diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-05 09:15:26 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-05 09:15:26 +0200 |
commit | c6f688a1b8ed42af35d2d86d8dc4d4c05d55589b (patch) | |
tree | 808b74f04cf76ae92a4833f9111712388cf38af7 | |
parent | d2a02b99231f946f4e78263d22a321fc8a7a15cd (diff) | |
parent | 80a7c46d89843815652c3e32503b6c265f408fb9 (diff) | |
download | kernel-4.4.8-200.vanilla.knurd.1.fc22.tar.gz kernel-4.4.8-200.vanilla.knurd.1.fc22.tar.xz kernel-4.4.8-200.vanilla.knurd.1.fc22.zip |
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.8-200.vanilla.knurd.1.fc22
-rw-r--r-- | 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch | 169 | ||||
-rw-r--r-- | 0001-cdc-acm-fix-NULL-pointer-reference.patch | 46 | ||||
-rw-r--r-- | 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch | 37 | ||||
-rw-r--r-- | 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch | 45 | ||||
-rw-r--r-- | 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch | 58 | ||||
-rw-r--r-- | USB-usbfs-fix-potential-infoleak-in-devio.patch | 41 | ||||
-rw-r--r-- | USB-usbip-fix-potential-out-of-bounds-write.patch | 45 | ||||
-rw-r--r-- | antenna_select.patch | 227 | ||||
-rw-r--r-- | config-armv7-generic | 1 | ||||
-rw-r--r-- | config-generic | 4 | ||||
-rw-r--r-- | ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch | 97 | ||||
-rw-r--r-- | ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 148 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | usbnet-cleanup-after-bind-in-probe.patch | 39 | ||||
-rw-r--r-- | usbvision-fix-crash-on-detecting-device-with-invalid.patch | 49 | ||||
-rw-r--r-- | x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch | 94 | ||||
-rw-r--r-- | x86-xen-suppress-hugetlbfs-in-PV-guests.patch | 70 |
18 files changed, 795 insertions, 417 deletions
diff --git a/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch b/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch new file mode 100644 index 000000000..a76603900 --- /dev/null +++ b/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch @@ -0,0 +1,169 @@ +From a21211672c9a1d730a39aa65d4a5b3414700adfb Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Wed, 23 Mar 2016 21:07:39 -0700 +Subject: [PATCH] ACPI / processor: Request native thermal interrupt handling + via _OSC + +There are several reports of freeze on enabling HWP (Hardware PStates) +feature on Skylake-based systems by the Intel P-states driver. The root +cause is identified as the HWP interrupts causing BIOS code to freeze. + +HWP interrupts use the thermal LVT which can be handled by Linux +natively, but on the affected Skylake-based systems SMM will respond +to it by default. This is a problem for several reasons: + - On the affected systems the SMM thermal LVT handler is broken (it + will crash when invoked) and a BIOS update is necessary to fix it. + - With thermal interrupt handled in SMM we lose all of the reporting + features of the arch/x86/kernel/cpu/mcheck/therm_throt driver. + - Some thermal drivers like x86-package-temp depend on the thermal + threshold interrupts signaled via the thermal LVT. + - The HWP interrupts are useful for debugging and tuning + performance (if the kernel can handle them). +The native handling of thermal interrupts needs to be enabled +because of that. + +This requires some way to tell SMM that the OS can handle thermal +interrupts. That can be done by using _OSC/_PDC in processor +scope very early during ACPI initialization. + +The meaning of _OSC/_PDC bit 12 in processor scope is whether or +not the OS supports native handling of interrupts for Collaborative +Processor Performance Control (CPPC) notifications. Since on +HWP-capable systems CPPC is a firmware interface to HWP, setting +this bit effectively tells the firmware that the OS will handle +thermal interrupts natively going forward. + +For details on _OSC/_PDC refer to: +http://www.intel.com/content/www/us/en/standards/processor-vendor-specific-acpi-specification.html + +To implement the _OSC/_PDC handshake as described, introduce a new +function, acpi_early_processor_osc(), that walks the ACPI +namespace looking for ACPI processor objects and invokes _OSC for +them with bit 12 in the capabilities buffer set and terminates the +namespace walk on the first success. + +Also modify intel_thermal_interrupt() to clear HWP status bits in +the HWP_STATUS MSR to acknowledge HWP interrupts (which prevents +them from firing continuously). + +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +[ rjw: Subject & changelog, function rename ] +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +--- + arch/x86/kernel/cpu/mcheck/therm_throt.c | 3 ++ + drivers/acpi/acpi_processor.c | 52 ++++++++++++++++++++++++++++++++ + drivers/acpi/bus.c | 3 ++ + drivers/acpi/internal.h | 6 ++++ + 4 files changed, 64 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c +index 2c5aaf8..0553858 100644 +--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c ++++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c +@@ -385,6 +385,9 @@ static void intel_thermal_interrupt(void) + { + __u64 msr_val; + ++ if (static_cpu_has(X86_FEATURE_HWP)) ++ wrmsrl_safe(MSR_HWP_STATUS, 0); ++ + rdmsrl(MSR_IA32_THERM_STATUS, msr_val); + + /* Check for violation of core thermal thresholds*/ +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index b5e54f2..0d92d0f 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -491,6 +491,58 @@ static void acpi_processor_remove(struct acpi_device *device) + } + #endif /* CONFIG_ACPI_HOTPLUG_CPU */ + ++#ifdef CONFIG_X86 ++static bool acpi_hwp_native_thermal_lvt_set; ++static acpi_status __init acpi_hwp_native_thermal_lvt_osc(acpi_handle handle, ++ u32 lvl, ++ void *context, ++ void **rv) ++{ ++ u8 sb_uuid_str[] = "4077A616-290C-47BE-9EBD-D87058713953"; ++ u32 capbuf[2]; ++ struct acpi_osc_context osc_context = { ++ .uuid_str = sb_uuid_str, ++ .rev = 1, ++ .cap.length = 8, ++ .cap.pointer = capbuf, ++ }; ++ ++ if (acpi_hwp_native_thermal_lvt_set) ++ return AE_CTRL_TERMINATE; ++ ++ capbuf[0] = 0x0000; ++ capbuf[1] = 0x1000; /* set bit 12 */ ++ ++ if (ACPI_SUCCESS(acpi_run_osc(handle, &osc_context))) { ++ if (osc_context.ret.pointer && osc_context.ret.length > 1) { ++ u32 *capbuf_ret = osc_context.ret.pointer; ++ ++ if (capbuf_ret[1] & 0x1000) { ++ acpi_handle_info(handle, ++ "_OSC native thermal LVT Acked\n"); ++ acpi_hwp_native_thermal_lvt_set = true; ++ } ++ } ++ kfree(osc_context.ret.pointer); ++ } ++ ++ return AE_OK; ++} ++ ++void __init acpi_early_processor_osc(void) ++{ ++ if (boot_cpu_has(X86_FEATURE_HWP)) { ++ acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT, ++ ACPI_UINT32_MAX, ++ acpi_hwp_native_thermal_lvt_osc, ++ NULL, NULL, NULL); ++ acpi_get_devices(ACPI_PROCESSOR_DEVICE_HID, ++ acpi_hwp_native_thermal_lvt_osc, ++ NULL, NULL); ++ } ++} ++#endif ++ + /* + * The following ACPI IDs are known to be suitable for representing as + * processor devices. +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index 891c42d..f9081b7 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1005,6 +1005,9 @@ static int __init acpi_bus_init(void) + goto error1; + } + ++ /* Set capability bits for _OSC under processor scope */ ++ acpi_early_processor_osc(); ++ + /* + * _OSC method may exist in module level code, + * so it must be run after ACPI_FULL_INITIALIZATION +diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h +index 1e6833a..6f41c73 100644 +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -138,6 +138,12 @@ void acpi_early_processor_set_pdc(void); + static inline void acpi_early_processor_set_pdc(void) {} + #endif + ++#ifdef CONFIG_X86 ++void acpi_early_processor_osc(void); ++#else ++static inline void acpi_early_processor_osc(void) {} ++#endif ++ + /* -------------------------------------------------------------------------- + Embedded Controller + -------------------------------------------------------------------------- */ +-- +2.5.5 + diff --git a/0001-cdc-acm-fix-NULL-pointer-reference.patch b/0001-cdc-acm-fix-NULL-pointer-reference.patch deleted file mode 100644 index 3d63411c0..000000000 --- a/0001-cdc-acm-fix-NULL-pointer-reference.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 29c6dd591bbd592472247441de9fa694acdabae8 Mon Sep 17 00:00:00 2001 -From: Oliver Neukum <oneukum@suse.com> -Date: Thu, 7 Jan 2016 11:01:00 +0100 -Subject: [PATCH] cdc-acm: fix NULL pointer reference - -The union descriptor must be checked. Its usage was conditional -before the parser was introduced. This is important, because -many RNDIS device, which also use the common parser, have -bogus extra descriptors. - -Signed-off-by: Oliver Neukum <oneukum@suse.com> -Tested-by: Vasily Galkin <galkin-vv@yandex.ru> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/usb/cdc_ether.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c -index 3da70bf..7cba2c3 100644 ---- a/drivers/net/usb/cdc_ether.c -+++ b/drivers/net/usb/cdc_ether.c -@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) - info->u = header.usb_cdc_union_desc; - info->header = header.usb_cdc_header_desc; - info->ether = header.usb_cdc_ether_desc; -+ if (!info->u) { -+ if (rndis) -+ goto skip; -+ else /* in that case a quirk is mandatory */ -+ goto bad_desc; -+ } - /* we need a master/control interface (what we're - * probed with) and a slave/data interface; union - * descriptors sort this all out. -@@ -256,7 +262,7 @@ skip: - goto bad_desc; - } - -- } else if (!info->header || !info->u || (!rndis && !info->ether)) { -+ } else if (!info->header || (!rndis && !info->ether)) { - dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n", - info->header ? "" : "header ", - info->u ? "" : "union ", --- -2.5.0 - diff --git a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch new file mode 100644 index 000000000..d26c5d52d --- /dev/null +++ b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch @@ -0,0 +1,37 @@ +From 88fd0f33c3cc5aa6a26f56902241941ac717e9f8 Mon Sep 17 00:00:00 2001 +From: Peter Robinson <pbrobinson@gmail.com> +Date: Wed, 27 Apr 2016 13:44:05 +0100 +Subject: [PATCH] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading + +--- + drivers/gpu/ipu-v3/ipu-common.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index e00db3f..abb98c7 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -1068,7 +1068,6 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) + goto err_register; + } + +- pdev->dev.of_node = of_node; + pdev->dev.parent = dev; + + ret = platform_device_add_data(pdev, ®->pdata, +@@ -1079,6 +1078,12 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) + platform_device_put(pdev); + goto err_register; + } ++ ++ /* ++ * Set of_node only after calling platform_device_add. Otherwise ++ * the platform:imx-ipuv3-crtc modalias won't be used. ++ */ ++ pdev->dev.of_node = of_node; + } + + return 0; +-- +2.7.4 + diff --git a/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch b/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch deleted file mode 100644 index b6c446829..000000000 --- a/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 79abe2bd501d628b165f323098d6972d69bd13d7 Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Wed, 16 Mar 2016 13:20:51 +0100 -Subject: [PATCH] uas: Limit qdepth at the scsi-host level - -Commit 64d513ac31bd ("scsi: use host wide tags by default") causes -the scsi-core to queue more cmnds then we can handle on devices with -multiple LUNs, limit the qdepth at the scsi-host level instead of -per slave to fix this. - -BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013 -Cc: stable@vger.kernel.org # 4.4.x and 4.5.x -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/usb/storage/uas.