[kernel] r22144 - in dists/squeeze-backports/linux: . debian debian/patches debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/features/all/rt
Ben Hutchings
benh at moszumanska.debian.org
Mon Dec 8 22:57:25 UTC 2014
Author: benh
Date: Mon Dec 8 22:57:25 2014
New Revision: 22144
Log:
Merge changes from wheezy-security up to 3.2.63-2+deb7u2~bpo60+1
Added:
dists/squeeze-backports/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Rework-bad_iret.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Rework-bad_iret.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch
Deleted:
dists/squeeze-backports/linux/debian/patches/features/all/rt/0222-x86-Disable-IST-stacks-for-debug-int-3-stack-fault-f.patch
dists/squeeze-backports/linux/debian/patches/features/all/rt/0333-Revert-x86-Disable-IST-stacks-for-debug-int-3-stack-.patch
Modified:
dists/squeeze-backports/linux/ (props changed)
dists/squeeze-backports/linux/debian/changelog
dists/squeeze-backports/linux/debian/patches/features/all/rt/0066-x86-Do-not-disable-preemption-in-int3-on-32bit.patch
dists/squeeze-backports/linux/debian/patches/series
dists/squeeze-backports/linux/debian/patches/series-rt
Modified: dists/squeeze-backports/linux/debian/changelog
==============================================================================
--- dists/squeeze-backports/linux/debian/changelog Mon Dec 8 22:49:00 2014 (r22143)
+++ dists/squeeze-backports/linux/debian/changelog Mon Dec 8 22:57:25 2014 (r22144)
@@ -1,4 +1,4 @@
-linux (3.2.63-2+deb7u1~bpo60+1) squeeze-backports; urgency=medium
+linux (3.2.63-2+deb7u2~bpo60+1) squeeze-backports; urgency=medium
* Rebuild for squeeze:
- Use gcc-4.4 for all architectures
@@ -11,7 +11,25 @@
- Make build target depend on build-arch only, so we don't redundantly
build documentation on each architecture
- -- Ben Hutchings <ben at decadent.org.uk> Sun, 02 Nov 2014 01:08:06 +0000
+ -- Ben Hutchings <ben at decadent.org.uk> Mon, 08 Dec 2014 22:50:26 +0000
+
+linux (3.2.63-2+deb7u2) wheezy-security; urgency=high
+
+ * Revert "drivers/net: Disable UFO through virtio" in macvtap and tun.
+ This removes the need to shut down VMs if migrating to a patched
+ host.
+ * ip: Fix backport of "ip: make IP identifiers less predictable"
+ (regression in 3.2.63) (thanks to Jeffrey Knockel)
+ * net: sctp: fix NULL pointer dereference in af->from_addr_param on
+ malformed packet (CVE-2014-7841)
+ * kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+ (CVE-2014-8369)
+ * media: ttusb-dec: buffer overflow in ioctl (CVE-2014-8884)
+ * [amd64] traps: Stop using IST for #SS (CVE-2014-9090)
+ * [amd64] traps: Fix the espfix64 #DF fixup and rewrite it in C
+ * [amd64] traps: Rework bad_iret
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 07 Dec 2014 03:42:14 +0000
linux (3.2.63-2+deb7u1) wheezy-security; urgency=high
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch)
@@ -0,0 +1,34 @@
+From: Jeffrey Knockel <jeffk at cs.unm.edu>
+Date: Wed, 12 Nov 2014 07:47:20 -0700
+Subject: Patch for 3.2.x, 3.4.x IP identifier regression
+Origin: http://mid.gmane.org/546372F8.50503@cs.unm.edu
+
+With commits 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") and
+04ca6973f7c1 ("ip: make IP identifiers less predictable"), IP
+identifiers are generated from a counter chosen from an array of
+counters indexed by the hash of the outgoing packet header's source
+address, destination address, and protocol number. Thus, in
+__ip_make_skb(), we must now call ip_select_ident() only after setting
+these fields in the IP header to prevent IP identifiers from being
+generated from bogus counters.
