Update to 4.6-rc7

6 files changed, 1 insertions, 338 deletions

diff --git a/debian/changelog b/debian/changelog
index 703b27b82a0c..e0fa92bf6b93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.6~rc6-1~exp1) UNRELEASED; urgency=medium
+linux (4.6~rc7-1~exp1) UNRELEASED; urgency=medium
 
   * New upstream release candidate
 
diff --git a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch b/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
deleted file mode 100644
index 48f34107fdf2..000000000000
--- a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: Alexei Starovoitov <ast@fb.com>
-Date: Wed, 27 Apr 2016 18:56:21 -0700
-Subject: [3/3] bpf: fix check_map_func_compatibility logic
-Origin: https://git.kernel.org/linus/6aff67c85c9e5a4bc99e5211c1bac547936626ca
-
-The commit 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
-introduced clever way to check bpf_helper<->map_type compatibility.
-Later on commit a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") adjusted
-the logic and inadvertently broke it.
-Get rid of the clever bool compare and go back to two-way check
-from map and from helper perspective.
-
-Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- kernel/bpf/verifier.c | 65 +++++++++++++++++++++++++++++++--------------------
- 1 file changed, 40 insertions(+), 25 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 89bcaa0966da..c5c17a62f509 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -239,16 +239,6 @@ static const char * const reg_type_str[] = {
- 	[CONST_IMM]		= "imm",
- };
- 
--static const struct {
--	int map_type;
--	int func_id;
--} func_limit[] = {
--	{BPF_MAP_TYPE_PROG_ARRAY, BPF_FUNC_tail_call},
--	{BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_read},
--	{BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_output},
--	{BPF_MAP_TYPE_STACK_TRACE, BPF_FUNC_get_stackid},
--};
--
- static void print_verifier_state(struct verifier_env *env)
- {
- 	enum bpf_reg_type t;
-@@ -921,27 +911,52 @@ static int check_func_arg(struct verifier_env *env, u32 regno,
- 
- static int check_map_func_compatibility(struct bpf_map *map, int func_id)
- {
--	bool bool_map, bool_func;
--	int i;
--
- 	if (!map)
- 		return 0;
- 
--	for (i = 0; i < ARRAY_SIZE(func_limit); i++) {
--		bool_map = (map->map_type == func_limit[i].map_type);
--		bool_func = (func_id == func_limit[i].func_id);
--		/* only when map & func pair match it can continue.
--		 * don't allow any other map type to be passed into
--		 * the special func;
--		 */
--		if (bool_func && bool_map != bool_func) {
--			verbose("cannot pass map_type %d into func %d\n",
--				map->map_type, func_id);
--			return -EINVAL;
--		}
-+	/* We need a two way check, first is from map perspective ... */
-+	switch (map->map_type) {
-+	case BPF_MAP_TYPE_PROG_ARRAY:
-+		if (func_id != BPF_FUNC_tail_call)
-+			goto error;
-+		break;
-+	case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
-+		if (func_id != BPF_FUNC_perf_event_read &&
-+		    func_id != BPF_FUNC_perf_event_output)
-+			goto error;
-+		break;
-+	case BPF_MAP_TYPE_STACK_TRACE:
-+		if (func_id != BPF_FUNC_get_stackid)
-+			goto error;
-+		break;
-+	default:
-+		break;
-+	}
-+
-+	/* ... and second from the function itself. */
-+	switch (func_id) {
-+	case BPF_FUNC_tail_call:
-+		if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
-+			goto error;
-+		break;
-+	case BPF_FUNC_perf_event_read:
-+	case BPF_FUNC_perf_event_output:
-+		if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
-+			goto error;
-+		break;
-+	case BPF_FUNC_get_stackid:
-+		if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
-+			goto error;
-+		break;
-+	default:
-+		break;
- 	}
- 
- 	return 0;
-+error:
-+	verbose("cannot pass map_type %d into func %d\n",
-+		map->map_type, func_id);
-+	return -EINVAL;
- }
- 
- static int check_call(struct verifier_env *env, int func_id)
diff --git a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch b/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch
deleted file mode 100644
index 396671871b7f..000000000000
--- a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From: Alexei Starovoitov <ast@fb.com>
-Date: Wed, 27 Apr 2016 18:56:20 -0700
-Subject: [2/3] bpf: fix refcnt overflow
-Origin: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e
-
-On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
-the malicious application may overflow 32-bit bpf program refcnt.
-It's also possible to overflow map refcnt on 1Tb system.
-Impose 32k hard limit which means that the same bpf program or
-map cannot be shared by more than 32k processes.
-
-Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/linux/bpf.h   |  3 ++-
- kernel/bpf/inode.c    |  7 ++++---
- kernel/bpf/syscall.c  | 24 ++++++++++++++++++++----
- kernel/bpf/verifier.c | 11 +++++++----
- 4 files changed, 33 insertions(+), 12 deletions(-)
-
---- a/include/linux/bpf.h
-+++ b/include/linux/bpf.h
-@@ -171,12 +171,13 @@ void bpf_register_prog_type(struct bpf_p
- void bpf_register_map_type(struct bpf_map_type_list *tl);
- 
- struct bpf_prog *bpf_prog_get(u32 ufd);
-+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
- void bpf_prog_put(struct bpf_prog *prog);
- void bpf_prog_put_rcu(struct bpf_prog *prog);
- 
- struct bpf_map *bpf_map_get_with_uref(u32 ufd);
- struct bpf_map *__bpf_map_get(struct fd f);
--void bpf_map_inc(struct bpf_map *map, bool uref);
-+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
- void bpf_map_put_with_uref(struct bpf_map *map);
- void bpf_map_put(struct bpf_map *map);
- int bpf_map_precharge_memlock(u32 pages);
---- a/kernel/bpf/inode.c
-+++ b/kernel/bpf/inode.c
-@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum
- {
- 	switch (type) {
- 	case BPF_TYPE_PROG:
--		atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
-+		raw = bpf_prog_inc(raw);
- 		break;
- 	case BPF_TYPE_MAP:
--		bpf_map_inc(raw, true);
-+		raw = bpf_map_inc(raw, true);
- 		break;
- 	default:
- 		WARN_ON_ONCE(1);
-@@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct
- 		goto out;
- 
- 	raw = bpf_any_get(inode->i_private, *type);
--	touch_atime(&path);
-+	if (!IS_ERR(raw))
-+		touch_atime(&path);
- 
- 	path_put(&path);
- 	return raw;
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -218,11 +218,18 @@ struct bpf_map *__bpf_map_get(struct fd
- 	return f.file->private_data;
- }
- 
--void bpf_map_inc(struct bpf_map *map, bool uref)
-+/* prog's and map's refcnt limit */
-+#define BPF_MAX_REFCNT 32768
-+
-+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
- {
--	atomic_inc(&map->refcnt);
-+	if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
-+		atomic_dec(&map->refcnt);
-+		return ERR_PTR(-EBUSY);
-+	}
- 	if (uref)
- 		atomic_inc(&map->usercnt);
-+	return map;
- }
- 
- struct bpf_map *bpf_map_get_with_uref(u32 ufd)
-@@ -234,7 +241,7 @@ struct bpf_map *bpf_map_get_with_uref(u3
- 	if (IS_ERR(map))
- 		return map;
- 
--	bpf_map_inc(map, true);
-+	map = bpf_map_inc(map, true);
- 	fdput(f);
- 
- 	return map;
-@@ -658,6 +665,15 @@ static struct bpf_prog *__bpf_prog_get(s
- 	return f.file->private_data;
- }
- 
-+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
-+{
-+	if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
-+		atomic_dec(&prog->aux->refcnt);
-+		return ERR_PTR(-EBUSY);
-+	}
-+	return prog;
-+}
-+
- /* called by sockets/tracing/seccomp before attaching program to an event
-  * pairs with bpf_prog_put()
-  */
-@@ -670,7 +686,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
- 	if (IS_ERR(prog))
- 		return prog;
- 
--	atomic_inc(&prog->aux->refcnt);
-+	prog = bpf_prog_inc(prog);
- 	fdput(f);
- 
- 	return prog;
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2049,15 +2049,18 @@ static int replace_map_fd_with_map_ptr(s
- 				return -E2BIG;
- 			}
- 
--			/* remember this map */
--			env->used_maps[env->used_map_cnt++] = map;
--
- 			/* hold the map. If the program is rejected by verifier,
- 			 * the map will be released by release_maps() or it
- 			 * will be used by the valid program until it's unloaded
- 			 * and all maps are released in free_bpf_prog_info()
- 			 */
--			bpf_map_inc(map, false);
-+			map = bpf_map_inc(map, false);
-+			if (IS_ERR(map)) {
-+				fdput(f);
-+				return PTR_ERR(map);
-+			}
-+			env->used_maps[env->used_map_cnt++] = map;
-+
- 			fdput(f);
- next_insn:
- 			insn++;
diff --git a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch b/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch
deleted file mode 100644
index 56b97f29df56..000000000000
--- a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Date: Thu, 14 Apr 2016 20:14:41 +0200
-Subject: sparc: Implement and wire up modalias_show for vio.
-Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/sparc.git/commit?id=36128d204b81c099b5779771127a5546eac549c9
-Bug-Debian: https://bugs.debian.org/815977
-
-Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Acked-by: Sam Ravnborg <sam@ravnborg.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- arch/sparc/kernel/vio.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/arch/sparc/kernel/vio.c b/arch/sparc/kernel/vio.c
-index cb5789c9f961..d7055609a41c 100644
---- a/arch/sparc/kernel/vio.c
-+++ b/arch/sparc/kernel/vio.c
-@@ -105,9 +105,18 @@ static ssize_t type_show(struct device *dev,
- 	return sprintf(buf, "%s\n", vdev->type);
- }
- 
-+static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
-+			     char *buf)
-+{
-+	const struct vio_dev *vdev = to_vio_dev(dev);
-+
-+	return sprintf(buf, "vio:T%sS%s\n", vdev->type, vdev->compat);
-+}
-+
- static struct device_attribute vio_dev_attrs[] = {
- 	__ATTR_RO(devspec),
- 	__ATTR_RO(type),
-+	__ATTR_RO(modalias),
- 	__ATTR_NULL
- };
- 
diff --git a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch b/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch
deleted file mode 100644
index 3c276bd74dad..000000000000
--- a/debian/patches/bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Date: Thu, 14 Apr 2016 20:14:42 +0200
-Subject: sparc: Implement and wire up vio_hotplug for vio.
-Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/sparc.git/commit?id=5bde2c9be701c4583f0a9243bd46590ec401bfba
-Bug-Debian: https://bugs.debian.org/815977
-
-Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Acked-by: Sam Ravnborg <sam@ravnborg.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- arch/sparc/kernel/vio.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/arch/sparc/kernel/vio.c b/arch/sparc/kernel/vio.c
-index d7055609a41c..f6bb857254fc 100644
---- a/arch/sparc/kernel/vio.c
-+++ b/arch/sparc/kernel/vio.c
-@@ -45,6 +45,14 @@ static const struct vio_device_id *vio_match_device(
- 	return NULL;
- }
- 
-+static int vio_hotplug(struct device *dev, struct kobj_uevent_env *env)
-+{
-+	const struct vio_dev *vio_dev = to_vio_dev(dev);
-+
-+	add_uevent_var(env, "MODALIAS=vio:T%sS%s", vio_dev->type, vio_dev->compat);
-+	return 0;
-+}
-+
- static int vio_bus_match(struct device *dev, struct device_driver *drv)
- {
- 	struct vio_dev *vio_dev = to_vio_dev(dev);
-@@ -123,6 +131,7 @@ static struct device_attribute vio_dev_attrs[] = {
- static struct bus_type vio_bus_type = {
- 	.name		= "vio",
- 	.dev_attrs	= vio_dev_attrs,
-+	.uevent         = vio_hotplug,
- 	.match		= vio_bus_match,
- 	.probe		= vio_device_probe,
- 	.remove		= vio_device_remove,
diff --git a/debian/patches/series b/debian/patches/series
index 9f7645bb3f7c..5d311b0ba838 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,8 +45,6 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
 
 # Arch bug fixes
 bugfix/mips/MIPS-Allow-emulation-for-unaligned-LSDXC1-instructions.patch
-bugfix/sparc/sparc-implement-and-wire-up-modalias_show-for-vio.patch
-bugfix/sparc/sparc-implement-and-wire-up-vio_hotplug-for-vio.patch
 bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch
 bugfix/powerpc/powerpc-fix-sstep-compile-on-powerpcspe.patch
 
@@ -99,8 +97,6 @@ features/all/securelevel/enable-cold-boot-attack-mitigation.patch
 # Security fixes
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/bpf-fix-refcnt-overflow.patch
-bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
 
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch