[linux] 01/03: Merge tag 'debian/4.5.3-2'
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon May 9 00:43:21 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit be31f1ecd545857f7d6e95659b64674d0eadc989
Merge: ae6831e 9f2cb7b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun May 8 21:47:32 2016 +0100
Merge tag 'debian/4.5.3-2'
Drop the ABI reference files and patches.
Rebase patches added on the sid branch.
debian/README.source | 7 +-
debian/bin/ckt-stable-update.sh | 76 --------
debian/bin/stable-update | 126 +++++++++++++
debian/bin/stable-update.sh | 80 +-------
debian/changelog | 205 +++++++++++++++++++++
debian/config/armhf/config.armmp | 8 +
debian/lib/python/debian_linux/debian.py | 16 +-
...pf-fix-check_map_func_compatibility-logic.patch | 110 +++++++++++
.../bugfix/all/bpf-fix-refcnt-overflow.patch | 147 +++++++++++++++
.../powerpc-fix-sstep-compile-on-powerpcspe.patch | 48 +++++
...00_tco-fix-the-device-check-for-SB800-and.patch | 73 ++++++++
debian/patches/series | 4 +
debian/templates/image.bug/control | 2 +-
13 files changed, 738 insertions(+), 164 deletions(-)
diff --cc debian/changelog
index 143b9e1,f01683d..703b27b
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,42 -1,208 +1,247 @@@
+linux (4.6~rc6-1~exp1) UNRELEASED; urgency=medium
+
+ * New upstream release candidate
+
+ [ Martin Michlmayr ]
+ * i2c-modules udeb: Add modules from i2c/busses.
+
+ [ Ben Hutchings ]
+ * [hppa] Enable MLONGCALLS (fixes FTBFS)
+ * [alpha] fs: Disable BINFMT_EM86 (obsoleted by binfmt_misc; fixes FTBFS)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Thu, 05 May 2016 10:54:38 +0100
+
+linux (4.6~rc5-1~exp1) experimental; urgency=medium
+
+ * New upstream release candidate
+
+ [ Ben Hutchings ]
+ * [armhf] Enable EFI, RTC_DRV_EFI
+ * Update config for renaming/removal/replacement/merging/splitting of various
+ symbols
+ * *lockdep*,linux-perf: Remove '-rcN' from installation paths
+
+ [ Martin Michlmayr ]
+ * [armel, armhf] Use new Marvell CESA driver.
+ * [arm64] Enable support for NVIDIA Tegra.
+ * [arm64] udeb: Create fb-modules.
+
+ -- Ben Hutchings <ben at decadent.org.uk> Fri, 29 Apr 2016 10:40:36 +0200
+
+linux (4.6~rc3-1~exp1) experimental; urgency=medium
+
+ * New upstream release candidate
+
+ [ Ben Hutchings ]
+ * aufs: Update support patches to aufs4.x-rcN-20160328
+
+ -- Ben Hutchings <ben at decadent.org.uk> Thu, 14 Apr 2016 23:55:15 +0100
+
+ linux (4.5.3-2) unstable; urgency=medium
+
+ * [s390x] PCI: Ignore zpci ABI changes; these functions are not used by
+ modules
+ * [powerpc*] Fix sstep compile on powerpcspe (Closes: #823526; thanks to
+ Lennart Sorensen)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 08 May 2016 15:03:45 +0100
+
+ linux (4.5.3-1) unstable; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3
+ - mmc: block: Use the mmc host device index as the mmcblk device index
+ - block: partition: initialize percpuref before sending out KOBJ_ADD
+ - block: loop: fix filesystem corruption in case of aio/dio
+ - [arm64] efi: Don't apply MEMBLOCK_NOMAP to UEFI memory map mapping
+ - [x86] mce: Avoid using object after free in genpool
+ - [x86] kvm: do not leak guest xcr0 into host interrupt handlers
+ - [arm*] KVM: Handle forward time correction gracefully
+ - [armhf] mvebu: Correct unit address for linksys
+ - [armhf] OMAP2: Fix up interconnect barrier initialization for DRA7
+ - [armhf] OMAP2+: hwmod: Fix updating of sysconfig register
+ - assoc_array: don't call compare_object() on a node
+ - [x86] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host
+ - xhci: resume USB 3 roothub first
+ - usb: host: xhci: add a new quirk XHCI_NO_64BIT_SUPPORT
+ - usb: xhci: fix wild pointers in xhci_mem_cleanup
+ - xhci: fix 10 second timeout on removal of PCI hotpluggable xhci
+ controllers
+ - usb: host: xhci-plat: Make enum xhci_plat_type start at a non zero value
+ - usb: hcd: out of bounds access in for_each_companion
+ - usb: gadget: f_fs: Fix use-after-free
+ - dm cache metadata: fix READ_LOCK macros and cleanup WRITE_LOCK macros
+ - dm cache metadata: fix cmd_read_lock() acquiring write lock
+ - lib: lz4: fixed zram with lz4 on big endian machines
+ - debugfs: Make automount point inodes permanently empty
+ - dmaengine: dw: fix master selection
+ - [armhf] dmaengine: omap-dma: Fix polled channel completion detection
+ and handling
+ - dmaengine: edma: Remove dynamic TPTC power management feature
+ - mtd: nand: pxa3xx_nand: fix dmaengine initialization
+ - sched/cgroup: Fix/cleanup cgroup teardown/init
+ - [x86] EDAC, sb_edac.c: Repair damage introduced when "fixing"
+ channel address
+ - [x86] EDAC, sb_edac.c: Take account of channel hashing when needed
+ - ALSA: hda - Don't trust the reported actual power state
+ - [x86] ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m
+ - ALSA: hda - Keep powering up ADCs on Cirrus codecs
+ - [x86] ALSA: hda - add PCI ID for Intel Broxton-T
+ - ALSA: pcxhr: Fix missing mutex unlock
+ - [x86] ALSA: hda - Add dock support for ThinkPad X260
+ - [x86] ALSA: hda - Update BCLK also at hotplug for i915 HSW/BDW
+ - asm-generic/futex: Re-enable preemption in futex_atomic_cmpxchg_inatomic()
+ - futex: Handle unlock_pi race gracefully
+ - futex: Acknowledge a new waiter in counter before plist
+ - drm/nouveau/core: use vzalloc for allocating ramht
+ - drm/qxl: fix cursor position with non-zero hotspot
+ - [x86] drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
+ - Revert "drm/radeon: disable runtime pm on PX laptops without dGPU
+ power control"
+ - [armhf] Revert "PCI: imx6: Add support for active-low reset GPIO"
+ - usbvision: revert commit 588afcc1
+ - [x86] Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU
+ power control"
+ - cpufreq: intel_pstate: Fix processing for turbo activation ratio
+ - [s390x] pci: add extra padding to function measurement block
+ - iwlwifi: pcie: lower the debug level for RSA semaphore access
+ - iwlwifi: mvm: fix memory leak in paging
+ - crypto: rsa-pkcs1pad - fix dst len
+ - [x86] crypto: ccp - Prevent information leakage on export
+ - crypto: sha1-mb - use corrcet pointer while completing jobs
+ - [powerpc*] scan_features() updates incorrect bits for REAL_LE
+ - [powerpc*] Update cpu_user_features2 in scan_features()
+ - [powerpc*] Update TM user feature bits in scan_features()
+ - nl80211: check netlink protocol in socket release notification
+ - netlink: don't send NETLINK_URELEASE for unbound sockets
+ - pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
+ - [x86] iommu/amd: Fix checking of pci dma aliases
+ - iommu/dma: Restore scatterlist offsets correctly
+ - [x86] drm/amdgpu: when suspending, if uvd/vce was running. need to cancel
+ delay work.
+ - [x86] drm/amdgpu: use defines for CRTCs and AMFT blocks
+ - [x86] drm/amdgpu: bump the afmt limit for CZ, ST, Polaris
+ - [x86] amdgpu/uvd: add uvd fw version for amdgpu
+ - [x86] drm/amdgpu: fix regression on CIK (v2)
+ - drm/radeon: add a quirk for a XFX R9 270X
+ - drm/radeon: fix initial connector audio value
+ - drm/radeon: forbid mapping of userptr bo through radeon device file
+ - drm/radeon: fix vertical bars appear on monitor (v2)
+ - [mips*el/loongson-3] drm: Loongson-3 doesn't fully support wc memory
+ - drm/nouveau/gr/gf100: select a stream master to fixup tfb offset queries
+ - drm/dp/mst: Validate port in drm_dp_payload_send_msg()
+ - drm/dp/mst: Restore primary hub guid on resume
+ - drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()
+ - [x86] drm/i915: Pass the correct encoder to intel_ddi_clk_select()
+ with MST
+ - [x86] drm/i915: Cleanup phys status page too
+ - [x86] drm/i915: Use the active wm config for merging on ILK-BDW
+ - [x86] drm/i915: Start WM computation from scratch on ILK-BDW
+ - [x86] drm/i915: skl_update_scaler() wants a rotation bitmask instead of
+ bit number
+ - [x86] drm/amdkfd: uninitialized variable in
+ dbgdev_wave_control_set_registers()
+ - [x86] drm/i915/skl: Fix DMC load on Skylake J0 and K0
+ - [x86] drm/i915/skl: Fix spurious gpu hang with gt3/gt4 revs
+ - [x86] drm/i915: Fixup the free space logic in ring_prepare
+ - [x86] drm/i915: Force ringbuffers to not be at offset 0
+ - [x86] drm/i915: Use fw_domains_put_with_fifo() on HSW
+ - drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail
+ - [x86] perf intel-pt: Fix segfault tracing transactions
+ - [armhf] i2c: exynos5: Fix possible ABBA deadlock by keeping I2C
+ clock prepared
+ - ACPICA / Interpreter: Fix a regression triggered because of wrong Linux
+ ECDT support
+ - [x86] mmc: sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO hangs
+ - [x86] toshiba_acpi: Fix regression caused by hotkey enabling value
+ - [x86] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder
+ callback
+ - [x86] ASoC: ssm4567: Reset device before regcache_sync()
+ - [x86] ASoC: rt5640: Correct the digital interface data select
+ - vb2-memops: Fix over allocation of frame vectors
+ - media: vb2: Fix regression on poll() for RW mode
+ - videobuf2-core: Check user space planes array in dqbuf
+ - videobuf2-v4l2: Verify planes array in buffer dequeueing (CVE-2016-4568)
+ - v4l2-dv-timings.h: fix polarity for 4k formats
+ - IB/core: Fix oops in ib_cache_gid_set_default_gid
+ - mwifiex: fix IBSS data path issue.
+ - IB/mlx5: Expose correct max_sge_rd limit
+ - IB/security: Restrict use of the write() interface (CVE-2016-4565)
+ - efi: Fix out-of-bounds read in variable_matches()
+ - efi: Expose non-blocking set_variable() wrapper to efivars
+ - [x86] apic: Handle zero vector gracefully in clear_vector_irq()
+ - workqueue: fix ghost PENDING flag while doing MQ IO
+ - slub: clean up code for kmem cgroup support to kmem_cache_free_bulk
+ - cgroup, cpuset: replace cpuset_post_attach_flush() with
+ cgroup_subsys->post_attach callback
+ - memcg: relocate charge moving from ->attach to ->post_attach
+ - mm: exclude HugeTLB pages from THP page_mapped() logic
+ - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
+ - numa: fix /proc/<pid>/numa_maps for THP
+ - mm: vmscan: reclaim highmem zone if buffer_heads is over limit
+ - mm/hwpoison: fix wrong num_poisoned_pages accounting
+ - locking/mcs: Fix mcs_spin_lock() ordering
+ - [armhf] spi/rockchip: Make sure spi clk is on in rockchip_spi_set_cs
+ - [armhf] irqchip/sunxi-nmi: Fix error check of of_io_request_and_map()
+ - [armhf] regulator: s5m8767: fix get_register() error handling
+ - scsi_dh: force modular build if SCSI is a module
+ - lib/mpi: Endianness fix
+ - [x86] misc: mic/scif: fix wrap around tests
+ - PM / OPP: Initialize u_volt_min/max to a valid value
+ - PM / Domains: Fix removal of a subdomain
+ - drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
+ - perf evlist: Reference count the cpu and thread maps at set_maps()
+ - perf tools: Fix perf script python database export crash
+ - [x86] mm/kmmio: Fix mmiotrace for hugepages
+ - ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
+ - f2fs crypto: fix corrupted symlink in encrypted case
+ - f2fs: slightly reorganize read_raw_super_block
+ - f2fs: cover large section in sanity check of super
+ - ext4/fscrypto: avoid RCU lookup in d_revalidate
+ - f2fs: do f2fs_balance_fs when block is allocated
+ - f2fs: don't need to call set_page_dirty for io error
+ - f2fs crypto: handle unexpected lack of encryption keys
+ - f2fs crypto: make sure the encryption info is initialized on opendir(2)
+ - bus: uniphier-system-bus: fix condition of overlap check
+ - mtd: spi-nor: remove micron_quad_enable()
+ - mtd: brcmnand: Fix v7.1 register offsets
+ - mtd: nand: Drop mtd.owner requirement in nand_scan
+ - perf hists browser: Only offer symbol scripting when a symbol is under
+ the cursor
+ - perf hists browser: Fix dump to show correct callchain style
+ - perf tools: handle spaces in file names obtained from /proc/pid/maps
+ - NTB: Remove _addr functions from ntb_hw_amd
+ - perf/core: Don't leak event in the syscall error path
+ - perf/core: Fix time tracking bug with multiplexing
+ - perf hists: Fix determination of a callchain node's childlessness
+ - [armhf] OMAP3: Add cpuidle parameters table for omap3430
+ - [armhf] dts: armada-375: use armada-370-sata for SATA
+ - [armhf] dts: am33xx: Fix GPMC dma properties
+ - btrfs: fix memory leak of fs_info in block group cache
+ - btrfs: cleaner_kthread() doesn't need explicit freeze
+ - [armhf] thermal: rockchip: fix a impossible condition caused by the
+ warning
+ - sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects
+ a race
+ - megaraid_sas: add missing curly braces in ioctl handler
+ - tpm: fix checks for policy digest existence in tpm2_seal_trusted()
+ - tpm: fix: set continueSession attribute for the unseal operation
+
+ [ Uwe Kleine-König ]
+ * [armhf] enable I2C_MUX_PCA954x, MMC_SDHCI_PXAV3, AHCI_MVEBU
+
+ [ Ben Hutchings ]
+ * bug control: Update list of related firmware packages
+ * Revert "sp5100_tco: fix the device check for SB800 and later chipsets"
+ (Closes: #823146; probably fixes #822651)
+ * bpf: fix double-fdput in replace_map_fd_with_map_ptr() (CVE-2016-4557)
+ (Closes: #823603)
+ * bpf: fix refcnt overflow (CVE-2016-4558)
+ * bpf: fix check_map_func_compatibility logic
+ * stable-update: Rewrite stable-update.sh in Python
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 07 May 2016 21:59:15 +0100
+
linux (4.5.2-1) unstable; urgency=medium
* New upstream stable update:
diff --cc debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
index 0000000,83a0254..48f3410
mode 000000,100644..100644
--- a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
+++ b/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
@@@ -1,0 -1,94 +1,110 @@@
+ From: Alexei Starovoitov <ast at fb.com>
+ Date: Wed, 27 Apr 2016 18:56:21 -0700
+ Subject: [3/3] bpf: fix check_map_func_compatibility logic
+ Origin: https://git.kernel.org/linus/6aff67c85c9e5a4bc99e5211c1bac547936626ca
+
+ The commit 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
+ introduced clever way to check bpf_helper<->map_type compatibility.
+ Later on commit a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") adjusted
+ the logic and inadvertently broke it.
+ Get rid of the clever bool compare and go back to two-way check
+ from map and from helper perspective.
+
+ Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
+ Reported-by: Jann Horn <jannh at google.com>
+ Signed-off-by: Alexei Starovoitov <ast at kernel.org>
+ Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 4.5:
- - Drop the STACK_TRACE case
- - No verbose() logging]
+ ---
++ kernel/bpf/verifier.c | 65 +++++++++++++++++++++++++++++++--------------------
++ 1 file changed, 40 insertions(+), 25 deletions(-)
++
++diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
++index 89bcaa0966da..c5c17a62f509 100644
+ --- a/kernel/bpf/verifier.c
+ +++ b/kernel/bpf/verifier.c
-@@ -239,15 +239,6 @@ static const char * const reg_type_str[]
++@@ -239,16 +239,6 @@ static const char * const reg_type_str[] = {
+ [CONST_IMM] = "imm",
+ };
+
+ -static const struct {
+ - int map_type;
+ - int func_id;
+ -} func_limit[] = {
+ - {BPF_MAP_TYPE_PROG_ARRAY, BPF_FUNC_tail_call},
+ - {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_read},
+ - {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_output},
++- {BPF_MAP_TYPE_STACK_TRACE, BPF_FUNC_get_stackid},
+ -};
+ -
+ static void print_verifier_state(struct verifier_env *env)
+ {
+ enum bpf_reg_type t;
-@@ -898,24 +889,42 @@ static int check_func_arg(struct verifie
++@@ -921,27 +911,52 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
+
+ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
+ {
+ - bool bool_map, bool_func;
+ - int i;
+ -
+ if (!map)
+ return 0;
+
+ - for (i = 0; i < ARRAY_SIZE(func_limit); i++) {
+ - bool_map = (map->map_type == func_limit[i].map_type);
+ - bool_func = (func_id == func_limit[i].func_id);
+ - /* only when map & func pair match it can continue.
+ - * don't allow any other map type to be passed into
+ - * the special func;
+ - */
-- if (bool_func && bool_map != bool_func)
++- if (bool_func && bool_map != bool_func) {
++- verbose("cannot pass map_type %d into func %d\n",
++- map->map_type, func_id);
+ - return -EINVAL;
++- }
+ + /* We need a two way check, first is from map perspective ... */
+ + switch (map->map_type) {
+ + case BPF_MAP_TYPE_PROG_ARRAY:
+ + if (func_id != BPF_FUNC_tail_call)
+ + goto error;
+ + break;
+ + case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
+ + if (func_id != BPF_FUNC_perf_event_read &&
+ + func_id != BPF_FUNC_perf_event_output)
+ + goto error;
+ + break;
+++ case BPF_MAP_TYPE_STACK_TRACE:
+++ if (func_id != BPF_FUNC_get_stackid)
+++ goto error;
+++ break;
+ + default:
+ + break;
+ + }
+ +
+ + /* ... and second from the function itself. */
+ + switch (func_id) {
+ + case BPF_FUNC_tail_call:
+ + if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
+ + goto error;
+ + break;
+ + case BPF_FUNC_perf_event_read:
+ + case BPF_FUNC_perf_event_output:
+ + if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
+ + goto error;
+ + break;
+++ case BPF_FUNC_get_stackid:
+++ if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
+++ goto error;
+++ break;
+ + default:
+ + break;
+ }
+
+ return 0;
+ +error:
+++ verbose("cannot pass map_type %d into func %d\n",
+++ map->map_type, func_id);
+ + return -EINVAL;
+ }
+
+ static int check_call(struct verifier_env *env, int func_id)
diff --cc debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch
index 0000000,a5b3d77..3966718
mode 000000,100644..100644
--- a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch
+++ b/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch
@@@ -1,0 -1,147 +1,147 @@@
+ From: Alexei Starovoitov <ast at fb.com>
+ Date: Wed, 27 Apr 2016 18:56:20 -0700
+ Subject: [2/3] bpf: fix refcnt overflow
+ Origin: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e
+
+ On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
+ the malicious application may overflow 32-bit bpf program refcnt.
+ It's also possible to overflow map refcnt on 1Tb system.
+ Impose 32k hard limit which means that the same bpf program or
+ map cannot be shared by more than 32k processes.
+
+ Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
+ Reported-by: Jann Horn <jannh at google.com>
+ Signed-off-by: Alexei Starovoitov <ast at kernel.org>
+ Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ ---
+ include/linux/bpf.h | 3 ++-
+ kernel/bpf/inode.c | 7 ++++---
+ kernel/bpf/syscall.c | 24 ++++++++++++++++++++----
+ kernel/bpf/verifier.c | 11 +++++++----
+ 4 files changed, 33 insertions(+), 12 deletions(-)
+
+ --- a/include/linux/bpf.h
+ +++ b/include/linux/bpf.h
-@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_p
++@@ -171,12 +171,13 @@ void bpf_register_prog_type(struct bpf_p
+ void bpf_register_map_type(struct bpf_map_type_list *tl);
+
+ struct bpf_prog *bpf_prog_get(u32 ufd);
+ +struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
+ void bpf_prog_put(struct bpf_prog *prog);
+ void bpf_prog_put_rcu(struct bpf_prog *prog);
+
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd);
+ struct bpf_map *__bpf_map_get(struct fd f);
+ -void bpf_map_inc(struct bpf_map *map, bool uref);
+ +struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
+ void bpf_map_put_with_uref(struct bpf_map *map);
+ void bpf_map_put(struct bpf_map *map);
-
++ int bpf_map_precharge_memlock(u32 pages);
+ --- a/kernel/bpf/inode.c
+ +++ b/kernel/bpf/inode.c
+ @@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum
+ {
+ switch (type) {
+ case BPF_TYPE_PROG:
+ - atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
+ + raw = bpf_prog_inc(raw);
+ break;
+ case BPF_TYPE_MAP:
+ - bpf_map_inc(raw, true);
+ + raw = bpf_map_inc(raw, true);
+ break;
+ default:
+ WARN_ON_ONCE(1);
+ @@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct
+ goto out;
+
+ raw = bpf_any_get(inode->i_private, *type);
+ - touch_atime(&path);
+ + if (!IS_ERR(raw))
+ + touch_atime(&path);
+
+ path_put(&path);
+ return raw;
+ --- a/kernel/bpf/syscall.c
+ +++ b/kernel/bpf/syscall.c
-@@ -201,11 +201,18 @@ struct bpf_map *__bpf_map_get(struct fd
++@@ -218,11 +218,18 @@ struct bpf_map *__bpf_map_get(struct fd
+ return f.file->private_data;
+ }
+
+ -void bpf_map_inc(struct bpf_map *map, bool uref)
+ +/* prog's and map's refcnt limit */
+ +#define BPF_MAX_REFCNT 32768
+ +
+ +struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
+ {
+ - atomic_inc(&map->refcnt);
+ + if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
+ + atomic_dec(&map->refcnt);
+ + return ERR_PTR(-EBUSY);
+ + }
+ if (uref)
+ atomic_inc(&map->usercnt);
+ + return map;
+ }
+
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
-@@ -217,7 +224,7 @@ struct bpf_map *bpf_map_get_with_uref(u3
++@@ -234,7 +241,7 @@ struct bpf_map *bpf_map_get_with_uref(u3
+ if (IS_ERR(map))
+ return map;
+
+ - bpf_map_inc(map, true);
+ + map = bpf_map_inc(map, true);
+ fdput(f);
+
+ return map;
-@@ -600,6 +607,15 @@ static struct bpf_prog *__bpf_prog_get(s
++@@ -658,6 +665,15 @@ static struct bpf_prog *__bpf_prog_get(s
+ return f.file->private_data;
+ }
+
+ +struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
+ +{
+ + if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
+ + atomic_dec(&prog->aux->refcnt);
+ + return ERR_PTR(-EBUSY);
+ + }
+ + return prog;
+ +}
+ +
+ /* called by sockets/tracing/seccomp before attaching program to an event
+ * pairs with bpf_prog_put()
+ */
-@@ -612,7 +628,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
++@@ -670,7 +686,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
+ if (IS_ERR(prog))
+ return prog;
+
+ - atomic_inc(&prog->aux->refcnt);
+ + prog = bpf_prog_inc(prog);
+ fdput(f);
+
+ return prog;
+ --- a/kernel/bpf/verifier.c
+ +++ b/kernel/bpf/verifier.c
-@@ -2022,15 +2022,18 @@ static int replace_map_fd_with_map_ptr(s
++@@ -2049,15 +2049,18 @@ static int replace_map_fd_with_map_ptr(s
+ return -E2BIG;
+ }
+
+ - /* remember this map */
+ - env->used_maps[env->used_map_cnt++] = map;
+ -
+ /* hold the map. If the program is rejected by verifier,
+ * the map will be released by release_maps() or it
+ * will be used by the valid program until it's unloaded
+ * and all maps are released in free_bpf_prog_info()
+ */
+ - bpf_map_inc(map, false);
+ + map = bpf_map_inc(map, false);
+ + if (IS_ERR(map)) {
+ + fdput(f);
+ + return PTR_ERR(map);
+ + }
+ + env->used_maps[env->used_map_cnt++] = map;
+ +
+ fdput(f);
+ next_insn:
+ insn++;
diff --cc debian/patches/series
index 923c06f,d4fe692..9f7645b
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -45,8 -46,13 +45,10 @@@ bugfix/x86/viafb-autoload-on-olpc-xo1.5
# Arch bug fixes
bugfix/mips/MIPS-Allow-emulation-for-unaligned-LSDXC1-instructions.patch
-bugfix/x86/vmxnet3-fix-lock-imbalance-in-vmxnet3_tq_xmit.patch
-bugfix/x86/acpi-processor-request-native-thermal-interrupt-hand.patch
-bugfix/arm/arm-dts-kirkwood-fix-sd-slot-default-configuration-f.patch
bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch
bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch
+ bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch
+ bugfix/powerpc/powerpc-fix-sstep-compile-on-powerpcspe.patch
# Arch features
features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch
@@@ -96,8 -115,29 +98,10 @@@ features/all/securelevel/enable-cold-bo
# Security fixes
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
-bugfix/x86/x86-mm-page-align-the-_end-symbol-to-avoid-pfn-conve.patch
-bugfix/x86/x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-n.patch
-bugfix/x86/x86-efi-map-ram-into-the-identity-page-table-for-mix.patch
-bugfix/x86/x86-efi-hoist-page-table-switching-code-into-efi_cal.patch
-bugfix/x86/x86-efi-build-our-own-page-table-structures.patch
-bugfix/x86/x86-efi-setup-separate-efi-page-tables-in-kexec-path.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/x86/x86-efi-bgrt-fix-kernel-panic-when-mapping-bgrt-data.patch
-bugfix/x86/x86-efi-bgrt-replace-early_memremap-with-memremap.patch
-bugfix/x86/x86-mm-pat-fix-boot-crash-when-1gb-pages-are-not-supported.patch
-bugfix/all/netfilter-x_tables-check-for-size-overflow.patch
-bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
-bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch
-bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
-bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
+ bugfix/all/bpf-fix-refcnt-overflow.patch
+ bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
-# ABI maintenance
-debian/ib-fix-abi-change-in-4.5.3.patch
-debian/v4l2-fix-abi-changes-in-4.5.3.patch
-debian/cgroup-fix-abi-change-in-4.5.3.patch
-
# Tools bug fixes
bugfix/all/usbip-document-tcp-wrappers.patch
bugfix/all/kbuild-fix-recordmcount-dependency.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list