diff --git a/debian/changelog b/debian/changelog index bc7fb0a3f..d0fa208b1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux (4.4~rc4-1~exp1) UNRELEASED; urgency=medium + + * New upstream release candidate + + -- Ben Hutchings Thu, 10 Dec 2015 17:34:39 +0000 + linux (4.3-1~exp2) experimental; urgency=medium [ Ben Hutchings ] diff --git a/debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch b/debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch deleted file mode 100644 index 7cd84014d..000000000 --- a/debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch +++ /dev/null @@ -1,283 +0,0 @@ -From: Filipe Manana -Date: Fri, 16 Oct 2015 12:34:25 +0100 -Subject: Btrfs: fix truncation of compressed and inlined extents -Origin: https://git.kernel.org/linus/0305cd5f7fca85dae392b9ba85b116896eb7c1c7 - -When truncating a file to a smaller size which consists of an inline -extent that is compressed, we did not discard (or made unusable) the -data between the new file size and the old file size, wasting metadata -space and allowing for the truncated data to be leaked and the data -corruption/loss mentioned below. -We were also not correctly decrementing the number of bytes used by the -inode, we were setting it to zero, giving a wrong report for callers of -the stat(2) syscall. The fsck tool also reported an error about a mismatch -between the nbytes of the file versus the real space used by the file. - -Now because we weren't discarding the truncated region of the file, it -was possible for a caller of the clone ioctl to actually read the data -that was truncated, allowing for a security breach without requiring root -access to the system, using only standard filesystem operations. The -scenario is the following: - - 1) User A creates a file which consists of an inline and compressed - extent with a size of 2000 bytes - the file is not accessible to - any other users (no read, write or execution permission for anyone - else); - - 2) The user truncates the file to a size of 1000 bytes; - - 3) User A makes the file world readable; - - 4) User B creates a file consisting of an inline extent of 2000 bytes; - - 5) User B issues a clone operation from user A's file into its own - file (using a length argument of 0, clone the whole range); - - 6) User B now gets to see the 1000 bytes that user A truncated from - its file before it made its file world readbale. User B also lost - the bytes in the range [1000, 2000[ bytes from its own file, but - that might be ok if his/her intention was reading stale data from - user A that was never supposed to be public. - -Note that this contrasts with the case where we truncate a file from 2000 -bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In -this case reading any byte from the range [1000, 2000[ will return a value -of 0x00, instead of the original data. - -This problem exists since the clone ioctl was added and happens both with -and without my recent data loss and file corruption fixes for the clone -ioctl (patch "Btrfs: fix file corruption and data loss after cloning -inline extents"). - -So fix this by truncating the compressed inline extents as we do for the -non-compressed case, which involves decompressing, if the data isn't already -in the page cache, compressing the truncated version of the extent, writing -the compressed content into the inline extent and then truncate it. - -The following test case for fstests reproduces the problem. In order for -the test to pass both this fix and my previous fix for the clone ioctl -that forbids cloning a smaller inline extent into a larger one, -which is titled "Btrfs: fix file corruption and data loss after cloning -inline extents", are needed. Without that other fix the test fails in a -different way that does not leak the truncated data, instead part of -destination file gets replaced with zeroes (because the destination file -has a larger inline extent than the source). - - seq=`basename $0` - seqres=$RESULT_DIR/$seq - echo "QA output created by $seq" - tmp=/tmp/$$ - status=1 # failure is the default! - trap "_cleanup; exit \$status" 0 1 2 3 15 - - _cleanup() - { - rm -f $tmp.* - } - - # get standard environment, filters and checks - . ./common/rc - . ./common/filter - - # real QA test starts here - _need_to_be_root - _supported_fs btrfs - _supported_os Linux - _require_scratch - _require_cloner - - rm -f $seqres.full - - _scratch_mkfs >>$seqres.full 2>&1 - _scratch_mount "-o compress" - - # Create our test files. File foo is going to be the source of a clone operation - # and consists of a single inline extent with an uncompressed size of 512 bytes, - # while file bar consists of a single inline extent with an uncompressed size of - # 256 bytes. For our test's purpose, it's important that file bar has an inline - # extent with a size smaller than foo's inline extent. - $XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128" \ - -c "pwrite -S 0x2a 128 384" \ - $SCRATCH_MNT/foo | _filter_xfs_io - $XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io - - # Now durably persist all metadata and data. We do this to make sure that we get - # on disk an inline extent with a size of 512 bytes for file foo. - sync - - # Now truncate our file foo to a smaller size. Because it consists of a - # compressed and inline extent, btrfs did not shrink the inline extent to the - # new size (if the extent was not compressed, btrfs would shrink it to 128 - # bytes), it only updates the inode's i_size to 128 bytes. - $XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo - - # Now clone foo's inline extent into bar. - # This clone operation should fail with errno EOPNOTSUPP because the source - # file consists only of an inline extent and the file's size is smaller than - # the inline extent of the destination (128 bytes < 256 bytes). However the - # clone ioctl was not prepared to deal with a file that has a size smaller - # than the size of its inline extent (something that happens only for compressed - # inline extents), resulting in copying the full inline extent from the source - # file into the destination file. - # - # Note that btrfs' clone operation for inline extents consists of removing the - # inline extent from the destination inode and copy the inline extent from the - # source inode into the destination inode, meaning that if the destination - # inode's inline extent is larger (N bytes) than the source inode's inline - # extent (M bytes), some bytes (N - M bytes) will be lost from the destination - # file. Btrfs could copy the source inline extent's data into the destination's - # inline extent so that we would not lose any data, but that's currently not - # done due to the complexity that would be needed to deal with such cases - # (specially when one or both extents are compressed), returning EOPNOTSUPP, as - # it's normally not a very common case to clone very small files (only case - # where we get inline extents) and copying inline extents does not save any - # space (unlike for normal, non-inlined extents). - $CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar - - # Now because the above clone operation used to succeed, and due to foo's inline - # extent not being shinked by the truncate operation, our file bar got the whole - # inline extent copied from foo, making us lose the last 128 bytes from bar - # which got replaced by the bytes in range [128, 256[ from foo before foo was - # truncated - in other words, data loss from bar and being able to read old and - # stale data from foo that should not be possible to read anymore through normal - # filesystem operations. Contrast with the case where we truncate a file from a - # size N to a smaller size M, truncate it back to size N and then read the range - # [M, N[, we should always get the value 0x00 for all the bytes in that range. - - # We expected the clone operation to fail with errno EOPNOTSUPP and therefore - # not modify our file's bar data/metadata. So its content should be 256 bytes - # long with all bytes having the value 0xbb. - # - # Without the btrfs bug fix, the clone operation succeeded and resulted in - # leaking truncated data from foo, the bytes that belonged to its range - # [128, 256[, and losing data from bar in that same range. So reading the - # file gave us the following content: - # - # 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 - # * - # 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a - # * - # 0000400 - echo "File bar's content after the clone operation:" - od -t x1 $SCRATCH_MNT/bar - - # Also because the foo's inline extent was not shrunk by the truncate - # operation, btrfs' fsck, which is run by the fstests framework everytime a - # test completes, failed reporting the following error: - # - # root 5 inode 257 errors 400, nbytes wrong - - status=0 - exit - -Cc: stable@vger.kernel.org -Signed-off-by: Filipe Manana ---- - fs/btrfs/inode.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 68 insertions(+), 14 deletions(-) - ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -4184,6 +4184,47 @@ static int truncate_space_check(struct b - - } - -+static int truncate_inline_extent(struct inode *inode, -+ struct btrfs_path *path, -+ struct btrfs_key *found_key, -+ const u64 item_end, -+ const u64 new_size) -+{ -+ struct extent_buffer *leaf = path->nodes[0]; -+ int slot = path->slots[0]; -+ struct btrfs_file_extent_item *fi; -+ u32 size = (u32)(new_size - found_key->offset); -+ struct btrfs_root *root = BTRFS_I(inode)->root; -+ -+ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); -+ -+ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) { -+ loff_t offset = new_size; -+ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE); -+ -+ /* -+ * Zero out the remaining of the last page of our inline extent, -+ * instead of directly truncating our inline extent here - that -+ * would be much more complex (decompressing all the data, then -+ * compressing the truncated data, which might be bigger than -+ * the size of the inline extent, resize the extent, etc). -+ * We release the path because to get the page we might need to -+ * read the extent item from disk (data not in the page cache). -+ */ -+ btrfs_release_path(path); -+ return btrfs_truncate_page(inode, offset, page_end - offset, 0); -+ } -+ -+ btrfs_set_file_extent_ram_bytes(leaf, fi, size); -+ size = btrfs_file_extent_calc_inline_size(size); -+ btrfs_truncate_item(root, path, size, 1); -+ -+ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) -+ inode_sub_bytes(inode, item_end + 1 - new_size); -+ -+ return 0; -+} -+ - /* - * this can truncate away extent items, csum items and directory items. - * It starts at a high offset and removes keys until it can't find -@@ -4378,27 +4419,40 @@ search_again: - * special encodings - */ - if (!del_item && -- btrfs_file_extent_compression(leaf, fi) == 0 && - btrfs_file_extent_encryption(leaf, fi) == 0 && - btrfs_file_extent_other_encoding(leaf, fi) == 0) { -- u32 size = new_size - found_key.offset; -- -- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) -- inode_sub_bytes(inode, item_end + 1 - -- new_size); - - /* -- * update the ram bytes to properly reflect -- * the new size of our item -+ * Need to release path in order to truncate a -+ * compressed extent. So delete any accumulated -+ * extent items so far. - */ -- btrfs_set_file_extent_ram_bytes(leaf, fi, size); -- size = -- btrfs_file_extent_calc_inline_size(size); -- btrfs_truncate_item(root, path, size, 1); -+ if (btrfs_file_extent_compression(leaf, fi) != -+ BTRFS_COMPRESS_NONE && pending_del_nr) { -+ err = btrfs_del_items(trans, root, path, -+ pending_del_slot, -+ pending_del_nr); -+ if (err) { -+ btrfs_abort_transaction(trans, -+ root, -+ err); -+ goto error; -+ } -+ pending_del_nr = 0; -+ } -+ -+ err = truncate_inline_extent(inode, path, -+ &found_key, -+ item_end, -+ new_size); -+ if (err) { -+ btrfs_abort_transaction(trans, -+ root, err); -+ goto error; -+ } - } else if (test_bit(BTRFS_ROOT_REF_COWS, - &root->state)) { -- inode_sub_bytes(inode, item_end + 1 - -- found_key.offset); -+ inode_sub_bytes(inode, item_end + 1 - new_size); - } - } - delete: diff --git a/debian/patches/bugfix/all/docbook-use-a-fixed-encoding-for-output.patch b/debian/patches/bugfix/all/docbook-use-a-fixed-encoding-for-output.patch deleted file mode 100644 index 9fd67affa..000000000 --- a/debian/patches/bugfix/all/docbook-use-a-fixed-encoding-for-output.patch +++ /dev/null @@ -1,84 +0,0 @@ -From: Ben Hutchings -Date: Mon, 28 Sep 2015 01:09:52 +0100 -Subject: DocBook: Use a fixed encoding for output -Forwarded: http://mid.gmane.org/1443398992.2517.13.camel@decadent.org.uk - -Currently the encoding of documents generated by DocBook depends on -the current locale. Make the output reproducible independently of -the locale, by setting the encoding to UTF-8 (LC_CTYPE=C.UTF-8) by -preference, or ASCII (LC_CTYPE=C) as a fallback. - -LC_CTYPE can normally be overridden by LC_ALL, but the top-level -Makefile unsets that. - -Signed-off-by: Ben Hutchings ---- ---- a/Documentation/DocBook/Makefile -+++ b/Documentation/DocBook/Makefile -@@ -69,6 +69,12 @@ installmandocs: mandocs - KERNELDOCXMLREF = $(srctree)/scripts/kernel-doc-xml-ref - KERNELDOC = $(srctree)/scripts/kernel-doc - DOCPROC = $(objtree)/scripts/docproc -+CHECK_LC_CTYPE = $(objtree)/scripts/check-lc_ctype -+ -+# Use a fixed encoding - UTF-8 if the C library has support built-in -+# or ASCII if not -+LC_CTYPE := $(call try-run, LC_CTYPE=C.UTF-8 $(CHECK_LC_CTYPE),C.UTF-8,C) -+export LC_CTYPE - - XMLTOFLAGS = -m $(srctree)/$(src)/stylesheet.xsl - XMLTOFLAGS += --skip-validation ---- a/Makefile -+++ b/Makefile -@@ -1353,7 +1353,7 @@ $(help-board-dirs): help-%: - # Documentation targets - # --------------------------------------------------------------------------- - %docs: scripts_basic FORCE -- $(Q)$(MAKE) $(build)=scripts build_docproc -+ $(Q)$(MAKE) $(build)=scripts build_docproc build_check-lc_ctype - $(Q)$(MAKE) $(build)=Documentation/DocBook $@ - - else # KBUILD_EXTMOD ---- a/scripts/Makefile -+++ b/scripts/Makefile -@@ -7,6 +7,7 @@ - # conmakehash: Create chartable - # conmakehash: Create arrays for initializing the kernel console tables - # docproc: Used in Documentation/DocBook -+# check-lc_ctype: Used in Documentation/DocBook - - HOST_EXTRACFLAGS += -I$(srctree)/tools/include - -@@ -27,14 +28,16 @@ HOSTLOADLIBES_extract-cert = -lcrypto - always := $(hostprogs-y) $(hostprogs-m) - - # The following hostprogs-y programs are only build on demand --hostprogs-y += unifdef docproc -+hostprogs-y += unifdef docproc check-lc_ctype - - # These targets are used internally to avoid "is up to date" messages --PHONY += build_unifdef build_docproc -+PHONY += build_unifdef build_docproc build_check-lc_ctype - build_unifdef: $(obj)/unifdef - @: - build_docproc: $(obj)/docproc - @: -+build_check-lc_ctype: $(obj)/check-lc_ctype -+ @: - - subdir-$(CONFIG_MODVERSIONS) += genksyms - subdir-y += mod ---- /dev/null -+++ b/scripts/check-lc_ctype.c -@@ -0,0 +1,11 @@ -+/* -+ * Check that a specified locale works as LC_CTYPE. Used by the -+ * DocBook build system to probe for C.UTF-8 support. -+ */ -+ -+#include -+ -+int main(void) -+{ -+ return !setlocale(LC_CTYPE, ""); -+} diff --git a/debian/patches/bugfix/all/documentation-avoid-creating-man-pages-in-source-tree.patch b/debian/patches/bugfix/all/documentation-avoid-creating-man-pages-in-source-tree.patch deleted file mode 100644 index c9d919b4e..000000000 --- a/debian/patches/bugfix/all/documentation-avoid-creating-man-pages-in-source-tree.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Ben Hutchings -Date: Mon, 28 Sep 2015 01:09:02 +0100 -Subject: Documentation: Avoid creating man pages in source tree -Forwarded: http://mid.gmane.org/1443398942.2517.12.camel@decadent.org.uk - -Currently kernel-doc generates a dummy DocBook file when asked to -convert a C source file with no structured comments. For an -out-of-tree build (objtree != srctree), the title of the output file -is the absolute path name of the C source file, which later results -in a manual page being created alongside the C source file. - -Change the title to be a relative path. - -Signed-off-by: Ben Hutchings ---- ---- a/scripts/kernel-doc -+++ b/scripts/kernel-doc -@@ -2351,12 +2351,13 @@ sub process_file($) { - my $descr; - my $in_purpose = 0; - my $initial_section_counter = $section_counter; -+ my ($orig_file) = @_; - - if (defined($ENV{'SRCTREE'})) { -- $file = "$ENV{'SRCTREE'}" . "/" . "@_"; -+ $file = "$ENV{'SRCTREE'}" . "/" . $orig_file; - } - else { -- $file = "@_"; -+ $file = $orig_file; - } - if (defined($source_map{$file})) { - $file = $source_map{$file}; -@@ -2565,7 +2566,7 @@ sub process_file($) { - print "\n"; - print " \n"; - print " \n"; -- print " ${file}\n"; -+ print " ${orig_file}\n"; - print " \n"; - print " \n"; - print " Document generation inconsistency\n"; -@@ -2579,7 +2580,7 @@ sub process_file($) { - print " \n"; - print " The template for this document tried to insert\n"; - print " the structured comment from the file\n"; -- print " ${file} at this point,\n"; -+ print " ${orig_file} at this point,\n"; - print " but none was found.\n"; - print " This dummy section is inserted to allow\n"; - print " generation to continue.\n"; diff --git a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch index c337564c8..123c29da6 100644 --- a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch +++ b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch @@ -53,7 +53,7 @@ upstream submission. /* disable MPU */ --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -432,10 +432,8 @@ static enum ucode_state request_microcod +@@ -907,10 +907,8 @@ static enum ucode_state request_microcod if (c->x86 >= 0x15) snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); @@ -96,7 +96,7 @@ upstream submission. fw_size = firmware->size / sizeof(u32); --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c -@@ -404,10 +404,8 @@ static int ath3k_load_patch(struct usb_d +@@ -408,10 +408,8 @@ static int ath3k_load_patch(struct usb_d le32_to_cpu(fw_version.rom_version)); ret = request_firmware(&firmware, filename, &udev->dev); @@ -108,7 +108,7 @@ upstream submission. pt_rom_version = get_unaligned_le32(firmware->data + firmware->size - 8); -@@ -467,10 +465,8 @@ static int ath3k_load_syscfg(struct usb_ +@@ -471,10 +469,8 @@ static int ath3k_load_syscfg(struct usb_ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu"); ret = request_firmware(&firmware, filename, &udev->dev); @@ -140,7 +140,7 @@ upstream submission. return -EIO; --- a/drivers/bluetooth/bfusb.c +++ b/drivers/bluetooth/bfusb.c -@@ -664,10 +664,8 @@ static int bfusb_probe(struct usb_interf +@@ -653,10 +653,8 @@ static int bfusb_probe(struct usb_interf skb_queue_head_init(&data->pending_q); skb_queue_head_init(&data->completed_q); @@ -154,7 +154,7 @@ upstream submission. --- a/drivers/bluetooth/bt3c_cs.c +++ b/drivers/bluetooth/bt3c_cs.c -@@ -567,10 +567,8 @@ static int bt3c_open(struct bt3c_info *i +@@ -565,10 +565,8 @@ static int bt3c_open(struct bt3c_info *i /* Load firmware */ err = request_firmware(&firmware, "BT3CPCC.bin", &info->p_dev->dev); @@ -168,7 +168,7 @@ upstream submission. --- a/drivers/bluetooth/btmrvl_sdio.c +++ b/drivers/bluetooth/btmrvl_sdio.c -@@ -355,8 +355,6 @@ static int btmrvl_sdio_download_helper(s +@@ -390,8 +390,6 @@ static int btmrvl_sdio_download_helper(s ret = request_firmware(&fw_helper, card->helper, &card->func->dev); if ((ret < 0) || !fw_helper) { @@ -177,7 +177,7 @@ upstream submission. ret = -ENOENT; goto done; } -@@ -455,8 +453,6 @@ static int btmrvl_sdio_download_fw_w_hel +@@ -490,8 +488,6 @@ static int btmrvl_sdio_download_fw_w_hel ret = request_firmware(&fw_firmware, card->firmware, &card->func->dev); if ((ret < 0) || !fw_firmware) { @@ -233,7 +233,7 @@ upstream submission. where = 0; --- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c +++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c -@@ -1643,10 +1643,8 @@ gf100_gr_ctor_fw(struct gf100_gr *gr, co +@@ -1646,10 +1646,8 @@ gf100_gr_ctor_fw(struct gf100_gr *gr, co snprintf(f, sizeof(f), "nvidia/%s/%s.bin", cname, fwname); ret = request_firmware(&fw, f, device->dev); @@ -742,7 +742,7 @@ upstream submission. GFP_KERNEL | GFP_DMA); --- a/drivers/media/pci/ttpci/av7110.c +++ b/drivers/media/pci/ttpci/av7110.c -@@ -1534,16 +1534,9 @@ static int get_firmware(struct av7110* a +@@ -1531,16 +1531,9 @@ static int get_firmware(struct av7110* a /* request the av7110 firmware, this will block until someone uploads it */ ret = request_firmware(&fw, "dvb-ttpci-01.fw", &av7110->dev->pci->dev); if (ret) { @@ -792,7 +792,7 @@ upstream submission. b[0] = 0xaa; --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c -@@ -1292,11 +1292,8 @@ static int ttusb_dec_boot_dsp(struct ttu +@@ -1290,11 +1290,8 @@ static int ttusb_dec_boot_dsp(struct ttu dprintk("%s\n", __func__); result = request_firmware(&fw_entry, dec->firmware_name, &dec->udev->dev); @@ -1063,7 +1063,7 @@ upstream submission. --- a/drivers/media/usb/s2255/s2255drv.c +++ b/drivers/media/usb/s2255/s2255drv.c -@@ -2299,10 +2299,8 @@ static int s2255_probe(struct usb_interf +@@ -2302,10 +2302,8 @@ static int s2255_probe(struct usb_interf } /* load the first chunk */ if (request_firmware(&dev->fw_data->fw, @@ -1194,7 +1194,7 @@ upstream submission. --- a/drivers/net/ethernet/broadcom/bnx2.c +++ b/drivers/net/ethernet/broadcom/bnx2.c -@@ -3702,16 +3702,13 @@ static int bnx2_request_uncached_firmwar +@@ -3720,16 +3720,13 @@ static int bnx2_request_uncached_firmwar } rc = request_firmware(&bp->mips_firmware, mips_fw_file, &bp->pdev->dev); @@ -1216,7 +1216,7 @@ upstream submission. if (bp->mips_firmware->size < sizeof(*mips_fw) || --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c -@@ -13393,11 +13393,8 @@ static int bnx2x_init_firmware(struct bn +@@ -13401,11 +13401,8 @@ static int bnx2x_init_firmware(struct bn BNX2X_DEV_INFO("Loading %s\n", fw_file_name); rc = request_firmware(&bp->firmware, fw_file_name, &bp->pdev->dev); @@ -1424,20 +1424,16 @@ upstream submission. fwh = (struct at76_fw_header *)(fwe->fw->data); --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c -@@ -1085,12 +1085,8 @@ static void ath9k_hif_usb_firmware_cb(co - struct hif_device_usb *hif_dev = context; - int ret; +@@ -1158,9 +1158,6 @@ static void ath9k_hif_usb_firmware_cb(co + if (!ret) + return; -- if (!fw) { - dev_err(&hif_dev->udev->dev, - "ath9k_htc: Failed to get firmware %s\n", - hif_dev->fw_name); -+ if (!fw) goto err_fw; -- } + } - hif_dev->htc_handle = ath9k_htc_hw_alloc(hif_dev, &hif_usb, - &hif_dev->udev->dev); --- a/drivers/net/wireless/ath/carl9170/usb.c +++ b/drivers/net/wireless/ath/carl9170/usb.c @@ -1033,7 +1033,6 @@ static void carl9170_usb_firmware_step2( @@ -1596,7 +1592,7 @@ upstream submission. } --- a/drivers/net/wireless/mwifiex/main.c +++ b/drivers/net/wireless/mwifiex/main.c -@@ -488,11 +488,8 @@ static void mwifiex_fw_dpc(const struct +@@ -508,11 +508,8 @@ static void mwifiex_fw_dpc(const struct bool init_failed = false; struct wireless_dev *wdev; @@ -1690,7 +1686,7 @@ upstream submission. --- a/drivers/net/wireless/orinoco/orinoco_usb.c +++ b/drivers/net/wireless/orinoco/orinoco_usb.c -@@ -1668,7 +1668,6 @@ static int ezusb_probe(struct usb_interf +@@ -1669,7 +1669,6 @@ static int ezusb_probe(struct usb_interf if (ezusb_firmware_download(upriv, &firmware) < 0) goto error; } else { @@ -1763,8 +1759,8 @@ upstream submission. if (!fw || !fw->size || !fw->data) { rt2x00_err(rt2x00dev, "Failed to read Firmware\n"); ---- a/drivers/net/wireless/rtlwifi/core.c -+++ b/drivers/net/wireless/rtlwifi/core.c +--- a/drivers/net/wireless/realtek/rtlwifi/core.c ++++ b/drivers/net/wireless/realtek/rtlwifi/core.c @@ -115,7 +115,6 @@ static void rtl_fw_do_work(const struct if (!err) goto found_alt; @@ -1773,8 +1769,8 @@ upstream submission. rtlpriv->max_fw_size = 0; return; } ---- a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c @@ -94,7 +94,6 @@ static void rtl92se_fw_cb(const struct f "Firmware callback routine entered!\n"); complete(&rtlpriv->firmware_loading_complete); @@ -1894,7 +1890,7 @@ upstream submission. } --- a/drivers/scsi/aic94xx/aic94xx_init.c +++ b/drivers/scsi/aic94xx/aic94xx_init.c -@@ -385,8 +385,6 @@ static ssize_t asd_store_update_bios(str +@@ -384,8 +384,6 @@ static ssize_t asd_store_update_bios(str filename_ptr, &asd_ha->pcidev->dev); if (err) { @@ -1988,7 +1984,7 @@ upstream submission. QLA_FW_URL ".\n"); --- a/drivers/scsi/qla2xxx/qla_nx.c +++ b/drivers/scsi/qla2xxx/qla_nx.c -@@ -2459,11 +2459,8 @@ try_blob_fw: +@@ -2460,11 +2460,8 @@ try_blob_fw: /* Load firmware blob. */ blob = ha->hablob = qla2x00_request_firmware(vha); @@ -2003,7 +1999,7 @@ upstream submission. if (qla82xx_validate_firmware_blob(vha, --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -5365,8 +5365,6 @@ qla2x00_request_firmware(scsi_qla_host_t +@@ -5364,8 +5364,6 @@ qla2x00_request_firmware(scsi_qla_host_t goto out; if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) { @@ -2027,43 +2023,6 @@ upstream submission. if (fw->size % 2) { printk(KERN_ERR "Bogus length %zu in image \"%s\"\n", fw->size, fwname); ---- a/drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c -+++ b/drivers/staging/ft1000/ft1000-pcmcia/ft1000_hw.c -@@ -2034,18 +2034,12 @@ struct net_device *init_ft1000_card(stru - info->AsicID = ft1000_read_reg(dev, FT1000_REG_ASIC_ID); - if (info->AsicID == ELECTRABUZZ_ID) { - pr_debug("ELECTRABUZZ ASIC\n"); -- if (request_firmware(&fw_entry, "ft1000.img", -- &link->dev) != 0) { -- pr_info("Could not open ft1000.img\n"); -+ if (request_firmware(&fw_entry, "ft1000.img", &link->dev) != 0) - goto err_unreg; -- } - } else { - pr_debug("MAGNEMITE ASIC\n"); -- if (request_firmware(&fw_entry, "ft2000.img", -- &link->dev) != 0) { -- pr_info("Could not open ft2000.img\n"); -+ if (request_firmware(&fw_entry, "ft2000.img", &link->dev) != 0) - goto err_unreg; -- } - } - - ft1000_enable_interrupts(dev); ---- a/drivers/staging/ft1000/ft1000-usb/ft1000_usb.c -+++ b/drivers/staging/ft1000/ft1000-usb/ft1000_usb.c -@@ -133,10 +133,8 @@ static int ft1000_probe(struct usb_inter - ft1000dev->bulk_out_endpointAddr); - - ret = request_firmware(&dsp_fw, "ft3000.img", &dev->dev); -- if (ret < 0) { -- dev_err(interface->usb_dev, "Error request_firmware()\n"); -+ if (ret) - goto err_fw; -- } - - size = max_t(uint, dsp_fw->size, 4096); - pFileStart = kmalloc(size, GFP_KERNEL); --- a/drivers/media/usb/go7007/go7007-driver.c +++ b/drivers/media/usb/go7007/go7007-driver.c @@ -92,10 +92,8 @@ static int go7007_load_encoder(struct go @@ -2161,7 +2120,7 @@ upstream submission. MODULE_FIRMWARE("rtlwifi/rtl8712u.bin"); --- a/drivers/staging/slicoss/slicoss.c +++ b/drivers/staging/slicoss/slicoss.c -@@ -388,11 +388,8 @@ static int slic_card_download_gbrcv(stru +@@ -408,11 +408,8 @@ static int slic_card_download_gbrcv(stru } ret = request_firmware(&fw, file, &adapter->pcidev->dev); @@ -2174,7 +2133,7 @@ upstream submission. rcvucodelen = *(u32 *)(fw->data + index); index += 4; -@@ -466,11 +463,8 @@ static int slic_card_download(struct ada +@@ -486,11 +483,8 @@ static int slic_card_download(struct ada return -ENOENT; } ret = request_firmware(&fw, file, &adapter->pcidev->dev); @@ -2205,7 +2164,7 @@ upstream submission. if (!buffer) --- a/drivers/tty/cyclades.c +++ b/drivers/tty/cyclades.c -@@ -3518,10 +3518,8 @@ static int cyz_load_fw(struct pci_dev *p +@@ -3509,10 +3509,8 @@ static int cyz_load_fw(struct pci_dev *p int retval; retval = request_firmware(&fw, "cyzfirm.bin", &pdev->dev); @@ -2431,18 +2390,18 @@ upstream submission. BootMajorVersion = rec->data[0]; --- a/drivers/usb/serial/io_ti.c +++ b/drivers/usb/serial/io_ti.c -@@ -2483,8 +2483,6 @@ static int edge_startup(struct usb_seria +@@ -1014,8 +1014,6 @@ static int download_fw(struct edgeport_s status = request_firmware(&fw, fw_name, dev); if (status) { - dev_err(dev, "Failed to load image \"%s\" err %d\n", - fw_name, status); - kfree(edge_serial); return status; } + --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c -@@ -1485,10 +1485,8 @@ static int ti_download_firmware(struct t +@@ -1487,10 +1487,8 @@ static int ti_download_firmware(struct t } status = request_firmware(&fw_p, buf, &dev->dev); } @@ -2601,7 +2560,7 @@ upstream submission. filename, emu->firmware->size); --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c -@@ -1734,10 +1734,8 @@ static void azx_firmware_cb(const struct +@@ -1738,10 +1738,8 @@ static void azx_firmware_cb(const struct struct azx *chip = card->private_data; struct pci_dev *pci = chip->pci; @@ -2615,7 +2574,7 @@ upstream submission. if (!chip->disabled) { --- a/sound/pci/korg1212/korg1212.c +++ b/sound/pci/korg1212/korg1212.c -@@ -2330,7 +2330,6 @@ static int snd_korg1212_create(struct sn +@@ -2332,7 +2332,6 @@ static int snd_korg1212_create(struct sn err = request_firmware(&dsp_code, "korg/k1212.dsp", &pci->dev); if (err < 0) { release_firmware(dsp_code); diff --git a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch b/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch deleted file mode 100644 index 6826c67ae..000000000 --- a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Ben Hutchings -Date: Sun, 1 Nov 2015 16:21:24 +0000 -Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open() -Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 - -Compile-tested only. - -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c -index c4198fa..86f9abe 100644 ---- a/drivers/isdn/i4l/isdn_ppp.c -+++ b/drivers/isdn/i4l/isdn_ppp.c -@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) - is->compflags = 0; - - is->reset = isdn_ppp_ccp_reset_alloc(is); -+ if (!is->reset) -+ return -ENOMEM; - - is->lp = NULL; - is->mp_seqno = 0; /* MP sequence number */ -@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) - * VJ header compression init - */ - is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ -+ if (!is->slcomp) { -+ isdn_ppp_ccp_reset_free(is); -+ return -ENOMEM; -+ } - #endif - #ifdef CONFIG_IPPP_FILTER - is->pass_filter = NULL; diff --git a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch b/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch deleted file mode 100644 index 8d551da49..000000000 --- a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: =?UTF-8?q?Salva=20Peir=C3=B3?= -Date: Wed, 7 Oct 2015 07:09:26 -0300 -Subject: [media] media/vivid-osd: fix info leak in ioctl -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c - -The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of -struct fb_vblank after the ->hcount member. Add an explicit -memset(0) before filling the structure to avoid the info leak. - -Signed-off-by: Salva Peiró -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/platform/vivid/vivid-osd.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c -index 084d346..e15eef6 100644 ---- a/drivers/media/platform/vivid/vivid-osd.c -+++ b/drivers/media/platform/vivid/vivid-osd.c -@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) - case FBIOGET_VBLANK: { - struct fb_vblank vblank; - -+ memset(&vblank, 0, sizeof(vblank)); - vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | - FB_VBLANK_HAVE_VSYNC; - vblank.count = 0; diff --git a/debian/patches/bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch b/debian/patches/bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch deleted file mode 100644 index 1ac0b528c..000000000 --- a/debian/patches/bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch +++ /dev/null @@ -1,66 +0,0 @@ -From: Laurent Pinchart -Date: Mon, 27 Jul 2015 11:06:48 -0300 -Subject: [media] uvcvideo: Disable hardware timestamps by default -Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=5d0fd3c806b9e932010931ae67dbb482020e0882 -Bug-Debian: https://bugs.debian.org/794327 - -The hardware timestamping implementation has been reported as not -working correctly on at least the Logitech C920. Until this can be -fixed, disable it by default. - -Reported-by: Peter Rabbitson -Signed-off-by: Laurent Pinchart -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/usb/uvc/uvc_driver.c | 3 +++ - drivers/media/usb/uvc/uvc_video.c | 3 +++ - drivers/media/usb/uvc/uvcvideo.h | 1 + - 3 files changed, 7 insertions(+) - -diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c -index 4b5b3e8..d11fd6a 100644 ---- a/drivers/media/usb/uvc/uvc_driver.c -+++ b/drivers/media/usb/uvc/uvc_driver.c -@@ -32,6 +32,7 @@ - #define DRIVER_DESC "USB Video Class driver" - - unsigned int uvc_clock_param = CLOCK_MONOTONIC; -+unsigned int uvc_hw_timestamps_param; - unsigned int uvc_no_drop_param; - static unsigned int uvc_quirks_param = -1; - unsigned int uvc_trace_param; -@@ -2078,6 +2079,8 @@ static int uvc_clock_param_set(const char *val, struct kernel_param *kp) - module_param_call(clock, uvc_clock_param_set, uvc_clock_param_get, - &uvc_clock_param, S_IRUGO|S_IWUSR); - MODULE_PARM_DESC(clock, "Video buffers timestamp clock"); -+module_param_named(hwtimestamps, uvc_hw_timestamps_param, uint, S_IRUGO|S_IWUSR); -+MODULE_PARM_DESC(hwtimestamps, "Use hardware timestamps"); - module_param_named(nodrop, uvc_no_drop_param, uint, S_IRUGO|S_IWUSR); - MODULE_PARM_DESC(nodrop, "Don't drop incomplete frames"); - module_param_named(quirks, uvc_quirks_param, uint, S_IRUGO|S_IWUSR); -diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c -index f839654..1c4a117 100644 ---- a/drivers/media/usb/uvc/uvc_video.c -+++ b/drivers/media/usb/uvc/uvc_video.c -@@ -623,6 +623,9 @@ void uvc_video_clock_update(struct uvc_streaming *stream, - u32 rem; - u64 y; - -+ if (!uvc_hw_timestamps_param) -+ return; -+ - spin_lock_irqsave(&clock->lock, flags); - - if (clock->count < clock->size) -diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h -index 816dd1a..1374bd9 100644 ---- a/drivers/media/usb/uvc/uvcvideo.h -+++ b/drivers/media/usb/uvc/uvcvideo.h -@@ -593,6 +593,7 @@ extern unsigned int uvc_clock_param; - extern unsigned int uvc_no_drop_param; - extern unsigned int uvc_trace_param; - extern unsigned int uvc_timeout_param; -+extern unsigned int uvc_hw_timestamps_param; - - #define uvc_trace(flag, msg...) \ - do { \ diff --git a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch b/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch deleted file mode 100644 index b70b25aba..000000000 --- a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch +++ /dev/null @@ -1,128 +0,0 @@ -From: Ben Hutchings -Date: Sun, 1 Nov 2015 16:22:53 +0000 -Subject: ppp, slip: Validate VJ compression slot parameters completely -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae - -Currently slhc_init() treats out-of-range values of rslots and tslots -as equivalent to 0, except that if tslots is too large it will -dereference a null pointer (CVE-2015-7799). - -Add a range-check at the top of the function and make it return an -ERR_PTR() on error instead of NULL. Change the callers accordingly. - -Compile-tested only. - -Reported-by: 郭永刚 -References: http://article.gmane.org/gmane.comp.security.oss.general/17908 -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ - drivers/net/ppp/ppp_generic.c | 6 ++---- - drivers/net/slip/slhc.c | 12 ++++++++---- - drivers/net/slip/slip.c | 2 +- - 4 files changed, 15 insertions(+), 15 deletions(-) - ---- a/drivers/isdn/i4l/isdn_ppp.c -+++ b/drivers/isdn/i4l/isdn_ppp.c -@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file - * VJ header compression init - */ - is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ -- if (!is->slcomp) { -+ if (IS_ERR(is->slcomp)) { - isdn_ppp_ccp_reset_free(is); -- return -ENOMEM; -+ return PTR_ERR(is->slcomp); - } - #endif - #ifdef CONFIG_IPPP_FILTER -@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil - is->maxcid = val; - #ifdef CONFIG_ISDN_PPP_VJ - sltmp = slhc_init(16, val); -- if (!sltmp) { -- printk(KERN_ERR "ippp, can't realloc slhc struct\n"); -- return -ENOMEM; -- } -+ if (IS_ERR(sltmp)) -+ return PTR_ERR(sltmp); - if (is->slcomp) - slhc_free(is->slcomp); - is->slcomp = sltmp; ---- a/drivers/net/ppp/ppp_generic.c -+++ b/drivers/net/ppp/ppp_generic.c -@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file, - val &= 0xffff; - } - vj = slhc_init(val2+1, val+1); -- if (!vj) { -- netdev_err(ppp->dev, -- "PPP: no memory (VJ compressor)\n"); -- err = -ENOMEM; -+ if (IS_ERR(vj)) { -+ err = PTR_ERR(vj); - break; - } - ppp_lock(ppp); ---- a/drivers/net/slip/slhc.c -+++ b/drivers/net/slip/slhc.c -@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); - static unsigned char * put16(unsigned char *cp, unsigned short x); - static unsigned short pull16(unsigned char **cpp); - --/* Initialize compression data structure -+/* Allocate compression data structure - * slots must be in range 0 to 255 (zero meaning no compression) -+ * Returns pointer to structure or ERR_PTR() on error. - */ - struct slcompress * - slhc_init(int rslots, int tslots) -@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) - register struct cstate *ts; - struct slcompress *comp; - -+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) -+ return ERR_PTR(-EINVAL); -+ - comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); - if (! comp) - goto out_fail; - -- if ( rslots > 0 && rslots < 256 ) { -+ if (rslots > 0) { - size_t rsize = rslots * sizeof(struct cstate); - comp->rstate = kzalloc(rsize, GFP_KERNEL); - if (! comp->rstate) -@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) - comp->rslot_limit = rslots - 1; - } - -- if ( tslots > 0 && tslots < 256 ) { -+ if (tslots > 0) { - size_t tsize = tslots * sizeof(struct cstate); - comp->tstate = kzalloc(tsize, GFP_KERNEL); - if (! comp->tstate) -@@ -141,7 +145,7 @@ out_free2: - out_free: - kfree(comp); - out_fail: -- return NULL; -+ return ERR_PTR(-ENOMEM); - } - - ---- a/drivers/net/slip/slip.c -+++ b/drivers/net/slip/slip.c -@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl - if (cbuff == NULL) - goto err_exit; - slcomp = slhc_init(16, 16); -- if (slcomp == NULL) -+ if (IS_ERR(slcomp)) - goto err_exit; - #endif - spin_lock_bh(&sl->lock); diff --git a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch b/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch deleted file mode 100644 index 299242e21..000000000 --- a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch +++ /dev/null @@ -1,69 +0,0 @@ -From: Quentin Casasnovas -Subject: RDS: fix race condition when sending a message on unbound socket. -Date: Fri, 16 Oct 2015 17:11:42 +0200 -Origin: https://lkml.org/lkml/2015/10/16/530 - -Sasha's found a NULL pointer dereference in the RDS connection code when -sending a message to an apparently unbound socket. The problem is caused -by the code checking if the socket is bound in rds_sendmsg(), which checks -the rs_bound_addr field without taking a lock on the socket. This opens a -race where rs_bound_addr is temporarily set but where the transport is not -in rds_bind(), leading to a NULL pointer dereference when trying to -dereference 'trans' in __rds_conn_create(). - -Vegard wrote a reproducer for this issue, so kindly ask him to share if -you're interested. - -I cannot reproduce the NULL pointer dereference using Vegard's reproducer -with this patch, whereas I could without. - -Complete earlier incomplete fix to CVE-2015-6937: - - 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") - -Signed-off-by: Quentin Casasnovas -Reviewed-by: Vegard Nossum -Reviewed-by: Sasha Levin -Cc: Vegard Nossum -Cc: Sasha Levin -Cc: Chien Yen -Cc: Santosh Shilimkar -Cc: David S. Miller -Cc: stable@vger.kernel.org ---- - net/rds/connection.c | 6 ------ - net/rds/send.c | 4 +++- - 2 files changed, 3 insertions(+), 7 deletions(-) - ---- a/net/rds/connection.c -+++ b/net/rds/connection.c -@@ -190,12 +190,6 @@ new_conn: - } - } - -- if (trans == NULL) { -- kmem_cache_free(rds_conn_slab, conn); -- conn = ERR_PTR(-ENODEV); -- goto out; -- } -- - conn->c_trans = trans; - - ret = trans->conn_alloc(conn, gfp); ---- a/net/rds/send.c -+++ b/net/rds/send.c -@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, str - release_sock(sk); - } - -- /* racing with another thread binding seems ok here */ -+ lock_sock(sk); - if (daddr == 0 || rs->rs_bound_addr == 0) { -+ release_sock(sk); - ret = -ENOTCONN; /* XXX not a great errno */ - goto out; - } -+ release_sock(sk); - - if (payload_len > rds_sk_sndbuf(rs)) { - ret = -EMSGSIZE; diff --git a/debian/patches/bugfix/all/selftests-add-missing-include-directives.patch b/debian/patches/bugfix/all/selftests-add-missing-include-directives.patch deleted file mode 100644 index 26d6ee9b5..000000000 --- a/debian/patches/bugfix/all/selftests-add-missing-include-directives.patch +++ /dev/null @@ -1,67 +0,0 @@ -From: Ben Hutchings -Date: Fri, 30 Oct 2015 01:18:01 +0000 -Subject: selftests: Add missing #include directives - -Several C programs fail to include the headers declaring all the -functions they call, resulting in warnings or errors. - -After this, memfd_test.c is still missing some function declarations -but can't easily get them because of a conflict between - and . - -Signed-off-by: Ben Hutchings ---- - tools/testing/selftests/memfd/memfd_test.c | 1 + - tools/testing/selftests/mqueue/mq_open_tests.c | 1 + - tools/testing/selftests/mqueue/mq_perf_tests.c | 1 + - tools/testing/selftests/timers/nanosleep.c | 1 + - 4 files changed, 4 insertions(+) - -diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c -index 0b9eafb..5347ef6 100644 ---- a/tools/testing/selftests/memfd/memfd_test.c -+++ b/tools/testing/selftests/memfd/memfd_test.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - #include - - #define MFD_DEF_SIZE 8192 -diff --git a/tools/testing/selftests/mqueue/mq_open_tests.c b/tools/testing/selftests/mqueue/mq_open_tests.c -index 9c1a5d35..e0a74bd 100644 ---- a/tools/testing/selftests/mqueue/mq_open_tests.c -+++ b/tools/testing/selftests/mqueue/mq_open_tests.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - static char *usage = - "Usage:\n" -diff --git a/tools/testing/selftests/mqueue/mq_perf_tests.c b/tools/testing/selftests/mqueue/mq_perf_tests.c -index 8519e9e..8188f72 100644 ---- a/tools/testing/selftests/mqueue/mq_perf_tests.c -+++ b/tools/testing/selftests/mqueue/mq_perf_tests.c -@@ -37,6 +37,7 @@ - #include - #include - #include -+#include - - static char *usage = - "Usage:\n" -diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c -index 8a3c29d..ff942ff 100644 ---- a/tools/testing/selftests/timers/nanosleep.c -+++ b/tools/testing/selftests/timers/nanosleep.c -@@ -19,6 +19,7 @@ - * GNU General Public License for more details. - */ - -+#include - #include - #include - #include diff --git a/debian/patches/bugfix/all/selftests-breakpoints-actually-build-it.patch b/debian/patches/bugfix/all/selftests-breakpoints-actually-build-it.patch deleted file mode 100644 index d49fe1006..000000000 --- a/debian/patches/bugfix/all/selftests-breakpoints-actually-build-it.patch +++ /dev/null @@ -1,17 +0,0 @@ -From: Ben Hutchings -Date: Fri, 30 Oct 2015 10:22:55 +0000 -Subject: selftests: breakpoint: Actually build it - -Signed-off-by: Ben Hutchings ---- ---- a/tools/testing/selftests/breakpoints/Makefile -+++ b/tools/testing/selftests/breakpoints/Makefile -@@ -6,7 +6,7 @@ ifeq ($(ARCH),x86) - TEST_PROGS := breakpoint_test - endif - --all: -+all: $(TEST_PROGS) - - include ../lib.mk - diff --git a/debian/patches/bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch b/debian/patches/bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch deleted file mode 100644 index e420702b7..000000000 --- a/debian/patches/bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch +++ /dev/null @@ -1,126 +0,0 @@ -From: Ben Hutchings -Date: Fri, 30 Oct 2015 01:27:28 +0000 -Subject: selftests: kprobe: Choose an always-defined function to probe - -do_fork() is no longer defined on x86, so probe _do_fork() instead. - -Fixes: 3033f14ab78c ("clone: support passing tls argument via C ...") -Signed-off-by: Ben Hutchings ---- - .../selftests/ftrace/test.d/kprobe/add_and_remove.tc | 2 +- - tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc | 2 +- - .../testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc | 2 +- - .../selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc | 14 +++++++------- - .../selftests/ftrace/test.d/kprobe/kretprobe_args.tc | 2 +- - 5 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc b/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc -index a5a4262..c3843ed 100644 ---- a/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/add_and_remove.tc -@@ -5,7 +5,7 @@ - - echo 0 > events/enable - echo > kprobe_events --echo p:myevent do_fork > kprobe_events -+echo p:myevent _do_fork > kprobe_events - grep myevent kprobe_events - test -d events/kprobes/myevent - echo > kprobe_events -diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc b/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc -index d8c7bb6..74507db 100644 ---- a/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/busy_check.tc -@@ -5,7 +5,7 @@ - - echo 0 > events/enable - echo > kprobe_events --echo p:myevent do_fork > kprobe_events -+echo p:myevent _do_fork > kprobe_events - test -d events/kprobes/myevent - echo 1 > events/kprobes/myevent/enable - echo > kprobe_events && exit 1 # this must fail -diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc -index c45ee27..64949d4 100644 ---- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args.tc -@@ -5,7 +5,7 @@ - - echo 0 > events/enable - echo > kprobe_events --echo 'p:testprobe do_fork $stack $stack0 +0($stack)' > kprobe_events -+echo 'p:testprobe _do_fork $stack $stack0 +0($stack)' > kprobe_events - grep testprobe kprobe_events - test -d events/kprobes/testprobe - echo 1 > events/kprobes/testprobe/enable -diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc -index ab41d2b..d6f2f49 100644 ---- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_ftrace.tc -@@ -6,31 +6,31 @@ grep function available_tracers || exit_unsupported # this is configurable - - # prepare - echo nop > current_tracer --echo do_fork > set_ftrace_filter -+echo _do_fork > set_ftrace_filter - echo 0 > events/enable - echo > kprobe_events --echo 'p:testprobe do_fork' > kprobe_events -+echo 'p:testprobe _do_fork' > kprobe_events - - # kprobe on / ftrace off - echo 1 > events/kprobes/testprobe/enable - echo > trace - ( echo "forked") - grep testprobe trace --! grep 'do_fork <-' trace -+! grep '_do_fork <-' trace - - # kprobe on / ftrace on - echo function > current_tracer - echo > trace - ( echo "forked") - grep testprobe trace --grep 'do_fork <-' trace -+grep '_do_fork <-' trace - - # kprobe off / ftrace on - echo 0 > events/kprobes/testprobe/enable - echo > trace - ( echo "forked") - ! grep testprobe trace --grep 'do_fork <-' trace -+grep '_do_fork <-' trace - - # kprobe on / ftrace on - echo 1 > events/kprobes/testprobe/enable -@@ -38,14 +38,14 @@ echo function > current_tracer - echo > trace - ( echo "forked") - grep testprobe trace --grep 'do_fork <-' trace -+grep '_do_fork <-' trace - - # kprobe on / ftrace off - echo nop > current_tracer - echo > trace - ( echo "forked") - grep testprobe trace --! grep 'do_fork <-' trace -+! grep '_do_fork <-' trace - - # cleanup - echo nop > current_tracer -diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc -index 3171798..0d09546 100644 ---- a/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc -+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kretprobe_args.tc -@@ -5,7 +5,7 @@ - - echo 0 > events/enable - echo > kprobe_events --echo 'r:testprobe2 do_fork $retval' > kprobe_events -+echo 'r:testprobe2 _do_fork $retval' > kprobe_events - grep testprobe2 kprobe_events - test -d events/kprobes/testprobe2 - echo 1 > events/kprobes/testprobe2/enable diff --git a/debian/patches/bugfix/all/selftests-make-scripts-executable.patch b/debian/patches/bugfix/all/selftests-make-scripts-executable.patch deleted file mode 100644 index 6d23befc7..000000000 --- a/debian/patches/bugfix/all/selftests-make-scripts-executable.patch +++ /dev/null @@ -1,20 +0,0 @@ -From: Ben Hutchings -Date: Fri, 30 Oct 2015 01:30:36 +0000 -Subject: selftests: Make scripts executable - -Fixes: 87b2d44026e0 ("selftests: add memfd/sealing page-pinning tests") -Fixes: 2bf9e0ab08c6 ("locking/static_keys: Provide a selftest") -Signed-off-by: Ben Hutchings ---- - tools/testing/selftests/memfd/run_fuse_test.sh | 0 - tools/testing/selftests/static_keys/test_static_keys.sh | 0 - 2 files changed, 0 insertions(+), 0 deletions(-) - mode change 100644 => 100755 tools/testing/selftests/memfd/run_fuse_test.sh - mode change 100644 => 100755 tools/testing/selftests/static_keys/test_static_keys.sh - -diff --git a/tools/testing/selftests/memfd/run_fuse_test.sh b/tools/testing/selftests/memfd/run_fuse_test.sh -old mode 100644 -new mode 100755 -diff --git a/tools/testing/selftests/static_keys/test_static_keys.sh b/tools/testing/selftests/static_keys/test_static_keys.sh -old mode 100644 -new mode 100755 diff --git a/debian/patches/bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch b/debian/patches/bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch deleted file mode 100644 index a1951d219..000000000 --- a/debian/patches/bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Ben Hutchings -Date: Sat, 31 Oct 2015 18:04:28 +0000 -Subject: selftests: memfd: Stop unnecessary rebuilds - -Instead of explicitly running the compiler, add dependencies and take -advantage of implicit rules to build only as necessary. - -Signed-off-by: Ben Hutchings ---- ---- a/tools/testing/selftests/memfd/Makefile -+++ b/tools/testing/selftests/memfd/Makefile -@@ -4,16 +4,16 @@ CFLAGS += -I../../../../include/uapi/ - CFLAGS += -I../../../../include/ - CFLAGS += -I../../../../usr/include/ - --all: -- $(CC) $(CFLAGS) memfd_test.c -o memfd_test -- - TEST_PROGS := memfd_test - -+all: $(TEST_PROGS) -+ - include ../lib.mk - --build_fuse: -- $(CC) $(CFLAGS) fuse_mnt.c `pkg-config fuse --cflags --libs` -o fuse_mnt -- $(CC) $(CFLAGS) fuse_test.c -o fuse_test -+build_fuse: fuse_mnt fuse_test -+ -+fuse_mnt.o: CFLAGS += $(shell pkg-config fuse --cflags) -+fuse_mnt: LDFLAGS += $(shell pkg-config fuse --libs) - - run_fuse: build_fuse - @./run_fuse_test.sh || echo "fuse_test: [FAIL]" diff --git a/debian/patches/bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch b/debian/patches/bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch deleted file mode 100644 index e5a9d9648..000000000 --- a/debian/patches/bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Ben Hutchings -Date: Sat, 31 Oct 2015 17:56:11 +0000 -Subject: selftests: vm: Try harder to allocate huge pages - -If we need to increase the number of huge pages, drop caches first -to reduce fragmentation and then check that we actually allocated -as many as we wanted. Retry once if that doesn't work. - -Signed-off-by: Ben Hutchings ---- ---- a/tools/testing/selftests/vm/run_vmtests -+++ b/tools/testing/selftests/vm/run_vmtests -@@ -20,13 +20,26 @@ done < /proc/meminfo - if [ -n "$freepgs" ] && [ -n "$pgsize" ]; then - nr_hugepgs=`cat /proc/sys/vm/nr_hugepages` - needpgs=`expr $needmem / $pgsize` -- if [ $freepgs -lt $needpgs ]; then -+ tries=2 -+ while [ $tries -gt 0 ] && [ $freepgs -lt $needpgs ]; do - lackpgs=$(( $needpgs - $freepgs )) -+ echo 3 > /proc/sys/vm/drop_caches - echo $(( $lackpgs + $nr_hugepgs )) > /proc/sys/vm/nr_hugepages - if [ $? -ne 0 ]; then - echo "Please run this test as root" - exit 1 - fi -+ while read name size unit; do -+ if [ "$name" = "HugePages_Free:" ]; then -+ freepgs=$size -+ fi -+ done < /proc/meminfo -+ tries=$((tries - 1)) -+ done -+ if [ $freepgs -lt $needpgs ]; then -+ printf "Not enough huge pages available (%d < %d)\n" \ -+ $freepgs $needpgs -+ exit 1 - fi - else - echo "no hugetlbfs support in kernel?" diff --git a/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch b/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch deleted file mode 100644 index 6fb47c798..000000000 --- a/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch +++ /dev/null @@ -1,325 +0,0 @@ -From: Rainer Weikusat -Date: Fri, 20 Nov 2015 22:07:23 +0000 -Subject: unix: avoid use-after-free in ep_remove_wait_queue -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git//commit?id=7d267278a9ece963d77eefec61630223fce08c6c - -Rainer Weikusat writes: -An AF_UNIX datagram socket being the client in an n:1 association with -some server socket is only allowed to send messages to the server if the -receive queue of this socket contains at most sk_max_ack_backlog -datagrams. This implies that prospective writers might be forced to go -to sleep despite none of the message presently enqueued on the server -receive queue were sent by them. In order to ensure that these will be -woken up once space becomes again available, the present unix_dgram_poll -routine does a second sock_poll_wait call with the peer_wait wait queue -of the server socket as queue argument (unix_dgram_recvmsg does a wake -up on this queue after a datagram was received). This is inherently -problematic because the server socket is only guaranteed to remain alive -for as long as the client still holds a reference to it. In case the -connection is dissolved via connect or by the dead peer detection logic -in unix_dgram_sendmsg, the server socket may be freed despite "the -polling mechanism" (in particular, epoll) still has a pointer to the -corresponding peer_wait queue. There's no way to forcibly deregister a -wait queue with epoll. - -Based on an idea by Jason Baron, the patch below changes the code such -that a wait_queue_t belonging to the client socket is enqueued on the -peer_wait queue of the server whenever the peer receive queue full -condition is detected by either a sendmsg or a poll. A wake up on the -peer queue is then relayed to the ordinary wait queue of the client -socket via wake function. The connection to the peer wait queue is again -dissolved if either a wake up is about to be relayed or the client -socket reconnects or a dead peer is detected or the client socket is -itself closed. This enables removing the second sock_poll_wait from -unix_dgram_poll, thus avoiding the use-after-free, while still ensuring -that no blocked writer sleeps forever. - -Signed-off-by: Rainer Weikusat -Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") -Reviewed-by: Jason Baron -Signed-off-by: David S. Miller -[bwh: Backported to 4.2: adjust context] ---- - include/net/af_unix.h | 1 + - net/unix/af_unix.c | 183 ++++++++++++++++++++++++++++++++++++++++++++------ - 2 files changed, 165 insertions(+), 19 deletions(-) - ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -62,6 +62,7 @@ struct unix_sock { - #define UNIX_GC_CANDIDATE 0 - #define UNIX_GC_MAYBE_CYCLE 1 - struct socket_wq peer_wq; -+ wait_queue_t peer_wake; - }; - - static inline struct unix_sock *unix_sk(const struct sock *sk) ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -326,6 +326,118 @@ found: - return s; - } - -+/* Support code for asymmetrically connected dgram sockets -+ * -+ * If a datagram socket is connected to a socket not itself connected -+ * to the first socket (eg, /dev/log), clients may only enqueue more -+ * messages if the present receive queue of the server socket is not -+ * "too large". This means there's a second writeability condition -+ * poll and sendmsg need to test. The dgram recv code will do a wake -+ * up on the peer_wait wait queue of a socket upon reception of a -+ * datagram which needs to be propagated to sleeping would-be writers -+ * since these might not have sent anything so far. This can't be -+ * accomplished via poll_wait because the lifetime of the server -+ * socket might be less than that of its clients if these break their -+ * association with it or if the server socket is closed while clients -+ * are still connected to it and there's no way to inform "a polling -+ * implementation" that it should let go of a certain wait queue -+ * -+ * In order to propagate a wake up, a wait_queue_t of the client -+ * socket is enqueued on the peer_wait queue of the server socket -+ * whose wake function does a wake_up on the ordinary client socket -+ * wait queue. This connection is established whenever a write (or -+ * poll for write) hit the flow control condition and broken when the -+ * association to the server socket is dissolved or after a wake up -+ * was relayed. -+ */ -+ -+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, -+ void *key) -+{ -+ struct unix_sock *u; -+ wait_queue_head_t *u_sleep; -+ -+ u = container_of(q, struct unix_sock, peer_wake); -+ -+ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, -+ q); -+ u->peer_wake.private = NULL; -+ -+ /* relaying can only happen while the wq still exists */ -+ u_sleep = sk_sleep(&u->sk); -+ if (u_sleep) -+ wake_up_interruptible_poll(u_sleep, key); -+ -+ return 0; -+} -+ -+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) -+{ -+ struct unix_sock *u, *u_other; -+ int rc; -+ -+ u = unix_sk(sk); -+ u_other = unix_sk(other); -+ rc = 0; -+ spin_lock(&u_other->peer_wait.lock); -+ -+ if (!u->peer_wake.private) { -+ u->peer_wake.private = other; -+ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); -+ -+ rc = 1; -+ } -+ -+ spin_unlock(&u_other->peer_wait.lock); -+ return rc; -+} -+ -+static void unix_dgram_peer_wake_disconnect(struct sock *sk, -+ struct sock *other) -+{ -+ struct unix_sock *u, *u_other; -+ -+ u = unix_sk(sk); -+ u_other = unix_sk(other); -+ spin_lock(&u_other->peer_wait.lock); -+ -+ if (u->peer_wake.private == other) { -+ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); -+ u->peer_wake.private = NULL; -+ } -+ -+ spin_unlock(&u_other->peer_wait.lock); -+} -+ -+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, -+ struct sock *other) -+{ -+ unix_dgram_peer_wake_disconnect(sk, other); -+ wake_up_interruptible_poll(sk_sleep(sk), -+ POLLOUT | -+ POLLWRNORM | -+ POLLWRBAND); -+} -+ -+/* preconditions: -+ * - unix_peer(sk) == other -+ * - association is stable -+ */ -+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) -+{ -+ int connected; -+ -+ connected = unix_dgram_peer_wake_connect(sk, other); -+ -+ if (unix_recvq_full(other)) -+ return 1; -+ -+ if (connected) -+ unix_dgram_peer_wake_disconnect(sk, other); -+ -+ return 0; -+} -+ - static inline int unix_writable(struct sock *sk) - { - return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; -@@ -430,6 +542,8 @@ static void unix_release_sock(struct soc - skpair->sk_state_change(skpair); - sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); - } -+ -+ unix_dgram_peer_wake_disconnect(sk, skpair); - sock_put(skpair); /* It may now die */ - unix_peer(sk) = NULL; - } -@@ -664,6 +778,7 @@ static struct sock *unix_create1(struct - INIT_LIST_HEAD(&u->link); - mutex_init(&u->readlock); /* single task reading lock */ - init_waitqueue_head(&u->peer_wait); -+ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); - unix_insert_socket(unix_sockets_unbound(sk), sk); - out: - if (sk == NULL) -@@ -1031,6 +1146,8 @@ restart: - if (unix_peer(sk)) { - struct sock *old_peer = unix_peer(sk); - unix_peer(sk) = other; -+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); -+ - unix_state_double_unlock(sk, other); - - if (other != old_peer) -@@ -1470,6 +1587,7 @@ static int unix_dgram_sendmsg(struct soc - struct scm_cookie scm; - int max_level; - int data_len = 0; -+ int sk_locked; - - wait_for_unix_gc(); - err = scm_send(sock, msg, &scm, false); -@@ -1548,12 +1666,14 @@ restart: - goto out_free; - } - -+ sk_locked = 0; - unix_state_lock(other); -+restart_locked: - err = -EPERM; - if (!unix_may_send(sk, other)) - goto out_unlock; - -- if (sock_flag(other, SOCK_DEAD)) { -+ if (unlikely(sock_flag(other, SOCK_DEAD))) { - /* - * Check with 1003.1g - what should - * datagram error -@@ -1561,10 +1681,14 @@ restart: - unix_state_unlock(other); - sock_put(other); - -+ if (!sk_locked) -+ unix_state_lock(sk); -+ - err = 0; -- unix_state_lock(sk); - if (unix_peer(sk) == other) { - unix_peer(sk) = NULL; -+ unix_dgram_peer_wake_disconnect_wakeup(sk, other); -+ - unix_state_unlock(sk); - - unix_dgram_disconnected(sk, other); -@@ -1590,21 +1714,38 @@ restart: - goto out_unlock; - } - -- if (unix_peer(other) != sk && unix_recvq_full(other)) { -- if (!timeo) { -- err = -EAGAIN; -- goto out_unlock; -+ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { -+ if (timeo) { -+ timeo = unix_wait_for_peer(other, timeo); -+ -+ err = sock_intr_errno(timeo); -+ if (signal_pending(current)) -+ goto out_free; -+ -+ goto restart; - } - -- timeo = unix_wait_for_peer(other, timeo); -+ if (!sk_locked) { -+ unix_state_unlock(other); -+ unix_state_double_lock(sk, other); -+ } - -- err = sock_intr_errno(timeo); -- if (signal_pending(current)) -- goto out_free; -+ if (unix_peer(sk) != other || -+ unix_dgram_peer_wake_me(sk, other)) { -+ err = -EAGAIN; -+ sk_locked = 1; -+ goto out_unlock; -+ } - -- goto restart; -+ if (!sk_locked) { -+ sk_locked = 1; -+ goto restart_locked; -+ } - } - -+ if (unlikely(sk_locked)) -+ unix_state_unlock(sk); -+ - if (sock_flag(other, SOCK_RCVTSTAMP)) - __net_timestamp(skb); - maybe_add_creds(skb, sock, other); -@@ -1618,6 +1759,8 @@ restart: - return len; - - out_unlock: -+ if (sk_locked) -+ unix_state_unlock(sk); - unix_state_unlock(other); - out_free: - kfree_skb(skb); -@@ -2453,14 +2596,16 @@ static unsigned int unix_dgram_poll(stru - return mask; - - writable = unix_writable(sk); -- other = unix_peer_get(sk); -- if (other) { -- if (unix_peer(other) != sk) { -- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); -- if (unix_recvq_full(other)) -- writable = 0; -- } -- sock_put(other); -+ if (writable) { -+ unix_state_lock(sk); -+ -+ other = unix_peer(sk); -+ if (other && unix_peer(other) != sk && -+ unix_recvq_full(other) && -+ unix_dgram_peer_wake_me(sk, other)) -+ writable = 0; -+ -+ unix_state_unlock(sk); - } - - if (writable) diff --git a/debian/patches/bugfix/mips/disable-advansys.patch b/debian/patches/bugfix/mips/disable-advansys.patch deleted file mode 100644 index 1b7afcc3d..000000000 --- a/debian/patches/bugfix/mips/disable-advansys.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: Martin Michlmayr -Date: Sat, 19 Jan 2008 18:25:02 +0000 -Subject: [mips] Disable Advansys -Forwarded: http://thread.gmane.org/gmane.linux.scsi/57291 - -Florian Lohoff reports the following build failure on IP32: - - MODPOST 552 modules -ERROR: "free_dma" [drivers/scsi/advansys.ko] undefined! -make[5]: *** [__modpost] Error 1 - -But report: -http://www.mail-archive.com/linux-scsi@vger.kernel.org/msg12773.html - ---- a/drivers/scsi/Kconfig -+++ b/drivers/scsi/Kconfig -@@ -505,6 +505,7 @@ config SCSI_ADVANSYS - tristate "AdvanSys SCSI support" - depends on SCSI - depends on ISA || EISA || PCI -+ depends on !MIPS || BROKEN - help - This is a driver for all SCSI host adapters manufactured by - AdvanSys. It is documented in the kernel source in diff --git a/debian/patches/bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch b/debian/patches/bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch index fa97fb358..d28050471 100644 --- a/debian/patches/bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch +++ b/debian/patches/bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch @@ -41,16 +41,17 @@ Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80896 Acked-by: Mika Kuoppala Signed-off-by: Daniel Vetter +[bwh: Adjust context] --- drivers/gpu/drm/i915/i915_irq.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -2168,9 +2168,13 @@ static irqreturn_t gen8_irq_handler(int - I915_WRITE(SDEIIR, pch_iir); - ret = IRQ_HANDLED; - cpt_irq_handler(dev, pch_iir); +@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int + spt_irq_handler(dev, pch_iir); + else + cpt_irq_handler(dev, pch_iir); - } else - DRM_ERROR("The master control interrupt lied (SDE)!\n"); - diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch deleted file mode 100644 index 7ed419edc..000000000 --- a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch +++ /dev/null @@ -1,75 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 10 Nov 2015 09:14:39 +0100 -Subject: KVM: svm: unconditionally intercept #DB -Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d - -This is needed to avoid the possibility that the guest triggers -an infinite stream of #DB exceptions (CVE-2015-8104). - -VMX is not affected: because it does not save DR6 in the VMCS, -it already intercepts #DB unconditionally. - -Reported-by: Jan Beulich -Cc: stable@vger.kernel.org -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/svm.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s - set_exception_intercept(svm, UD_VECTOR); - set_exception_intercept(svm, MC_VECTOR); - set_exception_intercept(svm, AC_VECTOR); -+ set_exception_intercept(svm, DB_VECTOR); - - set_intercept(svm, INTERCEPT_INTR); - set_intercept(svm, INTERCEPT_NMI); -@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v - mark_dirty(svm->vmcb, VMCB_SEG); - } - --static void update_db_bp_intercept(struct kvm_vcpu *vcpu) -+static void update_bp_intercept(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); - -- clr_exception_intercept(svm, DB_VECTOR); - clr_exception_intercept(svm, BP_VECTOR); - -- if (svm->nmi_singlestep) -- set_exception_intercept(svm, DB_VECTOR); -- - if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { -- if (vcpu->guest_debug & -- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) -- set_exception_intercept(svm, DB_VECTOR); - if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) - set_exception_intercept(svm, BP_VECTOR); - } else -@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s - if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) - svm->vmcb->save.rflags &= - ~(X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(&svm->vcpu); - } - - if (svm->vcpu.guest_debug & -@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm - */ - svm->nmi_singlestep = true; - svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(vcpu); - } - - static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) -@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = - .vcpu_load = svm_vcpu_load, - .vcpu_put = svm_vcpu_put, - -- .update_db_bp_intercept = update_db_bp_intercept, -+ .update_db_bp_intercept = update_bp_intercept, - .get_msr = svm_get_msr, - .set_msr = svm_set_msr, - .get_segment_base = svm_get_segment_base, diff --git a/debian/patches/bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch b/debian/patches/bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch deleted file mode 100644 index d6934af8b..000000000 --- a/debian/patches/bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch +++ /dev/null @@ -1,60 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 10 Nov 2015 11:55:36 +0100 -Subject: KVM: x86: rename update_db_bp_intercept to update_bp_intercept -Origin: https://git.kernel.org/linus/a96036b8ef7df9f10cd575c0d78359bd33188e8e - -Because #DB is now intercepted unconditionally, this callback -only operates on #BP for both VMX and SVM. - -Signed-off-by: Paolo Bonzini ---- - arch/x86/include/asm/kvm_host.h | 2 +- - arch/x86/kvm/svm.c | 2 +- - arch/x86/kvm/vmx.c | 2 +- - arch/x86/kvm/x86.c | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -739,7 +739,7 @@ struct kvm_x86_ops { - void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu); - void (*vcpu_put)(struct kvm_vcpu *vcpu); - -- void (*update_db_bp_intercept)(struct kvm_vcpu *vcpu); -+ void (*update_bp_intercept)(struct kvm_vcpu *vcpu); - int (*get_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr); - int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr); - u64 (*get_segment_base)(struct kvm_vcpu *vcpu, int seg); ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -4374,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = - .vcpu_load = svm_vcpu_load, - .vcpu_put = svm_vcpu_put, - -- .update_db_bp_intercept = update_bp_intercept, -+ .update_bp_intercept = update_bp_intercept, - .get_msr = svm_get_msr, - .set_msr = svm_set_msr, - .get_segment_base = svm_get_segment_base, ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -10335,7 +10335,7 @@ static struct kvm_x86_ops vmx_x86_ops = - .vcpu_load = vmx_vcpu_load, - .vcpu_put = vmx_vcpu_put, - -- .update_db_bp_intercept = update_exception_bitmap, -+ .update_bp_intercept = update_exception_bitmap, - .get_msr = vmx_get_msr, - .set_msr = vmx_set_msr, - .get_segment_base = vmx_get_segment_base, ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -7184,7 +7184,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug( - */ - kvm_set_rflags(vcpu, rflags); - -- kvm_x86_ops->update_db_bp_intercept(vcpu); -+ kvm_x86_ops->update_bp_intercept(vcpu); - - r = 0; - diff --git a/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch b/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch deleted file mode 100644 index b8ffd077f..000000000 --- a/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch +++ /dev/null @@ -1,38 +0,0 @@ -Subject: KVM x86 SVM: intercept #AC to avoid guest->host exploit - ---- -M arch/x86/kvm/svm.c -1 file changed, 8 insertions(+), 0 deletions(-) - - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *s - set_exception_intercept(svm, PF_VECTOR); - set_exception_intercept(svm, UD_VECTOR); - set_exception_intercept(svm, MC_VECTOR); -+ set_exception_intercept(svm, AC_VECTOR); - - set_intercept(svm, INTERCEPT_INTR); - set_intercept(svm, INTERCEPT_NMI); -@@ -1795,6 +1796,12 @@ static int ud_interception(struct vcpu_s - return 1; - } - -+static int ac_interception(struct vcpu_svm *svm) -+{ -+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); -+ return 1; -+} -+ - static void svm_fpu_activate(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); -@@ -3369,6 +3376,7 @@ static int (*const svm_exit_handlers[])( - [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, - [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, - [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, -+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, - [SVM_EXIT_INTR] = intr_interception, - [SVM_EXIT_NMI] = nmi_interception, - [SVM_EXIT_SMI] = nop_on_interception, diff --git a/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch b/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch deleted file mode 100644 index 79ed6243d..000000000 --- a/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Eric Northup -Date: Thu Sep 10 11:36:28 2015 -0700 -Subject: KVM x86 vmx: avoid guest->host DOS by intercepting #AC - -A pathological (or malicious) guest can hang a host core by -mis-configuring its GDT/IDT and enabling alignment checks. - -[bwh: Forward-ported to 4.2: AC_VECTOR is already defined so don't add it] - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru - u32 eb; - - eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | -- (1u << NM_VECTOR) | (1u << DB_VECTOR); -+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); - if ((vcpu->guest_debug & - (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == - (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) -@@ -5146,6 +5146,13 @@ static int handle_exception(struct kvm_v - kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip; - kvm_run->debug.arch.exception = ex_no; - break; -+ case AC_VECTOR: -+ /* -+ * We have already enabled interrupts and pre-emption, so -+ * it's OK to loop here if that is what will happen. -+ */ -+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); -+ return 1; - default: - kvm_run->exit_reason = KVM_EXIT_EXCEPTION; - kvm_run->ex.exception = ex_no; diff --git a/debian/patches/debian/dfsg/files-1 b/debian/patches/debian/dfsg/files-1 index ee68e8ad6..d200306e6 100644 --- a/debian/patches/debian/dfsg/files-1 +++ b/debian/patches/debian/dfsg/files-1 @@ -15,9 +15,6 @@ rm drivers/net/appletalk/cops.h rm drivers/net/appletalk/cops_ffdrv.h rm drivers/net/appletalk/cops_ltdrv.h -rm drivers/staging/ft1000/ft1000-pcmcia/boot.h -rm drivers/staging/ft1000/ft1000-*/*.img - # These include apparently obfuscated code rm drivers/video/fbdev/nvidia/ rm drivers/video/fbdev/riva/ diff --git a/debian/patches/features/all/aufs4/aufs4-mmap.patch b/debian/patches/features/all/aufs4/aufs4-mmap.patch index 1bdf45f99..5a67ad3e1 100644 --- a/debian/patches/features/all/aufs4/aufs4-mmap.patch +++ b/debian/patches/features/all/aufs4/aufs4-mmap.patch @@ -8,24 +8,11 @@ Patch headers added by debian/patches/features/all/aufs4/gen-patch aufs4.3 mmap patch -diff --git a/fs/buffer.c b/fs/buffer.c -index 82283ab..477e5f3 100644 ---- a/fs/buffer.c -+++ b/fs/buffer.c -@@ -2473,7 +2473,7 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf, - * Update file times before taking page lock. We may end up failing the - * fault so this update may be superfluous but who really cares... - */ -- file_update_time(vma->vm_file); -+ vma_file_update_time(vma); - - ret = __block_page_mkwrite(vma, vmf, get_block); - sb_end_pagefault(sb); -diff --git a/fs/proc/base.c b/fs/proc/base.c -index b25eee4..c83d588 100644 +[bwh: Forward-ported to 4.4-rc4: drop change in block_page_mkwrite()] + --- a/fs/proc/base.c +++ b/fs/proc/base.c -@@ -1914,7 +1914,7 @@ static int proc_map_files_get_link(struct dentry *dentry, struct path *path) +@@ -1921,7 +1921,7 @@ static int proc_map_files_get_link(struc down_read(&mm->mmap_sem); vma = find_exact_vma(mm, vm_start, vm_end); if (vma && vma->vm_file) { @@ -34,11 +21,9 @@ index b25eee4..c83d588 100644 path_get(path); rc = 0; } -diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c -index f8595e8..cb8eda0 100644 --- a/fs/proc/nommu.c +++ b/fs/proc/nommu.c -@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region) +@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_ file = region->vm_file; if (file) { @@ -50,11 +35,9 @@ index f8595e8..cb8eda0 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; } -diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index e2d46ad..5e7e631 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -280,7 +280,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid) +@@ -281,7 +281,10 @@ show_map_vma(struct seq_file *m, struct const char *name = NULL; if (file) { @@ -66,7 +49,7 @@ index e2d46ad..5e7e631 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; -@@ -1465,7 +1468,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid) +@@ -1505,7 +1508,7 @@ static int show_numa_map(struct seq_file struct proc_maps_private *proc_priv = &numa_priv->proc_maps; struct vm_area_struct *vma = v; struct numa_maps *md = &numa_priv->md; @@ -75,11 +58,9 @@ index e2d46ad..5e7e631 100644 struct mm_struct *mm = vma->vm_mm; struct mm_walk walk = { .hugetlb_entry = gather_hugetlb_stats, -diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c -index e0d64c9..7aa92db 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c -@@ -160,7 +160,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma, +@@ -160,7 +160,10 @@ static int nommu_vma_show(struct seq_fil file = vma->vm_file; if (file) { @@ -91,11 +72,9 @@ index e0d64c9..7aa92db 100644 dev = inode->i_sb->s_dev; ino = inode->i_ino; pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT; -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 80001de..9248b97 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -1211,6 +1211,28 @@ static inline int fixup_user_fault(struct task_struct *tsk, +@@ -1183,6 +1183,28 @@ static inline int fixup_user_fault(struc } #endif @@ -124,11 +103,9 @@ index 80001de..9248b97 100644 extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write); extern int access_remote_vm(struct mm_struct *mm, unsigned long addr, void *buf, int len, int write); -diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 3d6baa7..750ca95 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h -@@ -250,6 +250,7 @@ struct vm_region { +@@ -272,6 +272,7 @@ struct vm_region { unsigned long vm_top; /* region allocated to here */ unsigned long vm_pgoff; /* the offset in vm_file corresponding to vm_start */ struct file *vm_file; /* the backing file or NULL */ @@ -136,7 +113,7 @@ index 3d6baa7..750ca95 100644 int vm_usage; /* region usage count (access under nommu_region_sem) */ bool vm_icache_flushed : 1; /* true if the icache has been flushed for -@@ -324,6 +325,7 @@ struct vm_area_struct { +@@ -346,6 +347,7 @@ struct vm_area_struct { unsigned long vm_pgoff; /* Offset (within vm_file) in PAGE_SIZE units, *not* PAGE_CACHE_SIZE */ struct file * vm_file; /* File we map to (can be NULL). */ @@ -144,11 +121,9 @@ index 3d6baa7..750ca95 100644 void * vm_private_data; /* was vm_pte (shared mem) */ #ifndef CONFIG_MMU -diff --git a/kernel/fork.c b/kernel/fork.c -index 2845623..71004bd 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -462,7 +462,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -464,7 +464,7 @@ static int dup_mmap(struct mm_struct *mm struct inode *inode = file_inode(file); struct address_space *mapping = file->f_mapping; @@ -157,11 +132,9 @@ index 2845623..71004bd 100644 if (tmp->vm_flags & VM_DENYWRITE) atomic_dec(&inode->i_writecount); i_mmap_lock_write(mapping); -diff --git a/mm/Makefile b/mm/Makefile -index 2ed4319..e3a53f5 100644 --- a/mm/Makefile +++ b/mm/Makefile -@@ -21,7 +21,7 @@ obj-y := filemap.o mempool.o oom_kill.o \ +@@ -21,7 +21,7 @@ obj-y := filemap.o mempool.o oom_kill. mm_init.o mmu_context.o percpu.o slab_common.o \ compaction.o vmacache.o \ interval_tree.o list_lru.o workingset.o \ @@ -170,11 +143,9 @@ index 2ed4319..e3a53f5 100644 obj-y += init-mm.o -diff --git a/mm/filemap.c b/mm/filemap.c -index 327910c..7bbc372 100644 --- a/mm/filemap.c +++ b/mm/filemap.c -@@ -2089,7 +2089,7 @@ int filemap_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -2128,7 +2128,7 @@ int filemap_page_mkwrite(struct vm_area_ int ret = VM_FAULT_LOCKED; sb_start_pagefault(inode->i_sb); @@ -183,11 +154,9 @@ index 327910c..7bbc372 100644 lock_page(page); if (page->mapping != inode->i_mapping) { unlock_page(page); -diff --git a/mm/memory.c b/mm/memory.c -index deb679c..df2ce3e 100644 --- a/mm/memory.c +++ b/mm/memory.c -@@ -2035,7 +2035,7 @@ static inline int wp_page_reuse(struct mm_struct *mm, +@@ -2035,7 +2035,7 @@ static inline int wp_page_reuse(struct m } if (!page_mkwrite) @@ -196,11 +165,9 @@ index deb679c..df2ce3e 100644 } return VM_FAULT_WRITE; -diff --git a/mm/mmap.c b/mm/mmap.c -index 79bcc9f..da28c8a 100644 --- a/mm/mmap.c +++ b/mm/mmap.c -@@ -275,7 +275,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) +@@ -275,7 +275,7 @@ static struct vm_area_struct *remove_vma if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) @@ -209,7 +176,7 @@ index 79bcc9f..da28c8a 100644 mpol_put(vma_policy(vma)); kmem_cache_free(vm_area_cachep, vma); return next; -@@ -887,7 +887,7 @@ again: remove_next = 1 + (end > next->vm_end); +@@ -887,7 +887,7 @@ again: remove_next = 1 + (end > next-> if (remove_next) { if (file) { uprobe_munmap(next, next->vm_start, next->vm_end); @@ -218,7 +185,7 @@ index 79bcc9f..da28c8a 100644 } if (next->anon_vma) anon_vma_merge(vma, next); -@@ -1683,8 +1683,8 @@ out: +@@ -1681,8 +1681,8 @@ out: return addr; unmap_and_free_vma: @@ -228,7 +195,7 @@ index 79bcc9f..da28c8a 100644 /* Undo any partial mapping done by a device driver. */ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); -@@ -2485,7 +2485,7 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2488,7 +2488,7 @@ static int __split_vma(struct mm_struct goto out_free_mpol; if (new->vm_file) @@ -237,7 +204,7 @@ index 79bcc9f..da28c8a 100644 if (new->vm_ops && new->vm_ops->open) new->vm_ops->open(new); -@@ -2504,7 +2504,7 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2507,7 +2507,7 @@ static int __split_vma(struct mm_struct if (new->vm_ops && new->vm_ops->close) new->vm_ops->close(new); if (new->vm_file) @@ -246,7 +213,7 @@ index 79bcc9f..da28c8a 100644 unlink_anon_vmas(new); out_free_mpol: mpol_put(vma_policy(new)); -@@ -2646,7 +2646,6 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2649,7 +2649,6 @@ SYSCALL_DEFINE5(remap_file_pages, unsign struct vm_area_struct *vma; unsigned long populate = 0; unsigned long ret = -EINVAL; @@ -254,7 +221,7 @@ index 79bcc9f..da28c8a 100644 pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. " "See Documentation/vm/remap_file_pages.txt.\n", -@@ -2690,10 +2689,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, +@@ -2693,10 +2692,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsign munlock_vma_pages_range(vma, start, start + size); } @@ -267,7 +234,7 @@ index 79bcc9f..da28c8a 100644 out: up_write(&mm->mmap_sem); if (populate) -@@ -2963,7 +2962,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2966,7 +2965,7 @@ struct vm_area_struct *copy_vma(struct v if (anon_vma_clone(new_vma, vma)) goto out_free_mempol; if (new_vma->vm_file) @@ -276,11 +243,9 @@ index 79bcc9f..da28c8a 100644 if (new_vma->vm_ops && new_vma->vm_ops->open) new_vma->vm_ops->open(new_vma); vma_link(mm, new_vma, prev, rb_link, rb_parent); -diff --git a/mm/nommu.c b/mm/nommu.c -index ab14a20..fffc566 100644 --- a/mm/nommu.c +++ b/mm/nommu.c -@@ -671,7 +671,7 @@ static void __put_nommu_region(struct vm_region *region) +@@ -671,7 +671,7 @@ static void __put_nommu_region(struct vm up_write(&nommu_region_sem); if (region->vm_file) @@ -289,7 +254,7 @@ index ab14a20..fffc566 100644 /* IO memory and memory shared directly out of the pagecache * from ramfs/tmpfs mustn't be released here */ -@@ -829,7 +829,7 @@ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -829,7 +829,7 @@ static void delete_vma(struct mm_struct if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) @@ -320,9 +285,6 @@ index ab14a20..fffc566 100644 kmem_cache_free(vm_area_cachep, vma); return ret; -diff --git a/mm/prfile.c b/mm/prfile.c -new file mode 100644 -index 0000000..b323b8a --- /dev/null +++ b/mm/prfile.c @@ -0,0 +1,86 @@ diff --git a/debian/patches/features/all/cgroups-Allow-memory-cgroup-support-to-be-included-b.patch b/debian/patches/features/all/cgroups-Allow-memory-cgroup-support-to-be-included-b.patch index 95641c717..aacd458be 100644 --- a/debian/patches/features/all/cgroups-Allow-memory-cgroup-support-to-be-included-b.patch +++ b/debian/patches/features/all/cgroups-Allow-memory-cgroup-support-to-be-included-b.patch @@ -1,5 +1,5 @@ From: Ben Hutchings -Date: Sun, 30 May 2010 22:43:38 +0100 +Date: Thu, 10 Dec 2015 18:02:48 +0000 Subject: cgroups: Allow memory cgroup support to be included but disabled Forwarded: no @@ -11,15 +11,9 @@ parameter 'cgroup_enable' as the opposite to 'cgroup_disable'. Signed-off-by: Ben Hutchings [Bastian Blank: Rename CGROUP_MEM_RES_CTLR_DISABLED to MEMCG_DISABLED] --- - Documentation/kernel-parameters.txt | 4 ++-- - init/Kconfig | 8 ++++++++ - kernel/cgroup.c | 20 ++++++++++++++++---- - mm/memcontrol.c | 3 +++ - 4 files changed, 29 insertions(+), 6 deletions(-) - --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt -@@ -587,8 +587,8 @@ bytes respectively. Such letter suffixes +@@ -588,8 +588,8 @@ bytes respectively. Such letter suffixes ccw_timeout_log [S390] See Documentation/s390/CommonIO for details. @@ -49,7 +43,19 @@ Signed-off-by: Ben Hutchings depends on MEMCG && SWAP --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -5468,7 +5468,7 @@ out_free: +@@ -5216,7 +5216,11 @@ int __init cgroup_init_early(void) + return 0; + } + ++#ifdef CONFIG_MEMCG_DISABLED ++static unsigned long cgroup_disable_mask __initdata = 1 << memory_cgrp_id; ++#else + static unsigned long cgroup_disable_mask __initdata; ++#endif + + /** + * cgroup_init - cgroup initialization +@@ -5691,7 +5695,7 @@ out_free: kfree(pathbuf); } @@ -58,17 +64,15 @@ Signed-off-by: Ben Hutchings { struct cgroup_subsys *ss; char *token; -@@ -5483,16 +5483,27 @@ static int __init cgroup_disable(char *s +@@ -5705,13 +5709,27 @@ static int __init cgroup_disable(char *s + if (strcmp(token, ss->name) && strcmp(token, ss->legacy_name)) continue; - -- ss->disabled = 1; -- printk(KERN_INFO "Disabling %s control group subsystem\n", -- ss->name); -+ ss->disabled = value; -+ printk(KERN_INFO "%sabling %s control group subsystem\n", -+ value ? "Dis" : "En", ss->name); - break; +- cgroup_disable_mask |= 1 << i; ++ if (value) ++ cgroup_disable_mask |= 1 << i; ++ else ++ cgroup_disable_mask &= ~(1 << i); } } return 1; @@ -86,18 +90,6 @@ Signed-off-by: Ben Hutchings +} +__setup("cgroup_enable=", cgroup_enable); + - static int __init cgroup_set_legacy_files_on_dfl(char *str) - { - printk("cgroup: using legacy files on the default hierarchy\n"); ---- a/mm/memcontrol.c -+++ b/mm/memcontrol.c -@@ -5209,6 +5209,9 @@ static struct cftype memory_files[] = { - }; - - struct cgroup_subsys memory_cgrp_subsys = { -+#ifdef CONFIG_MEMCG_DISABLED -+ .disabled = 1, -+#endif - .css_alloc = mem_cgroup_css_alloc, - .css_online = mem_cgroup_css_online, - .css_offline = mem_cgroup_css_offline, + /** + * css_tryget_online_from_dir - get corresponding css from a cgroup dentry + * @dentry: directory dentry of interest diff --git a/debian/patches/features/all/efi-autoload-efi-pstore.patch b/debian/patches/features/all/efi-autoload-efi-pstore.patch deleted file mode 100644 index 612049a56..000000000 --- a/debian/patches/features/all/efi-autoload-efi-pstore.patch +++ /dev/null @@ -1,16 +0,0 @@ -From: Ben Hutchings -Subject: efi: Auto-load efi-pstore -Date: Mon, 28 Sep 2015 01:44:16 +0100 -Forwarded: http://mid.gmane.org/1443401056.2517.27.camel@decadent.org.uk - -efi-pstore should be auto-loaded on EFI systems, same as efivars. - -Signed-off-by: Ben Hutchings ---- ---- a/drivers/firmware/efi/efi-pstore.c -+++ b/drivers/firmware/efi/efi-pstore.c -@@ -400,3 +400,4 @@ module_exit(efivars_pstore_exit); - - MODULE_DESCRIPTION("EFI variable backend for pstore"); - MODULE_LICENSE("GPL"); -+MODULE_ALIAS("platform:efivars"); diff --git a/debian/patches/features/arm/deb-pkg-add-automatic-support-for-armhf-architecture.patch b/debian/patches/features/arm/deb-pkg-add-automatic-support-for-armhf-architecture.patch deleted file mode 100644 index 0b97390d6..000000000 --- a/debian/patches/features/arm/deb-pkg-add-automatic-support-for-armhf-architecture.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Ben Hutchings -Date: Mon, 28 Sep 2015 02:34:40 +0100 -Subject: deb-pkg: Add automatic support for armhf architecture -Forwarded: http://mid.gmane.org/1443404080.2517.30.camel@decadent.org.uk - -The Debian armhf architecture uses the ARM EABI hard-float variant, -whereas armel uses the soft-float variant. Although the kernel -doesn't use FP itself, CONFIG_VFP must be enabled to support -hard-float userland and will probably be disabled when supporting a -soft-float userland. So set the architecture to armhf by default when -CONFIG_AEABI and CONFIG_VFP are both enabled. - -Signed-off-by: Ben Hutchings -Acked-by: Ian Campbell -Acked-by: Fathi Boudra ---- -v2: rebased -v3: rebased - - scripts/package/builddeb | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - ---- a/scripts/package/builddeb -+++ b/scripts/package/builddeb -@@ -52,7 +52,16 @@ set_debarch() { - arm64) - debarch=arm64 ;; - arm*) -- debarch=arm$(grep -q CONFIG_AEABI=y $KCONFIG_CONFIG && echo el || true) ;; -+ if grep -q CONFIG_AEABI=y $KCONFIG_CONFIG; then -+ if grep -q CONFIG_VFP=y $KCONFIG_CONFIG; then -+ debarch=armhf -+ else -+ debarch=armel -+ fi -+ else -+ debarch=arm -+ fi -+ ;; - *) - debarch=$(dpkg --print-architecture) - echo "" >&2 diff --git a/debian/patches/features/arm64/usb-add-support-for-acpi-identification-to-xhci-platform.patch b/debian/patches/features/arm64/usb-add-support-for-acpi-identification-to-xhci-platform.patch deleted file mode 100644 index 84c2c60e3..000000000 --- a/debian/patches/features/arm64/usb-add-support-for-acpi-identification-to-xhci-platform.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Mark Langsdorf -Subject: [PATCH v3 2/2] [usb] dd support for ACPI identification to xhci-platform -Date: Tue, 25 Nov 2014 15:19:26 -0600 -Origin: http://permalink.gmane.org/gmane.linux.usb.general/118784 -Bug-Debian: https://bugs.debian.org/785707 - -Provide the methods to let ACPI identify the need to use -xhci-platform. Change the Kconfig files so the -xhci-plat.o file is selectable during kernel config. - -This has been tested on an ARM64 machine with platform XHCI, an -x86_64 machine with XHCI, and an x86_64 machine without XHCI. -There were no regressions or error messages on the machines -without platform XHCI. - -Signed-off-by: Mark Langsdorf -[ ijc -- allow build as a module, otherwise cannot see various core - symbols, like xhci_resume or usb_add_hcd which are in modules. xhci-hcd-plat - can be built as a module from v3.18. ] -[bwh: Drop Kconfig change as a similar change was applied upstream] - ---- -Changes from v2 - Replaced tristate with a boolean as the driver doesn't - compile as a module - Correct --help-- to ---help--- -Changes from v1 - Renamed from "add support for APM X-Gene to xhci-platform" - Removed changes to arm64/Kconfig - Made CONFIG_USB_XHCI_PLATFORM a user selectable config option - ---- a/drivers/usb/host/xhci-plat.c -+++ b/drivers/usb/host/xhci-plat.c -@@ -19,6 +19,7 @@ - #include - #include - #include -+#include - - #include "xhci.h" - #include "xhci-mvebu.h" -@@ -262,6 +263,15 @@ static const struct of_device_id usb_xhc - MODULE_DEVICE_TABLE(of, usb_xhci_of_match); - #endif - -+#ifdef CONFIG_ACPI -+static const struct acpi_device_id usb_xhci_acpi_match[] = { -+ { "PNP0D10", }, -+ { "PNP0D15", }, -+ { } -+}; -+MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_match); -+#endif -+ - static struct platform_driver usb_xhci_driver = { - .probe = xhci_plat_probe, - .remove = xhci_plat_remove, -@@ -269,6 +279,7 @@ static struct platform_driver usb_xhci_d - .name = "xhci-hcd", - .pm = DEV_PM_OPS, - .of_match_table = of_match_ptr(usb_xhci_of_match), -+ .acpi_match_table = ACPI_PTR(usb_xhci_acpi_match), - }, - }; - MODULE_ALIAS("platform:xhci-hcd"); diff --git a/debian/patches/features/arm64/usb-make-xhci-platform-driver-use-64-bit-or-32-bit-dma.patch b/debian/patches/features/arm64/usb-make-xhci-platform-driver-use-64-bit-or-32-bit-dma.patch deleted file mode 100644 index 88d386031..000000000 --- a/debian/patches/features/arm64/usb-make-xhci-platform-driver-use-64-bit-or-32-bit-dma.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Mark Langsdorf -Subject: [PATCH v3 1/2] make xhci platform driver use 64 bit or 32 bit DMA -Date: Tue, 25 Nov 2014 15:19:25 -0600 -Origin: http://permalink.gmane.org/gmane.linux.usb.general/118786 -Bug-Debian: https://bugs.debian.org/785707 - -The xhci platform driver needs to work on systems that either only -support 64-bit DMA or only support 32-bit DMA. Attempt to set a -coherent dma mask for 64-bit DMA, and attempt again with 32-bit -DMA if that fails. - -Signed-off-by: Mark Langsdorf -Tested-by: Mark Salter ---- -Changes from v2: - None -Changes from v1: - Consolidated to use dma_set_mask_and_coherent - Got rid of the check against sizeof(dma_addr_t) - - drivers/usb/host/xhci-plat.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - ---- a/drivers/usb/host/xhci-plat.c -+++ b/drivers/usb/host/xhci-plat.c -@@ -83,14 +83,14 @@ static int xhci_plat_probe(struct platfo - if (irq < 0) - return -ENODEV; - -- /* Initialize dma_mask and coherent_dma_mask to 32-bits */ -- ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); -- if (ret) -- return ret; -- if (!pdev->dev.dma_mask) -- pdev->dev.dma_mask = &pdev->dev.coherent_dma_mask; -- else -- dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)); -+ /* Try setting the coherent_dma_mask to 64 bits, then try 32 bits */ -+ ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)); -+ if (ret) { -+ ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32)); -+ if (ret) -+ return ret; -+ } -+ - - hcd = usb_create_hcd(driver, &pdev->dev, dev_name(&pdev->dev)); - if (!hcd) diff --git a/debian/patches/series b/debian/patches/series index 8c104897b..1129ccfb9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -44,7 +44,6 @@ debian/snd-pcsp-disable-autoload.patch bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch # Arch bug fixes -bugfix/mips/disable-advansys.patch bugfix/arm64/arm64-add-missing-dts-entry-for-X-Gene-platform.patch bugfix/arm64/arm64-removed-using-of-the-mask-attribute-in-the-dts.patch @@ -54,9 +53,6 @@ features/mips/MIPS-Loongson-3-Add-Loongson-LS3A-RS780E-1-way-machi.patch features/mips/MIPS-octeon-Add-support-for-the-UBNT-E200-board.patch features/x86/x86-memtest-WARN-if-bad-RAM-found.patch features/x86/x86-make-x32-syscall-support-conditional.patch -features/arm/deb-pkg-add-automatic-support-for-armhf-architecture.patch -features/arm64/usb-make-xhci-platform-driver-use-64-bit-or-32-bit-dma.patch -features/arm64/usb-add-support-for-acpi-identification-to-xhci-platform.patch # Miscellaneous bug fixes bugfix/all/misc-bmp085-Enable-building-as-a-module.patch @@ -64,12 +60,7 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch bugfix/all/disable-some-marvell-phys.patch bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch -# Reproducible docs -bugfix/all/documentation-avoid-creating-man-pages-in-source-tree.patch -bugfix/all/docbook-use-a-fixed-encoding-for-output.patch - # Miscellaneous features -features/all/efi-autoload-efi-pstore.patch # Hardening from grsecurity features/all/grsecurity/grsecurity-kconfig.patch @@ -77,24 +68,6 @@ features/all/grsecurity/grsecurity-kconfig.patch #features/all/grsecurity/grsecurity-kbuild.patch features/all/grsecurity/grkernsec_perf_harden.patch -bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch - -bugfix/all/selftests-add-missing-include-directives.patch -bugfix/all/selftests-memfd-stop-unnecessary-rebuilds.patch -bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch -bugfix/all/selftests-make-scripts-executable.patch -bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch -bugfix/all/selftests-breakpoints-actually-build-it.patch -bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch -bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch -bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch -bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch -bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch -bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch -bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch -bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch -bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch -bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch