Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedorakernel-4.7.3-200.vanilla.knurd.1.fc24

6 files changed, 141 insertions, 187 deletions

diff --git a/0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch b/0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch
deleted file mode 100644
index 0373d3a2a..000000000
--- a/0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From bdc54d8e3cb4a41dddcabfd86d9eb3aa5f622b75 Mon Sep 17 00:00:00 2001
-From: Trond Myklebust <trond.myklebust@primarydata.com>
-Date: Sat, 16 Jul 2016 11:47:00 -0400
-Subject: [PATCH] SUNRPC: Fix infinite looping in
- rpc_clnt_iterate_for_each_xprt
-
-If there were less than 2 entries in the multipath list, then
-xprt_iter_next_entry_multiple() would never advance beyond the
-first entry, which is correct for round robin behaviour, but not
-for the list iteration.
-
-The end result would be infinite looping in rpc_clnt_iterate_for_each_xprt()
-as we would never see the xprt == NULL condition fulfilled.
-
-Reported-by: Oleg Drokin <green@linuxhacker.ru>
-Fixes: 80b14d5e61ca ("SUNRPC: Add a structure to track multiple transports")
-Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
----
- net/sunrpc/xprtmultipath.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/net/sunrpc/xprtmultipath.c b/net/sunrpc/xprtmultipath.c
-index e7fd769..66c9d63 100644
---- a/net/sunrpc/xprtmultipath.c
-+++ b/net/sunrpc/xprtmultipath.c
-@@ -271,14 +271,12 @@ struct rpc_xprt *xprt_iter_next_entry_multiple(struct rpc_xprt_iter *xpi,
- 		xprt_switch_find_xprt_t find_next)
- {
- 	struct rpc_xprt_switch *xps = rcu_dereference(xpi->xpi_xpswitch);
--	struct list_head *head;
- 
- 	if (xps == NULL)
- 		return NULL;
--	head = &xps->xps_xprt_list;
--	if (xps->xps_nxprts < 2)
--		return xprt_switch_find_first_entry(head);
--	return xprt_switch_set_next_cursor(head, &xpi->xpi_cursor, find_next);
-+	return xprt_switch_set_next_cursor(&xps->xps_xprt_list,
-+			&xpi->xpi_cursor,
-+			find_next);
- }
- 
- static
--- 
-2.7.4
-
diff --git a/aacraid-Check-size-values-after-double-fetch-from-us.patch b/aacraid-Check-size-values-after-double-fetch-from-us.patch
deleted file mode 100644
index 6ff771160..000000000
--- a/aacraid-Check-size-values-after-double-fetch-from-us.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001
-From: Dave Carroll <david.carroll@microsemi.com>
-Date: Fri, 5 Aug 2016 13:44:10 -0600
-Subject: [PATCH] aacraid: Check size values after double-fetch from user
-
-In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
-get the fib header's size and one for the fib itself. Later we use the
-size field from the second fetch to further process the fib. If for some
-reason the size from the second fetch is different than from the first
-fix, we may encounter an out-of- bounds access in aac_fib_send(). We
-also check the sender size to insure it is not out of bounds. This was
-reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
-assigned CVE-2016-6480.
-
-Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
-Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
-Cc: stable@vger.kernel.org
-Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
-Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
----
- drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index b381b37..5648b71 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- 	struct fib *fibptr;
- 	struct hw_fib * hw_fib = (struct hw_fib *)0;
- 	dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
--	unsigned size;
-+	unsigned int size, osize;
- 	int retval;
-
- 	if (dev->in_reset) {
-@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- 	 *	will not overrun the buffer when we copy the memory. Return
- 	 *	an error if we would.
- 	 */
--	size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
-+	osize = size = le16_to_cpu(kfib->header.Size) +
-+		sizeof(struct aac_fibhdr);
- 	if (size < le16_to_cpu(kfib->header.SenderSize))
- 		size = le16_to_cpu(kfib->header.SenderSize);
- 	if (size > dev->max_fib_size) {
-@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- 		goto cleanup;
- 	}
-
-+	/* Sanity check the second copy */
-+	if ((osize != le16_to_cpu(kfib->header.Size) +
-+		sizeof(struct aac_fibhdr))
-+		|| (size < le16_to_cpu(kfib->header.SenderSize))) {
-+		retval = -EINVAL;
-+		goto cleanup;
-+	}
-+
- 	if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
- 		aac_adapter_interrupt(dev);
- 		/*
--- 
-2.7.4
-
diff --git a/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch b/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
deleted file mode 100644
index a5dc6f3a2..000000000
--- a/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 74f829a6e44fe217b6161f8935524fc807be0648 Mon Sep 17 00:00:00 2001
-From: Chris Wilson <chris@chris-wilson.co.uk>
-Date: Sat, 9 Jul 2016 11:01:20 +0100
-Subject: [PATCH] drm/i915: Acquire audio powerwell for HD-Audio registers
-
-On Haswell/Broadwell, the HD-Audio block is inside the HDMI/display
-power well and so the sna-hda audio codec acquires the display power
-well while it is operational. However, Skylake separates the powerwells
-again, but yet we still need the audio powerwell to setup the registers.
-(But then the hardware uses those registers even while powered off???)
-
-v2: Grab both rpm wakelock and audio wakelock
-
-Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96214
-Fixes: 03b135cebc47 "ALSA: hda - remove dependency on i915 power well for SKL")
-Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
-Cc: Libin Yang <libin.yang@intel.com>
-Cc: Takashi Iwai <tiwai@suse.de>
-Cc: Marius Vlad <marius.c.vlad@intel.com>
----
- drivers/gpu/drm/i915/intel_audio.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c
-index 5d5f6bc10e85..948a7a52e3f8 100644
---- a/drivers/gpu/drm/i915/intel_audio.c
-+++ b/drivers/gpu/drm/i915/intel_audio.c
-@@ -600,6 +600,8 @@ static void i915_audio_component_codec_wake_override(struct device *dev,
- 	if (!IS_SKYLAKE(dev_priv) && !IS_KABYLAKE(dev_priv))
- 		return;
- 
-+	i915_audio_component_get_power(dev);
-+
- 	/*
- 	 * Enable/disable generating the codec wake signal, overriding the
- 	 * internal logic to generate the codec wake to controller.
-@@ -615,6 +617,8 @@ static void i915_audio_component_codec_wake_override(struct device *dev,
- 		I915_WRITE(HSW_AUD_CHICKENBIT, tmp);
- 		usleep_range(1000, 1500);
- 	}
-+
-+	i915_audio_component_put_power(dev);
- }
- 
- /* Get CDCLK in kHz  */
-@@ -648,6 +652,7 @@ static int i915_audio_component_sync_audio_rate(struct device *dev,
- 	    !IS_HASWELL(dev_priv))
- 		return 0;
- 
-+	i915_audio_component_get_power(dev);
- 	mutex_lock(&dev_priv->av_mutex);
- 	/* 1. get the pipe */
- 	intel_encoder = dev_priv->dig_port_map[port];
-@@ -698,6 +703,7 @@ static int i915_audio_component_sync_audio_rate(struct device *dev,
- 
-  unlock:
- 	mutex_unlock(&dev_priv->av_mutex);
-+	i915_audio_component_put_power(dev);
- 	return err;
- }
- 
--- 
-2.8.1
-
diff --git a/kernel.spec b/kernel.spec
index 7b573ab71..cef9cec43 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -44,7 +44,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 201
+%global baserelease 200
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 
 
 # Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -637,15 +637,9 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
 Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
 Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
 
-# https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/A4YCP7OGMX6JLFT5V44H57GOMAQLC3M4/
-Patch838: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
-
 #rhbz 1353558
 Patch844: 0001-selinux-Only-apply-bounds-checking-to-source-types.patch
 
-#CVE-2016-6480 rhbz 1362466 1362467
-Patch855: aacraid-Check-size-values-after-double-fetch-from-us.patch
-
 #rhbz 1365940
 Patch856: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch
 
@@ -658,12 +652,12 @@ Patch858: 0001-OOM-detection-regressions-since-4.7.patch
 #rhbz 1360688
 Patch859: rc-core-fix-repeat-events.patch
 
-#rhbz 1371237
-Patch860: 0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch
-
 # https://lkml.org/lkml/2016/8/30/566
 Patch861: 0001-cgroup-reduce-read-locked-section-of-cgroup_threadgr.patch
 
+#rhbz 1350174
+Patch862: tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2194,6 +2188,10 @@ fi
 #
 # 
 %changelog
+* Wed Sep 07 2017 <labbott@fedoraproject.org> - 4.7.3-200
+- Linux v4.7.3
+- Silence KASLR warning (rhbz 1350174)
+
 * Fri Sep 02 2016 <labbott@fedoraproject.org>
 - Add fix for known cgroup deadlock
 
diff --git a/sources b/sources
index cec90d779..c33fe9c55 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 5276563eb1f39a048e4a8a887408c031  linux-4.7.tar.xz
 fe259c02c75eec61d1aa4b1211f3c853  perf-man-4.7.tar.gz
-64e8a8969536c5d700c9e6a591d28dad  patch-4.7.2.xz
+803bdedd9b9cd4ef43d9d5d41801f234  patch-4.7.3.xz
diff --git a/tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch b/tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch
new file mode 100644
index 000000000..7d79fbcef
--- /dev/null
+++ b/tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch
@@ -0,0 +1,131 @@
+From patchwork Sun Jun 26 11:01:18 2016
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [tip:x86/boot] x86/KASLR,
+ x86/power: Remove x86 hibernation restrictions
+From: tip-bot for Jacob Shin <tipbot@zytor.com>
+X-Patchwork-Id: 9199367
+Message-Id: <tip-65fe935dd2387a4faf15314c73f5e6d31ef0217e@git.kernel.org>
+To: linux-tip-commits@vger.kernel.org
+Cc: pavel@ucw.cz, linux-pm@vger.kernel.org, yinghai@kernel.org,
+ mingo@kernel.org, linux-kernel@vger.kernel.org, tglx@linutronix.de,
+ corbet@lwn.net, dvlasenk@redhat.com, sds@tycho.nsa.gov,
+ peterz@infradead.org, logang@deltatee.com, bhe@redhat.com,
+ torvalds@linux-foundation.org, bp@alien8.de, luto@kernel.org,
+ keescook@chromium.org, hpa@zytor.com, brgerst@gmail.com,
+ len.brown@intel.com
+Date: Sun, 26 Jun 2016 04:01:18 -0700
+
+Commit-ID:  65fe935dd2387a4faf15314c73f5e6d31ef0217e
+Gitweb:     http://git.kernel.org/tip/65fe935dd2387a4faf15314c73f5e6d31ef0217e
+Author:     Kees Cook <keescook@chromium.org>
+AuthorDate: Mon, 13 Jun 2016 15:10:02 -0700
+Committer:  Ingo Molnar <mingo@kernel.org>
+CommitDate: Sun, 26 Jun 2016 12:32:03 +0200
+
+x86/KASLR, x86/power: Remove x86 hibernation restrictions
+
+With the following fix:
+
+  70595b479ce1 ("x86/power/64: Fix crash whan the hibernation code passes control to the image kernel")
+
+... there is no longer a problem with hibernation resuming a
+KASLR-booted kernel image, so remove the restriction.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Len Brown <len.brown@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Linux PM list <linux-pm@vger.kernel.org>
+Cc: Logan Gunthorpe <logang@deltatee.com>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephen Smalley <sds@tycho.nsa.gov>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: linux-doc@vger.kernel.org
+Link: http://lkml.kernel.org/r/20160613221002.GA29719@www.outflux.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ Documentation/kernel-parameters.txt | 10 ++++------
+ arch/x86/boot/compressed/kaslr.c    |  7 -------
+ kernel/power/hibernate.c            |  6 ------
+ 3 files changed, 4 insertions(+), 19 deletions(-)
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-pm" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 82b42c9..fa8c6d4 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1803,12 +1803,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 	js=		[HW,JOY] Analog joystick
+ 			See Documentation/input/joystick.txt.
+ 
+-	kaslr/nokaslr	[X86]
+-			Enable/disable kernel and module base offset ASLR
+-			(Address Space Layout Randomization) if built into
+-			the kernel. When CONFIG_HIBERNATION is selected,
+-			kASLR is disabled by default. When kASLR is enabled,
+-			hibernation will be disabled.
++	nokaslr		[KNL]
++			When CONFIG_RANDOMIZE_BASE is set, this disables
++			kernel and module base offset ASLR (Address Space
++			Layout Randomization).
+ 
+ 	keepinitrd	[HW,ARM]
+ 
+diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
+index cfeb025..dff4217 100644
+--- a/arch/x86/boot/compressed/kaslr.c
++++ b/arch/x86/boot/compressed/kaslr.c
+@@ -471,17 +471,10 @@ unsigned char *choose_random_location(unsigned long input,
+ 	unsigned long choice = output;
+ 	unsigned long random_addr;
+ 
+-#ifdef CONFIG_HIBERNATION
+-	if (!cmdline_find_option_bool("kaslr")) {
+-		warn("KASLR disabled: 'kaslr' not on cmdline (hibernation selected).");
+-		goto out;
+-	}
+-#else
+ 	if (cmdline_find_option_bool("nokaslr")) {
+ 		warn("KASLR disabled: 'nokaslr' on cmdline.");
+ 		goto out;
+ 	}
+-#endif
+ 
+ 	boot_params->hdr.loadflags |= KASLR_FLAG;
+ 
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index fca9254..9021387 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -1154,11 +1154,6 @@ static int __init nohibernate_setup(char *str)
+ 	return 1;
+ }
+ 
+-static int __init kaslr_nohibernate_setup(char *str)
+-{
+-	return nohibernate_setup(str);
+-}
+-
+ static int __init page_poison_nohibernate_setup(char *str)
+ {
+ #ifdef CONFIG_PAGE_POISONING_ZERO
+@@ -1182,5 +1177,4 @@ __setup("hibernate=", hibernate_setup);
+ __setup("resumewait", resumewait_setup);
+ __setup("resumedelay=", resumedelay_setup);
+ __setup("nohibernate", nohibernate_setup);
+-__setup("kaslr", kaslr_nohibernate_setup);
+ __setup("page_poison=", page_poison_nohibernate_setup);