updpkg: libre/linux-libre 4.14.12_gnu-1

9 files changed, 62 insertions, 136 deletions

diff --git a/libre/linux-libre/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch b/libre/linux-libre/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
deleted file mode 100644
index 4dca618a8..000000000
--- a/libre/linux-libre/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001
-Message-Id: <d03c0ef520f40c6de691c37e0f168c87b3423015.1514959852.git.jan.steffens@gmail.com>
-In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-From: Steffen Klassert <steffen.klassert@secunet.com>
-Date: Wed, 15 Nov 2017 06:40:57 +0100
-Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in
- xfrm_state_find."
-
-This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
-
-This commit breaks transport mode when the policy template
-has widlcard addresses configured, so revert it.
-
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
----
- net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 2a6093840e7e856e..6bc16bb61b5533ef 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
- 	struct net *net = xp_net(policy);
- 	int nx;
- 	int i, error;
-+	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
-+	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
- 	xfrm_address_t tmp;
- 
- 	for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
- 		struct xfrm_state *x;
--		xfrm_address_t *local;
--		xfrm_address_t *remote;
-+		xfrm_address_t *remote = daddr;
-+		xfrm_address_t *local  = saddr;
- 		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
- 
--		remote = &tmpl->id.daddr;
--		local = &tmpl->saddr;
--		if (xfrm_addr_any(local, tmpl->encap_family)) {
--			error = xfrm_get_saddr(net, fl->flowi_oif,
--					       &tmp, remote,
--					       tmpl->encap_family, 0);
--			if (error)
--				goto fail;
--			local = &tmp;
-+		if (tmpl->mode == XFRM_MODE_TUNNEL ||
-+		    tmpl->mode == XFRM_MODE_BEET) {
-+			remote = &tmpl->id.daddr;
-+			local = &tmpl->saddr;
-+			if (xfrm_addr_any(local, tmpl->encap_family)) {
-+				error = xfrm_get_saddr(net, fl->flowi_oif,
-+						       &tmp, remote,
-+						       tmpl->encap_family, 0);
-+				if (error)
-+					goto fail;
-+				local = &tmp;
-+			}
- 		}
- 
- 		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
- 
- 		if (x && x->km.state == XFRM_STATE_VALID) {
- 			xfrm[nx++] = x;
-+			daddr = remote;
-+			saddr = local;
- 			continue;
- 		}
- 		if (x) {
--- 
-2.15.1
-
diff --git a/libre/linux-libre/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/libre/linux-libre/0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
index edd7b24a3..edd7b24a3 100644
--- a/libre/linux-libre/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+++ b/libre/linux-libre/0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
diff --git a/libre/linux-libre/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/libre/linux-libre/0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
index 0a54ce129..0a54ce129 100644
--- a/libre/linux-libre/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+++ b/libre/linux-libre/0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
diff --git a/libre/linux-libre/0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch b/libre/linux-libre/0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
new file mode 100644
index 000000000..5d36d15ac
--- /dev/null
+++ b/libre/linux-libre/0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
@@ -0,0 +1,42 @@
+From cf45be4971bdd769c09e2a11db483510cd0bcc5f Mon Sep 17 00:00:00 2001
+Message-Id: <cf45be4971bdd769c09e2a11db483510cd0bcc5f.1515173964.git.jan.steffens@gmail.com>
+In-Reply-To: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com>
+References: <0b716bdb952b678d9bb5eb32198dbc82ec492df2.1515173964.git.jan.steffens@gmail.com>
+From: Jim Bride <jim.bride@linux.intel.com>
+Date: Mon, 6 Nov 2017 13:38:57 -0800
+Subject: [PATCH 6/6] drm/i915/edp: Only use the alternate fixed mode if it's
+ asked for
+
+In commit dc911f5bd8aa ("drm/i915/edp: Allow alternate fixed mode for
+eDP if available."), the patch allows for the use of an alternate fixed
+mode if it is available, but the patch was not ensuring that the only
+time the alternate mode is used is when it is specifically requested.
+This patch adds an additional comparison to intel_edp_compare_alt_mode
+to ensure that we only use the alternate mode if it is directly
+requested.
+
+Fixes: dc911f5bd8aac ("Allow alternate fixed mode for eDP if available.")
+Cc: David Weinehall <david.weinehall@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Jim Bride <jim.bride@linux.intel.com>
+---
+ drivers/gpu/drm/i915/intel_dp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
+index 09f274419eea1c74..838cee312e8e6978 100644
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -1632,7 +1632,8 @@ static bool intel_edp_compare_alt_mode(struct drm_display_mode *m1,
+ 			m1->vdisplay == m2->vdisplay &&
+ 			m1->vsync_start == m2->vsync_start &&
+ 			m1->vsync_end == m2->vsync_end &&
+-			m1->vtotal == m2->vtotal);
++			m1->vtotal == m2->vtotal &&
++			m1->vrefresh == m2->vrefresh);
+ 	return bres;
+ }
+ 
+-- 
+2.15.1
+
diff --git a/libre/linux-libre/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/libre/linux-libre/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
deleted file mode 100644
index f3af870c7..000000000
--- a/libre/linux-libre/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001
-Message-Id: <51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steffens@gmail.com>
-In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-From: Tom Lendacky <thomas.lendacky@amd.com>
-Date: Tue, 26 Dec 2017 23:43:54 -0600
-Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
-
-AMD processors are not subject to the types of attacks that the kernel
-page table isolation feature protects against.  The AMD microarchitecture
-does not allow memory references, including speculative references, that
-access higher privileged data when running in a lesser privileged mode
-when that access would result in a page fault.
-
-Disable page table isolation by default on AMD processors by not setting
-the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
-is set.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
-Reviewed-by: Borislav Petkov <bp@suse.de>
----
- arch/x86/kernel/cpu/common.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index f2a94dfb434e9a7c..b1be494ab4e8badf 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
- 
- 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
- 
--	/* Assume for now that ALL x86 CPUs are insecure */
--	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
-+	if (c->x86_vendor != X86_VENDOR_AMD)
-+		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
- 
- 	fpu__init_system(c);
- 
--- 
-2.15.1
-
diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD
index 61d972543..65f997a8a 100644
--- a/libre/linux-libre/PKGBUILD
+++ b/libre/linux-libre/PKGBUILD
@@ -13,7 +13,7 @@
 pkgbase=linux-libre         # Build stock kernel
 #pkgbase=linux-libre-custom # Build kernel with a different name
 _pkgbasever=4.14-gnu
-_pkgver=4.14.10-gnu
+_pkgver=4.14.12-gnu
 
