Linux v4.1.4
This commit is contained in:
parent
359ba4a5a5
commit
e7a2da13e8
|
@ -1,45 +0,0 @@
|
|||
From 3881b164810a564714dfdc16520b0fe538ae4bf7 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 27 Jul 2015 15:23:43 +0100
|
||||
Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
|
||||
|
||||
__key_link_end is not freeing the associated array edit structure
|
||||
and this leads to a 512 byte memory leak each time an identical
|
||||
existing key is added with add_key().
|
||||
|
||||
The reason the add_key() system call returns okay is that
|
||||
key_create_or_update() calls __key_link_begin() before checking to see
|
||||
whether it can update a key directly rather than adding/replacing - which
|
||||
it turns out it can. Thus __key_link() is not called through
|
||||
__key_instantiate_and_link() and __key_link_end() must cancel the edit.
|
||||
|
||||
CVE-2015-1333
|
||||
|
||||
Signed-off-by: Colin Ian King <colin.king@canonical.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/keys/keyring.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
|
||||
index e72548b5897e..d33437007ad2 100644
|
||||
--- a/security/keys/keyring.c
|
||||
+++ b/security/keys/keyring.c
|
||||
@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
|
||||
if (index_key->type == &key_type_keyring)
|
||||
up_write(&keyring_serialise_link_sem);
|
||||
|
||||
- if (edit && !edit->dead_leaf) {
|
||||
- key_payload_reserve(keyring,
|
||||
- keyring->datalen - KEYQUOTA_LINK_BYTES);
|
||||
+ if (edit) {
|
||||
+ if (!edit->dead_leaf) {
|
||||
+ key_payload_reserve(keyring,
|
||||
+ keyring->datalen - KEYQUOTA_LINK_BYTES);
|
||||
+ }
|
||||
assoc_array_cancel_edit(edit);
|
||||
}
|
||||
up_write(&keyring->sem);
|
||||
--
|
||||
2.4.3
|
||||
|
|
@ -1,104 +0,0 @@
|
|||
If there are too many pending per work I/O, too many
|
||||
high priority work thread can be generated so that
|
||||
system performance can be effected.
|
||||
|
||||
This patch limits the max pending per work I/O as 16,
|
||||
and will fackback to single queue mode when the max
|
||||
number is reached.
|
||||
|
||||
This patch fixes Fedora 22 live booting performance
|
||||
regression when it is booted from squashfs over dm
|
||||
based on loop, and looks the following reasons are
|
||||
related with the problem:
|
||||
|
||||
- not like other filesyststems(such as ext4), squashfs
|
||||
is a bit special, and I observed that increasing I/O jobs
|
||||
to access file in squashfs only improve I/O performance a
|
||||
little, but it can make big difference for ext4
|
||||
|
||||
- nested loop: both squashfs.img and ext3fs.img are mounted
|
||||
as loop block, and ext3fs.img is inside the squashfs
|
||||
|
||||
- during booting, lots of tasks may run concurrently
|
||||
|
||||
Fixes: b5dd2f6047ca108001328aac0e8588edd15f1778
|
||||
Cc: stable@vger.kernel.org (v4.0)
|
||||
Reported-by: Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
Signed-off-by: Ming Lei <ming.lei@canonical.com>
|
||||
---
|
||||
drivers/block/loop.c | 19 +++++++++++++++++--
|
||||
drivers/block/loop.h | 2 ++
|
||||
2 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
|
||||
index ae3fcb4..5a728c6 100644
|
||||
--- a/drivers/block/loop.c
|
||||
+++ b/drivers/block/loop.c
|
||||
@@ -1425,13 +1425,24 @@ static int loop_queue_rq(struct blk_mq_hw_ctx *hctx,
|
||||
const struct blk_mq_queue_data *bd)
|
||||
{
|
||||
struct loop_cmd *cmd = blk_mq_rq_to_pdu(bd->rq);
|
||||
+ struct loop_device *lo = cmd->rq->q->queuedata;
|
||||
+ bool single_queue = !!(cmd->rq->cmd_flags & REQ_WRITE);
|
||||
+
|
||||
+ /*
|
||||
+ * Fallback to single queue mode if the pending per work
|
||||
+ * I/O number reaches 16, otherwise too many high priority
|
||||
+ * worker thread may effect system performance as reported
|
||||
+ * in fedora live booting from squashfs over loop.
|
||||
+ */
|
||||
+ if (atomic_read(&lo->pending_per_work_io) >= 16)
|
||||
+ single_queue = true;
|
||||
|
||||
blk_mq_start_request(bd->rq);
|
||||
|
||||
- if (cmd->rq->cmd_flags & REQ_WRITE) {
|
||||
- struct loop_device *lo = cmd->rq->q->queuedata;
|
||||
+ if (single_queue) {
|
||||
bool need_sched = true;
|
||||
|
||||
+ cmd->per_work_io = false;
|
||||
spin_lock_irq(&lo->lo_lock);
|
||||
if (lo->write_started)
|
||||
need_sched = false;
|
||||
@@ -1443,6 +1454,8 @@ static int loop_queue_rq(struct blk_mq_hw_ctx *hctx,
|
||||
if (need_sched)
|
||||
queue_work(loop_wq, &lo->write_work);
|
||||
} else {
|
||||
+ atomic_inc(&lo->pending_per_work_io);
|
||||
+ cmd->per_work_io = true;
|
||||
queue_work(loop_wq, &cmd->read_work);
|
||||
}
|
||||
|
||||
@@ -1467,6 +1480,8 @@ static void loop_handle_cmd(struct loop_cmd *cmd)
|
||||
if (ret)
|
||||
cmd->rq->errors = -EIO;
|
||||
blk_mq_complete_request(cmd->rq);
|
||||
+ if (cmd->per_work_io)
|
||||
+ atomic_dec(&lo->pending_per_work_io);
|
||||
}
|
||||
|
||||
static void loop_queue_write_work(struct work_struct *work)
|
||||
diff --git a/drivers/block/loop.h b/drivers/block/loop.h
|
||||
index 301c27f..eb855f5 100644
|
||||
--- a/drivers/block/loop.h
|
||||
+++ b/drivers/block/loop.h
|
||||
@@ -57,6 +57,7 @@ struct loop_device {
|
||||
struct list_head write_cmd_head;
|
||||
struct work_struct write_work;
|
||||
bool write_started;
|
||||
+ atomic_t pending_per_work_io;
|
||||
int lo_state;
|
||||
struct mutex lo_ctl_mutex;
|
||||
|
||||
@@ -68,6 +69,7 @@ struct loop_device {
|
||||
struct loop_cmd {
|
||||
struct work_struct read_work;
|
||||
struct request *rq;
|
||||
+ bool per_work_io;
|
||||
struct list_head list;
|
||||
};
|
||||
|
||||
--
|
||||
1.9.1
|
25
kernel.spec
25
kernel.spec
|
@ -40,7 +40,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -52,7 +52,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -599,12 +599,6 @@ Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
|
|||
#rhbz 1212230
|
||||
Patch26176: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
|
||||
|
||||
#rhbz 1210857
|
||||
Patch26192: blk-loop-avoid-too-many-pending-per-work-IO.patch
|
||||
|
||||
#rhbz 1220118
|
||||
Patch26202: media-Fix-regression-in-some-more-dib0700-based-devi.patch
|
||||
|
||||
Patch26203: v4l-uvcvideo-Fix-incorrect-bandwidth-with-Chicony-de.patch
|
||||
|
||||
#rhbz 1217249
|
||||
|
@ -631,9 +625,6 @@ Patch26251: ideapad_laptop-Lenovo-G50-30-fix-rfkill-reports-wire.patch
|
|||
# rhbz 1180920 1206724
|
||||
Patch26252: pcmcia-fix-a-boot-time-warning-in-pcmcia-cs-code.patch
|
||||
|
||||
#CVE-2015-1333 rhbz 1244171
|
||||
Patch26253: KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch
|
||||
|
||||
# CVE-2015-3290 CVE-2015-3291 rhbz 1243465 1245927
|
||||
Patch26254: x86-asm-entry-64-Remove-pointless-jump-to-irq_return.patch
|
||||
Patch26255: x86-entry-Stop-using-PER_CPU_VAR-kernel_stack.patch
|
||||
|
@ -1357,12 +1348,6 @@ ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
|
|||
#rhbz 1212230
|
||||
ApplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
|
||||
|
||||
#rhbz 1210857
|
||||
ApplyPatch blk-loop-avoid-too-many-pending-per-work-IO.patch
|
||||
|
||||
#rhbz 1220118
|
||||
ApplyPatch media-Fix-regression-in-some-more-dib0700-based-devi.patch
|
||||
|
||||
ApplyPatch v4l-uvcvideo-Fix-incorrect-bandwidth-with-Chicony-de.patch
|
||||
|
||||
#rhbz 1217249
|
||||
|
@ -1394,9 +1379,6 @@ ApplyPatch ideapad_laptop-Lenovo-G50-30-fix-rfkill-reports-wire.patch
|
|||
# rhbz 1180920 1206724
|
||||
ApplyPatch pcmcia-fix-a-boot-time-warning-in-pcmcia-cs-code.patch
|
||||
|
||||
#CVE-2015-1333 rhbz 1244171
|
||||
ApplyPatch KEYS-ensure-we-free-the-assoc-array-edit-if-edit-is-.patch
|
||||
|
||||
# CVE-2015-3290 CVE-2015-3291 rhbz 1243465 1245927
|
||||
ApplyPatch x86-asm-entry-64-Remove-pointless-jump-to-irq_return.patch
|
||||
ApplyPatch x86-entry-Stop-using-PER_CPU_VAR-kernel_stack.patch
|
||||
|
@ -2258,6 +2240,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Aug 03 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.1.4-200
|
||||
- Linux v4.1.4
|
||||
|
||||
* Wed Jul 29 2015 Laura Abbott <labbott@redhat.com> - 4.1.3-201
|
||||
- tag and build for CVE fixes
|
||||
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
From: Thomas Reitmayr <treitmayr@devbase.at>
|
||||
Date: Fri, 1 May 2015 20:18:04 -0300
|
||||
Subject: [PATCH] media: Fix regression in some more dib0700 based devices
|
||||
|
||||
Fix an oops during device initialization by correctly setting size_of_priv
|
||||
instead of leaving it 0.
|
||||
The regression was introduced by 8abe4a0a3f6d4217b16a ("[media] dib7000:
|
||||
export just one symbol") and only fixed for one type of dib0700 based
|
||||
devices in 9e334c75642b6e5bfb95 ("[media] Fix regression in some dib0700
|
||||
based devices").
|
||||
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=92301
|
||||
|
||||
Fixes: 8abe4a0a3f6d4217b16a ("[media] dib7000: export just one symbol")
|
||||
|
||||
Cc: stable@vger.kernel.org # for version 3.17+
|
||||
Signed-off-by: Thomas Reitmayr <treitmayr@devbase.at>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/usb/dvb-usb/dib0700_devices.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
index e1757b8f5f5d..6aa4e9f4e441 100644
|
||||
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
@@ -3947,6 +3947,8 @@ struct dvb_usb_device_properties dib0700_devices[] = {
|
||||
|
||||
DIB0700_DEFAULT_STREAMING_CONFIG(0x02),
|
||||
}},
|
||||
+ .size_of_priv = sizeof(struct
|
||||
+ dib0700_adapter_state),
|
||||
}, {
|
||||
.num_frontends = 1,
|
||||
.fe = {{
|
||||
@@ -3959,6 +3961,8 @@ struct dvb_usb_device_properties dib0700_devices[] = {
|
||||
|
||||
DIB0700_DEFAULT_STREAMING_CONFIG(0x03),
|
||||
}},
|
||||
+ .size_of_priv = sizeof(struct
|
||||
+ dib0700_adapter_state),
|
||||
}
|
||||
},
|
||||
|
||||
@@ -4012,6 +4016,8 @@ struct dvb_usb_device_properties dib0700_devices[] = {
|
||||
|
||||
DIB0700_DEFAULT_STREAMING_CONFIG(0x02),
|
||||
}},
|
||||
+ .size_of_priv = sizeof(struct
|
||||
+ dib0700_adapter_state),
|
||||
},
|
||||
},
|
||||
|
Loading…
Reference in New Issue