Linux v4.4.3
- Fix automounting behavior of ATA drives (rhbz 1310682) - Fix suspend blacklight blanking behavior
This commit is contained in:
parent
9c7527faa4
commit
046b8e2419
|
@ -0,0 +1,27 @@
|
|||
From bb4d91481dd2122351866e500b46cff9399f579d Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Thu, 25 Feb 2016 11:40:07 -0800
|
||||
Subject: [PATCH] Test ata fix
|
||||
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
drivers/ata/libahci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
|
||||
index 1f225cc..998c6a8 100644
|
||||
--- a/drivers/ata/libahci.c
|
||||
+++ b/drivers/ata/libahci.c
|
||||
@@ -1142,8 +1142,7 @@ static void ahci_port_init(struct device *dev, struct ata_port *ap,
|
||||
|
||||
/* mark esata ports */
|
||||
tmp = readl(port_mmio + PORT_CMD);
|
||||
- if ((tmp & PORT_CMD_HPCP) ||
|
||||
- ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS)))
|
||||
+ if ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS))
|
||||
ap->pflags |= ATA_PFLAG_EXTERNAL;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From 6544a1df11c48c8413071aac3316792e4678fbfb Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Mon, 11 Jan 2016 17:35:38 -0800
|
||||
Subject: [PATCH] Input: elantech - mark protocols v2 and v3 as semi-mt
|
||||
|
||||
When using a protocol v2 or v3 hardware, elantech uses the function
|
||||
elantech_report_semi_mt_data() to report data. This devices are rather
|
||||
creepy because if num_finger is 3, (x2,y2) is (0,0). Yes, only one valid
|
||||
touch is reported.
|
||||
|
||||
Anyway, userspace (libinput) is now confused by these (0,0) touches,
|
||||
and detect them as palm, and rejects them.
|
||||
|
||||
Commit 3c0213d17a09 ("Input: elantech - fix semi-mt protocol for v3 HW")
|
||||
was sufficient enough for xf86-input-synaptics and libinput before it has
|
||||
palm rejection. Now we need to actually tell libinput that this device is
|
||||
a semi-mt one and it should not rely on the actual values of the 2 touches.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
||||
---
|
||||
drivers/input/mouse/elantech.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
|
||||
index 537ebb0e193a..78f93cf68840 100644
|
||||
--- a/drivers/input/mouse/elantech.c
|
||||
+++ b/drivers/input/mouse/elantech.c
|
||||
@@ -1222,7 +1222,7 @@ static int elantech_set_input_params(struct psmouse *psmouse)
|
||||
input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2,
|
||||
ETP_WMAX_V2, 0, 0);
|
||||
}
|
||||
- input_mt_init_slots(dev, 2, 0);
|
||||
+ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT);
|
||||
input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0);
|
||||
input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0);
|
||||
break;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001
|
||||
From: Mike Kravetz <mike.kravetz@oracle.com>
|
||||
Date: Fri, 15 Jan 2016 16:57:37 -0800
|
||||
Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
|
||||
|
||||
Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
|
||||
argument end is of type pgoff_t. It was being converted to a vaddr
|
||||
offset and passed to unmap_hugepage_range. However, end was also being
|
||||
used as an argument to the vma_interval_tree_foreach controlling loop.
|
||||
In addition, the conversion of end to vaddr offset was incorrect.
|
||||
|
||||
hugetlb_vmtruncate_list is called as part of a file truncate or
|
||||
fallocate hole punch operation.
|
||||
|
||||
When truncating a hugetlbfs file, this bug could prevent some pages from
|
||||
being unmapped. This is possible if there are multiple vmas mapping the
|
||||
file, and there is a sufficiently sized hole between the mappings. The
|
||||
size of the hole between two vmas (A,B) must be such that the starting
|
||||
virtual address of B is greater than (ending virtual address of A <<
|
||||
PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
|
||||
pages are not properly unmapped during truncate, the following BUG is
|
||||
hit:
|
||||
|
||||
kernel BUG at fs/hugetlbfs/inode.c:428!
|
||||
|
||||
In the fallocate hole punch case, this bug could prevent pages from
|
||||
being unmapped as in the truncate case. However, for hole punch the
|
||||
result is that unmapped pages will not be removed during the operation.
|
||||
For hole punch, it is also possible that more pages than desired will be
|
||||
unmapped. This unnecessary unmapping will cause page faults to
|
||||
reestablish the mappings on subsequent page access.
|
||||
|
||||
Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
|
||||
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
|
||||
Cc: Hugh Dickins <hughd@google.com>
|
||||
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
|
||||
Cc: Davidlohr Bueso <dave@stgolabs.net>
|
||||
Cc: Dave Hansen <dave.hansen@linux.intel.com>
|
||||
Cc: <stable@vger.kernel.org> [4.3]
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/hugetlbfs/inode.c | 19 +++++++++++--------
|
||||
1 file changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
|
||||
index bbc333b01ca3..9c07d2d754c9 100644
|
||||
--- a/fs/hugetlbfs/inode.c
|
||||
+++ b/fs/hugetlbfs/inode.c
|
||||
@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
|
||||
*/
|
||||
vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
|
||||
unsigned long v_offset;
|
||||
+ unsigned long v_end;
|
||||
|
||||
/*
|
||||
* Can the expression below overflow on 32-bit arches?
|
||||
@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
|
||||
else
|
||||
v_offset = 0;
|
||||
|
||||
- if (end) {
|
||||
- end = ((end - start) << PAGE_SHIFT) +
|
||||
- vma->vm_start + v_offset;
|
||||
- if (end > vma->vm_end)
|
||||
- end = vma->vm_end;
|
||||
- } else
|
||||
- end = vma->vm_end;
|
||||
+ if (!end)
|
||||
+ v_end = vma->vm_end;
|
||||
+ else {
|
||||
+ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT)
|
||||
+ + vma->vm_start;
|
||||
+ if (v_end > vma->vm_end)
|
||||
+ v_end = vma->vm_end;
|
||||
+ }
|
||||
|
||||
- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
|
||||
+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
|
||||
+ NULL);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
22
kernel.spec
22
kernel.spec
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 301
|
||||
%global baserelease 300
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 2
|
||||
%define stable_update 3
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -596,9 +596,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
|
|||
#rhbz 1288687
|
||||
Patch572: alua_fix.patch
|
||||
|
||||
#CVE-2015-8709 rhbz 1295287 1295288
|
||||
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||
|
||||
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#rhbz 1083853
|
||||
|
@ -617,15 +614,9 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
|
|||
#rhbz 1255325
|
||||
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||
|
||||
#CVE-2016-0617 rhbz 1305803 1305804
|
||||
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
#rhbz 1306987
|
||||
Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
|
||||
|
||||
#CVE-2015-8812 rhbz 1303532 1309548
|
||||
Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
|
||||
|
||||
|
@ -638,6 +629,10 @@ Patch655: iommu-fix.patch
|
|||
#CVE-2016-2550 rhbz 1311517 1311518
|
||||
Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch
|
||||
|
||||
#rhbz 1310682
|
||||
Patch657: 0001-Test-ata-fix.patch
|
||||
|
||||
Patch658: nouveau-displayoff-fix.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2081,6 +2076,11 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Feb 26 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.3-300
|
||||
- Linux v4.4.3
|
||||
- Fix automounting behavior of ATA drives (rhbz 1310682)
|
||||
- Fix suspend blacklight blanking behavior
|
||||
|
||||
* Thu Feb 25 2016 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Fix deferred nouveau module loading on tegra
|
||||
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Skeggs <bskeggs@redhat.com>
|
||||
Date: Thu, 18 Feb 2016 08:14:19 +1000
|
||||
Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link
|
||||
training
|
||||
|
||||
This can happen under some annoying circumstances, and is a quick fix
|
||||
until more substantial changes can be made.
|
||||
|
||||
Fixed eDP mode changes on (at least) the Lenovo P50.
|
||||
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
index 74e2f7c..9688970 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w)
|
||||
.outp = outp,
|
||||
}, *dp = &_dp;
|
||||
u32 datarate = 0;
|
||||
+ u8 pwr;
|
||||
int ret;
|
||||
|
||||
if (!outp->base.info.location && disp->func->sor.magic)
|
||||
@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w)
|
||||
/* disable link interrupt handling during link training */
|
||||
nvkm_notify_put(&outp->irq);
|
||||
|
||||
+ /* ensure sink is not in a low-power state */
|
||||
+ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) {
|
||||
+ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) {
|
||||
+ pwr &= ~DPCD_SC00_SET_POWER;
|
||||
+ pwr |= DPCD_SC00_SET_POWER_D0;
|
||||
+ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* enable down-spreading and execute pre-train script from vbios */
|
||||
dp_link_train_init(dp, outp->dpcd[3] & 0x01);
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
index 9596290..6e10c5e 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
@@ -71,5 +71,11 @@
|
||||
#define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c
|
||||
#define DPCD_LS0C_LANE0_POST_CURSOR2 0x03
|
||||
|
||||
+/* DPCD Sink Control */
|
||||
+#define DPCD_SC00 0x00600
|
||||
+#define DPCD_SC00_SET_POWER 0x03
|
||||
+#define DPCD_SC00_SET_POWER_D0 0x01
|
||||
+#define DPCD_SC00_SET_POWER_D3 0x03
|
||||
+
|
||||
void nvkm_dp_train(struct work_struct *);
|
||||
#endif
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
|
@ -1,108 +0,0 @@
|
|||
From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001
|
||||
From: Jann Horn <jann@thejh.net>
|
||||
Date: Sat, 26 Dec 2015 03:52:31 +0100
|
||||
Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids
|
||||
|
||||
ptrace_has_cap() checks whether the current process should be
|
||||
treated as having a certain capability for ptrace checks
|
||||
against another process. Until now, this was equivalent to
|
||||
has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
|
||||
|
||||
However, if a root-owned process wants to enter a user
|
||||
namespace for some reason without knowing who owns it and
|
||||
therefore can't change to the namespace owner's uid and gid
|
||||
before entering, as soon as it has entered the namespace,
|
||||
the namespace owner can attach to it via ptrace and thereby
|
||||
gain access to its uid and gid.
|
||||
|
||||
While it is possible for the entering process to switch to
|
||||
the uid of a claimed namespace owner before entering,
|
||||
causing the attempt to enter to fail if the claimed uid is
|
||||
wrong, this doesn't solve the problem of determining an
|
||||
appropriate gid.
|
||||
|
||||
With this change, the entering process can first enter the
|
||||
namespace and then safely inspect the namespace's
|
||||
properties, e.g. through /proc/self/{uid_map,gid_map},
|
||||
assuming that the namespace owner doesn't have access to
|
||||
uid 0.
|
||||
|
||||
Changed in v2: The caller needs to be capable in the
|
||||
namespace into which tcred's uids/gids can be mapped.
|
||||
|
||||
Signed-off-by: Jann Horn <jann@thejh.net>
|
||||
---
|
||||
kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
|
||||
1 file changed, 28 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
|
||||
index 787320de68e0..407c382b45c8 100644
|
||||
--- a/kernel/ptrace.c
|
||||
+++ b/kernel/ptrace.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <linux/uio.h>
|
||||
#include <linux/audit.h>
|
||||
#include <linux/pid_namespace.h>
|
||||
+#include <linux/user_namespace.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/regset.h>
|
||||
@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
|
||||
+static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
|
||||
{
|
||||
+ struct user_namespace *tns = tcred->user_ns;
|
||||
+
|
||||
+ /* When a root-owned process enters a user namespace created by a
|
||||
+ * malicious user, the user shouldn't be able to execute code under
|
||||
+ * uid 0 by attaching to the root-owned process via ptrace.
|
||||
+ * Therefore, similar to the capable_wrt_inode_uidgid() check,
|
||||
+ * verify that all the uids and gids of the target process are
|
||||
+ * mapped into a namespace below the current one in which the caller
|
||||
+ * is capable.
|
||||
+ * No fsuid/fsgid check because __ptrace_may_access doesn't do it
|
||||
+ * either.
|
||||
+ */
|
||||
+ while (
|
||||
+ !kuid_has_mapping(tns, tcred->euid) ||
|
||||
+ !kuid_has_mapping(tns, tcred->suid) ||
|
||||
+ !kuid_has_mapping(tns, tcred->uid) ||
|
||||
+ !kgid_has_mapping(tns, tcred->egid) ||
|
||||
+ !kgid_has_mapping(tns, tcred->sgid) ||
|
||||
+ !kgid_has_mapping(tns, tcred->gid)) {
|
||||
+ tns = tns->parent;
|
||||
+ }
|
||||
+
|
||||
if (mode & PTRACE_MODE_NOAUDIT)
|
||||
- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
|
||||
+ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
|
||||
else
|
||||
- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
|
||||
+ return has_ns_capability(current, tns, CAP_SYS_PTRACE);
|
||||
}
|
||||
|
||||
/* Returns 0 on success, -errno on denial. */
|
||||
@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
||||
gid_eq(cred->gid, tcred->sgid) &&
|
||||
gid_eq(cred->gid, tcred->gid))
|
||||
goto ok;
|
||||
- if (ptrace_has_cap(tcred->user_ns, mode))
|
||||
+ if (ptrace_has_cap(tcred, mode))
|
||||
goto ok;
|
||||
rcu_read_unlock();
|
||||
return -EPERM;
|
||||
@@ -252,7 +275,7 @@ ok:
|
||||
dumpable = get_dumpable(task->mm);
|
||||
rcu_read_lock();
|
||||
if (dumpable != SUID_DUMP_USER &&
|
||||
- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
|
||||
+ !ptrace_has_cap(__task_cred(task), mode)) {
|
||||
rcu_read_unlock();
|
||||
return -EPERM;
|
||||
}
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue