[linux] 01/07: Update to 3.2.86
debian-kernel at lists.debian.org
Tue Mar 7 02:36:44 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 784cce3f3f04533bbe9599c348a55749b06bacd3
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Mar 7 02:06:11 2017 +0000
Update to 3.2.86
Drop a large number of patches that are now upstream.
[rt] Un-fuzz one patch.
---
debian/changelog | 80 ++++
debian/config/defines | 1 +
.../alsa-pcm-call-kill_fasync-in-stream-lock.patch | 43 --
...lock-fix-use-after-free-in-sys_ioprio_get.patch | 120 ------
...reeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 ---
.../all/dccp-limit-sk_filter-trim-to-payload.patch | 90 ----
.../fbdev-color-map-copying-bounds-checking.patch | 79 ----
.../hid-core-prevent-out-of-bound-readings.patch | 43 --
...t-reset-tty-receive_room-when-attaching-s.patch | 47 ---
...lence-warning-if-config_lockdep-isn-t-set.patch | 43 --
...ia-info-leak-in-__media_device_enum_links.patch | 36 --
...signed-overflows-for-so_-snd-rcv-bufforce.patch | 45 --
.../all/net-cleanups-in-sock_setsockopt.patch | 96 -----
...-check-minimum-size-on-icmp-header-length.patch | 68 ---
...ket-fix-race-condition-in-packet_set_ring.patch | 88 ----
...ix-concurrent-sys_perf_event_open-vs.-mov.patch | 153 -------
.../bugfix/all/perf-do-not-double-free.patch | 48 ---
.../bugfix/all/perf-fix-event-ctx-locking.patch | 468 ---------------------
...rf-fix-perf_event_for_each-to-use-sibling.patch | 38 --
.../bugfix/all/perf-fix-race-in-swevent-hash.patch | 92 ----
.../all/rose-limit-sk_filter-trim-to-payload.patch | 94 -----
...lidate-chunk-len-before-actually-using-it.patch | 54 ---
...uble-free-when-drives-detach-during-sg_io.patch | 66 ---
...g_write-is-not-fit-to-be-called-under-ker.patch | 42 --
...ake-care-of-truncations-done-by-sk_filter.patch | 98 -----
...-ldisc-drivers-from-re-using-stale-tty-fi.patch | 75 ----
...-kl5kusb105-fix-line-state-error-handling.patch | 37 --
...llow-dma-mappings-to-be-marked-executable.patch | 37 --
.../fix-potential-infoleak-in-older-kernels.patch | 64 ---
...p-error-recovery-in-em_jmp_far-and-em_ret.patch | 125 ------
.../all/net-add-__sock_queue_rcv_skb.patch | 63 ---
.../rt/0192-rtmutex-futex-prepare-rt.patch.patch | 28 +-
debian/patches/series | 29 --
33 files changed, 92 insertions(+), 2445 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1973cb1..bd8d8fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,83 @@
+linux (3.2.86-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.85
+ - [x86] fbdev/efifb: Fix 16 color palette entry calculation
+ - netfilter: restart search if moved to other chain
+ - rtlwifi: Update regulatory database
+ - rtlwifi: Fix missing country code for Great Britain
+ - cx231xx: don't return error on success
+ - cx231xx: fix GPIOs for Pixelview SBTVD hybrid
+ - ext4: reinforce check of i_dtime when clearing high fields of uid and gid
+ - reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
+ - sctp: do not return the transmit err back to sctp_sendmsg
+ - [x86] iommu/amd: Free domain id when free a domain of struct
+ dma_ops_domain
+ - ALSA: ali5451: Fix out-of-bound position reporting
+ - usb: misc: legousbtower: Fix NULL pointer deference
+ - net/mlx4_core: Fix deadlock when switching between polling and event fw
+ commands
+ - ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
+ - regulator: tps65910: Work around silicon erratum SWCZ010
+ - mmc: block: don't use CMD23 with very old MMC cards
+ - NFSv4: Open state recovery must account for file permission changes
+ - ext4: release bh in make_indexed_dir
+ - fuse: invalidate dir dentry after chmod
+ - fuse: fix killing s[ug]id in setattr
+ - fuse: listxattr: verify xattr list
+ - crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
+ - scsi: Fix use-after-free
+ - mac80211: discard multicast and 4-addr A-MSDUs
+ - isofs: Do not return EACCES for unknown filesystems
+ - Input: i8042 - add XMG C504 to keyboard reset table
+ - ubifs: Fix xattr_names length in exit paths
+ - ubifs: Abort readdir upon error
+ - [x86] ACPI / APEI: Fix incorrect return value of ghes_proc()
+ - dm table: fix missing dm_put_target_type() in dm_table_add_target()
+ - scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough)
+ devices
+ - [x86] hv: do not lose pending heartbeat vmbus packets
+ - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
+ - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
+ - tty: vt, fix bogus division in csi_J
+ - tty: limit terminal size to 4M chars
+ - vt: clear selection before resizing
+ - netfilter: nf_conntrack_sip: extend request line validation
+ - lib/genalloc.c: start search from start of chunk
+ - [x86] KVM: fix wbinvd_dirty_mask use-after-free
+ - ubifs: Fix regression in ubifs_readdir()
+ - net/mlx4_en: Process all completions in RX rings after port goes up
+ - ipv6: Don't use ufo handling on later transformed packets
+ - can: bcm: fix warning in bcm_connect/proc_register
+ - usb: gadget: u_ether: remove interrupt throttling
+ - uwb: fix device reference leaks
+ - ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
+ - firewire: net: fix fragmented datagram_size off-by-one
+ - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
+ - i2c: core: fix NULL pointer dereference under race condition
+ - scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
+ - swapfile: fix memory corruption via malformed swapfile
+ - coredump: fix unfreezable coredumping task
+ - dib0700: fix nec repeat handling
+ - mfd: core: Fix device reference leak in mfd_clone_cell
+ - IB/uverbs: Fix leak of XRC target QPs
+ - IB/mlx4: Fix create CQ error flow
+ - mwifiex: printk() overflow with 32-byte SSIDs
+ - [x86] KVM: Disable irq while unregistering user notifier
+ - ext4: sanity check the block and cluster size at mount time
+ - locking/rtmutex: Prevent dequeue vs. unlock race
+ - tipc: check minimum bearer MTU
+ - net: ep93xx_eth: Do not crash unloading module
+ - fuse: fix clearing suid, sgid for chown()
+ - can: raw: raw_setsockopt: limit number of can_filter that can be set
+ - ser_gigaset: return -ENOMEM on error instead of success
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.86
+ - [x86] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
+ (CVE-2016-9588)
+ - tcp: avoid infinite loop in tcp_splice_read() (CVE-2017-6214)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Tue, 07 Mar 2017 01:47:48 +0000
+
linux (3.2.84-2) wheezy-security; urgency=high
[ Salvatore Bonaccorso ]
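Review bot: the new entry at the top of the hunk is still `linux (3.2.86-1) UNRELEASED; urgency=medium` although it is pushed to the wheezy-security branch and carries two CVE fixes (CVE-2016-9588 and CVE-2017-6214); before upload the distribution needs to become wheezy-security and, in line with the preceding 3.2.84-2 entry, urgency=high. The 3.2.86 part of the list also names only those two items while the commit drops more than twenty patches as "now upstream" (among them the CVE-2016-9794 ALSA, CVE-2016-7911 ioprio, CVE-2016-8405 fbdev and CVE-2016-9793 sockopt fixes). If they are omitted because they were already listed under earlier Debian revisions that is fine, but each dropped patch's Origin commit should be cross-checked against ChangeLog-3.2.85 and ChangeLog-3.2.86 before the Debian copy goes away.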
diff --git a/debian/config/defines b/debian/config/defines
index 75396dc..8b82ebe5 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -40,6 +40,7 @@ ignore-changes:
# No-one should depend on staging from OOT
module:drivers/staging/*
# Private to each family of drivers
+ module:drivers/net/ethernet/*
module:drivers/net/wireless/*
# Should not be used from OOT
kmsg_dump_register
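Review bot: the added `module:drivers/net/ethernet/*` under "Private to each family of drivers" suppresses ABI-change checking for symbols exported by every in-tree ethernet driver, not just the one whose symbols moved. The changelog mentions mlx4_core and mlx4_en fixes; if those are the trigger, a narrower pattern such as `module:drivers/net/ethernet/mellanox/*`, or at least a changelog line saying which ABI change is being ignored, would keep this ignore entry explainable later.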
diff --git a/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch b/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
deleted file mode 100644
index f88465a..0000000
--- a/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Thu, 14 Apr 2016 18:02:37 +0200
-Subject: ALSA: pcm : Call kill_fasync() in stream lock
-Origin: https://git.kernel.org/linus/3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9794
-
-Currently kill_fasync() is called outside the stream lock in
-snd_pcm_period_elapsed(). This is potentially racy, since the stream
-may get released even during the irq handler is running. Although
-snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
-guarantee that the irq handler finishes, thus the kill_fasync() call
-outside the stream spin lock may be invoked after the substream is
-detached, as recently reported by KASAN.
-
-As a quick workaround, move kill_fasync() call inside the stream
-lock. The fasync is rarely used interface, so this shouldn't have a
-big impact from the performance POV.
-
-Ideally, we should implement some sync mechanism for the proper finish
-of stream and irq handler. But this oneliner should suffice for most
-cases, so far.
-
-Reported-by: Baozeng Ding <sploving1 at gmail.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-[bwh: Backported to 3.2: adjust context]
----
- sound/core/pcm_lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/sound/core/pcm_lib.c
-+++ b/sound/core/pcm_lib.c
-@@ -1766,10 +1766,10 @@ void snd_pcm_period_elapsed(struct snd_p
- if (substream->timer_running)
- snd_timer_interrupt(substream->timer, 1);
- _end:
-- snd_pcm_stream_unlock_irqrestore(substream, flags);
- if (runtime->transfer_ack_end)
- runtime->transfer_ack_end(substream);
- kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
-+ snd_pcm_stream_unlock_irqrestore(substream, flags);
- }
-
- EXPORT_SYMBOL(snd_pcm_period_elapsed);
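Review bot: moving `snd_pcm_stream_unlock_irqrestore()` below `kill_fasync()` also pulls the `runtime->transfer_ack_end()` callback under the stream spinlock with interrupts disabled, which the description ("move kill_fasync() call inside the stream lock") does not mention. When dropping this in favour of the 3.2.86 copy of 3aa02cb664c5, confirm the upstream hunk is identical so no driver callback sees a lock-context change; the changelog excerpt above lists no matching ALSA pcm entry, so this one has to be verified against the upstream ChangeLog directly.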
diff --git a/debian/patches/bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch b/debian/patches/bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
deleted file mode 100644
index 6d473c2..0000000
--- a/debian/patches/bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From: Omar Sandoval <osandov at fb.com>
-Date: Fri, 1 Jul 2016 00:39:35 -0700
-Subject: block: fix use-after-free in sys_ioprio_get()
-Origin: https://git.kernel.org/linus/8ba8682107ee2ca3347354e018865d8e1967c5f4
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7911
-
-get_task_ioprio() accesses the task->io_context without holding the task
-lock and thus can race with exit_io_context(), leading to a
-use-after-free. The reproducer below hits this within a few seconds on
-my 4-core QEMU VM:
-
-#define _GNU_SOURCE
-#include <assert.h>
-#include <unistd.h>
-#include <sys/syscall.h>
-#include <sys/wait.h>
-
-int main(int argc, char **argv)
-{
- pid_t pid, child;
- long nproc, i;
-
- /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
- syscall(SYS_ioprio_set, 1, 0, 0x6000);
-
- nproc = sysconf(_SC_NPROCESSORS_ONLN);
-
- for (i = 0; i < nproc; i++) {
- pid = fork();
- assert(pid != -1);
- if (pid == 0) {
- for (;;) {
- pid = fork();
- assert(pid != -1);
- if (pid == 0) {
- _exit(0);
- } else {
- child = wait(NULL);
- assert(child == pid);
- }
- }
- }
-
- pid = fork();
- assert(pid != -1);
- if (pid == 0) {
- for (;;) {
- /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
- syscall(SYS_ioprio_get, 2, 0);
- }
- }
- }
-
- for (;;) {
- /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
- syscall(SYS_ioprio_get, 2, 0);
- }
-
- return 0;
-}
-
-This gets us KASAN dumps like this:
-
-[ 35.526914] ==================================================================
-[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
-[ 35.530009] Read of size 2 by task ioprio-gpf/363
-[ 35.530009] =============================================================================
-[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
-[ 35.530009] -----------------------------------------------------------------------------
-
-[ 35.530009] Disabling lock debugging due to kernel taint
-[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
-[ 35.530009] ___slab_alloc+0x55d/0x5a0
-[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
-[ 35.530009] kmem_cache_alloc_node+0x84/0x200
-[ 35.530009] create_task_io_context+0x2b/0x370
-[ 35.530009] get_task_io_context+0x92/0xb0
-[ 35.530009] copy_process.part.8+0x5029/0x5660
-[ 35.530009] _do_fork+0x155/0x7e0
-[ 35.530009] SyS_clone+0x19/0x20
-[ 35.530009] do_syscall_64+0x195/0x3a0
-[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
-[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
-[ 35.530009] __slab_free+0x27b/0x3d0
-[ 35.530009] kmem_cache_free+0x1fb/0x220
-[ 35.530009] put_io_context+0xe7/0x120
-[ 35.530009] put_io_context_active+0x238/0x380
-[ 35.530009] exit_io_context+0x66/0x80
-[ 35.530009] do_exit+0x158e/0x2b90
-[ 35.530009] do_group_exit+0xe5/0x2b0
-[ 35.530009] SyS_exit_group+0x1d/0x20
-[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
-[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
-[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
-[ 35.530009] ==================================================================
-
-Fix it by grabbing the task lock while we poke at the io_context.
-
-Cc: stable at vger.kernel.org
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Omar Sandoval <osandov at fb.com>
-Signed-off-by: Jens Axboe <axboe at fb.com>
-[bwh: Backported to 3.2: adjust filename]
----
- block/ioprio.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/ioprio.c
-+++ b/fs/ioprio.c
-@@ -161,8 +161,10 @@ static int get_task_ioprio(struct task_s
- if (ret)
- goto out;
- ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
-+ task_lock(p);
- if (p->io_context)
- ret = p->io_context->ioprio;
-+ task_unlock(p);
- out:
- return ret;
- }
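Review bot: the diffstat in the header says `block/ioprio.c` while the hunk patches `fs/ioprio.c` (the bwh backport adjusted the filename in the hunk but not in the stat line). Harmless in a file being deleted, but worth remembering when checking that the 3.2.86 version of 8ba8682107ee (CVE-2016-7911) lands in fs/ioprio.c, since the changelog excerpt above does not list it.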
diff --git a/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
deleted file mode 100644
index 4421444..0000000
--- a/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Thu, 16 Feb 2017 17:22:46 +0100
-Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
-Origin: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
-
-In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
-is forcibly freed via __kfree_skb in dccp_rcv_state_process if
-dccp_v6_conn_request successfully returns.
-
-However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
-is saved to ireq->pktopts and the ref count for skb is incremented in
-dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
-in dccp_rcv_state_process.
-
-Fix by calling consume_skb instead of doing goto discard and therefore
-calling __kfree_skb.
-
-Similar fixes for TCP:
-
-fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
-0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
-simply consumed
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/dccp/input.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/dccp/input.c b/net/dccp/input.c
-index ba34718..8fedc2d 100644
---- a/net/dccp/input.c
-+++ b/net/dccp/input.c
-@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
- if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
- skb) < 0)
- return 1;
-- goto discard;
-+ consume_skb(skb);
-+ return 0;
- }
- if (dh->dccph_type == DCCP_PKT_RESET)
- goto discard;
---
-2.1.4
-
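Review bot: unlike the neighbouring deletions this patch carries no Bug-Debian-Security header, yet what it fixes is a double free (the REQUEST skb is kept in ireq->pktopts with an extra reference and then unconditionally freed via `goto discard`). The changelog excerpt lists only two 3.2.86 items, so make sure 5edabca9d4cf is actually in 3.2.86 before the Debian copy is removed, and that the security-tracker reference is recorded in the changelog entry that introduced the fix.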
diff --git a/debian/patches/bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch b/debian/patches/bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
deleted file mode 100644
index 695ff37..0000000
--- a/debian/patches/bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Tue, 12 Jul 2016 18:18:57 -0400
-Subject: dccp: limit sk_filter trim to payload
-Origin: https://git.kernel.org/linus/4f0c40d94461cfd23893a17335b2ab78ecb333c8
-
-Dccp verifies packet integrity, including length, at initial rcv in
-dccp_invalid_packet, later pulls headers in dccp_enqueue_skb.
-
-A call to sk_filter in-between can cause __skb_pull to wrap skb->len.
-skb_copy_datagram_msg interprets this as a negative value, so
-(correctly) fails with EFAULT. The negative length is reported in
-ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close.
-
-Introduce an sk_receive_skb variant that caps how small a filter
-program can trim packets, and call this in dccp with the header
-length. Excessively trimmed packets are now processed normally and
-queued for reception as 0B payloads.
-
-Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1268,8 +1268,13 @@ static inline void sock_put(struct sock
- sk_free(sk);
- }
-
--extern int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
-- const int nested);
-+int __sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested,
-+ unsigned int trim_cap);
-+static inline int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
-+ const int nested)
-+{
-+ return __sk_receive_skb(sk, skb, nested, 1);
-+}
-
- static inline void sk_tx_queue_set(struct sock *sk, int tx_queue)
- {
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -336,11 +336,12 @@ int sock_queue_rcv_skb(struct sock *sk,
- }
- EXPORT_SYMBOL(sock_queue_rcv_skb);
-
--int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
-+int __sk_receive_skb(struct sock *sk, struct sk_buff *skb,
-+ const int nested, unsigned int trim_cap)
- {
- int rc = NET_RX_SUCCESS;
-
-- if (sk_filter(sk, skb))
-+ if (sk_filter_trim_cap(sk, skb, trim_cap))
- goto discard_and_relse;
-
- skb->dev = NULL;
-@@ -376,7 +377,7 @@ discard_and_relse:
- kfree_skb(skb);
- goto out;
- }
--EXPORT_SYMBOL(sk_receive_skb);
-+EXPORT_SYMBOL(__sk_receive_skb);
-
- void sk_reset_txq(struct sock *sk)
- {
---- a/net/dccp/ipv4.c
-+++ b/net/dccp/ipv4.c
-@@ -877,7 +877,7 @@ static int dccp_v4_rcv(struct sk_buff *s
- goto discard_and_relse;
- nf_reset(skb);
-
-- return sk_receive_skb(sk, skb, 1);
-+ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4);
-
- no_dccp_socket:
- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -817,7 +817,7 @@ static int dccp_v6_rcv(struct sk_buff *s
- if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
- goto discard_and_relse;
-
-- return sk_receive_skb(sk, skb, 1) ? -1 : 0;
-+ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4) ? -1 : 0;
-
- no_dccp_socket:
- if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
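Review bot: the net/core/sock.c hunk makes `__sk_receive_skb()` call `sk_filter_trim_cap()`, which nothing in this patch defines; it comes from the sk_filter truncation patch that is also being dropped in this commit (the `...ake-care-of-truncations-done-by-sk_filter.patch` entry in the diffstat), and the rose-limit patch builds on the same helper. These have to be removed and re-checked as a set, with the 3.2.86 versions of 4f0c40d94461 and its prerequisite present in the same order.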
diff --git a/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch
deleted file mode 100644
index 63b092a..0000000
--- a/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Tue, 24 Jan 2017 15:18:24 -0800
-Subject: fbdev: color map copying bounds checking
-Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
-
-Copying color maps to userspace doesn't check the value of to->start,
-which will cause kernel heap buffer OOB read due to signedness wraps.
-
-CVE-2016-8405
-
-Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Reported-by: Peter Pi (@heisecode) of Trend Micro
-Cc: Min Chong <mchong at google.com>
-Cc: Dan Carpenter <dan.carpenter at oracle.com>
-Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
-Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.2: adjust filename]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/video/fbcmap.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
---- a/drivers/video/fbcmap.c
-+++ b/drivers/video/fbcmap.c
-@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cma
-
- int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- {
-- int tooff = 0, fromoff = 0;
-- int size;
-+ unsigned int tooff = 0, fromoff = 0;
-+ size_t size;
-
- if (to->start > from->start)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-- size = to->len - tooff;
-- if (size > (int) (from->len - fromoff))
-- size = from->len - fromoff;
-- if (size <= 0)
-+ if (fromoff >= from->len || tooff >= to->len)
-+ return -EINVAL;
-+
-+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+ if (size == 0)
- return -EINVAL;
- size *= sizeof(u16);
-
-@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *f
-
- int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
- {
-- int tooff = 0, fromoff = 0;
-- int size;
-+ unsigned int tooff = 0, fromoff = 0;
-+ size_t size;
-
- if (to->start > from->start)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-- size = to->len - tooff;
-- if (size > (int) (from->len - fromoff))
-- size = from->len - fromoff;
-- if (size <= 0)
-+ if (fromoff >= from->len || tooff >= to->len)
-+ return -EINVAL;
-+
-+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+ if (size == 0)
- return -EINVAL;
- size *= sizeof(u16);
-
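Review bot: in both `fb_copy_cmap()` and `fb_cmap_to_user()` the added `if (fromoff >= from->len || tooff >= to->len) return -EINVAL;` guarantees that `to->len - tooff` and `from->len - fromoff` are both at least 1, so the retained `if (size == 0) return -EINVAL;` can no longer fire and could be dropped. The substantive fix is the switch to `unsigned int tooff, fromoff` and `size_t size`, which removes the signed comparisons that let an attacker-chosen `to->start` wrap the offset before the multiply by `sizeof(u16)`.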
diff --git a/debian/patches/bugfix/all/hid-core-prevent-out-of-bound-readings.patch b/debian/patches/bugfix/all/hid-core-prevent-out-of-bound-readings.patch
deleted file mode 100644
index 6ef059d..0000000
--- a/debian/patches/bugfix/all/hid-core-prevent-out-of-bound-readings.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Benjamin Tissoires <benjamin.tissoires at redhat.com>
-Date: Tue, 19 Jan 2016 12:34:58 +0100
-Subject: HID: core: prevent out-of-bound readings
-Origin: https://git.kernel.org/linus/50220dead1650609206efe91f0cc116132d59b3f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7915
-
-Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
-out-of-bound readings.
-
-The fields are allocated up to MAX_USAGE, meaning that potentially, we do
-not have enough fields to fit the incoming values.
-Add checks and silence KASAN.
-
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -989,6 +989,7 @@ static void hid_input_field(struct hid_d
- /* Ignore report if ErrorRollOver */
- if (!(field->flags & HID_MAIN_ITEM_VARIABLE) &&
- value[n] >= min && value[n] <= max &&
-+ value[n] - min < field->maxusage &&
- field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1)
- goto exit;
- }
-@@ -1001,11 +1002,13 @@ static void hid_input_field(struct hid_d
- }
-
- if (field->value[n] >= min && field->value[n] <= max
-+ && field->value[n] - min < field->maxusage
- && field->usage[field->value[n] - min].hid
- && search(value, field->value[n], count))
- hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt);
-
- if (value[n] >= min && value[n] <= max
-+ && value[n] - min < field->maxusage
- && field->usage[value[n] - min].hid
- && search(field->value, value[n], count))
- hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
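Review bot: the three added `... - min < field->maxusage` tests are only sound because `&&` short-circuits after the preceding `>= min` comparison, which keeps the subtraction non-negative before it is compared against the unsigned `maxusage`. Keep that operand order if the 3.2.86 copy of 50220dead165 is ever re-diffed; swapping the two tests would reintroduce an out-of-range index for values below `min`.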
diff --git a/debian/patches/bugfix/all/isdn-gigaset-reset-tty-receive_room-when-attaching-s.patch b/debian/patches/bugfix/all/isdn-gigaset-reset-tty-receive_room-when-attaching-s.patch
deleted file mode 100644
index c6b5b10..0000000
--- a/debian/patches/bugfix/all/isdn-gigaset-reset-tty-receive_room-when-attaching-s.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Tilman Schmidt <tilman at imap.cc>
-Date: Tue, 14 Jul 2015 00:37:13 +0200
-Subject: isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
-Origin: https://git.kernel.org/linus/fd98e9419d8d622a4de91f76b306af6aa627aa9c
-
-Commit 79901317ce80 ("n_tty: Don't flush buffer when closing ldisc"),
-first merged in kernel release 3.10, caused the following regression
-in the Gigaset M101 driver:
-
-Before that commit, when closing the N_TTY line discipline in
-preparation to switching to N_GIGASET_M101, receive_room would be
-reset to a non-zero value by the call to n_tty_flush_buffer() in
-n_tty's close method. With the removal of that call, receive_room
-might be left at zero, blocking data reception on the serial line.
-
-The present patch fixes that regression by setting receive_room
-to an appropriate value in the ldisc open method.
-
-Fixes: 79901317ce80 ("n_tty: Don't flush buffer when closing ldisc")
-Signed-off-by: Tilman Schmidt <tilman at imap.cc>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/isdn/gigaset/ser-gigaset.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
---- a/drivers/isdn/gigaset/ser-gigaset.c
-+++ b/drivers/isdn/gigaset/ser-gigaset.c
-@@ -526,9 +526,18 @@ gigaset_tty_open(struct tty_struct *tty)
- cs->hw.ser->tty = tty;
- atomic_set(&cs->hw.ser->refcnt, 1);
- init_completion(&cs->hw.ser->dead_cmp);
--
- tty->disc_data = cs;
-
-+ /* Set the amount of data we're willing to receive per call
-+ * from the hardware driver to half of the input buffer size
-+ * to leave some reserve.
-+ * Note: We don't do flow control towards the hardware driver.
-+ * If more data is received than will fit into the input buffer,
-+ * it will be dropped and an error will be logged. This should
-+ * never happen as the device is slow and the buffer size ample.
-+ */
-+ tty->receive_room = RBUFSIZE/2;
-+
- /* OK.. Initialization of the datastructures and the HW is done.. Now
- * startup system and notify the LL that we are ready to run
- */
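Review bot: the description says the regression comes from 79901317ce80, "first merged in kernel release 3.10", so this fix is only needed in a 3.2 tree if that n_tty change was itself backported to 3.2.y. Before dropping the Debian copy, confirm both that 79901317ce80 is in 3.2.y and that fd98e9419d8d is in 3.2.85 or 3.2.86; the changelog excerpt lists a different ser_gigaset fix (the -ENOMEM return), not this one.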
diff --git a/debian/patches/bugfix/all/lockdep-silence-warning-if-config_lockdep-isn-t-set.patch b/debian/patches/bugfix/all/lockdep-silence-warning-if-config_lockdep-isn-t-set.patch
deleted file mode 100644
index 4b6e218..0000000
--- a/debian/patches/bugfix/all/lockdep-silence-warning-if-config_lockdep-isn-t-set.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Paul Bolle <pebolle at tiscali.nl>
-Date: Thu, 24 Jan 2013 21:53:17 +0100
-Subject: lockdep: Silence warning if CONFIG_LOCKDEP isn't set
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/5cd3f5affad2109fd1458aab3f6216f2181e26ea
-
-Since commit c9a4962881929df7f1ef6e63e1b9da304faca4dd ("nfsd:
-make client_lock per net") compiling nfs4state.o without
-CONFIG_LOCKDEP set, triggers this GCC warning:
-
- fs/nfsd/nfs4state.c: In function ‘free_client’:
- fs/nfsd/nfs4state.c:1051:19: warning: unused variable ‘nn’ [-Wunused-variable]
-
-The cause of that warning is that lockdep_assert_held() compiles
-away if CONFIG_LOCKDEP is not set. Silence this warning by using
-the argument to lockdep_assert_held() as a nop if CONFIG_LOCKDEP
-is not set.
-
-Signed-off-by: Paul Bolle <pebolle at tiscali.nl>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Stanislav Kinsbursky <skinsbursky at parallels.com>
-Cc: J. Bruce Fields <bfields at redhat.com>
-Link: http://lkml.kernel.org/r/1359060797.1325.33.camel@x61.thuisdomein
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- include/linux/lockdep.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/include/linux/lockdep.h
-+++ b/include/linux/lockdep.h
-@@ -394,7 +394,7 @@ struct lock_class_key { };
-
- #define lockdep_depth(tsk) (0)
-
--#define lockdep_assert_held(l) do { } while (0)
-+#define lockdep_assert_held(l) do { (void)(l); } while (0)
- #define lockdep_assert_held_once(l) do { (void)(l); } while (0)
-
- #endif /* !LOCKDEP */
diff --git a/debian/patches/bugfix/all/media-info-leak-in-__media_device_enum_links.patch b/debian/patches/bugfix/all/media-info-leak-in-__media_device_enum_links.patch
deleted file mode 100644
index ae156f9..0000000
--- a/debian/patches/bugfix/all/media-info-leak-in-__media_device_enum_links.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Sat, 13 Apr 2013 06:32:15 -0300
-Subject: [media] media: info leak in __media_device_enum_links()
-Origin: https://git.kernel.org/linus/c88e739b1fad662240e99ecbd0bdaac871717987
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-9895
-
-These structs have holes and reserved struct members which aren't
-cleared. I've added a memset() so we don't leak stack information.
-
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/media/media-device.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/media/media-device.c
-+++ b/drivers/media/media-device.c
-@@ -142,6 +142,8 @@ static long media_device_enum_links(stru
-
- for (p = 0; p < entity->num_pads; p++) {
- struct media_pad_desc pad;
-+
-+ memset(&pad, 0, sizeof(pad));
- media_device_kpad_to_upad(&entity->pads[p], &pad);
- if (copy_to_user(&links.pads[p], &pad, sizeof(pad)))
- return -EFAULT;
-@@ -159,6 +161,7 @@ static long media_device_enum_links(stru
- if (entity->links[l].source->entity != entity)
- continue;
-
-+ memset(&link, 0, sizeof(link));
- media_device_kpad_to_upad(entity->links[l].source,
- &link.source);
- media_device_kpad_to_upad(entity->links[l].sink,
diff --git a/debian/patches/bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch b/debian/patches/bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
deleted file mode 100644
index c883bcc..0000000
--- a/debian/patches/bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 2 Dec 2016 09:44:53 -0800
-Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
-Origin: https://git.kernel.org/linus/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9793
-
-CAP_NET_ADMIN users should not be allowed to set negative
-sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
-corruptions, crashes, OOM...
-
-Note that before commit 82981930125a ("net: cleanups in
-sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
-and SO_RCVBUF were vulnerable.
-
-This needs to be backported to all known linux kernels.
-
-Again, many thanks to syzkaller team for discovering this gem.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/core/sock.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -533,7 +533,7 @@ int sock_setsockopt(struct socket *sock,
- val = min_t(u32, val, sysctl_wmem_max);
- set_sndbuf:
- sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
-- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
-+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
- /* Wake up sending tasks if we upped the value. */
- sk->sk_write_space(sk);
- break;
-@@ -569,7 +569,7 @@ set_rcvbuf:
- * returning the value we actually used in getsockopt
- * is the most desirable behavior.
- */
-- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
-+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
- break;
-
- case SO_RCVBUFFORCE:
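Review bot: this hunk only applies on top of the net-cleanups patch that follows (its context lines `val = min_t(u32, val, sysctl_wmem_max);` and `max_t(u32, val * 2, ...)` are introduced by 82981930125a), so the two deletions are coupled and both 3.2.86 commits must be present for the drop to be safe. Note also that `val * 2` remains a signed multiply that overflows for `val > INT_MAX/2`; the fix relies on the wrapped negative result being clamped by `max_t(int, ...)` to SOCK_MIN_SNDBUF/SOCK_MIN_RCVBUF rather than on rejecting the value, which is the intended safe direction but worth stating in the changelog.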
diff --git a/debian/patches/bugfix/all/net-cleanups-in-sock_setsockopt.patch b/debian/patches/bugfix/all/net-cleanups-in-sock_setsockopt.patch
deleted file mode 100644
index 2e1756d..0000000
--- a/debian/patches/bugfix/all/net-cleanups-in-sock_setsockopt.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Thu, 26 Apr 2012 20:07:59 +0000
-Subject: net: cleanups in sock_setsockopt()
-Origin: https://git.kernel.org/linus/82981930125abfd39d7c8378a9cfdf5e1be2002b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2012-6704
-
-Use min_t()/max_t() macros, reformat two comments, use !!test_bit() to
-match !!sock_flag()
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/core/sock.c | 42 +++++++++++++++---------------------------
- 1 file changed, 15 insertions(+), 27 deletions(-)
-
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -526,23 +526,15 @@ int sock_setsockopt(struct socket *sock,
- break;
- case SO_SNDBUF:
- /* Don't error on this BSD doesn't and if you think
-- about it this is right. Otherwise apps have to
-- play 'guess the biggest size' games. RCVBUF/SNDBUF
-- are treated in BSD as hints */
--
-- if (val > sysctl_wmem_max)
-- val = sysctl_wmem_max;
-+ * about it this is right. Otherwise apps have to
-+ * play 'guess the biggest size' games. RCVBUF/SNDBUF
-+ * are treated in BSD as hints
-+ */
-+ val = min_t(u32, val, sysctl_wmem_max);
- set_sndbuf:
- sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
-- if ((val * 2) < SOCK_MIN_SNDBUF)
-- sk->sk_sndbuf = SOCK_MIN_SNDBUF;
-- else
-- sk->sk_sndbuf = val * 2;
--
-- /*
-- * Wake up sending tasks if we
-- * upped the value.
-- */
-+ sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
-+ /* Wake up sending tasks if we upped the value. */
- sk->sk_write_space(sk);
- break;
-
-@@ -555,12 +547,11 @@ set_sndbuf:
-
- case SO_RCVBUF:
- /* Don't error on this BSD doesn't and if you think
-- about it this is right. Otherwise apps have to
-- play 'guess the biggest size' games. RCVBUF/SNDBUF
-- are treated in BSD as hints */
--
-- if (val > sysctl_rmem_max)
-- val = sysctl_rmem_max;
-+ * about it this is right. Otherwise apps have to
-+ * play 'guess the biggest size' games. RCVBUF/SNDBUF
-+ * are treated in BSD as hints
-+ */
-+ val = min_t(u32, val, sysctl_rmem_max);
- set_rcvbuf:
- sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
- /*
-@@ -578,10 +569,7 @@ set_rcvbuf:
- * returning the value we actually used in getsockopt
- * is the most desirable behavior.
- */
-- if ((val * 2) < SOCK_MIN_RCVBUF)
-- sk->sk_rcvbuf = SOCK_MIN_RCVBUF;
-- else
-- sk->sk_rcvbuf = val * 2;
-+ sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
- break;
-
- case SO_RCVBUFFORCE:
-@@ -923,7 +911,7 @@ int sock_getsockopt(struct socket *sock,
- break;
-
- case SO_PASSCRED:
-- v.val = test_bit(SOCK_PASSCRED, &sock->flags) ? 1 : 0;
-+ v.val = !!test_bit(SOCK_PASSCRED, &sock->flags);
- break;
-
- case SO_PEERCRED:
-@@ -958,7 +946,7 @@ int sock_getsockopt(struct socket *sock,
- break;
-
- case SO_PASSSEC:
-- v.val = test_bit(SOCK_PASSSEC, &sock->flags) ? 1 : 0;
-+ v.val = !!test_bit(SOCK_PASSSEC, &sock->flags);
- break;
-
- case SO_PEERSEC:
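Review bot: despite the subject, the set_sndbuf/set_rcvbuf hunks are a behaviour change, which is why this file carries CVE-2012-6704: replacing `if (val > sysctl_wmem_max) val = sysctl_wmem_max;` with `val = min_t(u32, val, sysctl_wmem_max);` turns a signed comparison that a negative `val` passed untouched into an unsigned one that clamps negatives to the sysctl maximum, so an unprivileged SO_SNDBUF/SO_RCVBUF can no longer set a negative sk_sndbuf/sk_rcvbuf. The same hunks introduce `max_t(u32, val * 2, SOCK_MIN_SNDBUF)` on the path the FORCE variants reach, which is the line the SO_*BUFFORCE fix in this series changes back to int; the two files are a pair and both upstream commits (82981930125a and b98b0bc8c431) need to be present in 3.2.86 before either file is dropped. The sock_getsockopt hunks (`!!test_bit(...)` for SO_PASSCRED and SO_PASSSEC) are equivalent to the `? 1 : 0` they replace and need no further review.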
diff --git a/debian/patches/bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch b/debian/patches/bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
deleted file mode 100644
index cf36baa..0000000
--- a/debian/patches/bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Mon, 5 Dec 2016 10:34:38 -0800
-Subject: net: ping: check minimum size on ICMP header length
-Origin: https://git.kernel.org/linus/0eab121ef8750a5c8637d51534d5e9143fb0633f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8399
-
-Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
-was no check that the iovec contained enough bytes for an ICMP header,
-and the read loop would walk across neighboring stack contents. Since the
-iov_iter conversion, bad arguments are noticed, but the returned error is
-EFAULT. Returning EINVAL is a clearer error and also solves the problem
-prior to v3.19.
-
-This was found using trinity with KASAN on v3.18:
-
-BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
-Read of size 8 by task trinity-c2/9623
-page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
-flags: 0x0()
-page dumped because: kasan: bad access detected
-CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
-Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
-Call trace:
-[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
-[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
-[< inline >] __dump_stack lib/dump_stack.c:15
-[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
-[< inline >] print_address_description mm/kasan/report.c:147
-[< inline >] kasan_report_error mm/kasan/report.c:236
-[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
-[< inline >] check_memory_region mm/kasan/kasan.c:264
-[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
-[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
-[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
-[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
-[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
-[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
-[< inline >] __sock_sendmsg_nosec net/socket.c:624
-[< inline >] __sock_sendmsg net/socket.c:632
-[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
-[< inline >] SYSC_sendto net/socket.c:1797
-[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
-
-CVE-2016-8399
-
-Reported-by: Qidan He <i at flanker017.me>
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Cc: stable at vger.kernel.org
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: only ICMPv4 is supported]
----
- net/ipv4/ping.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -482,6 +482,10 @@ static int ping_sendmsg(struct kiocb *io
- if (len > 0xFFFF)
- return -EMSGSIZE;
-
-+ /* Must have at least a full ICMP header. */
-+ if (len < sizeof(struct icmphdr))
-+ return -EINVAL;
-+
- /*
- * Check the flags.
- */
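Review bot: the new `len < sizeof(struct icmphdr)` check sits after the existing `len > 0xFFFF` test and before the flags check, so a short sendmsg() is rejected before any header bytes are copied out of the iovec; on 3.2 that is the whole fix, because, as the description says, kernels before the v3.19 iov_iter conversion had no length check there and memcpy_fromiovec() read past the user iovec into neighbouring stack (the KASAN trace shows exactly that under ping_common_sendmsg()). The backport note explains why only `ping_sendmsg` in net/ipv4/ping.c is touched: 3.2 has no ICMPv6 ping sockets. Returning -EINVAL rather than -EMSGSIZE matches upstream, so user space probing with tiny datagrams sees the same errno on 3.2 as on newer kernels. The `Cc: stable` line is consistent with 0eab121ef875 having reached 3.2.y, but the drop should be confirmed against the 3.2.86 net/ipv4/ping.c rather than inferred from it.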
diff --git a/debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
deleted file mode 100644
index 648d263..0000000
--- a/debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Philip Pettersson <philip.pettersson at gmail.com>
-Date: Wed, 30 Nov 2016 14:55:36 -0800
-Subject: packet: fix race condition in packet_set_ring
-Origin: https://git.kernel.org/linus/84ac7260236a49c79eede91617700174c2c19b0c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8655
-
-When packet_set_ring creates a ring buffer it will initialize a
-struct timer_list if the packet version is TPACKET_V3. This value
-can then be raced by a different thread calling setsockopt to
-set the version to TPACKET_V1 before packet_set_ring has finished.
-
-This leads to a use-after-free on a function pointer in the
-struct timer_list when the socket is closed as the previously
-initialized timer will not be deleted.
-
-The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
-changing the packet version while also taking the lock at the start
-of packet_set_ring.
-
-Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
-Signed-off-by: Philip Pettersson <philip.pettersson at gmail.com>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3077,19 +3077,25 @@ packet_setsockopt(struct socket *sock, i
-
- if (optlen != sizeof(val))
- return -EINVAL;
-- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
- switch (val) {
- case TPACKET_V1:
- case TPACKET_V2:
- case TPACKET_V3:
-- po->tp_version = val;
-- return 0;
-+ break;
- default:
- return -EINVAL;
- }
-+ lock_sock(sk);
-+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+ ret = -EBUSY;
-+ } else {
-+ po->tp_version = val;
-+ ret = 0;
-+ }
-+ release_sock(sk);
-+ return ret;
- }
- case PACKET_RESERVE:
- {
-@@ -3560,6 +3566,7 @@ static int packet_set_ring(struct sock *
- /* Added to avoid minimal code churn */
- struct tpacket_req *req = &req_u->req;
-
-+ lock_sock(sk);
- /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
- if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
- WARN(1, "Tx-ring is not supported.\n");
-@@ -3637,7 +3644,6 @@ static int packet_set_ring(struct sock *
- goto out;
- }
-
-- lock_sock(sk);
-
- /* Detach socket from network */
- spin_lock(&po->bind_lock);
-@@ -3686,11 +3692,11 @@ static int packet_set_ring(struct sock *
- if (!tx_ring)
- prb_shutdown_retire_blk_timer(po, tx_ring, rb_queue);
- }
-- release_sock(sk);
-
- if (pg_vec)
- free_pg_vec(pg_vec, order, req->tp_block_nr);
- out:
-+ release_sock(sk);
- return err;
- }
-
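Review bot: the PACKET_VERSION hunk moves the `po->rx_ring.pg_vec || po->tx_ring.pg_vec` test under lock_sock(sk), and the packet_set_ring hunks move lock_sock() to the top of the function and release_sock() to the `out:` label, so the version read early in packet_set_ring (`po->tp_version > TPACKET_V2`) and the later V3 timer setup can no longer interleave with a concurrent setsockopt(PACKET_VERSION); that interleaving is what left an initialised retire timer behind on a socket that then thought it was TPACKET_V1, giving the use-after-free on close. Two things to verify in the 3.2 tree: `ret` is assigned and returned in the PACKET_VERSION case but its declaration is outside the visible context, so packet_setsockopt() must already declare it; and every path that leaves packet_set_ring between the new lock_sock() and `out:` (including the `Tx-ring is not supported` WARN path) must reach the label rather than return directly, otherwise the socket lock leaks. The reordering also means copy_from_user() now runs before the EBUSY test, which is harmless. Confirm 3.2.86 carries 84ac7260236a (CVE-2016-8655) before dropping.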
diff --git a/debian/patches/bugfix/all/perf-core-fix-concurrent-sys_perf_event_open-vs.-mov.patch b/debian/patches/bugfix/all/perf-core-fix-concurrent-sys_perf_event_open-vs.-mov.patch
deleted file mode 100644
index fd0c3ca..0000000
--- a/debian/patches/bugfix/all/perf-core-fix-concurrent-sys_perf_event_open-vs.-mov.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Wed, 11 Jan 2017 21:09:50 +0100
-Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
-Origin: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6001
-
-Di Shen reported a race between two concurrent sys_perf_event_open()
-calls where both try and move the same pre-existing software group
-into a hardware context.
-
-The problem is exactly that described in commit:
-
- f63a8daa5812 ("perf: Fix event->ctx locking")
-
-... where, while we wait for a ctx->mutex acquisition, the event->ctx
-relation can have changed under us.
-
-That very same commit failed to recognise sys_perf_event_context() as an
-external access vector to the events and thereby didn't apply the
-established locking rules correctly.
-
-So while one sys_perf_event_open() call is stuck waiting on
-mutex_lock_double(), the other (which owns said locks) moves the group
-about. So by the time the former sys_perf_event_open() acquires the
-locks, the context we've acquired is stale (and possibly dead).
-
-Apply the established locking rules as per perf_event_ctx_lock_nested()
-to the mutex_lock_double() for the 'move_group' case. This obviously means
-we need to validate state after we acquire the locks.
-
-Reported-by: Di Shen (Keen Lab)
-Tested-by: John Dias <joaodias at google.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Cc: Alexander Shishkin <alexander.shishkin at linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme at kernel.org>
-Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Min Chong <mchong at google.com>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Stephane Eranian <eranian at google.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Vince Weaver <vincent.weaver at maine.edu>
-Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
-Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 3.2:
- - Use ACCESS_ONCE() instead of READ_ONCE()
- - Test perf_event::group_flags instead of group_caps
- - Add the err_locked cleanup block, which we didn't need before
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/events/core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 54 insertions(+), 4 deletions(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -6479,6 +6479,37 @@ static void mutex_lock_double(struct mut
- mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
- }
-
-+/*
-+ * Variation on perf_event_ctx_lock_nested(), except we take two context
-+ * mutexes.
-+ */
-+static struct perf_event_context *
-+__perf_event_ctx_lock_double(struct perf_event *group_leader,
-+ struct perf_event_context *ctx)
-+{
-+ struct perf_event_context *gctx;
-+
-+again:
-+ rcu_read_lock();
-+ gctx = ACCESS_ONCE(group_leader->ctx);
-+ if (!atomic_inc_not_zero(&gctx->refcount)) {
-+ rcu_read_unlock();
-+ goto again;
-+ }
-+ rcu_read_unlock();
-+
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-+
-+ if (group_leader->ctx != gctx) {
-+ mutex_unlock(&ctx->mutex);
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ goto again;
-+ }
-+
-+ return gctx;
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -6669,14 +6700,31 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- gctx = group_leader->ctx;
-+ gctx = __perf_event_ctx_lock_double(group_leader, ctx);
-+
-+ /*
-+ * Check if we raced against another sys_perf_event_open() call
-+ * moving the software group underneath us.
-+ */
-+ if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
-+ /*
-+ * If someone moved the group out from under us, check
-+ * if this new event wound up on the same ctx, if so
-+ * its the regular !move_group case, otherwise fail.
-+ */
-+ if (gctx != ctx) {
-+ err = -EINVAL;
-+ goto err_locked;
-+ } else {
-+ perf_event_ctx_unlock(group_leader, gctx);
-+ move_group = 0;
-+ }
-+ }
-
- /*
- * See perf_event_ctx_lock() for comments on the details
- * of swizzling perf_event::ctx.
- */
-- mutex_lock_double(&gctx->mutex, &ctx->mutex);
--
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -6718,7 +6766,7 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_unpin_context(ctx);
-
- if (move_group) {
-- mutex_unlock(&gctx->mutex);
-+ perf_event_ctx_unlock(group_leader, gctx);
- put_ctx(gctx);
- }
- mutex_unlock(&ctx->mutex);
-@@ -6745,6 +6793,11 @@ SYSCALL_DEFINE5(perf_event_open,
- fd_install(event_fd, event_file);
- return event_fd;
-
-+err_locked:
-+ if (move_group)
-+ perf_event_ctx_unlock(group_leader, gctx);
-+ mutex_unlock(&ctx->mutex);
-+ fput(event_file);
- err_context:
- perf_unpin_context(ctx);
- put_ctx(ctx);
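Review bot: __perf_event_ctx_lock_double() calls `mutex_lock_double(&gctx->mutex, &ctx->mutex)` unconditionally, yet the check that follows it in sys_perf_event_open explicitly handles `gctx == ctx` (the racing open moved the group into the very context we are installing into, so move_group is cleared); if that state already holds when `gctx` is read, mutex_lock_double() locks the same mutex twice. Either that case needs to be shown unreachable at the point the helper runs, or the helper should compare gctx with ctx before taking the locks. Second point, on the err_locked block: it drops both mutexes and then calls fput(event_file) before falling into err_context and err_alloc, which is only correct with the `if (!event_file) free_event(event)` guard from the `perf: Do not double free` patch in this series; without it perf_release() frees the event and err_alloc frees it again, so 3.2.86 must carry 130056275ade as well as 321027c1fe77. The reference counting is balanced: the reference atomic_inc_not_zero() takes is released by perf_event_ctx_unlock(), and the remaining `put_ctx(gctx)` after it drops the leader's old reference, matching the per-sibling put_ctx(gctx) in the move loop.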
diff --git a/debian/patches/bugfix/all/perf-do-not-double-free.patch b/debian/patches/bugfix/all/perf-do-not-double-free.patch
deleted file mode 100644
index f74cb9e..0000000
--- a/debian/patches/bugfix/all/perf-do-not-double-free.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Wed, 24 Feb 2016 18:45:41 +0100
-Subject: perf: Do not double free
-Origin: https:/.git.kernel.org/linus/130056275ade730e7a79c110212c8815202773ee
-
-In case of: err_file: fput(event_file), we'll end up calling
-perf_release() which in turn will free the event.
-
-Do not then free the event _again_.
-
-Tested-by: Alexander Shishkin <alexander.shishkin at linux.intel.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Reviewed-by: Alexander Shishkin <alexander.shishkin at linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: dvyukov at google.com
-Cc: eranian at google.com
-Cc: oleg at redhat.com
-Cc: panand at redhat.com
-Cc: sasha.levin at oracle.com
-Cc: vince at deater.net
-Link: http://lkml.kernel.org/r/20160224174947.697350349@infradead.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/events/core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -6749,7 +6749,12 @@ err_context:
- perf_unpin_context(ctx);
- put_ctx(ctx);
- err_alloc:
-- free_event(event);
-+ /*
-+ * If event_file is set, the fput() above will have called ->release()
-+ * and that will take care of freeing the event.
-+ */
-+ if (!event_file)
-+ free_event(event);
- err_task:
- if (task)
- put_task_struct(task);
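Review bot: the guard is right, but it depends on `event_file` being NULL-initialised at the top of sys_perf_event_open (it is: `struct file *event_file = NULL;` appears as context in the event->ctx locking backport) and on no error label after event_file is assigned reaching err_alloc without an fput(); any future error path added past that point must go through fput() and let ->release() free the event rather than call free_event() itself. The file has no Bug-Debian-Security line, but it is not optional for this series: the err_locked block that the move_group race fix (CVE-2017-6001) adds does fput(event_file) and then falls through to err_alloc, so without this guard that fix converts the race into a double free. Also, the Origin URL is malformed (`https:/.git.kernel.org/...`, a single slash and a dot); it does not matter once the file is removed, but fix it if the patch is ever resurrected.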
diff --git a/debian/patches/bugfix/all/perf-fix-event-ctx-locking.patch b/debian/patches/bugfix/all/perf-fix-event-ctx-locking.patch
deleted file mode 100644
index af9cbcf..0000000
--- a/debian/patches/bugfix/all/perf-fix-event-ctx-locking.patch
+++ /dev/null
@@ -1,468 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Fri, 23 Jan 2015 12:24:14 +0100
-Subject: perf: Fix event->ctx locking
-Origin: https://git.kernel.org/linus/f63a8daa5812afef4f06c962351687e1ff9ccb2b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-6786
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-6787
-
-There have been a few reported issues wrt. the lack of locking around
-changing event->ctx. This patch tries to address those.
-
-It avoids the whole rwsem thing; and while it appears to work, please
-give it some thought in review.
-
-What I did fail at is sensible runtime checks on the use of
-event->ctx, the RCU use makes it very hard.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Cc: Paul E. McKenney <paulmck at linux.vnet.ibm.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Arnaldo Carvalho de Melo <acme at kernel.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 3.2:
- - We don't have perf_pmu_migrate_context()
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -670,6 +670,76 @@ static void put_ctx(struct perf_event_co
- }
- }
-
-+/*
-+ * Because of perf_event::ctx migration in sys_perf_event_open::move_group we
-+ * need some magic.
-+ *
-+ * Those places that change perf_event::ctx will hold both
-+ * perf_event_ctx::mutex of the 'old' and 'new' ctx value.
-+ *
-+ * Lock ordering is by mutex address. There is one other site where
-+ * perf_event_context::mutex nests and that is put_event(). But remember that
-+ * that is a parent<->child context relation, and migration does not affect
-+ * children, therefore these two orderings should not interact.
-+ *
-+ * The change in perf_event::ctx does not affect children (as claimed above)
-+ * because the sys_perf_event_open() case will install a new event and break
-+ * the ctx parent<->child relation.
-+ *
-+ * The places that change perf_event::ctx will issue:
-+ *
-+ * perf_remove_from_context();
-+ * synchronize_rcu();
-+ * perf_install_in_context();
-+ *
-+ * to affect the change. The remove_from_context() + synchronize_rcu() should
-+ * quiesce the event, after which we can install it in the new location. This
-+ * means that only external vectors (perf_fops, prctl) can perturb the event
-+ * while in transit. Therefore all such accessors should also acquire
-+ * perf_event_context::mutex to serialize against this.
-+ *
-+ * However; because event->ctx can change while we're waiting to acquire
-+ * ctx->mutex we must be careful and use the below perf_event_ctx_lock()
-+ * function.
-+ *
-+ * Lock order:
-+ * task_struct::perf_event_mutex
-+ * perf_event_context::mutex
-+ * perf_event_context::lock
-+ * perf_event::child_mutex;
-+ * perf_event::mmap_mutex
-+ * mmap_sem
-+ */
-+static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+again:
-+ rcu_read_lock();
-+ ctx = ACCESS_ONCE(event->ctx);
-+ if (!atomic_inc_not_zero(&ctx->refcount)) {
-+ rcu_read_unlock();
-+ goto again;
-+ }
-+ rcu_read_unlock();
-+
-+ mutex_lock(&ctx->mutex);
-+ if (event->ctx != ctx) {
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+ goto again;
-+ }
-+
-+ return ctx;
-+}
-+
-+static void perf_event_ctx_unlock(struct perf_event *event,
-+ struct perf_event_context *ctx)
-+{
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+}
-+
- static void unclone_ctx(struct perf_event_context *ctx)
- {
- if (ctx->parent_ctx) {
-@@ -1330,7 +1400,7 @@ static int __perf_event_disable(void *in
- * is the current context on this CPU and preemption is disabled,
- * hence we can't get into perf_event_task_sched_out for this context.
- */
--void perf_event_disable(struct perf_event *event)
-+static void _perf_event_disable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -1372,6 +1442,19 @@ retry:
- raw_spin_unlock_irq(&ctx->lock);
- }
-
-+/*
-+ * Strictly speaking kernel users cannot create groups and therefore this
-+ * interface does not need the perf_event_ctx_lock() magic.
-+ */
-+void perf_event_disable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_disable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
-+
- static void perf_set_shadow_time(struct perf_event *event,
- struct perf_event_context *ctx,
- u64 tstamp)
-@@ -1818,7 +1901,7 @@ unlock:
- * perf_event_for_each_child or perf_event_for_each as described
- * for perf_event_disable.
- */
--void perf_event_enable(struct perf_event *event)
-+static void _perf_event_enable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -1875,7 +1958,19 @@ out:
- raw_spin_unlock_irq(&ctx->lock);
- }
-
--int perf_event_refresh(struct perf_event *event, int refresh)
-+/*
-+ * See perf_event_disable();
-+ */
-+void perf_event_enable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_enable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
-+
-+static int _perf_event_refresh(struct perf_event *event, int refresh)
- {
- /*
- * not supported on inherited events
-@@ -1884,10 +1979,25 @@ int perf_event_refresh(struct perf_event
- return -EINVAL;
-
- atomic_add(refresh, &event->event_limit);
-- perf_event_enable(event);
-+ _perf_event_enable(event);
-
- return 0;
- }
-+
-+/*
-+ * See perf_event_disable()
-+ */
-+int perf_event_refresh(struct perf_event *event, int refresh)
-+{
-+ struct perf_event_context *ctx;
-+ int ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_event_refresh(event, refresh);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
- EXPORT_SYMBOL_GPL(perf_event_refresh);
-
- static void ctx_sched_out(struct perf_event_context *ctx,
-@@ -3115,7 +3225,16 @@ static void put_event(struct perf_event
- rcu_read_unlock();
-
- if (owner) {
-- mutex_lock(&owner->perf_event_mutex);
-+ /*
-+ * If we're here through perf_event_exit_task() we're already
-+ * holding ctx->mutex which would be an inversion wrt. the
-+ * normal lock order.
-+ *
-+ * However we can safely take this lock because its the child
-+ * ctx->mutex.
-+ */
-+ mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING);
-+
- /*
- * We have to re-check the event->owner field, if it is cleared
- * we raced with perf_event_exit_task(), acquiring the mutex
-@@ -3167,12 +3286,13 @@ static int perf_event_read_group(struct
- u64 read_format, char __user *buf)
- {
- struct perf_event *leader = event->group_leader, *sub;
-- int n = 0, size = 0, ret = -EFAULT;
- struct perf_event_context *ctx = leader->ctx;
-- u64 values[5];
-+ int n = 0, size = 0, ret;
- u64 count, enabled, running;
-+ u64 values[5];
-+
-+ lockdep_assert_held(&ctx->mutex);
-
-- mutex_lock(&ctx->mutex);
- count = perf_event_read_value(leader, &enabled, &running);
-
- values[n++] = 1 + leader->nr_siblings;
-@@ -3187,7 +3307,7 @@ static int perf_event_read_group(struct
- size = n * sizeof(u64);
-
- if (copy_to_user(buf, values, size))
-- goto unlock;
-+ return -EFAULT;
-
- ret = size;
-
-@@ -3201,14 +3321,11 @@ static int perf_event_read_group(struct
- size = n * sizeof(u64);
-
- if (copy_to_user(buf + ret, values, size)) {
-- ret = -EFAULT;
-- goto unlock;
-+ return -EFAULT;
- }
-
- ret += size;
- }
--unlock:
-- mutex_unlock(&ctx->mutex);
-
- return ret;
- }
-@@ -3267,8 +3384,14 @@ static ssize_t
- perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
- {
- struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ int ret;
-
-- return perf_read_hw(event, buf, count);
-+ ctx = perf_event_ctx_lock(event);
-+ ret = perf_read_hw(event, buf, count);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
- }
-
- static unsigned int perf_poll(struct file *file, poll_table *wait)
-@@ -3292,7 +3415,7 @@ static unsigned int perf_poll(struct fil
- return events;
- }
-
--static void perf_event_reset(struct perf_event *event)
-+static void _perf_event_reset(struct perf_event *event)
- {
- (void)perf_event_read(event);
- local64_set(&event->count, 0);
-@@ -3311,6 +3434,7 @@ static void perf_event_for_each_child(st
- struct perf_event *child;
-
- WARN_ON_ONCE(event->ctx->parent_ctx);
-+
- mutex_lock(&event->child_mutex);
- func(event);
- list_for_each_entry(child, &event->child_list, child_list)
-@@ -3324,15 +3448,14 @@ static void perf_event_for_each(struct p
- struct perf_event_context *ctx = event->ctx;
- struct perf_event *sibling;
-
-- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-+ lockdep_assert_held(&ctx->mutex);
-+
- event = event->group_leader;
-
- perf_event_for_each_child(event, func);
- func(event);
- list_for_each_entry(sibling, &event->sibling_list, group_entry)
- perf_event_for_each_child(sibling, func);
-- mutex_unlock(&ctx->mutex);
- }
-
- static int perf_event_period(struct perf_event *event, u64 __user *arg)
-@@ -3391,25 +3514,24 @@ static int perf_event_set_output(struct
- struct perf_event *output_event);
- static int perf_event_set_filter(struct perf_event *event, void __user *arg);
-
--static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
- {
-- struct perf_event *event = file->private_data;
- void (*func)(struct perf_event *);
- u32 flags = arg;
-
- switch (cmd) {
- case PERF_EVENT_IOC_ENABLE:
-- func = perf_event_enable;
-+ func = _perf_event_enable;
- break;
- case PERF_EVENT_IOC_DISABLE:
-- func = perf_event_disable;
-+ func = _perf_event_disable;
- break;
- case PERF_EVENT_IOC_RESET:
-- func = perf_event_reset;
-+ func = _perf_event_reset;
- break;
-
- case PERF_EVENT_IOC_REFRESH:
-- return perf_event_refresh(event, arg);
-+ return _perf_event_refresh(event, arg);
-
- case PERF_EVENT_IOC_PERIOD:
- return perf_event_period(event, (u64 __user *)arg);
-@@ -3450,6 +3572,19 @@ static long perf_ioctl(struct file *file
- return 0;
- }
-
-+static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ long ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_ioctl(event, cmd, arg);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
-+
- #ifdef CONFIG_COMPAT
- static long perf_compat_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
-@@ -3471,11 +3606,15 @@ static long perf_compat_ioctl(struct fil
-
- int perf_event_task_enable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_enable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_enable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -3483,11 +3622,15 @@ int perf_event_task_enable(void)
-
- int perf_event_task_disable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_disable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_disable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -6327,6 +6470,15 @@ out:
- return ret;
- }
-
-+static void mutex_lock_double(struct mutex *a, struct mutex *b)
-+{
-+ if (b < a)
-+ swap(a, b);
-+
-+ mutex_lock(a);
-+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -6342,7 +6494,7 @@ SYSCALL_DEFINE5(perf_event_open,
- struct perf_event *group_leader = NULL, *output_event = NULL;
- struct perf_event *event, *sibling;
- struct perf_event_attr attr;
-- struct perf_event_context *ctx;
-+ struct perf_event_context *ctx, *uninitialized_var(gctx);
- struct file *event_file = NULL;
- struct file *group_file = NULL;
- struct task_struct *task = NULL;
-@@ -6517,9 +6669,14 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- struct perf_event_context *gctx = group_leader->ctx;
-+ gctx = group_leader->ctx;
-+
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-
-- mutex_lock(&gctx->mutex);
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -6534,14 +6691,19 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_event__state_init(sibling);
- put_ctx(gctx);
- }
-- mutex_unlock(&gctx->mutex);
-- put_ctx(gctx);
-+ } else {
-+ mutex_lock(&ctx->mutex);
- }
-
- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-
- if (move_group) {
-+ /*
-+ * Wait for everybody to stop referencing the events through
-+ * the old lists, before installing it on new lists.
-+ */
-+ synchronize_rcu();
-+
- perf_install_in_context(ctx, group_leader, cpu);
- get_ctx(ctx);
- list_for_each_entry(sibling, &group_leader->sibling_list,
-@@ -6554,6 +6716,11 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_install_in_context(ctx, event, cpu);
- ++ctx->generation;
- perf_unpin_context(ctx);
-+
-+ if (move_group) {
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ }
- mutex_unlock(&ctx->mutex);
-
- event->owner = current;
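Review bot: the perf_event_read_group hunk replaces `mutex_lock(&ctx->mutex)` with `lockdep_assert_held(&ctx->mutex)` where ctx is `leader->ctx`, but the mutex the new perf_read() wrapper takes is on `event->ctx` via perf_event_ctx_lock(event); the two are the same mutex only because a sibling always lives in its leader's context (the move_group path reinstalls leader and siblings into the same ctx under both mutexes), and a one-line comment at the assert saying so would spare the next reader that check. perf_event_for_each drops `WARN_ON_ONCE(ctx->parent_ctx)` together with the lock; the equivalent WARN remains in perf_event_for_each_child, so nothing is lost. Two ordering points for the drop: this file removes the `mutex_unlock(&ctx->mutex);` that the `perf: Fix perf_event_for_each() to use sibling` patch still shows as context, so that commit must already be in 3.2.86 for f63a8daa5812 to apply there, and the `mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING)` in put_event deliberately inverts the documented order (task_struct::perf_event_mutex above perf_event_context::mutex) for the child-ctx case, which is why it is a nested lock and must stay one. The file also has no diffstat after the `---` separator, unlike the others in the series; harmless for quilt but inconsistent.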
diff --git a/debian/patches/bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch b/debian/patches/bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch
deleted file mode 100644
index e407526..0000000
--- a/debian/patches/bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Michael Ellerman <michael at ellerman.id.au>
-Date: Wed, 11 Apr 2012 11:54:13 +1000
-Subject: perf: Fix perf_event_for_each() to use sibling
-Origin: https://git.kernel.org/linus/724b6daa13e100067c30cfc4d1ad06629609dc4e
-
-In perf_event_for_each() we call a function on an event, and then
-iterate over the siblings of the event.
-
-However we don't call the function on the siblings, we call it
-repeatedly on the original event - it seems "obvious" that we should
-be calling it with sibling as the argument.
-
-It looks like this broke in commit 75f937f24bd9 ("Fix ctx->mutex
-vs counter->mutex inversion").
-
-The only effect of the bug is that the PERF_IOC_FLAG_GROUP parameter
-to the ioctls doesn't work.
-
-Signed-off-by: Michael Ellerman <michael at ellerman.id.au>
-Signed-off-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
-Link: http://lkml.kernel.org/r/1334109253-31329-1-git-send-email-michael@ellerman.id.au
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/events/core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -3331,7 +3331,7 @@ static void perf_event_for_each(struct p
- perf_event_for_each_child(event, func);
- func(event);
- list_for_each_entry(sibling, &event->sibling_list, group_entry)
-- perf_event_for_each_child(event, func);
-+ perf_event_for_each_child(sibling, func);
- mutex_unlock(&ctx->mutex);
- }
-
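Review bot: this file has an Origin header but no Bug-Debian-Security header, so the only justification for dropping it is that commit 724b6daa13e1 is in the new base; the functional change is a single token, `perf_event_for_each_child(sibling, func)` instead of `event`, so it is quick to confirm in `kernel/events/core.c` before the patch is removed.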
diff --git a/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch b/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
deleted file mode 100644
index a48ac54..0000000
--- a/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Tue, 15 Dec 2015 13:49:05 +0100
-Subject: perf: Fix race in swevent hash
-Origin: https://git.kernel.org/linus/12ca6ad2e3a896256f086497a7c7406a547ee373
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8963
-
-There's a race on CPU unplug where we free the swevent hash array
-while it can still have events on. This will result in a
-use-after-free which is BAD.
-
-Simply do not free the hash array on unplug. This leaves the thing
-around and no use-after-free takes place.
-
-When the last swevent dies, we do a for_each_possible_cpu() iteration
-anyway to clean these up, at which time we'll free it, so no leakage
-will occur.
-
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Tested-by: Sasha Levin <sasha.levin at oracle.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
-Cc: Frederic Weisbecker <fweisbec at gmail.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Stephane Eranian <eranian at google.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Vince Weaver <vincent.weaver at maine.edu>
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
----
- kernel/events/core.c | 20 +-------------------
- 1 file changed, 1 insertion(+), 19 deletions(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -4958,9 +4958,6 @@ struct swevent_htable {
-
- /* Recursion avoidance in each contexts */
- int recursion[PERF_NR_CONTEXTS];
--
-- /* Keeps track of cpu being initialized/exited */
-- bool online;
- };
-
- static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
-@@ -5203,14 +5200,8 @@ static int perf_swevent_add(struct perf_
- hwc->state = !(flags & PERF_EF_START);
-
- head = find_swevent_head(swhash, event);
-- if (!head) {
-- /*
-- * We can race with cpu hotplug code. Do not
-- * WARN if the cpu just got unplugged.
-- */
-- WARN_ON_ONCE(swhash->online);
-+ if (WARN_ON_ONCE(!head))
- return -EINVAL;
-- }
-
- hlist_add_head_rcu(&event->hlist_entry, head);
-
-@@ -5282,7 +5273,6 @@ static int swevent_hlist_get_cpu(struct
- int err = 0;
-
- mutex_lock(&swhash->hlist_mutex);
--
- if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
- struct swevent_hlist *hlist;
-
-@@ -7149,7 +7139,6 @@ static void __cpuinit perf_event_init_cp
- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
-
- mutex_lock(&swhash->hlist_mutex);
-- swhash->online = true;
- if (swhash->hlist_refcount > 0) {
- struct swevent_hlist *hlist;
-
-@@ -7202,14 +7191,7 @@ static void perf_event_exit_cpu_context(
-
- static void perf_event_exit_cpu(int cpu)
- {
-- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
--
- perf_event_exit_cpu_context(cpu);
--
-- mutex_lock(&swhash->hlist_mutex);
-- swhash->online = false;
-- swevent_hlist_release(swhash);
-- mutex_unlock(&swhash->hlist_mutex);
- }
- #else
- static inline void perf_event_exit_cpu(int cpu) { }
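Review bot: CVE-2015-8963 is tracked through the Bug-Debian-Security header of this file, so the changelog for dropping it should still record the CVE as fixed by the new base rather than silently losing the reference. On the substance, nothing in the visible hunks still references `swhash->online` once the field, its two writers and the release in `perf_event_exit_cpu()` go, and `swevent_hlist_get_cpu()` keeps its `cpu_online(cpu)` check; the fix accepts keeping the hash until the last swevent dies in exchange for removing the use-after-free.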
diff --git a/debian/patches/bugfix/all/rose-limit-sk_filter-trim-to-payload.patch b/debian/patches/bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
deleted file mode 100644
index d2fbb02..0000000
--- a/debian/patches/bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Tue, 12 Jul 2016 18:18:56 -0400
-Subject: rose: limit sk_filter trim to payload
-Origin: https://git.kernel.org/linus/f4979fcea7fd36d8e2f556abef86f80e0d5af1ba
-
-Sockets can have a filter program attached that drops or trims
-incoming packets based on the filter program return value.
-
-Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
-verifies this on arrival in rose_route_frame and unconditionally pulls
-the bytes in rose_recvmsg. The filter can trim packets to below this
-value in-between, causing pull to fail, leaving the partial header at
-the time of skb_copy_datagram_msg.
-
-Place a lower bound on the size to which sk_filter may trim packets
-by introducing sk_filter_trim_cap and call this for rose packets.
-
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- include/linux/filter.h | 6 +++++-
- net/core/filter.c | 10 +++++-----
- net/rose/rose_in.c | 3 ++-
- 3 files changed, 12 insertions(+), 7 deletions(-)
-
---- a/include/linux/filter.h
-+++ b/include/linux/filter.h
-@@ -150,7 +150,11 @@ static inline unsigned int sk_filter_len
- return fp->len * sizeof(struct sock_filter) + sizeof(*fp);
- }
-
--extern int sk_filter(struct sock *sk, struct sk_buff *skb);
-+int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
-+static inline int sk_filter(struct sock *sk, struct sk_buff *skb)
-+{
-+ return sk_filter_trim_cap(sk, skb, 1);
-+}
- extern unsigned int sk_run_filter(const struct sk_buff *skb,
- const struct sock_filter *filter);
- extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -64,9 +64,10 @@ static inline void *load_pointer(const s
- }
-
- /**
-- * sk_filter - run a packet through a socket filter
-+ * sk_filter_trim_cap - run a packet through a socket filter
- * @sk: sock associated with &sk_buff
- * @skb: buffer to filter
-+ * @cap: limit on how short the eBPF program may trim the packet
- *
- * Run the filter code and then cut skb->data to correct size returned by
- * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
-@@ -75,7 +76,7 @@ static inline void *load_pointer(const s
- * be accepted or -EPERM if the packet should be tossed.
- *
- */
--int sk_filter(struct sock *sk, struct sk_buff *skb)
-+int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap)
- {
- int err;
- struct sk_filter *filter;
-@@ -88,14 +89,13 @@ int sk_filter(struct sock *sk, struct sk
- filter = rcu_dereference(sk->sk_filter);
- if (filter) {
- unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
--
-- err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
-+ err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM;
- }
- rcu_read_unlock();
-
- return err;
- }
--EXPORT_SYMBOL(sk_filter);
-+EXPORT_SYMBOL(sk_filter_trim_cap);
-
- /**
- * sk_run_filter - run a filter on a socket
---- a/net/rose/rose_in.c
-+++ b/net/rose/rose_in.c
-@@ -165,7 +165,8 @@ static int rose_state3_machine(struct so
- rose_frames_acked(sk, nr);
- if (ns == rose->vr) {
- rose_start_idletimer(sk);
-- if (sock_queue_rcv_skb(sk, skb) == 0) {
-+ if (sk_filter_trim_cap(sk, skb, ROSE_MIN_LEN) == 0 &&
-+ __sock_queue_rcv_skb(sk, skb) == 0) {
- rose->vr = (rose->vr + 1) % ROSE_MODULUS;
- queued = 1;
- } else {
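Review bot: the `net/rose/rose_in.c` hunk calls `__sock_queue_rcv_skb()`, which in this tree comes from the separately deleted `features/all/net-add-__sock_queue_rcv_skb.patch` further down, so the two removals have to land together or the series stops applying. The `@cap` kerneldoc says "eBPF program" although this kernel still runs the classic filter through `SK_RUN_FILTER`, a wording mismatch that disappears with the file. `max(cap, pkt_len)` is type-safe here since both operands are `unsigned int`.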
diff --git a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
deleted file mode 100644
index f6aae13..0000000
--- a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Tue, 25 Oct 2016 14:27:39 -0200
-Subject: sctp: validate chunk len before actually using it
-Origin: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9555
-
-Andrey Konovalov reported that KASAN detected that SCTP was using a slab
-beyond the boundaries. It was caused because when handling out of the
-blue packets in function sctp_sf_ootb() it was checking the chunk len
-only after already processing the first chunk, validating only for the
-2nd and subsequent ones.
-
-The fix is to just move the check upwards so it's also validated for the
-1st chunk.
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: moved code is slightly different]
----
- net/sctp/sm_statefuns.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -3354,6 +3354,12 @@ sctp_disposition_t sctp_sf_ootb(const st
- return sctp_sf_violation_chunklen(ep, asoc, type, arg,
- commands);
-
-+ /* Report violation if chunk len overflows */
-+ ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
-+ if (ch_end > skb_tail_pointer(skb))
-+ return sctp_sf_violation_chunklen(ep, asoc, type, arg,
-+ commands);
-+
- /* Now that we know we at least have a chunk header,
- * do things that are type appropriate.
- */
-@@ -3385,12 +3391,6 @@ sctp_disposition_t sctp_sf_ootb(const st
- }
- }
-
-- /* Report violation if chunk len overflows */
-- ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
-- if (ch_end > skb_tail_pointer(skb))
-- return sctp_sf_violation_chunklen(ep, asoc, type, arg,
-- commands);
--
- ch = (sctp_chunkhdr_t *) ch_end;
- } while (ch_end < skb_tail_pointer(skb));
-
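Review bot: the whole of CVE-2016-9555 is the ordering of the `ch_end` bounds check relative to the first chunk's `switch`, and the bwh note warns that the moved code differs from upstream in 3.2; when dropping this file, confirm that the new base's `sctp_sf_ootb()` computes `ch_end` from `ntohs(ch->length)` and compares it against `skb_tail_pointer(skb)` before acting on the first chunk, not only at the loop tail as the old code did.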
diff --git a/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch b/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
deleted file mode 100644
index 7b45bc1..0000000
--- a/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Calvin Owens <calvinowens at fb.com>
-Date: Fri, 30 Oct 2015 16:57:00 -0700
-Subject: sg: Fix double-free when drives detach during SG_IO
-Origin: https://git.kernel.org/linus/f3951a3709ff50990bf3e188c27d346792103432
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8962
-
-In sg_common_write(), we free the block request and return -ENODEV if
-the device is detached in the middle of the SG_IO ioctl().
-
-Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
-end up freeing rq->cmd in the already free rq object, and then free
-the object itself out from under the current user.
-
-This ends up corrupting random memory via the list_head on the rq
-object. The most common crash trace I saw is this:
-
- ------------[ cut here ]------------
- kernel BUG at block/blk-core.c:1420!
- Call Trace:
- [<ffffffff81281eab>] blk_put_request+0x5b/0x80
- [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
- [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
- [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
- [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
- [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
- [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
- [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
- [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
- [<ffffffff81602afb>] tracesys+0xdd/0xe2
- RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
-
-The solution is straightforward: just set srp->rq to NULL in the
-failure branch so that sg_finish_rem_req() doesn't attempt to re-free
-it.
-
-Additionally, since sg_rq_end_io() will never be called on the object
-when this happens, we need to free memory backing ->cmd if it isn't
-embedded in the object itself.
-
-KASAN was extremely helpful in finding the root cause of this bug.
-
-Signed-off-by: Calvin Owens <calvinowens at fb.com>
-Acked-by: Douglas Gilbert <dgilbert at interlog.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
-[bwh: Backported to 3.2:
- - sg_finish_rem_req() would not free srp->rq->cmd so don't do it here either
- - Adjust context]
----
- drivers/scsi/sg.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -742,8 +742,11 @@ sg_common_write(Sg_fd * sfp, Sg_request
- return k; /* probably out of space --> ENOMEM */
- }
- if (sdp->detached) {
-- if (srp->bio)
-+ if (srp->bio) {
- blk_end_request_all(srp->rq, -EIO);
-+ srp->rq = NULL;
-+ }
-+
- sg_finish_rem_req(srp);
- return -ENODEV;
- }
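Review bot: the backport intentionally omits the upstream part that frees `rq->cmd` (see the bwh note in the header), so the hunk only nulls `srp->rq` inside the `if (srp->bio)` branch; when `srp->bio` is NULL, `srp->rq` is deliberately left for `sg_finish_rem_req()` to release exactly once. Whoever confirms CVE-2015-8962 is covered by the new base should check that its version of `sg_common_write()` matches this handling rather than assume the upstream variant.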
diff --git a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
deleted file mode 100644
index f25980c..0000000
--- a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 16 Dec 2016 13:42:06 -0500
-Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
-Origin: https://git.kernel.org/linus/128394eff343fc6d2f32172f03e24829539c5835
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9576
-
-Both damn things interpret userland pointers embedded into the payload;
-worse, they are actually traversing those. Leaving aside the bad
-API design, this is very much _not_ safe to call with KERNEL_DS.
-Bail out early if that happens.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- block/bsg.c | 3 +++
- drivers/scsi/sg.c | 3 +++
- 2 files changed, 6 insertions(+)
-
---- a/block/bsg.c
-+++ b/block/bsg.c
-@@ -675,6 +675,9 @@ bsg_write(struct file *file, const char
-
- dprintk("%s: write %Zd bytes\n", bd->name, count);
-
-+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-+ return -EINVAL;
-+
- bsg_set_block(bd, file);
-
- bytes_written = 0;
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -544,6 +544,9 @@ sg_write(struct file *filp, const char _
- sg_io_hdr_t *hp;
- unsigned char cmnd[MAX_COMMAND_SIZE];
-
-+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-+ return -EINVAL;
-+
- if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
- return -ENXIO;
- SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",
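Review bot: in the `sg_write()` hunk the `segment_eq(get_fs(), KERNEL_DS)` guard is placed before the `sfp`/`sdp` lookup, so a kernel-space caller gets -EINVAL ahead of the -ENXIO path; that is the intended "bail out early" and mirrors the `bsg_write()` hunk, which also rejects before `bsg_set_block()`. The two sites are fixed independently, so confirming CVE-2016-9576 in the new base means checking both `block/bsg.c` and `drivers/scsi/sg.c`.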
diff --git a/debian/patches/bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch b/debian/patches/bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
deleted file mode 100644
index f55e2a3..0000000
--- a/debian/patches/bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Thu, 10 Nov 2016 13:12:35 -0800
-Subject: tcp: take care of truncations done by sk_filter()
-Origin: https://git.kernel.org/linus/ac6e780070e30e4c35bd395acfe9191e6268bdd3
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8645
-
-With syzkaller help, Marco Grassi found a bug in TCP stack,
-crashing in tcp_collapse()
-
-Root cause is that sk_filter() can truncate the incoming skb,
-but TCP stack was not really expecting this to happen.
-It probably was expecting a simple DROP or ACCEPT behavior.
-
-We first need to make sure no part of TCP header could be removed.
-Then we need to adjust TCP_SKB_CB(skb)->end_seq
-
-Many thanks to syzkaller team and Marco for giving us a reproducer.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Marco Grassi <marco.gra at gmail.com>
-Reported-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- include/net/tcp.h | 1 +
- net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
- net/ipv6/tcp_ipv6.c | 6 ++++--
- 3 files changed, 23 insertions(+), 3 deletions(-)
-
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -966,6 +966,7 @@ static inline int tcp_prequeue(struct so
- return 1;
- }
-
-+int tcp_filter(struct sock *sk, struct sk_buff *skb);
-
- #undef STATE_TRACE
-
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -1647,6 +1647,21 @@ csum_err:
- }
- EXPORT_SYMBOL(tcp_v4_do_rcv);
-
-+int tcp_filter(struct sock *sk, struct sk_buff *skb)
-+{
-+ struct tcphdr *th = (struct tcphdr *)skb->data;
-+ unsigned int eaten = skb->len;
-+ int err;
-+
-+ err = sk_filter_trim_cap(sk, skb, th->doff * 4);
-+ if (!err) {
-+ eaten -= skb->len;
-+ TCP_SKB_CB(skb)->end_seq -= eaten;
-+ }
-+ return err;
-+}
-+EXPORT_SYMBOL(tcp_filter);
-+
- /*
- * From tcp_input.c
- */
-@@ -1709,8 +1724,10 @@ process:
- goto discard_and_relse;
- nf_reset(skb);
-
-- if (sk_filter(sk, skb))
-+ if (tcp_filter(sk, skb))
- goto discard_and_relse;
-+ th = (const struct tcphdr *)skb->data;
-+ iph = ip_hdr(skb);
-
- skb->dev = NULL;
-
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1585,7 +1585,7 @@ static int tcp_v6_do_rcv(struct sock *sk
- goto discard;
- #endif
-
-- if (sk_filter(sk, skb))
-+ if (tcp_filter(sk, skb))
- goto discard;
-
- /*
-@@ -1743,8 +1743,10 @@ process:
- if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
- goto discard_and_relse;
-
-- if (sk_filter(sk, skb))
-+ if (tcp_filter(sk, skb))
- goto discard_and_relse;
-+ th = (const struct tcphdr *)skb->data;
-+ hdr = ipv6_hdr(skb);
-
- skb->dev = NULL;
-
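Review bot: `tcp_filter()` caps the trim at `th->doff * 4`, so a filter can never remove TCP header bytes, and then lowers `end_seq` by the bytes actually eaten; the `tcp_v4_rcv` and `tcp_v6_rcv` hunks re-read `th` and the IP header afterwards because `pskb_trim()` can reallocate and move `skb->data`, but the `tcp_v6_do_rcv` hunk replaces the call without re-reading anything. The visible context does not show whether header pointers are used after that point in `tcp_v6_do_rcv()`; worth a glance in the new base while confirming CVE-2016-8645 is covered.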
diff --git a/debian/patches/bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch b/debian/patches/bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
deleted file mode 100644
index 6b4fc00..0000000
--- a/debian/patches/bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: Peter Hurley <peter at hurleysoftware.com>
-Date: Fri, 27 Nov 2015 14:30:21 -0500
-Subject: tty: Prevent ldisc drivers from re-using stale tty fields
-Origin: https://git.kernel.org/linus/dd42bf1197144ede075a9d4793123f7689e164bc
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8964
-
-Line discipline drivers may mistakenly misuse ldisc-related fields
-when initializing. For example, a failure to initialize tty->receive_room
-in the N_GIGASET_M101 line discipline was recently found and fixed [1].
-Now, the N_X25 line discipline has been discovered accessing the previous
-line discipline's already-freed private data [2].
-
-Harden the ldisc interface against misuse by initializing revelant
-tty fields before instancing the new line discipline.
-
-[1]
- commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
- Author: Tilman Schmidt <tilman at imap.cc>
- Date: Tue Jul 14 00:37:13 2015 +0200
-
- isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
-
-[2] Report from Sasha Levin <sasha.levin at oracle.com>
- [ 634.336761] ==================================================================
- [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
- [ 634.339558] Read of size 4 by task syzkaller_execu/8981
- [ 634.340359] =============================================================================
- [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
- ...
- [ 634.405018] Call Trace:
- [ 634.405277] dump_stack (lib/dump_stack.c:52)
- [ 634.405775] print_trailer (mm/slub.c:655)
- [ 634.406361] object_err (mm/slub.c:662)
- [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
- [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
- [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
- [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
- [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
- [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
- [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
- [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
- [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
-
-Cc: Tilman Schmidt <tilman at imap.cc>
-Cc: Sasha Levin <sasha.levin at oracle.com>
-Signed-off-by: Peter Hurley <peter at hurleysoftware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[bwh: Backported to 3.2: adjust context]
----
- drivers/tty/tty_ldisc.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/tty/tty_ldisc.c
-+++ b/drivers/tty/tty_ldisc.c
-@@ -424,6 +424,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush);
- * they are not on hot paths so a little discipline won't do
- * any harm.
- *
-+ * The line discipline-related tty_struct fields are reset to
-+ * prevent the ldisc driver from re-using stale information for
-+ * the new ldisc instance.
-+ *
- * Locking: takes termios_mutex
- */
-
-@@ -432,6 +436,9 @@ static void tty_set_termios_ldisc(struct
- mutex_lock(&tty->termios_mutex);
- tty->termios->c_line = num;
- mutex_unlock(&tty->termios_mutex);
-+
-+ tty->disc_data = NULL;
-+ tty->receive_room = 0;
- }
-
- /**
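Review bot: the two resets in `tty_set_termios_ldisc()` sit after `termios_mutex` is released rather than inside it, and the kerneldoc added above documents why they exist, so the documentation point is covered; the x25 use-after-free in the quoted report depends specifically on `tty->disc_data` being cleared, so when dropping this file confirm the new base has both the `disc_data = NULL` and the `receive_room = 0` assignments for CVE-2015-8964.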
diff --git a/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
deleted file mode 100644
index 81b5a69..0000000
--- a/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Tue, 10 Jan 2017 12:05:37 +0100
-Subject: USB: serial: kl5kusb105: fix line-state error handling
-Origin: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5549
-
-The current implementation failed to detect short transfers when
-attempting to read the line state, and also, to make things worse,
-logged the content of the uninitialised heap transfer buffer.
-
-Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable <stable at vger.kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-Signed-off-by: Johan Hovold <johan at kernel.org>
----
- drivers/usb/serial/kl5kusb105.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/drivers/usb/serial/kl5kusb105.c
-+++ b/drivers/usb/serial/kl5kusb105.c
-@@ -209,10 +209,11 @@ static int klsi_105_get_line_state(struc
- status_buf, KLSI_STATUSBUF_LEN,
- 10000
- );
-- if (rc < 0)
-- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
-- rc);
-- else {
-+ if (rc != KLSI_STATUSBUF_LEN) {
-+ dev_err(&port->dev, "reading line status failed: %d\n", rc);
-+ if (rc >= 0)
-+ rc = -EIO;
-+ } else {
- status = get_unaligned_le16(status_buf);
-
- dev_info(&port->serial->dev->dev, "read status %x %x",
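Review bot: treating any return other than `KLSI_STATUSBUF_LEN` as an error, and mapping a short but non-negative read to -EIO, is what stops `status_buf` being decoded and logged while uninitialised (CVE-2017-5549); the `dev_info()` that prints the raw status bytes is unchanged and now only reachable after a full read, so the hunk is complete as it stands. Confirm the new base's `klsi_105_get_line_state()` has the `rc != KLSI_STATUSBUF_LEN` test rather than the old `rc < 0` one before removing the patch.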
diff --git a/debian/patches/bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch b/debian/patches/bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch
deleted file mode 100644
index 1ba852c..0000000
--- a/debian/patches/bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Russell King <rmk+kernel at arm.linux.org.uk>
-Date: Wed, 23 Oct 2013 16:14:59 +0100
-Subject: ARM: dma-mapping: don't allow DMA mappings to be marked executable
-Origin: https://git.kernel.org/linux/0ea1ec713f04bdfac343c9702b21cd3a7c711826
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-9888
-
-DMA mapping permissions were being derived from pgprot_kernel directly
-without using PAGE_KERNEL. This causes them to be marked with executable
-permission, which is not what we want. Fix this.
-
-Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/arm/mm/dma-mapping.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/arm/mm/dma-mapping.c
-+++ b/arch/arm/mm/dma-mapping.c
-@@ -374,7 +374,7 @@ dma_alloc_coherent(struct device *dev, s
- return memory;
-
- return __dma_alloc(dev, size, handle, gfp,
-- pgprot_dmacoherent(pgprot_kernel));
-+ pgprot_dmacoherent(PAGE_KERNEL));
- }
- EXPORT_SYMBOL(dma_alloc_coherent);
-
-@@ -386,7 +386,7 @@ void *
- dma_alloc_writecombine(struct device *dev, size_t size, dma_addr_t *handle, gfp_t gfp)
- {
- return __dma_alloc(dev, size, handle, gfp,
-- pgprot_writecombine(pgprot_kernel));
-+ pgprot_writecombine(PAGE_KERNEL));
- }
- EXPORT_SYMBOL(dma_alloc_writecombine);
-
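Review bot: the Origin header in this file reads `https://git.kernel.org/linux/0ea1ec71...` rather than the `.../linus/...` form every other patch here uses; moot once the file is deleted, but a changelog entry for CVE-2014-9888 should cite the commit id rather than this URL. The substance is the `pgprot_kernel` to `PAGE_KERNEL` swap in both `dma_alloc_coherent()` and `dma_alloc_writecombine()`, so DMA mappings stop being executable.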
diff --git a/debian/patches/bugfix/x86/fix-potential-infoleak-in-older-kernels.patch b/debian/patches/bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
deleted file mode 100644
index 34da72b..0000000
--- a/debian/patches/bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From: Linus Torvalds <torvalds at linux-foundation.org>
-Date: Tue, 8 Nov 2016 11:17:00 +0100
-Subject: Fix potential infoleak in older kernels
-Origin: https://git.kernel.org/linus/dc1555e670c373bfa4ca2e1e2f839d5fe2b4501a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9178
-
-Not upstream as it is not needed there.
-
-So a patch something like this might be a safe way to fix the
-potential infoleak in older kernels.
-
-THIS IS UNTESTED. It's a very obvious patch, though, so if it compiles
-it probably works. It just initializes the output variable with 0 in
-the inline asm description, instead of doing it in the exception
-handler.
-
-It will generate slightly worse code (a few unnecessary ALU
-operations), but it doesn't have any interactions with the exception
-handler implementation.
-
-
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[bwh: Backported to 3.2: adjust context]
----
- arch/x86/include/asm/uaccess.h | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/arch/x86/include/asm/uaccess.h
-+++ b/arch/x86/include/asm/uaccess.h
-@@ -347,7 +347,7 @@ do { \
- #define __get_user_asm_u64(x, ptr, retval, errret) \
- __get_user_asm(x, ptr, retval, "q", "", "=r", errret)
- #define __get_user_asm_ex_u64(x, ptr) \
-- __get_user_asm_ex(x, ptr, "q", "", "=r")
-+ __get_user_asm_ex(x, ptr, "q", "", "=&r")
- #endif
-
- #define __get_user_size(x, ptr, size, retval, errret) \
-@@ -389,13 +389,13 @@ do { \
- __chk_user_ptr(ptr); \
- switch (size) { \
- case 1: \
-- __get_user_asm_ex(x, ptr, "b", "b", "=q"); \
-+ __get_user_asm_ex(x, ptr, "b", "b", "=&q"); \
- break; \
- case 2: \
-- __get_user_asm_ex(x, ptr, "w", "w", "=r"); \
-+ __get_user_asm_ex(x, ptr, "w", "w", "=&r"); \
- break; \
- case 4: \
-- __get_user_asm_ex(x, ptr, "l", "k", "=r"); \
-+ __get_user_asm_ex(x, ptr, "l", "k", "=&r"); \
- break; \
- case 8: \
- __get_user_asm_ex_u64(x, ptr); \
-@@ -409,7 +409,7 @@ do { \
- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
- "2:\n" \
- _ASM_EXTABLE(1b, 2b - 1b) \
-- : ltype(x) : "m" (__m(addr)))
-+ : ltype(x) : "m" (__m(addr)), "0" (0))
-
- #define __put_user_nocheck(x, ptr, size) \
- ({ \
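Review bot: the body says "Not upstream as it is not needed there" and "THIS IS UNTESTED", yet the Origin header uses a `/linus/` URL, so the referenced commit is a stable-branch commit rather than a mainline one; the changelog entry for CVE-2016-9178 should say so when this file goes. Technically the hunks pre-zero the output through the `"0" (0)` input and mark each output earlyclobber (`=&r`, `=&q`) so the address operand can never share that register; that is the entire fix and is straightforward to confirm in the new base's `uaccess.h`.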
diff --git a/debian/patches/bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch b/debian/patches/bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
deleted file mode 100644
index 63dde23..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar at redhat.com>
-Date: Wed, 23 Nov 2016 21:15:00 +0100
-Subject: KVM: x86: drop error recovery in em_jmp_far and em_ret_far
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/2117d5398c81554fbf803f5fd1dc55eb78216c0c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9756
-
-em_jmp_far and em_ret_far assumed that setting IP can only fail in 64
-bit mode, but syzkaller proved otherwise (and SDM agrees).
-Code segment was restored upon failure, but it was left uninitialized
-outside of long mode, which could lead to a leak of host kernel stack.
-We could have fixed that by always saving and restoring the CS, but we
-take a simpler approach and just break any guest that manages to fail
-as the error recovery is error-prone and modern CPUs don't need emulator
-for this.
-
-Found by syzkaller:
-
- WARNING: CPU: 2 PID: 3668 at arch/x86/kvm/emulate.c:2217 em_ret_far+0x428/0x480
- Kernel panic - not syncing: panic_on_warn set ...
-
- CPU: 2 PID: 3668 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- [...]
- Call Trace:
- [...] __dump_stack lib/dump_stack.c:15
- [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
- [...] panic+0x1b7/0x3a3 kernel/panic.c:179
- [...] __warn+0x1c4/0x1e0 kernel/panic.c:542
- [...] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
- [...] em_ret_far+0x428/0x480 arch/x86/kvm/emulate.c:2217
- [...] em_ret_far_imm+0x17/0x70 arch/x86/kvm/emulate.c:2227
- [...] x86_emulate_insn+0x87a/0x3730 arch/x86/kvm/emulate.c:5294
- [...] x86_emulate_instruction+0x520/0x1ba0 arch/x86/kvm/x86.c:5545
- [...] emulate_instruction arch/x86/include/asm/kvm_host.h:1116
- [...] complete_emulated_io arch/x86/kvm/x86.c:6870
- [...] complete_emulated_mmio+0x4e9/0x710 arch/x86/kvm/x86.c:6934
- [...] kvm_arch_vcpu_ioctl_run+0x3b7a/0x5a90 arch/x86/kvm/x86.c:6978
- [...] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
- [...] vfs_ioctl fs/ioctl.c:43
- [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
- [...] SYSC_ioctl fs/ioctl.c:694
- [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
- [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Fixes: d1442d85cc30 ("KVM: x86: Handle errors when RIP is set during far jumps")
-Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
-[bwh: Backported to 3.2: adjust context]
----
- arch/x86/kvm/emulate.c | 36 +++++++++++-------------------------
- 1 file changed, 11 insertions(+), 25 deletions(-)
-
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -1699,16 +1699,10 @@ static int em_iret(struct x86_emulate_ct
- static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
- {
- int rc;
-- unsigned short sel, old_sel;
-- struct desc_struct old_desc, new_desc;
-- const struct x86_emulate_ops *ops = ctxt->ops;
-+ unsigned short sel;
-+ struct desc_struct new_desc;
- u8 cpl = ctxt->ops->cpl(ctxt);
-
-- /* Assignment of RIP may only fail in 64-bit mode */
-- if (ctxt->mode == X86EMUL_MODE_PROT64)
-- ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
-- VCPU_SREG_CS);
--
- memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
-
- rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl,
-@@ -1717,12 +1711,10 @@ static int em_jmp_far(struct x86_emulate
- return rc;
-
- rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
-- if (rc != X86EMUL_CONTINUE) {
-- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-- /* assigning eip failed; restore the old cs */
-- ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
-- return rc;
-- }
-+ /* Error handling is not implemented. */
-+ if (rc != X86EMUL_CONTINUE)
-+ return X86EMUL_UNHANDLEABLE;
-+
- return rc;
- }
-
-@@ -1876,14 +1868,8 @@ static int em_ret_far(struct x86_emulate
- {
- int rc;
- unsigned long eip, cs;
-- u16 old_cs;
- int cpl = ctxt->ops->cpl(ctxt);
-- struct desc_struct old_desc, new_desc;
-- const struct x86_emulate_ops *ops = ctxt->ops;
--
-- if (ctxt->mode == X86EMUL_MODE_PROT64)
-- ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
-- VCPU_SREG_CS);
-+ struct desc_struct new_desc;
-
- rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
- if (rc != X86EMUL_CONTINUE)
-@@ -1899,10 +1885,10 @@ static int em_ret_far(struct x86_emulate
- if (rc != X86EMUL_CONTINUE)
- return rc;
- rc = assign_eip_far(ctxt, eip, new_desc.l);
-- if (rc != X86EMUL_CONTINUE) {
-- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-- ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
-- }
-+ /* Error handling is not implemented. */
-+ if (rc != X86EMUL_CONTINUE)
-+ return X86EMUL_UNHANDLEABLE;
-+
- return rc;
- }
-
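Review bot: dropping this backport assumes the stable 3.2.86 pull carries the same em_jmp_far/em_ret_far change (return X86EMUL_UNHANDLEABLE instead of the old CS-restore path), which is worth confirming against arch/x86/kvm/emulate.c after the merge, since the patch carried `Fixes: d1442d85cc30` and was tagged `Cc: stable`. The matching series entry `bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch` is removed in the debian/patches/series hunk, so the patch directory and series stay in sync.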
diff --git a/debian/patches/features/all/net-add-__sock_queue_rcv_skb.patch b/debian/patches/features/all/net-add-__sock_queue_rcv_skb.patch
deleted file mode 100644
index 1456f65..0000000
--- a/debian/patches/features/all/net-add-__sock_queue_rcv_skb.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Thu, 29 Dec 2016 03:06:54 +0000
-Subject: net: Add __sock_queue_rcv_skb()
-Forwarded: not-needed
-
-Extraxcted from commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
-"udp: remove headers from UDP packets before queueing".
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1629,6 +1629,7 @@ extern void sk_reset_timer(struct sock *
-
- extern void sk_stop_timer(struct sock *sk, struct timer_list* timer);
-
-+int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
- extern int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
-
- extern int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb);
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -281,9 +281,8 @@ static void sock_disable_timestamp(struc
- }
-
-
--int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
-+int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
- {
-- int err;
- int skb_len;
- unsigned long flags;
- struct sk_buff_head *list = &sk->sk_receive_queue;
-@@ -294,10 +293,6 @@ int sock_queue_rcv_skb(struct sock *sk,
- return -ENOMEM;
- }
-
-- err = sk_filter(sk, skb);
-- if (err)
-- return err;
--
- if (!sk_rmem_schedule(sk, skb->truesize)) {
- atomic_inc(&sk->sk_drops);
- return -ENOBUFS;
-@@ -327,6 +322,18 @@ int sock_queue_rcv_skb(struct sock *sk,
- sk->sk_data_ready(sk, skb_len);
- return 0;
- }
-+EXPORT_SYMBOL(__sock_queue_rcv_skb);
-+
-+int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
-+{
-+ int err;
-+
-+ err = sk_filter(sk, skb);
-+ if (err)
-+ return err;
-+
-+ return __sock_queue_rcv_skb(sk, skb);
-+}
- EXPORT_SYMBOL(sock_queue_rcv_skb);
-
- int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
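Review bot: this helper was only a prerequisite for the sk_filter trimming fixes (the patch header says it was extracted from e6afc8ace6dd and is `Forwarded: not-needed`), so deleting it is safe only if nothing left in the series still calls `__sock_queue_rcv_skb`. The series hunk removes `rose-limit-sk_filter-trim-to-payload.patch`, `dccp-limit-sk_filter-trim-to-payload.patch` and `tcp-take-care-of-truncations-done-by-sk_filter.patch` alongside `features/all/net-add-__sock_queue_rcv_skb.patch`, so no dangling dependency remains. Note that the header's "Extraxcted" typo goes away with the file; if the patch is ever reinstated, fix the spelling then.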
diff --git a/debian/patches/features/all/rt/0192-rtmutex-futex-prepare-rt.patch.patch b/debian/patches/features/all/rt/0192-rtmutex-futex-prepare-rt.patch.patch
index 1171e5d..e647544 100644
--- a/debian/patches/features/all/rt/0192-rtmutex-futex-prepare-rt.patch.patch
+++ b/debian/patches/features/all/rt/0192-rtmutex-futex-prepare-rt.patch.patch
@@ -10,8 +10,6 @@ Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
kernel/rtmutex_common.h | 2 ++
3 files changed, 90 insertions(+), 18 deletions(-)
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 9dc2c7192b2e..bc35f1cc923f 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1569,6 +1569,16 @@ retry_private:
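Review bot: style point on the refreshed patch header: the `diff --git a/kernel/futex.c` and `index 9dc2c7192b2e..bc35f1cc923f` lines are stripped here, and the same is done for kernel/rtmutex.c and kernel/rtmutex_common.h further down, so the file now uses the uniform `---`/`+++`-only form that quilt refresh emits. The diffstat kept in context (`3 files changed, 90 insertions(+), 18 deletions(-)`) is still accurate because every `+@@` header keeps the same line counts as the `-@@` header it replaces; only function-name context is truncated.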
@@ -31,7 +29,7 @@ index 9dc2c7192b2e..bc35f1cc923f 100644
} else if (ret) {
/* -EDEADLK */
this->pi_state = NULL;
-@@ -2411,7 +2421,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
+@@ -2411,7 +2421,7 @@ static int futex_wait_requeue_pi(u32 __u
struct hrtimer_sleeper timeout, *to = NULL;
struct rt_mutex_waiter rt_waiter;
struct rt_mutex *pi_mutex = NULL;
@@ -40,7 +38,7 @@ index 9dc2c7192b2e..bc35f1cc923f 100644
union futex_key key2 = FUTEX_KEY_INIT;
struct futex_q q = futex_q_init;
int res, ret;
-@@ -2468,20 +2478,55 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
+@@ -2468,20 +2478,55 @@ static int futex_wait_requeue_pi(u32 __u
/* Queue the futex_q, drop the hb lock, wait for wakeup. */
futex_wait_queue_me(hb, &q, to);
@@ -107,7 +105,7 @@ index 9dc2c7192b2e..bc35f1cc923f 100644
/* Check if the requeue code acquired the second futex for us. */
if (!q.rt_waiter) {
-@@ -2490,14 +2535,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
+@@ -2490,14 +2535,15 @@ static int futex_wait_requeue_pi(u32 __u
* did a lock-steal - fix up the PI-state in that case.
*/
if (q.pi_state && (q.pi_state->owner != current)) {
@@ -125,7 +123,7 @@ index 9dc2c7192b2e..bc35f1cc923f 100644
}
} else {
/*
-@@ -2510,7 +2556,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
+@@ -2510,7 +2556,8 @@ static int futex_wait_requeue_pi(u32 __u
ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
debug_rt_mutex_free_waiter(&rt_waiter);
@@ -135,12 +133,10 @@ index 9dc2c7192b2e..bc35f1cc923f 100644
/*
* Fixup the pi_state owner and possibly acquire the lock if we
* haven't already.
-diff --git a/kernel/rtmutex.c b/kernel/rtmutex.c
-index 04595617c43d..10b11b2e884a 100644
--- a/kernel/rtmutex.c
+++ b/kernel/rtmutex.c
-@@ -67,6 +67,11 @@ static void fixup_rt_mutex_waiters(struct rt_mutex *lock)
- clear_rt_mutex_waiters(lock);
+@@ -131,6 +131,11 @@ static void fixup_rt_mutex_waiters(struc
+ ACCESS_ONCE(*p) = owner & ~RT_MUTEX_HAS_WAITERS;
}
+static int rt_mutex_real_waiter(struct rt_mutex_waiter *waiter)
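Review bot: this is the one hunk where the un-fuzz changes a context line rather than just an offset: `- clear_rt_mutex_waiters(lock);` becomes `+ ACCESS_ONCE(*p) = owner & ~RT_MUTEX_HAS_WAITERS;`, meaning fixup_rt_mutex_waiters() was rewritten in 3.2.86 and the `rt_mutex_real_waiter()` helper is now inserted after the new closing brace. Please double-check that the added helper still lands after the whole function and not inside a new inner block. The 64-line offset (67 to 131) matches the shifts in the later rtmutex.c hunks (270 to 334, 525 to 589, 549 to 613, 700 to 764), so the rest of the refresh is a uniform displacement.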
@@ -151,7 +147,7 @@ index 04595617c43d..10b11b2e884a 100644
/*
* We can speed up the acquire/release, if the architecture
* supports cmpxchg and if there's no debugging state to be set up
-@@ -270,7 +275,7 @@ static int rt_mutex_adjust_prio_chain(struct task_struct *task,
+@@ -334,7 +339,7 @@ static int rt_mutex_adjust_prio_chain(st
* reached or the state of the chain has changed while we
* dropped the locks.
*/
@@ -160,7 +156,7 @@ index 04595617c43d..10b11b2e884a 100644
goto out_unlock_pi;
/*
-@@ -525,6 +530,23 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
+@@ -589,6 +594,23 @@ static int task_blocks_on_rt_mutex(struc
return -EDEADLK;
raw_spin_lock_irqsave(&task->pi_lock, flags);
@@ -184,7 +180,7 @@ index 04595617c43d..10b11b2e884a 100644
__rt_mutex_adjust_prio(task);
waiter->task = task;
waiter->lock = lock;
-@@ -549,7 +571,7 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
+@@ -613,7 +635,7 @@ static int task_blocks_on_rt_mutex(struc
plist_add(&waiter->pi_list_entry, &owner->pi_waiters);
__rt_mutex_adjust_prio(owner);
@@ -193,7 +189,7 @@ index 04595617c43d..10b11b2e884a 100644
chain_walk = 1;
} else if (debug_rt_mutex_detect_deadlock(waiter, detect_deadlock)) {
chain_walk = 1;
-@@ -700,7 +722,8 @@ void rt_mutex_adjust_pi(struct task_struct *task)
+@@ -764,7 +786,8 @@ void rt_mutex_adjust_pi(struct task_stru
raw_spin_lock_irqsave(&task->pi_lock, flags);
waiter = task->pi_blocked_on;
@@ -203,11 +199,9 @@ index 04595617c43d..10b11b2e884a 100644
raw_spin_unlock_irqrestore(&task->pi_lock, flags);
return;
}
-diff --git a/kernel/rtmutex_common.h b/kernel/rtmutex_common.h
-index 53a66c85261b..b43d832f4f6f 100644
--- a/kernel/rtmutex_common.h
+++ b/kernel/rtmutex_common.h
-@@ -103,6 +103,8 @@ static inline struct task_struct *rt_mutex_owner(struct rt_mutex *lock)
+@@ -103,6 +103,8 @@ static inline struct task_struct *rt_mut
/*
* PI-futex support (proxy locking functions, etc.):
*/
diff --git a/debian/patches/series b/debian/patches/series
index c75c011..aad22d2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1106,35 +1106,6 @@ features/all/hpsa/0011-hpsa-add-in-P840ar-controller-model-name.patch
bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
-bugfix/all/net-cleanups-in-sock_setsockopt.patch
-bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
-bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
-bugfix/all/perf-fix-race-in-swevent-hash.patch
-bugfix/all/isdn-gigaset-reset-tty-receive_room-when-attaching-s.patch
-bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
-bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
-bugfix/all/hid-core-prevent-out-of-bound-readings.patch
-bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
-bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
-bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
-bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
-bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
-bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
-bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
-features/all/net-add-__sock_queue_rcv_skb.patch
-bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
-bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
-bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
-bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
-bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch
-bugfix/all/media-info-leak-in-__media_device_enum_links.patch
-bugfix/all/perf-fix-perf_event_for_each-to-use-sibling.patch
-bugfix/all/lockdep-silence-warning-if-config_lockdep-isn-t-set.patch
-bugfix/all/perf-fix-event-ctx-locking.patch
-bugfix/all/fbdev-color-map-copying-bounds-checking.patch
-bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
-bugfix/all/perf-do-not-double-free.patch
-bugfix/all/perf-core-fix-concurrent-sys_perf_event_open-vs.-mov.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
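Review bot: every entry removed here should have its patch file deleted in the same commit, otherwise orphaned files remain under debian/patches; the deletions for `features/all/net-add-__sock_queue_rcv_skb.patch` and `bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch` are visible above, but `bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch`, `bugfix/x86/fix-potential-infoleak-in-older-kernels.patch` and `bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch` are worth checking against the full diffstat. Dependency order is preserved: `net-add-__sock_queue_rcv_skb.patch` and the rose/dccp/tcp fixes that build on it are all dropped together.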
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git