Update to 4.4.4

Drop patches included in it.
Salvatore Bonaccorso 2016-03-04 13:10:37 +01:00
parent 4db36a2b1c
commit 13ca0a257b
23 changed files with 346 additions and 1288 deletions

debian/changelog vendored

@ -1,4 +1,4 @@
linux (4.4.3-1) UNRELEASED; urgency=medium
linux (4.4.4-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* New upstream stable update:
@ -134,6 +134,350 @@ linux (4.4.3-1) UNRELEASED; urgency=medium
- posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- modules: fix modparam async_probe request
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.4
- af_iucv: Validate socket address length in iucv_sock_bind()
- gro: Make GRO aware of lightweight tunnels.
- net: dp83640: Fix tx timestamp overflow handling.
- tunnels: Allow IPv6 UDP checksums to be correctly controlled.
- lwt: fix rx checksum setting for lwt devices tunneling over ipv6
- tcp: fix NULL deref in tcp_v4_send_ack()
- af_unix: fix struct pid memory leak
- pptp: fix illegal memory access caused by multiple bind()s
- sctp: allow setting SCTP_SACK_IMMEDIATELY by the application
- net: dsa: fix mv88e6xxx switches
- tipc: fix connection abort during subscription cancel
- inet: frag: Always orphan skbs inside ip_defrag()
- switchdev: Require RTNL mutex to be held when sending FDB notifications
- tcp: beware of alignments in tcp_get_info()
- ipv6: enforce flowi6_oif usage in ip6_dst_lookup_tail()
- ipv6/udp: use sticky pktinfo egress ifindex on connect()
- ipv6: addrconf: Fix recursive spin lock call
- ipv6: fix a lockdep splat
- unix: correctly track in-flight fds in sending process user_struct
(regression in 4.3.3-6; CVE-2016-2550)
- tcp: do not drop syn_recv on all icmp reports
- net:Add sysctl_max_skb_frags
- tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs
- enic: increment devcmd2 result ring in case of timeout
- sctp: translate network order to host order when users get a hmacid
- net: Copy inner L3 and L4 headers as unaligned on GRE TEB
- flow_dissector: Fix unaligned access in __skb_flow_dissector when used by eth_get_headlen
- bpf: fix branch offset adjustment on backjumps after patching ctx expansion
- bonding: Fix ARP monitor validation
- ipv4: fix memory leaks in ip_cmsg_send() callers
- af_unix: Don't set err in unix_stream_read_generic unless there was an error
- af_unix: Guard against other == sk in unix_dgram_sendmsg
- tipc: fix premature addition of node to lookup table
- tcp: md5: release request socket instead of listener
- qmi_wwan: add "4G LTE usb-modem U901"
- net/mlx4_en: Count HW buffer overrun only once
- net/mlx4_en: Choose time-stamping shift value according to HW frequency
- net/mlx4_en: Avoid changing dev->features directly in run-time
- l2tp: Fix error creating L2TP tunnels
- pppoe: fix reference counting in PPPoE proxy
- net_sched fix: reclassification needs to consider ether protocol changes
- route: check and remove route cache when we get route
- tcp/dccp: fix another race at listener dismantle
- IFF_NO_QUEUE: Fix for drivers not calling ether_setup()
- rtnl: RTM_GETNETCONF: fix wrong return value
- tipc: unlock in error path
- unix_diag: fix incorrect sign extension in unix_lookup_by_ino
- sctp: Fix port hash table size computation
- ext4: fix bh->b_state corruption
- ARM: debug-ll: fix BCM63xx entry for multiplatform
- arm64: errata: Add -mpc-relative-literal-loads to build flags
- KVM: s390: fix guest fprs memory leak
- devm_memremap: Fix error value when memremap failed
- drm/gma500: Use correct unref in the gem bo create function
- ARM: 8457/1: psci-smp is built only for SMP
- lib/ucs2_string: Add ucs2 -> utf8 helper functions
- efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version
- efi: Do variable name validation tests in utf8
- efi: Make our variable validation list include the guid
- efi: Make efivarfs entries immutable by default
- efi: Add pstore variables to the deletion whitelist
- lib/ucs2_string: Correct ucs2 -> utf8 conversion
- bcache: fix a livelock when we cause a huge number of cache misses
- bcache: Add a cond_resched() call to gc
- bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device
- bcache: fix a leak in bch_cached_dev_run()
- bcache: unregister reboot notifier if bcache fails to unregister device
- bcache: allows use of register in udev to avoid "device_busy" error.
- bcache: prevent crash on changing writeback_running
- bcache: Change refill_dirty() to always scan entire disk if necessary
- dm thin: fix race condition when destroying thin pool workqueue
- can: ems_usb: Fix possible tx overflow
- usb: dwc3: Fix assignment of EP transfer resources
- USB: cp210x: add IDs for GE B650V3 and B850V3 boards
- USB: option: add support for SIM7100E
- USB: option: add "4G LTE usb-modem U901"
- drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE
- spi: omap2-mcspi: Prevent duplicate gpio_request
- iw_cxgb3: Fix incorrectly returning error on success
- drm/i915: shut up gen8+ SDE irq dmesg noise
- ocfs2: unlock inode if deleting inode from orphan fails
- mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
- mm: numa: quickly fail allocations for NUMA balancing on full nodes
- genirq: Validate action before dereferencing it in handle_irq_event_percpu()
- clocksource/drivers/vt8500: Increase the minimum delta
- s390/kvm: remove dependency on struct save_area definition
- KVM: s390: fix memory overwrites when vx is disabled
- Btrfs: add missing brelse when superblock checksum fails
- Btrfs: igrab inode in writepage
- btrfs: statfs: report zero available if metadata are exhausted
- Btrfs: send, don't BUG_ON() when an empty symlink is found
- Btrfs: fix number of transaction units required to create symlink
- Btrfs: fix transaction handle leak on failure to create hard link
- Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots
- btrfs: initialize the seq counter in struct btrfs_device
- s390: fix normalization bug in exception table sorting
- s390/dasd: prevent incorrect length error under z/VM after PAV changes
- s390/dasd: fix refcount for PAV reassignment
- s390/dasd: fix performance drop
- s390/compat: correct restore of high gprs on signal return
- s390/fpu: signals vs. floating point control register
- uml: flush stdout before forking
- uml: fix hostfs mknod()
- um: link with -lpthread
- locks: fix unlock when fcntl_setlk races with a close
- rtlwifi: rtl_pci: Fix kernel panic
- rtlwifi: rtl8192cu: Add missing parameter setup
- rtlwifi: rtl8192ce: Fix handling of module parameters
- rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
- rtlwifi: rtl8723ae: Fix initialization of module parameters
- rtlwifi: rtl8192se: Fix module parameter initialization
- rtlwifi: rtl8188ee: Fix module parameter initialization
- rtlwifi: rtl8723be: Fix module parameter initialization
- mei: fix fasync return value on error
- mei: validate request value in client notify request ioctl
- namei: ->d_inode of a pinned dentry is stable only for positives
- rc: sunxi-cir: Initialize the spinlock properly
- media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
- si2157: return -EINVAL if firmware blob is too big
- gspca: ov534/topro: prevent a division by 0
- vb2: fix a regression in poll() behavior for output,streams
- tda1004x: only update the frontend properties if locked
- dm space map metadata: remove unused variable in brb_pop()
- dm snapshot: fix hung bios when copy error occurs
- dm: fix dm_rq_target_io leak on faults with .request_fn DM w/ blk-mq paths
- coresight: checking for NULL string in coresight_name_match()
- irqchip/omap-intc: Add support for spurious irq handling
- irqchip/mxs: Add missing set_handle_irq()
- irqchip/atmel-aic: Fix wrong bit operation for IRQ priority
- irqchip/gic-v3-its: Fix double ICC_EOIR write for LPI in EOImode==1
- posix-clock: Fix return code on the poll method's error path
- clockevents/tcb_clksrc: Prevent disabling an already disabled clock
- mmc: usdhi6rol0: handle NULL data in timeout
- mmc: sdhci-pci: Do not default to 33 Ohm driver strength for Intel SPT
- mmc: sdhci: Fix DMA descriptor with zero data length
- mmc: sdio: Fix invalid vdd in voltage switch power cycle
- mmc: mmc: Fix incorrect use of driver strength switching HS200 and HS400
- mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
- mmc: core: Enable tuning according to the actual timing
- mmc: mmci: fix an ages old detection error
- mmc: sdhci-acpi: Fix card detect race for Intel BXT/APL
- mmc: pxamci: fix again read-only gpio detection polarity
- mmc: sdhci-pci: Fix card detect race for Intel BXT/APL
- mmc: sdhci: Allow override of mmc host operations
- mmc: sdhci: Allow override of get_cd() called from sdhci_request()
- tools: hv: vss: fix the write()'s argument: error -> vss_msg
- Drivers: hv: vmbus: Fix a Host signaling bug
- Bluetooth: Use continuous scanning when creating LE connections
- Bluetooth: Add support of Toshiba Broadcom based devices
- Bluetooth: Fix incorrect removing of IRKs
- Bluetooth: 6lowpan: Fix kernel NULL pointer dereferences
- Bluetooth: 6lowpan: Fix handling of uncompressed IPv6 packets
- time: Avoid signed overflow in timekeeping_get_ns()
- cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
- Revert "MIPS: Fix PAGE_MASK definition"
- MIPS: Loongson-3: Fix SMP_ASK_C0COUNT IPI handler
- MIPS: hpet: Choose a safe value for the ETIME check
- MIPS: Fix some missing CONFIG_CPU_MIPSR6 #ifdefs
- MIPS: Fix buffer overflow in syscall_get_arguments()
- EDAC: Robustify workqueues destruction
- EDAC, mc_sysfs: Fix freeing bus' name
- sparc64: fix incorrect sign extension in sys_sparc64_personality
- cxl: use correct operator when writing pcie config space values
- clk: exynos: use irqsave version of spin_lock to avoid deadlock with irqs
- regulator: axp20x: Fix GPIO LDO enable value for AXP22x
- regulator: mt6311: MT6311_REGULATOR needs to select REGMAP_I2C
- virtio_balloon: fix race by fill and leak
- virtio_balloon: fix race between migration and ballooning
- virtio_pci: fix use after free on release
- drm/vmwgfx: Fix an incorrect lock check
- drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates
- drm/vmwgfx: respect 'nomodeset'
- drm/amdgpu: Fix off-by-one errors in amdgpu_vm_bo_map
- drm/amdgpu: call hpd_irq_event on resume
- drm/amdgpu: fix lost sync_to if scheduler is enabled.
- drm/amdgpu: fix tonga smu resume
- drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2
- drm/amdgpu: no need to load MC firmware on fiji
- drm/amdgpu: move gmc7 support out of CIK dependency
- drm/amdgpu: iceland use CI based MC IP
- drm/amdgpu: The VI specific EXE bit should only apply to GMC v8.0 above
- drm/amdgpu: pull topaz gmc bits into gmc_v7
- drm/amdgpu: drop topaz support from gmc8 module
- drm/amdgpu: don't load MEC2 on topaz
- drm/amdgpu: remove exp hardware support from iceland
- drm/amdgpu: fix s4 resume
- drm/amdgpu: remove unnecessary forward declaration
- drm/amdgpu: hold reference to fences in amdgpu_sa_bo_new (v2)
- drm/amdgpu: fix issue with overlapping userptrs
- drm/amdgpu: use post-decrement in error handling
- drm/amdgpu: Don't hang in amdgpu_flip_work_func on disabled crtc.
- drm/amdgpu/pm: adjust display configuration after powerstate
- drm/nouveau/kms: take mode_config mutex in connector hotplug path
- drm/nouveau/display: Enable vblank irqs after display engine is on again.
- drm/nouveau/disp/dp: ensure sink is powered up before attempting link training
- drm/nouveau: platform: Fix deferred probe
- drm/dp/mst: process broadcast messages correctly
- drm/dp/mst: always send reply for UP request
- drm/dp/mst: fix in MSTB RAD initialization
- drm/dp/mst: fix in RAD element access
- drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil
- drm/dp/mst: Calculate MST PBN with 31.32 fixed point
- drm/dp/mst: move GUID storage from mgr, port to only mst branch
- drm/dp/mst: Reverse order of MST enable and clearing VC payload table.
- drm/dp/mst: deallocate payload on port destruction
- drm/radeon: Fix off-by-one errors in radeon_vm_bo_set_addr
- drm/radeon: call hpd_irq_event on resume
- drm/radeon: Fix "slow" audio over DP on DCE8+
- drm/radeon: clean up fujitsu quirks
- drm/radeon: properly byte swap vce firmware setup
- drm/radeon: cleaned up VCO output settings for DP audio
- drm/radeon: Add a common function for DFS handling
- drm/radeon: fix DP audio support for APU with DCE4.1 display engine
- drm: add helper to check for wc memory support
- drm/radeon: mask out WC from BO on unsupported arches
- drm/radeon: hold reference to fences in radeon_sa_bo_new
- drm: fix missing reference counting decrease
- drm/i915: Restore inhibiting the load of the default context
- drm/i915: intel_hpd_init(): Fix suspend/resume reprobing
- drm/i915: Init power domains early in driver load
- drm/i915: Make sure DC writes are coherent on flush.
- drm/i915/dp: fall back to 18 bpp when sink capability is unknown
- drm/i915: Don't reject primary plane windowing with color keying enabled on SKL+
- drm/i915/skl: Don't skip mst encoders in skl_ddi_pll_select()
- drm/i915/dsi: defend gpio table against out of bounds access
- drm/i915/dsi: don't pass arbitrary data to sideband
- drm/i915: fix error path in intel_setup_gmbus()
- drm/qxl: use kmalloc_array to alloc reloc_info in qxl_process_single_command
- drm/radeon: use post-decrement in error handling
- drm: No-Op redundant calls to drm_vblank_off() (v2)
- drm: Prevent vblank counter bumps > 1 with active vblank clients. (v2)
- drm: Fix drm_vblank_pre/post_modeset regression from Linux 4.4
- drm: Fix treatment of drm_vblank_offdelay in drm_vblank_on() (v2)
- drm/radeon: Don't hang in radeon_flip_work_func on disabled crtc. (v2)
- drm/radeon/pm: adjust display configuration after powerstate
- make sure that freeing shmem fast symlinks is RCU-delayed
- toshiba_acpi: Fix blank screen at boot if transflective backlight is supported
- ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill dmi list
- ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list
- uapi: update install list after nvme.h rename
- lib: sw842: select crc32
- ACPI / video: Add disable_backlight_sysfs_if quirk for the Toshiba Portege R700
- ACPI / video: Add disable_backlight_sysfs_if quirk for the Toshiba Satellite R830
- ACPI: Revert "ACPI / video: Add Dell Inspiron 5737 to the blacklist"
- ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
- nfit: fix multi-interface dimm handling, acpi6.1 compatibility
- dmaengine: dw: fix cyclic transfer setup
- dmaengine: dw: fix cyclic transfer callbacks
- dmaengine: at_xdmac: fix resume for cyclic transfers
- dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer
- IB/cm: Fix a recently introduced deadlock
- IB/qib: fix mcast detach when qp not attached
- IB/qib: Support creating qps with GFP_NOIO flag
- IB/mlx5: Expose correct maximum number of CQE capacity
- Thermal: initialize thermal zone device correctly
- Thermal: handle thermal zone device properly during system sleep
- Thermal: do thermal zone update after a cooling device registered
- hwmon: (dell-smm) Blacklist Dell Studio XPS 8000
- hwmon: (gpio-fan) Remove un-necessary speed_index lookup for thermal hook
- hwmon: (ads1015) Handle negative conversion values correctly
- cpufreq: pxa2xx: fix pxa_cpufreq_change_voltage prototype
- cpufreq: Fix NULL reference crash while accessing policy->governor_data
- seccomp: always propagate NO_NEW_PRIVS on tsync
- libceph: fix ceph_msg_revoke()
- libceph: don't bail early from try_read() when skipping a message
- libceph: use the right footer size when skipping a message
- libceph: don't spam dmesg with stray reply warnings
- sd: Optimal I/O size is in bytes, not sectors
- Staging: speakup: Fix getting port information
- Revert "Staging: panel: usleep_range is preferred over udelay"
- cdc-acm:exclude Samsung phone 04e8:685d
- perf stat: Do not clean event's private stats
- tick/nohz: Set the correct expiry when switching to nohz/lowres mode
- rfkill: fix rfkill_fop_read wait_event usage
- mac80211: Requeue work after scan complete for all VIF types.
- workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup
- Revert "workqueue: make sure delayed work run in local cpu"
- ALSA: hda - Apply clock gate workaround to Skylake, too
- ALSA: hda - Fixing background noise on Dell Inspiron 3162
- target: Fix LUN_RESET active I/O handling for ACK_KREF
- target: Fix LUN_RESET active TMR descriptor handling
- target: Fix TAS handling for multi-session se_node_acls
- target: Fix remote-port TMR ABORT + se_cmd fabric stop
- target: Fix race with SCF_SEND_DELAYED_TAS handling
- spi: atmel: fix gpio chip-select in case of non-DT platform
- qla2xxx: Fix stale pointer access.
- libata: fix sff host state machine locking while polling
- ARCv2: STAR 9000950267: Handle return from intr to Delay Slot #2
- ARCv2: SMP: Emulate IPI to self using software triggered interrupt
- PCI/AER: Flush workqueue on device remove to avoid use-after-free
- cpuset: make mm migration asynchronous
- cgroup: make sure a parent css isn't offlined before its children
- writeback: keep superblock pinned during cgroup writeback association switches
- phy: core: fix wrong err handle for phy_power_on
- i2c: i801: Adding Intel Lewisburg support for iTCO
- bio: return EINTR if copying to user space got interrupted
- block: fix use-after-free in dio_bio_complete
- nfs: fix nfs_size_to_loff_t
- NFSv4: Fix a dentry leak on alias use
- of/irq: Fix msi-map calculation for nonzero rid-base
- KVM: async_pf: do not warn on page allocation failures
- KVM: arm/arm64: vgic: Ensure bitmaps are long enough
- KVM: x86: fix missed hardware breakpoints
- KVM: x86: fix conversion of addresses to linear in 32-bit protected mode
- KVM: x86: MMU: fix ubsan index-out-of-range warning
- powerpc/eeh: Fix partial hotplug criterion
- tracing: Fix showing function event in available_events
- sunrpc/cache: fix off-by-one in qword_get()
- kernel/resource.c: fix muxed resource handling in __request_region()
- do_last(): don't let a bogus return value from ->open() et.al. to confuse us
- ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption
- ARM: at91/dt: fix typo in sama5d2 pinmux descriptions
- xen/arm: correctly handle DMA mapping of compound pages
- xen/scsiback: correct frontend counting
- xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
- xen/pciback: Save the number of MSI-X entries to be copied later.
- xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
- should_follow_link(): validate ->d_seq after having decided to follow
- do_last(): ELOOP failure exit should be done after leaving RCU mode
- hpfs: don't truncate the file when delete fails
- x86/mpx: Fix off-by-one comparison with nr_registers
- x86/entry/compat: Add missing CLAC to entry_INT80_32
- x86/irq: Call chip->irq_set_affinity in proper context
- x86/irq: Fix a race in x86_vector_free_irqs()
- x86/irq: Validate that irq descriptor is still active
- x86/irq: Do not use apic_chip_data.old_domain as temporary buffer
- x86/irq: Reorganize the return path in assign_irq_vector
- x86/irq: Reorganize the search in assign_irq_vector
- x86/irq: Check vector allocation early
- x86/irq: Copy vectormask instead of an AND operation
- x86/irq: Get rid of code duplication
- x86/irq: Remove offline cpus from vector cleanup
- x86/irq: Clear move_in_progress before sending cleanup IPI
- x86/irq: Remove the cpumask allocation from send_cleanup_vector()
- x86/irq: Remove outgoing CPU from vector cleanup mask
- x86/irq: Call irq_force_move_complete with irq descriptor
- x86/irq: Plug vector cleanup race
- IB/cma: Fix RDMA port validation for iWarp
- security: let security modules use PTRACE_MODE_* with bitmasks
- iwlwifi: dvm: fix WoWLAN
- iwlwifi: pcie: properly configure the debug buffer size for 8000
- iwlwifi: update and fix 7265 series PCI IDs
- iwlwifi: mvm: don't allow sched scans without matches to be started
[ Roger Shimizu ]
* [armhf] dts: imx6dlq-wandboard-revb1: use unique model id
@ -142,8 +486,6 @@ linux (4.4.3-1) UNRELEASED; urgency=medium
Buffalo Linkstation devices.
[ Ben Hutchings ]
* unix: correctly track in-flight fds in sending process user_struct
(regression in 4.3.3-6; CVE-2016-2550)
* udeb: Include more modules, including those needed on Firefly-RK3288,
thanks to Vagrant Cascadian (Closes: #815476)
- [armhf] core-modules: Include regulator drivers by default
@ -151,10 +493,6 @@ linux (4.4.3-1) UNRELEASED; urgency=medium
- mmc-modules: Depends on usb-modules
- usb-modules: Include USB PHY drivers by default
[ Aurelien Jarno ]
* [x86] KVM: fix conversion of addresses to linear in 32-bit protected
mode.
[ Ian Campbell ]
* [armhf] dts: Add DTB for Novena, patches from Vagrant Cascadian
(Closes: #815324)
@ -162,10 +500,8 @@ linux (4.4.3-1) UNRELEASED; urgency=medium
[ Uwe Kleine-König ]
* [armhf] enable AXP20X_POWER (Closes: #815971)
* [rt] Update to 4.4.3-rt9
* genirq: Validate action before dereferencing it in
handle_irq_event_percpu()
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 28 Feb 2016 07:02:42 +0100
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 04 Mar 2016 13:01:58 +0100
linux (4.4.2-3) unstable; urgency=medium
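Review bot: the `* [rt] Update to 4.4.3-rt9` line in this hunk stays as it is while the entry header moves to `linux (4.4.4-1)`. Confirm that the 4.4.3-rt9 patch set still applies on top of 4.4.4, or update the rt series in the same upload, and record which of the two was done in the changelog so the version mismatch is not read as an oversight.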

@ -1,65 +0,0 @@
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Date: Mon, 08 Feb 2016 18:47:19 +0000
Subject: af_unix: Don't set err in unix_stream_read_generic unless there was an error
Origin: http://mid.gmane.org/87bn7rrqdk.fsf@doppelsaurus.mobileactivedefense.com
The present unix_stream_read_generic contains various code sequences of
the form
err = -EDISASTER;
if (<test>)
goto out;
This has the unfortunate side effect of possibly causing the error code
to bleed through to the final
out:
return copied ? : err;
and then to be wrongly returned if no data was copied because the caller
didn't supply a data buffer, as demonstrated by the program available at
http://pad.lv/1540731
Change it such that err is only set if an error condition was detected.
Fixes: 3822b5c2fc62 ("af_unix: Revert 'lock_interruptible' in stream receive code")
Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
---
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2275,13 +2275,15 @@ static int unix_stream_read_generic(stru
size_t size = state->size;
unsigned int last_len;
- err = -EINVAL;
- if (sk->sk_state != TCP_ESTABLISHED)
+ if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
+ err = -EINVAL;
goto out;
+ }
- err = -EOPNOTSUPP;
- if (flags & MSG_OOB)
+ if (unlikely(flags & MSG_OOB)) {
+ err = -EOPNOTSUPP;
goto out;
+ }
target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
timeo = sock_rcvtimeo(sk, noblock);
@@ -2327,9 +2329,11 @@ again:
goto unlock;
unix_state_unlock(sk);
- err = -EAGAIN;
- if (!timeo)
+ if (!timeo) {
+ err = -EAGAIN;
break;
+ }
+
mutex_unlock(&u->readlock);
timeo = unix_stream_data_wait(sk, timeo, last,
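Review bot: with the unconditional `err = -EINVAL;`, `err = -EOPNOTSUPP;` and `err = -EAGAIN;` assignments moved inside their branches, the `return copied ? : err;` at `out:` quoted in the description now returns whatever err held before these checks. The declaration of err is outside the visible context of the first hunk (only `size` and `last_len` are shown), so check that it is initialised to 0 there; otherwise the case the description is about, no data copied and no error detected, returns an indeterminate value.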

@ -1,40 +0,0 @@
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Date: Thu, 11 Feb 2016 19:37:27 +0000
Subject: af_unix: Guard against other == sk in unix_dgram_sendmsg
Origin: http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com
The unix_dgram_sendmsg routine use the following test
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
---
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1781,7 +1781,12 @@ restart_locked:
goto out_unlock;
}
- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ /* other == sk && unix_peer(other) != sk if
+ * - unix_peer(sk) == NULL, destination address bound to sk
+ * - unix_peer(sk) == sk by time of get but disconnected before lock
+ */
+ if (other != sk &&
+ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
if (timeo) {
timeo = unix_wait_for_peer(other, timeo);
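Review bot: the new `other != sk` test at restart_locked skips the whole block, so for a socket sending to itself `unix_recvq_full(other)` is no longer consulted here and neither the `unix_wait_for_peer()` wait nor the non-blocking branch runs. The added comment lists the two ways other == sk can arise but not this consequence. A sentence in the comment or the description stating that self-sends deliberately bypass the receive-queue check at this point would make the intent reviewable.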

@ -1,26 +0,0 @@
From: Kent Overstreet <kmo@daterainc.com>
Date: Sun, 29 Nov 2015 17:18:33 -0800
Subject: [2/8] bcache: Add a cond_resched() call to gc
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=c5f1e5adf956e3ba82d204c7c141a75da9fa449a
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/btree.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index 4a1179c..22b9e34 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -1741,6 +1741,7 @@ static void bch_btree_gc(struct cache_set *c)
do {
ret = btree_root(gc_root, c, &op, &writes, &stats);
closure_sync(&writes);
+ cond_resched();
if (ret && ret != -EAGAIN)
pr_warn("gc failed!");
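Review bot: this patch has no description, only a subject and tags, so nothing records why the `do { ... }` loop in bch_btree_gc() needs a scheduling point after `closure_sync(&writes);`. The From: line names Kent Overstreet, but he appears only as Cc, and the first Signed-off-by is Takashi Iwai. A one-line body stating the symptom that `cond_resched();` addresses, and a sign-off chain that matches the From: line, would make the provenance checkable.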

@ -1,46 +0,0 @@
From: Gabriel de Perthuis <g2p.code@gmail.com>
Date: Sun, 29 Nov 2015 18:40:23 -0800
Subject: [6/8] bcache: allows use of register in udev to avoid "device_busy"
error.
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=d7076f21629f8f329bca4a44dc408d94670f49e2
Allows to use register, not register_quiet in udev to avoid "device_busy" error.
The initial patch proposed at https://lkml.org/lkml/2013/8/26/549 by Gabriel de Perthuis
<g2p.code@gmail.com> does not unlock the mutex and hangs the kernel.
See http://thread.gmane.org/gmane.linux.kernel.bcache.devel/2594 for the discussion.
Cc: Denis Bychkov <manover@gmail.com>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Gabriel de Perthuis <g2p.code@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/super.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 18f14a2..8d0ead9 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1938,6 +1938,8 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr,
else
err = "device busy";
mutex_unlock(&bch_register_lock);
+ if (attr == &ksysfs_register_quiet)
+ goto out;
}
goto err;
}
@@ -1976,8 +1978,7 @@ out:
err_close:
blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL);
err:
- if (attr != &ksysfs_register_quiet)
- pr_info("error opening %s: %s", path, err);
+ pr_info("error opening %s: %s", path, err);
ret = -EINVAL;
goto out;
}
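Review bot: in the first hunk the `goto out;` for `attr == &ksysfs_register_quiet` sits after the if/else, so it is taken for the "device busy" string as well as for the branch above the `else`, and it bypasses `err:` and therefore `ret = -EINVAL;`. The value returned on that path is whatever ret held before, which is outside the visible context; if that is the success value, register_quiet now reports success for a device that is merely busy. The second hunk also makes `pr_info("error opening %s: %s", path, err);` unconditional, so every register_quiet failure that still reaches `err:` is now logged. Both effects deserve a line in the description, which only mentions avoiding the "device_busy" error.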

@ -1,91 +0,0 @@
From: Kent Overstreet <kent.overstreet@gmail.com>
Date: Sun, 29 Nov 2015 18:47:01 -0800
Subject: [8/8] bcache: Change refill_dirty() to always scan entire disk if
necessary
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=627ccd20b4ad3ba836472468208e2ac4dfadbf03
Previously, it would only scan the entire disk if it was starting from
the very start of the disk - i.e. if the previous scan got to the end.
This was broken by refill_full_stripes(), which updates last_scanned so
that refill_dirty was never triggering the searched_from_start path.
But if we change refill_dirty() to always scan the entire disk if
necessary, regardless of what last_scanned was, the code gets cleaner
and we fix that bug too.
Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/writeback.c | 37 ++++++++++++++++++++++++++++++-------
1 file changed, 30 insertions(+), 7 deletions(-)
diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
index b23f88d..b9346cd 100644
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -323,6 +323,10 @@ void bcache_dev_sectors_dirty_add(struct cache_set *c, unsigned inode,
static bool dirty_pred(struct keybuf *buf, struct bkey *k)
{
+ struct cached_dev *dc = container_of(buf, struct cached_dev, writeback_keys);
+
+ BUG_ON(KEY_INODE(k) != dc->disk.id);
+
return KEY_DIRTY(k);
}
@@ -372,11 +376,24 @@ next:
}
}
+/*
+ * Returns true if we scanned the entire disk
+ */
static bool refill_dirty(struct cached_dev *dc)
{
struct keybuf *buf = &dc->writeback_keys;
+ struct bkey start = KEY(dc->disk.id, 0, 0);
struct bkey end = KEY(dc->disk.id, MAX_KEY_OFFSET, 0);
- bool searched_from_start = false;
+ struct bkey start_pos;
+
+ /*
+ * make sure keybuf pos is inside the range for this disk - at bringup
+ * we might not be attached yet so this disk's inode nr isn't
+ * initialized then
+ */
+ if (bkey_cmp(&buf->last_scanned, &start) < 0 ||
+ bkey_cmp(&buf->last_scanned, &end) > 0)
+ buf->last_scanned = start;
if (dc->partial_stripes_expensive) {
refill_full_stripes(dc);
@@ -384,14 +401,20 @@ static bool refill_dirty(struct cached_dev *dc)
return false;
}
- if (bkey_cmp(&buf->last_scanned, &end) >= 0) {
- buf->last_scanned = KEY(dc->disk.id, 0, 0);
- searched_from_start = true;
- }
-
+ start_pos = buf->last_scanned;
bch_refill_keybuf(dc->disk.c, buf, &end, dirty_pred);
- return bkey_cmp(&buf->last_scanned, &end) >= 0 && searched_from_start;
+ if (bkey_cmp(&buf->last_scanned, &end) < 0)
+ return false;
+
+ /*
+ * If we get to the end start scanning again from the beginning, and
+ * only scan up to where we initially started scanning from:
+ */
+ buf->last_scanned = start;
+ bch_refill_keybuf(dc->disk.c, buf, &start_pos, dirty_pred);
+
+ return bkey_cmp(&buf->last_scanned, &start_pos) >= 0;
}
static int bch_writeback_thread(void *arg)
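Review bot: the `BUG_ON(KEY_INODE(k) != dc->disk.id);` added to dirty_pred() in the first hunk turns a key from the wrong inode into a kernel crash inside the predicate that is passed to bch_refill_keybuf(). The description explains the refill_dirty() rescan logic but does not mention this assertion. Since dirty_pred() can already reject a key by returning false, `WARN_ON_ONCE()` followed by `return false` would surface the same inconsistency without taking the machine down; if the crash is intended, the description should say why.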

@ -1,109 +0,0 @@
From: Zheng Liu <wenqing.lz@taobao.com>
Date: Sun, 29 Nov 2015 17:19:32 -0800
Subject: [3/8] bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a
backing device
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=fecaee6f20ee122ad75402c53d8278f9bb142ddc
This bug can be reproduced by the following script:
#!/bin/bash
bcache_sysfs="/sys/fs/bcache"
function clear_cache()
{
if [ ! -e $bcache_sysfs ]; then
echo "no bcache sysfs"
exit
fi
cset_uuid=$(ls -l $bcache_sysfs|head -n 2|tail -n 1|awk '{print $9}')
sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/detach"
sleep 5
sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/attach"
}
for ((i=0;i<10;i++)); do
clear_cache
done
The warning messages look like below:
[ 275.948611] ------------[ cut here ]------------
[ 275.963840] WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xb8/0xd0() (Tainted: P W
--------------- )
[ 275.979253] Hardware name: Tecal RH2285
[ 275.994106] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:09.0/0000:08:00.0/host4/target4:2:1/4:2:1:0/block/sdb/sdb1/bcache/cache'
[ 276.024105] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler
bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801
i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas
pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan]
[ 276.072643] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1
[ 276.089315] Call Trace:
[ 276.105801] [<ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0
[ 276.122650] [<ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50
[ 276.139361] [<ffffffff81205c08>] ? sysfs_add_one+0xb8/0xd0
[ 276.156012] [<ffffffff8120609b>] ? sysfs_do_create_link+0x12b/0x170
[ 276.172682] [<ffffffff81206113>] ? sysfs_create_link+0x13/0x20
[ 276.189282] [<ffffffffa03bda21>] ? bcache_device_link+0xc1/0x110 [bcache]
[ 276.205993] [<ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache]
[ 276.222794] [<ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache]
[ 276.239680] [<ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110
[ 276.256594] [<ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170
[ 276.273364] [<ffffffff811887b8>] ? vfs_write+0xb8/0x1a0
[ 276.290133] [<ffffffff811890b1>] ? sys_write+0x51/0x90
[ 276.306368] [<ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b
[ 276.322301] ---[ end trace 9f5d4fcdd0c3edfb ]---
[ 276.338241] ------------[ cut here ]------------
[ 276.354109] WARNING: at /home/wenqing.lz/bcache/bcache/super.c:720
bcache_device_link+0xdf/0x110 [bcache]() (Tainted: P W --------------- )
[ 276.386017] Hardware name: Tecal RH2285
[ 276.401430] Couldn't create device <-> cache set symlinks
[ 276.401759] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler
bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801
i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas
pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan]
[ 276.465477] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1
[ 276.482169] Call Trace:
[ 276.498610] [<ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0
[ 276.515405] [<ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50
[ 276.532059] [<ffffffffa03bda3f>] ? bcache_device_link+0xdf/0x110 [bcache]
[ 276.548808] [<ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache]
[ 276.565569] [<ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache]
[ 276.582418] [<ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110
[ 276.599341] [<ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170
[ 276.616142] [<ffffffff811887b8>] ? vfs_write+0xb8/0x1a0
[ 276.632607] [<ffffffff811890b1>] ? sys_write+0x51/0x90
[ 276.648671] [<ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b
[ 276.664756] ---[ end trace 9f5d4fcdd0c3edfc ]---
We forget to clear BCACHE_DEV_UNLINK_DONE flag in bcache_device_attach()
function when we attach a backing device first time. After detaching this
backing device, this flag will be true and sysfs_remove_link() isn't called in
bcache_device_unlink(). Then when we attach this backing device again,
sysfs_create_link() will return EEXIST error in bcache_device_link().
So the fix is trival and we clear this flag in bcache_device_link().
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/super.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 679a093..383f060 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -685,6 +685,8 @@ static void bcache_device_link(struct bcache_device *d, struct cache_set *c,
WARN(sysfs_create_link(&d->kobj, &c->kobj, "cache") ||
sysfs_create_link(&c->kobj, &d->kobj, d->name),
"Couldn't create device <-> cache set symlinks");
+
+ clear_bit(BCACHE_DEV_UNLINK_DONE, &d->flags);
}
static void bcache_device_detach(struct bcache_device *d)
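Review bot: the added clear_bit() at the end of bcache_device_link() runs even when the WARN() above it fired, that is, when one of the sysfs_create_link() calls failed. In that case BCACHE_DEV_UNLINK_DONE is cleared although the links may not exist, so a later unlink will try to remove them. Consider clearing the flag only when both links were created, or say in a comment why the unconditional clear is safe. The commit message also names bcache_device_attach() as the place where the clear was forgotten while the hunk changes bcache_device_link(); a sentence reconciling the two would help.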


@ -1,32 +0,0 @@
From: Al Viro <viro@ZenIV.linux.org.uk>
Date: Sun, 29 Nov 2015 17:20:59 -0800
Subject: [4/8] bcache: fix a leak in bch_cached_dev_run()
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=4d4d8573a8451acc9f01cbea24b7e55f04a252fe
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/super.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 383f060..43e911e 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -849,8 +849,11 @@ void bch_cached_dev_run(struct cached_dev *dc)
buf[SB_LABEL_SIZE] = '\0';
env[2] = kasprintf(GFP_KERNEL, "CACHED_LABEL=%s", buf);
- if (atomic_xchg(&dc->running, 1))
+ if (atomic_xchg(&dc->running, 1)) {
+ kfree(env[1]);
+ kfree(env[2]);
return;
+ }
if (!d->c &&
BDEV_STATE(&dc->sb) != BDEV_STATE_NONE) {
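Review bot: the new early-return branch under atomic_xchg(&dc->running, 1) frees env[1] and env[2] by hand, which is easy to miss when another allocation is added to the env array later. A single exit label that frees both would keep every return path in step. The commit message has no body; one sentence naming the kasprintf() allocations that leaked when the device was already running would document the bug.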


@ -1,67 +0,0 @@
From: Zheng Liu <gnehzuil.liu@gmail.com>
Date: Sun, 29 Nov 2015 17:17:05 -0800
Subject: [1/8] bcache: fix a livelock when we cause a huge number of cache
misses
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=2ef9ccbfcb90cf84bdba320a571b18b05c41101b
Subject : [PATCH v2] bcache: fix a livelock in btree lock
Date : Wed, 25 Feb 2015 20:32:09 +0800 (02/25/2015 04:32:09 AM)
This commit tries to fix a livelock in bcache. This livelock might
happen when we causes a huge number of cache misses simultaneously.
When we get a cache miss, bcache will execute the following path.
->cached_dev_make_request()
->cached_dev_read()
->cached_lookup()
->bch->btree_map_keys()
->btree_root() <------------------------
->bch_btree_map_keys_recurse() |
->cache_lookup_fn() |
->cached_dev_cache_miss() |
->bch_btree_insert_check_key() -|
[If btree->seq is not equal to seq + 1, we should return
EINTR and traverse btree again.]
In bch_btree_insert_check_key() function we first need to check upgrade
flag (op->lock == -1), and when this flag is true we need to release
read btree->lock and try to take write btree->lock. During taking and
releasing this write lock, btree->seq will be monotone increased in
order to prevent other threads modify this in cache miss (see btree.h:74).
But if there are some cache misses caused by some requested, we could
meet a livelock because btree->seq is always changed by others. Thus no
one can make progress.
This commit will try to take write btree->lock if it encounters a race
when we traverse btree. Although it sacrifice the scalability but we
can ensure that only one can modify the btree.
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Joshua Schmid <jschmid@suse.com>
Cc: Zhu Yanhai <zhu.yanhai@gmail.com>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/btree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index 83392f8..4a1179c 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -2162,8 +2162,10 @@ int bch_btree_insert_check_key(struct btree *b, struct btree_op *op,
rw_lock(true, b, b->level);
if (b->key.ptr[0] != btree_ptr ||
- b->seq != seq + 1)
+ b->seq != seq + 1) {
+ op->lock = b->level;
goto out;
+ }
}
SET_KEY_PTRS(check_key, 1);
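Review bot: op->lock = b->level in the new block is the whole fix but carries no comment, and from the hunk alone it reads like an unrelated assignment before goto out. A short comment saying that it makes the retry take the write lock at this level, so that b->seq cannot be bumped by another thread again, would tie it to the livelock described in the commit message. The message also admits a scalability cost; it is worth stating whether that was measured.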


@ -1,32 +0,0 @@
From: Stefan Bader <stefan.bader@canonical.com>
Date: Sun, 29 Nov 2015 18:44:49 -0800
Subject: [7/8] bcache: prevent crash on changing writeback_running
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=8d16ce540c94c9d366eb36fc91b7154d92d6397b
Added a safeguard in the shutdown case. At least while not being
attached it is also possible to trigger a kernel bug by writing into
writeback_running. This change adds the same check before trying to
wake up the thread for that case.
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/writeback.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/writeback.h b/drivers/md/bcache/writeback.h
index 0a9dab1..073a042 100644
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -63,7 +63,8 @@ static inline bool should_writeback(struct cached_dev *dc, struct bio *bio,
static inline void bch_writeback_queue(struct cached_dev *dc)
{
- wake_up_process(dc->writeback_thread);
+ if (!IS_ERR_OR_NULL(dc->writeback_thread))
+ wake_up_process(dc->writeback_thread);
}
static inline void bch_writeback_add(struct cached_dev *dc)
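Review bot: the !IS_ERR_OR_NULL(dc->writeback_thread) test in bch_writeback_queue() and the wake_up_process() that follows are two separate reads of dc->writeback_thread, with nothing visible here that keeps the pointer stable between them. If the thread can be stopped while a write to writeback_running is in flight, the check does not close that window. Please state in a comment which lock or state makes this safe, or read the pointer once into a local and test and use that.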


@ -1,35 +0,0 @@
From: Zheng Liu <wenqing.lz@taobao.com>
Date: Sun, 29 Nov 2015 17:21:57 -0800
Subject: [5/8] bcache: unregister reboot notifier if bcache fails to
unregister device
Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=2ecf0cdb2b437402110ab57546e02abfa68a716b
In bcache_init() function it forgot to unregister reboot notifier if
bcache fails to unregister a block device. This commit fixes this.
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Joshua Schmid <jschmid@suse.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
---
drivers/md/bcache/super.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 43e911e..18f14a2 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -2071,8 +2071,10 @@ static int __init bcache_init(void)
closure_debug_init();
bcache_major = register_blkdev(0, "bcache");
- if (bcache_major < 0)
+ if (bcache_major < 0) {
+ unregister_reboot_notifier(&reboot);
return bcache_major;
+ }
if (!(bcache_wq = create_workqueue("bcache")) ||
!(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) ||
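Review bot: the subject and message say the notifier is leaked when bcache "fails to unregister" a device, but the branch changed here is the register_blkdev() failure path (bcache_major < 0). Please correct the wording to "register". The inline unregister_reboot_notifier() also gives this one failure its own unwinding; if the checks that follow share an error label, routing this failure through it as well would keep later cleanups from being missed.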


@ -1,89 +0,0 @@
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed, 10 Feb 2016 16:47:11 +0100
Subject: bpf: fix branch offset adjustment on backjumps after patching ctx
expansion
Origin: https://git.kernel.org/linus/a1b14d27ed0965838350f1377ff97c93ee383492
When ctx access is used, the kernel often needs to expand/rewrite
instructions, so after that patching, branch offsets have to be
adjusted for both forward and backward jumps in the new eBPF program,
but for backward jumps it fails to account the delta. Meaning, for
example, if the expansion happens exactly on the insn that sits at
the jump target, it doesn't fix up the back jump offset.
Analysis on what the check in adjust_branches() is currently doing:
/* adjust offset of jmps if necessary */
if (i < pos && i + insn->off + 1 > pos)
insn->off += delta;
else if (i > pos && i + insn->off + 1 < pos)
insn->off -= delta;
First condition (forward jumps):
Before: After:
insns[0] insns[0]
insns[1] <--- i/insn insns[1] <--- i/insn
insns[2] <--- pos insns[P] <--- pos
insns[3] insns[P] `------| delta
insns[4] <--- target_X insns[P] `-----|
insns[5] insns[3]
insns[4] <--- target_X
insns[5]
First case is if we cross pos-boundary and the jump instruction was
before pos. This is handeled correctly. I.e. if i == pos, then this
would mean our jump that we currently check was the patchlet itself
that we just injected. Since such patchlets are self-contained and
have no awareness of any insns before or after the patched one, the
delta is correctly not adjusted. Also, for the second condition in
case of i + insn->off + 1 == pos, means we jump to that newly patched
instruction, so no offset adjustment are needed. That part is correct.
Second condition (backward jumps):
Before: After:
insns[0] insns[0]
insns[1] <--- target_X insns[1] <--- target_X
insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y
insns[3] insns[P] `------| delta
insns[4] <--- i/insn insns[P] `-----|
insns[5] insns[3]
insns[4] <--- i/insn
insns[5]
Second interesting case is where we cross pos-boundary and the jump
instruction was after pos. Backward jump with i == pos would be
impossible and pose a bug somewhere in the patchlet, so the first
condition checking i > pos is okay only by itself. However, i +
insn->off + 1 < pos does not always work as intended to trigger the
adjustment. It works when jump targets would be far off where the
delta wouldn't matter. But, for example, where the fixed insn->off
before pointed to pos (target_Y), it now points to pos + delta, so
that additional room needs to be taken into account for the check.
This means that i) both tests here need to be adjusted into pos + delta,
and ii) for the second condition, the test needs to be <= as pos
itself can be a target in the backjump, too.
Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d1d3e8f57de9..2e7f7ab739e4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2082,7 +2082,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
/* adjust offset of jmps if necessary */
if (i < pos && i + insn->off + 1 > pos)
insn->off += delta;
- else if (i > pos && i + insn->off + 1 < pos)
+ else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
insn->off -= delta;
}
}
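Review bot: the backward-jump test now compares against pos + delta while the forward-jump test two lines above still compares against pos, and the only comment is the unchanged "adjust offset of jmps if necessary". The commit message explains the asymmetry (the old target now sits at pos + delta, and pos itself can be a back-jump target, hence <=), but none of that is in the code. Please add a comment above the else-if saying so, and add a test with a back jump whose target is the patched instruction, since a wrong offset here silently changes the control flow of the rewritten program.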


@ -1,100 +0,0 @@
From: Thomas Gleixner <tglx@linutronix.de>
Date: Wed, 13 Jan 2016 14:07:25 +0100
Subject: [PATCH] genirq: Validate action before dereferencing it in
handle_irq_event_percpu()
Origin: v4.5-rc2, commit:570540d50710ed192e98e2f7f74578c9486b6b05
commit 71f64340fc0e changed the handling of irq_desc->action from
CPU 0 CPU 1
free_irq() lock(desc)
lock(desc) handle_edge_irq()
if (desc->action) {
handle_irq_event()
action = desc->action
unlock(desc)
desc->action = NULL handle_irq_event_percpu(desc, action)
action->xxx
to
CPU 0 CPU 1
free_irq() lock(desc)
lock(desc) handle_edge_irq()
if (desc->action) {
handle_irq_event()
unlock(desc)
desc->action = NULL handle_irq_event_percpu(desc, action)
action = desc->action
action->xxx
So if free_irq manages to set the action to NULL between the unlock and before
the readout, we happily dereference a null pointer.
We could simply revert 71f64340fc0e, but we want to preserve the better code
generation. A simple solution is to change the action loop from a do {} while
to a while {} loop.
This is safe because we either see a valid desc->action or NULL. If the action
is about to be removed it is still valid as free_irq() is blocked on
synchronize_irq().
CPU 0 CPU 1
free_irq() lock(desc)
lock(desc) handle_edge_irq()
handle_irq_event(desc)
set(INPROGRESS)
unlock(desc)
handle_irq_event_percpu(desc)
action = desc->action
desc->action = NULL while (action) {
action->xxx
...
action = action->next;
sychronize_irq()
while(INPROGRESS); lock(desc)
clr(INPROGRESS)
free(action)
That's basically the same mechanism as we have for shared
interrupts. action->next can become NULL while handle_irq_event_percpu()
runs. Either it sees the action or NULL. It does not matter, because action
itself cannot go away before the interrupt in progress flag has been cleared.
Fixes: commit 71f64340fc0e "genirq: Remove the second parameter from handle_irq_event_percpu()"
Reported-by: zyjzyj2000@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Huang Shijie <shijie.huang@arm.com>
Cc: Jiang Liu <jiang.liu@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1601131224190.3575@nanos
---
kernel/irq/handle.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c
index a302cf9a2126..57bff7857e87 100644
--- a/kernel/irq/handle.c
+++ b/kernel/irq/handle.c
@@ -138,7 +138,8 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc)
unsigned int flags = 0, irq = desc->irq_data.irq;
struct irqaction *action = desc->action;
- do {
+ /* action might have become NULL since we dropped the lock */
+ while (action) {
irqreturn_t res;
trace_irq_handler_entry(irq, action);
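Review bot: with the do/while turned into while (action), correctness depends on action being loaded from desc->action exactly once, yet the initialiser "struct irqaction *action = desc->action;" is a plain read made after the lock was dropped. Consider READ_ONCE(desc->action) so the compiler cannot reload it after the NULL test. The new comment could also mention that free_irq() waits in synchronize_irq(), which is what keeps a non-NULL action valid for the duration of the loop.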
@@ -173,7 +174,7 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc)
retval |= res;
action = action->next;
- } while (action);
+ }
add_interrupt_randomness(irq, flags);
--
2.7.0


@ -1,41 +0,0 @@
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 17 Feb 2016 15:37:43 +0100
Subject: IFF_NO_QUEUE: Fix for drivers not calling ether_setup()
Origin: http://mid.gmane.org/1455719863-25730-1-git-send-email-phil@nwl.cc
My implementation around IFF_NO_QUEUE driver flag assumed that leaving
tx_queue_len untouched (specifically: not setting it to zero) by drivers
would make it possible to assign a regular qdisc to them without having
to worry about setting tx_queue_len to a useful value. This was only
partially true: I overlooked that some drivers don't call ether_setup()
and therefore not initialize tx_queue_len to the default value of 1000.
Consequently, removing the workarounds in place for that case in qdisc
implementations which cared about it (namely, pfifo, bfifo, gred, htb,
plug and sfb) leads to problems with these specific interface types and
qdiscs.
Luckily, there's already a sanitization point for drivers setting
tx_queue_len to zero, which can be reused to assign the fallback value
most qdisc implementations used, which is 1.
Fixes: 348e3435cbefa ("net: sched: drop all special handling of tx_queue_len == 0")
Tested-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/core/dev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7125,8 +7125,10 @@ struct net_device *alloc_netdev_mqs(int
dev->priv_flags = IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM;
setup(dev);
- if (!dev->tx_queue_len)
+ if (!dev->tx_queue_len) {
dev->priv_flags |= IFF_NO_QUEUE;
+ dev->tx_queue_len = 1;
+ }
dev->num_tx_queues = txqs;
dev->real_num_tx_queues = txqs;
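Review bot: dev->tx_queue_len = 1 in the !dev->tx_queue_len branch is a bare magic number, and it changes the tx_queue_len value reported for devices that previously showed 0. Please add a comment that 1 is the fallback the qdiscs named in the commit message used to apply themselves, and mention the changed value in the commit message so users of IFF_NO_QUEUE devices are not surprised by it.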


@ -1,38 +0,0 @@
From: Hariprasad S <hariprasad@chelsio.com>
Date: Fri, 11 Dec 2015 13:59:17 +0530
Subject: iw_cxgb3: Fix incorrectly returning error on success
Origin: https://git.kernel.org/linus/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3
The cxgb3_*_send() functions return NET_XMIT_ values, which are
positive integers values. So don't treat positive return values
as an error.
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
index cb78b1e9bcd9..f504ba73e5dc 100644
--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en
error = l2t_send(tdev, skb, l2e);
if (error < 0)
kfree_skb(skb);
- return error;
+ return error < 0 ? error : 0;
}
int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
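Review bot: "return error < 0 ? error : 0;" maps every positive NET_XMIT_ value from l2t_send() to 0, so callers of iwch_l2t_send() can no longer tell a positive status apart from plain success. If that is intended, say so in a comment above the return. The same expression is repeated in iwch_cxgb3_ofld_send() in the next hunk; a small helper would keep the two in step.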
@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
error = cxgb3_ofld_send(tdev, skb);
if (error < 0)
kfree_skb(skb);
- return error;
+ return error < 0 ? error : 0;
}
static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)


@ -1,70 +0,0 @@
From: Tejun Heo <tj@kernel.org>
Date: Tue, 9 Feb 2016 18:14:48 -0500
Subject: Revert "workqueue: make sure delayed work run in local cpu"
Origin: http://mid.gmane.org/1455059690-18765-2-git-send-email-tj@kernel.org
This reverts commit 874bbfe600a660cba9c776b3957b1ce393151b76.
Workqueue used to implicity guarantee that work items queued without
explicit CPU specified are put on the local CPU. Recent changes in
timer broke the guarantee and led to vmstat breakage which was fixed
by 176bed1de5bf ("vmstat: explicitly schedule per-cpu work on the CPU
we need it to run on").
vmstat is the most likely to expose the issue and it's quite possible
that there are other similar problems which are a lot more difficult
to trigger. As a preventive measure, 874bbfe600a6 ("workqueue: make
sure delayed work run in local cpu") was applied to restore the local
CPU guarnatee. Unfortunately, the change exposed a bug in timer code
which got fixed by 22b886dd1018 ("timers: Use proper base migration in
add_timer_on()"). Due to code restructuring, the commit couldn't be
backported beyond certain point and stable kernels which only had
874bbfe600a6 started crashing.
The local CPU guarantee was accidental more than anything else and we
want to get rid of it anyway. As, with the vmstat case fixed,
874bbfe600a6 is causing more problems than it's fixing, it has been
decided to take the chance and officially break the guarantee by
reverting the commit. A debug feature will be added to force foreign
CPU assignment to expose cases relying on the guarantee and fixes for
the individual cases will be backported to stable as necessary.
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu")
Link: http://lkml.kernel.org/g/20160120211926.GJ10810@quack.suse.cz
Cc: stable@vger.kernel.org
Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: Daniel Bilik <daniel.bilik@neosystem.cz>
Cc: Jan Kara <jack@suse.cz>
Cc: Shaohua Li <shli@fb.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Daniel Bilik <daniel.bilik@neosystem.cz>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Michal Hocko <mhocko@kernel.org>
---
kernel/workqueue.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -1458,13 +1458,13 @@ static void __queue_delayed_work(int cpu
timer_stats_timer_set_start_info(&dwork->timer);
dwork->wq = wq;
- /* timer isn't guaranteed to run in this cpu, record earlier */
- if (cpu == WORK_CPU_UNBOUND)
- cpu = raw_smp_processor_id();
dwork->cpu = cpu;
timer->expires = jiffies + delay;
- add_timer_on(timer, cpu);
+ if (unlikely(cpu != WORK_CPU_UNBOUND))
+ add_timer_on(timer, cpu);
+ else
+ add_timer(timer);
}
/**
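Review bot: the revert deletes the comment along with the raw_smp_processor_id() assignment, so nothing in __queue_delayed_work() now says that a WORK_CPU_UNBOUND item goes through add_timer() and may run on a CPU other than the queueing one. Since the commit message calls this an intentional break of a guarantee that callers relied on, a one-line comment at the add_timer() branch telling callers to pass an explicit cpu when they need locality would save the next reader a trip through the history.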


@ -1,155 +0,0 @@
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Wed, 3 Feb 2016 02:11:03 +0100
Subject: unix: correctly track in-flight fds in sending process user_struct
Origin: https://git.kernel.org/linus/415e3d3e90ce9e18727e8843ae343eda5a58fad6
The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrary
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.
To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/af_unix.h | 4 ++--
include/net/scm.h | 1 +
net/core/scm.c | 7 +++++++
net/unix/af_unix.c | 4 ++--
net/unix/garbage.c | 8 ++++----
5 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 2a91a0561a47..9b4c418bebd8 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -6,8 +6,8 @@
#include <linux/mutex.h>
#include <net/sock.h>
-void unix_inflight(struct file *fp);
-void unix_notinflight(struct file *fp);
+void unix_inflight(struct user_struct *user, struct file *fp);
+void unix_notinflight(struct user_struct *user, struct file *fp);
void unix_gc(void);
void wait_for_unix_gc(void);
struct sock *unix_get_socket(struct file *filp);
diff --git a/include/net/scm.h b/include/net/scm.h
index 262532d111f5..59fa93c01d2a 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -21,6 +21,7 @@ struct scm_creds {
struct scm_fp_list {
short count;
short max;
+ struct user_struct *user;
struct file *fp[SCM_MAX_FD];
};
diff --git a/net/core/scm.c b/net/core/scm.c
index 14596fb37172..2696aefdc148 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
*fplp = fpl;
fpl->count = 0;
fpl->max = SCM_MAX_FD;
+ fpl->user = NULL;
}
fpp = &fpl->fp[fpl->count];
@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
*fpp++ = file;
fpl->count++;
}
+
+ if (!fpl->user)
+ fpl->user = get_uid(current_user());
+
return num;
}
@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm)
scm->fp = NULL;
for (i=fpl->count-1; i>=0; i--)
fput(fpl->fp[i]);
+ free_uid(fpl->user);
kfree(fpl);
}
}
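Review bot: free_uid(fpl->user) in __scm_destroy() is unconditional, while scm_fp_copy() sets fpl->user = NULL on allocation and only assigns it just before "return num". A list destroyed before that assignment reaches this call with NULL, so the code relies on free_uid() accepting a NULL pointer. Please note that in a comment here, or guard the call.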
@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
for (i = 0; i < fpl->count; i++)
get_file(fpl->fp[i]);
new_fpl->max = new_fpl->count;
+ new_fpl->user = get_uid(fpl->user);
}
return new_fpl;
}
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 49d5093eb055..29be035f9c65 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
UNIXCB(skb).fp = NULL;
for (i = scm->fp->count-1; i >= 0; i--)
- unix_notinflight(scm->fp->fp[i]);
+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
}
static void unix_destruct_scm(struct sk_buff *skb)
@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
return -ENOMEM;
for (i = scm->fp->count - 1; i >= 0; i--)
- unix_inflight(scm->fp->fp[i]);
+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
return max_level;
}
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 8fcdc2283af5..6a0d48525fcf 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp)
* descriptor if it is for an AF_UNIX socket.
*/
-void unix_inflight(struct file *fp)
+void unix_inflight(struct user_struct *user, struct file *fp)
{
struct sock *s = unix_get_socket(fp);
@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp)
}
unix_tot_inflight++;
}
- fp->f_cred->user->unix_inflight++;
+ user->unix_inflight++;
spin_unlock(&unix_gc_lock);
}
-void unix_notinflight(struct file *fp)
+void unix_notinflight(struct user_struct *user, struct file *fp)
{
struct sock *s = unix_get_socket(fp);
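Review bot: user->unix_inflight++ dereferences the new user argument with no check, and unix_notinflight() does the same for the decrement in the next hunk. Both callers shown pass scm->fp->user, so the counts balance only if that pointer is set before unix_attach_fds() runs and is the same object at detach time. Please document on the prototypes that user must be non-NULL and must be the sender's user_struct taken in scm_fp_copy(), since charging the wrong user is the bug being fixed.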
@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp)
list_del_init(&u->link);
unix_tot_inflight--;
}
- fp->f_cred->user->unix_inflight--;
+ user->unix_inflight--;
spin_unlock(&unix_gc_lock);
}


@ -1,67 +0,0 @@
From: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri, 23 Oct 2015 10:56:12 +0200
Subject: drm/i915: shut up gen8+ SDE irq dmesg noise
Origin: http://cgit.freedesktop.org/drm-intel/commit?id=97e5ed1111dcc5300a0f59a55248cd243937a8ab
We get tons of cases where the master interrupt handler apparently set
a bit, with the SDEIIR disagreeing. No idea what's going on there, but
it's consistent on gen8+, no one seems to care about it and it's
making CI results flaky.
Shut it up.
No idea what's going on here, but we've had fun with PCH interrupts
before:
commit 44498aea293b37af1d463acd9658cdce1ecdf427
Author: Paulo Zanoni <paulo.r.zanoni@intel.com>
Date: Fri Feb 22 17:05:28 2013 -0300
drm/i915: also disable south interrupts when handling them
Note that there's a regression report in Bugzilla, and other
regression reports on the mailing lists keep croping up. But no ill
effects have ever been reported. But for paranoia still keep the
message at a debug level as a breadcrumb, just in case.
This message was introduced in
commit 38cc46d73ed99dd7002f1406002e52d7975d16cc
Author: Oscar Mateo <oscar.mateo@intel.com>
Date: Mon Jun 16 16:10:59 2014 +0100
drm/i915/bdw: Ack interrupts before handling them (GEN8)
v2: Improve commit message a bit.
Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1445590572-23631-2-git-send-email-daniel.vetter@ffwll.ch
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80896
Acked-by: Mika Kuoppala <mika.kuoppala@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[bwh: Adjust context]
---
drivers/gpu/drm/i915/i915_irq.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int
spt_irq_handler(dev, pch_iir);
else
cpt_irq_handler(dev, pch_iir);
- } else
- DRM_ERROR("The master control interrupt lied (SDE)!\n");
-
+ } else {
+ /*
+ * Like on previous PCH there seems to be something
+ * fishy going on with forwarding PCH interrupts.
+ */
+ DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n");
+ }
}
I915_WRITE_FW(GEN8_MASTER_IRQ, GEN8_MASTER_IRQ_CONTROL);


@ -1,60 +0,0 @@
From: Thomas Hellstrom <thellstrom@vmware.com>
Date: Fri, 8 Jan 2016 20:29:40 +0100
Subject: drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates
Origin: https://git.kernel.org/linus/a50e2bf5a0f674d62b69f51f6935a30e82bd015c
When the framebuffer is a vmwgfx dma buffer and a proxy surface is
created, the vmw_kms_update_proxy() function requires that the proxy
surface width and the framebuffer pitch are compatible, otherwise
display corruption occurs as seen in gnome-shell/native with software
3D. Since the framebuffer pitch is determined by user-space, allocate
a proxy surface the width of which is based on the framebuffer pitch
rather than on the framebuffer width.
Cc: <stable@vger.kernel.org>
Reported-by: Raphael Hertzog <buxy@kali.org>
Tested-by: Mati Aharoni <muts@kali.org>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -725,21 +725,25 @@ static int vmw_create_dmabuf_proxy(struc
uint32_t format;
struct drm_vmw_size content_base_size;
struct vmw_resource *res;
+ unsigned int bytes_pp;
int ret;
switch (mode_cmd->depth) {
case 32:
case 24:
format = SVGA3D_X8R8G8B8;
+ bytes_pp = 4;
break;
case 16:
case 15:
format = SVGA3D_R5G6B5;
+ bytes_pp = 2;
break;
case 8:
format = SVGA3D_P8;
+ bytes_pp = 1;
break;
default:
@@ -747,7 +751,7 @@ static int vmw_create_dmabuf_proxy(struc
return -EINVAL;
}
- content_base_size.width = mode_cmd->width;
+ content_base_size.width = mode_cmd->pitch / bytes_pp;
content_base_size.height = mode_cmd->height;
content_base_size.depth = 1;


@ -1,58 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 19 Feb 2016 18:07:21 +0100
Subject: KVM: x86: fix conversion of addresses to linear in 32-bit protected
mode
Origin: https://git.kernel.org/linus/0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70
Commit e8dd2d2d641c ("Silence compiler warning in arch/x86/kvm/emulate.c",
2015-09-06) broke boot of the Hurd. The bug is that the "default:"
case actually could modify "la", but after the patch this change is
not reflected in *linear.
The bug is visible whenever a non-zero segment base causes the linear
address to wrap around the 4GB mark.
Fixes: e8dd2d2d641cb2724ee10e76c0ad02e04289c017
Cc: stable@vger.kernel.org
Reported-by: Aurelien Jarno <aurelien@aurel32.net>
Tested-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/emulate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 1505587..b9b09fe 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -650,10 +650,10 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
u16 sel;
la = seg_base(ctxt, addr.seg) + addr.ea;
- *linear = la;
*max_size = 0;
switch (mode) {
case X86EMUL_MODE_PROT64:
+ *linear = la;
if (is_noncanonical_address(la))
goto bad;
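Review bot: with `*linear = la;` removed from before `switch (mode)` and re-added inside `case X86EMUL_MODE_PROT64:`, the output parameter is now written only because each arm of the switch remembers to do it. Both arms currently store to it before their first `goto bad`, so behaviour on the error path is preserved, but a mode case added later could leave `*linear` unset. Suggest a short comment above the switch stating that every case must assign `*linear` before any exit.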
@@ -662,6 +662,7 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
goto bad;
break;
default:
+ *linear = la = (u32)la;
usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
addr.seg);
if (!usable)
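Review bot: `*linear = la = (u32)la;` moves the 32-bit truncation ahead of the segment checks that follow in the default case, whereas the `la &= (u32)-1;` removed in the next hunk ran after them. If any of those checks reads `la`, it now sees the wrapped value; that matches the 4GB wrap-around described in the commit message, but a one-line comment here saying the truncation is intentionally done first would document it. Splitting the chained assignment into two statements would also make the cast easier to spot.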
@@ -689,7 +690,6 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
if (size > *max_size)
goto bad;
}
- la &= (u32)-1;
break;
}
if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
--
2.7.0


@ -1,37 +0,0 @@
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date: Fri, 15 Jan 2016 14:28:39 +0100
Subject: btrfs: initialize the seq counter in struct btrfs_device
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.4/patches-4.4.3-rt9.tar.xz
I managed to trigger this:
| INFO: trying to register non-static key.
| the code is fine but needs lockdep annotation.
| turning off the locking correctness validator.
| CPU: 1 PID: 781 Comm: systemd-gpt-aut Not tainted 4.4.0-rt2+ #14
| Hardware name: ARM-Versatile Express
| [<80307cec>] (dump_stack)
| [<80070e98>] (__lock_acquire)
| [<8007184c>] (lock_acquire)
| [<80287800>] (btrfs_ioctl)
| [<8012a8d4>] (do_vfs_ioctl)
| [<8012ac14>] (SyS_ioctl)
so I think that btrfs_device_data_ordered_init() is not invoked behind
a macro somewhere.
Fixes: 7cc8e58d53cd ("Btrfs: fix unprotected device's variants on 32bits machine")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -232,6 +232,7 @@ static struct btrfs_device *__alloc_devi
spin_lock_init(&dev->reada_lock);
atomic_set(&dev->reada_in_flight, 0);
atomic_set(&dev->dev_stats_ccnt, 0);
+ btrfs_device_data_ordered_init(dev);
INIT_RADIX_TREE(&dev->reada_zones, GFP_NOFS & ~__GFP_DIRECT_RECLAIM);
INIT_RADIX_TREE(&dev->reada_extents, GFP_NOFS & ~__GFP_DIRECT_RECLAIM);
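Review bot: the added `btrfs_device_data_ordered_init(dev);` in `__alloc_device` carries no comment linking it to the lockdep "trying to register non-static key" report, and the commit message only says "I think" the initializer was not being invoked. Suggest naming in the changelog the allocation path that skipped the init, and adding a brief comment here that this initializes the seq counter named in the subject line, so the call is not dropped as redundant in a later cleanup.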

debian/patches/series vendored

@ -42,9 +42,6 @@ debian/snd-pcsp-disable-autoload.patch
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
# Arch bug fixes
bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch
bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
bugfix/x86/kvm-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
bugfix/mips/mips-math-emu-correctly-handle-nop-emulation.patch
# Arch features
@ -105,14 +102,6 @@ bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch
bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch
bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
bugfix/all/rt2x00-fix-monitor-mode-regression.patch
# Miscellaneous features
@ -128,12 +117,6 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch
bugfix/all/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
bugfix/all/genirq-Validate-action-before-dereferencing-it-in-ha.patch
bugfix/x86/x86-mm-page-align-the-_end-symbol-to-avoid-pfn-conve.patch
bugfix/x86/x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-n.patch
bugfix/x86/x86-efi-map-ram-into-the-identity-page-table-for-mix.patch
@ -141,8 +124,6 @@ bugfix/x86/x86-efi-hoist-page-table-switching-code-into-efi_cal.patch
bugfix/x86/x86-efi-build-our-own-page-table-structures.patch
bugfix/x86/x86-efi-setup-separate-efi-page-tables-in-kexec-path.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/iff_no_queue-fix-for-drivers-not-calling-ether_setup.patch
bugfix/arm/net-mv643xx_eth-fix-packet-corruption-with-tso-and-t.patch
bugfix/x86/x86-efi-bgrt-fix-kernel-panic-when-mapping-bgrt-data.patch
bugfix/x86/x86-efi-bgrt-replace-early_memremap-with-memremap.patch
bugfix/all/unix-correctly-track-in-flight-fds-in-sending-process-user_struct.patch


@ -15,7 +15,6 @@ features/all/rt/arm64-replace-read_lock-to-rcu-lock-in-call_step_hoo.patch
############################################################
# Stuff broken upstream, patches submitted
############################################################
features/all/rt/btrfs-initialize-the-seq-counter-in-struct-btrfs_dev.patch
features/all/rt/sched-use-tsk_cpus_allowed-instead-of-accessing-cpus.patch
features/all/rt/sched-provide-a-tsk_nr_cpus_allowed-helper.patch
features/all/rt/drivers-cpuidle-coupled-fix-warning-cpuidle_coupled_.patch