diff --git a/debian/changelog b/debian/changelog
index 14ff6b201..3d0797178 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,156 @@
-linux (3.14.5-2) UNRELEASED; urgency=medium
+linux (3.14.6-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.6
+ - [mipsel] loongson2_cpufreq: Fix CPU clock rate setting
+ (regression in 3.14)
+ - rtmutex: Fix deadlock detector for real
+ - kernfs: add back missing error check in kernfs_fop_mmap()
+ (regression in 3.14)
+ - coredump: fix va_list corruption (regression in 3.11)
+ - mm: make fixup_user_fault() check the vma access rights too
+ - serial: 8250: Fix thread unsafe __dma_tx_complete function
+ - 8250_core: Fix unwanted TX chars write
+ - iwlwifi: 7000: bump API to 9
+ - timer: Prevent overflow in apply_slack
+ - cfg80211: free sme on connection failures (regression in 3.11)
+ - cfg80211: add cfg80211_sched_scan_stopped_rtnl (regression in 3.14)
+ - mac80211: fix nested rtnl locking on ieee80211_reconfig
+ (regression in 3.14)
+ - mm, thp: close race between mremap() and split_huge_page()
+ - [x86] mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()
+ - hwpoison, hugetlb: lock_page/unlock_page does not match for handling a
+ free hugepage
+ - iwlwifi: mvm: delay enabling smart FIFO until after beacon RX
+ (regression in 3.14)
+ - aio: fix potential leak in aio_run_iocb().
+ - Revert "hwmon: (coretemp) Refine TjMax detection"
+ - hrtimer: Prevent remote enqueue of leftmost timers
+ - hrtimer: Set expiry time before switch_hrtimer_base()
+ - dm verity: fix biovecs hash calculation regression (regression in 3.14)
+ - dm cache: fix writethrough mode quiescing in cache_map
+ (regression in 3.13)
+ - md/raid10: call wait_barrier() for each request submitted.
+ (regression in 3.14)
+ - PNP / ACPI: Do not return errors if _DIS or _SRS are not present
+ (regression in 3.14)
+ - ACPI / EC: Process rather than discard events in acpi_ec_clear
+ (regression in 3.13.7, 3.14)
+ - irqchip: armada-370-xp: fix invalid cast of signed value into unsigned
+ variable (regression in 3.13)
+ - irqchip: armada-370-xp: implement the ->check_device() msi_chip
+ operation (regression in 3.13)
+ - irqchip: armada-370-xp: Fix releasing of MSIs (regression in 3.13)
+ - [x86] drm/i915: Allow user modes to exceed DVI 165MHz limit
+ (regression in 3.14)
+ - [x86] drm/i915: Don't check gmch state on inherited configs
+ (regression in 3.13?)
+ - [x86] drm/i915: Don't WARN nor handle unexpected hpd interrupts on gmch
+ platforms (regression in 3.13)
+ - [x86] drm/radeon: fix runpm handling on APUs (v4) (regression in 3.13)
+ - drm/radeon: disable mclk dpm on R7 260X (regression in 3.14)
+ - drm/radeon: add support for newer mc ucode on SI (v2)
+ - drm/radeon: add support for newer mc ucode on CI (v2)
+ - drm/radeon: re-enable mclk dpm on R7 260X asics
+ - drm/radeon/uvd: use lower clocks on old UVD to boot v2
+ (regression in 3.13)
+ - drm/radeon: check buffer relocation offset
+ - USB: Nokia 305 should be treated as unusual dev
+ - USB: Nokia 5300 should be treated as unusual dev
+ - Revert "Bluetooth: Enable autosuspend for Intel Bluetooth device"
+ (regression in 3.14)
+ - posix_acl: handle NULL ACL in posix_acl_equiv_mode
+ - fs/affs/super.c: bugfix / double free (regression in 3.14)
+ - [armel/orion5x] fix target ID for crypto SRAM window
+ (regression in 3.12)
+ - [armel/kirkwood]: dts: fix mislocated pcie-controller nodes
+ (regression in 3.12)
+ - [armhf/armmp-lpae] 8012/1: kdump: Avoid overflow when converting pfn to
+ physaddr
+ - drm/nouveau: fix another lock unbalance in nouveau_crtc_page_flip
+ (regression in 3.11)
+ - drm/i915/vlv: reset VLV media force wake request register
+ (regression in 3.14?)
+ - i40e: potential array underflow in i40e_vc_process_vf_msg()
+ - igb: Fix Null-pointer dereference in igb_reset_q_vector
+ (regression in 3.14)
+ - igb: Unset IGB_FLAG_HAS_MSIX-flag when falling back to msi-only
+ (regression in 3.14)
+ - leds: leds-pwm: properly clean up after probe failure
+ - device_cgroup: rework device access check and exception checking
+ - device_cgroup: check if exception removal is allowed
+ - media: media-device: fix infoleak in ioctl media_enum_entities()
+ (CVE-2014-1739)
+ - Input: Add INPUT_PROP_TOPBUTTONPAD device property
+ - Input: synaptics - report INPUT_PROP_TOPBUTTONPAD property
+ - e1000e: Fix no connectivity when driver loaded with cable out
+ (regression in 3.12)
+ - autofs: fix lockref lookup
+ - vfs: fix races between __d_instantiate() and checks of dentry flags
+ - ALSA: hda - hdmi: Set converter channel count even without sink
+ (regression in 3.13)
+ - NFSd: Move default initialisers from create_client() to alloc_client()
+ - NFSd: call rpc_destroy_wait_queue() from free_client()
+ - NFSD: Call ->set_acl with a NULL ACL structure if no entries
+ - nfsd4: remove lockowner when removing lock stateid
+ - workqueue: fix bugs in wq_update_unbound_numa() failure path
+ - workqueue: fix a possible race condition between rescuer and pwq-release
+ - [arm] mvebu: mvebu-soc-id: add missing clk_put() call
+ (regression in 3.14)
+ - [arm] mvebu: mvebu-soc-id: keep clock enabled if PCIe unit is enabled
+ (regression in 3.14)
+ - ASoC: dapm: Skip CODEC<->CODEC links in connect_dai_link_widgets()
+ (regression in 3.14)
+ - [hppa] ratelimit userspace segfault printing
+ - [amd64] modify_ldt: Make support for 16-bit segments a runtime option
+ - sysfs: make sure read buffer is zeroed (possible regression in 3.13)
+ - Target/iser: Fix wrong connection requests list addition
+ - Target/iser: Fix iscsit_accept_np and rdma_cm racy flow
+ - iscsi-target: Change BUG_ON to REJECT in iscsit_process_nop_out
+ (regression in 3.11)
+ - target: fix memory leak on XCOPY
+ - [x86] drm/i915: Disable self-refresh for untiled fbs on i915gm
+ (regression in 3.14)
+ - [x86] drm/i915: move power domain init earlier during system resume
+ (regression in 3.14?)
+ - [x86] drm/i915: Fix unsafe loop iteration over vma whilst unbinding them
+ (regression in 3.12)
+ - iwlwifi: mvm: BT Coex - fix Look Up Table (regression in 3.13)
+ - PCI: Wrong register used to check pending traffic (regression in 3.14)
+ - dm crypt: fix cpu hotplug crash by removing per-cpu structure
+ - dm thin: allow metadata commit if pool is in PM_OUT_OF_DATA_SPACE mode
+ (regression in 3.14)
+ - dm thin: add timeout to stop out-of-data-space mode holding IO forever
+ - dmaengine: fix dmaengine_unmap failure
+ - dma: mv_xor: Flush descriptors before activating a channel
+ - tcm_fc: Fix free-after-use regression in ft_free_cmd
+ (regression in 3.13)
+ - ACPICA: Tables: Restore old behavor to favor 32-bit FADT addresses.
+ (regression in 3.14)
+ - ACPI: Revert "ACPI: Remove CONFIG_ACPI_PROCFS_POWER and cm_sbsc.c"
+ (regression in 3.13)
+ - ACPI: Revert "ACPI / Battery: Remove battery's proc directory"
+ (regression in 3.13)
+ - [x86] ACPI / video: Add use_native_backlight quirks for more systems
+ - ACPI: Revert "ACPI / AC: convert ACPI ac driver to platform bus"
+ (regression in 3.13)
+ - [x86] ACPI / TPM: Fix resume regression on Chromebooks
+ (regression in 3.14)
+ - i2c: s3c2410: resume race fix
+ - [x86] intel_pstate: Set turbo VID for BayTrail
+ - [s390] crypto: fix aes,des ctr mode concurrency finding.
+ - clk: Fix double free due to devm_clk_register() + - clk: Fix slab corruption in clk_unregister() + - [powerpc] powernv: Reset root port in firmware (regression in 3.14) + - [powerpc] irq work racing with timer interrupt can result in timer + interrupt hang (regression in 3.14) + - [powerpc] kexec: Fix "Processor X is stuck" issue during kexec from ST + mode (regression in 3.13) + - spi: core: Ignore unsupported Dual/Quad Transfer Mode bits + (regression in 3.12) + - libceph: fix corruption when using page_count 0 page in rbd + - media: V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel + from user-space [ Ian Campbell ] * [armhf] Enable VIRTIO_BALLOON and VIRTIO_PCI (Closes: #750742) diff --git a/debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch b/debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch deleted file mode 100644 index 016f536a5..000000000 --- a/debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch +++ /dev/null 
@@ -1,157 +0,0 @@ -From: Thomas Gleixner -Date: Mon, 12 May 2014 20:45:34 +0000 -Subject: futex: Add another early deadlock detection check -Origin: https://git.kernel.org/linus/866293ee54227584ffcb4a42f69c1f365974ba7f - -Dave Jones trinity syscall fuzzer exposed an issue in the deadlock -detection code of rtmutex: - http://lkml.kernel.org/r/20140429151655.GA14277@redhat.com - -That underlying issue has been fixed with a patch to the rtmutex code, -but the futex code must not call into rtmutex in that case because - - it can detect that issue early - - it avoids a different and more complex fixup for backing out - -If the user space variable got manipulated to 0x80000000 which means -no lock holder, but the waiters bit set and an active pi_state in the -kernel is found we can figure out the recursive locking issue by -looking at the pi_state owner. If that is the current task, then we -can safely return -EDEADLK. - -The check should have been added in commit 59fa62451 (futex: Handle -futex_pi OWNER_DIED take over correctly) already, but I did not see -the above issue caused by user space manipulation back then. 
