diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-03-13 21:54:39 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-03-13 21:54:39 +0100 |
commit | 1893ddbe5da629b6792fce9a474a6cd524d4bb25 (patch) | |
tree | 87f0f6c51191b37fb87b6fcada9d3e64cfc195c1 | |
parent | 10737c8c302f5fa252f75870fe4c696e5e1ec25c (diff) | |
parent | 1c83e43b5490e7c09f3ce0677cf7c54fed844cdb (diff) | |
download | kernel-1893ddbe5da629b6792fce9a474a6cd524d4bb25.tar.gz kernel-1893ddbe5da629b6792fce9a474a6cd524d4bb25.tar.xz kernel-1893ddbe5da629b6792fce9a474a6cd524d4bb25.zip |
merge originkernel-4.9.14-200.vanilla.knurd.1.fc25
-rw-r--r-- | 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch | 311 | ||||
-rw-r--r-- | arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch | 66 | ||||
-rw-r--r-- | config-arm64 | 2 | ||||
-rw-r--r-- | config-armv7-generic | 2 | ||||
-rw-r--r-- | config-generic | 2 | ||||
-rw-r--r-- | dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 | ||||
-rw-r--r-- | kernel.spec | 43 | ||||
-rw-r--r-- | sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch | 66 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | vc4-fix-vblank-cursor-update-issue.patch | 59 | ||||
-rw-r--r-- | w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch | 360 |
11 files changed, 474 insertions, 486 deletions
diff --git a/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch b/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch new file mode 100644 index 000000000..b6cd8b211 --- /dev/null +++ b/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch @@ -0,0 +1,311 @@ +From 1dea7a8061ad9212f4464464a80d0dcd477eceab Mon Sep 17 00:00:00 2001 +From: Alexander Popov <alex.popov@linux.com> +Date: Tue, 28 Feb 2017 19:28:54 +0300 +Subject: [PATCH 1/1] tty: n_hdlc: get rid of racy n_hdlc.tbuf + +Currently N_HDLC line discipline uses a self-made singly linked list for +data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after +an error. + +The commit be10eb7589337e5defbe214dae038a53dd21add8 +("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf. +After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put +one data buffer to tx_free_buf_list twice. That causes double free in +n_hdlc_release(). + +Let's use standard kernel linked list and get rid of n_hdlc.tbuf: +in case of tx error put current data buffer after the head of tx_buf_list. + +Signed-off-by: Alexander Popov <alex.popov@linux.com> +--- + drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------ + 1 file changed, 69 insertions(+), 63 deletions(-) + +diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c +index eb27883..728c824 100644 +--- a/drivers/tty/n_hdlc.c ++++ b/drivers/tty/n_hdlc.c +@@ -114,7 +114,7 @@ + #define DEFAULT_TX_BUF_COUNT 3 + + struct n_hdlc_buf { +- struct n_hdlc_buf *link; ++ struct list_head list_item; + int count; + char buf[1]; + }; +@@ -122,8 +122,7 @@ struct n_hdlc_buf { + #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) + + struct n_hdlc_buf_list { +- struct n_hdlc_buf *head; +- struct n_hdlc_buf *tail; ++ struct list_head list; + int count; + spinlock_t spinlock; + }; +@@ -136,7 +135,6 @@ struct n_hdlc_buf_list { + * @backup_tty - TTY to use if tty gets closed + * @tbusy - reentrancy flag for tx wakeup code + * @woke_up - FIXME: describe this field +- * @tbuf - currently transmitting tx buffer + * @tx_buf_list - list of pending transmit frame buffers + * @rx_buf_list - list of received frame buffers + * @tx_free_buf_list - list unused transmit frame buffers +@@ -149,7 +147,6 @@ struct n_hdlc { + struct tty_struct *backup_tty; + int tbusy; + int woke_up; +- struct n_hdlc_buf *tbuf; + struct n_hdlc_buf_list tx_buf_list; + struct n_hdlc_buf_list rx_buf_list; + struct n_hdlc_buf_list tx_free_buf_list; +@@ -159,6 +156,8 @@ struct n_hdlc { + /* + * HDLC buffer list manipulation functions + */ ++static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list, ++ struct n_hdlc_buf *buf); + static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, + struct n_hdlc_buf *buf); + static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list); +@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty) + { + struct n_hdlc *n_hdlc = tty2n_hdlc(tty); + struct n_hdlc_buf *buf; +- unsigned long flags; + + while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list))) + n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf); +- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags); +- if (n_hdlc->tbuf) { +- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf); +- n_hdlc->tbuf = NULL; +- } +- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); + } + + static struct tty_ldisc_ops n_hdlc_ldisc = { +@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc) + } else + break; + } +- kfree(n_hdlc->tbuf); + kfree(n_hdlc); + + } /* end of n_hdlc_release() */ +@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) + n_hdlc->woke_up = 0; + spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags); + +- /* get current transmit buffer or get new transmit */ +- /* buffer from list of pending transmit buffers */ +- +- tbuf = n_hdlc->tbuf; +- if (!tbuf) +- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); +- ++ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list); + while (tbuf) { + if (debuglevel >= DEBUG_LEVEL_INFO) + printk("%s(%d)sending frame %p, count=%d\n", +@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) + + /* rollback was possible and has been done */ + if (actual == -ERESTARTSYS) { +- n_hdlc->tbuf = tbuf; ++ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf); + break; + } + /* if transmit error, throw frame away by */ +@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) + + /* free current transmit buffer */ + n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf); +- +- /* this tx buffer is done */ +- n_hdlc->tbuf = NULL; +- ++ + /* wait up sleeping writers */ + wake_up_interruptible(&tty->write_wait); + +@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty) + if (debuglevel >= DEBUG_LEVEL_INFO) + printk("%s(%d)frame %p pending\n", + __FILE__,__LINE__,tbuf); +- +- /* buffer not accepted by driver */ +- /* set this buffer as pending buffer */ +- n_hdlc->tbuf = tbuf; ++ ++ /* ++ * the buffer was not accepted by driver, ++ * return it back into tx queue ++ */ ++ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf); + break; + } + } +@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, + int error = 0; + int count; + unsigned long flags; +- ++ struct n_hdlc_buf *buf = NULL; ++ + if (debuglevel >= DEBUG_LEVEL_INFO) + printk("%s(%d)n_hdlc_tty_ioctl() called %d\n", + __FILE__,__LINE__,cmd); +@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, + /* report count of read data available */ + /* in next available frame (if any) */ + spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags); +- if (n_hdlc->rx_buf_list.head) +- count = n_hdlc->rx_buf_list.head->count; ++ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list, ++ struct n_hdlc_buf, list_item); ++ if (buf) ++ count = buf->count; + else + count = 0; + spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags); +@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file, + count = tty_chars_in_buffer(tty); + /* add size of next output frame in queue */ + spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags); +- if (n_hdlc->tx_buf_list.head) +- count += n_hdlc->tx_buf_list.head->count; ++ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list, ++ struct n_hdlc_buf, list_item); ++ if (buf) ++ count += buf->count; + spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags); + error = put_user(count, (int __user *)arg); + break; +@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp, + poll_wait(filp, &tty->write_wait, wait); + + /* set bits for operations that won't block */ +- if (n_hdlc->rx_buf_list.head) ++ if (!list_empty(&n_hdlc->rx_buf_list.list)) + mask |= POLLIN | POLLRDNORM; /* readable */ + if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) + mask |= POLLHUP; + if (tty_hung_up_p(filp)) + mask |= POLLHUP; + if (!tty_is_writelocked(tty) && +- n_hdlc->tx_free_buf_list.head) ++ !list_empty(&n_hdlc->tx_free_buf_list.list)) + mask |= POLLOUT | POLLWRNORM; /* writable */ + } + return mask; +@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void) + spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock); + spin_lock_init(&n_hdlc->rx_buf_list.spinlock); + spin_lock_init(&n_hdlc->tx_buf_list.spinlock); +- ++ ++ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list); ++ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list); ++ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list); ++ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list); ++ + /* allocate free rx buffer list */ + for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) { + buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL); +@@ -884,53 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void) + } /* end of n_hdlc_alloc() */ + + /** ++ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list ++ * @buf_list - pointer to the buffer list ++ * @buf - pointer to the buffer ++ */ ++static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list, ++ struct n_hdlc_buf *buf) ++{ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&buf_list->spinlock, flags); ++ ++ list_add(&buf->list_item, &buf_list->list); ++ buf_list->count++; ++ ++ spin_unlock_irqrestore(&buf_list->spinlock, flags); ++} ++ ++/** + * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list +- * @list - pointer to buffer list ++ * @buf_list - pointer to buffer list + * @buf - pointer to buffer + */ +-static void n_hdlc_buf_put(struct n_hdlc_buf_list *list, ++static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list, + struct n_hdlc_buf *buf) + { + unsigned long flags; +- spin_lock_irqsave(&list->spinlock,flags); +- +- buf->link=NULL; +- if (list->tail) +- list->tail->link = buf; +- else +- list->head = buf; +- list->tail = buf; +- (list->count)++; +- +- spin_unlock_irqrestore(&list->spinlock,flags); +- ++ ++ spin_lock_irqsave(&buf_list->spinlock, flags); ++ ++ list_add_tail(&buf->list_item, &buf_list->list); ++ buf_list->count++; ++ ++ spin_unlock_irqrestore(&buf_list->spinlock, flags); + } /* end of n_hdlc_buf_put() */ + + /** + * n_hdlc_buf_get - remove and return an HDLC buffer from list +- * @list - pointer to HDLC buffer list ++ * @buf_list - pointer to HDLC buffer list + * + * Remove and return an HDLC buffer from the head of the specified HDLC buffer + * list. + * Returns a pointer to HDLC buffer if available, otherwise %NULL. + */ +-static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list) ++static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list) + { + unsigned long flags; + struct n_hdlc_buf *buf; +- spin_lock_irqsave(&list->spinlock,flags); +- +- buf = list->head; ++ ++ spin_lock_irqsave(&buf_list->spinlock, flags); ++ ++ buf = list_first_entry_or_null(&buf_list->list, ++ struct n_hdlc_buf, list_item); + if (buf) { +- list->head = buf->link; +- (list->count)--; ++ list_del(&buf->list_item); ++ buf_list->count--; + } +- if (!list->head) +- list->tail = NULL; +- +- spin_unlock_irqrestore(&list->spinlock,flags); ++ ++ spin_unlock_irqrestore(&buf_list->spinlock, flags); + return buf; +- + } /* end of n_hdlc_buf_get() */ + + static char hdlc_banner[] __initdata = +-- +2.7.4 + diff --git a/arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch b/arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch deleted file mode 100644 index 2e7f51ec6..000000000 --- a/arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch +++ /dev/null @@ -1,66 +0,0 @@ -From patchwork Wed Jan 25 18:31:31 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [v2] arm64: dma-mapping: Fix dma_mapping_error() when bypassing - SWIOTLB -From: Robin Murphy <robin.murphy@arm.com> -X-Patchwork-Id: 9537723 -Message-Id: <840027acb4750542003dff17b4a8902ba8972754.1485368348.git.robin.murphy@arm.com> -To: will.deacon@arm.com, - catalin.marinas@arm.com -Cc: Jisheng Zhang <jszhang@marvell.com>, arnd@arndb.de, - konrad.wilk@oracle.com, aaro.koskinen@iki.fi, stable@vger.kernel.org, - linux-rpi-kernel@lists.infradead.org, linux-arm-kernel@lists.infradead.org -Date: Wed, 25 Jan 2017 18:31:31 +0000 - -When bypassing SWIOTLB on small-memory systems, we need to avoid calling -into swiotlb_dma_mapping_error() in exactly the same way as we avoid -swiotlb_dma_supported(), because the former also relies on SWIOTLB state -being initialised. - -Under the assumptions for which we skip SWIOTLB, dma_map_{single,page}() -will only ever return the DMA-offset-adjusted physical address of the -page passed in, thus we can report success unconditionally. - -Fixes: b67a8b29df7e ("arm64: mm: only initialize swiotlb when necessary") -CC: stable@vger.kernel.org -CC: Jisheng Zhang <jszhang@marvell.com> -Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi> -Signed-off-by: Robin Murphy <robin.murphy@arm.com> -Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi> ---- - -v2: Get the return value the right way round this time... After some - careful reasoning it really is that simple. - - arch/arm64/mm/dma-mapping.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c -index e04082700bb1..1ffb7d5d299a 100644 ---- a/arch/arm64/mm/dma-mapping.c -+++ b/arch/arm64/mm/dma-mapping.c -@@ -352,6 +352,13 @@ static int __swiotlb_dma_supported(struct device *hwdev, u64 mask) - return 1; - } - -+static int __swiotlb_dma_mapping_error(struct device *hwdev, dma_addr_t addr) -+{ -+ if (swiotlb) -+ return swiotlb_dma_mapping_error(hwdev, addr); -+ return 0; -+} -+ - static struct dma_map_ops swiotlb_dma_ops = { - .alloc = __dma_alloc, - .free = __dma_free, -@@ -366,7 +373,7 @@ static struct dma_map_ops swiotlb_dma_ops = { - .sync_sg_for_cpu = __swiotlb_sync_sg_for_cpu, - .sync_sg_for_device = __swiotlb_sync_sg_for_device, - .dma_supported = __swiotlb_dma_supported, -- .mapping_error = swiotlb_dma_mapping_error, -+ .mapping_error = __swiotlb_dma_mapping_error, - }; - - static int __init atomic_pool_init(void) diff --git a/config-arm64 b/config-arm64 index 8cca6201c..ee6c77087 100644 --- a/config-arm64 +++ b/config-arm64 @@ -210,7 +210,7 @@ CONFIG_SUNXI_WATCHDOG=m CONFIG_MFD_SUN6I_PRCM=y CONFIG_IR_SUNXI=m CONFIG_MMC_SUNXI=m -CONFIG_RTC_DRV_SUN6I=m +CONFIG_RTC_DRV_SUN6I=y CONFIG_PWM_SUN4I=m # CONFIG_PHY_SUN4I_USB is not set # CONFIG_PHY_SUN9I_USB is not set diff --git a/config-armv7-generic b/config-armv7-generic index 869ee0659..65f612339 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -226,7 +226,7 @@ CONFIG_MDIO_SUN4I=m CONFIG_DWMAC_SUNXI=m CONFIG_SUN4I_EMAC=m CONFIG_SUN8I_EMAC=m -CONFIG_RTC_DRV_SUN6I=m +CONFIG_RTC_DRV_SUN6I=y CONFIG_MTD_NAND_SUNXI=m CONFIG_SERIO_SUN4I_PS2=m CONFIG_KEYBOARD_SUN4I_LRADC=m diff --git a/config-generic b/config-generic index 4da90f2b1..11c3eeb96 100644 --- a/config-generic +++ b/config-generic @@ -1921,7 +1921,7 @@ CONFIG_IWLWIFI=m CONFIG_IWLDVM=m CONFIG_IWLMVM=m # CONFIG_IWLWIFI_BCAST_FILTERING is not set -CONFIG_IWLWIFI_PCIE_RTPM=y +# CONFIG_IWLWIFI_PCIE_RTPM is not set CONFIG_IWLWIFI_DEBUG=y CONFIG_IWLWIFI_DEBUGFS=y diff --git a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch deleted file mode 100644 index 433fd4b2b..000000000 --- a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov <andreyknvl@google.com> -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov <andreyknvl@google.com> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba34718..8fedc2d 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -cgit v0.12 - diff --git a/kernel.spec b/kernel.spec index b351a0db0..ffeb4b941 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,8 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 14 + # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -530,8 +531,6 @@ Patch426: usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch # Fix OMAP4 (pandaboard) Patch427: arm-revert-mmc-omap_hsmmc-Use-dma_request_chan-for-reque.patch -Patch428: arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch - # Not particularly happy we don't yet have a proper upstream resolution this is the right direction # https://www.spinics.net/lists/arm-kernel/msg535191.html Patch429: arm64-mm-Fix-memmap-to-be-initialized-for-the-entire-section.patch @@ -548,6 +547,8 @@ Patch433: bcm283x-mmc-imp-speed.patch Patch434: mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch +Patch436: vc4-fix-vblank-cursor-update-issue.patch + Patch440: AllWinner-net-emac.patch Patch442: ARM-Drop-fixed-200-Hz-timer-requirement-from-Samsung-platforms.patch @@ -657,14 +658,14 @@ Patch855: kvm-fix-page-struct-leak-in-handle_vmon.patch Patch858: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch Patch859: 2-2-media-dvb-usb-firmware-don-t-do-DMA-on-stack.patch -#rhbz 1415397 -Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch - #rhbz 1422969 Patch862: rt2800-warning.patch -#CVE-2017-6074 -Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch +#CVE-2017-6353 rhbz 1428907 1428910 +Patch864: sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch + +# CVE-2017-2636 rhbz 1430049 +Patch668: 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch # END OF PATCH DEFINITIONS @@ -875,7 +876,6 @@ Summary: Development package for building kernel modules to match the %{?2:%{2} Group: System Environment/Kernel\ Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{version}-%{release}\ Provides: kernel-devel-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\ -Provides: kernel-devel = %{version}-%{release}%{?1:+%{1}}\ Provides: kernel-devel-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\ Provides: installonlypkg(kernel)\ AutoReqProv: no\ @@ -2216,6 +2216,31 @@ fi # # %changelog +* Mon Mar 13 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.14-200 +- Linux v4.9.14 + +* Tue Mar 07 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.13-201 +- Build for some CVEs + +* Tue Mar 07 2017 Laura Abbott <labbott@fedoraproject.org> +- CVE-2017-2636 Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release (rhbz 1430049) + +* Tue Mar 7 2017 Laura Abbott <labbott@redhat.com> +- Disable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135) + +* Mon Mar 6 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-6353 Possible double free in stcp_sendmsg (rhbz 1428907 1428910) + +* Wed Mar 1 2017 Peter Robinson <pbrobinson@fedoraproject.org> +- Add patch to fix desktop lockups on RPi (vc4) RHBZ# 1389163 + +* Tue Feb 28 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-5669 shmat allows mmap null page protection bypass (rhbz 1427239) +- Fix kernel-devel virtual provide + +* Mon Feb 27 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.13-200 +- Linux v4.9.13 + * Thu Feb 23 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.12-200 - Linux v4.9.12 diff --git a/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch b/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch new file mode 100644 index 000000000..47f586ace --- /dev/null +++ b/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch @@ -0,0 +1,66 @@ +From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Date: Thu, 23 Feb 2017 09:31:18 -0300 +Subject: [PATCH] sctp: deny peeloff operation on asocs with threads sleeping + on it + +commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") +attempted to avoid a BUG_ON call when the association being used for a +sendmsg() is blocked waiting for more sndbuf and another thread did a +peeloff operation on such asoc, moving it to another socket. + +As Ben Hutchings noticed, then in such case it would return without +locking back the socket and would cause two unlocks in a row. + +Further analysis also revealed that it could allow a double free if the +application managed to peeloff the asoc that is created during the +sendmsg call, because then sctp_sendmsg() would try to free the asoc +that was created only for that call. + +This patch takes another approach. It will deny the peeloff operation +if there is a thread sleeping on the asoc, so this situation doesn't +exist anymore. This avoids the issues described above and also honors +the syscalls that are already being handled (it can be multiple sendmsg +calls). + +Joint work with Xin Long. + +Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") +Cc: Alexander Popov <alex.popov@linux.com> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/sctp/socket.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index b532148..465a9c8 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4862,6 +4862,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp) + if (!asoc) + return -EINVAL; + ++ /* If there is a thread waiting on more sndbuf space for ++ * sending on this asoc, it cannot be peeled. ++ */ ++ if (waitqueue_active(&asoc->wait)) ++ return -EBUSY; ++ + /* An association cannot be branched off from an already peeled-off + * socket, nor is this supported for tcp style sockets. + */ +@@ -7599,8 +7605,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + */ + release_sock(sk); + current_timeo = schedule_timeout(current_timeo); +- if (sk != asoc->base.sk) +- goto do_error; + lock_sock(sk); + + *timeo_p = current_timeo; +-- +2.9.3 + @@ -1,3 +1,3 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 -SHA512 (patch-4.9.12.xz) = 52314315fe960b3b4b11021a5a8a6271bd8a7e3f9f63cd983f72cf7585ac95408872ab48074d2cd578d681a64e10607ba69157a3fed14663736f20c5c2a78b0a +SHA512 (patch-4.9.14.xz) = 0bfb0f5e27081d96760884726cc44fa0dcb1c4f3658e8131de0a4d8b90689e95e8c2f3a0c95a165ae4a2c95b227392cd9249b3018d6242af4ee81a892edfc94f diff --git a/vc4-fix-vblank-cursor-update-issue.patch b/vc4-fix-vblank-cursor-update-issue.patch new file mode 100644 index 000000000..8537d67ca --- /dev/null +++ b/vc4-fix-vblank-cursor-update-issue.patch @@ -0,0 +1,59 @@ +From 6d24c1c5918907ab78a5729b78c0d165deb3cc2b Mon Sep 17 00:00:00 2001 +From: Michael Zoran <mzoran@crowfest.net> +Date: Thu, 23 Feb 2017 17:54:31 -0800 +Subject: drm/vc4: Don't wait for vblank when updating the cursor + +Commonly used desktop environments such as xfce4 and gnome +on debian sid can flood the graphics drivers with cursor +updates. Because the current implementation is waiting +for a vblank between cursor updates, this will cause the +display to hang for a long time since a typical refresh +rate is only 60Hz. + +This is unnecessary and unexpected by user mode software, +so simply swap out the cursor frame buffer without waiting. + +Signed-off-by: Michael Zoran <mzoran@crowfest.net> +Reviewed-by: Eric Anholt <eric@anholt.net> +Link: http://patchwork.freedesktop.org/patch/msgid/20170224015431.24583-1-mzoran@crowfest.net + +diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c +index f7a229d..110224c 100644 +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -20,6 +20,7 @@ + + #include "vc4_drv.h" + #include "vc4_regs.h" ++#include "drm_atomic.h" + #include "drm_atomic_helper.h" + #include "drm_fb_cma_helper.h" + #include "drm_plane_helper.h" +@@ -769,12 +770,6 @@ vc4_update_plane(struct drm_plane *plane, + if (!plane_state) + goto out; + +- /* If we're changing the cursor contents, do that in the +- * normal vblank-synced atomic path. +- */ +- if (fb != plane_state->fb) +- goto out; +- + /* No configuring new scaling in the fast path. */ + if (crtc_w != plane_state->crtc_w || + crtc_h != plane_state->crtc_h || +@@ -783,6 +778,11 @@ vc4_update_plane(struct drm_plane *plane, + goto out; + } + ++ if (fb != plane_state->fb) { ++ drm_atomic_set_fb_for_plane(plane->state, fb); ++ vc4_plane_async_set_fb(plane, fb); ++ } ++ + /* Set the cursor's position on the screen. This is the + * expected change from the drm_mode_cursor_universal() + * helper. +-- +cgit v0.10.2 + diff --git a/w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch b/w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch deleted file mode 100644 index 7e902b100..000000000 --- a/w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch +++ /dev/null @@ -1,360 +0,0 @@ -From patchwork Wed Jan 18 20:31:11 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: w1: ds2490: USB transfer buffers need to be DMAable -From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name> -X-Patchwork-Id: 9524693 -Message-Id: <5ba98814-d0b0-fbd4-d631-eda3472f4017@maciej.szmigiero.name> -To: Evgeniy Polyakov <zbr@ioremap.net> -Cc: linux-kernel <linux-kernel@vger.kernel.org> -Date: Wed, 18 Jan 2017 21:31:11 +0100 - -ds2490 driver was doing USB transfers from / to buffers on a stack. -This is not permitted and made the driver non-working with vmapped stacks. - -Since all these transfers are done under the same bus_mutex lock we can -simply use shared buffers in a device private structure for two most common -of them. - -While we are at it, let's also fix a comparison between int and size_t in -ds9490r_search() which made the driver spin in this function if state -register get requests were failing. - -Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name> -Cc: stable@vger.kernel.org ---- - drivers/w1/masters/ds2490.c | 142 ++++++++++++++++++++++++++------------------ - 1 file changed, 84 insertions(+), 58 deletions(-) - -diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c -index 049a884a756f..59d74d1b47a8 100644 ---- a/drivers/w1/masters/ds2490.c -+++ b/drivers/w1/masters/ds2490.c -@@ -153,6 +153,9 @@ struct ds_device - */ - u16 spu_bit; - -+ u8 st_buf[ST_SIZE]; -+ u8 byte_buf; -+ - struct w1_bus_master master; - }; - -@@ -174,7 +177,6 @@ struct ds_status - u8 data_in_buffer_status; - u8 reserved1; - u8 reserved2; -- - }; - - static struct usb_device_id ds_id_table [] = { -@@ -244,28 +246,6 @@ static int ds_send_control(struct ds_device *dev, u16 value, u16 index) - return err; - } - --static int ds_recv_status_nodump(struct ds_device *dev, struct ds_status *st, -- unsigned char *buf, int size) --{ -- int count, err; -- -- memset(st, 0, sizeof(*st)); -- -- count = 0; -- err = usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev, -- dev->ep[EP_STATUS]), buf, size, &count, 1000); -- if (err < 0) { -- pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n", -- dev->ep[EP_STATUS], err); -- return err; -- } -- -- if (count >= sizeof(*st)) -- memcpy(st, buf, sizeof(*st)); -- -- return count; --} -- - static inline void ds_print_msg(unsigned char *buf, unsigned char *str, int off) - { - pr_info("%45s: %8x\n", str, buf[off]); -@@ -324,6 +304,35 @@ static void ds_dump_status(struct ds_device *dev, unsigned char *buf, int count) - } - } - -+static int ds_recv_status(struct ds_device *dev, struct ds_status *st, -+ bool dump) -+{ -+ int count, err; -+ -+ if (st) -+ memset(st, 0, sizeof(*st)); -+ -+ count = 0; -+ err = usb_interrupt_msg(dev->udev, -+ usb_rcvintpipe(dev->udev, -+ dev->ep[EP_STATUS]), -+ dev->st_buf, sizeof(dev->st_buf), -+ &count, 1000); -+ if (err < 0) { -+ pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n", -+ dev->ep[EP_STATUS], err); -+ return err; -+ } -+ -+ if (dump) -+ ds_dump_status(dev, dev->st_buf, count); -+ -+ if (st && count >= sizeof(*st)) -+ memcpy(st, dev->st_buf, sizeof(*st)); -+ -+ return count; -+} -+ - static void ds_reset_device(struct ds_device *dev) - { - ds_send_control_cmd(dev, CTL_RESET_DEVICE, 0); -@@ -344,7 +353,6 @@ static void ds_reset_device(struct ds_device *dev) - static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size) - { - int count, err; -- struct ds_status st; - - /* Careful on size. If size is less than what is available in - * the input buffer, the device fails the bulk transfer and -@@ -359,14 +367,9 @@ static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size) - err = usb_bulk_msg(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]), - buf, size, &count, 1000); - if (err < 0) { -- u8 buf[ST_SIZE]; -- int count; -- - pr_info("Clearing ep0x%x.\n", dev->ep[EP_DATA_IN]); - usb_clear_halt(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN])); -- -- count = ds_recv_status_nodump(dev, &st, buf, sizeof(buf)); -- ds_dump_status(dev, buf, count); -+ ds_recv_status(dev, NULL, true); - return err; - } - -@@ -404,7 +407,6 @@ int ds_stop_pulse(struct ds_device *dev, int limit) - { - struct ds_status st; - int count = 0, err = 0; -- u8 buf[ST_SIZE]; - - do { - err = ds_send_control(dev, CTL_HALT_EXE_IDLE, 0); -@@ -413,7 +415,7 @@ int ds_stop_pulse(struct ds_device *dev, int limit) - err = ds_send_control(dev, CTL_RESUME_EXE, 0); - if (err) - break; -- err = ds_recv_status_nodump(dev, &st, buf, sizeof(buf)); -+ err = ds_recv_status(dev, &st, false); - if (err) - break; - -@@ -456,18 +458,17 @@ int ds_detect(struct ds_device *dev, struct ds_status *st) - - static int ds_wait_status(struct ds_device *dev, struct ds_status *st) - { -- u8 buf[ST_SIZE]; - int err, count = 0; - - do { - st->status = 0; -- err = ds_recv_status_nodump(dev, st, buf, sizeof(buf)); -+ err = ds_recv_status(dev, st, false); - #if 0 - if (err >= 0) { - int i; - printk("0x%x: count=%d, status: ", dev->ep[EP_STATUS], err); - for (i=0; i<err; ++i) -- printk("%02x ", buf[i]); -+ printk("%02x ", dev->st_buf[i]); - printk("\n"); - } - #endif -@@ -485,7 +486,7 @@ static int ds_wait_status(struct ds_device *dev, struct ds_status *st) - * can do something with it). - */ - if (err > 16 || count >= 100 || err < 0) -- ds_dump_status(dev, buf, err); -+ ds_dump_status(dev, dev->st_buf, err); - - /* Extended data isn't an error. Well, a short is, but the dump - * would have already told the user that and we can't do anything -@@ -608,7 +609,6 @@ static int ds_write_byte(struct ds_device *dev, u8 byte) - { - int err; - struct ds_status st; -- u8 rbyte; - - err = ds_send_control(dev, COMM_BYTE_IO | COMM_IM | dev->spu_bit, byte); - if (err) -@@ -621,11 +621,11 @@ static int ds_write_byte(struct ds_device *dev, u8 byte) - if (err) - return err; - -- err = ds_recv_data(dev, &rbyte, sizeof(rbyte)); -+ err = ds_recv_data(dev, &dev->byte_buf, 1); - if (err < 0) - return err; - -- return !(byte == rbyte); -+ return !(byte == dev->byte_buf); - } - - static int ds_read_byte(struct ds_device *dev, u8 *byte) -@@ -712,7 +712,6 @@ static void ds9490r_search(void *data, struct w1_master *master, - int err; - u16 value, index; - struct ds_status st; -- u8 st_buf[ST_SIZE]; - int search_limit; - int found = 0; - int i; -@@ -724,7 +723,12 @@ static void ds9490r_search(void *data, struct w1_master *master, - /* FIFO 128 bytes, bulk packet size 64, read a multiple of the - * packet size. - */ -- u64 buf[2*64/8]; -+ const size_t bufsize = 2 * 64; -+ u64 *buf; -+ -+ buf = kmalloc(bufsize, GFP_KERNEL); -+ if (!buf) -+ return; - - mutex_lock(&master->bus_mutex); - -@@ -745,10 +749,9 @@ static void ds9490r_search(void *data, struct w1_master *master, - do { - schedule_timeout(jtime); - -- if (ds_recv_status_nodump(dev, &st, st_buf, sizeof(st_buf)) < -- sizeof(st)) { -+ err = ds_recv_status(dev, &st, false); -+ if (err < 0 || err < sizeof(st)) - break; -- } - - if (st.data_in_buffer_status) { - /* Bulk in can receive partial ids, but when it does -@@ -758,7 +761,7 @@ static void ds9490r_search(void *data, struct w1_master *master, - * bulk without first checking if status says there - * is data to read. - */ -- err = ds_recv_data(dev, (u8 *)buf, sizeof(buf)); -+ err = ds_recv_data(dev, (u8 *)buf, bufsize); - if (err < 0) - break; - for (i = 0; i < err/8; ++i) { -@@ -794,9 +797,14 @@ static void ds9490r_search(void *data, struct w1_master *master, - } - search_out: - mutex_unlock(&master->bus_mutex); -+ kfree(buf); - } - - #if 0 -+/* -+ * FIXME: if this disabled code is ever used in the future all ds_send_data() -+ * calls must be changed to use a DMAable buffer. -+ */ - static int ds_match_access(struct ds_device *dev, u64 init) - { - int err; -@@ -845,13 +853,12 @@ static int ds_set_path(struct ds_device *dev, u64 init) - - static u8 ds9490r_touch_bit(void *data, u8 bit) - { -- u8 ret; - struct ds_device *dev = data; - -- if (ds_touch_bit(dev, bit, &ret)) -+ if (ds_touch_bit(dev, bit, &dev->byte_buf)) - return 0; - -- return ret; -+ return dev->byte_buf; - } - - #if 0 -@@ -866,13 +873,12 @@ static u8 ds9490r_read_bit(void *data) - { - struct ds_device *dev = data; - int err; -- u8 bit = 0; - -- err = ds_touch_bit(dev, 1, &bit); -+ err = ds_touch_bit(dev, 1, &dev->byte_buf); - if (err) - return 0; - -- return bit & 1; -+ return dev->byte_buf & 1; - } - #endif - -@@ -887,32 +893,52 @@ static u8 ds9490r_read_byte(void *data) - { - struct ds_device *dev = data; - int err; -- u8 byte = 0; - -- err = ds_read_byte(dev, &byte); -+ err = ds_read_byte(dev, &dev->byte_buf); - if (err) - return 0; - -- return byte; -+ return dev->byte_buf; - } - - static void ds9490r_write_block(void *data, const u8 *buf, int len) - { - struct ds_device *dev = data; -+ u8 *tbuf; -+ -+ if (len <= 0) -+ return; -+ -+ tbuf = kmalloc(len, GFP_KERNEL); -+ if (!tbuf) -+ return; - -- ds_write_block(dev, (u8 *)buf, len); -+ memcpy(tbuf, buf, len); -+ ds_write_block(dev, tbuf, len); -+ -+ kfree(tbuf); - } - - static u8 ds9490r_read_block(void *data, u8 *buf, int len) - { - struct ds_device *dev = data; - int err; -+ u8 *tbuf; - -- err = ds_read_block(dev, buf, len); -- if (err < 0) -+ if (len <= 0) -+ return 0; -+ -+ tbuf = kmalloc(len, GFP_KERNEL); -+ if (!tbuf) - return 0; - -- return len; -+ err = ds_read_block(dev, tbuf, len); -+ if (err >= 0) -+ memcpy(buf, tbuf, len); -+ -+ kfree(tbuf); -+ -+ return err >= 0 ? len : 0; - } - - static u8 ds9490r_reset(void *data) |