+
+IP id sequence before fix: 18174, 5789, 5953, 59420, 59637, ...
+After fix: 5967, 6185, 6374, 6600, 6795, 6892, 7051, 7288, ...
+
+Signed-off-by: Jeffrey Knockel <jeffk at cs.unm.edu>
+---
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1333,11 +1333,11 @@ struct sk_buff *__ip_make_skb(struct soc
+ iph->ihl = 5;
+ iph->tos = inet->tos;
+ iph->frag_off = df;
+- ip_select_ident(skb, sk);
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ iph->saddr = fl4->saddr;
+ iph->daddr = fl4->daddr;
++ ip_select_ident(skb, sk);
+
+ if (opt) {
+ iph->ihl += opt->optlen>>2;
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch)
@@ -0,0 +1,74 @@
+From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Date: Fri, 17 Oct 2014 22:55:59 +0200
+Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+Origin: https://git.kernel.org/linus/3d32e4dbe71374a6780eaf51d719d76f9a9bf22f
+
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Cc: stable at vger.kernel.org
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles at oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.2: kvm_pin_pages() also takes a struct kvm *kvm param]
+---
+ virt/kvm/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k
+ gfn_t base_gfn, unsigned long npages);
+
+ static pfn_t kvm_pin_pages(struct kvm *kvm, struct kvm_memory_slot *slot,
+- gfn_t gfn, unsigned long size)
++ gfn_t gfn, unsigned long npages)
+ {
+ gfn_t end_gfn;
+ pfn_t pfn;
+
+ pfn = gfn_to_pfn_memslot(kvm, slot, gfn);
+- end_gfn = gfn + (size >> PAGE_SHIFT);
++ end_gfn = gfn + npages;
+ gfn += 1;
+
+ if (is_error_pfn(pfn))
+@@ -117,7 +117,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ * Pin all pages we are about to map in memory. This is
+ * important because we unmap and unpin in 4kb steps later.
+ */
+- pfn = kvm_pin_pages(kvm, slot, gfn, page_size);
++ pfn = kvm_pin_pages(kvm, slot, gfn, page_size >> PAGE_SHIFT);
+ if (is_error_pfn(pfn)) {
+ gfn += 1;
+ continue;
+@@ -129,7 +129,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ if (r) {
+ printk(KERN_ERR "kvm_iommu_map_address:"
+ "iommu failed to map pfn=%llx\n", pfn);
+- kvm_unpin_pages(kvm, pfn, page_size);
++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+ goto unmap_pages;
+ }
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch)
@@ -0,0 +1,26 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 5 Sep 2014 09:09:28 -0300
+Subject: [media] ttusb-dec: buffer overflow in ioctl
+Origin: https://git.kernel.org/linus/f2e323ec96077642d397bb1c355def536d489d16
+
+We need to add a limit check here so we don't overflow the buffer.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
++++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
+@@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_m
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00 };
+
++ if (cmd->msg_len > sizeof(b) - 4)
++ return -EINVAL;
++
+ memcpy(&b[4], cmd->msg, cmd->msg_len);
+
+ state->config->send_command(fe, 0x72,
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch)
@@ -0,0 +1,73 @@
+From: Daniel Borkmann <dborkman at redhat.com>
+Date: Mon, 10 Nov 2014 17:54:26 +0100
+Subject: net: sctp: fix NULL pointer dereference in af->from_addr_param on
+ malformed packet
+Origin: https://git.kernel.org/linus/e40607cbe270a9e8360907cb1e62ddf0736e4864
+
+An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
+in the form of:
+
+ ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
+
+While the INIT chunk parameter verification dissects through many things
+in order to detect malformed input, it misses to actually check parameters
+inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
+IP address' parameter in ASCONF, which has as a subparameter an address
+parameter.
+
+So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
+or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
+and thus sctp_get_af_specific() returns NULL, too, which we then happily
+dereference unconditionally through af->from_addr_param().
