From a1907d2235cdb0e58015932c52902bf92c494a8e Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 21 May 2014 20:33:13 +0000
Subject: [PATCH 1/9] [x86] ACPICA: Tables: Fix invalid pointer accesses in acpi_tb_parse_root_table(). (Closes: #748574)
svn path=/dists/sid/linux/; revision=21354
---
 debian/changelog | 7 ++
 ...x-invalid-pointer-accesses-in-acpi_t.patch | 64 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 72 insertions(+)
 create mode 100644 debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
diff --git a/debian/changelog b/debian/changelog
index 442e08512..6af2ea06a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (3.14.4-2) UNRELEASED; urgency=medium
+
+ * [x86] ACPICA: Tables: Fix invalid pointer accesses in
+ acpi_tb_parse_root_table(). (Closes: #748574)
+
+ -- Ben Hutchings Wed, 21 May 2014 21:24:50 +0100
+
 linux (3.14.4-1) unstable; urgency=high
 
 * New upstream stable update:
diff --git a/debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch b/debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
new file mode 100644
index 000000000..636d6d033
--- /dev/null
+++ b/debian/patches/bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
@@ -0,0 +1,64 @@
+From: Lv Zheng
+Date: Wed, 30 Apr 2014 10:05:40 +0800
+Subject: ACPICA: Tables: Fix invalid pointer accesses in
+ acpi_tb_parse_root_table().
+Origin: https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git/commit?id=d48dc067450d84324067f4472dc0b169e9af4454
+Bug-Debian: https://bugs.debian.org/748574
+
+Linux XSDT validation mechanism backport has introduced a regreession:
+ Commit: 671cc68dc61f029d44b43a681356078e02d8dab8
+ Subject: ACPICA: Back port and refine validation of the XSDT root table.
+There is a pointer still accessed after unmapping.
+
+This patch fixes this issue. Lv Zheng.
+
+Fixes: 671cc68dc61f (ACPICA: Back port and refine validation of the XSDT root table.)
+References: https://bugzilla.kernel.org/show_bug.cgi?id=73911
+References: https://bugs.archlinux.org/task/39811
+Signed-off-by: Lv Zheng
+Reported-and-tested-by: Bruce Chiarelli
+Reported-and-tested-by: Spyros Stathopoulos
+Signed-off-by: Bob Moore
+Cc: 3.14+ # 3.14+
+Signed-off-by: Rafael J. Wysocki
+---
+ drivers/acpi/acpica/tbutils.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/acpica/tbutils.c b/drivers/acpi/acpica/tbutils.c
+index a4702ee..9fb85f3 100644
+--- a/drivers/acpi/acpica/tbutils.c
++++ b/drivers/acpi/acpica/tbutils.c
+@@ -461,6 +461,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
+ u32 table_count;
+ struct acpi_table_header *table;
+ acpi_physical_address address;
++ acpi_physical_address rsdt_address;
+ u32 length;
+ u8 *table_entry;
+ acpi_status status;
+@@ -488,11 +489,14 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
+ * as per the ACPI specification.
+ */
+ address = (acpi_physical_address) rsdp->xsdt_physical_address;
++ rsdt_address =
++ (acpi_physical_address) rsdp->rsdt_physical_address;
+ table_entry_size = ACPI_XSDT_ENTRY_SIZE;
+ } else {
+ /* Root table is an RSDT (32-bit physical addresses) */
+
+ address = (acpi_physical_address) rsdp->rsdt_physical_address;
++ rsdt_address = address;
+ table_entry_size = ACPI_RSDT_ENTRY_SIZE;
+ }
+
+@@ -515,8 +519,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
+
+ /* Fall back to the RSDT */
+
+- address =
+- (acpi_physical_address) rsdp->rsdt_physical_address;
++ address = rsdt_address;
+ table_entry_size = ACPI_RSDT_ENTRY_SIZE;
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 8aeea64f3..a0bb044a3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -86,3 +86,4 @@ bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch
 bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
 debian/libata-avoid-abi-change-in-3.14.4.patch
 debian/dm-avoid-abi-change-in-3.14.4.patch
+bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch
From 235e811596a9d904dd3572fe338f60d56db441bc Mon Sep 17 00:00:00 2001
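Review bot: The new local `rsdt_address` in acpi_tb_parse_root_table() has no comment at its declaration or at either assignment saying that it exists so the fallback path never reads `rsdp` again, which makes it easy for a later cleanup to fold it back into `rsdp->rsdt_physical_address` and reintroduce the access after unmapping that the patch description reports. I would add above the first assignment `/* Save the RSDT address now; rsdp must not be dereferenced once it has been unmapped */`. The unmap call and the rest of the function lie outside the three hunks, so the exact point where `rsdp` becomes invalid cannot be confirmed from here. If firmware leaves `rsdt_physical_address` at zero on an XSDT system, the fallback would presumably set `address` to 0; whether later code rejects that is not visible in this patch.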
From: Ian Campbell Date: Thu, 22 May 2014 18:23:45 +0000 Subject: [PATCH 2/9] [arm64] Initial kernel configuration and packaging. svn path=/dists/sid/linux/; revision=21356 --- debian/changelog | 3 ++ debian/config/arm64/config | 51 +++++++++++++++++++ debian/config/arm64/defines | 14 ++++- debian/config/arm64/none/defines | 3 ++ debian/installer/arm64/kernel-versions | 2 + .../installer/arm64/modules/arm64/ata-modules | 1 + .../arm64/modules/arm64/btrfs-modules | 1 + .../arm64/modules/arm64/core-modules | 1 + .../installer/arm64/modules/arm64/crc-modules | 1 + .../arm64/modules/arm64/crypto-dm-modules | 1 + .../arm64/modules/arm64/crypto-modules | 1 + .../arm64/modules/arm64/event-modules | 1 + .../arm64/modules/arm64/ext4-modules | 1 + .../installer/arm64/modules/arm64/fat-modules | 1 + .../arm64/modules/arm64/fuse-modules | 1 + .../arm64/modules/arm64/input-modules | 1 + .../arm64/modules/arm64/isofs-modules | 1 + .../installer/arm64/modules/arm64/jfs-modules | 1 + .../arm64/modules/arm64/kernel-image | 1 + .../arm64/modules/arm64/loop-modules | 1 + .../installer/arm64/modules/arm64/md-modules | 1 + .../installer/arm64/modules/arm64/mmc-modules | 1 + .../arm64/modules/arm64/multipath-modules | 1 + .../installer/arm64/modules/arm64/nbd-modules | 1 + .../installer/arm64/modules/arm64/nic-modules | 1 + .../arm64/modules/arm64/nic-shared-modules | 1 + .../arm64/modules/arm64/nic-usb-modules | 1 + .../arm64/modules/arm64/nic-wireless-modules | 1 + .../installer/arm64/modules/arm64/ppp-modules | 1 + .../arm64/modules/arm64/sata-modules | 1 + .../arm64/modules/arm64/scsi-core-modules | 1 + .../arm64/modules/arm64/scsi-modules | 2 + .../arm64/modules/arm64/squashfs-modules | 1 + .../installer/arm64/modules/arm64/udf-modules | 1 + .../arm64/modules/arm64/uinput-modules | 1 + .../installer/arm64/modules/arm64/usb-modules | 1 + .../arm64/modules/arm64/usb-storage-modules | 2 + .../arm64/modules/arm64/zlib-modules | 1 + debian/installer/arm64/package-list | 7 +++ 
debian/rules.real | 2 +- 40 files changed, 115 insertions(+), 2 deletions(-) create mode 100644 debian/config/arm64/config create mode 100644 debian/config/arm64/none/defines create mode 100644 debian/installer/arm64/kernel-versions create mode 100644 debian/installer/arm64/modules/arm64/ata-modules create mode 100644 debian/installer/arm64/modules/arm64/btrfs-modules create mode 100644 debian/installer/arm64/modules/arm64/core-modules create mode 100644 debian/installer/arm64/modules/arm64/crc-modules create mode 100644 debian/installer/arm64/modules/arm64/crypto-dm-modules create mode 100644 debian/installer/arm64/modules/arm64/crypto-modules create mode 100644 debian/installer/arm64/modules/arm64/event-modules create mode 100644 debian/installer/arm64/modules/arm64/ext4-modules create mode 100644 debian/installer/arm64/modules/arm64/fat-modules create mode 100644 debian/installer/arm64/modules/arm64/fuse-modules create mode 100644 debian/installer/arm64/modules/arm64/input-modules create mode 100644 debian/installer/arm64/modules/arm64/isofs-modules create mode 100644 debian/installer/arm64/modules/arm64/jfs-modules create mode 100644 debian/installer/arm64/modules/arm64/kernel-image create mode 100644 debian/installer/arm64/modules/arm64/loop-modules create mode 100644 debian/installer/arm64/modules/arm64/md-modules create mode 100644 debian/installer/arm64/modules/arm64/mmc-modules create mode 100644 debian/installer/arm64/modules/arm64/multipath-modules create mode 100644 debian/installer/arm64/modules/arm64/nbd-modules create mode 100644 debian/installer/arm64/modules/arm64/nic-modules create mode 100644 debian/installer/arm64/modules/arm64/nic-shared-modules create mode 100644 debian/installer/arm64/modules/arm64/nic-usb-modules create mode 100644 debian/installer/arm64/modules/arm64/nic-wireless-modules create mode 100644 debian/installer/arm64/modules/arm64/ppp-modules create mode 100644 debian/installer/arm64/modules/arm64/sata-modules create mode 100644 
debian/installer/arm64/modules/arm64/scsi-core-modules create mode 100644 debian/installer/arm64/modules/arm64/scsi-modules create mode 100644 debian/installer/arm64/modules/arm64/squashfs-modules create mode 100644 debian/installer/arm64/modules/arm64/udf-modules create mode 100644 debian/installer/arm64/modules/arm64/uinput-modules create mode 100644 debian/installer/arm64/modules/arm64/usb-modules create mode 100644 debian/installer/arm64/modules/arm64/usb-storage-modules create mode 100644 debian/installer/arm64/modules/arm64/zlib-modules create mode 100644 debian/installer/arm64/package-list diff --git a/debian/changelog b/debian/changelog index 6af2ea06a..cf58c689f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,9 @@ linux (3.14.4-2) UNRELEASED; urgency=medium * [x86] ACPICA: Tables: Fix invalid pointer accesses in acpi_tb_parse_root_table(). (Closes: #748574) + [ Ian Campbell ] + * [arm64] Initial kernel configuration and packaging (Closes: #745349). + -- Ben Hutchings Wed, 21 May 2014 21:24:50 +0100 linux (3.14.4-1) unstable; urgency=high diff --git a/debian/config/arm64/config b/debian/config/arm64/config new file mode 100644 index 000000000..f4ffa8c3f --- /dev/null +++ b/debian/config/arm64/config 
@@ -0,0 +1,51 @@
+##
+## file: arch/arm64/Kconfig
+##
+CONFIG_ARCH_VEXPRESS=y
+CONFIG_ARCH_XGENE=y
+CONFIG_SMP=y
+CONFIG_XEN=y
+
+##
+## file: drivers/mmc/Kconfig
+##
+CONFIG_MMC=y
+
+##
+## file: drivers/mmc/host/Kconfig
+##
+CONFIG_MMC_ARMMMCI=m
+CONFIG_MMC_SPI=m
+
+##
+## file: drivers/power/reset/Kconfig
+##
+CONFIG_POWER_RESET_VEXPRESS=y
+CONFIG_POWER_RESET_XGENE=y
+
+##
+## file: drivers/tty/serial/Kconfig
+##
+CONFIG_SERIAL_AMBA_PL010=y
+CONFIG_SERIAL_AMBA_PL010_CONSOLE=y
+CONFIG_SERIAL_AMBA_PL011=y
+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
+CONFIG_SERIAL_OF_PLATFORM=y
+
+##
+## file: drivers/tty/serial/8250/Kconfig
+##
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_DMA=y
+CONFIG_SERIAL_8250_NR_UARTS=4
+CONFIG_SERIAL_8250_RUNTIME_UARTS=4
+# CONFIG_SERIAL_8250_EXTENDED is not set
+CONFIG_SERIAL_8250_DW=y
+# CONFIG_SERIAL_8250_EM is not set
+
+##
+## file: drivers/virtio/Kconfig
+##
+CONFIG_VIRTIO_MMIO=m
diff --git a/debian/config/arm64/defines b/debian/config/arm64/defines
index d201ee90a..eba3b6f2d 100644
--- a/debian/config/arm64/defines
+++ b/debian/config/arm64/defines
@@ -1,4 +1,16 @@
 [base]
 kernel-arch: arm64
 featuresets:
-# empty; we don't have initramfs working yet
+ none
+
+[build]
+debug-info: true
+image-file: arch/arm64/boot/Image
+
+[image]
+install-stem: vmlinuz
+
+[arm64_description]
+hardware: 64-bit ARMv8 machines
+
+[arm64_image]
diff --git a/debian/config/arm64/none/defines b/debian/config/arm64/none/defines
new file mode 100644
index 000000000..fdea40cbc
--- /dev/null
+++ b/debian/config/arm64/none/defines
@@ -0,0 +1,3 @@
+[base]
+flavours:
+ arm64
diff --git a/debian/installer/arm64/kernel-versions b/debian/installer/arm64/kernel-versions
new file mode 100644
index 000000000..11d739954
--- /dev/null
+++ b/debian/installer/arm64/kernel-versions
@@ -0,0 +1,2 @@
+# arch version flavour installedname suffix build-depends
+arm64 - arm64 - - -
diff --git a/debian/installer/arm64/modules/arm64/ata-modules b/debian/installer/arm64/modules/arm64/ata-modules
new file mode 100644
index 000000000..04d9c8841
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/ata-modules
@@ -0,0 +1 @@
+libata
diff --git a/debian/installer/arm64/modules/arm64/btrfs-modules b/debian/installer/arm64/modules/arm64/btrfs-modules
new file mode 100644
index 000000000..e261e1388
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/btrfs-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/core-modules b/debian/installer/arm64/modules/arm64/core-modules
new file mode 100644
index 000000000..f05d06298
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/core-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/crc-modules b/debian/installer/arm64/modules/arm64/crc-modules
new file mode 100644
index 000000000..7e00de705
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/crc-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/crypto-dm-modules b/debian/installer/arm64/modules/arm64/crypto-dm-modules
new file mode 100644
index 000000000..4c8f2354c
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/crypto-dm-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/crypto-modules b/debian/installer/arm64/modules/arm64/crypto-modules
new file mode 100644
index 000000000..3a1e862b4
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/crypto-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/event-modules b/debian/installer/arm64/modules/arm64/event-modules
new file mode 100644
index 000000000..f8819afd3
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/event-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/ext4-modules b/debian/installer/arm64/modules/arm64/ext4-modules
new file mode 100644
index 000000000..394c577ce
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/ext4-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/fat-modules b/debian/installer/arm64/modules/arm64/fat-modules
new file mode 100644
index 000000000..274584eb6
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/fat-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/fuse-modules b/debian/installer/arm64/modules/arm64/fuse-modules
new file mode 100644
index 000000000..0b6ba0c8c
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/fuse-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/input-modules b/debian/installer/arm64/modules/arm64/input-modules
new file mode 100644
index 000000000..5ecb595a4
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/input-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/isofs-modules b/debian/installer/arm64/modules/arm64/isofs-modules
new file mode 100644
index 000000000..da4fa9a3c
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/isofs-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/jfs-modules b/debian/installer/arm64/modules/arm64/jfs-modules
new file mode 100644
index 000000000..7e4d912b9
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/jfs-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/kernel-image b/debian/installer/arm64/modules/arm64/kernel-image
new file mode 100644
index 000000000..1bb8bf6d7
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/kernel-image
@@ -0,0 +1 @@
+# empty
diff --git a/debian/installer/arm64/modules/arm64/loop-modules b/debian/installer/arm64/modules/arm64/loop-modules
new file mode 100644
index 000000000..c1c948fa3
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/loop-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/md-modules b/debian/installer/arm64/modules/arm64/md-modules
new file mode 100644
index 000000000..26115e10b
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/md-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/mmc-modules b/debian/installer/arm64/modules/arm64/mmc-modules
new file mode 100644
index 000000000..dadfd5334
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/mmc-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/multipath-modules b/debian/installer/arm64/modules/arm64/multipath-modules
new file mode 100644
index 000000000..a8b69b253
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/multipath-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/nbd-modules b/debian/installer/arm64/modules/arm64/nbd-modules
new file mode 100644
index 000000000..3c9b3e5d4
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/nbd-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/nic-modules b/debian/installer/arm64/modules/arm64/nic-modules
new file mode 100644
index 000000000..2512e8395
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/nic-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/nic-shared-modules b/debian/installer/arm64/modules/arm64/nic-shared-modules
new file mode 100644
index 000000000..cc84b14dc
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/nic-shared-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/nic-usb-modules b/debian/installer/arm64/modules/arm64/nic-usb-modules
new file mode 100644
index 000000000..c479669b4
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/nic-usb-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/nic-wireless-modules b/debian/installer/arm64/modules/arm64/nic-wireless-modules
new file mode 100644
index 000000000..53fd18d7f
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/nic-wireless-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/ppp-modules b/debian/installer/arm64/modules/arm64/ppp-modules
new file mode 100644
index 000000000..1f26aa1ee
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/ppp-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/sata-modules b/debian/installer/arm64/modules/arm64/sata-modules
new file mode 100644
index 000000000..01318c258
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/sata-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/scsi-core-modules b/debian/installer/arm64/modules/arm64/scsi-core-modules
new file mode 100644
index 000000000..dd65d6614
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/scsi-core-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/scsi-modules b/debian/installer/arm64/modules/arm64/scsi-modules
new file mode 100644
index 000000000..675462a14
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/scsi-modules
@@ -0,0 +1,2 @@
+#include
+
diff --git a/debian/installer/arm64/modules/arm64/squashfs-modules b/debian/installer/arm64/modules/arm64/squashfs-modules
new file mode 100644
index 000000000..42d77887a
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/squashfs-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/udf-modules b/debian/installer/arm64/modules/arm64/udf-modules
new file mode 100644
index 000000000..b90d7ee9b
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/udf-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/uinput-modules b/debian/installer/arm64/modules/arm64/uinput-modules
new file mode 100644
index 000000000..58a833779
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/uinput-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/usb-modules b/debian/installer/arm64/modules/arm64/usb-modules
new file mode 100644
index 000000000..c598dedd8
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/usb-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/modules/arm64/usb-storage-modules b/debian/installer/arm64/modules/arm64/usb-storage-modules
new file mode 100644
index 000000000..6938b5cf1
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/usb-storage-modules
@@ -0,0 +1,2 @@
+#include
+usb-storage -
diff --git a/debian/installer/arm64/modules/arm64/zlib-modules b/debian/installer/arm64/modules/arm64/zlib-modules
new file mode 100644
index 000000000..e02ad64bf
--- /dev/null
+++ b/debian/installer/arm64/modules/arm64/zlib-modules
@@ -0,0 +1 @@
+#include
diff --git a/debian/installer/arm64/package-list b/debian/installer/arm64/package-list
new file mode 100644
index 000000000..aefbc7e74
--- /dev/null
+++ b/debian/installer/arm64/package-list
@@ -0,0 +1,7 @@
+# This file is used to build up the control file. The kernel version and
+# "-di" are appended to the package names. Section can be left out. So can
+# architecture, which is derived from the files in the modules directory.
+# It overwrites specifications from /usr/share/kernel-wedge/package-list.
+#
+
+Package: kernel-image
diff --git a/debian/rules.real b/debian/rules.real
index f1a861d61..1dabb3f66 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -373,7 +373,7 @@ endif install-image_$(ARCH)_$(FEATURESET)_$(FLAVOUR)_plain_dt: DT_INSTALL_DIR = $(PACKAGE_DIR)/usr/lib/linux-image-$(REAL_VERSION) install-image_$(ARCH)_$(FEATURESET)_$(FLAVOUR)_plain_dt: -ifneq ($(filter armel armhf,$(ARCH)),) +ifneq ($(filter arm64 armel armhf,$(ARCH)),) +$(MAKE_CLEAN) -C $(DIR) dtbs shopt -s nullglob ; for i in $(DIR)/arch/$(KERNEL_ARCH)/boot/dts/*.dtb ; do \ install -D -m644 $$i '$(DT_INSTALL_DIR)'/$$(basename $$i) ; \ From df5e9abf749fcd4fffa16085476e74ca67906365 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Sat, 31 May 2014 10:34:06 +0000 Subject: [PATCH 3/9] arm64: Add some NIC drivers and virtio udebs Used for vexpress/qemu/fastmodel. svn path=/dists/sid/linux/; revision=21365 --- debian/config/arm64/config | 23 +++++++++++++++++++ .../installer/arm64/modules/arm64/nic-modules | 2 ++ .../arm64/modules/arm64/virtio-modules | 1 + 3 files changed, 26 insertions(+) create mode 100644 debian/installer/arm64/modules/arm64/virtio-modules diff --git a/debian/config/arm64/config b/debian/config/arm64/config index f4ffa8c3f..877106627 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -17,6 +17,29 @@ CONFIG_MMC=y CONFIG_MMC_ARMMMCI=m CONFIG_MMC_SPI=m +## +## file: drivers/net/ethernet/8390/Kconfig +## +CONFIG_NET_VENDOR_8390=y +CONFIG_NE2K_PCI=m + +## +## file: drivers/net/ethernet/realtek/Kconfig +## +CONFIG_8139CP=m +CONFIG_8139TOO=m +# CONFIG_8139TOO_PIO is not set +CONFIG_8139TOO_TUNE_TWISTER=y +CONFIG_8139TOO_8129=y +# CONFIG_8139_OLD_RX_RESET is not set + +## +## file: drivers/net/ethernet/smsc/Kconfig +## +CONFIG_NET_VENDOR_SMSC=y +CONFIG_SMC91X=m +CONFIG_SMSC911X=m + ## ## file: drivers/power/reset/Kconfig ## diff --git a/debian/installer/arm64/modules/arm64/nic-modules b/debian/installer/arm64/modules/arm64/nic-modules index 2512e8395..a530f19fd 100644 --- a/debian/installer/arm64/modules/arm64/nic-modules +++ b/debian/installer/arm64/modules/arm64/nic-modules 
@@ -1 +1,3 @@ #include +smc91x +smsc911x diff --git a/debian/installer/arm64/modules/arm64/virtio-modules b/debian/installer/arm64/modules/arm64/virtio-modules new file mode 100644 index 000000000..61da39659 --- /dev/null +++ b/debian/installer/arm64/modules/arm64/virtio-modules @@ -0,0 +1 @@ +#include From 5c79ca4fc16f93523329786475e7dc090e5a7f21 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Sat, 31 May 2014 10:34:09 +0000 Subject: [PATCH 4/9] [armhf] Add virtio-modules udeb svn path=/dists/sid/linux/; revision=21366 --- debian/changelog | 1 + debian/installer/armhf/modules/armhf-armmp/virtio-modules | 1 + 2 files changed, 2 insertions(+) create mode 100644 debian/installer/armhf/modules/armhf-armmp/virtio-modules diff --git a/debian/changelog b/debian/changelog index cf58c689f..b6b98b5ac 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ linux (3.14.4-2) UNRELEASED; urgency=medium [ Ian Campbell ] * [arm64] Initial kernel configuration and packaging (Closes: #745349). + * [armhf] Add virtio-modules udeb. -- Ben Hutchings Wed, 21 May 2014 21:24:50 +0100 diff --git a/debian/installer/armhf/modules/armhf-armmp/virtio-modules b/debian/installer/armhf/modules/armhf-armmp/virtio-modules new file mode 100644 index 000000000..61da39659 --- /dev/null +++ b/debian/installer/armhf/modules/armhf-armmp/virtio-modules @@ -0,0 +1 @@ +#include From 1b04c94599e33221e79a8cdad05ca698dbd31577 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Sun, 1 Jun 2014 19:09:19 +0000 Subject: [PATCH 5/9] Update to 3.14.5 Drop some networking fixes that are included in it. Update PREEMPT_RT patch series. svn path=/dists/sid/linux/; revision=21368 --- debian/changelog | 86 ++++++++++++++++++- ...la-extensions-to-peek-beyond-the-end.patch | 78 ----------------- ...orrect-mac_len-in-skb_network_protoc.patch | 40 --------- ...-group_info-should-be-put-after-usin.patch | 61 ------------- ...-x86-preempt-fix-preemption-for-i386.patch | 51 +++++++++++ .../rt/timekeeping-split-jiffies-lock.patch | 14 ++- debian/patches/series | 3 - debian/patches/series-rt | 1 + 8 files changed, 148 insertions(+), 186 deletions(-) delete mode 100644 debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch delete mode 100644 debian/patches/bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch delete mode 100644 debian/patches/bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch create mode 100644 debian/patches/features/all/rt/revert-x86-preempt-fix-preemption-for-i386.patch diff --git a/debian/changelog b/debian/changelog index b6b98b5ac..81bad1c91 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,5 +1,89 @@ -linux (3.14.4-2) UNRELEASED; urgency=medium +linux (3.14.5-1) UNRELEASED; urgency=medium + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.5 + - SCSI: dual scan thread bug fix + - SCSI: megaraid: missing bounds check in mimd_to_kioc() + - [x86] KVM: remove WARN_ON from get_kernel_ns() + - audit: convert PPIDs to the inital PID namespace. + - netfilter: nf_tables: fix nft_cmp_fast failure on big endian for size < 4 + - netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len + (Closes: #741667) + - netfilter: Can't fail and free after table replacement + - [i386] x86,preempt: Fix preemption for i386 + - rbd: fix error paths in rbd_img_request_fill() + - [x86] drm/i915: restore QUIRK_NO_PCH_PWM_ENABLE (regression in 3.14) + - tick-sched: Don't call update_wall_time() when delta is lesser than + tick_period (regression in 3.14) + - tick-sched: Check tick_nohz_enabled in tick_nohz_switch_to_nohz() + (regression in 3.13) + - [hppa] change value of SHMLBA from 0x00400000 to PAGE_SIZE + - [hppa] fix epoll_pwait syscall on compat kernel + - [hppa] remove _STK_LIM_MAX override + - vfs: don't bother with {get,put}_write_access() on non-regular files + - cifs: Wait for writebacks to complete before attempting write. + - xen/spinlock: Don't enable them unconditionally. 
(regression in 3.12) + - thp: close race between split and zap huge pages (regression in 3.13) + - mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages() + - mm: use paravirt friendly ops for NUMA hinting ptes + - USB: io_ti: fix firmware download on big-endian machines + - fs: Don't return 0 from get_anon_bdev (regression in 3.14) + - [x86] drm/vmwgfx: Make sure user-space can't DMA across buffer object + boundaries v2 + - [x86] drm/i915: Do not dereference pointers from ring buffer in evict + event (regression in 3.13) + - net: core: don't account for udp header size when computing seglen + (regression in 3.14) + - bridge: Fix double free and memory leak around br_allowed_ingress + - filter: prevent nla extensions to peek beyond the end of the message + (CVE-2014-3144, CVE-2014-3145) + - Revert "net: sctp: Fix a_rwnd/rwnd management to reflect real state of + the receiver's buffer" (regression in 3.14) + - ip6_gre: don't allow to remove the fb_tunnel_dev + - net: sctp: cache auth_enable per endpoint + - net: Fix ns_capable check in sock_diag_put_filterinfo + - rtnetlink: Warn when interface's information won't fit in our packet + - rtnetlink: Only supply IFLA_VF_PORTS information when RTEXT_FILTER_VF + is set + - tcp_cubic: fix the range of delayed_ack + - net: cdc_ncm: fix buffer overflow (regression in 3.13) + - ip_tunnel: Set network header properly for IP_ECN_decapsulate() + (regression in 3.11) + - ipv4: ip_tunnels: disable cache for nbma gre tunnels (regression in 3.14) + - net: cdc_mbim: __vlan_find_dev_deep need rcu_read_lock + (regression in 3.13) + - net: ipv4: ip_forward: fix inverted local_df test (regression in 3.14) + - net: ipv6: send pkttoobig immediately if orig frag size > mtu + (regression in 3.14) + - ip6_tunnel: fix potential NULL pointer dereference + - neigh: set nud_state to NUD_INCOMPLETE when probing router reachability + (regression in 3.14) + - batman-adv: fix neigh_ifinfo imbalance (regression in 3.14) + - batman-adv: 
fix neigh reference imbalance (regression in 3.14) + - batman-adv: always run purge_orig_neighbors (regression in 3.14) + - batman-adv: fix removing neigh_ifinfo (regression in 3.14) + - [s390,x86] net: filter: fix JIT address randomization + - net: avoid dependency of net_get_random_once on nop patching + (regression in 3.13) + - ipv6: fix calculation of option len in ip6_append_data + (regression in 3.13) + - rtnetlink: wait for unregistering devices in rtnl_link_unregister() + - bonding: fix out of range parameters for bond_intmax_tbl + (regression in 3.14) + - net: gro: make sure skb->cb[] initial content has not to be zero + (regression in 3.13) + - batman-adv: fix indirect hard_iface NULL dereference (regression in 3.14) + - batman-adv: fix reference counting imbalance while sending fragment + (regression in 3.14) + - batman-adv: increase orig refcount when storing ref in gw_node + - batman-adv: fix local TT check for outgoing arp requests in DAT + (regression in 3.13) + - net_sched: fix an oops in tcindex filter (regression in 3.14) + - ipv6: gro: fix CHECKSUM_COMPLETE support (regression in 3.14) + - ipv4: initialise the itag variable in __mkroute_input + - net-gro: reset skb->truesize in napi_reuse_skb() + + [ Ben Hutchings ] * [x86] ACPICA: Tables: Fix invalid pointer accesses in acpi_tb_parse_root_table(). (Closes: #748574) diff --git a/debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch b/debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch deleted file mode 100644 index 58224c7e6..000000000 --- a/debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From: Mathias Krause -Date: Sun, 13 Apr 2014 18:23:33 +0200 -Subject: filter: prevent nla extensions to peek beyond the end of the message -Origin: https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3 - -The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check -for a minimal message length before testing the supplied offset to be -within the bounds of the message. This allows the subtraction of the nla -header to underflow and therefore -- as the data type is unsigned -- -allowing far to big offset and length values for the search of the -netlink attribute. - -The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is -also wrong. It has the minuend and subtrahend mixed up, therefore -calculates a huge length value, allowing to overrun the end of the -message while looking for the netlink attribute. - -The following three BPF snippets will trigger the bugs when attached to -a UNIX datagram socket and parsing a message with length 1, 2 or 3. - - ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- - | ld #0x87654321 - | ldx #42 - | ld #nla - | ret a - `--- - - ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- - | ld #0x87654321 - | ldx #42 - | ld #nlan - | ret a - `--- - - ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- - | ; (needs a fake netlink header at offset 0) - | ld #0 - | ldx #42 - | ld #nlan - | ret a - `--- - -Fix the first issue by ensuring the message length fulfills the minimal -size constrains of a nla header. Fix the second bug by getting the math -for the remainder calculation right. - -Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") -Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") -Cc: Patrick McHardy -Cc: Pablo Neira Ayuso -Signed-off-by: Mathias Krause -Acked-by: Daniel Borkmann -Signed-off-by: David S. 
Miller -[bwh: Backported to 3.14: This code is all in sk_run_filter(), not - separate functions] ---- - net/core/filter.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/net/core/filter.c -+++ b/net/core/filter.c -@@ -371,11 +371,15 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; - if (A > skb->len - sizeof(struct nlattr)) - return 0; - - nla = (struct nlattr *)&skb->data[A]; -- if (nla->nla_len > A - skb->len) -+ if (nla->nla_len > skb->len - A) - return 0; - - nla = nla_find_nested(nla, X); diff --git a/debian/patches/bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch b/debian/patches/bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch deleted file mode 100644 index 7e59d291c..000000000 --- a/debian/patches/bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From: Vlad Yasevich -Date: Mon, 14 Apr 2014 17:37:26 -0400 -Subject: net: Start with correct mac_len in skb_network_protocol -Origin: https://git.kernel.org/linus/1e785f48d29a09b6cf96db7b49b6320dada332e1 - -Sometimes, when the packet arrives at skb_mac_gso_segment() -its skb->mac_len already accounts for some of the mac lenght -headers in the packet. This seems to happen when forwarding -through and OpenSSL tunnel. - -When we start looking for any vlan headers in skb_network_protocol() -we seem to ignore any of the already known mac headers and start -with an ETH_HLEN. This results in an incorrect offset, dropped -TSO frames and general slowness of the connection. - -We can start counting from the known skb->mac_len -and return at least that much if all mac level headers -are known and accounted for. - -Fixes: 53d6471cef17262d3ad1c7ce8982a234244f68ec (net: Account for all vlan headers in skb_mac_gso_segment) -CC: Eric Dumazet -CC: Daniel Borkman -Tested-by: Martin Filip -Signed-off-by: Vlad Yasevich -Signed-off-by: David S. Miller ---- - net/core/dev.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -2289,7 +2289,7 @@ EXPORT_SYMBOL(skb_checksum_help); - __be16 skb_network_protocol(struct sk_buff *skb, int *depth) - { - __be16 type = skb->protocol; -- int vlan_depth = ETH_HLEN; -+ int vlan_depth = skb->mac_len; - - /* Tunnel gso handlers can set protocol to ethernet. */ - if (type == htons(ETH_P_TEB)) { diff --git a/debian/patches/bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch b/debian/patches/bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch deleted file mode 100644 index 21160df21..000000000 --- a/debian/patches/bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From: "Wang, Xiaoming" -Date: Mon, 14 Apr 2014 12:30:45 -0400 -Subject: net: ipv4: current group_info should be put after using. -Origin: https://git.kernel.org/linus/b04c46190219a4f845e46a459e3102137b7f6cac - -Plug a group_info refcount leak in ping_init. -group_info is only needed during initialization and -the code failed to release the reference on exit. -While here move grabbing the reference to a place -where it is actually needed. - -Signed-off-by: Chuansheng Liu -Signed-off-by: Zhang Dongxing -Signed-off-by: xiaoming wang -Signed-off-by: David S. Miller ---- - net/ipv4/ping.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index f4b19e5..8210964 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk) - { - struct net *net = sock_net(sk); - kgid_t group = current_egid(); -- struct group_info *group_info = get_current_groups(); -- int i, j, count = group_info->ngroups; -+ struct group_info *group_info; -+ int i, j, count; - kgid_t low, high; -+ int ret = 0; - - inet_get_ping_group_range_net(net, &low, &high); - if (gid_lte(low, group) && gid_lte(group, high)) - return 0; - -+ group_info = get_current_groups(); -+ count = group_info->ngroups; - for (i = 0; i < group_info->nblocks; i++) { - int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); - for (j = 0; j < cp_count; j++) { - kgid_t gid = group_info->blocks[i][j]; - if (gid_lte(low, gid) && gid_lte(gid, high)) -- return 0; -+ goto out_release_group; - } - - count -= cp_count; - } - -- return -EACCES; -+ ret = -EACCES; -+ -+out_release_group: -+ put_group_info(group_info); -+ return ret; - } - EXPORT_SYMBOL_GPL(ping_init_sock); - diff --git a/debian/patches/features/all/rt/revert-x86-preempt-fix-preemption-for-i386.patch b/debian/patches/features/all/rt/revert-x86-preempt-fix-preemption-for-i386.patch new file mode 100644 index 000000000..61f78a904 --- /dev/null 
+++ b/debian/patches/features/all/rt/revert-x86-preempt-fix-preemption-for-i386.patch @@ -0,0 +1,51 @@ +From: Ben Hutchings +Date: Sun, 01 Jun 2014 20:05:38 +0100 +Subject: Revert "x86,preempt: Fix preemption for i386" + +This reverts commit 4c03d4699182312ed42257834b915492af16022a from +Linux 3.14.5, which conflicts with the current PREEMPT_RT patch +series. + +--- a/arch/x86/include/asm/preempt.h ++++ b/arch/x86/include/asm/preempt.h +@@ -5,18 +5,6 @@ + #include + #include + +-#ifdef CONFIG_X86_32 +-/* +- * i386's current_thread_info() depends on ESP and for interrupt/exception +- * stacks this doesn't yield the actual task thread_info. +- * +- * We hard rely on the fact that all the TIF_NEED_RESCHED bits are +- * the same, therefore use the slightly more expensive version below. +- */ +-#undef tif_need_resched +-#define tif_need_resched() test_tsk_thread_flag(current, TIF_NEED_RESCHED) +-#endif +- + DECLARE_PER_CPU(int, __preempt_count); + + /* +--- a/include/linux/preempt.h ++++ b/include/linux/preempt.h +@@ -15,8 +15,6 @@ + */ + #define PREEMPT_NEED_RESCHED 0x80000000 + +-#define tif_need_resched() test_thread_flag(TIF_NEED_RESCHED) +- + #include + + #if defined(CONFIG_DEBUG_PREEMPT) || defined(CONFIG_PREEMPT_TRACER) +--- a/include/linux/thread_info.h ++++ b/include/linux/thread_info.h +@@ -118,6 +118,8 @@ + */ + } + ++#define tif_need_resched() test_thread_flag(TIF_NEED_RESCHED) ++ + #if defined TIF_RESTORE_SIGMASK && !defined HAVE_SET_RESTORE_SIGMASK + /* + * An arch can define its own version of set_restore_sigmask() to get the diff --git a/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch b/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch index 0daf980fc..615b46f9b 100644 --- a/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch +++ b/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch 
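Review bot: The description of this revert says only that commit 4c03d4699182 conflicts with the PREEMPT_RT series; it does not record that removing the `CONFIG_X86_32` override of `tif_need_resched()` from `arch/x86/include/asm/preempt.h` brings back the problem that commit addressed. According to the removed comment, `current_thread_info()` on i386 interrupt/exception stacks does not yield the task's thread_info. If the rt featureset is built for any 32-bit x86 flavour (not visible here), that flavour ships without the fix. I would add a line to the patch header such as `This reintroduces the i386 need_resched problem on rt builds; drop this revert once the RT series is rebased on 3.14.5 or later.` so the regression stays tracked.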
@@ -4,6 +4,9 @@ Date: Thu, 14 Feb 2013 22:36:59 +0100 Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/3.14/patches-3.14.3-rt5.tar.xz Signed-off-by: Thomas Gleixner +[bwh: Update new call to write_sequnlock() in tick_do_update_jiffies64() + added by commit 27630532ef5e ("tick-sched: Check tick_nohz_enabled in + tick_nohz_switch_to_nohz()")] --- kernel/time/jiffies.c | 7 ++++--- kernel/time/tick-common.c | 10 ++++++---- @@ -92,9 +95,14 @@ Signed-off-by: Thomas Gleixner delta = ktime_sub(now, last_jiffies_update); if (delta.tv64 >= tick_period.tv64) { -@@ -85,7 +86,8 @@ static void tick_do_update_jiffies64(kti +@@ -85,10 +86,12 @@ static void tick_do_update_jiffies64(kti /* Keep the tick_next_period variable up to date */ tick_next_period = ktime_add(last_jiffies_update, tick_period); + } else { +- write_sequnlock(&jiffies_lock); ++ write_seqcount_end(&jiffies_seq); ++ raw_spin_unlock(&jiffies_lock); + return; } - write_sequnlock(&jiffies_lock); + write_seqcount_end(&jiffies_seq); @@ -102,7 +110,7 @@ Signed-off-by: Thomas Gleixner update_wall_time(); } -@@ -96,12 +98,14 @@ static ktime_t tick_init_jiffy_update(vo +@@ -99,12 +102,14 @@ static ktime_t tick_init_jiffy_update(vo { ktime_t period; @@ -119,7 +127,7 @@ Signed-off-by: Thomas Gleixner return period; } -@@ -537,10 +541,10 @@ static ktime_t tick_nohz_stop_sched_tick +@@ -540,10 +545,10 @@ static ktime_t tick_nohz_stop_sched_tick /* Read jiffies and the time when jiffies were updated last */ do { diff --git a/debian/patches/series b/debian/patches/series index a0bb044a3..88f5c4bda 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -81,9 +81,6 @@ features/arm/ARM-dt-sun4i-Add-A10-SPI-controller-nodes.patch features/arm/PHY-sunxi-Add-driver-for-sunxi-usb-phy.patch features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch -bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch -bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch -bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch debian/libata-avoid-abi-change-in-3.14.4.patch debian/dm-avoid-abi-change-in-3.14.4.patch bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch diff --git a/debian/patches/series-rt b/debian/patches/series-rt index f870030da..d692371fc 100644 --- a/debian/patches/series-rt +++ b/debian/patches/series-rt @@ -617,6 +617,7 @@ features/all/rt/rcu-Eliminate-softirq-processing-from-rcutree.patch features/all/rt/rcu-make-RCU_BOOST-default-on-RT.patch # PREEMPT LAZY +features/all/rt/revert-x86-preempt-fix-preemption-for-i386.patch features/all/rt/preempt-lazy-support.patch features/all/rt/x86-preempt-lazy.patch features/all/rt/arm-preempt-lazy-support.patch From 5ce668d89434e96e933e5ac1afbf8292e2785d95 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Sun, 1 Jun 2014 22:42:19 +0000 Subject: [PATCH 6/9] Fix/ignore ABI changes in 3.14.5 as appropriate - Revert the struct net_device lockdep changes - Revert the sock_diag_put_filterinfo() parameter change - Revert the removal from struct scsi_target and hide the compatible type change from genksyms - Hide the change to struct nf_ct_ext from genksyms and limit its effect to modules that actually use it - Ignore the vsock_core_init() change svn path=/dists/sid/linux/; revision=21370 --- debian/changelog | 1 + debian/config/defines | 4 + ...net-revert-lockdep-changes-in-3.14.5.patch | 260 ++++++++++++++++++ ...netfilter-avoid-abi-change-in-3.14.5.patch | 46 ++++ .../sockdiag-avoid-abi-change-in-3.14.5.patch | 40 +++ .../target-avoid-abi-change-in-3.14.5.patch | 43 +++ debian/patches/series | 4 + 7 files changed, 398 insertions(+) create mode 100644 debian/patches/debian/net-revert-lockdep-changes-in-3.14.5.patch create mode 100644 debian/patches/debian/netfilter-avoid-abi-change-in-3.14.5.patch create mode 100644 debian/patches/debian/sockdiag-avoid-abi-change-in-3.14.5.patch create mode 100644 debian/patches/debian/target-avoid-abi-change-in-3.14.5.patch diff --git a/debian/changelog b/debian/changelog index 81bad1c91..d03da4616 100644 --- a/debian/changelog +++ b/debian/changelog @@ -86,6 +86,7 @@ linux (3.14.5-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * [x86] ACPICA: Tables: Fix invalid pointer accesses in acpi_tb_parse_root_table(). (Closes: #748574) + * net: Revert lockdep changes in 3.14.5 to avoid an ABI change [ Ian Campbell ] * [arm64] Initial kernel configuration and packaging (Closes: #745349). diff --git a/debian/config/defines b/debian/config/defines index 2625534c1..f1f919e88 100644 --- a/debian/config/defines +++ b/debian/config/defines 
@@ -8,6 +8,10 @@ ignore-changes: g450_mnp2f matrox_* matroxfb_* +# Not used OOT (at least not in open-vm-tools) + vsock_core_init +# Cannot be used OOT + nf_ct_extend_register [base] arches: diff --git a/debian/patches/debian/net-revert-lockdep-changes-in-3.14.5.patch b/debian/patches/debian/net-revert-lockdep-changes-in-3.14.5.patch new file mode 100644 index 000000000..e50f25b20 --- /dev/null +++ b/debian/patches/debian/net-revert-lockdep-changes-in-3.14.5.patch 
@@ -0,0 +1,260 @@ +From: Ben Hutchings +Date: Sun, 01 Jun 2014 20:33:54 +0100 +Subject: net: Revert lockdep changes in 3.14.5 + +These changes fixed false lockep warnings, but result in an ABI +change. As lockdep is not enabled in our binary packages, they +don't fix any problem either. + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 9dde3ea..1831fb7 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -518,11 +518,6 @@ static struct lock_class_key macvlan_netdev_addr_lock_key; + #define MACVLAN_STATE_MASK \ + ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT)) + +-static int macvlan_get_nest_level(struct net_device *dev) +-{ +- return ((struct macvlan_dev *)netdev_priv(dev))->nest_level; +-} +- + static void macvlan_set_lockdep_class_one(struct net_device *dev, + struct netdev_queue *txq, + void *_unused) +@@ -533,9 +528,8 @@ static void macvlan_set_lockdep_class_one(struct net_device *dev, + + static void macvlan_set_lockdep_class(struct net_device *dev) + { +- lockdep_set_class_and_subclass(&dev->addr_list_lock, +- &macvlan_netdev_addr_lock_key, +- macvlan_get_nest_level(dev)); ++ lockdep_set_class(&dev->addr_list_lock, ++ &macvlan_netdev_addr_lock_key); + netdev_for_each_tx_queue(dev, macvlan_set_lockdep_class_one, NULL); + } + +@@ -737,7 +731,6 @@ static const struct net_device_ops macvlan_netdev_ops = { + .ndo_fdb_add = macvlan_fdb_add, + .ndo_fdb_del = macvlan_fdb_del, + .ndo_fdb_dump = ndo_dflt_fdb_dump, +- .ndo_get_lock_subclass = macvlan_get_nest_level, + }; + + void macvlan_common_setup(struct net_device *dev) +@@ -866,7 +859,6 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + vlan->dev = dev; + vlan->port = port; + vlan->set_features = MACVLAN_FEATURES; +- vlan->nest_level = dev_get_nest_level(lowerdev, netif_is_macvlan) + 1; + + vlan->mode = MACVLAN_MODE_VEPA; + if (data && data[IFLA_MACVLAN_MODE]) +diff --git a/include/linux/if_macvlan.h b/include/linux/if_macvlan.h +index 
a9a53b1..7c8b20b 100644 +--- a/include/linux/if_macvlan.h ++++ b/include/linux/if_macvlan.h +@@ -56,7 +56,6 @@ struct macvlan_dev { + int numqueues; + netdev_features_t tap_features; + int minor; +- int nest_level; + }; + + static inline void macvlan_count_rx(const struct macvlan_dev *vlan, +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 72ba6f5..bbedfb5 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -73,7 +73,7 @@ static inline struct vlan_ethhdr *vlan_eth_hdr(const struct sk_buff *skb) + /* found in socket.c */ + extern void vlan_ioctl_set(int (*hook)(struct net *, void __user *)); + +-static inline bool is_vlan_dev(struct net_device *dev) ++static inline int is_vlan_dev(struct net_device *dev) + { + return dev->priv_flags & IFF_802_1Q_VLAN; + } +@@ -158,7 +158,6 @@ struct vlan_dev_priv { + #ifdef CONFIG_NET_POLL_CONTROLLER + struct netpoll *netpoll; + #endif +- unsigned int nest_level; + }; + + static inline struct vlan_dev_priv *vlan_dev_priv(const struct net_device *dev) +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 911718f..daafd95 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1145,7 +1145,6 @@ struct net_device_ops { + netdev_tx_t (*ndo_dfwd_start_xmit) (struct sk_buff *skb, + struct net_device *dev, + void *priv); +- int (*ndo_get_lock_subclass)(struct net_device *dev); + }; + + /* +@@ -2862,12 +2861,7 @@ static inline void netif_addr_lock(struct net_device *dev) + + static inline void netif_addr_lock_nested(struct net_device *dev) + { +- int subclass = SINGLE_DEPTH_NESTING; +- +- if (dev->netdev_ops->ndo_get_lock_subclass) +- subclass = dev->netdev_ops->ndo_get_lock_subclass(dev); +- +- spin_lock_nested(&dev->addr_list_lock, subclass); ++ spin_lock_nested(&dev->addr_list_lock, SINGLE_DEPTH_NESTING); + } + + static inline void netif_addr_lock_bh(struct net_device *dev) +@@ -2994,14 +2988,6 @@ void *netdev_lower_get_next_private_rcu(struct net_device 
*dev, + priv; \ + priv = netdev_lower_get_next_private_rcu(dev, &(iter))) + +-void *netdev_lower_get_next(struct net_device *dev, +- struct list_head **iter); +-#define netdev_for_each_lower_dev(dev, ldev, iter) \ +- for (iter = &(dev)->adj_list.lower, \ +- ldev = netdev_lower_get_next(dev, &(iter)); \ +- ldev; \ +- ldev = netdev_lower_get_next(dev, &(iter))) +- + void *netdev_adjacent_get_private(struct list_head *adj_list); + void *netdev_lower_get_first_private_rcu(struct net_device *dev); + struct net_device *netdev_master_upper_dev_get(struct net_device *dev); +@@ -3017,8 +3003,6 @@ void netdev_upper_dev_unlink(struct net_device *dev, + void netdev_adjacent_rename_links(struct net_device *dev, char *oldname); + void *netdev_lower_dev_get_private(struct net_device *dev, + struct net_device *lower_dev); +-int dev_get_nest_level(struct net_device *dev, +- bool (*type_check)(struct net_device *dev)); + int skb_checksum_help(struct sk_buff *skb); + struct sk_buff *__skb_gso_segment(struct sk_buff *skb, + netdev_features_t features, bool tx_path); +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 44ebd5c..175273f 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -169,7 +169,6 @@ int register_vlan_dev(struct net_device *dev) + if (err < 0) + goto out_uninit_mvrp; + +- vlan->nest_level = dev_get_nest_level(real_dev, is_vlan_dev) + 1; + err = register_netdevice(dev); + if (err < 0) + goto out_uninit_mvrp; +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index cc0d218..27bfe2f 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -524,11 +524,6 @@ static void vlan_dev_set_lockdep_class(struct net_device *dev, int subclass) + netdev_for_each_tx_queue(dev, vlan_dev_set_lockdep_one, &subclass); + } + +-static int vlan_dev_get_lock_subclass(struct net_device *dev) +-{ +- return vlan_dev_priv(dev)->nest_level; +-} +- + static const struct header_ops vlan_header_ops = { + .create = vlan_dev_hard_header, + .rebuild = 
vlan_dev_rebuild_header, +@@ -564,7 +559,7 @@ static const struct net_device_ops vlan_netdev_ops; + static int vlan_dev_init(struct net_device *dev) + { + struct net_device *real_dev = vlan_dev_priv(dev)->real_dev; +- int i; ++ int subclass = 0, i; + + netif_carrier_off(dev); + +@@ -613,7 +608,10 @@ static int vlan_dev_init(struct net_device *dev) + + SET_NETDEV_DEVTYPE(dev, &vlan_type); + +- vlan_dev_set_lockdep_class(dev, vlan_dev_get_lock_subclass(dev)); ++ if (is_vlan_dev(real_dev)) ++ subclass = 1; ++ ++ vlan_dev_set_lockdep_class(dev, subclass); + + vlan_dev_priv(dev)->vlan_pcpu_stats = alloc_percpu(struct vlan_pcpu_stats); + if (!vlan_dev_priv(dev)->vlan_pcpu_stats) +@@ -793,7 +791,6 @@ static const struct net_device_ops vlan_netdev_ops = { + .ndo_netpoll_cleanup = vlan_dev_netpoll_cleanup, + #endif + .ndo_fix_features = vlan_dev_fix_features, +- .ndo_get_lock_subclass = vlan_dev_get_lock_subclass, + }; + + void vlan_setup(struct net_device *dev) +diff --git a/net/core/dev.c b/net/core/dev.c +index 7c22974..6088927 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4605,32 +4605,6 @@ void *netdev_lower_get_next_private_rcu(struct net_device *dev, + EXPORT_SYMBOL(netdev_lower_get_next_private_rcu); + + /** +- * netdev_lower_get_next - Get the next device from the lower neighbour +- * list +- * @dev: device +- * @iter: list_head ** of the current position +- * +- * Gets the next netdev_adjacent from the dev's lower neighbour +- * list, starting from iter position. The caller must hold RTNL lock or +- * its own locking that guarantees that the neighbour lower +- * list will remain unchainged. 
+- */ +-void *netdev_lower_get_next(struct net_device *dev, struct list_head **iter) +-{ +- struct netdev_adjacent *lower; +- +- lower = list_entry((*iter)->next, struct netdev_adjacent, list); +- +- if (&lower->list == &dev->adj_list.lower) +- return NULL; +- +- *iter = &lower->list; +- +- return lower->dev; +-} +-EXPORT_SYMBOL(netdev_lower_get_next); +- +-/** + * netdev_lower_get_first_private_rcu - Get the first ->private from the + * lower neighbour list, RCU + * variant +@@ -5080,30 +5054,6 @@ void *netdev_lower_dev_get_private(struct net_device *dev, + } + EXPORT_SYMBOL(netdev_lower_dev_get_private); + +- +-int dev_get_nest_level(struct net_device *dev, +- bool (*type_check)(struct net_device *dev)) +-{ +- struct net_device *lower = NULL; +- struct list_head *iter; +- int max_nest = -1; +- int nest; +- +- ASSERT_RTNL(); +- +- netdev_for_each_lower_dev(dev, lower, iter) { +- nest = dev_get_nest_level(lower, type_check); +- if (max_nest < nest) +- max_nest = nest; +- } +- +- if (type_check(dev)) +- max_nest++; +- +- return max_nest; +-} +-EXPORT_SYMBOL(dev_get_nest_level); +- + static void dev_change_rx_flags(struct net_device *dev, int flags) + { + const struct net_device_ops *ops = dev->netdev_ops; diff --git a/debian/patches/debian/netfilter-avoid-abi-change-in-3.14.5.patch b/debian/patches/debian/netfilter-avoid-abi-change-in-3.14.5.patch new file mode 100644 index 000000000..2c05d472a --- /dev/null +++ b/debian/patches/debian/netfilter-avoid-abi-change-in-3.14.5.patch 
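Review bot: The header of net-revert-lockdep-changes-in-3.14.5.patch does not name the upstream commits it undoes, although the revert spans macvlan, 8021q, netdevice.h and net/core/dev.c and removes two exported symbols (`netdev_lower_get_next`, `dev_get_nest_level`). Without the commit ids it is hard to check later whether the revert is still complete or can be dropped at the next ABI bump; the preempt.h revert elsewhere in this series does cite its commit. I would add `This reverts commits <upstream-commit-id-1> and <upstream-commit-id-2> from Linux 3.14.5.` (ids to be filled in) and correct `lockep` to `lockdep`. It is also worth stating that anyone rebuilding this source with lockdep enabled gets the false warnings back, since `vlan_dev_init()` again distinguishes only one nesting level (`subclass = 1`).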
@@ -0,0 +1,46 @@ +From: Ben Hutchings +Date: Sun, 01 Jun 2014 23:29:17 +0100 +Subject: netfilter: Avoid ABI change in 3.14.5 + +The types of fields in struct nf_ct_ext were changed by commit +223b02d923ec ("netfilter: nf_conntrack: reserve two bytes for +nf_ct_ext->len") as u8 is not large enough to store the offsets +that may be needed now. + +This ABI change should only affect the conntrack extension modules, +which must be in-tree as they have centrally assigned numbers. +However the structure definition is visible to all modules using +conntrack at all. Hide the ABI change from genksyms and use a macro +to rename the extension registration function so that it is still not +possible to mismatch conntrack core and extension modules. + +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -47,8 +47,19 @@ enum nf_ct_ext_id { + /* Extensions: optional stuff which isn't permanently in struct. */ + struct nf_ct_ext { + struct rcu_head rcu; ++#ifdef __GENKSYMS__ ++ /* Layout expected by modules calling nf_ct_extend_register() ++ * (which has been removed) ++ */ ++ u8 offset[NF_CT_EXT_NUM]; ++ u8 len; ++#else ++ /* Layout expected by modules calling nf_ct_extend_register_16() ++ * (all newly built modules, thanks to macro definition below) ++ */ + u16 offset[NF_CT_EXT_NUM]; + u16 len; ++#endif + char data[0]; + }; + +@@ -118,6 +129,7 @@ struct nf_ct_ext_type { + u8 alloc_size; + }; + ++#define nf_ct_extend_register nf_ct_extend_register_16 + int nf_ct_extend_register(struct nf_ct_ext_type *type); + void nf_ct_extend_unregister(struct nf_ct_ext_type *type); + #endif /* _NF_CONNTRACK_EXTEND_H */ diff --git a/debian/patches/debian/sockdiag-avoid-abi-change-in-3.14.5.patch b/debian/patches/debian/sockdiag-avoid-abi-change-in-3.14.5.patch new file mode 100644 index 000000000..6163d69a0 --- /dev/null +++ b/debian/patches/debian/sockdiag-avoid-abi-change-in-3.14.5.patch 
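Review bot: Hiding the `u8` to `u16` change of `offset[]` and `len` behind `__GENKSYMS__` leaves every symbol version that depends on `struct nf_ct_ext` unchanged, so a module compiled against the 3.14.4 headers is still accepted at load time even if it reads those fields itself. The `nf_ct_extend_register_16` rename only stops modules that register an extension; a module that merely looks extensions up through the header (the description notes the definition is visible to all conntrack users) would index the array with the old one-byte layout and compute wrong offsets into `data[]`. Whether any such out-of-tree module exists cannot be told from this hunk. I would state the assumption next to the `#ifdef`, e.g. `/* Modules built before this change that read offset[]/len directly are NOT detected; only registration is guarded. */`, or bump the ABI instead if one is known.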
@@ -0,0 +1,40 @@ +From: Ben Hutchings +Date: Sun, 01 Jun 2014 20:38:59 +0100 +Subject: sockdiag: Avoid ABI change in 3.14.5 + +Add the user_namespace parameter back to sock_diag_put_filterinfo(), +but don't use it there. + +--- a/include/linux/sock_diag.h ++++ b/include/linux/sock_diag.h +@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u + void sock_diag_save_cookie(void *sk, __u32 *cookie); + + int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr); +-int sock_diag_put_filterinfo(struct sock *sk, ++int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk, + struct sk_buff *skb, int attrtype); + + #endif +--- a/net/core/sock_diag.c ++++ b/net/core/sock_diag.c +@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *s + } + EXPORT_SYMBOL_GPL(sock_diag_put_meminfo); + +-int sock_diag_put_filterinfo(struct sock *sk, ++int sock_diag_put_filterinfo(struct user_namespace *user_ns __always_unused, struct sock *sk, + struct sk_buff *skb, int attrtype) + { + struct nlattr *attr; +--- a/net/packet/diag.c ++++ b/net/packet/diag.c +@@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, + goto out_nlmsg_trim; + + if ((req->pdiag_show & PACKET_SHOW_FILTER) && +- sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER)) ++ sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER)) + goto out_nlmsg_trim; + + return nlmsg_end(skb, nlh); diff --git a/debian/patches/debian/target-avoid-abi-change-in-3.14.5.patch b/debian/patches/debian/target-avoid-abi-change-in-3.14.5.patch new file mode 100644 index 000000000..f49c2a548 --- /dev/null +++ b/debian/patches/debian/target-avoid-abi-change-in-3.14.5.patch 
@@ -0,0 +1,43 @@ +From: Ben Hutchings +Date: Sun, 01 Jun 2014 20:47:46 +0100 +Subject: target: Avoid ABI change in 3.14.5 + +Commit e63ed0d7a980 ("scsi: fix our current target reap infrastructure") +removed one field (ew) and changed the type of another (reap_ref). + +Put back 'ew' and hide the type change to 'reap_ref', which remains +the same size and is only used within the SCSI core. + +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -433,6 +433,8 @@ static struct scsi_target *scsi_alloc_ta + } + dev = &starget->dev; + device_initialize(dev); ++ /* bwh: assert binary compatibility */ ++ BUILD_BUG_ON(sizeof(starget->reap_ref) != sizeof(unsigned int)); + kref_init(&starget->reap_ref); + dev->parent = get_device(parent); + dev_set_name(dev, "target%d:%d:%d", shost->host_no, channel, id); +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -257,7 +257,11 @@ struct scsi_target { + struct list_head siblings; + struct list_head devices; + struct device dev; ++#ifdef __GENKSYMS__ ++ unsigned int reap_ref; ++#else + struct kref reap_ref; /* last put renders target invisible */ ++#endif + unsigned int channel; + unsigned int id; /* target id ... replace + * scsi_device.id eventually */ +@@ -284,6 +288,7 @@ struct scsi_target { + #define SCSI_DEFAULT_TARGET_BLOCKED 3 + + char scsi_level; ++ struct execute_work ew; /* bwh: unused, for binary compatibility */ + enum scsi_target_state state; + void *hostdata; /* available to low-level driver */ + unsigned long starget_data[0]; /* for the transport */ diff --git a/debian/patches/series b/debian/patches/series index 88f5c4bda..36a82377c 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -84,3 +84,7 @@ features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch debian/libata-avoid-abi-change-in-3.14.4.patch debian/dm-avoid-abi-change-in-3.14.4.patch bugfix/x86/ACPICA-Tables-Fix-invalid-pointer-accesses-in-acpi_t.patch +debian/net-revert-lockdep-changes-in-3.14.5.patch +debian/sockdiag-avoid-abi-change-in-3.14.5.patch +debian/target-avoid-abi-change-in-3.14.5.patch +debian/netfilter-avoid-abi-change-in-3.14.5.patch From 013ec287e66cd3e16958fbe20b79d3522877f119 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Mon, 2 Jun 2014 09:00:38 +0000 Subject: [PATCH 7/9] [mips,mipsel] Fix branch emulation of branch likely instructions. svn path=/dists/sid/linux/; revision=21375 --- debian/changelog | 3 + ...emulation-of-branch-likely-instructi.patch | 65 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 69 insertions(+) create mode 100644 debian/patches/bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch diff --git a/debian/changelog b/debian/changelog index d03da4616..b35ed9192 100644 --- a/debian/changelog +++ b/debian/changelog @@ -92,6 +92,9 @@ linux (3.14.5-1) UNRELEASED; urgency=medium * [arm64] Initial kernel configuration and packaging (Closes: #745349). * [armhf] Add virtio-modules udeb. + [ Aurelien Jarno ] + * [mips,mipsel] Fix branch emulation of branch likely instructions. + -- Ben Hutchings Wed, 21 May 2014 21:24:50 +0100 linux (3.14.4-1) unstable; urgency=high diff --git a/debian/patches/bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch b/debian/patches/bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch new file mode 100644 index 000000000..3471e775b --- /dev/null +++ b/debian/patches/bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch 
@@ -0,0 +1,65 @@ +From: Ralf Baechle +Date: Thu, 22 May 2014 23:19:00 +0200 +Subject: MIPS: Fix branch emulation of branch likely instructions. +Origin: https://git.kernel.org/linus/41ca86e8502952116234fa558f4277092a5aaae9 + +Two issues: + + o For beql_op, beql_op, bne_op, bnel_op, blez_op, blezl_op, bgtz_op and + bgtzl_op the wrong field was being checked for the instruction opcode. + o For blez_op / blezl_op and bgtz_op / bgtzl_op the test was testing + for the wrong opcode. + +This bug got introduced by d8d4e3ae0b5c179c0bfd3f0af5b352d13bea9cfa [MIPS +Kprobes: Refactor branch emulation]. + +Signed-off-by: Ralf Baechle +Acked-by: Leonid Yegoshin +Acked-by: Victor Kamensky +--- + arch/mips/kernel/branch.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/mips/kernel/branch.c b/arch/mips/kernel/branch.c +index 4d78bf4..76122ff 100644 +--- a/arch/mips/kernel/branch.c ++++ b/arch/mips/kernel/branch.c +@@ -317,7 +317,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs, + if (regs->regs[insn.i_format.rs] == + regs->regs[insn.i_format.rt]) { + epc = epc + 4 + (insn.i_format.simmediate << 2); +- if (insn.i_format.rt == beql_op) ++ if (insn.i_format.opcode == beql_op) + ret = BRANCH_LIKELY_TAKEN; + } else + epc += 8; +@@ -329,7 +329,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs, + if (regs->regs[insn.i_format.rs] != + regs->regs[insn.i_format.rt]) { + epc = epc + 4 + (insn.i_format.simmediate << 2); +- if (insn.i_format.rt == bnel_op) ++ if (insn.i_format.opcode == bnel_op) + ret = BRANCH_LIKELY_TAKEN; + } else + epc += 8; +@@ -341,7 +341,7 @@ int __compute_return_epc_for_insn(struct pt_regs *regs, + /* rt field assumed to be zero */ + if ((long)regs->regs[insn.i_format.rs] <= 0) { + epc = epc + 4 + (insn.i_format.simmediate << 2); +- if (insn.i_format.rt == bnel_op) ++ if (insn.i_format.opcode == blezl_op) + ret = BRANCH_LIKELY_TAKEN; + } else + epc += 8; +@@ -353,7 +353,7 @@ int __compute_return_epc_for_insn(struct 
pt_regs *regs, + /* rt field assumed to be zero */ + if ((long)regs->regs[insn.i_format.rs] > 0) { + epc = epc + 4 + (insn.i_format.simmediate << 2); +- if (insn.i_format.rt == bnel_op) ++ if (insn.i_format.opcode == bgtzl_op) + ret = BRANCH_LIKELY_TAKEN; + } else + epc += 8; +-- +2.0.0.rc0 + diff --git a/debian/patches/series b/debian/patches/series index 36a82377c..abf2e67ce 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -88,3 +88,4 @@ debian/net-revert-lockdep-changes-in-3.14.5.patch debian/sockdiag-avoid-abi-change-in-3.14.5.patch debian/target-avoid-abi-change-in-3.14.5.patch debian/netfilter-avoid-abi-change-in-3.14.5.patch +bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch From f0f833e1d425c0ad53f31fd81294a1ca069ba17d Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Thu, 5 Jun 2014 12:44:33 +0000 Subject: [PATCH 8/9] Add futex security fixes including CVE-2014-3153 svn path=/dists/sid/linux/; revision=21395 --- debian/changelog | 7 + ...other-early-deadlock-detection-check.patch | 158 +++++++++ ...lways-cleanup-owner-tid-in-unlock_pi.patch | 131 ++++++++ ...tex-Make-lookup_pi_state-more-robust.patch | 309 ++++++++++++++++++ ...-Prevent-attaching-to-kernel-threads.patch | 50 +++ ...-acquisition-in-futex_lock_pi_atomic.patch | 86 +++++ ...tex-prevent-requeue-pi-on-same-futex.patch | 113 +++++++ debian/patches/series | 6 + 8 files changed, 860 insertions(+) create mode 100644 debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch create mode 100644 debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch create mode 100644 debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch create mode 100644 debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch create mode 100644 debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch create mode 100644 debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch diff --git a/debian/changelog b/debian/changelog index b35ed9192..b370cd6ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -87,6 +87,13 @@ linux (3.14.5-1) UNRELEASED; urgency=medium * [x86] ACPICA: Tables: Fix invalid pointer accesses in acpi_tb_parse_root_table(). (Closes: #748574) * net: Revert lockdep changes in 3.14.5 to avoid an ABI change + * futex: Add another early deadlock detection check + * futex: Prevent attaching to kernel threads + * futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) + (CVE-2014-3153) + * futex: Validate atomic acquisition in futex_lock_pi_atomic() + * futex: Always cleanup owner tid in unlock_pi + * futex: Make lookup_pi_state more robust [ Ian Campbell ] * [arm64] Initial kernel configuration and packaging (Closes: #745349). 
diff --git a/debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch b/debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch new file mode 100644 index 000000000..2f5e14dc7 --- /dev/null +++ b/debian/patches/bugfix/all/futex-Add-another-early-deadlock-detection-check.patch 
@@ -0,0 +1,158 @@ +From: Thomas Gleixner +Date: Mon, 12 May 2014 20:45:34 +0000 +Subject: futex: Add another early deadlock detection check + +commit 866293ee54227584ffcb4a42f69c1f365974ba7f upstream. + +Dave Jones trinity syscall fuzzer exposed an issue in the deadlock +detection code of rtmutex: + http://lkml.kernel.org/r/20140429151655.GA14277@redhat.com + +That underlying issue has been fixed with a patch to the rtmutex code, +but the futex code must not call into rtmutex in that case because + - it can detect that issue early + - it avoids a different and more complex fixup for backing out + +If the user space variable got manipulated to 0x80000000 which means +no lock holder, but the waiters bit set and an active pi_state in the +kernel is found we can figure out the recursive locking issue by +looking at the pi_state owner. If that is the current task, then we +can safely return -EDEADLK. + +The check should have been added in commit 59fa62451 (futex: Handle +futex_pi OWNER_DIED take over correctly) already, but I did not see +the above issue caused by user space manipulation back then. 
+ +Signed-off-by: Thomas Gleixner +Cc: Dave Jones +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Darren Hart +Cc: Davidlohr Bueso +Cc: Steven Rostedt +Cc: Clark Williams +Cc: Paul McKenney +Cc: Lai Jiangshan +Cc: Roland McGrath +Cc: Carlos ODonell +Cc: Jakub Jelinek +Cc: Michael Kerrisk +Cc: Sebastian Andrzej Siewior +Link: http://lkml.kernel.org/r/20140512201701.097349971@linutronix.de +Signed-off-by: Thomas Gleixner +--- + kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -731,7 +731,8 @@ void exit_pi_state_list(struct task_stru + + static int + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, +- union futex_key *key, struct futex_pi_state **ps) ++ union futex_key *key, struct futex_pi_state **ps, ++ struct task_struct *task) + { + struct futex_pi_state *pi_state = NULL; + struct futex_q *this, *next; +@@ -772,6 +773,16 @@ lookup_pi_state(u32 uval, struct futex_h + return -EINVAL; + } + ++ /* ++ * Protect against a corrupted uval. If uval ++ * is 0x80000000 then pid is 0 and the waiter ++ * bit is set. So the deadlock check in the ++ * calling code has failed and we did not fall ++ * into the check above due to !pid. ++ */ ++ if (task && pi_state->owner == task) ++ return -EDEADLK; ++ + atomic_inc(&pi_state->refcount); + *ps = pi_state; + +@@ -921,7 +932,7 @@ retry: + * We dont have the lock. 
Look up the PI state (or create it if + * we are the first waiter): + */ +- ret = lookup_pi_state(uval, hb, key, ps); ++ ret = lookup_pi_state(uval, hb, key, ps, task); + + if (unlikely(ret)) { + switch (ret) { +@@ -1333,7 +1344,7 @@ void requeue_pi_wake_futex(struct futex_ + * + * Return: + * 0 - failed to acquire the lock atomically; +- * 1 - acquired the lock; ++ * >0 - acquired the lock, return value is vpid of the top_waiter + * <0 - error + */ + static int futex_proxy_trylock_atomic(u32 __user *pifutex, +@@ -1344,7 +1355,7 @@ static int futex_proxy_trylock_atomic(u3 + { + struct futex_q *top_waiter = NULL; + u32 curval; +- int ret; ++ int ret, vpid; + + if (get_futex_value_locked(&curval, pifutex)) + return -EFAULT; +@@ -1372,11 +1383,13 @@ static int futex_proxy_trylock_atomic(u3 + * the contended case or if set_waiters is 1. The pi_state is returned + * in ps in contended cases. + */ ++ vpid = task_pid_vnr(top_waiter->task); + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task, + set_waiters); +- if (ret == 1) ++ if (ret == 1) { + requeue_pi_wake_futex(top_waiter, key2, hb2); +- ++ return vpid; ++ } + return ret; + } + +@@ -1407,7 +1420,6 @@ static int futex_requeue(u32 __user *uad + struct futex_pi_state *pi_state = NULL; + struct futex_hash_bucket *hb1, *hb2; + struct futex_q *this, *next; +- u32 curval2; + + if (requeue_pi) { + /* +@@ -1495,16 +1507,25 @@ retry_private: + * At this point the top_waiter has either taken uaddr2 or is + * waiting on it. If the former, then the pi_state will not + * exist yet, look it up one more time to ensure we have a +- * reference to it. ++ * reference to it. If the lock was taken, ret contains the ++ * vpid of the top waiter task. 
+ */ +- if (ret == 1) { ++ if (ret > 0) { + WARN_ON(pi_state); + drop_count++; + task_count++; +- ret = get_futex_value_locked(&curval2, uaddr2); +- if (!ret) +- ret = lookup_pi_state(curval2, hb2, &key2, +- &pi_state); ++ /* ++ * If we acquired the lock, then the user ++ * space value of uaddr2 should be vpid. It ++ * cannot be changed by the top waiter as it ++ * is blocked on hb2 lock if it tries to do ++ * so. If something fiddled with it behind our ++ * back the pi state lookup might unearth ++ * it. So we rather use the known value than ++ * rereading and handing potential crap to ++ * lookup_pi_state. ++ */ ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); + } + + switch (ret) { diff --git a/debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch b/debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch new file mode 100644 index 000000000..c4b2bb25f --- /dev/null +++ b/debian/patches/bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch 
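Review bot: futex_proxy_trylock_atomic() now returns `vpid` on success, so its new `>0 - acquired the lock` contract silently depends on task_pid_vnr(top_waiter->task) never being 0 at that point. If it can be 0 (for instance for a waiter that is not visible in the caller's pid namespace, which this hunk does not settle), the function returns 0 after requeue_pi_wake_futex() has already run, and futex_requeue() skips its `ret > 0` branch. I would at least record the assumption next to the assignment, e.g. `/* vpid must be non-zero: 0 means "not acquired" to futex_requeue() */`. Both functions extend beyond the hunks shown.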
@@ -0,0 +1,131 @@ +Return-Path: +Received: from Galois.linutronix.de (Galois.linutronix.de + [IPv6:2001:470:1f0b:db:abcd:42:0:1]) by vinyl.outflux.net + (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s53CRBS5010805 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for + ; Tue, 3 Jun 2014 05:27:17 -0700 +Received: from localhost ([127.0.0.1] helo=[127.0.1.1]) by + Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from + ) id 1Wrno4-0002Sb-9g; Tue, 03 Jun 2014 14:27:08 +0200 +Message-Id: <20140603121944.949737592@linutronix.de> +User-Agent: quilt/0.63-1 +Date: Tue, 03 Jun 2014 12:27:07 -0000 +From: Thomas Gleixner +To: Linus Torvalds +Cc: Darren Hart , Kees Cook , + "security@kernel.org" , linux-distros@vs.openwall.org, + Sebastian Krahmer , Ingo Molnar , Kees + Cook , Will Drewry +Subject: [patch 3/4] futex: Always cleanup owner tid in unlock_pi +References: <20140603113303.799564413@linutronix.de> +MIME-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-15 +Content-Disposition: inline; filename=futex-cleanup-owner-tid-on-unlock.patch +X-Linutronix-Spam-Score: -1.0 +X-Linutronix-Spam-Level: - +X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, + ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 +Received-SPF: none (linutronix.de: No applicable sender policy available) + receiver=smtp.outflux.net; identity=mailfrom; + envelope-from="tglx@linutronix.de"; helo=Galois.linutronix.de; + client-ip="2001:470:1f0b:db:abcd:42:0:1" +Envelope-To: kees@outflux.net +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: Galois.linutronix.de +X-Spam-Status: No, hits=-0.651 required=5 tests=RP_MATCHES_RCVD +X-Spam-Checker-Version: SpamAssassin 3.4.0-outflux_revision__1.66__ +X-Scanned-By: MIMEDefang 2.73 +Content-Length: 2854 +Lines: 93 + +If the owner died bit is set at futex_unlock_pi, we currently do not +cleanup the user space futex. So the owner TID of the current owner +(the unlocker) persists. 
That's observable inconsistant state, +especially when the ownership of the pi state got transferred. + +Clean it up unconditionally. + +Signed-off-by: Thomas Gleixner +Cc: Kees Cook +Cc: Will Drewry +Cc: Darren Hart +Cc: stable@vger.kernel.org +--- + kernel/futex.c | 44 ++++++++++++++++++++------------------------ + 1 file changed, 20 insertions(+), 24 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1038,6 +1038,7 @@ static int wake_futex_pi(u32 __user *uad + struct task_struct *new_owner; + struct futex_pi_state *pi_state = this->pi_state; + u32 uninitialized_var(curval), newval; ++ int ret = 0; + + if (!pi_state) + return -EINVAL; +@@ -1061,23 +1062,19 @@ static int wake_futex_pi(u32 __user *uad + new_owner = this->task; + + /* +- * We pass it to the next owner. (The WAITERS bit is always +- * kept enabled while there is PI state around. We must also +- * preserve the owner died bit.) +- */ +- if (!(uval & FUTEX_OWNER_DIED)) { +- int ret = 0; +- +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); +- +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) +- ret = -EFAULT; +- else if (curval != uval) +- ret = -EINVAL; +- if (ret) { +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); +- return ret; +- } ++ * We pass it to the next owner. The WAITERS bit is always ++ * kept enabled while there is PI state around. We cleanup the ++ * owner died bit, because we are the owner. ++ */ ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); ++ ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) ++ ret = -EFAULT; ++ else if (curval != uval) ++ ret = -EINVAL; ++ if (ret) { ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); ++ return ret; + } + + raw_spin_lock_irq(&pi_state->owner->pi_lock); +@@ -2337,9 +2334,10 @@ retry: + /* + * To avoid races, try to do the TID -> 0 atomic transition + * again. If it succeeds then we can return without waking +- * anyone else up: ++ * anyone else up. 
We only try this if neither the waiters nor ++ * the owner died bit are set. + */ +- if (!(uval & FUTEX_OWNER_DIED) && ++ if (!(uval & ~FUTEX_TID_MASK) && + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) + goto pi_faulted; + /* +@@ -2369,11 +2367,9 @@ retry: + /* + * No waiters - kernel unlocks the futex: + */ +- if (!(uval & FUTEX_OWNER_DIED)) { +- ret = unlock_futex_pi(uaddr, uval); +- if (ret == -EFAULT) +- goto pi_faulted; +- } ++ ret = unlock_futex_pi(uaddr, uval); ++ if (ret == -EFAULT) ++ goto pi_faulted; + + out_unlock: + spin_unlock(&hb->lock); diff --git a/debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch b/debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch new file mode 100644 index 000000000..db0fd4ee9 --- /dev/null +++ b/debian/patches/bugfix/all/futex-Make-lookup_pi_state-more-robust.patch 
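Review bot: This patch file opens with a raw mail dump (`Return-Path`, `Received`, `Envelope-To`, `X-Spam-*`) and has no `Origin:` line or upstream commit id, unlike futex-Prevent-attaching-to-kernel-threads.patch added by the same commit. Without that reference the backport cannot later be compared against the upstream change, and the headers carry delivery details that do not belong in the package. I would trim the header to `From:`, `Date:` and `Subject:` and add `Origin: <upstream commit URL, once public>`. The same applies to futex-Make-lookup_pi_state-more-robust.patch, futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch and futex-prevent-requeue-pi-on-same-futex.patch.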
@@ -0,0 +1,309 @@ +Return-Path: +Received: from Galois.linutronix.de (Galois.linutronix.de + [IPv6:2001:470:1f0b:db:abcd:42:0:1]) by vinyl.outflux.net + (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s53CRPJj010831 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for + ; Tue, 3 Jun 2014 05:27:31 -0700 +Received: from localhost ([127.0.0.1] helo=[127.0.1.1]) by + Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from + ) id 1Wrno5-0002Se-1m; Tue, 03 Jun 2014 14:27:09 +0200 +Message-Id: <20140603121945.039282525@linutronix.de> +User-Agent: quilt/0.63-1 +Date: Tue, 03 Jun 2014 12:27:08 -0000 +From: Thomas Gleixner +To: Linus Torvalds +Cc: Darren Hart , Kees Cook , + "security@kernel.org" , linux-distros@vs.openwall.org, + Sebastian Krahmer , Ingo Molnar , Kees + Cook , Will Drewry +Subject: [patch 4/4] futex: Make lookup_pi_state more robust +References: <20140603113303.799564413@linutronix.de> +MIME-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-15 +Content-Disposition: inline; filename=futex-make-lookup-pi-state-more-robust.patch +X-Linutronix-Spam-Score: -1.0 +X-Linutronix-Spam-Level: - +X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, + ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 +Received-SPF: none (linutronix.de: No applicable sender policy available) + receiver=smtp.outflux.net; identity=mailfrom; + envelope-from="tglx@linutronix.de"; helo=Galois.linutronix.de; + client-ip="2001:470:1f0b:db:abcd:42:0:1" +Envelope-To: kees@outflux.net +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: Galois.linutronix.de +X-Spam-Status: No, hits=-0.651 required=5 tests=RP_MATCHES_RCVD +X-Spam-Checker-Version: SpamAssassin 3.4.0-outflux_revision__1.66__ +X-Scanned-By: MIMEDefang 2.73 +Status: RO +Content-Length: 8955 +Lines: 270 + +The current implementation of lookup_pi_state has ambigous handling of +the TID value 0 in the user space futex. 
We can get into the kernel +even if the TID value is 0, because either there is a stale waiters +bit or the owner died bit is set or we are called from the requeue_pi +path or from user space just for fun. + +The current code avoids an explicit sanity check for pid = 0 in case +that kernel internal state (waiters) are found for the user space +address. This can lead to state leakage and worse under some +circumstances. + +Handle the cases explicit: + + Waiter | pi_state | pi->owner | uTID | uODIED | ? + +[1] NULL | --- | --- | 0 | 0/1 | Valid +[2] NULL | --- | --- | >0 | 0/1 | Valid + +[3] Found | NULL | -- | Any | 0/1 | Invalid + +[4] Found | Found | NULL | 0 | 1 | Valid +[5] Found | Found | NULL | >0 | 1 | Invalid + +[6] Found | Found | task | 0 | 1 | Valid + +[7] Found | Found | NULL | Any | 0 | Invalid + +[8] Found | Found | task | ==taskTID | 0/1 | Valid +[9] Found | Found | task | 0 | 0 | Invalid +[10] Found | Found | task | !=taskTID | 0/1 | Invalid + +[1] Indicates that the kernel can acquire the futex atomically. We + came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. + +[2] Valid, if TID does not belong to a kernel thread. If no matching + thread is found then it indicates that the owner TID has died. + +[3] Invalid. The waiter is queued on a non PI futex + +[4] Valid state after exit_robust_list(), which sets the user space + value to FUTEX_WAITERS | FUTEX_OWNER_DIED. + +[5] The user space value got manipulated between exit_robust_list() + and exit_pi_state_list() + +[6] Valid state after exit_pi_state_list() which sets the new owner in + the pi_state but cannot access the user space value. + +[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. + +[8] Owner and user space value match + +[9] There is no transient state which sets the user space TID to 0 + except exit_robust_list(), but this is indicated by the + FUTEX_OWNER_DIED bit. 
See [4] + +[10] There is no transient state which leaves owner and user space + TID out of sync. + +Signed-off-by: Thomas Gleixner +Cc: Kees Cook +Cc: Will Drewry +Cc: Darren Hart +Cc: stable@vger.kernel.org +--- + kernel/futex.c | 134 +++++++++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 106 insertions(+), 28 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -729,10 +729,58 @@ void exit_pi_state_list(struct task_stru + raw_spin_unlock_irq(&curr->pi_lock); + } + ++/* ++ * We need to check the following states: ++ * ++ * Waiter | pi_state | pi->owner | uTID | uODIED | ? ++ * ++ * [1] NULL | --- | --- | 0 | 0/1 | Valid ++ * [2] NULL | --- | --- | >0 | 0/1 | Valid ++ * ++ * [3] Found | NULL | -- | Any | 0/1 | Invalid ++ * ++ * [4] Found | Found | NULL | 0 | 1 | Valid ++ * [5] Found | Found | NULL | >0 | 1 | Invalid ++ * ++ * [6] Found | Found | task | 0 | 1 | Valid ++ * ++ * [7] Found | Found | NULL | Any | 0 | Invalid ++ * ++ * [8] Found | Found | task | ==taskTID | 0/1 | Valid ++ * [9] Found | Found | task | 0 | 0 | Invalid ++ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid ++ * ++ * [1] Indicates that the kernel can acquire the futex atomically. We ++ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. ++ * ++ * [2] Valid, if TID does not belong to a kernel thread. If no matching ++ * thread is found then it indicates that the owner TID has died. ++ * ++ * [3] Invalid. The waiter is queued on a non PI futex ++ * ++ * [4] Valid state after exit_robust_list(), which sets the user space ++ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED. ++ * ++ * [5] The user space value got manipulated between exit_robust_list() ++ * and exit_pi_state_list() ++ * ++ * [6] Valid state after exit_pi_state_list() which sets the new owner in ++ * the pi_state but cannot access the user space value. ++ * ++ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. 
++ * ++ * [8] Owner and user space value match ++ * ++ * [9] There is no transient state which sets the user space TID to 0 ++ * except exit_robust_list(), but this is indicated by the ++ * FUTEX_OWNER_DIED bit. See [4] ++ * ++ * [10] There is no transient state which leaves owner and user space ++ * TID out of sync. ++ */ + static int + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, +- union futex_key *key, struct futex_pi_state **ps, +- struct task_struct *task) ++ union futex_key *key, struct futex_pi_state **ps) + { + struct futex_pi_state *pi_state = NULL; + struct futex_q *this, *next; +@@ -742,12 +790,13 @@ lookup_pi_state(u32 uval, struct futex_h + plist_for_each_entry_safe(this, next, &hb->chain, list) { + if (match_futex(&this->key, key)) { + /* +- * Another waiter already exists - bump up +- * the refcount and return its pi_state: ++ * Sanity check the waiter before increasing ++ * the refcount and attaching to it. + */ + pi_state = this->pi_state; + /* +- * Userspace might have messed up non-PI and PI futexes ++ * Userspace might have messed up non-PI and ++ * PI futexes [3] + */ + if (unlikely(!pi_state)) + return -EINVAL; +@@ -755,44 +804,70 @@ lookup_pi_state(u32 uval, struct futex_h + WARN_ON(!atomic_read(&pi_state->refcount)); + + /* +- * When pi_state->owner is NULL then the owner died +- * and another waiter is on the fly. pi_state->owner +- * is fixed up by the task which acquires +- * pi_state->rt_mutex. +- * +- * We do not check for pid == 0 which can happen when +- * the owner died and robust_list_exit() cleared the +- * TID. ++ * Handle the owner died case: + */ +- if (pid && pi_state->owner) { ++ if (uval & FUTEX_OWNER_DIED) { + /* +- * Bail out if user space manipulated the +- * futex value. ++ * exit_pi_state_list sets owner to NULL and ++ * wakes the topmost waiter. The task which ++ * acquires the pi_state->rt_mutex will fixup ++ * owner. 
+ */ +- if (pid != task_pid_vnr(pi_state->owner)) ++ if (!pi_state->owner) { ++ /* ++ * No pi state owner, but the user ++ * space TID is not 0. Inconsistent ++ * state. [5] ++ */ ++ if (pid) ++ return -EINVAL; ++ /* ++ * Take a ref on the state and ++ * return. [4] ++ */ ++ goto out_state; ++ } ++ ++ /* ++ * If TID is 0, then either the dying owner ++ * has not yet executed exit_pi_state_list() ++ * or some waiter acquired the rtmutex in the ++ * pi state, but did not yet fixup the TID in ++ * user space. ++ * ++ * Take a ref on the state and return. [6] ++ */ ++ if (!pid) ++ goto out_state; ++ } else { ++ /* ++ * If the owner died bit is not set, ++ * then the pi_state must have an ++ * owner. [7] ++ */ ++ if (!pi_state->owner) + return -EINVAL; + } + + /* +- * Protect against a corrupted uval. If uval +- * is 0x80000000 then pid is 0 and the waiter +- * bit is set. So the deadlock check in the +- * calling code has failed and we did not fall +- * into the check above due to !pid. ++ * Bail out if user space manipulated the ++ * futex value. If pi state exists then the ++ * owner TID must be the same as the user ++ * space TID. [9/10] + */ +- if (task && pi_state->owner == task) +- return -EDEADLK; ++ if (pid != task_pid_vnr(pi_state->owner)) ++ return -EINVAL; + ++ out_state: + atomic_inc(&pi_state->refcount); + *ps = pi_state; +- + return 0; + } + } + + /* + * We are the first waiter - try to look up the real owner and attach +- * the new pi_state to it, but bail out when TID = 0 ++ * the new pi_state to it, but bail out when TID = 0 [1] + */ + if (!pid) + return -ESRCH; +@@ -825,6 +900,9 @@ lookup_pi_state(u32 uval, struct futex_h + return ret; + } + ++ /* ++ * No existing pi state. First waiter. [2] ++ */ + pi_state = alloc_pi_state(); + + /* +@@ -945,7 +1023,7 @@ retry: + * We dont have the lock. 
Look up the PI state (or create it if + * we are the first waiter): + */ +- ret = lookup_pi_state(uval, hb, key, ps, task); ++ ret = lookup_pi_state(uval, hb, key, ps); + + if (unlikely(ret)) { + switch (ret) { +@@ -1551,7 +1629,7 @@ retry_private: + * rereading and handing potential crap to + * lookup_pi_state. + */ +- ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state); + } + + switch (ret) { diff --git a/debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch b/debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch new file mode 100644 index 000000000..8be1947ef --- /dev/null +++ b/debian/patches/bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch 
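Review bot: Removing `if (task && pi_state->owner == task) return -EDEADLK;` from lookup_pi_state() changes what user space sees for the corrupted-value case that the first futex patch in this commit handled. With the TID bits 0, OWNER_DIED clear and an owner present, the code now falls through to `pid != task_pid_vnr(pi_state->owner)` and returns -EINVAL (state [9]). Neither the description nor the new comments mention that the error code changes. A line in the comment above that final check, such as `* A uval of 0x80000000 lands here as well and now gets -EINVAL, not -EDEADLK.`, would record it, and the `came came here` typo in the state table could be fixed at the same time. lookup_pi_state() continues outside the hunks.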
@@ -0,0 +1,50 @@ +From: Thomas Gleixner +Date: Mon, 12 May 2014 20:45:35 +0000 +Subject: futex: Prevent attaching to kernel threads +Origin: https://git.kernel.org/linus/f0d71b3dcb8332f7971b5f2363632573e6d9486a + +We happily allow userspace to declare a random kernel thread to be the +owner of a user space PI futex. + +Found while analysing the fallout of Dave Jones syscall fuzzer. + +We also should validate the thread group for private futexes and find +some fast way to validate whether the "alleged" owner has RW access on +the file which backs the SHM, but that's a separate issue. + +Signed-off-by: Thomas Gleixner +Cc: Dave Jones +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Darren Hart +Cc: Davidlohr Bueso +Cc: Steven Rostedt +Cc: Clark Williams +Cc: Paul McKenney +Cc: Lai Jiangshan +Cc: Roland McGrath +Cc: Carlos ODonell +Cc: Jakub Jelinek +Cc: Michael Kerrisk +Cc: Sebastian Andrzej Siewior +Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +--- + kernel/futex.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -800,6 +800,11 @@ lookup_pi_state(u32 uval, struct futex_h + if (!p) + return -ESRCH; + ++ if (!p->mm) { ++ put_task_struct(p); ++ return -EPERM; ++ } ++ + /* + * We need to look at the task state flags to figure out, + * whether the task is exiting. To protect against the do_exit diff --git a/debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch b/debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch new file mode 100644 index 000000000..6bd7d0e8b --- /dev/null +++ b/debian/patches/bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 
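Review bot: The added `if (!p->mm)` test in lookup_pi_state() identifies kernel threads by a missing mm, but a user task that has already released its mm while exiting also has `p->mm == NULL`, and the check sits before the exit-state handling that the following comment introduces. Such a task would get -EPERM instead of whatever the exiting-owner path below returns (not visible in this hunk). Testing the thread flag expresses the intent directly: `if (unlikely(p->flags & PF_KTHREAD)) {`. The function starts and ends outside the hunk.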
@@ -0,0 +1,86 @@ +Return-Path: +Received: from Galois.linutronix.de (Galois.linutronix.de + [IPv6:2001:470:1f0b:db:abcd:42:0:1]) by vinyl.outflux.net + (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s53CRBqO010803 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for + ; Tue, 3 Jun 2014 05:27:17 -0700 +Received: from localhost ([127.0.0.1] helo=[127.0.1.1]) by + Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from + ) id 1Wrno3-0002SY-Hl; Tue, 03 Jun 2014 14:27:07 +0200 +Message-Id: <20140603121944.859726103@linutronix.de> +User-Agent: quilt/0.63-1 +Date: Tue, 03 Jun 2014 12:27:06 -0000 +From: Thomas Gleixner +To: Linus Torvalds +Cc: Darren Hart , Kees Cook , + "security@kernel.org" , linux-distros@vs.openwall.org, + Sebastian Krahmer , Ingo Molnar , Kees + Cook , Will Drewry +Subject: [patch 2/4] futex: Validate atomic acquisition in + futex_lock_pi_atomic() +References: <20140603113303.799564413@linutronix.de> +MIME-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-15 +Content-Disposition: inline; filename=futex-validate-atomic-acquisiton.patch +X-Linutronix-Spam-Score: -1.0 +X-Linutronix-Spam-Level: - +X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, + ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 +Received-SPF: none (linutronix.de: No applicable sender policy available) + receiver=smtp.outflux.net; identity=mailfrom; + envelope-from="tglx@linutronix.de"; helo=Galois.linutronix.de; + client-ip="2001:470:1f0b:db:abcd:42:0:1" +Envelope-To: kees@outflux.net +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: Galois.linutronix.de +X-Spam-Status: No, hits=-0.651 required=5 tests=RP_MATCHES_RCVD +X-Spam-Checker-Version: SpamAssassin 3.4.0-outflux_revision__1.66__ +X-Scanned-By: MIMEDefang 2.73 +Content-Length: 1615 +Lines: 47 + +We need to protect the atomic acquisition in the kernel against rogue +user space which sets the user space futex to 0, so the kernel side +acquisition succeeds while there is existing state in the kernel 
+associated to the real owner. + +Verify whether the futex has waiters associated with kernel state. If +it has, return -EINVAL. The state is corrupted already, so no point in +cleaning it up. Subsequent calls will fail as well. Not our problem. + +[ tglx: Use futex_top_waiter() and explain why we do not need to try + restoring the already corrupted user space state. ] + +Signed-off-by: Darren Hart +Cc: Kees Cook +Cc: Will Drewry +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Gleixner +--- + kernel/futex.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -896,10 +896,18 @@ retry: + return -EDEADLK; + + /* +- * Surprise - we got the lock. Just return to userspace: ++ * Surprise - we got the lock, but we do not trust user space at all. + */ +- if (unlikely(!curval)) +- return 1; ++ if (unlikely(!curval)) { ++ /* ++ * We verify whether there is kernel state for this ++ * futex. If not, we can safely assume, that the 0 -> ++ * TID transition is correct. If state exists, we do ++ * not bother to fixup the user space state as it was ++ * corrupted already. ++ */ ++ return futex_top_waiter(hb, key) ? -EINVAL : 1; ++ } + + uval = curval; + diff --git a/debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch b/debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch new file mode 100644 index 000000000..370f384de --- /dev/null +++ b/debian/patches/bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch 
@@ -0,0 +1,113 @@
+Return-Path:
+Received: from Galois.linutronix.de (Galois.linutronix.de
+ [IPv6:2001:470:1f0b:db:abcd:42:0:1]) by vinyl.outflux.net
+ (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s53CRBLI010804
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for
+ ; Tue, 3 Jun 2014 05:27:17 -0700
+Received: from localhost ([127.0.0.1] helo=[127.0.1.1]) by
+ Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from
+ ) id 1Wrno2-0002SV-Po; Tue, 03 Jun 2014 14:27:06 +0200
+Message-Id: <20140603121944.770732571@linutronix.de>
+User-Agent: quilt/0.63-1
+Date: Tue, 03 Jun 2014 12:27:06 -0000
+From: Thomas Gleixner
+To: Linus Torvalds
+Cc: Darren Hart , Kees Cook ,
+ "security@kernel.org" , linux-distros@vs.openwall.org,
+ Sebastian Krahmer , Ingo Molnar , Will
+ Drewry , Kees Cook
+Subject: [patch 1/4] futex-prevent-requeue-pi-on-same-futex.patch futex:
+ Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
+References: <20140603113303.799564413@linutronix.de>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=ISO-8859-15
+Content-Disposition: inline; filename=futex-prevent-requeue-pi-on-same-futex.patch
+X-Linutronix-Spam-Score: -1.0
+X-Linutronix-Spam-Level: -
+X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,
+ ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
+Received-SPF: none (linutronix.de: No applicable sender policy available)
+ receiver=smtp.outflux.net; identity=mailfrom;
+ envelope-from="tglx@linutronix.de"; helo=Galois.linutronix.de;
+ client-ip="2001:470:1f0b:db:abcd:42:0:1"
+Envelope-To: kees@outflux.net
+X-MIMEDefang-Filter: outflux$Revision: 1.316 $
+X-HELO: Galois.linutronix.de
+X-Spam-Status: No, hits=-0.651 required=5 tests=RP_MATCHES_RCVD
+X-Spam-Checker-Version: SpamAssassin 3.4.0-outflux_revision__1.66__
+X-Scanned-By: MIMEDefang 2.73
+Status: RO
+Content-Length: 2114
+Lines: 73
+
+If uaddr == uaddr2, then we have broken the rule of only requeueing
+from a non-pi futex to a pi futex with this call.
If we attempt this,
+then dangling pointers may be left for rt_waiter resulting in an
+exploitable condition.
+
+This change brings futex_requeue() into line with
+futex_wait_requeue_pi() which performs the same check as per commit
+6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
+
+[ tglx: Compare the resulting keys as well, as uaddrs might be
+ different depending on the mapping ]
+
+Fixes CVE-2014-3153.
+
+Reported-by: Pinkie Pie
+Signed-off-by: Will Drewry
+Signed-off-by: Kees Cook
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Gleixner
+---
+ kernel/futex.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1428,6 +1428,13 @@ static int futex_requeue(u32 __user *uad
+
+ if (requeue_pi) {
+ /*
++ * Requeue PI only works on two distinct uaddrs. This
++ * check is only valid for private futexes. See below.
++ */
++ if (uaddr1 == uaddr2)
++ return -EINVAL;
++
++ /*
+ * requeue_pi requires a pi_state, try to allocate it now
+ * without any locks in case it fails.
+ */
+@@ -1465,6 +1472,15 @@ retry:
+ if (unlikely(ret != 0))
+ goto out_put_key1;
+
++ /*
++ * The check above which compares uaddrs is not sufficient for
++ * shared futexes. We need to compare the keys:
++ */
++ if (requeue_pi && match_futex(&key1, &key2)) {
++ ret = -EINVAL;
++ goto out_put_keys;
++ }
++
+ hb1 = hash_futex(&key1);
+ hb2 = hash_futex(&key2);
+
+@@ -2511,6 +2527,15 @@ static int futex_wait_requeue_pi(u32 __u
+ if (ret)
+ goto out_key2;
+
++ /*
++ * The check above which compares uaddrs is not sufficient for
++ * shared futexes. We need to compare the keys:
++ */
++ if (match_futex(&q.key, &key2)) {
++ ret = -EINVAL;
++ goto out_put_keys;
++ }
++
+ /* Queue the futex_q, drop the hb lock, wait for wakeup. */
+ futex_wait_queue_me(hb, &q, to);
+
diff --git a/debian/patches/series b/debian/patches/series
index abf2e67ce..d2f8fe8b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
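Review bot: In the futex_wait_requeue_pi() hunk the new `match_futex(&q.key, &key2)` branch jumps to `out_put_keys` without releasing the hash-bucket lock, while the context comment right after it ("drop the hb lock") suggests hb->lock is still held at that point. If so, the -EINVAL return leaves that bucket locked and later operations hashing to it would block. The branch should unlock first, e.g. `queue_unlock(hb);` before `ret = -EINVAL;` (check the helper's arguments against this tree). The function starts and ends outside the hunk, so the lock state is inferred from that comment alone. The two futex_requeue() checks sit before the `hash_futex()` lookups, so no bucket lock is visible on their error paths.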
@@ -89,3 +89,9 @@ debian/sockdiag-avoid-abi-change-in-3.14.5.patch
 debian/target-avoid-abi-change-in-3.14.5.patch
 debian/netfilter-avoid-abi-change-in-3.14.5.patch
 bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch
+bugfix/all/futex-Add-another-early-deadlock-detection-check.patch
+bugfix/all/futex-Prevent-attaching-to-kernel-threads.patch
+bugfix/all/futex-prevent-requeue-pi-on-same-futex.patch
+bugfix/all/futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
+bugfix/all/futex-Always-cleanup-owner-tid-in-unlock_pi.patch
+bugfix/all/futex-Make-lookup_pi_state-more-robust.patch
From 21ad04dfb192fb29f51325feaeab42bf87829387 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Thu, 5 Jun 2014 15:50:16 +0000
Subject: [PATCH 9/9] Prepare to release linux (3.14.5-1).
svn path=/dists/sid/linux/; revision=21397
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b370cd6ea..8d3f57f6b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.14.5-1) UNRELEASED; urgency=medium
+linux (3.14.5-1) unstable; urgency=high
 
 * New upstream stable update:
 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.5
@@ -102,7 +102,7 @@ linux (3.14.5-1) UNRELEASED; urgency=medium
 
 [ Aurelien Jarno ]
 * [mips,mipsel] Fix branch emulation of branch likely instructions.
 
- -- Ben Hutchings Wed, 21 May 2014 21:24:50 +0100
+ -- Ben Hutchings Thu, 05 Jun 2014 13:49:15 +0100
 
 linux (3.14.4-1) unstable; urgency=high