR4: 00000000001406f0
-[ 137.999052] Call Trace:
-[ 137.999517] svc_xprt_do_enqueue+0xef/0x260 [sunrpc]
-[ 138.000028] svc_xprt_received+0x47/0x90 [sunrpc]
-[ 138.000487] svc_add_new_perm_xprt+0x76/0x90 [sunrpc]
-[ 138.000981] svc_addsock+0x14b/0x200 [sunrpc]
-[ 138.001424] ? recalc_sigpending+0x1b/0x50
-[ 138.001860] ? __getnstimeofday64+0x41/0xd0
-[ 138.002346] ? do_gettimeofday+0x29/0x90
-[ 138.002779] write_ports+0x255/0x2c0 [nfsd]
-[ 138.003202] ? _copy_from_user+0x4e/0x80
-[ 138.003676] ? write_recoverydir+0x100/0x100 [nfsd]
-[ 138.004098] nfsctl_transaction_write+0x48/0x80 [nfsd]
-[ 138.004544] __vfs_write+0x37/0x160
-[ 138.004982] ? selinux_file_permission+0xd7/0x110
-[ 138.005401] ? security_file_permission+0x3b/0xc0
-[ 138.005865] vfs_write+0xb5/0x1a0
-[ 138.006267] SyS_write+0x55/0xc0
-[ 138.006654] entry_SYSCALL_64_fastpath+0x1a/0xa9
-[ 138.007071] RIP: 0033:0x7f7554b9dc30
-[ 138.007437] RSP: 002b:00007ffc9f92c788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
-[ 138.007807] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f7554b9dc30
-[ 138.008168] RDX: 0000000000000002 RSI: 00005640cd536640 RDI: 0000000000000003
-[ 138.008573] RBP: 00007ffc9f92c780 R08: 0000000000000001 R09: 0000000000000002
-[ 138.008918] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000004
-[ 138.009254] R13: 00005640cdbf77a0 R14: 00005640cdbf7720 R15: 00007ffc9f92c238
-[ 138.009610] Code: 0f 1f 44 00 00 48 8b 87 98 00 00 00 55 48 89 e5 48 83 78 08 00 74 10 8b 05 07 42 02 00 83 f8 01 74 40 83 f8 02 74 19 31 c0 31 d2 <f7> b7 88 00 00 00 5d 89 d0 48 c1 e0 07 48 03 87 90 00 00 00 c3
-[ 138.010664] RIP: svc_pool_for_cpu+0x2b/0x80 [sunrpc] RSP: ffff9873c2607c18
-[ 138.011061] ---[ end trace b3468224cafa7d11 ]---
-
-Signed-off-by: Kinglong Mee <kinglongmee at gmail.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfs/callback.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/nfs/callback.c
-+++ b/fs/nfs/callback.c
-@@ -287,7 +287,7 @@ static struct svc_serv *nfs_callback_cre
- printk(KERN_WARNING "nfs_callback_create_svc: no kthread, %d users??\n",
- cb_info->users);
-
-- serv = svc_create(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
-+ serv = svc_create_pooled(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
- if (!serv) {
- printk(KERN_ERR "nfs_callback_create_svc: create service failed\n");
- return ERR_PTR(-ENOMEM);
diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
deleted file mode 100644
index f2637f4..0000000
--- a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Thu, 10 Aug 2017 12:41:58 -0400
-Subject: packet: fix tp_reserve race in packet_set_ring
-Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
-
-Updates to tp_reserve can race with reads of the field in
-packet_set_ring. Avoid this by holding the socket lock during
-updates in setsockopt PACKET_RESERVE.
-
-This bug was discovered by syzkaller.
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3698,14 +3698,19 @@ packet_setsockopt(struct socket *sock, i
-
- if (optlen != sizeof(val))
- return -EINVAL;
-- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
- if (val > INT_MAX)
- return -EINVAL;
-- po->tp_reserve = val;
-- return 0;
-+ lock_sock(sk);
-+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+ ret = -EBUSY;
-+ } else {
-+ po->tp_reserve = val;
-+ ret = 0;
-+ }
-+ release_sock(sk);
-+ return ret;
- }
- case PACKET_LOSS:
- {
diff --git a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch b/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
deleted file mode 100644
index 06f79be..0000000
--- a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Thu, 15 Jun 2017 00:12:24 +0100
-Subject: rxrpc: Fix several cases where a padded len isn't checked in ticket
- decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7482
-
-This fixes CVE-2017-7482.
-
-When a kerberos 5 ticket is being decoded so that it can be loaded into an
-rxrpc-type key, there are several places in which the length of a
-variable-length field is checked to make sure that it's not going to
-overrun the available data - but the data is padded to the nearest
-four-byte boundary and the code doesn't check for this extra. This could
-lead to the size-remaining variable wrapping and the data pointer going
-over the end of the buffer.
-
-Fix this by making the various variable-length data checks use the padded
-length.
