summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorTony Lambiris2017-12-26 12:58:10 -0500
committerTony Lambiris2017-12-26 12:58:10 -0500
commit25f4684cd588033e2ff25444221d8ad6ec77277f (patch)
tree659ee3dbd7b7684c1b76cdda2481e93d409cb580
parent0a2aa9683827726495bcbca4cb1f01c659d71fb6 (diff)
downloadaur-25f4684cd588033e2ff25444221d8ad6ec77277f.tar.gz
Version bump, sync with upstream
-rw-r--r--.SRCINFO22
-rw-r--r--0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch77
-rw-r--r--0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch72
-rw-r--r--0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch73
-rw-r--r--0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch57
-rw-r--r--0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch49
-rw-r--r--0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch114
-rw-r--r--PKGBUILD52
-rw-r--r--config34
9 files changed, 514 insertions, 36 deletions
diff --git a/.SRCINFO b/.SRCINFO
index ad1e6c8f782..e2bd1fd6d5f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,5 +1,5 @@
pkgbase = linux-macbook
- pkgver = 4.14.4
+ pkgver = 4.14.9
pkgrel = 1
url = https://www.kernel.org/
arch = x86_64
@@ -12,8 +12,8 @@ pkgbase = linux-macbook
options = !strip
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.4.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.4.sign
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.9.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.9.sign
source = config
source = 60-linux.hook
source = 90-linux.hook
@@ -25,13 +25,19 @@ pkgbase = linux-macbook
source = RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch
source = intel-pstate-backport.patch
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ source = 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+ source = 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+ source = 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+ source = 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+ source = 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ source = 0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
sha256sums = SKIP
- sha256sums = e9dcf9aad5977289940cd6e3762af02b87a725ba6c1a9f4af86958dc621e3a84
+ sha256sums = 5edc955bb67b04c7ed426b1df17a3e322e32ad9fdda9c6abb53ab6eca7faf704
sha256sums = SKIP
- sha256sums = 12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9
+ sha256sums = 4d12ed868b05720c3d263c8454622c67bdee6969400049d7adac7b00907ad195
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
@@ -42,6 +48,12 @@ pkgbase = linux-macbook
sha256sums = 09189eb269a9fd16898cf90a477df23306236fb897791e8d04e5a75d5007bbff
sha256sums = 3d9fdbb4bee270efa6eef1d8e40a5ae562a87d5a2edae629e0829cc51714de13
sha256sums = 37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85
+ sha256sums = c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3
+ sha256sums = 1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2
+ sha256sums = ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32
+ sha256sums = 64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00
+ sha256sums = 3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb
+ sha256sums = 95f0d0a94983b0dafd295f660a663f9be5ef2fcb9646098426a5d12b59f50638
pkgname = linux-macbook
pkgdesc = The Linux-macbook kernel and modules
diff --git a/0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch b/0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
new file mode 100644
index 00000000000..fe62f65af16
--- /dev/null
+++ b/0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
@@ -0,0 +1,77 @@
+From 16b5ff888e251b8c4dedd3994d2e85ab25ea7fa4 Mon Sep 17 00:00:00 2001
+Message-Id: <16b5ff888e251b8c4dedd3994d2e85ab25ea7fa4.1514245036.git.jan.steffens@gmail.com>
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 18 Dec 2017 23:36:57 +0100
+Subject: [PATCH] ALSA: usb-audio: Fix the missing ctl name suffix at parsing
+ SU
+
+The commit 89b89d121ffc ("ALSA: usb-audio: Add check return value for
+usb_string()") added the check of the return value from
+snd_usb_copy_string_desc(), which is correct per se, but it introduced
+a regression. In the original code, either the "Clock Source",
+"Playback Source" or "Capture Source" suffix is added after the
+terminal string, while the commit changed it to add the suffix only
+when get_term_name() is failing. It ended up with an incorrect ctl
+name like "PCM" instead of "PCM Capture Source".
+
+Also, even the original code has a similar bug: when the ctl name is
+generated from snd_usb_copy_string_desc() for the given iSelector, it
+also doesn't put the suffix.
+
+This patch addresses these issues: the suffix is added always when no
+static mapping is found. Also the patch tries to put more comments
+and cleans up the if/else block for better readability in order to
+avoid the same pitfall again.
+
+Fixes: 89b89d121ffc ("ALSA: usb-audio: Add check return value for usb_string()")
+Reported-and-tested-by: Mauro Santos <registo.mailling@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/mixer.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 4fde4f8d4444a597..75bce127d768c613 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2173,20 +2173,25 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
+ kctl->private_value = (unsigned long)namelist;
+ kctl->private_free = usb_mixer_selector_elem_free;
+
+- nameid = uac_selector_unit_iSelector(desc);
++ /* check the static mapping table at first */
+ len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
+- if (len)
+- ;
+- else if (nameid)
+- len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+- sizeof(kctl->id.name));
+- else
+- len = get_term_name(state, &state->oterm,
+- kctl->id.name, sizeof(kctl->id.name), 0);
+-
+ if (!len) {
+- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++ /* no mapping ? */
++ /* if iSelector is given, use it */
++ nameid = uac_selector_unit_iSelector(desc);
++ if (nameid)
++ len = snd_usb_copy_string_desc(state, nameid,
++ kctl->id.name,
++ sizeof(kctl->id.name));
++ /* ... or pick up the terminal name at next */
++ if (!len)
++ len = get_term_name(state, &state->oterm,
++ kctl->id.name, sizeof(kctl->id.name), 0);
++ /* ... or use the fixed string "USB" as the last resort */
++ if (!len)
++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
++ /* and add the proper suffix */
+ if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ append_ctl_name(kctl, " Clock Source");
+ else if ((state->oterm.type & 0xff00) == 0x0100)
+--
+2.15.1
+
diff --git a/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch b/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
new file mode 100644
index 00000000000..b44eb2ab889
--- /dev/null
+++ b/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
@@ -0,0 +1,72 @@
+From b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4 Mon Sep 17 00:00:00 2001
+Message-Id: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 15 Nov 2017 06:40:57 +0100
+Subject: [PATCH 1/3] Revert "xfrm: Fix stack-out-of-bounds read in
+ xfrm_state_find."
+
+This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
+
+This commit breaks transport mode when the policy template
+has widlcard addresses configured, so revert it.
+
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 6eb228a70131069b..a2e531bf4f976308 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1361,29 +1361,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
+ struct net *net = xp_net(policy);
+ int nx;
+ int i, error;
++ xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
++ xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
+ xfrm_address_t tmp;
+
+ for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
+ struct xfrm_state *x;
+- xfrm_address_t *local;
+- xfrm_address_t *remote;
++ xfrm_address_t *remote = daddr;
++ xfrm_address_t *local = saddr;
+ struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
+
+- remote = &tmpl->id.daddr;
+- local = &tmpl->saddr;
+- if (xfrm_addr_any(local, tmpl->encap_family)) {
+- error = xfrm_get_saddr(net, fl->flowi_oif,
+- &tmp, remote,
+- tmpl->encap_family, 0);
+- if (error)
+- goto fail;
+- local = &tmp;
++ if (tmpl->mode == XFRM_MODE_TUNNEL ||
++ tmpl->mode == XFRM_MODE_BEET) {
++ remote = &tmpl->id.daddr;
++ local = &tmpl->saddr;
++ if (xfrm_addr_any(local, tmpl->encap_family)) {
++ error = xfrm_get_saddr(net, fl->flowi_oif,
++ &tmp, remote,
++ tmpl->encap_family, 0);
++ if (error)
++ goto fail;
++ local = &tmp;
++ }
+ }
+
+ x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
+
+ if (x && x->km.state == XFRM_STATE_VALID) {
+ xfrm[nx++] = x;
++ daddr = remote;
++ saddr = local;
+ continue;
+ }
+ if (x) {
+--
+2.15.1
+
diff --git a/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch b/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
new file mode 100644
index 00000000000..7e3ecbde40f
--- /dev/null
+++ b/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
@@ -0,0 +1,73 @@
+From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
+Message-Id: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
+ value.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <list@eworm.de>
+Reported-by: Gabriel C <nix.or.die@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Tested-by: Christian Hesse <list@eworm.de>
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+index d6d4ed7acf031172..31277d3bb7dc1241 100644
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
+ * Checks to see of the link status of the hardware has changed. If a
+ * change in link status has been detected, then we read the PHY registers
+ * to get the current speed/duplex if link exists.
