[linux] 01/01: Update to 4.3.5
debian-kernel at lists.debian.org
Mon Feb 1 10:41:50 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit ba1393105a51e21ed8813044437d9aee1f91f58d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Feb 1 08:53:39 2016 +0100
Update to 4.3.5
Drop several patches that are included in it.
Fix/ignore various ABI changes.
---
debian/changelog | 163 ++++++++++++++++++++-
debian/config/defines | 3 +
...d-checks-for-allocation-failure-in-isdn_p.patch | 37 -----
...ia-media-vivid-osd-fix-info-leak-in-ioctl.patch | 31 ----
...lidate-vj-compression-slot-parameters-com.patch | 128 ----------------
.../tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch | 63 --------
...ly-account-for-FDs-passed-over-unix-socke.patch | 140 ------------------
...grant-maps-should-not-be-subject-to-numa-.patch | 38 -----
.../x86/kvm-svm-unconditionally-intercept-DB.patch | 75 ----------
...barriers-and-document-switch_mm-vs-flush-.patch | 158 --------------------
...x86-mm-Improve-switch_mm-barrier-comments.patch | 64 --------
.../debian/usb-fix-abi-change-in-4.3.5.patch | 23 +++
debian/patches/series | 10 +-
13 files changed, 185 insertions(+), 748 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1ad6903..3d92a19 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.3.4-1) UNRELEASED; urgency=medium
+linux (4.3.5-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
@@ -50,16 +50,169 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
- af_unix: Revert 'lock_interruptible' in stream receive code
- tcp: restore fastopen with no data in SYN packet
- rhashtable: Fix walker list corruption
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5
+ - [x86] smpboot: Re-enable init_udelay=0 by default on modern CPUs
+ - [x86] mpx: Fix instruction decoder condition
+ - [x86] signal: Fix restart_syscall number for x32 tasks
+ - [x86] paravirt: Prevent rtc_cmos platform device init on PV guests
+ - [x86] mce: Ensure offline CPUs don't participate in rendezvous process
+ - [x86] xen: don't reset vcpu_info on a cancelled suspend
+ - [x86] KVM: VMX: fix SMEP and SMAP without EPT
+ - [powerpc*] KVM: Book3S HV: Don't dynamically split core when already split
+ - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state
+ in MSR
+ - [x86] KVM: expose MSR_TSC_AUX to userspace
+ - [x86] KVM: correctly print #AC in traces
+ - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
+ - [x86] boot: Double BOOT_HEAP_SIZE to 64KB
+ - [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
+ (CVE-2016-2069)
+ - [x86] mm: Improve switch_mm() barrier comments
+ - timers: Use proper base migration in add_timer_on()
+ - ipmi: Start the timer and thread on internal msgs
+ - ipmi: move timer init to before irq is setup
+ - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after
+ resume back
+ - ALSA: hda - Disable 64bit address for Creative HDA controllers
+ - ALSA: hda - Fix lost 4k BDL boundary workaround
+ - [x86] ALSA: hda - Add Intel Lewisburg device IDs Audio
+ - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b
+ - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in
+ - ALSA: hda - Apply HP headphone fixups more generically
+ - [x86] ALSA: hda - Fix noise on Dell Latitude E6440
+ - [x86] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
+ - [x86] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back
+ from S3
+ - [x86] ALSA: hda - Fix noise on Gigabyte Z170X mobo
+ - ALSA: hda - Skip ELD notification during system suspend
+ - ALSA: rme96: Fix unexpected volume reset after rate changes
+ - [x86] ALSA: hda - Add inverted dmic for Packard Bell DOTS
+ - ALSA: hda - Fixing speaker noise on the two latest thinkpad models
+ - [x86] ALSA: hda - Fix noise problems on Thinkpad T440s
+ - [x86] ALSA: hda/ca0132 - quirk for Alienware 17 2015
+ - [x86] ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
+ - [x86] ALSA: hda - Apply click noise workaround for Thinkpads generically
+ - [x86] ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
+ - [x86] ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
+ - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
+ - ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly
+ - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
+ - [x86] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
+ - [x86] ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO
+ - ALSA: hda - Add keycode map for alc input device
+ - [x86] ALSA: usb: Add native DSD support for Oppo HA-1
+ - ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
+ - ALSA: seq: Fix missing NULL check at remove_events ioctl
+ - ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect
+ - ALSA: seq: Fix race at timer setup and close
+ - [x86] ALSA: hda - Fix white noise on Dell Latitude E5550
+ - ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
+ - ALSA: timer: Harden slave timer list handling
+ - [x86] ALSA: hda - fix the headset mic detection problem for a Dell laptop
+ - ALSA: timer: Fix race among timer ioctls
+ - ALSA: timer: Fix double unlink of active_list
+ - [x86] ALSA: hda - Add fixup for Dell Latitidue E6540
+ - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
+ - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
+ - ALSA: hrtimer: Fix stall by hrtimer_cancel()
+ - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
+ - [x86] ALSA: hda - Fix bass pin fixup for ASUS N550JX
+ - ALSA: hda - Flush the pending probe work at remove
+ - ALSA: timer: Handle disconnection more safely
+ - ASoC: rt286: Fix run time error while modifying const data
+ - ASoC: rsnd: fixup SCU_SYS_INT_EN1 address
+ - ASoC: wm8962: correct addresses for HPF_C_0/1
+ - ASoC: es8328: Fix deemphasis values
+ - ASoC: wm8974: set cache type for regmap
+ - ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx
+ - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
+ - ASoC: wm5110: Fix PGA clear when disabling DRE
+ - ASoC: compress: Fix compress device direction check
+ - usb: xhci: fix config fail of FS hub behind a HS hub with MTT
+ - airspy: increase USB control message buffer size
+ - USB: fix invalid memory access in hub_activate()
+ - USB: ipaq.c: fix a timeout loop
+ - USB: cp210x: add ID for ELV Marble Sound Board 1
+ - usb: core: lpm: fix usb3_hardware_lpm sysfs node
+ - xhci: refuse loading if nousb is used
+ - openvswitch: correct encoding of set tunnel action attributes
+ - veth: don’t modify ip_summed; doing so treats packets with bad checksums
+ as good.
+ - ipv6/addrlabel: fix ip6addrlbl_get()
+ - addrconf: always initialize sysctl table data
+ - net: cdc_ncm: avoid changing RX/TX buffers on MTU changes
+ - sctp: sctp should release assoc when sctp_make_abort_user return NULL
+ in sctp_close
+ - connector: bump skb->users before callback invocation
+ - af_unix: Fix splice-bind deadlock
+ - bridge: Only call /sbin/bridge-stp for the initial network namespace
+ - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
+ - net: sched: fix missing free per cpu on qstats
+ - net: possible use after free in dst_release
+ - tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
+ - vxlan: fix test which detect duplicate vxlan iface
+ - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+ - ipv6: tcp: add rcu locking in tcp_v6_send_synack()
+ - tcp_yeah: don't set ssthresh below 2
+ - sched,cls_flower: set key address type when present
+ - net: pktgen: fix null ptr deref in skb allocation
+ - udp: disallow UFO for sockets with SO_NO_CHECK option
+ - net: preserve IP control block during GSO segmentation
+ - bonding: Prevent IPv6 link local address on enslaved devices
+ - phonet: properly unshare skbs in phonet_rcv()
+ - net: bpf: reject invalid shifts
+ - ipv6: update skb->csum when CE mark is propagated
+ - bridge: fix lockdep addr_list_lock false positive splat
+ - batman-adv: Avoid recursive call_rcu for batadv_bla_claim
+ - batman-adv: Avoid recursive call_rcu for batadv_nc_node
+ - batman-adv: Drop immediate batadv_orig_ifinfo free function
+ - batman-adv: Drop immediate batadv_neigh_node free function
+ - batman-adv: Drop immediate neigh_ifinfo free function
+ - batman-adv: Drop immediate batadv_hard_iface free function
+ - batman-adv: Drop immediate orig_node free function
+ - net/mlx5_core: Fix trimming down IRQ number
+ - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
+ - xfrm: dst_entries_init() per-net dst_ops
+ - [powerpc*] tm: Block signal return setting invalid MSR state
+ - [powerpc*] tm: Check for already reclaimed tasks
+ - [powerpc*] opal-irqchip: Fix double endian conversion
+ - [powerpc*] opal-irqchip: Fix deadlock introduced by "Fix double endian
+ conversion"
+ - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type
+ - [powerpc*] Make value-returning atomics fully ordered
+ - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered
+ - [powerpc*] scripts/recordmcount.pl: support data in text section
+ - [powerpc*] module: Handle R_PPC64_ENTRY relocations
+ - [arm64] recordmcount: Replace the ignored mcount call into nop
+ - [arm64] bpf: fix div-by-zero case
+ - [arm64] bpf: fix mod-by-zero case
+ - [arm64] cmpxchg_dbl: fix return value type
+ - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend()
+ - [arm*] KVM: test properly for a PTE's uncachedness
+ - [arm64] KVM: Fix AArch32 to AArch64 register mapping
+ - [arm*] KVM: correct PTE uncachedness check
+ - [arm64] Clear out any singlestep state on a ptrace detach operation
+ - [arm64] mm: ensure that the zero page is visible to the page table walker
+ - [arm64] kernel: enforce pmuserenr_el0 initialization and restore
+ - [arm*] iommu/arm-smmu: Fix error checking for ASID and VMID allocation
+ - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
+ - [hppa] iommu: fix panic due to trying to allocate too large region
+ - HID: wacom: Tie cached HID_DG_CONTACTCOUNT indices to report ID
+ - HID: wacom: Expect 'touch_max' touches if HID_DG_CONTACTCOUNT not present
+ - HID: core: Avoid uninitialized buffer access
+ - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
+ - direct-io: Fix negative return from dio read beyond eof
+ - fix the regression from "direct-io: Fix negative return from dio read
+ beyond eof"
+ - [arm64] restore bogomips information in /proc/cpuinfo
+ - [arm64] KVM: Add workaround for Cortex-A57 erratum 834220
+ - [arm64] kernel: fix architected PMU registers unconditional access
[ Ben Hutchings ]
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
* SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
- * [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
- (CVE-2016-2069)
- * [x86] mm: Improve switch_mm() barrier comments
[ Salvatore Bonaccorso ]
- * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
* netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
[ Aurelien Jarno ]
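Review bot: Six of the nine patch files this commit deletes have no matching line among the entries added in this hunk: the isdn_ppp allocation checks, the vivid-osd info leak fix, the ppp/slip VJ slot validation, the unix socket FD accounting, the xen/gntdev NUMA change and the KVM SVM #DB intercept. Only the two switch_mm() barrier entries and the tcp_cwnd_reduction fix are carried over, with (CVE-2016-2069) and (CVE-2016-2070) kept. If the other six are recorded in changelog lines outside this hunk, nothing needs to change; if not, please add entries for them, with the CVE ids their patch headers name (CVE-2015-7799, CVE-2015-8104, CVE-2013-4312), so the dropped fixes stay traceable from the changelog.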
diff --git a/debian/config/defines b/debian/config/defines
index 475934b..11edf5a 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -16,6 +16,9 @@ ignore-changes:
# Can't be used from OOT
pin_is_valid
pinctrl_*
+# Shouldn't be used from OOT
+ module:drivers/net/ethernet/mellanox/**
+ pv_info
[base]
arches:
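Review bot: The `module:drivers/net/ethernet/mellanox/**` pattern added under ignore-changes switches off ABI change detection for every module below that directory, which is wider than one stable update normally requires. Please narrow it to the driver whose symbols actually changed, and extend the "Shouldn't be used from OOT" comment to name the upstream change behind each of the two entries. My assumption from the changelog in this commit is that they are "net/mlx5_core: Fix trimming down IRQ number" and "[x86] paravirt: Prevent rtc_cmos platform device init on PV guests"; recording that makes it clear when the ignores can be removed again.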
diff --git a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch b/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
deleted file mode 100644
index 6826c67..0000000
--- a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:21:24 +0000
-Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
-Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3
-
-Compile-tested only.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index c4198fa..86f9abe 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
- is->compflags = 0;
-
- is->reset = isdn_ppp_ccp_reset_alloc(is);
-+ if (!is->reset)
-+ return -ENOMEM;
-
- is->lp = NULL;
- is->mp_seqno = 0; /* MP sequence number */
-@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-+ if (!is->slcomp) {
-+ isdn_ppp_ccp_reset_free(is);
-+ return -ENOMEM;
-+ }
- #endif
- #ifdef CONFIG_IPPP_FILTER
- is->pass_filter = NULL;
diff --git a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch b/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
deleted file mode 100644
index 8d551da..0000000
--- a/debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr at gmail.com>
-Date: Wed, 7 Oct 2015 07:09:26 -0300
-Subject: [media] media/vivid-osd: fix info leak in ioctl
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c
-
-The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
-struct fb_vblank after the ->hcount member. Add an explicit
-memset(0) before filling the structure to avoid the info leak.
-
-Signed-off-by: Salva Peiró <speirofr at gmail.com>
-Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/platform/vivid/vivid-osd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
-index 084d346..e15eef6 100644
---- a/drivers/media/platform/vivid/vivid-osd.c
-+++ b/drivers/media/platform/vivid/vivid-osd.c
-@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
- case FBIOGET_VBLANK: {
- struct fb_vblank vblank;
-
-+ memset(&vblank, 0, sizeof(vblank));
- vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
- FB_VBLANK_HAVE_VSYNC;
- vblank.count = 0;
diff --git a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch b/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
deleted file mode 100644
index b70b25a..0000000
--- a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:22:53 +0000
-Subject: ppp, slip: Validate VJ compression slot parameters completely
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae
-
-Currently slhc_init() treats out-of-range values of rslots and tslots
-as equivalent to 0, except that if tslots is too large it will
-dereference a null pointer (CVE-2015-7799).
-
-Add a range-check at the top of the function and make it return an
-ERR_PTR() on error instead of NULL. Change the callers accordingly.
-
-Compile-tested only.
-
-Reported-by: 郭永刚 <guoyonggang at 360.cn>
-References: http://article.gmane.org/gmane.comp.security.oss.general/17908
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
- drivers/net/ppp/ppp_generic.c | 6 ++----
- drivers/net/slip/slhc.c | 12 ++++++++----
- drivers/net/slip/slip.c | 2 +-
- 4 files changed, 15 insertions(+), 15 deletions(-)
-
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-- if (!is->slcomp) {
-+ if (IS_ERR(is->slcomp)) {
- isdn_ppp_ccp_reset_free(is);
-- return -ENOMEM;
-+ return PTR_ERR(is->slcomp);
- }
- #endif
- #ifdef CONFIG_IPPP_FILTER
-@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil
- is->maxcid = val;
- #ifdef CONFIG_ISDN_PPP_VJ
- sltmp = slhc_init(16, val);
-- if (!sltmp) {
-- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
-- return -ENOMEM;
-- }
-+ if (IS_ERR(sltmp))
-+ return PTR_ERR(sltmp);
- if (is->slcomp)
- slhc_free(is->slcomp);
- is->slcomp = sltmp;
---- a/drivers/net/ppp/ppp_generic.c
-+++ b/drivers/net/ppp/ppp_generic.c
-@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file,
- val &= 0xffff;
- }
- vj = slhc_init(val2+1, val+1);
-- if (!vj) {
-- netdev_err(ppp->dev,
-- "PPP: no memory (VJ compressor)\n");
-- err = -ENOMEM;
-+ if (IS_ERR(vj)) {
-+ err = PTR_ERR(vj);
- break;
- }
- ppp_lock(ppp);
---- a/drivers/net/slip/slhc.c
-+++ b/drivers/net/slip/slhc.c
-@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
- static unsigned char * put16(unsigned char *cp, unsigned short x);
- static unsigned short pull16(unsigned char **cpp);
-
--/* Initialize compression data structure
-+/* Allocate compression data structure
- * slots must be in range 0 to 255 (zero meaning no compression)
-+ * Returns pointer to structure or ERR_PTR() on error.
- */
- struct slcompress *
- slhc_init(int rslots, int tslots)
-@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
- register struct cstate *ts;
- struct slcompress *comp;
-
-+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
-+ return ERR_PTR(-EINVAL);
-+
- comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
- if (! comp)
- goto out_fail;
-
-- if ( rslots > 0 && rslots < 256 ) {
-+ if (rslots > 0) {
- size_t rsize = rslots * sizeof(struct cstate);
- comp->rstate = kzalloc(rsize, GFP_KERNEL);
- if (! comp->rstate)
-@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
- comp->rslot_limit = rslots - 1;
- }
-
-- if ( tslots > 0 && tslots < 256 ) {
-+ if (tslots > 0) {
- size_t tsize = tslots * sizeof(struct cstate);
- comp->tstate = kzalloc(tsize, GFP_KERNEL);
- if (! comp->tstate)
-@@ -141,7 +145,7 @@ out_free2:
- out_free:
- kfree(comp);
- out_fail:
-- return NULL;
-+ return ERR_PTR(-ENOMEM);
- }
-
-
---- a/drivers/net/slip/slip.c
-+++ b/drivers/net/slip/slip.c
-@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl
- if (cbuff == NULL)
- goto err_exit;
- slcomp = slhc_init(16, 16);
-- if (slcomp == NULL)
-+ if (IS_ERR(slcomp))
- goto err_exit;
- #endif
- spin_lock_bh(&sl->lock);
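Review bot: Switching slhc_init() from returning NULL to returning ERR_PTR() (the `return ERR_PTR(-ENOMEM);` at out_fail and the new range check at the top) means any caller that still tests the result with `if (!p)` will treat an error pointer as a valid struct slcompress. The hunks convert two call sites in isdn_ppp.c and one each in ppp_generic.c and slip.c; the description should say explicitly that these are all the callers, since it also says "Compile-tested only". Separately, the isdn_ppp_ioctl() and ppp_ioctl() hunks delete the printk()/netdev_err() messages, so an allocation failure there is no longer logged and is only visible through the returned errno; worth a sentence in the description if that is intended.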
diff --git a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch b/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
deleted file mode 100644
index bd192a1..0000000
--- a/debian/patches/bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Yuchung Cheng <ycheng at google.com>
-Date: Wed, 6 Jan 2016 12:42:38 -0800
-Subject: tcp: fix zero cwnd in tcp_cwnd_reduction
-Origin: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390
-
-Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
-conditionally") introduced a bug that cwnd may become 0 when both
-inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
-to a div-by-zero if the connection starts another cwnd reduction
-phase by setting tp->prior_cwnd to the current cwnd (0) in
-tcp_init_cwnd_reduction().
-
-To prevent this we skip PRR operation when nothing is acked or
-sacked. Then cwnd must be positive in all cases as long as ssthresh
-is positive:
-
-1) The proportional reduction mode
- inflight > ssthresh > 0
-
-2) The reduction bound mode
- a) inflight == ssthresh > 0
-
- b) inflight < ssthresh
- sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
-
-Therefore in all cases inflight and sndcnt can not both be 0.
-We check invalid tp->prior_cwnd to avoid potential div0 bugs.
-
-In reality this bug is triggered only with a sequence of less common
-events. For example, the connection is terminating an ECN-triggered
-cwnd reduction with an inflight 0, then it receives reordered/old
-ACKs or DSACKs from prior transmission (which acks nothing). Or the
-connection is in fast recovery stage that marks everything lost,
-but fails to retransmit due to local issues, then receives data
-packets from other end which acks nothing.
-
-Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
-Reported-by: Oleksandr Natalenko <oleksandr at natalenko.name>
-Signed-off-by: Yuchung Cheng <ycheng at google.com>
-Signed-off-by: Neal Cardwell <ncardwell at google.com>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/tcp_input.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 2d656ee..d4c5115 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
- int newly_acked_sacked = prior_unsacked -
- (tp->packets_out - tp->sacked_out);
-
-+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
-+ return;
-+
- tp->prr_delivered += newly_acked_sacked;
- if (delta < 0) {
- u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
---
-2.1.4
-
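Review bot: The guard added at the top of tcp_cwnd_reduction() carries no comment, so the invariant it protects (cwnd stays positive as long as ssthresh is positive, and prior_cwnd must be non-zero before it is used as a divisor) is documented only in the commit message. A short comment above `if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))` would keep that reasoning next to the code. It should also mention that, because of the short-circuit, WARN_ON_ONCE() is evaluated only when newly_acked_sacked is positive, so a zero prior_cwnd on an ACK that acks nothing returns without a warning.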
diff --git a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
deleted file mode 100644
index 8cd6bb4..0000000
--- a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From: willy tarreau <w at 1wt.eu>
-Date: Sun, 10 Jan 2016 07:54:56 +0100
-Subject: unix: properly account for FDs passed over unix sockets
-Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593
-
-It is possible for a process to allocate and accumulate far more FDs than
-the process' limit by sending them over a unix socket then closing them
-to keep the process' fd count low.
-
-This change addresses this problem by keeping track of the number of FDs
-in flight per user and preventing non-privileged processes from having
-more FDs in flight than their configured FD limit.
-
-Reported-by: socketpair at gmail.com
-Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/linux/sched.h | 1 +
- net/unix/af_unix.c | 24 ++++++++++++++++++++----
- net/unix/garbage.c | 13 ++++++++-----
- 3 files changed, 29 insertions(+), 9 deletions(-)
-
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index edad7a4..fbf25f1 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -830,6 +830,7 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index ef05cd9..e3f85bc 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
- sock_wfree(skb);
- }
-
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index a73a226..8fcdc22 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
--
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
-
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
---
-2.7.0.rc3
-
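Review bot: too_many_unix_fds() tests `current_user()->unix_inflight`, but unix_inflight() and unix_notinflight() adjust `fp->f_cred->user->unix_inflight`, which belongs to the user that opened the file, not to the sender. When the two differ, the sender's own counter never grows and the in-flight files are billed to someone else, so the limit can be sidestepped and another user's budget consumed; charging the sending task's user_struct would make the check and the accounting agree. Two smaller points: the `p` argument is used only for task_rlimit() while the user comes from current_user(), which is confusing if `p` is ever not `current`; and the check runs before the attach loop in unix_attach_fds() with a `>` comparison, so a single message can take the counter past RLIMIT_NOFILE by up to scm->fp->count.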
diff --git a/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch b/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
deleted file mode 100644
index 6da7b5e..0000000
--- a/debian/patches/bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Boris Ostrovsky <boris.ostrovsky at oracle.com>
-Date: Tue, 10 Nov 2015 15:10:33 -0500
-Subject: xen/gntdev: Grant maps should not be subject to NUMA balancing
-Origin: https://git.kernel.org/linus/9c17d96500f78d7ecdb71ca6942830158bc75a2b
-Bug-Debian: https://bugs.debian.org/810472
-
-Doing so will cause the grant to be unmapped and then, during
-fault handling, the fault to be mistakenly treated as NUMA hint
-fault.
-
-In addition, even if those maps could partcipate in NUMA
-balancing, it wouldn't provide any benefit since we are unable
-to determine physical page's node (even if/when VNUMA is
-implemented).
-
-Marking grant maps' VMAs as VM_IO will exclude them from being
-part of NUMA balancing.
-
-Signed-off-by: Boris Ostrovsky <boris.ostrovsky at oracle.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
----
- drivers/xen/gntdev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
-index 2ea0b3b..1be5dd0 100644
---- a/drivers/xen/gntdev.c
-+++ b/drivers/xen/gntdev.c
-@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
-
- vma->vm_ops = &gntdev_vmops;
-
-- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
-+ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
-
- if (use_ptemod)
- vma->vm_flags |= VM_DONTCOPY;
diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
deleted file mode 100644
index 7ed419e..0000000
--- a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Tue, 10 Nov 2015 09:14:39 +0100
-Subject: KVM: svm: unconditionally intercept #DB
-Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich at suse.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/svm.c | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
- set_exception_intercept(svm, AC_VECTOR);
-+ set_exception_intercept(svm, DB_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
-
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- clr_exception_intercept(svm, DB_VECTOR);
- clr_exception_intercept(svm, BP_VECTOR);
-
-- if (svm->nmi_singlestep)
-- set_exception_intercept(svm, DB_VECTOR);
--
- if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-- if (vcpu->guest_debug &
-- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-- set_exception_intercept(svm, DB_VECTOR);
- if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- set_exception_intercept(svm, BP_VECTOR);
- } else
-@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s
- if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- svm->vmcb->save.rflags &=
- ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(&svm->vcpu);
- }
-
- if (svm->vcpu.guest_debug &
-@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm
- */
- svm->nmi_singlestep = true;
- svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(vcpu);
- }
-
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops =
- .vcpu_load = svm_vcpu_load,
- .vcpu_put = svm_vcpu_put,
-
-- .update_db_bp_intercept = update_db_bp_intercept,
-+ .update_db_bp_intercept = update_bp_intercept,
- .get_msr = svm_get_msr,
- .set_msr = svm_set_msr,
- .get_segment_base = svm_get_segment_base,
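Review bot: After the rename in the second hunk the SVM function is update_bp_intercept(), yet the last hunk still registers it as `.update_db_bp_intercept = update_bp_intercept,`, so the hook name no longer matches what the SVM side does. Either keep the old function name or add a comment at the assignment saying that #DB is now always intercepted through the `set_exception_intercept(svm, DB_VECTOR);` added to init_vmcb() and that only #BP is toggled here. That also helps a later reader understand why the update_db_bp_intercept() calls were dropped from db_interception() and enable_nmi_window().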
diff --git a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch b/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
deleted file mode 100644
index 0ef0875..0000000
--- a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 6 Jan 2016 12:21:01 -0800
-Subject: x86/mm: Add barriers and document switch_mm()-vs-flush
- synchronization
-Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e
-
-When switch_mm() activates a new PGD, it also sets a bit that
-tells other CPUs that the PGD is in use so that TLB flush IPIs
-will be sent. In order for that to work correctly, the bit
-needs to be visible prior to loading the PGD and therefore
-starting to fill the local TLB.
-
-Document all the barriers that make this work correctly and add
-a couple that were missing.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Dave Hansen <dave.hansen at linux.intel.com>
-Cc: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Rik van Riel <riel at redhat.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: linux-mm at kvack.org
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
----
- arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++-
- arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++---
- 2 files changed, 58 insertions(+), 4 deletions(-)
-
-diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 379cd3658799..1edc9cd198b8 100644
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- #endif
- cpumask_set_cpu(cpu, mm_cpumask(next));
-
-- /* Re-load page tables */
-+ /*
-+ * Re-load page tables.
-+ *
-+ * This logic has an ordering constraint:
-+ *
-+ * CPU 0: Write to a PTE for 'next'
-+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
-+ * CPU 1: set bit 1 in next's mm_cpumask
-+ * CPU 1: load from the PTE that CPU 0 writes (implicit)
-+ *
-+ * We need to prevent an outcome in which CPU 1 observes
-+ * the new PTE value and CPU 0 observes bit 1 clear in
-+ * mm_cpumask. (If that occurs, then the IPI will never
-+ * be sent, and CPU 0's TLB will contain a stale entry.)
-+ *
-+ * The bad outcome can occur if either CPU's load is
-+ * reordered before that CPU's store, so both CPUs much
-+ * execute full barriers to prevent this from happening.
-+ *
-+ * Thus, switch_mm needs a full barrier between the
-+ * store to mm_cpumask and any operation that could load
-+ * from next->pgd. This barrier synchronizes with
-+ * remote TLB flushers. Fortunately, load_cr3 is
-+ * serializing and thus acts as a full barrier.
-+ *
-+ */
- load_cr3(next->pgd);
-+
- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
-
- /* Stop flush ipis for the previous mm */
-@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- * schedule, protecting us from simultaneous changes.
- */
- cpumask_set_cpu(cpu, mm_cpumask(next));
-+
- /*
- * We were in lazy tlb mode and leave_mm disabled
- * tlb flush IPI delivery. We must reload CR3
- * to make sure to use no freed page tables.
-+ *
-+ * As above, this is a barrier that forces
-+ * TLB repopulation to be ordered after the
-+ * store to mm_cpumask.
- */
- load_cr3(next->pgd);
- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
-diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
-index 8ddb5d0d66fb..8f4cc3dfac32 100644
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -161,7 +161,10 @@ void flush_tlb_current_task(void)
- preempt_disable();
-
- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
-+
-+ /* This is an implicit full barrier that synchronizes with switch_mm. */
- local_flush_tlb();
-+
- trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
- flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
-@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
- unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
-
- preempt_disable();
-- if (current->active_mm != mm)
-+ if (current->active_mm != mm) {
-+ /* Synchronize with switch_mm. */
-+ smp_mb();
-+
- goto out;
-+ }
-
- if (!current->mm) {
- leave_mm(smp_processor_id());
-+
-+ /* Synchronize with switch_mm. */
-+ smp_mb();
-+
- goto out;
- }
-
- if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
- base_pages_to_flush = (end - start) >> PAGE_SHIFT;
-
-+ /*
-+ * Both branches below are implicit full barriers (MOV to CR or
-+ * INVLPG) that synchronize with switch_mm.
-+ */
- if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
- base_pages_to_flush = TLB_FLUSH_ALL;
- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
-@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
- preempt_disable();
-
- if (current->active_mm == mm) {
-- if (current->mm)
-+ if (current->mm) {
-+ /*
-+ * Implicit full barrier (INVLPG) that synchronizes
-+ * with switch_mm.
-+ */
- __flush_tlb_one(start);
-- else
-+ } else {
- leave_mm(smp_processor_id());
-+
-+ /* Synchronize with switch_mm. */
-+ smp_mb();
-+ }
- }
-
- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
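Review bot: removing this file takes the explicit `smp_mb()` calls in `flush_tlb_mm_range()` and `flush_tlb_page()` out of the Debian patch set, and nothing in the removal records which 4.3.5 change replaces them. The `Origin:` line names mainline commit 71b3c126e61177eb693423f2e18a1914205b165e; check that the stable backport contains all three `smp_mb()` additions and not only the comment changes, and reference the matching ChangeLog-4.3.5 entry in debian/changelog so the drop can be audited.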
diff --git a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch b/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
deleted file mode 100644
index 5e3f932..0000000
--- a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Tue, 12 Jan 2016 12:47:40 -0800
-Subject: x86/mm: Improve switch_mm() barrier comments
-Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b
-
-My previous comments were still a bit confusing and there was a
-typo. Fix it up.
-
-Reported-by: Peter Zijlstra <peterz at infradead.org>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Dave Hansen <dave.hansen at linux.intel.com>
-Cc: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Rik van Riel <riel at redhat.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization")
-Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
----
- arch/x86/include/asm/mmu_context.h | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 1edc9cd198b8..bfd9b2a35a0b 100644
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- * be sent, and CPU 0's TLB will contain a stale entry.)
- *
- * The bad outcome can occur if either CPU's load is
-- * reordered before that CPU's store, so both CPUs much
-+ * reordered before that CPU's store, so both CPUs must
- * execute full barriers to prevent this from happening.
- *
- * Thus, switch_mm needs a full barrier between the
- * store to mm_cpumask and any operation that could load
-- * from next->pgd. This barrier synchronizes with
-- * remote TLB flushers. Fortunately, load_cr3 is
-- * serializing and thus acts as a full barrier.
-+ * from next->pgd. TLB fills are special and can happen
-+ * due to instruction fetches or for no reason at all,
-+ * and neither LOCK nor MFENCE orders them.
-+ * Fortunately, load_cr3() is serializing and gives the
-+ * ordering guarantee we need.
- *
- */
- load_cr3(next->pgd);
-@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
- * tlb flush IPI delivery. We must reload CR3
- * to make sure to use no freed page tables.
- *
-- * As above, this is a barrier that forces
-- * TLB repopulation to be ordered after the
-- * store to mm_cpumask.
-+ * As above, load_cr3() is serializing and orders TLB
-+ * fills with respect to the mm_cpumask write.
- */
- load_cr3(next->pgd);
- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
diff --git a/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch b/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch
new file mode 100644
index 0000000..32441eb
--- /dev/null
+++ b/debian/patches/debian/usb-fix-abi-change-in-4.3.5.patch
@@ -0,0 +1,23 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 01 Feb 2016 09:05:24 +0100
+Subject: usb: Fix ABI change in 4.3.5
+Forwarded: not-needed
+
+struct usb_device gained two new bitfields, but there were plenty of
+padding bits to spare. Hide them from genksyms.
+
+---
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -582,8 +582,11 @@ struct usb_device {
+ unsigned usb2_hw_lpm_enabled:1;
+ unsigned usb2_hw_lpm_allowed:1;
+ unsigned usb3_lpm_enabled:1;
++#ifndef __GENKSYMS__
+ unsigned usb3_lpm_u1_enabled:1;
+ unsigned usb3_lpm_u2_enabled:1;
++ /* 18 bits spare */
++#endif
+ int string_langid;
+
+ /* static strings from the device */
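Review bot: the `/* 18 bits spare */` comment inside the `#ifndef __GENKSYMS__` block is the only evidence that `usb3_lpm_u1_enabled` and `usb3_lpm_u2_enabled` fit into existing padding, and hiding them from genksyms keeps the symbol versions unchanged whether or not the layout really is unchanged. Say in the patch description how the spare count was obtained (for example, pahole output for `struct usb_device` before and after the update), so that the claim that `string_langid` keeps its offset can be rechecked when the next field is added.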
diff --git a/debian/patches/series b/debian/patches/series
index 9afb768..49a34c5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,13 +100,9 @@ bugfix/all/selftests-breakpoints-actually-build-it.patch
debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
# Security fixes
-bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
-bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
-bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
-bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
bugfix/all/xen-add-ring_copy_request.patch
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
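Review bot: four entries leave the `# Security fixes` block here on the strength of the commit message's "included in it", and the removal lines give no pointer to the upstream change that replaces each one. Listing the matching ChangeLog-4.3.5 entries in debian/changelog next to the dropped patch names would let a reader confirm that no security fix was lost in the update.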
@@ -127,11 +123,9 @@ bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
-bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
-bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
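Review bot: `bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch` is dropped, but `debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch` on the next line stays, so the ABI workaround now has to apply on top of the upstream 4.3.5 version of that fix instead of the Debian copy. Confirm it still applies without fuzz, and add a comment in the series file saying which upstream change it compensates for, since the patch it used to follow is gone.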
@@ -142,8 +136,6 @@ bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
-bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch
bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
-bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
-bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
+debian/usb-fix-abi-change-in-4.3.5.patch
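Review bot: the new `debian/usb-fix-abi-change-in-4.3.5.patch` entry is appended after the last bugfix line with no comment, whereas the other ABI workaround visible in this file, `debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch`, sits next to the change it compensates for. A one-line comment above the new entry naming the 4.3.5 USB change that added the bitfields would make it clear when the workaround can be removed at the next ABI bump.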
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git