-
-Reported-by: 石磊 <shilei-c at 360.cn>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Reviewed-by: Marc Dionne <marc.c.dionne at auristor.com>
-Reviewed-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/rxrpc/key.c | 64 ++++++++++++++++++++++++++++++---------------------------
- 1 file changed, 34 insertions(+), 30 deletions(-)
-
-diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
-index 0a4e28477ad9..54369225766e 100644
---- a/net/rxrpc/key.c
-+++ b/net/rxrpc/key.c
-@@ -217,7 +217,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- unsigned int *_toklen)
- {
- const __be32 *xdr = *_xdr;
-- unsigned int toklen = *_toklen, n_parts, loop, tmp;
-+ unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen;
-
- /* there must be at least one name, and at least #names+1 length
- * words */
-@@ -247,16 +247,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- toklen -= 4;
- if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX)
- return -EINVAL;
-- if (tmp > toklen)
-+ paddedlen = (tmp + 3) & ~3;
-+ if (paddedlen > toklen)
- return -EINVAL;
- princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL);
- if (!princ->name_parts[loop])
- return -ENOMEM;
- memcpy(princ->name_parts[loop], xdr, tmp);
- princ->name_parts[loop][tmp] = 0;
-- tmp = (tmp + 3) & ~3;
-- toklen -= tmp;
-- xdr += tmp >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
- }
-
- if (toklen < 4)
-@@ -265,16 +265,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- toklen -= 4;
- if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX)
- return -EINVAL;
-- if (tmp > toklen)
-+ paddedlen = (tmp + 3) & ~3;
-+ if (paddedlen > toklen)
- return -EINVAL;
- princ->realm = kmalloc(tmp + 1, GFP_KERNEL);
- if (!princ->realm)
- return -ENOMEM;
- memcpy(princ->realm, xdr, tmp);
- princ->realm[tmp] = 0;
-- tmp = (tmp + 3) & ~3;
-- toklen -= tmp;
-- xdr += tmp >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
-
- _debug("%s/...@%s", princ->name_parts[0], princ->realm);
-
-@@ -293,7 +293,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- unsigned int *_toklen)
- {
- const __be32 *xdr = *_xdr;
-- unsigned int toklen = *_toklen, len;
-+ unsigned int toklen = *_toklen, len, paddedlen;
-
- /* there must be at least one tag and one length word */
- if (toklen <= 8)
-@@ -307,15 +307,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- toklen -= 8;
- if (len > max_data_size)
- return -EINVAL;
-+ paddedlen = (len + 3) & ~3;
-+ if (paddedlen > toklen)
-+ return -EINVAL;
- td->data_len = len;
-
- if (len > 0) {
- td->data = kmemdup(xdr, len, GFP_KERNEL);
- if (!td->data)
- return -ENOMEM;
-- len = (len + 3) & ~3;
-- toklen -= len;
-- xdr += len >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
- }
-
- _debug("tag %x len %x", td->tag, td->data_len);
-@@ -387,7 +389,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- const __be32 **_xdr, unsigned int *_toklen)
- {
- const __be32 *xdr = *_xdr;
-- unsigned int toklen = *_toklen, len;
-+ unsigned int toklen = *_toklen, len, paddedlen;
-
- /* there must be at least one length word */
- if (toklen <= 4)
-@@ -399,6 +401,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- toklen -= 4;
- if (len > AFSTOKEN_K5_TIX_MAX)
- return -EINVAL;
-+ paddedlen = (len + 3) & ~3;
-+ if (paddedlen > toklen)
-+ return -EINVAL;
- *_tktlen = len;
-
- _debug("ticket len %u", len);
-@@ -407,9 +412,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- *_ticket = kmemdup(xdr, len, GFP_KERNEL);
- if (!*_ticket)
- return -ENOMEM;
-- len = (len + 3) & ~3;
-- toklen -= len;
-- xdr += len >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
- }
-
- *_xdr = xdr;
-@@ -552,7 +556,7 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- {
- const __be32 *xdr = prep->data, *token;
- const char *cp;
-- unsigned int len, tmp, loop, ntoken, toklen, sec_ix;
-+ unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix;
- size_t datalen = prep->datalen;
- int ret;
-
-@@ -578,22 +582,21 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- if (len < 1 || len > AFSTOKEN_CELL_MAX)
- goto not_xdr;
- datalen -= 4;
-- tmp = (len + 3) & ~3;
-- if (tmp > datalen)
-+ paddedlen = (len + 3) & ~3;
-+ if (paddedlen > datalen)
- goto not_xdr;
-
- cp = (const char *) xdr;
- for (loop = 0; loop < len; loop++)
- if (!isprint(cp[loop]))
- goto not_xdr;
-- if (len < tmp)
-- for (; loop < tmp; loop++)
-- if (cp[loop])
-- goto not_xdr;
-+ for (; loop < paddedlen; loop++)
-+ if (cp[loop])
-+ goto not_xdr;
- _debug("cellname: [%u/%u] '%*.*s'",
-- len, tmp, len, len, (const char *) xdr);
-- datalen -= tmp;
-- xdr += tmp >> 2;
-+ len, paddedlen, len, len, (const char *) xdr);
-+ datalen -= paddedlen;
-+ xdr += paddedlen >> 2;
-
- /* get the token count */
- if (datalen < 12)
-@@ -614,10 +617,11 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- sec_ix = ntohl(*xdr);
- datalen -= 4;
