libre/linux-libre: add Arch Linux security patches and fix objtool issue

8 files changed, 551 insertions, 1 deletions

diff --git a/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000..64341b9b7
--- /dev/null
+++ b/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,103 @@
+From fb89d912d5f7289d3a922c77b671e36e1c740f5e Mon Sep 17 00:00:00 2001
+Message-Id: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 1/7] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ kernel/fork.c           | 15 +++++++++++++++
+ kernel/sysctl.c         | 12 ++++++++++++
+ kernel/user_namespace.c |  3 +++
+ 3 files changed, 30 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 500ce64517d93e68..35f5860958b40e9b 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -102,6 +102,11 @@
+ 
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+ 
+ /*
+  * Minimum number of threads to boot the kernel
+@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
+ 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ 		return ERR_PTR(-EINVAL);
+ 
++	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++		if (!capable(CAP_SYS_ADMIN))
++			return ERR_PTR(-EPERM);
++
+ 	/*
+ 	 * Thread groups must share signals as well, and detached threads
+ 	 * can only be started up within the thread group.
+@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+ 	if (unshare_flags & CLONE_NEWNS)
+ 		unshare_flags |= CLONE_FS;
+ 
++	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++		err = -EPERM;
++		if (!capable(CAP_SYS_ADMIN))
++			goto bad_unshare_out;
++	}
++
+ 	err = check_unshare_flags(unshare_flags);
+ 	if (err)
+ 		goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 56aca862c4f584f5..e8402ba393c1915d 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -105,6 +105,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = {
+ 		.proc_handler	= proc_dointvec,
+ 	},
+ #endif
++#ifdef CONFIG_USER_NS
++	{
++		.procname	= "unprivileged_userns_clone",
++		.data		= &unprivileged_userns_clone,
++		.maxlen		= sizeof(int),
++		.mode		= 0644,
++		.proc_handler	= proc_dointvec,
++	},
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ 	{
+ 		.procname	= "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index c490f1e4313b998a..dd03bd39d7bf194d 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -24,6 +24,9 @@
+ #include <linux/projid.h>
+ #include <linux/fs_struct.h>
+ 
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+ 
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch b/libre/linux-libre/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
new file mode 100644
index 000000000..8c23c9a54
--- /dev/null
+++ b/libre/linux-libre/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
@@ -0,0 +1,75 @@
+From 8c6956686606b9c3661e74a410c8cb2fc276c5ee Mon Sep 17 00:00:00 2001
+Message-Id: <8c6956686606b9c3661e74a410c8cb2fc276c5ee.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: [PATCH 2/7] e1000e: Fix e1000_check_for_copper_link_ich8lan return
+ value.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <list@eworm.de>
+Reported-by: Gabriel C <nix.or.die@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Tested-by: Christian Hesse <list@eworm.de>
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+index d6d4ed7acf031172..31277d3bb7dc1241 100644
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
+  *  Checks to see of the link status of the hardware has changed.  If a
+  *  change in link status has been detected, then we read the PHY registers
+  *  to get the current speed/duplex if link exists.
++ *
++ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ *  up).
+  **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+ 	struct e1000_mac_info *mac = &hw->mac;
+ 	s32 ret_val, tipg_reg = 0;
+ 	u16 emi_addr, emi_val = 0;
+ 	bool link;
+ 	u16 phy_reg;
+ 
+ 	/* We only want to go out to the PHY registers to see if Auto-Neg
+ 	 * has completed and/or if our link status has changed.  The
+ 	 * get_link_status flag is set upon receiving a Link Status
+ 	 * Change or Rx Sequence Error interrupt.
+ 	 */
+ 	if (!mac->get_link_status)
+-		return 0;
++		return 1;
+ 
+ 	/* First we want to see if the MII Status Register reports
+ 	 * link.  If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ 	 * different link partner.
+ 	 */
+ 	ret_val = e1000e_config_fc_after_link_up(hw);
+-	if (ret_val)
++	if (ret_val) {
+ 		e_dbg("Error configuring flow control\n");
++		return ret_val;
++	}
+ 
+-	return ret_val;
++	return 1;
+ }
+ 
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/libre/linux-libre/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
new file mode 100644
index 000000000..d7872e2a1
--- /dev/null
+++ b/libre/linux-libre/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
@@ -0,0 +1,57 @@
+From b81e273fb227373a2951c7256ab11a87d5333a9d Mon Sep 17 00:00:00 2001
+Message-Id: <b81e273fb227373a2951c7256ab11a87d5333a9d.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: [PATCH 3/7] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06aa198..9d43c1f4027408f3 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct inet_sock *inet = inet_sk(sk);
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	int err = 0;
+ 	const int old_state = sk->sk_state;
+ 
+ 	if (old_state != DCCP_CLOSED)
+ 		dccp_set_state(sk, DCCP_CLOSED);
+ 
+ 	/*
+ 	 * This corresponds to the ABORT function of RFC793, sec. 3.8
+ 	 * TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
+ 	 */
+ 	if (old_state == DCCP_LISTEN) {
+ 		inet_csk_listen_stop(sk);
+ 	} else if (dccp_need_reset(old_state)) {
+ 		dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
+ 		sk->sk_err = ECONNRESET;
+ 	} else if (old_state == DCCP_REQUESTING)
+ 		sk->sk_err = ECONNRESET;
+ 
+ 	dccp_clear_xmit_timers(sk);
++	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++	dp->dccps_hc_rx_ccid = NULL;
++	dp->dccps_hc_tx_ccid = NULL;
+ 
+ 	__skb_queue_purge(&sk->sk_receive_queue);
+ 	__skb_queue_purge(&sk->sk_write_queue);
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch b/libre/linux-libre/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
new file mode 100644
index 000000000..4dca618a8
--- /dev/null
+++ b/libre/linux-libre/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
@@ -0,0 +1,74 @@
+From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001
+Message-Id: <d03c0ef520f40c6de691c37e0f168c87b3423015.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 15 Nov 2017 06:40:57 +0100
+Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in
+ xfrm_state_find."
+
+This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
+
+This commit breaks transport mode when the policy template
+has widlcard addresses configured, so revert it.
+
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2a6093840e7e856e..6bc16bb61b5533ef 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
+ 	struct net *net = xp_net(policy);
+ 	int nx;
+ 	int i, error;
++	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
++	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
+ 	xfrm_address_t tmp;
+ 
+ 	for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
+ 		struct xfrm_state *x;
+-		xfrm_address_t *local;
+-		xfrm_address_t *remote;
++		xfrm_address_t *remote = daddr;
++		xfrm_address_t *local  = saddr;
+ 		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
+ 
+-		remote = &tmpl->id.daddr;
+-		local = &tmpl->saddr;
+-		if (xfrm_addr_any(local, tmpl->encap_family)) {
+-			error = xfrm_get_saddr(net, fl->flowi_oif,
+-					       &tmp, remote,
+-					       tmpl->encap_family, 0);
+-			if (error)
+-				goto fail;
+-			local = &tmp;
++		if (tmpl->mode == XFRM_MODE_TUNNEL ||
++		    tmpl->mode == XFRM_MODE_BEET) {
++			remote = &tmpl->id.daddr;
++			local = &tmpl->saddr;
++			if (xfrm_addr_any(local, tmpl->encap_family)) {
++				error = xfrm_get_saddr(net, fl->flowi_oif,
++						       &tmp, remote,
++						       tmpl->encap_family, 0);
++				if (error)
++					goto fail;
++				local = &tmp;
++			}
+ 		}
+ 
+ 		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
+ 
+ 		if (x && x->km.state == XFRM_STATE_VALID) {
+ 			xfrm[nx++] = x;
++			daddr = remote;
++			saddr = local;
+ 			continue;
+ 		}
+ 		if (x) {
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/libre/linux-libre/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
new file mode 100644
index 000000000..edd7b24a3
--- /dev/null
+++ b/libre/linux-libre/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
@@ -0,0 +1,49 @@
+From 3721d64246982f91a5bf863fc17ac60ff722e0c4 Mon Sep 17 00:00:00 2001
+Message-Id: <3721d64246982f91a5bf863fc17ac60ff722e0c4.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Fri, 22 Dec 2017 10:44:57 +0100
+Subject: [PATCH 5/7] xfrm: Fix stack-out-of-bounds read on socket policy
+ lookup.
+
+When we do tunnel or beet mode, we pass saddr and daddr from the
+template to xfrm_state_find(), this is ok. On transport mode,
+we pass the addresses from the flowi, assuming that the IP
+addresses (and address family) don't change during transformation.
+This assumption is wrong in the IPv4 mapped IPv6 case, packet
+is IPv4 and template is IPv6.
+
+Fix this by catching address family missmatches of the policy
+and the flow already before we do the lookup.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 6bc16bb61b5533ef..50c5f46b5cca942e 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
+  again:
+ 	pol = rcu_dereference(sk->sk_policy[dir]);
+ 	if (pol != NULL) {
+-		bool match = xfrm_selector_match(&pol->selector, fl, family);
++		bool match;
+ 		int err = 0;
+ 
++		if (pol->family != family) {
++			pol = NULL;
++			goto out;
++		}
++
++		match = xfrm_selector_match(&pol->selector, fl, family);
+ 		if (match) {
+ 			if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
+ 				pol = NULL;
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/libre/linux-libre/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
new file mode 100644
index 000000000..0a54ce129
--- /dev/null
+++ b/libre/linux-libre/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
@@ -0,0 +1,114 @@
+From a79cb4d4e540c72a601ca0494e914565c16e2893 Mon Sep 17 00:00:00 2001
+Message-Id: <a79cb4d4e540c72a601ca0494e914565c16e2893.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 20 Dec 2017 07:09:19 -0800
+Subject: [PATCH 6/7] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
+
+While teaching css_task_iter to handle skipping over tasks which
+aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
+css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
+silly bug.
+
+CSS_TASK_ITER_PROCS is implemented by repeating
+css_task_iter_advance() while the advanced cursor is pointing to a
+non-leader thread.  However, the cursor variable, @l, wasn't updated
+when the iteration has to advance to the next css_set and the
+following repetition would operate on the terminal @l from the
+previous iteration which isn't pointing to a valid task leading to
+oopses like the following or infinite looping.
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
+  IP: __task_pid_nr_ns+0xc7/0xf0
+  PGD 0 P4D 0
+  Oops: 0000 [#1] SMP
+  ...
+  CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
+  Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
+  task: ffff88c4baee8000 task.stack: ffff96d5c3158000
+  RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
+  RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
+  RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
+  RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
+  RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
+  R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
+  R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
+  FS:  00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
+  Call Trace:
+   cgroup_procs_show+0x19/0x30
+   cgroup_seqfile_show+0x4c/0xb0
+   kernfs_seq_show+0x21/0x30
+   seq_read+0x2ec/0x3f0
+   kernfs_fop_read+0x134/0x180
+   __vfs_read+0x37/0x160
+   ? security_file_permission+0x9b/0xc0
+   vfs_read+0x8e/0x130
+   SyS_read+0x55/0xc0
+   entry_SYSCALL_64_fastpath+0x1a/0xa5
+  RIP: 0033:0x7f94455f942d
+  RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
+  RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
+  RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
+  RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
+  R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
+  R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
+  Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
+  RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
+
+Fix it by moving the initialization of the cursor below the repeat
+label.  While at it, rename it to @next for readability.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
+Cc: stable@vger.kernel.org # v4.14+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Reported-by: Bronek Kozicki <brok@incorrekt.com>
+Reported-by: George Amanakis <gamanakis@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 44857278eb8aa6a2..030e4286f14c715e 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4059,26 +4059,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
+ 
+ static void css_task_iter_advance(struct css_task_iter *it)
+ {
+-	struct list_head *l = it->task_pos;
++	struct list_head *next;
+ 
+ 	lockdep_assert_held(&css_set_lock);
+-	WARN_ON_ONCE(!l);
+-
+ repeat:
+ 	/*
+ 	 * Advance iterator to find next entry.  cset->tasks is consumed
+ 	 * first and then ->mg_tasks.  After ->mg_tasks, we move onto the
+ 	 * next cset.
+ 	 */
+-	l = l->next;
++	next = it->task_pos->next;
+ 
+-	if (l == it->tasks_head)
+-		l = it->mg_tasks_head->next;
++	if (next == it->tasks_head)
++		next = it->mg_tasks_head->next;
+ 
+-	if (l == it->mg_tasks_head)
++	if (next == it->mg_tasks_head)
+ 		css_task_iter_advance_css_set(it);
+ 	else
+-		it->task_pos = l;
++		it->task_pos = next;
+ 
+ 	/* if PROCS, skip over tasks which aren't group leaders */
+ 	if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/libre/linux-libre/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
new file mode 100644
index 000000000..f3af870c7
--- /dev/null
+++ b/libre/linux-libre/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,42 @@
+From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001
+Message-Id: <51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steffens@gmail.com>
+In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against.  The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index f2a94dfb434e9a7c..b1be494ab4e8badf 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+ 
+ 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+ 
+-	/* Assume for now that ALL x86 CPUs are insecure */
+-	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++	if (c->x86_vendor != X86_VENDOR_AMD)
++		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+ 
+ 	fpu__init_system(c);
+ 
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD
index ddcb8831d..61d972543 100644
--- a/libre/linux-libre/PKGBUILD
+++ b/libre/linux-libre/PKGBUILD
@@ -56,6 +56,13 @@ source=(
   # other patches
   '0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch'
   '0002-fix-Atmel-maXTouch-touchscreen-support.patch'
+  '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch'
+  '0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch'
+  '0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch'
+  '0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch'
+  '0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch'
+  '0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch'
+  '0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch'
   )
 sha512sums=('0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e684147ebed91d1528d2685423dd784c5fca0f3650f874f2b93cfc6b7689b9a87f'
             'SKIP'
@@ -85,7 +92,14 @@ sha512sums=('0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e6841
             '6c93bc1e8d580af288921e10c456bdbda1dcb6d6f08c111cddaf9a32b43c2df41b50136bc09aaac1da9c3cae667bba6e075d590dcc465107ae6e2c3dcf7da657'
             'f813d51834cedc23fabbb6060709a24f29969fea5aeb963fdeddb79723014ffc0c6d34be45eea8419d5087a5a9c561a42a113d667f03625283f2f2fc68196545'
             '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af'
-            'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168')
+            'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168'
+            '05f2c577450cfeae4b66a7d022a9dd0dab0dbf36e9738423efa8f45aaf0755b48a89f1f88b042946205e681458f76c5c5177c16869094839b7b234e0e2b27511'
+            'fd9bdc818326fa36c9f1813d0d1821de5e325b646e1c307c197ad38bada7f298d35b4bc1bbf1c2854689f3ba71144879e799a1123037caccd6e3f64edfc22d54'
+            '814517d08c35cc886fe3382619d41107d6139a703c27186d0ce58e187eaf4e84891572e58246750ac8602555794ed6f74d946565b98860787a0aa617fb946dda'
+            '7a5a6edf0879e59437b03166882e5afdc2dea9087819b1ada3aee22861a041896e305f136c61f0b8365cddff34852620fe2b3c51b5408d4c243a840b3dfe3059'
+            'e6605e923c967b5f8db619868b15ea5b0d4254c62cf12bb920f38659933d6ca25a643d3e044c4915a8309071461f5f14c55d0aa0329c113bce4780d4fa3afbb7'
+            '0dec1482efe6e5d762a3061f365e43191484f055b738112452b8ca39e162b935d99cf16b25c0b253d6b532fabc54bde2f5c09be91887156ed6ae06d1558f94b9'
+            'fda8b429d98b9017e0d72c91054c53afec6fab41abb06724bc1ce020863956215a3cdeb7692297d533d7426f8e2cc7f8d03c2570abf71e4b1d4f41fdb5fe63f0')
 validpgpkeys=(
   '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
   '6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78' # David P.
@@ -108,6 +122,7 @@ prepare() {
   if [ "${_pkgbasever}" != "${_pkgver}" ]; then
     patch -p1 -i ../patch-${_pkgbasever}-${_pkgver}
   fi
+  chmod +x tools/objtool/sync-check.sh  # GNU patch doesn't support git-style file mode
 
   if [ "${CARCH}" = "armv7h" ]; then
     # RCN patch (CM3 firmware deblobbed and AUFS removed)
@@ -132,8 +147,29 @@ prepare() {
   install -m644 -t drivers/video/logo \
     "${srcdir}/logo_linux_"{clut224.ppm,vga16.ppm,mono.pbm}
 
+  # security patches
+    
   # add latest fixes from stable queue, if needed
   # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
+  
+  # disable USER_NS for non-root users by default
+  patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+
+  # https://bugs.archlinux.org/task/56575
+  patch -Np1 -i ../0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+
+  # https://nvd.nist.gov/vuln/detail/CVE-2017-8824
+  patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+
+  # https://bugs.archlinux.org/task/56605
+  patch -Np1 -i ../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+  patch -Np1 -i ../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+
+  # https://bugs.archlinux.org/task/56846
+  patch -Np1 -i ../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+
+  # For AMD processors, keep PTI off by default
+  #patch -Np1 -i ../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
 
   # maintain the TTY over USB disconnects
   # http://www.coreboot.org/EHCI_Gadget_Debug