diff options
| -rw-r--r-- | 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch | 67 | ||||
| -rw-r--r-- | bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch | 92 | ||||
| -rw-r--r-- | config-arm-generic | 6 | ||||
| -rw-r--r-- | config-armv7 | 3 | ||||
| -rw-r--r-- | config-armv7-generic | 1 | ||||
| -rw-r--r-- | drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch | 68 | ||||
| -rw-r--r-- | iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch | 41 | ||||
| -rw-r--r-- | kbuild-AFTER_LINK.patch | 6 | ||||
| -rw-r--r-- | kernel.spec | 57 | ||||
| -rw-r--r-- | nouveau-displayoff-fix.patch | 61 | ||||
| -rw-r--r-- | pipe-limit-the-per-user-amount-of-pages-allocated-in.patch | 250 | ||||
| -rw-r--r-- | sources | 2 | ||||
| -rw-r--r-- | unix-correctly-track-in-flight-fds-in-sending-proces.patch | 159 |
13 files changed, 363 insertions, 450 deletions
diff --git a/0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch b/0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch new file mode 100644 index 000000000..462f1132a --- /dev/null +++ b/0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch @@ -0,0 +1,67 @@ +From e2e407dc093f530b771ee8bf8fe1be41e3cea8b3 Mon Sep 17 00:00:00 2001 +From: Matt Roper <matthew.d.roper@intel.com> +Date: Mon, 8 Feb 2016 11:05:28 -0800 +Subject: [PATCH] drm/i915: Pretend cursor is always on for ILK-style WM + calculations (v2) + +Due to our lack of two-step watermark programming, our driver has +historically pretended that the cursor plane is always on for the +purpose of watermark calculations; this helps avoid serious flickering +when the cursor turns off/on (e.g., when the user moves the mouse +pointer to a different screen). That workaround was accidentally +dropped as we started working toward atomic watermark updates. Since we +still aren't quite there yet with two-stage updates, we need to +resurrect the workaround and treat the cursor as always active. + +v2: Tweak cursor width calculations slightly to more closely match the + logic we used before the atomic overhaul began. (Ville) + +Cc: simdev11@outlook.com +Cc: manfred.kitzbichler@gmail.com +Cc: drm-intel-fixes@lists.freedesktop.org +Reported-by: simdev11@outlook.com +Reported-by: manfred.kitzbichler@gmail.com +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93892 +Fixes: 43d59eda1 ("drm/i915: Eliminate usage of plane_wm_parameters from ILK-style WM code (v2)") +Signed-off-by: Matt Roper <matthew.d.roper@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1454479611-6804-1-git-send-email-matthew.d.roper@intel.com +(cherry picked from commit b2435692dbb709d4c8ff3b2f2815c9b8423b72bb) +Signed-off-by: Jani Nikula <jani.nikula@intel.com> +Link: http://patchwork.freedesktop.org/patch/msgid/1454958328-30129-1-git-send-email-matthew.d.roper@intel.com +--- + drivers/gpu/drm/i915/intel_pm.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c +index eb5fa05..a234687 100644 +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -1783,16 +1783,20 @@ static uint32_t ilk_compute_cur_wm(const struct intel_crtc_state *cstate, + const struct intel_plane_state *pstate, + uint32_t mem_value) + { +- int bpp = pstate->base.fb ? pstate->base.fb->bits_per_pixel / 8 : 0; ++ /* ++ * We treat the cursor plane as always-on for the purposes of watermark ++ * calculation. Until we have two-stage watermark programming merged, ++ * this is necessary to avoid flickering. ++ */ ++ int cpp = 4; ++ int width = pstate->visible ? pstate->base.crtc_w : 64; + +- if (!cstate->base.active || !pstate->visible) ++ if (!cstate->base.active) + return 0; + + return ilk_wm_method2(ilk_pipe_pixel_rate(cstate), + cstate->base.adjusted_mode.crtc_htotal, +- drm_rect_width(&pstate->dst), +- bpp, +- mem_value); ++ width, cpp, mem_value); + } + + /* Only for WM_LP. */ +-- +2.5.0 + diff --git a/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch b/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch deleted file mode 100644 index fc5a1a504..000000000 --- a/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch +++ /dev/null @@ -1,92 +0,0 @@ -From a1b14d27ed0965838350f1377ff97c93ee383492 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Wed, 10 Feb 2016 16:47:11 +0100 -Subject: [PATCH] bpf: fix branch offset adjustment on backjumps after patching - ctx expansion - -When ctx access is used, the kernel often needs to expand/rewrite -instructions, so after that patching, branch offsets have to be -adjusted for both forward and backward jumps in the new eBPF program, -but for backward jumps it fails to account the delta. Meaning, for -example, if the expansion happens exactly on the insn that sits at -the jump target, it doesn't fix up the back jump offset. - -Analysis on what the check in adjust_branches() is currently doing: - - /* adjust offset of jmps if necessary */ - if (i < pos && i + insn->off + 1 > pos) - insn->off += delta; - else if (i > pos && i + insn->off + 1 < pos) - insn->off -= delta; - -First condition (forward jumps): - - Before: After: - - insns[0] insns[0] - insns[1] <--- i/insn insns[1] <--- i/insn - insns[2] <--- pos insns[P] <--- pos - insns[3] insns[P] `------| delta - insns[4] <--- target_X insns[P] `-----| - insns[5] insns[3] - insns[4] <--- target_X - insns[5] - -First case is if we cross pos-boundary and the jump instruction was -before pos. This is handeled correctly. I.e. if i == pos, then this -would mean our jump that we currently check was the patchlet itself -that we just injected. Since such patchlets are self-contained and -have no awareness of any insns before or after the patched one, the -delta is correctly not adjusted. Also, for the second condition in -case of i + insn->off + 1 == pos, means we jump to that newly patched -instruction, so no offset adjustment are needed. That part is correct. - -Second condition (backward jumps): - - Before: After: - - insns[0] insns[0] - insns[1] <--- target_X insns[1] <--- target_X - insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y - insns[3] insns[P] `------| delta - insns[4] <--- i/insn insns[P] `-----| - insns[5] insns[3] - insns[4] <--- i/insn - insns[5] - -Second interesting case is where we cross pos-boundary and the jump -instruction was after pos. Backward jump with i == pos would be -impossible and pose a bug somewhere in the patchlet, so the first -condition checking i > pos is okay only by itself. However, i + -insn->off + 1 < pos does not always work as intended to trigger the -adjustment. It works when jump targets would be far off where the -delta wouldn't matter. But, for example, where the fixed insn->off -before pointed to pos (target_Y), it now points to pos + delta, so -that additional room needs to be taken into account for the check. -This means that i) both tests here need to be adjusted into pos + delta, -and ii) for the second condition, the test needs to be <= as pos -itself can be a target in the backjump, too. - -Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields") -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - kernel/bpf/verifier.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index d1d3e8f57de9..2e7f7ab739e4 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2082,7 +2082,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta) - /* adjust offset of jmps if necessary */ - if (i < pos && i + insn->off + 1 > pos) - insn->off += delta; -- else if (i > pos && i + insn->off + 1 < pos) -+ else if (i > pos + delta && i + insn->off + 1 <= pos + delta) - insn->off -= delta; - } - } --- -2.5.0 - diff --git a/config-arm-generic b/config-arm-generic index 399bfaf23..0831ea38e 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -122,6 +122,7 @@ CONFIG_SND_SOC_ROCKCHIP_RT5645=m CONFIG_SND_SOC_ROCKCHIP_SPDIF=m CONFIG_REGULATOR_ACT8865=m CONFIG_ROCKCHIP_PM_DOMAINS=y +CONFIG_ROCKCHIP_EFUSE=m # Tegra # CONFIG_TEGRA_AHB is not set @@ -167,6 +168,9 @@ CONFIG_ARM_MHU=m # CONFIG_PL320_MBOX is not set CONFIG_ARM_SCPI_PROTOCOL=m +# NVMem +CONFIG_NVMEM=m + # USB CONFIG_USB_OHCI_HCD_PLATFORM=m CONFIG_USB_EHCI_HCD_PLATFORM=m @@ -249,7 +253,7 @@ CONFIG_PINMUX=y CONFIG_PINCONF=y CONFIG_PINCTRL=y CONFIG_GENERIC_PINCONF=y -CONFIG_PINCTRL_SINGLE=m +CONFIG_PINCTRL_SINGLE=y #i2c CONFIG_I2C_ARB_GPIO_CHALLENGE=m diff --git a/config-armv7 b/config-armv7 index eaa6d4ebf..50c4cc594 100644 --- a/config-armv7 +++ b/config-armv7 @@ -349,6 +349,8 @@ CONFIG_QCOM_SMD_RPM=m CONFIG_QCOM_SMEM=m CONFIG_REGULATOR_QCOM_SMD_RPM=m # CONFIG_QCOM_SMEM is not set +CONFIG_QCOM_SMEM=m +CONFIG_QCOM_QFPROM=m # i.MX # CONFIG_MXC_DEBUG_BOARD is not set @@ -419,6 +421,7 @@ CONFIG_FB_MXS=m # CONFIG_FB_MX3 is not set # CONFIG_FB_IMX is not set CONFIG_TOUCHSCREEN_IMX6UL_TSC=m +CONFIG_NVMEM_IMX_OCOTP=m CONFIG_SND_IMX_SOC=m CONFIG_SND_SOC_FSL_ASOC_CARD=m diff --git a/config-armv7-generic b/config-armv7-generic index 285b4dca0..23068c57a 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -222,6 +222,7 @@ CONFIG_USB_MUSB_SUNXI=m CONFIG_CRYPTO_DEV_SUN4I_SS=m CONFIG_SND_SUN4I_CODEC=m CONFIG_SUNXI_RSB=m +CONFIG_NVMEM_SUNXI_SID=m # Exynos CONFIG_ARCH_EXYNOS3=y diff --git a/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch b/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch deleted file mode 100644 index cd53bf71c..000000000 --- a/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 41ed5ee704b784a4fca02787311d59c243563013 Mon Sep 17 00:00:00 2001 -From: Jani Nikula <jani.nikula@intel.com> -Date: Thu, 7 Jan 2016 10:29:10 +0200 -Subject: [PATCH] drm/i915: shut up gen8+ SDE irq dmesg noise, again - -We still keep getting - -[ 4.249930] [drm:gen8_irq_handler [i915]] *ERROR* The master control interrupt lied (SDE)! - -This reverts - -commit 820da7ae46332fa709b171eb7ba57cbd023fa6df -Author: Jani Nikula <jani.nikula@intel.com> -Date: Wed Nov 25 16:47:23 2015 +0200 - - Revert "drm/i915: shut up gen8+ SDE irq dmesg noise" - -which in itself is a revert, so this is just doing - -commit 97e5ed1111dcc5300a0f59a55248cd243937a8ab -Author: Daniel Vetter <daniel.vetter@ffwll.ch> -Date: Fri Oct 23 10:56:12 2015 +0200 - - drm/i915: shut up gen8+ SDE irq dmesg noise - -all over again. I'll stop pretending I understand what's going on like I -did when I thought I'd fixed this for good in - -commit 6a39d7c986be4fd18eb019e9cdbf774ec36c9f77 -Author: Jani Nikula <jani.nikula@intel.com> -Date: Wed Nov 25 16:47:22 2015 +0200 - - drm/i915: fix the SDE irq dmesg warnings properly - -Reported-by: Chris Wilson <chris@chris-wilson.co.uk> -Reference: http://mid.gmane.org/20151213124945.GA5715@nuc-i3427.alporthouse.com -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084 -Cc: drm-intel-fixes@lists.freedesktop.org -Fixes: 820da7ae4633 ("Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"") -Signed-off-by: Jani Nikula <jani.nikula@intel.com> ---- - drivers/gpu/drm/i915/i915_irq.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index 0d228f909dcb..0f42a2782afc 100644 ---- a/drivers/gpu/drm/i915/i915_irq.c -+++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) - spt_irq_handler(dev, pch_iir); - else - cpt_irq_handler(dev, pch_iir); -- } else -- DRM_ERROR("The master control interrupt lied (SDE)!\n"); -- -+ } else { -+ /* -+ * Like on previous PCH there seems to be something -+ * fishy going on with forwarding PCH interrupts. -+ */ -+ DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n"); -+ } - } - - I915_WRITE_FW(GEN8_MASTER_IRQ, GEN8_MASTER_IRQ_CONTROL); --- -2.5.0 - diff --git a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch deleted file mode 100644 index 9c517cf49..000000000 --- a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 Mon Sep 17 00:00:00 2001 -From: Hariprasad S <hariprasad@chelsio.com> -Date: Fri, 11 Dec 2015 13:59:17 +0530 -Subject: [PATCH] iw_cxgb3: Fix incorrectly returning error on success - -The cxgb3_*_send() functions return NET_XMIT_ values, which are -positive integers values. So don't treat positive return values -as an error. - -Signed-off-by: Steve Wise <swise@opengridcomputing.com> -Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com> -Signed-off-by: Doug Ledford <dledford@redhat.com> ---- - drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c -index cb78b1e9bcd9..f504ba73e5dc 100644 ---- a/drivers/infiniband/hw/cxgb3/iwch_cm.c -+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c -@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en - error = l2t_send(tdev, skb, l2e); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) -@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) - error = cxgb3_ofld_send(tdev, skb); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb) --- -2.5.0 - diff --git a/kbuild-AFTER_LINK.patch b/kbuild-AFTER_LINK.patch index 805b6eef8..6cbf7d643 100644 --- a/kbuild-AFTER_LINK.patch +++ b/kbuild-AFTER_LINK.patch @@ -1,4 +1,4 @@ -From a9488dbeccf188f0bd83b9d5704892f2c0f97fdc Mon Sep 17 00:00:00 2001 +From 3430f2441f7176d543a76aa73ae7315db355a5b0 Mon Sep 17 00:00:00 2001 From: Roland McGrath <roland@redhat.com> Date: Mon, 6 Oct 2008 23:03:03 -0700 Subject: [PATCH] kbuild: AFTER_LINK @@ -107,11 +107,11 @@ index 265c0ed..fd90c7d 100644 VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \ $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS) diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh -index dacf71a..72cbefd 100755 +index ba6c34e..245501e 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -65,6 +65,10 @@ vmlinux_link() - -lutil -lrt ${1} + -lutil -lrt -lpthread ${1} rm -f linux fi + if [ -n "${AFTER_LINK}" ]; then diff --git a/kernel.spec b/kernel.spec index b0f69fdc6..413954321 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -619,8 +619,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch #rhbz 1288687 Patch572: alua_fix.patch -Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch - #rhbz 1083853 Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch @@ -637,27 +635,22 @@ Patch645: cfg80211-wext-fix-message-ordering.patch #rhbz 1255325 Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch -#CVE-2016-2383 rhbz 1308452 1308453 -Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch - -#CVE-2015-8812 rhbz 1303532 1309548 -Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch - #Known use after free, possibly rhbz 1310579 Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch #rhbz 1310258 Patch655: iommu-fix.patch -#CVE-2016-2550 rhbz 1311517 1311518 -Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch - #rhbz 1310682 Patch657: 0001-Test-ata-fix.patch -Patch658: nouveau-displayoff-fix.patch -# END OF PATCH DEFINITIONS +#Mitigates CVE-2013-4312 rhbz 1313428 1313433 +Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch +#rhbz 1310252 1313318 +Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch + +# END OF PATCH DEFINITIONS %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1339,25 +1332,21 @@ ApplyPatch cfg80211-wext-fix-message-ordering.patch #rhbz 1255325 ApplyPatch HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch -#CVE-2016-2383 rhbz 1308452 1308453 -ApplyPatch bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch - -#CVE-2015-8812 rhbz 1303532 1309548 -ApplyPatch iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch - #Known use after free, possibly rhbz 1310579 ApplyPatch 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch #rhbz 1310258 ApplyPatch iommu-fix.patch -#CVE-2016-2550 rhbz 1311517 1311518 -ApplyPatch unix-correctly-track-in-flight-fds-in-sending-proces.patch - #rhbz 1310682 ApplyPatch 0001-Test-ata-fix.patch -ApplyPatch nouveau-displayoff-fix.patch +#Mitigates CVE-2013-4312 rhbz 1313428 1313433 +ApplyPatch pipe-limit-the-per-user-amount-of-pages-allocated-in.patch + +#rhbz 1310252 1313318 +ApplyPatch 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch + # END OF PATCH APPLICATIONS %endif @@ -2207,6 +2196,26 @@ fi # # %changelog +* Thu Mar 03 2016 Laura Abbott <labbott@redhat.com> - 4.4.4-200 +- Linux v4.4.4 +- Switch back to not setting CONFIG_ACPI_REV_OVERRIDE_POSSIBLE + +* Thu Mar 03 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Partial SMAP bypass on 64-bit kernels (rhbz 1314253 1314255) + +* Wed Mar 02 2016 Laura Abbott <labbott@redhat.com> +- Fix for flickering on Intel graphics (rhbz 1310252 1313318) + +* Wed Mar 02 2016 Laura Abbott <labbott@redhat.com> +- Re-enable dropped CONFIG_ACPI_REV_OVERRIDE_POSSIBLE (rhbz 1313434) + +* Wed Mar 02 2016 Josh Boyer <jwboyer@fedoraproject.org> +- pipe: limit the per-user amount of pages allocated in pipes (rhbz 1313428 1313433) + +* Sat Feb 27 2016 Peter Robinson <pbrobinson@fedoraproject.org> 4.4.3-201 +- Bring missed 4.4 ARMv7 fixes from F-23 kernel +- Fix deferred nouveau module loading on tegra + * Fri Feb 26 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.3-200 - Linux v4.4.3 diff --git a/nouveau-displayoff-fix.patch b/nouveau-displayoff-fix.patch deleted file mode 100644 index 32045d3c8..000000000 --- a/nouveau-displayoff-fix.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001 -From: Ben Skeggs <bskeggs@redhat.com> -Date: Thu, 18 Feb 2016 08:14:19 +1000 -Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link - training - -This can happen under some annoying circumstances, and is a quick fix -until more substantial changes can be made. - -Fixed eDP mode changes on (at least) the Lenovo P50. - -Signed-off-by: Ben Skeggs <bskeggs@redhat.com> -Cc: stable@vger.kernel.org - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c -index 74e2f7c..9688970 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c -@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w) - .outp = outp, - }, *dp = &_dp; - u32 datarate = 0; -+ u8 pwr; - int ret; - - if (!outp->base.info.location && disp->func->sor.magic) -@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w) - /* disable link interrupt handling during link training */ - nvkm_notify_put(&outp->irq); - -+ /* ensure sink is not in a low-power state */ -+ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) { -+ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) { -+ pwr &= ~DPCD_SC00_SET_POWER; -+ pwr |= DPCD_SC00_SET_POWER_D0; -+ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1); -+ } -+ } -+ - /* enable down-spreading and execute pre-train script from vbios */ - dp_link_train_init(dp, outp->dpcd[3] & 0x01); - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h -index 9596290..6e10c5e 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h -@@ -71,5 +71,11 @@ - #define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c - #define DPCD_LS0C_LANE0_POST_CURSOR2 0x03 - -+/* DPCD Sink Control */ -+#define DPCD_SC00 0x00600 -+#define DPCD_SC00_SET_POWER 0x03 -+#define DPCD_SC00_SET_POWER_D0 0x01 -+#define DPCD_SC00_SET_POWER_D3 0x03 -+ - void nvkm_dp_train(struct work_struct *); - #endif --- -cgit v0.10.2 - diff --git a/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch b/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch new file mode 100644 index 000000000..7502c277f --- /dev/null +++ b/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch @@ -0,0 +1,250 @@ +From 759c01142a5d0f364a462346168a56de28a80f52 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau <w@1wt.eu> +Date: Mon, 18 Jan 2016 16:36:09 +0100 +Subject: [PATCH] pipe: limit the per-user amount of pages allocated in pipes + +On no-so-small systems, it is possible for a single process to cause an +OOM condition by filling large pipes with data that are never read. A +typical process filling 4000 pipes with 1 MB of data will use 4 GB of +memory. On small systems it may be tricky to set the pipe max size to +prevent this from happening. + +This patch makes it possible to enforce a per-user soft limit above +which new pipes will be limited to a single page, effectively limiting +them to 4 kB each, as well as a hard limit above which no new pipes may +be created for this user. This has the effect of protecting the system +against memory abuse without hurting other users, and still allowing +pipes to work correctly though with less data at once. + +The limit are controlled by two new sysctls : pipe-user-pages-soft, and +pipe-user-pages-hard. Both may be disabled by setting them to zero. The +default soft limit allows the default number of FDs per process (1024) +to create pipes of the default size (64kB), thus reaching a limit of 64MB +before starting to create only smaller pipes. With 256 processes limited +to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB = +1084 MB of memory allocated for a user. The hard limit is disabled by +default to avoid breaking existing applications that make intensive use +of pipes (eg: for splicing). + +Reported-by: socketpair@gmail.com +Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Mitigates: CVE-2013-4312 (Linux 2.0+) +Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Willy Tarreau <w@1wt.eu> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +--- + Documentation/sysctl/fs.txt | 23 ++++++++++++++++++++++ + fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++++-- + include/linux/pipe_fs_i.h | 4 ++++ + include/linux/sched.h | 1 + + kernel/sysctl.c | 14 ++++++++++++++ + 5 files changed, 87 insertions(+), 2 deletions(-) + +diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt +index 88152f214f48..302b5ed616a6 100644 +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: + - nr_open + - overflowuid + - overflowgid ++- pipe-user-pages-hard ++- pipe-user-pages-soft + - protected_hardlinks + - protected_symlinks + - suid_dumpable +@@ -159,6 +161,27 @@ The default is 65534. + + ============================================================== + ++pipe-user-pages-hard: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes. ++Once this limit is reached, no new pipes may be allocated until usage goes ++below the limit again. When set to 0, no limit is applied, which is the default ++setting. ++ ++============================================================== ++ ++pipe-user-pages-soft: ++ ++Maximum total number of pages a non-privileged user may allocate for pipes ++before the pipe size gets limited to a single page. Once this limit is reached, ++new pipes will be limited to a single page in size for this user in order to ++limit total memory usage, and trying to increase them using fcntl() will be ++denied until usage goes below the limit again. The default value allows to ++allocate up to 1024 pipes at their default size. When set to 0, no limit is ++applied. ++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based +diff --git a/fs/pipe.c b/fs/pipe.c +index 42cf8ddf0e55..ab8dad3ccb6a 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -38,6 +38,12 @@ unsigned int pipe_max_size = 1048576; + */ + unsigned int pipe_min_size = PAGE_SIZE; + ++/* Maximum allocatable pages per user. Hard limit is unset by default, soft ++ * matches default values. ++ */ ++unsigned long pipe_user_pages_hard; ++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR; ++ + /* + * We use a start+len construction, which provides full use of the + * allocated memory. +@@ -583,20 +589,49 @@ pipe_fasync(int fd, struct file *filp, int on) + return retval; + } + ++static void account_pipe_buffers(struct pipe_inode_info *pipe, ++ unsigned long old, unsigned long new) ++{ ++ atomic_long_add(new - old, &pipe->user->pipe_bufs); ++} ++ ++static bool too_many_pipe_buffers_soft(struct user_struct *user) ++{ ++ return pipe_user_pages_soft && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft; ++} ++ ++static bool too_many_pipe_buffers_hard(struct user_struct *user) ++{ ++ return pipe_user_pages_hard && ++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard; ++} ++ + struct pipe_inode_info *alloc_pipe_info(void) + { + struct pipe_inode_info *pipe; + + pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL); + if (pipe) { +- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * PIPE_DEF_BUFFERS, GFP_KERNEL); ++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS; ++ struct user_struct *user = get_current_user(); ++ ++ if (!too_many_pipe_buffers_hard(user)) { ++ if (too_many_pipe_buffers_soft(user)) ++ pipe_bufs = 1; ++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) * pipe_bufs, GFP_KERNEL); ++ } ++ + if (pipe->bufs) { + init_waitqueue_head(&pipe->wait); + pipe->r_counter = pipe->w_counter = 1; +- pipe->buffers = PIPE_DEF_BUFFERS; ++ pipe->buffers = pipe_bufs; ++ pipe->user = user; ++ account_pipe_buffers(pipe, 0, pipe_bufs); + mutex_init(&pipe->mutex); + return pipe; + } ++ free_uid(user); + kfree(pipe); + } + +@@ -607,6 +642,8 @@ void free_pipe_info(struct pipe_inode_info *pipe) + { + int i; + ++ account_pipe_buffers(pipe, pipe->buffers, 0); ++ free_uid(pipe->user); + for (i = 0; i < pipe->buffers; i++) { + struct pipe_buffer *buf = pipe->bufs + i; + if (buf->ops) +@@ -998,6 +1035,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages) + memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer)); + } + ++ account_pipe_buffers(pipe, pipe->buffers, nr_pages); + pipe->curbuf = 0; + kfree(pipe->bufs); + pipe->bufs = bufs; +@@ -1069,6 +1107,11 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg) + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) { + ret = -EPERM; + goto out; ++ } else if ((too_many_pipe_buffers_hard(pipe->user) || ++ too_many_pipe_buffers_soft(pipe->user)) && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { ++ ret = -EPERM; ++ goto out; + } + ret = pipe_set_size(pipe, nr_pages); + break; +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h +index eb8b8ac6df3c..24f5470d3944 100644 +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -42,6 +42,7 @@ struct pipe_buffer { + * @fasync_readers: reader side fasync + * @fasync_writers: writer side fasync + * @bufs: the circular array of pipe buffers ++ * @user: the user who created this pipe + **/ + struct pipe_inode_info { + struct mutex mutex; +@@ -57,6 +58,7 @@ struct pipe_inode_info { + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; + struct pipe_buffer *bufs; ++ struct user_struct *user; + }; + + /* +@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info *); + void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *); + + extern unsigned int pipe_max_size, pipe_min_size; ++extern unsigned long pipe_user_pages_hard; ++extern unsigned long pipe_user_pages_soft; + int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *); + + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 61aa9bbea871..1589ddc88e38 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -835,6 +835,7 @@ struct user_struct { + #endif + unsigned long locked_shm; /* How many pages of mlocked shm ? */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ ++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index c810f8afdb7f..f6fd236429bd 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1757,6 +1757,20 @@ static struct ctl_table fs_table[] = { + .proc_handler = &pipe_proc_fn, + .extra1 = &pipe_min_size, + }, ++ { ++ .procname = "pipe-user-pages-hard", ++ .data = &pipe_user_pages_hard, ++ .maxlen = sizeof(pipe_user_pages_hard), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, ++ { ++ .procname = "pipe-user-pages-soft", ++ .data = &pipe_user_pages_soft, ++ .maxlen = sizeof(pipe_user_pages_soft), ++ .mode = 0644, ++ .proc_handler = proc_doulongvec_minmax, ++ }, + { } + }; + +-- +2.5.0 + @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -078427483ee96f3e072e7b5409b5a117 patch-4.4.3.xz +07e9b2c5d0daf7fc2a1ee26a52adcbc0 patch-4.4.4.xz diff --git a/unix-correctly-track-in-flight-fds-in-sending-proces.patch b/unix-correctly-track-in-flight-fds-in-sending-proces.patch deleted file mode 100644 index eb513ef6b..000000000 --- a/unix-correctly-track-in-flight-fds-in-sending-proces.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 415e3d3e90ce9e18727e8843ae343eda5a58fad6 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa <hannes@stressinduktion.org> -Date: Wed, 3 Feb 2016 02:11:03 +0100 -Subject: [PATCH] unix: correctly track in-flight fds in sending process - user_struct - -The commit referenced in the Fixes tag incorrectly accounted the number -of in-flight fds over a unix domain socket to the original opener -of the file-descriptor. This allows another process to arbitrary -deplete the original file-openers resource limit for the maximum of -open files. Instead the sending processes and its struct cred should -be credited. - -To do so, we add a reference counted struct user_struct pointer to the -scm_fp_list and use it to account for the number of inflight unix fds. - -Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets") -Reported-by: David Herrmann <dh.herrmann@gmail.com> -Cc: David Herrmann <dh.herrmann@gmail.com> -Cc: Willy Tarreau <w@1wt.eu> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - include/net/af_unix.h | 4 ++-- - include/net/scm.h | 1 + - net/core/scm.c | 7 +++++++ - net/unix/af_unix.c | 4 ++-- - net/unix/garbage.c | 8 ++++---- - 5 files changed, 16 insertions(+), 8 deletions(-) - -diff --git a/include/net/af_unix.h b/include/net/af_unix.h -index 2a91a0561a47..9b4c418bebd8 100644 ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -6,8 +6,8 @@ - #include <linux/mutex.h> - #include <net/sock.h> - --void unix_inflight(struct file *fp); --void unix_notinflight(struct file *fp); -+void unix_inflight(struct user_struct *user, struct file *fp); -+void unix_notinflight(struct user_struct *user, struct file *fp); - void unix_gc(void); - void wait_for_unix_gc(void); - struct sock *unix_get_socket(struct file *filp); -diff --git a/include/net/scm.h b/include/net/scm.h -index 262532d111f5..59fa93c01d2a 100644 ---- a/include/net/scm.h -+++ b/include/net/scm.h -@@ -21,6 +21,7 @@ struct scm_creds { - struct scm_fp_list { - short count; - short max; -+ struct user_struct *user; - struct file *fp[SCM_MAX_FD]; - }; - -diff --git a/net/core/scm.c b/net/core/scm.c -index 14596fb37172..2696aefdc148 100644 ---- a/net/core/scm.c -+++ b/net/core/scm.c -@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fplp = fpl; - fpl->count = 0; - fpl->max = SCM_MAX_FD; -+ fpl->user = NULL; - } - fpp = &fpl->fp[fpl->count]; - -@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fpp++ = file; - fpl->count++; - } -+ -+ if (!fpl->user) -+ fpl->user = get_uid(current_user()); -+ - return num; - } - -@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm) - scm->fp = NULL; - for (i=fpl->count-1; i>=0; i--) - fput(fpl->fp[i]); -+ free_uid(fpl->user); - kfree(fpl); - } - } -@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) - for (i = 0; i < fpl->count; i++) - get_file(fpl->fp[i]); - new_fpl->max = new_fpl->count; -+ new_fpl->user = get_uid(fpl->user); - } - return new_fpl; - } -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 49d5093eb055..29be035f9c65 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) - UNIXCB(skb).fp = NULL; - - for (i = scm->fp->count-1; i >= 0; i--) -- unix_notinflight(scm->fp->fp[i]); -+ unix_notinflight(scm->fp->user, scm->fp->fp[i]); - } - - static void unix_destruct_scm(struct sk_buff *skb) -@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - return -ENOMEM; - - for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -+ unix_inflight(scm->fp->user, scm->fp->fp[i]); - return max_level; - } - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index 8fcdc2283af5..6a0d48525fcf 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp) - * descriptor if it is for an AF_UNIX socket. - */ - --void unix_inflight(struct file *fp) -+void unix_inflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp) - } - unix_tot_inflight++; - } -- fp->f_cred->user->unix_inflight++; -+ user->unix_inflight++; - spin_unlock(&unix_gc_lock); - } - --void unix_notinflight(struct file *fp) -+void unix_notinflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp) - list_del_init(&u->link); - unix_tot_inflight--; - } -- fp->f_cred->user->unix_inflight--; -+ user->unix_inflight--; - spin_unlock(&unix_gc_lock); - } - --- -2.5.0 - |