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c -index c90a7e4..b5cb7ab 100644 ---- a/drivers/usb/storage/uas.c -+++ b/drivers/usb/storage/uas.c -@@ -800,7 +800,6 @@ static int uas_slave_configure(struct scsi_device *sdev) - if (devinfo->flags & US_FL_BROKEN_FUA) - sdev->broken_fua = 1; - -- scsi_change_queue_depth(sdev, devinfo->qdepth - 2); - return 0; - } - -@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id) - if (result) - goto set_alt0; - -+ /* -+ * 1 tag is reserved for untagged commands + -+ * 1 tag to avoid of by one errors in some bridge firmwares -+ */ -+ shost->can_queue = devinfo->qdepth - 2; -+ - usb_set_intfdata(intf, shost); - result = scsi_add_host(shost, &intf->dev); - if (result) --- -2.7.3 - diff --git a/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch b/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch deleted file mode 100644 index e2dbabe83..000000000 --- a/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch +++ /dev/null @@ -1,58 +0,0 @@ -From patchwork Mon Nov 23 09:32:42 2015 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [09/29] drm/udl: Use unlocked gem unreferencing -From: Daniel Vetter <daniel.vetter@ffwll.ch> -X-Patchwork-Id: 65722 -Message-Id: <1448271183-20523-10-git-send-email-daniel.vetter@ffwll.ch> -To: DRI Development <dri-devel@lists.freedesktop.org> -Cc: Daniel Vetter <daniel.vetter@intel.com>, - Daniel Vetter <daniel.vetter@ffwll.ch>, - Intel Graphics Development <intel-gfx@lists.freedesktop.org>, - Dave Airlie <airlied@redhat.com> -Date: Mon, 23 Nov 2015 10:32:42 +0100 - -For drm_gem_object_unreference callers are required to hold -dev->struct_mutex, which these paths don't. Enforcing this requirement -has become a bit more strict with - -commit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663 -Author: Daniel Vetter <daniel.vetter@ffwll.ch> -Date: Thu Oct 15 09:36:25 2015 +0200 - - drm/gem: Check locking in drm_gem_object_unreference - -Cc: Dave Airlie <airlied@redhat.com> -Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> ---- - drivers/gpu/drm/udl/udl_fb.c | 2 +- - drivers/gpu/drm/udl/udl_gem.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c -index 200419d4d43c..18a2acbccb7d 100644 ---- a/drivers/gpu/drm/udl/udl_fb.c -+++ b/drivers/gpu/drm/udl/udl_fb.c -@@ -538,7 +538,7 @@ static int udlfb_create(struct drm_fb_helper *helper, - out_destroy_fbi: - drm_fb_helper_release_fbi(helper); - out_gfree: -- drm_gem_object_unreference(&ufbdev->ufb.obj->base); -+ drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base); - out: - return ret; - } -diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c -index 2a0a784ab6ee..d7528e0d8442 100644 ---- a/drivers/gpu/drm/udl/udl_gem.c -+++ b/drivers/gpu/drm/udl/udl_gem.c -@@ -52,7 +52,7 @@ udl_gem_create(struct drm_file *file, - return ret; - } - -- drm_gem_object_unreference(&obj->base); -+ drm_gem_object_unreference_unlocked(&obj->base); - *handle_p = handle; - return 0; - } diff --git a/USB-usbfs-fix-potential-infoleak-in-devio.patch b/USB-usbfs-fix-potential-infoleak-in-devio.patch new file mode 100644 index 000000000..48360c930 --- /dev/null +++ b/USB-usbfs-fix-potential-infoleak-in-devio.patch @@ -0,0 +1,41 @@ +From 7adc5cbc25dcc47dc3856108d9823d08da75da9d Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:32:16 -0400 +Subject: [PATCH] USB: usbfs: fix potential infoleak in devio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “ci” has a total size of 8 bytes. Its last 3 bytes +are padding bytes which are not initialized and leaked to userland +via “copy_to_user”. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/core/devio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 52c4461dfccd..9b7f1f75e887 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) + + static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci = { +- .devnum = ps->dev->devnum, +- .slow = ps->dev->speed == USB_SPEED_LOW +- }; ++ struct usbdevfs_connectinfo ci; ++ ++ memset(&ci, 0, sizeof(ci)); ++ ci.devnum = ps->dev->devnum; ++ ci.slow = ps->dev->speed == USB_SPEED_LOW; + + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT; +-- +2.5.5 + diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch new file mode 100644 index 000000000..3d9f7c294 --- /dev/null +++ b/USB-usbip-fix-potential-out-of-bounds-write.patch @@ -0,0 +1,45 @@ +From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001 +From: Ignat Korchagin <ignat.korchagin@gmail.com> +Date: Thu, 17 Mar 2016 18:00:29 +0000 +Subject: [PATCH] USB: usbip: fix potential out-of-bounds write + +Fix potential out-of-bounds write to urb->transfer_buffer +usbip handles network communication directly in the kernel. When receiving a +packet from its peer, usbip code parses headers according to protocol. As +part of this parsing urb->actual_length is filled. Since the input for +urb->actual_length comes from the network, it should be treated as untrusted. +Any entity controlling the network may put any value in the input and the +preallocated urb->transfer_buffer may not be large enough to hold the data. +Thus, the malicious entity is able to write arbitrary data to kernel memory. + +Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/usbip/usbip_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index facaaf003f19..e40da7759a0e 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb) + if (!(size > 0)) + return 0; + ++ if (size > urb->transfer_buffer_length) { ++ /* should not happen, probably malicious packet */ ++ if (ud->side == USBIP_STUB) { ++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); ++ return 0; ++ } else { ++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); ++ return -EPIPE; ++ } ++ } ++ + ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size); + if (ret != size) { + dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret); +-- +2.5.5 + diff --git a/antenna_select.patch b/antenna_select.patch new file mode 100644 index 000000000..15763e9bc --- /dev/null +++ b/antenna_select.patch @@ -0,0 +1,227 @@ +From c18d8f5095715c56bb3cd9cba64242542632054b Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 16 Mar 2016 13:33:34 -0500 +Subject: rtlwifi: rtl8723be: Add antenna select module parameter + +A number of new laptops have been delivered with only a single antenna. +In principle, this is OK; however, a problem arises when the on-board +EEPROM is programmed to use the other antenna connection. The option +of opening the computer and moving the connector is not always possible +as it will void the warranty in some cases. In addition, this solution +breaks the Windows driver when the box dual boots Linux and Windows. + +A fix involving a new module parameter has been developed. This commit +adds the new parameter and implements the changes needed for the driver. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Stable <stable@vger.kernel.org> [V4.0+] +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c | 5 +++++ + drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c | 3 +++ + drivers/net/wireless/realtek/rtlwifi/wifi.h | 3 +++ + 3 files changed, 11 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c +index c983d2f..5a3df91 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c +@@ -2684,6 +2684,7 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw, + bool auto_load_fail, u8 *hwinfo) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); ++ struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params; + u8 value; + u32 tmpu_32; + +@@ -2702,6 +2703,10 @@ void rtl8723be_read_bt_coexist_info_from_hwpg(struct ieee80211_hw *hw, + rtlpriv->btcoexist.btc_info.ant_num = ANT_X2; + } + ++ /* override ant_num / ant_path */ ++ if (mod_params->ant_sel) ++ rtlpriv->btcoexist.btc_info.ant_num = ++ (mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1); + } + + void rtl8723be_bt_reg_init(struct ieee80211_hw *hw) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c +index a78eaed..2101793 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c +@@ -273,6 +273,7 @@ static struct rtl_mod_params rtl8723be_mod_params = { + .msi_support = false, + .disable_watchdog = false, + .debug = DBG_EMERG, ++ .ant_sel = 0, + }; + + static struct rtl_hal_cfg rtl8723be_hal_cfg = { +@@ -394,6 +395,7 @@ module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444); + module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444); + module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog, + bool, 0444); ++module_param_named(ant_sel, rtl8723be_mod_params.ant_sel, int, 0444); + MODULE_PARM_DESC(swenc, "Set to 1 for software crypto (default 0)\n"); + MODULE_PARM_DESC(ips, "Set to 0 to not use link power save (default 1)\n"); + MODULE_PARM_DESC(swlps, "Set to 1 to use SW control power save (default 0)\n"); +@@ -402,6 +404,7 @@ MODULE_PARM_DESC(msi, "Set to 1 to use MSI interrupts mode (default 0)\n"); + MODULE_PARM_DESC(debug, "Set debug level (0-5) (default 0)"); + MODULE_PARM_DESC(disable_watchdog, + "Set to 1 to disable the watchdog (default 0)\n"); ++MODULE_PARM_DESC(ant_sel, "Set to 1 or 2 to force antenna number (default 0)\n"); + + static SIMPLE_DEV_PM_OPS(rtlwifi_pm_ops, rtl_pci_suspend, rtl_pci_resume); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index 554d814..93bd7fc 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2246,6 +2246,9 @@ struct rtl_mod_params { + + /* default 0: 1 means do not disable interrupts */ + bool int_clear; ++ ++ /* select antenna */ ++ int ant_sel; + }; + + struct rtl_hal_usbint_cfg { +-- +cgit v0.12 + +From baa1702290953295e421f0f433e2b1ff4815827c Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 16 Mar 2016 13:33:35 -0500 +Subject: rtlwifi: btcoexist: Implement antenna selection + +The previous patch added an option to rtl8723be to manually select the +antenna for those cases when only a single antenna is present, and the +on-board EEPROM is incorrectly programmed. This patch implements the +necessary changes in the Bluetooth coexistence driver. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Stable <stable@vger.kernel.org> [V4.0+] +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + .../realtek/rtlwifi/btcoexist/halbtc8723b2ant.c | 9 ++++++-- + .../realtek/rtlwifi/btcoexist/halbtcoutsrc.c | 27 +++++++++++++++++++++- + .../realtek/rtlwifi/btcoexist/halbtcoutsrc.h | 2 +- + .../wireless/realtek/rtlwifi/btcoexist/rtl_btc.c | 5 +++- + 4 files changed, 38 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c +index c43ab59..77cbd10 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c +@@ -1203,7 +1203,6 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist, + + /* Force GNT_BT to low */ + btcoexist->btc_write_1byte_bitmask(btcoexist, 0x765, 0x18, 0x0); +- btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); + + if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) { + /* tell firmware "no antenna inverse" */ +@@ -1211,19 +1210,25 @@ static void btc8723b2ant_set_ant_path(struct btc_coexist *btcoexist, + h2c_parameter[1] = 1; /* ext switch type */ + btcoexist->btc_fill_h2c(btcoexist, 0x65, 2, + h2c_parameter); ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); + } else { + /* tell firmware "antenna inverse" */ + h2c_parameter[0] = 1; + h2c_parameter[1] = 1; /* ext switch type */ + btcoexist->btc_fill_h2c(btcoexist, 0x65, 2, + h2c_parameter); ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280); + } + } + + /* ext switch setting */ + if (use_ext_switch) { + /* fixed internal switch S1->WiFi, S0->BT */ +- btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); ++ if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); ++ else ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280); ++ + switch (antpos_type) { + case BTC_ANT_WIFI_AT_MAIN: + /* ext switch main at wifi */ +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c +index b2791c8..babd149 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c +@@ -965,13 +965,38 @@ void exhalbtc_set_chip_type(u8 chip_type) + } + } + +-void exhalbtc_set_ant_num(u8 type, u8 ant_num) ++void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num) + { + if (BT_COEX_ANT_TYPE_PG == type) { + gl_bt_coexist.board_info.pg_ant_num = ant_num; + gl_bt_coexist.board_info.btdm_ant_num = ant_num; ++ /* The antenna position: ++ * Main (default) or Aux for pgAntNum=2 && btdmAntNum =1. ++ * The antenna position should be determined by ++ * auto-detect mechanism. ++ * The following is assumed to main, ++ * and those must be modified ++ * if y auto-detect mechanism is ready ++ */ ++ if ((gl_bt_coexist.board_info.pg_ant_num == 2) && ++ (gl_bt_coexist.board_info.btdm_ant_num == 1)) ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; ++ else ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; + } else if (BT_COEX_ANT_TYPE_ANTDIV == type) { + gl_bt_coexist.board_info.btdm_ant_num = ant_num; ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; ++ } else if (type == BT_COEX_ANT_TYPE_DETECTED) { ++ gl_bt_coexist.board_info.btdm_ant_num = ant_num; ++ if (rtlpriv->cfg->mod_params->ant_sel == 1) ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_AUX_PORT; ++ else ++ gl_bt_coexist.board_info.btdm_ant_pos = ++ BTC_ANTENNA_AT_MAIN_PORT; + } + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h +index 0a903ea..f41ca57 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.h +@@ -535,7 +535,7 @@ void exhalbtc_set_bt_patch_version(u16 bt_hci_version, u16 bt_patch_version); + void exhalbtc_update_min_bt_rssi(char bt_rssi); + void exhalbtc_set_bt_exist(bool bt_exist); + void exhalbtc_set_chip_type(u8 chip_type); +-void exhalbtc_set_ant_num(u8 type, u8 ant_num); ++void exhalbtc_set_ant_num(struct rtl_priv *rtlpriv, u8 type, u8 ant_num); + void exhalbtc_display_bt_coex_info(struct btc_coexist *btcoexist); + void exhalbtc_signal_compensation(struct btc_coexist *btcoexist, + u8 *rssi_wifi, u8 *rssi_bt); +diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c b/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c +index b9b0cb7..d3fd921 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c +@@ -72,7 +72,10 @@ void rtl_btc_init_hal_vars(struct rtl_priv *rtlpriv) + __func__, bt_type); + exhalbtc_set_chip_type(bt_type); + +- exhalbtc_set_ant_num(BT_COEX_ANT_TYPE_PG, ant_num); ++ if (rtlpriv->cfg->mod_params->ant_sel == 1) ++ exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_DETECTED, 1); ++ else ++ exhalbtc_set_ant_num(rtlpriv, BT_COEX_ANT_TYPE_PG, ant_num); + } + + void rtl_btc_init_hw_config(struct rtl_priv *rtlpriv) +-- +cgit v0.12 + diff --git a/config-armv7-generic b/config-armv7-generic index 23068c57a..717c23320 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -779,7 +779,6 @@ CONFIG_LIBERTAS_SPI=m CONFIG_P54_SPI=m CONFIG_P54_SPI_DEFAULT_EEPROM=n CONFIG_MICREL_KS8995MA=m -CONFIG_IEEE802154_AT86RF230=m CONFIG_IEEE802154_MRF24J40=m CONFIG_ARM_KPROBES_TEST=m diff --git a/config-generic b/config-generic index 508543b4f..f796b90f2 100644 --- a/config-generic +++ b/config-generic @@ -1945,10 +1945,10 @@ CONFIG_IEEE802154_DRIVERS=m CONFIG_IEEE802154_FAKELB=m CONFIG_IEEE802154_ATUSB=m CONFIG_IEEE802154_CC2520=m -# CONFIG_IEEE802154_AT86RF230 is not set +CONFIG_IEEE802154_AT86RF230=m +# CONFIG_IEEE802154_AT86RF230_DEBUGFS is not set # CONFIG_IEEE802154_MRF24J40 is not set # CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set -# CONFIG_IEEE802154_AT86RF230_DEBUGFS is not set CONFIG_MAC802154=m CONFIG_NET_MPLS_GSO=m diff --git a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch deleted file mode 100644 index 48e4762e3..000000000 --- a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch +++ /dev/null @@ -1,97 +0,0 @@ -From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001 -From: "David S. Miller" <davem@davemloft.net> -Date: Sun, 13 Mar 2016 23:28:00 -0400 -Subject: ipv4: Don't do expensive useless work during inetdev destroy. - -When an inetdev is destroyed, every address assigned to the interface -is removed. And in this scenerio we do two pointless things which can -be very expensive if the number of assigned interfaces is large: - -1) Address promotion. We are deleting all addresses, so there is no - point in doing this. - -2) A full nf conntrack table purge for every address. We only need to - do this once, as is already caught by the existing - masq_dev_notifier so masq_inet_event() can skip this. - -Reported-by: Solar Designer <solar@openwall.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Tested-by: Cyrill Gorcunov <gorcunov@openvz.org> ---- - net/ipv4/devinet.c | 4 ++++ - net/ipv4/fib_frontend.c | 4 ++++ - net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++-- - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c -index 65e76a4..e333bc8 100644 ---- a/net/ipv4/devinet.c -+++ b/net/ipv4/devinet.c -@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, - - ASSERT_RTNL(); - -+ if (in_dev->dead) -+ goto no_promotions; -+ - /* 1. Deleting primary ifaddr forces deletion all secondaries - * unless alias promotion is set - **/ -@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, - fib_del_ifaddr(ifa, ifa1); - } - -+no_promotions: - /* 2. Unlink it */ - - *ifap = ifa1->ifa_next; -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 4734475..21add55 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - subnet = 1; - } - -+ if (in_dev->dead) -+ goto no_promotions; -+ - /* Deletion is more complicated than add. - * We should take care of not to delete too much :-) - * -@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - } - } - -+no_promotions: - if (!(ok & BRD_OK)) - fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim); - if (subnet && ifa->ifa_prefixlen < 31) { -diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -index c6eb421..ea91058 100644 ---- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -+++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c -@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this, - unsigned long event, - void *ptr) - { -- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev; -+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev; - struct netdev_notifier_info info; - -- netdev_notifier_info_init(&info, dev); -+ /* The masq_dev_notifier will catch the case of the device going -+ * down. So if the inetdev is dead and being destroyed we have -+ * no work to do. Otherwise this is an individual address removal -+ * and we have to perform the flush. -+ */ -+ if (idev->dead) -+ return NOTIFY_DONE; -+ -+ netdev_notifier_info_init(&info, idev->dev); - return masq_device_event(this, event, &info); - } - --- -cgit v0.12 - diff --git a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch new file mode 100644 index 000000000..9e4cf4e0e --- /dev/null +++ b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch @@ -0,0 +1,40 @@ +From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni <pabeni@redhat.com> +Date: Thu, 21 Apr 2016 20:23:31 -0400 +Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if + in_dev is dead + +After commit fbd40ea0180a ("ipv4: Don't do expensive useless work +during inetdev destroy.") when deleting an interface, +fib_del_ifaddr() can be executed without any primary address +present on the dead interface. + +The above is safe, but triggers some "bug: prim == NULL" warnings. + +This commit avoids warning if the in_dev is dead + +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +--- + net/ipv4/fib_frontend.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 8a9246deccfe..63566ec54794 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) + if (ifa->ifa_flags & IFA_F_SECONDARY) { + prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask); + if (!prim) { +- pr_warn("%s: bug: prim == NULL\n", __func__); ++ /* if the device has been deleted, we don't perform ++ * address promotion ++ */ ++ if (!in_dev->dead) ++ pr_warn("%s: bug: prim == NULL\n", __func__); + return; + } + if (iprim && iprim != prim) { +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index bed17f105..f2b313d44 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -362,7 +362,7 @@ Summary: The Linux kernel # Packages that need to be installed before the kernel is, because the %%post # scripts use them. # -%define kernel_prereq fileutils, systemd >= 203-2 +%define kernel_prereq fileutils, systemd >= 203-2, /usr/bin/kernel-install %define initrd_prereq dracut >= 027 @@ -521,6 +521,8 @@ Patch05: kbuild-AFTER_LINK.patch Patch451: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +Patch452: 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch + Patch454: arm64-avoid-needing-console-to-enable-serial-console.patch Patch456: arm64-acpi-drop-expert-patch.patch @@ -607,9 +609,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch -#CVE-2015-7833 rhbz 1270158 1270160 -Patch567: usbvision-fix-crash-on-detecting-device-with-invalid.patch - #rhbz 1287819 Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch @@ -640,27 +639,15 @@ Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch #rhbz 1310252 1313318 Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch -#rhbz 1316719 -Patch662: 0001-cdc-acm-fix-NULL-pointer-reference.patch - #CVE-2016-3135 rhbz 1317386 1317387 Patch664: netfilter-x_tables-check-for-size-overflow.patch #CVE-2016-3134 rhbz 1317383 1317384 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch -#CVE-2016-3135 rhbz 1318172 1318270 -Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch - -#rhbz 1315013 -Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch - #CVE-2016-2187 rhbz 1317017 1317010 Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch -#rhbz 1295646 -Patch688: 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch - # CVE-2016-3672 rhbz 1324749 1324750 Patch690: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch @@ -672,10 +659,27 @@ Patch694: ext4-fix-races-of-writeback-with-punch-hole-and-zero.patch #CVE-2016-3951 rhbz 1324782 1324815 Patch695: cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch -Patch696: usbnet-cleanup-after-bind-in-probe.patch -#rhbz 1317116 -Patch697: HID-wacom-fix-Bamboo-ONE-oops.patch +#rhbz 1309980 +Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch + +# CVE-2016-3961 rhbz 1327219 1323956 +Patch699: x86-xen-suppress-hugetlbfs-in-PV-guests.patch + +# CVE-2016-3955 rhbz 1328478 1328479 +Patch700: USB-usbip-fix-potential-out-of-bounds-write.patch + +#rhbz 1309487 +Patch701: antenna_select.patch + +# Follow on for CVE-2016-3156 +Patch702: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch + +# Stop splashing crap about broken firmware BGRT +Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch + +#CVE-2016-4482 rhbz 1332931 1332932 +Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch # END OF PATCH DEFINITIONS %endif @@ -1250,6 +1254,8 @@ ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch ApplyPatch arm64-acpi-drop-expert-patch.patch +ApplyPatch 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch + ApplyPatch ARM-tegra-usb-no-reset.patch ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch @@ -1332,9 +1338,6 @@ ApplyPatch drm-i915-turn-off-wc-mmaps.patch ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch -#CVE-2015-7833 rhbz 1270158 1270160 -ApplyPatch usbvision-fix-crash-on-detecting-device-with-invalid.patch - #rhbz 1287819 ApplyPatch HID-multitouch-enable-palm-rejection-if-device-imple.patch @@ -1365,68 +1368,15 @@ ApplyPatch pipe-limit-the-per-user-amount-of-pages-allocated-in.patch #rhbz 1310252 1313318 ApplyPatch 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch -ApplyPatch 0001-cdc-acm-fix-NULL-pointer-reference.patch - -#rhbz 1316136 -ApplyPatch USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch - #CVE-2016-3135 rhbz 1317386 1317387 ApplyPatch netfilter-x_tables-check-for-size-overflow.patch #CVE-2016-3134 rhbz 1317383 1317384 ApplyPatch netfilter-x_tables-deal-with-bogus-nextoffset-values.patch -#CVE-2016-3135 rhbz 1318172 1318270 -ApplyPatch ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch - -#CVE-2016-2184 rhbz 1317012 1317470 -ApplyPatch ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch -ApplyPatch ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch -ApplyPatch ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch -ApplyPatch ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch - -#CVE-2016-3137 rhbz 1317010 1316996 -ApplyPatch cypress_m8-add-sanity-checking.patch - -#CVE-2016-2186 rhbz 1317015 1317464 -ApplyPatch USB-input-powermate-fix-oops-with-malicious-USB-desc.patch - -#CVE-2016-2188 rhbz 1317018 1317467 -ApplyPatch USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch - -#CVE-2016-2185 rhbz 1317014 1317471 -ApplyPatch usb_driver_claim_interface-add-sanity-checking.patch -ApplyPatch Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch - -#CVE-2016-3138 rhbz 1317010 1316204 -ApplyPatch cdc-acm-more-sanity-checking.patch - -#CVE-2016-3140 rhbz 1317010 1316995 -ApplyPatch digi_acceleport-do-sanity-checking-for-the-number-of.patch - -ApplyPatch ims-pcu-sanity-check-against-missing-interfaces.patch - -#rhbz 1315013 -ApplyPatch 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch - -#rhbz 1317190 -ApplyPatch thermal-fix.patch - -#rhbz 1318079 -ApplyPatch 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch - #CVE-2016-2187 rhbz 1317017 1317010 ApplyPatch input-gtco-fix-crash-on-detecting-device-without-end.patch -#CVE-2016-3136 rhbz 1317007 1317010 -ApplyPatch mct_u232-sanity-checking-in-probe.patch - -#rhbz 1295646 -ApplyPatch 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch - -# CVE-2016-3157 rhbz 1315711 1321948 -ApplyPatch x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch - # CVE-2016-3672 rhbz 1324749 1324750 ApplyPatch x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch @@ -1438,10 +1388,24 @@ ApplyPatch ext4-fix-races-of-writeback-with-punch-hole-and-zero.patch #CVE-2016-3951 rhbz 1324782 1324815 ApplyPatch cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch -ApplyPatch usbnet-cleanup-after-bind-in-probe.patch -#rhbz 1317116 -ApplyPatch HID-wacom-fix-Bamboo-ONE-oops.patch +#rhbz 1309980 +ApplyPatch 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch + +# CVE-2016-3961 rhbz 1327219 1323956 +ApplyPatch x86-xen-suppress-hugetlbfs-in-PV-guests.patch + +# CVE-2016-3955 rhbz 1328478 1328479 +ApplyPatch USB-usbip-fix-potential-out-of-bounds-write.patch + +#rhbz 1309487 +ApplyPatch antenna_select.patch + +# Follow on for CVE-2016-3156 +ApplyPatch ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch + +#CVE-2016-4482 rhbz 1332931 1332932 +ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch # END OF PATCH APPLICATIONS @@ -2292,6 +2256,32 @@ fi # # %changelog +* Wed May 04 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932) + +* Fri Apr 29 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Add patch to fix i.MX6 graphics + +* Thu Apr 28 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Don't splash warnings from broken BGRT firmware implementations +- Require /usr/bin/kernel-install (rhbz 1331012) + +* Tue Apr 26 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Enable IEEE802154_AT86RF230 on more arches (rhbz 1330356) + +* Wed Apr 20 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.8-200 +- Linux v4.4.8 +- Allow antenna selection for rtl8723be (rhbz 1309487) + +* Tue Apr 19 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3955 usbip: buffer overflow by trusting length of incoming packets (rhbz 1328478 1328479) + +* Fri Apr 15 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3961 xen: hugetlbfs use may crash PV guests (rhbz 1327219 1323956) + +* Wed Apr 13 2016 Laura Abbott <labbott@fedoraproject.org> +- Fix for Skylake pstate issues (rhbz 1309980) + * Tue Apr 12 2016 Laura Abbott <labbott@redhat.com> - 4.4.7-200 - Linux v4.4.7 @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -2286314f215706401dd51bf07b179ae4 patch-4.4.7.xz +c1d8f46e5b2ee7c925fc38f20a3726d3 patch-4.4.8.xz diff --git a/usbnet-cleanup-after-bind-in-probe.patch b/usbnet-cleanup-after-bind-in-probe.patch deleted file mode 100644 index dc231a943..000000000 --- a/usbnet-cleanup-after-bind-in-probe.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1666984c8625b3db19a9abc298931d35ab7bc64b Mon Sep 17 00:00:00 2001 -From: Oliver Neukum <oneukum@suse.com> -Date: Mon, 7 Mar 2016 11:31:10 +0100 -Subject: [PATCH] usbnet: cleanup after bind() in probe() - -In case bind() works, but a later error forces bailing -in probe() in error cases work and a timer may be scheduled. -They must be killed. This fixes an error case related to -the double free reported in -http://www.spinics.net/lists/netdev/msg367669.html -and needs to go on top of Linus' fix to cdc-ncm. - -Signed-off-by: Oliver Neukum <ONeukum@suse.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - drivers/net/usb/usbnet.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c -index 0b0ba7ef14e4..10798128c03f 100644 ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -1769,6 +1769,13 @@ out3: - if (info->unbind) - info->unbind (dev, udev); - out1: -+ /* subdrivers must undo all they did in bind() if they -+ * fail it, but we may fail later and a deferred kevent -+ * may trigger an error resubmitting itself and, worse, -+ * schedule a timer. So we kill it all just in case. -+ */ -+ cancel_work_sync(&dev->kevent); -+ del_timer_sync(&dev->delay); - free_netdev(net); - out: - return status; --- -2.5.5 - diff --git a/usbvision-fix-crash-on-detecting-device-with-invalid.patch b/usbvision-fix-crash-on-detecting-device-with-invalid.patch deleted file mode 100644 index a03e37907..000000000 --- a/usbvision-fix-crash-on-detecting-device-with-invalid.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 2ea39fc263c6a7589e15edb7d2d1c89fa569be53 Mon Sep 17 00:00:00 2001 -From: Vladis Dronov <vdronov@redhat.com> -Date: Mon, 16 Nov 2015 15:55:11 -0200 -Subject: [PATCH] usbvision: fix crash on detecting device with invalid - configuration - -The usbvision driver crashes when a specially crafted usb device with invalid -number of interfaces or endpoints is detected. This fix adds checks that the -device has proper configuration expected by the driver. - -Reported-by: Ralf Spenneberg <ralf@spenneberg.net> -Signed-off-by: Vladis Dronov <vdronov@redhat.com> -Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> ---- - drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c -index b693206f66dd..d1dc1a198e3e 100644 ---- a/drivers/media/usb/usbvision/usbvision-video.c -+++ b/drivers/media/usb/usbvision/usbvision-video.c -@@ -1463,9 +1463,23 @@ static int usbvision_probe(struct usb_interface *intf, - - if (usbvision_device_data[model].interface >= 0) - interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; -- else -+ else if (ifnum < dev->actconfig->desc.bNumInterfaces) - interface = &dev->actconfig->interface[ifnum]->altsetting[0]; -+ else { -+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n", -+ ifnum, dev->actconfig->desc.bNumInterfaces - 1); -+ ret = -ENODEV; -+ goto err_usb; -+ } -+ -+ if (interface->desc.bNumEndpoints < 2) { -+ dev_err(&intf->dev, "interface %d has %d endpoints, but must" -+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints); -+ ret = -ENODEV; -+ goto err_usb; -+ } - endpoint = &interface->endpoint[1].desc; -+ - if (!usb_endpoint_xfer_isoc(endpoint)) { - dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n", - __func__, ifnum); --- -2.5.0 - diff --git a/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch b/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch new file mode 100644 index 000000000..d3d0aa2c3 --- /dev/null +++ b/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch @@ -0,0 +1,94 @@ +From 3e4f68f273ef86e6ed8be24a86f8ef514deaecc0 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Wed, 27 Apr 2016 08:37:41 -0400 +Subject: [PATCH] x86/efi-bgrt: Switch all pr_err() to pr_debug() for invalid + BGRT + +The promise of pretty boot splashes from firmware via BGRT was at +best only that; a promise. The kernel diligently checks to make +sure the BGRT data firmware gives it is valid, and dutifully warns +the user when it isn't. However, it does so via the pr_err log +level which seems unnecessary. The user cannot do anything about +this and there really isn't an error on the part of Linux to +correct. + +This lowers the log level by using pr_debug instead. Users will +no longer have their boot process uglified by the kernel reminding +us that firmware can and often is broken. Ironic, considering +BGRT is supposed to make boot pretty to begin with. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + arch/x86/platform/efi/efi-bgrt.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/platform/efi/efi-bgrt.c b/arch/x86/platform/efi/efi-bgrt.c +index ea48449b2e63..87da4108785b 100644 +--- a/arch/x86/platform/efi/efi-bgrt.c ++++ b/arch/x86/platform/efi/efi-bgrt.c +@@ -41,17 +41,17 @@ void __init efi_bgrt_init(void) + return; + + if (bgrt_tab->header.length < sizeof(*bgrt_tab)) { +- pr_err("Ignoring BGRT: invalid length %u (expected %zu)\n", ++ pr_debug("Ignoring BGRT: invalid length %u (expected %zu)\n", + bgrt_tab->header.length, sizeof(*bgrt_tab)); + return; + } + if (bgrt_tab->version != 1) { +- pr_err("Ignoring BGRT: invalid version %u (expected 1)\n", ++ pr_debug("Ignoring BGRT: invalid version %u (expected 1)\n", + bgrt_tab->version); + return; + } + if (bgrt_tab->status & 0xfe) { +- pr_err("Ignoring BGRT: reserved status bits are non-zero %u\n", ++ pr_debug("Ignoring BGRT: reserved status bits are non-zero %u\n", + bgrt_tab->status); + return; + } +@@ -61,12 +61,12 @@ void __init efi_bgrt_init(void) + return; + } + if (bgrt_tab->image_type != 0) { +- pr_err("Ignoring BGRT: invalid image type %u (expected 0)\n", ++ pr_debug("Ignoring BGRT: invalid image type %u (expected 0)\n", + bgrt_tab->image_type); + return; + } + if (!bgrt_tab->image_address) { +- pr_err("Ignoring BGRT: null image address\n"); ++ pr_debug("Ignoring BGRT: null image address\n"); + return; + } + +@@ -76,7 +76,7 @@ void __init efi_bgrt_init(void) + sizeof(bmp_header)); + ioremapped = true; + if (!image) { +- pr_err("Ignoring BGRT: failed to map image header memory\n"); ++ pr_debug("Ignoring BGRT: failed to map image header memory\n"); + return; + } + } +@@ -88,7 +88,7 @@ void __init efi_bgrt_init(void) + + bgrt_image = kmalloc(bgrt_image_size, GFP_KERNEL | __GFP_NOWARN); + if (!bgrt_image) { +- pr_err("Ignoring BGRT: failed to allocate memory for image (wanted %zu bytes)\n", ++ pr_debug("Ignoring BGRT: failed to allocate memory for image (wanted %zu bytes)\n", + bgrt_image_size); + return; + } +@@ -97,7 +97,7 @@ void __init efi_bgrt_init(void) + image = early_ioremap(bgrt_tab->image_address, + bmp_header.size); + if (!image) { +- pr_err("Ignoring BGRT: failed to map image memory\n"); ++ pr_debug("Ignoring BGRT: failed to map image memory\n"); + kfree(bgrt_image); + bgrt_image = NULL; + return; +-- +2.5.5 + diff --git a/x86-xen-suppress-hugetlbfs-in-PV-guests.patch b/x86-xen-suppress-hugetlbfs-in-PV-guests.patch new file mode 100644 index 000000000..1b7c8f24a --- /dev/null +++ b/x86-xen-suppress-hugetlbfs-in-PV-guests.patch @@ -0,0 +1,70 @@ +From 72c339e0c6d9969e664c2cf63e162753d7d859ae Mon Sep 17 00:00:00 2001 +From: Jan Beulich <jbeulich@suse.com> +Date: Thu, 14 Apr 2016 13:03:47 +0000 +Subject: [PATCH] x86/xen: suppress hugetlbfs in PV guests + +Huge pages are not normally available to PV guests. Not suppressing +hugetlbfs use results in an endless loop of page faults when user mode +code tries to access a hugetlbfs mapped area (since the hypervisor +denies such PTEs to be created, but error indications can't be +propagated out of xen_set_pte_at(), just like for various of its +siblings), and - once killed in an oops like this: + +kernel BUG at .../fs/hugetlbfs/inode.c:428! +invalid opcode: 0000 [#1] SMP +Modules linked in: ... +Supported: Yes +CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G W 4.4.0-2016-01-20-pv #2 +Hardware name: ... +task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000 +RIP: e030:[<ffffffff811c333b>] [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320 +RSP: e02b:ffff880803c879a8 EFLAGS: 00010202 +RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38 +RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960 +RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0 +FS: 00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000 +CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660 +Stack: + ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0 + ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000 + ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758 +Call Trace: + [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40 + [<ffffffff81167b3d>] evict+0xbd/0x1b0 + [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0 + [<ffffffff81165b0e>] dput+0x1fe/0x220 + [<ffffffff81150535>] __fput+0x155/0x200 + [<ffffffff81079fc0>] task_work_run+0x60/0xa0 + [<ffffffff81063510>] do_exit+0x160/0x400 + [<ffffffff810637eb>] do_group_exit+0x3b/0xa0 + [<ffffffff8106e8bd>] get_signal+0x1ed/0x470 + [<ffffffff8100f854>] do_signal+0x14/0x110 + [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0 + [<ffffffff814178a5>] retint_user+0x8/0x13 + +This is XSA-174. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Cc: stable@vger.kernel.org +--- + arch/x86/include/asm/hugetlb.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h +index f8a29d2c97b0..e6a8613fbfb0 100644 +--- a/arch/x86/include/asm/hugetlb.h ++++ b/arch/x86/include/asm/hugetlb.h +@@ -4,6 +4,7 @@ + #include <asm/page.h> + #include <asm-generic/hugetlb.h> + ++#define hugepages_supported() cpu_has_pse + + static inline int is_hugepage_only_range(struct mm_struct *mm, + unsigned long addr, +-- +2.5.5 + |