debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

Merge changes from sid up to 3.16.7-2 

svn path=/dists/trunk/linux/; revision=22054
This commit is contained in:
Ben Hutchings 2014-11-06 21:57:46 +00:00
parent 5eb5c2f9b4 c5365c420a
commit 78d8475ba2
111 changed files with 4298 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
debian/bin/check-patches.sh vendored
View File

@ -15,8 +15,12 @@ echo
echo "Patches without required headers"
echo "================================"
xargs egrep -l '^(Subject|Description):' < $TMPDIR/used | xargs egrep -l '^(From|Author|Origin):' > $TMPDIR/goodheaders || test $? = 1
fgrep -v -f $TMPDIR/goodheaders $TMPDIR/used
fgrep -v -f $TMPDIR/goodheaders $TMPDIR/used || test $? = 1
echo
echo "Patches without Origin or Forwarded header"
echo "=========================================="
xargs egrep -L '^(Origin|Forwarded):' < $TMPDIR/used || test $? = 1
xargs egrep -L '^(Origin:|Forwarded: (no\b|not-needed|http))' < $TMPDIR/used || test $? = 1
echo
echo "Patches to be forwarded"
echo "======================="
xargs egrep -l '^Forwarded: no\b' < $TMPDIR/used || test $? = 1

16
debian/bin/gencontrol.py vendored
View File

@ -60,8 +60,7 @@ class Gencontrol(Base):
makeflags.update({
'VERSION': self.version.linux_version,
'UPSTREAMVERSION': self.version.linux_upstream,
'ABINAME': self.abiname,
'ABINAME_PART': self.abiname_part,
'ABINAME': self.abiname_version + self.abiname_part,
'SOURCEVERSION': self.version.complete,
})
@ -130,8 +129,7 @@ class Gencontrol(Base):
except KeyError:
abiname_part = self.abiname_part
makeflags['ABINAME'] = vars['abiname'] = \
self.version.linux_upstream + abiname_part
makeflags['ABINAME_PART'] = abiname_part
self.abiname_version + abiname_part
if foreign_kernel:
packages_headers_arch = []
@ -466,17 +464,21 @@ class Gencontrol(Base):
self.abiname_part = ''
else:
self.abiname_part = '-%s' % self.config['abi', ]['abiname']
self.abiname = self.version.linux_upstream + self.abiname_part
# We need to keep at least three version components to avoid
# userland breakage (e.g. #742226, #745984).
self.abiname_version = re.sub('^(\d+\.\d+)(?=-|$)', r'\1.0',
self.version.linux_upstream)
self.vars = {
'upstreamversion': self.version.linux_upstream,
'version': self.version.linux_version,
'source_upstream': self.version.upstream,
'source_package': self.changelog[0].source,
'abiname': self.abiname,
'abiname': self.abiname_version + self.abiname_part,
}
self.config['version', ] = {'source': self.version.complete,
'upstream': self.version.linux_upstream,
'abiname': self.abiname}
'abiname': (self.abiname_version +
self.abiname_part)}
distribution = self.changelog[0].distribution
if distribution in ('unstable', ):

588
debian/changelog vendored
View File

@ -28,6 +28,594 @@ linux (3.17~rc5-1~exp1) experimental; urgency=medium
-- maximilian attems <maks@debian.org> Thu, 18 Sep 2014 23:50:00 +0200
linux (3.16.7-2) unstable; urgency=medium
[ Ian Campbell ]
* Disable TSO in mv643xx_eth driver by default (Closes: #764162).
[ Aurelien Jarno ]
* [i386] Rename 486 flavour to 586 for udebs. (Closes: #768288)
[ Ben Hutchings ]
* [hppa] udeb: Fix modules in multiple packages (Closes: 768297)
-- Ben Hutchings <ben@decadent.org.uk> Thu, 06 Nov 2014 17:42:26 +0000
linux (3.16.7-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.6
- rtnetlink: fix VF info size (regression in 3.11)
- myri10ge: check for DMA mapping errors
- Revert "macvlan: simplify the structure port" (regression in 3.16)
- tcp: don't use timestamp from repaired skb-s to calculate RTT (v2)
(regression in 3.15)
- tcp: fix tcp_release_cb() to dispatch via address family for
mtu_reduced()
- tipc: fix message importance range check (regression in 3.15)
- packet: handle too big packets for PACKET_V3
- bnx2x: Revert UNDI flushing mechanism (regression in 3.14)
- net: ipv6: fib: don't sleep inside atomic lock (regression in 3.15)
- openvswitch: fix panic with multiple vlan headers
- ipv6: fix rtnl locking in setsockopt for anycast and multicast
- l2tp: fix race while getting PMTU on PPP pseudo-wire (regression in 3.15)
- ipv6: restore the behavior of ipv6_sock_ac_drop()
- bonding: fix div by zero while enslaving and transmitting
(regression in 3.12)
- net: filter: fix possible use after free (regression in 3.15)
- net: allow macvlans to move to net namespace (regression in 3.13)
- macvlan: allow to enqueue broadcast pkt on virtual device
(regression in 3.16)
- xfrm: Generate blackhole routes only from route lookup functions
- xfrm: Generate queueing routes only from route lookup functions
- macvtap: Fix race between device delete and open.
- net/mlx4_core: Allow not to specify probe_vf in SRIOV IB mode
(regression in 3.15)
- net/mlx4: Correctly configure single ported VFs from the host
(regression in 3.15)
- gro: fix aggregation for skb using frag_list (regression in 3.13)
- hyperv: Fix bug in netvsc_start_xmit() (potential use-after-free)
- team: avoid race condition in scheduling delayed work
- hyperv: Fix bug in netvsc_send() (potential use-after-free)
- sctp: handle association restarts when the socket is closed.
- net_sched: copy exts->type in tcf_exts_change() (regression in 3.14)
- crypto: caam - fix addressing of struct member
- driver/base/node: remove unnecessary kfree of node struct from
unregister_one_node (regression in 3.15)
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.7
- btrfs: wake up transaction thread from SYNC_FS ioctl
- Btrfs: fix up bounds checking in lseek
- Btrfs: don't do async reclaim during log replay
- Btrfs: cleanup error handling in build_backref_tree
- Btrfs: fix build_backref_tree issue with multiple shared blocks
- Btrfs: fix race in WAIT_SYNC ioctl
- fs: Add a missing permission check to do_umount (CVE-2014-7975)
- kvm: fix potentially corrupt mmio cache
- [x86] kvm,vmx: Preserve CR4 across VM entry (CVE-2014-3690)
- be2iscsi: check ip buffer before copying (stack buffer overflow)
- mptfusion: enable no_write_same for vmware scsi disks
- qla2xxx: fix kernel NULL pointer access (regression in 3.16)
(Closes: #764804)
- qla2xxx: Fix shost use-after-free on device removal (regression in 3.14)
- dmaengine: fix xor sources continuation
- [arm64] debug: don't re-enable debug exceptions on return from el1_dbg
- mei: bus: fix possible boundaries violation
- nfsv4: Fixing lease renewal (regression in 3.13)
- lzo: check for length overrun in variable length encoding.
- [armhf] tty: omap-serial: fix division by zero
- NFSv4: Fix lock recovery when CREATE_SESSION/SETCLIENTID_CONFIRM fails
- NFSv4: fix open/lock state recovery error handling
- NFSv4.1: Fix an NFSv4.1 state renewal regression
- nfsd4: reserve adequate space for LOCK op (regression in 3.16)
- NFS: Fix an uninitialised pointer Oops in the writeback error path
- NFS: Fix a bogus warning in nfs_generic_pgio (regression in 3.16.4)
- iwlwifi: mvm: disable BT Co-running by default
- [armel,armhf] PCI: mvebu: Fix uninitialized variable in
mvebu_get_tgt_attr()
- Revert "ath9k_hw: reduce ANI firstep range for older chips"
(regression in 3.15)
- fanotify: enable close-on-exec on events' fd when requested in
fanotify_init()
- futex: Ensure get_futex_key_refs() always implies a barrier
(regression in 3.14)
- [ppc64el] iommu/ddw: Fix endianness
- [arm64] compat: fix compat types affecting struct compat_elf_prpsinfo
- ALSA: emu10k1: Fix deadlock in synth voice lookup
- ALSA: hda - Add missing terminating entry to SND_HDA_PIN_QUIRK macro
- [armhf] mvebu: Netgear RN104: Use Hardware BCH ECC
- [armhf] mvebu: Netgear RN2120: Use Hardware BCH ECC
- [armhf] mvebu: Netgear RN102: Use Hardware BCH ECC
- ecryptfs: avoid to access NULL pointer when write metadata in xattr
- xfs: ensure WB_SYNC_ALL writeback handles partial pages correctly
- [sparc*] Do not disable interrupts in nmi_cpu_busy()
- [sparc*] Fix pcr_ops initialization and usage bugs.
- [sparc*] sun4v TLB error power off events
- [sparc*] Fix corrupted thread fault code.
- [sparc*] find_node adjustment
- [sparc*] Let memset return the address argument
- [sparc*] bpf_jit: fix support for ldx/stx mem and SKF_AD_VLAN_TAG
- [sparc*] bpf_jit: fix loads from negative offsets
- [sparc*] Fix FPU register corruption with AES crypto offload.
- [sparc*] Do not define thread fpregs save area as zero-length array.
- [sparc*] Fix hibernation code refrence to PAGE_OFFSET.
- [sparc*] correctly recognise M6 and M7 cpu type
- [sparc*] T5 PMU
- [sparc*] Switch to 4-level page tables.
- [sparc*] Adjust KTSB assembler to support larger physical addresses.
- [sparc*] Fix physical memory management regressions with large
max_phys_bits.
- [sparc*] Use kernel page tables for vmemmap.
- [sparc*] Increase MAX_PHYS_ADDRESS_BITS to 53.
- [sparc*] sparse irq
- [sparc*] Fix register corruption in top-most kernel stack frame during
boot.
- [sparc*] Implement __get_user_pages_fast().
[ Ben Hutchings ]
* [i386] Rename 486 flavour to 586, as it has not worked on 486 processors
since we enabled CC_STACKPROTECTOR (Closes: #766105)
- Select M586TSC instead of M486
* [x86] r8723au: Backport changes up to Linux 3.17 (Closes: #765685)
* mmc_block: Increase max_devices and set MMC_BLOCK_MINORS to 256
(Closes: #765621)
* [x86] drm/i915: Initialise userptr mmu_notifier serial to 1
(Closes: #765590)
* rtsx_usb_ms: Use msleep_interruptible() in polling loop (Closes: #765717)
* Bump ABI to 4
* Add '.0' to the kernel version string (Closes: #742226, #745984)
* vfs,fuse: Change iov_iter_get_pages() to take both maxsize and maxpages
parameters (Closes: #764285)
* lockd: Try to reconnect if statd has moved (Closes: #767219)
* m25p80: Fix module device ID table
* HID: i2c-hid: call the hid driver's suspend and resume callbacks
(Closes: #767204)
* [x86] drm/i915: Add some L3 registers to the parser whitelist
(Closes: #767148)
* wireless: rt2x00: add new rt2800usb device (thanks to Cyril Brulebois)
(Closes: #766802)
* drivers/net,ipv6: Fix virtio/IPv6 regression in 3.16:
- drivers/net: Disable UFO through virtio
- drivers/net,ipv6: Select IPv6 fragment idents for virtio UFO packets
* [x86] KVM: Check non-canonical addresses upon WRMSR (CVE-2014-3610)
* [x86] KVM: Prevent host from panicking on shared MSR writes.
(CVE-2014-3610)
* [x86] KVM: Improve thread safety in pit (CVE-2014-3611)
* [x86] kvm: vmx: handle invvpid vm exit gracefully (CVE-2014-3646)
* [x86] KVM: Fix wrong masking on relative jump/call
* [x86] KVM: Emulator fixes for eip canonical checks on near branches
(CVE-2014-3647)
* [x86] KVM: Handle errors when RIP is set during far jumps (CVE-2014-3647)
* [x86] KVM: Fix far-jump to non-canonical check
* net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
(CVE-2014-3673)
* net: sctp: fix panic on duplicate ASCONF chunks (CVE-2014-3687)
* net: sctp: fix remote memory pressure from excessive queueing
(CVE-2014-3688)
* mnt: Prevent pivot_root from creating a loop in the mount tree
(CVE-2014-7970)
* linux-image: Recommend irqbalance if CONFIG_SMP is enabled
(Closes: #577788)
* [armhf] leds: Enable LEDS_PWM as module (for Cubox-i)
* [x86] Backport Thunderbolt support on Apple computers from 3.17
* [x86] linux-image: Remove lilo from suggested boot loaders
* [amd64] linux-image: Add grub-efi to suggested boot loaders
* [hppa] Reduce SIGRTMIN from 37 to 32 to behave like other Linux
architectures (Closes: #766635)
* [hppa] udeb: Add many more module packages (Closes: #766793)
* iwlwifi: Backport firmware monitor from 3.17 (Closes: #767088)
* bug script: Warn if the running kernel matches the ABI name of the
package but is not the installed version
[ Mauricio Faria de Oliveira ]
* [ppc64el] Disable CONFIG_CMDLINE{,_BOOL} usage for setting consoles
(Closes: #764745)
[ Uwe Kleine-König ]
* [armhf] enable rtc driver for i.MX6
* [armhf] add chipidea usb host driver to usb-modules-$version-armmmp-di
for i.MX6
* [armhf] enable PCI and NAND driver for Armada 370
* [armhf] enable RTC, GPIO_PCA953X, SENSORS_G762 and watchdog driver for
Netgear ReadyNAS 102/104
[ Ian Campbell ]
* [armhf] Build i2c-s3c2410 statically, it is used by the arndale power
controller.
* [armhf] Backport device tree file for Olimex A20-OLinuXino-LIME. (Closes: #764967)
* [armhf] Enable various drivers for the Nokia N900. Patch from Sebastian
Reichel. (Closes: #766070)
* [arm64] Enable EHCI and OHCI platform USB HCD drivers.
* Enable MTD and MTDBLOCK in top-level config.
* [armhf] Add mtd-modules udeb. Patch from Uwe Kleine-Koenig.
[ Aurelien Jarno ]
* [mips*] Backport a hugetlb fix for Octeon from 3.18.
* [mips*] Backport math emulation fix for MIPS32r2 from 3.18.
* [mips*] Only define MAX_PHYSMEM_BITS on Loongson-3, until a better fix
is committed upstream. Fixes Loongson-2 kernel and maybe more. Closes:
#764223.
* [mips*/octeon] Add support for the UBNT E200 board (EdgeRouter/EdgeRouter
Pro 8 port).
* [mips*/octeon] Enable SERIAL_8250_DW. Disable KEYBOARD_ATKBD, MOUSE_PS2,
SERIO_I8042.
* [mips*/octeon] Really enable USB_OCTEON_EHCI and USB_OCTEON_OHCI. Closes:
Closes: #762066.
-- Ben Hutchings <ben@decadent.org.uk> Tue, 04 Nov 2014 09:47:27 +0000
linux (3.16.5-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.4
- module: Clean up ro/nx after early module load failures
(regression in 3.16)
- [armhf] cpufreq: OPP: Avoid sleeping while atomic
- [armhf] drm/tilcdc: Fix various bugs in removal path
- drm/ttm: Fix possible stack overflow by recursive shrinker calls.
- [x86] drm/i915: Fix crash when failing to parse MIPI VBT
(regression in 3.16)
- [x86] drm/i915: read HEAD register back in init_ring_common() to enforce
ordering (Closes: #763583)
- libata: widen Crucial M550 blacklist matching
- pata_scc: propagate return value of scc_wait_after_reset
- pwm: Fix period and polarity in pwm_get() for non-perfect matches
- aio: add missing smp_rmb() in read_events_ring
- [arm64] flush TLS registers during exec
- [arm64] use irq_set_affinity with force=false when migrating irqs
(regression in 3.15)
- [arm*] KVM: Nuke Hyp-mode tlbs before enabling MMU
- [x86] i2c: ismt: use correct length when copy buffer
- ftrace: Use current addr when converting to nop in
__ftrace_replace_code() (regression in 3.16)
- ALSA: core: fix buffer overflow in snd_info_get_line()
- ALSA: firewire-lib/dice: add arrangements of PCM pointer and interrupts
for Dice quirk (regression in 3.16)
- HID: picolcd: sanity check report size in raw_event() callback
(CVE-2014-3186)
- HID: magicmouse: sanity check report size in raw_event() callback
(CVE-2014-3181)
- HID: logitech-dj: prevent false errors to be shown (regression in 3.16.2)
- [x86] drm/i915: Skip load detect when intel_crtc->new_enable==true
(regression in 3.16)
- [x86] drm/i915: fix plane/cursor handling when runtime suspended
(regression in 3.14)
- [x86] drm/i915: Ignore VBT backlight presence check on Acer C720 (4005U)
(regression in 3.15)
- [x86] drm/i915: Wait for vblank before enabling the TV encoder
(regression in 3.16)
- [x86] drm/i915/hdmi: fix hdmi audio state readout (regression in 3.16)
- drm/radeon: Add ability to get and change dpm state when radeon PX card
is turned off (regression in 3.15)
- locks: pass correct "before" pointer to locks_unlink_lock in
generic_add_lease
- ufs: fix deadlocks introduced by sb mutex merge (regression in 3.16)
- USB: serial: fix potential stack buffer overflow
- USB: serial: fix potential heap buffer overflow
- USB: option: reduce interrupt-urb logging verbosity (regression in 3.16)
- [armhf] usb: phy: twl4030-usb: Fix lost interrupts after ID pin goes down
(regression in 3.13)
- [armhf] usb: phy: twl4030-usb: Fix regressions to runtime PM on omaps
(regressions in 3.14, 3.15)
- uwb: init beacon cache entry before registering uwb device
- usb: hub: take hub->hdev reference when processing from eventlist
- USB: EHCI: unlink QHs even after the controller has stopped
- Revert "ACPI / battery: fix wrong value of capacity_now reported when
fully charged" (regression in 3.16)
- [x86] iommu/vt-d: Check return value of acpi_bus_get_device()
(regression in 3.15)
- [armhf/armmp-lpae] iommu/arm-smmu: fix programming of SMMU_CBn_TCR for
stage 1
- cgroup: check cgroup liveliness before unbreaking kernfs
(regression in 3.15)
- NFSv4: Fix another bug in the close/open_downgrade code
(regression in 3.16.2)
- nfsd4: fix corruption of NFSv4 read data (regression in 3.16)
- nfs: check wait_on_bit_lock err in page_group_lock
- nfs: clear_request_commit while holding i_lock
- nfs: fix nonblocking calls to nfs_page_group_lock
- nfs: use blocking page_group_lock in add_request
- nfs: fix error handling in lock_and_join_requests
- nfs: don't sleep with inode lock in lock_and_join_requests
- nfs: disallow duplicate pages in pgio page vectors
- nfs: can_coalesce_requests must enforce contiguity
- [armhf] 8129/1: errata: work around Cortex-A15 erratum 830321 using dummy
strex
- [armhf] 8133/1: use irq_set_affinity with force=false when migrating irqs
(regression in 3.15)
- [armel,armhf] 8148/1: flush TLS and thumbee register state during exec
- [armel,armhf] 8149/1: perf: Don't sleep while atomic when enabling
per-cpu interrupts (regression in 3.15)
- [armhf] imx: fix .is_enabled() of shared gate clock (regression in 3.16)
- [armhf] 8165/1: alignment: don't break misaligned NEON load/store
- [mips*] Fix MFC1 & MFHC1 emulation for 64-bit MIPS systems
(regression in 3.15)
- ACPICA: Update to GPIO region handler interface.
- gpio / ACPI: Use pin index and bit length
- ACPI / platform / LPSS: disable async suspend/resume of LPSS devices
(regression in 3.16)
- ACPI / hotplug: Generate online uevents for ACPI containers
(regression in 3.14)
- ACPI / video: disable native backlight for ThinkPad X201s
(regression in 3.16)
- regmap: Fix regcache debugfs initialization (regression in 3.15)
- regmap: Fix handling of volatile registers for format_write() chips
- regmap: Don't attempt block writes when syncing cache on single_rw
devices
- cgroup: reject cgroup names with '\n'
- cgroup: delay the clearing of cgrp->kn->priv
- cgroup: fix unbalanced locking (regression in 3.14)
- [s390*] KVM: Fix user triggerable bug in dead code
- [s390*] KVM: mm: try a cow on read only pages for key ops
- [s390*] KVM: mm: Fix storage key corruption during swapping
- [s390*] KVM: mm: Fix guest storage key corruption in
ptep_set_access_flags
- [x86] xen: don't copy bogus duplicate entries into kernel page tables
- [x86] early_ioremap: Increase FIX_BTMAPS_SLOTS to 8 (regression in 3.16)
- shmem: fix nlink for rename overwrite directory
- SMB3: Fix oops when creating symlinks on smb3
- iio: Fix indio_dev->trig assignment in several drivers
- Target/iser: Don't put isert_conn inside disconnected handler
- target: Fix inverted logic in SE_DEV_ALUA_SUPPORT_STATE_STORE
(regression in 3.13)
- iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid
- SCSI: libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
- Revert "iwlwifi: dvm: don't enable CTS to self" (regression in 3.16)
- iwlwifi: mvm: fix endianity issues with Smart Fifo commands
(regression in 3.14)
- iwlwifi: mvm: set MAC_FILTER_IN_BEACON correctly for STA/P2P client
(regression in 3.16)
- workqueue: apply __WQ_ORDERED to create_singlethread_workqueue()
(regression in 3.10)
- futex: Unlock hb->lock in futex_wait_requeue_pi() error path
- block: Fix dev_t minor allocation lifetime
- dm cache: fix race causing dirty blocks to be marked as clean
- percpu: fix pcpu_alloc_pages() failure path
- percpu: perform tlb flush after pcpu_map_pages() failure
- regulatory: add NUL to alpha2
- lockd: fix rpcbind crash on lockd startup failure (regression in 3.15)
- genhd: fix leftover might_sleep() in blk_free_devt()
- eventpoll: fix uninitialized variable in epoll_ctl
- kcmp: fix standard comparison bug
- fs/notify: don't show f_handle if exportfs_encode_inode_fh failed
- nilfs2: fix data loss with mmap()
- mm, slab: initialize object alignment on cache creation
- fs/cachefiles: add missing \n to kerror conversions (regression in 3.16)
- mm: softdirty: keep bit when zapping file pte
- sched: Fix unreleased llc_shared_mask bit during CPU hotplug
- brcmfmac: handle IF event for P2P_DEVICE interface (regression in 3.12)
- ath9k_htc: fix random decryption failure (regression in 3.15)
- [powerpc,ppc*] Add smp_mb() to arch_spin_is_locked()
- [powerpc,ppc*] Add smp_mb()s to arch_spin_unlock_wait()
- [hppa] Implement new LWS CAS supporting 64 bit operations.
- alarmtimer: Return relative times in timer_gettime
- alarmtimer: Do not signal SIGEV_NONE timers
- alarmtimer: Lock k_itimer during timer callback
- GFS2: fix d_splice_alias() misuses
- IB/qib: Correct reference counting in debugfs qp_stats
- IB/mlx4: Avoid null pointer dereference in mlx4_ib_scan_netdevs()
(regression in 3.14)
- IB/mlx4: Don't duplicate the default RoCE GID (regression in 3.14)
- IB/core: When marshaling uverbs path, clear unused fields
(regression in 3.14)
- mm: Fix unbalanced mutex in dma_pool_create(). (regression in 3.16)
- PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device
(regression in 3.15)
- Revert "PCI: Don't scan random busses in pci_scan_bridge()"
(regression in 3.15)
- drm/nouveau/runpm: fix module unload
- drm/radeon/px: fix module unload
- fs: Fix nasty 32-bit overflow bug in buffer i/o code.
- blk-mq: Avoid race condition with uninitialized requests
- [x86] crypto: ccp - Check for CCP before registering crypto algs
- nl80211: clear skb cb before passing to netlink
- Revert "PCI: Make sure bus number resources stay within their parents
bounds" (regression in 3.15)
- cpufreq: release policy->rwsem on error (regression in 3.14)
- cpufreq: fix cpufreq suspend/resume for intel_pstate (regression in 3.15)
- media: it913x: init tuner on attach (regression in 3.15)
- media: videobuf2-dma-sg: fix for wrong GFP mask to
sg_alloc_table_from_pages (regression in 3.13)
- media: vb2: fix vb2 state check when start_streaming fails
(regression in 3.16.3)
- media: vb2: fix plane index sanity check in vb2_plane_cookie()
- md/raid1: clean up request counts properly in close_sync()
(regression in 3.13)
- md/raid1: be more cautious where we read-balance during resync.
(regression in 3.13)
- md/raid1: make sure resync waits for conflicting writes to complete.
(regression in 3.13)
- md/raid1: Don't use next_resync to determine how far resync has
progressed (regression in 3.13)
- md/raid1: update next_resync under resync_lock. (regression in 3.13)
- md/raid1: count resync requests in nr_pending. (regression in 3.13)
- md/raid1: fix_read_error should act on all non-faulty devices.
- md/raid1: intialise start_next_window for READ case to avoid hang
(regression in 3.13)
- netfilter: xt_hashlimit: perform garbage collection from process context
- mmc: mmci: Reverse IRQ handling for the arm_variant (regression in 3.15)
- partitions: aix.c: off by one bug (regression in 3.11)
- cpufreq: update 'cpufreq_suspended' after stopping governors
- aio: block exit_aio() until all context requests are completed
- ext4: propagate errors up to ext4_find_entry()'s callers
- ext4: avoid trying to kfree an ERR_PTR pointer
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.5
- udf: Avoid infinite loop when processing indirect ICBs (CVE-2014-6410)
- ASoC: core: fix possible ZERO_SIZE_PTR pointer dereferencing error.
- perf: fix perf bug in fork()
- mm: memcontrol: do not iterate uninitialized memcgs (regression in 3.14)
- mm: migrate: Close race between migration completion and mprotect
- [x86] ACPI / i915: Update the condition to ignore firmware backlight
change request (regression in 3.16)
- [x86] cpufreq: pcc-cpufreq: Fix wait_event() under spinlock
(regression in 3.15)
- md/raid5: disable 'DISCARD' by default due to safety concerns.
- [x86] drm/i915: Flush the PTEs after updating them before suspend
(regression in 3.12)
- cifs: Fix problem recognizing symlinks (regression in 3.13)
- ring-buffer: Fix infinite spin in reading buffer (regression in 3.16.3)
- mm: numa: Do not mark PTEs pte_numa when splitting huge pages
- media: vb2: fix VBI/poll regression
[ Ian Campbell ]
* [armhf] Add Exynos5 disk/usb/nic modules to udebs.
* [armhf] Backport BananaPi device tree files. Patch from Karsten
Merker (Closes: #763897).
[ Ben Hutchings ]
* [hppa/parisc64-smp] Work around gcc 4.8 miscompilation (Closes: #762390)
* [powerpc/powerpc64,ppc64*] video/fb: Change FB_MATROX, FB_RADEON, FB_ATY,
FB_SIS, FB_3DFX, FB_VOODOO1 back to modules (Closes: #748398)
* udeb: Add pata_rdc to pata-modules (Closes: #633128)
* [s390*] 3215: fix tty output containing tabs (Closes: #758264)
* radeon: Don't check for installed firmware if driver is built-in
(Closes: #763305)
* Bump ABI to 3
* vfs: fold swapping ->d_name.hash into switch_names()
* vfs: Don't exchange "short" filenames unconditionally. (Closes: #763700)
* [hppa,m68k,mips/r4k-ip22,sparc*] bluetooth: Enable BT as module
(Closes: #764524)
[ Aurelien Jarno ]
* [arm64] Change RTC_DRV_PL031 and RTC_DRV_XGENE from modules to built-ins
as the kernel isn't able to initialize the system clock from a hardware
clock whose driver is a module, and as there is no initramfs mechanism
to do that.
* [armhf] Change RTC_DRV_DA9052, RTC_DRV_IMXDI, RTC_DRV_MC13XXX,
RTC_DRV_MV, RTC_DRV_MXC, RTC_DRV_OMAP, RTC_DRV_PL030, RTC_DRV_PL031,
RTC_DRV_S5M, RTC_DRV_SUNXI, RTC_DRV_VT8500 from modules to built-ins for
the same reason as above.
-- Ben Hutchings <ben@decadent.org.uk> Fri, 10 Oct 2014 09:15:17 +0100
linux (3.16.3-2) unstable; urgency=medium
[ Ben Hutchings ]
* [s390*] syscall: Fix unimplented-syscall entries added before
memfd_create() (fixes FTBFS) (Closes: #762221)
* [armel/kirkwood] Change configuration to reduce kernel image size
(fixes FTBFS) (Closes: #762219)
- block: Change IOSCHED_DEADLINE to module
- gpu: Disable VGA_ARB
[ Aurelien Jarno ]
* [mips*/octeon] Enable OCTEON_USB, USB_EHCI_HCD, USB_OHCI_HCD,
and USB_OCTEON_EHCI, USB_OCTEON_OHCI (Closes: #762066).
-- Bastian Blank <waldi@debian.org> Sat, 20 Sep 2014 11:43:05 +0200
linux (3.16.3-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.3
- reiserfs: fix corruption introduced by balance_leaf refactor
(regression in 3.16) (Closes: #761457)
- reiserfs: Fix use after free in journal teardown
- media: v4l: vb2: Fix stream start and buffer completion race
- [x86] iommu/vt-d: Exclude devices using RMRRs from IOMMU API domains
- [powerpc*] powerpc/powernv: Fix IOMMU group lost (regression in 3.15)
- [x86] iommu/vt-d: Defer domain removal if device is assigned to a driver
- [x86] iommu/amd: Fix cleanup_domain for mass device removal
- [s390*] locking: Reenable optimistic spinning
- firmware: Do not use WARN_ON(!spin_is_locked())
- CAPABILITIES: remove undefined caps from all processes
- fanotify: fix double free of pending permission events
- ocfs2: do not write error flag to user structure we cannot copy from/to
- [powerpc*] mm: fix potential infinite loop in dissolve_free_huge_pages()
- drivers/mfd/rtsx_usb.c: export device table (Closes: #761428)
- [powerpc*] mm: Use read barrier when creating real_pte
- [powerpc*] thp: Add write barrier after updating the valid bit
- [powerpc*] thp: Invalidate old 64K based hash page mapping before insert
of 4k pte
- [powerpc*] thp: Handle combo pages in invalidate
- [powerpc*] thp: Invalidate with vpn in loop
- [powerpc*] thp: Use ACCESS_ONCE when loading pmdp
- SCSI: save command pool address of Scsi_Host (regression in 3.15)
- fix regression in SCSI_IOCTL_SEND_COMMAND (regression in 3.16)
- [mips*] GIC: Prevent array overrun
- [mips*] ptrace: Test correct task's flags in task_user_regset_view()
- [mips*] ptrace: Change GP regset to use correct core dump register layout
- [mips*] ptrace: Avoid smp_processor_id() when retrieving FPU IR
- [mips*] syscall: Fix AUDIT value for O32 processes on MIPS64
- [mips*] scall64-o32: Fix indirect syscall detection
- [mips,powerpc] bfa: Fix undefined bit shift on big-endian architectures
with 32-bit DMA address
- ACPI / hotplug: Check scan handlers in acpi_scan_hot_remove()
(regression in 3.14)
- ACPI: Run fixed event device notifications in process context
(regression in 3.15)
- ACPI / scan: Allow ACPI drivers to bind to PNP device objects
(regression in 3.16)
- ACPI / EC: Add support to disallow QR_EC to be issued when SCI_EVT isn't
set (regression in 3.14.13, 3.16)
- ACPI / EC: Add support to disallow QR_EC to be issued before completing
previous QR_EC (regression in 3.14.13, 3.16)
- ACPI / scan: not cache _SUN value in struct acpi_device_pnp
(regression in 3.14)
- ACPI / video: Add a disable_native_backlight quirk
- ACPI / video: Disable native_backlight on HP ENVY 15 Notebook PC
- ring-buffer: Always reset iterator to reader page
- ring-buffer: Up rb_iter_peek() loop count to 3
- vfs: get rid of propagate_umount() mistakenly treating slaves as busy.
(regression in 3.15)
- Bluetooth: Fix tracking local SSP authentication requirement
- Bluetooth: Avoid use of session socket after the session gets freed
- vfs: __generic_file_write_iter(): fix handling of sync error after DIO
(regression in 3.16)
- rbd: rework rbd_request_fn() (regression in 3.15)
- vfs: fix copy_tree() regression (regression in 3.14)
- md/raid1,raid10: always abort recover on write error.
- md/raid5: avoid livelock caused by non-aligned writes.
(regression in 3.16)
- md/raid6: avoid data corruption during recovery of double-degraded RAID6
- md/raid10: fix memory leak when reshaping a RAID10.
- xfs: ensure verifiers are attached to recovered buffers
- xfs: quotacheck leaves dquot buffers without verifiers
- xfs: don't dirty buffers beyond EOF
- xfs: don't zero partial page cache pages during O_DIRECT writes
- xfs: don't zero partial page cache pages during O_DIRECT reads
- libceph: set last_piece in ceph_msg_data_pages_cursor_init() correctly
- libceph: gracefully handle large reply messages from the mon
- libceph: do not hard code max auth ticket len (CVE-2014-6416,
CVE-2014-6417, CVE-2014-6418)
- CIFS: Fix async reading on reconnects
- CIFS: Possible null ptr deref in SMB2_tcon
- CIFS: Fix wrong directory attributes after rename
- mtd/ftl: fix the double free of the buffers allocated in build_maps()
- mtd: nand: omap: Fix 1-bit Hamming code scheme, omap_calculate_ecc()
- dm table: propagate QUEUE_FLAG_NO_SG_MERGE (regression in 3.16)
- KEYS: Fix use-after-free in assoc_array_gc()
- KEYS: Fix termination condition in assoc array garbage collection
(CVE-2014-3631)
[ Ben Hutchings ]
* sfc: Adding PCI ID for Solarflare 7000 series 40G network adapter.
* sfc: Add 40G link capability decoding
* Bump ABI to 2 (Closes: #761874)
* ata: Enable SATA_ZPODD
* tracing: Enable TRACER_SNAPSHOT
* Add memfd_create() and shared memory sealing (Closes: #760702):
- mm: allow drivers to prevent new writable mappings
- shm: add sealing API
- shm: add memfd_create() syscall
- shm: wait for pins to be released when sealing
- mm: Add memfd_create() system call
- [arm*,m68k,mips*,powerpc*,s390*,sparc*] Wire up memfd_create()
* udeb: Add ccm, ctr to crypto-modules (Closes: #761902)
* [armhf] udeb: Add ehci-platform, ohci-platform and phy-sun4i-usb to
usb-modules (Closes: #761591)
[ Ian Campbell ]
* [armhf] Enable support for Exynos5 systems. (Closes: #759291)
* [arm64] Enable crypto accelerator modules
* [arm64] Add cdrom-core-modules udeb
[ Aurelien Jarno ]
* [powerpc/powerpc64,ppc64el] Backport more KVM patches from 3.17. Enable
KVM_BOOK3S_64, KVM_BOOK3S_64_HV, KVM_BOOK3S_64_PR and KVM_XICS. (Closes:
#761656).
-- Ben Hutchings <ben@decadent.org.uk> Thu, 18 Sep 2014 03:32:47 +0100
linux (3.16.2-3) unstable; urgency=medium
[ Ben Hutchings ]

3
debian/config/alpha/config vendored
View File

@ -415,14 +415,11 @@ CONFIG_MMC_BLOCK=m
##
## file: drivers/mtd/Kconfig
##
CONFIG_MTD=m
CONFIG_MTD_REDBOOT_PARTS=y
CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1
CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED=y
CONFIG_MTD_REDBOOT_PARTS_READONLY=y
CONFIG_MTD_CMDLINE_PARTS=y
CONFIG_MTD_BLOCK=m
CONFIG_MTD_BLOCK_RO=m
CONFIG_FTL=m
CONFIG_NFTL=m
CONFIG_NFTL_RW=y

6
debian/config/amd64/defines vendored
View File

@ -1,7 +1,3 @@
[abi]
ignore-changes:
module:arch/x86/kvm/*
[base]
featuresets:
none
@ -13,7 +9,7 @@ debug-info: true
image-file: arch/x86/boot/bzImage
[image]
bootloaders: grub-pc extlinux lilo
bootloaders: grub-pc grub-efi extlinux
configs:
install-stem: vmlinuz

24
debian/config/arm64/config vendored
View File

@ -7,6 +7,18 @@ CONFIG_SMP=y
CONFIG_XEN=y
CONFIG_COMPAT=y
##
## file: arch/arm64/crypto/Kconfig
##
CONFIG_ARM64_CRYPTO=y
CONFIG_CRYPTO_SHA1_ARM64_CE=m
CONFIG_CRYPTO_SHA2_ARM64_CE=m
CONFIG_CRYPTO_GHASH_ARM64_CE=m
CONFIG_CRYPTO_AES_ARM64_CE=m
CONFIG_CRYPTO_AES_ARM64_CE_CCM=m
CONFIG_CRYPTO_AES_ARM64_CE_BLK=m
# CONFIG_CRYPTO_AES_ARM64_NEON_BLK is not set
##
## file: drivers/ata/Kconfig
##
@ -76,8 +88,8 @@ CONFIG_POWER_RESET_XGENE=y
##
## file: drivers/rtc/Kconfig
##
CONFIG_RTC_DRV_PL031=m
CONFIG_RTC_DRV_XGENE=m
CONFIG_RTC_DRV_PL031=y
CONFIG_RTC_DRV_XGENE=y
##
## file: drivers/tty/serial/Kconfig
@ -101,6 +113,14 @@ CONFIG_SERIAL_8250_RUNTIME_UARTS=4
CONFIG_SERIAL_8250_DW=y
# CONFIG_SERIAL_8250_EM is not set
##
## file: drivers/usb/host/Kconfig
##
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_EHCI_HCD_PLATFORM=m
CONFIG_USB_OHCI_HCD=m
CONFIG_USB_OHCI_HCD_PLATFORM=m
##
## file: drivers/virtio/Kconfig
##

10
debian/config/armel/config.kirkwood vendored
View File

@ -49,6 +49,11 @@ CONFIG_ARM_THUMB=y
# CONFIG_CPU_DCACHE_DISABLE is not set
# CONFIG_CPU_DCACHE_WRITETHROUGH is not set
##
## file: block/Kconfig.iosched
##
CONFIG_IOSCHED_DEADLINE=m
##
## file: block/partitions/Kconfig
##
@ -168,6 +173,11 @@ CONFIG_GPIO_SYSFS=y
##
# CONFIG_DRM is not set
##
## file: drivers/gpu/vga/Kconfig
##
# CONFIG_VGA_ARB is not set
##
## file: drivers/hwmon/Kconfig
##

109
debian/config/armhf/config.armmp vendored
View File

@ -26,6 +26,14 @@ CONFIG_NEON=y
#. DEBUG_LL is incompatible with multiplatform
# CONFIG_DEBUG_LL is not set
##
## file: arch/arm/mach-exynos/Kconfig
##
CONFIG_ARCH_EXYNOS=y
# CONFIG_ARCH_EXYNOS3 is not set
# CONFIG_ARCH_EXYNOS4 is not set
CONFIG_ARCH_EXYNOS5=y
##
## file: arch/arm/mach-highbank/Kconfig
##
@ -132,6 +140,7 @@ CONFIG_HW_RANDOM_OMAP=m
## file: drivers/clk/Kconfig
##
CONFIG_CLK_TWL6040=m
CONFIG_COMMON_CLK_S2MPS11=m
##
## file: drivers/cpufreq/Kconfig
@ -172,6 +181,7 @@ CONFIG_TI_CPPI41=m
CONFIG_GPIO_SYSFS=y
CONFIG_GPIO_DA9052=m
CONFIG_GPIO_GENERIC_PLATFORM=m
CONFIG_GPIO_PCA953X=m
CONFIG_GPIO_TWL4030=y
CONFIG_GPIO_TWL6040=y
@ -185,6 +195,11 @@ CONFIG_DRM=m
##
CONFIG_DRM_I2C_NXP_TDA998X=m
##
## file: drivers/gpu/drm/omapdrm/Kconfig
##
CONFIG_DRM_OMAP=m
##
## file: drivers/gpu/drm/tilcdc/Kconfig
##
@ -195,6 +210,11 @@ CONFIG_DRM_TILCDC=m
##
CONFIG_IMX_IPUV3_CORE=m
##
## file: drivers/hwmon/Kconfig
##
CONFIG_SENSORS_G762=m
##
## file: drivers/hwspinlock/Kconfig
##
@ -208,12 +228,19 @@ CONFIG_I2C_CHARDEV=m
##
## file: drivers/i2c/busses/Kconfig
##
CONFIG_I2C_EXYNOS5=m
CONFIG_I2C_GPIO=y
CONFIG_I2C_IMX=m
CONFIG_I2C_MV64XXX=m
CONFIG_I2C_OMAP=y
CONFIG_I2C_S3C2410=y
CONFIG_I2C_VERSATILE=m
##
## file: drivers/i2c/muxes/Kconfig
##
CONFIG_I2C_ARB_GPIO_CHALLENGE=m
##
## file: drivers/iio/Kconfig
##
@ -223,6 +250,7 @@ CONFIG_IIO=m
## file: drivers/iio/adc/Kconfig
##
CONFIG_TI_AM335X_ADC=m
CONFIG_TWL4030_MADC=m
##
## file: drivers/iio/light/Kconfig
@ -272,6 +300,7 @@ CONFIG_LEDS_CLASS=y
CONFIG_LEDS_GPIO=m
CONFIG_LEDS_LP5523=m
CONFIG_LEDS_DA9052=m
CONFIG_LEDS_PWM=m
##
## file: drivers/leds/trigger/Kconfig
@ -324,6 +353,7 @@ CONFIG_MFD_DA9052_SPI=y
CONFIG_MFD_DA9052_I2C=y
CONFIG_MFD_MC13XXX_SPI=m
CONFIG_MFD_MC13XXX_I2C=m
CONFIG_MFD_SEC_CORE=y
CONFIG_MFD_TI_AM335X_TSCADC=m
CONFIG_TWL6040_CORE=y
@ -346,6 +376,8 @@ CONFIG_MMC=y
## file: drivers/mmc/host/Kconfig
##
CONFIG_MMC_ARMMMCI=m
CONFIG_MMC_DW=m
CONFIG_MMC_DW_EXYNOS=m
CONFIG_MMC_SDHCI=m
CONFIG_MMC_SDHCI_PLTFM=m
CONFIG_MMC_SDHCI_ESDHC_IMX=m
@ -366,6 +398,7 @@ CONFIG_MTD=y
##
CONFIG_MTD_NAND=y
CONFIG_MTD_NAND_OMAP2=m
CONFIG_MTD_NAND_PXA3xx=m
CONFIG_MTD_NAND_GPMI_NAND=m
CONFIG_MTD_NAND_ORION=m
CONFIG_MTD_NAND_MXC=m
@ -529,6 +562,11 @@ CONFIG_WL18XX=m
CONFIG_WLCORE_SPI=m
CONFIG_WLCORE_SDIO=m
##
## file: drivers/pci/host/Kconfig
##
CONFIG_PCI_MVEBU=y
##
## file: drivers/phy/Kconfig
##
@ -536,7 +574,11 @@ CONFIG_OMAP_CONTROL_PHY=m
CONFIG_OMAP_USB2=m
CONFIG_TI_PIPE3=m
CONFIG_TWL4030_USB=m
CONFIG_PHY_EXYNOS5250_SATA=m
CONFIG_PHY_SUN4I_USB=m
CONFIG_PHY_SAMSUNG_USB2=m
CONFIG_PHY_EXYNOS5250_USB2=y
CONFIG_PHY_EXYNOS5_USBDRD=m
##
## file: drivers/pinctrl/Kconfig
@ -551,6 +593,7 @@ CONFIG_PINCTRL_WM8850=y
##
## file: drivers/power/Kconfig
##
CONFIG_CHARGER_BQ2415X=m
CONFIG_BATTERY_BQ27x00=m
CONFIG_CHARGER_ISP1704=m
@ -580,22 +623,29 @@ CONFIG_REGULATOR_ANATOP=m
CONFIG_REGULATOR_DA9052=m
CONFIG_REGULATOR_MC13783=m
CONFIG_REGULATOR_MC13892=m
CONFIG_REGULATOR_S2MPA01=m
CONFIG_REGULATOR_S2MPS11=m
CONFIG_REGULATOR_S5M8767=m
CONFIG_REGULATOR_TWL4030=y
CONFIG_REGULATOR_VEXPRESS=m
##
## file: drivers/rtc/Kconfig
##
CONFIG_RTC_DRV_DA9052=m
CONFIG_RTC_DRV_IMXDI=m
CONFIG_RTC_DRV_OMAP=m
CONFIG_RTC_DRV_PL030=m
CONFIG_RTC_DRV_PL031=m
CONFIG_RTC_DRV_VT8500=m
CONFIG_RTC_DRV_SUNXI=m
CONFIG_RTC_DRV_MV=m
CONFIG_RTC_DRV_MC13XXX=m
CONFIG_RTC_DRV_MXC=m
CONFIG_RTC_DRV_ISL12057=y
CONFIG_RTC_DRV_DA9052=y
CONFIG_RTC_DRV_IMXDI=y
CONFIG_RTC_DRV_OMAP=y
CONFIG_RTC_DRV_PL030=y
CONFIG_RTC_DRV_PL031=y
CONFIG_RTC_DRV_VT8500=y
CONFIG_RTC_DRV_S5M=y
CONFIG_RTC_DRV_SUNXI=y
CONFIG_RTC_DRV_TWL4030=y
CONFIG_RTC_DRV_MV=y
CONFIG_RTC_DRV_MC13XXX=y
CONFIG_RTC_DRV_MXC=y
CONFIG_RTC_DRV_SNVS=y
##
## file: drivers/scsi/Kconfig
@ -615,6 +665,22 @@ CONFIG_SPI_PL022=m
CONFIG_SPI_SUN6I=m
CONFIG_SPI_SPIDEV=y
##
## file: drivers/hsi/Kconfig
##
CONFIG_HSI=m
##
## file: drivers/hsi/controllers/Kconfig
##
CONFIG_OMAP_SSI=m
##
## file: drivers/hsi/clients/Kconfig
##
CONFIG_NOKIA_MODEM=m
CONFIG_SSI_PROTOCOL=m
##
## file: drivers/staging/iio/accel/Kconfig
##
@ -658,6 +724,8 @@ CONFIG_SERIAL_OMAP_CONSOLE=y
CONFIG_SERIAL_ARC=y
CONFIG_SERIAL_ARC_CONSOLE=y
CONFIG_SERIAL_ARC_NR_PORTS=1
CONFIG_SERIAL_SAMSUNG=y
CONFIG_SERIAL_SAMSUNG_CONSOLE=y
##
## file: drivers/tty/serial/8250/Kconfig
@ -685,6 +753,14 @@ CONFIG_USB_CHIPIDEA_UDC=y
CONFIG_USB_CHIPIDEA_HOST=y
CONFIG_USB_CHIPIDEA_DEBUG=y
##
## file: drivers/usb/dwc3/Kconfig
##
CONFIG_USB_DWC3=m
CONFIG_USB_DWC3_HOST=y
CONFIG_USB_DWC3_EXYNOS=m
# CONFIG_USB_DWC3_PCI is not set
##
## file: drivers/usb/gadget/Kconfig
##
@ -700,13 +776,20 @@ CONFIG_USB_G_NOKIA=m
## file: drivers/usb/host/Kconfig
##
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_EHCI_EXYNOS=m
CONFIG_USB_EHCI_MXC=m
CONFIG_USB_EHCI_HCD_OMAP=y
CONFIG_USB_EHCI_HCD_PLATFORM=m
CONFIG_USB_OHCI_HCD=m
CONFIG_USB_OHCI_EXYNOS=m
CONFIG_USB_OHCI_HCD_OMAP3=y
CONFIG_USB_OHCI_HCD_PLATFORM=m
##
## file: drivers/usb/misc/Kconfig
##
CONFIG_USB_HSIC_USB3503=m
##
## file: drivers/usb/musb/Kconfig
##
@ -748,6 +831,11 @@ CONFIG_OMAP2_DSS_VENC=y
CONFIG_OMAP4_DSS_HDMI=y
CONFIG_OMAP2_DSS_SDI=y
##
## file: drivers/video/fbdev/omap2/displays-new/Kconfig
##
CONFIG_DISPLAY_PANEL_SONY_ACX565AKM=m
##
## file: drivers/video/fbdev/omap2/omapfb/Kconfig
##
@ -764,6 +852,7 @@ CONFIG_VIRTIO_MMIO=m
CONFIG_DA9052_WATCHDOG=m
CONFIG_ARM_SP805_WATCHDOG=m
CONFIG_OMAP_WATCHDOG=m
CONFIG_ORION_WATCHDOG=m
CONFIG_SUNXI_WATCHDOG=m
CONFIG_TWL4030_WATCHDOG=m
CONFIG_IMX2_WDT=m

11
debian/config/config vendored
View File

@ -146,8 +146,7 @@ CONFIG_ACPI_INITRD_TABLE_OVERRIDE=y
CONFIG_ATA=m
CONFIG_ATA_VERBOSE_ERROR=y
CONFIG_ATA_ACPI=y
#. TODO: Enable at next ABI bump
# CONFIG_SATA_ZPODD is not set
CONFIG_SATA_ZPODD=y
CONFIG_SATA_PMP=y
CONFIG_SATA_AHCI=m
# CONFIG_SATA_AHCI_PLATFORM is not set
@ -2190,7 +2189,7 @@ CONFIG_SENSORS_LIS3_I2C=m
##
## file: drivers/mmc/card/Kconfig
##
CONFIG_MMC_BLOCK_MINORS=8
CONFIG_MMC_BLOCK_MINORS=256
CONFIG_MMC_BLOCK_BOUNCE=y
CONFIG_SDIO_UART=m
# CONFIG_MMC_TEST is not set
@ -2222,6 +2221,9 @@ CONFIG_MMC_REALTEK_USB=m
##
## file: drivers/mtd/Kconfig
##
CONFIG_MTD=m
CONFIG_MTD_BLOCK=m
CONFIG_MTD_BLOCK_RO=m
# CONFIG_MTD_TESTS is not set
CONFIG_MTD_AR7_PARTS=m
CONFIG_RFD_FTL=m
@ -5115,8 +5117,7 @@ CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_IRQSOFF_TRACER is not set
# CONFIG_SCHED_TRACER is not set
CONFIG_FTRACE_SYSCALLS=y
#. TODO: Enable at next ABI bump
# CONFIG_TRACER_SNAPSHOT is not set
CONFIG_TRACER_SNAPSHOT=y
## choice: Branch Profiling
CONFIG_BRANCH_PROFILE_NONE=y
# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set

2
debian/config/defines vendored
View File

@ -1,5 +1,5 @@
[abi]
abiname: 1
abiname: 4
[base]
arches:

6
debian/config/hppa/config vendored
View File

@ -592,12 +592,6 @@ CONFIG_FLATMEM_MANUAL=y
##
# CONFIG_HAMRADIO is not set
##
## file: net/bluetooth/Kconfig
##
#. TODO
# CONFIG_BT is not set
##
## file: net/decnet/Kconfig
##

2
debian/config/i386/config.486 → debian/config/i386/config.586 vendored
View File

@ -18,7 +18,7 @@ CONFIG_OLPC_XO15_SCI=y
## file: arch/x86/Kconfig.cpu
##
## choice: Processor family
CONFIG_M486=y
CONFIG_M586TSC=y
# CONFIG_M686 is not set
## end choice

12
debian/config/i386/defines vendored
View File

@ -1,7 +1,3 @@
[abi]
ignore-changes:
module:arch/x86/kvm/*
[base]
featuresets:
none
@ -18,22 +14,22 @@ part-long-pae: This kernel requires PAE (Physical Address Extension).
Turion or Phenom; Transmeta Efficeon; VIA C7; and some other processors.
[image]
bootloaders: grub-pc extlinux lilo
bootloaders: grub-pc extlinux
configs:
install-stem: vmlinuz
[relations]
headers%gcc-4.8: linux-compiler-gcc-4.8-x86
[486_description]
[586_description]
hardware: older PCs
hardware-long: PCs with a single processor not supporting PAE
parts: up
[486_image]
[586_image]
configs:
kernelarch-x86/config-arch-32
i386/config.486
i386/config.586
[686-pae_build]
debug-info: true

2
debian/config/i386/none/defines vendored
View File

@ -1,6 +1,6 @@
[base]
flavours:
486
586
686-pae
amd64

3
debian/config/kernelarch-mips/config.4kc-malta vendored
View File

@ -186,10 +186,7 @@ CONFIG_MMC_BLOCK=m
##
## file: drivers/mtd/Kconfig
##
CONFIG_MTD=m
CONFIG_MTD_REDBOOT_PARTS=y
CONFIG_MTD_BLOCK=m
CONFIG_MTD_BLOCK_RO=m
CONFIG_FTL=m
CONFIG_NFTL=m
CONFIG_NFTL_RW=y

3
debian/config/kernelarch-mips/config.5kc-malta vendored
View File

@ -189,10 +189,7 @@ CONFIG_MMC_BLOCK=m
##
## file: drivers/mtd/Kconfig
##
CONFIG_MTD=m
CONFIG_MTD_REDBOOT_PARTS=y
CONFIG_MTD_BLOCK=m
CONFIG_MTD_BLOCK_RO=m
CONFIG_FTL=m
CONFIG_NFTL=m
CONFIG_NFTL_RW=y

23
debian/config/kernelarch-mips/config.octeon vendored
View File

@ -53,13 +53,18 @@ CONFIG_I2C_OCTEON=y
## file: drivers/input/keyboard/Kconfig
##
CONFIG_INPUT_KEYBOARD=y
CONFIG_KEYBOARD_ATKBD=y
# CONFIG_KEYBOARD_ATKBD is not set
##
## file: drivers/input/mouse/Kconfig
##
CONFIG_INPUT_MOUSE=y
CONFIG_MOUSE_PS2=y
# CONFIG_MOUSE_PS2 is not set
##
## file: drivers/input/serio/Kconfig
##
# CONFIG_SERIO_I8042 is not set
##
## file: drivers/input/touchscreen/Kconfig
@ -104,6 +109,11 @@ CONFIG_RTC_DRV_DS1307=y
##
CONFIG_OCTEON_ETHERNET=y
##
## file: drivers/staging/octeon-usb/Kconfig
##
CONFIG_OCTEON_USB=y
##
## file: drivers/tty/serial/8250/Kconfig
##
@ -111,6 +121,15 @@ CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_SERIAL_8250_NR_UARTS=2
CONFIG_SERIAL_8250_RUNTIME_UARTS=2
CONFIG_SERIAL_8250_DW=y
##
## file: drivers/usb/host/Kconfig
##
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_OCTEON_EHCI=y
CONFIG_USB_OCTEON_OHCI=y
CONFIG_USB_OHCI_HCD=m
##
## file: kernel/power/Kconfig

5
debian/config/kernelarch-mips/config.r4k-ip22 vendored
View File

@ -150,11 +150,6 @@ CONFIG_FB=y
##
CONFIG_INDYDOG=m
##
## file: net/bluetooth/Kconfig
##
# CONFIG_BT is not set
##
## file: sound/mips/Kconfig
##

13
debian/config/kernelarch-powerpc/config vendored
View File

@ -808,34 +808,31 @@ CONFIG_FB_CIRRUS=m
# CONFIG_FB_PM2 is not set
# CONFIG_FB_CYBER2000 is not set
CONFIG_FB_OF=y
CONFIG_FB_CT65550=y
# CONFIG_FB_ASILIANT is not set
# CONFIG_FB_VGA16 is not set
CONFIG_FB_S1D13XXX=m
CONFIG_FB_MATROX=y
CONFIG_FB_MATROX=m
CONFIG_FB_MATROX_MILLENIUM=y
CONFIG_FB_MATROX_MYSTIQUE=y
CONFIG_FB_MATROX_G=y
CONFIG_FB_MATROX_I2C=m
CONFIG_FB_MATROX_MAVEN=m
CONFIG_FB_RADEON=y
CONFIG_FB_RADEON=m
CONFIG_FB_RADEON_I2C=y
# CONFIG_FB_RADEON_DEBUG is not set
CONFIG_FB_ATY128=y
CONFIG_FB_ATY=y
CONFIG_FB_ATY=m
CONFIG_FB_ATY_CT=y
CONFIG_FB_ATY_GENERIC_LCD=y
CONFIG_FB_ATY_GX=y
CONFIG_FB_SAVAGE=m
CONFIG_FB_SAVAGE_I2C=y
CONFIG_FB_SAVAGE_ACCEL=y
CONFIG_FB_SIS=y
CONFIG_FB_SIS=m
CONFIG_FB_SIS_300=y
CONFIG_FB_SIS_315=y
CONFIG_FB_NEOMAGIC=m
CONFIG_FB_KYRO=m
CONFIG_FB_3DFX=y
CONFIG_FB_VOODOO1=y
CONFIG_FB_VOODOO1=m
CONFIG_FB_TRIDENT=m
CONFIG_FB_IBM_GXT4500=m
# CONFIG_FB_VIRTUAL is not set

13
debian/config/kernelarch-powerpc/config-arch-64 vendored
View File

@ -9,9 +9,16 @@ CONFIG_NUMA=y
CONFIG_PPC_64K_PAGES=y
## end choice
CONFIG_SCHED_SMT=y
CONFIG_CMDLINE="console=hvsi0 console=hvc0 console=ttyS0,9600 console=tty0"
CONFIG_KERNEL_START=0xc000000000000000
##
## file: arch/powerpc/kvm/Kconfig
##
CONFIG_KVM_BOOK3S_64=m
CONFIG_KVM_BOOK3S_64_HV=m
CONFIG_KVM_BOOK3S_64_PR=m
CONFIG_KVM_XICS=y
##
## file: arch/powerpc/platforms/Kconfig
##
@ -107,11 +114,7 @@ CONFIG_HVCS=m
##
## file: drivers/video/fbdev/Kconfig
##
# CONFIG_FB_CONTROL is not set
# CONFIG_FB_PLATINUM is not set
# CONFIG_FB_VALKYRIE is not set
# CONFIG_FB_IMSTT is not set
# CONFIG_FB_ATY128 is not set
##
## file: drivers/watchdog/Kconfig

5
debian/config/kernelarch-powerpc/config-arch-64-be vendored
View File

@ -1,3 +1,8 @@
##
## file: arch/powerpc/Kconfig
##
CONFIG_CMDLINE="console=hvsi0 console=hvc0 console=ttyS0,9600 console=tty0"
##
## file: arch/powerpc/platforms/cell/Kconfig
##

5
debian/config/kernelarch-powerpc/config-arch-64-le vendored
View File

@ -1,3 +1,8 @@
##
## file: arch/powerpc/Kconfig
##
# CONFIG_CMDLINE_BOOL is not set
##
## file: arch/powerpc/platforms/Kconfig.cputype
##

5
debian/config/kernelarch-sparc/config vendored
View File

@ -558,11 +558,6 @@ CONFIG_SPARSEMEM_MANUAL=y
##
# CONFIG_HAMRADIO is not set
##
## file: net/bluetooth/Kconfig
##
# CONFIG_BT is not set
##
## file: net/decnet/Kconfig
##

3
debian/config/kernelarch-x86/config vendored
View File

@ -799,14 +799,11 @@ CONFIG_MMC_SDHCI_ACPI=m
##
## file: drivers/mtd/Kconfig
##
CONFIG_MTD=m
CONFIG_MTD_REDBOOT_PARTS=y
CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1
# CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED is not set
# CONFIG_MTD_REDBOOT_PARTS_READONLY is not set
# CONFIG_MTD_CMDLINE_PARTS is not set
CONFIG_MTD_BLOCK=m
CONFIG_MTD_BLOCK_RO=m
CONFIG_FTL=m
CONFIG_NFTL=m
CONFIG_NFTL_RW=y

5
debian/config/m68k/config vendored
View File

@ -780,11 +780,6 @@ CONFIG_HZ_PERIODIC=y
##
# CONFIG_BATMAN_ADV is not set
##
## file: net/bluetooth/Kconfig
##
# CONFIG_BT is not set
##
## file: net/can/Kconfig
##

8
debian/config/powerpc/config.powerpc vendored
View File

@ -88,7 +88,15 @@ CONFIG_SERIAL_MPC52xx_CONSOLE_BAUD=115200
CONFIG_FB_CONTROL=y
CONFIG_FB_PLATINUM=y
CONFIG_FB_VALKYRIE=y
CONFIG_FB_CT65550=y
CONFIG_FB_IMSTT=y
CONFIG_FB_MATROX=y
CONFIG_FB_RADEON=y
CONFIG_FB_ATY128=y
CONFIG_FB_ATY=y
CONFIG_FB_SIS=y
CONFIG_FB_3DFX=y
CONFIG_FB_VOODOO1=y
##
## file: init/Kconfig

2
debian/installer/arm64/modules/arm64/cdrom-core-modules vendored Normal file
View File

@ -0,0 +1,2 @@
#include <cdrom-core-modules>

1
debian/installer/armhf/modules/armhf-armmp/mmc-modules vendored
View File

@ -3,3 +3,4 @@ sdhci-esdhc-imx
mmci
omap_hsmmc
sunxi-mmc
dw_mmc-exynos

3
debian/installer/armhf/modules/armhf-armmp/mtd-modules vendored Normal file
View File

@ -0,0 +1,3 @@
#include <mtd-modules>
mxc_nand
pxa3xx_nand

2
debian/installer/armhf/modules/armhf-armmp/sata-modules vendored
View File

@ -3,4 +3,4 @@ ahci_platform
ahci_imx
ahci_sunxi
sata_highbank
phy-exynos5250-sata

6
debian/installer/armhf/modules/armhf-armmp/usb-modules vendored
View File

@ -1 +1,7 @@
#include <usb-modules>
phy-sun4i-usb
dwc3-exynos
ohci-exynos
ehci-exynos
phy-exynos-usb2
ci_hdrc_imx

1
debian/installer/hppa/modules/hppa-parisc64-smp/ata-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/ata-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/crc-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/crc-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/event-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/event-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/isofs-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/isofs-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/jfs-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/jfs-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/mouse-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/mouse-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/nic-shared-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/nic-shared-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/nic-usb-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/nic-usb-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/sata-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/sata-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/scsi-common-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/scsi-common-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/serial-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/serial-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/squashfs-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/squashfs-modules"

1
debian/installer/hppa/modules/hppa-parisc64-smp/usb-serial-modules vendored Normal file
View File

@ -0,0 +1 @@
#include "../hppa/usb-serial-modules"

1
debian/installer/hppa/modules/hppa/ata-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <ata-modules>

1
debian/installer/hppa/modules/hppa/crc-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <crc-modules>

1
debian/installer/hppa/modules/hppa/event-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <event-modules>

1
debian/installer/hppa/modules/hppa/isofs-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <isofs-modules>

1
debian/installer/hppa/modules/hppa/jfs-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <jfs-modules>

1
debian/installer/hppa/modules/hppa/mouse-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <mouse-modules>

1
debian/installer/hppa/modules/hppa/nic-shared-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <nic-shared-modules>

1
debian/installer/hppa/modules/hppa/nic-usb-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <nic-usb-modules>

2
debian/installer/hppa/modules/hppa/sata-modules vendored Normal file
View File

@ -0,0 +1,2 @@
#include <sata-modules>

2
debian/installer/hppa/modules/hppa/scsi-common-modules vendored Normal file
View File

@ -0,0 +1,2 @@
#include <scsi-common-modules>

1
debian/installer/hppa/modules/hppa/scsi-modules vendored
View File

@ -4,7 +4,6 @@ lasi700
osst
sg
st
sym53c8xx
zalon7xx
megaraid ?
megaraid_mbox ?

1
debian/installer/hppa/modules/hppa/serial-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <serial-modules>

1
debian/installer/hppa/modules/hppa/squashfs-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <squashfs-modules>

1
debian/installer/hppa/modules/hppa/usb-serial-modules vendored Normal file
View File

@ -0,0 +1 @@
#include <usb-serial-modules>

2
debian/installer/i386/kernel-versions vendored
View File

@ -1,3 +1,3 @@
# arch version flavour installedname suffix build-depends
i386 - 486 - - -
i386 - 586 - - -
i386 - 686-pae - - -

1
debian/installer/mips/modules/mips-octeon/usb-modules vendored
View File

@ -1 +1,2 @@
#include <usb-modules>
octeon-hcd

2
debian/installer/modules/crypto-modules vendored
View File

@ -4,4 +4,6 @@ twofish_generic
serpent_generic
sha256_generic
cbc ?
ccm
ctr
xts

2
debian/installer/modules/mmc-modules vendored
View File

@ -4,3 +4,5 @@ sdhci-pci ?
sdhci-acpi ?
ricoh_mmc ?
tifm_sd ?
dw_mmc ?
dw_mmc_pltfm ?

1
debian/installer/modules/pata-modules vendored
View File

@ -28,6 +28,7 @@ pata_pdc202xx_old ?
pata_piccolo ?
pata_qdi ?
pata_radisys ?
pata_rdc ?
pata_rz1000 ?
pata_sc1200 ?
pata_serverworks ?

4
debian/installer/modules/usb-modules vendored
View File

@ -1,7 +1,11 @@
ehci-hcd ?
ehci-pci ?
ehci-platform ?
ohci-hcd ?
ohci-pci ?
ohci-platform ?
uhci-hcd ?
xhci-hcd ?
usbcore ?
dwc3 ?
usb3503 ?

2
debian/lib/python/debian_linux/gencontrol.py vendored
View File

@ -275,7 +275,7 @@ class Gencontrol(object):
def subst(match):
return vars[match.group(1)]
return re.sub(r'@([-_a-z]+)@', subst, six.text_type(s))
return re.sub(r'@([-_a-z0-9]+)@', subst, six.text_type(s))
def write(self, packages, makefile):
self.write_control(packages.values())

52
debian/patches/bugfix/all/SUNRPC-Don-t-wake-tasks-during-connection-abort.patch vendored Normal file
View File

@ -0,0 +1,52 @@
From: Benjamin Coddington <bcodding@redhat.com>
Date: Tue, 23 Sep 2014 12:26:19 -0400
Subject: [1/2] SUNRPC: Don't wake tasks during connection abort
Origin: https://git.kernel.org/linus/a743419f420a64d442280845c0377a915b76644f
Bug-Debian: https://bugs.debian.org/767219
When aborting a connection to preserve source ports, don't wake the task in
xs_error_report. This allows tasks with RPC_TASK_SOFTCONN to succeed if the
connection needs to be re-established since it preserves the task's status
instead of setting it to the status of the aborting kernel_connect().
This may also avoid a potential conflict on the socket's lock.
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Cc: stable@vger.kernel.org # 3.14+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
---
include/linux/sunrpc/xprt.h | 1 +
net/sunrpc/xprtsock.c | 4 ++++
2 files changed, 5 insertions(+)
--- a/include/linux/sunrpc/xprt.h
+++ b/include/linux/sunrpc/xprt.h
@@ -357,6 +357,7 @@ int xs_swapper(struct rpc_xprt *xprt,
#define XPRT_CONNECTION_ABORT (7)
#define XPRT_CONNECTION_CLOSE (8)
#define XPRT_CONGESTED (9)
+#define XPRT_CONNECTION_REUSE (10)
static inline void xprt_set_connected(struct rpc_xprt *xprt)
{
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -842,6 +842,8 @@ static void xs_error_report(struct sock
dprintk("RPC: xs_error_report client %p, error=%d...\n",
xprt, -err);
trace_rpc_socket_error(xprt, sk->sk_socket, err);
+ if (test_bit(XPRT_CONNECTION_REUSE, &xprt->state))
+ goto out;
xprt_wake_pending_tasks(xprt, err);
out:
read_unlock_bh(&sk->sk_callback_lock);
@@ -2241,7 +2243,9 @@ static void xs_tcp_setup_socket(struct w
abort_and_exit = test_and_clear_bit(XPRT_CONNECTION_ABORT,
&xprt->state);
/* "close" the socket, preserving the local port */
+ set_bit(XPRT_CONNECTION_REUSE, &xprt->state);
xs_tcp_reuse_connection(transport);
+ clear_bit(XPRT_CONNECTION_REUSE, &xprt->state);
if (abort_and_exit)
goto out_eagain;

1
debian/patches/bugfix/all/disable-some-marvell-phys.patch vendored
View File

@ -2,6 +2,7 @@ From: Ian Campbell <ijc@hellion.org.uk>
Subject: phy/marvell: disable 4-port phys
Date: Wed, 20 Nov 2013 08:30:14 +0000
Bug-Debian: https://bugs.debian.org/723177
Forwarded: http://thread.gmane.org/gmane.linux.debian.devel.bugs.general/1107774/
The Marvell PHY was originally disabled because it can cause networking
failures on some systems. According to Lennert Buytenhek this is because some

212
debian/patches/bugfix/all/drivers-net-Disable-UFO-through-virtio.patch vendored Normal file
View File

@ -0,0 +1,212 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 30 Oct 2014 18:27:12 +0000
Subject: [1/2] drivers/net: Disable UFO through virtio
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=3d0ad09412ffe00c9afa201d01effdb6023d09b4
IPv6 does not allow fragmentation by routers, so there is no
fragmentation ID in the fixed header. UFO for IPv6 requires the ID to
be passed separately, but there is no provision for this in the virtio
net protocol.
Until recently our software implementation of UFO/IPv6 generated a new
ID, but this was a bug. Now we will use ID=0 for any UFO/IPv6 packet
passed through a tap, which is even worse.
Unfortunately there is no distinction between UFO/IPv4 and v6
features, so disable UFO on taps and virtio_net completely until we
have a proper solution.
We cannot depend on VM managers respecting the tap feature flags, so
keep accepting UFO packets but log a warning the first time we do
this.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 916e4cf46d02 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data")
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/macvtap.c | 13 +++++--------
drivers/net/tun.c | 19 +++++++++++--------
drivers/net/virtio_net.c | 24 ++++++++++++++----------
3 files changed, 30 insertions(+), 26 deletions(-)
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -65,7 +65,7 @@ static struct cdev macvtap_cdev;
static const struct proto_ops macvtap_socket_ops;
#define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \
- NETIF_F_TSO6 | NETIF_F_UFO)
+ NETIF_F_TSO6)
#define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO)
#define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG)
@@ -569,6 +569,8 @@ static int macvtap_skb_from_vnet_hdr(str
gso_type = SKB_GSO_TCPV6;
break;
case VIRTIO_NET_HDR_GSO_UDP:
+ pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n",
+ current->comm);
gso_type = SKB_GSO_UDP;
break;
default:
@@ -614,8 +616,6 @@ static void macvtap_skb_to_vnet_hdr(cons
vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
else if (sinfo->gso_type & SKB_GSO_TCPV6)
vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
- else if (sinfo->gso_type & SKB_GSO_UDP)
- vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP;
else
BUG();
if (sinfo->gso_type & SKB_GSO_TCP_ECN)
@@ -950,9 +950,6 @@ static int set_offload(struct macvtap_qu
if (arg & TUN_F_TSO6)
feature_mask |= NETIF_F_TSO6;
}
-
- if (arg & TUN_F_UFO)
- feature_mask |= NETIF_F_UFO;
}
/* tun/tap driver inverts the usage for TSO offloads, where
@@ -963,7 +960,7 @@ static int set_offload(struct macvtap_qu
* When user space turns off TSO, we turn off GSO/LRO so that
* user-space will not receive TSO frames.
*/
- if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_UFO))
+ if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6))
features |= RX_OFFLOADS;
else
features &= ~RX_OFFLOADS;
@@ -1064,7 +1061,7 @@ static long macvtap_ioctl(struct file *f
case TUNSETOFFLOAD:
/* let the user check for future flags */
if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 |
- TUN_F_TSO_ECN | TUN_F_UFO))
+ TUN_F_TSO_ECN))
return -EINVAL;
rtnl_lock();
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -174,7 +174,7 @@ struct tun_struct {
struct net_device *dev;
netdev_features_t set_features;
#define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \
- NETIF_F_TSO6|NETIF_F_UFO)
+ NETIF_F_TSO6)
int vnet_hdr_sz;
int sndbuf;
@@ -1149,8 +1149,18 @@ static ssize_t tun_get_user(struct tun_s
skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
break;
case VIRTIO_NET_HDR_GSO_UDP:
+ {
+ static bool warned;
+
+ if (!warned) {
+ warned = true;
+ netdev_warn(tun->dev,
+ "%s: using disabled UFO feature; please fix this program\n",
+ current->comm);
+ }
skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
break;
+ }
default:
tun->dev->stats.rx_frame_errors++;
kfree_skb(skb);
@@ -1251,8 +1261,6 @@ static ssize_t tun_put_user(struct tun_s
gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
else if (sinfo->gso_type & SKB_GSO_TCPV6)
gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
- else if (sinfo->gso_type & SKB_GSO_UDP)
- gso.gso_type = VIRTIO_NET_HDR_GSO_UDP;
else {
pr_err("unexpected GSO type: "
"0x%x, gso_size %d, hdr_len %d\n",
@@ -1761,11 +1769,6 @@ static int set_offload(struct tun_struct
features |= NETIF_F_TSO6;
arg &= ~(TUN_F_TSO4|TUN_F_TSO6);
}
-
- if (arg & TUN_F_UFO) {
- features |= NETIF_F_UFO;
- arg &= ~TUN_F_UFO;
- }
}
/* This gives the user a way to test for new features in future by
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -496,8 +496,17 @@ static void receive_buf(struct receive_q
skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
break;
case VIRTIO_NET_HDR_GSO_UDP:
+ {
+ static bool warned;
+
+ if (!warned) {
+ warned = true;
+ netdev_warn(dev,
+ "host using disabled UFO feature; please fix it\n");
+ }
skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
break;
+ }
case VIRTIO_NET_HDR_GSO_TCPV6:
skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
break;
@@ -836,8 +845,6 @@ static int xmit_skb(struct send_queue *s
hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
- else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
- hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_UDP;
else
BUG();
if (skb_shinfo(skb)->gso_type & SKB_GSO_TCP_ECN)
@@ -1657,7 +1664,7 @@ static int virtnet_probe(struct virtio_d
dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
- dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+ dev->hw_features |= NETIF_F_TSO
| NETIF_F_TSO_ECN | NETIF_F_TSO6;
}
/* Individual feature bits: what can host handle? */
@@ -1667,11 +1674,9 @@ static int virtnet_probe(struct virtio_d
dev->hw_features |= NETIF_F_TSO6;
if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_ECN))
dev->hw_features |= NETIF_F_TSO_ECN;
- if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_UFO))
- dev->hw_features |= NETIF_F_UFO;
if (gso)
- dev->features |= dev->hw_features & (NETIF_F_ALL_TSO|NETIF_F_UFO);
+ dev->features |= dev->hw_features & NETIF_F_ALL_TSO;
/* (!csum && gso) case will be fixed by register_netdev() */
}
if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
@@ -1711,8 +1716,7 @@ static int virtnet_probe(struct virtio_d
/* If we can receive ANY GSO packets, we must allocate large ones. */
if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) ||
- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) ||
- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO))
+ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN))
vi->big_packets = true;
if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF))
@@ -1910,9 +1914,9 @@ static struct virtio_device_id id_table[
static unsigned int features[] = {
VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM,
VIRTIO_NET_F_GSO, VIRTIO_NET_F_MAC,
- VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6,
+ VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_TSO6,
VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6,
- VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO,
+ VIRTIO_NET_F_GUEST_ECN,
VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ,
VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN,
VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ,

135
debian/patches/bugfix/all/drivers-net-ipv6-Select-IPv6-fragment-idents-for-vir.patch vendored Normal file
View File

@ -0,0 +1,135 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 30 Oct 2014 18:27:17 +0000
Subject: [2/2] drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO
packets
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=5188cd44c55db3e92cd9e77a40b5baa7ed4340f7
UFO is now disabled on all drivers that work with virtio net headers,
but userland may try to send UFO/IPv6 packets anyway. Instead of
sending with ID=0, we should select identifiers on their behalf (as we
used to).
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 916e4cf46d02 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data")
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/macvtap.c | 3 +++
drivers/net/tun.c | 6 +++++-
include/net/ipv6.h | 2 ++
net/ipv6/output_core.c | 34 ++++++++++++++++++++++++++++++++++
4 files changed, 44 insertions(+), 1 deletion(-)
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -16,6 +16,7 @@
#include <linux/idr.h>
#include <linux/fs.h>
+#include <net/ipv6.h>
#include <net/net_namespace.h>
#include <net/rtnetlink.h>
#include <net/sock.h>
@@ -572,6 +573,8 @@ static int macvtap_skb_from_vnet_hdr(str
pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n",
current->comm);
gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
break;
default:
return -EINVAL;
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -65,6 +65,7 @@
#include <linux/nsproxy.h>
#include <linux/virtio_net.h>
#include <linux/rcupdate.h>
+#include <net/ipv6.h>
#include <net/net_namespace.h>
#include <net/netns/generic.h>
#include <net/rtnetlink.h>
@@ -1139,6 +1140,8 @@ static ssize_t tun_get_user(struct tun_s
break;
}
+ skb_reset_network_header(skb);
+
if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) {
pr_debug("GSO!\n");
switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
@@ -1159,6 +1162,8 @@ static ssize_t tun_get_user(struct tun_s
current->comm);
}
skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
break;
}
default:
@@ -1189,7 +1194,6 @@ static ssize_t tun_get_user(struct tun_s
skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG;
}
- skb_reset_network_header(skb);
skb_probe_transport_header(skb, 0);
rxhash = skb_get_hash(skb);
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -668,6 +668,8 @@ static inline int ipv6_addr_diff(const s
return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
}
+void ipv6_proxy_select_ident(struct sk_buff *skb);
+
int ip6_dst_hoplimit(struct dst_entry *dst);
static inline int ip6_sk_dst_hoplimit(struct ipv6_pinfo *np, struct flowi6 *fl6,
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -3,11 +3,45 @@
* not configured or static. These functions are needed by GSO/GRO implementation.
*/
#include <linux/export.h>
+#include <net/ip.h>
#include <net/ipv6.h>
#include <net/ip6_fib.h>
#include <net/addrconf.h>
#include <net/secure_seq.h>
+/* This function exists only for tap drivers that must support broken
+ * clients requesting UFO without specifying an IPv6 fragment ID.
+ *
+ * This is similar to ipv6_select_ident() but we use an independent hash
+ * seed to limit information leakage.
+ *
+ * The network header must be set before calling this.
+ */
+void ipv6_proxy_select_ident(struct sk_buff *skb)
+{
+ static u32 ip6_proxy_idents_hashrnd __read_mostly;
+ struct in6_addr buf[2];
+ struct in6_addr *addrs;
+ u32 hash, id;
+
+ addrs = skb_header_pointer(skb,
+ skb_network_offset(skb) +
+ offsetof(struct ipv6hdr, saddr),
+ sizeof(buf), buf);
+ if (!addrs)
+ return;
+
+ net_get_random_once(&ip6_proxy_idents_hashrnd,
+ sizeof(ip6_proxy_idents_hashrnd));
+
+ hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd);
+ hash = __ipv6_addr_jhash(&addrs[0], hash);
+
+ id = ip_idents_reserve(hash, 1);
+ skb_shinfo(skb)->ip6_frag_id = htonl(id);
+}
+EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
+
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
u16 offset = sizeof(struct ipv6hdr);

3
debian/patches/bugfix/all/firmware_class-log-every-success-and-failure.patch vendored
View File

@ -17,6 +17,9 @@ removed in later patches.
This does not cover the case where we fall back to a user-mode helper
(which is no longer enabled in Debian).
NOTE: hw-detect will depend on the "firmware: failed to load %s (%d)\n"
format to detect missing firmware.
---
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c

1
debian/patches/bugfix/all/firmware_class-return-specific-errors-from-file-read.patch vendored
View File

@ -1,6 +1,7 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 14 Dec 2013 17:14:39 +0000
Subject: firmware_class: Return specific errors from file read
Forwarded: no
Currently several failure cases are not distinguished and are
incorrectly reported as -EINVAL or -ENOENT.

2
debian/patches/bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch vendored
View File

@ -3,7 +3,7 @@ Date: Sat, 19 Oct 2013 19:43:35 +0100
Subject: kbuild: Use -nostdinc in compile tests
Bug-Debian: https://bugs.debian.org/726861
Bug-Debian: https://bugs.debian.org/717557
Forwarded: no
Forwarded: http://mid.gmane.org/1415235534.3398.35.camel@decadent.org.uk
Debian's gcc 4.8 pre-includes <stdc-predef.h> by default, which in
turn includes <bits/predefs.h>. This fails when building a 64-bit

34
debian/patches/bugfix/all/lockd-Try-to-reconnect-if-statd-has-moved.patch vendored Normal file
View File

@ -0,0 +1,34 @@
From: Benjamin Coddington <bcodding@redhat.com>
Date: Tue, 23 Sep 2014 12:26:20 -0400
Subject: [2/2] lockd: Try to reconnect if statd has moved
Origin: https://git.kernel.org/linus/173b3afceebe76fa2205b2c8808682d5b541fe3c
Bug-Debian: https://bugs.debian.org/767219
If rpc.statd is restarted, upcalls to monitor hosts can fail with
ECONNREFUSED. In that case force a lookup of statd's new port and retry the
upcall.
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
---
fs/lockd/mon.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c
index daa8e75..9106f42 100644
--- a/fs/lockd/mon.c
+++ b/fs/lockd/mon.c
@@ -159,6 +159,12 @@ static int nsm_mon_unmon(struct nsm_handle *nsm, u32 proc, struct nsm_res *res,
msg.rpc_proc = &clnt->cl_procinfo[proc];
status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN);
+ if (status == -ECONNREFUSED) {
+ dprintk("lockd: NSM upcall RPC failed, status=%d, forcing rebind\n",
+ status);
+ rpc_force_rebind(clnt);
+ status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN);
+ }
if (status < 0)
dprintk("lockd: NSM upcall RPC failed, status=%d\n",
status);

42
debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch vendored Normal file
View File

@ -0,0 +1,42 @@
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Wed, 8 Oct 2014 10:42:27 -0700
Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d
Andy Lutomirski recently demonstrated that when chroot is used to set
the root path below the path for the new ``root'' passed to pivot_root
the pivot_root system call succeeds and leaks mounts.
In examining the code I see that starting with a new root that is
below the current root in the mount tree will result in a loop in the
mount tree after the mounts are detached and then reattached to one
another. Resulting in all kinds of ugliness including a leak of that
mounts involved in the leak of the mount loop.
Prevent this problem by ensuring that the new mount is reachable from
the current root of the mount tree.
[Added stable cc. Fixes CVE-2014-7970. --Andy]
Cc: stable@vger.kernel.org
Reported-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
fs/namespace.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _
/* make sure we can reach put_old from new_root */
if (!is_path_reachable(old_mnt, old.dentry, &new))
goto out4;
+ /* make certain new is below the root */
+ if (!is_path_reachable(new_mnt, new.dentry, &root))
+ goto out4;
root_mp->m_count++; /* pin it so it won't go away */
lock_mount_hash();
detach_mnt(new_mnt, &parent_path);

46
debian/patches/bugfix/all/mtd-m25p80-get-rid-of-spi_get_device_id.patch vendored Normal file
View File

@ -0,0 +1,46 @@
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
Date: Mon, 29 Sep 2014 11:47:53 +0200
Subject: [2/4] mtd: m25p80: get rid of spi_get_device_id
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: http://git.infradead.org/l2-mtd.git/commit/90e55b3812a1245bb674afcc4410ddba7db402f6
This simplifies the way we use spi_nor framework and will allow us to
drop spi_nor_match_id.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
---
drivers/mtd/devices/m25p80.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
index dcda628..822209d 100644
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -197,6 +197,7 @@ static int m25p_probe(struct spi_device *spi)
struct m25p *flash;
struct spi_nor *nor;
enum read_mode mode = SPI_NOR_NORMAL;
+ char *flash_name = NULL;
int ret;
data = dev_get_platdata(&spi->dev);
@@ -236,12 +237,11 @@ static int m25p_probe(struct spi_device *spi)
* If that's the case, respect "type" and ignore a "name".
*/
if (data && data->type)
- id = spi_nor_match_id(data->type);
-
- /* If we didn't get name from platform, simply use "modalias". */
- if (!id)
- id = spi_get_device_id(spi);
+ flash_name = data->type;
+ else
+ flash_name = spi->modalias;
+ id = spi_nor_match_id(flash_name);
ret = spi_nor_scan(nor, id, mode);
if (ret)
return ret;

