Update to 4.6.5

Drop patches applied upstream.

There are some ABI changes still to be resolved.
Ben Hutchings 2016-07-31 01:47:16 +01:00
parent 9da8616b57
commit e8c1b8e306
10 changed files with 209 additions and 843 deletions

debian/changelog

@ -1,3 +1,212 @@
linux (4.6.5-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5
- cfg80211: remove get/set antenna and tx power warnings
- mac80211: fix fast_tx header alignment
- mac80211: mesh: flush mesh paths unconditionally
- mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
- mac80211: Fix mesh estab_plinks counting in STA removal case
- cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC
header
- EDAC: Fix workqueues poll period resetting
- [x86] EDAC, sb_edac: Fix rank lookup on Broadwell
- futex: Calculate the futex key based on a tail page for file-based futexes
- IB/core: Fix bit curruption in ib_device_cap_flags structure
- IB/cm: Fix a recently introduced locking bug
- IB/rdmavt: Correct qp_priv_alloc() return value test
- IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
- [powerpc*] iommu: Remove the dependency on EEH struct in DDW mechanism
- [powerpc*] pseries: Fix PCI config address for DDW
- [powerpc*] pseries: Fix IBM_ARCH_VEC_NRCORES_OFFSET since POWER8NVL was
added
- USB: EHCI: declare hostpc register as zero-length array
- USB: don't free bandwidth_mutex too early
- usb: common: otg-fsm: add license to usb-otg-fsm
- mnt: fs_fully_visible test the proper mount for MNT_LOCKED
- mnt: Account for MS_RDONLY in fs_fully_visible
- mnt: If fs_fully_visible fails call put_filesystem.
- of: fix autoloading due to broken modalias with no 'compatible'
- of: irq: fix of_irq_get[_byname]() kernel-doc
- [x86] msr: Use the proper trace point conditional for writes
- locking/ww_mutex: Report recursive ww_mutex locking early
- locking/qspinlock: Fix spin_unlock_wait() some more
- locking/static_key: Fix concurrent static_key_slow_inc()
- [x86] kprobes: Clear TF bit in fault on single-stepping
- [x86] perf/intel/rapl: Fix pmus free during cleanup
- [x86] amd_nb: Fix boot crash on non-AMD systems
- [x86] perf: Fix 32-bit perf user callgraph collection
- [armhf] extcon: palmas: Fix boot up state of VBUS when using GPIO
detection
- gpio: make library immune to error pointers
- [x86] gpio: sch: Fix Oops on module load on Asus Eee PC 1201
- Revert "gpiolib: Split GPIO flags parsing and GPIO configuration"
- autofs braino fix for do_last()
- rtlwifi: Fix scheduling while atomic error from commit 49f86ec21c01
- uvc: Forward compat ioctls to their handlers directly
- thermal: cpu_cooling: fix improper order during initialization
- writeback: use higher precision calculation in domain_dirty_limits()
- sd: Fix rw_max for devices that report an optimal xfer size
- nfsd4/rpc: move backchannel create logic into rpc code
- nfsd: Always lock state exclusively.
- nfsd: Extend the mutex holding region around in nfsd4_process_open2()
- pnfs_nfs: fix _cancel_empty_pagelist
- NFS: Fix a double page unlock
- make nfs_atomic_open() call d_drop() on all ->open_context() errors.
- NFS: Fix another OPEN_DOWNGRADE bug
- SUNRPC: fix xprt leak on xps allocation failure
- rpc: share one xps between all backchannels
- [arm64] regulator: qcom_smd: add list_voltage callback
- [arm64] regulator: qcom_smd: add regulator ops for pm8941 lnldo
- [armhf] imx6ul: Fix Micrel PHY mask
- [armel,armhf] 8578/1: mm: ensure pmd_present only checks the valid bit
- [armel,armhf] 8579/1: mm: Fix definition of pmd_mknotpresent
- [armhf] dts: sun6i: yones-toptech-bs1078-v2: Drop constraints on dc1sw
regulator
- [armhf] dts: sun6i: primo81: Drop constraints on dc1sw regulator
- mm: Export migrate_page_move_mapping and migrate_page_copy
- UBIFS: Implement ->migratepage()
- sched/fair: Fix cfs_rq avg tracking underflow
- packet: Use symmetric hash for PACKET_FANOUT_HASH.
- net_sched: fix mirrored packets checksum
- geneve: fix max_mtu setting
- cdc_ncm: workaround for EM7455 "silent" data interface
- ipv6: Fix mem leak in rt6i_pcpu
- [x86] kvm: vmx: check apicv is active before using VT-d posted interrupt
- kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
- [s390x] KVM: mm: Fix CMMA reset during reboot
- [arm*] KVM: Stop leaking vcpu pid references
- [x86] KVM: nVMX: VMX instructions: fix segment checks when L1 is in
long mode.
- HID: elo: kill not flush the work
- Revert "HID: multitouch: enable palm rejection if device implements
confidence usage"
- HID: multitouch: enable palm rejection for Windows Precision Touchpad
- tracing: Handle NULL formats in hold_module_trace_bprintk_format()
- base: make module_create_drivers_dir race-free
- [armhf] iommu/rockchip: Fix zap cache during device attach
- [armhf] iommu/arm-smmu: Wire up map_sg for arm-smmu-v3
- [x86] iommu/vt-d: Enable QI on all IOMMUs before setting root entry
- [x86] iommu/amd: Fix unity mapping initialization race
- [x86] drm/mgag200: Black screen fix for G200e rev 4
- [armhf] drm/fsl-dcu: use flat regmap cache
- ipmi: Remove smi_msg from waiting_rcv_msgs list before
handle_one_recv_msg()
- [arm64] drm/nouveau/Revert "drm/nouveau/device/pci: set as
non-CPU-coherent on ARM64"
- [arm64] fix dump_instr when PAN and UAO are in use
- [arm64] mm: remove page_mapping check in __sync_icache_dcache
- [arm64] kernel: Save and restore UAO and addr_limit on exception entry
- vfs: add d_real_inode() helper
- af_unix: fix hard linked sockets on overlay
- btrfs: account for non-CoW'd blocks in btrfs_abort_transaction
- [x86] drm/radeon: fix asic initialization for virtualized environments
- [x86] drm/amdgpu/gfx7: fix broken condition check
- [x86] drm/amdgpu: fix num_rbs exposed to userspace (v2)
- [x86] drm/amdgpu: initialize amdgpu_cgs_acpi_eval_object result value
- ubi: Make recover_peb power cut aware
- [x86] drm/amdkfd: unbind only existing processes
- [x86] drm/amdkfd: destroy dbgmgr in notifier release
- drm/dp/mst: Always clear proposed vcpi table for port.
- virtio_balloon: fix PFN format for virtio-1
- drm/nouveau/bios/disp: fix handling of "match any protocol" entries
- drm/nouveau/disp/sor/gf119: both links use the same training register
- drm/nouveau/gr/gf100-: update sm error decoding from gk20a nvgpu headers
- drm/nouveau/ltc/gm107-: fix typo in the address of NV_PLTCG_LTC0_LTS0_INTR
- drm/nouveau/fbcon: fix out-of-bounds memory accesses
- drm/nouveau/disp/sor/gm107: training pattern registers are like gm200
- drm/nouveau: fix for disabled fbdev emulation
- drm/nouveau/disp/sor/gf119: select correct sor when poking training
pattern
- [x86] drm/i915/ilk: Don't disable SSC source if it's in use
- [x86] drm/i915/fbc: Disable on HSW by default for now
- [x86] drm/i915: Refresh cached DP port register value on resume
- [x86] drm/i915: Update ifdeffery for mutex->owner
- drm: add missing drm_mode_set_crtcinfo call
- drm: make drm_atomic_set_mode_prop_for_crtc() more reliable
- drm: Wrap direct calls to driver->gem_free_object from CMA
- [x86] drm/amd/powerplay: fix bug that function parameter was incorect.
- [x86] drm/amd/powerplay: need to notify system bios pcie device ready
- [x86] drm/amd/powerplay: fix logic error.
- [x86] drm/amd/powerplay: incorrectly use of the function return value
- [x86] drm/amd/powerplay: fix incorrect voltage table value for tonga
- drm: atmel-hlcdc: actually disable scaling when no scaling is required
- drm/atomic: Make drm_atomic_legacy_backoff reset crtc->acquire_ctx
- drm/ttm: Make ttm_bo_mem_compat available
- [x86] drm/vmwgfx: Add an option to change assumed FB bpp
- [x86] drm/vmwgfx: Work around mode set failure in 2D VMs
- [x86] drm/vmwgfx: Check pin count before attempting to move a buffer
- [x86] drm/vmwgfx: Delay pinning fbdev framebuffer until after mode set
- [x86] drm/vmwgfx: Fix corner case screen target management
- [x86] drm/vmwgfx: Fix error paths when mapping framebuffer
- [armhf] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
- PCI: Fix unaligned accesses in VC code
- iio: Fix error handling in iio_trigger_attach_poll_func
- iio:st_pressure: fix sampling gains (bring inline with ABI)
- iio: light apds9960: Add the missing dev.parent
- iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output
- iio: proximity: as3935: remove triggered buffer processing
- iio: proximity: as3935: fix buffer stack trashing
- iio: humidity: hdc100x: correct humidity integration time mask
- iio: humidity: hdc100x: fix IIO_TEMP channel reporting
- iio: hudmidity: hdc100x: fix incorrect shifting and scaling
- staging: iio: accel: fix error check
- iio: accel: kxsd9: fix the usage of spi_w8r8()
- iio:ad7266: Fix broken regulator error handling
- iio:ad7266: Fix support for optional regulators
- iio:ad7266: Fix probe deferral for vref
- tty: vt: Fix soft lockup in fbcon cursor blink timer.
- tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
- [x86] hwmon: (dell-smm) Restrict fan control and serial number to
CAP_SYS_ADMIN by default
- [x86] hwmon: (dell-smm) Disallow fan_type() calls on broken machines
- [x86] hwmon: (dell-smm) Cache fan_type() calls and change fan detection
- ALSA: dummy: Fix a use-after-free at closing
- ALSA: hdac_regmap - fix the register access for runtime PM
- [x86] ALSA: hda - Fix the headset mic jack detection on Dell machine
- [x86] ALSA: hda / realtek - add two more Thinkpad IDs (5050,5053) for
tpt460 fixup
- ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
- ALSA: echoaudio: Fix memory allocation
- ALSA: timer: Fix negative queue usage by racy accesses
- [x86] ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
- [x86] ALSA: hda - Add PCI ID for Kabylake-H
- ALSA: hda - fix read before array start
- ALSA: usb-audio: Fix quirks code is not called
- ALSA: hda/realtek - add new pin definition in alc225 pin quirk table
- ALSA: pcm: Free chmap at PCM free callback, too
- ALSA: ctl: Stop notification after disconnection
- ALSA: hda - fix use-after-free after module unload
- [x86] ALSA: hda: add AMD Stoney PCI ID with proper driver caps
- [armhf] sunxi/dt: make the CHIP inherit from allwinner,sun5i-a13
- [armhf] dts: armada-38x: fix MBUS_ID for crypto SRAM on Armada 385 Linksys
- [armel,armhf] mvebu: fix HW I/O coherency related deadlocks
- ovl: fix dentry leak for default_permissions
- ovl: get_write_access() in truncate
- ovl: Copy up underlying inode's ->i_mode to overlay inode
- ovl: handle ATTR_KILL*
- ovl: verify upper dentry in ovl_remove_and_whiteout()
- scsi: fix race between simultaneous decrements of ->host_failed
- [s390x] fix test_fp_ctl inline assembly contraints
- [s390x] Revert "s390/kdump: Clear subchannel ID to signal
non-CCW/SCSI IPL"
- 53c700: fix BUG on untagged commands
- cifs: Fix reconnect to not defer smb3 session reconnect long after socket
reconnect
- cifs: dynamic allocation of ntlmssp blob
- cifs: File names with trailing period or space need special case
conversion
- [x86] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
- tmpfs: don't undo fallocate past its last page
- tmpfs: fix regression hang in fallocate undo
- crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request struct
- [x86] crypto: qat - make qat_asym_algs.o depend on asn1 headers
- [x86] drm/i915: Revert DisplayPort fast link training feature
- ovl: Do d_type check only if work dir creation was successful
- ovl: warn instead of error if d_type is not supported
-- Ben Hutchings <ben@decadent.org.uk> Sat, 30 Jul 2016 14:23:58 +0100
linux (4.6.4-1) unstable; urgency=medium
* Team upload.
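Review bot: the entry records the 4.6.5 stable update but says nothing about the seven Debian patch files removed in this same commit (hiddev num_values validation, apparmor setprocattr, KEYS uninitialised edit, nfsd ACL permission checks, the two percpu synchronisation fixes and set_posix_acl); since the commit message says they were applied upstream, either list their upstream titles in this entry or add a line stating that the patches were dropped, so the changelog matches the tree. The commit message also notes unresolved ABI changes, but the entry carries no corresponding ABI note.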


@ -1,44 +0,0 @@
From: Scott Bauer <sbauer@plzdonthack.me>
Date: Thu, 23 Jun 2016 08:59:47 -0600
Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
commands
Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
This patch validates the num_values parameter from userland during the
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
leading to a heap overflow.
Cc: stable@vger.kernel.org
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/usbhid/hiddev.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 2f1ddca..700145b 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
goto inval;
} else if (uref->usage_index >= field->report_count)
goto inval;
-
- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
- uref->usage_index + uref_multi->num_values > field->report_count))
- goto inval;
}
+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+ uref->usage_index + uref_multi->num_values > field->report_count))
+ goto inval;
+
switch (cmd) {
case HIDIOCGUSAGE:
uref->value = field->value[uref->usage_index];
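Review bot: moving the HIDIOCGUSAGES/HIDIOCSUSAGES bounds check out of the `else if` chain makes it run both when the report id is HID_REPORT_ID_UNKNOWN and when a report was named explicitly, which is the fix. The evaluation order also matters: `uref_multi->num_values > HID_MAX_MULTI_USAGES` is tested before the `usage_index + num_values` sum, and `usage_index` was already rejected at `>= field->report_count` above, so the addition cannot wrap. A one-line comment above the new `if` saying it must stay outside the report-id branches would keep a later cleanup from folding it back in.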
--
2.8.1


@ -1,115 +0,0 @@
From: Vegard Nossum <vegard.nossum@oracle.com>
Date: Thu, 7 Jul 2016 13:41:11 -0700
Subject: apparmor: fix oops, validate buffer size in apparmor_setprocattr()
Origin: https://git.kernel.org/linus/30a46a4647fd1df9cf52e43bf467f0d9265096ca
When proc_pid_attr_write() was changed to use memdup_user, apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.
The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.
SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.
Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
modified for the case that apparmor provides null termination.
Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
---
security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -523,34 +523,34 @@ static int apparmor_setprocattr(struct t
{
struct common_audit_data sa;
struct apparmor_audit_data aad = {0,};
- char *command, *args = value;
+ char *command, *largs = NULL, *args = value;
size_t arg_size;
int error;
if (size == 0)
return -EINVAL;
- /* args points to a PAGE_SIZE buffer, AppArmor requires that
- * the buffer must be null terminated or have size <= PAGE_SIZE -1
- * so that AppArmor can null terminate them
- */
- if (args[size - 1] != '\0') {
- if (size == PAGE_SIZE)
- return -EINVAL;
- args[size] = '\0';
- }
-
/* task can only write its own attributes */
if (current != task)
return -EACCES;
- args = value;
+ /* AppArmor requires that the buffer must be null terminated atm */
+ if (args[size - 1] != '\0') {
+ /* null terminate */
+ largs = args = kmalloc(size + 1, GFP_KERNEL);
+ if (!args)
+ return -ENOMEM;
+ memcpy(args, value, size);
+ args[size] = '\0';
+ }
+
+ error = -EINVAL;
args = strim(args);
command = strsep(&args, " ");
if (!args)
- return -EINVAL;
+ goto out;
args = skip_spaces(args);
if (!*args)
- return -EINVAL;
+ goto out;
arg_size = size - (args - (char *) value);
if (strcmp(name, "current") == 0) {
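Review bot: `arg_size = size - (args - (char *) value);` is left as unchanged context but is no longer correct on the copy path: when `args[size - 1]` is not NUL, `args` is redirected into the freshly allocated `largs` buffer, so the subtraction is between pointers into two different allocations and `arg_size` is garbage. Compute the offset against the buffer actually being parsed, e.g. `arg_size = size - (args - (largs ? largs : (char *) value));`.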
@@ -576,10 +576,12 @@ static int apparmor_setprocattr(struct t
goto fail;
} else
/* only support the "current" and "exec" process attributes */
- return -EINVAL;
+ goto fail;
if (!error)
error = size;
+out:
+ kfree(largs);
return error;
fail:
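Review bot: replacing `return -EINVAL` with `goto fail` for unsupported attribute names means that case now passes through the `fail:` block and emits an AUDIT_APPARMOR_DENIED record, which the description doesn't mention; either call that out in the message or use `goto out` if the audit was not intended. The `out:` label with `kfree(largs)` is correct on the success path because `largs` starts as NULL.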
@@ -588,9 +590,9 @@ fail:
aad.profile = aa_current_profile();
aad.op = OP_SETPROCATTR;
aad.info = name;
- aad.error = -EINVAL;
+ aad.error = error = -EINVAL;
aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
- return -EINVAL;
+ goto out;
}
static int apparmor_task_setrlimit(struct task_struct *task,
--
2.8.1


@ -1,86 +0,0 @@
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 16 Jun 2016 15:48:57 +0100
Subject: KEYS: potential uninitialized variable
Origin: https://git.kernel.org/linus/38327424b40bcebe2de92d07312c89360ac9229a
If __key_link_begin() failed then "edit" would be uninitialized. I've
added a check to fix that.
This allows a random user to crash the kernel, though it's quite
difficult to achieve. There are three ways it can be done as the user
would have to cause an error to occur in __key_link():
(1) Cause the kernel to run out of memory. In practice, this is difficult
to achieve without ENOMEM cropping up elsewhere and aborting the
attempt.
(2) Revoke the destination keyring between the keyring ID being looked up
and it being tested for revocation. In practice, this is difficult to
time correctly because the KEYCTL_REJECT function can only be used
from the request-key upcall process. Further, users can only make use
of what's in /sbin/request-key.conf, though this does include a
rejection debugging test - which means that the destination keyring
has to be the caller's session keyring in practice.
(3) Have just enough key quota available to create a key, a new session
keyring for the upcall and a link in the session keyring, but not then
sufficient quota to create a link in the nominated destination keyring
so that it fails with EDQUOT.
The bug can be triggered using option (3) above using something like the
following:
echo 80 >/proc/sys/kernel/keys/root_maxbytes
keyctl request2 user debug:fred negate @t
The above sets the quota to something much lower (80) to make the bug
easier to trigger, but this is dependent on the system. Note also that
the name of the keyring created contains a random number that may be
between 1 and 10 characters in size, so may throw the test off by
changing the amount of quota used.
Assuming the failure occurs, something like the following will be seen:
kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
------------[ cut here ]------------
kernel BUG at ../mm/slab.c:2821!
...
RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092
RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
...
Call Trace:
kfree+0xde/0x1bc
assoc_array_cancel_edit+0x1f/0x36
__key_link_end+0x55/0x63
key_reject_and_link+0x124/0x155
keyctl_reject_key+0xb6/0xe0
keyctl_negate_key+0x10/0x12
SyS_keyctl+0x9f/0xe7
do_syscall_64+0x63/0x13a
entry_SYSCALL64_slow_path+0x25/0x25
Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
security/keys/key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -584,7 +584,7 @@ int key_reject_and_link(struct key *key,
mutex_unlock(&key_construction_mutex);
- if (keyring)
+ if (keyring && link_ret == 0)
__key_link_end(keyring, &key->index_key, edit);
/* wake up anyone waiting for a key to be constructed */
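Review bot: the guard `if (keyring && link_ret == 0)` relies on `link_ret` mirroring exactly the condition under which `__key_link_begin()` was called and succeeded; as the description says, `edit` is otherwise uninitialised and is handed to `__key_link_end()`, which frees through it. Initialising `edit` to NULL at its declaration alongside this check would keep the cleanup path safe even if the begin/end pairing is reordered later.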


@ -1,145 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 22 Jun 2016 19:43:35 +0100
Subject: [PATCH] nfsd: check permissions when setting ACLs
Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=999653786df6954a31044528ac3f7a5dadca08f4
Use set_posix_acl, which includes proper permission checks, instead of
calling ->set_acl directly. Without this anyone may be able to grant
themselves permissions to a file by setting the ACL.
Lock the inode to make the new checks atomic with respect to set_acl.
(Also, nfsd was the only caller of set_acl not locking the inode, so I
suspect this may fix other races.)
This also simplifies the code, and ensures our ACLs are checked by
posix_acl_valid.
The permission checks and the inode locking were lost with commit
4ac7249e, which changed nfsd to use the set_acl inode operation directly
instead of going through xattr handlers.
Reported-by: David Sinquin <david@sinquin.eu>
[agreunba@redhat.com: use set_posix_acl]
Fixes: 4ac7249e
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
fs/nfsd/nfs2acl.c | 20 ++++++++++----------
fs/nfsd/nfs3acl.c | 16 +++++++---------
fs/nfsd/nfs4acl.c | 16 ++++++++--------
3 files changed, 25 insertions(+), 27 deletions(-)
--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct
goto out;
inode = d_inode(fh->fh_dentry);
- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
- error = -EOPNOTSUPP;
- goto out_errno;
- }
error = fh_want_write(fh);
if (error)
goto out_errno;
- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
+ fh_lock(fh);
+
+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
if (error)
- goto out_drop_write;
- error = inode->i_op->set_acl(inode, argp->acl_default,
- ACL_TYPE_DEFAULT);
+ goto out_drop_lock;
+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
if (error)
- goto out_drop_write;
+ goto out_drop_lock;
+
+ fh_unlock(fh);
fh_drop_write(fh);
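Review bot: dropping the open-coded `!IS_POSIXACL(inode) || !inode->i_op->set_acl` test is fine only because `set_posix_acl()` repeats it (returning -EOPNOTSUPP for both), but the ordering changes: the check now happens after `fh_want_write(fh)` and under `fh_lock(fh)`, so an export without ACL support takes and drops a write reference for nothing. Harmless, but worth a comment. Both error exits go to `out_drop_lock`, so the lock is released on every path.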
@@ -131,7 +130,8 @@ out:
posix_acl_release(argp->acl_access);
posix_acl_release(argp->acl_default);
return nfserr;
-out_drop_write:
+out_drop_lock:
+ fh_unlock(fh);
fh_drop_write(fh);
out_errno:
nfserr = nfserrno(error);
--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s
goto out;
inode = d_inode(fh->fh_dentry);
- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
- error = -EOPNOTSUPP;
- goto out_errno;
- }
error = fh_want_write(fh);
if (error)
goto out_errno;
- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
+ fh_lock(fh);
+
+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
if (error)
- goto out_drop_write;
- error = inode->i_op->set_acl(inode, argp->acl_default,
- ACL_TYPE_DEFAULT);
+ goto out_drop_lock;
+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
-out_drop_write:
+out_drop_lock:
+ fh_unlock(fh);
fh_drop_write(fh);
out_errno:
nfserr = nfserrno(error);
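Review bot: as rendered, this hunk goes straight from `error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);` to the `-out_drop_write:` label with no `if (error) goto out_drop_lock;`, no `fh_unlock(fh);` and no `fh_drop_write(fh);` in between, although the header claims 22 old / 20 new lines and the nfs2acl hunk above has exactly those lines. Either lines were lost in rendering or the patch file is malformed; check the stored patch before relying on this view, since a missing `fh_unlock` on the success path would leave the inode locked.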
--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
dentry = fhp->fh_dentry;
inode = d_inode(dentry);
- if (!inode->i_op->set_acl || !IS_POSIXACL(inode))
- return nfserr_attrnotsupp;
-
if (S_ISDIR(inode->i_mode))
flags = NFS4_ACL_DIR;
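Review bot: removing the `return nfserr_attrnotsupp;` shortcut changes the error mapping for filesystems without POSIX ACL support: that case now comes back from `set_posix_acl()` as -EOPNOTSUPP and goes through `out_nfserr` and `nfserrno()`. Confirm that `nfserrno(-EOPNOTSUPP)` produces the same attribute-not-supported error on the wire, otherwise clients will see a different status than before.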
@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
if (host_error < 0)
goto out_nfserr;
- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS);
+ fh_lock(fhp);
+
+ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
if (host_error < 0)
- goto out_release;
+ goto out_drop_lock;
if (S_ISDIR(inode->i_mode)) {
- host_error = inode->i_op->set_acl(inode, dpacl,
- ACL_TYPE_DEFAULT);
+ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
}
-out_release:
+out_drop_lock:
+ fh_unlock(fhp);
+
posix_acl_release(pacl);
posix_acl_release(dpacl);
out_nfserr:
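Review bot: `fh_lock(fhp)` is taken only after the earlier `if (host_error < 0) goto out_nfserr;`, so that exit correctly bypasses `fh_unlock(fhp)`; the two later failures both go to `out_drop_lock`, and the success path falls through it, so the lock is balanced on every path. If the lock is ever hoisted above the ACL conversion, that first `goto out_nfserr` would need to change too; a comment at `fh_lock(fhp)` would make the dependency explicit.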


@ -1,153 +0,0 @@
From: Tejun Heo <tj@kernel.org>
Date: Wed, 25 May 2016 11:48:25 -0400
Subject: percpu: fix synchronization between chunk->map_extend_work and chunk
destruction
Origin: https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3
Atomic allocations can trigger async map extensions which are serviced
by chunk->map_extend_work. pcpu_balance_work which is responsible for
destroying idle chunks wasn't synchronizing properly against
chunk->map_extend_work and may end up freeing the chunk while the work
item is still in flight.
This patch fixes the bug by rolling async map extension operations
into pcpu_balance_work.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
---
mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 36 insertions(+), 21 deletions(-)
diff --git a/mm/percpu.c b/mm/percpu.c
index 0c59684f1ff2..b1d2a3844792 100644
--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -112,7 +112,7 @@ struct pcpu_chunk {
int map_used; /* # of map entries used before the sentry */
int map_alloc; /* # of map entries allocated */
int *map; /* allocation map */
- struct work_struct map_extend_work;/* async ->map[] extension */
+ struct list_head map_extend_list;/* on pcpu_map_extend_chunks */
void *data; /* chunk data */
int first_free; /* no free below this */
@@ -166,6 +166,9 @@ static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */
static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
+/* chunks which need their map areas extended, protected by pcpu_lock */
+static LIST_HEAD(pcpu_map_extend_chunks);
+
/*
* The number of empty populated pages, protected by pcpu_lock. The
* reserved chunk doesn't contribute to the count.
@@ -395,13 +398,19 @@ static int pcpu_need_to_extend(struct pcpu_chunk *chunk, bool is_atomic)
{
int margin, new_alloc;
+ lockdep_assert_held(&pcpu_lock);
+
if (is_atomic) {
margin = 3;
if (chunk->map_alloc <
- chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW &&
- pcpu_async_enabled)
- schedule_work(&chunk->map_extend_work);
+ chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW) {
+ if (list_empty(&chunk->map_extend_list)) {
+ list_add_tail(&chunk->map_extend_list,
+ &pcpu_map_extend_chunks);
+ pcpu_schedule_balance_work();
+ }
+ }
} else {
margin = PCPU_ATOMIC_MAP_MARGIN_HIGH;
}
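Review bot: the removed condition included `pcpu_async_enabled`, but the replacement calls `pcpu_schedule_balance_work()` whenever the margin is breached and the chunk isn't already queued. Unless `pcpu_schedule_balance_work()` checks `pcpu_async_enabled` itself, this drops the early-boot guard that kept work from being scheduled before the workqueue exists; confirm that, or restore the test in the `if`.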
@@ -467,20 +476,6 @@ out_unlock:
return 0;
}
-static void pcpu_map_extend_workfn(struct work_struct *work)
-{
- struct pcpu_chunk *chunk = container_of(work, struct pcpu_chunk,
- map_extend_work);
- int new_alloc;
-
- spin_lock_irq(&pcpu_lock);
- new_alloc = pcpu_need_to_extend(chunk, false);
- spin_unlock_irq(&pcpu_lock);
-
- if (new_alloc)
- pcpu_extend_area_map(chunk, new_alloc);
-}
-
/**
* pcpu_fit_in_area - try to fit the requested allocation in a candidate area
* @chunk: chunk the candidate area belongs to
@@ -740,7 +735,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void)
chunk->map_used = 1;
INIT_LIST_HEAD(&chunk->list);
- INIT_WORK(&chunk->map_extend_work, pcpu_map_extend_workfn);
+ INIT_LIST_HEAD(&chunk->map_extend_list);
chunk->free_size = pcpu_unit_size;
chunk->contig_hint = pcpu_unit_size;
@@ -1129,6 +1124,7 @@ static void pcpu_balance_workfn(struct work_struct *work)
if (chunk == list_first_entry(free_head, struct pcpu_chunk, list))
continue;
+ list_del_init(&chunk->map_extend_list);
list_move(&chunk->list, &to_free);
}
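Review bot: `list_del_init(&chunk->map_extend_list)` modifies `pcpu_map_extend_chunks`, which the comment added earlier says is protected by `pcpu_lock`; the context here doesn't show the lock, so confirm this free-list walk runs under `spin_lock_irq(&pcpu_lock)` (the adjacent `list_move` to `to_free` suggests it does). Unqueuing before destruction is what prevents the extend loop below from picking up a freed chunk.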
@@ -1146,6 +1142,25 @@ static void pcpu_balance_workfn(struct work_struct *work)
pcpu_destroy_chunk(chunk);
}
+ /* service chunks which requested async area map extension */
+ do {
+ int new_alloc = 0;
+
+ spin_lock_irq(&pcpu_lock);
+
+ chunk = list_first_entry_or_null(&pcpu_map_extend_chunks,
+ struct pcpu_chunk, map_extend_list);
+ if (chunk) {
+ list_del_init(&chunk->map_extend_list);
+ new_alloc = pcpu_need_to_extend(chunk, false);
+ }
+
+ spin_unlock_irq(&pcpu_lock);
+
+ if (new_alloc)
+ pcpu_extend_area_map(chunk, new_alloc);
+ } while (chunk);
+
/*
* Ensure there are certain number of free populated pages for
* atomic allocs. Fill up from the most packed so that atomic
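Review bot: in the new service loop, `pcpu_extend_area_map(chunk, new_alloc)` runs after `spin_unlock_irq(&pcpu_lock)`, so nothing in the loop itself pins `chunk`; it is only safe because chunk destruction happens earlier in this same work function and never concurrently with it. That invariant deserves a comment above the `do {`. Termination at `} while (chunk);` depends on `list_first_entry_or_null` returning NULL once the list drains, which it does.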
@@ -1644,7 +1659,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
*/
schunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
INIT_LIST_HEAD(&schunk->list);
- INIT_WORK(&schunk->map_extend_work, pcpu_map_extend_workfn);
+ INIT_LIST_HEAD(&schunk->map_extend_list);
schunk->base_addr = base_addr;
schunk->map = smap;
schunk->map_alloc = ARRAY_SIZE(smap);
@@ -1673,7 +1688,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
if (dyn_size) {
dchunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
INIT_LIST_HEAD(&dchunk->list);
- INIT_WORK(&dchunk->map_extend_work, pcpu_map_extend_workfn);
+ INIT_LIST_HEAD(&dchunk->map_extend_list);
dchunk->base_addr = base_addr;
dchunk->map = dmap;
dchunk->map_alloc = ARRAY_SIZE(dmap);


@ -1,104 +0,0 @@
From: Tejun Heo <tj@kernel.org>
Date: Wed, 25 May 2016 11:48:25 -0400
Subject: percpu: fix synchronization between synchronous map extension and
chunk destruction
Origin: https://git.kernel.org/linus/6710e594f71ccaad8101bc64321152af7cd9ea28
For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.
This patch fixes the bug by putting most non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
---
mm/percpu.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/mm/percpu.c b/mm/percpu.c
index b1d2a3844792..9903830aaebb 100644
--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -162,7 +162,7 @@ static struct pcpu_chunk *pcpu_reserved_chunk;
static int pcpu_reserved_chunk_limit;
static DEFINE_SPINLOCK(pcpu_lock); /* all internal data structures */
-static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */
+static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop, map ext */
static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
@@ -444,6 +444,8 @@ static int pcpu_extend_area_map(struct pcpu_chunk *chunk, int new_alloc)
size_t old_size = 0, new_size = new_alloc * sizeof(new[0]);
unsigned long flags;
+ lockdep_assert_held(&pcpu_alloc_mutex);
+
new = pcpu_mem_zalloc(new_size);
if (!new)
return -ENOMEM;
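Review bot: `lockdep_assert_held(&pcpu_alloc_mutex)` in `pcpu_extend_area_map()` also fires for the call from the balance work's extend loop added in the preceding patch; that call site isn't in this diff, so confirm `pcpu_balance_workfn()` holds `pcpu_alloc_mutex` across it, otherwise this assert trips on the first async extension.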
@@ -890,6 +892,9 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved,
return NULL;
}
+ if (!is_atomic)
+ mutex_lock(&pcpu_alloc_mutex);
+
spin_lock_irqsave(&pcpu_lock, flags);
/* serve reserved allocations from the reserved chunk if available */
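Review bot: taking `pcpu_alloc_mutex` before `spin_lock_irqsave(&pcpu_lock, flags)` for every `!is_atomic` call means every return path after this point must drop it; the `fail:` path is handled in the last hunk, but the successful `area_found` return isn't shown in this diff, so check that it releases the mutex too. This also serialises all non-atomic pcpu_alloc callers, including the fast path that finds space in an existing chunk, which is a throughput change worth a sentence in the description.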
@@ -962,12 +967,9 @@ restart:
if (is_atomic)
goto fail;
- mutex_lock(&pcpu_alloc_mutex);
-
if (list_empty(&pcpu_slot[pcpu_nr_slots - 1])) {
chunk = pcpu_create_chunk();
if (!chunk) {
- mutex_unlock(&pcpu_alloc_mutex);
err = "failed to allocate new chunk";
goto fail;
}
@@ -978,7 +980,6 @@ restart:
spin_lock_irqsave(&pcpu_lock, flags);
}
- mutex_unlock(&pcpu_alloc_mutex);
goto restart;
area_found:
@@ -988,8 +989,6 @@ area_found:
if (!is_atomic) {
int page_start, page_end, rs, re;
- mutex_lock(&pcpu_alloc_mutex);
-
page_start = PFN_DOWN(off);
page_end = PFN_UP(off + size);
@@ -1000,7 +999,6 @@ area_found:
spin_lock_irqsave(&pcpu_lock, flags);
if (ret) {
- mutex_unlock(&pcpu_alloc_mutex);
pcpu_free_area(chunk, off, &occ_pages);
err = "failed to populate";
goto fail_unlock;
@@ -1040,6 +1038,8 @@ fail:
/* see the flag handling in pcpu_blance_workfn() */
pcpu_atomic_alloc_failed = true;
pcpu_schedule_balance_work();
+ } else {
+ mutex_unlock(&pcpu_alloc_mutex);
}
return NULL;
}
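Review bot: the new `} else { mutex_unlock(&pcpu_alloc_mutex); }` keys the release on is_atomic, which matches the lock site at function entry, and the removed unlocks on the "failed to allocate new chunk" and "failed to populate" paths both end up here, so the pairing looks complete for the failure side. A one-line comment above the else branch saying that non-atomic callers hold pcpu_alloc_mutex from entry to here would make that invariant visible, and the pre-existing typo `pcpu_blance_workfn` in the context comment could be fixed while touching this block.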
@ -1,82 +0,0 @@
From: Andreas Gruenbacher <agruenba@redhat.com>
Date: Wed, 22 Jun 2016 23:57:25 +0200
Subject: [PATCH] posix_acl: Add set_posix_acl
Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
Factor out part of posix_acl_xattr_set into a common function that takes
a posix_acl, which nfsd can also call.
The prototype already exists in include/linux/posix_acl.h.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: stable@vger.kernel.org
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[bwh: Backported to 4.6: posix_acl_xattr_set() parameters are different]
---
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -786,39 +786,43 @@ posix_acl_xattr_get(const struct xattr_h
return error;
}
-static int
-posix_acl_xattr_set(const struct xattr_handler *handler,
- struct dentry *dentry, const char *name,
- const void *value, size_t size, int flags)
+int
+set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
{
- struct inode *inode = d_backing_inode(dentry);
- struct posix_acl *acl = NULL;
- int ret;
-
if (!IS_POSIXACL(inode))
return -EOPNOTSUPP;
if (!inode->i_op->set_acl)
return -EOPNOTSUPP;
- if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
- return value ? -EACCES : 0;
+ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
+ return acl ? -EACCES : 0;
if (!inode_owner_or_capable(inode))
return -EPERM;
+ if (acl) {
+ int ret = posix_acl_valid(acl);
+ if (ret)
+ return ret;
+ }
+ return inode->i_op->set_acl(inode, acl, type);
+}
+EXPORT_SYMBOL(set_posix_acl);
+
+static int
+posix_acl_xattr_set(const struct xattr_handler *handler,
+ struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+{
+ struct inode *inode = d_backing_inode(dentry);
+ struct posix_acl *acl = NULL;
+ int ret;
+
if (value) {
acl = posix_acl_from_xattr(&init_user_ns, value, size);
if (IS_ERR(acl))
return PTR_ERR(acl);
-
- if (acl) {
- ret = posix_acl_valid(acl);
- if (ret)
- goto out;
- }
}
-
- ret = inode->i_op->set_acl(inode, acl, handler->flags);
-out:
+ ret = set_posix_acl(inode, handler->flags, acl);
posix_acl_release(acl);
return ret;
}
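Review bot: the check order changes here: before, the IS_POSIXACL / set_acl / ACL_TYPE_DEFAULT / owner checks ran before the xattr value was parsed, whereas now posix_acl_from_xattr() runs first and set_posix_acl() performs those checks afterwards, so a malformed value on an inode that previously returned -EOPNOTSUPP or -EPERM now returns the parse error instead. Probably harmless, but it is an observable error-code change that neither the commit message nor the backport note mentions, and the note should say whether this ordering matches the upstream version of the function.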
@ -1,106 +0,0 @@
From: Cyril Bur <cyrilbur@gmail.com>
Date: Fri, 17 Jun 2016 14:58:34 +1000
Subject: powerpc/tm: Always reclaim in start_thread() for exec() class
syscalls
Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6
Userspace can quite legitimately perform an exec() syscall with a
suspended transaction. exec() does not return to the old process, rather
it load a new one and starts that, the expectation therefore is that the
new process starts not in a transaction. Currently exec() is not treated
any differently to any other syscall which creates problems.
Firstly it could allow a new process to start with a suspended
transaction for a binary that no longer exists. This means that the
checkpointed state won't be valid and if the suspended transaction were
ever to be resumed and subsequently aborted (a possibility which is
exceedingly likely as exec()ing will likely doom the transaction) the
new process will jump to invalid state.
Secondly the incorrect attempt to keep the transactional state while
still zeroing state for the new process creates at least two TM Bad
Things. The first triggers on the rfid to return to userspace as
start_thread() has given the new process a 'clean' MSR but the suspend
will still be set in the hardware MSR. The second TM Bad Thing triggers
in __switch_to() as the processor is still transactionally suspended but
__switch_to() wants to zero the TM sprs for the new process.
This is an example of the outcome of calling exec() with a suspended
transaction. Note the first 700 is likely the first TM bad thing
decsribed earlier only the kernel can't report it as we've loaded
userspace registers. c000000000009980 is the rfid in
fast_exception_return()
Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
Oops: Bad kernel stack pointer, sig: 6 [#1]
CPU: 0 PID: 2006 Comm: tm-execed Not tainted
NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
REGS: c00000003ffefd40 TRAP: 0700 Not tainted
MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]> CR: 00000000 XER: 00000000
CFAR: c0000000000098b4 SOFTE: 0
PACATMSCRATCH: b00000010000d033
GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
NIP [c000000000009980] fast_exception_return+0xb0/0xb8
LR [0000000000000000] (null)
Call Trace:
Instruction dump:
f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b
Kernel BUG at c000000000043e80 [verbose debug info unavailable]
Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
Oops: Unrecoverable exception, sig: 6 [#2]
CPU: 0 PID: 2006 Comm: tm-execed Tainted: G D
task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
REGS: c00000003ffef7e0 TRAP: 0700 Tainted: G D
MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]> CR: 28002828 XER: 00000000
CFAR: c000000000015a20 SOFTE: 0
PACATMSCRATCH: b00000010000d033
GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
LR [c000000000015a24] __switch_to+0x1f4/0x420
Call Trace:
Instruction dump:
7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
This fixes CVE-2016-5828.
Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
Cc: stable@vger.kernel.org # v3.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/process.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1503,6 +1503,16 @@ void start_thread(struct pt_regs *regs,
current->thread.regs = regs - 1;
}
+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ /*
+ * Clear any transactional state, we're exec()ing. The cause is
+ * not important as there will never be a recheckpoint so it's not
+ * user visible.
+ */
+ if (MSR_TM_SUSPENDED(mfmsr()))
+ tm_reclaim_current(0);
+#endif
+
memset(regs->gpr, 0, sizeof(regs->gpr));
regs->ctr = 0;
regs->link = 0;
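Review bot: reclaiming before the memset of regs->gpr is the right order, since the reclaim must run while the register state is still the old process's, but the comment only explains why cause 0 is acceptable; it should also say why testing MSR_TM_SUSPENDED(mfmsr()) alone is sufficient at this point (i.e. why no other transactional state can reach start_thread()), so a later reader does not wonder about the active case.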
@ -107,14 +107,6 @@ bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
bugfix/all/keys-potential-uninitialized-variable.patch
bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch
bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch
bugfix/all/posix_acl-add-set_posix_acl.patch
bugfix/all/nfsd-check-permissions-when-setting-acls.patch
bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
# ABI maintenance
debian/mips-siginfo-fix-abi-change-in-4.6.2.patch