[linux] 01/01: Update to 3.2.76
debian-kernel at lists.debian.org
Sun Jan 24 03:46:47 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy
in repository linux.
commit 16a315aa3332a27d93851d56afdc1cffd25ce556
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Jan 23 23:42:11 2016 +0000
Update to 3.2.76
Drop a whole lot of patches that were included upstream.
Fix the af_unix and enclosure ABI changes; ignore the IPv6 ABI change.
---
debian/changelog | 152 ++++++++++
debian/config/defines | 11 +
...alidate-socket-address-length-in-sco_sock.patch | 22 --
...d-checks-for-allocation-failure-in-isdn_p.patch | 37 ---
.../keys-fix-race-between-read-and-revoke.patch | 110 -------
...idation-for-the-socket-syscall-protocol-a.patch | 126 --------
...lidate-vj-compression-slot-parameters-com.patch | 129 --------
...-sockaddr_len-in-pptp_bind-and-pptp_conne.patch | 34 ---
...-when-sending-a-message-on-unbound-socket.patch | 69 -----
...ument-to-skb_copy_and_csum_datagram_iovec.patch | 108 -------
...lice-sendfile-at-once-fails-for-big-files.patch | 132 ---------
...y-support-msg_peek-with-truncated-buffers.patch | 88 ------
...id-use-after-free-in-ep_remove_wait_queue.patch | 325 ---------------------
.../bugfix/all/xen-add-ring_copy_request.patch | 52 ----
...-only-read-request-operation-from-shared-.patch | 57 ----
...-don-t-use-last-request-to-determine-mini.patch | 36 ---
...-netback-use-ring_copy_request-throughout.patch | 127 --------
...-do-not-install-an-irq-handler-for-msi-in.patch | 75 -----
...-don-t-allow-msi-x-ops-if-pci_command_mem.patch | 59 ----
...-for-xen_pci_op_disable_msi-x-only-disabl.patch | 100 -------
...-return-error-on-xen_pci_op_enable_msi-wh.patch | 56 ----
...-return-error-on-xen_pci_op_enable_msix-w.patch | 58 ----
...-save-xen_pci_op-commands-before-processi.patch | 73 -----
...oad-pit-counters-for-all-channels-when-re.patch | 53 ----
.../x86/kvm-svm-unconditionally-intercept-db.patch | 78 -----
.../patches/debian/af_unix-avoid-abi-changes.patch | 28 +-
.../enclosure-fix-abi-change-in-2.6.32.70.patch | 30 ++
debian/patches/features/all/drm/drm-3.4.patch | 239 +++++++++++++--
.../arm/ahci-Add-JMicron-362-device-IDs.patch | 33 ---
debian/patches/series | 25 +-
30 files changed, 425 insertions(+), 2097 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 9e5aa61..f43ebf4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,155 @@
+linux (3.2.76-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.74
+ - PCI: Fix devfn for VPD access through function 0
+ - PCI: Use function 0 VPD for identical functions, regular VPD for others
+ - mac80211: fix driver RSSI event calculations
+ - HID: core: Avoid uninitialized buffer access
+ - wm831x_power: Use IRQF_ONESHOT to request threaded IRQs
+ - mwifiex: fix mwifiex_rdeeprom_read()
+ - mtd: mtdpart: fix add_mtd_partitions error path
+ - devres: fix a for loop bounds check
+ - packet: fix match_fanout_group()
+ - Btrfs: added helper btrfs_next_item()
+ - Btrfs: fix file corruption and data loss after cloning inline extents
+ - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
+ - Btrfs: don't use ram_bytes for uncompressed inline items
+ - Btrfs: fix truncation of compressed and inlined extents
+ - ext4, jbd2: ensure entering into panic after recording an error in
+ superblock
+ - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
+ - ALSA: hda - Disable 64bit address for Creative HDA controllers
+ - megaraid_sas: Do not use PAGE_SIZE for max_sectors
+ - can: Use correct type in sizeof() in nla_put()
+ - mtd: blkdevs: fix potential deadlock + lockdep warnings
+ - crypto: algif_hash - Only export and import on sockets with data
+ - megaraid_sas : do not access user memory from IOCTL code
+ - ipv6: fix tunnel error handling
+ - ALSA: hda - Apply pin fixup for HP ProBook 6550b
+ - firewire: ohci: fix JMicron JMB38x IT context discovery
+ - scsi: restart list search after unlock in scsi_remove_target
+ - [amd64] cpu: Call verify_cpu() after having entered long mode too
+ - Btrfs: fix race leading to incorrect item deletion when dropping extents
+ - Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
+ - perf: Fix inherited events vs. tracepoint filters
+ - scsi_sysfs: Fix queue_ramp_up_period return code
+ - Btrfs: fix race when listing an inode's xattrs
+ - net: fix a race in dst_release()
+ - FS-Cache: Increase reference of parent after registering, netfs success
+ - FS-Cache: Don't override netfs's primary_index if registering failed
+ - FS-Cache: Handle a write to the page immediately beyond the EOF marker
+ - binfmt_elf: Don't clobber passed executable's file header
+ - fs: make dumpable=2 require fully qualified path
+ - fs: if a coredump already exists, unlink and recreate with O_EXCL
+ - irda: precedence bug in irlmp_seq_hb_idx()
+ - RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in
+ rds_tcp_data_recv
+ - ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH()
+ in preemptible context.
+ - net: avoid NULL deref in inet_ctl_sock_destroy()
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.75
+ - fuse: break infinite loop in fuse_fill_write_pages()
+ - sctp: translate host order to network order when setting a hmacid
+ - ALSA: usb-audio: add packet size quirk for the Medeli DD305
+ - ALSA: usb-audio: prevent CH345 multiport output SysEx corruption
+ - ALSA: usb-audio: work around CH345 input SysEx corruption
+ - usb: musb: core: fix order of arguments to ulpi write callback
+ - ASoC: wm8962: correct addresses for HPF_C_0/1
+ - net: fix __netdev_update_features return on ndo_set_features failure
+ - FS-Cache: Add missing initialization of ret in cachefiles_write_page()
+ - mac80211: mesh: fix call_rcu() usage
+ - macvlan: fix leak in macvlan_handle_frame
+ - xhci: Add XHCI_INTEL_HOST quirk
+ - xhci: Workaround to get Intel xHCI reset working more reliably
+ - usblp: do not set TASK_INTERRUPTIBLE before lock
+ - mac: validate mac_partition is within sector
+ - ip6mr: call del_timer_sync() in ip6mr_free_table()
+ - net: ip6mr: fix static mfc/dev leaks on table destruction
+ - can: sja1000: clear interrupts on start
+ - USB: cp210x: Remove CP2110 ID from compatibility list
+ - USB: cdc-acm - Add IGNORE_DEVICE quirk
+ - USB: cdc_acm: Ignore Infineon Flash Loader utility
+ - fix sysvfs symlinks
+ - vfs: Make sendfile(2) killable even better
+ - vfs: Avoid softlockups with sendfile(2)
+ - broadcom: fix PHY_ID_BCM5481 entry in the id table
+ - ring-buffer: Update read stamp with first real commit on page
+ - ext4: Fix handling of extended tv_sec
+ - jbd2: Fix unreclaimed pages after truncate in data=journal mode
+ - nfs: if we have no valid attrs, then don't declare the attribute cache
+ valid
+ - AHCI: Fix softreset failed issue of Port Multiplier
+ - sata_sil: disable trim
+ - wan/x25: Fix use-after-free in x25_asy_open_tty()
+ - USB: whci-hcd: add check for dma mapping error
+ - usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
+ - dm btree: fix leak of bufio-backed block in btree_split_sibling error path
+ - ipv4: igmp: Allow removing groups from a removed interface
+ - locking: Add WARN_ON_ONCE lock assertion
+ - sched/core: Remove false-positive warning from wake_up_process()
+ - sched/core: Clear the root_domain cpumasks in init_rootdomain()
+ - usb: xhci: fix config fail of FS hub behind a HS hub with MTT
+ - ALSA: rme96: Fix unexpected volume reset after rate changes
+ - 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
+ - ipmi: move timer init to before irq is setup
+ - dm btree: fix bufio buffer leaks in dm_btree_del() error path
+ - vgaarb: fix signal handling in vga_get()
+ - mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make
+ any progress
+ - mm: hugetlb: call huge_pte_alloc() only if ptep is null
+ - snmp: Remove duplicate OUTMCAST stat increment
+ - tcp: initialize tp->copied_seq in case of cross SYN connection
+ - net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
+ - net: ipmr: fix static mfc/dev leaks on table destruction
+ - ipv6: distinguish frag queues by device for multicast and link-local
+ packets
+ - dccp: remove unnecessary codes in ipv6.c
+ - ipv6: add complete rcu protection around np->opt
+ - ipv6: sctp: implement sctp_v6_destroy_sock()
+ - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+ - sctp: update the netstamp_needed counter when copying sockets
+ - ipv6: sctp: clone options to avoid use after free
+ - af_unix: Revert 'lock_interruptible' in stream receive code
+ - af_unix: fix a fatal race with bit fields
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.76
+ - sctp: start t5 timer only when peer rwnd is 0 and local state is
+ SHUTDOWN_PENDING
+ - ipv6: sctp: fix lockdep splat in sctp_v6_get_dst()
+ - video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented
+ - crypto: skcipher - Copy iv from desc even for 0-len walks
+ - rfkill: copy the name into the rfkill struct
+ - ses: Fix problems with simple enclosures
+ - ses: fix additional element traversal bug
+ - tty: Fix GPF in flush_to_ldisc()
+ - ALSA: tlv: compute TLV_*_ITEM lengths automatically
+ - ALSA: tlv: add DECLARE_TLV_DB_RANGE()
+ - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
+ - sh_eth: fix TX buffer byte-swapping
+ - mISDN: fix a loop count
+ - ser_gigaset: fix deallocation of platform device structure
+ - spi: fix parent-device reference leak
+ - [s390*] dis: Fix handling of format specifiers
+ - USB: ipaq.c: fix a timeout loop
+ - USB: fix invalid memory access in hub_activate()
+ - ipv6/addrlabel: fix ip6addrlbl_get()
+ - ocfs2: fix BUG when calculate new backup super
+ - mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone()
+ - [mips*] Fix restart of indirect syscalls
+ - net/core: revert "net: fix __netdev_update_features return.." and add
+ comment
+ - genirq: Prevent chip buslock deadlock
+ - net: possible use after free in dst_release
+ - [x86] kvm: only channel 0 of the i8254 is linked to the HPET
+ - vmstat: allocate vmstat_wq before it is used
+ - cdrom: Random writing support for BD-RE media
+
+ [ Ben Hutchings ]
+ * net: Ignore ABI changes due to "ipv6: add complete rcu protection around
+ np->opt", which don't appear to affect out-of-tree modules
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 23 Jan 2016 23:02:51 +0000
+
linux (3.2.73-2+deb7u2) wheezy-security; urgency=medium
* net: add validation for the socket syscall protocol argument (CVE-2015-8543)
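Review bot: The `[ Ben Hutchings ]` section of the new 3.2.76-1 entry records only the ignored IPv6 ABI change, while the commit message also says the af_unix and enclosure ABI changes were fixed, and the diffstat shows debian/af_unix-avoid-abi-changes.patch updated and enclosure-fix-abi-change-in-2.6.32.70.patch added; each of those should get its own changelog item. Separately, none of the upstream items in this entry is tagged with a CVE ID, although the patches dropped in this commit cite CVE-2015-7550, CVE-2015-7799, CVE-2015-8543 and CVE-2015-6937, so the entry should say which upstream change now carries each fix.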
diff --git a/debian/config/defines b/debian/config/defines
index 8081852..790b71f 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -77,6 +77,17 @@ ignore-changes:
module:sound/pci/emu10k1/*
# Apparently not used from OOT
skb_copy_and_csum_datagram_iovec
+ module:net/dccp/dccp
+ fl6_*
+ inet_sk_diag_fill
+ ip6_append_data
+ ip6_datagram_send_ctl
+ ip6_xmit
+ ipv6_dup_options
+ ipv6_fixup_options
+ ipv6_push_nfrag_opts
+ tcp_cong_avoid_ai
+ tcp_slow_start
[base]
arches:
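Review bot: The eleven entries added under ignore-changes carry no comment, unlike the `# Apparently not used from OOT` line just above them, and the changelog justifies ignoring only the np->opt change. `module:net/dccp/dccp` and the `fl6_*` wildcard are broad, and `inet_sk_diag_fill`, `tcp_cong_avoid_ai` and `tcp_slow_start` are not obviously IPv6 option symbols; a comment line naming the upstream change behind each group would make it clear when the entries can be removed again.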
diff --git a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch b/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
deleted file mode 100644
index e7936ac..0000000
--- a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Tue, 15 Dec 2015 15:39:08 -0500
-Subject: bluetooth: Validate socket address length in sco_sock_bind().
-Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4
-
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/bluetooth/sco.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/bluetooth/sco.c
-+++ b/net/bluetooth/sco.c
-@@ -475,6 +475,9 @@ static int sco_sock_bind(struct socket *
- if (!addr || addr->sa_family != AF_BLUETOOTH)
- return -EINVAL;
-
-+ if (addr_len < sizeof(struct sockaddr_sco))
-+ return -EINVAL;
-+
- lock_sock(sk);
-
- if (sk->sk_state != BT_OPEN) {
diff --git a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch b/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
deleted file mode 100644
index 6826c67..0000000
--- a/debian/patches/bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:21:24 +0000
-Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
-Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3
-
-Compile-tested only.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index c4198fa..86f9abe 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
- is->compflags = 0;
-
- is->reset = isdn_ppp_ccp_reset_alloc(is);
-+ if (!is->reset)
-+ return -ENOMEM;
-
- is->lp = NULL;
- is->mp_seqno = 0; /* MP sequence number */
-@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-+ if (!is->slcomp) {
-+ isdn_ppp_ccp_reset_free(is);
-+ return -ENOMEM;
-+ }
- #endif
- #ifdef CONFIG_IPPP_FILTER
- is->pass_filter = NULL;
diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
deleted file mode 100644
index 0f7310a..0000000
--- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Fri, 18 Dec 2015 01:34:26 +0000
-Subject: KEYS: Fix race between read and revoke
-Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
-
-This fixes CVE-2015-7550.
-
-There's a race between keyctl_read() and keyctl_revoke(). If the revoke
-happens between keyctl_read() checking the validity of a key and the key's
-semaphore being taken, then the key type read method will see a revoked key.
-
-This causes a problem for the user-defined key type because it assumes in
-its read method that there will always be a payload in a non-revoked key
-and doesn't check for a NULL pointer.
-
-Fix this by making keyctl_read() check the validity of a key after taking
-semaphore instead of before.
-
-I think the bug was introduced with the original keyrings code.
-
-This was discovered by a multithreaded test program generated by syzkaller
-(http://github.com/google/syzkaller). Here's a cleaned up version:
-
- #include <sys/types.h>
- #include <keyutils.h>
- #include <pthread.h>
- void *thr0(void *arg)
- {
- key_serial_t key = (unsigned long)arg;
- keyctl_revoke(key);
- return 0;
- }
- void *thr1(void *arg)
- {
- key_serial_t key = (unsigned long)arg;
- char buffer[16];
- keyctl_read(key, buffer, 16);
- return 0;
- }
- int main()
- {
- key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
- pthread_t th[5];
- pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
- pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
- pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
- pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
- pthread_join(th[0], 0);
- pthread_join(th[1], 0);
- pthread_join(th[2], 0);
- pthread_join(th[3], 0);
- return 0;
- }
-
-Build as:
-
- cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
-
-Run as:
-
- while keyctl-race; do :; done
-
-as it may need several iterations to crash the kernel. The crash can be
-summarised as:
-
- BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
- IP: [<ffffffff81279b08>] user_read+0x56/0xa3
- ...
- Call Trace:
- [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
- [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
- [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- security/keys/keyctl.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -688,16 +688,16 @@ long keyctl_read_key(key_serial_t keyid,
-
- /* the key is probably readable - now try to read it */
- can_read_key:
-- ret = key_validate(key);
-- if (ret == 0) {
-- ret = -EOPNOTSUPP;
-- if (key->type->read) {
-- /* read the data with the semaphore held (since we
-- * might sleep) */
-- down_read(&key->sem);
-+ ret = -EOPNOTSUPP;
-+ if (key->type->read) {
-+ /* Read the data with the semaphore held (since we might sleep)
-+ * to protect against the key being updated or revoked.
-+ */
-+ down_read(&key->sem);
-+ ret = key_validate(key);
-+ if (ret == 0)
- ret = key->type->read(key, buffer, buflen);
-- up_read(&key->sem);
-- }
-+ up_read(&key->sem);
- }
-
- error2:
diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch
deleted file mode 100644
index 4431f69..0000000
--- a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Date: Mon, 14 Dec 2015 22:03:39 +0100
-Subject: net: add validation for the socket syscall protocol argument
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9
-
-郭永刚 reported that one could simply crash the kernel as root by
-using a simple program:
-
- int socket_fd;
- struct sockaddr_in addr;
- addr.sin_port = 0;
- addr.sin_addr.s_addr = INADDR_ANY;
- addr.sin_family = 10;
-
- socket_fd = socket(10,3,0x40000000);
- connect(socket_fd , &addr,16);
-
-AF_INET, AF_INET6 sockets actually only support 8-bit protocol
-identifiers. inet_sock's skc_protocol field thus is sized accordingly,
-thus larger protocol identifiers simply cut off the higher bits and
-store a zero in the protocol fields.
-
-This could lead to e.g. NULL function pointer because as a result of
-the cut off inet_num is zero and we call down to inet_autobind, which
-is NULL for raw sockets.
-
-kernel: Call Trace:
-kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
-kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
-kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
-kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
-kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
-kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
-kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
-
-I found no particular commit which introduced this problem.
-
-CVE: CVE-2015-8543
-Cc: Cong Wang <cwang at twopensource.com>
-Reported-by: 郭永刚 <guoyonggang at 360.cn>
-Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: open-code U8_MAX]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- include/net/sock.h | 1 +
- net/ax25/af_ax25.c | 3 +++
- net/decnet/af_decnet.c | 3 +++
- net/ipv4/af_inet.c | 3 +++
- net/ipv6/af_inet6.c | 3 +++
- net/irda/af_irda.c | 3 +++
- 6 files changed, 16 insertions(+)
-
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -302,6 +302,7 @@ struct sock {
- sk_no_check : 2,
- sk_userlocks : 4,
- sk_protocol : 8,
-+#define SK_PROTOCOL_MAX ((u8)~0U)
- sk_type : 16;
- kmemcheck_bitfield_end(flags);
- int sk_wmem_queued;
---- a/net/ax25/af_ax25.c
-+++ b/net/ax25/af_ax25.c
-@@ -806,6 +806,9 @@ static int ax25_create(struct net *net,
- struct sock *sk;
- ax25_cb *ax25;
-
-+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+ return -EINVAL;
-+
- if (!net_eq(net, &init_net))
- return -EAFNOSUPPORT;
-
---- a/net/decnet/af_decnet.c
-+++ b/net/decnet/af_decnet.c
-@@ -681,6 +681,9 @@ static int dn_create(struct net *net, st
- {
- struct sock *sk;
-
-+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+ return -EINVAL;
-+
- if (!net_eq(net, &init_net))
- return -EAFNOSUPPORT;
-
---- a/net/ipv4/af_inet.c
-+++ b/net/ipv4/af_inet.c
-@@ -279,6 +279,9 @@ static int inet_create(struct net *net,
- int try_loading_module = 0;
- int err;
-
-+ if (protocol < 0 || protocol >= IPPROTO_MAX)
-+ return -EINVAL;
-+
- if (unlikely(!inet_ehash_secret))
- if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
- build_ehash_secret();
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
- int try_loading_module = 0;
- int err;
-
-+ if (protocol < 0 || protocol >= IPPROTO_MAX)
-+ return -EINVAL;
-+
- if (sock->type != SOCK_RAW &&
- sock->type != SOCK_DGRAM &&
- !inet_ehash_secret)
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -1106,6 +1106,9 @@ static int irda_create(struct net *net,
-
- IRDA_DEBUG(2, "%s()\n", __func__);
-
-+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+ return -EINVAL;
-+
- if (net != &init_net)
- return -EAFNOSUPPORT;
-
diff --git a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch b/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
deleted file mode 100644
index 377a3bd..0000000
--- a/debian/patches/bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:22:53 +0000
-Subject: ppp, slip: Validate VJ compression slot parameters completely
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae
-
-Currently slhc_init() treats out-of-range values of rslots and tslots
-as equivalent to 0, except that if tslots is too large it will
-dereference a null pointer (CVE-2015-7799).
-
-Add a range-check at the top of the function and make it return an
-ERR_PTR() on error instead of NULL. Change the callers accordingly.
-
-Compile-tested only.
-
-Reported-by: 郭永刚 <guoyonggang at 360.cn>
-References: http://article.gmane.org/gmane.comp.security.oss.general/17908
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust indentation]
----
- drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
- drivers/net/ppp/ppp_generic.c | 6 ++----
- drivers/net/slip/slhc.c | 12 ++++++++----
- drivers/net/slip/slip.c | 2 +-
- 4 files changed, 15 insertions(+), 15 deletions(-)
-
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-- if (!is->slcomp) {
-+ if (IS_ERR(is->slcomp)) {
- isdn_ppp_ccp_reset_free(is);
-- return -ENOMEM;
-+ return PTR_ERR(is->slcomp);
- }
- #endif
- #ifdef CONFIG_IPPP_FILTER
-@@ -574,10 +574,8 @@ isdn_ppp_ioctl(int min, struct file *fil
- is->maxcid = val;
- #ifdef CONFIG_ISDN_PPP_VJ
- sltmp = slhc_init(16, val);
-- if (!sltmp) {
-- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
-- return -ENOMEM;
-- }
-+ if (IS_ERR(sltmp))
-+ return PTR_ERR(sltmp);
- if (is->slcomp)
- slhc_free(is->slcomp);
- is->slcomp = sltmp;
---- a/drivers/net/ppp/ppp_generic.c
-+++ b/drivers/net/ppp/ppp_generic.c
-@@ -703,10 +703,8 @@ static long ppp_ioctl(struct file *file,
- val &= 0xffff;
- }
- vj = slhc_init(val2+1, val+1);
-- if (!vj) {
-- netdev_err(ppp->dev,
-- "PPP: no memory (VJ compressor)\n");
-- err = -ENOMEM;
-+ if (IS_ERR(vj)) {
-+ err = PTR_ERR(vj);
- break;
- }
- ppp_lock(ppp);
---- a/drivers/net/slip/slhc.c
-+++ b/drivers/net/slip/slhc.c
-@@ -85,8 +85,9 @@ static long decode(unsigned char **cpp);
- static unsigned char * put16(unsigned char *cp, unsigned short x);
- static unsigned short pull16(unsigned char **cpp);
-
--/* Initialize compression data structure
-+/* Allocate compression data structure
- * slots must be in range 0 to 255 (zero meaning no compression)
-+ * Returns pointer to structure or ERR_PTR() on error.
- */
- struct slcompress *
- slhc_init(int rslots, int tslots)
-@@ -95,11 +96,14 @@ slhc_init(int rslots, int tslots)
- register struct cstate *ts;
- struct slcompress *comp;
-
-+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
-+ return ERR_PTR(-EINVAL);
-+
- comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
- if (! comp)
- goto out_fail;
-
-- if ( rslots > 0 && rslots < 256 ) {
-+ if (rslots > 0) {
- size_t rsize = rslots * sizeof(struct cstate);
- comp->rstate = kzalloc(rsize, GFP_KERNEL);
- if (! comp->rstate)
-@@ -107,7 +111,7 @@ slhc_init(int rslots, int tslots)
- comp->rslot_limit = rslots - 1;
- }
-
-- if ( tslots > 0 && tslots < 256 ) {
-+ if (tslots > 0) {
- size_t tsize = tslots * sizeof(struct cstate);
- comp->tstate = kzalloc(tsize, GFP_KERNEL);
- if (! comp->tstate)
-@@ -142,7 +146,7 @@ out_free2:
- out_free:
- kfree(comp);
- out_fail:
-- return NULL;
-+ return ERR_PTR(-ENOMEM);
- }
-
-
---- a/drivers/net/slip/slip.c
-+++ b/drivers/net/slip/slip.c
-@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl
- if (cbuff == NULL)
- goto err_exit;
- slcomp = slhc_init(16, 16);
-- if (slcomp == NULL)
-+ if (IS_ERR(slcomp))
- goto err_exit;
- #endif
- spin_lock_bh(&sl->lock);
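Review bot: Dropping this patch is only safe if the rebased tree carries all of it, because it changes the slhc_init() failure convention from NULL to ERR_PTR() and converts the callers in isdn_ppp.c, ppp_generic.c and slip.c in the same change; a caller left testing for NULL would treat an ERR_PTR() as a valid pointer. Its first isdn_ppp.c hunk also rewrites the `if (!is->slcomp)` check introduced by the isdn_ppp allocation-failure patch that this commit removes as well, so both must be present upstream; please confirm by checking every slhc_init() caller in the 3.2.76 tree.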
diff --git a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch b/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
deleted file mode 100644
index 3c8b7bf..0000000
--- a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Mon, 14 Dec 2015 13:48:36 -0800
-Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
-Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1
-
-Reported-by: Dmitry Vyukov <dvyukov at gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/net/ppp/pptp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock
- struct pptp_opt *opt = &po->proto.pptp;
- int error = 0;
-
-+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+ return -EINVAL;
-+
- lock_sock(sk);
-
- opt->src_addr = sp->sa_addr.pptp;
-@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *s
- struct flowi4 fl4;
- int error = 0;
-
-+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+ return -EINVAL;
-+
- if (sp->sa_protocol != PX_PROTO_PPTP)
- return -EINVAL;
-
diff --git a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch b/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
deleted file mode 100644
index c54d253..0000000
--- a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
-Subject: RDS: fix race condition when sending a message on unbound socket.
-Date: Fri, 16 Oct 2015 17:11:42 +0200
-Origin: https://lkml.org/lkml/2015/10/16/530
-
-Sasha's found a NULL pointer dereference in the RDS connection code when
-sending a message to an apparently unbound socket. The problem is caused
-by the code checking if the socket is bound in rds_sendmsg(), which checks
-the rs_bound_addr field without taking a lock on the socket. This opens a
-race where rs_bound_addr is temporarily set but where the transport is not
-in rds_bind(), leading to a NULL pointer dereference when trying to
-dereference 'trans' in __rds_conn_create().
-
-Vegard wrote a reproducer for this issue, so kindly ask him to share if
-you're interested.
-
-I cannot reproduce the NULL pointer dereference using Vegard's reproducer
-with this patch, whereas I could without.
-
-Complete earlier incomplete fix to CVE-2015-6937:
-
- 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
-
-Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
-Reviewed-by: Vegard Nossum <vegard.nossum at oracle.com>
-Reviewed-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: Vegard Nossum <vegard.nossum at oracle.com>
-Cc: Sasha Levin <sasha.levin at oracle.com>
-Cc: Chien Yen <chien.yen at oracle.com>
-Cc: Santosh Shilimkar <santosh.shilimkar at oracle.com>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: stable at vger.kernel.org
----
- net/rds/connection.c | 6 ------
- net/rds/send.c | 4 +++-
- 2 files changed, 3 insertions(+), 7 deletions(-)
-
---- a/net/rds/connection.c
-+++ b/net/rds/connection.c
-@@ -178,12 +178,6 @@ static struct rds_connection *__rds_conn
- }
- }
-
-- if (trans == NULL) {
-- kmem_cache_free(rds_conn_slab, conn);
-- conn = ERR_PTR(-ENODEV);
-- goto out;
-- }
--
- conn->c_trans = trans;
-
- ret = trans->conn_alloc(conn, gfp);
---- a/net/rds/send.c
-+++ b/net/rds/send.c
-@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
- release_sock(sk);
- }
-
-- /* racing with another thread binding seems ok here */
-+ lock_sock(sk);
- if (daddr == 0 || rs->rs_bound_addr == 0) {
-+ release_sock(sk);
- ret = -ENOTCONN; /* XXX not a great errno */
- goto out;
- }
-+ release_sock(sk);
-
- /* size of rm including all sgs */
- ret = rds_rm_size(msg, payload_len);
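Review bot: The Origin of this dropped patch is an lkml posting (https://lkml.org/lkml/2015/10/16/530) rather than a git.kernel.org commit like the other removed patches, and the only RDS item in the new changelog entry is a different fix (RDS-TCP pskb_pull() recovery), so "included upstream" cannot be confirmed from what is shown here. Please name the 3.2.y commit that adds the lock_sock()/release_sock() pair around the rs_bound_addr check in rds_sendmsg(), since the patch header describes it as completing the CVE-2015-6937 fix.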
diff --git a/debian/patches/bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch b/debian/patches/bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
deleted file mode 100644
index 391e135..0000000
--- a/debian/patches/bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sat, 02 Jan 2016 01:11:55 +0000
-Subject: Revert "net: add length argument to skb_copy_and_csum_datagram_iovec"
-Bug-Debian: https://bugs.debian.org/808293
-
-This reverts commit 127500d724f8c43f452610c9080444eedb5eaa6c. That fixed
-the problem of buffer over-reads introduced by backporting commit
-89c22d8c3b27 ("net: Fix skb csum races when peeking"), but resulted in
-incorrect checksumming for short reads. It will be replaced with a
-complete fix.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/linux/skbuff.h
-+++ b/include/linux/skbuff.h
-@@ -2134,8 +2134,7 @@ extern int skb_copy_datagram_iove
- int size);
- extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
- int hlen,
-- struct iovec *iov,
-- int len);
-+ struct iovec *iov);
- extern int skb_copy_datagram_from_iovec(struct sk_buff *skb,
- int offset,
- const struct iovec *from,
---- a/net/core/datagram.c
-+++ b/net/core/datagram.c
-@@ -709,7 +709,6 @@ EXPORT_SYMBOL(__skb_checksum_complete);
- * @skb: skbuff
- * @hlen: hardware length
- * @iov: io vector
-- * @len: amount of data to copy from skb to iov
- *
- * Caller _must_ check that skb will fit to this iovec.
- *
-@@ -719,14 +718,11 @@ EXPORT_SYMBOL(__skb_checksum_complete);
- * can be modified!
- */
- int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
-- int hlen, struct iovec *iov, int len)
-+ int hlen, struct iovec *iov)
- {
- __wsum csum;
- int chunk = skb->len - hlen;
-
-- if (chunk > len)
-- chunk = len;
--
- if (!chunk)
- return 0;
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -5198,7 +5198,7 @@ static int tcp_copy_to_iovec(struct sock
- err = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);
- else
- err = skb_copy_and_csum_datagram_iovec(skb, hlen,
-- tp->ucopy.iov, chunk);
-+ tp->ucopy.iov);
-
- if (!err) {
- tp->ucopy.len -= chunk;
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1207,7 +1207,7 @@ try_again:
- else {
- err = skb_copy_and_csum_datagram_iovec(skb,
- sizeof(struct udphdr),
-- msg->msg_iov, copied);
-+ msg->msg_iov);
-
- if (err == -EINVAL)
- goto csum_copy_err;
---- a/net/ipv6/raw.c
-+++ b/net/ipv6/raw.c
-@@ -479,7 +479,7 @@ static int rawv6_recvmsg(struct kiocb *i
- goto csum_copy_err;
- err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
- } else {
-- err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied);
-+ err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov);
- if (err == -EINVAL)
- goto csum_copy_err;
- }
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -383,8 +383,7 @@ try_again:
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied );
- else {
-- err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
-- msg->msg_iov, copied);
-+ err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov);
- if (err == -EINVAL)
- goto csum_copy_err;
- }
---- a/net/rxrpc/ar-recvmsg.c
-+++ b/net/rxrpc/ar-recvmsg.c
-@@ -185,8 +185,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, st
- msg->msg_iov, copy);
- } else {
- ret = skb_copy_and_csum_datagram_iovec(skb, offset,
-- msg->msg_iov,
-- copy);
-+ msg->msg_iov);
- if (ret == -EINVAL)
- goto csum_copy_error;
- }
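Review bot: the header of this dropped patch carries only a Bug-Debian: line and no Origin:, so nothing here identifies the 3.2.y commit that makes it redundant, and its own message says the revert "will be replaced with a complete fix". Suggest naming the superseding upstream commit in debian/changelog. The revert also removes the `if (chunk > len) chunk = len;` clamp from skb_copy_and_csum_datagram_iovec(), which puts the function back on the "Caller _must_ check that skb will fit to this iovec" contract at all five call sites touched here (tcp_input.c, ipv4/udp.c, ipv6/raw.c, ipv6/udp.c, rxrpc/ar-recvmsg.c). It is worth confirming that the updated tree handles short buffers at each of them.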
diff --git a/debian/patches/bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch b/debian/patches/bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
deleted file mode 100644
index eaa9596..0000000
--- a/debian/patches/bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From: Christophe Leroy <christophe.leroy at c-s.fr>
-Date: Wed, 6 May 2015 17:26:47 +0200
-Subject: splice: sendfile() at once fails for big files
-Bug-Debian: https://bugs.debian.org/785189
-Origin: https://git.kernel.org/linus/0ff28d9f4674d781e492bcff6f32f0fe48cf0fed
-
-Using sendfile with below small program to get MD5 sums of some files,
-it appear that big files (over 64kbytes with 4k pages system) get a
-wrong MD5 sum while small files get the correct sum.
-This program uses sendfile() to send a file to an AF_ALG socket
-for hashing.
-
-/* md5sum2.c */
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <linux/if_alg.h>
-
-int main(int argc, char **argv)
-{
- int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
- struct stat st;
- struct sockaddr_alg sa = {
- .salg_family = AF_ALG,
- .salg_type = "hash",
- .salg_name = "md5",
- };
- int n;
-
- bind(sk, (struct sockaddr*)&sa, sizeof(sa));
-
- for (n = 1; n < argc; n++) {
- int size;
- int offset = 0;
- char buf[4096];
- int fd;
- int sko;
- int i;
-
- fd = open(argv[n], O_RDONLY);
- sko = accept(sk, NULL, 0);
- fstat(fd, &st);
- size = st.st_size;
- sendfile(sko, fd, &offset, size);
- size = read(sko, buf, sizeof(buf));
- for (i = 0; i < size; i++)
- printf("%2.2x", buf[i]);
- printf(" %s\n", argv[n]);
- close(fd);
- close(sko);
- }
- exit(0);
-}
-
-Test below is done using official linux patch files. First result is
-with a software based md5sum. Second result is with the program above.
-
-root at vgoip:~# ls -l patch-3.6.*
--rw-r--r-- 1 root root 64011 Aug 24 12:01 patch-3.6.2.gz
--rw-r--r-- 1 root root 94131 Aug 24 12:01 patch-3.6.3.gz
-
-root at vgoip:~# md5sum patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
-c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
-
-root at vgoip:~# ./md5sum2 patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
-5fd77b24e68bb24dcc72d6e57c64790e patch-3.6.3.gz
-
-After investivation, it appears that sendfile() sends the files by blocks
-of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
-block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
-is reset as if it was the end of the file.
-
-This patch adds SPLICE_F_MORE to the flags when more data is pending.
-
-With the patch applied, we get the correct sums:
-
-root at vgoip:~# md5sum patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
-c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
-
-root at vgoip:~# ./md5sum2 patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
-c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
-
-Signed-off-by: Christophe Leroy <christophe.leroy at c-s.fr>
-Signed-off-by: Jens Axboe <axboe at fb.com>
----
- fs/splice.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
---- a/fs/splice.c
-+++ b/fs/splice.c
-@@ -1189,7 +1189,7 @@ ssize_t splice_direct_to_actor(struct fi
- long ret, bytes;
- umode_t i_mode;
- size_t len;
-- int i, flags;
-+ int i, flags, more;
-
- /*
- * We require the input being a regular file, as we don't want to
-@@ -1232,6 +1232,7 @@ ssize_t splice_direct_to_actor(struct fi
- * Don't block on output, we have to drain the direct pipe.
- */
- sd->flags &= ~SPLICE_F_NONBLOCK;
-+ more = sd->flags & SPLICE_F_MORE;
-
- while (len) {
- size_t read_len;
-@@ -1245,6 +1246,15 @@ ssize_t splice_direct_to_actor(struct fi
- sd->total_len = read_len;
-
- /*
-+ * If more data is pending, set SPLICE_F_MORE
-+ * If this is the last data and SPLICE_F_MORE was not set
-+ * initially, clears it.
-+ */
-+ if (read_len < len)
-+ sd->flags |= SPLICE_F_MORE;
-+ else if (!more)
-+ sd->flags &= ~SPLICE_F_MORE;
-+ /*
- * NOTE: nonblocking mode only applies to the input. We
- * must not do the output in nonblocking mode as then we
- * could get stuck data in the internal pipe:
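Review bot: in the last fs/splice.c hunk, SPLICE_F_MORE is decided by `read_len < len`, which compares the requested chunk size against the remaining count, not the number of bytes actually read. If the input ends before len is consumed (the caller asked for more than the file holds), the final chunk would still carry SPLICE_F_MORE, and a consumer like the AF_ALG hash socket in the commit message would not see it as the end of the data. Suggest re-evaluating the flag after the read, or documenting that len must not exceed the file size.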
diff --git a/debian/patches/bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch b/debian/patches/bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
deleted file mode 100644
index f910fd8..0000000
--- a/debian/patches/bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 30 Dec 2015 08:51:12 -0500
-Subject: udp: properly support MSG_PEEK with truncated buffers
-Bug-Debian: https://bugs.debian.org/808293
-Origin: http://article.gmane.org/gmane.linux.kernel.stable/159132
-
-Backport of this upstream commit into stable kernels :
-89c22d8c3b27 ("net: Fix skb csum races when peeking")
-exposed a bug in udp stack vs MSG_PEEK support, when user provides
-a buffer smaller than skb payload.
-
-In this case,
-skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov);
-returns -EFAULT.
-
-This bug does not happen in upstream kernels since Al Viro did a great
-job to replace this into :
-skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
-This variant is safe vs short buffers.
-
-For the time being, instead reverting Herbert Xu patch and add back
-skb->ip_summed invalid changes, simply store the result of
-udp_lib_checksum_complete() so that we avoid computing the checksum a
-second time, and avoid the problematic
-skb_copy_and_csum_datagram_iovec() call.
-
-This patch can be applied on recent kernels as it avoids a double
-checksumming, then backported to stable kernels as a bug fix.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/ipv4/udp.c | 6 ++++--
- net/ipv6/udp.c | 6 ++++--
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1172,6 +1172,7 @@ int udp_recvmsg(struct kiocb *iocb, stru
- int peeked;
- int err;
- int is_udplite = IS_UDPLITE(sk);
-+ bool checksum_valid = false;
- bool slow;
-
- if (flags & MSG_ERRQUEUE)
-@@ -1197,11 +1198,12 @@ try_again:
- */
-
- if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
-- if (udp_lib_checksum_complete(skb))
-+ checksum_valid = !udp_lib_checksum_complete(skb);
-+ if (!checksum_valid)
- goto csum_copy_err;
- }
-
-- if (skb_csum_unnecessary(skb))
-+ if (checksum_valid || skb_csum_unnecessary(skb))
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied);
- else {
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -344,6 +344,7 @@ int udpv6_recvmsg(struct kiocb *iocb, st
- int peeked;
- int err;
- int is_udplite = IS_UDPLITE(sk);
-+ bool checksum_valid = false;
- int is_udp4;
- bool slow;
-
-@@ -375,11 +376,12 @@ try_again:
- */
-
- if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
-- if (udp_lib_checksum_complete(skb))
-+ checksum_valid = !udp_lib_checksum_complete(skb);
-+ if (!checksum_valid)
- goto csum_copy_err;
- }
-
-- if (skb_csum_unnecessary(skb))
-+ if (checksum_valid || skb_csum_unnecessary(skb))
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied );
- else {
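Review bot: checksum_valid is initialised only at its declaration, which sits above the try_again: label in both udp_recvmsg() and udpv6_recvmsg(), so any pass that re-enters at that label starts with the value the previous pass left behind. In the visible lines the flag is false whenever control goes to csum_copy_err, so nothing stale is carried today. Resetting it immediately after try_again: would keep a later change from skipping checksum verification on a different skb.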
diff --git a/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch b/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
deleted file mode 100644
index 05fab4e..0000000
--- a/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+++ /dev/null
@@ -1,325 +0,0 @@
-From: Rainer Weikusat <rweikusat at mobileactivedefense.com>
-Date: Fri, 20 Nov 2015 22:07:23 +0000
-Subject: unix: avoid use-after-free in ep_remove_wait_queue
-Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git//commit?id=7d267278a9ece963d77eefec61630223fce08c6c
-
-Rainer Weikusat <rweikusat at mobileactivedefense.com> writes:
-An AF_UNIX datagram socket being the client in an n:1 association with
-some server socket is only allowed to send messages to the server if the
-receive queue of this socket contains at most sk_max_ack_backlog
-datagrams. This implies that prospective writers might be forced to go
-to sleep despite none of the message presently enqueued on the server
-receive queue were sent by them. In order to ensure that these will be
-woken up once space becomes again available, the present unix_dgram_poll
-routine does a second sock_poll_wait call with the peer_wait wait queue
-of the server socket as queue argument (unix_dgram_recvmsg does a wake
-up on this queue after a datagram was received). This is inherently
-problematic because the server socket is only guaranteed to remain alive
-for as long as the client still holds a reference to it. In case the
-connection is dissolved via connect or by the dead peer detection logic
-in unix_dgram_sendmsg, the server socket may be freed despite "the
-polling mechanism" (in particular, epoll) still has a pointer to the
-corresponding peer_wait queue. There's no way to forcibly deregister a
-wait queue with epoll.
-
-Based on an idea by Jason Baron, the patch below changes the code such
-that a wait_queue_t belonging to the client socket is enqueued on the
-peer_wait queue of the server whenever the peer receive queue full
-condition is detected by either a sendmsg or a poll. A wake up on the
-peer queue is then relayed to the ordinary wait queue of the client
-socket via wake function. The connection to the peer wait queue is again
-dissolved if either a wake up is about to be relayed or the client
-socket reconnects or a dead peer is detected or the client socket is
-itself closed. This enables removing the second sock_poll_wait from
-unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
-that no blocked writer sleeps forever.
-
-Signed-off-by: Rainer Weikusat <rweikusat at mobileactivedefense.com>
-Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
-Reviewed-by: Jason Baron <jbaron at akamai.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- include/net/af_unix.h | 1 +
- net/unix/af_unix.c | 183 ++++++++++++++++++++++++++++++++++++++++++++------
- 2 files changed, 165 insertions(+), 19 deletions(-)
-
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -58,6 +58,7 @@ struct unix_sock {
- unsigned int gc_maybe_cycle : 1;
- unsigned char recursion_level;
- struct socket_wq peer_wq;
-+ wait_queue_t peer_wake;
- };
- #define unix_sk(__sk) ((struct unix_sock *)__sk)
-
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -303,6 +303,118 @@ found:
- return s;
- }
-
-+/* Support code for asymmetrically connected dgram sockets
-+ *
-+ * If a datagram socket is connected to a socket not itself connected
-+ * to the first socket (eg, /dev/log), clients may only enqueue more
-+ * messages if the present receive queue of the server socket is not
-+ * "too large". This means there's a second writeability condition
-+ * poll and sendmsg need to test. The dgram recv code will do a wake
-+ * up on the peer_wait wait queue of a socket upon reception of a
-+ * datagram which needs to be propagated to sleeping would-be writers
-+ * since these might not have sent anything so far. This can't be
-+ * accomplished via poll_wait because the lifetime of the server
-+ * socket might be less than that of its clients if these break their
-+ * association with it or if the server socket is closed while clients
-+ * are still connected to it and there's no way to inform "a polling
-+ * implementation" that it should let go of a certain wait queue
-+ *
-+ * In order to propagate a wake up, a wait_queue_t of the client
-+ * socket is enqueued on the peer_wait queue of the server socket
-+ * whose wake function does a wake_up on the ordinary client socket
-+ * wait queue. This connection is established whenever a write (or
-+ * poll for write) hit the flow control condition and broken when the
-+ * association to the server socket is dissolved or after a wake up
-+ * was relayed.
-+ */
-+
-+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
-+ void *key)
-+{
-+ struct unix_sock *u;
-+ wait_queue_head_t *u_sleep;
-+
-+ u = container_of(q, struct unix_sock, peer_wake);
-+
-+ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
-+ q);
-+ u->peer_wake.private = NULL;
-+
-+ /* relaying can only happen while the wq still exists */
-+ u_sleep = sk_sleep(&u->sk);
-+ if (u_sleep)
-+ wake_up_interruptible_poll(u_sleep, key);
-+
-+ return 0;
-+}
-+
-+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
-+{
-+ struct unix_sock *u, *u_other;
-+ int rc;
-+
-+ u = unix_sk(sk);
-+ u_other = unix_sk(other);
-+ rc = 0;
-+ spin_lock(&u_other->peer_wait.lock);
-+
-+ if (!u->peer_wake.private) {
-+ u->peer_wake.private = other;
-+ __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
-+
-+ rc = 1;
-+ }
-+
-+ spin_unlock(&u_other->peer_wait.lock);
-+ return rc;
-+}
-+
-+static void unix_dgram_peer_wake_disconnect(struct sock *sk,
-+ struct sock *other)
-+{
-+ struct unix_sock *u, *u_other;
-+
-+ u = unix_sk(sk);
-+ u_other = unix_sk(other);
-+ spin_lock(&u_other->peer_wait.lock);
-+
-+ if (u->peer_wake.private == other) {
-+ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
-+ u->peer_wake.private = NULL;
-+ }
-+
-+ spin_unlock(&u_other->peer_wait.lock);
-+}
-+
-+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
-+ struct sock *other)
-+{
-+ unix_dgram_peer_wake_disconnect(sk, other);
-+ wake_up_interruptible_poll(sk_sleep(sk),
-+ POLLOUT |
-+ POLLWRNORM |
-+ POLLWRBAND);
-+}
-+
-+/* preconditions:
-+ * - unix_peer(sk) == other
-+ * - association is stable
-+ */
-+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
-+{
-+ int connected;
-+
-+ connected = unix_dgram_peer_wake_connect(sk, other);
-+
-+ if (unix_recvq_full(other))
-+ return 1;
-+
-+ if (connected)
-+ unix_dgram_peer_wake_disconnect(sk, other);
-+
-+ return 0;
-+}
-+
- static inline int unix_writable(struct sock *sk)
- {
- return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
-@@ -409,6 +521,8 @@ static void unix_release_sock(struct soc
- skpair->sk_state_change(skpair);
- sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
- }
-+
-+ unix_dgram_peer_wake_disconnect(sk, skpair);
- sock_put(skpair); /* It may now die */
- unix_peer(sk) = NULL;
- }
-@@ -630,6 +744,7 @@ static struct sock *unix_create1(struct
- INIT_LIST_HEAD(&u->link);
- mutex_init(&u->readlock); /* single task reading lock */
- init_waitqueue_head(&u->peer_wait);
-+ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
- unix_insert_socket(unix_sockets_unbound, sk);
- out:
- if (sk == NULL)
-@@ -1005,6 +1120,8 @@ restart:
- if (unix_peer(sk)) {
- struct sock *old_peer = unix_peer(sk);
- unix_peer(sk) = other;
-+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
-+
- unix_state_double_unlock(sk, other);
-
- if (other != old_peer)
-@@ -1444,6 +1561,7 @@ static int unix_dgram_sendmsg(struct kio
- long timeo;
- struct scm_cookie tmp_scm;
- int max_level;
-+ int sk_locked;
-
- if (NULL == siocb->scm)
- siocb->scm = &tmp_scm;
-@@ -1512,12 +1630,14 @@ restart:
- goto out_free;
- }
-
-+ sk_locked = 0;
- unix_state_lock(other);
-+restart_locked:
- err = -EPERM;
- if (!unix_may_send(sk, other))
- goto out_unlock;
-
-- if (sock_flag(other, SOCK_DEAD)) {
-+ if (unlikely(sock_flag(other, SOCK_DEAD))) {
- /*
- * Check with 1003.1g - what should
- * datagram error
-@@ -1525,10 +1645,14 @@ restart:
- unix_state_unlock(other);
- sock_put(other);
-
-+ if (!sk_locked)
-+ unix_state_lock(sk);
-+
- err = 0;
-- unix_state_lock(sk);
- if (unix_peer(sk) == other) {
- unix_peer(sk) = NULL;
-+ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
-+
- unix_state_unlock(sk);
-
- unix_dgram_disconnected(sk, other);
-@@ -1554,21 +1678,38 @@ restart:
- goto out_unlock;
- }
-
-- if (unix_peer(other) != sk && unix_recvq_full(other)) {
-- if (!timeo) {
-- err = -EAGAIN;
-- goto out_unlock;
-+ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
-+ if (timeo) {
-+ timeo = unix_wait_for_peer(other, timeo);
-+
-+ err = sock_intr_errno(timeo);
-+ if (signal_pending(current))
-+ goto out_free;
-+
-+ goto restart;
- }
-
-- timeo = unix_wait_for_peer(other, timeo);
-+ if (!sk_locked) {
-+ unix_state_unlock(other);
-+ unix_state_double_lock(sk, other);
-+ }
-
-- err = sock_intr_errno(timeo);
-- if (signal_pending(current))
-- goto out_free;
-+ if (unix_peer(sk) != other ||
-+ unix_dgram_peer_wake_me(sk, other)) {
-+ err = -EAGAIN;
-+ sk_locked = 1;
-+ goto out_unlock;
-+ }
-
-- goto restart;
-+ if (!sk_locked) {
-+ sk_locked = 1;
-+ goto restart_locked;
-+ }
- }
-
-+ if (unlikely(sk_locked))
-+ unix_state_unlock(sk);
-+
- if (sock_flag(other, SOCK_RCVTSTAMP))
- __net_timestamp(skb);
- maybe_add_creds(skb, sock, other);
-@@ -1582,6 +1723,8 @@ restart:
- return len;
-
- out_unlock:
-+ if (sk_locked)
-+ unix_state_unlock(sk);
- unix_state_unlock(other);
- out_free:
- kfree_skb(skb);
-@@ -2186,14 +2329,16 @@ static unsigned int unix_dgram_poll(stru
- return mask;
-
- writable = unix_writable(sk);
-- other = unix_peer_get(sk);
-- if (other) {
-- if (unix_peer(other) != sk) {
-- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
-- if (unix_recvq_full(other))
-- writable = 0;
-- }
-- sock_put(other);
-+ if (writable) {
-+ unix_state_lock(sk);
-+
-+ other = unix_peer(sk);
-+ if (other && unix_peer(other) != sk &&
-+ unix_recvq_full(other) &&
-+ unix_dgram_peer_wake_me(sk, other))
-+ writable = 0;
-+
-+ unix_state_unlock(sk);
- }
-
- if (writable)
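Review bot: unix_dgram_peer_wake_disconnect_wakeup() passes sk_sleep(sk) straight to wake_up_interruptible_poll(), while unix_dgram_peer_wake_relay() checks the same pointer for NULL first ("relaying can only happen while the wq still exists"). Either add the check there too, or add a comment saying why the wait queue is guaranteed to exist on the reconnect and dead-peer paths that call it. Separately, unix_dgram_peer_wake_relay() calls __remove_wait_queue() and clears peer_wake.private without taking peer_wait.lock itself, whereas the connect and disconnect helpers take it explicitly. A one-line comment stating that the relay runs under the waker's peer_wait.lock would document the rule all three depend on.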
diff --git a/debian/patches/bugfix/all/xen-add-ring_copy_request.patch b/debian/patches/bugfix/all/xen-add-ring_copy_request.patch
deleted file mode 100644
index 51e9546..0000000
--- a/debian/patches/bugfix/all/xen-add-ring_copy_request.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: David Vrabel <david.vrabel at citrix.com>
-Date: Fri, 30 Oct 2015 14:58:08 +0000
-Subject: [1/7] xen: Add RING_COPY_REQUEST()
-Origin: https://git.kernel.org/linus/454d5d882c7e412b840e3c99010fe81a9862f6fb
-
-Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly
-(i.e., by not considering that the other end may alter the data in the
-shared ring while it is being inspected). Safe usage of a request
-generally requires taking a local copy.
-
-Provide a RING_COPY_REQUEST() macro to use instead of
-RING_GET_REQUEST() and an open-coded memcpy(). This takes care of
-ensuring that the copy is done correctly regardless of any possible
-compiler optimizations.
-
-Use a volatile source to prevent the compiler from reordering or
-omitting the copy.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- include/xen/interface/io/ring.h | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
-index 7d28aff..7dc685b4 100644
---- a/include/xen/interface/io/ring.h
-+++ b/include/xen/interface/io/ring.h
-@@ -181,6 +181,20 @@ struct __name##_back_ring { \
- #define RING_GET_REQUEST(_r, _idx) \
- (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
-
-+/*
-+ * Get a local copy of a request.
-+ *
-+ * Use this in preference to RING_GET_REQUEST() so all processing is
-+ * done on a local copy that cannot be modified by the other end.
-+ *
-+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
-+ * to be ineffective where _req is a struct which consists of only bitfields.
-+ */
-+#define RING_COPY_REQUEST(_r, _idx, _req) do { \
-+ /* Use volatile to force the copy into _req. */ \
-+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
-+} while (0)
-+
- #define RING_GET_RESPONSE(_r, _idx) \
- (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
-
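Review bot: the comment on RING_COPY_REQUEST() says the copy may be ineffective when _req is a struct consisting only of bitfields (gcc bug 58145), but nothing in the macro detects or rejects that case. Suggest either a build-time check or a note alongside each converted caller that its request type is not bitfield-only. The `typeof(_req)` cast also means _req must be a pointer to the ring's own request type, so a sentence on the expected argument type in the comment would help anyone adding new callers.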
diff --git a/debian/patches/bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch b/debian/patches/bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch
deleted file mode 100644
index c28f1ae..0000000
--- a/debian/patches/bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau at citrix.com>
-Date: Tue, 3 Nov 2015 16:34:09 +0000
-Subject: [4/7] xen-blkback: only read request operation from shared ring once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/1f13d75ccb806260079e0679d55d9253e370ec8a
-
-A compiler may load a switch statement value multiple times, which could
-be bad when the value is in memory shared with the frontend.
-
-When converting a non-native request to a native one, ensure that
-src->operation is only loaded once by using READ_ONCE().
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-[bwh: Backported to 3.2:
- - s/READ_ONCE/ACCESS_ONCE/
- - Adjust context]
----
- drivers/block/xen-blkback/common.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/block/xen-blkback/common.h
-+++ b/drivers/block/xen-blkback/common.h
-@@ -238,11 +238,11 @@ static inline void blkif_get_x86_32_req(
- struct blkif_x86_32_request *src)
- {
- int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST;
-- dst->operation = src->operation;
-+ dst->operation = ACCESS_ONCE(src->operation);
- dst->nr_segments = src->nr_segments;
- dst->handle = src->handle;
- dst->id = src->id;
-- switch (src->operation) {
-+ switch (dst->operation) {
- case BLKIF_OP_READ:
- case BLKIF_OP_WRITE:
- case BLKIF_OP_WRITE_BARRIER:
-@@ -267,11 +267,11 @@ static inline void blkif_get_x86_64_req(
- struct blkif_x86_64_request *src)
- {
- int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST;
-- dst->operation = src->operation;
-+ dst->operation = ACCESS_ONCE(src->operation);
- dst->nr_segments = src->nr_segments;
- dst->handle = src->handle;
- dst->id = src->id;
-- switch (src->operation) {
-+ switch (dst->operation) {
- case BLKIF_OP_READ:
- case BLKIF_OP_WRITE:
- case BLKIF_OP_WRITE_BARRIER:
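Review bot: only src->operation is read through ACCESS_ONCE() in blkif_get_x86_32_req() and blkif_get_x86_64_req(); nr_segments, handle and id are still plain loads from the shared request. nr_segments looks like it feeds a bound (n starts at BLKIF_MAX_SEGMENTS_PER_REQUEST), so the lines below the visible context should clamp against dst->nr_segments, never src->nr_segments. Ideally that field would be loaded with ACCESS_ONCE() as well, for the same reason the commit message gives for the switch value.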
diff --git a/debian/patches/bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch b/debian/patches/bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
deleted file mode 100644
index 5be0784..0000000
--- a/debian/patches/bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: David Vrabel <david.vrabel at citrix.com>
-Date: Fri, 30 Oct 2015 15:16:01 +0000
-Subject: [2/7] xen-netback: don't use last request to determine minimum Tx
- credit
-Origin: https://git.kernel.org/linus/0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357
-
-The last from guest transmitted request gives no indication about the
-minimum amount of credit that the guest might need to send a packet
-since the last packet might have been a small one.
-
-Instead allow for the worst case 128 KiB packet.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Reviewed-by: Wei Liu <wei.liu2 at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-[bwh: Backported to 3.2: s/queue/vif/g]
----
- drivers/net/xen-netback/netback.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/drivers/net/xen-netback/netback.c
-+++ b/drivers/net/xen-netback/netback.c
-@@ -864,9 +864,7 @@ static void tx_add_credit(struct xenvif
- * Allow a burst big enough to transmit a jumbo packet of up to 128kB.
- * Otherwise the interface can seize up due to insufficient credit.
- */
-- max_burst = RING_GET_REQUEST(&vif->tx, vif->tx.req_cons)->size;
-- max_burst = min(max_burst, 131072UL);
-- max_burst = max(max_burst, vif->credit_bytes);
-+ max_burst = max(131072UL, vif->credit_bytes);
-
- /* Take care that adding a new chunk of credit doesn't wrap to zero. */
- max_credit = vif->remaining_credit + vif->credit_bytes;
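Review bot: with the ring read removed, the literal 131072UL is the only thing setting the burst floor in tx_add_credit(). A named constant tied to the "jumbo packet of up to 128kB" comment above it would state the intent and keep the two in step. No objection to the logic: max_burst no longer depends on a guest-writable size field.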
diff --git a/debian/patches/bugfix/all/xen-netback-use-ring_copy_request-throughout.patch b/debian/patches/bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
deleted file mode 100644
index 594da33..0000000
--- a/debian/patches/bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From: David Vrabel <david.vrabel at citrix.com>
-Date: Fri, 30 Oct 2015 15:17:06 +0000
-Subject: [3/7] xen-netback: use RING_COPY_REQUEST() throughout
-Origin: https://git.kernel.org/linus/68a33bfd8403e4e22847165d149823a2e0e67c9c
-
-Instead of open-coding memcpy()s and directly accessing Tx and Rx
-requests, use the new RING_COPY_REQUEST() that ensures the local copy
-is correct.
-
-This is more than is strictly necessary for guest Rx requests since
-only the id and gref fields are used and it is harmless if the
-frontend modifies these.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Reviewed-by: Wei Liu <wei.liu2 at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-[bwh: Backported to 3.2:
- - s/queue/vif/g
- - Adjust context]
----
- drivers/net/xen-netback/netback.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
---- a/drivers/net/xen-netback/netback.c
-+++ b/drivers/net/xen-netback/netback.c
-@@ -406,17 +406,17 @@ static struct netbk_rx_meta *get_next_rx
- struct netrx_pending_operations *npo)
- {
- struct netbk_rx_meta *meta;
-- struct xen_netif_rx_request *req;
-+ struct xen_netif_rx_request req;
-
-- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
-+ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req);
-
- meta = npo->meta + npo->meta_prod++;
- meta->gso_size = 0;
- meta->size = 0;
-- meta->id = req->id;
-+ meta->id = req.id;
-
- npo->copy_off = 0;
-- npo->copy_gref = req->gref;
-+ npo->copy_gref = req.gref;
-
- return meta;
- }
-@@ -518,7 +518,7 @@ static int netbk_gop_skb(struct sk_buff
- struct xenvif *vif = netdev_priv(skb->dev);
- int nr_frags = skb_shinfo(skb)->nr_frags;
- int i;
-- struct xen_netif_rx_request *req;
-+ struct xen_netif_rx_request req;
- struct netbk_rx_meta *meta;
- unsigned char *data;
- int head = 1;
-@@ -528,14 +528,14 @@ static int netbk_gop_skb(struct sk_buff
-
- /* Set up a GSO prefix descriptor, if necessary */
- if (skb_shinfo(skb)->gso_size && vif->gso_prefix) {
-- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
-+ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req);
- meta = npo->meta + npo->meta_prod++;
- meta->gso_size = skb_shinfo(skb)->gso_size;
- meta->size = 0;
-- meta->id = req->id;
-+ meta->id = req.id;
- }
-
-- req = RING_GET_REQUEST(&vif->rx, vif->rx.req_cons++);
-+ RING_COPY_REQUEST(&vif->rx, vif->rx.req_cons++, &req);
- meta = npo->meta + npo->meta_prod++;
-
- if (!vif->gso_prefix)
-@@ -544,9 +544,9 @@ static int netbk_gop_skb(struct sk_buff
- meta->gso_size = 0;
-
- meta->size = 0;
-- meta->id = req->id;
-+ meta->id = req.id;
- npo->copy_off = 0;
-- npo->copy_gref = req->gref;
-+ npo->copy_gref = req.gref;
-
- data = skb->data;
- while (data < skb_tail_pointer(skb)) {
-@@ -890,7 +890,7 @@ static void netbk_tx_err(struct xenvif *
- make_tx_response(vif, txp, XEN_NETIF_RSP_ERROR);
- if (cons == end)
- break;
-- txp = RING_GET_REQUEST(&vif->tx, cons++);
-+ RING_COPY_REQUEST(&vif->tx, cons++, txp);
- } while (1);
- vif->tx.req_cons = cons;
- xen_netbk_check_rx_xenvif(vif);
-@@ -957,8 +957,7 @@ static int netbk_count_requests(struct x
- if (drop_err)
- txp = &dropped_tx;
-
-- memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
-- sizeof(*txp));
-+ RING_COPY_REQUEST(&vif->tx, cons + slots, txp);
-
- /* If the guest submitted a frame >= 64 KiB then
- * first->size overflowed and following slots will
-@@ -1246,8 +1245,7 @@ static int xen_netbk_get_extras(struct x
- return -EBADR;
- }
-
-- memcpy(&extra, RING_GET_REQUEST(&vif->tx, cons),
-- sizeof(extra));
-+ RING_COPY_REQUEST(&vif->tx, cons, &extra);
- if (unlikely(!extra.type ||
- extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
- vif->tx.req_cons = ++cons;
-@@ -1442,7 +1440,7 @@ static unsigned xen_netbk_tx_build_gops(
-
- idx = vif->tx.req_cons;
- rmb(); /* Ensure that we see the request before we copy it. */
-- memcpy(&txreq, RING_GET_REQUEST(&vif->tx, idx), sizeof(txreq));
-+ RING_COPY_REQUEST(&vif->tx, idx, &txreq);
-
- /* Credit-based scheduling. */
- if (txreq.size > vif->remaining_credit &&
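Review bot: in netbk_tx_err() the change from `txp = RING_GET_REQUEST(&vif->tx, cons++)` to `RING_COPY_REQUEST(&vif->tx, cons++, txp)` turns a pointer reassignment into a write through txp, so every caller must now pass a pointer to its own local request. A caller that still hands in a pointer into the shared ring would have one slot copied over another. The callers are outside the visible context, so this needs checking against the full file. In xen_netbk_tx_build_gops() the rmb() ahead of the copy is kept, which is right.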
diff --git a/debian/patches/bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch b/debian/patches/bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
deleted file mode 100644
index 45e09e0..0000000
--- a/debian/patches/bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 2 Nov 2015 17:24:08 -0500
-Subject: [3/5] xen/pciback: Do not install an IRQ handler for MSI interrupts.
-Origin: https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0
-
-Otherwise an guest can subvert the generic MSI code to trigger
-an BUG_ON condition during MSI interrupt freeing:
-
- for (i = 0; i < entry->nvec_used; i++)
- BUG_ON(irq_has_action(entry->irq + i));
-
-Xen PCI backed installs an IRQ handler (request_irq) for
-the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
-(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
-done in case the device has legacy interrupts the GSI line
-is shared by the backend devices.
-
-To subvert the backend the guest needs to make the backend
-to change the dev->irq from the GSI to the MSI interrupt line,
-make the backend allocate an interrupt handler, and then command
-the backend to free the MSI interrupt and hit the BUG_ON.
-
-Since the backend only calls 'request_irq' when the guest
-writes to the PCI_COMMAND register the guest needs to call
-XEN_PCI_OP_enable_msi before any other operation. This will
-cause the generic MSI code to setup an MSI entry and
-populate dev->irq with the new PIRQ value.
-
-Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
-and cause the backend to setup an IRQ handler for dev->irq
-(which instead of the GSI value has the MSI pirq). See
-'xen_pcibk_control_isr'.
-
-Then the guest disables the MSI: XEN_PCI_OP_disable_msi
-which ends up triggering the BUG_ON condition in 'free_msi_irqs'
-as there is an IRQ handler for the entry->irq (dev->irq).
-
-Note that this cannot be done using MSI-X as the generic
-code does not over-write dev->irq with the MSI-X PIRQ values.
-
-The patch inhibits setting up the IRQ handler if MSI or
-MSI-X (for symmetry reasons) code had been called successfully.
-
-P.S.
-Xen PCIBack when it sets up the device for the guest consumption
-ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
-XSA-120 addendum patch removed that - however when upstreaming said
-addendum we found that it caused issues with qemu upstream. That
-has now been fixed in qemu upstream.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -68,6 +68,13 @@ static void xen_pcibk_control_isr(struct
- enable ? "enable" : "disable");
-
- if (enable) {
-+ /*
-+ * The MSI or MSI-X should not have an IRQ handler. Otherwise
-+ * if the guest terminates we BUG_ON in free_msi_irqs.
-+ */
-+ if (dev->msi_enabled || dev->msix_enabled)
-+ goto out;
-+
- rc = request_irq(dev_data->irq,
- xen_pcibk_guest_interrupt, IRQF_SHARED,
- dev_data->irq_name, dev);
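Review bot: this removes part 3/5 of the XSA-157 series, so the guard it added at the top of the if (enable) branch in xen_pcibk_control_isr() now has to come from 3.2.76 itself. Please confirm the upstream version bails out before request_irq() when dev->msi_enabled || dev->msix_enabled is set, and that all five parts of the series are in 3.2.76, because they are dropped together in this commit and the description above shows the BUG_ON in free_msi_irqs is reachable from a guest if this part is missing.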
diff --git a/debian/patches/bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch b/debian/patches/bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
deleted file mode 100644
index 85141fc..0000000
--- a/debian/patches/bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 2 Nov 2015 18:13:27 -0500
-Subject: [5/5] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not
- set.
-Origin: https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0
-
-commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way")
-teaches us that dealing with MSI-X can be troublesome.
-
-Further checks in the MSI-X architecture shows that if the
-PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we
-may not be able to access the BAR (since they are memory regions).
-
-Since the MSI-X tables are located in there.. that can lead
-to us causing PCIe errors. Inhibit us performing any
-operation on the MSI-X unless the MEMORY bit is set.
-
-Note that Xen hypervisor with:
-"x86/MSI-X: access MSI-X table only after having enabled MSI-X"
-will return:
-xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3!
-
-When the generic MSI code tries to setup the PIRQ without
-MEMORY bit set. Which means with later versions of Xen
-(4.6) this patch is not neccessary.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -210,6 +210,7 @@ int xen_pcibk_enable_msix(struct xen_pci
- struct xen_pcibk_dev_data *dev_data;
- int i, result;
- struct msix_entry *entries;
-+ u16 cmd;
-
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n",
-@@ -221,7 +222,12 @@ int xen_pcibk_enable_msix(struct xen_pci
- if (dev->msix_enabled)
- return -EALREADY;
-
-- if (dev->msi_enabled)
-+ /*
-+ * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
-+ * to access the BARs where the MSI-X entries reside.
-+ */
-+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
-+ if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
- return -ENXIO;
-
- entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL);
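Review bot: the check removed with this file, if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY)) return -ENXIO, rewrites a line that part 2/5 of the same series introduced, so xen_pcibk_enable_msix() in 3.2.76 should end up with the combined test and the -EALREADY test above it, not just one of the two. The description says the patch is not needed with Xen 4.6, which means the check still matters on hosts running an older hypervisor; confirm it is present upstream before relying on the drop.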
diff --git a/debian/patches/bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch b/debian/patches/bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
deleted file mode 100644
index aa3a134..0000000
--- a/debian/patches/bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Wed, 1 Apr 2015 10:49:47 -0400
-Subject: [4/5] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if
- device has MSI(X) enabled.
-Origin: https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49
-
-Otherwise just continue on, returning the same values as
-previously (return of 0, and op->result has the PIRQ value).
-
-This does not change the behavior of XEN_PCI_OP_disable_msi[|x].
-
-The pci_disable_msi or pci_disable_msix have the checks for
-msi_enabled or msix_enabled so they will error out immediately.
-
-However the guest can still call these operations and cause
-us to disable the 'ack_intr'. That means the backend IRQ handler
-for the legacy interrupt will not respond to interrupts anymore.
-
-This will lead to (if the device is causing an interrupt storm)
-for the Linux generic code to disable the interrupt line.
-
-Naturally this will only happen if the device in question
-is plugged in on the motherboard on shared level interrupt GSI.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 33 ++++++++++++++++++++-------------
- 1 file changed, 20 insertions(+), 13 deletions(-)
-
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -183,20 +183,23 @@ static
- int xen_pcibk_disable_msi(struct xen_pcibk_device *pdev,
- struct pci_dev *dev, struct xen_pci_op *op)
- {
-- struct xen_pcibk_dev_data *dev_data;
--
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: disable MSI\n",
- pci_name(dev));
-- pci_disable_msi(dev);
-
-+ if (dev->msi_enabled) {
-+ struct xen_pcibk_dev_data *dev_data;
-+
-+ pci_disable_msi(dev);
-+
-+ dev_data = pci_get_drvdata(dev);
-+ if (dev_data)
-+ dev_data->ack_intr = 1;
-+ }
- op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: MSI: %d\n", pci_name(dev),
- op->value);
-- dev_data = pci_get_drvdata(dev);
-- if (dev_data)
-- dev_data->ack_intr = 1;
- return 0;
- }
-
-@@ -262,23 +265,27 @@ static
- int xen_pcibk_disable_msix(struct xen_pcibk_device *pdev,
- struct pci_dev *dev, struct xen_pci_op *op)
- {
-- struct xen_pcibk_dev_data *dev_data;
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: disable MSI-X\n",
- pci_name(dev));
-- pci_disable_msix(dev);
-
-+ if (dev->msix_enabled) {
-+ struct xen_pcibk_dev_data *dev_data;
-+
-+ pci_disable_msix(dev);
-+
-+ dev_data = pci_get_drvdata(dev);
-+ if (dev_data)
-+ dev_data->ack_intr = 1;
-+ }
- /*
- * SR-IOV devices (which don't have any legacy IRQ) have
- * an undefined IRQ value of zero.
- */
- op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
- if (unlikely(verbose_request))
-- printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n", pci_name(dev),
-- op->value);
-- dev_data = pci_get_drvdata(dev);
-- if (dev_data)
-- dev_data->ack_intr = 1;
-+ printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n",
-+ pci_name(dev), op->value);
- return 0;
- }
- #endif
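Review bot: the behaviour to verify in 3.2.76 for this drop is that dev_data->ack_intr = 1 is only reached inside if (dev->msi_enabled) and if (dev->msix_enabled). In the pre-patch code it ran unconditionally at the end of both disable handlers, which the description identifies as the way a guest could stop the backend's legacy interrupt handler from responding. Check xen_pcibk_disable_msi() and xen_pcibk_disable_msix() separately, since the two hunks are independent and one could be missing without a build failure.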
diff --git a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch b/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch
deleted file mode 100644
index 8cf7567..0000000
--- a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Fri, 3 Apr 2015 11:08:22 -0400
-Subject: [1/5] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device
- has MSI or MSI-X enabled
-Origin: https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d
-
-The guest sequence of:
-
- a) XEN_PCI_OP_enable_msi
- b) XEN_PCI_OP_enable_msi
- c) XEN_PCI_OP_disable_msi
-
-results in hitting an BUG_ON condition in the msi.c code.
-
-The MSI code uses an dev->msi_list to which it adds MSI entries.
-Under the above conditions an BUG_ON() can be hit. The device
-passed in the guest MUST have MSI capability.
-
-The a) adds the entry to the dev->msi_list and sets msi_enabled.
-The b) adds a second entry but adding in to SysFS fails (duplicate entry)
-and deletes all of the entries from msi_list and returns (with msi_enabled
-is still set). c) pci_disable_msi passes the msi_enabled checks and hits:
-
-BUG_ON(list_empty(dev_to_msi_list(&dev->dev)));
-
-and blows up.
-
-The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard
-against that. The check for msix_enabled is not stricly neccessary.
-
-This is part of XSA-157.
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Reviewed-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -142,7 +142,12 @@ int xen_pcibk_enable_msi(struct xen_pcib
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev));
-
-- status = pci_enable_msi(dev);
-+ if (dev->msi_enabled)
-+ status = -EALREADY;
-+ else if (dev->msix_enabled)
-+ status = -ENXIO;
-+ else
-+ status = pci_enable_msi(dev);
-
- if (status) {
- pr_warn_ratelimited(DRV_NAME ": %s: error enabling MSI for guest %u: err %d\n",
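Review bot: pci_enable_msi() must not be called unconditionally in xen_pcibk_enable_msi() once this file is gone; the dropped fix returns -EALREADY when dev->msi_enabled is set and -ENXIO when dev->msix_enabled is set before calling it. Confirm the 3.2.76 code has the same three-way branch, because the a), b), c) sequence in the description reaches BUG_ON(list_empty(dev_to_msi_list(&dev->dev))) without it.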
diff --git a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch b/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
deleted file mode 100644
index 6a4c7c0..0000000
--- a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 2 Nov 2015 18:07:44 -0500
-Subject: [2/5] xen/pciback: Return error on XEN_PCI_OP_enable_msix when device
- has MSI or MSI-X enabled
-Origin: https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9
-
-The guest sequence of:
-
- a) XEN_PCI_OP_enable_msix
- b) XEN_PCI_OP_enable_msix
-
-results in hitting an NULL pointer due to using freed pointers.
-
-The device passed in the guest MUST have MSI-X capability.
-
-The a) constructs and SysFS representation of MSI and MSI groups.
-The b) adds a second set of them but adding in to SysFS fails (duplicate entry).
-'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that
-in a) pdev->msi_irq_groups is still set) and also free's ALL of the
-MSI-X entries of the device (the ones allocated in step a) and b)).
-
-The unwind code: 'free_msi_irqs' deletes all the entries and tries to
-delete the pdev->msi_irq_groups (which hasn't been set to NULL).
-However the pointers in the SysFS are already freed and we hit an
-NULL pointer further on when 'strlen' is attempted on a freed pointer.
-
-The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard
-against that. The check for msi_enabled is not stricly neccessary.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Reviewed-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -204,9 +204,16 @@ int xen_pcibk_enable_msix(struct xen_pci
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n",
- pci_name(dev));
-+
- if (op->value > SH_INFO_MAX_VEC)
- return -EINVAL;
-
-+ if (dev->msix_enabled)
-+ return -EALREADY;
-+
-+ if (dev->msi_enabled)
-+ return -ENXIO;
-+
- entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL);
- if (entries == NULL)
- return -ENOMEM;
diff --git a/debian/patches/bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch b/debian/patches/bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch
deleted file mode 100644
index 2d5a29d..0000000
--- a/debian/patches/bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 16 Nov 2015 12:40:48 -0500
-Subject: [7/7] xen/pciback: Save xen_pci_op commands before processing it
-Origin: https://git.kernel.org/linus/8135cf8b092723dbfcc611fe6fdcb3a36c9951c5
-
-Double fetch vulnerabilities that happen when a variable is
-fetched twice from shared memory but a security check is only
-performed the first time.
-
-The xen_pcibk_do_op function performs a switch statements on the op->cmd
-value which is stored in shared memory. Interestingly this can result
-in a double fetch vulnerability depending on the performed compiler
-optimization.
-
-This patch fixes it by saving the xen_pci_op command before
-processing it. We also use 'barrier' to make sure that the
-compiler does not perform any optimization.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Signed-off-by: Jan Beulich <JBeulich at suse.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback.h | 1 +
- drivers/xen/xen-pciback/pciback_ops.c | 15 ++++++++++++++-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
---- a/drivers/xen/xen-pciback/pciback.h
-+++ b/drivers/xen/xen-pciback/pciback.h
-@@ -37,6 +37,7 @@ struct xen_pcibk_device {
- struct xen_pci_sharedinfo *sh_info;
- unsigned long flags;
- struct work_struct op_work;
-+ struct xen_pci_op op;
- };
-
- struct xen_pcibk_dev_data {
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -296,9 +296,11 @@ void xen_pcibk_do_op(struct work_struct
- container_of(data, struct xen_pcibk_device, op_work);
- struct pci_dev *dev;
- struct xen_pcibk_dev_data *dev_data = NULL;
-- struct xen_pci_op *op = &pdev->sh_info->op;
-+ struct xen_pci_op *op = &pdev->op;
- int test_intx = 0;
-
-+ *op = pdev->sh_info->op;
-+ barrier();
- dev = xen_pcibk_get_pci_dev(pdev, op->domain, op->bus, op->devfn);
-
- if (dev == NULL)
-@@ -340,6 +342,17 @@ void xen_pcibk_do_op(struct work_struct
- if ((dev_data->enable_intx != test_intx))
- xen_pcibk_control_isr(dev, 0 /* no reset */);
- }
-+ pdev->sh_info->op.err = op->err;
-+ pdev->sh_info->op.value = op->value;
-+#ifdef CONFIG_PCI_MSI
-+ if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
-+ unsigned int i;
-+
-+ for (i = 0; i < op->value; i++)
-+ pdev->sh_info->op.msix_entries[i].vector =
-+ op->msix_entries[i].vector;
-+ }
-+#endif
- /* Tell the driver domain that we're done. */
- wmb();
- clear_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags);
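Review bot: two halves of this XSA-155 fix need to be present in 3.2.76 for the drop to be safe: the snapshot at the top of xen_pcibk_do_op() (*op = pdev->sh_info->op; followed by barrier()) and the copy-back of err, value and, for a successful XEN_PCI_OP_enable_msix, the msix_entries[i].vector values ahead of wmb(). With only the snapshot the frontend never sees results; with only the copy-back, op->cmd is still read from shared memory. The new struct xen_pci_op op member of struct xen_pcibk_device in pciback.h belongs to the same change and should be checked with it.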
diff --git a/debian/patches/bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch b/debian/patches/bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
deleted file mode 100644
index 1e05775..0000000
--- a/debian/patches/bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Andrew Honig <ahonig at google.com>
-Date: Wed, 18 Nov 2015 14:50:23 -0800
-Subject: KVM: x86: Reload pit counters for all channels when restoring state
-Origin: https://git.kernel.org/linus/0185604c2d82c560dab2f2933a18f797e74ab5a8
-
-Currently if userspace restores the pit counters with a count of 0
-on channels 1 or 2 and the guest attempts to read the count on those
-channels, then KVM will perform a mod of 0 and crash. This will ensure
-that 0 values are converted to 65536 as per the spec.
-
-This is CVE-2015-7513.
-
-Signed-off-by: Andy Honig <ahonig at google.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[carnil: Backport to 4.3.3: context]
----
- arch/x86/kvm/x86.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -3434,10 +3434,11 @@ static int kvm_vm_ioctl_get_pit(struct k
- static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps)
- {
- int r = 0;
--
-+ int i;
- mutex_lock(&kvm->arch.vpit->pit_state.lock);
- memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state));
-- kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0);
-+ for (i = 0; i < 3; i++)
-+ kvm_pit_load_count(kvm, i, ps->channels[i].count, 0);
- mutex_unlock(&kvm->arch.vpit->pit_state.lock);
- return r;
- }
-@@ -3458,6 +3459,7 @@ static int kvm_vm_ioctl_get_pit2(struct
- static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
- {
- int r = 0, start = 0;
-+ int i;
- u32 prev_legacy, cur_legacy;
- mutex_lock(&kvm->arch.vpit->pit_state.lock);
- prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
-@@ -3467,7 +3469,8 @@ static int kvm_vm_ioctl_set_pit2(struct
- memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels,
- sizeof(kvm->arch.vpit->pit_state.channels));
- kvm->arch.vpit->pit_state.flags = ps->flags;
-- kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start);
-+ for (i = 0; i < 3; i++)
-+ kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start);
- mutex_unlock(&kvm->arch.vpit->pit_state.lock);
- return r;
- }
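Review bot: the backport tag on this dropped patch reads [carnil: Backport to 4.3.3: context], so it was adjusted for a different base than 3.2 and the 3.2.76 version may not match it line for line. Confirm that both kvm_vm_ioctl_set_pit() and kvm_vm_ioctl_set_pit2() in 3.2.76 call kvm_pit_load_count() for channels 0 to 2 rather than channel 0 only, since CVE-2015-7513 is the zero count left on channels 1 and 2.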
diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-db.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-db.patch
deleted file mode 100644
index e2f9647..0000000
--- a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-db.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Tue, 10 Nov 2015 09:14:39 +0100
-Subject: KVM: svm: unconditionally intercept #DB
-Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[bwh: Backported to 3.2, with thanks to Paolo:
- - update_db_bp_intercept() was called update_db_intercept()
- - The remaining call is in svm_guest_debug() rather than through svm_x86_ops]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kvm/svm.c | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1015,6 +1015,7 @@ static void init_vmcb(struct vcpu_svm *s
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
- set_exception_intercept(svm, AC_VECTOR);
-+ set_exception_intercept(svm, DB_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1550,20 +1551,13 @@ static void svm_set_segment(struct kvm_v
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
-
--static void update_db_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- clr_exception_intercept(svm, DB_VECTOR);
- clr_exception_intercept(svm, BP_VECTOR);
-
-- if (svm->nmi_singlestep)
-- set_exception_intercept(svm, DB_VECTOR);
--
- if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-- if (vcpu->guest_debug &
-- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-- set_exception_intercept(svm, DB_VECTOR);
- if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- set_exception_intercept(svm, BP_VECTOR);
- } else
-@@ -1581,7 +1575,7 @@ static void svm_guest_debug(struct kvm_v
-
- mark_dirty(svm->vmcb, VMCB_DR);
-
-- update_db_intercept(vcpu);
-+ update_bp_intercept(vcpu);
- }
-
- static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
-@@ -1655,7 +1649,6 @@ static int db_interception(struct vcpu_s
- if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- svm->vmcb->save.rflags &=
- ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_intercept(&svm->vcpu);
- }
-
- if (svm->vcpu.guest_debug &
-@@ -3557,7 +3550,6 @@ static void enable_nmi_window(struct kvm
- */
- svm->nmi_singlestep = true;
- svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_intercept(vcpu);
- }
-
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
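Review bot: this was a 3.2-specific backport (update_db_intercept() renamed to update_bp_intercept(), remaining caller in svm_guest_debug()), so check that 3.2.76 reaches the same end state: set_exception_intercept(svm, DB_VECTOR) in init_vmcb() and no clr_exception_intercept(svm, DB_VECTOR) left in the renamed function. A leftover call to the old function from db_interception() or enable_nmi_window() would undo the unconditional intercept that addresses CVE-2015-8104.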
diff --git a/debian/patches/debian/af_unix-avoid-abi-changes.patch b/debian/patches/debian/af_unix-avoid-abi-changes.patch
index 5ca4950..3d16e7e 100644
--- a/debian/patches/debian/af_unix-avoid-abi-changes.patch
+++ b/debian/patches/debian/af_unix-avoid-abi-changes.patch
@@ -1,19 +1,35 @@
From: Ben Hutchings <ben at decadent.org.uk>
-Date: Tue, 01 Dec 2015 02:21:58 +0000
+Date: Sat, 23 Jan 2016 23:24:59 +0000
Subject: af_unix: Avoid ABI changes
+Forwarded: not-needed
struct unix_sock is only allocated in af_unix so it's safe to add new
-members at the end. Hide peer_wake from genksyms.
+members at the end. Hide gc_flags and peer_wake from genksyms.
+Include padding in place of the bitfields that were removed. These are
+not accessed outside of the af_unix implementation.
---
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
-@@ -58,7 +58,9 @@ struct unix_sock {
- unsigned int gc_maybe_cycle : 1;
+@@ -54,12 +54,20 @@ struct unix_sock {
+ struct list_head link;
+ atomic_long_t inflight;
+ spinlock_t lock;
++#ifdef __GENKSYMS__
++ unsigned int gc_candidate : 1;
++ unsigned int gc_maybe_cycle : 1;
++#else
++ unsigned int pad : 2;
++#endif
unsigned char recursion_level;
- struct socket_wq peer_wq;
++ struct socket_wq peer_wq;
+#ifndef __GENKSYSMS__
- wait_queue_t peer_wake;
++ wait_queue_t peer_wake;
+ unsigned long gc_flags;
+ #define UNIX_GC_CANDIDATE 0
+ #define UNIX_GC_MAYBE_CYCLE 1
+- struct socket_wq peer_wq;
+- wait_queue_t peer_wake;
+#endif
};
#define unix_sk(__sk) ((struct unix_sock *)__sk)
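Review bot: the guard around peer_wake and gc_flags is spelled __GENKSYSMS__, while the new block above it uses __GENKSYMS__. Nothing defines the misspelled name, so #ifndef __GENKSYSMS__ is always true and genksyms still sees both members, which contradicts the description's "Hide gc_flags and peer_wake from genksyms". The line is carried over unchanged from the previous version of this patch; change it to #ifndef __GENKSYMS__ in this refresh, since this is the change that puts gc_flags under that guard.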
diff --git a/debian/patches/debian/enclosure-fix-abi-change-in-2.6.32.70.patch b/debian/patches/debian/enclosure-fix-abi-change-in-2.6.32.70.patch
new file mode 100644
index 0000000..6ff5e54
--- /dev/null
+++ b/debian/patches/debian/enclosure-fix-abi-change-in-2.6.32.70.patch
@@ -0,0 +1,30 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 23 Jan 2016 18:47:29 +0000
+Subject: enclosure: Fix ABI change in 3.2.76
+Forwarded: not-needed
+
+This is a bit ridiculous...
+---
+ include/linux/enclosure.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
+index f6c229e..a146074 100644
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,11 +29,15 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+ ENCLOSURE_COMPONENT_DEVICE = 0x01,
++#ifndef __GENKSYMS__
+ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
+ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
+ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
++#endif
+ ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++#ifndef __GENKSYMS__
+ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
++#endif
+ };
+
+ /* ses-2 common element status */
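Review bot: the file is named enclosure-fix-abi-change-in-2.6.32.70.patch but its Subject says the ABI change is in 3.2.76; rename the file so the series entry matches the release it applies to. The description ("This is a bit ridiculous...") should also say why hiding these four enclosure_component_type values from genksyms is safe, for example that the enumerators left visible keep their values (0x01 and 0x17 are untouched in this hunk), the way the af_unix patch explains its struct change.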
diff --git a/debian/patches/features/all/drm/drm-3.4.patch b/debian/patches/features/all/drm/drm-3.4.patch
index 89d57ea..f115479 100644
--- a/debian/patches/features/all/drm/drm-3.4.patch
+++ b/debian/patches/features/all/drm/drm-3.4.patch
@@ -3179,7 +3179,7 @@ index dd58373..a0d6e89 100644
out_free:
drm_fb_helper_crtc_free(fb_helper);
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
-index 020b103..b90abff 100644
+index 5f1a653..b90abff 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -133,6 +133,9 @@ int drm_open(struct inode *inode, struct file *filp)
@@ -3205,7 +3205,70 @@ index 020b103..b90abff 100644
if (filp->f_op == NULL) {
filp->f_op = old_fops;
goto out;
-@@ -268,6 +274,9 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
+@@ -219,62 +225,6 @@ static int drm_cpu_valid(void)
+ }
+
+ /**
+- * drm_new_set_master - Allocate a new master object and become master for the
+- * associated master realm.
+- *
+- * @dev: The associated device.
+- * @fpriv: File private identifying the client.
+- *
+- * This function must be called with dev::struct_mutex held.
+- * Returns negative error code on failure. Zero on success.
+- */
+-int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)
+-{
+- struct drm_master *old_master;
+- int ret;
+-
+- lockdep_assert_held_once(&dev->struct_mutex);
+-
+- /* create a new master */
+- fpriv->minor->master = drm_master_create(fpriv->minor);
+- if (!fpriv->minor->master)
+- return -ENOMEM;
+-
+- /* take another reference for the copy in the local file priv */
+- old_master = fpriv->master;
+- fpriv->master = drm_master_get(fpriv->minor->master);
+-
+- if (dev->driver->master_create) {
+- mutex_unlock(&dev->struct_mutex);
+- ret = dev->driver->master_create(dev, fpriv->master);
+- mutex_lock(&dev->struct_mutex);
+- if (ret)
+- goto out_err;
+- }
+- if (dev->driver->master_set) {
+- ret = dev->driver->master_set(dev, fpriv, true);
+- if (ret)
+- goto out_err;
+- }
+-
+- fpriv->is_master = 1;
+- fpriv->allowed_master = 1;
+- fpriv->authenticated = 1;
+- if (old_master)
+- drm_master_put(&old_master);
+-
+- return 0;
+-
+-out_err:
+- /* drop both references and restore old master on failure */
+- drm_master_put(&fpriv->minor->master);
+- drm_master_put(&fpriv->master);
+- fpriv->master = old_master;
+-
+- return ret;
+-}
+-
+-/**
+ * Called whenever a process opens /dev/drm.
+ *
+ * \param inode device inode.
+@@ -324,6 +274,9 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
if (dev->driver->driver_features & DRIVER_GEM)
drm_gem_open(dev, priv);
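Review bot: the refreshed drm-3.4.patch now deletes drm_new_set_master() in full, and the index line for drm_fops.c moved from 020b103 to 5f1a653, so this helper looks like something the new base brought in and the DRM backport is reverting. The patch header or the changelog should say that the revert is deliberate and name what it undoes, otherwise the loss is invisible to anyone auditing which upstream fixes are effective in the wheezy kernel.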
@@ -3215,7 +3278,54 @@ index 020b103..b90abff 100644
if (dev->driver->open) {
ret = dev->driver->open(dev, priv);
if (ret < 0)
-@@ -501,12 +510,12 @@ int drm_release(struct inode *inode, struct file *filp)
+@@ -335,10 +288,43 @@ static int drm_open_helper(struct inode *inode, struct file *filp,
+ mutex_lock(&dev->struct_mutex);
+ if (!priv->minor->master) {
+ /* create a new master */
+- ret = drm_new_set_master(dev, priv);
+- mutex_unlock(&dev->struct_mutex);
+- if (ret)
++ priv->minor->master = drm_master_create(priv->minor);
++ if (!priv->minor->master) {
++ mutex_unlock(&dev->struct_mutex);
++ ret = -ENOMEM;
+ goto out_free;
++ }
++
++ priv->is_master = 1;
++ /* take another reference for the copy in the local file priv */
++ priv->master = drm_master_get(priv->minor->master);
++
++ priv->authenticated = 1;
++
++ mutex_unlock(&dev->struct_mutex);
++ if (dev->driver->master_create) {
++ ret = dev->driver->master_create(dev, priv->master);
++ if (ret) {
++ mutex_lock(&dev->struct_mutex);
++ /* drop both references if this fails */
++ drm_master_put(&priv->minor->master);
++ drm_master_put(&priv->master);
++ mutex_unlock(&dev->struct_mutex);
++ goto out_free;
++ }
++ }
++ mutex_lock(&dev->struct_mutex);
++ if (dev->driver->master_set) {
++ ret = dev->driver->master_set(dev, priv, true);
++ if (ret) {
++ /* drop both references if this fails */
++ drm_master_put(&priv->minor->master);
++ drm_master_put(&priv->master);
++ mutex_unlock(&dev->struct_mutex);
++ goto out_free;
++ }
++ }
++ mutex_unlock(&dev->struct_mutex);
+ } else {
+ /* get a reference to the master */
+ priv->master = drm_master_get(priv->minor->master);
+@@ -524,12 +510,12 @@ int drm_release(struct inode *inode, struct file *filp)
drm_events_release(file_priv);
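Review bot: the open-coded replacement sets priv->is_master = 1 and priv->authenticated = 1 before master_create() and master_set() have run, where the removed helper set is_master, allowed_master and authenticated only after both callbacks succeeded. The error paths here drop both master references and jump to out_free without clearing those flags; please confirm out_free discards priv so the early flags cannot outlive a failed open, and note that allowed_master is no longer set at all on this path.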
@@ -3231,7 +3341,7 @@ index 020b103..b90abff 100644
mutex_lock(&dev->ctxlist_mutex);
if (!list_empty(&dev->ctxlist)) {
struct drm_ctx_list *pos, *n;
-@@ -568,6 +577,10 @@ int drm_release(struct inode *inode, struct file *filp)
+@@ -591,6 +577,10 @@ int drm_release(struct inode *inode, struct file *filp)
if (dev->driver->postclose)
dev->driver->postclose(dev, file_priv);
@@ -3242,7 +3352,7 @@ index 020b103..b90abff 100644
kfree(file_priv);
/* ========================================================
-@@ -582,6 +595,8 @@ int drm_release(struct inode *inode, struct file *filp)
+@@ -605,6 +595,8 @@ int drm_release(struct inode *inode, struct file *filp)
retcode = -EBUSY;
} else
retcode = drm_lastclose(dev);
@@ -4311,10 +4421,34 @@ index cebce45..0000000
-
-EXPORT_SYMBOL(drm_sman_cleanup);
diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c
-index 6d7b083..aa454f8 100644
+index 6c1f6ce..aa454f8 100644
--- a/drivers/gpu/drm/drm_stub.c
+++ b/drivers/gpu/drm/drm_stub.c
-@@ -319,6 +319,7 @@ int drm_fill_in_dev(struct drm_device *dev,
+@@ -225,10 +225,6 @@ int drm_setmaster_ioctl(struct drm_device *dev, void *data,
+ if (!file_priv->minor->master &&
+ file_priv->minor->master != file_priv->master) {
+ mutex_lock(&dev->struct_mutex);
+- if (!file_priv->allowed_master) {
+- ret = drm_new_set_master(dev, file_priv);
+- goto out_unlock;
+- }
+ file_priv->minor->master = drm_master_get(file_priv->master);
+ file_priv->is_master = 1;
+ if (dev->driver->master_set) {
+@@ -238,11 +234,10 @@ int drm_setmaster_ioctl(struct drm_device *dev, void *data,
+ drm_master_put(&file_priv->minor->master);
+ }
+ }
+- out_unlock:
+ mutex_unlock(&dev->struct_mutex);
+ }
+
+- return ret;
++ return 0;
+ }
+
+ int drm_dropmaster_ioctl(struct drm_device *dev, void *data,
+@@ -324,6 +319,7 @@ int drm_fill_in_dev(struct drm_device *dev,
drm_lastclose(dev);
return retcode;
}
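Review bot: drm_setmaster_ioctl() now ends in return 0 instead of return ret, so if ret is still assigned from dev->driver->master_set() in the lines between these two hunks, a failed master_set is reported to userspace as success. Together with the removed !file_priv->allowed_master branch this takes the ioctl back to its state before drm_new_set_master() existed; if that is intended, keep return ret so the error is at least propagated.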
@@ -4322,7 +4456,7 @@ index 6d7b083..aa454f8 100644
/**
-@@ -397,6 +398,7 @@ err_idr:
+@@ -402,6 +398,7 @@ err_idr:
*minor = NULL;
return ret;
}
@@ -4330,7 +4464,7 @@ index 6d7b083..aa454f8 100644
/**
* Put a secondary minor number.
-@@ -428,6 +430,12 @@ int drm_put_minor(struct drm_minor **minor_p)
+@@ -433,6 +430,12 @@ int drm_put_minor(struct drm_minor **minor_p)
*minor_p = NULL;
return 0;
}
@@ -4343,7 +4477,7 @@ index 6d7b083..aa454f8 100644
/**
* Called via drm_exit() at module unload time or when pci device is
-@@ -492,3 +500,21 @@ void drm_put_dev(struct drm_device *dev)
+@@ -497,3 +500,21 @@ void drm_put_dev(struct drm_device *dev)
kfree(dev);
}
EXPORT_SYMBOL(drm_put_dev);
@@ -46164,7 +46298,7 @@ index 861223b..1a93066 100644
/* On Ironlake whatever DRAM config, GPU always do
* same swizzling setup.
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index 93e74fb..fc6f32a 100644
+index 93e74fbd..fc6f32a 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -716,7 +716,6 @@ i915_error_object_create(struct drm_i915_private *dev_priv,
@@ -76201,7 +76335,7 @@ index e022776b..e534e5d 100644
+
#endif
diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h
-index 47f3bd2..52aabf24 100644
+index 47f3bd2..52aabf2 100644
--- a/drivers/gpu/drm/radeon/evergreend.h
+++ b/drivers/gpu/drm/radeon/evergreend.h
@@ -81,6 +81,11 @@
@@ -88819,10 +88953,22 @@ index 894b5f0..19d68c5 100644
snprintf(i2c->adapter.name, sizeof(i2c->adapter.name),
"Radeon aux bus %s", name);
diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-index 42f5a2b..77c456d 100644
+index 931a8a9..77c456d 100644
--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
-@@ -67,7 +67,8 @@ void radeon_driver_irq_preinstall_kms(struct drm_device *dev)
+@@ -51,11 +51,6 @@ static void radeon_hotplug_work_func(struct work_struct *work)
+ struct drm_mode_config *mode_config = &dev->mode_config;
+ struct drm_connector *connector;
+
+- /* we can race here at startup, some boards seem to trigger
+- * hotplug irqs when they shouldn't. */
+- if (!rdev->mode_info.mode_config_initialized)
+- return;
+-
+ mutex_lock(&mode_config->mutex);
+ if (mode_config->num_connector) {
+ list_for_each_entry(connector, &mode_config->connector_list, head)
+@@ -72,7 +67,8 @@ void radeon_driver_irq_preinstall_kms(struct drm_device *dev)
unsigned i;
/* Disable *all* interrupts */
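Review bot: The new first hunk for radeon_hotplug_work_func() deletes the `if (!rdev->mode_info.mode_config_initialized) return;` guard, whose own comment says it covers a startup race with hotplug IRQs. debian/patches/series still lists bugfix/all/drm-radeon-fix-hotplug-race-at-startup.patch, so please confirm that patch is applied after this one and still restores the check ahead of `mutex_lock(&mode_config->mutex)`. Otherwise the work function takes the mutex and walks connector_list without that guard.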
@@ -88832,7 +88978,7 @@ index 42f5a2b..77c456d 100644
rdev->irq.gui_idle = false;
for (i = 0; i < RADEON_MAX_HPD_PINS; i++)
rdev->irq.hpd[i] = false;
-@@ -83,9 +84,11 @@ void radeon_driver_irq_preinstall_kms(struct drm_device *dev)
+@@ -88,9 +84,11 @@ void radeon_driver_irq_preinstall_kms(struct drm_device *dev)
int radeon_driver_irq_postinstall_kms(struct drm_device *dev)
{
struct radeon_device *rdev = dev->dev_private;
@@ -88845,7 +88991,7 @@ index 42f5a2b..77c456d 100644
radeon_irq_set(rdev);
return 0;
}
-@@ -99,7 +102,8 @@ void radeon_driver_irq_uninstall_kms(struct drm_device *dev)
+@@ -104,7 +102,8 @@ void radeon_driver_irq_uninstall_kms(struct drm_device *dev)
return;
}
/* Disable *all* interrupts */
@@ -88855,7 +89001,7 @@ index 42f5a2b..77c456d 100644
rdev->irq.gui_idle = false;
for (i = 0; i < RADEON_MAX_HPD_PINS; i++)
rdev->irq.hpd[i] = false;
-@@ -218,26 +222,26 @@ void radeon_irq_kms_fini(struct radeon_device *rdev)
+@@ -223,26 +222,26 @@ void radeon_irq_kms_fini(struct radeon_device *rdev)
flush_work_sync(&rdev->hotplug_work);
}
@@ -99069,6 +99215,19 @@ index e223175..a877813 100644
return -EINVAL;
}
+diff --git a/drivers/gpu/drm/ttm/ttm_lock.c b/drivers/gpu/drm/ttm/ttm_lock.c
+index 9934b4d..075daf4 100644
+--- a/drivers/gpu/drm/ttm/ttm_lock.c
++++ b/drivers/gpu/drm/ttm/ttm_lock.c
+@@ -180,7 +180,7 @@ int ttm_write_lock(struct ttm_lock *lock, bool interruptible)
+ spin_unlock(&lock->lock);
+ }
+ } else
+- wait_event(lock->queue, __ttm_write_lock(lock));
++ wait_event(lock->queue, __ttm_read_lock(lock));
+
+ return ret;
+ }
diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
index e70ddd8..23d2ecb 100644
--- a/drivers/gpu/drm/ttm/ttm_memory.c
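Review bot: In the ttm_lock.c hunk above, the non-interruptible branch of ttm_write_lock() now waits on `__ttm_read_lock(lock)` instead of `__ttm_write_lock(lock)`, so the write-lock function waits on the read-lock predicate on that path. This looks like a side effect of regenerating the patch against a base that has the correct predicate. Drop the hunk from the drm-3.4 patch, or follow it with a fix patch, so the write path keeps `wait_event(lock->queue, __ttm_write_lock(lock));`.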
@@ -105491,7 +105650,7 @@ index 4be33b4..64ff02d 100644
/* typedef area */
#ifndef __KERNEL__
diff --git a/include/drm/drmP.h b/include/drm/drmP.h
-index bf4b2dc..dd73104 100644
+index e7cd03c..dd73104 100644
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -91,6 +91,7 @@ struct drm_device;
@@ -105543,7 +105702,19 @@ index bf4b2dc..dd73104 100644
/** File private data */
struct drm_file {
int authenticated;
-@@ -437,6 +451,8 @@ struct drm_file {
+@@ -430,11 +444,6 @@ struct drm_file {
+ void *driver_priv;
+
+ int is_master; /* this file private is a master for a minor */
+- /*
+- * This client is allowed to gain master privileges for @master.
+- * Protected by struct drm_device::struct_mutex.
+- */
+- unsigned allowed_master:1;
+ struct drm_master *master; /* master this node is currently associated with
+ N.B. not always minor->master */
+ struct list_head fbs;
+@@ -442,6 +451,8 @@ struct drm_file {
wait_queue_head_t event_wait;
struct list_head event_list;
int event_space;
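Review bot: The struct drm_file hunk removes `unsigned allowed_master:1;`, which its comment describes as recording whether the client is allowed to gain master privileges for @master, and a later hunk in this header also removes the `drm_new_set_master()` declaration. Please state in debian/changelog whether losing that check is intended for the backported DRM code, or carry a port of it as a separate patch applied after this one.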
@@ -105552,7 +105723,7 @@ index bf4b2dc..dd73104 100644
};
/** Wait queue */
-@@ -652,6 +668,12 @@ struct drm_gem_object {
+@@ -657,6 +668,12 @@ struct drm_gem_object {
uint32_t pending_write_domain;
void *driver_private;
@@ -105565,7 +105736,7 @@ index bf4b2dc..dd73104 100644
};
#include "drm_crtc.h"
-@@ -820,7 +842,7 @@ struct drm_driver {
+@@ -825,7 +842,7 @@ struct drm_driver {
* Specifically, the timestamp in @vblank_time should correspond as
* closely as possible to the time when the first video scanline of
* the video frame after the end of VBLANK will start scanning out,
@@ -105574,7 +105745,7 @@ index bf4b2dc..dd73104 100644
* @crtc is currently inside VBLANK, this will be a time in the future.
* If the @crtc is currently scanning out a frame, this will be the
* past start time of the current scanout. This is meant to adhere
-@@ -890,6 +912,20 @@ struct drm_driver {
+@@ -895,6 +912,20 @@ struct drm_driver {
int (*gem_open_object) (struct drm_gem_object *, struct drm_file *);
void (*gem_close_object) (struct drm_gem_object *, struct drm_file *);
@@ -105595,7 +105766,7 @@ index bf4b2dc..dd73104 100644
/* vga arb irq handler */
void (*vgaarb_irq)(struct drm_device *dev, bool state);
-@@ -918,7 +954,7 @@ struct drm_driver {
+@@ -923,7 +954,7 @@ struct drm_driver {
int dev_priv_size;
struct drm_ioctl_desc *ioctls;
int num_ioctls;
@@ -105604,7 +105775,7 @@ index bf4b2dc..dd73104 100644
union {
struct pci_driver *pci;
struct platform_device *platform_device;
-@@ -1170,6 +1206,8 @@ struct drm_device {
+@@ -1175,6 +1206,8 @@ struct drm_device {
struct idr object_name_idr;
/*@} */
int switch_power_state;
@@ -105613,7 +105784,7 @@ index bf4b2dc..dd73104 100644
};
#define DRM_SWITCH_POWER_ON 0
-@@ -1235,6 +1273,19 @@ static inline int drm_mtrr_del(int handle, unsigned long offset,
+@@ -1240,6 +1273,19 @@ static inline int drm_mtrr_del(int handle, unsigned long offset,
}
#endif
@@ -105633,7 +105804,15 @@ index bf4b2dc..dd73104 100644
/******************************************************************/
/** \name Internal function definitions */
/*@{*/
-@@ -1264,11 +1315,6 @@ extern unsigned int drm_poll(struct file *filp, struct poll_table_struct *wait);
+@@ -1259,7 +1305,6 @@ extern int drm_fasync(int fd, struct file *filp, int on);
+ extern ssize_t drm_read(struct file *filp, char __user *buffer,
+ size_t count, loff_t *offset);
+ extern int drm_release(struct inode *inode, struct file *filp);
+-extern int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv);
+
+ /* Mapping support (drm_vm.h) */
+ extern int drm_mmap(struct file *filp, struct vm_area_struct *vma);
+@@ -1270,11 +1315,6 @@ extern unsigned int drm_poll(struct file *filp, struct poll_table_struct *wait);
/* Memory management support (drm_memory.h) */
#include "drm_memory.h"
@@ -105645,7 +105824,7 @@ index bf4b2dc..dd73104 100644
extern void drm_free_agp(DRM_AGP_MEM * handle, int pages);
extern int drm_bind_agp(DRM_AGP_MEM * handle, unsigned int start);
extern DRM_AGP_MEM *drm_agp_bind_pages(struct drm_device *dev,
-@@ -1383,12 +1429,8 @@ extern void drm_core_reclaim_buffers(struct drm_device *dev,
+@@ -1389,12 +1429,8 @@ extern void drm_core_reclaim_buffers(struct drm_device *dev,
/* IRQ support (drm_irq.h) */
extern int drm_control(struct drm_device *dev, void *data,
struct drm_file *file_priv);
@@ -105658,7 +105837,7 @@ index bf4b2dc..dd73104 100644
extern int drm_vblank_init(struct drm_device *dev, int num_crtcs);
extern int drm_wait_vblank(struct drm_device *dev, void *data,
-@@ -1464,6 +1506,7 @@ extern void drm_master_put(struct drm_master **master);
+@@ -1470,6 +1506,7 @@ extern void drm_master_put(struct drm_master **master);
extern void drm_put_dev(struct drm_device *dev);
extern int drm_put_minor(struct drm_minor **minor);
@@ -105666,7 +105845,7 @@ index bf4b2dc..dd73104 100644
extern unsigned int drm_debug;
extern unsigned int drm_vblank_offdelay;
-@@ -1502,6 +1545,32 @@ extern int drm_vblank_info(struct seq_file *m, void *data);
+@@ -1508,6 +1545,32 @@ extern int drm_vblank_info(struct seq_file *m, void *data);
extern int drm_clients_info(struct seq_file *m, void* data);
extern int drm_gem_name_info(struct seq_file *m, void *data);
@@ -105699,7 +105878,7 @@ index bf4b2dc..dd73104 100644
#if DRM_DEBUG_CODE
extern int drm_vma_info(struct seq_file *m, void *data);
#endif
-@@ -1697,5 +1766,13 @@ extern void drm_platform_exit(struct drm_driver *driver, struct platform_device
+@@ -1703,5 +1766,13 @@ extern void drm_platform_exit(struct drm_driver *driver, struct platform_device
extern int drm_get_platform_dev(struct platform_device *pdev,
struct drm_driver *driver);
diff --git a/debian/patches/features/arm/ahci-Add-JMicron-362-device-IDs.patch b/debian/patches/features/arm/ahci-Add-JMicron-362-device-IDs.patch
deleted file mode 100644
index 1d8fbe8..0000000
--- a/debian/patches/features/arm/ahci-Add-JMicron-362-device-IDs.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Mon, 10 Sep 2012 01:09:04 +0100
-Subject: ahci: Add JMicron 362 device IDs
-
-commit 1fefb8fdc6562057a0e4e4542f3d4323981c9686 upstream.
-
-The JMicron JMB362 controller supports AHCI only, but some revisions
-use the IDE class code. These need to be matched by device ID.
-
-These additions have apparently been included by QNAP in their NAS
-devices using these controllers.
-
-References: http://bugs.debian.org/634180
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: Jeff Garzik <jgarzik at redhat.com>
----
- drivers/ata/ahci.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index 50d5dea..c3f52eb 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -268,6 +268,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- /* JMicron 360/1/3/5/6, match class to avoid IDE function */
- { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
- PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr },
-+ /* JMicron 362B and 362C have an AHCI function with IDE class code */
-+ { PCI_VDEVICE(JMICRON, 0x2362), board_ahci_ign_iferr },
-+ { PCI_VDEVICE(JMICRON, 0x236f), board_ahci_ign_iferr },
-
- /* ATI */
- { PCI_VDEVICE(ATI, 0x4380), board_ahci_sb600 }, /* ATI SB600 */
diff --git a/debian/patches/series b/debian/patches/series
index 016e277..7501feb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -394,7 +394,6 @@ features/all/bql/skge-add-byte-queue-limit-support.patch
bugfix/all/PCI-PM-Runtime-make-PCI-traces-quieter.patch
features/all/USB-add-USB_VENDOR_AND_INTERFACE_INFO-macro.patch
-features/arm/ahci-Add-JMicron-362-device-IDs.patch
debian/perf-hide-abi-change-in-3.2.30.patch
debian/iwlwifi-do-not-request-unreleased-firmware.patch
debian/hid-avoid-ABI-change-in-3.2.31.patch
@@ -1160,33 +1159,11 @@ debian/bh-avoid-abi-change-in-3.2.71.patch
debian/x86-mm-avoid-abi-change-in-3.2.72.patch
bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
-bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
-bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
-bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
-bugfix/x86/kvm-svm-unconditionally-intercept-db.patch
-bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
-bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
debian/af_unix-avoid-abi-changes.patch
-bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch
-bugfix/all/xen-add-ring_copy_request.patch
-bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
-bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
-bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch
-bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch
-bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch
-bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
-bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
-bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
-bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
-bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
-bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
-bugfix/all/keys-fix-race-between-read-and-revoke.patch
-bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
-bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
-bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
bugfix/all/drm-radeon-fix-hotplug-race-at-startup.patch
bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
+debian/enclosure-fix-abi-change-in-2.6.32.70.patch
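Review bot: The added series entry `debian/enclosure-fix-abi-change-in-2.6.32.70.patch` is named after 2.6.32.70, while the neighbouring debian/ ABI patches in this series are named after the 3.2.y release they compensate for (for example `debian/x86-mm-avoid-abi-change-in-3.2.72.patch`). Renaming it for the 3.2.y release, or explaining the shared name in the patch header, would make the series easier to audit.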
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git