debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

Update to 4.4-rc4 

Refresh and drop patches as appropriate.

- Rewrite memcg disable patch to operate on cgroup_disable_mask
- The ancient Advansys Kconfig bug was fixed (differently) upstream
- ft1000 driver is gone, so we no longer need to remove its firmware
- One hunk of aufs4-mmap.patch is obsolete
This commit is contained in:
Ben Hutchings 2015-12-10 18:13:16 +00:00
parent 2ba9bb2d09
commit 824b04a59d
31 changed files with 94 additions and 1984 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
linux (4.4~rc4-1~exp1) UNRELEASED; urgency=medium
* New upstream release candidate
-- Ben Hutchings <ben@decadent.org.uk> Thu, 10 Dec 2015 17:34:39 +0000
linux (4.3-1~exp2) experimental; urgency=medium
[ Ben Hutchings ]

283
debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch vendored
View File

@ -1,283 +0,0 @@
From: Filipe Manana <fdmanana@suse.com>
Date: Fri, 16 Oct 2015 12:34:25 +0100
Subject: Btrfs: fix truncation of compressed and inlined extents
Origin: https://git.kernel.org/linus/0305cd5f7fca85dae392b9ba85b116896eb7c1c7
When truncating a file to a smaller size which consists of an inline
extent that is compressed, we did not discard (or made unusable) the
data between the new file size and the old file size, wasting metadata
space and allowing for the truncated data to be leaked and the data
corruption/loss mentioned below.
We were also not correctly decrementing the number of bytes used by the
inode, we were setting it to zero, giving a wrong report for callers of
the stat(2) syscall. The fsck tool also reported an error about a mismatch
between the nbytes of the file versus the real space used by the file.
Now because we weren't discarding the truncated region of the file, it
was possible for a caller of the clone ioctl to actually read the data
that was truncated, allowing for a security breach without requiring root
access to the system, using only standard filesystem operations. The
scenario is the following:
1) User A creates a file which consists of an inline and compressed
extent with a size of 2000 bytes - the file is not accessible to
any other users (no read, write or execution permission for anyone
else);
2) The user truncates the file to a size of 1000 bytes;
3) User A makes the file world readable;
4) User B creates a file consisting of an inline extent of 2000 bytes;
5) User B issues a clone operation from user A's file into its own
file (using a length argument of 0, clone the whole range);
6) User B now gets to see the 1000 bytes that user A truncated from
its file before it made its file world readbale. User B also lost
the bytes in the range [1000, 2000[ bytes from its own file, but
that might be ok if his/her intention was reading stale data from
user A that was never supposed to be public.
Note that this contrasts with the case where we truncate a file from 2000
bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In
this case reading any byte from the range [1000, 2000[ will return a value
of 0x00, instead of the original data.
This problem exists since the clone ioctl was added and happens both with
and without my recent data loss and file corruption fixes for the clone
ioctl (patch "Btrfs: fix file corruption and data loss after cloning
inline extents").
So fix this by truncating the compressed inline extents as we do for the
non-compressed case, which involves decompressing, if the data isn't already
in the page cache, compressing the truncated version of the extent, writing
the compressed content into the inline extent and then truncate it.
The following test case for fstests reproduces the problem. In order for
the test to pass both this fix and my previous fix for the clone ioctl
that forbids cloning a smaller inline extent into a larger one,
which is titled "Btrfs: fix file corruption and data loss after cloning
inline extents", are needed. Without that other fix the test fails in a
different way that does not leak the truncated data, instead part of
destination file gets replaced with zeroes (because the destination file
has a larger inline extent than the source).
seq=`basename $0`
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"
tmp=/tmp/$$
status=1 # failure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15
_cleanup()
{
rm -f $tmp.*
}
# get standard environment, filters and checks
. ./common/rc
. ./common/filter
# real QA test starts here
_need_to_be_root
_supported_fs btrfs
_supported_os Linux
_require_scratch
_require_cloner
rm -f $seqres.full
_scratch_mkfs >>$seqres.full 2>&1
_scratch_mount "-o compress"
# Create our test files. File foo is going to be the source of a clone operation
# and consists of a single inline extent with an uncompressed size of 512 bytes,
# while file bar consists of a single inline extent with an uncompressed size of
# 256 bytes. For our test's purpose, it's important that file bar has an inline
# extent with a size smaller than foo's inline extent.
$XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128" \
-c "pwrite -S 0x2a 128 384" \
$SCRATCH_MNT/foo | _filter_xfs_io
$XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io
# Now durably persist all metadata and data. We do this to make sure that we get
# on disk an inline extent with a size of 512 bytes for file foo.
sync
# Now truncate our file foo to a smaller size. Because it consists of a
# compressed and inline extent, btrfs did not shrink the inline extent to the
# new size (if the extent was not compressed, btrfs would shrink it to 128
# bytes), it only updates the inode's i_size to 128 bytes.
$XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo
# Now clone foo's inline extent into bar.
# This clone operation should fail with errno EOPNOTSUPP because the source
# file consists only of an inline extent and the file's size is smaller than
# the inline extent of the destination (128 bytes < 256 bytes). However the
# clone ioctl was not prepared to deal with a file that has a size smaller
# than the size of its inline extent (something that happens only for compressed
# inline extents), resulting in copying the full inline extent from the source
# file into the destination file.
#
# Note that btrfs' clone operation for inline extents consists of removing the
# inline extent from the destination inode and copy the inline extent from the
# source inode into the destination inode, meaning that if the destination
# inode's inline extent is larger (N bytes) than the source inode's inline
# extent (M bytes), some bytes (N - M bytes) will be lost from the destination
# file. Btrfs could copy the source inline extent's data into the destination's
# inline extent so that we would not lose any data, but that's currently not
# done due to the complexity that would be needed to deal with such cases
# (specially when one or both extents are compressed), returning EOPNOTSUPP, as
# it's normally not a very common case to clone very small files (only case
# where we get inline extents) and copying inline extents does not save any
# space (unlike for normal, non-inlined extents).
$CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
# Now because the above clone operation used to succeed, and due to foo's inline
# extent not being shinked by the truncate operation, our file bar got the whole
# inline extent copied from foo, making us lose the last 128 bytes from bar
# which got replaced by the bytes in range [128, 256[ from foo before foo was
# truncated - in other words, data loss from bar and being able to read old and
# stale data from foo that should not be possible to read anymore through normal
# filesystem operations. Contrast with the case where we truncate a file from a
# size N to a smaller size M, truncate it back to size N and then read the range
# [M, N[, we should always get the value 0x00 for all the bytes in that range.
# We expected the clone operation to fail with errno EOPNOTSUPP and therefore
# not modify our file's bar data/metadata. So its content should be 256 bytes
# long with all bytes having the value 0xbb.
#
# Without the btrfs bug fix, the clone operation succeeded and resulted in
# leaking truncated data from foo, the bytes that belonged to its range
# [128, 256[, and losing data from bar in that same range. So reading the
# file gave us the following content:
#
# 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1
# *
# 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
# *
# 0000400
echo "File bar's content after the clone operation:"
od -t x1 $SCRATCH_MNT/bar
# Also because the foo's inline extent was not shrunk by the truncate
# operation, btrfs' fsck, which is run by the fstests framework everytime a
# test completes, failed reporting the following error:
#
# root 5 inode 257 errors 400, nbytes wrong
status=0
exit
Cc: stable@vger.kernel.org
Signed-off-by: Filipe Manana <fdmanana@suse.com>
---
fs/btrfs/inode.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 68 insertions(+), 14 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4184,6 +4184,47 @@ static int truncate_space_check(struct b
}
+static int truncate_inline_extent(struct inode *inode,
+ struct btrfs_path *path,
+ struct btrfs_key *found_key,
+ const u64 item_end,
+ const u64 new_size)
+{
+ struct extent_buffer *leaf = path->nodes[0];
+ int slot = path->slots[0];
+ struct btrfs_file_extent_item *fi;
+ u32 size = (u32)(new_size - found_key->offset);
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+
+ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
+
+ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) {
+ loff_t offset = new_size;
+ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE);
+
+ /*
+ * Zero out the remaining of the last page of our inline extent,
+ * instead of directly truncating our inline extent here - that
+ * would be much more complex (decompressing all the data, then
+ * compressing the truncated data, which might be bigger than
+ * the size of the inline extent, resize the extent, etc).
+ * We release the path because to get the page we might need to
+ * read the extent item from disk (data not in the page cache).
+ */
+ btrfs_release_path(path);
+ return btrfs_truncate_page(inode, offset, page_end - offset, 0);
+ }
+
+ btrfs_set_file_extent_ram_bytes(leaf, fi, size);
+ size = btrfs_file_extent_calc_inline_size(size);
+ btrfs_truncate_item(root, path, size, 1);
+
+ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
+ inode_sub_bytes(inode, item_end + 1 - new_size);
+
+ return 0;
+}
+
/*
* this can truncate away extent items, csum items and directory items.
* It starts at a high offset and removes keys until it can't find
@@ -4378,27 +4419,40 @@ search_again:
* special encodings
*/
if (!del_item &&
- btrfs_file_extent_compression(leaf, fi) == 0 &&
btrfs_file_extent_encryption(leaf, fi) == 0 &&
btrfs_file_extent_other_encoding(leaf, fi) == 0) {
- u32 size = new_size - found_key.offset;
-
- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
- inode_sub_bytes(inode, item_end + 1 -
- new_size);
/*
- * update the ram bytes to properly reflect
- * the new size of our item
+ * Need to release path in order to truncate a
+ * compressed extent. So delete any accumulated
+ * extent items so far.
*/
- btrfs_set_file_extent_ram_bytes(leaf, fi, size);
- size =
- btrfs_file_extent_calc_inline_size(size);
- btrfs_truncate_item(root, path, size, 1);
+ if (btrfs_file_extent_compression(leaf, fi) !=
+ BTRFS_COMPRESS_NONE && pending_del_nr) {
+ err = btrfs_del_items(trans, root, path,
+ pending_del_slot,
+ pending_del_nr);
+ if (err) {
+ btrfs_abort_transaction(trans,
+ root,
+ err);
+ goto error;
+ }
+ pending_del_nr = 0;
+ }
+
+ err = truncate_inline_extent(inode, path,
+ &found_key,
+ item_end,
+ new_size);
+ if (err) {
+ btrfs_abort_transaction(trans,
+ root, err);
+ goto error;
+ }
} else if (test_bit(BTRFS_ROOT_REF_COWS,
&root->state)) {
- inode_sub_bytes(inode, item_end + 1 -
- found_key.offset);
+ inode_sub_bytes(inode, item_end + 1 - new_size);
}
}
delete:

84
debian/patches/bugfix/all/docbook-use-a-fixed-encoding-for-output.patch vendored
View File

@ -1,84 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 28 Sep 2015 01:09:52 +0100
Subject: DocBook: Use a fixed encoding for output
Forwarded: http://mid.gmane.org/1443398992.2517.13.camel@decadent.org.uk
Currently the encoding of documents generated by DocBook depends on
the current locale. Make the output reproducible independently of
the locale, by setting the encoding to UTF-8 (LC_CTYPE=C.UTF-8) by
preference, or ASCII (LC_CTYPE=C) as a fallback.
LC_CTYPE can normally be overridden by LC_ALL, but the top-level
Makefile unsets that.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/Documentation/DocBook/Makefile
+++ b/Documentation/DocBook/Makefile
@@ -69,6 +69,12 @@ installmandocs: mandocs
KERNELDOCXMLREF = $(srctree)/scripts/kernel-doc-xml-ref
KERNELDOC = $(srctree)/scripts/kernel-doc
DOCPROC = $(objtree)/scripts/docproc
+CHECK_LC_CTYPE = $(objtree)/scripts/check-lc_ctype
+
+# Use a fixed encoding - UTF-8 if the C library has support built-in
+# or ASCII if not
+LC_CTYPE := $(call try-run, LC_CTYPE=C.UTF-8 $(CHECK_LC_CTYPE),C.UTF-8,C)
+export LC_CTYPE
XMLTOFLAGS = -m $(srctree)/$(src)/stylesheet.xsl
XMLTOFLAGS += --skip-validation
--- a/Makefile
+++ b/Makefile
@@ -1353,7 +1353,7 @@ $(help-board-dirs): help-%:
# Documentation targets
# ---------------------------------------------------------------------------
%docs: scripts_basic FORCE
- $(Q)$(MAKE) $(build)=scripts build_docproc
+ $(Q)$(MAKE) $(build)=scripts build_docproc build_check-lc_ctype
$(Q)$(MAKE) $(build)=Documentation/DocBook $@
else # KBUILD_EXTMOD
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -7,6 +7,7 @@
# conmakehash: Create chartable
# conmakehash: Create arrays for initializing the kernel console tables
# docproc: Used in Documentation/DocBook
+# check-lc_ctype: Used in Documentation/DocBook
HOST_EXTRACFLAGS += -I$(srctree)/tools/include
@@ -27,14 +28,16 @@ HOSTLOADLIBES_extract-cert = -lcrypto
always := $(hostprogs-y) $(hostprogs-m)
# The following hostprogs-y programs are only build on demand
-hostprogs-y += unifdef docproc
+hostprogs-y += unifdef docproc check-lc_ctype
# These targets are used internally to avoid "is up to date" messages
-PHONY += build_unifdef build_docproc
+PHONY += build_unifdef build_docproc build_check-lc_ctype
build_unifdef: $(obj)/unifdef
@:
build_docproc: $(obj)/docproc
@:
+build_check-lc_ctype: $(obj)/check-lc_ctype
+ @:
subdir-$(CONFIG_MODVERSIONS) += genksyms
subdir-y += mod
--- /dev/null
+++ b/scripts/check-lc_ctype.c
@@ -0,0 +1,11 @@
+/*
+ * Check that a specified locale works as LC_CTYPE. Used by the
+ * DocBook build system to probe for C.UTF-8 support.
+ */
+
+#include <locale.h>
+
+int main(void)
+{
+ return !setlocale(LC_CTYPE, "");
+}

51
debian/patches/bugfix/all/documentation-avoid-creating-man-pages-in-source-tree.patch vendored
View File

@ -1,51 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 28 Sep 2015 01:09:02 +0100
Subject: Documentation: Avoid creating man pages in source tree
Forwarded: http://mid.gmane.org/1443398942.2517.12.camel@decadent.org.uk
Currently kernel-doc generates a dummy DocBook file when asked to
convert a C source file with no structured comments. For an
out-of-tree build (objtree != srctree), the title of the output file
is the absolute path name of the C source file, which later results
in a manual page being created alongside the C source file.
Change the title to be a relative path.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/scripts/kernel-doc
+++ b/scripts/kernel-doc
@@ -2351,12 +2351,13 @@ sub process_file($) {
my $descr;
my $in_purpose = 0;
my $initial_section_counter = $section_counter;
+ my ($orig_file) = @_;
if (defined($ENV{'SRCTREE'})) {
- $file = "$ENV{'SRCTREE'}" . "/" . "@_";
+ $file = "$ENV{'SRCTREE'}" . "/" . $orig_file;
}
else {
- $file = "@_";
+ $file = $orig_file;
}
if (defined($source_map{$file})) {
$file = $source_map{$file};
@@ -2565,7 +2566,7 @@ sub process_file($) {
print "<refentry>\n";
print " <refnamediv>\n";
print " <refname>\n";
- print " ${file}\n";
+ print " ${orig_file}\n";
print " </refname>\n";
print " <refpurpose>\n";
print " Document generation inconsistency\n";
@@ -2579,7 +2580,7 @@ sub process_file($) {
print " <para>\n";
print " The template for this document tried to insert\n";
print " the structured comment from the file\n";
- print " <filename>${file}</filename> at this point,\n";
+ print " <filename>${orig_file}</filename> at this point,\n";
print " but none was found.\n";
print " This dummy section is inserted to allow\n";
print " generation to continue.\n";

109
debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch vendored
View File

@ -53,7 +53,7 @@ upstream submission.
/* disable MPU */
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -432,10 +432,8 @@ static enum ucode_state request_microcod
@@ -907,10 +907,8 @@ static enum ucode_state request_microcod
if (c->x86 >= 0x15)
snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86);
@ -96,7 +96,7 @@ upstream submission.
fw_size = firmware->size / sizeof(u32);
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -404,10 +404,8 @@ static int ath3k_load_patch(struct usb_d
@@ -408,10 +408,8 @@ static int ath3k_load_patch(struct usb_d
le32_to_cpu(fw_version.rom_version));
ret = request_firmware(&firmware, filename, &udev->dev);
@ -108,7 +108,7 @@ upstream submission.
pt_rom_version = get_unaligned_le32(firmware->data +
firmware->size - 8);
@@ -467,10 +465,8 @@ static int ath3k_load_syscfg(struct usb_
@@ -471,10 +469,8 @@ static int ath3k_load_syscfg(struct usb_
le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
ret = request_firmware(&firmware, filename, &udev->dev);
@ -140,7 +140,7 @@ upstream submission.
return -EIO;
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -664,10 +664,8 @@ static int bfusb_probe(struct usb_interf
@@ -653,10 +653,8 @@ static int bfusb_probe(struct usb_interf
skb_queue_head_init(&data->pending_q);
skb_queue_head_init(&data->completed_q);
@ -154,7 +154,7 @@ upstream submission.
--- a/drivers/bluetooth/bt3c_cs.c
+++ b/drivers/bluetooth/bt3c_cs.c
@@ -567,10 +567,8 @@ static int bt3c_open(struct bt3c_info *i
@@ -565,10 +565,8 @@ static int bt3c_open(struct bt3c_info *i
/* Load firmware */
err = request_firmware(&firmware, "BT3CPCC.bin", &info->p_dev->dev);
@ -168,7 +168,7 @@ upstream submission.
--- a/drivers/bluetooth/btmrvl_sdio.c
+++ b/drivers/bluetooth/btmrvl_sdio.c
@@ -355,8 +355,6 @@ static int btmrvl_sdio_download_helper(s
@@ -390,8 +390,6 @@ static int btmrvl_sdio_download_helper(s
ret = request_firmware(&fw_helper, card->helper,
&card->func->dev);
if ((ret < 0) || !fw_helper) {
@ -177,7 +177,7 @@ upstream submission.
ret = -ENOENT;
goto done;
}
@@ -455,8 +453,6 @@ static int btmrvl_sdio_download_fw_w_hel
@@ -490,8 +488,6 @@ static int btmrvl_sdio_download_fw_w_hel
ret = request_firmware(&fw_firmware, card->firmware,
&card->func->dev);
if ((ret < 0) || !fw_firmware) {
@ -233,7 +233,7 @@ upstream submission.
where = 0;
--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c
@@ -1643,10 +1643,8 @@ gf100_gr_ctor_fw(struct gf100_gr *gr, co
@@ -1646,10 +1646,8 @@ gf100_gr_ctor_fw(struct gf100_gr *gr, co
snprintf(f, sizeof(f), "nvidia/%s/%s.bin", cname, fwname);
ret = request_firmware(&fw, f, device->dev);
@ -742,7 +742,7 @@ upstream submission.
GFP_KERNEL | GFP_DMA);
--- a/drivers/media/pci/ttpci/av7110.c
+++ b/drivers/media/pci/ttpci/av7110.c
@@ -1534,16 +1534,9 @@ static int get_firmware(struct av7110* a
@@ -1531,16 +1531,9 @@ static int get_firmware(struct av7110* a
/* request the av7110 firmware, this will block until someone uploads it */
ret = request_firmware(&fw, "dvb-ttpci-01.fw", &av7110->dev->pci->dev);
if (ret) {
@ -792,7 +792,7 @@ upstream submission.
b[0] = 0xaa;
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -1292,11 +1292,8 @@ static int ttusb_dec_boot_dsp(struct ttu
@@ -1290,11 +1290,8 @@ static int ttusb_dec_boot_dsp(struct ttu
dprintk("%s\n", __func__);
result = request_firmware(&fw_entry, dec->firmware_name, &dec->udev->dev);
@ -1063,7 +1063,7 @@ upstream submission.
--- a/drivers/media/usb/s2255/s2255drv.c
+++ b/drivers/media/usb/s2255/s2255drv.c
@@ -2299,10 +2299,8 @@ static int s2255_probe(struct usb_interf
@@ -2302,10 +2302,8 @@ static int s2255_probe(struct usb_interf
}
/* load the first chunk */
if (request_firmware(&dev->fw_data->fw,
@ -1194,7 +1194,7 @@ upstream submission.
--- a/drivers/net/ethernet/broadcom/bnx2.c
+++ b/drivers/net/ethernet/broadcom/bnx2.c
@@ -3702,16 +3702,13 @@ static int bnx2_request_uncached_firmwar
@@ -3720,16 +3720,13 @@ static int bnx2_request_uncached_firmwar
}
rc = request_firmware(&bp->mips_firmware, mips_fw_file, &bp->pdev->dev);
@ -1216,7 +1216,7 @@ upstream submission.
if (bp->mips_firmware->size < sizeof(*mips_fw) ||
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -13393,11 +13393,8 @@ static int bnx2x_init_firmware(struct bn
@@ -13401,11 +13401,8 @@ static int bnx2x_init_firmware(struct bn
BNX2X_DEV_INFO("Loading %s\n", fw_file_name);
rc = request_firmware(&bp->firmware, fw_file_name, &bp->pdev->dev);
@ -1424,20 +1424,16 @@ upstream submission.
fwh = (struct at76_fw_header *)(fwe->fw->data);
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1085,12 +1085,8 @@ static void ath9k_hif_usb_firmware_cb(co
struct hif_device_usb *hif_dev = context;
int ret;
@@ -1158,9 +1158,6 @@ static void ath9k_hif_usb_firmware_cb(co
if (!ret)
return;
- if (!fw) {
- dev_err(&hif_dev->udev->dev,
- "ath9k_htc: Failed to get firmware %s\n",
- hif_dev->fw_name);
+ if (!fw)
goto err_fw;
- }
}
hif_dev->htc_handle = ath9k_htc_hw_alloc(hif_dev, &hif_usb,
&hif_dev->udev->dev);
--- a/drivers/net/wireless/ath/carl9170/usb.c
+++ b/drivers/net/wireless/ath/carl9170/usb.c
@@ -1033,7 +1033,6 @@ static void carl9170_usb_firmware_step2(
@ -1596,7 +1592,7 @@ upstream submission.
}
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -488,11 +488,8 @@ static void mwifiex_fw_dpc(const struct
@@ -508,11 +508,8 @@ static void mwifiex_fw_dpc(const struct
bool init_failed = false;
struct wireless_dev *wdev;
@ -1690,7 +1686,7 @@ upstream submission.
--- a/drivers/net/wireless/orinoco/orinoco_usb.c
+++ b/drivers/net/wireless/orinoco/orinoco_usb.c
@@ -1668,7 +1668,6 @@ static int ezusb_probe(struct usb_interf
@@ -1669,7 +1669,6 @@ static int ezusb_probe(struct usb_interf
if (ezusb_firmware_download(upriv, &firmware) < 0)
goto error;
} else {
@ -1763,8 +1759,8 @@ upstream submission.
if (!fw || !fw->size || !fw->data) {
rt2x00_err(rt2x00dev, "Failed to read Firmware\n");
--- a/drivers/net/wireless/rtlwifi/core.c
+++ b/drivers/net/wireless/rtlwifi/core.c
--- a/drivers/net/wireless/realtek/rtlwifi/core.c
+++ b/drivers/net/wireless/realtek/rtlwifi/core.c
@@ -115,7 +115,6 @@ static void rtl_fw_do_work(const struct
if (!err)
goto found_alt;
@ -1773,8 +1769,8 @@ upstream submission.
rtlpriv->max_fw_size = 0;
return;
}
--- a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
@@ -94,7 +94,6 @@ static void rtl92se_fw_cb(const struct f
"Firmware callback routine entered!\n");
complete(&rtlpriv->firmware_loading_complete);
@ -1894,7 +1890,7 @@ upstream submission.
}
--- a/drivers/scsi/aic94xx/aic94xx_init.c
+++ b/drivers/scsi/aic94xx/aic94xx_init.c
@@ -385,8 +385,6 @@ static ssize_t asd_store_update_bios(str
@@ -384,8 +384,6 @@ static ssize_t asd_store_update_bios(str
filename_ptr,
&asd_ha->pcidev->dev);
if (err) {
@ -1988,7 +1984,7 @@ upstream submission.
QLA_FW_URL ".\n");
--- a/drivers/scsi/qla2xxx/qla_nx.c
+++ b/drivers/scsi/qla2xxx/qla_nx.c
@@ -2459,11 +2459,8 @@ try_blob_fw:
@@ -2460,11 +2460,8 @@ try_blob_fw:
/* Load firmware blob. */
blob = ha->hablob = qla2x00_request_firmware(vha);
@ -2003,7 +1999,7 @@ upstream submission.
if (qla82xx_validate_firmware_blob(vha,
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -5365,8 +5365,6 @@ qla2x00_request_firmware(scsi_qla_host_t
@@ -5364,8 +5364,6 @@ qla2x00_request_firmware(scsi_qla_host_t
goto out;
if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) {
@ -2027,43 +2023,6 @@ upstream submission.
if (fw->size % 2) {
printk(KERN_ERR "Bogus length %zu in image \"%s\"\n",
fw->size, fwname);
--- a/drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c
+++ b/drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c
@@ -2034,18 +2034,12 @@ struct net_device *init_ft1000_card(stru
info->AsicID = ft1000_read_reg(dev, FT1000_REG_ASIC_ID);
if (info->AsicID == ELECTRABUZZ_ID) {
pr_debug("ELECTRABUZZ ASIC\n");
- if (request_firmware(&fw_entry, "ft1000.img",
- &link->dev) != 0) {
- pr_info("Could not open ft1000.img\n");
+ if (request_firmware(&fw_entry, "ft1000.img", &link->dev) != 0)
goto err_unreg;
- }
} else {
pr_debug("MAGNEMITE ASIC\n");
- if (request_firmware(&fw_entry, "ft2000.img",
- &link->dev) != 0) {
- pr_info("Could not open ft2000.img\n");
+ if (request_firmware(&fw_entry, "ft2000.img", &link->dev) != 0)
goto err_unreg;
- }
}
ft1000_enable_interrupts(dev);
--- a/drivers/staging/ft1000/ft1000-usb/ft1000_usb.c
+++ b/drivers/staging/ft1000/ft1000-usb/ft1000_usb.c
@@ -133,10 +133,8 @@ static int ft1000_probe(struct usb_inter
ft1000dev->bulk_out_endpointAddr);
ret = request_firmware(&dsp_fw, "ft3000.img", &dev->dev);
- if (ret < 0) {
- dev_err(interface->usb_dev, "Error request_firmware()\n");
+ if (ret)
goto err_fw;
- }
size = max_t(uint, dsp_fw->size, 4096);
pFileStart = kmalloc(size, GFP_KERNEL);
--- a/drivers/media/usb/go7007/go7007-driver.c
+++ b/drivers/media/usb/go7007/go7007-driver.c
@@ -92,10 +92,8 @@ static int go7007_load_encoder(struct go
@ -2161,7 +2120,7 @@ upstream submission.
MODULE_FIRMWARE("rtlwifi/rtl8712u.bin");
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -388,11 +388,8 @@ static int slic_card_download_gbrcv(stru
@@ -408,11 +408,8 @@ static int slic_card_download_gbrcv(stru
}
ret = request_firmware(&fw, file, &adapter->pcidev->dev);
@ -2174,7 +2133,7 @@ upstream submission.
rcvucodelen = *(u32 *)(fw->data + index);
index += 4;
@@ -466,11 +463,8 @@ static int slic_card_download(struct ada
@@ -486,11 +483,8 @@ static int slic_card_download(struct ada
return -ENOENT;
}
ret = request_firmware(&fw, file, &adapter->pcidev->dev);
@ -2205,7 +2164,7 @@ upstream submission.
if (!buffer)
--- a/drivers/tty/cyclades.c
+++ b/drivers/tty/cyclades.c
@@ -3518,10 +3518,8 @@ static int cyz_load_fw(struct pci_dev *p
@@ -3509,10 +3509,8 @@ static int cyz_load_fw(struct pci_dev *p
int retval;
retval = request_firmware(&fw, "cyzfirm.bin", &pdev->dev);
@ -2431,18 +2390,18 @@ upstream submission.
BootMajorVersion = rec->data[0];
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2483,8 +2483,6 @@ static int edge_startup(struct usb_seria
@@ -1014,8 +1014,6 @@ static int download_fw(struct edgeport_s
status = request_firmware(&fw, fw_name, dev);
if (status) {
- dev_err(dev, "Failed to load image \"%s\" err %d\n",
- fw_name, status);
kfree(edge_serial);
return status;
}
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -1485,10 +1485,8 @@ static int ti_download_firmware(struct t
@@ -1487,10 +1487,8 @@ static int ti_download_firmware(struct t
}
status = request_firmware(&fw_p, buf, &dev->dev);
}
@ -2601,7 +2560,7 @@ upstream submission.
filename, emu->firmware->size);
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1734,10 +1734,8 @@ static void azx_firmware_cb(const struct
@@ -1738,10 +1738,8 @@ static void azx_firmware_cb(const struct
struct azx *chip = card->private_data;
struct pci_dev *pci = chip->pci;
@ -2615,7 +2574,7 @@ upstream submission.
if (!chip->disabled) {
--- a/sound/pci/korg1212/korg1212.c
+++ b/sound/pci/korg1212/korg1212.c
@@ -2330,7 +2330,6 @@ static int snd_korg1212_create(struct sn
@@ -2332,7 +2332,6 @@ static int snd_korg1212_create(struct sn
err = request_firmware(&dsp_code, "korg/k1212.dsp", &pci->dev);
if (err < 0) {
release_firmware(dsp_code);

37
debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch vendored
View File

@ -1,37 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 1 Nov 2015 16:21:24 +0000
Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3
Compile-tested only.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
index c4198fa..86f9abe 100644
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
is->compflags = 0;
is->reset = isdn_ppp_ccp_reset_alloc(is);
+ if (!is->reset)
+ return -ENOMEM;
is->lp = NULL;
is->mp_seqno = 0; /* MP sequence number */
@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
* VJ header compression init
*/
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
+ if (!is->slcomp) {
+ isdn_ppp_ccp_reset_free(is);
+ return -ENOMEM;
+ }
#endif
#ifdef CONFIG_IPPP_FILTER
is->pass_filter = NULL;

31
debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch vendored
View File

@ -1,31 +0,0 @@
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
Date: Wed, 7 Oct 2015 07:09:26 -0300
Subject: [media] media/vivid-osd: fix info leak in ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c
The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
struct fb_vblank after the ->hcount member. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Salva Peiró <speirofr@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
drivers/media/platform/vivid/vivid-osd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
index 084d346..e15eef6 100644
--- a/drivers/media/platform/vivid/vivid-osd.c
+++ b/drivers/media/platform/vivid/vivid-osd.c
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
case FBIOGET_VBLANK: {
struct fb_vblank vblank;
+ memset(&vblank, 0, sizeof(vblank));
vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
FB_VBLANK_HAVE_VSYNC;
vblank.count = 0;

66
debian/patches/bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch vendored
View File

