1 |
commit: 9288fa6d94a9020316950d84f455e3e52c9b7d5a |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Jan 10 11:47:11 2018 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Jan 10 11:47:11 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9288fa6d |
7 |
|
8 |
Linux patch 4.9.76 |
9 |
|
10 |
0000_README | 4 + |
11 |
1075_linux-4.9.76.patch | 787 ++++++++++++++++++++++++++++++++++++++++++++++++ |
12 |
2 files changed, 791 insertions(+) |
13 |
|
14 |
diff --git a/0000_README b/0000_README |
15 |
index 50f031f..f7c3cd9 100644 |
16 |
--- a/0000_README |
17 |
+++ b/0000_README |
18 |
@@ -343,6 +343,10 @@ Patch: 1074_linux-4.9.75.patch |
19 |
From: http://www.kernel.org |
20 |
Desc: Linux 4.9.75 |
21 |
|
22 |
+Patch: 1075_linux-4.9.76.patch |
23 |
+From: http://www.kernel.org |
24 |
+Desc: Linux 4.9.76 |
25 |
+ |
26 |
Patch: 1500_XATTR_USER_PREFIX.patch |
27 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
28 |
Desc: Support for namespace user.pax.* on tmpfs. |
29 |
|
30 |
diff --git a/1075_linux-4.9.76.patch b/1075_linux-4.9.76.patch |
31 |
new file mode 100644 |
32 |
index 0000000..ea4d1dd |
33 |
--- /dev/null |
34 |
+++ b/1075_linux-4.9.76.patch |
35 |
@@ -0,0 +1,787 @@ |
36 |
+diff --git a/Makefile b/Makefile |
37 |
+index acbc1b032db2..2637f0ed0a07 100644 |
38 |
+--- a/Makefile |
39 |
++++ b/Makefile |
40 |
+@@ -1,6 +1,6 @@ |
41 |
+ VERSION = 4 |
42 |
+ PATCHLEVEL = 9 |
43 |
+-SUBLEVEL = 75 |
44 |
++SUBLEVEL = 76 |
45 |
+ EXTRAVERSION = |
46 |
+ NAME = Roaring Lionus |
47 |
+ |
48 |
+diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h |
49 |
+index 41faf17cd28d..0684fd2f42e8 100644 |
50 |
+--- a/arch/arc/include/asm/uaccess.h |
51 |
++++ b/arch/arc/include/asm/uaccess.h |
52 |
+@@ -673,6 +673,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) |
53 |
+ return 0; |
54 |
+ |
55 |
+ __asm__ __volatile__( |
56 |
++ " mov lp_count, %5 \n" |
57 |
+ " lp 3f \n" |
58 |
+ "1: ldb.ab %3, [%2, 1] \n" |
59 |
+ " breq.d %3, 0, 3f \n" |
60 |
+@@ -689,8 +690,8 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) |
61 |
+ " .word 1b, 4b \n" |
62 |
+ " .previous \n" |
63 |
+ : "+r"(res), "+r"(dst), "+r"(src), "=r"(val) |
64 |
+- : "g"(-EFAULT), "l"(count) |
65 |
+- : "memory"); |
66 |
++ : "g"(-EFAULT), "r"(count) |
67 |
++ : "lp_count", "lp_start", "lp_end", "memory"); |
68 |
+ |
69 |
+ return res; |
70 |
+ } |
71 |
+diff --git a/arch/parisc/include/asm/ldcw.h b/arch/parisc/include/asm/ldcw.h |
72 |
+index 8be707e1b6c7..82dea145574e 100644 |
73 |
+--- a/arch/parisc/include/asm/ldcw.h |
74 |
++++ b/arch/parisc/include/asm/ldcw.h |
75 |
+@@ -11,6 +11,7 @@ |
76 |
+ for the semaphore. */ |
77 |
+ |
78 |
+ #define __PA_LDCW_ALIGNMENT 16 |
79 |
++#define __PA_LDCW_ALIGN_ORDER 4 |
80 |
+ #define __ldcw_align(a) ({ \ |
81 |
+ unsigned long __ret = (unsigned long) &(a)->lock[0]; \ |
82 |
+ __ret = (__ret + __PA_LDCW_ALIGNMENT - 1) \ |
83 |
+@@ -28,6 +29,7 @@ |
84 |
+ ldcd). */ |
85 |
+ |
86 |
+ #define __PA_LDCW_ALIGNMENT 4 |
87 |
++#define __PA_LDCW_ALIGN_ORDER 2 |
88 |
+ #define __ldcw_align(a) (&(a)->slock) |
89 |
+ #define __LDCW "ldcw,co" |
90 |
+ |
91 |
+diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S |
92 |
+index 4fcff2dcc9c3..e3d3e8e1d708 100644 |
93 |
+--- a/arch/parisc/kernel/entry.S |
94 |
++++ b/arch/parisc/kernel/entry.S |
95 |
+@@ -35,6 +35,7 @@ |
96 |
+ #include <asm/pgtable.h> |
97 |
+ #include <asm/signal.h> |
98 |
+ #include <asm/unistd.h> |
99 |
++#include <asm/ldcw.h> |
100 |
+ #include <asm/thread_info.h> |
101 |
+ |
102 |
+ #include <linux/linkage.h> |
103 |
+@@ -46,6 +47,14 @@ |
104 |
+ #endif |
105 |
+ |
106 |
+ .import pa_tlb_lock,data |
107 |
++ .macro load_pa_tlb_lock reg |
108 |
++#if __PA_LDCW_ALIGNMENT > 4 |
109 |
++ load32 PA(pa_tlb_lock) + __PA_LDCW_ALIGNMENT-1, \reg |
110 |
++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \reg |
111 |
++#else |
112 |
++ load32 PA(pa_tlb_lock), \reg |
113 |
++#endif |
114 |
++ .endm |
115 |
+ |
116 |
+ /* space_to_prot macro creates a prot id from a space id */ |
117 |
+ |
118 |
+@@ -457,7 +466,7 @@ |
119 |
+ .macro tlb_lock spc,ptp,pte,tmp,tmp1,fault |
120 |
+ #ifdef CONFIG_SMP |
121 |
+ cmpib,COND(=),n 0,\spc,2f |
122 |
+- load32 PA(pa_tlb_lock),\tmp |
123 |
++ load_pa_tlb_lock \tmp |
124 |
+ 1: LDCW 0(\tmp),\tmp1 |
125 |
+ cmpib,COND(=) 0,\tmp1,1b |
126 |
+ nop |
127 |
+@@ -480,7 +489,7 @@ |
128 |
+ /* Release pa_tlb_lock lock. */ |
129 |
+ .macro tlb_unlock1 spc,tmp |
130 |
+ #ifdef CONFIG_SMP |
131 |
+- load32 PA(pa_tlb_lock),\tmp |
132 |
++ load_pa_tlb_lock \tmp |
133 |
+ tlb_unlock0 \spc,\tmp |
134 |
+ #endif |
135 |
+ .endm |
136 |
+diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S |
137 |
+index adf7187f8951..2d40c4ff3f69 100644 |
138 |
+--- a/arch/parisc/kernel/pacache.S |
139 |
++++ b/arch/parisc/kernel/pacache.S |
140 |
+@@ -36,6 +36,7 @@ |
141 |
+ #include <asm/assembly.h> |
142 |
+ #include <asm/pgtable.h> |
143 |
+ #include <asm/cache.h> |
144 |
++#include <asm/ldcw.h> |
145 |
+ #include <linux/linkage.h> |
146 |
+ |
147 |
+ .text |
148 |
+@@ -333,8 +334,12 @@ ENDPROC_CFI(flush_data_cache_local) |
149 |
+ |
150 |
+ .macro tlb_lock la,flags,tmp |
151 |
+ #ifdef CONFIG_SMP |
152 |
+- ldil L%pa_tlb_lock,%r1 |
153 |
+- ldo R%pa_tlb_lock(%r1),\la |
154 |
++#if __PA_LDCW_ALIGNMENT > 4 |
155 |
++ load32 pa_tlb_lock + __PA_LDCW_ALIGNMENT-1, \la |
156 |
++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \la |
157 |
++#else |
158 |
++ load32 pa_tlb_lock, \la |
159 |
++#endif |
160 |
+ rsm PSW_SM_I,\flags |
161 |
+ 1: LDCW 0(\la),\tmp |
162 |
+ cmpib,<>,n 0,\tmp,3f |
163 |
+diff --git a/arch/parisc/kernel/process.c b/arch/parisc/kernel/process.c |
164 |
+index 7593787ed4c3..c3a532abac03 100644 |
165 |
+--- a/arch/parisc/kernel/process.c |
166 |
++++ b/arch/parisc/kernel/process.c |
167 |
+@@ -39,6 +39,7 @@ |
168 |
+ #include <linux/kernel.h> |
169 |
+ #include <linux/mm.h> |
170 |
+ #include <linux/fs.h> |
171 |
++#include <linux/cpu.h> |
172 |
+ #include <linux/module.h> |
173 |
+ #include <linux/personality.h> |
174 |
+ #include <linux/ptrace.h> |
175 |
+@@ -180,6 +181,44 @@ int dump_task_fpu (struct task_struct *tsk, elf_fpregset_t *r) |
176 |
+ return 1; |
177 |
+ } |
178 |
+ |
179 |
++/* |
180 |
++ * Idle thread support |
181 |
++ * |
182 |
++ * Detect when running on QEMU with SeaBIOS PDC Firmware and let |
183 |
++ * QEMU idle the host too. |
184 |
++ */ |
185 |
++ |
186 |
++int running_on_qemu __read_mostly; |
187 |
++ |
188 |
++void __cpuidle arch_cpu_idle_dead(void) |
189 |
++{ |
190 |
++ /* nop on real hardware, qemu will offline CPU. */ |
191 |
++ asm volatile("or %%r31,%%r31,%%r31\n":::); |
192 |
++} |
193 |
++ |
194 |
++void __cpuidle arch_cpu_idle(void) |
195 |
++{ |
196 |
++ local_irq_enable(); |
197 |
++ |
198 |
++ /* nop on real hardware, qemu will idle sleep. */ |
199 |
++ asm volatile("or %%r10,%%r10,%%r10\n":::); |
200 |
++} |
201 |
++ |
202 |
++static int __init parisc_idle_init(void) |
203 |
++{ |
204 |
++ const char *marker; |
205 |
++ |
206 |
++ /* check QEMU/SeaBIOS marker in PAGE0 */ |
207 |
++ marker = (char *) &PAGE0->pad0; |
208 |
++ running_on_qemu = (memcmp(marker, "SeaBIOS", 8) == 0); |
209 |
++ |
210 |
++ if (!running_on_qemu) |
211 |
++ cpu_idle_poll_ctrl(1); |
212 |
++ |
213 |
++ return 0; |
214 |
++} |
215 |
++arch_initcall(parisc_idle_init); |
216 |
++ |
217 |
+ /* |
218 |
+ * Copy architecture-specific thread state |
219 |
+ */ |
220 |
+diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c |
221 |
+index 0f9cd90c11af..f06a9a0063f1 100644 |
222 |
+--- a/arch/s390/kernel/compat_linux.c |
223 |
++++ b/arch/s390/kernel/compat_linux.c |
224 |
+@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16, int, gidsetsize, u16 __user *, grouplis |
225 |
+ return retval; |
226 |
+ } |
227 |
+ |
228 |
++ groups_sort(group_info); |
229 |
+ retval = set_current_groups(group_info); |
230 |
+ put_group_info(group_info); |
231 |
+ |
232 |
+diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c |
233 |
+index 636c4b341f36..6bb7e92c6d50 100644 |
234 |
+--- a/arch/x86/entry/vsyscall/vsyscall_64.c |
235 |
++++ b/arch/x86/entry/vsyscall/vsyscall_64.c |
236 |
+@@ -66,6 +66,11 @@ static int __init vsyscall_setup(char *str) |
237 |
+ } |
238 |
+ early_param("vsyscall", vsyscall_setup); |
239 |
+ |
240 |
++bool vsyscall_enabled(void) |
241 |
++{ |
242 |
++ return vsyscall_mode != NONE; |
243 |
++} |
244 |
++ |
245 |
+ static void warn_bad_vsyscall(const char *level, struct pt_regs *regs, |
246 |
+ const char *message) |
247 |
+ { |
248 |
+diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h |
249 |
+index 6ba66ee79710..4865e10dbb55 100644 |
250 |
+--- a/arch/x86/include/asm/vsyscall.h |
251 |
++++ b/arch/x86/include/asm/vsyscall.h |
252 |
+@@ -12,12 +12,14 @@ extern void map_vsyscall(void); |
253 |
+ * Returns true if handled. |
254 |
+ */ |
255 |
+ extern bool emulate_vsyscall(struct pt_regs *regs, unsigned long address); |
256 |
++extern bool vsyscall_enabled(void); |
257 |
+ #else |
258 |
+ static inline void map_vsyscall(void) {} |
259 |
+ static inline bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) |
260 |
+ { |
261 |
+ return false; |
262 |
+ } |
263 |
++static inline bool vsyscall_enabled(void) { return false; } |
264 |
+ #endif |
265 |
+ |
266 |
+ #endif /* _ASM_X86_VSYSCALL_H */ |
267 |
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c |
268 |
+index 017bda12caae..b74bb29db6b9 100644 |
269 |
+--- a/arch/x86/kernel/cpu/microcode/amd.c |
270 |
++++ b/arch/x86/kernel/cpu/microcode/amd.c |
271 |
+@@ -592,6 +592,7 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size, |
272 |
+ #define F14H_MPB_MAX_SIZE 1824 |
273 |
+ #define F15H_MPB_MAX_SIZE 4096 |
274 |
+ #define F16H_MPB_MAX_SIZE 3458 |
275 |
++#define F17H_MPB_MAX_SIZE 3200 |
276 |
+ |
277 |
+ switch (family) { |
278 |
+ case 0x14: |
279 |
+@@ -603,6 +604,9 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size, |
280 |
+ case 0x16: |
281 |
+ max_size = F16H_MPB_MAX_SIZE; |
282 |
+ break; |
283 |
++ case 0x17: |
284 |
++ max_size = F17H_MPB_MAX_SIZE; |
285 |
++ break; |
286 |
+ default: |
287 |
+ max_size = F1XH_MPB_MAX_SIZE; |
288 |
+ break; |
289 |
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c |
290 |
+index 1e779bca4f3e..f92bdb9f4e46 100644 |
291 |
+--- a/arch/x86/mm/init.c |
292 |
++++ b/arch/x86/mm/init.c |
293 |
+@@ -768,7 +768,7 @@ DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate) = { |
294 |
+ .state = 0, |
295 |
+ .cr4 = ~0UL, /* fail hard if we screw up cr4 shadow initialization */ |
296 |
+ }; |
297 |
+-EXPORT_SYMBOL_GPL(cpu_tlbstate); |
298 |
++EXPORT_PER_CPU_SYMBOL(cpu_tlbstate); |
299 |
+ |
300 |
+ void update_cache_mode_entry(unsigned entry, enum page_cache_mode cache) |
301 |
+ { |
302 |
+diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c |
303 |
+index d8376b4ad9f0..8f8e5e03d083 100644 |
304 |
+--- a/arch/x86/mm/kaiser.c |
305 |
++++ b/arch/x86/mm/kaiser.c |
306 |
+@@ -19,6 +19,7 @@ |
307 |
+ #include <asm/pgalloc.h> |
308 |
+ #include <asm/desc.h> |
309 |
+ #include <asm/cmdline.h> |
310 |
++#include <asm/vsyscall.h> |
311 |
+ |
312 |
+ int kaiser_enabled __read_mostly = 1; |
313 |
+ EXPORT_SYMBOL(kaiser_enabled); /* for inlined TLB flush functions */ |
314 |
+@@ -110,12 +111,13 @@ static inline unsigned long get_pa_from_mapping(unsigned long vaddr) |
315 |
+ * |
316 |
+ * Returns a pointer to a PTE on success, or NULL on failure. |
317 |
+ */ |
318 |
+-static pte_t *kaiser_pagetable_walk(unsigned long address) |
319 |
++static pte_t *kaiser_pagetable_walk(unsigned long address, bool user) |
320 |
+ { |
321 |
+ pmd_t *pmd; |
322 |
+ pud_t *pud; |
323 |
+ pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(address)); |
324 |
+ gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO); |
325 |
++ unsigned long prot = _KERNPG_TABLE; |
326 |
+ |
327 |
+ if (pgd_none(*pgd)) { |
328 |
+ WARN_ONCE(1, "All shadow pgds should have been populated"); |
329 |
+@@ -123,6 +125,17 @@ static pte_t *kaiser_pagetable_walk(unsigned long address) |
330 |
+ } |
331 |
+ BUILD_BUG_ON(pgd_large(*pgd) != 0); |
332 |
+ |
333 |
++ if (user) { |
334 |
++ /* |
335 |
++ * The vsyscall page is the only page that will have |
336 |
++ * _PAGE_USER set. Catch everything else. |
337 |
++ */ |
338 |
++ BUG_ON(address != VSYSCALL_ADDR); |
339 |
++ |
340 |
++ set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER)); |
341 |
++ prot = _PAGE_TABLE; |
342 |
++ } |
343 |
++ |
344 |
+ pud = pud_offset(pgd, address); |
345 |
+ /* The shadow page tables do not use large mappings: */ |
346 |
+ if (pud_large(*pud)) { |
347 |
+@@ -135,7 +148,7 @@ static pte_t *kaiser_pagetable_walk(unsigned long address) |
348 |
+ return NULL; |
349 |
+ spin_lock(&shadow_table_allocation_lock); |
350 |
+ if (pud_none(*pud)) { |
351 |
+- set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page))); |
352 |
++ set_pud(pud, __pud(prot | __pa(new_pmd_page))); |
353 |
+ __inc_zone_page_state(virt_to_page((void *) |
354 |
+ new_pmd_page), NR_KAISERTABLE); |
355 |
+ } else |
356 |
+@@ -155,7 +168,7 @@ static pte_t *kaiser_pagetable_walk(unsigned long address) |
357 |
+ return NULL; |
358 |
+ spin_lock(&shadow_table_allocation_lock); |
359 |
+ if (pmd_none(*pmd)) { |
360 |
+- set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page))); |
361 |
++ set_pmd(pmd, __pmd(prot | __pa(new_pte_page))); |
362 |
+ __inc_zone_page_state(virt_to_page((void *) |
363 |
+ new_pte_page), NR_KAISERTABLE); |
364 |
+ } else |
365 |
+@@ -191,7 +204,7 @@ static int kaiser_add_user_map(const void *__start_addr, unsigned long size, |
366 |
+ ret = -EIO; |
367 |
+ break; |
368 |
+ } |
369 |
+- pte = kaiser_pagetable_walk(address); |
370 |
++ pte = kaiser_pagetable_walk(address, flags & _PAGE_USER); |
371 |
+ if (!pte) { |
372 |
+ ret = -ENOMEM; |
373 |
+ break; |
374 |
+@@ -318,6 +331,19 @@ void __init kaiser_init(void) |
375 |
+ |
376 |
+ kaiser_init_all_pgds(); |
377 |
+ |
378 |
++ /* |
379 |
++ * Note that this sets _PAGE_USER and it needs to happen when the |
380 |
++ * pagetable hierarchy gets created, i.e., early. Otherwise |
381 |
++ * kaiser_pagetable_walk() will encounter initialized PTEs in the |
382 |
++ * hierarchy and not set the proper permissions, leading to the |
383 |
++ * pagefaults with page-protection violations when trying to read the |
384 |
++ * vsyscall page. For example. |
385 |
++ */ |
386 |
++ if (vsyscall_enabled()) |
387 |
++ kaiser_add_user_map_early((void *)VSYSCALL_ADDR, |
388 |
++ PAGE_SIZE, |
389 |
++ __PAGE_KERNEL_VSYSCALL); |
390 |
++ |
391 |
+ for_each_possible_cpu(cpu) { |
392 |
+ void *percpu_vaddr = __per_cpu_user_mapped_start + |
393 |
+ per_cpu_offset(cpu); |
394 |
+diff --git a/crypto/chacha20poly1305.c b/crypto/chacha20poly1305.c |
395 |
+index e899ef51dc8e..cb1c3a3287b0 100644 |
396 |
+--- a/crypto/chacha20poly1305.c |
397 |
++++ b/crypto/chacha20poly1305.c |
398 |
+@@ -610,6 +610,11 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb, |
399 |
+ algt->mask)); |
400 |
+ if (IS_ERR(poly)) |
401 |
+ return PTR_ERR(poly); |
402 |
++ poly_hash = __crypto_hash_alg_common(poly); |
403 |
++ |
404 |
++ err = -EINVAL; |
405 |
++ if (poly_hash->digestsize != POLY1305_DIGEST_SIZE) |
406 |
++ goto out_put_poly; |
407 |
+ |
408 |
+ err = -ENOMEM; |
409 |
+ inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); |
410 |
+@@ -618,7 +623,6 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb, |
411 |
+ |
412 |
+ ctx = aead_instance_ctx(inst); |
413 |
+ ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize; |
414 |
+- poly_hash = __crypto_hash_alg_common(poly); |
415 |
+ err = crypto_init_ahash_spawn(&ctx->poly, poly_hash, |
416 |
+ aead_crypto_instance(inst)); |
417 |
+ if (err) |
418 |
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c |
419 |
+index ee9cfb99fe25..f8ec3d4ba4a8 100644 |
420 |
+--- a/crypto/pcrypt.c |
421 |
++++ b/crypto/pcrypt.c |
422 |
+@@ -254,6 +254,14 @@ static void pcrypt_aead_exit_tfm(struct crypto_aead *tfm) |
423 |
+ crypto_free_aead(ctx->child); |
424 |
+ } |
425 |
+ |
426 |
++static void pcrypt_free(struct aead_instance *inst) |
427 |
++{ |
428 |
++ struct pcrypt_instance_ctx *ctx = aead_instance_ctx(inst); |
429 |
++ |
430 |
++ crypto_drop_aead(&ctx->spawn); |
431 |
++ kfree(inst); |
432 |
++} |
433 |
++ |
434 |
+ static int pcrypt_init_instance(struct crypto_instance *inst, |
435 |
+ struct crypto_alg *alg) |
436 |
+ { |
437 |
+@@ -319,6 +327,8 @@ static int pcrypt_create_aead(struct crypto_template *tmpl, struct rtattr **tb, |
438 |
+ inst->alg.encrypt = pcrypt_aead_encrypt; |
439 |
+ inst->alg.decrypt = pcrypt_aead_decrypt; |
440 |
+ |
441 |
++ inst->free = pcrypt_free; |
442 |
++ |
443 |
+ err = aead_register_instance(tmpl, inst); |
444 |
+ if (err) |
445 |
+ goto out_drop_aead; |
446 |
+@@ -349,14 +359,6 @@ static int pcrypt_create(struct crypto_template *tmpl, struct rtattr **tb) |
447 |
+ return -EINVAL; |
448 |
+ } |
449 |
+ |
450 |
+-static void pcrypt_free(struct crypto_instance *inst) |
451 |
+-{ |
452 |
+- struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst); |
453 |
+- |
454 |
+- crypto_drop_aead(&ctx->spawn); |
455 |
+- kfree(inst); |
456 |
+-} |
457 |
+- |
458 |
+ static int pcrypt_cpumask_change_notify(struct notifier_block *self, |
459 |
+ unsigned long val, void *data) |
460 |
+ { |
461 |
+@@ -469,7 +471,6 @@ static void pcrypt_fini_padata(struct padata_pcrypt *pcrypt) |
462 |
+ static struct crypto_template pcrypt_tmpl = { |
463 |
+ .name = "pcrypt", |
464 |
+ .create = pcrypt_create, |
465 |
+- .free = pcrypt_free, |
466 |
+ .module = THIS_MODULE, |
467 |
+ }; |
468 |
+ |
469 |
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c |
470 |
+index 7d506cb73e54..4d30da269060 100644 |
471 |
+--- a/drivers/block/nbd.c |
472 |
++++ b/drivers/block/nbd.c |
473 |
+@@ -272,6 +272,7 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd) |
474 |
+ int result, flags; |
475 |
+ struct nbd_request request; |
476 |
+ unsigned long size = blk_rq_bytes(req); |
477 |
++ struct bio *bio; |
478 |
+ u32 type; |
479 |
+ |
480 |
+ if (req->cmd_type == REQ_TYPE_DRV_PRIV) |
481 |
+@@ -305,16 +306,20 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd) |
482 |
+ return -EIO; |
483 |
+ } |
484 |
+ |
485 |
+- if (type == NBD_CMD_WRITE) { |
486 |
+- struct req_iterator iter; |
487 |
++ if (type != NBD_CMD_WRITE) |
488 |
++ return 0; |
489 |
++ |
490 |
++ flags = 0; |
491 |
++ bio = req->bio; |
492 |
++ while (bio) { |
493 |
++ struct bio *next = bio->bi_next; |
494 |
++ struct bvec_iter iter; |
495 |
+ struct bio_vec bvec; |
496 |
+- /* |
497 |
+- * we are really probing at internals to determine |
498 |
+- * whether to set MSG_MORE or not... |
499 |
+- */ |
500 |
+- rq_for_each_segment(bvec, req, iter) { |
501 |
+- flags = 0; |
502 |
+- if (!rq_iter_last(bvec, iter)) |
503 |
++ |
504 |
++ bio_for_each_segment(bvec, bio, iter) { |
505 |
++ bool is_last = !next && bio_iter_last(bvec, iter); |
506 |
++ |
507 |
++ if (is_last) |
508 |
+ flags = MSG_MORE; |
509 |
+ dev_dbg(nbd_to_dev(nbd), "request %p: sending %d bytes data\n", |
510 |
+ cmd, bvec.bv_len); |
511 |
+@@ -325,7 +330,16 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd) |
512 |
+ result); |
513 |
+ return -EIO; |
514 |
+ } |
515 |
++ /* |
516 |
++ * The completion might already have come in, |
517 |
++ * so break for the last one instead of letting |
518 |
++ * the iterator do it. This prevents use-after-free |
519 |
++ * of the bio. |
520 |
++ */ |
521 |
++ if (is_last) |
522 |
++ break; |
523 |
+ } |
524 |
++ bio = next; |
525 |
+ } |
526 |
+ return 0; |
527 |
+ } |
528 |
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c |
529 |
+index 795c9d9c96a6..2051d926e303 100644 |
530 |
+--- a/drivers/bus/sunxi-rsb.c |
531 |
++++ b/drivers/bus/sunxi-rsb.c |
532 |
+@@ -178,6 +178,7 @@ static struct bus_type sunxi_rsb_bus = { |
533 |
+ .match = sunxi_rsb_device_match, |
534 |
+ .probe = sunxi_rsb_device_probe, |
535 |
+ .remove = sunxi_rsb_device_remove, |
536 |
++ .uevent = of_device_uevent_modalias, |
537 |
+ }; |
538 |
+ |
539 |
+ static void sunxi_rsb_dev_release(struct device *dev) |
540 |
+diff --git a/drivers/crypto/n2_core.c b/drivers/crypto/n2_core.c |
541 |
+index c5aac25a5738..b365ad78ac27 100644 |
542 |
+--- a/drivers/crypto/n2_core.c |
543 |
++++ b/drivers/crypto/n2_core.c |
544 |
+@@ -1620,6 +1620,7 @@ static int queue_cache_init(void) |
545 |
+ CWQ_ENTRY_SIZE, 0, NULL); |
546 |
+ if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) { |
547 |
+ kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]); |
548 |
++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL; |
549 |
+ return -ENOMEM; |
550 |
+ } |
551 |
+ return 0; |
552 |
+@@ -1629,6 +1630,8 @@ static void queue_cache_destroy(void) |
553 |
+ { |
554 |
+ kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]); |
555 |
+ kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]); |
556 |
++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL; |
557 |
++ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL; |
558 |
+ } |
559 |
+ |
560 |
+ static int spu_queue_register(struct spu_queue *p, unsigned long q_type) |
561 |
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c |
562 |
+index cd834da5934a..59603a5728f7 100644 |
563 |
+--- a/drivers/input/mouse/elantech.c |
564 |
++++ b/drivers/input/mouse/elantech.c |
565 |
+@@ -1609,7 +1609,7 @@ static int elantech_set_properties(struct elantech_data *etd) |
566 |
+ case 5: |
567 |
+ etd->hw_version = 3; |
568 |
+ break; |
569 |
+- case 6 ... 14: |
570 |
++ case 6 ... 15: |
571 |
+ etd->hw_version = 4; |
572 |
+ break; |
573 |
+ default: |
574 |
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c |
575 |
+index d3d975ae24b7..7f294f785ce6 100644 |
576 |
+--- a/drivers/iommu/arm-smmu-v3.c |
577 |
++++ b/drivers/iommu/arm-smmu-v3.c |
578 |
+@@ -1547,13 +1547,15 @@ static int arm_smmu_domain_finalise(struct iommu_domain *domain) |
579 |
+ domain->pgsize_bitmap = pgtbl_cfg.pgsize_bitmap; |
580 |
+ domain->geometry.aperture_end = (1UL << ias) - 1; |
581 |
+ domain->geometry.force_aperture = true; |
582 |
+- smmu_domain->pgtbl_ops = pgtbl_ops; |
583 |
+ |
584 |
+ ret = finalise_stage_fn(smmu_domain, &pgtbl_cfg); |
585 |
+- if (ret < 0) |
586 |
++ if (ret < 0) { |
587 |
+ free_io_pgtable_ops(pgtbl_ops); |
588 |
++ return ret; |
589 |
++ } |
590 |
+ |
591 |
+- return ret; |
592 |
++ smmu_domain->pgtbl_ops = pgtbl_ops; |
593 |
++ return 0; |
594 |
+ } |
595 |
+ |
596 |
+ static __le64 *arm_smmu_get_step_for_sid(struct arm_smmu_device *smmu, u32 sid) |
597 |
+@@ -1580,7 +1582,7 @@ static __le64 *arm_smmu_get_step_for_sid(struct arm_smmu_device *smmu, u32 sid) |
598 |
+ |
599 |
+ static int arm_smmu_install_ste_for_dev(struct iommu_fwspec *fwspec) |
600 |
+ { |
601 |
+- int i; |
602 |
++ int i, j; |
603 |
+ struct arm_smmu_master_data *master = fwspec->iommu_priv; |
604 |
+ struct arm_smmu_device *smmu = master->smmu; |
605 |
+ |
606 |
+@@ -1588,6 +1590,13 @@ static int arm_smmu_install_ste_for_dev(struct iommu_fwspec *fwspec) |
607 |
+ u32 sid = fwspec->ids[i]; |
608 |
+ __le64 *step = arm_smmu_get_step_for_sid(smmu, sid); |
609 |
+ |
610 |
++ /* Bridged PCI devices may end up with duplicated IDs */ |
611 |
++ for (j = 0; j < i; j++) |
612 |
++ if (fwspec->ids[j] == sid) |
613 |
++ break; |
614 |
++ if (j < i) |
615 |
++ continue; |
616 |
++ |
617 |
+ arm_smmu_write_strtab_ent(smmu, sid, step, &master->ste); |
618 |
+ } |
619 |
+ |
620 |
+diff --git a/drivers/mtd/nand/pxa3xx_nand.c b/drivers/mtd/nand/pxa3xx_nand.c |
621 |
+index b121bf4ed73a..3b8911cd3a19 100644 |
622 |
+--- a/drivers/mtd/nand/pxa3xx_nand.c |
623 |
++++ b/drivers/mtd/nand/pxa3xx_nand.c |
624 |
+@@ -950,6 +950,7 @@ static void prepare_start_command(struct pxa3xx_nand_info *info, int command) |
625 |
+ |
626 |
+ switch (command) { |
627 |
+ case NAND_CMD_READ0: |
628 |
++ case NAND_CMD_READOOB: |
629 |
+ case NAND_CMD_PAGEPROG: |
630 |
+ info->use_ecc = 1; |
631 |
+ break; |
632 |
+diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c |
633 |
+index 62469c60be23..75f942ae5176 100644 |
634 |
+--- a/fs/nfsd/auth.c |
635 |
++++ b/fs/nfsd/auth.c |
636 |
+@@ -59,6 +59,9 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) |
637 |
+ gi->gid[i] = exp->ex_anon_gid; |
638 |
+ else |
639 |
+ gi->gid[i] = rqgi->gid[i]; |
640 |
++ |
641 |
++ /* Each thread allocates its own gi, no race */ |
642 |
++ groups_sort(gi); |
643 |
+ } |
644 |
+ } else { |
645 |
+ gi = get_group_info(rqgi); |
646 |
+diff --git a/include/linux/cred.h b/include/linux/cred.h |
647 |
+index f0e70a1bb3ac..cf1a5d0c4eb4 100644 |
648 |
+--- a/include/linux/cred.h |
649 |
++++ b/include/linux/cred.h |
650 |
+@@ -82,6 +82,7 @@ extern int set_current_groups(struct group_info *); |
651 |
+ extern void set_groups(struct cred *, struct group_info *); |
652 |
+ extern int groups_search(const struct group_info *, kgid_t); |
653 |
+ extern bool may_setgroups(void); |
654 |
++extern void groups_sort(struct group_info *); |
655 |
+ |
656 |
+ /* |
657 |
+ * The security context of a task |
658 |
+diff --git a/include/linux/fscache.h b/include/linux/fscache.h |
659 |
+index 115bb81912cc..94a8aae8f9e2 100644 |
660 |
+--- a/include/linux/fscache.h |
661 |
++++ b/include/linux/fscache.h |
662 |
+@@ -764,7 +764,7 @@ bool fscache_maybe_release_page(struct fscache_cookie *cookie, |
663 |
+ { |
664 |
+ if (fscache_cookie_valid(cookie) && PageFsCache(page)) |
665 |
+ return __fscache_maybe_release_page(cookie, page, gfp); |
666 |
+- return false; |
667 |
++ return true; |
668 |
+ } |
669 |
+ |
670 |
+ /** |
671 |
+diff --git a/kernel/acct.c b/kernel/acct.c |
672 |
+index 74963d192c5d..37f1dc696fbd 100644 |
673 |
+--- a/kernel/acct.c |
674 |
++++ b/kernel/acct.c |
675 |
+@@ -99,7 +99,7 @@ static int check_free_space(struct bsd_acct_struct *acct) |
676 |
+ { |
677 |
+ struct kstatfs sbuf; |
678 |
+ |
679 |
+- if (time_is_before_jiffies(acct->needcheck)) |
680 |
++ if (time_is_after_jiffies(acct->needcheck)) |
681 |
+ goto out; |
682 |
+ |
683 |
+ /* May block */ |
684 |
+diff --git a/kernel/groups.c b/kernel/groups.c |
685 |
+index 2fcadd66a8fd..94bde5210e3d 100644 |
686 |
+--- a/kernel/groups.c |
687 |
++++ b/kernel/groups.c |
688 |
+@@ -77,7 +77,7 @@ static int groups_from_user(struct group_info *group_info, |
689 |
+ } |
690 |
+ |
691 |
+ /* a simple Shell sort */ |
692 |
+-static void groups_sort(struct group_info *group_info) |
693 |
++void groups_sort(struct group_info *group_info) |
694 |
+ { |
695 |
+ int base, max, stride; |
696 |
+ int gidsetsize = group_info->ngroups; |
697 |
+@@ -103,6 +103,7 @@ static void groups_sort(struct group_info *group_info) |
698 |
+ stride /= 3; |
699 |
+ } |
700 |
+ } |
701 |
++EXPORT_SYMBOL(groups_sort); |
702 |
+ |
703 |
+ /* a simple bsearch */ |
704 |
+ int groups_search(const struct group_info *group_info, kgid_t grp) |
705 |
+@@ -134,7 +135,6 @@ int groups_search(const struct group_info *group_info, kgid_t grp) |
706 |
+ void set_groups(struct cred *new, struct group_info *group_info) |
707 |
+ { |
708 |
+ put_group_info(new->group_info); |
709 |
+- groups_sort(group_info); |
710 |
+ get_group_info(group_info); |
711 |
+ new->group_info = group_info; |
712 |
+ } |
713 |
+@@ -218,6 +218,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) |
714 |
+ return retval; |
715 |
+ } |
716 |
+ |
717 |
++ groups_sort(group_info); |
718 |
+ retval = set_current_groups(group_info); |
719 |
+ put_group_info(group_info); |
720 |
+ |
721 |
+diff --git a/kernel/signal.c b/kernel/signal.c |
722 |
+index e48668c3c972..7ebe236a5364 100644 |
723 |
+--- a/kernel/signal.c |
724 |
++++ b/kernel/signal.c |
725 |
+@@ -72,7 +72,7 @@ static int sig_task_ignored(struct task_struct *t, int sig, bool force) |
726 |
+ handler = sig_handler(t, sig); |
727 |
+ |
728 |
+ if (unlikely(t->signal->flags & SIGNAL_UNKILLABLE) && |
729 |
+- handler == SIG_DFL && !force) |
730 |
++ handler == SIG_DFL && !(force && sig_kernel_only(sig))) |
731 |
+ return 1; |
732 |
+ |
733 |
+ return sig_handler_ignored(handler, sig); |
734 |
+@@ -88,13 +88,15 @@ static int sig_ignored(struct task_struct *t, int sig, bool force) |
735 |
+ if (sigismember(&t->blocked, sig) || sigismember(&t->real_blocked, sig)) |
736 |
+ return 0; |
737 |
+ |
738 |
+- if (!sig_task_ignored(t, sig, force)) |
739 |
+- return 0; |
740 |
+- |
741 |
+ /* |
742 |
+- * Tracers may want to know about even ignored signals. |
743 |
++ * Tracers may want to know about even ignored signal unless it |
744 |
++ * is SIGKILL which can't be reported anyway but can be ignored |
745 |
++ * by SIGNAL_UNKILLABLE task. |
746 |
+ */ |
747 |
+- return !t->ptrace; |
748 |
++ if (t->ptrace && sig != SIGKILL) |
749 |
++ return 0; |
750 |
++ |
751 |
++ return sig_task_ignored(t, sig, force); |
752 |
+ } |
753 |
+ |
754 |
+ /* |
755 |
+@@ -917,9 +919,9 @@ static void complete_signal(int sig, struct task_struct *p, int group) |
756 |
+ * then start taking the whole group down immediately. |
757 |
+ */ |
758 |
+ if (sig_fatal(p, sig) && |
759 |
+- !(signal->flags & (SIGNAL_UNKILLABLE | SIGNAL_GROUP_EXIT)) && |
760 |
++ !(signal->flags & SIGNAL_GROUP_EXIT) && |
761 |
+ !sigismember(&t->real_blocked, sig) && |
762 |
+- (sig == SIGKILL || !t->ptrace)) { |
763 |
++ (sig == SIGKILL || !p->ptrace)) { |
764 |
+ /* |
765 |
+ * This signal will be fatal to the whole group. |
766 |
+ */ |
767 |
+diff --git a/kernel/uid16.c b/kernel/uid16.c |
768 |
+index cc40793464e3..dcffcce9d75e 100644 |
769 |
+--- a/kernel/uid16.c |
770 |
++++ b/kernel/uid16.c |
771 |
+@@ -190,6 +190,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist) |
772 |
+ return retval; |
773 |
+ } |
774 |
+ |
775 |
++ groups_sort(group_info); |
776 |
+ retval = set_current_groups(group_info); |
777 |
+ put_group_info(group_info); |
778 |
+ |
779 |
+diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c |
780 |
+index 25d9a9cf7b66..624c322af3ab 100644 |
781 |
+--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c |
782 |
++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c |
783 |
+@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, |
784 |
+ goto out_free_groups; |
785 |
+ creds->cr_group_info->gid[i] = kgid; |
786 |
+ } |
787 |
++ groups_sort(creds->cr_group_info); |
788 |
+ |
789 |
+ return 0; |
790 |
+ out_free_groups: |
791 |
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c |
792 |
+index 153082598522..6a08bc451247 100644 |
793 |
+--- a/net/sunrpc/auth_gss/svcauth_gss.c |
794 |
++++ b/net/sunrpc/auth_gss/svcauth_gss.c |
795 |
+@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail *cd, |
796 |
+ goto out; |
797 |
+ rsci.cred.cr_group_info->gid[i] = kgid; |
798 |
+ } |
799 |
++ groups_sort(rsci.cred.cr_group_info); |
800 |
+ |
801 |
+ /* mech name */ |
802 |
+ len = qword_get(&mesg, buf, mlen); |
803 |
+diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c |
804 |
+index 64af4f034de6..738a243c68a2 100644 |
805 |
+--- a/net/sunrpc/svcauth_unix.c |
806 |
++++ b/net/sunrpc/svcauth_unix.c |
807 |
+@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_detail *cd, |
808 |
+ ug.gi->gid[i] = kgid; |
809 |
+ } |
810 |
+ |
811 |
++ groups_sort(ug.gi); |
812 |
+ ugp = unix_gid_lookup(cd, uid); |
813 |
+ if (ugp) { |
814 |
+ struct cache_head *ch; |
815 |
+@@ -819,6 +820,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp) |
816 |
+ kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv)); |
817 |
+ cred->cr_group_info->gid[i] = kgid; |
818 |
+ } |
819 |
++ groups_sort(cred->cr_group_info); |
820 |
+ if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { |
821 |
+ *authp = rpc_autherr_badverf; |
822 |
+ return SVC_DENIED; |