Merge branch 'master' into f23-user-thl-vanilla-rawhidekernel-4.4.0-0.rc8.git3.1.vanilla.knurd.1.fc23

9 files changed, 347 insertions, 79 deletions

diff --git a/config-generic b/config-generic
index 48837af22..6c999c510 100644
--- a/config-generic
+++ b/config-generic
@@ -1799,13 +1799,13 @@ CONFIG_B43_PCMCIA=y
 CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 CONFIG_B43_PHY_G=y
 CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -5046,7 +5046,7 @@ CONFIG_PM_DEBUG=y
 # CONFIG_DPM_WATCHDOG is not set # revisit this in debug
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
 # CONFIG_PM_OPP is not set
 # CONFIG_PM_AUTOSLEEP is not set
 # CONFIG_PM_WAKELOCKS is not set
diff --git a/config-nodebug b/config-nodebug
index 65e8accd1..1b93255c0 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y
 CONFIG_SND_DEBUG=y
 CONFIG_SND_PCM_XRUN_DEBUG=y
 
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
-
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_LOCK_TORTURE_TEST is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_PROVE_RCU is not set
+CONFIG_DEBUG_ATOMIC_SLEEP=y
+
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_LOCK_TORTURE_TEST=m
+CONFIG_PROVE_LOCKING=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_PROVE_RCU=y
 # CONFIG_PROVE_RCU_REPEATEDLY is not set
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_DEBUG_PER_CPU_MAPS=y
 CONFIG_CPUMASK_OFFSTACK=y
 
-# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
+CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
 
-# CONFIG_FAULT_INJECTION is not set
-# CONFIG_FAILSLAB is not set
-# CONFIG_FAIL_PAGE_ALLOC is not set
-# CONFIG_FAIL_MAKE_REQUEST is not set
-# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
-# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
-# CONFIG_FAIL_IO_TIMEOUT is not set
-# CONFIG_FAIL_MMC_REQUEST is not set
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAILSLAB=y
+CONFIG_FAIL_PAGE_ALLOC=y
+CONFIG_FAIL_MAKE_REQUEST=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
+CONFIG_FAIL_IO_TIMEOUT=y
+CONFIG_FAIL_MMC_REQUEST=y
 
-# CONFIG_LOCK_STAT is not set
+CONFIG_LOCK_STAT=y
 
-# CONFIG_DEBUG_STACK_USAGE is not set
+CONFIG_DEBUG_STACK_USAGE=y
 
-# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_DEBUG=y
 # CONFIG_ACPI_DEBUGGER is not set
 
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_PI_LIST is not set
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_PI_LIST=y
 
 # CONFIG_PAGE_EXTENSION is not set
 # CONFIG_PAGE_OWNER is not set
 # CONFIG_DEBUG_PAGEALLOC is not set
 
-# CONFIG_DEBUG_OBJECTS is not set
+CONFIG_DEBUG_OBJECTS=y
 # CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-# CONFIG_DEBUG_OBJECTS_FREE is not set
-# CONFIG_DEBUG_OBJECTS_TIMERS is not set
-# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
 CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
 
 CONFIG_X86_PTDUMP=y
-# CONFIG_ARM64_PTDUMP is not set
-# CONFIG_EFI_PGT_DUMP is not set
+CONFIG_ARM64_PTDUMP=y
+CONFIG_EFI_PGT_DUMP=y
 
-# CONFIG_CAN_DEBUG_DEVICES is not set
+CONFIG_CAN_DEBUG_DEVICES=y
 
-# CONFIG_MODULE_FORCE_UNLOAD is not set
+CONFIG_MODULE_FORCE_UNLOAD=y
 
 
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_NOTIFIERS=y
 
-# CONFIG_DMA_API_DEBUG is not set
+CONFIG_DMA_API_DEBUG=y
 
-# CONFIG_MMIOTRACE is not set
+CONFIG_MMIOTRACE=y
 
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
 
 # off in both production debug and nodebug builds,
 #  on in rawhide nodebug builds
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
 
-# CONFIG_EXT4_DEBUG is not set
+CONFIG_EXT4_DEBUG=y
 
 # CONFIG_XFS_WARN is not set
 
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_DEBUG_PERF_USE_VMALLOC=y
 
-# CONFIG_JBD2_DEBUG is not set
+CONFIG_JBD2_DEBUG=y
 
-# CONFIG_NFSD_FAULT_INJECTION is not set
+CONFIG_NFSD_FAULT_INJECTION=y
 
-# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_DEBUG_BLK_CGROUP=y
 
-# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_DRBD_FAULT_INJECTION=y
 
-# CONFIG_ATH_DEBUG is not set
-# CONFIG_CARL9170_DEBUGFS is not set
-# CONFIG_IWLWIFI_DEVICE_TRACING is not set
+CONFIG_ATH_DEBUG=y
+CONFIG_CARL9170_DEBUGFS=y
+CONFIG_IWLWIFI_DEVICE_TRACING=y
 
 # CONFIG_RTLWIFI_DEBUG is not set
 
-# CONFIG_DEBUG_OBJECTS_WORK is not set
+CONFIG_DEBUG_OBJECTS_WORK=y
 
-# CONFIG_DMADEVICES_DEBUG is not set
+CONFIG_DMADEVICES_DEBUG=y
 # CONFIG_DMADEVICES_VDEBUG is not set
 
 CONFIG_PM_ADVANCED_DEBUG=y
 
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_QUOTA_DEBUG is not set
+CONFIG_CEPH_LIB_PRETTYDEBUG=y
+CONFIG_QUOTA_DEBUG=y
 
 
 CONFIG_KGDB_KDB=y
@@ -104,18 +104,18 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0
 CONFIG_KDB_KEYBOARD=y
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 
-# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
 # CONFIG_PERCPU_TEST is not set
-# CONFIG_TEST_LIST_SORT is not set
+CONFIG_TEST_LIST_SORT=y
 # CONFIG_TEST_STRING_HELPERS is not set
 
-# CONFIG_DETECT_HUNG_TASK is not set
+CONFIG_DETECT_HUNG_TASK=y
 CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
 
-# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
+CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
 
-# CONFIG_DEBUG_KMEMLEAK is not set
+CONFIG_DEBUG_KMEMLEAK=y
 CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
@@ -126,4 +126,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
 
 # CONFIG_SPI_DEBUG is not set
 
-# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
diff --git a/config-x86-generic b/config-x86-generic
index a436377af..83254f3bc 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -368,7 +368,7 @@ CONFIG_SP5100_TCO=m
 
 # CONFIG_MEMTEST is not set
 # CONFIG_DEBUG_TLBFLUSH is not set
-# CONFIG_MAXSMP is not set
+CONFIG_MAXSMP=y
 
 
 CONFIG_HP_ILO=m
diff --git a/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch b/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
new file mode 100644
index 000000000..cd53bf71c
--- /dev/null
+++ b/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
@@ -0,0 +1,68 @@
+From 41ed5ee704b784a4fca02787311d59c243563013 Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 7 Jan 2016 10:29:10 +0200
+Subject: [PATCH] drm/i915: shut up gen8+ SDE irq dmesg noise, again
+
+We still keep getting
+
+[    4.249930] [drm:gen8_irq_handler [i915]] *ERROR* The master control interrupt lied (SDE)!
+
+This reverts
+
+commit 820da7ae46332fa709b171eb7ba57cbd023fa6df
+Author: Jani Nikula <jani.nikula@intel.com>
+Date:   Wed Nov 25 16:47:23 2015 +0200
+
+    Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"
+
+which in itself is a revert, so this is just doing
+
+commit 97e5ed1111dcc5300a0f59a55248cd243937a8ab
+Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date:   Fri Oct 23 10:56:12 2015 +0200
+
+    drm/i915: shut up gen8+ SDE irq dmesg noise
+
+all over again. I'll stop pretending I understand what's going on like I
+did when I thought I'd fixed this for good in
+
+commit 6a39d7c986be4fd18eb019e9cdbf774ec36c9f77
+Author: Jani Nikula <jani.nikula@intel.com>
+Date:   Wed Nov 25 16:47:22 2015 +0200
+
+    drm/i915: fix the SDE irq dmesg warnings properly
+
+Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reference: http://mid.gmane.org/20151213124945.GA5715@nuc-i3427.alporthouse.com
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084
+Cc: drm-intel-fixes@lists.freedesktop.org
+Fixes: 820da7ae4633 ("Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"")
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+---
+ drivers/gpu/drm/i915/i915_irq.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
+index 0d228f909dcb..0f42a2782afc 100644
+--- a/drivers/gpu/drm/i915/i915_irq.c
++++ b/drivers/gpu/drm/i915/i915_irq.c
+@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg)
+ 				spt_irq_handler(dev, pch_iir);
+ 			else
+ 				cpt_irq_handler(dev, pch_iir);
+-		} else
+-			DRM_ERROR("The master control interrupt lied (SDE)!\n");
+-
++		} else {
++			/*
++			 * Like on previous PCH there seems to be something
++			 * fishy going on with forwarding PCH interrupts.
++			 */
++			DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n");
++		}
+ 	}
+ 
+ 	I915_WRITE_FW(GEN8_MASTER_IRQ, GEN8_MASTER_IRQ_CONTROL);
+-- 
+2.5.0
+
diff --git a/drm-udl-Use-unlocked-gem-unreferencing.patch b/drm-udl-Use-unlocked-gem-unreferencing.patch
new file mode 100644
index 000000000..e2dbabe83
--- /dev/null
+++ b/drm-udl-Use-unlocked-gem-unreferencing.patch
@@ -0,0 +1,58 @@
+From patchwork Mon Nov 23 09:32:42 2015
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [09/29] drm/udl: Use unlocked gem unreferencing
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+X-Patchwork-Id: 65722
+Message-Id: <1448271183-20523-10-git-send-email-daniel.vetter@ffwll.ch>
+To: DRI Development <dri-devel@lists.freedesktop.org>
+Cc: Daniel Vetter <daniel.vetter@intel.com>,
+ Daniel Vetter <daniel.vetter@ffwll.ch>,
+ Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
+ Dave Airlie <airlied@redhat.com>
+Date: Mon, 23 Nov 2015 10:32:42 +0100
+
+For drm_gem_object_unreference callers are required to hold
+dev->struct_mutex, which these paths don't. Enforcing this requirement
+has become a bit more strict with
+
+commit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663
+Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date:   Thu Oct 15 09:36:25 2015 +0200
+
+    drm/gem: Check locking in drm_gem_object_unreference
+
+Cc: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+---
+ drivers/gpu/drm/udl/udl_fb.c  | 2 +-
+ drivers/gpu/drm/udl/udl_gem.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
+index 200419d4d43c..18a2acbccb7d 100644
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -538,7 +538,7 @@ static int udlfb_create(struct drm_fb_helper *helper,
+ out_destroy_fbi:
+ 	drm_fb_helper_release_fbi(helper);
+ out_gfree:
+-	drm_gem_object_unreference(&ufbdev->ufb.obj->base);
++	drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base);
+ out:
+ 	return ret;
+ }
+diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c
+index 2a0a784ab6ee..d7528e0d8442 100644
+--- a/drivers/gpu/drm/udl/udl_gem.c
++++ b/drivers/gpu/drm/udl/udl_gem.c
+@@ -52,7 +52,7 @@ udl_gem_create(struct drm_file *file,
+ 		return ret;
+ 	}
+ 
+-	drm_gem_object_unreference(&obj->base);
++	drm_gem_object_unreference_unlocked(&obj->base);
+ 	*handle_p = handle;
+ 	return 0;
+ }
diff --git a/gitrev b/gitrev
index ce69c59b4..05a6a3d01 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-24bc3ea5df2e1d89e9d50ecca57c210b87ad61d2
+02006f7a7a715af10974a30b7ad8e6ee340f954c
diff --git a/kernel.spec b/kernel.spec
index 6fc760455..d2b5c1e2b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -75,7 +75,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 8
 # The git snapshot level
-%define gitrev 0
+%define gitrev 3
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -130,7 +130,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 #  and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
 
 # Want to build a vanilla kernel build without any non-upstream patches?
 %define with_vanilla %{?_without_vanilla: 0} %{?!_without_vanilla: 1}
@@ -615,23 +615,31 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
 #rhbz 1288687
 Patch572: alua_fix.patch
 
+#CVE-2015-8709 rhbz 1295287 1295288
+Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
+
+Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
+
 #rhbz 1275718
-Patch577: 0001-device-property-always-check-for-fwnode-type.patch
-Patch578: 0002-device-property-rename-helper-functions.patch
-Patch579: 0003-device-property-refactor-built-in-properties-support.patch
-Patch580: 0004-device-property-keep-single-value-inplace.patch
-Patch581: 0005-device-property-helper-macros-for-property-entry-cre.patch
-Patch582: 0006-device-property-improve-readability-of-macros.patch
-Patch583: 0007-device-property-return-EINVAL-when-property-isn-t-fo.patch
-Patch584: 0008-device-property-Fallback-to-secondary-fwnode-if-prim.patch
-Patch585: 0009-device-property-Take-a-copy-of-the-property-set.patch
-Patch586: 0010-driver-core-platform-Add-support-for-built-in-device.patch
-Patch587: 0011-driver-core-Do-not-overwrite-secondary-fwnode-with-N.patch
-Patch588: 0012-mfd-core-propagate-device-properties-to-sub-devices-.patch
-Patch589: 0013-mfd-intel-lpss-Add-support-for-passing-device-proper.patch
-Patch590: 0014-mfd-intel-lpss-Pass-SDA-hold-time-to-I2C-host-contro.patch
-Patch591: 0015-mfd-intel-lpss-Pass-HSUART-configuration-via-propert.patch
-Patch592: 0016-i2c-designware-Convert-to-use-unified-device-propert.patch
+Patch605: 0001-device-property-always-check-for-fwnode-type.patch
+Patch606: 0002-device-property-rename-helper-functions.patch
+Patch607: 0003-device-property-refactor-built-in-properties-support.patch
+Patch608: 0004-device-property-keep-single-value-inplace.patch
+Patch609: 0005-device-property-helper-macros-for-property-entry-cre.patch
+Patch610: 0006-device-property-improve-readability-of-macros.patch
+Patch611: 0007-device-property-return-EINVAL-when-property-isn-t-fo.patch
+Patch612: 0008-device-property-Fallback-to-secondary-fwnode-if-prim.patch
+Patch613: 0009-device-property-Take-a-copy-of-the-property-set.patch
+Patch614: 0010-driver-core-platform-Add-support-for-built-in-device.patch
+Patch615: 0011-driver-core-Do-not-overwrite-secondary-fwnode-with-N.patch
+Patch616: 0012-mfd-core-propagate-device-properties-to-sub-devices-.patch
+Patch617: 0013-mfd-intel-lpss-Add-support-for-passing-device-proper.patch
+Patch618: 0014-mfd-intel-lpss-Pass-SDA-hold-time-to-I2C-host-contro.patch
+Patch619: 0015-mfd-intel-lpss-Pass-HSUART-configuration-via-propert.patch
+Patch620: 0016-i2c-designware-Convert-to-use-unified-device-propert.patch
+
+#rhbz 1295646
+Patch621: drm-udl-Use-unlocked-gem-unreferencing.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2079,6 +2087,31 @@ fi
 #
 # 
 %changelog
+* Fri Jan 08 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git3.1
+- Linux v4.4-rc8-36-g02006f7a
+
+* Thu Jan 07 2016 Laura Abbott <labbott@redhat.com>
+- Fix unlocked gem warning (rhbz 1295646)
+
+* Thu Jan 07 2016 Laura Abbott <labbott@redhat.com>
+- Bring back patches for Lenovo Yoga touchpad (rhbz 1275718)
+
+* Thu Jan 07 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git2.1
+- Linux v4.4-rc8-26-gb06f3a1
+
+* Thu Jan 07 2016 Josh Boyer <jwboyer@fedorparoject.org>
+- Quiet i915 gen8 irq messages
+
+* Wed Jan 06 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git1.1
+- Linux v4.4-rc8-5-gee9a7d2
+- Reenable debugging options.
+
+* Tue Jan 05 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8709 ptrace: potential priv escalation with userns (rhbz 1295287 1295288)
+
+* Tue Jan 05 2016 Laura Abbott <labbott@redhat.com>
+- Drop patches for Lenovo Yoga Touchpad (rhbz 1275718)
+
 * Mon Jan 04 2016 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc8.git0.1
 - Linux v4.4-rc8
 - Disable debugging options.
diff --git a/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
new file mode 100644
index 000000000..55c3ab9d1
--- /dev/null
+++ b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
@@ -0,0 +1,108 @@
+From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Sat, 26 Dec 2015 03:52:31 +0100
+Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids
+
+ptrace_has_cap() checks whether the current process should be
+treated as having a certain capability for ptrace checks
+against another process. Until now, this was equivalent to
+has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
+
+However, if a root-owned process wants to enter a user
+namespace for some reason without knowing who owns it and
+therefore can't change to the namespace owner's uid and gid
+before entering, as soon as it has entered the namespace,
+the namespace owner can attach to it via ptrace and thereby
+gain access to its uid and gid.
+
+While it is possible for the entering process to switch to
+the uid of a claimed namespace owner before entering,
+causing the attempt to enter to fail if the claimed uid is
+wrong, this doesn't solve the problem of determining an
+appropriate gid.
+
+With this change, the entering process can first enter the
+namespace and then safely inspect the namespace's
+properties, e.g. through /proc/self/{uid_map,gid_map},
+assuming that the namespace owner doesn't have access to
+uid 0.
+
+Changed in v2: The caller needs to be capable in the
+namespace into which tcred's uids/gids can be mapped.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+---
+ kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
+ 1 file changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 787320de68e0..407c382b45c8 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -20,6 +20,7 @@
+ #include <linux/uio.h>
+ #include <linux/audit.h>
+ #include <linux/pid_namespace.h>
++#include <linux/user_namespace.h>
+ #include <linux/syscalls.h>
+ #include <linux/uaccess.h>
+ #include <linux/regset.h>
+@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
+ 	return ret;
+ }
+ 
+-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
++static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
+ {
++	struct user_namespace *tns = tcred->user_ns;
++
++	/* When a root-owned process enters a user namespace created by a
++	 * malicious user, the user shouldn't be able to execute code under
++	 * uid 0 by attaching to the root-owned process via ptrace.
++	 * Therefore, similar to the capable_wrt_inode_uidgid() check,
++	 * verify that all the uids and gids of the target process are
++	 * mapped into a namespace below the current one in which the caller
++	 * is capable.
++	 * No fsuid/fsgid check because __ptrace_may_access doesn't do it
++	 * either.
++	 */
++	while (
++	    !kuid_has_mapping(tns, tcred->euid) ||
++	    !kuid_has_mapping(tns, tcred->suid) ||
++	    !kuid_has_mapping(tns, tcred->uid)  ||
++	    !kgid_has_mapping(tns, tcred->egid) ||
++	    !kgid_has_mapping(tns, tcred->sgid) ||
++	    !kgid_has_mapping(tns, tcred->gid)) {
++		tns = tns->parent;
++	}
++
+ 	if (mode & PTRACE_MODE_NOAUDIT)
+-		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
++		return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
+ 	else
+-		return has_ns_capability(current, ns, CAP_SYS_PTRACE);
++		return has_ns_capability(current, tns, CAP_SYS_PTRACE);
+ }
+ 
+ /* Returns 0 on success, -errno on denial. */
+@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	    gid_eq(cred->gid, tcred->sgid) &&
+ 	    gid_eq(cred->gid, tcred->gid))
+ 		goto ok;
+-	if (ptrace_has_cap(tcred->user_ns, mode))
++	if (ptrace_has_cap(tcred, mode))
+ 		goto ok;
+ 	rcu_read_unlock();
+ 	return -EPERM;
+@@ -252,7 +275,7 @@ ok:
+ 		dumpable = get_dumpable(task->mm);
+ 	rcu_read_lock();
+ 	if (dumpable != SUID_DUMP_USER &&
+-	    !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
++	    !ptrace_has_cap(__task_cred(task), mode)) {
+ 		rcu_read_unlock();
+ 		return -EPERM;
+ 	}
+-- 
+2.5.0
+
diff --git a/sources b/sources
index 3293d44c9..7061b09ec 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 58b35794eee3b6d52ce7be39357801e7  linux-4.3.tar.xz
 7c516c9528b9f9aac0136944b0200b7e  perf-man-4.3.tar.gz
 70fe8bc57b91cf35f400b176f10da6ec  patch-4.4-rc8.xz
+8f5c7fd9806b4aece5c02ca2c09b6d6c  patch-4.4-rc8-git3.xz