dgit.raspbian.org Git - linux.git/log

snd-pcsp: Disable autoload

There are two drivers claiming the platform:pcspkr device:
- pcspkr creates an input(!) device that can only beep
- snd-pcsp creates an equivalent input device plus a PCM device that can
  play barely recognisable renditions of sampled sound

snd-pcsp is blacklisted by the alsa-base package, but not everyone
installs that.  On PCs where no sound is wanted at all, both drivers
will still be loaded and one or other will complain that it couldn't
claim the relevant I/O range.

In case anyone finds snd-pcsp useful, we continue to build it.  But
remove the alias, to ensure it's not loaded where it's not wanted.

Gbp-Pq: Topic debian
Gbp-Pq: Name snd-pcsp-disable-autoload.patch

cdc_ncm,cdc_mbim: Use NCM by default

Devices that support both NCM and MBIM modes should be kept in NCM
mode unless there is userland support for MBIM.

Set the default value of cdc_ncm.prefer_mbim to false and leave it to
userland (modem-manager) to override this with a modprobe.conf file
once it's ready to speak MBIM.

Gbp-Pq: Topic debian
Gbp-Pq: Name cdc_ncm-cdc_mbim-use-ncm-by-default.patch

security,perf: Allow further restriction of perf_event_open

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all
Gbp-Pq: Name security-perf-allow-further-restriction-of-perf_event_open.patch

add sysctl to disallow unprivileged CLONE_NEWUSER by default

add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER
is certainly an intended feature of user namespaces. However
for at least saucy we want to make sure that, if any security
issues are found, we have a fail-safe.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]

Gbp-Pq: Topic debian
Gbp-Pq: Name add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

yama: Disable by default

Gbp-Pq: Topic debian
Gbp-Pq: Name yama-disable-by-default.patch

sched: Do not enable autogrouping by default

We want to provide the option of autogrouping but without enabling
it by default yet.

Gbp-Pq: Topic debian
Gbp-Pq: Name sched-autogroup-disabled.patch

fs: Enable link security restrictions by default

This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
('VFS: don't do protected {sym,hard}links by default').

Gbp-Pq: Topic debian
Gbp-Pq: Name fs-enable-link-security-restrictions-by-default.patch

dccp: Disable auto-loading as mitigation against local exploits

We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch

decnet: Disable auto-loading as mitigation against local exploits

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'decnet' protocol is unmaintained and of mostly historical
interest, and the user-space support package 'dnet-common' loads the
module explicitly. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name decnet-Disable-auto-loading-as-mitigation-against-lo.patch

rds: Disable auto-loading as mitigation against local exploits

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'rds' protocol is one such protocol that has been found to be
vulnerable, and which was not present in the 'lenny' kernel.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name rds-Disable-auto-loading-as-mitigation-against-local.patch

af_802154: Disable auto-loading as mitigation against local exploits

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch

aufs4.9 standalone patch

Patch headers added by debian/patches/features/all/aufs4/gen-patch

aufs4.9 standalone patch

Gbp-Pq: Topic features/all/aufs4
Gbp-Pq: Name aufs4-standalone.patch

aufs4.9 mmap patch

Patch headers added by debian/patches/features/all/aufs4/gen-patch

aufs4.9 mmap patch

Gbp-Pq: Topic features/all/aufs4
Gbp-Pq: Name aufs4-mmap.patch

aufs4.9 base patch

Patch headers added by debian/patches/features/all/aufs4/gen-patch

aufs4.9 base patch

Gbp-Pq: Topic features/all/aufs4
Gbp-Pq: Name aufs4-base.patch

radeon: Firmware is required for DRM and KMS on R600 onward

radeon requires firmware/microcode for the GPU in all chips, but for
newer chips (apparently R600 'Evergreen' onward) it also expects
firmware for the memory controller and other sub-blocks.

radeon attempts to gracefully fall back and disable some features if
the firmware is not available, but becomes unstable - the framebuffer
and/or system memory may be corrupted, or the display may stay black.

Therefore, perform a basic check for the existence of
/lib/firmware/radeon when a device is probed, and abort if it is
missing, except for the pre-R600 case.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch

firmware: Remove redundant log messages from drivers

Now that firmware_class logs every success and failure consistently,
many other log messages can be removed from drivers.

This will probably need to be split up into multiple patches prior to
upstream submission.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name firmware-remove-redundant-log-messages-from-drivers.patch

firmware_class: Log every success and failure against given device

The hundreds of users of request_firmware() have nearly as many
different log formats for reporting failures.  They also have only the
vaguest hint as to what went wrong; only firmware_class really knows
that.  Therefore, add specific log messages for the failure modes that
aren't currently logged.

In case of a driver that tries multiple names, this may result in the
impression that it failed to initialise.  Therefore, also log successes.

This makes many error messages in drivers redundant, which will be
removed in later patches.

This does not cover the case where we fall back to a user-mode helper
(which is no longer enabled in Debian).

NOTE: hw-detect will depend on the "firmware: failed to load %s (%d)\n"
format to detect missing firmware.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name firmware_class-log-every-success-and-failure.patch

iwlwifi: Do not request unreleased firmware for IWL6000

The iwlwifi driver currently supports firmware API versions 4-6 for
these devices.  It will request the file for the latest supported
version and then fall back to earlier versions.  However, the latest
version that has actually been released is 4, so we expect the
requests for versions 6 and then 5 to fail.

The installer appears to report any failed request, and it is probably
not easy to detect that this particular failure is harmless.  So stop
requesting the unreleased firmware.

Gbp-Pq: Topic debian
Gbp-Pq: Name iwlwifi-do-not-request-unreleased-firmware.patch

af9005: Use request_firmware() to load register init script

Read the register init script from the Windows driver. This is sick
but should avoid the potential copyright infringement in distributing
a version of the script which is directly derived from the driver.

Gbp-Pq: Topic features/all
Gbp-Pq: Name drivers-media-dvb-usb-af9005-request_firmware.patch

Install perf scripts non-executable

[bwh: Forward-ported to 3.12]

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-perf-install.patch

Create manpages and binaries including the version

[bwh: Fix version insertion in perf man page cross-references and perf
man page title. Install bash_completion script for perf with a
version-dependent name. And do the same for trace.]

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-perf-version.patch

modpost symbol prefix setting

[bwh: The original version of this was added by Bastian Blank. The
upstream code includes <generated/autoconf.h> so that <linux/export.h>
can tell whether C symbols have an underscore prefix. Since we build
modpost separately from the kernel, <generated/autoconf.h> won't exist.
However, no Debian Linux architecture uses the symbol prefix, so we
can simply omit it.]

Gbp-Pq: Topic debian
Gbp-Pq: Name modpost-symbol-prefix.patch

Kbuild: kconfig: Verbose version of --listnewconfig

If the KBUILD_VERBOSE environment variable is set to non-zero, show
the default values of new symbols and not just their names.

Based on work by Bastian Blank <waldi@debian.org> and
maximilian attems <max@stro.at>. Simplified by Michal Marek
<mmarek@suse.cz>.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all
Gbp-Pq: Name Kbuild-kconfig-Verbose-version-of-listnewconfig.patch

powerpcspe-omit-uimage

Gbp-Pq: Topic debian
Gbp-Pq: Name powerpcspe-omit-uimage.patch

Fix uImage build

[bwh: This was added without a description, but I think it is dealing
with a similar issue to powerpcspe-omit-uimage.patch]

Gbp-Pq: Topic debian
Gbp-Pq: Name arch-sh4-fix-uimage-build.patch

Partially revert "MIPS: Add -Werror to arch/mips/Kbuild"

This reverts commit 66f9ba101f54bda63ab1db97f9e9e94763d0651b.

We really don't want to add -Werror anywhere.

Gbp-Pq: Topic debian
Gbp-Pq: Name mips-disable-werror.patch

Tweak gitignore for Debian pkg-kernel using git svn.

[bwh: Tweak further for pure git]

Gbp-Pq: Topic debian
Gbp-Pq: Name gitignore.patch

kbuild: Make the toolchain variables easily overwritable

Allow make variables to be overridden for each flavour by a file in
the build tree, .kernelvariables.

We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
also CROSS_COMPILE, CFLAGS_KERNEL and CFLAGS_MODULE.

This file can only be read after we establish the build tree, and all
use of $(ARCH) needs to be moved after this.

Gbp-Pq: Topic debian
Gbp-Pq: Name kernelvariables.patch

Make mkcompile_h accept an alternate timestamp string

We want to include the Debian version in the utsname::version string
instead of a full timestamp string. However, we still need to provide
a standard timestamp string for gen_initramfs_list.sh to make the
kernel image reproducible.

Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
$KBUILD_BUILD_TIMESTAMP.

Gbp-Pq: Topic debian
Gbp-Pq: Name uname-version-timestamp.patch

Include package version along with kernel release in stack traces

For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.

Gbp-Pq: Topic debian
Gbp-Pq: Name version.patch

linux (4.9.25-1) unstable; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
    - net/openvswitch: Set the ipv6 source tunnel key address attribute
      correctly
    - net: properly release sk_frag.page
    - [arm64] amd-xgbe: Fix jumbo MTU processing on newer hardware
    - openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
    - net: unix: properly re-increment inflight counter of GC discarded
      candidates
    - net: vrf: Reset rt6i_idev in local dst after put
    - net/mlx5: Add missing entries for set/query rate limit commands
    - net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
    - net/mlx5: Increase number of max QPs in default profile
    - net/mlx5e: Count GSO/LRO packets correctly
    - ipv6: make sure to initialize sockc.tsflags before first use
    - ipv4: provide stronger user input validation in nl_fib_input()
    - socket, bpf: fix sk_filter use after free in sk_clone_lock
    - tcp: initialize icsk_ack.lrcvtime at session start time
    - Input: iforce,ims-pcu,hanwang,yealink,cm109,kbtab,sur40 - validate
      number of endpoints before using them
    - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
    - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
    - ALSA: hda - Adding a group of pin definition to fix headset problem
    - ACM gadget: fix endianness in notifications
    - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
      wBytesPerInterval
    - USB: uss720,idmouse,wusbcore: fix NULL-deref at probe
    - usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
    - usb: hub: Fix crash after failure to read BOS descriptor
    - USB: usbtmc: add missing endpoint sanity check
    - USB: usbtmc: fix probe error path
    - uwb: i1480-dfu: fix NULL-deref at probe
    - mmc: ushc: fix NULL-deref at probe
    - [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery
    - iio: sw-device: Fix config group initialization
    - iio: hid-sensor-trigger: Change get poll value function order to avoid
      sensor properties losing after resume from S3
    - parport: fix attempt to write duplicate procfiles
    - ext4: mark inode dirty after converting inline directory
    - ext4: lock the xattr block before checksuming it
    - [powerpc*/*64*] Fix idle wakeup potential to clobber registers
    - mmc: sdhci: Do not disable interrupts while waiting for clock
    - mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
    - [x86] hwrng: amd - Revert managed API changes
    - [x86] hwrng: geode - Revert managed API changes
    - [armhf] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module
      clock
    - [armhf] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
    - mwifiex: pcie: don't leak DMA buffers when removing
    - [x86] crypto: ccp - Assign DMA commands to the channel's CCP
    - xen/acpi: upload PM state from init-domain to Xen
    - [x86] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
    - [arm64] kaslr: Fix up the kernel image alignment
    - cpufreq: Restore policy min/max limits on CPU online
    - cgroup, net_cls: iterate the fds of only the tasks which are being
      migrated
    - blk-mq: don't complete un-started request in timeout handler
    - [x86] drm/amdgpu: reinstate oland workaround for sclk
    - jbd2: don't leak memory if setting up journal fails
    - [x86] intel_th: Don't leak module refcount on failure to activate
    - [x86] Drivers: hv: vmbus: Don't leak channel ids
    - [x86] Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
    - libceph: don't set weight to IN when OSD is destroyed
    - [x86] device-dax: fix pmd/pte fault fallback handling
    - [armhf] drm/bridge: analogix dp: Fix runtime PM state on driver bind
    - nl80211: fix dumpit error path RTNL deadlocks
    - drm: reference count event->completion
    - fbcon: Fix vc attr at deinit
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.20
    - xfrm: policy: init locks early
    - [x86] KVM: cleanup the page tracking SRCU instance
    - virtio_balloon: init 1st buffer in stats vq
    - [mips*] ptrace: Preserve previous registers for short regset write
    - [sparc64] ptrace: Preserve previous registers for short regset write
    - fscrypt: remove broken support for detecting keyring key revocation
      (CVE-2017-7374)
    - sched/rt: Add a missing rescheduling point
    - [armhf] usb: musb: fix possible spinlock deadlock
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.21
    - libceph: force GFP_NOIO for socket allocations
    - xen/setup: Don't relocate p2m over existing one
    - xfs: only update mount/resv fields on success in __xfs_ag_resv_init
    - xfs: use per-AG reservations for the finobt
    - xfs: pull up iolock from xfs_free_eofblocks()
    - xfs: sync eofblocks scans under iolock are livelock prone
    - xfs: fix eofblocks race with file extending async dio writes
    - xfs: fix toctou race when locking an inode to access the data map
    - xfs: fail _dir_open when readahead fails
    - xfs: filter out obviously bad btree pointers
    - xfs: check for obviously bad level values in the bmbt root
    - xfs: verify free block header fields
    - xfs: allow unwritten extents in the CoW fork
    - xfs: mark speculative prealloc CoW fork extents unwritten
    - xfs: reset b_first_retry_time when clear the retry status of xfs_buf_t
    - xfs: update ctime and mtime on clone destinatation inodes
    - xfs: reject all unaligned direct writes to reflinked files
    - xfs: don't fail xfs_extent_busy allocation
    - xfs: handle indlen shortage on delalloc extent merge
    - xfs: split indlen reservations fairly when under reserved
    - xfs: fix uninitialized variable in _reflink_convert_cow
    - xfs: don't reserve blocks for right shift transactions
    - xfs: Use xfs_icluster_size_fsb() to calculate inode chunk alignment
    - xfs: tune down agno asserts in the bmap code
    - xfs: only reclaim unwritten COW extents periodically
    - xfs: fix and streamline error handling in xfs_end_io
    - xfs: Use xfs_icluster_size_fsb() to calculate inode alignment mask
    - xfs: use iomap new flag for newly allocated delalloc blocks
    - xfs: try any AG when allocating the first btree block when reflinking
    - scsi: libsas: fix ata xfer length
    - scsi: scsi_dh_alua: Check scsi_device_get() return value
    - scsi: scsi_dh_alua: Ensure that alua_activate() calls the completion
      function
    - ALSA: seq: Fix race during FIFO resize
    - ALSA: hda - fix a problem for lineout on a Dell AIO machine
    - [x86] ASoC: Intel: Skylake: fix invalid memory access due to wrong
      reference of pointer
    - HID: wacom: Don't add ghost interface as shared data
    - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
    - NFSv4.1 fix infinite loop on IO BAD_STATEID error
    - nfsd: map the ENOKEY to nfserr_perm for avoiding warning
    - [hppa] Clean up fixup routines for get_user()/put_user()
    - [hppa] Avoid stalled CPU warnings after system shutdown
    - [hppa] Fix access fault handling in pa_memcpy()
    - ACPI: Fix incompatibility with mcount-based function graph tracing
    - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
    - USB: fix linked-list corruption in rh_call_control()
    - [x86] KVM: clear bus pointer when destroyed
    - KVM: kvm_io_bus_unregister_dev() should never fail
    - drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
    - [armhf,arm64] drm/vc4: Allocate the right amount of space for boot-time
      CRTC state.
    - [armhf] drm/etnaviv: (re-)protect fence allocation with GPU mutex
    - [x86] mm/KASLR: Exclude EFI region from KASLR VA space randomization
    - [x86] mce: Fix copy/paste error in exception table entries
    - lib/syscall: Clear return values when no stack
    - mm: rmap: fix huge file mmap accounting in the memcg stats
    - mm, hugetlb: use pte_present() instead of pmd_present() in
      follow_huge_pmd()
    - qla2xxx: Allow vref count to timeout on vport delete.
    - mm: workingset: fix premature shadow node shrinking with cgroups
    - blk: improve order of bio handling in generic_make_request()
    - blk: Ensure users for current->bio_list can see the full list.
    - padata: avoid race in reordering
    - nvme/core: Fix race kicking freed request_queue
    - nvme/pci: Disable on removal when disconnected
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.22
    - ppdev: check before attaching port
    - ppdev: fix registering same device name
    - [x86] drm/vmwgfx: Type-check lookups of fence objects
    - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
      vmw_get_cap_3d_ioctl()
    - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
    - [x86] drm/vmwgfx: Remove getparam error message
    - sysfs: be careful of error returns from ops->show()
    - [armhf,arm64] KVM: Take mmap_sem in stage2_unmap_vm
    - [armhf,arm64] KVM: Take mmap_sem in kvm_arch_prepare_memory_region
    - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
    - [x86] iio: bmg160: reset chip when probing
    - [arm64] mm: unaligned access by user-land should be received as SIGBUS
    - cfg80211: check rdev resume callback only for registered wiphy
    - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
    - mm/page_alloc.c: fix print order in show_free_areas()
    - ptrace: fix PTRACE_LISTEN race corrupting task->state
    - dm verity fec: limit error correction recursion
    - dm verity fec: fix bufio leaks
    - ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
    - xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
    - ring-buffer: Fix return value check in test_ringbuffer()
    - mac80211: unconditionally start new netdev queues with iTXQ support
    - brcmfmac: use local iftype avoiding use-after-free of virtual interface
    - [powerpc*] Disable HFSCR[TM] if TM is not supported
    - [powerpc*] mm: Add missing global TLB invalidate if cxl is active
    - [powerpc*/*64*]: Fix flush_(d|i)cache_range() called from modules
    - [powerpc*] Don't try to fix up misaligned load-with-reservation
      instructions
    - [powerpc*] crypto/crc32c-vpmsum: Fix missing preempt_disable()
    - dm raid: fix NULL pointer dereference for raid1 without bitmap
    - [s390x] decompressor: fix initrd corruption caused by bss clear
    - [s390x] uaccess: get_user() should zero on failure (again)
    - [mips*el/loongson-3] Check TLB before handle_ri_rdhwr() for Loongson-3
    - [mips*el/loongson-3] Add MIPS_CPU_FTLB for Loongson-3A R2
    - [mips*el/loongson-3] Flush wrong invalid FTLB entry for huge page
    - [mips*el/loongson-3] c-r4k: Fix Loongson-3's vcache/scache waysize
      calculation
    - mm/mempolicy.c: fix error handling in set_mempolicy and mbind
      (CVE-2017-7616)
    - random: use chacha20 for get_random_int/long
    - [armhf] drm/sun4i: tcon: Move SoC specific quirks to a DT matched data
      structure
    - [armhf] drm/sun4i: Add compatible strings for A31/A31s display pipelines
    - [armhf] drm/sun4i: Add compatible string for A31/A31s TCON (timing
      controller)
    - HID: i2c-hid: add a simple quirk to fix device defects
    - usb: dwc3: gadget: delay unmap of bounced requests
    - [x86] ASoC: Intel: bytct_rt5640: change default capture settings
    - [armhf,arm64] clocksource/drivers/arm_arch_timer: Don't assume clock runs
      in suspend
    - scsi: ufs: introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
    - HID: multitouch: do not retrieve all reports for all devices
    - [arm64] mmc: sdhci-msm: Enable few quirks
    - scsi: ufs: ensure that host pa_tactivate is higher than device
    - svcauth_gss: Close connection when dropping an incoming message
    - scsi: ufs: add quirk to increase host PA_SaveConfigTime
    - [x86] platform: acer-wmi: Only supports AMW0_GUID1 on acer family
    - nvme: simplify stripe quirk
    - ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
    - HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
    - [x86] drm/i915: actually drive the BDW reserved IDs
    - scsi: ufs: issue link starup 2 times if device isn't active
    - [armhf] serial: 8250_omap: Add OMAP_DMA_TX_KICK quirk for AM437x
    - ACPI / button: Change default behavior to lid_init_state=open
    - [x86] ACPI: save NVS memory for Lenovo G50-45
    - HID: wacom: don't apply generic settings to old devices
    - [arm64] firmware: qcom: scm: Fix interrupted SCM calls
    - [armhf] watchdog: s3c2410: Fix infinite interrupt in soft mode
    - [x86] platform: asus-wmi: Set specified XUSB2PR value for X550LB
    - [x86] platform: asus-wmi: Detect quirk_no_rfkill from the DSDT
    - [x86] reboot/quirks: Add ASUS EeeBook X205TA reboot quirk
    - [x86] reboot/quirks: Add ASUS EeeBook X205TA/W reboot quirk
    - usb-storage: Add ignore-residue quirk for Initio INIC-3619
    - [x86] reboot/quirks: Fix typo in ASUS EeeBook X205TA reboot quirk
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.23
    - [x86] drm/i915/gen9: Increase PCODE request timeout to 50ms
    - [x86] drm/i915: Nuke debug messages from the pipe update critical section
    - [x86] drm/i915: Avoid tweaking evaluation thresholds on Baytrail v3
    - [x86] drm/i915: Only enable hotplug interrupts if the display interrupts
      are enabled
    - [x86] drm/i915: Drop support for I915_EXEC_CONSTANTS_* execbuf parameters.
    - [x86] drm/i915: Stop using RP_DOWN_EI on Baytrail
    - [x86] drm/i915: Avoid rcu_barrier() from reclaim paths (shrinker)
    - [armhf,arm64] i2c: bcm2835: Fix hang for writing messages larger than 16
      bytes
    - rt2x00usb: fix anchor initialization
    - rt2x00usb: do not anchor rx and tx urb's
    - [mips*] Introduce irq_stack
    - [mips*] Stack unwinding while on IRQ stack
    - [mips*] Only change $28 to thread_info if coming from user mode
    - [mips*] Switch to the irq_stack in interrupts
    - [mips*] Select HAVE_IRQ_EXIT_ON_IRQ_STACK
    - [mips*] IRQ Stack: Fix erroneous jal to plat_irq_dispatch
    - [x86] Revert "drm/i915/execlists: Reset RING registers upon resume"
    - blk-mq: Avoid memory reclaim when remapping queues
    - usb: hub: Wait for connection to be reestablished after port reset
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to
      VGT transitions
    - dma-buf: add support for compat ioctl
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.24
    - cgroup, kthread: close race window where new kthreads can be migrated to
      non-root cgroups
    - thp: fix MADV_DONTNEED vs. MADV_FREE race
    - thp: fix MADV_DONTNEED vs clear soft dirty race
    - zsmalloc: expand class bit
    - drm/nouveau/mpeg: mthd returns true on success now
    - drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one
    - [armhf] drm/etnaviv: fix missing unlock on error in etnaviv_gpu_submit()
    - CIFS: reconnect thread reschedule itself
    - CIFS: store results of cifs_reopen_file to avoid infinite wait
    - Input: xpad - add support for Razer Wildcat gamepad
    - [x86] perf: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
    - [x86] efi: Don't try to reserve runtime regions
    - [x86] signals: Fix lower/upper bound reporting in compat siginfo
    - [x86] pmem: fix broken __copy_user_nocache cache-bypass assumptions
    - [x86] vdso: Ensure vdso32_enabled gets set to valid values only
    - [x86] vdso: Plug race between mapping and ELF header setup
    - [x86] acpi, nfit, libnvdimm: fix interleave set cookie calculation
      (64-bit comparison)
    - ACPI / scan: Set the visited flag for all enumerated devices
    - [hppa] fix bugs in pa_memcpy
    - efi/libstub: Skip GOP with PIXEL_BLT_ONLY format
    - efi/fb: Avoid reconfiguration of BAR that covers the framebuffer
    - iscsi-target: Fix TMR reference leak during session shutdown
    - iscsi-target: Drop work-around for legacy GlobalSAN initiator
    - scsi: sr: Sanity check returned mode data
    - scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
    - scsi: qla2xxx: Add fix to read correct register value for ISP82xx.
    - scsi: sd: Fix capacity calculation with 32-bit sector_t
    - target: Avoid mappedlun symlink creation during lun shutdown
    - xen, fbfront: fix connecting to backend
    - new privimitive: iov_iter_revert()
    - make skb_copy_datagram_msg() et.al. preserve ->msg_iter on error
    - [x86] libnvdimm: fix blk free space accounting
    - [x86] libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep
      splat
    - [armhf] pwm: rockchip: State of PWM clock should synchronize with PWM
      enabled state
    - cpufreq: Bring CPUs up even if cpufreq_online() failed
    - [armhf] irqchip/irq-imx-gpcv2: Fix spinlock initialization
    - ftrace: Fix removing of second function probe
    - zram: do not use copy_page with non-page aligned address
    - ftrace: Fix function pid filter on instances
    - crypto: algif_aead - Fix bogus request dereference in completion function
    - crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618)
    - [hppa] Fix get_user() for 64-bit value on 32-bit kernel
    - dvb-usb-v2: avoid use-after-free (CVE-2017-8064)
    - drm/nouveau/disp/mcp7x: disable dptmds workaround (Closes: #850219)
    - [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889)
    - dvb-usb-firmware: don't do DMA on stack (CVE-2017-8061)
    - cxusb: Use a dma capable buffer also for reading (CVE-2017-8063)
    - virtio-console: avoid DMA from stack (CVE-2017-8067)
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.25
    - KEYS: Disallow keyrings beginning with '.' to be joined as session
      keyrings (CVE-2016-9604)
    - KEYS: Change the name of the dead type to ".dead" to prevent user access
      (CVE-2017-6951)
    - KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
      (CVE-2017-7472)
    - tracing: Allocate the snapshot buffer before enabling probe
    - ring-buffer: Have ring_buffer_iter_empty() return true when empty
    - mm: prevent NR_ISOLATE_* stats from going negative
    - cifs: Do not send echoes before Negotiate is complete (Closes: #856843)
    - CIFS: remove bad_network_name flag
    - [s390x] mm: fix CMMA vs KSM vs others
    - Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
    - ACPI / power: Avoid maybe-uninitialized warning
    - [armhf] mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for
      DDR50 card
    - ubifs: Fix RENAME_WHITEOUT support
    - ubifs: Fix O_TMPFILE corner case in ubifs_link()
    - mac80211: reject ToDS broadcast data frames
    - mac80211: fix MU-MIMO follow-MAC mode
    - ubi/upd: Always flush after prepared for an update
    - [powerpc*] kprobe: Fix oops when kprobed on 'stdu' instruction
    - [x86] mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
    - [x86] mce: Make the MCE notifier a blocking one
    - device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation

  [ Ben Hutchings ]
  * w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
  * debian/rules.real: Undefine $LANGUAGE, which can break debug symbols for
    vDSOs (Closes: #859807)
  * Bump ABI to 3
  * [s390x] Set NR_CPUS=256 (Closes: #858731)
  * [x86] usbip: Increase USBIP_VHCI_NR_HCS to 8 and USBIP_VHCI_HC_PORTS to 31
    (Closes: #859641)
  * [powerpc/powerpc64,ppc64*] target: Enable SCSI_IBMVSCSIS as module
  * cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores
    (Closes: #859978)
  * udeb: Include all AHCI drivers in sata-modules (Closes: #860335)
  * [powerpc/powerpc64,ppc64] Set NR_CPUS=2048, matching ppc64el
  * [powerpc*/*64*] Enable CPUMASK_OFFSTACK to reduce stack usage
  * [mips*el/loongson-3] Set NR_CPUS=16 to allow for Loongson 3B2000
  * [mips*/octeon] Set NR_CPUS=64 to allow for Cavium CN7890
  * [arm64] Set NR_CPUS=256 to allow for multi-SoC systems (Closes: #861209)
  * [powerpc/powerpc-smp,powerpcspe] Explicitly set NR_CPUS=4
  * Move debug symbols back to the main archive, to avoid problems with the
    current handling in dak
  * linux-image: Disable signing until it's supported in dak
  * [rt] Update to 4.9.20-rt16:
    - rtmutex: Make lock_killable work
    - rtmutex: Provide rt_mutex_lock_state()
    - rtmutex: Provide locked slowpath
    - rwsem/rt: Lift single reader restriction
  * PCI: Enable PCIE_PTM (except on armel/marvell)
  * 6lowpan: Enable Generic Header Compression modules
  * net/sched: Enable NET_ACT_SKBMOD as module
  * ethernet: Enable NFP_NETVF as module
  * net/phy: Enable MICROSEMI_PHY as module
  * input/tablet: Enable TABLET_USB_PEGASUS as module
  * [x86] input/touchscreen: Enable TOUCHSCREEN_SURFACE3_SPI as module
  * serial/8250: Enable SERIAL_8250_MOXA as module
  * [x86] gpio: Enable GPIO_AMDPT as module
  * [x86] thermal: Enable INT3406_THERMAL as module
  * watchdog: Enable WATCHDOG_SYSFS
  * integrity: Enable IMA, IMA_DEFAULT_HASH_SHA256, IMA_APPRAISE,
    IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, IMA_BLACKLIST_KEYRING
    (except on armel/marvell) (Closes: #788290)
  * media: Enable VIDEO_TW5864, VIDEO_TW686X as modules
  * [x86] amdgpu,sound/soc: Enable DRM_AMD_ACP; enable SND_SOC_AMD_ACP as module
  * hda: Set SND_HDA_PREALLOC_SIZE=2048 as recommended for PulseAudio
  * HID: Enable HID_SENSOR_CUSTOM_SENSOR as module
  * leds,USB: Enable USB_LEDS_TRIGGER_USBPORT as module
  * usbip: Enable USBIP_VUDC as module
  * USB/misc: Enable UCSI as module
  * leds: Enable LEDS_TRIGGER_DISK, LEDS_TRIGGER_MTD, LEDS_TRIGGER_PANIC
  * IB: Enable INFINIBAND_HFI1, INFINIBAND_I40IW, INFINIBAND_QEDR, RDMA_RXE
    as modules
  * [amd64] EDAC: Enable EDAC_SKX as module
  * [x86] comedi: Enable COMEDI_ADV_PCI1720, COMEDI_ADV_PCI1760 as modules
  * [x86] platform: Enable INTEL_HID_EVENT as module
  * [x86] hwtracing: Enable INTEL_TH, INTEL_TH_PCI, INTEL_TH_GTH, INTEL_TH_MSU,
    INTEL_TH_PTI as modules
  * [rt] tracing: Enable HWLAT_TRACER
  * [x86] crypto: Enable CRYPTO_DEV_QAT_C3XXX, CRYPTO_DEV_QAT_C62X,
    CRYPTO_DEV_QAT_C3XXXVF, CRYPTO_DEV_QAT_C62XVF as modules
  * crypto: Enable CRYPTO_DEV_CHELSIO as module
  * [arm64] Enable ARMV8_DEPRECATED, SWP_EMULATION, CP15_BARRIER_EMULATION,
    SETEND_EMULATION (Closes: #861384)
  * udeb: Add tifm_7xx1 to mmc-modules (Closes: #861195)
  * leds: Enable LEDS_GPIO as module for all configurations with GPIOs
    (Closes: #860569)
  * selinux: Set SECURITY_SELINUX_CHECKREQPROT_VALUE=0, per default.
    This may break some old applications if SELinux is enabled, and can be
    reverted using the kernel parameter: checkreqprot=1
  * udeb: Move mfd-core to kernel-image, as both input-modules and
    mmc-modules need it
  * crypto: Change CRYPTO_SHA256 from module to built-in, as required by IMA

  [ Salvatore Bonaccorso ]
  * ping: implement proper locking (CVE-2017-2671)
  * macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477)
  * macsec: dynamically allocate space for sglist
  * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
  * nfsd4: minor NFSv2/v3 write decoding cleanup
  * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)

  [ Aurelien Jarno ]
  * [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
    board.
  * [mips*el/loongson-3] Disable PAGE_EXTENSION and PAGE_POISONING.

  [ John Paul Adrian Glaubitz ]
  * [m68k] udeb: Enable suffix for kernel-image (Closes: #859366)

[dgit import unpatched linux 4.9.25-1]

Import linux_4.9.25.orig.tar.xz

[dgit import orig linux_4.9.25.orig.tar.xz]

Import linux_4.9.25-1.debian.tar.xz

[dgit import tarball linux 4.9.25-1 linux_4.9.25-1.debian.tar.xz]