From 65d016b8bfab85d0b6dc99a793007ed57b2ddee8 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 5 Aug 2014 04:03:22 +0000 Subject: [PATCH] Update to 3.14.15 - Drop two patches included upstream - [rt] Refresh two patches with trivial conflicts svn path=/dists/sid/linux/; revision=21685 --- debian/changelog | 66 ++++++++- ...lting-into-a-hole-while-it-s-punched.patch | 129 ------------------ .../s390/s390-ptrace-fix-PSW-mask-check.patch | 56 -------- .../rt/ftrace-migrate-disable-tracing.patch | 10 +- .../features/all/rt/mutex-no-spin-on-rt.patch | 8 +- debian/patches/series | 2 - 6 files changed, 76 insertions(+), 195 deletions(-) delete mode 100644 debian/patches/bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch delete mode 100644 debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch diff --git a/debian/changelog b/debian/changelog index fe7867ca5..2da92899f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,68 @@ -linux (3.14.13-3) UNRELEASED; urgency=medium +linux (3.14.15-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.14 + - Bluetooth: Ignore H5 non-link packets in non-active state + - fuse: timeout comparison fix + - tracing: instance_rmdir() leaks ftrace_event_file->filter + (regression in 3.11) + - xen/balloon: set ballooned out pages as invalid in p2m + (regression in 3.12) + - quota: missing lock in dqcache_shrink_scan() (regression in 3.12) + - shmem: fix faulting into a hole, not taking i_mutex (CVE-2014-4171) + - shmem: fix splicing from a hole while it's punched (CVE-2014-4171) + - e1000e: Fix SHRA register access for 82579 (regression in 3.12) + - ip_tunnel: fix ip_tunnel_lookup + - net: sctp: check proc_dointvec result in proc_sctp_do_auth + - 8021q: fix a potential memory leak + - net: fix UDP tunnel GSO of frag_list GRO packets + - ipv4: fix dst race in sk_dst_get() + - ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix + - bnx2x: fix possible panic under memory stress + - tcp: Fix divide by zero when pushing during tcp-repair + - ipv4: icmp: Fix pMTU handling for rare case + - net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush + (regression in 3.11) + - igmp: fix the problem when mc leave group + - appletalk: Fix socket referencing in skb + - netlink: Fix handling of error from netlink_dump(). + - tipc: clear 'next'-pointer of message fragments before reassembly + (regression in 3.13) + - net: sctp: fix information leaks in ulpevent layer + - bonding: fix ad_select module param check (regression in 3.14) + - net-gre-gro: Fix a bug that breaks the forwarding path + (regression in 3.14) + - perf/x86/intel: ignore CondChgd bit to avoid false NMI handling + - mwifiex: fix Tx timeout issue + - [x86] tsc: Fix cpufreq lockup (regression in 3.14) + - dm thin metadata: do not allow the data block size to change + - dm cache metadata: do not allow the data block size to change + - locking/mutex: Disable optimistic spinning on some architectures + - sched: Fix possible divide by zero in avg_atom() calculation + - aio: protect reqs_available updates from changes in interrupt handlers + (regression in 3.14.10) + - Don't trigger congestion wait on dirty-but-not-writeout pages + (regression in 3.11) + https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.15 + - nfs: only show Posix ACLs in listxattr if actually present + (regression in 3.14) + - block: don't assume last put of shared tags is for the host + - libata: support the ata host which implements a queue depth less than 32 + (regression in 3.14.4) + - libata: introduce ata_host->n_tags to avoid oops on SAS controllers + - blkcg: don't call into policy draining if root_blkg is already gone + - coredump: fix the setting of PF_DUMPCORE + - [hppa] Remove SA_RESTORER define + - hwmon: (smsc47m192) Fix temperature limit and vrm write operations + - fs: umount on symlink leaks mnt count (CVE-2014-5045) + - [x86] x86_32, entry: Store badsys error code in %eax + (regression in 3.14.10) + - drm/radeon: fix irq ring buffer overflow handling (regression in 3.14) + - mm: hugetlb: fix copy_hugetlb_page_range() (regression in 3.14.12) + - [x86] efi: Include a .bss section within the PE/COFF headers + - nl80211: move set_qos_map command into split state (regression in 3.14) + - platform_get_irq: Revert to platform_get_resource if of_irq_get fails + (regression in 3.14.6) [ Aurelien Jarno ] * Update German debconf template translations (Holger Wansing) (Closes: diff --git a/debian/patches/bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch b/debian/patches/bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch deleted file mode 100644 index 59ef2136e..000000000 --- a/debian/patches/bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch +++ /dev/null @@ -1,129 +0,0 @@ -From: Hugh Dickins -Date: Mon, 23 Jun 2014 13:22:06 -0700 -Subject: shmem: fix faulting into a hole while it's punched -Origin: https://git.kernel.org/linus/f00cdc6df7d7cfcabb5b740911e6788cb0802bdb - -Trinity finds that mmap access to a hole while it's punched from shmem -can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) -from completing, until the reader chooses to stop; with the puncher's -hold on i_mutex locking out all other writers until it can complete. - -It appears that the tmpfs fault path is too light in comparison with its -hole-punching path, lacking an i_data_sem to obstruct it; but we don't -want to slow down the common case. - -Extend shmem_fallocate()'s existing range notification mechanism, so -shmem_fault() can refrain from faulting pages into the hole while it's -punched, waiting instead on i_mutex (when safe to sleep; or repeatedly -faulting when not). - -[akpm@linux-foundation.org: coding-style fixes] -Signed-off-by: Hugh Dickins -Reported-by: Sasha Levin -Tested-by: Sasha Levin -Cc: Dave Jones -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 52 insertions(+), 4 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt; - #define SHORT_SYMLINK_LEN 128 - - /* -- * shmem_fallocate and shmem_writepage communicate via inode->i_private -- * (with i_mutex making sure that it has only one user at a time): -- * we would prefer not to enlarge the shmem inode just for that. -+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via -+ * inode->i_private (with i_mutex making sure that it has only one user at -+ * a time): we would prefer not to enlarge the shmem inode just for that. - */ - struct shmem_falloc { -+ int mode; /* FALLOC_FL mode currently operating */ - pgoff_t start; /* start of range currently being fallocated */ - pgoff_t next; /* the next page offset to be fallocated */ - pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -824,6 +825,7 @@ static int shmem_writepage(struct page * - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; - if (shmem_falloc && -+ !shmem_falloc->mode && - index >= shmem_falloc->start && - index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; -@@ -1298,6 +1300,44 @@ static int shmem_fault(struct vm_area_st - int error; - int ret = VM_FAULT_LOCKED; - -+ /* -+ * Trinity finds that probing a hole which tmpfs is punching can -+ * prevent the hole-punch from ever completing: which in turn -+ * locks writers out with its hold on i_mutex. So refrain from -+ * faulting pages into the hole while it's being punched, and -+ * wait on i_mutex to be released if vmf->flags permits. -+ */ -+ if (unlikely(inode->i_private)) { -+ struct shmem_falloc *shmem_falloc; -+ -+ spin_lock(&inode->i_lock); -+ shmem_falloc = inode->i_private; -+ if (!shmem_falloc || -+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -+ vmf->pgoff < shmem_falloc->start || -+ vmf->pgoff >= shmem_falloc->next) -+ shmem_falloc = NULL; -+ spin_unlock(&inode->i_lock); -+ /* -+ * i_lock has protected us from taking shmem_falloc seriously -+ * once return from shmem_fallocate() went back up that stack. -+ * i_lock does not serialize with i_mutex at all, but it does -+ * not matter if sometimes we wait unnecessarily, or sometimes -+ * miss out on waiting: we just need to make those cases rare. -+ */ -+ if (shmem_falloc) { -+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -+ up_read(&vma->vm_mm->mmap_sem); -+ mutex_lock(&inode->i_mutex); -+ mutex_unlock(&inode->i_mutex); -+ return VM_FAULT_RETRY; -+ } -+ /* cond_resched? Leave that to GUP or return to user */ -+ return VM_FAULT_NOPAGE; -+ } -+ } -+ - error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); - if (error) - return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS); -@@ -1813,18 +1853,26 @@ static long shmem_fallocate(struct file - - mutex_lock(&inode->i_mutex); - -+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -+ - if (mode & FALLOC_FL_PUNCH_HOLE) { - struct address_space *mapping = file->f_mapping; - loff_t unmap_start = round_up(offset, PAGE_SIZE); - loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; - -+ shmem_falloc.start = unmap_start >> PAGE_SHIFT; -+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; -+ spin_lock(&inode->i_lock); -+ inode->i_private = &shmem_falloc; -+ spin_unlock(&inode->i_lock); -+ - if ((u64)unmap_end > (u64)unmap_start) - unmap_mapping_range(mapping, unmap_start, - 1 + unmap_end - unmap_start, 0); - shmem_truncate_range(inode, offset, offset + len - 1); - /* No need to unmap again: hole-punching leaves COWed pages */ - error = 0; -- goto out; -+ goto undone; - } - - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ diff --git a/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch b/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch deleted file mode 100644 index af6c8fb65..000000000 --- a/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Martin Schwidefsky -Date: Mon, 23 Jun 2014 15:29:40 +0200 -Subject: s390/ptrace: fix PSW mask check -Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318 - -The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect. -The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace -interface accepts all combinations for the address-space-control -bits. To protect the kernel space the PSW mask check in ptrace needs -to reject the address-space-control bit combination for home space. - -Fixes CVE-2014-3534 - -Cc: stable@vger.kernel.org -Signed-off-by: Martin Schwidefsky ---- - arch/s390/kernel/ptrace.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c -index 2d716734..5dc7ad9 100644 ---- a/arch/s390/kernel/ptrace.c -+++ b/arch/s390/kernel/ptrace.c -@@ -334,9 +334,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) - unsigned long mask = PSW_MASK_USER; - - mask |= is_ri_task(child) ? PSW_MASK_RI : 0; -- if ((data & ~mask) != PSW_USER_BITS) -+ if ((data ^ PSW_USER_BITS) & ~mask) -+ /* Invalid psw mask. */ -+ return -EINVAL; -+ if ((data & PSW_MASK_ASC) == PSW_ASC_HOME) -+ /* Invalid address-space-control bits */ - return -EINVAL; - if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA)) -+ /* Invalid addressing mode bits */ - return -EINVAL; - } - *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data; -@@ -672,9 +677,12 @@ static int __poke_user_compat(struct task_struct *child, - - mask |= is_ri_task(child) ? PSW32_MASK_RI : 0; - /* Build a 64 bit psw mask from 31 bit mask. */ -- if ((tmp & ~mask) != PSW32_USER_BITS) -+ if ((tmp ^ PSW32_USER_BITS) & ~mask) - /* Invalid psw mask. */ - return -EINVAL; -+ if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME) -+ /* Invalid address-space-control bits */ -+ return -EINVAL; - regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) | - (regs->psw.mask & PSW_MASK_BA) | - (__u64)(tmp & mask) << 32; --- -2.0.0 - diff --git a/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch b/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch index 9e5d5a394..25a007edc 100644 --- a/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch +++ b/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch @@ -4,6 +4,8 @@ Date: Sun, 17 Jul 2011 21:56:42 +0200 Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.12-rt9.tar.xz Signed-off-by: Thomas Gleixner +[bwh: Adjust context after "tracing: Add ftrace_trace_stack into + __trace_puts/__trace_bputs" in 3.14.14] --- include/linux/ftrace_event.h | 2 ++ kernel/trace/trace.c | 11 +++++++---- @@ -24,16 +26,16 @@ Signed-off-by: Thomas Gleixner #define FTRACE_MAX_EVENT \ --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c -@@ -462,7 +462,7 @@ int __trace_puts(unsigned long ip, const +@@ -468,7 +468,7 @@ int __trace_puts(unsigned long ip, const local_save_flags(irq_flags); buffer = global_trace.trace_buffer.buffer; - event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc, + event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc, - irq_flags, preempt_count()); + irq_flags, pc); if (!event) return 0; -@@ -1552,6 +1552,8 @@ tracing_generic_entry_update(struct trac +@@ -1565,6 +1565,8 @@ tracing_generic_entry_update(struct trac ((pc & SOFTIRQ_MASK) ? TRACE_FLAG_SOFTIRQ : 0) | (tif_need_resched() ? TRACE_FLAG_NEED_RESCHED : 0) | (test_preempt_need_resched() ? TRACE_FLAG_PREEMPT_RESCHED : 0); @@ -42,7 +44,7 @@ Signed-off-by: Thomas Gleixner } EXPORT_SYMBOL_GPL(tracing_generic_entry_update); -@@ -2462,9 +2464,10 @@ static void print_lat_help_header(struct +@@ -2475,9 +2477,10 @@ static void print_lat_help_header(struct seq_puts(m, "# | / _----=> need-resched \n"); seq_puts(m, "# || / _---=> hardirq/softirq \n"); seq_puts(m, "# ||| / _--=> preempt-depth \n"); diff --git a/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch b/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch index b5e82af10..64e89b6df 100644 --- a/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch +++ b/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch @@ -4,15 +4,17 @@ Date: Sun, 17 Jul 2011 21:51:45 +0200 Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.12-rt9.tar.xz Signed-off-by: Thomas Gleixner +[bwh: Include extra dependency from "locking/mutex: Disable optimistic + spinning on some architectures" in 3.14.14] --- kernel/Kconfig.locks | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/Kconfig.locks +++ b/kernel/Kconfig.locks -@@ -222,4 +222,4 @@ endif +@@ -225,4 +225,4 @@ config ARCH_SUPPORTS_ATOMIC_RMW config MUTEX_SPIN_ON_OWNER def_bool y -- depends on SMP && !DEBUG_MUTEXES -+ depends on SMP && !DEBUG_MUTEXES && !PREEMPT_RT_FULL +- depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW ++ depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW && !PREEMPT_RT_FULL diff --git a/debian/patches/series b/debian/patches/series index 3690bf51b..dd643609d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -69,7 +69,6 @@ bugfix/mips/MIPS-OCTEON-make-get_system_type-thread-safe.patch bugfix/mips/MIPS-O32-32-bit-Fix-bug-which-can-cause-incorrect-sy.patch bugfix/mips/MIPS-tlbex-fix-a-missing-statement-for-HUGETLB.patch bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch -bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch # Miscellaneous bug fixes bugfix/all/misc-bmp085-Enable-building-as-a-module.patch @@ -91,7 +90,6 @@ features/arm/ARM-dt-sun4i-Add-A10-SPI-controller-nodes.patch features/arm/PHY-sunxi-Add-driver-for-sunxi-usb-phy.patch features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch -bugfix/all/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch features/mips/0001-MIPS-Loongson-Rename-PRID_IMP_LOONGSON1-and-PRID_IMP.patch features/mips/0002-MIPS-Loongson-Add-basic-Loongson-3-definition.patch