dgit.raspbian.org Git - linux.git/log

nfsd: check for oversized NFSv2/v3 arguments

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name nfsd-check-for-oversized-NFSv2-v3-arguments.patch

macsec: dynamically allocate space for sglist

We call skb_cow_data, which is good anyway to ensure we can actually
modify the skb as such (another error from prior). Now that we have the
number of fragments required, we can safely allocate exactly that amount
of memory.

Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name macsec-dynamically-allocate-space-for-sglist.patch

macsec: avoid heap overflow in skb_to_sgvec

While this may appear as a humdrum one line change, it's actually quite
important. An sk_buff stores data in three places:

1. A linear chunk of allocated memory in skb->data. This is the easiest
   one to work with, but it precludes using scatterdata since the memory
   must be linear.
2. The array skb_shinfo(skb)->frags, which is of maximum length
   MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
   can point to different pages.
3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
   which in turn can have data in either (1) or (2).

The first two are rather easy to deal with, since they're of a fixed
maximum length, while the third one is not, since there can be
potentially limitless chains of fragments. Fortunately dealing with
frag_list is opt-in for drivers, so drivers don't actually have to deal
with this mess. For whatever reason, macsec decided it wanted pain, and
so it explicitly specified NETIF_F_FRAGLIST.

Because dealing with (1), (2), and (3) is insane, most users of sk_buff
doing any sort of crypto or paging operation calls a convenient function
called skb_to_sgvec (which happens to be recursive if (3) is in use!).
This takes a sk_buff as input, and writes into its output pointer an
array of scattergather list items. Sometimes people like to declare a
fixed size scattergather list on the stack; othertimes people like to
allocate a fixed size scattergather list on the heap. However, if you're
doing it in a fixed-size fashion, you really shouldn't be using
NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
frag_list children arent't shared and then you check the number of
fragments in total required.)

Macsec specifically does this:

        size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
        tmp = kmalloc(size, GFP_ATOMIC);
        *sg = (struct scatterlist *)(tmp + sg_offset);
...
        sg_init_table(sg, MAX_SKB_FRAGS + 1);
        skb_to_sgvec(skb, sg, 0, skb->len);

Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
overflow the heap, and disaster ensues.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name macsec-avoid-heap-overflow-in-skb_to_sgvec.patch

ping: implement proper locking

We got a report of yet another bug in ping

http://www.openwall.com/lists/oss-security/2017/03/24/6

->disconnect() is not called with socket lock held.

Fix this by acquiring ping rwlock earlier.

Thanks to Daniel, Alexander and Andrey for letting us know this problem.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
Reported-by: Solar Designer <solar@openwall.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name ping-implement-proper-locking.patch

net/packet: fix overflow in check for tp_reserve

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name net-packet-fix-overflow-in-check-for-tp_reserve.patch

net/packet: fix overflow in check for tp_frame_nr

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name net-packet-fix-overflow-in-check-for-tp_frame_nr.patch

time: Mark TIMER_STATS as broken

This is a substitute for upstream commit dfb4357da6dd "time: Remove
CONFIG_TIMER_STATS", which avoids the need to resolve conflicts with
the PREEMPT_RT patch series.

Gbp-Pq: Topic debian
Gbp-Pq: Name time-mark-timer_stats-as-broken.patch

PCI: Set pci=nobios by default

CONFIG_PCI_GOBIOS results in physical addresses 640KB-1MB being mapped
W+X, which is undesirable for security reasons and will result in a
warning at boot now that we enable CONFIG_DEBUG_WX.

This can be overridden using the kernel parameter "pci=nobios", but we
want to disable W+X by default. Disable PCI BIOS probing by default;
it can still be enabled using "pci=bios".

Gbp-Pq: Topic debian
Gbp-Pq: Name i386-686-pae-pci-set-pci-nobios-by-default.patch

arm64: add kernel config option to set securelevel when in Secure Boot mode

Add a kernel configuration option to enable securelevel, to restrict
userspace's ability to modify the running kernel when UEFI Secure Boot is
enabled. Based on the x86 patch by Matthew Garrett.

Determine the state of Secure Boot in the EFI stub and pass this to the
kernel using the FDT.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name arm64-add-kernel-config-option-to-set-securelevel-wh.patch

arm64/efi: Disable secure boot if shim is in insecure mode

Port to arm64 a patch originally written by Josh Boyer for the x86 EFI
stub.

A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set. Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch

mtd: Disable slram and phram when securelevel is enabled

The slram and phram drivers both allow mapping regions of physical
address space such that they can then be read and written by userland
through the MTD interface. This is probably usable to manipulate
hardware into overwriting kernel code on many systems. Prevent that
if securelevel is set.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch

Enable cold boot attack mitigation

Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name enable-cold-boot-attack-mitigation.patch

acpi: Disable APEI error injection if securelevel is set

ACPI provides an error injection mechanism, EINJ, for debugging and testing
the ACPI Platform Error Interface (APEI) and other RAS features. If
supported by the firmware, ACPI specification 5.0 and later provide for a
way to specify a physical memory address to which to inject the error.

Injecting errors through EINJ can produce errors which to the platform are
indistinguishable from real hardware errors. This can have undesirable
side-effects, such as causing the platform to mark hardware as needing
replacement.

While it does not provide a method to load unauthenticated privileged code,
the effect of these errors may persist across reboots and affect trust in
the underlying hardware, so disable error injection through EINJ if
securelevel is set.

Signed-off-by: Linn Crosetto <linn@hpe.com>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name acpi-disable-apei-error-injection-if-securelevel-is-.patch

acpi: Disable ACPI table override if securelevel is set

From the kernel documentation (initrd_table_override.txt):

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
  to override nearly any ACPI table provided by the BIOS with an
  instrumented, modified one.

When securelevel is set, the kernel should disallow any unauthenticated
changes to kernel space. ACPI tables contain code invoked by the kernel, so
do not allow ACPI tables to be overridden if securelevel is set.

Signed-off-by: Linn Crosetto <linn@hpe.com>
[bwh: Forward-ported to 4.7: ACPI override code moved to drivers/acpi/tables.c]
[bwh: Forward-ported to 4.9: adjust context]

Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name acpi-disable-acpi-table-override-if-securelevel-is-s.patch

kexec/uefi: copy secure_boot flag in boot params across kexec reboot

Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot. Adding a patch to fix this by retain the secure_boot flag
in original kernel.

secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
stub. Fixing this issue by copying secure_boot flag across kexec reboot.

