Update to 3.14.15

- Drop two patches included upstream
- [rt] Refresh two patches with trivial conflicts

svn path=/dists/sid/linux/; revision=21685

debian/changelog

@@ -1,4 +1,68 @@
-linux (3.14.13-3) UNRELEASED; urgency=medium
+linux (3.14.15-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.14
+    - Bluetooth: Ignore H5 non-link packets in non-active state
+    - fuse: timeout comparison fix
+    - tracing: instance_rmdir() leaks ftrace_event_file->filter
+      (regression in 3.11)
+    - xen/balloon: set ballooned out pages as invalid in p2m
+      (regression in 3.12)
+    - quota: missing lock in dqcache_shrink_scan() (regression in 3.12)
+    - shmem: fix faulting into a hole, not taking i_mutex (CVE-2014-4171)
+    - shmem: fix splicing from a hole while it's punched (CVE-2014-4171)
+    - e1000e: Fix SHRA register access for 82579 (regression in 3.12)
+    - ip_tunnel: fix ip_tunnel_lookup
+    - net: sctp: check proc_dointvec result in proc_sctp_do_auth
+    - 8021q: fix a potential memory leak
+    - net: fix UDP tunnel GSO of frag_list GRO packets
+    - ipv4: fix dst race in sk_dst_get()
+    - ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
+    - bnx2x: fix possible panic under memory stress
+    - tcp: Fix divide by zero when pushing during tcp-repair
+    - ipv4: icmp: Fix pMTU handling for rare case
+    - net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush
+      (regression in 3.11)
+    - igmp: fix the problem when mc leave group
+    - appletalk: Fix socket referencing in skb
+    - netlink: Fix handling of error from netlink_dump().
+    - tipc: clear 'next'-pointer of message fragments before reassembly
+      (regression in 3.13)
+    - net: sctp: fix information leaks in ulpevent layer
+    - bonding: fix ad_select module param check (regression in 3.14)
+    - net-gre-gro: Fix a bug that breaks the forwarding path
+      (regression in 3.14)
+    - perf/x86/intel: ignore CondChgd bit to avoid false NMI handling
+    - mwifiex: fix Tx timeout issue
+    - [x86] tsc: Fix cpufreq lockup (regression in 3.14)
+    - dm thin metadata: do not allow the data block size to change
+    - dm cache metadata: do not allow the data block size to change
+    - locking/mutex: Disable optimistic spinning on some architectures
+    - sched: Fix possible divide by zero in avg_atom() calculation
+    - aio: protect reqs_available updates from changes in interrupt handlers
+      (regression in 3.14.10)
+    - Don't trigger congestion wait on dirty-but-not-writeout pages
+      (regression in 3.11)
+    https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.15
+    - nfs: only show Posix ACLs in listxattr if actually present
+      (regression in 3.14)
+    - block: don't assume last put of shared tags is for the host
+    - libata: support the ata host which implements a queue depth less than 32
+      (regression in 3.14.4)
+    - libata: introduce ata_host->n_tags to avoid oops on SAS controllers
+    - blkcg: don't call into policy draining if root_blkg is already gone
+    - coredump: fix the setting of PF_DUMPCORE
+    - [hppa] Remove SA_RESTORER define
+    - hwmon: (smsc47m192) Fix temperature limit and vrm write operations
+    - fs: umount on symlink leaks mnt count (CVE-2014-5045)
+    - [x86] x86_32, entry: Store badsys error code in %eax
+      (regression in 3.14.10)
+    - drm/radeon: fix irq ring buffer overflow handling (regression in 3.14)
+    - mm: hugetlb: fix copy_hugetlb_page_range() (regression in 3.14.12)
+    - [x86] efi: Include a .bss section within the PE/COFF headers
+    - nl80211: move set_qos_map command into split state (regression in 3.14)
+    - platform_get_irq: Revert to platform_get_resource if of_irq_get fails
+      (regression in 3.14.6)
 
   [ Aurelien Jarno ]
   * Update German debconf template translations (Holger Wansing) (Closes:

debian/patches/bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch

@@ -1,129 +0,0 @@
-From: Hugh Dickins <hughd@google.com>
-Date: Mon, 23 Jun 2014 13:22:06 -0700
-Subject: shmem: fix faulting into a hole while it's punched
-Origin: https://git.kernel.org/linus/f00cdc6df7d7cfcabb5b740911e6788cb0802bdb
-
-Trinity finds that mmap access to a hole while it's punched from shmem
-can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
-from completing, until the reader chooses to stop; with the puncher's
-hold on i_mutex locking out all other writers until it can complete.
-
-It appears that the tmpfs fault path is too light in comparison with its
-hole-punching path, lacking an i_data_sem to obstruct it; but we don't
-want to slow down the common case.
-
-Extend shmem_fallocate()'s existing range notification mechanism, so
-shmem_fault() can refrain from faulting pages into the hole while it's
-punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
-faulting when not).
-
-[akpm@linux-foundation.org: coding-style fixes]
-Signed-off-by: Hugh Dickins <hughd@google.com>
-Reported-by: Sasha Levin <sasha.levin@oracle.com>
-Tested-by: Sasha Levin <sasha.levin@oracle.com>
-Cc: Dave Jones <davej@redhat.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 52 insertions(+), 4 deletions(-)
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt;
- #define SHORT_SYMLINK_LEN 128
- 
- /*
-- * shmem_fallocate and shmem_writepage communicate via inode->i_private
-- * (with i_mutex making sure that it has only one user at a time):
-- * we would prefer not to enlarge the shmem inode just for that.
-+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via
-+ * inode->i_private (with i_mutex making sure that it has only one user at
-+ * a time): we would prefer not to enlarge the shmem inode just for that.
-  */
- struct shmem_falloc {
-+	int	mode;		/* FALLOC_FL mode currently operating */
- 	pgoff_t start;		/* start of range currently being fallocated */
- 	pgoff_t next;		/* the next page offset to be fallocated */
- 	pgoff_t nr_falloced;	/* how many new pages have been fallocated */
-@@ -824,6 +825,7 @@ static int shmem_writepage(struct page *
- 			spin_lock(&inode->i_lock);
- 			shmem_falloc = inode->i_private;
- 			if (shmem_falloc &&
-+			    !shmem_falloc->mode &&
- 			    index >= shmem_falloc->start &&
- 			    index < shmem_falloc->next)
- 				shmem_falloc->nr_unswapped++;
-@@ -1298,6 +1300,44 @@ static int shmem_fault(struct vm_area_st
- 	int error;
- 	int ret = VM_FAULT_LOCKED;
- 
-+	/*
-+	 * Trinity finds that probing a hole which tmpfs is punching can
-+	 * prevent the hole-punch from ever completing: which in turn
-+	 * locks writers out with its hold on i_mutex.  So refrain from
-+	 * faulting pages into the hole while it's being punched, and
-+	 * wait on i_mutex to be released if vmf->flags permits.
-+	 */
-+	if (unlikely(inode->i_private)) {
-+		struct shmem_falloc *shmem_falloc;
-+
-+		spin_lock(&inode->i_lock);
-+		shmem_falloc = inode->i_private;
-+		if (!shmem_falloc ||
-+		    shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
-+		    vmf->pgoff < shmem_falloc->start ||
-+		    vmf->pgoff >= shmem_falloc->next)
-+			shmem_falloc = NULL;
-+		spin_unlock(&inode->i_lock);
-+		/*
-+		 * i_lock has protected us from taking shmem_falloc seriously
-+		 * once return from shmem_fallocate() went back up that stack.
-+		 * i_lock does not serialize with i_mutex at all, but it does
-+		 * not matter if sometimes we wait unnecessarily, or sometimes
-+		 * miss out on waiting: we just need to make those cases rare.
-+		 */
-+		if (shmem_falloc) {
-+			if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
-+			   !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
-+				up_read(&vma->vm_mm->mmap_sem);
-+				mutex_lock(&inode->i_mutex);
-+				mutex_unlock(&inode->i_mutex);
-+				return VM_FAULT_RETRY;
-+			}
-+			/* cond_resched? Leave that to GUP or return to user */
-+			return VM_FAULT_NOPAGE;
-+		}
-+	}
-+
- 	error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
- 	if (error)
- 		return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
-@@ -1813,18 +1853,26 @@ static long shmem_fallocate(struct file
- 
- 	mutex_lock(&inode->i_mutex);
- 
-+	shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
-+
- 	if (mode & FALLOC_FL_PUNCH_HOLE) {
- 		struct address_space *mapping = file->f_mapping;
- 		loff_t unmap_start = round_up(offset, PAGE_SIZE);
- 		loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
- 
-+		shmem_falloc.start = unmap_start >> PAGE_SHIFT;
-+		shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
-+		spin_lock(&inode->i_lock);
-+		inode->i_private = &shmem_falloc;
-+		spin_unlock(&inode->i_lock);
-+
- 		if ((u64)unmap_end > (u64)unmap_start)
- 			unmap_mapping_range(mapping, unmap_start,
- 					    1 + unmap_end - unmap_start, 0);
- 		shmem_truncate_range(inode, offset, offset + len - 1);
- 		/* No need to unmap again: hole-punching leaves COWed pages */
- 		error = 0;
--		goto out;
-+		goto undone;
- 	}
- 
- 	/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */

debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch

@@ -1,56 +0,0 @@
-From: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Date: Mon, 23 Jun 2014 15:29:40 +0200
-Subject: s390/ptrace: fix PSW mask check
-Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318
-
-The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
-The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
-interface accepts all combinations for the address-space-control
-bits. To protect the kernel space the PSW mask check in ptrace needs
-to reject the address-space-control bit combination for home space.
-
-Fixes CVE-2014-3534
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
----
- arch/s390/kernel/ptrace.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
-index 2d716734..5dc7ad9 100644
---- a/arch/s390/kernel/ptrace.c
-+++ b/arch/s390/kernel/ptrace.c
-@@ -334,9 +334,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
- 			unsigned long mask = PSW_MASK_USER;
- 
- 			mask |= is_ri_task(child) ? PSW_MASK_RI : 0;
--			if ((data & ~mask) != PSW_USER_BITS)
-+			if ((data ^ PSW_USER_BITS) & ~mask)
-+				/* Invalid psw mask. */
-+				return -EINVAL;
-+			if ((data & PSW_MASK_ASC) == PSW_ASC_HOME)
-+				/* Invalid address-space-control bits */
- 				return -EINVAL;
- 			if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
-+				/* Invalid addressing mode bits */
- 				return -EINVAL;
- 		}
- 		*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
-@@ -672,9 +677,12 @@ static int __poke_user_compat(struct task_struct *child,
- 
- 			mask |= is_ri_task(child) ? PSW32_MASK_RI : 0;
- 			/* Build a 64 bit psw mask from 31 bit mask. */
--			if ((tmp & ~mask) != PSW32_USER_BITS)
-+			if ((tmp ^ PSW32_USER_BITS) & ~mask)
- 				/* Invalid psw mask. */
- 				return -EINVAL;
-+			if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME)
-+				/* Invalid address-space-control bits */
-+				return -EINVAL;
- 			regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
- 				(regs->psw.mask & PSW_MASK_BA) |
- 				(__u64)(tmp & mask) << 32;
--- 
-2.0.0
-

debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch

@@ -4,6 +4,8 @@ Date: Sun, 17 Jul 2011 21:56:42 +0200
 Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.12-rt9.tar.xz
 
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+[bwh: Adjust context after "tracing: Add ftrace_trace_stack into
+ __trace_puts/__trace_bputs" in 3.14.14]
 ---
  include/linux/ftrace_event.h |    2 ++
  kernel/trace/trace.c         |   11 +++++++----
@@ -24,16 +26,16 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
  #define FTRACE_MAX_EVENT						\
 --- a/kernel/trace/trace.c
 +++ b/kernel/trace/trace.c
-@@ -462,7 +462,7 @@ int __trace_puts(unsigned long ip, const
+@@ -468,7 +468,7 @@ int __trace_puts(unsigned long ip, const
  
  	local_save_flags(irq_flags);
  	buffer = global_trace.trace_buffer.buffer;
 -	event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc, 
 +	event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc,
- 					  irq_flags, preempt_count());
+ 					  irq_flags, pc);
  	if (!event)
  		return 0;
-@@ -1552,6 +1552,8 @@ tracing_generic_entry_update(struct trac
+@@ -1565,6 +1565,8 @@ tracing_generic_entry_update(struct trac
  		((pc & SOFTIRQ_MASK) ? TRACE_FLAG_SOFTIRQ : 0) |
  		(tif_need_resched() ? TRACE_FLAG_NEED_RESCHED : 0) |
  		(test_preempt_need_resched() ? TRACE_FLAG_PREEMPT_RESCHED : 0);
@@ -42,7 +44,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
  }
  EXPORT_SYMBOL_GPL(tracing_generic_entry_update);
  
-@@ -2462,9 +2464,10 @@ static void print_lat_help_header(struct
+@@ -2475,9 +2477,10 @@ static void print_lat_help_header(struct
  	seq_puts(m, "#                | / _----=> need-resched    \n");
  	seq_puts(m, "#                || / _---=> hardirq/softirq \n");
  	seq_puts(m, "#                ||| / _--=> preempt-depth   \n");

debian/patches/features/all/rt/mutex-no-spin-on-rt.patch

@@ -4,15 +4,17 @@ Date: Sun, 17 Jul 2011 21:51:45 +0200
 Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.12-rt9.tar.xz
 
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+[bwh: Include extra dependency from "locking/mutex: Disable optimistic
+ spinning on some architectures" in 3.14.14]
 ---
  kernel/Kconfig.locks |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 --- a/kernel/Kconfig.locks
 +++ b/kernel/Kconfig.locks
-@@ -222,4 +222,4 @@ endif
+@@ -225,4 +225,4 @@ config ARCH_SUPPORTS_ATOMIC_RMW
  
  config MUTEX_SPIN_ON_OWNER
  	def_bool y
--	depends on SMP && !DEBUG_MUTEXES
-+	depends on SMP && !DEBUG_MUTEXES && !PREEMPT_RT_FULL
+-	depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW
++	depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW && !PREEMPT_RT_FULL

debian/patches/series

@@ -69,7 +69,6 @@ bugfix/mips/MIPS-OCTEON-make-get_system_type-thread-safe.patch
 bugfix/mips/MIPS-O32-32-bit-Fix-bug-which-can-cause-incorrect-sy.patch
 bugfix/mips/MIPS-tlbex-fix-a-missing-statement-for-HUGETLB.patch
 bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
-bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
 
 # Miscellaneous bug fixes
 bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
@@ -91,7 +90,6 @@ features/arm/ARM-dt-sun4i-Add-A10-SPI-controller-nodes.patch
 features/arm/PHY-sunxi-Add-driver-for-sunxi-usb-phy.patch
 features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
 features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
-bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch
 bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
 features/mips/0001-MIPS-Loongson-Rename-PRID_IMP_LOONGSON1-and-PRID_IMP.patch
 features/mips/0002-MIPS-Loongson-Add-basic-Loongson-3-definition.patch