[linux] 02/04: Update to 3.16.7-ckt17

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Sep 22 19:19:41 UTC 2015


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 612c261c0c8877667c9595af6a04fe6f07da5615
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Sep 22 17:40:55 2015 +0200

    Update to 3.16.7-ckt17
    
    Drop many patches that were applied upstream.
---
 debian/changelog                                   | 252 ++++++++++++++++++-
 ...0011-kernel-tighten-rules-for-ACCESS-ONCE.patch |   4 +-
 ...-a-full-clone-when-splitting-discard-bios.patch |  60 -----
 ...ree-the-assoc-array-edit-if-edit-is-valid.patch |  37 ---
 .../bugfix/all/libata-add-ata_horkage_notrim.patch |  45 ----
 ...a-force-disable-trim-for-supersspeed-s238.patch |  28 ---
 .../md-use-kzalloc-when-bitmap-is-disabled.patch   |  42 ----
 ...q-make-sure-that-there-s-not-too-many-ele.patch |  34 ---
 .../vhost-actually-track-log-eventfd-file.patch    |  28 ---
 ...ry-64-Fold-the-test_in_nmi-macro-into-its.patch |  71 ------
 ...-x86-asm-entry-64-Remove-a-redundant-jump.patch |  42 ----
 ...ble-nested-do_nmi-handling-for-64-bit-ker.patch | 189 --------------
 ...x86-nmi-64-Remove-asm-code-that-saves-cr2.patch |  51 ----
 ...i-64-Switch-stacks-on-userspace-NMI-entry.patch | 133 ----------
 ...07-x86-nmi-64-Improve-nested-NMI-comments.patch | 279 ---------------------
 ...0008-x86-nmi-64-Reorder-nested-NMI-checks.patch |  83 ------
 ...Use-DF-to-avoid-userspace-RSP-confusing-n.patch |  86 -------
 debian/patches/series                              |  15 --
 18 files changed, 253 insertions(+), 1226 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index fea23b1..2b769f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.16.7-ckt15-1) UNRELEASED; urgency=medium
+linux (3.16.7-ckt17-1) UNRELEASED; urgency=medium
 
   * New upstream stable updates:
     http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt12
@@ -453,6 +453,256 @@ linux (3.16.7-ckt15-1) UNRELEASED; urgency=medium
     - ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage
     - LZ4 : fix the data abort issue
     - lz4: fix system halt at boot kernel on x86_64
+    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt16
+    - netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings
+    - Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list
+    - Btrfs: use kmem_cache_free when freeing entry in inode cache
+    - Btrfs: fix race between caching kthread and returning inode to inode cache
+    - Btrfs: fix fsync data loss after append write
+    - ext4: fix reservation release on invalidatepage for delalloc fs
+    - ext4: be more strict when migrating to non-extent based file
+    - ext4: correctly migrate a file with a hole at the beginning
+    - ext4: replace open coded nofail allocation in ext4_free_blocks()
+    - drm/radeon: Handle irqs only based on irq ring, not irq status regs.
+    - drm/radeon: unpin cursor BOs on suspend and pin them again on resume (v2)
+    - hpfs: kstrdup() out of memory handling
+    - hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
+    - 9p: don't leave a half-initialized inode sitting around
+    - MIPS: kernel: traps: Fix broken indentation
+    - thermal: step_wise: fix: Prevent from binary overflow when trend is dropping
+    - spi: pl022: Specify 'num-cs' property as required in devicetree binding
+    - iio: twl4030-madc: Pass the IRQF_ONESHOT flag
+    - iio: inv-mpu: Specify the expected format/precision for write channels
+    - iio: DAC: ad5624r_spi: fix bit shift of output data value
+    - iio: adc: at91_adc: allow to use full range of startup time
+    - ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4
+    - iio: tmp006: Check channel info on write
+    - dm btree remove: fix bug in redistribute3
+    - kbuild: Allow arch Makefiles to override {cpp,ld,c}flags
+    - ARC: Override toplevel default -O2 with -O3
+    - crypto: omap-des - Fix unmapping of dma channels
+    - USB: option: add 2020:4000 ID
+    - USB: cp210x: add ID for Aruba Networks controllers
+    - dm btree: silence lockdep lock inversion in dm_btree_del()
+    - usb: musb: host: rely on port_mode to call musb_start()
+    - usb: f_mass_storage: limit number of reported LUNs
+    - drm: add a check for x/y in drm_mode_setcrtc
+    - bio integrity: do not assume bio_integrity_pool exists if bioset exists
+    - ARM: dts: mx23: fix iio-hwmon support
+    - tracing: Have branch tracer use recursive field of task struct
+    - drivers: net: cpsw: fix crash while accessing second slave ethernet interface
+    - USB: serial: Destroy serial_minors IDR on module exit
+    - Btrfs: fix memory leak in the extent_same ioctl
+    - Btrfs: fix list transaction->pending_ordered corruption
+    - can: rcar_can: fix IRQ check
+    - ARC: make sure instruction_pointer() returns unsigned value
+    - Btrfs: fix file corruption after cloning inline extents
+    - st: null pointer dereference panic caused by use after kref_put by st_open
+    - drm/radeon: add a dpm quirk for Sapphire Radeon R9 270X 2GB GDDR5
+    - drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
+    - genirq: Prevent resend to interrupts marked IRQ_NESTED_THREAD
+    - x86/asm/entry/64: Fold the 'test_in_nmi' macro into its only user
+    - x86/asm/entry/64: Remove a redundant jump
+    - x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
+    - x86/nmi/64: Remove asm code that saves CR2
+    - x86/nmi/64: Switch stacks on userspace NMI entry
+    - x86/nmi/64: Improve nested NMI comments
+    - x86/nmi/64: Reorder nested NMI checks
+    - x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
+    - ARM: 8404/1: dma-mapping: fix off-by-one error in bitmap size check
+    - ipv6: Make MLD packets to only be processed locally
+    - bridge: mdb: start delete timer for temp static entries
+    - net: graceful exit from netif_alloc_netdev_queues()
+    - ip_tunnel: fix ipv4 pmtu check to honor inner ip header df
+    - bridge: mdb: zero out the local br_ip variable before use
+    - net: do not process device backlog during unregistration
+    - net: dsa: Test array index before use
+    - net: dsa: Fix off-by-one in switch address parsing
+    - can: rcar_can: print signed IRQ #
+    - perf symbols: Store if there is a filter in place
+    - perf hists browser: Take the --comm, --dsos, etc filters into account
+    - rds: rds_ib_device.refcount overflow
+    - KEYS: ensure we free the assoc array edit if edit is valid
+    - mm: avoid setting up anonymous pages into file mapping
+    - evm: labeling pseudo filesystems exception
+    - USB: usbfs: allow URBs to be reaped after disconnection
+    - sg_start_req(): make sure that there's not too many elements in iovec
+    - HID: cp2112: fix to force single data-report reply
+    - ata: pmp: add quirk for Marvell 4140 SATA PMP
+    - libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER
+    - libata: add ATA_HORKAGE_NOTRIM
+    - libata: force disable trim for SuperSSpeed S238
+    - libata: increase the timeout when setting transfer mode
+    - can: mcp251x: fix resume when device is down
+    - libata: Do not blacklist M510DC
+    - mac80211: clear subdir_stations when removing debugfs
+    - iio: adc: vf610: fix the adc register read fail issue
+    - net: mvneta: fix refilling for Rx DMA buffers
+    - ALSA: hda - Add new GPU codec ID 0x10de007d to snd-hda
+    - xdrm/i915: Use two 32bit reads for select 64bit REG_READ ioctls
+    - usb: dwc3: gadget: return error if command sent to DEPCMD register fails
+    - usb: dwc3: Reset the transfer resource index on SET_INTERFACE
+    - usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function
+    - xhci: Calculate old endpoints correctly on device reset
+    - xhci: report U3 when link is in resume state
+    - xhci: prevent bus_suspend if SS port resuming in phase 1
+    - xhci: do not report PLC when link is in internal resume state
+    - usb: core: lpm: set lpm_capable for root hub device
+    - USB: OHCI: Fix race between ED unlink and URB submission
+    - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225
+    - blkcg: fix gendisk reference leak in blkg_conf_prep()
+    - tile: use free_bootmem_late() for initrd
+    - Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen
+    - block: Do a full clone when splitting discard bios
+    - md/raid1: fix test for 'was read error from last working device'.
+    - mmc: omap_hsmmc: Fix DTO and DCRC handling
+    - mtd: nand: Fix NAND_USE_BOUNCE_BUFFER flag conflict
+    - net/xen-netback: off by one in BUG_ON() condition
+    - bridge: mdb: fix double add notification
+    - isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
+    - usb: gadget: mv_udc_core: fix phy_regs I/O memory leak
+    - bonding: fix destruction of bond with devices different from arphrd_ether
+    - bonding: correctly handle bonding type change on enslave failure
+    - inet: frags: fix defragmented packet's IP header for af_packet
+    - mmc: block: Add missing mmc_blk_put() in power_ro_lock_show()
+    - mmc: sdhci-esdhc: Make 8BIT bus work
+    - mmc: sdhci-pxav3: fix platform_data is not initialized
+    - freeing unlinked file indefinitely delayed
+    - s390/sclp: clear upper register halves in _sclp_print_early
+    - s390/process: fix sfpc inline assembly
+    - mmc: sdhci: Fix FSL ESDHC reset handling quirk
+    - md: fix a build warning
+    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt17
+    - md: use kzalloc() when bitmap is disabled
+    - sparc64: Fix userspace FPU register corruptions.
+    - sysfs: Create mountpoints with sysfs_create_mount_point
+    - ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc
+    - ASoC: pcm1681: Fix setting de-emphasis sampling rate selection
+    - iscsi-target: Fix use-after-free during TPG session shutdown
+    - iscsi-target: Fix iscsit_start_kthreads failure OOPs
+    - iscsi-target: Fix iser explicit logout TX kthread leak
+    - ARM: dts: i.MX35: Fix can support.
+    - ALSA: hda - Apply fixup for another Toshiba Satellite S50D
+    - vhost: actually track log eventfd file
+    - arm64/efi: map the entire UEFI vendor string before reading it
+    - xfs: remote attribute headers contain an invalid LSN
+    - xfs: remote attributes need to be considered data
+    - ALSA: hda - Apply a fixup to Dell Vostro 5480
+    - ALSA: usb-audio: add dB range mapping for some devices
+    - drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop
+    - drm/radeon/combios: add some validation of lvds values
+    - x86/efi: Use all 64 bit of efi_memmap in setup_e820()
+    - ipr: Fix locking for unit attention handling
+    - ipr: Fix incorrect trace indexing
+    - ipr: Fix invalid array indexing for HRRQ
+    - ALSA: hda - Fix MacBook Pro 5,2 quirk
+    - x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
+    - netfilter: ctnetlink: put back references to master ct and expect objects
+    - ipvs: do not use random local source address for tunnels
+    - ipvs: fix crash if scheduler is changed
+    - ipvs: fix crash with sync protocol v0 and FTP
+    - netfilter: nf_conntrack: Support expectations in different zones
+    - NFS: Don't revalidate the mapping if both size and change attr are up to date
+    - ALSA: hda - fix cs4210_spdif_automute()
+    - net/mlx4_core: Fix wrong index in propagating port change event to VFs
+    - niu: don't count tx error twice in case of headroom realloc fails
+    - avr32: handle NULL as a valid clock object
+    - packet: missing dev_put() in packet_do_bind()
+    - packet: tpacket_snd(): fix signed/unsigned comparison
+    - bridge: mdb: fix delmdb state in the notification
+    - net: sched: fix refcount imbalance in actions
+    - act_pedit: check binding before calling tcf_hash_release()
+    - PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
+    - USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
+    - USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
+    - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
+    - crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
+    - USB: sierra: add 1199:68AB device ID
+    - rbd: fix copyup completion race
+    - md/bitmap: return an error when bitmap superblock is corrupt.
+    - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
+    - thermal: exynos: Disable the regulator on probe failure
+    - MIPS: Fix sched_getaffinity with MT FPAFF enabled
+    - MIPS: Malta: Don't reinitialise RTC
+    - MIPS: do_mcheck: Fix kernel code dump with EVA
+    - MIPS: show_stack: Fix stack trace with EVA
+    - MIPS: Flush RPS on kernel entry with EVA
+    - xhci: fix off by one error in TRB DMA address boundary check
+    - drivers/usb: Delete XHCI command timer if necessary
+    - ALSA: fireworks/firewire-lib: add support for recent firmware quirk
+    - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
+    - MIPS: Make set_pte() SMP safe.
+    - ipc: modify message queue accounting to not take kernel data structures into account
+    - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
+    - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
+    - drm/radeon: fix hotplug race at startup
+    - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver
+    - net/tipc: initialize security state for new connection socket
+    - net: pktgen: fix race between pktgen_thread_worker() and kthread_stop()
+    - net: call rcu_read_lock early in process_backlog
+    - net: Clone skb before setting peeked flag
+    - net: Fix skb csum races when peeking
+    - net: Fix skb_set_peeked use-after-free bug
+    - ipv6: lock socket in ip6_datagram_connect()
+    - bonding: correct the MAC address for "follow" fail_over_mac policy
+    - netlink: don't hold mutex in rcu callback when releasing mmapd ring
+    - rds: fix an integer overflow test in rds_info_getsockopt()
+    - udp: fix dst races with multicast early demux
+    - bna: fix interrupts storm caused by erroneous packets
+    - net: gso: use feature flag argument in all protocol gso handlers
+    - Fix firmware loader uevent buffer NULL pointer dereference
+    - qla2xxx: Mark port lost when we receive an RSCN for it.
+    - megaraid_sas: use raw_smp_processor_id()
+    - fs/buffer.c: support buffer cache allocations with gfp modifiers
+    - bufferhead: Add _gfp version for sb_getblk()
+    - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp
+    - HID: usbhid: add Chicony/Pixart usb optical mouse that needs QUIRK_ALWAYS_POLL
+    - ima: add support for new "euid" policy condition
+    - ima: extend "mask" policy matching support
+    - mfd: arizona: Fix initialisation of the PM runtime
+    - xen-blkfront: don't add indirect pages to list when !feature_persistent
+    - xen-blkback: replace work_pending with work_busy in purge_persistent_gnt()
+    - regmap: regcache-rbtree: Clean new present bits on present bitmap resize
+    - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
+    - target: REPORT LUNS should return LUN 0 even for dynamic ACLs
+    - perf: Fix fasync handling on inherited events
+    - KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST
+    - x86/ldt: Make modify_ldt synchronous
+    - x86/ldt: Correct LDT access in single stepping logic
+    - rcu: Provide counterpart to rcu_dereference() for non-RCU situations
+    - rcu: Move lockless_dereference() out of rcupdate.h
+    - x86/ldt: Correct FPU emulation access to LDT
+    - localmodconfig: Use Kbuild files too
+    - dm thin metadata: delete btrees when releasing metadata snapshot
+    - dm btree: add ref counting ops for the leaves of top level btrees
+    - drm/radeon: add new OLAND pci id
+    - libiscsi: Fix host busy blocking during connection teardown
+    - libfc: Fix fc_exch_recv_req() error path
+    - libfc: Fix fc_fcp_cleanup_each_cmd()
+    - EDAC, ppc4xx: Access mci->csrows array elements properly
+    - crypto: caam - fix memory corruption in ahash_final_ctx
+    - drm/vmwgfx: Fix execbuf locking issues
+    - mm/hwpoison: fix page refcount of unknown non LRU page
+    - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
+    - ipc/sem.c: change memory barrier in sem_lock() to smp_rmb()
+    - ipc/sem.c: update/correct memory barriers
+    - MIPS: Fix seccomp syscall argument for MIPS64
+    - x86/ldt: Further fix FPU emulation
+    - SCSI: Fix NULL pointer dereference in runtime PM
+    - ALSA: usb-audio: Fix runtime PM unbalance
+    - Add factory recertified Crucial M500s to blacklist
+    - arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
+    - batman-adv: fix kernel crash due to missing NULL checks
+    - batman-adv: protect tt_local_entry from concurrent delete events
+    - perf: Fix PERF_EVENT_IOC_PERIOD migration race
+    - net: Fix RCU splat in af_key
+    - ip6_gre: release cached dst on tunnel removal
+    - s390/sclp: fix compile error
+    - xen/gntdev: convert priv->lock to a mutex
+    - xen/gntdevt: Fix race condition in gntdev_release()
+    - signalfd: fix information leak in signalfd_copyinfo
+    - signal: fix information leak in copy_siginfo_to_user
+    - signal: fix information leak in copy_siginfo_from_user32
 
   [ Ben Hutchings ]
   * [x86] vmwgfx: Enable DRM_VMWGFX_FBCON (Closes: #714929)
diff --git a/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch b/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
index 11832b2..b9c9c27 100644
--- a/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
+++ b/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
@@ -43,5 +43,5 @@ Reviewed-by: Paul E. McKenney <paulmck at linux.vnet.ibm.com>
 +	(volatile typeof(x) *)&(x); })
 +#define ACCESS_ONCE(x) (*__ACCESS_ONCE(x))
  
- /* Ignore/forbid kprobes attach on very low level functions marked by this attribute: */
- #ifdef CONFIG_KPROBES
+ /**
+  * lockless_dereference() - safely load a pointer for later dereference
diff --git a/debian/patches/bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch b/debian/patches/bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch
deleted file mode 100644
index e49647c..0000000
--- a/debian/patches/bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: "Martin K. Petersen" <martin.petersen at oracle.com>
-Date: Wed, 22 Jul 2015 07:57:12 -0400
-Subject: block: Do a full clone when splitting discard bios
-Origin: https://git.kernel.org/linus/f3f5da624e0a891c34d8cd513c57f1d9b0c7dadc
-Bug-Debian: https://bugs.debian.org/793326
-
-This fixes a data corruption bug when using discard on top of MD linear,
-raid0 and raid10 personalities.