@ -1,66 +0,0 @@
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Date: Mon, 27 Jul 2015 11:06:48 -0300
Subject: [media] uvcvideo: Disable hardware timestamps by default
Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=5d0fd3c806b9e932010931ae67dbb482020e0882
Bug-Debian: https://bugs.debian.org/794327
The hardware timestamping implementation has been reported as not
working correctly on at least the Logitech C920. Until this can be
fixed, disable it by default.
Reported-by: Peter Rabbitson <rabbit@rabbit.us>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
drivers/media/usb/uvc/uvc_driver.c | 3 +++
drivers/media/usb/uvc/uvc_video.c | 3 +++
drivers/media/usb/uvc/uvcvideo.h | 1 +
3 files changed, 7 insertions(+)
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index 4b5b3e8..d11fd6a 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -32,6 +32,7 @@
#define DRIVER_DESC "USB Video Class driver"
unsigned int uvc_clock_param = CLOCK_MONOTONIC;
+unsigned int uvc_hw_timestamps_param;
unsigned int uvc_no_drop_param;
static unsigned int uvc_quirks_param = -1;
unsigned int uvc_trace_param;
@@ -2078,6 +2079,8 @@ static int uvc_clock_param_set(const char *val, struct kernel_param *kp)
module_param_call(clock, uvc_clock_param_set, uvc_clock_param_get,
&uvc_clock_param, S_IRUGO|S_IWUSR);
MODULE_PARM_DESC(clock, "Video buffers timestamp clock");
+module_param_named(hwtimestamps, uvc_hw_timestamps_param, uint, S_IRUGO|S_IWUSR);
+MODULE_PARM_DESC(hwtimestamps, "Use hardware timestamps");
module_param_named(nodrop, uvc_no_drop_param, uint, S_IRUGO|S_IWUSR);
MODULE_PARM_DESC(nodrop, "Don't drop incomplete frames");
module_param_named(quirks, uvc_quirks_param, uint, S_IRUGO|S_IWUSR);
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index f839654..1c4a117 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -623,6 +623,9 @@ void uvc_video_clock_update(struct uvc_streaming *stream,
u32 rem;
u64 y;
+ if (!uvc_hw_timestamps_param)
+ return;
+
spin_lock_irqsave(&clock->lock, flags);
if (clock->count < clock->size)
diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
index 816dd1a..1374bd9 100644
--- a/drivers/media/usb/uvc/uvcvideo.h
+++ b/drivers/media/usb/uvc/uvcvideo.h
@@ -593,6 +593,7 @@ extern unsigned int uvc_clock_param;
extern unsigned int uvc_no_drop_param;
extern unsigned int uvc_trace_param;
extern unsigned int uvc_timeout_param;
+extern unsigned int uvc_hw_timestamps_param;
#define uvc_trace(flag, msg...) \
do { \

128
debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch vendored
View File

@ -1,128 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 1 Nov 2015 16:22:53 +0000
Subject: ppp, slip: Validate VJ compression slot parameters completely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae
Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).
Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL. Change the callers accordingly.
Compile-tested only.
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
drivers/net/ppp/ppp_generic.c | 6 ++----
drivers/net/slip/slhc.c | 12 ++++++++----
drivers/net/slip/slip.c | 2 +-
4 files changed, 15 insertions(+), 15 deletions(-)
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file
* VJ header compression init
*/
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
- if (!is->slcomp) {
+ if (IS_ERR(is->slcomp)) {
isdn_ppp_ccp_reset_free(is);
- return -ENOMEM;
+ return PTR_ERR(is->slcomp);
}
#endif
#ifdef CONFIG_IPPP_FILTER
@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil
is->maxcid = val;
#ifdef CONFIG_ISDN_PPP_VJ
sltmp = slhc_init(16, val);
- if (!sltmp) {
- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
- return -ENOMEM;
- }
+ if (IS_ERR(sltmp))
+ return PTR_ERR(sltmp);
if (is->slcomp)
slhc_free(is->slcomp);
is->slcomp = sltmp;
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file,
val &= 0xffff;
}
vj = slhc_init(val2+1, val+1);
- if (!vj) {
- netdev_err(ppp->dev,
- "PPP: no memory (VJ compressor)\n");
- err = -ENOMEM;
+ if (IS_ERR(vj)) {
+ err = PTR_ERR(vj);
break;
}
ppp_lock(ppp);
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
static unsigned char * put16(unsigned char *cp, unsigned short x);
static unsigned short pull16(unsigned char **cpp);
-/* Initialize compression data structure
+/* Allocate compression data structure
* slots must be in range 0 to 255 (zero meaning no compression)
+ * Returns pointer to structure or ERR_PTR() on error.
*/
struct slcompress *
slhc_init(int rslots, int tslots)
@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
register struct cstate *ts;
struct slcompress *comp;
+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
+ return ERR_PTR(-EINVAL);
+
comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
if (! comp)
goto out_fail;
- if ( rslots > 0 && rslots < 256 ) {
+ if (rslots > 0) {
size_t rsize = rslots * sizeof(struct cstate);
comp->rstate = kzalloc(rsize, GFP_KERNEL);
if (! comp->rstate)
@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
comp->rslot_limit = rslots - 1;
}
- if ( tslots > 0 && tslots < 256 ) {
+ if (tslots > 0) {
size_t tsize = tslots * sizeof(struct cstate);
comp->tstate = kzalloc(tsize, GFP_KERNEL);
if (! comp->tstate)
@@ -141,7 +145,7 @@ out_free2:
out_free:
kfree(comp);
out_fail:
- return NULL;
+ return ERR_PTR(-ENOMEM);
}
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl
if (cbuff == NULL)
goto err_exit;
slcomp = slhc_init(16, 16);
- if (slcomp == NULL)
+ if (IS_ERR(slcomp))
goto err_exit;
#endif
spin_lock_bh(&sl->lock);

69
debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch vendored
View File

@ -1,69 +0,0 @@
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Subject: RDS: fix race condition when sending a message on unbound socket.
Date: Fri, 16 Oct 2015 17:11:42 +0200
Origin: https://lkml.org/lkml/2015/10/16/530
Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket. The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket. This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().
Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.
I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.
Complete earlier incomplete fix to CVE-2015-6937:
74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Chien Yen <chien.yen@oracle.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
---
net/rds/connection.c | 6 ------
net/rds/send.c | 4 +++-
2 files changed, 3 insertions(+), 7 deletions(-)
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -190,12 +190,6 @@ new_conn:
}
}
- if (trans == NULL) {
- kmem_cache_free(rds_conn_slab, conn);
- conn = ERR_PTR(-ENODEV);
- goto out;
- }
-
conn->c_trans = trans;
ret = trans->conn_alloc(conn, gfp);
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, str
release_sock(sk);
}
- /* racing with another thread binding seems ok here */
+ lock_sock(sk);
if (daddr == 0 || rs->rs_bound_addr == 0) {
+ release_sock(sk);
ret = -ENOTCONN; /* XXX not a great errno */
goto out;
}
+ release_sock(sk);
if (payload_len > rds_sk_sndbuf(rs)) {
ret = -EMSGSIZE;

67
debian/patches/bugfix/all/selftests-add-missing-include-directives.patch vendored
View File

@ -1,67 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Oct 2015 01:18:01 +0000
Subject: selftests: Add missing #include directives
Several C programs fail to include the headers declaring all the
functions they call, resulting in warnings or errors.
After this, memfd_test.c is still missing some function declarations
but can't easily get them because of a conflict between
<linux/fcntl.h> and <sys/fcntl.h>.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/testing/selftests/memfd/memfd_test.c | 1 +
tools/testing/selftests/mqueue/mq_open_tests.c | 1 +
tools/testing/selftests/mqueue/mq_perf_tests.c | 1 +
tools/testing/selftests/timers/nanosleep.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c
index 0b9eafb..5347ef6 100644
--- a/tools/testing/selftests/memfd/memfd_test.c
+++ b/tools/testing/selftests/memfd/memfd_test.c
@@ -15,6 +15,7 @@
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
+#include <sys/wait.h>
#include <unistd.h>
#define MFD_DEF_SIZE 8192
diff --git a/tools/testing/selftests/mqueue/mq_open_tests.c b/tools/testing/selftests/mqueue/mq_open_tests.c
index 9c1a5d35..e0a74bd 100644
--- a/tools/testing/selftests/mqueue/mq_open_tests.c
+++ b/tools/testing/selftests/mqueue/mq_open_tests.c
@@ -31,6 +31,7 @@
#include <sys/resource.h>
#include <sys/stat.h>
#include <mqueue.h>
+#include <error.h>
static char *usage =
"Usage:\n"
diff --git a/tools/testing/selftests/mqueue/mq_perf_tests.c b/tools/testing/selftests/mqueue/mq_perf_tests.c
index 8519e9e..8188f72 100644
--- a/tools/testing/selftests/mqueue/mq_perf_tests.c
+++ b/tools/testing/selftests/mqueue/mq_perf_tests.c
@@ -37,6 +37,7 @@
#include <sys/stat.h>
#include <mqueue.h>
#include <popt.h>
+#include <error.h>
static char *usage =
"Usage:\n"
diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c
index 8a3c29d..ff942ff 100644
--- a/tools/testing/selftests/timers/nanosleep.c
+++ b/tools/testing/selftests/timers/nanosleep.c
@@ -19,6 +19,7 @@
* GNU General Public License for more details.
*/
+#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

17
debian/patches/bugfix/all/selftests-breakpoints-actually-build-it.patch vendored
View File

@ -1,17 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Oct 2015 10:22:55 +0000
Subject: selftests: breakpoint: Actually build it
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/testing/selftests/breakpoints/Makefile
+++ b/tools/testing/selftests/breakpoints/Makefile
@@ -6,7 +6,7 @@ ifeq ($(ARCH),x86)
TEST_PROGS := breakpoint_test
endif
-all:
+all: $(TEST_PROGS)
include ../lib.mk

126
debian/patches/bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch vendored
View File

@ -1,126 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Oct 2015 01:27:28 +0000
Subject: selftests: kprobe: Choose an always-defined function to probe
do_fork() is no longer defined on x86, so probe _do_fork() instead.
Fixes: 3033f14ab78c ("clone: support passing tls argument via C ...")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
.../selftests/ftrace/test.d/kprobe/add_and_remove.tc | 2 +-
tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc | 2 +-
.../testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc | 2 +-
.../selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc | 14 +++++++-------
.../selftests/ftrace/test.d/kprobe/kretprobe_args.tc | 2 +-
5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc b/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc
index a5a4262..c3843ed 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc
@@ -5,7 +5,7 @@
echo 0 > events/enable
echo > kprobe_events
-echo p:myevent do_fork > kprobe_events
+echo p:myevent _do_fork > kprobe_events
grep myevent kprobe_events
test -d events/kprobes/myevent
echo > kprobe_events
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc b/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc
index d8c7bb6..74507db 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc
@@ -5,7 +5,7 @@
echo 0 > events/enable
echo > kprobe_events
-echo p:myevent do_fork > kprobe_events
+echo p:myevent _do_fork > kprobe_events
test -d events/kprobes/myevent
echo 1 > events/kprobes/myevent/enable
echo > kprobe_events && exit 1 # this must fail
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc
index c45ee27..64949d4 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc
@@ -5,7 +5,7 @@
echo 0 > events/enable
echo > kprobe_events
-echo 'p:testprobe do_fork $stack $stack0 +0($stack)' > kprobe_events
+echo 'p:testprobe _do_fork $stack $stack0 +0($stack)' > kprobe_events
grep testprobe kprobe_events
test -d events/kprobes/testprobe
echo 1 > events/kprobes/testprobe/enable
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc
index ab41d2b..d6f2f49 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc
@@ -6,31 +6,31 @@ grep function available_tracers || exit_unsupported # this is configurable
# prepare
echo nop > current_tracer
-echo do_fork > set_ftrace_filter
+echo _do_fork > set_ftrace_filter
echo 0 > events/enable
echo > kprobe_events
-echo 'p:testprobe do_fork' > kprobe_events
+echo 'p:testprobe _do_fork' > kprobe_events
# kprobe on / ftrace off
echo 1 > events/kprobes/testprobe/enable
echo > trace
( echo "forked")
grep testprobe trace
-! grep 'do_fork <-' trace
+! grep '_do_fork <-' trace
# kprobe on / ftrace on
echo function > current_tracer
echo > trace
( echo "forked")
grep testprobe trace
-grep 'do_fork <-' trace
+grep '_do_fork <-' trace
# kprobe off / ftrace on
echo 0 > events/kprobes/testprobe/enable
echo > trace
( echo "forked")
! grep testprobe trace
-grep 'do_fork <-' trace
+grep '_do_fork <-' trace
# kprobe on / ftrace on
echo 1 > events/kprobes/testprobe/enable
@@ -38,14 +38,14 @@ echo function > current_tracer
echo > trace
( echo "forked")
grep testprobe trace
-grep 'do_fork <-' trace
+grep '_do_fork <-' trace
# kprobe on / ftrace off
echo nop > current_tracer
echo > trace
( echo "forked")
grep testprobe trace
-! grep 'do_fork <-' trace
+! grep '_do_fork <-' trace
# cleanup
echo nop > current_tracer
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc
index 3171798..0d09546 100644
--- a/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc
@@ -5,7 +5,7 @@
echo 0 > events/enable
echo > kprobe_events
-echo 'r:testprobe2 do_fork $retval' > kprobe_events
+echo 'r:testprobe2 _do_fork $retval' > kprobe_events
grep testprobe2 kprobe_events
test -d events/kprobes/testprobe2
echo 1 > events/kprobes/testprobe2/enable

20
debian/patches/bugfix/all/selftests-make-scripts-executable.patch vendored
View File

@ -1,20 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 30 Oct 2015 01:30:36 +0000
Subject: selftests: Make scripts executable
Fixes: 87b2d44026e0 ("selftests: add memfd/sealing page-pinning tests")
Fixes: 2bf9e0ab08c6 ("locking/static_keys: Provide a selftest")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/testing/selftests/memfd/run_fuse_test.sh | 0
tools/testing/selftests/static_keys/test_static_keys.sh | 0
2 files changed, 0 insertions(+), 0 deletions(-)
mode change 100644 => 100755 tools/testing/selftests/memfd/run_fuse_test.sh
mode change 100644 => 100755 tools/testing/selftests/static_keys/test_static_keys.sh
diff --git a/tools/testing/selftests/memfd/run_fuse_test.sh b/tools/testing/selftests/memfd/run_fuse_test.sh
old mode 100644
new mode 100755
diff --git a/tools/testing/selftests/static_keys/test_static_keys.sh b/tools/testing/selftests/static_keys/test_static_keys.sh
old mode 100644
new mode 100755

34
debian/patches/bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch vendored
View File

@ -1,34 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 31 Oct 2015 18:04:28 +0000
Subject: selftests: memfd: Stop unnecessary rebuilds
Instead of explicitly running the compiler, add dependencies and take
advantage of implicit rules to build only as necessary.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/testing/selftests/memfd/Makefile
+++ b/tools/testing/selftests/memfd/Makefile
@@ -4,16 +4,16 @@ CFLAGS += -I../../../../include/uapi/
CFLAGS += -I../../../../include/
CFLAGS += -I../../../../usr/include/
-all:
- $(CC) $(CFLAGS) memfd_test.c -o memfd_test
-
TEST_PROGS := memfd_test
+all: $(TEST_PROGS)
+
include ../lib.mk
-build_fuse:
- $(CC) $(CFLAGS) fuse_mnt.c `pkg-config fuse --cflags --libs` -o fuse_mnt
- $(CC) $(CFLAGS) fuse_test.c -o fuse_test
+build_fuse: fuse_mnt fuse_test
+
+fuse_mnt.o: CFLAGS += $(shell pkg-config fuse --cflags)
+fuse_mnt: LDFLAGS += $(shell pkg-config fuse --libs)
run_fuse: build_fuse
@./run_fuse_test.sh || echo "fuse_test: [FAIL]"

40
debian/patches/bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch vendored
View File

@ -1,40 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 31 Oct 2015 17:56:11 +0000
Subject: selftests: vm: Try harder to allocate huge pages
If we need to increase the number of huge pages, drop caches first
to reduce fragmentation and then check that we actually allocated
as many as we wanted. Retry once if that doesn't work.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/testing/selftests/vm/run_vmtests
+++ b/tools/testing/selftests/vm/run_vmtests
@@ -20,13 +20,26 @@ done < /proc/meminfo
if [ -n "$freepgs" ] && [ -n "$pgsize" ]; then
nr_hugepgs=`cat /proc/sys/vm/nr_hugepages`
needpgs=`expr $needmem / $pgsize`
- if [ $freepgs -lt $needpgs ]; then
+ tries=2
+ while [ $tries -gt 0 ] && [ $freepgs -lt $needpgs ]; do
lackpgs=$(( $needpgs - $freepgs ))
+ echo 3 > /proc/sys/vm/drop_caches
echo $(( $lackpgs + $nr_hugepgs )) > /proc/sys/vm/nr_hugepages
if [ $? -ne 0 ]; then
echo "Please run this test as root"
exit 1
fi
+ while read name size unit; do
+ if [ "$name" = "HugePages_Free:" ]; then
+ freepgs=$size
+ fi
+ done < /proc/meminfo
+ tries=$((tries - 1))
+ done
+ if [ $freepgs -lt $needpgs ]; then
+ printf "Not enough huge pages available (%d < %d)\n" \
+ $freepgs $needpgs
+ exit 1
fi
else
echo "no hugetlbfs support in kernel?"

325
debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch vendored
View File

@ -1,325 +0,0 @@
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Date: Fri, 20 Nov 2015 22:07:23 +0000
Subject: unix: avoid use-after-free in ep_remove_wait_queue
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git//commit?id=7d267278a9ece963d77eefec61630223fce08c6c
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the message presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.
Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.2: adjust context]
---
include/net/af_unix.h | 1 +
net/unix/af_unix.c | 183 ++++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 165 insertions(+), 19 deletions(-)
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -62,6 +62,7 @@ struct unix_sock {
#define UNIX_GC_CANDIDATE 0
#define UNIX_GC_MAYBE_CYCLE 1
struct socket_wq peer_wq;
+ wait_queue_t peer_wake;
};
static inline struct unix_sock *unix_sk(const struct sock *sk)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -326,6 +326,118 @@ found:
return s;
}
+/* Support code for asymmetrically connected dgram sockets
+ *
+ * If a datagram socket is connected to a socket not itself connected
+ * to the first socket (eg, /dev/log), clients may only enqueue more
+ * messages if the present receive queue of the server socket is not
+ * "too large". This means there's a second writeability condition
+ * poll and sendmsg need to test. The dgram recv code will do a wake
+ * up on the peer_wait wait queue of a socket upon reception of a
+ * datagram which needs to be propagated to sleeping would-be writers
+ * since these might not have sent anything so far. This can't be
+ * accomplished via poll_wait because the lifetime of the server
+ * socket might be less than that of its clients if these break their
+ * association with it or if the server socket is closed while clients
+ * are still connected to it and there's no way to inform "a polling
+ * implementation" that it should let go of a certain wait queue
+ *
+ * In order to propagate a wake up, a wait_queue_t of the client
+ * socket is enqueued on the peer_wait queue of the server socket
+ * whose wake function does a wake_up on the ordinary client socket
+ * wait queue. This connection is established whenever a write (or
+ * poll for write) hit the flow control condition and broken when the
+ * association to the server socket is dissolved or after a wake up
+ * was relayed.
+ */
+
+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
+ void *key)
+{
+ struct unix_sock *u;
+ wait_queue_head_t *u_sleep;
+
+ u = container_of(q, struct unix_sock, peer_wake);
+
+ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
+ q);
+ u->peer_wake.private = NULL;
+
+ /* relaying can only happen while the wq still exists */
+ u_sleep = sk_sleep(&u->sk);
+ if (u_sleep)
+ wake_up_interruptible_poll(u_sleep, key);
+
+ return 0;
+}
+
+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
+{
+ struct unix_sock *u, *u_other;
+ int rc;
+
+ u = unix_sk(sk);
+ u_other = unix_sk(other);
+ rc = 0;
+ spin_lock(&u_other->peer_wait.lock);
+
+ if (!u->peer_wake.private) {
+ u->peer_wake.private = other;
+ __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
+
+ rc = 1;
+ }
+
+ spin_unlock(&u_other->peer_wait.lock);
+ return rc;
+}
+
+static void unix_dgram_peer_wake_disconnect(struct sock *sk,
+ struct sock *other)
+{
+ struct unix_sock *u, *u_other;
+
+ u = unix_sk(sk);
+ u_other = unix_sk(other);
+ spin_lock(&u_other->peer_wait.lock);
+
+ if (u->peer_wake.private == other) {
+ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
+ u->peer_wake.private = NULL;
+ }
+
+ spin_unlock(&u_other->peer_wait.lock);
+}
+
+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
+ struct sock *other)
+{
+ unix_dgram_peer_wake_disconnect(sk, other);
+ wake_up_interruptible_poll(sk_sleep(sk),
+ POLLOUT |
+ POLLWRNORM |
+ POLLWRBAND);
+}
+
+/* preconditions:
+ * - unix_peer(sk) == other
+ * - association is stable
+ */
+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
+{
+ int connected;
+
+ connected = unix_dgram_peer_wake_connect(sk, other);
+
+ if (unix_recvq_full(other))
+ return 1;
+
+ if (connected)
+ unix_dgram_peer_wake_disconnect(sk, other);
+
+ return 0;
+}
+
static inline int unix_writable(struct sock *sk)
{
return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
@@ -430,6 +542,8 @@ static void unix_release_sock(struct soc
skpair->sk_state_change(skpair);
sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
}
+
+ unix_dgram_peer_wake_disconnect(sk, skpair);
sock_put(skpair); /* It may now die */
unix_peer(sk) = NULL;
}
@@ -664,6 +778,7 @@ static struct sock *unix_create1(struct
INIT_LIST_HEAD(&u->link);
mutex_init(&u->readlock); /* single task reading lock */
init_waitqueue_head(&u->peer_wait);
+ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
unix_insert_socket(unix_sockets_unbound(sk), sk);
out:
if (sk == NULL)
@@ -1031,6 +1146,8 @@ restart:
if (unix_peer(sk)) {
struct sock *old_peer = unix_peer(sk);
unix_peer(sk) = other;
+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
+
unix_state_double_unlock(sk, other);
if (other != old_peer)
@@ -1470,6 +1587,7 @@ static int unix_dgram_sendmsg(struct soc
struct scm_cookie scm;
int max_level;
int data_len = 0;
+ int sk_locked;
wait_for_unix_gc();
err = scm_send(sock, msg, &scm, false);
@@ -1548,12 +1666,14 @@ restart:
goto out_free;
}
+ sk_locked = 0;
unix_state_lock(other);
+restart_locked:
err = -EPERM;
if (!unix_may_send(sk, other))
goto out_unlock;
- if (sock_flag(other, SOCK_DEAD)) {
+ if (unlikely(sock_flag(other, SOCK_DEAD))) {
/*
* Check with 1003.1g - what should
* datagram error
@@ -1561,10 +1681,14 @@ restart:
unix_state_unlock(other);
sock_put(other);
+ if (!sk_locked)
+ unix_state_lock(sk);
+
err = 0;
- unix_state_lock(sk);
if (unix_peer(sk) == other) {
unix_peer(sk) = NULL;
+ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
+
unix_state_unlock(sk);
unix_dgram_disconnected(sk, other);
@@ -1590,21 +1714,38 @@ restart:
goto out_unlock;
}
- if (unix_peer(other) != sk && unix_recvq_full(other)) {
- if (!timeo) {
- err = -EAGAIN;
- goto out_unlock;
+ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ if (timeo) {
+ timeo = unix_wait_for_peer(other, timeo);
+
+ err = sock_intr_errno(timeo);
+ if (signal_pending(current))
+ goto out_free;
+
+ goto restart;
}
- timeo = unix_wait_for_peer(other, timeo);
+ if (!sk_locked) {
+ unix_state_unlock(other);
+ unix_state_double_lock(sk, other);
+ }
- err = sock_intr_errno(timeo);
- if (signal_pending(current))
- goto out_free;
+ if (unix_peer(sk) != other ||
+ unix_dgram_peer_wake_me(sk, other)) {
+ err = -EAGAIN;
+ sk_locked = 1;
+ goto out_unlock;
+ }
- goto restart;
+ if (!sk_locked) {
+ sk_locked = 1;
+ goto restart_locked;
+ }
}
+ if (unlikely(sk_locked))
+ unix_state_unlock(sk);
+
if (sock_flag(other, SOCK_RCVTSTAMP))
__net_timestamp(skb);
maybe_add_creds(skb, sock, other);
@@ -1618,6 +1759,8 @@ restart:
return len;
out_unlock:
+ if (sk_locked)
+ unix_state_unlock(sk);
unix_state_unlock(other);
out_free:
kfree_skb(skb);
@@ -2453,14 +2596,16 @@ static unsigned int unix_dgram_poll(stru
return mask;
writable = unix_writable(sk);
- other = unix_peer_get(sk);
- if (other) {
- if (unix_peer(other) != sk) {
- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
- if (unix_recvq_full(other))
- writable = 0;
- }
- sock_put(other);
+ if (writable) {
+ unix_state_lock(sk);
+
+ other = unix_peer(sk);
+ if (other && unix_peer(other) != sk &&
+ unix_recvq_full(other) &&
+ unix_dgram_peer_wake_me(sk, other))
+ writable = 0;
+
+ unix_state_unlock(sk);
}
if (writable)

24
debian/patches/bugfix/mips/disable-advansys.patch vendored
View File

@ -1,24 +0,0 @@
From: Martin Michlmayr <tbm@cyrius.com>
Date: Sat, 19 Jan 2008 18:25:02 +0000
Subject: [mips] Disable Advansys
Forwarded: http://thread.gmane.org/gmane.linux.scsi/57291
Florian Lohoff <flo@rfc822.org> reports the following build failure on IP32:
MODPOST 552 modules
ERROR: "free_dma" [drivers/scsi/advansys.ko] undefined!
make[5]: *** [__modpost] Error 1
But report:
http://www.mail-archive.com/linux-scsi@vger.kernel.org/msg12773.html
--- a/drivers/scsi/Kconfig
+++ b/drivers/scsi/Kconfig
@@ -505,6 +505,7 @@ config SCSI_ADVANSYS
tristate "AdvanSys SCSI support"
depends on SCSI
depends on ISA || EISA || PCI
+ depends on !MIPS || BROKEN
help
This is a driver for all SCSI host adapters manufactured by
AdvanSys. It is documented in the kernel source in

9
debian/patches/bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch vendored
View File

@ -41,16 +41,17 @@ Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80896
Acked-by: Mika Kuoppala <mika.kuoppala@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[bwh: Adjust context]
---
drivers/gpu/drm/i915/i915_irq.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -2168,9 +2168,13 @@ static irqreturn_t gen8_irq_handler(int
I915_WRITE(SDEIIR, pch_iir);
ret = IRQ_HANDLED;
cpt_irq_handler(dev, pch_iir);
@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int
spt_irq_handler(dev, pch_iir);
else
cpt_irq_handler(dev, pch_iir);
- } else
- DRM_ERROR("The master control interrupt lied (SDE)!\n");
-

75
debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch vendored
View File

@ -1,75 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 10 Nov 2015 09:14:39 +0100
Subject: KVM: svm: unconditionally intercept #DB
Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d
This is needed to avoid the possibility that the guest triggers
an infinite stream of #DB exceptions (CVE-2015-8104).
VMX is not affected: because it does not save DR6 in the VMCS,
it already intercepts #DB unconditionally.
Reported-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/svm.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s
set_exception_intercept(svm, UD_VECTOR);
set_exception_intercept(svm, MC_VECTOR);
set_exception_intercept(svm, AC_VECTOR);
+ set_exception_intercept(svm, DB_VECTOR);
set_intercept(svm, INTERCEPT_INTR);
set_intercept(svm, INTERCEPT_NMI);
@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v
mark_dirty(svm->vmcb, VMCB_SEG);
}
-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
+static void update_bp_intercept(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
- clr_exception_intercept(svm, DB_VECTOR);
clr_exception_intercept(svm, BP_VECTOR);
- if (svm->nmi_singlestep)
- set_exception_intercept(svm, DB_VECTOR);
-
if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
- if (vcpu->guest_debug &
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
- set_exception_intercept(svm, DB_VECTOR);
if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
set_exception_intercept(svm, BP_VECTOR);
} else
@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
svm->vmcb->save.rflags &=
~(X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(&svm->vcpu);
}
if (svm->vcpu.guest_debug &
@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm
*/
svm->nmi_singlestep = true;
svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(vcpu);
}
static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops =
.vcpu_load = svm_vcpu_load,
.vcpu_put = svm_vcpu_put,
- .update_db_bp_intercept = update_db_bp_intercept,
+ .update_db_bp_intercept = update_bp_intercept,
.get_msr = svm_get_msr,
.set_msr = svm_set_msr,
.get_segment_base = svm_get_segment_base,

60
debian/patches/bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch vendored
View File

@ -1,60 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 10 Nov 2015 11:55:36 +0100
Subject: KVM: x86: rename update_db_bp_intercept to update_bp_intercept
Origin: https://git.kernel.org/linus/a96036b8ef7df9f10cd575c0d78359bd33188e8e
Because #DB is now intercepted unconditionally, this callback
only operates on #BP for both VMX and SVM.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/svm.c | 2 +-
arch/x86/kvm/vmx.c | 2 +-
arch/x86/kvm/x86.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -739,7 +739,7 @@ struct kvm_x86_ops {
void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu);
void (*vcpu_put)(struct kvm_vcpu *vcpu);
- void (*update_db_bp_intercept)(struct kvm_vcpu *vcpu);
+ void (*update_bp_intercept)(struct kvm_vcpu *vcpu);
int (*get_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
u64 (*get_segment_base)(struct kvm_vcpu *vcpu, int seg);
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4374,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops =
.vcpu_load = svm_vcpu_load,
.vcpu_put = svm_vcpu_put,
- .update_db_bp_intercept = update_bp_intercept,
+ .update_bp_intercept = update_bp_intercept,
.get_msr = svm_get_msr,
.set_msr = svm_set_msr,
.get_segment_base = svm_get_segment_base,
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10335,7 +10335,7 @@ static struct kvm_x86_ops vmx_x86_ops =
.vcpu_load = vmx_vcpu_load,
.vcpu_put = vmx_vcpu_put,
- .update_db_bp_intercept = update_exception_bitmap,
+ .update_bp_intercept = update_exception_bitmap,
.get_msr = vmx_get_msr,
.set_msr = vmx_set_msr,
.get_segment_base = vmx_get_segment_base,
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7184,7 +7184,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
*/
kvm_set_rflags(vcpu, rflags);
- kvm_x86_ops->update_db_bp_intercept(vcpu);
+ kvm_x86_ops->update_bp_intercept(vcpu);
r = 0;

38
debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch vendored
View File

@ -1,38 +0,0 @@
Subject: KVM x86 SVM: intercept #AC to avoid guest->host exploit
---
M arch/x86/kvm/svm.c
1 file changed, 8 insertions(+), 0 deletions(-)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *s
set_exception_intercept(svm, PF_VECTOR);
set_exception_intercept(svm, UD_VECTOR);
set_exception_intercept(svm, MC_VECTOR);
+ set_exception_intercept(svm, AC_VECTOR);
set_intercept(svm, INTERCEPT_INTR);
set_intercept(svm, INTERCEPT_NMI);
@@ -1795,6 +1796,12 @@ static int ud_interception(struct vcpu_s
return 1;
}
+static int ac_interception(struct vcpu_svm *svm)
+{
+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
+ return 1;
+}
+
static void svm_fpu_activate(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
@@ -3369,6 +3376,7 @@ static int (*const svm_exit_handlers[])(
[SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
[SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
[SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
[SVM_EXIT_INTR] = intr_interception,
[SVM_EXIT_NMI] = nmi_interception,
[SVM_EXIT_SMI] = nop_on_interception,

34
debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch vendored
View File

@ -1,34 +0,0 @@
From: Eric Northup <digitaleric@google.com>
Date: Thu Sep 10 11:36:28 2015 -0700
Subject: KVM x86 vmx: avoid guest->host DOS by intercepting #AC
A pathological (or malicious) guest can hang a host core by
mis-configuring its GDT/IDT and enabling alignment checks.
[bwh: Forward-ported to 4.2: AC_VECTOR is already defined so don't add it]
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru
u32 eb;
eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
- (1u << NM_VECTOR) | (1u << DB_VECTOR);
+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
if ((vcpu->guest_debug &
(KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
(KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
@@ -5146,6 +5146,13 @@ static int handle_exception(struct kvm_v
kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
kvm_run->debug.arch.exception = ex_no;
break;
+ case AC_VECTOR:
+ /*
+ * We have already enabled interrupts and pre-emption, so
+ * it's OK to loop here if that is what will happen.
+ */
+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
+ return 1;
default:
kvm_run->exit_reason = KVM_EXIT_EXCEPTION;
kvm_run->ex.exception = ex_no;

3
debian/patches/debian/dfsg/files-1 vendored
View File

@ -15,9 +15,6 @@ rm drivers/net/appletalk/cops.h
rm drivers/net/appletalk/cops_ffdrv.h
rm drivers/net/appletalk/cops_ltdrv.h
rm drivers/staging/ft1000/ft1000-pcmcia/boot.h
rm drivers/staging/ft1000/ft1000-*/*.img
# These include apparently obfuscated code
rm drivers/video/fbdev/nvidia/
rm drivers/video/fbdev/riva/

86
debian/patches/features/all/aufs4/aufs4-mmap.patch vendored
View File

@ -8,24 +8,11 @@ Patch headers added by debian/patches/features/all/aufs4/gen-patch
aufs4.3 mmap patch
diff --git a/fs/buffer.c b/fs/buffer.c
index 82283ab..477e5f3 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -2473,7 +2473,7 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
* Update file times before taking page lock. We may end up failing the
* fault so this update may be superfluous but who really cares...
*/
- file_update_time(vma->vm_file);
+ vma_file_update_time(vma);
ret = __block_page_mkwrite(vma, vmf, get_block);
sb_end_pagefault(sb);
diff --git a/fs/proc/base.c b/fs/proc/base.c
index b25eee4..c83d588 100644
[bwh: Forward-ported to 4.4-rc4: drop change in block_page_mkwrite()]
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1914,7 +1914,7 @@ static int proc_map_files_get_link(struct dentry *dentry, struct path *path)
@@ -1921,7 +1921,7 @@ static int proc_map_files_get_link(struc
down_read(&mm->mmap_sem);
vma = find_exact_vma(mm, vm_start, vm_end);
if (vma && vma->vm_file) {
@ -34,11 +21,9 @@ index b25eee4..c83d588 100644
path_get(path);
rc = 0;
}
diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
index f8595e8..cb8eda0 100644
--- a/fs/proc/nommu.c
+++ b/fs/proc/nommu.c
@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region)
@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_
file = region->vm_file;
if (file) {
@ -50,11 +35,9 @@ index f8595e8..cb8eda0 100644
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index e2d46ad..5e7e631 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -280,7 +280,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
@@ -281,7 +281,10 @@ show_map_vma(struct seq_file *m, struct
const char *name = NULL;
if (file) {
@ -66,7 +49,7 @@ index e2d46ad..5e7e631 100644
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
@@ -1465,7 +1468,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
@@ -1505,7 +1508,7 @@ static int show_numa_map(struct seq_file
struct proc_maps_private *proc_priv = &numa_priv->proc_maps;
struct vm_area_struct *vma = v;
struct numa_maps *md = &numa_priv->md;
@ -75,11 +58,9 @@ index e2d46ad..5e7e631 100644
struct mm_struct *mm = vma->vm_mm;
struct mm_walk walk = {
.hugetlb_entry = gather_hugetlb_stats,
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index e0d64c9..7aa92db 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -160,7 +160,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
@@ -160,7 +160,10 @@ static int nommu_vma_show(struct seq_fil
file = vma->vm_file;
if (file) {
@ -91,11 +72,9 @@ index e0d64c9..7aa92db 100644
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT;
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 80001de..9248b97 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1211,6 +1211,28 @@ static inline int fixup_user_fault(struct task_struct *tsk,
@@ -1183,6 +1183,28 @@ static inline int fixup_user_fault(struc
}
#endif
@ -124,11 +103,9 @@ index 80001de..9248b97 100644
extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
void *buf, int len, int write);
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 3d6baa7..750ca95 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -250,6 +250,7 @@ struct vm_region {
@@ -272,6 +272,7 @@ struct vm_region {
unsigned long vm_top; /* region allocated to here */
unsigned long vm_pgoff; /* the offset in vm_file corresponding to vm_start */
struct file *vm_file; /* the backing file or NULL */
@ -136,7 +113,7 @@ index 3d6baa7..750ca95 100644
int vm_usage; /* region usage count (access under nommu_region_sem) */
bool vm_icache_flushed : 1; /* true if the icache has been flushed for
@@ -324,6 +325,7 @@ struct vm_area_struct {
@@ -346,6 +347,7 @@ struct vm_area_struct {
unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE
units, *not* PAGE_CACHE_SIZE */
struct file * vm_file; /* File we map to (can be NULL). */
@ -144,11 +121,9 @@ index 3d6baa7..750ca95 100644
void * vm_private_data; /* was vm_pte (shared mem) */
#ifndef CONFIG_MMU
diff --git a/kernel/fork.c b/kernel/fork.c
index 2845623..71004bd 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -462,7 +462,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
@@ -464,7 +464,7 @@ static int dup_mmap(struct mm_struct *mm
struct inode *inode = file_inode(file);
struct address_space *mapping = file->f_mapping;
@ -157,11 +132,9 @@ index 2845623..71004bd 100644
if (tmp->vm_flags & VM_DENYWRITE)
atomic_dec(&inode->i_writecount);
i_mmap_lock_write(mapping);
diff --git a/mm/Makefile b/mm/Makefile
index 2ed4319..e3a53f5 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -21,7 +21,7 @@ obj-y := filemap.o mempool.o oom_kill.o \
@@ -21,7 +21,7 @@ obj-y := filemap.o mempool.o oom_kill.
mm_init.o mmu_context.o percpu.o slab_common.o \
compaction.o vmacache.o \
interval_tree.o list_lru.o workingset.o \
@ -170,11 +143,9 @@ index 2ed4319..e3a53f5 100644
obj-y += init-mm.o
diff --git a/mm/filemap.c b/mm/filemap.c
index 327910c..7bbc372 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2089,7 +2089,7 @@ int filemap_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
@@ -2128,7 +2128,7 @@ int filemap_page_mkwrite(struct vm_area_
int ret = VM_FAULT_LOCKED;
sb_start_pagefault(inode->i_sb);
@ -183,11 +154,9 @@ index 327910c..7bbc372 100644
lock_page(page);
if (page->mapping != inode->i_mapping) {
unlock_page(page);
diff --git a/mm/memory.c b/mm/memory.c
index deb679c..df2ce3e 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2035,7 +2035,7 @@ static inline int wp_page_reuse(struct mm_struct *mm,
@@ -2035,7 +2035,7 @@ static inline int wp_page_reuse(struct m
}
if (!page_mkwrite)
@ -196,11 +165,9 @@ index deb679c..df2ce3e 100644
}
return VM_FAULT_WRITE;
diff --git a/mm/mmap.c b/mm/mmap.c
index 79bcc9f..da28c8a 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -275,7 +275,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
@@ -275,7 +275,7 @@ static struct vm_area_struct *remove_vma
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
@ -209,7 +176,7 @@ index 79bcc9f..da28c8a 100644
mpol_put(vma_policy(vma));
kmem_cache_free(vm_area_cachep, vma);
return next;
@@ -887,7 +887,7 @@ again: remove_next = 1 + (end > next->vm_end);
@@ -887,7 +887,7 @@ again: remove_next = 1 + (end > next->
if (remove_next) {
if (file) {
uprobe_munmap(next, next->vm_start, next->vm_end);
@ -218,7 +185,7 @@ index 79bcc9f..da28c8a 100644
}
if (next->anon_vma)
anon_vma_merge(vma, next);
@@ -1683,8 +1683,8 @@ out:
@@ -1681,8 +1681,8 @@ out:
return addr;
unmap_and_free_vma:
@ -228,7 +195,7 @@ index 79bcc9f..da28c8a 100644
/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
@@ -2485,7 +2485,7 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
@@ -2488,7 +2488,7 @@ static int __split_vma(struct mm_struct
goto out_free_mpol;
if (new->vm_file)
@ -237,7 +204,7 @@ index 79bcc9f..da28c8a 100644
if (new->vm_ops && new->vm_ops->open)
new->vm_ops->open(new);
@@ -2504,7 +2504,7 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
@@ -2507,7 +2507,7 @@ static int __split_vma(struct mm_struct
if (new->vm_ops && new->vm_ops->close)
new->vm_ops->close(new);
if (new->vm_file)
@ -246,7 +213,7 @@ index 79bcc9f..da28c8a 100644
unlink_anon_vmas(new);
out_free_mpol:
mpol_put(vma_policy(new));
@@ -2646,7 +2646,6 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
@@ -2649,7 +2649,6 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
struct vm_area_struct *vma;
unsigned long populate = 0;
unsigned long ret = -EINVAL;
@ -254,7 +221,7 @@ index 79bcc9f..da28c8a 100644
pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. "
"See Documentation/vm/remap_file_pages.txt.\n",
@@ -2690,10 +2689,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
@@ -2693,10 +2692,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
munlock_vma_pages_range(vma, start, start + size);
}
@ -267,7 +234,7 @@ index 79bcc9f..da28c8a 100644
out:
up_write(&mm->mmap_sem);
if (populate)
@@ -2963,7 +2962,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
@@ -2966,7 +2965,7 @@ struct vm_area_struct *copy_vma(struct v
if (anon_vma_clone(new_vma, vma))
goto out_free_mempol;
if (new_vma->vm_file)
@ -276,11 +243,9 @@ index 79bcc9f..da28c8a 100644
if (new_vma->vm_ops && new_vma->vm_ops->open)
new_vma->vm_ops->open(new_vma);
vma_link(mm, new_vma, prev, rb_link, rb_parent);
diff --git a/mm/nommu.c b/mm/nommu.c
index ab14a20..fffc566 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -671,7 +671,7 @@ static void __put_nommu_region(struct vm_region *region)
@@ -671,7 +671,7 @@ static void __put_nommu_region(struct vm
up_write(&nommu_region_sem);
if (region->vm_file)
@ -289,7 +254,7 @@ index ab14a20..fffc566 100644
/* IO memory and memory shared directly out of the pagecache
* from ramfs/tmpfs mustn't be released here */
@@ -829,7 +829,7 @@ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma)
@@ -829,7 +829,7 @@ static void delete_vma(struct mm_struct
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
@ -320,9 +285,6 @@ index ab14a20..fffc566 100644
kmem_cache_free(vm_area_cachep, vma);
return ret;
diff --git a/mm/prfile.c b/mm/prfile.c
new file mode 100644
index 0000000..b323b8a
--- /dev/null
+++ b/mm/prfile.c
@@ -0,0 +1,86 @@

58
debian/patches/features/all/cgroups-Allow-memory-cgroup-support-to-be-included-b.patch vendored
View File

@ -1,5 +1,5 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 30 May 2010 22:43:38 +0100
Date: Thu, 10 Dec 2015 18:02:48 +0000
Subject: cgroups: Allow memory cgroup support to be included but disabled
Forwarded: no
@ -11,15 +11,9 @@ parameter 'cgroup_enable' as the opposite to 'cgroup_disable'.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Bastian Blank: Rename CGROUP_MEM_RES_CTLR_DISABLED to MEMCG_DISABLED]
---
Documentation/kernel-parameters.txt | 4 ++--
init/Kconfig | 8 ++++++++
kernel/cgroup.c | 20 ++++++++++++++++----
mm/memcontrol.c | 3 +++
4 files changed, 29 insertions(+), 6 deletions(-)
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -587,8 +587,8 @@ bytes respectively. Such letter suffixes
@@ -588,8 +588,8 @@ bytes respectively. Such letter suffixes
ccw_timeout_log [S390]
See Documentation/s390/CommonIO for details.
@ -49,7 +43,19 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
depends on MEMCG && SWAP
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5468,7 +5468,7 @@ out_free:
@@ -5216,7 +5216,11 @@ int __init cgroup_init_early(void)
return 0;
}
+#ifdef CONFIG_MEMCG_DISABLED
+static unsigned long cgroup_disable_mask __initdata = 1 << memory_cgrp_id;
+#else
static unsigned long cgroup_disable_mask __initdata;
+#endif
/**
* cgroup_init - cgroup initialization
@@ -5691,7 +5695,7 @@ out_free:
kfree(pathbuf);
}
@ -58,17 +64,15 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
{
struct cgroup_subsys *ss;
char *token;
@@ -5483,16 +5483,27 @@ static int __init cgroup_disable(char *s
@@ -5705,13 +5709,27 @@ static int __init cgroup_disable(char *s
if (strcmp(token, ss->name) &&
strcmp(token, ss->legacy_name))
continue;
- ss->disabled = 1;
- printk(KERN_INFO "Disabling %s control group subsystem\n",
- ss->name);
+ ss->disabled = value;
+ printk(KERN_INFO "%sabling %s control group subsystem\n",
+ value ? "Dis" : "En", ss->name);
break;
- cgroup_disable_mask |= 1 << i;
+ if (value)
+ cgroup_disable_mask |= 1 << i;
+ else
+ cgroup_disable_mask &= ~(1 << i);
}
}
return 1;
@ -86,18 +90,6 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+}
+__setup("cgroup_enable=", cgroup_enable);
+
static int __init cgroup_set_legacy_files_on_dfl(char *str)
{
printk("cgroup: using legacy files on the default hierarchy\n");
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5209,6 +5209,9 @@ static struct cftype memory_files[] = {
};
struct cgroup_subsys memory_cgrp_subsys = {
+#ifdef CONFIG_MEMCG_DISABLED
+ .disabled = 1,
+#endif
.css_alloc = mem_cgroup_css_alloc,
.css_online = mem_cgroup_css_online,
.css_offline = mem_cgroup_css_offline,
/**
* css_tryget_online_from_dir - get corresponding css from a cgroup dentry
* @dentry: directory dentry of interest

16
debian/patches/features/all/efi-autoload-efi-pstore.patch vendored
View File

@ -1,16 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Subject: efi: Auto-load efi-pstore
Date: Mon, 28 Sep 2015 01:44:16 +0100
Forwarded: http://mid.gmane.org/1443401056.2517.27.camel@decadent.org.uk
efi-pstore should be auto-loaded on EFI systems, same as efivars.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/firmware/efi/efi-pstore.c
+++ b/drivers/firmware/efi/efi-pstore.c
@@ -400,3 +400,4 @@ module_exit(efivars_pstore_exit);
MODULE_DESCRIPTION("EFI variable backend for pstore");
MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:efivars");

42
debian/patches/features/arm/deb-pkg-add-automatic-support-for-armhf-architecture.patch vendored
View File

@ -1,42 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 28 Sep 2015 02:34:40 +0100
Subject: deb-pkg: Add automatic support for armhf architecture
Forwarded: http://mid.gmane.org/1443404080.2517.30.camel@decadent.org.uk
The Debian armhf architecture uses the ARM EABI hard-float variant,
whereas armel uses the soft-float variant. Although the kernel
doesn't use FP itself, CONFIG_VFP must be enabled to support
hard-float userland and will probably be disabled when supporting a
soft-float userland. So set the architecture to armhf by default when
CONFIG_AEABI and CONFIG_VFP are both enabled.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Ian Campbell <ijc@hellion.org.uk>
Acked-by: Fathi Boudra <fathi.boudra@linaro.org>
---
v2: rebased
v3: rebased
scripts/package/builddeb | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -52,7 +52,16 @@ set_debarch() {
arm64)
debarch=arm64 ;;
arm*)
- debarch=arm$(grep -q CONFIG_AEABI=y $KCONFIG_CONFIG && echo el || true) ;;
+ if grep -q CONFIG_AEABI=y $KCONFIG_CONFIG; then
+ if grep -q CONFIG_VFP=y $KCONFIG_CONFIG; then
+ debarch=armhf
+ else
+ debarch=armel
+ fi
+ else
+ debarch=arm
+ fi
+ ;;
*)
debarch=$(dpkg --print-architecture)
echo "" >&2

65
debian/patches/features/arm64/usb-add-support-for-acpi-identification-to-xhci-platform.patch vendored
View File

@ -1,65 +0,0 @@
From: Mark Langsdorf <mlangsdo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: [PATCH v3 2/2] [usb] dd support for ACPI identification to xhci-platform
Date: Tue, 25 Nov 2014 15:19:26 -0600
Origin: http://permalink.gmane.org/gmane.linux.usb.general/118784
Bug-Debian: https://bugs.debian.org/785707
Provide the methods to let ACPI identify the need to use
xhci-platform. Change the Kconfig files so the
xhci-plat.o file is selectable during kernel config.
This has been tested on an ARM64 machine with platform XHCI, an
x86_64 machine with XHCI, and an x86_64 machine without XHCI.
There were no regressions or error messages on the machines
without platform XHCI.
Signed-off-by: Mark Langsdorf <mlangsdo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
[ ijc -- allow build as a module, otherwise cannot see various core
symbols, like xhci_resume or usb_add_hcd which are in modules. xhci-hcd-plat
can be built as a module from v3.18. ]
[bwh: Drop Kconfig change as a similar change was applied upstream]
---
Changes from v2
Replaced tristate with a boolean as the driver doesn't
compile as a module
Correct --help-- to ---help---
Changes from v1
Renamed from "add support for APM X-Gene to xhci-platform"
Removed changes to arm64/Kconfig
Made CONFIG_USB_XHCI_PLATFORM a user selectable config option
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -19,6 +19,7 @@
#include <linux/usb/phy.h>
#include <linux/slab.h>
#include <linux/usb/xhci_pdriver.h>
+#include <linux/acpi.h>
#include "xhci.h"
#include "xhci-mvebu.h"
@@ -262,6 +263,15 @@ static const struct of_device_id usb_xhc
MODULE_DEVICE_TABLE(of, usb_xhci_of_match);
#endif
+#ifdef CONFIG_ACPI
+static const struct acpi_device_id usb_xhci_acpi_match[] = {
+ { "PNP0D10", },
+ { "PNP0D15", },
+ { }
+};
+MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_match);
+#endif
+
static struct platform_driver usb_xhci_driver = {
.probe = xhci_plat_probe,
.remove = xhci_plat_remove,
@@ -269,6 +279,7 @@ static struct platform_driver usb_xhci_d
.name = "xhci-hcd",
.pm = DEV_PM_OPS,
.of_match_table = of_match_ptr(usb_xhci_of_match),
+ .acpi_match_table = ACPI_PTR(usb_xhci_acpi_match),
},
};
MODULE_ALIAS("platform:xhci-hcd");

48
debian/patches/features/arm64/usb-make-xhci-platform-driver-use-64-bit-or-32-bit-dma.patch vendored
View File

@ -1,48 +0,0 @@
From: Mark Langsdorf <mlangsdo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: [PATCH v3 1/2] make xhci platform driver use 64 bit or 32 bit DMA
Date: Tue, 25 Nov 2014 15:19:25 -0600
Origin: http://permalink.gmane.org/gmane.linux.usb.general/118786
Bug-Debian: https://bugs.debian.org/785707
The xhci platform driver needs to work on systems that either only
support 64-bit DMA or only support 32-bit DMA. Attempt to set a
coherent dma mask for 64-bit DMA, and attempt again with 32-bit
DMA if that fails.
Signed-off-by: Mark Langsdorf <mlangsdo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Tested-by: Mark Salter <msalter-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
Changes from v2:
None
Changes from v1:
Consolidated to use dma_set_mask_and_coherent
Got rid of the check against sizeof(dma_addr_t)
drivers/usb/host/xhci-plat.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -83,14 +83,14 @@ static int xhci_plat_probe(struct platfo
if (irq < 0)
return -ENODEV;
- /* Initialize dma_mask and coherent_dma_mask to 32-bits */
- ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
- if (ret)
- return ret;
- if (!pdev->dev.dma_mask)
- pdev->dev.dma_mask = &pdev->dev.coherent_dma_mask;
- else
- dma_set_mask(&pdev->dev, DMA_BIT_MASK(32));
+ /* Try setting the coherent_dma_mask to 64 bits, then try 32 bits */
+ ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64));
+ if (ret) {
+ ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
+ if (ret)
+ return ret;
+ }
+
hcd = usb_create_hcd(driver, &pdev->dev, dev_name(&pdev->dev));
if (!hcd)

27
debian/patches/series vendored
View File

@ -44,7 +44,6 @@ debian/snd-pcsp-disable-autoload.patch
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
# Arch bug fixes
bugfix/mips/disable-advansys.patch
bugfix/arm64/arm64-add-missing-dts-entry-for-X-Gene-platform.patch
bugfix/arm64/arm64-removed-using-of-the-mask-attribute-in-the-dts.patch
@ -54,9 +53,6 @@ features/mips/MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch
features/mips/MIPS-octeon-Add-support-for-the-UBNT-E200-board.patch
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
features/x86/x86-make-x32-syscall-support-conditional.patch
features/arm/deb-pkg-add-automatic-support-for-armhf-architecture.patch
features/arm64/usb-make-xhci-platform-driver-use-64-bit-or-32-bit-dma.patch
features/arm64/usb-add-support-for-acpi-identification-to-xhci-platform.patch
# Miscellaneous bug fixes
bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
@ -64,12 +60,7 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
# Reproducible docs
bugfix/all/documentation-avoid-creating-man-pages-in-source-tree.patch
bugfix/all/docbook-use-a-fixed-encoding-for-output.patch
# Miscellaneous features
features/all/efi-autoload-efi-pstore.patch
# Hardening from grsecurity
features/all/grsecurity/grsecurity-kconfig.patch
@ -77,24 +68,6 @@ features/all/grsecurity/grsecurity-kconfig.patch
#features/all/grsecurity/grsecurity-kbuild.patch
features/all/grsecurity/grkernsec_perf_harden.patch
bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch
bugfix/all/selftests-add-missing-include-directives.patch
bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch
bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch
bugfix/all/selftests-make-scripts-executable.patch
bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch
bugfix/all/selftests-breakpoints-actually-build-it.patch
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch