From a7237117c42893bdd0818db9ab2779074b4f836a Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Mar 04 2016 01:48:26 +0000 Subject: Linux v4.4.4 --- diff --git a/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch b/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch deleted file mode 100644 index fc5a1a5..0000000 --- a/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch +++ /dev/null @@ -1,92 +0,0 @@ -From a1b14d27ed0965838350f1377ff97c93ee383492 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Wed, 10 Feb 2016 16:47:11 +0100 -Subject: [PATCH] bpf: fix branch offset adjustment on backjumps after patching - ctx expansion - -When ctx access is used, the kernel often needs to expand/rewrite -instructions, so after that patching, branch offsets have to be -adjusted for both forward and backward jumps in the new eBPF program, -but for backward jumps it fails to account the delta. Meaning, for -example, if the expansion happens exactly on the insn that sits at -the jump target, it doesn't fix up the back jump offset. - -Analysis on what the check in adjust_branches() is currently doing: - - /* adjust offset of jmps if necessary */ - if (i < pos && i + insn->off + 1 > pos) - insn->off += delta; - else if (i > pos && i + insn->off + 1 < pos) - insn->off -= delta; - -First condition (forward jumps): - - Before: After: - - insns[0] insns[0] - insns[1] <--- i/insn insns[1] <--- i/insn - insns[2] <--- pos insns[P] <--- pos - insns[3] insns[P] `------| delta - insns[4] <--- target_X insns[P] `-----| - insns[5] insns[3] - insns[4] <--- target_X - insns[5] - -First case is if we cross pos-boundary and the jump instruction was -before pos. This is handeled correctly. I.e. if i == pos, then this -would mean our jump that we currently check was the patchlet itself -that we just injected. Since such patchlets are self-contained and -have no awareness of any insns before or after the patched one, the -delta is correctly not adjusted. Also, for the second condition in -case of i + insn->off + 1 == pos, means we jump to that newly patched -instruction, so no offset adjustment are needed. That part is correct. - -Second condition (backward jumps): - - Before: After: - - insns[0] insns[0] - insns[1] <--- target_X insns[1] <--- target_X - insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y - insns[3] insns[P] `------| delta - insns[4] <--- i/insn insns[P] `-----| - insns[5] insns[3] - insns[4] <--- i/insn - insns[5] - -Second interesting case is where we cross pos-boundary and the jump -instruction was after pos. Backward jump with i == pos would be -impossible and pose a bug somewhere in the patchlet, so the first -condition checking i > pos is okay only by itself. However, i + -insn->off + 1 < pos does not always work as intended to trigger the -adjustment. It works when jump targets would be far off where the -delta wouldn't matter. But, for example, where the fixed insn->off -before pointed to pos (target_Y), it now points to pos + delta, so -that additional room needs to be taken into account for the check. -This means that i) both tests here need to be adjusted into pos + delta, -and ii) for the second condition, the test needs to be <= as pos -itself can be a target in the backjump, too. - -Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields") -Signed-off-by: Daniel Borkmann -Signed-off-by: David S. Miller ---- - kernel/bpf/verifier.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index d1d3e8f57de9..2e7f7ab739e4 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2082,7 +2082,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta) - /* adjust offset of jmps if necessary */ - if (i < pos && i + insn->off + 1 > pos) - insn->off += delta; -- else if (i > pos && i + insn->off + 1 < pos) -+ else if (i > pos + delta && i + insn->off + 1 <= pos + delta) - insn->off -= delta; - } - } --- -2.5.0 - diff --git a/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch b/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch deleted file mode 100644 index cd53bf7..0000000 --- a/drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 41ed5ee704b784a4fca02787311d59c243563013 Mon Sep 17 00:00:00 2001 -From: Jani Nikula -Date: Thu, 7 Jan 2016 10:29:10 +0200 -Subject: [PATCH] drm/i915: shut up gen8+ SDE irq dmesg noise, again - -We still keep getting - -[ 4.249930] [drm:gen8_irq_handler [i915]] *ERROR* The master control interrupt lied (SDE)! - -This reverts - -commit 820da7ae46332fa709b171eb7ba57cbd023fa6df -Author: Jani Nikula -Date: Wed Nov 25 16:47:23 2015 +0200 - - Revert "drm/i915: shut up gen8+ SDE irq dmesg noise" - -which in itself is a revert, so this is just doing - -commit 97e5ed1111dcc5300a0f59a55248cd243937a8ab -Author: Daniel Vetter -Date: Fri Oct 23 10:56:12 2015 +0200 - - drm/i915: shut up gen8+ SDE irq dmesg noise - -all over again. I'll stop pretending I understand what's going on like I -did when I thought I'd fixed this for good in - -commit 6a39d7c986be4fd18eb019e9cdbf774ec36c9f77 -Author: Jani Nikula -Date: Wed Nov 25 16:47:22 2015 +0200 - - drm/i915: fix the SDE irq dmesg warnings properly - -Reported-by: Chris Wilson -Reference: http://mid.gmane.org/20151213124945.GA5715@nuc-i3427.alporthouse.com -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92084 -Cc: drm-intel-fixes@lists.freedesktop.org -Fixes: 820da7ae4633 ("Revert "drm/i915: shut up gen8+ SDE irq dmesg noise"") -Signed-off-by: Jani Nikula ---- - drivers/gpu/drm/i915/i915_irq.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index 0d228f909dcb..0f42a2782afc 100644 ---- a/drivers/gpu/drm/i915/i915_irq.c -+++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -2354,9 +2354,13 @@ static irqreturn_t gen8_irq_handler(int irq, void *arg) - spt_irq_handler(dev, pch_iir); - else - cpt_irq_handler(dev, pch_iir); -- } else -- DRM_ERROR("The master control interrupt lied (SDE)!\n"); -- -+ } else { -+ /* -+ * Like on previous PCH there seems to be something -+ * fishy going on with forwarding PCH interrupts. -+ */ -+ DRM_DEBUG_DRIVER("The master control interrupt lied (SDE)!\n"); -+ } - } - - I915_WRITE_FW(GEN8_MASTER_IRQ, GEN8_MASTER_IRQ_CONTROL); --- -2.5.0 - diff --git a/drm-nouveau-platform-Fix-deferred-probe.patch b/drm-nouveau-platform-Fix-deferred-probe.patch deleted file mode 100644 index bae1dae..0000000 --- a/drm-nouveau-platform-Fix-deferred-probe.patch +++ /dev/null @@ -1,116 +0,0 @@ -From patchwork Wed Feb 24 17:34:43 2016 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: drm/nouveau: platform: Fix deferred probe -From: Thierry Reding -X-Patchwork-Id: 587554 -Message-Id: <1456335283-22097-1-git-send-email-thierry.reding@gmail.com> -To: Ben Skeggs -Cc: Alexandre Courbot , Nicolas Chauvet , - dri-devel@lists.freedesktop.org, linux-tegra@vger.kernel.org -Date: Wed, 24 Feb 2016 18:34:43 +0100 - -From: Thierry Reding - -The error cleanup paths aren't quite correct and will crash upon -deferred probe. - -Cc: stable@vger.kernel.org # v4.3+ -Signed-off-by: Thierry Reding -Reviewed-by: Ben Skeggs -Reviewed-by: Alexandre Courbot ---- - drivers/gpu/drm/nouveau/nouveau_platform.c | 2 +- - drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 40 ++++++++++++++++------ - 2 files changed, 30 insertions(+), 12 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_platform.c b/drivers/gpu/drm/nouveau/nouveau_platform.c -index 