Linux v4.4.4
This commit is contained in:
parent
3a54d452cc
commit
d6de1e1a14
|
@ -1,92 +0,0 @@
|
|||
From a1b14d27ed0965838350f1377ff97c93ee383492 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Borkmann <daniel@iogearbox.net>
|
||||
Date: Wed, 10 Feb 2016 16:47:11 +0100
|
||||
Subject: [PATCH] bpf: fix branch offset adjustment on backjumps after patching
|
||||
ctx expansion
|
||||
|
||||
When ctx access is used, the kernel often needs to expand/rewrite
|
||||
instructions, so after that patching, branch offsets have to be
|
||||
adjusted for both forward and backward jumps in the new eBPF program,
|
||||
but for backward jumps it fails to account the delta. Meaning, for
|
||||
example, if the expansion happens exactly on the insn that sits at
|
||||
the jump target, it doesn't fix up the back jump offset.
|
||||
|
||||
Analysis on what the check in adjust_branches() is currently doing:
|
||||
|
||||
/* adjust offset of jmps if necessary */
|
||||
if (i < pos && i + insn->off + 1 > pos)
|
||||
insn->off += delta;
|
||||
else if (i > pos && i + insn->off + 1 < pos)
|
||||
insn->off -= delta;
|
||||
|
||||
First condition (forward jumps):
|
||||
|
||||
Before: After:
|
||||
|
||||
insns[0] insns[0]
|
||||
insns[1] <--- i/insn insns[1] <--- i/insn
|
||||
insns[2] <--- pos insns[P] <--- pos
|
||||
insns[3] insns[P] `------| delta
|
||||
insns[4] <--- target_X insns[P] `-----|
|
||||
insns[5] insns[3]
|
||||
insns[4] <--- target_X
|
||||
insns[5]
|
||||
|
||||
First case is if we cross pos-boundary and the jump instruction was
|
||||
before pos. This is handeled correctly. I.e. if i == pos, then this
|
||||
would mean our jump that we currently check was the patchlet itself
|
||||
that we just injected. Since such patchlets are self-contained and
|
||||
have no awareness of any insns before or after the patched one, the
|
||||
delta is correctly not adjusted. Also, for the second condition in
|
||||
case of i + insn->off + 1 == pos, means we jump to that newly patched
|
||||
instruction, so no offset adjustment are needed. That part is correct.
|
||||
|
||||
Second condition (backward jumps):
|
||||
|
||||
Before: After:
|
||||
|
||||
insns[0] insns[0]
|
||||
insns[1] <--- target_X insns[1] <--- target_X
|
||||
insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y
|
||||
insns[3] insns[P] `------| delta
|
||||
insns[4] <--- i/insn insns[P] `-----|
|
||||
insns[5] insns[3]
|
||||
insns[4] <--- i/insn
|
||||
insns[5]
|
||||
|
||||
Second interesting case is where we cross pos-boundary and the jump
|
||||
instruction was after pos. Backward jump with i == pos would be
|
||||
impossible and pose a bug somewhere in the patchlet, so the first
|
||||
condition checking i > pos is okay only by itself. However, i +
|
||||
insn->off + 1 < pos does not always work as intended to trigger the
|
||||
adjustment. It works when jump targets would be far off where the
|
||||
delta wouldn't matter. But, for example, where the fixed insn->off
|
||||
before pointed to pos (target_Y), it now points to pos + delta, so
|
||||
that additional room needs to be taken into account for the check.
|
||||
This means that i) both tests here need to be adjusted into pos + delta,
|
||||
and ii) for the second condition, the test needs to be <= as pos
|
||||
itself can be a target in the backjump, too.
|
||||
|
||||
Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
|
||||
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
kernel/bpf/verifier.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
|
||||
index d1d3e8f57de9..2e7f7ab739e4 100644
|
||||
--- a/kernel/bpf/verifier.c
|
||||
+++ b/kernel/bpf/verifier.c
|
||||
@@ -2082,7 +2082,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
|
||||
/* adjust offset of jmps if necessary */
|
||||
if (i < pos && i + insn->off + 1 > pos)
|
||||
insn->off += delta;
|
||||
- else if (i > pos && i + insn->off + 1 < pos)
|
||||
+ else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
|
||||
insn->off -= delta;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,68 +0,0 @@
|
|||
From 41ed5ee704b784a4fca02787311d59c243563013 Mon Sep 17 00:00:00 2001
|
||||
From: Jani Nikula <jani.nikula@intel.com>
|
||||
Date: Thu, 7 Jan 2016 10:29:10 +0200
|
||||
Subject: [PATCH] drm/i915: shut up gen8+ SDE irq dmesg noise, again
|
||||
|
||||
We still keep getting
|
||||
|
||||
[ 4.249930] [drm:gen8_irq_handler [i915]] *ERROR* The master control interrupt lied (SDE)!
|
||||
|
||||
This reverts
|
||||
|
||||
commit 820da7ae46332fa709b171eb7ba57cbd023fa6df
|
||||
Author: Jani Nikula <jani.nikula@intel.com>
|
||||
Date: Wed Nov 25 16:47:23 2015 +0200
|
||||
|
||||
Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"
|
||||
|
||||
which in itself is a revert, so this is just doing
|
||||
|
||||
commit 97e5ed1111dcc5300a0f59a55248cd243937a8ab
|
||||
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
Date: Fri Oct 23 10:56:12 2015 +0200
|
||||
|
||||
drm/i915: shut up gen8+ SDE irq dmesg noise
|
||||
|
||||
all over again. I'll stop pretending I understand what's going on like I
|
||||
did when I thought I'd fixed this for good in
|
||||
|
||||
commit 6a39d7c986be4fd18eb019e9cdbf774ec36c9f77
|
||||
Author: Jani Nikula <jani.nikula@intel.com>
|
||||
Date: Wed Nov 25 16:47:22 2015 +0200
|
||||
|
||||
drm/i915: fix the SDE irq dmesg warnings properly
|
||||
|
||||
Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
|
||||
Reference: http://mid.gmane.org/20151213124945.GA5715@nuc-i3427.alporthouse.com
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084
|
||||
Cc: drm-intel-fixes@lists.freedesktop.org
|
||||
Fixes: 820da7ae4633 ("Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"")
|
||||
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
||||
---
|
||||
drivers/gpu/drm/i915/i915_irq.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
|
||||
index 0d228f909dcb..0f42a2782afc 100644
|
||||
--- a/drivers/gpu/drm/i915/i915_irq.c
|
||||
+++ b/drivers/gpu/drm/i915/i915_irq.c
|
||||
@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg)
|
||||
spt_irq_handler(dev, pch_iir);
|
||||
else
|
||||
cpt_irq_handler(dev, pch_iir);
|
||||
- } else
|
||||
- DRM_ERROR("The master control interrupt lied (SDE)!\n");
|
||||
-
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * Like on previous PCH there seems to be something
|
||||
+ * fishy going on with forwarding PCH interrupts.
|
||||
+ */
|
||||
+ DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n");
|
||||
+ }
|
||||
}
|
||||
|
||||
I915_WRITE_FW(GEN8_MASTER_IRQ, GEN8_MASTER_IRQ_CONTROL);
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,116 +0,0 @@
|
|||
From patchwork Wed Feb 24 17:34:43 2016
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: drm/nouveau: platform: Fix deferred probe
|
||||
From: Thierry Reding <thierry.reding@gmail.com>
|
||||
X-Patchwork-Id: 587554
|
||||
Message-Id: <1456335283-22097-1-git-send-email-thierry.reding@gmail.com>
|
||||
To: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: Alexandre Courbot <gnurou@gmail.com>, Nicolas Chauvet <kwizart@gmail.com>,
|
||||
dri-devel@lists.freedesktop.org, linux-tegra@vger.kernel.org
|
||||
Date: Wed, 24 Feb 2016 18:34:43 +0100
|
||||
|
||||
From: Thierry Reding <treding@nvidia.com>
|
||||
|
||||
The error cleanup paths aren't quite correct and will crash upon
|
||||
deferred probe.
|
||||
|
||||
Cc: stable@vger.kernel.org # v4.3+
|
||||
Signed-off-by: Thierry Reding <treding@nvidia.com>
|
||||
Reviewed-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nouveau_platform.c | 2 +-
|
||||
drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 40 ++++++++++++++++------
|
||||
2 files changed, 30 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nouveau_platform.c b/drivers/gpu/drm/nouveau/nouveau_platform.c
|
||||
index 8a70cec59bcd..2dfe58af12e4 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nouveau_platform.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nouveau_platform.c
|
||||
@@ -24,7 +24,7 @@
|
||||
static int nouveau_platform_probe(struct platform_device *pdev)
|
||||
{
|
||||
const struct nvkm_device_tegra_func *func;
|
||||
- struct nvkm_device *device;
|
||||
+ struct nvkm_device *device = NULL;
|
||||
struct drm_device *drm;
|
||||
int ret;
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
|
||||
index 7f8a42721eb2..e7e581d6a8ff 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
|
||||
@@ -252,32 +252,40 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func,
|
||||
|
||||
if (!(tdev = kzalloc(sizeof(*tdev), GFP_KERNEL)))
|
||||
return -ENOMEM;
|
||||
- *pdevice = &tdev->device;
|
||||
+
|
||||
tdev->func = func;
|
||||
tdev->pdev = pdev;
|
||||
tdev->irq = -1;
|
||||
|
||||
tdev->vdd = devm_regulator_get(&pdev->dev, "vdd");
|
||||
- if (IS_ERR(tdev->vdd))
|
||||
- return PTR_ERR(tdev->vdd);
|
||||
+ if (IS_ERR(tdev->vdd)) {
|
||||
+ ret = PTR_ERR(tdev->vdd);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
tdev->rst = devm_reset_control_get(&pdev->dev, "gpu");
|
||||
- if (IS_ERR(tdev->rst))
|
||||
- return PTR_ERR(tdev->rst);
|
||||
+ if (IS_ERR(tdev->rst)) {
|
||||
+ ret = PTR_ERR(tdev->rst);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
tdev->clk = devm_clk_get(&pdev->dev, "gpu");
|
||||
- if (IS_ERR(tdev->clk))
|
||||
- return PTR_ERR(tdev->clk);
|
||||
+ if (IS_ERR(tdev->clk)) {
|
||||
+ ret = PTR_ERR(tdev->clk);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
tdev->clk_pwr = devm_clk_get(&pdev->dev, "pwr");
|
||||
- if (IS_ERR(tdev->clk_pwr))
|
||||
- return PTR_ERR(tdev->clk_pwr);
|
||||
+ if (IS_ERR(tdev->clk_pwr)) {
|
||||
+ ret = PTR_ERR(tdev->clk_pwr);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
nvkm_device_tegra_probe_iommu(tdev);
|
||||
|
||||
ret = nvkm_device_tegra_power_up(tdev);
|
||||
if (ret)
|
||||
- return ret;
|
||||
+ goto remove;
|
||||
|
||||
tdev->gpu_speedo = tegra_sku_info.gpu_speedo_value;
|
||||
ret = nvkm_device_ctor(&nvkm_device_tegra_func, NULL, &pdev->dev,
|
||||
@@ -285,9 +293,19 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func,
|
||||
cfg, dbg, detect, mmio, subdev_mask,
|
||||
&tdev->device);
|
||||
if (ret)
|
||||
- return ret;
|
||||
+ goto powerdown;
|
||||
+
|
||||
+ *pdevice = &tdev->device;
|
||||
|
||||
return 0;
|
||||
+
|
||||
+powerdown:
|
||||
+ nvkm_device_tegra_power_down(tdev);
|
||||
+remove:
|
||||
+ nvkm_device_tegra_remove_iommu(tdev);
|
||||
+free:
|
||||
+ kfree(tdev);
|
||||
+ return ret;
|
||||
}
|
||||
#else
|
||||
int
|
|
@ -1,41 +0,0 @@
|
|||
From 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 Mon Sep 17 00:00:00 2001
|
||||
From: Hariprasad S <hariprasad@chelsio.com>
|
||||
Date: Fri, 11 Dec 2015 13:59:17 +0530
|
||||
Subject: [PATCH] iw_cxgb3: Fix incorrectly returning error on success
|
||||
|
||||
The cxgb3_*_send() functions return NET_XMIT_ values, which are
|
||||
positive integers values. So don't treat positive return values
|
||||
as an error.
|
||||
|
||||
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
|
||||
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
|
||||
Signed-off-by: Doug Ledford <dledford@redhat.com>
|
||||
---
|
||||
drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
|
||||
index cb78b1e9bcd9..f504ba73e5dc 100644
|
||||
--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
|
||||
+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
|
||||
@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en
|
||||
error = l2t_send(tdev, skb, l2e);
|
||||
if (error < 0)
|
||||
kfree_skb(skb);
|
||||
- return error;
|
||||
+ return error < 0 ? error : 0;
|
||||
}
|
||||
|
||||
int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
|
||||
@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
|
||||
error = cxgb3_ofld_send(tdev, skb);
|
||||
if (error < 0)
|
||||
kfree_skb(skb);
|
||||
- return error;
|
||||
+ return error < 0 ? error : 0;
|
||||
}
|
||||
|
||||
static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From a9488dbeccf188f0bd83b9d5704892f2c0f97fdc Mon Sep 17 00:00:00 2001
|
||||
From 3430f2441f7176d543a76aa73ae7315db355a5b0 Mon Sep 17 00:00:00 2001
|
||||
From: Roland McGrath <roland@redhat.com>
|
||||
Date: Mon, 6 Oct 2008 23:03:03 -0700
|
||||
Subject: [PATCH] kbuild: AFTER_LINK
|
||||
|
@ -107,11 +107,11 @@ index 265c0ed..fd90c7d 100644
|
|||
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
|
||||
$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
|
||||
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
|
||||
index dacf71a..72cbefd 100755
|
||||
index ba6c34e..245501e 100755
|
||||
--- a/scripts/link-vmlinux.sh
|
||||
+++ b/scripts/link-vmlinux.sh
|
||||
@@ -65,6 +65,10 @@ vmlinux_link()
|
||||
-lutil -lrt ${1}
|
||||
-lutil -lrt -lpthread ${1}
|
||||
rm -f linux
|
||||
fi
|
||||
+ if [ -n "${AFTER_LINK}" ]; then
|
||||
|
|
41
kernel.spec
41
kernel.spec
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -508,8 +508,6 @@ Patch456: arm64-acpi-drop-expert-patch.patch
|
|||
|
||||
Patch457: ARM-tegra-usb-no-reset.patch
|
||||
|
||||
Patch458: drm-nouveau-platform-Fix-deferred-probe.patch
|
||||
|
||||
Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
|
||||
|
||||
Patch463: arm-i.MX6-Utilite-device-dtb.patch
|
||||
|
@ -602,8 +600,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
|
|||
#rhbz 1288687
|
||||
Patch572: alua_fix.patch
|
||||
|
||||
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#rhbz 1083853
|
||||
Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch
|
||||
|
||||
|
@ -620,35 +616,21 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
|
|||
#rhbz 1255325
|
||||
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
#CVE-2015-8812 rhbz 1303532 1309548
|
||||
Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
|
||||
|
||||
#Known use after free, possibly rhbz 1310579
|
||||
Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch
|
||||
|
||||
#rhbz 1310258
|
||||
Patch655: iommu-fix.patch
|
||||
|
||||
#CVE-2016-2550 rhbz 1311517 1311518
|
||||
Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch
|
||||
|
||||
#rhbz 1310682
|
||||
Patch657: 0001-Test-ata-fix.patch
|
||||
|
||||
Patch658: nouveau-displayoff-fix.patch
|
||||
|
||||
#Mitigates CVE-2013-4312 rhbz 1313428 1313433
|
||||
Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
|
||||
|
||||
#rhbz 1310252 1313318
|
||||
Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
|
||||
|
||||
#rhbz 1314253 1314255
|
||||
Patch661: x86-entry-compat-Add-missing-CLAC-to-entry_INT80_32.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
%endif
|
||||
|
||||
|
@ -1220,8 +1202,6 @@ ApplyPatch arm64-acpi-drop-expert-patch.patch
|
|||
|
||||
ApplyPatch ARM-tegra-usb-no-reset.patch
|
||||
|
||||
ApplyPatch drm-nouveau-platform-Fix-deferred-probe.patch
|
||||
|
||||
ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
|
||||
|
||||
ApplyPatch arm-i.MX6-Utilite-device-dtb.patch
|
||||
|
@ -1330,35 +1310,21 @@ ApplyPatch cfg80211-wext-fix-message-ordering.patch
|
|||
#rhbz 1255325
|
||||
ApplyPatch HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
ApplyPatch bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
#CVE-2015-8812 rhbz 1303532 1309548
|
||||
ApplyPatch iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
|
||||
|
||||
#Known use after free, possibly rhbz 1310579
|
||||
ApplyPatch 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch
|
||||
|
||||
#rhbz 1310258
|
||||
ApplyPatch iommu-fix.patch
|
||||
|
||||
#CVE-2016-2550 rhbz 1311517 1311518
|
||||
ApplyPatch unix-correctly-track-in-flight-fds-in-sending-proces.patch
|
||||
|
||||
#rhbz 1310682
|
||||
ApplyPatch 0001-Test-ata-fix.patch
|
||||
|
||||
ApplyPatch nouveau-displayoff-fix.patch
|
||||
|
||||
#Mitigates CVE-2013-4312 rhbz 1313428 1313433
|
||||
ApplyPatch pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
|
||||
|
||||
#rhbz 1310252 1313318
|
||||
ApplyPatch 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
|
||||
|
||||
#rhbz 1314253 1314255
|
||||
ApplyPatch x86-entry-compat-Add-missing-CLAC-to-entry_INT80_32.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2208,6 +2174,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Mar 03 2016 Laura Abbott <labbott@redhat.com>
|
||||
- Linux v4.4.4
|
||||
|
||||
* Thu Mar 03 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Partial SMAP bypass on 64-bit kernels (rhbz 1314253 1314255)
|
||||
|
||||
|
|
|
@ -1,61 +0,0 @@
|
|||
From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Skeggs <bskeggs@redhat.com>
|
||||
Date: Thu, 18 Feb 2016 08:14:19 +1000
|
||||
Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link
|
||||
training
|
||||
|
||||
This can happen under some annoying circumstances, and is a quick fix
|
||||
until more substantial changes can be made.
|
||||
|
||||
Fixed eDP mode changes on (at least) the Lenovo P50.
|
||||
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
index 74e2f7c..9688970 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w)
|
||||
.outp = outp,
|
||||
}, *dp = &_dp;
|
||||
u32 datarate = 0;
|
||||
+ u8 pwr;
|
||||
int ret;
|
||||
|
||||
if (!outp->base.info.location && disp->func->sor.magic)
|
||||
@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w)
|
||||
/* disable link interrupt handling during link training */
|
||||
nvkm_notify_put(&outp->irq);
|
||||
|
||||
+ /* ensure sink is not in a low-power state */
|
||||
+ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) {
|
||||
+ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) {
|
||||
+ pwr &= ~DPCD_SC00_SET_POWER;
|
||||
+ pwr |= DPCD_SC00_SET_POWER_D0;
|
||||
+ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* enable down-spreading and execute pre-train script from vbios */
|
||||
dp_link_train_init(dp, outp->dpcd[3] & 0x01);
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
index 9596290..6e10c5e 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
@@ -71,5 +71,11 @@
|
||||
#define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c
|
||||
#define DPCD_LS0C_LANE0_POST_CURSOR2 0x03
|
||||
|
||||
+/* DPCD Sink Control */
|
||||
+#define DPCD_SC00 0x00600
|
||||
+#define DPCD_SC00_SET_POWER 0x03
|
||||
+#define DPCD_SC00_SET_POWER_D0 0x01
|
||||
+#define DPCD_SC00_SET_POWER_D3 0x03
|
||||
+
|
||||
void nvkm_dp_train(struct work_struct *);
|
||||
#endif
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
||||
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
||||
078427483ee96f3e072e7b5409b5a117 patch-4.4.3.xz
|
||||
07e9b2c5d0daf7fc2a1ee26a52adcbc0 patch-4.4.4.xz
|
||||
|
|
|
@ -1,159 +0,0 @@
|
|||
From 415e3d3e90ce9e18727e8843ae343eda5a58fad6 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Wed, 3 Feb 2016 02:11:03 +0100
|
||||
Subject: [PATCH] unix: correctly track in-flight fds in sending process
|
||||
user_struct
|
||||
|
||||
The commit referenced in the Fixes tag incorrectly accounted the number
|
||||
of in-flight fds over a unix domain socket to the original opener
|
||||
of the file-descriptor. This allows another process to arbitrary
|
||||
deplete the original file-openers resource limit for the maximum of
|
||||
open files. Instead the sending processes and its struct cred should
|
||||
be credited.
|
||||
|
||||
To do so, we add a reference counted struct user_struct pointer to the
|
||||
scm_fp_list and use it to account for the number of inflight unix fds.
|
||||
|
||||
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
|
||||
Reported-by: David Herrmann <dh.herrmann@gmail.com>
|
||||
Cc: David Herrmann <dh.herrmann@gmail.com>
|
||||
Cc: Willy Tarreau <w@1wt.eu>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/af_unix.h | 4 ++--
|
||||
include/net/scm.h | 1 +
|
||||
net/core/scm.c | 7 +++++++
|
||||
net/unix/af_unix.c | 4 ++--
|
||||
net/unix/garbage.c | 8 ++++----
|
||||
5 files changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
|
||||
index 2a91a0561a47..9b4c418bebd8 100644
|
||||
--- a/include/net/af_unix.h
|
||||
+++ b/include/net/af_unix.h
|
||||
@@ -6,8 +6,8 @@
|
||||
#include <linux/mutex.h>
|
||||
#include <net/sock.h>
|
||||
|
||||
-void unix_inflight(struct file *fp);
|
||||
-void unix_notinflight(struct file *fp);
|
||||
+void unix_inflight(struct user_struct *user, struct file *fp);
|
||||
+void unix_notinflight(struct user_struct *user, struct file *fp);
|
||||
void unix_gc(void);
|
||||
void wait_for_unix_gc(void);
|
||||
struct sock *unix_get_socket(struct file *filp);
|
||||
diff --git a/include/net/scm.h b/include/net/scm.h
|
||||
index 262532d111f5..59fa93c01d2a 100644
|
||||
--- a/include/net/scm.h
|
||||
+++ b/include/net/scm.h
|
||||
@@ -21,6 +21,7 @@ struct scm_creds {
|
||||
struct scm_fp_list {
|
||||
short count;
|
||||
short max;
|
||||
+ struct user_struct *user;
|
||||
struct file *fp[SCM_MAX_FD];
|
||||
};
|
||||
|
||||
diff --git a/net/core/scm.c b/net/core/scm.c
|
||||
index 14596fb37172..2696aefdc148 100644
|
||||
--- a/net/core/scm.c
|
||||
+++ b/net/core/scm.c
|
||||
@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
|
||||
*fplp = fpl;
|
||||
fpl->count = 0;
|
||||
fpl->max = SCM_MAX_FD;
|
||||
+ fpl->user = NULL;
|
||||
}
|
||||
fpp = &fpl->fp[fpl->count];
|
||||
|
||||
@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
|
||||
*fpp++ = file;
|
||||
fpl->count++;
|
||||
}
|
||||
+
|
||||
+ if (!fpl->user)
|
||||
+ fpl->user = get_uid(current_user());
|
||||
+
|
||||
return num;
|
||||
}
|
||||
|
||||
@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm)
|
||||
scm->fp = NULL;
|
||||
for (i=fpl->count-1; i>=0; i--)
|
||||
fput(fpl->fp[i]);
|
||||
+ free_uid(fpl->user);
|
||||
kfree(fpl);
|
||||
}
|
||||
}
|
||||
@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
|
||||
for (i = 0; i < fpl->count; i++)
|
||||
get_file(fpl->fp[i]);
|
||||
new_fpl->max = new_fpl->count;
|
||||
+ new_fpl->user = get_uid(fpl->user);
|
||||
}
|
||||
return new_fpl;
|
||||
}
|
||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
||||
index 49d5093eb055..29be035f9c65 100644
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
UNIXCB(skb).fp = NULL;
|
||||
|
||||
for (i = scm->fp->count-1; i >= 0; i--)
|
||||
- unix_notinflight(scm->fp->fp[i]);
|
||||
+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
|
||||
}
|
||||
|
||||
static void unix_destruct_scm(struct sk_buff *skb)
|
||||
@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
return -ENOMEM;
|
||||
|
||||
for (i = scm->fp->count - 1; i >= 0; i--)
|
||||
- unix_inflight(scm->fp->fp[i]);
|
||||
+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
|
||||
return max_level;
|
||||
}
|
||||
|
||||
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
|
||||
index 8fcdc2283af5..6a0d48525fcf 100644
|
||||
--- a/net/unix/garbage.c
|
||||
+++ b/net/unix/garbage.c
|
||||
@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp)
|
||||
* descriptor if it is for an AF_UNIX socket.
|
||||
*/
|
||||
|
||||
-void unix_inflight(struct file *fp)
|
||||
+void unix_inflight(struct user_struct *user, struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp)
|
||||
}
|
||||
unix_tot_inflight++;
|
||||
}
|
||||
- fp->f_cred->user->unix_inflight++;
|
||||
+ user->unix_inflight++;
|
||||
spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
-void unix_notinflight(struct file *fp)
|
||||
+void unix_notinflight(struct user_struct *user, struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp)
|
||||
list_del_init(&u->link);
|
||||
unix_tot_inflight--;
|
||||
}
|
||||
- fp->f_cred->user->unix_inflight--;
|
||||
+ user->unix_inflight--;
|
||||
spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From 3d44d51bd339766f0178f0cf2e8d048b4a4872aa Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@kernel.org>
|
||||
Date: Wed, 24 Feb 2016 12:18:49 -0800
|
||||
Subject: [PATCH] x86/entry/compat: Add missing CLAC to entry_INT80_32
|
||||
|
||||
This doesn't seem to fix a regression -- I don't think the CLAC was
|
||||
ever there.
|
||||
|
||||
I double-checked in a debugger: entries through the int80 gate do
|
||||
not automatically clear AC.
|
||||
|
||||
Stable maintainers: I can provide a backport to 4.3 and earlier if
|
||||
needed. This needs to be backported all the way to 3.10.
|
||||
|
||||
Reported-by: Brian Gerst <brgerst@gmail.com>
|
||||
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: Denys Vlasenko <dvlasenk@redhat.com>
|
||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: <stable@vger.kernel.org> # v3.10 and later
|
||||
Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user space access")
|
||||
Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
arch/x86/entry/entry_64_compat.S | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
|
||||
index ff1c6d61f332..3c990eeee40b 100644
|
||||
--- a/arch/x86/entry/entry_64_compat.S
|
||||
+++ b/arch/x86/entry/entry_64_compat.S
|
||||
@@ -261,6 +261,7 @@ ENTRY(entry_INT80_compat)
|
||||
* Interrupts are off on entry.
|
||||
*/
|
||||
PARAVIRT_ADJUST_EXCEPTION_FRAME
|
||||
+ ASM_CLAC /* Do this early to minimize exposure */
|
||||
SWAPGS
|
||||
|
||||
/*
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue