Update to 4.9.5
parent e888ec46f1
commit 4686b122fc
|
@ -1,4 +1,4 @@
|
|||
linux (4.9.4-1) UNRELEASED; urgency=medium
|
||||
linux (4.9.5-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.3
|
||||
|
@ -233,6 +233,113 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
|
|||
- [x86] drm/i915/gen9: Fix PCODE polling during CDCLK change notification
|
||||
- rtlwifi: Fix enter/exit power_save
|
||||
- rtlwifi: rtl_usb: Fix missing entry in USB driver's private data
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.5
|
||||
- Input: xpad - use correct product id for x360w controllers
|
||||
- Input: i8042 - add Pegatron touchpad to noloop table
|
||||
- [armhf] regulator: axp20x: Fix axp809 ldo_io registration error on cold
|
||||
boot
|
||||
- [arm64, armhf] drm/tegra: dpaux: Fix error handling
|
||||
- [arm64, armhf] drm/vc4: Fix a couple error codes in vc4_cl_lookup_bos()
|
||||
- drm/savage: dereferencing an error pointer
|
||||
- zram: revalidate disk under init_lock
|
||||
- zram: support BDI_CAP_STABLE_WRITES
|
||||
- dax: fix deadlock with DAX 4k holes
|
||||
- mm: pmd dirty emulation in page fault handler
|
||||
- mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done}
|
||||
- ocfs2: fix crash caused by stale lvb with fsdlm plugin
|
||||
- mm, memcg: fix the active list aging for lowmem requests when memcg is enabled
|
||||
- mm: support anonymous stable page
|
||||
- mm/slab.c: fix SLAB freelist randomization duplicate entries
|
||||
(CVE-2017-5546)
|
||||
- mm/hugetlb.c: fix reservation race when freeing surplus pages
|
||||
- [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
|
||||
- KVM: eventfd: fix NULL deref irqbypass consumer
|
||||
- jump_labels: API for flushing deferred jump label updates
|
||||
- [x86] KVM: flush pending lapic jump label updates on module unload
|
||||
- [x86] KVM: fix NULL deref in vcpu_scan_ioapic
|
||||
- [x86] KVM: add Align16 instruction flag
|
||||
- [x86] KVM: add asm_safe wrapper
|
||||
- [x86] KVM: emulate FXSAVE and FXRSTOR
|
||||
- [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
|
||||
- efi/libstub/arm*: Pass latest memory map to the kernel
|
||||
- [x86] efi: Prune invalid memory map entries and fix boot regression
|
||||
- [x86] efi: Don't allocate memmap through memblock after mm_init()
|
||||
- nl80211: fix sched scan netlink socket owner destruction
|
||||
- gpio: Move freeing of GPIO hogs before numbing of the device
|
||||
- xfs: Timely free truncated dirty pages
|
||||
- bridge: netfilter: Fix dropping packets that moving through bridge interface
|
||||
- [x86] cpu/AMD: Clean up cpu_llc_id assignment per topology feature
|
||||
- [x86] bugs: Separate AMD E400 erratum and C1E bug
|
||||
- [x86] CPU/AMD: Fix Bulldozer topology
|
||||
- wusbcore: Fix one more crypto-on-the-stack bug
|
||||
- [armhf] usb: musb: fix runtime PM in debugfs
|
||||
- USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
|
||||
- USB: serial: ch341: fix initial modem-control state
|
||||
- USB: serial: ch341: fix resume after reset
|
||||
- USB: serial: ch341: fix open error handling
|
||||
- USB: serial: ch341: fix control-message error handling
|
||||
- USB: serial: ch341: fix open and resume after B0
|
||||
- i2c: print correct device invalid address
|
||||
- i2c: fix kernel memory disclosure in dev interface
|
||||
- fix a fencepost error in pipe_advance() (CVE-2017-5550)
|
||||
- xhci: fix deadlock at host remove by running watchdog correctly
|
||||
- btrfs: fix crash when tracepoint arguments are freed by wq callbacks
|
||||
- ASoC: hdmi-codec: use unsigned type to structure members with bit-field
|
||||
- Revert "tty: serial: 8250: add CON_CONSDEV to flags"
|
||||
- pid: fix lockdep deadlock warning due to ucount_lock
|
||||
- mnt: Protect the mountpoint hashtable with mount_lock
|
||||
- drivers: char: mem: Fix thinkos in kmem address checks
|
||||
- [armhf] dmaengine: omap-dma: Fix dynamic lch_map allocation
|
||||
- virtio_blk: avoid DMA to stack for the sense buffer
|
||||
- orinoco: Use shash instead of ahash for MIC calculations
|
||||
- sysrq: attach sysrq handler correctly for 32-bit kernel
|
||||
- [arm64, armhf] extcon: return error code on failure
|
||||
- Clearing FIFOs in RS485 emulation mode causes subsequent transmits to
|
||||
break
|
||||
- sysctl: Drop reference added by grab_header in proc_sys_readdir
|
||||
(CVE-2016-9191)
|
||||
- [s390x] net/af_iucv: don't use paged skbs for TX on HiperSockets
|
||||
- [x86] drm/i915/gen9: Fix PCODE polling timeout in stable backport
|
||||
- drm: Clean up planes in atomic commit helper failure path
|
||||
- drm/radeon: update smc firmware selection for SI
|
||||
- drm/radeon: drop verde dpm quirks
|
||||
- [x86] drm/amdgpu: update si kicker smc firmware
|
||||
- [x86] drm/amdgpu: drop verde dpm quirks
|
||||
- USB: serial: ch341: fix modem-control and B0 handling
|
||||
- net/mlx5: Only cancel recovery work when cleaning up device
|
||||
- i2c: piix4: Avoid race conditions with IMC
|
||||
- [x86] cpu: Fix bootup crashes by sanitizing the argument of the
|
||||
'clearcpuid=' command-line option
|
||||
- nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too
|
||||
- btrfs: fix locking when we put back a delayed ref that's too new
|
||||
- btrfs: fix error handling when run_delayed_extent_op fails
|
||||
- NFS: fix typo in parameter description
|
||||
- pNFS: Fix race in pnfs_wait_on_layoutreturn
|
||||
- NFS: Fix a performance regression in readdir
|
||||
- NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
|
||||
- [armhf] i2c: mux: pca954x: fix i2c mux selection caching
|
||||
- [x86] drm/i915/gen9: Fix PCODE polling during SAGV disabling
|
||||
- drm: avoid uninitialized timestamp use in wait_vblank
|
||||
- [arm64, armhf] drm/panel: simple: Check against num_timings when setting
|
||||
preferred for timing
|
||||
- [x86] drm/i915: Move the min_pixclk[] handling to the end of readout
|
||||
- drm: Initialise drm_mm.head_node.allocated
|
||||
- block: Change extern inline to static inline
|
||||
- block: cfq_cpd_alloc() should use @gfp
|
||||
- [x86] ACPI / APEI: Fix NMI notification handling
|
||||
- [x86] powercap/intel_rapl: fix and tidy up error handling
|
||||
- iw_cxgb4: Fix error return code in c4iw_rdev_open()
|
||||
- [arm64, armhf] power: supply: bq27xxx_battery: Fix register map for
|
||||
BQ27510 and BQ27520
|
||||
- blk-mq: Always schedule hctx->next_cpu
|
||||
- [powerpc] mm: Correct process and partition table max size
|
||||
- [powerpc*] ibmebus: Fix further device reference leaks
|
||||
- [powerpc*] ibmebus: Fix device reference leaks in sysfs interface
|
||||
- [powerpc*] powernv: Don't warn on PE init if unfreeze is unsupported
|
||||
- [arm64] hugetlb: fix the wrong address for several functions
|
||||
- [arm64] hugetlb: remove the wrong pmd check in find_num_contig()
|
||||
- [arm64] hugetlb: fix the wrong return value for
|
||||
huge_ptep_set_access_flags
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [armel,armhf,s390x,x86] linux-headers: Fix regression of multilib compiler
|
||||
|
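Review bot: two entries in the added 4.9.5 list break the format the rest of the changelog follows. "Clearing FIFOs in RS485 emulation mode causes subsequent transmits to break" carries no subsystem prefix, so a reader scanning the list for affected drivers cannot tell what it touches, and "NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success." ends in a full stop where no other entry does. If the subjects are being kept verbatim from upstream that is acceptable, but a prefix on the RS485 entry would make the list easier to audit.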
@ -241,11 +348,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
|
|||
* ath9k: fix NULL pointer dereference (Closes: #851621)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* sysctl: Drop reference added by grab_header in proc_sys_readdir
|
||||
(CVE-2016-9191)
|
||||
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
|
||||
* [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
|
||||
* [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
|
||||
|
||||
[ Roger Shimizu ]
|
||||
* [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
|
||||
|
|
|
@ -1,87 +0,0 @@
|
|||
From: Zhou Chengming <zhouchengming1@huawei.com>
|
||||
Date: Fri, 6 Jan 2017 09:32:32 +0800
|
||||
Subject: sysctl: Drop reference added by grab_header in proc_sys_readdir
|
||||
Origin: https://git.kernel.org/linus/93362fa47fe98b62e4a34ab408c4a418432e7939
|
||||
|
||||
Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
|
||||
added by grab_header when return from !dir_emit_dots path.
|
||||
It can cause any path called unregister_sysctl_table will
|
||||
wait forever.
|
||||
|
||||
The calltrace of CVE-2016-9191:
|
||||
|
||||
[ 5535.960522] Call Trace:
|
||||
[ 5535.963265] [<ffffffff817cdaaf>] schedule+0x3f/0xa0
|
||||
[ 5535.968817] [<ffffffff817d33fb>] schedule_timeout+0x3db/0x6f0
|
||||
[ 5535.975346] [<ffffffff817cf055>] ? wait_for_completion+0x45/0x130
|
||||
[ 5535.982256] [<ffffffff817cf0d3>] wait_for_completion+0xc3/0x130
|
||||
[ 5535.988972] [<ffffffff810d1fd0>] ? wake_up_q+0x80/0x80
|
||||
[ 5535.994804] [<ffffffff8130de64>] drop_sysctl_table+0xc4/0xe0
|
||||
[ 5536.001227] [<ffffffff8130de17>] drop_sysctl_table+0x77/0xe0
|
||||
[ 5536.007648] [<ffffffff8130decd>] unregister_sysctl_table+0x4d/0xa0
|
||||
[ 5536.014654] [<ffffffff8130deff>] unregister_sysctl_table+0x7f/0xa0
|
||||
[ 5536.021657] [<ffffffff810f57f5>] unregister_sched_domain_sysctl+0x15/0x40
|
||||
[ 5536.029344] [<ffffffff810d7704>] partition_sched_domains+0x44/0x450
|
||||
[ 5536.036447] [<ffffffff817d0761>] ? __mutex_unlock_slowpath+0x111/0x1f0
|
||||
[ 5536.043844] [<ffffffff81167684>] rebuild_sched_domains_locked+0x64/0xb0
|
||||
[ 5536.051336] [<ffffffff8116789d>] update_flag+0x11d/0x210
|
||||
[ 5536.057373] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
|
||||
[ 5536.064186] [<ffffffff81167acb>] ? cpuset_css_offline+0x1b/0x60
|
||||
[ 5536.070899] [<ffffffff810fce3d>] ? trace_hardirqs_on+0xd/0x10
|
||||
[ 5536.077420] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
|
||||
[ 5536.084234] [<ffffffff8115a9f5>] ? css_killed_work_fn+0x25/0x220
|
||||
[ 5536.091049] [<ffffffff81167ae5>] cpuset_css_offline+0x35/0x60
|
||||
[ 5536.097571] [<ffffffff8115aa2c>] css_killed_work_fn+0x5c/0x220
|
||||
[ 5536.104207] [<ffffffff810bc83f>] process_one_work+0x1df/0x710
|
||||
[ 5536.110736] [<ffffffff810bc7c0>] ? process_one_work+0x160/0x710
|
||||
[ 5536.117461] [<ffffffff810bce9b>] worker_thread+0x12b/0x4a0
|
||||
[ 5536.123697] [<ffffffff810bcd70>] ? process_one_work+0x710/0x710
|
||||
[ 5536.130426] [<ffffffff810c3f7e>] kthread+0xfe/0x120
|
||||
[ 5536.135991] [<ffffffff817d4baf>] ret_from_fork+0x1f/0x40
|
||||
[ 5536.142041] [<ffffffff810c3e80>] ? kthread_create_on_node+0x230/0x230
|
||||
|
||||
One cgroup maintainer mentioned that "cgroup is trying to offline
|
||||
a cpuset css, which takes place under cgroup_mutex. The offlining
|
||||
ends up trying to drain active usages of a sysctl table which apprently
|
||||
is not happening."
|
||||
The real reason is that proc_sys_readdir doesn't drop reference added
|
||||
by grab_header when return from !dir_emit_dots path. So this cpuset
|
||||
offline path will wait here forever.
|
||||
|
||||
See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13
|
||||
|
||||
Fixes: f0c3b5093add ("[readdir] convert procfs")
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: CAI Qian <caiqian@redhat.com>
|
||||
Tested-by: Yang Shukui <yangshukui@huawei.com>
|
||||
Signed-off-by: Zhou Chengming <zhouchengming1@huawei.com>
|
||||
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
|
||||
---
|
||||
fs/proc/proc_sysctl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
|
||||
index 55313d9..d4e37ac 100644
|
||||
--- a/fs/proc/proc_sysctl.c
|
||||
+++ b/fs/proc/proc_sysctl.c
|
||||
@@ -709,7 +709,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
|
||||
ctl_dir = container_of(head, struct ctl_dir, header);
|
||||
|
||||
if (!dir_emit_dots(file, ctx))
|
||||
- return 0;
|
||||
+ goto out;
|
||||
|
||||
pos = 2;
|
||||
|
||||
@@ -719,6 +719,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
|
||||
break;
|
||||
}
|
||||
}
|
||||
+out:
|
||||
sysctl_head_finish(head);
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
From: Steve Rutherford <srutherford@google.com>
|
||||
Date: Wed, 11 Jan 2017 18:28:29 -0800
|
||||
Subject: KVM: x86: Introduce segmented_write_std
|
||||
Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
|
||||
|
||||
Introduces segemented_write_std.
|
||||
|
||||
Switches from emulated reads/writes to standard read/writes in fxsave,
|
||||
fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding
|
||||
kernel memory leak.
|
||||
|
||||
Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
|
||||
2016-11-09), which is luckily not yet in any final release, this would
|
||||
also be an exploitable kernel memory *write*!
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 96051572c819194c37a8367624b285be10297eca
|
||||
Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Steve Rutherford <srutherford@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1]
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 22 ++++++++++++++++++----
|
||||
1 file changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -791,6 +791,20 @@ static int segmented_read_std(struct x86
|
||||
return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
|
||||
}
|
||||
|
||||
+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
|
||||
+ struct segmented_address addr,
|
||||
+ void *data,
|
||||
+ unsigned int size)
|
||||
+{
|
||||
+ int rc;
|
||||
+ ulong linear;
|
||||
+
|
||||
+ rc = linearize(ctxt, addr, size, true, &linear);
|
||||
+ if (rc != X86EMUL_CONTINUE)
|
||||
+ return rc;
|
||||
+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Prefetch the remaining bytes of the instruction without crossing page
|
||||
* boundary if they are not in fetch_cache yet.
|
||||
@@ -3658,8 +3672,8 @@ static int emulate_store_desc_ptr(struct
|
||||
}
|
||||
/* Disable writeback. */
|
||||
ctxt->dst.type = OP_NONE;
|
||||
- return segmented_write(ctxt, ctxt->dst.addr.mem,
|
||||
- &desc_ptr, 2 + ctxt->op_bytes);
|
||||
+ return segmented_write_std(ctxt, ctxt->dst.addr.mem,
|
||||
+ &desc_ptr, 2 + ctxt->op_bytes);
|
||||
}
|
||||
|
||||
static int em_sgdt(struct x86_emulate_ctxt *ctxt)
|
|
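Review bot: the backport being deleted here only converted emulate_store_desc_ptr() (the sgdt/sidt path) to segmented_write_std(), as its "[carnil: backport for 4.9, changes only before 283c95d0e389 in 4.10-rc1]" line says, while the changelog hunk in this same commit now brings in "[x86] KVM: emulate FXSAVE and FXRSTOR" with 4.9.5. The patch description warns that once FXSAVE/FXRSTOR emulation is present the bug becomes a kernel memory write, so before dropping this file confirm that the 4.9.5 version of "KVM: Introduce segmented_write_std" also switches the fxsave and fxrstor paths to the _std accessors, not just the descriptor-table store.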
@ -1,107 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Thu, 12 Jan 2017 15:02:32 +0100
|
||||
Subject: KVM: x86: fix emulation of "MOV SS, null selector"
|
||||
Origin: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3
|
||||
|
||||
This is CVE-2017-2583. On Intel this causes a failed vmentry because
|
||||
SS's type is neither 3 nor 7 (even though the manual says this check is
|
||||
only done for usable SS, and the dmesg splat says that SS is unusable!).
|
||||
On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
|
||||
|
||||
The fix fabricates a data segment descriptor when SS is set to a null
|
||||
selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
|
||||
Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
|
||||
this in turn ensures CPL < 3 because RPL must be equal to CPL.
|
||||
|
||||
Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
|
||||
the bug and deciphering the manuals.
|
||||
|
||||
Reported-by: Xiaohan Zhang <zhangxiaohan1@huawei.com>
|
||||
Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
|
||||
Cc: stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 48 ++++++++++++++++++++++++++++++++++++++----------
|
||||
1 file changed, 38 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
|
||||
index f36d0fa..cedbba0 100644
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -1585,7 +1585,6 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
|
||||
&ctxt->exception);
|
||||
}
|
||||
|
||||
-/* Does not support long mode */
|
||||
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
|
||||
u16 selector, int seg, u8 cpl,
|
||||
enum x86_transfer_type transfer,
|
||||
@@ -1622,20 +1621,34 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
|
||||
|
||||
rpl = selector & 3;
|
||||
|
||||
- /* NULL selector is not valid for TR, CS and SS (except for long mode) */
|
||||
- if ((seg == VCPU_SREG_CS
|
||||
- || (seg == VCPU_SREG_SS
|
||||
- && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
|
||||
- || seg == VCPU_SREG_TR)
|
||||
- && null_selector)
|
||||
- goto exception;
|
||||
-
|
||||
/* TR should be in GDT only */
|
||||
if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
|
||||
goto exception;
|
||||
|
||||
- if (null_selector) /* for NULL selector skip all following checks */
|
||||
+ /* NULL selector is not valid for TR, CS and (except for long mode) SS */
|
||||
+ if (null_selector) {
|
||||
+ if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
|
||||
+ goto exception;
|
||||
+
|
||||
+ if (seg == VCPU_SREG_SS) {
|
||||
+ if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
|
||||
+ goto exception;
|
||||
+
|
||||
+ /*
|
||||
+ * ctxt->ops->set_segment expects the CPL to be in
|
||||
+ * SS.DPL, so fake an expand-up 32-bit data segment.
|
||||
+ */
|
||||
+ seg_desc.type = 3;
|
||||
+ seg_desc.p = 1;
|
||||
+ seg_desc.s = 1;
|
||||
+ seg_desc.dpl = cpl;
|
||||
+ seg_desc.d = 1;
|
||||
+ seg_desc.g = 1;
|
||||
+ }
|
||||
+
|
||||
+ /* Skip all following checks */
|
||||
goto load;
|
||||
+ }
|
||||
|
||||
ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
|
||||
if (ret != X86EMUL_CONTINUE)
|
||||
@@ -1751,6 +1764,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
|
||||
u16 selector, int seg)
|
||||
{
|
||||
u8 cpl = ctxt->ops->cpl(ctxt);
|
||||
+
|
||||
+ /*
|
||||
+ * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
|
||||
+ * they can load it at CPL<3 (Intel's manual says only LSS can,
|
||||
+ * but it's wrong).
|
||||
+ *
|
||||
+ * However, the Intel manual says that putting IST=1/DPL=3 in
|
||||
+ * an interrupt gate will result in SS=3 (the AMD manual instead
|
||||
+ * says it doesn't), so allow SS=3 in __load_segment_descriptor
|
||||
+ * and only forbid it here.
|
||||
+ */
|
||||
+ if (seg == VCPU_SREG_SS && selector == 3 &&
|
||||
+ ctxt->mode == X86EMUL_MODE_PROT64)
|
||||
+ return emulate_exception(ctxt, GP_VECTOR, 0, true);
|
||||
+
|
||||
return __load_segment_descriptor(ctxt, selector, seg, cpl,
|
||||
X86_TRANSFER_NONE, NULL);
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
Date: Wed, 14 Dec 2016 14:44:18 +0100
|
||||
Subject: [PATCH] btrfs: drop trace_btrfs_all_work_done() from
|
||||
normal_work_helper()
|
||||
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.9/older/patches-4.9-rt1.tar.xz
|
||||
|
||||
For btrfs_scrubparity_helper() the ->func() is set to
|
||||
scrub_parity_bio_endio_worker(). This functions invokes invokes
|
||||
scrub_free_parity() which kfrees() the worked object. All is good as
|
||||
long as trace events are not enabled because we boom with a backtrace
|
||||
like this:
|
||||
| Workqueue: btrfs-endio btrfs_endio_helper
|
||||
| RIP: 0010:[<ffffffff812f81ae>] [<ffffffff812f81ae>] trace_event_raw_event_btrfs__work__done+0x4e/0xa0
|
||||
| Call Trace:
|
||||
| [<ffffffff8136497d>] btrfs_scrubparity_helper+0x59d/0x780
|
||||
| [<ffffffff81364c49>] btrfs_endio_helper+0x9/0x10
|
||||
| [<ffffffff8108af8e>] process_one_work+0x26e/0x7b0
|
||||
| [<ffffffff8108b516>] worker_thread+0x46/0x560
|
||||
| [<ffffffff81091c4e>] kthread+0xee/0x110
|
||||
| [<ffffffff818e166a>] ret_from_fork+0x2a/0x40
|
||||
|
||||
So in order to avoid this, I remove the trace point.
|
||||
|
||||
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
||||
---
|
||||
fs/btrfs/async-thread.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
--- a/fs/btrfs/async-thread.c
|
||||
+++ b/fs/btrfs/async-thread.c
|
||||
@@ -318,8 +318,6 @@ static void normal_work_helper(struct bt
|
||||
set_bit(WORK_DONE_BIT, &work->flags);
|
||||
run_ordered_work(wq);
|
||||
}
|
||||
- if (!need_order)
|
||||
- trace_btrfs_all_work_done(work);
|
||||
}
|
||||
|
||||
void btrfs_init_work(struct btrfs_work *work, btrfs_work_func_t uniq_func,
|
|
@ -22,12 +22,12 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|||
|
||||
--- a/fs/btrfs/async-thread.c
|
||||
+++ b/fs/btrfs/async-thread.c
|
||||
@@ -288,8 +288,8 @@ static void run_ordered_work(struct __bt
|
||||
* we don't want to call the ordered free functions
|
||||
* with the lock held though
|
||||
@@ -306,8 +306,8 @@ static void run_ordered_work(struct __bt
|
||||
* because the callback could free the structure.
|
||||
*/
|
||||
wtag = work;
|
||||
- work->ordered_free(work);
|
||||
trace_btrfs_all_work_done(work);
|
||||
trace_btrfs_all_work_done(wq->fs_info, wtag);
|
||||
+ work->ordered_free(work);
|
||||
}
|
||||
spin_unlock_irqrestore(lock, flags);
|
||||
|
|
|
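Review bot: the refreshed context in run_ordered_work() shows the tracepoint taking a saved tag, trace_btrfs_all_work_done(wq->fs_info, wtag), under the comment "because the callback could free the structure", which suggests the 4.9.5 change "btrfs: fix crash when tracepoint arguments are freed by wq callbacks" already avoids touching work after ordered_free(). If that is the case, moving work->ordered_free(work) below the tracepoint no longer buys any safety, and this patch could be dropped from the rt series together with btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch instead of being refreshed. If it is kept, a line in the patch header saying why it is still needed on top of the upstream fix would help.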
@ -25,13 +25,13 @@ Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
|
|||
if (!valid_phys_addr_range(p, count))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *f
|
||||
@@ -514,6 +517,9 @@ static ssize_t write_kmem(struct file *f
|
||||
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
|
||||
int err = 0;
|
||||
|
||||
+ if (get_securelevel() > 0)
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!pfn_valid(PFN_DOWN(p)))
|
||||
return -EIO;
|
||||
|
||||
if (p < (unsigned long) high_memory) {
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
|
|
|
@ -96,10 +96,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch
|
||||
bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
|
||||
bugfix/x86/KVM-x86-Introduce-segmented_write_std.patch
|
||||
bugfix/x86/KVM-x86-fix-emulation-of-MOV-SS-null-selector.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
|
@ -37,7 +37,6 @@ features/all/rt/x86-apic-get-rid-of-warning-acpi_ioapic_lock-defined.patch
|
|||
features/all/rt/rxrpc-remove-unused-static-variables.patch
|
||||
features/all/rt/rcu-update-make-RCU_EXPEDITE_BOOT-default.patch
|
||||
features/all/rt/locking-percpu-rwsem-use-swait-for-the-wating-writer.patch
|
||||
features/all/rt/btrfs-drop-trace_btrfs_all_work_done-from-normal_wor.patch
|
||||
features/all/rt/btrfs-swap-free-and-trace-point-in-run_ordered_work.patch
|
||||
|
||||
# Wants a different fix for upstream
|
||||
|
|