125
debian/patches/bugfix/all/mtd-m25p80-spi-nor-Fix-module-aliases-for-m25p80.patch vendored Normal file
View File

@ -0,0 +1,125 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 30 Sep 2014 03:14:55 +0100
Subject: [4/4] mtd: m25p80,spi-nor: Fix module aliases for m25p80
Origin: http://git.infradead.org/l2-mtd.git/commit/a5b7616c55e188fe3d6ef686bef402d4703ecb62
m25p80's device ID table is now spi_nor_ids, defined in spi-nor. The
MODULE_DEVICE_TABLE() macro doesn't work with extern definitions, but
its use was also removed at the same time. Now if m25p80 is built as
a module it doesn't get the necessary aliases to be loaded
automatically.
A clean solution to this will involve defining the list of device
IDs in spi-nor.h and removing struct spi_device_id from the spi-nor
API, but this is quite a large change.
As a quick fix suitable for stable, copy the device IDs back into
m25p80.
Fixes: 03e296f613af ("mtd: m25p80: use the SPI nor framework")
Cc: <stable@vger.kernel.org> # 3.16.x: 32f1b7c8352f: mtd: move support for struct flash_platform_data into m25p80
Cc: <stable@vger.kernel.org> # 3.16.x: 90e55b3812a1: mtd: m25p80: get rid of spi_get_device_id
Cc: <stable@vger.kernel.org> # 3.16.x: 70f3ce0510af: mtd: spi-nor: make spi_nor_scan() take a chip type name, not spi_device_id
Cc: <stable@vger.kernel.org> # 3.16.x
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
---
drivers/mtd/devices/m25p80.c | 52 ++++++++++++++++++++++++++++++++++++++++++-
drivers/mtd/spi-nor/spi-nor.c | 3 +--
include/linux/mtd/spi-nor.h | 1 -
3 files changed, 52 insertions(+), 4 deletions(-)
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -261,12 +261,62 @@ static int m25p_remove(struct spi_device
}
+/*
+ * XXX This needs to be kept in sync with spi_nor_ids. We can't share
+ * it with spi-nor, because if this is built as a module then modpost
+ * won't be able to read it and add appropriate aliases.
+ */
+static const struct spi_device_id m25p_ids[] = {
+ {"at25fs010"}, {"at25fs040"}, {"at25df041a"}, {"at25df321a"},
+ {"at25df641"}, {"at26f004"}, {"at26df081a"}, {"at26df161a"},
+ {"at26df321"}, {"at45db081d"},
+ {"en25f32"}, {"en25p32"}, {"en25q32b"}, {"en25p64"},
+ {"en25q64"}, {"en25qh128"}, {"en25qh256"},
+ {"f25l32pa"},
+ {"mr25h256"}, {"mr25h10"},
+ {"gd25q32"}, {"gd25q64"},
+ {"160s33b"}, {"320s33b"}, {"640s33b"},
+ {"mx25l2005a"}, {"mx25l4005a"}, {"mx25l8005"}, {"mx25l1606e"},
+ {"mx25l3205d"}, {"mx25l3255e"}, {"mx25l6405d"}, {"mx25l12805d"},
+ {"mx25l12855e"},{"mx25l25635e"},{"mx25l25655e"},{"mx66l51235l"},
+ {"mx66l1g55g"},
+ {"n25q064"}, {"n25q128a11"}, {"n25q128a13"}, {"n25q256a"},
+ {"n25q512a"}, {"n25q512ax3"}, {"n25q00"},
+ {"pm25lv512"}, {"pm25lv010"}, {"pm25lq032"},
+ {"s25sl032p"}, {"s25sl064p"}, {"s25fl256s0"}, {"s25fl256s1"},
+ {"s25fl512s"}, {"s70fl01gs"}, {"s25sl12800"}, {"s25sl12801"},
+ {"s25fl129p0"}, {"s25fl129p1"}, {"s25sl004a"}, {"s25sl008a"},
+ {"s25sl016a"}, {"s25sl032a"}, {"s25sl064a"}, {"s25fl008k"},
+ {"s25fl016k"}, {"s25fl064k"},
+ {"sst25vf040b"},{"sst25vf080b"},{"sst25vf016b"},{"sst25vf032b"},
+ {"sst25vf064c"},{"sst25wf512"}, {"sst25wf010"}, {"sst25wf020"},
+ {"sst25wf040"},
+ {"m25p05"}, {"m25p10"}, {"m25p20"}, {"m25p40"},
+ {"m25p80"}, {"m25p16"}, {"m25p32"}, {"m25p64"},
+ {"m25p128"}, {"n25q032"},
+ {"m25p05-nonjedec"}, {"m25p10-nonjedec"}, {"m25p20-nonjedec"},
+ {"m25p40-nonjedec"}, {"m25p80-nonjedec"}, {"m25p16-nonjedec"},
+ {"m25p32-nonjedec"}, {"m25p64-nonjedec"}, {"m25p128-nonjedec"},
+ {"m45pe10"}, {"m45pe80"}, {"m45pe16"},
+ {"m25pe20"}, {"m25pe80"}, {"m25pe16"},
+ {"m25px16"}, {"m25px32"}, {"m25px32-s0"}, {"m25px32-s1"},
+ {"m25px64"},
+ {"w25x10"}, {"w25x20"}, {"w25x40"}, {"w25x80"},
+ {"w25x16"}, {"w25x32"}, {"w25q32"}, {"w25q32dw"},
+ {"w25x64"}, {"w25q64"}, {"w25q128"}, {"w25q80"},
+ {"w25q80bl"}, {"w25q128"}, {"w25q256"}, {"cat25c11"},
+ {"cat25c03"}, {"cat25c09"}, {"cat25c17"}, {"cat25128"},
+ { },
+};
+MODULE_DEVICE_TABLE(spi, m25p_ids);
+
+
static struct spi_driver m25p80_driver = {
.driver = {
.name = "m25p80",
.owner = THIS_MODULE,
},
- .id_table = spi_nor_ids,
+ .id_table = m25p_ids,
.probe = m25p_probe,
.remove = m25p_remove,
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -429,7 +429,7 @@ struct flash_info {
* more nor chips. This current list focusses on newer chips, which
* have been converging on command sets which including JEDEC ID.
*/
-const struct spi_device_id spi_nor_ids[] = {
+static const struct spi_device_id spi_nor_ids[] = {
/* Atmel -- some are (confusingly) marketed as "DataFlash" */
{ "at25fs010", INFO(0x1f6601, 0, 32 * 1024, 4, SECT_4K) },
{ "at25fs040", INFO(0x1f6604, 0, 64 * 1024, 8, SECT_4K) },
@@ -590,7 +590,6 @@ const struct spi_device_id spi_nor_ids[]
{ "cat25128", CAT25_INFO(2048, 8, 64, 2, SPI_NOR_NO_ERASE | SPI_NOR_NO_FR) },
{ },
};
-EXPORT_SYMBOL_GPL(spi_nor_ids);
static const struct spi_device_id *spi_nor_read_id(struct spi_nor *nor)
{
--- a/include/linux/mtd/spi-nor.h
+++ b/include/linux/mtd/spi-nor.h
@@ -195,6 +195,5 @@ struct spi_nor {
* Return: 0 for success, others for failure.
*/
int spi_nor_scan(struct spi_nor *nor, const char *name, enum read_mode mode);
-extern const struct spi_device_id spi_nor_ids[];
#endif

119
debian/patches/bugfix/all/mtd-move-support-for-struct-flash_platform_data-into.patch vendored Normal file
View File

@ -0,0 +1,119 @@
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
Date: Sun, 28 Sep 2014 22:36:54 +0200
Subject: [1/4] mtd: move support for struct flash_platform_data into m25p80
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: http://git.infradead.org/l2-mtd.git/commit/32f1b7c8352fd33d41bcec3cfb054ccdcfd40a42
This "type" seems to be an extra hint for m25p80 about the flash. Some
archs register flash_platform_data with "name" set to "m25p80" and then
with a real flash name set in "type". It seems to be a trick specific
to the m25p80 so let's move it out of spi-nor.
Btw switch to the spi_nor_match_id instead of iterating spi_nor_ids.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
---
drivers/mtd/devices/m25p80.c | 22 ++++++++++++++++++++--
drivers/mtd/spi-nor/spi-nor.c | 28 +---------------------------
2 files changed, 21 insertions(+), 29 deletions(-)
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -193,11 +193,14 @@ static int m25p_probe(struct spi_device
{
struct mtd_part_parser_data ppdata;
struct flash_platform_data *data;
+ const struct spi_device_id *id = NULL;
struct m25p *flash;
struct spi_nor *nor;
enum read_mode mode = SPI_NOR_NORMAL;
int ret;
+ data = dev_get_platdata(&spi->dev);
+
flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL);
if (!flash)
return -ENOMEM;
@@ -223,11 +226,26 @@ static int m25p_probe(struct spi_device
mode = SPI_NOR_QUAD;
else if (spi->mode & SPI_RX_DUAL)
mode = SPI_NOR_DUAL;
- ret = spi_nor_scan(nor, spi_get_device_id(spi), mode);
+
+ if (data && data->name)
+ flash->mtd.name = data->name;
+
+ /* For some (historical?) reason many platforms provide two different
+ * names in flash_platform_data: "name" and "type". Quite often name is
+ * set to "m25p80" and then "type" provides a real chip name.
+ * If that's the case, respect "type" and ignore a "name".
+ */
+ if (data && data->type)
+ id = spi_nor_match_id(data->type);
+
+ /* If we didn't get name from platform, simply use "modalias". */
+ if (!id)
+ id = spi_get_device_id(spi);
+
+ ret = spi_nor_scan(nor, id, mode);
if (ret)
return ret;
- data = dev_get_platdata(&spi->dev);
ppdata.of_node = spi->dev.of_node;
return mtd_device_parse_register(&flash->mtd, NULL, &ppdata,
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -871,7 +871,6 @@ int spi_nor_scan(struct spi_nor *nor, co
enum read_mode mode)
{
struct flash_info *info;
- struct flash_platform_data *data;
struct device *dev = nor->dev;
struct mtd_info *mtd = nor->mtd;
struct device_node *np = dev->of_node;
@@ -882,28 +881,6 @@ int spi_nor_scan(struct spi_nor *nor, co
if (ret)
return ret;
- /* Platform data helps sort out which chip type we have, as
- * well as how this board partitions it. If we don't have
- * a chip ID, try the JEDEC id commands; they'll work for most
- * newer chips, even if we don't recognize the particular chip.
- */
- data = dev_get_platdata(dev);
- if (data && data->type) {
- const struct spi_device_id *plat_id;
-
- for (i = 0; i < ARRAY_SIZE(spi_nor_ids) - 1; i++) {
- plat_id = &spi_nor_ids[i];
- if (strcmp(data->type, plat_id->name))
- continue;
- break;
- }
-
- if (i < ARRAY_SIZE(spi_nor_ids) - 1)
- id = plat_id;
- else
- dev_warn(dev, "unrecognized id %s\n", data->type);
- }
-
info = (void *)id->driver_data;
if (info->jedec_id) {
@@ -941,11 +918,8 @@ int spi_nor_scan(struct spi_nor *nor, co
write_sr(nor, 0);
}
- if (data && data->name)
- mtd->name = data->name;
- else
+ if (!mtd->name)
mtd->name = dev_name(dev);
-
mtd->type = MTD_NORFLASH;
mtd->writesize = 1;
mtd->flags = MTD_CAP_NORFLASH;

162
debian/patches/bugfix/all/mtd-spi-nor-make-spi_nor_scan-take-a-chip-type-name-.patch vendored Normal file
View File

@ -0,0 +1,162 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 29 Sep 2014 11:47:54 +0200
Subject: [3/4] mtd: spi-nor: make spi_nor_scan() take a chip type name, not
spi_device_id
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: http://git.infradead.org/l2-mtd.git/commit/70f3ce0510afdad7cbaf27ab7ab961377205c782
Drivers currently call spi_nor_match_id() and then spi_nor_scan().
This adds a dependency on struct spi_device_id which we want to
avoid. Make spi_nor_scan() do it for them.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
---
drivers/mtd/devices/m25p80.c | 4 +---
drivers/mtd/spi-nor/fsl-quadspi.c | 7 +------
drivers/mtd/spi-nor/spi-nor.c | 13 +++++++++----
include/linux/mtd/spi-nor.h | 20 +++-----------------
4 files changed, 14 insertions(+), 30 deletions(-)
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -193,7 +193,6 @@ static int m25p_probe(struct spi_device
{
struct mtd_part_parser_data ppdata;
struct flash_platform_data *data;
- const struct spi_device_id *id = NULL;
struct m25p *flash;
struct spi_nor *nor;
enum read_mode mode = SPI_NOR_NORMAL;
@@ -241,8 +240,7 @@ static int m25p_probe(struct spi_device
else
flash_name = spi->modalias;
- id = spi_nor_match_id(flash_name);
- ret = spi_nor_scan(nor, id, mode);
+ ret = spi_nor_scan(nor, flash_name, mode);
if (ret)
return ret;
--- a/drivers/mtd/spi-nor/fsl-quadspi.c
+++ b/drivers/mtd/spi-nor/fsl-quadspi.c
@@ -881,7 +881,6 @@ static int fsl_qspi_probe(struct platfor
/* iterate the subnodes. */
for_each_available_child_of_node(dev->of_node, np) {
- const struct spi_device_id *id;
char modalias[40];
/* skip the holes */
@@ -909,10 +908,6 @@ static int fsl_qspi_probe(struct platfor
if (of_modalias_node(np, modalias, sizeof(modalias)) < 0)
goto map_failed;
- id = spi_nor_match_id(modalias);
- if (!id)
- goto map_failed;
-
ret = of_property_read_u32(np, "spi-max-frequency",
&q->clk_rate);
if (ret < 0)
@@ -921,7 +916,7 @@ static int fsl_qspi_probe(struct platfor
/* set the chip address for READID */
fsl_qspi_set_base_addr(q, nor);
- ret = spi_nor_scan(nor, id, SPI_NOR_QUAD);
+ ret = spi_nor_scan(nor, modalias, SPI_NOR_QUAD);
if (ret)
goto map_failed;
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -28,6 +28,8 @@
#define JEDEC_MFR(_jedec_id) ((_jedec_id) >> 16)
+static const struct spi_device_id *spi_nor_match_id(const char *name);
+
/*
* Read the status register, returning its value in the location
* Return the status register value.
@@ -867,9 +869,9 @@ static int spi_nor_check(struct spi_nor
return 0;
}
-int spi_nor_scan(struct spi_nor *nor, const struct spi_device_id *id,
- enum read_mode mode)
+int spi_nor_scan(struct spi_nor *nor, const char *name, enum read_mode mode)
{
+ const struct spi_device_id *id = NULL;
struct flash_info *info;
struct device *dev = nor->dev;
struct mtd_info *mtd = nor->mtd;
@@ -881,6 +883,10 @@ int spi_nor_scan(struct spi_nor *nor, co
if (ret)
return ret;
+ id = spi_nor_match_id(name);
+ if (!id)
+ return -ENOENT;
+
info = (void *)id->driver_data;
if (info->jedec_id) {
@@ -1062,7 +1068,7 @@ int spi_nor_scan(struct spi_nor *nor, co
}
EXPORT_SYMBOL_GPL(spi_nor_scan);
-const struct spi_device_id *spi_nor_match_id(char *name)
+static const struct spi_device_id *spi_nor_match_id(const char *name)
{
const struct spi_device_id *id = spi_nor_ids;
@@ -1073,7 +1079,6 @@ const struct spi_device_id *spi_nor_matc
}
return NULL;
}
-EXPORT_SYMBOL_GPL(spi_nor_match_id);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Huang Shijie <shijie8@gmail.com>");
--- a/include/linux/mtd/spi-nor.h
+++ b/include/linux/mtd/spi-nor.h
@@ -183,32 +183,18 @@ struct spi_nor {
/**
* spi_nor_scan() - scan the SPI NOR
* @nor: the spi_nor structure
- * @id: the spi_device_id provided by the driver
+ * @name: the chip type name
* @mode: the read mode supported by the driver
*
* The drivers can use this fuction to scan the SPI NOR.
* In the scanning, it will try to get all the necessary information to
* fill the mtd_info{} and the spi_nor{}.
*
- * The board may assigns a spi_device_id with @id which be used to compared with
- * the spi_device_id detected by the scanning.
+ * The chip type name can be provided through the @name parameter.
*
* Return: 0 for success, others for failure.
*/
-int spi_nor_scan(struct spi_nor *nor, const struct spi_device_id *id,
- enum read_mode mode);
+int spi_nor_scan(struct spi_nor *nor, const char *name, enum read_mode mode);
extern const struct spi_device_id spi_nor_ids[];
-/**
- * spi_nor_match_id() - find the spi_device_id by the name
- * @name: the name of the spi_device_id
- *
- * The drivers use this function to find the spi_device_id
- * specified by the @name.
- *
- * Return: returns the right spi_device_id pointer on success,
- * and returns NULL on failure.
- */
-const struct spi_device_id *spi_nor_match_id(char *name);
-
#endif

42
debian/patches/bugfix/all/net-mv643xx-disable-tso-by-default.patch vendored Normal file
View File

@ -0,0 +1,42 @@
Subject: [1/1] net: mv643xx_eth: Make TSO disabled by default
From: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Date: Sat, 1 Nov 2014 12:30:20 -0300
Origin: http://patchwork.ozlabs.org/patch/405792/
Data corruption has been observed to be produced by TSO. For instance,
accessing files on a NFS-server with TSO enabled results in different data
transferred each time.
This has been observed only on Kirkwood platforms, i.e. with the mv643xx_eth
driver. Same tests on platforms using the mvneta ethernet driver have
passed without errors.
Make TSO disabled by default for now, until we can found a proper fix
for the regression.
Fixes: 3ae8f4e0b98 ('net: mv643xx_eth: Implement software TSO')
Reported-by: Slawomir Gajzner <slawomir.gajzner@gmail.com>
Reported-by: Julien D'Ascenzio <jdascenzio@yahoo.fr>
Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
---
drivers/net/ethernet/marvell/mv643xx_eth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
index b151a94..8b72780 100644
--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -3110,11 +3110,11 @@ static int mv643xx_eth_probe(struct platform_device *pdev)
dev->watchdog_timeo = 2 * HZ;
dev->base_addr = 0;
- dev->features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO;
+ dev->features = NETIF_F_SG | NETIF_F_IP_CSUM;
dev->vlan_features = dev->features;
dev->features |= NETIF_F_RXCSUM;
- dev->hw_features = dev->features;
+ dev->hw_features = dev->features | NETIF_F_TSO;
dev->priv_flags |= IFF_UNICAST_FLT;
dev->gso_max_segs = MV643XX_MAX_TSO_SEGS;

87
debian/patches/bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch vendored Normal file
View File

@ -0,0 +1,87 @@
From: Daniel Borkmann <dborkman@redhat.com>
Date: Thu, 9 Oct 2014 22:55:32 +0200
Subject: net: sctp: fix panic on duplicate ASCONF chunks
Origin: https://git.kernel.org/linus/b69040d8e39f20d5215a03502a8e8b4c6ab78395
When receiving a e.g. semi-good formed connection scan in the
form of ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
---------------- ASCONF_a; ASCONF_b ----------------->
... where ASCONF_a equals ASCONF_b chunk (at least both serials
need to be equal), we panic an SCTP server!
The problem is that good-formed ASCONF chunks that we reply with
ASCONF_ACK chunks are cached per serial. Thus, when we receive a
same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
not need to process them again on the server side (that was the
idea, also proposed in the RFC). Instead, we know it was cached
and we just resend the cached chunk instead. So far, so good.
Where things get nasty is in SCTP's side effect interpreter, that
is, sctp_cmd_interpreter():
While incoming ASCONF_a (chunk = event_arg) is being marked
!end_of_packet and !singleton, and we have an association context,
we do not flush the outqueue the first time after processing the
ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
queued up, although we set local_cork to 1. Commit 2e3216cd54b1
changed the precedence, so that as long as we get bundled, incoming
chunks we try possible bundling on outgoing queue as well. Before
this commit, we would just flush the output queue.
Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
continue to process the same ASCONF_b chunk from the packet. As
we have cached the previous ASCONF_ACK, we find it, grab it and
do another SCTP_CMD_REPLY command on it. So, effectively, we rip
the chunk->list pointers and requeue the same ASCONF_ACK chunk
another time. Since we process ASCONF_b, it's correctly marked
with end_of_packet and we enforce an uncork, and thus flush, thus
crashing the kernel.
Fix it by testing if the ASCONF_ACK is currently pending and if
that is the case, do not requeue it. When flushing the output
queue we may relink the chunk for preparing an outgoing packet,
but eventually unlink it when it's copied into the skb right
before transmission.
Joint work with Vlad Yasevich.
Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/sctp/sctp.h | 5 +++++
net/sctp/associola.c | 2 ++
2 files changed, 7 insertions(+)
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -433,6 +433,11 @@ static inline void sctp_assoc_pending_pm
asoc->pmtu_pending = 0;
}
+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
+{
+ return !list_empty(&chunk->list);
+}
+
/* Walk through a list of TLV parameters. Don't trust the
* individual parameter lengths and instead depend on
* the chunk length to indicate when to stop. Make sure
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1670,6 +1670,8 @@ struct sctp_chunk *sctp_assoc_lookup_asc
* ack chunk whose serial number matches that of the request.
*/
list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
+ if (sctp_chunk_pending(ack))
+ continue;
if (ack->subh.addip_hdr->serial == serial) {
sctp_chunk_hold(ack);
return ack;

