author | Alexandre Oliva <lxoliva@fsfla.org> | 2016-03-03 15:57:00 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2016-03-03 15:57:00 +0000 |
commit | ad5f4c6482369f5b24130b39d0b919ab73c89694 (patch) | |
tree | 2d4b96ee14d4b924e3eb69f648a2675594b35491 /freed-ora/current | |
parent | 8e092be1d29b973d18345cf05a046e3ac8531526 (diff) | |
download | linux-libre-raptor-ad5f4c6482369f5b24130b39d0b919ab73c89694.tar.gz linux-libre-raptor-ad5f4c6482369f5b24130b39d0b919ab73c89694.zip |
4.4.3-300.fc23.gnu
Diffstat (limited to 'freed-ora/current')
11 files changed, 396 insertions, 254 deletions
diff --git a/freed-ora/current/f23/0001-Test-ata-fix.patch b/freed-ora/current/f23/0001-Test-ata-fix.patch
new file mode 100644
index 000000000..0ae2cf71e
--- /dev/null
+++ b/freed-ora/current/f23/0001-Test-ata-fix.patch
@@ -0,0 +1,27 @@
+From bb4d91481dd2122351866e500b46cff9399f579d Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@fedoraproject.org>
+Date: Thu, 25 Feb 2016 11:40:07 -0800
+Subject: [PATCH] Test ata fix
+
+Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
+---
+ drivers/ata/libahci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index 1f225cc..998c6a8 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1142,8 +1142,7 @@ static void ahci_port_init(struct device *dev, struct ata_port *ap,
+
+ /* mark esata ports */
+ tmp = readl(port_mmio + PORT_CMD);
+- if ((tmp & PORT_CMD_HPCP) ||
+- ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS)))
++ if ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS))
+ ap->pflags |= ATA_PFLAG_EXTERNAL;
+ }
+
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch b/freed-ora/current/f23/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
deleted file mode 100644
index c02a0f53b..000000000
--- a/freed-ora/current/f23/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
+++ /dev/null
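Review bot: The new patch file has no description, upstream commit id or bug reference, and its subject is only "Test ata fix", so nothing in it says why dropping the `tmp & PORT_CMD_HPCP` test from the condition in ahci_port_init is safe. After the change, a port that reports hot-plug capability but not `PORT_CMD_ESP` together with `HOST_CAP_SXS` is no longer flagged `ATA_PFLAG_EXTERNAL`, which presumably changes how such drives are classified as removable further up the stack. I would give the patch a body such as `Stop treating hot-plug capable ports as external; see rhbz 1310682` (the bug number the spec file in this commit attaches to Patch657) and state whether an upstream fix exists. The body of ahci_port_init begins outside the hunk.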
@@ -1,41 +0,0 @@
-From 6544a1df11c48c8413071aac3316792e4678fbfb Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Date: Mon, 11 Jan 2016 17:35:38 -0800
-Subject: [PATCH] Input: elantech - mark protocols v2 and v3 as semi-mt
-
-When using a protocol v2 or v3 hardware, elantech uses the function
-elantech_report_semi_mt_data() to report data. This devices are rather
-creepy because if num_finger is 3, (x2,y2) is (0,0). Yes, only one valid
-touch is reported.
-
-Anyway, userspace (libinput) is now confused by these (0,0) touches,
-and detect them as palm, and rejects them.
-
-Commit 3c0213d17a09 ("Input: elantech - fix semi-mt protocol for v3 HW")
-was sufficient enough for xf86-input-synaptics and libinput before it has
-palm rejection. Now we need to actually tell libinput that this device is
-a semi-mt one and it should not rely on the actual values of the 2 touches.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
----
- drivers/input/mouse/elantech.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
-index 537ebb0e193a..78f93cf68840 100644
---- a/drivers/input/mouse/elantech.c
-+++ b/drivers/input/mouse/elantech.c
-@@ -1222,7 +1222,7 @@ static int elantech_set_input_params(struct psmouse *psmouse)
- input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2,
- ETP_WMAX_V2, 0, 0);
- }
-- input_mt_init_slots(dev, 2, 0);
-+ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT);
- input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0);
- input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0);
- break;
---
-2.5.0
-
diff --git a/freed-ora/current/f23/drm-nouveau-platform-Fix-deferred-probe.patch b/freed-ora/current/f23/drm-nouveau-platform-Fix-deferred-probe.patch
new file mode 100644
index 000000000..bae1dae7a
--- /dev/null
+++ b/freed-ora/current/f23/drm-nouveau-platform-Fix-deferred-probe.patch 
@@ -0,0 +1,116 @@
+From patchwork Wed Feb 24 17:34:43 2016
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: drm/nouveau: platform: Fix deferred probe
+From: Thierry Reding <thierry.reding@gmail.com>
+X-Patchwork-Id: 587554
+Message-Id: <1456335283-22097-1-git-send-email-thierry.reding@gmail.com>
+To: Ben Skeggs <bskeggs@redhat.com>
+Cc: Alexandre Courbot <gnurou@gmail.com>, Nicolas Chauvet <kwizart@gmail.com>,
+ dri-devel@lists.freedesktop.org, linux-tegra@vger.kernel.org
+Date: Wed, 24 Feb 2016 18:34:43 +0100
+
+From: Thierry Reding <treding@nvidia.com>
+
+The error cleanup paths aren't quite correct and will crash upon
+deferred probe.
+
+Cc: stable@vger.kernel.org # v4.3+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Reviewed-by: Ben Skeggs <bskeggs@redhat.com>
+Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
+---
+ drivers/gpu/drm/nouveau/nouveau_platform.c | 2 +-
+ drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 40 ++++++++++++++++------
+ 2 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_platform.c b/drivers/gpu/drm/nouveau/nouveau_platform.c
+index 8a70cec59bcd..2dfe58af12e4 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_platform.c
++++ b/drivers/gpu/drm/nouveau/nouveau_platform.c
+@@ -24,7 +24,7 @@
+ static int nouveau_platform_probe(struct platform_device *pdev)
+ {
+ const struct nvkm_device_tegra_func *func;
+- struct nvkm_device *device;
++ struct nvkm_device *device = NULL;
+ struct drm_device *drm;
+ int ret;
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
+index 7f8a42721eb2..e7e581d6a8ff 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c
+@@ -252,32 +252,40 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func,
+
+ if (!(tdev = kzalloc(sizeof(*tdev), GFP_KERNEL)))
+ return -ENOMEM;
+- *pdevice = &tdev->device;
++
+ tdev->func = func;
+ tdev->pdev = pdev;
+ tdev->irq = -1;
+
+ tdev->vdd = devm_regulator_get(&pdev->dev, "vdd");
+- if (IS_ERR(tdev->vdd))
+- return PTR_ERR(tdev->vdd);
++ if (IS_ERR(tdev->vdd)) {
++ ret = PTR_ERR(tdev->vdd);
++ goto free;
++ }
+
+ tdev->rst = devm_reset_control_get(&pdev->dev, "gpu");
+- if (IS_ERR(tdev->rst))
+- return PTR_ERR(tdev->rst);
++ if (IS_ERR(tdev->rst)) {
++ ret = PTR_ERR(tdev->rst);
++ goto free;
++ }
+
+ tdev->clk = devm_clk_get(&pdev->dev, "gpu");
+- if (IS_ERR(tdev->clk))
+- return PTR_ERR(tdev->clk);
++ if (IS_ERR(tdev->clk)) {
++ ret = PTR_ERR(tdev->clk);
++ goto free;
++ }
+
+ tdev->clk_pwr = devm_clk_get(&pdev->dev, "pwr");
+- if (IS_ERR(tdev->clk_pwr))
+- return PTR_ERR(tdev->clk_pwr);
++ if (IS_ERR(tdev->clk_pwr)) {
++ ret = PTR_ERR(tdev->clk_pwr);
++ goto free;
++ }
+
+ nvkm_device_tegra_probe_iommu(tdev);
+
+ ret = nvkm_device_tegra_power_up(tdev);
+ if (ret)
+- return ret;
++ goto remove;
+
+ tdev->gpu_speedo = tegra_sku_info.gpu_speedo_value;
+ ret = nvkm_device_ctor(&nvkm_device_tegra_func, NULL, &pdev->dev,
+@@ -285,9 +293,19 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func,
+ cfg, dbg, detect, mmio, subdev_mask,
+ &tdev->device);
+ if (ret)
+- return ret;
++ goto powerdown;
++
++ *pdevice = &tdev->device;
+
+ return 0;
++
++powerdown:
++ nvkm_device_tegra_power_down(tdev);
++remove:
++ nvkm_device_tegra_remove_iommu(tdev);
++free:
++ kfree(tdev);
++ return ret;
+ }
+ #else
+ int
diff --git a/freed-ora/current/f23/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch b/freed-ora/current/f23/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
deleted file mode 100644
index 90bf05310..000000000
--- a/freed-ora/current/f23/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+++ /dev/null
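Review bot: On every failure path nvkm_device_tegra_new now frees `tdev` and returns without writing `*pdevice`, so a caller that passes an uninitialised pointer and then cleans up through it would act on an indeterminate value. The patch covers this only in nouveau_platform_probe, with `struct nvkm_device *device = NULL;`. Making the contract local is cheap: put `*pdevice = NULL;` ahead of the kzalloc call, so that any other caller, if one exists, is covered too. The start of nvkm_device_tegra_new and the error handling in nouveau_platform_probe are both outside the hunks shown, so how the caller uses the pointer after a failure cannot be confirmed from this page.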
@@ -1,86 +0,0 @@ -From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001 -From: Mike Kravetz <mike.kravetz@oracle.com> -Date: Fri, 15 Jan 2016 16:57:37 -0800 -Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() - -Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The -argument end is of type pgoff_t. It was being converted to a vaddr -offset and passed to unmap_hugepage_range. However, end was also being -used as an argument to the vma_interval_tree_foreach controlling loop. -In addition, the conversion of end to vaddr offset was incorrect. - -hugetlb_vmtruncate_list is called as part of a file truncate or -fallocate hole punch operation. - -When truncating a hugetlbfs file, this bug could prevent some pages from -being unmapped. This is possible if there are multiple vmas mapping the -file, and there is a sufficiently sized hole between the mappings. The -size of the hole between two vmas (A,B) must be such that the starting -virtual address of B is greater than (ending virtual address of A << -PAGE_SHIFT). In this case, the pages in B would not be unmapped. If -pages are not properly unmapped during truncate, the following BUG is -hit: - - kernel BUG at fs/hugetlbfs/inode.c:428! - -In the fallocate hole punch case, this bug could prevent pages from -being unmapped as in the truncate case. However, for hole punch the -result is that unmapped pages will not be removed during the operation. -For hole punch, it is also possible that more pages than desired will be -unmapped. This unnecessary unmapping will cause page faults to -reestablish the mappings on subsequent page access. 
- -Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com> -Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com> -Cc: Hugh Dickins <hughd@google.com> -Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> -Cc: Davidlohr Bueso <dave@stgolabs.net> -Cc: Dave Hansen <dave.hansen@linux.intel.com> -Cc: <stable@vger.kernel.org> [4.3] -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> ---- - fs/hugetlbfs/inode.c | 19 +++++++++++-------- - 1 file changed, 11 insertions(+), 8 deletions(-) - -diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index bbc333b01ca3..9c07d2d754c9 100644 ---- a/fs/hugetlbfs/inode.c -+++ b/fs/hugetlbfs/inode.c -@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end) - */ - vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) { - unsigned long v_offset; -+ unsigned long v_end; - - /* - * Can the expression below overflow on 32-bit arches? -@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end) - else - v_offset = 0; - -- if (end) { -- end = ((end - start) << PAGE_SHIFT) + -- vma->vm_start + v_offset; -- if (end > vma->vm_end) -- end = vma->vm_end; -- } else -- end = vma->vm_end; -+ if (!end) -+ v_end = vma->vm_end; -+ else { -+ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT) -+ + vma->vm_start; -+ if (v_end > vma->vm_end) -+ v_end = vma->vm_end; -+ } - -- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL); -+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end, -+ NULL); - } - } - --- -2.5.0 - diff --git a/freed-ora/current/f23/kernel.spec b/freed-ora/current/f23/kernel.spec index 20d267f9d..c10f9129c 100644 --- a/freed-ora/current/f23/kernel.spec +++ b/freed-ora/current/f23/kernel.spec 
@@ -40,7 +40,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -90,7 +90,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -550,6 +550,8 @@ Patch456: arm64-acpi-drop-expert-patch.patch Patch457: ARM-tegra-usb-no-reset.patch +Patch458: drm-nouveau-platform-Fix-deferred-probe.patch + Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch Patch463: arm-i.MX6-Utilite-device-dtb.patch @@ -642,9 +644,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch #rhbz 1288687 Patch572: alua_fix.patch -#CVE-2015-8709 rhbz 1295287 1295288 -Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch - Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch #rhbz 1083853 @@ -663,15 +662,9 @@ Patch645: cfg80211-wext-fix-message-ordering.patch #rhbz 1255325 Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch -#CVE-2016-0617 rhbz 1305803 1305804 -Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch - #CVE-2016-2383 rhbz 1308452 1308453 Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch -#rhbz 1306987 -Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch - #CVE-2015-8812 rhbz 1303532 1309548 Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch 
@@ -681,6 +674,13 @@ Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch #rhbz 1310258 Patch655: iommu-fix.patch +#CVE-2016-2550 rhbz 1311517 1311518 +Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch + +#rhbz 1310682 +Patch657: 0001-Test-ata-fix.patch + +Patch658: nouveau-displayoff-fix.patch # END OF PATCH DEFINITIONS %endif @@ -2221,6 +2221,20 @@ fi # # %changelog +* Sun Feb 28 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 4.4.3-gnu. + +* Fri Feb 26 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.3-300 +- Linux v4.4.3 +- Fix automounting behavior of ATA drives (rhbz 1310682) +- Fix suspend blacklight blanking behavior + +* Thu Feb 25 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Fix deferred nouveau module loading on tegra + +* Wed Feb 24 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-2550 af_unix: incorrect accounting on in-flight fds (rhbz 1311517 1311518) + * Tue Feb 23 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.2-301 - Fix a known use after free issue in the USB hub code - Fix AMD IOMMU warning spew on every boot (rhbz 1310258) diff --git a/freed-ora/current/f23/nouveau-displayoff-fix.patch b/freed-ora/current/f23/nouveau-displayoff-fix.patch new file mode 100644 index 000000000..32045d3c8 --- /dev/null +++ b/freed-ora/current/f23/nouveau-displayoff-fix.patch 
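Review bot: The %changelog entries added at the end of kernel.spec do not record that Patch603 (CVE-2015-8709, ptrace) and Patch648 (CVE-2016-0617, hugetlbfs) are dropped by the hunks at -642,9 and -663,15. The deleted hugetlbfs and elantech patches carry a `Cc: stable` trailer, so they are plausibly part of the 4.4.3 stable update, but the deleted ptrace patch has only its author's sign-off and nothing on this page shows that 4.4.3 contains an equivalent check. I would add changelog lines such as `- Drop ptrace-being-capable-wrt-a-process-requires-mapped-u.patch (CVE-2015-8709): <reason>` and the same for the other two. `Patch658: nouveau-displayoff-fix.patch` should also get a comment line naming its bug or origin, like its neighbours.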
@@ -0,0 +1,61 @@
+From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Thu, 18 Feb 2016 08:14:19 +1000
+Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link
+ training
+
+This can happen under some annoying circumstances, and is a quick fix
+until more substantial changes can be made.
+
+Fixed eDP mode changes on (at least) the Lenovo P50.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Cc: stable@vger.kernel.org
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
+index 74e2f7c..9688970 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
+@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w)
+ .outp = outp,
+ }, *dp = &_dp;
+ u32 datarate = 0;
++ u8 pwr;
+ int ret;
+
+ if (!outp->base.info.location && disp->func->sor.magic)
+@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w)
+ /* disable link interrupt handling during link training */
+ nvkm_notify_put(&outp->irq);
+
++ /* ensure sink is not in a low-power state */
++ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) {
++ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) {
++ pwr &= ~DPCD_SC00_SET_POWER;
++ pwr |= DPCD_SC00_SET_POWER_D0;
++ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1);
++ }
++ }
++
+ /* enable down-spreading and execute pre-train script from vbios */
+ dp_link_train_init(dp, outp->dpcd[3] & 0x01);
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
+index 9596290..6e10c5e 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
+@@ -71,5 +71,11 @@
+ #define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c
+ #define DPCD_LS0C_LANE0_POST_CURSOR2 0x03
+
++/* DPCD Sink Control */
++#define DPCD_SC00 0x00600
++#define DPCD_SC00_SET_POWER 0x03
++#define DPCD_SC00_SET_POWER_D0 0x01
++#define DPCD_SC00_SET_POWER_D3 0x03
++
+ void nvkm_dp_train(struct work_struct *);
+ #endif
+--
+cgit v0.10.2
+
diff --git a/freed-ora/current/f23/patch-4.4-gnu-4.4.2-gnu.xz.sign b/freed-ora/current/f23/patch-4.4-gnu-4.4.2-gnu.xz.sign
deleted file mode 100644
index d98210116..000000000
--- a/freed-ora/current/f23/patch-4.4-gnu-4.4.2-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAlbFAgcACgkQvLfPh359R6fcUwCglBH0SauQfStJFH8cCxOD0+SA
-41UAn2Pu7jNDgqUZ8e2qKg/dQw97lkAy
-=UopQ
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f23/patch-4.4-gnu-4.4.3-gnu.xz.sign b/freed-ora/current/f23/patch-4.4-gnu-4.4.3-gnu.xz.sign
new file mode 100644
index 000000000..26c63b3a4
--- /dev/null
+++ b/freed-ora/current/f23/patch-4.4-gnu-4.4.3-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAlbQQ1AACgkQvLfPh359R6d97ACghl0j2MG+HAk0iQIAINny5muR
+MYAAnj6QPVc6C/Udq/pp8uEDEw6TatO9
+=FUKe
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f23/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch b/freed-ora/current/f23/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
deleted file mode 100644
index 55c3ab9d1..000000000
--- a/freed-ora/current/f23/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
+++ /dev/null
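Review bot: The return value of `nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1);` in the block added to nvkm_dp_train is discarded, so link training continues silently when the sink could not be switched to D0. A failed `nvkm_rdaux` likewise skips the power-up without leaving any trace. Checking the write, `if (nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1)) /* log, then continue */`, and logging the read failure would make the "annoying circumstances" from the description diagnosable without changing the best-effort behaviour. nvkm_dp_train starts and ends outside the hunk, so whether later code re-checks the sink state is not visible here.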
@@ -1,108 +0,0 @@ -From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001 -From: Jann Horn <jann@thejh.net> -Date: Sat, 26 Dec 2015 03:52:31 +0100 -Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids - -ptrace_has_cap() checks whether the current process should be -treated as having a certain capability for ptrace checks -against another process. Until now, this was equivalent to -has_ns_capability(current, target_ns, CAP_SYS_PTRACE). - -However, if a root-owned process wants to enter a user -namespace for some reason without knowing who owns it and -therefore can't change to the namespace owner's uid and gid -before entering, as soon as it has entered the namespace, -the namespace owner can attach to it via ptrace and thereby -gain access to its uid and gid. - -While it is possible for the entering process to switch to -the uid of a claimed namespace owner before entering, -causing the attempt to enter to fail if the claimed uid is -wrong, this doesn't solve the problem of determining an -appropriate gid. - -With this change, the entering process can first enter the -namespace and then safely inspect the namespace's -properties, e.g. through /proc/self/{uid_map,gid_map}, -assuming that the namespace owner doesn't have access to -uid 0. - -Changed in v2: The caller needs to be capable in the -namespace into which tcred's uids/gids can be mapped. 
- -Signed-off-by: Jann Horn <jann@thejh.net> ---- - kernel/ptrace.c | 33 ++++++++++++++++++++++++++++----- - 1 file changed, 28 insertions(+), 5 deletions(-) - -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 787320de68e0..407c382b45c8 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -20,6 +20,7 @@ - #include <linux/uio.h> - #include <linux/audit.h> - #include <linux/pid_namespace.h> -+#include <linux/user_namespace.h> - #include <linux/syscalls.h> - #include <linux/uaccess.h> - #include <linux/regset.h> -@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) - return ret; - } - --static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) -+static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode) - { -+ struct user_namespace *tns = tcred->user_ns; -+ -+ /* When a root-owned process enters a user namespace created by a -+ * malicious user, the user shouldn't be able to execute code under -+ * uid 0 by attaching to the root-owned process via ptrace. -+ * Therefore, similar to the capable_wrt_inode_uidgid() check, -+ * verify that all the uids and gids of the target process are -+ * mapped into a namespace below the current one in which the caller -+ * is capable. -+ * No fsuid/fsgid check because __ptrace_may_access doesn't do it -+ * either. -+ */ -+ while ( -+ !kuid_has_mapping(tns, tcred->euid) || -+ !kuid_has_mapping(tns, tcred->suid) || -+ !kuid_has_mapping(tns, tcred->uid) || -+ !kgid_has_mapping(tns, tcred->egid) || -+ !kgid_has_mapping(tns, tcred->sgid) || -+ !kgid_has_mapping(tns, tcred->gid)) { -+ tns = tns->parent; -+ } -+ - if (mode & PTRACE_MODE_NOAUDIT) -- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); -+ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE); - else -- return has_ns_capability(current, ns, CAP_SYS_PTRACE); -+ return has_ns_capability(current, tns, CAP_SYS_PTRACE); - } - - /* Returns 0 on success, -errno on denial. 
*/ -@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - gid_eq(cred->gid, tcred->sgid) && - gid_eq(cred->gid, tcred->gid)) - goto ok; -- if (ptrace_has_cap(tcred->user_ns, mode)) -+ if (ptrace_has_cap(tcred, mode)) - goto ok; - rcu_read_unlock(); - return -EPERM; -@@ -252,7 +275,7 @@ ok: - dumpable = get_dumpable(task->mm); - rcu_read_lock(); - if (dumpable != SUID_DUMP_USER && -- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { -+ !ptrace_has_cap(__task_cred(task), mode)) { - rcu_read_unlock(); - return -EPERM; - } --- -2.5.0 - diff --git a/freed-ora/current/f23/sources b/freed-ora/current/f23/sources index fb6c8e7a5..71956c404 100644 --- a/freed-ora/current/f23/sources +++ b/freed-ora/current/f23/sources @@ -1,3 +1,3 @@ 5f34e3272b5229cd1868113e321267bd linux-libre-4.4-gnu.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -75dd9840ae01a6bd998e2f24b7ca45bb patch-4.4-gnu-4.4.2-gnu.xz +454bc4b04ee51a82f3d84d5190aafc26 patch-4.4-gnu-4.4.3-gnu.xz diff --git a/freed-ora/current/f23/unix-correctly-track-in-flight-fds-in-sending-proces.patch b/freed-ora/current/f23/unix-correctly-track-in-flight-fds-in-sending-proces.patch new file mode 100644 index 000000000..eb513ef6b --- /dev/null +++ b/freed-ora/current/f23/unix-correctly-track-in-flight-fds-in-sending-proces.patch 
@@ -0,0 +1,159 @@
+From 415e3d3e90ce9e18727e8843ae343eda5a58fad6 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed, 3 Feb 2016 02:11:03 +0100
+Subject: [PATCH] unix: correctly track in-flight fds in sending process
+ user_struct
+
+The commit referenced in the Fixes tag incorrectly accounted the number
+of in-flight fds over a unix domain socket to the original opener
+of the file-descriptor. This allows another process to arbitrary
+deplete the original file-openers resource limit for the maximum of
+open files. Instead the sending processes and its struct cred should
+be credited.
+
+To do so, we add a reference counted struct user_struct pointer to the
+scm_fp_list and use it to account for the number of inflight unix fds.
+
+Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+Reported-by: David Herrmann <dh.herrmann@gmail.com>
+Cc: David Herrmann <dh.herrmann@gmail.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/af_unix.h b/include/net/af_unix.h
+index 2a91a0561a47..9b4c418bebd8 100644
+--- a/include/net/af_unix.h
++++ b/include/net/af_unix.h
+@@ -6,8 +6,8 @@
+ #include <linux/mutex.h>
+ #include <net/sock.h>
+
+-void unix_inflight(struct file *fp);
+-void unix_notinflight(struct file *fp);
++void unix_inflight(struct user_struct *user, struct file *fp);
++void unix_notinflight(struct user_struct *user, struct file *fp);
+ void unix_gc(void);
+ void wait_for_unix_gc(void);
+ struct sock *unix_get_socket(struct file *filp);
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 262532d111f5..59fa93c01d2a 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -21,6 +21,7 @@ struct scm_creds {
+ struct scm_fp_list {
+ short count;
+ short max;
++ struct user_struct *user;
+ struct file *fp[SCM_MAX_FD];
+ };
+
+diff --git a/net/core/scm.c b/net/core/scm.c
+index 14596fb37172..2696aefdc148 100644
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
+ *fplp = fpl;
+ fpl->count = 0;
+ fpl->max = SCM_MAX_FD;
++ fpl->user = NULL;
+ }
+ fpp = &fpl->fp[fpl->count];
+
+@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
+ *fpp++ = file;
+ fpl->count++;
+ }
++
++ if (!fpl->user)
++ fpl->user = get_uid(current_user());
++
+ return num;
+ }
+
+@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm)
+ scm->fp = NULL;
+ for (i=fpl->count-1; i>=0; i--)
+ fput(fpl->fp[i]);
++ free_uid(fpl->user);
+ kfree(fpl);
+ }
+ }
+@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
+ for (i = 0; i < fpl->count; i++)
+ get_file(fpl->fp[i]);
+ new_fpl->max = new_fpl->count;
++ new_fpl->user = get_uid(fpl->user);
+ }
+ return new_fpl;
+ }
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 49d5093eb055..29be035f9c65 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ UNIXCB(skb).fp = NULL;
+
+ for (i = scm->fp->count-1; i >= 0; i--)
+- unix_notinflight(scm->fp->fp[i]);
++ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
+ }
+
+ static void unix_destruct_scm(struct sk_buff *skb)
+@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ return -ENOMEM;
+
+ for (i = scm->fp->count - 1; i >= 0; i--)
+- unix_inflight(scm->fp->fp[i]);
++ unix_inflight(scm->fp->user, scm->fp->fp[i]);
+ return max_level;
+ }
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 8fcdc2283af5..6a0d48525fcf 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp)
+ * descriptor if it is for an AF_UNIX socket.
+ */
+
+-void unix_inflight(struct file *fp)
++void unix_inflight(struct user_struct *user, struct file *fp)
+ {
+ struct sock *s = unix_get_socket(fp);
+
+@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp)
+ }
+ unix_tot_inflight++;
+ }
+- fp->f_cred->user->unix_inflight++;
++ user->unix_inflight++;
+ spin_unlock(&unix_gc_lock);
+ }
+
+-void unix_notinflight(struct file *fp)
++void unix_notinflight(struct user_struct *user, struct file *fp)
+ {
+ struct sock *s = unix_get_socket(fp);
+
+@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp)
+ list_del_init(&u->link);
+ unix_tot_inflight--;
+ }
+- fp->f_cred->user->unix_inflight--;
++ user->unix_inflight--;
+ spin_unlock(&unix_gc_lock);
+ }
+
+--
+2.5.0
+ |
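Review bot: `user->unix_inflight++` and `user->unix_inflight--` in net/unix/garbage.c now dereference a caller-supplied pointer unchecked, and the per-user count stays balanced only if unix_notinflight receives the same `user` that unix_inflight was given for that file. The patch sets `fpl->user = NULL` at allocation and fills it only at the end of scm_fp_copy, so the invariant that a list reaching unix_attach_fds has a non-NULL user should be written down. I would document the new field as `struct user_struct *user; /* sender; reference held; charged for in-flight fds */` and add a one-line comment above unix_inflight saying `user` must be the `scm_fp_list` owner's `user`. The early-exit paths of scm_fp_copy lie outside the visible hunks, so whether a partially filled list can still be attached with `user == NULL` cannot be confirmed from this page.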