From 046b8e241965544e2e53642a573eb5c4c7a517c8 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Feb 26 2016 18:23:49 +0000
Subject: Linux v4.4.3 - Fix automounting behavior of ATA drives (rhbz 1310682) - Fix suspend blacklight blanking behavior
---
diff --git a/0001-Test-ata-fix.patch b/0001-Test-ata-fix.patch
new file mode 100644
index 0000000..0ae2cf7
--- /dev/null
+++ b/0001-Test-ata-fix.patch
@@ -0,0 +1,27 @@
+From bb4d91481dd2122351866e500b46cff9399f579d Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Thu, 25 Feb 2016 11:40:07 -0800
+Subject: [PATCH] Test ata fix
+
+Signed-off-by: Laura Abbott
+---
+ drivers/ata/libahci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index 1f225cc..998c6a8 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1142,8 +1142,7 @@ static void ahci_port_init(struct device *dev, struct ata_port *ap,
+
+ /* mark esata ports */
+ tmp = readl(port_mmio + PORT_CMD);
+- if ((tmp & PORT_CMD_HPCP) ||
+- ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS)))
++ if ((tmp & PORT_CMD_ESP) && (hpriv->cap & HOST_CAP_SXS))
+ ap->pflags |= ATA_PFLAG_EXTERNAL;
+ }
+
+--
+2.5.0
+
diff --git a/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch b/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
deleted file mode 100644
index c02a0f5..0000000
--- a/Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
+++ /dev/null
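Review bot: The carried patch `0001-Test-ata-fix.patch` has the subject "Test ata fix" and an empty body, so nothing in the package explains why the `PORT_CMD_HPCP` test is dropped from the eSATA marking in `ahci_port_init()`. After the change a port gets `ATA_PFLAG_EXTERNAL` only when `PORT_CMD_ESP` is set and the host reports `HOST_CAP_SXS`. Whether a disk counts as external appears, from the changelog line about automounting, to feed the removable-media policy that decides who may mount it, so the reasoning deserves to be recorded. I would rename the patch and give it a body, for example a subject like `ahci: do not mark hot-plug capable ports as external (rhbz 1310682)` plus a pointer to the upstream submission, so the next rebase can tell whether it is still needed. The body of ahci_port_init starts outside the inner hunk.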
@@ -1,41 +0,0 @@
-From 6544a1df11c48c8413071aac3316792e4678fbfb Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires
-Date: Mon, 11 Jan 2016 17:35:38 -0800
-Subject: [PATCH] Input: elantech - mark protocols v2 and v3 as semi-mt
-
-When using a protocol v2 or v3 hardware, elantech uses the function
-elantech_report_semi_mt_data() to report data. This devices are rather
-creepy because if num_finger is 3, (x2,y2) is (0,0). Yes, only one valid
-touch is reported.
-
-Anyway, userspace (libinput) is now confused by these (0,0) touches,
-and detect them as palm, and rejects them.
-
-Commit 3c0213d17a09 ("Input: elantech - fix semi-mt protocol for v3 HW")
-was sufficient enough for xf86-input-synaptics and libinput before it has
-palm rejection. Now we need to actually tell libinput that this device is
-a semi-mt one and it should not rely on the actual values of the 2 touches.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires
-Signed-off-by: Dmitry Torokhov
----
- drivers/input/mouse/elantech.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
-index 537ebb0e193a..78f93cf68840 100644
---- a/drivers/input/mouse/elantech.c
-+++ b/drivers/input/mouse/elantech.c
-@@ -1222,7 +1222,7 @@ static int elantech_set_input_params(struct psmouse *psmouse)
- input_set_abs_params(dev, ABS_TOOL_WIDTH, ETP_WMIN_V2,
- ETP_WMAX_V2, 0, 0);
- }
-- input_mt_init_slots(dev, 2, 0);
-+ input_mt_init_slots(dev, 2, INPUT_MT_SEMI_MT);
- input_set_abs_params(dev, ABS_MT_POSITION_X, x_min, x_max, 0, 0);
- input_set_abs_params(dev, ABS_MT_POSITION_Y, y_min, y_max, 0, 0);
- break;
---
-2.5.0
-
diff --git a/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch b/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
deleted file mode 100644
index 90bf053..0000000
--- a/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001
-From: Mike Kravetz
-Date: Fri, 15 Jan 2016 16:57:37 -0800
-Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
-
-Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
-argument end is of type pgoff_t. It was being converted to a vaddr
-offset and passed to unmap_hugepage_range. However, end was also being
-used as an argument to the vma_interval_tree_foreach controlling loop.
-In addition, the conversion of end to vaddr offset was incorrect.
-
-hugetlb_vmtruncate_list is called as part of a file truncate or
-fallocate hole punch operation.
-
-When truncating a hugetlbfs file, this bug could prevent some pages from
-being unmapped. This is possible if there are multiple vmas mapping the
-file, and there is a sufficiently sized hole between the mappings. The
-size of the hole between two vmas (A,B) must be such that the starting
-virtual address of B is greater than (ending virtual address of A <<
-PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
-pages are not properly unmapped during truncate, the following BUG is
-hit:
-
- kernel BUG at fs/hugetlbfs/inode.c:428!
-
-In the fallocate hole punch case, this bug could prevent pages from
-being unmapped as in the truncate case. However, for hole punch the
-result is that unmapped pages will not be removed during the operation.
-For hole punch, it is also possible that more pages than desired will be
-unmapped. This unnecessary unmapping will cause page faults to
-reestablish the mappings on subsequent page access.
-
-Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton
-Signed-off-by: Mike Kravetz
-Cc: Hugh Dickins
-Cc: Naoya Horiguchi
-Cc: Davidlohr Bueso
-Cc: Dave Hansen
-Cc: [4.3]
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
- fs/hugetlbfs/inode.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
-index bbc333b01ca3..9c07d2d754c9 100644
---- a/fs/hugetlbfs/inode.c
-+++ b/fs/hugetlbfs/inode.c
-@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
- */
- vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
- unsigned long v_offset;
-+ unsigned long v_end;
-
- /*
- * Can the expression below overflow on 32-bit arches?
-@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
- else
- v_offset = 0;
-
-- if (end) {
-- end = ((end - start) << PAGE_SHIFT) +
-- vma->vm_start + v_offset;
-- if (end > vma->vm_end)
-- end = vma->vm_end;
-- } else
-- end = vma->vm_end;
-+ if (!end)
-+ v_end = vma->vm_end;
-+ else {
-+ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT)
-+ + vma->vm_start;
-+ if (v_end > vma->vm_end)
-+ v_end = vma->vm_end;
-+ }
-
-- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
-+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
-+ NULL);
- }
- }
-
---
-2.5.0
-
diff --git a/kernel.spec b/kernel.spec
index 65946cf..d5f8096 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -40,7 +40,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 301
+%global baserelease 300
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -52,7 +52,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -596,9 +596,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
 #rhbz 1288687
 Patch572: alua_fix.patch
-#CVE-2015-8709 rhbz 1295287 1295288
-Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
-
 Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch
 #rhbz 1083853
@@ -617,15 +614,9 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
 #rhbz 1255325
 Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
-#CVE-2016-0617 rhbz 1305803 1305804
-Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
-
 #CVE-2016-2383 rhbz 1308452 1308453
 Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
-#rhbz 1306987
-Patch651: Input-elantech-mark-protocols-v2-and-v3-as-semi-mt.patch
-
 #CVE-2015-8812 rhbz 1303532 1309548
 Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
@@ -638,6 +629,10 @@ Patch655: iommu-fix.patch
 #CVE-2016-2550 rhbz 1311517 1311518
 Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch
+#rhbz 1310682
+Patch657: 0001-Test-ata-fix.patch
+
+Patch658: nouveau-displayoff-fix.patch
 # END OF PATCH DEFINITIONS
 %endif
@@ -2081,6 +2076,11 @@ fi
 #
 #
 %changelog
+* Fri Feb 26 2016 Laura Abbott - 4.4.3-300
+- Linux v4.4.3
+- Fix automounting behavior of ATA drives (rhbz 1310682)
+- Fix suspend blacklight blanking behavior
+
 * Thu Feb 25 2016 Peter Robinson
 - Fix deferred nouveau module loading on tegra
diff --git a/nouveau-displayoff-fix.patch b/nouveau-displayoff-fix.patch
new file mode 100644
index 0000000..32045d3
--- /dev/null
+++ b/nouveau-displayoff-fix.patch
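Review bot: The `%changelog` entry added in the last kernel.spec hunk does not record that `Patch603` (CVE-2015-8709), `Patch648` (CVE-2016-0617) and `Patch651` (rhbz 1306987) are removed in the `@@ -596` and `@@ -617` hunks. Presumably they are dropped because v4.4.3 already contains the fixes, but that cannot be confirmed from this page. The ptrace patch header shows only the author's sign-off and no stable tag, so it is the one most worth checking against the 4.4.3 tree. If that is the reason, a changelog line such as `- Drop CVE-2015-8709 and CVE-2016-0617 patches, included in 4.4.3` would let anyone auditing the package's CVE coverage verify it from the spec alone. In the `@@ -638` hunk, `Patch658: nouveau-displayoff-fix.patch` is also the only new entry without a `#rhbz` reference comment above it.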
@@ -0,0 +1,61 @@
+From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs
+Date: Thu, 18 Feb 2016 08:14:19 +1000
+Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link
+ training
+
+This can happen under some annoying circumstances, and is a quick fix
+until more substantial changes can be made.
+
+Fixed eDP mode changes on (at least) the Lenovo P50.
+
+Signed-off-by: Ben Skeggs
+Cc: stable@vger.kernel.org
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
+index 74e2f7c..9688970 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c
+@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w)
+ .outp = outp,
+ }, *dp = &_dp;
+ u32 datarate = 0;
++ u8 pwr;
+ int ret;
+
+ if (!outp->base.info.location && disp->func->sor.magic)
+@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w)
+ /* disable link interrupt handling during link training */
+ nvkm_notify_put(&outp->irq);
+
++ /* ensure sink is not in a low-power state */
++ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) {
++ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) {
++ pwr &= ~DPCD_SC00_SET_POWER;
++ pwr |= DPCD_SC00_SET_POWER_D0;
++ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1);
++ }
++ }
++
+ /* enable down-spreading and execute pre-train script from vbios */
+ dp_link_train_init(dp, outp->dpcd[3] & 0x01);
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
+index 9596290..6e10c5e 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h
+@@ -71,5 +71,11 @@
+ #define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c
+ #define DPCD_LS0C_LANE0_POST_CURSOR2 0x03
+
++/* DPCD Sink Control */
++#define DPCD_SC00 0x00600
++#define DPCD_SC00_SET_POWER 0x03
++#define DPCD_SC00_SET_POWER_D0 0x01
++#define DPCD_SC00_SET_POWER_D3 0x03
++
+ void nvkm_dp_train(struct work_struct *);
+ #endif
+--
+cgit v0.10.2
+
diff --git a/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch b/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
deleted file mode 100644
index 55c3ab9..0000000
--- a/ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
+++ /dev/null
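Review bot: In the block added to `nvkm_dp_train()`, the result of `nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1)` is discarded and `dp_link_train_init()` runs immediately after the write. A sink leaving a low-power state is allowed a short wake-up time before it answers AUX requests reliably, and the DRM core helper `drm_dp_link_power_up()` sleeps for about a millisecond after the same register write. I would check the return value and wait, e.g. `if (!nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1)) usleep_range(1000, 2000);`, which is safe here since the function runs from a work item. A failing `nvkm_rdaux()` is also skipped silently; a debug message on that path would help when training fails later. The body of nvkm_dp_train starts and ends outside both inner hunks.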
@@ -1,108 +0,0 @@
-From 64a37c8197f4e1c2637cd80326f4649282176369 Mon Sep 17 00:00:00 2001
-From: Jann Horn
-Date: Sat, 26 Dec 2015 03:52:31 +0100
-Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids
-
-ptrace_has_cap() checks whether the current process should be
-treated as having a certain capability for ptrace checks
-against another process. Until now, this was equivalent to
-has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
-
-However, if a root-owned process wants to enter a user
-namespace for some reason without knowing who owns it and
-therefore can't change to the namespace owner's uid and gid
-before entering, as soon as it has entered the namespace,
-the namespace owner can attach to it via ptrace and thereby
-gain access to its uid and gid.
-
-While it is possible for the entering process to switch to
-the uid of a claimed namespace owner before entering,
-causing the attempt to enter to fail if the claimed uid is
-wrong, this doesn't solve the problem of determining an
-appropriate gid.
-
-With this change, the entering process can first enter the
-namespace and then safely inspect the namespace's
-properties, e.g. through /proc/self/{uid_map,gid_map},
-assuming that the namespace owner doesn't have access to
-uid 0.
-
-Changed in v2: The caller needs to be capable in the
-namespace into which tcred's uids/gids can be mapped.
-
-Signed-off-by: Jann Horn
----
- kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
- 1 file changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 787320de68e0..407c382b45c8 100644
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -20,6 +20,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
- return ret;
- }
-
--static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
-+static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
- {
-+ struct user_namespace *tns = tcred->user_ns;
-+
-+ /* When a root-owned process enters a user namespace created by a
-+ * malicious user, the user shouldn't be able to execute code under
-+ * uid 0 by attaching to the root-owned process via ptrace.
-+ * Therefore, similar to the capable_wrt_inode_uidgid() check,
-+ * verify that all the uids and gids of the target process are
-+ * mapped into a namespace below the current one in which the caller
-+ * is capable.
-+ * No fsuid/fsgid check because __ptrace_may_access doesn't do it
-+ * either.
-+ */
-+ while (
-+ !kuid_has_mapping(tns, tcred->euid) ||
-+ !kuid_has_mapping(tns, tcred->suid) ||
-+ !kuid_has_mapping(tns, tcred->uid) ||
-+ !kgid_has_mapping(tns, tcred->egid) ||
-+ !kgid_has_mapping(tns, tcred->sgid) ||
-+ !kgid_has_mapping(tns, tcred->gid)) {
-+ tns = tns->parent;
-+ }
-+
- if (mode & PTRACE_MODE_NOAUDIT)
-- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
-+ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
- else
-- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
-+ return has_ns_capability(current, tns, CAP_SYS_PTRACE);
- }
-
- /* Returns 0 on success, -errno on denial. */
-@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- gid_eq(cred->gid, tcred->sgid) &&
- gid_eq(cred->gid, tcred->gid))
- goto ok;
-- if (ptrace_has_cap(tcred->user_ns, mode))
-+ if (ptrace_has_cap(tcred, mode))
- goto ok;
- rcu_read_unlock();
- return -EPERM;
-@@ -252,7 +275,7 @@ ok:
- dumpable = get_dumpable(task->mm);
- rcu_read_lock();
- if (dumpable != SUID_DUMP_USER &&
-- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
-+ !ptrace_has_cap(__task_cred(task), mode)) {
- rcu_read_unlock();
- return -EPERM;
- }
---
-2.5.0
-
diff --git a/sources b/sources
index e225661..be63b52 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
-abdfe599a4ea827f9975cf0631148e70 patch-4.4.2.xz
+078427483ee96f3e072e7b5409b5a117 patch-4.4.3.xz