149
debian/patches/bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch vendored Normal file
View File

@ -0,0 +1,149 @@
From: Daniel Borkmann <dborkman@redhat.com>
Date: Thu, 9 Oct 2014 22:55:33 +0200
Subject: net: sctp: fix remote memory pressure from excessive queueing
Origin: https://git.kernel.org/linus/26b87c7881006311828bb0ab271a551a62dcceb4
This scenario is not limited to ASCONF, just taken as one
example triggering the issue. When receiving ASCONF probes
in the form of ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
[...]
---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
ASCONFs and have increasing serial numbers, we process such
ASCONF chunk(s) marked with !end_of_packet and !singleton,
since we have not yet reached the SCTP packet end. SCTP does
only do verification on a chunk by chunk basis, as an SCTP
packet is nothing more than just a container of a stream of
chunks which it eats up one by one.
We could run into the case that we receive a packet with a
malformed tail, above marked as trailing JUNK. All previous
chunks are here goodformed, so the stack will eat up all
previous chunks up to this point. In case JUNK does not fit
into a chunk header and there are no more other chunks in
the input queue, or in case JUNK contains a garbage chunk
header, but the encoded chunk length would exceed the skb
tail, or we came here from an entirely different scenario
and the chunk has pdiscard=1 mark (without having had a flush
point), it will happen, that we will excessively queue up
the association's output queue (a correct final chunk may
then turn it into a response flood when flushing the
queue ;)): I ran a simple script with incremental ASCONF
serial numbers and could see the server side consuming
excessive amount of RAM [before/after: up to 2GB and more].
The issue at heart is that the chunk train basically ends
with !end_of_packet and !singleton markers and since commit
2e3216cd54b1 ("sctp: Follow security requirement of responding
with 1 packet") therefore preventing an output queue flush
point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
chunk (chunk = event_arg) even though local_cork is set,
but its precedence has changed since then. In the normal
case, the last chunk with end_of_packet=1 would trigger the
queue flush to accommodate possible outgoing bundling.
In the input queue, sctp_inq_pop() seems to do the right thing
in terms of discarding invalid chunks. So, above JUNK will
not enter the state machine and instead be released and exit
the sctp_assoc_bh_rcv() chunk processing loop. It's simply
the flush point being missing at loop exit. Adding a try-flush
approach on the output queue might not work as the underlying
infrastructure might be long gone at this point due to the
side-effect interpreter run.
One possibility, albeit a bit of a kludge, would be to defer
invalid chunk freeing into the state machine in order to
possibly trigger packet discards and thus indirectly a queue
flush on error. It would surely be better to discard chunks
as in the current, perhaps better controlled environment, but
going back and forth, it's simply architecturally not possible.
I tried various trailing JUNK attack cases and it seems to
look good now.
Joint work with Vlad Yasevich.
Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/sctp/inqueue.c | 33 +++++++--------------------------
net/sctp/sm_statefuns.c | 3 +++
2 files changed, 10 insertions(+), 26 deletions(-)
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 4de12af..7e8a16c 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
} else {
/* Nothing to do. Next chunk in the packet, please. */
ch = (sctp_chunkhdr_t *) chunk->chunk_end;
-
/* Force chunk->skb->data to chunk->chunk_end. */
- skb_pull(chunk->skb,
- chunk->chunk_end - chunk->skb->data);
-
- /* Verify that we have at least chunk headers
- * worth of buffer left.
- */
- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
- sctp_chunk_free(chunk);
- chunk = queue->in_progress = NULL;
- }
+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
+ /* We are guaranteed to pull a SCTP header. */
}
}
@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
chunk->subh.v = NULL; /* Subheader is no longer valid. */
- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
+ skb_tail_pointer(chunk->skb)) {
/* This is not a singleton */
chunk->singleton = 0;
} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
- /* RFC 2960, Section 6.10 Bundling
- *
- * Partial chunks MUST NOT be placed in an SCTP packet.
- * If the receiver detects a partial chunk, it MUST drop
- * the chunk.
- *
- * Since the end of the chunk is past the end of our buffer
- * (which contains the whole packet, we can freely discard
- * the whole packet.
- */
- sctp_chunk_free(chunk);
- chunk = queue->in_progress = NULL;
-
- return NULL;
+ /* Discard inside state machine. */
+ chunk->pdiscard = 1;
+ chunk->chunk_end = skb_tail_pointer(chunk->skb);
} else {
/* We are at the end of the packet, so mark the chunk
* in case we need to send a SACK.
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index bdea3df..3ee27b7 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
{
__u16 chunk_length = ntohs(chunk->chunk_hdr->length);
+ /* Previously already marked? */
+ if (unlikely(chunk->pdiscard))
+ return 0;
if (unlikely(chunk_length < required_length))
return 0;

336
debian/patches/bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch vendored Normal file
View File

@ -0,0 +1,336 @@
From: Daniel Borkmann <dborkman@redhat.com>
Date: Thu, 9 Oct 2014 22:55:31 +0200
Subject: net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
Origin: https://git.kernel.org/linus/9de7922bc709eee2f609cd01d98aaedc4cf5ea74
Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
ASCONF chunk") added basic verification of ASCONF chunks, however,
it is still possible to remotely crash a server by sending a
special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
end:0x440 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:129!
[...]
Call Trace:
<IRQ>
[<ffffffff8144fb1c>] skb_put+0x5c/0x70
[<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
[<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
[<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
[<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
[<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
[<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
[<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff81497078>] ip_local_deliver+0x98/0xa0
[<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
[<ffffffff81496ac5>] ip_rcv+0x275/0x350
[<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
[<ffffffff81460588>] netif_receive_skb+0x58/0x60
This can be triggered e.g., through a simple scripted nmap
connection scan injecting the chunk after the handshake, for
example, ...
-------------- INIT[ASCONF; ASCONF_ACK] ------------->
<----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-------------------- COOKIE-ECHO -------------------->
<-------------------- COOKIE-ACK ---------------------
------------------ ASCONF; UNKNOWN ------------------>
... where ASCONF chunk of length 280 contains 2 parameters ...
1) Add IP address parameter (param length: 16)
2) Add/del IP address parameter (param length: 255)
... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
Address Parameter in the ASCONF chunk is even missing, too.
This is just an example and similarly-crafted ASCONF chunks
could be used just as well.
The ASCONF chunk passes through sctp_verify_asconf() as all
parameters passed sanity checks, and after walking, we ended
up successfully at the chunk end boundary, and thus may invoke
sctp_process_asconf(). Parameter walking is done with
WORD_ROUND() to take padding into account.
In sctp_process_asconf()'s TLV processing, we may fail in
sctp_process_asconf_param() e.g., due to removal of the IP
address that is also the source address of the packet containing
the ASCONF chunk, and thus we need to add all TLVs after the
failure to our ASCONF response to remote via helper function
sctp_add_asconf_response(), which basically invokes a
sctp_addto_chunk() adding the error parameters to the given
skb.
When walking to the next parameter this time, we proceed
with ...
length = ntohs(asconf_param->param_hdr.length);
asconf_param = (void *)asconf_param + length;
... instead of the WORD_ROUND()'ed length, thus resulting here
in an off-by-one that leads to reading the follow-up garbage
parameter length of 12336, and thus throwing an skb_over_panic
for the reply when trying to sctp_addto_chunk() next time,
which implicitly calls the skb_put() with that length.
Fix it by using sctp_walk_params() [ which is also used in
INIT parameter processing ] macro in the verification *and*
in ASCONF processing: it will make sure we don't spill over,
that we walk parameters WORD_ROUND()'ed. Moreover, we're being
more defensive and guard against unknown parameter types and
missized addresses.
Joint work with Vlad Yasevich.
Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/sctp/sm.h | 6 +--
net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++---------------------
net/sctp/sm_statefuns.c | 18 +--------
3 files changed, 60 insertions(+), 63 deletions(-)
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
index 7f4eeb3..72a31db 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@@ -248,9 +248,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
int, __be16);
struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
union sctp_addr *addr);
-int sctp_verify_asconf(const struct sctp_association *asoc,
- struct sctp_paramhdr *param_hdr, void *chunk_end,
- struct sctp_paramhdr **errp);
+bool sctp_verify_asconf(const struct sctp_association *asoc,
+ struct sctp_chunk *chunk, bool addr_param_needed,
+ struct sctp_paramhdr **errp);
struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
struct sctp_chunk *asconf);
int sctp_process_asconf_ack(struct sctp_association *asoc,
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index ae0e616..ab734be 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3110,50 +3110,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
return SCTP_ERROR_NO_ERROR;
}
-/* Verify the ASCONF packet before we process it. */
-int sctp_verify_asconf(const struct sctp_association *asoc,
- struct sctp_paramhdr *param_hdr, void *chunk_end,
- struct sctp_paramhdr **errp) {
- sctp_addip_param_t *asconf_param;
+/* Verify the ASCONF packet before we process it. */
+bool sctp_verify_asconf(const struct sctp_association *asoc,
+ struct sctp_chunk *chunk, bool addr_param_needed,
+ struct sctp_paramhdr **errp)
+{
+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
union sctp_params param;
- int length, plen;
-
- param.v = (sctp_paramhdr_t *) param_hdr;
- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
- length = ntohs(param.p->length);
- *errp = param.p;
+ bool addr_param_seen = false;
- if (param.v > chunk_end - length ||
- length < sizeof(sctp_paramhdr_t))
- return 0;
+ sctp_walk_params(param, addip, addip_hdr.params) {
+ size_t length = ntohs(param.p->length);
+ *errp = param.p;
switch (param.p->type) {
+ case SCTP_PARAM_ERR_CAUSE:
+ break;
+ case SCTP_PARAM_IPV4_ADDRESS:
+ if (length != sizeof(sctp_ipv4addr_param_t))
+ return false;
+ addr_param_seen = true;
+ break;
+ case SCTP_PARAM_IPV6_ADDRESS:
+ if (length != sizeof(sctp_ipv6addr_param_t))
+ return false;
+ addr_param_seen = true;
+ break;
case SCTP_PARAM_ADD_IP:
case SCTP_PARAM_DEL_IP:
case SCTP_PARAM_SET_PRIMARY:
- asconf_param = (sctp_addip_param_t *)param.v;
- plen = ntohs(asconf_param->param_hdr.length);
- if (plen < sizeof(sctp_addip_param_t) +
- sizeof(sctp_paramhdr_t))
- return 0;
+ /* In ASCONF chunks, these need to be first. */
+ if (addr_param_needed && !addr_param_seen)
+ return false;
+ length = ntohs(param.addip->param_hdr.length);
+ if (length < sizeof(sctp_addip_param_t) +
+ sizeof(sctp_paramhdr_t))
+ return false;
break;
case SCTP_PARAM_SUCCESS_REPORT:
case SCTP_PARAM_ADAPTATION_LAYER_IND:
if (length != sizeof(sctp_addip_param_t))
- return 0;
-
+ return false;
break;
default:
- break;
+ /* This is unkown to us, reject! */
+ return false;
}
-
- param.v += WORD_ROUND(length);
}
- if (param.v != chunk_end)
- return 0;
+ /* Remaining sanity checks. */
+ if (addr_param_needed && !addr_param_seen)
+ return false;
+ if (!addr_param_needed && addr_param_seen)
+ return false;
+ if (param.v != chunk->chunk_end)
+ return false;
- return 1;
+ return true;
}
/* Process an incoming ASCONF chunk with the next expected serial no. and
@@ -3162,16 +3175,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
struct sctp_chunk *asconf)
{
+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
+ bool all_param_pass = true;
+ union sctp_params param;
sctp_addiphdr_t *hdr;
union sctp_addr_param *addr_param;
sctp_addip_param_t *asconf_param;
struct sctp_chunk *asconf_ack;
-
__be16 err_code;
int length = 0;
int chunk_len;
__u32 serial;
- int all_param_pass = 1;
chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
hdr = (sctp_addiphdr_t *)asconf->skb->data;
@@ -3199,9 +3213,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
goto done;
/* Process the TLVs contained within the ASCONF chunk. */
- while (chunk_len > 0) {
+ sctp_walk_params(param, addip, addip_hdr.params) {
+ /* Skip preceeding address parameters. */
+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+ param.p->type == SCTP_PARAM_IPV6_ADDRESS)
+ continue;
+
err_code = sctp_process_asconf_param(asoc, asconf,
- asconf_param);
+ param.addip);
/* ADDIP 4.1 A7)
* If an error response is received for a TLV parameter,
* all TLVs with no response before the failed TLV are
@@ -3209,28 +3228,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
* the failed response are considered unsuccessful unless
* a specific success indication is present for the parameter.
*/
- if (SCTP_ERROR_NO_ERROR != err_code)
- all_param_pass = 0;
-
+ if (err_code != SCTP_ERROR_NO_ERROR)
+ all_param_pass = false;
if (!all_param_pass)
- sctp_add_asconf_response(asconf_ack,
- asconf_param->crr_id, err_code,
- asconf_param);
+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
+ err_code, param.addip);
/* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
* an IP address sends an 'Out of Resource' in its response, it
* MUST also fail any subsequent add or delete requests bundled
* in the ASCONF.
*/
- if (SCTP_ERROR_RSRC_LOW == err_code)
+ if (err_code == SCTP_ERROR_RSRC_LOW)
goto done;
-
- /* Move to the next ASCONF param. */
- length = ntohs(asconf_param->param_hdr.length);
- asconf_param = (void *)asconf_param + length;
- chunk_len -= length;
}
-
done:
asoc->peer.addip_serial++;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index c8f6063..bdea3df 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3591,9 +3591,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
struct sctp_chunk *asconf_ack = NULL;
struct sctp_paramhdr *err_param = NULL;
sctp_addiphdr_t *hdr;
- union sctp_addr_param *addr_param;
__u32 serial;
- int length;
if (!sctp_vtag_verify(chunk, asoc)) {
sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
@@ -3618,17 +3616,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
hdr = (sctp_addiphdr_t *)chunk->skb->data;
serial = ntohl(hdr->serial);
- addr_param = (union sctp_addr_param *)hdr->params;
- length = ntohs(addr_param->p.length);
- if (length < sizeof(sctp_paramhdr_t))
- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- (void *)addr_param, commands);
-
/* Verify the ASCONF chunk before processing it. */
- if (!sctp_verify_asconf(asoc,
- (sctp_paramhdr_t *)((void *)addr_param + length),
- (void *)chunk->chunk_end,
- &err_param))
+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
(void *)err_param, commands);
@@ -3745,10 +3734,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
rcvd_serial = ntohl(addip_hdr->serial);
/* Verify the ASCONF-ACK chunk before processing it. */
- if (!sctp_verify_asconf(asoc,
- (sctp_paramhdr_t *)addip_hdr->params,
- (void *)asconf_ack->chunk_end,
- &err_param))
+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
(void *)err_param, commands);

11
debian/patches/bugfix/all/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch vendored
View File

@ -38,7 +38,7 @@ missing, except for the pre-R600 KMS case.
/*
* KMS wrapper.
* - 2.0.0 - initial interface
@@ -320,6 +323,37 @@ static struct drm_driver driver_old = {
@@ -341,6 +344,42 @@ static struct drm_driver driver_old = {
static struct drm_driver kms_driver;
@ -49,6 +49,10 @@ missing, except for the pre-R600 KMS case.
+ */
+static bool radeon_firmware_installed(void)
+{
+#if IS_BUILTIN(CONFIG_DRM_RADEON)
+ /* It may be too early to tell. Assume it's there. */
+ return true;
+#else
+ struct path path;
+
+ if (kern_path("/lib/firmware/radeon", LOOKUP_DIRECTORY | LOOKUP_FOLLOW,
@ -58,6 +62,7 @@ missing, except for the pre-R600 KMS case.
+ }
+
+ return false;
+#endif
+}
+
+#ifdef CONFIG_DRM_RADEON_UMS
@ -76,7 +81,7 @@ missing, except for the pre-R600 KMS case.
static int radeon_kick_out_firmware_fb(struct pci_dev *pdev)
{
struct apertures_struct *ap;
@@ -346,6 +380,12 @@ static int radeon_pci_probe(struct pci_d
@@ -367,6 +406,12 @@ static int radeon_pci_probe(struct pci_d
{
int ret;
@ -89,7 +94,7 @@ missing, except for the pre-R600 KMS case.
/* Get rid of things like offb */
ret = radeon_kick_out_firmware_fb(pdev);
if (ret)
@@ -577,6 +617,7 @@ static struct pci_driver *pdriver;
@@ -586,6 +631,7 @@ static struct pci_driver *pdriver;
static struct pci_driver radeon_pci_driver = {
.name = DRIVER_NAME,
.id_table = pciidlist,

29
debian/patches/bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch vendored Normal file
View File

@ -0,0 +1,29 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 26 Oct 2014 03:39:42 +0000
Subject: rtsx_usb_ms: Use msleep_interruptible() in polling loop
Bug-Debian: https://bugs.debian.org/765717
Forwarded: http://mid.gmane.org/1415237557.3398.41.camel@decadent.org.uk
rtsx_usb_ms creates a task that mostly sleeps, but tasks in
uninterruptible sleep still contribute to the load average (for
bug-compatibility with Unix). A load average of ~1 on a system that
should be idle is somewhat alarming.
Change the sleep to be interruptible, but still ignore signals.
A better fix might be to replace this loop with a delayed work item.
diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c
index a7282b7..7356780 100644
--- a/drivers/memstick/host/rtsx_usb_ms.c
+++ b/drivers/memstick/host/rtsx_usb_ms.c
@@ -706,7 +706,8 @@ poll_again:
if (host->eject)
break;
- msleep(1000);
+ if (msleep_interruptible(1000))
+ flush_signals(current);
}
complete(&host->detect_ms_exit);

50
debian/patches/bugfix/mips/MIPS-cp1emu-Fix-ISA-restrictions-for-cop1x_op-instru.patch vendored Normal file
View File

@ -0,0 +1,50 @@
From: Markos Chandras <markos.chandras@imgtec.com>
Date: Tue, 21 Oct 2014 10:21:54 +0100
Subject: MIPS: cp1emu: Fix ISA restrictions for cop1x_op instructions
Origin: https://git.kernel.org/linus/a5466d7bba9af83a82cc7c081b2a7d557cde3204
Commit 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery") removed
the #ifdef ISA conditions and switched to runtime detection. However,
according to the instruction set manual, the cop1x_op instructions are
available in >=MIPS32r2 as well. This fixes a problem on MIPS32r2
with the ntpd package which failed to execute with a SIGILL exit code due
to the fact that a madd.d instruction was not being emulated.
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Fixes: 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery")
Cc: <stable@vger.kernel.org> # v3.16+
Cc: linux-mips@linux-mips.org
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Patchwork: https://patchwork.linux-mips.org/patch/8173/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
arch/mips/math-emu/cp1emu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index 7a47277..51a0fde 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -1023,7 +1023,7 @@ emul:
goto emul;
case cop1x_op:
- if (cpu_has_mips_4_5 || cpu_has_mips64)
+ if (cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2)
/* its one of ours */
goto emul;
@@ -1068,7 +1068,7 @@ emul:
break;
case cop1x_op:
- if (!cpu_has_mips_4_5 && !cpu_has_mips64)
+ if (!cpu_has_mips_4_5 && !cpu_has_mips64 && !cpu_has_mips32r2)
return SIGILL;
sig = fpux_emu(xcp, ctx, ir, fault_addr);
--
2.1.1

90
debian/patches/bugfix/mips/MIPS-tlbex-Properly-fix-HUGE-TLB-Refill-exception-ha.patch vendored Normal file
View File

@ -0,0 +1,90 @@
From: David Daney <david.daney@cavium.com>
Date: Mon, 20 Oct 2014 15:34:23 -0700
Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
Origin: https://git.kernel.org/linus/9e0f162a36914937a937358fcb45e0609ef2bfc4
In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
would work properly with huge pages. The change was incorrect in that
it broke the OCTEON case.
The problem is shown here:
xxx0: df7a0000 ld k0,0(k1)
.
.
.
xxxc0: df610000 ld at,0(k1)
xxxc4: 335a0ff0 andi k0,k0,0xff0
xxxc8: e825ffcd bbit1 at,0x5,0x0
xxxcc: 003ad82d daddu k1,at,k0
.
.
.
In the non-octeon case there is a destructive test for the huge PTE
bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
patch added).
In the octeon case, we modify k1 in the branch delay slot, but we
never need k0 again, so the new load is not needed, but since k1 is
modified, if we do the load, we load from a garbage location and then
get a nested TLB Refill, which is seen in userspace as either SIGBUS
or SIGSEGV (depending on the garbage).
The real fix is to only do this reloading if it is needed, and never
where it is harmful.
Signed-off-by: David Daney <david.daney@cavium.com>
Cc: Huacai Chen <chenhc@lemote.com>
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: stable@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8151/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
arch/mips/mm/tlbex.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c
index a08dd53..b5f228e 100644
--- a/arch/mips/mm/tlbex.c
+++ b/arch/mips/mm/tlbex.c
@@ -1062,6 +1062,7 @@ static void build_update_entries(u32 **p, unsigned int tmp, unsigned int ptep)
struct mips_huge_tlb_info {
int huge_pte;
int restore_scratch;
+ bool need_reload_pte;
};
static struct mips_huge_tlb_info
@@ -1076,6 +1077,7 @@ build_fast_tlb_refill_handler (u32 **p, struct uasm_label **l,
rv.huge_pte = scratch;
rv.restore_scratch = 0;
+ rv.need_reload_pte = false;
if (check_for_high_segbits) {
UASM_i_MFC0(p, tmp, C0_BADVADDR);
@@ -1264,6 +1266,7 @@ static void build_r4000_tlb_refill_handler(void)
} else {
htlb_info.huge_pte = K0;
htlb_info.restore_scratch = 0;
+ htlb_info.need_reload_pte = true;
vmalloc_mode = refill_noscratch;
/*
* create the plain linear handler
@@ -1300,7 +1303,8 @@ static void build_r4000_tlb_refill_handler(void)
}
#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
uasm_l_tlb_huge_update(&l, p);
- UASM_i_LW(&p, K0, 0, K1);
+ if (htlb_info.need_reload_pte)
+ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
build_huge_update_entries(&p, htlb_info.huge_pte, K1);
build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
htlb_info.restore_scratch);
--
2.1.1

100
debian/patches/bugfix/parisc/parisc-reduce-sigrtmin-from-37-to-32-to-behave-like-.patch vendored Normal file
View File

@ -0,0 +1,100 @@
From: Helge Deller <deller@gmx.de>
Date: Fri, 10 Oct 2014 22:20:17 +0200
Subject: parisc: Reduce SIGRTMIN from 37 to 32 to behave like other Linux
architectures
Origin: https://git.kernel.org/linus/1f25df2eff5b25f52c139d3ff31bc883eee9a0ab
Bug-Debian: https://bugs.debian.org/766635
This patch reduces the value of SIGRTMIN on PARISC from 37 to 32, thus
increasing the number of available RT signals and bring it in sync with other
Linux architectures.
Historically we wanted to natively support HP-UX 32bit binaries with the
PA-RISC Linux port. Because of that we carried the various available signals
from HP-UX (e.g. SIGEMT and SIGLOST) and folded them in between the native
Linux signals. Although this was the right decision at that time, this
required us to increase SIGRTMIN to at least 37 which left us with 27 (64-37)
RT signals.
Those 27 RT signals haven't been a problem in the past, but with the upcoming
importance of systemd we now got the problem that systemd alloctes (hardcoded)
signals up to SIGRTMIN+29 which is beyond our NSIG of 64. Because of that we
have not been able to use systemd on the PARISC Linux port yet.
Of course we could ask the systemd developers to not use those hardcoded
values, but this change is very unlikely, esp. with PA-RISC being a niche
architecture.
The other possibility would be to increase NSIG to e.g. 128, but this would
mean to duplicate most of the existing Linux signal handling code into the
parisc specific Linux kernel tree which would most likely introduce lots of new
bugs beside the code duplication.
The third option is to drop some HP-UX signals and shuffle some other signals
around to bring SIGRTMIN to 32. This is of course an ABI change, but testing
has shown that existing Linux installations are not visibly affected by this
change - most likely because we move those signals around which are rarely used
and move them to slots which haven't been used in Linux yet. In an existing
installation I was able to exchange either the Linux kernel or glibc (or both)
without affecting the boot process and installed applications.
Dropping the HP-UX signals isn't an issue either, since support for HP-UX was
basically dropped a few months back with Kernel 3.14 in commit
f5a408d53edef3af07ac7697b8bc54a755628450 already, when we changed EWOULDBLOCK
to be equal to EAGAIN.
So, even if this is an ABI change, it's better to change it now and thus bring
PARISC Linux in sync with other architectures to avoid other issues in the
future.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: Carlos O'Donell <carlos@systemhalted.org>
Cc: John David Anglin <dave.anglin@bell.net>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: PARISC Linux Kernel Mailinglist <linux-parisc@vger.kernel.org>
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
---
arch/parisc/include/uapi/asm/signal.h | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/arch/parisc/include/uapi/asm/signal.h b/arch/parisc/include/uapi/asm/signal.h
index f5645d6..10df707 100644
--- a/arch/parisc/include/uapi/asm/signal.h
+++ b/arch/parisc/include/uapi/asm/signal.h
@@ -8,12 +8,12 @@
#define SIGTRAP 5
#define SIGABRT 6
#define SIGIOT 6
-#define SIGEMT 7
+#define SIGSTKFLT 7
#define SIGFPE 8
#define SIGKILL 9
#define SIGBUS 10
#define SIGSEGV 11
-#define SIGSYS 12 /* Linux doesn't use this */
+#define SIGXCPU 12
#define SIGPIPE 13
#define SIGALRM 14
#define SIGTERM 15
@@ -32,16 +32,12 @@
#define SIGTTIN 27
#define SIGTTOU 28
#define SIGURG 29
-#define SIGLOST 30 /* Linux doesn't use this either */
-#define SIGUNUSED 31
-#define SIGRESERVE SIGUNUSED
-
-#define SIGXCPU 33
-#define SIGXFSZ 34
-#define SIGSTKFLT 36
+#define SIGXFSZ 30
+#define SIGUNUSED 31
+#define SIGSYS 31 /* Linux doesn't use this */
/* These should not be considered constants from userland. */
-#define SIGRTMIN 37
+#define SIGRTMIN 32
#define SIGRTMAX _NSIG /* it's 44 under HP/UX */
/*

135
debian/patches/bugfix/x86/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch vendored Normal file
View File

@ -0,0 +1,135 @@
From: Nadav Amit <namit@cs.technion.ac.il>
Date: Tue, 16 Sep 2014 03:24:05 +0300
Subject: KVM: x86: Check non-canonical addresses upon WRMSR
Origin: https://git.kernel.org/linus/854e8bb1aa06c578c2c9145fa6bfe3680ef63b23
Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
written to certain MSRs. The behavior is "almost" identical for AMD and Intel
(ignoring MSRs that are not implemented in either architecture since they would
anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
non-canonical address is written on Intel but not on AMD (which ignores the top
32-bits).
Accordingly, this patch injects a #GP on the MSRs which behave identically on
Intel and AMD. To eliminate the differences between the architecutres, the
value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
canonical value before writing instead of injecting a #GP.
Some references from Intel and AMD manuals:
According to Intel SDM description of WRMSR instruction #GP is expected on
WRMSR "If the source register contains a non-canonical address and ECX
specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
According to AMD manual instruction manual:
LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
form, a general-protection exception (#GP) occurs."
IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
base field must be in canonical form or a #GP fault will occur."
IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
be in canonical form."
This patch fixes CVE-2014-3610.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++
arch/x86/kvm/svm.c | 2 +-
arch/x86/kvm/vmx.c | 2 +-
arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++-
4 files changed, 42 insertions(+), 3 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -989,6 +989,20 @@ static inline void kvm_inject_gp(struct
kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
}
+static inline u64 get_canonical(u64 la)
+{
+ return ((int64_t)la << 16) >> 16;
+}
+
+static inline bool is_noncanonical_address(u64 la)
+{
+#ifdef CONFIG_X86_64
+ return get_canonical(la) != la;
+#else
+ return false;
+#endif
+}
+
#define TSS_IOPB_BASE_OFFSET 0x66
#define TSS_BASE_SIZE 0x68
#define TSS_IOPB_SIZE (65536 / 8)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3228,7 +3228,7 @@ static int wrmsr_interception(struct vcp
msr.host_initiated = false;
svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
- if (svm_set_msr(&svm->vcpu, &msr)) {
+ if (kvm_set_msr(&svm->vcpu, &msr)) {
trace_kvm_msr_write_ex(ecx, data);
kvm_inject_gp(&svm->vcpu, 0);
} else {
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5246,7 +5246,7 @@ static int handle_wrmsr(struct kvm_vcpu
msr.data = data;
msr.index = ecx;
msr.host_initiated = false;
- if (vmx_set_msr(vcpu, &msr) != 0) {
+ if (kvm_set_msr(vcpu, &msr) != 0) {
trace_kvm_msr_write_ex(ecx, data);
kvm_inject_gp(vcpu, 0);
return 1;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -948,7 +948,6 @@ void kvm_enable_efer_bits(u64 mask)
}
EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
-
/*
* Writes msr value into into the appropriate "register".
* Returns 0 on success, non-0 otherwise.
@@ -956,8 +955,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
*/
int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
{
+ switch (msr->index) {
+ case MSR_FS_BASE:
+ case MSR_GS_BASE:
+ case MSR_KERNEL_GS_BASE:
+ case MSR_CSTAR:
+ case MSR_LSTAR:
+ if (is_noncanonical_address(msr->data))
+ return 1;
+ break;
+ case MSR_IA32_SYSENTER_EIP:
+ case MSR_IA32_SYSENTER_ESP:
+ /*
+ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
+ * non-canonical address is written on Intel but not on
+ * AMD (which ignores the top 32-bits, because it does
+ * not implement 64-bit SYSENTER).
+ *
+ * 64-bit code should hence be able to write a non-canonical
+ * value on AMD. Making the address canonical ensures that
+ * vmentry does not fail on Intel after writing a non-canonical
+ * value, and that something deterministic happens if the guest
+ * invokes 64-bit SYSENTER.
+ */
+ msr->data = get_canonical(msr->data);
+ }
return kvm_x86_ops->set_msr(vcpu, msr);
}
+EXPORT_SYMBOL_GPL(kvm_set_msr);
/*
* Adapt set_msr() to msr_io()'s calling convention

229
debian/patches/bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch vendored Normal file
View File

@ -0,0 +1,229 @@
From: Nadav Amit <namit@cs.technion.ac.il>
Date: Thu, 18 Sep 2014 22:39:38 +0300
Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches
Origin: https://git.kernel.org/linus/234f3ce485d54017f15cf5e0699cff4100121601
Before changing rip (during jmp, call, ret, etc.) the target should be asserted
to be canonical one, as real CPUs do. During sysret, both target rsp and rip
should be canonical. If any of these values is noncanonical, a #GP exception
should occur. The exception to this rule are syscall and sysenter instructions
in which the assigned rip is checked during the assignment to the relevant
MSRs.
This patch fixes the emulator to behave as real CPUs do for near branches.
Far branches are handled by the next patch.
This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/emulate.c | 78 ++++++++++++++++++++++++++++++++++----------------
1 file changed, 54 insertions(+), 24 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -572,7 +572,8 @@ static int emulate_nm(struct x86_emulate
return emulate_exception(ctxt, NM_VECTOR, 0, false);
}
-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
+static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
+ int cs_l)
{
switch (ctxt->op_bytes) {
case 2:
@@ -582,16 +583,25 @@ static inline void assign_eip_near(struc
ctxt->_eip = (u32)dst;
break;
case 8:
+ if ((cs_l && is_noncanonical_address(dst)) ||
+ (!cs_l && (dst & ~(u32)-1)))
+ return emulate_gp(ctxt, 0);
ctxt->_eip = dst;
break;
default:
WARN(1, "unsupported eip assignment size\n");
}
+ return X86EMUL_CONTINUE;
+}
+
+static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
+{
+ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
}
-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
{
- assign_eip_near(ctxt, ctxt->_eip + rel);
+ return assign_eip_near(ctxt, ctxt->_eip + rel);
}
static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
@@ -1986,13 +1996,15 @@ static int em_grp45(struct x86_emulate_c
case 2: /* call near abs */ {
long int old_eip;
old_eip = ctxt->_eip;
- ctxt->_eip = ctxt->src.val;
+ rc = assign_eip_near(ctxt, ctxt->src.val);
+ if (rc != X86EMUL_CONTINUE)
+ break;
ctxt->src.val = old_eip;
rc = em_push(ctxt);
break;
}
case 4: /* jmp abs */
- ctxt->_eip = ctxt->src.val;
+ rc = assign_eip_near(ctxt, ctxt->src.val);
break;
case 5: /* jmp far */
rc = em_jmp_far(ctxt);
@@ -2024,10 +2036,14 @@ static int em_cmpxchg8b(struct x86_emula
static int em_ret(struct x86_emulate_ctxt *ctxt)
{
- ctxt->dst.type = OP_REG;
- ctxt->dst.addr.reg = &ctxt->_eip;
- ctxt->dst.bytes = ctxt->op_bytes;
- return em_pop(ctxt);
+ int rc;
+ unsigned long eip;
+
+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+ return assign_eip_near(ctxt, eip);
}
static int em_ret_far(struct x86_emulate_ctxt *ctxt)
@@ -2305,7 +2321,7 @@ static int em_sysexit(struct x86_emulate
{
const struct x86_emulate_ops *ops = ctxt->ops;
struct desc_struct cs, ss;
- u64 msr_data;
+ u64 msr_data, rcx, rdx;
int usermode;
u16 cs_sel = 0, ss_sel = 0;
@@ -2321,6 +2337,9 @@ static int em_sysexit(struct x86_emulate
else
usermode = X86EMUL_MODE_PROT32;
+ rcx = reg_read(ctxt, VCPU_REGS_RCX);
+ rdx = reg_read(ctxt, VCPU_REGS_RDX);
+
cs.dpl = 3;
ss.dpl = 3;
ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
@@ -2338,6 +2357,9 @@ static int em_sysexit(struct x86_emulate
ss_sel = cs_sel + 8;
cs.d = 0;
cs.l = 1;
+ if (is_noncanonical_address(rcx) ||
+ is_noncanonical_address(rdx))
+ return emulate_gp(ctxt, 0);
break;
}
cs_sel |= SELECTOR_RPL_MASK;
@@ -2346,8 +2368,8 @@ static int em_sysexit(struct x86_emulate
ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
+ ctxt->_eip = rdx;
+ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
return X86EMUL_CONTINUE;
}
@@ -2888,10 +2910,13 @@ static int em_aad(struct x86_emulate_ctx
static int em_call(struct x86_emulate_ctxt *ctxt)
{
+ int rc;
long rel = ctxt->src.val;
ctxt->src.val = (unsigned long)ctxt->_eip;
- jmp_rel(ctxt, rel);
+ rc = jmp_rel(ctxt, rel);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
return em_push(ctxt);
}
@@ -2923,11 +2948,12 @@ static int em_call_far(struct x86_emulat
static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
{
int rc;
+ unsigned long eip;
- ctxt->dst.type = OP_REG;
- ctxt->dst.addr.reg = &ctxt->_eip;
- ctxt->dst.bytes = ctxt->op_bytes;
- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rc = assign_eip_near(ctxt, eip);
if (rc != X86EMUL_CONTINUE)
return rc;
rsp_increment(ctxt, ctxt->src.val);
@@ -3257,20 +3283,24 @@ static int em_lmsw(struct x86_emulate_ct
static int em_loop(struct x86_emulate_ctxt *ctxt)
{
+ int rc = X86EMUL_CONTINUE;
+
register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
(ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
- jmp_rel(ctxt, ctxt->src.val);
+ rc = jmp_rel(ctxt, ctxt->src.val);
- return X86EMUL_CONTINUE;
+ return rc;
}
static int em_jcxz(struct x86_emulate_ctxt *ctxt)
{
+ int rc = X86EMUL_CONTINUE;
+
if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
- jmp_rel(ctxt, ctxt->src.val);
+ rc = jmp_rel(ctxt, ctxt->src.val);
- return X86EMUL_CONTINUE;
+ return rc;
}
static int em_in(struct x86_emulate_ctxt *ctxt)
@@ -4671,7 +4701,7 @@ special_insn:
break;
case 0x70 ... 0x7f: /* jcc (short) */
if (test_cc(ctxt->b, ctxt->eflags))
- jmp_rel(ctxt, ctxt->src.val);
+ rc = jmp_rel(ctxt, ctxt->src.val);
break;
case 0x8d: /* lea r16/r32, m */
ctxt->dst.val = ctxt->src.addr.mem.ea;
@@ -4700,7 +4730,7 @@ special_insn:
break;
case 0xe9: /* jmp rel */
case 0xeb: /* jmp rel short */
- jmp_rel(ctxt, ctxt->src.val);
+ rc = jmp_rel(ctxt, ctxt->src.val);
ctxt->dst.type = OP_NONE; /* Disable writeback. */
break;
case 0xf4: /* hlt */
@@ -4820,7 +4850,7 @@ twobyte_insn:
break;
case 0x80 ... 0x8f: /* jnz rel, etc*/
if (test_cc(ctxt->b, ctxt->eflags))
- jmp_rel(ctxt, ctxt->src.val);
+ rc = jmp_rel(ctxt, ctxt->src.val);
break;
case 0x90 ... 0x9f: /* setcc r/m8 */
ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);

60
debian/patches/bugfix/x86/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch vendored Normal file
View File

@ -0,0 +1,60 @@
From: Nadav Amit <namit@cs.technion.ac.il>
Date: Thu, 18 Sep 2014 22:39:37 +0300
Subject: KVM: x86: Fix wrong masking on relative jump/call
Origin: https://git.kernel.org/linus/05c83ec9b73c8124555b706f6af777b10adf0862
Relative jumps and calls do the masking according to the operand size, and not
according to the address size as the KVM emulator does today.
This patch fixes KVM behavior.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -499,11 +499,6 @@ static void rsp_increment(struct x86_emu
masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
}
-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
-{
- register_address_increment(ctxt, &ctxt->_eip, rel);
-}
-
static u32 desc_limit_scaled(struct desc_struct *desc)
{
u32 limit = get_desc_limit(desc);
@@ -577,6 +572,28 @@ static int emulate_nm(struct x86_emulate
return emulate_exception(ctxt, NM_VECTOR, 0, false);
}
+static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
+{
+ switch (ctxt->op_bytes) {
+ case 2:
+ ctxt->_eip = (u16)dst;
+ break;
+ case 4:
+ ctxt->_eip = (u32)dst;
+ break;
+ case 8:
+ ctxt->_eip = dst;
+ break;
+ default:
+ WARN(1, "unsupported eip assignment size\n");
+ }
+}
+
+static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+{
+ assign_eip_near(ctxt, ctxt->_eip + rel);
+}
+
static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
{
u16 selector;

245
debian/patches/bugfix/x86/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch vendored Normal file
View File

@ -0,0 +1,245 @@
From: Nadav Amit <namit@cs.technion.ac.il>
Date: Thu, 18 Sep 2014 22:39:39 +0300
Subject: KVM: x86: Handle errors when RIP is set during far jumps
Origin: https://git.kernel.org/linus/d1442d85cc30ea75f7d399474ca738e0bc96f715
Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
handle this case, and may result in failed vm-entry once the assignment is
done. The tricky part of doing so is that loading the new CS affects the
VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
unconsistent state. Therefore, this patch saves on 64-bit the old CS
descriptor and restores it if loading RIP failed.
This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/emulate.c | 118 ++++++++++++++++++++++++++++++++++++-------------
1 file changed, 88 insertions(+), 30 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1442,7 +1442,9 @@ static int write_segment_descriptor(stru
/* Does not support long mode */
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- u16 selector, int seg, u8 cpl, bool in_task_switch)
+ u16 selector, int seg, u8 cpl,
+ bool in_task_switch,
+ struct desc_struct *desc)
{
struct desc_struct seg_desc, old_desc;
u8 dpl, rpl;
@@ -1574,6 +1576,8 @@ static int __load_segment_descriptor(str
}
load:
ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
+ if (desc)
+ *desc = seg_desc;
return X86EMUL_CONTINUE;
exception:
emulate_exception(ctxt, err_vec, err_code, true);
@@ -1584,7 +1588,7 @@ static int load_segment_descriptor(struc
u16 selector, int seg)
{
u8 cpl = ctxt->ops->cpl(ctxt);
- return __load_segment_descriptor(ctxt, selector, seg, cpl, false);
+ return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
}
static void write_register_operand(struct operand *op)
@@ -1978,17 +1982,31 @@ static int em_iret(struct x86_emulate_ct
static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
{
int rc;
- unsigned short sel;
+ unsigned short sel, old_sel;
+ struct desc_struct old_desc, new_desc;
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ u8 cpl = ctxt->ops->cpl(ctxt);
+
+ /* Assignment of RIP may only fail in 64-bit mode */
+ if (ctxt->mode == X86EMUL_MODE_PROT64)
+ ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
+ VCPU_SREG_CS);
memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
+ &new_desc);
if (rc != X86EMUL_CONTINUE)
return rc;
- ctxt->_eip = 0;
- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
- return X86EMUL_CONTINUE;
+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
+ if (rc != X86EMUL_CONTINUE) {
+ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+ /* assigning eip failed; restore the old cs */
+ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
+ return rc;
+ }
+ return rc;
}
static int em_grp45(struct x86_emulate_ctxt *ctxt)
@@ -2055,21 +2073,34 @@ static int em_ret(struct x86_emulate_ctx
static int em_ret_far(struct x86_emulate_ctxt *ctxt)
{
int rc;
- unsigned long cs;
+ unsigned long eip, cs;
+ u16 old_cs;
int cpl = ctxt->ops->cpl(ctxt);
+ struct desc_struct old_desc, new_desc;
+ const struct x86_emulate_ops *ops = ctxt->ops;
+
+ if (ctxt->mode == X86EMUL_MODE_PROT64)
+ ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
+ VCPU_SREG_CS);
- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
if (rc != X86EMUL_CONTINUE)
return rc;
- if (ctxt->op_bytes == 4)
- ctxt->_eip = (u32)ctxt->_eip;
rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
if (rc != X86EMUL_CONTINUE)
return rc;
/* Outer-privilege level return is not implemented */
if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
return X86EMUL_UNHANDLEABLE;
- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
+ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, false,
+ &new_desc);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rc = assign_eip_far(ctxt, eip, new_desc.l);
+ if (rc != X86EMUL_CONTINUE) {
+ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
+ }
return rc;
}
@@ -2496,19 +2527,24 @@ static int load_state_from_tss16(struct
* Now load segment descriptors. If fault happens at this stage
* it is handled in a context of new task
*/
- ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
@@ -2633,25 +2669,32 @@ static int load_state_from_tss32(struct
* Now load segment descriptors. If fault happenes at this stage
* it is handled in a context of new task
*/
- ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
+ cpl, true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
- ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, true);
+ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
+ true, NULL);
if (ret != X86EMUL_CONTINUE)
return ret;
@@ -2934,24 +2977,39 @@ static int em_call_far(struct x86_emulat
u16 sel, old_cs;
ulong old_eip;
int rc;
+ struct desc_struct old_desc, new_desc;
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ int cpl = ctxt->ops->cpl(ctxt);
- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
old_eip = ctxt->_eip;
+ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
+ &new_desc);
+ if (rc != X86EMUL_CONTINUE)
return X86EMUL_CONTINUE;
- ctxt->_eip = 0;
- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
+ if (rc != X86EMUL_CONTINUE)
+ goto fail;
ctxt->src.val = old_cs;
rc = em_push(ctxt);
if (rc != X86EMUL_CONTINUE)
- return rc;
+ goto fail;
ctxt->src.val = old_eip;
- return em_push(ctxt);
+ rc = em_push(ctxt);
+ /* If we failed, we tainted the memory, but the very least we should
+ restore cs */
+ if (rc != X86EMUL_CONTINUE)
+ goto fail;
+ return rc;
+fail:
+ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
+ return rc;
+
}
static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)

34
debian/patches/bugfix/x86/KVM-x86-Improve-thread-safety-in-pit.patch vendored Normal file
View File

@ -0,0 +1,34 @@
From: Andy Honig <ahonig@google.com>
Date: Wed, 27 Aug 2014 14:42:54 -0700
Subject: KVM: x86: Improve thread safety in pit
Origin: https://git.kernel.org/linus/2febc839133280d5a5e8e1179c94ea674489dae2
There's a race condition in the PIT emulation code in KVM. In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization. If the race condition occurs at the wrong time this
can crash the host kernel.
This fixes CVE-2014-3611.
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/i8254.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 518d864..298781d 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
return;
timer = &pit->pit_state.timer;
+ mutex_lock(&pit->pit_state.lock);
if (hrtimer_cancel(timer))
hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
+ mutex_unlock(&pit->pit_state.lock);
}
static void destroy_pit_timer(struct kvm_pit *pit)

81
debian/patches/bugfix/x86/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch vendored Normal file
View File

@ -0,0 +1,81 @@
From: Andy Honig <ahonig@google.com>
Date: Wed, 27 Aug 2014 11:16:44 -0700
Subject: KVM: x86: Prevent host from panicking on shared MSR writes.
Origin: https://git.kernel.org/linus/8b3c3104c3f4f706e99365c3e0d2aa61b95f969f
The previous patch blocked invalid writes directly when the MSR
is written. As a precaution, prevent future similar mistakes by
gracefulling handle GPs caused by writes to shared MSRs.
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
[Remove parts obsoleted by Nadav's patch. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/vmx.c | 7 +++++--
arch/x86/kvm/x86.c | 11 ++++++++---
3 files changed, 14 insertions(+), 6 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1061,7 +1061,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp
void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
void kvm_define_shared_msr(unsigned index, u32 msr);
-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2615,12 +2615,15 @@ static int vmx_set_msr(struct kvm_vcpu *
default:
msr = find_msr_entry(vmx, msr_index);
if (msr) {
+ u64 old_msr_data = msr->data;
msr->data = data;
if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
preempt_disable();
- kvm_set_shared_msr(msr->index, msr->data,
- msr->mask);
+ ret = kvm_set_shared_msr(msr->index, msr->data,
+ msr->mask);
preempt_enable();
+ if (ret)
+ msr->data = old_msr_data;
}
break;
}
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -227,20 +227,25 @@ static void kvm_shared_msr_cpu_online(vo
shared_msr_update(i, shared_msrs_global.msrs[i]);
}
-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
{
unsigned int cpu = smp_processor_id();
struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
+ int err;
if (((value ^ smsr->values[slot].curr) & mask) == 0)
- return;
+ return 0;
smsr->values[slot].curr = value;
- wrmsrl(shared_msrs_global.msrs[slot], value);
+ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
+ if (err)
+ return 1;
+
if (!smsr->registered) {
smsr->urn.on_user_return = kvm_on_user_return;
user_return_notifier_register(&smsr->urn);
smsr->registered = true;
}
+ return 0;
}
EXPORT_SYMBOL_GPL(kvm_set_shared_msr);

72
debian/patches/bugfix/x86/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch vendored Normal file
View File

@ -0,0 +1,72 @@
From: Petr Matousek <pmatouse@redhat.com>
Date: Tue, 23 Sep 2014 20:22:30 +0200
Subject: kvm: vmx: handle invvpid vm exit gracefully
Origin: https://git.kernel.org/linus/a642fc305053cc1c6e47e4f4df327895747ab485
On systems with invvpid instruction support (corresponding bit in
IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
causes vm exit, which is currently not handled and results in
propagation of unknown exit to userspace.
Fix this by installing an invvpid vm exit handler.
This is CVE-2014-3646.
Cc: stable@vger.kernel.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/include/uapi/asm/vmx.h | 2 ++
arch/x86/kvm/vmx.c | 9 ++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
--- a/arch/x86/include/uapi/asm/vmx.h
+++ b/arch/x86/include/uapi/asm/vmx.h
@@ -67,6 +67,7 @@
#define EXIT_REASON_EPT_MISCONFIG 49
#define EXIT_REASON_INVEPT 50
#define EXIT_REASON_PREEMPTION_TIMER 52
+#define EXIT_REASON_INVVPID 53
#define EXIT_REASON_WBINVD 54
#define EXIT_REASON_XSETBV 55
#define EXIT_REASON_APIC_WRITE 56
@@ -114,6 +115,7 @@
{ EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \
{ EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \
{ EXIT_REASON_INVD, "INVD" }, \
+ { EXIT_REASON_INVVPID, "INVVPID" }, \
{ EXIT_REASON_INVPCID, "INVPCID" }
#endif /* _UAPIVMX_H */
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6618,6 +6618,12 @@ static int handle_invept(struct kvm_vcpu
return 1;
}
+static int handle_invvpid(struct kvm_vcpu *vcpu)
+{
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
+}
+
/*
* The exit handlers return 1 if the exit was handled fully and guest execution
* may resume. Otherwise they set the kvm_run parameter to indicate what needs
@@ -6663,6 +6669,7 @@ static int (*const kvm_vmx_exit_handlers
[EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait,
[EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor,
[EXIT_REASON_INVEPT] = handle_invept,
+ [EXIT_REASON_INVVPID] = handle_invvpid,
};
static const int kvm_vmx_max_exit_handlers =
@@ -6896,7 +6903,7 @@ static bool nested_vmx_exit_handled(stru
case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
- case EXIT_REASON_INVEPT:
+ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
/*
* VMX instructions trap unconditionally. This allows L1 to
* emulate them for its L2 guest, i.e., allows 3-level nesting!

58
debian/patches/bugfix/x86/kvm-x86-fix-far-jump-to-non-canonical-check.patch vendored Normal file
View File

@ -0,0 +1,58 @@
From: Nadav Amit <namit@cs.technion.ac.il>
Date: Tue, 28 Oct 2014 00:03:43 +0200
Subject: KVM: x86: Fix far-jump to non-canonical check
Origin: https://git.kernel.org/linus/7e46dddd6f6cd5dbf3c7bd04a7e75d19475ac9f2
Commit d1442d85cc30 ("KVM: x86: Handle errors when RIP is set during far
jumps") introduced a bug that caused the fix to be incomplete. Due to
incorrect evaluation, far jump to segment with L bit cleared (i.e., 32-bit
segment) and RIP with any of the high bits set (i.e, RIP[63:32] != 0) set may
not trigger #GP. As we know, this imposes a security problem.
In addition, the condition for two warnings was incorrect.
Fixes: d1442d85cc30ea75f7d399474ca738e0bc96f715
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
[Add #ifdef CONFIG_X86_64 to avoid complaints of undefined behavior. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/emulate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -582,12 +582,14 @@ static inline int assign_eip_far(struct
case 4:
ctxt->_eip = (u32)dst;
break;
+#ifdef CONFIG_X86_64
case 8:
if ((cs_l && is_noncanonical_address(dst)) ||
- (!cs_l && (dst & ~(u32)-1)))
+ (!cs_l && (dst >> 32) != 0))
return emulate_gp(ctxt, 0);
ctxt->_eip = dst;
break;
+#endif
default:
WARN(1, "unsupported eip assignment size\n");
}
@@ -1998,7 +2000,7 @@ static int em_jmp_far(struct x86_emulate
rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
if (rc != X86EMUL_CONTINUE) {
- WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
/* assigning eip failed; restore the old cs */
ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
return rc;
@@ -2092,7 +2094,7 @@ static int em_ret_far(struct x86_emulate
return rc;
rc = assign_eip_far(ctxt, eip, new_desc.l);
if (rc != X86EMUL_CONTINUE) {
- WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
+ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
}
return rc;

1
debian/patches/debian/i2o-disable-i2o_ext_adaptec-on-64bit.patch vendored
View File

@ -1,6 +1,7 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 12 Sep 2014 13:24:26 +0100
Subject: i2o: Disable I2O_EXT_ADAPTEC on 64-bit
Forwarded: no
The code it enables works uses 32-bit numbers for userland virtual
addresses:

49
debian/patches/features/all/mmc_block-increase-max_devices.patch vendored Normal file
View File

@ -0,0 +1,49 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 26 Oct 2014 02:09:23 +0000
Subject: mmc_block: Increase max_devices
Bug-Debian: https://bugs.debian.org/765621
Forwarded: http://mid.gmane.org/1415244909.3398.51.camel@decadent.org.uk
Currently the driver imposes a limit of 256 total minor numbers,
apparently based on the historic Unix/Linux limit. This is quite
restrictive, particularly if we raise the maximum number of
partitions per card to 256 to match sd.
In order to make the full minor number space available we would
have to replace the static dev_use and name_use arrays with struct
ida. But we can at least allow use of 256 cards rather than just
256 minors, with only a small change.
---
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -78,13 +78,16 @@ static int perdev_minors = CONFIG_MMC_BL
/*
* We've only got one major, so number of mmcblk devices is
- * limited to 256 / number of minors per device.
+ * limited to (1 << 20) / number of minors per device. It is also
+ * currently limited by the size of the static bitmaps below.
*/
static int max_devices;
-/* 256 minors, so at most 256 separate devices */
-static DECLARE_BITMAP(dev_use, 256);
-static DECLARE_BITMAP(name_use, 256);
+#define MAX_DEVICES 256
+
+/* TODO: Replace these with struct ida */
+static DECLARE_BITMAP(dev_use, MAX_DEVICES);
+static DECLARE_BITMAP(name_use, MAX_DEVICES);
/*
* There is one mmc_blk_data per slot.
@@ -2558,7 +2561,7 @@ static int __init mmc_blk_init(void)
if (perdev_minors != CONFIG_MMC_BLOCK_MINORS)
pr_info("mmcblk: using %d minors per device\n", perdev_minors);
- max_devices = 256 / perdev_minors;
+ max_devices = min(MAX_DEVICES, (1 << MINORBITS) / perdev_minors);
res = register_blkdev(MMC_BLOCK_MAJOR, "mmc");
if (res)

26
debian/patches/features/all/wireless-rt2x00-add-new-rt2800usb-device.patch vendored Normal file
View File

@ -0,0 +1,26 @@
From: Cyril Brulebois <kibi@debian.org>
Date: Sun, 26 Oct 2014 12:33:38 +0100
Subject: wireless: rt2x00: add new rt2800usb device
Bug-Debian: https://bugs.debian.org/766802
Forwarded: http://article.gmane.org/gmane.linux.kernel/1815824
0x1b75 0xa200 AirLive WN-200USB wireless 11b/g/n dongle
References: https://bugs.debian.org/766802
Reported-by: Martin Mokrejs <mmokrejs@fold.natur.cuni.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Cyril Brulebois <kibi@debian.org>
---
drivers/net/wireless/rt2x00/rt2800usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/rt2x00/rt2800usb.c
+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
@@ -1111,6 +1111,7 @@ static struct usb_device_id rt2800usb_de
/* Ovislink */
{ USB_DEVICE(0x1b75, 0x3071) },
{ USB_DEVICE(0x1b75, 0x3072) },
+ { USB_DEVICE(0x1b75, 0xa200) },
/* Para */
{ USB_DEVICE(0x20b8, 0x8888) },
/* Pegatron */

246
debian/patches/features/arm/dts-sun7i-Add-Banana-Pi-board.patch vendored Normal file
View File

@ -0,0 +1,246 @@
From: Hans de Goede <hdegoede@redhat.com>
Subject: [PATCH v2 3/3] ARM: dts: sun7i: Add Banana Pi board
Date: Wed, 1 Oct 2014 09:26:06 +0200
Origin: https://git.kernel.org/cgit/linux/kernel/git/mripard/linux.git/commit/?id=8a5b272fbf446ce475bb434b956a45a666936af4
The Banana Pi is an A20 based development board using Raspberry Pi compatible
IO headers. It comes with 1 GB RAM, 1 Gb ethernet, 2x USB host, sata, hdmi
and stereo audio out + various expenansion headers:
http://www.lemaker.org/
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
---
arch/arm/boot/dts/Makefile | 1 +
arch/arm/boot/dts/sun7i-a20-bananapi.dts | 214 +++++++++++++++++++++++++++++++
2 files changed, 215 insertions(+)
create mode 100644 arch/arm/boot/dts/sun7i-a20-bananapi.dts
--- a/arch/arm/boot/dts/Makefile
+++ b/arch/arm/boot/dts/Makefile
@@ -414,6 +414,7 @@ dtb-$(CONFIG_MACH_SUN6I) += \
sun6i-a31-hummingbird.dtb \
sun6i-a31-m9.dtb
dtb-$(CONFIG_MACH_SUN7I) += \
+ sun7i-a20-bananapi.dtb \
sun7i-a20-cubieboard2.dtb \
sun7i-a20-cubietruck.dtb \
sun7i-a20-i12-tvbox.dtb \
--- /dev/null
+++ b/arch/arm/boot/dts/sun7i-a20-bananapi.dts
@@ -0,0 +1,214 @@
+/*
+ * Copyright 2014 Hans de Goede <hdegoede@redhat.com>
+ *
+ * Hans de Goede <hdegoede@redhat.com>
+ *
+ * This file is dual-licensed: you can use it either under the terms
+ * of the GPL or the X11 license, at your option. Note that this dual
+ * licensing only applies to this file, and not this project as a
+ * whole.
+ *
+ * a) This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public
+ * License along with this library; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ *
+ * Or, alternatively,
+ *
+ * b) Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+/dts-v1/;
+/include/ "sun7i-a20.dtsi"
+/include/ "sunxi-common-regulators.dtsi"
+
+/ {
+ model = "LeMaker Banana Pi";
+ compatible = "lemaker,bananapi", "allwinner,sun7i-a20";
+
+ soc@01c00000 {
+ spi0: spi@01c05000 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&spi0_pins_a>;
+ status = "okay";
+ };
+
+ mmc0: mmc@01c0f000 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc0_pins_a>, <&mmc0_cd_pin_bananapi>;
+ vmmc-supply = <&reg_vcc3v3>;
+ bus-width = <4>;
+ cd-gpios = <&pio 7 10 0>; /* PH10 */
+ cd-inverted;
+ status = "okay";
+ };
+
+ usbphy: phy@01c13400 {
+ usb1_vbus-supply = <&reg_usb1_vbus>;
+ usb2_vbus-supply = <&reg_usb2_vbus>;
+ status = "okay";
+ };
+
+ ehci0: usb@01c14000 {
+ status = "okay";
+ };
+
+ ohci0: usb@01c14400 {
+ status = "okay";
+ };
+
+ ahci: sata@01c18000 {
+ status = "okay";
+ };
+
+ ehci1: usb@01c1c000 {
+ status = "okay";
+ };
+
+ ohci1: usb@01c1c400 {
+ status = "okay";
+ };
+
+ pinctrl@01c20800 {
+ mmc0_cd_pin_bananapi: mmc0_cd_pin@0 {
+ allwinner,pins = "PH10";
+ allwinner,function = "gpio_in";
+ allwinner,drive = <0>;
+ allwinner,pull = <1>;
+ };
+
+ gmac_power_pin_bananapi: gmac_power_pin@0 {
+ allwinner,pins = "PH23";
+ allwinner,function = "gpio_out";
+ allwinner,drive = <0>;
+ allwinner,pull = <0>;
+ };
+
+ led_pins_bananapi: led_pins@0 {
+ allwinner,pins = "PH24";
+ allwinner,function = "gpio_out";
+ allwinner,drive = <0>;
+ allwinner,pull = <0>;
+ };
+ };
+
+ ir0: ir@01c21800 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&ir0_pins_a>;
+ status = "okay";
+ };
+
+ uart0: serial@01c28000 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart0_pins_a>;
+ status = "okay";
+ };
+
+ uart3: serial@01c28c00 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart3_pins_b>;
+ status = "okay";
+ };
+
+ uart7: serial@01c29c00 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&uart7_pins_a>;
+ status = "okay";
+ };
+
+ i2c0: i2c@01c2ac00 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2c0_pins_a>;
+ status = "okay";
+
+ axp209: pmic@34 {
+ compatible = "x-powers,axp209";
+ reg = <0x34>;
+ interrupt-parent = <&nmi_intc>;
+ interrupts = <0 8>;
+
+ interrupt-controller;
+ #interrupt-cells = <1>;
+ };
+ };
+
+ i2c2: i2c@01c2b400 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2c2_pins_a>;
+ status = "okay";
+ };
+
+ gmac: ethernet@01c50000 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&gmac_pins_rgmii_a>;
+ phy = <&phy1>;
+ phy-mode = "rgmii";
+ phy-supply = <&reg_gmac_3v3>;
+ status = "okay";
+
+ phy1: ethernet-phy@1 {
+ reg = <1>;
+ };
+ };
+ };
+
+ leds {
+ compatible = "gpio-leds";
+ pinctrl-names = "default";
+ pinctrl-0 = <&led_pins_bananapi>;
+
+ green {
+ label = "bananapi:green:usr";
+ gpios = <&pio 7 24 0>;
+ };
+ };
+
+ reg_usb1_vbus: usb1-vbus {
+ status = "okay";
+ };
+
+ reg_usb2_vbus: usb2-vbus {
+ status = "okay";
+ };
+
+ reg_gmac_3v3: gmac-3v3 {
+ compatible = "regulator-fixed";
+ pinctrl-names = "default";
+ pinctrl-0 = <&gmac_power_pin_bananapi>;
+ regulator-name = "gmac-3v3";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+ startup-delay-us = <50000>;
+ enable-active-high;
+ gpio = <&pio 7 23 0>;
+ };
+};

29
debian/patches/features/arm/dts-sun7i-Add-spi0_pins_a-pinctrl-setting.patch vendored Normal file
View File

@ -0,0 +1,29 @@
From: Hans de Goede <hdegoede@redhat.com>
Subject: [PATCH v2 1/3] ARM: dts: sun7i: Add spi0_pins_a pinctrl setting
Date: Wed, 1 Oct 2014 09:26:04 +0200
Origin: https://git.kernel.org/cgit/linux/kernel/git/mripard/linux.git/commit/?id=a99eb770b4ab561434c9049b7b09cf40e27d3a55
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
---
arch/arm/boot/dts/sun7i-a20.dtsi | 7 +++++++
1 file changed, 7 insertions(+)
Index: linux-3.16.3/arch/arm/boot/dts/sun7i-a20.dtsi
===================================================================
--- linux-3.16.3.orig/arch/arm/boot/dts/sun7i-a20.dtsi
+++ linux-3.16.3/arch/arm/boot/dts/sun7i-a20.dtsi
@@ -704,6 +704,13 @@
allwinner,pull = <0>;
};
+ spi0_pins_a: spi0@0 {
+ allwinner,pins = "PI10", "PI11", "PI12", "PI13", "PI14";
+ allwinner,function = "spi0";
+ allwinner,drive = <0>;
+ allwinner,pull = <0>;
+ };
+
spi1_pins_a: spi1@0 {
allwinner,pins = "PI16", "PI17", "PI18", "PI19";
allwinner,function = "spi1";

Some files were not shown because too many files have changed in this diff Show More