- -Signed-off-by: Thomas Gleixner -Cc: Dave Jones -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Darren Hart -Cc: Davidlohr Bueso -Cc: Steven Rostedt -Cc: Clark Williams -Cc: Paul McKenney -Cc: Lai Jiangshan -Cc: Roland McGrath -Cc: Carlos ODonell -Cc: Jakub Jelinek -Cc: Michael Kerrisk -Cc: Sebastian Andrzej Siewior -Link: http://lkml.kernel.org/r/20140512201701.097349971@linutronix.de -Signed-off-by: Thomas Gleixner ---- - kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++------------- - 1 file changed, 34 insertions(+), 13 deletions(-) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -731,7 +731,8 @@ void exit_pi_state_list(struct task_stru - - static int - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, -- union futex_key *key, struct futex_pi_state **ps) -+ union futex_key *key, struct futex_pi_state **ps, -+ struct task_struct *task) - { - struct futex_pi_state *pi_state = NULL; - struct futex_q *this, *next; -@@ -772,6 +773,16 @@ lookup_pi_state(u32 uval, struct futex_h - return -EINVAL; - } - -+ /* -+ * Protect against a corrupted uval. If uval -+ * is 0x80000000 then pid is 0 and the waiter -+ * bit is set. So the deadlock check in the -+ * calling code has failed and we did not fall -+ * into the check above due to !pid. -+ */ -+ if (task && pi_state->owner == task) -+ return -EDEADLK; -+ - atomic_inc(&pi_state->refcount); - *ps = pi_state; - -@@ -921,7 +932,7 @@ retry: - * We dont have the lock. 
Look up the PI state (or create it if - * we are the first waiter): - */ -- ret = lookup_pi_state(uval, hb, key, ps); -+ ret = lookup_pi_state(uval, hb, key, ps, task); - - if (unlikely(ret)) { - switch (ret) { -@@ -1333,7 +1344,7 @@ void requeue_pi_wake_futex(struct futex_ - * - * Return: - * 0 - failed to acquire the lock atomically; -- * 1 - acquired the lock; -+ * >0 - acquired the lock, return value is vpid of the top_waiter - * <0 - error - */ - static int futex_proxy_trylock_atomic(u32 __user *pifutex, -@@ -1344,7 +1355,7 @@ static int futex_proxy_trylock_atomic(u3 - { - struct futex_q *top_waiter = NULL; - u32 curval; -- int ret; -+ int ret, vpid; - - if (get_futex_value_locked(&curval, pifutex)) - return -EFAULT; -@@ -1372,11 +1383,13 @@ static int futex_proxy_trylock_atomic(u3 - * the contended case or if set_waiters is 1. The pi_state is returned - * in ps in contended cases. - */ -+ vpid = task_pid_vnr(top_waiter->task); - ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task, - set_waiters); -- if (ret == 1) -+ if (ret == 1) { - requeue_pi_wake_futex(top_waiter, key2, hb2); -- -+ return vpid; -+ } - return ret; - } - -@@ -1407,7 +1420,6 @@ static int futex_requeue(u32 __user *uad - struct futex_pi_state *pi_state = NULL; - struct futex_hash_bucket *hb1, *hb2; - struct futex_q *this, *next; -- u32 curval2; - - if (requeue_pi) { - /* -@@ -1495,16 +1507,25 @@ retry_private: - * At this point the top_waiter has either taken uaddr2 or is - * waiting on it. If the former, then the pi_state will not - * exist yet, look it up one more time to ensure we have a -- * reference to it. -+ * reference to it. If the lock was taken, ret contains the -+ * vpid of the top waiter task. 
- */ -- if (ret == 1) { -+ if (ret > 0) { - WARN_ON(pi_state); - drop_count++; - task_count++; -- ret = get_futex_value_locked(&curval2, uaddr2); -- if (!ret) -- ret = lookup_pi_state(curval2, hb2, &key2, -- &pi_state); -+ /* -+ * If we acquired the lock, then the user -+ * space value of uaddr2 should be vpid. It -+ * cannot be changed by the top waiter as it -+ * is blocked on hb2 lock if it tries to do -+ * so. If something fiddled with it behind our -+ * back the pi state lookup might unearth -+ * it. So we rather use the known value than -+ * rereading and handing potential crap to -+ * lookup_pi_state. -+ */ -+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); - } - - switch (ret) { diff --git a/debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch b/debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch deleted file mode 100644 index 767935000..000000000 --- a/debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -Date: Tue, 03 Jun 2014 12:27:07 -0000 -From: Thomas Gleixner -Subject: [patch 3/4] futex: Always cleanup owner tid in unlock_pi - -If the owner died bit is set at futex_unlock_pi, we currently do not -cleanup the user space futex. So the owner TID of the current owner -(the unlocker) persists. That's observable inconsistant state, -especially when the ownership of the pi state got transferred. - -Clean it up unconditionally. - -Signed-off-by: Thomas Gleixner -Cc: Kees Cook -Cc: Will Drewry -Cc: Darren Hart -Cc: stable@vger.kernel.org ---- - kernel/futex.c | 44 ++++++++++++++++++++------------------------ - 1 file changed, 20 insertions(+), 24 deletions(-) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -1038,6 +1038,7 @@ static int wake_futex_pi(u32 __user *uad - struct task_struct *new_owner; - struct futex_pi_state *pi_state = this->pi_state; - u32 uninitialized_var(curval), newval; -+ int ret = 0; - - if (!pi_state) - return -EINVAL; -@@ -1061,23 +1062,19 @@ static int wake_futex_pi(u32 __user *uad - new_owner = this->task; - - /* -- * We pass it to the next owner. (The WAITERS bit is always -- * kept enabled while there is PI state around. We must also -- * preserve the owner died bit.) -- */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- int ret = 0; -- -- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); -- -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -- ret = -EFAULT; -- else if (curval != uval) -- ret = -EINVAL; -- if (ret) { -- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -- return ret; -- } -+ * We pass it to the next owner. The WAITERS bit is always -+ * kept enabled while there is PI state around. We cleanup the -+ * owner died bit, because we are the owner. 
-+ */ -+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); -+ -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) -+ ret = -EFAULT; -+ else if (curval != uval) -+ ret = -EINVAL; -+ if (ret) { -+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); -+ return ret; - } - - raw_spin_lock_irq(&pi_state->owner->pi_lock); -@@ -2337,9 +2334,10 @@ retry: - /* - * To avoid races, try to do the TID -> 0 atomic transition - * again. If it succeeds then we can return without waking -- * anyone else up: -+ * anyone else up. We only try this if neither the waiters nor -+ * the owner died bit are set. - */ -- if (!(uval & FUTEX_OWNER_DIED) && -+ if (!(uval & ~FUTEX_TID_MASK) && - cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) - goto pi_faulted; - /* -@@ -2369,11 +2367,9 @@ retry: - /* - * No waiters - kernel unlocks the futex: - */ -- if (!(uval & FUTEX_OWNER_DIED)) { -- ret = unlock_futex_pi(uaddr, uval); -- if (ret == -EFAULT) -- goto pi_faulted; -- } -+ ret = unlock_futex_pi(uaddr, uval); -+ if (ret == -EFAULT) -+ goto pi_faulted; - - out_unlock: - spin_unlock(&hb->lock); diff --git a/debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch b/debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch deleted file mode 100644 index 8dfa49282..000000000 --- a/debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch +++ /dev/null 
@@ -1,272 +0,0 @@ -Date: Tue, 03 Jun 2014 12:27:08 -0000 -From: Thomas Gleixner -Subject: [patch 4/4] futex: Make lookup_pi_state more robust - -The current implementation of lookup_pi_state has ambigous handling of -the TID value 0 in the user space futex. We can get into the kernel -even if the TID value is 0, because either there is a stale waiters -bit or the owner died bit is set or we are called from the requeue_pi -path or from user space just for fun. - -The current code avoids an explicit sanity check for pid = 0 in case -that kernel internal state (waiters) are found for the user space -address. This can lead to state leakage and worse under some -circumstances. - -Handle the cases explicit: - - Waiter | pi_state | pi->owner | uTID | uODIED | ? - -[1] NULL | --- | --- | 0 | 0/1 | Valid -[2] NULL | --- | --- | >0 | 0/1 | Valid - -[3] Found | NULL | -- | Any | 0/1 | Invalid - -[4] Found | Found | NULL | 0 | 1 | Valid -[5] Found | Found | NULL | >0 | 1 | Invalid - -[6] Found | Found | task | 0 | 1 | Valid - -[7] Found | Found | NULL | Any | 0 | Invalid - -[8] Found | Found | task | ==taskTID | 0/1 | Valid -[9] Found | Found | task | 0 | 0 | Invalid -[10] Found | Found | task | !=taskTID | 0/1 | Invalid - -[1] Indicates that the kernel can acquire the futex atomically. We - came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. - -[2] Valid, if TID does not belong to a kernel thread. If no matching - thread is found then it indicates that the owner TID has died. - -[3] Invalid. The waiter is queued on a non PI futex - -[4] Valid state after exit_robust_list(), which sets the user space - value to FUTEX_WAITERS | FUTEX_OWNER_DIED. - -[5] The user space value got manipulated between exit_robust_list() - and exit_pi_state_list() - -[6] Valid state after exit_pi_state_list() which sets the new owner in - the pi_state but cannot access the user space value. - -[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. 
- -[8] Owner and user space value match - -[9] There is no transient state which sets the user space TID to 0 - except exit_robust_list(), but this is indicated by the - FUTEX_OWNER_DIED bit. See [4] - -[10] There is no transient state which leaves owner and user space - TID out of sync. - -Signed-off-by: Thomas Gleixner -Cc: Kees Cook -Cc: Will Drewry -Cc: Darren Hart -Cc: stable@vger.kernel.org ---- - kernel/futex.c | 134 +++++++++++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 106 insertions(+), 28 deletions(-) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -729,10 +729,58 @@ void exit_pi_state_list(struct task_stru - raw_spin_unlock_irq(&curr->pi_lock); - } - -+/* -+ * We need to check the following states: -+ * -+ * Waiter | pi_state | pi->owner | uTID | uODIED | ? -+ * -+ * [1] NULL | --- | --- | 0 | 0/1 | Valid -+ * [2] NULL | --- | --- | >0 | 0/1 | Valid -+ * -+ * [3] Found | NULL | -- | Any | 0/1 | Invalid -+ * -+ * [4] Found | Found | NULL | 0 | 1 | Valid -+ * [5] Found | Found | NULL | >0 | 1 | Invalid -+ * -+ * [6] Found | Found | task | 0 | 1 | Valid -+ * -+ * [7] Found | Found | NULL | Any | 0 | Invalid -+ * -+ * [8] Found | Found | task | ==taskTID | 0/1 | Valid -+ * [9] Found | Found | task | 0 | 0 | Invalid -+ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid -+ * -+ * [1] Indicates that the kernel can acquire the futex atomically. We -+ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. -+ * -+ * [2] Valid, if TID does not belong to a kernel thread. If no matching -+ * thread is found then it indicates that the owner TID has died. -+ * -+ * [3] Invalid. The waiter is queued on a non PI futex -+ * -+ * [4] Valid state after exit_robust_list(), which sets the user space -+ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED. 
-+ * -+ * [5] The user space value got manipulated between exit_robust_list() -+ * and exit_pi_state_list() -+ * -+ * [6] Valid state after exit_pi_state_list() which sets the new owner in -+ * the pi_state but cannot access the user space value. -+ * -+ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. -+ * -+ * [8] Owner and user space value match -+ * -+ * [9] There is no transient state which sets the user space TID to 0 -+ * except exit_robust_list(), but this is indicated by the -+ * FUTEX_OWNER_DIED bit. See [4] -+ * -+ * [10] There is no transient state which leaves owner and user space -+ * TID out of sync. -+ */ - static int - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, -- union futex_key *key, struct futex_pi_state **ps, -- struct task_struct *task) -+ union futex_key *key, struct futex_pi_state **ps) - { - struct futex_pi_state *pi_state = NULL; - struct futex_q *this, *next; -@@ -742,12 +790,13 @@ lookup_pi_state(u32 uval, struct futex_h - plist_for_each_entry_safe(this, next, &hb->chain, list) { - if (match_futex(&this->key, key)) { - /* -- * Another waiter already exists - bump up -- * the refcount and return its pi_state: -+ * Sanity check the waiter before increasing -+ * the refcount and attaching to it. - */ - pi_state = this->pi_state; - /* -- * Userspace might have messed up non-PI and PI futexes -+ * Userspace might have messed up non-PI and -+ * PI futexes [3] - */ - if (unlikely(!pi_state)) - return -EINVAL; -@@ -755,44 +804,70 @@ lookup_pi_state(u32 uval, struct futex_h - WARN_ON(!atomic_read(&pi_state->refcount)); - - /* -- * When pi_state->owner is NULL then the owner died -- * and another waiter is on the fly. pi_state->owner -- * is fixed up by the task which acquires -- * pi_state->rt_mutex. -- * -- * We do not check for pid == 0 which can happen when -- * the owner died and robust_list_exit() cleared the -- * TID. 
-+ * Handle the owner died case: - */ -- if (pid && pi_state->owner) { -+ if (uval & FUTEX_OWNER_DIED) { - /* -- * Bail out if user space manipulated the -- * futex value. -+ * exit_pi_state_list sets owner to NULL and -+ * wakes the topmost waiter. The task which -+ * acquires the pi_state->rt_mutex will fixup -+ * owner. - */ -- if (pid != task_pid_vnr(pi_state->owner)) -+ if (!pi_state->owner) { -+ /* -+ * No pi state owner, but the user -+ * space TID is not 0. Inconsistent -+ * state. [5] -+ */ -+ if (pid) -+ return -EINVAL; -+ /* -+ * Take a ref on the state and -+ * return. [4] -+ */ -+ goto out_state; -+ } -+ -+ /* -+ * If TID is 0, then either the dying owner -+ * has not yet executed exit_pi_state_list() -+ * or some waiter acquired the rtmutex in the -+ * pi state, but did not yet fixup the TID in -+ * user space. -+ * -+ * Take a ref on the state and return. [6] -+ */ -+ if (!pid) -+ goto out_state; -+ } else { -+ /* -+ * If the owner died bit is not set, -+ * then the pi_state must have an -+ * owner. [7] -+ */ -+ if (!pi_state->owner) - return -EINVAL; - } - - /* -- * Protect against a corrupted uval. If uval -- * is 0x80000000 then pid is 0 and the waiter -- * bit is set. So the deadlock check in the -- * calling code has failed and we did not fall -- * into the check above due to !pid. -+ * Bail out if user space manipulated the -+ * futex value. If pi state exists then the -+ * owner TID must be the same as the user -+ * space TID. 
[9/10] - */ -- if (task && pi_state->owner == task) -- return -EDEADLK; -+ if (pid != task_pid_vnr(pi_state->owner)) -+ return -EINVAL; - -+ out_state: - atomic_inc(&pi_state->refcount); - *ps = pi_state; -- - return 0; - } - } - - /* - * We are the first waiter - try to look up the real owner and attach -- * the new pi_state to it, but bail out when TID = 0 -+ * the new pi_state to it, but bail out when TID = 0 [1] - */ - if (!pid) - return -ESRCH; -@@ -825,6 +900,9 @@ lookup_pi_state(u32 uval, struct futex_h - return ret; - } - -+ /* -+ * No existing pi state. First waiter. [2] -+ */ - pi_state = alloc_pi_state(); - - /* -@@ -945,7 +1023,7 @@ retry: - * We dont have the lock. Look up the PI state (or create it if - * we are the first waiter): - */ -- ret = lookup_pi_state(uval, hb, key, ps, task); -+ ret = lookup_pi_state(uval, hb, key, ps); - - if (unlikely(ret)) { - switch (ret) { -@@ -1551,7 +1629,7 @@ retry_private: - * rereading and handing potential crap to - * lookup_pi_state. - */ -- ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); -+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state); - } - - switch (ret) { diff --git a/debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch b/debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch deleted file mode 100644 index 8be1947ef..000000000 --- a/debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From: Thomas Gleixner -Date: Mon, 12 May 2014 20:45:35 +0000 -Subject: futex: Prevent attaching to kernel threads -Origin: https://git.kernel.org/linus/f0d71b3dcb8332f7971b5f2363632573e6d9486a - -We happily allow userspace to declare a random kernel thread to be the -owner of a user space PI futex. - -Found while analysing the fallout of Dave Jones syscall fuzzer. - -We also should validate the thread group for private futexes and find -some fast way to validate whether the "alleged" owner has RW access on -the file which backs the SHM, but that's a separate issue. - -Signed-off-by: Thomas Gleixner -Cc: Dave Jones -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Darren Hart -Cc: Davidlohr Bueso -Cc: Steven Rostedt -Cc: Clark Williams -Cc: Paul McKenney -Cc: Lai Jiangshan -Cc: Roland McGrath -Cc: Carlos ODonell -Cc: Jakub Jelinek -Cc: Michael Kerrisk -Cc: Sebastian Andrzej Siewior -Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de -Signed-off-by: Thomas Gleixner -Cc: stable@vger.kernel.org ---- - kernel/futex.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -800,6 +800,11 @@ lookup_pi_state(u32 uval, struct futex_h - if (!p) - return -ESRCH; - -+ if (!p->mm) { -+ put_task_struct(p); -+ return -EPERM; -+ } -+ - /* - * We need to look at the task state flags to figure out, - * whether the task is exiting. To protect against the do_exit diff --git a/debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch b/debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch deleted file mode 100644 index 814f63db2..000000000 --- a/debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -Date: Tue, 03 Jun 2014 12:27:06 -0000 -From: Thomas Gleixner -Subject: [patch 2/4] futex: Validate atomic acquisition in - futex_lock_pi_atomic() - -We need to protect the atomic acquisition in the kernel against rogue -user space which sets the user space futex to 0, so the kernel side -acquisition succeeds while there is existing state in the kernel -associated to the real owner. - -Verify whether the futex has waiters associated with kernel state. If -it has, return -EINVAL. The state is corrupted already, so no point in -cleaning it up. Subsequent calls will fail as well. Not our problem. - -[ tglx: Use futex_top_waiter() and explain why we do not need to try - restoring the already corrupted user space state. ] - -Signed-off-by: Darren Hart -Cc: Kees Cook -Cc: Will Drewry -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Gleixner ---- - kernel/futex.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -896,10 +896,18 @@ retry: - return -EDEADLK; - - /* -- * Surprise - we got the lock. Just return to userspace: -+ * Surprise - we got the lock, but we do not trust user space at all. - */ -- if (unlikely(!curval)) -- return 1; -+ if (unlikely(!curval)) { -+ /* -+ * We verify whether there is kernel state for this -+ * futex. If not, we can safely assume, that the 0 -> -+ * TID transition is correct. If state exists, we do -+ * not bother to fixup the user space state as it was -+ * corrupted already. -+ */ -+ return futex_top_waiter(hb, key) ? -EINVAL : 1; -+ } - - uval = curval; - diff --git a/debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch b/debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch deleted file mode 100644 index 50d461760..000000000 --- a/debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -Date: Tue, 03 Jun 2014 12:27:06 -0000 -From: Thomas Gleixner -Subject: [patch 1/4] futex-prevent-requeue-pi-on-same-futex.patch futex: - Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) - -If uaddr == uaddr2, then we have broken the rule of only requeueing -from a non-pi futex to a pi futex with this call. If we attempt this, -then dangling pointers may be left for rt_waiter resulting in an -exploitable condition. - -This change brings futex_requeue() into line with -futex_wait_requeue_pi() which performs the same check as per commit -6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()) - -[ tglx: Compare the resulting keys as well, as uaddrs might be - different depending on the mapping ] - -Fixes CVE-2014-3153. - -Reported-by: Pinkie Pie -Signed-off-by: Will Drewry -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Thomas Gleixner ---- - kernel/futex.c | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -1428,6 +1428,13 @@ static int futex_requeue(u32 __user *uad - - if (requeue_pi) { - /* -+ * Requeue PI only works on two distinct uaddrs. This -+ * check is only valid for private futexes. See below. -+ */ -+ if (uaddr1 == uaddr2) -+ return -EINVAL; -+ -+ /* - * requeue_pi requires a pi_state, try to allocate it now - * without any locks in case it fails. - */ -@@ -1465,6 +1472,15 @@ retry: - if (unlikely(ret != 0)) - goto out_put_key1; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. We need to compare the keys: -+ */ -+ if (requeue_pi && match_futex(&key1, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - hb1 = hash_futex(&key1); - hb2 = hash_futex(&key2); - -@@ -2511,6 +2527,15 @@ static int futex_wait_requeue_pi(u32 __u - if (ret) - goto out_key2; - -+ /* -+ * The check above which compares uaddrs is not sufficient for -+ * shared futexes. 
We need to compare the keys: -+ */ -+ if (match_futex(&q.key, &key2)) { -+ ret = -EINVAL; -+ goto out_put_keys; -+ } -+ - /* Queue the futex_q, drop the hb lock, wait for wakeup. */ - futex_wait_queue_me(hb, &q, to); - diff --git a/debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch b/debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch deleted file mode 100644 index 636d6d033..000000000 --- a/debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch +++ /dev/null 
@@ -1,64 +0,0 @@
-From: Lv Zheng
-Date: Wed, 30 Apr 2014 10:05:40 +0800
-Subject: ACPICA: Tables: Fix invalid pointer accesses in
- acpi_tb_parse_root_table().
-Origin: https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git/commit?id=d48dc067450d84324067f4472dc0b169e9af4454
-Bug-Debian: https://bugs.debian.org/748574
-
-Linux XSDT validation mechanism backport has introduced a regreession:
- Commit: 671cc68dc61f029d44b43a681356078e02d8dab8
- Subject: ACPICA: Back port and refine validation of the XSDT root table.
-There is a pointer still accessed after unmapping.
-
-This patch fixes this issue. Lv Zheng.
-
-Fixes: 671cc68dc61f (ACPICA: Back port and refine validation of the XSDT root table.)
-References: https://bugzilla.kernel.org/show_bug.cgi?id=73911
-References: https://bugs.archlinux.org/task/39811
-Signed-off-by: Lv Zheng
-Reported-and-tested-by: Bruce Chiarelli
-Reported-and-tested-by: Spyros Stathopoulos
-Signed-off-by: Bob Moore
-Cc: 3.14+ # 3.14+
-Signed-off-by: Rafael J. Wysocki
----
- drivers/acpi/acpica/tbutils.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/acpi/acpica/tbutils.c b/drivers/acpi/acpica/tbutils.c
-index a4702ee..9fb85f3 100644
---- a/drivers/acpi/acpica/tbutils.c
-+++ b/drivers/acpi/acpica/tbutils.c
-@@ -461,6 +461,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
- u32 table_count;
- struct acpi_table_header *table;
- acpi_physical_address address;
-+ acpi_physical_address rsdt_address;
- u32 length;
- u8 *table_entry;
- acpi_status status;
-@@ -488,11 +489,14 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
- * as per the ACPI specification.
- */
- address = (acpi_physical_address) rsdp->xsdt_physical_address;
-+ rsdt_address =
-+ (acpi_physical_address) rsdp->rsdt_physical_address;
- table_entry_size = ACPI_XSDT_ENTRY_SIZE;
- } else {
- /* Root table is an RSDT (32-bit physical addresses) */
- 
- address = (acpi_physical_address) rsdp->rsdt_physical_address;
-+ rsdt_address = address;
- table_entry_size = ACPI_RSDT_ENTRY_SIZE;
- }
- 
-@@ -515,8 +519,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
- 
- /* Fall back to the RSDT */
- 
-- address =
-- (acpi_physical_address) rsdp->rsdt_physical_address;
-+ address = rsdt_address;
- table_entry_size = ACPI_RSDT_ENTRY_SIZE;
- }
- }
diff --git a/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch b/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch
index 0c656976c..59fa3c5e5 100644
--- a/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch
+++ b/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch
@@ -11,6 +11,8 @@ This patch moves the invokation into a process context so that we only
 wakeup() a process while holding the lock.
 
 Signed-off-by: Sebastian Andrzej Siewior
+[bwh: Adjust context to apply after commit 01f8fa4f01d8 ('genirq: Allow
+ forcing cpu affinity of interrupts') in 3.14.6]
 ---
 include/linux/interrupt.h | 1 
 kernel/irq/manage.c | 79 ++++++++++++++++++++++++++++++++++++++++++++--
@@ -18,7 +20,7 @@ Signed-off-by: Sebastian Andrzej Siewior
 
 --- a/include/linux/interrupt.h
 +++ b/include/linux/interrupt.h
-@@ -224,6 +224,7 @@ struct irq_affinity_notify {
+@@ -257,6 +257,7 @@ struct irq_affinity_notify {
 unsigned int irq;
 struct kref kref;
 struct work_struct work;
@@ -88,10 +90,10 @@ 
Signed-off-by: Sebastian Andrzej Siewior + +#endif + - int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask) + int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask, + bool force) { - struct irq_chip *chip = irq_data_get_irq_chip(data); -@@ -182,7 +238,17 @@ int __irq_set_affinity_locked(struct irq +@@ -183,7 +239,17 @@ int irq_set_affinity_locked(struct irq_d if (desc->affinity_notify) { kref_get(&desc->affinity_notify->kref); @@ -109,7 +111,7 @@ Signed-off-by: Sebastian Andrzej Siewior } irqd_set(data, IRQD_AFFINITY_SET); -@@ -223,10 +289,8 @@ int irq_set_affinity_hint(unsigned int i +@@ -218,10 +284,8 @@ int irq_set_affinity_hint(unsigned int i } EXPORT_SYMBOL_GPL(irq_set_affinity_hint); @@ -121,7 +123,7 @@ Signed-off-by: Sebastian Andrzej Siewior struct irq_desc *desc = irq_to_desc(notify->irq); cpumask_var_t cpumask; unsigned long flags; -@@ -248,6 +312,13 @@ static void irq_affinity_notify(struct w +@@ -243,6 +307,13 @@ out: kref_put(¬ify->kref, notify->release); } @@ -135,7 +137,7 @@ Signed-off-by: Sebastian Andrzej Siewior /** * irq_set_affinity_notifier - control notification of IRQ affinity changes * @irq: Interrupt for which to enable/disable notification -@@ -277,6 +348,8 @@ irq_set_affinity_notifier(unsigned int i +@@ -272,6 +343,8 @@ irq_set_affinity_notifier(unsigned int i notify->irq = irq; kref_init(¬ify->kref); INIT_WORK(¬ify->work, irq_affinity_notify); diff --git a/debian/patches/features/all/rt/latency-hist.patch b/debian/patches/features/all/rt/latency-hist.patch index 4f3933998..1c3f25b0f 100644 --- a/debian/patches/features/all/rt/latency-hist.patch +++ b/debian/patches/features/all/rt/latency-hist.patch @@ -359,7 +359,7 @@ Signed-off-by: Thomas Gleixner /* * The timer bases: -@@ -998,6 +999,17 @@ int __hrtimer_start_range_ns(struct hrti +@@ -1017,6 +1018,17 @@ int __hrtimer_start_range_ns(struct hrti #endif } @@ -376,8 +376,8 @@ 
Signed-off-by: Thomas Gleixner + hrtimer_set_expires_range_ns(timer, tim, delta_ns); - timer_stats_hrtimer_set_start_info(timer); -@@ -1276,6 +1288,8 @@ static void __run_hrtimer(struct hrtimer + /* Switch the timer base, if necessary: */ +@@ -1298,6 +1310,8 @@ static void __run_hrtimer(struct hrtimer #ifdef CONFIG_HIGH_RES_TIMERS @@ -386,7 +386,7 @@ Signed-off-by: Thomas Gleixner /* * High resolution timer interrupt * Called with interrupts disabled -@@ -1319,6 +1333,15 @@ void hrtimer_interrupt(struct clock_even +@@ -1341,6 +1355,15 @@ retry: timer = container_of(node, struct hrtimer, node); diff --git a/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch b/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch index 3e5103fe5..536856efa 100644 --- a/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch +++ b/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch @@ -12,7 +12,7 @@ Signed-off-by: Thomas Gleixner --- a/kernel/futex.c +++ b/kernel/futex.c -@@ -1585,6 +1585,16 @@ static int futex_requeue(u32 __user *uad +@@ -1710,6 +1710,16 @@ retry_private: requeue_pi_wake_futex(this, &key2, hb2); drop_count++; continue; @@ -29,7 +29,7 @@ Signed-off-by: Thomas Gleixner } else if (ret) { /* -EDEADLK */ this->pi_state = NULL; -@@ -2439,7 +2449,7 @@ static int futex_wait_requeue_pi(u32 __u +@@ -2563,7 +2573,7 @@ static int futex_wait_requeue_pi(u32 __u struct hrtimer_sleeper timeout, *to = NULL; struct rt_mutex_waiter rt_waiter; struct rt_mutex *pi_mutex = NULL; @@ -38,7 +38,7 @@ Signed-off-by: Thomas Gleixner union futex_key key2 = FUTEX_KEY_INIT; struct futex_q q = futex_q_init; int res, ret; -@@ -2488,20 +2498,55 @@ static int futex_wait_requeue_pi(u32 __u +@@ -2621,20 +2631,55 @@ static int futex_wait_requeue_pi(u32 __u /* Queue the futex_q, drop the hb lock, wait for wakeup. */ futex_wait_queue_me(hb, &q, to); @@ -105,7 +105,7 @@ 
Signed-off-by: Thomas Gleixner /* Check if the requeue code acquired the second futex for us. */ if (!q.rt_waiter) { -@@ -2510,9 +2555,10 @@ static int futex_wait_requeue_pi(u32 __u +@@ -2643,9 +2688,10 @@ static int futex_wait_requeue_pi(u32 __u * did a lock-steal - fix up the PI-state in that case. */ if (q.pi_state && (q.pi_state->owner != current)) { @@ -118,7 +118,7 @@ Signed-off-by: Thomas Gleixner } } else { /* -@@ -2525,7 +2571,8 @@ static int futex_wait_requeue_pi(u32 __u +@@ -2658,7 +2704,8 @@ static int futex_wait_requeue_pi(u32 __u ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1); debug_rt_mutex_free_waiter(&rt_waiter); @@ -151,8 +151,8 @@ Signed-off-by: Thomas Gleixner goto out_unlock_pi; /* -@@ -528,6 +533,23 @@ static int task_blocks_on_rt_mutex(struc - int chain_walk = 0, res; +@@ -552,6 +557,23 @@ static int task_blocks_on_rt_mutex(struc + return -EDEADLK; raw_spin_lock_irqsave(&task->pi_lock, flags); + @@ -175,7 +175,7 @@ Signed-off-by: Thomas Gleixner __rt_mutex_adjust_prio(task); waiter->task = task; waiter->lock = lock; -@@ -551,7 +573,7 @@ static int task_blocks_on_rt_mutex(struc +@@ -575,7 +597,7 @@ static int task_blocks_on_rt_mutex(struc rt_mutex_enqueue_pi(owner, waiter); __rt_mutex_adjust_prio(owner); @@ -184,7 +184,7 @@ Signed-off-by: Thomas Gleixner chain_walk = 1; raw_spin_unlock_irqrestore(&owner->pi_lock, flags); } -@@ -645,7 +667,7 @@ static void remove_waiter(struct rt_mute +@@ -669,7 +691,7 @@ static void remove_waiter(struct rt_mute } __rt_mutex_adjust_prio(owner); @@ -193,7 +193,7 @@ Signed-off-by: Thomas Gleixner chain_walk = 1; raw_spin_unlock_irqrestore(&owner->pi_lock, flags); -@@ -677,7 +699,7 @@ void rt_mutex_adjust_pi(struct task_stru +@@ -701,7 +723,7 @@ void rt_mutex_adjust_pi(struct task_stru raw_spin_lock_irqsave(&task->pi_lock, flags); waiter = task->pi_blocked_on; diff --git a/debian/patches/series b/debian/patches/series index d2f8fe8b5..6c62816df 100644 --- a/debian/patches/series 
+++ b/debian/patches/series
@@ -83,15 +83,8 @@ features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
 features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
 debian/libata-avoid-abi-change-in-3.14.4.patch
 debian/dm-avoid-abi-change-in-3.14.4.patch
-bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
 debian/net-revert-lockdep-changes-in-3.14.5.patch
 debian/sockdiag-avoid-abi-change-in-3.14.5.patch
 debian/target-avoid-abi-change-in-3.14.5.patch
 debian/netfilter-avoid-abi-change-in-3.14.5.patch
 bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch
-bugfix/all/futex-Add-another-early-deadlock-detection-check.patch
-bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch
-bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch
-bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
-bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch
-bugfix/all/futex-Make-lookup_pi_state-more-robust.patch