Signed-off-by: Dave Young <dyoung@redhat.com>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch

hibernate: Disable when securelevel is set

There is currently no way to verify the resume image when returning
from hibernate. This might compromise the securelevel trust model,
so until we can work with signed hibernate images we disable it in
a secure modules environment.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name hibernate-disable-when-securelevel-is-set.patch

efi: Disable secure boot if shim is in insecure mode

A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set. Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch

Add option to automatically set securelevel when in Secure Boot mode

UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that the kernel prevent userspace from inserting untrusted kernel
code at runtime. Add a configuration option that enforces this automatically
when enabled.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name add-option-to-automatically-set-securelevel-when-in-.patch

asus-wmi: Restrict debugfs interface when securelevel is set

We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
be manipulated in such a way that arbitrary code can be executed in the
kernel. Prevent that if securelevel is set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name asus-wmi-restrict-debugfs-interface-when-securelevel.patch

x86: Restrict MSR access when securelevel is set

Permitting write access to MSRs allows userspace to modify the running
kernel. Prevent this if securelevel has been set. Based on a patch by Kees
Cook.

Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name x86-restrict-msr-access-when-securelevel-is-set.patch

uswsusp: Disable when securelevel is set

uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if securelevel
has been set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name uswsusp-disable-when-securelevel-is-set.patch

kexec: Disable at runtime if securelevel has been set.

kexec permits the loading and execution of arbitrary code in ring 0, which
permits the modification of the running kernel. Prevent this if securelevel
has been set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name kexec-disable-at-runtime-if-securelevel-has-been-set.patch

acpi: Ignore acpi_rsdp kernel parameter when securelevel is set

This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to execute arbitrary code in the kernel.
Disable this when securelevel is set.

Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch

acpi: Limit access to custom_method if securelevel is set

custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to modify the kernel at runtime. Prevent this
if securelevel has been set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name acpi-limit-access-to-custom_method-if-securelevel-is.patch

Restrict /dev/mem and /dev/kmem when securelevel is set.

Allowing users to write to address space provides mechanisms that may permit
modification of the kernel at runtime. Prevent this if securelevel has been
set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
[bwh: Forward-ported to 4.9: adjust context]

Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch

x86: Lock down IO port access when securelevel is enabled

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down when securelevel is set.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name x86-lock-down-io-port-access-when-securelevel-is-ena.patch

PCI: Lock down BAR access when securelevel is enabled

Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
kernel code. This should be prevented if securelevel has been set. Default
to paranoid - in future we can potentially relax this for sufficiently
IOMMU-isolated devices.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name pci-lock-down-bar-access-when-securelevel-is-enabled.patch

Enforce module signatures when securelevel is greater than 0

If securelevel has been set to 1 or greater, require that all modules have
valid signatures.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name enforce-module-signatures-when-securelevel-is-greate.patch

Add BSD-style securelevel support

Provide a coarse-grained runtime configuration option for restricting
userspace's ability to modify the running kernel.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Gbp-Pq: Topic features/all/securelevel
Gbp-Pq: Name add-bsd-style-securelevel-support.patch

netfilter: nft_ct: add notrack support

This patch adds notrack support.

I decided to add a new expression, given that this doesn't fit into the
existing set operation. Notrack doesn't need a source register, and an
hypothetical NFT_CT_NOTRACK key makes no sense since matching the
untracked state is done through NFT_CT_STATE.

I'm placing this new notrack expression into nft_ct.c, I think a single
module is too much.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gbp-Pq: Topic features/all
Gbp-Pq: Name netfilter-nft_ct-add-notrack-support.patch

Kbuild.include: addtree: Remove quotes before matching path

systemtap currently fails to build modules when the kernel source and
object trees are separate.

systemtap adds something like -I"/usr/share/systemtap/runtime" to
EXTRA_CFLAGS, and addtree should not adjust this as it's specifying an
absolute directory. But since make has no understanding of shell
quoting, it does anyway.

For a long time this didn't matter, because addtree would still emit
the original -I option after the adjusted one. However, commit
db547ef19064 ("Kbuild: don't add obj tree in additional includes")
changed it to remove the original -I option.

Remove quotes (both double and single) before matching against the
excluded patterns.

References: https://bugs.debian.org/856474
Reported-by: Jack Henschel <jackdev@mailbox.org>
Reported-by: Ritesh Raj Sarraf <rrs@debian.org>
Fixes: db547ef19064 ("Kbuild: don't add obj tree in additional includes")
Cc: stable@vger.kernel.org # 4.8+
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name kbuild-include-addtree-remove-quotes-before-matching-path.patch

dvb-usb-dibusb-mc-common: Add MODULE_LICENSE

dvb-usb-dibusb-mc-common is licensed under GPLv2, and if we don't say
so then it won't even load since it needs a GPL-only symbol.

Reported-by: Dominique Dumont <dod@debian.org>
References: https://bugs.debian.org/853110
Cc: stable@vger.kernel.org # 4.9+
Fixes: e91455a1495a ("[media] dvb-usb: split out common parts of dibusb")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name media-dvb-usb-dibusb-mc-common-add-module_license.patch

Partially revert "usb: Kconfig: using select for USB_COMMON dependency"

This reverts commit cb9c1cfc86926d0e86d19c8e34f6c23458cd3478 for
USB_LED_TRIG. This config symbol has bool type and enables extra code
in usb_common itself, not a separate driver. Enabling it should not
force usb_common to be built-in!

Fixes: cb9c1cfc8692 ("usb: Kconfig: using select for USB_COMMON dependency")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name partially-revert-usb-kconfig-using-select-for-usb_co.patch

kbuild: Do not use hyphen in exported variable name

This definition in Makefile.dtbinst:

export dtbinst-root ?= $(obj)

should define and export dtbinst-root when handling the root dts
directory, and do nothing in the subdirectories. However, the
variable does not reliably get exported to the environment, perhaps
because its name contains a hyphen.

Rename the variable to dtbinst_root.

References: https://bugs.debian.org/833561
Fixes: 323a028d39cdi ("dts, kbuild: Implement support for dtb vendor subdirs")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name kbuild-do-not-use-hyphen-in-exported-variable-name.patch

fs: Add MODULE_SOFTDEP declarations for hard-coded crypto drivers

This helps initramfs builders and other tools to find the full
dependencies of a module.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name fs-add-module_softdep-declarations-for-hard-coded-cr.patch

phy/marvell: disable 4-port phys

The Marvell PHY was originally disabled because it can cause networking
failures on some systems. According to Lennert Buytenhek this is because some
of the variants added did not share the same register layout. Since the known
cases are all 4-ports disable those variants (indicated by a 4 in the
penultimate position of the model name) until they can be audited for
correctness.

[bwh: Also #if-out the init functions for these PHYs to avoid
compiler warnings]

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name disable-some-marvell-phys.patch

kbuild: Use -nostdinc in compile tests

gcc 4.8 and later include <stdc-predef.h> by default.  In some
versions of eglibc that includes <bits/predefs.h>, but that may be
missing when building with a biarch compiler.  Also <stdc-predef.h>
itself could be missing as we are only trying to build a kernel, not
userland.

The -nostdinc option disables this, though it isn't explicitly
documented.  This option is already used when actually building
the kernel, but not by cc-option and other tests.  This can result
in silently miscompiling the kernel.

References: https://bugs.debian.org/717557
References: https://bugs.debian.org/726861
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name kbuild-use-nostdinc-in-compile-tests.patch

ARM: orion5x: fix Makefile for linkstation-lschl.dtb

The rename of orion5x-lschl.dts needs to be reflected in the Makefile:

make[3]: *** No rule to make target 'arch/arm/boot/dts/orion5x-lschl.dtb', needed by '__build'.

Fixes: 6cfd3cd8d836 ("ARM: dts: orion5x-lschl: More consistent naming on linkstation series")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Gbp-Pq: Topic features/arm
Gbp-Pq: Name ARM-orion5x-fix-Makefile-for-linkstation-lschl.dtb.patch

ARM: dts: orion5x-lschl: More consistent naming on linkstation series

DTS files, which includes orion5x-linkstation.dtsi, are named:
  orion5x-linkstation-*.dts

So we rename the file below:
  arch/arm/boot/dts/orion5x-lschl.dts
to the new name:
  arch/arm/boot/dts/orion5x-linkstation-lschl.dts

Because DTS conversion of this device was just introduced in 4.9, Debian
is still using legacy device support, other distros are the same,
so here we won't expect any impact actually.

Fixes: f94f268979a2 ("ARM: dts: orion5x: convert ls-chl to FDT")
Cc: Ashley Hughes <ashley.hughes@blueyonder.co.uk>
Signed-off-by: Roger Shimizu <rogershimizu@gmail.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Gbp-Pq: Topic features/arm
Gbp-Pq: Name ARM-dts-orion5x-lschl-More-consistent-naming-on-link.patch

ARM: dts: orion5x-lschl: Fix model name

Model name should be consistent with legacy device file, so that user
can migrate their system from legacy device support to device-tree
safely.

Legacy device file is currently removed, but it can be found on 4.8
or previous version of linux:
arch/arm/mach-orion5x/ls-chl-setup.c

Fixes: f94f268979a2 ("ARM: dts: orion5x: convert ls-chl to FDT")
Cc: Ashley Hughes <ashley.hughes@blueyonder.co.uk>
Signed-off-by: Roger Shimizu <rogershimizu@gmail.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Gbp-Pq: Topic features/arm
Gbp-Pq: Name ARM-dts-orion5x-lschl-Fix-model-name.patch

ARM64: dts: meson-gx: Add firmware reserved memory zones

The Amlogic Meson GXBB/GXL/GXM secure monitor uses part of the memory space,
this patch adds these reserved zones.

Without such reserved memory zones, running the following stress command :
$ stress-ng --vm 16 --vm-bytes 128M --timeout 10s
multiple times:

Could lead to the following kernel crashes :
[ 46.937975] Bad mode in Error handler detected on CPU1, code 0xbf000000 -- SError
...
[ 47.058536] Internal error: Attempting to execute userspace memory: 8600000f [#3] PREEMPT SMP
...
Instead of the OOM killer.

Fixes: 4f24eda8401f ("ARM64: dts: Prepare configs for Amlogic Meson GXBaby")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
[khilman: added Fixes tag, added _reserved and unit addresses]
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 4.9: adjust filename]

Gbp-Pq: Topic features/arm64
Gbp-Pq: Name dts-meson-gx-add-firmware-reserved-memory-zone.patch

ARM: dts: orion5x: convert ls-chl to FDT

This patch converts my orion5x ls-chl Linkstation device to device tree.

[gregory.clement@free-electrons.com: fix title, add back the commit log,
move the removal of the platform in an other patch]
Signed-off-by: Ashley Hughes <ashley.hughes@blueyonder.co.uk>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Gbp-Pq: Topic features/arm
Gbp-Pq: Name ARM-dts-orion5x-convert-ls-chl-to-FDT.patch

ARM: dts: turris-omnia: add support for ethernet switch

The Turris Omnia features a Marvell MV88E6176 ethernet switch. Add it to
the dts.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Tested-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Gbp-Pq: Topic features/arm
Gbp-Pq: Name arm-dts-turris-omnia-add-support-for-ethernet-switch.patch

ARM: dts: add support for Turris Omnia

This machine is an open hardware router by cz.nic driven by a
Marvell Armada 385.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Tomas Hlavacek <tmshlvck@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Gbp-Pq: Topic features/arm
Gbp-Pq: Name arm-dts-add-support-for-turris-omnia.patch

x86: Make x32 syscall support conditional on a kernel parameter

Enabling x32 in the standard amd64 kernel would increase its attack
surface while provide no benefit to the vast majority of its users.
No-one seems interested in regularly checking for vulnerabilities
specific to x32 (at least no-one with a white hat).

Still, adding another flavour just to turn on x32 seems wasteful. And
the only differences on syscall entry are two instructions (mask out
the x32 flag and compare the syscall number).

So pad the standard comparison with a nop and add a kernel parameter
"syscall.x32" which controls whether this is replaced with the x32
version at boot time. Add a Kconfig parameter to set the default.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/x86
Gbp-Pq: Name x86-make-x32-syscall-support-conditional.patch

x86: memtest: WARN if bad RAM found

Since this is not a particularly thorough test, if we find any bad
bits of RAM then there is a fair chance that there are other bad bits
we fail to detect.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/x86
Gbp-Pq: Name x86-memtest-WARN-if-bad-RAM-found.patch

MIPS: Loongson 3: Add Loongson LS3A RS780E 1-way machine definition

Add a Loongson LS3A RS780E 1-way machine definition, which only differs
from other Loongson 3 based machines by the UART base clock speed.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
[bwh: Forward-ported to 4.2]

Gbp-Pq: Topic features/mips
Gbp-Pq: Name MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch

MIPS: increase MAX_PHYSMEM_BITS on Loongson 3 only

Commit c4617318 broke Loongson-2 support and maybe even more by increasing
the value of MAX_PHYSMEM_BITS. At it is currently only needed on
Loongson-3, define it conditionally.

Note: this should be replace by upstream fix when available.

Gbp-Pq: Topic features/mips
Gbp-Pq: Name MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch

ARM: dts: kirkwood: Fix SATA pinmux-ing for TS419

The old board code for the TS419 assigns MPP pins 15 and 16 as SATA
activity signals (and none as SATA presence signals). Currently the
device tree assigns the SoC's default pinmux groups for SATA, which
conflict with the second Ethernet port.

Reported-by: gmbh@gazeta.pl
Tested-by: gmbh@gazeta.pl
References: https://bugs.debian.org/855017
Cc: stable@vger.kernel.org # 3.15+
Fixes: 934b524b3f49 ("ARM: Kirkwood: Add DT description of QNAP 419")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic bugfix/arm
Gbp-Pq: Name arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch

Don't WARN about expected W+X pages on Xen

Currently Xen PV domains (or at least dom0) on amd64 tend to have a
large number of low kernel pages with W+X permissions. It's not
obvious how to fix this, and we're not going to get any new
information by WARNing about this, but we do still want to hear about
other W+X cases. So add a condition to the WARN_ON.

Gbp-Pq: Topic debian
Gbp-Pq: Name amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch

fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS

Various free and proprietary AV products use this feature and users
apparently want it. But punting access checks to userland seems like
an easy way to deadlock the system, and there will be nothing we can
do about that. So warn and taint the kernel if this feature is
actually used.

Gbp-Pq: Topic debian
Gbp-Pq: Name fanotify-taint-on-use-of-fanotify_access_permissions.patch

fjes: Disable auto-loading

fjes matches a generic ACPI device ID, and relies on its probe
function to distinguish whether that really corresponds to a supported
device. Very few system will need the driver and it wastes memory on
all the other systems where the same device ID appears, so disable
auto-loading.

Gbp-Pq: Topic debian
Gbp-Pq: Name fjes-disable-autoload.patch

viafb: Autoload on OLPC XO 1.5 only

It appears that viafb won't work automatically on all the boards for
which it has a PCI device ID match. Currently, it is blacklisted by
udev along with most other framebuffer drivers, so this doesn't matter
much.

However, this driver is required for console support on the XO 1.5.
We need to allow it to be autoloaded on this model only, and then
un-blacklist it in udev.

Gbp-Pq: Topic bugfix/x86
Gbp-Pq: Name viafb-autoload-on-olpc-xo1.5-only.patch

snd-pcsp: Disable autoload

There are two drivers claiming the platform:pcspkr device:
- pcspkr creates an input(!) device that can only beep
- snd-pcsp creates an equivalent input device plus a PCM device that can
  play barely recognisable renditions of sampled sound

snd-pcsp is blacklisted by the alsa-base package, but not everyone
installs that.  On PCs where no sound is wanted at all, both drivers
will still be loaded and one or other will complain that it couldn't
claim the relevant I/O range.

In case anyone finds snd-pcsp useful, we continue to build it.  But
remove the alias, to ensure it's not loaded where it's not wanted.

Gbp-Pq: Topic debian
Gbp-Pq: Name snd-pcsp-disable-autoload.patch

cdc_ncm,cdc_mbim: Use NCM by default

Devices that support both NCM and MBIM modes should be kept in NCM
mode unless there is userland support for MBIM.

Set the default value of cdc_ncm.prefer_mbim to false and leave it to
userland (modem-manager) to override this with a modprobe.conf file
once it's ready to speak MBIM.

Gbp-Pq: Topic debian
Gbp-Pq: Name cdc_ncm-cdc_mbim-use-ncm-by-default.patch

security,perf: Allow further restriction of perf_event_open

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all
Gbp-Pq: Name security-perf-allow-further-restriction-of-perf_event_open.patch

add sysctl to disallow unprivileged CLONE_NEWUSER by default

add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER
is certainly an intended feature of user namespaces. However
for at least saucy we want to make sure that, if any security
issues are found, we have a fail-safe.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]

Gbp-Pq: Topic debian
Gbp-Pq: Name add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

yama: Disable by default

Gbp-Pq: Topic debian
Gbp-Pq: Name yama-disable-by-default.patch

sched: Do not enable autogrouping by default

We want to provide the option of autogrouping but without enabling
it by default yet.

Gbp-Pq: Topic debian
Gbp-Pq: Name sched-autogroup-disabled.patch

fs: Enable link security restrictions by default

This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
('VFS: don't do protected {sym,hard}links by default').

Gbp-Pq: Topic debian
Gbp-Pq: Name fs-enable-link-security-restrictions-by-default.patch

dccp: Disable auto-loading as mitigation against local exploits

We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch

decnet: Disable auto-loading as mitigation against local exploits

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'decnet' protocol is unmaintained and of mostly historical
interest, and the user-space support package 'dnet-common' loads the
module explicitly. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name decnet-Disable-auto-loading-as-mitigation-against-lo.patch

rds: Disable auto-loading as mitigation against local exploits

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'rds' protocol is one such protocol that has been found to be
vulnerable, and which was not present in the 'lenny' kernel.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name rds-Disable-auto-loading-as-mitigation-against-local.patch

af_802154: Disable auto-loading as mitigation against local exploits

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch

aufs4.9 standalone patch

Patch headers added by debian/patches/features/all/aufs4/gen-patch

aufs4.9 standalone patch

Gbp-Pq: Topic features/all/aufs4
Gbp-Pq: Name aufs4-standalone.patch

aufs4.9 mmap patch

Patch headers added by debian/patches/features/all/aufs4/gen-patch

aufs4.9 mmap patch

Gbp-Pq: Topic features/all/aufs4
Gbp-Pq: Name aufs4-mmap.patch

aufs4.9 base patch

Patch headers added by debian/patches/features/all/aufs4/gen-patch

aufs4.9 base patch

Gbp-Pq: Topic features/all/aufs4
Gbp-Pq: Name aufs4-base.patch

radeon: Firmware is required for DRM and KMS on R600 onward

radeon requires firmware/microcode for the GPU in all chips, but for
newer chips (apparently R600 'Evergreen' onward) it also expects
firmware for the memory controller and other sub-blocks.

radeon attempts to gracefully fall back and disable some features if
the firmware is not available, but becomes unstable - the framebuffer
and/or system memory may be corrupted, or the display may stay black.

Therefore, perform a basic check for the existence of
/lib/firmware/radeon when a device is probed, and abort if it is
missing, except for the pre-R600 case.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch

firmware: Remove redundant log messages from drivers

Now that firmware_class logs every success and failure consistently,
many other log messages can be removed from drivers.

This will probably need to be split up into multiple patches prior to
upstream submission.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name firmware-remove-redundant-log-messages-from-drivers.patch

firmware_class: Log every success and failure against given device

The hundreds of users of request_firmware() have nearly as many
different log formats for reporting failures.  They also have only the
vaguest hint as to what went wrong; only firmware_class really knows
that.  Therefore, add specific log messages for the failure modes that
aren't currently logged.

In case of a driver that tries multiple names, this may result in the
impression that it failed to initialise.  Therefore, also log successes.

This makes many error messages in drivers redundant, which will be
removed in later patches.

This does not cover the case where we fall back to a user-mode helper
(which is no longer enabled in Debian).

NOTE: hw-detect will depend on the "firmware: failed to load %s (%d)\n"
format to detect missing firmware.

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name firmware_class-log-every-success-and-failure.patch

iwlwifi: Do not request unreleased firmware for IWL6000

The iwlwifi driver currently supports firmware API versions 4-6 for
these devices.  It will request the file for the latest supported
version and then fall back to earlier versions.  However, the latest
version that has actually been released is 4, so we expect the
requests for versions 6 and then 5 to fail.

The installer appears to report any failed request, and it is probably
not easy to detect that this particular failure is harmless.  So stop
requesting the unreleased firmware.

Gbp-Pq: Topic debian
Gbp-Pq: Name iwlwifi-do-not-request-unreleased-firmware.patch

af9005: Use request_firmware() to load register init script

Read the register init script from the Windows driver. This is sick
but should avoid the potential copyright infringement in distributing
a version of the script which is directly derived from the driver.

Gbp-Pq: Topic features/all
Gbp-Pq: Name drivers-media-dvb-usb-af9005-request_firmware.patch

Install perf scripts non-executable

[bwh: Forward-ported to 3.12]

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-perf-install.patch

Create manpages and binaries including the version

[bwh: Fix version insertion in perf man page cross-references and perf
man page title. Install bash_completion script for perf with a
version-dependent name. And do the same for trace.]

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-perf-version.patch

modpost symbol prefix setting

[bwh: The original version of this was added by Bastian Blank. The
upstream code includes <generated/autoconf.h> so that <linux/export.h>
can tell whether C symbols have an underscore prefix. Since we build
modpost separately from the kernel, <generated/autoconf.h> won't exist.
However, no Debian Linux architecture uses the symbol prefix, so we
can simply omit it.]

Gbp-Pq: Topic debian
Gbp-Pq: Name modpost-symbol-prefix.patch

Kbuild: kconfig: Verbose version of --listnewconfig

If the KBUILD_VERBOSE environment variable is set to non-zero, show
the default values of new symbols and not just their names.

Based on work by Bastian Blank <waldi@debian.org> and
maximilian attems <max@stro.at>. Simplified by Michal Marek
<mmarek@suse.cz>.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all
Gbp-Pq: Name Kbuild-kconfig-Verbose-version-of-listnewconfig.patch

powerpcspe-omit-uimage

Gbp-Pq: Topic debian
Gbp-Pq: Name powerpcspe-omit-uimage.patch

Fix uImage build

[bwh: This was added without a description, but I think it is dealing
with a similar issue to powerpcspe-omit-uimage.patch]

Gbp-Pq: Topic debian
Gbp-Pq: Name arch-sh4-fix-uimage-build.patch

Partially revert "MIPS: Add -Werror to arch/mips/Kbuild"

This reverts commit 66f9ba101f54bda63ab1db97f9e9e94763d0651b.

We really don't want to add -Werror anywhere.

Gbp-Pq: Topic debian
Gbp-Pq: Name mips-disable-werror.patch

Tweak gitignore for Debian pkg-kernel using git svn.

[bwh: Tweak further for pure git]

Gbp-Pq: Topic debian
Gbp-Pq: Name gitignore.patch

kbuild: Make the toolchain variables easily overwritable

Allow make variables to be overridden for each flavour by a file in
the build tree, .kernelvariables.

We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
also CROSS_COMPILE, CFLAGS_KERNEL and CFLAGS_MODULE.

This file can only be read after we establish the build tree, and all
use of $(ARCH) needs to be moved after this.

Gbp-Pq: Topic debian
Gbp-Pq: Name kernelvariables.patch

Make mkcompile_h accept an alternate timestamp string

We want to include the Debian version in the utsname::version string
instead of a full timestamp string. However, we still need to provide
a standard timestamp string for gen_initramfs_list.sh to make the
kernel image reproducible.

Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
$KBUILD_BUILD_TIMESTAMP.

Gbp-Pq: Topic debian
Gbp-Pq: Name uname-version-timestamp.patch

Include package version along with kernel release in stack traces

For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.

Gbp-Pq: Topic debian
Gbp-Pq: Name version.patch

linux (4.9.25-1) unstable; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
    - net/openvswitch: Set the ipv6 source tunnel key address attribute
      correctly
    - net: properly release sk_frag.page
    - [arm64] amd-xgbe: Fix jumbo MTU processing on newer hardware
    - openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
    - net: unix: properly re-increment inflight counter of GC discarded
      candidates
    - net: vrf: Reset rt6i_idev in local dst after put
    - net/mlx5: Add missing entries for set/query rate limit commands
    - net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
    - net/mlx5: Increase number of max QPs in default profile
    - net/mlx5e: Count GSO/LRO packets correctly
    - ipv6: make sure to initialize sockc.tsflags before first use
    - ipv4: provide stronger user input validation in nl_fib_input()
    - socket, bpf: fix sk_filter use after free in sk_clone_lock
    - tcp: initialize icsk_ack.lrcvtime at session start time
    - Input: iforce,ims-pcu,hanwang,yealink,cm109,kbtab,sur40 - validate
      number of endpoints before using them
    - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
    - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
    - ALSA: hda - Adding a group of pin definition to fix headset problem
    - ACM gadget: fix endianness in notifications
    - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
      wBytesPerInterval
    - USB: uss720,idmouse,wusbcore: fix NULL-deref at probe
    - usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
    - usb: hub: Fix crash after failure to read BOS descriptor
    - USB: usbtmc: add missing endpoint sanity check
    - USB: usbtmc: fix probe error path
    - uwb: i1480-dfu: fix NULL-deref at probe
    - mmc: ushc: fix NULL-deref at probe
    - [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery
    - iio: sw-device: Fix config group initialization
    - iio: hid-sensor-trigger: Change get poll value function order to avoid
      sensor properties losing after resume from S3
    - parport: fix attempt to write duplicate procfiles
    - ext4: mark inode dirty after converting inline directory
    - ext4: lock the xattr block before checksuming it
    - [powerpc*/*64*] Fix idle wakeup potential to clobber registers
    - mmc: sdhci: Do not disable interrupts while waiting for clock
    - mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
    - [x86] hwrng: amd - Revert managed API changes
    - [x86] hwrng: geode - Revert managed API changes
    - [armhf] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module
      clock
    - [armhf] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
    - mwifiex: pcie: don't leak DMA buffers when removing
    - [x86] crypto: ccp - Assign DMA commands to the channel's CCP
    - xen/acpi: upload PM state from init-domain to Xen
    - [x86] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
    - [arm64] kaslr: Fix up the kernel image alignment
    - cpufreq: Restore policy min/max limits on CPU online
    - cgroup, net_cls: iterate the fds of only the tasks which are being
      migrated
    - blk-mq: don't complete un-started request in timeout handler
    - [x86] drm/amdgpu: reinstate oland workaround for sclk
    - jbd2: don't leak memory if setting up journal fails
    - [x86] intel_th: Don't leak module refcount on failure to activate
    - [x86] Drivers: hv: vmbus: Don't leak channel ids
    - [x86] Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
    - libceph: don't set weight to IN when OSD is destroyed
    - [x86] device-dax: fix pmd/pte fault fallback handling
    - [armhf] drm/bridge: analogix dp: Fix runtime PM state on driver bind
    - nl80211: fix dumpit error path RTNL deadlocks
    - drm: reference count event->completion
    - fbcon: Fix vc attr at deinit
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.20
    - xfrm: policy: init locks early
    - [x86] KVM: cleanup the page tracking SRCU instance
    - virtio_balloon: init 1st buffer in stats vq
    - [mips*] ptrace: Preserve previous registers for short regset write
    - [sparc64] ptrace: Preserve previous registers for short regset write
    - fscrypt: remove broken support for detecting keyring key revocation
      (CVE-2017-7374)
    - sched/rt: Add a missing rescheduling point
    - [armhf] usb: musb: fix possible spinlock deadlock
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.21
    - libceph: force GFP_NOIO for socket allocations
    - xen/setup: Don't relocate p2m over existing one
    - xfs: only update mount/resv fields on success in __xfs_ag_resv_init
    - xfs: use per-AG reservations for the finobt
    - xfs: pull up iolock from xfs_free_eofblocks()
    - xfs: sync eofblocks scans under iolock are livelock prone
    - xfs: fix eofblocks race with file extending async dio writes
    - xfs: fix toctou race when locking an inode to access the data map
    - xfs: fail _dir_open when readahead fails
    - xfs: filter out obviously bad btree pointers
    - xfs: check for obviously bad level values in the bmbt root
    - xfs: verify free block header fields
    - xfs: allow unwritten extents in the CoW fork
    - xfs: mark speculative prealloc CoW fork extents unwritten
    - xfs: reset b_first_retry_time when clear the retry status of xfs_buf_t
    - xfs: update ctime and mtime on clone destinatation inodes
    - xfs: reject all unaligned direct writes to reflinked files
    - xfs: don't fail xfs_extent_busy allocation
    - xfs: handle indlen shortage on delalloc extent merge
    - xfs: split indlen reservations fairly when under reserved
    - xfs: fix uninitialized variable in _reflink_convert_cow
    - xfs: don't reserve blocks for right shift transactions
    - xfs: Use xfs_icluster_size_fsb() to calculate inode chunk alignment
    - xfs: tune down agno asserts in the bmap code
    - xfs: only reclaim unwritten COW extents periodically
    - xfs: fix and streamline error handling in xfs_end_io
    - xfs: Use xfs_icluster_size_fsb() to calculate inode alignment mask
    - xfs: use iomap new flag for newly allocated delalloc blocks
    - xfs: try any AG when allocating the first btree block when reflinking
    - scsi: libsas: fix ata xfer length
    - scsi: scsi_dh_alua: Check scsi_device_get() return value
    - scsi: scsi_dh_alua: Ensure that alua_activate() calls the completion
      function
    - ALSA: seq: Fix race during FIFO resize
    - ALSA: hda - fix a problem for lineout on a Dell AIO machine
    - [x86] ASoC: Intel: Skylake: fix invalid memory access due to wrong
      reference of pointer
    - HID: wacom: Don't add ghost interface as shared data
    - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
    - NFSv4.1 fix infinite loop on IO BAD_STATEID error
    - nfsd: map the ENOKEY to nfserr_perm for avoiding warning
    - [hppa] Clean up fixup routines for get_user()/put_user()
    - [hppa] Avoid stalled CPU warnings after system shutdown
    - [hppa] Fix access fault handling in pa_memcpy()
    - ACPI: Fix incompatibility with mcount-based function graph tracing
    - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
    - USB: fix linked-list corruption in rh_call_control()
    - [x86] KVM: clear bus pointer when destroyed
    - KVM: kvm_io_bus_unregister_dev() should never fail
    - drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
    - [armhf,arm64] drm/vc4: Allocate the right amount of space for boot-time
      CRTC state.
    - [armhf] drm/etnaviv: (re-)protect fence allocation with GPU mutex
    - [x86] mm/KASLR: Exclude EFI region from KASLR VA space randomization
    - [x86] mce: Fix copy/paste error in exception table entries
    - lib/syscall: Clear return values when no stack
    - mm: rmap: fix huge file mmap accounting in the memcg stats
    - mm, hugetlb: use pte_present() instead of pmd_present() in
      follow_huge_pmd()
    - qla2xxx: Allow vref count to timeout on vport delete.
    - mm: workingset: fix premature shadow node shrinking with cgroups
    - blk: improve order of bio handling in generic_make_request()
    - blk: Ensure users for current->bio_list can see the full list.
    - padata: avoid race in reordering
    - nvme/core: Fix race kicking freed request_queue
    - nvme/pci: Disable on removal when disconnected
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.22
    - ppdev: check before attaching port
    - ppdev: fix registering same device name
    - [x86] drm/vmwgfx: Type-check lookups of fence objects
    - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
      vmw_get_cap_3d_ioctl()
    - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
    - [x86] drm/vmwgfx: Remove getparam error message
    - sysfs: be careful of error returns from ops->show()
    - [armhf,arm64] KVM: Take mmap_sem in stage2_unmap_vm
    - [armhf,arm64] KVM: Take mmap_sem in kvm_arch_prepare_memory_region
    - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
    - [x86] iio: bmg160: reset chip when probing
    - [arm64] mm: unaligned access by user-land should be received as SIGBUS
    - cfg80211: check rdev resume callback only for registered wiphy
    - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
    - mm/page_alloc.c: fix print order in show_free_areas()
    - ptrace: fix PTRACE_LISTEN race corrupting task->state
    - dm verity fec: limit error correction recursion
    - dm verity fec: fix bufio leaks
    - ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
    - xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
    - ring-buffer: Fix return value check in test_ringbuffer()
    - mac80211: unconditionally start new netdev queues with iTXQ support
    - brcmfmac: use local iftype avoiding use-after-free of virtual interface
    - [powerpc*] Disable HFSCR[TM] if TM is not supported
    - [powerpc*] mm: Add missing global TLB invalidate if cxl is active
    - [powerpc*/*64*]: Fix flush_(d|i)cache_range() called from modules
    - [powerpc*] Don't try to fix up misaligned load-with-reservation
      instructions
    - [powerpc*] crypto/crc32c-vpmsum: Fix missing preempt_disable()
    - dm raid: fix NULL pointer dereference for raid1 without bitmap
    - [s390x] decompressor: fix initrd corruption caused by bss clear
    - [s390x] uaccess: get_user() should zero on failure (again)
    - [mips*el/loongson-3] Check TLB before handle_ri_rdhwr() for Loongson-3
    - [mips*el/loongson-3] Add MIPS_CPU_FTLB for Loongson-3A R2
    - [mips*el/loongson-3] Flush wrong invalid FTLB entry for huge page
    - [mips*el/loongson-3] c-r4k: Fix Loongson-3's vcache/scache waysize
      calculation
    - mm/mempolicy.c: fix error handling in set_mempolicy and mbind
      (CVE-2017-7616)
    - random: use chacha20 for get_random_int/long
    - [armhf] drm/sun4i: tcon: Move SoC specific quirks to a DT matched data
      structure
    - [armhf] drm/sun4i: Add compatible strings for A31/A31s display pipelines
    - [armhf] drm/sun4i: Add compatible string for A31/A31s TCON (timing
      controller)
    - HID: i2c-hid: add a simple quirk to fix device defects
    - usb: dwc3: gadget: delay unmap of bounced requests
    - [x86] ASoC: Intel: bytct_rt5640: change default capture settings
    - [armhf,arm64] clocksource/drivers/arm_arch_timer: Don't assume clock runs
      in suspend
    - scsi: ufs: introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
    - HID: multitouch: do not retrieve all reports for all devices
    - [arm64] mmc: sdhci-msm: Enable few quirks
    - scsi: ufs: ensure that host pa_tactivate is higher than device
    - svcauth_gss: Close connection when dropping an incoming message
    - scsi: ufs: add quirk to increase host PA_SaveConfigTime
    - [x86] platform: acer-wmi: Only supports AMW0_GUID1 on acer family
    - nvme: simplify stripe quirk
    - ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
    - HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
    - [x86] drm/i915: actually drive the BDW reserved IDs
    - scsi: ufs: issue link starup 2 times if device isn't active
    - [armhf] serial: 8250_omap: Add OMAP_DMA_TX_KICK quirk for AM437x
    - ACPI / button: Change default behavior to lid_init_state=open
    - [x86] ACPI: save NVS memory for Lenovo G50-45
    - HID: wacom: don't apply generic settings to old devices
    - [arm64] firmware: qcom: scm: Fix interrupted SCM calls
    - [armhf] watchdog: s3c2410: Fix infinite interrupt in soft mode
    - [x86] platform: asus-wmi: Set specified XUSB2PR value for X550LB
    - [x86] platform: asus-wmi: Detect quirk_no_rfkill from the DSDT
    - [x86] reboot/quirks: Add ASUS EeeBook X205TA reboot quirk
    - [x86] reboot/quirks: Add ASUS EeeBook X205TA/W reboot quirk
    - usb-storage: Add ignore-residue quirk for Initio INIC-3619
    - [x86] reboot/quirks: Fix typo in ASUS EeeBook X205TA reboot quirk
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.23
    - [x86] drm/i915/gen9: Increase PCODE request timeout to 50ms
    - [x86] drm/i915: Nuke debug messages from the pipe update critical section
    - [x86] drm/i915: Avoid tweaking evaluation thresholds on Baytrail v3
    - [x86] drm/i915: Only enable hotplug interrupts if the display interrupts
      are enabled
    - [x86] drm/i915: Drop support for I915_EXEC_CONSTANTS_* execbuf parameters.
    - [x86] drm/i915: Stop using RP_DOWN_EI on Baytrail
    - [x86] drm/i915: Avoid rcu_barrier() from reclaim paths (shrinker)
    - [armhf,arm64] i2c: bcm2835: Fix hang for writing messages larger than 16
      bytes
    - rt2x00usb: fix anchor initialization
    - rt2x00usb: do not anchor rx and tx urb's
    - [mips*] Introduce irq_stack
    - [mips*] Stack unwinding while on IRQ stack
    - [mips*] Only change $28 to thread_info if coming from user mode
    - [mips*] Switch to the irq_stack in interrupts
    - [mips*] Select HAVE_IRQ_EXIT_ON_IRQ_STACK
    - [mips*] IRQ Stack: Fix erroneous jal to plat_irq_dispatch
    - [x86] Revert "drm/i915/execlists: Reset RING registers upon resume"
    - blk-mq: Avoid memory reclaim when remapping queues
    - usb: hub: Wait for connection to be reestablished after port reset
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to
      VGT transitions
    - dma-buf: add support for compat ioctl
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.24
    - cgroup, kthread: close race window where new kthreads can be migrated to
      non-root cgroups
    - thp: fix MADV_DONTNEED vs. MADV_FREE race
    - thp: fix MADV_DONTNEED vs clear soft dirty race
    - zsmalloc: expand class bit
    - drm/nouveau/mpeg: mthd returns true on success now
    - drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one
    - [armhf] drm/etnaviv: fix missing unlock on error in etnaviv_gpu_submit()
    - CIFS: reconnect thread reschedule itself
    - CIFS: store results of cifs_reopen_file to avoid infinite wait
    - Input: xpad - add support for Razer Wildcat gamepad
    - [x86] perf: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
    - [x86] efi: Don't try to reserve runtime regions
    - [x86] signals: Fix lower/upper bound reporting in compat siginfo
    - [x86] pmem: fix broken __copy_user_nocache cache-bypass assumptions
    - [x86] vdso: Ensure vdso32_enabled gets set to valid values only
    - [x86] vdso: Plug race between mapping and ELF header setup
    - [x86] acpi, nfit, libnvdimm: fix interleave set cookie calculation
      (64-bit comparison)
    - ACPI / scan: Set the visited flag for all enumerated devices
    - [hppa] fix bugs in pa_memcpy
    - efi/libstub: Skip GOP with PIXEL_BLT_ONLY format
    - efi/fb: Avoid reconfiguration of BAR that covers the framebuffer
    - iscsi-target: Fix TMR reference leak during session shutdown
    - iscsi-target: Drop work-around for legacy GlobalSAN initiator
    - scsi: sr: Sanity check returned mode data
    - scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
    - scsi: qla2xxx: Add fix to read correct register value for ISP82xx.
    - scsi: sd: Fix capacity calculation with 32-bit sector_t
    - target: Avoid mappedlun symlink creation during lun shutdown
    - xen, fbfront: fix connecting to backend
    - new privimitive: iov_iter_revert()
    - make skb_copy_datagram_msg() et.al. preserve ->msg_iter on error
    - [x86] libnvdimm: fix blk free space accounting
    - [x86] libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep
      splat
    - [armhf] pwm: rockchip: State of PWM clock should synchronize with PWM
      enabled state
    - cpufreq: Bring CPUs up even if cpufreq_online() failed
    - [armhf] irqchip/irq-imx-gpcv2: Fix spinlock initialization
    - ftrace: Fix removing of second function probe
    - zram: do not use copy_page with non-page aligned address
    - ftrace: Fix function pid filter on instances
    - crypto: algif_aead - Fix bogus request dereference in completion function
    - crypto: ahash - Fix EINPROGRESS notification callback (CVE-2017-7618)
    - [hppa] Fix get_user() for 64-bit value on 32-bit kernel
    - dvb-usb-v2: avoid use-after-free (CVE-2017-8064)
    - drm/nouveau/disp/mcp7x: disable dptmds workaround (Closes: #850219)
    - [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889)
    - dvb-usb-firmware: don't do DMA on stack (CVE-2017-8061)
    - cxusb: Use a dma capable buffer also for reading (CVE-2017-8063)
    - virtio-console: avoid DMA from stack (CVE-2017-8067)
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.25
    - KEYS: Disallow keyrings beginning with '.' to be joined as session
      keyrings (CVE-2016-9604)
    - KEYS: Change the name of the dead type to ".dead" to prevent user access
      (CVE-2017-6951)
    - KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
      (CVE-2017-7472)
    - tracing: Allocate the snapshot buffer before enabling probe
    - ring-buffer: Have ring_buffer_iter_empty() return true when empty
    - mm: prevent NR_ISOLATE_* stats from going negative
    - cifs: Do not send echoes before Negotiate is complete (Closes: #856843)
    - CIFS: remove bad_network_name flag
    - [s390x] mm: fix CMMA vs KSM vs others
    - Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
    - ACPI / power: Avoid maybe-uninitialized warning
    - [armhf] mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for
      DDR50 card
    - ubifs: Fix RENAME_WHITEOUT support
    - ubifs: Fix O_TMPFILE corner case in ubifs_link()
    - mac80211: reject ToDS broadcast data frames
    - mac80211: fix MU-MIMO follow-MAC mode
    - ubi/upd: Always flush after prepared for an update
    - [powerpc*] kprobe: Fix oops when kprobed on 'stdu' instruction
    - [x86] mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
    - [x86] mce: Make the MCE notifier a blocking one
    - device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation

  [ Ben Hutchings ]
  * w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
  * debian/rules.real: Undefine $LANGUAGE, which can break debug symbols for
    vDSOs (Closes: #859807)
  * Bump ABI to 3
  * [s390x] Set NR_CPUS=256 (Closes: #858731)
  * [x86] usbip: Increase USBIP_VHCI_NR_HCS to 8 and USBIP_VHCI_HC_PORTS to 31
    (Closes: #859641)
  * [powerpc/powerpc64,ppc64*] target: Enable SCSI_IBMVSCSIS as module
  * cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores
    (Closes: #859978)
  * udeb: Include all AHCI drivers in sata-modules (Closes: #860335)
  * [powerpc/powerpc64,ppc64] Set NR_CPUS=2048, matching ppc64el
  * [powerpc*/*64*] Enable CPUMASK_OFFSTACK to reduce stack usage
  * [mips*el/loongson-3] Set NR_CPUS=16 to allow for Loongson 3B2000
  * [mips*/octeon] Set NR_CPUS=64 to allow for Cavium CN7890
  * [arm64] Set NR_CPUS=256 to allow for multi-SoC systems (Closes: #861209)
  * [powerpc/powerpc-smp,powerpcspe] Explicitly set NR_CPUS=4
  * Move debug symbols back to the main archive, to avoid problems with the
    current handling in dak
  * linux-image: Disable signing until it's supported in dak
  * [rt] Update to 4.9.20-rt16:
    - rtmutex: Make lock_killable work
    - rtmutex: Provide rt_mutex_lock_state()
    - rtmutex: Provide locked slowpath
    - rwsem/rt: Lift single reader restriction
  * PCI: Enable PCIE_PTM (except on armel/marvell)
  * 6lowpan: Enable Generic Header Compression modules
  * net/sched: Enable NET_ACT_SKBMOD as module
  * ethernet: Enable NFP_NETVF as module
  * net/phy: Enable MICROSEMI_PHY as module
  * input/tablet: Enable TABLET_USB_PEGASUS as module
  * [x86] input/touchscreen: Enable TOUCHSCREEN_SURFACE3_SPI as module
  * serial/8250: Enable SERIAL_8250_MOXA as module
  * [x86] gpio: Enable GPIO_AMDPT as module
  * [x86] thermal: Enable INT3406_THERMAL as module
  * watchdog: Enable WATCHDOG_SYSFS
  * integrity: Enable IMA, IMA_DEFAULT_HASH_SHA256, IMA_APPRAISE,
    IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, IMA_BLACKLIST_KEYRING
    (except on armel/marvell) (Closes: #788290)
  * media: Enable VIDEO_TW5864, VIDEO_TW686X as modules
  * [x86] amdgpu,sound/soc: Enable DRM_AMD_ACP; enable SND_SOC_AMD_ACP as module
  * hda: Set SND_HDA_PREALLOC_SIZE=2048 as recommended for PulseAudio
  * HID: Enable HID_SENSOR_CUSTOM_SENSOR as module
  * leds,USB: Enable USB_LEDS_TRIGGER_USBPORT as module
  * usbip: Enable USBIP_VUDC as module
  * USB/misc: Enable UCSI as module
  * leds: Enable LEDS_TRIGGER_DISK, LEDS_TRIGGER_MTD, LEDS_TRIGGER_PANIC
  * IB: Enable INFINIBAND_HFI1, INFINIBAND_I40IW, INFINIBAND_QEDR, RDMA_RXE
    as modules
  * [amd64] EDAC: Enable EDAC_SKX as module
  * [x86] comedi: Enable COMEDI_ADV_PCI1720, COMEDI_ADV_PCI1760 as modules
  * [x86] platform: Enable INTEL_HID_EVENT as module
  * [x86] hwtracing: Enable INTEL_TH, INTEL_TH_PCI, INTEL_TH_GTH, INTEL_TH_MSU,
    INTEL_TH_PTI as modules
  * [rt] tracing: Enable HWLAT_TRACER
  * [x86] crypto: Enable CRYPTO_DEV_QAT_C3XXX, CRYPTO_DEV_QAT_C62X,
    CRYPTO_DEV_QAT_C3XXXVF, CRYPTO_DEV_QAT_C62XVF as modules
  * crypto: Enable CRYPTO_DEV_CHELSIO as module
  * [arm64] Enable ARMV8_DEPRECATED, SWP_EMULATION, CP15_BARRIER_EMULATION,
    SETEND_EMULATION (Closes: #861384)
  * udeb: Add tifm_7xx1 to mmc-modules (Closes: #861195)
  * leds: Enable LEDS_GPIO as module for all configurations with GPIOs
    (Closes: #860569)
  * selinux: Set SECURITY_SELINUX_CHECKREQPROT_VALUE=0, per default.
    This may break some old applications if SELinux is enabled, and can be
    reverted using the kernel parameter: checkreqprot=1
  * udeb: Move mfd-core to kernel-image, as both input-modules and
    mmc-modules need it
  * crypto: Change CRYPTO_SHA256 from module to built-in, as required by IMA

  [ Salvatore Bonaccorso ]
  * ping: implement proper locking (CVE-2017-2671)
  * macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477)
  * macsec: dynamically allocate space for sglist
  * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
  * nfsd4: minor NFSv2/v3 write decoding cleanup
  * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)

  [ Aurelien Jarno ]
  * [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
    board.
  * [mips*el/loongson-3] Disable PAGE_EXTENSION and PAGE_POISONING.

  [ John Paul Adrian Glaubitz ]
  * [m68k] udeb: Enable suffix for kernel-image (Closes: #859366)

[dgit import unpatched linux 4.9.25-1]

Import linux_4.9.25.orig.tar.xz

[dgit import orig linux_4.9.25.orig.tar.xz]

Import linux_4.9.25-1.debian.tar.xz

[dgit import tarball linux 4.9.25-1 linux_4.9.25-1.debian.tar.xz]