[kernel] r22540 - in dists/wheezy-backports/linux: . debian debian/patches debian/patches/bugfix/all debian/patches/bugfix/all/access_once debian/patches/bugfix/x86
Ben Hutchings
benh at moszumanska.debian.org
Mon Apr 27 19:47:14 UTC 2015
Author: benh
Date: Mon Apr 27 19:47:14 2015
New Revision: 22540
Log:
Merge changes from jessie up to 3.16.7-ckt9-3~deb8u1
Added:
dists/wheezy-backports/linux/debian/patches/bugfix/all/access_once/
- copied from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/access_once/
dists/wheezy-backports/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
- copied unchanged from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
dists/wheezy-backports/linux/debian/patches/bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch
- copied unchanged from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch
dists/wheezy-backports/linux/debian/patches/bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch
- copied unchanged from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch
dists/wheezy-backports/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
- copied unchanged from r22527, dists/jessie-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
Modified:
dists/wheezy-backports/linux/ (props changed)
dists/wheezy-backports/linux/debian/changelog
dists/wheezy-backports/linux/debian/patches/series
Modified: dists/wheezy-backports/linux/debian/changelog
==============================================================================
--- dists/wheezy-backports/linux/debian/changelog Mon Apr 27 19:44:59 2015 (r22539)
+++ dists/wheezy-backports/linux/debian/changelog Mon Apr 27 19:47:14 2015 (r22540)
@@ -1,3 +1,35 @@
+linux (3.16.7-ckt9-3~deb8u1~bpo70+1) wheezy-backports; urgency=high
+
+ * Rebuild for wheezy:
+ - Disable architectures that weren't part of wheezy
+ - Use gcc-4.6 for all architectures
+ - Change ABI number to 0.bpo.4
+ - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
+ - linux-image: Depend on initramfs-tools without any alternatives, so
+ that neither apt nor aptitude will automatically switch to dracut
+
+ -- Ben Hutchings <ben at decadent.org.uk> Mon, 27 Apr 2015 20:13:07 +0100
+
+linux (3.16.7-ckt9-3~deb8u1) jessie-security; urgency=high
+
+ [ Ben Hutchings ]
+ * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561)
+ (CVE-2015-3331)
+ * tcp: Fix crash in TCP Fast Open (Closes: #782515) (CVE-2015-3332)
+ * kernel: Provide READ_ONCE and ASSIGN_ONCE
+ * Replace use of ACCESS_ONCE on non-scalar types with READ_ONCE or barriers
+ as appropriate
+ * kernel: tighten rules for ACCESS ONCE
+ * kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val)
+ * fs: take i_mutex during prepare_binprm for set[ug]id executables
+ (CVE-2015-3339)
+
+ [ Ian Campbell ]
+ * [xen] release per-queue Tx and Rx resource when disconnecting, fixing
+ network after save/restore or migration. (Closes: #782698)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Fri, 24 Apr 2015 03:00:00 +0100
+
linux (3.16.7-ckt9-2~bpo70+1) wheezy-backports; urgency=medium
* Rebuild for wheezy:
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch (from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch Mon Apr 27 19:47:14 2015 (r22540, copy of r22527, dists/jessie-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch)
@@ -0,0 +1,112 @@
+From: Jann Horn <jann at thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+Origin: https://git.kernel.org/linus/8b01fc86b9f425899f8a3a8fc1c47d73c2c20543
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Signed-off-by: Jann Horn <jann at thejh.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.16: s/task_no_new_privs(current)/current->no_new_privs/]
+---
+ fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 48 insertions(+), 28 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1254,6 +1254,53 @@ static void check_unsafe_exec(struct lin
+ spin_unlock(&p->fs->lock);
+ }
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ kuid_t uid;
++ kgid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (current->no_new_privs)
++ return;
++
++ inode = file_inode(bprm->file);
++ mode = READ_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ /* We ignore suid/sgid if there are no mappings for them in the ns */
++ if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
++ !kgid_has_mapping(bprm->cred->user_ns, gid))
++ return;
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+ /*
+ * Fill the binprm structure from the inode.
+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1262,36 +1309,9 @@ static void check_unsafe_exec(struct lin
+ */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+- struct inode *inode = file_inode(bprm->file);
+- umode_t mode = inode->i_mode;
+ int retval;
+
+-
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !current->no_new_privs &&
+- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
+- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+ /* fill in binprm security blob */
+ retval = security_bprm_set_creds(bprm);
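Review bot: In bprm_fill_uid(), the test `(mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)` has lost the comment that the removed prepare_binprm() code carried, which explained that setgid without group-execute marks a mandatory-locking candidate rather than a setgid executable. Please carry that comment over, since the condition is not self-explanatory. The comment "reload atomically mode/uid/gid now that lock held" would also be clearer if it named what the lock guards against (a concurrent chown(), per the commit message). Finally, `mode` changes from umode_t to unsigned int with no stated reason.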
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch (from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch Mon Apr 27 19:47:14 2015 (r22540, copy of r22527, dists/jessie-security/linux/debian/patches/bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch)
@@ -0,0 +1,39 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 15 Apr 2015 17:26:54 +0100
+Subject: tcp: Fix crash in TCP Fast Open
+Bug-Debian: https://bugs.debian.org/782515
+Forwarded: http://mid.gmane.org/1429120832.3211.91.camel@decadent.org.uk
+
+Commit 355a901e6cf1 ("tcp: make connect() mem charging friendly")
+changed tcp_send_syn_data() to perform an open-coded copy of the 'syn'
+skb rather than using skb_copy_expand().
+
+The open-coded copy does not cover the skb_shared_info::gso_segs
+field, so in the new skb it is left set to 0. When this commit was
+backported into stable branches between 3.10.y and 3.16.7-ckty
+inclusive, it triggered the BUG() in tcp_transmit_skb().
+
+Since Linux 3.18 the GSO segment count is kept in the
+tcp_skb_cb::tcp_gso_segs field and tcp_send_syn_data() does copy the
+tcp_skb_cb structure to the new skb, so mainline and newer stable
+branches are not affected.
+
+Set skb_shared_info::gso_segs to the correct value of 1.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ipv4/tcp_output.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index d5457e4..1ea0a07 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2992,6 +2992,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
+ goto fallback;
+ syn_data->ip_summed = CHECKSUM_PARTIAL;
+ memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
++ skb_shinfo(syn_data)->gso_segs = 1;
+ if (unlikely(memcpy_fromiovecend(skb_put(syn_data, space),
+ fo->data->msg_iov, 0, space))) {
+ kfree_skb(syn_data);
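Review bot: The added `skb_shinfo(syn_data)->gso_segs = 1;` in tcp_send_syn_data() has no comment, so the reason for it is recorded only in the patch description. A one-line comment saying that the open-coded copy does not cover skb_shared_info, and that the assignment is needed only on branches where the segment count is not yet kept in tcp_skb_cb (before 3.18, per the description), would help anyone rebasing this. The header has a Forwarded: field but no Origin:; since the description says mainline is not affected, stating that this is a stable-branch-only fix would make that explicit.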
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch (from r22527, dists/jessie-security/linux/debian/patches/bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch Mon Apr 27 19:47:14 2015 (r22540, copy of r22527, dists/jessie-security/linux/debian/patches/bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch)
@@ -0,0 +1,137 @@
+From a5b5dc3ce4df4f05f4d81c7d3c56a7604b242093 Mon Sep 17 00:00:00 2001
+From: David Vrabel <david.vrabel at citrix.com>
+Date: Thu, 31 Jul 2014 17:38:23 +0100
+Subject: [PATCH] xen-netfront: release per-queue Tx and Rx resource when
+ disconnecting
+Origin: https://git.kernel.org/linus/a5b5dc3ce4df4f05f4d81c7d3c56a7604b242093
+
+Since netfront may reconnect to a backend with a different number of
+queues, all per-queue Rx and Tx resources (skbs and grant references)
+should be freed when disconnecting.
+
+Without this fix, the Tx and Rx grant refs are not released and
+netfront will exhaust them after only a few reconnections. netfront
+will fail to connect when no free grant references are available.
+
+Since all Rx bufs are freed and reallocated instead of reused this
+will add some additional delay to the reconnection but this is
+expected to be small compared to the time taken by any backend hotplug
+scripts etc.
+
+Signed-off-by: David Vrabel <david.vrabel at citrix.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/xen-netfront.c | 68 +++++-----------------------------------------
+ 1 file changed, 7 insertions(+), 61 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 1cc46d0..0b133a3 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1196,22 +1196,6 @@ static void xennet_release_rx_bufs(struct netfront_queue *queue)
+ spin_unlock_bh(&queue->rx_lock);
+ }
+
+-static void xennet_uninit(struct net_device *dev)
+-{
+- struct netfront_info *np = netdev_priv(dev);
+- unsigned int num_queues = dev->real_num_tx_queues;
+- struct netfront_queue *queue;
+- unsigned int i;
+-
+- for (i = 0; i < num_queues; ++i) {
+- queue = &np->queues[i];
+- xennet_release_tx_bufs(queue);
+- xennet_release_rx_bufs(queue);
+- gnttab_free_grant_references(queue->gref_tx_head);
+- gnttab_free_grant_references(queue->gref_rx_head);
+- }
+-}
+-
+ static netdev_features_t xennet_fix_features(struct net_device *dev,
+ netdev_features_t features)
+ {
+@@ -1313,7 +1297,6 @@ static void xennet_poll_controller(struct net_device *dev)
+
+ static const struct net_device_ops xennet_netdev_ops = {
+ .ndo_open = xennet_open,
+- .ndo_uninit = xennet_uninit,
+ .ndo_stop = xennet_close,
+ .ndo_start_xmit = xennet_start_xmit,
+ .ndo_change_mtu = xennet_change_mtu,
+@@ -1455,6 +1438,11 @@ static void xennet_disconnect_backend(struct netfront_info *info)
+
+ napi_synchronize(&queue->napi);
+
++ xennet_release_tx_bufs(queue);
++ xennet_release_rx_bufs(queue);
++ gnttab_free_grant_references(queue->gref_tx_head);
++ gnttab_free_grant_references(queue->gref_rx_head);
++
+ /* End access and free the pages */
+ xennet_end_access(queue->tx_ring_ref, queue->tx.sring);
+ xennet_end_access(queue->rx_ring_ref, queue->rx.sring);
+@@ -2010,10 +1998,7 @@ static int xennet_connect(struct net_device *dev)
+ {
+ struct netfront_info *np = netdev_priv(dev);
+ unsigned int num_queues = 0;
+- int i, requeue_idx, err;
+- struct sk_buff *skb;
+- grant_ref_t ref;
+- struct xen_netif_rx_request *req;
++ int err;
+ unsigned int feature_rx_copy;
+ unsigned int j = 0;
+ struct netfront_queue *queue = NULL;
+@@ -2040,47 +2025,8 @@ static int xennet_connect(struct net_device *dev)
+ netdev_update_features(dev);
+ rtnl_unlock();
+
+- /* By now, the queue structures have been set up */
+- for (j = 0; j < num_queues; ++j) {
+- queue = &np->queues[j];
+-
+- /* Step 1: Discard all pending TX packet fragments. */
+- spin_lock_irq(&queue->tx_lock);
+- xennet_release_tx_bufs(queue);
+- spin_unlock_irq(&queue->tx_lock);
+-
+- /* Step 2: Rebuild the RX buffer freelist and the RX ring itself. */
+- spin_lock_bh(&queue->rx_lock);
+-
+- for (requeue_idx = 0, i = 0; i < NET_RX_RING_SIZE; i++) {
+- skb_frag_t *frag;
+- const struct page *page;
+- if (!queue->rx_skbs[i])
+- continue;
+-
+- skb = queue->rx_skbs[requeue_idx] = xennet_get_rx_skb(queue, i);
+- ref = queue->grant_rx_ref[requeue_idx] = xennet_get_rx_ref(queue, i);
+- req = RING_GET_REQUEST(&queue->rx, requeue_idx);
+-
+- frag = &skb_shinfo(skb)->frags[0];
+- page = skb_frag_page(frag);
+- gnttab_grant_foreign_access_ref(
+- ref, queue->info->xbdev->otherend_id,
+- pfn_to_mfn(page_to_pfn(page)),
+- 0);
+- req->gref = ref;
+- req->id = requeue_idx;
+-
+- requeue_idx++;
+- }
+-
+- queue->rx.req_prod_pvt = requeue_idx;
+-
+- spin_unlock_bh(&queue->rx_lock);
+- }
+-
+ /*
+- * Step 3: All public and private state should now be sane. Get
++ * All public and private state should now be sane. Get
+ * ready to start sending and receiving packets and give the driver
+ * domain a kick because we've probably just requeued some
+ * packets.
+--
+2.1.4
+
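Review bot: In xennet_disconnect_backend(), the added `xennet_release_tx_bufs(queue);` runs without queue->tx_lock, whereas the loop removed from xennet_connect() wrapped the same call in spin_lock_irq(&queue->tx_lock) / spin_unlock_irq(). If the preceding napi_synchronize() and the disconnect state make the lock unnecessary here, a short comment saying so would settle the question. Separately, the retained comment in xennet_connect() still ends with "because we've probably just requeued some packets", which no longer matches the code now that the requeue loop is gone; it should be reworded along with the "Step 3:" prefix that was dropped.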
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch (from r22527, dists/jessie-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch Mon Apr 27 19:47:14 2015 (r22540, copy of r22527, dists/jessie-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch)
@@ -0,0 +1,63 @@
+From: Stephan Mueller <smueller at chronox.de>
+Date: Thu, 12 Mar 2015 09:17:51 +0100
+Subject: crypto: aesni - fix memory usage in GCM decryption
+Origin: https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
+Bug-Debian: https://bugs.debian.org/782561
+
+The kernel crypto API logic requires the caller to provide the
+length of (ciphertext || authentication tag) as cryptlen for the
+AEAD decryption operation. Thus, the cipher implementation must
+calculate the size of the plaintext output itself and cannot simply use
+cryptlen.
+
+The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
+in req->dst. As the destination buffer for decryption only needs to hold
+the plaintext memory but cryptlen references the input buffer holding
+(ciphertext || authentication tag), the assumption of the destination
+buffer length in RFC4106 GCM operation leads to a too large size. This
+patch simply uses the already calculated plaintext size.
+
+In addition, this patch fixes the offset calculation of the AAD buffer
+pointer: as mentioned before, cryptlen already includes the size of the
+tag. Thus, the tag does not need to be added. With the addition, the AAD
+will be written beyond the already allocated buffer.
+
+Note, this fixes a kernel crash that can be triggered from user space
+via AF_ALG(aead) -- simply use the libkcapi test application
+from [1] and update it to use rfc4106-gcm-aes.
+
+Using [1], the changes were tested using CAVS vectors to demonstrate
+that the crypto operation still delivers the right results.
+
+[1] http://www.chronox.de/libkcapi.html
+
+CC: Tadeusz Struk <tadeusz.struk at intel.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Stephan Mueller <smueller at chronox.de>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ arch/x86/crypto/aesni-intel_glue.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
+index 6dfb7d0..6d4faba 100644
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1109,7 +1109,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
+ src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
+ if (!src)
+ return -ENOMEM;
+- assoc = (src + req->cryptlen + auth_tag_len);
++ assoc = (src + req->cryptlen);
+ scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
+ scatterwalk_map_and_copy(assoc, req->assoc, 0,
+ req->assoclen, 0);
+@@ -1134,7 +1134,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
+ scatterwalk_done(&src_sg_walk, 0, 0);
+ scatterwalk_done(&assoc_sg_walk, 0, 0);
+ } else {
+- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
+ kfree(src);
+ }
+ return retval;
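Review bot: In the first hunk of __driver_rfc4106_decrypt(), the corrected `assoc = (src + req->cryptlen);` now agrees with the kmalloc(req->cryptlen + req->assoclen) size, but nothing in the code records that cryptlen already includes the authentication tag, which is the fact both fixes rest on. A short comment at the allocation describing the buffer layout (ciphertext || tag, followed by the AAD) would keep the offset and the size from drifting apart again. The second hunk changes the copy into req->dst to use tempCipherLen; the other branch of that if/else is outside the visible context, so please confirm it makes no cryptlen-sized assumption about the destination. The patch header could also name CVE-2015-3331, which the changelog assigns to this fix.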
Modified: dists/wheezy-backports/linux/debian/patches/series
==============================================================================
--- dists/wheezy-backports/linux/debian/patches/series Mon Apr 27 19:44:59 2015 (r22539)
+++ dists/wheezy-backports/linux/debian/patches/series Mon Apr 27 19:47:14 2015 (r22540)
@@ -194,6 +194,7 @@
bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
bugfix/all/hid-thingm-fix-workqueue-race-on-remove.patch
debian/emmc-don-t-initialize-partitions-on-rpmb-flagged-areas.patch
+bugfix/all/xen-netfront-release-per-queue-Tx-and-Rx-resource-wh.patch
# memfd_create() & kdbus backport
features/all/kdbus/mm-allow-drivers-to-prevent-new-writable-mappings.patch
@@ -579,3 +580,24 @@
debian/procfs-avoid-abi-change-in-3.16.7-ckt8.patch
bugfix/all/btrfs-simplify-insert_orphan_item.patch
+
+bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
+bugfix/all/tcp-fix-crash-in-tcp-fast-open.patch
+
+# Introduce READ_ONCE and WRITE_ONCE; replace misuse of ACCESS_ONCE.
+# Needed for backports of other fixes.
+bugfix/all/access_once/0001-kernel-Provide-READ_ONCE-and-ASSIGN_ONCE.patch
+bugfix/all/access_once/0002-mm-replace-ACCESS_ONCE-with-READ_ONCE-or-barriers.patch
+bugfix/all/access_once/0003-x86-spinlock-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0004-x86-gup-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0005-mips-gup-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0006-arm64-spinlock-Replace-ACCESS_ONCE-READ_ONCE.patch
+bugfix/all/access_once/0007-arm-spinlock-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0008-powerpc-gup-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0009-ppc-kvm-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0010-ppc-hugetlbfs-Replace-ACCESS_ONCE-with-READ_ONCE.patch
+bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
+bugfix/all/access_once/0012-next-sh-Fix-compile-error.patch
+bugfix/all/access_once/0013-kernel-Change-ASSIGN_ONCE-val-x-to-WRITE_ONCE-x-val.patch
+
+bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
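Review bot: The comment above the access_once group says only "Needed for backports of other fixes" and does not say which ones, while the dependent patch is added three lines below the group with nothing tying the two together. fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch uses READ_ONCE(inode->i_mode), so it must stay after the access_once patches; naming it in the comment would keep a later reorder of the series from breaking the build. The two CVE fixes added at the top of this hunk (crypto-aesni and tcp-fix-crash) would likewise benefit from a one-line comment heading, as the access_once group has.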