-
-Commit 20d0189b1012 "block: Introduce new bio_split()" permits sharing
-the bio_vec between the two resulting bios. That is fine for read/write
-requests where the bio_vec is immutable. For discards, however, we need
-to be able to attach a payload and update the bio_vec so the page can
-get mapped to a scatterlist entry. Therefore the bio_vec can not be
-shared when splitting discards and we must do a full clone.
-
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
-Reported-by: Seunguk Shin <seunguk.shin at samsung.com>
-Tested-by: Seunguk Shin <seunguk.shin at samsung.com>
-Cc: Seunguk Shin <seunguk.shin at samsung.com>
-Cc: Jens Axboe <axboe at fb.com>
-Cc: Kent Overstreet <kent.overstreet at gmail.com>
-Cc: <stable at vger.kernel.org> # v3.14+
-Reviewed-by: Christoph Hellwig <hch at lst.de>
-Signed-off-by: Jens Axboe <axboe at fb.com>
----
- block/bio.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
---- a/block/bio.c
-+++ b/block/bio.c
-@@ -1820,8 +1820,9 @@ EXPORT_SYMBOL(bio_endio_nodec);
-  * Allocates and returns a new bio which represents @sectors from the start of
-  * @bio, and updates @bio to represent the remaining sectors.
-  *
-- * The newly allocated bio will point to @bio's bi_io_vec; it is the caller's
-- * responsibility to ensure that @bio is not freed before the split.
-+ * Unless this is a discard request the newly allocated bio will point
-+ * to @bio's bi_io_vec; it is the caller's responsibility to ensure that
-+ * @bio is not freed before the split.
-  */
- struct bio *bio_split(struct bio *bio, int sectors,
- 		      gfp_t gfp, struct bio_set *bs)
-@@ -1831,7 +1832,15 @@ struct bio *bio_split(struct bio *bio, i
- 	BUG_ON(sectors <= 0);
- 	BUG_ON(sectors >= bio_sectors(bio));
- 
--	split = bio_clone_fast(bio, gfp, bs);
-+	/*
-+	 * Discards need a mutable bio_vec to accommodate the payload
-+	 * required by the DSM TRIM and UNMAP commands.
-+	 */
-+	if (bio->bi_rw & REQ_DISCARD)
-+		split = bio_clone_bioset(bio, gfp, bs);
-+	else
-+		split = bio_clone_fast(bio, gfp, bs);
-+
- 	if (!split)
- 		return NULL;
- 
diff --git a/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch b/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
deleted file mode 100644
index a1a31d8..0000000
--- a/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Colin Ian King <colin.king at canonical.com>
-Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
-Origin: https://marc.info/?l=oss-security&m=143800676725867&w=2
-
-__key_link_end is not freeing the associated array edit structure
-and this leads to a 512 byte memory leak each time an identical
-existing key is added with add_key().
-
-The reason the add_key() system call returns okay is that
-key_create_or_update() calls __key_link_begin() before checking to see
-whether it can update a key directly rather than adding/replacing - which
-it turns out it can.  Thus __key_link() is not called through
-__key_instantiate_and_link() and __key_link_end() must cancel the edit.
-
-CVE-2015-1333
-
-Signed-off-by: Colin Ian King <colin.king at canonical.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
-
---- a/security/keys/keyring.c
-+++ b/security/keys/keyring.c
-@@ -1152,9 +1152,11 @@ void __key_link_end(struct key *keyring,
- 	if (index_key->type == &key_type_keyring)
- 		up_write(&keyring_serialise_link_sem);
- 
--	if (edit && !edit->dead_leaf) {
--		key_payload_reserve(keyring,
--				    keyring->datalen - KEYQUOTA_LINK_BYTES);
-+	if (edit) {
-+		if (!edit->dead_leaf) {
-+			key_payload_reserve(keyring,
-+				keyring->datalen - KEYQUOTA_LINK_BYTES);
-+		}
- 		assoc_array_cancel_edit(edit);
- 	}
- 	up_write(&keyring->sem);
diff --git a/debian/patches/bugfix/all/libata-add-ata_horkage_notrim.patch b/debian/patches/bugfix/all/libata-add-ata_horkage_notrim.patch
deleted file mode 100644
index 13ed921..0000000
--- a/debian/patches/bugfix/all/libata-add-ata_horkage_notrim.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Arne Fitzenreiter <arne_f at ipfire.org>
-Date: Wed, 15 Jul 2015 13:54:36 +0200
-Subject: libata: add ATA_HORKAGE_NOTRIM
-Origin: https://git.kernel.org/linus/71d126fd28de2d4d9b7b2088dbccd7ca62fad6e0
-
-Some devices lose data on TRIM whether queued or not.  This patch adds
-a horkage to disable TRIM.
-
-tj: Collapsed unnecessary if() nesting.
-
-Signed-off-by: Arne Fitzenreiter <arne_f at ipfire.org>
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Cc: stable at vger.kernel.org
-[bwh: Backported to 3.16:
- - Adjust context
- - Drop changes to show_ata_dev_trim()]
----
- drivers/ata/libata-scsi.c      | 3 ++-
- drivers/ata/libata-transport.c | 2 ++
- include/linux/libata.h         | 2 ++
- 3 files changed, 6 insertions(+), 1 deletion(-)
-
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -2514,7 +2514,8 @@ static unsigned int ata_scsiop_read_cap(
- 		rbuf[14] = (lowest_aligned >> 8) & 0x3f;
- 		rbuf[15] = lowest_aligned;
- 
--		if (ata_id_has_trim(args->id)) {
-+		if (ata_id_has_trim(args->id) &&
-+		    !(dev->horkage & ATA_HORKAGE_NOTRIM)) {
- 			rbuf[14] |= 0x80; /* TPE */
- 
- 			if (ata_id_has_zero_after_trim(args->id))
---- a/include/linux/libata.h
-+++ b/include/linux/libata.h
-@@ -422,6 +422,8 @@ enum {
- 	ATA_HORKAGE_NO_NCQ_TRIM	= (1 << 19),	/* don't use queued TRIM */
- 	ATA_HORKAGE_NOLPM	= (1 << 20),	/* don't use LPM */
- 	ATA_HORKAGE_WD_BROKEN_LPM = (1 << 21),	/* some WDs have broken LPM */
-+	ATA_HORKAGE_NOTRIM	= (1 << 24),	/* don't use TRIM */
-+
- 
- 	 /* DMA mask for user DMA control: User visible values; DO NOT
- 	    renumber */
diff --git a/debian/patches/bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch b/debian/patches/bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch
deleted file mode 100644
index 7bddada..0000000
--- a/debian/patches/bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Arne Fitzenreiter <arne_f at ipfire.org>
-Date: Wed, 15 Jul 2015 13:54:37 +0200
-Subject: libata: force disable trim for SuperSSpeed S238
-Origin: https://git.kernel.org/linus/cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc
-
-This device loses blocks, often the partition table area, on trim.
-Disable TRIM.
-http://pcengines.ch/msata16a.htm
-
-Signed-off-by: Arne Fitzenreiter <arne_f at ipfire.org>
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Cc: stable at vger.kernel.org
----
- drivers/ata/libata-core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/ata/libata-core.c
-+++ b/drivers/ata/libata-core.c
-@@ -4231,6 +4231,9 @@ static const struct ata_blacklist_entry
- 	{ "Crucial_CT*MX100*",		"MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
- 	{ "Samsung SSD 8*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
- 
-+	/* devices that don't properly handle TRIM commands */
-+	{ "SuperSSpeed S238*",		NULL,	ATA_HORKAGE_NOTRIM, },
-+
- 	/*
- 	 * Some WD SATA-I drives spin up and down erratically when the link
- 	 * is put into the slumber mode.  We don't have full list of the
diff --git a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch b/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
deleted file mode 100644
index 0e9a792..0000000
--- a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Benjamin Randazzo <benjamin at randazzo.fr>
-Date: Sat, 25 Jul 2015 16:36:50 +0200
-Subject: md: use kzalloc() when bitmap is disabled
-Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
-
-In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
-mdu_bitmap_file_t called "file".
-
-5769         file = kmalloc(sizeof(*file), GFP_NOIO);
-5770         if (!file)
-5771                 return -ENOMEM;
-
-This structure is copied to user space at the end of the function.
-
-5786         if (err == 0 &&
-5787             copy_to_user(arg, file, sizeof(*file)))
-5788                 err = -EFAULT
-
-But if bitmap is disabled only the first byte of "file" is initialized
-with zero, so it's possible to read some bytes (up to 4095) of kernel
-space memory from user space. This is an information leak.
-
-5775         /* bitmap disabled, zero the first byte and copy out */
-5776         if (!mddev->bitmap_info.file)
-5777                 file->pathname[0] = '\0';
-
-Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
-Signed-off-by: NeilBrown <neilb at suse.com>
-[bwh: Backported to 3.16: don't touch anything but the allocation call, as
- the following code is significantly different here.]
----
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5624,7 +5624,7 @@ static int get_bitmap_file(struct mddev
- 	char *ptr, *buf = NULL;
- 	int err = -ENOMEM;
- 
--	file = kmalloc(sizeof(*file), GFP_NOIO);
-+	file = kzalloc(sizeof(*file), GFP_NOIO);
- 
- 	if (!file)
- 		goto out;
diff --git a/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch b/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
deleted file mode 100644
index 951ba17..0000000
--- a/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Sat, 21 Mar 2015 20:08:18 -0400
-Subject: sg_start_req(): make sure that there's not too many elements in iovec
-Origin: https://git.kernel.org/linus/451a2886b6bf90e2fb378f7c46c655450fb96e81
-
-unfortunately, allowing an arbitrary 16bit value means a possibility of
-overflow in the calculation of total number of pages in bio_map_user_iov() -
-we rely on there being no more than PAGE_SIZE members of sum in the
-first loop there.  If that sum wraps around, we end up allocating
-too small array of pointers to pages and it's easy to overflow it in
-the second loop.
-
-X-Coverup: TINC (and there's no lumber cartel either)
-Cc: stable at vger.kernel.org # way, way back
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
-[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
- fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
- that function.]
----
- drivers/scsi/sg.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -1693,6 +1693,9 @@ static int sg_start_req(Sg_request *srp,
- 			md->from_user = 0;
- 	}
- 
-+	if (unlikely(iov_count > UIO_MAXIOV))
-+		return -EINVAL;
-+
- 	if (iov_count) {
- 		int len, size = sizeof(struct sg_iovec) * iov_count;
- 		struct iovec *iov;
diff --git a/debian/patches/bugfix/all/vhost-actually-track-log-eventfd-file.patch b/debian/patches/bugfix/all/vhost-actually-track-log-eventfd-file.patch
deleted file mode 100644
index 0ffcc61..0000000
--- a/debian/patches/bugfix/all/vhost-actually-track-log-eventfd-file.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau at redhat.com>
-Date: Fri, 17 Jul 2015 15:32:03 +0200
-Subject: vhost: actually track log eventfd file
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5
-
-While reviewing vhost log code, I found out that log_file is never
-set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
----
- drivers/vhost/vhost.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -882,6 +882,7 @@ long vhost_dev_ioctl(struct vhost_dev *d
- 		}
- 		if (eventfp != d->log_file) {
- 			filep = d->log_file;
-+			d->log_file = eventfp;
- 			ctx = d->log_ctx;
- 			d->log_ctx = eventfp ?
- 				eventfd_ctx_fileget(eventfp) : NULL;
diff --git a/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch b/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
deleted file mode 100644
index 635bdc6..0000000
--- a/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From: Denys Vlasenko <dvlasenk at redhat.com>
-Date: Wed, 1 Apr 2015 16:50:57 +0200
-Subject: [PATCH 1/9] x86/asm/entry/64: Fold the 'test_in_nmi' macro into its
- only user
-Origin: https://git.kernel.org/linus/0784b36448a2a85b95b6eb21a69b9045c896c065
-
-No code changes.
-
-Signed-off-by: Denys Vlasenko <dvlasenk at redhat.com>
-Acked-by: Borislav Petkov <bp at suse.de>
-Cc: Alexei Starovoitov <ast at plumgrid.com>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Frederic Weisbecker <fweisbec at gmail.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Oleg Nesterov <oleg at redhat.com>
-Cc: Steven Rostedt <rostedt at goodmis.org>
-Cc: Will Drewry <wad at chromium.org>
-Link: http://lkml.kernel.org/r/1427899858-7165-1-git-send-email-dvlasenk@redhat.com
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 28 +++++++++++++---------------
- 1 file changed, 13 insertions(+), 15 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1441,19 +1441,7 @@ ENTRY(error_exit)
- 	CFI_ENDPROC
- END(error_exit)
- 
--/*
-- * Test if a given stack is an NMI stack or not.
-- */
--	.macro test_in_nmi reg stack nmi_ret normal_ret
--	cmpq %\reg, \stack
--	ja \normal_ret
--	subq $EXCEPTION_STKSZ, %\reg
--	cmpq %\reg, \stack
--	jb \normal_ret
--	jmp \nmi_ret
--	.endm
--
--	/* runs on exception stack */
-+/* Runs on exception stack */
- ENTRY(nmi)
- 	INTR_FRAME
- 	PARAVIRT_ADJUST_EXCEPTION_FRAME
-@@ -1514,8 +1502,18 @@ ENTRY(nmi)
- 	 * We check the variable because the first NMI could be in a
- 	 * breakpoint routine using a breakpoint stack.
- 	 */
--	lea 6*8(%rsp), %rdx
--	test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
-+	lea	6*8(%rsp), %rdx
-+	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-+	cmpq	%rdx, 4*8(%rsp)
-+	/* If the stack pointer is above the NMI stack, this is a normal NMI */
-+	ja	first_nmi
-+	subq	$EXCEPTION_STKSZ, %rdx
-+	cmpq	%rdx, 4*8(%rsp)
-+	/* If it is below the NMI stack, it is a normal NMI */
-+	jb	first_nmi
-+	/* Ah, it is within the NMI stack, treat it as nested */
-+	jmp	nested_nmi
-+
- 	CFI_REMEMBER_STATE
- 
- nested_nmi:
diff --git a/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch b/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
deleted file mode 100644
index 31cf68f..0000000
--- a/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Denys Vlasenko <dvlasenk at redhat.com>
-Date: Tue, 7 Apr 2015 22:43:41 +0200
-Subject: [PATCH 2/9] x86/asm/entry/64: Remove a redundant jump
-Origin: https://git.kernel.org/linus/a30b0085f54efae11f6256df4e4a16af7eefc1c4
-
-Jumping to the very next instruction is not very useful:
-
-        jmp label
-    label:
-
-Removing the jump.
-
-Signed-off-by: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: Alexei Starovoitov <ast at plumgrid.com>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Frederic Weisbecker <fweisbec at gmail.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Oleg Nesterov <oleg at redhat.com>
-Cc: Steven Rostedt <rostedt at goodmis.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Will Drewry <wad at chromium.org>
-Link: http://lkml.kernel.org/r/1428439424-7258-5-git-send-email-dvlasenk@redhat.com
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1512,7 +1512,6 @@ ENTRY(nmi)
- 	/* If it is below the NMI stack, it is a normal NMI */
- 	jb	first_nmi
- 	/* Ah, it is within the NMI stack, treat it as nested */
--	jmp	nested_nmi
- 
- 	CFI_REMEMBER_STATE
- 
diff --git a/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch b/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
deleted file mode 100644
index 2804ad9..0000000
--- a/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 11:19:37 -0700
-Subject: [PATCH 4/9] x86/nmi: Enable nested do_nmi handling for 64-bit kernels
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=aad62c1521e5904e376b88e71c60849954cbf9de
-
-32-bit kernels handle nested NMIs in C.  Enable the exact same
-handling on 64-bit kernels as well.  This isn't currently necessary,
-but it will become necessary once the asm code starts allowing
-limited nesting.
