Update to 3.14.6

Drop patches applied upstream.

Resolve textual conflicts in the rt patches.

svn path=/dists/sid/linux/; revision=21413
Ben Hutchings 2014-06-08 19:28:12 +00:00
parent ef9299159e
commit 2a5c1497c9
12 changed files with 176 additions and 793 deletions

debian/changelog

@ -1,4 +1,156 @@
linux (3.14.5-2) UNRELEASED; urgency=medium
linux (3.14.6-1) UNRELEASED; urgency=medium
* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.6
- [mipsel] loongson2_cpufreq: Fix CPU clock rate setting
(regression in 3.14)
- rtmutex: Fix deadlock detector for real
- kernfs: add back missing error check in kernfs_fop_mmap()
(regression in 3.14)
- coredump: fix va_list corruption (regression in 3.11)
- mm: make fixup_user_fault() check the vma access rights too
- serial: 8250: Fix thread unsafe __dma_tx_complete function
- 8250_core: Fix unwanted TX chars write
- iwlwifi: 7000: bump API to 9
- timer: Prevent overflow in apply_slack
- cfg80211: free sme on connection failures (regression in 3.11)
- cfg80211: add cfg80211_sched_scan_stopped_rtnl (regression in 3.14)
- mac80211: fix nested rtnl locking on ieee80211_reconfig
(regression in 3.14)
- mm, thp: close race between mremap() and split_huge_page()
- [x86] mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()
- hwpoison, hugetlb: lock_page/unlock_page does not match for handling a
free hugepage
- iwlwifi: mvm: delay enabling smart FIFO until after beacon RX
(regression in 3.14)
- aio: fix potential leak in aio_run_iocb().
- Revert "hwmon: (coretemp) Refine TjMax detection"
- hrtimer: Prevent remote enqueue of leftmost timers
- hrtimer: Set expiry time before switch_hrtimer_base()
- dm verity: fix biovecs hash calculation regression (regression in 3.14)
- dm cache: fix writethrough mode quiescing in cache_map
(regression in 3.13)
- md/raid10: call wait_barrier() for each request submitted.
(regression in 3.14)
- PNP / ACPI: Do not return errors if _DIS or _SRS are not present
(regression in 3.14)
- ACPI / EC: Process rather than discard events in acpi_ec_clear
(regression in 3.13.7, 3.14)
- irqchip: armada-370-xp: fix invalid cast of signed value into unsigned
variable (regression in 3.13)
- irqchip: armada-370-xp: implement the ->check_device() msi_chip
operation (regression in 3.13)
- irqchip: armada-370-xp: Fix releasing of MSIs (regression in 3.13)
- [x86] drm/i915: Allow user modes to exceed DVI 165MHz limit
(regression in 3.14)
- [x86] drm/i915: Don't check gmch state on inherited configs
(regression in 3.13?)
- [x86] drm/i915: Don't WARN nor handle unexpected hpd interrupts on gmch
platforms (regression in 3.13)
- [x86] drm/radeon: fix runpm handling on APUs (v4) (regression in 3.13)
- drm/radeon: disable mclk dpm on R7 260X (regression in 3.14)
- drm/radeon: add support for newer mc ucode on SI (v2)
- drm/radeon: add support for newer mc ucode on CI (v2)
- drm/radeon: re-enable mclk dpm on R7 260X asics
- drm/radeon/uvd: use lower clocks on old UVD to boot v2
(regression in 3.13)
- drm/radeon: check buffer relocation offset
- USB: Nokia 305 should be treated as unusual dev
- USB: Nokia 5300 should be treated as unusual dev
- Revert "Bluetooth: Enable autosuspend for Intel Bluetooth device"
(regression in 3.14)
- posix_acl: handle NULL ACL in posix_acl_equiv_mode
- fs/affs/super.c: bugfix / double free (regression in 3.14)
- [armel/orion5x] fix target ID for crypto SRAM window
(regression in 3.12)
- [armel/kirkwood]: dts: fix mislocated pcie-controller nodes
(regression in 3.12)
- [armhf/armmp-lpae] 8012/1: kdump: Avoid overflow when converting pfn to
physaddr
- drm/nouveau: fix another lock unbalance in nouveau_crtc_page_flip
(regression in 3.11)
- drm/i915/vlv: reset VLV media force wake request register
(regression in 3.14?)
- i40e: potential array underflow in i40e_vc_process_vf_msg()
- igb: Fix Null-pointer dereference in igb_reset_q_vector
(regression in 3.14)
- igb: Unset IGB_FLAG_HAS_MSIX-flag when falling back to msi-only
(regression in 3.14)
- leds: leds-pwm: properly clean up after probe failure
- device_cgroup: rework device access check and exception checking
- device_cgroup: check if exception removal is allowed
- media: media-device: fix infoleak in ioctl media_enum_entities()
(CVE-2014-1739)
- Input: Add INPUT_PROP_TOPBUTTONPAD device property
- Input: synaptics - report INPUT_PROP_TOPBUTTONPAD property
- e1000e: Fix no connectivity when driver loaded with cable out
(regression in 3.12)
- autofs: fix lockref lookup
- vfs: fix races between __d_instantiate() and checks of dentry flags
- ALSA: hda - hdmi: Set converter channel count even without sink
(regression in 3.13)
- NFSd: Move default initialisers from create_client() to alloc_client()
- NFSd: call rpc_destroy_wait_queue() from free_client()
- NFSD: Call ->set_acl with a NULL ACL structure if no entries
- nfsd4: remove lockowner when removing lock stateid
- workqueue: fix bugs in wq_update_unbound_numa() failure path
- workqueue: fix a possible race condition between rescuer and pwq-release
- [arm] mvebu: mvebu-soc-id: add missing clk_put() call
(regression in 3.14)
- [arm] mvebu: mvebu-soc-id: keep clock enabled if PCIe unit is enabled
(regression in 3.14)
- ASoC: dapm: Skip CODEC<->CODEC links in connect_dai_link_widgets()
(regression in 3.14)
- [hppa] ratelimit userspace segfault printing
- [amd64] modify_ldt: Make support for 16-bit segments a runtime option
- sysfs: make sure read buffer is zeroed (possible regression in 3.13)
- Target/iser: Fix wrong connection requests list addition
- Target/iser: Fix iscsit_accept_np and rdma_cm racy flow
- iscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_out
(regression in 3.11)
- target: fix memory leak on XCOPY
- [x86] drm/i915: Disable self-refresh for untiled fbs on i915gm
(regression in 3.14)
- [x86] drm/i915: move power domain init earlier during system resume
(regression in 3.14?)
- [x86] drm/i915: Fix unsafe loop iteration over vma whilst unbinding them
(regression in 3.12)
- iwlwifi: mvm: BT Coex - fix Look Up Table (regression in 3.13)
- PCI: Wrong register used to check pending traffic (regression in 3.14)
- dm crypt: fix cpu hotplug crash by removing per-cpu structure
- dm thin: allow metadata commit if pool is in PM_OUT_OF_DATA_SPACE mode
(regression in 3.14)
- dm thin: add timeout to stop out-of-data-space mode holding IO forever
- dmaengine: fix dmaengine_unmap failure
- dma: mv_xor: Flush descriptors before activating a channel
- tcm_fc: Fix free-after-use regression in ft_free_cmd
(regression in 3.13)
- ACPICA: Tables: Restore old behavor to favor 32-bit FADT addresses.
(regression in 3.14)
- ACPI: Revert "ACPI: Remove CONFIG_ACPI_PROCFS_POWER and cm_sbsc.c"
(regression in 3.13)
- ACPI: Revert "ACPI / Battery: Remove battery's proc directory"
(regression in 3.13)
- [x86] ACPI / video: Add use_native_backlight quirks for more systems
- ACPI: Revert "ACPI / AC: convert ACPI ac driver to platform bus"
(regression in 3.13)
- [x86] ACPI / TPM: Fix resume regression on Chromebooks
(regression in 3.14)
- i2c: s3c2410: resume race fix
- [x86] intel_pstate: Set turbo VID for BayTrail
- [s390] crypto: fix aes,des ctr mode concurrency finding.
- clk: Fix double free due to devm_clk_register()
- clk: Fix slab corruption in clk_unregister()
- [powerpc] powernv: Reset root port in firmware (regression in 3.14)
- [powerpc] irq work racing with timer interrupt can result in timer
interrupt hang (regression in 3.14)
- [powerpc] kexec: Fix "Processor X is stuck" issue during kexec from ST
mode (regression in 3.13)
- spi: core: Ignore unsupported Dual/Quad Transfer Mode bits
(regression in 3.12)
- libceph: fix corruption when using page_count 0 page in rbd
- media: V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel
from user-space
[ Ian Campbell ]
* [armhf] Enable VIRTIO_BALLOON and VIRTIO_PCI (Closes: #750742)
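Review bot: the new upstream list in this entry does not mention the futex fixes (the CVE-2014-3153 requeue check and the three lookup_pi_state/unlock_pi hardening patches) that this commit removes from debian/patches because 3.14.6 carries them; since the 3.14.5-2 header is being replaced rather than kept, this entry becomes the only changelog record of the upgrade, so add a line such as "- futex: Forbid uaddr == uaddr2 in futex_requeue() (CVE-2014-3153)" so the security fix stays traceable from the changelog alone.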


@ -1,157 +0,0 @@
From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 12 May 2014 20:45:34 +0000
Subject: futex: Add another early deadlock detection check
Origin: https://git.kernel.org/linus/866293ee54227584ffcb4a42f69c1f365974ba7f
Dave Jones' trinity syscall fuzzer exposed an issue in the deadlock
detection code of rtmutex:
http://lkml.kernel.org/r/20140429151655.GA14277@redhat.com
That underlying issue has been fixed with a patch to the rtmutex code,
but the futex code must not call into rtmutex in that case because
- it can detect that issue early
- it avoids a different and more complex fixup for backing out
If the user space variable got manipulated to 0x80000000 which means
no lock holder, but the waiters bit set and an active pi_state in the
kernel is found we can figure out the recursive locking issue by
looking at the pi_state owner. If that is the current task, then we
can safely return -EDEADLK.
The check should have been added in commit 59fa62451 (futex: Handle
futex_pi OWNER_DIED take over correctly) already, but I did not see
the above issue caused by user space manipulation back then.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Dave Jones <davej@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Clark Williams <williams@redhat.com>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Carlos ODonell <carlos@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: http://lkml.kernel.org/r/20140512201701.097349971@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
1 file changed, 34 insertions(+), 13 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -731,7 +731,8 @@ void exit_pi_state_list(struct task_stru
static int
lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
- union futex_key *key, struct futex_pi_state **ps)
+ union futex_key *key, struct futex_pi_state **ps,
+ struct task_struct *task)
{
struct futex_pi_state *pi_state = NULL;
struct futex_q *this, *next;
@@ -772,6 +773,16 @@ lookup_pi_state(u32 uval, struct futex_h
return -EINVAL;
}
+ /*
+ * Protect against a corrupted uval. If uval
+ * is 0x80000000 then pid is 0 and the waiter
+ * bit is set. So the deadlock check in the
+ * calling code has failed and we did not fall
+ * into the check above due to !pid.
+ */
+ if (task && pi_state->owner == task)
+ return -EDEADLK;
+
atomic_inc(&pi_state->refcount);
*ps = pi_state;
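Review bot: the new `if (task && pi_state->owner == task)` check is silently disabled whenever a caller passes NULL for task, so a call site that does so gets no deadlock protection from this function and has to rely on its own checks; a one-line note on the parameter saying that NULL skips the check would make that contract visible. The placement before atomic_inc(&pi_state->refcount) is right, since the early -EDEADLK return then leaves no reference to drop.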
@@ -921,7 +932,7 @@ retry:
* We dont have the lock. Look up the PI state (or create it if
* we are the first waiter):
*/
- ret = lookup_pi_state(uval, hb, key, ps);
+ ret = lookup_pi_state(uval, hb, key, ps, task);
if (unlikely(ret)) {
switch (ret) {
@@ -1333,7 +1344,7 @@ void requeue_pi_wake_futex(struct futex_
*
* Return:
* 0 - failed to acquire the lock atomically;
- * 1 - acquired the lock;
+ * >0 - acquired the lock, return value is vpid of the top_waiter
* <0 - error
*/
static int futex_proxy_trylock_atomic(u32 __user *pifutex,
@@ -1344,7 +1355,7 @@ static int futex_proxy_trylock_atomic(u3
{
struct futex_q *top_waiter = NULL;
u32 curval;
- int ret;
+ int ret, vpid;
if (get_futex_value_locked(&curval, pifutex))
return -EFAULT;
@@ -1372,11 +1383,13 @@ static int futex_proxy_trylock_atomic(u3
* the contended case or if set_waiters is 1. The pi_state is returned
* in ps in contended cases.
*/
+ vpid = task_pid_vnr(top_waiter->task);
ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
set_waiters);
- if (ret == 1)
+ if (ret == 1) {
requeue_pi_wake_futex(top_waiter, key2, hb2);
-
+ return vpid;
+ }
return ret;
}
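Review bot: `vpid = task_pid_vnr(top_waiter->task);` is deliberately taken before futex_lock_pi_atomic() and requeue_pi_wake_futex(), because once top_waiter is woken it may run on and exit, and reading its pid afterwards would touch a task that is no longer safe to use; say so in a comment so a later refactor does not move the call below the wakeup. Since the function now returns the pid rather than 1 on success, every caller that tested `ret == 1` must be updated at the same time (the futex_requeue() hunk below does this).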
@@ -1407,7 +1420,6 @@ static int futex_requeue(u32 __user *uad
struct futex_pi_state *pi_state = NULL;
struct futex_hash_bucket *hb1, *hb2;
struct futex_q *this, *next;
- u32 curval2;
if (requeue_pi) {
/*
@@ -1495,16 +1507,25 @@ retry_private:
* At this point the top_waiter has either taken uaddr2 or is
* waiting on it. If the former, then the pi_state will not
* exist yet, look it up one more time to ensure we have a
- * reference to it.
+ * reference to it. If the lock was taken, ret contains the
+ * vpid of the top waiter task.
*/
- if (ret == 1) {
+ if (ret > 0) {
WARN_ON(pi_state);
drop_count++;
task_count++;
- ret = get_futex_value_locked(&curval2, uaddr2);
- if (!ret)
- ret = lookup_pi_state(curval2, hb2, &key2,
- &pi_state);
+ /*
+ * If we acquired the lock, then the user
+ * space value of uaddr2 should be vpid. It
+ * cannot be changed by the top waiter as it
+ * is blocked on hb2 lock if it tries to do
+ * so. If something fiddled with it behind our
+ * back the pi state lookup might unearth
+ * it. So we rather use the known value than
+ * rereading and handing potential crap to
+ * lookup_pi_state.
+ */
+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
}
switch (ret) {
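Review bot: `lookup_pi_state(ret, hb2, &key2, &pi_state, NULL)` hands the bare vpid in as the futex value, with neither FUTEX_WAITERS nor FUTEX_OWNER_DIED set; that is what the new comment intends (use the known value rather than rereading user memory), but it also means the owner-died handling inside lookup_pi_state() can never trigger on this path, which deserves a sentence in the comment. Passing NULL for task turns off the newly added -EDEADLK check here, which is correct because the requeuing task is not the one being attached as owner.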


@ -1,95 +0,0 @@
Date: Tue, 03 Jun 2014 12:27:07 -0000
From: Thomas Gleixner <tglx@linutronix.de>
Subject: [patch 3/4] futex: Always cleanup owner tid in unlock_pi
If the owner died bit is set at futex_unlock_pi, we currently do not
cleanup the user space futex. So the owner TID of the current owner
(the unlocker) persists. That's observable inconsistent state,
especially when the ownership of the pi state got transferred.
Clean it up unconditionally.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: stable@vger.kernel.org
---
kernel/futex.c | 44 ++++++++++++++++++++------------------------
1 file changed, 20 insertions(+), 24 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1038,6 +1038,7 @@ static int wake_futex_pi(u32 __user *uad
struct task_struct *new_owner;
struct futex_pi_state *pi_state = this->pi_state;
u32 uninitialized_var(curval), newval;
+ int ret = 0;
if (!pi_state)
return -EINVAL;
@@ -1061,23 +1062,19 @@ static int wake_futex_pi(u32 __user *uad
new_owner = this->task;
/*
- * We pass it to the next owner. (The WAITERS bit is always
- * kept enabled while there is PI state around. We must also
- * preserve the owner died bit.)
- */
- if (!(uval & FUTEX_OWNER_DIED)) {
- int ret = 0;
-
- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
-
- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
- ret = -EFAULT;
- else if (curval != uval)
- ret = -EINVAL;
- if (ret) {
- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
- return ret;
- }
+ * We pass it to the next owner. The WAITERS bit is always
+ * kept enabled while there is PI state around. We cleanup the
+ * owner died bit, because we are the owner.
+ */
+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
+
+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
+ ret = -EFAULT;
+ else if (curval != uval)
+ ret = -EINVAL;
+ if (ret) {
+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
+ return ret;
}
raw_spin_lock_irq(&pi_state->owner->pi_lock);
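Review bot: the cmpxchg to `FUTEX_WAITERS | task_pid_vnr(new_owner)` now also runs when FUTEX_OWNER_DIED is set in uval, so the `curval != uval` -EINVAL branch fires in a case that was previously skipped silently; that is the intended strictness (the word is expected to still carry exactly uval, owner-died bit included), but the commit message should mention that wake_futex_pi() can now return -EINVAL for a dead-owner futex whose word changed underneath it. Moving `int ret = 0;` to function scope is required by this, since the early-return path is no longer inside the removed inner block.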
@@ -2337,9 +2334,10 @@ retry:
/*
* To avoid races, try to do the TID -> 0 atomic transition
* again. If it succeeds then we can return without waking
- * anyone else up:
+ * anyone else up. We only try this if neither the waiters nor
+ * the owner died bit are set.
*/
- if (!(uval & FUTEX_OWNER_DIED) &&
+ if (!(uval & ~FUTEX_TID_MASK) &&
cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
goto pi_faulted;
/*
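Review bot: `!(uval & ~FUTEX_TID_MASK)` disables the fast TID -> 0 path whenever any non-TID bit is set, which covers both FUTEX_WAITERS and FUTEX_OWNER_DIED as the updated comment says, and will also cover any flag bit added later, which is the safe default. The `goto pi_faulted` fires only when cmpxchg_futex_value_locked() itself reports a fault; when the compare fails because the word changed, execution simply continues into the waiter handling below with the refreshed uval, so no behaviour is lost for the owner-died case that is no longer tried here.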
@@ -2369,11 +2367,9 @@ retry:
/*
* No waiters - kernel unlocks the futex:
*/
- if (!(uval & FUTEX_OWNER_DIED)) {
- ret = unlock_futex_pi(uaddr, uval);
- if (ret == -EFAULT)
- goto pi_faulted;
- }
+ ret = unlock_futex_pi(uaddr, uval);
+ if (ret == -EFAULT)
+ goto pi_faulted;
out_unlock:
spin_unlock(&hb->lock);
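Review bot: unlock_futex_pi(uaddr, uval) is now called for the no-waiters case even when FUTEX_OWNER_DIED is set, so the stale owner TID is cleared for a dead owner as well; together with the first hunk this makes the two unlock paths consistent, which is the stated goal. Confirm that unlock_futex_pi() compares against the full uval (with the owner-died bit) in its cmpxchg, otherwise this call will fail for exactly the case the patch sets out to clean up.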


@ -1,272 +0,0 @@
Date: Tue, 03 Jun 2014 12:27:08 -0000
From: Thomas Gleixner <tglx@linutronix.de>
Subject: [patch 4/4] futex: Make lookup_pi_state more robust
The current implementation of lookup_pi_state has ambiguous handling of
the TID value 0 in the user space futex. We can get into the kernel
even if the TID value is 0, because either there is a stale waiters
bit or the owner died bit is set or we are called from the requeue_pi
path or from user space just for fun.
The current code avoids an explicit sanity check for pid = 0 in case
that kernel internal state (waiters) are found for the user space
address. This can lead to state leakage and worse under some
circumstances.
Handle the cases explicitly:
     Waiter | pi_state | pi->owner | uTID      | uODIED | ?
[1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
[2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
[3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
[4]  Found  | Found    | NULL      | 0         | 1      | Valid
[5]  Found  | Found    | NULL      | >0        | 1      | Invalid
[6]  Found  | Found    | task      | 0         | 1      | Valid
[7]  Found  | Found    | NULL      | Any       | 0      | Invalid
[8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
[9]  Found  | Found    | task      | 0         | 0      | Invalid
[10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
[1] Indicates that the kernel can acquire the futex atomically. We
came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
[2] Valid, if TID does not belong to a kernel thread. If no matching
thread is found then it indicates that the owner TID has died.
[3] Invalid. The waiter is queued on a non PI futex
[4] Valid state after exit_robust_list(), which sets the user space
value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
[5] The user space value got manipulated between exit_robust_list()
and exit_pi_state_list()
[6] Valid state after exit_pi_state_list() which sets the new owner in
the pi_state but cannot access the user space value.
[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
[8] Owner and user space value match
[9] There is no transient state which sets the user space TID to 0
except exit_robust_list(), but this is indicated by the
FUTEX_OWNER_DIED bit. See [4]
[10] There is no transient state which leaves owner and user space
TID out of sync.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: stable@vger.kernel.org
---
kernel/futex.c | 134 +++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 106 insertions(+), 28 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -729,10 +729,58 @@ void exit_pi_state_list(struct task_stru
raw_spin_unlock_irq(&curr->pi_lock);
}
+/*
+ * We need to check the following states:
+ *
+ * Waiter | pi_state | pi->owner | uTID | uODIED | ?
+ *
+ * [1] NULL | --- | --- | 0 | 0/1 | Valid
+ * [2] NULL | --- | --- | >0 | 0/1 | Valid
+ *
+ * [3] Found | NULL | -- | Any | 0/1 | Invalid
+ *
+ * [4] Found | Found | NULL | 0 | 1 | Valid
+ * [5] Found | Found | NULL | >0 | 1 | Invalid
+ *
+ * [6] Found | Found | task | 0 | 1 | Valid
+ *
+ * [7] Found | Found | NULL | Any | 0 | Invalid
+ *
+ * [8] Found | Found | task | ==taskTID | 0/1 | Valid
+ * [9] Found | Found | task | 0 | 0 | Invalid
+ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid
+ *
+ * [1] Indicates that the kernel can acquire the futex atomically. We
+ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
+ *
+ * [2] Valid, if TID does not belong to a kernel thread. If no matching
+ * thread is found then it indicates that the owner TID has died.
+ *
+ * [3] Invalid. The waiter is queued on a non PI futex
+ *
+ * [4] Valid state after exit_robust_list(), which sets the user space
+ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
+ *
+ * [5] The user space value got manipulated between exit_robust_list()
+ * and exit_pi_state_list()
+ *
+ * [6] Valid state after exit_pi_state_list() which sets the new owner in
+ * the pi_state but cannot access the user space value.
+ *
+ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
+ *
+ * [8] Owner and user space value match
+ *
+ * [9] There is no transient state which sets the user space TID to 0
+ * except exit_robust_list(), but this is indicated by the
+ * FUTEX_OWNER_DIED bit. See [4]
+ *
+ * [10] There is no transient state which leaves owner and user space
+ * TID out of sync.
+ */
static int
lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
- union futex_key *key, struct futex_pi_state **ps,
- struct task_struct *task)
+ union futex_key *key, struct futex_pi_state **ps)
{
struct futex_pi_state *pi_state = NULL;
struct futex_q *this, *next;
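Review bot: the added comment block repeats a word in the [1] explanation ("We came came here"); drop one "came". Removing the `task` parameter reverts the signature introduced by the "Add another early deadlock detection check" patch, which the `- struct task_struct *task)` context line encodes, so this patch only applies on top of that one and the series order has to keep it that way.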
@@ -742,12 +790,13 @@ lookup_pi_state(u32 uval, struct futex_h
plist_for_each_entry_safe(this, next, &hb->chain, list) {
if (match_futex(&this->key, key)) {
/*
- * Another waiter already exists - bump up
- * the refcount and return its pi_state:
+ * Sanity check the waiter before increasing
+ * the refcount and attaching to it.
*/
pi_state = this->pi_state;
/*
- * Userspace might have messed up non-PI and PI futexes
+ * Userspace might have messed up non-PI and
+ * PI futexes [3]
*/
if (unlikely(!pi_state))
return -EINVAL;
@@ -755,44 +804,70 @@ lookup_pi_state(u32 uval, struct futex_h
WARN_ON(!atomic_read(&pi_state->refcount));
/*
- * When pi_state->owner is NULL then the owner died
- * and another waiter is on the fly. pi_state->owner
- * is fixed up by the task which acquires
- * pi_state->rt_mutex.
- *
- * We do not check for pid == 0 which can happen when
- * the owner died and robust_list_exit() cleared the
- * TID.
+ * Handle the owner died case:
*/
- if (pid && pi_state->owner) {
+ if (uval & FUTEX_OWNER_DIED) {
/*
- * Bail out if user space manipulated the
- * futex value.
+ * exit_pi_state_list sets owner to NULL and
+ * wakes the topmost waiter. The task which
+ * acquires the pi_state->rt_mutex will fixup
+ * owner.
*/
- if (pid != task_pid_vnr(pi_state->owner))
+ if (!pi_state->owner) {
+ /*
+ * No pi state owner, but the user
+ * space TID is not 0. Inconsistent
+ * state. [5]
+ */
+ if (pid)
+ return -EINVAL;
+ /*
+ * Take a ref on the state and
+ * return. [4]
+ */
+ goto out_state;
+ }
+
+ /*
+ * If TID is 0, then either the dying owner
+ * has not yet executed exit_pi_state_list()
+ * or some waiter acquired the rtmutex in the
+ * pi state, but did not yet fixup the TID in
+ * user space.
+ *
+ * Take a ref on the state and return. [6]
+ */
+ if (!pid)
+ goto out_state;
+ } else {
+ /*
+ * If the owner died bit is not set,
+ * then the pi_state must have an
+ * owner. [7]
+ */
+ if (!pi_state->owner)
return -EINVAL;
}
/*
- * Protect against a corrupted uval. If uval
- * is 0x80000000 then pid is 0 and the waiter
- * bit is set. So the deadlock check in the
- * calling code has failed and we did not fall
- * into the check above due to !pid.
+ * Bail out if user space manipulated the
+ * futex value. If pi state exists then the
+ * owner TID must be the same as the user
+ * space TID. [9/10]
*/
- if (task && pi_state->owner == task)
- return -EDEADLK;
+ if (pid != task_pid_vnr(pi_state->owner))
+ return -EINVAL;
+ out_state:
atomic_inc(&pi_state->refcount);
*ps = pi_state;
-
return 0;
}
}
/*
* We are the first waiter - try to look up the real owner and attach
- * the new pi_state to it, but bail out when TID = 0
+ * the new pi_state to it, but bail out when TID = 0 [1]
*/
if (!pid)
return -ESRCH;
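Review bot: dropping the `task && pi_state->owner == task` check changes the errno for the uval == 0x80000000 case that the earlier patch targeted: with pid 0 and FUTEX_OWNER_DIED clear the code now takes the else branch ([7], owner must be non-NULL) and then fails the [9/10] comparison `pid != task_pid_vnr(pi_state->owner)`, so the caller sees -EINVAL where it previously got -EDEADLK; the commit message should state that the early deadlock check is superseded. The NULL handling is otherwise sound: every path that reaches the [9/10] comparison has already returned -EINVAL or jumped to out_state on a NULL pi_state->owner, so task_pid_vnr() is never called on NULL, and `out_state:` sits inside the loop body so both the [4] and [6] gotos take the refcount before returning.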
@@ -825,6 +900,9 @@ lookup_pi_state(u32 uval, struct futex_h
return ret;
}
+ /*
+ * No existing pi state. First waiter. [2]
+ */
pi_state = alloc_pi_state();
/*
@@ -945,7 +1023,7 @@ retry:
* We dont have the lock. Look up the PI state (or create it if
* we are the first waiter):
*/
- ret = lookup_pi_state(uval, hb, key, ps, task);
+ ret = lookup_pi_state(uval, hb, key, ps);
if (unlikely(ret)) {
switch (ret) {
@@ -1551,7 +1629,7 @@ retry_private:
* rereading and handing potential crap to
* lookup_pi_state.
*/
- ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
}
switch (ret) {


@ -1,50 +0,0 @@
From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 12 May 2014 20:45:35 +0000
Subject: futex: Prevent attaching to kernel threads
Origin: https://git.kernel.org/linus/f0d71b3dcb8332f7971b5f2363632573e6d9486a
We happily allow userspace to declare a random kernel thread to be the
owner of a user space PI futex.
Found while analysing the fallout of Dave Jones' syscall fuzzer.
We also should validate the thread group for private futexes and find
some fast way to validate whether the "alleged" owner has RW access on
the file which backs the SHM, but that's a separate issue.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Dave Jones <davej@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Clark Williams <williams@redhat.com>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Carlos ODonell <carlos@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
---
kernel/futex.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -800,6 +800,11 @@ lookup_pi_state(u32 uval, struct futex_h
if (!p)
return -ESRCH;
+ if (!p->mm) {
+ put_task_struct(p);
+ return -EPERM;
+ }
+
/*
* We need to look at the task state flags to figure out,
* whether the task is exiting. To protect against the do_exit
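Review bot: the `!p->mm` test sits before the exiting-task handling that the following comment describes, so a user task that has already dropped its mm on the way out is now rejected with -EPERM instead of going through that path; if the exit handling returns a different errno to the caller, a dying owner will now surface as -EPERM, which is acceptable but should be spelled out in the commit message. The put_task_struct(p) before the return correctly balances the reference obtained by the lookup whose NULL result returns -ESRCH just above.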


@ -1,50 +0,0 @@
Date: Tue, 03 Jun 2014 12:27:06 -0000
From: Thomas Gleixner <tglx@linutronix.de>
Subject: [patch 2/4] futex: Validate atomic acquisition in
futex_lock_pi_atomic()
We need to protect the atomic acquisition in the kernel against rogue
user space which sets the user space futex to 0, so the kernel side
acquisition succeeds while there is existing state in the kernel
associated to the real owner.
Verify whether the futex has waiters associated with kernel state. If
it has, return -EINVAL. The state is corrupted already, so no point in
cleaning it up. Subsequent calls will fail as well. Not our problem.
[ tglx: Use futex_top_waiter() and explain why we do not need to try
restoring the already corrupted user space state. ]
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
kernel/futex.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -896,10 +896,18 @@ retry:
return -EDEADLK;
/*
- * Surprise - we got the lock. Just return to userspace:
+ * Surprise - we got the lock, but we do not trust user space at all.
*/
- if (unlikely(!curval))
- return 1;
+ if (unlikely(!curval)) {
+ /*
+ * We verify whether there is kernel state for this
+ * futex. If not, we can safely assume, that the 0 ->
+ * TID transition is correct. If state exists, we do
+ * not bother to fixup the user space state as it was
+ * corrupted already.
+ */
+ return futex_top_waiter(hb, key) ? -EINVAL : 1;
+ }
uval = curval;
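Review bot: by the time `return futex_top_waiter(hb, key) ? -EINVAL : 1;` runs, the cmpxchg above has already stored the caller's TID into the user word (that is what `!curval` means on this path), so on -EINVAL user space sees a word claiming the caller owns the lock while the kernel has refused it; the new comment explains why that is not repaired, but callers of futex_lock_pi_atomic() must treat -EINVAL as a hard error and not retry the acquisition, since a retry would now take the contended path against a word the kernel has declared corrupted.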


@ -1,76 +0,0 @@
Date: Tue, 03 Jun 2014 12:27:06 -0000
From: Thomas Gleixner <tglx@linutronix.de>
Subject: [patch 1/4] futex-prevent-requeue-pi-on-same-futex.patch futex:
Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
If uaddr == uaddr2, then we have broken the rule of only requeueing
from a non-pi futex to a pi futex with this call. If we attempt this,
then dangling pointers may be left for rt_waiter resulting in an
exploitable condition.
This change brings futex_requeue() into line with
futex_wait_requeue_pi() which performs the same check as per commit
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Fixes CVE-2014-3153.
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
kernel/futex.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1428,6 +1428,13 @@ static int futex_requeue(u32 __user *uad
if (requeue_pi) {
/*
+ * Requeue PI only works on two distinct uaddrs. This
+ * check is only valid for private futexes. See below.
+ */
+ if (uaddr1 == uaddr2)
+ return -EINVAL;
+
+ /*
* requeue_pi requires a pi_state, try to allocate it now
* without any locks in case it fails.
*/
@@ -1465,6 +1472,15 @@ retry:
if (unlikely(ret != 0))
goto out_put_key1;
+ /*
+ * The check above which compares uaddrs is not sufficient for
+ * shared futexes. We need to compare the keys:
+ */
+ if (requeue_pi && match_futex(&key1, &key2)) {
+ ret = -EINVAL;
+ goto out_put_keys;
+ }
+
hb1 = hash_futex(&key1);
hb2 = hash_futex(&key2);
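Review bot: the key comparison `match_futex(&key1, &key2)` runs after both key lookups have succeeded and jumps to out_put_keys, so both references are dropped on the -EINVAL path; this is the check that actually closes the shared-mapping variant, because two distinct uaddrs can map the same page and the earlier `uaddr1 == uaddr2` test cannot see that. Gating it on requeue_pi matches the first hunk, so a plain non-PI requeue between aliases of the same futex remains allowed, consistent with the commit message.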
@@ -2511,6 +2527,15 @@ static int futex_wait_requeue_pi(u32 __u
if (ret)
goto out_key2;
+ /*
+ * The check above which compares uaddrs is not sufficient for
+ * shared futexes. We need to compare the keys:
+ */
+ if (match_futex(&q.key, &key2)) {
+ ret = -EINVAL;
+ goto out_put_keys;
+ }
+
/* Queue the futex_q, drop the hb lock, wait for wakeup. */
futex_wait_queue_me(hb, &q, to);
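Review bot: this error path returns with hb->lock held. The comment on the line after the new block says futex_wait_queue_me() is what "drop[s] the hb lock", so the setup call above returned with the bucket locked; `goto out_put_keys` skips that unlock, and a caller that passes the same futex through two different mappings would return to user space holding hb->lock. Release it (queue_unlock(hb) in this code base) before the goto, in the same way the futex_requeue() hunk above is safe only because its check runs before the buckets are locked.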


@ -1,64 +0,0 @@
From: Lv Zheng <lv.zheng@intel.com>
Date: Wed, 30 Apr 2014 10:05:40 +0800
Subject: ACPICA: Tables: Fix invalid pointer accesses in
acpi_tb_parse_root_table().
Origin: https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git/commit?id=d48dc067450d84324067f4472dc0b169e9af4454
Bug-Debian: https://bugs.debian.org/748574
Linux XSDT validation mechanism backport has introduced a regression:
Commit: 671cc68dc61f029d44b43a681356078e02d8dab8
Subject: ACPICA: Back port and refine validation of the XSDT root table.
There is a pointer still accessed after unmapping.
This patch fixes this issue. Lv Zheng.
Fixes: 671cc68dc61f (ACPICA: Back port and refine validation of the XSDT root table.)
References: https://bugzilla.kernel.org/show_bug.cgi?id=73911
References: https://bugs.archlinux.org/task/39811
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Reported-and-tested-by: Bruce Chiarelli <mano155@gmail.com>
Reported-and-tested-by: Spyros Stathopoulos <spystath@gmail.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Cc: 3.14+ <stable@vger.kernel.org> # 3.14+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
drivers/acpi/acpica/tbutils.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpica/tbutils.c b/drivers/acpi/acpica/tbutils.c
index a4702ee..9fb85f3 100644
--- a/drivers/acpi/acpica/tbutils.c
+++ b/drivers/acpi/acpica/tbutils.c
@@ -461,6 +461,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
u32 table_count;
struct acpi_table_header *table;
acpi_physical_address address;
+ acpi_physical_address rsdt_address;
u32 length;
u8 *table_entry;
acpi_status status;
@@ -488,11 +489,14 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
* as per the ACPI specification.
*/
address = (acpi_physical_address) rsdp->xsdt_physical_address;
+ rsdt_address =
+ (acpi_physical_address) rsdp->rsdt_physical_address;
table_entry_size = ACPI_XSDT_ENTRY_SIZE;
} else {
/* Root table is an RSDT (32-bit physical addresses) */
address = (acpi_physical_address) rsdp->rsdt_physical_address;
+ rsdt_address = address;
table_entry_size = ACPI_RSDT_ENTRY_SIZE;
}
@@ -515,8 +519,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
/* Fall back to the RSDT */
- address =
- (acpi_physical_address) rsdp->rsdt_physical_address;
+ address = rsdt_address;
table_entry_size = ACPI_RSDT_ENTRY_SIZE;
}
}
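Review bot: replacing the rsdp->rsdt_physical_address dereference in the XSDT fallback with the saved rsdt_address is the actual use-after-unmap fix the commit message describes, and it removes the only read of rsdp in this hunk. Worth confirming against the full function that no other rsdp field is read on the path after the unmap, since the patch only covers this one fallback.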

@ -11,6 +11,8 @@ This patch moves the invokation into a process context so that we only
wakeup() a process while holding the lock.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[bwh: Adjust context to apply after commit 01f8fa4f01d8 ('genirq: Allow
forcing cpu affinity of interrupts') in 3.14.6]
---
include/linux/interrupt.h | 1
kernel/irq/manage.c | 79 ++++++++++++++++++++++++++++++++++++++++++++--
@ -18,7 +20,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
--- a/include/linux/interrupt.h
+++ b/include/linux/interrupt.h
@@ -224,6 +224,7 @@ struct irq_affinity_notify {
@@ -257,6 +257,7 @@ struct irq_affinity_notify {
unsigned int irq;
struct kref kref;
struct work_struct work;
@ -88,10 +90,10 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+#endif
+
int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask)
int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
bool force)
{
struct irq_chip *chip = irq_data_get_irq_chip(data);
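Review bot: the refreshed context line renames __irq_set_affinity_locked(data, mask) to irq_set_affinity_locked(data, mask, force), tracking the force parameter introduced by the 3.14.6 commit named in the bwh bracket note. Refreshing the context is enough for the patch to apply, but if any of the rt patch's own added lines still call the old __irq_set_affinity_locked name the patch will apply cleanly and the kernel will then fail to build; a build of the rt flavour after this refresh is the check to run.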
@@ -182,7 +238,17 @@ int __irq_set_affinity_locked(struct irq
@@ -183,7 +239,17 @@ int irq_set_affinity_locked(struct irq_d
if (desc->affinity_notify) {
kref_get(&desc->affinity_notify->kref);
@ -109,7 +111,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
}
irqd_set(data, IRQD_AFFINITY_SET);
@@ -223,10 +289,8 @@ int irq_set_affinity_hint(unsigned int i
@@ -218,10 +284,8 @@ int irq_set_affinity_hint(unsigned int i
}
EXPORT_SYMBOL_GPL(irq_set_affinity_hint);
@ -121,7 +123,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
struct irq_desc *desc = irq_to_desc(notify->irq);
cpumask_var_t cpumask;
unsigned long flags;
@@ -248,6 +312,13 @@ static void irq_affinity_notify(struct w
@@ -243,6 +307,13 @@ out:
kref_put(&notify->kref, notify->release);
}
@ -135,7 +137,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/**
* irq_set_affinity_notifier - control notification of IRQ affinity changes
* @irq: Interrupt for which to enable/disable notification
@@ -277,6 +348,8 @@ irq_set_affinity_notifier(unsigned int i
@@ -272,6 +343,8 @@ irq_set_affinity_notifier(unsigned int i
notify->irq = irq;
kref_init(&notify->kref);
INIT_WORK(&notify->work, irq_affinity_notify);

@ -359,7 +359,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
/*
* The timer bases:
@@ -998,6 +999,17 @@ int __hrtimer_start_range_ns(struct hrti
@@ -1017,6 +1018,17 @@ int __hrtimer_start_range_ns(struct hrti
#endif
}
@ -376,8 +376,8 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
hrtimer_set_expires_range_ns(timer, tim, delta_ns);
timer_stats_hrtimer_set_start_info(timer);
@@ -1276,6 +1288,8 @@ static void __run_hrtimer(struct hrtimer
/* Switch the timer base, if necessary: */
@@ -1298,6 +1310,8 @@ static void __run_hrtimer(struct hrtimer
#ifdef CONFIG_HIGH_RES_TIMERS
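Review bot: the added context line "/* Switch the timer base, if necessary: */" now follows hrtimer_set_expires_range_ns(), so in the 3.14.6 base the expiry is set before the base switch rather than after it, and the rt patch's inserted block (ending with the "+" line above hrtimer_set_expires_range_ns) therefore also runs before the base switch. Confirm that block does not rely on the timer base having already been switched; the refresh only moved context around the insertion point, not the insertion point itself.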
@ -386,7 +386,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
/*
* High resolution timer interrupt
* Called with interrupts disabled
@@ -1319,6 +1333,15 @@ void hrtimer_interrupt(struct clock_even
@@ -1341,6 +1355,15 @@ retry:
timer = container_of(node, struct hrtimer, node);
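Review bot: besides the line offset (1319 to 1341), the hunk header's context token changed from "void hrtimer_interrupt(struct clock_even" to "retry:", so the nearest preceding anchor is now a label inside the function rather than its signature, which means lines between the start of hrtimer_interrupt and this hunk changed in the new base. Verify by inspection that the hunk still applies at the intended position (after the container_of(node, struct hrtimer, node) line) and is not merely an offset-only refresh that landed on a similar-looking spot.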

@ -12,7 +12,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1585,6 +1585,16 @@ static int futex_requeue(u32 __user *uad
@@ -1710,6 +1710,16 @@ retry_private:
requeue_pi_wake_futex(this, &key2, hb2);
drop_count++;
continue;
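Review bot: the header's context token moves from "static int futex_requeue(u32 __user *uad" to "retry_private:" together with a 125-line offset (1585 to 1710), so futex_requeue changed substantially between the two bases even though the visible context (requeue_pi_wake_futex, drop_count++, continue) is unchanged. Checking that the three context lines match is the right minimum, but the lines the rt patch adds at this point should be re-read against the 3.14.6 futex_requeue to make sure they still belong in this branch of the requeue loop.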
@ -29,7 +29,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
} else if (ret) {
/* -EDEADLK */
this->pi_state = NULL;
@@ -2439,7 +2449,7 @@ static int futex_wait_requeue_pi(u32 __u
@@ -2563,7 +2573,7 @@ static int futex_wait_requeue_pi(u32 __u
struct hrtimer_sleeper timeout, *to = NULL;
struct rt_mutex_waiter rt_waiter;
struct rt_mutex *pi_mutex = NULL;
@ -38,7 +38,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
union futex_key key2 = FUTEX_KEY_INIT;
struct futex_q q = futex_q_init;
int res, ret;
@@ -2488,20 +2498,55 @@ static int futex_wait_requeue_pi(u32 __u
@@ -2621,20 +2631,55 @@ static int futex_wait_requeue_pi(u32 __u
/* Queue the futex_q, drop the hb lock, wait for wakeup. */
futex_wait_queue_me(hb, &q, to);
@ -105,7 +105,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
/* Check if the requeue code acquired the second futex for us. */
if (!q.rt_waiter) {
@@ -2510,9 +2555,10 @@ static int futex_wait_requeue_pi(u32 __u
@@ -2643,9 +2688,10 @@ static int futex_wait_requeue_pi(u32 __u
* did a lock-steal - fix up the PI-state in that case.
*/
if (q.pi_state && (q.pi_state->owner != current)) {
@ -118,7 +118,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
}
} else {
/*
@@ -2525,7 +2571,8 @@ static int futex_wait_requeue_pi(u32 __u
@@ -2658,7 +2704,8 @@ static int futex_wait_requeue_pi(u32 __u
ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
debug_rt_mutex_free_waiter(&rt_waiter);
@ -151,8 +151,8 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
goto out_unlock_pi;
/*
@@ -528,6 +533,23 @@ static int task_blocks_on_rt_mutex(struc
int chain_walk = 0, res;
@@ -552,6 +557,23 @@ static int task_blocks_on_rt_mutex(struc
return -EDEADLK;
raw_spin_lock_irqsave(&task->pi_lock, flags);
+
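Review bot: the context line in front of the rt insertion changes from the declaration "int chain_walk = 0, res;" to "return -EDEADLK;", so the hunk now anchors after an early deadlock check that is new in the 3.14.6 base rather than after the locals. The following context line, raw_spin_lock_irqsave(&task->pi_lock, flags), is the same in both versions, so the insertion point within task_blocks_on_rt_mutex has not moved; recording this in a bwh-style bracket note at the top of the patch, as was done for the interrupt patch, would tell the next rebase why the context differs.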
@ -175,7 +175,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
__rt_mutex_adjust_prio(task);
waiter->task = task;
waiter->lock = lock;
@@ -551,7 +573,7 @@ static int task_blocks_on_rt_mutex(struc
@@ -575,7 +597,7 @@ static int task_blocks_on_rt_mutex(struc
rt_mutex_enqueue_pi(owner, waiter);
__rt_mutex_adjust_prio(owner);
@ -184,7 +184,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
chain_walk = 1;
raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
}
@@ -645,7 +667,7 @@ static void remove_waiter(struct rt_mute
@@ -669,7 +691,7 @@ static void remove_waiter(struct rt_mute
}
__rt_mutex_adjust_prio(owner);
@ -193,7 +193,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
chain_walk = 1;
raw_spin_unlock_irqrestore(&owner->pi_lock, flags);
@@ -677,7 +699,7 @@ void rt_mutex_adjust_pi(struct task_stru
@@ -701,7 +723,7 @@ void rt_mutex_adjust_pi(struct task_stru
raw_spin_lock_irqsave(&task->pi_lock, flags);
waiter = task->pi_blocked_on;

@ -83,15 +83,8 @@ features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
debian/libata-avoid-abi-change-in-3.14.4.patch
debian/dm-avoid-abi-change-in-3.14.4.patch
bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
debian/net-revert-lockdep-changes-in-3.14.5.patch
debian/sockdiag-avoid-abi-change-in-3.14.5.patch
debian/target-avoid-abi-change-in-3.14.5.patch
debian/netfilter-avoid-abi-change-in-3.14.5.patch
bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch
bugfix/all/futex-Add-another-early-deadlock-detection-check.patch
bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch
bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch
bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch
bugfix/all/futex-Make-lookup_pi_state-more-robust.patch
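Review bot: every series entry dropped here must have its file under debian/patches deleted in the same commit, otherwise the patch lingers unreferenced; the ACPICA patch shown earlier in this commit is the right pairing for its entry. The hunk header goes from 15 lines to 8, so seven entries are removed; check that exactly seven patch files are deleted and that the debian/*-avoid-abi-change-in-3.14.4 and -3.14.5 entries, which are not applied upstream, stay in the series.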