+
+The trace for the log:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+PGD 0
+Oops: 0000 [#1] SMP
+[...]
+Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
+RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
+ [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
+ [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
+ [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
+ [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
+ [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
+ [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
+ [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
+ [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+ [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+[...]
+
+A minimal way to address this is to check for NULL as we do on all
+other such occasions where we know sctp_get_af_specific() could
+possibly return with NULL.
+
+Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Cc: Vlad Yasevich <vyasevich at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/sm_make_chunk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2570,6 +2570,9 @@ do_addr_param:
+ addr_param = param.v + sizeof(sctp_addip_param_t);
+
+ af = sctp_get_af_specific(param_type2af(param.p->type));
++ if (af == NULL)
++ break;
++
+ af->from_addr_param(&addr, addr_param,
+ htons(asoc->peer.port), 0);
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch)
@@ -0,0 +1,96 @@
+Subject: Revert "drivers/net: Disable UFO through virtio" in macvtap and tun
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Tue, 11 Nov 2014 17:12:58 +0000
+
+This reverts commit 88e0e0e5aa722b193c8758c8b45d041de5316924 for
+the tap drivers, but leaves UFO disabled in virtio_net.
+
+libvirt at least assumes that tap features will never be dropped
+in new kernel versions, and doing so prevents migration of VMs to
+the never kernel version while they are running with virtio net
+devices.
+
+Fixes: 88e0e0e5aa7a ("drivers/net: Disable UFO through virtio")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -579,8 +579,6 @@ static int macvtap_skb_from_vnet_hdr(str
+ gso_type = SKB_GSO_TCPV6;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n",
+- current->comm);
+ gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
+@@ -628,6 +626,8 @@ static int macvtap_skb_to_vnet_hdr(const
+ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (sinfo->gso_type & SKB_GSO_TCPV6)
+ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (sinfo->gso_type & SKB_GSO_UDP)
++ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else
+ BUG();
+ if (sinfo->gso_type & SKB_GSO_TCP_ECN)
+@@ -965,7 +965,7 @@ static long macvtap_ioctl(struct file *f
+ case TUNSETOFFLOAD:
+ /* let the user check for future flags */
+ if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 |
+- TUN_F_TSO_ECN))
++ TUN_F_TSO_ECN | TUN_F_UFO))
+ return -EINVAL;
+
+ /* TODO: only accept frames with the features that
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -128,7 +128,7 @@ struct tun_struct {
+ struct net_device *dev;
+ u32 set_features;
+ #define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \
+- NETIF_F_TSO6)
++ NETIF_F_TSO6|NETIF_F_UFO)
+ struct fasync_struct *fasync;
+
+ struct tap_filter txflt;
+@@ -710,19 +710,10 @@ static ssize_t tun_get_user(struct tun_s
+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- {
+- static bool warned;
+- if (!warned) {
+- warned = true;
+- netdev_warn(tun->dev,
+- "%s: using disabled UFO feature; please fix this program\n",
+- current->comm);
+- }
+ skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
+ break;
+- }
+ default:
+ tun->dev->stats.rx_frame_errors++;
+ kfree_skb(skb);
+@@ -808,6 +799,8 @@ static ssize_t tun_put_user(struct tun_s
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (sinfo->gso_type & SKB_GSO_TCPV6)
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (sinfo->gso_type & SKB_GSO_UDP)
++ gso.gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else {
+ pr_err("unexpected GSO type: "
+ "0x%x, gso_size %d, hdr_len %d\n",
+@@ -1231,6 +1224,11 @@ static int set_offload(struct tun_struct
+ features |= NETIF_F_TSO6;
+ arg &= ~(TUN_F_TSO4|TUN_F_TSO6);
+ }
++
++ if (arg & TUN_F_UFO) {
++ features |= NETIF_F_UFO;
++ arg &= ~TUN_F_UFO;
++ }
+ }
+
+ /* This gives the user a way to test for new features in future by
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch)
@@ -0,0 +1,114 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Sat, 22 Nov 2014 18:00:31 -0800
+Subject: x86_64, traps: Fix the espfix64 #DF fixup and rewrite it in C
+Origin: https://git.kernel.org/linus/af726f21ed8af2cdaa4e93098dc211521218ae65
+
+There's nothing special enough about the espfix64 double fault fixup to
+justify writing it in assembly. Move it to C.
+
+This also fixes a bug: if the double fault came from an IST stack, the
+old asm code would return to a partially uninitialized stack frame.
+
+Fixes: 3891a04aafd668686239349ea58f3314ea2af86b
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Reviewed-by: Thomas Gleixner <tglx at linutronix.de>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2:
+ - Keep using the paranoiderrorentry macro to generate the asm code
+ - Adjust context]
+---
+ arch/x86/kernel/entry_64.S | 34 ++--------------------------------
+ arch/x86/kernel/traps.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 32 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -873,6 +873,7 @@ ENTRY(native_iret)
+ jnz native_irq_return_ldt
+ #endif
+
++.global native_irq_return_iret
+ native_irq_return_iret:
+ iretq
+
+@@ -972,37 +973,6 @@ ENTRY(retint_kernel)
+ CFI_ENDPROC
+ END(common_interrupt)
+
+- /*
+- * If IRET takes a fault on the espfix stack, then we
+- * end up promoting it to a doublefault. In that case,
+- * modify the stack to make it look like we just entered
+- * the #GP handler from user space, similar to bad_iret.
+- */
+-#ifdef CONFIG_X86_ESPFIX64
+- ALIGN
+-__do_double_fault:
+- XCPT_FRAME 1 RDI+8
+- movq RSP(%rdi),%rax /* Trap on the espfix stack? */
+- sarq $PGDIR_SHIFT,%rax
+- cmpl $ESPFIX_PGD_ENTRY,%eax
+- jne do_double_fault /* No, just deliver the fault */
+- cmpl $__KERNEL_CS,CS(%rdi)
+- jne do_double_fault
+- movq RIP(%rdi),%rax
+- cmpq $native_irq_return_iret,%rax
+- jne do_double_fault /* This shouldn't happen... */
+- movq PER_CPU_VAR(kernel_stack),%rax
+- subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */
+- movq %rax,RSP(%rdi)
+- movq $0,(%rax) /* Missing (lost) #GP error code */
+- movq $general_protection,RIP(%rdi)
+- retq
+- CFI_ENDPROC
+-END(__do_double_fault)
+-#else
+-# define __do_double_fault do_double_fault
+-#endif
+-
+ /*
+ * End of kprobes section
+ */
+@@ -1169,7 +1139,7 @@ zeroentry overflow do_overflow
+ zeroentry bounds do_bounds
+ zeroentry invalid_op do_invalid_op
+ zeroentry device_not_available do_device_not_available
+-paranoiderrorentry double_fault __do_double_fault
++paranoiderrorentry double_fault do_double_fault
+ zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun
+ errorentry invalid_TSS do_invalid_TSS
+ errorentry segment_not_present do_segment_not_present
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -224,6 +224,30 @@ dotraplinkage void do_double_fault(struc
+ static const char str[] = "double fault";
+ struct task_struct *tsk = current;
+
++#ifdef CONFIG_X86_ESPFIX64
++ extern unsigned char native_irq_return_iret[];
++
++ /*
++ * If IRET takes a non-IST fault on the espfix64 stack, then we
++ * end up promoting it to a doublefault. In that case, modify
++ * the stack to make it look like we just entered the #GP
++ * handler from user space, similar to bad_iret.
++ */
++ if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
++ regs->cs == __KERNEL_CS &&
++ regs->ip == (unsigned long)native_irq_return_iret)
++ {
++ struct pt_regs *normal_regs = task_pt_regs(current);
++
++ /* Fake a #GP(0) from userspace. */
++ memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
++ normal_regs->orig_ax = 0; /* Missing (lost) #GP error code */
++ regs->ip = (unsigned long)general_protection;
++ regs->sp = (unsigned long)&normal_regs->orig_ax;
++ return;
++ }
++#endif
++
+ /* Return not checked because double check cannot be ignored */
+ notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV);
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Rework-bad_iret.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Rework-bad_iret.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Rework-bad_iret.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Rework-bad_iret.patch)
@@ -0,0 +1,154 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Sat, 22 Nov 2014 18:00:33 -0800
+Subject: x86_64, traps: Rework bad_iret
+Origin: https://git.kernel.org/linus/b645af2d5905c4e32399005b867987919cbfc3ae
+
+It's possible for iretq to userspace to fail. This can happen because
+of a bad CS, SS, or RIP.
+
+Historically, we've handled it by fixing up an exception from iretq to
+land at bad_iret, which pretends that the failed iret frame was really
+the hardware part of #GP(0) from userspace. To make this work, there's
+an extra fixup to fudge the gs base into a usable state.
+
+This is suboptimal because it loses the original exception. It's also
+buggy because there's no guarantee that we were on the kernel stack to
+begin with. For example, if the failing iret happened on return from an
+NMI, then we'll end up executing general_protection on the NMI stack.
+This is bad for several reasons, the most immediate of which is that
+general_protection, as a non-paranoid idtentry, will try to deliver
+signals and/or schedule from the wrong stack.
+
+This patch throws out bad_iret entirely. As a replacement, it augments
+the existing swapgs fudge into a full-blown iret fixup, mostly written
+in C. It's should be clearer and more correct.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Reviewed-by: Thomas Gleixner <tglx at linutronix.de>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2: we didn't use the _ASM_EXTABLE macro]
+---
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -875,12 +875,14 @@ ENTRY(native_iret)
+
+ .global native_irq_return_iret
+ native_irq_return_iret:
++ /*
++ * This may fault. Non-paranoid faults on return to userspace are
++ * handled by fixup_bad_iret. These include #SS, #GP, and #NP.
++ * Double-faults due to espfix64 are handled in do_double_fault.
++ * Other faults here are fatal.
++ */
+ iretq
+
+- .section __ex_table,"a"
+- .quad native_irq_return_iret, bad_iret
+- .previous
+-
+ #ifdef CONFIG_X86_ESPFIX64
+ native_irq_return_ldt:
+ pushq_cfi %rax
+@@ -907,25 +909,6 @@ native_irq_return_ldt:
+ jmp native_irq_return_iret
+ #endif
+
+- .section .fixup,"ax"
+-bad_iret:
+- /*
+- * The iret traps when the %cs or %ss being restored is bogus.
+- * We've lost the original trap vector and error code.
+- * #GPF is the most likely one to get for an invalid selector.
+- * So pretend we completed the iret and took the #GPF in user mode.
+- *
+- * We are now running with the kernel GS after exception recovery.
+- * But error_entry expects us to have user GS to match the user %cs,
+- * so swap back.
+- */
+- pushq $0
+-
+- SWAPGS
+- jmp general_protection
+-
+- .previous
+-
+ /* edi: workmask, edx: work */
+ retint_careful:
+ CFI_RESTORE_STATE
+@@ -1463,16 +1446,15 @@ error_sti:
+
+ /*
+ * There are two places in the kernel that can potentially fault with
+- * usergs. Handle them here. The exception handlers after iret run with
+- * kernel gs again, so don't set the user space flag. B stepping K8s
+- * sometimes report an truncated RIP for IRET exceptions returning to
+- * compat mode. Check for these here too.
++ * usergs. Handle them here. B stepping K8s sometimes report a
++ * truncated RIP for IRET exceptions returning to compat mode. Check
++ * for these here too.
+ */
+ error_kernelspace:
+ incl %ebx
+ leaq native_irq_return_iret(%rip),%rcx
+ cmpq %rcx,RIP+8(%rsp)
+- je error_swapgs
++ je error_bad_iret
+ movl %ecx,%eax /* zero extend */
+ cmpq %rax,RIP+8(%rsp)
+ je bstep_iret
+@@ -1483,7 +1465,15 @@ error_kernelspace:
+ bstep_iret:
+ /* Fix truncated RIP */
+ movq %rcx,RIP+8(%rsp)
+- jmp error_swapgs
++ /* fall through */
++
++error_bad_iret:
++ SWAPGS
++ mov %rsp,%rdi
++ call fixup_bad_iret
++ mov %rax,%rsp
++ decl %ebx /* Return to usergs */
++ jmp error_sti
+ CFI_ENDPROC
+ END(error_entry)
+
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -363,6 +363,35 @@ asmlinkage __kprobes struct pt_regs *syn
+ *regs = *eregs;
+ return regs;
+ }
++
++struct bad_iret_stack {
++ void *error_entry_ret;
++ struct pt_regs regs;
++};
++
++asmlinkage
++struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
++{
++ /*
++ * This is called from entry_64.S early in handling a fault
++ * caused by a bad iret to user mode. To handle the fault
++ * correctly, we want move our stack frame to task_pt_regs
++ * and we want to pretend that the exception came from the
++ * iret target.
++ */
++ struct bad_iret_stack *new_stack =
++ container_of(task_pt_regs(current),
++ struct bad_iret_stack, regs);
++
++ /* Copy the IRET target to the new stack. */
++ memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
++
++ /* Copy the remainder of the stack from the current stack. */
++ memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
++
++ BUG_ON(!user_mode_vm(&new_stack->regs));
++ return new_stack;
++}
+ #endif
+
+ /*
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch Mon Dec 8 22:57:25 2014 (r22144, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch)
@@ -0,0 +1,115 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Sat, 22 Nov 2014 18:00:32 -0800
+Subject: x86_64, traps: Stop using IST for #SS
+Origin: https://git.kernel.org/linus/6f442be2fb22be02cafa606f1769fa1e6f894441
+
+On a 32-bit kernel, this has no effect, since there are no IST stacks.
+
+On a 64-bit kernel, #SS can only happen in user code, on a failed iret
+to user space, a canonical violation on access via RSP or RBP, or a
+genuine stack segment violation in 32-bit kernel code. The first two
+cases don't need IST, and the latter two cases are unlikely fatal bugs,
+and promoting them to double faults would be fine.
+
+This fixes a bug in which the espfix64 code mishandles a stack segment
+violation.
+
+This saves 4k of memory per CPU and a tiny bit of code.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+Reviewed-by: Thomas Gleixner <tglx at linutronix.de>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2:
+ - No need to define trace_stack_segment
+ - Use the errorentry macro to generate #SS asm code
+ - Adjust context
+ - Checked that this matches Luis's backport for Ubuntu]
+---
+--- a/arch/x86/include/asm/page_32_types.h
++++ b/arch/x86/include/asm/page_32_types.h
+@@ -18,7 +18,6 @@
+ #define THREAD_ORDER 1
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_ORDER)
+
+-#define STACKFAULT_STACK 0
+ #define DOUBLEFAULT_STACK 1
+ #define NMI_STACK 0
+ #define DEBUG_STACK 0
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -14,12 +14,11 @@
+ #define IRQ_STACK_ORDER 2
+ #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER)
+
+-#define STACKFAULT_STACK 1
+-#define DOUBLEFAULT_STACK 2
+-#define NMI_STACK 3
+-#define DEBUG_STACK 4
+-#define MCE_STACK 5
+-#define N_EXCEPTION_STACKS 5 /* hw limit: 7 */
++#define DOUBLEFAULT_STACK 1
++#define NMI_STACK 2
++#define DEBUG_STACK 3
++#define MCE_STACK 4
++#define N_EXCEPTION_STACKS 4 /* hw limit: 7 */
+
+ #define PUD_PAGE_SIZE (_AC(1, UL) << PUD_SHIFT)
+ #define PUD_PAGE_MASK (~(PUD_PAGE_SIZE-1))
+--- a/arch/x86/kernel/dumpstack_64.c
++++ b/arch/x86/kernel/dumpstack_64.c
+@@ -24,7 +24,6 @@ static char x86_stack_ids[][8] = {
+ [ DEBUG_STACK-1 ] = "#DB",
+ [ NMI_STACK-1 ] = "NMI",
+ [ DOUBLEFAULT_STACK-1 ] = "#DF",
+- [ STACKFAULT_STACK-1 ] = "#SS",
+ [ MCE_STACK-1 ] = "#MC",
+ #if DEBUG_STKSZ > EXCEPTION_STKSZ
+ [ N_EXCEPTION_STACKS ...
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1383,7 +1383,7 @@ apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
+
+ paranoidzeroentry_ist debug do_debug DEBUG_STACK
+ paranoidzeroentry_ist int3 do_int3 DEBUG_STACK
+-paranoiderrorentry stack_segment do_stack_segment
++errorentry stack_segment do_stack_segment
+ #ifdef CONFIG_XEN
+ zeroentry xen_debug do_debug
+ zeroentry xen_int3 do_int3
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -213,24 +213,12 @@ DO_ERROR(X86_TRAP_OLD_MF, SIGFPE, "copro
+ coprocessor_segment_overrun)
+ DO_ERROR(X86_TRAP_TS, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present)
+-#ifdef CONFIG_X86_32
+ DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment)
+-#endif
+ DO_ERROR_INFO(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check,
+ BUS_ADRALN, 0)
+
+ #ifdef CONFIG_X86_64
+ /* Runs on IST stack */
+-dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code)
+-{
+- if (notify_die(DIE_TRAP, "stack segment", regs, error_code,
+- X86_TRAP_SS, SIGBUS) == NOTIFY_STOP)
+- return;
+- preempt_conditional_sti(regs);
+- do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL);
+- preempt_conditional_cli(regs);
+-}
+-
+ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
+ {
+ static const char str[] = "double fault";
+@@ -711,7 +699,7 @@ void __init trap_init(void)
+ set_intr_gate(X86_TRAP_OLD_MF, &coprocessor_segment_overrun);
+ set_intr_gate(X86_TRAP_TS, &invalid_TSS);
+ set_intr_gate(X86_TRAP_NP, &segment_not_present);
+- set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK);
++ set_intr_gate(X86_TRAP_SS, stack_segment);
+ set_intr_gate(X86_TRAP_GP, &general_protection);
+ set_intr_gate(X86_TRAP_SPURIOUS, &spurious_interrupt_bug);
+ set_intr_gate(X86_TRAP_MF, &coprocessor_error);
Modified: dists/squeeze-backports/linux/debian/patches/features/all/rt/0066-x86-Do-not-disable-preemption-in-int3-on-32bit.patch
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/features/all/rt/0066-x86-Do-not-disable-preemption-in-int3-on-32bit.patch Mon Dec 8 22:49:00 2014 (r22143)
+++ dists/squeeze-backports/linux/debian/patches/features/all/rt/0066-x86-Do-not-disable-preemption-in-int3-on-32bit.patch Mon Dec 8 22:57:25 2014 (r22144)
@@ -19,15 +19,11 @@
Cc: stable-rt at vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+[bwh: Dropped changes to do_stack_segment(), removed by fix for CVE-2014-9090]
---
- arch/x86/kernel/traps.c | 32 +++++++++++++++++++++++---------
- 1 file changed, 23 insertions(+), 9 deletions(-)
-
-diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 20061b9..8e58b45 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
-@@ -87,9 +87,21 @@ static inline void conditional_sti(struct pt_regs *regs)
+@@ -87,9 +87,21 @@ static inline void conditional_sti(struc
local_irq_enable();
}
@@ -50,7 +46,7 @@
if (regs->flags & X86_EFLAGS_IF)
local_irq_enable();
}
-@@ -100,11 +112,13 @@ static inline void conditional_cli(struct pt_regs *regs)
+@@ -100,11 +112,13 @@ static inline void conditional_cli(struc
local_irq_disable();
}
@@ -65,19 +61,7 @@
}
static void __kprobes
-@@ -226,9 +240,9 @@ dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code)
- if (notify_die(DIE_TRAP, "stack segment", regs, error_code,
- X86_TRAP_SS, SIGBUS) == NOTIFY_STOP)
- return;
-- preempt_conditional_sti(regs);
-+ conditional_sti_ist(regs);
- do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL);
-- preempt_conditional_cli(regs);
-+ conditional_cli_ist(regs);
- }
-
- dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
-@@ -321,9 +335,9 @@ dotraplinkage void __kprobes do_int3(struct pt_regs *regs, long error_code)
+@@ -333,9 +347,9 @@ dotraplinkage void __kprobes do_int3(str
return;
#endif
@@ -89,7 +73,7 @@
}
#ifdef CONFIG_X86_64
-@@ -417,12 +431,12 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -458,12 +472,12 @@ dotraplinkage void __kprobes do_debug(st
return;
/* It's safe to allow irq's after DR6 has been saved */
@@ -104,7 +88,7 @@
return;
}
-@@ -441,7 +455,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+@@ -482,7 +496,7 @@ dotraplinkage void __kprobes do_debug(st
si_code = get_si_code(tsk->thread.debugreg6);
if (tsk->thread.debugreg6 & (DR_STEP | DR_TRAP_BITS) || user_icebp)
send_sigtrap(tsk, regs, error_code, si_code);
Modified: dists/squeeze-backports/linux/debian/patches/series
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/series Mon Dec 8 22:49:00 2014 (r22143)
+++ dists/squeeze-backports/linux/debian/patches/series Mon Dec 8 22:57:25 2014 (r22144)
@@ -1154,3 +1154,11 @@
bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
bugfix/x86/x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
+bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
+bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
+bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+bugfix/all/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
+bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
+bugfix/x86/x86_64-traps-Stop-using-IST-for-SS.patch
+bugfix/x86/x86_64-traps-Fix-the-espfix64-DF-fixup-and-rewrite-i.patch
+bugfix/x86/x86_64-traps-Rework-bad_iret.patch
Modified: dists/squeeze-backports/linux/debian/patches/series-rt
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/series-rt Mon Dec 8 22:49:00 2014 (r22143)
+++ dists/squeeze-backports/linux/debian/patches/series-rt Mon Dec 8 22:57:25 2014 (r22144)
@@ -220,7 +220,6 @@
features/all/rt/0219-x86-Convert-mce-timer-to-hrtimer.patch
features/all/rt/0220-x86-stackprotector-Avoid-random-pool-on-rt.patch
features/all/rt/0221-x86-Use-generic-rwsem_spinlocks-on-rt.patch
-features/all/rt/0222-x86-Disable-IST-stacks-for-debug-int-3-stack-fault-f.patch
features/all/rt/0223-workqueue-use-get-cpu-light.patch.patch
features/all/rt/0224-epoll.patch.patch
features/all/rt/0225-mm-vmalloc.patch.patch
@@ -331,7 +330,6 @@
features/all/rt/0330-smp-add-func-to-IPI-cpus-based-on-parameter-func.patch
features/all/rt/0331-fs-only-send-IPI-to-invalidate-LRU-BH-when-needed.patch
features/all/rt/0332-rcutree-rcu_bh_qs-disable-irq-while-calling-rcu_pree.patch
-features/all/rt/0333-Revert-x86-Disable-IST-stacks-for-debug-int-3-stack-.patch
features/all/rt/0334-rt-Make-cpu_chill-use-hrtimer-instead-of-msleep.patch
features/all/rt/0335-kernel-hrtimer-be-non-freezeable-in-cpu_chill.patch
features/all/rt/0336-arm-unwind-use-a-raw_spin_lock.patch
More information about the Kernel-svn-changes
mailing list