++ *
++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ * up).
+ **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+ struct e1000_mac_info *mac = &hw->mac;
+ s32 ret_val, tipg_reg = 0;
+ u16 emi_addr, emi_val = 0;
+ bool link;
+ u16 phy_reg;
+
+ /* We only want to go out to the PHY registers to see if Auto-Neg
+ * has completed and/or if our link status has changed. The
+ * get_link_status flag is set upon receiving a Link Status
+ * Change or Rx Sequence Error interrupt.
+ */
+ if (!mac->get_link_status)
+- return 0;
++ return 1;
+
+ /* First we want to see if the MII Status Register reports
+ * link. If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ * different link partner.
+ */
+ ret_val = e1000e_config_fc_after_link_up(hw);
+- if (ret_val)
++ if (ret_val) {
+ e_dbg("Error configuring flow control\n");
++ return ret_val;
++ }
+
+- return ret_val;
++ return 1;
+ }
+
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
+--
+2.15.1
+
diff --git a/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
new file mode 100644
index 00000000000..26311bf3bb5
--- /dev/null
+++ b/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
@@ -0,0 +1,57 @@
+From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001
+Message-Id: <80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steffens@gmail.com>
+In-Reply-To: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
+References: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: [PATCH 2/2] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06aa198..9d43c1f4027408f3 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+ if (old_state != DCCP_CLOSED)
+ dccp_set_state(sk, DCCP_CLOSED);
+
+ /*
+ * This corresponds to the ABORT function of RFC793, sec. 3.8
+ * TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
+ */
+ if (old_state == DCCP_LISTEN) {
+ inet_csk_listen_stop(sk);
+ } else if (dccp_need_reset(old_state)) {
+ dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
+ sk->sk_err = ECONNRESET;
+ } else if (old_state == DCCP_REQUESTING)
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.15.1
+
diff --git a/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
new file mode 100644
index 00000000000..ad461449273
--- /dev/null
+++ b/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
@@ -0,0 +1,49 @@
+From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001
+Message-Id: <1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steffens@gmail.com>
+In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 22 Dec 2017 10:44:57 +0100
+Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy
+ lookup.
+
+When we do tunnel or beet mode, we pass saddr and daddr from the
+template to xfrm_state_find(), this is ok. On transport mode,
+we pass the addresses from the flowi, assuming that the IP
+addresses (and address family) don't change during transformation.
+This assumption is wrong in the IPv4 mapped IPv6 case, packet
+is IPv4 and template is IPv6.
+
+Fix this by catching address family missmatches of the policy
+and the flow already before we do the lookup.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index a2e531bf4f976308..c79ed3bed5d4dc2f 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
+ again:
+ pol = rcu_dereference(sk->sk_policy[dir]);
+ if (pol != NULL) {
+- bool match = xfrm_selector_match(&pol->selector, fl, family);
++ bool match;
+ int err = 0;
+
++ if (pol->family != family) {
++ pol = NULL;
++ goto out;
++ }
++
++ match = xfrm_selector_match(&pol->selector, fl, family);
+ if (match) {
+ if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
+ pol = NULL;
+--
+2.15.1
+
diff --git a/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
new file mode 100644
index 00000000000..80a09f9a546
--- /dev/null
+++ b/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
@@ -0,0 +1,114 @@
+From a3c64fe9d978f3ee8f21fac5b410c63fe7cce725 Mon Sep 17 00:00:00 2001
+Message-Id: <a3c64fe9d978f3ee8f21fac5b410c63fe7cce725.1514245012.git.jan.steffens@gmail.com>
+In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 20 Dec 2017 07:09:19 -0800
+Subject: [PATCH 3/3] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
+
+While teaching css_task_iter to handle skipping over tasks which
+aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
+css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
+silly bug.