-
-This is a prerequisite for the fix for CVE-2015-3290.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/nmi.c | 123 +++++++++++++++++++++-----------------------------
- 1 file changed, 52 insertions(+), 71 deletions(-)
-
---- a/arch/x86/kernel/nmi.c
-+++ b/arch/x86/kernel/nmi.c
-@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_reg
- NOKPROBE_SYMBOL(default_do_nmi);
- 
- /*
-- * NMIs can hit breakpoints which will cause it to lose its
-- * NMI context with the CPU when the breakpoint does an iret.
-- */
--#ifdef CONFIG_X86_32
--/*
-- * For i386, NMIs use the same stack as the kernel, and we can
-- * add a workaround to the iret problem in C (preventing nested
-- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
-- * can be in:
-+ * NMIs can hit breakpoints which will cause it to lose its NMI context
-+ * with the CPU when the breakpoint or page fault does an IRET.
-+ *
-+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
-+ * NMI processing.  On x86_64, the asm glue protects us from nested NMIs
-+ * if the outer NMI came from kernel mode, but we can still nest if the
-+ * outer NMI came from user mode.
-+ *
-+ * To handle these nested NMIs, we have three states:
-  *
-  *  1) not running
-  *  2) executing
-@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
-  * (Note, the latch is binary, thus multiple NMIs triggering,
-  *  when one is running, are ignored. Only one NMI is restarted.)
-  *
-- * If an NMI hits a breakpoint that executes an iret, another
-- * NMI can preempt it. We do not want to allow this new NMI
-- * to run, but we want to execute it when the first one finishes.
-- * We set the state to "latched", and the exit of the first NMI will
-- * perform a dec_return, if the result is zero (NOT_RUNNING), then
-- * it will simply exit the NMI handler. If not, the dec_return
-- * would have set the state to NMI_EXECUTING (what we want it to
-- * be when we are running). In this case, we simply jump back
-- * to rerun the NMI handler again, and restart the 'latched' NMI.
-+ * If an NMI executes an iret, another NMI can preempt it. We do not
-+ * want to allow this new NMI to run, but we want to execute it when the
-+ * first one finishes.  We set the state to "latched", and the exit of
-+ * the first NMI will perform a dec_return, if the result is zero
-+ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
-+ * dec_return would have set the state to NMI_EXECUTING (what we want it
-+ * to be when we are running). In this case, we simply jump back to
-+ * rerun the NMI handler again, and restart the 'latched' NMI.
-  *
-  * No trap (breakpoint or page fault) should be hit before nmi_restart,
-  * thus there is no race between the first check of state for NOT_RUNNING
-@@ -461,49 +460,36 @@ enum nmi_states {
- static DEFINE_PER_CPU(enum nmi_states, nmi_state);
- static DEFINE_PER_CPU(unsigned long, nmi_cr2);
- 
--#define nmi_nesting_preprocess(regs)					\
--	do {								\
--		if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {	\
--			this_cpu_write(nmi_state, NMI_LATCHED);		\
--			return;						\
--		}							\
--		this_cpu_write(nmi_state, NMI_EXECUTING);		\
--		this_cpu_write(nmi_cr2, read_cr2());			\
--	} while (0);							\
--	nmi_restart:
--
--#define nmi_nesting_postprocess()					\
--	do {								\
--		if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))	\
--			write_cr2(this_cpu_read(nmi_cr2));		\
--		if (this_cpu_dec_return(nmi_state))			\
--			goto nmi_restart;				\
--	} while (0)
--#else /* x86_64 */
-+#ifdef CONFIG_X86_64
- /*
-- * In x86_64 things are a bit more difficult. This has the same problem
-- * where an NMI hitting a breakpoint that calls iret will remove the
-- * NMI context, allowing a nested NMI to enter. What makes this more
-- * difficult is that both NMIs and breakpoints have their own stack.
-- * When a new NMI or breakpoint is executed, the stack is set to a fixed
-- * point. If an NMI is nested, it will have its stack set at that same
-- * fixed address that the first NMI had, and will start corrupting the
-- * stack. This is handled in entry_64.S, but the same problem exists with
-- * the breakpoint stack.
-- *
-- * If a breakpoint is being processed, and the debug stack is being used,
-- * if an NMI comes in and also hits a breakpoint, the stack pointer
-- * will be set to the same fixed address as the breakpoint that was
-- * interrupted, causing that stack to be corrupted. To handle this case,
-- * check if the stack that was interrupted is the debug stack, and if
-- * so, change the IDT so that new breakpoints will use the current stack
-- * and not switch to the fixed address. On return of the NMI, switch back
-- * to the original IDT.
-+ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint.  Without
-+ * some care, the inner breakpoint will clobber the outer breakpoint's
-+ * stack.
-+ *
-+ * If a breakpoint is being processed, and the debug stack is being
-+ * used, if an NMI comes in and also hits a breakpoint, the stack
-+ * pointer will be set to the same fixed address as the breakpoint that
-+ * was interrupted, causing that stack to be corrupted. To handle this
-+ * case, check if the stack that was interrupted is the debug stack, and
-+ * if so, change the IDT so that new breakpoints will use the current
-+ * stack and not switch to the fixed address. On return of the NMI,
-+ * switch back to the original IDT.
-  */
- static DEFINE_PER_CPU(int, update_debug_stack);
-+#endif
- 
--static inline void nmi_nesting_preprocess(struct pt_regs *regs)
-+dotraplinkage notrace void
-+do_nmi(struct pt_regs *regs, long error_code)
- {
-+	if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
-+		this_cpu_write(nmi_state, NMI_LATCHED);
-+		return;
-+	}
-+	this_cpu_write(nmi_state, NMI_EXECUTING);
-+	this_cpu_write(nmi_cr2, read_cr2());
-+nmi_restart:
-+
-+#ifdef CONFIG_X86_64
- 	/*
- 	 * If we interrupted a breakpoint, it is possible that
- 	 * the nmi handler will have breakpoints too. We need to
-@@ -514,22 +500,8 @@ static inline void nmi_nesting_preproces
- 		debug_stack_set_zero();
- 		this_cpu_write(update_debug_stack, 1);
- 	}
--}
--
--static inline void nmi_nesting_postprocess(void)
--{
--	if (unlikely(this_cpu_read(update_debug_stack))) {
--		debug_stack_reset();
--		this_cpu_write(update_debug_stack, 0);
--	}
--}
- #endif
- 
--dotraplinkage notrace void
--do_nmi(struct pt_regs *regs, long error_code)
--{
--	nmi_nesting_preprocess(regs);
--
- 	nmi_enter();
- 
- 	inc_irq_stat(__nmi_count);
-@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_
- 
- 	nmi_exit();
- 
--	/* On i386, may loop back to preprocess */
--	nmi_nesting_postprocess();
-+#ifdef CONFIG_X86_64
-+	if (unlikely(this_cpu_read(update_debug_stack))) {
-+		debug_stack_reset();
-+		this_cpu_write(update_debug_stack, 0);
-+	}
-+#endif
-+
-+	if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
-+		write_cr2(this_cpu_read(nmi_cr2));
-+	if (this_cpu_dec_return(nmi_state))
-+		goto nmi_restart;
- }
- NOKPROBE_SYMBOL(do_nmi);
- 
diff --git a/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch b/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
deleted file mode 100644
index 0228968..0000000
--- a/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 12:03:34 -0700
-Subject: [PATCH 5/9] x86/nmi/64: Remove asm code that saves cr2
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=e7c2c90651fd54c3ca499fbb065ea5cbac30047d
-
-Now that do_nmi saves cr2, we don't need to save it in asm.
-
-This is a prerequisity for the fix for CVE-2015-3290.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Acked-by: Borislav Petkov <bp at suse.de>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 18 ------------------
- 1 file changed, 18 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1654,29 +1654,11 @@ end_repeat_nmi:
- 	call save_paranoid
- 	DEFAULT_FRAME 0
- 
--	/*
--	 * Save off the CR2 register. If we take a page fault in the NMI then
--	 * it could corrupt the CR2 value. If the NMI preempts a page fault
--	 * handler before it was able to read the CR2 register, and then the
--	 * NMI itself takes a page fault, the page fault that was preempted
--	 * will read the information from the NMI page fault and not the
--	 * origin fault. Save it off and restore it if it changes.
--	 * Use the r12 callee-saved register.
--	 */
--	movq %cr2, %r12
--
- 	/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
- 	movq %rsp,%rdi
- 	movq $-1,%rsi
- 	call do_nmi
- 
--	/* Did the NMI take a page fault? Restore cr2 if it did */
--	movq %cr2, %rcx
--	cmpq %rcx, %r12
--	je 1f
--	movq %r12, %cr2
--1:
--	
- 	testl %ebx,%ebx				/* swapgs needed? */
- 	jnz nmi_restore
- nmi_swapgs:
diff --git a/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch b/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
deleted file mode 100644
index 3654565..0000000
--- a/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 11:35:31 -0700
-Subject: [PATCH 6/9] x86/nmi/64: Switch stacks on userspace NMI entry
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=4fb2a8d9cb0efcd7405f1ad105d7f3c764afe02f
-
-Returning to userspace is tricky: IRET can fail, and ESPFIX can
-rearrange the stack prior to IRET.
-
-The NMI nesting fixup relies on a precise stack layout and atomic
-IRET.  Rather than trying to teach the NMI nesting fixup to handle
-ESPFIX and failed IRET, punt: run NMIs that came from user mode on
-the normal kernel stack.
-
-This will make some nested NMIs visible to C code, but the C code is
-okay with that.
-
-As a side effect, this should speed up perf: it eliminates an RDMSR
-when NMIs come from user mode.
-
-Fixes CVE-2015-3290.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Reviewed-by: Borislav Petkov <bp at suse.de>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0:
- - Adjust filename, context
- - s/restore_c_regs_and_iret/restore_args/
- - Use kernel_stack + KERNEL_STACK_OFFSET instead of cpu_current_top_of_stack]
-[luto: Open-coded return path to avoid dependency on partial pt_regs details]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
----
- arch/x86/kernel/entry_64.S | 79 +++++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 75 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1475,19 +1475,90 @@ ENTRY(nmi)
- 	 * a nested NMI that updated the copy interrupt stack frame, a
- 	 * jump will be made to the repeat_nmi code that will handle the second
- 	 * NMI.
-+	 *
-+	 * However, espfix prevents us from directly returning to userspace
-+	 * with a single IRET instruction.  Similarly, IRET to user mode
-+	 * can fault.  We therefore handle NMIs from user space like
-+	 * other IST entries.
- 	 */
- 
- 	/* Use %rdx as out temp variable throughout */
- 	pushq_cfi %rdx
- 	CFI_REL_OFFSET rdx, 0
- 
-+	testb	$3, CS-RIP+8(%rsp)
-+	jz	.Lnmi_from_kernel
-+
-+	/*
-+	 * NMI from user mode.  We need to run on the thread stack, but we
-+	 * can't go through the normal entry paths: NMIs are masked, and
-+	 * we don't want to enable interrupts, because then we'll end
-+	 * up in an awkward situation in which IRQs are on but NMIs
-+	 * are off.
-+	 */
-+
-+	SWAPGS
-+	cld
-+	movq	%rsp, %rdx
-+	movq	PER_CPU_VAR(kernel_stack), %rsp
-+	addq	$KERNEL_STACK_OFFSET, %rsp
-+	pushq	5*8(%rdx)	/* pt_regs->ss */
-+	pushq	4*8(%rdx)	/* pt_regs->rsp */
-+	pushq	3*8(%rdx)	/* pt_regs->flags */
-+	pushq	2*8(%rdx)	/* pt_regs->cs */
-+	pushq	1*8(%rdx)	/* pt_regs->rip */
-+	pushq   $-1		/* pt_regs->orig_ax */
-+	pushq   %rdi		/* pt_regs->di */
-+	pushq   %rsi		/* pt_regs->si */
-+	pushq   (%rdx)		/* pt_regs->dx */
-+	pushq   %rcx		/* pt_regs->cx */
-+	pushq   %rax		/* pt_regs->ax */
-+	pushq   %r8		/* pt_regs->r8 */
-+	pushq   %r9		/* pt_regs->r9 */
-+	pushq   %r10		/* pt_regs->r10 */
-+	pushq   %r11		/* pt_regs->r11 */
-+	pushq	%rbx		/* pt_regs->rbx */
-+	pushq	%rbp		/* pt_regs->rbp */
-+	pushq	%r12		/* pt_regs->r12 */
-+	pushq	%r13		/* pt_regs->r13 */
-+	pushq	%r14		/* pt_regs->r14 */
-+	pushq	%r15		/* pt_regs->r15 */
-+
-+	/*
-+	 * At this point we no longer need to worry about stack damage
-+	 * due to nesting -- we're on the normal thread stack and we're
-+	 * done with the NMI stack.
-+	 */
-+
-+	movq	%rsp, %rdi
-+	movq	$-1, %rsi
-+	call	do_nmi
-+
-+	/*
-+	 * Return back to user mode.  We must *not* do the normal exit
-+	 * work, because we don't want to enable interrupts.  Fortunately,
-+	 * do_nmi doesn't modify pt_regs.
-+	 */
-+	SWAPGS
-+
- 	/*
--	 * If %cs was not the kernel segment, then the NMI triggered in user
--	 * space, which means it is definitely not nested.
-+	 * Open-code the entire return process for compatibility with varying
-+	 * register layouts across different kernel versions.
- 	 */
--	cmpl $__KERNEL_CS, 16(%rsp)
--	jne first_nmi
-+	addq	$6*8, %rsp	/* skip bx, bp, and r12-r15 */
-+	popq	%r11		/* pt_regs->r11 */
-+	popq	%r10		/* pt_regs->r10 */
-+	popq	%r9		/* pt_regs->r9 */
-+	popq	%r8		/* pt_regs->r8 */
-+	popq	%rax		/* pt_regs->ax */
-+	popq	%rcx		/* pt_regs->cx */
-+	popq	%rdx		/* pt_regs->dx */
-+	popq	%rsi		/* pt_regs->si */
-+	popq	%rdi		/* pt_regs->di */
-+	addq	$8, %rsp	/* skip orig_ax */
-+	INTERRUPT_RETURN
- 
-+.Lnmi_from_kernel:
- 	/*
- 	 * Check the special variable on the stack to see if NMIs are
- 	 * executing.
diff --git a/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch b/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
deleted file mode 100644
index d69d5e3..0000000
--- a/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 17:13:26 -0700
-Subject: [PATCH 7/9] x86/nmi/64: Improve nested NMI comments
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=ed02eaa10579ffd480c3bda29701e658f17196e9
-
-I found the nested NMI documentation to be difficult to follow.
-Improve the comments.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 159 ++++++++++++++++++++++++++-------------------
- arch/x86/kernel/nmi.c      |   4 +-
- 2 files changed, 93 insertions(+), 70 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1462,11 +1462,12 @@ ENTRY(nmi)
- 	 *  If the variable is not set and the stack is not the NMI
- 	 *  stack then:
- 	 *    o Set the special variable on the stack
--	 *    o Copy the interrupt frame into a "saved" location on the stack
--	 *    o Copy the interrupt frame into a "copy" location on the stack
-+	 *    o Copy the interrupt frame into an "outermost" location on the
-+	 *      stack
-+	 *    o Copy the interrupt frame into an "iret" location on the stack
- 	 *    o Continue processing the NMI
- 	 *  If the variable is set or the previous stack is the NMI stack:
--	 *    o Modify the "copy" location to jump to the repeate_nmi
-+	 *    o Modify the "iret" location to jump to the repeat_nmi
- 	 *    o return back to the first NMI
- 	 *
- 	 * Now on exit of the first NMI, we first clear the stack variable
-@@ -1560,18 +1561,60 @@ ENTRY(nmi)
- 
- .Lnmi_from_kernel:
- 	/*
--	 * Check the special variable on the stack to see if NMIs are
--	 * executing.
-+	 * Here's what our stack frame will look like:
-+	 * +---------------------------------------------------------+
-+	 * | original SS                                             |
-+	 * | original Return RSP                                     |
-+	 * | original RFLAGS                                         |
-+	 * | original CS                                             |
-+	 * | original RIP                                            |
-+	 * +---------------------------------------------------------+
-+	 * | temp storage for rdx                                    |
-+	 * +---------------------------------------------------------+
-+	 * | "NMI executing" variable                                |
-+	 * +---------------------------------------------------------+
-+	 * | iret SS          } Copied from "outermost" frame        |
-+	 * | iret Return RSP  } on each loop iteration; overwritten  |
-+	 * | iret RFLAGS      } by a nested NMI to force another     |
-+	 * | iret CS          } iteration if needed.                 |
-+	 * | iret RIP         }                                      |
-+	 * +---------------------------------------------------------+
-+	 * | outermost SS          } initialized in first_nmi;       |
-+	 * | outermost Return RSP  } will not be changed before      |
-+	 * | outermost RFLAGS      } NMI processing is done.         |
-+	 * | outermost CS          } Copied to "iret" frame on each  |
-+	 * | outermost RIP         } iteration.                      |
-+	 * +---------------------------------------------------------+
-+	 * | pt_regs                                                 |
-+	 * +---------------------------------------------------------+
-+	 *
-+	 * The "original" frame is used by hardware.  Before re-enabling
-+	 * NMIs, we need to be done with it, and we need to leave enough
-+	 * space for the asm code here.
-+	 *
-+	 * We return by executing IRET while RSP points to the "iret" frame.
-+	 * That will either return for real or it will loop back into NMI
-+	 * processing.
-+	 *
-+	 * The "outermost" frame is copied to the "iret" frame on each
-+	 * iteration of the loop, so each iteration starts with the "iret"
-+	 * frame pointing to the final return target.
-+	 */
-+
-+	/*
-+	 * Determine whether we're a nested NMI.
-+	 *
-+	 * First check "NMI executing".  If it's set, then we're nested.
-+	 * This will not detect if we interrupted an outer NMI just
-+	 * before IRET.
- 	 */
- 	cmpl $1, -8(%rsp)
- 	je nested_nmi
- 
- 	/*
--	 * Now test if the previous stack was an NMI stack.
--	 * We need the double check. We check the NMI stack to satisfy the
--	 * race when the first NMI clears the variable before returning.
--	 * We check the variable because the first NMI could be in a
--	 * breakpoint routine using a breakpoint stack.
-+	 * Now test if the previous stack was an NMI stack.  This covers
-+	 * the case where we interrupt an outer NMI after it clears
-+	 * "NMI executing" but before IRET.
- 	 */
- 	lea	6*8(%rsp), %rdx
- 	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1588,9 +1631,11 @@ ENTRY(nmi)
- 
- nested_nmi:
- 	/*
--	 * Do nothing if we interrupted the fixup in repeat_nmi.
--	 * It's about to repeat the NMI handler, so we are fine
--	 * with ignoring this one.
-+	 * If we interrupted an NMI that is between repeat_nmi and
-+	 * end_repeat_nmi, then we must not modify the "iret" frame
-+	 * because it's being written by the outer NMI.  That's okay:
-+	 * the outer NMI handler is about to call do_nmi anyway,
-+	 * so we can just resume the outer NMI.
- 	 */
- 	movq $repeat_nmi, %rdx
- 	cmpq 8(%rsp), %rdx
-@@ -1600,7 +1645,10 @@ nested_nmi:
- 	ja nested_nmi_out
- 
- 1:
--	/* Set up the interrupted NMIs stack to jump to repeat_nmi */
-+	/*
-+	 * Modify the "iret" frame to point to repeat_nmi, forcing another
-+	 * iteration of NMI handling.
-+	 */
- 	leaq -1*8(%rsp), %rdx
- 	movq %rdx, %rsp
- 	CFI_ADJUST_CFA_OFFSET 1*8
-@@ -1619,60 +1667,23 @@ nested_nmi_out:
- 	popq_cfi %rdx
- 	CFI_RESTORE rdx
- 
--	/* No need to check faults here */
-+	/* We are returning to kernel mode, so this cannot result in a fault. */
- 	INTERRUPT_RETURN
- 
- 	CFI_RESTORE_STATE
- first_nmi:
--	/*
--	 * Because nested NMIs will use the pushed location that we
--	 * stored in rdx, we must keep that space available.
--	 * Here's what our stack frame will look like:
--	 * +-------------------------+
--	 * | original SS             |
--	 * | original Return RSP     |
--	 * | original RFLAGS         |
--	 * | original CS             |
--	 * | original RIP            |
--	 * +-------------------------+
--	 * | temp storage for rdx    |
--	 * +-------------------------+
--	 * | NMI executing variable  |
--	 * +-------------------------+
--	 * | copied SS               |
--	 * | copied Return RSP       |
--	 * | copied RFLAGS           |
--	 * | copied CS               |
--	 * | copied RIP              |
--	 * +-------------------------+
--	 * | Saved SS                |
--	 * | Saved Return RSP        |
--	 * | Saved RFLAGS            |
--	 * | Saved CS                |
--	 * | Saved RIP               |
--	 * +-------------------------+
--	 * | pt_regs                 |
--	 * +-------------------------+
--	 *
--	 * The saved stack frame is used to fix up the copied stack frame
--	 * that a nested NMI may change to make the interrupted NMI iret jump
--	 * to the repeat_nmi. The original stack frame and the temp storage
--	 * is also used by nested NMIs and can not be trusted on exit.
--	 */
--	/* Do not pop rdx, nested NMIs will corrupt that part of the stack */
-+	/* Restore rdx. */
- 	movq (%rsp), %rdx
- 	CFI_RESTORE rdx
- 
--	/* Set the NMI executing variable on the stack. */
-+	/* Set "NMI executing" on the stack. */
- 	pushq_cfi $1
- 
--	/*
--	 * Leave room for the "copied" frame
--	 */
-+	/* Leave room for the "iret" frame */
- 	subq $(5*8), %rsp
- 	CFI_ADJUST_CFA_OFFSET 5*8
- 
--	/* Copy the stack frame to the Saved frame */
-+	/* Copy the "original" frame to the "outermost" frame */
- 	.rept 5
- 	pushq_cfi 11*8(%rsp)
- 	.endr
-@@ -1680,6 +1691,7 @@ first_nmi:
- 
- 	/* Everything up to here is safe from nested NMIs */
- 
-+repeat_nmi:
- 	/*
- 	 * If there was a nested NMI, the first NMI's iret will return
- 	 * here. But NMIs are still enabled and we can take another
-@@ -1688,16 +1700,21 @@ first_nmi:
- 	 * it will just return, as we are about to repeat an NMI anyway.
- 	 * This makes it safe to copy to the stack frame that a nested
- 	 * NMI will update.
--	 */
--repeat_nmi:
--	/*
--	 * Update the stack variable to say we are still in NMI (the update
--	 * is benign for the non-repeat case, where 1 was pushed just above
--	 * to this very stack slot).
-+	 *
-+	 * RSP is pointing to "outermost RIP".  gsbase is unknown, but, if
-+	 * we're repeating an NMI, gsbase has the same value that it had on
-+	 * the first iteration.  paranoid_entry will load the kernel
-+	 * gsbase if needed before we call do_nmi.
-+	 *
-+	 * Set "NMI executing" in case we came back here via IRET.
- 	 */
- 	movq $1, 10*8(%rsp)
- 
--	/* Make another copy, this one may be modified by nested NMIs */
-+	/*
-+	 * Copy the "outermost" frame to the "iret" frame.  NMIs that nest
-+	 * here must not modify the "iret" frame while we're writing to
-+	 * it or it will end up containing garbage.
-+	 */
- 	addq $(10*8), %rsp
- 	CFI_ADJUST_CFA_OFFSET -10*8
- 	.rept 5
-@@ -1708,9 +1725,9 @@ repeat_nmi:
- end_repeat_nmi:
- 
- 	/*
--	 * Everything below this point can be preempted by a nested
--	 * NMI if the first NMI took an exception and reset our iret stack
--	 * so that we repeat another NMI.
-+	 * Everything below this point can be preempted by a nested NMI.
-+	 * If this happens, then the inner NMI will change the "iret"
-+	 * frame to point back to repeat_nmi.
- 	 */
- 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
- 	subq $ORIG_RAX-R15, %rsp
-@@ -1735,11 +1752,17 @@ end_repeat_nmi:
- nmi_swapgs:
- 	SWAPGS_UNSAFE_STACK
- nmi_restore:
--	/* Pop the extra iret frame at once */
-+
- 	RESTORE_ALL 6*8
- 
--	/* Clear the NMI executing stack variable */
-+	/* Clear "NMI executing". */
- 	movq $0, 5*8(%rsp)
-+
-+	/*
-+	 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
-+	 * stack in a single instruction.  We are returning to kernel
-+	 * mode, so this cannot result in a fault.
-+	 */
- 	jmp irq_return
- 	CFI_ENDPROC
- END(nmi)
---- a/arch/x86/kernel/nmi.c
-+++ b/arch/x86/kernel/nmi.c
-@@ -408,8 +408,8 @@ static void default_do_nmi(struct pt_reg
- NOKPROBE_SYMBOL(default_do_nmi);
- 
- /*
-- * NMIs can hit breakpoints which will cause it to lose its NMI context
-- * with the CPU when the breakpoint or page fault does an IRET.
-+ * NMIs can page fault or hit breakpoints which will cause it to lose
-+ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
-  *
-  * As a result, NMIs can nest if NMIs get unmasked due an IRET during
-  * NMI processing.  On x86_64, the asm glue protects us from nested NMIs
diff --git a/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch b/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
deleted file mode 100644
index 196dd15..0000000
--- a/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Sun, 12 Jul 2015 20:59:57 -0700
-Subject: [PATCH 8/9] x86/nmi/64: Reorder nested NMI checks
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=b7dcb27674b28ca49b710e95da74c44d32154bed
-
-Check the repeat_nmi .. end_repeat_nmi special case first.  The next
-patch will rework the RSP check and, as a side effect, the RSP check
-will no longer detect repeat_nmi .. end_repeat_nmi, so we'll need
-this ordering of the checks.
-
-Note: this is more subtle than it appears.  The check for repeat_nmi
-.. end_repeat_nmi jumps straight out of the NMI code instead of
-adjusting the "iret" frame to force a repeat.  This is necessary,
-because the code between repeat_nmi and end_repeat_nmi sets "NMI
-executing" and then writes to the "iret" frame itself.  If a nested
-NMI comes in and modifies the "iret" frame while repeat_nmi is also
-modifying it, we'll end up with garbage.  The old code got this
-right, as does the new code, but the new code is a bit more
-explicit.
-
-If we were to move the check right after the "NMI executing" check,
-then we'd get it wrong and have random crashes.
-
-This is a prerequisite for the fix for CVE-2015-3291.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, spacing]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 34 ++++++++++++++++++----------------
- 1 file changed, 18 insertions(+), 16 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1604,7 +1604,24 @@ ENTRY(nmi)
- 	/*
- 	 * Determine whether we're a nested NMI.
- 	 *
--	 * First check "NMI executing".  If it's set, then we're nested.
-+	 * If we interrupted kernel code between repeat_nmi and
-+	 * end_repeat_nmi, then we are a nested NMI.  We must not
-+	 * modify the "iret" frame because it's being written by
-+	 * the outer NMI.  That's okay: the outer NMI handler is
-+	 * about to about to call do_nmi anyway, so we can just
-+	 * resume the outer NMI.
-+	 */
-+
-+	movq	$repeat_nmi, %rdx
-+	cmpq	8(%rsp), %rdx
-+	ja	1f
-+	movq	$end_repeat_nmi, %rdx
-+	cmpq	8(%rsp), %rdx
-+	ja	nested_nmi_out
-+1:
-+
-+	/*
-+	 * Now check "NMI executing".  If it's set, then we're nested.
- 	 * This will not detect if we interrupted an outer NMI just
- 	 * before IRET.
- 	 */
-@@ -1631,21 +1648,6 @@ ENTRY(nmi)
- 
- nested_nmi:
- 	/*
--	 * If we interrupted an NMI that is between repeat_nmi and
--	 * end_repeat_nmi, then we must not modify the "iret" frame
--	 * because it's being written by the outer NMI.  That's okay:
--	 * the outer NMI handler is about to call do_nmi anyway,
--	 * so we can just resume the outer NMI.
--	 */
--	movq $repeat_nmi, %rdx
--	cmpq 8(%rsp), %rdx
--	ja 1f
--	movq $end_repeat_nmi, %rdx
--	cmpq 8(%rsp), %rdx
--	ja nested_nmi_out
--
--1:
--	/*
- 	 * Modify the "iret" frame to point to repeat_nmi, forcing another
- 	 * iteration of NMI handling.
- 	 */
diff --git a/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch b/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
deleted file mode 100644
index 1795485..0000000
--- a/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 17:25:53 -0700
-Subject: [PATCH 9/9] x86/nmi/64: Use DF to avoid userspace RSP confusing
- nested NMI detection
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=dc68c0f2ec634b2cfecf879235564da58d422cee
-
-We have a tricky bug in the nested NMI code: if we see RSP pointing
-to the NMI stack on NMI entry from kernel mode, we assume that we
-are executing a nested NMI.
-
-This isn't quite true.  A malicious userspace program can point RSP
-at the NMI stack, issue SYSCALL, and arrange for an NMI to happen
-while RSP is still pointing at the NMI stack.
-
-Fix it with a sneaky trick.  Set DF in the region of code that the RSP
-check is intended to detect.  IRET will clear DF atomically.
-
-(Note: other than paravirt, there's little need for all this complexity.
- We could check RIP instead of RSP.)
-
-Fixes CVE-2015-3291.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1631,7 +1631,14 @@ ENTRY(nmi)
- 	/*
- 	 * Now test if the previous stack was an NMI stack.  This covers
- 	 * the case where we interrupt an outer NMI after it clears
--	 * "NMI executing" but before IRET.
-+	 * "NMI executing" but before IRET.  We need to be careful, though:
-+	 * there is one case in which RSP could point to the NMI stack
-+	 * despite there being no NMI active: naughty userspace controls
-+	 * RSP at the very beginning of the SYSCALL targets.  We can
-+	 * pull a fast one on naughty userspace, though: we program
-+	 * SYSCALL to mask DF, so userspace cannot cause DF to be set
-+	 * if it controls the kernel's RSP.  We set DF before we clear
-+	 * "NMI executing".
- 	 */
- 	lea	6*8(%rsp), %rdx
- 	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1642,10 +1649,16 @@ ENTRY(nmi)
- 	cmpq	%rdx, 4*8(%rsp)
- 	/* If it is below the NMI stack, it is a normal NMI */
- 	jb	first_nmi
--	/* Ah, it is within the NMI stack, treat it as nested */
-+
-+	/* Ah, it is within the NMI stack. */
-+
-+	testb	$(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
-+	jz	first_nmi	/* RSP was user controlled. */
- 
- 	CFI_REMEMBER_STATE
- 
-+	/* This is a nested NMI. */
-+
- nested_nmi:
- 	/*
- 	 * Modify the "iret" frame to point to repeat_nmi, forcing another
-@@ -1757,8 +1770,16 @@ nmi_restore:
- 
- 	RESTORE_ALL 6*8
- 
--	/* Clear "NMI executing". */
--	movq $0, 5*8(%rsp)
-+	/*
-+	 * Clear "NMI executing".  Set DF first so that we can easily
-+	 * distinguish the remaining code between here and IRET from
-+	 * the SYSCALL entry and exit paths.  On a native kernel, we
-+	 * could just inspect RIP, but, on paravirt kernels,
-+	 * INTERRUPT_RETURN can translate into a jump into a
-+	 * hypercall page.
-+	 */
-+	std
-+	movq	$0, 5*8(%rsp)		/* clear "NMI executing" */
- 
- 	/*
- 	 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
diff --git a/debian/patches/series b/debian/patches/series
index 7b612a3..890c21e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -87,14 +87,6 @@ bugfix/x86/input-synaptics-re-route-tracksticks-buttons-on-the-.patch
 bugfix/mips/mips-normalise-code-flow-in-the-cpu-exception-handle.patch
 bugfix/mips/mips-correct-fp-isa-requirements.patch
 bugfix/mips/mips-math-emu-correct-delay-slot-exception-propagation.patch
-bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
-bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
-bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
-bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
-bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
-bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
-bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
-bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 
 features/all/readq-writeq-Add-explicit-lo_hi_-read-write-_q-and-h.patch
 
@@ -634,15 +626,8 @@ debian/procfs-avoid-abi-change-in-3.16.7-ckt8.patch
 debian/revert-libata-ignore-spurious-phy-event-on-lpm-polic.patch
 debian/udp-fix-abi-change-in-3.16.7-ckt14.patch
 debian/revert-acpica-utilities-split-io-address-types-from-.patch
-bugfix/all/libata-add-ata_horkage_notrim.patch
-bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch
-bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch
-bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
-bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
-bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
 bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
 bugfix/all/virtio-net-drop-netif_f_fraglist.patch
-bugfix/all/vhost-actually-track-log-eventfd-file.patch
 bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
 bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
 bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git



More information about the Kernel-svn-changes mailing list