[linux] 02/02: Update to 3.16.7-ckt25
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Mar 2 20:00:20 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit ab6b0e8fbd111883bf41396985453dbbba06ece7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Mar 2 15:00:44 2016 +0000
Update to 3.16.7-ckt25
Fix/ignore ABI changes in af_alg, cgroup, crypto, and enclosure.
---
debian/changelog | 403 ++++++++++++++++++++-
debian/config/defines | 1 +
...-keyring-ref-leak-in-join_session_keyring.patch | 75 ----
.../alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch | 51 ---
...missing-null-check-at-remove_events-ioctl.patch | 31 --
...lsa-seq-fix-race-at-timer-setup-and-close.patch | 35 --
...sa-timer-fix-double-unlink-of-active_list.patch | 34 --
.../alsa-timer-fix-race-among-timer-ioctls.patch | 119 ------
...sa-timer-harden-slave-timer-list-handling.patch | 98 -----
...sb-audio-avoid-freeing-umidi-object-twice.patch | 29 --
...ak-infinite-loop-in-fuse_fill_write_pages.patch | 56 ---
...ix-incorrectly-returning-error-on-success.patch | 38 --
...sion-fix-crash-on-detecting-device-with-i.patch | 44 ---
...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 87 -----
...the-per-user-amount-of-pages-allocated-in.patch | 237 ------------
...ument-to-skb_copy_and_csum_datagram_iovec.patch | 95 -----
...e-make-sure-delayed-work-run-in-local-cpu.patch | 70 ----
...-t-finish-a-td-if-we-get-a-short-transfer.patch | 37 --
...t-soft-lockup-when-sctp_accept-is-called-.patch | 190 ----------
...unsafe-ldisc-reference-via-ioctl-tiocgetd.patch | 63 ----
...y-support-msg_peek-with-truncated-buffers.patch | 88 -----
...flight-fds-in-sending-process-user_struct.patch | 145 --------
...ly-account-for-FDs-passed-over-unix-socke.patch | 129 -------
...fix-invalid-memory-access-in-hub_activate.patch | 88 -----
...sh-on-detecting-device-without-write_urbs.patch | 31 --
...sbvision-fix-overflow-of-interfaces-array.patch | 33 --
.../bugfix/all/xen-add-ring_copy_request.patch | 52 ---
...-only-read-request-operation-from-shared-.patch | 48 ---
...-read-from-indirect-descriptors-only-once.patch | 63 ----
...-don-t-use-last-request-to-determine-mini.patch | 35 --
...-netback-use-ring_copy_request-throughout.patch | 126 -------
...-do-not-install-an-irq-handler-for-msi-in.patch | 77 ----
...-don-t-allow-msi-x-ops-if-pci_command_mem.patch | 61 ----
...-for-xen_pci_op_disable_msi-x-only-disabl.patch | 102 ------
...-return-error-on-xen_pci_op_enable_msi-wh.patch | 58 ---
...-return-error-on-xen_pci_op_enable_msix-w.patch | 60 ---
...-save-xen_pci_op-commands-before-processi.patch | 77 ----
...barriers-and-document-switch_mm-vs-flush-.patch | 157 --------
...x86-mm-Improve-switch_mm-barrier-comments.patch | 62 ----
.../crypto-fix-abi-change-in-3.16.7-ckt25.patch | 137 +++++++
.../enclosure-fix-abi-change-in-3.16.7-ckt23.patch | 30 ++
...oup-make-sure-a-parent-css-isn-t-offlined.patch | 79 ++++
debian/patches/series | 40 +-
43 files changed, 652 insertions(+), 2919 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 70ef9d8..8efdde5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.16.7-ckt22-1) UNRELEASED; urgency=medium
+linux (3.16.7-ckt25-1) UNRELEASED; urgency=medium
* New upstream stable update:
http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt21
@@ -231,6 +231,407 @@ linux (3.16.7-ckt22-1) UNRELEASED; urgency=medium
- ipv4: igmp: Allow removing groups from a removed interface
- sched/core: Remove false-positive warning from wake_up_process()
- btrfs: fix signed overflows in btrfs_sync_file
+ http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt23
+ - iio: fix some warning messages
+ - USB: cp210x: Remove CP2110 ID from compatibility list
+ - USB: cdc_acm: Ignore Infineon Flash Loader utility
+ - USB: serial: Another Infineon flash loader USB ID
+ - ext4: Fix handling of extended tv_sec
+ - jbd2: Fix unreclaimed pages after truncate in data=journal mode
+ - drm/ttm: Fixed a read/write lock imbalance
+ - AHCI: Fix softreset failed issue of Port Multiplier
+ - sata_sil: disable trim
+ - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter
+ JMicron
+ - staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
+ - irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
+ - usb: core : hub: Fix BOS 'NULL pointer' kernel panic
+ - USB: whci-hcd: add check for dma mapping error
+ - dm btree: fix leak of bufio-backed block in btree_split_sibling error path
+ - SCSI: Fix NULL pointer dereference in runtime PM
+ - perf: Fix PERF_EVENT_IOC_PERIOD deadlock
+ - usb: xhci: fix config fail of FS hub behind a HS hub with MTT
+ - ALSA: rme96: Fix unexpected volume reset after rate changes
+ - ALSA: hda - Add inverted dmic for Packard Bell DOTS
+ - virtio: fix memory leak of virtio ida cache layers
+ - nfs4: limit callback decoding to received bytes
+ - SUNRPC: Fix callback channel
+ - IB/srp: Fix possible send queue overflow
+ - ALSA: hda - Fixing speaker noise on the two latest thinkpad models
+ - 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
+ - radeon/cik: Fix GFX IB test on Big-Endian
+ - radeon: Fix VCE ring test for Big-Endian systems
+ - radeon: Fix VCE IB test on Big-Endian systems
+ - ALSA: hda - Fix noise problems on Thinkpad T440s
+ - dm thin metadata: fix bug when taking a metadata snapshot
+ - dm space map metadata: fix ref counting bug when bootstrapping a new
+ space map
+ - ipmi: move timer init to before irq is setup
+ - dm btree: fix bufio buffer leaks in dm_btree_del() error path
+ - vgaarb: fix signal handling in vga_get()
+ - xhci: fix usb2 resume timing and races.
+ - USB: add quirk for devices with broken LPM
+ - [hppa] iommu: fix panic due to trying to allocate too large region
+ - mm: hugetlb: fix hugepage memory leak caused by wrong reserve count
+ - mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make
+ any progress
+ - mm: hugetlb: call huge_pte_alloc() only if ptep is null
+ - drivers/base/memory.c: prohibit offlining of memory blocks with missing
+ sections
+ - ocfs2: fix SGID not inherited issue
+ - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support
+ - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
+ - [armhf] i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
+ - xen/events/fifo: Consume unprocessed events when a CPU dies
+ - video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented
+ - crypto: skcipher - Copy iv from desc even for 0-len walks
+ - rfkill: copy the name into the rfkill struct
+ - ses: Fix problems with simple enclosures
+ - Revert "SCSI: Fix NULL pointer dereference in runtime PM"
+ - ses: fix additional element traversal bug
+ - powercap / RAPL: fix BIOS lock check
+ - n_tty: Fix poll() after buffer-limited eof push read
+ - tty: Fix GPF in flush_to_ldisc()
+ - ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
+ - [armel,armhf] 8471/1: need to save/restore arm register(r11) when it is
+ corrupted
+ - ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
+ - spi: fix parent-device reference leak
+ - dma-debug: Fix dma_debug_entry offset calculation
+ - [powerpc*] powernv: Fix the overflow of OPAL message notifiers head array
+ - [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type
+ - USB: ipaq.c: fix a timeout loop
+ - USB: fix invalid memory access in hub_activate()
+ - pinctrl: bcm2835: Fix initial value for direction_output
+ - net: phy: mdio-mux: Check return value of mdiobus_alloc()
+ - mISDN: fix a loop count
+ - qlcnic: fix a timeout loop
+ - ser_gigaset: fix deallocation of platform device structure
+ - include/linux/mmdebug.h: should include linux/bug.h
+ - [x86] drm/i915: Fix SRC_COPY width on 830/845g
+ - vmstat: allocate vmstat_wq before it is used
+ - [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state
+ in MSR
+ - ASoC: wm8974: set cache type for regmap
+ - [armhf] dts: imx6: Fix Ethernet PHY mode on Ventana boards
+ - ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
+ - [s390x] dis: Fix handling of format specifiers
+ - [hppa] Fix syscall restarts
+ - ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
+ - ocfs2: fix BUG when calculate new backup super
+ - mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone()
+ - net/mlx4_en: Remove dependency between timestamping capability
+ and service_task
+ - net/mlx4_en: Fix HW timestamp init issue upon system startup
+ - ipv6/addrlabel: fix ip6addrlbl_get()
+ - qlcnic: fix a loop exit condition better
+ - genirq: Prevent chip buslock deadlock
+ - ftrace/scripts: Fix incorrect use of sprintf in recordmcount
+ - tracing: Fix setting of start_index in find_next()
+ - [armhf] dts: vt8500: Add SDHC node to DTS file for WM8650
+ - [x86] mce: Ensure offline CPUs don't participate in rendezvous process
+ - ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
+ - async_tx: use GFP_NOWAIT rather than GFP_IO
+ - ftrace/module: Call clean up function when module init fails early
+ - ASoC: Use nested lock for snd_soc_dapm_mutex_lock
+ - net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
+ - net: possible use after free in dst_release
+ - [x86] kvm: only channel 0 of the i8254 is linked to the HPET
+ - firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6
+ http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt24
+ - drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
+ - veth: don’t modify ip_summed; doing so treats packets with bad checksums
+ as good.
+ - sctp: sctp should release assoc when sctp_make_abort_user return NULL in
+ sctp_close
+ - connector: bump skb->users before callback invocation
+ - unix: properly account for FDs passed over unix sockets
+ - bridge: Only call /sbin/bridge-stp for the initial network namespace
+ - vxlan: fix test which detect duplicate vxlan iface
+ - net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+ - tcp_yeah: don't set ssthresh below 2
+ - bonding: Prevent IPv6 link local address on enslaved devices
+ - phonet: properly unshare skbs in phonet_rcv()
+ - net: bpf: reject invalid shifts
+ - ipv6: update skb->csum when CE mark is propagated
+ - team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
+ - xen-netback: respect user provided max_queues
+ - xen-netfront: respect user provided max_queues
+ - xen-netfront: print correct number of queues
+ - xen-netfront: update num_queues to real created
+ - xfrm: dst_entries_init() per-net dst_ops
+ - sctp: convert sack_needed and sack_generation to bits
+ - sctp: start t5 timer only when peer rwnd is 0 and local state is
+ SHUTDOWN_PENDING
+ - nfs: Fix unused variable error
+ - media: gspca: ov534/topro: prevent a division by 0
+ - media: media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
+ - [x86] KVM: expose MSR_TSC_AUX to userspace
+ - [x86] KVM: correctly print #AC in traces
+ - drm/radeon: call hpd_irq_event on resume
+ - xhci: refuse loading if nousb is used
+ - [arm64] Clear out any singlestep state on a ptrace detach operation
+ - time: Avoid signed overflow in timekeeping_get_ns()
+ - Bluetooth: Add support of Toshiba Broadcom based devices
+ - rtlwifi: fix memory leak for USB device
+ - wlcore/wl12xx: spi: fix oops on firmware load
+ - EDAC: Fix the leak of mci->bus->name when bus_register fails
+ - EDAC, mc_sysfs: Fix freeing bus' name
+ - EDAC: Robustify workqueues destruction
+ - [arm64] mm: ensure that the zero page is visible to the page table walker
+ - [powerpc*] Make value-returning atomics fully ordered
+ - [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered
+ - dm space map metadata: remove unused variable in brb_pop()
+ - dm thin: fix race condition when destroying thin pool workqueue
+ - futex: Drop refcount if requeue_pi() acquired the rtmutex
+ - [arm64] mdscr_el1: avoid exposing DCC to userspace
+ - [arm64] kernel: enforce pmuserenr_el0 initialization and restore
+ - drm/radeon: clean up fujitsu quirks
+ - mmc: sdio: Fix invalid vdd in voltage switch power cycle
+ - mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
+ - udf: limit the maximum number of indirect extents in a row
+ - nfs: Fix race in __update_open_stateid()
+ - USB: cp210x: add ID for ELV Marble Sound Board 1
+ - posix-clock: Fix return code on the poll method's error path
+ - rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
+ - rtlwifi: rtl8192se: Fix module parameter initialization
+ - rtlwifi: rtl8192ce: Fix handling of module parameters
+ - rtlwifi: rtl8192cu: Add missing parameter setup
+ - NFSv4: Don't perform cached access checks before we've OPENed the file
+ - NFS: Fix attribute cache revalidation
+ - bcache: fix a livelock when we cause a huge number of cache misses
+ - bcache: Add a cond_resched() call to gc
+ - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device
+ - bcache: fix a leak in bch_cached_dev_run()
+ - bcache: unregister reboot notifier if bcache fails to unregister device
+ - bcache: allows use of register in udev to avoid "device_busy" error.
+ - bcache: prevent crash on changing writeback_running
+ - bcache: Change refill_dirty() to always scan entire disk if necessary
+ - wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
+ - Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
+ - libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct
+ - [x86] xen: don't reset vcpu_info on a cancelled suspend
+ - udf: Prevent buffer overrun with multi-byte characters
+ - udf: Check output buffer length when converting name to CS0
+ - PCI: Fix minimum allocation address overwrite
+ - PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
+ - iwlwifi: update and fix 7265 series PCI IDs
+ - locks: fix unlock when fcntl_setlk races with a close
+ - ASoC: compress: Fix compress device direction check
+ - dm snapshot: fix hung bios when copy error occurs
+ - uml: fix hostfs mknod()
+ - uml: flush stdout before forking
+ - drm/nouveau/kms: take mode_config mutex in connector hotplug path
+ - [x86] boot: Double BOOT_HEAP_SIZE to 64KB
+ - [s390x] fix normalization bug in exception table sorting
+ - xfs: inode recovery readahead can race with inode buffer creation
+ - xfs: handle dquot buffer readahead in log recovery correctly
+ - clocksource/drivers/vt8500: Increase the minimum delta
+ - Input: elantech - mark protocols v2 and v3 as semi-mt
+ - [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
+ - virtio_balloon: fix race by fill and leak
+ - virtio_balloon: fix race between migration and ballooning
+ - [hppa] Fix __ARCH_SI_PREAMBLE_SIZE
+ - scripts/recordmcount.pl: support data in text section on powerpc
+ - [powerpc*] module: Handle R_PPC64_ENTRY relocations
+ - dmaengine: dw: fix cyclic transfer setup
+ - dmaengine: dw: fix cyclic transfer callbacks
+ - mmc: mmci: fix an ages old detection error
+ - [sparc64] fix incorrect sign extension in sys_sparc64_personality
+ - cifs: fix race between call_async() and reconnect()
+ - cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
+ - dma-debug: switch check from _text to _stext
+ - ocfs2/dlm: ignore cleaning the migration mle that is inuse
+ - zram/zcomp: use GFP_NOIO to allocate streams
+ - zram: try vmalloc() after kmalloc()
+ - mm: soft-offline: check return value in second __get_any_page() call
+ - memcg: only free spare array when readers are done
+ - panic: release stale console lock to always get the logbuf printed out
+ - kernel/panic.c: turn off locks debug before releasing console lock
+ - printk: do cond_resched() between lines while outputting to consoles
+ - ALSA: hda - Fix bass pin fixup for ASUS N550JX
+ - crypto: af_alg - Disallow bind/setkey/... after accept(2)
+ - crypto: af_alg - Fix socket double-free when accept fails
+ - crypto: af_alg - Add nokey compatibility path
+ - crypto: hash - Add crypto_ahash_has_setkey
+ - crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path
+ - crypto: af_alg - Forbid bind(2) when nokey child sockets are present
+ - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
+ - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
+ - ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
+ - crypto: algif_skcipher - Load TX SG list after waiting
+ - crypto: crc32c - Fix crc32c soft dependency
+ - IB/qib: fix mcast detach when qp not attached
+ - IB/qib: Support creating qps with GFP_NOIO flag
+ - [x86] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill
+ dmi list
+ - iscsi-target: Fix potential dead-lock during node acl delete
+ - ALSA: timer: Handle disconnection more safely
+ - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with
+ ocfs2_unblock_lock
+ - [x86] ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list
+ - [x86] drm/i915: avoid deadlock on failure paths in
+ __intel_framebuffer_create()
+ - [x86] drm/i915: On fb alloc failure, unref gem object where it gets refed
+ - media: rc: allow rc modules to be loaded if rc-main is not a module
+ - SCSI: initio: remove duplicate module device table
+ - [arm64] clk: xgene: Fix divider with non-zero shift value
+ - clk: st: avoid uninitialized variable use
+ - ath9k_htc: check for underflow in ath9k_htc_rx_msg()
+ - mtd: nand: fix ONFI parameter page layout
+ - mtd: nand: denali: add missing nand_release() call in denali_remove()
+ - mtd: nand: remove unused and buggy get_platform_nandchip() helper function
+ - ALSA: fm801: propagate TUNER_ONLY bit when autodetected
+ - pinctrl: bcm2835: Fix memory leak in error path
+ - [x86] LDT: Print the real LDT base address
+ - sysrq: Fix warning in sysrq generated crash.