+
+CSS_TASK_ITER_PROCS is implemented by repeating
+css_task_iter_advance() while the advanced cursor is pointing to a
+non-leader thread. However, the cursor variable, @l, wasn't updated
+when the iteration has to advance to the next css_set and the
+following repetition would operate on the terminal @l from the
+previous iteration which isn't pointing to a valid task leading to
+oopses like the following or infinite looping.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
+ IP: __task_pid_nr_ns+0xc7/0xf0
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ ...
+ CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
+ Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
+ task: ffff88c4baee8000 task.stack: ffff96d5c3158000
+ RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
+ RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
+ RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
+ RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
+ RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
+ R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
+ R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
+ FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
+ Call Trace:
+ cgroup_procs_show+0x19/0x30
+ cgroup_seqfile_show+0x4c/0xb0
+ kernfs_seq_show+0x21/0x30
+ seq_read+0x2ec/0x3f0
+ kernfs_fop_read+0x134/0x180
+ __vfs_read+0x37/0x160
+ ? security_file_permission+0x9b/0xc0
+ vfs_read+0x8e/0x130
+ SyS_read+0x55/0xc0
+ entry_SYSCALL_64_fastpath+0x1a/0xa5
+ RIP: 0033:0x7f94455f942d
+ RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
+ RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
+ RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
+ RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
+ R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
+ R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
+ Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
+ RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
+
+Fix it by moving the initialization of the cursor below the repeat
+label. While at it, rename it to @next for readability.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
+Cc: stable@vger.kernel.org # v4.14+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Reported-by: Bronek Kozicki <brok@incorrekt.com>
+Reported-by: George Amanakis <gamanakis@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 44857278eb8aa6a2..030e4286f14c715e 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4059,26 +4059,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
+
+ static void css_task_iter_advance(struct css_task_iter *it)
+ {
+- struct list_head *l = it->task_pos;
++ struct list_head *next;
+
+ lockdep_assert_held(&css_set_lock);
+- WARN_ON_ONCE(!l);
+-
+ repeat:
+ /*
+ * Advance iterator to find next entry. cset->tasks is consumed
+ * first and then ->mg_tasks. After ->mg_tasks, we move onto the
+ * next cset.
+ */
+- l = l->next;
++ next = it->task_pos->next;
+
+- if (l == it->tasks_head)
+- l = it->mg_tasks_head->next;
++ if (next == it->tasks_head)
++ next = it->mg_tasks_head->next;
+
+- if (l == it->mg_tasks_head)
++ if (next == it->mg_tasks_head)
+ css_task_iter_advance_css_set(it);
+ else
+- it->task_pos = l;
++ it->task_pos = next;
+
+ /* if PROCS, skip over tasks which aren't group leaders */
+ if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
+--
+2.15.1
+
diff --git a/PKGBUILD b/PKGBUILD
index fd52073ff04..2483ec55798 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@
#pkgbase=linux # Build stock -ARCH kernel
