From 4686b122fcc4dd67db1bbd32d8d47cb1d9025e5b Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 21 Jan 2017 09:20:56 +0100 Subject: [PATCH] Update to 4.9.5 --- debian/changelog | 113 +++++++++++++++++- ...rence-added-by-grab_header-in-proc_s.patch | 87 -------------- ...VM-x86-Introduce-segmented_write_std.patch | 61 ---------- ...ix-emulation-of-MOV-SS-null-selector.patch | 107 ----------------- ..._btrfs_all_work_done-from-normal_wor.patch | 39 ------ ...-and-trace-point-in-run_ordered_work.patch | 8 +- ...-and-dev-kmem-when-securelevel-is-se.patch | 8 +- debian/patches/series | 3 - debian/patches/series-rt | 1 - 9 files changed, 116 insertions(+), 311 deletions(-) delete mode 100644 debian/patches/bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch delete mode 100644 debian/patches/bugfix/x86/KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch delete mode 100644 debian/patches/features/all/rt/btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch diff --git a/debian/changelog b/debian/changelog index 0a37aa9dd..a2c85f61b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.9.4-1) UNRELEASED; urgency=medium +linux (4.9.5-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.3 
@@ -233,6 +233,113 @@ linux (4.9.4-1) UNRELEASED; urgency=medium - [x86] drm/i915/gen9: Fix PCODE polling during CDCLK change notification - rtlwifi: Fix enter/exit power_save - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.5 + - Input: xpad - use correct product id for x360w controllers + - Input: i8042 - add Pegatron touchpad to noloop table + - [armhf] regulator: axp20x: Fix axp809 ldo_io registration error on cold + boot + - [arm64, armhf] drm/tegra: dpaux: Fix error handling + - [arm64, armhf] drm/vc4: Fix a couple error codes in vc4_cl_lookup_bos() + - drm/savage: dereferencing an error pointer + - zram: revalidate disk under init_lock + - zram: support BDI_CAP_STABLE_WRITES + - dax: fix deadlock with DAX 4k holes + - mm: pmd dirty emulation in page fault handler + - mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done} + - ocfs2: fix crash caused by stale lvb with fsdlm plugin + - mm, memcg: fix the active list aging for lowmem requests when memcg is enabled + - mm: support anonymous stable page + - mm/slab.c: fix SLAB freelist randomization duplicate entries + (CVE-2017-5546) + - mm/hugetlb.c: fix reservation race when freeing surplus pages + - [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583) + - KVM: eventfd: fix NULL deref irqbypass consumer + - jump_labels: API for flushing deferred jump label updates + - [x86] KVM: flush pending lapic jump label updates on module unload + - [x86] KVM: fix NULL deref in vcpu_scan_ioapic + - [x86] KVM: add Align16 instruction flag + - [x86] KVM: add asm_safe wrapper + - [x86] KVM: emulate FXSAVE and FXRSTOR + - [x86] KVM: Introduce segmented_write_std (CVE-2017-2584) + - efi/libstub/arm*: Pass latest memory map to the kernel + - [x86] efi: Prune invalid memory map entries and fix boot regression + - [x86] efi: Don't allocate memmap through memblock after mm_init() + - nl80211: fix sched scan netlink socket owner 
destruction + - gpio: Move freeing of GPIO hogs before numbing of the device + - xfs: Timely free truncated dirty pages + - bridge: netfilter: Fix dropping packets that moving through bridge interface + - [x86] cpu/AMD: Clean up cpu_llc_id assignment per topology feature + - [x86] bugs: Separate AMD E400 erratum and C1E bug + - [x86] CPU/AMD: Fix Bulldozer topology + - wusbcore: Fix one more crypto-on-the-stack bug + - [armhf] usb: musb: fix runtime PM in debugfs + - USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549) + - USB: serial: ch341: fix initial modem-control state + - USB: serial: ch341: fix resume after reset + - USB: serial: ch341: fix open error handling + - USB: serial: ch341: fix control-message error handling + - USB: serial: ch341: fix open and resume after B0 + - i2c: print correct device invalid address + - i2c: fix kernel memory disclosure in dev interface + - fix a fencepost error in pipe_advance() (CVE-2017-5550) + - xhci: fix deadlock at host remove by running watchdog correctly + - btrfs: fix crash when tracepoint arguments are freed by wq callbacks + - ASoC: hdmi-codec: use unsigned type to structure members with bit-field + - Revert "tty: serial: 8250: add CON_CONSDEV to flags" + - pid: fix lockdep deadlock warning due to ucount_lock + - mnt: Protect the mountpoint hashtable with mount_lock + - drivers: char: mem: Fix thinkos in kmem address checks + - [armhf] dmaengine: omap-dma: Fix dynamic lch_map allocation + - virtio_blk: avoid DMA to stack for the sense buffer + - orinoco: Use shash instead of ahash for MIC calculations + - sysrq: attach sysrq handler correctly for 32-bit kernel + - [arm64, armhf] extcon: return error code on failure + - Clearing FIFOs in RS485 emulation mode causes subsequent transmits to + break + - sysctl: Drop reference added by grab_header in proc_sys_readdir + (CVE-2016-9191) + - [s390x] net/af_iucv: don't use paged skbs for TX on HiperSockets + - [x86] drm/i915/gen9: Fix PCODE polling timeout 
in stable backport + - drm: Clean up planes in atomic commit helper failure path + - drm/radeon: update smc firmware selection for SI + - drm/radeon: drop verde dpm quirks + - [x86] drm/amdgpu: update si kicker smc firmware + - [x86] drm/amdgpu: drop verde dpm quirks + - USB: serial: ch341: fix modem-control and B0 handling + - net/mlx5: Only cancel recovery work when cleaning up device + - i2c: piix4: Avoid race conditions with IMC + - [x86] cpu: Fix bootup crashes by sanitizing the argument of the + 'clearcpuid=' command-line option + - nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too + - btrfs: fix locking when we put back a delayed ref that's too new + - btrfs: fix error handling when run_delayed_extent_op fails + - NFS: fix typo in parameter description + - pNFS: Fix race in pnfs_wait_on_layoutreturn + - NFS: Fix a performance regression in readdir + - NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success. + - [armhf] i2c: mux: pca954x: fix i2c mux selection caching + - [x86] drm/i915/gen9: Fix PCODE polling during SAGV disabling + - drm: avoid uninitialized timestamp use in wait_vblank + - [arm64, armhf] drm/panel: simple: Check against num_timings when setting + preferred for timing + - [x86] drm/i915: Move the min_pixclk[] handling to the end of readout + - drm: Initialise drm_mm.head_node.allocated + - block: Change extern inline to static inline + - block: cfq_cpd_alloc() should use @gfp + - [x86] ACPI / APEI: Fix NMI notification handling + - [x86] powercap/intel_rapl: fix and tidy up error handling + - iw_cxgb4: Fix error return code in c4iw_rdev_open() + - [arm64, armhf] power: supply: bq27xxx_battery: Fix register map for + BQ27510 and BQ27520 + - blk-mq: Always schedule hctx->next_cpu + - [powerpc] mm: Correct process and partition table max size + - [powerpc*] ibmebus: Fix further device reference leaks + - [powerpc*] ibmebus: Fix device reference leaks in sysfs interface + - [powerpc*] powernv: Don't warn on PE init if 
unfreeze is unsupported + - [arm64] hugetlb: fix the wrong address for several functions + - [arm64] hugetlb: remove the wrong pmd check in find_num_contig() + - [arm64] hugetlb: fix the wrong return value for + huge_ptep_set_access_flags [ Ben Hutchings ] * [armel,armhf,s390x,x86] linux-headers: Fix regression of multilib compiler @@ -241,11 +348,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium * ath9k: fix NULL pointer dereference (Closes: #851621) [ Salvatore Bonaccorso ] - * sysctl: Drop reference added by grab_header in proc_sys_readdir - (CVE-2016-9191) * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551) - * [x86] KVM: Introduce segmented_write_std (CVE-2017-2584) - * [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583) [ Roger Shimizu ] * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL) diff --git a/debian/patches/bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch b/debian/patches/bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch deleted file mode 100644 index c91cd09a7..000000000 --- a/debian/patches/bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From: Zhou Chengming -Date: Fri, 6 Jan 2017 09:32:32 +0800 -Subject: sysctl: Drop reference added by grab_header in proc_sys_readdir -Origin: https://git.kernel.org/linus/93362fa47fe98b62e4a34ab408c4a418432e7939 - -Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference -added by grab_header when return from !dir_emit_dots path. -It can cause any path called unregister_sysctl_table will -wait forever. - -The calltrace of CVE-2016-9191: - -[ 5535.960522] Call Trace: -[ 5535.963265] [] schedule+0x3f/0xa0 -[ 5535.968817] [] schedule_timeout+0x3db/0x6f0 -[ 5535.975346] [] ? wait_for_completion+0x45/0x130 -[ 5535.982256] [] wait_for_completion+0xc3/0x130 -[ 5535.988972] [] ? wake_up_q+0x80/0x80 -[ 5535.994804] [] drop_sysctl_table+0xc4/0xe0 -[ 5536.001227] [] drop_sysctl_table+0x77/0xe0 -[ 5536.007648] [] unregister_sysctl_table+0x4d/0xa0 -[ 5536.014654] [] unregister_sysctl_table+0x7f/0xa0 -[ 5536.021657] [] unregister_sched_domain_sysctl+0x15/0x40 -[ 5536.029344] [] partition_sched_domains+0x44/0x450 -[ 5536.036447] [] ? __mutex_unlock_slowpath+0x111/0x1f0 -[ 5536.043844] [] rebuild_sched_domains_locked+0x64/0xb0 -[ 5536.051336] [] update_flag+0x11d/0x210 -[ 5536.057373] [] ? mutex_lock_nested+0x2df/0x450 -[ 5536.064186] [] ? cpuset_css_offline+0x1b/0x60 -[ 5536.070899] [] ? trace_hardirqs_on+0xd/0x10 -[ 5536.077420] [] ? mutex_lock_nested+0x2df/0x450 -[ 5536.084234] [] ? css_killed_work_fn+0x25/0x220 -[ 5536.091049] [] cpuset_css_offline+0x35/0x60 -[ 5536.097571] [] css_killed_work_fn+0x5c/0x220 -[ 5536.104207] [] process_one_work+0x1df/0x710 -[ 5536.110736] [] ? process_one_work+0x160/0x710 -[ 5536.117461] [] worker_thread+0x12b/0x4a0 -[ 5536.123697] [] ? process_one_work+0x710/0x710 -[ 5536.130426] [] kthread+0xfe/0x120 -[ 5536.135991] [] ret_from_fork+0x1f/0x40 -[ 5536.142041] [] ? kthread_create_on_node+0x230/0x230 - -One cgroup maintainer mentioned that "cgroup is trying to offline -a cpuset css, which takes place under cgroup_mutex. 
The offlining -ends up trying to drain active usages of a sysctl table which apprently -is not happening." -The real reason is that proc_sys_readdir doesn't drop reference added -by grab_header when return from !dir_emit_dots path. So this cpuset -offline path will wait here forever. - -See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13 - -Fixes: f0c3b5093add ("[readdir] convert procfs") -Cc: stable@vger.kernel.org -Reported-by: CAI Qian -Tested-by: Yang Shukui -Signed-off-by: Zhou Chengming -Acked-by: Al Viro -Signed-off-by: Eric W. Biederman ---- - fs/proc/proc_sysctl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c -index 55313d9..d4e37ac 100644 ---- a/fs/proc/proc_sysctl.c -+++ b/fs/proc/proc_sysctl.c -@@ -709,7 +709,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx) - ctl_dir = container_of(head, struct ctl_dir, header); - - if (!dir_emit_dots(file, ctx)) -- return 0; -+ goto out; - - pos = 2; - -@@ -719,6 +719,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx) - break; - } - } -+out: - sysctl_head_finish(head); - return 0; - } --- -2.1.4 - diff --git a/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch b/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch deleted file mode 100644 index b5ef81af9..000000000 --- a/debian/patches/bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From: Steve Rutherford -Date: Wed, 11 Jan 2017 18:28:29 -0800 -Subject: KVM: x86: Introduce segmented_write_std -Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d - -Introduces segemented_write_std. - -Switches from emulated reads/writes to standard read/writes in fxsave, -fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding -kernel memory leak. - -Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR", -2016-11-09), which is luckily not yet in any final release, this would -also be an exploitable kernel memory *write*! - -Reported-by: Dmitry Vyukov -Cc: stable@vger.kernel.org -Fixes: 96051572c819194c37a8367624b285be10297eca -Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62 -Suggested-by: Paolo Bonzini -Signed-off-by: Steve Rutherford -Signed-off-by: Paolo Bonzini -[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1] ---- - arch/x86/kvm/emulate.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -791,6 +791,20 @@ static int segmented_read_std(struct x86 - return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception); - } - -+static int segmented_write_std(struct x86_emulate_ctxt *ctxt, -+ struct segmented_address addr, -+ void *data, -+ unsigned int size) -+{ -+ int rc; -+ ulong linear; -+ -+ rc = linearize(ctxt, addr, size, true, &linear); -+ if (rc != X86EMUL_CONTINUE) -+ return rc; -+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception); -+} -+ - /* - * Prefetch the remaining bytes of the instruction without crossing page - * boundary if they are not in fetch_cache yet. -@@ -3658,8 +3672,8 @@ static int emulate_store_desc_ptr(struct - } - /* Disable writeback. 
*/ - ctxt->dst.type = OP_NONE; -- return segmented_write(ctxt, ctxt->dst.addr.mem, -- &desc_ptr, 2 + ctxt->op_bytes); -+ return segmented_write_std(ctxt, ctxt->dst.addr.mem, -+ &desc_ptr, 2 + ctxt->op_bytes); - } - - static int em_sgdt(struct x86_emulate_ctxt *ctxt) diff --git a/debian/patches/bugfix/x86/KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch b/debian/patches/bugfix/x86/KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch deleted file mode 100644 index f6d2e5d9e..000000000 --- a/debian/patches/bugfix/x86/KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 12 Jan 2017 15:02:32 +0100 -Subject: KVM: x86: fix emulation of "MOV SS, null selector" -Origin: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3 - -This is CVE-2017-2583. On Intel this causes a failed vmentry because -SS's type is neither 3 nor 7 (even though the manual says this check is -only done for usable SS, and the dmesg splat says that SS is unusable!). -On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb. - -The fix fabricates a data segment descriptor when SS is set to a null -selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb. -Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3; -this in turn ensures CPL < 3 because RPL must be equal to CPL. - -Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing -the bug and deciphering the manuals. - -Reported-by: Xiaohan Zhang -Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011 -Cc: stable@nongnu.org -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/emulate.c | 48 ++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 38 insertions(+), 10 deletions(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index f36d0fa..cedbba0 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -1585,7 +1585,6 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, - &ctxt->exception); - } - --/* Does not support long mode */ - static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - u16 selector, int seg, u8 cpl, - enum x86_transfer_type transfer, -@@ -1622,20 +1621,34 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - - rpl = selector & 3; - -- /* NULL selector is not valid for TR, CS and SS (except for long mode) */ -- if ((seg == VCPU_SREG_CS -- || (seg == VCPU_SREG_SS -- && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)) -- || seg == VCPU_SREG_TR) -- && null_selector) -- goto exception; -- - /* TR should be 
in GDT only */ - if (seg == VCPU_SREG_TR && (selector & (1 << 2))) - goto exception; - -- if (null_selector) /* for NULL selector skip all following checks */ -+ /* NULL selector is not valid for TR, CS and (except for long mode) SS */ -+ if (null_selector) { -+ if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR) -+ goto exception; -+ -+ if (seg == VCPU_SREG_SS) { -+ if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl) -+ goto exception; -+ -+ /* -+ * ctxt->ops->set_segment expects the CPL to be in -+ * SS.DPL, so fake an expand-up 32-bit data segment. -+ */ -+ seg_desc.type = 3; -+ seg_desc.p = 1; -+ seg_desc.s = 1; -+ seg_desc.dpl = cpl; -+ seg_desc.d = 1; -+ seg_desc.g = 1; -+ } -+ -+ /* Skip all following checks */ - goto load; -+ } - - ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr); - if (ret != X86EMUL_CONTINUE) -@@ -1751,6 +1764,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - u16 selector, int seg) - { - u8 cpl = ctxt->ops->cpl(ctxt); -+ -+ /* -+ * None of MOV, POP and LSS can load a NULL selector in CPL=3, but -+ * they can load it at CPL<3 (Intel's manual says only LSS can, -+ * but it's wrong). -+ * -+ * However, the Intel manual says that putting IST=1/DPL=3 in -+ * an interrupt gate will result in SS=3 (the AMD manual instead -+ * says it doesn't), so allow SS=3 in __load_segment_descriptor -+ * and only forbid it here. -+ */ -+ if (seg == VCPU_SREG_SS && selector == 3 && -+ ctxt->mode == X86EMUL_MODE_PROT64) -+ return emulate_exception(ctxt, GP_VECTOR, 0, true); -+ - return __load_segment_descriptor(ctxt, selector, seg, cpl, - X86_TRANSFER_NONE, NULL); - } --- -2.1.4 - diff --git a/debian/patches/features/all/rt/btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch b/debian/patches/features/all/rt/btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch deleted file mode 100644 index 8c666a7e3..000000000 
--- a/debian/patches/features/all/rt/btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Sebastian Andrzej Siewior -Date: Wed, 14 Dec 2016 14:44:18 +0100 -Subject: [PATCH] btrfs: drop trace_btrfs_all_work_done() from - normal_work_helper() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.9/older/patches-4.9-rt1.tar.xz - -For btrfs_scrubparity_helper() the ->func() is set to -scrub_parity_bio_endio_worker(). This functions invokes invokes -scrub_free_parity() which kfrees() the worked object. All is good as -long as trace events are not enabled because we boom with a backtrace -like this: -| Workqueue: btrfs-endio btrfs_endio_helper -| RIP: 0010:[] [] trace_event_raw_event_btrfs__work__done+0x4e/0xa0 -| Call Trace: -| [] btrfs_scrubparity_helper+0x59d/0x780 -| [] btrfs_endio_helper+0x9/0x10 -| [] process_one_work+0x26e/0x7b0 -| [] worker_thread+0x46/0x560 -| [] kthread+0xee/0x110 -| [] ret_from_fork+0x2a/0x40 - -So in order to avoid this, I remove the trace point. - -Signed-off-by: Sebastian Andrzej Siewior ---- - fs/btrfs/async-thread.c | 2 -- - 1 file changed, 2 deletions(-) - ---- a/fs/btrfs/async-thread.c -+++ b/fs/btrfs/async-thread.c -@@ -318,8 +318,6 @@ static void normal_work_helper(struct bt - set_bit(WORK_DONE_BIT, &work->flags); - run_ordered_work(wq); - } -- if (!need_order) -- trace_btrfs_all_work_done(work); - } - - void btrfs_init_work(struct btrfs_work *work, btrfs_work_func_t uniq_func, diff --git a/debian/patches/features/all/rt/btrfs-swap-free-and-trace-point-in-run_ordered_work.patch b/debian/patches/features/all/rt/btrfs-swap-free-and-trace-point-in-run_ordered_work.patch index 32e7510e2..0cb57665b 100644 --- a/debian/patches/features/all/rt/btrfs-swap-free-and-trace-point-in-run_ordered_work.patch +++ b/debian/patches/features/all/rt/btrfs-swap-free-and-trace-point-in-run_ordered_work.patch @@ -22,12 +22,12 @@ Signed-off-by: Sebastian Andrzej Siewior --- a/fs/btrfs/async-thread.c 
+++ b/fs/btrfs/async-thread.c -@@ -288,8 +288,8 @@ static void run_ordered_work(struct __bt - * we don't want to call the ordered free functions - * with the lock held though +@@ -306,8 +306,8 @@ static void run_ordered_work(struct __bt + * because the callback could free the structure. */ + wtag = work; - work->ordered_free(work); - trace_btrfs_all_work_done(work); + trace_btrfs_all_work_done(wq->fs_info, wtag); + work->ordered_free(work); } spin_unlock_irqrestore(lock, flags); diff --git a/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch b/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch index dd8676dab..b36cd7fe7 100644 --- a/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch +++ b/debian/patches/features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch @@ -25,13 +25,13 @@ Signed-off-by: Matthew Garrett if (!valid_phys_addr_range(p, count)) return -EFAULT; -@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *f +@@ -514,6 +517,9 @@ static ssize_t write_kmem(struct file *f char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; + if (get_securelevel() > 0) + return -EPERM; + - if (!pfn_valid(PFN_DOWN(p))) - return -EIO; - + if (p < (unsigned long) high_memory) { + unsigned long to_write = min_t(unsigned long, count, + (unsigned long)high_memory - p); diff --git a/debian/patches/series b/debian/patches/series index 49d9efb27..8864fae03 100644 --- a/debian/patches/series +++ b/debian/patches/series 
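Review bot: The refreshed rt patch btrfs-swap-free-and-trace-point-in-run_ordered_work.patch looks redundant after this update and is probably better dropped than rebased, as was done in this same commit for its sibling btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch. Its new context lines (`wtag = work;` and the comment ending in "because the callback could free the structure") show that 4.9.5 already saves the pointer as a tag before `work->ordered_free(work)`, which matches the changelog entry "btrfs: fix crash when tracepoint arguments are freed by wq callbacks". Assuming the tracepoint only records the tag value and does not dereference it, the use-after-free this patch was written for is presumably already closed upstream. If the reordering is kept, the patch description should state why `trace_btrfs_all_work_done(wq->fs_info, wtag);` must still run before the free. The hunk shows only part of run_ordered_work, so the surrounding locking cannot be checked from here.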
@@ -96,10 +96,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch -bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch -bugfix/x86/KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch diff --git a/debian/patches/series-rt b/debian/patches/series-rt index f4b6dc254..e59c7fc64 100644 --- a/debian/patches/series-rt +++ b/debian/patches/series-rt @@ -37,7 +37,6 @@ features/all/rt/x86-apic-get-rid-of-warning-acpi_ioapic_lock-defined.patch features/all/rt/rxrpc-remove-unused-static-variables.patch features/all/rt/rcu-update-make-RCU_EXPEDITE_BOOT-default.patch features/all/rt/locking-percpu-rwsem-use-swait-for-the-wating-writer.patch -features/all/rt/btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch features/all/rt/btrfs-swap-free-and-trace-point-in-run_ordered_work.patch # Wants a different fix for upstream