+ - kconfig: return 'false' instead of 'no' in bool function
+ - [x86] perf: Fix filter_events() bug with event mappings
+ - power: test_power: correctly handle empty writes
+ - firmware: actually return NULL on failed request_firmware_nowait()
+ - target: Fix a memory leak in target_dev_lba_map_store()
+ - um: Fix build error and kconfig for i386
+ - ipv6: tcp: add rcu locking in tcp_v6_send_synack()
+ - mmc: sd: limit SD card power limit according to cards capabilities
+ - Btrfs: clean up an error code in btrfs_init_space_info()
+ - bridge: fix lockdep addr_list_lock false positive splat
+ - batman-adv: Avoid recursive call_rcu for batadv_bla_claim
+ - batman-adv: Avoid recursive call_rcu for batadv_nc_node
+ - batman-adv: fix potential TT client + orig-node memory leak
+ - batman-adv: Drop immediate batadv_orig_ifinfo free function
+ - batman-adv: Drop immediate batadv_neigh_node free function
+ - batman-adv: Drop immediate neigh_ifinfo free function
+ - batman-adv: Drop immediate batadv_hard_iface free function
+ - batman-adv: Drop immediate orig_node free function
+ - printk: help pr_debug and pr_devel to optimize out arguments
+ - mmc: debugfs: correct wrong voltage value
+ - IB/mlx4: Initialize hop_limit when creating address handle
+ - net/mlx4: Remove unused macro
+ - cifs: Ratelimit kernel log messages
+ - HID: usbhid: fix recursive deadlock
+ http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt25
+ - ASN.1: Fix non-match detection failure on data overrun
+ - qeth: initialize net_device with carrier off
+ - EVM: Use crypto_memneq() for digest comparisons
+ - iio: adis_buffer: Fix out-of-bounds memory access
+ - [powerpc*] KVM: Fix emulation of H_SET_DABR/X on POWER8
+ - [x86] irq: Call chip->irq_set_affinity in proper context
+ - ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
+ - usb: cdc-acm: handle unlinked urb in acm read callback
+ - usb: cdc-acm: send zero packet for intel 7260 modem
+ - cdc-acm:exclude Samsung phone 04e8:685d
+ - usb: hub: do not clear BOS field during reset device
+ - USB: cp210x: add ID for IAI USB to RS485 adaptor
+ - USB: visor: fix null-deref at probe
+ - USB: serial: option: Adding support for Telit LE922
+ - ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
+ - ALSA: seq: Degrade the error message for too many opens
+ - USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
+ - USB: option: fix Cinterion AHxx enumeration
+ - ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
+ - ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
+ - virtio_pci: fix use after free on release
+ - ALSA: bebob: Use a signed return type for get_formation_index
+ - [arm64] errata: Add -mpc-relative-literal-loads to build flags
+ - [powerpc*] eeh: Fix PE location code
+ - SCSI: fix crashes in sd and sr runtime PM
+ - n_tty: Fix unsafe reference to "other" ldisc
+ - staging/speakup: Use tty_ldisc_ref() for paste kworker
+ - ALSA: dummy: Disable switching timer backend via sysfs
+ - [x86] drm/vmwgfx: respect 'nomodeset'
+ - [x86] mm/pat: Avoid truncation when converting cpa->numpages to address
+ - perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
+ - perf hists: Fix HISTC_MEM_DCACHELINE width setting
+ - [powerpc*] perf: Remove PPMU_HAS_SSLOT flag for Power8
+ - vmstat: explicitly schedule per-cpu work on the CPU we need it to run on
+ - umount: Do not allow unmounting rootfs.
+ - crypto: algif_skcipher - Require setkey before accept(2)
+ - crypto: algif_skcipher - Add nokey compatibility path
+ - crypto: algif_hash - Require setkey before accept(2)
+ - crypto: skcipher - Add crypto_skcipher_has_setkey
+ - crypto: algif_skcipher - Add key check exception for cipher_null
+ - crypto: algif_hash - Remove custom release parent function
+ - crypto: algif_skcipher - Remove custom release parent function
+ - crypto: algif_hash - Fix race condition in hash_check_key
+ - crypto: algif_skcipher - Fix race condition in skcipher_check_key
+ - iio: add HAS_IOMEM dependency to VF610_ADC
+ - iio: dac: mcp4725: set iio name property in sysfs
+ - ASoC: rt5645: fix the shift bit of IN1 boost
+ - cgroup: make sure a parent css isn't offlined before its children
+ - PCI/AER: Flush workqueue on device remove to avoid use-after-free
+ - libata: disable forced PORTS_IMPL for >= AHCI 1.3
+ - mac80211: Requeue work after scan complete for all VIF types.
+ - rfkill: fix rfkill_fop_read wait_event usage
+ - crypto: shash - Fix has_key setting
+ - [x86] drm/i915/dp: fall back to 18 bpp when sink capability is unknown
+ - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
+ - crypto: algif_hash - wait for crypto_ahash_init() to complete
+ - iio: inkern: fix a NULL dereference on error
+ - iio: pressure: mpl115: fix temperature offset sign
+ - [x86] intel_scu_ipcutil: underflow in scu_reg_access()
+ - ALSA: seq: Fix race at closing in virmidi driver
+ - ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
+ - ALSA: pcm: Fix potential deadlock in OSS emulation
+ - ALSA: seq: Fix yet another races among ALSA timer accesses
+ - ALSA: timer: Code cleanup
+ - ALSA: timer: Fix link corruption due to double start or stop
+ - libata: fix sff host state machine locking while polling
+ - [mips*] Fix buffer overflow in syscall_get_arguments()
+ - cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
+ - ASoC: dpcm: fix the BE state on hw_free
+ - module: wrapper for symbol name.
+ - ALSA: hda - Add fixup for Mac Mini 7,1 model
+ - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
+ - ALSA: rawmidi: Fix race at copying & updating the position
+ - ALSA: seq: Fix lockdep warnings due to double mutex locks
+ - drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
+ - radix-tree: fix race in gang lookup
+ - [x86] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
+ - xhci: Fix list corruption in urb dequeue at host removal
+ - media: tda1004x: only update the frontend properties if locked
+ - ALSA: timer: Fix leftover link at closing
+ - media: saa7134-alsa: Only frees registered sound cards
+ - Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
+ - scsi_dh_rdac: always retry MODE SELECT on command lock violation
+ - SCSI: Add Marvell Console to VPD blacklist
+ - drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil
+ - ALSA: hda - Fix static checker warning in patch_hdmi.c
+ - Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
+ - dump_stack: avoid potential deadlocks
+ - mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make
+ any progress
+ - ocfs2/dlm: clear refmap bit of recovery lock while doing local
+ recovery cleanup
+ - mm: replace vma_lock_anon_vma with anon_vma_lock_read/write
+ - radix-tree: fix oops after radix_tree_iter_retry
+ - crypto: user - lock crypto_alg_list on alg dump
+ - serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
+ - pty: fix possible use after free of tty->driver_data
+ - pty: make sure super_block is still valid in final /dev/tty close
+ - ALSA: hda - Fix speaker output from VAIO AiO machines
+ - klist: fix starting point removed bug in klist iterators
+ - ALSA: dummy: Implement timer backend switching more safely
+ - ALSA: timer: Fix wrong instance passed to slave callbacks
+ - [armel,armhf] 8517/1: ICST: avoid arithmetic overflow in icst_hz()
+ - ALSA: timer: Fix race between stop and interrupt
+ - ALSA: timer: Fix race at concurrent reads
+ - [armhf] phy: twl4030-usb: Relase usb phy on unload
+ - [x86] ahci: Intel DNV device IDs SATA
+ - workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup
+ - drm/radeon: hold reference to fences in radeon_sa_bo_new
+ - [armel,armhf] 8519/1: ICST: try other dividends than 1
+ - btrfs: properly set the termination value of ctx->pos in readdir
+ - net: phy: Fix phy_mac_interrupt()
+ - af_unix: fix struct pid memory leak
+ - pptp: fix illegal memory access caused by multiple bind()s
+ - sctp: allow setting SCTP_SACK_IMMEDIATELY by the application
+ - netlink: not trim skb for mmaped socket when dump
+ - ipv6: fix a lockdep splat
+ - sctp: translate network order to host order when users get a hmacid
+ - IB/mlx5: Fix RC transport send queue overhead computation
+ - [x86] drm/vmwgfx: Fix an fb unlocking bug
+ - net: phy: fix PHY_RUNNING in phy_state_machine
+ - net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS
[ Ben Hutchings ]
* udeb: Add dm-service-time to multipath-modules (Closes: #806131)
diff --git a/debian/config/defines b/debian/config/defines
index 65f0652..4bb19cf 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -51,6 +51,7 @@ ignore-changes:
__scm_send
scm_detach_fds
scm_fp_dup
+ af_alg_*
[base]
arches:
diff --git a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
deleted file mode 100644
index 9c6a969..0000000
--- a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001
-From: Yevgeny Pats <yevgeny at perception-point.io>
-Date: Mon, 11 Jan 2016 12:05:28 +0000
-Subject: KEYS: Fix keyring ref leak in join_session_keyring()
-
-If a thread is asked to join as a session keyring the keyring that's already
-set as its session, we leak a keyring reference.
-
-This can be tested with the following program:
-
- #include <stddef.h>
- #include <stdio.h>
- #include <sys/types.h>
- #include <keyutils.h>
-
- int main(int argc, const char *argv[])
- {
- int i = 0;
- key_serial_t serial;
-
- serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
- "leaked-keyring");
- if (serial < 0) {
- perror("keyctl");
- return -1;
- }
-
- if (keyctl(KEYCTL_SETPERM, serial,
- KEY_POS_ALL | KEY_USR_ALL) < 0) {
- perror("keyctl");
- return -1;
- }
-
- for (i = 0; i < 100; i++) {
- serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
- "leaked-keyring");
- if (serial < 0) {
- perror("keyctl");
- return -1;
- }
- }
-
- return 0;
- }
-
-If, after the program has run, there something like the following line in
-/proc/keys:
-
-3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
-
-with a usage count of 100 * the number of times the program has been run,
-then the kernel is malfunctioning. If leaked-keyring has zero usages or
-has been garbage collected, then the problem is fixed.
-
-Reported-by: Yevgeny Pats <yevgeny at perception-point.io>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/process_keys.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index a3f85d2..e6d50172 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- ret = PTR_ERR(keyring);
- goto error2;
- } else if (keyring == new->session_keyring) {
-+ key_put(keyring);
- ret = 0;
- goto error2;
- }
---
-2.7.0.rc3
-
diff --git a/debian/patches/bugfix/all/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch b/debian/patches/bugfix/all/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
deleted file mode 100644
index 200db5a..0000000
--- a/debian/patches/bugfix/all/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Mon, 18 Jan 2016 13:52:47 +0100
-Subject: ALSA: hrtimer: Fix stall by hrtimer_cancel()
-Origin: https://git.kernel.org/linus/2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
-
-hrtimer_cancel() waits for the completion from the callback, thus it
-must not be called inside the callback itself. This was already a
-problem in the past with ALSA hrtimer driver, and the early commit
-[fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
-
-However, the previous fix is still insufficient: it may still cause a
-lockup when the ALSA timer instance reprograms itself in its callback.
-Then it invokes the start function even in snd_timer_interrupt() that
-is called in hrtimer callback itself, results in a CPU stall. This is
-no hypothetical problem but actually triggered by syzkaller fuzzer.
-
-This patch tries to fix the issue again. Now we call
-hrtimer_try_to_cancel() at both start and stop functions so that it
-won't fall into a deadlock, yet giving some chance to cancel the queue
-if the functions have been called outside the callback. The proper
-hrtimer_cancel() is called in anyway at closing, so this should be
-enough.
-
-Reported-and-tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- sound/core/hrtimer.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
-index 886be7da989d..38514ed6e55c 100644
---- a/sound/core/hrtimer.c
-+++ b/sound/core/hrtimer.c
-@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
- struct snd_hrtimer *stime = t->private_data;
-
- atomic_set(&stime->running, 0);
-- hrtimer_cancel(&stime->hrt);
-+ hrtimer_try_to_cancel(&stime->hrt);
- hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
- HRTIMER_MODE_REL);
- atomic_set(&stime->running, 1);
-@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
- {
- struct snd_hrtimer *stime = t->private_data;
- atomic_set(&stime->running, 0);
-+ hrtimer_try_to_cancel(&stime->hrt);
- return 0;
- }
-
diff --git a/debian/patches/bugfix/all/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch b/debian/patches/bugfix/all/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
deleted file mode 100644
index 2f55169..0000000
--- a/debian/patches/bugfix/all/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Tue, 12 Jan 2016 12:38:02 +0100
-Subject: ALSA: seq: Fix missing NULL check at remove_events ioctl
-Origin: https://git.kernel.org/linus/030e2c78d3a91dd0d27fef37e91950dde333eba1
-
-snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
-unconditionally even if there is no FIFO assigned, and this leads to
-an Oops due to NULL dereference. The fix is just to add a proper NULL
-check.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- sound/core/seq/seq_clientmgr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index 225c73152ee9..ab4cd2930ce3 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
- * No restrictions so for a user client we can clear
- * the whole fifo
- */
-- if (client->type == USER_CLIENT)
-+ if (client->type == USER_CLIENT && client->data.user.fifo)
- snd_seq_fifo_clear(client->data.user.fifo);
- }
-
diff --git a/debian/patches/bugfix/all/alsa-seq-fix-race-at-timer-setup-and-close.patch b/debian/patches/bugfix/all/alsa-seq-fix-race-at-timer-setup-and-close.patch
deleted file mode 100644
index 3e5f955..0000000
--- a/debian/patches/bugfix/all/alsa-seq-fix-race-at-timer-setup-and-close.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Tue, 12 Jan 2016 15:36:27 +0100
-Subject: ALSA: seq: Fix race at timer setup and close
-Origin: https://git.kernel.org/linus/3567eb6af614dac436c4b16a8d426f9faed639b3
-
-ALSA sequencer code has an open race between the timer setup ioctl and
-the close of the client. This was triggered by syzkaller fuzzer, and
-a use-after-free was caught there as a result.
-
-This patch papers over it by adding a proper queue->timer_mutex lock
-around the timer-related calls in the relevant code path.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- sound/core/seq/seq_queue.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
-index aad4878cee55..52defd86d8b4 100644
---- a/sound/core/seq/seq_queue.c
-+++ b/sound/core/seq/seq_queue.c
-@@ -144,8 +144,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
- static void queue_delete(struct snd_seq_queue *q)
- {
- /* stop and release the timer */
-+ mutex_lock(&q->timer_mutex);
- snd_seq_timer_stop(q->timer);
- snd_seq_timer_close(q);
-+ mutex_unlock(&q->timer_mutex);
- /* wait until access free */
- snd_use_lock_sync(&q->use_lock);
- /* release resources... */
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-double-unlink-of-active_list.patch b/debian/patches/bugfix/all/alsa-timer-fix-double-unlink-of-active_list.patch
deleted file mode 100644
index 97cc8d5..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-double-unlink-of-active_list.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Wed, 13 Jan 2016 21:35:06 +0100
-Subject: ALSA: timer: Fix double unlink of active_list
-Origin: https://git.kernel.org/linus/ee8413b01045c74340aa13ad5bdf905de32be736
-
-ALSA timer instance object has a couple of linked lists and they are
-unlinked unconditionally at snd_timer_stop(). Meanwhile
-snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
-the element list itself unchanged. This ends up with unlinking twice,
-and it was caught by syzkaller fuzzer.
-
-The fix is to use list_del_init() variant properly there, too.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- sound/core/timer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 777a45e08e53..222c549341c8 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -694,7 +694,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
- } else {
- ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
- if (--timer->running)
-- list_del(&ti->active_list);
-+ list_del_init(&ti->active_list);
- }
- if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
- (ti->flags & SNDRV_TIMER_IFLG_FAST))
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-race-among-timer-ioctls.patch b/debian/patches/bugfix/all/alsa-timer-fix-race-among-timer-ioctls.patch
deleted file mode 100644
index d72d535..0000000
--- a/debian/patches/bugfix/all/alsa-timer-fix-race-among-timer-ioctls.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Wed, 13 Jan 2016 17:48:01 +0100
-Subject: ALSA: timer: Fix race among timer ioctls
-Origin: https://git.kernel.org/linus/af368027a49a751d6ff4ee9e3f9961f35bb4fede
-
-ALSA timer ioctls have an open race and this may lead to a
-use-after-free of timer instance object. A simplistic fix is to make
-each ioctl exclusive. We have already tread_sem for controlling the
-tread, and extend this as a global mutex to be applied to each ioctl.
-
-The downside is, of course, the worse concurrency. But these ioctls
-aren't to be parallel accessible, in anyway, so it should be fine to
-serialize there.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- sound/core/timer.c | 32 +++++++++++++++++++-------------
- 1 file changed, 19 insertions(+), 13 deletions(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 222c549341c8..79fd8a1a9afc 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -73,7 +73,7 @@ struct snd_timer_user {
- struct timespec tstamp; /* trigger tstamp */
- wait_queue_head_t qchange_sleep;
- struct fasync_struct *fasync;
-- struct mutex tread_sem;
-+ struct mutex ioctl_lock;
- };
-
- /* list of timers */
-@@ -1257,7 +1257,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file)
- return -ENOMEM;
- spin_lock_init(&tu->qlock);
- init_waitqueue_head(&tu->qchange_sleep);
-- mutex_init(&tu->tread_sem);
-+ mutex_init(&tu->ioctl_lock);
- tu->ticks = 1;
- tu->queue_size = 128;
- tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
-@@ -1277,8 +1277,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
- if (file->private_data) {
- tu = file->private_data;
- file->private_data = NULL;
-+ mutex_lock(&tu->ioctl_lock);
- if (tu->timeri)
- snd_timer_close(tu->timeri);
-+ mutex_unlock(&tu->ioctl_lock);
- kfree(tu->queue);
- kfree(tu->tqueue);
- kfree(tu);
-@@ -1516,7 +1518,6 @@ static int snd_timer_user_tselect(struct file *file,
- int err = 0;
-
- tu = file->private_data;
-- mutex_lock(&tu->tread_sem);
- if (tu->timeri) {
- snd_timer_close(tu->timeri);
- tu->timeri = NULL;
-@@ -1560,7 +1561,6 @@ static int snd_timer_user_tselect(struct file *file,
- }
-
- __err:
-- mutex_unlock(&tu->tread_sem);
- return err;
- }
-
-@@ -1773,7 +1773,7 @@ enum {
- SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
- };
-
--static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
-+static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
- {
- struct snd_timer_user *tu;
-@@ -1790,17 +1790,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- {
- int xarg;
-
-- mutex_lock(&tu->tread_sem);
-- if (tu->timeri) { /* too late */
-- mutex_unlock(&tu->tread_sem);
-+ if (tu->timeri) /* too late */
- return -EBUSY;
-- }
-- if (get_user(xarg, p)) {
-- mutex_unlock(&tu->tread_sem);
-+ if (get_user(xarg, p))
- return -EFAULT;
-- }
- tu->tread = xarg ? 1 : 0;
-- mutex_unlock(&tu->tread_sem);
- return 0;
- }
- case SNDRV_TIMER_IOCTL_GINFO:
-@@ -1833,6 +1827,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
- return -ENOTTY;
- }
-
-+static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
-+ unsigned long arg)
-+{
-+ struct snd_timer_user *tu = file->private_data;
-+ long ret;
-+
-+ mutex_lock(&tu->ioctl_lock);
-+ ret = __snd_timer_user_ioctl(file, cmd, arg);
-+ mutex_unlock(&tu->ioctl_lock);
-+ return ret;
-+}
-+
- static int snd_timer_user_fasync(int fd, struct file * file, int on)
- {
- struct snd_timer_user *tu;
diff --git a/debian/patches/bugfix/all/alsa-timer-harden-slave-timer-list-handling.patch b/debian/patches/bugfix/all/alsa-timer-harden-slave-timer-list-handling.patch
deleted file mode 100644
index 03f3565..0000000
--- a/debian/patches/bugfix/all/alsa-timer-harden-slave-timer-list-handling.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Thu, 14 Jan 2016 16:30:58 +0100
-Subject: ALSA: timer: Harden slave timer list handling
-Origin: https://git.kernel.org/linus/b5a663aa426f4884c71cd8580adae73f33570f0d
-
-A slave timer instance might be still accessible in a racy way while
-operating the master instance as it lacks of locking. Since the
-master operation is mostly protected with timer->lock, we should cope
-with it while changing the slave instance, too. Also, some linked
-lists (active_list and ack_list) of slave instances aren't unlinked
-immediately at stopping or closing, and this may lead to unexpected
-accesses.
-
-This patch tries to address these issues. It adds spin lock of
-timer->lock (either from master or slave, which is equivalent) in a
-few places. For avoiding a deadlock, we ensure that the global
-slave_active_lock is always locked at first before each timer lock.
-
-Also, ack and active_list of slave instances are properly unlinked at
-snd_timer_stop() and snd_timer_close().
-
-Last but not least, remove the superfluous call of _snd_timer_stop()
-at removing slave links. This is a noop, and calling it may confuse
-readers wrt locking. Further cleanup will follow in a later patch.
-
-Actually we've got reports of use-after-free by syzkaller fuzzer, and
-this hopefully fixes these issues.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- sound/core/timer.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 79fd8a1a9afc..8eaffb5aa836 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
- slave->slave_id == master->slave_id) {
- list_move_tail(&slave->open_list, &master->slave_list_head);
- spin_lock_irq(&slave_active_lock);
-+ spin_lock(&master->timer->lock);
- slave->master = master;
- slave->timer = master->timer;
- if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
- list_add_tail(&slave->active_list,
- &master->slave_active_head);
-+ spin_unlock(&master->timer->lock);
- spin_unlock_irq(&slave_active_lock);
- }
- }
-@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri)
- timer->hw.close)
- timer->hw.close(timer);
- /* remove slave links */
-+ spin_lock_irq(&slave_active_lock);
-+ spin_lock(&timer->lock);
- list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
- open_list) {
-- spin_lock_irq(&slave_active_lock);
-- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
- list_move_tail(&slave->open_list, &snd_timer_slave_list);
- slave->master = NULL;
- slave->timer = NULL;
-- spin_unlock_irq(&slave_active_lock);
-+ list_del_init(&slave->ack_list);
-+ list_del_init(&slave->active_list);
- }
-+ spin_unlock(&timer->lock);
-+ spin_unlock_irq(&slave_active_lock);
- mutex_unlock(®ister_mutex);
- }
- out:
-@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
-
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
-- if (timeri->master)
-+ if (timeri->master && timeri->timer) {
-+ spin_lock(&timeri->timer->lock);
- list_add_tail(&timeri->active_list,
- &timeri->master->slave_active_head);
-+ spin_unlock(&timeri->timer->lock);
-+ }
- spin_unlock_irqrestore(&slave_active_lock, flags);
- return 1; /* delayed start */
- }
-@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
-+ list_del_init(&timeri->ack_list);
-+ list_del_init(&timeri->active_list);
- spin_unlock_irqrestore(&slave_active_lock, flags);
- }
- goto __end;
diff --git a/debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch b/debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
deleted file mode 100644
index 5c45beb..0000000
--- a/debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Andrey Konovalov <andreyknvl at gmail.com>
-Date: Sat, 13 Feb 2016 11:08:06 +0300
-Subject: ALSA: usb-audio: avoid freeing umidi object twice
-Origin: https://git.kernel.org/linus/07d86ca93db7e5cdf4743564d98292042ec21af7
-
-The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
-when tearing down the rawmidi interface. So we shouldn't try to free it
-in snd_usbmidi_create() after having registered the rawmidi interface.
-
-Found by KASAN.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at gmail.com>
-Acked-by: Clemens Ladisch <clemens at ladisch.de>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
----
- sound/usb/midi.c | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/sound/usb/midi.c
-+++ b/sound/usb/midi.c
-@@ -2322,7 +2322,6 @@ int snd_usbmidi_create(struct snd_card *
- else
- err = snd_usbmidi_create_endpoints(umidi, endpoints);
- if (err < 0) {
-- snd_usbmidi_free(umidi);
- return err;
- }
-
diff --git a/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch b/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
deleted file mode 100644
index d31a449..0000000
--- a/debian/patches/bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Roman Gushchin <klamm at yandex-team.ru>
-Date: Mon, 12 Oct 2015 16:33:44 +0300
-Subject: fuse: break infinite loop in fuse_fill_write_pages()
-Origin: https://git.kernel.org/linus/3ca8138f014a913f98e6ef40e939868e1e9ea876
-
-I got a report about unkillable task eating CPU. Further
-investigation shows, that the problem is in the fuse_fill_write_pages()
-function. If iov's first segment has zero length, we get an infinite
-loop, because we never reach iov_iter_advance() call.
-
-Fix this by calling iov_iter_advance() before repeating an attempt to
-copy data from userspace.
-
-A similar problem is described in 124d3b7041f ("fix writev regression:
-pan hanging unkillable and un-straceable"). If zero-length segmend
-is followed by segment with invalid address,
-iov_iter_fault_in_readable() checks only first segment (zero-length),
-iov_iter_copy_from_user_atomic() skips it, fails at second and
-returns zero -> goto again without skipping zero-length segment.
-
-Patch calls iov_iter_advance() before goto again: we'll skip zero-length
-segment at second iteraction and iov_iter_fault_in_readable() will detect
-invalid address.
-
-Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
-description.
-
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Maxim Patlasov <mpatlasov at parallels.com>
-Cc: Konstantin Khlebnikov <khlebnikov at yandex-team.ru>
-Signed-off-by: Roman Gushchin <klamm at yandex-team.ru>
-Signed-off-by: Miklos Szeredi <miklos at szeredi.hu>
-Fixes: ea9b9907b82a ("fuse: implement perform_write")
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- fs/fuse/file.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -1088,6 +1088,7 @@ static ssize_t fuse_fill_write_pages(str
- tmp = iov_iter_copy_from_user_atomic(page, ii, offset, bytes);
- flush_dcache_page(page);
-
-+ iov_iter_advance(ii, tmp);
- if (!tmp) {
- unlock_page(page);
- page_cache_release(page);
-@@ -1100,7 +1101,6 @@ static ssize_t fuse_fill_write_pages(str
- req->page_descs[req->num_pages].length = tmp;
- req->num_pages++;
-
-- iov_iter_advance(ii, tmp);
- count += tmp;
- pos += tmp;
- offset += tmp;
diff --git a/debian/patches/bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/debian/patches/bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
deleted file mode 100644
index 002fb60..0000000
--- a/debian/patches/bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Hariprasad S <hariprasad at chelsio.com>
-Date: Fri, 11 Dec 2015 13:59:17 +0530
-Subject: iw_cxgb3: Fix incorrectly returning error on success
-Origin: https://git.kernel.org/linus/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3
-
-The cxgb3_*_send() functions return NET_XMIT_ values, which are
-positive integers values. So don't treat positive return values
-as an error.
-
-Signed-off-by: Steve Wise <swise at opengridcomputing.com>
-Signed-off-by: Hariprasad Shenai <hariprasad at chelsio.com>
-Signed-off-by: Doug Ledford <dledford at redhat.com>
----
- drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
-index cb78b1e9bcd9..f504ba73e5dc 100644
---- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
-+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
-@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en
- error = l2t_send(tdev, skb, l2e);
- if (error < 0)
- kfree_skb(skb);
-- return error;
-+ return error < 0 ? error : 0;
- }
-
- int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
-@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
- error = cxgb3_ofld_send(tdev, skb);
- if (error < 0)
- kfree_skb(skb);
-- return error;
-+ return error < 0 ? error : 0;
- }
-
- static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
deleted file mode 100644
index 9968add..0000000
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Date: Mon, 16 Nov 2015 15:55:11 -0200
-Subject: [media] usbvision: fix crash on detecting device with invalid
- configuration
-Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=fa52bd506f274b7619955917abfde355e3d19ffe
-
-The usbvision driver crashes when a specially crafted usb device with invalid
-number of interfaces or endpoints is detected. This fix adds checks that the
-device has proper configuration expected by the driver.
-
-Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
---- a/drivers/media/usb/usbvision/usbvision-video.c
-+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in
-
- if (usbvision_device_data[model].interface >= 0)
- interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
-- else
-+ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
- interface = &dev->actconfig->interface[ifnum]->altsetting[0];
-+ else {
-+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
-+ ifnum, dev->actconfig->desc.bNumInterfaces - 1);
-+ ret = -ENODEV;
-+ goto err_usb;
-+ }
-+
-+ if (interface->desc.bNumEndpoints < 2) {
-+ dev_err(&intf->dev, "interface %d has %d endpoints, but must"
-+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
-+ ret = -ENODEV;
-+ goto err_usb;
-+ }
- endpoint = &interface->endpoint[1].desc;
-+
- if (!usb_endpoint_xfer_isoc(endpoint)) {
- dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
- __func__, ifnum);
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
deleted file mode 100644
index 00cfed1..0000000
--- a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Alexey Khoroshilov <khoroshilov at ispras.ru>
-Date: Fri, 27 Mar 2015 19:39:09 -0300
-Subject: [media] usbvision: fix leak of usb_dev on failure paths in
- usbvision_probe()
-Origin: https://git.kernel.org/linus/afd270d1a45043cef14341bcceff62ed50e8dc9a
-
-There is no usb_put_dev() on failure paths in usbvision_probe().
-
-Found by Linux Driver Verification project (linuxtesting.org).
-
-Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
-Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/usb/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
---- a/drivers/media/usb/usbvision/usbvision-video.c
-+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1522,7 +1522,7 @@ static int usbvision_probe(struct usb_in
- const struct usb_host_interface *interface;
- struct usb_usbvision *usbvision = NULL;
- const struct usb_endpoint_descriptor *endpoint;
-- int model, i;
-+ int model, i, ret;
-
- PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
- dev->descriptor.idVendor,
-@@ -1531,7 +1531,8 @@ static int usbvision_probe(struct usb_in
- model = devid->driver_info;
- if (model < 0 || model >= usbvision_device_data_size) {
- PDEBUG(DBG_PROBE, "model out of bounds %d", model);
-- return -ENODEV;
-+ ret = -ENODEV;
-+ goto err_usb;
- }
- printk(KERN_INFO "%s: %s found\n", __func__,
- usbvision_device_data[model].model_string);
-@@ -1546,18 +1547,21 @@ static int usbvision_probe(struct usb_in
- __func__, ifnum);
- dev_err(&intf->dev, "%s: Endpoint attributes %d",
- __func__, endpoint->bmAttributes);
-- return -ENODEV;
-+ ret = -ENODEV;
-+ goto err_usb;
- }
- if (usb_endpoint_dir_out(endpoint)) {
- dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
- __func__, ifnum);
-- return -ENODEV;
-+ ret = -ENODEV;
-+ goto err_usb;
- }
-
- usbvision = usbvision_alloc(dev, intf);
- if (usbvision == NULL) {
- dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
-- return -ENOMEM;
-+ ret = -ENOMEM;
-+ goto err_usb;
- }
-
- if (dev->descriptor.bNumConfigurations > 1)
-@@ -1576,8 +1580,8 @@ static int usbvision_probe(struct usb_in
- usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
- if (usbvision->alt_max_pkt_size == NULL) {
- dev_err(&intf->dev, "usbvision: out of memory!\n");
-- usbvision_release(usbvision);
-- return -ENOMEM;
-+ ret = -ENOMEM;
-+ goto err_pkt;
- }
-
- for (i = 0; i < usbvision->num_alt; i++) {
-@@ -1612,6 +1616,12 @@ static int usbvision_probe(struct usb_in
-
- PDEBUG(DBG_PROBE, "success");
- return 0;
-+
-+err_pkt:
-+ usbvision_release(usbvision);
-+err_usb:
-+ usb_put_dev(dev);
-+ return ret;
- }
-
-
diff --git a/debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch b/debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
deleted file mode 100644
index 80ddbc6..0000000
--- a/debian/patches/bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
+++ /dev/null
@@ -1,237 +0,0 @@
-From: Willy Tarreau <w at 1wt.eu>
-Date: Mon, 18 Jan 2016 16:36:09 +0100
-Subject: pipe: limit the per-user amount of pages allocated in pipes
-Origin: https://git.kernel.org/linus/759c01142a5d0f364a462346168a56de28a80f52
-
-On no-so-small systems, it is possible for a single process to cause an
-OOM condition by filling large pipes with data that are never read. A
-typical process filling 4000 pipes with 1 MB of data will use 4 GB of
-memory. On small systems it may be tricky to set the pipe max size to
-prevent this from happening.
-
-This patch makes it possible to enforce a per-user soft limit above
-which new pipes will be limited to a single page, effectively limiting
-them to 4 kB each, as well as a hard limit above which no new pipes may
-be created for this user. This has the effect of protecting the system
-against memory abuse without hurting other users, and still allowing
-pipes to work correctly though with less data at once.
-
-The limit are controlled by two new sysctls : pipe-user-pages-soft, and
-pipe-user-pages-hard. Both may be disabled by setting them to zero. The
-default soft limit allows the default number of FDs per process (1024)
-to create pipes of the default size (64kB), thus reaching a limit of 64MB
-before starting to create only smaller pipes. With 256 processes limited
-to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
-1084 MB of memory allocated for a user. The hard limit is disabled by
-default to avoid breaking existing applications that make intensive use
-of pipes (eg: for splicing).