pkgbase=linux-macbook # Build kernel with a different name
_srcname=linux-4.14
-pkgver=4.14.4
+pkgver=4.14.9
pkgrel=1
arch=('x86_64')
url="https://www.kernel.org/"
@@ -23,13 +23,19 @@ source=(
'60-linux.hook' # pacman hook for depmod
'90-linux.hook' # pacman hook for initramfs regeneration
'linux.preset' # standard config files for mkinitcpio ramdisk
- 'macbook-wakeup.service' # service file for suspend/resume events
- 'apple-gmux.patch' # linux-macbook specific patches
- 'PCI-Work-around-poweroff-suspend-to-RAM-issue-on-Mac.patch'
- 'RFC-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch'
- 'RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch'
- 'intel-pstate-backport.patch'
- '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch'
+ macbook-wakeup.service # service file for suspend/resume events
+ apple-gmux.patch # linux-macbook specific patches
+ PCI-Work-around-poweroff-suspend-to-RAM-issue-on-Mac.patch
+ RFC-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch
+ RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch
+ intel-pstate-backport.patch
+ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+ 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+ 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+ 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+ 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ 0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -37,9 +43,9 @@ validpgpkeys=(
)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
- 'e9dcf9aad5977289940cd6e3762af02b87a725ba6c1a9f4af86958dc621e3a84'
+ '5edc955bb67b04c7ed426b1df17a3e322e32ad9fdda9c6abb53ab6eca7faf704'
'SKIP'
- '12a7bd958a820315d8d8be7544976e8a8aa1fb7aa27fcf8377ca68317e3e70a9'
+ '4d12ed868b05720c3d263c8454622c67bdee6969400049d7adac7b00907ad195'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
@@ -49,7 +55,13 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'7c99aaeaea7837f83a3ad215cf07277934ccf39720acee7f1c371dc86bdf89fc'
'09189eb269a9fd16898cf90a477df23306236fb897791e8d04e5a75d5007bbff'
'3d9fdbb4bee270efa6eef1d8e40a5ae562a87d5a2edae629e0829cc51714de13'
- '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85')
+ '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
+ 'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
+ '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
+ 'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32'
+ '64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00'
+ '3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb'
+ '95f0d0a94983b0dafd295f660a663f9be5ef2fcb9646098426a5d12b59f50638')
_kernelname=${pkgbase#linux}
@@ -83,9 +95,25 @@ prepare() {
patch -p1 -F1 -i \
"${srcdir}/RFC-v2-PCI-Workaround-to-enable-poweroff-on-Mac-Pro-11.patch"
- # https://bugs.archlinux.org/task/56207
+ # disable USER_NS for non-root users by default
patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ # https://bugs.archlinux.org/task/56575
+ patch -Np1 -i ../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+
+ # https://nvd.nist.gov/vuln/detail/CVE-2017-8824
+ patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+
+ # https://bugs.archlinux.org/task/56605
+ patch -Np1 -i ../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+ patch -Np1 -i ../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+
+ # https://bugs.archlinux.org/task/56846
+ patch -Np1 -i ../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+
+ # https://bugs.archlinux.org/task/56830
+ patch -Np1 -i ../0001-ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