 _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname
 _replacesoldkernels=() # '%' gets replaced with _kernelname
@@ -59,14 +59,13 @@ source=(
   '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch'
   '0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch'
   '0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch'
-  '0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch'
-  '0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch'
-  '0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch'
-  '0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch'
+  '0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch'
+  '0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch'
+  '0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch'
   )
 sha512sums=('0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e684147ebed91d1528d2685423dd784c5fca0f3650f874f2b93cfc6b7689b9a87f'
             'SKIP'
-            'f9b6f524702573a493745a3be29ceb923d370e1fdbe5c919a2579ebd8303725bfedd75cd103b79513012a9f1d30ec842718010a5bbecde27f83cb6b329c05297'
+            '2e8abb699328db2b156890b6ab966ba0c8cefbf64c909d13290c92ca99419b5fb06a53d3d93ed83ed6bd28edb6eeba73bd996f3cb2bc150c3b8709b2e2bbea17'
             'SKIP'
             '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
             'SKIP'
@@ -74,13 +73,13 @@ sha512sums=('0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e6841
             'SKIP'
             '7a3716bfe3b9f546da309c7492f3e08f8f506813afeb1c737a474c83313d5c313cf4582b65215c2cfce3b74d9d1021c96e8badafe8f6e5b01fe28d2b5c61ae78'
             'SKIP'
-            '197d85bf105751d1210fc1b6e5bfe0fe22c1dccbe6d2403b65f7f987b6ddc3893f4c68e1e73e510d28c7dcdc458c645c9bf6209066465303265f74bfa0cbfd3b'
-            'e65bceeba59b7e8ff138620918dcd6dd465fc87bb1e9351b903e5b0cc5dd353badd355a72f2c5402bd44bdd6cc10b5383f0992b4daf0c6142d1442ff8e3a78f9'
-            '4d76b5cba6a5112d52854429e97b765fd3dc1a2b68590f01b69e006b30c35d9dda8bd6caa53ddfafbb900b06d8418187815d063493d150d9d23fabd12cb34dba'
+            '702101a78169ad81532f416b44b74bf7723055169027489a1e95eea9909ed693f20fe3a595152f284cc0837ff09202231a82285c55c25db35447d15492f21aed'
+            'c0cad633c02bfb3ac0dd3c3daaa044b808bf6f3cfbd1035c31d95dfca338d3ad0eae50f6d9c264f6e8eaa3b590d8b500401509f55f8198406c726f6727ce0b05'
+            '7ff4babbe27585e0576d0a66f03cf41bd7556f8047db36f5e1f8391f1c624466fb714a7cfd0d91ae608eb5a123dfb7ad315ee900d8a81c9a2b1b769f4eb356a4'
             '7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a'
             '4a8b324aee4cccf3a512ad04ce1a272d14e5b05c8de90feb82075f55ea3845948d817e1b0c6f298f5816834ddd3e5ce0a0e2619866289f3c1ab8fd2f35f04f44'
             '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf'
-            'd6d056420ff750bde128787bbd556a0e3d6bb3a924e03efedeb95ea71680cc796a4778cc523d7cdfb57220e62e103b56500515cbc9d3125887183c74125f68bf'
+            '6a9a290f0fa71973f40a0335017b65bac0486fe719fa79d5cab9358d03c43613f796f5cfcf68bd89964fcb71e05dcead40516b28f78cd25ab9a841c05cbd5874'
             'SKIP'
             '29c709ee6892a668c77945142ed9749cb8a3135575a4316f4a3cc85fbda41c09fdd65e32507b654c96aa438bd2aed08c09919bb162daee969643aafd053321c4'
             '5b35ef2c675aed00ddf82b8a96a486230fad78f05b5a69c95a57632d6c7f428f026439f3ced72cf54156ffd4fd563e68d4285ba6f42428c00b966257951039c3'
@@ -96,10 +95,9 @@ sha512sums=('0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e6841
             '05f2c577450cfeae4b66a7d022a9dd0dab0dbf36e9738423efa8f45aaf0755b48a89f1f88b042946205e681458f76c5c5177c16869094839b7b234e0e2b27511'
             'fd9bdc818326fa36c9f1813d0d1821de5e325b646e1c307c197ad38bada7f298d35b4bc1bbf1c2854689f3ba71144879e799a1123037caccd6e3f64edfc22d54'
             '814517d08c35cc886fe3382619d41107d6139a703c27186d0ce58e187eaf4e84891572e58246750ac8602555794ed6f74d946565b98860787a0aa617fb946dda'
-            '7a5a6edf0879e59437b03166882e5afdc2dea9087819b1ada3aee22861a041896e305f136c61f0b8365cddff34852620fe2b3c51b5408d4c243a840b3dfe3059'
             'e6605e923c967b5f8db619868b15ea5b0d4254c62cf12bb920f38659933d6ca25a643d3e044c4915a8309071461f5f14c55d0aa0329c113bce4780d4fa3afbb7'
             '0dec1482efe6e5d762a3061f365e43191484f055b738112452b8ca39e162b935d99cf16b25c0b253d6b532fabc54bde2f5c09be91887156ed6ae06d1558f94b9'
-            'fda8b429d98b9017e0d72c91054c53afec6fab41abb06724bc1ce020863956215a3cdeb7692297d533d7426f8e2cc7f8d03c2570abf71e4b1d4f41fdb5fe63f0')
+            'fcc40dc86dd432be76854e3c51889db488de0f1029ecc227b92c4f58c62ba928f7dc3b9515ac3ca0a08d6a0a72ca4a1a754d47c4fb274fe89f09a2a336088e7a')
 validpgpkeys=(
   '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
   '6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78' # David P.
@@ -162,14 +160,13 @@ prepare() {
   patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 
   # https://bugs.archlinux.org/task/56605
-  patch -Np1 -i ../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
-  patch -Np1 -i ../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+  patch -Np1 -i ../0004-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
 
