Merge tag 'debian/4.12.13-1' into stretch-backports

"Release linux (4.12.13-1)."

Drop the ABI reference files for 4.12.0-2 and change our ABI number to
0.bpo.2.

debian/changelog

+linux (4.12.13-1~bpo9+1) stretch-backports; urgency=medium
+
+  * Rebuild for stretch-backports:
+    - Change ABI number to 0.bpo.2
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Thu, 28 Sep 2017 12:29:04 +0100
+
+linux (4.12.13-1) unstable; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.13
+    - mtd: nand: make Samsung SLC NAND usable again
+    - mtd: nand: hynix: add support for 20nm NAND chips
+    - [armhf] mtd: nand: mxc: Fix mxc_v1 ooblayout
+    - nvme-fabrics: generate spec-compliant UUID NQNs
+    - btrfs: resume qgroup rescan on rw remount
+    - rtlwifi: btcoexist: Fix breakage of ant_sel for rtl8723be
+    - radix-tree: must check __radix_tree_preload() return value
+    - mm: kvfree the swap cluster info if the swap file is unsatisfactory
+    - mm/swapfile.c: fix swapon frontswap_map memory leak on error
+    - mm/memory.c: fix mem_cgroup_oom_disable() call missing
+    - [i386] ALSA: msnd: Optimize / harden DSP and MIDI loops
+    - [x86] KVM: SVM: Limit PFERR_NESTED_GUEST_PAGE error_code check to L1 guest
+    - rt2800: fix TX_PIN_CFG setting for non MT7620 chips
+    - Bluetooth: Properly check L2CAP config option output buffer length
+      (CVE-2017-1000251) (Closes: #875881)
+    - [arm64] dts: marvell: armada-37xx: Fix GIC maintenance interrupt
+    - [armel,armhf] 8692/1: mm: abort uaccess retries upon fatal signal
+    - NFS: Fix 2 use after free issues in the I/O code
+    - NFS: Sync the correct byte range during synchronous writes
+    - NFSv4: Fix up mirror allocation
+    - xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+      (CVE-2017-14340)
+
+  [ Salvatore Bonaccorso ]
+  * sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558)
+  * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
+  * Add ABI reference for 4.12.0-2
+
+  [ Ben Hutchings ]
+  * nl80211: check for the required netlink attributes presence (CVE-2017-12153)
+  * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
+  * video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+    (CVE-2017-14156)
+  * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+    (CVE-2017-14489)
+  * packet: Don't write vnet header beyond end of buffer (CVE-2017-14497)
+  * [x86] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (CVE-2017-1000252)
+  * nfs: Ignore ABI change
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Tue, 19 Sep 2017 01:59:17 +0100
+
+linux (4.12.12-2) unstable; urgency=medium
+
+  * debian/source/lintian-overrides: Override license-problem-gfdl-invariants
+    error triggered by a ReSTified copy of the GFDL
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Mon, 11 Sep 2017 04:35:28 +0100
+
+linux (4.12.12-1) unstable; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.7
+    - ppp: Fix false xmit recursion detect with two ppp devices
+    - ppp: fix xmit recursion detection on ppp channels
+    - tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
+    - net: fix keepalive code vs TCP_FASTOPEN_CONNECT
+    - ipv6: set rt6i_protocol properly in the route when it is installed
+    - [s390x] bpf: fix jit branch offset related to ldimm64
+    - net/mlx4_en: don't set CHECKSUM_COMPLETE on SCTP packets
+    - net: sched: set xt_tgchk_param par.net properly in ipt_init_target
+    - net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target
+    - tcp: fastopen: tcp_connect() must refresh the route
+    - qmi_wwan: fix NULL deref on disconnect
+    - net: avoid skb_warn_bad_offload false positives on UFO
+    - igmp: Fix regression caused by igmp sysctl namespace code.
+    - scsi: sg: only check for dxfer_len greater than 256M
+    - btrfs: Remove false alert when fiemap range is smaller than on-disk
+      extent
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.8
+    - mm: ratelimit PFNs busy info message
+    - mm: fix list corruptions on shmem shrinklist
+    - futex: Remove unnecessary warning from get_futex_key
+    - xfs: Fix leak of discard bio
+    - [armhf] pinctrl: armada-37xx: Fix number of pin in south bridge
+    - mtd: nand: Fix timing setup for NANDs that do not support SET FEATURES
+    - mtd: nand: Declare tBERS, tR and tPROG as u64 to avoid integer overflow
+    - iscsi-target: fix memory leak in iscsit_setup_text_cmd()
+    - iscsi-target: Fix iscsi_np reset hung task during parallel delete
+    - usb-storage: fix deadlock involving host lock and scsi_done
+    - target: Fix node_acl demo-mode + uncached dynamic shutdown regression
+    - fuse: initialize the flock flag in fuse_file on allocation
+    - i2c: designware: Some broken DSTDs use 1MiHz instead of 1MHz
+    - nand: fix wrong default oob layout for small pages using soft ecc
+    - mmc: mmc: correct the logic for setting HS400ES signal voltage
+    - nfs/flexfiles: fix leak of nfs4_ff_ds_version arrays
+    - [armhf] drm/etnaviv: Fix off-by-one error in reloc checking
+    - [x86] drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut
+    - [armhf] usb: musb: fix tx fifo flush handling again
+    - USB: hcd: Mark secondary HCD as dead if the primary one died
+    - [armhf] iio: accel: st_accel: add SPI-3wire support
+    - [x86] iio: accel: bmc150: Always restore device to normal mode after
+      suspend-resume
+    - iio: light: tsl2563: use correct event code
+    - staging: comedi: comedi_fops: do not call blocking ops when !TASK_RUNNING
+    - uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
+    - firmware: fix batched requests - wake all waiters
+    - firmware: fix batched requests - send wake up on failure on direct lookups
+    - firmware: avoid invalid fallback aborts by using killable wait
+    - block: Make blk_mq_delay_kick_requeue_list() rerun the queue at a quiet
+      time
+    - USB: Check for dropped connection before switching to full speed
+    - usb: core: unlink urbs from the tail of the endpoint's urb_list
+    - usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
+    - usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
+    - PCI: Protect pci_error_handlers->reset_notify() usage with device_lock()
+    - xhci: Reset Renesas uPD72020x USB controller for 32-bit DMA issue
+    - pnfs/blocklayout: require 64-bit sector_t
+    - [x86] pinctrl: cherryview: Add Setzer models to the Chromebook DMI quirk
+    - [armhf] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
+    - [x86] pinctrl: intel: merrifield: Correct UART pin lists
+    - [armhf] pinctrl: samsung: Remove bogus irq_[un]mask from resource
+      management
+    - [arm64] pinctrl: meson-gxbb: Add missing GPIODV_18 pin entry
+    - [arm64] pinctrl: meson-gxl: Add missing GPIODV_18 pin entry
+    - [mips*] Revert "MIPS: Don't unnecessarily include kmalloc.h into
+      <asm/cache.h>."
+    - [mips*/octeon] Fix broken EDAC driver.
+    - [ppc64el] Fix /proc/cpuinfo revision for POWER9 DD2
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.9
+    - audit: Fix use after free in audit_remove_watch_rule()
+    - [hppa] pci memory bar assignment fails with 64bit kernels on dino/cujo
+    - [x86] crypto: sha1 - Fix reads beyond the number of blocks passed
+    - [x86] drm/i915: Perform an invalidate prior to executing golden
+      renderstate
+    - drm/amdgpu: save list length when fence is signaled
+    - md: fix test in md_write_start()
+    - md: always clear ->safemode when md_check_recovery gets the mddev lock.
+    - MD: not clear ->safemode for external metadata array
+    - ALSA: seq: 2nd attempt at fixing race creating a queue
+    - ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset
+    - ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
+    - ALSA: usb-audio: add DSD support for new Amanero PID
+    - mm: discard memblock data later
+    - slub: fix per memcg cache leak on css offline
+    - mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS
+    - mm/cma_debug.c: fix stack corruption due to sprintf usage
+    - mm/mempolicy: fix use after free when calling get_mempolicy
+    - mm/vmalloc.c: don't unconditonally use __GFP_HIGHMEM
+    - [amd64,arm64] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
+    - xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
+    - [armhf] ARM: dts: imx6qdl-nitrogen6_som2: fix PCIe reset
+    - blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL
+    - [powerpc*] Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC
+    - xen-blkfront: use a right index when checking requests
+    - [x86] perf: Fix RDPMC vs. mm_struct tracking
+    - [amd64] asm: Clear AC on NMI entries
+    - [x86] Fix norandmaps/ADDR_NO_RANDOMIZE
+    - [x86] elf: Remove the unnecessary ADDR_NO_RANDOMIZE checks
+    - genirq: Restore trigger settings in irq_modify_status()
+    - genirq/ipi: Fixup checks against nr_cpu_ids
+    - kernel/watchdog: Prevent false positives with turbo modes
+    - Sanitize 'move_pages()' permission checks (CVE-2017-14140)
+    - pids: make task_tgid_nr_ns() safe
+    - debug: Fix WARN_ON_ONCE() for modules
+    - usb: optimize acpi companion search for usb port devices
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.10
+    - [sparc64] remove unnecessary log message
+    - bonding: require speed/duplex only for 802.3ad, alb and tlb
+    - bonding: ratelimit failed speed/duplex update warning
+    - af_key: do not use GFP_KERNEL in atomic contexts
