Update to 3.14.15
- Drop two patches included upstream - [rt] Refresh two patches with trivial conflicts svn path=/dists/sid/linux/; revision=21685
This commit is contained in:
parent
1ca72186fb
commit
65d016b8bf
|
@ -1,4 +1,68 @@
|
|||
linux (3.14.13-3) UNRELEASED; urgency=medium
|
||||
linux (3.14.15-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.14
|
||||
- Bluetooth: Ignore H5 non-link packets in non-active state
|
||||
- fuse: timeout comparison fix
|
||||
- tracing: instance_rmdir() leaks ftrace_event_file->filter
|
||||
(regression in 3.11)
|
||||
- xen/balloon: set ballooned out pages as invalid in p2m
|
||||
(regression in 3.12)
|
||||
- quota: missing lock in dqcache_shrink_scan() (regression in 3.12)
|
||||
- shmem: fix faulting into a hole, not taking i_mutex (CVE-2014-4171)
|
||||
- shmem: fix splicing from a hole while it's punched (CVE-2014-4171)
|
||||
- e1000e: Fix SHRA register access for 82579 (regression in 3.12)
|
||||
- ip_tunnel: fix ip_tunnel_lookup
|
||||
- net: sctp: check proc_dointvec result in proc_sctp_do_auth
|
||||
- 8021q: fix a potential memory leak
|
||||
- net: fix UDP tunnel GSO of frag_list GRO packets
|
||||
- ipv4: fix dst race in sk_dst_get()
|
||||
- ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
|
||||
- bnx2x: fix possible panic under memory stress
|
||||
- tcp: Fix divide by zero when pushing during tcp-repair
|
||||
- ipv4: icmp: Fix pMTU handling for rare case
|
||||
- net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush
|
||||
(regression in 3.11)
|
||||
- igmp: fix the problem when mc leave group
|
||||
- appletalk: Fix socket referencing in skb
|
||||
- netlink: Fix handling of error from netlink_dump().
|
||||
- tipc: clear 'next'-pointer of message fragments before reassembly
|
||||
(regression in 3.13)
|
||||
- net: sctp: fix information leaks in ulpevent layer
|
||||
- bonding: fix ad_select module param check (regression in 3.14)
|
||||
- net-gre-gro: Fix a bug that breaks the forwarding path
|
||||
(regression in 3.14)
|
||||
- perf/x86/intel: ignore CondChgd bit to avoid false NMI handling
|
||||
- mwifiex: fix Tx timeout issue
|
||||
- [x86] tsc: Fix cpufreq lockup (regression in 3.14)
|
||||
- dm thin metadata: do not allow the data block size to change
|
||||
- dm cache metadata: do not allow the data block size to change
|
||||
- locking/mutex: Disable optimistic spinning on some architectures
|
||||
- sched: Fix possible divide by zero in avg_atom() calculation
|
||||
- aio: protect reqs_available updates from changes in interrupt handlers
|
||||
(regression in 3.14.10)
|
||||
- Don't trigger congestion wait on dirty-but-not-writeout pages
|
||||
(regression in 3.11)
|
||||
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.15
|
||||
- nfs: only show Posix ACLs in listxattr if actually present
|
||||
(regression in 3.14)
|
||||
- block: don't assume last put of shared tags is for the host
|
||||
- libata: support the ata host which implements a queue depth less than 32
|
||||
(regression in 3.14.4)
|
||||
- libata: introduce ata_host->n_tags to avoid oops on SAS controllers
|
||||
- blkcg: don't call into policy draining if root_blkg is already gone
|
||||
- coredump: fix the setting of PF_DUMPCORE
|
||||
- [hppa] Remove SA_RESTORER define
|
||||
- hwmon: (smsc47m192) Fix temperature limit and vrm write operations
|
||||
- fs: umount on symlink leaks mnt count (CVE-2014-5045)
|
||||
- [x86] x86_32, entry: Store badsys error code in %eax
|
||||
(regression in 3.14.10)
|
||||
- drm/radeon: fix irq ring buffer overflow handling (regression in 3.14)
|
||||
- mm: hugetlb: fix copy_hugetlb_page_range() (regression in 3.14.12)
|
||||
- [x86] efi: Include a .bss section within the PE/COFF headers
|
||||
- nl80211: move set_qos_map command into split state (regression in 3.14)
|
||||
- platform_get_irq: Revert to platform_get_resource if of_irq_get fails
|
||||
(regression in 3.14.6)
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* Update German debconf template translations (Holger Wansing) (Closes:
|
||||
|
|
|
@ -1,129 +0,0 @@
|
|||
From: Hugh Dickins <hughd@google.com>
|
||||
Date: Mon, 23 Jun 2014 13:22:06 -0700
|
||||
Subject: shmem: fix faulting into a hole while it's punched
|
||||
Origin: https://git.kernel.org/linus/f00cdc6df7d7cfcabb5b740911e6788cb0802bdb
|
||||
|
||||
Trinity finds that mmap access to a hole while it's punched from shmem
|
||||
can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
|
||||
from completing, until the reader chooses to stop; with the puncher's
|
||||
hold on i_mutex locking out all other writers until it can complete.
