diff --git a/0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch b/0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch
deleted file mode 100644
index 0373d3a..0000000
--- a/0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From bdc54d8e3cb4a41dddcabfd86d9eb3aa5f622b75 Mon Sep 17 00:00:00 2001
-From: Trond Myklebust
-Date: Sat, 16 Jul 2016 11:47:00 -0400
-Subject: [PATCH] SUNRPC: Fix infinite looping in
- rpc_clnt_iterate_for_each_xprt
-
-If there were less than 2 entries in the multipath list, then
-xprt_iter_next_entry_multiple() would never advance beyond the
-first entry, which is correct for round robin behaviour, but not
-for the list iteration.
-
-The end result would be infinite looping in rpc_clnt_iterate_for_each_xprt()
-as we would never see the xprt == NULL condition fulfilled.
-
-Reported-by: Oleg Drokin
-Fixes: 80b14d5e61ca ("SUNRPC: Add a structure to track multiple transports")
-Signed-off-by: Trond Myklebust
----
- net/sunrpc/xprtmultipath.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/net/sunrpc/xprtmultipath.c b/net/sunrpc/xprtmultipath.c
-index e7fd769..66c9d63 100644
---- a/net/sunrpc/xprtmultipath.c
-+++ b/net/sunrpc/xprtmultipath.c
-@@ -271,14 +271,12 @@ struct rpc_xprt *xprt_iter_next_entry_multiple(struct rpc_xprt_iter *xpi,
- xprt_switch_find_xprt_t find_next)
- {
- struct rpc_xprt_switch *xps = rcu_dereference(xpi->xpi_xpswitch);
-- struct list_head *head;
-
- if (xps == NULL)
- return NULL;
-- head = &xps->xps_xprt_list;
-- if (xps->xps_nxprts < 2)
-- return xprt_switch_find_first_entry(head);
-- return xprt_switch_set_next_cursor(head, &xpi->xpi_cursor, find_next);
-+ return xprt_switch_set_next_cursor(&xps->xps_xprt_list,
-+ &xpi->xpi_cursor,
-+ find_next);
- }
-
- static
----
-2.7.4
-
diff --git a/aacraid-Check-size-values-after-double-fetch-from-us.patch b/aacraid-Check-size-values-after-double-fetch-from-us.patch
deleted file mode 100644
index 6ff7711..0000000
--- a/aacraid-Check-size-values-after-double-fetch-from-us.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 Mon Sep 17 00:00:00 2001
-From: Dave Carroll
-Date: Fri, 5 Aug 2016 13:44:10 -0600
-Subject: [PATCH] aacraid: Check size values after double-fetch from user
-
-In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
-get the fib header's size and one for the fib itself. Later we use the
-size field from the second fetch to further process the fib. If for some
-reason the size from the second fetch is different than from the first
-fix, we may encounter an out-of- bounds access in aac_fib_send(). We
-also check the sender size to insure it is not out of bounds. This was
-reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
-assigned CVE-2016-6480.
-
-Reported-by: Pengfei Wang
-Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
-Cc: stable@vger.kernel.org
-Signed-off-by: Dave Carroll
-Reviewed-by: Johannes Thumshirn
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index b381b37..5648b71 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- struct fib *fibptr;
- struct hw_fib * hw_fib = (struct hw_fib *)0;
- dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-- unsigned size;
-+ unsigned int size, osize;
- int retval;
-
- if (dev->in_reset) {
-@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- * will not overrun the buffer when we copy the memory. Return
- * an error if we would.
- */
-- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
-+ osize = size = le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr);
- if (size < le16_to_cpu(kfib->header.SenderSize))
- size = le16_to_cpu(kfib->header.SenderSize);
- if (size > dev->max_fib_size) {
-@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
- goto cleanup;
- }
-
-+ /* Sanity check the second copy */
-+ if ((osize != le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr))
-+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
-+ retval = -EINVAL;
-+ goto cleanup;
-+ }
-+
- if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
- aac_adapter_interrupt(dev);
- /*
----
-2.7.4
-
diff --git a/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch b/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
deleted file mode 100644
index a5dc6f3..0000000
--- a/drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From 74f829a6e44fe217b6161f8935524fc807be0648 Mon Sep 17 00:00:00 2001 -From: Chris Wilson -Date: Sat, 9 Jul 2016 11:01:20 +0100 -Subject: [PATCH] drm/i915: Acquire audio powerwell for HD-Audio registers - -On Haswell/Broadwell, the HD-Audio block is inside the HDMI/display -power well and so the sna-hda audio codec acquires the display power -well while it is operational. However, Skylake separates the powerwells -again, but yet we still need the audio powerwell to setup the registers. -(But then the hardware uses those registers even while powered off???) - -v2: Grab both rpm wakelock and audio wakelock - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96214 -Fixes: 03b135cebc47 "ALSA: hda - remove dependency on i915 power well for SKL") -Signed-off-by: Chris Wilson -Cc: Libin Yang -Cc: Takashi Iwai -Cc: Marius Vlad ---- - drivers/gpu/drm/i915/intel_audio.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/gpu/drm/i915/intel_audio.c b/drivers/gpu/drm/i915/intel_audio.c -index 5d5f6bc10e85..948a7a52e3f8 100644 ---- a/drivers/gpu/drm/i915/intel_audio.c -+++ b/drivers/gpu/drm/i915/intel_audio.c -@@ -600,6 +600,8 @@ static void i915_audio_component_codec_wake_override(struct device *dev, - if (!IS_SKYLAKE(dev_priv) && !IS_KABYLAKE(dev_priv)) - return; - -+ i915_audio_component_get_power(dev); -+ - /* - * Enable/disable generating the codec wake signal, overriding the - * internal logic to generate the codec wake to controller. -@@ -615,6 +617,8 @@ static void i915_audio_component_codec_wake_override(struct device *dev, - I915_WRITE(HSW_AUD_CHICKENBIT, tmp); - usleep_range(1000, 1500); - } -+ -+ i915_audio_component_put_power(dev); - } - - /* Get CDCLK in kHz */ -@@ -648,6 +652,7 @@ static int i915_audio_component_sync_audio_rate(struct device *dev, - !IS_HASWELL(dev_priv)) - return 0; - -+ i915_audio_component_get_power(dev); - mutex_lock(&dev_priv->av_mutex); - /* 1. 
get the pipe */ - intel_encoder = dev_priv->dig_port_map[port]; -@@ -698,6 +703,7 @@ static int i915_audio_component_sync_audio_rate(struct device *dev, - - unlock: - mutex_unlock(&dev_priv->av_mutex); -+ i915_audio_component_put_power(dev); - return err; - } - --- -2.8.1 - diff --git a/kernel.spec b/kernel.spec index b9cb0fd..8ee3afd 100644 --- a/kernel.spec +++ b/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 101 +%global baserelease 100 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -618,15 +618,9 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch -# https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/A4YCP7OGMX6JLFT5V44H57GOMAQLC3M4/ -Patch838: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch - #rhbz 1353558 Patch844: 0001-selinux-Only-apply-bounds-checking-to-source-types.patch -#CVE-2016-6480 rhbz 1362466 1362467 -Patch855: aacraid-Check-size-values-after-double-fetch-from-us.patch - #rhbz 1365940 Patch856: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch 
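Review bot: Dropping `Patch855` in the `@@ -618,15 +618,9 @@` hunk removes the only carry of the CVE-2016-6480 aacraid fix visible on this page, and nothing here shows that `patch-4.7.3.xz` contains it. Presumably the stable update includes it, along with `Patch838` in this hunk and `Patch860` in the following one, but that should be confirmed against the 4.7.3 changelog before the build ships. I would also record the drop in `%changelog`, for example `- Drop aacraid CVE-2016-6480 fix, included in 4.7.3 (rhbz 1362466 1362467)`, so the CVE stays traceable in the package history.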
@@ -639,12 +633,12 @@ Patch858: 0001-OOM-detection-regressions-since-4.7.patch #rhbz 1360688 Patch859: rc-core-fix-repeat-events.patch -#rhbz 1371237 -Patch860: 0001-SUNRPC-Fix-infinite-looping-in-rpc_clnt_iterate_for_.patch - # https://lkml.org/lkml/2016/8/30/566 Patch861: 0001-cgroup-reduce-read-locked-section-of-cgroup_threadgr.patch +#rhbz 1350174 +Patch862: tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch + # END OF PATCH DEFINITIONS %endif @@ -2167,6 +2161,10 @@ fi # # %changelog +* Wed Sep 07 2017 - 4.7.3-100 +- Linux v4.7.3 +- Silence KASLR warning (rhbz 1350174) + * Fri Sep 02 2016 - Add fix for known cgroup deadlock diff --git a/sources b/sources index cec90d7..c33fe9c 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz -64e8a8969536c5d700c9e6a591d28dad patch-4.7.2.xz +803bdedd9b9cd4ef43d9d5d41801f234 patch-4.7.3.xz diff --git a/tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch b/tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch new file mode 100644 index 0000000..7d79fbc --- /dev/null +++ b/tip-x86-boot-x86-KASLR-x86-power-Remove-x86-hibernation-restrictions.patch 
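Review bot: The new `%changelog` header is dated `Wed Sep 07 2017`, while the entry directly below it is `Fri Sep 02 2016`; 7 September 2017 was a Thursday, so rpmbuild will warn about a bogus date and the entry is stamped a year ahead of the real build. This looks like a typo for `* Wed Sep 07 2016`. Keeping the date accurate matters for anyone later correlating package builds with when a fix landed.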
@@ -0,0 +1,131 @@
+From patchwork Sun Jun 26 11:01:18 2016
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [tip:x86/boot] x86/KASLR,
+ x86/power: Remove x86 hibernation restrictions
+From: tip-bot for Jacob Shin
+X-Patchwork-Id: 9199367
+Message-Id:
+To: linux-tip-commits@vger.kernel.org
+Cc: pavel@ucw.cz, linux-pm@vger.kernel.org, yinghai@kernel.org,
+ mingo@kernel.org, linux-kernel@vger.kernel.org, tglx@linutronix.de,
+ corbet@lwn.net, dvlasenk@redhat.com, sds@tycho.nsa.gov,
+ peterz@infradead.org, logang@deltatee.com, bhe@redhat.com,
+ torvalds@linux-foundation.org, bp@alien8.de, luto@kernel.org,
+ keescook@chromium.org, hpa@zytor.com, brgerst@gmail.com,
+ len.brown@intel.com
+Date: Sun, 26 Jun 2016 04:01:18 -0700
+
+Commit-ID: 65fe935dd2387a4faf15314c73f5e6d31ef0217e
+Gitweb: http://git.kernel.org/tip/65fe935dd2387a4faf15314c73f5e6d31ef0217e
+Author: Kees Cook
+AuthorDate: Mon, 13 Jun 2016 15:10:02 -0700
+Committer: Ingo Molnar
+CommitDate: Sun, 26 Jun 2016 12:32:03 +0200
+
+x86/KASLR, x86/power: Remove x86 hibernation restrictions
+
+With the following fix:
+
+ 70595b479ce1 ("x86/power/64: Fix crash whan the hibernation code passes control to the image kernel")
+
+... there is no longer a problem with hibernation resuming a
+KASLR-booted kernel image, so remove the restriction.
+
+Signed-off-by: Kees Cook
+Cc: Andy Lutomirski
+Cc: Baoquan He
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Denys Vlasenko
+Cc: H. Peter Anvin
+Cc: Jonathan Corbet
+Cc: Len Brown
+Cc: Linus Torvalds
+Cc: Linux PM list
+Cc: Logan Gunthorpe
+Cc: Pavel Machek
+Cc: Peter Zijlstra
+Cc: Stephen Smalley
+Cc: Thomas Gleixner
+Cc: Yinghai Lu
+Cc: linux-doc@vger.kernel.org
+Link: http://lkml.kernel.org/r/20160613221002.GA29719@www.outflux.net
+Signed-off-by: Ingo Molnar
+---
+ Documentation/kernel-parameters.txt | 10 ++++------
+ arch/x86/boot/compressed/kaslr.c | 7 -------
+ kernel/power/hibernate.c | 6 ------
+ 3 files changed, 4 insertions(+), 19 deletions(-)
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-pm" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 82b42c9..fa8c6d4 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1803,12 +1803,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ js= [HW,JOY] Analog joystick
+ See Documentation/input/joystick.txt.
+
+- kaslr/nokaslr [X86]
+- Enable/disable kernel and module base offset ASLR
+- (Address Space Layout Randomization) if built into
+- the kernel. When CONFIG_HIBERNATION is selected,
+- kASLR is disabled by default. When kASLR is enabled,
+- hibernation will be disabled.
++ nokaslr [KNL]
++ When CONFIG_RANDOMIZE_BASE is set, this disables
++ kernel and module base offset ASLR (Address Space
++ Layout Randomization).
+
+ keepinitrd [HW,ARM]
+
+diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
+index cfeb025..dff4217 100644
+--- a/arch/x86/boot/compressed/kaslr.c
++++ b/arch/x86/boot/compressed/kaslr.c
+@@ -471,17 +471,10 @@ unsigned char *choose_random_location(unsigned long input,
+ unsigned long choice = output;
+ unsigned long random_addr;
+
+-#ifdef CONFIG_HIBERNATION
+- if (!cmdline_find_option_bool("kaslr")) {
+- warn("KASLR disabled: 'kaslr' not on cmdline (hibernation selected).");
+- goto out;
+- }
+-#else
+ if (cmdline_find_option_bool("nokaslr")) {
+ warn("KASLR disabled: 'nokaslr' on cmdline.");
+ goto out;
+ }
+-#endif
+
+ boot_params->hdr.loadflags |= KASLR_FLAG;
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index fca9254..9021387 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -1154,11 +1154,6 @@ static int __init nohibernate_setup(char *str)
+ return 1;
+ }
+
+-static int __init kaslr_nohibernate_setup(char *str)
+-{
+- return nohibernate_setup(str);
+-}
+-
+ static int __init page_poison_nohibernate_setup(char *str)
+ {
+ #ifdef CONFIG_PAGE_POISONING_ZERO
+@@ -1182,5 +1177,4 @@ __setup("hibernate=", hibernate_setup);
+ __setup("resumewait", resumewait_setup);
+ __setup("resumedelay=", resumedelay_setup);
+ __setup("nohibernate", nohibernate_setup);
+-__setup("kaslr", kaslr_nohibernate_setup);
+ __setup("page_poison=", page_poison_nohibernate_setup);
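Review bot: The carried patch depends on commit 70595b479ce1, which its own description names as the fix that makes resuming a KASLR-booted image safe, and nothing on this page shows that commit in 4.7.3 or in the spec's patch list. With the `#ifdef CONFIG_HIBERNATION` branch removed from `choose_random_location()` and the `__setup("kaslr", kaslr_nohibernate_setup)` hook gone, KASLR is no longer off by default on hibernation-enabled builds and no longer disables hibernation. If the prerequisite is missing, resume may hit the crash it addresses, so I would confirm it is in the tree or carry it next to `Patch862`. The changelog line `Silence KASLR warning` also understates this; something like `- Allow KASLR together with hibernation (rhbz 1350174)` would make the behaviour change visible.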