Linux v4.14.17
This commit is contained in:
parent
34149598a0
commit
6fdd3afab7
10
kernel.spec
10
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 16
|
||||
%define stable_update 17
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -603,8 +603,6 @@ Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe
|
|||
# bcm2837 bluetooth support
|
||||
Patch323: bcm2837-bluetooth-support.patch
|
||||
|
||||
Patch324: rpi-graphics-fix.patch
|
||||
|
||||
# Generic fixes and enablement for Socionext SoC and 96board
|
||||
# https://patchwork.kernel.org/patch/9980861/
|
||||
Patch331: PCI-aspm-deal-with-missing-root-ports-in-link-state-handling.patch
|
||||
|
@ -621,9 +619,6 @@ Patch335: arm-exynos-fix-usb3.patch
|
|||
# rbhz 1519591 1520764
|
||||
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# CVE-2018-5344 rhbz 1533909 1533911
|
||||
Patch507: loop-fix-concurrent-lo_open-lo_release.patch
|
||||
|
||||
# 550-600 Meltdown and Spectre Fixes
|
||||
Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
|
||||
|
||||
|
@ -2243,6 +2238,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Feb 05 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.17-200
|
||||
- Linux v4.14.17
|
||||
|
||||
* Wed Jan 31 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.16-200
|
||||
- Linux v4.14.16
|
||||
|
||||
|
|
|
@ -1,55 +0,0 @@
|
|||
From ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Fri, 5 Jan 2018 16:26:00 -0800
|
||||
Subject: [PATCH] loop: fix concurrent lo_open/lo_release
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
|
||||
The reason is due to insufficient serialization in lo_release(), which
|
||||
will continue to use the loop device even after it has decremented the
|
||||
lo_refcnt to zero.
|
||||
|
||||
In the meantime, another process can come in, open the loop device
|
||||
again as it is being shut down. Confusion ensues.
|
||||
|
||||
Reported-by: 范龙飞 <long7573@126.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||
---
|
||||
drivers/block/loop.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
|
||||
index bc8e61506968..d5fe720cf149 100644
|
||||
--- a/drivers/block/loop.c
|
||||
+++ b/drivers/block/loop.c
|
||||
@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
|
||||
return err;
|
||||
}
|
||||
|
||||
-static void lo_release(struct gendisk *disk, fmode_t mode)
|
||||
+static void __lo_release(struct loop_device *lo)
|
||||
{
|
||||
- struct loop_device *lo = disk->private_data;
|
||||
int err;
|
||||
|
||||
if (atomic_dec_return(&lo->lo_refcnt))
|
||||
@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
|
||||
mutex_unlock(&lo->lo_ctl_mutex);
|
||||
}
|
||||
|
||||
+static void lo_release(struct gendisk *disk, fmode_t mode)
|
||||
+{
|
||||
+ mutex_lock(&loop_index_mutex);
|
||||
+ __lo_release(disk->private_data);
|
||||
+ mutex_unlock(&loop_index_mutex);
|
||||
+}
|
||||
+
|
||||
static const struct block_device_operations lo_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = lo_open,
|
||||
--
|
||||
2.15.1
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From 253696ccd613fbdaa5aba1de44c461a058e0a114 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Schake <stschake@gmail.com>
|
||||
Date: Fri, 10 Nov 2017 02:05:06 +0100
|
||||
Subject: drm/vc4: Account for interrupts in flight
|
||||
|
||||
Synchronously disable the IRQ to make the following cancel_work_sync
|
||||
invocation effective.
|
||||
|
||||
An interrupt in flight could enqueue further overflow mem work. As we
|
||||
free the binner BO immediately following vc4_irq_uninstall this caused
|
||||
a NULL pointer dereference in the work callback vc4_overflow_mem_work.
|
||||
|
||||
Link: https://github.com/anholt/linux/issues/114
|
||||
Signed-off-by: Stefan Schake <stschake@gmail.com>
|
||||
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||
Reviewed-by: Eric Anholt <eric@anholt.net>
|
||||
Link: https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com
|
||||
|
||||
diff --git a/drivers/gpu/drm/vc4/vc4_irq.c b/drivers/gpu/drm/vc4/vc4_irq.c
|
||||
index 7d7af3a..61b2e53 100644
|
||||
--- a/drivers/gpu/drm/vc4/vc4_irq.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_irq.c
|
||||
@@ -208,6 +208,9 @@ vc4_irq_postinstall(struct drm_device *dev)
|
||||
{
|
||||
struct vc4_dev *vc4 = to_vc4_dev(dev);
|
||||
|
||||
+ /* Undo the effects of a previous vc4_irq_uninstall. */
|
||||
+ enable_irq(dev->irq);
|
||||
+
|
||||
/* Enable both the render done and out of memory interrupts. */
|
||||
V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
|
||||
|
||||
@@ -225,6 +228,9 @@ vc4_irq_uninstall(struct drm_device *dev)
|
||||
/* Clear any pending interrupts we might have left. */
|
||||
V3D_WRITE(V3D_INTCTL, V3D_DRIVER_IRQS);
|
||||
|
||||
+ /* Finish any interrupt handler still in flight. */
|
||||
+ disable_irq(dev->irq);
|
||||
+
|
||||
cancel_work_sync(&vc4->overflow_mem_work);
|
||||
}
|
||||
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
|
||||
SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
|
||||
SHA512 (patch-4.14.16.xz) = 7ba492011915a356ea696a6ae2269ff85725f726f6dd382973ceb417ac3289c7b4384bdffbde8ddea04b386126e07a3ea3aacf18253db4fcbc461e7c7e75d371
|
||||
SHA512 (patch-4.14.17.xz) = fd785f0ab864ef4d2b18041183d867fb3a00e6d8718cb016d61a5c6de9f29f6653678ae6cc72593224da3e1bc44cc061d285a2f426ca1d62b4eb571549c440e3
|
||||
|
|
Loading…
Reference in New Issue