+
cp -Tf ../config .config
if [ "${_kernelname}" != "" ]; then
diff --git a/config b/config
index 6f374b703a7..852bc5460d5 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.4-2 Kernel Configuration
+# Linux/x86 4.14.9-1 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE_SYSCTL=y
CONFIG_CROSS_MEMORY_ATTACH=y
CONFIG_FHANDLE=y
# CONFIG_USELIB is not set
-CONFIG_AUDIT=y
+# CONFIG_AUDIT is not set
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
#
# IRQ subsystem
@@ -265,6 +262,7 @@ CONFIG_OPROFILE_NMI_TIMER=y
CONFIG_KPROBES=y
CONFIG_JUMP_LABEL=y
# CONFIG_STATIC_KEYS_SELFTEST is not set
+CONFIG_OPTPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_UPROBES=y
# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
@@ -345,6 +343,7 @@ CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
CONFIG_STRICT_MODULE_RWX=y
+CONFIG_ARCH_HAS_REFCOUNT=y
# CONFIG_REFCOUNT_FULL is not set
#
@@ -1136,7 +1135,6 @@ CONFIG_NETFILTER_XT_SET=m
#
# Xtables targets
#
-CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
@@ -2246,7 +2244,7 @@ CONFIG_SCSI_HPTIOP=m
CONFIG_SCSI_BUSLOGIC=m
CONFIG_SCSI_FLASHPOINT=y
CONFIG_VMWARE_PVSCSI=m
-# CONFIG_XEN_SCSI_FRONTEND is not set
+CONFIG_XEN_SCSI_FRONTEND=m
CONFIG_HYPERV_STORAGE=m
CONFIG_LIBFC=m
CONFIG_LIBFCOE=m
@@ -2256,8 +2254,8 @@ CONFIG_SCSI_SNIC=m
# CONFIG_SCSI_SNIC_DEBUG_FS is not set
CONFIG_SCSI_DMX3191D=m
CONFIG_SCSI_EATA=m
-# CONFIG_SCSI_EATA_TAGGED_QUEUE is not set
-# CONFIG_SCSI_EATA_LINKED_COMMANDS is not set
+CONFIG_SCSI_EATA_TAGGED_QUEUE=y
+CONFIG_SCSI_EATA_LINKED_COMMANDS=y
CONFIG_SCSI_EATA_MAX_TAGS=16
CONFIG_SCSI_FUTURE_DOMAIN=m
CONFIG_SCSI_GDTH=m
@@ -2290,7 +2288,7 @@ CONFIG_SCSI_LPFC=m
CONFIG_SCSI_DC395x=m
CONFIG_SCSI_AM53C974=m
CONFIG_SCSI_WD719X=m
-# CONFIG_SCSI_DEBUG is not set
+CONFIG_SCSI_DEBUG=m
CONFIG_SCSI_PMCRAID=m
CONFIG_SCSI_PM8001=m
CONFIG_SCSI_BFA_FC=m
@@ -4027,8 +4025,7 @@ CONFIG_GPIO_PCI_IDIO_16=m
CONFIG_GPIO_VIPERBOARD=m
# CONFIG_W1 is not set
CONFIG_POWER_AVS=y
-CONFIG_POWER_RESET=y
-# CONFIG_POWER_RESET_RESTART is not set
+# CONFIG_POWER_RESET is not set
CONFIG_POWER_SUPPLY=y
# CONFIG_POWER_SUPPLY_DEBUG is not set
CONFIG_PDA_POWER=m
@@ -5328,7 +5325,7 @@ CONFIG_FB_EFI=y
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_SM501 is not set
# CONFIG_FB_SMSCUFX is not set
-CONFIG_FB_UDL=m
+# CONFIG_FB_UDL is not set
# CONFIG_FB_IBM_GXT4500 is not set
# CONFIG_FB_VIRTUAL is not set
CONFIG_XEN_FBDEV_FRONTEND=m
@@ -6523,7 +6520,7 @@ CONFIG_HYPERV_BALLOON=m
# Xen driver support
#
CONFIG_XEN_BALLOON=y
-# CONFIG_XEN_SELFBALLOONING is not set
+CONFIG_XEN_SELFBALLOONING=y
CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
CONFIG_XEN_BALLOON_MEMORY_HOTPLUG_LIMIT=512
CONFIG_XEN_SCRUB_PAGES=y
@@ -6542,7 +6539,7 @@ CONFIG_XEN_PCIDEV_BACKEND=m
CONFIG_XEN_SCSI_BACKEND=m
CONFIG_XEN_PRIVCMD=m
CONFIG_XEN_ACPI_PROCESSOR=m
-# CONFIG_XEN_MCE_LOG is not set
+CONFIG_XEN_MCE_LOG=y
CONFIG_XEN_HAVE_PVMMU=y
CONFIG_XEN_EFI=y
CONFIG_XEN_AUTO_XLATE=y
@@ -8114,9 +8111,9 @@ CONFIG_OPTIMIZE_INLINING=y
# CONFIG_DEBUG_NMI_SELFTEST is not set
# CONFIG_X86_DEBUG_FPU is not set
# CONFIG_PUNIT_ATOM_DEBUG is not set
-# CONFIG_FRAME_POINTER_UNWINDER is not set
-CONFIG_ORC_UNWINDER=y
-# CONFIG_GUESS_UNWINDER is not set
+CONFIG_UNWINDER_ORC=y
+# CONFIG_UNWINDER_FRAME_POINTER is not set
+# CONFIG_UNWINDER_GUESS is not set
#
# Security options
@@ -8148,7 +8145,6 @@ CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_YAMA=y
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
-CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y