8a70cec59bcd..2dfe58af12e4 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_platform.c -+++ b/drivers/gpu/drm/nouveau/nouveau_platform.c -@@ -24,7 +24,7 @@ - static int nouveau_platform_probe(struct platform_device *pdev) - { - const struct nvkm_device_tegra_func *func; -- struct nvkm_device *device; -+ struct nvkm_device *device = NULL; - struct drm_device *drm; - int ret; - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c -index 7f8a42721eb2..e7e581d6a8ff 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c -@@ -252,32 +252,40 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func, - - if (!(tdev = kzalloc(sizeof(*tdev), GFP_KERNEL))) - return -ENOMEM; -- *pdevice = &tdev->device; -+ - tdev->func = func; - tdev->pdev = pdev; - tdev->irq = -1; - - tdev->vdd = devm_regulator_get(&pdev->dev, "vdd"); -- if (IS_ERR(tdev->vdd)) -- return PTR_ERR(tdev->vdd); -+ if (IS_ERR(tdev->vdd)) { -+ ret = PTR_ERR(tdev->vdd); -+ goto free; -+ } - - tdev->rst = devm_reset_control_get(&pdev->dev, "gpu"); -- if (IS_ERR(tdev->rst)) -- return PTR_ERR(tdev->rst); -+ if (IS_ERR(tdev->rst)) { -+ ret = PTR_ERR(tdev->rst); -+ goto free; -+ } - - tdev->clk = devm_clk_get(&pdev->dev, "gpu"); -- if (IS_ERR(tdev->clk)) -- return PTR_ERR(tdev->clk); -+ if (IS_ERR(tdev->clk)) { -+ ret = PTR_ERR(tdev->clk); -+ goto free; -+ } - - tdev->clk_pwr = devm_clk_get(&pdev->dev, "pwr"); -- if (IS_ERR(tdev->clk_pwr)) -- return PTR_ERR(tdev->clk_pwr); -+ if (IS_ERR(tdev->clk_pwr)) { -+ ret = PTR_ERR(tdev->clk_pwr); -+ goto free; -+ } - - nvkm_device_tegra_probe_iommu(tdev); - - ret = nvkm_device_tegra_power_up(tdev); - if (ret) -- return ret; -+ goto remove; - - tdev->gpu_speedo = tegra_sku_info.gpu_speedo_value; - ret = nvkm_device_ctor(&nvkm_device_tegra_func, NULL, &pdev->dev, -@@ -285,9 +293,19 @@ nvkm_device_tegra_new(const struct nvkm_device_tegra_func *func, - cfg, dbg, detect, mmio, subdev_mask, - &tdev->device); - if (ret) -- return ret; -+ goto powerdown; -+ -+ *pdevice = &tdev->device; - - return 0; -+ -+powerdown: -+ nvkm_device_tegra_power_down(tdev); -+remove: -+ nvkm_device_tegra_remove_iommu(tdev); -+free: -+ kfree(tdev); -+ return ret; - } - #else - int diff --git a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch b/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch deleted file mode 100644 index 9c517cf..0000000 --- a/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 Mon Sep 17 00:00:00 2001 -From: Hariprasad S -Date: Fri, 11 Dec 2015 13:59:17 +0530 -Subject: [PATCH] iw_cxgb3: Fix incorrectly returning error on success - -The cxgb3_*_send() functions return NET_XMIT_ values, which are -positive integers values. So don't treat positive return values -as an error. - -Signed-off-by: Steve Wise -Signed-off-by: Hariprasad Shenai -Signed-off-by: Doug Ledford ---- - drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c -index cb78b1e9bcd9..f504ba73e5dc 100644 ---- a/drivers/infiniband/hw/cxgb3/iwch_cm.c -+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c -@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en - error = l2t_send(tdev, skb, l2e); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) -@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb) - error = cxgb3_ofld_send(tdev, skb); - if (error < 0) - kfree_skb(skb); -- return error; -+ return error < 0 ? error : 0; - } - - static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb) --- -2.5.0 - diff --git a/kbuild-AFTER_LINK.patch b/kbuild-AFTER_LINK.patch index 805b6ee..6cbf7d6 100644 --- a/kbuild-AFTER_LINK.patch +++ b/kbuild-AFTER_LINK.patch @@ -1,4 +1,4 @@ -From a9488dbeccf188f0bd83b9d5704892f2c0f97fdc Mon Sep 17 00:00:00 2001 +From 3430f2441f7176d543a76aa73ae7315db355a5b0 Mon Sep 17 00:00:00 2001 From: Roland McGrath Date: Mon, 6 Oct 2008 23:03:03 -0700 Subject: [PATCH] kbuild: AFTER_LINK @@ -107,11 +107,11 @@ index 265c0ed..fd90c7d 100644 VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \ $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS) diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh -index dacf71a..72cbefd 100755 +index ba6c34e..245501e 100755 --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh @@ -65,6 +65,10 @@ vmlinux_link() - -lutil -lrt ${1} + -lutil -lrt -lpthread ${1} rm -f linux fi + if [ -n "${AFTER_LINK}" ]; then diff --git a/kernel.spec b/kernel.spec index 0ff355d..65d27c5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -52,7 +52,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -502,8 +502,6 @@ Patch456: arm64-acpi-drop-expert-patch.patch Patch457: ARM-tegra-usb-no-reset.patch -Patch458: drm-nouveau-platform-Fix-deferred-probe.patch - Patch460: mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch Patch463: arm-i.MX6-Utilite-device-dtb.patch @@ -596,8 +594,6 @@ Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch #rhbz 1288687 Patch572: alua_fix.patch -Patch604: drm-i915-shut-up-gen8-SDE-irq-dmesg-noise-again.patch - #rhbz 1083853 Patch610: PNP-Add-Broadwell-to-Intel-MCH-size-workaround.patch @@ -614,35 +610,21 @@ Patch645: cfg80211-wext-fix-message-ordering.patch #rhbz 1255325 Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch -#CVE-2016-2383 rhbz 1308452 1308453 -Patch650: bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch - -#CVE-2015-8812 rhbz 1303532 1309548 -Patch653: iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch - #Known use after free, possibly rhbz 1310579 Patch654: 0001-usb-hub-fix-panic-in-usb_reset_and_verify_device.patch #rhbz 1310258 Patch655: iommu-fix.patch -#CVE-2016-2550 rhbz 1311517 1311518 -Patch656: unix-correctly-track-in-flight-fds-in-sending-proces.patch - #rhbz 1310682 Patch657: 0001-Test-ata-fix.patch -Patch658: nouveau-displayoff-fix.patch - #Mitigates CVE-2013-4312 rhbz 1313428 1313433 Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch #rhbz 1310252 1313318 Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch -#rhbz 1314253 1314255 -Patch661: x86-entry-compat-Add-missing-CLAC-to-entry_INT80_32.patch - # END OF PATCH DEFINITIONS %endif @@ -2085,6 +2067,9 @@ fi # # %changelog +* Thu Mar 03 2016 Laura Abbott +- Linux v4.4.4 + * Thu Mar 03 2016 Josh Boyer - Partial SMAP bypass on 64-bit kernels (rhbz 1314253 1314255) diff --git a/nouveau-displayoff-fix.patch b/nouveau-displayoff-fix.patch deleted file mode 100644 index 32045d3..0000000 --- a/nouveau-displayoff-fix.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 95664e66fad964c3dd7945d6edfb1d0931844664 Mon Sep 17 00:00:00 2001 -From: Ben Skeggs -Date: Thu, 18 Feb 2016 08:14:19 +1000 -Subject: drm/nouveau/disp/dp: ensure sink is powered up before attempting link - training - -This can happen under some annoying circumstances, and is a quick fix -until more substantial changes can be made. - -Fixed eDP mode changes on (at least) the Lenovo P50. - -Signed-off-by: Ben Skeggs -Cc: stable@vger.kernel.org - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c -index 74e2f7c..9688970 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.c -@@ -328,6 +328,7 @@ nvkm_dp_train(struct work_struct *w) - .outp = outp, - }, *dp = &_dp; - u32 datarate = 0; -+ u8 pwr; - int ret; - - if (!outp->base.info.location && disp->func->sor.magic) -@@ -355,6 +356,15 @@ nvkm_dp_train(struct work_struct *w) - /* disable link interrupt handling during link training */ - nvkm_notify_put(&outp->irq); - -+ /* ensure sink is not in a low-power state */ -+ if (!nvkm_rdaux(outp->aux, DPCD_SC00, &pwr, 1)) { -+ if ((pwr & DPCD_SC00_SET_POWER) != DPCD_SC00_SET_POWER_D0) { -+ pwr &= ~DPCD_SC00_SET_POWER; -+ pwr |= DPCD_SC00_SET_POWER_D0; -+ nvkm_wraux(outp->aux, DPCD_SC00, &pwr, 1); -+ } -+ } -+ - /* enable down-spreading and execute pre-train script from vbios */ - dp_link_train_init(dp, outp->dpcd[3] & 0x01); - -diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h -index 9596290..6e10c5e 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h -+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dport.h -@@ -71,5 +71,11 @@ - #define DPCD_LS0C_LANE1_POST_CURSOR2 0x0c - #define DPCD_LS0C_LANE0_POST_CURSOR2 0x03 - -+/* DPCD Sink Control */ -+#define DPCD_SC00 0x00600 -+#define DPCD_SC00_SET_POWER 0x03 -+#define DPCD_SC00_SET_POWER_D0 0x01 -+#define DPCD_SC00_SET_POWER_D3 0x03 -+ - void nvkm_dp_train(struct work_struct *); - #endif --- -cgit v0.10.2 - diff --git a/sources b/sources index be63b52..7da2ff0 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -078427483ee96f3e072e7b5409b5a117 patch-4.4.3.xz +07e9b2c5d0daf7fc2a1ee26a52adcbc0 patch-4.4.4.xz diff --git a/unix-correctly-track-in-flight-fds-in-sending-proces.patch b/unix-correctly-track-in-flight-fds-in-sending-proces.patch deleted file mode 100644 index eb513ef..0000000 --- a/unix-correctly-track-in-flight-fds-in-sending-proces.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 415e3d3e90ce9e18727e8843ae343eda5a58fad6 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Wed, 3 Feb 2016 02:11:03 +0100 -Subject: [PATCH] unix: correctly track in-flight fds in sending process - user_struct - -The commit referenced in the Fixes tag incorrectly accounted the number -of in-flight fds over a unix domain socket to the original opener -of the file-descriptor. This allows another process to arbitrary -deplete the original file-openers resource limit for the maximum of -open files. Instead the sending processes and its struct cred should -be credited. - -To do so, we add a reference counted struct user_struct pointer to the -scm_fp_list and use it to account for the number of inflight unix fds. - -Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets") -Reported-by: David Herrmann -Cc: David Herrmann -Cc: Willy Tarreau -Cc: Linus Torvalds -Suggested-by: Linus Torvalds -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - include/net/af_unix.h | 4 ++-- - include/net/scm.h | 1 + - net/core/scm.c | 7 +++++++ - net/unix/af_unix.c | 4 ++-- - net/unix/garbage.c | 8 ++++---- - 5 files changed, 16 insertions(+), 8 deletions(-) - -diff --git a/include/net/af_unix.h b/include/net/af_unix.h -index 2a91a0561a47..9b4c418bebd8 100644 ---- a/include/net/af_unix.h -+++ b/include/net/af_unix.h -@@ -6,8 +6,8 @@ - #include - #include - --void unix_inflight(struct file *fp); --void unix_notinflight(struct file *fp); -+void unix_inflight(struct user_struct *user, struct file *fp); -+void unix_notinflight(struct user_struct *user, struct file *fp); - void unix_gc(void); - void wait_for_unix_gc(void); - struct sock *unix_get_socket(struct file *filp); -diff --git a/include/net/scm.h b/include/net/scm.h -index 262532d111f5..59fa93c01d2a 100644 ---- a/include/net/scm.h -+++ b/include/net/scm.h -@@ -21,6 +21,7 @@ struct scm_creds { - struct scm_fp_list { - short count; - short max; -+ struct user_struct *user; - struct file *fp[SCM_MAX_FD]; - }; - -diff --git a/net/core/scm.c b/net/core/scm.c -index 14596fb37172..2696aefdc148 100644 ---- a/net/core/scm.c -+++ b/net/core/scm.c -@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fplp = fpl; - fpl->count = 0; - fpl->max = SCM_MAX_FD; -+ fpl->user = NULL; - } - fpp = &fpl->fp[fpl->count]; - -@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) - *fpp++ = file; - fpl->count++; - } -+ -+ if (!fpl->user) -+ fpl->user = get_uid(current_user()); -+ - return num; - } - -@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm) - scm->fp = NULL; - for (i=fpl->count-1; i>=0; i--) - fput(fpl->fp[i]); -+ free_uid(fpl->user); - kfree(fpl); - } - } -@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) - for (i = 0; i < fpl->count; i++) - get_file(fpl->fp[i]); - new_fpl->max = new_fpl->count; -+ new_fpl->user = get_uid(fpl->user); - } - return new_fpl; - } -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 49d5093eb055..29be035f9c65 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) - UNIXCB(skb).fp = NULL; - - for (i = scm->fp->count-1; i >= 0; i--) -- unix_notinflight(scm->fp->fp[i]); -+ unix_notinflight(scm->fp->user, scm->fp->fp[i]); - } - - static void unix_destruct_scm(struct sk_buff *skb) -@@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) - return -ENOMEM; - - for (i = scm->fp->count - 1; i >= 0; i--) -- unix_inflight(scm->fp->fp[i]); -+ unix_inflight(scm->fp->user, scm->fp->fp[i]); - return max_level; - } - -diff --git a/net/unix/garbage.c b/net/unix/garbage.c -index 8fcdc2283af5..6a0d48525fcf 100644 ---- a/net/unix/garbage.c -+++ b/net/unix/garbage.c -@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp) - * descriptor if it is for an AF_UNIX socket. - */ - --void unix_inflight(struct file *fp) -+void unix_inflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp) - } - unix_tot_inflight++; - } -- fp->f_cred->user->unix_inflight++; -+ user->unix_inflight++; - spin_unlock(&unix_gc_lock); - } - --void unix_notinflight(struct file *fp) -+void unix_notinflight(struct user_struct *user, struct file *fp) - { - struct sock *s = unix_get_socket(fp); - -@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp) - list_del_init(&u->link); - unix_tot_inflight--; - } -- fp->f_cred->user->unix_inflight--; -+ user->unix_inflight--; - spin_unlock(&unix_gc_lock); - } - --- -2.5.0 - diff --git a/x86-entry-compat-Add-missing-CLAC-to-entry_INT80_32.patch b/x86-entry-compat-Add-missing-CLAC-to-entry_INT80_32.patch deleted file mode 100644 index 0b4be7b..0000000 --- a/x86-entry-compat-Add-missing-CLAC-to-entry_INT80_32.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 3d44d51bd339766f0178f0cf2e8d048b4a4872aa Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Wed, 24 Feb 2016 12:18:49 -0800 -Subject: [PATCH] x86/entry/compat: Add missing CLAC to entry_INT80_32 - -This doesn't seem to fix a regression -- I don't think the CLAC was -ever there. - -I double-checked in a debugger: entries through the int80 gate do -not automatically clear AC. - -Stable maintainers: I can provide a backport to 4.3 and earlier if -needed. This needs to be backported all the way to 3.10. - -Reported-by: Brian Gerst -Signed-off-by: Andy Lutomirski -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Denys Vlasenko -Cc: H. Peter Anvin -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: # v3.10 and later -Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user space access") -Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org -Signed-off-by: Ingo Molnar ---- - arch/x86/entry/entry_64_compat.S | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S -index ff1c6d61f332..3c990eeee40b 100644 ---- a/arch/x86/entry/entry_64_compat.S -+++ b/arch/x86/entry/entry_64_compat.S -@@ -261,6 +261,7 @@ ENTRY(entry_INT80_compat) - * Interrupts are off on entry. - */ - PARAVIRT_ADJUST_EXCEPTION_FRAME -+ ASM_CLAC /* Do this early to minimize exposure */ - SWAPGS - - /* --- -2.5.0 -