[linux] 02/03: Update to 4.9.51
debian-kernel at lists.debian.org
Sun Sep 24 21:41:56 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch
in repository linux.
commit 987bbc34b7bd7efe7e3c3608d79fd6417c2d1a3d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Sep 24 20:03:31 2017 +0100
Update to 4.9.51
---
debian/changelog | 115 ++++++-
...roperly-check-l2cap-config-option-output-.patch | 353 ---------------------
...-t-write-vnet-header-beyond-end-of-buffer.patch | 68 ----
...-out-of-bounds-reads-from-address-storage.patch | 184 -----------
...alize-rcv_mss-to-tcp_min_mss-instead-of-0.patch | 35 --
.../bugfix/all/workqueue-fix-flag-collision.patch | 29 --
.../xfrm-policy-check-policy-direction-value.patch | 40 ---
...REALTIME_INODE-should-be-false-if-no-rt-d.patch | 67 ----
...-add-support-for-__sane_userspace_types__.patch | 56 ----
debian/patches/series | 8 -
10 files changed, 113 insertions(+), 842 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2621b65..0989d45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,117 @@
-linux (4.9.47-2) UNRELEASED; urgency=medium
+linux (4.9.51-1) UNRELEASED; urgency=medium
- *
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.48
+ - [x86] i2c: ismt: Don't duplicate the receive length for block reads
+ - [x86] i2c: ismt: Return EMSGSIZE for block reads with bogus length
+ - crypto: algif_skcipher - only call put_page on referenced and used pages
+ - mm, uprobes: fix multiple free of ->uprobes_state.xol_area
+ - mm, madvise: ensure poisoned pages are removed from per-cpu lists
+ - ceph: fix readpage from fscache
+ - cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
+ - cpuset: Fix incorrect memory_pressure control file mapping
+ - CIFS: Fix maximum SMB2 header size
+ - lib/mpi: kunmap after finishing accessing buffer
+ - drm/ttm: Fix accounting error when fail to get pages for pool
+ - [armhf,arm64] kvm: Force reading uncached stage2 PGD
+ - epoll: fix race between ep_poll_callback(POLLFREE) and
+ ep_free()/ep_remove()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.49
+ - usb:xhci:Fix regression when ATI chipsets detected
+ - [armhf] USB: musb: fix external abort on suspend
+ - USB: core: Avoid race of async_completed() w/ usbdev_release()
+ - [x86] staging/rts5208: fix incorrect shift to extract upper nybble
+ - driver core: bus: Fix a potential double free
+ - ath10k: fix memory leak in rx ring buffer allocation
+ - Input: trackpoint - assume 3 buttons when buttons detection fails
+ - rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
+ - dlm: avoid double-free on error path in dlm_device_{register,unregister}
+ - mwifiex: correct channel stat buffer overflows
+ - [s390x] mm: avoid empty zero pages for KVM guests to avoid postcopy hangs
+ - drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
+ - scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
+ - scsi: sg: recheck MMAP_IO request length with lock held
+ - [arm64] drm/bridge: adv7511: Use work_struct to defer hotplug handing to
+ out of irq context
+ - [arm64] drm/bridge: adv7511: Switch to using
+ drm_kms_helper_hotplug_event()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.50
+ - [armhf] mtd: nand: mxc: Fix mxc_v1 ooblayout
+ - nvme-fabrics: generate spec-compliant UUID NQNs
+ - btrfs: resume qgroup rescan on rw remount
+ - mm/memory.c: fix mem_cgroup_oom_disable() call missing
+ - ALSA: msnd: Optimize / harden DSP and MIDI loops
+ - [arm64] dts: marvell: armada-37xx: Fix GIC maintenance interrupt
+ - [armhf] 8692/1: mm: abort uaccess retries upon fatal signal
+ - NFS: Fix 2 use after free issues in the I/O code
+ - NFS: Sync the correct byte range during synchronous writes
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.51
+ - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
+ - ipv6: add rcu grace period before freeing fib6_node
+ - macsec: add genl family module alias
+ - udp: on peeking bad csum, drop packets even if not at head
+ - qlge: avoid memcpy buffer overflow
+ - [x86] netvsc: fix deadlock betwen link status and removal
+ - cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox()
+ - kcm: do not attach PF_KCM sockets to avoid deadlock
+ - Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
+ - bridge: switchdev: Clear forward mark when transmitting packet
+ - Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
+ - Revert "net: fix percpu memory leaks"
+ - gianfar: Fix Tx flow control deactivation
+ - vhost_net: correctly check tx avail during rx busy polling
+ - ip6_gre: update mtu properly in ip6gre_err
+ - ipv6: fix memory leak with multiple tables during netns destruction
+ - ipv6: fix typo in fib6_net_exit()
+ - sctp: fix missing wake ups in some situations
+ - ip_tunnel: fix setting ttl and tos value in collect_md mode
+ - f2fs: let fill_super handle roll-forward errors
+ - f2fs: check hot_data for roll-forward recovery
+ - [amd64] fsgsbase: Fully initialize FS and GS state in start_thread_common
+ - [amd64] fsgsbase: Report FSBASE and GSBASE correctly in core dumps
+ - [amd64] switch_to: Rewrite FS/GS switching yet again to fix AMD CPUs
+ - xfs: fix spurious spin_is_locked() assert failures on non-smp kernels
+ - xfs: push buffer of flush locked dquot to avoid quotacheck deadlock
+ - xfs: try to avoid blowing out the transaction reservation when bunmaping
+ a shared extent
+ - xfs: release bli from transaction properly on fs shutdown
+ - xfs: remove bli from AIL before release on transaction abort
+ - xfs: don't allow bmap on rt files
+ - xfs: free uncommitted transactions during log recovery
+ - xfs: free cowblocks and retry on buffered write ENOSPC
+ - xfs: don't crash on unexpected holes in dir/attr btrees
+ - xfs: check _btree_check_block value
+ - xfs: set firstfsb to NULLFSBLOCK before feeding it to _bmapi_write
+ - xfs: check _alloc_read_agf buffer pointer before using
+ - xfs: fix quotacheck dquot id overflow infinite loop
+ - xfs: fix multi-AG deadlock in xfs_bunmapi
+ - xfs: Fix per-inode DAX flag inheritance
+ - xfs: fix inobt inode allocation search optimization
+ - xfs: clear MS_ACTIVE after finishing log recovery
+ - xfs: don't leak quotacheck dquots when cow recovery
+ - iomap: fix integer truncation issues in the zeroing and dirtying helpers
+ - xfs: write unmount record for ro mounts
+ - xfs: toggle readonly state around xfs_log_mount_finish
+ - xfs: Properly retry failed inode items in case of error during buffer
+ writeback
+ - xfs: fix recovery failure when log record header wraps log end
+ - xfs: always verify the log tail during recovery
+ - xfs: fix log recovery corruption error due to tail overwrite
+ - xfs: handle -EFSCORRUPTED during head/tail verification
+ - xfs: stop searching for free slots in an inode chunk when there are none
+ - xfs: evict all inodes involved with log redo item
+ - xfs: check for race with xfs_reclaim_inode() in xfs_ifree_cluster()
+ - xfs: don't log dirty ranges for ordered buffers
+ - xfs: skip bmbt block ino validation during owner change
+ - xfs: move bmbt owner change to last step of extent swap
+ - xfs: disallow marking previously dirty buffers as ordered
+ - xfs: relog dirty buffers during swapext bmbt owner change
+ - xfs: disable per-inode DAX flag
+ - xfs: fix incorrect log_flushed on fsync
+ - xfs: don't set v3 xflags for v2 inodes
+ - xfs: open code end_buffer_async_write in xfs_finish_page_writeback
+ - md/raid5: release/flush io in raid5_do_work()
+ - ipv6: Fix may be used uninitialized warning in rt6_check
-- Ben Hutchings <ben at decadent.org.uk> Tue, 19 Sep 2017 00:38:28 +0100
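Review bot: the new changelog entry does not record that the eight local patches removed in this commit (the Bluetooth L2CAP config option check for CVE-2017-1000251, the packet vnet header write for CVE-2017-14497, the sctp address storage read for CVE-2017-7558, the tcp rcv_mss initialisation for CVE-2017-14106, the workqueue flag collision, the xfrm policy direction check, and two further patches in the diffstat) are now carried by the upstream 4.9.48 to 4.9.51 updates, and none of the upstream subjects listed here correspond to them. Without that, a reader of the changelog or of the security tracker cannot tell which upstream release closed each CVE; add a line such as `- Drop patches now included upstream` under the relevant ChangeLog URL, or list the matching upstream subjects with their CVE ids. Minor: the trailer line still carries the 19 Sep date of the previous entry; it will be regenerated at release time, but it is easy to overlook while the entry stays UNRELEASED.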
diff --git a/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch b/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
deleted file mode 100644
index 89b9146..0000000
--- a/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
+++ /dev/null
@@ -1,353 +0,0 @@
-From: Ben Seri <ben at armis.com>
-Date: Sat, 9 Sep 2017 23:15:59 +0200
-Subject: Bluetooth: Properly check L2CAP config option output buffer length
-Origin: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000251
-
-Validate the output buffer length for L2CAP config requests and responses
-to avoid overflowing the stack buffer used for building the option blocks.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Ben Seri <ben at armis.com>
-Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/bluetooth/l2cap_core.c | 80 +++++++++++++++++++++++++---------------------
- 1 file changed, 43 insertions(+), 37 deletions(-)
-
---- a/net/bluetooth/l2cap_core.c
-+++ b/net/bluetooth/l2cap_core.c
-@@ -58,7 +58,7 @@ static struct sk_buff *l2cap_build_cmd(s
- u8 code, u8 ident, u16 dlen, void *data);
- static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
- void *data);
--static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
-+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
- static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
-
- static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
-@@ -1473,7 +1473,7 @@ static void l2cap_conn_start(struct l2ca
-
- set_bit(CONF_REQ_SENT, &chan->conf_state);
- l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, buf), buf);
-+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
- chan->num_conf_req++;
- }
-
-@@ -2977,12 +2977,15 @@ static inline int l2cap_get_conf_opt(voi
- return len;
- }
-
--static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
-+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
- {
- struct l2cap_conf_opt *opt = *ptr;
-
- BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
-
-+ if (size < L2CAP_CONF_OPT_SIZE + len)
-+ return;
-+
- opt->type = type;
- opt->len = len;
-
-@@ -3007,7 +3010,7 @@ static void l2cap_add_conf_opt(void **pt
- *ptr += L2CAP_CONF_OPT_SIZE + len;
- }
-
--static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
-+static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
- {
- struct l2cap_conf_efs efs;
-
-@@ -3035,7 +3038,7 @@ static void l2cap_add_opt_efs(void **ptr
- }
-
- l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
-- (unsigned long) &efs);
-+ (unsigned long) &efs, size);
- }
-
- static void l2cap_ack_timeout(struct work_struct *work)
-@@ -3181,11 +3184,12 @@ static inline void l2cap_txwin_setup(str
- chan->ack_win = chan->tx_win;
- }
-
--static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
-+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
- {
- struct l2cap_conf_req *req = data;
- struct l2cap_conf_rfc rfc = { .mode = chan->mode };
- void *ptr = req->data;
-+ void *endptr = data + data_size;
- u16 size;
-
- BT_DBG("chan %p", chan);
-@@ -3210,7 +3214,7 @@ static int l2cap_build_conf_req(struct l
-
- done:
- if (chan->imtu != L2CAP_DEFAULT_MTU)
-- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
-+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
-
- switch (chan->mode) {
- case L2CAP_MODE_BASIC:
-@@ -3229,7 +3233,7 @@ done:
- rfc.max_pdu_size = 0;
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-- (unsigned long) &rfc);
-+ (unsigned long) &rfc, endptr - ptr);
- break;
-
- case L2CAP_MODE_ERTM:
-@@ -3249,21 +3253,21 @@ done:
- L2CAP_DEFAULT_TX_WINDOW);
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-- (unsigned long) &rfc);
-+ (unsigned long) &rfc, endptr - ptr);
-
- if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
-- l2cap_add_opt_efs(&ptr, chan);
-+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
-
- if (test_bit(FLAG_EXT_CTRL, &chan->flags))
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
-- chan->tx_win);
-+ chan->tx_win, endptr - ptr);
-
- if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
- if (chan->fcs == L2CAP_FCS_NONE ||
- test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
- chan->fcs = L2CAP_FCS_NONE;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
-- chan->fcs);
-+ chan->fcs, endptr - ptr);
- }
- break;
-
-@@ -3281,17 +3285,17 @@ done:
- rfc.max_pdu_size = cpu_to_le16(size);
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-- (unsigned long) &rfc);
-+ (unsigned long) &rfc, endptr - ptr);
-
- if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
-- l2cap_add_opt_efs(&ptr, chan);
-+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
-
- if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
- if (chan->fcs == L2CAP_FCS_NONE ||
- test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
- chan->fcs = L2CAP_FCS_NONE;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
-- chan->fcs);
-+ chan->fcs, endptr - ptr);
- }
- break;
- }
-@@ -3302,10 +3306,11 @@ done:
- return ptr - data;
- }
-
--static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
-+static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
- {
- struct l2cap_conf_rsp *rsp = data;
- void *ptr = rsp->data;
-+ void *endptr = data + data_size;
- void *req = chan->conf_req;
- int len = chan->conf_len;
- int type, hint, olen;
-@@ -3407,7 +3412,7 @@ done:
- return -ECONNREFUSED;
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-- (unsigned long) &rfc);
-+ (unsigned long) &rfc, endptr - ptr);
- }
-
- if (result == L2CAP_CONF_SUCCESS) {
-@@ -3420,7 +3425,7 @@ done:
- chan->omtu = mtu;
- set_bit(CONF_MTU_DONE, &chan->conf_state);
- }
-- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
-+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
-
- if (remote_efs) {
- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
-@@ -3434,7 +3439,7 @@ done:
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
- sizeof(efs),
-- (unsigned long) &efs);
-+ (unsigned long) &efs, endptr - ptr);
- } else {
- /* Send PENDING Conf Rsp */
- result = L2CAP_CONF_PENDING;
-@@ -3467,7 +3472,7 @@ done:
- set_bit(CONF_MODE_DONE, &chan->conf_state);
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-- sizeof(rfc), (unsigned long) &rfc);
-+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
-
- if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
- chan->remote_id = efs.id;
-@@ -3481,7 +3486,7 @@ done:
- le32_to_cpu(efs.sdu_itime);
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
- sizeof(efs),
-- (unsigned long) &efs);
-+ (unsigned long) &efs, endptr - ptr);
- }
- break;
-
-@@ -3495,7 +3500,7 @@ done:
- set_bit(CONF_MODE_DONE, &chan->conf_state);
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-- (unsigned long) &rfc);
-+ (unsigned long) &rfc, endptr - ptr);
-
- break;
-
-@@ -3517,10 +3522,11 @@ done:
- }
-
- static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
-- void *data, u16 *result)
-+ void *data, size_t size, u16 *result)
- {
- struct l2cap_conf_req *req = data;
- void *ptr = req->data;
-+ void *endptr = data + size;
- int type, olen;
- unsigned long val;
- struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
-@@ -3538,13 +3544,13 @@ static int l2cap_parse_conf_rsp(struct l
- chan->imtu = L2CAP_DEFAULT_MIN_MTU;
- } else
- chan->imtu = val;
-- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
-+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
- break;
-
- case L2CAP_CONF_FLUSH_TO:
- chan->flush_to = val;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
-- 2, chan->flush_to);
-+ 2, chan->flush_to, endptr - ptr);
- break;
-
- case L2CAP_CONF_RFC:
-@@ -3558,13 +3564,13 @@ static int l2cap_parse_conf_rsp(struct l
- chan->fcs = 0;
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-- sizeof(rfc), (unsigned long) &rfc);
-+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
- break;
-
- case L2CAP_CONF_EWS:
- chan->ack_win = min_t(u16, val, chan->ack_win);
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
-- chan->tx_win);
-+ chan->tx_win, endptr - ptr);
- break;
-
- case L2CAP_CONF_EFS:
-@@ -3577,7 +3583,7 @@ static int l2cap_parse_conf_rsp(struct l
- return -ECONNREFUSED;
-
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
-- (unsigned long) &efs);
-+ (unsigned long) &efs, endptr - ptr);
- break;
-
- case L2CAP_CONF_FCS:
-@@ -3682,7 +3688,7 @@ void __l2cap_connect_rsp_defer(struct l2
- return;
-
- l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, buf), buf);
-+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
- chan->num_conf_req++;
- }
-
-@@ -3890,7 +3896,7 @@ sendresp:
- u8 buf[128];
- set_bit(CONF_REQ_SENT, &chan->conf_state);
- l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, buf), buf);
-+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
- chan->num_conf_req++;
- }
-
-@@ -3968,7 +3974,7 @@ static int l2cap_connect_create_rsp(stru
- break;
-
- l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, req), req);
-+ l2cap_build_conf_req(chan, req, sizeof(req)), req);
- chan->num_conf_req++;
- break;
-
-@@ -4080,7 +4086,7 @@ static inline int l2cap_config_req(struc
- }
-
- /* Complete config. */
-- len = l2cap_parse_conf_req(chan, rsp);
-+ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
- if (len < 0) {
- l2cap_send_disconn_req(chan, ECONNRESET);
- goto unlock;
-@@ -4114,7 +4120,7 @@ static inline int l2cap_config_req(struc
- if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
- u8 buf[64];
- l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, buf), buf);
-+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
- chan->num_conf_req++;
- }
-
-@@ -4174,7 +4180,7 @@ static inline int l2cap_config_rsp(struc
- char buf[64];
-
- len = l2cap_parse_conf_rsp(chan, rsp->data, len,
-- buf, &result);
-+ buf, sizeof(buf), &result);
- if (len < 0) {
- l2cap_send_disconn_req(chan, ECONNRESET);
- goto done;
-@@ -4204,7 +4210,7 @@ static inline int l2cap_config_rsp(struc
- /* throw out any old stored conf requests */
- result = L2CAP_CONF_SUCCESS;
- len = l2cap_parse_conf_rsp(chan, rsp->data, len,
-- req, &result);
-+ req, sizeof(req), &result);
- if (len < 0) {
- l2cap_send_disconn_req(chan, ECONNRESET);
- goto done;
-@@ -4781,7 +4787,7 @@ static void l2cap_do_create(struct l2cap
- set_bit(CONF_REQ_SENT, &chan->conf_state);
- l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
- L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, buf), buf);
-+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
- chan->num_conf_req++;
- }
- }
-@@ -7457,7 +7463,7 @@ static void l2cap_security_cfm(struct hc
- set_bit(CONF_REQ_SENT, &chan->conf_state);
- l2cap_send_cmd(conn, l2cap_get_ident(conn),
- L2CAP_CONF_REQ,
-- l2cap_build_conf_req(chan, buf),
-+ l2cap_build_conf_req(chan, buf, sizeof(buf)),
- buf);
- chan->num_conf_req++;
- }
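Review bot: dropping this patch is only correct if its Origin commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 landed in one of 4.9.48 to 4.9.51, and nothing in this commit shows that: the changelog hunk lists no Bluetooth entry (if it was omitted because the fix was already applied locally, say so in the commit message). Please confirm in the upstream stable tree, for example with `git log --oneline v4.9.47..v4.9.51 -- net/bluetooth/l2cap_core.c`, and make sure the security tracker entry for CVE-2017-1000251 is updated to the fixed version 4.9.51-1. One observation on the removed fix itself, in case a follow-up is ever considered: `l2cap_add_conf_opt()` now returns silently when `size < L2CAP_CONF_OPT_SIZE + len`, so an undersized buffer yields a truncated option block with no error to the caller; that is a safe failure mode for the overflow, but it makes a too-small `buf[64]` or `buf[128]` hard to notice in testing.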
diff --git a/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch b/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
deleted file mode 100644
index 4551b40..0000000
--- a/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: Benjamin Poirier <bpoirier at suse.com>
-Date: Mon, 28 Aug 2017 14:29:41 -0400
-Subject: packet: Don't write vnet header beyond end of buffer
-Origin: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14497
-
-... which may happen with certain values of tp_reserve and maclen.
-
-Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
-Signed-off-by: Benjamin Poirier <bpoirier at suse.com>
-Cc: Willem de Bruijn <willemb at google.com>
-Acked-by: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -2151,6 +2151,7 @@ static int tpacket_rcv(struct sk_buff *s
- struct timespec ts;
- __u32 ts_status;
- bool is_drop_n_account = false;
-+ bool do_vnet = false;
-
- /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
- * We may add members to them until current aligned size without forcing
-@@ -2201,8 +2202,10 @@ static int tpacket_rcv(struct sk_buff *s
- netoff = TPACKET_ALIGN(po->tp_hdrlen +
- (maclen < 16 ? 16 : maclen)) +
- po->tp_reserve;
-- if (po->has_vnet_hdr)
-+ if (po->has_vnet_hdr) {
- netoff += sizeof(struct virtio_net_hdr);
-+ do_vnet = true;
-+ }
- macoff = netoff - maclen;
- }
- if (po->tp_version <= TPACKET_V2) {
-@@ -2219,8 +2222,10 @@ static int tpacket_rcv(struct sk_buff *s
- skb_set_owner_r(copy_skb, sk);
- }
- snaplen = po->rx_ring.frame_size - macoff;
-- if ((int)snaplen < 0)
-+ if ((int)snaplen < 0) {
- snaplen = 0;
-+ do_vnet = false;
-+ }
- }
- } else if (unlikely(macoff + snaplen >
- GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
-@@ -2233,6 +2238,7 @@ static int tpacket_rcv(struct sk_buff *s
- if (unlikely((int)snaplen < 0)) {
- snaplen = 0;
- macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
-+ do_vnet = false;
- }
- }
- spin_lock(&sk->sk_receive_queue.lock);
-@@ -2258,7 +2264,7 @@ static int tpacket_rcv(struct sk_buff *s
- }
- spin_unlock(&sk->sk_receive_queue.lock);
-
-- if (po->has_vnet_hdr) {
-+ if (do_vnet) {
- if (__packet_rcv_vnet(skb, h.raw + macoff -
- sizeof(struct virtio_net_hdr))) {
- spin_lock(&sk->sk_receive_queue.lock);
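Review bot: same concern as for the Bluetooth patch: the deletion assumes upstream commit edbd58be15a957f6a760c4a514cd475217eb97fd is in 4.9.48 to 4.9.51, but the changelog hunk has no af_packet entry to confirm it. Verify in the stable tree (for example `git log --oneline v4.9.47..v4.9.51 -- net/packet/af_packet.c`) and update the tracker for CVE-2017-14497 to 4.9.51-1. The removed fix is self-consistent as far as the visible hunks go: `do_vnet` is only set where `netoff` was extended for the virtio header and is cleared in both places where `snaplen` is clamped to 0, so the write at `h.raw + macoff - sizeof(struct virtio_net_hdr)` is skipped in exactly the cases where `macoff` would land outside the frame.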
diff --git a/debian/patches/bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch b/debian/patches/bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
deleted file mode 100644
index 3d37ffa..0000000
--- a/debian/patches/bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From: Stefano Brivio <sbrivio at redhat.com>
-Date: Wed, 23 Aug 2017 13:27:13 +0200
-Subject: sctp: Avoid out-of-bounds reads from address storage
-Origin: https://git.kernel.org/linus/ee6c88bb754e3d363e568da78086adfedb692447
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7558
-
-inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
-sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
-to export diagnostic information to userspace.
-
-However, the memory allocated to store sockaddr information is
-smaller than that and depends on the address family, so we leak
-up to 100 uninitialized bytes to userspace. Just use the size of
-the source structs instead, in all the three cases this is what
-userspace expects. Zero out the remaining memory.
-
-Unused bytes (i.e. when IPv4 addresses are used) in source
-structs sctp_sockaddr_entry and sctp_transport are already
-cleared by sctp_add_bind_addr() and sctp_transport_new(),
-respectively.
-
-Noticed while testing KASAN-enabled kernel with 'ss':
-
-[ 2326.885243] BUG: KASAN: slab-out-of-bounds in inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag] at addr ffff881be8779800
-[ 2326.896800] Read of size 128 by task ss/9527
-[ 2326.901564] CPU: 0 PID: 9527 Comm: ss Not tainted 4.11.0-22.el7a.x86_64 #1
-[ 2326.909236] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
-[ 2326.917585] Call Trace:
-[ 2326.920312] dump_stack+0x63/0x8d
-[ 2326.924014] kasan_object_err+0x21/0x70
-[ 2326.928295] kasan_report+0x288/0x540
-[ 2326.932380] ? inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
-[ 2326.938500] ? skb_put+0x8b/0xd0
-[ 2326.942098] ? memset+0x31/0x40
-[ 2326.945599] check_memory_region+0x13c/0x1a0
-[ 2326.950362] memcpy+0x23/0x50
-[ 2326.953669] inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
-[ 2326.959596] ? inet_diag_msg_sctpasoc_fill+0x460/0x460 [sctp_diag]
-[ 2326.966495] ? __lock_sock+0x102/0x150
-[ 2326.970671] ? sock_def_wakeup+0x60/0x60
-[ 2326.975048] ? remove_wait_queue+0xc0/0xc0
-[ 2326.979619] sctp_diag_dump+0x44a/0x760 [sctp_diag]
-[ 2326.985063] ? sctp_ep_dump+0x280/0x280 [sctp_diag]
-[ 2326.990504] ? memset+0x31/0x40
-[ 2326.994007] ? mutex_lock+0x12/0x40
-[ 2326.997900] __inet_diag_dump+0x57/0xb0 [inet_diag]
-[ 2327.003340] ? __sys_sendmsg+0x150/0x150
-[ 2327.007715] inet_diag_dump+0x4d/0x80 [inet_diag]
-[ 2327.012979] netlink_dump+0x1e6/0x490
-[ 2327.017064] __netlink_dump_start+0x28e/0x2c0
-[ 2327.021924] inet_diag_handler_cmd+0x189/0x1a0 [inet_diag]
-[ 2327.028045] ? inet_diag_rcv_msg_compat+0x1b0/0x1b0 [inet_diag]
-[ 2327.034651] ? inet_diag_dump_compat+0x190/0x190 [inet_diag]
-[ 2327.040965] ? __netlink_lookup+0x1b9/0x260
-[ 2327.045631] sock_diag_rcv_msg+0x18b/0x1e0
-[ 2327.050199] netlink_rcv_skb+0x14b/0x180
-[ 2327.054574] ? sock_diag_bind+0x60/0x60
-[ 2327.058850] sock_diag_rcv+0x28/0x40
-[ 2327.062837] netlink_unicast+0x2e7/0x3b0
-[ 2327.067212] ? netlink_attachskb+0x330/0x330
-[ 2327.071975] ? kasan_check_write+0x14/0x20
-[ 2327.076544] netlink_sendmsg+0x5be/0x730
-[ 2327.080918] ? netlink_unicast+0x3b0/0x3b0
-[ 2327.085486] ? kasan_check_write+0x14/0x20
-[ 2327.090057] ? selinux_socket_sendmsg+0x24/0x30
-[ 2327.095109] ? netlink_unicast+0x3b0/0x3b0
-[ 2327.099678] sock_sendmsg+0x74/0x80
-[ 2327.103567] ___sys_sendmsg+0x520/0x530
-[ 2327.107844] ? __get_locked_pte+0x178/0x200
-[ 2327.112510] ? copy_msghdr_from_user+0x270/0x270
-[ 2327.117660] ? vm_insert_page+0x360/0x360
-[ 2327.122133] ? vm_insert_pfn_prot+0xb4/0x150
-[ 2327.126895] ? vm_insert_pfn+0x32/0x40
-[ 2327.131077] ? vvar_fault+0x71/0xd0
-[ 2327.134968] ? special_mapping_fault+0x69/0x110
-[ 2327.140022] ? __do_fault+0x42/0x120
-[ 2327.144008] ? __handle_mm_fault+0x1062/0x17a0
-[ 2327.148965] ? __fget_light+0xa7/0xc0
-[ 2327.153049] __sys_sendmsg+0xcb/0x150
-[ 2327.157133] ? __sys_sendmsg+0xcb/0x150
-[ 2327.161409] ? SyS_shutdown+0x140/0x140
-[ 2327.165688] ? exit_to_usermode_loop+0xd0/0xd0
-[ 2327.170646] ? __do_page_fault+0x55d/0x620
-[ 2327.175216] ? __sys_sendmsg+0x150/0x150
-[ 2327.179591] SyS_sendmsg+0x12/0x20
-[ 2327.183384] do_syscall_64+0xe3/0x230
-[ 2327.187471] entry_SYSCALL64_slow_path+0x25/0x25
-[ 2327.192622] RIP: 0033:0x7f41d18fa3b0
-[ 2327.196608] RSP: 002b:00007ffc3b731218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
-[ 2327.205055] RAX: ffffffffffffffda RBX: 00007ffc3b731380 RCX: 00007f41d18fa3b0
-[ 2327.213017] RDX: 0000000000000000 RSI: 00007ffc3b731340 RDI: 0000000000000003
-[ 2327.220978] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000040
-[ 2327.228939] R10: 00007ffc3b730f30 R11: 0000000000000246 R12: 0000000000000003
-[ 2327.236901] R13: 00007ffc3b731340 R14: 00007ffc3b7313d0 R15: 0000000000000084
-[ 2327.244865] Object at ffff881be87797e0, in cache kmalloc-64 size: 64
-[ 2327.251953] Allocated:
-[ 2327.254581] PID = 9484
-[ 2327.257215] save_stack_trace+0x1b/0x20
-[ 2327.261485] save_stack+0x46/0xd0
-[ 2327.265179] kasan_kmalloc+0xad/0xe0
-[ 2327.269165] kmem_cache_alloc_trace+0xe6/0x1d0
-[ 2327.274138] sctp_add_bind_addr+0x58/0x180 [sctp]
-[ 2327.279400] sctp_do_bind+0x208/0x310 [sctp]
-[ 2327.284176] sctp_bind+0x61/0xa0 [sctp]
-[ 2327.288455] inet_bind+0x5f/0x3a0
-[ 2327.292151] SYSC_bind+0x1a4/0x1e0
-[ 2327.295944] SyS_bind+0xe/0x10
-[ 2327.299349] do_syscall_64+0xe3/0x230
-[ 2327.303433] return_from_SYSCALL_64+0x0/0x6a
-[ 2327.308194] Freed:
-[ 2327.310434] PID = 4131
-[ 2327.313065] save_stack_trace+0x1b/0x20
-[ 2327.317344] save_stack+0x46/0xd0
-[ 2327.321040] kasan_slab_free+0x73/0xc0
-[ 2327.325220] kfree+0x96/0x1a0
-[ 2327.328530] dynamic_kobj_release+0x15/0x40
-[ 2327.333195] kobject_release+0x99/0x1e0
-[ 2327.337472] kobject_put+0x38/0x70
-[ 2327.341266] free_notes_attrs+0x66/0x80
-[ 2327.345545] mod_sysfs_teardown+0x1a5/0x270
-[ 2327.350211] free_module+0x20/0x2a0
-[ 2327.354099] SyS_delete_module+0x2cb/0x2f0
-[ 2327.358667] do_syscall_64+0xe3/0x230
-[ 2327.362750] return_from_SYSCALL_64+0x0/0x6a
-[ 2327.367510] Memory state around the buggy address:
-[ 2327.372855] ffff881be8779700: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
-[ 2327.380914] ffff881be8779780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
-[ 2327.388972] >ffff881be8779800: 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb fb
-[ 2327.397031] ^
-[ 2327.401792] ffff881be8779880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
-[ 2327.409850] ffff881be8779900: 00 00 00 00 00 04 fc fc fc fc fc fc 00 00 00 00
-[ 2327.417907] ==================================================================
-
-This fixes CVE-2017-7558.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
-Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
-Cc: Xin Long <lucien.xin at gmail.com>
-Cc: Vlad Yasevich <vyasevich at gmail.com>
-Cc: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: Stefano Brivio <sbrivio at redhat.com>
-Acked-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/sctp_diag.c | 7 +++++--
- net/sctp/socket.c | 3 +--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
---- a/net/sctp/sctp_diag.c
-+++ b/net/sctp/sctp_diag.c
-@@ -70,7 +70,8 @@ static int inet_diag_msg_sctpladdrs_fill
-
- info = nla_data(attr);
- list_for_each_entry_rcu(laddr, address_list, list) {
-- memcpy(info, &laddr->a, addrlen);
-+ memcpy(info, &laddr->a, sizeof(laddr->a));
-+ memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
- info += addrlen;
- }
-
-@@ -93,7 +94,9 @@ static int inet_diag_msg_sctpaddrs_fill(
- info = nla_data(attr);
- list_for_each_entry(from, &asoc->peer.transport_addr_list,
- transports) {
-- memcpy(info, &from->ipaddr, addrlen);
-+ memcpy(info, &from->ipaddr, sizeof(from->ipaddr));
-+ memset(info + sizeof(from->ipaddr), 0,
-+ addrlen - sizeof(from->ipaddr));
- info += addrlen;
- }
-
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4369,8 +4369,7 @@ int sctp_get_sctp_info(struct sock *sk,
- info->sctpi_ictrlchunks = asoc->stats.ictrlchunks;
-
- prim = asoc->peer.primary_path;
-- memcpy(&info->sctpi_p_address, &prim->ipaddr,
-- sizeof(struct sockaddr_storage));
-+ memcpy(&info->sctpi_p_address, &prim->ipaddr, sizeof(prim->ipaddr));
- info->sctpi_p_state = prim->state;
- info->sctpi_p_cwnd = prim->cwnd;
- info->sctpi_p_srtt = prim->srtt;
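Review bot: as with the other dropped security patches, nothing here shows upstream commit ee6c88bb754e3d363e568da78086adfedb692447 is in 4.9.48 to 4.9.51; the changelog has no sctp_diag entry. Confirm before deleting and update the tracker for CVE-2017-7558 to 4.9.51-1. On the removed fix: `memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a))` relies on `addrlen` (sizeof(struct sockaddr_storage) per the description) being at least sizeof(laddr->a); that holds today, but a comment or a `BUILD_BUG_ON` would guard the subtraction against a future change to `union sctp_addr`. The KASAN report kept in the patch description is also useful for detection: a slab-out-of-bounds read in `inet_sctp_diag_fill` triggered by `ss` is how this bug shows up on kernels that lack the fix.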
diff --git a/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch b/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
deleted file mode 100644
index 9711744..0000000
--- a/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Wei Wang <weiwan at google.com>
-Date: Thu, 18 May 2017 11:22:33 -0700
-Subject: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
-Origin: https://git.kernel.org/linus/499350a5a6e7512d9ed369ed63a4244b6536f4f8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14106
-
-When tcp_disconnect() is called, inet_csk_delack_init() sets
-icsk->icsk_ack.rcv_mss to 0.
-This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
-__tcp_select_window() call path to have division by 0 issue.
-So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Wei Wang <weiwan at google.com>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: Neal Cardwell <ncardwell at google.com>
-Signed-off-by: Yuchung Cheng <ycheng at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/tcp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -2294,6 +2294,10 @@ int tcp_disconnect(struct sock *sk, int
- tcp_set_ca_state(sk, TCP_CA_Open);
- tcp_clear_retrans(tp);
- inet_csk_delack_init(sk);
-+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
-+ * issue in __tcp_select_window()
-+ */
-+ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
- tcp_init_send_head(sk);
- memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
- __sk_dst_reset(sk);
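Review bot: the removed patch fixes a division by zero in __tcp_select_window() after tcp_disconnect() (CVE-2017-14106 per its Bug-Debian-Security line) and records Origin commit 499350a5a6e7; before deleting it, confirm that commit appears in the 4.9.51 changelog, and keep the CVE reference in debian/changelog so the security-tracker entry still resolves to this upload.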
diff --git a/debian/patches/bugfix/all/workqueue-fix-flag-collision.patch b/debian/patches/bugfix/all/workqueue-fix-flag-collision.patch
deleted file mode 100644
index 92a6b4b..0000000
--- a/debian/patches/bugfix/all/workqueue-fix-flag-collision.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 3 Sep 2017 01:12:54 +0100
-Subject: workqueue: Fix flag collision
-Forwarded: https://marc.info/?l=linux-kernel&m=150439794511799&w=2
-
-Commit 0a94efb5acbb ("workqueue: implicit ordered attribute should be
-overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
-same value as __WQ_LEGACY. I don't believe these were intended to
-mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
-
-Fixes: 0a94efb5acbb ("workqueue: implicit ordered attribute should be ...")
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Cc: stable at vger.kernel.org
----
- include/linux/workqueue.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/include/linux/workqueue.h
-+++ b/include/linux/workqueue.h
-@@ -311,8 +311,8 @@ enum {
-
- __WQ_DRAINING = 1 << 16, /* internal: workqueue is draining */
- __WQ_ORDERED = 1 << 17, /* internal: workqueue is ordered */
-- __WQ_ORDERED_EXPLICIT = 1 << 18, /* internal: alloc_ordered_workqueue() */
- __WQ_LEGACY = 1 << 18, /* internal: create*_workqueue() */
-+ __WQ_ORDERED_EXPLICIT = 1 << 19, /* internal: alloc_ordered_workqueue() */
-
- WQ_MAX_ACTIVE = 512, /* I like 512, better ideas? */
- WQ_MAX_UNBOUND_PER_CPU = 4, /* 4 * #cpus for unbound wq */
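Review bot: unlike the other deleted patches this one has only a Forwarded: link and no Origin: line, so it was a Debian-local fix for the __WQ_ORDERED_EXPLICIT / __WQ_LEGACY collision (both 1 << 18); removing it is correct only if the upstream stable series took a fix for the same collision, and because the Debian version renumbered __WQ_ORDERED_EXPLICIT to 1 << 19, check that include/linux/workqueue.h in 4.9.51 still gives the two flags distinct values.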
diff --git a/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch b/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch
deleted file mode 100644
index c119403..0000000
--- a/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Wed, 2 Aug 2017 19:50:14 +0200
-Subject: xfrm: policy: check policy direction value
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11600
-
-The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
-as an array index. This can lead to an out-of-bound access, kernel lockup and
-DoS. Add a check for the 'dir' value.
-
-This fixes CVE-2017-11600.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
-Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
-Cc: <stable at vger.kernel.org> # v2.6.21-rc1
-Reported-by: "bo Zhang" <zhangbo5891001 at gmail.com>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
----
- net/xfrm/xfrm_policy.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -3356,9 +3356,15 @@ int xfrm_migrate(const struct xfrm_selec
- struct xfrm_state *x_new[XFRM_MAX_DEPTH];
- struct xfrm_migrate *mp;
-
-+ /* Stage 0 - sanity checks */
- if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
- goto out;
-
-+ if (dir >= XFRM_POLICY_MAX) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+
- /* Stage 1 - find policy */
- if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
- err = -ENOENT;
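Review bot: the deleted hunk adds the `dir >= XFRM_POLICY_MAX` check in xfrm_migrate() that closes CVE-2017-11600 (user-controlled 'dir' used as an array index); since its Origin points at the ipsec.git tree rather than Linus' tree, verify that 4.9.51 actually includes commit 7bab09631c2a (the Cc: stable line suggests it was queued) before relying on the stable update, and reference the CVE in the changelog.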
diff --git a/debian/patches/bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch b/debian/patches/bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch
deleted file mode 100644
index c1ea614..0000000
--- a/debian/patches/bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From: Richard Wareing <rwareing at fb.com>
-Date: Wed, 13 Sep 2017 09:09:35 +1000
-Subject: xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
-Origin: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14340
-
-If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
-a directory in a filesystem that does not have a realtime device and
-create a new file in that directory, it gets marked as a real time file.
-When data is written and a fsync is issued, the filesystem attempts to
-flush a non-existent rt device during the fsync process.
-
-This results in a crash dereferencing a null buftarg pointer in
-xfs_blkdev_issue_flush():
-
- BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
- IP: xfs_blkdev_issue_flush+0xd/0x20
- .....
- Call Trace:
- xfs_file_fsync+0x188/0x1c0
- vfs_fsync_range+0x3b/0xa0
- do_fsync+0x3d/0x70
- SyS_fsync+0x10/0x20
- do_syscall_64+0x4d/0xb0
- entry_SYSCALL64_slow_path+0x25/0x25
-
-Setting RT inode flags does not require special privileges so any
-unprivileged user can cause this oops to occur. To reproduce, confirm
-kernel is compiled with CONFIG_XFS_RT=y and run:
-
- # mkfs.xfs -f /dev/pmem0
- # mount /dev/pmem0 /mnt/test
- # mkdir /mnt/test/foo
- # xfs_io -c 'chattr +t' /mnt/test/foo
- # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
-
-Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
-
-Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
-
-Fixes: f538d4da8d52 ("[XFS] write barrier support")
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Richard Wareing <rwareing at fb.com>
-Signed-off-by: Dave Chinner <david at fromorbit.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- fs/xfs/xfs_linux.h | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
---- a/fs/xfs/xfs_linux.h
-+++ b/fs/xfs/xfs_linux.h
-@@ -363,7 +363,14 @@ static inline __uint64_t howmany_64(__ui
- #endif /* DEBUG */
-
- #ifdef CONFIG_XFS_RT
--#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME)
-+
-+/*
-+ * make sure we ignore the inode flag if the filesystem doesn't have a
-+ * configured realtime device.
-+ */
-+#define XFS_IS_REALTIME_INODE(ip) \
-+ (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \
-+ (ip)->i_mount->m_rtdev_targp)
- #else
- #define XFS_IS_REALTIME_INODE(ip) (0)
- #endif
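Review bot: the removed XFS change (CVE-2017-14340) makes XFS_IS_REALTIME_INODE() also require (ip)->i_mount->m_rtdev_targp, so the NULL buftarg dereference in xfs_blkdev_issue_flush() disappears for filesystems without an rt device; it only matters for CONFIG_XFS_RT=y builds, so when dropping the Debian copy, confirm that 4.9.51 contains b31ff3cdf540 and note in the changelog that the fix is relevant only where the packaged configs enable CONFIG_XFS_RT.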
diff --git a/debian/patches/bugfix/alpha/alpha-uapi-add-support-for-__sane_userspace_types__.patch b/debian/patches/bugfix/alpha/alpha-uapi-add-support-for-__sane_userspace_types__.patch
deleted file mode 100644
index 3d6a877..0000000
--- a/debian/patches/bugfix/alpha/alpha-uapi-add-support-for-__sane_userspace_types__.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Tue, 29 Sep 2015 02:55:06 +0100
-Subject: [PATCH] alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
-Forwarded: http://mid.gmane.org/1443659755.2730.14.camel@decadent.org.uk
-
-This fixes compiler errors in perf such as:
-
-tests/attr.c: In function 'store_event':
-tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=]
- snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
- ^
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Tested-by: Michael Cree <mcree at orcon.net.nz>
-Cc: stable at vger.kernel.org
----
- arch/alpha/include/asm/types.h | 2 +-
- arch/alpha/include/uapi/asm/types.h | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-# diff --git a/arch/alpha/include/asm/types.h b/arch/alpha/include/asm/types.h
-# index 4cb4b6d..0bc66e1 100644
-# --- a/arch/alpha/include/asm/types.h
-# +++ b/arch/alpha/include/asm/types.h
-# @@ -1,6 +1,6 @@
-# #ifndef _ALPHA_TYPES_H
-# #define _ALPHA_TYPES_H
-#
-# -#include <asm-generic/int-ll64.h>
-# +#include <uapi/asm/types.h>
-#
-# #endif /* _ALPHA_TYPES_H */
-diff --git a/arch/alpha/include/uapi/asm/types.h b/arch/alpha/include/uapi/asm/types.h
-index 9fd3cd4..8d1024d 100644
---- a/arch/alpha/include/uapi/asm/types.h
-+++ b/arch/alpha/include/uapi/asm/types.h
-@@ -9,8 +9,18 @@
- * need to be careful to avoid a name clashes.
- */
-
--#ifndef __KERNEL__
-+/*
-+ * This is here because we used to use l64 for alpha
-+ * and we don't want to impact user mode with our change to ll64
-+ * in the kernel.
-+ *
-+ * However, some user programs are fine with this. They can
-+ * flag __SANE_USERSPACE_TYPES__ to get int-ll64.h here.
-+ */
-+#if !defined(__SANE_USERSPACE_TYPES__) && !defined(__KERNEL__)
- #include <asm-generic/int-l64.h>
-+#else
-+#include <asm-generic/int-ll64.h>
- #endif
-
- #endif /* _UAPI_ALPHA_TYPES_H */
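Review bot: the deleted patch's diffstat claims two files changed, but its arch/alpha/include/asm/types.h section (the lines prefixed with "# ") is commented out, so quilt only ever applied the uapi/asm/types.h part; it also has a Forwarded: link but no Origin:, so unlike the CVE fixes above no upstream commit id is recorded here. Name in the changelog the upstream change that supersedes it, since the __SANE_USERSPACE_TYPES__ handling for Alpha is what lets perf build.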
diff --git a/debian/patches/series b/debian/patches/series
index d4d8986..3969d56 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,7 +89,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
-bugfix/all/workqueue-fix-flag-collision.patch
# Miscellaneous features
features/all/netfilter-nft_ct-add-notrack-support.patch
@@ -125,17 +124,11 @@ bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
bugfix/all/nfsv4-fix-callback-server-shutdown.patch
bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
-bugfix/all/xfrm-policy-check-policy-direction-value.patch
-bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
-bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
-bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
-bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
# Fix exported symbol versions
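Review bot: the six entries removed here match the six deleted patch files for the sctp, xfrm, tcp, xfs, packet and bluetooth fixes, so series and the tree stay consistent; the surviving neighbours (nl80211, kvm nvmx/vmx, qla2xxx, fbdev aty, iscsi_if_rx) remain Debian-local and should also be checked against the 4.9.51 changelog so that any already included upstream are dropped in the same upload.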
@@ -161,7 +154,6 @@ bugfix/all/tools-lib-traceevent-use-ldflags.patch
bugfix/all/tools-lib-lockdep-use-ldflags.patch
bugfix/x86/tools-hv-fix-fortify-format-warning.patch
bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
-bugfix/alpha/alpha-uapi-add-support-for-__sane_userspace_types__.patch
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
bugfix/all/cpupower-bump-soname-version.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git