-
-Reported-by: socketpair at gmail.com
-Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- Documentation/sysctl/fs.txt | 23 ++++++++++++++++++++++
- fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++++--
- include/linux/pipe_fs_i.h | 4 ++++
- include/linux/sched.h | 1 +
- kernel/sysctl.c | 14 ++++++++++++++
- 5 files changed, 87 insertions(+), 2 deletions(-)
-
---- a/Documentation/sysctl/fs.txt
-+++ b/Documentation/sysctl/fs.txt
-@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/
- - nr_open
- - overflowuid
- - overflowgid
-+- pipe-user-pages-hard
-+- pipe-user-pages-soft
- - protected_hardlinks
- - protected_symlinks
- - suid_dumpable
-@@ -159,6 +161,27 @@ The default is 65534.
-
- ==============================================================
-
-+pipe-user-pages-hard:
-+
-+Maximum total number of pages a non-privileged user may allocate for pipes.
-+Once this limit is reached, no new pipes may be allocated until usage goes
-+below the limit again. When set to 0, no limit is applied, which is the default
-+setting.
-+
-+==============================================================
-+
-+pipe-user-pages-soft:
-+
-+Maximum total number of pages a non-privileged user may allocate for pipes
-+before the pipe size gets limited to a single page. Once this limit is reached,
-+new pipes will be limited to a single page in size for this user in order to
-+limit total memory usage, and trying to increase them using fcntl() will be
-+denied until usage goes below the limit again. The default value allows to
-+allocate up to 1024 pipes at their default size. When set to 0, no limit is
-+applied.
-+
-+==============================================================
-+
- protected_hardlinks:
-
- A long-standing class of security issues is the hardlink-based
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -39,6 +39,12 @@ unsigned int pipe_max_size = 1048576;
- */
- unsigned int pipe_min_size = PAGE_SIZE;
-
-+/* Maximum allocatable pages per user. Hard limit is unset by default, soft
-+ * matches default values.
-+ */
-+unsigned long pipe_user_pages_hard;
-+unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR;
-+
- /*
- * We use a start+len construction, which provides full use of the
- * allocated memory.
-@@ -585,20 +591,49 @@ pipe_fasync(int fd, struct file *filp, i
- return retval;
- }
-
-+static void account_pipe_buffers(struct pipe_inode_info *pipe,
-+ unsigned long old, unsigned long new)
-+{
-+ atomic_long_add(new - old, &pipe->user->pipe_bufs);
-+}
-+
-+static bool too_many_pipe_buffers_soft(struct user_struct *user)
-+{
-+ return pipe_user_pages_soft &&
-+ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft;
-+}
-+
-+static bool too_many_pipe_buffers_hard(struct user_struct *user)
-+{
-+ return pipe_user_pages_hard &&
-+ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard;
-+}
-+
- struct pipe_inode_info *alloc_pipe_info(void)
- {
- struct pipe_inode_info *pipe;
-
- pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL);
- if (pipe) {
-- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL);
-+ unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
-+ struct user_struct *user = get_current_user();
-+
-+ if (!too_many_pipe_buffers_hard(user)) {
-+ if (too_many_pipe_buffers_soft(user))
-+ pipe_bufs = 1;
-+ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL);
-+ }
-+
- if (pipe->bufs) {
- init_waitqueue_head(&pipe->wait);
- pipe->r_counter = pipe->w_counter = 1;
-- pipe->buffers = PIPE_DEF_BUFFERS;
-+ pipe->buffers = pipe_bufs;
-+ pipe->user = user;
-+ account_pipe_buffers(pipe, 0, pipe_bufs);
- mutex_init(&pipe->mutex);
- return pipe;
- }
-+ free_uid(user);
- kfree(pipe);
- }
-
-@@ -609,6 +644,8 @@ void free_pipe_info(struct pipe_inode_in
- {
- int i;
-
-+ account_pipe_buffers(pipe, pipe->buffers, 0);
-+ free_uid(pipe->user);
- for (i = 0; i < pipe->buffers; i++) {
- struct pipe_buffer *buf = pipe->bufs + i;
- if (buf->ops)
-@@ -999,6 +1036,7 @@ static long pipe_set_size(struct pipe_in
- memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer));
- }
-
-+ account_pipe_buffers(pipe, pipe->buffers, nr_pages);
- pipe->curbuf = 0;
- kfree(pipe->bufs);
- pipe->bufs = bufs;
-@@ -1070,6 +1108,11 @@ long pipe_fcntl(struct file *file, unsig
- if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
- ret = -EPERM;
- goto out;
-+ } else if ((too_many_pipe_buffers_hard(pipe->user) ||
-+ too_many_pipe_buffers_soft(pipe->user)) &&
-+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
-+ ret = -EPERM;
-+ goto out;
- }
- ret = pipe_set_size(pipe, nr_pages);
- break;
---- a/include/linux/pipe_fs_i.h
-+++ b/include/linux/pipe_fs_i.h
-@@ -42,6 +42,7 @@ struct pipe_buffer {
- * @fasync_readers: reader side fasync
- * @fasync_writers: writer side fasync
- * @bufs: the circular array of pipe buffers
-+ * @user: the user who created this pipe
- **/
- struct pipe_inode_info {
- struct mutex mutex;
-@@ -57,6 +58,7 @@ struct pipe_inode_info {
- struct fasync_struct *fasync_readers;
- struct fasync_struct *fasync_writers;
- struct pipe_buffer *bufs;
-+ struct user_struct *user;
- };
-
- /*
-@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info
- void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *);
-
- extern unsigned int pipe_max_size, pipe_min_size;
-+extern unsigned long pipe_user_pages_hard;
-+extern unsigned long pipe_user_pages_soft;
- int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *);
-
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -764,6 +764,7 @@ struct user_struct {
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
- unsigned long unix_inflight; /* How many files in flight in unix sockets */
-+ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -1683,6 +1683,20 @@ static struct ctl_table fs_table[] = {
- .proc_handler = &pipe_proc_fn,
- .extra1 = &pipe_min_size,
- },
-+ {
-+ .procname = "pipe-user-pages-hard",
-+ .data = &pipe_user_pages_hard,
-+ .maxlen = sizeof(pipe_user_pages_hard),
-+ .mode = 0644,
-+ .proc_handler = proc_doulongvec_minmax,
-+ },
-+ {
-+ .procname = "pipe-user-pages-soft",
-+ .data = &pipe_user_pages_soft,
-+ .maxlen = sizeof(pipe_user_pages_soft),
-+ .mode = 0644,
-+ .proc_handler = proc_doulongvec_minmax,
-+ },
- { }
- };
-
diff --git a/debian/patches/bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch b/debian/patches/bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
deleted file mode 100644
index 25d1a64..0000000
--- a/debian/patches/bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sat, 02 Jan 2016 01:11:55 +0000
-Subject: Revert "net: add length argument to skb_copy_and_csum_datagram_iovec"
-Bug-Debian: https://bugs.debian.org/808293
-
-This reverts commit fa89ae5548ed282f0ceb4660b3b93e4e2ee875f3. That fixed
-the problem of buffer over-reads introduced by backporting commit
-89c22d8c3b27 ("net: Fix skb csum races when peeking"), but resulted in
-incorrect checksumming for short reads. It will be replaced with a
-complete fix.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/linux/skbuff.h
-+++ b/include/linux/skbuff.h
-@@ -2525,7 +2525,7 @@
- int skb_copy_datagram_iovec(const struct sk_buff *from, int offset,
- struct iovec *to, int size);
- int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, int hlen,
-- struct iovec *iov, int len);
-+ struct iovec *iov);
- int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
- const struct iovec *from, int from_offset,
- int len);
---- a/net/core/datagram.c
-+++ b/net/core/datagram.c
-@@ -818,7 +818,6 @@
- * @skb: skbuff
- * @hlen: hardware length
- * @iov: io vector
-- * @len: amount of data to copy from skb to iov
- *
- * Caller _must_ check that skb will fit to this iovec.
- *
-@@ -828,14 +827,11 @@
- * can be modified!
- */
- int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
-- int hlen, struct iovec *iov, int len)
-+ int hlen, struct iovec *iov)
- {
- __wsum csum;
- int chunk = skb->len - hlen;
-
-- if (chunk > len)
-- chunk = len;
--
- if (!chunk)
- return 0;
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -4906,7 +4906,7 @@
- err = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);
- else
- err = skb_copy_and_csum_datagram_iovec(skb, hlen,
-- tp->ucopy.iov, chunk);
-+ tp->ucopy.iov);
-
- if (!err) {
- tp->ucopy.len -= chunk;
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1307,7 +1307,7 @@
- else {
- err = skb_copy_and_csum_datagram_iovec(skb,
- sizeof(struct udphdr),
-- msg->msg_iov, copied);
-+ msg->msg_iov);
-
- if (err == -EINVAL)
- goto csum_copy_err;
---- a/net/ipv6/raw.c
-+++ b/net/ipv6/raw.c
-@@ -492,7 +492,7 @@
- goto csum_copy_err;
- err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
- } else {
-- err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied);
-+ err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov);
- if (err == -EINVAL)
- goto csum_copy_err;
- }
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -428,8 +428,7 @@
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied);
- else {
-- err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
-- msg->msg_iov, copied);
-+ err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov);
- if (err == -EINVAL)
- goto csum_copy_err;
- }
diff --git a/debian/patches/bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch b/debian/patches/bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
deleted file mode 100644
index 8f9fe88..0000000
--- a/debian/patches/bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: Tejun Heo <tj at kernel.org>
-Date: Tue, 9 Feb 2016 18:14:48 -0500
-Subject: Revert "workqueue: make sure delayed work run in local cpu"
-Origin: http://mid.gmane.org/1455059690-18765-2-git-send-email-tj@kernel.org
-
-This reverts commit 874bbfe600a660cba9c776b3957b1ce393151b76.
-
-Workqueue used to implicity guarantee that work items queued without
-explicit CPU specified are put on the local CPU. Recent changes in
-timer broke the guarantee and led to vmstat breakage which was fixed
-by 176bed1de5bf ("vmstat: explicitly schedule per-cpu work on the CPU
-we need it to run on").
-
-vmstat is the most likely to expose the issue and it's quite possible
-that there are other similar problems which are a lot more difficult
-to trigger. As a preventive measure, 874bbfe600a6 ("workqueue: make
-sure delayed work run in local cpu") was applied to restore the local
-CPU guarnatee. Unfortunately, the change exposed a bug in timer code
-which got fixed by 22b886dd1018 ("timers: Use proper base migration in
-add_timer_on()"). Due to code restructuring, the commit couldn't be
-backported beyond certain point and stable kernels which only had
-874bbfe600a6 started crashing.
-
-The local CPU guarantee was accidental more than anything else and we
-want to get rid of it anyway. As, with the vmstat case fixed,
-874bbfe600a6 is causing more problems than it's fixing, it has been
-decided to take the chance and officially break the guarantee by
-reverting the commit. A debug feature will be added to force foreign
-CPU assignment to expose cases relying on the guarantee and fixes for
-the individual cases will be backported to stable as necessary.
-
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Fixes: 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu")
-Link: http://lkml.kernel.org/g/20160120211926.GJ10810@quack.suse.cz
-Cc: stable at vger.kernel.org
-Cc: Mike Galbraith <umgwanakikbuti at gmail.com>
-Cc: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
-Cc: Daniel Bilik <daniel.bilik at neosystem.cz>
-Cc: Jan Kara <jack at suse.cz>
-Cc: Shaohua Li <shli at fb.com>
-Cc: Sasha Levin <sasha.levin at oracle.com>
-Cc: Ben Hutchings <ben at decadent.org.uk>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Daniel Bilik <daniel.bilik at neosystem.cz>
-Cc: Jiri Slaby <jslaby at suse.cz>
-Cc: Michal Hocko <mhocko at kernel.org>
----
- kernel/workqueue.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/kernel/workqueue.c
-+++ b/kernel/workqueue.c
-@@ -1463,13 +1463,13 @@ static void __queue_delayed_work(int cpu
- timer_stats_timer_set_start_info(&dwork->timer);
-
- dwork->wq = wq;
-- /* timer isn't guaranteed to run in this cpu, record earlier */
-- if (cpu == WORK_CPU_UNBOUND)
-- cpu = raw_smp_processor_id();
- dwork->cpu = cpu;
- timer->expires = jiffies + delay;
-
-- add_timer_on(timer, cpu);
-+ if (unlikely(cpu != WORK_CPU_UNBOUND))
-+ add_timer_on(timer, cpu);
-+ else
-+ add_timer(timer);
- }
-
- /**
diff --git a/debian/patches/bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch b/debian/patches/bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
deleted file mode 100644
index a0fe6ae..0000000
--- a/debian/patches/bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sat, 02 Jan 2016 03:03:27 +0000
-Subject: Revert "xhci: don't finish a TD if we get a short transfer event mid TD"
-Bug-Debian: https://bugs.debian.org/808602
-Bug-Debian: https://bugs.debian.org/808953
-
-This reverts commit dbd81f75b991c972970764ba75287cbbc8f066be, which
-was commit e210c422b6fdd2dc123bedc588f399aefd8bf9de upstream. It
-caused serious regressions as referenced above.
-
----
---- a/drivers/usb/host/xhci-ring.c
-+++ b/drivers/usb/host/xhci-ring.c
-@@ -2191,10 +2191,6 @@ static int process_bulk_intr_td(struct x
- EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)));
- /* Fast path - was this the last TRB in the TD for this URB? */
- if (event_trb == td->last_trb) {
-- if (td->urb_length_set && trb_comp_code == COMP_SHORT_TX)
-- return finish_td(xhci, td, event_trb, event, ep,
-- status, false);
--
- if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) {
- td->urb->actual_length =
- td->urb->transfer_buffer_length -
-@@ -2246,12 +2242,6 @@ static int process_bulk_intr_td(struct x
- td->urb->actual_length +=
- TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) -
- EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
--
-- if (trb_comp_code == COMP_SHORT_TX) {
-- xhci_dbg(xhci, "mid bulk/intr SP, wait for last TRB event\n");
-- td->urb_length_set = true;
-- return 0;
-- }
- }
-
- return finish_td(xhci, td, event_trb, event, ep, status, false);
diff --git a/debian/patches/bugfix/all/sctp-prevent-soft-lockup-when-sctp_accept-is-called-.patch b/debian/patches/bugfix/all/sctp-prevent-soft-lockup-when-sctp_accept-is-called-.patch
deleted file mode 100644
index 1d4dd1f..0000000
--- a/debian/patches/bugfix/all/sctp-prevent-soft-lockup-when-sctp_accept-is-called-.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From: Karl Heiss <kheiss at gmail.com>
-Date: Thu, 24 Sep 2015 12:15:07 -0400
-Subject: sctp: Prevent soft lockup when sctp_accept() is called during a
- timeout event
-Origin: https://git.kernel.org/linus/635682a14427d241bab7bbdeebb48a7d7b91638e
-
-A case can occur when sctp_accept() is called by the user during
-a heartbeat timeout event after the 4-way handshake. Since
-sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the
-bh_sock_lock in sctp_generate_heartbeat_event() will be taken with
-the listening socket but released with the new association socket.
-The result is a deadlock on any future attempts to take the listening
-socket lock.
-
-Note that this race can occur with other SCTP timeouts that take
-the bh_lock_sock() in the event sctp_accept() is called.
-
- BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0]
- ...
- RIP: 0010:[<ffffffff8152d48e>] [<ffffffff8152d48e>] _spin_lock+0x1e/0x30
- RSP: 0018:ffff880028323b20 EFLAGS: 00000206
- RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000
- RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48
- RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000
- R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0
- R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225
- FS: 0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000
- CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
- CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0
- DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
- DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
- Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0)
- Stack:
- ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000
- <d> 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00
- <d> ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8
- Call Trace:
- <IRQ>
- [<ffffffffa01c2582>] ? sctp_rcv+0x492/0xa10 [sctp]
- [<ffffffff8148c559>] ? nf_iterate+0x69/0xb0
- [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff8148c716>] ? nf_hook_slow+0x76/0x120
- [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff8149757d>] ? ip_local_deliver_finish+0xdd/0x2d0
- [<ffffffff81497808>] ? ip_local_deliver+0x98/0xa0
- [<ffffffff81496ccd>] ? ip_rcv_finish+0x12d/0x440
- [<ffffffff81497255>] ? ip_rcv+0x275/0x350
- [<ffffffff8145cfeb>] ? __netif_receive_skb+0x4ab/0x750
- ...
-
-With lockdep debugging:
-
- =====================================
- [ BUG: bad unlock balance detected! ]
- -------------------------------------
- CslRx/12087 is trying to release lock (slock-AF_INET) at:
- [<ffffffffa01bcae0>] sctp_generate_timeout_event+0x40/0xe0 [sctp]
- but there are no more locks to release!
-
- other info that might help us debug this:
- 2 locks held by CslRx/12087:
- #0: (&asoc->timers[i]){+.-...}, at: [<ffffffff8108ce1f>] run_timer_softirq+0x16f/0x3e0
- #1: (slock-AF_INET){+.-...}, at: [<ffffffffa01bcac3>] sctp_generate_timeout_event+0x23/0xe0 [sctp]
-
-Ensure the socket taken is also the same one that is released by
-saving a copy of the socket before entering the timeout event
-critical section.
-
-Signed-off-by: Karl Heiss <kheiss at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
----
- net/sctp/sm_sideeffect.c | 42 +++++++++++++++++++++++-------------------
- 1 file changed, 23 insertions(+), 19 deletions(-)
-
-diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
-index f554b9a..6098d4c 100644
---- a/net/sctp/sm_sideeffect.c
-+++ b/net/sctp/sm_sideeffect.c
-@@ -244,12 +244,13 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
- int error;
- struct sctp_transport *transport = (struct sctp_transport *) peer;
- struct sctp_association *asoc = transport->asoc;
-- struct net *net = sock_net(asoc->base.sk);
-+ struct sock *sk = asoc->base.sk;
-+ struct net *net = sock_net(sk);
-
- /* Check whether a task is in the sock. */
-
-- bh_lock_sock(asoc->base.sk);
-- if (sock_owned_by_user(asoc->base.sk)) {
-+ bh_lock_sock(sk);
-+ if (sock_owned_by_user(sk)) {
- pr_debug("%s: sock is busy\n", __func__);
-
- /* Try again later. */
-@@ -272,10 +273,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer)
- transport, GFP_ATOMIC);
-
- if (error)
-- asoc->base.sk->sk_err = -error;
-+ sk->sk_err = -error;
-
- out_unlock:
-- bh_unlock_sock(asoc->base.sk);
-+ bh_unlock_sock(sk);
- sctp_transport_put(transport);
- }
-
-@@ -285,11 +286,12 @@ out_unlock:
- static void sctp_generate_timeout_event(struct sctp_association *asoc,
- sctp_event_timeout_t timeout_type)
- {
-- struct net *net = sock_net(asoc->base.sk);
-+ struct sock *sk = asoc->base.sk;
-+ struct net *net = sock_net(sk);
- int error = 0;
-
-- bh_lock_sock(asoc->base.sk);
-- if (sock_owned_by_user(asoc->base.sk)) {
-+ bh_lock_sock(sk);
-+ if (sock_owned_by_user(sk)) {
- pr_debug("%s: sock is busy: timer %d\n", __func__,
- timeout_type);
-
-@@ -312,10 +314,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc,
- (void *)timeout_type, GFP_ATOMIC);
-
- if (error)
-- asoc->base.sk->sk_err = -error;
-+ sk->sk_err = -error;
-
- out_unlock:
-- bh_unlock_sock(asoc->base.sk);
-+ bh_unlock_sock(sk);
- sctp_association_put(asoc);
- }
-
-@@ -365,10 +367,11 @@ void sctp_generate_heartbeat_event(unsigned long data)
- int error = 0;
- struct sctp_transport *transport = (struct sctp_transport *) data;
- struct sctp_association *asoc = transport->asoc;
-- struct net *net = sock_net(asoc->base.sk);
-+ struct sock *sk = asoc->base.sk;
-+ struct net *net = sock_net(sk);
-
-- bh_lock_sock(asoc->base.sk);
-- if (sock_owned_by_user(asoc->base.sk)) {
-+ bh_lock_sock(sk);
-+ if (sock_owned_by_user(sk)) {
- pr_debug("%s: sock is busy\n", __func__);
-
- /* Try again later. */
-@@ -389,10 +392,10 @@ void sctp_generate_heartbeat_event(unsigned long data)
- transport, GFP_ATOMIC);
-
- if (error)
-- asoc->base.sk->sk_err = -error;
-+ sk->sk_err = -error;
-
- out_unlock:
-- bh_unlock_sock(asoc->base.sk);
-+ bh_unlock_sock(sk);
- sctp_transport_put(transport);
- }
-
-@@ -403,10 +406,11 @@ void sctp_generate_proto_unreach_event(unsigned long data)
- {
- struct sctp_transport *transport = (struct sctp_transport *) data;
- struct sctp_association *asoc = transport->asoc;
-- struct net *net = sock_net(asoc->base.sk);
-+ struct sock *sk = asoc->base.sk;
-+ struct net *net = sock_net(sk);
-
-- bh_lock_sock(asoc->base.sk);
-- if (sock_owned_by_user(asoc->base.sk)) {
-+ bh_lock_sock(sk);
-+ if (sock_owned_by_user(sk)) {
- pr_debug("%s: sock is busy\n", __func__);
-
- /* Try again later. */
-@@ -427,7 +431,7 @@ void sctp_generate_proto_unreach_event(unsigned long data)
- asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC);
-
- out_unlock:
-- bh_unlock_sock(asoc->base.sk);
-+ bh_unlock_sock(sk);
- sctp_association_put(asoc);
- }
-
diff --git a/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
deleted file mode 100644
index 4545440..0000000
--- a/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Peter Hurley <peter at hurleysoftware.com>
-Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
-Date: Sun, 10 Jan 2016 22:40:55 -0800
-Origin: http://article.gmane.org/gmane.linux.kernel/2123249
-
-ioctl(TIOCGETD) retrieves the line discipline id directly from the
-ldisc because the line discipline id (c_line) in termios is untrustworthy;
-userspace may have set termios via ioctl(TCSETS*) without actually
-changing the line discipline via ioctl(TIOCSETD).
-
-However, directly accessing the current ldisc via tty->ldisc is
-unsafe; the ldisc ptr dereferenced may be stale if the line discipline
-is changing via ioctl(TIOCSETD) or hangup.
-
-Wait for the line discipline reference (just like read() or write())
-to retrieve the "current" line discipline id.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Peter Hurley <peter at hurleysoftware.com>
----
- drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
---- a/drivers/tty/tty_io.c
-+++ b/drivers/tty/tty_io.c
-@@ -2585,6 +2585,28 @@ static int tiocsetd(struct tty_struct *t
- }
-
- /**
-+ * tiocgetd - get line discipline
-+ * @tty: tty device
-+ * @p: pointer to user data
-+ *
-+ * Retrieves the line discipline id directly from the ldisc.
-+ *
-+ * Locking: waits for ldisc reference (in case the line discipline
-+ * is changing or the tty is being hungup)
-+ */
-+
-+static int tiocgetd(struct tty_struct *tty, int __user *p)
-+{
-+ struct tty_ldisc *ld;
-+ int ret;
-+
-+ ld = tty_ldisc_ref_wait(tty);
-+ ret = put_user(ld->ops->num, p);
-+ tty_ldisc_deref(ld);
-+ return ret;
-+}
-+
-+/**
- * send_break - performed time break
- * @tty: device to break on
- * @duration: timeout in mS
-@@ -2798,7 +2820,7 @@ long tty_ioctl(struct file *file, unsign
- case TIOCGSID:
- return tiocgsid(tty, real_tty, p);
- case TIOCGETD:
-- return put_user(tty->ldisc->ops->num, (int __user *)p);
-+ return tiocgetd(tty, p);
- case TIOCSETD:
- return tiocsetd(tty, p);
- case TIOCVHANGUP:
diff --git a/debian/patches/bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch b/debian/patches/bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
deleted file mode 100644
index f74d86f..0000000
--- a/debian/patches/bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 30 Dec 2015 08:51:12 -0500
-Subject: udp: properly support MSG_PEEK with truncated buffers
-Bug-Debian: https://bugs.debian.org/808293
-Origin: http://article.gmane.org/gmane.linux.kernel.stable/159132
-
-Backport of this upstream commit into stable kernels :
-89c22d8c3b27 ("net: Fix skb csum races when peeking")
-exposed a bug in udp stack vs MSG_PEEK support, when user provides
-a buffer smaller than skb payload.
-
-In this case,
-skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov);
-returns -EFAULT.
-
-This bug does not happen in upstream kernels since Al Viro did a great
-job to replace this into :
-skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
-This variant is safe vs short buffers.
-
-For the time being, instead reverting Herbert Xu patch and add back
-skb->ip_summed invalid changes, simply store the result of
-udp_lib_checksum_complete() so that we avoid computing the checksum a
-second time, and avoid the problematic
-skb_copy_and_csum_datagram_iovec() call.
-
-This patch can be applied on recent kernels as it avoids a double
-checksumming, then backported to stable kernels as a bug fix.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/ipv4/udp.c | 6 ++++--
- net/ipv6/udp.c | 6 ++++--
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1274,6 +1274,7 @@ int udp_recvmsg(struct kiocb *iocb, stru
- int peeked, off = 0;
- int err;
- int is_udplite = IS_UDPLITE(sk);
-+ bool checksum_valid = false;
- bool slow;
-
- if (flags & MSG_ERRQUEUE)
-@@ -1299,11 +1300,12 @@ try_again:
- */
-
- if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
-- if (udp_lib_checksum_complete(skb))
-+ checksum_valid = !udp_lib_checksum_complete(skb);
-+ if (!checksum_valid)
- goto csum_copy_err;
- }
-
-- if (skb_csum_unnecessary(skb))
-+ if (checksum_valid || skb_csum_unnecessary(skb))
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied);
- else {
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -389,6 +389,7 @@ int udpv6_recvmsg(struct kiocb *iocb, st
- int peeked, off = 0;
- int err;
- int is_udplite = IS_UDPLITE(sk);
-+ bool checksum_valid = false;
- int is_udp4;
- bool slow;
-
-@@ -420,11 +421,12 @@ try_again:
- */
-
- if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
-- if (udp_lib_checksum_complete(skb))
-+ checksum_valid = !udp_lib_checksum_complete(skb);
-+ if (!checksum_valid)
- goto csum_copy_err;
- }
-
-- if (skb_csum_unnecessary(skb))
-+ if (checksum_valid || skb_csum_unnecessary(skb))
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied);
- else {
diff --git a/debian/patches/bugfix/all/unix-correctly-track-in-flight-fds-in-sending-process-user_struct.patch b/debian/patches/bugfix/all/unix-correctly-track-in-flight-fds-in-sending-process-user_struct.patch
deleted file mode 100644
index 8e50818..0000000
--- a/debian/patches/bugfix/all/unix-correctly-track-in-flight-fds-in-sending-process-user_struct.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Date: Wed, 3 Feb 2016 02:11:03 +0100
-Subject: unix: correctly track in-flight fds in sending process user_struct
-Origin: https://git.kernel.org/linus/415e3d3e90ce9e18727e8843ae343eda5a58fad6
-
-The commit referenced in the Fixes tag incorrectly accounted the number
-of in-flight fds over a unix domain socket to the original opener
-of the file-descriptor. This allows another process to arbitrary
-deplete the original file-openers resource limit for the maximum of
-open files. Instead the sending processes and its struct cred should
-be credited.
-
-To do so, we add a reference counted struct user_struct pointer to the
-scm_fp_list and use it to account for the number of inflight unix fds.
-
-Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
-Reported-by: David Herrmann <dh.herrmann at gmail.com>
-Cc: David Herrmann <dh.herrmann at gmail.com>
-Cc: Willy Tarreau <w at 1wt.eu>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/net/af_unix.h | 4 ++--
- include/net/scm.h | 1 +
- net/core/scm.c | 7 +++++++
- net/unix/af_unix.c | 4 ++--
- net/unix/garbage.c | 8 ++++----
- 5 files changed, 16 insertions(+), 8 deletions(-)
-
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -6,8 +6,8 @@
- #include <linux/mutex.h>
- #include <net/sock.h>
-
--void unix_inflight(struct file *fp);
--void unix_notinflight(struct file *fp);
-+void unix_inflight(struct user_struct *user, struct file *fp);
-+void unix_notinflight(struct user_struct *user, struct file *fp);
- void unix_gc(void);
- void wait_for_unix_gc(void);
- struct sock *unix_get_socket(struct file *filp);
---- a/include/net/scm.h
-+++ b/include/net/scm.h
-@@ -21,6 +21,7 @@ struct scm_creds {
- struct scm_fp_list {
- short count;
- short max;
-+ struct user_struct *user;
- struct file *fp[SCM_MAX_FD];
- };
-
---- a/net/core/scm.c
-+++ b/net/core/scm.c
-@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *c
- *fplp = fpl;
- fpl->count = 0;
- fpl->max = SCM_MAX_FD;
-+ fpl->user = NULL;
- }
- fpp = &fpl->fp[fpl->count];
-
-@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *c
- *fpp++ = file;
- fpl->count++;
- }
-+
-+ if (!fpl->user)
-+ fpl->user = get_uid(current_user());
-+
- return num;
- }
-
-@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *sc
- scm->fp = NULL;
- for (i=fpl->count-1; i>=0; i--)
- fput(fpl->fp[i]);
-+ free_uid(fpl->user);
- kfree(fpl);
- }
- }
-@@ -335,6 +341,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
- for (i = 0; i < fpl->count; i++)
- get_file(fpl->fp[i]);
- new_fpl->max = new_fpl->count;
-+ new_fpl->user = get_uid(fpl->user);
- }
- return new_fpl;
- }
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1469,7 +1469,7 @@ static void unix_detach_fds(struct scm_c
- UNIXCB(skb).fp = NULL;
-
- for (i = scm->fp->count-1; i >= 0; i--)
-- unix_notinflight(scm->fp->fp[i]);
-+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
- }
-
- static void unix_destruct_scm(struct sk_buff *skb)
-@@ -1534,7 +1534,7 @@ static int unix_attach_fds(struct scm_co
- return -ENOMEM;
-
- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
- return max_level;
- }
-
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -122,7 +122,7 @@ struct sock *unix_get_socket(struct file
- * descriptor if it is for an AF_UNIX socket.
- */
-
--void unix_inflight(struct file *fp)
-+void unix_inflight(struct user_struct *user, struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-@@ -138,11 +138,11 @@ void unix_inflight(struct file *fp)
- }
- unix_tot_inflight++;
- }
-- fp->f_cred->user->unix_inflight++;
-+ user->unix_inflight++;
- spin_unlock(&unix_gc_lock);
- }
-
--void unix_notinflight(struct file *fp)
-+void unix_notinflight(struct user_struct *user, struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-@@ -155,7 +155,7 @@ void unix_notinflight(struct file *fp)
- list_del_init(&u->link);
- unix_tot_inflight--;
- }
-- fp->f_cred->user->unix_inflight--;
-+ user->unix_inflight--;
- spin_unlock(&unix_gc_lock);
- }
-
diff --git a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
deleted file mode 100644
index 2c8526f..0000000
--- a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From: willy tarreau <w at 1wt.eu>
-Date: Sun, 10 Jan 2016 07:54:56 +0100
-Subject: unix: properly account for FDs passed over unix sockets
-Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593
-
-It is possible for a process to allocate and accumulate far more FDs than
-the process' limit by sending them over a unix socket then closing them
-to keep the process' fd count low.
-
-This change addresses this problem by keeping track of the number of FDs
-in flight per user and preventing non-privileged processes from having
-more FDs in flight than their configured FD limit.
-
-Reported-by: socketpair at gmail.com
-Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[carnil: Backported to 3.16: adjust context]
----
- include/linux/sched.h | 1 +
- net/unix/af_unix.c | 24 ++++++++++++++++++++----
- net/unix/garbage.c | 13 ++++++++-----
- 3 files changed, 29 insertions(+), 9 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -763,6 +763,7 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1486,6 +1486,21 @@ static void unix_destruct_scm(struct sk_
- sock_wfree(skb);
- }
-
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1494,6 +1509,9 @@ static int unix_attach_fds(struct scm_co
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1515,10 +1533,8 @@ static int unix_attach_fds(struct scm_co
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -125,9 +125,11 @@ struct sock *unix_get_socket(struct file
- void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-+
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-- spin_lock(&unix_gc_lock);
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -135,22 +137,26 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-+
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
diff --git a/debian/patches/bugfix/all/usb-fix-invalid-memory-access-in-hub_activate.patch b/debian/patches/bugfix/all/usb-fix-invalid-memory-access-in-hub_activate.patch
deleted file mode 100644
index 2ee0a07..0000000
--- a/debian/patches/bugfix/all/usb-fix-invalid-memory-access-in-hub_activate.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Alan Stern <stern at rowland.harvard.edu>
-Date: Wed, 16 Dec 2015 13:32:38 -0500
-Subject: USB: fix invalid memory access in hub_activate()
-Origin: https://git.kernel.org/linus/e50293ef9775c5f1cf3fcc093037dd6a8c5684ea
-
-Commit 8520f38099cc ("USB: change hub initialization sleeps to
-delayed_work") changed the hub_activate() routine to make part of it
-run in a workqueue. However, the commit failed to take a reference to
-the usb_hub structure or to lock the hub interface while doing so. As
-a result, if a hub is plugged in and quickly unplugged before the work
-routine can run, the routine will try to access memory that has been
-deallocated. Or, if the hub is unplugged while the routine is
-running, the memory may be deallocated while it is in active use.
-
-This patch fixes the problem by taking a reference to the usb_hub at
-the start of hub_activate() and releasing it at the end (when the work
-is finished), and by locking the hub interface while the work routine
-is running. It also adds a check at the start of the routine to see
-if the hub has already been disconnected, in which nothing should be
-done.
-
-Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
-Reported-by: Alexandru Cornea <alexandru.cornea at intel.com>
-Tested-by: Alexandru Cornea <alexandru.cornea at intel.com>
-Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[ luis: backported to 3.16:
- - Added forward declaration of hub_release() which mainline had with commit
- 32a6958998c5 ("usb: hub: convert khubd into workqueue") ]
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
----
- drivers/usb/core/hub.c | 23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/core/hub.c
-+++ b/drivers/usb/core/hub.c
-@@ -104,6 +104,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rws
- #define HUB_DEBOUNCE_STEP 25
- #define HUB_DEBOUNCE_STABLE 100
-
-+static void hub_release(struct kref *kref);
- static int usb_reset_and_verify_device(struct usb_device *udev);
-
- static inline char *portspeed(struct usb_hub *hub, int portstatus)
-@@ -1023,10 +1024,20 @@ static void hub_activate(struct usb_hub
- unsigned delay;
-
- /* Continue a partial initialization */
-- if (type == HUB_INIT2)
-- goto init2;
-- if (type == HUB_INIT3)
-+ if (type == HUB_INIT2 || type == HUB_INIT3) {
-+ device_lock(hub->intfdev);
-+
-+ /* Was the hub disconnected while we were waiting? */
-+ if (hub->disconnected) {
-+ device_unlock(hub->intfdev);
-+ kref_put(&hub->kref, hub_release);
-+ return;
-+ }
-+ if (type == HUB_INIT2)
-+ goto init2;
- goto init3;
-+ }
-+ kref_get(&hub->kref);
-
- /* The superspeed hub except for root hub has to use Hub Depth
- * value as an offset into the route string to locate the bits
-@@ -1224,6 +1235,7 @@ static void hub_activate(struct usb_hub
- queue_delayed_work(system_power_efficient_wq,
- &hub->init_work,
- msecs_to_jiffies(delay));
-+ device_unlock(hub->intfdev);
- return; /* Continues at init3: below */
- } else {
- msleep(delay);
-@@ -1245,6 +1257,11 @@ static void hub_activate(struct usb_hub
- /* Allow autosuspend if it was suppressed */
- if (type <= HUB_INIT3)
- usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
-+
-+ if (type == HUB_INIT2 || type == HUB_INIT3)
-+ device_unlock(hub->intfdev);
-+
-+ kref_put(&hub->kref, hub_release);
- }
-
- /* Implement the continuations for the delays above */
diff --git a/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
deleted file mode 100644
index 4b6a5d6..0000000
--- a/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Vladis Dronov <vdronov at redhat.com>
-Subject: usb: serial: visor: fix crash on detecting device without write_urbs
-Date: Tue, 12 Jan 2016 15:10:50 +0100
-Origin: http://article.gmane.org/gmane.linux.usb.general/136045
-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1296466
-
-The visor driver crashes in clie_5_attach() when a specially crafted USB
-device without bulk-out endpoint is detected. This fix adds a check that
-the device has proper configuration expected by the driver.
-
-Reported-by: Ralf Spenneberg <ralf at spenneberg.net>
-Signed-off-by: Vladis Dronov <vdronov at redhat.com>
----
- drivers/usb/serial/visor.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/usb/serial/visor.c
-+++ b/drivers/usb/serial/visor.c
-@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_seri
- */
-
- /* some sanity check */
-- if (serial->num_ports < 2)
-- return -1;
-+ if (serial->num_bulk_out < 2) {
-+ dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
-+ return -ENODEV;
-+ }
-
- /* port 0 now uses the modified endpoint Address */
- port = serial->port[0];
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
deleted file mode 100644
index 0092dd2..0000000
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Oliver Neukum <oneukum at suse.com>
-Date: Tue, 27 Oct 2015 09:51:34 -0200
-Subject: [media] usbvision fix overflow of interfaces array
-Origin: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=588afcc1c0e45358159090d95bf7b246fb67565f
-
-This fixes the crash reported in:
-http://seclists.org/bugtraq/2015/Oct/35
-The interface number needs a sanity check.
-
-Signed-off-by: Oliver Neukum <oneukum at suse.com>
-Cc: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
----
- drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/media/usb/usbvision/usbvision-video.c
-+++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1537,6 +1537,13 @@ static int usbvision_probe(struct usb_in
- printk(KERN_INFO "%s: %s found\n", __func__,
- usbvision_device_data[model].model_string);
-
-+ /*
-+ * this is a security check.
-+ * an exploit using an incorrect bInterfaceNumber is known
-+ */
-+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
-+ return -ENODEV;
-+
- if (usbvision_device_data[model].interface >= 0)
- interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
- else
diff --git a/debian/patches/bugfix/all/xen-add-ring_copy_request.patch b/debian/patches/bugfix/all/xen-add-ring_copy_request.patch
deleted file mode 100644
index 51e9546..0000000
--- a/debian/patches/bugfix/all/xen-add-ring_copy_request.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: David Vrabel <david.vrabel at citrix.com>
-Date: Fri, 30 Oct 2015 14:58:08 +0000
-Subject: [1/7] xen: Add RING_COPY_REQUEST()
-Origin: https://git.kernel.org/linus/454d5d882c7e412b840e3c99010fe81a9862f6fb
-
-Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly
-(i.e., by not considering that the other end may alter the data in the
-shared ring while it is being inspected). Safe usage of a request
-generally requires taking a local copy.
-
-Provide a RING_COPY_REQUEST() macro to use instead of
-RING_GET_REQUEST() and an open-coded memcpy(). This takes care of
-ensuring that the copy is done correctly regardless of any possible
-compiler optimizations.
-
-Use a volatile source to prevent the compiler from reordering or
-omitting the copy.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- include/xen/interface/io/ring.h | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
-index 7d28aff..7dc685b4 100644
---- a/include/xen/interface/io/ring.h
-+++ b/include/xen/interface/io/ring.h
-@@ -181,6 +181,20 @@ struct __name##_back_ring { \
- #define RING_GET_REQUEST(_r, _idx) \
- (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
-
-+/*
-+ * Get a local copy of a request.
-+ *
-+ * Use this in preference to RING_GET_REQUEST() so all processing is
-+ * done on a local copy that cannot be modified by the other end.
-+ *
-+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
-+ * to be ineffective where _req is a struct which consists of only bitfields.
-+ */
-+#define RING_COPY_REQUEST(_r, _idx, _req) do { \
-+ /* Use volatile to force the copy into _req. */ \
-+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
-+} while (0)
-+
- #define RING_GET_RESPONSE(_r, _idx) \
- (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
-
diff --git a/debian/patches/bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch b/debian/patches/bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch
deleted file mode 100644
index c7b12ce..0000000
--- a/debian/patches/bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau at citrix.com>
-Date: Tue, 3 Nov 2015 16:34:09 +0000
-Subject: [4/7] xen-blkback: only read request operation from shared ring once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/1f13d75ccb806260079e0679d55d9253e370ec8a
-
-A compiler may load a switch statement value multiple times, which could
-be bad when the value is in memory shared with the frontend.
-
-When converting a non-native request to a native one, ensure that
-src->operation is only loaded once by using READ_ONCE().
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/block/xen-blkback/common.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/block/xen-blkback/common.h
-+++ b/drivers/block/xen-blkback/common.h
-@@ -391,8 +391,8 @@ static inline void blkif_get_x86_32_req(
- struct blkif_x86_32_request *src)
- {
- int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST, j;
-- dst->operation = src->operation;
-- switch (src->operation) {
-+ dst->operation = READ_ONCE(src->operation);
-+ switch (dst->operation) {
- case BLKIF_OP_READ:
- case BLKIF_OP_WRITE:
- case BLKIF_OP_WRITE_BARRIER:
-@@ -439,8 +439,8 @@ static inline void blkif_get_x86_64_req(
- struct blkif_x86_64_request *src)
- {
- int i, n = BLKIF_MAX_SEGMENTS_PER_REQUEST, j;
-- dst->operation = src->operation;
-- switch (src->operation) {
-+ dst->operation = READ_ONCE(src->operation);
-+ switch (dst->operation) {
- case BLKIF_OP_READ:
- case BLKIF_OP_WRITE:
- case BLKIF_OP_WRITE_BARRIER:
diff --git a/debian/patches/bugfix/all/xen-blkback-read-from-indirect-descriptors-only-once.patch b/debian/patches/bugfix/all/xen-blkback-read-from-indirect-descriptors-only-once.patch
deleted file mode 100644
index de74707..0000000
--- a/debian/patches/bugfix/all/xen-blkback-read-from-indirect-descriptors-only-once.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau at citrix.com>
-Date: Tue, 3 Nov 2015 16:40:43 +0000
-Subject: [5/7] xen-blkback: read from indirect descriptors only once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/18779149101c0dd43ded43669ae2a92d21b6f9cb
-
-Since indirect descriptors are in memory shared with the frontend, the
-frontend could alter the first_sect and last_sect values after they have
-been validated but before they are recorded in the request. This may
-result in I/O requests that overflow the foreign page, possibly
-overwriting local pages when the I/O request is executed.
-
-When parsing indirect descriptors, only read first_sect and last_sect
-once.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-[bwh: For 4.3, s/XEN_PAGE_SIZE/PAGE_SIZE/]
----
- drivers/block/xen-blkback/blkback.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/drivers/block/xen-blkback/blkback.c
-+++ b/drivers/block/xen-blkback/blkback.c
-@@ -861,6 +861,8 @@ static int xen_blkbk_parse_indirect(stru
- goto unmap;
-
- for (n = 0, i = 0; n < nseg; n++) {
-+ uint8_t first_sect, last_sect;
-+
- if ((n % SEGS_PER_INDIRECT_FRAME) == 0) {
- /* Map indirect segments */
- if (segments)
-@@ -868,15 +870,18 @@ static int xen_blkbk_parse_indirect(stru
- segments = kmap_atomic(pages[n/SEGS_PER_INDIRECT_FRAME]->page);
- }
- i = n % SEGS_PER_INDIRECT_FRAME;
-+
- pending_req->segments[n]->gref = segments[i].gref;
-- seg[n].nsec = segments[i].last_sect -
-- segments[i].first_sect + 1;
-- seg[n].offset = (segments[i].first_sect << 9);
-- if ((segments[i].last_sect >= (PAGE_SIZE >> 9)) ||
-- (segments[i].last_sect < segments[i].first_sect)) {
-+
-+ first_sect = READ_ONCE(segments[i].first_sect);
-+ last_sect = READ_ONCE(segments[i].last_sect);
-+ if (last_sect >= (PAGE_SIZE >> 9) || last_sect < first_sect) {
- rc = -EINVAL;
- goto unmap;
- }
-+
-+ seg[n].nsec = last_sect - first_sect + 1;
-+ seg[n].offset = first_sect << 9;
- preq->nr_sects += seg[n].nsec;
- }
-
diff --git a/debian/patches/bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch b/debian/patches/bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
deleted file mode 100644
index 4322399..0000000
--- a/debian/patches/bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: David Vrabel <david.vrabel at citrix.com>
-Date: Fri, 30 Oct 2015 15:16:01 +0000
-Subject: [2/7] xen-netback: don't use last request to determine minimum Tx
- credit
-Origin: https://git.kernel.org/linus/0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357
-
-The last from guest transmitted request gives no indication about the
-minimum amount of credit that the guest might need to send a packet
-since the last packet might have been a small one.
-
-Instead allow for the worst case 128 KiB packet.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Reviewed-by: Wei Liu <wei.liu2 at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/net/xen-netback/netback.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/drivers/net/xen-netback/netback.c
-+++ b/drivers/net/xen-netback/netback.c
-@@ -809,9 +809,7 @@ static void tx_add_credit(struct xenvif_
- * Allow a burst big enough to transmit a jumbo packet of up to 128kB.
- * Otherwise the interface can seize up due to insufficient credit.
- */
-- max_burst = RING_GET_REQUEST(&queue->tx, queue->tx.req_cons)->size;
-- max_burst = min(max_burst, 131072UL);
-- max_burst = max(max_burst, queue->credit_bytes);
-+ max_burst = max(131072UL, queue->credit_bytes);
-
- /* Take care that adding a new chunk of credit doesn't wrap to zero. */
- max_credit = queue->remaining_credit + queue->credit_bytes;
diff --git a/debian/patches/bugfix/all/xen-netback-use-ring_copy_request-throughout.patch b/debian/patches/bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
deleted file mode 100644
index d4bb7e1..0000000
--- a/debian/patches/bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From: David Vrabel <david.vrabel at citrix.com>
-Date: Fri, 30 Oct 2015 15:17:06 +0000
-Subject: [3/7] xen-netback: use RING_COPY_REQUEST() throughout
-Origin: https://git.kernel.org/linus/68a33bfd8403e4e22847165d149823a2e0e67c9c
-
-Instead of open-coding memcpy()s and directly accessing Tx and Rx
-requests, use the new RING_COPY_REQUEST() that ensures the local copy
-is correct.
-
-This is more than is strictly necessary for guest Rx requests since
-only the id and gref fields are used and it is harmless if the
-frontend modifies these.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Reviewed-by: Wei Liu <wei.liu2 at citrix.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/net/xen-netback/netback.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
---- a/drivers/net/xen-netback/netback.c
-+++ b/drivers/net/xen-netback/netback.c
-@@ -288,18 +288,18 @@ static struct xenvif_rx_meta *get_next_r
- struct netrx_pending_operations *npo)
- {
- struct xenvif_rx_meta *meta;
-- struct xen_netif_rx_request *req;
-+ struct xen_netif_rx_request req;
-
-- req = RING_GET_REQUEST(&queue->rx, queue->rx.req_cons++);
-+ RING_COPY_REQUEST(&queue->rx, queue->rx.req_cons++, &req);
-
- meta = npo->meta + npo->meta_prod++;
- meta->gso_type = XEN_NETIF_GSO_TYPE_NONE;
- meta->gso_size = 0;
- meta->size = 0;
-- meta->id = req->id;
-+ meta->id = req.id;
-
- npo->copy_off = 0;
-- npo->copy_gref = req->gref;
-+ npo->copy_gref = req.gref;
-
- return meta;
- }
-@@ -450,7 +450,7 @@ static int xenvif_gop_skb(struct sk_buff
- struct xenvif *vif = netdev_priv(skb->dev);
- int nr_frags = skb_shinfo(skb)->nr_frags;
- int i;
-- struct xen_netif_rx_request *req;
-+ struct xen_netif_rx_request req;
- struct xenvif_rx_meta *meta;
- unsigned char *data;
- int head = 1;
-@@ -471,15 +471,15 @@ static int xenvif_gop_skb(struct sk_buff
-
- /* Set up a GSO prefix descriptor, if necessary */
- if ((1 << gso_type) & vif->gso_prefix_mask) {
-- req = RING_GET_REQUEST(&queue->rx, queue->rx.req_cons++);
-+ RING_COPY_REQUEST(&queue->rx, queue->rx.req_cons++, &req);
- meta = npo->meta + npo->meta_prod++;
- meta->gso_type = gso_type;
- meta->gso_size = skb_shinfo(skb)->gso_size;
- meta->size = 0;
-- meta->id = req->id;
-+ meta->id = req.id;
- }
-
-- req = RING_GET_REQUEST(&queue->rx, queue->rx.req_cons++);
-+ RING_COPY_REQUEST(&queue->rx, queue->rx.req_cons++, &req);
- meta = npo->meta + npo->meta_prod++;
-
- if ((1 << gso_type) & vif->gso_mask) {
-@@ -491,9 +491,9 @@ static int xenvif_gop_skb(struct sk_buff
- }
-
- meta->size = 0;
-- meta->id = req->id;
-+ meta->id = req.id;
- npo->copy_off = 0;
-- npo->copy_gref = req->gref;
-+ npo->copy_gref = req.gref;
-
- data = skb->data;
- while (data < skb_tail_pointer(skb)) {
-@@ -838,7 +838,7 @@ static void xenvif_tx_err(struct xenvif_
- spin_unlock_irqrestore(&queue->response_lock, flags);
- if (cons == end)
- break;
-- txp = RING_GET_REQUEST(&queue->tx, cons++);
-+ RING_COPY_REQUEST(&queue->tx, cons++, txp);
- } while (1);
- queue->tx.req_cons = cons;
- }
-@@ -905,8 +905,7 @@ static int xenvif_count_requests(struct
- if (drop_err)
- txp = &dropped_tx;
-
-- memcpy(txp, RING_GET_REQUEST(&queue->tx, cons + slots),
-- sizeof(*txp));
-+ RING_COPY_REQUEST(&queue->tx, cons + slots, txp);
-
- /* If the guest submitted a frame >= 64 KiB then
- * first->size overflowed and following slots will
-@@ -1258,8 +1257,7 @@ static int xenvif_get_extras(struct xenv
- return -EBADR;
- }
-
-- memcpy(&extra, RING_GET_REQUEST(&queue->tx, cons),
-- sizeof(extra));
-+ RING_COPY_REQUEST(&queue->tx, cons, &extra);
- if (unlikely(!extra.type ||
- extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) {
- queue->tx.req_cons = ++cons;
-@@ -1395,7 +1393,7 @@ static void xenvif_tx_build_gops(struct
-
- idx = queue->tx.req_cons;
- rmb(); /* Ensure that we see the request before we copy it. */
-- memcpy(&txreq, RING_GET_REQUEST(&queue->tx, idx), sizeof(txreq));
-+ RING_COPY_REQUEST(&queue->tx, idx, &txreq);
-
- /* Credit-based scheduling. */
- if (txreq.size > queue->remaining_credit &&
diff --git a/debian/patches/bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch b/debian/patches/bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
deleted file mode 100644
index de93cfa..0000000
--- a/debian/patches/bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 2 Nov 2015 17:24:08 -0500
-Subject: [3/5] xen/pciback: Do not install an IRQ handler for MSI interrupts.
-Origin: https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0
-
-Otherwise an guest can subvert the generic MSI code to trigger
-an BUG_ON condition during MSI interrupt freeing:
-
- for (i = 0; i < entry->nvec_used; i++)
- BUG_ON(irq_has_action(entry->irq + i));
-
-Xen PCI backed installs an IRQ handler (request_irq) for
-the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
-(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
-done in case the device has legacy interrupts the GSI line
-is shared by the backend devices.
-
-To subvert the backend the guest needs to make the backend
-to change the dev->irq from the GSI to the MSI interrupt line,
-make the backend allocate an interrupt handler, and then command
-the backend to free the MSI interrupt and hit the BUG_ON.
-
-Since the backend only calls 'request_irq' when the guest
-writes to the PCI_COMMAND register the guest needs to call
-XEN_PCI_OP_enable_msi before any other operation. This will
-cause the generic MSI code to setup an MSI entry and
-populate dev->irq with the new PIRQ value.
-
-Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
-and cause the backend to setup an IRQ handler for dev->irq
-(which instead of the GSI value has the MSI pirq). See
-'xen_pcibk_control_isr'.
-
-Then the guest disables the MSI: XEN_PCI_OP_disable_msi
-which ends up triggering the BUG_ON condition in 'free_msi_irqs'
-as there is an IRQ handler for the entry->irq (dev->irq).
-
-Note that this cannot be done using MSI-X as the generic
-code does not over-write dev->irq with the MSI-X PIRQ values.
-
-The patch inhibits setting up the IRQ handler if MSI or
-MSI-X (for symmetry reasons) code had been called successfully.
-
-P.S.
-Xen PCIBack when it sets up the device for the guest consumption
-ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
-XSA-120 addendum patch removed that - however when upstreaming said
-addendum we found that it caused issues with qemu upstream. That
-has now been fixed in qemu upstream.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index 029f33d..d0696ce 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -70,6 +70,13 @@ static void xen_pcibk_control_isr(struct pci_dev *dev, int reset)
- enable ? "enable" : "disable");
-
- if (enable) {
-+ /*
-+ * The MSI or MSI-X should not have an IRQ handler. Otherwise
-+ * if the guest terminates we BUG_ON in free_msi_irqs.
-+ */
-+ if (dev->msi_enabled || dev->msix_enabled)
-+ goto out;
-+
- rc = request_irq(dev_data->irq,
- xen_pcibk_guest_interrupt, IRQF_SHARED,
- dev_data->irq_name, dev);
diff --git a/debian/patches/bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch b/debian/patches/bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
deleted file mode 100644
index e6792b9..0000000
--- a/debian/patches/bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 2 Nov 2015 18:13:27 -0500
-Subject: [5/5] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not
- set.
-Origin: https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0
-
-commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way")
-teaches us that dealing with MSI-X can be troublesome.
-
-Further checks in the MSI-X architecture shows that if the
-PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we
-may not be able to access the BAR (since they are memory regions).
-
-Since the MSI-X tables are located in there.. that can lead
-to us causing PCIe errors. Inhibit us performing any
-operation on the MSI-X unless the MEMORY bit is set.
-
-Note that Xen hypervisor with:
-"x86/MSI-X: access MSI-X table only after having enabled MSI-X"
-will return:
-xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3!
-
-When the generic MSI code tries to setup the PIRQ without
-MEMORY bit set. Which means with later versions of Xen
-(4.6) this patch is not neccessary.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index 4ee5fc0..73dafdc 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -212,6 +212,7 @@ int xen_pcibk_enable_msix(struct xen_pcibk_device *pdev,
- struct xen_pcibk_dev_data *dev_data;
- int i, result;
- struct msix_entry *entries;
-+ u16 cmd;
-
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n",
-@@ -223,7 +224,12 @@ int xen_pcibk_enable_msix(struct xen_pcibk_device *pdev,
- if (dev->msix_enabled)
- return -EALREADY;
-
-- if (dev->msi_enabled)
-+ /*
-+ * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
-+ * to access the BARs where the MSI-X entries reside.
-+ */
-+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
-+ if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
- return -ENXIO;
-
- entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL);
diff --git a/debian/patches/bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch b/debian/patches/bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
deleted file mode 100644
index 7b051d1..0000000
--- a/debian/patches/bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Wed, 1 Apr 2015 10:49:47 -0400
-Subject: [4/5] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if
- device has MSI(X) enabled.
-Origin: https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49
-
-Otherwise just continue on, returning the same values as
-previously (return of 0, and op->result has the PIRQ value).
-
-This does not change the behavior of XEN_PCI_OP_disable_msi[|x].
-
-The pci_disable_msi or pci_disable_msix have the checks for
-msi_enabled or msix_enabled so they will error out immediately.
-
-However the guest can still call these operations and cause
-us to disable the 'ack_intr'. That means the backend IRQ handler
-for the legacy interrupt will not respond to interrupts anymore.
-
-This will lead to (if the device is causing an interrupt storm)
-for the Linux generic code to disable the interrupt line.
-
-Naturally this will only happen if the device in question
-is plugged in on the motherboard on shared level interrupt GSI.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 33 ++++++++++++++++++++-------------
- 1 file changed, 20 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index d0696ce..4ee5fc0 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -185,20 +185,23 @@ static
- int xen_pcibk_disable_msi(struct xen_pcibk_device *pdev,
- struct pci_dev *dev, struct xen_pci_op *op)
- {
-- struct xen_pcibk_dev_data *dev_data;
--
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: disable MSI\n",
- pci_name(dev));
-- pci_disable_msi(dev);
-
-+ if (dev->msi_enabled) {
-+ struct xen_pcibk_dev_data *dev_data;
-+
-+ pci_disable_msi(dev);
-+
-+ dev_data = pci_get_drvdata(dev);
-+ if (dev_data)
-+ dev_data->ack_intr = 1;
-+ }
- op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: MSI: %d\n", pci_name(dev),
- op->value);
-- dev_data = pci_get_drvdata(dev);
-- if (dev_data)
-- dev_data->ack_intr = 1;
- return 0;
- }
-
-@@ -264,23 +267,27 @@ static
- int xen_pcibk_disable_msix(struct xen_pcibk_device *pdev,
- struct pci_dev *dev, struct xen_pci_op *op)
- {
-- struct xen_pcibk_dev_data *dev_data;
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: disable MSI-X\n",
- pci_name(dev));
-- pci_disable_msix(dev);
-
-+ if (dev->msix_enabled) {
-+ struct xen_pcibk_dev_data *dev_data;
-+
-+ pci_disable_msix(dev);
-+
-+ dev_data = pci_get_drvdata(dev);
-+ if (dev_data)
-+ dev_data->ack_intr = 1;
-+ }
- /*
- * SR-IOV devices (which don't have any legacy IRQ) have
- * an undefined IRQ value of zero.
- */
- op->value = dev->irq ? xen_pirq_from_irq(dev->irq) : 0;
- if (unlikely(verbose_request))
-- printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n", pci_name(dev),
-- op->value);
-- dev_data = pci_get_drvdata(dev);
-- if (dev_data)
-- dev_data->ack_intr = 1;
-+ printk(KERN_DEBUG DRV_NAME ": %s: MSI-X: %d\n",
-+ pci_name(dev), op->value);
- return 0;
- }
- #endif
diff --git a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch b/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch
deleted file mode 100644
index 67cb747..0000000
--- a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Fri, 3 Apr 2015 11:08:22 -0400
-Subject: [1/5] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device
- has MSI or MSI-X enabled
-Origin: https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d
-
-The guest sequence of:
-
- a) XEN_PCI_OP_enable_msi
- b) XEN_PCI_OP_enable_msi
- c) XEN_PCI_OP_disable_msi
-
-results in hitting an BUG_ON condition in the msi.c code.
-
-The MSI code uses an dev->msi_list to which it adds MSI entries.
-Under the above conditions an BUG_ON() can be hit. The device
-passed in the guest MUST have MSI capability.
-
-The a) adds the entry to the dev->msi_list and sets msi_enabled.
-The b) adds a second entry but adding in to SysFS fails (duplicate entry)
-and deletes all of the entries from msi_list and returns (with msi_enabled
-is still set). c) pci_disable_msi passes the msi_enabled checks and hits:
-
-BUG_ON(list_empty(dev_to_msi_list(&dev->dev)));
-
-and blows up.
-
-The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard
-against that. The check for msix_enabled is not stricly neccessary.
-
-This is part of XSA-157.
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Reviewed-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index a0e0e3e..8bfb87c 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -144,7 +144,12 @@ int xen_pcibk_enable_msi(struct xen_pcibk_device *pdev,
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: enable MSI\n", pci_name(dev));
-
-- status = pci_enable_msi(dev);
-+ if (dev->msi_enabled)
-+ status = -EALREADY;
-+ else if (dev->msix_enabled)
-+ status = -ENXIO;
-+ else
-+ status = pci_enable_msi(dev);
-
- if (status) {
- pr_warn_ratelimited("%s: error enabling MSI for guest %u: err %d\n",
diff --git a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch b/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
deleted file mode 100644
index 0d37a4c..0000000
--- a/debian/patches/bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 2 Nov 2015 18:07:44 -0500
-Subject: [2/5] xen/pciback: Return error on XEN_PCI_OP_enable_msix when device
- has MSI or MSI-X enabled
-Origin: https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9
-
-The guest sequence of:
-
- a) XEN_PCI_OP_enable_msix
- b) XEN_PCI_OP_enable_msix
-
-results in hitting an NULL pointer due to using freed pointers.
-
-The device passed in the guest MUST have MSI-X capability.
-
-The a) constructs and SysFS representation of MSI and MSI groups.
-The b) adds a second set of them but adding in to SysFS fails (duplicate entry).
-'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that
-in a) pdev->msi_irq_groups is still set) and also free's ALL of the
-MSI-X entries of the device (the ones allocated in step a) and b)).
-
-The unwind code: 'free_msi_irqs' deletes all the entries and tries to
-delete the pdev->msi_irq_groups (which hasn't been set to NULL).
-However the pointers in the SysFS are already freed and we hit an
-NULL pointer further on when 'strlen' is attempted on a freed pointer.
-
-The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard
-against that. The check for msi_enabled is not stricly neccessary.
-
-This is part of XSA-157
-
-CC: stable at vger.kernel.org
-Reviewed-by: David Vrabel <david.vrabel at citrix.com>
-Reviewed-by: Jan Beulich <jbeulich at suse.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback_ops.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index 8bfb87c..029f33d 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -206,9 +206,16 @@ int xen_pcibk_enable_msix(struct xen_pcibk_device *pdev,
- if (unlikely(verbose_request))
- printk(KERN_DEBUG DRV_NAME ": %s: enable MSI-X\n",
- pci_name(dev));
-+
- if (op->value > SH_INFO_MAX_VEC)
- return -EINVAL;
-
-+ if (dev->msix_enabled)
-+ return -EALREADY;
-+
-+ if (dev->msi_enabled)
-+ return -ENXIO;
-+
- entries = kmalloc(op->value * sizeof(*entries), GFP_KERNEL);
- if (entries == NULL)
- return -ENOMEM;
diff --git a/debian/patches/bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch b/debian/patches/bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch
deleted file mode 100644
index 101afe8..0000000
--- a/debian/patches/bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Date: Mon, 16 Nov 2015 12:40:48 -0500
-Subject: [7/7] xen/pciback: Save xen_pci_op commands before processing it
-Origin: https://git.kernel.org/linus/8135cf8b092723dbfcc611fe6fdcb3a36c9951c5
-
-Double fetch vulnerabilities that happen when a variable is
-fetched twice from shared memory but a security check is only
-performed the first time.
-
-The xen_pcibk_do_op function performs a switch statements on the op->cmd
-value which is stored in shared memory. Interestingly this can result
-in a double fetch vulnerability depending on the performed compiler
-optimization.
-
-This patch fixes it by saving the xen_pci_op command before
-processing it. We also use 'barrier' to make sure that the
-compiler does not perform any optimization.
-
-This is part of XSA155.
-
-CC: stable at vger.kernel.org
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
-Signed-off-by: Jan Beulich <JBeulich at suse.com>
-Signed-off-by: David Vrabel <david.vrabel at citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/pciback.h | 1 +
- drivers/xen/xen-pciback/pciback_ops.c | 15 ++++++++++++++-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/xen/xen-pciback/pciback.h b/drivers/xen/xen-pciback/pciback.h
-index 58e38d5..4d529f3 100644
---- a/drivers/xen/xen-pciback/pciback.h
-+++ b/drivers/xen/xen-pciback/pciback.h
-@@ -37,6 +37,7 @@ struct xen_pcibk_device {
- struct xen_pci_sharedinfo *sh_info;
- unsigned long flags;
- struct work_struct op_work;
-+ struct xen_pci_op op;
- };
-
- struct xen_pcibk_dev_data {
-diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
-index c4a0666..a0e0e3e 100644
---- a/drivers/xen/xen-pciback/pciback_ops.c
-+++ b/drivers/xen/xen-pciback/pciback_ops.c
-@@ -298,9 +298,11 @@ void xen_pcibk_do_op(struct work_struct *data)
- container_of(data, struct xen_pcibk_device, op_work);
- struct pci_dev *dev;
- struct xen_pcibk_dev_data *dev_data = NULL;
-- struct xen_pci_op *op = &pdev->sh_info->op;
-+ struct xen_pci_op *op = &pdev->op;
- int test_intx = 0;
-
-+ *op = pdev->sh_info->op;
-+ barrier();
- dev = xen_pcibk_get_pci_dev(pdev, op->domain, op->bus, op->devfn);
-
- if (dev == NULL)
-@@ -342,6 +344,17 @@ void xen_pcibk_do_op(struct work_struct *data)
- if ((dev_data->enable_intx != test_intx))
- xen_pcibk_control_isr(dev, 0 /* no reset */);
- }
-+ pdev->sh_info->op.err = op->err;
-+ pdev->sh_info->op.value = op->value;
-+#ifdef CONFIG_PCI_MSI
-+ if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
-+ unsigned int i;
-+
-+ for (i = 0; i < op->value; i++)
-+ pdev->sh_info->op.msix_entries[i].vector =
-+ op->msix_entries[i].vector;
-+ }
-+#endif
- /* Tell the driver domain that we're done. */
- wmb();
- clear_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags);
diff --git a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch b/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
deleted file mode 100644
index 5306caa..0000000
--- a/debian/patches/bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 6 Jan 2016 12:21:01 -0800
-Subject: x86/mm: Add barriers and document switch_mm()-vs-flush
- synchronization
-Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e
-
-When switch_mm() activates a new PGD, it also sets a bit that
-tells other CPUs that the PGD is in use so that TLB flush IPIs
-will be sent. In order for that to work correctly, the bit
-needs to be visible prior to loading the PGD and therefore
-starting to fill the local TLB.
-
-Document all the barriers that make this work correctly and add
-a couple that were missing.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Dave Hansen <dave.hansen at linux.intel.com>
-Cc: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Rik van Riel <riel at redhat.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: linux-mm at kvack.org
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 3.16: adjust context]
----
- arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++-
- arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++---
- 2 files changed, 58 insertions(+), 4 deletions(-)
-
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -86,9 +86,35 @@ static inline void switch_mm(struct mm_s
- #endif
- cpumask_set_cpu(cpu, mm_cpumask(next));
-
-- /* Re-load page tables */
-+ /*
-+ * Re-load page tables.
-+ *
-+ * This logic has an ordering constraint:
-+ *
-+ * CPU 0: Write to a PTE for 'next'
-+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
-+ * CPU 1: set bit 1 in next's mm_cpumask
-+ * CPU 1: load from the PTE that CPU 0 writes (implicit)
-+ *
-+ * We need to prevent an outcome in which CPU 1 observes
-+ * the new PTE value and CPU 0 observes bit 1 clear in
-+ * mm_cpumask. (If that occurs, then the IPI will never
-+ * be sent, and CPU 0's TLB will contain a stale entry.)
-+ *
-+ * The bad outcome can occur if either CPU's load is
-+ * reordered before that CPU's store, so both CPUs much
-+ * execute full barriers to prevent this from happening.
-+ *
-+ * Thus, switch_mm needs a full barrier between the
-+ * store to mm_cpumask and any operation that could load
-+ * from next->pgd. This barrier synchronizes with
-+ * remote TLB flushers. Fortunately, load_cr3 is
-+ * serializing and thus acts as a full barrier.
-+ *
-+ */
- load_cr3(next->pgd);
-
-+
- /* Stop flush ipis for the previous mm */
- cpumask_clear_cpu(cpu, mm_cpumask(prev));
-
-@@ -109,10 +135,15 @@ static inline void switch_mm(struct mm_s
- * schedule, protecting us from simultaneous changes.
- */
- cpumask_set_cpu(cpu, mm_cpumask(next));
-+
- /*
- * We were in lazy tlb mode and leave_mm disabled
- * tlb flush IPI delivery. We must reload CR3
- * to make sure to use no freed page tables.
-+ *
-+ * As above, this is a barrier that forces
-+ * TLB repopulation to be ordered after the
-+ * store to mm_cpumask.
- */
- load_cr3(next->pgd);
- load_mm_ldt(next);
---- a/arch/x86/mm/tlb.c
-+++ b/arch/x86/mm/tlb.c
-@@ -152,7 +152,10 @@ void flush_tlb_current_task(void)
- preempt_disable();
-
- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
-+
-+ /* This is an implicit full barrier that synchronizes with switch_mm. */
- local_flush_tlb();
-+
- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
- flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
- preempt_enable();
-@@ -166,11 +169,19 @@ void flush_tlb_mm_range(struct mm_struct
- unsigned long nr_base_pages;
-
- preempt_disable();
-- if (current->active_mm != mm)
-+ if (current->active_mm != mm) {
-+ /* Synchronize with switch_mm. */
-+ smp_mb();
-+
- goto flush_all;
-+ }
-
- if (!current->mm) {
- leave_mm(smp_processor_id());
-+
-+ /* Synchronize with switch_mm. */
-+ smp_mb();
-+
- goto flush_all;
- }
-
-@@ -191,6 +202,10 @@ void flush_tlb_mm_range(struct mm_struct
- act_entries = mm->total_vm > act_entries ? act_entries : mm->total_vm;
- nr_base_pages = (end - start) >> PAGE_SHIFT;
-
-+ /*
-+ * Both branches below are implicit full barriers (MOV to CR or
-+ * INVLPG) that synchronize with switch_mm.
-+ */
- /* tlb_flushall_shift is on balance point, details in commit log */
- if (nr_base_pages > act_entries) {
- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
-@@ -222,10 +237,18 @@ void flush_tlb_page(struct vm_area_struc
- preempt_disable();
-
- if (current->active_mm == mm) {
-- if (current->mm)
-+ if (current->mm) {
-+ /*
-+ * Implicit full barrier (INVLPG) that synchronizes
-+ * with switch_mm.
-+ */
- __flush_tlb_one(start);
-- else
-+ } else {
- leave_mm(smp_processor_id());
-+
-+ /* Synchronize with switch_mm. */
-+ smp_mb();
-+ }
- }
-
- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
diff --git a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch b/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
deleted file mode 100644
index d43baeb..0000000
--- a/debian/patches/bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Tue, 12 Jan 2016 12:47:40 -0800
-Subject: x86/mm: Improve switch_mm() barrier comments
-Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b
-
-My previous comments were still a bit confusing and there was a
-typo. Fix it up.
-
-Reported-by: Peter Zijlstra <peterz at infradead.org>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Dave Hansen <dave.hansen at linux.intel.com>
-Cc: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Rik van Riel <riel at redhat.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization")
-Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
----
- arch/x86/include/asm/mmu_context.h | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
---- a/arch/x86/include/asm/mmu_context.h
-+++ b/arch/x86/include/asm/mmu_context.h
-@@ -102,14 +102,16 @@ static inline void switch_mm(struct mm_s
- * be sent, and CPU 0's TLB will contain a stale entry.)
- *
- * The bad outcome can occur if either CPU's load is
-- * reordered before that CPU's store, so both CPUs much
-+ * reordered before that CPU's store, so both CPUs must
- * execute full barriers to prevent this from happening.
- *
- * Thus, switch_mm needs a full barrier between the
- * store to mm_cpumask and any operation that could load
-- * from next->pgd. This barrier synchronizes with
-- * remote TLB flushers. Fortunately, load_cr3 is
-- * serializing and thus acts as a full barrier.
-+ * from next->pgd. TLB fills are special and can happen
-+ * due to instruction fetches or for no reason at all,
-+ * and neither LOCK nor MFENCE orders them.
-+ * Fortunately, load_cr3() is serializing and gives the
-+ * ordering guarantee we need.
- *
- */
- load_cr3(next->pgd);
-@@ -141,9 +143,8 @@ static inline void switch_mm(struct mm_s
- * tlb flush IPI delivery. We must reload CR3
- * to make sure to use no freed page tables.
- *
-- * As above, this is a barrier that forces
-- * TLB repopulation to be ordered after the
-- * store to mm_cpumask.
-+ * As above, load_cr3() is serializing and orders TLB
-+ * fills with respect to the mm_cpumask write.
- */
- load_cr3(next->pgd);
- load_mm_ldt(next);
diff --git a/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch b/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
new file mode 100644
index 0000000..ee01687
--- /dev/null
+++ b/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
@@ -0,0 +1,137 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 02 Mar 2016 18:33:46 +0000
+Subject: crypto: Fix ABI change in 3.16.7-ckt25
+Forwarded: not-needed
+
+The addition of a has_setkey field to crypto_ahash and ablkcipher_tfm
+broke the ABI for crypto and several driver subsystems that use
+crypto.
+
+As it is effectively a cache of information about the algorithm,
+remove it and look up that information directly in the
+crypto_{ahash,ablkcipher}_has_setkey() functions.
+
+---
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -375,7 +375,6 @@ static int crypto_init_ablkcipher_ops(st
+ }
+ crt->base = __crypto_ablkcipher_cast(tfm);
+ crt->ivsize = alg->ivsize;
+- crt->has_setkey = alg->max_keysize;
+
+ return 0;
+ }
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -444,7 +444,6 @@ static int crypto_ahash_init_tfm(struct
+ struct ahash_alg *alg = crypto_ahash_alg(hash);
+
+ hash->setkey = ahash_nosetkey;
+- hash->has_setkey = false;
+ hash->export = ahash_no_export;
+ hash->import = ahash_no_import;
+
+@@ -457,10 +456,8 @@ static int crypto_ahash_init_tfm(struct
+ hash->finup = alg->finup ?: ahash_def_finup;
+ hash->digest = alg->digest;
+
+- if (alg->setkey) {
++ if (alg->setkey)
+ hash->setkey = alg->setkey;
+- hash->has_setkey = true;
+- }
+ if (alg->export)
+ hash->export = alg->export;
+ if (alg->import)
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -24,11 +24,12 @@
+
+ static const struct crypto_type crypto_shash_type;
+
+-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+- unsigned int keylen)
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen)
+ {
+ return -ENOSYS;
+ }
++EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
+@@ -356,8 +357,6 @@ int crypto_init_shash_ops_async(struct c
+ crt->digest = shash_async_digest;
+ crt->setkey = shash_async_setkey;
+
+- crt->has_setkey = alg->setkey != shash_no_setkey;
+-
+ if (alg->export)
+ crt->export = shash_async_export;
+ if (alg->import)
+--- a/include/crypto/hash.h
++++ b/include/crypto/hash.h
+@@ -94,7 +94,6 @@ struct crypto_ahash {
+ unsigned int keylen);
+
+ unsigned int reqsize;
+- bool has_setkey;
+ struct crypto_tfm base;
+ };
+
+@@ -185,7 +184,22 @@ int crypto_ahash_setkey(struct crypto_ah
+
+ static inline bool crypto_ahash_has_setkey(struct crypto_ahash *tfm)
+ {
+- return tfm->has_setkey;
++ struct crypto_tfm *basetfm = crypto_ahash_tfm(tfm);
++
++ switch (crypto_tfm_alg_type(basetfm)) {
++ case CRYPTO_ALG_TYPE_SHASH: {
++ extern int shash_no_setkey(struct crypto_shash *tfm,
++ const u8 *key,
++ unsigned int keylen);
++ struct shash_alg *alg = container_of(basetfm->__crt_alg,
++ struct shash_alg, base);
++
++ return alg->setkey != shash_no_setkey;
++ }
++
++ default:
++ return tfm->setkey != NULL;
++ }
+ }
+
+ int crypto_ahash_finup(struct ahash_request *req);
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -354,7 +354,6 @@ struct ablkcipher_tfm {
+
+ unsigned int ivsize;
+ unsigned int reqsize;
+- bool has_setkey;
+ };
+
+ struct aead_tfm {
+@@ -667,9 +666,18 @@ static inline int crypto_ablkcipher_setk
+
+ static inline bool crypto_ablkcipher_has_setkey(struct crypto_ablkcipher *tfm)
+ {
+- struct ablkcipher_tfm *crt = crypto_ablkcipher_crt(tfm);
++ struct crypto_tfm *basetfm = crypto_ablkcipher_tfm(tfm);
+
+- return crt->has_setkey;
++ switch (crypto_tfm_alg_type(basetfm)) {
++ case CRYPTO_ALG_TYPE_ABLKCIPHER: {
++ struct ablkcipher_alg *alg = &basetfm->__crt_alg->cra_ablkcipher;
++
++ return alg->max_keysize != 0;
++ }
++
++ default:
++ return false;
++ }
+ }
+
+ static inline struct crypto_ablkcipher *crypto_ablkcipher_reqtfm(
diff --git a/debian/patches/debian/enclosure-fix-abi-change-in-3.16.7-ckt23.patch b/debian/patches/debian/enclosure-fix-abi-change-in-3.16.7-ckt23.patch
new file mode 100644
index 0000000..e613f7e
--- /dev/null
+++ b/debian/patches/debian/enclosure-fix-abi-change-in-3.16.7-ckt23.patch
@@ -0,0 +1,30 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 23 Jan 2016 18:47:29 +0000
+Subject: enclosure: Fix ABI change in 3.16.7-ckt23
+Forwarded: not-needed
+
+This is a bit ridiculous...
+---
+ include/linux/enclosure.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/linux/enclosure.h b/include/linux/enclosure.h
+index f6c229e..a146074 100644
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,11 +29,15 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+ ENCLOSURE_COMPONENT_DEVICE = 0x01,
++#ifndef __GENKSYMS__
+ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
+ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
+ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
++#endif
+ ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++#ifndef __GENKSYMS__
+ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
++#endif
+ };
+
+ /* ses-2 common element status */
diff --git a/debian/patches/debian/revert-cgroup-make-sure-a-parent-css-isn-t-offlined.patch b/debian/patches/debian/revert-cgroup-make-sure-a-parent-css-isn-t-offlined.patch
new file mode 100644
index 0000000..7131f05
--- /dev/null
+++ b/debian/patches/debian/revert-cgroup-make-sure-a-parent-css-isn-t-offlined.patch
@@ -0,0 +1,79 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 02 Mar 2016 16:30:16 +0000
+Subject: Revert "cgroup: make sure a parent css isn't offlined before its children"
+Forwarded: not-needed
+
+This reverts commit d9892cc2d91b31ea58c775531813a21dc24e50d0, which
+was commit aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 upstream. It
+seems to be a good fix but causes an unfixable ABI change as it
+extends a structure that's embedded in other structures.
+
+---
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -88,12 +88,6 @@ struct cgroup_subsys_state {
+ */
+ u64 serial_nr;
+
+- /*
+- * Incremented by online self and children. Used to guarantee that
+- * parents are not offlined before their children.
+- */
+- atomic_t online_cnt;
+-
+ /* percpu_ref killing and RCU release */
+ struct rcu_head rcu_head;
+ struct work_struct destroy_work;
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4278,7 +4278,6 @@ static void init_and_link_css(struct cgr
+ INIT_LIST_HEAD(&css->sibling);
+ INIT_LIST_HEAD(&css->children);
+ css->serial_nr = css_serial_nr_next++;
+- atomic_set(&css->online_cnt, 0);
+
+ if (cgroup_parent(cgrp)) {
+ css->parent = cgroup_css(cgroup_parent(cgrp), ss);
+@@ -4301,10 +4300,6 @@ static int online_css(struct cgroup_subs
+ if (!ret) {
+ css->flags |= CSS_ONLINE;
+ rcu_assign_pointer(css->cgroup->subsys[ss->id], css);
+-
+- atomic_inc(&css->online_cnt);
+- if (css->parent)
+- atomic_inc(&css->parent->online_cnt);
+ }
+ return ret;
+ }
+@@ -4529,15 +4524,10 @@ static void css_killed_work_fn(struct wo
+ container_of(work, struct cgroup_subsys_state, destroy_work);
+
+ mutex_lock(&cgroup_mutex);
+-
+- do {
+- offline_css(css);
+- css_put(css);
+- /* @css can't go away while we're holding cgroup_mutex */
+- css = css->parent;
+- } while (css && atomic_dec_and_test(&css->online_cnt));
+-
++ offline_css(css);
+ mutex_unlock(&cgroup_mutex);
++
++ css_put(css);
+ }
+
+ /* css kill confirmation processing requires process context, bounce */
+@@ -4546,10 +4536,8 @@ static void css_killed_ref_fn(struct per
+ struct cgroup_subsys_state *css =
+ container_of(ref, struct cgroup_subsys_state, refcnt);
+
+- if (atomic_dec_and_test(&css->online_cnt)) {
+- INIT_WORK(&css->destroy_work, css_killed_work_fn);
+- queue_work(cgroup_destroy_wq, &css->destroy_work);
+- }
++ INIT_WORK(&css->destroy_work, css_killed_work_fn);
++ queue_work(cgroup_destroy_wq, &css->destroy_work);
+ }
+
+ /**
diff --git a/debian/patches/series b/debian/patches/series
index 3186b86..482e41b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -640,49 +640,15 @@ bugfix/all/nbd-remove-variable-pid.patch
bugfix/all/nbd-add-locking-for-tasks.patch
debian/ehci-fix-abi-change-in-3.16.7-ckt19.patch
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
-bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
-bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
-bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
debian/af_unix-avoid-abi-changes.patch
-bugfix/all/xen-add-ring_copy_request.patch
-bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
-bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
-bugfix/all/xen-blkback-only-read-request-operation-from-shared-.patch
-bugfix/all/xen-blkback-read-from-indirect-descriptors-only-once.patch
-bugfix/all/xen-pciback-save-xen_pci_op-commands-before-processi.patch
-bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msi-wh.patch
-bugfix/all/xen-pciback-return-error-on-xen_pci_op_enable_msix-w.patch
-bugfix/all/xen-pciback-do-not-install-an-irq-handler-for-msi-in.patch
-bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
-bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
debian/ptrace-fix-abi-change-for-priv-esc-fix.patch
-bugfix/all/revert-net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
-bugfix/all/udp-properly-support-msg_peek-with-truncated-buffers.patch
-bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
-bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
-bugfix/all/sctp-prevent-soft-lockup-when-sctp_accept-is-called-.patch
-bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
-bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
-bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
debian/fix-abi-changes-for-cve-2013-4312-fix.patch
-bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
debian/drm-fix-abi-change-in-3.16.7-ckt22.patch
-bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
bugfix/all/aufs-tiny-extract-a-new-func-xino_fwrite_wkq.patch
bugfix/all/aufs-for-4.3-xino-handles-eintr-from-the-dying-proce.patch
-bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
-bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
-bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
-bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
-bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
-bugfix/all/unix-correctly-track-in-flight-fds-in-sending-process-user_struct.patch
-bugfix/all/usb-fix-invalid-memory-access-in-hub_activate.patch
-bugfix/all/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
-bugfix/all/alsa-seq-fix-race-at-timer-setup-and-close.patch
-bugfix/all/alsa-timer-fix-double-unlink-of-active_list.patch
-bugfix/all/alsa-timer-fix-race-among-timer-ioctls.patch
-bugfix/all/alsa-timer-harden-slave-timer-list-handling.patch
-bugfix/all/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
bugfix/all/aio-properly-check-iovec-sizes.patch
+debian/enclosure-fix-abi-change-in-3.16.7-ckt23.patch
+debian/revert-cgroup-make-sure-a-parent-css-isn-t-offlined.patch
+debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list