Update to 4.3.5

Drop several patches that are included in it.

Fix/ignore various ABI changes.
Ben Hutchings 2016-02-01 08:53:39 +01:00
parent 20ed8bdbac
commit ba1393105a
13 changed files with 185 additions and 748 deletions

debian/changelog

@ -1,4 +1,4 @@
linux (4.3.4-1) UNRELEASED; urgency=medium
linux (4.3.5-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
@ -50,16 +50,169 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
- af_unix: Revert 'lock_interruptible' in stream receive code
- tcp: restore fastopen with no data in SYN packet
- rhashtable: Fix walker list corruption
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5
- [x86] smpboot: Re-enable init_udelay=0 by default on modern CPUs
- [x86] mpx: Fix instruction decoder condition
- [x86] signal: Fix restart_syscall number for x32 tasks
- [x86] paravirt: Prevent rtc_cmos platform device init on PV guests
- [x86] mce: Ensure offline CPUs don't participate in rendezvous process
- [x86] xen: don't reset vcpu_info on a cancelled suspend
- [x86] KVM: VMX: fix SMEP and SMAP without EPT
- [powerpc*] KVM: Book3S HV: Don't dynamically split core when already split
- [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state
in MSR
- [x86] KVM: expose MSR_TSC_AUX to userspace
- [x86] KVM: correctly print #AC in traces
- [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
- [x86] boot: Double BOOT_HEAP_SIZE to 64KB
- [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
(CVE-2016-2069)
- [x86] mm: Improve switch_mm() barrier comments
- timers: Use proper base migration in add_timer_on()
- ipmi: Start the timer and thread on internal msgs
- ipmi: move timer init to before irq is setup
- [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after
resume back
- ALSA: hda - Disable 64bit address for Creative HDA controllers
- ALSA: hda - Fix lost 4k BDL boundary workaround
- [x86] ALSA: hda - Add Intel Lewisburg device IDs Audio
- [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b
- ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in
- ALSA: hda - Apply HP headphone fixups more generically
- [x86] ALSA: hda - Fix noise on Dell Latitude E6440
- [x86] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
- [x86] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back
from S3
- [x86] ALSA: hda - Fix noise on Gigabyte Z170X mobo
- ALSA: hda - Skip ELD notification during system suspend
- ALSA: rme96: Fix unexpected volume reset after rate changes
- [x86] ALSA: hda - Add inverted dmic for Packard Bell DOTS
- ALSA: hda - Fixing speaker noise on the two latest thinkpad models
- [x86] ALSA: hda - Fix noise problems on Thinkpad T440s
- [x86] ALSA: hda/ca0132 - quirk for Alienware 17 2015
- [x86] ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
- [x86] ALSA: hda - Apply click noise workaround for Thinkpads generically
- [x86] ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
- [x86] ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
- ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
- ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly
- ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
- [x86] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
- [x86] ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO
- ALSA: hda - Add keycode map for alc input device
- [x86] ALSA: usb: Add native DSD support for Oppo HA-1
- ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
- ALSA: seq: Fix missing NULL check at remove_events ioctl
- ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect
- ALSA: seq: Fix race at timer setup and close
- [x86] ALSA: hda - Fix white noise on Dell Latitude E5550
- ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
- ALSA: timer: Harden slave timer list handling
- [x86] ALSA: hda - fix the headset mic detection problem for a Dell laptop
- ALSA: timer: Fix race among timer ioctls
- ALSA: timer: Fix double unlink of active_list
- [x86] ALSA: hda - Add fixup for Dell Latitidue E6540
- ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
- ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
- ALSA: hrtimer: Fix stall by hrtimer_cancel()
- ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
- [x86] ALSA: hda - Fix bass pin fixup for ASUS N550JX
- ALSA: hda - Flush the pending probe work at remove
- ALSA: timer: Handle disconnection more safely
- ASoC: rt286: Fix run time error while modifying const data
- ASoC: rsnd: fixup SCU_SYS_INT_EN1 address
- ASoC: wm8962: correct addresses for HPF_C_0/1
- ASoC: es8328: Fix deemphasis values
- ASoC: wm8974: set cache type for regmap
- ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx
- ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
- ASoC: wm5110: Fix PGA clear when disabling DRE
- ASoC: compress: Fix compress device direction check
- usb: xhci: fix config fail of FS hub behind a HS hub with MTT
- airspy: increase USB control message buffer size
- USB: fix invalid memory access in hub_activate()
- USB: ipaq.c: fix a timeout loop
- USB: cp210x: add ID for ELV Marble Sound Board 1
- usb: core: lpm: fix usb3_hardware_lpm sysfs node
- xhci: refuse loading if nousb is used
- openvswitch: correct encoding of set tunnel action attributes
- veth: dont modify ip_summed; doing so treats packets with bad checksums
as good.
- ipv6/addrlabel: fix ip6addrlbl_get()
- addrconf: always initialize sysctl table data
- net: cdc_ncm: avoid changing RX/TX buffers on MTU changes
- sctp: sctp should release assoc when sctp_make_abort_user return NULL
in sctp_close
- connector: bump skb->users before callback invocation
- af_unix: Fix splice-bind deadlock
- bridge: Only call /sbin/bridge-stp for the initial network namespace
- net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
- net: sched: fix missing free per cpu on qstats
- net: possible use after free in dst_release
- tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
- vxlan: fix test which detect duplicate vxlan iface
- net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
- ipv6: tcp: add rcu locking in tcp_v6_send_synack()
- tcp_yeah: don't set ssthresh below 2
- sched,cls_flower: set key address type when present
- net: pktgen: fix null ptr deref in skb allocation
- udp: disallow UFO for sockets with SO_NO_CHECK option
- net: preserve IP control block during GSO segmentation
- bonding: Prevent IPv6 link local address on enslaved devices
- phonet: properly unshare skbs in phonet_rcv()
- net: bpf: reject invalid shifts
- ipv6: update skb->csum when CE mark is propagated
- bridge: fix lockdep addr_list_lock false positive splat
- batman-adv: Avoid recursive call_rcu for batadv_bla_claim
- batman-adv: Avoid recursive call_rcu for batadv_nc_node
- batman-adv: Drop immediate batadv_orig_ifinfo free function
- batman-adv: Drop immediate batadv_neigh_node free function
- batman-adv: Drop immediate neigh_ifinfo free function
- batman-adv: Drop immediate batadv_hard_iface free function
- batman-adv: Drop immediate orig_node free function
- net/mlx5_core: Fix trimming down IRQ number
- team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
- xfrm: dst_entries_init() per-net dst_ops
- [powerpc*] tm: Block signal return setting invalid MSR state
- [powerpc*] tm: Check for already reclaimed tasks
- [powerpc*] opal-irqchip: Fix double endian conversion
- [powerpc*] opal-irqchip: Fix deadlock introduced by "Fix double endian
conversion"
- [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type
- [powerpc*] Make value-returning atomics fully ordered
- [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered
- [powerpc*] scripts/recordmcount.pl: support data in text section
- [powerpc*] module: Handle R_PPC64_ENTRY relocations
- [arm64] recordmcount: Replace the ignored mcount call into nop
- [arm64] bpf: fix div-by-zero case
- [arm64] bpf: fix mod-by-zero case
- [arm64] cmpxchg_dbl: fix return value type
- [arm64] kernel: pause/unpause function graph tracer in cpu_suspend()
- [arm*] KVM: test properly for a PTE's uncachedness
- [arm64] KVM: Fix AArch32 to AArch64 register mapping
- [arm*] KVM: correct PTE uncachedness check
- [arm64] Clear out any singlestep state on a ptrace detach operation
- [arm64] mm: ensure that the zero page is visible to the page table walker
- [arm64] kernel: enforce pmuserenr_el0 initialization and restore
- [arm*] iommu/arm-smmu: Fix error checking for ASID and VMID allocation
- [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
- [hppa] iommu: fix panic due to trying to allocate too large region
- HID: wacom: Tie cached HID_DG_CONTACTCOUNT indices to report ID
- HID: wacom: Expect 'touch_max' touches if HID_DG_CONTACTCOUNT not present
- HID: core: Avoid uninitialized buffer access
- staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
- direct-io: Fix negative return from dio read beyond eof
- fix the regression from "direct-io: Fix negative return from dio read
beyond eof"
- [arm64] restore bogomips information in /proc/cpuinfo
- [arm64] KVM: Add workaround for Cortex-A57 erratum 834220
- [arm64] kernel: fix architected PMU registers unconditional access
[ Ben Hutchings ]
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
* SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
* [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
(CVE-2016-2069)
* [x86] mm: Improve switch_mm() barrier comments
[ Salvatore Bonaccorso ]
* tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
* netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
[ Aurelien Jarno ]
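Review bot: the context entries kept at the end of this hunk under [ Ben Hutchings ] ('[x86] mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069)', '[x86] mm: Improve switch_mm() barrier comments') and under [ Salvatore Bonaccorso ] ('tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)') now duplicate items in the new 4.3.5 list above, and the Debian patch files for all three are deleted further down in this commit; since 4.3.5-1 is still UNRELEASED, drop those per-maintainer entries (the CVE ids are already on the upstream list lines) so the changelog does not claim the same fix twice for one version.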


@ -16,6 +16,9 @@ ignore-changes:
# Can't be used from OOT
pin_is_valid
pinctrl_*
# Shouldn't be used from OOT
module:drivers/net/ethernet/mellanox/**
pv_info
[base]
arches:
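Review bot: the two new entries under '# Shouldn't be used from OOT' (module:drivers/net/ethernet/mellanox/** and pv_info) give no pointer to the upstream change that altered each symbol, and the commit message only says 'Fix/ignore various ABI changes'; a short comment naming the 4.3.5 change behind each entry (the changelog lists 'net/mlx5_core: Fix trimming down IRQ number' and '[x86] paravirt: Prevent rtc_cmos platform device init on PV guests', which look like the candidates) would make it clear when the ignore entries can be retired at the next ABI bump.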


@ -1,37 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 1 Nov 2015 16:21:24 +0000
Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3
Compile-tested only.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
index c4198fa..86f9abe 100644
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
is->compflags = 0;
is->reset = isdn_ppp_ccp_reset_alloc(is);
+ if (!is->reset)
+ return -ENOMEM;
is->lp = NULL;
is->mp_seqno = 0; /* MP sequence number */
@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
* VJ header compression init
*/
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
+ if (!is->slcomp) {
+ isdn_ppp_ccp_reset_free(is);
+ return -ENOMEM;
+ }
#endif
#ifdef CONFIG_IPPP_FILTER
is->pass_filter = NULL;
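Review bot: this patch can only be dropped together with the 'ppp, slip: Validate VJ compression slot parameters completely' patch that is also deleted in this commit, because that patch rewrites the second hunk here ('- if (!is->slcomp) {' becomes '+ if (IS_ERR(is->slcomp)) {') and would no longer apply on its own; the commit does remove both, which is correct. Separately, the changelog's 4.3.5 list does not name this isdn_ppp change, so the Origin line (0baa57d8dc32) is the only evidence it is upstream; confirm it against the 4.3.5 ChangeLog before merging.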


@ -1,31 +0,0 @@
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
Date: Wed, 7 Oct 2015 07:09:26 -0300
Subject: [media] media/vivid-osd: fix info leak in ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c
The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
struct fb_vblank after the ->hcount member. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Salva Peiró <speirofr@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
drivers/media/platform/vivid/vivid-osd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
index 084d346..e15eef6 100644
--- a/drivers/media/platform/vivid/vivid-osd.c
+++ b/drivers/media/platform/vivid/vivid-osd.c
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
case FBIOGET_VBLANK: {
struct fb_vblank vblank;
+ memset(&vblank, 0, sizeof(vblank));
vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
FB_VBLANK_HAVE_VSYNC;
vblank.count = 0;
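Review bot: the memset(&vblank, 0, sizeof(vblank)) that closes the FBIOGET_VBLANK stack info leak is not mentioned in the changelog's 4.3.5 list either, so the Origin line (eda98796aff0) is the only link to upstream; check it against the 4.3.5 ChangeLog, because dropping an info-leak fix that is not actually in the new upstream tree would regress silently with no apply failure to flag it.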


@ -1,128 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 1 Nov 2015 16:22:53 +0000
Subject: ppp, slip: Validate VJ compression slot parameters completely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae
Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).
Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL. Change the callers accordingly.
Compile-tested only.
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
drivers/net/ppp/ppp_generic.c | 6 ++----
drivers/net/slip/slhc.c | 12 ++++++++----
drivers/net/slip/slip.c | 2 +-
4 files changed, 15 insertions(+), 15 deletions(-)
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file
* VJ header compression init
*/
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
- if (!is->slcomp) {
+ if (IS_ERR(is->slcomp)) {
isdn_ppp_ccp_reset_free(is);
- return -ENOMEM;
+ return PTR_ERR(is->slcomp);
}
#endif
#ifdef CONFIG_IPPP_FILTER
@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil
is->maxcid = val;
#ifdef CONFIG_ISDN_PPP_VJ
sltmp = slhc_init(16, val);
- if (!sltmp) {
- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
- return -ENOMEM;
- }
+ if (IS_ERR(sltmp))
+ return PTR_ERR(sltmp);
if (is->slcomp)
slhc_free(is->slcomp);
is->slcomp = sltmp;
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file,
val &= 0xffff;
}
vj = slhc_init(val2+1, val+1);
- if (!vj) {
- netdev_err(ppp->dev,
- "PPP: no memory (VJ compressor)\n");
- err = -ENOMEM;
+ if (IS_ERR(vj)) {
+ err = PTR_ERR(vj);
break;
}
ppp_lock(ppp);
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
static unsigned char * put16(unsigned char *cp, unsigned short x);
static unsigned short pull16(unsigned char **cpp);
-/* Initialize compression data structure
+/* Allocate compression data structure
* slots must be in range 0 to 255 (zero meaning no compression)
+ * Returns pointer to structure or ERR_PTR() on error.
*/
struct slcompress *
slhc_init(int rslots, int tslots)
@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
register struct cstate *ts;
struct slcompress *comp;
+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
+ return ERR_PTR(-EINVAL);
+
comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
if (! comp)
goto out_fail;
- if ( rslots > 0 && rslots < 256 ) {
+ if (rslots > 0) {
size_t rsize = rslots * sizeof(struct cstate);
comp->rstate = kzalloc(rsize, GFP_KERNEL);
if (! comp->rstate)
@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
comp->rslot_limit = rslots - 1;
}
- if ( tslots > 0 && tslots < 256 ) {
+ if (tslots > 0) {
size_t tsize = tslots * sizeof(struct cstate);
comp->tstate = kzalloc(tsize, GFP_KERNEL);
if (! comp->tstate)
@@ -141,7 +145,7 @@ out_free2:
out_free:
kfree(comp);
out_fail:
- return NULL;
+ return ERR_PTR(-ENOMEM);
}
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl
if (cbuff == NULL)
goto err_exit;
slcomp = slhc_init(16, 16);
- if (slcomp == NULL)
+ if (IS_ERR(slcomp))
goto err_exit;
#endif
spin_lock_bh(&sl->lock);
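Review bot: CVE-2015-7799 (the null dereference in slhc_init() described in this patch) appears nowhere in the changelog hunk, so a reader of the 4.3.5-1 changelog cannot see that the fix is now carried by upstream rather than by debian/patches; if the CVE was recorded under the earlier upload that applied this patch that is fine, otherwise add it to the 4.3.5 list. Note also that the slhc.c hunk makes callers in ppp_generic.c and isdn_ppp.c return PTR_ERR() (-EINVAL for out-of-range slot counts) where they previously returned -ENOMEM; that user-visible errno change arrives with the upstream version as well, so nothing changes for users by dropping the patch.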


@ -1,63 +0,0 @@
From: Yuchung Cheng <ycheng@google.com>
Date: Wed, 6 Jan 2016 12:42:38 -0800
Subject: tcp: fix zero cwnd in tcp_cwnd_reduction
Origin: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390
Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
conditionally") introduced a bug that cwnd may become 0 when both
inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
to a div-by-zero if the connection starts another cwnd reduction
phase by setting tp->prior_cwnd to the current cwnd (0) in
tcp_init_cwnd_reduction().
To prevent this we skip PRR operation when nothing is acked or
sacked. Then cwnd must be positive in all cases as long as ssthresh
is positive:
1) The proportional reduction mode
inflight > ssthresh > 0
2) The reduction bound mode
a) inflight == ssthresh > 0
b) inflight < ssthresh
sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
Therefore in all cases inflight and sndcnt can not both be 0.
We check invalid tp->prior_cwnd to avoid potential div0 bugs.
In reality this bug is triggered only with a sequence of less common
events. For example, the connection is terminating an ECN-triggered
cwnd reduction with an inflight 0, then it receives reordered/old
ACKs or DSACKs from prior transmission (which acks nothing). Or the
connection is in fast recovery stage that marks everything lost,
but fails to retransmit due to local issues, then receives data
packets from other end which acks nothing.
Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/tcp_input.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 2d656ee..d4c5115 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
int newly_acked_sacked = prior_unsacked -
(tp->packets_out - tp->sacked_out);
+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
+ return;
+
tp->prr_delivered += newly_acked_sacked;
if (delta < 0) {
u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
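Review bot: this drop is consistent with the changelog, whose 4.3.5 list carries 'tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)' matching the Origin 8b8a321ff72c and the subject here; the remaining loose end is the [ Salvatore Bonaccorso ] entry for the same fix left as context in the changelog hunk, which should be removed now that debian/patches no longer carries it.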
--
2.1.4


@ -1,140 +0,0 @@
From: willy tarreau <w@1wt.eu>
Date: Sun, 10 Jan 2016 07:54:56 +0100
Subject: unix: properly account for FDs passed over unix sockets
Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593
It is possible for a process to allocate and accumulate far more FDs than
the process' limit by sending them over a unix socket then closing them
to keep the process' fd count low.
This change addresses this problem by keeping track of the number of FDs
in flight per user and preventing non-privileged processes from having
more FDs in flight than their configured FD limit.
Reported-by: socketpair@gmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/linux/sched.h | 1 +
net/unix/af_unix.c | 24 ++++++++++++++++++++----
net/unix/garbage.c | 13 ++++++++-----
3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index edad7a4..fbf25f1 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -830,6 +830,7 @@ struct user_struct {
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
#endif
unsigned long locked_shm; /* How many pages of mlocked shm ? */
+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
#ifdef CONFIG_KEYS
struct key *uid_keyring; /* UID specific keyring */
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ef05cd9..e3f85bc 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
sock_wfree(skb);
}
+/*
+ * The "user->unix_inflight" variable is protected by the garbage
+ * collection lock, and we just read it locklessly here. If you go
+ * over the limit, there might be a tiny race in actually noticing
+ * it across threads. Tough.
+ */
+static inline bool too_many_unix_fds(struct task_struct *p)
+{
+ struct user_struct *user = current_user();
+
+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+ return false;
+}
+
#define MAX_RECURSION_LEVEL 4
static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
unsigned char max_level = 0;
int unix_sock_count = 0;
+ if (too_many_unix_fds(current))
+ return -ETOOMANYREFS;
+
for (i = scm->fp->count - 1; i >= 0; i--) {
struct sock *sk = unix_get_socket(scm->fp->fp[i]);
@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
if (!UNIXCB(skb).fp)
return -ENOMEM;
- if (unix_sock_count) {
- for (i = scm->fp->count - 1; i >= 0; i--)
- unix_inflight(scm->fp->fp[i]);
- }
+ for (i = scm->fp->count - 1; i >= 0; i--)
+ unix_inflight(scm->fp->fp[i]);
return max_level;
}
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index a73a226..8fcdc22 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
{
struct sock *s = unix_get_socket(fp);
+ spin_lock(&unix_gc_lock);
+
if (s) {
struct unix_sock *u = unix_sk(s);
- spin_lock(&unix_gc_lock);
-
if (atomic_long_inc_return(&u->inflight) == 1) {
BUG_ON(!list_empty(&u->link));
list_add_tail(&u->link, &gc_inflight_list);
@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
BUG_ON(list_empty(&u->link));
}
unix_tot_inflight++;
- spin_unlock(&unix_gc_lock);
}
+ fp->f_cred->user->unix_inflight++;
+ spin_unlock(&unix_gc_lock);
}
void unix_notinflight(struct file *fp)
{
struct sock *s = unix_get_socket(fp);
+ spin_lock(&unix_gc_lock);
+
if (s) {
struct unix_sock *u = unix_sk(s);
- spin_lock(&unix_gc_lock);
BUG_ON(list_empty(&u->link));
if (atomic_long_dec_and_test(&u->inflight))
list_del_init(&u->link);
unix_tot_inflight--;
- spin_unlock(&unix_gc_lock);
}
+ fp->f_cred->user->unix_inflight--;
+ spin_unlock(&unix_gc_lock);
}
static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
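Review bot: in the af_unix.c hunk too_many_unix_fds() compares current_user()->unix_inflight against the sending task's RLIMIT_NOFILE, while the two garbage.c hunks increment and decrement the counter on fp->f_cred->user, i.e. the user who opened each file; when a descriptor opened under one user is passed by a process running as another, the check and the accounting act on different user_structs, so the limit can be applied to the wrong user. That is upstream's code and it leaves with the patch, but since the changelog's 4.3.5 list does not mention this change or its 'Mitigates: CVE-2013-4312' line, confirm 712f4aad406b is in 4.3.5 and watch for an upstream follow-up that aligns the two sides of the accounting.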
--
2.7.0.rc3


@ -1,38 +0,0 @@
From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Date: Tue, 10 Nov 2015 15:10:33 -0500
Subject: xen/gntdev: Grant maps should not be subject to NUMA balancing
Origin: https://git.kernel.org/linus/9c17d96500f78d7ecdb71ca6942830158bc75a2b
Bug-Debian: https://bugs.debian.org/810472
Doing so will cause the grant to be unmapped and then, during
fault handling, the fault to be mistakenly treated as NUMA hint
fault.
In addition, even if those maps could partcipate in NUMA
balancing, it wouldn't provide any benefit since we are unable
to determine physical page's node (even if/when VNUMA is
implemented).
Marking grant maps' VMAs as VM_IO will exclude them from being
part of NUMA balancing.
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
---
drivers/xen/gntdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 2ea0b3b..1be5dd0 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
vma->vm_ops = &gntdev_vmops;
- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
+ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
if (use_ptemod)
vma->vm_flags |= VM_DONTCOPY;
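Review bot: this patch carries 'Bug-Debian: https://bugs.debian.org/810472', but the changelog hunk closes only #801925 (the SCSI runtime PM fix) and has no Closes: #810472; confirm the bug was closed in the upload that first applied the patch, otherwise the report loses its link to the VM_IO fix once this patch file is gone and should get a changelog line under 4.3.5-1.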


@ -1,75 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 10 Nov 2015 09:14:39 +0100
Subject: KVM: svm: unconditionally intercept #DB
Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d
This is needed to avoid the possibility that the guest triggers
an infinite stream of #DB exceptions (CVE-2015-8104).
VMX is not affected: because it does not save DR6 in the VMCS,
it already intercepts #DB unconditionally.
Reported-by: Jan Beulich <jbeulich@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/svm.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s
set_exception_intercept(svm, UD_VECTOR);
set_exception_intercept(svm, MC_VECTOR);
set_exception_intercept(svm, AC_VECTOR);
+ set_exception_intercept(svm, DB_VECTOR);
set_intercept(svm, INTERCEPT_INTR);
set_intercept(svm, INTERCEPT_NMI);
@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v
mark_dirty(svm->vmcb, VMCB_SEG);
}
-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
+static void update_bp_intercept(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
- clr_exception_intercept(svm, DB_VECTOR);
clr_exception_intercept(svm, BP_VECTOR);
- if (svm->nmi_singlestep)
- set_exception_intercept(svm, DB_VECTOR);
-
if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
- if (vcpu->guest_debug &
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
- set_exception_intercept(svm, DB_VECTOR);
if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
set_exception_intercept(svm, BP_VECTOR);
} else
@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
svm->vmcb->save.rflags &=
~(X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(&svm->vcpu);
}
if (svm->vcpu.guest_debug &
@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm
*/
svm->nmi_singlestep = true;
svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
- update_db_bp_intercept(vcpu);
}
static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops =
.vcpu_load = svm_vcpu_load,
.vcpu_put = svm_vcpu_put,
- .update_db_bp_intercept = update_db_bp_intercept,
+ .update_db_bp_intercept = update_bp_intercept,
.get_msr = svm_get_msr,
.set_msr = svm_set_msr,
.get_segment_base = svm_get_segment_base,
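Review bot: CVE-2015-8104 (unconditional #DB interception on SVM) is not in the changelog's 4.3.5 list, which for x86 KVM mentions only '[x86] KVM: VMX: fix SMEP and SMAP without EPT', 'expose MSR_TSC_AUX to userspace' and 'correctly print #AC in traces'; the Origin line (cbdb967af3d5) is therefore the only link, so verify it is in the 4.3.5 ChangeLog before dropping, as a guest-triggerable #DB storm is not something a later apply failure would catch.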


@ -1,158 +0,0 @@
From: Andy Lutomirski <luto@kernel.org>
Date: Wed, 6 Jan 2016 12:21:01 -0800
Subject: x86/mm: Add barriers and document switch_mm()-vs-flush
synchronization
Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e
When switch_mm() activates a new PGD, it also sets a bit that
tells other CPUs that the PGD is in use so that TLB flush IPIs
will be sent. In order for that to work correctly, the bit
needs to be visible prior to loading the PGD and therefore
starting to fill the local TLB.
Document all the barriers that make this work correctly and add
a couple that were missing.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: stable@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++-
arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++---
2 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 379cd3658799..1edc9cd198b8 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
#endif
cpumask_set_cpu(cpu, mm_cpumask(next));
- /* Re-load page tables */
+ /*
+ * Re-load page tables.
+ *
+ * This logic has an ordering constraint:
+ *
+ * CPU 0: Write to a PTE for 'next'
+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
+ * CPU 1: set bit 1 in next's mm_cpumask
+ * CPU 1: load from the PTE that CPU 0 writes (implicit)
+ *
+ * We need to prevent an outcome in which CPU 1 observes
+ * the new PTE value and CPU 0 observes bit 1 clear in
+ * mm_cpumask. (If that occurs, then the IPI will never
+ * be sent, and CPU 0's TLB will contain a stale entry.)
+ *
+ * The bad outcome can occur if either CPU's load is
+ * reordered before that CPU's store, so both CPUs much
+ * execute full barriers to prevent this from happening.
+ *
+ * Thus, switch_mm needs a full barrier between the
+ * store to mm_cpumask and any operation that could load
+ * from next->pgd. This barrier synchronizes with
+ * remote TLB flushers. Fortunately, load_cr3 is
+ * serializing and thus acts as a full barrier.
+ *
+ */
load_cr3(next->pgd);
+
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
/* Stop flush ipis for the previous mm */
@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* schedule, protecting us from simultaneous changes.
*/
cpumask_set_cpu(cpu, mm_cpumask(next));
+
/*
* We were in lazy tlb mode and leave_mm disabled
* tlb flush IPI delivery. We must reload CR3
* to make sure to use no freed page tables.
+ *
+ * As above, this is a barrier that forces
+ * TLB repopulation to be ordered after the
+ * store to mm_cpumask.
*/
load_cr3(next->pgd);
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index 8ddb5d0d66fb..8f4cc3dfac32 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -161,7 +161,10 @@ void flush_tlb_current_task(void)
preempt_disable();
count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
+
+ /* This is an implicit full barrier that synchronizes with switch_mm. */
local_flush_tlb();
+
trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
preempt_disable();
- if (current->active_mm != mm)
+ if (current->active_mm != mm) {
+ /* Synchronize with switch_mm. */
+ smp_mb();
+
goto out;
+ }
if (!current->mm) {
leave_mm(smp_processor_id());
+
+ /* Synchronize with switch_mm. */
+ smp_mb();
+
goto out;
}
if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
base_pages_to_flush = (end - start) >> PAGE_SHIFT;
+ /*
+ * Both branches below are implicit full barriers (MOV to CR or
+ * INVLPG) that synchronize with switch_mm.
+ */
if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
base_pages_to_flush = TLB_FLUSH_ALL;
count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
preempt_disable();
if (current->active_mm == mm) {
- if (current->mm)
+ if (current->mm) {
+ /*
+ * Implicit full barrier (INVLPG) that synchronizes
+ * with switch_mm.
+ */
__flush_tlb_one(start);
- else
+ } else {
leave_mm(smp_processor_id());
+
+ /* Synchronize with switch_mm. */
+ smp_mb();
+ }
}
if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
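Review bot: the new comment in the mmu_context.h hunk carries the typo 'so both CPUs much execute full barriers' that the following dropped patch ('x86/mm: Improve switch_mm() barrier comments') corrects, so the two must be dropped as a pair, which this commit does; both are also listed in the changelog's 4.3.5 list ('[x86] mm: Add barriers and document switch_mm()-vs-flush synchronization (CVE-2016-2069)' and '[x86] mm: Improve switch_mm() barrier comments'), so the drop is consistent and only the duplicate [ Ben Hutchings ] changelog entries remain to be cleaned up.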

@ -1,64 +0,0 @@
From: Andy Lutomirski <luto@kernel.org>
Date: Tue, 12 Jan 2016 12:47:40 -0800
Subject: x86/mm: Improve switch_mm() barrier comments
Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b
My previous comments were still a bit confusing and there was a
typo. Fix it up.
Reported-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization")
Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/include/asm/mmu_context.h | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 1edc9cd198b8..bfd9b2a35a0b 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* be sent, and CPU 0's TLB will contain a stale entry.)
*
* The bad outcome can occur if either CPU's load is
- * reordered before that CPU's store, so both CPUs much
+ * reordered before that CPU's store, so both CPUs must
* execute full barriers to prevent this from happening.
*
* Thus, switch_mm needs a full barrier between the
* store to mm_cpumask and any operation that could load
- * from next->pgd. This barrier synchronizes with
- * remote TLB flushers. Fortunately, load_cr3 is
- * serializing and thus acts as a full barrier.
+ * from next->pgd. TLB fills are special and can happen
+ * due to instruction fetches or for no reason at all,
+ * and neither LOCK nor MFENCE orders them.
+ * Fortunately, load_cr3() is serializing and gives the
+ * ordering guarantee we need.
*
*/
load_cr3(next->pgd);
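Review bot: the reworded comment now explains why switch_mm() cannot rely on smp_mb() ("neither LOCK nor MFENCE orders" TLB fills), but the flusher side in arch/x86/mm/tlb.c does use smp_mb() on its non-CR3 paths, and a reader comparing the two will see a contradiction. One sentence here noting that the flusher only needs ordinary store/load ordering (page-table store before the mm_cpumask load), which MFENCE does provide, while switch_mm() additionally needs TLB fills ordered after the mm_cpumask store, would reconcile them. Minor: the empty " *" line left before " */" at the end of the block is leftover from the previous wording and should go.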
@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* tlb flush IPI delivery. We must reload CR3
* to make sure to use no freed page tables.
*
- * As above, this is a barrier that forces
- * TLB repopulation to be ordered after the
- * store to mm_cpumask.
+ * As above, load_cr3() is serializing and orders TLB
+ * fills with respect to the mm_cpumask write.
*/
load_cr3(next->pgd);
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);

@ -0,0 +1,23 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 01 Feb 2016 09:05:24 +0100
Subject: usb: Fix ABI change in 4.3.5
Forwarded: not-needed
struct usb_device gained two new bitfields, but there were plenty of
padding bits to spare. Hide them from genksyms.
---
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -582,8 +582,11 @@ struct usb_device {
unsigned usb2_hw_lpm_enabled:1;
unsigned usb2_hw_lpm_allowed:1;
unsigned usb3_lpm_enabled:1;
+#ifndef __GENKSYMS__
unsigned usb3_lpm_u1_enabled:1;
unsigned usb3_lpm_u2_enabled:1;
+ /* 18 bits spare */
+#endif
int string_langid;
/* static strings from the device */
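Review bot: the "/* 18 bits spare */" comment sits inside the #ifndef __GENKSYMS__ block, so the ABI argument is documented only in the view genksyms never sees; move it, together with a note that the two new bitfields are hidden because they fit in the padding of the same bitfield unit, outside the #ifndef so the rationale survives in both views. Hiding fields from genksyms is only ABI-neutral while sizeof(struct usb_device) and the offsets of the following members (int string_langid onwards) are unchanged; the description asserts that but nothing in the patch checks it, so either a BUILD_BUG_ON on the struct size or an explicit count of used bits in the description would make the claim verifiable rather than trusted.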

debian/patches/series vendored

@ -100,13 +100,9 @@ bugfix/all/selftests-breakpoints-actually-build-it.patch
debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
# Security fixes
bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
bugfix/all/xen-add-ring_copy_request.patch
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
@ -127,11 +123,9 @@ bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
@ -142,8 +136,6 @@ bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch
bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
debian/usb-fix-abi-change-in-4.3.5.patch
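Review bot: the rendering has dropped the +/- markers from the series hunks, so which entries are removed can only be inferred from the hunk headers; for this last hunk (-8 +6 with one visible addition, debian/usb-fix-abi-change-in-4.3.5.patch) that means three entries dropped, and the two x86/mm switch_mm() patches listed at the end match the 64-line deletion of the "x86/mm: Improve switch_mm() barrier comments" patch shown above, which is consistent. The first hunk's header (-13 +9) does not match the 12 lines rendered, so at least one line of that hunk is missing from this view; anyone reviewing the dropped security patches should read the series file itself rather than this page, and confirm that each removed bugfix/ entry landed upstream in the same form, since quilt will not flag a patch that was dropped while its upstream counterpart was merged differently.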