Update to 3.14.6
Drop patches applied upstream. Resolve textual conflicts in the rt patches. svn path=/dists/sid/linux/; revision=21413
This commit is contained in:
parent
ef9299159e
commit
2a5c1497c9
|
@ -1,4 +1,156 @@
|
|||
linux (3.14.5-2) UNRELEASED; urgency=medium
|
||||
linux (3.14.6-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.6
|
||||
- [mipsel] loongson2_cpufreq: Fix CPU clock rate setting
|
||||
(regression in 3.14)
|
||||
- rtmutex: Fix deadlock detector for real
|
||||
- kernfs: add back missing error check in kernfs_fop_mmap()
|
||||
(regression in 3.14)
|
||||
- coredump: fix va_list corruption (regression in 3.11)
|
||||
- mm: make fixup_user_fault() check the vma access rights too
|
||||
- serial: 8250: Fix thread unsafe __dma_tx_complete function
|
||||
- 8250_core: Fix unwanted TX chars write
|
||||
- iwlwifi: 7000: bump API to 9
|
||||
- timer: Prevent overflow in apply_slack
|
||||
- cfg80211: free sme on connection failures (regression in 3.11)
|
||||
- cfg80211: add cfg80211_sched_scan_stopped_rtnl (regression in 3.14)
|
||||
- mac80211: fix nested rtnl locking on ieee80211_reconfig
|
||||
(regression in 3.14)
|
||||
- mm, thp: close race between mremap() and split_huge_page()
|
||||
- [x86] mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()
|
||||
- hwpoison, hugetlb: lock_page/unlock_page does not match for handling a
|
||||
free hugepage
|
||||
- iwlwifi: mvm: delay enabling smart FIFO until after beacon RX
|
||||
(regression in 3.14)
|
||||
- aio: fix potential leak in aio_run_iocb().
|
||||
- Revert "hwmon: (coretemp) Refine TjMax detection"
|
||||
- hrtimer: Prevent remote enqueue of leftmost timers
|
||||
- hrtimer: Set expiry time before switch_hrtimer_base()
|
||||
- dm verity: fix biovecs hash calculation regression (regression in 3.14)
|
||||
- dm cache: fix writethrough mode quiescing in cache_map
|
||||
(regression in 3.13)
|
||||
- md/raid10: call wait_barrier() for each request submitted.
|
||||
(regression in 3.14)
|
||||
- PNP / ACPI: Do not return errors if _DIS or _SRS are not present
|
||||
(regression in 3.14)
|
||||
- ACPI / EC: Process rather than discard events in acpi_ec_clear
|
||||
(regression in 3.13.7, 3.14)
|
||||
- irqchip: armada-370-xp: fix invalid cast of signed value into unsigned
|
||||
variable (regression in 3.13)
|
||||
- irqchip: armada-370-xp: implement the ->check_device() msi_chip
|
||||
operation (regression in 3.13)
|
||||
- irqchip: armada-370-xp: Fix releasing of MSIs (regression in 3.13)
|
||||
- [x86] drm/i915: Allow user modes to exceed DVI 165MHz limit
|
||||
(regression in 3.14)
|
||||
- [x86] drm/i915: Don't check gmch state on inherited configs
|
||||
(regression in 3.13?)
|
||||
- [x86] drm/i915: Don't WARN nor handle unexpected hpd interrupts on gmch
|
||||
platforms (regression in 3.13)
|
||||
- [x86] drm/radeon: fix runpm handling on APUs (v4) (regression in 3.13)
|
||||
- drm/radeon: disable mclk dpm on R7 260X (regression in 3.14)
|
||||
- drm/radeon: add support for newer mc ucode on SI (v2)
|
||||
- drm/radeon: add support for newer mc ucode on CI (v2)
|
||||
- drm/radeon: re-enable mclk dpm on R7 260X asics
|
||||
- drm/radeon/uvd: use lower clocks on old UVD to boot v2
|
||||
(regression in 3.13)
|
||||
- drm/radeon: check buffer relocation offset
|
||||
- USB: Nokia 305 should be treated as unusual dev
|
||||
- USB: Nokia 5300 should be treated as unusual dev
|
||||
- Revert "Bluetooth: Enable autosuspend for Intel Bluetooth device"
|
||||
(regression in 3.14)
|
||||
- posix_acl: handle NULL ACL in posix_acl_equiv_mode
|
||||
- fs/affs/super.c: bugfix / double free (regression in 3.14)
|
||||
- [armel/orion5x] fix target ID for crypto SRAM window
|
||||
(regression in 3.12)
|
||||
- [armel/kirkwood]: dts: fix mislocated pcie-controller nodes
|
||||
(regression in 3.12)
|
||||
- [armhf/armmp-lpae] 8012/1: kdump: Avoid overflow when converting pfn to
|
||||
physaddr
|
||||
- drm/nouveau: fix another lock unbalance in nouveau_crtc_page_flip
|
||||
(regression in 3.11)
|
||||
- drm/i915/vlv: reset VLV media force wake request register
|
||||
(regression in 3.14?)
|
||||
- i40e: potential array underflow in i40e_vc_process_vf_msg()
|
||||
- igb: Fix Null-pointer dereference in igb_reset_q_vector
|
||||
(regression in 3.14)
|
||||
- igb: Unset IGB_FLAG_HAS_MSIX-flag when falling back to msi-only
|
||||
(regression in 3.14)
|
||||
- leds: leds-pwm: properly clean up after probe failure
|
||||
- device_cgroup: rework device access check and exception checking
|
||||
- device_cgroup: check if exception removal is allowed
|
||||
- media: media-device: fix infoleak in ioctl media_enum_entities()
|
||||
(CVE-2014-1739)
|
||||
- Input: Add INPUT_PROP_TOPBUTTONPAD device property
|
||||
- Input: synaptics - report INPUT_PROP_TOPBUTTONPAD property
|
||||
- e1000e: Fix no connectivity when driver loaded with cable out
|
||||
(regression in 3.12)
|
||||
- autofs: fix lockref lookup
|
||||
- vfs: fix races between __d_instantiate() and checks of dentry flags
|
||||
- ALSA: hda - hdmi: Set converter channel count even without sink
|
||||
(regression in 3.13)
|
||||
- NFSd: Move default initialisers from create_client() to alloc_client()
|
||||
- NFSd: call rpc_destroy_wait_queue() from free_client()
|
||||
- NFSD: Call ->set_acl with a NULL ACL structure if no entries
|
||||
- nfsd4: remove lockowner when removing lock stateid
|
||||
- workqueue: fix bugs in wq_update_unbound_numa() failure path
|
||||
- workqueue: fix a possible race condition between rescuer and pwq-release
|
||||
- [arm] mvebu: mvebu-soc-id: add missing clk_put() call
|
||||
(regression in 3.14)
|
||||
- [arm] mvebu: mvebu-soc-id: keep clock enabled if PCIe unit is enabled
|
||||
(regression in 3.14)
|
||||
- ASoC: dapm: Skip CODEC<->CODEC links in connect_dai_link_widgets()
|
||||
(regression in 3.14)
|
||||
- [hppa] ratelimit userspace segfault printing
|
||||
- [amd64] modify_ldt: Make support for 16-bit segments a runtime option
|
||||
- sysfs: make sure read buffer is zeroed (possible regression in 3.13)
|
||||
- Target/iser: Fix wrong connection requests list addition
|
||||
- Target/iser: Fix iscsit_accept_np and rdma_cm racy flow
|
||||
- iscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_out
|
||||
(regression in 3.11)
|
||||
- target: fix memory leak on XCOPY
|
||||
- [x86] drm/i915: Disable self-refresh for untiled fbs on i915gm
|
||||
(regression in 3.14)
|
||||
- [x86] drm/i915: move power domain init earlier during system resume
|
||||
(regression in 3.14?)
|
||||
- [x86] drm/i915: Fix unsafe loop iteration over vma whilst unbinding them
|
||||
(regression in 3.12)
|
||||
- iwlwifi: mvm: BT Coex - fix Look Up Table (regression in 3.13)
|
||||
- PCI: Wrong register used to check pending traffic (regression in 3.14)
|
||||
- dm crypt: fix cpu hotplug crash by removing per-cpu structure
|
||||
- dm thin: allow metadata commit if pool is in PM_OUT_OF_DATA_SPACE mode
|
||||
(regression in 3.14)
|
||||
- dm thin: add timeout to stop out-of-data-space mode holding IO forever
|
||||
- dmaengine: fix dmaengine_unmap failure
|
||||
- dma: mv_xor: Flush descriptors before activating a channel
|
||||
- tcm_fc: Fix free-after-use regression in ft_free_cmd
|
||||
(regression in 3.13)
|
||||
- ACPICA: Tables: Restore old behavor to favor 32-bit FADT addresses.
|
||||
(regression in 3.14)
|
||||
- ACPI: Revert "ACPI: Remove CONFIG_ACPI_PROCFS_POWER and cm_sbsc.c"
|
||||
(regression in 3.13)
|
||||
- ACPI: Revert "ACPI / Battery: Remove battery's proc directory"
|
||||
(regression in 3.13)
|
||||
- [x86] ACPI / video: Add use_native_backlight quirks for more systems
|
||||
- ACPI: Revert "ACPI / AC: convert ACPI ac driver to platform bus"
|
||||
(regression in 3.13)
|
||||
- [x86] ACPI / TPM: Fix resume regression on Chromebooks
|
||||
(regression in 3.14)
|
||||
- i2c: s3c2410: resume race fix
|
||||
- [x86] intel_pstate: Set turbo VID for BayTrail
|
||||
- [s390] crypto: fix aes,des ctr mode concurrency finding.
|
||||
- clk: Fix double free due to devm_clk_register()
|
||||
- clk: Fix slab corruption in clk_unregister()
|
||||
- [powerpc] powernv: Reset root port in firmware (regression in 3.14)
|
||||
- [powerpc] irq work racing with timer interrupt can result in timer
|
||||
interrupt hang (regression in 3.14)
|
||||
- [powerpc] kexec: Fix "Processor X is stuck" issue during kexec from ST
|
||||
mode (regression in 3.13)
|
||||
- spi: core: Ignore unsupported Dual/Quad Transfer Mode bits
|
||||
(regression in 3.12)
|
||||
- libceph: fix corruption when using page_count 0 page in rbd
|
||||
- media: V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel
|
||||
from user-space
|
||||
|
||||
[ Ian Campbell ]
|
||||
* [armhf] Enable VIRTIO_BALLOON and VIRTIO_PCI (Closes: #750742)
|
||||
|
|
|
@ -1,157 +0,0 @@
|
|||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Date: Mon, 12 May 2014 20:45:34 +0000
|
||||
Subject: futex: Add another early deadlock detection check
|
||||
Origin: https://git.kernel.org/linus/866293ee54227584ffcb4a42f69c1f365974ba7f
|
||||
|
||||
Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
|
||||
detection code of rtmutex:
|
||||
http://lkml.kernel.org/r/20140429151655.GA14277@redhat.com
|
||||
|
||||
That underlying issue has been fixed with a patch to the rtmutex code,
|
||||
but the futex code must not call into rtmutex in that case because
|
||||
- it can detect that issue early
|
||||
- it avoids a different and more complex fixup for backing out
|
||||
|
||||
If the user space variable got manipulated to 0x80000000 which means
|
||||
no lock holder, but the waiters bit set and an active pi_state in the
|
||||
kernel is found we can figure out the recursive locking issue by
|
||||
looking at the pi_state owner. If that is the current task, then we
|
||||
can safely return -EDEADLK.
|
||||
|
||||
The check should have been added in commit 59fa62451 (futex: Handle
|
||||
futex_pi OWNER_DIED take over correctly) already, but I did not see
|
||||
the above issue caused by user space manipulation back then.
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Dave Jones <davej@redhat.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Darren Hart <darren@dvhart.com>
|
||||
Cc: Davidlohr Bueso <davidlohr@hp.com>
|
||||
Cc: Steven Rostedt <rostedt@goodmis.org>
|
||||
Cc: Clark Williams <williams@redhat.com>
|
||||
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
|
||||
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
|
||||
Cc: Roland McGrath <roland@hack.frob.com>
|
||||
Cc: Carlos ODonell <carlos@redhat.com>
|
||||
Cc: Jakub Jelinek <jakub@redhat.com>
|
||||
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
|
||||
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
Link: http://lkml.kernel.org/r/20140512201701.097349971@linutronix.de
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
---
|
||||
kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 34 insertions(+), 13 deletions(-)
|
||||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -731,7 +731,8 @@ void exit_pi_state_list(struct task_stru
|
||||
|
||||
static int
|
||||
lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
|
||||
- union futex_key *key, struct futex_pi_state **ps)
|
||||
+ union futex_key *key, struct futex_pi_state **ps,
|
||||
+ struct task_struct *task)
|
||||
{
|
||||
struct futex_pi_state *pi_state = NULL;
|
||||
struct futex_q *this, *next;
|
||||
@@ -772,6 +773,16 @@ lookup_pi_state(u32 uval, struct futex_h
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Protect against a corrupted uval. If uval
|
||||
+ * is 0x80000000 then pid is 0 and the waiter
|
||||
+ * bit is set. So the deadlock check in the
|
||||
+ * calling code has failed and we did not fall
|
||||
+ * into the check above due to !pid.
|
||||
+ */
|
||||
+ if (task && pi_state->owner == task)
|
||||
+ return -EDEADLK;
|
||||
+
|
||||
atomic_inc(&pi_state->refcount);
|
||||
*ps = pi_state;
|
||||
|
||||
@@ -921,7 +932,7 @@ retry:
|
||||
* We dont have the lock. Look up the PI state (or create it if
|
||||
* we are the first waiter):
|
||||
*/
|
||||
- ret = lookup_pi_state(uval, hb, key, ps);
|
||||
+ ret = lookup_pi_state(uval, hb, key, ps, task);
|
||||
|
||||
if (unlikely(ret)) {
|
||||
switch (ret) {
|
||||
@@ -1333,7 +1344,7 @@ void requeue_pi_wake_futex(struct futex_
|
||||
*
|
||||
* Return:
|
||||
* 0 - failed to acquire the lock atomically;
|
||||
- * 1 - acquired the lock;
|
||||
+ * >0 - acquired the lock, return value is vpid of the top_waiter
|
||||
* <0 - error
|
||||
*/
|
||||
static int futex_proxy_trylock_atomic(u32 __user *pifutex,
|
||||
@@ -1344,7 +1355,7 @@ static int futex_proxy_trylock_atomic(u3
|
||||
{
|
||||
struct futex_q *top_waiter = NULL;
|
||||
u32 curval;
|
||||
- int ret;
|
||||
+ int ret, vpid;
|
||||
|
||||
if (get_futex_value_locked(&curval, pifutex))
|
||||
return -EFAULT;
|
||||
@@ -1372,11 +1383,13 @@ static int futex_proxy_trylock_atomic(u3
|
||||
* the contended case or if set_waiters is 1. The pi_state is returned
|
||||
* in ps in contended cases.
|
||||
*/
|
||||
+ vpid = task_pid_vnr(top_waiter->task);
|
||||
ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
|
||||
set_waiters);
|
||||
- if (ret == 1)
|
||||
+ if (ret == 1) {
|
||||
requeue_pi_wake_futex(top_waiter, key2, hb2);
|
||||
-
|
||||
+ return vpid;
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1407,7 +1420,6 @@ static int futex_requeue(u32 __user *uad
|
||||
struct futex_pi_state *pi_state = NULL;
|
||||
struct futex_hash_bucket *hb1, *hb2;
|
||||
struct futex_q *this, *next;
|
||||
- u32 curval2;
|
||||
|
||||
if (requeue_pi) {
|
||||
/*
|
||||
@@ -1495,16 +1507,25 @@ retry_private:
|
||||
* At this point the top_waiter has either taken uaddr2 or is
|
||||
* waiting on it. If the former, then the pi_state will not
|
||||
* exist yet, look it up one more time to ensure we have a
|
||||
- * reference to it.
|
||||
+ * reference to it. If the lock was taken, ret contains the
|
||||
+ * vpid of the top waiter task.
|
||||
*/
|
||||
- if (ret == 1) {
|
||||
+ if (ret > 0) {
|
||||
WARN_ON(pi_state);
|
||||
drop_count++;
|
||||
task_count++;
|
||||
- ret = get_futex_value_locked(&curval2, uaddr2);
|
||||
- if (!ret)
|
||||
- ret = lookup_pi_state(curval2, hb2, &key2,
|
||||
- &pi_state);
|
||||
+ /*
|
||||
+ * If we acquired the lock, then the user
|
||||
+ * space value of uaddr2 should be vpid. It
|
||||
+ * cannot be changed by the top waiter as it
|
||||
+ * is blocked on hb2 lock if it tries to do
|
||||
+ * so. If something fiddled with it behind our
|
||||
+ * back the pi state lookup might unearth
|
||||
+ * it. So we rather use the known value than
|
||||
+ * rereading and handing potential crap to
|
||||
+ * lookup_pi_state.
|
||||
+ */
|
||||
+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
|
||||
}
|
||||
|
||||
switch (ret) {
|
|
@ -1,95 +0,0 @@
|
|||
Date: Tue, 03 Jun 2014 12:27:07 -0000
|
||||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Subject: [patch 3/4] futex: Always cleanup owner tid in unlock_pi
|
||||
|
||||
If the owner died bit is set at futex_unlock_pi, we currently do not
|
||||
cleanup the user space futex. So the owner TID of the current owner
|
||||
(the unlocker) persists. That's observable inconsistant state,
|
||||
especially when the ownership of the pi state got transferred.
|
||||
|
||||
Clean it up unconditionally.
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Cc: Will Drewry <wad@chromium.org>
|
||||
Cc: Darren Hart <dvhart@linux.intel.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
kernel/futex.c | 44 ++++++++++++++++++++------------------------
|
||||
1 file changed, 20 insertions(+), 24 deletions(-)
|
||||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -1038,6 +1038,7 @@ static int wake_futex_pi(u32 __user *uad
|
||||
struct task_struct *new_owner;
|
||||
struct futex_pi_state *pi_state = this->pi_state;
|
||||
u32 uninitialized_var(curval), newval;
|
||||
+ int ret = 0;
|
||||
|
||||
if (!pi_state)
|
||||
return -EINVAL;
|
||||
@@ -1061,23 +1062,19 @@ static int wake_futex_pi(u32 __user *uad
|
||||
new_owner = this->task;
|
||||
|
||||
/*
|
||||
- * We pass it to the next owner. (The WAITERS bit is always
|
||||
- * kept enabled while there is PI state around. We must also
|
||||
- * preserve the owner died bit.)
|
||||
- */
|
||||
- if (!(uval & FUTEX_OWNER_DIED)) {
|
||||
- int ret = 0;
|
||||
-
|
||||
- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
|
||||
-
|
||||
- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
|
||||
- ret = -EFAULT;
|
||||
- else if (curval != uval)
|
||||
- ret = -EINVAL;
|
||||
- if (ret) {
|
||||
- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
|
||||
- return ret;
|
||||
- }
|
||||
+ * We pass it to the next owner. The WAITERS bit is always
|
||||
+ * kept enabled while there is PI state around. We cleanup the
|
||||
+ * owner died bit, because we are the owner.
|
||||
+ */
|
||||
+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
|
||||
+
|
||||
+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
|
||||
+ ret = -EFAULT;
|
||||
+ else if (curval != uval)
|
||||
+ ret = -EINVAL;
|
||||
+ if (ret) {
|
||||
+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
raw_spin_lock_irq(&pi_state->owner->pi_lock);
|
||||
@@ -2337,9 +2334,10 @@ retry:
|
||||
/*
|
||||
* To avoid races, try to do the TID -> 0 atomic transition
|
||||
* again. If it succeeds then we can return without waking
|
||||
- * anyone else up:
|
||||
+ * anyone else up. We only try this if neither the waiters nor
|
||||
+ * the owner died bit are set.
|
||||
*/
|
||||
- if (!(uval & FUTEX_OWNER_DIED) &&
|
||||
+ if (!(uval & ~FUTEX_TID_MASK) &&
|
||||
cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
|
||||
goto pi_faulted;
|
||||
/*
|
||||
@@ -2369,11 +2367,9 @@ retry:
|
||||
/*
|
||||
* No waiters - kernel unlocks the futex:
|
||||
*/
|
||||
- if (!(uval & FUTEX_OWNER_DIED)) {
|
||||
- ret = unlock_futex_pi(uaddr, uval);
|
||||
- if (ret == -EFAULT)
|
||||
- goto pi_faulted;
|
||||
- }
|
||||
+ ret = unlock_futex_pi(uaddr, uval);
|
||||
+ if (ret == -EFAULT)
|
||||
+ goto pi_faulted;
|
||||
|
||||
out_unlock:
|
||||
spin_unlock(&hb->lock);
|
|
@ -1,272 +0,0 @@
|
|||
Date: Tue, 03 Jun 2014 12:27:08 -0000
|
||||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Subject: [patch 4/4] futex: Make lookup_pi_state more robust
|
||||
|
||||
The current implementation of lookup_pi_state has ambigous handling of
|
||||
the TID value 0 in the user space futex. We can get into the kernel
|
||||
even if the TID value is 0, because either there is a stale waiters
|
||||
bit or the owner died bit is set or we are called from the requeue_pi
|
||||
path or from user space just for fun.
|
||||
|
||||
The current code avoids an explicit sanity check for pid = 0 in case
|
||||
that kernel internal state (waiters) are found for the user space
|
||||
address. This can lead to state leakage and worse under some
|
||||
circumstances.
|
||||
|
||||
Handle the cases explicit:
|
||||
|
||||
Waiter | pi_state | pi->owner | uTID | uODIED | ?
|
||||
|
||||
[1] NULL | --- | --- | 0 | 0/1 | Valid
|
||||
[2] NULL | --- | --- | >0 | 0/1 | Valid
|
||||
|
||||
[3] Found | NULL | -- | Any | 0/1 | Invalid
|
||||
|
||||
[4] Found | Found | NULL | 0 | 1 | Valid
|
||||
[5] Found | Found | NULL | >0 | 1 | Invalid
|
||||
|
||||
[6] Found | Found | task | 0 | 1 | Valid
|
||||
|
||||
[7] Found | Found | NULL | Any | 0 | Invalid
|
||||
|
||||
[8] Found | Found | task | ==taskTID | 0/1 | Valid
|
||||
[9] Found | Found | task | 0 | 0 | Invalid
|
||||
[10] Found | Found | task | !=taskTID | 0/1 | Invalid
|
||||
|
||||
[1] Indicates that the kernel can acquire the futex atomically. We
|
||||
came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
|
||||
|
||||
[2] Valid, if TID does not belong to a kernel thread. If no matching
|
||||
thread is found then it indicates that the owner TID has died.
|
||||
|
||||
[3] Invalid. The waiter is queued on a non PI futex
|
||||
|
||||
[4] Valid state after exit_robust_list(), which sets the user space
|
||||
value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
|
||||
|
||||
[5] The user space value got manipulated between exit_robust_list()
|
||||
and exit_pi_state_list()
|
||||
|
||||
[6] Valid state after exit_pi_state_list() which sets the new owner in
|
||||
the pi_state but cannot access the user space value.
|
||||
|
||||
[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
|
||||
|
||||
[8] Owner and user space value match
|
||||
|
||||
[9] There is no transient state which sets the user space TID to 0
|
||||
except exit_robust_list(), but this is indicated by the
|
||||
FUTEX_OWNER_DIED bit. See [4]
|
||||
|
||||
[10] There is no transient state which leaves owner and user space
|
||||
TID out of sync.
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Cc: Will Drewry <wad@chromium.org>
|
||||
Cc: Darren Hart <dvhart@linux.intel.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
kernel/futex.c | 134 +++++++++++++++++++++++++++++++++++++++++++++------------
|
||||
1 file changed, 106 insertions(+), 28 deletions(-)
|
||||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -729,10 +729,58 @@ void exit_pi_state_list(struct task_stru
|
||||
raw_spin_unlock_irq(&curr->pi_lock);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * We need to check the following states:
|
||||
+ *
|
||||
+ * Waiter | pi_state | pi->owner | uTID | uODIED | ?
|
||||
+ *
|
||||
+ * [1] NULL | --- | --- | 0 | 0/1 | Valid
|
||||
+ * [2] NULL | --- | --- | >0 | 0/1 | Valid
|
||||
+ *
|
||||
+ * [3] Found | NULL | -- | Any | 0/1 | Invalid
|
||||
+ *
|
||||
+ * [4] Found | Found | NULL | 0 | 1 | Valid
|
||||
+ * [5] Found | Found | NULL | >0 | 1 | Invalid
|
||||
+ *
|
||||
+ * [6] Found | Found | task | 0 | 1 | Valid
|
||||
+ *
|
||||
+ * [7] Found | Found | NULL | Any | 0 | Invalid
|
||||
+ *
|
||||
+ * [8] Found | Found | task | ==taskTID | 0/1 | Valid
|
||||
+ * [9] Found | Found | task | 0 | 0 | Invalid
|
||||
+ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid
|
||||
+ *
|
||||
+ * [1] Indicates that the kernel can acquire the futex atomically. We
|
||||
+ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
|
||||
+ *
|
||||
+ * [2] Valid, if TID does not belong to a kernel thread. If no matching
|
||||
+ * thread is found then it indicates that the owner TID has died.
|
||||
+ *
|
||||
+ * [3] Invalid. The waiter is queued on a non PI futex
|
||||
+ *
|
||||
+ * [4] Valid state after exit_robust_list(), which sets the user space
|
||||
+ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
|
||||
+ *
|
||||
+ * [5] The user space value got manipulated between exit_robust_list()
|
||||
+ * and exit_pi_state_list()
|
||||
+ *
|
||||
+ * [6] Valid state after exit_pi_state_list() which sets the new owner in
|
||||
+ * the pi_state but cannot access the user space value.
|
||||
+ *
|
||||
+ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
|
||||
+ *
|
||||
+ * [8] Owner and user space value match
|
||||
+ *
|
||||
+ * [9] There is no transient state which sets the user space TID to 0
|
||||
+ * except exit_robust_list(), but this is indicated by the
|
||||
+ * FUTEX_OWNER_DIED bit. See [4]
|
||||
+ *
|
||||
+ * [10] There is no transient state which leaves owner and user space
|
||||
+ * TID out of sync.
|
||||
+ */
|
||||
static int
|
||||
lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
|
||||
- union futex_key *key, struct futex_pi_state **ps,
|
||||
- struct task_struct *task)
|
||||
+ union futex_key *key, struct futex_pi_state **ps)
|
||||
{
|
||||
struct futex_pi_state *pi_state = NULL;
|
||||
struct futex_q *this, *next;
|
||||
@@ -742,12 +790,13 @@ lookup_pi_state(u32 uval, struct futex_h
|
||||
plist_for_each_entry_safe(this, next, &hb->chain, list) {
|
||||
if (match_futex(&this->key, key)) {
|
||||
/*
|
||||
- * Another waiter already exists - bump up
|
||||
- * the refcount and return its pi_state:
|
||||
+ * Sanity check the waiter before increasing
|
||||
+ * the refcount and attaching to it.
|
||||
*/
|
||||
pi_state = this->pi_state;
|
||||
/*
|
||||
- * Userspace might have messed up non-PI and PI futexes
|
||||
+ * Userspace might have messed up non-PI and
|
||||
+ * PI futexes [3]
|
||||
*/
|
||||
if (unlikely(!pi_state))
|
||||
return -EINVAL;
|
||||
@@ -755,44 +804,70 @@ lookup_pi_state(u32 uval, struct futex_h
|
||||
WARN_ON(!atomic_read(&pi_state->refcount));
|
||||
|
||||
/*
|
||||
- * When pi_state->owner is NULL then the owner died
|
||||
- * and another waiter is on the fly. pi_state->owner
|
||||
- * is fixed up by the task which acquires
|
||||
- * pi_state->rt_mutex.
|
||||
- *
|
||||
- * We do not check for pid == 0 which can happen when
|
||||
- * the owner died and robust_list_exit() cleared the
|
||||
- * TID.
|
||||
+ * Handle the owner died case:
|
||||
*/
|
||||
- if (pid && pi_state->owner) {
|
||||
+ if (uval & FUTEX_OWNER_DIED) {
|
||||
/*
|
||||
- * Bail out if user space manipulated the
|
||||
- * futex value.
|
||||
+ * exit_pi_state_list sets owner to NULL and
|
||||
+ * wakes the topmost waiter. The task which
|
||||
+ * acquires the pi_state->rt_mutex will fixup
|
||||
+ * owner.
|
||||
*/
|
||||
- if (pid != task_pid_vnr(pi_state->owner))
|
||||
+ if (!pi_state->owner) {
|
||||
+ /*
|
||||
+ * No pi state owner, but the user
|
||||
+ * space TID is not 0. Inconsistent
|
||||
+ * state. [5]
|
||||
+ */
|
||||
+ if (pid)
|
||||
+ return -EINVAL;
|
||||
+ /*
|
||||
+ * Take a ref on the state and
|
||||
+ * return. [4]
|
||||
+ */
|
||||
+ goto out_state;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If TID is 0, then either the dying owner
|
||||
+ * has not yet executed exit_pi_state_list()
|
||||
+ * or some waiter acquired the rtmutex in the
|
||||
+ * pi state, but did not yet fixup the TID in
|
||||
+ * user space.
|
||||
+ *
|
||||
+ * Take a ref on the state and return. [6]
|
||||
+ */
|
||||
+ if (!pid)
|
||||
+ goto out_state;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * If the owner died bit is not set,
|
||||
+ * then the pi_state must have an
|
||||
+ * owner. [7]
|
||||
+ */
|
||||
+ if (!pi_state->owner)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/*
|
||||
- * Protect against a corrupted uval. If uval
|
||||
- * is 0x80000000 then pid is 0 and the waiter
|
||||
- * bit is set. So the deadlock check in the
|
||||
- * calling code has failed and we did not fall
|
||||
- * into the check above due to !pid.
|
||||
+ * Bail out if user space manipulated the
|
||||
+ * futex value. If pi state exists then the
|
||||
+ * owner TID must be the same as the user
|
||||
+ * space TID. [9/10]
|
||||
*/
|
||||
- if (task && pi_state->owner == task)
|
||||
- return -EDEADLK;
|
||||
+ if (pid != task_pid_vnr(pi_state->owner))
|
||||
+ return -EINVAL;
|
||||
|
||||
+ out_state:
|
||||
atomic_inc(&pi_state->refcount);
|
||||
*ps = pi_state;
|
||||
-
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* We are the first waiter - try to look up the real owner and attach
|
||||
- * the new pi_state to it, but bail out when TID = 0
|
||||
+ * the new pi_state to it, but bail out when TID = 0 [1]
|
||||
*/
|
||||
if (!pid)
|
||||
return -ESRCH;
|
||||
@@ -825,6 +900,9 @@ lookup_pi_state(u32 uval, struct futex_h
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * No existing pi state. First waiter. [2]
|
||||
+ */
|
||||
pi_state = alloc_pi_state();
|
||||
|
||||
/*
|
||||
@@ -945,7 +1023,7 @@ retry:
|
||||
* We dont have the lock. Look up the PI state (or create it if
|
||||
* we are the first waiter):
|
||||
*/
|
||||
- ret = lookup_pi_state(uval, hb, key, ps, task);
|
||||
+ ret = lookup_pi_state(uval, hb, key, ps);
|
||||
|
||||
if (unlikely(ret)) {
|
||||
switch (ret) {
|
||||
@@ -1551,7 +1629,7 @@ retry_private:
|
||||
* rereading and handing potential crap to
|
||||
* lookup_pi_state.
|
||||
*/
|
||||
- ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
|
||||
+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
|
||||
}
|
||||
|
||||
switch (ret) {
|
|
@ -1,50 +0,0 @@
|
|||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Date: Mon, 12 May 2014 20:45:35 +0000
|
||||
Subject: futex: Prevent attaching to kernel threads
|
||||
Origin: https://git.kernel.org/linus/f0d71b3dcb8332f7971b5f2363632573e6d9486a
|
||||
|
||||
We happily allow userspace to declare a random kernel thread to be the
|
||||
owner of a user space PI futex.
|
||||
|
||||
Found while analysing the fallout of Dave Jones syscall fuzzer.
|
||||
|
||||
We also should validate the thread group for private futexes and find
|
||||
some fast way to validate whether the "alleged" owner has RW access on
|
||||
the file which backs the SHM, but that's a separate issue.
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Dave Jones <davej@redhat.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Darren Hart <darren@dvhart.com>
|
||||
Cc: Davidlohr Bueso <davidlohr@hp.com>
|
||||
Cc: Steven Rostedt <rostedt@goodmis.org>
|
||||
Cc: Clark Williams <williams@redhat.com>
|
||||
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
|
||||
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
|
||||
Cc: Roland McGrath <roland@hack.frob.com>
|
||||
Cc: Carlos ODonell <carlos@redhat.com>
|
||||
Cc: Jakub Jelinek <jakub@redhat.com>
|
||||
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
|
||||
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
kernel/futex.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -800,6 +800,11 @@ lookup_pi_state(u32 uval, struct futex_h
|
||||
if (!p)
|
||||
return -ESRCH;
|
||||
|
||||
+ if (!p->mm) {
|
||||
+ put_task_struct(p);
|
||||
+ return -EPERM;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We need to look at the task state flags to figure out,
|
||||
* whether the task is exiting. To protect against the do_exit
|
|
@ -1,50 +0,0 @@
|
|||
Date: Tue, 03 Jun 2014 12:27:06 -0000
|
||||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Subject: [patch 2/4] futex: Validate atomic acquisition in
|
||||
futex_lock_pi_atomic()
|
||||
|
||||
We need to protect the atomic acquisition in the kernel against rogue
|
||||
user space which sets the user space futex to 0, so the kernel side
|
||||
acquisition succeeds while there is existing state in the kernel
|
||||
associated to the real owner.
|
||||
|
||||
Verify whether the futex has waiters associated with kernel state. If
|
||||
it has, return -EINVAL. The state is corrupted already, so no point in
|
||||
cleaning it up. Subsequent calls will fail as well. Not our problem.
|
||||
|
||||
[ tglx: Use futex_top_waiter() and explain why we do not need to try
|
||||
restoring the already corrupted user space state. ]
|
||||
|
||||
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
|
||||
Cc: Kees Cook <keescook@chromium.org>
|
||||
Cc: Will Drewry <wad@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
---
|
||||
kernel/futex.c | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -896,10 +896,18 @@ retry:
|
||||
return -EDEADLK;
|
||||
|
||||
/*
|
||||
- * Surprise - we got the lock. Just return to userspace:
|
||||
+ * Surprise - we got the lock, but we do not trust user space at all.
|
||||
*/
|
||||
- if (unlikely(!curval))
|
||||
- return 1;
|
||||
+ if (unlikely(!curval)) {
|
||||
+ /*
|
||||
+ * We verify whether there is kernel state for this
|
||||
+ * futex. If not, we can safely assume, that the 0 ->
|
||||
+ * TID transition is correct. If state exists, we do
|
||||
+ * not bother to fixup the user space state as it was
|
||||
+ * corrupted already.
|
||||
+ */
|
||||
+ return futex_top_waiter(hb, key) ? -EINVAL : 1;
|
||||
+ }
|
||||
|
||||
uval = curval;
|
||||
|
|
@ -1,76 +0,0 @@
|
|||
Date: Tue, 03 Jun 2014 12:27:06 -0000
|
||||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Subject: [patch 1/4] futex-prevent-requeue-pi-on-same-futex.patch futex:
|
||||
Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
|
||||
|
||||
If uaddr == uaddr2, then we have broken the rule of only requeueing
|
||||
from a non-pi futex to a pi futex with this call. If we attempt this,
|
||||
then dangling pointers may be left for rt_waiter resulting in an
|
||||
exploitable condition.
|
||||
|
||||
This change brings futex_requeue() into line with
|
||||
futex_wait_requeue_pi() which performs the same check as per commit
|
||||
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
|
||||
|
||||
[ tglx: Compare the resulting keys as well, as uaddrs might be
|
||||
different depending on the mapping ]
|
||||
|
||||
Fixes CVE-2014-3153.
|
||||
|
||||
Reported-by: Pinkie Pie
|
||||
Signed-off-by: Will Drewry <wad@chromium.org>
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
---
|
||||
kernel/futex.c | 25 +++++++++++++++++++++++++
|
||||
1 file changed, 25 insertions(+)
|
||||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -1428,6 +1428,13 @@ static int futex_requeue(u32 __user *uad
|
||||
|
||||
if (requeue_pi) {
|
||||
/*
|
||||
+ * Requeue PI only works on two distinct uaddrs. This
|
||||
+ * check is only valid for private futexes. See below.
|
||||
+ */
|
||||
+ if (uaddr1 == uaddr2)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ /*
|
||||
* requeue_pi requires a pi_state, try to allocate it now
|
||||
* without any locks in case it fails.
|
||||
*/
|
||||
@@ -1465,6 +1472,15 @@ retry:
|
||||
if (unlikely(ret != 0))
|
||||
goto out_put_key1;
|
||||
|
||||
+ /*
|
||||
+ * The check above which compares uaddrs is not sufficient for
|
||||
+ * shared futexes. We need to compare the keys:
|
||||
+ */
|
||||
+ if (requeue_pi && match_futex(&key1, &key2)) {
|
||||
+ ret = -EINVAL;
|
||||
+ goto out_put_keys;
|
||||
+ }
|
||||
+
|
||||
hb1 = hash_futex(&key1);
|
||||
hb2 = hash_futex(&key2);
|
||||
|
||||
@@ -2511,6 +2527,15 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
if (ret)
|
||||
goto out_key2;
|
||||
|
||||
+ /*
|
||||
+ * The check above which compares uaddrs is not sufficient for
|
||||
+ * shared futexes. We need to compare the keys:
|
||||
+ */
|
||||
+ if (match_futex(&q.key, &key2)) {
|
||||
+ ret = -EINVAL;
|
||||
+ goto out_put_keys;
|
||||
+ }
|
||||
+
|
||||
/* Queue the futex_q, drop the hb lock, wait for wakeup. */
|
||||
futex_wait_queue_me(hb, &q, to);
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
From: Lv Zheng <lv.zheng@intel.com>
|
||||
Date: Wed, 30 Apr 2014 10:05:40 +0800
|
||||
Subject: ACPICA: Tables: Fix invalid pointer accesses in
|
||||
acpi_tb_parse_root_table().
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git/commit?id=d48dc067450d84324067f4472dc0b169e9af4454
|
||||
Bug-Debian: https://bugs.debian.org/748574
|
||||
|
||||
Linux XSDT validation mechanism backport has introduced a regreession:
|
||||
Commit: 671cc68dc61f029d44b43a681356078e02d8dab8
|
||||
Subject: ACPICA: Back port and refine validation of the XSDT root table.
|
||||
There is a pointer still accessed after unmapping.
|
||||
|
||||
This patch fixes this issue. Lv Zheng.
|
||||
|
||||
Fixes: 671cc68dc61f (ACPICA: Back port and refine validation of the XSDT root table.)
|
||||
References: https://bugzilla.kernel.org/show_bug.cgi?id=73911
|
||||
References: https://bugs.archlinux.org/task/39811
|
||||
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
|
||||
Reported-and-tested-by: Bruce Chiarelli <mano155@gmail.com>
|
||||
Reported-and-tested-by: Spyros Stathopoulos <spystath@gmail.com>
|
||||
Signed-off-by: Bob Moore <robert.moore@intel.com>
|
||||
Cc: 3.14+ <stable@vger.kernel.org> # 3.14+
|
||||
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
|
||||
---
|
||||
drivers/acpi/acpica/tbutils.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/acpi/acpica/tbutils.c b/drivers/acpi/acpica/tbutils.c
|
||||
index a4702ee..9fb85f3 100644
|
||||
--- a/drivers/acpi/acpica/tbutils.c
|
||||
+++ b/drivers/acpi/acpica/tbutils.c
|
||||
@@ -461,6 +461,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
|
||||
u32 table_count;
|
||||
struct acpi_table_header *table;
|
||||
acpi_physical_address address;
|
||||
+ acpi_physical_address rsdt_address;
|
||||
u32 length;
|
||||
u8 *table_entry;
|
||||
acpi_status status;
|
||||
@@ -488,11 +489,14 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
|
||||
* as per the ACPI specification.
|
||||
*/
|
||||
address = (acpi_physical_address) rsdp->xsdt_physical_address;
|
||||
+ rsdt_address =
|
||||
+ (acpi_physical_address) rsdp->rsdt_physical_address;
|
||||
table_entry_size = ACPI_XSDT_ENTRY_SIZE;
|
||||
} else {
|
||||
/* Root table is an RSDT (32-bit physical addresses) */
|
||||
|
||||
address = (acpi_physical_address) rsdp->rsdt_physical_address;
|
||||
+ rsdt_address = address;
|
||||
table_entry_size = ACPI_RSDT_ENTRY_SIZE;
|
||||
}
|
||||
|
||||
@@ -515,8 +519,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
|
||||
|
||||
/* Fall back to the RSDT */
|
||||
|
||||
- address =
|
||||
- (acpi_physical_address) rsdp->rsdt_physical_address;
|
||||
+ address = rsdt_address;
|
||||
table_entry_size = ACPI_RSDT_ENTRY_SIZE;
|
||||
}
|
||||
}
|
|
@ -11,6 +11,8 @@ This patch moves the invokation into a process context so that we only
|
|||
wakeup() a process while holding the lock.
|
||||
|
||||
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
[bwh: Adjust context to apply after commit 01f8fa4f01d8 ('genirq: Allow
|
||||
forcing cpu affinity of interrupts') in 3.14.6]
|
||||
---
|
||||
include/linux/interrupt.h | 1
|
||||
kernel/irq/manage.c | 79 ++++++++++++++++++++++++++++++++++++++++++++--
|
||||
|
@ -18,7 +20,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|||
|
||||
--- a/include/linux/interrupt.h
|
||||
+++ b/include/linux/interrupt.h
|
||||
@@ -224,6 +224,7 @@ struct irq_affinity_notify {
|
||||
@@ -257,6 +257,7 @@ struct irq_affinity_notify {
|
||||
unsigned int irq;
|
||||
struct kref kref;
|
||||
struct work_struct work;
|
||||
|
@ -88,10 +90,10 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|||
+
|
||||
+#endif
|
||||
+
|
||||
int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask)
|
||||
int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
|
||||
bool force)
|
||||
{
|
||||
struct irq_chip *chip = irq_data_get_irq_chip(data);
|
||||
@@ -182,7 +238,17 @@ int __irq_set_affinity_locked(struct irq
|
||||
@@ -183,7 +239,17 @@ int irq_set_affinity_locked(struct irq_d
|
||||
|
||||
if (desc->affinity_notify) {
|
||||
kref_get(&desc->affinity_notify->kref);
|
||||
|
@ -109,7 +111,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|||
}
|
||||
irqd_set(data, IRQD_AFFINITY_SET);
|
||||
|
||||
@@ -223,10 +289,8 @@ int irq_set_affinity_hint(unsigned int i
|
||||
@@ -218,10 +284,8 @@ int irq_set_affinity_hint(unsigned int i
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(irq_set_affinity_hint);
|
||||
|
||||
|
@ -121,7 +123,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|||
struct irq_desc *desc = irq_to_desc(notify->irq);
|
||||
cpumask_var_t cpumask;
|
||||
unsigned long flags;
|
||||
@@ -248,6 +312,13 @@ static void irq_affinity_notify(struct w
|
||||
@@ -243,6 +307,13 @@ out:
|
||||
kref_put(¬ify->kref, notify->release);
|
||||
}
|
||||
|
||||
|
@ -135,7 +137,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|||
/**
|
||||
* irq_set_affinity_notifier - control notification of IRQ affinity changes
|
||||
* @irq: Interrupt for which to enable/disable notification
|
||||
@@ -277,6 +348,8 @@ irq_set_affinity_notifier(unsigned int i
|
||||
@@ -272,6 +343,8 @@ irq_set_affinity_notifier(unsigned int i
|
||||
notify->irq = irq;
|
||||
kref_init(¬ify->kref);
|
||||
INIT_WORK(¬ify->work, irq_affinity_notify);
|
||||
|
|
|
@ -359,7 +359,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
|
||||
/*
|
||||
* The timer bases:
|
||||
@@ -998,6 +999,17 @@ int __hrtimer_start_range_ns(struct hrti
|
||||
@@ -1017,6 +1018,17 @@ int __hrtimer_start_range_ns(struct hrti
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -376,8 +376,8 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
+
|
||||
hrtimer_set_expires_range_ns(timer, tim, delta_ns);
|
||||
|
||||
timer_stats_hrtimer_set_start_info(timer);
|
||||
@@ -1276,6 +1288,8 @@ static void __run_hrtimer(struct hrtimer
|
||||
/* Switch the timer base, if necessary: */
|
||||
@@ -1298,6 +1310,8 @@ static void __run_hrtimer(struct hrtimer
|
||||
|
||||
#ifdef CONFIG_HIGH_RES_TIMERS
|
||||
|
||||
|
@ -386,7 +386,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
/*
|
||||
* High resolution timer interrupt
|
||||
* Called with interrupts disabled
|
||||
@@ -1319,6 +1333,15 @@ void hrtimer_interrupt(struct clock_even
|
||||
@@ -1341,6 +1355,15 @@ retry:
|
||||
|
||||
timer = container_of(node, struct hrtimer, node);
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
|
||||
--- a/kernel/futex.c
|
||||
+++ b/kernel/futex.c
|
||||
@@ -1585,6 +1585,16 @@ static int futex_requeue(u32 __user *uad
|
||||
@@ -1710,6 +1710,16 @@ retry_private:
|
||||
requeue_pi_wake_futex(this, &key2, hb2);
|
||||
drop_count++;
|
||||
continue;
|
||||
|
@ -29,7 +29,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
} else if (ret) {
|
||||
/* -EDEADLK */
|
||||
this->pi_state = NULL;
|
||||
@@ -2439,7 +2449,7 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
@@ -2563,7 +2573,7 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
struct hrtimer_sleeper timeout, *to = NULL;
|
||||
struct rt_mutex_waiter rt_waiter;
|
||||
struct rt_mutex *pi_mutex = NULL;
|
||||
|
@ -38,7 +38,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
union futex_key key2 = FUTEX_KEY_INIT;
|
||||
struct futex_q q = futex_q_init;
|
||||
int res, ret;
|
||||
@@ -2488,20 +2498,55 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
@@ -2621,20 +2631,55 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
/* Queue the futex_q, drop the hb lock, wait for wakeup. */
|
||||
futex_wait_queue_me(hb, &q, to);
|
||||
|
||||
|
@ -105,7 +105,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
|
||||
/* Check if the requeue code acquired the second futex for us. */
|
||||
if (!q.rt_waiter) {
|
||||
@@ -2510,9 +2555,10 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
@@ -2643,9 +2688,10 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
* did a lock-steal - fix up the PI-state in that case.
|
||||
*/
|
||||
if (q.pi_state && (q.pi_state->owner != current)) {
|
||||
|
@ -118,7 +118,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
}
|
||||
} else {
|
||||
/*
|
||||
@@ -2525,7 +2571,8 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
@@ -2658,7 +2704,8 @@ static int futex_wait_requeue_pi(u32 __u
|
||||
ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
|
||||
debug_rt_mutex_free_waiter(&rt_waiter);
|
||||
|
||||
|
@ -151,8 +151,8 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
goto out_unlock_pi;
|
||||
|
||||
/*
|
||||
@@ -528,6 +533,23 @@ static int task_blocks_on_rt_mutex(struc
|
||||
int chain_walk = 0, res;
|
||||
@@ -552,6 +557,23 @@ static int task_blocks_on_rt_mutex(struc
|
||||
return -EDEADLK;
|
||||
|
||||
raw_spin_lock_irqsave(&task->pi_lock, flags);
|
||||
+
|
||||
|
@ -175,7 +175,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
__rt_mutex_adjust_prio(task);
|
||||
waiter->task = task;
|
||||
waiter->lock = lock;
|
||||
@@ -551,7 +573,7 @@ static int task_blocks_on_rt_mutex(struc
|
||||
@@ -575,7 +597,7 @@ static int task_blocks_on_rt_mutex(struc
|
||||
rt_mutex_enqueue_pi(owner, waiter);
|
||||
|
||||
__rt_mutex_adjust_prio(owner);
|
||||
|
@ -184,7 +184,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
chain_walk = 1;
|
||||
raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
|
||||
}
|
||||
@@ -645,7 +667,7 @@ static void remove_waiter(struct rt_mute
|
||||
@@ -669,7 +691,7 @@ static void remove_waiter(struct rt_mute
|
||||
}
|
||||
__rt_mutex_adjust_prio(owner);
|
||||
|
||||
|
@ -193,7 +193,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
chain_walk = 1;
|
||||
|
||||
raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
|
||||
@@ -677,7 +699,7 @@ void rt_mutex_adjust_pi(struct task_stru
|
||||
@@ -701,7 +723,7 @@ void rt_mutex_adjust_pi(struct task_stru
|
||||
raw_spin_lock_irqsave(&task->pi_lock, flags);
|
||||
|
||||
waiter = task->pi_blocked_on;
|
||||
|
|
|
@ -83,15 +83,8 @@ features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
|
|||
features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
|
||||
debian/libata-avoid-abi-change-in-3.14.4.patch
|
||||
debian/dm-avoid-abi-change-in-3.14.4.patch
|
||||
bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
|
||||
debian/net-revert-lockdep-changes-in-3.14.5.patch
|
||||
debian/sockdiag-avoid-abi-change-in-3.14.5.patch
|
||||
debian/target-avoid-abi-change-in-3.14.5.patch
|
||||
debian/netfilter-avoid-abi-change-in-3.14.5.patch
|
||||
bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch
|
||||
bugfix/all/futex-Add-another-early-deadlock-detection-check.patch
|
||||
bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch
|
||||
bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch
|
||||
bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
|
||||
bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch
|
||||
bugfix/all/futex-Make-lookup_pi_state-more-robust.patch
|
||||
|
|
Loading…
Reference in New Issue