diff --git a/debian/changelog b/debian/changelog
index ca9a8afa6..ee353dfc5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,505 @@ -linux (4.14.2-2) UNRELEASED; urgency=medium +linux (4.14.7-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.3 + - [s390x] fix transactional execution control register handling + - [s390x] noexec: execute kexec datamover without DAT + - [s390x] runtime instrumention: fix possible memory corruption + - [s390x] guarded storage: fix possible memory corruption + - [s390x] disassembler: add missing end marker for e7 table + - [s390x] disassembler: increase show_code buffer size + - ACPI / PM: Fix acpi_pm_notifier_lock vs flush_workqueue() deadlock + - ACPI / EC: Fix regression related to triggering source of EC event + handling + - cpufreq: schedutil: Reset cached_raw_freq when not in sync with next_freq + - serdev: fix registration of second slave + - sched: Make resched_cpu() unconditional + - lib/mpi: call cond_resched() from mpi_powm() loop + - [x86] boot: Fix boot failure when SMP MP-table is based at 0 + - [x86] decoder: Add new TEST instruction pattern + - [amd64] entry: Fix entry_SYSCALL_64_after_hwframe() IRQ tracing + - [x86] perf: intel: Hide TSX events when RTM is not supported + - [arm64] Implement arch-specific pte_access_permitted() + - [armhf/armmp-lpae] 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE + - [armhf/armmp-lpae] 8721/1: mm: dump: check hardware RO bit for LPAE + - uapi: fix linux/tls.h userspace compilation error + - uapi: fix linux/rxrpc.h userspace compilation errors + - [mips*/4kc-malta] cmpxchg64() and HAVE_VIRT_CPU_ACCOUNTING_GEN don't work + for 32-bit SMP + - [armhf,arm64] net: mvneta: fix handling of the Tx descriptor counter + - nbd: wait uninterruptible for the dead timeout + - nbd: don't start req until after the dead connection logic + - PM / OPP: Add missing of_node_put(np) + - PCI/ASPM: Account for downstream device's Port Common_Mode_Restore_Time + - PCI/ASPM: Use correct capability pointer to program LTR_L1.2_THRESHOLD + - 
[x86] PCI: hv: Use effective affinity mask + - [arm64] PCI: Set Cavium ACS capability quirk flags to assert RR/CR/SV/UF + - [arm64] PCI: Apply Cavium ThunderX ACS quirk to more Root Ports + - dm integrity: allow unaligned bv_offset + - dm cache: fix race condition in the writeback mode overwrite_bio + optimisation + - dm crypt: allow unaligned bv_offset + - dm zoned: ignore last smaller runt zone + - dm mpath: remove annoying message of 'blk_get_request() returned -11' + - dm bufio: fix integer overflow when limiting maximum cache size + - ovl: Put upperdentry if ovl_check_origin() fails + - dm: allocate struct mapped_device with kvzalloc + - sched/rt: Simplify the IPI based RT balancing logic + - dm: fix race between dm_get_from_kobject() and __dm_destroy() + - dm: discard support requires all targets in a table support discards + - [mips*] Fix odd fp register warnings with MIPS64r2 + - [mips*/4kc-malta] Fix MIPS64 FP save/restore on 32-bit kernels + - [mips*] dts: remove bogus bcm96358nb4ser.dtb from dtb-y entry + - [mips*] Fix an n32 core file generation regset support regression + - [mips*] math-emu: Fix final emulation phase for certain instructions + - rt2x00usb: mark device removed when get ENOENT usb error + - mm/z3fold.c: use kref to prevent page free/compact race + - autofs: don't fail mount for transient error + - nilfs2: fix race condition that causes file system corruption + - fscrypt: lock mutex before checking for bounce page pool + - eCryptfs: use after free in ecryptfs_release_messaging() + - libceph: don't WARN() if user tries to add invalid key + - bcache: check ca->alloc_thread initialized before wake up it + - fs: guard_bio_eod() needs to consider partitions + - fanotify: fix fsnotify_prepare_user_wait() failure + - isofs: fix timestamps beyond 2027 + - btrfs: change how we decide to commit transactions during flushing + - f2fs: expose some sectors to user in inline data or dentry case + - NFS: Fix typo in nomigration mount option + - NFS: 
Revert "NFS: Move the flock open mode check into nfs_flock()" + - nfs: Fix ugly referral attributes + - NFS: Avoid RCU usage in tracepoints + - NFS: revalidate "." etc correctly on "open". + - nfsd: deal with revoked delegations appropriately + - rtlwifi: rtl8192ee: Fix memory leak when loading firmware + - rtlwifi: fix uninitialized rtlhal->last_suspend_sec time + - iwlwifi: fix firmware names for 9000 and A000 series hw + - md: fix deadlock error in recent patch. + - md: don't check MD_SB_CHANGE_CLEAN in md_allow_write + - Bluetooth: btqcomsmd: Add support for BD address setup + - md/bitmap: revert a patch + - fsnotify: clean up fsnotify_prepare/finish_user_wait() + - fsnotify: pin both inode and vfsmount mark + - fsnotify: fix pinning group in fsnotify_prepare_user_wait() + - ata: fixes kernel crash while tracing ata_eh_link_autopsy event + - ext4: fix interaction between i_size, fallocate, and delalloc after a + crash + - ext4: prevent data corruption with inline data + DAX + - ext4: prevent data corruption with journaling + DAX + - ALSA: pcm: update tstamp only if audio_tstamp changed + - ALSA: usb-audio: Add sanity checks to FE parser + - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU + - ALSA: usb-audio: Add sanity checks in v2 clock parsers + - ALSA: timer: Remove kernel warning at compat ioctl error paths + - ALSA: hda/realtek - Fix ALC275 no sound issue + - ALSA: hda: Fix too short HDMI/DP chmap reporting + - ALSA: hda - Fix yet remaining issue with vmaster 0dB initialization + - ALSA: hda/realtek - Fix ALC700 family no sound issue + - [x86] mfd: lpc_ich: Avoton/Rangeley uses SPI_BYT method + - fix a page leak in vhost_scsi_iov_to_sgl() error recovery + - 9p: Fix missing commas in mount options + - fs/9p: Compare qid.path in v9fs_test_inode + - net/9p: Switch to wait_event_killable() + - scsi: qla2xxx: Suppress a kernel complaint in qla_init_base_qpair() + - scsi: sd_zbc: Fix sd_zbc_read_zoned_characteristics() + - scsi: lpfc: fix pci 
hot plug crash in timer management routines + - scsi: lpfc: fix pci hot plug crash in list_add call + - scsi: lpfc: Fix crash receiving ELS while detaching driver + - scsi: lpfc: Fix FCP hba_wqidx assignment + - scsi: lpfc: Fix oops if nvmet_fc_register_targetport fails + - iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref + - iscsi-target: Fix non-immediate TMR reference leak + - target: fix null pointer regression in core_tmr_drain_tmr_list + - target: fix buffer offset in core_scsi3_pri_read_full_status + - target: Fix QUEUE_FULL + SCSI task attribute handling + - target: Fix caw_sem leak in transport_generic_request_failure + - target: Fix quiese during transport_write_pending_qf endless loop + - target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK + - mtd: Avoid probe failures when mtd->dbg.dfs_dir is invalid + - mtd: nand: atmel: Actually use the PM ops + - mtd: nand: omap2: Fix subpage write + - mtd: nand: Fix writing mtdoops to nand flash. + - mtd: nand: mtk: fix infinite ECC decode IRQ issue + - p54: don't unregister leds when they are not initialized + - block: Fix a race between blk_cleanup_queue() and timeout handling + - raid1: prevent freeze_array/wait_all_barriers deadlock + - genirq: Track whether the trigger type has been set + - [armhf,arm64] irqchip/gic-v3: Fix ppi-partitions lookup + - lockd: double unregister of inetaddr notifiers + - [powerpc*] KVM: Book3S HV: Don't call real-mode XICS hypercall handlers + if not enabled + - [x86] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state + - [x86] KVM: SVM: obey guest PAT + - [x86] kvm: vmx: Reinstate support for CPUs without virtual NMI + (Closes: #884482) + - dax: fix PMD faults on zero-length files + - dax: fix general protection fault in dax_alloc_inode + - SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status + - [armhf] clk: ti: dra7-atl-clock: fix child-node lookups + - libnvdimm, dimm: clear 'locked' status on successful DIMM enable + - 
libnvdimm, pfn: make 'resource' attribute only readable by root + - libnvdimm, namespace: fix label initialization to use valid seq numbers + - libnvdimm, region : make 'resource' attribute only readable by root + - libnvdimm, namespace: make 'resource' attribute only readable by root + - svcrdma: Preserve CB send buffer across retransmits + - IB/srpt: Do not accept invalid initiator port names + - IB/cm: Fix memory corruption in handling CM request + - IB/hfi1: Fix incorrect available receive user context count + - IB/srp: Avoid that a cable pull can trigger a kernel crash + - IB/core: Avoid crash on pkey enforcement failed in received MADs + - IB/core: Only maintain real QPs in the security lists + - NFC: fix device-allocation error return + - spi-nor: intel-spi: Fix broken software sequencing codes + - fm10k,i40e,i40evf,igb,igbvf,ixgbe,ixgbevf: Use smp_rmb rather than + read_barrier_depends + - [hppa] Fix validity check of pointer size argument in new CAS + implementation + - [powerpc*] Fix boot on BOOK3S_32 with CONFIG_STRICT_KERNEL_RWX + - [powerpc*] mm/radix: Fix crashes on Power9 DD1 with radix MMU and + STRICT_RWX + - [powerpc*] perf/imc: Use cpu_to_node() not topology_physical_package_id() + - [powerpc*] signal: Properly handle return value from uprobe_deny_signal() + - [powerpc*] 64s: Fix masking of SRR1 bits on instruction fault + - [powerpc*] 64s/radix: Fix 128TB-512TB virtual address boundary case + allocation + - [powerpc*] 64s/hash: Fix 512T hint detection to use >= 128T + - [powerpc*] 64s/hash: Fix 128TB-512TB virtual address boundary case + allocation + - [powerpc*] 64s/hash: Fix fork() with 512TB process address space + - [powerpc*] 64s/hash: Allow MAP_FIXED allocations to cross 128TB boundary + - media: Don't do DMA on stack for firmware upload in the AS102 driver + - media: rc: check for integer overflow + - media: rc: nec decoder should not send both repeat and keycode + - media: v4l2-ctrl: Fix flags field on Control events + - [arm64] media: 
venus: fix wrong size on dma_free + - [arm64] media: venus: venc: fix bytesused v4l2_plane field + - [arm64] media: venus: reimplement decoder stop command + - [arm64] dts: meson-gxl: Add alternate ARM Trusted Firmware reserved + memory zone + - iwlwifi: fix wrong struct for a000 device + - iwlwifi: fix PCI IDs and configuration mapping for 9000 series + - iwlwifi: mvm: support version 7 of the SCAN_REQ_UMAC FW command + - e1000e: Fix error path in link detection + - e1000e: Fix return value test + - e1000e: Separate signaling for link check/link up + - e1000e: Avoid receiver overrun interrupt bursts + - e1000e: fix buffer overrun while the I219 is processing DMA transactions + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.4 + - [x86]: platform: hp-wmi: Fix tablet mode detection for convertibles + - mm, memory_hotplug: do not back off draining pcp free pages from kworker + context + - mm, oom_reaper: gather each vma to prevent leaking TLB entry + - [armhf,arm64] mm/cma: fix alloc_contig_range ret code/potential leak + - mm: fix device-dax pud write-faults triggered by get_user_pages() + - mm, hugetlbfs: introduce ->split() to vm_operations_struct + - device-dax: implement ->split() to catch invalid munmap attempts + - mm: introduce get_user_pages_longterm + - mm: fail get_vaddr_frames() for filesystem-dax mappings + - v4l2: disable filesystem-dax mapping support + - IB/core: disable memory registration of filesystem-dax vmas + - exec: avoid RLIMIT_STACK races with prlimit() + - mm/madvise.c: fix madvise() infinite loop under special circumstances + - mm: migrate: fix an incorrect call of prep_transhuge_page() + - mm, memcg: fix mem_cgroup_swapout() for THPs + - fs/fat/inode.c: fix sb_rdonly() change + - autofs: revert "autofs: take more care to not update last_used on path + walk" + - autofs: revert "autofs: fix AT_NO_AUTOMOUNT not being honored" + - mm/hugetlb: fix NULL-pointer dereference on 5-level paging machine + - btrfs: clear space cache inode 
generation always + - nfsd: Fix stateid races between OPEN and CLOSE + - nfsd: Fix another OPEN stateid race + - nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat + - crypto: algif_aead - skip SGL entries with NULL page + - crypto: af_alg - remove locking in async callback + - crypto: skcipher - Fix skcipher_walk_aead_common + - lockd: lost rollback of set_grace_period() in lockd_down_net() + - [s390x] revert ELF_ET_DYN_BASE base changes + - [armhf] drm: omapdrm: Fix DPI on platforms using the DSI VDDS + - [armhf] omapdrm: hdmi4: Correct the SoC revision matching + - [arm64] module-plts: factor out PLT generation code for ftrace + - [arm64] ftrace: emit ftrace-mod.o contents through code + - [powerpc*] powernv: Fix kexec crashes caused by tlbie tracing + - [powerpc*] kexec: Fix kexec/kdump in P9 guest kernels + - [x86] KVM: pvclock: Handle first-time write to pvclock-page contains + random junk + - [x86] KVM: Exit to user-mode on #UD intercept when emulator requires + - [x86] KVM: inject exceptions produced by x86_decode_insn + - [x86] KVM: lapic: Split out x2apic ldr calculation + - [x86] KVM: lapic: Fixup LDR on load in x2apic + - mmc: sdhci: Avoid swiotlb buffer being full + - mmc: block: Fix missing blk_put_request() + - mmc: block: Check return value of blk_get_request() + - mmc: core: Do not leave the block driver in a suspended state + - mmc: block: Ensure that debugfs files are removed + - mmc: core: prepend 0x to pre_eol_info entry in sysfs + - mmc: core: prepend 0x to OCR entry in sysfs + - ACPI / EC: Fix regression related to PM ops support in ECDT device + - eeprom: at24: fix reading from 24MAC402/24MAC602 + - eeprom: at24: correctly set the size for at24mac402 + - eeprom: at24: check at24_read/write arguments + - [alpha,x86] i2c: i801: Fix Failed to allocate irq -2147483648 error + - bcache: Fix building error on MIPS + - bcache: only permit to recovery read error when cache device is clean + - bcache: recover data from backing when 
data is clean + - hwmon: (jc42) optionally try to disable the SMBUS timeout + - nvme-pci: add quirk for delay before CHK RDY for WDC SN200 + - Revert "drm/radeon: dont switch vt on suspend" + - drm/amdgpu: potential uninitialized variable in amdgpu_vce_ring_parse_cs() + - drm/amdgpu: Potential uninitialized variable in + amdgpu_vm_update_directories() + - drm/amdgpu: correct reference clock value on vega10 + - drm/amdgpu: fix error handling in amdgpu_bo_do_create + - drm/amdgpu: Properly allocate VM invalidate eng v2 + - drm/amdgpu: Remove check which is not valid for certain VBIOS + - drm/ttm: fix ttm_bo_cleanup_refs_or_queue once more + - dma-buf: make reservation_object_copy_fences rcu save + - drm/amdgpu: reserve root PD while releasing it + - drm/ttm: Always and only destroy bo->ttm_resv in ttm_bo_release_list + - drm/vblank: Fix flip event vblank count + - drm/vblank: Tune drm_crtc_accurate_vblank_count() WARN down to a debug + - drm/tilcdc: Precalculate total frametime in tilcdc_crtc_set_mode() + - drm/radeon: fix atombios on big endian + - drm/panel: simple: Add missing panel_simple_unprepare() calls + - [arm64] drm/hisilicon: Ensure LDI regs are properly configured. + - drm/ttm: once more fix ttm_buffer_object_transfer + - drm/amd/pp: fix typecast error in powerplay. + - drm/fb_helper: Disable all crtc's when initial setup fails. + - drm/edid: Don't send non-zero YQ in AVI infoframe for HDMI 1.x sinks + - drm/amdgpu: move UVD/VCE and VCN structure out from union + - drm/amdgpu: Set adev->vcn.irq.num_types for VCN + - IB/core: Do not warn on lid conversions for OPA + - IB/hfi1: Do not warn on lid conversions for OPA + - e1000e: fix the use of magic numbers for buffer overrun issue + - md: forbid a RAID5 from having both a bitmap and a journal. 
+ - [x86] drm/i915: Fix false-positive assert_rpm_wakelock_held in + i915_pmic_bus_access_notifier v2 + - [x86] drm/i915: Re-register PMIC bus access notifier on runtime resume + - [x86] drm/i915/fbdev: Serialise early hotplug events with async fbdev + config + - [x86] drm/i915/gvt: Correct ADDR_4K/2M/1G_MASK definition + - [x86] drm/i915: Don't try indexed reads to alternate slave addresses + - [x86] drm/i915: Prevent zero length "index" write + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.5 + - drm/amdgpu: Use unsigned ring indices in amdgpu_queue_mgr_map + - [s390x] runtime instrumentation: simplify task exit handling + - usbip: fix usbip attach to find a port that matches the requested speed + - usbip: Fix USB device hang due to wrong enabling of scatter-gather + - uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices + - usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub + - serial: 8250_early: Only set divisor if valid clk & baud + - [mips*] Add custom serial.h with BASE_BAUD override for generic kernel + - ima: fix hash algorithm initialization + - [s390x] vfio-ccw: Do not attempt to free no-op, test and tic cda. 
+ - PM / Domains: Fix genpd to deal with drivers returning 1 from ->prepare() + - [s390x] pci: do not require AIS facility + - serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() + - staging: rtl8188eu: avoid a null dereference on pmlmepriv + - [arm64] mmc: sdhci-msm: fix issue with power irq + - hwmon: (pmbus/core) Prevent unintentional setting of page to 0xFF + - perf/core: Fix __perf_read_group_add() locking + - [armhf] PCI: dra7xx: Create functional dependency between PCIe and PHY + - [x86] intel_rdt: Initialize bitmask of shareable resource if CDP enabled + - [x86] intel_rdt: Fix potential deadlock during resctrl mount + - serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X + - kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y + - [x86] entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() + - [armhf,arm64] clocksource/drivers/arm_arch_timer: Validate CNTFRQ after + enabling frame + - [x86] EDAC, sb_edac: Fix missing break in switch + - [arm64] cpuidle: Correct driver unregistration if init fails + - usb: xhci: Return error when host is dead in xhci_disable_slot() + - [armel,armhf] sysrq : fix Show Regs call trace on ARM + - [sh4] serial: sh-sci: suppress warning for ports without dma channels + - [armhf] serial: imx: Update cached mctrl value when changing RTS + - [x86] kprobes: Disable preemption in ftrace-based jprobes + - [x86] locking/refcounts, asm: Use unique .text section for refcount + exceptions + - [s390x] ptrace: fix guarded storage regset handling + - perf tools: Fix leaking rec_argv in error cases + - mm, x86/mm: Fix performance regression in get_user_pages_fast() + - iio: adc: ti-ads1015: add 10% to conversion wait time + - iio: multiplexer: add NULL check on devm_kzalloc() and devm_kmemdup() + return values + - [x86] locking/refcounts, asm: Enable CONFIG_ARCH_HAS_REFCOUNT + - [powerpc*] jprobes: Disable preemption when triggered through ftrace + - [powerpc*] kprobes: Disable preemption before invoking probe 
handler for + optprobes + - usb: hub: Cycle HUB power when initialization fails + - [armhf,arm64] USB: ulpi: fix bus-node lookup + - xhci: Don't show incorrect WARN message about events for empty rings + - usb: xhci: fix panic in xhci_free_virt_devices_depth_first + - USB: core: Add type-specific length check of BOS descriptors + - USB: usbfs: Filter flags passed in from user space + - usb: host: fix incorrect updating of offset + - locking/refcounts: Do not force refcount_t usage as GPL-only export + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.6 + - usb: gadget: core: Fix ->udc_set_speed() speed handling + - serdev: ttyport: add missing receive_buf sanity checks + - serdev: ttyport: fix NULL-deref on hangup + - serdev: ttyport: fix tty locking in close + - usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT + - can: peak/pci: fix potential bug when probe() fails + - can: kvaser_usb: free buf in error paths + - can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() + - can: kvaser_usb: ratelimit errors if incomplete messages are received + - can: kvaser_usb: cancel urb on -EPIPE and -EPROTO + - can: ems_usb: cancel urb on -EPIPE and -EPROTO + - can: esd_usb2: cancel urb on -EPIPE and -EPROTO + - can: usb_8dev: cancel urb on -EPIPE and -EPROTO + - can: peak/pcie_fd: fix potential bug in restarting tx queue + - virtio: release virtio index when fail to device_register + - [arm64] pinctrl: armada-37xx: Fix direction_output() callback behavior + - [x86] Drivers: hv: vmbus: Fix a rescind issue + - [x86] hv: kvp: Avoid reading past allocated blocks from KVP file + - firmware: vpd: Destroy vpd sections in remove function + - firmware: vpd: Tie firmware kobject to device lifetime + - firmware: vpd: Fix platform driver and device registration/unregistration + - scsi: dma-mapping: always provide dma_get_cache_alignment + - scsi: use dma_get_cache_alignment() as minimum DMA alignment + - scsi: libsas: align sata_device's rps_resp on a cacheline 
+ - efi: Move some sysfs files to be read-only by root + - efi/esrt: Use memunmap() instead of kfree() to free the remapping + - ASN.1: fix out-of-bounds read when parsing indefinite length item + - ASN.1: check for error from ASN1_OP_END__ACT actions + - KEYS: add missing permission check for request_key() destination + - KEYS: reject NULL restriction string when type is specified + - X.509: reject invalid BIT STRING for subjectPublicKey + - X.509: fix comparisons of ->pkey_algo + - [x86] idt: Load idt early in start_secondary + - [x86] PCI: Make broadcom_postcore_init() check acpi_disabled + - [x86] KVM: fix APIC page invalidation + - btrfs: fix missing error return in btrfs_drop_snapshot + - btrfs: handle errors while updating refcounts in update_ref_for_cow + - ALSA: pcm: prevent UAF in snd_pcm_info + - ALSA: seq: Remove spurious WARN_ON() at timer check + - ALSA: usb-audio: Fix out-of-bound error + - ALSA: usb-audio: Add check return value for usb_string() + - [x86] iommu/vt-d: Fix scatterlist offset handling + - smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place + - [s390x] always save and restore all registers on context switch + - [s390x] mm: fix off-by-one bug in 5-level page table handling + - [s390x] fix compat system call table + - [s390x] KVM: Fix skey emulation permission check + - [powerpc*] Revert "powerpc: Do not call ppc_md.panic in fadump panic + notifier" + - [powerpc*] 64s: Initialize ISAv3 MMU registers before setting partition + table + - iwlwifi: mvm: mark MIC stripped MPDUs + - iwlwifi: mvm: don't use transmit queue hang detection when it is not + possible + - iwlwifi: mvm: flush queue before deleting ROC + - iwlwifi: mvm: fix packet injection + - iwlwifi: mvm: enable RX offloading with TKIP and WEP + - brcmfmac: change driver unbind order of the sdio function devices + - md/r5cache: move mddev_lock() out of r5c_journal_mode_set() + - [armhf] drm/bridge: analogix dp: Fix runtime PM state in get_modes() + callback + - [armhf] 
drm/exynos: gem: Drop NONCONTIG flag for buffers allocated + without IOMMU + - [x86] drm/i915: Fix vblank timestamp/frame counter jumps on gen2 + - media: dvb: i2c transfers over usb cannot be done from stack + - media: rc: sir_ir: detect presence of port + - media: rc: partial revert of "media: rc: per-protocol repeat period" + - [arm64] KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one + - [armhf] KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one + - [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts + (CVE-2017-1000407) + - [armhf,arm64] KVM: Fix broken GICH_ELRSR big endian conversion + - [armhf,arm64] KVM: vgic-irqfd: Fix MSI entry allocation + - [armhf,arm64] KVM: vgic: Preserve the revious read from the pending table + - [armhf,arm64] KVM: vgic-its: Check result of allocation before use + - [arm64] fpsimd: Prevent registers leaking from dead tasks + - [arm64] SW PAN: Point saved ttbr0 at the zero page when switching to + init_mm + - [arm64] SW PAN: Update saved ttbr0 value on enter_lazy_tlb + - [armhf] Revert "ARM: dts: imx53: add srtc node" + - [armhf] bus: arm-cci: Fix use of smp_processor_id() in preemptible context + - IB/core: Only enforce security for InfiniBand + - [armel,armhf] BUG if jumping to usermode address in kernel mode + - [armel,armhf] avoid faulting on qemu + - [arm64] irqchip/qcom: Fix u32 comparison with value less than zero + - [powerpc*] perf: Fix pmu_count to count only nest imc pmus + - apparmor: fix leak of null profile name if profile allocation fails + - mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() + - gre6: use log_ecn_error module parameter in ip6_tnl_rcv() + - route: also update fnhe_genid when updating a route cache + - route: update fnhe_expires for redirect when the fnhe exists + - rsi: fix memory leak on buf and usb_reg_buf + - pipe: match pipe_max_size data type with procfs + - lib/genalloc.c: make the avail variable an atomic_long_t + - NFS: Fix a typo in nfs_rename() + - sunrpc: Fix rpc_task_begin trace point + - 
nfp: inherit the max_mtu from the PF netdev + - nfp: fix flower offload metadata flag usage + - xfs: fix forgotten rcu read unlock when skipping inode reclaim + - block: wake up all tasks blocked in get_request() + - [sparc64] mm: set fields in deferred pages + - zsmalloc: calling zs_map_object() from irq is a bug + - slub: fix sysfs duplicate filename creation when slub_debug=O + - sctp: do not free asoc when it is already dead in sctp_sendmsg + - sctp: use the right sk after waking up from wait_buf sleep + - fcntl: don't leak fd reference when fixup_compat_flock fails + - geneve: fix fill_info when link down + - bpf: fix lockdep splat + - [arm64] clk: qcom: common: fix legacy board-clock registration + - [arm64] clk: hi3660: fix incorrect uart3 clock freqency + - atm: horizon: Fix irq release error + - xfrm: Copy policy family in clone_policy + - f2fs: fix to clear FI_NO_PREALLOC + - bnxt_re: changing the ip address shouldn't affect new connections + - IB/mlx4: Increase maximal message size under UD QP + - IB/mlx5: Assign send CQ and recv CQ of UMR QP + - afs: Fix total-length calculation for multiple-page send + - afs: Connect up the CB.ProbeUuid + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.7 + - net: realtek: r8169: implement set_link_ksettings() + - [s390x] qeth: fix early exit from error path + - tipc: fix memory leak in tipc_accept_from_sock() + - vhost: fix skb leak in handle_rx() + - rds: Fix NULL pointer dereference in __rds_rdma_map + - sit: update frag_off info + - tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb() + - packet: fix crash in fanout_demux_rollover() + - net/packet: fix a race in packet_bind() and packet_notifier() + - tcp: remove buggy call to tcp_v6_restore_cb() + - usbnet: fix alignment for frames with no ethernet header + - net: remove hlist_nulls_add_tail_rcu() + - stmmac: reset last TSO segment size after device open + - tcp/dccp: block bh before arming time_wait timer + - [s390x] qeth: build max size GSO skbs on L2 
devices + - [s390x] qeth: fix thinko in IPv4 multicast address tracking + - [s390x] qeth: fix GSO throughput regression + - tcp: use IPCB instead of TCP_SKB_CB in inet_exact_dif_match() + - tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv() + - tcp: use current time in tcp_rcv_space_adjust() + - net: sched: cbq: create block for q->link.block + - tap: free skb if flags error + - tcp: when scheduling TLP, time of RTO should account for current ACK + - tun: free skb in early errors + - net: ipv6: Fixup device for anycast routes during copy + - tun: fix rcu_read_lock imbalance in tun_build_skb + - net: accept UFO datagrams from tuntap and packet + - net: openvswitch: datapath: fix data type in queue_gso_packets + - cls_bpf: don't decrement net's refcount when offload fails + - sctp: use right member as the param of list_for_each_entry + - ipmi: Stop timers before cleaning up the module + - usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping + - fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall + - fix kcm_clone() + - [armhf,arm64] KVM: vgic-its: Preserve the revious read from the pending + table + - kbuild: do not call cc-option before KBUILD_CFLAGS initialization + - [powerpc*] powernv/idle: Round up latency and residency values + - ipvlan: fix ipv6 outbound device + - blk-mq: Avoid that request queue removal can trigger list corruption + - nvmet-rdma: update queue list during ib_device removal + - audit: Allow auditd to set pid to 0 to end auditing + - audit: ensure that 'audit=1' actually enables audit for PID 1 + - dm raid: fix panic when attempting to force a raid to sync + - md: free unused memory after bitmap resize + - RDMA/cxgb4: Annotate r2 and stag as __be32 + - [x86] intel_rdt: Fix potential deadlock during resctrl unmount [ Salvatore Bonaccorso ] * Add ABI reference for 4.14.0-1 
diff --git a/debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch b/debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch
deleted file mode 100644
index 1b116b7d2..000000000
--- a/debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From: John Johansen -Date: Wed, 22 Nov 2017 07:33:38 -0800 -Subject: apparmor: fix oops in audit_signal_cb hook -Origin: https://lkml.org/lkml/2017/11/22/411 - -The apparmor_audit_data struct ordering got messed up during a merge -conflict, resulting in the signal integer and peer pointer being in -a union instead of a struct together. - -For most of the 4.13 and 4.14 life cycle, this was hidden by commit -651e28c5537abb39076d3949fb7618536f1d242e which fixed the -apparmor_audit_data struct when its data was added. When that commit -was reverted in -rc7 the signal audit bug was exposed, and -unfortunately it never showed up in any of the testing until after -4.14 was released, and Shaun Khan, Zephaniah E. Loss-Cutler-Hull filed -nearly simultaneous bug reports (with different oopes, the smaller of -which is included below). - -Full credit goes to Tetsuo Handa for jumping on this as well and -noticing the audit data struct problem and reporting it. - -Alright, trying again, this time with my mail settings to actually send -as plain text, and with some more detail. - -I am running Ubuntu 16.04, with a mainline 4.14 kernel. - -[ 76.178568] BUG: unable to handle kernel paging request at ffffffff0eee3bc0 -[ 76.178579] IP: audit_signal_cb+0x6c/0xe0 -[ 76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0 -[ 76.178586] Oops: 0000 [#1] PREEMPT SMP -[ 76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel -[ 76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted 4.14.0-f1-dirty #135 -[ 76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio 9470m/18DF, BIOS 68IBD Ver. 
F.62 10/22/2015 -[ 76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000 -[ 76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0 -[ 76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292 -[ 76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX: 0000000000000000 -[ 76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI: ffff9c7a9493d800 -[ 76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09: ffffa09b02a4fc46 -[ 76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12: ffffa09b02a4fd40 -[ 76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15: 0000000000000001 -[ 76.178646] FS: 00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000) knlGS:0000000000000000 -[ 76.178648] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4: 00000000001606f0 -[ 76.178652] Call Trace: -[ 76.178660] common_lsm_audit+0x1da/0x780 -[ 76.178665] ? d_absolute_path+0x60/0x90 -[ 76.178669] ? aa_check_perms+0xcd/0xe0 -[ 76.178672] aa_check_perms+0xcd/0xe0 -[ 76.178675] profile_signal_perm.part.0+0x90/0xa0 -[ 76.178679] aa_may_signal+0x16e/0x1b0 -[ 76.178686] apparmor_task_kill+0x51/0x120 -[ 76.178690] security_task_kill+0x44/0x60 -[ 76.178695] group_send_sig_info+0x25/0x60 -[ 76.178699] kill_pid_info+0x36/0x60 -[ 76.178703] SYSC_kill+0xdb/0x180 -[ 76.178707] ? preempt_count_sub+0x92/0xd0 -[ 76.178712] ? _raw_write_unlock_irq+0x13/0x30 -[ 76.178716] ? task_work_run+0x6a/0x90 -[ 76.178720] ? 
exit_to_usermode_loop+0x80/0xa0 -[ 76.178723] entry_SYSCALL_64_fastpath+0x13/0x94 -[ 76.178727] RIP: 0033:0x7f8b0e58b767 -[ 76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX: 000000000000003e -[ 76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX: 00007f8b0e58b767 -[ 76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000263b -[ 76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09: 0000000000000001 -[ 76.178739] R10: 000000000000022d R11: 0000000000000206 R12: 0000000000000000 -[ 76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15: 0000000000000000 -[ 76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b 42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd 00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35 -[ 76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08 -[ 76.178796] CR2: ffffffff0eee3bc0 -[ 76.178799] ---[ end trace 514af9529297f1a3 ]--- - -Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals") -Reported-by: Zephaniah E. Loss-Cutler-Hull -Reported-by: Shuah Khan -Reported-by: Tetsuo Handa -Signed-off-by: John Johansen ---- - security/apparmor/include/audit.h | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - ---- a/security/apparmor/include/audit.h -+++ b/security/apparmor/include/audit.h -@@ -121,17 +121,19 @@ struct apparmor_audit_data { - /* these entries require a custom callback fn */ - struct { - struct aa_label *peer; -- struct { -- const char *target; -- kuid_t ouid; -- } fs; -+ union { -+ struct { -+ const char *target; -+ kuid_t ouid; -+ } fs; -+ int signal; -+ }; - }; - struct { - struct aa_profile *profile; - const char *ns; - long pos; - } iface; -- int signal; - struct { - int rlim; - unsigned long max; 
diff --git a/debian/patches/bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch b/debian/patches/bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch
deleted file mode 100644
index 1db3a0348..000000000
--- a/debian/patches/bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch
+++ /dev/null
@@ -1,183 +0,0 @@ -From: Mauro Carvalho Chehab -Date: Tue, 7 Nov 2017 08:39:39 -0500 -Subject: dvb_frontend: don't use-after-free the frontend struct -Origin: https://git.kernel.org/linus/b1cb7372fa822af6c06c8045963571d13ad6348b -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16648 - -dvb_frontend_invoke_release() may free the frontend struct. -So, the free logic can't update it anymore after calling it. - -That's OK, as __dvb_frontend_free() is called only when the -krefs are zeroed, so nobody is using it anymore. - -That should fix the following KASAN error: - -The KASAN report looks like this (running on kernel 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+)): -================================================================== -BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120 -Write of size 8 at addr ffff880067d45a00 by task kworker/0:1/24 - -CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -Workqueue: usb_hub_wq hub_event -Call Trace: - __dump_stack lib/dump_stack.c:16 - dump_stack+0x292/0x395 lib/dump_stack.c:52 - print_address_description+0x78/0x280 mm/kasan/report.c:252 - kasan_report_error mm/kasan/report.c:351 - kasan_report+0x23d/0x350 mm/kasan/report.c:409 - __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435 - __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156 - dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176 - dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803 - dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340 - dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116 - dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132 - dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295 - usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 - 
__device_release_driver drivers/base/dd.c:861 - device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893 - device_release_driver+0x1e/0x30 drivers/base/dd.c:918 - bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 - device_del+0x5c4/0xab0 drivers/base/core.c:1985 - usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 - usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 - hub_port_connect drivers/usb/core/hub.c:4754 - hub_port_connect_change drivers/usb/core/hub.c:5009 - port_event drivers/usb/core/hub.c:5115 - hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 - process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 - worker_thread+0x221/0x1850 kernel/workqueue.c:2253 - kthread+0x363/0x440 kernel/kthread.c:231 - ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 - -Allocated by task 24: - save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 - save_stack+0x43/0xd0 mm/kasan/kasan.c:447 - set_track mm/kasan/kasan.c:459 - kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 - kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 - kmalloc ./include/linux/slab.h:493 - kzalloc ./include/linux/slab.h:666 - dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212 - dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136 - dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 - dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 - dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 - dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277 - dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155 - usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 - really_probe drivers/base/dd.c:413 - driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 - __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 - bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 - __device_attach+0x26b/0x3c0 drivers/base/dd.c:710 - 
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 - bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 - device_add+0xd0b/0x1660 drivers/base/core.c:1835 - usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 - generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 - usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 - really_probe drivers/base/dd.c:413 - driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 - __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 - bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 - __device_attach+0x26b/0x3c0 drivers/base/dd.c:710 - device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 - bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 - device_add+0xd0b/0x1660 drivers/base/core.c:1835 - usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 - hub_port_connect drivers/usb/core/hub.c:4903 - hub_port_connect_change drivers/usb/core/hub.c:5009 - port_event drivers/usb/core/hub.c:5115 - hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 - process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 - worker_thread+0x221/0x1850 kernel/workqueue.c:2253 - kthread+0x363/0x440 kernel/kthread.c:231 - ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 - -Freed by task 24: - save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 - save_stack+0x43/0xd0 mm/kasan/kasan.c:447 - set_track mm/kasan/kasan.c:459 - kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 - slab_free_hook mm/slub.c:1390 - slab_free_freelist_hook mm/slub.c:1412 - slab_free mm/slub.c:2988 - kfree+0xf6/0x2f0 mm/slub.c:3919 - dtt200u_fe_release+0x3c/0x50 drivers/media/usb/dvb-usb/dtt200u-fe.c:202 - dvb_frontend_invoke_release.part.13+0x1c/0x30 drivers/media/dvb-core/dvb_frontend.c:2790 - dvb_frontend_invoke_release drivers/media/dvb-core/dvb_frontend.c:2789 - __dvb_frontend_free+0xad/0x120 drivers/media/dvb-core/dvb_frontend.c:153 - dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176 - dvb_frontend_detach+0x120/0x150 
drivers/media/dvb-core/dvb_frontend.c:2803 - dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340 - dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116 - dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132 - dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295 - usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 - __device_release_driver drivers/base/dd.c:861 - device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893 - device_release_driver+0x1e/0x30 drivers/base/dd.c:918 - bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 - device_del+0x5c4/0xab0 drivers/base/core.c:1985 - usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 - usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 - hub_port_connect drivers/usb/core/hub.c:4754 - hub_port_connect_change drivers/usb/core/hub.c:5009 - port_event drivers/usb/core/hub.c:5115 - hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 - process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119 - worker_thread+0x221/0x1850 kernel/workqueue.c:2253 - kthread+0x363/0x440 kernel/kthread.c:231 - ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 - -The buggy address belongs to the object at ffff880067d45500 - which belongs to the cache kmalloc-2048 of size 2048 -The buggy address is located 1280 bytes inside of - 2048-byte region [ffff880067d45500, ffff880067d45d00) -The buggy address belongs to the page: -page:ffffea00019f5000 count:1 mapcount:0 mapping: (null) -index:0x0 compound_mapcount: 0 -flags: 0x100000000008100(slab|head) -raw: 0100000000008100 0000000000000000 0000000000000000 00000001000f000f -raw: dead000000000100 dead000000000200 ffff88006c002d80 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff880067d45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff880067d45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff880067d45a00: 
fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff880067d45a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff880067d45b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -================================================================== - -Fixes: ead666000a5f ("media: dvb_frontend: only use kref after initialized") - -Reported-by: Andrey Konovalov -Suggested-by: Matthias Schwarzott -Tested-by: Andrey Konovalov -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/dvb-core/dvb_frontend.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c -index d485d5f6cc88..3ad83359098b 100644 ---- a/drivers/media/dvb-core/dvb_frontend.c -+++ b/drivers/media/dvb-core/dvb_frontend.c -@@ -150,11 +150,8 @@ static void __dvb_frontend_free(struct dvb_frontend *fe) - - dvb_frontend_invoke_release(fe, fe->ops.release); - -- if (!fepriv) -- return; -- -- kfree(fepriv); -- fe->frontend_priv = NULL; -+ if (fepriv) -+ kfree(fepriv); - } - - static void dvb_frontend_free(struct kref *ref) diff --git a/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch b/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch deleted file mode 100644 index b6ad1e07d..000000000 --- a/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From: Johan Hovold
-Date: Thu, 21 Sep 2017 05:40:18 -0300
-Subject: [media] cx231xx-cards: fix NULL-deref on missing association
- descriptor
-Origin: https://git.kernel.org/linus/6c3b047fa2d2286d5e438bcb470c7b1a49f415f6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16536
-
-Make sure to check that we actually have an Interface Association
-Descriptor before dereferencing it during probe to avoid dereferencing a
-NULL-pointer.
-
-Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
-
-Cc: stable # 2.6.30
-Reported-by: Andrey Konovalov
-Signed-off-by: Johan Hovold
-Tested-by: Andrey Konovalov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
-index e0daa9b6c2a0..9b742d569fb5 100644
---- a/drivers/media/usb/cx231xx/cx231xx-cards.c
-+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
-@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface,
- nr = dev->devno;
-
- assoc_desc = udev->actconfig->intf_assoc[0];
-- if (assoc_desc->bFirstInterface != ifnum) {
-+ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
- dev_err(d, "Not found matching IAD interface\n");
- retval = -ENODEV;
- goto err_if;
diff --git a/debian/patches/bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch b/debian/patches/bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch
deleted file mode 100644
index bcf2cca5a..000000000
--- a/debian/patches/bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Daniel Scheller
-Date: Sun, 29 Oct 2017 11:43:22 -0400
-Subject: media: dvb-core: always call invoke_release() in fe_free()
-Origin: https://git.kernel.org/linus/62229de19ff2b7f3e0ebf4d48ad99061127d0281
-
-Follow-up to: ead666000a5f ("media: dvb_frontend: only use kref after initialized")
-
-The aforementioned commit fixed refcount OOPSes when demod driver attaching
-succeeded but tuner driver didn't. However, the use count of the attached
-demod drivers don't go back to zero and thus couldn't be cleanly unloaded.
-Improve on this by calling dvb_frontend_invoke_release() in
-__dvb_frontend_free() regardless of fepriv being NULL, instead of returning
-when fepriv is NULL. This is safe to do since _invoke_release() will check
-for passed pointers being valid before calling the .release() function.
-
-[mchehab@s-opensource.com: changed the logic a little bit to reduce
- conflicts with another bug fix patch under review]
-Fixes: ead666000a5f ("media: dvb_frontend: only use kref after initialized")
-Signed-off-by: Daniel Scheller
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/dvb-core/dvb_frontend.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
-index daaf969719e4..d485d5f6cc88 100644
---- a/drivers/media/dvb-core/dvb_frontend.c
-+++ b/drivers/media/dvb-core/dvb_frontend.c
-@@ -145,13 +145,14 @@ static void __dvb_frontend_free(struct dvb_frontend *fe)
- {
- struct dvb_frontend_private *fepriv = fe->frontend_priv;
-
-- if (!fepriv)
-- return;
--
-- dvb_free_device(fepriv->dvbdev);
-+ if (fepriv)
-+ dvb_free_device(fepriv->dvbdev);
-
- dvb_frontend_invoke_release(fe, fe->ops.release);
-
-+ if (!fepriv)
-+ return;
-+
- kfree(fepriv);
- fe->frontend_priv = NULL;
- }
diff --git a/debian/patches/bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch b/debian/patches/bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
deleted file mode 100644
index 6647fde6a..000000000
--- a/debian/patches/bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From: "Kirill A. Shutemov" -Date: Mon, 27 Nov 2017 06:21:25 +0300 -Subject: mm, thp: Do not make page table dirty unconditionally in - touch_p[mu]d() -Origin: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000405 - -Currently, we unconditionally make page table dirty in touch_pmd(). -It may result in false-positive can_follow_write_pmd(). - -We may avoid the situation, if we would only make the page table entry -dirty if caller asks for write access -- FOLL_WRITE. - -The patch also changes touch_pud() in the same way. - -Signed-off-by: Kirill A. Shutemov -Cc: Michal Hocko -Cc: Hugh Dickins -Signed-off-by: Linus Torvalds ---- - mm/huge_memory.c | 36 +++++++++++++----------------------- - 1 file changed, 13 insertions(+), 23 deletions(-) - -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 86fe697e8bfb..0e7ded98d114 100644 ---- a/mm/huge_memory.c -+++ b/mm/huge_memory.c -@@ -842,20 +842,15 @@ EXPORT_SYMBOL_GPL(vmf_insert_pfn_pud); - #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */ - - static void touch_pmd(struct vm_area_struct *vma, unsigned long addr, -- pmd_t *pmd) -+ pmd_t *pmd, int flags) - { - pmd_t _pmd; - -- /* -- * We should set the dirty bit only for FOLL_WRITE but for now -- * the dirty bit in the pmd is meaningless. And if the dirty -- * bit will become meaningful and we'll only set it with -- * FOLL_WRITE, an atomic set_bit will be required on the pmd to -- * set the young bit, instead of the current set_pmd_at. 
-- */ -- _pmd = pmd_mkyoung(pmd_mkdirty(*pmd)); -+ _pmd = pmd_mkyoung(*pmd); -+ if (flags & FOLL_WRITE) -+ _pmd = pmd_mkdirty(_pmd); - if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK, -- pmd, _pmd, 1)) -+ pmd, _pmd, flags & FOLL_WRITE)) - update_mmu_cache_pmd(vma, addr, pmd); - } - -@@ -884,7 +879,7 @@ struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr, - return NULL; - - if (flags & FOLL_TOUCH) -- touch_pmd(vma, addr, pmd); -+ touch_pmd(vma, addr, pmd, flags); - - /* - * device mapped pages can only be returned if the -@@ -995,20 +990,15 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm, - - #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD - static void touch_pud(struct vm_area_struct *vma, unsigned long addr, -- pud_t *pud) -+ pud_t *pud, int flags) - { - pud_t _pud; - -- /* -- * We should set the dirty bit only for FOLL_WRITE but for now -- * the dirty bit in the pud is meaningless. And if the dirty -- * bit will become meaningful and we'll only set it with -- * FOLL_WRITE, an atomic set_bit will be required on the pud to -- * set the young bit, instead of the current set_pud_at. 
-- */ -- _pud = pud_mkyoung(pud_mkdirty(*pud)); -+ _pud = pud_mkyoung(*pud); -+ if (flags & FOLL_WRITE) -+ _pud = pud_mkdirty(_pud); - if (pudp_set_access_flags(vma, addr & HPAGE_PUD_MASK, -- pud, _pud, 1)) -+ pud, _pud, flags & FOLL_WRITE)) - update_mmu_cache_pud(vma, addr, pud); - } - -@@ -1031,7 +1021,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr, - return NULL; - - if (flags & FOLL_TOUCH) -- touch_pud(vma, addr, pud); -+ touch_pud(vma, addr, pud, flags); - - /* - * device mapped pages can only be returned if the -@@ -1424,7 +1414,7 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma, - page = pmd_page(*pmd); - VM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page); - if (flags & FOLL_TOUCH) -- touch_pmd(vma, addr, pmd); -+ touch_pmd(vma, addr, pmd, flags); - if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) { - /* - * We don't mlock() pte-mapped THPs. This way we can avoid --- -2.15.0 - diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch index d2bdec0b1..a890a8c2b 100644 --- a/debian/patches/debian/kernelvariables.patch +++ b/debian/patches/debian/kernelvariables.patch @@ -14,7 +14,7 @@ use of $(ARCH) needs to be moved after this. --- a/Makefile +++ b/Makefile -@@ -255,42 +255,6 @@ SUBARCH := $(shell uname -m | sed -e s/i +@@ -251,42 +251,6 @@ SUBARCH := $(shell uname -m | sed -e s/i ARCH ?= $(SUBARCH) CROSS_COMPILE ?= $(CONFIG_CROSS_COMPILE:"%"=%) @@ -57,9 +57,9 @@ use of $(ARCH) needs to be moved after this. KCONFIG_CONFIG ?= .config export KCONFIG_CONFIG -@@ -373,6 +337,44 @@ LDFLAGS_vmlinux = - CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,) - CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,) +@@ -374,6 +338,45 @@ CFLAGS_KERNEL = + AFLAGS_KERNEL = + LDFLAGS_vmlinux = +-include $(obj)/.kernelvariables + 
@@ -99,6 +99,7 @@ use of $(ARCH) needs to be moved after this. +ifeq ($(ARCH),m68knommu) + hdr-arch := m68k +endif - ++ # Use USERINCLUDE when you must reference the UAPI directories only. USERINCLUDE := \ + -I$(srctree)/arch/$(hdr-arch)/include/uapi \ diff --git a/debian/patches/features/all/aufs4/aufs4-standalone.patch b/debian/patches/features/all/aufs4/aufs4-standalone.patch index 78efd82c1..085dc2fd8 100644 --- a/debian/patches/features/all/aufs4/aufs4-standalone.patch +++ b/debian/patches/features/all/aufs4/aufs4-standalone.patch @@ -8,11 +8,9 @@ Patch headers added by debian/patches/features/all/aufs4/gen-patch aufs4.14 standalone patch -diff --git a/fs/dcache.c b/fs/dcache.c -index e3719a5..3203470 100644 --- a/fs/dcache.c +++ b/fs/dcache.c -@@ -1305,6 +1305,7 @@ void d_walk(struct dentry *parent, void *data, +@@ -1305,6 +1305,7 @@ rename_retry: seq = 1; goto again; } @@ -20,7 +18,7 @@ index e3719a5..3203470 100644 struct check_mount { struct vfsmount *mnt; -@@ -2894,6 +2895,7 @@ void d_exchange(struct dentry *dentry1, struct dentry *dentry2) +@@ -2894,6 +2895,7 @@ void d_exchange(struct dentry *dentry1, write_sequnlock(&rename_lock); } @@ -28,11 +26,9 @@ index e3719a5..3203470 100644 /** * d_ancestor - search for an ancestor -diff --git a/fs/exec.c b/fs/exec.c -index 3e14ba2..6818b01 100644 --- a/fs/exec.c +++ b/fs/exec.c -@@ -109,6 +109,7 @@ bool path_noexec(const struct path *path) +@@ -109,6 +109,7 @@ bool path_noexec(const struct path *path return (path->mnt->mnt_flags & MNT_NOEXEC) || (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC); } @@ -40,11 +36,9 @@ index 3e14ba2..6818b01 100644 #ifdef CONFIG_USELIB /* -diff --git a/fs/fcntl.c b/fs/fcntl.c -index cffefab..725d190 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c -@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, unsigned long arg) +@@ -85,6 +85,7 @@ int setfl(int fd, struct file * filp, un out: return error; } 
@@ -52,11 +46,9 @@ index cffefab..725d190 100644 static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, int force) -diff --git a/fs/file_table.c b/fs/file_table.c -index 61517f5..c6bab39c 100644 --- a/fs/file_table.c +++ b/fs/file_table.c -@@ -148,6 +148,7 @@ struct file *get_empty_filp(void) +@@ -148,6 +148,7 @@ over: } return ERR_PTR(-ENFILE); } @@ -88,11 +80,9 @@ index 61517f5..c6bab39c 100644 void __init files_init(void) { -diff --git a/fs/inode.c b/fs/inode.c -index f7800d6..f31a6c7 100644 --- a/fs/inode.c +++ b/fs/inode.c -@@ -1664,6 +1664,7 @@ int update_time(struct inode *inode, struct timespec *time, int flags) +@@ -1664,6 +1664,7 @@ int update_time(struct inode *inode, str return update_time(inode, time, flags); } @@ -100,11 +90,9 @@ index f7800d6..f31a6c7 100644 /** * touch_atime - update the access time -diff --git a/fs/namespace.c b/fs/namespace.c -index e5a4a7f..6d0c376 100644 --- a/fs/namespace.c +++ b/fs/namespace.c -@@ -517,6 +517,7 @@ void __mnt_drop_write(struct vfsmount *mnt) +@@ -517,6 +517,7 @@ void __mnt_drop_write(struct vfsmount *m mnt_dec_writers(real_mount(mnt)); preempt_enable(); } @@ -112,7 +100,7 @@ index e5a4a7f..6d0c376 100644 /** * mnt_drop_write - give up write access to a mount -@@ -851,6 +852,7 @@ int is_current_mnt_ns(struct vfsmount *mnt) +@@ -851,6 +852,7 @@ int is_current_mnt_ns(struct vfsmount *m { return check_mnt(real_mount(mnt)); } @@ -120,7 +108,7 @@ index e5a4a7f..6d0c376 100644 /* * vfsmount lock must be held for write -@@ -1887,6 +1889,7 @@ int iterate_mounts(int (*f)(struct vfsmount *, void *), void *arg, +@@ -1887,6 +1889,7 @@ int iterate_mounts(int (*f)(struct vfsmo } return 0; } @@ -128,8 +116,6 @@ index e5a4a7f..6d0c376 100644 static void cleanup_group_ids(struct mount *mnt, struct mount *end) { -diff --git a/fs/notify/group.c b/fs/notify/group.c -index 3235753..14a2d48 100644 --- a/fs/notify/group.c +++ b/fs/notify/group.c @@ -22,6 +22,7 @@ 
@@ -140,7 +126,7 @@ index 3235753..14a2d48 100644 #include #include "fsnotify.h" -@@ -109,6 +110,7 @@ void fsnotify_get_group(struct fsnotify_group *group) +@@ -109,6 +110,7 @@ void fsnotify_get_group(struct fsnotify_ { atomic_inc(&group->refcnt); } @@ -148,7 +134,7 @@ index 3235753..14a2d48 100644 /* * Drop a reference to a group. Free it if it's through. -@@ -118,6 +120,7 @@ void fsnotify_put_group(struct fsnotify_group *group) +@@ -118,6 +120,7 @@ void fsnotify_put_group(struct fsnotify_ if (atomic_dec_and_test(&group->refcnt)) fsnotify_final_destroy_group(group); } @@ -156,7 +142,7 @@ index 3235753..14a2d48 100644 /* * Create a new fsnotify_group and hold a reference for the group returned. -@@ -147,6 +150,7 @@ struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *ops) +@@ -147,6 +150,7 @@ struct fsnotify_group *fsnotify_alloc_gr return group; } @@ -164,19 +150,17 @@ index 3235753..14a2d48 100644 int fsnotify_fasync(int fd, struct file *file, int on) { -diff --git a/fs/notify/mark.c b/fs/notify/mark.c -index 9991f88..117042c 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c -@@ -118,6 +118,7 @@ static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark) - { - return atomic_inc_not_zero(&mark->refcnt); +@@ -245,6 +245,7 @@ void fsnotify_put_mark(struct fsnotify_m + queue_delayed_work(system_unbound_wq, &reaper_work, + FSNOTIFY_REAPER_DELAY); } +EXPORT_SYMBOL_GPL(fsnotify_put_mark); - static void __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) - { -@@ -395,6 +396,7 @@ void fsnotify_destroy_mark(struct fsnotify_mark *mark, + /* + * Get mark reference when we found the mark via lockless traversal of object +@@ -392,6 +393,7 @@ void fsnotify_destroy_mark(struct fsnoti mutex_unlock(&group->mark_mutex); fsnotify_free_mark(mark); } 
@@ -184,7 +168,7 @@ index 9991f88..117042c 100644 /* * Sorting function for lists of fsnotify marks. -@@ -607,6 +609,7 @@ int fsnotify_add_mark_locked(struct fsnotify_mark *mark, struct inode *inode, +@@ -604,6 +606,7 @@ err: fsnotify_put_mark(mark); return ret; } @@ -192,7 +176,7 @@ index 9991f88..117042c 100644 int fsnotify_add_mark(struct fsnotify_mark *mark, struct inode *inode, struct vfsmount *mnt, int allow_dups) -@@ -742,6 +745,7 @@ void fsnotify_init_mark(struct fsnotify_mark *mark, +@@ -739,6 +742,7 @@ void fsnotify_init_mark(struct fsnotify_ fsnotify_get_group(group); mark->group = group; } @@ -200,11 +184,9 @@ index 9991f88..117042c 100644 /* * Destroy all marks in destroy_list, waits for SRCU period to finish before -diff --git a/fs/open.c b/fs/open.c -index 7ea1184..6e2e241 100644 --- a/fs/open.c +++ b/fs/open.c -@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, +@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, l inode_unlock(dentry->d_inode); return ret; } @@ -220,11 +202,9 @@ index 7ea1184..6e2e241 100644 static int do_dentry_open(struct file *f, struct inode *inode, -diff --git a/fs/read_write.c b/fs/read_write.c -index 2388284..b2a68e5 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -454,6 +454,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) +@@ -454,6 +454,7 @@ ssize_t vfs_read(struct file *file, char return ret; } @@ -240,7 +220,7 @@ index 2388284..b2a68e5 100644 vfs_writef_t vfs_writef(struct file *file) { -@@ -505,6 +507,7 @@ vfs_writef_t vfs_writef(struct file *file) +@@ -505,6 +507,7 @@ vfs_writef_t vfs_writef(struct file *fil return new_sync_write; return ERR_PTR(-ENOSYS); } 
@@ -248,7 +228,7 @@ index 2388284..b2a68e5 100644 ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos) { -@@ -574,6 +577,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ +@@ -574,6 +577,7 @@ ssize_t vfs_write(struct file *file, con return ret; } @@ -256,11 +236,9 @@ index 2388284..b2a68e5 100644 static inline loff_t file_pos_read(struct file *file) { -diff --git a/fs/splice.c b/fs/splice.c -index eb888c6..7ab89d2 100644 --- a/fs/splice.c +++ b/fs/splice.c -@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_info *pipe, struct file *out, +@@ -850,6 +850,7 @@ long do_splice_from(struct pipe_inode_in return splice_write(pipe, out, ppos, len, flags); } @@ -268,7 +246,7 @@ index eb888c6..7ab89d2 100644 /* * Attempt to initiate a splice from a file to a pipe. -@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_t *ppos, +@@ -879,6 +880,7 @@ long do_splice_to(struct file *in, loff_ return splice_read(in, ppos, pipe, len, flags); } @@ -276,11 +254,9 @@ index eb888c6..7ab89d2 100644 /** * splice_direct_to_actor - splices data directly between two non-pipes -diff --git a/fs/sync.c b/fs/sync.c -index fe15900..e3386ea 100644 --- a/fs/sync.c +++ b/fs/sync.c -@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block *sb, int wait) +@@ -39,6 +39,7 @@ int __sync_filesystem(struct super_block sb->s_op->sync_fs(sb, wait); return __sync_blockdev(sb->s_bdev, wait); } @@ -288,11 +264,9 @@ index fe15900..e3386ea 100644 /* * Write out and wait upon all dirty data associated with this -diff --git a/fs/xattr.c b/fs/xattr.c -index 61cd28b..35570cd 100644 --- a/fs/xattr.c +++ b/fs/xattr.c -@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, +@@ -297,6 +297,7 @@ vfs_getxattr_alloc(struct dentry *dentry *xattr_value = value; return error; } 
@@ -300,11 +274,9 @@ index 61cd28b..35570cd 100644 ssize_t __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name, -diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c -index bc97a97..895a1ba 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c -@@ -155,6 +155,7 @@ inline struct lock_class *lockdep_hlock_class(struct held_lock *hlock) +@@ -155,6 +155,7 @@ inline struct lock_class *lockdep_hlock_ } return lock_classes + hlock->class_idx - 1; } @@ -312,8 +284,6 @@ index bc97a97..895a1ba 100644 #define hlock_class(hlock) lockdep_hlock_class(hlock) #ifdef CONFIG_LOCK_STAT -diff --git a/kernel/task_work.c b/kernel/task_work.c -index 5718b3e..e6c64d9 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c @@ -116,3 +116,4 @@ void task_work_run(void) @@ -321,8 +291,6 @@ index 5718b3e..e6c64d9 100644 } } +EXPORT_SYMBOL_GPL(task_work_run); -diff --git a/security/commoncap.c b/security/commoncap.c -index fc46f5b..90543ef 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1270,12 +1270,14 @@ int cap_mmap_addr(unsigned long addr) @@ -340,8 +308,6 @@ index fc46f5b..90543ef 100644 #ifdef CONFIG_SECURITY -diff --git a/security/device_cgroup.c b/security/device_cgroup.c -index 5ef7e52..e2e959d 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -8,6 +8,7 @@ @@ -352,7 +318,7 @@ index 5ef7e52..e2e959d 100644 #include #include #include -@@ -850,6 +851,7 @@ int __devcgroup_inode_permission(struct inode *inode, int mask) +@@ -850,6 +851,7 @@ int __devcgroup_inode_permission(struct return __devcgroup_check_permission(type, imajor(inode), iminor(inode), access); } @@ -360,11 +326,9 @@ index 5ef7e52..e2e959d 100644 int devcgroup_inode_mknod(int mode, dev_t dev) { -diff --git a/security/security.c b/security/security.c -index 4bf0f57..b30d1e1 100644 --- a/security/security.c 
+++ b/security/security.c -@@ -530,6 +530,7 @@ int security_path_rmdir(const struct path *dir, struct dentry *dentry) +@@ -530,6 +530,7 @@ int security_path_rmdir(const struct pat return 0; return call_int_hook(path_rmdir, 0, dir, dentry); } @@ -372,7 +336,7 @@ index 4bf0f57..b30d1e1 100644 int security_path_unlink(const struct path *dir, struct dentry *dentry) { -@@ -546,6 +547,7 @@ int security_path_symlink(const struct path *dir, struct dentry *dentry, +@@ -546,6 +547,7 @@ int security_path_symlink(const struct p return 0; return call_int_hook(path_symlink, 0, dir, dentry, old_name); } @@ -380,7 +344,7 @@ index 4bf0f57..b30d1e1 100644 int security_path_link(struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry) -@@ -554,6 +556,7 @@ int security_path_link(struct dentry *old_dentry, const struct path *new_dir, +@@ -554,6 +556,7 @@ int security_path_link(struct dentry *ol return 0; return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry); } @@ -388,7 +352,7 @@ index 4bf0f57..b30d1e1 100644 int security_path_rename(const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry, -@@ -581,6 +584,7 @@ int security_path_truncate(const struct path *path) +@@ -581,6 +584,7 @@ int security_path_truncate(const struct return 0; return call_int_hook(path_truncate, 0, path); } @@ -396,7 +360,7 @@ index 4bf0f57..b30d1e1 100644 int security_path_chmod(const struct path *path, umode_t mode) { -@@ -588,6 +592,7 @@ int security_path_chmod(const struct path *path, umode_t mode) +@@ -588,6 +592,7 @@ int security_path_chmod(const struct pat return 0; return call_int_hook(path_chmod, 0, path, mode); } 
@@ -404,7 +368,7 @@ index 4bf0f57..b30d1e1 100644 int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) { -@@ -595,6 +600,7 @@ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) +@@ -595,6 +600,7 @@ int security_path_chown(const struct pat return 0; return call_int_hook(path_chown, 0, path, uid, gid); } @@ -412,7 +376,7 @@ index 4bf0f57..b30d1e1 100644 int security_path_chroot(const struct path *path) { -@@ -680,6 +686,7 @@ int security_inode_readlink(struct dentry *dentry) +@@ -680,6 +686,7 @@ int security_inode_readlink(struct dentr return 0; return call_int_hook(inode_readlink, 0, dentry); } @@ -420,7 +384,7 @@ index 4bf0f57..b30d1e1 100644 int security_inode_follow_link(struct dentry *dentry, struct inode *inode, bool rcu) -@@ -695,6 +702,7 @@ int security_inode_permission(struct inode *inode, int mask) +@@ -695,6 +702,7 @@ int security_inode_permission(struct ino return 0; return call_int_hook(inode_permission, 0, inode, mask); } @@ -428,7 +392,7 @@ index 4bf0f57..b30d1e1 100644 int security_inode_setattr(struct dentry *dentry, struct iattr *attr) { -@@ -866,6 +874,7 @@ int security_file_permission(struct file *file, int mask) +@@ -866,6 +874,7 @@ int security_file_permission(struct file return fsnotify_perm(file, mask); } @@ -436,7 +400,7 @@ index 4bf0f57..b30d1e1 100644 int security_file_alloc(struct file *file) { -@@ -925,6 +934,7 @@ int security_mmap_file(struct file *file, unsigned long prot, +@@ -925,6 +934,7 @@ int security_mmap_file(struct file *file return ret; return ima_file_mmap(file, prot); } diff --git a/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch b/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch index f791a3b2d..794b0d7cc 100644 --- a/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch +++ b/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch 
@@ -7,6 +7,7 @@ There are a few local_irq_disable() which then take sleeping locks. This patch converts them local locks. Signed-off-by: Sebastian Andrzej Siewior +[bwh: Adjust context after 4.14.4] --- mm/memcontrol.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) @@ -110,7 +111,7 @@ Signed-off-by: Sebastian Andrzej Siewior memcg_check_events(memcg, page); if (!mem_cgroup_is_root(memcg)) - css_put(&memcg->css); + css_put_many(&memcg->css, nr_entries); + local_unlock_irqrestore(event_lock, flags); } diff --git a/debian/patches/features/all/rt/sched-rt-Simplify-the-IPI-based-RT-balancing-logic.patch b/debian/patches/features/all/rt/sched-rt-Simplify-the-IPI-based-RT-balancing-logic.patch deleted file mode 100644 index 3179d8a86..000000000 --- a/debian/patches/features/all/rt/sched-rt-Simplify-the-IPI-based-RT-balancing-logic.patch +++ /dev/null 
@@ -1,565 +0,0 @@ -From: "Steven Rostedt (Red Hat)" -Date: Fri, 6 Oct 2017 14:05:04 -0400 -Subject: [PATCH] sched/rt: Simplify the IPI based RT balancing logic -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.14/older/patches-4.14.1-rt3.tar.xz - -Upstream commit 4bdced5c9a2922521e325896a7bbbf0132c94e56 - -When a CPU lowers its priority (schedules out a high priority task for a -lower priority one), a check is made to see if any other CPU has overloaded -RT tasks (more than one). It checks the rto_mask to determine this and if so -it will request to pull one of those tasks to itself if the non running RT -task is of higher priority than the new priority of the next task to run on -the current CPU. - -When we deal with large number of CPUs, the original pull logic suffered -from large lock contention on a single CPU run queue, which caused a huge -latency across all CPUs. This was caused by only having one CPU having -overloaded RT tasks and a bunch of other CPUs lowering their priority. To -solve this issue, commit: - - b6366f048e0c ("sched/rt: Use IPI to trigger RT task push migration instead of pulling") - -changed the way to request a pull. Instead of grabbing the lock of the -overloaded CPU's runqueue, it simply sent an IPI to that CPU to do the work. - -Although the IPI logic worked very well in removing the large latency build -up, it still could suffer from a large number of IPIs being sent to a single -CPU. On a 80 CPU box, I measured over 200us of processing IPIs. Worse yet, -when I tested this on a 120 CPU box, with a stress test that had lots of -RT tasks scheduling on all CPUs, it actually triggered the hard lockup -detector! One CPU had so many IPIs sent to it, and due to the restart -mechanism that is triggered when the source run queue has a priority status -change, the CPU spent minutes! processing the IPIs. - -Thinking about this further, I realized there's no reason for each run queue -to send its own IPI. 
As all CPUs with overloaded tasks must be scanned -regardless if there's one or many CPUs lowering their priority, because -there's no current way to find the CPU with the highest priority task that -can schedule to one of these CPUs, there really only needs to be one IPI -being sent around at a time. - -This greatly simplifies the code! - -The new approach is to have each root domain have its own irq work, as the -rto_mask is per root domain. The root domain has the following fields -attached to it: - - rto_push_work - the irq work to process each CPU set in rto_mask - rto_lock - the lock to protect some of the other rto fields - rto_loop_start - an atomic that keeps contention down on rto_lock - the first CPU scheduling in a lower priority task - is the one to kick off the process. - rto_loop_next - an atomic that gets incremented for each CPU that - schedules in a lower priority task. - rto_loop - a variable protected by rto_lock that is used to - compare against rto_loop_next - rto_cpu - The cpu to send the next IPI to, also protected by - the rto_lock. - -When a CPU schedules in a lower priority task and wants to make sure -overloaded CPUs know about it. It increments the rto_loop_next. Then it -atomically sets rto_loop_start with a cmpxchg. If the old value is not "0", -then it is done, as another CPU is kicking off the IPI loop. If the old -value is "0", then it will take the rto_lock to synchronize with a possible -IPI being sent around to the overloaded CPUs. - -If rto_cpu is greater than or equal to nr_cpu_ids, then there's either no -IPI being sent around, or one is about to finish. Then rto_cpu is set to the -first CPU in rto_mask and an IPI is sent to that CPU. If there's no CPUs set -in rto_mask, then there's nothing to be done. - -When the CPU receives the IPI, it will first try to push any RT tasks that is -queued on the CPU but can't run because a higher priority RT task is -currently running on that CPU. 
- -Then it takes the rto_lock and looks for the next CPU in the rto_mask. If it -finds one, it simply sends an IPI to that CPU and the process continues. - -If there's no more CPUs in the rto_mask, then rto_loop is compared with -rto_loop_next. If they match, everything is done and the process is over. If -they do not match, then a CPU scheduled in a lower priority task as the IPI -was being passed around, and the process needs to start again. The first CPU -in rto_mask is sent the IPI. - -This change removes this duplication of work in the IPI logic, and greatly -lowers the latency caused by the IPIs. This removed the lockup happening on -the 120 CPU machine. It also simplifies the code tremendously. What else -could anyone ask for? - -Thanks to Peter Zijlstra for simplifying the rto_loop_start atomic logic and -supplying me with the rto_start_trylock() and rto_start_unlock() helper -functions. - -Signed-off-by: Steven Rostedt (VMware) -Signed-off-by: Peter Zijlstra (Intel) -Cc: Clark Williams -Cc: Daniel Bristot de Oliveira -Cc: John Kacur -Cc: Linus Torvalds -Cc: Mike Galbraith -Cc: Peter Zijlstra -Cc: Scott Wood -Cc: Thomas Gleixner -Link: http://lkml.kernel.org/r/20170424114732.1aac6dc4@gandalf.local.home -Signed-off-by: Ingo Molnar -Signed-off-by: Sebastian Andrzej Siewior ---- - kernel/sched/rt.c | 316 +++++++++++++++++------------------------------- - kernel/sched/sched.h | 24 ++- - kernel/sched/topology.c | 6 - 3 files changed, 138 insertions(+), 208 deletions(-) - ---- a/kernel/sched/rt.c -+++ b/kernel/sched/rt.c -@@ -74,10 +74,6 @@ static void start_rt_bandwidth(struct rt - raw_spin_unlock(&rt_b->rt_runtime_lock); - } - --#if defined(CONFIG_SMP) && defined(HAVE_RT_PUSH_IPI) --static void push_irq_work_func(struct irq_work *work); --#endif -- - void init_rt_rq(struct rt_rq *rt_rq) - { - struct rt_prio_array *array; -@@ -97,13 +93,6 @@ void init_rt_rq(struct rt_rq *rt_rq) - rt_rq->rt_nr_migratory = 0; - rt_rq->overloaded = 0; - 
plist_head_init(&rt_rq->pushable_tasks); -- --#ifdef HAVE_RT_PUSH_IPI -- rt_rq->push_flags = 0; -- rt_rq->push_cpu = nr_cpu_ids; -- raw_spin_lock_init(&rt_rq->push_lock); -- init_irq_work(&rt_rq->push_work, push_irq_work_func); --#endif - #endif /* CONFIG_SMP */ - /* We start is dequeued state, because no RT tasks are queued */ - rt_rq->rt_queued = 0; -@@ -1876,241 +1865,166 @@ static void push_rt_tasks(struct rq *rq) - } - - #ifdef HAVE_RT_PUSH_IPI -+ - /* -- * The search for the next cpu always starts at rq->cpu and ends -- * when we reach rq->cpu again. It will never return rq->cpu. -- * This returns the next cpu to check, or nr_cpu_ids if the loop -- * is complete. -+ * When a high priority task schedules out from a CPU and a lower priority -+ * task is scheduled in, a check is made to see if there's any RT tasks -+ * on other CPUs that are waiting to run because a higher priority RT task -+ * is currently running on its CPU. In this case, the CPU with multiple RT -+ * tasks queued on it (overloaded) needs to be notified that a CPU has opened -+ * up that may be able to run one of its non-running queued RT tasks. -+ * -+ * All CPUs with overloaded RT tasks need to be notified as there is currently -+ * no way to know which of these CPUs have the highest priority task waiting -+ * to run. Instead of trying to take a spinlock on each of these CPUs, -+ * which has shown to cause large latency when done on machines with many -+ * CPUs, sending an IPI to the CPUs to have them push off the overloaded -+ * RT tasks waiting to run. -+ * -+ * Just sending an IPI to each of the CPUs is also an issue, as on large -+ * count CPU machines, this can cause an IPI storm on a CPU, especially -+ * if its the only CPU with multiple RT tasks queued, and a large number -+ * of CPUs scheduling a lower priority task at the same time. -+ * -+ * Each root domain has its own irq work function that can iterate over -+ * all CPUs with RT overloaded tasks. 
Since all CPUs with overloaded RT -+ * tassk must be checked if there's one or many CPUs that are lowering -+ * their priority, there's a single irq work iterator that will try to -+ * push off RT tasks that are waiting to run. -+ * -+ * When a CPU schedules a lower priority task, it will kick off the -+ * irq work iterator that will jump to each CPU with overloaded RT tasks. -+ * As it only takes the first CPU that schedules a lower priority task -+ * to start the process, the rto_start variable is incremented and if -+ * the atomic result is one, then that CPU will try to take the rto_lock. -+ * This prevents high contention on the lock as the process handles all -+ * CPUs scheduling lower priority tasks. -+ * -+ * All CPUs that are scheduling a lower priority task will increment the -+ * rt_loop_next variable. This will make sure that the irq work iterator -+ * checks all RT overloaded CPUs whenever a CPU schedules a new lower -+ * priority task, even if the iterator is in the middle of a scan. Incrementing -+ * the rt_loop_next will cause the iterator to perform another scan. - * -- * rq->rt.push_cpu holds the last cpu returned by this function, -- * or if this is the first instance, it must hold rq->cpu. - */ - static int rto_next_cpu(struct rq *rq) - { -- int prev_cpu = rq->rt.push_cpu; -+ struct root_domain *rd = rq->rd; -+ int next; - int cpu; - -- cpu = cpumask_next(prev_cpu, rq->rd->rto_mask); -- - /* -- * If the previous cpu is less than the rq's CPU, then it already -- * passed the end of the mask, and has started from the beginning. -- * We end if the next CPU is greater or equal to rq's CPU. -+ * When starting the IPI RT pushing, the rto_cpu is set to -1, -+ * rt_next_cpu() will simply return the first CPU found in -+ * the rto_mask. -+ * -+ * If rto_next_cpu() is called with rto_cpu is a valid cpu, it -+ * will return the next CPU found in the rto_mask. 
-+ * -+ * If there are no more CPUs left in the rto_mask, then a check is made -+ * against rto_loop and rto_loop_next. rto_loop is only updated with -+ * the rto_lock held, but any CPU may increment the rto_loop_next -+ * without any locking. - */ -- if (prev_cpu < rq->cpu) { -- if (cpu >= rq->cpu) -- return nr_cpu_ids; -+ for (;;) { - -- } else if (cpu >= nr_cpu_ids) { -- /* -- * We passed the end of the mask, start at the beginning. -- * If the result is greater or equal to the rq's CPU, then -- * the loop is finished. -- */ -- cpu = cpumask_first(rq->rd->rto_mask); -- if (cpu >= rq->cpu) -- return nr_cpu_ids; -- } -- rq->rt.push_cpu = cpu; -+ /* When rto_cpu is -1 this acts like cpumask_first() */ -+ cpu = cpumask_next(rd->rto_cpu, rd->rto_mask); - -- /* Return cpu to let the caller know if the loop is finished or not */ -- return cpu; --} -+ rd->rto_cpu = cpu; - --static int find_next_push_cpu(struct rq *rq) --{ -- struct rq *next_rq; -- int cpu; -+ if (cpu < nr_cpu_ids) -+ return cpu; - -- while (1) { -- cpu = rto_next_cpu(rq); -- if (cpu >= nr_cpu_ids) -- break; -- next_rq = cpu_rq(cpu); -+ rd->rto_cpu = -1; -+ -+ /* -+ * ACQUIRE ensures we see the @rto_mask changes -+ * made prior to the @next value observed. -+ * -+ * Matches WMB in rt_set_overload(). 
-+ */ -+ next = atomic_read_acquire(&rd->rto_loop_next); - -- /* Make sure the next rq can push to this rq */ -- if (next_rq->rt.highest_prio.next < rq->rt.highest_prio.curr) -+ if (rd->rto_loop == next) - break; -+ -+ rd->rto_loop = next; - } - -- return cpu; -+ return -1; - } - --#define RT_PUSH_IPI_EXECUTING 1 --#define RT_PUSH_IPI_RESTART 2 -+static inline bool rto_start_trylock(atomic_t *v) -+{ -+ return !atomic_cmpxchg_acquire(v, 0, 1); -+} - --/* -- * When a high priority task schedules out from a CPU and a lower priority -- * task is scheduled in, a check is made to see if there's any RT tasks -- * on other CPUs that are waiting to run because a higher priority RT task -- * is currently running on its CPU. In this case, the CPU with multiple RT -- * tasks queued on it (overloaded) needs to be notified that a CPU has opened -- * up that may be able to run one of its non-running queued RT tasks. -- * -- * On large CPU boxes, there's the case that several CPUs could schedule -- * a lower priority task at the same time, in which case it will look for -- * any overloaded CPUs that it could pull a task from. To do this, the runqueue -- * lock must be taken from that overloaded CPU. Having 10s of CPUs all fighting -- * for a single overloaded CPU's runqueue lock can produce a large latency. -- * (This has actually been observed on large boxes running cyclictest). -- * Instead of taking the runqueue lock of the overloaded CPU, each of the -- * CPUs that scheduled a lower priority task simply sends an IPI to the -- * overloaded CPU. An IPI is much cheaper than taking an runqueue lock with -- * lots of contention. The overloaded CPU will look to push its non-running -- * RT task off, and if it does, it can then ignore the other IPIs coming -- * in, and just pass those IPIs off to any other overloaded CPU. -- * -- * When a CPU schedules a lower priority task, it only sends an IPI to -- * the "next" CPU that has overloaded RT tasks. 
This prevents IPI storms, -- * as having 10 CPUs scheduling lower priority tasks and 10 CPUs with -- * RT overloaded tasks, would cause 100 IPIs to go out at once. -- * -- * The overloaded RT CPU, when receiving an IPI, will try to push off its -- * overloaded RT tasks and then send an IPI to the next CPU that has -- * overloaded RT tasks. This stops when all CPUs with overloaded RT tasks -- * have completed. Just because a CPU may have pushed off its own overloaded -- * RT task does not mean it should stop sending the IPI around to other -- * overloaded CPUs. There may be another RT task waiting to run on one of -- * those CPUs that are of higher priority than the one that was just -- * pushed. -- * -- * An optimization that could possibly be made is to make a CPU array similar -- * to the cpupri array mask of all running RT tasks, but for the overloaded -- * case, then the IPI could be sent to only the CPU with the highest priority -- * RT task waiting, and that CPU could send off further IPIs to the CPU with -- * the next highest waiting task. Since the overloaded case is much less likely -- * to happen, the complexity of this implementation may not be worth it. -- * Instead, just send an IPI around to all overloaded CPUs. -- * -- * The rq->rt.push_flags holds the status of the IPI that is going around. -- * A run queue can only send out a single IPI at a time. The possible flags -- * for rq->rt.push_flags are: -- * -- * (None or zero): No IPI is going around for the current rq -- * RT_PUSH_IPI_EXECUTING: An IPI for the rq is being passed around -- * RT_PUSH_IPI_RESTART: The priority of the running task for the rq -- * has changed, and the IPI should restart -- * circulating the overloaded CPUs again. -- * -- * rq->rt.push_cpu contains the CPU that is being sent the IPI. It is updated -- * before sending to the next CPU. 
-- * -- * Instead of having all CPUs that schedule a lower priority task send -- * an IPI to the same "first" CPU in the RT overload mask, they send it -- * to the next overloaded CPU after their own CPU. This helps distribute -- * the work when there's more than one overloaded CPU and multiple CPUs -- * scheduling in lower priority tasks. -- * -- * When a rq schedules a lower priority task than what was currently -- * running, the next CPU with overloaded RT tasks is examined first. -- * That is, if CPU 1 and 5 are overloaded, and CPU 3 schedules a lower -- * priority task, it will send an IPI first to CPU 5, then CPU 5 will -- * send to CPU 1 if it is still overloaded. CPU 1 will clear the -- * rq->rt.push_flags if RT_PUSH_IPI_RESTART is not set. -- * -- * The first CPU to notice IPI_RESTART is set, will clear that flag and then -- * send an IPI to the next overloaded CPU after the rq->cpu and not the next -- * CPU after push_cpu. That is, if CPU 1, 4 and 5 are overloaded when CPU 3 -- * schedules a lower priority task, and the IPI_RESTART gets set while the -- * handling is being done on CPU 5, it will clear the flag and send it back to -- * CPU 4 instead of CPU 1. -- * -- * Note, the above logic can be disabled by turning off the sched_feature -- * RT_PUSH_IPI. Then the rq lock of the overloaded CPU will simply be -- * taken by the CPU requesting a pull and the waiting RT task will be pulled -- * by that CPU. This may be fine for machines with few CPUs. -- */ --static void tell_cpu_to_push(struct rq *rq) -+static inline void rto_start_unlock(atomic_t *v) - { -- int cpu; -+ atomic_set_release(v, 0); -+} - -- if (rq->rt.push_flags & RT_PUSH_IPI_EXECUTING) { -- raw_spin_lock(&rq->rt.push_lock); -- /* Make sure it's still executing */ -- if (rq->rt.push_flags & RT_PUSH_IPI_EXECUTING) { -- /* -- * Tell the IPI to restart the loop as things have -- * changed since it started. 
-- */ -- rq->rt.push_flags |= RT_PUSH_IPI_RESTART; -- raw_spin_unlock(&rq->rt.push_lock); -- return; -- } -- raw_spin_unlock(&rq->rt.push_lock); -- } -+static void tell_cpu_to_push(struct rq *rq) -+{ -+ int cpu = -1; - -- /* When here, there's no IPI going around */ -+ /* Keep the loop going if the IPI is currently active */ -+ atomic_inc(&rq->rd->rto_loop_next); - -- rq->rt.push_cpu = rq->cpu; -- cpu = find_next_push_cpu(rq); -- if (cpu >= nr_cpu_ids) -+ /* Only one CPU can initiate a loop at a time */ -+ if (!rto_start_trylock(&rq->rd->rto_loop_start)) - return; - -- rq->rt.push_flags = RT_PUSH_IPI_EXECUTING; -+ raw_spin_lock(&rq->rd->rto_lock); - -- irq_work_queue_on(&rq->rt.push_work, cpu); -+ /* -+ * The rto_cpu is updated under the lock, if it has a valid cpu -+ * then the IPI is still running and will continue due to the -+ * update to loop_next, and nothing needs to be done here. -+ * Otherwise it is finishing up and an ipi needs to be sent. -+ */ -+ if (rq->rd->rto_cpu < 0) -+ cpu = rto_next_cpu(rq); -+ -+ raw_spin_unlock(&rq->rd->rto_lock); -+ -+ rto_start_unlock(&rq->rd->rto_loop_start); -+ -+ if (cpu >= 0) -+ irq_work_queue_on(&rq->rd->rto_push_work, cpu); - } - - /* Called from hardirq context */ --static void try_to_push_tasks(void *arg) -+void rto_push_irq_work_func(struct irq_work *work) - { -- struct rt_rq *rt_rq = arg; -- struct rq *rq, *src_rq; -- int this_cpu; -+ struct rq *rq; - int cpu; - -- this_cpu = rt_rq->push_cpu; -+ rq = this_rq(); - -- /* Paranoid check */ -- BUG_ON(this_cpu != smp_processor_id()); -- -- rq = cpu_rq(this_cpu); -- src_rq = rq_of_rt_rq(rt_rq); -- --again: -+ /* -+ * We do not need to grab the lock to check for has_pushable_tasks. -+ * When it gets updated, a check is made if a push is possible. 
-+ */ - if (has_pushable_tasks(rq)) { - raw_spin_lock(&rq->lock); -- push_rt_task(rq); -+ push_rt_tasks(rq); - raw_spin_unlock(&rq->lock); - } - -- /* Pass the IPI to the next rt overloaded queue */ -- raw_spin_lock(&rt_rq->push_lock); -- /* -- * If the source queue changed since the IPI went out, -- * we need to restart the search from that CPU again. -- */ -- if (rt_rq->push_flags & RT_PUSH_IPI_RESTART) { -- rt_rq->push_flags &= ~RT_PUSH_IPI_RESTART; -- rt_rq->push_cpu = src_rq->cpu; -- } -+ raw_spin_lock(&rq->rd->rto_lock); - -- cpu = find_next_push_cpu(src_rq); -+ /* Pass the IPI to the next rt overloaded queue */ -+ cpu = rto_next_cpu(rq); - -- if (cpu >= nr_cpu_ids) -- rt_rq->push_flags &= ~RT_PUSH_IPI_EXECUTING; -- raw_spin_unlock(&rt_rq->push_lock); -+ raw_spin_unlock(&rq->rd->rto_lock); - -- if (cpu >= nr_cpu_ids) -+ if (cpu < 0) - return; - -- /* -- * It is possible that a restart caused this CPU to be -- * chosen again. Don't bother with an IPI, just see if we -- * have more to push. 
-- */ -- if (unlikely(cpu == rq->cpu)) -- goto again; -- - /* Try the next RT overloaded CPU */ -- irq_work_queue_on(&rt_rq->push_work, cpu); --} -- --static void push_irq_work_func(struct irq_work *work) --{ -- struct rt_rq *rt_rq = container_of(work, struct rt_rq, push_work); -- -- try_to_push_tasks(rt_rq); -+ irq_work_queue_on(&rq->rd->rto_push_work, cpu); - } - #endif /* HAVE_RT_PUSH_IPI */ - ---- a/kernel/sched/sched.h -+++ b/kernel/sched/sched.h -@@ -502,7 +502,7 @@ static inline int rt_bandwidth_enabled(v - } - - /* RT IPI pull logic requires IRQ_WORK */ --#ifdef CONFIG_IRQ_WORK -+#if defined(CONFIG_IRQ_WORK) && defined(CONFIG_SMP) - # define HAVE_RT_PUSH_IPI - #endif - -@@ -524,12 +524,6 @@ struct rt_rq { - unsigned long rt_nr_total; - int overloaded; - struct plist_head pushable_tasks; --#ifdef HAVE_RT_PUSH_IPI -- int push_flags; -- int push_cpu; -- struct irq_work push_work; -- raw_spinlock_t push_lock; --#endif - #endif /* CONFIG_SMP */ - int rt_queued; - -@@ -638,6 +632,19 @@ struct root_domain { - struct dl_bw dl_bw; - struct cpudl cpudl; - -+#ifdef HAVE_RT_PUSH_IPI -+ /* -+ * For IPI pull requests, loop across the rto_mask. -+ */ -+ struct irq_work rto_push_work; -+ raw_spinlock_t rto_lock; -+ /* These are only updated and read within rto_lock */ -+ int rto_loop; -+ int rto_cpu; -+ /* These atomics are updated outside of a lock */ -+ atomic_t rto_loop_next; -+ atomic_t rto_loop_start; -+#endif - /* - * The "RT overload" flag: it gets set if a CPU has more than - * one runnable RT task. 
-@@ -655,6 +662,9 @@ extern void init_defrootdomain(void); - extern int sched_init_domains(const struct cpumask *cpu_map); - extern void rq_attach_root(struct rq *rq, struct root_domain *rd); - -+#ifdef HAVE_RT_PUSH_IPI -+extern void rto_push_irq_work_func(struct irq_work *work); -+#endif - #endif /* CONFIG_SMP */ - - /* ---- a/kernel/sched/topology.c -+++ b/kernel/sched/topology.c -@@ -269,6 +269,12 @@ static int init_rootdomain(struct root_d - if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL)) - goto free_dlo_mask; - -+#ifdef HAVE_RT_PUSH_IPI -+ rd->rto_cpu = -1; -+ raw_spin_lock_init(&rd->rto_lock); -+ init_irq_work(&rd->rto_push_work, rto_push_irq_work_func); -+#endif -+ - init_dl_bw(&rd->dl_bw); - if (cpudl_init(&rd->cpudl) != 0) - goto free_rto_mask; diff --git a/debian/patches/series b/debian/patches/series index 944b2b376..ed8e850df 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -80,7 +80,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch bugfix/all/i40e-fix-flags-declaration.patch -bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch bugfix/all/xen-time-do-not-decrease-steal-time-after-live-migra.patch # Miscellaneous features @@ -117,10 +116,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch -bugfix/all/media-dvb-core-always-call-invoke_release-in-fe_free.patch -bugfix/all/dvb_frontend-don-t-use-after-free-the-frontend-struc.patch -bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch diff --git a/debian/patches/series-rt b/debian/patches/series-rt index 3f3883dad..473aa73dd 100644 
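Review bot: The second hunk of debian/patches/series removes four entries from the `# Security fixes` group (the cx231xx null-deref fix, the two dvb frontend fixes and the THP dirty-page-table fix), and the first hunk removes the apparmor `audit_signal_cb` oops fix, but nothing visible here shows which 4.14.x stable release carries each of them. Dropping a security patch is only safe when the equivalent upstream commit is in the new base, so the changelog entry should name each dropped patch next to the stable version that supersedes it, for example `* Drop "<patch subject>", applied upstream in 4.14.<n>` (placeholder values). The changelog may already do this outside the lines shown. Before upload it is also worth confirming that each removed patch applies in reverse to the 4.14.7 tree, which shows the fix is really present rather than assumed.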
--- a/debian/patches/series-rt +++ b/debian/patches/series-rt @@ -6,7 +6,6 @@ # UPSTREAM changes queued ############################################################ features/all/rt/rcu-Suppress-lockdep-false-positive-boost_mtx-compla.patch -features/all/rt/sched-rt-Simplify-the-IPI-based-RT-balancing-logic.patch ############################################################ # UPSTREAM FIXES, patches pending