diff options
| author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-01-20 07:35:41 +0100 |
|---|---|---|
| committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-01-20 07:35:41 +0100 |
| commit | 14f0dc051017e65984398222565527955ea91a5b (patch) | |
| tree | 3e07b2c32847f63d876747308b4d553ee1d4860a | |
| parent | ffa91da10d0fc2b1b18dc0390b7d40d2425dfde1 (diff) | |
| parent | 1af40db9c4ef369c0a3392d066691f41d5175065 (diff) | |
| download | kernel-14f0dc051017e65984398222565527955ea91a5b.tar.gz kernel-14f0dc051017e65984398222565527955ea91a5b.tar.xz kernel-14f0dc051017e65984398222565527955ea91a5b.zip | |
merge origin/f22kernel-4.3.3-200.vanilla.knurd.1.fc22
80 files changed, 6787 insertions, 947 deletions
diff --git a/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch b/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch deleted file mode 100644 index 15640604b..000000000 --- a/0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch +++ /dev/null @@ -1,76 +0,0 @@ -From d856e14fb043b742f94170db36b812770a2591d0 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Thu, 15 Oct 2015 17:21:37 +0100 -Subject: [PATCH 1/2] KEYS: Fix crash when attempt to garbage collect an - uninstantiated keyring - - The following sequence of commands: - - i=`keyctl add user a a @s` - keyctl request2 keyring foo bar @t - keyctl unlink $i @s - - tries to invoke an upcall to instantiate a keyring if one doesn't already - exist by that name within the user's keyring set. However, if the upcall - fails, the code sets keyring->type_data.reject_error to -ENOKEY or some - other error code. When the key is garbage collected, the key destroy - function is called unconditionally and keyring_destroy() uses list_empty() - on keyring->type_data.link - which is in a union with reject_error. - Subsequently, the kernel tries to unlink the keyring from the keyring names - list - which oopses like this: - - BUG: unable to handle kernel paging request at 00000000ffffff8a - IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88 - ... - Workqueue: events key_garbage_collector - ... - RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88 - RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 - RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 - RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 - RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 - R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 - R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 - ... - CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 - ... - Call Trace: - [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f - [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351 - [<ffffffff8105ec9b>] process_one_work+0x28e/0x547 - [<ffffffff8105fd17>] worker_thread+0x26e/0x361 - [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8 - [<ffffffff810648ad>] kthread+0xf3/0xfb - [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 - [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70 - [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 - - Note the value in RAX. This is a 32-bit representation of -ENOKEY. - - The solution is to only call ->destroy() if the key was successfully - instantiated. - - Reported-by: Dmitry Vyukov <dvyukov@google.com> - Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/keys/gc.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/security/keys/gc.c b/security/keys/gc.c -index c7952375ac53..11c36627adbf 100644 ---- a/security/keys/gc.c -+++ b/security/keys/gc.c -@@ -149,7 +149,9 @@ static noinline void key_gc_unused_keys(struct list_head *keys) - atomic_dec(&key->user->nikeys); - - /* now throw away the key memory */ -- if (key->type->destroy) -+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && -+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && -+ key->type->destroy) - key->type->destroy(key); - - key_user_put(key->user); --- -2.4.3 - diff --git a/0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch b/0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch deleted file mode 100644 index 6395b1746..000000000 --- a/0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch +++ /dev/null @@ -1,169 +0,0 @@ -From 1d8007bdee074fdffcf3539492d8a151a1fb3436 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Mon, 12 Oct 2015 13:38:32 +0200 -Subject: [PATCH] KVM: x86: build kvm_userspace_memory_region in - x86_set_memory_region -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The next patch will make x86_set_memory_region fill the -userspace_addr. Since the struct is not used untouched -anymore, it makes sense to build it in x86_set_memory_region -directly; it also simplifies the callers. - -Reported-by: Alexandre DERUMIER <aderumier@odiso.com> -Cc: stable@vger.kernel.org -Fixes: 9da0e4d5ac969909f6b435ce28ea28135a9cbd69 -Reviewed-by: Radim Krčmář <rkrcmar@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - arch/x86/include/asm/kvm_host.h | 6 ++---- - arch/x86/kvm/vmx.c | 26 ++++++-------------------- - arch/x86/kvm/x86.c | 31 +++++++++++++------------------ - 3 files changed, 21 insertions(+), 42 deletions(-) - -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 49ec903..4e7ad7e 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -1199,9 +1199,7 @@ void kvm_complete_insn_gp(struct kvm_vcpu *vcpu, int err); - - int kvm_is_in_guest(void); - --int __x86_set_memory_region(struct kvm *kvm, -- const struct kvm_userspace_memory_region *mem); --int x86_set_memory_region(struct kvm *kvm, -- const struct kvm_userspace_memory_region *mem); -+int __x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size); -+int x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size); - - #endif /* _ASM_X86_KVM_HOST_H */ -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 18c30b4..8461e0c 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -4105,17 +4105,13 @@ static void seg_setup(int seg) - static int alloc_apic_access_page(struct kvm *kvm) - { - struct page *page; -- struct kvm_userspace_memory_region kvm_userspace_mem; - int r = 0; - - mutex_lock(&kvm->slots_lock); - if (kvm->arch.apic_access_page_done) - goto out; -- kvm_userspace_mem.slot = APIC_ACCESS_PAGE_PRIVATE_MEMSLOT; -- kvm_userspace_mem.flags = 0; -- kvm_userspace_mem.guest_phys_addr = APIC_DEFAULT_PHYS_BASE; -- kvm_userspace_mem.memory_size = PAGE_SIZE; -- r = __x86_set_memory_region(kvm, &kvm_userspace_mem); -+ r = __x86_set_memory_region(kvm, APIC_ACCESS_PAGE_PRIVATE_MEMSLOT, -+ APIC_DEFAULT_PHYS_BASE, PAGE_SIZE); - if (r) - goto out; - -@@ -4140,17 +4136,12 @@ static int alloc_identity_pagetable(struct kvm *kvm) - { - /* Called with kvm->slots_lock held. */ - -- struct kvm_userspace_memory_region kvm_userspace_mem; - int r = 0; - - BUG_ON(kvm->arch.ept_identity_pagetable_done); - -- kvm_userspace_mem.slot = IDENTITY_PAGETABLE_PRIVATE_MEMSLOT; -- kvm_userspace_mem.flags = 0; -- kvm_userspace_mem.guest_phys_addr = -- kvm->arch.ept_identity_map_addr; -- kvm_userspace_mem.memory_size = PAGE_SIZE; -- r = __x86_set_memory_region(kvm, &kvm_userspace_mem); -+ r = __x86_set_memory_region(kvm, IDENTITY_PAGETABLE_PRIVATE_MEMSLOT, -+ kvm->arch.ept_identity_map_addr, PAGE_SIZE); - - return r; - } -@@ -4949,14 +4940,9 @@ static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu) - static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr) - { - int ret; -- struct kvm_userspace_memory_region tss_mem = { -- .slot = TSS_PRIVATE_MEMSLOT, -- .guest_phys_addr = addr, -- .memory_size = PAGE_SIZE * 3, -- .flags = 0, -- }; - -- ret = x86_set_memory_region(kvm, &tss_mem); -+ ret = x86_set_memory_region(kvm, TSS_PRIVATE_MEMSLOT, addr, -+ PAGE_SIZE * 3); - if (ret) - return ret; - kvm->arch.tss_addr = addr; -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 373328b..b12665b 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -7721,18 +7721,21 @@ void kvm_arch_sync_events(struct kvm *kvm) - kvm_free_pit(kvm); - } - --int __x86_set_memory_region(struct kvm *kvm, -- const struct kvm_userspace_memory_region *mem) -+int __x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size) - { - int i, r; - - /* Called with kvm->slots_lock held. */ -- BUG_ON(mem->slot >= KVM_MEM_SLOTS_NUM); -+ if (WARN_ON(id >= KVM_MEM_SLOTS_NUM)) -+ return -EINVAL; - - for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) { -- struct kvm_userspace_memory_region m = *mem; -+ struct kvm_userspace_memory_region m; - -- m.slot |= i << 16; -+ m.slot = id | (i << 16); -+ m.flags = 0; -+ m.guest_phys_addr = gpa; -+ m.memory_size = size; - r = __kvm_set_memory_region(kvm, &m); - if (r < 0) - return r; -@@ -7742,13 +7745,12 @@ int __x86_set_memory_region(struct kvm *kvm, - } - EXPORT_SYMBOL_GPL(__x86_set_memory_region); - --int x86_set_memory_region(struct kvm *kvm, -- const struct kvm_userspace_memory_region *mem) -+int x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size) - { - int r; - - mutex_lock(&kvm->slots_lock); -- r = __x86_set_memory_region(kvm, mem); -+ r = __x86_set_memory_region(kvm, id, gpa, size); - mutex_unlock(&kvm->slots_lock); - - return r; -@@ -7763,16 +7765,9 @@ void kvm_arch_destroy_vm(struct kvm *kvm) - * unless the the memory map has changed due to process exit - * or fd copying. - */ -- struct kvm_userspace_memory_region mem; -- memset(&mem, 0, sizeof(mem)); -- mem.slot = APIC_ACCESS_PAGE_PRIVATE_MEMSLOT; -- x86_set_memory_region(kvm, &mem); -- -- mem.slot = IDENTITY_PAGETABLE_PRIVATE_MEMSLOT; -- x86_set_memory_region(kvm, &mem); -- -- mem.slot = TSS_PRIVATE_MEMSLOT; -- x86_set_memory_region(kvm, &mem); -+ x86_set_memory_region(kvm, APIC_ACCESS_PAGE_PRIVATE_MEMSLOT, 0, 0); -+ x86_set_memory_region(kvm, IDENTITY_PAGETABLE_PRIVATE_MEMSLOT, 0, 0); -+ x86_set_memory_region(kvm, TSS_PRIVATE_MEMSLOT, 0, 0); - } - kvm_iommu_unmap_guest(kvm); - kfree(kvm->arch.vpic); diff --git a/0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch b/0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch new file mode 100644 index 000000000..7dab1ff5c --- /dev/null +++ b/0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch @@ -0,0 +1,63 @@ +From 721ebb3cf4788107424f92ac2da6cfce20c67297 Mon Sep 17 00:00:00 2001 +From: Peter Robinson <pbrobinson@gmail.com> +Date: Sun, 1 Nov 2015 23:54:08 +0000 +Subject: [PATCH] watchdog: omap_wdt: fix null pointer dereference + +Fix issue from two patches overlapping causing a kernel oops + +[ 3569.297449] Unable to handle kernel NULL pointer dereference at virtual address 00000088 +[ 3569.306272] pgd = dc894000 +[ 3569.309287] [00000088] *pgd=00000000 +[ 3569.313104] Internal error: Oops: 5 [#1] SMP ARM +[ 3569.317986] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_security ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_filter ip6_tables iptable_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle musb_dsps cppi41 musb_hdrc phy_am335x udc_core phy_generic phy_am335x_control omap_sham omap_aes omap_rng omap_hwspinlock omap_mailbox hwspinlock_core musb_am335x omap_wdt at24 8250_omap leds_gpio cpufreq_dt smsc davinci_mdio mmc_block ti_cpsw cpsw_common ptp pps_core cpsw_ale davinci_cpdma omap_hsmmc omap_dma mmc_core i2c_dev +[ 3569.386293] CPU: 0 PID: 1429 Comm: wdctl Not tainted 4.3.0-0.rc7.git0.1.fc24.armv7hl #1 +[ 3569.394740] Hardware name: Generic AM33XX (Flattened Device Tree) +[ 3569.401179] task: dbd11a00 ti: dbaac000 task.ti: dbaac000 +[ 3569.406917] PC is at omap_wdt_get_timeleft+0xc/0x20 [omap_wdt] +[ 3569.413106] LR is at watchdog_ioctl+0x3cc/0x42c +[ 3569.417902] pc : [<bf0ab138>] lr : [<c0739c54>] psr: 600f0013 +[ 3569.417902] sp : dbaadf18 ip : 00000003 fp : 7f5d3bbe +[ 3569.430014] r10: 00000000 r9 : 00000003 r8 : bef21ab8 +[ 3569.435535] r7 : dbbc0f7c r6 : dbbc0f18 r5 : bef21ab8 r4 : 00000000 +[ 3569.442427] r3 : 00000000 r2 : 00000000 r1 : 8004570a r0 : dbbc0f18 +[ 3569.449323] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 3569.456858] Control: 10c5387d Table: 9c894019 DAC: 00000051 +[ 3569.462927] Process wdctl (pid: 1429, stack limit = 0xdbaac220) +[ 3569.469179] Stack: (0xdbaadf18 to 0xdbaae000) +[ 3569.473790] df00: bef21ab8 dbf60e38 +[ 3569.482441] df20: dc91b840 8004570a bef21ab8 c03988a4 dbaadf48 dc854000 00000000 dd313850 +[ 3569.491092] df40: ddf033b8 0000570a dc91b80b dbaadf3c dbf60e38 00000020 c0df9250 c0df6c48 +[ 3569.499741] df60: dc91b840 8004570a 00000000 dc91b840 dc91b840 8004570a bef21ab8 00000003 +[ 3569.508389] df80: 00000000 c03989d4 bef21b74 7f5d3bad 00000003 00000036 c020fcc4 dbaac000 +[ 3569.517037] dfa0: 00000000 c020fb00 bef21b74 7f5d3bad 00000003 8004570a bef21ab8 00000001 +[ 3569.525685] dfc0: bef21b74 7f5d3bad 00000003 00000036 00000001 00000000 7f5e4eb0 7f5d3bbe +[ 3569.534334] dfe0: 7f5e4f10 bef21a3c 7f5d0a54 b6e97e0c a00f0010 00000003 00000000 00000000 +[ 3569.543038] [<bf0ab138>] (omap_wdt_get_timeleft [omap_wdt]) from [<c0739c54>] (watchdog_ioctl+0x3cc/0x42c) +[ 3569.553266] [<c0739c54>] (watchdog_ioctl) from [<c03988a4>] (do_vfs_ioctl+0x5bc/0x698) +[ 3569.561648] [<c03988a4>] (do_vfs_ioctl) from [<c03989d4>] (SyS_ioctl+0x54/0x7c) +[ 3569.569400] [<c03989d4>] (SyS_ioctl) from [<c020fb00>] (ret_fast_syscall+0x0/0x3c) +[ 3569.577413] Code: e12fff1e e52de004 e8bd4000 e5903060 (e5933088) +[ 3569.584089] ---[ end trace cec3039bd3ae610a ]--- + +Cc: <stable@vger.kernel.org> # v4.2+ +Signed-off-by: Peter Robinson <pbrobinson@gmail.com> +--- + drivers/watchdog/omap_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/omap_wdt.c b/drivers/watchdog/omap_wdt.c +index d96bee0..6f17c93 100644 +--- a/drivers/watchdog/omap_wdt.c ++++ b/drivers/watchdog/omap_wdt.c +@@ -205,7 +205,7 @@ static int omap_wdt_set_timeout(struct watchdog_device *wdog, + + static unsigned int omap_wdt_get_timeleft(struct watchdog_device *wdog) + { +- struct omap_wdt_dev *wdev = watchdog_get_drvdata(wdog); ++ struct omap_wdt_dev *wdev = to_omap_wdt_dev(wdog); + void __iomem *base = wdev->base; + u32 value; + +-- +2.5.0 + diff --git a/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch b/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch deleted file mode 100644 index 727ee6aca..000000000 --- a/0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 93f27344ac019135dd5ff31a518f1ef2d9e4e4a1 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Mon, 19 Oct 2015 11:33:38 +0100 -Subject: [PATCH 2/2] KEYS: Don't permit request_key() to construct a new - keyring - - If request_key() is used to find a keyring, only do the search part - don't - do the construction part if the keyring was not found by the search. We - don't really want keyrings in the negative instantiated state since the - rejected/negative instantiation error value in the payload is unioned with - keyring metadata. - - Signed-off-by: David Howells <dhowells@redhat.com> ---- - security/keys/request_key.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/security/keys/request_key.c b/security/keys/request_key.c -index 486ef6fa393b..0d6253124278 100644 ---- a/security/keys/request_key.c -+++ b/security/keys/request_key.c -@@ -440,6 +440,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, - - kenter(""); - -+ if (ctx->index_key.type == &key_type_keyring) -+ return ERR_PTR(-EPERM); -+ - user = key_user_lookup(current_fsuid()); - if (!user) - return ERR_PTR(-ENOMEM); --- -2.4.3 - diff --git a/0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch b/0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch deleted file mode 100644 index 261c6e10f..000000000 --- a/0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch +++ /dev/null @@ -1,134 +0,0 @@ -From f0d648bdf0a5bbc91da6099d5282f77996558ea4 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Mon, 12 Oct 2015 13:56:27 +0200 -Subject: [PATCH] KVM: x86: map/unmap private slots in __x86_set_memory_region -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise, two copies (one of them never populated and thus bogus) -are allocated for the regular and SMM address spaces. This breaks -SMM with EPT but without unrestricted guest support, because the -SMM copy of the identity page map is all zeros. - -By moving the allocation to the caller we also remove the last -vestiges of kernel-allocated memory regions (not accessible anymore -in userspace since commit b74a07beed0e, "KVM: Remove kernel-allocated -memory regions", 2010-06-21); that is a nice bonus. - -Reported-by: Alexandre DERUMIER <aderumier@odiso.com> -Cc: stable@vger.kernel.org -Fixes: 9da0e4d5ac969909f6b435ce28ea28135a9cbd69 -Reviewed-by: Radim Krčmář <rkrcmar@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - arch/x86/kvm/x86.c | 62 ++++++++++++++++++++++++++---------------------------- - 1 file changed, 30 insertions(+), 32 deletions(-) - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 7bf8096..3ac33f8 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -7477,23 +7477,53 @@ void kvm_arch_sync_events(struct kvm *kvm) - int __x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size) - { - int i, r; -+ u64 hva; -+ struct kvm_memslots *slots = kvm_memslots(kvm); -+ struct kvm_memory_slot *slot, old; - - /* Called with kvm->slots_lock held. */ - if (WARN_ON(id >= KVM_MEM_SLOTS_NUM)) - return -EINVAL; - -+ slot = id_to_memslot(slots, id); -+ if (size) { -+ if (WARN_ON(slot->npages)) -+ return -EEXIST; -+ -+ /* -+ * MAP_SHARED to prevent internal slot pages from being moved -+ * by fork()/COW. -+ */ -+ hva = vm_mmap(NULL, 0, size, PROT_READ | PROT_WRITE, -+ MAP_SHARED | MAP_ANONYMOUS, 0); -+ if (IS_ERR((void *)hva)) -+ return PTR_ERR((void *)hva); -+ } else { -+ if (!slot->npages) -+ return 0; -+ -+ hva = 0; -+ } -+ -+ old = *slot; - for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) { - struct kvm_userspace_memory_region m; - - m.slot = id | (i << 16); - m.flags = 0; - m.guest_phys_addr = gpa; -+ m.userspace_addr = hva; - m.memory_size = size; - r = __kvm_set_memory_region(kvm, &m); - if (r < 0) - return r; - } - -+ if (!size) { -+ r = vm_munmap(old.userspace_addr, old.npages * PAGE_SIZE); -+ WARN_ON(r < 0); -+ } -+ - return 0; - } - EXPORT_SYMBOL_GPL(__x86_set_memory_region); -@@ -7623,27 +7653,6 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm, - const struct kvm_userspace_memory_region *mem, - enum kvm_mr_change change) - { -- /* -- * Only private memory slots need to be mapped here since -- * KVM_SET_MEMORY_REGION ioctl is no longer supported. -- */ -- if ((memslot->id >= KVM_USER_MEM_SLOTS) && (change == KVM_MR_CREATE)) { -- unsigned long userspace_addr; -- -- /* -- * MAP_SHARED to prevent internal slot pages from being moved -- * by fork()/COW. -- */ -- userspace_addr = vm_mmap(NULL, 0, memslot->npages * PAGE_SIZE, -- PROT_READ | PROT_WRITE, -- MAP_SHARED | MAP_ANONYMOUS, 0); -- -- if (IS_ERR((void *)userspace_addr)) -- return PTR_ERR((void *)userspace_addr); -- -- memslot->userspace_addr = userspace_addr; -- } -- - return 0; - } - -@@ -7705,17 +7714,6 @@ void kvm_arch_commit_memory_region(struct kvm *kvm, - { - int nr_mmu_pages = 0; - -- if (change == KVM_MR_DELETE && old->id >= KVM_USER_MEM_SLOTS) { -- int ret; -- -- ret = vm_munmap(old->userspace_addr, -- old->npages * PAGE_SIZE); -- if (ret < 0) -- printk(KERN_WARNING -- "kvm_vm_ioctl_set_memory_region: " -- "failed to munmap memory\n"); -- } -- - if (!kvm->arch.n_requested_mmu_pages) - nr_mmu_pages = kvm_mmu_calculate_mmu_pages(kvm); - --- -2.5.0 - diff --git a/0003-KVM-x86-fix-previous-commit-for-32-bit.patch b/0003-KVM-x86-fix-previous-commit-for-32-bit.patch deleted file mode 100644 index df99e60f0..000000000 --- a/0003-KVM-x86-fix-previous-commit-for-32-bit.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 25188b9986cf6b0cadcf1bc1d1693a2e9c50ed47 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Wed, 14 Oct 2015 15:51:08 +0200 -Subject: [PATCH] KVM: x86: fix previous commit for 32-bit - -Unfortunately I only noticed this after pushing. - -Fixes: f0d648bdf0a5bbc91da6099d5282f77996558ea4 -Cc: stable@vger.kernel.org -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - arch/x86/kvm/x86.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 6e03546..9a9a198 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -7482,7 +7482,7 @@ void kvm_arch_sync_events(struct kvm *kvm) - int __x86_set_memory_region(struct kvm *kvm, int id, gpa_t gpa, u32 size) - { - int i, r; -- u64 hva; -+ unsigned long hva; - struct kvm_memslots *slots = kvm_memslots(kvm); - struct kvm_memory_slot *slot, old; - --- -2.5.0 - diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch index 88709a324..38236753e 100644 --- a/ACPI-Limit-access-to-custom_method.patch +++ b/ACPI-Limit-access-to-custom_method.patch @@ -1,6 +1,7 @@ +From 4b85149b764cd024e3dd2aff9eb22a9e1aadd1fa Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH] ACPI: Limit access to custom_method +Subject: [PATCH 04/20] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -25,3 +26,6 @@ index c68e72414a67..4277938af700 100644 if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) +-- +2.4.3 + diff --git a/ARM-dts-Add-am335x-bonegreen.patch b/ARM-dts-Add-am335x-bonegreen.patch new file mode 100644 index 000000000..35fb3e4ef --- /dev/null +++ b/ARM-dts-Add-am335x-bonegreen.patch @@ -0,0 +1,103 @@ +From patchwork Fri Sep 25 15:10:31 2015 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: ARM: dts: Add am335x-bonegreen +From: Robert Nelson <robertcnelson@gmail.com> +X-Patchwork-Id: 7265851 +Message-Id: <1443193831-5693-1-git-send-email-robertcnelson@gmail.com> +To: tony@atomide.com, devicetree@vger.kernel.org +Cc: linux-omap@vger.kernel.org, linux-arm-kernel@lists.infradead.org, + Robert Nelson <robertcnelson@gmail.com>, Jason Kridner <jkridner@gmail.com> +Date: Fri, 25 Sep 2015 10:10:31 -0500 + +SeeedStudio BeagleBone Green (BBG) is clone of the BeagleBone Black (BBB) minus +the HDMI port and addition of two Grove connectors (i2c2 and usart2). + +This board can be identified by the 1A value after A335BNLT (BBB) in the at24 eeprom: +1A: [aa 55 33 ee 41 33 33 35 42 4e 4c 54 1a 00 00 00 |.U3.A335BNLT....|] + +http://beagleboard.org/green +http://www.seeedstudio.com/wiki/Beaglebone_green + +Signed-off-by: Robert Nelson <robertcnelson@gmail.com> +CC: Tony Lindgren <tony@atomide.com> +CC: Jason Kridner <jkridner@gmail.com> + +--- +arch/arm/boot/dts/Makefile | 1 + + arch/arm/boot/dts/am335x-bonegreen.dts | 53 ++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+) + create mode 100644 arch/arm/boot/dts/am335x-bonegreen.dts + +diff --git a/arch/arm/boot/dts/Makefile b/arch/arm/boot/dts/Makefile +index 233159d..e45d771 100644 +--- a/arch/arm/boot/dts/Makefile ++++ b/arch/arm/boot/dts/Makefile +@@ -446,6 +446,7 @@ dtb-$(CONFIG_SOC_AM33XX) += \ + am335x-base0033.dtb \ + am335x-bone.dtb \ + am335x-boneblack.dtb \ ++ am335x-bonegreen.dtb \ + am335x-sl50.dtb \ + am335x-evm.dtb \ + am335x-evmsk.dtb \ +diff --git a/arch/arm/boot/dts/am335x-bonegreen.dts b/arch/arm/boot/dts/am335x-bonegreen.dts +new file mode 100644 +index 0000000..0f65bda +--- /dev/null ++++ b/arch/arm/boot/dts/am335x-bonegreen.dts +@@ -0,0 +1,53 @@ ++/* ++ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/ ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++/dts-v1/; ++ ++#include "am33xx.dtsi" ++#include "am335x-bone-common.dtsi" ++ ++/ { ++ model = "TI AM335x BeagleBone Green"; ++ compatible = "ti,am335x-bone-green", "ti,am335x-bone-black", "ti,am335x-bone", "ti,am33xx"; ++}; ++ ++&ldo3_reg { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-always-on; ++}; ++ ++&mmc1 { ++ vmmc-supply = <&vmmcsd_fixed>; ++}; ++ ++&mmc2 { ++ vmmc-supply = <&vmmcsd_fixed>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&emmc_pins>; ++ bus-width = <8>; ++ status = "okay"; ++}; ++ ++&am33xx_pinmux { ++ uart2_pins: uart2_pins { ++ pinctrl-single,pins = < ++ 0x150 (PIN_INPUT | MUX_MODE1) /* spi0_sclk.uart2_rxd */ ++ 0x154 (PIN_OUTPUT | MUX_MODE1) /* spi0_d0.uart2_txd */ ++ >; ++ }; ++}; ++ ++&uart2 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart2_pins>; ++ status = "okay"; ++}; ++ ++&rtc { ++ system-power-controller; ++}; diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index c4feebea5..06ddd1596 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,6 +1,7 @@ +From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH] Add an EFI signature blob parser and key loader. +Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. @@ -32,7 +33,7 @@ index 4870f28403f5..4a1b50d73b80 100644 + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index e47fcd9ac5e8..6512f6596785 100644 +index cd1406f9b14a..d9db380bbe53 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o @@ -173,3 +174,6 @@ index fac43c611614..414c3c3d988d 100644 /** * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address +-- +2.4.3 + diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch index ff4fc0512..015371b8b 100644 --- a/Add-option-to-automatically-enforce-module-signature.patch +++ b/Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,8 @@ +From 37431394b3eeb1ef6d38d0e6b2693210606c2c2c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH] Add option to automatically enforce module signatures when in - Secure Boot mode +Subject: [PATCH 10/20] Add option to automatically enforce module signatures + when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -20,10 +21,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 82fbdbc1e0b0..a811210ad486 100644 +index 95a4d34af3fd..b8527c6b7646 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning +@@ -31,6 +31,8 @@ Offset Proto Name Meaning 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) @@ -33,10 +34,10 @@ index 82fbdbc1e0b0..a811210ad486 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 3dbb7e7909ca..4da6644b1fd0 100644 +index cc0d73eac047..14db458f4774 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1703,6 +1703,16 @@ config EFI_MIXED +@@ -1734,6 +1734,16 @@ config EFI_MIXED If unsure, say N. @@ -54,7 +55,7 @@ index 3dbb7e7909ca..4da6644b1fd0 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 2c82bd150d43..1ef8ea7f8ed9 100644 +index ee1b6d346b98..b4de3faa3f29 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -115,7 +116,7 @@ index 2c82bd150d43..1ef8ea7f8ed9 100644 setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index ab456dc233b5..74ba4083e7ce 100644 +index 329254373479..b61f8533c0fd 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -134,7 +134,8 @@ struct boot_params { @@ -129,10 +130,10 @@ index ab456dc233b5..74ba4083e7ce 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 80f874bf999e..c2e4f52cad30 100644 +index baadbf90a7c5..1ac118146e90 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -146,10 +147,10 @@ index 80f874bf999e..c2e4f52cad30 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index 57474384b66b..b69d657c3700 100644 +index db386349cd01..4b8df91f03cd 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -189,6 +189,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); struct notifier_block; @@ -163,10 +164,10 @@ index 57474384b66b..b69d657c3700 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index e9869c497175..87fa14fedc88 100644 +index 7f045246e123..2b403ab0ef29 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4084,6 +4084,13 @@ void module_layout(struct module *mod, +@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -180,3 +181,6 @@ index e9869c497175..87fa14fedc88 100644 bool secure_modules(void) { #ifdef CONFIG_MODULE_SIG +-- +2.4.3 + diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch index 158e7f1d2..b6e039ff0 100644 --- a/Add-secure_modules-call.patch +++ b/Add-secure_modules-call.patch @@ -1,6 +1,7 @@ +From a1aaf20cffb1a949c5d6b1198690c7c30cfda4d5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH] Add secure_modules() call +Subject: [PATCH 01/20] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -16,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index d67b1932cc59..57474384b66b 100644 +index 3a19c79918e0..db386349cd01 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -551,6 +551,8 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module) return module && module->async_probe_requested; } @@ -28,7 +29,7 @@ index d67b1932cc59..57474384b66b 100644 #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -667,6 +669,10 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module) return false; } @@ -40,10 +41,10 @@ index d67b1932cc59..57474384b66b 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 4d2b82e610e2..e9869c497175 100644 +index b86b7bf1be38..7f045246e123 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4083,3 +4083,13 @@ void module_layout(struct module *mod, +@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -57,3 +58,6 @@ index 4d2b82e610e2..e9869c497175 100644 +#endif +} +EXPORT_SYMBOL(secure_modules); +-- +2.4.3 + diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch index ffc460849..4600848cf 100644 --- a/Add-sysrq-option-to-disable-secure-boot-mode.patch +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -1,6 +1,7 @@ +From 16d2ba5d5bc46e67e6aa7a3d113fbcc18c217388 Mon Sep 17 00:00:00 2001 From: Kyle McMartin <kyle@redhat.com> Date: Fri, 30 Aug 2013 09:28:51 -0400 -Subject: [PATCH] Add sysrq option to disable secure boot mode +Subject: [PATCH 20/20] Add sysrq option to disable secure boot mode Bugzilla: N/A Upstream-status: Fedora mustard @@ -15,7 +16,7 @@ Upstream-status: Fedora mustard 7 files changed, 64 insertions(+), 9 deletions(-) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 5def6b4143fa..1eac9d22cb0b 100644 +index f93826b8522c..41679b1aca83 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -70,6 +70,11 @@ @@ -30,7 +31,7 @@ index 5def6b4143fa..1eac9d22cb0b 100644 #include <video/edid.h> #include <asm/mtrr.h> -@@ -1286,6 +1291,37 @@ void __init i386_reserve_resources(void) +@@ -1261,6 +1266,37 @@ void __init i386_reserve_resources(void) #endif /* CONFIG_X86_32 */ @@ -69,10 +70,10 @@ index 5def6b4143fa..1eac9d22cb0b 100644 .notifier_call = dump_kernel_offset }; diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c -index 421e29e4cd81..61c1eb97806c 100644 +index 345df9b03aed..dea6a6c4a39b 100644 --- a/drivers/input/misc/uinput.c +++ b/drivers/input/misc/uinput.c -@@ -366,6 +366,7 @@ static int uinput_allocate_device(struct uinput_device *udev) +@@ -364,6 +364,7 @@ static int uinput_allocate_device(struct uinput_device *udev) if (!udev->dev) return -ENOMEM; @@ -81,10 +82,10 @@ index 421e29e4cd81..61c1eb97806c 100644 input_set_drvdata(udev->dev, udev); diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index b5b427888b24..289c7898a3b0 100644 +index 95b330a9ea98..dfa3e154a719 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c -@@ -465,6 +465,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { +@@ -472,6 +472,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = { /* x: May be registered on mips for TLB dump */ /* x: May be registered on ppc/powerpc for xmon */ /* x: May be registered on sparc64 for global PMU dump */ @@ -92,7 +93,7 @@ index b5b427888b24..289c7898a3b0 100644 NULL, /* x */ /* y: May be registered on sparc64 for global register dump */ NULL, /* y */ -@@ -508,7 +509,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) +@@ -515,7 +516,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p) sysrq_key_table[i] = op_p; } @@ -101,7 +102,7 @@ index b5b427888b24..289c7898a3b0 100644 { struct sysrq_key_op *op_p; int orig_log_level; -@@ -528,11 +529,15 @@ void __handle_sysrq(int key, bool check_mask) +@@ -535,11 +536,15 @@ void __handle_sysrq(int key, bool check_mask) op_p = __sysrq_get_key_op(key); if (op_p) { @@ -118,7 +119,7 @@ index b5b427888b24..289c7898a3b0 100644 pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); -@@ -564,7 +569,7 @@ void __handle_sysrq(int key, bool check_mask) +@@ -571,7 +576,7 @@ void __handle_sysrq(int key, bool check_mask) void handle_sysrq(int key) { if (sysrq_on()) @@ -127,7 +128,7 @@ index b5b427888b24..289c7898a3b0 100644 } EXPORT_SYMBOL(handle_sysrq); -@@ -645,7 +650,7 @@ static void sysrq_do_reset(unsigned long _state) +@@ -652,7 +657,7 @@ static void sysrq_do_reset(unsigned long _state) static void sysrq_handle_reset_request(struct sysrq_state *state) { if (state->reset_requested) @@ -136,7 +137,7 @@ index b5b427888b24..289c7898a3b0 100644 if (sysrq_reset_downtime_ms) mod_timer(&state->keyreset_timer, -@@ -796,8 +801,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, +@@ -803,8 +808,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq, default: if (sysrq->active && value && value != 2) { @@ -148,7 +149,7 @@ index b5b427888b24..289c7898a3b0 100644 } break; } -@@ -1077,7 +1084,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, +@@ -1084,7 +1091,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf, if (get_user(c, buf)) return -EFAULT; @@ -228,7 +229,7 @@ index 4121345498e0..0ff3cef5df96 100644 return 0; diff --git a/kernel/module.c b/kernel/module.c -index 87fa14fedc88..61385e686d49 100644 +index 2b403ab0ef29..7818c110e95c 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -292,7 +292,7 @@ static void module_assert_mutex_or_preempt(void) @@ -240,3 +241,6 @@ index 87fa14fedc88..61385e686d49 100644 #ifndef CONFIG_MODULE_SIG_FORCE module_param(sig_enforce, bool_enable_only, 0644); #endif /* !CONFIG_MODULE_SIG_FORCE */ +-- +2.4.3 + diff --git a/Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch b/Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch new file mode 100644 index 000000000..63f66fb1b --- /dev/null +++ b/Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch @@ -0,0 +1,119 @@ +From 259072b7a1c20f8612dcaa8e0e027004aa98f864 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Wed, 6 Jan 2016 22:42:35 +0000 +Subject: [PATCH 2/2] Btrfs: fix fitrim discarding device area reserved for + boot loader's use + +As of the 4.3 kernel release, the fitrim ioctl can now discard any region +of a disk that is not allocated to any chunk/block group, including the +first megabyte which is used for our primary superblock and by the boot +loader (grub for example). + +Fix this by not allowing to trim/discard any region in the device starting +with an offset not greater than min(alloc_start_mount_option, 1Mb), just +as it was not possible before 4.3. + +A reproducer test case for xfstests follows. + + seq=`basename $0` + seqres=$RESULT_DIR/$seq + echo "QA output created by $seq" + tmp=/tmp/$$ + status=1 # failure is the default! + trap "_cleanup; exit \$status" 0 1 2 3 15 + + _cleanup() + { + cd / + rm -f $tmp.* + } + + # get standard environment, filters and checks + . ./common/rc + . ./common/filter + + # real QA test starts here + _need_to_be_root + _supported_fs btrfs + _supported_os Linux + _require_scratch + + rm -f $seqres.full + + _scratch_mkfs >>$seqres.full 2>&1 + + # Write to the [0, 64Kb[ and [68Kb, 1Mb[ ranges of the device. These ranges are + # reserved for a boot loader to use (GRUB for example) and btrfs should never + # use them - neither for allocating metadata/data nor should trim/discard them. + # The range [64Kb, 68Kb[ is used for the primary superblock of the filesystem. + $XFS_IO_PROG -c "pwrite -S 0xfd 0 64K" $SCRATCH_DEV | _filter_xfs_io + $XFS_IO_PROG -c "pwrite -S 0xfd 68K 956K" $SCRATCH_DEV | _filter_xfs_io + + # Now mount the filesystem and perform a fitrim against it. + _scratch_mount + _require_batched_discard $SCRATCH_MNT + $FSTRIM_PROG $SCRATCH_MNT + + # Now unmount the filesystem and verify the content of the ranges was not + # modified (no trim/discard happened on them). + _scratch_unmount + echo "Content of the ranges [0, 64Kb] and [68Kb, 1Mb[ after fitrim:" + od -t x1 -N $((64 * 1024)) $SCRATCH_DEV + od -t x1 -j $((68 * 1024)) -N $((956 * 1024)) $SCRATCH_DEV + + status=0 + exit + +Reported-by: Vincent Petry <PVince81@yahoo.fr> +Reported-by: Andrei Borzenkov <arvidjaar@gmail.com> +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109341 +Fixes: 499f377f49f0 (btrfs: iterate over unused chunk space in FITRIM) +Cc: stable@vger.kernel.org # 4.3+ +Signed-off-by: Filipe Manana <fdmanana@suse.com> +--- + fs/btrfs/volumes.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index b816b3a2e118..96f8c827d563 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1208,6 +1208,15 @@ int find_free_dev_extent_start(struct btrfs_transaction *transaction, + int ret; + int slot; + struct extent_buffer *l; ++ u64 min_search_start; ++ ++ /* ++ * We don't want to overwrite the superblock on the drive nor any area ++ * used by the boot loader (grub for example), so we make sure to start ++ * at an offset of at least 1MB. ++ */ ++ min_search_start = max(root->fs_info->alloc_start, 1024ull * 1024); ++ search_start = max(search_start, min_search_start); + + path = btrfs_alloc_path(); + if (!path) +@@ -1348,18 +1357,9 @@ int find_free_dev_extent(struct btrfs_trans_handle *trans, + struct btrfs_device *device, u64 num_bytes, + u64 *start, u64 *len) + { +- struct btrfs_root *root = device->dev_root; +- u64 search_start; +- + /* FIXME use last free of some kind */ +- +- /* +- * we don't want to overwrite the superblock on the drive, +- * so we make sure to start at an offset of at least 1MB +- */ +- search_start = max(root->fs_info->alloc_start, 1024ull * 1024); + return find_free_dev_extent_start(trans->transaction, device, +- num_bytes, search_start, start, len); ++ num_bytes, 0, start, len); + } + + static int btrfs_free_dev_extent(struct btrfs_trans_handle *trans, +-- +2.5.0 + diff --git a/HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch b/HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch new file mode 100644 index 000000000..f6bb5794f --- /dev/null +++ b/HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch @@ -0,0 +1,133 @@ +From 84ac7d370783d4819c5986da1c5d5c62d360dc8f Mon Sep 17 00:00:00 2001 +From: Mika Westerberg <mika.westerberg@linux.intel.com> +Date: Wed, 7 Oct 2015 15:33:43 +0300 +Subject: [PATCH] HID: multitouch: Fetch feature reports on demand for Win8 + devices + +Some newer Intel Skylake based Dell laptops with Win8 precision touchpad +fail when initial feature reports are fetched from it. Below is an example +output with some additional debug included: + + i2c_hid i2c-DLL0704:01: Fetching the HID descriptor + i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=20 00 + i2c_hid i2c-DLL0704:01: HID Descriptor: 1e 00 00 01 99 02 21 00 24 ... + ... + i2c_hid i2c-DLL0704:01: i2c_hid_get_report + i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 38 02 23 00 + i2c_hid i2c-DLL0704:01: report (len=4): 04 00 08 05 + i2c_hid i2c-DLL0704:01: report id 13 + i2c_hid i2c-DLL0704:01: i2c_hid_get_report + i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 3d 02 23 00 + i2c_hid i2c-DLL0704:01: failed to retrieve report from device. + i2c_hid i2c-DLL0704:01: report id 7 + i2c_hid i2c-DLL0704:01: i2c_hid_get_report + i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 37 02 23 00 + i2c_hid i2c-DLL0704:01: report (len=259): 03 01 07 fc 28 fe 84 40 ... + i2c_hid i2c-DLL0704:01: report id 4 + i2c_hid i2c-DLL0704:01: i2c_hid_get_report + i2c_hid i2c-DLL0704:01: __i2c_hid_command: cmd=22 00 34 02 23 00 + +We manage to fetch few reports but then the touchpad dies: + + i2c_designware i2c_designware.1: i2c_dw_handle_tx_abort: lost arbitration + i2c_hid i2c-DLL0704:01: failed to retrieve report from device. + +it eventually pulls the whole I2C bus low: + + i2c_designware i2c_designware.1: controller timed out + i2c_hid i2c-DLL0704:01: failed to set a report to device. + +Fix this by preventing initial feature report retrieval for Win8 devices. +Instead we fetch reports as needed in mt_feature_mapping(). This prevents +fetching reports which might cause problems with the device in question. + +Suggested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Tested-by: Seth Forshee <seth.forshee@canonical.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +--- + drivers/hid/hid-multitouch.c | 45 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 44 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 426b2f1a3450..4afe8d78b366 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -309,6 +309,41 @@ static struct attribute_group mt_attribute_group = { + .attrs = sysfs_attrs + }; + ++static void mt_get_feature(struct hid_device *hdev, struct hid_report *report) ++{ ++ struct mt_device *td = hid_get_drvdata(hdev); ++ int ret, size = hid_report_len(report); ++ u8 *buf; ++ ++ /* ++ * Only fetch the feature report if initial reports are not already ++ * been retrieved. Currently this is only done for Windows 8 touch ++ * devices. ++ */ ++ if (!(hdev->quirks & HID_QUIRK_NO_INIT_REPORTS)) ++ return; ++ if (td->mtclass.name != MT_CLS_WIN_8) ++ return; ++ ++ buf = hid_alloc_report_buf(report, GFP_KERNEL); ++ if (!buf) ++ return; ++ ++ ret = hid_hw_raw_request(hdev, report->id, buf, size, ++ HID_FEATURE_REPORT, HID_REQ_GET_REPORT); ++ if (ret < 0) { ++ dev_warn(&hdev->dev, "failed to fetch feature %d\n", ++ report->id); ++ } else { ++ ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf, ++ size, 0); ++ if (ret) ++ dev_warn(&hdev->dev, "failed to report feature\n"); ++ } ++ ++ kfree(buf); ++} ++ + static void mt_feature_mapping(struct hid_device *hdev, + struct hid_field *field, struct hid_usage *usage) + { +@@ -327,6 +362,8 @@ static void mt_feature_mapping(struct hid_device *hdev, + + break; + case HID_DG_CONTACTMAX: ++ mt_get_feature(hdev, field->report); ++ + td->maxcontact_report_id = field->report->id; + td->maxcontacts = field->value[0]; + if (!td->maxcontacts && +@@ -343,6 +380,7 @@ static void mt_feature_mapping(struct hid_device *hdev, + break; + } + ++ mt_get_feature(hdev, field->report); + if (field->value[usage->usage_index] == MT_BUTTONTYPE_CLICKPAD) + td->is_buttonpad = true; + +@@ -1026,8 +1064,13 @@ static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id) + * reports. Fortunately, the Win8 spec says that all touches + * should be sent during each report, making the initialization + * of input reports unnecessary. ++ * ++ * In addition some touchpads do not behave well if we read ++ * all feature reports from them. Instead we prevent ++ * initial report fetching and then selectively fetch each ++ * report we are interested in. + */ +- hdev->quirks |= HID_QUIRK_NO_INIT_INPUT_REPORTS; ++ hdev->quirks |= HID_QUIRK_NO_INIT_REPORTS; + + td = devm_kzalloc(&hdev->dev, sizeof(struct mt_device), GFP_KERNEL); + if (!td) { +-- +2.5.0 + diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch index fe06d51b9..be35564a6 100644 --- a/KEYS-Add-a-system-blacklist-keyring.patch +++ b/KEYS-Add-a-system-blacklist-keyring.patch @@ -1,6 +1,7 @@ +From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH] KEYS: Add a system blacklist keyring +Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -9,72 +10,15 @@ useful in cases where third party certificates are used for module signing. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> --- + certs/system_keyring.c | 27 +++++++++++++++++++++++++++ include/keys/system_keyring.h | 4 ++++ init/Kconfig | 9 +++++++++ - kernel/module_signing.c | 12 ++++++++++++ - kernel/system_keyring.c | 17 +++++++++++++++++ - 4 files changed, 42 insertions(+) + 3 files changed, 40 insertions(+) -diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h -index 72665eb80692..2c7b80d31366 100644 ---- a/include/keys/system_keyring.h -+++ b/include/keys/system_keyring.h -@@ -28,4 +28,8 @@ static inline struct key *get_system_trusted_keyring(void) - } - #endif - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+extern struct key *system_blacklist_keyring; -+#endif -+ - #endif /* _KEYS_SYSTEM_KEYRING_H */ -diff --git a/init/Kconfig b/init/Kconfig -index af09b4fb43d2..62f6fd191e4f 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1752,6 +1752,15 @@ config SYSTEM_TRUSTED_KEYRING - - Keys in this keyring are used by module signature checking. - -+config SYSTEM_BLACKLIST_KEYRING -+ bool "Provide system-wide ring of blacklisted keys" -+ depends on KEYS -+ help -+ Provide a system keyring to which blacklisted keys can be added. -+ Keys in the keyring are considered entirely untrusted. Keys in this -+ keyring are used by the module signature checking to reject loading -+ of modules signed with a blacklisted key. -+ - config PROFILING - bool "Profiling support" - help -diff --git a/kernel/module_signing.c b/kernel/module_signing.c -index be5b8fac4bd0..fed815fcdaf2 100644 ---- a/kernel/module_signing.c -+++ b/kernel/module_signing.c -@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, - - pr_debug("Look up: \"%s\"\n", id); - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ key = keyring_search(make_key_ref(system_blacklist_keyring, 1), -+ &key_type_asymmetric, id); -+ if (!IS_ERR(key)) { -+ /* module is signed with a cert in the blacklist. reject */ -+ pr_err("Module key '%s' is in blacklist\n", id); -+ key_ref_put(key); -+ kfree(id); -+ return ERR_PTR(-EKEYREJECTED); -+ } -+#endif -+ - key = keyring_search(make_key_ref(system_trusted_keyring, 1), - &key_type_asymmetric, id); - if (IS_ERR(key)) -diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c -index 875f64e8935b..c15e93f5a418 100644 ---- a/kernel/system_keyring.c -+++ b/kernel/system_keyring.c +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 2570598b784d..53733822993f 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c @@ -20,6 +20,9 @@ struct key *system_trusted_keyring; @@ -90,7 +34,7 @@ index 875f64e8935b..c15e93f5a418 100644 set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); + -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", + KUIDT_INIT(0), KGIDT_INIT(0), + current_cred(), @@ -106,3 +50,56 @@ index 875f64e8935b..c15e93f5a418 100644 return 0; } +@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len, + if (ret < 0) + goto error; + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted); ++ if (!ret) { ++ /* module is signed with a cert in the blacklist. reject */ ++ pr_err("Module key is in the blacklist\n"); ++ ret = -EKEYREJECTED; ++ goto error; ++ } ++#endif ++ + ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted); + if (ret < 0) + goto error; +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index b20cd885c1fd..51d8ddc60e0f 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -35,4 +35,8 @@ extern int system_verify_data(const void *data, unsigned long len, + enum key_being_used_for usage); + #endif + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++extern struct key *system_blacklist_keyring; ++#endif ++ + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/init/Kconfig b/init/Kconfig +index 02da9f1fd9df..782d26f02885 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION + module verification, kexec image verification and firmware blob + verification. + ++config SYSTEM_BLACKLIST_KEYRING ++ bool "Provide system-wide ring of blacklisted keys" ++ depends on KEYS ++ help ++ Provide a system keyring to which blacklisted keys can be added. ++ Keys in the keyring are considered entirely untrusted. Keys in this ++ keyring are used by the module signature checking to reject loading ++ of modules signed with a blacklisted key. ++ + config PROFILING + bool "Profiling support" + help +-- +2.4.3 + diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 000000000..5eec95c62 --- /dev/null +++ b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch @@ -0,0 +1,78 @@ +From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 18 Jan 2016 10:53:31 +0000 +Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() + +This fixes CVE-2016-0728. + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include <stddef.h> + #include <stdio.h> + #include <sys/types.h> + #include <keyutils.h> + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats <yevgeny@perception-point.io> +Signed-off-by: David Howells <dhowells@redhat.com> +RH-bugzilla: 1298036 +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index 43b4cddbf2b3..7877e5cd4e23 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } +-- +2.5.0 + diff --git a/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch b/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch new file mode 100644 index 000000000..a9d88a009 --- /dev/null +++ b/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch @@ -0,0 +1,59 @@ +From f3b9db45027a40369fe13c4661c4249d1df8c8d0 Mon Sep 17 00:00:00 2001 +From: Andrew Honig <ahonig@google.com> +Date: Wed, 18 Nov 2015 14:50:23 -0800 +Subject: [PATCH] KVM: x86: Reload pit counters for all channels when restoring + state + +Currently if userspace restores the pit counters with a count of 0 +on channels 1 or 2 and the guest attempts to read the count on those +channels, then KVM will perform a mod of 0 and crash. This will ensure +that 0 values are converted to 65536 as per the spec. + +This is CVE-2015-7513. + +Signed-off-by: Andy Honig <ahonig@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[Backported to 4.3.y by Josh Boyer <jwboyer@fedoraproject.org>] +--- + arch/x86/kvm/x86.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 43609af03283..e124f9c8391e 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3437,10 +3437,11 @@ static int kvm_vm_ioctl_get_pit(struct kvm *kvm, struct kvm_pit_state *ps) + static int kvm_vm_ioctl_set_pit(struct kvm *kvm, struct kvm_pit_state *ps) + { + int r = 0; +- ++ int i; + mutex_lock(&kvm->arch.vpit->pit_state.lock); + memcpy(&kvm->arch.vpit->pit_state, ps, sizeof(struct kvm_pit_state)); +- kvm_pit_load_count(kvm, 0, ps->channels[0].count, 0); ++ for (i = 0; i < 3; i++) ++ kvm_pit_load_count(kvm, i, ps->channels[i].count, 0); + mutex_unlock(&kvm->arch.vpit->pit_state.lock); + return r; + } +@@ -3461,6 +3462,7 @@ static int kvm_vm_ioctl_get_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps) + static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps) + { + int r = 0, start = 0; ++ int i; + u32 prev_legacy, cur_legacy; + mutex_lock(&kvm->arch.vpit->pit_state.lock); + prev_legacy = kvm->arch.vpit->pit_state.flags & KVM_PIT_FLAGS_HPET_LEGACY; +@@ -3470,7 +3472,8 @@ static int kvm_vm_ioctl_set_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps) + memcpy(&kvm->arch.vpit->pit_state.channels, &ps->channels, + sizeof(kvm->arch.vpit->pit_state.channels)); + kvm->arch.vpit->pit_state.flags = ps->flags; +- kvm_pit_load_count(kvm, 0, kvm->arch.vpit->pit_state.channels[0].count, start); ++ for (i = 0; i < 3; i++) ++ kvm_pit_load_count(kvm, i, kvm->arch.vpit->pit_state.channels[i].count, start); + mutex_unlock(&kvm->arch.vpit->pit_state.lock); + return r; + } +-- +2.5.0 + diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index dafc0a668..8a484b6d8 100644 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1,3 +1,4 @@ +From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 26 Oct 2012 12:42:16 -0400 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot @@ -25,12 +26,12 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> create mode 100644 kernel/modsign_uefi.c diff --git a/include/linux/efi.h b/include/linux/efi.h -index 414c3c3d988d..d920a6be6c8b 100644 +index 85ef051ac6fb..a042b2ece788 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -601,6 +601,12 @@ void efi_native_runtime_setup(void); - #define EFI_CERT_X509_GUID \ - EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) +@@ -600,6 +600,12 @@ typedef struct { + u64 table; + } efi_config_table_64_t; +#define EFI_IMAGE_SECURITY_DATABASE_GUID \ + EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) @@ -40,12 +41,12 @@ index 414c3c3d988d..d920a6be6c8b 100644 + typedef struct { efi_guid_t guid; - u64 table; + u32 table; diff --git a/init/Kconfig b/init/Kconfig -index 62f6fd191e4f..648bb79d6b73 100644 +index 02da9f1fd9df..90c73a0564b1 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1906,6 +1906,15 @@ config MODULE_SIG_ALL +@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -62,26 +63,26 @@ index 62f6fd191e4f..648bb79d6b73 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index 43c4c920f30a..3193574387ac 100644 +index d4988410b410..55e886239e7e 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -48,6 +48,7 @@ obj-$(CONFIG_UID16) += uid16.o - obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +@@ -47,6 +47,7 @@ endif + obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o +obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o - obj-$(CONFIG_KEXEC) += kexec.o -@@ -101,6 +102,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o + obj-$(CONFIG_KEXEC_CORE) += kexec_core.o +@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o - $(obj)/configs.o: $(obj)/config_data.h + obj-$(CONFIG_HAS_IOMEM) += memremap.o +$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar + + $(obj)/configs.o: $(obj)/config_data.h + # config_data.h contains the same information as ikconfig.h but gzipped. - # Info from config_data can be extracted from /proc/config* - targets += config_data.gz diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c new file mode 100644 index 000000000000..94b0eb38a284 @@ -180,3 +181,6 @@ index 000000000000..94b0eb38a284 + return rc; +} +late_initcall(load_uefi_certs); +-- +2.4.3 + diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch index 4782e734f..bb5ae2a2c 100644 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ b/MODSIGN-Support-not-importing-certs-from-db.patch @@ -1,6 +1,7 @@ +From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Thu, 3 Oct 2013 10:14:23 -0400 -Subject: [PATCH] MODSIGN: Support not importing certs from db +Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. @@ -78,3 +79,6 @@ index 94b0eb38a284..ae28b974d49a 100644 } mok = get_cert_list(L"MokListRT", &mok_var, &moksize); +-- +2.4.3 + diff --git a/Makefile.config b/Makefile.config index 63549f642..148e21fef 100644 --- a/Makefile.config +++ b/Makefile.config @@ -12,9 +12,9 @@ CONFIGFILES = \ $(CFG)-armv7hl.config $(CFG)-armv7hl-lpae.config \ $(CFG)-aarch64.config \ $(CFG)-ppc64.config $(CFG)-ppc64p7.config $(CFG)-ppc64-debug.config \ - $(CFG)-ppc64le.config + $(CFG)-ppc64le.config $(CFG)-ppc64le-debug.config -PLATFORMS = x86 x86_64 powerpc powerpc64 s390x arm arm64 +PLATFORMS = x86 x86_64 powerpc s390x arm arm64 TEMPFILES = $(addprefix temp-, $(addsuffix -generic, $(PLATFORMS))) configs: $(CONFIGFILES) @@ -74,18 +74,12 @@ temp-x86_64-generic: temp-x86-64 temp-generic temp-x86_64-debug-generic: temp-x86-64 temp-debug-generic perl merge.pl $^ > $@ -temp-powerpc-generic: config-powerpc-generic temp-generic +temp-powerpc64-generic: config-powerpc64-generic temp-generic perl merge.pl $^ > $@ -temp-powerpc-debug-generic: config-powerpc-generic temp-debug-generic +temp-powerpc64-debug-generic: config-powerpc64-generic temp-debug-generic perl merge.pl $^ > $@ -temp-powerpc64-generic: config-powerpc64 temp-powerpc-generic - perl merge.pl $^ > $@ - -temp-powerpc64le-generic: config-powerpc64le temp-powerpc64-generic - perl merge.pl $^ > $@ - temp-s390-generic: config-s390x temp-generic perl merge.pl $^ > $@ @@ -107,16 +101,19 @@ $(CFG)-x86_64.config: /dev/null temp-x86_64-generic $(CFG)-x86_64-debug.config: /dev/null temp-x86_64-debug-generic perl merge.pl $^ x86_64 > $@ -$(CFG)-ppc64.config: /dev/null temp-powerpc64-generic +$(CFG)-ppc64.config: config-powerpc64 temp-powerpc64-generic perl merge.pl $^ powerpc > $@ -$(CFG)-ppc64-debug.config: temp-powerpc64-generic temp-powerpc-debug-generic +$(CFG)-ppc64-debug.config: config-powerpc64 temp-powerpc64-debug-generic perl merge.pl $^ powerpc > $@ $(CFG)-ppc64p7.config: config-powerpc64p7 temp-powerpc64-generic perl merge.pl $^ powerpc > $@ -$(CFG)-ppc64le.config: /dev/null temp-powerpc64le-generic +$(CFG)-ppc64le.config: config-powerpc64le temp-powerpc64-generic + perl merge.pl $^ powerpc > $@ + +$(CFG)-ppc64le-debug.config: config-powerpc64le temp-powerpc64-debug-generic perl merge.pl $^ powerpc > $@ $(CFG)-s390x.config: config-s390x temp-s390-generic diff --git a/Makefile.release b/Makefile.release index f7b704237..fcd90814f 100644 --- a/Makefile.release +++ b/Makefile.release @@ -82,7 +82,3 @@ config-release: @# Change defaults back to sane things. @perl -pi -e 's/CONFIG_MAXSMP=y/# CONFIG_MAXSMP is not set/' config-x86-generic - - @perl -pi -e 's/CONFIG_SCHEDSTATS=y/# CONFIG_SCHEDSTATS is not set/' config-nodebug - @perl -pi -e 's/CONFIG_LATENCYTOP=y/# CONFIG_LATENCYTOP is not set/' config-nodebug - diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 92e028d07..23a514f3b 100644 --- a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,6 +1,8 @@ +From 655fbf360e1481db4f06001f893d388c15ac307f Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH] PCI: Lock down BAR access when module security is enabled +Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is + enabled Any hardware that can potentially generate DMA has to be locked down from userspace in order to avoid it being possible for an attacker to modify @@ -111,3 +113,6 @@ index b91c4da68365..98f5637304d1 100644 return -EPERM; dev = pci_get_bus_and_slot(bus, dfn); +-- +2.4.3 + diff --git a/PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch b/PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch new file mode 100644 index 000000000..3a877105d --- /dev/null +++ b/PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch @@ -0,0 +1,101 @@ +From 61feb31b0dfecfd7949e672a54ac7256f4dd2c3d Mon Sep 17 00:00:00 2001 +From: Christophe Le Roy <christophe.fish@gmail.com> +Date: Fri, 11 Dec 2015 09:13:42 +0100 +Subject: [PATCH] PNP: Add Broadwell to Intel MCH size workaround + +Add device ID 0x1604 for Broadwell to commit cb171f7abb9a ("PNP: +Work around BIOS defects in Intel MCH area reporting"). + +>From a Lenovo ThinkPad T550: + + system 00:01: [io 0x1800-0x189f] could not be reserved + system 00:01: [io 0x0800-0x087f] has been reserved + system 00:01: [io 0x0880-0x08ff] has been reserved + system 00:01: [io 0x0900-0x097f] has been reserved + system 00:01: [io 0x0980-0x09ff] has been reserved + system 00:01: [io 0x0a00-0x0a7f] has been reserved + system 00:01: [io 0x0a80-0x0aff] has been reserved + system 00:01: [io 0x0b00-0x0b7f] has been reserved + system 00:01: [io 0x0b80-0x0bff] has been reserved + system 00:01: [io 0x15e0-0x15ef] has been reserved + system 00:01: [io 0x1600-0x167f] has been reserved + system 00:01: [io 0x1640-0x165f] has been reserved + system 00:01: [mem 0xf8000000-0xfbffffff] could not be reserved + system 00:01: [mem 0xfed1c000-0xfed1ffff] has been reserved + system 00:01: [mem 0xfed10000-0xfed13fff] has been reserved + system 00:01: [mem 0xfed18000-0xfed18fff] has been reserved + system 00:01: [mem 0xfed19000-0xfed19fff] has been reserved + system 00:01: [mem 0xfed45000-0xfed4bfff] has been reserved + system 00:01: Plug and Play ACPI device, IDs PNP0c02 (active) + [...] + resource sanity check: requesting [mem 0xfed10000-0xfed15fff], which spans more than pnp 00:01 [mem 0xfed10000-0xfed13fff] + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 1 at /build/linux-CrHvZ_/linux-4.2.6/arch/x86/mm/ioremap.c:198 __ioremap_caller+0x2ee/0x360() + Info: mapping multiple BARs. Your kernel is fine. + Modules linked in: + CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.2.0-1-amd64 #1 Debian 4.2.6-1 + Hardware name: LENOVO 20CKCTO1WW/20CKCTO1WW, BIOS N11ET34W (1.10 ) 08/20/2015 + 0000000000000000 ffffffff817e6868 ffffffff8154e2f6 ffff8802241efbf8 + ffffffff8106e5b1 ffffc90000e98000 0000000000006000 ffffc90000e98000 + 0000000000006000 0000000000000000 ffffffff8106e62a ffffffff817e68c8 + Call Trace: + [<ffffffff8154e2f6>] ? dump_stack+0x40/0x50 + [<ffffffff8106e5b1>] ? warn_slowpath_common+0x81/0xb0 + [<ffffffff8106e62a>] ? warn_slowpath_fmt+0x4a/0x50 + [<ffffffff810742a3>] ? iomem_map_sanity_check+0xb3/0xc0 + [<ffffffff8105dade>] ? __ioremap_caller+0x2ee/0x360 + [<ffffffff81036ae6>] ? snb_uncore_imc_init_box+0x66/0x90 + [<ffffffff810351a8>] ? uncore_pci_probe+0xc8/0x1a0 + [<ffffffff81302d7f>] ? local_pci_probe+0x3f/0xa0 + [<ffffffff81303ea4>] ? pci_device_probe+0xc4/0x110 + [<ffffffff813d9b1e>] ? driver_probe_device+0x1ee/0x450 + [<ffffffff813d9dfb>] ? __driver_attach+0x7b/0x80 + [<ffffffff813d9d80>] ? driver_probe_device+0x450/0x450 + [<ffffffff813d796a>] ? bus_for_each_dev+0x5a/0x90 + [<ffffffff813d9091>] ? bus_add_driver+0x1f1/0x290 + [<ffffffff81b37fa8>] ? uncore_cpu_setup+0xc/0xc + [<ffffffff813da73f>] ? driver_register+0x5f/0xe0 + [<ffffffff81b38074>] ? intel_uncore_init+0xcc/0x2b0 + [<ffffffff81b37fa8>] ? uncore_cpu_setup+0xc/0xc + [<ffffffff8100213e>] ? do_one_initcall+0xce/0x200 + [<ffffffff8108a100>] ? parse_args+0x140/0x4e0 + [<ffffffff81b2b0cb>] ? kernel_init_freeable+0x162/0x1e8 + [<ffffffff815443f0>] ? rest_init+0x80/0x80 + [<ffffffff815443fe>] ? kernel_init+0xe/0xf0 + [<ffffffff81553e5f>] ? ret_from_fork+0x3f/0x70 + [<ffffffff815443f0>] ? rest_init+0x80/0x80 + ---[ end trace 472e7959536abf12 ]--- + + 00:00.0 Host bridge: Intel Corporation Broadwell-U Host Bridge -OPI (rev 09) + Subsystem: Lenovo Device 2223 + Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- + Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx- + Latency: 0 + Capabilities: [e0] Vendor Specific Information: Len=0c <?> + Kernel driver in use: bdw_uncore + 00: 86 80 04 16 06 00 90 20 09 00 00 06 00 00 00 00 + 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 20: 00 00 00 00 00 00 00 00 00 00 00 00 aa 17 23 22 + 30: 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 + +Signed-off-by: Christophe Le Roy <christophe.fish@gmail.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +--- + drivers/pnp/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c +index 943c1cb9566c..f700723ca5d6 100644 +--- a/drivers/pnp/quirks.c ++++ b/drivers/pnp/quirks.c +@@ -343,6 +343,7 @@ static void quirk_amd_mmconfig_area(struct pnp_dev *dev) + static const unsigned int mch_quirk_devices[] = { + 0x0154, /* Ivy Bridge */ + 0x0c00, /* Haswell */ ++ 0x1604, /* Broadwell */ + }; + + static struct pci_dev *get_intel_host(void) +-- +2.5.0 + diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 27e4b2370..acf28cf88 100644 --- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,6 +1,7 @@ +From d4ae417828427de74e9f857f9caa49580aecf1fe Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -36,3 +37,6 @@ index 53fe675f9bd7..b52c88860532 100644 if (p < (unsigned long) high_memory) { unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); +-- +2.4.3 + diff --git a/SCSI-fix-bug-in-scsi_dev_info_list-matching.patch b/SCSI-fix-bug-in-scsi_dev_info_list-matching.patch new file mode 100644 index 000000000..d79ccf923 --- /dev/null +++ b/SCSI-fix-bug-in-scsi_dev_info_list-matching.patch @@ -0,0 +1,140 @@ +From 4abc12dd59bed74aa1730c2b3129d1750604d530 Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Mon, 3 Aug 2015 11:57:29 -0400 +Subject: [PATCH 2/2] SCSI: fix bug in scsi_dev_info_list matching + +The "compatible" matching algorithm used for looking up old-style +blacklist entries in a scsi_dev_info_list is buggy. The core of the +algorithm looks like this: + + if (memcmp(devinfo->vendor, vendor, + min(max, strlen(devinfo->vendor)))) + /* not a match */ + +where max is the length of the device's vendor string after leading +spaces have been removed but trailing spaces have not. Because of the +min() computation, either entry could be a proper substring of the +other and the code would still think that they match. + +In the case originally reported, the device's vendor and product +strings were "Inateck " and " ". These matched against +the following entry in the global device list: + + {"", "Scanner", "1.80", BLIST_NOLUN} + +because "" is a substring of "Inateck " and "" (the result of removing +leading spaces from the device's product string) is a substring of +"Scanner". The mistaken match prevented the system from scanning and +finding the device's second Logical Unit. + +This patch fixes the problem by making two changes. First, the code +for leading-space removal is hoisted out of the loop. (This means it +will sometimes run unnecessarily, but since a large percentage of all +lookups involve the "compatible" entries in global device list, this +should be an overall improvement.) Second and more importantly, the +patch removes trailing spaces and adds a check to verify that the two +resulting strings are exactly the same length. This prevents matches +where one entry is a proper substring of the other. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-by: Giulio Bernardi <ugilio@gmail.com> +Tested-by: Giulio Bernardi <ugilio@gmail.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +--- + drivers/scsi/scsi_devinfo.c | 69 +++++++++++++++++++++++---------------------- + 1 file changed, 35 insertions(+), 34 deletions(-) + +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 2f49a224462d..2c1160c7ec92 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -407,51 +407,52 @@ static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor, + struct scsi_dev_info_list *devinfo; + struct scsi_dev_info_list_table *devinfo_table = + scsi_devinfo_lookup_by_key(key); ++ size_t vmax, mmax; ++ const char *vskip, *mskip; + + if (IS_ERR(devinfo_table)) + return (struct scsi_dev_info_list *) devinfo_table; + ++ /* Prepare for "compatible" matches */ ++ ++ /* ++ * XXX why skip leading spaces? If an odd INQUIRY ++ * value, that should have been part of the ++ * scsi_static_device_list[] entry, such as " FOO" ++ * rather than "FOO". Since this code is already ++ * here, and we don't know what device it is ++ * trying to work with, leave it as-is. ++ */ ++ vmax = 8; /* max length of vendor */ ++ vskip = vendor; ++ while (vmax > 0 && *vskip == ' ') { ++ vmax--; ++ vskip++; ++ } ++ /* Also skip trailing spaces */ ++ while (vmax > 0 && vskip[vmax - 1] == ' ') ++ --vmax; ++ ++ mmax = 16; /* max length of model */ ++ mskip = model; ++ while (mmax > 0 && *mskip == ' ') { ++ mmax--; ++ mskip++; ++ } ++ while (mmax > 0 && mskip[mmax - 1] == ' ') ++ --mmax; ++ + list_for_each_entry(devinfo, &devinfo_table->scsi_dev_info_list, + dev_info_list) { + if (devinfo->compatible) { + /* + * Behave like the older version of get_device_flags. + */ +- size_t max; +- /* +- * XXX why skip leading spaces? If an odd INQUIRY +- * value, that should have been part of the +- * scsi_static_device_list[] entry, such as " FOO" +- * rather than "FOO". Since this code is already +- * here, and we don't know what device it is +- * trying to work with, leave it as-is. +- */ +- max = 8; /* max length of vendor */ +- while ((max > 0) && *vendor == ' ') { +- max--; +- vendor++; +- } +- /* +- * XXX removing the following strlen() would be +- * good, using it means that for a an entry not in +- * the list, we scan every byte of every vendor +- * listed in scsi_static_device_list[], and never match +- * a single one (and still have to compare at +- * least the first byte of each vendor). +- */ +- if (memcmp(devinfo->vendor, vendor, +- min(max, strlen(devinfo->vendor)))) ++ if (memcmp(devinfo->vendor, vskip, vmax) || ++ devinfo->vendor[vmax]) + continue; +- /* +- * Skip spaces again. +- */ +- max = 16; /* max length of model */ +- while ((max > 0) && *model == ' ') { +- max--; +- model++; +- } +- if (memcmp(devinfo->model, model, +- min(max, strlen(devinfo->model)))) ++ if (memcmp(devinfo->model, mskip, mmax) || ++ devinfo->model[mmax]) + continue; + return devinfo; + } else { +-- +2.5.0 + diff --git a/SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch b/SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch new file mode 100644 index 000000000..e87baad50 --- /dev/null +++ b/SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch @@ -0,0 +1,183 @@ +From 26d61e8347b27a981d647d3ea4ec8c7f462c1fcf Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Mon, 3 Aug 2015 11:57:21 -0400 +Subject: [PATCH 1/2] SCSI: refactor device-matching code in scsi_devinfo.c + +In drivers/scsi/scsi_devinfo.c, the scsi_dev_info_list_del_keyed() and +scsi_get_device_flags_keyed() routines contain a large amount of +duplicate code for finding vendor/product matches in a +scsi_dev_info_list. This patch factors out the duplicate code and +puts it in a separate function, scsi_dev_info_list_find(). + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Suggested-by: Giulio Bernardi <ugilio@gmail.com> +Signed-off-by: James Bottomley <JBottomley@Odin.com> +--- + drivers/scsi/scsi_devinfo.c | 112 ++++++++++++++++---------------------------- + 1 file changed, 41 insertions(+), 71 deletions(-) + +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 9f77d23239a2..2f49a224462d 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -390,25 +390,26 @@ int scsi_dev_info_list_add_keyed(int compatible, char *vendor, char *model, + EXPORT_SYMBOL(scsi_dev_info_list_add_keyed); + + /** +- * scsi_dev_info_list_del_keyed - remove one dev_info list entry. ++ * scsi_dev_info_list_find - find a matching dev_info list entry. + * @vendor: vendor string + * @model: model (product) string + * @key: specify list to use + * + * Description: +- * Remove and destroy one dev_info entry for @vendor, @model ++ * Finds the first dev_info entry matching @vendor, @model + * in list specified by @key. + * +- * Returns: 0 OK, -error on failure. ++ * Returns: pointer to matching entry, or ERR_PTR on failure. + **/ +-int scsi_dev_info_list_del_keyed(char *vendor, char *model, int key) ++static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor, ++ const char *model, int key) + { +- struct scsi_dev_info_list *devinfo, *found = NULL; ++ struct scsi_dev_info_list *devinfo; + struct scsi_dev_info_list_table *devinfo_table = + scsi_devinfo_lookup_by_key(key); + + if (IS_ERR(devinfo_table)) +- return PTR_ERR(devinfo_table); ++ return (struct scsi_dev_info_list *) devinfo_table; + + list_for_each_entry(devinfo, &devinfo_table->scsi_dev_info_list, + dev_info_list) { +@@ -452,25 +453,42 @@ int scsi_dev_info_list_del_keyed(char *vendor, char *model, int key) + if (memcmp(devinfo->model, model, + min(max, strlen(devinfo->model)))) + continue; +- found = devinfo; ++ return devinfo; + } else { + if (!memcmp(devinfo->vendor, vendor, + sizeof(devinfo->vendor)) && + !memcmp(devinfo->model, model, + sizeof(devinfo->model))) +- found = devinfo; ++ return devinfo; + } +- if (found) +- break; + } + +- if (found) { +- list_del(&found->dev_info_list); +- kfree(found); +- return 0; +- } ++ return ERR_PTR(-ENOENT); ++} ++ ++/** ++ * scsi_dev_info_list_del_keyed - remove one dev_info list entry. ++ * @vendor: vendor string ++ * @model: model (product) string ++ * @key: specify list to use ++ * ++ * Description: ++ * Remove and destroy one dev_info entry for @vendor, @model ++ * in list specified by @key. ++ * ++ * Returns: 0 OK, -error on failure. ++ **/ ++int scsi_dev_info_list_del_keyed(char *vendor, char *model, int key) ++{ ++ struct scsi_dev_info_list *found; + +- return -ENOENT; ++ found = scsi_dev_info_list_find(vendor, model, key); ++ if (IS_ERR(found)) ++ return PTR_ERR(found); ++ ++ list_del(&found->dev_info_list); ++ kfree(found); ++ return 0; + } + EXPORT_SYMBOL(scsi_dev_info_list_del_keyed); + +@@ -565,64 +583,16 @@ int scsi_get_device_flags_keyed(struct scsi_device *sdev, + int key) + { + struct scsi_dev_info_list *devinfo; +- struct scsi_dev_info_list_table *devinfo_table; ++ int err; + +- devinfo_table = scsi_devinfo_lookup_by_key(key); ++ devinfo = scsi_dev_info_list_find(vendor, model, key); ++ if (!IS_ERR(devinfo)) ++ return devinfo->flags; + +- if (IS_ERR(devinfo_table)) +- return PTR_ERR(devinfo_table); ++ err = PTR_ERR(devinfo); ++ if (err != -ENOENT) ++ return err; + +- list_for_each_entry(devinfo, &devinfo_table->scsi_dev_info_list, +- dev_info_list) { +- if (devinfo->compatible) { +- /* +- * Behave like the older version of get_device_flags. +- */ +- size_t max; +- /* +- * XXX why skip leading spaces? If an odd INQUIRY +- * value, that should have been part of the +- * scsi_static_device_list[] entry, such as " FOO" +- * rather than "FOO". Since this code is already +- * here, and we don't know what device it is +- * trying to work with, leave it as-is. +- */ +- max = 8; /* max length of vendor */ +- while ((max > 0) && *vendor == ' ') { +- max--; +- vendor++; +- } +- /* +- * XXX removing the following strlen() would be +- * good, using it means that for a an entry not in +- * the list, we scan every byte of every vendor +- * listed in scsi_static_device_list[], and never match +- * a single one (and still have to compare at +- * least the first byte of each vendor). +- */ +- if (memcmp(devinfo->vendor, vendor, +- min(max, strlen(devinfo->vendor)))) +- continue; +- /* +- * Skip spaces again. +- */ +- max = 16; /* max length of model */ +- while ((max > 0) && *model == ' ') { +- max--; +- model++; +- } +- if (memcmp(devinfo->model, model, +- min(max, strlen(devinfo->model)))) +- continue; +- return devinfo->flags; +- } else { +- if (!memcmp(devinfo->vendor, vendor, +- sizeof(devinfo->vendor)) && +- !memcmp(devinfo->model, model, +- sizeof(devinfo->model))) +- return devinfo->flags; +- } +- } + /* nothing found, return nothing */ + if (key != SCSI_DEVINFO_GLOBAL) + return 0; +-- +2.5.0 + diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 807b59841..2794b155f 100644 --- a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,8 @@ +From 32d3dc2147823a32c8a7771d8fe0f2d1ef057c6a Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH] acpi: Ignore acpi_rsdp kernel parameter when module loading - is restricted +Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module + loading is restricted This option allows userspace to pass the RSDP address to the kernel, which makes it possible for a user to circumvent any restrictions imposed on @@ -13,10 +14,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 3b8963f21b36..a5ae6a7fef5e 100644 +index 739a4a6b3b9b..9ef2a020a7a9 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c -@@ -44,6 +44,7 @@ +@@ -40,6 +40,7 @@ #include <linux/list.h> #include <linux/jiffies.h> #include <linux/semaphore.h> @@ -24,7 +25,7 @@ index 3b8963f21b36..a5ae6a7fef5e 100644 #include <asm/io.h> #include <asm/uaccess.h> -@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -33,3 +34,6 @@ index 3b8963f21b36..a5ae6a7fef5e 100644 return acpi_rsdp; #endif +-- +2.4.3 + diff --git a/alua_fix.patch b/alua_fix.patch new file mode 100644 index 000000000..eb278fabb --- /dev/null +++ b/alua_fix.patch @@ -0,0 +1,41 @@ +From 221255aee67ec1c752001080aafec0c4e9390d95 Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke <hare@suse.de> +Date: Tue, 1 Dec 2015 10:16:42 +0100 +Subject: scsi: ignore errors from scsi_dh_add_device() + +device handler initialisation might fail due to a number of +reasons. But as device_handlers are optional this shouldn't +cause us to disable the device entirely. +So just ignore errors from scsi_dh_add_device(). + +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +--- + drivers/scsi/scsi_sysfs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index fc3cd26..d015374 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -1120,11 +1120,12 @@ int scsi_sysfs_add_sdev(struct scsi_device *sdev) + } + + error = scsi_dh_add_device(sdev); +- if (error) { ++ if (error) ++ /* ++ * device_handler is optional, so any error can be ignored ++ */ + sdev_printk(KERN_INFO, sdev, + "failed to add device handler: %d\n", error); +- return error; +- } + + device_enable_async_suspend(&sdev->sdev_dev); + error = device_add(&sdev->sdev_dev); +-- +cgit v0.11.2 + diff --git a/arm64-acpi-drop-expert-patch.patch b/arm64-acpi-drop-expert-patch.patch new file mode 100644 index 000000000..6122732d6 --- /dev/null +++ b/arm64-acpi-drop-expert-patch.patch @@ -0,0 +1,21 @@ +From: Peter Robinson <pbrobinson@gmail.com> +Date: Sun, 3 May 2015 18:35:23 +0100 +Subject: [PATCH] arm64: acpi drop expert patch + +--- + drivers/acpi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig +index 114cf48085ab..70ba3ef9a37b 100644 +--- a/drivers/acpi/Kconfig ++++ b/drivers/acpi/Kconfig +@@ -5,7 +5,7 @@ + menuconfig ACPI + bool "ACPI (Advanced Configuration and Power Interface) Support" + depends on !IA64_HP_SIM +- depends on IA64 || X86 || (ARM64 && EXPERT) ++ depends on IA64 || X86 || ARM64 + depends on PCI + select PNP + default y diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 12a657cb9..3ab7b85ea 100644 --- a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,8 @@ +From 32f701d40657cc3c982b8cba4bf73452ccdd6697 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH] asus-wmi: Restrict debugfs interface when module loading is - restricted +Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module + loading is restricted We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to @@ -48,3 +49,6 @@ index efbc3f0c592b..071171be4b7f 100644 status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, 1, asus->debug.method_id, &input, &output); +-- +2.4.3 + diff --git a/block-ensure-to-split-after-potentially-bouncing-a-b.patch b/block-ensure-to-split-after-potentially-bouncing-a-b.patch new file mode 100644 index 000000000..6dda59a4c --- /dev/null +++ b/block-ensure-to-split-after-potentially-bouncing-a-b.patch @@ -0,0 +1,43 @@ +From 23688bf4f830a89866fd0ed3501e342a7360fe4f Mon Sep 17 00:00:00 2001 +From: Junichi Nomura <j-nomura@ce.jp.nec.com> +Date: Tue, 22 Dec 2015 10:23:44 -0700 +Subject: [PATCH] block: ensure to split after potentially bouncing a bio + +blk_queue_bio() does split then bounce, which makes the segment +counting based on pages before bouncing and could go wrong. Move +the split to after bouncing, like we do for blk-mq, and the we +fix the issue of having the bio count for segments be wrong. + +Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios") +Cc: stable@vger.kernel.org +Tested-by: Artem S. Tashkinov <t.artem@lycos.com> +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + block/blk-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 3636be469fa2..c487b94c59e3 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1689,8 +1689,6 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio) + struct request *req; + unsigned int request_count = 0; + +- blk_queue_split(q, &bio, q->bio_split); +- + /* + * low level driver can indicate that it wants pages above a + * certain limit bounced to low memory (ie for highmem, or even +@@ -1698,6 +1696,8 @@ static blk_qc_t blk_queue_bio(struct request_queue *q, struct bio *bio) + */ + blk_queue_bounce(q, &bio); + ++ blk_queue_split(q, &bio, q->bio_split); ++ + if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) { + bio->bi_error = -EIO; + bio_endio(bio); +-- +2.5.0 + diff --git a/bluetooth-Validate-socket-address-length-in-sco_sock.patch b/bluetooth-Validate-socket-address-length-in-sco_sock.patch new file mode 100644 index 000000000..1ee23fcf4 --- /dev/null +++ b/bluetooth-Validate-socket-address-length-in-sco_sock.patch @@ -0,0 +1,27 @@ +From 5233252fce714053f0151680933571a2da9cbfb4 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" <davem@davemloft.net> +Date: Tue, 15 Dec 2015 15:39:08 -0500 +Subject: [PATCH] bluetooth: Validate socket address length in sco_sock_bind(). + +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/bluetooth/sco.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index fe129663bd3f..f52bcbf2e58c 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, + if (!addr || addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + ++ if (addr_len < sizeof(struct sockaddr_sco)) ++ return -EINVAL; ++ + lock_sock(sk); + + if (sk->sk_state != BT_OPEN) { +-- +2.5.0 + diff --git a/btrfs-handle-invalid-num_stripes-in-sys_array.patch b/btrfs-handle-invalid-num_stripes-in-sys_array.patch new file mode 100644 index 000000000..20bf403bc --- /dev/null +++ b/btrfs-handle-invalid-num_stripes-in-sys_array.patch @@ -0,0 +1,66 @@ +From 43d10880aa4ac713cf73dbac428be9671ef1bf9d Mon Sep 17 00:00:00 2001 +From: David Sterba <dsterba@suse.com> +Date: Mon, 30 Nov 2015 17:27:06 +0100 +Subject: [PATCH 1/2] btrfs: handle invalid num_stripes in sys_array + +We can handle the special case of num_stripes == 0 directly inside +btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to +catch other unhandled cases where we fail to validate external data. + +A crafted or corrupted image crashes at mount time: + +BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0 +BTRFS info (device loop0): disk space caching is enabled +BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()! +Kernel panic - not syncing: BUG! +CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25 +Stack: + 637af890 60062489 602aeb2e 604192ba + 60387961 00000011 637af8a0 6038a835 + 637af9c0 6038776b 634ef32b 00000000 +Call Trace: + [<6001c86d>] show_stack+0xfe/0x15b + [<6038a835>] dump_stack+0x2a/0x2c + [<6038776b>] panic+0x13e/0x2b3 + [<6020f099>] btrfs_read_sys_array+0x25d/0x2ff + [<601cfbbe>] open_ctree+0x192d/0x27af + [<6019c2c1>] btrfs_mount+0x8f5/0xb9a + [<600bc9a7>] mount_fs+0x11/0xf3 + [<600d5167>] vfs_kern_mount+0x75/0x11a + [<6019bcb0>] btrfs_mount+0x2e4/0xb9a + [<600bc9a7>] mount_fs+0x11/0xf3 + [<600d5167>] vfs_kern_mount+0x75/0x11a + [<600d710b>] do_mount+0xa35/0xbc9 + [<600d7557>] SyS_mount+0x95/0xc8 + [<6001e884>] handle_syscall+0x6b/0x8e + +Reported-by: Jiri Slaby <jslaby@suse.com> +Reported-by: Vegard Nossum <vegard.nossum@oracle.com> +CC: stable@vger.kernel.org # 3.19+ +Signed-off-by: David Sterba <dsterba@suse.com> +--- + fs/btrfs/volumes.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 6fc735869c18..b816b3a2e118 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6399,6 +6399,14 @@ int btrfs_read_sys_array(struct btrfs_root *root) + goto out_short_read; + + num_stripes = btrfs_chunk_num_stripes(sb, chunk); ++ if (!num_stripes) { ++ printk(KERN_ERR ++ "BTRFS: invalid number of stripes %u in sys_array at offset %u\n", ++ num_stripes, cur_offset); ++ ret = -EIO; ++ break; ++ } ++ + len = btrfs_chunk_item_size(num_stripes); + if (cur_offset + len > array_size) + goto out_short_read; +-- +2.5.0 + diff --git a/config-arm-generic b/config-arm-generic index 12c9168da..c8984594e 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -40,6 +40,8 @@ CONFIG_FB_SIMPLE=y CONFIG_HAVE_PERF_REGS=y CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_ARM_PMU=y + # ARM AMBA generic HW CONFIG_ARM_AMBA=y CONFIG_KERNEL_MODE_NEON=y @@ -64,6 +66,17 @@ CONFIG_RTC_DRV_PL031=y CONFIG_PL330_DMA=m CONFIG_GPIO_PL061=y CONFIG_USB_ISP1760=m +CONFIG_ARM_PL172_MPMC=m + +# HW crypto and rng +CONFIG_ARM_CRYPTO=y +CONFIG_CRYPTO_AES_ARM=y +CONFIG_CRYPTO_AES_ARM_BS=y +CONFIG_CRYPTO_SHA1_ARM=y +CONFIG_CRYPTO_SHA256_ARM=y +CONFIG_CRYPTO_SHA1_ARM_NEON=y +CONFIG_CRYPTO_SHA512_ARM_NEON=y +CONFIG_CRYPTO_SHA512_ARM=y # ARM VExpress CONFIG_ARCH_VEXPRESS=y @@ -106,6 +119,8 @@ CONFIG_OF_NET=y CONFIG_OF_OVERLAY=y CONFIG_OF_PCI_IRQ=m CONFIG_OF_PCI=m +# CONFIG_PCI_HOST_GENERIC is not set +# CONFIG_PCIE_IPROC is not set CONFIG_OF_RESERVED_MEM=y CONFIG_OF_RESOLVE=y CONFIG_PM_GENERIC_DOMAINS_OF=y @@ -122,15 +137,6 @@ CONFIG_MAILBOX=y CONFIG_ARM_MHU=m # CONFIG_PL320_MBOX is not set -# HW crypto and rng -CONFIG_ARM_CRYPTO=y -CONFIG_CRYPTO_AES_ARM=m -# CONFIG_CRYPTO_AES_ARM_BS is not set -CONFIG_CRYPTO_SHA1_ARM=m -CONFIG_CRYPTO_SHA256_ARM=m -CONFIG_CRYPTO_SHA1_ARM_NEON=m -CONFIG_CRYPTO_SHA512_ARM_NEON=m -CONFIG_CRYPTO_SHA512_ARM=m # USB CONFIG_USB_OHCI_HCD_PLATFORM=m CONFIG_USB_EHCI_HCD_PLATFORM=m @@ -213,6 +219,7 @@ CONFIG_I2C_MUX_GPIO=m CONFIG_I2C_MUX_PINCTRL=m CONFIG_I2C_MUX_PCA9541=m CONFIG_I2C_MUX_PCA954x=m +CONFIG_I2C_MUX_REG=m # spi CONFIG_SPI_PL022=m @@ -280,6 +287,7 @@ CONFIG_VFIO_AMBA=m # CONFIG_KEYBOARD_OMAP4 is not set # CONFIG_KEYBOARD_BCM is not set # CONFIG_PHY_SAMSUNG_USB2 is not set +# CONFIG_OMAP_GPMC_DEBUG is not set ### turn off things which make no sense on embedded SoC @@ -349,3 +357,6 @@ CONFIG_VFIO_AMBA=m # CONFIG_BMP085_SPI is not set # CONFIG_TI_DAC7512 is not set # CONFIG_SPI_ROCKCHIP is not set + +# https://fedoraproject.org/wiki/Features/Checkpoint_Restore +CONFIG_CHECKPOINT_RESTORE=y diff --git a/config-arm64 b/config-arm64 index 60d432f59..2c2139bd6 100644 --- a/config-arm64 +++ b/config-arm64 @@ -18,6 +18,10 @@ CONFIG_ARCH_XGENE=y # CONFIG_ARCH_QCOM is not set # CONFIG_ARCH_SPRD is not set # CONFIG_ARCH_ZYNQMP is not set +# CONFIG_ARCH_BCM_IPROC is not set +# CONFIG_ARCH_BERLIN is not set +# CONFIG_ARCH_ROCKCHIP is not set + # Erratum CONFIG_ARM64_ERRATUM_826319=y @@ -36,7 +40,10 @@ CONFIG_ARM_SMMU_V3=y CONFIG_ARCH_HAS_HOLES_MEMORYMODEL=y CONFIG_ARCH_REQUIRE_GPIOLIB=y CONFIG_ARM64_64K_PAGES=y -# CONFIG_COMPAT is not set + +CONFIG_ARM64_HW_AFDBM=y +CONFIG_ARM64_PAN=y +CONFIG_ARM64_LSE_ATOMICS=y CONFIG_BCMA_POSSIBLE=y CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0 @@ -83,13 +90,13 @@ CONFIG_ACPI_NFIT=m CONFIG_PCC=y CONFIG_ARM64_CRYPTO=y -CONFIG_CRYPTO_SHA1_ARM64_CE=m -CONFIG_CRYPTO_SHA2_ARM64_CE=m +CONFIG_CRYPTO_SHA1_ARM64_CE=y +CONFIG_CRYPTO_SHA2_ARM64_CE=y CONFIG_CRYPTO_GHASH_ARM64_CE=m -CONFIG_CRYPTO_AES_ARM64_CE=m -CONFIG_CRYPTO_AES_ARM64_CE_CCM=m -CONFIG_CRYPTO_AES_ARM64_CE_BLK=m -CONFIG_CRYPTO_AES_ARM64_NEON_BLK=m +CONFIG_CRYPTO_AES_ARM64_CE=y +CONFIG_CRYPTO_AES_ARM64_CE_CCM=y +CONFIG_CRYPTO_AES_ARM64_CE_BLK=y +CONFIG_CRYPTO_AES_ARM64_NEON_BLK=y CONFIG_CRYPTO_CRC32_ARM64=m CONFIG_CRYPTO_DEV_CCP=y CONFIG_CRYPTO_DEV_CCP_DD=m @@ -138,6 +145,10 @@ CONFIG_AMD_XGBE_PHY=m # HiSilicon CONFIG_POWER_RESET_HISI=y CONFIG_HISI_THERMAL=m +CONFIG_STUB_CLK_HI6220=y + +# ThunderX +# CONFIG_MDIO_OCTEON is not set CONFIG_NET_VENDOR_MELLANOX=y CONFIG_MLX4_EN=m @@ -165,3 +176,4 @@ CONFIG_ND_BLK=m CONFIG_DEBUG_SECTION_MISMATCH=y # CONFIG_FSL_MC_BUS is not set +# CONFIG_FUJITSU_ES is not set diff --git a/config-armv7 b/config-armv7 index b39acc274..7c81e1d70 100644 --- a/config-armv7 +++ b/config-armv7 @@ -25,8 +25,6 @@ CONFIG_SOC_OMAP3430=y CONFIG_SOC_TI81XX=y # CONFIG_MACH_NOKIA_RX51 is not set # CONFIG_MACH_OMAP_LDP is not set -# CONFIG_MACH_OMAP3530_LV_SOM is not set -# CONFIG_MACH_OMAP3_TORPEDO is not set # CONFIG_MACH_OMAP3517EVM is not set # CONFIG_MACH_OMAP3_PANDORA is not set @@ -284,6 +282,7 @@ CONFIG_PINCTRL_MSM8960=m CONFIG_PINCTRL_MSM8X74=m CONFIG_PINCTRL_MSM8916=m CONFIG_PINCTRL_QCOM_SPMI_PMIC=m +CONFIG_PINCTRL_QCOM_SSBI_PMIC=m CONFIG_COMMON_CLK_QCOM=m # CONFIG_MSM_GCC_8916 is not set # CONFIG_IPQ_LCC_806X is not set @@ -339,6 +338,13 @@ CONFIG_SND_SOC_LPASS_PLATFORM=m CONFIG_SND_SOC_STORM=m CONFIG_PHY_QCOM_UFS=m CONFIG_HWSPINLOCK_QCOM=m +CONFIG_QCOM_COINCELL=m +CONFIG_USB_QCOM_8X16_PHY=m +CONFIG_QCOM_SMD=m +CONFIG_QCOM_SMD_RPM=m +CONFIG_QCOM_SMEM=m +CONFIG_REGULATOR_QCOM_SMD_RPM=m +# CONFIG_QCOM_SMEM is not set # i.MX # CONFIG_MXC_DEBUG_BOARD is not set @@ -348,6 +354,7 @@ CONFIG_SOC_IMX53=y CONFIG_SOC_IMX6Q=y CONFIG_SOC_IMX6SL=y CONFIG_SOC_IMX6SX=y +CONFIG_SOC_IMX6UL=y CONFIG_SOC_IMX7D=y # CONFIG_SOC_LS1021A is not set # CONFIG_SOC_VF610 is not set @@ -371,6 +378,7 @@ CONFIG_NET_VENDOR_FREESCALE=y CONFIG_FEC=m # CONFIG_FSL_PQ_MDIO is not set # CONFIG_FSL_XGMAC_MDIO is not set +CONFIG_KEYBOARD_SNVS_PWRKEY=m CONFIG_KEYBOARD_IMX=m CONFIG_KEYBOARD_STMPE=m CONFIG_TOUCHSCREEN_STMPE=m @@ -404,6 +412,7 @@ CONFIG_RTC_DRV_SNVS=m CONFIG_FB_MXS=m # CONFIG_FB_MX3 is not set # CONFIG_FB_IMX is not set +CONFIG_TOUCHSCREEN_IMX6UL_TSC=m CONFIG_SND_IMX_SOC=m CONFIG_SND_SOC_FSL_ASOC_CARD=m @@ -493,8 +502,6 @@ CONFIG_ARCH_EXYNOS4=y CONFIG_SOC_EXYNOS4212=y CONFIG_SOC_EXYNOS4412=y CONFIG_SOC_EXYNOS4415=y -CONFIG_ARM_EXYNOS4210_CPUFREQ=y -CONFIG_ARM_EXYNOS4X12_CPUFREQ=y CONFIG_AK8975=m CONFIG_CM36651=m CONFIG_KEYBOARD_SAMSUNG=m @@ -620,6 +627,7 @@ CONFIG_CADENCE_WATCHDOG=m CONFIG_REGULATOR_ISL9305=m CONFIG_EDAC_SYNOPSYS=m CONFIG_PINCTRL_ZYNQ=y +CONFIG_AXI_DMAC=m # Multi function devices CONFIG_MFD_88PM800=m diff --git a/config-armv7-generic b/config-armv7-generic index 2b578e7b2..1fcaa9662 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -33,6 +33,7 @@ CONFIG_XZ_DEC_ARMTHUMB=y CONFIG_ARCH_HAS_TICK_BROADCAST=y CONFIG_IRQ_CROSSBAR=y CONFIG_IOMMU_IO_PGTABLE_LPAE=y +CONFIG_CPU_SW_DOMAIN_PAN=y # CONFIG_MCPM is not set # CONFIG_OABI_COMPAT is not set @@ -141,7 +142,6 @@ CONFIG_XZ_DEC_ARM=y CONFIG_PCI_HOST_GENERIC=y # CONFIG_PCI_LAYERSCAPE is not set -# CONFIG_PCIE_IPROC is not set # Do NOT enable this, it breaks stuff and makes things go slow # CONFIG_UACCESS_WITH_MEMCPY is not set @@ -183,6 +183,7 @@ CONFIG_MACH_SUN7I=y CONFIG_MACH_SUN8I=y # CONFIG_MACH_SUN9I is not set CONFIG_SUNXI_SRAM=y +CONFIG_DMA_SUN4I=m CONFIG_DMA_SUN6I=m CONFIG_SUNXI_WATCHDOG=m CONFIG_NET_VENDOR_ALLWINNER=y @@ -215,6 +216,8 @@ CONFIG_MTD_NAND_SUNXI=m CONFIG_SERIO_SUN4I_PS2=m CONFIG_KEYBOARD_SUN4I_LRADC=m CONFIG_PWM_SUN4I=m +CONFIG_USB_MUSB_SUNXI=m +CONFIG_CRYPTO_DEV_SUN4I_SS=m # Exynos CONFIG_ARCH_EXYNOS3=y @@ -229,8 +232,6 @@ CONFIG_SOC_EXYNOS5410=y CONFIG_SOC_EXYNOS5800=y CONFIG_SERIAL_SAMSUNG=y CONFIG_SERIAL_SAMSUNG_CONSOLE=y -CONFIG_ARM_EXYNOS_CPUFREQ=m -CONFIG_ARM_EXYNOS5250_CPUFREQ=y CONFIG_ARM_EXYNOS5440_CPUFREQ=m CONFIG_ARM_EXYNOS_CPU_FREQ_BOOST_SW=y # CONFIG_ARM_EXYNOS_CPUIDLE is not set @@ -352,6 +353,9 @@ CONFIG_DRM_ROCKCHIP=m CONFIG_ROCKCHIP_DW_HDMI=m CONFIG_PHY_ROCKCHIP_USB=m CONFIG_DWMAC_ROCKCHIP=m +CONFIG_SND_SOC_ROCKCHIP_MAX98090=m +CONFIG_SND_SOC_ROCKCHIP_RT5645=m +CONFIG_REGULATOR_ACT8865=m # Tegra CONFIG_ARCH_TEGRA_114_SOC=y @@ -393,6 +397,8 @@ CONFIG_TEGRA_SOCTHERM=m CONFIG_TEGRA_MC=y CONFIG_TEGRA124_EMC=y CONFIG_ARM_TEGRA_DEVFREQ=m +# CONFIG_ARM_TEGRA20_CPUFREQ is not set +CONFIG_ARM_TEGRA124_CPUFREQ=m # Jetson TK1 CONFIG_PINCTRL_AS3722=y @@ -457,6 +463,7 @@ CONFIG_COMMON_CLK_SI5351=m CONFIG_RTC_DRV_ARMADA38X=m # CONFIG_CACHE_FEROCEON_L2 is not set # CONFIG_CACHE_FEROCEON_L2_WRITETHROUGH is not set +CONFIG_LEDS_NS2=m # DRM panels CONFIG_DRM_PANEL=y @@ -464,6 +471,9 @@ CONFIG_DRM_PANEL_SIMPLE=m CONFIG_DRM_PANEL_LD9040=m CONFIG_DRM_PANEL_S6E8AA0=m CONFIG_DRM_PANEL_SHARP_LQ101R1SX01=m +CONFIG_DRM_PANEL_LG_LG4573=m +CONFIG_DRM_PANEL_SAMSUNG_LD9040=m +CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0=m CONFIG_DRM_DW_HDMI=m # regmap @@ -718,6 +728,7 @@ CONFIG_REGULATOR_DA9211=m CONFIG_REGULATOR_ISL9305=m CONFIG_REGULATOR_MAX77802=m CONFIG_REGULATOR_PWM=m +# CONFIG_REGULATOR_MT6311 is not set CONFIG_SENSORS_LTC2978_REGULATOR=y CONFIG_POWER_AVS=y @@ -748,6 +759,7 @@ CONFIG_SENSORS_ISL29028=m CONFIG_SENSORS_LIS3_SPI=m CONFIG_SENSORS_LM70=m CONFIG_SENSORS_MAX1111=m +CONFIG_MPL3115=m CONFIG_SI7005=m CONFIG_SI7020=m @@ -856,6 +868,7 @@ CONFIG_R8188EU=m # CONFIG_DRM_TILCDC is not set # CONFIG_DRM_IMX is not set # CONFIG_DRM_STI is not set +# CONFIG_DRM_FSL_DCU is not set # CONFIG_AHCI_IMX is not set # CONFIG_IMX_THERMAL is not set # CONFIG_TI_DAC7512 is not set diff --git a/config-armv7-lpae b/config-armv7-lpae index 5166b6cd4..483c49960 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -12,6 +12,7 @@ CONFIG_ARCH_KEYSTONE=y # CONFIG_ARCH_AXXIA is not set CONFIG_ARM_LPAE=y +# CONFIG_CPU_SW_DOMAIN_PAN is not set CONFIG_SYS_SUPPORTS_HUGETLBFS=y CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y CONFIG_ARM_VIRT_EXT=y diff --git a/config-debug b/config-debug index cfb1d380b..d57a218ea 100644 --- a/config-debug +++ b/config-debug @@ -90,7 +90,7 @@ CONFIG_RTLWIFI_DEBUG=y CONFIG_DEBUG_OBJECTS_WORK=y CONFIG_DMADEVICES_DEBUG=y -CONFIG_DMADEVICES_VDEBUG=y +# CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y diff --git a/config-generic b/config-generic index de0c6bc29..bc0e2970c 100644 --- a/config-generic +++ b/config-generic @@ -51,8 +51,10 @@ CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y CONFIG_FUTEX=y +# CONFIG_FAIL_FUTEX is not set CONFIG_EPOLL=y CONFIG_BPF_SYSCALL=y +CONFIG_USERFAULTFD=y CONFIG_IOSCHED_NOOP=y CONFIG_IOSCHED_DEADLINE=y CONFIG_IOSCHED_CFQ=y @@ -67,6 +69,7 @@ CONFIG_NET_NS=y CONFIG_USER_NS=y CONFIG_POSIX_MQUEUE=y +CONFIG_KDBUS=m # CONFIG_PREEMPT_NONE is not set CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set @@ -143,6 +146,8 @@ CONFIG_MMC_TIFM_SD=m CONFIG_MMC_WBSD=m CONFIG_MMC_VIA_SDMMC=m CONFIG_MMC_SDHCI_PLTFM=m +# CONFIG_MMC_SDHCI_OF is not set +# CONFIG_MMC_SDHCI_OF_AT91 is not set CONFIG_MMC_CB710=m CONFIG_MMC_RICOH_MMC=y CONFIG_MMC_USHC=m @@ -172,10 +177,12 @@ CONFIG_INFINIBAND_SRPT=m CONFIG_INFINIBAND_USER_MAD=m CONFIG_INFINIBAND_USER_ACCESS=m CONFIG_INFINIBAND_ON_DEMAND_PAGING=y -CONFIG_INFINIBAND_IPATH=m +# Deprecated and moved to staging +# CONFIG_INFINIBAND_IPATH is not set CONFIG_INFINIBAND_ISER=m CONFIG_INFINIBAND_ISERT=m -CONFIG_INFINIBAND_AMSO1100=m +# Deprecated and moved to staging +# CONFIG_INFINIBAND_AMSO1100 is not set # CONFIG_INFINIBAND_AMSO1100_DEBUG is not set CONFIG_INFINIBAND_CXGB3=m CONFIG_INFINIBAND_CXGB4=m @@ -320,6 +327,8 @@ CONFIG_MTD_CFI_I2=y # CONFIG_MTD_NAND_ECC_BCH is not set # CONFIG_MTD_NAND_DISKONCHIP is not set # CONFIG_MTD_NAND_HISI504 is not set +# CONFIG_MTD_NAND_DENALI_PCI is not set +# CONFIG_MTD_NAND_DENALI_DT is not set # CONFIG_MTD_LPDDR is not set CONFIG_MTD_UBI=m CONFIG_MTD_UBI_WL_THRESHOLD=4096 @@ -349,6 +358,7 @@ CONFIG_HOTPLUG_PCI_ACPI_IBM=m # CONFIG_ND_BLK is not set # CONFIG_BTT is not set +# CONFIG_NVMEM is not set # # Block devices @@ -382,6 +392,7 @@ CONFIG_BLK_DEV_RAM_SIZE=16384 CONFIG_BLK_DEV_PMEM=m CONFIG_BLK_DEV_INITRD=y CONFIG_BLK_DEV_IO_TRACE=y +CONFIG_BLK_DEV_RAM_DAX=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y @@ -818,6 +829,7 @@ CONFIG_IP_VS_PROTO_ESP=y CONFIG_IP_VS_PROTO_AH=y CONFIG_IP_VS_PROTO_SCTP=y CONFIG_IP_VS_FO=m +CONFIG_IP_VS_OVF=m CONFIG_IP_VS_IPV6=y CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m @@ -846,6 +858,7 @@ CONFIG_INET6_AH=m CONFIG_INET6_ESP=m CONFIG_INET6_IPCOMP=m CONFIG_IPV6_MIP6=y +CONFIG_IPV6_ILA=m CONFIG_IPV6_VTI=m CONFIG_IPV6_SIT=m CONFIG_IPV6_SIT_6RD=y @@ -1073,8 +1086,12 @@ CONFIG_NFT_REJECT=m CONFIG_NFT_COMPAT=m CONFIG_NF_TABLES_IPV4=m +CONFIG_NF_DUP_IPV4=m +CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_DUP_IPV6=m CONFIG_NFT_CHAIN_ROUTE_IPV4=m CONFIG_NFT_CHAIN_NAT_IPV4=m CONFIG_NF_TABLES_ARP=m @@ -1262,6 +1279,7 @@ CONFIG_BATMAN_ADV_MCAST=y # CONFIG_BATMAN_ADV_DEBUG is not set CONFIG_OPENVSWITCH=m +CONFIG_OPENVSWITCH_CONNTRACK=y CONFIG_OPENVSWITCH_GRE=y CONFIG_OPENVSWITCH_VXLAN=y CONFIG_OPENVSWITCH_GENEVE=y @@ -1300,6 +1318,7 @@ CONFIG_TUN=m # CONFIG_TUN_VNET_CROSS_LE is not set CONFIG_VETH=m CONFIG_NLMON=m +CONFIG_NET_VRF=m # # ATM @@ -1353,6 +1372,8 @@ CONFIG_L2TP_ETH=m # CONFIG_CAIF is not set +CONFIG_LWTUNNEL=y + CONFIG_RFKILL=m CONFIG_RFKILL_GPIO=m CONFIG_RFKILL_INPUT=y @@ -1574,6 +1595,9 @@ CONFIG_SUNGEM=m CONFIG_CASSINI=m CONFIG_NIU=m +# CONFIG_NET_VENDOR_SYNOPSYS is not set +# CONFIG_SYNOPSYS_DWC_ETH_QOS is not set + CONFIG_NET_VENDOR_TEHUTI=y CONFIG_TEHUTI=m @@ -1600,6 +1624,7 @@ CONFIG_BCM87XX_PHY=m CONFIG_CICADA_PHY=m CONFIG_DAVICOM_PHY=m CONFIG_DP83640_PHY=m +CONFIG_MICROCHIP_PHY=m CONFIG_FIXED_PHY=y CONFIG_MDIO_BITBANG=m CONFIG_MDIO_BCM_UNIMAC=m @@ -1617,7 +1642,10 @@ CONFIG_STE10XP=m CONFIG_VITESSE_PHY=m CONFIG_MICREL_PHY=m CONFIG_DP83867_PHY=m +CONFIG_DP83848_PHY=m # CONFIG_MICREL_KS8995MA is not set +CONFIG_AQUANTIA_PHY=m +CONFIG_TERANETICS_PHY=m CONFIG_MII=m CONFIG_NET_CORE=y @@ -1632,6 +1660,7 @@ CONFIG_BCMGENET=m CONFIG_BNX2=m CONFIG_BNX2X=m CONFIG_BNX2X_SRIOV=y +CONFIG_BNX2X_VXLAN=y CONFIG_CNIC=m CONFIG_FEALNX=m CONFIG_ETHOC=m @@ -1649,6 +1678,7 @@ CONFIG_JME=m # CONFIG_MLX4_EN is not set # CONFIG_MLX4_EN_VXLAN is not set # CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set # CONFIG_SFC is not set # CONFIG_FDDI is not set @@ -1861,6 +1891,7 @@ CONFIG_USB_NET_RNDIS_WLAN=m CONFIG_USB_NET_KALMIA=m CONFIG_USB_NET_QMI_WWAN=m CONFIG_USB_NET_SMSC75XX=m +CONFIG_USB_NET_CH9200=m # CONFIG_WL_TI is not set CONFIG_ZD1211RW=m # CONFIG_ZD1211RW_DEBUG is not set @@ -1893,14 +1924,15 @@ CONFIG_IEEE802154_SOCKET=m CONFIG_IEEE802154_6LOWPAN=m CONFIG_IEEE802154_DRIVERS=m CONFIG_IEEE802154_FAKELB=m +CONFIG_IEEE802154_ATUSB=m CONFIG_IEEE802154_CC2520=m # CONFIG_IEEE802154_AT86RF230 is not set # CONFIG_IEEE802154_MRF24J40 is not set -CONFIG_IEEE802154_ATUSB=m CONFIG_MAC802154=m CONFIG_NET_MPLS_GSO=m CONFIG_MPLS_ROUTING=m +CONFIG_MPLS_IPTUNNEL=m CONFIG_NET_SWITCHDEV=y @@ -2017,6 +2049,7 @@ CONFIG_NFC_ST21NFCA_I2C=m # CONFIG_NFC_NCI_SPI is not set # CONFIG_NFC_NCI_UART is not set # CONFIG_NFC_ST_NCI is not set +# CONFIG_NFC_S3FWRN5_I2C is not set # @@ -2062,6 +2095,7 @@ CONFIG_WINBOND_FIR=m # CONFIG_BT=m CONFIG_BT_BREDR=y +CONFIG_BT_HS=y CONFIG_BT_LE=y CONFIG_BT_6LOWPAN=m # CONFIG_BT_SELFTEST is not set @@ -2090,6 +2124,7 @@ CONFIG_BT_HCIUART_ATH3K=y CONFIG_BT_HCIUART_3WIRE=y CONFIG_BT_HCIUART_INTEL=y CONFIG_BT_HCIUART_BCM=y +CONFIG_BT_HCIUART_QCA=y CONFIG_BT_HCIDTL1=m CONFIG_BT_HCIBT3C=m CONFIG_BT_HCIBLUECARD=m @@ -2103,6 +2138,7 @@ CONFIG_BT_HCIUART_LL=y CONFIG_BT_MRVL=m CONFIG_BT_MRVL_SDIO=m CONFIG_BT_ATH3K=m +CONFIG_BT_QCA=m CONFIG_BT_WILINK=m # @@ -2420,6 +2456,7 @@ CONFIG_TOUCHSCREEN_ZFORCE=m # CONFIG_TOUCHSCREEN_CHIPONE_ICN8318 is not set # CONFIG_TOUCHSCREEN_SX8654 is not set # CONFIG_TOUCHSCREEN_WDT87XX_I2C is not set +# CONFIG_TOUCHSCREEN_IMX6UL_TSC is not set CONFIG_INPUT_MISC=y CONFIG_INPUT_E3X0_BUTTON=m @@ -2483,7 +2520,7 @@ CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_CONSOLE=y CONFIG_SERIAL_8250_CS=m CONFIG_SERIAL_8250_NR_UARTS=32 -CONFIG_SERIAL_8250_RUNTIME_UARTS=4 +CONFIG_SERIAL_8250_RUNTIME_UARTS=32 CONFIG_SERIAL_8250_EXTENDED=y CONFIG_SERIAL_8250_MANY_PORTS=y CONFIG_SERIAL_8250_SHARE_IRQ=y @@ -2503,6 +2540,7 @@ CONFIG_SERIAL_JSM=m # CONFIG_SERIAL_ALTERA_JTAGUART is not set # CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_UARTLITE is not set # # Non-8250 serial port support @@ -2542,6 +2580,7 @@ CONFIG_I2C_CHARDEV=m # CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PINCTRL is not set +# CONFIG_I2C_MUX_REG is not set # # @@ -2570,6 +2609,7 @@ CONFIG_I2C_ALGOPCA=m # CONFIG_I2C_NFORCE2_S4985 is not set # CONFIG_I2C_EG20T is not set # CONFIG_I2C_CBUS_GPIO is not set +# CONFIG_I2C_EMEV2 is not set CONFIG_I2C_VIPERBOARD=m CONFIG_EEPROM_AT24=m @@ -2761,6 +2801,7 @@ CONFIG_SENSORS_AD7314=m CONFIG_PMBUS=m CONFIG_SENSORS_PMBUS=m CONFIG_SENSORS_MAX16064=m +CONFIG_SENSORS_MAX20751=m CONFIG_SENSORS_LM25066=m CONFIG_SENSORS_LTC2978=m CONFIG_SENSORS_MAX34440=m @@ -2788,7 +2829,7 @@ CONFIG_HID_SENSOR_IIO_TRIGGER=m # CONFIG_AD5380 is not set # CONFIG_AD5064 is not set # CONFIG_BMA180 is not set -# CONFIG_BMC150_ACCEL is not set +CONFIG_BMC150_ACCEL=m # CONFIG_MAX1363 is not set # CONFIG_MAX517 is not set # CONFIG_MAX5821 is not set @@ -2882,6 +2923,9 @@ CONFIG_ACPI_ALS=m CONFIG_KXCJK1013=m # CONFIG_ISL29125 is not set # CONFIG_JSA1212 is not set +CONFIG_RPR0521=m +CONFIG_OPT3001=m +CONFIG_PA12203001=m # CONFIG_TCS3414 is not set # CONFIG_AK09911 is not set # CONFIG_T5403 is not set @@ -3106,6 +3150,7 @@ CONFIG_RTC_DRV_PCF85063=m # CONFIG_RTC_DRV_ISL12057 is not set # CONFIG_RTC_DRV_XGENE is not set # CONFIG_RTC_DRV_ABB5ZES3 is not set +# CONFIG_RTC_DRV_ZYNQMP is not set CONFIG_R3964=m # CONFIG_APPLICOM is not set @@ -3131,6 +3176,7 @@ CONFIG_VGA_ARB_MAX_GPUS=16 CONFIG_DRM=m +CONFIG_DRM_FBDEV_EMULATION=y CONFIG_DRM_LOAD_EDID_FIRMWARE=y CONFIG_DRM_AST=m # do not enable on f17 or older CONFIG_DRM_CIRRUS_QEMU=m # do not enable on f17 or older @@ -3159,6 +3205,8 @@ CONFIG_DRM_NOUVEAU_BACKLIGHT=y CONFIG_DRM_I2C_ADV7511=m CONFIG_DRM_I2C_CH7006=m CONFIG_DRM_I2C_SIL164=m +# CONFIG_DRM_NXP_PTN3460 is not set +# CONFIG_DRM_PARADE_PS8622 is not set CONFIG_DRM_I2C_NXP_TDA998X=m CONFIG_DRM_UDL=m CONFIG_DRM_VMWGFX=m @@ -3171,6 +3219,7 @@ CONFIG_DRM_PS8622=m # CONFIG_DRM_PANEL is not set # CONFIG_DRM_PANEL_SIMPLE is not set # CONFIG_DRM_PANEL_S6E8AA0 is not set +# CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set CONFIG_DRM_VGEM=m # @@ -3342,6 +3391,7 @@ CONFIG_DVB_FIREDTV=m CONFIG_DVB_NGENE=m CONFIG_DVB_DDBRIDGE=m CONFIG_DVB_SMIPCIE=m +CONFIG_DVB_NETUP_UNIDVB=m CONFIG_DVB_USB_TECHNISAT_USB2=m CONFIG_DVB_USB_V2=m @@ -3443,6 +3493,7 @@ CONFIG_V4L_MEM2MEM_DRIVERS=y # CONFIG_VIDEO_SH_VEU is not set # CONFIG_VIDEO_RENESAS_VSP1 is not set # CONFIG_V4L_TEST_DRIVERS is not set +# CONFIG_DVB_PLATFORM_DRIVERS is not set # # Broadcom Crystal HD video decoder driver @@ -3525,6 +3576,7 @@ CONFIG_FB_EFI=y # CONFIG_FB_UDL is not set # CONFIG_FB_GOLDFISH is not set # CONFIG_FB_OPENCORES is not set +# CONFIG_FB_SM712 is not set # CONFIG_FIRMWARE_EDID is not set @@ -3765,6 +3817,7 @@ CONFIG_USB_SL811_HCD_ISO=y # CONFIG_USB_SL811_CS is not set # CONFIG_USB_R8A66597_HCD is not set CONFIG_USB_XHCI_HCD=y +# CONFIG_USB_XHCI_PLATFORM is not set # CONFIG_USB_MAX3421_HCD is not set # @@ -3873,6 +3926,7 @@ CONFIG_HID_EMS_FF=m CONFIG_HID_ELECOM=m CONFIG_HID_ELO=m CONFIG_HID_EZKEY=m +CONFIG_HID_GEMBIRD=m CONFIG_HID_UCLOGIC=m CONFIG_HID_WALTOP=m CONFIG_HID_ACRUX=m @@ -3976,6 +4030,7 @@ CONFIG_USB_KAWETH=m CONFIG_USB_PEGASUS=m CONFIG_USB_RTL8150=m CONFIG_USB_RTL8152=m +CONFIG_USB_LAN78XX=m CONFIG_USB_USBNET=m CONFIG_USB_SPEEDTOUCH=m CONFIG_USB_NET_AX8817X=m @@ -4260,6 +4315,7 @@ CONFIG_MFD_VIPERBOARD=m # CONFIG_MFD_RT5033 is not set # CONFIG_MFD_SKY81452 is not set # CONFIG_MFD_MAX77843 is not set +# CONFIG_MFD_DA9062 is not set # CONFIG_EZX_PCAP is not set # CONFIG_INTEL_SOC_PMIC is not set @@ -4273,7 +4329,7 @@ CONFIG_MISC_FILESYSTEMS=y # CONFIG_EXT2_FS is not set # CONFIG_EXT3_FS is not set CONFIG_EXT4_FS=y -CONFIG_EXT4_USE_FOR_EXT23=y +CONFIG_EXT4_USE_FOR_EXT2=y CONFIG_EXT4_FS_POSIX_ACL=y CONFIG_EXT4_FS_SECURITY=y # CONFIG_EXT4_ENCRYPTION is not set @@ -4310,7 +4366,7 @@ CONFIG_AUTOFS4_FS=y # CONFIG_EXOFS_FS is not set # CONFIG_EXOFS_DEBUG is not set CONFIG_NILFS2_FS=m -# CONFIG_FS_DAX is not set +CONFIG_FS_DAX=y # CONFIG_LOGFS is not set CONFIG_CEPH_FS=m CONFIG_CEPH_FSCACHE=y @@ -4609,6 +4665,7 @@ CONFIG_HEADERS_CHECK=y # CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set # CONFIG_DEBUG_LOCKDEP is not set # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_STATIC_KEYS_SELFTEST is not set # DEBUG options that don't get enabled/disabled with 'make debug/release' @@ -4846,6 +4903,7 @@ CONFIG_BACKLIGHT_LP855X=m # CONFIG_BACKLIGHT_GPIO is not set # CONFIG_BACKLIGHT_LV5207LP is not set # CONFIG_BACKLIGHT_BD6107 is not set +# CONFIG_BACKLIGHT_PM8941_WLED is not set CONFIG_LCD_CLASS_DEVICE=m CONFIG_LCD_PLATFORM=m @@ -4879,6 +4937,7 @@ CONFIG_CGROUPS=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_PIDS=y CONFIG_CGROUP_SCHED=y CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y @@ -5065,6 +5124,10 @@ CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_SOC_TS3A227E is not set # CONFIG_SND_SOC_XTFPGA_I2S is not set # CONFIG_SND_SOC_STA32X is not set +# CONFIG_SND_SOC_CS4349 is not set +# CONFIG_SND_SOC_GTM601 is not set +# CONFIG_SND_SOC_STI_SAS is not set +# CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y @@ -5128,6 +5191,7 @@ CONFIG_DMA_ENGINE=y CONFIG_DW_DMAC_CORE=m CONFIG_DW_DMAC=m CONFIG_DW_DMAC_PCI=m +# CONFIG_IDMA64 is not set # CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set # CONFIG_TIMB_DMA is not set # CONFIG_DMATEST is not set @@ -5353,6 +5417,7 @@ CONFIG_STAGING_MEDIA=y # CONFIG_I2C_BCM2048 is not set # CONFIG_DT3155 is not set # CONFIG_PRISM2_USB is not set +# CONFIG_MOST is not set CONFIG_USB_ATMEL=m # CONFIG_COMEDI is not set # CONFIG_PANEL is not set @@ -5404,6 +5469,7 @@ CONFIG_USBIP_HOST=m # CONFIG_FB_SM7XX is not set # CONFIG_FB_TFT is not set # CONFIG_FB_SM750 is not set +# CONFIG_STAGING_RDMA is not set # END OF STAGING # @@ -5481,6 +5547,8 @@ CONFIG_ZSMALLOC=y # CONFIG_ZSMALLOC_STAT is not set # CONFIG_PGTABLE_MAPPING is not set +# CONFIG_IDLE_PAGE_TRACKING is not set + # CONFIG_MDIO_GPIO is not set # CONFIG_KEYBOARD_GPIO is not set # CONFIG_KEYBOARD_GPIO_POLLED is not set @@ -5528,6 +5596,7 @@ CONFIG_GPIO_VIPERBOARD=m # CONFIG_GPIO_MCP23S08 is not set # CONFIG_GPIO_XILINX is not set # CONFIG_GPIO_ALTERA is not set +# CONFIG_GPIO_ZX is not set # FIXME: Why? @@ -5568,6 +5637,7 @@ CONFIG_PSTORE_RAM=m # CONFIG_MEMTEST is not set # CONFIG_TEST_HEXDUMP is not set # CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_STATIC_KEYS is not set # CONFIG_AVERAGE is not set # CONFIG_VMXNET3 is not set diff --git a/config-powerpc-generic b/config-powerpc64-generic index ce547a8d2..7f0b10585 100644 --- a/config-powerpc-generic +++ b/config-powerpc64-generic @@ -14,6 +14,7 @@ CONFIG_PPC_PSERIES=y # CONFIG_PPC_PMAC is not set # CONFIG_PPC_PMAC64 is not set # CONFIG_PPC_PS3 is not set +CONFIG_HIBERNATION=n CONFIG_EXTRA_TARGETS="" @@ -127,6 +128,7 @@ CONFIG_MTD_POWERNV_FLASH=m CONFIG_PPC_TRANSACTIONAL_MEM=y CONFIG_BLK_DEV_RSXX=m CONFIG_CXL=m +CONFIG_CXLFLASH=m CONFIG_IBMEBUS=y CONFIG_EHEA=m CONFIG_INFINIBAND_EHCA=m @@ -209,6 +211,7 @@ CONFIG_CAPI_EICON=y CONFIG_LEDS_TRIGGER_TIMER=m CONFIG_LEDS_TRIGGER_HEARTBEAT=m CONFIG_LEDS_TRIGGER_GPIO=m +CONFIG_LEDS_POWERNV=m CONFIG_USB_EHCI_HCD_PPC_OF=y CONFIG_USB_OHCI_HCD_PCI=y @@ -358,6 +361,8 @@ CONFIG_I2C_MPC=m # CONFIG_NET_VENDOR_PASEMI is not set # CONFIG_NET_VENDOR_TOSHIBA is not set +CONFIG_MDIO_OCTEON=m + # CONFIG_OF_UNITTEST is not set # CONFIG_OF_OVERLAY is not set # CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set diff --git a/config-powerpc64le b/config-powerpc64le index 48c8c0d8a..7d9f3fc3a 100644 --- a/config-powerpc64le +++ b/config-powerpc64le @@ -1,3 +1,6 @@ CONFIG_CPU_LITTLE_ENDIAN=y CONFIG_POWER7_CPU=y + +# https://fedoraproject.org/wiki/Features/Checkpoint_Restore +CONFIG_CHECKPOINT_RESTORE=y diff --git a/config-s390x b/config-s390x index f58e4d8b4..ae94aa82d 100644 --- a/config-s390x +++ b/config-s390x @@ -201,6 +201,7 @@ CONFIG_VMCP=y CONFIG_SCHED_MC=y CONFIG_SCHED_BOOK=y CONFIG_SCHED_TOPOLOGY=y +# CONFIG_NUMA is not set # CONFIG_WARN_DYNAMIC_STACK is not set @@ -290,6 +291,7 @@ CONFIG_HOTPLUG_PCI_S390=y # CONFIG_SH_ETH is not set # CONFIG_NET_VENDOR_VIA is not set # CONFIG_IEEE802154_DRIVERS is not set +# CONFIG_MDIO_OCTEON is not set # CONFIG_FMC is not set diff --git a/config-x86-generic b/config-x86-generic index b82a9b12b..807f6025d 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -4,6 +4,8 @@ CONFIG_X86_EXTENDED_PLATFORM=y CONFIG_X86_GENERIC=y +# CONFIG_X86_LEGACY_VM86 is not set + CONFIG_HPET=y CONFIG_HPET_TIMER=y # CONFIG_HPET_MMAP is not set @@ -34,9 +36,7 @@ CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_X86_PM_TIMER=y -# This requires changes to binutils and the compiler. Plus you can't actually -# buy hardware with MPX yet. So... leave it off until all of that seems set. -# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MPX=y CONFIG_EFI=y CONFIG_EFI_STUB=y @@ -111,6 +111,7 @@ CONFIG_XPOWER_PMIC_OPREGION=y CONFIG_GPIO_CRYSTAL_COVE=y CONFIG_AXP288_ADC=y CONFIG_AXP288_FUEL_GAUGE=y +# CONFIG_PWM_CRC is not set CONFIG_X86_INTEL_PSTATE=y @@ -133,6 +134,7 @@ CONFIG_CRYPTO_DEV_CCP=y CONFIG_CRYPTO_DEV_CCP_DD=m CONFIG_CRYPTO_DEV_CCP_CRYPTO=m CONFIG_CRYPTO_DEV_QAT_DH895xCC=m +CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m CONFIG_GENERIC_ISA_DMA=y @@ -310,6 +312,9 @@ CONFIG_XEN_PCIDEV_BACKEND=m CONFIG_XEN_ACPI_PROCESSOR=m # CONFIG_XEN_SCSI_FRONTEND is not set # CONFIG_XEN_SCSI_BACKEND is not set +CONFIG_XEN_SYMS=y + +CONFIG_SPI_PXA2XX=m CONFIG_MTD_ESB2ROM=m CONFIG_MTD_CK804XROM=m @@ -457,6 +462,8 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m CONFIG_HP_ACCEL=m +CONFIG_SURFACE_PRO3_BUTTON=m + # CONFIG_RAPIDIO is not set CONFIG_SCHED_SMT=y @@ -498,10 +505,14 @@ CONFIG_NFC_MICROREAD_MEI=m # CONFIG_X86_GOLDFISH is not set CONFIG_X86_INTEL_LPSS=y +CONFIG_IDMA64=m # CONFIG_X86_AMD_PLATFORM_DEVICE is not set # CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +CONFIG_MFD_INTEL_LPSS_ACPI=m +CONFIG_MFD_INTEL_LPSS_PCI=m + CONFIG_IOSF_MBI=m # CONFIG_IOSF_MBI_DEBUG is not set CONFIG_PWM_LPSS=m @@ -536,6 +547,7 @@ CONFIG_X86_PKG_TEMP_THERMAL=m CONFIG_INTEL_SOC_DTS_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEL_RAPL=m +CONFIG_INTEL_PCH_THERMAL=m CONFIG_VMWARE_VMCI=m CONFIG_VMWARE_VMCI_VSOCKETS=m @@ -554,6 +566,8 @@ CONFIG_MODULE_SIG_ALL=y # CONFIG_MODULE_SIG_SHA1 is not set CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_FORCE is not set +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYS="" CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y CONFIG_EFI_SIGNATURE_LIST_PARSER=y @@ -563,9 +577,11 @@ CONFIG_EFI_SIGNATURE_LIST_PARSER=y CONFIG_MODULE_SIG_UEFI=y CONFIG_VMXNET3=m +CONFIG_FUJITSU_ES=m CONFIG_VFIO_PCI_VGA=y CONFIG_PCH_CAN=m # CONFIG_X86_DEBUG_FPU is not set # CONFIG_PUNIT_ATOM_DEBUG is not set +# CONFIG_AMD_MCE_INJ is not set diff --git a/config-x86_64-generic b/config-x86_64-generic index 94c476027..272999819 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -86,6 +86,8 @@ CONFIG_CRYPTO_SERPENT_AVX_X86_64=m CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m CONFIG_CRYPTO_DES3_EDE_X86_64=m +CONFIG_CRYPTO_POLY1305_X86_64=m +CONFIG_CRYPTO_CHACHA20_X86_64=m # staging crypto # CONFIG_CRYPTO_SKEIN is not set @@ -134,6 +136,7 @@ CONFIG_XEN_SYS_HYPERVISOR=y # CONFIG_XEN_MCE_LOG is not set # CONFIG_XEN_STUB is not set # CONFIG_XEN_PVH is not set +CONFIG_XEN_512GB=y CONFIG_PROVIDE_OHCI1394_DMA_INIT=y @@ -199,6 +202,8 @@ CONFIG_BTT=y CONFIG_ND_BTT=m CONFIG_ND_BLK=m +CONFIG_MDIO_OCTEON=m + CONFIG_NO_HZ_FULL=y # CONFIG_NO_HZ_IDLE is not set # CONFIG_NO_HZ_FULL_ALL is not set diff --git a/disable-i8042-check-on-apple-mac.patch b/disable-i8042-check-on-apple-mac.patch index 970d833d4..e75028da2 100644 --- a/disable-i8042-check-on-apple-mac.patch +++ b/disable-i8042-check-on-apple-mac.patch @@ -1,3 +1,4 @@ +From 31e64826785b5bafef7a6361516c060be2bca253 Mon Sep 17 00:00:00 2001 From: Bastien Nocera <hadess@hadess.net> Date: Thu, 20 May 2010 10:30:31 -0400 Subject: [PATCH] disable i8042 check on apple mac @@ -17,11 +18,11 @@ Signed-off-by: Bastien Nocera <hadess@hadess.net> 1 file changed, 22 insertions(+) diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c -index 4022b75eaad7..1aaf06aa7b0f 100644 +index c9c98f0ab284..5137185e14a9 100644 --- a/drivers/input/serio/i8042.c +++ b/drivers/input/serio/i8042.c -@@ -1506,6 +1506,22 @@ static struct platform_driver i8042_driver = { - .shutdown = i8042_shutdown, +@@ -1540,6 +1540,22 @@ static struct notifier_block i8042_kbd_bind_notifier_block = { + .notifier_call = i8042_kbd_bind_notifier, }; +#ifdef CONFIG_DMI @@ -43,7 +44,7 @@ index 4022b75eaad7..1aaf06aa7b0f 100644 static int __init i8042_init(void) { struct platform_device *pdev; -@@ -1513,6 +1529,12 @@ static int __init i8042_init(void) +@@ -1547,6 +1563,12 @@ static int __init i8042_init(void) dbg_init(); @@ -56,3 +57,6 @@ index 4022b75eaad7..1aaf06aa7b0f 100644 err = i8042_platform_init(); if (err) return err; +-- +2.4.3 + diff --git a/drm-i915-hush-check-crtc-state.patch b/drm-i915-hush-check-crtc-state.patch index 31df993a0..fa4baffbf 100644 --- a/drm-i915-hush-check-crtc-state.patch +++ b/drm-i915-hush-check-crtc-state.patch @@ -1,3 +1,4 @@ +From 02f47b49ab1cdbe62ceb71b658e2c469799ae368 Mon Sep 17 00:00:00 2001 From: Adam Jackson <ajax@redhat.com> Date: Wed, 13 Nov 2013 10:17:24 -0500 Subject: [PATCH] drm/i915: hush check crtc state @@ -14,15 +15,18 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 647b1404c441..e102a06f26e0 100644 +index ca9278be49f7..308ac0539a87 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -12322,7 +12322,7 @@ check_crtc_state(struct drm_device *dev) - - if (active && - !intel_pipe_config_compare(dev, crtc->config, &pipe_config)) { +@@ -12688,7 +12688,7 @@ check_crtc_state(struct drm_device *dev, struct drm_atomic_state *old_state) + sw_config = to_intel_crtc_state(crtc->state); + if (!intel_pipe_config_compare(dev, sw_config, + pipe_config, false)) { - I915_STATE_WARN(1, "pipe state doesn't match!\n"); + DRM_DEBUG_KMS("pipe state doesn't match!\n"); - intel_dump_pipe_config(crtc, &pipe_config, + intel_dump_pipe_config(intel_crtc, pipe_config, "[hw state]"); - intel_dump_pipe_config(crtc, crtc->config, + intel_dump_pipe_config(intel_crtc, sw_config, +-- +2.4.3 + diff --git a/drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch b/drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch new file mode 100644 index 000000000..49bcefbf0 --- /dev/null +++ b/drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch @@ -0,0 +1,204 @@ +From 424f582d0ec7f206dcc59d34c9a2fa1c8087a8aa Mon Sep 17 00:00:00 2001 +From: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Tue, 10 Nov 2015 17:37:31 +0100 +Subject: [PATCH] drm/nouveau: Fix pre-nv50 pageflip events (v4) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Apparently pre-nv50 pageflip events happen before the actual vblank +period. Therefore that functionality got semi-disabled in + +commit af4870e406126b7ac0ae7c7ce5751f25ebe60f28 +Author: Mario Kleiner <mario.kleiner.de@gmail.com> +Date: Tue May 13 00:42:08 2014 +0200 + + drm/nouveau/kms/nv04-nv40: fix pageflip events via special case. + +Unfortunately that hack got uprooted in + +commit cc1ef118fc099295ae6aabbacc8af94d8d8885eb +Author: Thierry Reding <treding@nvidia.com> +Date: Wed Aug 12 17:00:31 2015 +0200 + + drm/irq: Make pipe unsigned and name consistent + +Triggering a warning when trying to sample the vblank timestamp for a +non-existing pipe. There's a few ways to fix this: + +- Open-code the old behaviour, which just enshrines this slight + breakage of the userspace ABI. + +- Revert Mario's commit and again inflict broken timestamps, again not + pretty. + +- Fix this for real by delaying the pageflip TS until the next vblank + interrupt, thereby making it accurate. + +This patch implements the third option. Since having a page flip +interrupt that happens when the pageflip gets armed and not when it +completes in the next vblank seems to be fairly common (older i915 hw +works very similarly) create a new helper to arm vblank events for +such drivers. + +v2 (Mario Kleiner): +- Fix function prototypes in drmP.h +- Add missing vblank_put() for pageflip completion without + pageflip event. +- Initialize sequence number for queued pageflip event to avoid + trouble in drm_handle_vblank_events(). +- Remove dead code and spelling fix. + +v3 (Mario Kleiner): +- Add a signed-off-by and cc stable tag per Ilja's advice. + +v4 (Thierry Reding): +- Fix kerneldoc typo, discovered by Michel Dänzer +- Rearrange tags and changelog + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=106431 +Cc: Thierry Reding <treding@nvidia.com> +Cc: Mario Kleiner <mario.kleiner.de@gmail.com> +Acked-by: Ben Skeggs <bskeggs@redhat.com> +Cc: Ilia Mirkin <imirkin@alum.mit.edu> +Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> +Reviewed-by: Mario Kleiner <mario.kleiner.de@gmail.com> +Cc: stable@vger.kernel.org # v4.3 +Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com> +Signed-off-by: Thierry Reding <treding@nvidia.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +--- + drivers/gpu/drm/drm_irq.c | 54 ++++++++++++++++++++++++++++++- + drivers/gpu/drm/nouveau/nouveau_display.c | 19 ++++++----- + include/drm/drmP.h | 4 +++ + 3 files changed, 68 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c +index 22d207e211e7..c5f20e41dcc6 100644 +--- a/drivers/gpu/drm/drm_irq.c ++++ b/drivers/gpu/drm/drm_irq.c +@@ -944,7 +944,8 @@ static void send_vblank_event(struct drm_device *dev, + struct drm_pending_vblank_event *e, + unsigned long seq, struct timeval *now) + { +- WARN_ON_SMP(!spin_is_locked(&dev->event_lock)); ++ assert_spin_locked(&dev->event_lock); ++ + e->event.sequence = seq; + e->event.tv_sec = now->tv_sec; + e->event.tv_usec = now->tv_usec; +@@ -957,6 +958,57 @@ static void send_vblank_event(struct drm_device *dev, + } + + /** ++ * drm_arm_vblank_event - arm vblank event after pageflip ++ * @dev: DRM device ++ * @pipe: CRTC index ++ * @e: the event to prepare to send ++ * ++ * A lot of drivers need to generate vblank events for the very next vblank ++ * interrupt. For example when the page flip interrupt happens when the page ++ * flip gets armed, but not when it actually executes within the next vblank ++ * period. This helper function implements exactly the required vblank arming ++ * behaviour. ++ * ++ * Caller must hold event lock. Caller must also hold a vblank reference for ++ * the event @e, which will be dropped when the next vblank arrives. ++ * ++ * This is the legacy version of drm_crtc_arm_vblank_event(). ++ */ ++void drm_arm_vblank_event(struct drm_device *dev, unsigned int pipe, ++ struct drm_pending_vblank_event *e) ++{ ++ assert_spin_locked(&dev->event_lock); ++ ++ e->pipe = pipe; ++ e->event.sequence = drm_vblank_count(dev, pipe); ++ list_add_tail(&e->base.link, &dev->vblank_event_list); ++} ++EXPORT_SYMBOL(drm_arm_vblank_event); ++ ++/** ++ * drm_crtc_arm_vblank_event - arm vblank event after pageflip ++ * @crtc: the source CRTC of the vblank event ++ * @e: the event to send ++ * ++ * A lot of drivers need to generate vblank events for the very next vblank ++ * interrupt. For example when the page flip interrupt happens when the page ++ * flip gets armed, but not when it actually executes within the next vblank ++ * period. This helper function implements exactly the required vblank arming ++ * behaviour. ++ * ++ * Caller must hold event lock. Caller must also hold a vblank reference for ++ * the event @e, which will be dropped when the next vblank arrives. ++ * ++ * This is the native KMS version of drm_arm_vblank_event(). ++ */ ++void drm_crtc_arm_vblank_event(struct drm_crtc *crtc, ++ struct drm_pending_vblank_event *e) ++{ ++ drm_arm_vblank_event(crtc->dev, drm_crtc_index(crtc), e); ++} ++EXPORT_SYMBOL(drm_crtc_arm_vblank_event); ++ ++/** + * drm_send_vblank_event - helper to send vblank event after pageflip + * @dev: DRM device + * @pipe: CRTC index +diff --git a/drivers/gpu/drm/nouveau/nouveau_display.c b/drivers/gpu/drm/nouveau/nouveau_display.c +index e905c00acf1a..54183bcca48f 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_display.c ++++ b/drivers/gpu/drm/nouveau/nouveau_display.c +@@ -827,7 +827,6 @@ nouveau_finish_page_flip(struct nouveau_channel *chan, + struct drm_device *dev = drm->dev; + struct nouveau_page_flip_state *s; + unsigned long flags; +- int crtcid = -1; + + spin_lock_irqsave(&dev->event_lock, flags); + +@@ -839,15 +838,19 @@ nouveau_finish_page_flip(struct nouveau_channel *chan, + + s = list_first_entry(&fctx->flip, struct nouveau_page_flip_state, head); + if (s->event) { +- /* Vblank timestamps/counts are only correct on >= NV-50 */ +- if (drm->device.info.family >= NV_DEVICE_INFO_V0_TESLA) +- crtcid = s->crtc; ++ if (drm->device.info.family < NV_DEVICE_INFO_V0_TESLA) { ++ drm_arm_vblank_event(dev, s->crtc, s->event); ++ } else { ++ drm_send_vblank_event(dev, s->crtc, s->event); + +- drm_send_vblank_event(dev, crtcid, s->event); ++ /* Give up ownership of vblank for page-flipped crtc */ ++ drm_vblank_put(dev, s->crtc); ++ } ++ } ++ else { ++ /* Give up ownership of vblank for page-flipped crtc */ ++ drm_vblank_put(dev, s->crtc); + } +- +- /* Give up ownership of vblank for page-flipped crtc */ +- drm_vblank_put(dev, s->crtc); + + list_del(&s->head); + if (ps) +diff --git a/include/drm/drmP.h b/include/drm/drmP.h +index 8b5ce7c5d9bb..c98f01046bd0 100644 +--- a/include/drm/drmP.h ++++ b/include/drm/drmP.h +@@ -932,6 +932,10 @@ extern void drm_send_vblank_event(struct drm_device *dev, unsigned int pipe, + struct drm_pending_vblank_event *e); + extern void drm_crtc_send_vblank_event(struct drm_crtc *crtc, + struct drm_pending_vblank_event *e); ++extern void drm_arm_vblank_event(struct drm_device *dev, unsigned int pipe, ++ struct drm_pending_vblank_event *e); ++extern void drm_crtc_arm_vblank_event(struct drm_crtc *crtc, ++ struct drm_pending_vblank_event *e); + extern bool drm_handle_vblank(struct drm_device *dev, unsigned int pipe); + extern bool drm_crtc_handle_vblank(struct drm_crtc *crtc); + extern int drm_vblank_get(struct drm_device *dev, unsigned int pipe); +-- +2.5.0 + diff --git a/drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch b/drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch new file mode 100644 index 000000000..6ad5796e8 --- /dev/null +++ b/drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch @@ -0,0 +1,31 @@ +From 65fbb05cbbf9ef7f531712634c3e914b54171707 Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot <acourbot@nvidia.com> +Date: Thu, 3 Sep 2015 17:39:52 +0900 +Subject: [PATCH] drm/nouveau/pmu: do not assume a PMU is present + +Some devices may not have a PMU. Avoid a NULL pointer dereference in +such cases by checking whether the pointer given to nvkm_pmu_pgob() is +valid. + +Signed-off-by: Alexandre Courbot <acourbot@nvidia.com> +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> +--- + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c +index 27a79c0c3888..d95eb8659d1b 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c +@@ -28,7 +28,7 @@ + void + nvkm_pmu_pgob(struct nvkm_pmu *pmu, bool enable) + { +- if (pmu->func->pgob) ++ if (pmu && pmu->func->pgob) + pmu->func->pgob(pmu, enable); + } + +-- +2.5.0 + diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch index 318a8e70d..94f7fe768 100644 --- a/efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,6 +1,7 @@ +From b4467813ec088c13bd8c9f1eafb7c29d889d7c8f Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 13/20] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -12,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index c2e4f52cad30..5def6b4143fa 100644 +index 1ac118146e90..f93826b8522c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -37,3 +38,6 @@ index 85ef051ac6fb..de3e45088d4a 100644 #ifdef CONFIG_EFI /* +-- +2.4.3 + diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch index 6fd94c8ee..ba2f3cefa 100644 --- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch @@ -1,6 +1,7 @@ +From 9ef94251448aa463c5937ee8e8e27d6fd9529509 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH] efi: Disable secure boot if shim is in insecure mode +Subject: [PATCH 11/20] efi: Disable secure boot if shim is in insecure mode A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called @@ -14,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 1ef8ea7f8ed9..d82dc9c1c19e 100644 +index b4de3faa3f29..5cc2ef570390 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -830,8 +830,9 @@ out: @@ -52,3 +53,6 @@ index 1ef8ea7f8ed9..d82dc9c1c19e 100644 return 1; } +-- +2.4.3 + diff --git a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 5bdd21b9d..095bea782 100644 --- a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,6 +1,7 @@ +From 0081083434db41c15b72eced975da0bd9b80566b Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 12/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -11,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 4da6644b1fd0..341a1457f7c7 100644 +index 14db458f4774..f6ff0a86d841 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1704,7 +1704,8 @@ config EFI_MIXED +@@ -1735,7 +1735,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -24,3 +25,6 @@ index 4da6644b1fd0..341a1457f7c7 100644 prompt "Force module signing when UEFI Secure Boot is enabled" ---help--- UEFI Secure Boot provides a mechanism for ensuring that the +-- +2.4.3 + diff --git a/filter-aarch64.sh b/filter-aarch64.sh index e3623aa97..dae47aaa3 100644..100755 --- a/filter-aarch64.sh +++ b/filter-aarch64.sh @@ -11,4 +11,4 @@ driverdirs="atm auxdisplay bcma bluetooth fmc infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia platform power ssb staging uio uwb" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" diff --git a/filter-armv7hl.sh b/filter-armv7hl.sh index 3056b23c3..5803dd01f 100644..100755 --- a/filter-armv7hl.sh +++ b/filter-armv7hl.sh @@ -11,4 +11,4 @@ driverdirs="atm auxdisplay bcma bluetooth fmc infiniband isdn media memstick message nfc ntb pcmcia platform ssb staging uio uwb" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" diff --git a/filter-i686.sh b/filter-i686.sh index 0533bd53d..784ab37e4 100644..100755 --- a/filter-i686.sh +++ b/filter-i686.sh @@ -11,4 +11,4 @@ driverdirs="atm auxdisplay bcma bluetooth fmc infiniband isdn leds media memstick mfd mmc mtd nfc ntb pcmcia platform power ssb staging uio uwb" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub hid-sensor-magn-3d hid-sensor-incl-3d hid-sensor-gyro-3d hid-sensor-iio-common hid-sensor-accel-3d hid-sensor-trigger hid-sensor-als hid-sensor-rotation target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub hid-sensor-magn-3d hid-sensor-incl-3d hid-sensor-gyro-3d hid-sensor-iio-common hid-sensor-accel-3d hid-sensor-trigger hid-sensor-als hid-sensor-rotation target_core_user" diff --git a/filter-modules.sh b/filter-modules.sh index 5abfc8627..31b78ce29 100755 --- a/filter-modules.sh +++ b/filter-modules.sh @@ -32,7 +32,7 @@ netprots="appletalk atm ax25 batman-adv bluetooth can dccp dsa ieee802154 irda l drmdrvs="ast gma500 mgag200 via nouveau" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub target_core_user" # Grab the arch-specific filter list overrides source ./filter-$2.sh diff --git a/filter-ppc64.sh b/filter-ppc64.sh index d98e14eb2..8001e0944 100644..100755 --- a/filter-ppc64.sh +++ b/filter-ppc64.sh @@ -11,4 +11,4 @@ driverdirs="atm auxdisplay bcma bluetooth fmc infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia platform power ssb staging uio uwb" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" diff --git a/filter-ppc64le.sh b/filter-ppc64le.sh index eb0808c6a..c8948c94d 100644..100755 --- a/filter-ppc64le.sh +++ b/filter-ppc64le.sh @@ -11,4 +11,4 @@ driverdirs="atm auxdisplay bcma bluetooth fmc infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia platform power ssb staging uio uwb" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" diff --git a/filter-ppc64p7.sh b/filter-ppc64p7.sh index ff5c9fd5f..32c43a489 100644..100755 --- a/filter-ppc64p7.sh +++ b/filter-ppc64p7.sh @@ -11,4 +11,4 @@ driverdirs="atm auxdisplay bcma bluetooth fmc infiniband isdn leds media memstick message mmc mtd nfc ntb pcmcia platform power ssb staging uio uwb" -singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs iscsi_tcp megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" +singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user" diff --git a/filter-s390x.sh b/filter-s390x.sh index 04f7110ad..04f7110ad 100644..100755 --- a/filter-s390x.sh +++ b/filter-s390x.sh diff --git a/filter-x86_64.sh b/filter-x86_64.sh index 1aa80f2e0..1aa80f2e0 100644..100755 --- a/filter-x86_64.sh +++ b/filter-x86_64.sh diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch index 9450e8bf3..f62ea08b0 100644 --- a/hibernate-Disable-in-a-signed-modules-environment.patch +++ b/hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,6 +1,7 @@ +From 51abecb00c48941cc3db19701cc73e65082924bb Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH] hibernate: Disable in a signed modules environment +Subject: [PATCH 14/20] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -33,3 +34,6 @@ index 690f78f210f2..037303a1cba9 100644 } /** +-- +2.4.3 + diff --git a/i915-stable-backports.patch b/i915-stable-backports.patch new file mode 100644 index 000000000..f366fda66 --- /dev/null +++ b/i915-stable-backports.patch @@ -0,0 +1,1962 @@ +From 5c19e5ee394c36652c59c247855a3c7e5a83a015 Mon Sep 17 00:00:00 2001 +From: Jani Nikula <jani.nikula@intel.com> +Date: Thu, 7 Jan 2016 10:29:10 +0200 +Subject: [PATCH 01/26] drm/i915: shut up gen8+ SDE irq dmesg noise, again + +We still keep getting + +[ 4.249930] [drm:gen8_irq_handler [i915]] *ERROR* The master control interrupt lied (SDE)! + +This reverts + +commit 820da7ae46332fa709b171eb7ba57cbd023fa6df +Author: Jani Nikula <jani.nikula@intel.com> +Date: Wed Nov 25 16:47:23 2015 +0200 + + Revert "drm/i915: shut up gen8+ SDE irq dmesg noise" + +which in itself is a revert, so this is just doing + +commit 97e5ed1111dcc5300a0f59a55248cd243937a8ab +Author: Daniel Vetter <daniel.vetter@ffwll.ch> +Date: Fri Oct 23 10:56:12 2015 +0200 + + drm/i915: shut up gen8+ SDE irq dmesg noise + +all over again. I'll stop pretending I understand what's going on like I +did when I thought I'd fixed this for good in + +commit 6a39d7c986be4fd18eb019e9cdbf774ec36c9f77 +Author: Jani Nikula <jani.nikula@intel.com> +Date: Wed Nov 25 16:47:22 2015 +0200 + + drm/i915: fix the SDE irq dmesg warnings properly + +Reported-by: Chris Wilson <chris@chris-wilson.co.uk> +Reference: http://mid.gmane.org/20151213124945.GA5715@nuc-i3427.alporthouse.com +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084 +Cc: drm-intel-fixes@lists.freedesktop.org +Fixes: 820da7ae4633 ("Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"") +Signed-off-by: Jani Nikula <jani.nikula@intel.com> + +[Backported to 4.3.y by Josh Boyer <jwboyer@fedoraproject.org>] +--- + drivers/gpu/drm/i915/i915_irq.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c +index 39d73dbc1c47..fa7f82d54762 100644 +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -2168,8 +2168,13 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) + I915_WRITE(SDEIIR, pch_iir); + ret = IRQ_HANDLED; + cpt_irq_handler(dev, pch_iir); +- } else +- DRM_ERROR("The master control interrupt lied (SDE)!\n"); ++ } else { ++ /* ++ * Like on previous PCH there seems to be something ++ * fishy going on with forwarding PCH interrupts. ++ */ ++ DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n"); ++ } + + } + +-- +2.5.0 + + +From 65dcf0f52e9705d0094e76a9225bbe770329c96d Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Thu, 1 Oct 2015 12:34:46 +0100 +Subject: [PATCH 02/26] drm/i915: Fix userptr deadlock with aliased GTT + mmappings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit e4b946bfe1e36680e27a5f39163980979fa61a5d + +Michał Winiarski found a really evil way to trigger a struct_mutex +deadlock with userptr. He found that if he allocated a userptr bo and +then GTT mmaped another bo, or even itself, at the same address as the +userptr using MAP_FIXED, he could then cause a deadlock any time we then +had to invalidate the GTT mmappings (so at will). Tvrtko then found by +repeatedly allocating GTT mmappings he could alias with an old userptr +mmap and also trigger the deadlock. + +To counter act the deadlock, we make the observation that we only need +to take the struct_mutex if the object has any pages to revoke, and that +before userspace can alias with the userptr address space, it must have +invalidated the userptr->pages. Thus if we can check for those pages +outside of the struct_mutex, we can avoid the deadlock. To do so we +introduce a separate flag for userptr objects that we can inspect from +the mmu-notifier underneath its spinlock. + +The patch makes one eye-catching change. That is the removal serial=0 +after detecting a to-be-freed object inside the invalidate walker. I +felt setting serial=0 was a questionable pessimisation: it denies us the +chance to reuse the current iterator for the next loop (before it is +freed) and being explicit makes the reader question the validity of the +locking (since the object-free race could occur elsewhere). The +serialisation of the iterator is through the spinlock, if the object is +freed before the next loop then the notifier.serial will be incremented +and we start the walk from the beginning as we detect the invalid cache. + +To try and tame the error paths and interactions with the userptr->active +flag, we have to do a fair amount of rearranging of get_pages_userptr(). + +v2: Grammar fixes +v3: Reorder set-active so that it is only set when obj->pages is set +(and so needs cancellation). Only the order of setting obj->pages and +the active-flag is crucial. Calling gup after invalidate-range begin +means the userptr sees the new set of backing storage (and so will not +need to invalidate its new pages), but we have to be careful not to set +the active-flag prior to successfully establishing obj->pages. +v4: Take the active->flag early so we know in the mmu-notifier when we +have to cancel a pending gup-worker. +v5: Rearrange the error path so that is not so convoluted +v6: Set pinned to 0 when negative before calling release_pages() + +Reported-by: Michał Winiarski <michal.winiarski@intel.com> +Testcase: igt/gem_userptr_blits/map-fixed* +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Cc: Michał Winiarski <michal.winiarski@intel.com> +Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> +Cc: stable@vger.kernel.org +Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +--- + drivers/gpu/drm/i915/i915_gem_userptr.c | 176 ++++++++++++++++++++------------ + 1 file changed, 110 insertions(+), 66 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c +index a96b9006a51e..ba321f0c41c5 100644 +--- a/drivers/gpu/drm/i915/i915_gem_userptr.c ++++ b/drivers/gpu/drm/i915/i915_gem_userptr.c +@@ -59,6 +59,7 @@ struct i915_mmu_object { + struct interval_tree_node it; + struct list_head link; + struct drm_i915_gem_object *obj; ++ bool active; + bool is_linear; + }; + +@@ -114,7 +115,8 @@ restart: + + obj = mo->obj; + +- if (!kref_get_unless_zero(&obj->base.refcount)) ++ if (!mo->active || ++ !kref_get_unless_zero(&obj->base.refcount)) + continue; + + spin_unlock(&mn->lock); +@@ -151,7 +153,8 @@ static void i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier *_mn, + else + it = interval_tree_iter_first(&mn->objects, start, end); + if (it != NULL) { +- obj = container_of(it, struct i915_mmu_object, it)->obj; ++ struct i915_mmu_object *mo = ++ container_of(it, struct i915_mmu_object, it); + + /* The mmu_object is released late when destroying the + * GEM object so it is entirely possible to gain a +@@ -160,11 +163,9 @@ static void i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier *_mn, + * the struct_mutex - and consequently use it after it + * is freed and then double free it. + */ +- if (!kref_get_unless_zero(&obj->base.refcount)) { +- spin_unlock(&mn->lock); +- serial = 0; +- continue; +- } ++ if (mo->active && ++ kref_get_unless_zero(&mo->obj->base.refcount)) ++ obj = mo->obj; + + serial = mn->serial; + } +@@ -566,6 +567,30 @@ __i915_gem_userptr_set_pages(struct drm_i915_gem_object *obj, + } + + static void ++__i915_gem_userptr_set_active(struct drm_i915_gem_object *obj, ++ bool value) ++{ ++ /* During mm_invalidate_range we need to cancel any userptr that ++ * overlaps the range being invalidated. Doing so requires the ++ * struct_mutex, and that risks recursion. In order to cause ++ * recursion, the user must alias the userptr address space with ++ * a GTT mmapping (possible with a MAP_FIXED) - then when we have ++ * to invalidate that mmaping, mm_invalidate_range is called with ++ * the userptr address *and* the struct_mutex held. To prevent that ++ * we set a flag under the i915_mmu_notifier spinlock to indicate ++ * whether this object is valid. ++ */ ++#if defined(CONFIG_MMU_NOTIFIER) ++ if (obj->userptr.mmu_object == NULL) ++ return; ++ ++ spin_lock(&obj->userptr.mmu_object->mn->lock); ++ obj->userptr.mmu_object->active = value; ++ spin_unlock(&obj->userptr.mmu_object->mn->lock); ++#endif ++} ++ ++static void + __i915_gem_userptr_get_pages_worker(struct work_struct *_work) + { + struct get_pages_work *work = container_of(_work, typeof(*work), work); +@@ -612,6 +637,9 @@ __i915_gem_userptr_get_pages_worker(struct work_struct *_work) + + pinned = 0; + } ++ obj->userptr.work = ERR_PTR(ret); ++ if (ret) ++ __i915_gem_userptr_set_active(obj, false); + } + + obj->userptr.work = ERR_PTR(ret); +@@ -627,11 +655,60 @@ __i915_gem_userptr_get_pages_worker(struct work_struct *_work) + } + + static int ++__i915_gem_userptr_get_pages_schedule(struct drm_i915_gem_object *obj, ++ bool *active) ++{ ++ struct get_pages_work *work; ++ ++ /* Spawn a worker so that we can acquire the ++ * user pages without holding our mutex. Access ++ * to the user pages requires mmap_sem, and we have ++ * a strict lock ordering of mmap_sem, struct_mutex - ++ * we already hold struct_mutex here and so cannot ++ * call gup without encountering a lock inversion. ++ * ++ * Userspace will keep on repeating the operation ++ * (thanks to EAGAIN) until either we hit the fast ++ * path or the worker completes. If the worker is ++ * cancelled or superseded, the task is still run ++ * but the results ignored. (This leads to ++ * complications that we may have a stray object ++ * refcount that we need to be wary of when ++ * checking for existing objects during creation.) ++ * If the worker encounters an error, it reports ++ * that error back to this function through ++ * obj->userptr.work = ERR_PTR. ++ */ ++ if (obj->userptr.workers >= I915_GEM_USERPTR_MAX_WORKERS) ++ return -EAGAIN; ++ ++ work = kmalloc(sizeof(*work), GFP_KERNEL); ++ if (work == NULL) ++ return -ENOMEM; ++ ++ obj->userptr.work = &work->work; ++ obj->userptr.workers++; ++ ++ work->obj = obj; ++ drm_gem_object_reference(&obj->base); ++ ++ work->task = current; ++ get_task_struct(work->task); ++ ++ INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker); ++ schedule_work(&work->work); ++ ++ *active = true; ++ return -EAGAIN; ++} ++ ++static int + i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj) + { + const int num_pages = obj->base.size >> PAGE_SHIFT; + struct page **pvec; + int pinned, ret; ++ bool active; + + /* If userspace should engineer that these pages are replaced in + * the vma between us binding this page into the GTT and completion +@@ -649,6 +726,18 @@ i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj) + * to the vma (discard or cloning) which should prevent the more + * egregious cases from causing harm. + */ ++ if (IS_ERR(obj->userptr.work)) { ++ /* active flag will have been dropped already by the worker */ ++ ret = PTR_ERR(obj->userptr.work); ++ obj->userptr.work = NULL; ++ return ret; ++ } ++ if (obj->userptr.work) ++ /* active flag should still be held for the pending work */ ++ return -EAGAIN; ++ ++ /* Let the mmu-notifier know that we have begun and need cancellation */ ++ __i915_gem_userptr_set_active(obj, true); + + pvec = NULL; + pinned = 0; +@@ -657,73 +746,27 @@ i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj) + GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY); + if (pvec == NULL) { + pvec = drm_malloc_ab(num_pages, sizeof(struct page *)); +- if (pvec == NULL) ++ if (pvec == NULL) { ++ __i915_gem_userptr_set_active(obj, false); + return -ENOMEM; ++ } + } + + pinned = __get_user_pages_fast(obj->userptr.ptr, num_pages, + !obj->userptr.read_only, pvec); + } +- if (pinned < num_pages) { +- if (pinned < 0) { +- ret = pinned; +- pinned = 0; +- } else { +- /* Spawn a worker so that we can acquire the +- * user pages without holding our mutex. Access +- * to the user pages requires mmap_sem, and we have +- * a strict lock ordering of mmap_sem, struct_mutex - +- * we already hold struct_mutex here and so cannot +- * call gup without encountering a lock inversion. +- * +- * Userspace will keep on repeating the operation +- * (thanks to EAGAIN) until either we hit the fast +- * path or the worker completes. If the worker is +- * cancelled or superseded, the task is still run +- * but the results ignored. (This leads to +- * complications that we may have a stray object +- * refcount that we need to be wary of when +- * checking for existing objects during creation.) +- * If the worker encounters an error, it reports +- * that error back to this function through +- * obj->userptr.work = ERR_PTR. +- */ +- ret = -EAGAIN; +- if (obj->userptr.work == NULL && +- obj->userptr.workers < I915_GEM_USERPTR_MAX_WORKERS) { +- struct get_pages_work *work; +- +- work = kmalloc(sizeof(*work), GFP_KERNEL); +- if (work != NULL) { +- obj->userptr.work = &work->work; +- obj->userptr.workers++; +- +- work->obj = obj; +- drm_gem_object_reference(&obj->base); +- +- work->task = current; +- get_task_struct(work->task); +- +- INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker); +- schedule_work(&work->work); +- } else +- ret = -ENOMEM; +- } else { +- if (IS_ERR(obj->userptr.work)) { +- ret = PTR_ERR(obj->userptr.work); +- obj->userptr.work = NULL; +- } +- } +- } +- } else { ++ ++ active = false; ++ if (pinned < 0) ++ ret = pinned, pinned = 0; ++ else if (pinned < num_pages) ++ ret = __i915_gem_userptr_get_pages_schedule(obj, &active); ++ else + ret = __i915_gem_userptr_set_pages(obj, pvec, num_pages); +- if (ret == 0) { +- obj->userptr.work = NULL; +- pinned = 0; +- } ++ if (ret) { ++ __i915_gem_userptr_set_active(obj, active); ++ release_pages(pvec, pinned, 0); + } +- +- release_pages(pvec, pinned, 0); + drm_free_large(pvec); + return ret; + } +@@ -734,6 +777,7 @@ i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj) + struct sg_page_iter sg_iter; + + BUG_ON(obj->userptr.work != NULL); ++ __i915_gem_userptr_set_active(obj, false); + + if (obj->madv != I915_MADV_WILLNEED) + obj->dirty = 0; +-- +2.5.0 + + +From d9cc6dc69e3a5f7f68e22227baf0e0f7743e448c Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Date: Thu, 22 Oct 2015 13:56:34 +0200 +Subject: [PATCH 03/26] drm/i915/skl: Prevent unclaimed register writes on + skylake. + +Upstream commit b10f1b20171945b49988b2b1fe68cb312cc36d32 + +I'm getting unclaimed register writes when checking the WM registers +after the crtc is disabled. So I would imagine those are guarded by +the crtc power well. Fix this by not reading out wm state when the +power well is off. + +Cc: stable@vger.kernel.org # v4.3 +Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92181 +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_pm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index ddbb7ed0a193..5e91e795fd99 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2899,7 +2899,12 @@ void skl_ddb_get_hw_state(struct drm_i915_private *dev_priv, + int plane; + u32 val; + ++ memset(ddb, 0, sizeof(*ddb)); ++ + for_each_pipe(dev_priv, pipe) { ++ if (!intel_display_power_is_enabled(dev_priv, POWER_DOMAIN_PIPE(pipe))) ++ continue; ++ + for_each_plane(dev_priv, pipe, plane) { + val = I915_READ(PLANE_BUF_CFG(pipe, plane)); + skl_ddb_entry_init_from_hw(&ddb->plane[pipe][plane], +-- +2.5.0 + + +From 0ee1dd6b04a4e8eb34f948842fe4385c09695270 Mon Sep 17 00:00:00 2001 +From: Jani Nikula <jani.nikula@intel.com> +Date: Fri, 30 Oct 2015 14:50:24 +0200 +Subject: [PATCH 04/26] drm/i915: add quirk to enable backlight on Dell + Chromebook 11 (2015) + +Upstream commit 9be64eee3a87dc03218ca9a12834d1150a57b8a8 + +Reported-by: Keith Webb <khwebb@gmail.com> +Suggested-by: Keith Webb <khwebb@gmail.com> +Cc: stable@vger.kernel.org +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=106671 +Reviewed-by: Clint Taylor <Clinton.A.Taylor@intel.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1446209424-28801-1-git-send-email-jani.nikula@intel.com +--- + drivers/gpu/drm/i915/intel_display.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 1d2ff8e6fb4a..8f258092cada 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -14678,6 +14678,9 @@ static struct intel_quirk intel_quirks[] = { + + /* Dell Chromebook 11 */ + { 0x0a06, 0x1028, 0x0a35, quirk_backlight_present }, ++ ++ /* Dell Chromebook 11 (2015 version) */ ++ { 0x0a16, 0x1028, 0x0a35, quirk_backlight_present }, + }; + + static void intel_init_quirks(struct drm_device *dev) +-- +2.5.0 + + +From 06d7e7fe18b63244ec4e6e633fc40dd5bea39099 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Date: Tue, 3 Nov 2015 08:31:41 +0100 +Subject: [PATCH 05/26] drm/i915: Extend DSL readout fix to BDW and SKL. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit b291681926a142958112eedde62823230d6afb84 + +Those platforms have the same bug as haswell, and the same fix applies +to them. + +The original HSW fix that this extends is + +commit 41b578fb0e8b930f2470d3f673b0fa279e77a7b8 +Author: Jesse Barnes <jbarnes@virtuousgeek.org> +Date: Tue Sep 22 12:15:54 2015 -0700 + + drm/i915: workaround bad DSL readout v3 + +Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Acked-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +Cc: stable@vger.kernel.org # v4.3 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91579 +Link: http://patchwork.freedesktop.org/patch/msgid/1446535913-31970-3-git-send-email-maarten.lankhorst@linux.intel.com +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c +index fa7f82d54762..d83d12eeb3fe 100644 +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -651,7 +651,7 @@ static int __intel_get_crtc_scanline(struct intel_crtc *crtc) + * problem. We may need to extend this to include other platforms, + * but so far testing only shows the problem on HSW. + */ +- if (IS_HASWELL(dev) && !position) { ++ if (HAS_DDI(dev) && !position) { + int i, temp; + + for (i = 0; i < 100; i++) { +-- +2.5.0 + + +From f5268273f194155f0a5f3cbfa7bf271774a7a9d6 Mon Sep 17 00:00:00 2001 +From: Jani Nikula <jani.nikula@intel.com> +Date: Thu, 5 Nov 2015 11:49:59 +0200 +Subject: [PATCH 06/26] drm/i915: quirk backlight present on Macbook 4, 1 + +Upstream commit 1b9448b071caa7d10bb2569fabe3020a2c25ae59 + +Unsurprisingly macbooks have backlights, just the VBT doesn't seem to +know it in this case. + +Reported-and-tested-by: Daniel Nicoletti <dantti12@gmail.com> +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88325 +Fixes: c675949ec58c ("drm/i915: do not setup backlight if not available according to VBT") +Cc: stable@vger.kernel.org # v3.15+ +Reviewed-by: Ander Conselvan de Oliveira <conselvan2@gmail.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1446716999-1796-1-git-send-email-jani.nikula@intel.com +--- + drivers/gpu/drm/i915/intel_display.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 8f258092cada..2e348788ecaa 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -14670,6 +14670,9 @@ static struct intel_quirk intel_quirks[] = { + /* Apple Macbook 2,1 (Core 2 T7400) */ + { 0x27a2, 0x8086, 0x7270, quirk_backlight_present }, + ++ /* Apple Macbook 4,1 */ ++ { 0x2a02, 0x106b, 0x00a1, quirk_backlight_present }, ++ + /* Toshiba CB35 Chromebook (Celeron 2955U) */ + { 0x0a06, 0x1179, 0x0a88, quirk_backlight_present }, + +-- +2.5.0 + + +From dddd84b8b5f7f8c0b0037a1bb53f81f5bc70115b Mon Sep 17 00:00:00 2001 +From: Imre Deak <imre.deak@intel.com> +Date: Wed, 4 Nov 2015 21:25:32 +0200 +Subject: [PATCH 07/26] drm/i915: get runtime PM reference around GEM + set_caching IOCTL + +Upstream commit fd0fe6acf1dd88aabfbf383f7e4c16315387a7b7 + +After Damien's D3 fix I started to get runtime suspend residency for the +first time and that revealed a breakage on the set_caching IOCTL path +that accesses the HW but doesn't take an RPM ref. Fix this up. + +Signed-off-by: Imre Deak <imre.deak@intel.com> +Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com> +Cc: stable@vger.kernel.org +Link: http://patchwork.freedesktop.org/patch/msgid/1446665132-22491-1-git-send-email-imre.deak@intel.com +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_gem.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index 4d631a946481..dee065c2b6d8 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -3728,6 +3728,7 @@ int i915_gem_get_caching_ioctl(struct drm_device *dev, void *data, + int i915_gem_set_caching_ioctl(struct drm_device *dev, void *data, + struct drm_file *file) + { ++ struct drm_i915_private *dev_priv = dev->dev_private; + struct drm_i915_gem_caching *args = data; + struct drm_i915_gem_object *obj; + enum i915_cache_level level; +@@ -3747,9 +3748,11 @@ int i915_gem_set_caching_ioctl(struct drm_device *dev, void *data, + return -EINVAL; + } + ++ intel_runtime_pm_get(dev_priv); ++ + ret = i915_mutex_lock_interruptible(dev); + if (ret) +- return ret; ++ goto rpm_put; + + obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle)); + if (&obj->base == NULL) { +@@ -3762,6 +3765,9 @@ int i915_gem_set_caching_ioctl(struct drm_device *dev, void *data, + drm_gem_object_unreference(&obj->base); + unlock: + mutex_unlock(&dev->struct_mutex); ++rpm_put: ++ intel_runtime_pm_put(dev_priv); ++ + return ret; + } + +-- +2.5.0 + + +From df79b28d6a73835c70222506405bdb54774395c9 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst <maarten@mblankhorst.nl> +Date: Mon, 16 Nov 2015 12:49:14 +0100 +Subject: [PATCH 08/26] drm/i915: Clear intel_crtc->atomic before updating it. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit ba8af3e592f7175b5f9a92d2cfcc00b82097d1be + +If an atomic update fails intel_crtc->atomic may have have some values left +from the last atomic check. One example is atomic->wait_for_vblank, +which results in spurious errors in kms_flip. + +[ 1551.892708] ------------[ cut here ]------------ +[ 1551.892721] WARNING: CPU: 3 PID: 4179 at ../drivers/gpu/drm/drm_irq.c:1199 drm_wait_one_vblank+0x197/0x1a0 [drm]() +[ 1551.892722] vblank not available on crtc 2, ret=-22 +[ 1551.892751] Modules linked in: snd_hda_intel i915 drm_kms_helper drm +intel_gtt i2c_algo_bit cfbfillrect syscopyarea cfbimgblt sysfillrect +sysimgblt fb_sys_fops cfbcopyarea agpgart cfg80211 binfmt_misc +snd_hda_codec_hdmi intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp +kvm_intel snd_hda_codec_realtek kvm snd_hda_codec_generic iTCO_wdt +aesni_intel aes_x86_64 glue_helper lrw snd_hda_codec gf128mul +ablk_helper cryptd snd_hwdep psmouse snd_hda_core pcspkr snd_pcm +snd_timer snd lpc_ich i2c_i801 mfd_core soundcore wmi evdev [last +unloaded: drm] +[ 1551.892753] CPU: 3 PID: 4179 Comm: kms_pipe_crc_ba Tainted: G U W 4.3.0-reg+ #6 +[ 1551.892754] Hardware name: /DZ77BH-55K, BIOS BHZ7710H.86A.0100.2013.0517.0942 05/17/2013 +[ 1551.892758] ffffffffa03128d8 ffff8800cec73890 ffffffff812c0f3c ffff8800cec738d8 +[ 1551.892760] ffff8800cec738c8 ffffffff8104ff36 ffff880116ae2290 0000000000000002 +[ 1551.892762] ffff8800d39fcda0 ffff8800d038b4d0 ffff8800d42b5550 ffff8800cec73928 +[ 1551.892763] Call Trace: +[ 1551.892768] [<ffffffff812c0f3c>] dump_stack+0x4e/0x82 +[ 1551.892771] [<ffffffff8104ff36>] warn_slowpath_common+0x86/0xc0 +[ 1551.892773] [<ffffffff8104ffbc>] warn_slowpath_fmt+0x4c/0x50 +[ 1551.892781] [<ffffffffa02e6708>] ? drm_vblank_get+0x78/0xd0 [drm] +[ 1551.892787] [<ffffffffa02e6d47>] drm_wait_one_vblank+0x197/0x1a0 [drm] +[ 1551.892813] [<ffffffffa03d052f>] intel_post_plane_update+0xef/0x120 [i915] +[ 1551.892832] [<ffffffffa03d11d2>] intel_atomic_commit+0x4c2/0x1600 [i915] +[ 1551.892862] [<ffffffffa02ff0c7>] ? drm_atomic_check_only+0x147/0x5e0 [drm] +[ 1551.892872] [<ffffffffa02feeb7>] ? drm_atomic_add_affected_connectors+0x27/0xf0 [drm] +[ 1551.892881] [<ffffffffa02ff597>] drm_atomic_commit+0x37/0x60 [drm] +[ 1551.892887] [<ffffffffa034301a>] restore_fbdev_mode+0x28a/0x2c0 [drm_kms_helper] +[ 1551.892895] [<ffffffffa0345253>] drm_fb_helper_restore_fbdev_mode_unlocked+0x33/0x80 [drm_kms_helper] +[ 1551.892900] [<ffffffffa03452cd>] drm_fb_helper_set_par+0x2d/0x50 [drm_kms_helper] +[ 1551.892920] [<ffffffffa03e7a9a>] intel_fbdev_set_par+0x1a/0x60 [i915] +[ 1551.892923] [<ffffffff8131a5a7>] fb_set_var+0x1a7/0x3f0 +[ 1551.892927] [<ffffffff8109732f>] ? trace_hardirqs_on_caller+0x12f/0x1c0 +[ 1551.892931] [<ffffffff81314f32>] fbcon_blank+0x212/0x2f0 +[ 1551.892935] [<ffffffff81373f4a>] do_unblank_screen+0xba/0x1d0 +[ 1551.892937] [<ffffffff8136b725>] vt_ioctl+0x13d5/0x1450 +[ 1551.892940] [<ffffffff8107cdd1>] ? preempt_count_sub+0x41/0x50 +[ 1551.892943] [<ffffffff8135d8a3>] tty_ioctl+0x423/0xe30 +[ 1551.892947] [<ffffffff8119f721>] do_vfs_ioctl+0x301/0x560 +[ 1551.892949] [<ffffffff8119b1e3>] ? putname+0x53/0x60 +[ 1551.892952] [<ffffffff811ab376>] ? __fget_light+0x66/0x90 +[ 1551.892955] [<ffffffff8119f9f9>] SyS_ioctl+0x79/0x90 +[ 1551.892958] [<ffffffff81552e97>] entry_SYSCALL_64_fastpath+0x12/0x6f +[ 1551.892961] ---[ end trace 3e764d4b6628c91c ]--- + +Testcase: kms_flip +Reported-and-tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +Cc: stable@vger.kernel.org #v4.3 +Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Reviewed-by: Daniel Stone <daniels@collabora.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/5649C2BA.6080300@mblankhorst.nl +--- + drivers/gpu/drm/i915/intel_display.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 2e348788ecaa..7e13bea3b4d5 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -13005,6 +13005,9 @@ static int intel_atomic_check(struct drm_device *dev, + struct intel_crtc_state *pipe_config = + to_intel_crtc_state(crtc_state); + ++ memset(&to_intel_crtc(crtc)->atomic, 0, ++ sizeof(struct intel_crtc_atomic_commit)); ++ + /* Catch I915_MODE_FLAG_INHERITED */ + if (crtc_state->mode.private_flags != crtc->state->mode.private_flags) + crtc_state->mode_changed = true; +-- +2.5.0 + + +From eb02e7a4b15ec47b50fd7447471ac3bb75cce53f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com> +Date: Wed, 11 Nov 2015 19:11:28 +0200 +Subject: [PATCH 09/26] drm/i915: Don't clobber the addfb2 ioctl params +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit 76dc3769d7c3cdcfa7c4c7768a7cb87cd91af12f + +We try to convert the old way of of specifying fb tiling (obj->tiling) +into the new fb modifiers. We store the result in the passed in mode_cmd +structure. But that structure comes directly from the addfb2 ioctl, and +gets copied back out to userspace, which means we're clobbering the +modifiers that the user provided (all 0 since the DRM_MODE_FB_MODIFIERS +flag wasn't even set by the user). Hence if the user reuses the struct +for another addfb2, the ioctl will be rejected since it's now asking for +some modifiers w/o the flag set. + +Fix the problem by making a copy of the user provided structure. We can +play any games we want with the copy. + +IGT-Version: 1.12-git (x86_64) (Linux: 4.4.0-rc1-stereo+ x86_64) +... +Subtest basic-X-tiled: SUCCESS (0.001s) +Test assertion failure function pitch_tests, file kms_addfb_basic.c:167: +Failed assertion: drmIoctl(fd, DRM_IOCTL_MODE_ADDFB2, &f) == 0 +Last errno: 22, Invalid argument +Stack trace: + #0 [__igt_fail_assert+0x101] + #1 [pitch_tests+0x619] + #2 [__real_main426+0x2f] + #3 [main+0x23] + #4 [__libc_start_main+0xf0] + #5 [_start+0x29] + #6 [<unknown>+0x29] + Subtest framebuffer-vs-set-tiling failed. + **** DEBUG **** + Test assertion failure function pitch_tests, file kms_addfb_basic.c:167: + Failed assertion: drmIoctl(fd, DRM_IOCTL_MODE_ADDFB2, &f) == 0 + Last errno: 22, Invalid argument + **** END **** + Subtest framebuffer-vs-set-tiling: FAIL (0.003s) + ... + +IGT-Version: 1.12-git (x86_64) (Linux: 4.4.0-rc1-stereo+ x86_64) +Subtest framebuffer-vs-set-tiling: SUCCESS (0.000s) + +Cc: stable@vger.kernel.org # v4.1+ +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com> +Fixes: 2a80eada326f ("drm/i915: Add fb format modifier support") +Testcase: igt/kms_addfb_basic/clobbered-modifier +Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1447261890-3960-1-git-send-email-ville.syrjala@linux.intel.com +--- + drivers/gpu/drm/i915/intel_display.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 7e13bea3b4d5..d07d98aeb72c 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -14330,16 +14330,17 @@ static int intel_framebuffer_init(struct drm_device *dev, + static struct drm_framebuffer * + intel_user_framebuffer_create(struct drm_device *dev, + struct drm_file *filp, +- struct drm_mode_fb_cmd2 *mode_cmd) ++ struct drm_mode_fb_cmd2 *user_mode_cmd) + { + struct drm_i915_gem_object *obj; ++ struct drm_mode_fb_cmd2 mode_cmd = *user_mode_cmd; + + obj = to_intel_bo(drm_gem_object_lookup(dev, filp, +- mode_cmd->handles[0])); ++ mode_cmd.handles[0])); + if (&obj->base == NULL) + return ERR_PTR(-ENOENT); + +- return intel_framebuffer_create(dev, mode_cmd, obj); ++ return intel_framebuffer_create(dev, &mode_cmd, obj); + } + + #ifndef CONFIG_DRM_FBDEV_EMULATION +-- +2.5.0 + + +From 687b4f4810c6a23420994e9cf4bb2d420a80217d Mon Sep 17 00:00:00 2001 +From: Mika Kuoppala <mika.kuoppala@linux.intel.com> +Date: Tue, 17 Nov 2015 18:14:26 +0200 +Subject: [PATCH 10/26] drm/i915: Fix gpu frequency change tracing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit 0f94592efd36213c961145fe1ab0c3bc323ec053 + +With gen < 9 we have had always 50Mhz units as our hw +ratio. With gen >= 9 the hw ratio changed to 16.667Mhz (50/3). +The result was that our gpu frequency tracing started to output +values 3 times larger than expected due to hardcoded scaling +value. Fix this by using Use intel_gpu_freq() when generating Mhz +value from ratio for 'intel_gpu_freq_change' trace event. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92591 +Cc: stable@vger.kernel.org # v4.3+ +Reported-by: Eero Tamminen <eero.t.tamminen@intel.com> +Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com> +Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1447776866-29384-1-git-send-email-mika.kuoppala@intel.com +--- + drivers/gpu/drm/i915/intel_pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 5e91e795fd99..2a689522cd89 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4503,7 +4503,7 @@ static void gen6_set_rps(struct drm_device *dev, u8 val) + POSTING_READ(GEN6_RPNSWREQ); + + dev_priv->rps.cur_freq = val; +- trace_intel_gpu_freq_change(val * 50); ++ trace_intel_gpu_freq_change(intel_gpu_freq(dev_priv, val)); + } + + static void valleyview_set_rps(struct drm_device *dev, u8 val) +-- +2.5.0 + + +From efee83c75bf454e745ebaddd96b9fe741c706317 Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Thu, 19 Nov 2015 09:58:05 +0000 +Subject: [PATCH 11/26] drm/i915: Mark uneven memory banks on gen4 desktop as + unknown swizzling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit 0b466dc238cb660bbdb9ef6e121e1757057484c3 + +We have varied reports of swizzling corruption on gen4 desktop, and +confirmation that one at least is triggered by uneven memory banks +(L-shaped memory). The implication is that the swizzling varies between +the paired channels and the remainder of memory on the single channel. As +the object then has unpredictable swizzling (it will vary depending on +exact page allocation and may even change during the object's lifetime as +the pages are replaced), we have to report to userspace that the swizzling +is unknown. + +However, some existing userspace is buggy when it meets an unknown +swizzling configuration and so we need to tell another white lie and +mark the swizzling as NONE but report it as UNKNOWN through the extended +get-tiling-ioctl. See + +commit 5eb3e5a5e11d14f9deb2a4b83555443b69ab9940 +Author: Chris Wilson <chris@chris-wilson.co.uk> +Date: Sun Jun 28 09:19:26 2015 +0100 + + drm/i915: Declare the swizzling unknown for L-shaped configurations + +for the previous example where we found that telling the truth to +userspace just ends up in a world of hurt. + +Also since we don't truly know what the swizzling is on the pages, we +need to keep them pinned to prevent swapping as the reports also +suggest that some gen4 devices have previously undetected bit17 +swizzling. + +v2: Combine unknown + quirk patches to prevent userspace ever seeing +unknown swizzling through the normal get-tiling-ioctl. Also use the same +path for the existing uneven bank detection for mobile gen4. + +Reported-by: Matti Hämäläinen <ccr@tnsp.org> +Tested-by: Matti Hämäläinen <ccr@tnsp.org> +References: https://bugs.freedesktop.org/show_bug.cgi?id=90725 +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Cc: Matti Hämäläinen <ccr@tnsp.org> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Jani Nikula <jani.nikula@intel.com> +Cc: stable@vger.kernel.org +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1447927085-31726-1-git-send-email-chris@chris-wilson.co.uk +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_gem_fence.c | 36 ++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem_fence.c b/drivers/gpu/drm/i915/i915_gem_fence.c +index af1f8c461060..716c3d8f027c 100644 +--- a/drivers/gpu/drm/i915/i915_gem_fence.c ++++ b/drivers/gpu/drm/i915/i915_gem_fence.c +@@ -647,11 +647,10 @@ i915_gem_detect_bit_6_swizzle(struct drm_device *dev) + } + + /* check for L-shaped memory aka modified enhanced addressing */ +- if (IS_GEN4(dev)) { +- uint32_t ddc2 = I915_READ(DCC2); +- +- if (!(ddc2 & DCC2_MODIFIED_ENHANCED_DISABLE)) +- dev_priv->quirks |= QUIRK_PIN_SWIZZLED_PAGES; ++ if (IS_GEN4(dev) && ++ !(I915_READ(DCC2) & DCC2_MODIFIED_ENHANCED_DISABLE)) { ++ swizzle_x = I915_BIT_6_SWIZZLE_UNKNOWN; ++ swizzle_y = I915_BIT_6_SWIZZLE_UNKNOWN; + } + + if (dcc == 0xffffffff) { +@@ -680,16 +679,35 @@ i915_gem_detect_bit_6_swizzle(struct drm_device *dev) + * matching, which was the case for the swizzling required in + * the table above, or from the 1-ch value being less than + * the minimum size of a rank. ++ * ++ * Reports indicate that the swizzling actually ++ * varies depending upon page placement inside the ++ * channels, i.e. we see swizzled pages where the ++ * banks of memory are paired and unswizzled on the ++ * uneven portion, so leave that as unknown. + */ +- if (I915_READ16(C0DRB3) != I915_READ16(C1DRB3)) { +- swizzle_x = I915_BIT_6_SWIZZLE_NONE; +- swizzle_y = I915_BIT_6_SWIZZLE_NONE; +- } else { ++ if (I915_READ16(C0DRB3) == I915_READ16(C1DRB3)) { + swizzle_x = I915_BIT_6_SWIZZLE_9_10; + swizzle_y = I915_BIT_6_SWIZZLE_9; + } + } + ++ if (swizzle_x == I915_BIT_6_SWIZZLE_UNKNOWN || ++ swizzle_y == I915_BIT_6_SWIZZLE_UNKNOWN) { ++ /* Userspace likes to explode if it sees unknown swizzling, ++ * so lie. We will finish the lie when reporting through ++ * the get-tiling-ioctl by reporting the physical swizzle ++ * mode as unknown instead. ++ * ++ * As we don't strictly know what the swizzling is, it may be ++ * bit17 dependent, and so we need to also prevent the pages ++ * from being moved. ++ */ ++ dev_priv->quirks |= QUIRK_PIN_SWIZZLED_PAGES; ++ swizzle_x = I915_BIT_6_SWIZZLE_NONE; ++ swizzle_y = I915_BIT_6_SWIZZLE_NONE; ++ } ++ + dev_priv->mm.bit_6_swizzle_x = swizzle_x; + dev_priv->mm.bit_6_swizzle_y = swizzle_y; + } +-- +2.5.0 + + +From b9aa6e409916793c7b2c6302df80f9a8c36ddcf2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 25 Nov 2015 15:26:47 +0100 +Subject: [PATCH 12/26] drm/i915: Don't compare has_drrs strictly in pipe + config + +Upstream commit 13b13dfaaa39ab52b0f433c6744f4638793cbf7b + +The commit [cfb23ed622d0: drm/i915: Allow fuzzy matching in +pipe_config_compare, v2] relaxed the way to compare the pipe +configurations, but one new comparison sneaked in there: it added the +strict has_drrs value check. This causes a regression on many +machines, typically HP laptops with a docking port, where the kernel +spews warnings and eventually fails to set the mode properly like: + [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in has_drrs (expected 1, found 0) + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 79 at drivers/gpu/drm/i915/intel_display.c:12700 intel_modeset_check_state+0x5aa/0x870 [i915]() + pipe state doesn't match! + .... + +This patch just removes the check again for fixing the regression. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104041 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92456 +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=956397 +Fixes: cfb23ed622d0 ('drm/i915: Allow fuzzy matching in pipe_config_compare, v2') +Cc: <stable@vger.kernel.org> # v4.3+ +Reported-and-tested-by: Max Lin <mlin@suse.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1448461607-16868-1-git-send-email-tiwai@suse.de +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_display.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index d07d98aeb72c..58e08fb47d1f 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -12427,7 +12427,6 @@ intel_pipe_config_compare(struct drm_device *dev, + if (INTEL_INFO(dev)->gen < 8) { + PIPE_CONF_CHECK_M_N(dp_m_n); + +- PIPE_CONF_CHECK_I(has_drrs); + if (current_config->has_drrs) + PIPE_CONF_CHECK_M_N(dp_m2_n2); + } else +-- +2.5.0 + + +From 17e09098ed89ccc44a9420b0eee361b2e4f1f58c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Thu, 19 Nov 2015 12:09:56 +0100 +Subject: [PATCH 13/26] drm/i915: Don't override output type for DDI HDMI + +Upstream commit 2540058f7a9d9a843b4d9a28d4f8168dd034d030 + +Currently a DDI port may register the DP hotplug handler even though +it's used with HDMI, and the DP HPD handler overrides the encoder +type forcibly to DP. This caused the inconsistency on a machine +connected with a HDMI monitor; upon a hotplug event, the DDI port is +suddenly switched to be handled as a DP although the same monitor is +kept connected, and this leads to the erroneous blank output. + +This patch papers over the bug by excluding the previous HDMI encoder +type from this override. This should be fixed more fundamentally, +e.g. by moving the encoder type reset from the HPD or by having +individual encoder objects for HDMI and DP. But since the bug has +been present for a long time (3.17), it's better to have a +quick-n-dirty fix for now, and keep working on a cleaner fix. + +Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=955190 +Fixes: 0e32b39ceed6 ('drm/i915: add DP 1.2 MST support (v0.7)') +Cc: <stable@vger.kernel.org> # v3.17+ +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1447931396-19147-1-git-send-email-tiwai@suse.de +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_dp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c +index 0a2e33fbf20d..a7b7a64d8d27 100644 +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -4921,7 +4921,8 @@ intel_dp_hpd_pulse(struct intel_digital_port *intel_dig_port, bool long_hpd) + enum intel_display_power_domain power_domain; + enum irqreturn ret = IRQ_NONE; + +- if (intel_dig_port->base.type != INTEL_OUTPUT_EDP) ++ if (intel_dig_port->base.type != INTEL_OUTPUT_EDP && ++ intel_dig_port->base.type != INTEL_OUTPUT_HDMI) + intel_dig_port->base.type = INTEL_OUTPUT_DISPLAYPORT; + + if (long_hpd && intel_dig_port->base.type == INTEL_OUTPUT_EDP) { +-- +2.5.0 + + +From 5cbff55f4355dc1cec8124c8741fdfd98f644c73 Mon Sep 17 00:00:00 2001 +From: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Date: Sat, 12 Sep 2015 10:17:50 +0530 +Subject: [PATCH 14/26] drm/i915: Add IS_SKL_GT3 and IS_SKL_GT4 macro. + +Upstream commit 7a58bad0e63295dfa803973efcebc80cb730c7bd + +It will be usefull to specify w/a that affects only SKL GT3 and GT4. + +Signed-off-by: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Reviewed-by: Alex Dai <yu.dai@intel.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +--- + drivers/gpu/drm/i915/i915_drv.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index e1db8de52851..3c16f6237251 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -2475,6 +2475,11 @@ struct drm_i915_cmd_table { + #define IS_SKL_ULX(dev) (INTEL_DEVID(dev) == 0x190E || \ + INTEL_DEVID(dev) == 0x1915 || \ + INTEL_DEVID(dev) == 0x191E) ++#define IS_SKL_GT3(dev) (IS_SKYLAKE(dev) && \ ++ (INTEL_DEVID(dev) & 0x00F0) == 0x0020) ++#define IS_SKL_GT4(dev) (IS_SKYLAKE(dev) && \ ++ (INTEL_DEVID(dev) & 0x00F0) == 0x0030) ++ + #define IS_PRELIMINARY_HW(intel_info) ((intel_info)->is_preliminary) + + #define SKL_REVID_A0 (0x0) +-- +2.5.0 + + +From baed978880f2c32e82587cc514227aad82daecd5 Mon Sep 17 00:00:00 2001 +From: Arun Siluvery <arun.siluvery@linux.intel.com> +Date: Fri, 18 Sep 2015 17:52:47 +0100 +Subject: [PATCH 15/26] drm/i915/bxt: Update revision id for BXT C0 + +Upstream commit 5ca4163a612068d8f942c454218d3d631f22af1b + +Cc: Nick Hoath <nicholas.hoath@intel.com> +Cc: Imre Deak <imre.deak@intel.com> +Signed-off-by: Arun Siluvery <arun.siluvery@linux.intel.com> +Reviewed-by: Imre Deak <imre.deak@intel.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +--- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index 3c16f6237251..475b03e9d584 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -2491,7 +2491,7 @@ struct drm_i915_cmd_table { + + #define BXT_REVID_A0 (0x0) + #define BXT_REVID_B0 (0x3) +-#define BXT_REVID_C0 (0x6) ++#define BXT_REVID_C0 (0x9) + + /* + * The genX designation typically refers to the render engine, so render +-- +2.5.0 + + +From c80bd95bfeb85ce970c5f7711718a274e4b38b55 Mon Sep 17 00:00:00 2001 +From: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Date: Sat, 12 Sep 2015 10:17:51 +0530 +Subject: [PATCH 16/26] drm/i915: WaRsDisableCoarsePowerGating + +Upstream commit f2d2fe95072acd5404f8051b8bf1195c61a47fb5 + +WaRsDisableCoarsePowerGating: Coarse Power Gating (CPG) needs to be +disabled for platforms prior to BXT B0 and SKL GT3/GT4 till E0. + +v2: Added GT3/GT4 Check. + +Change-Id: Ia3c4c16e050c88d3e259f601054875c812d69c3a +Signed-off-by: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Reviewed-by: Alex Dai <yu.dai@intel.com> +[danvet: Align continuation properly.] +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +--- + drivers/gpu/drm/i915/intel_pm.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 2a689522cd89..56a5568ffeb7 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4851,11 +4851,14 @@ static void gen9_enable_rc6(struct drm_device *dev) + + /* + * 3b: Enable Coarse Power Gating only when RC6 is enabled. +- * WaDisableRenderPowerGating:skl,bxt - Render PG need to be disabled with RC6. ++ * WaRsDisableCoarsePowerGating:skl,bxt - Render/Media PG need to be disabled with RC6. + */ +- I915_WRITE(GEN9_PG_ENABLE, (rc6_mask & GEN6_RC_CTL_RC6_ENABLE) ? +- GEN9_MEDIA_PG_ENABLE : 0); +- ++ if ((IS_BROXTON(dev) && (INTEL_REVID(dev) < BXT_REVID_B0)) || ++ ((IS_SKL_GT3(dev) || IS_SKL_GT4(dev)) && (INTEL_REVID(dev) <= SKL_REVID_E0))) ++ I915_WRITE(GEN9_PG_ENABLE, 0); ++ else ++ I915_WRITE(GEN9_PG_ENABLE, (rc6_mask & GEN6_RC_CTL_RC6_ENABLE) ? ++ (GEN9_RENDER_PG_ENABLE | GEN9_MEDIA_PG_ENABLE) : 0); + + intel_uncore_forcewake_put(dev_priv, FORCEWAKE_ALL); + +-- +2.5.0 + + +From c6b1dd5d44c09a9c0032066415ccf8539efb5856 Mon Sep 17 00:00:00 2001 +From: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Date: Sat, 12 Sep 2015 10:17:52 +0530 +Subject: [PATCH 17/26] drm/i915: WaRsUseTimeoutMode + +Upstream commit e3429cd240b06c79df3ea90f28065a7e011744cd + +Enable TO mode for RC6 for SKL till D0 and BXT till A0. + +Cc: Tom O'Rourke <Tom.O'Rourke@intel.com> +Cc: Akash Goel <akash.goel@intel.com> +Signed-off-by: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Reviewed-by: Alex Dai <yu.dai@intel.com> +[danvet: Fixup line continuation alignment.] +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +--- + drivers/gpu/drm/i915/intel_pm.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 56a5568ffeb7..ab54c645c2ee 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4845,9 +4845,16 @@ static void gen9_enable_rc6(struct drm_device *dev) + rc6_mask = GEN6_RC_CTL_RC6_ENABLE; + DRM_INFO("RC6 %s\n", (rc6_mask & GEN6_RC_CTL_RC6_ENABLE) ? + "on" : "off"); +- I915_WRITE(GEN6_RC_CONTROL, GEN6_RC_CTL_HW_ENABLE | +- GEN6_RC_CTL_EI_MODE(1) | +- rc6_mask); ++ ++ if ((IS_SKYLAKE(dev) && INTEL_REVID(dev) <= SKL_REVID_D0) || ++ (IS_BROXTON(dev) && INTEL_REVID(dev) <= BXT_REVID_A0)) ++ I915_WRITE(GEN6_RC_CONTROL, GEN6_RC_CTL_HW_ENABLE | ++ GEN7_RC_CTL_TO_MODE | ++ rc6_mask); ++ else ++ I915_WRITE(GEN6_RC_CONTROL, GEN6_RC_CTL_HW_ENABLE | ++ GEN6_RC_CTL_EI_MODE(1) | ++ rc6_mask); + + /* + * 3b: Enable Coarse Power Gating only when RC6 is enabled. +-- +2.5.0 + + +From a7af36dfaaa2136be0454787130f73d207c2f34d Mon Sep 17 00:00:00 2001 +From: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Date: Sat, 12 Sep 2015 10:17:53 +0530 +Subject: [PATCH 18/26] drm/i915: WaRsDoubleRc6WrlWithCoarsePowerGating + +Upstream commit 63a4dec2c168b74a39df1eac494501f0f6bf3708 + +Cc: Tom O'Rourke <Tom.O'Rourke@intel.com> +Cc: Akash Goel <akash.goel@intel.com> +Signed-off-by: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Reviewed-by: Alex Dai <yu.dai@intel.com> +[danvet: Fix continuation alignment.] +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +--- + drivers/gpu/drm/i915/intel_pm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index ab54c645c2ee..7c7b6386121f 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4828,7 +4828,13 @@ static void gen9_enable_rc6(struct drm_device *dev) + I915_WRITE(GEN6_RC_CONTROL, 0); + + /* 2b: Program RC6 thresholds.*/ +- I915_WRITE(GEN6_RC6_WAKE_RATE_LIMIT, 54 << 16); ++ ++ /* WaRsDoubleRc6WrlWithCoarsePowerGating: Doubling WRL only when CPG is enabled */ ++ if (IS_SKYLAKE(dev) && !((IS_SKL_GT3(dev) || IS_SKL_GT4(dev)) && ++ (INTEL_REVID(dev) <= SKL_REVID_E0))) ++ I915_WRITE(GEN6_RC6_WAKE_RATE_LIMIT, 108 << 16); ++ else ++ I915_WRITE(GEN6_RC6_WAKE_RATE_LIMIT, 54 << 16); + I915_WRITE(GEN6_RC_EVALUATION_INTERVAL, 125000); /* 12500 * 1280ns */ + I915_WRITE(GEN6_RC_IDLE_HYSTERSIS, 25); /* 25 * 1280ns */ + for_each_ring(ring, dev_priv, unused) +-- +2.5.0 + + +From b925cfd49203fc37c491fa28310221be23a2634d Mon Sep 17 00:00:00 2001 +From: Mika Kuoppala <mika.kuoppala@linux.intel.com> +Date: Mon, 7 Dec 2015 18:29:44 +0200 +Subject: [PATCH 19/26] drm/i915/skl: Disable coarse power gating up until F0 + +Upstream commit 344df9809f4521c8c11d67c5ef18764b54358950 + +There is conflicting info between E0 and F0 steppings +for this workarounds. Trust more authoritative source and +be conservative and extend also for F0. + +This prevents numerous (>50) gpu hangs with SKL GT4e +during piglit run. + +References: HSD: gen9lp/2134184 +Cc: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com> +Reviewed-by: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1449505785-20812-1-git-send-email-mika.kuoppala@intel.com +(cherry picked from commit 6686ece19f7446f0e29c77d9e0402e1d0ce10c48) +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 7c7b6386121f..d04f123f4ccf 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4867,7 +4867,7 @@ static void gen9_enable_rc6(struct drm_device *dev) + * WaRsDisableCoarsePowerGating:skl,bxt - Render/Media PG need to be disabled with RC6. + */ + if ((IS_BROXTON(dev) && (INTEL_REVID(dev) < BXT_REVID_B0)) || +- ((IS_SKL_GT3(dev) || IS_SKL_GT4(dev)) && (INTEL_REVID(dev) <= SKL_REVID_E0))) ++ ((IS_SKL_GT3(dev) || IS_SKL_GT4(dev)) && (INTEL_REVID(dev) <= SKL_REVID_F0))) + I915_WRITE(GEN9_PG_ENABLE, 0); + else + I915_WRITE(GEN9_PG_ENABLE, (rc6_mask & GEN6_RC_CTL_RC6_ENABLE) ? +-- +2.5.0 + + +From 302e759f64e1c4bed49f31459329acbb2cddce8a Mon Sep 17 00:00:00 2001 +From: Mika Kuoppala <mika.kuoppala@linux.intel.com> +Date: Mon, 7 Dec 2015 18:29:45 +0200 +Subject: [PATCH 20/26] drm/i915/skl: Double RC6 WRL always on + +Upstream commit 6704d45528537ea6088aeea0667d87b605b82d51 + +WaRsDoubleRc6WrlWithCoarsePowerGating should +be enabled for all Skylakes. Make it so. + +Cc: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com> +Reviewed-by: Sagar Arun Kamble <sagar.a.kamble@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1449505785-20812-2-git-send-email-mika.kuoppala@intel.com +(cherry picked from commit e7674b8c31717dd0c58b3a9493d43249722071eb) +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_pm.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index d04f123f4ccf..33db474fae02 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4830,8 +4830,7 @@ static void gen9_enable_rc6(struct drm_device *dev) + /* 2b: Program RC6 thresholds.*/ + + /* WaRsDoubleRc6WrlWithCoarsePowerGating: Doubling WRL only when CPG is enabled */ +- if (IS_SKYLAKE(dev) && !((IS_SKL_GT3(dev) || IS_SKL_GT4(dev)) && +- (INTEL_REVID(dev) <= SKL_REVID_E0))) ++ if (IS_SKYLAKE(dev)) + I915_WRITE(GEN6_RC6_WAKE_RATE_LIMIT, 108 << 16); + else + I915_WRITE(GEN6_RC6_WAKE_RATE_LIMIT, 54 << 16); +-- +2.5.0 + + +From c4c390176eaf6b4321c1f90065107711845e9aff Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Date: Mon, 23 Nov 2015 10:25:28 +0100 +Subject: [PATCH 21/26] drm/i915: Do a better job at disabling primary plane in + the noatomic case. + +Upstream commit 634b3a4a476e96816d5d6cd5bb9f8900a53f56ba + +When disable_noatomic is called plane_mask is not correct yet, and +plane_state->visible = true is left as true after disabling the primary +plane. + +Other planes are already disabled as part of crtc sanitization, only the +primary is left active. But the plane_mask is not updated here. It gets +updated during fb takeover in modeset_gem_init, or set to the new value +on resume. + +This means that to disable the primary plane 1 << drm_plane_index(primary) +needs to be used. + +Afterwards because the crtc is no longer active it's forbidden to keep +plane_state->visible set, or a WARN_ON in +intel_plane_atomic_calc_changes triggers. There are other code points +that rely on accurate plane_state->visible too, so make sure the bool is +cleared. + +The other planes are already disabled in intel_sanitize_crtc, so they +don't have to be handled here. + +Cc: stable@vger.kernel.org #v4.3, v4.2? +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92655 +Tested-by: Tomas Mezzadra <tmezzadra@gmail.com> +Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/5652DB88.9070208@linux.intel.com +(cherry picked from commit 54a4196188eab82e6f0a5f05716626e9f18b8fb6) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_display.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 58e08fb47d1f..35fad110cc26 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -6225,9 +6225,11 @@ static void intel_crtc_disable_noatomic(struct drm_crtc *crtc) + if (to_intel_plane_state(crtc->primary->state)->visible) { + intel_crtc_wait_for_pending_flips(crtc); + intel_pre_disable_primary(crtc); ++ ++ intel_crtc_disable_planes(crtc, 1 << drm_plane_index(crtc->primary)); ++ to_intel_plane_state(crtc->primary->state)->visible = false; + } + +- intel_crtc_disable_planes(crtc, crtc->state->plane_mask); + dev_priv->display.crtc_disable(crtc); + intel_disable_shared_dpll(intel_crtc); + +-- +2.5.0 + + +From 42ab5c413c7cf61fab4b2fbce9cb4ab7f7be6356 Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Fri, 11 Dec 2015 11:32:57 +0000 +Subject: [PATCH 22/26] drm/i915: Break busywaiting for requests on pending + signals + +Upstream commit e7571f7fd66c77a760338340adbe41d994fe93ac + +The busywait in __i915_spin_request() does not respect pending signals +and so may consume the entire timeslice for the task instead of +returning to userspace to handle the signal. + +In the worst case this could cause a delay in signal processing of 20ms, +which would be a noticeable jitter in cursor tracking. If a higher +resolution signal was being used, for example to provide fairness of a +server timeslices between clients, we could expect to detect some +unfairness between clients (i.e. some windows not updating as fast as +others). This issue was noticed when inspecting a report of poor +interactivity resulting from excessively high __i915_spin_request usage. + +Fixes regression from +commit 2def4ad99befa25775dd2f714fdd4d92faec6e34 [v4.2] +Author: Chris Wilson <chris@chris-wilson.co.uk> +Date: Tue Apr 7 16:20:41 2015 +0100 + + drm/i915: Optimistically spin for the request completion + +v2: Try to assess the impact of the bug + +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> +Cc: Jens Axboe <axboe@kernel.dk> +Cc; "Rogozhkin, Dmitry V" <dmitry.v.rogozhkin@intel.com> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> +Cc: Eero Tamminen <eero.t.tamminen@intel.com> +Cc: "Rantala, Valtteri" <valtteri.rantala@intel.com> +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1449833608-22125-2-git-send-email-chris@chris-wilson.co.uk +(cherry picked from commit 91b0c352ace9afec1fb51590c7b8bd60e0eb9fbd) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_gem.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index dee065c2b6d8..c6e3ab72882f 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1144,7 +1144,7 @@ static bool missed_irq(struct drm_i915_private *dev_priv, + return test_bit(ring->id, &dev_priv->gpu_error.missed_irq_rings); + } + +-static int __i915_spin_request(struct drm_i915_gem_request *req) ++static int __i915_spin_request(struct drm_i915_gem_request *req, int state) + { + unsigned long timeout; + +@@ -1156,6 +1156,9 @@ static int __i915_spin_request(struct drm_i915_gem_request *req) + if (i915_gem_request_completed(req, true)) + return 0; + ++ if (signal_pending_state(state, current)) ++ break; ++ + if (time_after_eq(jiffies, timeout)) + break; + +@@ -1195,6 +1198,7 @@ int __i915_wait_request(struct drm_i915_gem_request *req, + struct drm_i915_private *dev_priv = dev->dev_private; + const bool irq_test_in_progress = + ACCESS_ONCE(dev_priv->gpu_error.test_irq_rings) & intel_ring_flag(ring); ++ int state = interruptible ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE; + DEFINE_WAIT(wait); + unsigned long timeout_expire; + s64 before, now; +@@ -1219,7 +1223,7 @@ int __i915_wait_request(struct drm_i915_gem_request *req, + before = ktime_get_raw_ns(); + + /* Optimistic spin for the next jiffie before touching IRQs */ +- ret = __i915_spin_request(req); ++ ret = __i915_spin_request(req, state); + if (ret == 0) + goto out; + +@@ -1231,8 +1235,7 @@ int __i915_wait_request(struct drm_i915_gem_request *req, + for (;;) { + struct timer_list timer; + +- prepare_to_wait(&ring->irq_queue, &wait, +- interruptible ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); ++ prepare_to_wait(&ring->irq_queue, &wait, state); + + /* We need to check whether any gpu reset happened in between + * the caller grabbing the seqno and now ... */ +@@ -1250,7 +1253,7 @@ int __i915_wait_request(struct drm_i915_gem_request *req, + break; + } + +- if (interruptible && signal_pending(current)) { ++ if (signal_pending_state(state, current)) { + ret = -ERESTARTSYS; + break; + } +-- +2.5.0 + + +From 8cbf415a2aadd85cf9dfab28296a821ffea96d87 Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Fri, 11 Dec 2015 11:32:58 +0000 +Subject: [PATCH 23/26] drm/i915: Limit the busy wait on requests to 5us not + 10ms! + +Upstream commit f87a780f07b22b6dc4642dbaf44af65112076cb8 + +When waiting for high frequency requests, the finite amount of time +required to set up the irq and wait upon it limits the response rate. By +busywaiting on the request completion for a short while we can service +the high frequency waits as quick as possible. However, if it is a slow +request, we want to sleep as quickly as possible. The tradeoff between +waiting and sleeping is roughly the time it takes to sleep on a request, +on the order of a microsecond. Based on measurements of synchronous +workloads from across big core and little atom, I have set the limit for +busywaiting as 10 microseconds. In most of the synchronous cases, we can +reduce the limit down to as little as 2 miscroseconds, but that leaves +quite a few test cases regressing by factors of 3 and more. + +The code currently uses the jiffie clock, but that is far too coarse (on +the order of 10 milliseconds) and results in poor interactivity as the +CPU ends up being hogged by slow requests. To get microsecond resolution +we need to use a high resolution timer. The cheapest of which is polling +local_clock(), but that is only valid on the same CPU. If we switch CPUs +because the task was preempted, we can also use that as an indicator that + the system is too busy to waste cycles on spinning and we should sleep +instead. + +__i915_spin_request was introduced in +commit 2def4ad99befa25775dd2f714fdd4d92faec6e34 [v4.2] +Author: Chris Wilson <chris@chris-wilson.co.uk> +Date: Tue Apr 7 16:20:41 2015 +0100 + + drm/i915: Optimistically spin for the request completion + +v2: Drop full u64 for unsigned long - the timer is 32bit wraparound safe, +so we can use native register sizes on smaller architectures. Mention +the approximate microseconds units for elapsed time and add some extra +comments describing the reason for busywaiting. + +v3: Raise the limit to 10us +v4: Now 5us. + +Reported-by: Jens Axboe <axboe@kernel.dk> +Link: https://lkml.org/lkml/2015/11/12/621 +Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> +Cc: "Rogozhkin, Dmitry V" <dmitry.v.rogozhkin@intel.com> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> +Cc: Eero Tamminen <eero.t.tamminen@intel.com> +Cc: "Rantala, Valtteri" <valtteri.rantala@intel.com> +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1449833608-22125-3-git-send-email-chris@chris-wilson.co.uk +(cherry picked from commit ca5b721e238226af1d767103ac852aeb8e4c0764) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_gem.c | 47 +++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 45 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index c6e3ab72882f..205316d056f1 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1144,14 +1144,57 @@ static bool missed_irq(struct drm_i915_private *dev_priv, + return test_bit(ring->id, &dev_priv->gpu_error.missed_irq_rings); + } + ++static unsigned long local_clock_us(unsigned *cpu) ++{ ++ unsigned long t; ++ ++ /* Cheaply and approximately convert from nanoseconds to microseconds. ++ * The result and subsequent calculations are also defined in the same ++ * approximate microseconds units. The principal source of timing ++ * error here is from the simple truncation. ++ * ++ * Note that local_clock() is only defined wrt to the current CPU; ++ * the comparisons are no longer valid if we switch CPUs. Instead of ++ * blocking preemption for the entire busywait, we can detect the CPU ++ * switch and use that as indicator of system load and a reason to ++ * stop busywaiting, see busywait_stop(). ++ */ ++ *cpu = get_cpu(); ++ t = local_clock() >> 10; ++ put_cpu(); ++ ++ return t; ++} ++ ++static bool busywait_stop(unsigned long timeout, unsigned cpu) ++{ ++ unsigned this_cpu; ++ ++ if (time_after(local_clock_us(&this_cpu), timeout)) ++ return true; ++ ++ return this_cpu != cpu; ++} ++ + static int __i915_spin_request(struct drm_i915_gem_request *req, int state) + { + unsigned long timeout; ++ unsigned cpu; ++ ++ /* When waiting for high frequency requests, e.g. during synchronous ++ * rendering split between the CPU and GPU, the finite amount of time ++ * required to set up the irq and wait upon it limits the response ++ * rate. By busywaiting on the request completion for a short while we ++ * can service the high frequency waits as quick as possible. However, ++ * if it is a slow request, we want to sleep as quickly as possible. ++ * The tradeoff between waiting and sleeping is roughly the time it ++ * takes to sleep on a request, on the order of a microsecond. ++ */ + + if (i915_gem_request_get_ring(req)->irq_refcount) + return -EBUSY; + +- timeout = jiffies + 1; ++ timeout = local_clock_us(&cpu) + 5; + while (!need_resched()) { + if (i915_gem_request_completed(req, true)) + return 0; +@@ -1159,7 +1202,7 @@ static int __i915_spin_request(struct drm_i915_gem_request *req, int state) + if (signal_pending_state(state, current)) + break; + +- if (time_after_eq(jiffies, timeout)) ++ if (busywait_stop(timeout, cpu)) + break; + + cpu_relax_lowlatency(); +-- +2.5.0 + + +From 7b94b8683d8d2ac4b29099e24e351e03f163e462 Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Fri, 11 Dec 2015 11:32:59 +0000 +Subject: [PATCH 24/26] drm/i915: Only spin whilst waiting on the current + request + +Upstream commit 0f0cd472062eca6f9fac8be0cd5585f9a2df1ab2 + +Limit busywaiting only to the request currently being processed by the +GPU. If the request is not currently being processed by the GPU, there +is a very low likelihood of it being completed within the 2 microsecond +spin timeout and so we will just be wasting CPU cycles. + +v2: Check for logical inversion when rebasing - we were incorrectly +checking for this request being active, and instead busywaiting for +when the GPU was not yet processing the request of interest. + +v3: Try another colour for the seqno names. +v4: Another colour for the function names. + +v5: Remove the forced coherency when checking for the active request. On +reflection and plenty of recent experimentation, the issue is not a +cache coherency problem - but an irq/seqno ordering problem (timing issue). +Here, we do not need the w/a to force ordering of the read with an +interrupt. + +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> +Cc: "Rogozhkin, Dmitry V" <dmitry.v.rogozhkin@intel.com> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com> +Cc: Eero Tamminen <eero.t.tamminen@intel.com> +Cc: "Rantala, Valtteri" <valtteri.rantala@intel.com> +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1449833608-22125-4-git-send-email-chris@chris-wilson.co.uk +(cherry picked from commit 821485dc2ad665f136c57ee589bf7a8210160fe2) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/i915_drv.h | 27 +++++++++++++++++++-------- + drivers/gpu/drm/i915/i915_gem.c | 8 +++++++- + 2 files changed, 26 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index 475b03e9d584..bd6df685ae61 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -2178,8 +2178,17 @@ struct drm_i915_gem_request { + struct drm_i915_private *i915; + struct intel_engine_cs *ring; + +- /** GEM sequence number associated with this request. */ +- uint32_t seqno; ++ /** GEM sequence number associated with the previous request, ++ * when the HWS breadcrumb is equal to this the GPU is processing ++ * this request. ++ */ ++ u32 previous_seqno; ++ ++ /** GEM sequence number associated with this request, ++ * when the HWS breadcrumb is equal or greater than this the GPU ++ * has finished processing this request. ++ */ ++ u32 seqno; + + /** Position in the ringbuffer of the start of the request */ + u32 head; +@@ -2880,15 +2889,17 @@ i915_seqno_passed(uint32_t seq1, uint32_t seq2) + return (int32_t)(seq1 - seq2) >= 0; + } + ++static inline bool i915_gem_request_started(struct drm_i915_gem_request *req, ++ bool lazy_coherency) ++{ ++ u32 seqno = req->ring->get_seqno(req->ring, lazy_coherency); ++ return i915_seqno_passed(seqno, req->previous_seqno); ++} ++ + static inline bool i915_gem_request_completed(struct drm_i915_gem_request *req, + bool lazy_coherency) + { +- u32 seqno; +- +- BUG_ON(req == NULL); +- +- seqno = req->ring->get_seqno(req->ring, lazy_coherency); +- ++ u32 seqno = req->ring->get_seqno(req->ring, lazy_coherency); + return i915_seqno_passed(seqno, req->seqno); + } + +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index 205316d056f1..1bf658dc6553 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1191,9 +1191,13 @@ static int __i915_spin_request(struct drm_i915_gem_request *req, int state) + * takes to sleep on a request, on the order of a microsecond. + */ + +- if (i915_gem_request_get_ring(req)->irq_refcount) ++ if (req->ring->irq_refcount) + return -EBUSY; + ++ /* Only spin if we know the GPU is processing this request */ ++ if (!i915_gem_request_started(req, true)) ++ return -EAGAIN; ++ + timeout = local_clock_us(&cpu) + 5; + while (!need_resched()) { + if (i915_gem_request_completed(req, true)) +@@ -1207,6 +1211,7 @@ static int __i915_spin_request(struct drm_i915_gem_request *req, int state) + + cpu_relax_lowlatency(); + } ++ + if (i915_gem_request_completed(req, false)) + return 0; + +@@ -2591,6 +2596,7 @@ void __i915_add_request(struct drm_i915_gem_request *request, + request->batch_obj = obj; + + request->emitted_jiffies = jiffies; ++ request->previous_seqno = ring->last_submitted_seqno; + ring->last_submitted_seqno = request->seqno; + list_add_tail(&request->list, &ring->request_list); + +-- +2.5.0 + + +From bf0176f1bb4bb6316102f4ca4d9314a20c228098 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com> +Date: Fri, 18 Dec 2015 19:24:39 +0200 +Subject: [PATCH 25/26] drm/i915: Workaround CHV pipe C cursor fail +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit ef8dd37af85a8f37ca3a29074647511e52c56181 + +Turns out CHV pipe C was glued on somewhat poorly, and there's something +wrong with the cursor. If the cursor straddles the left screen edge, +and is then moved away from the edge or disabled, the pipe will often +underrun. If enough underruns are triggered quickly enough the pipe +will fall over and die (it just scans out a solid color and reports +a constant underrun). We need to turn the disp2d power well off and +on again to recover the pipe. + +None of that is very nice for the user, so let's just refuse to place +the cursor in the compromised position. The ddx appears to fall back +to swcursor when the ioctl returns an error, so theoretically there's +no loss of functionality for the user (discounting swcursor bugs). +I suppose most cursors images actually have the hotspot not exactly +at 0,0 so under typical conditions the fallback will in fact kick in +as soon as the cursor touches the left edge of the screen. + +Any atomic compositor should anyway be prepared to fall back to +GPU composition when things don't work out, so there should be no +problem with those. + +Other things that I tried to solve this include flipping all +display related clock gating knobs I could find, increasing the +minimum gtt alignment all the way up to 512k. I also tried to see +if there are more specific screen coordinates that hit the bug, but +the findings were somewhat inconclusive. Sometimes the failures +happen almost across the whole left edge, sometimes more at the very +top and around the bottom half. I wasn't able to find any real pattern +to these variations, so it seems our only choice is to just refuse +to straddle the left screen edge at all. + +Cc: stable@vger.kernel.org +Cc: Jason Plum <max@warheads.net> +Testcase: igt/kms_chv_cursor_fail +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92826 +Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1450459479-16286-1-git-send-email-ville.syrjala@linux.intel.com +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +(cherry picked from commit b29ec92c4f5e6d45d8bae8194e664427a01c6687) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_display.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 35fad110cc26..c70a6cb8914f 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -13614,6 +13614,7 @@ intel_check_cursor_plane(struct drm_plane *plane, + struct drm_crtc *crtc = crtc_state->base.crtc; + struct drm_framebuffer *fb = state->base.fb; + struct drm_i915_gem_object *obj = intel_fb_obj(fb); ++ enum pipe pipe = to_intel_plane(plane)->pipe; + unsigned stride; + int ret; + +@@ -13647,6 +13648,22 @@ intel_check_cursor_plane(struct drm_plane *plane, + return -EINVAL; + } + ++ /* ++ * There's something wrong with the cursor on CHV pipe C. ++ * If it straddles the left edge of the screen then ++ * moving it away from the edge or disabling it often ++ * results in a pipe underrun, and often that can lead to ++ * dead pipe (constant underrun reported, and it scans ++ * out just a solid color). To recover from that, the ++ * display power well must be turned off and on again. ++ * Refuse the put the cursor into that compromised position. ++ */ ++ if (IS_CHERRYVIEW(plane->dev) && pipe == PIPE_C && ++ state->visible && state->base.crtc_x < 0) { ++ DRM_DEBUG_KMS("CHV cursor C not allowed to straddle the left screen edge\n"); ++ return -EINVAL; ++ } ++ + return 0; + } + +-- +2.5.0 + + +From 036933da945df1526e0b5ee17fe8a8a77c1380e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com> +Date: Thu, 10 Dec 2015 18:22:31 +0200 +Subject: [PATCH 26/26] drm/i915: Unbreak check_digital_port_conflicts() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream commit ae35b56e367b9fef7f5de701cf8c1c3dd954dded + +Atomic changes broke check_digital_port_conflicts(). It needs to look +at the global situation instead of just trying to find a conflict +within the current atomic state. + +This bug made my HSW explode spectacularly after I had split the DDI +encoders into separate DP and HDMI encoders. With the fix, things +seem much more solid. + +I hope holding the connection_mutex is enough protection that we can +actually walk the connectors even if they're not part of the current +atomic state... + +v2: Regenerate the patch so that it actually applies (Jani) + +Cc: stable@vger.kernel.org +Cc: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com> +Fixes: 5448a00d3f06 ("drm/i915: Don't use staged config in check_digital_port_conflicts()") +Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: http://patchwork.freedesktop.org/patch/msgid/1449764551-12466-1-git-send-email-ville.syrjala@linux.intel.com +(cherry picked from commit 0bff4858653312a10c83709e0009c3adb87e6f1e) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +--- + drivers/gpu/drm/i915/intel_display.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index c70a6cb8914f..aafe3e3de3ae 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -12026,18 +12026,22 @@ static void intel_dump_pipe_config(struct intel_crtc *crtc, + static bool check_digital_port_conflicts(struct drm_atomic_state *state) + { + struct drm_device *dev = state->dev; +- struct intel_encoder *encoder; + struct drm_connector *connector; +- struct drm_connector_state *connector_state; + unsigned int used_ports = 0; +- int i; + + /* + * Walk the connector list instead of the encoder + * list to detect the problem on ddi platforms + * where there's just one encoder per digital port. + */ +- for_each_connector_in_state(state, connector, connector_state, i) { ++ drm_for_each_connector(connector, dev) { ++ struct drm_connector_state *connector_state; ++ struct intel_encoder *encoder; ++ ++ connector_state = drm_atomic_get_existing_connector_state(state, connector); ++ if (!connector_state) ++ connector_state = connector->state; ++ + if (!connector_state->best_encoder) + continue; + +-- +2.5.0 + diff --git a/ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch b/ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch new file mode 100644 index 000000000..da0c82750 --- /dev/null +++ b/ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch @@ -0,0 +1,40 @@ +From 90da345613c5c0910b54b72019664e0b2ada19f9 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Tue, 12 Jan 2016 07:54:39 -0500 +Subject: [PATCH] ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list + +Like the Yoga 900 models the Lenovo Yoga 700 does not have a +hw rfkill switch, and trying to read the hw rfkill switch through the +ideapad module causes it to always reported blocking breaking wifi. + +This commit adds the Lenovo Yoga 700 to the no_hw_rfkill dmi list, fixing +the wifi breakage. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1295272 +Cc: stable@vger.kernel.org +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/platform/x86/ideapad-laptop.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c +index d28db0e793df..51178626305d 100644 +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -900,6 +900,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = { + }, + }, + { ++ .ident = "Lenogo Yoga 700", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 700"), ++ }, ++ }, ++ { + .ident = "Lenovo Yoga 900", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +-- +2.5.0 + diff --git a/kbuild-AFTER_LINK.patch b/kbuild-AFTER_LINK.patch index 2dfb637e8..7a18fd241 100644 --- a/kbuild-AFTER_LINK.patch +++ b/kbuild-AFTER_LINK.patch @@ -1,3 +1,4 @@ +From 7877d76b409181af38d307b98d8fed1024f3c9c2 Mon Sep 17 00:00:00 2001 From: Roland McGrath <roland@redhat.com> Date: Mon, 6 Oct 2008 23:03:03 -0700 Subject: [PATCH] kbuild: AFTER_LINK @@ -62,7 +63,7 @@ index effca9404b17..713891a92d23 100644 cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $< diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile -index 8ad2b34ad151..e153572ab351 100644 +index ee8a18e50a25..63e33fa049f8 100644 --- a/arch/s390/kernel/vdso32/Makefile +++ b/arch/s390/kernel/vdso32/Makefile @@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S @@ -76,7 +77,7 @@ index 8ad2b34ad151..e153572ab351 100644 cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $< diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile -index 2a8ddfd12a5b..452ca53561fe 100644 +index c4b03f9ed228..550450fc2f95 100644 --- a/arch/s390/kernel/vdso64/Makefile +++ b/arch/s390/kernel/vdso64/Makefile @@ -43,7 +43,8 @@ $(obj-vdso64): %.o: %.S @@ -90,7 +91,7 @@ index 2a8ddfd12a5b..452ca53561fe 100644 cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $< diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile -index e97032069f88..9ea82f444dea 100644 +index a3d0767a6b29..078c9be1db8f 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -172,8 +172,9 @@ $(vdso32-images:%=$(obj)/%.dbg): $(obj)/vdso32-%.so.dbg: FORCE \ @@ -103,7 +104,7 @@ index e97032069f88..9ea82f444dea 100644 + $(if $(AFTER_LINK),; $(AFTER_LINK)) && \ + sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@' - VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \ + VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \ $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS) diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh index 1a10d8ac8162..092d0c0cf72c 100755 @@ -120,3 +121,6 @@ index 1a10d8ac8162..092d0c0cf72c 100755 } +-- +2.4.3 + diff --git a/kernel.spec b/kernel.spec index 9aef0b5d5..b1e915307 100644 --- a/kernel.spec +++ b/kernel.spec @@ -49,7 +49,7 @@ Summary: The Linux kernel # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 2 +%define base_sublevel 3 ## If this is a released kernel ## %if 0%{?released_kernel} @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -408,7 +408,11 @@ BuildRequires: rpm-build, elfutils %define debuginfo_args --strict-build-id -r %endif -BuildRequires: openssl +%ifarch %{ix86} x86_64 +# MODULE_SIG is enabled in config-x86-generic and needs these: +BuildRequires: openssl openssl-devel +%endif + %if %{signmodules} BuildRequires: pesign >= 0.10-4 %endif @@ -451,7 +455,7 @@ Source32: config-x86-32-generic Source40: config-x86_64-generic -Source50: config-powerpc-generic +Source50: config-powerpc64-generic Source53: config-powerpc64 Source54: config-powerpc64p7 Source55: config-powerpc64le @@ -515,134 +519,107 @@ Patch05: kbuild-AFTER_LINK.patch # Standalone patches -Patch450: input-kill-stupid-messages.patch -Patch452: no-pcspkr-modalias.patch +Patch451: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch -Patch458: regulator-axp20x-module-alias.patch -Patch470: die-floppy-die.patch +Patch452: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch -Patch510: input-silence-i8042-noise.patch -Patch530: silence-fbcon-logo.patch +Patch453: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch -Patch600: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +Patch454: arm64-avoid-needing-console-to-enable-serial-console.patch -#rhbz 1126580 -Patch601: Kbuild-Add-an-option-to-enable-GCC-VTA.patch +Patch455: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch -Patch800: crash-driver.patch +Patch456: arm64-acpi-drop-expert-patch.patch -# crypto/ +Patch457: ARM-tegra-usb-no-reset.patch -# secure boot -Patch1000: Add-secure_modules-call.patch -Patch1001: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch -Patch1002: x86-Lock-down-IO-port-access-when-module-security-is.patch -Patch1003: ACPI-Limit-access-to-custom_method.patch -Patch1004: asus-wmi-Restrict-debugfs-interface-when-module-load.patch -Patch1005: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch -Patch1006: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch -Patch1007: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch -Patch1008: x86-Restrict-MSR-access-when-module-loading-is-restr.patch -Patch1009: Add-option-to-automatically-enforce-module-signature.patch -Patch1010: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch -Patch1011: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch -Patch1012: efi-Add-EFI_SECURE_BOOT-bit.patch -Patch1013: hibernate-Disable-in-a-signed-modules-environment.patch +Patch458: ARM-dts-Add-am335x-bonegreen.patch -Patch1014: Add-EFI-signature-data-types.patch -Patch1015: Add-an-EFI-signature-blob-parser-and-key-loader.patch -Patch1016: KEYS-Add-a-system-blacklist-keyring.patch -Patch1017: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch -Patch1018: MODSIGN-Support-not-importing-certs-from-db.patch +Patch459: 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch -Patch1019: Add-sysrq-option-to-disable-secure-boot-mode.patch +Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch -# virt + ksm patches +Patch463: arm-i.MX6-Utilite-device-dtb.patch -# DRM +Patch466: input-kill-stupid-messages.patch -# nouveau + drm fixes -# intel drm is all merged upstream -Patch1826: drm-i915-hush-check-crtc-state.patch +Patch467: die-floppy-die.patch -# Quiet boot fixes +Patch468: no-pcspkr-modalias.patch -# fs fixes +Patch470: silence-fbcon-logo.patch -# NFSv4 +Patch471: Kbuild-Add-an-option-to-enable-GCC-VTA.patch -# patches headed upstream -Patch12016: disable-i8042-check-on-apple-mac.patch +Patch472: crash-driver.patch -Patch14010: lis3-improve-handling-of-null-rate.patch +Patch473: Add-secure_modules-call.patch -Patch15000: watchdog-Disable-watchdog-on-virtual-machines.patch +Patch474: PCI-Lock-down-BAR-access-when-module-security-is-ena.patch -# PPC +Patch475: x86-Lock-down-IO-port-access-when-module-security-is.patch -# ARM64 -Patch16000: amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch -Patch16001: amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch -Patch16002: arm64-avoid-needing-console-to-enable-serial-console.patch -Patch16003: usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch -Patch16004: showmem-cma-correct-reserved-memory-calculation.patch +Patch476: ACPI-Limit-access-to-custom_method.patch -# ARMv7 -Patch16020: ARM-tegra-usb-no-reset.patch -Patch16021: arm-dts-am335x-boneblack-lcdc-add-panel-info.patch -Patch16022: arm-dts-am335x-boneblack-add-cpu0-opp-points.patch -Patch16025: arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch -Patch16026: pinctrl-pinctrl-single-must-be-initialized-early.patch +Patch477: asus-wmi-Restrict-debugfs-interface-when-module-load.patch -Patch16028: arm-i.MX6-Utilite-device-dtb.patch +Patch478: Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch -#rhbz 754518 -Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch +Patch479: acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch -# https://fedoraproject.org/wiki/Features/Checkpoint_Restore -Patch21242: criu-no-expert.patch +Patch480: kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch -#rhbz 892811 -Patch21247: ath9k-rx-dma-stop-check.patch +Patch481: x86-Restrict-MSR-access-when-module-loading-is-restr.patch -#CVE-2015-2150 rhbz 1196266 1200397 -Patch26175: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch +Patch482: Add-option-to-automatically-enforce-module-signature.patch -#rhbz 1212230 -Patch26176: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch +Patch483: efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch -#rhbz 1133378 -Patch26219: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch +Patch484: efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch -#rhbz 1226743 -Patch26221: drm-i915-turn-off-wc-mmaps.patch +Patch485: efi-Add-EFI_SECURE_BOOT-bit.patch +Patch486: hibernate-Disable-in-a-signed-modules-environment.patch -#rhbz 1244511 -Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch +Patch487: Add-EFI-signature-data-types.patch -Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch +Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch + +Patch489: KEYS-Add-a-system-blacklist-keyring.patch + +Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch + +Patch491: MODSIGN-Support-not-importing-certs-from-db.patch + +Patch492: Add-sysrq-option-to-disable-secure-boot-mode.patch + +Patch493: drm-i915-hush-check-crtc-state.patch + +Patch494: disable-i8042-check-on-apple-mac.patch + +Patch495: lis3-improve-handling-of-null-rate.patch + +Patch496: watchdog-Disable-watchdog-on-virtual-machines.patch + +Patch497: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch + +Patch498: criu-no-expert.patch + +Patch499: ath9k-rx-dma-stop-check.patch -#rhbz 1239050 -Patch509: ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch +Patch500: xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch -#rhbz 1253789 -Patch511: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch +Patch501: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch -#rhbz 1257534 -Patch515: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch +Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch -#rhbz 1257500 -Patch517: vmwgfx-Rework-device-initialization.patch -Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch +Patch503: drm-i915-turn-off-wc-mmaps.patch -#rhbz 1272172 -Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch -Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch #CVE-2015-7799 rhbz 1271134 1271135 -Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch -Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch +Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch +Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch #CVE-2015-8104 rhbz 1278496 1279691 Patch551: KVM-svm-unconditionally-intercept-DB.patch @@ -658,11 +635,6 @@ Patch556: netfilter-ipset-Fix-extension-alignment.patch Patch557: netfilter-ipset-Fix-hash-type-expiration.patch Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch -#rhbz 1278688 -Patch560: 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch -Patch561: 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch -Patch562: 0003-KVM-x86-fix-previous-commit-for-32-bit.patch - #rhbz 1284059 Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch @@ -678,14 +650,66 @@ Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch #rhbz 1286293 Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch +#rhbz 1288687 +Patch572: alua_fix.patch + #CVE-XXXX-XXXX rhbz 1291329 1291332 Patch574: ovl-fix-permission-checking-for-setattr.patch #CVE-2015-7550 rhbz 1291197 1291198 Patch575: KEYS-Fix-race-between-read-and-revoke.patch -#CVE-2015-8543 rhbz 1290475 1290477 -Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch +Patch601: vrf-fix-memory-leak-on-registration.patch + +#CVE-2015-8709 rhbz 1295287 1295288 +Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch + +#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch + +#CVE-2015-7513 rhbz 1284847 1296142 +Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch + +#rhbz 1296677 +Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch + +#rhbz 1281368 +Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch + +#rhbz 1296820 +Patch608: drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch + +#rhbz 1083853 +Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch + +#CVE-2015-7566 rhbz 1296466 1297517 +Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch + +#rhbz 1298309 +#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch + +#rhbz 1298996 +Patch625: block-ensure-to-split-after-potentially-bouncing-a-b.patch + +#rhbz 1298192 +Patch626: selinux-fix-bug-in-conditional-rules-handling.patch + +#rhbz 1295272 +Patch627: ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch + +Patch628: i915-stable-backports.patch +Patch635: nouveau-stable-backports.patch + +#rhbz 1299810 +Patch629: SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch +Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch + +Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch +Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch + +Patch633: net_43.mbox + +#CVE-2016-0728 rhbz 1296623 1297475 +Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch # END OF PATCH DEFINITIONS @@ -1254,183 +1278,104 @@ ApplyPatch kbuild-AFTER_LINK.patch %if !%{nopatches} -# Architecture patches -# x86(-64) ApplyPatch lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch -# PPC - -# ARM64 ApplyPatch amd-xgbe-a0-Add-support-for-XGBE-on-A0.patch + ApplyPatch amd-xgbe-phy-a0-Add-support-for-XGBE-PHY-on-A0.patch + ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch + ApplyPatch usb-make-xhci-platform-driver-use-64-bit-or-32-bit-D.patch -ApplyPatch showmem-cma-correct-reserved-memory-calculation.patch +ApplyPatch arm64-acpi-drop-expert-patch.patch -# -# ARM -# ApplyPatch ARM-tegra-usb-no-reset.patch -ApplyPatch arm-dts-am335x-boneblack-lcdc-add-panel-info.patch -ApplyPatch arm-dts-am335x-boneblack-add-cpu0-opp-points.patch -ApplyPatch arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch -ApplyPatch pinctrl-pinctrl-single-must-be-initialized-early.patch - -ApplyPatch arm-i.MX6-Utilite-device-dtb.patch - -# -# bugfixes to drivers and filesystems -# - -# ext4 - -# xfs - -# btrfs - -# eCryptfs - -# NFSv4 - -# USB - -# WMI - -# ACPI - -# -# PCI -# - -# -# SCSI Bits. -# +ApplyPatch ARM-dts-Add-am335x-bonegreen.patch -# ACPI +ApplyPatch 0001-watchdog-omap_wdt-fix-null-pointer-dereference.patch -# ALSA +ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch -# Networking +ApplyPatch arm-i.MX6-Utilite-device-dtb.patch -# Misc fixes -# The input layer spews crap no-one cares about. ApplyPatch input-kill-stupid-messages.patch -# stop floppy.ko from autoloading during udev... ApplyPatch die-floppy-die.patch ApplyPatch no-pcspkr-modalias.patch -# Silence some useless messages that still get printed with 'quiet' -ApplyPatch input-silence-i8042-noise.patch - -# Make fbcon not show the penguins with 'quiet' ApplyPatch silence-fbcon-logo.patch -# Changes to upstream defaults. -#rhbz 1126580 ApplyPatch Kbuild-Add-an-option-to-enable-GCC-VTA.patch -# /dev/crash driver. ApplyPatch crash-driver.patch -# crypto/ - -# secure boot ApplyPatch Add-secure_modules-call.patch + ApplyPatch PCI-Lock-down-BAR-access-when-module-security-is-ena.patch + ApplyPatch x86-Lock-down-IO-port-access-when-module-security-is.patch + ApplyPatch ACPI-Limit-access-to-custom_method.patch + ApplyPatch asus-wmi-Restrict-debugfs-interface-when-module-load.patch + ApplyPatch Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch + ApplyPatch acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch + ApplyPatch kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch + ApplyPatch x86-Restrict-MSR-access-when-module-loading-is-restr.patch + ApplyPatch Add-option-to-automatically-enforce-module-signature.patch + ApplyPatch efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch + ApplyPatch efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch + ApplyPatch efi-Add-EFI_SECURE_BOOT-bit.patch + ApplyPatch hibernate-Disable-in-a-signed-modules-environment.patch ApplyPatch Add-EFI-signature-data-types.patch + ApplyPatch Add-an-EFI-signature-blob-parser-and-key-loader.patch + ApplyPatch KEYS-Add-a-system-blacklist-keyring.patch + ApplyPatch MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch + ApplyPatch MODSIGN-Support-not-importing-certs-from-db.patch ApplyPatch Add-sysrq-option-to-disable-secure-boot-mode.patch -# Assorted Virt Fixes - -# DRM core - -# Nouveau DRM - -# Intel DRM ApplyPatch drm-i915-hush-check-crtc-state.patch -# Radeon DRM - -# Patches headed upstream ApplyPatch disable-i8042-check-on-apple-mac.patch ApplyPatch lis3-improve-handling-of-null-rate.patch -# Disable watchdog on virtual machines. ApplyPatch watchdog-Disable-watchdog-on-virtual-machines.patch -#rhbz 754518 ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch -# https://fedoraproject.org/wiki/Features/Checkpoint_Restore ApplyPatch criu-no-expert.patch -#rhbz 892811 ApplyPatch ath9k-rx-dma-stop-check.patch -#CVE-2015-2150 rhbz 1196266 1200397 ApplyPatch xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch -#rhbz 1212230 ApplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch -#rhbz 1133378 ApplyPatch firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch -#rhbz 1226743 ApplyPatch drm-i915-turn-off-wc-mmaps.patch -#rhbz 1212230 -# pplyPatch Input-Revert-Revert-synaptics-use-dmax-in-input_mt_a.patch -# pplyPatch Input-synaptics-allocate-3-slots-to-keep-stability-i.patch -# pplyPatch Input-synaptics-pin-3-touches-when-the-firmware-repo.patch - -#rhbz 1244511 -ApplyPatch HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch - ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch -#rhbz 1239050 -ApplyPatch ideapad-laptop-Add-Lenovo-Yoga-3-14-to-no_hw_rfkill-.patch - -#rhbz 1253789 -ApplyPatch iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch - -#rhbz 1257534 -ApplyPatch nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch - -#rhbz 1257500 -ApplyPatch vmwgfx-Rework-device-initialization.patch -ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch - -ApplyPatch regulator-axp20x-module-alias.patch - -#rhbz 1272172 -ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch -ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch - #CVE-2015-7799 rhbz 1271134 1271135 ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch @@ -1449,11 +1394,6 @@ ApplyPatch netfilter-ipset-Fix-extension-alignment.patch ApplyPatch netfilter-ipset-Fix-hash-type-expiration.patch ApplyPatch netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch -#rhbz 1278688 -ApplyPatch 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch -ApplyPatch 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch -ApplyPatch 0003-KVM-x86-fix-previous-commit-for-32-bit.patch - #rhbz 1284059 ApplyPatch KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch @@ -1469,14 +1409,66 @@ ApplyPatch HID-multitouch-enable-palm-rejection-if-device-imple.patch #rhbz 1286293 ApplyPatch ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch +#rhbz 1288687 +ApplyPatch alua_fix.patch + #CVE-XXXX-XXXX rhbz 1291329 1291332 ApplyPatch ovl-fix-permission-checking-for-setattr.patch #CVE-2015-7550 rhbz 1291197 1291198 ApplyPatch KEYS-Fix-race-between-read-and-revoke.patch -#CVE-2015-8543 rhbz 1290475 1290477 -ApplyPatch net-add-validation-for-the-socket-syscall-protocol-a.patch +ApplyPatch vrf-fix-memory-leak-on-registration.patch + +#CVE-2015-8709 rhbz 1295287 1295288 +ApplyPatch ptrace-being-capable-wrt-a-process-requires-mapped-u.patch + +#atch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch + +#CVE-2015-7513 rhbz 1284847 1296142 +ApplyPatch KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch + +#rhbz 1296677 +ApplyPatch HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch + +#rhbz 1281368 +ApplyPatch drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch + +#rhbz 1296820 +ApplyPatch drm-nouveau-pmu-do-not-assume-a-PMU-is-present.patch + +#rhbz 1083853 +ApplyPatch PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch + +#CVE-2015-7566 rhbz 1296466 1297517 +ApplyPatch usb-serial-visor-fix-crash-on-detecting-device-witho.patch + +#rhbz 1298309 +#atch624: drm-i915-Do-a-better-job-at-disabling-primary-plane-.patch + +#rhbz 1298996 +ApplyPatch block-ensure-to-split-after-potentially-bouncing-a-b.patch + +#rhbz 1298192 +ApplyPatch selinux-fix-bug-in-conditional-rules-handling.patch + +#rhbz 1295272 +ApplyPatch ideapad-laptop-Add-Lenovo-Yoga-700-to-no_hw_rfkill-d.patch + +ApplyPatch i915-stable-backports.patch +ApplyPatch nouveau-stable-backports.patch + +#rhbz 1299810 +ApplyPatch SCSI-refactor-device-matching-code-in-scsi_devinfo.c.patch +ApplyPatch SCSI-fix-bug-in-scsi_dev_info_list-matching.patch + +ApplyPatch btrfs-handle-invalid-num_stripes-in-sys_array.patch +ApplyPatch Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch + +ApplyPatch net_43.mbox + +#CVE-2016-0728 rhbz 1296623 1297475 +ApplyPatch KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch # END OF PATCH APPLICATIONS @@ -1597,11 +1589,9 @@ BuildKernel() { cp configs/$Config .config %if %{signmodules} - cp %{SOURCE11} . + cp %{SOURCE11} certs/. %endif - chmod +x scripts/sign-file - Arch=`head -1 .config | cut -b 3-` echo USING ARCH=$Arch @@ -1837,8 +1827,8 @@ BuildKernel() { %if %{signmodules} # Save the signing keys so we can sign the modules in __modsign_install_post - cp signing_key.priv signing_key.priv.sign${Flav} - cp signing_key.x509 signing_key.x509.sign${Flav} + cp certs/signing_key.pem certs/signing_key.pem.sign${Flav} + cp certs/signing_key.x509 certs/signing_key.x509.sign${Flav} %endif # Move the devel headers out of the root file system @@ -1933,16 +1923,16 @@ popd %define __modsign_install_post \ if [ "%{signmodules}" -eq "1" ]; then \ if [ "%{with_pae}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \ + %{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \ fi \ if [ "%{with_debug}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \ + %{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \ fi \ if [ "%{with_pae_debug}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign+%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \ + %{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \ fi \ if [ "%{with_up}" -ne "0" ]; then \ - %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ + %{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ fi \ fi \ if [ "%{zipmodules}" -eq "1" ]; then \ @@ -2203,6 +2193,7 @@ fi %dir %{_libdir}/traceevent/plugins %{_libdir}/traceevent/plugins/* %dir %{_libexecdir}/perf-core +%{_datadir}/perf-core/* %{_libexecdir}/perf-core/* %{_mandir}/man[1-8]/perf* %{_sysconfdir}/bash_completion.d/perf @@ -2328,6 +2319,33 @@ fi # # %changelog +* Tue Jan 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.3-200 +- Rebase to 4.3.y +- Backport nouveau stable fixes (rhbz 1299349) +- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623 1297475) +- Add currently queued networking stable patches +- Add a couple btrfs patches cc'd to stable upstream +- Add SCSI patches to avoid blacklist false positives (rhbz 1299810) + +* Fri Jan 15 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8767 sctp: DoS during timeout (rhbz 1297389 1298437) + +* Tue Jan 12 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7566 usb: visor: Crash on invalid USB dev descriptors (rhbz 1296466 1297517) +- Fix backtrace from PNP conflict on Broadwell (rhbz 1083853) + +* Thu Jan 07 2016 Josh Boyer <jwboyer@fedorparoject.org> +- CVE-2015-7513 kvm: divide by zero DoS (rhbz 1284847 1296142) + +* Tue Jan 05 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8709 ptrace: potential priv escalation with userns (rhbz 1295287 1295288) + +* Fri Dec 18 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8575 information leak in sco_sock_bind (rhbz 1292840 1292841) + +* Thu Dec 17 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8569 info leak from getsockname (rhbz 1292045 1292047) + * Tue Dec 15 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.8-200 - Linux v4.2.8 diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index cc821411d..a5832ea70 100644 --- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,3 +1,4 @@ +From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module @@ -13,18 +14,18 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index a785c1015e25..81d6b404f33c 100644 +index 4c5edc357923..db431971dbd4 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -36,6 +36,7 @@ - #include <linux/syscore_ops.h> - #include <linux/compiler.h> - #include <linux/hugetlb.h> +@@ -10,6 +10,7 @@ + #include <linux/mm.h> + #include <linux/file.h> + #include <linux/kexec.h> +#include <linux/module.h> - - #include <asm/page.h> - #include <asm/uaccess.h> -@@ -1258,6 +1259,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + #include <linux/mutex.h> + #include <linux/list.h> + #include <linux/syscalls.h> +@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* @@ -38,3 +39,6 @@ index a785c1015e25..81d6b404f33c 100644 * Verify we have a legal set of flags * This leaves us room for future extensions. */ +-- +2.4.3 + diff --git a/mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch b/mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch new file mode 100644 index 000000000..dfedd2ab0 --- /dev/null +++ b/mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch @@ -0,0 +1,28 @@ +From 567a18f57213647e2c31bbdc7f6b8f9991d22fad Mon Sep 17 00:00:00 2001 +From: Peter Robinson <pbrobinson@gmail.com> +Date: Fri, 13 Nov 2015 19:03:29 +0000 +Subject: [PATCH] mfd: wm8994: Ensure that the whole MFD is built into a single + module + +Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> +--- + drivers/mfd/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/Makefile b/drivers/mfd/Makefile +index a59e3fc..4a767ef 100644 +--- a/drivers/mfd/Makefile ++++ b/drivers/mfd/Makefile +@@ -61,7 +61,8 @@ wm8350-objs := wm8350-core.o wm8350-regmap.o wm8350-gpio.o + wm8350-objs += wm8350-irq.o + obj-$(CONFIG_MFD_WM8350) += wm8350.o + obj-$(CONFIG_MFD_WM8350_I2C) += wm8350-i2c.o +-obj-$(CONFIG_MFD_WM8994) += wm8994-core.o wm8994-irq.o wm8994-regmap.o ++wm8994-objs := wm8994-core.o wm8994-irq.o wm8994-regmap.o ++obj-$(CONFIG_MFD_WM8994) += wm8994.o + + obj-$(CONFIG_TPS6105X) += tps6105x.o + obj-$(CONFIG_TPS65010) += tps65010.o +-- +2.5.0 + diff --git a/net_43.mbox b/net_43.mbox new file mode 100644 index 000000000..94e4c71ec --- /dev/null +++ b/net_43.mbox @@ -0,0 +1,2086 @@ +From 14b602561ad208203fb04a8eb3df052ad2c6551a Mon Sep 17 00:00:00 2001 +From: Guillaume Nault <g.nault@alphalink.fr> +Date: Thu, 3 Dec 2015 16:49:32 +0100 +Subject: [PATCH 01/34] pppoe: fix memory corruption in padt work structure + +[ Upstream commit fe53985aaac83d516b38358d4f39921d9942a0e2 ] + +pppoe_connect() mustn't touch the padt_work field of pppoe sockets +because that work could be already pending. + +[ 21.473147] BUG: unable to handle kernel NULL pointer dereference at 00000004 +[ 21.474523] IP: [<c1043177>] process_one_work+0x29/0x31c +[ 21.475164] *pde = 00000000 +[ 21.475513] Oops: 0000 [#1] SMP +[ 21.475910] Modules linked in: pppoe pppox ppp_generic slhc crc32c_intel aesni_intel virtio_net xts aes_i586 lrw gf128mul ablk_helper cryptd evdev acpi_cpufreq processor serio_raw button ext4 crc16 mbcache jbd2 virtio_blk virtio_pci virtio_ring virtio +[ 21.476168] CPU: 2 PID: 164 Comm: kworker/2:2 Not tainted 4.4.0-rc1 #1 +[ 21.476168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 +[ 21.476168] task: f5f83c00 ti: f5e28000 task.ti: f5e28000 +[ 21.476168] EIP: 0060:[<c1043177>] EFLAGS: 00010046 CPU: 2 +[ 21.476168] EIP is at process_one_work+0x29/0x31c +[ 21.484082] EAX: 00000000 EBX: f678b2a0 ECX: 00000004 EDX: 00000000 +[ 21.484082] ESI: f6c69940 EDI: f5e29ef0 EBP: f5e29f0c ESP: f5e29edc +[ 21.484082] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 +[ 21.484082] CR0: 80050033 CR2: 000000a4 CR3: 317ad000 CR4: 00040690 +[ 21.484082] Stack: +[ 21.484082] 00000000 f6c69950 00000000 f6c69940 c0042338 f5e29f0c c1327945 00000000 +[ 21.484082] 00000008 f678b2a0 f6c69940 f678b2b8 f5e29f30 c1043984 f5f83c00 f6c69970 +[ 21.484082] f678b2a0 c10437d3 f6775e80 f678b2a0 c10437d3 f5e29fac c1047059 f5e29f74 +[ 21.484082] Call Trace: +[ 21.484082] [<c1327945>] ? _raw_spin_lock_irq+0x28/0x30 +[ 21.484082] [<c1043984>] worker_thread+0x1b1/0x244 +[ 21.484082] [<c10437d3>] ? rescuer_thread+0x229/0x229 +[ 21.484082] [<c10437d3>] ? rescuer_thread+0x229/0x229 +[ 21.484082] [<c1047059>] kthread+0x8f/0x94 +[ 21.484082] [<c1327a32>] ? _raw_spin_unlock_irq+0x22/0x26 +[ 21.484082] [<c1327ee9>] ret_from_kernel_thread+0x21/0x38 +[ 21.484082] [<c1046fca>] ? kthread_parkme+0x19/0x19 +[ 21.496082] Code: 5d c3 55 89 e5 57 56 53 89 c3 83 ec 24 89 d0 89 55 e0 8d 7d e4 e8 6c d8 ff ff b9 04 00 00 00 89 45 d8 8b 43 24 89 45 dc 8b 45 d8 <8b> 40 04 8b 80 e0 00 00 00 c1 e8 05 24 01 88 45 d7 8b 45 e0 8d +[ 21.496082] EIP: [<c1043177>] process_one_work+0x29/0x31c SS:ESP 0068:f5e29edc +[ 21.496082] CR2: 0000000000000004 +[ 21.496082] ---[ end trace e362cc9cf10dae89 ]--- + +Reported-by: Andrew <nitr0@seti.kr.ua> +Fixes: 287f3a943fef ("pppoe: Use workqueue to die properly when a PADT is received") +Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ppp/pppoe.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 5e0b432..0a37f84 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket *sock, int kern) + sk->sk_family = PF_PPPOX; + sk->sk_protocol = PX_PROTO_OE; + ++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work, ++ pppoe_unbind_sock_work); ++ + return 0; + } + +@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + + lock_sock(sk); + +- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work); +- + error = -EINVAL; + if (sp->sa_protocol != PX_PROTO_OE) + goto end; +@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr, + po->pppoe_dev = NULL; + } + +- memset(sk_pppox(po) + 1, 0, +- sizeof(struct pppox_sock) - sizeof(struct sock)); ++ po->pppoe_ifindex = 0; ++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa)); ++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay)); ++ memset(&po->chan, 0, sizeof(po->chan)); ++ po->next = NULL; ++ po->num = 0; ++ + sk->sk_state = PPPOX_NONE; + } + +-- +2.4.1 + + +From 2d5925b5a6011084d1fac6b8d8625ddbcb7d95a6 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Date: Thu, 3 Dec 2015 17:21:50 +0100 +Subject: [PATCH 02/34] gre6: allow to update all parameters via rtnl + +[ Upstream commit 6a61d4dbf4f54b5683e0f1e58d873cecca7cb977 ] + +Parameters were updated only if the kernel was unable to find the tunnel +with the new parameters, ie only if core pamareters were updated (keys, +addr, link, type). +Now it's possible to update ttl, hoplimit, flowinfo and flags. + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/ip6_gre.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 3c7b931..e5ea177 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[], + return -EEXIST; + } else { + t = nt; +- +- ip6gre_tunnel_unlink(ign, t); +- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); +- ip6gre_tunnel_link(ign, t); +- netdev_state_change(dev); + } + ++ ip6gre_tunnel_unlink(ign, t); ++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]); ++ ip6gre_tunnel_link(ign, t); + return 0; + } + +-- +2.4.1 + + +From 3960bc911e092832dac3f9a42b435d2ec566e412 Mon Sep 17 00:00:00 2001 +From: Pavel Machek <pavel@ucw.cz> +Date: Fri, 4 Dec 2015 09:50:00 +0100 +Subject: [PATCH 03/34] atl1c: Improve driver not to do order 4 GFP_ATOMIC + allocation + +[ Upstream commit f2a3771ae8aca879c32336c76ad05a017629bae2 ] + +atl1c driver is doing order-4 allocation with GFP_ATOMIC +priority. That often breaks networking after resume. Switch to +GFP_KERNEL. Still not ideal, but should be significantly better. + +atl1c_setup_ring_resources() is called from .open() function, and +already uses GFP_KERNEL, so this change is safe. + +Signed-off-by: Pavel Machek <pavel@ucw.cz> +Acked-by: Michal Hocko <mhocko@suse.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +index 2795d6d..8b5988e 100644 +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(struct atl1c_adapter *adapter) + sizeof(struct atl1c_recv_ret_status) * rx_desc_count + + 8 * 4; + +- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size, +- &ring_header->dma); ++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size, ++ &ring_header->dma, GFP_KERNEL); + if (unlikely(!ring_header->desc)) { +- dev_err(&pdev->dev, "pci_alloc_consistend failed\n"); ++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n"); + goto err_nomem; + } +- memset(ring_header->desc, 0, ring_header->size); + /* init TPD ring */ + + tpd_ring[0].dma = roundup(ring_header->dma, 8); +-- +2.4.1 + + +From cf2265157f68424a83d74a70962781c0470d3e83 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> +Date: Fri, 4 Dec 2015 14:15:08 +0100 +Subject: [PATCH 04/34] ipv6: keep existing flags when setting IFA_F_OPTIMISTIC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 9a1ec4612c9bfc94d4185e3459055a37a685e575 ] + +Commit 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") +failed to update the setting of the IFA_F_OPTIMISTIC flag, causing +the IFA_F_STABLE_PRIVACY flag to be lost if IFA_F_OPTIMISTIC is set. + +Cc: Erik Kline <ek@google.com> +Cc: Fernando Gont <fgont@si6networks.com> +Cc: Lorenzo Colitti <lorenzo@google.com> +Cc: YOSHIFUJI Hideaki/吉藤英明 <hideaki.yoshifuji@miraclelinux.com> +Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> +Fixes: 64236f3f3d74 ("ipv6: introduce IFA_F_STABLE_PRIVACY flag") +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/addrconf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 3939dd2..ff873c8 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2453,7 +2453,7 @@ ok: + #ifdef CONFIG_IPV6_OPTIMISTIC_DAD + if (in6_dev->cnf.optimistic_dad && + !net->ipv6.devconf_all->forwarding && sllao) +- addr_flags = IFA_F_OPTIMISTIC; ++ addr_flags |= IFA_F_OPTIMISTIC; + #endif + + /* Do not allow to create too much of autoconfigured +-- +2.4.1 + + +From e37caf36e65b943cb28ce6ce2d7bfb3c406ec277 Mon Sep 17 00:00:00 2001 +From: Jiri Benc <jbenc@redhat.com> +Date: Fri, 4 Dec 2015 13:54:03 +0100 +Subject: [PATCH 05/34] vxlan: fix incorrect RCO bit in VXLAN header + +[ Upstream commit c5fb8caaf91ea6a92920cf24db10cfc94d58de0f ] + +Commit 3511494ce2f3d ("vxlan: Group Policy extension") changed definition of +VXLAN_HF_RCO from 0x00200000 to BIT(24). This is obviously incorrect. It's +also in violation with the RFC draft. + +Fixes: 3511494ce2f3d ("vxlan: Group Policy extension") +Cc: Thomas Graf <tgraf@suug.ch> +Cc: Tom Herbert <therbert@google.com> +Signed-off-by: Jiri Benc <jbenc@redhat.com> +Acked-by: Tom Herbert <tom@herbertland.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/net/vxlan.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/vxlan.h b/include/net/vxlan.h +index 480a319..f4a4972 100644 +--- a/include/net/vxlan.h ++++ b/include/net/vxlan.h +@@ -79,7 +79,7 @@ struct vxlanhdr { + }; + + /* VXLAN header flags. */ +-#define VXLAN_HF_RCO BIT(24) ++#define VXLAN_HF_RCO BIT(21) + #define VXLAN_HF_VNI BIT(27) + #define VXLAN_HF_GBP BIT(31) + +-- +2.4.1 + + +From f7804be938a80839063eae490106d196281c763b Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Date: Fri, 4 Dec 2015 15:14:03 -0200 +Subject: [PATCH 06/34] sctp: use the same clock as if sock source timestamps + were on + +[ Upstream commit cb5e173ed7c03a0d4630ce68a95a186cce3cc872 ] + +SCTP echoes a cookie o INIT ACK chunks that contains a timestamp, for +detecting stale cookies. This cookie is echoed back to the server by the +client and then that timestamp is checked. + +Thing is, if the listening socket is using packet timestamping, the +cookie is encoded with ktime_get() value and checked against +ktime_get_real(), as done by __net_timestamp(). + +The fix is to sctp also use ktime_get_real(), so we can compare bananas +with bananas later no matter if packet timestamping was enabled or not. + +Fixes: 52db882f3fc2 ("net: sctp: migrate cookie life from timeval to ktime") +Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Acked-by: Vlad Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/sctp/sm_make_chunk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 7954c52..8d67d72 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep, + + /* Set an expiration time for the cookie. */ + cookie->c.expiration = ktime_add(asoc->cookie_life, +- ktime_get()); ++ ktime_get_real()); + + /* Copy the peer's init packet. */ + memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr, +@@ -1780,7 +1780,7 @@ no_hmac: + if (sock_flag(ep->base.sk, SOCK_TIMESTAMP)) + kt = skb_get_ktime(skb); + else +- kt = ktime_get(); ++ kt = ktime_get_real(); + + if (!asoc && ktime_before(bear_cookie->expiration, kt)) { + /* +-- +2.4.1 + + +From 46ad18aad09a087729289c5e5f57c86d1aab8d56 Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Date: Fri, 4 Dec 2015 15:14:04 -0200 +Subject: [PATCH 07/34] sctp: update the netstamp_needed counter when copying + sockets + +[ Upstream commit 01ce63c90170283a9855d1db4fe81934dddce648 ] + +Dmitry Vyukov reported that SCTP was triggering a WARN on socket destroy +related to disabling sock timestamp. + +When SCTP accepts an association or peel one off, it copies sock flags +but forgot to call net_enable_timestamp() if a packet timestamping flag +was copied, leading to extra calls to net_disable_timestamp() whenever +such clones were closed. + +The fix is to call net_enable_timestamp() whenever we copy a sock with +that flag on, like tcp does. + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Acked-by: Vlad Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/net/sock.h | 2 ++ + net/core/sock.c | 2 -- + net/sctp/socket.c | 3 +++ + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index e237170..492855d 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -724,6 +724,8 @@ enum sock_flags { + SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */ + }; + ++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) ++ + static inline void sock_copy_flags(struct sock *nsk, struct sock *osk) + { + nsk->sk_flags = osk->sk_flags; +diff --git a/net/core/sock.c b/net/core/sock.c +index 3307c02..d7a7fc5 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(const char *name) + } + } + +-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE)) +- + static void sock_disable_timestamp(struct sock *sk, unsigned long flags) + { + if (sk->sk_flags & flags) { +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 3ec88be..f19a67c 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7195,6 +7195,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newinet->mc_ttl = 1; + newinet->mc_index = 0; + newinet->mc_list = NULL; ++ ++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP) ++ net_enable_timestamp(); + } + + static inline void sctp_copy_descendant(struct sock *sk_to, +-- +2.4.1 + + +From 0081745cc115ec4147644b9ed464efc1bff5846e Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Date: Fri, 4 Dec 2015 15:14:05 -0200 +Subject: [PATCH 08/34] sctp: also copy sk_tsflags when copying the socket + +[ Upstream commit 50a5ffb1ef535e3c6989711c51b5d61b543a3b45 ] + +As we are keeping timestamps on when copying the socket, we also have to +copy sk_tsflags. + +This is needed since b9f40e21ef42 ("net-timestamp: move timestamp flags +out of sk_flags"). + +Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Acked-by: Vlad Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/sctp/socket.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index f19a67c..84b1b50 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk, + newsk->sk_type = sk->sk_type; + newsk->sk_bound_dev_if = sk->sk_bound_dev_if; + newsk->sk_flags = sk->sk_flags; ++ newsk->sk_tsflags = sk->sk_tsflags; + newsk->sk_no_check_tx = sk->sk_no_check_tx; + newsk->sk_no_check_rx = sk->sk_no_check_rx; + newsk->sk_reuse = sk->sk_reuse; +-- +2.4.1 + + +From f1cf5767d87c24f3e9c7a780651230cc34485c39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> +Date: Sat, 5 Dec 2015 13:01:50 +0100 +Subject: [PATCH 09/34] net: cdc_mbim: add "NDP to end" quirk for Huawei E3372 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f8c0cfa5eca902d388c0b57c7ca29a1ff2e6d8c6 ] + +The Huawei E3372 (12d1:157d) needs this quirk in MBIM mode +as well. Allow this by forcing the NTB to contain only a +single NDP, and add a device specific entry for this ID. + +Due to the way Huawei use device IDs, this might be applied +to other modems as well. It is assumed that those modems +will be based on the same firmware and will need this quirk +too. If not, it will still not harm normal usage, although +multiplexing performance could be impacted. + +Cc: Enrico Mioso <mrkiko.rs@gmail.com> +Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com> +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Acked-By: Enrico Mioso <mrkiko.rs@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/usb/cdc_mbim.c | 26 +++++++++++++++++++++++++- + drivers/net/usb/cdc_ncm.c | 10 +++++++++- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index efc18e0..b6ea6ff 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet *dev, struct usb_interface *intf) + if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting)) + goto err; + +- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0); ++ ret = cdc_ncm_bind_common(dev, intf, data_altsetting, dev->driver_info->data); + if (ret) + goto err; + +@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim_info_zlp = { + .tx_fixup = cdc_mbim_tx_fixup, + }; + ++/* The spefication explicitly allows NDPs to be placed anywhere in the ++ * frame, but some devices fail unless the NDP is placed after the IP ++ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this ++ * behaviour. ++ * ++ * Note: The current implementation of this feature restricts each NTB ++ * to a single NDP, implying that multiplexed sessions cannot share an ++ * NTB. This might affect performace for multiplexed sessions. ++ */ ++static const struct driver_info cdc_mbim_info_ndp_to_end = { ++ .description = "CDC MBIM", ++ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN, ++ .bind = cdc_mbim_bind, ++ .unbind = cdc_mbim_unbind, ++ .manage_power = cdc_mbim_manage_power, ++ .rx_fixup = cdc_mbim_rx_fixup, ++ .tx_fixup = cdc_mbim_tx_fixup, ++ .data = CDC_NCM_FLAG_NDP_TO_END, ++}; ++ + static const struct usb_device_id mbim_devs[] = { + /* This duplicate NCM entry is intentional. MBIM devices can + * be disguised as NCM by default, and this is necessary to +@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_devs[] = { + { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info, + }, ++ /* Huawei E3372 fails unless NDP comes after the IP packets */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end, ++ }, + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index db40175..fa41a6d 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp(struct cdc_ncm_ctx *ctx, struct sk_ + * NTH16 header as we would normally do. NDP isn't written to the SKB yet, and + * the wNdpIndex field in the header is actually not consistent with reality. It will be later. + */ +- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) ++ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) { + if (ctx->delayed_ndp16->dwSignature == sign) + return ctx->delayed_ndp16; + ++ /* We can only push a single NDP to the end. Return ++ * NULL to send what we've already got and queue this ++ * skb for later. ++ */ ++ else if (ctx->delayed_ndp16->dwSignature) ++ return NULL; ++ } ++ + /* follow the chain of NDPs, looking for a match */ + while (ndpoffset) { + ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset); +-- +2.4.1 + + +From 9ae2d6c090172e8f1782af19b10679f15bd42350 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren <stefan.wahren@i2se.com> +Date: Fri, 4 Dec 2015 16:29:10 +0100 +Subject: [PATCH 10/34] net: qca_spi: fix transmit queue timeout handling + +[ Upstream commit ed7d42e24effbd3681e909711a7a2119a85e9217 ] + +In case of a tx queue timeout every transmit is blocked until the +QCA7000 resets himself and triggers a sync which makes the driver +flushs the tx ring. So avoid this blocking situation by triggering +the sync immediately after the timeout. Waking the queue doesn't +make sense in this situation. + +Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com> +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 2f87909..60ccc29 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev) + netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n", + jiffies, jiffies - dev->trans_start); + qca->net_dev->stats.tx_errors++; +- /* wake the queue if there is room */ +- if (qcaspi_tx_ring_has_space(&qca->txr)) +- netif_wake_queue(dev); ++ /* Trigger tx queue flush and QCA7000 reset */ ++ qca->sync = QCASPI_SYNC_UNKNOWN; + } + + static int +-- +2.4.1 + + +From 43979766bb4c6f2e2c549793e0e659b22fb3c6de Mon Sep 17 00:00:00 2001 +From: Peter Wu <peter@lekensteyn.nl> +Date: Tue, 8 Dec 2015 12:17:42 +0100 +Subject: [PATCH 11/34] r8152: fix lockup when runtime PM is enabled + +[ Upstream commit 90186af404ada5a47b875bf3c16d0b02bb023ea0 ] + +When an interface is brought up which was previously suspended (via +runtime PM), it would hang. This happens because napi_disable is called +before napi_enable. + +Solve this by avoiding napi_enable in the resume during open function +(netif_running is true when open is called, IFF_UP is set after a +successful open; netif_running is false when close is called, but IFF_UP +is then still set). + +While at it, remove WORK_ENABLE check from rtl8152_open (introduced with +the original change) because it cannot happen: + + - After this patch, runtime resume will not set it during rtl8152_open. + - When link is up, rtl8152_open is not called. + - When link is down during system/auto suspend/resume, it is not set. + +Fixes: 41cec84cf285 ("r8152: don't enable napi before rx ready") +Link: https://lkml.kernel.org/r/20151205105912.GA1766@al +Signed-off-by: Peter Wu <peter@lekensteyn.nl> +Acked-by: Hayes Wang <hayeswang@realtek.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/usb/r8152.c | 21 +++------------------ + 1 file changed, 3 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index d9427ca..2e32c41 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_device *netdev) + + mutex_lock(&tp->control); + +- /* The WORK_ENABLE may be set when autoresume occurs */ +- if (test_bit(WORK_ENABLE, &tp->flags)) { +- clear_bit(WORK_ENABLE, &tp->flags); +- usb_kill_urb(tp->intr_urb); +- cancel_delayed_work_sync(&tp->schedule); +- +- /* disable the tx/rx, if the workqueue has enabled them. */ +- if (netif_carrier_ok(netdev)) +- tp->rtl_ops.disable(tp); +- } +- + tp->rtl_ops.up(tp); + + rtl8152_set_speed(tp, AUTONEG_ENABLE, +@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_device *netdev) + } else { + mutex_lock(&tp->control); + +- /* The autosuspend may have been enabled and wouldn't +- * be disable when autoresume occurs, because the +- * netif_running() would be false. +- */ +- rtl_runtime_suspend_enable(tp, false); +- + tp->rtl_ops.down(tp); + + mutex_unlock(&tp->control); +@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_interface *intf) + netif_device_attach(tp->netdev); + } + +- if (netif_running(tp->netdev)) { ++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) { + if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { + rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); +@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_interface *intf) + } + usb_submit_urb(tp->intr_urb, GFP_KERNEL); + } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) { ++ if (tp->netdev->flags & IFF_UP) ++ rtl_runtime_suspend_enable(tp, false); + clear_bit(SELECTIVE_SUSPEND, &tp->flags); + } + +-- +2.4.1 + + +From bc386e51daba6547cb14ac06baf1f56c9274abde Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 9 Dec 2015 07:25:06 -0800 +Subject: [PATCH 12/34] ipv6: sctp: clone options to avoid use after free + +[ Upstream commit 9470e24f35ab81574da54e69df90c1eb4a96b43f ] + +SCTP is lacking proper np->opt cloning at accept() time. + +TCP and DCCP use ipv6_dup_options() helper, do the same +in SCTP. + +We might later factorize this code in a common helper to avoid +future mistakes. + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Acked-by: Vlad Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/sctp/ipv6.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index e917d27..40677cf 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + struct sock *newsk; + struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct sctp6_sock *newsctp6sk; ++ struct ipv6_txoptions *opt; + + newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0); + if (!newsk) +@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); + ++ rcu_read_lock(); ++ opt = rcu_dereference(np->opt); ++ if (opt) ++ opt = ipv6_dup_options(newsk, opt); ++ RCU_INIT_POINTER(newnp->opt, opt); ++ rcu_read_unlock(); ++ + /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname() + * and getpeername(). + */ +-- +2.4.1 + + +From 15287a6a3cbca306a66640e371b2684e50a22565 Mon Sep 17 00:00:00 2001 +From: Andrew Lunn <andrew@lunn.ch> +Date: Wed, 9 Dec 2015 19:56:31 +0100 +Subject: [PATCH 13/34] phy: micrel: Fix finding PHY properties in MAC node. + +[ Upstream commit 651df2183543bc92f5dbcf99cd9e236ead0bc4c5 ] + +commit 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, +not the bus' parent.") changed the parenting of PHY devices, making +them a child of the MDIO bus, instead of the MAC device. This broken +the Micrel PHY driver which has a deprecated feature of allowing PHY +properties to be placed into the MAC node. + +In order to find the MAC node, we need to walk up the tree of devices +until we find one with an OF node attached. + +Reported-by: Dinh Nguyen <dinguyen@opensource.altera.com> +Suggested-by: David Daney <david.daney@cavium.com> +Acked-by: David Daney <david.daney@cavium.com> +Fixes: 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, not the bus' parent.") +Signed-off-by: Andrew Lunn <andrew@lunn.ch> +Tested-by: Dinh Nguyen <dinguyen@opensource.altera.com> +Acked-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/phy/micrel.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index cf6312f..e13ad6c 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct phy_device *phydev) + { + const struct device *dev = &phydev->dev; + const struct device_node *of_node = dev->of_node; ++ const struct device *dev_walker; + +- if (!of_node && dev->parent->of_node) +- of_node = dev->parent->of_node; ++ /* The Micrel driver has a deprecated option to place phy OF ++ * properties in the MAC node. Walk up the tree of devices to ++ * find a device with an OF node. ++ */ ++ dev_walker = &phydev->dev; ++ do { ++ of_node = dev_walker->of_node; ++ dev_walker = dev_walker->parent; ++ ++ } while (!of_node && dev_walker); + + if (of_node) { + ksz9021_load_values_from_of(phydev, of_node, +-- +2.4.1 + + +From 73e71dcb1df404661314ec7cb9aa27d209407d70 Mon Sep 17 00:00:00 2001 +From: Joe Stringer <joe@ovn.org> +Date: Wed, 9 Dec 2015 14:07:39 -0800 +Subject: [PATCH 14/34] openvswitch: Fix helper reference leak + +[ Upstream commit 2f3ab9f9fc23811188b9d07d86e4d99ffee887f4 ] + +If the actions (re)allocation fails, or the actions list is larger than the +maximum size, and the conntrack action is the last action when these +problems are hit, then references to helper modules may be leaked. Fix +the issue. + +Fixes: cae3a2627520 ("openvswitch: Allow attaching helpers to ct action") +Signed-off-by: Joe Stringer <joe@ovn.org> +Acked-by: Pravin B Shelar <pshelar@nicira.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/openvswitch/conntrack.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index 5009582..a808b0f 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -53,6 +53,8 @@ struct ovs_conntrack_info { + struct md_labels labels; + }; + ++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info); ++ + static u16 key_to_nfproto(const struct sw_flow_key *key) + { + switch (ntohs(key->eth.type)) { +@@ -708,7 +710,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr, + nf_conntrack_get(&ct_info.ct->ct_general); + return 0; + err_free_ct: +- nf_conntrack_free(ct_info.ct); ++ __ovs_ct_free_action(&ct_info); + return err; + } + +@@ -750,6 +752,11 @@ void ovs_ct_free_action(const struct nlattr *a) + { + struct ovs_conntrack_info *ct_info = nla_data(a); + ++ __ovs_ct_free_action(ct_info); ++} ++ ++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) ++{ + if (ct_info->helper) + module_put(ct_info->helper->me); + if (ct_info->ct) +-- +2.4.1 + + +From 7539fb022a74bb9b69fe5ad9125b899b83001a6d Mon Sep 17 00:00:00 2001 +From: Joe Stringer <joe@ovn.org> +Date: Wed, 9 Dec 2015 14:07:40 -0800 +Subject: [PATCH 15/34] openvswitch: Respect conntrack zone even if invalid + +[ Upstream commit d110986c5ddb1caf576e8576044c0c831e3e7fa4 ] + +If userspace executes ct(zone=1), and the connection tracker determines +that the packet is invalid, then the ct_zone flow key field is populated +with the default zone rather than the zone that was specified. Even +though connection tracking failed, this field should be updated with the +value that the action specified. Fix the issue. + +Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") +Signed-off-by: Joe Stringer <joe@ovn.org> +Acked-by: Pravin B Shelar <pshelar@nicira.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/openvswitch/conntrack.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c +index a808b0f..cad8c4b 100644 +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -143,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state, + * previously sent the packet to conntrack via the ct action. + */ + static void ovs_ct_update_key(const struct sk_buff *skb, ++ const struct ovs_conntrack_info *info, + struct sw_flow_key *key, bool post_ct) + { + const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; +@@ -160,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb, + zone = nf_ct_zone(ct); + } else if (post_ct) { + state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID; ++ if (info) ++ zone = &info->zone; + } + __ovs_ct_update_key(key, state, zone, ct); + } + + void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) + { +- ovs_ct_update_key(skb, key, false); ++ ovs_ct_update_key(skb, NULL, key, false); + } + + int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb) +@@ -420,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, + } + } + +- ovs_ct_update_key(skb, key, true); ++ ovs_ct_update_key(skb, info, key, true); + + return 0; + } +-- +2.4.1 + + +From 9226d3bc36e0da4f99f5fe9138f46e34b631fda8 Mon Sep 17 00:00:00 2001 +From: stephen hemminger <stephen@networkplumber.org> +Date: Thu, 10 Dec 2015 09:14:20 -0800 +Subject: [PATCH 16/34] uapi: export ila.h + +[ Upstream commit f7fc6bc414121954c45c5f18b70e2a8717d0d5b4 ] + +The file ila.h used for lightweight tunnels is being used by iproute2 +but is not exported yet. + +Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/uapi/linux/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild +index f7b2db4..7fc5733 100644 +--- a/include/uapi/linux/Kbuild ++++ b/include/uapi/linux/Kbuild +@@ -186,6 +186,7 @@ header-y += if_tunnel.h + header-y += if_vlan.h + header-y += if_x25.h + header-y += igmp.h ++header-y += ila.h + header-y += in6.h + header-y += inet_diag.h + header-y += in.h +-- +2.4.1 + + +From 204ce70323cdcff523324a2dd02f3a4fa2c01754 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa <hannes@stressinduktion.org> +Date: Mon, 14 Dec 2015 22:03:39 +0100 +Subject: [PATCH 17/34] net: add validation for the socket syscall protocol + argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ] + +郭永刚 reported that one could simply crash the kernel as root by +using a simple program: + + int socket_fd; + struct sockaddr_in addr; + addr.sin_port = 0; + addr.sin_addr.s_addr = INADDR_ANY; + addr.sin_family = 10; + + socket_fd = socket(10,3,0x40000000); + connect(socket_fd , &addr,16); + +AF_INET, AF_INET6 sockets actually only support 8-bit protocol +identifiers. inet_sock's skc_protocol field thus is sized accordingly, +thus larger protocol identifiers simply cut off the higher bits and +store a zero in the protocol fields. + +This could lead to e.g. NULL function pointer because as a result of +the cut off inet_num is zero and we call down to inet_autobind, which +is NULL for raw sockets. + +kernel: Call Trace: +kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70 +kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80 +kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110 +kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80 +kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200 +kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10 +kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89 + +I found no particular commit which introduced this problem. + +CVE: CVE-2015-8543 +Cc: Cong Wang <cwang@twopensource.com> +Reported-by: 郭永刚 <guoyonggang@360.cn> +Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/net/sock.h | 1 + + net/ax25/af_ax25.c | 3 +++ + net/decnet/af_decnet.c | 3 +++ + net/ipv4/af_inet.c | 3 +++ + net/ipv6/af_inet6.c | 3 +++ + net/irda/af_irda.c | 3 +++ + 6 files changed, 16 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 492855d..7ae032e 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -387,6 +387,7 @@ struct sock { + sk_no_check_rx : 1, + sk_userlocks : 4, + sk_protocol : 8, ++#define SK_PROTOCOL_MAX U8_MAX + sk_type : 16; + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index ae3a47f..fbd0acf 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + ax25_cb *ax25; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index 675cf94..6feddca 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, + { + struct sock *sk; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 1d0c3ad..4b16cf3 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -261,6 +261,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 38d66dd..df095ee 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index fae6822..25f63a8 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + struct irda_sock *self; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (net != &init_net) + return -EAFNOSUPPORT; + +-- +2.4.1 + + +From 3b1d8cc00ea00bb6451a2db42b98179e109ac291 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> +Date: Fri, 4 Dec 2015 01:45:40 +0300 +Subject: [PATCH 18/34] sh_eth: fix kernel oops in skb_put() + +[ Upstream commit 248be83dcb3feb3f6332eb3d010a016402138484 ] + +In a low memory situation the following kernel oops occurs: + +Unable to handle kernel NULL pointer dereference at virtual address 00000050 +pgd = 8490c000 +[00000050] *pgd=4651e831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +Modules linked in: +CPU: 0 Not tainted (3.4-at16 #9) +PC is at skb_put+0x10/0x98 +LR is at sh_eth_poll+0x2c8/0xa10 +pc : [<8035f780>] lr : [<8028bf50>] psr: 60000113 +sp : 84eb1a90 ip : 84eb1ac8 fp : 84eb1ac4 +r10: 0000003f r9 : 000005ea r8 : 00000000 +r7 : 00000000 r6 : 940453b0 r5 : 00030000 r4 : 9381b180 +r3 : 00000000 r2 : 00000000 r1 : 000005ea r0 : 00000000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c53c7d Table: 4248c059 DAC: 00000015 +Process klogd (pid: 2046, stack limit = 0x84eb02e8) +[...] + +This is because netdev_alloc_skb() fails and 'mdp->rx_skbuff[entry]' is left +NULL but sh_eth_rx() later uses it without checking. Add such check... + +Reported-by: Yasushi SHOJI <yashi@atmark-techno.com> +Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index a484d8b..f3cbf90c 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + if (mdp->cd->shift_rd0) + desc_status >>= 16; + ++ skb = mdp->rx_skbuff[entry]; + if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 | + RD_RFS5 | RD_RFS6 | RD_RFS10)) { + ndev->stats.rx_errors++; +@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32 intr_status, int *quota) + ndev->stats.rx_missed_errors++; + if (desc_status & RD_RFS10) + ndev->stats.rx_over_errors++; +- } else { ++ } else if (skb) { + if (!mdp->cd->hw_swap) + sh_eth_soft_swap( + phys_to_virt(ALIGN(rxdesc->addr, 4)), + pkt_len + 2); +- skb = mdp->rx_skbuff[entry]; + mdp->rx_skbuff[entry] = NULL; + if (mdp->cd->rpadir) + skb_reserve(skb, NET_IP_ALIGN); +-- +2.4.1 + + +From 864f5d3880ba7e9e3d11f8ba725f29b7f45ae508 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 14 Dec 2015 14:08:53 -0800 +Subject: [PATCH 19/34] net: fix IP early demux races + +[ Upstream commit 5037e9ef9454917b047f9f3a19b4dd179fbf7cd4 ] + +David Wilder reported crashes caused by dst reuse. + +<quote David> + I am seeing a crash on a distro V4.2.3 kernel caused by a double + release of a dst_entry. In ipv4_dst_destroy() the call to + list_empty() finds a poisoned next pointer, indicating the dst_entry + has already been removed from the list and freed. The crash occurs + 18 to 24 hours into a run of a network stress exerciser. +</quote> + +Thanks to his detailed report and analysis, we were able to understand +the core issue. + +IP early demux can associate a dst to skb, after a lookup in TCP/UDP +sockets. + +When socket cache is not properly set, we want to store into +sk->sk_dst_cache the dst for future IP early demux lookups, +by acquiring a stable refcount on the dst. + +Problem is this acquisition is simply using an atomic_inc(), +which works well, unless the dst was queued for destruction from +dst_release() noticing dst refcount went to zero, if DST_NOCACHE +was set on dst. + +We need to make sure current refcount is not zero before incrementing +it, or risk double free as David reported. + +This patch, being a stable candidate, adds two new helpers, and use +them only from IP early demux problematic paths. + +It might be possible to merge in net-next skb_dst_force() and +skb_dst_force_safe(), but I prefer having the smallest patch for stable +kernels : Maybe some skb_dst_force() callers do not expect skb->dst +can suddenly be cleared. + +Can probably be backported back to linux-3.6 kernels + +Reported-by: David J. Wilder <dwilder@us.ibm.com> +Tested-by: David J. Wilder <dwilder@us.ibm.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/net/dst.h | 33 +++++++++++++++++++++++++++++++++ + include/net/sock.h | 2 +- + net/ipv4/tcp_ipv4.c | 5 ++--- + net/ipv6/tcp_ipv6.c | 3 +-- + 4 files changed, 37 insertions(+), 6 deletions(-) + +diff --git a/include/net/dst.h b/include/net/dst.h +index 9261d92..e7fa2e2 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb) + } + } + ++/** ++ * dst_hold_safe - Take a reference on a dst if possible ++ * @dst: pointer to dst entry ++ * ++ * This helper returns false if it could not safely ++ * take a reference on a dst. ++ */ ++static inline bool dst_hold_safe(struct dst_entry *dst) ++{ ++ if (dst->flags & DST_NOCACHE) ++ return atomic_inc_not_zero(&dst->__refcnt); ++ dst_hold(dst); ++ return true; ++} ++ ++/** ++ * skb_dst_force_safe - makes sure skb dst is refcounted ++ * @skb: buffer ++ * ++ * If dst is not yet refcounted and not destroyed, grab a ref on it. ++ */ ++static inline void skb_dst_force_safe(struct sk_buff *skb) ++{ ++ if (skb_dst_is_noref(skb)) { ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (!dst_hold_safe(dst)) ++ dst = NULL; ++ ++ skb->_skb_refdst = (unsigned long)dst; ++ } ++} ++ + + /** + * __skb_tunnel_rx - prepare skb for rx reinsert +diff --git a/include/net/sock.h b/include/net/sock.h +index 7ae032e..bca709a 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -801,7 +801,7 @@ void sk_stream_write_space(struct sock *sk); + static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) + { + /* dont let skb dst not refcounted, we are going to leave rcu lock */ +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + if (!sk->sk_backlog.tail) + sk->sk_backlog.head = skb; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index a7739c8..d77be28 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb) + if (likely(sk->sk_rx_dst)) + skb_dst_drop(skb); + else +- skb_dst_force(skb); ++ skb_dst_force_safe(skb); + + __skb_queue_tail(&tp->ucopy.prequeue, skb); + tp->ucopy.memory += skb->truesize; +@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { +- dst_hold(dst); ++ if (dst && dst_hold_safe(dst)) { + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + } +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 9e9b77b..8935dc1 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); + +- if (dst) { ++ if (dst && dst_hold_safe(dst)) { + const struct rt6_info *rt = (const struct rt6_info *)dst; + +- dst_hold(dst); + sk->sk_rx_dst = dst; + inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; + inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt); +-- +2.4.1 + + +From 68743b8922086a882bf9ea135221a3a2229ca6be Mon Sep 17 00:00:00 2001 +From: WANG Cong <xiyou.wangcong@gmail.com> +Date: Mon, 14 Dec 2015 13:48:36 -0800 +Subject: [PATCH 20/34] pptp: verify sockaddr_len in pptp_bind() and + pptp_connect() + +[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ] + +Reported-by: Dmitry Vyukov <dvyukov@gmail.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ppp/pptp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index 686f37d..b910cae 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, + struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + lock_sock(sk); + + opt->src_addr = sp->sa_addr.pptp; +@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + struct flowi4 fl4; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + if (sp->sa_protocol != PX_PROTO_PPTP) + return -EINVAL; + +-- +2.4.1 + + +From a745f3ea43700db573910f2231d87a0d0f82e03b Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich <vyasevich@gmail.com> +Date: Mon, 16 Nov 2015 15:43:44 -0500 +Subject: [PATCH 21/34] vlan: Fix untag operations of stacked vlans with + REORDER_HEADER off + +[ Upstream commit a6e18ff111701b4ff6947605bfbe9594ec42a6e8 ] + +When we have multiple stacked vlan devices all of which have +turned off REORDER_HEADER flag, the untag operation does not +locate the ethernet addresses correctly for nested vlans. +The reason is that in case of REORDER_HEADER flag being off, +the outer vlan headers are put back and the mac_len is adjusted +to account for the presense of the header. Then, the subsequent +untag operation, for the next level vlan, always use VLAN_ETH_HLEN +to locate the begining of the ethernet header and that ends up +being a multiple of 4 bytes short of the actuall beginning +of the mac header (the multiple depending on the how many vlan +encapsulations ethere are). + +As a reslult, if there are multiple levles of vlan devices +with REODER_HEADER being off, the recevied packets end up +being dropped. + +To solve this, we use skb->mac_len as the offset. The value +is always set on receive path and starts out as a ETH_HLEN. +The value is also updated when the vlan header manupations occur +so we know it will be correct. + +Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/core/skbuff.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index fab4599..160193f 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4268,7 +4268,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN); ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, ++ 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; + } +-- +2.4.1 + + +From 3555f4b7a44fb052205049353ebf858291ae722d Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich <vyasevich@gmail.com> +Date: Mon, 14 Dec 2015 17:44:10 -0500 +Subject: [PATCH 22/34] skbuff: Fix offset error in skb_reorder_vlan_header + +[ Upstream commit f654861569872d10dcb79d9d7ca219b316f94ff0 ] + +skb_reorder_vlan_header is called after the vlan header has +been pulled. As a result the offset of the begining of +the mac header has been incrased by 4 bytes (VLAN_HLEN). +When moving the mac addresses, include this incrase in +the offset calcualation so that the mac addresses are +copied correctly. + +Fixes: a6e18ff1117 (vlan: Fix untag operations of stacked vlans with REORDER_HEADER off) +CC: Nicolas Dichtel <nicolas.dichtel@6wind.com> +CC: Patrick McHardy <kaber@trash.net> +Signed-off-by: Vladislav Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 160193f..1883d28 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4268,7 +4268,7 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len, ++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, + 2 * ETH_ALEN); + skb->mac_header += VLAN_HLEN; + return skb; +-- +2.4.1 + + +From ed74e375974b73498576c5e5305f0e1c0445e4f9 Mon Sep 17 00:00:00 2001 +From: WANG Cong <xiyou.wangcong@gmail.com> +Date: Wed, 16 Dec 2015 23:39:04 -0800 +Subject: [PATCH 23/34] net: check both type and procotol for tcp sockets + +[ Upstream commit ac5cc977991d2dce85fc734a6c71ddb33f6fe3c1 ] + +Dmitry reported the following out-of-bound access: + +Call Trace: + [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40 +mm/kasan/report.c:294 + [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880 + [< inline >] SYSC_setsockopt net/socket.c:1746 + [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729 + [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a +arch/x86/entry/entry_64.S:185 + +This is because we mistake a raw socket as a tcp socket. +We should check both sk->sk_type and sk->sk_protocol to ensure +it is a tcp socket. + +Willem points out __skb_complete_tx_timestamp() needs to fix as well. + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> +Cc: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Acked-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/core/skbuff.c | 3 ++- + net/core/sock.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 1883d28..1c1f87c 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, + serr->ee.ee_info = tstype; + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { + serr->ee.ee_data = skb_shinfo(skb)->tskey; +- if (sk->sk_protocol == IPPROTO_TCP) ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) + serr->ee.ee_data -= sk->sk_tskey; + } + +diff --git a/net/core/sock.c b/net/core/sock.c +index d7a7fc5..dbbda99 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -860,7 +860,8 @@ set_rcvbuf: + + if (val & SOF_TIMESTAMPING_OPT_ID && + !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { +- if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_protocol == IPPROTO_TCP && ++ sk->sk_type == SOCK_STREAM) { + if (sk->sk_state != TCP_ESTABLISHED) { + ret = -EINVAL; + break; +-- +2.4.1 + + +From b5b6dd8ecd8cbbc029b0eaf3acc077c61d2a5611 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 15 Dec 2015 09:43:12 -0800 +Subject: [PATCH 24/34] net_sched: make qdisc_tree_decrease_qlen() work for non + mq + +[ Upstream commit 225734de70cd0a9e0b978f3583a4a87939271d5e ] + +Stas Nichiporovich reported a regression in his HFSC qdisc setup +on a non multi queue device. + +It turns out I mistakenly added a TCQ_F_NOPARENT flag on all qdisc +allocated in qdisc_create() for non multi queue devices, which was +rather buggy. I was clearly mislead by the TCQ_F_ONETXQUEUE that is +also set here for no good reason, since it only matters for the root +qdisc. + +Fixes: 4eaf3b84f288 ("net_sched: fix qdisc_tree_decrease_qlen() races") +Reported-by: Stas Nichiporovich <stasn77@gmail.com> +Tested-by: Stas Nichiporovich <stasn77@gmail.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 7ec667d..b5c2cf2 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue, + } + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock); + if (!netif_is_multiqueue(dev)) +- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT; ++ sch->flags |= TCQ_F_ONETXQUEUE; + } + + sch->handle = handle; +-- +2.4.1 + + +From a7ace68f6ce8e50a6c828595e1672c037f40c36a Mon Sep 17 00:00:00 2001 +From: "David S. Miller" <davem@davemloft.net> +Date: Tue, 15 Dec 2015 15:39:08 -0500 +Subject: [PATCH 25/34] bluetooth: Validate socket address length in + sco_sock_bind(). + +[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ] + +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/bluetooth/sco.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index f315c8d..15cb6c5 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le + if (!addr || addr->sa_family != AF_BLUETOOTH) + return -EINVAL; + ++ if (addr_len < sizeof(struct sockaddr_sco)) ++ return -EINVAL; ++ + lock_sock(sk); + + if (sk->sk_state != BT_OPEN) { +-- +2.4.1 + + +From 0d4975246467f450ce902e9dc442d647eb7ad516 Mon Sep 17 00:00:00 2001 +From: "tadeusz.struk@intel.com" <tadeusz.struk@intel.com> +Date: Tue, 15 Dec 2015 10:46:17 -0800 +Subject: [PATCH 26/34] net: fix uninitialized variable issue + +[ Upstream commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b ] + +msg_iocb needs to be initialized on the recv/recvfrom path. +Otherwise afalg will wrongly interpret it as an async call. + +Cc: stable@vger.kernel.org +Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com> +Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/socket.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/socket.c b/net/socket.c +index 9963a0b..f3fbe17 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + msg.msg_name = addr ? (struct sockaddr *)&address : NULL; + /* We assume all kernel code knows the size of sockaddr_storage */ + msg.msg_namelen = 0; ++ msg.msg_iocb = NULL; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags); +-- +2.4.1 + + +From 055a98ed38bb76ad811feec778f287e47d20bf41 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa <hannes@stressinduktion.org> +Date: Tue, 15 Dec 2015 22:59:12 +0100 +Subject: [PATCH 27/34] ipv6: automatically enable stable privacy mode if + stable_secret set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 9b29c6962b70f232cde4076b1020191e1be0889d ] + +Bjørn reported that while we switch all interfaces to privacy stable mode +when setting the secret, we don't set this mode for new interfaces. This +does not make sense, so change this behaviour. + +Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf") +Reported-by: Bjørn Mork <bjorn@mork.no> +Cc: Bjørn Mork <bjorn@mork.no> +Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/addrconf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index ff873c8..ddd3511 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev) + setup_timer(&ndev->rs_timer, addrconf_rs_timer, + (unsigned long)ndev); + memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf)); ++ ++ if (ndev->cnf.stable_secret.initialized) ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ else ++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64; ++ + ndev->cnf.mtu6 = dev->mtu; + ndev->cnf.sysctl = NULL; + ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl); +-- +2.4.1 + + +From e7763d6d443faf1a4a4026d3e8e98843784606c2 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 15 Dec 2015 20:56:44 -0800 +Subject: [PATCH 28/34] inet: tcp: fix inetpeer_set_addr_v4() + +[ Upstream commit 887dc9f2cef6e98dcccf807da5e6faf4f60ba483 ] + +David Ahern added a vif field in the a4 part of inetpeer_addr struct. + +This broke IPv4 TCP fast open client side and more generally tcp metrics +cache, because inetpeer_addr_cmp() is now comparing two u32 instead of +one. + +inetpeer_set_addr_v4() needs to properly init vif field, otherwise +the comparison result depends on uninitialized data. + +Fixes: 192132b9a034 ("net: Add support for VRFs to inetpeer cache") +Reported-by: Yuchung Cheng <ycheng@google.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Neal Cardwell <ncardwell@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/net/inetpeer.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h +index 4a6009d..235c781 100644 +--- a/include/net/inetpeer.h ++++ b/include/net/inetpeer.h +@@ -78,6 +78,7 @@ void inet_initpeers(void) __init; + static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32 ip) + { + iaddr->a4.addr = ip; ++ iaddr->a4.vif = 0; + iaddr->family = AF_INET; + } + +-- +2.4.1 + + +From dc6f25bdfbf1027db505506d8795fef1234f342c Mon Sep 17 00:00:00 2001 +From: Herbert Xu <herbert@gondor.apana.org.au> +Date: Wed, 16 Dec 2015 18:13:14 +0800 +Subject: [PATCH 29/34] rhashtable: Enforce minimum size on initial hash table + +[ Upstream commit 3a324606bbabfc30084ce9d08169910773ba9a92 ] + +William Hua <william.hua@canonical.com> wrote: +> +> I wasn't aware there was an enforced minimum size. I simply set the +> nelem_hint in the rhastable_params struct to 1, expecting it to grow as +> needed. This caused a segfault afterwards when trying to insert an +> element. + +OK we're doing the size computation before we enforce the limit +on min_size. + +---8<--- +We need to do the initial hash table size computation after we +have obtained the correct min_size/max_size parameters. Otherwise +we may end up with a hash table whose size is outside the allowed +envelope. + +Fixes: a998f712f77e ("rhashtable: Round up/down min/max_size to...") +Reported-by: William Hua <william.hua@canonical.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + lib/rhashtable.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/rhashtable.c b/lib/rhashtable.c +index a54ff89..d2daf67e 100644 +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -723,9 +723,6 @@ int rhashtable_init(struct rhashtable *ht, + if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT)) + return -EINVAL; + +- if (params->nelem_hint) +- size = rounded_hashtable_size(params); +- + memset(ht, 0, sizeof(*ht)); + mutex_init(&ht->mutex); + spin_lock_init(&ht->lock); +@@ -745,6 +742,9 @@ int rhashtable_init(struct rhashtable *ht, + + ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE); + ++ if (params->nelem_hint) ++ size = rounded_hashtable_size(&ht->p); ++ + /* The maximum (not average) chain length grows with the + * size of the hash table, at a rate of (log N)/(log log N). + * The value of 16 is selected so that even if the hash +-- +2.4.1 + + +From b91eef0e59aebcdaceb9bfeb61aafe0a345d2d81 Mon Sep 17 00:00:00 2001 +From: Hamish Martin <hamish.martin@alliedtelesis.co.nz> +Date: Tue, 15 Dec 2015 14:14:50 +1300 +Subject: [PATCH 30/34] gianfar: Don't enable RX Filer if not supported + +[ Upstream commit 7bff47da1ee23d00d1257905f2944c29594f799d ] + +After commit 15bf176db1fb ("gianfar: Don't enable the Filer w/o the +Parser"), 'TSEC' model controllers (for example as seen on MPC8541E) +always have 8 bytes stripped from the front of received frames. +Only 'eTSEC' gianfar controllers have the RX Filer capability (amongst +other enhancements). Previously this was treated as always enabled +for both 'TSEC' and 'eTSEC' controllers. +In commit 15bf176db1fb ("gianfar: Don't enable the Filer w/o the Parser") +a subtle change was made to the setting of 'uses_rxfcb' to effectively +always set it (since 'rx_filer_enable' was always true). This had the +side-effect of always stripping 8 bytes from the front of received frames +on 'TSEC' type controllers. + +We now only enable the RX Filer capability on controller types that +support it, thereby avoiding the issue for 'TSEC' type controllers. + +Reviewed-by: Chris Packham <chris.packham@alliedtelesis.co.nz> +Reviewed-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz> +Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz> +Reviewed-by: Claudiu Manoil <claudiu.manoil@freescale.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ethernet/freescale/gianfar.c | 8 +++++--- + drivers/net/ethernet/freescale/gianfar.h | 1 + + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index ce38d26..bcb933e 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_device *ofdev, struct net_device **pdev) + FSL_GIANFAR_DEV_HAS_VLAN | + FSL_GIANFAR_DEV_HAS_MAGIC_PACKET | + FSL_GIANFAR_DEV_HAS_EXTENDED_HASH | +- FSL_GIANFAR_DEV_HAS_TIMER; ++ FSL_GIANFAR_DEV_HAS_TIMER | ++ FSL_GIANFAR_DEV_HAS_RX_FILER; + + err = of_property_read_string(np, "phy-connection-type", &ctype); + +@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_device *ofdev) + priv->rx_queue[i]->rxic = DEFAULT_RXIC; + } + +- /* always enable rx filer */ +- priv->rx_filer_enable = 1; ++ /* Always enable rx filer if available */ ++ priv->rx_filer_enable = ++ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 1 : 0; + /* Enable most messages by default */ + priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1; + /* use pritority h/w tx queue scheduling for single queue devices */ +diff --git a/drivers/net/ethernet/freescale/gianfar.h b/drivers/net/ethernet/freescale/gianfar.h +index 8c19948..3755372 100644 +--- a/drivers/net/ethernet/freescale/gianfar.h ++++ b/drivers/net/ethernet/freescale/gianfar.h +@@ -917,6 +917,7 @@ struct gfar { + #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200 + #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400 + #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800 ++#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000 + + #if (MAXGROUPS == 2) + #define DEFAULT_MAPPING 0xAA +-- +2.4.1 + + +From e8fcabcaa1cc5d503b1dd7d94d9bb83e13610e96 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa <hannes@stressinduktion.org> +Date: Tue, 15 Dec 2015 21:01:53 +0100 +Subject: [PATCH 31/34] fou: clean up socket with kfree_rcu + +[ Upstream commit 3036facbb7be3a169e35be3b271162b0fa564a2d ] + +fou->udp_offloads is managed by RCU. As it is actually included inside +the fou sockets, we cannot let the memory go out of scope before a grace +period. We either can synchronize_rcu or switch over to kfree_rcu to +manage the sockets. kfree_rcu seems appropriate as it is used by vxlan +and geneve. + +Fixes: 23461551c00628c ("fou: Support for foo-over-udp RX path") +Cc: Tom Herbert <tom@herbertland.com> +Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/fou.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index e0fcbbb..bd903fe 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -24,6 +24,7 @@ struct fou { + u16 type; + struct udp_offload udp_offloads; + struct list_head list; ++ struct rcu_head rcu; + }; + + #define FOU_F_REMCSUM_NOPARTIAL BIT(0) +@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou) + list_del(&fou->list); + udp_tunnel_sock_release(sock); + +- kfree(fou); ++ kfree_rcu(fou, rcu); + } + + static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg) +-- +2.4.1 + + +From 99450d55526ae8c64f343738542527c42e30ff78 Mon Sep 17 00:00:00 2001 +From: Rainer Weikusat <rweikusat@mobileactivedefense.com> +Date: Wed, 16 Dec 2015 20:09:25 +0000 +Subject: [PATCH 32/34] af_unix: Revert 'lock_interruptible' in stream receive + code + +[ Upstream commit 3822b5c2fc62e3de8a0f33806ff279fb7df92432 ] + +With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM +receive code was changed from using mutex_lock(&u->readlock) to +mutex_lock_interruptible(&u->readlock) to prevent signals from being +delayed for an indefinite time if a thread sleeping on the mutex +happened to be selected for handling the signal. But this was never a +problem with the stream receive code (as opposed to its datagram +counterpart) as that never went to sleep waiting for new messages with the +mutex held and thus, wouldn't cause secondary readers to block on the +mutex waiting for the sleeping primary reader. As the interruptible +locking makes the code more complicated in exchange for no benefit, +change it back to using mutex_lock. + +Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/unix/af_unix.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 128b098..0fc6dba 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state) + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +- err = mutex_lock_interruptible(&u->readlock); +- if (unlikely(err)) { +- /* recvmsg() in non blocking mode is supposed to return -EAGAIN +- * sk_rcvtimeo is not honored by mutex_lock_interruptible() +- */ +- err = noblock ? -EAGAIN : -ERESTARTSYS; +- goto out; +- } ++ mutex_lock(&u->readlock); + + if (flags & MSG_PEEK) + skip = sk_peek_offset(sk, flags); +@@ -2306,12 +2299,12 @@ again: + timeo = unix_stream_data_wait(sk, timeo, last, + last_len); + +- if (signal_pending(current) || +- mutex_lock_interruptible(&u->readlock)) { ++ if (signal_pending(current)) { + err = sock_intr_errno(timeo); + goto out; + } + ++ mutex_lock(&u->readlock); + continue; + unlock: + unix_state_unlock(sk); +-- +2.4.1 + + +From dc9c6c2fb77bda57cc2b06d2a2b1d1befd3819fc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 16 Dec 2015 13:53:10 -0800 +Subject: [PATCH 33/34] tcp: restore fastopen with no data in SYN packet + +[ Upstream commit 07e100f984975cb0417a7d5e626d0409efbad478 ] + +Yuchung tracked a regression caused by commit 57be5bdad759 ("ip: convert +tcp_sendmsg() to iov_iter primitives") for TCP Fast Open. + +Some Fast Open users do not actually add any data in the SYN packet. + +Fixes: 57be5bdad759 ("ip: convert tcp_sendmsg() to iov_iter primitives") +Reported-by: Yuchung Cheng <ycheng@google.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Acked-by: Yuchung Cheng <ycheng@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/tcp_output.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 3dbee0d..c958596 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + { + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_request *fo = tp->fastopen_req; +- int syn_loss = 0, space, err = 0, copied; ++ int syn_loss = 0, space, err = 0; + unsigned long last_syn_loss = 0; + struct sk_buff *syn_data; + +@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn) + goto fallback; + syn_data->ip_summed = CHECKSUM_PARTIAL; + memcpy(syn_data->cb, syn->cb, sizeof(syn->cb)); +- copied = copy_from_iter(skb_put(syn_data, space), space, +- &fo->data->msg_iter); +- if (unlikely(!copied)) { +- kfree_skb(syn_data); +- goto fallback; +- } +- if (copied != space) { +- skb_trim(syn_data, copied); +- space = copied; ++ if (space) { ++ int copied = copy_from_iter(skb_put(syn_data, space), space, ++ &fo->data->msg_iter); ++ if (unlikely(!copied)) { ++ kfree_skb(syn_data); ++ goto fallback; ++ } ++ if (copied != space) { ++ skb_trim(syn_data, copied); ++ space = copied; ++ } + } +- + /* No more data pending in inet_wait_for_connect() */ + if (space == fo->size) + fo->data = NULL; +-- +2.4.1 + + +From 51a41cd14356285e5e69c7657c55061a92e7ed79 Mon Sep 17 00:00:00 2001 +From: Herbert Xu <herbert@gondor.apana.org.au> +Date: Wed, 16 Dec 2015 16:45:54 +0800 +Subject: [PATCH 34/34] rhashtable: Fix walker list corruption + +[ Upstream commit c6ff5268293ef98e48a99597e765ffc417e39fa5 ] + +The commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c ("rhashtable: +Fix sleeping inside RCU critical section in walk_stop") introduced +a new spinlock for the walker list. However, it did not convert +all existing users of the list over to the new spin lock. Some +continued to use the old mutext for this purpose. This obviously +led to corruption of the list. + +The fix is to use the spin lock everywhere where we touch the list. + +This also allows us to do rcu_rad_lock before we take the lock in +rhashtable_walk_start. With the old mutex this would've deadlocked +but it's safe with the new spin lock. + +Fixes: ba7c95ea3870 ("rhashtable: Fix sleeping inside RCU...") +Reported-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + lib/rhashtable.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/lib/rhashtable.c b/lib/rhashtable.c +index d2daf67e..aa388a7 100644 +--- a/lib/rhashtable.c ++++ b/lib/rhashtable.c +@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter) + if (!iter->walker) + return -ENOMEM; + +- mutex_lock(&ht->mutex); +- iter->walker->tbl = rht_dereference(ht->tbl, ht); ++ spin_lock(&ht->lock); ++ iter->walker->tbl = ++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock)); + list_add(&iter->walker->list, &iter->walker->tbl->walkers); +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + return 0; + } +@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init); + */ + void rhashtable_walk_exit(struct rhashtable_iter *iter) + { +- mutex_lock(&iter->ht->mutex); ++ spin_lock(&iter->ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- mutex_unlock(&iter->ht->mutex); ++ spin_unlock(&iter->ht->lock); + kfree(iter->walker); + } + EXPORT_SYMBOL_GPL(rhashtable_walk_exit); +@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter) + { + struct rhashtable *ht = iter->ht; + +- mutex_lock(&ht->mutex); ++ rcu_read_lock(); + ++ spin_lock(&ht->lock); + if (iter->walker->tbl) + list_del(&iter->walker->list); +- +- rcu_read_lock(); +- +- mutex_unlock(&ht->mutex); ++ spin_unlock(&ht->lock); + + if (!iter->walker->tbl) { + iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht); +-- +2.4.1 + diff --git a/nouveau-stable-backports.patch b/nouveau-stable-backports.patch new file mode 100644 index 000000000..bd6d210e0 --- /dev/null +++ b/nouveau-stable-backports.patch @@ -0,0 +1,105 @@ +From fe9c94340928d8ec3ea1ae74f99c3c9b18684129 Mon Sep 17 00:00:00 2001 +From: Martin Peres <martin.peres@free.fr> +Date: Sun, 29 Nov 2015 16:10:18 +0200 +Subject: [PATCH 1/3] drm/nouveau/bios/fan: hardcode the fan mode to linear +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is an oversight that made use of the trip-point-based fan managenent on +cards that never expose those. This led the fan to stay at fan_min. + +Fortunately, the emergency code would kick when the temperature would reach +90°C. + +Reported-by: Tom Englund <tomenglund26@gmail.com> +Tested-by: Tom Englund <tomenglund26@gmail.com> +Signed-off-by: Martin Peres <martin.peres@free.fr> +Tested-by: Daemon32 <lnf.purple@gmail.com> +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92126 +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> +Cc: stable@vger.kernel.org +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c +index 43006db6fd58..80fed7e78dcb 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/fan.c +@@ -83,6 +83,7 @@ nvbios_fan_parse(struct nvkm_bios *bios, struct nvbios_therm_fan *fan) + fan->type = NVBIOS_THERM_FAN_UNK; + } + ++ fan->fan_mode = NVBIOS_THERM_FAN_LINEAR; + fan->min_duty = nvbios_rd08(bios, data + 0x02); + fan->max_duty = nvbios_rd08(bios, data + 0x03); + +-- +2.5.0 + + +From acdc10375119fc5dd76d7051a5ae4a41f61c45aa Mon Sep 17 00:00:00 2001 +From: Ben Skeggs <bskeggs@redhat.com> +Date: Mon, 4 Jan 2016 09:01:13 +1000 +Subject: [PATCH 2/3] drm/nouveau/gr/nv40: fix oops in interrupt handler + +fdo#93557 + +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> +Cc: stable@vger.kernel.org +--- + drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c +index ffa902ece872..05a895496fc6 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/nv40.c +@@ -156,6 +156,7 @@ nv40_gr_chan_new(struct nvkm_gr *base, struct nvkm_fifo_chan *fifoch, + return -ENOMEM; + nvkm_object_ctor(&nv40_gr_chan, oclass, &chan->object); + chan->gr = gr; ++ chan->fifo = fifoch; + *pobject = &chan->object; + + spin_lock_irqsave(&chan->gr->base.engine.lock, flags); +-- +2.5.0 + + +From c5d07dcb6d6260a51a2309d5f62c3391637afa86 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs <bskeggs@redhat.com> +Date: Fri, 8 Jan 2016 08:56:51 +1000 +Subject: [PATCH 3/3] drm/nouveau/kms: take mode_config mutex in connector + hotplug path + +fdo#93634 + +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> +Cc: stable@vger.kernel.org +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c +index 2e7cbe933533..2a5ed7460354 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -969,10 +969,13 @@ nouveau_connector_hotplug(struct nvif_notify *notify) + + NV_DEBUG(drm, "%splugged %s\n", plugged ? "" : "un", name); + ++ mutex_lock(&drm->dev->mode_config.mutex); + if (plugged) + drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON); + else + drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF); ++ mutex_unlock(&drm->dev->mode_config.mutex); ++ + drm_helper_hpd_irq_event(connector->dev); + } + +-- +2.5.0 + diff --git a/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch b/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch new file mode 100644 index 000000000..b891c5211 --- /dev/null +++ b/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch @@ -0,0 +1,39 @@ +From 16c5a158e97d5b1f6c8bf86b006c1349f025d4e0 Mon Sep 17 00:00:00 2001 +From: WANG Cong <xiyou.wangcong@gmail.com> +Date: Mon, 14 Dec 2015 13:48:36 -0800 +Subject: [PATCH] pptp: verify sockaddr_len in pptp_bind() and pptp_connect() + +Reported-by: Dmitry Vyukov <dvyukov@gmail.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/ppp/pptp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index fc69e41d0950..597c53e0a2ec 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr, + struct pptp_opt *opt = &po->proto.pptp; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + lock_sock(sk); + + opt->src_addr = sp->sa_addr.pptp; +@@ -440,6 +443,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + struct flowi4 fl4; + int error = 0; + ++ if (sockaddr_len < sizeof(struct sockaddr_pppox)) ++ return -EINVAL; ++ + if (sp->sa_protocol != PX_PROTO_PPTP) + return -EINVAL; + +-- +2.5.0 + diff --git a/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch new file mode 100644 index 000000000..55c3ab9d1 --- /dev/null +++ b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch @@ -0,0 +1,108 @@ +From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jann@thejh.net> +Date: Sat, 26 Dec 2015 03:52:31 +0100 +Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids + +ptrace_has_cap() checks whether the current process should be +treated as having a certain capability for ptrace checks +against another process. Until now, this was equivalent to +has_ns_capability(current, target_ns, CAP_SYS_PTRACE). + +However, if a root-owned process wants to enter a user +namespace for some reason without knowing who owns it and +therefore can't change to the namespace owner's uid and gid +before entering, as soon as it has entered the namespace, +the namespace owner can attach to it via ptrace and thereby +gain access to its uid and gid. + +While it is possible for the entering process to switch to +the uid of a claimed namespace owner before entering, +causing the attempt to enter to fail if the claimed uid is +wrong, this doesn't solve the problem of determining an +appropriate gid. + +With this change, the entering process can first enter the +namespace and then safely inspect the namespace's +properties, e.g. through /proc/self/{uid_map,gid_map}, +assuming that the namespace owner doesn't have access to +uid 0. + +Changed in v2: The caller needs to be capable in the +namespace into which tcred's uids/gids can be mapped. + +Signed-off-by: Jann Horn <jann@thejh.net> +--- + kernel/ptrace.c | 33 ++++++++++++++++++++++++++++----- + 1 file changed, 28 insertions(+), 5 deletions(-) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 787320de68e0..407c382b45c8 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -20,6 +20,7 @@ + #include <linux/uio.h> + #include <linux/audit.h> + #include <linux/pid_namespace.h> ++#include <linux/user_namespace.h> + #include <linux/syscalls.h> + #include <linux/uaccess.h> + #include <linux/regset.h> +@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) + return ret; + } + +-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) ++static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode) + { ++ struct user_namespace *tns = tcred->user_ns; ++ ++ /* When a root-owned process enters a user namespace created by a ++ * malicious user, the user shouldn't be able to execute code under ++ * uid 0 by attaching to the root-owned process via ptrace. ++ * Therefore, similar to the capable_wrt_inode_uidgid() check, ++ * verify that all the uids and gids of the target process are ++ * mapped into a namespace below the current one in which the caller ++ * is capable. ++ * No fsuid/fsgid check because __ptrace_may_access doesn't do it ++ * either. ++ */ ++ while ( ++ !kuid_has_mapping(tns, tcred->euid) || ++ !kuid_has_mapping(tns, tcred->suid) || ++ !kuid_has_mapping(tns, tcred->uid) || ++ !kgid_has_mapping(tns, tcred->egid) || ++ !kgid_has_mapping(tns, tcred->sgid) || ++ !kgid_has_mapping(tns, tcred->gid)) { ++ tns = tns->parent; ++ } ++ + if (mode & PTRACE_MODE_NOAUDIT) +- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); ++ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE); + else +- return has_ns_capability(current, ns, CAP_SYS_PTRACE); ++ return has_ns_capability(current, tns, CAP_SYS_PTRACE); + } + + /* Returns 0 on success, -errno on denial. */ +@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + gid_eq(cred->gid, tcred->sgid) && + gid_eq(cred->gid, tcred->gid)) + goto ok; +- if (ptrace_has_cap(tcred->user_ns, mode)) ++ if (ptrace_has_cap(tcred, mode)) + goto ok; + rcu_read_unlock(); + return -EPERM; +@@ -252,7 +275,7 @@ ok: + dumpable = get_dumpable(task->mm); + rcu_read_lock(); + if (dumpable != SUID_DUMP_USER && +- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { ++ !ptrace_has_cap(__task_cred(task), mode)) { + rcu_read_unlock(); + return -EPERM; + } +-- +2.5.0 + diff --git a/sctp-Prevent-soft-lockup-when-sctp_accept-is-called-.patch b/sctp-Prevent-soft-lockup-when-sctp_accept-is-called-.patch new file mode 100644 index 000000000..e9d709c67 --- /dev/null +++ b/sctp-Prevent-soft-lockup-when-sctp_accept-is-called-.patch @@ -0,0 +1,194 @@ +From 51d49d5d636dd24c1d729f79037d5d033eda7e65 Mon Sep 17 00:00:00 2001 +From: Karl Heiss <kheiss@gmail.com> +Date: Thu, 24 Sep 2015 12:15:07 -0400 +Subject: [PATCH] sctp: Prevent soft lockup when sctp_accept() is called during + a timeout event + +A case can occur when sctp_accept() is called by the user during +a heartbeat timeout event after the 4-way handshake. Since +sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the +bh_sock_lock in sctp_generate_heartbeat_event() will be taken with +the listening socket but released with the new association socket. +The result is a deadlock on any future attempts to take the listening +socket lock. + +Note that this race can occur with other SCTP timeouts that take +the bh_lock_sock() in the event sctp_accept() is called. + + BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0] + ... + RIP: 0010:[<ffffffff8152d48e>] [<ffffffff8152d48e>] _spin_lock+0x1e/0x30 + RSP: 0018:ffff880028323b20 EFLAGS: 00000206 + RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48 + RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000 + R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0 + R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225 + FS: 0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b + CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 + Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0) + Stack: + ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000 + <d> 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00 + <d> ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8 + Call Trace: + <IRQ> + [<ffffffffa01c2582>] ? sctp_rcv+0x492/0xa10 [sctp] + [<ffffffff8148c559>] ? nf_iterate+0x69/0xb0 + [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0 + [<ffffffff8148c716>] ? nf_hook_slow+0x76/0x120 + [<ffffffff814974a0>] ? ip_local_deliver_finish+0x0/0x2d0 + [<ffffffff8149757d>] ? ip_local_deliver_finish+0xdd/0x2d0 + [<ffffffff81497808>] ? ip_local_deliver+0x98/0xa0 + [<ffffffff81496ccd>] ? ip_rcv_finish+0x12d/0x440 + [<ffffffff81497255>] ? ip_rcv+0x275/0x350 + [<ffffffff8145cfeb>] ? __netif_receive_skb+0x4ab/0x750 + ... + +With lockdep debugging: + + ===================================== + [ BUG: bad unlock balance detected! ] + ------------------------------------- + CslRx/12087 is trying to release lock (slock-AF_INET) at: + [<ffffffffa01bcae0>] sctp_generate_timeout_event+0x40/0xe0 [sctp] + but there are no more locks to release! + + other info that might help us debug this: + 2 locks held by CslRx/12087: + #0: (&asoc->timers[i]){+.-...}, at: [<ffffffff8108ce1f>] run_timer_softirq+0x16f/0x3e0 + #1: (slock-AF_INET){+.-...}, at: [<ffffffffa01bcac3>] sctp_generate_timeout_event+0x23/0xe0 [sctp] + +Ensure the socket taken is also the same one that is released by +saving a copy of the socket before entering the timeout event +critical section. + +Signed-off-by: Karl Heiss <kheiss@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/sctp/sm_sideeffect.c | 44 ++++++++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 20 deletions(-) + +diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c +index 85e6f03aeb70..61b7b81d29ab 100644 +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -244,12 +244,13 @@ void sctp_generate_t3_rtx_event(unsigned long peer) + int error; + struct sctp_transport *transport = (struct sctp_transport *) peer; + struct sctp_association *asoc = transport->asoc; +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + + /* Check whether a task is in the sock. */ + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy\n", __func__); + + /* Try again later. */ +@@ -272,10 +273,10 @@ void sctp_generate_t3_rtx_event(unsigned long peer) + transport, GFP_ATOMIC); + + if (error) +- asoc->base.sk->sk_err = -error; ++ sk->sk_err = -error; + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_transport_put(transport); + } + +@@ -285,11 +286,12 @@ out_unlock: + static void sctp_generate_timeout_event(struct sctp_association *asoc, + sctp_event_timeout_t timeout_type) + { +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + int error = 0; + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy: timer %d\n", __func__, + timeout_type); + +@@ -312,10 +314,10 @@ static void sctp_generate_timeout_event(struct sctp_association *asoc, + (void *)timeout_type, GFP_ATOMIC); + + if (error) +- asoc->base.sk->sk_err = -error; ++ sk->sk_err = -error; + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_association_put(asoc); + } + +@@ -365,10 +367,11 @@ void sctp_generate_heartbeat_event(unsigned long data) + int error = 0; + struct sctp_transport *transport = (struct sctp_transport *) data; + struct sctp_association *asoc = transport->asoc; +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy\n", __func__); + + /* Try again later. */ +@@ -388,11 +391,11 @@ void sctp_generate_heartbeat_event(unsigned long data) + asoc->state, asoc->ep, asoc, + transport, GFP_ATOMIC); + +- if (error) +- asoc->base.sk->sk_err = -error; ++ if (error) ++ sk->sk_err = -error; + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_transport_put(transport); + } + +@@ -403,10 +406,11 @@ void sctp_generate_proto_unreach_event(unsigned long data) + { + struct sctp_transport *transport = (struct sctp_transport *) data; + struct sctp_association *asoc = transport->asoc; +- struct net *net = sock_net(asoc->base.sk); ++ struct sock *sk = asoc->base.sk; ++ struct net *net = sock_net(sk); + +- bh_lock_sock(asoc->base.sk); +- if (sock_owned_by_user(asoc->base.sk)) { ++ bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { + pr_debug("%s: sock is busy\n", __func__); + + /* Try again later. */ +@@ -427,7 +431,7 @@ void sctp_generate_proto_unreach_event(unsigned long data) + asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC); + + out_unlock: +- bh_unlock_sock(asoc->base.sk); ++ bh_unlock_sock(sk); + sctp_association_put(asoc); + } + +-- +2.5.0 + diff --git a/selinux-fix-bug-in-conditional-rules-handling.patch b/selinux-fix-bug-in-conditional-rules-handling.patch new file mode 100644 index 000000000..6a78f5b2e --- /dev/null +++ b/selinux-fix-bug-in-conditional-rules-handling.patch @@ -0,0 +1,51 @@ +From f3bef67992e8698897b584616535803887c4a73e Mon Sep 17 00:00:00 2001 +From: Stephen Smalley <sds@tycho.nsa.gov> +Date: Mon, 23 Nov 2015 16:07:41 -0500 +Subject: [PATCH] selinux: fix bug in conditional rules handling + +commit fa1aa143ac4a ("selinux: extended permissions for ioctls") +introduced a bug into the handling of conditional rules, skipping the +processing entirely when the caller does not provide an extended +permissions (xperms) structure. Access checks from userspace using +/sys/fs/selinux/access do not include such a structure since that +interface does not presently expose extended permission information. +As a result, conditional rules were being ignored entirely on userspace +access requests, producing denials when access was allowed by +conditional rules in the policy. Fix the bug by only skipping +computation of extended permissions in this situation, not the entire +conditional rules processing. + +Reported-by: Laurent Bigonville <bigon@debian.org> +Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> +[PM: fixed long lines in patch description] +Cc: stable@vger.kernel.org # 4.3 +Signed-off-by: Paul Moore <pmoore@redhat.com> +--- + security/selinux/ss/conditional.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c +index 18643bf9894d..456e1a9bcfde 100644 +--- a/security/selinux/ss/conditional.c ++++ b/security/selinux/ss/conditional.c +@@ -638,7 +638,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, + { + struct avtab_node *node; + +- if (!ctab || !key || !avd || !xperms) ++ if (!ctab || !key || !avd) + return; + + for (node = avtab_search_node(ctab, key); node; +@@ -657,7 +657,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, + if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) == + (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) + avd->auditallow |= node->datum.u.data; +- if ((node->key.specified & AVTAB_ENABLED) && ++ if (xperms && (node->key.specified & AVTAB_ENABLED) && + (node->key.specified & AVTAB_XPERMS)) + services_compute_xperms_drivers(xperms, node); + } +-- +2.5.0 + diff --git a/showmem-cma-correct-reserved-memory-calculation.patch b/showmem-cma-correct-reserved-memory-calculation.patch deleted file mode 100644 index c22a84969..000000000 --- a/showmem-cma-correct-reserved-memory-calculation.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 3a83eda52f34b97168b70098ef0e34dbcaeaaf8f Mon Sep 17 00:00:00 2001 -From: Vishnu Pratap Singh <vishnu.ps@samsung.com> -Date: Tue, 25 Aug 2015 00:04:44 +0000 -Subject: lib/show_mem.c: correct reserved memory calculation - -CMA reserved memory is not part of total reserved memory. -Currently when we print the total reserve memory it considers -cma as part of reserve memory and do minus of totalcma_pages -from reserved, which is wrong. In cases where total reserved -is less than cma reserved we will get negative values & while -printing we print as unsigned and we will get a very large value. - -Below is the show mem output on X86 ubuntu based system where -CMA reserved is 100MB (25600 pages) & total reserved is ~40MB(10316 pages). -And reserve memory shows a large value because of this bug. - -Before: -[ 127.066430] 898908 pages RAM -[ 127.066432] 671682 pages HighMem/MovableOnly -[ 127.066434] 4294952012 pages reserved -[ 127.066436] 25600 pages cma reserved - -After: -[ 44.663129] 898908 pages RAM -[ 44.663130] 671682 pages HighMem/MovableOnly -[ 44.663130] 10316 pages reserved -[ 44.663131] 25600 pages cma reserved - -Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com> -Cc: Michal Nazarewicz <mina86@mina86.com> -Cc: Marek Szyprowski <m.szyprowski@samsung.com> -Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> -Cc: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> -Cc: Sasha Levin <sasha.levin@oracle.com> -Cc: Danesh Petigara <dpetigara@broadcom.com> -Cc: Laura Abbott <lauraa@codeaurora.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> ---- - lib/show_mem.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/lib/show_mem.c b/lib/show_mem.c -index adc98e18..1feed6a 100644 ---- a/lib/show_mem.c -+++ b/lib/show_mem.c -@@ -38,11 +38,9 @@ void show_mem(unsigned int filter) - - printk("%lu pages RAM\n", total); - printk("%lu pages HighMem/MovableOnly\n", highmem); -+ printk("%lu pages reserved\n", reserved); - #ifdef CONFIG_CMA -- printk("%lu pages reserved\n", (reserved - totalcma_pages)); - printk("%lu pages cma reserved\n", totalcma_pages); --#else -- printk("%lu pages reserved\n", reserved); - #endif - #ifdef CONFIG_QUICKLIST - printk("%lu pages in pagetable cache\n", --- -cgit v0.11.2 - @@ -1,3 +1,3 @@ -3d5ea06d767e2f35c999eeadafc76523 linux-4.2.tar.xz -4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz -c000fd7de765fc8cd60942aa52a996ed patch-4.2.8.xz +58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz +7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz +d3235b3640ae6ac1ab579171943fda4b patch-4.3.3.xz diff --git a/usb-serial-visor-fix-crash-on-detecting-device-witho.patch b/usb-serial-visor-fix-crash-on-detecting-device-witho.patch new file mode 100644 index 000000000..ddd4fc5b9 --- /dev/null +++ b/usb-serial-visor-fix-crash-on-detecting-device-witho.patch @@ -0,0 +1,36 @@ +From b2476fe4c16be5c2b7ee950e50677cfaa9ab9bae Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <vdronov@redhat.com> +Date: Tue, 12 Jan 2016 14:10:50 -0500 +Subject: [PATCH] usb: serial: visor: fix crash on detecting device without + write_urbs + +The visor driver crashes in clie_5_attach() when a specially crafted USB +device without bulk-out endpoint is detected. This fix adds a check that +the device has proper configuration expected by the driver. + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/usb/serial/visor.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c +index 60afb39eb73c..bbc90c059002 100644 +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_serial *serial) + */ + + /* some sanity check */ +- if (serial->num_ports < 2) +- return -1; ++ if (serial->num_bulk_out < 2) { ++ dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); ++ return -ENODEV; ++ } + + /* port 0 now uses the modified endpoint Address */ + port = serial->port[0]; +-- +2.5.0 + diff --git a/vrf-fix-memory-leak-on-registration.patch b/vrf-fix-memory-leak-on-registration.patch new file mode 100644 index 000000000..86c3dff69 --- /dev/null +++ b/vrf-fix-memory-leak-on-registration.patch @@ -0,0 +1,42 @@ +From 5780068e17af44a98d432d31448bb18a99ce64dc Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <ben@decadent.org.uk> +Date: Tue, 15 Dec 2015 15:12:43 +0000 +Subject: [PATCH] vrf: Fix memory leak on registration failure in vrf_newlink() + +The backported version of commit 7f109f7cc371 ("vrf: fix double free +and memory corruption on register_netdevice failure") incorrectly +removed a kfree() from the failure path as well as the free_netdev(). +Add that back. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/vrf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index c9e309c..6c25fd0 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, + { + struct net_vrf *vrf = netdev_priv(dev); + struct net_vrf_dev *vrf_ptr; ++ int err; + + if (!data || !data[IFLA_VRF_TABLE]) + return -EINVAL; +@@ -598,7 +599,10 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, + + rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); + +- return register_netdev(dev); ++ err = register_netdev(dev); ++ if (err) ++ kfree(vrf_ptr); ++ return err; + } + + static size_t vrf_nl_getsize(const struct net_device *dev) +-- +2.5.0 + diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch index 4c1211d43..708006c2e 100644 --- a/x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,6 +1,8 @@ +From 7a3cdd26e6d38031338a6cb591ec2f3faaa9234b Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH] x86: Lock down IO port access when module security is enabled +Subject: [PATCH 03/20] x86: Lock down IO port access when module security is + enabled IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register @@ -65,3 +67,6 @@ index 6b1721f978c2..53fe675f9bd7 100644 if (!access_ok(VERIFY_READ, buf, count)) return -EFAULT; while (count-- > 0 && i < 65536) { +-- +2.4.3 + diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 9053f2aea..5c91ab143 100644 --- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,6 +1,8 @@ +From c076ed5eed97cba612d7efec41359815c5547f4c Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH] x86: Restrict MSR access when module loading is restricted +Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is + restricted Writing to MSRs should not be allowed if module loading is restricted, since it could lead to execution of arbitrary code in kernel mode. Based @@ -37,3 +39,6 @@ index 113e70784854..26c2f83fc470 100644 if (copy_from_user(®s, uregs, sizeof regs)) { err = -EFAULT; break; +-- +2.4.3 + |