[linux] 01/01: Update to 4.6.5

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Jul 31 00:51:47 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit e8c1b8e3069228c4d28e84d3494c53f0537e826d
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Jul 31 01:47:16 2016 +0100

    Update to 4.6.5
    
    Drop patches applied upstream.
    
    There are some ABI changes still to be resolved.
---
 debian/changelog                                   | 209 +++++++++++++++++++++
 ...validate-num_values-for-HIDIOCGUSAGES-HID.patch |  44 -----
 ...x-oops-validate-buffer-size-in-apparmor_s.patch | 115 ------------
 .../keys-potential-uninitialized-variable.patch    |  86 ---------
 .../nfsd-check-permissions-when-setting-acls.patch | 145 --------------
 ...synchronization-between-chunk-map_extend_.patch | 153 ---------------
 ...synchronization-between-synchronous-map-e.patch | 104 ----------
 .../bugfix/all/posix_acl-add-set_posix_acl.patch   |  82 --------
 ...always-reclaim-in-start_thread-for-exec-c.patch | 106 -----------
 debian/patches/series                              |   8 -
 10 files changed, 209 insertions(+), 843 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 4fe6c40..1ad0b91 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,212 @@
+linux (4.6.5-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5
+    - cfg80211: remove get/set antenna and tx power warnings
+    - mac80211: fix fast_tx header alignment
+    - mac80211: mesh: flush mesh paths unconditionally
+    - mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
+    - mac80211: Fix mesh estab_plinks counting in STA removal case
+    - cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC
+      header
+    - EDAC: Fix workqueues poll period resetting
+    - [x86] EDAC, sb_edac: Fix rank lookup on Broadwell
+    - futex: Calculate the futex key based on a tail page for file-based futexes
+    - IB/core: Fix bit curruption in ib_device_cap_flags structure
+    - IB/cm: Fix a recently introduced locking bug
+    - IB/rdmavt: Correct qp_priv_alloc() return value test
+    - IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
+    - [powerpc*] iommu: Remove the dependency on EEH struct in DDW mechanism
+    - [powerpc*] pseries: Fix PCI config address for DDW
+    - [powerpc*] pseries: Fix IBM_ARCH_VEC_NRCORES_OFFSET since POWER8NVL was
+      added
+    - USB: EHCI: declare hostpc register as zero-length array
+    - USB: don't free bandwidth_mutex too early
+    - usb: common: otg-fsm: add license to usb-otg-fsm
+    - mnt: fs_fully_visible test the proper mount for MNT_LOCKED
+    - mnt: Account for MS_RDONLY in fs_fully_visible
+    - mnt: If fs_fully_visible fails call put_filesystem.
+    - of: fix autoloading due to broken modalias with no 'compatible'
+    - of: irq: fix of_irq_get[_byname]() kernel-doc
+    - [x86] msr: Use the proper trace point conditional for writes
+    - locking/ww_mutex: Report recursive ww_mutex locking early
+    - locking/qspinlock: Fix spin_unlock_wait() some more
+    - locking/static_key: Fix concurrent static_key_slow_inc()
+    - [x86] kprobes: Clear TF bit in fault on single-stepping
+    - [x86] perf/intel/rapl: Fix pmus free during cleanup
+    - [x86] amd_nb: Fix boot crash on non-AMD systems
+    - [x86] perf: Fix 32-bit perf user callgraph collection
+    - [armhf] extcon: palmas: Fix boot up state of VBUS when using GPIO
+      detection
+    - gpio: make library immune to error pointers
+    - [x86] gpio: sch: Fix Oops on module load on Asus Eee PC 1201
+    - Revert "gpiolib: Split GPIO flags parsing and GPIO configuration"
+    - autofs braino fix for do_last()
+    - rtlwifi: Fix scheduling while atomic error from commit 49f86ec21c01
+    - uvc: Forward compat ioctls to their handlers directly
+    - thermal: cpu_cooling: fix improper order during initialization
+    - writeback: use higher precision calculation in domain_dirty_limits()
+    - sd: Fix rw_max for devices that report an optimal xfer size
+    - nfsd4/rpc: move backchannel create logic into rpc code
+    - nfsd: Always lock state exclusively.
+    - nfsd: Extend the mutex holding region around in nfsd4_process_open2()
+    - pnfs_nfs: fix _cancel_empty_pagelist
+    - NFS: Fix a double page unlock
+    - make nfs_atomic_open() call d_drop() on all ->open_context() errors.
+    - NFS: Fix another OPEN_DOWNGRADE bug
+    - SUNRPC: fix xprt leak on xps allocation failure
+    - rpc: share one xps between all backchannels
+    - [arm64] regulator: qcom_smd: add list_voltage callback
+    - [arm64] regulator: qcom_smd: add regulator ops for pm8941 lnldo
+    - [armhf] imx6ul: Fix Micrel PHY mask
+    - [armel,armhf] 8578/1: mm: ensure pmd_present only checks the valid bit
+    - [armel,armhf] 8579/1: mm: Fix definition of pmd_mknotpresent
+    - [armhf] dts: sun6i: yones-toptech-bs1078-v2: Drop constraints on dc1sw
+      regulator
+    - [armhf] dts: sun6i: primo81: Drop constraints on dc1sw regulator
+    - mm: Export migrate_page_move_mapping and migrate_page_copy
+    - UBIFS: Implement ->migratepage()
+    - sched/fair: Fix cfs_rq avg tracking underflow
+    - packet: Use symmetric hash for PACKET_FANOUT_HASH.
+    - net_sched: fix mirrored packets checksum
+    - geneve: fix max_mtu setting
+    - cdc_ncm: workaround for EM7455 "silent" data interface
+    - ipv6: Fix mem leak in rt6i_pcpu
+    - [x86] kvm: vmx: check apicv is active before using VT-d posted interrupt
+    - kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
+    - [s390x] KVM: mm: Fix CMMA reset during reboot
+    - [arm*] KVM: Stop leaking vcpu pid references
+    - [x86] KVM: nVMX: VMX instructions: fix segment checks when L1 is in
+      long mode.
+    - HID: elo: kill not flush the work
+    - Revert "HID: multitouch: enable palm rejection if device implements
+      confidence usage"
+    - HID: multitouch: enable palm rejection for Windows Precision Touchpad
+    - tracing: Handle NULL formats in hold_module_trace_bprintk_format()
+    - base: make module_create_drivers_dir race-free
+    - [armhf] iommu/rockchip: Fix zap cache during device attach
+    - [armhf] iommu/arm-smmu: Wire up map_sg for arm-smmu-v3
+    - [x86] iommu/vt-d: Enable QI on all IOMMUs before setting root entry
+    - [x86] iommu/amd: Fix unity mapping initialization race
+    - [x86] drm/mgag200: Black screen fix for G200e rev 4
+    - [armhf] drm/fsl-dcu: use flat regmap cache
+    - ipmi: Remove smi_msg from waiting_rcv_msgs list before
+      handle_one_recv_msg()
+    - [arm64] drm/nouveau/Revert "drm/nouveau/device/pci: set as
+      non-CPU-coherent on ARM64"
+    - [arm64] fix dump_instr when PAN and UAO are in use
+    - [arm64] mm: remove page_mapping check in __sync_icache_dcache
+    - [arm64] kernel: Save and restore UAO and addr_limit on exception entry
+    - vfs: add d_real_inode() helper
+    - af_unix: fix hard linked sockets on overlay
+    - btrfs: account for non-CoW'd blocks in btrfs_abort_transaction
+    - [x86] drm/radeon: fix asic initialization for virtualized environments
+    - [x86] drm/amdgpu/gfx7: fix broken condition check
+    - [x86] drm/amdgpu: fix num_rbs exposed to userspace (v2)
+    - [x86] drm/amdgpu: initialize amdgpu_cgs_acpi_eval_object result value
+    - ubi: Make recover_peb power cut aware
+    - [x86] drm/amdkfd: unbind only existing processes
+    - [x86] drm/amdkfd: destroy dbgmgr in notifier release
+    - drm/dp/mst: Always clear proposed vcpi table for port.
+    - virtio_balloon: fix PFN format for virtio-1
+    - drm/nouveau/bios/disp: fix handling of "match any protocol" entries
+    - drm/nouveau/disp/sor/gf119: both links use the same training register
+    - drm/nouveau/gr/gf100-: update sm error decoding from gk20a nvgpu headers
+    - drm/nouveau/ltc/gm107-: fix typo in the address of NV_PLTCG_LTC0_LTS0_INTR
+    - drm/nouveau/fbcon: fix out-of-bounds memory accesses
+    - drm/nouveau/disp/sor/gm107: training pattern registers are like gm200
+    - drm/nouveau: fix for disabled fbdev emulation
+    - drm/nouveau/disp/sor/gf119: select correct sor when poking training
+      pattern
+    - [x86] drm/i915/ilk: Don't disable SSC source if it's in use
+    - [x86] drm/i915/fbc: Disable on HSW by default for now
+    - [x86] drm/i915: Refresh cached DP port register value on resume
+    - [x86] drm/i915: Update ifdeffery for mutex->owner
+    - drm: add missing drm_mode_set_crtcinfo call
+    - drm: make drm_atomic_set_mode_prop_for_crtc() more reliable
+    - drm: Wrap direct calls to driver->gem_free_object from CMA
+    - [x86] drm/amd/powerplay: fix bug that function parameter was incorect.
+    - [x86] drm/amd/powerplay: need to notify system bios pcie device ready
+    - [x86] drm/amd/powerplay: fix logic error.
+    - [x86] drm/amd/powerplay: incorrectly use of the function return value
+    - [x86] drm/amd/powerplay: fix incorrect voltage table value for tonga
+    - drm: atmel-hlcdc: actually disable scaling when no scaling is required
+    - drm/atomic: Make drm_atomic_legacy_backoff reset crtc->acquire_ctx
+    - drm/ttm: Make ttm_bo_mem_compat available
+    - [x86] drm/vmwgfx: Add an option to change assumed FB bpp
+    - [x86] drm/vmwgfx: Work around mode set failure in 2D VMs
+    - [x86] drm/vmwgfx: Check pin count before attempting to move a buffer
+    - [x86] drm/vmwgfx: Delay pinning fbdev framebuffer until after mode set
+    - [x86] drm/vmwgfx: Fix corner case screen target management
+    - [x86] drm/vmwgfx: Fix error paths when mapping framebuffer
+    - [armhf] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
+    - PCI: Fix unaligned accesses in VC code
+    - iio: Fix error handling in iio_trigger_attach_poll_func
+    - iio:st_pressure: fix sampling gains (bring inline with ABI)
+    - iio: light apds9960: Add the missing dev.parent
+    - iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output
+    - iio: proximity: as3935: remove triggered buffer processing
+    - iio: proximity: as3935: fix buffer stack trashing
+    - iio: humidity: hdc100x: correct humidity integration time mask
+    - iio: humidity: hdc100x: fix IIO_TEMP channel reporting
+    - iio: hudmidity: hdc100x: fix incorrect shifting and scaling
+    - staging: iio: accel: fix error check
+    - iio: accel: kxsd9: fix the usage of spi_w8r8()
+    - iio:ad7266: Fix broken regulator error handling
+    - iio:ad7266: Fix support for optional regulators
+    - iio:ad7266: Fix probe deferral for vref
+    - tty: vt: Fix soft lockup in fbcon cursor blink timer.
+    - tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
+    - [x86] hwmon: (dell-smm) Restrict fan control and serial number to
+      CAP_SYS_ADMIN by default
+    - [x86] hwmon: (dell-smm) Disallow fan_type() calls on broken machines
+    - [x86] hwmon: (dell-smm) Cache fan_type() calls and change fan detection
+    - ALSA: dummy: Fix a use-after-free at closing
+    - ALSA: hdac_regmap - fix the register access for runtime PM
+    - [x86] ALSA: hda - Fix the headset mic jack detection on Dell machine
+    - [x86] ALSA: hda / realtek - add two more Thinkpad IDs (5050,5053) for
+      tpt460 fixup
+    - ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
+    - ALSA: echoaudio: Fix memory allocation
+    - ALSA: timer: Fix negative queue usage by racy accesses
+    - [x86] ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
+    - [x86] ALSA: hda - Add PCI ID for Kabylake-H
+    - ALSA: hda - fix read before array start
+    - ALSA: usb-audio: Fix quirks code is not called
+    - ALSA: hda/realtek - add new pin definition in alc225 pin quirk table
+    - ALSA: pcm: Free chmap at PCM free callback, too
+    - ALSA: ctl: Stop notification after disconnection
+    - ALSA: hda - fix use-after-free after module unload
+    - [x86] ALSA: hda: add AMD Stoney PCI ID with proper driver caps
+    - [armhf] sunxi/dt: make the CHIP inherit from allwinner,sun5i-a13
+    - [armhf] dts: armada-38x: fix MBUS_ID for crypto SRAM on Armada 385 Linksys
+    - [armel,armhf] mvebu: fix HW I/O coherency related deadlocks
+    - ovl: fix dentry leak for default_permissions
+    - ovl: get_write_access() in truncate
+    - ovl: Copy up underlying inode's ->i_mode to overlay inode
+    - ovl: handle ATTR_KILL*
+    - ovl: verify upper dentry in ovl_remove_and_whiteout()
+    - scsi: fix race between simultaneous decrements of ->host_failed
+    - [s390x] fix test_fp_ctl inline assembly contraints
+    - [s390x] Revert "s390/kdump: Clear subchannel ID to signal
+      non-CCW/SCSI IPL"
+    - 53c700: fix BUG on untagged commands
+    - cifs: Fix reconnect to not defer smb3 session reconnect long after socket
+      reconnect
+    - cifs: dynamic allocation of ntlmssp blob
+    - cifs: File names with trailing period or space need special case
+      conversion
+    - [x86] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
+    - tmpfs: don't undo fallocate past its last page
+    - tmpfs: fix regression hang in fallocate undo
+    - crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request struct
+    - [x86] crypto: qat - make qat_asym_algs.o depend on asn1 headers
+    - [x86] drm/i915: Revert DisplayPort fast link training feature
+    - ovl: Do d_type check only if work dir creation was successful
+    - ovl: warn instead of error if d_type is not supported
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 30 Jul 2016 14:23:58 +0100
+
 linux (4.6.4-1) unstable; urgency=medium
 
   * Team upload.
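Review bot: the new 4.6.5-1 entry does not record the Debian patches this commit removes. The commit message says "Drop patches applied upstream", but none of the listed upstream changes matches the subjects of the removed patches shown below (the hiddev num_values validation, the apparmor_setprocattr() buffer check, the KEYS uninitialized variable fix, the nfsd ACL permission check, the percpu map_extend_work fix), so the changelog alone does not show that these fixes are still present. Suggest listing the corresponding upstream entries or adding a line naming the dropped patches, and resolving the ABI changes mentioned in the commit message before the entry leaves UNRELEASED.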
diff --git a/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch b/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
deleted file mode 100644
index e5e4cec..0000000
--- a/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Scott Bauer <sbauer at plzdonthack.me>
-Date: Thu, 23 Jun 2016 08:59:47 -0600
-Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
- commands
-Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
-
-This patch validates the num_values parameter from userland during the
-HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
-to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
-leading to a heap overflow.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Scott Bauer <sbauer at plzdonthack.me>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/usbhid/hiddev.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca..700145b 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
- 					goto inval;
- 			} else if (uref->usage_index >= field->report_count)
- 				goto inval;
--
--			else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
--				 (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
--				  uref->usage_index + uref_multi->num_values > field->report_count))
--				goto inval;
- 		}
- 
-+		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+		     uref->usage_index + uref_multi->num_values > field->report_count))
-+			goto inval;
-+
- 		switch (cmd) {
- 		case HIDIOCGUSAGE:
- 			uref->value = field->value[uref->usage_index];
--- 
-2.8.1
-
diff --git a/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch b/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
deleted file mode 100644
index 1703371..0000000
--- a/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: Vegard Nossum <vegard.nossum at oracle.com>
-Date: Thu, 7 Jul 2016 13:41:11 -0700
-Subject: apparmor: fix oops, validate buffer size in apparmor_setprocattr()
-Origin: https://git.kernel.org/linus/30a46a4647fd1df9cf52e43bf467f0d9265096ca
-
-When proc_pid_attr_write() was changed to use memdup_user apparmor's
-(interface violating) assumption that the setprocattr buffer was always
-a single page was violated.
-
-The size test is not strictly speaking needed as proc_pid_attr_write()
-will reject anything larger, but for the sake of robustness we can keep
-it in.
-
-SMACK and SELinux look safe to me, but somebody else should probably
-have a look just in case.
-
-Based on original patch from Vegard Nossum <vegard.nossum at oracle.com>
-modified for the case that apparmor provides null termination.
-
-Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
-Reported-by: Vegard Nossum <vegard.nossum at oracle.com>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Cc: John Johansen <john.johansen at canonical.com>
-Cc: Paul Moore <paul at paul-moore.com>
-Cc: Stephen Smalley <sds at tycho.nsa.gov>
-Cc: Eric Paris <eparis at parisplace.org>
-Cc: Casey Schaufler <casey at schaufler-ca.com>
-Cc: stable at kernel.org
-Signed-off-by: John Johansen <john.johansen at canonical.com>
-Reviewed-by: Tyler Hicks <tyhicks at canonical.com>
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -523,34 +523,34 @@ static int apparmor_setprocattr(struct t
- {
- 	struct common_audit_data sa;
- 	struct apparmor_audit_data aad = {0,};
--	char *command, *args = value;
-+	char *command, *largs = NULL, *args = value;
- 	size_t arg_size;
- 	int error;
- 
- 	if (size == 0)
- 		return -EINVAL;
--	/* args points to a PAGE_SIZE buffer, AppArmor requires that
--	 * the buffer must be null terminated or have size <= PAGE_SIZE -1
--	 * so that AppArmor can null terminate them
--	 */
--	if (args[size - 1] != '\0') {
--		if (size == PAGE_SIZE)
--			return -EINVAL;
--		args[size] = '\0';
--	}
--
- 	/* task can only write its own attributes */
- 	if (current != task)
- 		return -EACCES;
- 
--	args = value;
-+	/* AppArmor requires that the buffer must be null terminated atm */
-+	if (args[size - 1] != '\0') {
-+		/* null terminate */
-+		largs = args = kmalloc(size + 1, GFP_KERNEL);
-+		if (!args)
-+			return -ENOMEM;
-+		memcpy(args, value, size);
-+		args[size] = '\0';
-+	}
-+
-+	error = -EINVAL;
- 	args = strim(args);
- 	command = strsep(&args, " ");
- 	if (!args)
--		return -EINVAL;
-+		goto out;
- 	args = skip_spaces(args);
- 	if (!*args)
--		return -EINVAL;
-+		goto out;
- 
- 	arg_size = size - (args - (char *) value);
- 	if (strcmp(name, "current") == 0) {
-@@ -576,10 +576,12 @@ static int apparmor_setprocattr(struct t
- 			goto fail;
- 	} else
- 		/* only support the "current" and "exec" process attributes */
--		return -EINVAL;
-+		goto fail;
- 
- 	if (!error)
- 		error = size;
-+out:
-+	kfree(largs);
- 	return error;
- 
- fail:
-@@ -588,9 +590,9 @@ fail:
- 	aad.profile = aa_current_profile();
- 	aad.op = OP_SETPROCATTR;
- 	aad.info = name;
--	aad.error = -EINVAL;
-+	aad.error = error = -EINVAL;
- 	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
--	return -EINVAL;
-+	goto out;
- }
- 
- static int apparmor_task_setrlimit(struct task_struct *task,
--- 
-2.8.1
-
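Review bot: in the embedded lsm.c hunk, the unchanged line `arg_size = size - (args - (char *) value);` still subtracts `value`, although the added `largs = args = kmalloc(size + 1, GFP_KERNEL);` path has pointed `args` into a separate allocation. When the input is not null terminated, that pointer difference spans two unrelated buffers and arg_size is no longer the remaining length. Since the commit drops this patch as applied upstream, the same code would now come from 4.6.5; the length should be computed against the buffer actually being parsed (largs when it is set), and it is worth checking whether upstream has a follow-up for this.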
diff --git a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch b/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch
deleted file mode 100644
index fbe460b..0000000
--- a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Thu, 16 Jun 2016 15:48:57 +0100
-Subject: KEYS: potential uninitialized variable
-Origin: https://git.kernel.org/linus/38327424b40bcebe2de92d07312c89360ac9229a
-
-If __key_link_begin() failed then "edit" would be uninitialized.  I've
-added a check to fix that.
-
-This allows a random user to crash the kernel, though it's quite
-difficult to achieve.  There are three ways it can be done as the user
-would have to cause an error to occur in __key_link():
-
- (1) Cause the kernel to run out of memory.  In practice, this is difficult
-     to achieve without ENOMEM cropping up elsewhere and aborting the
-     attempt.
-
- (2) Revoke the destination keyring between the keyring ID being looked up
-     and it being tested for revocation.  In practice, this is difficult to
-     time correctly because the KEYCTL_REJECT function can only be used
-     from the request-key upcall process.  Further, users can only make use
-     of what's in /sbin/request-key.conf, though this does including a
-     rejection debugging test - which means that the destination keyring
-     has to be the caller's session keyring in practice.
-
- (3) Have just enough key quota available to create a key, a new session
-     keyring for the upcall and a link in the session keyring, but not then
-     sufficient quota to create a link in the nominated destination keyring
-     so that it fails with EDQUOT.
-
-The bug can be triggered using option (3) above using something like the
-following:
-
-	echo 80 >/proc/sys/kernel/keys/root_maxbytes
-	keyctl request2 user debug:fred negate @t
-
-The above sets the quota to something much lower (80) to make the bug
-easier to trigger, but this is dependent on the system.  Note also that
-the name of the keyring created contains a random number that may be
-between 1 and 10 characters in size, so may throw the test off by
-changing the amount of quota used.
-
-Assuming the failure occurs, something like the following will be seen:
-
-	kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
-	------------[ cut here ]------------
-	kernel BUG at ../mm/slab.c:2821!
-	...
-	RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
-	RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
-	RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
-	RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
-	RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
-	R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
-	R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
-	...
-	Call Trace:
-	  kfree+0xde/0x1bc
-	  assoc_array_cancel_edit+0x1f/0x36
-	  __key_link_end+0x55/0x63
-	  key_reject_and_link+0x124/0x155
-	  keyctl_reject_key+0xb6/0xe0
-	  keyctl_negate_key+0x10/0x12
-	  SyS_keyctl+0x9f/0xe7
-	  do_syscall_64+0x63/0x13a
-	  entry_SYSCALL64_slow_path+0x25/0x25
-
-Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-cc: stable at vger.kernel.org
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- security/keys/key.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/security/keys/key.c
-+++ b/security/keys/key.c
-@@ -584,7 +584,7 @@ int key_reject_and_link(struct key *key,
- 
- 	mutex_unlock(&key_construction_mutex);
- 
--	if (keyring)
-+	if (keyring && link_ret == 0)
- 		__key_link_end(keyring, &key->index_key, edit);
- 
- 	/* wake up anyone waiting for a key to be constructed */
diff --git a/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch b/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch
deleted file mode 100644
index ce0aeb4..0000000
--- a/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Wed, 22 Jun 2016 19:43:35 +0100
-Subject: [PATCH] nfsd: check permissions when setting ACLs
-Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=999653786df6954a31044528ac3f7a5dadca08f4
-
-Use set_posix_acl, which includes proper permission checks, instead of
-calling ->set_acl directly.  Without this anyone may be able to grant
-themselves permissions to a file by setting the ACL.
-
-Lock the inode to make the new checks atomic with respect to set_acl.
-(Also, nfsd was the only caller of set_acl not locking the inode, so I
-suspect this may fix other races.)
-
-This also simplifies the code, and ensures our ACLs are checked by
-posix_acl_valid.
-
-The permission checks and the inode locking were lost with commit
-4ac7249e, which changed nfsd to use the set_acl inode operation directly
-instead of going through xattr handlers.
-
-Reported-by: David Sinquin <david at sinquin.eu>
-[agreunba at redhat.com: use set_posix_acl]
-Fixes: 4ac7249e
-Cc: Christoph Hellwig <hch at infradead.org>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfs2acl.c | 20 ++++++++++----------
- fs/nfsd/nfs3acl.c | 16 +++++++---------
- fs/nfsd/nfs4acl.c | 16 ++++++++--------
- 3 files changed, 25 insertions(+), 27 deletions(-)
-
---- a/fs/nfsd/nfs2acl.c
-+++ b/fs/nfsd/nfs2acl.c
-@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct
- 		goto out;
- 
- 	inode = d_inode(fh->fh_dentry);
--	if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
--		error = -EOPNOTSUPP;
--		goto out_errno;
--	}
- 
- 	error = fh_want_write(fh);
- 	if (error)
- 		goto out_errno;
- 
--	error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
-+	fh_lock(fh);
-+
-+	error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
- 	if (error)
--		goto out_drop_write;
--	error = inode->i_op->set_acl(inode, argp->acl_default,
--				     ACL_TYPE_DEFAULT);
-+		goto out_drop_lock;
-+	error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
- 	if (error)
--		goto out_drop_write;
-+		goto out_drop_lock;
-+
-+	fh_unlock(fh);
- 
- 	fh_drop_write(fh);
- 
-@@ -131,7 +130,8 @@ out:
- 	posix_acl_release(argp->acl_access);
- 	posix_acl_release(argp->acl_default);
- 	return nfserr;
--out_drop_write:
-+out_drop_lock:
-+	fh_unlock(fh);
- 	fh_drop_write(fh);
- out_errno:
- 	nfserr = nfserrno(error);
---- a/fs/nfsd/nfs3acl.c
-+++ b/fs/nfsd/nfs3acl.c
-@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s
- 		goto out;
- 
- 	inode = d_inode(fh->fh_dentry);
--	if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
--		error = -EOPNOTSUPP;
--		goto out_errno;
--	}
- 
- 	error = fh_want_write(fh);
- 	if (error)
- 		goto out_errno;
- 
--	error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
-+	fh_lock(fh);
-+
-+	error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
- 	if (error)
--		goto out_drop_write;
--	error = inode->i_op->set_acl(inode, argp->acl_default,
--				     ACL_TYPE_DEFAULT);
-+		goto out_drop_lock;
-+	error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
- 
--out_drop_write:
-+out_drop_lock:
-+	fh_unlock(fh);
- 	fh_drop_write(fh);
- out_errno:
- 	nfserr = nfserrno(error);
---- a/fs/nfsd/nfs4acl.c
-+++ b/fs/nfsd/nfs4acl.c
-@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
- 	dentry = fhp->fh_dentry;
- 	inode = d_inode(dentry);
- 
--	if (!inode->i_op->set_acl || !IS_POSIXACL(inode))
--		return nfserr_attrnotsupp;
--
- 	if (S_ISDIR(inode->i_mode))
- 		flags = NFS4_ACL_DIR;
- 
-@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
- 	if (host_error < 0)
- 		goto out_nfserr;
- 
--	host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS);
-+	fh_lock(fhp);
-+
-+	host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
- 	if (host_error < 0)
--		goto out_release;
-+		goto out_drop_lock;
- 
- 	if (S_ISDIR(inode->i_mode)) {
--		host_error = inode->i_op->set_acl(inode, dpacl,
--						  ACL_TYPE_DEFAULT);
-+		host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
- 	}
- 
--out_release:
-+out_drop_lock:
-+	fh_unlock(fhp);
-+
- 	posix_acl_release(pacl);
- 	posix_acl_release(dpacl);
- out_nfserr:
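Review bot: this removal needs a closer check than the others because its Origin is a maintainer tree (git.linux-nfs.org, bfields/linux.git) rather than git.kernel.org/linus, so the version that reached 4.6.5 may differ from what Debian carried. Two things to confirm in the 4.6.5 source: that set_posix_acl() (added by the separately dropped posix_acl-add-set_posix_acl.patch) is present, since every `+` call here depends on it, and that the nfs4acl.c path still reports an unsupported ACL as it did before the `return nfserr_attrnotsupp;` early exit was removed.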
diff --git a/debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch b/debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch
deleted file mode 100644
index 3410168..0000000
--- a/debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From: Tejun Heo <tj at kernel.org>
-Date: Wed, 25 May 2016 11:48:25 -0400
-Subject: percpu: fix synchronization between chunk->map_extend_work and chunk
- destruction
-Origin: https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3
-
-Atomic allocations can trigger async map extensions which is serviced
-by chunk->map_extend_work.  pcpu_balance_work which is responsible for
-destroying idle chunks wasn't synchronizing properly against
-chunk->map_extend_work and may end up freeing the chunk while the work
-item is still in flight.
-
-This patch fixes the bug by rolling async map extension operations
-into pcpu_balance_work.
-
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov at gmail.com>
-Reported-by: Vlastimil Babka <vbabka at suse.cz>
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: stable at vger.kernel.org # v3.18+
-Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
----
- mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
- 1 file changed, 36 insertions(+), 21 deletions(-)
-
-diff --git a/mm/percpu.c b/mm/percpu.c
-index 0c59684f1ff2..b1d2a3844792 100644
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -112,7 +112,7 @@ struct pcpu_chunk {
- 	int			map_used;	/* # of map entries used before the sentry */
- 	int			map_alloc;	/* # of map entries allocated */
- 	int			*map;		/* allocation map */
--	struct work_struct	map_extend_work;/* async ->map[] extension */
-+	struct list_head	map_extend_list;/* on pcpu_map_extend_chunks */
- 
- 	void			*data;		/* chunk data */
- 	int			first_free;	/* no free below this */
-@@ -166,6 +166,9 @@ static DEFINE_MUTEX(pcpu_alloc_mutex);	/* chunk create/destroy, [de]pop */
- 
- static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
- 
-+/* chunks which need their map areas extended, protected by pcpu_lock */
-+static LIST_HEAD(pcpu_map_extend_chunks);
-+
- /*
-  * The number of empty populated pages, protected by pcpu_lock.  The
-  * reserved chunk doesn't contribute to the count.
-@@ -395,13 +398,19 @@ static int pcpu_need_to_extend(struct pcpu_chunk *chunk, bool is_atomic)
- {
- 	int margin, new_alloc;
- 
-+	lockdep_assert_held(&pcpu_lock);
-+
- 	if (is_atomic) {
- 		margin = 3;
- 
- 		if (chunk->map_alloc <
--		    chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW &&
--		    pcpu_async_enabled)
--			schedule_work(&chunk->map_extend_work);
-+		    chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW) {
-+			if (list_empty(&chunk->map_extend_list)) {
-+				list_add_tail(&chunk->map_extend_list,
-+					      &pcpu_map_extend_chunks);
-+				pcpu_schedule_balance_work();
-+			}
-+		}
- 	} else {
- 		margin = PCPU_ATOMIC_MAP_MARGIN_HIGH;
- 	}
-@@ -467,20 +476,6 @@ out_unlock:
- 	return 0;
- }
- 
--static void pcpu_map_extend_workfn(struct work_struct *work)
--{
--	struct pcpu_chunk *chunk = container_of(work, struct pcpu_chunk,
--						map_extend_work);
--	int new_alloc;
--
--	spin_lock_irq(&pcpu_lock);
--	new_alloc = pcpu_need_to_extend(chunk, false);
--	spin_unlock_irq(&pcpu_lock);
--
--	if (new_alloc)
--		pcpu_extend_area_map(chunk, new_alloc);
--}
--
- /**
-  * pcpu_fit_in_area - try to fit the requested allocation in a candidate area
-  * @chunk: chunk the candidate area belongs to
-@@ -740,7 +735,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void)
- 	chunk->map_used = 1;
- 
- 	INIT_LIST_HEAD(&chunk->list);
--	INIT_WORK(&chunk->map_extend_work, pcpu_map_extend_workfn);
-+	INIT_LIST_HEAD(&chunk->map_extend_list);
- 	chunk->free_size = pcpu_unit_size;
- 	chunk->contig_hint = pcpu_unit_size;
- 
-@@ -1129,6 +1124,7 @@ static void pcpu_balance_workfn(struct work_struct *work)
- 		if (chunk == list_first_entry(free_head, struct pcpu_chunk, list))
- 			continue;
- 
-+		list_del_init(&chunk->map_extend_list);
- 		list_move(&chunk->list, &to_free);
- 	}
- 
-@@ -1146,6 +1142,25 @@ static void pcpu_balance_workfn(struct work_struct *work)
- 		pcpu_destroy_chunk(chunk);
- 	}
- 
-+	/* service chunks which requested async area map extension */
-+	do {
-+		int new_alloc = 0;
-+
-+		spin_lock_irq(&pcpu_lock);
-+
-+		chunk = list_first_entry_or_null(&pcpu_map_extend_chunks,
-+					struct pcpu_chunk, map_extend_list);
-+		if (chunk) {
-+			list_del_init(&chunk->map_extend_list);
-+			new_alloc = pcpu_need_to_extend(chunk, false);
-+		}
-+
-+		spin_unlock_irq(&pcpu_lock);
-+
-+		if (new_alloc)
-+			pcpu_extend_area_map(chunk, new_alloc);
-+	} while (chunk);
-+
- 	/*
- 	 * Ensure there are certain number of free populated pages for
- 	 * atomic allocs.  Fill up from the most packed so that atomic
-@@ -1644,7 +1659,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
- 	 */
- 	schunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
- 	INIT_LIST_HEAD(&schunk->list);
--	INIT_WORK(&schunk->map_extend_work, pcpu_map_extend_workfn);
-+	INIT_LIST_HEAD(&schunk->map_extend_list);
- 	schunk->base_addr = base_addr;
- 	schunk->map = smap;
- 	schunk->map_alloc = ARRAY_SIZE(smap);
-@@ -1673,7 +1688,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai,
- 	if (dyn_size) {
- 		dchunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0);
- 		INIT_LIST_HEAD(&dchunk->list);
--		INIT_WORK(&dchunk->map_extend_work, pcpu_map_extend_workfn);
-+		INIT_LIST_HEAD(&dchunk->map_extend_list);
- 		dchunk->base_addr = base_addr;
- 		dchunk->map = dmap;
- 		dchunk->map_alloc = ARRAY_SIZE(dmap);
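Review bot: this deletion is only safe if it lands together with the removal of percpu-fix-synchronization-between-synchronous-map-e.patch, and that dependency is not documented in the commit message. The removed `pcpu_map_extend_workfn()` called `pcpu_extend_area_map()` holding only `pcpu_lock`, while the companion patch adds `lockdep_assert_held(&pcpu_alloc_mutex)` to that function, so a tree carrying one change without the other would be inconsistent. Both entries do leave debian/patches/series in this commit. Before upload, confirm that mm/percpu.c in 4.6.5 has no remaining `map_extend_work` user and initialises `map_extend_list` at all three sites shown here (`pcpu_alloc_chunk()` and the two in `pcpu_setup_first_chunk()`).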
diff --git a/debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch b/debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch
deleted file mode 100644
index e8a70c5..0000000
--- a/debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From: Tejun Heo <tj at kernel.org>
-Date: Wed, 25 May 2016 11:48:25 -0400
-Subject: percpu: fix synchronization between synchronous map extension and
- chunk destruction
-Origin: https://git.kernel.org/linus/6710e594f71ccaad8101bc64321152af7cd9ea28
-
-For non-atomic allocations, pcpu_alloc() can try to extend the area
-map synchronously after dropping pcpu_lock; however, the extension
-wasn't synchronized against chunk destruction and the chunk might get
-freed while extension is in progress.
-
-This patch fixes the bug by putting most of non-atomic allocations
-under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
-is responsible for async chunk management including destruction.
-
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov at gmail.com>
-Reported-by: Vlastimil Babka <vbabka at suse.cz>
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: stable at vger.kernel.org # v3.18+
-Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
----
- mm/percpu.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/mm/percpu.c b/mm/percpu.c
-index b1d2a3844792..9903830aaebb 100644
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -162,7 +162,7 @@ static struct pcpu_chunk *pcpu_reserved_chunk;
- static int pcpu_reserved_chunk_limit;
- 
- static DEFINE_SPINLOCK(pcpu_lock);	/* all internal data structures */
--static DEFINE_MUTEX(pcpu_alloc_mutex);	/* chunk create/destroy, [de]pop */
-+static DEFINE_MUTEX(pcpu_alloc_mutex);	/* chunk create/destroy, [de]pop, map ext */
- 
- static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */
- 
-@@ -444,6 +444,8 @@ static int pcpu_extend_area_map(struct pcpu_chunk *chunk, int new_alloc)
- 	size_t old_size = 0, new_size = new_alloc * sizeof(new[0]);
- 	unsigned long flags;
- 
-+	lockdep_assert_held(&pcpu_alloc_mutex);
-+
- 	new = pcpu_mem_zalloc(new_size);
- 	if (!new)
- 		return -ENOMEM;
-@@ -890,6 +892,9 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved,
- 		return NULL;
- 	}
- 
-+	if (!is_atomic)
-+		mutex_lock(&pcpu_alloc_mutex);
-+
- 	spin_lock_irqsave(&pcpu_lock, flags);
- 
- 	/* serve reserved allocations from the reserved chunk if available */
-@@ -962,12 +967,9 @@ restart:
- 	if (is_atomic)
- 		goto fail;
- 
--	mutex_lock(&pcpu_alloc_mutex);
--
- 	if (list_empty(&pcpu_slot[pcpu_nr_slots - 1])) {
- 		chunk = pcpu_create_chunk();
- 		if (!chunk) {
--			mutex_unlock(&pcpu_alloc_mutex);
- 			err = "failed to allocate new chunk";
- 			goto fail;
- 		}
-@@ -978,7 +980,6 @@ restart:
- 		spin_lock_irqsave(&pcpu_lock, flags);
- 	}
- 
--	mutex_unlock(&pcpu_alloc_mutex);
- 	goto restart;
- 
- area_found:
-@@ -988,8 +989,6 @@ area_found:
- 	if (!is_atomic) {
- 		int page_start, page_end, rs, re;
- 
--		mutex_lock(&pcpu_alloc_mutex);
--
- 		page_start = PFN_DOWN(off);
- 		page_end = PFN_UP(off + size);
- 
-@@ -1000,7 +999,6 @@ area_found:
- 
- 			spin_lock_irqsave(&pcpu_lock, flags);
- 			if (ret) {
--				mutex_unlock(&pcpu_alloc_mutex);
- 				pcpu_free_area(chunk, off, &occ_pages);
- 				err = "failed to populate";
- 				goto fail_unlock;
-@@ -1040,6 +1038,8 @@ fail:
- 		/* see the flag handling in pcpu_blance_workfn() */
- 		pcpu_atomic_alloc_failed = true;
- 		pcpu_schedule_balance_work();
-+	} else {
-+		mutex_unlock(&pcpu_alloc_mutex);
- 	}
- 	return NULL;
- }
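Review bot: "Drop patches applied upstream" gives no per-patch evidence, and the Origin header here names the mainline commit 6710e594f71c rather than a stable-tree commit. Suggest recording in debian/changelog that 4.6.5 carries the stable backport of this fix. When checking the new tree, look at more than these hunks: the patch moves `mutex_lock(&pcpu_alloc_mutex)` ahead of `spin_lock_irqsave(&pcpu_lock, flags)` for every non-atomic allocation, but the only unlock visible is the `else` branch added in the fail path. The success-path unlock lies outside the quoted context and needs to be verified in the 4.6.5 version of `pcpu_alloc()`.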
diff --git a/debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch b/debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch
deleted file mode 100644
index 152fc8a..0000000
--- a/debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From: Andreas Gruenbacher <agruenba at redhat.com>
-Date: Wed, 22 Jun 2016 23:57:25 +0200
-Subject: [PATCH] posix_acl: Add set_posix_acl
-Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
-
-Factor out part of posix_acl_xattr_set into a common function that takes
-a posix_acl, which nfsd can also call.
-
-The prototype already exists in include/linux/posix_acl.h.
-
-Signed-off-by: Andreas Gruenbacher <agruenba at redhat.com>
-Cc: stable at vger.kernel.org
-Cc: Christoph Hellwig <hch at infradead.org>
-Cc: Al Viro <viro at zeniv.linux.org.uk>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
-[bwh: Backported to 4.6: posix_acl_xattr_set() parameters are different]
----
---- a/fs/posix_acl.c
-+++ b/fs/posix_acl.c
-@@ -786,39 +786,43 @@ posix_acl_xattr_get(const struct xattr_h
- 	return error;
- }
- 
--static int
--posix_acl_xattr_set(const struct xattr_handler *handler,
--		    struct dentry *dentry, const char *name,
--		    const void *value, size_t size, int flags)
-+int
-+set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
- {
--	struct inode *inode = d_backing_inode(dentry);
--	struct posix_acl *acl = NULL;
--	int ret;
--
- 	if (!IS_POSIXACL(inode))
- 		return -EOPNOTSUPP;
- 	if (!inode->i_op->set_acl)
- 		return -EOPNOTSUPP;
- 
--	if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
--		return value ? -EACCES : 0;
-+	if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
-+		return acl ? -EACCES : 0;
- 	if (!inode_owner_or_capable(inode))
- 		return -EPERM;
- 
-+	if (acl) {
-+		int ret = posix_acl_valid(acl);
-+		if (ret)
-+			return ret;
-+	}
-+	return inode->i_op->set_acl(inode, acl, type);
-+}
-+EXPORT_SYMBOL(set_posix_acl);
-+
-+static int
-+posix_acl_xattr_set(const struct xattr_handler *handler,
-+		    struct dentry *dentry, const char *name,
-+		    const void *value, size_t size, int flags)
-+{
-+	struct inode *inode = d_backing_inode(dentry);
-+	struct posix_acl *acl = NULL;
-+	int ret;
-+
- 	if (value) {
- 		acl = posix_acl_from_xattr(&init_user_ns, value, size);
- 		if (IS_ERR(acl))
- 			return PTR_ERR(acl);
--
--		if (acl) {
--			ret = posix_acl_valid(acl);
--			if (ret)
--				goto out;
--		}
- 	}
--
--	ret = inode->i_op->set_acl(inode, acl, handler->flags);
--out:
-+	ret = set_posix_acl(inode, handler->flags, acl);
- 	posix_acl_release(acl);
- 	return ret;
- }
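Review bot: this dropped file was not a straight cherry-pick, so it needs a closer equivalence check than the others. The header carries "[bwh: Backported to 4.6: posix_acl_xattr_set() parameters are different]", and the Origin points at the bfields tree rather than mainline. Confirm that fs/posix_acl.c in 4.6.5 exports `set_posix_acl()` with the same sequence of checks as here (`IS_POSIXACL`, `i_op->set_acl`, the `ACL_TYPE_DEFAULT` directory test, `inode_owner_or_capable()`, then `posix_acl_valid()`). The description says nfsd is meant to call this helper, and nfsd-check-permissions-when-setting-acls.patch leaves the series in the same commit, so that fix depends on the helper being present upstream with this behaviour.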
diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
deleted file mode 100644
index d98651b..0000000
--- a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From: Cyril Bur <cyrilbur at gmail.com>
-Date: Fri, 17 Jun 2016 14:58:34 +1000
-Subject: powerpc/tm: Always reclaim in start_thread() for exec() class
- syscalls
-Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6
-
-Userspace can quite legitimately perform an exec() syscall with a
-suspended transaction. exec() does not return to the old process, rather
-it load a new one and starts that, the expectation therefore is that the
-new process starts not in a transaction. Currently exec() is not treated
-any differently to any other syscall which creates problems.
-
-Firstly it could allow a new process to start with a suspended
-transaction for a binary that no longer exists. This means that the
-checkpointed state won't be valid and if the suspended transaction were
-ever to be resumed and subsequently aborted (a possibility which is
-exceedingly likely as exec()ing will likely doom the transaction) the
-new process will jump to invalid state.
-
-Secondly the incorrect attempt to keep the transactional state while
-still zeroing state for the new process creates at least two TM Bad
-Things. The first triggers on the rfid to return to userspace as
-start_thread() has given the new process a 'clean' MSR but the suspend
-will still be set in the hardware MSR. The second TM Bad Thing triggers
-in __switch_to() as the processor is still transactionally suspended but
-__switch_to() wants to zero the TM sprs for the new process.
-
-This is an example of the outcome of calling exec() with a suspended
-transaction. Note the first 700 is likely the first TM bad thing
-decsribed earlier only the kernel can't report it as we've loaded
-userspace registers. c000000000009980 is the rfid in
-fast_exception_return()
-
-  Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
-  Oops: Bad kernel stack pointer, sig: 6 [#1]
-  CPU: 0 PID: 2006 Comm: tm-execed Not tainted
-  NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
-  REGS: c00000003ffefd40 TRAP: 0700   Not tainted
-  MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]>  CR: 00000000  XER: 00000000
-  CFAR: c0000000000098b4 SOFTE: 0
-  PACATMSCRATCH: b00000010000d033
-  GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
-  GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-  GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
-  NIP [c000000000009980] fast_exception_return+0xb0/0xb8
-  LR [0000000000000000]           (null)
-  Call Trace:
-  Instruction dump:
-  f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
-  e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b
-
-  Kernel BUG at c000000000043e80 [verbose debug info unavailable]
-  Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
-  Oops: Unrecoverable exception, sig: 6 [#2]
-  CPU: 0 PID: 2006 Comm: tm-execed Tainted: G      D
-  task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
-  NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
-  REGS: c00000003ffef7e0 TRAP: 0700   Tainted: G      D
-  MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]>  CR: 28002828  XER: 00000000
-  CFAR: c000000000015a20 SOFTE: 0
-  PACATMSCRATCH: b00000010000d033
-  GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
-  GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
-  GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
-  GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
-  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-  GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
-  GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
-  GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
-  NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
-  LR [c000000000015a24] __switch_to+0x1f4/0x420
-  Call Trace:
-  Instruction dump:
-  7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
-  4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
-
-This fixes CVE-2016-5828.
-
-Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
-Cc: stable at vger.kernel.org # v3.9+
-Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
-Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
----
- arch/powerpc/kernel/process.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/arch/powerpc/kernel/process.c
-+++ b/arch/powerpc/kernel/process.c
-@@ -1503,6 +1503,16 @@ void start_thread(struct pt_regs *regs,
- 		current->thread.regs = regs - 1;
- 	}
- 
-+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
-+	/*
-+	 * Clear any transactional state, we're exec()ing. The cause is
-+	 * not important as there will never be a recheckpoint so it's not
-+	 * user visible.
-+	 */
-+	if (MSR_TM_SUSPENDED(mfmsr()))
-+		tm_reclaim_current(0);
-+#endif
-+
- 	memset(regs->gpr, 0, sizeof(regs->gpr));
- 	regs->ctr = 0;
- 	regs->link = 0;
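Review bot: the CVE reference should not be lost with this file. The patch description states "This fixes CVE-2016-5828", and once the file is deleted that mapping survives only if the 4.6.5 changelog entry for the powerpc/tm change is annotated with it. Suggest adding "(CVE-2016-5828)" to the corresponding upstream item in debian/changelog. Also check that `start_thread()` in the new tree has the `MSR_TM_SUSPENDED(mfmsr())` / `tm_reclaim_current(0)` block under `CONFIG_PPC_TRANSACTIONAL_MEM`, placed before the `memset(regs->gpr, ...)` as it is here.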
diff --git a/debian/patches/series b/debian/patches/series
index 5cf6b0e..41d22eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -107,14 +107,6 @@ bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
 bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
 bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
-bugfix/all/keys-potential-uninitialized-variable.patch
-bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch
-bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch
-bugfix/all/posix_acl-add-set_posix_acl.patch
-bugfix/all/nfsd-check-permissions-when-setting-acls.patch
-bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
-bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
-bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
 
 # ABI maintenance
 debian/mips-siginfo-fix-abi-change-in-4.6.2.patch
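Review bot: the ABI work mentioned in the commit message is not tracked anywhere in this hunk. The eight removed entries match the eight patch files deleted in the diffstat, so the series stays consistent with the tree. But the message says "There are some ABI changes still to be resolved", while the "# ABI maintenance" section is left unchanged with only debian/mips-siginfo-fix-abi-change-in-4.6.2.patch. Suggest tracking the outstanding ABI changes explicitly, for example with a TODO item in the UNRELEASED changelog entry, so the package is not uploaded before the ABI maintenance patches or an ABI bump are added.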

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