   # https://bugs.archlinux.org/task/56846
-  patch -Np1 -i ../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+  patch -Np1 -i ../0005-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
 
-  # For AMD processors, keep PTI off by default
-  #patch -Np1 -i ../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+  # https://bugs.archlinux.org/task/56711
+  patch -Np1 -i ../0006-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
 
   # maintain the TTY over USB disconnects
   # http://www.coreboot.org/EHCI_Gadget_Debug
diff --git a/libre/linux-libre/config.armv7h b/libre/linux-libre/config.armv7h
index 39ed8b475..7c369dcac 100644
--- a/libre/linux-libre/config.armv7h
+++ b/libre/linux-libre/config.armv7h
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm 4.14.8-gnu-1 Kernel Configuration
+# Linux/arm 4.14.12-gnu-1 Kernel Configuration
 #
 CONFIG_ARM=y
 CONFIG_ARM_HAS_SG_CHAIN=y
@@ -8433,6 +8433,7 @@ CONFIG_SECURITY=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
+CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_SECURITY_INFINIBAND is not set
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
diff --git a/libre/linux-libre/config.i686 b/libre/linux-libre/config.i686
index cc903c884..207de9398 100644
--- a/libre/linux-libre/config.i686
+++ b/libre/linux-libre/config.i686
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.4-gnu Kernel Configuration
+# Linux/x86 4.14.12-gnu Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -8290,6 +8290,7 @@ CONFIG_SECURITY=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_NETWORK is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_SECURITY_INFINIBAND is not set
 CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
diff --git a/libre/linux-libre/config.x86_64 b/libre/linux-libre/config.x86_64
index 8b7751b72..0cdd17a02 100644
--- a/libre/linux-libre/config.x86_64
+++ b/libre/linux-libre/config.x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.4-gnu-1 Kernel Configuration
+# Linux/x86 4.14.12-gnu-1 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -8073,6 +8073,7 @@ CONFIG_SECURITY=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_NETWORK is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_INTEL_TXT is not set