+    - dccp: purge write queue in dccp_destroy_sock()
+    - dccp: defer ccid_hc_tx_delete() at dismantle time
+    - ipv4: fix NULL dereference in free_fib_info_rcu()
+    - net_sched/sfq: update hierarchical backlog when drop packet
+    - net_sched: remove warning from qdisc_hash_add
+    - bpf: fix bpf_trace_printk on 32 bit archs
+    - net: igmp: Use ingress interface rather than vrf device
+    - openvswitch: fix skb_panic due to the incorrect actions attrlen
+    - ptr_ring: use kmalloc_array()
+    - ipv4: better IP_MAX_MTU enforcement
+    - nfp: fix infinite loop on umapping cleanup
+    - tun: handle register_netdevice() failures properly
+    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
+    - tipc: fix use-after-free
+    - ipv6: reset fn->rr_ptr when replacing route
+    - ipv6: repair fib6 tree in failure case
+    - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
+    - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
+    - irda: do not leak initialized list.dev to userspace
+    - net: sched: fix NULL pointer dereference when action calls some targets
+    - net_sched: fix order of queue length updates in qdisc_replace()
+    - bpf, verifier: add additional patterns to evaluate_reg_imm_alu
+    - bpf: fix mixed signed/unsigned derived min/max value bounds
+    - bpf/verifier: fix min/max handling in BPF_SUB
+    - Input: ALPS - fix two-finger scroll breakage in right side on ALPS
+      touchpad
+    - [s390x] KVM: sthyi: fix sthyi inline assembly
+    - [s390x] KVM: sthyi: fix specification exception detection
+    - [x86] KVM: simplify handling of PKRU
+    - [x86] KVM, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state
+    - [x86] KVM: block guest protection keys unless the host has them enabled
+    - ALSA: core: Fix unexpected error at replacing user TLV
+    - ALSA: firewire: fix NULL pointer dereference when releasing
+      uninitialized data of iso-resource
+    - ALSA: firewire-motu: destroy stream data surely at failure of card
+      initialization
+    - PM/hibernate: touch NMI watchdog when creating snapshot
+    - mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
+    - dax: fix deadlock due to misaligned PMD faults
+    - i2c: designware: Fix system suspend
+    - mm/madvise.c: fix freeing of locked page with MADV_FREE
+    - fork: fix incorrect fput of ->exe_file causing use-after-free
+    - mm/memblock.c: reversed logic in memblock_discard()
+    - [arm64] fpsimd: Prevent registers leaking across exec
+    - drm: Fix framebuffer leak
+    - drm: Release driver tracking before making the object available again
+    - [armhf] drm/sun4i: Implement drm_driver lastclose to restore fbdev
+      console
+    - drm/atomic: Handle -EDEADLK with out-fences correctly
+    - drm/atomic: If the atomic check fails, return its value first
+    - [x86] drm/i915/vbt: ignore extraneous child devices for a port
+    - [x86] drm/i915/gvt: Fix the kernel null pointer error
+    - Revert "drm/amdgpu: fix vblank_time when displays are off"
+    - ACPI: device property: Fix node lookup in
+      acpi_graph_get_child_prop_value()
+    - tracing: Call clear_boot_tracer() at lateinit_sync
+    - tracing: Missing error code in tracer_alloc_buffers()
+    - tracing: Fix kmemleak in tracing_map_array_free()
+    - tracing: Fix freeing of filter in create_filter() when set_str is false
+    - RDMA/uverbs: Initialize cq_context appropriately
+    - cifs: Fix df output for users with quota limits
+    - cifs: return ENAMETOOLONG for overlong names in
+      cifs_open()/cifs_lookup()
+    - nfsd: Limit end of page list when decoding NFSv4 WRITE
+    - ring-buffer: Have ring_buffer_alloc_read_page() return error on offline
+      CPU
+    - virtio_pci: fix cpu affinity support
+    - ftrace: Check for null ret_stack on profile function graph entry
+      function
+    - perf/core: Fix group {cpu,task} validation
+    - timers: Fix excessive granularity of new timers after a nohz idle
+    - [x86] mm: Fix use-after-free of ldt_struct
+    - net: sunrpc: svcsock: fix NULL-pointer exception
+    - netfilter: expect: fix crash when putting uninited expectation
+    - netfilter: nat: fix src map lookup
+    - netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
+    - Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
+    - Bluetooth: cmtp: fix possible might sleep error in cmtp_session
+    - Bluetooth: bnep: fix possible might sleep error in bnep_session
+    - iio: hid-sensor-trigger: Fix the race with user space powering up
+      sensors
+    - iommu: Fix wrong freeing of iommu_device->dev
+    - Clarify (and fix) MAX_LFS_FILESIZE macros
+    - ACPI: EC: Fix regression related to wrong ECDT initialization order
+    - [powerpc*] mm: Ensure cpumask update is ordered
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.11
+    - [arm64] mm: abort uaccess retries upon fatal signal
+    - [x86] io: Add "memory" clobber to insb/insw/insl/outsb/outsw/outsl
+    - [mips*] irqchip: mips-gic: SYNC after enabling GIC region
+    - Input: synaptics - fix device info appearing different on reconnect
+    - Input: xpad - fix PowerA init quirk for some gamepad models
+    - crypto: chacha20 - fix handling of chunked input
+    - [x86] i2c: ismt: Don't duplicate the receive length for block reads
+    - [x86] i2c: ismt: Return EMSGSIZE for block reads with bogus length
+    - crypto: algif_skcipher - only call put_page on referenced and used pages
+    - mm, uprobes: fix multiple free of ->uprobes_state.xol_area
+    - mm, madvise: ensure poisoned pages are removed from per-cpu lists
+    - ceph: fix readpage from fscache
+    - cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
+    - cpuset: Fix incorrect memory_pressure control file mapping
+    - CIFS: Fix maximum SMB2 header size
+    - CIFS: remove endian related sparse warning
+    - dm mpath: do not lock up a CPU with requeuing activity
+    - [x86] drm/vmwgfx: Fix F26 Wayland screen update issue
+    - [arm64, armhf] wl1251: add a missing spin_lock_init()
+    - [arm64] mmc: sdhci-xenon: add set_power callback
+    - lib/mpi: kunmap after finishing accessing buffer
+    - xfrm: policy: check policy direction value
+    - drm/ttm: Fix accounting error when fail to get pages for pool
+    - nvme: fix the definition of the doorbell buffer config support bit
+    - drm/nouveau/i2c/gf119-: add support for address-only transactions
+    - epoll: fix race between ep_poll_callback(POLLFREE) and
+      ep_free()/ep_remove()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.12
+    - usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard
+    - USB: serial: option: add support for D-Link DWM-157 C1
+    - usb: Add device quirk for Logitech HD Pro Webcam C920-C
+    - usb:xhci:Fix regression when ATI chipsets detected
+    - [armhf] USB: musb: fix external abort on suspend
+    - USB: core: Avoid race of async_completed() w/ usbdev_release()
+    - [x86] staging/rts5208: fix incorrect shift to extract upper nybble
+    - iio: adc: ti-ads1015: fix incorrect data rate setting update
+    - iio: adc: ti-ads1015: fix scale information for ADS1115
+    - iio: adc: ti-ads1015: enable conversion when CONFIG_PM is not set
+    - iio: adc: ti-ads1015: avoid getting stale result after runtime resume
+    - iio: adc: ti-ads1015: don't return invalid value from buffer setup
+      callbacks
+    - iio: adc: ti-ads1015: add adequate wait time to get correct conversion
+    - driver core: bus: Fix a potential double free
+    - HID: wacom: Do not completely map WACOM_HID_WD_TOUCHRINGSTATUS usage
+    - [x86] intel_th: pci: Add Cannon Lake PCH-H support
+    - [x86] intel_th: pci: Add Cannon Lake PCH-LP support
+    - ath10k: fix memory leak in rx ring buffer allocation
+    - Input: trackpoint - assume 3 buttons when buttons detection fails
+    - rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
+    - Bluetooth: Add support of 13d3:3494 RTL8723BE device
+    - iwlwifi: pci: add new PCI ID for 7265D
+    - dlm: avoid double-free on error path in dlm_device_{register,unregister}
+    - mwifiex: correct channel stat buffer overflows
+    - [s390x] mm: avoid empty zero pages for KVM guests to avoid postcopy
+      hangs
+    - [s390x] mm: fix BUG_ON in crst_table_upgrade
+    - drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
+    - drm/nouveau: Fix error handling in nv50_disp_atomic_commit
+    - workqueue: Fix flag collision
+    - ahci: don't use MSI for devices with the silly Intel NVMe remapping
+      scheme
+    - cs5536: add support for IDE controller variant
+    - scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
+    - scsi: sg: recheck MMAP_IO request length with lock held
+    - of/device: Prevent buffer overflow in of_device_modalias()
+    - rtlwifi: Fix memory leak when firmware request fails
+    - rtlwifi: Fix fallback firmware loading
+
+  [ Ben Hutchings ]
+  * [alpha] udeb: Add i2c-modules (fixes FTBFS)
+  * cpupower: Add/update definition of MSRHEADER macro for turbostat and
+    x86_energy_perf_policy (Closes: #872414)
+  * Bump ABI to 2
+
+  [ Roger Shimizu ]
+  * [armel] Disable CONFIG_STRICT_KERNEL_RWX, which will save about 3MB
+    on linux Image (before compression). (Closes: #870185)
+
+  [ Uwe Kleine-König ]
+  * mtd: nandsim: remove debugfs entries in error path
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 10 Sep 2017 19:42:51 +0100
+
 linux (4.12.6-1~bpo9+1) stretch-backports; urgency=medium
 
   * Rebuild for stretch-backports:

debian/config/armel/config.marvell

@@ -6,6 +6,7 @@
 CONFIG_CC_STACKPROTECTOR_REGULAR=y
 # CONFIG_CC_STACKPROTECTOR_STRONG is not set
 ## end choice
+# CONFIG_STRICT_KERNEL_RWX is not set
 
 ##
 ## file: arch/arm/Kconfig

debian/config/defines

 [abi]
-abiname: 0.bpo.1
+abiname: 0.bpo.2
 ignore-changes:
  __cpuhp_*
  bpf_analyzer
  cxl_*
+ iommu_device_*
  mm_iommu_*
+ perf_*
  register_cxl_calls
  unregister_cxl_calls
+ *_hw_breakpoint
  module:arch/x86/kvm/*
  module:drivers/crypto/ccp/*
  module:drivers/hv/*
  module:drivers/iio/common/hid-sensors/*
  module:drivers/iio/common/st_sensors/**
+ module:drivers/mtd/nand/*
  module:drivers/net/wireless/**
  module:drivers/nvdimm/*
  module:drivers/power/supply/bq27xxx_battery
@@ -23,6 +27,7 @@ ignore-changes:
  module:drivers/usb/chipidea/**
  module:drivers/usb/host/**
  module:drivers/usb/musb/**
+ module:fs/nfs/**
  module:net/ceph/libceph
  module:net/l2tp/l2tp_core
  module:sound/firewire/snd-firewire-lib

debian/installer/alpha/modules/alpha-generic/i2c-modules

+#include <i2c-modules>

debian/patches/bugfix/all/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base.patch

-From: Kees Cook <keescook@chromium.org>
-Date: Mon, 07 Aug 2017 20:15:42 +0000
-Subject: mm: Revert x86_64 and arm64 ELF_ET_DYN_BASE base
-Origin: https://marc.info/?l=linux-arm-kernel&m=150213698426008&w=2
-Bug-Debian: https://bugs.debian.org/869090
-
-Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000
-broke AddressSanitizer. This is a partial revert of:
-
-  commit eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
-  commit 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
-
-The AddressSanitizer tool has hard-coded expectations about where
-executable mappings are loaded. The motivation for changing the PIE
-base in the above commits was to avoid the Stack-Clash CVEs that
-allowed executable mappings to get too close to heap and stack. This
-was mainly a problem on 32-bit, but the 64-bit bases were moved too,
-in an effort to proactively protect those systems (proofs of concept
-do exist that show 64-bit collisions, but other recent changes to fix
-stack accounting and setuid behaviors will minimize the impact).
-
-The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC
-base), so only the 64-bit PIE base needs to be reverted to let x86 and
-arm64 ASan binaries run again. Future changes to the 64-bit PIE base on
-these architectures can be made optional once a more dynamic method for
-dealing with AddressSanitizer is found. (e.g. always loading PIE into
-the mmap region for marked binaries.)
-
-Reported-by: Kostya Serebryany <kcc@google.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Kees Cook <keescook@chromium.org>
----
- arch/arm64/include/asm/elf.h | 4 ++--
- arch/x86/include/asm/elf.h   | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
-index acae781f7359..3288c2b36731 100644
---- a/arch/arm64/include/asm/elf.h
-+++ b/arch/arm64/include/asm/elf.h
-@@ -114,10 +114,10 @@
- 
- /*
-  * This is the base location for PIE (ET_DYN with INTERP) loads. On
-- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-+ * 64-bit, this is above 4GB to leave the entire 32-bit address
-  * space open for things that want to use the area for 32-bit pointers.
-  */
--#define ELF_ET_DYN_BASE		0x100000000UL
-+#define ELF_ET_DYN_BASE		(2 * TASK_SIZE_64 / 3)
- 
- #ifndef __ASSEMBLY__
- 
-diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
-index 1c18d83d3f09..9aeb91935ce0 100644
---- a/arch/x86/include/asm/elf.h
-+++ b/arch/x86/include/asm/elf.h
-@@ -247,11 +247,11 @@ extern int force_personality32;
- 
- /*
-  * This is the base location for PIE (ET_DYN with INTERP) loads. On
-- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-+ * 64-bit, this is above 4GB to leave the entire 32-bit address
-  * space open for things that want to use the area for 32-bit pointers.
-  */
- #define ELF_ET_DYN_BASE		(mmap_is_ia32() ? 0x000400000UL : \
--						  0x100000000UL)
-+						  (TASK_SIZE / 3 * 2))
- 
- /* This yields a mask that user programs can use to figure out what
-    instruction set this CPU supports.  This could be done in user space,

debian/patches/bugfix/all/mtd-nandsim-remove-debugfs-entries-in-error-path.patch

+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Date: Wed, 23 Aug 2017 09:03:04 +0200
+Subject: [PATCH] mtd: nandsim: remove debugfs entries in error path
+Origin: https://git.kernel.org/linus/b974696da1cfc5aa0c29ed97dc8f6c239899e64b
+
+The debugfs entries must be removed before an error is returned in the
+probe function. Otherwise another try to load the module fails and when
+the debugfs files are accessed without the module loaded, the kernel
+still tries to call a function in that module.
+
+Fixes: 5346c27c5fed ("mtd: nandsim: Introduce debugfs infrastructure")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+---
+ drivers/mtd/nand/nandsim.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
+index 03a0d057bf2f..e4211c3cc49b 100644
+--- a/drivers/mtd/nand/nandsim.c
++++ b/drivers/mtd/nand/nandsim.c
+@@ -2373,6 +2373,7 @@ static int __init ns_init_module(void)
+         return 0;
+ 
+ err_exit:
++	nandsim_debugfs_remove(nand);
+ 	free_nandsim(nand);
+ 	nand_release(nsmtd);
+ 	for (i = 0;i < ARRAY_SIZE(nand->partitions); ++i)
+-- 
+2.14.1
+

debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch

+From: Vladis Dronov <vdronov@redhat.com>
+Date: Tue, 12 Sep 2017 22:21:21 +0000
+Subject: nl80211: check for the required netlink attributes presence
+Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Cc: <stable@vger.kernel.org> # v3.1-rc1
+Reported-by: bo Zhang <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
+ 	if (err)
+ 		return err;
+ 
++	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++	    !tb[NL80211_REKEY_DATA_KCK])
++		return -EINVAL;
+ 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ 		return -ERANGE;
+ 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)

debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch

+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 28 Aug 2017 14:29:41 -0400
+Subject: packet: Don't write vnet header beyond end of buffer
+Origin: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14497
+
+... which may happen with certain values of tp_reserve and maclen.
+
+Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/packet/af_packet.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2192,6 +2192,7 @@ static int tpacket_rcv(struct sk_buff *s
+ 	struct timespec ts;
+ 	__u32 ts_status;
+ 	bool is_drop_n_account = false;
++	bool do_vnet = false;
+ 
+ 	/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
+ 	 * We may add members to them until current aligned size without forcing
+@@ -2242,8 +2243,10 @@ static int tpacket_rcv(struct sk_buff *s
+ 		netoff = TPACKET_ALIGN(po->tp_hdrlen +
+ 				       (maclen < 16 ? 16 : maclen)) +
+ 				       po->tp_reserve;
+-		if (po->has_vnet_hdr)
++		if (po->has_vnet_hdr) {
+ 			netoff += sizeof(struct virtio_net_hdr);
++			do_vnet = true;
++		}
+ 		macoff = netoff - maclen;
+ 	}
+ 	if (po->tp_version <= TPACKET_V2) {
+@@ -2260,8 +2263,10 @@ static int tpacket_rcv(struct sk_buff *s
+ 					skb_set_owner_r(copy_skb, sk);
+ 			}
+ 			snaplen = po->rx_ring.frame_size - macoff;
+-			if ((int)snaplen < 0)
++			if ((int)snaplen < 0) {
+ 				snaplen = 0;
++				do_vnet = false;
++			}
+ 		}
+ 	} else if (unlikely(macoff + snaplen >
+ 			    GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
+@@ -2274,6 +2279,7 @@ static int tpacket_rcv(struct sk_buff *s
+ 		if (unlikely((int)snaplen < 0)) {
+ 			snaplen = 0;
+ 			macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
++			do_vnet = false;
+ 		}
+ 	}
+ 	spin_lock(&sk->sk_receive_queue.lock);
+@@ -2299,7 +2305,7 @@ static int tpacket_rcv(struct sk_buff *s
+ 	}
+ 	spin_unlock(&sk->sk_receive_queue.lock);
+ 
+-	if (po->has_vnet_hdr) {
++	if (do_vnet) {
+ 		if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
+ 					    sizeof(struct virtio_net_hdr),
+ 					    vio_le(), true)) {

debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch

-From: Willem de Bruijn <willemb@google.com>
-Date: Thu, 10 Aug 2017 12:41:58 -0400
-Subject: packet: fix tp_reserve race in packet_set_ring
-Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111
-
-Updates to tp_reserve can race with reads of the field in
-packet_set_ring. Avoid this by holding the socket lock during
-updates in setsockopt PACKET_RESERVE.
-
-This bug was discovered by syzkaller.
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: Willem de Bruijn <willemb@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/packet/af_packet.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 0615c2a950fa..008a45ca3112 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
- 
- 		if (optlen != sizeof(val))
- 			return -EINVAL;
--		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
--			return -EBUSY;
- 		if (copy_from_user(&val, optval, sizeof(val)))
- 			return -EFAULT;
- 		if (val > INT_MAX)
- 			return -EINVAL;
--		po->tp_reserve = val;
--		return 0;
-+		lock_sock(sk);
-+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+			ret = -EBUSY;
-+		} else {
-+			po->tp_reserve = val;
-+			ret = 0;
-+		}
-+		release_sock(sk);
-+		return ret;
- 	}
- 	case PACKET_LOSS:
- 	{
--- 
-2.11.0
-

debian/patches/bugfix/all/rtlwifi-fix-fallback-firmware-loading.patch

-From: Sven Joachim <svenjoac@gmx.de>
-Date: Mon, 31 Jul 2017 18:10:45 +0200
-Subject: rtlwifi: Fix fallback firmware loading
-Origin: https://git.kernel.org/linus/1d9b168d8ea9a0f51947d0e2f84856e77d2fe7ff
-Bug-Debian: https://bugs.debian.org/869084
-
-Commit f70e4df2b384 ("rtlwifi: Add code to read new versions of
-firmware") added code to load an old firmware file if the new one is
-not available.  Unfortunately that code is never reached because
-request_firmware_nowait() does not wait for the firmware to show up
-and returns 0 even if the file is not there.
-
-Use the existing fallback mechanism introduced by commit 62009b7f1279
-("rtlwifi: rtl8192cu: Add new firmware") instead.
-
-Fixes: f70e4df2b384 ("rtlwifi: Add code to read new versions of firmware")
-Cc: stable@vger.kernel.org
-Signed-off-by: Sven Joachim <svenjoac@gmx.de>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c | 17 +++++------------
- drivers/net/wireless/realtek/rtlwifi/rtl8821ae/sw.c | 17 +++++------------
- 2 files changed, 10 insertions(+), 24 deletions(-)
-
---- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
-@@ -187,18 +187,10 @@ int rtl8723be_init_sw_vars(struct ieee80
- 				      rtlpriv->io.dev, GFP_KERNEL, hw,
- 				      rtl_fw_cb);
- 	if (err) {
--		/* Failed to get firmware. Check if old version available */
--		fw_name = "rtlwifi/rtl8723befw.bin";
--		pr_info("Using firmware %s\n", fw_name);
--		err = request_firmware_nowait(THIS_MODULE, 1, fw_name,
--					      rtlpriv->io.dev, GFP_KERNEL, hw,
--					      rtl_fw_cb);
--		if (err) {
--			pr_err("Failed to request firmware!\n");
--			vfree(rtlpriv->rtlhal.pfirmware);
--			rtlpriv->rtlhal.pfirmware = NULL;
--			return 1;
--		}
-+		pr_err("Failed to request firmware!\n");
-+		vfree(rtlpriv->rtlhal.pfirmware);
-+		rtlpriv->rtlhal.pfirmware = NULL;
-+		return 1;
- 	}
- 	return 0;
- }
-@@ -289,6 +281,7 @@ static const struct rtl_hal_cfg rtl8723b
- 	.bar_id = 2,
- 	.write_readback = true,
- 	.name = "rtl8723be_pci",
-+	.alt_fw_name = "rtlwifi/rtl8723befw.bin",
- 	.ops = &rtl8723be_hal_ops,
- 	.mod_params = &rtl8723be_mod_params,
- 	.maps[SYS_ISO_CTRL] = REG_SYS_ISO_CTRL,
---- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/sw.c
-+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/sw.c
-@@ -216,18 +216,10 @@ int rtl8821ae_init_sw_vars(struct ieee80
- 				      rtlpriv->io.dev, GFP_KERNEL, hw,
- 				      rtl_fw_cb);
- 	if (err) {
--		/* Failed to get firmware. Check if old version available */
--		fw_name = "rtlwifi/rtl8821aefw.bin";
--		pr_info("Using firmware %s\n", fw_name);
--		err = request_firmware_nowait(THIS_MODULE, 1, fw_name,
--					      rtlpriv->io.dev, GFP_KERNEL, hw,
--					      rtl_fw_cb);
--		if (err) {
--			pr_err("Failed to request normal firmware!\n");
--			vfree(rtlpriv->rtlhal.wowlan_firmware);
--			vfree(rtlpriv->rtlhal.pfirmware);
--			return 1;
--		}
-+		pr_err("Failed to request normal firmware!\n");
-+		vfree(rtlpriv->rtlhal.wowlan_firmware);
-+		vfree(rtlpriv->rtlhal.pfirmware);
-+		return 1;
- 	}
- 	/*load wowlan firmware*/
- 	pr_info("Using firmware %s\n", wowlan_fw_name);
-@@ -331,6 +323,7 @@ static const struct rtl_hal_cfg rtl8821a
- 	.bar_id = 2,
- 	.write_readback = true,
- 	.name = "rtl8821ae_pci",
-+	.alt_fw_name = "rtlwifi/rtl8821aefw.bin",
- 	.ops = &rtl8821ae_hal_ops,
- 	.mod_params = &rtl8821ae_mod_params,
- 	.maps[SYS_ISO_CTRL] = REG_SYS_ISO_CTRL,