diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-07-30 07:36:54 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-07-30 07:36:54 +0200 |
commit | 9454e5de09ac5b8aea670d6331e5e45259dc4238 (patch) | |
tree | b44b22ff62f1963f9a7d3b082de744f8125b3e44 | |
parent | c5dcc7d99bc15c0d77acf63177b5f4974146562b (diff) | |
parent | 0d42ed5eef5557821a50ef583a781ab4842d3896 (diff) | |
download | kernel-9454e5de09ac5b8aea670d6331e5e45259dc4238.tar.gz kernel-9454e5de09ac5b8aea670d6331e5e45259dc4238.tar.xz kernel-9454e5de09ac5b8aea670d6331e5e45259dc4238.zip |
Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedorakernel-4.6.5-300.vanilla.knurd.1.fc24
28 files changed, 1604 insertions, 834 deletions
diff --git a/0001-drm-mgag200-Black-screen-fix-for-G200e-rev-4.patch b/0001-drm-mgag200-Black-screen-fix-for-G200e-rev-4.patch deleted file mode 100644 index e583d09e8..000000000 --- a/0001-drm-mgag200-Black-screen-fix-for-G200e-rev-4.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 1e5895f2c6068fb9ae5356e3a751a29a22af5f01 Mon Sep 17 00:00:00 2001 -From: Fedora Kernel Team <kernel-team@fedoraproject.org> -Date: Mon, 20 Jun 2016 14:53:03 +0200 -Subject: [PATCH 1/6] drm/mgag200: Black screen fix for G200e rev 4 - -Upstream: since drm-fixes-for-v4.7 -commit d3922b69617b62bb2509936b68301f837229d9f0 - -Author: Mathieu Larouche <mathieu.larouche@matrox.com> -AuthorDate: Fri May 27 15:12:50 2016 -0400 -Commit: Dave Airlie <airlied@redhat.com> -CommitDate: Wed Jun 1 15:25:04 2016 +1000 - - drm/mgag200: Black screen fix for G200e rev 4 - - - Fixed black screen for some resolutions of G200e rev4 - - Fixed testm & testn which had predetermined value. - - Reported-by: Jan Beulich <jbeulich@suse.com> - - Signed-off-by: Mathieu Larouche <mathieu.larouche@matrox.com> - Cc: stable@vger.kernel.org - Signed-off-by: Dave Airlie <airlied@redhat.com> ---- - drivers/gpu/drm/mgag200/mgag200_mode.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c b/drivers/gpu/drm/mgag200/mgag200_mode.c -index 14e64e0..d347dca 100644 ---- a/drivers/gpu/drm/mgag200/mgag200_mode.c -+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c -@@ -182,7 +182,7 @@ static int mga_g200se_set_plls(struct mga_device *mdev, long clock) - } - } - -- fvv = pllreffreq * testn / testm; -+ fvv = pllreffreq * (n + 1) / (m + 1); - fvv = (fvv - 800000) / 50000; - - if (fvv > 15) -@@ -202,6 +202,14 @@ static int mga_g200se_set_plls(struct mga_device *mdev, long clock) - WREG_DAC(MGA1064_PIX_PLLC_M, m); - WREG_DAC(MGA1064_PIX_PLLC_N, n); - WREG_DAC(MGA1064_PIX_PLLC_P, p); -+ -+ if (mdev->unique_rev_id >= 0x04) { -+ WREG_DAC(0x1a, 0x09); -+ msleep(20); -+ WREG_DAC(0x1a, 0x01); -+ -+ } -+ - return 0; - } - --- -2.7.4 - diff --git a/0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch b/0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch deleted file mode 100644 index d1c32b439..000000000 --- a/0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch +++ /dev/null @@ -1,138 +0,0 @@ -From 02510a8805db2c3f8ca2926f90c4b3793934404a Mon Sep 17 00:00:00 2001 -From: Fedora Kernel Team <kernel-team@fedoraproject.org> -Date: Mon, 20 Jun 2016 14:51:45 +0200 -Subject: [PATCH 2/6] drm/nouveau/fbcon: fix out-of-bounds memory accesses - -Upstream: drm-fixes for 4.7 (and cc'd 4.6-stable) -commit f045f459d925138fe7d6193a8c86406bda7e49da - -Author: Ben Skeggs <bskeggs@redhat.com> -AuthorDate: Thu Jun 2 12:23:31 2016 +1000 -Commit: Ben Skeggs <bskeggs@redhat.com> -CommitDate: Thu Jun 2 13:53:44 2016 +1000 - - drm/nouveau/fbcon: fix out-of-bounds memory accesses - - Reported by KASAN. - - Signed-off-by: Ben Skeggs <bskeggs@redhat.com> - Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + - drivers/gpu/drm/nouveau/nv04_fbcon.c | 7 ++----- - drivers/gpu/drm/nouveau/nv50_fbcon.c | 6 ++---- - drivers/gpu/drm/nouveau/nvc0_fbcon.c | 6 ++---- - 4 files changed, 7 insertions(+), 13 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c -index 59f27e7..bd89c86 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c -+++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c -@@ -557,6 +557,7 @@ nouveau_fbcon_init(struct drm_device *dev) - if (ret) - goto fini; - -+ fbcon->helper.fbdev->pixmap.buf_align = 4; - return 0; - - fini: -diff --git a/drivers/gpu/drm/nouveau/nv04_fbcon.c b/drivers/gpu/drm/nouveau/nv04_fbcon.c -index 789dc29..8f715fe 100644 ---- a/drivers/gpu/drm/nouveau/nv04_fbcon.c -+++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c -@@ -82,7 +82,6 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - uint32_t fg; - uint32_t bg; - uint32_t dsize; -- uint32_t width; - uint32_t *data = (uint32_t *)image->data; - int ret; - -@@ -93,9 +92,6 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - if (ret) - return ret; - -- width = ALIGN(image->width, 8); -- dsize = ALIGN(width * image->height, 32) >> 5; -- - if (info->fix.visual == FB_VISUAL_TRUECOLOR || - info->fix.visual == FB_VISUAL_DIRECTCOLOR) { - fg = ((uint32_t *) info->pseudo_palette)[image->fg_color]; -@@ -111,10 +107,11 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - ((image->dx + image->width) & 0xffff)); - OUT_RING(chan, bg); - OUT_RING(chan, fg); -- OUT_RING(chan, (image->height << 16) | width); -+ OUT_RING(chan, (image->height << 16) | image->width); - OUT_RING(chan, (image->height << 16) | image->width); - OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff)); - -+ dsize = ALIGN(image->width * image->height, 32) >> 5; - while (dsize) { - int iter_len = dsize > 128 ? 128 : dsize; - -diff --git a/drivers/gpu/drm/nouveau/nv50_fbcon.c b/drivers/gpu/drm/nouveau/nv50_fbcon.c -index e05499d..a4e259a 100644 ---- a/drivers/gpu/drm/nouveau/nv50_fbcon.c -+++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c -@@ -95,7 +95,7 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - struct nouveau_fbdev *nfbdev = info->par; - struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); - struct nouveau_channel *chan = drm->channel; -- uint32_t width, dwords, *data = (uint32_t *)image->data; -+ uint32_t dwords, *data = (uint32_t *)image->data; - uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); - uint32_t *palette = info->pseudo_palette; - int ret; -@@ -107,9 +107,6 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - if (ret) - return ret; - -- width = ALIGN(image->width, 32); -- dwords = (width * image->height) >> 5; -- - BEGIN_NV04(chan, NvSub2D, 0x0814, 2); - if (info->fix.visual == FB_VISUAL_TRUECOLOR || - info->fix.visual == FB_VISUAL_DIRECTCOLOR) { -@@ -128,6 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - OUT_RING(chan, 0); - OUT_RING(chan, image->dy); - -+ dwords = ALIGN(image->width * image->height, 32) >> 5; - while (dwords) { - int push = dwords > 2047 ? 2047 : dwords; - -diff --git a/drivers/gpu/drm/nouveau/nvc0_fbcon.c b/drivers/gpu/drm/nouveau/nvc0_fbcon.c -index c97395b..f28315e 100644 ---- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c -+++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c -@@ -95,7 +95,7 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - struct nouveau_fbdev *nfbdev = info->par; - struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); - struct nouveau_channel *chan = drm->channel; -- uint32_t width, dwords, *data = (uint32_t *)image->data; -+ uint32_t dwords, *data = (uint32_t *)image->data; - uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); - uint32_t *palette = info->pseudo_palette; - int ret; -@@ -107,9 +107,6 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - if (ret) - return ret; - -- width = ALIGN(image->width, 32); -- dwords = (width * image->height) >> 5; -- - BEGIN_NVC0(chan, NvSub2D, 0x0814, 2); - if (info->fix.visual == FB_VISUAL_TRUECOLOR || - info->fix.visual == FB_VISUAL_DIRECTCOLOR) { -@@ -128,6 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) - OUT_RING (chan, 0); - OUT_RING (chan, image->dy); - -+ dwords = ALIGN(image->width * image->height, 32) >> 5; - while (dwords) { - int push = dwords > 2047 ? 2047 : dwords; - --- -2.7.4 - diff --git a/0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch b/0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch deleted file mode 100644 index b93bdff17..000000000 --- a/0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch +++ /dev/null @@ -1,46 +0,0 @@ -From de35f524e89daf8862d49724b9045f9254bfdfea Mon Sep 17 00:00:00 2001 -From: Fedora Kernel Team <kernel-team@fedoraproject.org> -Date: Mon, 20 Jun 2016 14:52:01 +0200 -Subject: [PATCH 3/6] drm/nouveau/disp/sor/gf119: both links use the same - training register - -Upstream: drm-fixes for 4.7 (and cc'd 4.6-stable) -commit a8953c52b95167b5d21a66f0859751570271d834 - -Author: Ben Skeggs <bskeggs@redhat.com> -AuthorDate: Fri Jun 3 14:37:40 2016 +1000 -Commit: Ben Skeggs <bskeggs@redhat.com> -CommitDate: Tue Jun 7 08:11:14 2016 +1000 - - drm/nouveau/disp/sor/gf119: both links use the same training register - - It appears that, for whatever reason, both link A and B use the same - register to control the training pattern. It's a little odd, as the - GPUs before this (Tesla/Fermi1) have per-link registers, as do newer - GPUs (Maxwell). - - Fixes the third DP output on NVS 510 (GK107). - - Signed-off-by: Ben Skeggs <bskeggs@redhat.com> - Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -index b4b41b1..5111560 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -@@ -40,8 +40,7 @@ static int - gf119_sor_dp_pattern(struct nvkm_output_dp *outp, int pattern) - { - struct nvkm_device *device = outp->base.disp->engine.subdev.device; -- const u32 loff = gf119_sor_loff(outp); -- nvkm_mask(device, 0x61c110 + loff, 0x0f0f0f0f, 0x01010101 * pattern); -+ nvkm_mask(device, 0x61c110, 0x0f0f0f0f, 0x01010101 * pattern); - return 0; - } - --- -2.7.4 - diff --git a/0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch b/0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch deleted file mode 100644 index a0b6171d8..000000000 --- a/0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch +++ /dev/null @@ -1,195 +0,0 @@ -From eb4668302adce316f53896b0fd8144ffe380a3ad Mon Sep 17 00:00:00 2001 -From: Fedora Kernel Team <kernel-team@fedoraproject.org> -Date: Mon, 20 Jun 2016 14:52:06 +0200 -Subject: [PATCH 4/6] drm/nouveau/disp/sor/gm107: training pattern registers - are like gm200 - -Upstream: drm-fixes for 4.7 (and cc'd 4.6-stable) -commit 4691409b3e2250ed66aa8dcefa23fe765daf7add - -Author: Ben Skeggs <bskeggs@redhat.com> -AuthorDate: Fri Jun 3 15:05:52 2016 +1000 -Commit: Ben Skeggs <bskeggs@redhat.com> -CommitDate: Tue Jun 7 08:11:25 2016 +1000 - - drm/nouveau/disp/sor/gm107: training pattern registers are like gm200 - - Signed-off-by: Ben Skeggs <bskeggs@redhat.com> - Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/nouveau/nvkm/engine/disp/Kbuild | 1 + - drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c | 2 +- - drivers/gpu/drm/nouveau/nvkm/engine/disp/outpdp.h | 9 +++- - .../gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 2 +- - .../nvkm/engine/disp/{gm107.c => sorgm107.c} | 50 +++++++++++----------- - .../gpu/drm/nouveau/nvkm/engine/disp/sorgm200.c | 15 +------ - 6 files changed, 36 insertions(+), 43 deletions(-) - copy drivers/gpu/drm/nouveau/nvkm/engine/disp/{gm107.c => sorgm107.c} (55%) - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/Kbuild b/drivers/gpu/drm/nouveau/nvkm/engine/disp/Kbuild -index a74c5dd..e2a64ed 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/Kbuild -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/Kbuild -@@ -18,6 +18,7 @@ nvkm-y += nvkm/engine/disp/piornv50.o - nvkm-y += nvkm/engine/disp/sornv50.o - nvkm-y += nvkm/engine/disp/sorg94.o - nvkm-y += nvkm/engine/disp/sorgf119.o -+nvkm-y += nvkm/engine/disp/sorgm107.o - nvkm-y += nvkm/engine/disp/sorgm200.o - nvkm-y += nvkm/engine/disp/dport.o - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c -index b694414..f4b9cf8 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c -@@ -36,7 +36,7 @@ gm107_disp = { - .outp.internal.crt = nv50_dac_output_new, - .outp.internal.tmds = nv50_sor_output_new, - .outp.internal.lvds = nv50_sor_output_new, -- .outp.internal.dp = gf119_sor_dp_new, -+ .outp.internal.dp = gm107_sor_dp_new, - .dac.nr = 3, - .dac.power = nv50_dac_power, - .dac.sense = nv50_dac_sense, -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outpdp.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outpdp.h -index e9067ba..4e983f6 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outpdp.h -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outpdp.h -@@ -62,7 +62,12 @@ int g94_sor_dp_lnk_pwr(struct nvkm_output_dp *, int); - int gf119_sor_dp_new(struct nvkm_disp *, int, struct dcb_output *, - struct nvkm_output **); - int gf119_sor_dp_lnk_ctl(struct nvkm_output_dp *, int, int, bool); -+int gf119_sor_dp_drv_ctl(struct nvkm_output_dp *, int, int, int, int); - --int gm200_sor_dp_new(struct nvkm_disp *, int, struct dcb_output *, -- struct nvkm_output **); -+int gm107_sor_dp_new(struct nvkm_disp *, int, struct dcb_output *, -+ struct nvkm_output **); -+int gm107_sor_dp_pattern(struct nvkm_output_dp *, int); -+ -+int gm200_sor_dp_new(struct nvkm_disp *, int, struct dcb_output *, -+ struct nvkm_output **); - #endif -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -index 5111560..22706c0 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -@@ -63,7 +63,7 @@ gf119_sor_dp_lnk_ctl(struct nvkm_output_dp *outp, int nr, int bw, bool ef) - return 0; - } - --static int -+int - gf119_sor_dp_drv_ctl(struct nvkm_output_dp *outp, - int ln, int vs, int pe, int pc) - { -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm107.c -similarity index 55% -copy from drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c -copy to drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm107.c -index b694414..37790b2 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/gm107.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm107.c -@@ -1,5 +1,5 @@ - /* -- * Copyright 2012 Red Hat Inc. -+ * Copyright 2016 Red Hat Inc. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), -@@ -19,35 +19,35 @@ - * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR - * OTHER DEALINGS IN THE SOFTWARE. - * -- * Authors: Ben Skeggs -+ * Authors: Ben Skeggs <bskeggs@redhat.com> - */ - #include "nv50.h" --#include "rootnv50.h" -+#include "outpdp.h" - --static const struct nv50_disp_func --gm107_disp = { -- .intr = gf119_disp_intr, -- .uevent = &gf119_disp_chan_uevent, -- .super = gf119_disp_intr_supervisor, -- .root = &gm107_disp_root_oclass, -- .head.vblank_init = gf119_disp_vblank_init, -- .head.vblank_fini = gf119_disp_vblank_fini, -- .head.scanoutpos = gf119_disp_root_scanoutpos, -- .outp.internal.crt = nv50_dac_output_new, -- .outp.internal.tmds = nv50_sor_output_new, -- .outp.internal.lvds = nv50_sor_output_new, -- .outp.internal.dp = gf119_sor_dp_new, -- .dac.nr = 3, -- .dac.power = nv50_dac_power, -- .dac.sense = nv50_dac_sense, -- .sor.nr = 4, -- .sor.power = nv50_sor_power, -- .sor.hda_eld = gf119_hda_eld, -- .sor.hdmi = gk104_hdmi_ctrl, -+int -+gm107_sor_dp_pattern(struct nvkm_output_dp *outp, int pattern) -+{ -+ struct nvkm_device *device = outp->base.disp->engine.subdev.device; -+ const u32 soff = outp->base.or * 0x800; -+ const u32 data = 0x01010101 * pattern; -+ if (outp->base.info.sorconf.link & 1) -+ nvkm_mask(device, 0x61c110 + soff, 0x0f0f0f0f, data); -+ else -+ nvkm_mask(device, 0x61c12c + soff, 0x0f0f0f0f, data); -+ return 0; -+} -+ -+static const struct nvkm_output_dp_func -+gm107_sor_dp_func = { -+ .pattern = gm107_sor_dp_pattern, -+ .lnk_pwr = g94_sor_dp_lnk_pwr, -+ .lnk_ctl = gf119_sor_dp_lnk_ctl, -+ .drv_ctl = gf119_sor_dp_drv_ctl, - }; - - int --gm107_disp_new(struct nvkm_device *device, int index, struct nvkm_disp **pdisp) -+gm107_sor_dp_new(struct nvkm_disp *disp, int index, -+ struct dcb_output *dcbE, struct nvkm_output **poutp) - { -- return gf119_disp_new_(&gm107_disp, device, index, pdisp); -+ return nvkm_output_dp_new_(&gm107_sor_dp_func, disp, index, dcbE, poutp); - } -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm200.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm200.c -index 2cfbef9..c44fa7e 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm200.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgm200.c -@@ -57,19 +57,6 @@ gm200_sor_dp_lane_map(struct nvkm_device *device, u8 lane) - } - - static int --gm200_sor_dp_pattern(struct nvkm_output_dp *outp, int pattern) --{ -- struct nvkm_device *device = outp->base.disp->engine.subdev.device; -- const u32 soff = gm200_sor_soff(outp); -- const u32 data = 0x01010101 * pattern; -- if (outp->base.info.sorconf.link & 1) -- nvkm_mask(device, 0x61c110 + soff, 0x0f0f0f0f, data); -- else -- nvkm_mask(device, 0x61c12c + soff, 0x0f0f0f0f, data); -- return 0; --} -- --static int - gm200_sor_dp_lnk_pwr(struct nvkm_output_dp *outp, int nr) - { - struct nvkm_device *device = outp->base.disp->engine.subdev.device; -@@ -129,7 +116,7 @@ gm200_sor_dp_drv_ctl(struct nvkm_output_dp *outp, - - static const struct nvkm_output_dp_func - gm200_sor_dp_func = { -- .pattern = gm200_sor_dp_pattern, -+ .pattern = gm107_sor_dp_pattern, - .lnk_pwr = gm200_sor_dp_lnk_pwr, - .lnk_ctl = gf119_sor_dp_lnk_ctl, - .drv_ctl = gm200_sor_dp_drv_ctl, --- -2.7.4 - diff --git a/0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch b/0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch deleted file mode 100644 index d95f2f4d0..000000000 --- a/0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 28d0147bded959b2c4d3eb1aa957452d5dbb0cc9 Mon Sep 17 00:00:00 2001 -From: Fedora Kernel Team <kernel-team@fedoraproject.org> -Date: Mon, 20 Jun 2016 14:52:10 +0200 -Subject: [PATCH 5/6] i915/fbc: Disable on HSW by default for now - -Upstream: posted on dri-devel (and r-b'd) - -Author: cpaul@redhat.com <cpaul@redhat.com> -AuthorDate: Thu Jun 9 11:58:15 2016 -0400 -Commit: Rob Clark <rclark@redhat.com> -CommitDate: Thu Jun 9 15:43:07 2016 -0400 - - i915/fbc: Disable on HSW by default for now - - >From https://bugs.freedesktop.org/show_bug.cgi?id=96461 : - - This was kind of a difficult bug to track down. If you're using a - Haswell system running GNOME and you have fbc completely enabled and - working, playing videos can result in video artifacts. Steps to - reproduce: - - - Run GNOME - - Ensure FBC is enabled and active - - Download a movie, I used the ogg version of Big Buck Bunny for this - - Run `gst-launch-1.0 filesrc location='some_movie.ogg' ! decodebin ! - glimagesink` in a terminal - - Watch for about over a minute, you'll see small horizontal lines go - down the screen. - - For the time being, disable FBC for Haswell by default. - - Signed-off-by: Lyude <cpaul@redhat.com> - Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com> - Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/i915/intel_fbc.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/i915/intel_fbc.c b/drivers/gpu/drm/i915/intel_fbc.c -index 0f0492f..28f4407 100644 ---- a/drivers/gpu/drm/i915/intel_fbc.c -+++ b/drivers/gpu/drm/i915/intel_fbc.c -@@ -823,8 +823,7 @@ static bool intel_fbc_can_choose(struct intel_crtc *crtc) - { - struct drm_i915_private *dev_priv = crtc->base.dev->dev_private; - struct intel_fbc *fbc = &dev_priv->fbc; -- bool enable_by_default = IS_HASWELL(dev_priv) || -- IS_BROADWELL(dev_priv); -+ bool enable_by_default = IS_BROADWELL(dev_priv); - - if (intel_vgpu_active(dev_priv->dev)) { - fbc->no_fbc_reason = "VGPU is active"; --- -2.7.4 - diff --git a/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch b/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch deleted file mode 100644 index e84272ee7..000000000 --- a/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 93a2001bdfd5376c3dc2158653034c20392d15c5 Mon Sep 17 00:00:00 2001 -From: Scott Bauer <sbauer@plzdonthack.me> -Date: Thu, 23 Jun 2016 08:59:47 -0600 -Subject: [PATCH] HID: hiddev: validate num_values for HIDIOCGUSAGES, - HIDIOCSUSAGES commands - -This patch validates the num_values parameter from userland during the -HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set -to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter -leading to a heap overflow. - -Cc: stable@vger.kernel.org -Signed-off-by: Scott Bauer <sbauer@plzdonthack.me> -Signed-off-by: Jiri Kosina <jkosina@suse.cz> ---- - drivers/hid/usbhid/hiddev.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c -index 2f1ddca6f2e0..700145b15088 100644 ---- a/drivers/hid/usbhid/hiddev.c -+++ b/drivers/hid/usbhid/hiddev.c -@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, - goto inval; - } else if (uref->usage_index >= field->report_count) - goto inval; -- -- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && -- (uref_multi->num_values > HID_MAX_MULTI_USAGES || -- uref->usage_index + uref_multi->num_values > field->report_count)) -- goto inval; - } - -+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && -+ (uref_multi->num_values > HID_MAX_MULTI_USAGES || -+ uref->usage_index + uref_multi->num_values > field->report_count)) -+ goto inval; -+ - switch (cmd) { - case HIDIOCGUSAGE: - uref->value = field->value[uref->usage_index]; --- -2.5.5 - diff --git a/KEYS-potential-uninitialized-variable.patch b/KEYS-potential-uninitialized-variable.patch deleted file mode 100644 index 23cabbb2e..000000000 --- a/KEYS-potential-uninitialized-variable.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 82a50018782f84e733e718d4b24e1653d19333be Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Wed, 15 Jun 2016 09:31:45 -0400 -Subject: [PATCH] KEYS: potential uninitialized variable - -If __key_link_begin() failed then "edit" would be uninitialized. I've -added a check to fix that. - -Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()') -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> ---- - security/keys/key.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/keys/key.c b/security/keys/key.c -index bd5a272f28a6..346fbf201c22 100644 ---- a/security/keys/key.c -+++ b/security/keys/key.c -@@ -597,7 +597,7 @@ int key_reject_and_link(struct key *key, - - mutex_unlock(&key_construction_mutex); - -- if (keyring) -+ if (keyring && link_ret == 0) - __key_link_end(keyring, &key->index_key, edit); - - /* wake up anyone waiting for a key to be constructed */ --- -2.5.5 - diff --git a/Revert-ALSA-hda-remove-controller-dependency-on-i915.patch b/Revert-ALSA-hda-remove-controller-dependency-on-i915.patch new file mode 100644 index 000000000..339f84c40 --- /dev/null +++ b/Revert-ALSA-hda-remove-controller-dependency-on-i915.patch @@ -0,0 +1,44 @@ +From c0afc8df2c54301034e0ad8a537c7b817b72e06a Mon Sep 17 00:00:00 2001 +From: Hans de Goede <hdegoede@redhat.com> +Date: Tue, 12 Jul 2016 22:40:01 +0200 +Subject: [PATCH] Revert "ALSA: hda - remove controller dependency on i915 + power well for SKL" + +This reverts commit 03b135cebc47d75ea2dc346770374ab741966955. +--- + sound/pci/hda/hda_intel.c | 4 +++- + sound/pci/hda/patch_hdmi.c | 3 +-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 94089fc71884..139ab83626fd 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -361,7 +361,9 @@ enum { + #define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \ + ((pci)->device == 0x0c0c) || \ + ((pci)->device == 0x0d0c) || \ +- ((pci)->device == 0x160c)) ++ ((pci)->device == 0x160c) || \ ++ ((pci)->device == 0xa170) || \ ++ ((pci)->device == 0x9d70)) + + #define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170) + #define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70) +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index a010d704e0e2..6ee685a49a08 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2285,8 +2285,7 @@ static int patch_generic_hdmi(struct hda_codec *codec) + * can cover the codec power request, and so need not set this flag. + * For previous platforms, there is no such power well feature. + */ +- if (is_valleyview_plus(codec) || is_skylake(codec) || +- is_broxton(codec)) ++ if (is_valleyview_plus(codec) || is_broxton(codec)) + codec->core.link_power_control = 1; + + if (hdmi_parse_codec(codec) < 0) { +-- +2.7.4 + diff --git a/airspy-fix-error-logic-during-device-register.patch b/airspy-fix-error-logic-during-device-register.patch new file mode 100644 index 000000000..575090d9d --- /dev/null +++ b/airspy-fix-error-logic-during-device-register.patch @@ -0,0 +1,40 @@ +From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001 +From: James Patrick-Evans <james@jmp-e.com> +Date: Fri, 15 Jul 2016 12:40:45 -0300 +Subject: [media] airspy: fix error logic during device register + +This patch addresses CVE-2016-5400, a local DOS vulnerability caused by +a memory leak in the airspy usb device driver. + +The vulnerability is triggered when more than 64 usb devices register +with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can +emulate 64 of these devices then through continual emulated +connect/disconnect of the 65th device, cause the kernel to run out of +RAM and crash the kernel. + +The vulnerability exists in kernel versions from 3.17 to current 4.7. + +The memory leak is caused by the probe function of the airspy driver +mishandeling errors and not freeing the corresponding control structures +when an error occours registering the device to v4l2 core. + +Signed-off-by: James Patrick-Evans <james@jmp-e.com> +Cc: stable@vger.kernel.org # Up to Kernel 3.17 +Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> + +diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c +index d807d58..19cd64c 100644 +--- a/drivers/media/usb/airspy/airspy.c ++++ b/drivers/media/usb/airspy/airspy.c +@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf, + if (ret) { + dev_err(s->dev, "Failed to register as video device (%d)\n", + ret); +- goto err_unregister_v4l2_dev; ++ goto err_free_controls; + } + dev_info(s->dev, "Registered as %s\n", + video_device_node_name(&s->vdev)); +-- +cgit v0.10.2 + diff --git a/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch b/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch new file mode 100644 index 000000000..6ee750466 --- /dev/null +++ b/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch @@ -0,0 +1,413 @@ +From 43761473c254b45883a64441dd0bc85a42f3645c Mon Sep 17 00:00:00 2001 +From: Paul Moore <paul@paul-moore.com> +Date: Tue, 19 Jul 2016 17:42:57 -0400 +Subject: [PATCH] audit: fix a double fetch in audit_log_single_execve_arg() + +There is a double fetch problem in audit_log_single_execve_arg() +where we first check the execve(2) argumnets for any "bad" characters +which would require hex encoding and then re-fetch the arguments for +logging in the audit record[1]. Of course this leaves a window of +opportunity for an unsavory application to munge with the data. + +This patch reworks things by only fetching the argument data once[2] +into a buffer where it is scanned and logged into the audit +records(s). In addition to fixing the double fetch, this patch +improves on the original code in a few other ways: better handling +of large arguments which require encoding, stricter record length +checking, and some performance improvements (completely unverified, +but we got rid of some strlen() calls, that's got to be a good +thing). + +As part of the development of this patch, I've also created a basic +regression test for the audit-testsuite, the test can be tracked on +GitHub at the following link: + + * https://github.com/linux-audit/audit-testsuite/issues/25 + +[1] If you pay careful attention, there is actually a triple fetch +problem due to a strnlen_user() call at the top of the function. + +[2] This is a tiny white lie, we do make a call to strnlen_user() +prior to fetching the argument data. I don't like it, but due to the +way the audit record is structured we really have no choice unless we +copy the entire argument at once (which would require a rather +wasteful allocation). The good news is that with this patch the +kernel no longer relies on this strnlen_user() value for anything +beyond recording it in the log, we also update it with a trustworthy +value whenever possible. + +Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Paul Moore <paul@paul-moore.com> +--- + kernel/auditsc.c | 332 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 164 insertions(+), 168 deletions(-) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index aa3feec..c65af21 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -73,6 +73,7 @@ + #include <linux/compat.h> + #include <linux/ctype.h> + #include <linux/string.h> ++#include <linux/uaccess.h> + #include <uapi/linux/limits.h> + + #include "audit.h" +@@ -82,7 +83,8 @@ + #define AUDITSC_SUCCESS 1 + #define AUDITSC_FAILURE 2 + +-/* no execve audit message should be longer than this (userspace limits) */ ++/* no execve audit message should be longer than this (userspace limits), ++ * see the note near the top of audit_log_execve_info() about this value */ + #define MAX_EXECVE_AUDIT_LEN 7500 + + /* max length to print of cmdline/proctitle value during audit */ +@@ -992,184 +994,178 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, + return rc; + } + +-/* +- * to_send and len_sent accounting are very loose estimates. We aren't +- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being +- * within about 500 bytes (next page boundary) +- * +- * why snprintf? an int is up to 12 digits long. if we just assumed when +- * logging that a[%d]= was going to be 16 characters long we would be wasting +- * space in every audit message. In one 7500 byte message we can log up to +- * about 1000 min size arguments. That comes down to about 50% waste of space +- * if we didn't do the snprintf to find out how long arg_num_len was. +- */ +-static int audit_log_single_execve_arg(struct audit_context *context, +- struct audit_buffer **ab, +- int arg_num, +- size_t *len_sent, +- const char __user *p, +- char *buf) ++static void audit_log_execve_info(struct audit_context *context, ++ struct audit_buffer **ab) + { +- char arg_num_len_buf[12]; +- const char __user *tmp_p = p; +- /* how many digits are in arg_num? 5 is the length of ' a=""' */ +- size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5; +- size_t len, len_left, to_send; +- size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; +- unsigned int i, has_cntl = 0, too_long = 0; +- int ret; +- +- /* strnlen_user includes the null we don't want to send */ +- len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1; +- +- /* +- * We just created this mm, if we can't find the strings +- * we just copied into it something is _very_ wrong. Similar +- * for strings that are too long, we should not have created +- * any. +- */ +- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) { +- send_sig(SIGKILL, current, 0); +- return -1; ++ long len_max; ++ long len_rem; ++ long len_full; ++ long len_buf; ++ long len_abuf; ++ long len_tmp; ++ bool require_data; ++ bool encode; ++ unsigned int iter; ++ unsigned int arg; ++ char *buf_head; ++ char *buf; ++ const char __user *p = (const char __user *)current->mm->arg_start; ++ ++ /* NOTE: this buffer needs to be large enough to hold all the non-arg ++ * data we put in the audit record for this argument (see the ++ * code below) ... at this point in time 96 is plenty */ ++ char abuf[96]; ++ ++ /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the ++ * current value of 7500 is not as important as the fact that it ++ * is less than 8k, a setting of 7500 gives us plenty of wiggle ++ * room if we go over a little bit in the logging below */ ++ WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500); ++ len_max = MAX_EXECVE_AUDIT_LEN; ++ ++ /* scratch buffer to hold the userspace args */ ++ buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); ++ if (!buf_head) { ++ audit_panic("out of memory for argv string"); ++ return; + } ++ buf = buf_head; + +- /* walk the whole argument looking for non-ascii chars */ ++ audit_log_format(*ab, "argc=%d", context->execve.argc); ++ ++ len_rem = len_max; ++ len_buf = 0; ++ len_full = 0; ++ require_data = true; ++ encode = false; ++ iter = 0; ++ arg = 0; + do { +- if (len_left > MAX_EXECVE_AUDIT_LEN) +- to_send = MAX_EXECVE_AUDIT_LEN; +- else +- to_send = len_left; +- ret = copy_from_user(buf, tmp_p, to_send); +- /* +- * There is no reason for this copy to be short. We just +- * copied them here, and the mm hasn't been exposed to user- +- * space yet. +- */ +- if (ret) { +- WARN_ON(1); +- send_sig(SIGKILL, current, 0); +- return -1; +- } +- buf[to_send] = '\0'; +- has_cntl = audit_string_contains_control(buf, to_send); +- if (has_cntl) { +- /* +- * hex messages get logged as 2 bytes, so we can only +- * send half as much in each message +- */ +- max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2; +- break; +- } +- len_left -= to_send; +- tmp_p += to_send; +- } while (len_left > 0); +- +- len_left = len; +- +- if (len > max_execve_audit_len) +- too_long = 1; +- +- /* rewalk the argument actually logging the message */ +- for (i = 0; len_left > 0; i++) { +- int room_left; +- +- if (len_left > max_execve_audit_len) +- to_send = max_execve_audit_len; +- else +- to_send = len_left; +- +- /* do we have space left to send this argument in this ab? */ +- room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent; +- if (has_cntl) +- room_left -= (to_send * 2); +- else +- room_left -= to_send; +- if (room_left < 0) { +- *len_sent = 0; +- audit_log_end(*ab); +- *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE); +- if (!*ab) +- return 0; +- } ++ /* NOTE: we don't ever want to trust this value for anything ++ * serious, but the audit record format insists we ++ * provide an argument length for really long arguments, ++ * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but ++ * to use strncpy_from_user() to obtain this value for ++ * recording in the log, although we don't use it ++ * anywhere here to avoid a double-fetch problem */ ++ if (len_full == 0) ++ len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1; ++ ++ /* read more data from userspace */ ++ if (require_data) { ++ /* can we make more room in the buffer? */ ++ if (buf != buf_head) { ++ memmove(buf_head, buf, len_buf); ++ buf = buf_head; ++ } ++ ++ /* fetch as much as we can of the argument */ ++ len_tmp = strncpy_from_user(&buf_head[len_buf], p, ++ len_max - len_buf); ++ if (len_tmp == -EFAULT) { ++ /* unable to copy from userspace */ ++ send_sig(SIGKILL, current, 0); ++ goto out; ++ } else if (len_tmp == (len_max - len_buf)) { ++ /* buffer is not large enough */ ++ require_data = true; ++ /* NOTE: if we are going to span multiple ++ * buffers force the encoding so we stand ++ * a chance at a sane len_full value and ++ * consistent record encoding */ ++ encode = true; ++ len_full = len_full * 2; ++ p += len_tmp; ++ } else { ++ require_data = false; ++ if (!encode) ++ encode = audit_string_contains_control( ++ buf, len_tmp); ++ /* try to use a trusted value for len_full */ ++ if (len_full < len_max) ++ len_full = (encode ? ++ len_tmp * 2 : len_tmp); ++ p += len_tmp + 1; ++ } ++ len_buf += len_tmp; ++ buf_head[len_buf] = '\0'; + +- /* +- * first record needs to say how long the original string was +- * so we can be sure nothing was lost. +- */ +- if ((i == 0) && (too_long)) +- audit_log_format(*ab, " a%d_len=%zu", arg_num, +- has_cntl ? 2*len : len); +- +- /* +- * normally arguments are small enough to fit and we already +- * filled buf above when we checked for control characters +- * so don't bother with another copy_from_user +- */ +- if (len >= max_execve_audit_len) +- ret = copy_from_user(buf, p, to_send); +- else +- ret = 0; +- if (ret) { +- WARN_ON(1); +- send_sig(SIGKILL, current, 0); +- return -1; ++ /* length of the buffer in the audit record? */ ++ len_abuf = (encode ? len_buf * 2 : len_buf + 2); + } +- buf[to_send] = '\0'; +- +- /* actually log it */ +- audit_log_format(*ab, " a%d", arg_num); +- if (too_long) +- audit_log_format(*ab, "[%d]", i); +- audit_log_format(*ab, "="); +- if (has_cntl) +- audit_log_n_hex(*ab, buf, to_send); +- else +- audit_log_string(*ab, buf); +- +- p += to_send; +- len_left -= to_send; +- *len_sent += arg_num_len; +- if (has_cntl) +- *len_sent += to_send * 2; +- else +- *len_sent += to_send; +- } +- /* include the null we didn't log */ +- return len + 1; +-} + +-static void audit_log_execve_info(struct audit_context *context, +- struct audit_buffer **ab) +-{ +- int i, len; +- size_t len_sent = 0; +- const char __user *p; +- char *buf; ++ /* write as much as we can to the audit log */ ++ if (len_buf > 0) { ++ /* NOTE: some magic numbers here - basically if we ++ * can't fit a reasonable amount of data into the ++ * existing audit buffer, flush it and start with ++ * a new buffer */ ++ if ((sizeof(abuf) + 8) > len_rem) { ++ len_rem = len_max; ++ audit_log_end(*ab); ++ *ab = audit_log_start(context, ++ GFP_KERNEL, AUDIT_EXECVE); ++ if (!*ab) ++ goto out; ++ } + +- p = (const char __user *)current->mm->arg_start; ++ /* create the non-arg portion of the arg record */ ++ len_tmp = 0; ++ if (require_data || (iter > 0) || ++ ((len_abuf + sizeof(abuf)) > len_rem)) { ++ if (iter == 0) { ++ len_tmp += snprintf(&abuf[len_tmp], ++ sizeof(abuf) - len_tmp, ++ " a%d_len=%lu", ++ arg, len_full); ++ } ++ len_tmp += snprintf(&abuf[len_tmp], ++ sizeof(abuf) - len_tmp, ++ " a%d[%d]=", arg, iter++); ++ } else ++ len_tmp += snprintf(&abuf[len_tmp], ++ sizeof(abuf) - len_tmp, ++ " a%d=", arg); ++ WARN_ON(len_tmp >= sizeof(abuf)); ++ abuf[sizeof(abuf) - 1] = '\0'; ++ ++ /* log the arg in the audit record */ ++ audit_log_format(*ab, "%s", abuf); ++ len_rem -= len_tmp; ++ len_tmp = len_buf; ++ if (encode) { ++ if (len_abuf > len_rem) ++ len_tmp = len_rem / 2; /* encoding */ ++ audit_log_n_hex(*ab, buf, len_tmp); ++ len_rem -= len_tmp * 2; ++ len_abuf -= len_tmp * 2; ++ } else { ++ if (len_abuf > len_rem) ++ len_tmp = len_rem - 2; /* quotes */ ++ audit_log_n_string(*ab, buf, len_tmp); ++ len_rem -= len_tmp + 2; ++ /* don't subtract the "2" because we still need ++ * to add quotes to the remaining string */ ++ len_abuf -= len_tmp; ++ } ++ len_buf -= len_tmp; ++ buf += len_tmp; ++ } + +- audit_log_format(*ab, "argc=%d", context->execve.argc); ++ /* ready to move to the next argument? */ ++ if ((len_buf == 0) && !require_data) { ++ arg++; ++ iter = 0; ++ len_full = 0; ++ require_data = true; ++ encode = false; ++ } ++ } while (arg < context->execve.argc); + +- /* +- * we need some kernel buffer to hold the userspace args. Just +- * allocate one big one rather than allocating one of the right size +- * for every single argument inside audit_log_single_execve_arg() +- * should be <8k allocation so should be pretty safe. +- */ +- buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); +- if (!buf) { +- audit_panic("out of memory for argv string"); +- return; +- } ++ /* NOTE: the caller handles the final audit_log_end() call */ + +- for (i = 0; i < context->execve.argc; i++) { +- len = audit_log_single_execve_arg(context, ab, i, +- &len_sent, p, buf); +- if (len <= 0) +- break; +- p += len; +- } +- kfree(buf); ++out: ++ kfree(buf_head); + } + + static void show_special(struct audit_context *context, int *call_panic) diff --git a/config-generic b/config-generic index b4f8f091f..7dee247fa 100644 --- a/config-generic +++ b/config-generic @@ -5526,8 +5526,7 @@ CONFIG_INPUT_GP2A=m # CONFIG_INTEL_MENLOW is not set CONFIG_ENCLOSURE_SERVICES=m -# Disable temporarily while I (pbr) work out why this filters properly when build with rpmbuild but not in koji -# CONFIG_IPWIRELESS is not set +CONFIG_IPWIRELESS=m CONFIG_MEMSTICK=m # CONFIG_MEMSTICK_DEBUG is not set diff --git a/drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch b/drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch new file mode 100644 index 000000000..562d20eb5 --- /dev/null +++ b/drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch @@ -0,0 +1,70 @@ +From patchwork Fri Jul 8 15:37:35 2016 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: drm/amdgpu: Disable RPM helpers while reprobing connectors on resume +From: cpaul@redhat.com +X-Patchwork-Id: 97837 +Message-Id: <1467992256-23832-1-git-send-email-cpaul@redhat.com> +To: amd-gfx@lists.freedesktop.org +Cc: Tom St Denis <tom.stdenis@amd.com>, Jammy Zhou <Jammy.Zhou@amd.com>, + open list <linux-kernel@vger.kernel.org>, stable@vger.kernel.org, + "open list:RADEON and AMDGPU DRM DRIVERS" + <dri-devel@lists.freedesktop.org>, + Alex Deucher <alexander.deucher@amd.com>, Lyude <cpaul@redhat.com>, + Flora Cui <Flora.Cui@amd.com>, + =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>, + Monk Liu <Monk.Liu@amd.com> +Date: Fri, 8 Jul 2016 11:37:35 -0400 + +Just about all of amdgpu's connector probing functions try to acquire +runtime PM refs. If we try to do this in the context of +amdgpu_resume_kms by calling drm_helper_hpd_irq_event(), we end up +deadlocking the system. + +Since we're guaranteed to be holding the spinlock for RPM in +amdgpu_resume_kms, and we already know the GPU is in working order, we +need to prevent the RPM helpers from trying to run during the initial +connector reprobe on resume. + +There's a couple of solutions I've explored for fixing this, but this +one by far seems to be the simplest and most reliable (plus I'm pretty +sure that's what disable_depth is there for anyway). + +Reproduction recipe: + - Get any laptop dual GPUs using PRIME + - Make sure runtime PM is enabled for amdgpu + - Boot the machine + - If the machine managed to boot without hanging, switch out of X to + another VT. This should definitely cause X to hang infinitely. + +Cc: stable@vger.kernel.org +Signed-off-by: Lyude <cpaul@redhat.com> +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 6e92008..46c1fee 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1841,7 +1841,19 @@ int amdgpu_resume_kms(struct drm_device *dev, bool resume, bool fbcon) + } + + drm_kms_helper_poll_enable(dev); ++ ++ /* ++ * Most of the connector probing functions try to acquire runtime pm ++ * refs to ensure that the GPU is powered on when connector polling is ++ * performed. Since we're calling this from a runtime PM callback, ++ * trying to acquire rpm refs will cause us to deadlock. ++ * ++ * Since we're guaranteed to be holding the rpm lock, it's safe to ++ * temporarily disable the rpm helpers so this doesn't deadlock us. ++ */ ++ dev->dev->power.disable_depth++; + drm_helper_hpd_irq_event(dev); ++ dev->dev->power.disable_depth--; + + if (fbcon) { + amdgpu_fbdev_set_suspend(adev, 0); diff --git a/drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch b/drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch new file mode 100644 index 000000000..24b19522b --- /dev/null +++ b/drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch @@ -0,0 +1,230 @@ +From bd363ae4ea5d124d5b284dd3aa7d2766ff2c19d7 Mon Sep 17 00:00:00 2001 +From: "cpaul@redhat.com" <cpaul@redhat.com> +Date: Tue, 12 Jul 2016 13:36:03 -0400 +Subject: [PATCH] drm/i915/skl: Add support for the SAGV, fix underrun hangs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since the watermark calculations for Skylake are still broken, we're apt +to hitting underruns very easily under multi-monitor configurations. +While it would be lovely if this was fixed, it's not. Another problem +that's been coming from this however, is the mysterious issue of +underruns causing full system hangs. An easy way to reproduce this with +a skylake system: + +- Get a laptop with a skylake GPU, and hook up two external monitors to + it +- Move the cursor from the built-in LCD to one of the external displays + as quickly as you can +- You'll get a few pipe underruns, and eventually the entire system will + just freeze. + +After doing a lot of investigation and reading through the bspec, I +found the existence of the SAGV, which is responsible for adjusting the +system agent voltage and clock frequencies depending on how much power +we need. According to the bspec: + +"The display engine access to system memory is blocked during the + adjustment time. SAGV defaults to enabled. Software must use the + GT-driver pcode mailbox to disable SAGV when the display engine is not + able to tolerate the blocking time." + +The rest of the bspec goes on to explain that software can simply leave +the SAGV enabled, and disable it when we use interlaced pipes/have more +then one pipe active. + +Sure enough, with this patchset the system hangs resulting from pipe +underruns on Skylake have completely vanished on my T460s. Additionally, +the bspec mentions turning off the SAGV with more then one pipe enabled +as a workaround for display underruns. While this patch doesn't entirely +fix that, it looks like it does improve the situation a little bit so +it's likely this is going to be required to make watermarks on Skylake +fully functional. + +Changes since v2: + - Really apply minor style nitpicks to patch this time +Changes since v1: + - Added comments about this probably being one of the requirements to + fixing Skylake's watermark issues + - Minor style nitpicks from Matt Roper + - Disable these functions on Broxton, since it doesn't have an SAGV + +Cc: Matt Roper <matthew.d.roper@intel.com> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> +Signed-off-by: Lyude <cpaul@redhat.com> +Reviewed-by: Matt Roper <matthew.d.roper@intel.com> +--- + drivers/gpu/drm/i915/i915_drv.h | 2 + + drivers/gpu/drm/i915/i915_reg.h | 5 ++ + drivers/gpu/drm/i915/intel_pm.c | 110 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 117 insertions(+) + +diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h +index 59092cbfeda1..d94e5598511f 100644 +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -1954,6 +1954,8 @@ struct drm_i915_private { + struct i915_suspend_saved_registers regfile; + struct vlv_s0ix_state vlv_s0ix_state; + ++ bool skl_sagv_enabled; ++ + struct { + /* + * Raw watermark latency values: +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index 363bd79dea2e..3d13d0e551be 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -7029,6 +7029,11 @@ enum skl_disp_power_wells { + #define HSW_PCODE_DE_WRITE_FREQ_REQ 0x17 + #define DISPLAY_IPS_CONTROL 0x19 + #define HSW_PCODE_DYNAMIC_DUTY_CYCLE_CONTROL 0x1A ++#define GEN9_PCODE_SAGV_CONTROL 0x21 ++#define GEN9_SAGV_DISABLE 0x0 ++#define GEN9_SAGV_LOW_FREQ 0x1 ++#define GEN9_SAGV_HIGH_FREQ 0x2 ++#define GEN9_SAGV_DYNAMIC_FREQ 0x3 + #define GEN6_PCODE_DATA _MMIO(0x138128) + #define GEN6_PCODE_FREQ_IA_RATIO_SHIFT 8 + #define GEN6_PCODE_FREQ_RING_RATIO_SHIFT 16 +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index 70dcd2e23cca..38e0b448f461 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2786,6 +2786,109 @@ skl_wm_plane_id(const struct intel_plane *plane) + } + + static void ++skl_sagv_get_hw_state(struct drm_i915_private *dev_priv) ++{ ++ u32 temp; ++ int ret; ++ ++ if (IS_BROXTON(dev_priv)) ++ return; ++ ++ mutex_lock(&dev_priv->rps.hw_lock); ++ ret = sandybridge_pcode_read(dev_priv, GEN9_PCODE_SAGV_CONTROL, &temp); ++ mutex_unlock(&dev_priv->rps.hw_lock); ++ ++ if (!ret) { ++ dev_priv->skl_sagv_enabled = !!(temp & GEN9_SAGV_DYNAMIC_FREQ); ++ } else { ++ /* ++ * If for some reason we can't access the SAGV state, follow ++ * the bspec and assume it's enabled ++ */ ++ DRM_ERROR("Failed to get SAGV state, assuming enabled\n"); ++ dev_priv->skl_sagv_enabled = true; ++ } ++} ++ ++/* ++ * SAGV dynamically adjusts the system agent voltage and clock frequencies ++ * depending on power and performance requirements. The display engine access ++ * to system memory is blocked during the adjustment time. Having this enabled ++ * in multi-pipe configurations can cause issues (such as underruns causing ++ * full system hangs), and the bspec also suggests that software disable it ++ * when more then one pipe is enabled. ++ */ ++static int ++skl_enable_sagv(struct drm_i915_private *dev_priv) ++{ ++ int ret; ++ ++ if (IS_BROXTON(dev_priv)) ++ return 0; ++ if (dev_priv->skl_sagv_enabled) ++ return 0; ++ ++ mutex_lock(&dev_priv->rps.hw_lock); ++ DRM_DEBUG_KMS("Enabling the SAGV\n"); ++ ++ ret = sandybridge_pcode_write(dev_priv, GEN9_PCODE_SAGV_CONTROL, ++ GEN9_SAGV_DYNAMIC_FREQ); ++ if (!ret) ++ dev_priv->skl_sagv_enabled = true; ++ else ++ DRM_ERROR("Failed to enable the SAGV\n"); ++ ++ /* We don't need to wait for SAGV when enabling */ ++ mutex_unlock(&dev_priv->rps.hw_lock); ++ return ret; ++} ++ ++static int ++skl_disable_sagv(struct drm_i915_private *dev_priv) ++{ ++ int ret = 0; ++ unsigned long timeout; ++ u32 temp; ++ ++ if (IS_BROXTON(dev_priv)) ++ return 0; ++ if (!dev_priv->skl_sagv_enabled) ++ return 0; ++ ++ mutex_lock(&dev_priv->rps.hw_lock); ++ DRM_DEBUG_KMS("Disabling the SAGV\n"); ++ ++ /* bspec says to keep retrying for at least 1 ms */ ++ timeout = jiffies + msecs_to_jiffies(1); ++ do { ++ ret = sandybridge_pcode_write(dev_priv, GEN9_PCODE_SAGV_CONTROL, ++ GEN9_SAGV_DISABLE); ++ if (ret) { ++ DRM_ERROR("Failed to disable the SAGV\n"); ++ goto out; ++ } ++ ++ ret = sandybridge_pcode_read(dev_priv, GEN9_PCODE_SAGV_CONTROL, ++ &temp); ++ if (ret) { ++ DRM_ERROR("Failed to check the status of the SAGV\n"); ++ goto out; ++ } ++ } while (!(temp & 0x1) && jiffies < timeout); ++ ++ if (temp & 0x1) { ++ dev_priv->skl_sagv_enabled = false; ++ } else { ++ ret = -1; ++ DRM_ERROR("Request to disable SAGV timed out\n"); ++ } ++ ++out: ++ mutex_unlock(&dev_priv->rps.hw_lock); ++ return ret; ++} ++ ++static void + skl_ddb_get_pipe_allocation_limits(struct drm_device *dev, + const struct intel_crtc_state *cstate, + struct skl_ddb_entry *alloc, /* out */ +@@ -3464,6 +3567,11 @@ static void skl_write_wm_values(struct drm_i915_private *dev_priv, + struct drm_device *dev = dev_priv->dev; + struct intel_crtc *crtc; + ++ if (dev_priv->active_crtcs == 1) ++ skl_enable_sagv(dev_priv); ++ else ++ skl_disable_sagv(dev_priv); ++ + for_each_intel_crtc(dev, crtc) { + int i, level, max_level = ilk_wm_max_level(dev); + enum pipe pipe = crtc->pipe; +@@ -4008,6 +4116,8 @@ void skl_wm_get_hw_state(struct drm_device *dev) + skl_plane_relative_data_rate(cstate, pstate, 1); + } + } ++ ++ skl_sagv_get_hw_state(dev_priv); + } + + static void ilk_pipe_wm_get_hw_state(struct drm_crtc *crtc) +-- +2.7.4 + diff --git a/drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch b/drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch deleted file mode 100644 index 996b47918..000000000 --- a/drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 217215041b9285af2193a755b56a8f3ed408bfe2 Mon Sep 17 00:00:00 2001 -From: Ben Skeggs <bskeggs@redhat.com> -Date: Wed, 6 Jul 2016 06:50:36 +1000 -Subject: [PATCH] drm/nouveau/disp/sor/gf119: select correct sor when poking - training pattern - -Fixes a regression caused by a stupid thinko from "disp/sor/gf119: both -links use the same training register". - -Signed-off-by: Ben Skeggs <bskeggs@redhat.com> -Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -index 22706c0..49bd5da 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c -@@ -40,7 +40,8 @@ static int - gf119_sor_dp_pattern(struct nvkm_output_dp *outp, int pattern) - { - struct nvkm_device *device = outp->base.disp->engine.subdev.device; -- nvkm_mask(device, 0x61c110, 0x0f0f0f0f, 0x01010101 * pattern); -+ const u32 soff = gf119_sor_soff(outp); -+ nvkm_mask(device, 0x61c110 + soff, 0x0f0f0f0f, 0x01010101 * pattern); - return 0; - } - diff --git a/filter-aarch64.sh b/filter-aarch64.sh index cc560ca97..753358630 100644 --- a/filter-aarch64.sh +++ b/filter-aarch64.sh @@ -9,7 +9,7 @@ # modifications to the overrides below. If something should be removed across # all arches, remove it in the default instead of per-arch. -driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging uio uwb w1" +driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging tty uio uwb w1" ethdrvs="3com adaptec arc alteon atheros broadcom cadence calxeda chelsio cisco dec dlink emulex icplus marvell micrel myricom neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis smsc stmicro sun tehuti ti via wiznet xircom" diff --git a/filter-armv7hl.sh b/filter-armv7hl.sh index 0ae6d925b..31c277c6d 100644 --- a/filter-armv7hl.sh +++ b/filter-armv7hl.sh @@ -9,7 +9,7 @@ # modifications to the overrides below. If something should be removed across # all arches, remove it in the default instead of per-arch. -driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn media memstick message mwave nfc ntb pcmcia platform ssb staging uio uwb w1" +driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn media memstick message mwave nfc ntb pcmcia platform ssb staging tty uio uwb w1" ethdrvs="3com adaptec alteon altera amd atheros broadcom cadence chelsio cisco dec dlink emulex icplus mellanox micrel myricom natsemi neterion nvidia oki-semi packetengines qlogic rdc renesas sfc silan sis sun tehuti via wiznet xircom" diff --git a/filter-i686.sh b/filter-i686.sh index dc6f42f5a..3a9f7b806 100644 --- a/filter-i686.sh +++ b/filter-i686.sh @@ -9,6 +9,6 @@ # modifications to the overrides below. If something should be removed across # all arches, remove it in the default instead of per-arch. -driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick mfd mmc mtd mwave nfc ntb pcmcia platform power ssb staging uio uwb w1" +driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick mfd mmc mtd mwave nfc ntb pcmcia platform power ssb staging tty uio uwb w1" singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject hid-sensor-hub hid-sensor-magn-3d hid-sensor-incl-3d hid-sensor-gyro-3d hid-sensor-iio-common hid-sensor-accel-3d hid-sensor-trigger hid-sensor-als hid-sensor-rotation target_core_user sbp_target" diff --git a/filter-ppc64.sh b/filter-ppc64.sh index e4990bbcb..b367bc673 100644 --- a/filter-ppc64.sh +++ b/filter-ppc64.sh @@ -9,6 +9,6 @@ # modifications to the overrides below. If something should be removed across # all arches, remove it in the default instead of per-arch. -driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging uio uwb w1" +driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging tty uio uwb w1" singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target" diff --git a/filter-ppc64le.sh b/filter-ppc64le.sh index e44c88ec5..9469b6636 100644 --- a/filter-ppc64le.sh +++ b/filter-ppc64le.sh @@ -9,6 +9,6 @@ # modifications to the overrides below. If something should be removed across # all arches, remove it in the default instead of per-arch. -driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging uio uwb w1" +driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging tty uio uwb w1" singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target" diff --git a/filter-ppc64p7.sh b/filter-ppc64p7.sh index b499f0e69..d0ad47fba 100644 --- a/filter-ppc64p7.sh +++ b/filter-ppc64p7.sh @@ -9,6 +9,6 @@ # modifications to the overrides below. If something should be removed across # all arches, remove it in the default instead of per-arch. -driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging uio uwb w1" +driverdirs="atm auxdisplay bcma bluetooth firewire fmc infiniband isdn leds media memstick message mmc mtd mwave nfc ntb pcmcia platform power ssb staging tty uio uwb w1" singlemods="ntb_netdev iscsi_ibft iscsi_boot_sysfs megaraid pmcraid qla1280 9pnet_rdma rpcrdma hid-picolcd hid-prodikeys hwa-hc hwpoison-inject target_core_user sbp_target" diff --git a/kernel.spec b/kernel.spec index efaa85499..9ea22ac74 100644 --- a/kernel.spec +++ b/kernel.spec @@ -59,7 +59,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -638,9 +638,6 @@ Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch #CVE-2016-5244 rhbz 1343338 1343337 Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt -#CVE-2016-4470 rhbz 1341716 1346626 -Patch727: KEYS-potential-uninitialized-variable.patch - #rhbz 1338025 Patch728: hp-wmi-fix-wifi-cannot-be-hard-unblock.patch @@ -663,29 +660,31 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch -#other drm/kms fixes (most Cc-ed stable) -Patch821: 0001-drm-mgag200-Black-screen-fix-for-G200e-rev-4.patch -Patch822: 0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch -Patch823: 0003-drm-nouveau-disp-sor-gf119-both-links-use-the-same-t.patch -Patch824: 0004-drm-nouveau-disp-sor-gm107-training-pattern-register.patch -Patch825: 0005-i915-fbc-Disable-on-HSW-by-default-for-now.patch - -#CVE-2016-5829 rhbz 1350509 1350513 -Patch826: HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch - -#CVE-2016-1237 rhbz 1350845 1350847 -Patch830: posix_acl-Add-set_posix_acl.patch -Patch831: nfsd-check-permissions-when-setting-ACLs.patch - #CVE-2016-6156 rhbz 1353490 1353491 Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch -#rbhz 1351205 -Patch833: drm-nouveau-disp-sor-gf119-select-correct-sor-when.patch - #rhbz 1346753 Patch834: qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch +#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615 +Patch835: tcp-make-challenge-acks-less-predictable.patch +Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch + +# https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/A4YCP7OGMX6JLFT5V44H57GOMAQLC3M4/ +Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch +Patch837: drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch +Patch838: Revert-ALSA-hda-remove-controller-dependency-on-i915.patch + +#CVE-2016-5400 rhbz 1358184 1358186 +Patch840: airspy-fix-error-logic-during-device-register.patch + +#CVE-2016-6136 rhbz 1353533 1353534 +Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch + +#CVE-2016-5412 rhbz 1349916 1361040 +Patch842: kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch +Patch843: kvm-ppc-Book3S-HV-Save-restore-TM-state.patch + # END OF PATCH DEFINITIONS %endif @@ -2214,6 +2213,27 @@ fi # # %changelog +* Thu Jul 28 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-5412 powerpc: kvm: Infinite loop in HV mode (rhbz 1349916 1361040) + +* Thu Jul 28 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Fix IP Wireless driver filtering (rhbz 1356043) thanks lkundrak + +* Wed Jul 27 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.5-300 +- Linux v4.6.5 + +* Mon Jul 25 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-6136 race condition in auditsc.c (rhbz 1353533 1353534) + +* Mon Jul 25 2016 Justin Forbes <jforbes@fedoraproject.org> +- CVE-2016-5400 Fix memory leak in airspy driver (rhbz 1358184 1358186) + +* Thu Jul 14 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Fix various i915 uncore oopses (rhbz 1340218 1325020 1342722 1347681) + +* Tue Jul 12 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.4-301 +- CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615) + * Mon Jul 11 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.4-300 - Linux v4.6.4 diff --git a/kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch b/kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch new file mode 100644 index 000000000..b4259375f --- /dev/null +++ b/kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch @@ -0,0 +1,506 @@ +Subject: [PATCH 1/2] KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures +From: Paul Mackerras <paulus@ozlabs.org> +Date: 2016-07-28 6:11:18 + +This moves the transactional memory state save and restore sequences +out of the guest entry/exit paths into separate procedures. This is +so that these sequences can be used in going into and out of nap +in a subsequent patch. + +The only code changes here are (a) saving and restore LR on the +stack, since these new procedures get called with a bl instruction, +(b) explicitly saving r1 into the PACA instead of assuming that +HSTATE_HOST_R1(r13) is already set, and (c) removing an unnecessary +and redundant setting of MSR[TM] that should have been removed by +commit 9d4d0bdd9e0a ("KVM: PPC: Book3S HV: Add transactional memory +support", 2013-09-24) but wasn't. + +Cc: stable@vger.kernel.org # v3.15+ +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 449 +++++++++++++++++--------------- + 1 file changed, 237 insertions(+), 212 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index 0d246fc..cfa4031 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -689,112 +689,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BEGIN_FTR_SECTION +- b skip_tm +-END_FTR_SECTION_IFCLR(CPU_FTR_TM) +- +- /* Turn on TM/FP/VSX/VMX so we can restore them. */ +- mfmsr r5 +- li r6, MSR_TM >> 32 +- sldi r6, r6, 32 +- or r5, r5, r6 +- ori r5, r5, MSR_FP +- oris r5, r5, (MSR_VEC | MSR_VSX)@h +- mtmsrd r5 +- +- /* +- * The user may change these outside of a transaction, so they must +- * always be context switched. +- */ +- ld r5, VCPU_TFHAR(r4) +- ld r6, VCPU_TFIAR(r4) +- ld r7, VCPU_TEXASR(r4) +- mtspr SPRN_TFHAR, r5 +- mtspr SPRN_TFIAR, r6 +- mtspr SPRN_TEXASR, r7 +- +- ld r5, VCPU_MSR(r4) +- rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 +- beq skip_tm /* TM not active in guest */ +- +- /* Make sure the failure summary is set, otherwise we'll program check +- * when we trechkpt. It's possible that this might have been not set +- * on a kvmppc_set_one_reg() call but we shouldn't let this crash the +- * host. +- */ +- oris r7, r7, (TEXASR_FS)@h +- mtspr SPRN_TEXASR, r7 +- +- /* +- * We need to load up the checkpointed state for the guest. +- * We need to do this early as it will blow away any GPRs, VSRs and +- * some SPRs. +- */ +- +- mr r31, r4 +- addi r3, r31, VCPU_FPRS_TM +- bl load_fp_state +- addi r3, r31, VCPU_VRS_TM +- bl load_vr_state +- mr r4, r31 +- lwz r7, VCPU_VRSAVE_TM(r4) +- mtspr SPRN_VRSAVE, r7 +- +- ld r5, VCPU_LR_TM(r4) +- lwz r6, VCPU_CR_TM(r4) +- ld r7, VCPU_CTR_TM(r4) +- ld r8, VCPU_AMR_TM(r4) +- ld r9, VCPU_TAR_TM(r4) +- mtlr r5 +- mtcr r6 +- mtctr r7 +- mtspr SPRN_AMR, r8 +- mtspr SPRN_TAR, r9 +- +- /* +- * Load up PPR and DSCR values but don't put them in the actual SPRs +- * till the last moment to avoid running with userspace PPR and DSCR for +- * too long. +- */ +- ld r29, VCPU_DSCR_TM(r4) +- ld r30, VCPU_PPR_TM(r4) +- +- std r2, PACATMSCRATCH(r13) /* Save TOC */ +- +- /* Clear the MSR RI since r1, r13 are all going to be foobar. */ +- li r5, 0 +- mtmsrd r5, 1 +- +- /* Load GPRs r0-r28 */ +- reg = 0 +- .rept 29 +- ld reg, VCPU_GPRS_TM(reg)(r31) +- reg = reg + 1 +- .endr +- +- mtspr SPRN_DSCR, r29 +- mtspr SPRN_PPR, r30 +- +- /* Load final GPRs */ +- ld 29, VCPU_GPRS_TM(29)(r31) +- ld 30, VCPU_GPRS_TM(30)(r31) +- ld 31, VCPU_GPRS_TM(31)(r31) +- +- /* TM checkpointed state is now setup. All GPRs are now volatile. */ +- TRECHKPT +- +- /* Now let's get back the state we need. */ +- HMT_MEDIUM +- GET_PACA(r13) +- ld r29, HSTATE_DSCR(r13) +- mtspr SPRN_DSCR, r29 +- ld r4, HSTATE_KVM_VCPU(r13) +- ld r1, HSTATE_HOST_R1(r13) +- ld r2, PACATMSCRATCH(r13) +- +- /* Set the MSR RI since we have our registers back. */ +- li r5, MSR_RI +- mtmsrd r5, 1 +-skip_tm: ++ bl kvmppc_restore_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) + #endif + + /* Load guest PMU registers */ +@@ -875,12 +771,6 @@ BEGIN_FTR_SECTION + /* Skip next section on POWER7 */ + b 8f + END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) +- /* Turn on TM so we can access TFHAR/TFIAR/TEXASR */ +- mfmsr r8 +- li r0, 1 +- rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG +- mtmsrd r8 +- + /* Load up POWER8-specific registers */ + ld r5, VCPU_IAMR(r4) + lwz r6, VCPU_PSPB(r4) +@@ -1470,106 +1360,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BEGIN_FTR_SECTION +- b 2f +-END_FTR_SECTION_IFCLR(CPU_FTR_TM) +- /* Turn on TM. */ +- mfmsr r8 +- li r0, 1 +- rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG +- mtmsrd r8 +- +- ld r5, VCPU_MSR(r9) +- rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 +- beq 1f /* TM not active in guest. */ +- +- li r3, TM_CAUSE_KVM_RESCHED +- +- /* Clear the MSR RI since r1, r13 are all going to be foobar. */ +- li r5, 0 +- mtmsrd r5, 1 +- +- /* All GPRs are volatile at this point. */ +- TRECLAIM(R3) +- +- /* Temporarily store r13 and r9 so we have some regs to play with */ +- SET_SCRATCH0(r13) +- GET_PACA(r13) +- std r9, PACATMSCRATCH(r13) +- ld r9, HSTATE_KVM_VCPU(r13) +- +- /* Get a few more GPRs free. */ +- std r29, VCPU_GPRS_TM(29)(r9) +- std r30, VCPU_GPRS_TM(30)(r9) +- std r31, VCPU_GPRS_TM(31)(r9) +- +- /* Save away PPR and DSCR soon so don't run with user values. */ +- mfspr r31, SPRN_PPR +- HMT_MEDIUM +- mfspr r30, SPRN_DSCR +- ld r29, HSTATE_DSCR(r13) +- mtspr SPRN_DSCR, r29 +- +- /* Save all but r9, r13 & r29-r31 */ +- reg = 0 +- .rept 29 +- .if (reg != 9) && (reg != 13) +- std reg, VCPU_GPRS_TM(reg)(r9) +- .endif +- reg = reg + 1 +- .endr +- /* ... now save r13 */ +- GET_SCRATCH0(r4) +- std r4, VCPU_GPRS_TM(13)(r9) +- /* ... and save r9 */ +- ld r4, PACATMSCRATCH(r13) +- std r4, VCPU_GPRS_TM(9)(r9) +- +- /* Reload stack pointer and TOC. */ +- ld r1, HSTATE_HOST_R1(r13) +- ld r2, PACATOC(r13) +- +- /* Set MSR RI now we have r1 and r13 back. */ +- li r5, MSR_RI +- mtmsrd r5, 1 +- +- /* Save away checkpinted SPRs. */ +- std r31, VCPU_PPR_TM(r9) +- std r30, VCPU_DSCR_TM(r9) +- mflr r5 +- mfcr r6 +- mfctr r7 +- mfspr r8, SPRN_AMR +- mfspr r10, SPRN_TAR +- std r5, VCPU_LR_TM(r9) +- stw r6, VCPU_CR_TM(r9) +- std r7, VCPU_CTR_TM(r9) +- std r8, VCPU_AMR_TM(r9) +- std r10, VCPU_TAR_TM(r9) +- +- /* Restore r12 as trap number. */ +- lwz r12, VCPU_TRAP(r9) +- +- /* Save FP/VSX. */ +- addi r3, r9, VCPU_FPRS_TM +- bl store_fp_state +- addi r3, r9, VCPU_VRS_TM +- bl store_vr_state +- mfspr r6, SPRN_VRSAVE +- stw r6, VCPU_VRSAVE_TM(r9) +-1: +- /* +- * We need to save these SPRs after the treclaim so that the software +- * error code is recorded correctly in the TEXASR. Also the user may +- * change these outside of a transaction, so they must always be +- * context switched. +- */ +- mfspr r5, SPRN_TFHAR +- mfspr r6, SPRN_TFIAR +- mfspr r7, SPRN_TEXASR +- std r5, VCPU_TFHAR(r9) +- std r6, VCPU_TFIAR(r9) +- std r7, VCPU_TEXASR(r9) +-2: ++ bl kvmppc_save_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) + #endif + + /* Increment yield count if they have a VPA */ +@@ -2694,6 +2486,239 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) + mr r4,r31 + blr + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++/* ++ * Save transactional state and TM-related registers. ++ * Called with r9 pointing to the vcpu struct. ++ * This can modify all checkpointed registers, but ++ * restores r1, r2 and r9 (vcpu pointer) before exit. ++ */ ++kvmppc_save_tm: ++ mflr r0 ++ std r0, PPC_LR_STKOFF(r1) ++ ++ /* Turn on TM. */ ++ mfmsr r8 ++ li r0, 1 ++ rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG ++ mtmsrd r8 ++ ++ ld r5, VCPU_MSR(r9) ++ rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 ++ beq 1f /* TM not active in guest. */ ++ ++ std r1, HSTATE_HOST_R1(r13) ++ li r3, TM_CAUSE_KVM_RESCHED ++ ++ /* Clear the MSR RI since r1, r13 are all going to be foobar. */ ++ li r5, 0 ++ mtmsrd r5, 1 ++ ++ /* All GPRs are volatile at this point. */ ++ TRECLAIM(R3) ++ ++ /* Temporarily store r13 and r9 so we have some regs to play with */ ++ SET_SCRATCH0(r13) ++ GET_PACA(r13) ++ std r9, PACATMSCRATCH(r13) ++ ld r9, HSTATE_KVM_VCPU(r13) ++ ++ /* Get a few more GPRs free. */ ++ std r29, VCPU_GPRS_TM(29)(r9) ++ std r30, VCPU_GPRS_TM(30)(r9) ++ std r31, VCPU_GPRS_TM(31)(r9) ++ ++ /* Save away PPR and DSCR soon so don't run with user values. */ ++ mfspr r31, SPRN_PPR ++ HMT_MEDIUM ++ mfspr r30, SPRN_DSCR ++ ld r29, HSTATE_DSCR(r13) ++ mtspr SPRN_DSCR, r29 ++ ++ /* Save all but r9, r13 & r29-r31 */ ++ reg = 0 ++ .rept 29 ++ .if (reg != 9) && (reg != 13) ++ std reg, VCPU_GPRS_TM(reg)(r9) ++ .endif ++ reg = reg + 1 ++ .endr ++ /* ... now save r13 */ ++ GET_SCRATCH0(r4) ++ std r4, VCPU_GPRS_TM(13)(r9) ++ /* ... and save r9 */ ++ ld r4, PACATMSCRATCH(r13) ++ std r4, VCPU_GPRS_TM(9)(r9) ++ ++ /* Reload stack pointer and TOC. */ ++ ld r1, HSTATE_HOST_R1(r13) ++ ld r2, PACATOC(r13) ++ ++ /* Set MSR RI now we have r1 and r13 back. */ ++ li r5, MSR_RI ++ mtmsrd r5, 1 ++ ++ /* Save away checkpinted SPRs. */ ++ std r31, VCPU_PPR_TM(r9) ++ std r30, VCPU_DSCR_TM(r9) ++ mflr r5 ++ mfcr r6 ++ mfctr r7 ++ mfspr r8, SPRN_AMR ++ mfspr r10, SPRN_TAR ++ std r5, VCPU_LR_TM(r9) ++ stw r6, VCPU_CR_TM(r9) ++ std r7, VCPU_CTR_TM(r9) ++ std r8, VCPU_AMR_TM(r9) ++ std r10, VCPU_TAR_TM(r9) ++ ++ /* Restore r12 as trap number. */ ++ lwz r12, VCPU_TRAP(r9) ++ ++ /* Save FP/VSX. */ ++ addi r3, r9, VCPU_FPRS_TM ++ bl store_fp_state ++ addi r3, r9, VCPU_VRS_TM ++ bl store_vr_state ++ mfspr r6, SPRN_VRSAVE ++ stw r6, VCPU_VRSAVE_TM(r9) ++1: ++ /* ++ * We need to save these SPRs after the treclaim so that the software ++ * error code is recorded correctly in the TEXASR. Also the user may ++ * change these outside of a transaction, so they must always be ++ * context switched. ++ */ ++ mfspr r5, SPRN_TFHAR ++ mfspr r6, SPRN_TFIAR ++ mfspr r7, SPRN_TEXASR ++ std r5, VCPU_TFHAR(r9) ++ std r6, VCPU_TFIAR(r9) ++ std r7, VCPU_TEXASR(r9) ++ ++ ld r0, PPC_LR_STKOFF(r1) ++ mtlr r0 ++ blr ++ ++/* ++ * Restore transactional state and TM-related registers. ++ * Called with r4 pointing to the vcpu struct. ++ * This potentially modifies all checkpointed registers. ++ * It restores r1, r2, r4 from the PACA. ++ */ ++kvmppc_restore_tm: ++ mflr r0 ++ std r0, PPC_LR_STKOFF(r1) ++ ++ /* Turn on TM/FP/VSX/VMX so we can restore them. */ ++ mfmsr r5 ++ li r6, MSR_TM >> 32 ++ sldi r6, r6, 32 ++ or r5, r5, r6 ++ ori r5, r5, MSR_FP ++ oris r5, r5, (MSR_VEC | MSR_VSX)@h ++ mtmsrd r5 ++ ++ /* ++ * The user may change these outside of a transaction, so they must ++ * always be context switched. ++ */ ++ ld r5, VCPU_TFHAR(r4) ++ ld r6, VCPU_TFIAR(r4) ++ ld r7, VCPU_TEXASR(r4) ++ mtspr SPRN_TFHAR, r5 ++ mtspr SPRN_TFIAR, r6 ++ mtspr SPRN_TEXASR, r7 ++ ++ ld r5, VCPU_MSR(r4) ++ rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 ++ beqlr /* TM not active in guest */ ++ std r1, HSTATE_HOST_R1(r13) ++ ++ /* Make sure the failure summary is set, otherwise we'll program check ++ * when we trechkpt. It's possible that this might have been not set ++ * on a kvmppc_set_one_reg() call but we shouldn't let this crash the ++ * host. ++ */ ++ oris r7, r7, (TEXASR_FS)@h ++ mtspr SPRN_TEXASR, r7 ++ ++ /* ++ * We need to load up the checkpointed state for the guest. ++ * We need to do this early as it will blow away any GPRs, VSRs and ++ * some SPRs. ++ */ ++ ++ mr r31, r4 ++ addi r3, r31, VCPU_FPRS_TM ++ bl load_fp_state ++ addi r3, r31, VCPU_VRS_TM ++ bl load_vr_state ++ mr r4, r31 ++ lwz r7, VCPU_VRSAVE_TM(r4) ++ mtspr SPRN_VRSAVE, r7 ++ ++ ld r5, VCPU_LR_TM(r4) ++ lwz r6, VCPU_CR_TM(r4) ++ ld r7, VCPU_CTR_TM(r4) ++ ld r8, VCPU_AMR_TM(r4) ++ ld r9, VCPU_TAR_TM(r4) ++ mtlr r5 ++ mtcr r6 ++ mtctr r7 ++ mtspr SPRN_AMR, r8 ++ mtspr SPRN_TAR, r9 ++ ++ /* ++ * Load up PPR and DSCR values but don't put them in the actual SPRs ++ * till the last moment to avoid running with userspace PPR and DSCR for ++ * too long. ++ */ ++ ld r29, VCPU_DSCR_TM(r4) ++ ld r30, VCPU_PPR_TM(r4) ++ ++ std r2, PACATMSCRATCH(r13) /* Save TOC */ ++ ++ /* Clear the MSR RI since r1, r13 are all going to be foobar. */ ++ li r5, 0 ++ mtmsrd r5, 1 ++ ++ /* Load GPRs r0-r28 */ ++ reg = 0 ++ .rept 29 ++ ld reg, VCPU_GPRS_TM(reg)(r31) ++ reg = reg + 1 ++ .endr ++ ++ mtspr SPRN_DSCR, r29 ++ mtspr SPRN_PPR, r30 ++ ++ /* Load final GPRs */ ++ ld 29, VCPU_GPRS_TM(29)(r31) ++ ld 30, VCPU_GPRS_TM(30)(r31) ++ ld 31, VCPU_GPRS_TM(31)(r31) ++ ++ /* TM checkpointed state is now setup. All GPRs are now volatile. */ ++ TRECHKPT ++ ++ /* Now let's get back the state we need. */ ++ HMT_MEDIUM ++ GET_PACA(r13) ++ ld r29, HSTATE_DSCR(r13) ++ mtspr SPRN_DSCR, r29 ++ ld r4, HSTATE_KVM_VCPU(r13) ++ ld r1, HSTATE_HOST_R1(r13) ++ ld r2, PACATMSCRATCH(r13) ++ ++ /* Set the MSR RI since we have our registers back. */ ++ li r5, MSR_RI ++ mtmsrd r5, 1 ++ ++ ld r0, PPC_LR_STKOFF(r1) ++ mtlr r0 ++ blr ++#endif ++ + /* + * We come here if we get any exception or interrupt while we are + * executing host real mode code while in guest MMU context. +-- +2.8.0.rc3 diff --git a/kvm-ppc-Book3S-HV-Save-restore-TM-state.patch b/kvm-ppc-Book3S-HV-Save-restore-TM-state.patch new file mode 100644 index 000000000..f63aa795d --- /dev/null +++ b/kvm-ppc-Book3S-HV-Save-restore-TM-state.patch @@ -0,0 +1,67 @@ +Subject: [PATCH 2/2] KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE +From: Paul Mackerras <paulus@ozlabs.org> +Date: 2016-07-28 6:11:19 + +It turns out that if the guest does a H_CEDE while the CPU is in +a transactional state, and the H_CEDE does a nap, and the nap +loses the architected state of the CPU (which is is allowed to do), +then we lose the checkpointed state of the virtual CPU. In addition, +the transactional-memory state recorded in the MSR gets reset back +to non-transactional, and when we try to return to the guest, we take +a TM bad thing type of program interrupt because we are trying to +transition from non-transactional to transactional with a hrfid +instruction, which is not permitted. + +The result of the program interrupt occurring at that point is that +the host CPU will hang in an infinite loop with interrupts disabled. +Thus this is a denial of service vulnerability in the host which can +be triggered by any guest (and depending on the guest kernel, it can +potentially triggered by unprivileged userspace in the guest). + +This vulnerability has been assigned the ID CVE-2016-5412. + +To fix this, we save the TM state before napping and restore it +on exit from the nap, when handling a H_CEDE in real mode. The +case where H_CEDE exits to host virtual mode is already OK (as are +other hcalls which exit to host virtual mode) because the exit +path saves the TM state. + +Cc: stable@vger.kernel.org # v3.15+ +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +index cfa4031..543124f 100644 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -2093,6 +2093,13 @@ _GLOBAL(kvmppc_h_cede) /* r3 = vcpu pointer, r11 = msr, r13 = paca */ + /* save FP state */ + bl kvmppc_save_fp + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++BEGIN_FTR_SECTION ++ ld r9, HSTATE_KVM_VCPU(r13) ++ bl kvmppc_save_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) ++#endif ++ + /* + * Set DEC to the smaller of DEC and HDEC, so that we wake + * no later than the end of our timeslice (HDEC interrupts +@@ -2169,6 +2176,12 @@ kvm_end_cede: + bl kvmhv_accumulate_time + #endif + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++BEGIN_FTR_SECTION ++ bl kvmppc_restore_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) ++#endif ++ + /* load up FP state */ + bl kvmppc_load_fp + +-- +2.8.0.rc3 diff --git a/nfsd-check-permissions-when-setting-ACLs.patch b/nfsd-check-permissions-when-setting-ACLs.patch deleted file mode 100644 index 37ed435e0..000000000 --- a/nfsd-check-permissions-when-setting-ACLs.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 999653786df6954a31044528ac3f7a5dadca08f4 Mon Sep 17 00:00:00 2001 -From: Ben Hutchings <ben@decadent.org.uk> -Date: Wed, 22 Jun 2016 19:43:35 +0100 -Subject: [PATCH] nfsd: check permissions when setting ACLs - -Use set_posix_acl, which includes proper permission checks, instead of -calling ->set_acl directly. Without this anyone may be able to grant -themselves permissions to a file by setting the ACL. - -Lock the inode to make the new checks atomic with respect to set_acl. -(Also, nfsd was the only caller of set_acl not locking the inode, so I -suspect this may fix other races.) - -This also simplifies the code, and ensures our ACLs are checked by -posix_acl_valid. - -The permission checks and the inode locking were lost with commit -4ac7249e, which changed nfsd to use the set_acl inode operation directly -instead of going through xattr handlers. - -Reported-by: David Sinquin <david@sinquin.eu> -[agreunba@redhat.com: use set_posix_acl] -Fixes: 4ac7249e -Cc: Christoph Hellwig <hch@infradead.org> -Cc: Al Viro <viro@zeniv.linux.org.uk> -Cc: stable@vger.kernel.org -Signed-off-by: J. Bruce Fields <bfields@redhat.com> ---- - fs/nfsd/nfs2acl.c | 20 ++++++++++---------- - fs/nfsd/nfs3acl.c | 16 +++++++--------- - fs/nfsd/nfs4acl.c | 16 ++++++++-------- - 3 files changed, 25 insertions(+), 27 deletions(-) - -diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c -index 1580ea6fd64d..d08cd88155c7 100644 ---- a/fs/nfsd/nfs2acl.c -+++ b/fs/nfsd/nfs2acl.c -@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct svc_rqst * rqstp, - goto out; - - inode = d_inode(fh->fh_dentry); -- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { -- error = -EOPNOTSUPP; -- goto out_errno; -- } - - error = fh_want_write(fh); - if (error) - goto out_errno; - -- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); -+ fh_lock(fh); -+ -+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); - if (error) -- goto out_drop_write; -- error = inode->i_op->set_acl(inode, argp->acl_default, -- ACL_TYPE_DEFAULT); -+ goto out_drop_lock; -+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); - if (error) -- goto out_drop_write; -+ goto out_drop_lock; -+ -+ fh_unlock(fh); - - fh_drop_write(fh); - -@@ -131,7 +130,8 @@ out: - posix_acl_release(argp->acl_access); - posix_acl_release(argp->acl_default); - return nfserr; --out_drop_write: -+out_drop_lock: -+ fh_unlock(fh); - fh_drop_write(fh); - out_errno: - nfserr = nfserrno(error); -diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c -index 01df4cd7c753..0c890347cde3 100644 ---- a/fs/nfsd/nfs3acl.c -+++ b/fs/nfsd/nfs3acl.c -@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct svc_rqst * rqstp, - goto out; - - inode = d_inode(fh->fh_dentry); -- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { -- error = -EOPNOTSUPP; -- goto out_errno; -- } - - error = fh_want_write(fh); - if (error) - goto out_errno; - -- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); -+ fh_lock(fh); -+ -+ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); - if (error) -- goto out_drop_write; -- error = inode->i_op->set_acl(inode, argp->acl_default, -- ACL_TYPE_DEFAULT); -+ goto out_drop_lock; -+ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); - --out_drop_write: -+out_drop_lock: -+ fh_unlock(fh); - fh_drop_write(fh); - out_errno: - nfserr = nfserrno(error); -diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c -index 6adabd6049b7..71292a0d6f09 100644 ---- a/fs/nfsd/nfs4acl.c -+++ b/fs/nfsd/nfs4acl.c -@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, - dentry = fhp->fh_dentry; - inode = d_inode(dentry); - -- if (!inode->i_op->set_acl || !IS_POSIXACL(inode)) -- return nfserr_attrnotsupp; -- - if (S_ISDIR(inode->i_mode)) - flags = NFS4_ACL_DIR; - -@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqstp, struct svc_fh *fhp, - if (host_error < 0) - goto out_nfserr; - -- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS); -+ fh_lock(fhp); -+ -+ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl); - if (host_error < 0) -- goto out_release; -+ goto out_drop_lock; - - if (S_ISDIR(inode->i_mode)) { -- host_error = inode->i_op->set_acl(inode, dpacl, -- ACL_TYPE_DEFAULT); -+ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl); - } - --out_release: -+out_drop_lock: -+ fh_unlock(fhp); -+ - posix_acl_release(pacl); - posix_acl_release(dpacl); - out_nfserr: --- -2.5.5 - diff --git a/posix_acl-Add-set_posix_acl.patch b/posix_acl-Add-set_posix_acl.patch deleted file mode 100644 index c067f7b85..000000000 --- a/posix_acl-Add-set_posix_acl.patch +++ /dev/null @@ -1,55 +0,0 @@ -From c463b51e8ea1ae47a7bb8cc2777eb550ad3273e2 Mon Sep 17 00:00:00 2001 -From: Andreas Gruenbacher <agruenba@redhat.com> -Date: Wed, 22 Jun 2016 23:57:25 +0200 -Subject: [PATCH] posix_acl: Add set_posix_acl - -Factor out part of posix_acl_xattr_set into a common function that takes -a posix_acl, which nfsd can also call. - -The prototype already exists in include/linux/posix_acl.h. - -Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> -Cc: stable@vger.kernel.org -Cc: Christoph Hellwig <hch@infradead.org> -Cc: Al Viro <viro@zeniv.linux.org.uk> -Signed-off-by: J. Bruce Fields <bfields@redhat.com> ---- - fs/posix_acl.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/fs/posix_acl.c b/fs/posix_acl.c -index 711dd5170376..f30caace5b84 100644 ---- a/fs/posix_acl.c -+++ b/fs/posix_acl.c -@@ -786,6 +786,28 @@ posix_acl_xattr_get(const struct xattr_handler *handler, - return error; - } - -+int -+set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) -+{ -+ if (!IS_POSIXACL(inode)) -+ return -EOPNOTSUPP; -+ if (!inode->i_op->set_acl) -+ return -EOPNOTSUPP; -+ -+ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) -+ return acl ? -EACCES : 0; -+ if (!inode_owner_or_capable(inode)) -+ return -EPERM; -+ -+ if (acl) { -+ int ret = posix_acl_valid(acl); -+ if (ret) -+ return ret; -+ } -+ return inode->i_op->set_acl(inode, acl, type); -+} -+EXPORT_SYMBOL(set_posix_acl); -+ - static int - posix_acl_xattr_set(const struct xattr_handler *handler, - struct dentry *dentry, const char *name, --- -2.5.5 - @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -c8ff415734155965ae7a2a85ef9c9e03 patch-4.6.4.xz +ad32c9ec1c69a99811d160d6014f9b2d patch-4.6.5.xz diff --git a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch b/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch new file mode 100644 index 000000000..0a5eab8aa --- /dev/null +++ b/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch @@ -0,0 +1,102 @@ +From 8272c58d085e5611a7f839fa32e148ae62446375 Mon Sep 17 00:00:00 2001 +From: Jason Baron <jbaron@akamai.com> +Date: Thu, 14 Jul 2016 11:38:40 -0400 +Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks' + +The per-socket rate limit for 'challenge acks' was introduced in the +context of limiting ack loops: + +commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock") + +And I think it can be extended to rate limit all 'challenge acks' on a +per-socket basis. + +Since we have the global tcp_challenge_ack_limit, this patch allows for +tcp_challenge_ack_limit to be set to a large value and effectively rely on +the per-socket limit, or set tcp_challenge_ack_limit to a lower value and +still prevents a single connections from consuming the entire challenge ack +quota. + +It further moves in the direction of eliminating the global limit at some +point, as Eric Dumazet has suggested. This a follow-up to: +Subject: tcp: make challenge acks less predictable + +Cc: Eric Dumazet <edumazet@google.com> +Cc: David S. Miller <davem@davemloft.net> +Cc: Neal Cardwell <ncardwell@google.com> +Cc: Yuchung Cheng <ycheng@google.com> +Cc: Yue Cao <ycao009@ucr.edu> +Signed-off-by: Jason Baron <jbaron@akamai.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++----------------- + 1 file changed, 22 insertions(+), 17 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 8c011359646b..796315104ad7 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3423,6 +3423,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32 + return flag; + } + ++static bool __tcp_oow_rate_limited(struct net *net, int mib_idx, ++ u32 *last_oow_ack_time) ++{ ++ if (*last_oow_ack_time) { ++ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time); ++ ++ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) { ++ NET_INC_STATS(net, mib_idx); ++ return true; /* rate-limited: don't send yet! */ ++ } ++ } ++ ++ *last_oow_ack_time = tcp_time_stamp; ++ ++ return false; /* not rate-limited: go ahead, send dupack now! */ ++} ++ + /* Return true if we're currently rate-limiting out-of-window ACKs and + * thus shouldn't send a dupack right now. We rate-limit dupacks in + * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS +@@ -3436,21 +3453,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb, + /* Data packets without SYNs are not likely part of an ACK loop. */ + if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) && + !tcp_hdr(skb)->syn) +- goto not_rate_limited; +- +- if (*last_oow_ack_time) { +- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time); +- +- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) { +- NET_INC_STATS_BH(net, mib_idx); +- return true; /* rate-limited: don't send yet! */ +- } +- } +- +- *last_oow_ack_time = tcp_time_stamp; ++ return false; + +-not_rate_limited: +- return false; /* not rate-limited: go ahead, send dupack now! */ ++ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time); + } + + /* RFC 5961 7 [ACK Throttling] */ +@@ -3463,9 +3468,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb) + u32 count, now; + + /* First check our per-socket dupack rate limit. */ +- if (tcp_oow_rate_limited(sock_net(sk), skb, +- LINUX_MIB_TCPACKSKIPPEDCHALLENGE, +- &tp->last_oow_ack_time)) ++ if (__tcp_oow_rate_limited(sock_net(sk), ++ LINUX_MIB_TCPACKSKIPPEDCHALLENGE, ++ &tp->last_oow_ack_time)) + return; + + /* Then check host-wide RFC 5961 rate limit. */ +-- +2.7.4 + diff --git a/tcp-make-challenge-acks-less-predictable.patch b/tcp-make-challenge-acks-less-predictable.patch new file mode 100644 index 000000000..992e4f522 --- /dev/null +++ b/tcp-make-challenge-acks-less-predictable.patch @@ -0,0 +1,83 @@ +From 771209218b9ec051a573b9fddc149682a534190e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Sun, 10 Jul 2016 10:04:02 +0200 +Subject: [PATCH] tcp: make challenge acks less predictable + +Yue Cao claims that current host rate limiting of challenge ACKS +(RFC 5961) could leak enough information to allow a patient attacker +to hijack TCP sessions. He will soon provide details in an academic +paper. + +This patch increases the default limit from 100 to 1000, and adds +some randomization so that the attacker can no longer hijack +sessions without spending a considerable amount of probes. + +Based on initial analysis and patch from Linus. + +Note that we also have per socket rate limiting, so it is tempting +to remove the host limit in the future. + +v2: randomize the count of challenge acks per second, not the period. + +Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") +Reported-by: Yue Cao <ycao009@ucr.edu> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Yuchung Cheng <ycheng@google.com> +Cc: Neal Cardwell <ncardwell@google.com> +Acked-by: Neal Cardwell <ncardwell@google.com> +Acked-by: Yuchung Cheng <ycheng@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/tcp_input.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index c124c3c12f7c..8c011359646b 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1; + EXPORT_SYMBOL(sysctl_tcp_adv_win_scale); + + /* rfc5961 challenge ack rate limiting */ +-int sysctl_tcp_challenge_ack_limit = 100; ++int sysctl_tcp_challenge_ack_limit = 1000; + + int sysctl_tcp_stdurg __read_mostly; + int sysctl_tcp_rfc1337 __read_mostly; +@@ -3460,7 +3460,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb) + static u32 challenge_timestamp; + static unsigned int challenge_count; + struct tcp_sock *tp = tcp_sk(sk); +- u32 now; ++ u32 count, now; + + /* First check our per-socket dupack rate limit. */ + if (tcp_oow_rate_limited(sock_net(sk), skb, +@@ -3468,14 +3468,19 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb) + &tp->last_oow_ack_time)) + return; + +- /* Then check the check host-wide RFC 5961 rate limit. */ ++ /* Then check host-wide RFC 5961 rate limit. */ + now = jiffies / HZ; + if (now != challenge_timestamp) { ++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1; ++ + challenge_timestamp = now; +- challenge_count = 0; ++ WRITE_ONCE(challenge_count, half + ++ prandom_u32_max(sysctl_tcp_challenge_ack_limit)); + } +- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) { +- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); ++ count = READ_ONCE(challenge_count); ++ if (count > 0) { ++ WRITE_ONCE(challenge_count, count - 1); ++ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK); + tcp_send_ack(sk); + } + } +-- +2.5.5 + |