|
||||
|
||||
It appears that the tmpfs fault path is too light in comparison with its
|
||||
hole-punching path, lacking an i_data_sem to obstruct it; but we don't
|
||||
want to slow down the common case.
|
||||
|
||||
Extend shmem_fallocate()'s existing range notification mechanism, so
|
||||
shmem_fault() can refrain from faulting pages into the hole while it's
|
||||
punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
|
||||
faulting when not).
|
||||
|
||||
[akpm@linux-foundation.org: coding-style fixes]
|
||||
Signed-off-by: Hugh Dickins <hughd@google.com>
|
||||
Reported-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Tested-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Dave Jones <davej@redhat.com>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 52 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/mm/shmem.c
|
||||
+++ b/mm/shmem.c
|
||||
@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt;
|
||||
#define SHORT_SYMLINK_LEN 128
|
||||
|
||||
/*
|
||||
- * shmem_fallocate and shmem_writepage communicate via inode->i_private
|
||||
- * (with i_mutex making sure that it has only one user at a time):
|
||||
- * we would prefer not to enlarge the shmem inode just for that.
|
||||
+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via
|
||||
+ * inode->i_private (with i_mutex making sure that it has only one user at
|
||||
+ * a time): we would prefer not to enlarge the shmem inode just for that.
|
||||
*/
|
||||
struct shmem_falloc {
|
||||
+ int mode; /* FALLOC_FL mode currently operating */
|
||||
pgoff_t start; /* start of range currently being fallocated */
|
||||
pgoff_t next; /* the next page offset to be fallocated */
|
||||
pgoff_t nr_falloced; /* how many new pages have been fallocated */
|
||||
@@ -824,6 +825,7 @@ static int shmem_writepage(struct page *
|
||||
spin_lock(&inode->i_lock);
|
||||
shmem_falloc = inode->i_private;
|
||||
if (shmem_falloc &&
|
||||
+ !shmem_falloc->mode &&
|
||||
index >= shmem_falloc->start &&
|
||||
index < shmem_falloc->next)
|
||||
shmem_falloc->nr_unswapped++;
|
||||
@@ -1298,6 +1300,44 @@ static int shmem_fault(struct vm_area_st
|
||||
int error;
|
||||
int ret = VM_FAULT_LOCKED;
|
||||
|
||||
+ /*
|
||||
+ * Trinity finds that probing a hole which tmpfs is punching can
|
||||
+ * prevent the hole-punch from ever completing: which in turn
|
||||
+ * locks writers out with its hold on i_mutex. So refrain from
|
||||
+ * faulting pages into the hole while it's being punched, and
|
||||
+ * wait on i_mutex to be released if vmf->flags permits.
|
||||
+ */
|
||||
+ if (unlikely(inode->i_private)) {
|
||||
+ struct shmem_falloc *shmem_falloc;
|
||||
+
|
||||
+ spin_lock(&inode->i_lock);
|
||||
+ shmem_falloc = inode->i_private;
|
||||
+ if (!shmem_falloc ||
|
||||
+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
|
||||
+ vmf->pgoff < shmem_falloc->start ||
|
||||
+ vmf->pgoff >= shmem_falloc->next)
|
||||
+ shmem_falloc = NULL;
|
||||
+ spin_unlock(&inode->i_lock);
|
||||
+ /*
|
||||
+ * i_lock has protected us from taking shmem_falloc seriously
|
||||
+ * once return from shmem_fallocate() went back up that stack.
|
||||
+ * i_lock does not serialize with i_mutex at all, but it does
|
||||
+ * not matter if sometimes we wait unnecessarily, or sometimes
|
||||
+ * miss out on waiting: we just need to make those cases rare.
|
||||
+ */
|
||||
+ if (shmem_falloc) {
|
||||
+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
|
||||
+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
|
||||
+ up_read(&vma->vm_mm->mmap_sem);
|
||||
+ mutex_lock(&inode->i_mutex);
|
||||
+ mutex_unlock(&inode->i_mutex);
|
||||
+ return VM_FAULT_RETRY;
|
||||
+ }
|
||||
+ /* cond_resched? Leave that to GUP or return to user */
|
||||
+ return VM_FAULT_NOPAGE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
|
||||
if (error)
|
||||
return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
|
||||
@@ -1813,18 +1853,26 @@ static long shmem_fallocate(struct file
|
||||
|
||||
mutex_lock(&inode->i_mutex);
|
||||
|
||||
+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
|
||||
+
|
||||
if (mode & FALLOC_FL_PUNCH_HOLE) {
|
||||
struct address_space *mapping = file->f_mapping;
|
||||
loff_t unmap_start = round_up(offset, PAGE_SIZE);
|
||||
loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
|
||||
|
||||
+ shmem_falloc.start = unmap_start >> PAGE_SHIFT;
|
||||
+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
|
||||
+ spin_lock(&inode->i_lock);
|
||||
+ inode->i_private = &shmem_falloc;
|
||||
+ spin_unlock(&inode->i_lock);
|
||||
+
|
||||
if ((u64)unmap_end > (u64)unmap_start)
|
||||
unmap_mapping_range(mapping, unmap_start,
|
||||
1 + unmap_end - unmap_start, 0);
|
||||
shmem_truncate_range(inode, offset, offset + len - 1);
|
||||
/* No need to unmap again: hole-punching leaves COWed pages */
|
||||
error = 0;
|
||||
- goto out;
|
||||
+ goto undone;
|
||||
}
|
||||
|
||||
/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
|
|
@ -1,56 +0,0 @@
|
|||
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
Date: Mon, 23 Jun 2014 15:29:40 +0200
|
||||
Subject: s390/ptrace: fix PSW mask check
|
||||
Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318
|
||||
|
||||
The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
|
||||
The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
|
||||
interface accepts all combinations for the address-space-control
|
||||
bits. To protect the kernel space the PSW mask check in ptrace needs
|
||||
to reject the address-space-control bit combination for home space.
|
||||
|
||||
Fixes CVE-2014-3534
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
---
|
||||
arch/s390/kernel/ptrace.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
|
||||
index 2d716734..5dc7ad9 100644
|
||||
--- a/arch/s390/kernel/ptrace.c
|
||||
+++ b/arch/s390/kernel/ptrace.c
|
||||
@@ -334,9 +334,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
|
||||
unsigned long mask = PSW_MASK_USER;
|
||||
|
||||
mask |= is_ri_task(child) ? PSW_MASK_RI : 0;
|
||||
- if ((data & ~mask) != PSW_USER_BITS)
|
||||
+ if ((data ^ PSW_USER_BITS) & ~mask)
|
||||
+ /* Invalid psw mask. */
|
||||
+ return -EINVAL;
|
||||
+ if ((data & PSW_MASK_ASC) == PSW_ASC_HOME)
|
||||
+ /* Invalid address-space-control bits */
|
||||
return -EINVAL;
|
||||
if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
|
||||
+ /* Invalid addressing mode bits */
|
||||
return -EINVAL;
|
||||
}
|
||||
*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
|
||||
@@ -672,9 +677,12 @@ static int __poke_user_compat(struct task_struct *child,
|
||||
|
||||
mask |= is_ri_task(child) ? PSW32_MASK_RI : 0;
|
||||
/* Build a 64 bit psw mask from 31 bit mask. */
|
||||
- if ((tmp & ~mask) != PSW32_USER_BITS)
|
||||
+ if ((tmp ^ PSW32_USER_BITS) & ~mask)
|
||||
/* Invalid psw mask. */
|
||||
return -EINVAL;
|
||||
+ if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME)
|
||||
+ /* Invalid address-space-control bits */
|
||||
+ return -EINVAL;
|
||||
regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
|
||||
(regs->psw.mask & PSW_MASK_BA) |
|
||||
(__u64)(tmp & mask) << 32;
|
||||
--
|
||||
2.0.0
|
||||
|
|
@ -4,6 +4,8 @@ Date: Sun, 17 Jul 2011 21:56:42 +0200
|
|||
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.12-rt9.tar.xz
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
[bwh: Adjust context after "tracing: Add ftrace_trace_stack into
|
||||
__trace_puts/__trace_bputs" in 3.14.14]
|
||||
---
|
||||
include/linux/ftrace_event.h | 2 ++
|
||||
kernel/trace/trace.c | 11 +++++++----
|
||||
|
@ -24,16 +26,16 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
#define FTRACE_MAX_EVENT \
|
||||
--- a/kernel/trace/trace.c
|
||||
+++ b/kernel/trace/trace.c
|
||||
@@ -462,7 +462,7 @@ int __trace_puts(unsigned long ip, const
|
||||
@@ -468,7 +468,7 @@ int __trace_puts(unsigned long ip, const
|
||||
|
||||
local_save_flags(irq_flags);
|
||||
buffer = global_trace.trace_buffer.buffer;
|
||||
- event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc,
|
||||
+ event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc,
|
||||
irq_flags, preempt_count());
|
||||
irq_flags, pc);
|
||||
if (!event)
|
||||
return 0;
|
||||
@@ -1552,6 +1552,8 @@ tracing_generic_entry_update(struct trac
|
||||
@@ -1565,6 +1565,8 @@ tracing_generic_entry_update(struct trac
|
||||
((pc & SOFTIRQ_MASK) ? TRACE_FLAG_SOFTIRQ : 0) |
|
||||
(tif_need_resched() ? TRACE_FLAG_NEED_RESCHED : 0) |
|
||||
(test_preempt_need_resched() ? TRACE_FLAG_PREEMPT_RESCHED : 0);
|
||||
|
@ -42,7 +44,7 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|||
}
|
||||
EXPORT_SYMBOL_GPL(tracing_generic_entry_update);
|
||||
|
||||
@@ -2462,9 +2464,10 @@ static void print_lat_help_header(struct
|
||||
@@ -2475,9 +2477,10 @@ static void print_lat_help_header(struct
|
||||
seq_puts(m, "# | / _----=> need-resched \n");
|
||||
seq_puts(m, "# || / _---=> hardirq/softirq \n");
|
||||
seq_puts(m, "# ||| / _--=> preempt-depth \n");
|
||||
|
|
|
@ -4,15 +4,17 @@ Date: Sun, 17 Jul 2011 21:51:45 +0200
|
|||
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.12-rt9.tar.xz
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
[bwh: Include extra dependency from "locking/mutex: Disable optimistic
|
||||
spinning on some architectures" in 3.14.14]
|
||||
---
|
||||
kernel/Kconfig.locks | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/kernel/Kconfig.locks
|
||||
+++ b/kernel/Kconfig.locks
|
||||
@@ -222,4 +222,4 @@ endif
|
||||
@@ -225,4 +225,4 @@ config ARCH_SUPPORTS_ATOMIC_RMW
|
||||
|
||||
config MUTEX_SPIN_ON_OWNER
|
||||
def_bool y
|
||||
- depends on SMP && !DEBUG_MUTEXES
|
||||
+ depends on SMP && !DEBUG_MUTEXES && !PREEMPT_RT_FULL
|
||||
- depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW
|
||||
+ depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW && !PREEMPT_RT_FULL
|
||||
|
|
|
@ -69,7 +69,6 @@ bugfix/mips/MIPS-OCTEON-make-get_system_type-thread-safe.patch
|
|||
bugfix/mips/MIPS-O32-32-bit-Fix-bug-which-can-cause-incorrect-sy.patch
|
||||
bugfix/mips/MIPS-tlbex-fix-a-missing-statement-for-HUGETLB.patch
|
||||
bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
|
||||
bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
|
||||
|
||||
# Miscellaneous bug fixes
|
||||
bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
|
||||
|
@ -91,7 +90,6 @@ features/arm/ARM-dt-sun4i-Add-A10-SPI-controller-nodes.patch
|
|||
features/arm/PHY-sunxi-Add-driver-for-sunxi-usb-phy.patch
|
||||
features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
|
||||
features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
|
||||
bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch
|
||||
bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
|
||||
features/mips/0001-MIPS-Loongson-Rename-PRID_IMP_LOONGSON1-and-PRID_IMP.patch
|
||||
features/mips/0002-MIPS-Loongson-Add-basic-Loongson-3-definition.patch
|
||||
|
|
Loading…
Reference in New Issue