[linux] 01/01: Update to 3.16.7-ckt22

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Jan 24 04:14:51 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 2e38dbab71997431bd3351b2a47d3fe2152e3004
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Jan 24 03:06:40 2016 +0000

    Update to 3.16.7-ckt22
    
    - Drop many patches which went upstream
    - Ignore ABI changes due to "ipv6: add complete rcu protection around np->opt"
      and un-export of block function not needed by modules
    - Fix ABI change in drm
---
 debian/changelog                                   | 239 ++++++++++++++-
 debian/config/defines                              |  12 +
 ...alidate-socket-address-length-in-sco_sock.patch |  22 --
 ...runcation-of-compressed-and-inlined-exten.patch | 283 ------------------
 .../keys-fix-race-between-read-and-revoke.patch    | 110 -------
 ...alidation-for-the-socket-syscall-protocol.patch |  82 ------
 ...-sockaddr_len-in-pptp_bind-and-pptp_conne.patch |  34 ---
 ...-when-sending-a-message-on-unbound-socket.patch |  69 -----
 ...lice-sendfile-at-once-fails-for-big-files.patch | 132 ---------
 ...id-use-after-free-in-ep_remove_wait_queue.patch | 325 ---------------------
 ...node-allocations-in-post-growfs-disk-spac.patch | 149 ----------
 ...oad-pit-counters-for-all-channels-when-re.patch |  53 ----
 ...sable-psmi-sleep-messages-on-all-rings-ar.patch | 150 ----------
 .../x86/kvm-svm-unconditionally-intercept-DB.patch |  80 -----
 ...-intercept-ac-to-avoid-guest-host-exploit.patch |  38 ---
 ...x-avoid-guest-host-dos-by-intercepting-ac.patch |  42 ---
 .../drm-fix-abi-change-in-3.16.7-ckt22.patch       |  25 ++
 debian/patches/series                              |  15 +-
 18 files changed, 273 insertions(+), 1587 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 90c057c..e7feb3b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,241 @@
-linux (3.16.7-ckt20-2) UNRELEASED; urgency=medium
+linux (3.16.7-ckt22-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt21
+    - irda: precedence bug in irlmp_seq_hb_idx()
+    - macvtap: unbreak receiving of gro skb with frag list
+    - RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in
+      rds_tcp_data_recv
+    - stmmac: Correctly report PTP capabilities.
+    - ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH()
+      in preemptible context.
+    - sit: fix sit0 percpu double allocations
+    - packet: race condition in packet_bind
+    - net: avoid NULL deref in inet_ctl_sock_destroy()
+    - net: fix a race in dst_release()
+    - Failing to send a CLOSE if file is opened WRONLY and server reboots on a
+      4.x mount
+    - [x86] xen: Do not clip xen_e820_map to xen_e820_map_entries when
+      sanitizing map
+    - HID: core: Avoid uninitialized buffer access
+    - [media] v4l2-compat-ioctl32: fix alignment for ARM64
+    - [armhf] net: mvneta: Fix CPU_MAP registers initialisation
+    - mtd: mtdpart: fix add_mtd_partitions error path
+    - [armel,armhf] 8426/1: dma-mapping: add missing range check in dma_mmap()
+    - [armel,armhf] 8427/1: dma-mapping: add support for offset parameter in
+      dma_mmap()
+    - spi: ti-qspi: Fix data corruption seen on r/w stress test
+    - lockd: create NSM handles per net namespace
+    - Btrfs: fix file corruption and data loss after cloning inline extents
+    - [armel,armhf] common: edma: Fix channel parameter for irq callbacks
+    - [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
+    - ext4: fix potential use after free in __ext4_journal_stop
+    - ext4: fix calculation of meta_bg descriptor backups
+    - ext4, jbd2: ensure entering into panic after recording an error in
+      superblock
+    - vTPM: fix memory allocation flag for rtce buffer at kernel boot
+    - spi: dw: explicitly free IRQ handler in dw_spi_remove_host()
+    - media: vb2 dma-contig: Fully cache synchronise buffers in prepare and
+      finish
+    - Bluetooth: hidp: fix device disconnect on idle timeout
+    - Bluetooth: ath3k: Add new AR3012 0930:021c id
+    - Bluetooth: ath3k: Add support of AR3012 0cf3:817b device
+    - spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word
+    - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
+    - [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after
+      resume back
+    - megaraid_sas: Do not use PAGE_SIZE for max_sectors
+    - [s390x] KVM: SCA must not cross page boundaries
+    - [arm64] Fix compat register mappings
+    - can: Use correct type in sizeof() in nla_put()
+    - mtd: blkdevs: fix potential deadlock + lockdep warnings
+    - Revert "dm mpath: fix stalls when handling invalid ioctls"
+    - [x86] drm/i915: add quirk to enable backlight on Dell Chromebook 11 (2015)
+    - crypto: algif_hash - Only export and import on sockets with data
+    - xtensa: fixes for configs without loop option
+    - megaraid_sas : do not access user memory from IOCTL code
+    - mac80211: fix divide by zero when NOA update
+    - mac80211: allow null chandef in tracing
+    - [x86] KVM: VMX: fix SMEP and SMAP without EPT
+    - [armhf] thermal: exynos: Fix unbalanced regulator disable on probe failure
+    - [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b
+    - firewire: ohci: fix JMicron JMB38x IT context discovery
+    - scsi: restart list search after unlock in scsi_remove_target
+    - mm: slab: only move management objects off-slab for sizes larger than
+      KMALLOC_MIN_SIZE
+    - [x86] Input: elantech - add Fujitsu Lifebook U745 to force crc_enabled
+    - proc: actually make proc_fd_permission() thread-friendly
+    - [x86] setup: Extend low identity map to cover whole kernel range
+    - [x86] setup: Fix low identity map for >= 2GB kernel range
+    - [x86] cpu: Call verify_cpu() after having entered long mode too
+    - Btrfs: fix race leading to incorrect item deletion when dropping extents
+    - Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
+    - perf: Fix inherited events vs. tracepoint filters
+    - scsi_sysfs: Fix queue_ramp_up_period return code
+    - Btrfs: fix race when listing an inode's xattrs
+    - [x86] ideapad-laptop: Add Lenovo Yoga 900 to no_hw_rfkill dmi list
+    - [x86] storvsc: Don't set the SRB_FLAGS_QUEUE_ACTION_ENABLE flag
+    - [x86] KVM: Defining missing x86 vectors
+    - drivers: of: of_reserved_mem: fixup the alignment with CMA setup
+    - drm/ast: Initialized data needed to map fbdev memory
+    - FS-Cache: Increase reference of parent after registering, netfs success
+    - FS-Cache: Don't override netfs's primary_index if registering failed
+    - binfmt_elf: Don't clobber passed executable's file header
+    - fs/pipe.c: return error code rather than 0 in pipe_write()
+    - mac80211: fix driver RSSI event calculations
+    - wm831x_power: Use IRQF_ONESHOT to request threaded IRQs
+    - mwifiex: fix mwifiex_rdeeprom_read()
+    - dmaengine: dw: convert to __ffs()
+    - usb: ehci-orion: fix probe for !GENERIC_PHY
+    - devres: fix a for loop bounds check
+    - netfilter: remove dead code
+    - ipv4: Fix ip_queue_xmit to pass sk into ip_local_out_sk
+    - packet: fix match_fanout_group()
+    - hsi: fix double kfree
+    - hsi: omap_ssi_port: Prevent warning if cawake_gpio is not defined.
+    - ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in
+    - drm: Fix return value of drm_framebuffer_init()
+    - ALSA: fireworks: use u32 type for be32_to_cpup() macro
+    - ALSA: bebob: use correct type for __be32 data
+    - tcp: apply Kern's check on RTTs used for congestion control
+    - clk: versatile-icst: fix memory leak
+    - mfd: twl6040: Fix deferred probe handling for clk32k
+    - of/fdt: fix error checking for earlycon address
+    - netfilter: nfnetlink: don't probe module if it exists
+    - xprtrdma: Re-arm after missed events
+    - ceph: fix message length computation
+    - ipv6: fix tunnel error handling
+    - perf trace: Fix documentation for -i
+    - bonding: fix panic on non-ARPHRD_ETHER enslave failure
+    - rtc: ds1307: Fix alarm programming for mcp794xx
+    - TPM: Avoid reference to potentially freed memory
+    - md/raid0: update queue parameter in a safer location.
+    - md/raid0: apply base queue limits *before* disk_stack_limits
+    - drm/radeon: add quirk for MSI R7 370
+    - drm/radeon: add quirk for ASUS R7 370
+    - drm/radeon: fix quirk for MSI R7 370 Armor 2X
+    - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
+    - fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
+    - ALSA: hda - Disable 64bit address for Creative HDA controllers
+    - printk: prevent userland from spoofing kernel messages
+    - FS-Cache: Handle a write to the page immediately beyond the EOF marker
+    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt22
+    - iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
+    - iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
+    - iio: ad5064: Fix ad5629/ad5669 shift
+    - iio:ad7793: Fix ad7785 product ID
+    - [x86] fpu: Fix 32-bit signal frame handling
+    - iio: adc: xilinx: Fix VREFN scale
+    - [x86] drm/i915: quirk backlight present on Macbook 4, 1
+    - USB: qcserial: Add support for Quectel EC20 Mini PCIe module
+    - USB: serial: option: add support for Novatel MiFi USB620L
+    - USB: ti_usb_3410_5052: Add Honeywell HGI80 ID
+    - [x86] drm/i915: get runtime PM reference around GEM set_caching IOCTL
+    - drm/radeon: unconditionally set sysfs_initialized
+    - USB: qcserial: Fix support for HP lt4112 LTE/HSPA+ Gobi 4G Modem
+    - [arm64] kernel: pause/unpause function graph tracer in cpu_suspend()
+    - usb: dwc3: gadget: let us set lower max_speed
+    - usb: chipidea: debug: disable usb irq while role switch
+    - xhci: Workaround to get Intel xHCI reset working more reliably
+    - xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices
+    - [x86] cpu: Fix SMAP check in PVOPS environments
+    - [arm64] restore bogomips information in /proc/cpuinfo
+    - USB: option: add XS Stick W100-2 from 4G Systems
+    - usblp: do not set TASK_INTERRUPTIBLE before lock
+    - fat: fix fake_offset handling on error path
+    - kernel/signal.c: unexport sigsuspend()
+    - ocfs2: fix umask ignored issue
+    - mmc: remove bondage between REQ_META and reliable write
+    - packet: do skb_probe_transport_header when we actually have data
+    - packet: only allow extra vlan len on ethernet devices
+    - packet: fix tpacket_snd max frame len
+    - sctp: translate host order to network order when setting a hmacid
+    - net/mlx4_core: Avoid returning success in case of an error flow
+    - usb: musb: core: fix order of arguments to ulpi write callback
+    - FS-Cache: Add missing initialization of ret in cachefiles_write_page()
+    - macvlan: fix leak in macvlan_handle_frame
+    - packet: always probe for transport header
+    - packet: infer protocol from ethernet header if unset
+    - ip_tunnel: disable preemption when updating per-cpu tstats
+    - snmp: Remove duplicate OUTMCAST stat increment
+    - tcp: initialize tp->copied_seq in case of cross SYN connection
+    - net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
+    - net: ipmr: fix static mfc/dev leaks on table destruction
+    - net: ip6mr: fix static mfc/dev leaks on table destruction
+    - ipv6: distinguish frag queues by device for multicast and link-local
+      packets
+    - ipv6: add complete rcu protection around np->opt
+    - net/neighbour: fix crash at dumping device-agnostic proxy entries
+    - ipv6: sctp: implement sctp_v6_destroy_sock()
+    - xfs: allow inode allocations in post-growfs disk space (Closes: #802885)
+    - ALSA: usb-audio: add packet size quirk for the Medeli DD305
+    - ALSA: usb-audio: prevent CH345 multiport output SysEx corruption
+    - ALSA: usb-audio: work around CH345 input SysEx corruption
+    - dm thin: restore requested 'error_if_no_space' setting on OODS to WRITE
+      transition
+    - dm: fix ioctl retry termination with signal
+    - ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
+    - mac: validate mac_partition is within sector
+    - ALSA: hda - Apply HP headphone fixups more generically
+    - fix sysvfs symlinks
+    - vfs: Make sendfile(2) killable even better
+    - vfs: Avoid softlockups with sendfile(2)
+    - nfs4: start callback_ident at idr 1
+    - ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3
+    - [arm64] KVM: Fix AArch32 to AArch64 register mapping
+    - drm/radeon: make rv770_set_sw_state failures non-fatal
+    - ALSA: hda - Fix noise on Gigabyte Z170X mobo
+    - drm/radeon: make some dpm errors debug only
+    - nfs: if we have no valid attrs, then don't declare the attribute cache
+      valid
+    - xen/gntdev: Grant maps should not be subject to NUMA balancing
+    - iscsi-target: Fix rx_login_comp hang after login failure
+    - target: Fix race for SCF_COMPARE_AND_WRITE_POST checking
+    - target: fix COMPARE_AND_WRITE non zero SGL offset data corruption
+    - [armel/kirkwood] dts: Fix QNAP TS219 power-off
+    - netfilter: ipt_rpfilter: remove the nh_scope test in
+      rpfilter_lookup_reverse
+    - netfilter: nf_tables: fix bogus warning in nft_data_uninit()
+    - netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
+    - gre6: allow to update all parameters via rtnl
+    - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+    - sctp: use the same clock as if sock source timestamps were on
+    - sctp: update the netstamp_needed counter when copying sockets
+    - ipv6: sctp: clone options to avoid use after free
+    - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
+    - skbuff: Fix offset error in skb_reorder_vlan_header
+    - af_unix: Revert 'lock_interruptible' in stream receive code
+    - ip6mr: call del_timer_sync() in ip6mr_free_table()
+    - [x86] drm/i915: Disable PSMI sleep messages on all rings around context
+      switches (Closes: #777231)
+    - crypto: nx - Fix timing leak in GCM and CCM decryption
+    - crypto: talitos - Fix timing leak in ESP ICV verification
+    - ASoC: wm8962: correct addresses for HPF_C_0/1
+    - mac80211: mesh: fix call_rcu() usage
+    - mac80211: ensure we don't update tx power on a non-running sdata
+    - can: sja1000: clear interrupts on start
+    - ring-buffer: Update read stamp with first real commit on page
+    - block: Always check queue limits for cloned requests
+    - Fix a memory leak in scsi_host_dev_release()
+    - wan/x25: Fix use-after-free in x25_asy_open_tty()
+    - mac80211: do not actively scan DFS channels
+    - locking: Add WARN_ON_ONCE lock assertion
+    - drm: Fix an unwanted master inheritance v2
+    - sched/core: Clear the root_domain cpumasks in init_rootdomain()
+    - [x86] signal: Fix restart_syscall number for x32 tasks
+    - isdn: Partially revert debug format string usage clean up
+    - remoteproc: avoid stack overflow in debugfs file
+    - [armhf] net: mvneta: add configuration for MBUS windows access protection
+    - [armhf] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG
+    - [armhf] net: mvneta: fix bit assignment for RX packet irq enable
+    - ipv4: igmp: Allow removing groups from a removed interface
+    - sched/core: Remove false-positive warning from wake_up_process()
+    - btrfs: fix signed overflows in btrfs_sync_file
 
   [ Ben Hutchings ]
   * udeb: Add dm-service-time to multipath-modules (Closes: #806131)
-  * xfs: allow inode allocations in post-growfs disk space (Closes: #802885)
-  * [x86] drm/i915: Disable PSMI sleep messages on all rings around context
-    switches (Closes: #777231)
+  * net: Ignore ABI changes due to "ipv6: add complete rcu protection around
+    np->opt", which don't appear to affect out-of-tree modules
 
   [ Aurelien Jarno ]
   * [mips*] Add support for MIPS 5KE CPU.
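Review bot: The [ Ben Hutchings ] section of this entry records only the net ABI ignore, while the commit message also lists an ignored un-export of a block function and "Fix ABI change in drm", and the diffstat adds drm-fix-abi-change-in-3.16.7-ckt22.patch. Neither of those has a changelog bullet in this hunk. Add one line for each, next to the "net: Ignore ABI changes ..." bullet, so the ABI handling for this upload can be audited from the package changelog alone.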
diff --git a/debian/config/defines b/debian/config/defines
index f56a8f6..2e5e424 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -29,11 +29,23 @@ ignore-changes:
  of_device_is_stdout_path
  module:sound/soc/*
 # Not needed by modules at all
+ blk_rq_check_limits
  clk_divider_ro_ops
  tick_nohz_idle_enter
  tick_nohz_idle_exit
 # Apparently not used from OOT
  skb_copy_and_csum_datagram_iovec
+ module:net/dccp/dccp
+ fl6_*
+ inet_sk_diag_fill
+ ip6_append_data
+ ip6_datagram_send_ctl
+ ip6_xmit
+ ipv6_dup_options
+ ipv6_fixup_options
+ ipv6_push_nfrag_opts
+ tcp_cong_avoid_ai
+ tcp_slow_start
 
 [base]
 arches:
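Review bot: tcp_cong_avoid_ai and tcp_slow_start are added under "# Apparently not used from OOT", but the commit message accounts only for the ipv6 np->opt change and one block un-export, and by name these two are TCP congestion-control helpers rather than part of the ipv6 options change. Say in the commit message or in a comment here which upstream change altered them and why out-of-tree users are not a concern. The fl6_* glob is also broader than the other entries, which name single symbols: listing the affected fl6_ symbols, or adding a comment that ties the whole block from module:net/dccp/dccp to ipv6_push_nfrag_opts to "ipv6: add complete rcu protection around np->opt", would keep a later unrelated fl6_ change from being ignored silently.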
diff --git a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch b/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
deleted file mode 100644
index 5d83efc..0000000
--- a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Tue, 15 Dec 2015 15:39:08 -0500
-Subject: bluetooth: Validate socket address length in sco_sock_bind().
-Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4
-
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/bluetooth/sco.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/bluetooth/sco.c
-+++ b/net/bluetooth/sco.c
-@@ -459,6 +459,9 @@ static int sco_sock_bind(struct socket *
- 	if (!addr || addr->sa_family != AF_BLUETOOTH)
- 		return -EINVAL;
- 
-+	if (addr_len < sizeof(struct sockaddr_sco))
-+		return -EINVAL;
-+
- 	lock_sock(sk);
- 
- 	if (sk->sk_state != BT_OPEN) {
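Review bot: Nothing in this commit shows that the sco_sock_bind() length check deleted here is present in 3.16.7-ckt22: the ckt21/ckt22 subject lists added to debian/changelog carry Bluetooth entries only for hidp and ath3k, not "bluetooth: Validate socket address length in sco_sock_bind()". Since the patch adds the only addr_len bound visible in that function (addr_len < sizeof(struct sockaddr_sco)), name the stable commit that replaces it in the changelog or commit message, or confirm the check is in the new upstream tree before the series entry is removed.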
diff --git a/debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch b/debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
deleted file mode 100644
index fa73700..0000000
--- a/debian/patches/bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
+++ /dev/null
@@ -1,283 +0,0 @@
-From: Filipe Manana <fdmanana at suse.com>
-Date: Fri, 16 Oct 2015 12:34:25 +0100
-Subject: Btrfs: fix truncation of compressed and inlined extents
-Origin: https://git.kernel.org/linus/0305cd5f7fca85dae392b9ba85b116896eb7c1c7
-
-When truncating a file to a smaller size which consists of an inline
-extent that is compressed, we did not discard (or made unusable) the
-data between the new file size and the old file size, wasting metadata
-space and allowing for the truncated data to be leaked and the data
-corruption/loss mentioned below.
-We were also not correctly decrementing the number of bytes used by the
-inode, we were setting it to zero, giving a wrong report for callers of
-the stat(2) syscall. The fsck tool also reported an error about a mismatch
-between the nbytes of the file versus the real space used by the file.
-
-Now because we weren't discarding the truncated region of the file, it
-was possible for a caller of the clone ioctl to actually read the data
-that was truncated, allowing for a security breach without requiring root
-access to the system, using only standard filesystem operations. The
-scenario is the following:
-
-   1) User A creates a file which consists of an inline and compressed
-      extent with a size of 2000 bytes - the file is not accessible to
-      any other users (no read, write or execution permission for anyone
-      else);
-
-   2) The user truncates the file to a size of 1000 bytes;
-
-   3) User A makes the file world readable;
-
-   4) User B creates a file consisting of an inline extent of 2000 bytes;
-
-   5) User B issues a clone operation from user A's file into its own
-      file (using a length argument of 0, clone the whole range);
-
-   6) User B now gets to see the 1000 bytes that user A truncated from
-      its file before it made its file world readbale. User B also lost
-      the bytes in the range [1000, 2000[ bytes from its own file, but
-      that might be ok if his/her intention was reading stale data from
-      user A that was never supposed to be public.
-
-Note that this contrasts with the case where we truncate a file from 2000
-bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In
-this case reading any byte from the range [1000, 2000[ will return a value
-of 0x00, instead of the original data.
-
-This problem exists since the clone ioctl was added and happens both with
-and without my recent data loss and file corruption fixes for the clone
-ioctl (patch "Btrfs: fix file corruption and data loss after cloning
-inline extents").
-
-So fix this by truncating the compressed inline extents as we do for the
-non-compressed case, which involves decompressing, if the data isn't already
-in the page cache, compressing the truncated version of the extent, writing
-the compressed content into the inline extent and then truncate it.
-
-The following test case for fstests reproduces the problem. In order for
-the test to pass both this fix and my previous fix for the clone ioctl
-that forbids cloning a smaller inline extent into a larger one,
-which is titled "Btrfs: fix file corruption and data loss after cloning
-inline extents", are needed. Without that other fix the test fails in a
-different way that does not leak the truncated data, instead part of
-destination file gets replaced with zeroes (because the destination file
-has a larger inline extent than the source).
-
-  seq=`basename $0`
-  seqres=$RESULT_DIR/$seq
-  echo "QA output created by $seq"
-  tmp=/tmp/$$
-  status=1	# failure is the default!
-  trap "_cleanup; exit \$status" 0 1 2 3 15
-
-  _cleanup()
-  {
-      rm -f $tmp.*
-  }
-
-  # get standard environment, filters and checks
-  . ./common/rc
-  . ./common/filter
-
-  # real QA test starts here
-  _need_to_be_root
-  _supported_fs btrfs
-  _supported_os Linux
-  _require_scratch
-  _require_cloner
-
-  rm -f $seqres.full
-
-  _scratch_mkfs >>$seqres.full 2>&1
-  _scratch_mount "-o compress"
-
-  # Create our test files. File foo is going to be the source of a clone operation
-  # and consists of a single inline extent with an uncompressed size of 512 bytes,
-  # while file bar consists of a single inline extent with an uncompressed size of
-  # 256 bytes. For our test's purpose, it's important that file bar has an inline
-  # extent with a size smaller than foo's inline extent.
-  $XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128"   \
-          -c "pwrite -S 0x2a 128 384" \
-          $SCRATCH_MNT/foo | _filter_xfs_io
-  $XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io
-
-  # Now durably persist all metadata and data. We do this to make sure that we get
-  # on disk an inline extent with a size of 512 bytes for file foo.
-  sync
-
-  # Now truncate our file foo to a smaller size. Because it consists of a
-  # compressed and inline extent, btrfs did not shrink the inline extent to the
-  # new size (if the extent was not compressed, btrfs would shrink it to 128
-  # bytes), it only updates the inode's i_size to 128 bytes.
-  $XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo
-
-  # Now clone foo's inline extent into bar.
-  # This clone operation should fail with errno EOPNOTSUPP because the source
-  # file consists only of an inline extent and the file's size is smaller than
-  # the inline extent of the destination (128 bytes < 256 bytes). However the
-  # clone ioctl was not prepared to deal with a file that has a size smaller
-  # than the size of its inline extent (something that happens only for compressed
-  # inline extents), resulting in copying the full inline extent from the source
-  # file into the destination file.
-  #
-  # Note that btrfs' clone operation for inline extents consists of removing the
-  # inline extent from the destination inode and copy the inline extent from the
-  # source inode into the destination inode, meaning that if the destination
-  # inode's inline extent is larger (N bytes) than the source inode's inline
-  # extent (M bytes), some bytes (N - M bytes) will be lost from the destination
-  # file. Btrfs could copy the source inline extent's data into the destination's
-  # inline extent so that we would not lose any data, but that's currently not
-  # done due to the complexity that would be needed to deal with such cases
-  # (specially when one or both extents are compressed), returning EOPNOTSUPP, as
-  # it's normally not a very common case to clone very small files (only case
-  # where we get inline extents) and copying inline extents does not save any
-  # space (unlike for normal, non-inlined extents).
-  $CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
-
-  # Now because the above clone operation used to succeed, and due to foo's inline
-  # extent not being shinked by the truncate operation, our file bar got the whole
-  # inline extent copied from foo, making us lose the last 128 bytes from bar
-  # which got replaced by the bytes in range [128, 256[ from foo before foo was
-  # truncated - in other words, data loss from bar and being able to read old and
-  # stale data from foo that should not be possible to read anymore through normal
-  # filesystem operations. Contrast with the case where we truncate a file from a
-  # size N to a smaller size M, truncate it back to size N and then read the range
-  # [M, N[, we should always get the value 0x00 for all the bytes in that range.
-
-  # We expected the clone operation to fail with errno EOPNOTSUPP and therefore
-  # not modify our file's bar data/metadata. So its content should be 256 bytes
-  # long with all bytes having the value 0xbb.
-  #
-  # Without the btrfs bug fix, the clone operation succeeded and resulted in
-  # leaking truncated data from foo, the bytes that belonged to its range
-  # [128, 256[, and losing data from bar in that same range. So reading the
-  # file gave us the following content:
-  #
-  # 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1
-  # *
-  # 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
-  # *
-  # 0000400
-  echo "File bar's content after the clone operation:"
-  od -t x1 $SCRATCH_MNT/bar
-
-  # Also because the foo's inline extent was not shrunk by the truncate
-  # operation, btrfs' fsck, which is run by the fstests framework everytime a
-  # test completes, failed reporting the following error:
-  #
-  #  root 5 inode 257 errors 400, nbytes wrong
-
-  status=0
-  exit
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Filipe Manana <fdmanana at suse.com>
----
- fs/btrfs/inode.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 68 insertions(+), 14 deletions(-)
-
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -3993,6 +3993,47 @@ out:
- 	return err;
- }
- 
-+static int truncate_inline_extent(struct inode *inode,
-+				  struct btrfs_path *path,
-+				  struct btrfs_key *found_key,
-+				  const u64 item_end,
-+				  const u64 new_size)
-+{
-+	struct extent_buffer *leaf = path->nodes[0];
-+	int slot = path->slots[0];
-+	struct btrfs_file_extent_item *fi;
-+	u32 size = (u32)(new_size - found_key->offset);
-+	struct btrfs_root *root = BTRFS_I(inode)->root;
-+
-+	fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
-+
-+	if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) {
-+		loff_t offset = new_size;
-+		loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE);
-+
-+		/*
-+		 * Zero out the remaining of the last page of our inline extent,
-+		 * instead of directly truncating our inline extent here - that
-+		 * would be much more complex (decompressing all the data, then
-+		 * compressing the truncated data, which might be bigger than
-+		 * the size of the inline extent, resize the extent, etc).
-+		 * We release the path because to get the page we might need to
-+		 * read the extent item from disk (data not in the page cache).
-+		 */
-+		btrfs_release_path(path);
-+		return btrfs_truncate_page(inode, offset, page_end - offset, 0);
-+	}
-+
-+	btrfs_set_file_extent_ram_bytes(leaf, fi, size);
-+	size = btrfs_file_extent_calc_inline_size(size);
-+	btrfs_truncate_item(root, path, size, 1);
-+
-+	if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
-+		inode_sub_bytes(inode, item_end + 1 - new_size);
-+
-+	return 0;
-+}
-+
- /*
-  * this can truncate away extent items, csum items and directory items.
-  * It starts at a high offset and removes keys until it can't find
-@@ -4162,27 +4203,40 @@ search_again:
- 			 * special encodings
- 			 */
- 			if (!del_item &&
--			    btrfs_file_extent_compression(leaf, fi) == 0 &&
- 			    btrfs_file_extent_encryption(leaf, fi) == 0 &&
- 			    btrfs_file_extent_other_encoding(leaf, fi) == 0) {
--				u32 size = new_size - found_key.offset;
--
--				if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
--					inode_sub_bytes(inode, item_end + 1 -
--							new_size);
- 
- 				/*
--				 * update the ram bytes to properly reflect
--				 * the new size of our item
-+				 * Need to release path in order to truncate a
-+				 * compressed extent. So delete any accumulated
-+				 * extent items so far.
- 				 */
--				btrfs_set_file_extent_ram_bytes(leaf, fi, size);
--				size =
--				    btrfs_file_extent_calc_inline_size(size);
--				btrfs_truncate_item(root, path, size, 1);
-+				if (btrfs_file_extent_compression(leaf, fi) !=
-+				    BTRFS_COMPRESS_NONE && pending_del_nr) {
-+					err = btrfs_del_items(trans, root, path,
-+							      pending_del_slot,
-+							      pending_del_nr);
-+					if (err) {
-+						btrfs_abort_transaction(trans,
-+									root,
-+									err);
-+						goto error;
-+					}
-+					pending_del_nr = 0;
-+				}
-+
-+				err = truncate_inline_extent(inode, path,
-+							     &found_key,
-+							     item_end,
-+							     new_size);
-+				if (err) {
-+					btrfs_abort_transaction(trans,
-+								root, err);
-+					goto error;
-+				}
- 			} else if (test_bit(BTRFS_ROOT_REF_COWS,
- 					    &root->state)) {
--				inode_sub_bytes(inode, item_end + 1 -
--						found_key.offset);
-+				inode_sub_bytes(inode, item_end + 1 - new_size);
- 			}
- 		}
- delete:
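Review bot: In the patch being dropped, the description and the code disagree on how compressed inline extents are truncated, which matters when checking that the ckt22 version is equivalent. The description says the fix decompresses, recompresses the truncated data and rewrites the inline extent, while the comment in truncate_inline_extent() says it only zeroes the remainder of the last page through btrfs_truncate_page() because resizing "would be much more complex". Compare the upstream stable code against the code here, not the description. Note also that the compressed branch returns before inode_sub_bytes() is reached, so the nbytes accounting the description mentions is adjusted only on the uncompressed path. The description further states that "Btrfs: fix file corruption and data loss after cloning inline extents" is required alongside this fix; that one is listed under ckt21 in the changelog, but this patch's own subject is not listed under either update.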
diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
deleted file mode 100644
index 87fe522..0000000
--- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Fri, 18 Dec 2015 01:34:26 +0000
-Subject: KEYS: Fix race between read and revoke
-Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
-
-This fixes CVE-2015-7550.
-
-There's a race between keyctl_read() and keyctl_revoke().  If the revoke
-happens between keyctl_read() checking the validity of a key and the key's
-semaphore being taken, then the key type read method will see a revoked key.
-
-This causes a problem for the user-defined key type because it assumes in
-its read method that there will always be a payload in a non-revoked key
-and doesn't check for a NULL pointer.
-
-Fix this by making keyctl_read() check the validity of a key after taking
-semaphore instead of before.
-
-I think the bug was introduced with the original keyrings code.
-
-This was discovered by a multithreaded test program generated by syzkaller
-(http://github.com/google/syzkaller).  Here's a cleaned up version:
-
-	#include <sys/types.h>
-	#include <keyutils.h>
-	#include <pthread.h>
-	void *thr0(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		keyctl_revoke(key);
-		return 0;
-	}
-	void *thr1(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		char buffer[16];
-		keyctl_read(key, buffer, 16);
-		return 0;
-	}
-	int main()
-	{
-		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
-		pthread_t th[5];
-		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
-		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
-		pthread_join(th[0], 0);
-		pthread_join(th[1], 0);
-		pthread_join(th[2], 0);
-		pthread_join(th[3], 0);
-		return 0;
-	}
-
-Build as:
-
-	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
-
-Run as:
-
-	while keyctl-race; do :; done
-
-as it may need several iterations to crash the kernel.  The crash can be
-summarised as:
-
-	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
-	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
-	...
-	Call Trace:
-	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
-	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
-	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- security/keys/keyctl.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -744,16 +744,16 @@ long keyctl_read_key(key_serial_t keyid,
- 
- 	/* the key is probably readable - now try to read it */
- can_read_key:
--	ret = key_validate(key);
--	if (ret == 0) {
--		ret = -EOPNOTSUPP;
--		if (key->type->read) {
--			/* read the data with the semaphore held (since we
--			 * might sleep) */
--			down_read(&key->sem);
-+	ret = -EOPNOTSUPP;
-+	if (key->type->read) {
-+		/* Read the data with the semaphore held (since we might sleep)
-+		 * to protect against the key being updated or revoked.
-+		 */
-+		down_read(&key->sem);
-+		ret = key_validate(key);
-+		if (ret == 0)
- 			ret = key->type->read(key, buffer, buflen);
--			up_read(&key->sem);
--		}
-+		up_read(&key->sem);
- 	}
- 
- error2:
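Review bot: in the keyctl_read_key() hunk, moving key_validate() inside the `if (key->type->read)` branch changes the result for key types that have no read method: an invalid key of such a type used to get key_validate()'s error and now gets -EOPNOTSUPP without being validated at all. If that is intended, say so in the description; otherwise keep a validity check on the path that skips the read. Separately, the description attributes the crash to the user-defined key type's read method not checking for a NULL payload, and this patch leaves that method untouched, so a NULL check there would be reasonable defence in depth.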
diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
deleted file mode 100644
index 5833731..0000000
--- a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Subject: net: add validation for the socket syscall protocol argument
-Date: Mon, 14 Dec 2015 17:17:49 +0100
-Origin: http://article.gmane.org/gmane.linux.network/391482
-
-郭永刚 reported that one could simply crash the kernel as root by
-using a simple program:
-
-	int socket_fd;
-	struct sockaddr_in addr;
-	addr.sin_port = 0;
-	addr.sin_addr.s_addr = INADDR_ANY;
-	addr.sin_family = 10;
-
-	socket_fd = socket(10,3,0x40000000);
-	connect(socket_fd , &addr,16);
-
-AF_INET, AF_INET6 sockets actually only support 8-bit protocol
-identifiers. inet_sock's skc_protocol field thus is sized accordingly,
-thus larger protocol identifiers simply cut off the higher bits and
-store a zero in the protocol fields.
-
-This could lead to e.g. NULL function pointer because as a result of
-the cut off inet_num is zero and we call down to inet_autobind, which
-is NULL for raw sockets.
-
-kernel: Call Trace:
-kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
-kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
-kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
-kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
-kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
-kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
-kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
-
-I found no particular commit which introduced this problem.
-
-CVE: CVE-2015-8543
-Reported-by: 郭永刚 <guoyonggang at 360.cn>
-Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
----
- net/ipv4/af_inet.c  | 3 +++
- net/ipv6/af_inet6.c | 3 +++
- net/socket.c        | 3 +++
- 3 files changed, 9 insertions(+)
-
---- a/net/ipv4/af_inet.c
-+++ b/net/ipv4/af_inet.c
-@@ -259,6 +259,9 @@ static int inet_create(struct net *net,
- 	int try_loading_module = 0;
- 	int err;
- 
-+	if (protocol >= IPPROTO_MAX)
-+		return -EINVAL;
-+
- 	sock->state = SS_UNCONNECTED;
- 
- 	/* Look for the requested type/protocol pair. */
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
- 	int try_loading_module = 0;
- 	int err;
- 
-+	if (protocol >= IPPROTO_MAX)
-+		return -EINVAL;
-+
- 	/* Look for the requested type/protocol pair. */
- lookup_protocol:
- 	err = -ESOCKTNOSUPPORT;
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1254,6 +1254,9 @@ int __sock_create(struct net *net, int f
- 		return -EAFNOSUPPORT;
- 	if (type < 0 || type >= SOCK_MAX)
- 		return -EINVAL;
-+	/* upper bound should be tested by per-protocol .create callbacks */
-+	if (protocol < 0)
-+		return -EINVAL;
- 
- 	/* Compatibility.
- 
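Review bot: the comment added in __sock_create() says the upper bound is left to the per-protocol .create callbacks, but this patch only adds `protocol >= IPPROTO_MAX` to inet_create() and inet6_create(). Any other family whose create callback stores the protocol in a narrower field would hit the same truncation the description gives for skc_protocol, so either audit those callbacks as part of this change or state in the description that they were checked. The description could also say explicitly that the reproducer's 0x40000000 is the value that truncates to zero, since that is what the new check rejects.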
diff --git a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch b/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
deleted file mode 100644
index 3c8b7bf..0000000
--- a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Mon, 14 Dec 2015 13:48:36 -0800
-Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
-Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1
-
-Reported-by: Dmitry Vyukov <dvyukov at gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/net/ppp/pptp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -420,6 +420,9 @@ static int pptp_bind(struct socket *sock
- 	struct pptp_opt *opt = &po->proto.pptp;
- 	int error = 0;
- 
-+	if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+		return -EINVAL;
-+
- 	lock_sock(sk);
- 
- 	opt->src_addr = sp->sa_addr.pptp;
-@@ -441,6 +444,9 @@ static int pptp_connect(struct socket *s
- 	struct flowi4 fl4;
- 	int error = 0;
- 
-+	if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+		return -EINVAL;
-+
- 	if (sp->sa_protocol != PX_PROTO_PPTP)
- 		return -EINVAL;
- 
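Review bot: the patch header has only a subject and tags, with no description of what a short sockaddr_len leads to in pptp_bind() and pptp_connect(). Add a sentence on the impact: without the new checks, `sp->sa_addr.pptp` and `sp->sa_protocol` are read regardless of how many bytes the caller actually supplied. That also documents why the check in pptp_connect() has to come before the existing `sp->sa_protocol != PX_PROTO_PPTP` test.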
diff --git a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch b/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
deleted file mode 100644
index 22d1a5b..0000000
--- a/debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
-Subject: RDS: fix race condition when sending a message on unbound socket.
-Date: Fri, 16 Oct 2015 17:11:42 +0200
-Origin: https://lkml.org/lkml/2015/10/16/530
-
-Sasha's found a NULL pointer dereference in the RDS connection code when
-sending a message to an apparently unbound socket.  The problem is caused
-by the code checking if the socket is bound in rds_sendmsg(), which checks
-the rs_bound_addr field without taking a lock on the socket.  This opens a
-race where rs_bound_addr is temporarily set but where the transport is not
-in rds_bind(), leading to a NULL pointer dereference when trying to
-dereference 'trans' in __rds_conn_create().
-
-Vegard wrote a reproducer for this issue, so kindly ask him to share if
-you're interested.
-
-I cannot reproduce the NULL pointer dereference using Vegard's reproducer
-with this patch, whereas I could without.
-
-Complete earlier incomplete fix to CVE-2015-6937:
-
-  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
-
-Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
-Reviewed-by: Vegard Nossum <vegard.nossum at oracle.com>
-Reviewed-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: Vegard Nossum <vegard.nossum at oracle.com>
-Cc: Sasha Levin <sasha.levin at oracle.com>
-Cc: Chien Yen <chien.yen at oracle.com>
-Cc: Santosh Shilimkar <santosh.shilimkar at oracle.com>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: stable at vger.kernel.org
----
- net/rds/connection.c | 6 ------
- net/rds/send.c       | 4 +++-
- 2 files changed, 3 insertions(+), 7 deletions(-)
-
---- a/net/rds/connection.c
-+++ b/net/rds/connection.c
-@@ -183,12 +183,6 @@ static struct rds_connection *__rds_conn
- 		}
- 	}
- 
--	if (trans == NULL) {
--		kmem_cache_free(rds_conn_slab, conn);
--		conn = ERR_PTR(-ENODEV);
--		goto out;
--	}
--
- 	conn->c_trans = trans;
- 
- 	ret = trans->conn_alloc(conn, gfp);
---- a/net/rds/send.c
-+++ b/net/rds/send.c
-@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
- 		release_sock(sk);
- 	}
- 
--	/* racing with another thread binding seems ok here */
-+	lock_sock(sk);
- 	if (daddr == 0 || rs->rs_bound_addr == 0) {
-+		release_sock(sk);
- 		ret = -ENOTCONN; /* XXX not a great errno */
- 		goto out;
- 	}
-+	release_sock(sk);
- 
- 	/* size of rm including all sgs */
- 	ret = rds_rm_size(msg, payload_len);
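Review bot: the connection.c hunk deletes the `trans == NULL` check that sat directly before `conn->c_trans = trans;` and `trans->conn_alloc(conn, gfp)`, so __rds_conn_create() now relies entirely on the locked check added in rds_sendmsg(). The send.c change covers that one caller only; keep the NULL check as a cheap guard, or explain in the description why no other path can reach __rds_conn_create() with a NULL transport. Since the lock is dropped again right after the rs_bound_addr test, a short comment on what the lock_sock()/release_sock() pair is ordering against would also help, now that the old "racing with another thread binding seems ok here" comment is gone.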
diff --git a/debian/patches/bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch b/debian/patches/bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
deleted file mode 100644
index 67afaea..0000000
--- a/debian/patches/bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From: Christophe Leroy <christophe.leroy at c-s.fr>
-Date: Wed, 6 May 2015 17:26:47 +0200
-Subject: splice: sendfile() at once fails for big files
-Bug-Debian: https://bugs.debian.org/785189
-Origin: https://git.kernel.org/linus/0ff28d9f4674d781e492bcff6f32f0fe48cf0fed
-
-Using sendfile with below small program to get MD5 sums of some files,
-it appear that big files (over 64kbytes with 4k pages system) get a
-wrong MD5 sum while small files get the correct sum.
-This program uses sendfile() to send a file to an AF_ALG socket
-for hashing.
-
-/* md5sum2.c */
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <linux/if_alg.h>
-
-int main(int argc, char **argv)
-{
-	int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
-	struct stat st;
-	struct sockaddr_alg sa = {
-		.salg_family = AF_ALG,
-		.salg_type = "hash",
-		.salg_name = "md5",
-	};
-	int n;
-
-	bind(sk, (struct sockaddr*)&sa, sizeof(sa));
-
-	for (n = 1; n < argc; n++) {
-		int size;
-		int offset = 0;
-		char buf[4096];
-		int fd;
-		int sko;
-		int i;
-
-		fd = open(argv[n], O_RDONLY);
-		sko = accept(sk, NULL, 0);
-		fstat(fd, &st);
-		size = st.st_size;
-		sendfile(sko, fd, &offset, size);
-		size = read(sko, buf, sizeof(buf));
-		for (i = 0; i < size; i++)
-			printf("%2.2x", buf[i]);
-		printf("  %s\n", argv[n]);
-		close(fd);
-		close(sko);
-	}
-	exit(0);
-}
-
-Test below is done using official linux patch files. First result is
-with a software based md5sum. Second result is with the program above.
-
-root at vgoip:~# ls -l patch-3.6.*
--rw-r--r--    1 root     root         64011 Aug 24 12:01 patch-3.6.2.gz
--rw-r--r--    1 root     root         94131 Aug 24 12:01 patch-3.6.3.gz
-
-root at vgoip:~# md5sum patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
-c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
-
-root at vgoip:~# ./md5sum2 patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
-5fd77b24e68bb24dcc72d6e57c64790e  patch-3.6.3.gz
-
-After investivation, it appears that sendfile() sends the files by blocks
-of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
-block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
-is reset as if it was the end of the file.
-
-This patch adds SPLICE_F_MORE to the flags when more data is pending.
-
-With the patch applied, we get the correct sums:
-
-root at vgoip:~# md5sum patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
-c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
-
-root at vgoip:~# ./md5sum2 patch-3.6.*
-b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
-c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
-
-Signed-off-by: Christophe Leroy <christophe.leroy at c-s.fr>
-Signed-off-by: Jens Axboe <axboe at fb.com>
----
- fs/splice.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
---- a/fs/splice.c
-+++ b/fs/splice.c
-@@ -1176,7 +1176,7 @@ ssize_t splice_direct_to_actor(struct fi
- 	long ret, bytes;
- 	umode_t i_mode;
- 	size_t len;
--	int i, flags;
-+	int i, flags, more;
- 
- 	/*
- 	 * We require the input being a regular file, as we don't want to
-@@ -1219,6 +1219,7 @@ ssize_t splice_direct_to_actor(struct fi
- 	 * Don't block on output, we have to drain the direct pipe.
- 	 */
- 	sd->flags &= ~SPLICE_F_NONBLOCK;
-+	more = sd->flags & SPLICE_F_MORE;
- 
- 	while (len) {
- 		size_t read_len;
-@@ -1232,6 +1233,15 @@ ssize_t splice_direct_to_actor(struct fi
- 		sd->total_len = read_len;
- 
- 		/*
-+		 * If more data is pending, set SPLICE_F_MORE
-+		 * If this is the last data and SPLICE_F_MORE was not set
-+		 * initially, clears it.
-+		 */
-+		if (read_len < len)
-+			sd->flags |= SPLICE_F_MORE;
-+		else if (!more)
-+			sd->flags &= ~SPLICE_F_MORE;
-+		/*
- 		 * NOTE: nonblocking mode only applies to the input. We
- 		 * must not do the output in nonblocking mode as then we
- 		 * could get stuck data in the internal pipe:
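Review bot: in the last fs/splice.c hunk, the existing `/*` NOTE comment starts on the line immediately after `sd->flags &= ~SPLICE_F_MORE;`, with no blank line, so the flag update reads as part of the nonblocking note. Add a blank line after the else branch and tidy the new comment ("clears it" should be "clear it", and the first sentence has no full stop). It would also help to say in the comment that sd->flags is modified in place on every iteration, with `more` only remembering whether the caller originally set SPLICE_F_MORE.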
diff --git a/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch b/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
deleted file mode 100644
index ae38daa..0000000
--- a/debian/patches/bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+++ /dev/null
@@ -1,325 +0,0 @@
-From: Rainer Weikusat <rweikusat at mobileactivedefense.com>
-Date: Fri, 20 Nov 2015 22:07:23 +0000
-Subject: unix: avoid use-after-free in ep_remove_wait_queue
-Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git//commit?id=7d267278a9ece963d77eefec61630223fce08c6c
-
-Rainer Weikusat <rweikusat at mobileactivedefense.com> writes:
-An AF_UNIX datagram socket being the client in an n:1 association with
-some server socket is only allowed to send messages to the server if the
-receive queue of this socket contains at most sk_max_ack_backlog
-datagrams. This implies that prospective writers might be forced to go
-to sleep despite none of the message presently enqueued on the server
-receive queue were sent by them. In order to ensure that these will be
-woken up once space becomes again available, the present unix_dgram_poll
-routine does a second sock_poll_wait call with the peer_wait wait queue
-of the server socket as queue argument (unix_dgram_recvmsg does a wake
-up on this queue after a datagram was received). This is inherently
-problematic because the server socket is only guaranteed to remain alive
-for as long as the client still holds a reference to it. In case the
-connection is dissolved via connect or by the dead peer detection logic
-in unix_dgram_sendmsg, the server socket may be freed despite "the
-polling mechanism" (in particular, epoll) still has a pointer to the
-corresponding peer_wait queue. There's no way to forcibly deregister a
-wait queue with epoll.
-
-Based on an idea by Jason Baron, the patch below changes the code such
-that a wait_queue_t belonging to the client socket is enqueued on the
-peer_wait queue of the server whenever the peer receive queue full
-condition is detected by either a sendmsg or a poll. A wake up on the
-peer queue is then relayed to the ordinary wait queue of the client
-socket via wake function. The connection to the peer wait queue is again
-dissolved if either a wake up is about to be relayed or the client
-socket reconnects or a dead peer is detected or the client socket is
-itself closed. This enables removing the second sock_poll_wait from
-unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
-that no blocked writer sleeps forever.
-
-Signed-off-by: Rainer Weikusat <rweikusat at mobileactivedefense.com>
-Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
-Reviewed-by: Jason Baron <jbaron at akamai.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
----
- include/net/af_unix.h |   1 +
- net/unix/af_unix.c    | 183 ++++++++++++++++++++++++++++++++++++++++++++------
- 2 files changed, 165 insertions(+), 19 deletions(-)
-
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -63,6 +63,7 @@ struct unix_sock {
- #define UNIX_GC_CANDIDATE	0
- #define UNIX_GC_MAYBE_CYCLE	1
- 	struct socket_wq	peer_wq;
-+	wait_queue_t		peer_wake;
- };
- 
- static inline struct unix_sock *unix_sk(struct sock *sk)
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -316,6 +316,118 @@ found:
- 	return s;
- }
- 
-+/* Support code for asymmetrically connected dgram sockets
-+ *
-+ * If a datagram socket is connected to a socket not itself connected
-+ * to the first socket (eg, /dev/log), clients may only enqueue more
-+ * messages if the present receive queue of the server socket is not
-+ * "too large". This means there's a second writeability condition
-+ * poll and sendmsg need to test. The dgram recv code will do a wake
-+ * up on the peer_wait wait queue of a socket upon reception of a
-+ * datagram which needs to be propagated to sleeping would-be writers
-+ * since these might not have sent anything so far. This can't be
-+ * accomplished via poll_wait because the lifetime of the server
-+ * socket might be less than that of its clients if these break their
-+ * association with it or if the server socket is closed while clients
-+ * are still connected to it and there's no way to inform "a polling
-+ * implementation" that it should let go of a certain wait queue
-+ *
-+ * In order to propagate a wake up, a wait_queue_t of the client
-+ * socket is enqueued on the peer_wait queue of the server socket
-+ * whose wake function does a wake_up on the ordinary client socket
-+ * wait queue. This connection is established whenever a write (or
-+ * poll for write) hit the flow control condition and broken when the
-+ * association to the server socket is dissolved or after a wake up
-+ * was relayed.
-+ */
-+
-+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
-+				      void *key)
-+{
-+	struct unix_sock *u;
-+	wait_queue_head_t *u_sleep;
-+
-+	u = container_of(q, struct unix_sock, peer_wake);
-+
-+	__remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
-+			    q);
-+	u->peer_wake.private = NULL;
-+
-+	/* relaying can only happen while the wq still exists */
-+	u_sleep = sk_sleep(&u->sk);
-+	if (u_sleep)
-+		wake_up_interruptible_poll(u_sleep, key);
-+
-+	return 0;
-+}
-+
-+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
-+{
-+	struct unix_sock *u, *u_other;
-+	int rc;
-+
-+	u = unix_sk(sk);
-+	u_other = unix_sk(other);
-+	rc = 0;
-+	spin_lock(&u_other->peer_wait.lock);
-+
-+	if (!u->peer_wake.private) {
-+		u->peer_wake.private = other;
-+		__add_wait_queue(&u_other->peer_wait, &u->peer_wake);
-+
-+		rc = 1;
-+	}
-+
-+	spin_unlock(&u_other->peer_wait.lock);
-+	return rc;
-+}
-+
-+static void unix_dgram_peer_wake_disconnect(struct sock *sk,
-+					    struct sock *other)
-+{
-+	struct unix_sock *u, *u_other;
-+
-+	u = unix_sk(sk);
-+	u_other = unix_sk(other);
-+	spin_lock(&u_other->peer_wait.lock);
-+
-+	if (u->peer_wake.private == other) {
-+		__remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
-+		u->peer_wake.private = NULL;
-+	}
-+
-+	spin_unlock(&u_other->peer_wait.lock);
-+}
-+
-+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
-+						   struct sock *other)
-+{
-+	unix_dgram_peer_wake_disconnect(sk, other);
-+	wake_up_interruptible_poll(sk_sleep(sk),
-+				   POLLOUT |
-+				   POLLWRNORM |
-+				   POLLWRBAND);
-+}
-+
-+/* preconditions:
-+ *	- unix_peer(sk) == other
-+ *	- association is stable
-+ */
-+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
-+{
-+	int connected;
-+
-+	connected = unix_dgram_peer_wake_connect(sk, other);
-+
-+	if (unix_recvq_full(other))
-+		return 1;
-+
-+	if (connected)
-+		unix_dgram_peer_wake_disconnect(sk, other);
-+
-+	return 0;
-+}
-+
- static inline int unix_writable(struct sock *sk)
- {
- 	return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
-@@ -420,6 +532,8 @@ static void unix_release_sock(struct soc
- 			skpair->sk_state_change(skpair);
- 			sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
- 		}
-+
-+		unix_dgram_peer_wake_disconnect(sk, skpair);
- 		sock_put(skpair); /* It may now die */
- 		unix_peer(sk) = NULL;
- 	}
-@@ -653,6 +767,7 @@ static struct sock *unix_create1(struct
- 	INIT_LIST_HEAD(&u->link);
- 	mutex_init(&u->readlock); /* single task reading lock */
- 	init_waitqueue_head(&u->peer_wait);
-+	init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
- 	unix_insert_socket(unix_sockets_unbound(sk), sk);
- out:
- 	if (sk == NULL)
-@@ -1020,6 +1135,8 @@ restart:
- 	if (unix_peer(sk)) {
- 		struct sock *old_peer = unix_peer(sk);
- 		unix_peer(sk) = other;
-+		unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
-+
- 		unix_state_double_unlock(sk, other);
- 
- 		if (other != old_peer)
-@@ -1459,6 +1576,7 @@ static int unix_dgram_sendmsg(struct kio
- 	struct scm_cookie tmp_scm;
- 	int max_level;
- 	int data_len = 0;
-+	int sk_locked;
- 
- 	if (NULL == siocb->scm)
- 		siocb->scm = &tmp_scm;
-@@ -1540,12 +1658,14 @@ restart:
- 		goto out_free;
- 	}
- 
-+	sk_locked = 0;
- 	unix_state_lock(other);
-+restart_locked:
- 	err = -EPERM;
- 	if (!unix_may_send(sk, other))
- 		goto out_unlock;
- 
--	if (sock_flag(other, SOCK_DEAD)) {
-+	if (unlikely(sock_flag(other, SOCK_DEAD))) {
- 		/*
- 		 *	Check with 1003.1g - what should
- 		 *	datagram error
-@@ -1553,10 +1673,14 @@ restart:
- 		unix_state_unlock(other);
- 		sock_put(other);
- 
-+		if (!sk_locked)
-+			unix_state_lock(sk);
-+
- 		err = 0;
--		unix_state_lock(sk);
- 		if (unix_peer(sk) == other) {
- 			unix_peer(sk) = NULL;
-+			unix_dgram_peer_wake_disconnect_wakeup(sk, other);
-+
- 			unix_state_unlock(sk);
- 
- 			unix_dgram_disconnected(sk, other);
-@@ -1582,21 +1706,38 @@ restart:
- 			goto out_unlock;
- 	}
- 
--	if (unix_peer(other) != sk && unix_recvq_full(other)) {
--		if (!timeo) {
--			err = -EAGAIN;
--			goto out_unlock;
-+	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
-+		if (timeo) {
-+			timeo = unix_wait_for_peer(other, timeo);
-+
-+			err = sock_intr_errno(timeo);
-+			if (signal_pending(current))
-+				goto out_free;
-+
-+			goto restart;
- 		}
- 
--		timeo = unix_wait_for_peer(other, timeo);
-+		if (!sk_locked) {
-+			unix_state_unlock(other);
-+			unix_state_double_lock(sk, other);
-+		}
- 
--		err = sock_intr_errno(timeo);
--		if (signal_pending(current))
--			goto out_free;
-+		if (unix_peer(sk) != other ||
-+		    unix_dgram_peer_wake_me(sk, other)) {
-+			err = -EAGAIN;
-+			sk_locked = 1;
-+			goto out_unlock;
-+		}
- 
--		goto restart;
-+		if (!sk_locked) {
-+			sk_locked = 1;
-+			goto restart_locked;
-+		}
- 	}
- 
-+	if (unlikely(sk_locked))
-+		unix_state_unlock(sk);
-+
- 	if (sock_flag(other, SOCK_RCVTSTAMP))
- 		__net_timestamp(skb);
- 	maybe_add_creds(skb, sock, other);
-@@ -1610,6 +1751,8 @@ restart:
- 	return len;
- 
- out_unlock:
-+	if (sk_locked)
-+		unix_state_unlock(sk);
- 	unix_state_unlock(other);
- out_free:
- 	kfree_skb(skb);
-@@ -2269,14 +2412,16 @@ static unsigned int unix_dgram_poll(stru
- 		return mask;
- 
- 	writable = unix_writable(sk);
--	other = unix_peer_get(sk);
--	if (other) {
--		if (unix_peer(other) != sk) {
--			sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
--			if (unix_recvq_full(other))
--				writable = 0;
--		}
--		sock_put(other);
-+	if (writable) {
-+		unix_state_lock(sk);
-+
-+		other = unix_peer(sk);
-+		if (other && unix_peer(other) != sk &&
-+		    unix_recvq_full(other) &&
-+		    unix_dgram_peer_wake_me(sk, other))
-+			writable = 0;
-+
-+		unix_state_unlock(sk);
- 	}
- 
- 	if (writable)
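Review bot: unix_dgram_peer_wake_disconnect_wakeup() passes sk_sleep(sk) straight to wake_up_interruptible_poll(), while unix_dgram_peer_wake_relay() tests `if (u_sleep)` first, under the comment "relaying can only happen while the wq still exists". If the wait queue can be absent in the relay path, explain why it cannot be in the disconnect path (both call sites shown run with the sk state lock held), or add the same check. In unix_dgram_sendmsg(), a comment at `restart_locked:` stating which of the two state locks are held on each entry would make the sk_locked bookkeeping at out_unlock easier to verify.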
diff --git a/debian/patches/bugfix/all/xfs-allow-inode-allocations-in-post-growfs-disk-spac.patch b/debian/patches/bugfix/all/xfs-allow-inode-allocations-in-post-growfs-disk-spac.patch
deleted file mode 100644
index 129d01d..0000000
--- a/debian/patches/bugfix/all/xfs-allow-inode-allocations-in-post-growfs-disk-spac.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From: Eric Sandeen <sandeen at redhat.com>
-Date: Thu, 24 Jul 2014 20:51:54 +1000
-Subject: xfs: allow inode allocations in post-growfs disk space
-Origin: https://git.kernel.org/linus/9de67c3ba9ea961ba420573d56479d09d33a7587
-Bug-Debian: https://bugs.debian.org/802885
-
-Today, if we perform an xfs_growfs which adds allocation groups,
-mp->m_maxagi is not properly updated when the growfs is complete.
-
-Therefore inodes will continue to be allocated only in the
-AGs which existed prior to the growfs, and the new space
-won't be utilized.
-
-This is because of this path in xfs_growfs_data_private():
-
-xfs_growfs_data_private
-	xfs_initialize_perag(mp, nagcount, &nagimax);
-		if (mp->m_flags & XFS_MOUNT_32BITINODES)
-			index = xfs_set_inode32(mp);
-		else
-			index = xfs_set_inode64(mp);
-
-		if (maxagi)
-			*maxagi = index;
-
-where xfs_set_inode* iterates over the (old) agcount in
-mp->m_sb.sb_agblocks, which has not yet been updated
-in the growfs path.  So "index" will be returned based on
-the old agcount, not the new one, and new AGs are not available
-for inode allocation.
-
-Fix this by explicitly passing the proper AG count (which
-xfs_initialize_perag() already has) down another level,
-so that xfs_set_inode* can make the proper decision about
-acceptable AGs for inode allocation in the potentially
-newly-added AGs.
-
-This has been broken since 3.7, when these two
-xfs_set_inode* functions were added in commit 2d2194f.
-Prior to that, we looped over "agcount" not sb_agblocks
-in these calculations.
-
-Signed-off-by: Eric Sandeen <sandeen at redhat.com>
-Reviewed-by: Brian Foster <bfoster at redhat.com>
-Signed-off-by: Dave Chinner <david at fromorbit.com>
----
- fs/xfs/xfs_mount.c |  4 ++--
- fs/xfs/xfs_super.c | 20 +++++++++++++-------
- fs/xfs/xfs_super.h |  4 ++--
- 3 files changed, 17 insertions(+), 11 deletions(-)
-
-diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
-index d5c44a6..f205a2c 100644
---- a/fs/xfs/xfs_mount.c
-+++ b/fs/xfs/xfs_mount.c
-@@ -250,9 +250,9 @@ xfs_initialize_perag(
- 		mp->m_flags &= ~XFS_MOUNT_32BITINODES;
- 
- 	if (mp->m_flags & XFS_MOUNT_32BITINODES)
--		index = xfs_set_inode32(mp);
-+		index = xfs_set_inode32(mp, agcount);
- 	else
--		index = xfs_set_inode64(mp);
-+		index = xfs_set_inode64(mp, agcount);
- 
- 	if (maxagi)
- 		*maxagi = index;
-diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
-index f2e5f8a..b475eb6 100644
---- a/fs/xfs/xfs_super.c
-+++ b/fs/xfs/xfs_super.c
-@@ -597,8 +597,13 @@ xfs_max_file_offset(
- 	return (((__uint64_t)pagefactor) << bitshift) - 1;
- }
- 
-+/*
-+ * xfs_set_inode32() and xfs_set_inode64() are passed an agcount
-+ * because in the growfs case, mp->m_sb.sb_agcount is not updated
-+ * yet to the potentially higher ag count.
-+ */
- xfs_agnumber_t
--xfs_set_inode32(struct xfs_mount *mp)
-+xfs_set_inode32(struct xfs_mount *mp, xfs_agnumber_t agcount)
- {
- 	xfs_agnumber_t	index = 0;
- 	xfs_agnumber_t	maxagi = 0;
-@@ -620,10 +625,10 @@ xfs_set_inode32(struct xfs_mount *mp)
- 		do_div(icount, sbp->sb_agblocks);
- 		max_metadata = icount;
- 	} else {
--		max_metadata = sbp->sb_agcount;
-+		max_metadata = agcount;
- 	}
- 
--	for (index = 0; index < sbp->sb_agcount; index++) {
-+	for (index = 0; index < agcount; index++) {
- 		ino = XFS_AGINO_TO_INO(mp, index, agino);
- 
- 		if (ino > XFS_MAXINUMBER_32) {
-@@ -648,11 +653,11 @@ xfs_set_inode32(struct xfs_mount *mp)
- }
- 
- xfs_agnumber_t
--xfs_set_inode64(struct xfs_mount *mp)
-+xfs_set_inode64(struct xfs_mount *mp, xfs_agnumber_t agcount)
- {
- 	xfs_agnumber_t index = 0;
- 
--	for (index = 0; index < mp->m_sb.sb_agcount; index++) {
-+	for (index = 0; index < agcount; index++) {
- 		struct xfs_perag	*pag;
- 
- 		pag = xfs_perag_get(mp, index);
-@@ -1188,6 +1193,7 @@ xfs_fs_remount(
- 	char			*options)
- {
- 	struct xfs_mount	*mp = XFS_M(sb);
-+	xfs_sb_t		*sbp = &mp->m_sb;
- 	substring_t		args[MAX_OPT_ARGS];
- 	char			*p;
- 	int			error;
-@@ -1208,10 +1214,10 @@ xfs_fs_remount(
- 			mp->m_flags &= ~XFS_MOUNT_BARRIER;
- 			break;
- 		case Opt_inode64:
--			mp->m_maxagi = xfs_set_inode64(mp);
-+			mp->m_maxagi = xfs_set_inode64(mp, sbp->sb_agcount);
- 			break;
- 		case Opt_inode32:
--			mp->m_maxagi = xfs_set_inode32(mp);
-+			mp->m_maxagi = xfs_set_inode32(mp, sbp->sb_agcount);
- 			break;
- 		default:
- 			/*
-diff --git a/fs/xfs/xfs_super.h b/fs/xfs/xfs_super.h
-index bbe3d15..b4cfe21 100644
---- a/fs/xfs/xfs_super.h
-+++ b/fs/xfs/xfs_super.h
-@@ -76,8 +76,8 @@ extern __uint64_t xfs_max_file_offset(unsigned int);
- 
- extern void xfs_flush_inodes(struct xfs_mount *mp);
- extern void xfs_blkdev_issue_flush(struct xfs_buftarg *);
--extern xfs_agnumber_t xfs_set_inode32(struct xfs_mount *);
--extern xfs_agnumber_t xfs_set_inode64(struct xfs_mount *);
-+extern xfs_agnumber_t xfs_set_inode32(struct xfs_mount *, xfs_agnumber_t agcount);
-+extern xfs_agnumber_t xfs_set_inode64(struct xfs_mount *, xfs_agnumber_t agcount);
- 
- extern const struct export_operations xfs_export_operations;
- extern const struct xattr_handler *xfs_xattr_handlers[];
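Review bot: the description says xfs_set_inode* "iterates over the (old) agcount in mp->m_sb.sb_agblocks" and later that the code loops over sb_agblocks, but the loops being replaced in xfs_super.c are bounded by `sbp->sb_agcount` and `mp->m_sb.sb_agcount`. The message should name sb_agcount, as the new comment above xfs_set_inode32() already does. In xfs_fs_remount() the added local `sbp` is used only for the two `sbp->sb_agcount` arguments; passing mp->m_sb.sb_agcount directly would avoid the extra variable.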
diff --git a/debian/patches/bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch b/debian/patches/bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
deleted file mode 100644
index 12c2968..0000000
--- a/debian/patches/bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Andrew Honig <ahonig at google.com>
-Date: Wed, 18 Nov 2015 14:50:23 -0800
-Subject: KVM: x86: Reload pit counters for all channels when restoring state
-Origin: https://git.kernel.org/linus/0185604c2d82c560dab2f2933a18f797e74ab5a8
-
-Currently if userspace restores the pit counters with a count of 0
-on channels 1 or 2 and the guest attempts to read the count on those
-channels, then KVM will perform a mod of 0 and crash.  This will ensure
-that 0 values are converted to 65536 as per the spec.
-
-This is CVE-2015-7513.
-
-Signed-off-by: Andy Honig <ahonig at google.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[carnil: Backport to 4.3.3: context]
----
- arch/x86/kvm/x86.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -3559,10 +3559,11 @@ static int kvm_vm_ioctl_get_pit(struct k
- static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps)
- {
- 	int r = 0;
--
-+	int i;
- 	mutex_lock(&kvm->arch.vpit->pit_state.lock);
- 	memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state));
--	kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0);
-+	for (i = 0; i < 3; i++)
-+		kvm_pit_load_count(kvm, i, ps->channels[i].count, 0);
- 	mutex_unlock(&kvm->arch.vpit->pit_state.lock);
- 	return r;
- }
-@@ -3583,6 +3584,7 @@ static int kvm_vm_ioctl_get_pit2(struct
- static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
- {
- 	int r = 0, start = 0;
-+	int i;
- 	u32 prev_legacy, cur_legacy;
- 	mutex_lock(&kvm->arch.vpit->pit_state.lock);
- 	prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY;
-@@ -3592,7 +3594,8 @@ static int kvm_vm_ioctl_set_pit2(struct
- 	memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels,
- 	       sizeof(kvm->arch.vpit->pit_state.channels));
- 	kvm->arch.vpit->pit_state.flags = ps->flags;
--	kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start);
-+	for (i = 0; i < 3; i++)
-+		kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start);
- 	mutex_unlock(&kvm->arch.vpit->pit_state.lock);
- 	return r;
- }
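Review bot: The header of this dropped patch reads "[carnil: Backport to 4.3.3: context]", so the file documents a 4.3.3 backport rather than one prepared against 3.16, and its removal rests entirely on the stable update carrying an equivalent change. Before relying on 3.16.7-ckt22 for CVE-2015-7513, confirm that the stable version reloads all three channels in both kvm_vm_ioctl_set_pit() and kvm_vm_ioctl_set_pit2(), as the two `for (i = 0; i < 3; i++)` loops here did, and keep the CVE id in the changelog entry, since deleting this file removes its record of the id from debian/patches.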
diff --git a/debian/patches/bugfix/x86/drm-i915-disable-psmi-sleep-messages-on-all-rings-ar.patch b/debian/patches/bugfix/x86/drm-i915-disable-psmi-sleep-messages-on-all-rings-ar.patch
deleted file mode 100644
index 95d58e1..0000000
--- a/debian/patches/bugfix/x86/drm-i915-disable-psmi-sleep-messages-on-all-rings-ar.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From: Chris Wilson <chris at chris-wilson.co.uk>
-Date: Tue, 16 Dec 2014 10:02:27 +0000
-Subject: drm/i915: Disable PSMI sleep messages on all rings around context
- switches
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/2c550183476dfa25641309ae9a28d30feed14379
-
-There exists a current workaround to prevent a hang on context switch
-should the ring go to sleep in the middle of the restore,
-WaProgramMiArbOnOffAroundMiSetContext (applicable to all gen7+). In
-spite of disabling arbitration (which prevents the ring from powering
-down during the critical section) we were still hitting hangs that had
-the hallmarks of the known erratum. That is we are still seeing hangs
-"on the last instruction in the context restore". By comparing -nightly
-(broken) with requests (working), we were able to deduce that it was the
-semaphore LRI cross-talk that reproduced the original failure. The key
-was that requests implemented deferred semaphore signalling, and
-disabling that, i.e. emitting the semaphore signal to every other ring
-after every batch restored the frequent hang.  Explicitly disabling PSMI
-sleep on the RCS ring was insufficient, all the rings had to be awake to
-prevent the hangs. Fortunately, we can reduce the wakelock to the
-MI_SET_CONTEXT operation itself, and so should be able to limit the extra
-power implications.
-
-Since the MI_ARB_ON_OFF workaround is listed for all gen7 and above
-products, we should apply this extra hammer for all of the same
-platforms despite so far that we have only been able to reproduce the
-hang on certain ivb and hsw models. The last question is whether we want
-to always use the extra hammer or only when we know semaphores are in
-operation. At the moment, we only use LRI on non-RCS rings for
-semaphores, but that may change in the future with the possibility of
-reintroducing this bug under subtle conditions.
-
-v2: Make it explicit that the PSMI LRI are an extension to the original
-workaround for the other rings.
-v3: Bikeshedding variable names and whitespacing
-
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80660
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=83677
-Cc: Simon Farnsworth <simon at farnz.org.uk>
-Cc: Daniel Vetter <daniel at ffwll.ch>
-Cc: Ville Syrjälä <ville.syrjala at linux.intel.com>
-Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
-Tested-by: Peter Frühberger <fritsch at xbmc.org>
-Reviewed-by: Daniel Vetter <daniel at ffwll.ch>
-Cc: stable at vger.kernel.org
-Signed-off-by: Jani Nikula <jani.nikula at intel.com>
-[bwh: Backported to 3.16: adjust context]
----
- drivers/gpu/drm/i915/i915_gem_context.c | 48 +++++++++++++++++++++++++++------
- drivers/gpu/drm/i915/i915_reg.h         |  2 ++
- 2 files changed, 42 insertions(+), 8 deletions(-)
-
---- a/drivers/gpu/drm/i915/i915_gem_context.c
-+++ b/drivers/gpu/drm/i915/i915_gem_context.c
-@@ -545,7 +545,12 @@ mi_set_context(struct intel_engine_cs *r
- 	       struct intel_context *new_context,
- 	       u32 hw_flags)
- {
--	int ret;
-+	const int num_rings =
-+		/* Use an extended w/a on ivb+ if signalling from other rings */
-+		i915_semaphore_is_enabled(ring->dev) ?
-+		hweight32(INTEL_INFO(ring->dev)->ring_mask) - 1 :
-+		0;
-+	int len, i, ret;
- 
- 	/* w/a: If Flush TLB Invalidation Mode is enabled, driver must do a TLB
- 	 * invalidation prior to MI_SET_CONTEXT. On GEN6 we don't set the value
-@@ -558,15 +563,31 @@ mi_set_context(struct intel_engine_cs *r
- 			return ret;
- 	}
- 
--	ret = intel_ring_begin(ring, 6);
-+
-+	len = 4;
-+	if (INTEL_INFO(ring->dev)->gen >= 7)
-+		len += 2 + (num_rings ? 4*num_rings + 2 : 0);
-+
-+	ret = intel_ring_begin(ring, len);
- 	if (ret)
- 		return ret;
- 
- 	/* WaProgramMiArbOnOffAroundMiSetContext:ivb,vlv,hsw,bdw,chv */
--	if (INTEL_INFO(ring->dev)->gen >= 7)
-+	if (INTEL_INFO(ring->dev)->gen >= 7) {
- 		intel_ring_emit(ring, MI_ARB_ON_OFF | MI_ARB_DISABLE);
--	else
--		intel_ring_emit(ring, MI_NOOP);
-+		if (num_rings) {
-+			struct intel_engine_cs *signaller;
-+
-+			intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(num_rings));
-+			for_each_ring(signaller, to_i915(ring->dev), i) {
-+				if (signaller == ring)
-+					continue;
-+
-+				intel_ring_emit(ring, RING_PSMI_CTL(signaller->mmio_base));
-+				intel_ring_emit(ring, _MASKED_BIT_ENABLE(GEN6_PSMI_SLEEP_MSG_DISABLE));
-+			}
-+		}
-+	}
- 
- 	intel_ring_emit(ring, MI_NOOP);
- 	intel_ring_emit(ring, MI_SET_CONTEXT);
-@@ -581,10 +602,21 @@ mi_set_context(struct intel_engine_cs *r
- 	 */
- 	intel_ring_emit(ring, MI_NOOP);
- 
--	if (INTEL_INFO(ring->dev)->gen >= 7)
-+	if (INTEL_INFO(ring->dev)->gen >= 7) {
-+		if (num_rings) {
-+			struct intel_engine_cs *signaller;
-+
-+			intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(num_rings));
-+			for_each_ring(signaller, to_i915(ring->dev), i) {
-+				if (signaller == ring)
-+					continue;
-+
-+				intel_ring_emit(ring, RING_PSMI_CTL(signaller->mmio_base));
-+				intel_ring_emit(ring, _MASKED_BIT_DISABLE(GEN6_PSMI_SLEEP_MSG_DISABLE));
-+			}
-+		}
- 		intel_ring_emit(ring, MI_ARB_ON_OFF | MI_ARB_ENABLE);
--	else
--		intel_ring_emit(ring, MI_NOOP);
-+	}
- 
- 	intel_ring_advance(ring);
- 
---- a/drivers/gpu/drm/i915/i915_reg.h
-+++ b/drivers/gpu/drm/i915/i915_reg.h
-@@ -978,6 +978,7 @@ enum punit_power_well {
- #define GEN6_VERSYNC	(RING_SYNC_1(VEBOX_RING_BASE))
- #define GEN6_VEVSYNC	(RING_SYNC_2(VEBOX_RING_BASE))
- #define GEN6_NOSYNC 0
-+#define RING_PSMI_CTL(base)	((base)+0x50)
- #define RING_MAX_IDLE(base)	((base)+0x54)
- #define RING_HWS_PGA(base)	((base)+0x80)
- #define RING_HWS_PGA_GEN6(base)	((base)+0x2080)
-@@ -1301,6 +1302,7 @@ enum punit_power_well {
- #define   GEN6_BLITTER_FBC_NOTIFY			(1<<3)
- 
- #define GEN6_RC_SLEEP_PSMI_CONTROL	0x2050
-+#define   GEN6_PSMI_SLEEP_MSG_DISABLE	(1 << 0)
- #define   GEN8_RC_SEMA_IDLE_MSG_DISABLE	(1 << 12)
- #define   GEN8_FF_DOP_CLOCK_GATE_DISABLE	(1<<10)
- 
diff --git a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch b/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
deleted file mode 100644
index efa115e..0000000
--- a/debian/patches/bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Tue, 10 Nov 2015 09:14:39 +0100
-Subject: KVM: svm: unconditionally intercept #DB
-Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich at suse.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/svm.c | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 1839264..1cc1ffc 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1020,6 +1020,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- 	set_exception_intercept(svm, UD_VECTOR);
- 	set_exception_intercept(svm, MC_VECTOR);
- 	set_exception_intercept(svm, AC_VECTOR);
-+	set_exception_intercept(svm, DB_VECTOR);
- 
- 	set_intercept(svm, INTERCEPT_INTR);
- 	set_intercept(svm, INTERCEPT_NMI);
-@@ -1554,20 +1555,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- 	mark_dirty(svm->vmcb, VMCB_SEG);
- }
- 
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
- 
--	clr_exception_intercept(svm, DB_VECTOR);
- 	clr_exception_intercept(svm, BP_VECTOR);
- 
--	if (svm->nmi_singlestep)
--		set_exception_intercept(svm, DB_VECTOR);
--
- 	if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
--		if (vcpu->guest_debug &
--		    (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
--			set_exception_intercept(svm, DB_VECTOR);
- 		if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- 			set_exception_intercept(svm, BP_VECTOR);
- 	} else
-@@ -1673,7 +1667,6 @@ static int db_interception(struct vcpu_svm *svm)
- 		if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- 			svm->vmcb->save.rflags &=
- 				~(X86_EFLAGS_TF | X86_EFLAGS_RF);
--		update_db_bp_intercept(&svm->vcpu);
- 	}
- 
- 	if (svm->vcpu.guest_debug &
-@@ -3661,7 +3654,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- 	 */
- 	svm->nmi_singlestep = true;
- 	svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
--	update_db_bp_intercept(vcpu);
- }
- 
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4287,7 +4279,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- 	.vcpu_load = svm_vcpu_load,
- 	.vcpu_put = svm_vcpu_put,
- 
--	.update_db_bp_intercept = update_db_bp_intercept,
-+	.update_db_bp_intercept = update_bp_intercept,
- 	.get_msr = svm_get_msr,
- 	.set_msr = svm_set_msr,
- 	.get_segment_base = svm_get_segment_base,
--- 
-2.6.2
-
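Review bot: The last hunk of this dropped patch leaves the kvm_x86_ops member named update_db_bp_intercept and only points it at the renamed update_bp_intercept(), while debian/patches/series still carries bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch directly after the line removed for this file. That follow-up was ordered on top of this patch, so check that it still applies cleanly to the 3.16.7-ckt22 version of arch/x86/kvm/svm.c and that DB_VECTOR is still intercepted unconditionally in init_vmcb() (CVE-2015-8104) once both are in place.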
diff --git a/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch b/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
deleted file mode 100644
index ed5ae71..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Subject: KVM x86 SVM: intercept #AC to avoid guest->host exploit
-
----
-M arch/x86/kvm/svm.c
-1 file changed, 8 insertions(+), 0 deletions(-)
-
-
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1101,6 +1101,7 @@ static void init_vmcb(struct vcpu_svm *s
- 	set_exception_intercept(svm, PF_VECTOR);
- 	set_exception_intercept(svm, UD_VECTOR);
- 	set_exception_intercept(svm, MC_VECTOR);
-+	set_exception_intercept(svm, AC_VECTOR);
- 
- 	set_intercept(svm, INTERCEPT_INTR);
- 	set_intercept(svm, INTERCEPT_NMI);
-@@ -1785,6 +1786,12 @@ static int ud_interception(struct vcpu_s
- 	return 1;
- }
- 
-+static int ac_interception(struct vcpu_svm *svm)
-+{
-+	kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
-+	return 1;
-+}
-+
- static void svm_fpu_activate(struct kvm_vcpu *vcpu)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
-@@ -3325,6 +3332,7 @@ static int (*const svm_exit_handlers[])(
- 	[SVM_EXIT_EXCP_BASE + PF_VECTOR]	= pf_interception,
- 	[SVM_EXIT_EXCP_BASE + NM_VECTOR]	= nm_interception,
- 	[SVM_EXIT_EXCP_BASE + MC_VECTOR]	= mc_interception,
-+	[SVM_EXIT_EXCP_BASE + AC_VECTOR]	= ac_interception,
- 	[SVM_EXIT_INTR]				= intr_interception,
- 	[SVM_EXIT_NMI]				= nmi_interception,
- 	[SVM_EXIT_SMI]				= nop_on_interception,
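Review bot: This dropped patch has only a Subject line, with no From, Date or Origin, so nothing in the file ties it to an upstream commit and the commit message's "went upstream" cannot be checked from the patch itself. Name the 3.16.7-ckt22 change that supersedes it in debian/changelog, and confirm that it provides all three pieces seen here: the AC_VECTOR intercept in init_vmcb(), the ac_interception() handler, and the svm_exit_handlers[] entry for SVM_EXIT_EXCP_BASE + AC_VECTOR.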
diff --git a/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch b/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
deleted file mode 100644
index ef70a29..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Eric Northup <digitaleric at google.com>
-Date: Thu Sep 10 11:36:28 2015 -0700
-Subject: KVM x86 vmx: avoid guest->host DOS by intercepting #AC
-
-A pathological (or malicious) guest can hang a host core by
-mis-configuring its GDT/IDT and enabling alignment checks.
-
---- a/arch/x86/include/uapi/asm/kvm.h
-+++ b/arch/x86/include/uapi/asm/kvm.h
-@@ -23,6 +23,7 @@
- #define GP_VECTOR 13
- #define PF_VECTOR 14
- #define MF_VECTOR 16
-+#define AC_VECTOR 17
- #define MC_VECTOR 18
- 
- /* Select x86 specific features in <linux/kvm.h> */
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1467,7 +1467,7 @@ static void update_exception_bitmap(stru
- 	u32 eb;
- 
- 	eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
--	     (1u << NM_VECTOR) | (1u << DB_VECTOR);
-+	     (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
- 	if ((vcpu->guest_debug &
- 	     (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
- 	    (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
-@@ -4908,6 +4908,13 @@ static int handle_exception(struct kvm_v
- 		kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
- 		kvm_run->debug.arch.exception = ex_no;
- 		break;
-+	case AC_VECTOR:
-+		/*
-+		 * We have already enabled interrupts and pre-emption, so
-+		 * it's OK to loop here if that is what will happen.
-+		 */
-+		kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
-+		return 1;
- 	default:
- 		kvm_run->exit_reason = KVM_EXIT_EXCEPTION;
- 		kvm_run->ex.exception = ex_no;
diff --git a/debian/patches/debian/drm-fix-abi-change-in-3.16.7-ckt22.patch b/debian/patches/debian/drm-fix-abi-change-in-3.16.7-ckt22.patch
new file mode 100644
index 0000000..9fb7362
--- /dev/null
+++ b/debian/patches/debian/drm-fix-abi-change-in-3.16.7-ckt22.patch
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 24 Jan 2016 03:16:17 +0000
+Subject: drm: Fxi ABI change in 3.16.7-ckt22
+Forwarded: not-needed
+
+The bitfields at the beginning of drm_file fit in a single word with
+plenty of bits to spare, so just hide the new bitfield from genksyms.
+---
+--- a/include/drm/drmP.h
++++ b/include/drm/drmP.h
+@@ -407,11 +407,14 @@ struct drm_file {
+ 	 * in the plane list
+ 	 */
+ 	unsigned universal_planes:1;
++#ifndef __GENKSYMS__
+ 	/*
+ 	 * This client is allowed to gain master privileges for @master.
+ 	 * Protected by struct drm_device::master_mutex.
+ 	 */
+ 	unsigned allowed_master:1;
++	/* 26 spare bits left */
++#endif
+ 
+ 	struct pid *pid;
+ 	kuid_t uid;
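Review bot: The "26 spare bits left" comment and the description's claim that the bitfields fit in a single word cannot be checked from this hunk, which shows only universal_planes and allowed_master. Because `#ifndef __GENKSYMS__` hides the new member from genksyms without any check on the struct layout, list the existing bitfield members and their widths in the patch description so the count can be verified. The Subject line also reads "Fxi" where "Fix" is meant.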
diff --git a/debian/patches/series b/debian/patches/series
index 98ddab0..75b3d94 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -637,20 +637,12 @@ bugfix/all/media-uvcvideo-disable-hardware-timestamps-by-defaul.patch
 bugfix/all/nbd-fix-timeout-detection.patch
 bugfix/all/nbd-remove-variable-pid.patch
 bugfix/all/nbd-add-locking-for-tasks.patch
-bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
-bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
-bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
 debian/ehci-fix-abi-change-in-3.16.7-ckt19.patch
-bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
 bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
-bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
 bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
 bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
-bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
 debian/af_unix-avoid-abi-changes.patch
-bugfix/all/btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
-bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
 bugfix/all/xen-add-ring_copy_request.patch
 bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
 bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
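Review bot: debian/af_unix-avoid-abi-changes.patch stays in the series while bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch, the entry directly before it, is removed. If the af_unix ABI workaround was written against the Debian copy of the dropped fix, verify that it still applies to the version of that fix in 3.16.7-ckt22 and still preserves the old layout.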
@@ -662,12 +654,8 @@ bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
 bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
 bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
 bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
-bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
-bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/ptrace-fix-abi-change-for-priv-esc-fix.patch
-bugfix/all/keys-fix-race-between-read-and-revoke.patch
-bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
 bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
 bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
 bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
@@ -677,5 +665,4 @@ bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
 bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
 debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
 bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
-bugfix/all/xfs-allow-inode-allocations-in-post-growfs-disk-spac.patch
-bugfix/x86/drm-i915-disable-psmi-sleep-messages-on-all-rings-ar.patch
+debian/drm-fix-abi-change-in-3.16.7-ckt22.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