- _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix);
-- if (toklen < 20 || toklen > datalen)
-+ paddedlen = (toklen + 3) & ~3;
-+ if (toklen < 20 || toklen > datalen || paddedlen > datalen)
- goto not_xdr;
-- datalen -= (toklen + 3) & ~3;
-- xdr += (toklen + 3) >> 2;
-+ datalen -= paddedlen;
-+ xdr += paddedlen >> 2;
-
- } while (--loop > 0);
-
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
deleted file mode 100644
index 7dd9425..0000000
--- a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 17 May 2017 07:16:40 -0700
-Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
-Origin: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075
-
-SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
-ipv6_mc_list from parent"), otherwise bad things can happen.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/ipv6.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -666,6 +666,9 @@ static struct sock *sctp_v6_create_accep
- newnp = inet6_sk(newsk);
-
- memcpy(newnp, np, sizeof(struct ipv6_pinfo));
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
-
- rcu_read_lock();
- opt = rcu_dereference(np->opt);
diff --git a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
deleted file mode 100644
index 510d306..0000000
--- a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Thu, 10 Aug 2017 12:29:19 -0400
-Subject: udp: consistently apply ufo or fragmentation
-Origin: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
-
-When iteratively building a UDP datagram with MSG_MORE and that
-datagram exceeds MTU, consistently choose UFO or fragmentation.
-
-Once skb_is_gso, always apply ufo. Conversely, once a datagram is
-split across multiple skbs, do not consider ufo.
-
-Sendpage already maintains the first invariant, only add the second.
-IPv6 does not have a sendpage implementation to modify.
-
-A gso skb must have a partial checksum, do not follow sk_no_check_tx
-in udp_send_skb.
-
-Found by syzkaller.
-
-Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- net/ipv4/ip_output.c | 7 +++++--
- net/ipv4/udp.c | 2 +-
- net/ipv6/ip6_output.c | 7 ++++---
- 3 files changed, 10 insertions(+), 6 deletions(-)
-
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -936,10 +936,12 @@ static int __ip_append_data(struct sock
- csummode = CHECKSUM_PARTIAL;
-
- cork->length += length;
-- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
-+ if ((skb && skb_is_gso(skb)) ||
-+ ((length > mtu) &&
-+ (skb_queue_len(queue) <= 1) &&
- (sk->sk_protocol == IPPROTO_UDP) &&
- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
-- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
-+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
- err = ip_ufo_append_data(sk, queue, getfrag, from, length,
- hh_len, fragheaderlen, transhdrlen,
- maxfraglen, flags);
-@@ -1255,6 +1257,7 @@ ssize_t ip_append_page(struct sock *sk,
- return -EINVAL;
-
- if ((size + skb->len > mtu) &&
-+ (skb_queue_len(&sk->sk_write_queue) == 1) &&
- (sk->sk_protocol == IPPROTO_UDP) &&
- (rt->dst.dev->features & NETIF_F_UFO)) {
- if (skb->ip_summed != CHECKSUM_PARTIAL)
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -813,7 +813,7 @@ static int udp_send_skb(struct sk_buff *
- if (is_udplite) /* UDP-Lite */
- csum = udplite_csum(skb);
-
-- else if (sk->sk_no_check_tx) { /* UDP csum disabled */
-+ else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */
-
- skb->ip_summed = CHECKSUM_NONE;
- goto send;
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1371,11 +1371,12 @@ emsgsize:
- */
-
- cork->length += length;
-- if ((((length + fragheaderlen) > mtu) ||
-- (skb && skb_is_gso(skb))) &&
-+ if ((skb && skb_is_gso(skb)) ||
-+ (((length + fragheaderlen) > mtu) &&
-+ (skb_queue_len(queue) <= 1) &&
- (sk->sk_protocol == IPPROTO_UDP) &&
- (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
-- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
-+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
- err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
- hh_len, fragheaderlen, exthdrlen,
- transhdrlen, mtu, flags, fl6);
diff --git a/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch b/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
deleted file mode 100644
index 88a08a7..0000000
--- a/debian/patches/bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From: Jan Beulich <jbeulich at suse.com>
-Date: Tue, 13 Jun 2017 16:28:27 -0400
-Subject: xen-blkback: don't leak stack data via response ring
-Origin: https://git.kernel.org/linus/089bc0143f489bd3a4578bdff5f4ca68fb26f341
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10911
-
-Rather than constructing a local structure instance on the stack, fill
-the fields directly on the shared ring, just like other backends do.
-Build on the fact that all response structure flavors are actually
-identical (the old code did make this assumption too).
-
-This is XSA-216.
-
-Cc: stable at vger.kernel.org
-
-Signed-off-by: Jan Beulich <jbeulich at suse.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/block/xen-blkback/blkback.c | 23 ++++++++++++-----------
- drivers/block/xen-blkback/common.h | 25 +++++--------------------
- 2 files changed, 17 insertions(+), 31 deletions(-)
-
-diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
-index 6b14c509f3c7..0e824091a12f 100644
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -1433,34 +1433,35 @@ static int dispatch_rw_block_io(struct xen_blkif_ring *ring,
- static void make_response(struct xen_blkif_ring *ring, u64 id,
- unsigned short op, int st)
- {
-- struct blkif_response resp;
-+ struct blkif_response *resp;
- unsigned long flags;
- union blkif_back_rings *blk_rings;
- int notify;
-
-- resp.id = id;
-- resp.operation = op;
-- resp.status = st;
--
- spin_lock_irqsave(&ring->blk_ring_lock, flags);
- blk_rings = &ring->blk_rings;
- /* Place on the response ring for the relevant domain. */
- switch (ring->blkif->blk_protocol) {
- case BLKIF_PROTOCOL_NATIVE:
-- memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
-- &resp, sizeof(resp));
-+ resp = RING_GET_RESPONSE(&blk_rings->native,
-+ blk_rings->native.rsp_prod_pvt);
- break;
- case BLKIF_PROTOCOL_X86_32:
-- memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
-- &resp, sizeof(resp));
-+ resp = RING_GET_RESPONSE(&blk_rings->x86_32,
-+ blk_rings->x86_32.rsp_prod_pvt);
- break;
- case BLKIF_PROTOCOL_X86_64:
-- memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
-- &resp, sizeof(resp));
-+ resp = RING_GET_RESPONSE(&blk_rings->x86_64,
-+ blk_rings->x86_64.rsp_prod_pvt);
- break;
- default:
- BUG();
- }
-+
-+ resp->id = id;
-+ resp->operation = op;
-+ resp->status = st;
-+
- blk_rings->common.rsp_prod_pvt++;
- RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
- spin_unlock_irqrestore(&ring->blk_ring_lock, flags);
-diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
-index 638597b17a38..ecb35fe8ca8d 100644
---- a/drivers/block/xen-blkback/common.h
-+++ b/drivers/block/xen-blkback/common.h
-@@ -75,9 +75,8 @@ extern unsigned int xenblk_max_queues;
- struct blkif_common_request {
- char dummy;
- };
--struct blkif_common_response {
-- char dummy;
--};
-+
-+/* i386 protocol version */
-
- struct blkif_x86_32_request_rw {
- uint8_t nr_segments; /* number of segments */
-@@ -129,14 +128,6 @@ struct blkif_x86_32_request {
- } u;
- } __attribute__((__packed__));
-
--/* i386 protocol version */
--#pragma pack(push, 4)
--struct blkif_x86_32_response {
-- uint64_t id; /* copied from request */
-- uint8_t operation; /* copied from request */
-- int16_t status; /* BLKIF_RSP_??? */
--};
--#pragma pack(pop)
- /* x86_64 protocol version */
-
- struct blkif_x86_64_request_rw {
-@@ -193,18 +184,12 @@ struct blkif_x86_64_request {
- } u;
- } __attribute__((__packed__));
-
--struct blkif_x86_64_response {
-- uint64_t __attribute__((__aligned__(8))) id;
-- uint8_t operation; /* copied from request */
-- int16_t status; /* BLKIF_RSP_??? */
--};
--
- DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
-- struct blkif_common_response);
-+ struct blkif_response);
- DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
-- struct blkif_x86_32_response);
-+ struct blkif_response __packed);
- DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
-- struct blkif_x86_64_response);
-+ struct blkif_response);
-
- union blkif_back_rings {
- struct blkif_back_ring native;
---
-2.11.0
-
diff --git a/debian/patches/bugfix/powerpc/powerpc-kernel-Fix-FP-and-vector-register-restoratio.patch b/debian/patches/bugfix/powerpc/powerpc-kernel-Fix-FP-and-vector-register-restoratio.patch
deleted file mode 100644
index eeb30a9..0000000
--- a/debian/patches/bugfix/powerpc/powerpc-kernel-Fix-FP-and-vector-register-restoratio.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Breno Leitao <leitao at debian.org>
-Date: Fri, 2 Jun 2017 18:43:30 -0300
-Subject: powerpc/kernel: Fix FP and vector register restoration
-Origin: https://git.kernel.org/linus/1195892c091a15cc862f4e202482a36adc924e12
-Bug-Debian: https://bugs.debian.org/868902
-
-Currently tsk->thread->load_vec and load_fp are not initialized during
-task creation, which can lead to garbage values in these variables (non-zero
-values).
-
-These variables will be checked later in restore_math() to validate if the
-FP and vector registers are being utilized. Since these values might be
-non-zero, the restore_math() will continue to save the FP and vectors even if
-they were never utilized by the userspace application. load_fp and load_vec
-counters will then overflow (they wrap at 255) and the FP and Altivec will be
-finally disabled, but before that condition is reached (counter overflow)
-several context switches will have restored FP and vector registers without
-need, causing a performance degradation.
-
-Fixes: 70fe3d980f5f ("powerpc: Restore FPU/VEC/VSX if previously used")
-Cc: stable at vger.kernel.org # v4.6+
-Signed-off-by: Breno Leitao <leitao at debian.org>
-Signed-off-by: Gustavo Romero <gusbromero at gmail.com>
-Acked-by: Anton Blanchard <anton at samba.org>
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/process.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index baae104b16c7..a9435397eab8 100644
---- a/arch/powerpc/kernel/process.c
-+++ b/arch/powerpc/kernel/process.c
-@@ -1666,6 +1666,7 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
- #ifdef CONFIG_VSX
- current->thread.used_vsr = 0;
- #endif
-+ current->thread.load_fp = 0;
- memset(¤t->thread.fp_state, 0, sizeof(current->thread.fp_state));
- current->thread.fp_save_area = NULL;
- #ifdef CONFIG_ALTIVEC
-@@ -1674,6 +1675,7 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
- current->thread.vr_save_area = NULL;
- current->thread.vrsave = 0;
- current->thread.used_vr = 0;
-+ current->thread.load_vec = 0;
- #endif /* CONFIG_ALTIVEC */
- #ifdef CONFIG_SPE
- memset(current->thread.evr, 0, sizeof(current->thread.evr));
---
-2.13.3
-
diff --git a/debian/patches/bugfix/s390/revert-s390-move-exports-to-definitions.patch b/debian/patches/bugfix/s390/revert-s390-move-exports-to-definitions.patch
index 75cf4be..2038f67 100644
--- a/debian/patches/bugfix/s390/revert-s390-move-exports-to-definitions.patch
+++ b/debian/patches/bugfix/s390/revert-s390-move-exports-to-definitions.patch
@@ -16,8 +16,6 @@ hashes).
6 files changed, 16 insertions(+), 14 deletions(-)
create mode 100644 arch/s390/kernel/s390_ksyms.c
-diff --git a/arch/s390/include/asm/Kbuild b/arch/s390/include/asm/Kbuild
-index 20f196b82a6e..9043d2e1e2ae 100644
--- a/arch/s390/include/asm/Kbuild
+++ b/arch/s390/include/asm/Kbuild
@@ -1,7 +1,6 @@
@@ -28,11 +26,9 @@ index 20f196b82a6e..9043d2e1e2ae 100644
generic-y += irq_work.h
generic-y += mcs_spinlock.h
generic-y += mm-arch-hooks.h
-diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile
-index 1f0fe98f6db9..72ccc41444dc 100644
--- a/arch/s390/kernel/Makefile
+++ b/arch/s390/kernel/Makefile
-@@ -61,7 +61,7 @@ obj-y += entry.o reipl.o relocate_kernel.o
+@@ -61,7 +61,7 @@ obj-y += entry.o reipl.o relocate_kernel
extra-y += head.o head64.o vmlinux.lds
@@ -41,8 +37,6 @@ index 1f0fe98f6db9..72ccc41444dc 100644
obj-$(CONFIG_SMP) += smp.o
obj-$(CONFIG_SCHED_TOPOLOGY) += topology.o
obj-$(CONFIG_HIBERNATION) += suspend.o swsusp.o
-diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
-index 49a30737adde..c51650a1ed16 100644
--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -23,7 +23,6 @@
@@ -53,16 +47,16 @@ index 49a30737adde..c51650a1ed16 100644
__PT_R0 = __PT_GPRS
__PT_R1 = __PT_GPRS + 8
-@@ -260,8 +259,6 @@ sie_exit:
-
- EX_TABLE(.Lrewind_pad,.Lsie_fault)
+@@ -267,8 +266,6 @@ sie_exit:
+ EX_TABLE(.Lrewind_pad4,.Lsie_fault)
+ EX_TABLE(.Lrewind_pad2,.Lsie_fault)
EX_TABLE(sie_exit,.Lsie_fault)
-EXPORT_SYMBOL(sie64a)
-EXPORT_SYMBOL(sie_exit)
#endif
/*
-@@ -828,9 +825,6 @@ ENTRY(save_fpu_regs)
+@@ -837,9 +834,6 @@ ENTRY(save_fpu_regs)
oi __LC_CPU_FLAGS+7,_CIF_FPU
br %r14
.Lsave_fpu_regs_end:
@@ -72,8 +66,6 @@ index 49a30737adde..c51650a1ed16 100644
/*
* Load floating-point controls and floating-point or vector registers.
-diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
-index 9a17e4475d27..e499370fbccb 100644
--- a/arch/s390/kernel/mcount.S
+++ b/arch/s390/kernel/mcount.S
@@ -9,7 +9,6 @@
@@ -93,9 +85,6 @@ index 9a17e4475d27..e499370fbccb 100644
ENTRY(ftrace_caller)
.globl ftrace_regs_caller
.set ftrace_regs_caller,ftrace_caller
-diff --git a/arch/s390/kernel/s390_ksyms.c b/arch/s390/kernel/s390_ksyms.c
-new file mode 100644
-index 000000000000..e67453b73c3c
--- /dev/null
+++ b/arch/s390/kernel/s390_ksyms.c
@@ -0,0 +1,15 @@
@@ -114,8 +103,6 @@ index 000000000000..e67453b73c3c
+#endif
+EXPORT_SYMBOL(memcpy);
+EXPORT_SYMBOL(memset);
-diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S
-index be9fa65bfac4..c6d553e85ab1 100644
--- a/arch/s390/lib/mem.S
+++ b/arch/s390/lib/mem.S
@@ -5,7 +5,6 @@
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch b/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
deleted file mode 100644
index 3dafdac..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Sinclair Yeh <syeh at vmware.com>
-Date: Fri, 2 Jun 2017 07:50:57 +0200
-Subject: drm/vmwgfx: Make sure backup_handle is always valid
-Origin: https://git.kernel.org/linus/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9605
-
-When vmw_gb_surface_define_ioctl() is called with an existing buffer,
-we end up returning an uninitialized variable in the backup_handle.
-
-The fix is to first initialize backup_handle to 0 just to be sure, and
-second, when a user-provided buffer is found, we will use the
-req->buffer_handle as the backup_handle.
-
-Cc: <stable at vger.kernel.org>
-Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Signed-off-by: Sinclair Yeh <syeh at vmware.com>
-Reviewed-by: Deepak Rawat <drawat at vmware.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++-------
- 1 file changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index baf03d4d86d2..834bb10973a2 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -1274,7 +1274,7 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
- int ret;
- uint32_t size;
-- uint32_t backup_handle;
-+ uint32_t backup_handle = 0;
-
- if (req->multisample_count != 0)
- return -EINVAL;
-@@ -1317,12 +1317,16 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle,
- &res->backup,
- &user_srf->backup_base);
-- if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE <
-- res->backup_size) {
-- DRM_ERROR("Surface backup buffer is too small.\n");
-- vmw_dmabuf_unreference(&res->backup);
-- ret = -EINVAL;
-- goto out_unlock;
-+ if (ret == 0) {
-+ if (res->backup->base.num_pages * PAGE_SIZE <
-+ res->backup_size) {
-+ DRM_ERROR("Surface backup buffer is too small.\n");
-+ vmw_dmabuf_unreference(&res->backup);
-+ ret = -EINVAL;
-+ goto out_unlock;
-+ } else {
-+ backup_handle = req->buffer_handle;
-+ }
- }
- } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer)
- ret = vmw_user_dmabuf_alloc(dev_priv, tfile,
---
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch b/debian/patches/bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
deleted file mode 100644
index 19eb98a..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Fri, 2 Jun 2017 07:42:09 +0200
-Subject: drm/vmwgfx: limit the number of mip levels in
- vmw_gb_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7346
-
-The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
-a user-controlled 'uint32_t' value which is used as a loop count limit.
-This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
-
-References:
-https://bugzilla.redhat.com/show_bug.cgi?id=1437431
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Reviewed-by: Sinclair Yeh <syeh at vmware.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index 7681341fe32b..baf03d4d86d2 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -1279,6 +1279,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data,
- if (req->multisample_count != 0)
- return -EINVAL;
-
-+ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
-+ return -EINVAL;
-+
- if (unlikely(vmw_user_surface_size == 0))
- vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
- 128;
---
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch b/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
index 73e324f..dbe582c 100644
--- a/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
+++ b/debian/patches/bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
@@ -27,7 +27,7 @@ Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
---
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
-@@ -294,6 +294,7 @@ struct x86_emulate_ctxt {
+@@ -296,6 +296,7 @@ struct x86_emulate_ctxt {
bool perm_ok; /* do not check permissions if true */
bool ud; /* inject an #UD if host doesn't support insn */
@@ -47,7 +47,7 @@ Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -5236,6 +5236,8 @@ static void init_emulate_ctxt(struct kvm
+@@ -5250,6 +5250,8 @@ static void init_emulate_ctxt(struct kvm
kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
ctxt->eflags = kvm_get_rflags(vcpu);
@@ -56,7 +56,7 @@ Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
ctxt->eip = kvm_rip_read(vcpu);
ctxt->mode = (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL :
(ctxt->eflags & X86_EFLAGS_VM) ? X86EMUL_MODE_VM86 :
-@@ -5452,37 +5454,26 @@ static int kvm_vcpu_check_hw_bp(unsigned
+@@ -5465,37 +5467,26 @@ static int kvm_vcpu_check_hw_bp(unsigned
return dr6;
}
@@ -111,9 +111,9 @@ Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
}
}
-@@ -5639,8 +5630,9 @@ restart:
- if (vcpu->arch.hflags != ctxt->emul_flags)
- kvm_set_hflags(vcpu, ctxt->emul_flags);
+@@ -5650,8 +5641,9 @@ restart:
+ toggle_interruptibility(vcpu, ctxt->interruptibility);
+ vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
kvm_rip_write(vcpu, ctxt->eip);
- if (r == EMULATE_DONE)
- kvm_vcpu_check_singlestep(vcpu, rflags, &r);
diff --git a/debian/patches/bugfix/x86/pinctrl-cherryview-add-a-quirk-to-make-acer-chromebo.patch b/debian/patches/bugfix/x86/pinctrl-cherryview-add-a-quirk-to-make-acer-chromebo.patch
deleted file mode 100644
index 5897808..0000000
--- a/debian/patches/bugfix/x86/pinctrl-cherryview-add-a-quirk-to-make-acer-chromebo.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Mika Westerberg <mika.westerberg at linux.intel.com>
-Date: Mon, 10 Apr 2017 13:16:33 +0300
-Subject: pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard
- work again
-Origin: https://git.kernel.org/linus/7036502783729c2aaf7a3c24c89087c58721430f
-Bug-Debian: https://bugs.debian.org/862723
-
-After commit 47c950d10202 ("pinctrl: cherryview: Do not add all
-southwest and north GPIOs to IRQ domain") the driver does not add all
-GPIOs to the irqdomain. The reason for that is that those GPIOs cannot
-generate IRQs at all, only GPEs (General Purpose Events). This causes
-Linux virtual IRQ numbering to change.
-
-However, it seems some CYAN Chromebooks, including Acer Chromebook
-hardcodes these Linux IRQ numbers in the ACPI tables of the machine.
-Since the numbering is different now, the IRQ meant for keyboard does
-not match the Linux virtual IRQ number anymore making the keyboard
-non-functional.
-
-Work this around by adding special quirk just for these machines where
-we add back all GPIOs to the irqdomain. Rest of the Cherryview/Braswell
-based machines will not be affected by the change.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=194945
-Fixes: 47c950d10202 ("pinctrl: cherryview: Do not add all southwest and north GPIOs to IRQ domain")
-Reported-by: Adam S Levy <theadamlevy at gmail.com>
-Signed-off-by: Mika Westerberg <mika.westerberg at linux.intel.com>
-Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
----
- drivers/pinctrl/intel/pinctrl-cherryview.c | 26 ++++++++++++++++++++++++--
- 1 file changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
-index f80134e3e0b6..9ff790174906 100644
---- a/drivers/pinctrl/intel/pinctrl-cherryview.c
-+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
-@@ -13,6 +13,7 @@
- * published by the Free Software Foundation.
- */
-
-+#include <linux/dmi.h>
- #include <linux/kernel.h>
- #include <linux/module.h>
- #include <linux/init.h>
-@@ -1524,10 +1525,31 @@ static void chv_gpio_irq_handler(struct irq_desc *desc)
- chained_irq_exit(chip, desc);
- }
-
-+/*
-+ * Certain machines seem to hardcode Linux IRQ numbers in their ACPI
-+ * tables. Since we leave GPIOs that are not capable of generating
-+ * interrupts out of the irqdomain the numbering will be different and
-+ * cause devices using the hardcoded IRQ numbers fail. In order not to
-+ * break such machines we will only mask pins from irqdomain if the machine
-+ * is not listed below.
-+ */
-+static const struct dmi_system_id chv_no_valid_mask[] = {
-+ {
-+ /* See https://bugzilla.kernel.org/show_bug.cgi?id=194945 */
-+ .ident = "Acer Chromebook (CYAN)",
-+ .matches = {
-+ DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "Edgar"),
-+ DMI_MATCH(DMI_BIOS_DATE, "05/21/2016"),
-+ },
-+ }
-+};
-+
- static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
- {
- const struct chv_gpio_pinrange *range;
- struct gpio_chip *chip = &pctrl->chip;
-+ bool need_valid_mask = !dmi_check_system(chv_no_valid_mask);
- int ret, i, offset;
-
- *chip = chv_gpio_chip;
-@@ -1536,7 +1558,7 @@ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
- chip->label = dev_name(pctrl->dev);
- chip->parent = pctrl->dev;
- chip->base = -1;
-- chip->irq_need_valid_mask = true;
-+ chip->irq_need_valid_mask = need_valid_mask;
-
- ret = devm_gpiochip_add_data(pctrl->dev, chip, pctrl);
- if (ret) {
-@@ -1567,7 +1589,7 @@ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
- intsel &= CHV_PADCTRL0_INTSEL_MASK;
- intsel >>= CHV_PADCTRL0_INTSEL_SHIFT;
-
-- if (intsel >= pctrl->community->nirqs)
-+ if (need_valid_mask && intsel >= pctrl->community->nirqs)
- clear_bit(i, chip->irq_valid_mask);
- }
-
diff --git a/debian/patches/bugfix/x86/pinctrl-cherryview-add-terminate-entry-for-dmi_syste.patch b/debian/patches/bugfix/x86/pinctrl-cherryview-add-terminate-entry-for-dmi_syste.patch
deleted file mode 100644
index 082c086..0000000
--- a/debian/patches/bugfix/x86/pinctrl-cherryview-add-terminate-entry-for-dmi_syste.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Wei Yongjun <weiyongjun1 at huawei.com>
-Date: Tue, 25 Apr 2017 06:22:05 +0000
-Subject: pinctrl: cherryview: Add terminate entry for dmi_system_id tables
-Origin: https://git.kernel.org/linus/a9de080bbcd5c4e213a3d7bbb1e314d60980e943
-
-Make sure dmi_system_id tables are NULL terminated.
-
-Fixes: 703650278372 ("pinctrl: cherryview: Add a quirk to make Acer
-Chromebook keyboard work again")
-Signed-off-by: Wei Yongjun <weiyongjun1 at huawei.com>
-Acked-by: Mika Westerberg <mika.westerberg at linux.intel.com>
-Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
----
- drivers/pinctrl/intel/pinctrl-cherryview.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/pinctrl/intel/pinctrl-cherryview.c
-+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
-@@ -1542,7 +1542,8 @@ static const struct dmi_system_id chv_no
- DMI_MATCH(DMI_PRODUCT_NAME, "Edgar"),
- DMI_MATCH(DMI_BIOS_DATE, "05/21/2016"),
- },
-- }
-+ },
-+ {}
- };
-
- static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
diff --git a/debian/patches/debian/tools-perf-install.patch b/debian/patches/debian/tools-perf-install.patch
index 8d3ede9..ffd5099 100644
--- a/debian/patches/debian/tools-perf-install.patch
+++ b/debian/patches/debian/tools-perf-install.patch
@@ -7,7 +7,7 @@ Forwarded: no
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
-@@ -563,8 +563,8 @@ endif
+@@ -702,8 +702,8 @@ endif
ifndef NO_LIBPERL
$(call QUIET_INSTALL, perl-scripts) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \
@@ -18,7 +18,7 @@ Forwarded: no
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'; \
$(INSTALL) scripts/perl/bin/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'
endif
-@@ -572,23 +572,23 @@ ifndef NO_LIBPYTHON
+@@ -711,23 +711,23 @@ ifndef NO_LIBPYTHON
$(call QUIET_INSTALL, python-scripts) \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/Perf-Trace-Util/lib/Perf/Trace'; \
$(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/bin'; \
@@ -46,5 +46,5 @@ Forwarded: no
- $(INSTALL) tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'
+ $(INSTALL) -m 644 tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'
- install-bin: install-tools install-tests
+ install-bin: install-tools install-tests install-traceevent-plugins
diff --git a/debian/patches/series b/debian/patches/series
index 620ce93..d90a93c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -53,8 +53,6 @@ debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
# Arch bug fixes
bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
-bugfix/x86/pinctrl-cherryview-add-a-quirk-to-make-acer-chromebo.patch
-bugfix/x86/pinctrl-cherryview-add-terminate-entry-for-dmi_syste.patch
features/all/firmware-dmi-add-dmi_product_family-identification-s.patch
bugfix/x86/pinctrl-cherryview-extend-the-chromebook-dmi-quirk-t.patch
bugfix/x86/platform-x86-ideapad-laptop-add-y700-15-acz-to-no_hw.patch
@@ -91,7 +89,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
-bugfix/powerpc/powerpc-kernel-Fix-FP-and-vector-register-restoratio.patch
# Miscellaneous features
features/all/netfilter-nft_ct-add-notrack-support.patch
@@ -124,38 +121,10 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/time-mark-timer_stats-as-broken.patch
bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
bugfix/all/nfsv4-fix-callback-server-shutdown.patch
-bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
-bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
-bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
-bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
-bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
-bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
-bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
-bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
-bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
-bugfix/all/mm-larger-stack-guard-gap-between-vmas.patch
-bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
-bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
-bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
-bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
-bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-bugfix/x86/drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
-bugfix/all/drm-virtio-don-t-leak-bo-on-drm_gem_object_init-fail.patch
-bugfix/all/xen-blkback-don-t-leak-stack-data-via-response-ring.patch
-bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
-bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
-bugfix/all/dentry-name-snapshots.patch
bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
-bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
-bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
-bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
bugfix/all/xfrm-policy-check-policy-direction-value.patch
-bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
-bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
-bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
@@ -188,7 +157,6 @@ bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
bugfix/all/cpupower-bump-soname-version.patch
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
bugfix/all/liblockdep-fix-undefined-symbol-prandom_u32.patch
-bugfix/all/liblockdep-reduce-max_lock_depth-to-avoid-overflowin.patch
bugfix/all/liblockdep-define-the-array_size-macro.patch
bugfix/all/liblockdep-enable-wall-by-default.patch
bugfix/all/liblockdep-fix-unused-value-warnings.patch