Update to 4.3.5
Drop several patches that are included in it. Fix/ignore various ABI changes.
parent 20ed8bdbac
commit ba1393105a
|
@ -1,4 +1,4 @@
|
||||||
linux (4.3.4-1) UNRELEASED; urgency=medium
|
linux (4.3.5-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
|
||||||
|
@ -50,16 +50,169 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
|
||||||
- af_unix: Revert 'lock_interruptible' in stream receive code
|
- af_unix: Revert 'lock_interruptible' in stream receive code
|
||||||
- tcp: restore fastopen with no data in SYN packet
|
- tcp: restore fastopen with no data in SYN packet
|
||||||
- rhashtable: Fix walker list corruption
|
- rhashtable: Fix walker list corruption
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5
|
||||||
|
- [x86] smpboot: Re-enable init_udelay=0 by default on modern CPUs
|
||||||
|
- [x86] mpx: Fix instruction decoder condition
|
||||||
|
- [x86] signal: Fix restart_syscall number for x32 tasks
|
||||||
|
- [x86] paravirt: Prevent rtc_cmos platform device init on PV guests
|
||||||
|
- [x86] mce: Ensure offline CPUs don't participate in rendezvous process
|
||||||
|
- [x86] xen: don't reset vcpu_info on a cancelled suspend
|
||||||
|
- [x86] KVM: VMX: fix SMEP and SMAP without EPT
|
||||||
|
- [powerpc*] KVM: Book3S HV: Don't dynamically split core when already split
|
||||||
|
- [powerpc*] KVM: Book3S HV: Prohibit setting illegal transaction state
|
||||||
|
in MSR
|
||||||
|
- [x86] KVM: expose MSR_TSC_AUX to userspace
|
||||||
|
- [x86] KVM: correctly print #AC in traces
|
||||||
|
- [x86] reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
|
||||||
|
- [x86] boot: Double BOOT_HEAP_SIZE to 64KB
|
||||||
|
- [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
|
||||||
|
(CVE-2016-2069)
|
||||||
|
- [x86] mm: Improve switch_mm() barrier comments
|
||||||
|
- timers: Use proper base migration in add_timer_on()
|
||||||
|
- ipmi: Start the timer and thread on internal msgs
|
||||||
|
- ipmi: move timer init to before irq is setup
|
||||||
|
- [x86] ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after
|
||||||
|
resume back
|
||||||
|
- ALSA: hda - Disable 64bit address for Creative HDA controllers
|
||||||
|
- ALSA: hda - Fix lost 4k BDL boundary workaround
|
||||||
|
- [x86] ALSA: hda - Add Intel Lewisburg device IDs Audio
|
||||||
|
- [x86] ALSA: hda - Apply pin fixup for HP ProBook 6550b
|
||||||
|
- ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in
|
||||||
|
- ALSA: hda - Apply HP headphone fixups more generically
|
||||||
|
- [x86] ALSA: hda - Fix noise on Dell Latitude E6440
|
||||||
|
- [x86] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
|
||||||
|
- [x86] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back
|
||||||
|
from S3
|
||||||
|
- [x86] ALSA: hda - Fix noise on Gigabyte Z170X mobo
|
||||||
|
- ALSA: hda - Skip ELD notification during system suspend
|
||||||
|
- ALSA: rme96: Fix unexpected volume reset after rate changes
|
||||||
|
- [x86] ALSA: hda - Add inverted dmic for Packard Bell DOTS
|
||||||
|
- ALSA: hda - Fixing speaker noise on the two latest thinkpad models
|
||||||
|
- [x86] ALSA: hda - Fix noise problems on Thinkpad T440s
|
||||||
|
- [x86] ALSA: hda/ca0132 - quirk for Alienware 17 2015
|
||||||
|
- [x86] ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
|
||||||
|
- [x86] ALSA: hda - Apply click noise workaround for Thinkpads generically
|
||||||
|
- [x86] ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
|
||||||
|
- [x86] ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
|
||||||
|
- ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
|
||||||
|
- ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly
|
||||||
|
- ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
|
||||||
|
- [x86] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
|
||||||
|
- [x86] ALSA: hda - Add mic mute hotkey quirk for Lenovo ThinkCentre AIO
|
||||||
|
- ALSA: hda - Add keycode map for alc input device
|
||||||
|
- [x86] ALSA: usb: Add native DSD support for Oppo HA-1
|
||||||
|
- ALSA: hda - Fixup inverted internal mic for Lenovo E50-80
|
||||||
|
- ALSA: seq: Fix missing NULL check at remove_events ioctl
|
||||||
|
- ALSA: usb-audio: Avoid calling usb_autopm_put_interface() at disconnect
|
||||||
|
- ALSA: seq: Fix race at timer setup and close
|
||||||
|
- [x86] ALSA: hda - Fix white noise on Dell Latitude E5550
|
||||||
|
- ALSA: usb-audio: Fix mixer ctl regression of Native Instrument devices
|
||||||
|
- ALSA: timer: Harden slave timer list handling
|
||||||
|
- [x86] ALSA: hda - fix the headset mic detection problem for a Dell laptop
|
||||||
|
- ALSA: timer: Fix race among timer ioctls
|
||||||
|
- ALSA: timer: Fix double unlink of active_list
|
||||||
|
- [x86] ALSA: hda - Add fixup for Dell Latitidue E6540
|
||||||
|
- ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
|
||||||
|
- ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
|
||||||
|
- ALSA: hrtimer: Fix stall by hrtimer_cancel()
|
||||||
|
- ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
|
||||||
|
- [x86] ALSA: hda - Fix bass pin fixup for ASUS N550JX
|
||||||
|
- ALSA: hda - Flush the pending probe work at remove
|
||||||
|
- ALSA: timer: Handle disconnection more safely
|
||||||
|
- ASoC: rt286: Fix run time error while modifying const data
|
||||||
|
- ASoC: rsnd: fixup SCU_SYS_INT_EN1 address
|
||||||
|
- ASoC: wm8962: correct addresses for HPF_C_0/1
|
||||||
|
- ASoC: es8328: Fix deemphasis values
|
||||||
|
- ASoC: wm8974: set cache type for regmap
|
||||||
|
- ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx
|
||||||
|
- ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
|
||||||
|
- ASoC: wm5110: Fix PGA clear when disabling DRE
|
||||||
|
- ASoC: compress: Fix compress device direction check
|
||||||
|
- usb: xhci: fix config fail of FS hub behind a HS hub with MTT
|
||||||
|
- airspy: increase USB control message buffer size
|
||||||
|
- USB: fix invalid memory access in hub_activate()
|
||||||
|
- USB: ipaq.c: fix a timeout loop
|
||||||
|
- USB: cp210x: add ID for ELV Marble Sound Board 1
|
||||||
|
- usb: core: lpm: fix usb3_hardware_lpm sysfs node
|
||||||
|
- xhci: refuse loading if nousb is used
|
||||||
|
- openvswitch: correct encoding of set tunnel action attributes
|
||||||
|
- veth: don’t modify ip_summed; doing so treats packets with bad checksums
|
||||||
|
as good.
|
||||||
|
- ipv6/addrlabel: fix ip6addrlbl_get()
|
||||||
|
- addrconf: always initialize sysctl table data
|
||||||
|
- net: cdc_ncm: avoid changing RX/TX buffers on MTU changes
|
||||||
|
- sctp: sctp should release assoc when sctp_make_abort_user return NULL
|
||||||
|
in sctp_close
|
||||||
|
- connector: bump skb->users before callback invocation
|
||||||
|
- af_unix: Fix splice-bind deadlock
|
||||||
|
- bridge: Only call /sbin/bridge-stp for the initial network namespace
|
||||||
|
- net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
|
||||||
|
- net: sched: fix missing free per cpu on qstats
|
||||||
|
- net: possible use after free in dst_release
|
||||||
|
- tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
|
||||||
|
- vxlan: fix test which detect duplicate vxlan iface
|
||||||
|
- net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
|
||||||
|
- ipv6: tcp: add rcu locking in tcp_v6_send_synack()
|
||||||
|
- tcp_yeah: don't set ssthresh below 2
|
||||||
|
- sched,cls_flower: set key address type when present
|
||||||
|
- net: pktgen: fix null ptr deref in skb allocation
|
||||||
|
- udp: disallow UFO for sockets with SO_NO_CHECK option
|
||||||
|
- net: preserve IP control block during GSO segmentation
|
||||||
|
- bonding: Prevent IPv6 link local address on enslaved devices
|
||||||
|
- phonet: properly unshare skbs in phonet_rcv()
|
||||||
|
- net: bpf: reject invalid shifts
|
||||||
|
- ipv6: update skb->csum when CE mark is propagated
|
||||||
|
- bridge: fix lockdep addr_list_lock false positive splat
|
||||||
|
- batman-adv: Avoid recursive call_rcu for batadv_bla_claim
|
||||||
|
- batman-adv: Avoid recursive call_rcu for batadv_nc_node
|
||||||
|
- batman-adv: Drop immediate batadv_orig_ifinfo free function
|
||||||
|
- batman-adv: Drop immediate batadv_neigh_node free function
|
||||||
|
- batman-adv: Drop immediate neigh_ifinfo free function
|
||||||
|
- batman-adv: Drop immediate batadv_hard_iface free function
|
||||||
|
- batman-adv: Drop immediate orig_node free function
|
||||||
|
- net/mlx5_core: Fix trimming down IRQ number
|
||||||
|
- team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
|
||||||
|
- xfrm: dst_entries_init() per-net dst_ops
|
||||||
|
- [powerpc*] tm: Block signal return setting invalid MSR state
|
||||||
|
- [powerpc*] tm: Check for already reclaimed tasks
|
||||||
|
- [powerpc*] opal-irqchip: Fix double endian conversion
|
||||||
|
- [powerpc*] opal-irqchip: Fix deadlock introduced by "Fix double endian
|
||||||
|
conversion"
|
||||||
|
- [powerpc*] powernv: pr_warn_once on unsupported OPAL_MSG type
|
||||||
|
- [powerpc*] Make value-returning atomics fully ordered
|
||||||
|
- [powerpc*] Make {cmp}xchg* and their atomic_ versions fully ordered
|
||||||
|
- [powerpc*] scripts/recordmcount.pl: support data in text section
|
||||||
|
- [powerpc*] module: Handle R_PPC64_ENTRY relocations
|
||||||
|
- [arm64] recordmcount: Replace the ignored mcount call into nop
|
||||||
|
- [arm64] bpf: fix div-by-zero case
|
||||||
|
- [arm64] bpf: fix mod-by-zero case
|
||||||
|
- [arm64] cmpxchg_dbl: fix return value type
|
||||||
|
- [arm64] kernel: pause/unpause function graph tracer in cpu_suspend()
|
||||||
|
- [arm*] KVM: test properly for a PTE's uncachedness
|
||||||
|
- [arm64] KVM: Fix AArch32 to AArch64 register mapping
|
||||||
|
- [arm*] KVM: correct PTE uncachedness check
|
||||||
|
- [arm64] Clear out any singlestep state on a ptrace detach operation
|
||||||
|
- [arm64] mm: ensure that the zero page is visible to the page table walker
|
||||||
|
- [arm64] kernel: enforce pmuserenr_el0 initialization and restore
|
||||||
|
- [arm*] iommu/arm-smmu: Fix error checking for ASID and VMID allocation
|
||||||
|
- [x86] iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints
|
||||||
|
- [hppa] iommu: fix panic due to trying to allocate too large region
|
||||||
|
- HID: wacom: Tie cached HID_DG_CONTACTCOUNT indices to report ID
|
||||||
|
- HID: wacom: Expect 'touch_max' touches if HID_DG_CONTACTCOUNT not present
|
||||||
|
- HID: core: Avoid uninitialized buffer access
|
||||||
|
- staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
|
||||||
|
- direct-io: Fix negative return from dio read beyond eof
|
||||||
|
- fix the regression from "direct-io: Fix negative return from dio read
|
||||||
|
beyond eof"
|
||||||
|
- [arm64] restore bogomips information in /proc/cpuinfo
|
||||||
|
- [arm64] KVM: Add workaround for Cortex-A57 erratum 834220
|
||||||
|
- [arm64] kernel: fix architected PMU registers unconditional access
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
|
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
|
||||||
* SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
|
* SCSI: fix crashes in sd and sr runtime PM (Closes: #801925)
|
||||||
* [x86] mm: Add barriers and document switch_mm()-vs-flush synchronization
|
|
||||||
(CVE-2016-2069)
|
|
||||||
* [x86] mm: Improve switch_mm() barrier comments
|
|
||||||
|
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
|
|
||||||
* netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
|
* netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
|
||||||
|
|
||||||
[ Aurelien Jarno ]
|
[ Aurelien Jarno ]
|
||||||
|
|
|
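Review bot: The ChangeLog-4.3.5 list added in this hunk names only one of the patch files this commit deletes, `tcp: fix zero cwnd in tcp_cwnd_reduction`, with CVE-2016-2070 moved up from the Salvatore Bonaccorso section. The other deleted patches whose headers carry CVE ids (CVE-2015-7799 for the VJ slot validation, CVE-2013-4312 for the unix FD accounting, CVE-2015-8104 for the SVM #DB intercept) have no entry in the lines shown, so a reader of this stanza cannot tell which upstream release now supplies each fix. Consider listing them under the stable update they arrived in, with the CVE id in parentheses as was done for CVE-2016-2069, so the fix can still be traced once the patch file is gone.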
@ -16,6 +16,9 @@ ignore-changes:
|
||||||
# Can't be used from OOT
|
# Can't be used from OOT
|
||||||
pin_is_valid
|
pin_is_valid
|
||||||
pinctrl_*
|
pinctrl_*
|
||||||
|
# Shouldn't be used from OOT
|
||||||
|
module:drivers/net/ethernet/mellanox/**
|
||||||
|
pv_info
|
||||||
|
|
||||||
[base]
|
[base]
|
||||||
arches:
|
arches:
|
||||||
|
|
|
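Review bot: The new `ignore-changes` entries under "# Shouldn't be used from OOT" give no reason per entry, and `module:drivers/net/ethernet/mellanox/**` switches off ABI checking for the whole Mellanox tree. The changelog in this commit lists `net/mlx5_core: Fix trimming down IRQ number` and `[x86] paravirt: Prevent rtc_cmos platform device init on PV guests`; if those are the changes that altered the ABI, name them in the comment and narrow the glob to the affected driver, so the ignores can be removed at the next ABI bump and an unrelated change elsewhere under mellanox/ is not hidden by them.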
@ -1,37 +0,0 @@
|
||||||
From: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Date: Sun, 1 Nov 2015 16:21:24 +0000
|
|
||||||
Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
|
|
||||||
Origin: https://git.kernel.org/linus/0baa57d8dc32db78369d8b5176ef56c5e2e18ab3
|
|
||||||
|
|
||||||
Compile-tested only.
|
|
||||||
|
|
||||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
|
|
||||||
1 file changed, 6 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
|
|
||||||
index c4198fa..86f9abe 100644
|
|
||||||
--- a/drivers/isdn/i4l/isdn_ppp.c
|
|
||||||
+++ b/drivers/isdn/i4l/isdn_ppp.c
|
|
||||||
@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
|
|
||||||
is->compflags = 0;
|
|
||||||
|
|
||||||
is->reset = isdn_ppp_ccp_reset_alloc(is);
|
|
||||||
+ if (!is->reset)
|
|
||||||
+ return -ENOMEM;
|
|
||||||
|
|
||||||
is->lp = NULL;
|
|
||||||
is->mp_seqno = 0; /* MP sequence number */
|
|
||||||
@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
|
|
||||||
* VJ header compression init
|
|
||||||
*/
|
|
||||||
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
|
|
||||||
+ if (!is->slcomp) {
|
|
||||||
+ isdn_ppp_ccp_reset_free(is);
|
|
||||||
+ return -ENOMEM;
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
#ifdef CONFIG_IPPP_FILTER
|
|
||||||
is->pass_filter = NULL;
|
|
|
@ -1,31 +0,0 @@
|
||||||
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
|
|
||||||
Date: Wed, 7 Oct 2015 07:09:26 -0300
|
|
||||||
Subject: [media] media/vivid-osd: fix info leak in ioctl
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c
|
|
||||||
|
|
||||||
The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
|
|
||||||
struct fb_vblank after the ->hcount member. Add an explicit
|
|
||||||
memset(0) before filling the structure to avoid the info leak.
|
|
||||||
|
|
||||||
Signed-off-by: Salva Peiró <speirofr@gmail.com>
|
|
||||||
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
|
||||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
||||||
---
|
|
||||||
drivers/media/platform/vivid/vivid-osd.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
|
|
||||||
index 084d346..e15eef6 100644
|
|
||||||
--- a/drivers/media/platform/vivid/vivid-osd.c
|
|
||||||
+++ b/drivers/media/platform/vivid/vivid-osd.c
|
|
||||||
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
|
|
||||||
case FBIOGET_VBLANK: {
|
|
||||||
struct fb_vblank vblank;
|
|
||||||
|
|
||||||
+ memset(&vblank, 0, sizeof(vblank));
|
|
||||||
vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
|
|
||||||
FB_VBLANK_HAVE_VSYNC;
|
|
||||||
vblank.count = 0;
|
|
|
@ -1,128 +0,0 @@
|
||||||
From: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Date: Sun, 1 Nov 2015 16:22:53 +0000
|
|
||||||
Subject: ppp, slip: Validate VJ compression slot parameters completely
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
Origin: https://git.kernel.org/linus/4ab42d78e37a294ac7bc56901d563c642e03c4ae
|
|
||||||
|
|
||||||
Currently slhc_init() treats out-of-range values of rslots and tslots
|
|
||||||
as equivalent to 0, except that if tslots is too large it will
|
|
||||||
dereference a null pointer (CVE-2015-7799).
|
|
||||||
|
|
||||||
Add a range-check at the top of the function and make it return an
|
|
||||||
ERR_PTR() on error instead of NULL. Change the callers accordingly.
|
|
||||||
|
|
||||||
Compile-tested only.
|
|
||||||
|
|
||||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
|
||||||
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
|
|
||||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
|
|
||||||
drivers/net/ppp/ppp_generic.c | 6 ++----
|
|
||||||
drivers/net/slip/slhc.c | 12 ++++++++----
|
|
||||||
drivers/net/slip/slip.c | 2 +-
|
|
||||||
4 files changed, 15 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
--- a/drivers/isdn/i4l/isdn_ppp.c
|
|
||||||
+++ b/drivers/isdn/i4l/isdn_ppp.c
|
|
||||||
@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file
|
|
||||||
* VJ header compression init
|
|
||||||
*/
|
|
||||||
is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
|
|
||||||
- if (!is->slcomp) {
|
|
||||||
+ if (IS_ERR(is->slcomp)) {
|
|
||||||
isdn_ppp_ccp_reset_free(is);
|
|
||||||
- return -ENOMEM;
|
|
||||||
+ return PTR_ERR(is->slcomp);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#ifdef CONFIG_IPPP_FILTER
|
|
||||||
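Review bot: On the `IS_ERR(is->slcomp)` path in `isdn_ppp_open()`, the error pointer stays stored in `is->slcomp` after the function returns. The `isdn_ppp_ioctl()` hunk that follows still tests `if (is->slcomp)` before calling `slhc_free()`, and an ERR_PTR value passes that test. Save the error code, set `is->slcomp = NULL`, then return the saved code, unless `is` is known to be discarded after a failed open.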
@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *fil
|
|
||||||
is->maxcid = val;
|
|
||||||
#ifdef CONFIG_ISDN_PPP_VJ
|
|
||||||
sltmp = slhc_init(16, val);
|
|
||||||
- if (!sltmp) {
|
|
||||||
- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
|
|
||||||
- return -ENOMEM;
|
|
||||||
- }
|
|
||||||
+ if (IS_ERR(sltmp))
|
|
||||||
+ return PTR_ERR(sltmp);
|
|
||||||
if (is->slcomp)
|
|
||||||
slhc_free(is->slcomp);
|
|
||||||
is->slcomp = sltmp;
|
|
||||||
--- a/drivers/net/ppp/ppp_generic.c
|
|
||||||
+++ b/drivers/net/ppp/ppp_generic.c
|
|
||||||
@@ -719,10 +719,8 @@ static long ppp_ioctl(struct file *file,
|
|
||||||
val &= 0xffff;
|
|
||||||
}
|
|
||||||
vj = slhc_init(val2+1, val+1);
|
|
||||||
- if (!vj) {
|
|
||||||
- netdev_err(ppp->dev,
|
|
||||||
- "PPP: no memory (VJ compressor)\n");
|
|
||||||
- err = -ENOMEM;
|
|
||||||
+ if (IS_ERR(vj)) {
|
|
||||||
+ err = PTR_ERR(vj);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
ppp_lock(ppp);
|
|
||||||
--- a/drivers/net/slip/slhc.c
|
|
||||||
+++ b/drivers/net/slip/slhc.c
|
|
||||||
@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
|
|
||||||
static unsigned char * put16(unsigned char *cp, unsigned short x);
|
|
||||||
static unsigned short pull16(unsigned char **cpp);
|
|
||||||
|
|
||||||
-/* Initialize compression data structure
|
|
||||||
+/* Allocate compression data structure
|
|
||||||
* slots must be in range 0 to 255 (zero meaning no compression)
|
|
||||||
+ * Returns pointer to structure or ERR_PTR() on error.
|
|
||||||
*/
|
|
||||||
struct slcompress *
|
|
||||||
slhc_init(int rslots, int tslots)
|
|
||||||
@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
|
|
||||||
register struct cstate *ts;
|
|
||||||
struct slcompress *comp;
|
|
||||||
|
|
||||||
+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
|
|
||||||
+ return ERR_PTR(-EINVAL);
|
|
||||||
+
|
|
||||||
comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
|
|
||||||
if (! comp)
|
|
||||||
goto out_fail;
|
|
||||||
|
|
||||||
- if ( rslots > 0 && rslots < 256 ) {
|
|
||||||
+ if (rslots > 0) {
|
|
||||||
size_t rsize = rslots * sizeof(struct cstate);
|
|
||||||
comp->rstate = kzalloc(rsize, GFP_KERNEL);
|
|
||||||
if (! comp->rstate)
|
|
||||||
@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
|
|
||||||
comp->rslot_limit = rslots - 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ( tslots > 0 && tslots < 256 ) {
|
|
||||||
+ if (tslots > 0) {
|
|
||||||
size_t tsize = tslots * sizeof(struct cstate);
|
|
||||||
comp->tstate = kzalloc(tsize, GFP_KERNEL);
|
|
||||||
if (! comp->tstate)
|
|
||||||
@@ -141,7 +145,7 @@ out_free2:
|
|
||||||
out_free:
|
|
||||||
kfree(comp);
|
|
||||||
out_fail:
|
|
||||||
- return NULL;
|
|
||||||
+ return ERR_PTR(-ENOMEM);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
--- a/drivers/net/slip/slip.c
|
|
||||||
+++ b/drivers/net/slip/slip.c
|
|
||||||
@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl
|
|
||||||
if (cbuff == NULL)
|
|
||||||
goto err_exit;
|
|
||||||
slcomp = slhc_init(16, 16);
|
|
||||||
- if (slcomp == NULL)
|
|
||||||
+ if (IS_ERR(slcomp))
|
|
||||||
goto err_exit;
|
|
||||||
#endif
|
|
||||||
spin_lock_bh(&sl->lock);
|
|
|
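Review bot: In `sl_alloc_bufs()`, `slcomp` now holds an ERR_PTR value when `IS_ERR(slcomp)` sends control to `err_exit`. The cleanup code at that label is outside this hunk; if it passes `slcomp` to `slhc_free()`, a NULL test there will not stop the error pointer from being dereferenced. Either set `slcomp = NULL` before the `goto`, or make `slhc_free()` return early for `IS_ERR_OR_NULL()` input.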
@ -1,63 +0,0 @@
|
||||||
From: Yuchung Cheng <ycheng@google.com>
|
|
||||||
Date: Wed, 6 Jan 2016 12:42:38 -0800
|
|
||||||
Subject: tcp: fix zero cwnd in tcp_cwnd_reduction
|
|
||||||
Origin: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390
|
|
||||||
|
|
||||||
Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
|
|
||||||
conditionally") introduced a bug that cwnd may become 0 when both
|
|
||||||
inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
|
|
||||||
to a div-by-zero if the connection starts another cwnd reduction
|
|
||||||
phase by setting tp->prior_cwnd to the current cwnd (0) in
|
|
||||||
tcp_init_cwnd_reduction().
|
|
||||||
|
|
||||||
To prevent this we skip PRR operation when nothing is acked or
|
|
||||||
sacked. Then cwnd must be positive in all cases as long as ssthresh
|
|
||||||
is positive:
|
|
||||||
|
|
||||||
1) The proportional reduction mode
|
|
||||||
inflight > ssthresh > 0
|
|
||||||
|
|
||||||
2) The reduction bound mode
|
|
||||||
a) inflight == ssthresh > 0
|
|
||||||
|
|
||||||
b) inflight < ssthresh
|
|
||||||
sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
|
|
||||||
|
|
||||||
Therefore in all cases inflight and sndcnt can not both be 0.
|
|
||||||
We check invalid tp->prior_cwnd to avoid potential div0 bugs.
|
|
||||||
|
|
||||||
In reality this bug is triggered only with a sequence of less common
|
|
||||||
events. For example, the connection is terminating an ECN-triggered
|
|
||||||
cwnd reduction with an inflight 0, then it receives reordered/old
|
|
||||||
ACKs or DSACKs from prior transmission (which acks nothing). Or the
|
|
||||||
connection is in fast recovery stage that marks everything lost,
|
|
||||||
but fails to retransmit due to local issues, then receives data
|
|
||||||
packets from other end which acks nothing.
|
|
||||||
|
|
||||||
Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
|
|
||||||
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
|
|
||||||
Signed-off-by: Yuchung Cheng <ycheng@google.com>
|
|
||||||
Signed-off-by: Neal Cardwell <ncardwell@google.com>
|
|
||||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
net/ipv4/tcp_input.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
|
|
||||||
index 2d656ee..d4c5115 100644
|
|
||||||
--- a/net/ipv4/tcp_input.c
|
|
||||||
+++ b/net/ipv4/tcp_input.c
|
|
||||||
@@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
|
|
||||||
int newly_acked_sacked = prior_unsacked -
|
|
||||||
(tp->packets_out - tp->sacked_out);
|
|
||||||
|
|
||||||
+ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
tp->prr_delivered += newly_acked_sacked;
|
|
||||||
if (delta < 0) {
|
|
||||||
u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
|
|
||||||
--
|
|
||||||
2.1.4
|
|
||||||
|
|
|
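Review bot: The added guard `if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))` in `tcp_cwnd_reduction()` puts a WARN on a path driven by received ACKs. The commit message argues that cwnd stays positive once the first test is in place, so the warning should be unreachable, but on hosts booted with panic_on_warn any remaining way to reach it turns a logged anomaly into a reboot. A short comment above the guard stating why `prior_cwnd` can only be zero through a bug would help whoever has to triage that warning.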
@ -1,140 +0,0 @@
|
||||||
From: willy tarreau <w@1wt.eu>
|
|
||||||
Date: Sun, 10 Jan 2016 07:54:56 +0100
|
|
||||||
Subject: unix: properly account for FDs passed over unix sockets
|
|
||||||
Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593
|
|
||||||
|
|
||||||
It is possible for a process to allocate and accumulate far more FDs than
|
|
||||||
the process' limit by sending them over a unix socket then closing them
|
|
||||||
to keep the process' fd count low.
|
|
||||||
|
|
||||||
This change addresses this problem by keeping track of the number of FDs
|
|
||||||
in flight per user and preventing non-privileged processes from having
|
|
||||||
more FDs in flight than their configured FD limit.
|
|
||||||
|
|
||||||
Reported-by: socketpair@gmail.com
|
|
||||||
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
|
||||||
Mitigates: CVE-2013-4312 (Linux 2.0+)
|
|
||||||
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
|
||||||
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
include/linux/sched.h | 1 +
|
|
||||||
net/unix/af_unix.c | 24 ++++++++++++++++++++----
|
|
||||||
net/unix/garbage.c | 13 ++++++++-----
|
|
||||||
3 files changed, 29 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/linux/sched.h b/include/linux/sched.h
|
|
||||||
index edad7a4..fbf25f1 100644
|
|
||||||
--- a/include/linux/sched.h
|
|
||||||
+++ b/include/linux/sched.h
|
|
||||||
@@ -830,6 +830,7 @@ struct user_struct {
|
|
||||||
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
|
|
||||||
#endif
|
|
||||||
unsigned long locked_shm; /* How many pages of mlocked shm ? */
|
|
||||||
+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
|
|
||||||
|
|
||||||
#ifdef CONFIG_KEYS
|
|
||||||
struct key *uid_keyring; /* UID specific keyring */
|
|
||||||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
|
|
||||||
index ef05cd9..e3f85bc 100644
|
|
||||||
--- a/net/unix/af_unix.c
|
|
||||||
+++ b/net/unix/af_unix.c
|
|
||||||
@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
|
|
||||||
sock_wfree(skb);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * The "user->unix_inflight" variable is protected by the garbage
|
|
||||||
+ * collection lock, and we just read it locklessly here. If you go
|
|
||||||
+ * over the limit, there might be a tiny race in actually noticing
|
|
||||||
+ * it across threads. Tough.
|
|
||||||
+ */
|
|
||||||
+static inline bool too_many_unix_fds(struct task_struct *p)
|
|
||||||
+{
|
|
||||||
+ struct user_struct *user = current_user();
|
|
||||||
+
|
|
||||||
+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
|
|
||||||
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
|
|
||||||
+ return false;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#define MAX_RECURSION_LEVEL 4
|
|
||||||
|
|
||||||
static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
|
||||||
@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
|
||||||
unsigned char max_level = 0;
|
|
||||||
int unix_sock_count = 0;
|
|
||||||
|
|
||||||
+ if (too_many_unix_fds(current))
|
|
||||||
+ return -ETOOMANYREFS;
|
|
||||||
+
|
|
||||||
for (i = scm->fp->count - 1; i >= 0; i--) {
|
|
||||||
struct sock *sk = unix_get_socket(scm->fp->fp[i]);
|
|
||||||
|
|
||||||
@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
|
|
||||||
if (!UNIXCB(skb).fp)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
- if (unix_sock_count) {
|
|
||||||
- for (i = scm->fp->count - 1; i >= 0; i--)
|
|
||||||
- unix_inflight(scm->fp->fp[i]);
|
|
||||||
- }
|
|
||||||
+ for (i = scm->fp->count - 1; i >= 0; i--)
|
|
||||||
+ unix_inflight(scm->fp->fp[i]);
|
|
||||||
return max_level;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
|
|
||||||
index a73a226..8fcdc22 100644
|
|
||||||
--- a/net/unix/garbage.c
|
|
||||||
+++ b/net/unix/garbage.c
|
|
||||||
@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
|
|
||||||
{
|
|
||||||
struct sock *s = unix_get_socket(fp);
|
|
||||||
|
|
||||||
+ spin_lock(&unix_gc_lock);
|
|
||||||
+
|
|
||||||
if (s) {
|
|
||||||
struct unix_sock *u = unix_sk(s);
|
|
||||||
|
|
||||||
- spin_lock(&unix_gc_lock);
|
|
||||||
-
|
|
||||||
if (atomic_long_inc_return(&u->inflight) == 1) {
|
|
||||||
BUG_ON(!list_empty(&u->link));
|
|
||||||
list_add_tail(&u->link, &gc_inflight_list);
|
|
||||||
@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
|
|
||||||
BUG_ON(list_empty(&u->link));
|
|
||||||
}
|
|
||||||
unix_tot_inflight++;
|
|
||||||
- spin_unlock(&unix_gc_lock);
|
|
||||||
}
|
|
||||||
+ fp->f_cred->user->unix_inflight++;
|
|
||||||
+ spin_unlock(&unix_gc_lock);
|
|
||||||
}
|
|
||||||
|
|
||||||
void unix_notinflight(struct file *fp)
|
|
||||||
{
|
|
||||||
struct sock *s = unix_get_socket(fp);
|
|
||||||
|
|
||||||
+ spin_lock(&unix_gc_lock);
|
|
||||||
+
|
|
||||||
if (s) {
|
|
||||||
struct unix_sock *u = unix_sk(s);
|
|
||||||
|
|
||||||
- spin_lock(&unix_gc_lock);
|
|
||||||
BUG_ON(list_empty(&u->link));
|
|
||||||
|
|
||||||
if (atomic_long_dec_and_test(&u->inflight))
|
|
||||||
list_del_init(&u->link);
|
|
||||||
unix_tot_inflight--;
|
|
||||||
- spin_unlock(&unix_gc_lock);
|
|
||||||
}
|
|
||||||
+ fp->f_cred->user->unix_inflight--;
|
|
||||||
+ spin_unlock(&unix_gc_lock);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
|
|
||||||
--
|
|
||||||
2.7.0.rc3
|
|
||||||
|
|
|
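Review bot: `too_many_unix_fds()` reads the counter of `current_user()`, while `unix_inflight()` and `unix_notinflight()` adjust `fp->f_cred->user->unix_inflight`, which belongs to the user who opened the file being passed. When the two differ, the limit is checked against one user and the count is charged to another. Charging the sending user in both places would make the check and the accounting agree. Separately, the `p` parameter is used only for `task_rlimit()` while the user always comes from `current`; the one caller shown passes `current`, so the parameter could be dropped.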
@ -1,38 +0,0 @@
|
||||||
From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
|
|
||||||
Date: Tue, 10 Nov 2015 15:10:33 -0500
|
|
||||||
Subject: xen/gntdev: Grant maps should not be subject to NUMA balancing
|
|
||||||
Origin: https://git.kernel.org/linus/9c17d96500f78d7ecdb71ca6942830158bc75a2b
|
|
||||||
Bug-Debian: https://bugs.debian.org/810472
|
|
||||||
|
|
||||||
Doing so will cause the grant to be unmapped and then, during
|
|
||||||
fault handling, the fault to be mistakenly treated as NUMA hint
|
|
||||||
fault.
|
|
||||||
|
|
||||||
In addition, even if those maps could partcipate in NUMA
|
|
||||||
balancing, it wouldn't provide any benefit since we are unable
|
|
||||||
to determine physical page's node (even if/when VNUMA is
|
|
||||||
implemented).
|
|
||||||
|
|
||||||
Marking grant maps' VMAs as VM_IO will exclude them from being
|
|
||||||
part of NUMA balancing.
|
|
||||||
|
|
||||||
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
|
|
||||||
---
|
|
||||||
drivers/xen/gntdev.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
|
|
||||||
index 2ea0b3b..1be5dd0 100644
|
|
||||||
--- a/drivers/xen/gntdev.c
|
|
||||||
+++ b/drivers/xen/gntdev.c
|
|
||||||
@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
|
|
||||||
|
|
||||||
vma->vm_ops = &gntdev_vmops;
|
|
||||||
|
|
||||||
- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
|
|
||||||
+ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
|
|
||||||
|
|
||||||
if (use_ptemod)
|
|
||||||
vma->vm_flags |= VM_DONTCOPY;
|
|
|
@ -1,75 +0,0 @@
|
||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Date: Tue, 10 Nov 2015 09:14:39 +0100
|
|
||||||
Subject: KVM: svm: unconditionally intercept #DB
|
|
||||||
Origin: https://git.kernel.org/linus/cbdb967af3d54993f5814f1cee0ed311a055377d
|
|
||||||
|
|
||||||
This is needed to avoid the possibility that the guest triggers
|
|
||||||
an infinite stream of #DB exceptions (CVE-2015-8104).
|
|
||||||
|
|
||||||
VMX is not affected: because it does not save DR6 in the VMCS,
|
|
||||||
it already intercepts #DB unconditionally.
|
|
||||||
|
|
||||||
Reported-by: Jan Beulich <jbeulich@suse.com>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
---
|
|
||||||
arch/x86/kvm/svm.c | 14 +++-----------
|
|
||||||
1 file changed, 3 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *s
|
|
||||||
set_exception_intercept(svm, UD_VECTOR);
|
|
||||||
set_exception_intercept(svm, MC_VECTOR);
|
|
||||||
set_exception_intercept(svm, AC_VECTOR);
|
|
||||||
+ set_exception_intercept(svm, DB_VECTOR);
|
|
||||||
|
|
||||||
set_intercept(svm, INTERCEPT_INTR);
|
|
||||||
set_intercept(svm, INTERCEPT_NMI);
|
|
||||||
@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v
|
|
||||||
mark_dirty(svm->vmcb, VMCB_SEG);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
|
|
||||||
+static void update_bp_intercept(struct kvm_vcpu *vcpu)
|
|
||||||
{
|
|
||||||
struct vcpu_svm *svm = to_svm(vcpu);
|
|
||||||
|
|
||||||
- clr_exception_intercept(svm, DB_VECTOR);
|
|
||||||
clr_exception_intercept(svm, BP_VECTOR);
|
|
||||||
|
|
||||||
- if (svm->nmi_singlestep)
|
|
||||||
- set_exception_intercept(svm, DB_VECTOR);
|
|
||||||
-
|
|
||||||
if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
|
|
||||||
- if (vcpu->guest_debug &
|
|
||||||
- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
|
|
||||||
- set_exception_intercept(svm, DB_VECTOR);
|
|
||||||
if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
|
|
||||||
set_exception_intercept(svm, BP_VECTOR);
|
|
||||||
} else
|
|
||||||
@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s
|
|
||||||
if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
|
|
||||||
svm->vmcb->save.rflags &=
|
|
||||||
~(X86_EFLAGS_TF | X86_EFLAGS_RF);
|
|
||||||
- update_db_bp_intercept(&svm->vcpu);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (svm->vcpu.guest_debug &
|
|
||||||
@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm
|
|
||||||
*/
|
|
||||||
svm->nmi_singlestep = true;
|
|
||||||
svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
|
|
||||||
- update_db_bp_intercept(vcpu);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
|
|
||||||
@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops =
|
|
||||||
.vcpu_load = svm_vcpu_load,
|
|
||||||
.vcpu_put = svm_vcpu_put,
|
|
||||||
|
|
||||||
- .update_db_bp_intercept = update_db_bp_intercept,
|
|
||||||
+ .update_db_bp_intercept = update_bp_intercept,
|
|
||||||
.get_msr = svm_get_msr,
|
|
||||||
.set_msr = svm_set_msr,
|
|
||||||
.get_segment_base = svm_get_segment_base,
|
|
|
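Review bot: in the `svm_x86_ops` hunk the callback slot is still named `.update_db_bp_intercept`, while the function assigned to it is now `update_bp_intercept` and no longer touches `DB_VECTOR`. The slot name promises #DB handling that the SVM side no longer does. The series keeps `kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch` as the follow-up, so check that it still applies on top of 4.3.5 now that this patch comes from upstream rather than from the series.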
@ -1,158 +0,0 @@
|
||||||
From: Andy Lutomirski <luto@kernel.org>
|
|
||||||
Date: Wed, 6 Jan 2016 12:21:01 -0800
|
|
||||||
Subject: x86/mm: Add barriers and document switch_mm()-vs-flush
|
|
||||||
synchronization
|
|
||||||
Origin: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e
|
|
||||||
|
|
||||||
When switch_mm() activates a new PGD, it also sets a bit that
|
|
||||||
tells other CPUs that the PGD is in use so that TLB flush IPIs
|
|
||||||
will be sent. In order for that to work correctly, the bit
|
|
||||||
needs to be visible prior to loading the PGD and therefore
|
|
||||||
starting to fill the local TLB.
|
|
||||||
|
|
||||||
Document all the barriers that make this work correctly and add
|
|
||||||
a couple that were missing.
|
|
||||||
|
|
||||||
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
|
||||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
|
||||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
|
||||||
Cc: Borislav Petkov <bp@alien8.de>
|
|
||||||
Cc: Brian Gerst <brgerst@gmail.com>
|
|
||||||
Cc: Dave Hansen <dave.hansen@linux.intel.com>
|
|
||||||
Cc: Denys Vlasenko <dvlasenk@redhat.com>
|
|
||||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
|
||||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
|
||||||
Cc: Rik van Riel <riel@redhat.com>
|
|
||||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Cc: linux-mm@kvack.org
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++-
|
|
||||||
arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++---
|
|
||||||
2 files changed, 58 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
|
|
||||||
index 379cd3658799..1edc9cd198b8 100644
|
|
||||||
--- a/arch/x86/include/asm/mmu_context.h
|
|
||||||
+++ b/arch/x86/include/asm/mmu_context.h
|
|
||||||
@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
|
|
||||||
#endif
|
|
||||||
cpumask_set_cpu(cpu, mm_cpumask(next));
|
|
||||||
|
|
||||||
- /* Re-load page tables */
|
|
||||||
+ /*
|
|
||||||
+ * Re-load page tables.
|
|
||||||
+ *
|
|
||||||
+ * This logic has an ordering constraint:
|
|
||||||
+ *
|
|
||||||
+ * CPU 0: Write to a PTE for 'next'
|
|
||||||
+ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
|
|
||||||
+ * CPU 1: set bit 1 in next's mm_cpumask
|
|
||||||
+ * CPU 1: load from the PTE that CPU 0 writes (implicit)
|
|
||||||
+ *
|
|
||||||
+ * We need to prevent an outcome in which CPU 1 observes
|
|
||||||
+ * the new PTE value and CPU 0 observes bit 1 clear in
|
|
||||||
+ * mm_cpumask. (If that occurs, then the IPI will never
|
|
||||||
+ * be sent, and CPU 0's TLB will contain a stale entry.)
|
|
||||||
+ *
|
|
||||||
+ * The bad outcome can occur if either CPU's load is
|
|
||||||
+ * reordered before that CPU's store, so both CPUs much
|
|
||||||
+ * execute full barriers to prevent this from happening.
|
|
||||||
+ *
|
|
||||||
+ * Thus, switch_mm needs a full barrier between the
|
|
||||||
+ * store to mm_cpumask and any operation that could load
|
|
||||||
+ * from next->pgd. This barrier synchronizes with
|
|
||||||
+ * remote TLB flushers. Fortunately, load_cr3 is
|
|
||||||
+ * serializing and thus acts as a full barrier.
|
|
||||||
+ *
|
|
||||||
+ */
|
|
||||||
load_cr3(next->pgd);
|
|
||||||
+
|
|
||||||
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
|
|
||||||
|
|
||||||
/* Stop flush ipis for the previous mm */
|
|
||||||
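Review bot: typo in the added ordering comment in `switch_mm()`: "so both CPUs much execute full barriers" should read "must". This sentence is the one that states the requirement on both sides, so the wording matters. The follow-up patch "x86/mm: Improve switch_mm() barrier comments" corrects it, so the two patches need to be kept or dropped together.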
@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
|
|
||||||
* schedule, protecting us from simultaneous changes.
|
|
||||||
*/
|
|
||||||
cpumask_set_cpu(cpu, mm_cpumask(next));
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* We were in lazy tlb mode and leave_mm disabled
|
|
||||||
* tlb flush IPI delivery. We must reload CR3
|
|
||||||
* to make sure to use no freed page tables.
|
|
||||||
+ *
|
|
||||||
+ * As above, this is a barrier that forces
|
|
||||||
+ * TLB repopulation to be ordered after the
|
|
||||||
+ * store to mm_cpumask.
|
|
||||||
*/
|
|
||||||
load_cr3(next->pgd);
|
|
||||||
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
|
|
||||||
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
|
|
||||||
index 8ddb5d0d66fb..8f4cc3dfac32 100644
|
|
||||||
--- a/arch/x86/mm/tlb.c
|
|
||||||
+++ b/arch/x86/mm/tlb.c
|
|
||||||
@@ -161,7 +161,10 @@ void flush_tlb_current_task(void)
|
|
||||||
preempt_disable();
|
|
||||||
|
|
||||||
count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
|
|
||||||
+
|
|
||||||
+ /* This is an implicit full barrier that synchronizes with switch_mm. */
|
|
||||||
local_flush_tlb();
|
|
||||||
+
|
|
||||||
trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
|
|
||||||
if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
|
|
||||||
flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
|
|
||||||
@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
|
|
||||||
unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
|
|
||||||
|
|
||||||
preempt_disable();
|
|
||||||
- if (current->active_mm != mm)
|
|
||||||
+ if (current->active_mm != mm) {
|
|
||||||
+ /* Synchronize with switch_mm. */
|
|
||||||
+ smp_mb();
|
|
||||||
+
|
|
||||||
goto out;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (!current->mm) {
|
|
||||||
leave_mm(smp_processor_id());
|
|
||||||
+
|
|
||||||
+ /* Synchronize with switch_mm. */
|
|
||||||
+ smp_mb();
|
|
||||||
+
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
|
|
||||||
base_pages_to_flush = (end - start) >> PAGE_SHIFT;
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Both branches below are implicit full barriers (MOV to CR or
|
|
||||||
+ * INVLPG) that synchronize with switch_mm.
|
|
||||||
+ */
|
|
||||||
if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
|
|
||||||
base_pages_to_flush = TLB_FLUSH_ALL;
|
|
||||||
count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
|
|
||||||
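Review bot: the two `smp_mb()` calls added before `goto out` in `flush_tlb_mm_range()` carry only `/* Synchronize with switch_mm. */`, which does not say what is being ordered. Suggest naming the pair: the earlier PTE write has to be ordered before the `mm_cpumask(mm)` read that decides whether flush IPIs are sent, as the mmu_context.h comment in this same patch describes. Without that, the barrier in the `current->active_mm != mm` branch looks removable, since no local flush happens on that path.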
@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
|
|
||||||
preempt_disable();
|
|
||||||
|
|
||||||
if (current->active_mm == mm) {
|
|
||||||
- if (current->mm)
|
|
||||||
+ if (current->mm) {
|
|
||||||
+ /*
|
|
||||||
+ * Implicit full barrier (INVLPG) that synchronizes
|
|
||||||
+ * with switch_mm.
|
|
||||||
+ */
|
|
||||||
__flush_tlb_one(start);
|
|
||||||
- else
|
|
||||||
+ } else {
|
|
||||||
leave_mm(smp_processor_id());
|
|
||||||
+
|
|
||||||
+ /* Synchronize with switch_mm. */
|
|
||||||
+ smp_mb();
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
|
|
|
@ -1,64 +0,0 @@
|
||||||
From: Andy Lutomirski <luto@kernel.org>
|
|
||||||
Date: Tue, 12 Jan 2016 12:47:40 -0800
|
|
||||||
Subject: x86/mm: Improve switch_mm() barrier comments
|
|
||||||
Origin: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b
|
|
||||||
|
|
||||||
My previous comments were still a bit confusing and there was a
|
|
||||||
typo. Fix it up.
|
|
||||||
|
|
||||||
Reported-by: Peter Zijlstra <peterz@infradead.org>
|
|
||||||
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
|
||||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
|
||||||
Cc: Borislav Petkov <bp@alien8.de>
|
|
||||||
Cc: Brian Gerst <brgerst@gmail.com>
|
|
||||||
Cc: Dave Hansen <dave.hansen@linux.intel.com>
|
|
||||||
Cc: Denys Vlasenko <dvlasenk@redhat.com>
|
|
||||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
|
||||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Cc: Rik van Riel <riel@redhat.com>
|
|
||||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization")
|
|
||||||
Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org
|
|
||||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/mmu_context.h | 15 ++++++++-------
|
|
||||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
|
|
||||||
index 1edc9cd198b8..bfd9b2a35a0b 100644
|
|
||||||
--- a/arch/x86/include/asm/mmu_context.h
|
|
||||||
+++ b/arch/x86/include/asm/mmu_context.h
|
|
||||||
@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
|
|
||||||
* be sent, and CPU 0's TLB will contain a stale entry.)
|
|
||||||
*
|
|
||||||
* The bad outcome can occur if either CPU's load is
|
|
||||||
- * reordered before that CPU's store, so both CPUs much
|
|
||||||
+ * reordered before that CPU's store, so both CPUs must
|
|
||||||
* execute full barriers to prevent this from happening.
|
|
||||||
*
|
|
||||||
* Thus, switch_mm needs a full barrier between the
|
|
||||||
* store to mm_cpumask and any operation that could load
|
|
||||||
- * from next->pgd. This barrier synchronizes with
|
|
||||||
- * remote TLB flushers. Fortunately, load_cr3 is
|
|
||||||
- * serializing and thus acts as a full barrier.
|
|
||||||
+ * from next->pgd. TLB fills are special and can happen
|
|
||||||
+ * due to instruction fetches or for no reason at all,
|
|
||||||
+ * and neither LOCK nor MFENCE orders them.
|
|
||||||
+ * Fortunately, load_cr3() is serializing and gives the
|
|
||||||
+ * ordering guarantee we need.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
load_cr3(next->pgd);
|
|
||||||
@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
|
|
||||||
* tlb flush IPI delivery. We must reload CR3
|
|
||||||
* to make sure to use no freed page tables.
|
|
||||||
*
|
|
||||||
- * As above, this is a barrier that forces
|
|
||||||
- * TLB repopulation to be ordered after the
|
|
||||||
- * store to mm_cpumask.
|
|
||||||
+ * As above, load_cr3() is serializing and orders TLB
|
|
||||||
+ * fills with respect to the mm_cpumask write.
|
|
||||||
*/
|
|
||||||
load_cr3(next->pgd);
|
|
||||||
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Date: Mon, 01 Feb 2016 09:05:24 +0100
|
||||||
|
Subject: usb: Fix ABI change in 4.3.5
|
||||||
|
Forwarded: not-needed
|
||||||
|
|
||||||
|
struct usb_device gained two new bitfields, but there were plenty of
|
||||||
|
padding bits to spare. Hide them from genksyms.
|
||||||
|
|
||||||
|
---
|
||||||
|
--- a/include/linux/usb.h
|
||||||
|
+++ b/include/linux/usb.h
|
||||||
|
@@ -582,8 +582,11 @@ struct usb_device {
|
||||||
|
unsigned usb2_hw_lpm_enabled:1;
|
||||||
|
unsigned usb2_hw_lpm_allowed:1;
|
||||||
|
unsigned usb3_lpm_enabled:1;
|
||||||
|
+#ifndef __GENKSYMS__
|
||||||
|
unsigned usb3_lpm_u1_enabled:1;
|
||||||
|
unsigned usb3_lpm_u2_enabled:1;
|
||||||
|
+ /* 18 bits spare */
|
||||||
|
+#endif
|
||||||
|
int string_langid;
|
||||||
|
|
||||||
|
/* static strings from the device */
|
|
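Review bot: the `#ifndef __GENKSYMS__` block hides `usb3_lpm_u1_enabled` and `usb3_lpm_u2_enabled` on the strength of the `/* 18 bits spare */` count, but nothing in the patch checks that count. If the bitfield run were already at a storage-unit boundary, the two new bits would shift `string_langid` and every later member while genksyms still reported an unchanged ABI. Suggest stating in the description how the 18 was derived, or that the struct size and the offset of `string_langid` were compared against the 4.3.4 build.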
@ -100,13 +100,9 @@ bugfix/all/selftests-breakpoints-actually-build-it.patch
|
||||||
debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
|
debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
|
|
||||||
bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
|
|
||||||
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
|
bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
|
||||||
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
||||||
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
|
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
|
||||||
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
|
|
||||||
bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
|
|
||||||
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
|
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
|
||||||
bugfix/all/xen-add-ring_copy_request.patch
|
bugfix/all/xen-add-ring_copy_request.patch
|
||||||
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
|
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
|
||||||
|
@ -127,11 +123,9 @@ bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
|
||||||
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
|
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
|
||||||
bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
|
bugfix/arm/crypto-sun4i-ss-add-missing-statesize.patch
|
||||||
bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
|
bugfix/all/revert-xhci-don-t-finish-a-td-if-we-get-a-short-transfer.patch
|
||||||
bugfix/all/xen-gntdev-grant-maps-should-not-be-subject-to-numa-.patch
|
|
||||||
bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
|
bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
|
||||||
bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
|
bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
|
||||||
bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
|
bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
|
||||||
bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
|
|
||||||
debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
|
debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch
|
||||||
bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
|
bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
|
||||||
bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
|
bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
|
||||||
|
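Review bot: this hunk drops `bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch` but keeps `debian/unix-fix-abi-change-for-cve-2013-4312-fix.patch`, which was written against the dropped patch. The ABI workaround now has to apply to the version of the fix shipped in 4.3.5. Worth confirming that it applies cleanly and still covers the same change, and adding a comment in the series file that it now pairs with an upstream commit.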
@ -142,8 +136,6 @@ bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
|
||||||
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
|
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
|
||||||
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
|
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
|
||||||
bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
|
bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
|
||||||
bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
|
|
||||||
bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch
|
bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch
|
||||||
bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
|
bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
|
||||||
bugfix/x86/x86-mm-Add-barriers-and-document-switch_mm-vs-flush-.patch
|
debian/usb-fix-abi-change-in-4.3.5.patch
|
||||||
bugfix/x86/x86-mm-Improve-switch_mm-barrier-comments.patch
|
|
||||||
|
|