Merge branch 'f23' of ssh://pkgs.fedoraproject.org/kernel into f23-pf
This commit is contained in:
commit
f28d83846e
|
@ -0,0 +1,27 @@
|
|||
From bb4d91481dd2122351866e500b46cff9399f579d Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Thu, 25 Feb 2016 11:40:07 -0800
|
||||
Subject: [PATCH] Test ata fix
|
||||
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
drivers/ata/libahci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
|
||||
index 1f225cc..998c6a8 100644
|
||||
--- a/drivers/ata/libahci.c
|
||||
+++ b/drivers/ata/libahci.c
|
||||
@@ -1142,8 +1142,7 @@ static void ahci_port_init(struct device *dev, struct ata_port *ap,
|
||||
|
||||
/* mark esata ports */
|
||||
tmp = readl(port_mmio + PORT_CMD);
|
||||
- if ((tmp & PORT_CMD_HPCP) ||
|
||||
- ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS)))
|
||||
+ if ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS))
|
||||
ap->pflags |= ATA_PFLAG_EXTERNAL;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
From 07197eb61cfabc153846b1ae9d080a5d6c449d12 Mon Sep 17 00:00:00 2001
|
||||
From: "Du, Changbin" <changbin.du@intel.com>
|
||||
Date: Mon, 22 Feb 2016 10:08:36 +0800
|
||||
Subject: [PATCH] usb: hub: fix panic in usb_reset_and_verify_device
|
||||
|
||||
Signed-off-by: Du, Changbin <changbin.du@intel.com>
|
||||
---
|
||||
drivers/usb/core/hub.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
|
||||
index 350dcd9..045f951 100644
|
||||
--- a/drivers/usb/core/hub.c
|
||||
+++ b/drivers/usb/core/hub.c
|
||||
@@ -5501,8 +5501,10 @@ done:
|
||||
return 0;
|
||||
|
||||
re_enumerate:
|
||||
- usb_release_bos_descriptor(udev);
|
||||
- udev->bos = bos;
|
||||
+ if (udev->bos != bos) {
|
||||
+ usb_release_bos_descriptor(udev);
|
||||
+ udev->bos = bos;
|
||||
+ }
|
||||
re_enumerate_no_bos:
|
||||
/* LPM state doesn't matter when we're about to destroy the device. */
|
||||
hub_port_logical_disconnect(parent_hub, port1);
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From 6544a1df11c48c8413071aac3316792e4678fbfb Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Date: Mon, 11 Jan 2016 17:35:38 -0800
|
||||
Subject: [PATCH] Input: elantech - mark protocols v2 and v3 as semi-mt
|
||||
|
||||
When using a protocol v2 or v3 hardware, elantech uses the function
|
||||
elantech_report_semi_mt_data() to report data. This devices are rather
|
||||
creepy because if num_finger is 3, (x2,y2) is (0,0). Yes, only one valid
|
||||
touch is reported.
|
||||
|
||||
Anyway, userspace (libinput) is now confused by these (0,0) touches,
|
||||
and detect them as palm, and rejects them.
|
||||
|
||||
Commit 3c0213d17a09 ("Input: elantech - fix semi-mt protocol for v3 HW")
|
||||
was sufficient enough for xf86-input-synaptics and libinput before it has
|
||||
palm rejection. Now we need to actually tell libinput that this device is
|
||||
a semi-mt one and it should not rely on the actual values of the 2 touches.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
|
||||
---
|
||||
drivers/input/mouse/elantech.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
|
||||
index 537ebb0e193a..78f93cf68840 100644
|
||||
--- a/drivers/input/mouse/elantech.c
|
||||
+++ b/drivers/input/mouse/elantech.c
|
||||
@@ -1222,7 +1222,7 @@ static int elantech_set_input_params(struct psmouse *psmouse)
|
||||
input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2,
|
||||
ETP_WMAX_V2, 0, 0);
|
||||
}
|
||||
- input_mt_init_slots(dev, 2, 0);
|
||||
+ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT);
|
||||
input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0);
|
||||
input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0);
|
||||
break;
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,116 @@
|
|||
From patchwork Wed Feb 24 17:34:43 2016
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: drm/nouveau: platform: Fix deferred probe
|
||||
From: Thierry Reding <thierry.reding@gmail.com>
|
||||
X-Patchwork-Id: 587554
|
||||
Message-Id: <1456335283-22097-1-git-send-email-thierry.reding@gmail.com>
|
||||
To: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: Alexandre Courbot <gnurou@gmail.com>, Nicolas Chauvet <kwizart@gmail.com>,
|
||||
dri-devel@lists.freedesktop.org, linux-tegra@vger.kernel.org
|
||||
Date: Wed, 24 Feb 2016 18:34:43 +0100
|
||||
|
||||
From: Thierry Reding <treding@nvidia.com>
|
||||
|
||||
The error cleanup paths aren't quite correct and will crash upon
|
||||
deferred probe.
|
||||
|
||||
Cc: stable@vger.kernel.org # v4.3+
|
||||
Signed-off-by: Thierry Reding <treding@nvidia.com>
|
||||
Reviewed-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
|
||||
---
|
||||
drivers/gpu/drm/nouveau/nouveau_platform.c | 2 +-
|
||||
drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 40 ++++++++++++++++------
|
||||
2 files changed, 30 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nouveau_platform.c b/drivers/gpu/drm/nouveau/nouveau_platform.c
|
||||
index 8a70cec59bcd..2dfe58af12e4 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nouveau_platform.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nouveau_platform.c
|
||||
@@ -24,7 +24,7 @@
|
||||
static int nouveau_platform_probe(struct platform_device *pdev)
|
||||
{
|
||||
const struct nvkm_device_tegra_func *func;
|
||||
- struct nvkm_device *device;
|
||||
+ struct nvkm_device *device = NULL;
|
||||
struct drm_device *drm;
|
||||
int ret;
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
|
||||
index 7f8a42721eb2..e7e581d6a8ff 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
|
||||
@@ -252,32 +252,40 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func,
|
||||
|
||||
if (!(tdev = kzalloc(sizeof(*tdev), GFP_KERNEL)))
|
||||
return -ENOMEM;
|
||||
- *pdevice = &tdev->device;
|
||||
+
|
||||
tdev->func = func;
|
||||
tdev->pdev = pdev;
|
||||
tdev->irq = -1;
|
||||
|
||||
tdev->vdd = devm_regulator_get(&pdev->dev, "vdd");
|
||||
- if (IS_ERR(tdev->vdd))
|
||||
- return PTR_ERR(tdev->vdd);
|
||||
+ if (IS_ERR(tdev->vdd)) {
|
||||
+ ret = PTR_ERR(tdev->vdd);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
tdev->rst = devm_reset_control_get(&pdev->dev, "gpu");
|
||||
- if (IS_ERR(tdev->rst))
|
||||
- return PTR_ERR(tdev->rst);
|
||||
+ if (IS_ERR(tdev->rst)) {
|
||||
+ ret = PTR_ERR(tdev->rst);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
tdev->clk = devm_clk_get(&pdev->dev, "gpu");
|
||||
- if (IS_ERR(tdev->clk))
|
||||
- return PTR_ERR(tdev->clk);
|
||||
+ if (IS_ERR(tdev->clk)) {
|
||||
+ ret = PTR_ERR(tdev->clk);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
tdev->clk_pwr = devm_clk_get(&pdev->dev, "pwr");
|
||||
- if (IS_ERR(tdev->clk_pwr))
|
||||
- return PTR_ERR(tdev->clk_pwr);
|
||||
+ if (IS_ERR(tdev->clk_pwr)) {
|
||||
+ ret = PTR_ERR(tdev->clk_pwr);
|
||||
+ goto free;
|
||||
+ }
|
||||
|
||||
nvkm_device_tegra_probe_iommu(tdev);
|
||||
|
||||
ret = nvkm_device_tegra_power_up(tdev);
|
||||
if (ret)
|
||||
- return ret;
|
||||
+ goto remove;
|
||||
|
||||
tdev->gpu_speedo = tegra_sku_info.gpu_speedo_value;
|
||||
ret = nvkm_device_ctor(&nvkm_device_tegra_func, NULL, &pdev->dev,
|
||||
@@ -285,9 +293,19 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func,
|
||||
cfg, dbg, detect, mmio, subdev_mask,
|
||||
&tdev->device);
|
||||
if (ret)
|
||||
- return ret;
|
||||
+ goto powerdown;
|
||||
+
|
||||
+ *pdevice = &tdev->device;
|
||||
|
||||
return 0;
|
||||
+
|
||||
+powerdown:
|
||||
+ nvkm_device_tegra_power_down(tdev);
|
||||
+remove:
|
||||
+ nvkm_device_tegra_remove_iommu(tdev);
|
||||
+free:
|
||||
+ kfree(tdev);
|
||||
+ return ret;
|
||||
}
|
||||
#else
|
||||
int
|
|
@ -1,86 +0,0 @@
|
|||
From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001
|
||||
From: Mike Kravetz <mike.kravetz@oracle.com>
|
||||
Date: Fri, 15 Jan 2016 16:57:37 -0800
|
||||
Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
|
||||
|
||||
Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
|
||||
argument end is of type pgoff_t. It was being converted to a vaddr
|
||||
offset and passed to unmap_hugepage_range. However, end was also being
|
||||
used as an argument to the vma_interval_tree_foreach controlling loop.
|
||||
In addition, the conversion of end to vaddr offset was incorrect.
|
||||
|
||||
hugetlb_vmtruncate_list is called as part of a file truncate or
|
||||
fallocate hole punch operation.
|
||||
|
||||
When truncating a hugetlbfs file, this bug could prevent some pages from
|
||||
being unmapped. This is possible if there are multiple vmas mapping the
|
||||
file, and there is a sufficiently sized hole between the mappings. The
|
||||
size of the hole between two vmas (A,B) must be such that the starting
|
||||
virtual address of B is greater than (ending virtual address of A <<
|
||||
PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
|
||||
pages are not properly unmapped during truncate, the following BUG is
|
||||
hit:
|
||||
|
||||
kernel BUG at fs/hugetlbfs/inode.c:428!
|
||||
|
||||
In the fallocate hole punch case, this bug could prevent pages from
|
||||
being unmapped as in the truncate case. However, for hole punch the
|
||||
result is that unmapped pages will not be removed during the operation.
|
||||
For hole punch, it is also possible that more pages than desired will be
|
||||
unmapped. This unnecessary unmapping will cause page faults to
|
||||
reestablish the mappings on subsequent page access.
|
||||
|
||||
Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
|
||||
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
|
||||
Cc: Hugh Dickins <hughd@google.com>
|
||||
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
|
||||
Cc: Davidlohr Bueso <dave@stgolabs.net>
|
||||
Cc: Dave Hansen <dave.hansen@linux.intel.com>
|
||||
Cc: <stable@vger.kernel.org> [4.3]
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/hugetlbfs/inode.c | 19 +++++++++++--------
|
||||
1 file changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
|
||||
index bbc333b01ca3..9c07d2d754c9 100644
|
||||
--- a/fs/hugetlbfs/inode.c
|
||||
+++ b/fs/hugetlbfs/inode.c
|
||||
@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
|
||||
*/
|
||||
vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
|
||||
unsigned long v_offset;
|
||||
+ unsigned long v_end;
|
||||
|
||||
/*
|
||||
* Can the expression below overflow on 32-bit arches?
|
||||
@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
|
||||
else
|
||||
v_offset = 0;
|
||||
|
||||
- if (end) {
|
||||
- end = ((end - start) << PAGE_SHIFT) +
|
||||
- vma->vm_start + v_offset;
|
||||
- if (end > vma->vm_end)
|
||||
- end = vma->vm_end;
|
||||
- } else
|
||||
- end = vma->vm_end;
|
||||
+ if (!end)
|
||||
+ v_end = vma->vm_end;
|
||||
+ else {
|
||||
+ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT)
|
||||
+ + vma->vm_start;
|
||||
+ if (v_end > vma->vm_end)
|
||||
+ v_end = vma->vm_end;
|
||||
+ }
|
||||
|
||||
- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
|
||||
+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
|
||||
+ NULL);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -0,0 +1,92 @@
|
|||
From b91309eedd77374fdecc379942c44f903e2dedff Mon Sep 17 00:00:00 2001
|
||||
From: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
|
||||
Date: Tue, 23 Feb 2016 13:03:30 +0100
|
||||
Subject: [PATCH] iommu/amd: Fix boot warning when device 00:00.0 is not iommu
|
||||
covered
|
||||
|
||||
The setup code for the performance counters in the AMD IOMMU driver
|
||||
tests whether the counters can be written. It tests to setup a counter
|
||||
for device 00:00.0, which fails on systems where this particular device
|
||||
is not covered by the IOMMU.
|
||||
|
||||
Fix this by not relying on device 00:00.0 but only on the IOMMU being
|
||||
present.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
|
||||
Signed-off-by: Joerg Roedel <jroedel@suse.de>
|
||||
---
|
||||
drivers/iommu/amd_iommu_init.c | 34 ++++++++++++++++++++++------------
|
||||
1 file changed, 22 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
|
||||
index 013bdff..d06a6d9 100644
|
||||
--- a/drivers/iommu/amd_iommu_init.c
|
||||
+++ b/drivers/iommu/amd_iommu_init.c
|
||||
@@ -228,6 +228,10 @@ static int amd_iommu_enable_interrupts(void);
|
||||
static int __init iommu_go_to_state(enum iommu_init_state state);
|
||||
static void init_device_table_dma(void);
|
||||
|
||||
+static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu,
|
||||
+ u8 bank, u8 cntr, u8 fxn,
|
||||
+ u64 *value, bool is_write);
|
||||
+
|
||||
static inline void update_last_devid(u16 devid)
|
||||
{
|
||||
if (devid > amd_iommu_last_bdf)
|
||||
@@ -1142,8 +1146,8 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu)
|
||||
amd_iommu_pc_present = true;
|
||||
|
||||
/* Check if the performance counters can be written to */
|
||||
- if ((0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val, true)) ||
|
||||
- (0 != amd_iommu_pc_get_set_reg_val(0, 0, 0, 0, &val2, false)) ||
|
||||
+ if ((0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val, true)) ||
|
||||
+ (0 != iommu_pc_get_set_reg_val(iommu, 0, 0, 0, &val2, false)) ||
|
||||
(val != val2)) {
|
||||
pr_err("AMD-Vi: Unable to write to IOMMU perf counter.\n");
|
||||
amd_iommu_pc_present = false;
|
||||
@@ -2283,22 +2287,15 @@ u8 amd_iommu_pc_get_max_counters(u16 devid)
|
||||
}
|
||||
EXPORT_SYMBOL(amd_iommu_pc_get_max_counters);
|
||||
|
||||
-int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn,
|
||||
+static int iommu_pc_get_set_reg_val(struct amd_iommu *iommu,
|
||||
+ u8 bank, u8 cntr, u8 fxn,
|
||||
u64 *value, bool is_write)
|
||||
{
|
||||
- struct amd_iommu *iommu;
|
||||
u32 offset;
|
||||
u32 max_offset_lim;
|
||||
|
||||
- /* Make sure the IOMMU PC resource is available */
|
||||
- if (!amd_iommu_pc_present)
|
||||
- return -ENODEV;
|
||||
-
|
||||
- /* Locate the iommu associated with the device ID */
|
||||
- iommu = amd_iommu_rlookup_table[devid];
|
||||
-
|
||||
/* Check for valid iommu and pc register indexing */
|
||||
- if (WARN_ON((iommu == NULL) || (fxn > 0x28) || (fxn & 7)))
|
||||
+ if (WARN_ON((fxn > 0x28) || (fxn & 7)))
|
||||
return -ENODEV;
|
||||
|
||||
offset = (u32)(((0x40|bank) << 12) | (cntr << 8) | fxn);
|
||||
@@ -2322,3 +2319,16 @@ int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn,
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL(amd_iommu_pc_get_set_reg_val);
|
||||
+
|
||||
+int amd_iommu_pc_get_set_reg_val(u16 devid, u8 bank, u8 cntr, u8 fxn,
|
||||
+ u64 *value, bool is_write)
|
||||
+{
|
||||
+ struct amd_iommu *iommu = amd_iommu_rlookup_table[devid];
|
||||
+
|
||||
+ /* Make sure the IOMMU PC resource is available */
|
||||
+ if (!amd_iommu_pc_present || iommu == NULL)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ return iommu_pc_get_set_reg_val(iommu, bank, cntr, fxn,
|
||||
+ value, is_write);
|
||||
+}
|
||||
--
|
||||
1.8.4.5
|
43
kernel.spec
43
kernel.spec
|
@ -52,8 +52,12 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
<<<<<<< HEAD
|
||||
#+Hu Pf against 4.4.2(?) v4.4-pf5: https://pf.natalenko.name/news/?p=157
|
||||
%define stable_update 2
|
||||
=======
|
||||
%define stable_update 3
|
||||
>>>>>>> 046b8e241965544e2e53642a573eb5c4c7a517c8
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -508,6 +512,8 @@ Patch456: arm64-acpi-drop-expert-patch.patch
|
|||
|
||||
Patch457: ARM-tegra-usb-no-reset.patch
|
||||
|
||||
Patch458: drm-nouveau-platform-Fix-deferred-probe.patch
|
||||
|
||||
Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
|
||||
|
||||
Patch463: arm-i.MX6-Utilite-device-dtb.patch
|
||||
|
@ -600,9 +606,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
|
|||
#rhbz 1288687
|
||||
Patch572: alua_fix.patch
|
||||
|
||||
#CVE-2015-8709 rhbz 1295287 1295288
|
||||
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||
|
||||
Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
|
||||
|
||||
#rhbz 1083853
|
||||
|
@ -643,18 +646,25 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
|
|||
#rhbz 1255325
|
||||
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||
|
||||
#CVE-2016-0617 rhbz 1305803 1305804
|
||||
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||
|
||||
#CVE-2016-2383 rhbz 1308452 1308453
|
||||
Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
|
||||
#rhbz 1306987
|
||||
Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
|
||||
|
||||
#CVE-2015-8812 rhbz 1303532 1309548
|
||||
Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
|
||||
|
||||
#Known use after free, possibly rhbz 1310579
|
||||
Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch
|
||||
|
||||
#rhbz 1310258
|
||||
Patch655: iommu-fix.patch
|
||||
|
||||
#CVE-2016-2550 rhbz 1311517 1311518
|
||||
Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch
|
||||
|
||||
#rhbz 1310682
|
||||
Patch657: 0001-Test-ata-fix.patch
|
||||
|
||||
Patch658: nouveau-displayoff-fix.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2103,6 +2113,21 @@ fi
|
|||
# and build.
|
||||
#
|
||||
%changelog
|
||||
* Fri Feb 26 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.3-300
|
||||
- Linux v4.4.3
|
||||
- Fix automounting behavior of ATA drives (rhbz 1310682)
|
||||
- Fix suspend blacklight blanking behavior
|
||||
|
||||
* Thu Feb 25 2016 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Fix deferred nouveau module loading on tegra
|
||||
|
||||
* Wed Feb 24 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-2550 af_unix: incorrect accounting on in-flight fds (rhbz 1311517 1311518)
|
||||
|
||||
* Tue Feb 23 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.2-301
|
||||
- Fix a known use after free issue in the USB hub code
|
||||
- Fix AMD IOMMU warning spew on every boot (rhbz 1310258)
|
||||
|
||||
* Mon Feb 22 2016 Pavel Alexeev <Pahan@Hubbitus.info> - 4.4.2-300.hu.1.pf5
|
||||
- Merge upstream changes. Step to 4.4.2!
|
||||
- Update pf patch to v4.4-pf5
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Skeggs <bskeggs@redhat.com>
|
||||
Date: Thu, 18 Feb 2016 08:14:19 +1000
|
||||
Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link
|
||||
training
|
||||
|
||||
This can happen under some annoying circumstances, and is a quick fix
|
||||
until more substantial changes can be made.
|
||||
|
||||
Fixed eDP mode changes on (at least) the Lenovo P50.
|
||||
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
index 74e2f7c..9688970 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
|
||||
@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w)
|
||||
.outp = outp,
|
||||
}, *dp = &_dp;
|
||||
u32 datarate = 0;
|
||||
+ u8 pwr;
|
||||
int ret;
|
||||
|
||||
if (!outp->base.info.location && disp->func->sor.magic)
|
||||
@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w)
|
||||
/* disable link interrupt handling during link training */
|
||||
nvkm_notify_put(&outp->irq);
|
||||
|
||||
+ /* ensure sink is not in a low-power state */
|
||||
+ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) {
|
||||
+ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) {
|
||||
+ pwr &= ~DPCD_SC00_SET_POWER;
|
||||
+ pwr |= DPCD_SC00_SET_POWER_D0;
|
||||
+ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* enable down-spreading and execute pre-train script from vbios */
|
||||
dp_link_train_init(dp, outp->dpcd[3] & 0x01);
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
index 9596290..6e10c5e 100644
|
||||
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
|
||||
@@ -71,5 +71,11 @@
|
||||
#define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c
|
||||
#define DPCD_LS0C_LANE0_POST_CURSOR2 0x03
|
||||
|
||||
+/* DPCD Sink Control */
|
||||
+#define DPCD_SC00 0x00600
|
||||
+#define DPCD_SC00_SET_POWER 0x03
|
||||
+#define DPCD_SC00_SET_POWER_D0 0x01
|
||||
+#define DPCD_SC00_SET_POWER_D3 0x03
|
||||
+
|
||||
void nvkm_dp_train(struct work_struct *);
|
||||
#endif
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
|
@ -1,108 +0,0 @@
|
|||
From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001
|
||||
From: Jann Horn <jann@thejh.net>
|
||||
Date: Sat, 26 Dec 2015 03:52:31 +0100
|
||||
Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids
|
||||
|
||||
ptrace_has_cap() checks whether the current process should be
|
||||
treated as having a certain capability for ptrace checks
|
||||
against another process. Until now, this was equivalent to
|
||||
has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
|
||||
|
||||
However, if a root-owned process wants to enter a user
|
||||
namespace for some reason without knowing who owns it and
|
||||
therefore can't change to the namespace owner's uid and gid
|
||||
before entering, as soon as it has entered the namespace,
|
||||
the namespace owner can attach to it via ptrace and thereby
|
||||
gain access to its uid and gid.
|
||||
|
||||
While it is possible for the entering process to switch to
|
||||
the uid of a claimed namespace owner before entering,
|
||||
causing the attempt to enter to fail if the claimed uid is
|
||||
wrong, this doesn't solve the problem of determining an
|
||||
appropriate gid.
|
||||
|
||||
With this change, the entering process can first enter the
|
||||
namespace and then safely inspect the namespace's
|
||||
properties, e.g. through /proc/self/{uid_map,gid_map},
|
||||
assuming that the namespace owner doesn't have access to
|
||||
uid 0.
|
||||
|
||||
Changed in v2: The caller needs to be capable in the
|
||||
namespace into which tcred's uids/gids can be mapped.
|
||||
|
||||
Signed-off-by: Jann Horn <jann@thejh.net>
|
||||
---
|
||||
kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
|
||||
1 file changed, 28 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
|
||||
index 787320de68e0..407c382b45c8 100644
|
||||
--- a/kernel/ptrace.c
|
||||
+++ b/kernel/ptrace.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <linux/uio.h>
|
||||
#include <linux/audit.h>
|
||||
#include <linux/pid_namespace.h>
|
||||
+#include <linux/user_namespace.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/regset.h>
|
||||
@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
|
||||
+static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
|
||||
{
|
||||
+ struct user_namespace *tns = tcred->user_ns;
|
||||
+
|
||||
+ /* When a root-owned process enters a user namespace created by a
|
||||
+ * malicious user, the user shouldn't be able to execute code under
|
||||
+ * uid 0 by attaching to the root-owned process via ptrace.
|
||||
+ * Therefore, similar to the capable_wrt_inode_uidgid() check,
|
||||
+ * verify that all the uids and gids of the target process are
|
||||
+ * mapped into a namespace below the current one in which the caller
|
||||
+ * is capable.
|
||||
+ * No fsuid/fsgid check because __ptrace_may_access doesn't do it
|
||||
+ * either.
|
||||
+ */
|
||||
+ while (
|
||||
+ !kuid_has_mapping(tns, tcred->euid) ||
|
||||
+ !kuid_has_mapping(tns, tcred->suid) ||
|
||||
+ !kuid_has_mapping(tns, tcred->uid) ||
|
||||
+ !kgid_has_mapping(tns, tcred->egid) ||
|
||||
+ !kgid_has_mapping(tns, tcred->sgid) ||
|
||||
+ !kgid_has_mapping(tns, tcred->gid)) {
|
||||
+ tns = tns->parent;
|
||||
+ }
|
||||
+
|
||||
if (mode & PTRACE_MODE_NOAUDIT)
|
||||
- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
|
||||
+ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
|
||||
else
|
||||
- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
|
||||
+ return has_ns_capability(current, tns, CAP_SYS_PTRACE);
|
||||
}
|
||||
|
||||
/* Returns 0 on success, -errno on denial. */
|
||||
@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
||||
gid_eq(cred->gid, tcred->sgid) &&
|
||||
gid_eq(cred->gid, tcred->gid))
|
||||
goto ok;
|
||||
- if (ptrace_has_cap(tcred->user_ns, mode))
|
||||
+ if (ptrace_has_cap(tcred, mode))
|
||||
goto ok;
|
||||
rcu_read_unlock();
|
||||
return -EPERM;
|
||||
@@ -252,7 +275,7 @@ ok:
|
||||
dumpable = get_dumpable(task->mm);
|
||||
rcu_read_lock();
|
||||
if (dumpable != SUID_DUMP_USER &&
|
||||
- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
|
||||
+ !ptrace_has_cap(__task_cred(task), mode)) {
|
||||
rcu_read_unlock();
|
||||
return -EPERM;
|
||||
}
|
||||
--
|
||||
2.5.0
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
|
||||
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
|
||||
abdfe599a4ea827f9975cf0631148e70 patch-4.4.2.xz
|
||||
078427483ee96f3e072e7b5409b5a117 patch-4.4.3.xz
|
||||
|
|
|
@ -0,0 +1,159 @@
|
|||
From 415e3d3e90ce9e18727e8843ae343eda5a58fad6 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Wed, 3 Feb 2016 02:11:03 +0100
|
||||
Subject: [PATCH] unix: correctly track in-flight fds in sending process
|
||||
user_struct
|
||||
|
||||
The commit referenced in the Fixes tag incorrectly accounted the number
|
||||
of in-flight fds over a unix domain socket to the original opener
|
||||
of the file-descriptor. This allows another process to arbitrary
|
||||
deplete the original file-openers resource limit for the maximum of
|
||||
open files. Instead the sending processes and its struct cred should
|
||||
be credited.
|
||||
|
||||
To do so, we add a reference counted struct user_struct pointer to the
|
||||
scm_fp_list and use it to account for the number of inflight unix fds.
|
||||
|
||||
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
|
||||
Reported-by: David Herrmann <dh.herrmann@gmail.com>
|
||||
Cc: David Herrmann <dh.herrmann@gmail.com>
|
||||
Cc: Willy Tarreau <w@1wt.eu>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/af_unix.h | 4 ++--
|
||||
include/net/scm.h | 1 +
|
||||
net/core/scm.c | 7 +++++++
|
||||
net/unix/af_unix.c | 4 ++--
|
||||
net/unix/garbage.c | 8 ++++----
|
||||
5 files changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
|
||||
index 2a91a0561a47..9b4c418bebd8 100644
|
||||
--- a/include/net/af_unix.h
|
||||
+++ b/include/net/af_unix.h
|
||||
@@ -6,8 +6,8 @@
|
||||
#include <linux/mutex.h>
|
||||
#include <net/sock.h>
|
||||
|
||||
-void unix_inflight(struct file *fp);
|
||||
-void unix_notinflight(struct file *fp);
|
||||
+void unix_inflight(struct user_struct *user, struct file *fp);
|
||||
+void unix_notinflight(struct user_struct *user, struct file *fp);
|
||||
void unix_gc(void);
|
||||
void wait_for_unix_gc(void);
|
||||
struct sock *unix_get_socket(struct file *filp);
|
||||
diff --git a/include/net/scm.h b/include/net/scm.h
|
||||
index 262532d111f5..59fa93c01d2a 100644
|
||||
--- a/include/net/scm.h
|
||||
+++ b/include/net/scm.h
|
||||
@@ -21,6 +21,7 @@ struct scm_creds {
|
||||
struct scm_fp_list {
|
||||
short count;
|
||||
short max;
|
||||
+ struct user_struct *user;
|
||||
struct file *fp[SCM_MAX_FD];
|
||||
};
|
||||
|
||||
diff --git a/net/core/scm.c b/net/core/scm.c
|
||||
index 14596fb37172..2696aefdc148 100644
|
||||
--- a/net/core/scm.c
|
||||
+++ b/net/core/scm.c
|
||||
@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
|
||||
*fplp = fpl;
|
||||
fpl->count = 0;
|
||||
fpl->max = SCM_MAX_FD;
|
||||
+ fpl->user = NULL;
|
||||
}
|
||||
fpp = &fpl->fp[fpl->count];
|
||||
|
||||
@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
|
||||
*fpp++ = file;
|
||||
fpl->count++;
|
||||
}
|
||||
+
|
||||
+ if (!fpl->user)
|
||||
+ fpl->user = get_uid(current_user());
|
||||
+
|
||||
return num;
|
||||
}
|
||||
|
||||
@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm)
|
||||
scm->fp = NULL;
|
||||
for (i=fpl->count-1; i>=0; i--)
|
||||
fput(fpl->fp[i]);
|
||||
+ free_uid(fpl->user);
|
||||
kfree(fpl);
|
||||
}
|
||||
}
|
||||
@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
|
||||
for (i = 0; i < fpl->count; i++)
|
||||
get_file(fpl->fp[i]);
|
||||
new_fpl->max = new_fpl->count;
|
||||
+ new_fpl->user = get_uid(fpl->user);
|
||||
}
|
||||
return new_fpl;
|
||||
}
|
||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
||||
index 49d5093eb055..29be035f9c65 100644
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
UNIXCB(skb).fp = NULL;
|
||||
|
||||
for (i = scm->fp->count-1; i >= 0; i--)
|
||||
- unix_notinflight(scm->fp->fp[i]);
|
||||
+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
|
||||
}
|
||||
|
||||
static void unix_destruct_scm(struct sk_buff *skb)
|
||||
@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
||||
return -ENOMEM;
|
||||
|
||||
for (i = scm->fp->count - 1; i >= 0; i--)
|
||||
- unix_inflight(scm->fp->fp[i]);
|
||||
+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
|
||||
return max_level;
|
||||
}
|
||||
|
||||
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
|
||||
index 8fcdc2283af5..6a0d48525fcf 100644
|
||||
--- a/net/unix/garbage.c
|
||||
+++ b/net/unix/garbage.c
|
||||
@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp)
|
||||
* descriptor if it is for an AF_UNIX socket.
|
||||
*/
|
||||
|
||||
-void unix_inflight(struct file *fp)
|
||||
+void unix_inflight(struct user_struct *user, struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp)
|
||||
}
|
||||
unix_tot_inflight++;
|
||||
}
|
||||
- fp->f_cred->user->unix_inflight++;
|
||||
+ user->unix_inflight++;
|
||||
spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
-void unix_notinflight(struct file *fp)
|
||||
+void unix_notinflight(struct user_struct *user, struct file *fp)
|
||||
{
|
||||
struct sock *s = unix_get_socket(fp);
|
||||
|
||||
@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp)
|
||||
list_del_init(&u->link);
|
||||
unix_tot_inflight--;
|
||||
}
|
||||
- fp->f_cred->user->unix_inflight--;
|
||||
+ user->unix_inflight--;
|
||||
spin_unlock(&unix_gc_lock);
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue