From ba1393105a51e21ed8813044437d9aee1f91f58d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 1 Feb 2016 08:53:39 +0100 Subject: [PATCH] Update to 4.3.5 Drop several patches that are included in it. Fix/ignore various ABI changes. --- debian/changelog | 163 +++++++++++++++++- debian/config/defines | 3 + ...cks-for-allocation-failure-in-isdn_p.patch | 37 ---- ...dia-vivid-osd-fix-info-leak-in-ioctl.patch | 31 ---- ...e-vj-compression-slot-parameters-com.patch | 128 -------------- ...-fix-zero-cwnd-in-tcp_cwnd_reduction.patch | 63 ------- ...count-for-FDs-passed-over-unix-socke.patch | 140 --------------- ...-maps-should-not-be-subject-to-numa-.patch | 38 ---- ...kvm-svm-unconditionally-intercept-DB.patch | 75 -------- ...ers-and-document-switch_mm-vs-flush-.patch | 158 ----------------- ...m-Improve-switch_mm-barrier-comments.patch | 64 ------- .../debian/usb-fix-abi-change-in-4.3.5.patch | 23 +++ debian/patches/series | 10 +- 13 files changed, 185 insertions(+), 748 deletions(-) delete mode 100644 debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch delete mode 100644 debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch delete mode 100644 debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch delete mode 100644 debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch delete mode 100644 debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch delete mode 100644 debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch delete mode 100644 debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch delete mode 100644 debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch delete mode 100644 debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch create mode 100644 debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch diff --git a/debian/changelog b/debian/changelog index 1ad6903a4..3d92a19c7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.3.4-1) UNRELEASED; urgency=medium +linux (4.3.5-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4 @@ -50,16 +50,169 @@ linux (4.3.4-1) UNRELEASED; urgency=medium - af_unix: Revert 'lock_interruptible' in stream receive code - tcp: restore fastopen with no data in SYN packet - rhashtable: Fix walker list corruption + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5 + - [x86] smpboot: Re-enable init_udelay=0 by default on modern CPUs + - [x86] mpx: Fix instruction decoder condition + - [x86] signal: Fix restart_syscall number for x32 tasks + - [x86] paravirt: Prevent rtc_cmos platform device init on PV guests + - [x86] mce: Ensure offline CPUs don't participate in rendezvous process + - [x86] xen: don't reset vcpu_info on a cancelled suspend + - [x86] KVM: VMX: fix SMEP and SMAP without EPT + - [powerpc*] KVM: Book3S HV: Don't dynamically split core when already split + - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state + in MSR + - [x86] KVM: expose MSR_TSC_AUX to userspace + - [x86] KVM: correctly print #AC in traces + - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] + - [x86] boot: Double BOOT_HEAP_SIZE to 64KB + - [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization + (CVE-2016-2069) + - [x86] mm: Improve switch_mm() barrier comments + - timers: Use proper base migration in add_timer_on() + - ipmi: Start the timer and thread on internal msgs + - ipmi: move timer init to before irq is setup + - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after + resume back + - ALSA: hda - Disable 64bit address for Creative HDA controllers + - ALSA: hda - Fix lost 4k BDL boundary workaround + - [x86] ALSA: hda - Add Intel Lewisburg device IDs Audio + - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b + - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in + - ALSA: hda - Apply HP headphone fixups more generically + - [x86] ALSA: hda - Fix noise on Dell Latitude E6440 + - [x86] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14 + - [x86] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back + from S3 + - [x86] ALSA: hda - Fix noise on Gigabyte Z170X mobo + - ALSA: hda - Skip ELD notification during system suspend + - ALSA: rme96: Fix unexpected volume reset after rate changes + - [x86] ALSA: hda - Add inverted dmic for Packard Bell DOTS + - ALSA: hda - Fixing speaker noise on the two latest thinkpad models + - [x86] ALSA: hda - Fix noise problems on Thinkpad T440s + - [x86] ALSA: hda/ca0132 - quirk for Alienware 17 2015 + - [x86] ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd + - [x86] ALSA: hda - Apply click noise workaround for Thinkpads generically + - [x86] ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines + - [x86] ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads + - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly + - ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly + - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw() + - [x86] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2) + - [x86] ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO + - ALSA: hda - Add keycode map for alc input device + - [x86] ALSA: usb: Add native DSD support for Oppo HA-1 + - ALSA: hda - Fixup inverted internal mic for Lenovo E50-80 + - ALSA: seq: Fix missing NULL check at remove_events ioctl + - ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect + - ALSA: seq: Fix race at timer setup and close + - [x86] ALSA: hda - Fix white noise on Dell Latitude E5550 + - ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices + - ALSA: timer: Harden slave timer list handling + - [x86] ALSA: hda - fix the headset mic detection problem for a Dell laptop + - ALSA: timer: Fix race among timer ioctls + - ALSA: timer: Fix double unlink of active_list + - [x86] ALSA: hda - Add fixup for Dell Latitidue E6540 + - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode + - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode + - ALSA: hrtimer: Fix stall by hrtimer_cancel() + - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 + - [x86] ALSA: hda - Fix bass pin fixup for ASUS N550JX + - ALSA: hda - Flush the pending probe work at remove + - ALSA: timer: Handle disconnection more safely + - ASoC: rt286: Fix run time error while modifying const data + - ASoC: rsnd: fixup SCU_SYS_INT_EN1 address + - ASoC: wm8962: correct addresses for HPF_C_0/1 + - ASoC: es8328: Fix deemphasis values + - ASoC: wm8974: set cache type for regmap + - ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx + - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz + - ASoC: wm5110: Fix PGA clear when disabling DRE + - ASoC: compress: Fix compress device direction check + - usb: xhci: fix config fail of FS hub behind a HS hub with MTT + - airspy: increase USB control message buffer size + - USB: fix invalid memory access in hub_activate() + - USB: ipaq.c: fix a timeout loop + - USB: cp210x: add ID for ELV Marble Sound Board 1 + - usb: core: lpm: fix usb3_hardware_lpm sysfs node + - xhci: refuse loading if nousb is used + - openvswitch: correct encoding of set tunnel action attributes + - veth: don’t modify ip_summed; doing so treats packets with bad checksums + as good. + - ipv6/addrlabel: fix ip6addrlbl_get() + - addrconf: always initialize sysctl table data + - net: cdc_ncm: avoid changing RX/TX buffers on MTU changes + - sctp: sctp should release assoc when sctp_make_abort_user return NULL + in sctp_close + - connector: bump skb->users before callback invocation + - af_unix: Fix splice-bind deadlock + - bridge: Only call /sbin/bridge-stp for the initial network namespace + - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X + - net: sched: fix missing free per cpu on qstats + - net: possible use after free in dst_release + - tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) + - vxlan: fix test which detect duplicate vxlan iface + - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory + - ipv6: tcp: add rcu locking in tcp_v6_send_synack() + - tcp_yeah: don't set ssthresh below 2 + - sched,cls_flower: set key address type when present + - net: pktgen: fix null ptr deref in skb allocation + - udp: disallow UFO for sockets with SO_NO_CHECK option + - net: preserve IP control block during GSO segmentation + - bonding: Prevent IPv6 link local address on enslaved devices + - phonet: properly unshare skbs in phonet_rcv() + - net: bpf: reject invalid shifts + - ipv6: update skb->csum when CE mark is propagated + - bridge: fix lockdep addr_list_lock false positive splat + - batman-adv: Avoid recursive call_rcu for batadv_bla_claim + - batman-adv: Avoid recursive call_rcu for batadv_nc_node + - batman-adv: Drop immediate batadv_orig_ifinfo free function + - batman-adv: Drop immediate batadv_neigh_node free function + - batman-adv: Drop immediate neigh_ifinfo free function + - batman-adv: Drop immediate batadv_hard_iface free function + - batman-adv: Drop immediate orig_node free function + - net/mlx5_core: Fix trimming down IRQ number + - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid + - xfrm: dst_entries_init() per-net dst_ops + - [powerpc*] tm: Block signal return setting invalid MSR state + - [powerpc*] tm: Check for already reclaimed tasks + - [powerpc*] opal-irqchip: Fix double endian conversion + - [powerpc*] opal-irqchip: Fix deadlock introduced by "Fix double endian + conversion" + - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type + - [powerpc*] Make value-returning atomics fully ordered + - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered + - [powerpc*] scripts/recordmcount.pl: support data in text section + - [powerpc*] module: Handle R_PPC64_ENTRY relocations + - [arm64] recordmcount: Replace the ignored mcount call into nop + - [arm64] bpf: fix div-by-zero case + - [arm64] bpf: fix mod-by-zero case + - [arm64] cmpxchg_dbl: fix return value type + - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend() + - [arm*] KVM: test properly for a PTE's uncachedness + - [arm64] KVM: Fix AArch32 to AArch64 register mapping + - [arm*] KVM: correct PTE uncachedness check + - [arm64] Clear out any singlestep state on a ptrace detach operation + - [arm64] mm: ensure that the zero page is visible to the page table walker + - [arm64] kernel: enforce pmuserenr_el0 initialization and restore + - [arm*] iommu/arm-smmu: Fix error checking for ASID and VMID allocation + - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints + - [hppa] iommu: fix panic due to trying to allocate too large region + - HID: wacom: Tie cached HID_DG_CONTACTCOUNT indices to report ID + - HID: wacom: Expect 'touch_max' touches if HID_DG_CONTACTCOUNT not present + - HID: core: Avoid uninitialized buffer access + - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly + - direct-io: Fix negative return from dio read beyond eof + - fix the regression from "direct-io: Fix negative return from dio read + beyond eof" + - [arm64] restore bogomips information in /proc/cpuinfo + - [arm64] KVM: Add workaround for Cortex-A57 erratum 834220 + - [arm64] kernel: fix architected PMU registers unconditional access [ Ben Hutchings ] * fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785) * SCSI: fix crashes in sd and sr runtime PM (Closes: #801925) - * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization - (CVE-2016-2069) - * [x86] mm: Improve switch_mm() barrier comments [ Salvatore Bonaccorso ] - * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070) * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787) [ Aurelien Jarno ] diff --git a/debian/config/defines b/debian/config/defines index 475934be3..11edf5a50 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -16,6 +16,9 @@ ignore-changes: # Can't be used from OOT pin_is_valid pinctrl_* +# Shouldn't be used from OOT + module:drivers/net/ethernet/mellanox/** + pv_info [base] arches: diff --git a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch b/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch deleted file mode 100644 index 6826c67ae..000000000 --- a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Ben Hutchings -Date: Sun, 1 Nov 2015 16:21:24 +0000 -Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open() -Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 - -Compile-tested only. - -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c -index c4198fa..86f9abe 100644 ---- a/drivers/isdn/i4l/isdn_ppp.c -+++ b/drivers/isdn/i4l/isdn_ppp.c -@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) - is->compflags = 0; - - is->reset = isdn_ppp_ccp_reset_alloc(is); -+ if (!is->reset) -+ return -ENOMEM; - - is->lp = NULL; - is->mp_seqno = 0; /* MP sequence number */ -@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) - * VJ header compression init - */ - is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ -+ if (!is->slcomp) { -+ isdn_ppp_ccp_reset_free(is); -+ return -ENOMEM; -+ } - #endif - #ifdef CONFIG_IPPP_FILTER - is->pass_filter = NULL; diff --git a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch b/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch deleted file mode 100644 index 8d551da49..000000000 --- a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: =?UTF-8?q?Salva=20Peir=C3=B3?= -Date: Wed, 7 Oct 2015 07:09:26 -0300 -Subject: [media] media/vivid-osd: fix info leak in ioctl -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c - -The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of -struct fb_vblank after the ->hcount member. Add an explicit -memset(0) before filling the structure to avoid the info leak. - -Signed-off-by: Salva Peiró -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/platform/vivid/vivid-osd.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c -index 084d346..e15eef6 100644 ---- a/drivers/media/platform/vivid/vivid-osd.c -+++ b/drivers/media/platform/vivid/vivid-osd.c -@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) - case FBIOGET_VBLANK: { - struct fb_vblank vblank; - -+ memset(&vblank, 0, sizeof(vblank)); - vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | - FB_VBLANK_HAVE_VSYNC; - vblank.count = 0; diff --git a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch b/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch deleted file mode 100644 index b70b25aba..000000000 --- a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch +++ /dev/null @@ -1,128 +0,0 @@ -From: Ben Hutchings -Date: Sun, 1 Nov 2015 16:22:53 +0000 -Subject: ppp, slip: Validate VJ compression slot parameters completely -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae - -Currently slhc_init() treats out-of-range values of rslots and tslots -as equivalent to 0, except that if tslots is too large it will -dereference a null pointer (CVE-2015-7799). - -Add a range-check at the top of the function and make it return an -ERR_PTR() on error instead of NULL. Change the callers accordingly. - -Compile-tested only. - -Reported-by: 郭永刚 -References: http://article.gmane.org/gmane.comp.security.oss.general/17908 -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ - drivers/net/ppp/ppp_generic.c | 6 ++---- - drivers/net/slip/slhc.c | 12 ++++++++---- - drivers/net/slip/slip.c | 2 +- - 4 files changed, 15 insertions(+), 15 deletions(-) - ---- a/drivers/isdn/i4l/isdn_ppp.c -+++ b/drivers/isdn/i4l/isdn_ppp.c -@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file - * VJ header compression init - */ - is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ -- if (!is->slcomp) { -+ if (IS_ERR(is->slcomp)) { - isdn_ppp_ccp_reset_free(is); -- return -ENOMEM; -+ return PTR_ERR(is->slcomp); - } - #endif - #ifdef CONFIG_IPPP_FILTER -@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil - is->maxcid = val; - #ifdef CONFIG_ISDN_PPP_VJ - sltmp = slhc_init(16, val); -- if (!sltmp) { -- printk(KERN_ERR "ippp, can't realloc slhc struct\n"); -- return -ENOMEM; -- } -+ if (IS_ERR(sltmp)) -+ return PTR_ERR(sltmp); - if (is->slcomp) - slhc_free(is->slcomp); - is->slcomp = sltmp; ---- a/drivers/net/ppp/ppp_generic.c -+++ b/drivers/net/ppp/ppp_generic.c -@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file, - val &= 0xffff; - } - vj = slhc_init(val2+1, val+1); -- if (!vj) { -- netdev_err(ppp->dev, -- "PPP: no memory (VJ compressor)\n"); -- err = -ENOMEM; -+ if (IS_ERR(vj)) { -+ err = PTR_ERR(vj); - break; - } - ppp_lock(ppp); ---- a/drivers/net/slip/slhc.c -+++ b/drivers/net/slip/slhc.c -@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); - static unsigned char * put16(unsigned char *cp, unsigned short x); - static unsigned short pull16(unsigned char **cpp); - --/* Initialize compression data structure -+/* Allocate compression data structure - * slots must be in range 0 to 255 (zero meaning no compression) -+ * Returns pointer to structure or ERR_PTR() on error. - */ - struct slcompress * - slhc_init(int rslots, int tslots) -@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) - register struct cstate *ts; - struct slcompress *comp; - -+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) -+ return ERR_PTR(-EINVAL); -+ - comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); - if (! comp) - goto out_fail; - -- if ( rslots > 0 && rslots < 256 ) { -+ if (rslots > 0) { - size_t rsize = rslots * sizeof(struct cstate); - comp->rstate = kzalloc(rsize, GFP_KERNEL); - if (! comp->rstate) -@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) - comp->rslot_limit = rslots - 1; - } - -- if ( tslots > 0 && tslots < 256 ) { -+ if (tslots > 0) { - size_t tsize = tslots * sizeof(struct cstate); - comp->tstate = kzalloc(tsize, GFP_KERNEL); - if (! comp->tstate) -@@ -141,7 +145,7 @@ out_free2: - out_free: - kfree(comp); - out_fail: -- return NULL; -+ return ERR_PTR(-ENOMEM); - } - - ---- a/drivers/net/slip/slip.c -+++ b/drivers/net/slip/slip.c -@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl - if (cbuff == NULL) - goto err_exit; - slcomp = slhc_init(16, 16); -- if (slcomp == NULL) -+ if (IS_ERR(slcomp)) - goto err_exit; - #endif - spin_lock_bh(&sl->lock); diff --git a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch b/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch deleted file mode 100644 index bd192a17c..000000000 --- a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch +++ /dev/null @@ -1,63 +0,0 @@ -From: Yuchung Cheng -Date: Wed, 6 Jan 2016 12:42:38 -0800 -Subject: tcp: fix zero cwnd in tcp_cwnd_reduction -Origin: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390 - -Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode -conditionally") introduced a bug that cwnd may become 0 when both -inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead -to a div-by-zero if the connection starts another cwnd reduction -phase by setting tp->prior_cwnd to the current cwnd (0) in -tcp_init_cwnd_reduction(). - -To prevent this we skip PRR operation when nothing is acked or -sacked. Then cwnd must be positive in all cases as long as ssthresh -is positive: - -1) The proportional reduction mode - inflight > ssthresh > 0 - -2) The reduction bound mode - a) inflight == ssthresh > 0 - - b) inflight < ssthresh - sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh - -Therefore in all cases inflight and sndcnt can not both be 0. -We check invalid tp->prior_cwnd to avoid potential div0 bugs. - -In reality this bug is triggered only with a sequence of less common -events. For example, the connection is terminating an ECN-triggered -cwnd reduction with an inflight 0, then it receives reordered/old -ACKs or DSACKs from prior transmission (which acks nothing). Or the -connection is in fast recovery stage that marks everything lost, -but fails to retransmit due to local issues, then receives data -packets from other end which acks nothing. - -Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally") -Reported-by: Oleksandr Natalenko -Signed-off-by: Yuchung Cheng -Signed-off-by: Neal Cardwell -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_input.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 2d656ee..d4c5115 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, - int newly_acked_sacked = prior_unsacked - - (tp->packets_out - tp->sacked_out); - -+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) -+ return; -+ - tp->prr_delivered += newly_acked_sacked; - if (delta < 0) { - u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + --- -2.1.4 - diff --git a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch deleted file mode 100644 index 8cd6bb4ac..000000000 --- a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch +++ /dev/null @@ -1,140 +0,0 @@ -From: willy tarreau -Date: Sun, 10 Jan 2016 07:54:56 +0100 -Subject: unix: properly account for FDs passed over unix sockets -Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593 - -It is possible for a process to allocate and accumulate far more FDs than -the process' limit by sending them over a unix socket then closing them -to keep the process' fd count low. - -This change addresses this problem by keeping track of the number of FDs -in flight per user and preventing non-privileged processes from having -more FDs in flight than their configured FD limit. - -Reported-by: socketpair@gmail.com -Reported-by: Tetsuo Handa -Mitigates: CVE-2013-4312 (Linux 2.0+) -Suggested-by: Linus Torvalds -Acked-by: Hannes Frederic Sowa -Signed-off-by: Willy Tarreau -Signed-off-by: David S. Miller ---- - include/linux/sched.h | 1 + - net/unix/af_unix.c | 24 ++++++++++++++++++++---- - net/unix/garbage.c | 13 ++++++++----- - 3 files changed, 29 insertions(+), 9 deletions(-) - -diff --git a/include/linux/sched.h b/include/linux/sched.h -index edad7a4..fbf25f1 100644 ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -830,6 +830,7 @@ struct user_struct { - unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ - #endif - unsigned long locked_shm; /* How many pages of mlocked shm ? */ -+ unsigned long unix_inflight; /* How many files in flight in unix sockets */ - - #ifdef CONFIG_KEYS - struct key *uid_keyring; /* UID specific keyring */ -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index ef05cd9..e3f85bc 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb) - sock_wfree(skb); - } - -+/* -+ * The "user->unix_inflight" variable is protected by the garbage -+ * collection lock, and we just read it locklessly here. If you go -+ * over the limit, there might be a tiny race in actually noticing -+ * it across threads. Tough. -+ */ -+static inline bool too_many_unix_fds(struct task_struct *p) -+{ -+ struct user_struct *user = current_user(); -+ -+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) -+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); -+ return false; -+} -+ - #define MAX_RECURSION_LEVEL 4 - - static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) -@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - unsigned char max_level = 0; - int unix_sock_count = 0; - -+ if (too_many_unix_fds(current)) -+ return -ETOOMANYREFS; -+ - for (i = scm->fp->count - 1; i >= 0; i--) { - struct sock *sk = unix_get_socket(scm->fp->fp[i]); - -@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - if (!UNIXCB(skb).fp) - return -ENOMEM; - -- if (unix_sock_count) { -- for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -- } -+ for (i = scm->fp->count - 1; i >= 0; i--) -+ unix_inflight(scm->fp->fp[i]); - return max_level; - } - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index a73a226..8fcdc22 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -+ spin_lock(&unix_gc_lock); -+ - if (s) { - struct unix_sock *u = unix_sk(s); - -- spin_lock(&unix_gc_lock); -- - if (atomic_long_inc_return(&u->inflight) == 1) { - BUG_ON(!list_empty(&u->link)); - list_add_tail(&u->link, &gc_inflight_list); -@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp) - BUG_ON(list_empty(&u->link)); - } - unix_tot_inflight++; -- spin_unlock(&unix_gc_lock); - } -+ fp->f_cred->user->unix_inflight++; -+ spin_unlock(&unix_gc_lock); - } - - void unix_notinflight(struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -+ spin_lock(&unix_gc_lock); -+ - if (s) { - struct unix_sock *u = unix_sk(s); - -- spin_lock(&unix_gc_lock); - BUG_ON(list_empty(&u->link)); - - if (atomic_long_dec_and_test(&u->inflight)) - list_del_init(&u->link); - unix_tot_inflight--; -- spin_unlock(&unix_gc_lock); - } -+ fp->f_cred->user->unix_inflight--; -+ spin_unlock(&unix_gc_lock); - } - - static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), --- -2.7.0.rc3 - diff --git a/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch b/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch deleted file mode 100644 index 6da7b5eb8..000000000 --- a/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Boris Ostrovsky -Date: Tue, 10 Nov 2015 15:10:33 -0500 -Subject: xen/gntdev: Grant maps should not be subject to NUMA balancing -Origin: https://git.kernel.org/linus/9c17d96500f78d7ecdb71ca6942830158bc75a2b -Bug-Debian: https://bugs.debian.org/810472 - -Doing so will cause the grant to be unmapped and then, during -fault handling, the fault to be mistakenly treated as NUMA hint -fault. - -In addition, even if those maps could partcipate in NUMA -balancing, it wouldn't provide any benefit since we are unable -to determine physical page's node (even if/when VNUMA is -implemented). - -Marking grant maps' VMAs as VM_IO will exclude them from being -part of NUMA balancing. - -Signed-off-by: Boris Ostrovsky -Cc: stable@vger.kernel.org -Signed-off-by: David Vrabel ---- - drivers/xen/gntdev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c -index 2ea0b3b..1be5dd0 100644 ---- a/drivers/xen/gntdev.c -+++ b/drivers/xen/gntdev.c -@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) - - vma->vm_ops = &gntdev_vmops; - -- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; -+ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO; - - if (use_ptemod) - vma->vm_flags |= VM_DONTCOPY; diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch deleted file mode 100644 index 7ed419edc..000000000 --- a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch +++ /dev/null @@ -1,75 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 10 Nov 2015 09:14:39 +0100 -Subject: KVM: svm: unconditionally intercept #DB -Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d - -This is needed to avoid the possibility that the guest triggers -an infinite stream of #DB exceptions (CVE-2015-8104). - -VMX is not affected: because it does not save DR6 in the VMCS, -it already intercepts #DB unconditionally. - -Reported-by: Jan Beulich -Cc: stable@vger.kernel.org -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/svm.c | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s - set_exception_intercept(svm, UD_VECTOR); - set_exception_intercept(svm, MC_VECTOR); - set_exception_intercept(svm, AC_VECTOR); -+ set_exception_intercept(svm, DB_VECTOR); - - set_intercept(svm, INTERCEPT_INTR); - set_intercept(svm, INTERCEPT_NMI); -@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v - mark_dirty(svm->vmcb, VMCB_SEG); - } - --static void update_db_bp_intercept(struct kvm_vcpu *vcpu) -+static void update_bp_intercept(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); - -- clr_exception_intercept(svm, DB_VECTOR); - clr_exception_intercept(svm, BP_VECTOR); - -- if (svm->nmi_singlestep) -- set_exception_intercept(svm, DB_VECTOR); -- - if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { -- if (vcpu->guest_debug & -- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) -- set_exception_intercept(svm, DB_VECTOR); - if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) - set_exception_intercept(svm, BP_VECTOR); - } else -@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s - if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) - svm->vmcb->save.rflags &= - ~(X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(&svm->vcpu); - } - - if (svm->vcpu.guest_debug & -@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm - */ - svm->nmi_singlestep = true; - svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); -- update_db_bp_intercept(vcpu); - } - - static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) -@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = - .vcpu_load = svm_vcpu_load, - .vcpu_put = svm_vcpu_put, - -- .update_db_bp_intercept = update_db_bp_intercept, -+ .update_db_bp_intercept = update_bp_intercept, - .get_msr = svm_get_msr, - .set_msr = svm_set_msr, - .get_segment_base = svm_get_segment_base, diff --git a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch b/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch deleted file mode 100644 index 0ef087561..000000000 --- a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch +++ /dev/null @@ -1,158 +0,0 @@ -From: Andy Lutomirski -Date: Wed, 6 Jan 2016 12:21:01 -0800 -Subject: x86/mm: Add barriers and document switch_mm()-vs-flush - synchronization -Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e - -When switch_mm() activates a new PGD, it also sets a bit that -tells other CPUs that the PGD is in use so that TLB flush IPIs -will be sent. In order for that to work correctly, the bit -needs to be visible prior to loading the PGD and therefore -starting to fill the local TLB. - -Document all the barriers that make this work correctly and add -a couple that were missing. - -Signed-off-by: Andy Lutomirski -Cc: Andrew Morton -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Brian Gerst -Cc: Dave Hansen -Cc: Denys Vlasenko -Cc: H. Peter Anvin -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Rik van Riel -Cc: Thomas Gleixner -Cc: linux-mm@kvack.org -Cc: stable@vger.kernel.org -Signed-off-by: Ingo Molnar ---- - arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++- - arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++--- - 2 files changed, 58 insertions(+), 4 deletions(-) - -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 379cd3658799..1edc9cd198b8 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - #endif - cpumask_set_cpu(cpu, mm_cpumask(next)); - -- /* Re-load page tables */ -+ /* -+ * Re-load page tables. -+ * -+ * This logic has an ordering constraint: -+ * -+ * CPU 0: Write to a PTE for 'next' -+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. -+ * CPU 1: set bit 1 in next's mm_cpumask -+ * CPU 1: load from the PTE that CPU 0 writes (implicit) -+ * -+ * We need to prevent an outcome in which CPU 1 observes -+ * the new PTE value and CPU 0 observes bit 1 clear in -+ * mm_cpumask. (If that occurs, then the IPI will never -+ * be sent, and CPU 0's TLB will contain a stale entry.) -+ * -+ * The bad outcome can occur if either CPU's load is -+ * reordered before that CPU's store, so both CPUs much -+ * execute full barriers to prevent this from happening. -+ * -+ * Thus, switch_mm needs a full barrier between the -+ * store to mm_cpumask and any operation that could load -+ * from next->pgd. This barrier synchronizes with -+ * remote TLB flushers. Fortunately, load_cr3 is -+ * serializing and thus acts as a full barrier. -+ * -+ */ - load_cr3(next->pgd); -+ - trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); - - /* Stop flush ipis for the previous mm */ -@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * schedule, protecting us from simultaneous changes. - */ - cpumask_set_cpu(cpu, mm_cpumask(next)); -+ - /* - * We were in lazy tlb mode and leave_mm disabled - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. -+ * -+ * As above, this is a barrier that forces -+ * TLB repopulation to be ordered after the -+ * store to mm_cpumask. - */ - load_cr3(next->pgd); - trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); -diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c -index 8ddb5d0d66fb..8f4cc3dfac32 100644 ---- a/arch/x86/mm/tlb.c -+++ b/arch/x86/mm/tlb.c -@@ -161,7 +161,10 @@ void flush_tlb_current_task(void) - preempt_disable(); - - count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); -+ -+ /* This is an implicit full barrier that synchronizes with switch_mm. */ - local_flush_tlb(); -+ - trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); - if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) - flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); -@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, - unsigned long base_pages_to_flush = TLB_FLUSH_ALL; - - preempt_disable(); -- if (current->active_mm != mm) -+ if (current->active_mm != mm) { -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ - goto out; -+ } - - if (!current->mm) { - leave_mm(smp_processor_id()); -+ -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ - goto out; - } - - if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) - base_pages_to_flush = (end - start) >> PAGE_SHIFT; - -+ /* -+ * Both branches below are implicit full barriers (MOV to CR or -+ * INVLPG) that synchronize with switch_mm. -+ */ - if (base_pages_to_flush > tlb_single_page_flush_ceiling) { - base_pages_to_flush = TLB_FLUSH_ALL; - count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); -@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start) - preempt_disable(); - - if (current->active_mm == mm) { -- if (current->mm) -+ if (current->mm) { -+ /* -+ * Implicit full barrier (INVLPG) that synchronizes -+ * with switch_mm. -+ */ - __flush_tlb_one(start); -- else -+ } else { - leave_mm(smp_processor_id()); -+ -+ /* Synchronize with switch_mm. */ -+ smp_mb(); -+ } - } - - if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) diff --git a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch b/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch deleted file mode 100644 index 5e3f9326c..000000000 --- a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Andy Lutomirski -Date: Tue, 12 Jan 2016 12:47:40 -0800 -Subject: x86/mm: Improve switch_mm() barrier comments -Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b - -My previous comments were still a bit confusing and there was a -typo. Fix it up. - -Reported-by: Peter Zijlstra -Signed-off-by: Andy Lutomirski -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Brian Gerst -Cc: Dave Hansen -Cc: Denys Vlasenko -Cc: H. Peter Anvin -Cc: Linus Torvalds -Cc: Rik van Riel -Cc: Thomas Gleixner -Cc: stable@vger.kernel.org -Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization") -Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org -Signed-off-by: Ingo Molnar ---- - arch/x86/include/asm/mmu_context.h | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h -index 1edc9cd198b8..bfd9b2a35a0b 100644 ---- a/arch/x86/include/asm/mmu_context.h -+++ b/arch/x86/include/asm/mmu_context.h -@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * be sent, and CPU 0's TLB will contain a stale entry.) - * - * The bad outcome can occur if either CPU's load is -- * reordered before that CPU's store, so both CPUs much -+ * reordered before that CPU's store, so both CPUs must - * execute full barriers to prevent this from happening. - * - * Thus, switch_mm needs a full barrier between the - * store to mm_cpumask and any operation that could load -- * from next->pgd. This barrier synchronizes with -- * remote TLB flushers. Fortunately, load_cr3 is -- * serializing and thus acts as a full barrier. -+ * from next->pgd. TLB fills are special and can happen -+ * due to instruction fetches or for no reason at all, -+ * and neither LOCK nor MFENCE orders them. -+ * Fortunately, load_cr3() is serializing and gives the -+ * ordering guarantee we need. - * - */ - load_cr3(next->pgd); -@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, - * tlb flush IPI delivery. We must reload CR3 - * to make sure to use no freed page tables. - * -- * As above, this is a barrier that forces -- * TLB repopulation to be ordered after the -- * store to mm_cpumask. -+ * As above, load_cr3() is serializing and orders TLB -+ * fills with respect to the mm_cpumask write. - */ - load_cr3(next->pgd); - trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); diff --git a/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch b/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch new file mode 100644 index 000000000..32441eb51 --- /dev/null +++ b/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch @@ -0,0 +1,23 @@ +From: Ben Hutchings +Date: Mon, 01 Feb 2016 09:05:24 +0100 +Subject: usb: Fix ABI change in 4.3.5 +Forwarded: not-needed + +struct usb_device gained two new bitfields, but there were plenty of +padding bits to spare. Hide them from genksyms. + +--- +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -582,8 +582,11 @@ struct usb_device { + unsigned usb2_hw_lpm_enabled:1; + unsigned usb2_hw_lpm_allowed:1; + unsigned usb3_lpm_enabled:1; ++#ifndef __GENKSYMS__ + unsigned usb3_lpm_u1_enabled:1; + unsigned usb3_lpm_u2_enabled:1; ++ /* 18 bits spare */ ++#endif + int string_langid; + + /* static strings from the device */ diff --git a/debian/patches/series b/debian/patches/series index 9afb768e7..49a34c542 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -100,13 +100,9 @@ bugfix/all/selftests-breakpoints-actually-build-it.patch debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch # Security fixes -bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch -bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch -bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch -bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch bugfix/all/ovl-fix-permission-checking-for-setattr.patch bugfix/all/xen-add-ring_copy_request.patch bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch @@ -127,11 +123,9 @@ bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch -bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch -bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch @@ -142,8 +136,6 @@ bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch -bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch -bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch -bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch +debian/usb-fix-abi-change-in-4.3.5.patch