author | Ben Hutchings <ben@decadent.org.uk> | 2016-01-19 13:44:04 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-01-19 13:44:04 +0000 |
commit | 7aef5117c344f16e3c69fa95e8c82646659d7c36 (patch) | |
tree | 4a41df103acfbbfec5a62e5663733019e86407e8 | |
parent | fbee7ded77e949f81e0591f68fa2f4d41772c2cc (diff) | |
parent | 6b3f710f745a897497d77f78fceb50547eaad633 (diff) | |
Merge tag 'debian/4.3.3-6'
34 files changed, 929 insertions, 65 deletions
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 9c0070f1ee9b..d3da5db4d366 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -25,6 +25,7 @@ class Gencontrol(Base): 'build': { 'debug-info': config.SchemaItemBoolean(), 'modules': config.SchemaItemBoolean(), + 'vdso': config.SchemaItemBoolean(), }, 'description': { 'parts': config.SchemaItemList(), @@ -369,6 +370,9 @@ class Gencontrol(Base): if extra.get('headers_arch_depends'): extra['headers_arch_depends'].append('%s (= ${binary:Version})' % packages_own[-1]['Package']) + if config_entry_build.get('vdso', False): + makeflags['VDSO'] = True + build_debug = config_entry_build.get('debug-info') if os.getenv('DEBIAN_KERNEL_DISABLE_DEBUG'): diff --git a/debian/bin/genorig.py b/debian/bin/genorig.py index b83f31c09cd5..c3a4eea26d12 100755 --- a/debian/bin/genorig.py +++ b/debian/bin/genorig.py @@ -40,6 +40,7 @@ class Main(object): def __call__(self): import tempfile self.dir = tempfile.mkdtemp(prefix='genorig', dir='debian') + old_umask = os.umask(0o022) try: if os.path.isdir(self.input_files[0]): self.upstream_export(self.input_files[0]) @@ -59,8 +60,10 @@ class Main(object): .st_mtime)) self.debian_patch() + os.umask(old_umask) self.tar(orig_date) finally: + os.umask(old_umask) shutil.rmtree(self.dir) def upstream_export(self, input_repo): @@ -131,7 +134,7 @@ class Main(object): self.log("Generate tarball %s\n" % out) cmdline = '''(cd '%s' && find '%s' -print0) | LC_ALL=C sort -z | - tar -C '%s' --no-recursion --null -T - --mtime '%s' -caf '%s' + tar -C '%s' --no-recursion --null -T - --mtime '%s' --owner root --group root -caf '%s' ''' % (self.dir, self.orig, self.dir, orig_date, out) try: if os.spawnv(os.P_WAIT, '/bin/sh', ['sh', '-c', cmdline]): diff --git a/debian/changelog b/debian/changelog index 71ca4245a538..31c8f43766f1 100644 --- a/debian/changelog +++ b/debian/changelog 
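Review bot: The early `os.umask(old_umask)` placed before `self.tar(orig_date)` in `Main.__call__` carries no comment, and next to the second restore in `finally` it reads like a leftover. If the intent is that export and patching run under a fixed umask while the output tarball is written under the caller's own, record that, e.g. `# restore before tar() so the output file honours the caller's umask; finally covers the error paths`. The `old_umask = os.umask(0o022)` line in the preceding hunk would benefit from a matching `# fixed umask so exported file modes do not depend on the builder's environment`. `__call__` starts and ends outside both hunks.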
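Review bot: The command that gains `--owner root --group root` is still assembled by `%`-formatting `self.dir`, `self.orig`, `orig_date` and `out` between literal single quotes and handed to `sh -c`, so a path containing a single quote changes what the shell parses. Quoting each value before formatting (`shlex.quote` on Python 3, `pipes.quote` on Python 2) and dropping the literal quotes from the template would close that. Separately, with bare names GNU tar fills in the numeric IDs from the build host's user database; `--owner 0 --group 0 --numeric-owner` removes that dependency, at the cost of changing the bytes of tarballs generated so far. The enclosing method starts and ends outside the hunk.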
@@ -94,6 +94,41 @@ linux (4.4~rc4-1~exp1) experimental; urgency=medium -- Ben Hutchings <ben@decadent.org.uk> Sun, 13 Dec 2015 16:25:45 +0000 +linux (4.3.3-6) unstable; urgency=medium + + [ Ben Hutchings ] + * debian.py: Implement stable order of fields in debian/tests/control + * debian.py: Implement stable order of fields not in the predefined order + * genorig.py: Make orig tarballs really reproducible: + - Override umask while extracting/exporting files + - Override user and group names in tarball + * xen/gntdev: Grant maps should not be subject to NUMA balancing + (Closes: #810472) + * gpio: Enable GPIO_SYSFS wherever GPIOLIB is enabled (Closes: #810085) + * [armhf] udeb: Include usbhid in input-modules (Closes: #809521) + * linux-image-dbg: Include debugging symbols for VDSOs + * [armel/kirkwood] power/reset: Re-enable POWER_RESET, POWER_RESET_GPIO + (regression in 3.17~rc5-1~exp1) + * usb: serial: visor: fix crash on detecting device without write_urbs + (CVE-2015-7566) + * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723) + * [x86] drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates + * bcache: Add upstream fixes marked for stable: + - fix a livelock when we cause a huge number of cache misses + - Add a cond_resched() call to gc + - clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device + - fix a leak in bch_cached_dev_run() + - unregister reboot notifier if bcache fails to unregister device + - allows use of register in udev to avoid "device_busy" error. 
+ - prevent crash on changing writeback_running + - Change refill_dirty() to always scan entire disk if necessary + * KEYS: Fix keyring ref leak in join_session_keyring() (CVE-2016-0728) + + [ Salvatore Bonaccorso ] + * unix: properly account for FDs passed over unix sockets (CVE-2013-4312) + + -- Ben Hutchings <ben@decadent.org.uk> Tue, 19 Jan 2016 00:41:31 +0000 + linux (4.3.3-5) unstable; urgency=medium * [armhf] udeb: Fix duplication and circular dependency between core-modules diff --git a/debian/config/amd64/defines b/debian/config/amd64/defines index 224defcd1584..649a067b57e1 100644 --- a/debian/config/amd64/defines +++ b/debian/config/amd64/defines @@ -8,6 +8,7 @@ kernel-arch: x86 [build] debug-info: true image-file: arch/x86/boot/bzImage +vdso: true [image] bootloaders: grub-pc grub-efi extlinux diff --git a/debian/config/arm64/defines b/debian/config/arm64/defines index eba3b6f2d115..6880132da40e 100644 --- a/debian/config/arm64/defines +++ b/debian/config/arm64/defines @@ -6,6 +6,7 @@ featuresets: [build] debug-info: true image-file: arch/arm64/boot/Image +vdso: true [image] install-stem: vmlinuz diff --git a/debian/config/armel/config.kirkwood b/debian/config/armel/config.kirkwood index 8ab415d1b640..c636dcac2edc 100644 --- a/debian/config/armel/config.kirkwood +++ b/debian/config/armel/config.kirkwood @@ -159,11 +159,6 @@ CONFIG_DMADEVICES=y CONFIG_MV_XOR=y ## -## file: drivers/gpio/Kconfig -## -CONFIG_GPIO_SYSFS=y - -## ## file: drivers/gpu/drm/Kconfig ## # CONFIG_DRM is not set @@ -438,6 +433,8 @@ CONFIG_PCI_MVEBU=y ## ## file: drivers/power/reset/Kconfig ## +CONFIG_POWER_RESET=y +CONFIG_POWER_RESET_GPIO=y CONFIG_POWER_RESET_QNAP=y CONFIG_POWER_RESET_RESTART=y diff --git a/debian/config/armel/config.orion5x b/debian/config/armel/config.orion5x index 5727d4a4a21c..cda43ba00ea7 100644 --- a/debian/config/armel/config.orion5x +++ b/debian/config/armel/config.orion5x 
@@ -166,11 +166,6 @@ CONFIG_DMADEVICES=y CONFIG_MV_XOR=y ## -## file: drivers/gpio/Kconfig -## -CONFIG_GPIO_SYSFS=y - -## ## file: drivers/gpu/drm/Kconfig ## # CONFIG_DRM is not set diff --git a/debian/config/armhf/config.armmp b/debian/config/armhf/config.armmp index e86061944731..71480597d781 100644 --- a/debian/config/armhf/config.armmp +++ b/debian/config/armhf/config.armmp @@ -233,7 +233,6 @@ CONFIG_RASPBERRYPI_FIRMWARE=y ## file: drivers/gpio/Kconfig ## CONFIG_GPIOLIB=y -CONFIG_GPIO_SYSFS=y CONFIG_GPIO_GENERIC_PLATFORM=m CONFIG_GPIO_PCA953X=m CONFIG_GPIO_DA9052=m diff --git a/debian/config/armhf/defines b/debian/config/armhf/defines index fd62b693dcf1..8f7551f049fd 100644 --- a/debian/config/armhf/defines +++ b/debian/config/armhf/defines @@ -6,6 +6,7 @@ kernel-arch: arm [build] image-file: arch/arm/boot/zImage +vdso: true [image] suggests: fdutils diff --git a/debian/config/config b/debian/config/config index 9569f60fa34e..cf5bdd64b2b2 100644 --- a/debian/config/config +++ b/debian/config/config @@ -480,7 +480,7 @@ CONFIG_EFI_VARS_PSTORE=m ## # CONFIG_GPIOLIB is not set # CONFIG_DEBUG_GPIO is not set -# CONFIG_GPIO_SYSFS is not set +CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_VX855 is not set diff --git a/debian/config/i386/defines b/debian/config/i386/defines index 90f576294b07..14f3b86ab948 100644 --- a/debian/config/i386/defines +++ b/debian/config/i386/defines @@ -7,6 +7,7 @@ kernel-arch: x86 [build] image-file: arch/x86/boot/bzImage +vdso: true [description] part-long-pae: This kernel requires PAE (Physical Address Extension). diff --git a/debian/config/kernelarch-arm/config b/debian/config/kernelarch-arm/config index 03046fe67804..ef877a98ad51 100644 --- a/debian/config/kernelarch-arm/config +++ b/debian/config/kernelarch-arm/config @@ -4,6 +4,7 @@ CONFIG_MMU=y CONFIG_AEABI=y # CONFIG_OABI_COMPAT is not set +CONFIG_CPU_SW_DOMAIN_PAN=y CONFIG_KEXEC=y ## 
diff --git a/debian/config/powerpc/defines b/debian/config/powerpc/defines index 8407a7416083..24b8b528facf 100644 --- a/debian/config/powerpc/defines +++ b/debian/config/powerpc/defines @@ -7,6 +7,7 @@ kernel-arch: powerpc [build] image-file: vmlinux +vdso: true [image] configs: diff --git a/debian/config/powerpcspe/defines b/debian/config/powerpcspe/defines index 667efcffff77..adb4bea0733d 100644 --- a/debian/config/powerpcspe/defines +++ b/debian/config/powerpcspe/defines @@ -5,6 +5,7 @@ kernel-arch: powerpc [build] image-file: vmlinux +vdso: true [image] suggests: mkvmlinuz diff --git a/debian/config/ppc64/defines b/debian/config/ppc64/defines index 98fcc3b6ec37..7efcb1a95b00 100644 --- a/debian/config/ppc64/defines +++ b/debian/config/ppc64/defines @@ -5,6 +5,7 @@ kernel-arch: powerpc [build] image-file: vmlinux +vdso: true [image] configs: diff --git a/debian/config/ppc64el/defines b/debian/config/ppc64el/defines index b5ec5ed6739d..987ab7df19ad 100644 --- a/debian/config/ppc64el/defines +++ b/debian/config/ppc64el/defines @@ -5,6 +5,7 @@ kernel-arch: powerpc [build] image-file: vmlinux +vdso: true [image] configs: diff --git a/debian/config/s390x/defines b/debian/config/s390x/defines index 5e0ff29eabd4..30d86c99ff10 100644 --- a/debian/config/s390x/defines +++ b/debian/config/s390x/defines @@ -5,6 +5,7 @@ kernel-arch: s390 [build] image-file: arch/s390/boot/image +vdso: true [image] bootloaders: s390-tools diff --git a/debian/installer/armhf/modules/armhf-armmp/input-modules b/debian/installer/armhf/modules/armhf-armmp/input-modules index 1a248663bdf0..5ecb595a4a49 100644 --- a/debian/installer/armhf/modules/armhf-armmp/input-modules +++ b/debian/installer/armhf/modules/armhf-armmp/input-modules @@ -1,4 +1 @@ #include <input-modules> -usbhid - -usbmouse - -usbkbd - diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py index b9164630c601..445547bbfae2 100644 --- a/debian/lib/python/debian_linux/debian.py 
+++ b/debian/lib/python/debian_linux/debian.py @@ -396,29 +396,7 @@ class PackageRelationEntry(object): self.restrictions = [] -class Package(dict): - _fields = collections.OrderedDict(( - ('Package', str), - ('Source', str), - ('Architecture', PackageArchitecture), - ('Section', str), - ('Priority', str), - ('Maintainer', str), - ('Uploaders', str), - ('Standards-Version', str), - ('Build-Depends', PackageRelation), - ('Build-Depends-Indep', PackageRelation), - ('Provides', PackageRelation), - ('Pre-Depends', PackageRelation), - ('Depends', PackageRelation), - ('Recommends', PackageRelation), - ('Suggests', PackageRelation), - ('Replaces', PackageRelation), - ('Breaks', PackageRelation), - ('Conflicts', PackageRelation), - ('Description', PackageDescription), - )) - +class _ControlFileDict(dict): def __setitem__(self, key, value): try: cls = self._fields[key] @@ -426,15 +404,15 @@ class Package(dict): value = cls(value) except KeyError: pass - super(Package, self).__setitem__(key, value) + super(_ControlFileDict, self).__setitem__(key, value) def keys(self): - keys = set(super(Package, self).keys()) + keys = set(super(_ControlFileDict, self).keys()) for i in self._fields.keys(): if i in self: keys.remove(i) yield i - for i in keys: + for i in sorted(list(keys)): yield i def items(self): 
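Review bot: `_ControlFileDict` reads `self._fields` in `__setitem__` and `keys()` but never defines it, so using the base class directly fails with `AttributeError`, which the `except KeyError` in `__setitem__` does not catch. Adding `_fields = collections.OrderedDict()` to the base class, or a one-line docstring stating that subclasses must supply an ordered `_fields` mapping, would make the contract explicit. The class body continues in the following hunks.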
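Review bot: In `keys()`, `sorted(list(keys))` copies the set into a list only for `sorted` to build another one; `for i in sorted(keys):` is equivalent. A short comment such as `# fields not listed in _fields are emitted in sorted order so the generated control file is stable across runs` would record why the sort is there, since the reason is only stated in the changelog.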
@@ -446,22 +424,37 @@ class Package(dict): yield self[i] -class TestsControl(dict): - _fields = { - 'Tests': str, - 'Test-Command': str, - 'Restrictions': str, - 'Features': str, - 'Depends': PackageRelation, - 'Tests-Directory': str, - 'Classes': str, - } +class Package(_ControlFileDict): + _fields = collections.OrderedDict(( + ('Package', str), + ('Source', str), + ('Architecture', PackageArchitecture), + ('Section', str), + ('Priority', str), + ('Maintainer', str), + ('Uploaders', str), + ('Standards-Version', str), + ('Build-Depends', PackageRelation), + ('Build-Depends-Indep', PackageRelation), + ('Provides', PackageRelation), + ('Pre-Depends', PackageRelation), + ('Depends', PackageRelation), + ('Recommends', PackageRelation), + ('Suggests', PackageRelation), + ('Replaces', PackageRelation), + ('Breaks', PackageRelation), + ('Conflicts', PackageRelation), + ('Description', PackageDescription), + )) + - def __setitem__(self, key, value): - try: - cls = self._fields[key] - if not isinstance(value, cls): - value = cls(value) - except KeyError: - pass - super(TestsControl, self).__setitem__(key, value) +class TestsControl(_ControlFileDict): + _fields = collections.OrderedDict(( + ('Tests', str), + ('Test-Command', str), + ('Restrictions', str), + ('Features', str), + ('Depends', PackageRelation), + ('Tests-Directory', str), + ('Classes', str), + )) diff --git a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 000000000000..9c6a9697387d --- /dev/null +++ b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch 
@@ -0,0 +1,75 @@ +From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001 +From: Yevgeny Pats <yevgeny@perception-point.io> +Date: Mon, 11 Jan 2016 12:05:28 +0000 +Subject: KEYS: Fix keyring ref leak in join_session_keyring() + +If a thread is asked to join as a session keyring the keyring that's already +set as its session, we leak a keyring reference. + +This can be tested with the following program: + + #include <stddef.h> + #include <stdio.h> + #include <sys/types.h> + #include <keyutils.h> + + int main(int argc, const char *argv[]) + { + int i = 0; + key_serial_t serial; + + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + + if (keyctl(KEYCTL_SETPERM, serial, + KEY_POS_ALL | KEY_USR_ALL) < 0) { + perror("keyctl"); + return -1; + } + + for (i = 0; i < 100; i++) { + serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, + "leaked-keyring"); + if (serial < 0) { + perror("keyctl"); + return -1; + } + } + + return 0; + } + +If, after the program has run, there something like the following line in +/proc/keys: + +3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty + +with a usage count of 100 * the number of times the program has been run, +then the kernel is malfunctioning. If leaked-keyring has zero usages or +has been garbage collected, then the problem is fixed. + +Reported-by: Yevgeny Pats <yevgeny@perception-point.io> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + security/keys/process_keys.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index a3f85d2..e6d50172 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } +-- +2.7.0.rc3 + 
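Review bot: This patch header has no `Origin:` field, unlike the bcache patches added in the same merge, so the file alone does not show where the fix the changelog lists as CVE-2016-0728 was taken from; the `From 7ca88764d45c209791e8813131c1457c2e9e51e7` line is a format-patch commit id with no repository attached. Adding `Origin: <URL of the upstream commit>` below `Subject:` would let a later reviewer compare the shipped hunk with upstream before trusting it. The one-line change itself (`key_put(keyring);` on the `keyring == new->session_keyring` branch) matches the description in the commit message.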
diff --git a/debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch b/debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch new file mode 100644 index 000000000000..0580e6163ea4 --- /dev/null +++ b/debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch @@ -0,0 +1,26 @@ +From: Kent Overstreet <kmo@daterainc.com> +Date: Sun, 29 Nov 2015 17:18:33 -0800 +Subject: [2/8] bcache: Add a cond_resched() call to gc +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=c5f1e5adf956e3ba82d204c7c141a75da9fa449a + +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Tested-by: Eric Wheeler <bcache@linux.ewheeler.net> +Cc: Kent Overstreet <kmo@daterainc.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/btree.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 4a1179c..22b9e34 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1741,6 +1741,7 @@ static void bch_btree_gc(struct cache_set *c) + do { + ret = btree_root(gc_root, c, &op, &writes, &stats); + closure_sync(&writes); ++ cond_resched(); + + if (ret && ret != -EAGAIN) + pr_warn("gc failed!"); diff --git a/debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch b/debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch new file mode 100644 index 000000000000..782979770e92 --- /dev/null +++ b/debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch 
@@ -0,0 +1,46 @@ +From: Gabriel de Perthuis <g2p.code@gmail.com> +Date: Sun, 29 Nov 2015 18:40:23 -0800 +Subject: [6/8] bcache: allows use of register in udev to avoid "device_busy" + error. +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=d7076f21629f8f329bca4a44dc408d94670f49e2 + +Allows to use register, not register_quiet in udev to avoid "device_busy" error. +The initial patch proposed at https://lkml.org/lkml/2013/8/26/549 by Gabriel de Perthuis +<g2p.code@gmail.com> does not unlock the mutex and hangs the kernel. + +See http://thread.gmane.org/gmane.linux.kernel.bcache.devel/2594 for the discussion. + +Cc: Denis Bychkov <manover@gmail.com> +Cc: Kent Overstreet <kent.overstreet@gmail.com> +Cc: Eric Wheeler <bcache@linux.ewheeler.net> +Cc: Gabriel de Perthuis <g2p.code@gmail.com> +Cc: stable@vger.kernel.org + +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 18f14a2..8d0ead9 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1938,6 +1938,8 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr, + else + err = "device busy"; + mutex_unlock(&bch_register_lock); ++ if (attr == &ksysfs_register_quiet) ++ goto out; + } + goto err; + } +@@ -1976,8 +1978,7 @@ out: + err_close: + blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL); + err: +- if (attr != &ksysfs_register_quiet) +- pr_info("error opening %s: %s", path, err); ++ pr_info("error opening %s: %s", path, err); + ret = -EINVAL; + goto out; + } diff --git a/debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch b/debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch new file mode 100644 index 000000000000..7dae0c8e973b --- /dev/null 
+++ b/debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch 
@@ -0,0 +1,91 @@ +From: Kent Overstreet <kent.overstreet@gmail.com> +Date: Sun, 29 Nov 2015 18:47:01 -0800 +Subject: [8/8] bcache: Change refill_dirty() to always scan entire disk if + necessary +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=627ccd20b4ad3ba836472468208e2ac4dfadbf03 + +Previously, it would only scan the entire disk if it was starting from +the very start of the disk - i.e. if the previous scan got to the end. + +This was broken by refill_full_stripes(), which updates last_scanned so +that refill_dirty was never triggering the searched_from_start path. + +But if we change refill_dirty() to always scan the entire disk if +necessary, regardless of what last_scanned was, the code gets cleaner +and we fix that bug too. + +Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/writeback.c | 37 ++++++++++++++++++++++++++++++------- + 1 file changed, 30 insertions(+), 7 deletions(-) + +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index b23f88d..b9346cd 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -323,6 +323,10 @@ void bcache_dev_sectors_dirty_add(struct cache_set *c, unsigned inode, + + static bool dirty_pred(struct keybuf *buf, struct bkey *k) + { ++ struct cached_dev *dc = container_of(buf, struct cached_dev, writeback_keys); ++ ++ BUG_ON(KEY_INODE(k) != dc->disk.id); ++ + return KEY_DIRTY(k); + } + +@@ -372,11 +376,24 @@ next: + } + } + ++/* ++ * Returns true if we scanned the entire disk ++ */ + static bool refill_dirty(struct cached_dev *dc) + { + struct keybuf *buf = &dc->writeback_keys; ++ struct bkey start = KEY(dc->disk.id, 0, 0); + struct bkey end = KEY(dc->disk.id, MAX_KEY_OFFSET, 0); +- bool searched_from_start = false; ++ struct bkey start_pos; ++ ++ /* ++ * make sure keybuf pos is inside the range for this disk - at bringup ++ * we might 
not be attached yet so this disk's inode nr isn't ++ * initialized then ++ */ ++ if (bkey_cmp(&buf->last_scanned, &start) < 0 || ++ bkey_cmp(&buf->last_scanned, &end) > 0) ++ buf->last_scanned = start; + + if (dc->partial_stripes_expensive) { + refill_full_stripes(dc); +@@ -384,14 +401,20 @@ static bool refill_dirty(struct cached_dev *dc) + return false; + } + +- if (bkey_cmp(&buf->last_scanned, &end) >= 0) { +- buf->last_scanned = KEY(dc->disk.id, 0, 0); +- searched_from_start = true; +- } +- ++ start_pos = buf->last_scanned; + bch_refill_keybuf(dc->disk.c, buf, &end, dirty_pred); + +- return bkey_cmp(&buf->last_scanned, &end) >= 0 && searched_from_start; ++ if (bkey_cmp(&buf->last_scanned, &end) < 0) ++ return false; ++ ++ /* ++ * If we get to the end start scanning again from the beginning, and ++ * only scan up to where we initially started scanning from: ++ */ ++ buf->last_scanned = start; ++ bch_refill_keybuf(dc->disk.c, buf, &start_pos, dirty_pred); ++ ++ return bkey_cmp(&buf->last_scanned, &start_pos) >= 0; + } + + static int bch_writeback_thread(void *arg) diff --git a/debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch b/debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch new file mode 100644 index 000000000000..83e0bf81febf --- /dev/null +++ b/debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch 
@@ -0,0 +1,109 @@ +From: Zheng Liu <wenqing.lz@taobao.com> +Date: Sun, 29 Nov 2015 17:19:32 -0800 +Subject: [3/8] bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a + backing device +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=fecaee6f20ee122ad75402c53d8278f9bb142ddc + +This bug can be reproduced by the following script: + + #!/bin/bash + + bcache_sysfs="/sys/fs/bcache" + + function clear_cache() + { + if [ ! -e $bcache_sysfs ]; then + echo "no bcache sysfs" + exit + fi + + cset_uuid=$(ls -l $bcache_sysfs|head -n 2|tail -n 1|awk '{print $9}') + sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/detach" + sleep 5 + sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/attach" + } + + for ((i=0;i<10;i++)); do + clear_cache + done + +The warning messages look like below: +[ 275.948611] ------------[ cut here ]------------ +[ 275.963840] WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xb8/0xd0() (Tainted: P W +--------------- ) +[ 275.979253] Hardware name: Tecal RH2285 +[ 275.994106] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:09.0/0000:08:00.0/host4/target4:2:1/4:2:1:0/block/sdb/sdb1/bcache/cache' +[ 276.024105] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler +bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801 +i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas +pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan] +[ 276.072643] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1 +[ 276.089315] Call Trace: +[ 276.105801] [<ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0 +[ 276.122650] [<ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50 +[ 276.139361] [<ffffffff81205c08>] ? sysfs_add_one+0xb8/0xd0 +[ 276.156012] [<ffffffff8120609b>] ? sysfs_do_create_link+0x12b/0x170 +[ 276.172682] [<ffffffff81206113>] ? 
sysfs_create_link+0x13/0x20 +[ 276.189282] [<ffffffffa03bda21>] ? bcache_device_link+0xc1/0x110 [bcache] +[ 276.205993] [<ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache] +[ 276.222794] [<ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache] +[ 276.239680] [<ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110 +[ 276.256594] [<ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170 +[ 276.273364] [<ffffffff811887b8>] ? vfs_write+0xb8/0x1a0 +[ 276.290133] [<ffffffff811890b1>] ? sys_write+0x51/0x90 +[ 276.306368] [<ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b +[ 276.322301] ---[ end trace 9f5d4fcdd0c3edfb ]--- +[ 276.338241] ------------[ cut here ]------------ +[ 276.354109] WARNING: at /home/wenqing.lz/bcache/bcache/super.c:720 +bcache_device_link+0xdf/0x110 [bcache]() (Tainted: P W --------------- ) +[ 276.386017] Hardware name: Tecal RH2285 +[ 276.401430] Couldn't create device <-> cache set symlinks +[ 276.401759] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler +bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801 +i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas +pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan] +[ 276.465477] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1 +[ 276.482169] Call Trace: +[ 276.498610] [<ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0 +[ 276.515405] [<ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50 +[ 276.532059] [<ffffffffa03bda3f>] ? bcache_device_link+0xdf/0x110 [bcache] +[ 276.548808] [<ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache] +[ 276.565569] [<ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache] +[ 276.582418] [<ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110 +[ 276.599341] [<ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170 +[ 276.616142] [<ffffffff811887b8>] ? 
vfs_write+0xb8/0x1a0 +[ 276.632607] [<ffffffff811890b1>] ? sys_write+0x51/0x90 +[ 276.648671] [<ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b +[ 276.664756] ---[ end trace 9f5d4fcdd0c3edfc ]--- + +We forget to clear BCACHE_DEV_UNLINK_DONE flag in bcache_device_attach() +function when we attach a backing device first time. After detaching this +backing device, this flag will be true and sysfs_remove_link() isn't called in +bcache_device_unlink(). Then when we attach this backing device again, +sysfs_create_link() will return EEXIST error in bcache_device_link(). + +So the fix is trival and we clear this flag in bcache_device_link(). + +Signed-off-by: Zheng Liu <wenqing.lz@taobao.com> +Tested-by: Joshua Schmid <jschmid@suse.com> +Tested-by: Eric Wheeler <bcache@linux.ewheeler.net> +Cc: Kent Overstreet <kmo@daterainc.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 679a093..383f060 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -685,6 +685,8 @@ static void bcache_device_link(struct bcache_device *d, struct cache_set *c, + WARN(sysfs_create_link(&d->kobj, &c->kobj, "cache") || + sysfs_create_link(&c->kobj, &d->kobj, d->name), + "Couldn't create device <-> cache set symlinks"); ++ ++ clear_bit(BCACHE_DEV_UNLINK_DONE, &d->flags); + } + + static void bcache_device_detach(struct bcache_device *d) diff --git a/debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch b/debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch new file mode 100644 index 000000000000..b287e322635b --- /dev/null +++ b/debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch 
@@ -0,0 +1,32 @@ +From: Al Viro <viro@ZenIV.linux.org.uk> +Date: Sun, 29 Nov 2015 17:20:59 -0800 +Subject: [4/8] bcache: fix a leak in bch_cached_dev_run() +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=4d4d8573a8451acc9f01cbea24b7e55f04a252fe + +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Tested-by: Joshua Schmid <jschmid@suse.com> +Tested-by: Eric Wheeler <bcache@linux.ewheeler.net> +Cc: Kent Overstreet <kmo@daterainc.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/super.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 383f060..43e911e 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -849,8 +849,11 @@ void bch_cached_dev_run(struct cached_dev *dc) + buf[SB_LABEL_SIZE] = '\0'; + env[2] = kasprintf(GFP_KERNEL, "CACHED_LABEL=%s", buf); + +- if (atomic_xchg(&dc->running, 1)) ++ if (atomic_xchg(&dc->running, 1)) { ++ kfree(env[1]); ++ kfree(env[2]); + return; ++ } + + if (!d->c && + BDEV_STATE(&dc->sb) != BDEV_STATE_NONE) { diff --git a/debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch b/debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch new file mode 100644 index 000000000000..88a52f7b199b --- /dev/null +++ b/debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch 
@@ -0,0 +1,67 @@ +From: Zheng Liu <gnehzuil.liu@gmail.com> +Date: Sun, 29 Nov 2015 17:17:05 -0800 +Subject: [1/8] bcache: fix a livelock when we cause a huge number of cache + misses +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=2ef9ccbfcb90cf84bdba320a571b18b05c41101b + +Subject : [PATCH v2] bcache: fix a livelock in btree lock +Date : Wed, 25 Feb 2015 20:32:09 +0800 (02/25/2015 04:32:09 AM) + +This commit tries to fix a livelock in bcache. This livelock might +happen when we causes a huge number of cache misses simultaneously. + +When we get a cache miss, bcache will execute the following path. + +->cached_dev_make_request() + ->cached_dev_read() + ->cached_lookup() + ->bch->btree_map_keys() + ->btree_root() <------------------------ + ->bch_btree_map_keys_recurse() | + ->cache_lookup_fn() | + ->cached_dev_cache_miss() | + ->bch_btree_insert_check_key() -| + [If btree->seq is not equal to seq + 1, we should return + EINTR and traverse btree again.] + +In bch_btree_insert_check_key() function we first need to check upgrade +flag (op->lock == -1), and when this flag is true we need to release +read btree->lock and try to take write btree->lock. During taking and +releasing this write lock, btree->seq will be monotone increased in +order to prevent other threads modify this in cache miss (see btree.h:74). +But if there are some cache misses caused by some requested, we could +meet a livelock because btree->seq is always changed by others. Thus no +one can make progress. + +This commit will try to take write btree->lock if it encounters a race +when we traverse btree. Although it sacrifice the scalability but we +can ensure that only one can modify the btree. 
+ +Signed-off-by: Zheng Liu <wenqing.lz@taobao.com> +Tested-by: Joshua Schmid <jschmid@suse.com> +Tested-by: Eric Wheeler <bcache@linux.ewheeler.net> +Cc: Joshua Schmid <jschmid@suse.com> +Cc: Zhu Yanhai <zhu.yanhai@gmail.com> +Cc: Kent Overstreet <kmo@daterainc.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 83392f8..4a1179c 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -2162,8 +2162,10 @@ int bch_btree_insert_check_key(struct btree *b, struct btree_op *op, + rw_lock(true, b, b->level); + + if (b->key.ptr[0] != btree_ptr || +- b->seq != seq + 1) ++ b->seq != seq + 1) { ++ op->lock = b->level; + goto out; ++ } + } + + SET_KEY_PTRS(check_key, 1); diff --git a/debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch b/debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch new file mode 100644 index 000000000000..5d4736fe6c9d --- /dev/null +++ b/debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch 
@@ -0,0 +1,32 @@ +From: Stefan Bader <stefan.bader@canonical.com> +Date: Sun, 29 Nov 2015 18:44:49 -0800 +Subject: [7/8] bcache: prevent crash on changing writeback_running +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=8d16ce540c94c9d366eb36fc91b7154d92d6397b + +Added a safeguard in the shutdown case. At least while not being +attached it is also possible to trigger a kernel bug by writing into +writeback_running. This change adds the same check before trying to +wake up the thread for that case. + +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +Cc: Kent Overstreet <kent.overstreet@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/writeback.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/writeback.h b/drivers/md/bcache/writeback.h +index 0a9dab1..073a042 100644 +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ -63,7 +63,8 @@ static inline bool should_writeback(struct cached_dev *dc, struct bio *bio, + + static inline void bch_writeback_queue(struct cached_dev *dc) + { +- wake_up_process(dc->writeback_thread); ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) ++ wake_up_process(dc->writeback_thread); + } + + static inline void bch_writeback_add(struct cached_dev *dc) diff --git a/debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch b/debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch new file mode 100644 index 000000000000..538f34b021be --- /dev/null +++ b/debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch 
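Review bot: The new guard in bch_writeback_queue() reads `dc->writeback_thread` once for the test and again for wake_up_process(), with no lock visible in this helper. It therefore only helps if code outside the hunk keeps the pointer stable between the two reads, which should be confirmed for the detach and shutdown paths. The skipped wakeup is also silent, so a short comment would help, e.g. `/* no writeback thread while detached or shutting down: nothing to wake */`. If the sysfs store for writeback_running is meant to report that case to the writer, that has to be handled in the caller, which is not part of this hunk.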
@@ -0,0 +1,35 @@ +From: Zheng Liu <wenqing.lz@taobao.com> +Date: Sun, 29 Nov 2015 17:21:57 -0800 +Subject: [5/8] bcache: unregister reboot notifier if bcache fails to + unregister device +Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=2ecf0cdb2b437402110ab57546e02abfa68a716b + +In bcache_init() function it forgot to unregister reboot notifier if +bcache fails to unregister a block device. This commit fixes this. + +Signed-off-by: Zheng Liu <wenqing.lz@taobao.com> +Tested-by: Joshua Schmid <jschmid@suse.com> +Tested-by: Eric Wheeler <bcache@linux.ewheeler.net> +Cc: Kent Overstreet <kmo@daterainc.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@fb.com> +--- + drivers/md/bcache/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 43e911e..18f14a2 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -2071,8 +2071,10 @@ static int __init bcache_init(void) + closure_debug_init(); + + bcache_major = register_blkdev(0, "bcache"); +- if (bcache_major < 0) ++ if (bcache_major < 0) { ++ unregister_reboot_notifier(&reboot); + return bcache_major; ++ } + + if (!(bcache_wq = create_workqueue("bcache")) || + !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) || diff --git a/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch new file mode 100644 index 000000000000..02fe5e74bcd6 --- /dev/null +++ b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch 
@@ -0,0 +1,63 @@ +From: Peter Hurley <peter@hurleysoftware.com> +Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) +Date: Sun, 10 Jan 2016 22:40:55 -0800 +Origin: http://article.gmane.org/gmane.linux.kernel/2123249 + +ioctl(TIOCGETD) retrieves the line discipline id directly from the +ldisc because the line discipline id (c_line) in termios is untrustworthy; +userspace may have set termios via ioctl(TCSETS*) without actually +changing the line discipline via ioctl(TIOCSETD). + +However, directly accessing the current ldisc via tty->ldisc is +unsafe; the ldisc ptr dereferenced may be stale if the line discipline +is changing via ioctl(TIOCSETD) or hangup. + +Wait for the line discipline reference (just like read() or write()) +to retrieve the "current" line discipline id. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Peter Hurley <peter@hurleysoftware.com> +--- + drivers/tty/tty_io.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *t + } + + /** ++ * tiocgetd - get line discipline ++ * @tty: tty device ++ * @p: pointer to user data ++ * ++ * Retrieves the line discipline id directly from the ldisc. 
++ * ++ * Locking: waits for ldisc reference (in case the line discipline ++ * is changing or the tty is being hungup) ++ */ ++ ++static int tiocgetd(struct tty_struct *tty, int __user *p) ++{ ++ struct tty_ldisc *ld; ++ int ret; ++ ++ ld = tty_ldisc_ref_wait(tty); ++ ret = put_user(ld->ops->num, p); ++ tty_ldisc_deref(ld); ++ return ret; ++} ++ ++/** + * send_break - performed time break + * @tty: device to break on + * @duration: timeout in mS +@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsign + case TIOCGSID: + return tiocgsid(tty, real_tty, p); + case TIOCGETD: +- return put_user(tty->ldisc->ops->num, (int __user *)p); ++ return tiocgetd(tty, p); + case TIOCSETD: + return tiocsetd(tty, p); + case TIOCVHANGUP: diff --git a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch new file mode 100644 index 000000000000..8cd6bb4ace1a --- /dev/null +++ b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch 
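Review bot: The new tiocgetd() dereferences the result of tty_ldisc_ref_wait() as `ld->ops->num` without checking it. The hunk does not show whether tty_ldisc_ref_wait() can return NULL in this tree, for example once the tty has been hung up, so that needs confirming against tty_ldisc.c. If it can, add `if (!ld) return -EIO;` before the put_user() call, and extend the kernel-doc block with the error return.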
@@ -0,0 +1,140 @@ +From: willy tarreau <w@1wt.eu> +Date: Sun, 10 Jan 2016 07:54:56 +0100 +Subject: unix: properly account for FDs passed over unix sockets +Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593 + +It is possible for a process to allocate and accumulate far more FDs than +the process' limit by sending them over a unix socket then closing them +to keep the process' fd count low. + +This change addresses this problem by keeping track of the number of FDs +in flight per user and preventing non-privileged processes from having +more FDs in flight than their configured FD limit. + +Reported-by: socketpair@gmail.com +Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Mitigates: CVE-2013-4312 (Linux 2.0+) +Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: Willy Tarreau <w@1wt.eu> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/linux/sched.h | 1 + + net/unix/af_unix.c | 24 ++++++++++++++++++++---- + net/unix/garbage.c | 13 ++++++++----- + 3 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index edad7a4..fbf25f1 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -830,6 +830,7 @@ struct user_struct { + unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ + #endif + unsigned long locked_shm; /* How many pages of mlocked shm ? 
*/ ++ unsigned long unix_inflight; /* How many files in flight in unix sockets */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index ef05cd9..e3f85bc 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb) + sock_wfree(skb); + } + ++/* ++ * The "user->unix_inflight" variable is protected by the garbage ++ * collection lock, and we just read it locklessly here. If you go ++ * over the limit, there might be a tiny race in actually noticing ++ * it across threads. Tough. ++ */ ++static inline bool too_many_unix_fds(struct task_struct *p) ++{ ++ struct user_struct *user = current_user(); ++ ++ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); ++ return false; ++} ++ + #define MAX_RECURSION_LEVEL 4 + + static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) +@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + unsigned char max_level = 0; + int unix_sock_count = 0; + ++ if (too_many_unix_fds(current)) ++ return -ETOOMANYREFS; ++ + for (i = scm->fp->count - 1; i >= 0; i--) { + struct sock *sk = unix_get_socket(scm->fp->fp[i]); + +@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + if (!UNIXCB(skb).fp) + return -ENOMEM; + +- if (unix_sock_count) { +- for (i = scm->fp->count - 1; i >= 0; i--) +- unix_inflight(scm->fp->fp[i]); +- } ++ for (i = scm->fp->count - 1; i >= 0; i--) ++ unix_inflight(scm->fp->fp[i]); + return max_level; + } + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index a73a226..8fcdc22 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp) + { + struct sock *s = unix_get_socket(fp); + ++ spin_lock(&unix_gc_lock); ++ + if (s) { + struct 
unix_sock *u = unix_sk(s); + +- spin_lock(&unix_gc_lock); +- + if (atomic_long_inc_return(&u->inflight) == 1) { + BUG_ON(!list_empty(&u->link)); + list_add_tail(&u->link, &gc_inflight_list); +@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp) + BUG_ON(list_empty(&u->link)); + } + unix_tot_inflight++; +- spin_unlock(&unix_gc_lock); + } ++ fp->f_cred->user->unix_inflight++; ++ spin_unlock(&unix_gc_lock); + } + + void unix_notinflight(struct file *fp) + { + struct sock *s = unix_get_socket(fp); + ++ spin_lock(&unix_gc_lock); ++ + if (s) { + struct unix_sock *u = unix_sk(s); + +- spin_lock(&unix_gc_lock); + BUG_ON(list_empty(&u->link)); + + if (atomic_long_dec_and_test(&u->inflight)) + list_del_init(&u->link); + unix_tot_inflight--; +- spin_unlock(&unix_gc_lock); + } ++ fp->f_cred->user->unix_inflight--; ++ spin_unlock(&unix_gc_lock); + } + + static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), +-- +2.7.0.rc3 + diff --git a/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch new file mode 100644 index 000000000000..4b6a5d63cb1e --- /dev/null +++ b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch 
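Review bot: The limit check and the counter do not refer to the same user. too_many_unix_fds() in af_unix.c reads `current_user()->unix_inflight`, while unix_inflight() and unix_notinflight() in garbage.c update `fp->f_cred->user->unix_inflight`, i.e. the user whose credentials opened the file. When a descriptor was opened under other credentials than the sender's, the sender's counter does not grow and the opener is charged instead, so the per-user cap is not reliably enforced on the sending process. Charging the sender means recording its user_struct with the fd list when it is attached and passing that to both helpers, which goes beyond these hunks. The check in unix_attach_fds() also runs before the loop and ignores `scm->fp->count`, so one message can overshoot the limit, and the `p` argument is used only for the rlimit lookup.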
@@ -0,0 +1,31 @@ +From: Vladis Dronov <vdronov@redhat.com> +Subject: usb: serial: visor: fix crash on detecting device without write_urbs +Date: Tue, 12 Jan 2016 15:10:50 +0100 +Origin: http://article.gmane.org/gmane.linux.usb.general/136045 +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1296466 + +The visor driver crashes in clie_5_attach() when a specially crafted USB +device without bulk-out endpoint is detected. This fix adds a check that +the device has proper configuration expected by the driver. + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/usb/serial/visor.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/visor.c ++++ b/drivers/usb/serial/visor.c +@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_seri + */ + + /* some sanity check */ +- if (serial->num_ports < 2) +- return -1; ++ if (serial->num_bulk_out < 2) { ++ dev_err(&serial->interface->dev, "missing bulk out endpoints\n"); ++ return -ENODEV; ++ } + + /* port 0 now uses the modified endpoint Address */ + port = serial->port[0]; diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch new file mode 100644 index 000000000000..dd2d3da59910 --- /dev/null +++ b/debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch 
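Review bot: The new test on `serial->num_bulk_out` in clie_5_attach() replaces the old `serial->num_ports < 2` test rather than adding to it, although the code right after the hunk still indexes `serial->port[]`. Unless the usb-serial core guarantees at least two ports for this device type (not visible here), keep both conditions: `if (serial->num_ports < 2 || serial->num_bulk_out < 2) {`. The function continues outside the hunk, so check which port indices and `bulk_out_*` fields it touches against what the check guarantees.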
@@ -0,0 +1,60 @@ +From: Thomas Hellstrom <thellstrom@vmware.com> +Date: Fri, 8 Jan 2016 20:29:40 +0100 +Subject: drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates +Origin: https://git.kernel.org/linus/a50e2bf5a0f674d62b69f51f6935a30e82bd015c + +When the framebuffer is a vmwgfx dma buffer and a proxy surface is +created, the vmw_kms_update_proxy() function requires that the proxy +surface width and the framebuffer pitch are compatible, otherwise +display corruption occurs as seen in gnome-shell/native with software +3D. Since the framebuffer pitch is determined by user-space, allocate +a proxy surface the width of which is based on the framebuffer pitch +rather than on the framebuffer width. + +Cc: <stable@vger.kernel.org> +Reported-by: Raphael Hertzog <buxy@kali.org> +Tested-by: Mati Aharoni <muts@kali.org> +Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> +Reviewed-by: Brian Paul <brianp@vmware.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -725,21 +725,25 @@ static int vmw_create_dmabuf_proxy(struc + uint32_t format; + struct drm_vmw_size content_base_size; + struct vmw_resource *res; ++ unsigned int bytes_pp; + int ret; + + switch (mode_cmd->depth) { + case 32: + case 24: + format = SVGA3D_X8R8G8B8; ++ bytes_pp = 4; + break; + + case 16: + case 15: + format = SVGA3D_R5G6B5; ++ bytes_pp = 2; + break; + + case 8: + format = SVGA3D_P8; ++ bytes_pp = 1; + break; + + default: +@@ -747,7 +751,7 @@ static int vmw_create_dmabuf_proxy(struc + return -EINVAL; + } + +- content_base_size.width = mode_cmd->width; ++ content_base_size.width = mode_cmd->pitch / bytes_pp; + content_base_size.height = mode_cmd->height; + content_base_size.depth = 1; + diff --git a/debian/patches/series b/debian/patches/series index 125045fda91d..0805169e3032 100644 
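Review bot: `content_base_size.width = mode_cmd->pitch / bytes_pp;` in vmw_create_dmabuf_proxy() takes a pitch that the patch description says is chosen by user space, and nothing in the hunk validates it. A pitch that is not a multiple of `bytes_pp` is silently truncated, and a pitch smaller than `mode_cmd->width * bytes_pp` gives a proxy surface narrower than the framebuffer it backs. If no earlier check rejects such values (none is visible here), add one before the assignment: `if (mode_cmd->pitch % bytes_pp || mode_cmd->pitch / bytes_pp < mode_cmd->width) return -EINVAL;`. The function begins and ends outside the hunk.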
--- a/debian/patches/series +++ b/debian/patches/series @@ -96,3 +96,16 @@ features/all/grsecurity/grkernsec_perf_harden.patch bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch +bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch +bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch +bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch +bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch +bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch +bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch +bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch +bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch +bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch +bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch +bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch +bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch +bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch diff --git a/debian/rules.real b/debian/rules.real index 4861fce359fb..9a284baa448b 100644 --- a/debian/rules.real +++ b/debian/rules.real 
@@ -91,16 +91,16 @@ mkdir -p '$(1)' cp -al $(filter-out debian .pc .svk .svn .git, $(wildcard * .[^.]*)) '$(1)' endef -$(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz: DIR = $(BUILD_DIR)/linux-source-$(UPSTREAMVERSION) -$(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz: $(STAMPS_DIR)/source +$(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz: DIR = $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION) +$(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz: $(STAMPS_DIR)/source rm -rf '$@' '$(DIR)' $(call copy_source,$(DIR)) chmod -R u+rw,go=rX '$(DIR)' find '$(DIR)' -depth -newermt '$(SOURCE_DATE)' -print0 | \ xargs -0r touch --no-dereference --date='$(SOURCE_DATE)' - cd '$(BUILD_DIR)'; find 'linux-source-$(UPSTREAMVERSION)' -print0 | \ + cd '$(BUILD_DIR)'; find '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION)' -print0 | \ sort -z | \ - tar --no-recursion --null -T - -caf 'linux-source-$(UPSTREAMVERSION).tar.xz' + tar --no-recursion --null -T - -caf '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz' rm -rf '$(DIR)' $(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-%.patch.xz: $(STAMPS_DIR)/source_none $(STAMPS_DIR)/source_% 
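Review bot: The tar call that writes `$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz` clamps mtimes and sorts the file list, but it still records the uid/gid of whoever runs the build, and `sort -z` runs in the caller's locale. The resulting source tarball can therefore differ between build hosts, which makes it harder to verify independently. I would pin both on the changed lines: `LC_ALL=C sort -z | \` and `tar --no-recursion --null -T - --owner=root --group=root --numeric-owner -caf '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz'`.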
@@ -429,6 +429,17 @@ ifeq ($(MODULES),True) find $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/ -mindepth 1 -maxdepth 1 \! -name kernel -exec rm {} \+ rm $(DEBUG_DIR)/lib/firmware -rf endif +ifeq ($(VDSO),True) + +$(MAKE_CLEAN) -C $(DIR) vdso_install INSTALL_MOD_PATH='$(CURDIR)'/$(DEBUG_DIR) +# Fix .build-id links + find $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vdso/.build-id -name '*.debug' | while read link; do \ + rel_path="$${link#$(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vdso/.build-id/}" && \ + mkdir -p "$(DEBUG_DIR)/.build-id/$$(dirname "$$rel_path")" && \ + ln -s -r -L "$$link" "$(DEBUG_DIR)/.build-id/$$rel_path" || \ + exit; \ + done + rm -r $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vdso/.build-id +endif # Add symlinks to vmlinux from the locations expected by kdump-tools, # systemtap and others ln -s boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/ @@ -450,7 +461,7 @@ install-udeb_$(ARCH): install-source: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-source-$(VERSION) install-source: DH_OPTIONS = -p$(PACKAGE_NAME) -install-source: $(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz $(foreach FEATURESET,$(filter-out none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz) +install-source: $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz $(foreach FEATURESET,$(filter-out none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz) dh_testdir dh_testroot dh_installdirs /usr/src/linux-config-$(UPSTREAMVERSION) |
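Review bot: In the new `ifeq ($(VDSO),True)` block, the exit status of `find` is lost because it feeds the `while read link` loop. A missing or unreadable `vdso/.build-id` directory creates no links, and the problem only shows up at the later `rm -r`. The loop also reads paths with plain `read`, which strips leading and trailing blanks and interprets backslashes; `while IFS= read -r link; do \` avoids that. A one-line comment saying why the links are recreated under `$(DEBUG_DIR)/.build-id` and the originals removed would explain the `# Fix .build-id links` step to the next maintainer.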