author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-02-02 21:24:33 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-02-02 21:24:33 +0100 |
commit | 065f053da2d43d08a2decf8c59f89991cdd77d7b (patch) | |
tree | 0f34077d1679c220e892d97cc5744f74e9f97544 | |
parent | d8201e7ce5500ba1d291f8457cc0533397eaecea (diff) | |
parent | ab7079edfbceac58727bb52b6631b5a6da3a06e3 (diff) | |
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedorakernel-4.9.7-200.vanilla.knurd.1.fc25
-rw-r--r-- | bcm2837-initial-support.patch | 195 | ||||
-rw-r--r-- | drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch | 82 | ||||
-rw-r--r-- | kernel.spec | 21 | ||||
-rw-r--r-- | kvm-fix-page-struct-leak-in-handle_vmon.patch | 48 | ||||
-rw-r--r-- | mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch | 42 | ||||
-rw-r--r-- | sources | 2 |
6 files changed, 116 insertions, 274 deletions
diff --git a/bcm2837-initial-support.patch b/bcm2837-initial-support.patch index dd64598aa..c59b68258 100644 --- a/bcm2837-initial-support.patch +++ b/bcm2837-initial-support.patch @@ -1,24 +1,16 @@ -From cdb86691df26e0962f081981f4bfa97ee43bd391 Mon Sep 17 00:00:00 2001 +From 49a6e9faf9a4e3b56c2bffd516f17ca1b6244084 Mon Sep 17 00:00:00 2001 From: Peter Robinson <pbrobinson@gmail.com> -Date: Mon, 29 Aug 2016 09:14:15 +0100 -Subject: [PATCH] ARM: bcm283x: Add devicetree for the Raspberry Pi 3. - -For now this doesn't support the new hardware present on the Pi 3 (BT, -wifi, GPIO expander). - -Rebased to the patch that went upstream for ARM64 +Date: Tue, 31 Jan 2017 23:21:32 +0000 +Subject: [PATCH] ARM: bcm2835: include rather than copy the commits for arm32 + RPi3 support so it's always in sync Signed-off-by: Peter Robinson <pbrobinson@gmail.com> --- - arch/arm/boot/dts/Makefile | 3 +- - arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 30 ++++++++++++++ - arch/arm/boot/dts/bcm2837.dtsi | 76 +++++++++++++++++++++++++++++++++++ - 3 files changed, 108 insertions(+), 1 deletion(-) - create mode 100644 arch/arm/boot/dts/bcm2837-rpi-3-b.dts - create mode 100644 arch/arm/boot/dts/bcm2837.dtsi + arch/arm/boot/dts/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/Makefile b/arch/arm/boot/dts/Makefile -index befcd26..c96fb38 100644 +index f10fe85..4c46851 100644 --- a/arch/arm/boot/dts/Makefile +++ b/arch/arm/boot/dts/Makefile @@ -70,7 +70,8 @@ dtb-$(CONFIG_ARCH_BCM2835) += \ 
@@ -27,181 +19,10 @@ index befcd26..c96fb38 100644 bcm2836-rpi-2-b.dtb \ - bcm2835-rpi-zero.dtb + bcm2835-rpi-zero.dtb \ -+ bcm2837-rpi-3-b.dtb ++ ../../../arm64/boot/dts/broadcom/bcm2837-rpi-3-b.dtb dtb-$(CONFIG_ARCH_BCM_5301X) += \ bcm4708-asus-rt-ac56u.dtb \ bcm4708-asus-rt-ac68u.dtb \ -diff --git a/arch/arm/boot/dts/bcm2837-rpi-3-b.dts b/arch/arm/boot/dts/bcm2837-rpi-3-b.dts -new file mode 100644 -index 0000000..7841b72 ---- /dev/null -+++ b/arch/arm/boot/dts/bcm2837-rpi-3-b.dts -@@ -0,0 +1,30 @@ -+/dts-v1/; -+#include "bcm2837.dtsi" -+#include "bcm2835-rpi.dtsi" -+#include "bcm283x-rpi-smsc9514.dtsi" -+ -+/ { -+ compatible = "raspberrypi,3-model-b", "brcm,bcm2837"; -+ model = "Raspberry Pi 3 Model B"; -+ -+ memory { -+ reg = <0 0x40000000>; -+ }; -+ -+ leds { -+ act { -+ gpios = <&gpio 47 0>; -+ }; -+ -+ pwr { -+ label = "PWR"; -+ gpios = <&gpio 35 0>; -+ default-state = "keep"; -+ linux,default-trigger = "default-on"; -+ }; -+ }; -+}; -+ -+&uart1 { -+ status = "okay"; -+}; -diff --git a/arch/arm/boot/dts/bcm2837.dtsi b/arch/arm/boot/dts/bcm2837.dtsi -new file mode 100644 -index 0000000..8216bbb ---- /dev/null -+++ b/arch/arm/boot/dts/bcm2837.dtsi -@@ -0,0 +1,76 @@ -+#include "bcm283x.dtsi" -+ -+/ { -+ compatible = "brcm,bcm2836"; -+ -+ soc { -+ ranges = <0x7e000000 0x3f000000 0x1000000>, -+ <0x40000000 0x40000000 0x00001000>; -+ dma-ranges = <0xc0000000 0x00000000 0x3f000000>; -+ -+ local_intc: local_intc { -+ compatible = "brcm,bcm2836-l1-intc"; -+ reg = <0x40000000 0x100>; -+ interrupt-controller; -+ #interrupt-cells = <1>; -+ interrupt-parent = <&local_intc>; -+ }; -+ }; -+ -+ timer { -+ compatible = "arm,armv7-timer"; -+ interrupt-parent = <&local_intc>; -+ interrupts = <0>, // PHYS_SECURE_PPI -+ <1>, // PHYS_NONSECURE_PPI -+ <3>, // VIRT_PPI -+ <2>; // HYP_PPI -+ always-on; -+ }; -+ -+ cpus: cpus { -+ #address-cells = <1>; -+ #size-cells = <0>; -+ -+ cpu0: cpu@0 { -+ device_type = "cpu"; -+ compatible = "arm,cortex-a53"; -+ reg = <0>; -+ enable-method = 
"spin-table"; -+ cpu-release-addr = <0x0 0x000000d8>; -+ }; -+ -+ cpu1: cpu@1 { -+ device_type = "cpu"; -+ compatible = "arm,cortex-a53"; -+ reg = <1>; -+ enable-method = "spin-table"; -+ cpu-release-addr = <0x0 0x000000e0>; -+ }; -+ -+ cpu2: cpu@2 { -+ device_type = "cpu"; -+ compatible = "arm,cortex-a53"; -+ reg = <2>; -+ enable-method = "spin-table"; -+ cpu-release-addr = <0x0 0x000000e8>; -+ }; -+ -+ cpu3: cpu@3 { -+ device_type = "cpu"; -+ compatible = "arm,cortex-a53"; -+ reg = <3>; -+ enable-method = "spin-table"; -+ cpu-release-addr = <0x0 0x000000f0>; -+ }; -+ }; -+}; -+ -+/* Make the BCM2835-style global interrupt controller be a child of the -+ * CPU-local interrupt controller. -+ */ -+&intc { -+ compatible = "brcm,bcm2836-armctrl-ic"; -+ reg = <0x7e00b200 0x200>; -+ interrupt-parent = <&local_intc>; -+ interrupts = <8>; -+}; --- -2.7.4 - -From 345863374ebec9aa11ea97b99f5adbf97f99bbdf Mon Sep 17 00:00:00 2001 -From: Peter Robinson <pbrobinson@gmail.com> -Date: Mon, 16 Jan 2017 06:38:08 +0000 -Subject: [PATCH] add upstream RPi3 fixes from arm64 DT - -Signed-off-by: Peter Robinson <pbrobinson@gmail.com> ---- - arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 8 +------- - arch/arm/boot/dts/bcm2837.dtsi | 8 +++++++- - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/arch/arm/boot/dts/bcm2837-rpi-3-b.dts b/arch/arm/boot/dts/bcm2837-rpi-3-b.dts -index 7841b72..c309633 100644 ---- a/arch/arm/boot/dts/bcm2837-rpi-3-b.dts -+++ b/arch/arm/boot/dts/bcm2837-rpi-3-b.dts -@@ -2,6 +2,7 @@ - #include "bcm2837.dtsi" - #include "bcm2835-rpi.dtsi" - #include "bcm283x-rpi-smsc9514.dtsi" -+#include "bcm283x-rpi-usb-host.dtsi" - - / { - compatible = "raspberrypi,3-model-b", "brcm,bcm2837"; -@@ -15,13 +16,6 @@ - act { - gpios = <&gpio 47 0>; - }; -- -- pwr { -- label = "PWR"; -- gpios = <&gpio 35 0>; -- default-state = "keep"; -- linux,default-trigger = "default-on"; -- }; - }; - }; - -diff --git a/arch/arm/boot/dts/bcm2837.dtsi b/arch/arm/boot/dts/bcm2837.dtsi -index 
8216bbb..19f2fe6 100644 ---- a/arch/arm/boot/dts/bcm2837.dtsi -+++ b/arch/arm/boot/dts/bcm2837.dtsi -@@ -1,7 +1,7 @@ - #include "bcm283x.dtsi" - - / { -- compatible = "brcm,bcm2836"; -+ compatible = "brcm,bcm2837"; - - soc { - ranges = <0x7e000000 0x3f000000 0x1000000>, -- 2.9.3 diff --git a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch b/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch deleted file mode 100644 index 37f012073..000000000 --- a/drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch +++ /dev/null 
@@ -1,82 +0,0 @@
-From: Eric Anholt <eric@anholt.net>
-To: dri-devel@lists.freedesktop.org
-Subject: [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary
- allocation layout.
-Date: Wed, 18 Jan 2017 07:20:49 +1100
-
-We copy the unvalidated ioctl arguments from the user into kernel
-temporary memory to run the validation from, to avoid a race where the
-user updates the unvalidate contents in between validating them and
-copying them into the validated BO.
-
-However, in setting up the layout of the kernel side, we failed to
-check one of the additions (the roundup() for shader_rec_offset)
-against integer overflow, allowing a nearly MAX_UINT value of
-bin_cl_size to cause us to under-allocate the temporary space that we
-then copy_from_user into.
-
-Reported-by: Murray McAllister <murray.mcallister@insomniasec.com>
-Signed-off-by: Eric Anholt <eric@anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
-index db920771bfb5..c5fe3554858e 100644
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
- args->shader_rec_count);
- struct vc4_bo *bo;
-
-- if (uniforms_offset < shader_rec_offset ||
-+ if (shader_rec_offset < args->bin_cl_size ||
-+ uniforms_offset < shader_rec_offset ||
- exec_size < uniforms_offset ||
- args->shader_rec_count >= (UINT_MAX /
- sizeof(struct vc4_shader_state)) ||
---
-2.11.0
-
-_______________________________________________
-dri-devel mailing list
-dri-devel@lists.freedesktop.org
-https://lists.freedesktop.org/mailman/listinfo/dri-devel
-
-From: Eric Anholt <eric@anholt.net>
-To: dri-devel@lists.freedesktop.org
-Subject: [PATCH 2/2] drm/vc4: Return -EINVAL on the overflow checks failing.
-Date: Wed, 18 Jan 2017 07:20:50 +1100 - -By failing to set the errno, we'd continue on to trying to set up the -RCL, and then oops on trying to dereference the tile_bo that binning -validation should have set up. - -Reported-by: Ingo Molnar <mingo@kernel.org> -Signed-off-by: Eric Anholt <eric@anholt.net> -Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") ---- - drivers/gpu/drm/vc4/vc4_gem.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c -index c5fe3554858e..ab3016982466 100644 ---- a/drivers/gpu/drm/vc4/vc4_gem.c -+++ b/drivers/gpu/drm/vc4/vc4_gem.c -@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec) - sizeof(struct vc4_shader_state)) || - temp_size < exec_size) { - DRM_ERROR("overflow in exec arguments\n"); -+ ret = -EINVAL; - goto fail; - } - --- -2.11.0 - -_______________________________________________ -dri-devel mailing list -dri-devel@lists.freedesktop.org -https://lists.freedesktop.org/mailman/listinfo/dri-devel - diff --git a/kernel.spec b/kernel.spec index a63b31037..882cf9aea 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -546,6 +546,8 @@ Patch432: bcm283x-fixes.patch # http://www.spinics.net/lists/linux-mmc/msg41151.html Patch433: bcm283x-mmc-imp-speed.patch +Patch434: mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch + Patch440: AllWinner-net-emac.patch Patch442: ARM-Drop-fixed-200-Hz-timer-requirement-from-Samsung-platforms.patch 
@@ -648,12 +650,12 @@ Patch851: selinux-namespace-fix.patch #rhbz 1390308 Patch852: nouveau-add-maxwell-to-backlight-init.patch -#CVE-2017-5576 CVE-2017-5577 rhbz 1416436 1416437 1416439 -Patch853: drm_vc4_Fix_an_integer_overflow_in_temporary_allocation_layout.patch - #The saddest EFI firmware bug Patch854: 0001-x86-efi-always-map-first-physical-page-into-EFI-page.patch +# CVE-2017-2596 rhbz 1417812 1417813 +Patch855: kvm-fix-page-struct-leak-in-handle_vmon.patch + # END OF PATCH DEFINITIONS %endif @@ -2204,12 +2206,23 @@ fi # # %changelog +* Thu Feb 02 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.7-200 +- Linux v4.9.7 + +* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix kvm nested virt CVE-2017-2596 (rhbz 1417812 1417813) + +* Tue Jan 31 2017 Peter Robinson <pbrobinson@fedoraproject.org> +- Fix CMA compaction regression (Raspberry Pi and others) + * Thu Jan 26 2017 Peter Robinson <pbrobinson@fedoraproject.org> - arm64: dma-mapping: Fix dma_mapping_error() when bypassing SWIOTLB * Thu Jan 26 2017 Laura Abbott <labbott@redhat.com> - 4.9.6-200 - Linux v4.9.6 - Bring in fix for bogus EFI firmware +- Fixes CVE-2017-5547, CVE-2016-10153, CVE-2017-5548, CVE-2017-5551 + (rhbz 1416096 1416101 1416110 1416126 1416128) * Wed Jan 25 2017 Justin M. Forbes <jforbes@fedoraproject.org> - CVE-2017-5576 CVE-2017-5577 vc4 overflows (rhbz 1416436 1416437 1416439) diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch new file mode 100644 index 000000000..38443abcb --- /dev/null +++ b/kvm-fix-page-struct-leak-in-handle_vmon.patch 
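Review bot: The `-648,12` hunk of kernel.spec drops `Patch853` (the CVE-2017-5576 / CVE-2017-5577 vc4 overflow fix) and the commit deletes the patch file, but nothing in the spec records why. The new `%changelog` entries mention v4.9.7, the KVM fix and the CMA fix, not the removal. Presumably the vc4 fix is now supplied by `stable_update 7`; nothing on this page confirms that, so it should be checked against patch-4.9.7 and recorded, for example `- Drop vc4 overflow patches, now in 4.9.7 (CVE-2017-5576 CVE-2017-5577)` under the Feb 02 entry. `Patch434` in the `-546,6` hunk is also added without the source-link comment that `Patch433` above it carries.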
@@ -0,0 +1,48 @@
+From fc66c84bfca091a28d01ba4a2d18b6cfd72ce270 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 24 Jan 2017 11:56:21 +0100
+Subject: [PATCH] kvm: fix page struct leak in handle_vmon
+
+handle_vmon gets a reference on VMXON region page,
+but does not release it. Release the reference.
+
+Found by syzkaller; based on a patch by Dmitry.
+
+[labbott@redhat.com: Fixed kvm_skip_emulated_instruction for 4.9.x]
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 64774f4..7fef0a9 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6925,14 +6925,20 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
+ }
+
+ page = nested_get_page(vcpu, vmptr);
+- if (page == NULL ||
+- *(u32 *)kmap(page) != VMCS12_REVISION) {
++ if (page == NULL) {
+ nested_vmx_failInvalid(vcpu);
++ skip_emulated_instruction(vcpu);
++ return 1;
++ }
++ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
+ kunmap(page);
++ nested_release_page_clean(page);
++ nested_vmx_failInvalid(vcpu);
+ skip_emulated_instruction(vcpu);
+ return 1;
+ }
+ kunmap(page);
++ nested_release_page_clean(page);
+ vmx->nested.vmxon_ptr = vmptr;
+ break;
+ case EXIT_REASON_VMCLEAR:
+--
+2.7.4
+
diff --git a/mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch b/mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch
new file mode 100644
index 000000000..0e542dc4f
--- /dev/null
+++ b/mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch
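Review bot: The header of kvm-fix-page-struct-leak-in-handle_vmon.patch names neither the upstream commit it backports nor the CVE it addresses, so the only link to CVE-2017-2596 is the comment in kernel.spec. The `From fc66c84…` line may be a local hash rather than the mainline one. A line such as `Upstream: <UPSTREAM_COMMIT_ID> (CVE-2017-2596)` under the `[labbott@redhat.com: …]` note would let a later rebase confirm the stable tree carries the fix before this patch is dropped. In the code, both paths that reach `kmap(page)` now pair `kunmap(page)` with `nested_release_page_clean(page)`. The enclosing switch in nested_vmx_check_vmptr continues outside the inner hunk, so its other cases cannot be checked from here.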
@@ -0,0 +1,42 @@
+From 424f6c4818bbf1b8ccf58aa012ecc19c0bb9b446 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Tue, 24 Jan 2017 15:18:05 -0800
+Subject: [PATCH 179/273] mm: alloc_contig: re-allow CMA to compact FS pages
+
+Commit 73e64c51afc5 ("mm, compaction: allow compaction for GFP_NOFS
+requests") changed compation to skip FS pages if not explicitly allowed
+to touch them, but missed to update the CMA compact_control.
+
+This leads to a very high isolation failure rate, crippling performance
+of CMA even on a lightly loaded system. Re-allow CMA to compact FS
+pages by setting the correct GFP flags, restoring CMA behavior and
+performance to the kernel 4.9 level.
+
+Fixes: 73e64c51afc5 (mm, compaction: allow compaction for GFP_NOFS requests)
+Link: http://lkml.kernel.org/r/20170113115155.24335-1-l.stach@pengutronix.de
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/page_alloc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index d604d25..41d5e2e 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -7248,6 +7248,7 @@ int alloc_contig_range(unsigned long start, unsigned long end,
+ .zone = page_zone(pfn_to_page(start)),
+ .mode = MIGRATE_SYNC,
+ .ignore_skip_hint = true,
++ .gfp_mask = GFP_KERNEL,
+ };
+ INIT_LIST_HEAD(&cc.migratepages);
+
+--
+2.9.3
+
@@ -1,3 +1,3 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
-SHA512 (patch-4.9.6.xz) = 230ab118639d19b7a473e75f5463ea9add3db8cb70fe3ba546e053fc1bd32b1d353eb1c107f5467e5f24a26c43c623cf79cf8d5a5cef85613e4da989a6c0326a
+SHA512 (patch-4.9.7.xz) = 48592d15efd6111eaacfa47a6def496bcc120f39bd93afccf4f23c7b93cc320638349890c67ba14792b5330a9a4c7e7fa74db6f84f4df92d20a2bf5a3eb3dcc6 |