From b1a9e2470ab765b1168841becfb895a712b9aa13 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 22 May 2018 00:49:31 +0200 Subject: [PATCH] Update to 4.16.10 --- debian/changelog | 127 ++++++++- ...rrent-munlock-and-oom-reaper-unmap-v.patch | 242 ------------------ ...ss-cmdline-nor-environ-from-file-bac.patch | 106 -------- .../drivers-net-8139-disable-irq-nosync.patch | 28 -- debian/patches/series | 2 - debian/patches/series-rt | 1 - 6 files changed, 123 insertions(+), 383 deletions(-) delete mode 100644 debian/patches/bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch delete mode 100644 debian/patches/bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch delete mode 100644 debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch diff --git a/debian/changelog b/debian/changelog index 636dfb055..8c1d52f83 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.16.8-1) UNRELEASED; urgency=medium +linux (4.16.10-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.6 @@ -244,6 +244,128 @@ linux (4.16.8-1) UNRELEASED; urgency=medium - clocksource: Initialize cs->wd_list - clocksource: Consistent de-rate when marking unstable - tracing: Fix bad use of igrab in trace_uprobe.c + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.9 + - ipvs: fix rtnl_lock lockups caused by start_sync_thread + - netfilter: ebtables: don't attempt to allocate 0-sized compat array + - clk: ti: fix flag space conflict with clkctrl clocks + - rds: tcp: must use spin_lock_irq* and not spin_lock_bh with + rds_tcp_conn_lock + - crypto: af_alg - fix possible uninit-value in alg_bind() + - netlink: fix uninit-value in netlink_sendmsg + - net: fix rtnh_ok() + - net: initialize skb->peeked when cloning + - net: fix uninit-value in __hw_addr_add_ex() + - dccp: initialize ireq->ir_mark + - ipv4: fix uninit-value in ip_route_output_key_hash_rcu() + - soreuseport: initialise timewait reuseport field + - inetpeer: fix uninit-value in inet_getpeer + - bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog + - memcg: fix per_node_info cleanup + - perf: Remove superfluous allocation error check + - i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr() + - tcp: fix TCP_REPAIR_QUEUE bound checking + - bdi: wake up concurrent wb_shutdown() callers. + - bdi: Fix use after free bug in debugfs_remove() + - bdi: Fix oops in wb_workfn() + - compat: fix 4-byte infoleak via uninitialized struct field + - gpioib: do not free unrequested descriptors + - gpio: fix error path in lineevent_create + - rfkill: gpio: fix memory leak in probe error path + - libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs + - dm integrity: use kvfree for kvmalloc'd memory + - tracing: Fix regex_match_front() to not over compare the test string + - mm: sections are not offlined during memory hotremove + - mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200) + - ceph: fix rsize/wsize capping in ceph_direct_read_write() + - can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() + - [armhf,arm64] drm/vc4: Fix scaling of uni-planar formats + - drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages + - [x86] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log + - [x86] drm/i915: Adjust eDP's logical vco in a reliable place. + - drm/nouveau: Fix deadlock in nv50_mstm_register_connector() + (Closes: #898825) + - drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client + - drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() + - drm/atomic: Clean private obj old_state/new_state in + drm_atomic_state_default_clear() + - net: atm: Fix potential Spectre v1 + - atm: zatm: Fix potential Spectre v1 + - PCI / PM: Always check PME wakeup capability for runtime wakeup support + - PCI / PM: Check device_may_wakeup() in pci_enable_wake() + - cpufreq: schedutil: Avoid using invalid next_freq + - Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" + - [x86] Bluetooth: btusb: Add Dell XPS 13 9360 to + btusb_needs_reset_resume_table + - Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome + chipsets + - [armhf] thermal: exynos: Reading temperature makes sense only when TMU is + turned on + - [armhf] thermal: exynos: Propagate error value from tmu_read() + - nvme: add quirk to force medium priority for SQ creation + - nvme: Fix sync controller reset return + - smb3: directory sync should not return an error + - swiotlb: silent unwanted warning "buffer is full" + - sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] + - sched/autogroup: Fix possible Spectre-v1 indexing for + sched_prio_to_weight[] + - tracing/uprobe_event: Fix strncpy corner case + - [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_* + - [x86] perf/cstate: Fix possible Spectre-v1 indexing for pkg_msr + - [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver + - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] + - [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.10 + - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() + - bridge: check iface upper dev when setting master via ioctl + - dccp: fix tasklet usage + - ipv4: fix fnhe usage by non-cached routes + - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg + - llc: better deal with too small mtu + - net: ethernet: sun: niu set correct packet size in skb + - [armhf] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode + - net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()' + - net/mlx4_en: Verify coalescing parameters are in range + - net/mlx5e: Err if asked to offload TC match on frag being first + - net/mlx5: E-Switch, Include VF RDMA stats in vport statistics + - net sched actions: fix refcnt leak in skbmod + - net_sched: fq: take care of throttled flows before reuse + - net: support compat 64-bit time in {s,g}etsockopt + - openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is + found + - qmi_wwan: do not steal interfaces from class drivers + - r8169: fix powering up RTL8168h + - rds: do not leak kernel memory to user land + - sctp: delay the authentication for the duplicated cookie-echo chunk + - sctp: fix the issue that the cookie-ack with auth can't get processed + - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr + - sctp: remove sctp_chunk_put from fail_mark err path in + sctp_ulpevent_make_rcvmsg + - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d + - tcp_bbr: fix to zero idle_restart only upon S/ACKed data + - tcp: ignore Fast Open on repair mode + - tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). + - bonding: do not allow rlb updates to invalid mac + - bonding: send learning packets for vlans on slave + - net: sched: fix error path in tcf_proto_create() when modules are not + configured + - net/mlx5e: TX, Use correct counter in dma_map error flow + - net/mlx5: Avoid cleaning flow steering table twice during error flow + - [x86] hv_netvsc: set master device + - ipv6: fix uninit-value in ip6_multipath_l3_keys() + - net/mlx5e: Allow offloading ipv4 header re-write for icmp + - udp: fix SO_BINDTODEVICE + - net/mlx5e: DCBNL fix min inline header size for dscp + - sctp: clear the new asoc's stream outcnt in sctp_stream_update + - tcp: restore autocorking + - tipc: fix one byte leak in tipc_sk_set_orig_addr() + - [x86] hv_netvsc: Fix net device attach on older Windows hosts + - ipv4: reset fnhe_mtu_locked after cache route flushed + - net/mlx5: Fix mlx5_get_vector_affinity function + - net: phy: sfp: fix the BR,min computation + - net/smc: keep clcsock reference in smc_tcp_listen_work() + - scsi: aacraid: Correct hba_send to include iu_type + - proc: do not access cmdline nor environ from file-backed areas + (CVE-2018-1120) [ Romain Perier ] * [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204) @@ -257,9 +379,6 @@ linux (4.16.8-1) UNRELEASED; urgency=medium * [rt] Update to 4.16.7-rt1 and reenable * [rt] certs: Reference certificate for test key used in Debian signing service - * mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200) - * proc: do not access cmdline nor environ from file-backed areas - (CVE-2018-1120) -- Vagrant Cascadian Mon, 30 Apr 2018 11:23:15 -0700 diff --git a/debian/patches/bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch b/debian/patches/bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch deleted file mode 100644 index e9a482b89..000000000 --- a/debian/patches/bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch +++ /dev/null @@ -1,242 +0,0 @@ -From: David Rientjes -Date: Fri, 11 May 2018 16:02:04 -0700 -Subject: mm, oom: fix concurrent munlock and oom reaper unmap, v3 -Origin: https://git.kernel.org/linus/27ae357fa82be5ab73b2ef8d39dcb8ca2563483a -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000200 - -Since exit_mmap() is done without the protection of mm->mmap_sem, it is -possible for the oom reaper to concurrently operate on an mm until -MMF_OOM_SKIP is set. - -This allows munlock_vma_pages_all() to concurrently run while the oom -reaper is operating on a vma. Since munlock_vma_pages_range() depends -on clearing VM_LOCKED from vm_flags before actually doing the munlock to -determine if any other vmas are locking the same memory, the check for -VM_LOCKED in the oom reaper is racy. - -This is especially noticeable on architectures such as powerpc where -clearing a huge pmd requires serialize_against_pte_lookup(). If the pmd -is zapped by the oom reaper during follow_page_mask() after the check -for pmd_none() is bypassed, this ends up deferencing a NULL ptl or a -kernel oops. - -Fix this by manually freeing all possible memory from the mm before -doing the munlock and then setting MMF_OOM_SKIP. The oom reaper can not -run on the mm anymore so the munlock is safe to do in exit_mmap(). It -also matches the logic that the oom reaper currently uses for -determining when to set MMF_OOM_SKIP itself, so there's no new risk of -excessive oom killing. - -This issue fixes CVE-2018-1000200. - -Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1804241526320.238665@chino.kir.corp.google.com -Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") -Signed-off-by: David Rientjes -Suggested-by: Tetsuo Handa -Acked-by: Michal Hocko -Cc: Andrea Arcangeli -Cc: [4.14+] -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -[carnil: Backport to 4.16: adjust context] ---- - include/linux/oom.h | 2 + - mm/mmap.c | 44 ++++++++++++++++------------ - mm/oom_kill.c | 81 +++++++++++++++++++++++++++------------------------- - 3 files changed, 71 insertions(+), 56 deletions(-) - ---- a/include/linux/oom.h -+++ b/include/linux/oom.h -@@ -95,6 +95,8 @@ static inline int check_stable_address_s - return 0; - } - -+void __oom_reap_task_mm(struct mm_struct *mm); -+ - extern unsigned long oom_badness(struct task_struct *p, - struct mem_cgroup *memcg, const nodemask_t *nodemask, - unsigned long totalpages); ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -2997,6 +2997,32 @@ void exit_mmap(struct mm_struct *mm) - /* mm's last user has gone, and its about to be pulled down */ - mmu_notifier_release(mm); - -+ if (unlikely(mm_is_oom_victim(mm))) { -+ /* -+ * Manually reap the mm to free as much memory as possible. -+ * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard -+ * this mm from further consideration. Taking mm->mmap_sem for -+ * write after setting MMF_OOM_SKIP will guarantee that the oom -+ * reaper will not run on this mm again after mmap_sem is -+ * dropped. -+ * -+ * Nothing can be holding mm->mmap_sem here and the above call -+ * to mmu_notifier_release(mm) ensures mmu notifier callbacks in -+ * __oom_reap_task_mm() will not block. -+ * -+ * This needs to be done before calling munlock_vma_pages_all(), -+ * which clears VM_LOCKED, otherwise the oom reaper cannot -+ * reliably test it. -+ */ -+ mutex_lock(&oom_lock); -+ __oom_reap_task_mm(mm); -+ mutex_unlock(&oom_lock); -+ -+ set_bit(MMF_OOM_SKIP, &mm->flags); -+ down_write(&mm->mmap_sem); -+ up_write(&mm->mmap_sem); -+ } -+ - if (mm->locked_vm) { - vma = mm->mmap; - while (vma) { -@@ -3018,24 +3044,6 @@ void exit_mmap(struct mm_struct *mm) - /* update_hiwater_rss(mm) here? but nobody should be looking */ - /* Use -1 here to ensure all VMAs in the mm are unmapped */ - unmap_vmas(&tlb, vma, 0, -1); -- -- if (unlikely(mm_is_oom_victim(mm))) { -- /* -- * Wait for oom_reap_task() to stop working on this -- * mm. Because MMF_OOM_SKIP is already set before -- * calling down_read(), oom_reap_task() will not run -- * on this "mm" post up_write(). -- * -- * mm_is_oom_victim() cannot be set from under us -- * either because victim->mm is already set to NULL -- * under task_lock before calling mmput and oom_mm is -- * set not NULL by the OOM killer only if victim->mm -- * is found not NULL while holding the task_lock. -- */ -- set_bit(MMF_OOM_SKIP, &mm->flags); -- down_write(&mm->mmap_sem); -- up_write(&mm->mmap_sem); -- } - free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING); - tlb_finish_mmu(&tlb, 0, -1); - ---- a/mm/oom_kill.c -+++ b/mm/oom_kill.c -@@ -474,7 +474,6 @@ bool process_shares_mm(struct task_struc - return false; - } - -- - #ifdef CONFIG_MMU - /* - * OOM Reaper kernel thread which tries to reap the memory used by the OOM -@@ -485,16 +484,54 @@ static DECLARE_WAIT_QUEUE_HEAD(oom_reape - static struct task_struct *oom_reaper_list; - static DEFINE_SPINLOCK(oom_reaper_lock); - --static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) -+void __oom_reap_task_mm(struct mm_struct *mm) - { -- struct mmu_gather tlb; - struct vm_area_struct *vma; -+ -+ /* -+ * Tell all users of get_user/copy_from_user etc... that the content -+ * is no longer stable. No barriers really needed because unmapping -+ * should imply barriers already and the reader would hit a page fault -+ * if it stumbled over a reaped memory. -+ */ -+ set_bit(MMF_UNSTABLE, &mm->flags); -+ -+ for (vma = mm->mmap ; vma; vma = vma->vm_next) { -+ if (!can_madv_dontneed_vma(vma)) -+ continue; -+ -+ /* -+ * Only anonymous pages have a good chance to be dropped -+ * without additional steps which we cannot afford as we -+ * are OOM already. -+ * -+ * We do not even care about fs backed pages because all -+ * which are reclaimable have already been reclaimed and -+ * we do not want to block exit_mmap by keeping mm ref -+ * count elevated without a good reason. -+ */ -+ if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { -+ const unsigned long start = vma->vm_start; -+ const unsigned long end = vma->vm_end; -+ struct mmu_gather tlb; -+ -+ tlb_gather_mmu(&tlb, mm, start, end); -+ mmu_notifier_invalidate_range_start(mm, start, end); -+ unmap_page_range(&tlb, vma, start, end, NULL); -+ mmu_notifier_invalidate_range_end(mm, start, end); -+ tlb_finish_mmu(&tlb, start, end); -+ } -+ } -+} -+ -+static bool oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) -+{ - bool ret = true; - - /* - * We have to make sure to not race with the victim exit path - * and cause premature new oom victim selection: -- * __oom_reap_task_mm exit_mm -+ * oom_reap_task_mm exit_mm - * mmget_not_zero - * mmput - * atomic_dec_and_test -@@ -539,39 +576,8 @@ static bool __oom_reap_task_mm(struct ta - - trace_start_task_reaping(tsk->pid); - -- /* -- * Tell all users of get_user/copy_from_user etc... that the content -- * is no longer stable. No barriers really needed because unmapping -- * should imply barriers already and the reader would hit a page fault -- * if it stumbled over a reaped memory. -- */ -- set_bit(MMF_UNSTABLE, &mm->flags); -- -- for (vma = mm->mmap ; vma; vma = vma->vm_next) { -- if (!can_madv_dontneed_vma(vma)) -- continue; -+ __oom_reap_task_mm(mm); - -- /* -- * Only anonymous pages have a good chance to be dropped -- * without additional steps which we cannot afford as we -- * are OOM already. -- * -- * We do not even care about fs backed pages because all -- * which are reclaimable have already been reclaimed and -- * we do not want to block exit_mmap by keeping mm ref -- * count elevated without a good reason. -- */ -- if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { -- const unsigned long start = vma->vm_start; -- const unsigned long end = vma->vm_end; -- -- tlb_gather_mmu(&tlb, mm, start, end); -- mmu_notifier_invalidate_range_start(mm, start, end); -- unmap_page_range(&tlb, vma, start, end, NULL); -- mmu_notifier_invalidate_range_end(mm, start, end); -- tlb_finish_mmu(&tlb, start, end); -- } -- } - pr_info("oom_reaper: reaped process %d (%s), now anon-rss:%lukB, file-rss:%lukB, shmem-rss:%lukB\n", - task_pid_nr(tsk), tsk->comm, - K(get_mm_counter(mm, MM_ANONPAGES)), -@@ -592,13 +598,12 @@ static void oom_reap_task(struct task_st - struct mm_struct *mm = tsk->signal->oom_mm; - - /* Retry the down_read_trylock(mmap_sem) a few times */ -- while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm)) -+ while (attempts++ < MAX_OOM_REAP_RETRIES && !oom_reap_task_mm(tsk, mm)) - schedule_timeout_idle(HZ/10); - - if (attempts <= MAX_OOM_REAP_RETRIES) - goto done; - -- - pr_info("oom_reaper: unable to reap pid:%d (%s)\n", - task_pid_nr(tsk), tsk->comm); - debug_show_all_locks(); diff --git a/debian/patches/bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch b/debian/patches/bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch deleted file mode 100644 index d8a9ff1e8..000000000 --- a/debian/patches/bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch +++ /dev/null @@ -1,106 +0,0 @@ -From: Willy Tarreau -Date: Fri, 11 May 2018 08:11:44 +0200 -Subject: proc: do not access cmdline nor environ from file-backed areas -Origin: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1120 - -proc_pid_cmdline_read() and environ_read() directly access the target -process' VM to retrieve the command line and environment. If this -process remaps these areas onto a file via mmap(), the requesting -process may experience various issues such as extra delays if the -underlying device is slow to respond. - -Let's simply refuse to access file-backed areas in these functions. -For this we add a new FOLL_ANON gup flag that is passed to all calls -to access_remote_vm(). The code already takes care of such failures -(including unmapped areas). Accesses via /proc/pid/mem were not -changed though. - -This was assigned CVE-2018-1120. - -Note for stable backports: the patch may apply to kernels prior to 4.11 -but silently miss one location; it must be checked that no call to -access_remote_vm() keeps zero as the last argument. - -Reported-by: Qualys Security Advisory -Cc: Linus Torvalds -Cc: Andy Lutomirski -Cc: Oleg Nesterov -Cc: stable@vger.kernel.org -Signed-off-by: Willy Tarreau -Signed-off-by: Linus Torvalds ---- - fs/proc/base.c | 8 ++++---- - include/linux/mm.h | 1 + - mm/gup.c | 3 +++ - 3 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 1b2ede6abcdf..1a76d751cf3c 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -261,7 +261,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, - * Inherently racy -- command line shares address space - * with code and data. - */ -- rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0); -+ rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON); - if (rv <= 0) - goto out_free_page; - -@@ -279,7 +279,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, - int nr_read; - - _count = min3(count, len, PAGE_SIZE); -- nr_read = access_remote_vm(mm, p, page, _count, 0); -+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON); - if (nr_read < 0) - rv = nr_read; - if (nr_read <= 0) -@@ -325,7 +325,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, - bool final; - - _count = min3(count, len, PAGE_SIZE); -- nr_read = access_remote_vm(mm, p, page, _count, 0); -+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON); - if (nr_read < 0) - rv = nr_read; - if (nr_read <= 0) -@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, - max_len = min_t(size_t, PAGE_SIZE, count); - this_len = min(max_len, this_len); - -- retval = access_remote_vm(mm, (env_start + src), page, this_len, 0); -+ retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON); - - if (retval <= 0) { - ret = retval; -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 1ac1f06a4be6..c080af584ddd 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -2493,6 +2493,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, - #define FOLL_MLOCK 0x1000 /* lock present pages */ - #define FOLL_REMOTE 0x2000 /* we are working on non-current tsk/mm */ - #define FOLL_COW 0x4000 /* internal GUP flag */ -+#define FOLL_ANON 0x8000 /* don't do file mappings */ - - static inline int vm_fault_to_errno(int vm_fault, int foll_flags) - { -diff --git a/mm/gup.c b/mm/gup.c -index 76af4cfeaf68..541904a7c60f 100644 ---- a/mm/gup.c -+++ b/mm/gup.c -@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags) - if (vm_flags & (VM_IO | VM_PFNMAP)) - return -EFAULT; - -+ if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma)) -+ return -EFAULT; -+ - if (write) { - if (!(vm_flags & VM_WRITE)) { - if (!(gup_flags & FOLL_FORCE)) --- -2.17.0 - diff --git a/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch b/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch deleted file mode 100644 index 6863e835b..000000000 --- a/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Ingo Molnar -Date: Fri, 3 Jul 2009 08:29:24 -0500 -Subject: drivers/net: Use disable_irq_nosync() in 8139too -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.16/older/patches-4.16.7-rt1.tar.xz - -upstream commit af3e0fcf78879f718c5f73df0814951bd7057d34 - -Use disable_irq_nosync() instead of disable_irq() as this might be -called in atomic context with netpoll. - -Signed-off-by: Ingo Molnar -Signed-off-by: Thomas Gleixner - ---- - drivers/net/ethernet/realtek/8139too.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/ethernet/realtek/8139too.c -+++ b/drivers/net/ethernet/realtek/8139too.c -@@ -2224,7 +2224,7 @@ static void rtl8139_poll_controller(stru - struct rtl8139_private *tp = netdev_priv(dev); - const int irq = tp->pci_dev->irq; - -- disable_irq(irq); -+ disable_irq_nosync(irq); - rtl8139_interrupt(irq, dev); - enable_irq(irq); - } diff --git a/debian/patches/series b/debian/patches/series index c8ece6c9a..4c47e7b68 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -142,8 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/xfs-enhance-dinode-verifier.patch bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch -bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch -bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch diff --git a/debian/patches/series-rt b/debian/patches/series-rt index dc4f51def..1e21a6fe6 100644 --- a/debian/patches/series-rt +++ b/debian/patches/series-rt @@ -88,7 +88,6 @@ features/all/rt/0048-selftests-ftrace-Add-inter-event-hist-triggers-testc.patch features/all/rt/locking-rtmutex-Handle-non-enqueued-waiters-graceful.patch features/all/rt/sched-Remove-TASK_ALL.patch features/all/rt/rxrpc-remove-unused-static-variables.patch -features/all/rt/drivers-net-8139-disable-irq-nosync.patch features/all/rt/delayacct-use-raw_spinlocks.patch features/all/rt/stop-machine-raw-lock.patch features/all/rt/mmci-remove-bogus-irq-save.patch