From 6c7ce3f64c352b8ff014a5c73971bb19bbb2c92a Mon Sep 17 00:00:00 2001 From: Alexandre Oliva Date: Wed, 30 Jul 2014 17:26:38 +0000 Subject: 3.15.7-200.fc20.gnu --- ...Add-use_native_backlight-quirk-for-HP-Pro.patch | 45 +++++ ...Add-video.use_native_backlight-1-for-HP-E.patch | 43 +++++ ...ist-using-streams-on-the-Etron-EJ168-cont.patch | 99 ++++++++++ ...i915-reverse-dp-link-param-selection-pref.patch | 43 ----- ...der-to-avoid-regression-when-merging-mode.patch | 214 +++++++++++++++++++++ .../f20/fs-umount-on-symlink-leaks-mnt-count.patch | 41 ++++ freed-ora/current/f20/kernel.spec | 80 +++++++- ...p-inherit-auth_capable-on-INIT-collisions.patch | 212 ++++++++++++++++++++ .../f20/s390-ptrace-fix-PSW-mask-check.patch | 59 ++++++ .../sched-fix-sched_setparam-policy-1-logic.patch | 68 +++++++ freed-ora/current/f20/sources | 2 +- 11 files changed, 855 insertions(+), 51 deletions(-) create mode 100644 freed-ora/current/f20/0001-ACPI-video-Add-use_native_backlight-quirk-for-HP-Pro.patch create mode 100644 freed-ora/current/f20/0001-acpi-video-Add-video.use_native_backlight-1-for-HP-E.patch create mode 100644 freed-ora/current/f20/0001-xhci-Blacklist-using-streams-on-the-Etron-EJ168-cont.patch delete mode 100644 freed-ora/current/f20/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch create mode 100644 freed-ora/current/f20/drm-try-harder-to-avoid-regression-when-merging-mode.patch create mode 100644 freed-ora/current/f20/fs-umount-on-symlink-leaks-mnt-count.patch create mode 100644 freed-ora/current/f20/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch create mode 100644 freed-ora/current/f20/s390-ptrace-fix-PSW-mask-check.patch create mode 100644 freed-ora/current/f20/sched-fix-sched_setparam-policy-1-logic.patch (limited to 'freed-ora/current/f20') diff --git a/freed-ora/current/f20/0001-ACPI-video-Add-use_native_backlight-quirk-for-HP-Pro.patch b/freed-ora/current/f20/0001-ACPI-video-Add-use_native_backlight-quirk-for-HP-Pro.patch new file mode 100644 index 000000000..80062ca59 --- /dev/null +++ b/freed-ora/current/f20/0001-ACPI-video-Add-use_native_backlight-quirk-for-HP-Pro.patch @@ -0,0 +1,45 @@ +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1025690 +Upstream-status: Included in 3.16 +Note: Not needed for 3.16 and higher since use_native_backlight=1 is the +default there, upstream is maintaining the quirk list for now in case it is +decided to flip the default back. + +From 4cf465b579c20bee868464f5d664f8d2d96cd370 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 16 Jul 2014 13:28:34 +0200 +Subject: [PATCH] ACPI / video: Add use_native_backlight quirk for HP ProBook + 4540s + +As reported here: +https://bugzilla.redhat.com/show_bug.cgi?id=1025690 +This is yet another model which needs this quirk. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1025690 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +--- + drivers/acpi/video.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c +index 29649c1..350d52a 100644 +--- a/drivers/acpi/video.c ++++ b/drivers/acpi/video.c +@@ -581,6 +581,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = { + }, + { + .callback = video_set_use_native_backlight, ++ .ident = "HP ProBook 4540s", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "HP ProBook 4540s"), ++ }, ++ }, ++ { ++ .callback = video_set_use_native_backlight, + .ident = "HP ProBook 2013 models", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +-- +2.0.1 + diff --git a/freed-ora/current/f20/0001-acpi-video-Add-video.use_native_backlight-1-for-HP-E.patch b/freed-ora/current/f20/0001-acpi-video-Add-video.use_native_backlight-1-for-HP-E.patch new file mode 100644 index 000000000..cce82d9ff --- /dev/null +++ b/freed-ora/current/f20/0001-acpi-video-Add-video.use_native_backlight-1-for-HP-E.patch @@ -0,0 +1,43 @@ +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1123565 +Upstream-status: Send upstream for 3.17 with Cc: stable +Note: Not needed for 3.16 and higher since use_native_backlight=1 is the +default there, upstream is maintaining the quirk list for now in case it is +decided to flip the default back. + +From e1eaa90a9691696df34040f40f5dbc1d91a394f0 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 28 Jul 2014 17:31:44 +0200 +Subject: [PATCH] acpi-video: Add video.use_native_backlight=1 for HP EliteBook + 2014 models + +https://bugzilla.redhat.com/show_bug.cgi?id=1123565 + +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +--- + drivers/acpi/video.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c +index 18c0e69..8268843 100644 +--- a/drivers/acpi/video.c ++++ b/drivers/acpi/video.c +@@ -673,6 +673,15 @@ static struct dmi_system_id video_dmi_table[] __initdata = { + }, + { + .callback = video_set_use_native_backlight, ++ .ident = "HP EliteBook 2014 models", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook "), ++ DMI_MATCH(DMI_PRODUCT_NAME, " G2"), ++ }, ++ }, ++ { ++ .callback = video_set_use_native_backlight, + .ident = "HP ZBook 14", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), +-- +2.0.1 + diff --git a/freed-ora/current/f20/0001-xhci-Blacklist-using-streams-on-the-Etron-EJ168-cont.patch b/freed-ora/current/f20/0001-xhci-Blacklist-using-streams-on-the-Etron-EJ168-cont.patch new file mode 100644 index 000000000..ee66d70c3 --- /dev/null +++ b/freed-ora/current/f20/0001-xhci-Blacklist-using-streams-on-the-Etron-EJ168-cont.patch @@ -0,0 +1,99 @@ +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1121288 +Upstream-status: Send upstream for 3.16/3.17 with Cc: stable + +From 82170a95391209b87bbedd0b3aa7636161573ddb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 25 Jul 2014 12:28:02 +0200 +Subject: [PATCH] xhci: Blacklist using streams on the Etron EJ168 controller + +Streams on the EJ168 do not work as they should. I've spend 2 days trying +to get them to work, but without success. + +The first problem is that when ever you ring the stream-ring doorbell, the +controller starts executing trbs at the beginning of the first ring segment, +event if it ended somewhere else previously. This can be worked around by +allowing enqueing only one td (not a problem with how streams are typically +used) and then resetting our copies of the enqueueing en dequeueing pointers +on a td completion to match what the controller seems to be doing. + +This way things seem to start working with uas and instead of being able +to complete only the very first scsi command, the scsi core can probe the disk. + +But then things break later on when td-s get enqueued with more then one +trb. The controller does seem to increase its dequeue pointer while executing +a stream-ring (data transfer events I inserted for debugging do trigger). +However execution seems to stop at the final normal trb of a multi trb td, +even if there is a data transfer event inserted after the final trb. + +The first problem alone is a serious deviation from the spec, and esp. +dealing with cancellation would have been very tricky if not outright +impossible, but the second problem simply is a deal breaker altogether, +so this patch simply disables streams. + +Note this will cause the usb-storage + uas driver pair to automatically switch +to using usb-storage instead of uas on these devices, essentially reverting +to the 3.14 and earlier behavior when uas was marked CONFIG_BROKEN. + +https://bugzilla.redhat.com/show_bug.cgi?id=1121288 +https://bugzilla.kernel.org/show_bug.cgi?id=80101 + +Cc: stable@vger.kernel.org # 3.15 +Signed-off-by: Hans de Goede +--- + drivers/usb/host/xhci-pci.c | 4 +++- + drivers/usb/host/xhci.c | 3 ++- + drivers/usb/host/xhci.h | 2 ++ + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index e20520f..464049f 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -143,6 +143,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci_dbg_trace(xhci, trace_xhci_dbg_quirks, + "QUIRK: Resetting on resume"); + xhci->quirks |= XHCI_TRUST_TX_LENGTH; ++ xhci->quirks |= XHCI_BROKEN_STREAMS; + } + if (pdev->vendor == PCI_VENDOR_ID_RENESAS && + pdev->device == 0x0015) +@@ -230,7 +231,8 @@ static int xhci_pci_probe(struct pci_dev *dev, const struct pci_device_id *id) + goto put_usb3_hcd; + /* Roothub already marked as USB 3.0 speed */ + +- if (HCC_MAX_PSA(xhci->hcc_params) >= 4) ++ if (!(xhci->quirks & XHCI_BROKEN_STREAMS) && ++ HCC_MAX_PSA(xhci->hcc_params) >= 4) + xhci->shared_hcd->can_do_streams = 1; + + /* USB-2 and USB-3 roothubs initialized, allow runtime pm suspend */ +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 7d02e1b..758bc31 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3163,7 +3163,8 @@ int xhci_alloc_streams(struct usb_hcd *hcd, struct usb_device *udev, + num_streams); + + /* MaxPSASize value 0 (2 streams) means streams are not supported */ +- if (HCC_MAX_PSA(xhci->hcc_params) < 4) { ++ if ((xhci->quirks & XHCI_BROKEN_STREAMS) || ++ HCC_MAX_PSA(xhci->hcc_params) < 4) { + xhci_dbg(xhci, "xHCI controller does not support streams.\n"); + return -ENOSYS; + } +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 1411069..88b2958 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1558,6 +1558,8 @@ struct xhci_hcd { + #define XHCI_PLAT (1 << 16) + #define XHCI_SLOW_SUSPEND (1 << 17) + #define XHCI_SPURIOUS_WAKEUP (1 << 18) ++/* For controllers with a broken beyond repair streams implementation */ ++#define XHCI_BROKEN_STREAMS (1 << 19) + unsigned int num_active_eps; + unsigned int limit_active_eps; + /* There are two roothubs to keep track of bus suspend info for */ +-- +2.0.1 + diff --git a/freed-ora/current/f20/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch b/freed-ora/current/f20/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch deleted file mode 100644 index 25aff2f13..000000000 --- a/freed-ora/current/f20/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch +++ /dev/null @@ -1,43 +0,0 @@ -Bugzilla: 1117008 -Upstream-status: Sent to intel-gfx - -From b22370f0cf68e49ddcb3dd7033aba5ff6454dfcc Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Mon, 14 Jul 2014 10:54:20 +1000 -Subject: [PATCH] Revert "drm/i915: reverse dp link param selection, prefer - fast over wide again" - -This reverts commit 38aecea0ccbb909d635619cba22f1891e589b434. - -This breaks Haswell Thinkpad + Lenovo dock in SST mode with a HDMI monitor attached. - -Before this we can 1920x1200 mode, after this we only ever get 1024x768, and -a lot of deferring. - -This didn't revert clean, but this should be fine. - -bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1117008 -Cc: stable@vger.kernel.org # v3.15 -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/i915/intel_dp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c -index 2a00cb8..61963d3 100644 ---- a/drivers/gpu/drm/i915/intel_dp.c -+++ b/drivers/gpu/drm/i915/intel_dp.c -@@ -833,8 +833,8 @@ intel_dp_compute_config(struct intel_encoder *encoder, - mode_rate = intel_dp_link_required(adjusted_mode->crtc_clock, - bpp); - -- for (lane_count = min_lane_count; lane_count <= max_lane_count; lane_count <<= 1) { -- for (clock = min_clock; clock <= max_clock; clock++) { -+ for (clock = min_clock; clock <= max_clock; clock++) { -+ for (lane_count = min_lane_count; lane_count <= max_lane_count; lane_count <<= 1) { - link_clock = drm_dp_bw_code_to_link_rate(bws[clock]); - link_avail = intel_dp_max_data_rate(link_clock, - lane_count); --- -1.9.3 - diff --git a/freed-ora/current/f20/drm-try-harder-to-avoid-regression-when-merging-mode.patch b/freed-ora/current/f20/drm-try-harder-to-avoid-regression-when-merging-mode.patch new file mode 100644 index 000000000..c4518a9f1 --- /dev/null +++ b/freed-ora/current/f20/drm-try-harder-to-avoid-regression-when-merging-mode.patch @@ -0,0 +1,214 @@ +Bugzilla: 1060327 +Upstream-status: 3.16 + +From b87577b7c768683736eea28f70779e8c75b4df62 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 1 May 2014 09:26:53 +1000 +Subject: [PATCH] drm: try harder to avoid regression when merging mode bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For QXL hw we really want the bits to be replaced as we change +the preferred mode on the fly, and the same goes for virgl when +I get to it, however the original fix for this seems to have caused +a wierd regression on Intel G33 that in a stunning display of failure +at opposition to his normal self, Daniel failed to diagnose. + +So we are left doing this, ugly ugly ugly ugly, Daniel you fixed +that G33 yet?, ugly, ugly. + +Tested-by: Marc-AndrĂ© Lureau +Signed-off-by: Dave Airlie +--- + drivers/gpu/drm/drm_modes.c | 9 ++++-- + drivers/gpu/drm/drm_probe_helper.c | 64 +++++++++++++++++++++++++------------ + drivers/gpu/drm/qxl/qxl_display.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 +- + include/drm/drm_crtc_helper.h | 4 +++ + include/drm/drm_modes.h | 2 +- + 6 files changed, 57 insertions(+), 26 deletions(-) + +diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c +index 8b410576fce4..bedf1894e17e 100644 +--- a/drivers/gpu/drm/drm_modes.c ++++ b/drivers/gpu/drm/drm_modes.c +@@ -1013,6 +1013,7 @@ EXPORT_SYMBOL(drm_mode_sort); + /** + * drm_mode_connector_list_update - update the mode list for the connector + * @connector: the connector to update ++ * @merge_type_bits: whether to merge or overright type bits. + * + * This moves the modes from the @connector probed_modes list + * to the actual mode list. It compares the probed mode against the current +@@ -1021,7 +1022,8 @@ EXPORT_SYMBOL(drm_mode_sort); + * This is just a helper functions doesn't validate any modes itself and also + * doesn't prune any invalid modes. Callers need to do that themselves. + */ +-void drm_mode_connector_list_update(struct drm_connector *connector) ++void drm_mode_connector_list_update(struct drm_connector *connector, ++ bool merge_type_bits) + { + struct drm_display_mode *mode; + struct drm_display_mode *pmode, *pt; +@@ -1039,7 +1041,10 @@ void drm_mode_connector_list_update(struct drm_connector *connector) + /* if equal delete the probed mode */ + mode->status = pmode->status; + /* Merge type bits together */ +- mode->type |= pmode->type; ++ if (merge_type_bits) ++ mode->type |= pmode->type; ++ else ++ mode->type = pmode->type; + list_del(&pmode->head); + drm_mode_destroy(connector->dev, pmode); + break; +diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c +index e70f54d4a581..8afdd0998a8c 100644 +--- a/drivers/gpu/drm/drm_probe_helper.c ++++ b/drivers/gpu/drm/drm_probe_helper.c +@@ -82,26 +82,8 @@ static void drm_mode_validate_flag(struct drm_connector *connector, + return; + } + +-/** +- * drm_helper_probe_single_connector_modes - get complete set of display modes +- * @connector: connector to probe +- * @maxX: max width for modes +- * @maxY: max height for modes +- * +- * Based on the helper callbacks implemented by @connector try to detect all +- * valid modes. Modes will first be added to the connector's probed_modes list, +- * then culled (based on validity and the @maxX, @maxY parameters) and put into +- * the normal modes list. +- * +- * Intended to be use as a generic implementation of the ->fill_modes() +- * @connector vfunc for drivers that use the crtc helpers for output mode +- * filtering and detection. +- * +- * Returns: +- * The number of modes found on @connector. +- */ +-int drm_helper_probe_single_connector_modes(struct drm_connector *connector, +- uint32_t maxX, uint32_t maxY) ++static int drm_helper_probe_single_connector_modes_merge_bits(struct drm_connector *connector, ++ uint32_t maxX, uint32_t maxY, bool merge_type_bits) + { + struct drm_device *dev = connector->dev; + struct drm_display_mode *mode; +@@ -155,7 +137,7 @@ int drm_helper_probe_single_connector_modes(struct drm_connector *connector, + if (count == 0) + goto prune; + +- drm_mode_connector_list_update(connector); ++ drm_mode_connector_list_update(connector, merge_type_bits); + + if (maxX && maxY) + drm_mode_validate_size(dev, &connector->modes, maxX, maxY); +@@ -194,9 +176,49 @@ prune: + + return count; + } ++ ++/** ++ * drm_helper_probe_single_connector_modes - get complete set of display modes ++ * @connector: connector to probe ++ * @maxX: max width for modes ++ * @maxY: max height for modes ++ * ++ * Based on the helper callbacks implemented by @connector try to detect all ++ * valid modes. Modes will first be added to the connector's probed_modes list, ++ * then culled (based on validity and the @maxX, @maxY parameters) and put into ++ * the normal modes list. ++ * ++ * Intended to be use as a generic implementation of the ->fill_modes() ++ * @connector vfunc for drivers that use the crtc helpers for output mode ++ * filtering and detection. ++ * ++ * Returns: ++ * The number of modes found on @connector. ++ */ ++int drm_helper_probe_single_connector_modes(struct drm_connector *connector, ++ uint32_t maxX, uint32_t maxY) ++{ ++ return drm_helper_probe_single_connector_modes_merge_bits(connector, maxX, maxY, true); ++} + EXPORT_SYMBOL(drm_helper_probe_single_connector_modes); + + /** ++ * drm_helper_probe_single_connector_modes_nomerge - get complete set of display modes ++ * @connector: connector to probe ++ * @maxX: max width for modes ++ * @maxY: max height for modes ++ * ++ * This operates like drm_hehlper_probe_single_connector_modes except it ++ * replaces the mode bits instead of merging them for preferred modes. ++ */ ++int drm_helper_probe_single_connector_modes_nomerge(struct drm_connector *connector, ++ uint32_t maxX, uint32_t maxY) ++{ ++ return drm_helper_probe_single_connector_modes_merge_bits(connector, maxX, maxY, false); ++} ++EXPORT_SYMBOL(drm_helper_probe_single_connector_modes_nomerge); ++ ++/** + * drm_kms_helper_hotplug_event - fire off KMS hotplug events + * @dev: drm_device whose connector state changed + * +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 41bdd174657e..3ab9072d3623 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -841,7 +841,7 @@ static const struct drm_connector_funcs qxl_connector_funcs = { + .save = qxl_conn_save, + .restore = qxl_conn_restore, + .detect = qxl_conn_detect, +- .fill_modes = drm_helper_probe_single_connector_modes, ++ .fill_modes = drm_helper_probe_single_connector_modes_nomerge, + .set_property = qxl_conn_set_property, + .destroy = qxl_conn_destroy, + }; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index a2dde5ad8138..e7199b454ca0 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2001,7 +2001,7 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector, + if (du->pref_mode) + list_move(&du->pref_mode->head, &connector->probed_modes); + +- drm_mode_connector_list_update(connector); ++ drm_mode_connector_list_update(connector, true); + + return 1; + } +diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h +index 36a5febac2a6..f51c8393e9a8 100644 +--- a/include/drm/drm_crtc_helper.h ++++ b/include/drm/drm_crtc_helper.h +@@ -165,6 +165,10 @@ extern void drm_helper_resume_force_mode(struct drm_device *dev); + extern int drm_helper_probe_single_connector_modes(struct drm_connector + *connector, uint32_t maxX, + uint32_t maxY); ++extern int drm_helper_probe_single_connector_modes_nomerge(struct drm_connector ++ *connector, ++ uint32_t maxX, ++ uint32_t maxY); + extern void drm_kms_helper_poll_init(struct drm_device *dev); + extern void drm_kms_helper_poll_fini(struct drm_device *dev); + extern bool drm_helper_hpd_irq_event(struct drm_device *dev); +diff --git a/include/drm/drm_modes.h b/include/drm/drm_modes.h +index 2dbbf9976669..91d0582f924e 100644 +--- a/include/drm/drm_modes.h ++++ b/include/drm/drm_modes.h +@@ -223,7 +223,7 @@ void drm_mode_validate_size(struct drm_device *dev, + void drm_mode_prune_invalid(struct drm_device *dev, + struct list_head *mode_list, bool verbose); + void drm_mode_sort(struct list_head *mode_list); +-void drm_mode_connector_list_update(struct drm_connector *connector); ++void drm_mode_connector_list_update(struct drm_connector *connector, bool merge_type_bits); + + /* parsing cmdline modes */ + bool +-- +1.9.3 + diff --git a/freed-ora/current/f20/fs-umount-on-symlink-leaks-mnt-count.patch b/freed-ora/current/f20/fs-umount-on-symlink-leaks-mnt-count.patch new file mode 100644 index 000000000..ed0e8a397 --- /dev/null +++ b/freed-ora/current/f20/fs-umount-on-symlink-leaks-mnt-count.patch @@ -0,0 +1,41 @@ +Bugzilla: 1122482 +Upstream-status: Sent for 3.16 +From: Vasily Averin +Subject: [PATCH v4] fs: umount on symlink leaks mnt count +Currently umount on symlink blocks following umount: + +/vz is separate mount + +# ls /vz/ -al | grep test +drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir +lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir +# umount -l /vz/testlink +umount: /vz/testlink: not mounted (expected) +# lsof /vz +# umount /vz +umount: /vz: device is busy. (unexpected) + +In this case mountpoint_last() gets an extra refcount on path->mnt + +Signed-off-by: Vasily Averin +--- + fs/namei.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) +diff --git a/fs/namei.c b/fs/namei.c +index 985c6f3..9eb787e 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2256,9 +2256,10 @@ done: + goto out; + } + path->dentry = dentry; +- path->mnt = mntget(nd->path.mnt); ++ path->mnt = nd->path.mnt; + if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW)) + return 1; ++ mntget(path->mnt); + follow_mount(path); + error = 0; + out: +-- +1.7.5.4 diff --git a/freed-ora/current/f20/kernel.spec b/freed-ora/current/f20/kernel.spec index 3be4f3b21..942433dbb 100644 --- a/freed-ora/current/f20/kernel.spec +++ b/freed-ora/current/f20/kernel.spec @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -805,12 +805,33 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch #rhbz 1114768 Patch25112: 0001-synaptics-Add-min-max-quirk-for-pnp-id-LEN2002-Edge-.patch -#rhbz 1117008 -Patch25114: Revert-drm-i915-reverse-dp-link-param-selection-pref.patch - #CVE-2014-4943 rhbz 1119458 1120542 Patch25115: net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch +#CVE-2014-3534 rhbz 1114089 1122612 +Patch25117: s390-ptrace-fix-PSW-mask-check.patch + +#rhbz 1117942 +Patch25118: sched-fix-sched_setparam-policy-1-logic.patch + +#CVE-2014-5045 rhbz 1122472 1122482 +Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch + +#rhbz 1060327 +Patch25123: drm-try-harder-to-avoid-regression-when-merging-mode.patch + +#CVE-2014-5077 rhbz 1122982 1123696 +Patch25124: net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch + +#rhbz 1025690 +Patch25125: 0001-ACPI-video-Add-use_native_backlight-quirk-for-HP-Pro.patch + +#rhbz 1123565 +Patch25126: 0001-acpi-video-Add-video.use_native_backlight-1-for-HP-E.patch + +#rhbz 1121288 +Patch25127: 0001-xhci-Blacklist-using-streams-on-the-Etron-EJ168-cont.patch + # END OF PATCH DEFINITIONS %endif @@ -1575,12 +1596,33 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch #rhbz 1114768 ApplyPatch 0001-synaptics-Add-min-max-quirk-for-pnp-id-LEN2002-Edge-.patch -#rhbz 1117008 -ApplyPatch Revert-drm-i915-reverse-dp-link-param-selection-pref.patch - #CVE-2014-4943 rhbz 1119458 1120542 ApplyPatch net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch +#CVE-2014-3534 rhbz 1114089 1122612 +ApplyPatch s390-ptrace-fix-PSW-mask-check.patch + +#rhbz 1117942 +ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch + +#CVE-2014-5045 rhbz 1122472 1122482 +ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch + +#rhbz 1060327 +ApplyPatch drm-try-harder-to-avoid-regression-when-merging-mode.patch + +#CVE-2014-5077 rhbz 1122982 1123696 +ApplyPatch net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch + +#rhbz 1025690 +ApplyPatch 0001-ACPI-video-Add-use_native_backlight-quirk-for-HP-Pro.patch + +#rhbz 1123565 +ApplyPatch 0001-acpi-video-Add-video.use_native_backlight-1-for-HP-E.patch + +#rhbz 1121288 +ApplyPatch 0001-xhci-Blacklist-using-streams-on-the-Etron-EJ168-cont.patch + # END OF PATCH APPLICATIONS %endif @@ -2403,6 +2445,30 @@ fi # ||----w | # || || %changelog +* Mon Jul 28 2014 Alexandre Oliva -libre +- GNU Linux-libre 3.15.7-gnu. + +* Mon Jul 28 2014 Justin M. Forbes 3.15.7-200 +- Linux v3.15.7 + +* Mon Jul 28 2014 Hans de Goede +- Add use_native_backlight=1 quirk for HP ProBook 4540s (rhbz#1025690) +- Add use_native_backlight=1 quirk for HP EliteBook 2014 series (rhbz#1123565) +- Blacklist usb bulk streams on Etron EJ168 xhci controllers (rhbz#1121288) + +* Mon Jul 28 2014 Josh Boyer +- CVE-2014-5077 sctp: fix NULL ptr dereference (rhbz 1122982 1123696) + +* Fri Jul 25 2014 Josh Boyer +- Re-add patch fixing spice resize (rhbz 1060327) + +* Thu Jul 24 2014 Josh Boyer +- CVE-2014-4171 shmem: denial of service (rhbz 1111180 1118247) +- CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482) +- Fix regression in sched_setparam (rhbz 1117942) +- CVE-2014-3534 s390: ptrace: insufficient sanitization with psw mask (rhbz 1114089 1122612) +- Fix ath3k bluetooth regression (rhbz 1121785) + * Fri Jul 18 2014 Alexandre Oliva -libre - GNU Linux-libre 3.15.6-gnu. diff --git a/freed-ora/current/f20/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch b/freed-ora/current/f20/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch new file mode 100644 index 000000000..73bad5276 --- /dev/null +++ b/freed-ora/current/f20/net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch @@ -0,0 +1,212 @@ +Bugzilla: 1123696 +Upstream-status: Queued for 3.16 + +From patchwork Tue Jul 22 13:22:45 2014 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [net,v2] net: sctp: inherit auth_capable on INIT collisions +From: Daniel Borkmann +X-Patchwork-Id: 372475 +Message-Id: <1406035365-1154-1-git-send-email-dborkman@redhat.com> +To: davem@davemloft.net +Cc: jgunthorpe@obsidianresearch.com, netdev@vger.kernel.org, + linux-sctp@vger.kernel.org, Vlad Yasevich +Date: Tue, 22 Jul 2014 15:22:45 +0200 + +Jason reported an oops caused by SCTP on his ARM machine with +SCTP authentication enabled: + +Internal error: Oops: 17 [#1] ARM +CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1 +task: c6eefa40 ti: c6f52000 task.ti: c6f52000 +PC is at sctp_auth_calculate_hmac+0xc4/0x10c +LR is at sg_init_table+0x20/0x38 +pc : [] lr : [] psr: 40000013 +sp : c6f538e8 ip : 00000000 fp : c6f53924 +r10: c6f50d80 r9 : 00000000 r8 : 00010000 +r7 : 00000000 r6 : c7be4000 r5 : 00000000 r4 : c6f56254 +r3 : c00c8170 r2 : 00000001 r1 : 00000008 r0 : c6f1e660 +Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 0005397f Table: 06f28000 DAC: 00000015 +Process sctp-test (pid: 104, stack limit = 0xc6f521c0) +Stack: (0xc6f538e8 to 0xc6f54000) +[...] +Backtrace: +[] (sctp_auth_calculate_hmac+0x0/0x10c) from [] (sctp_packet_transmit+0x33c/0x5c8) +[] (sctp_packet_transmit+0x0/0x5c8) from [] (sctp_outq_flush+0x7fc/0x844) +[] (sctp_outq_flush+0x0/0x844) from [] (sctp_outq_uncork+0x24/0x28) +[] (sctp_outq_uncork+0x0/0x28) from [] (sctp_side_effects+0x1134/0x1220) +[] (sctp_side_effects+0x0/0x1220) from [] (sctp_do_sm+0xac/0xd4) +[] (sctp_do_sm+0x0/0xd4) from [] (sctp_assoc_bh_rcv+0x118/0x160) +[] (sctp_assoc_bh_rcv+0x0/0x160) from [] (sctp_inq_push+0x6c/0x74) +[] (sctp_inq_push+0x0/0x74) from [] (sctp_rcv+0x7d8/0x888) + +While we already had various kind of bugs in that area +ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if +we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache +auth_enable per endpoint"), this one is a bit of a different +kind. + +Giving a bit more background on why SCTP authentication is +needed can be found in RFC4895: + + SCTP uses 32-bit verification tags to protect itself against + blind attackers. These values are not changed during the + lifetime of an SCTP association. + + Looking at new SCTP extensions, there is the need to have a + method of proving that an SCTP chunk(s) was really sent by + the original peer that started the association and not by a + malicious attacker. + +To cause this bug, we're triggering an INIT collision between +peers; normal SCTP handshake where both sides intent to +authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO +parameters that are being negotiated among peers: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + -------------------- COOKIE-ECHO --------------------> + <-------------------- COOKIE-ACK --------------------- + +RFC4895 says that each endpoint therefore knows its own random +number and the peer's random number *after* the association +has been established. The local and peer's random number along +with the shared key are then part of the secret used for +calculating the HMAC in the AUTH chunk. + +Now, in our scenario, we have 2 threads with 1 non-blocking +SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY +and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling +sctp_bindx(3), listen(2) and connect(2) against each other, +thus the handshake looks similar to this, e.g.: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + <--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------- + -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------> + ... + +Since such collisions can also happen with verification tags, +the RFC4895 for AUTH rather vaguely says under section 6.1: + + In case of INIT collision, the rules governing the handling + of this Random Number follow the same pattern as those for + the Verification Tag, as explained in Section 5.2.4 of + RFC 2960 [5]. Therefore, each endpoint knows its own Random + Number and the peer's Random Number after the association + has been established. + +In RFC2960, section 5.2.4, we're eventually hitting Action B: + + B) In this case, both sides may be attempting to start an + association at about the same time but the peer endpoint + started its INIT after responding to the local endpoint's + INIT. Thus it may have picked a new Verification Tag not + being aware of the previous Tag it had sent this endpoint. + The endpoint should stay in or enter the ESTABLISHED + state but it MUST update its peer's Verification Tag from + the State Cookie, stop any init or cookie timers that may + running and send a COOKIE ACK. + +In other words, the handling of the Random parameter is the +same as behavior for the Verification Tag as described in +Action B of section 5.2.4. + +Looking at the code, we exactly hit the sctp_sf_do_dupcook_b() +case which triggers an SCTP_CMD_UPDATE_ASSOC command to the +side effect interpreter, and in fact it properly copies over +peer_{random, hmacs, chunks} parameters from the newly created +association to update the existing one. + +Also, the old asoc_shared_key is being released and based on +the new params, sctp_auth_asoc_init_active_key() updated. +However, the issue observed in this case is that the previous +asoc->peer.auth_capable was 0, and has *not* been updated, so +that instead of creating a new secret, we're doing an early +return from the function sctp_auth_asoc_init_active_key() +leaving asoc->asoc_shared_key as NULL. However, we now have to +authenticate chunks from the updated chunk list (e.g. COOKIE-ACK). + +That in fact causes the server side when responding with ... + + <------------------ AUTH; COOKIE-ACK ----------------- + +... to trigger a NULL pointer dereference, since in +sctp_packet_transmit(), it discovers that an AUTH chunk is +being queued for xmit, and thus it calls sctp_auth_calculate_hmac(). + +Since the asoc->active_key_id is still inherited from the +endpoint, and the same as encoded into the chunk, it uses +asoc->asoc_shared_key, which is still NULL, as an asoc_key +and dereferences it in ... + + crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len) + +... causing an oops. All this happens because sctp_make_cookie_ack() +called with the *new* association has the peer.auth_capable=1 +and therefore marks the chunk with auth=1 after checking +sctp_auth_send_cid(), but it is *actually* sent later on over +the then *updated* association's transport that didn't initialize +its shared key due to peer.auth_capable=0. Since control chunks +in that case are not sent by the temporary association which +are scheduled for deletion, they are issued for xmit via +SCTP_CMD_REPLY in the interpreter with the context of the +*updated* association. peer.auth_capable was 0 in the updated +association (which went from COOKIE_WAIT into ESTABLISHED state), +since all previous processing that performed sctp_process_init() +was being done on temporary associations, that we eventually +throw away each time. + +The correct fix is to update to the new peer.auth_capable +value as well in the collision case via sctp_assoc_update(), +so that in case the collision migrated from 0 -> 1, +sctp_auth_asoc_init_active_key() can properly recalculate +the secret. This therefore fixes the observed server panic. + +Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") +Reported-by: Jason Gunthorpe +Signed-off-by: Daniel Borkmann +Tested-by: Jason Gunthorpe +Cc: Vlad Yasevich +Acked-by: Vlad Yasevich +--- + v1 -> v2, more notes: + + I've only updated the commit description for now, this bug seems + clear to me that we would need to fix it; since RFC4895 mentions + it explicitly that on collisions, we need to *update* these params + accordingly as we would do so in RFC2960. So in other words, this + can be explained by having an *inconsistency* when doing the update + as auth_capable is *tightly coupled* with peer_random, peer_chunks, + peer_hmacs and eventually the asoc_shared_key creation. + + For the rest, I went through the code and currently could not + find where we could oops if we don't have the others for now. It + needs more time and testing however. It's also not too clear from + RFC2960/RFC4960 what needs to be carried over in addition: so we + know "The endpoint should stay in or enter the ESTABLISHED state + but it MUST update its peer's Verification Tag from the State + Cookie, stop any init or cookie timers that may running and send + a COOKIE ACK." and we know that we need to update all AUTH related + members, which we do *now*. + + In addition, we also need to fix AUTH + COOKIE_ECHO collisions, + as they currently cannot be resolved properly into a handshake. + + net/sctp/associola.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 9de23a2..06a9ee6 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->c = new->c; + asoc->peer.rwnd = new->peer.rwnd; + asoc->peer.sack_needed = new->peer.sack_needed; ++ asoc->peer.auth_capable = new->peer.auth_capable; + asoc->peer.i = new->peer.i; + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, + asoc->peer.i.initial_tsn, GFP_ATOMIC); diff --git a/freed-ora/current/f20/s390-ptrace-fix-PSW-mask-check.patch b/freed-ora/current/f20/s390-ptrace-fix-PSW-mask-check.patch new file mode 100644 index 000000000..9d5484049 --- /dev/null +++ b/freed-ora/current/f20/s390-ptrace-fix-PSW-mask-check.patch @@ -0,0 +1,59 @@ +Bugzilla: 1122612 +Upstream-status: 3.16 and CC'd to stable + +From dab6cf55f81a6e16b8147aed9a843e1691dcd318 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 23 Jun 2014 15:29:40 +0200 +Subject: [PATCH] s390/ptrace: fix PSW mask check + +The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect. +The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace +interface accepts all combinations for the address-space-control +bits. To protect the kernel space the PSW mask check in ptrace needs +to reject the address-space-control bit combination for home space. + +Fixes CVE-2014-3534 + +Cc: stable@vger.kernel.org +Signed-off-by: Martin Schwidefsky +--- + arch/s390/kernel/ptrace.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 2d716734b5b1..5dc7ad9e2fbf 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -334,9 +334,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) + unsigned long mask = PSW_MASK_USER; + + mask |= is_ri_task(child) ? PSW_MASK_RI : 0; +- if ((data & ~mask) != PSW_USER_BITS) ++ if ((data ^ PSW_USER_BITS) & ~mask) ++ /* Invalid psw mask. */ ++ return -EINVAL; ++ if ((data & PSW_MASK_ASC) == PSW_ASC_HOME) ++ /* Invalid address-space-control bits */ + return -EINVAL; + if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA)) ++ /* Invalid addressing mode bits */ + return -EINVAL; + } + *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data; +@@ -672,9 +677,12 @@ static int __poke_user_compat(struct task_struct *child, + + mask |= is_ri_task(child) ? PSW32_MASK_RI : 0; + /* Build a 64 bit psw mask from 31 bit mask. */ +- if ((tmp & ~mask) != PSW32_USER_BITS) ++ if ((tmp ^ PSW32_USER_BITS) & ~mask) + /* Invalid psw mask. */ + return -EINVAL; ++ if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME) ++ /* Invalid address-space-control bits */ ++ return -EINVAL; + regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) | + (regs->psw.mask & PSW_MASK_BA) | + (__u64)(tmp & mask) << 32; +-- +1.9.3 + diff --git a/freed-ora/current/f20/sched-fix-sched_setparam-policy-1-logic.patch b/freed-ora/current/f20/sched-fix-sched_setparam-policy-1-logic.patch new file mode 100644 index 000000000..060e0dcef --- /dev/null +++ b/freed-ora/current/f20/sched-fix-sched_setparam-policy-1-logic.patch @@ -0,0 +1,68 @@ +Bugzilla: 1117942 +Upstream-status: Sent for 3.16 and seen by peterz + +The scheduler uses policy=-1 to preserve the current policy state to +implement sched_setparam(). But, as (int) -1 is equals to 0xffffffff, +it's matching the if (policy & SCHED_RESET_ON_FORK) on +_sched_setscheduler(). This match changes the policy value to an +invalid value, breaking the sched_setparam() syscall. + +This patch checks policy=-1 before check the SCHED_RESET_ON_FORK flag. + +The following program shows the bug: + +int main(void) +{ + struct sched_param param = { + .sched_priority = 5, + }; + + sched_setscheduler(0, SCHED_FIFO, ¶m); + param.sched_priority = 1; + sched_setparam(0, ¶m); + param.sched_priority = 0; + sched_getparam(0, ¶m); + if (param.sched_priority != 1) + printf("failed priority setting (found %d instead of 1)\n", + param.sched_priority); + else + printf("priority setting fine\n"); +} + +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org # 3.14+ +Fixes: 7479f3c9cf67 "sched: Move SCHED_RESET_ON_FORK into attr::sched_flags" +Reviewed-by: Steven Rostedt +Signed-off-by: Daniel Bristot de Oliveira + +--- + kernel/sched/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index bc1638b..0acf96b 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3558,9 +3558,10 @@ static int _sched_setscheduler(struct task_struct *p, int policy, + }; + + /* +- * Fixup the legacy SCHED_RESET_ON_FORK hack ++ * Fixup the legacy SCHED_RESET_ON_FORK hack, except if ++ * the policy=-1 was passed by sched_setparam(). + */ +- if (policy & SCHED_RESET_ON_FORK) { ++ if ((policy != -1) && (policy & SCHED_RESET_ON_FORK)) { + attr.sched_flags |= SCHED_FLAG_RESET_ON_FORK; + policy &= ~SCHED_RESET_ON_FORK; + attr.sched_policy = policy; +-- +1.9.3 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/freed-ora/current/f20/sources b/freed-ora/current/f20/sources index 7791bde7c..233478d7c 100644 --- a/freed-ora/current/f20/sources +++ b/freed-ora/current/f20/sources @@ -1,2 +1,2 @@ 3e6ef6e8e5153050cbc0ecd305cb2cb9 linux-libre-3.15-gnu.tar.xz -25e4c27b4aff5e14dc4b3dc0029fd05d patch-3.15.6.xz +2f09ab9d30dfe6d59469990a46d20cc4 patch-3.15.7.xz -- cgit v1.2.1