From 966488336fbad5400887c5416012f476dddf810e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Jun 2016 12:37:35 +0100 Subject: [PATCH 01/14] [mips*] Fix ABI change in 4.6.2 --- debian/changelog | 6 ++ .../debian/mips-fix-abi-change-in-4.6.2.patch | 92 +++++++++++++++++++ debian/patches/series | 3 + 3 files changed, 101 insertions(+) create mode 100644 debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch diff --git a/debian/changelog b/debian/changelog index cff35f6d300b..671f277131ba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux (4.6.2-2) UNRELEASED; urgency=medium + + * [mips*] Fix ABI change in 4.6.2 + + -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 + linux (4.6.2-1) unstable; urgency=medium * Team upload. diff --git a/debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch b/debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch new file mode 100644 index 000000000000..d9664d2026ce --- /dev/null +++ b/debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch @@ -0,0 +1,92 @@ +From: Ben Hutchings +Date: Thu, 16 Jun 2016 11:32:49 +0100 +Subject: MIPS: Fix ABI change in 4.6.2 +Forwarded: not-needed + +genksyms only looks at the (preprocessed) token stream of a struct +definition, not the real types, so commit 5daebc477da4 ("MIPS: Fix +siginfo.h to use strict posix types") results in a different hash +even though it doesn't change types. + +--- a/arch/mips/include/uapi/asm/siginfo.h ++++ b/arch/mips/include/uapi/asm/siginfo.h +@@ -30,6 +30,8 @@ + + #include + ++#ifndef __GENKSYMS__ ++ + /* We can't use generic siginfo_t, because our si_code and si_errno are swapped */ + typedef struct siginfo { + int si_signo; +@@ -112,6 +114,70 @@ typedef struct siginfo { + } _sifields; + } siginfo_t; + ++#else /* __GENKSYMS__ */ ++ ++/* Definition using the 'wrong' type names, to keep genksyms happy */ ++typedef struct siginfo { ++ int si_signo; ++ int si_code; ++ int si_errno; ++ int __pad0[SI_MAX_SIZE / sizeof(int) - SI_PAD_SIZE - 3]; ++ union { ++ int _pad[SI_PAD_SIZE]; ++ struct { ++ pid_t _pid; ++ __ARCH_SI_UID_T _uid; ++ } _kill; ++ struct { ++ timer_t _tid; ++ int _overrun; ++ char _pad[sizeof( __ARCH_SI_UID_T) - sizeof(int)]; ++ sigval_t _sigval; ++ int _sys_private; ++ } _timer; ++ struct { ++ pid_t _pid; ++ __ARCH_SI_UID_T _uid; ++ sigval_t _sigval; ++ } _rt; ++ struct { ++ pid_t _pid; ++ __ARCH_SI_UID_T _uid; ++ int _status; ++ clock_t _utime; ++ clock_t _stime; ++ } _sigchld; ++ struct { ++ pid_t _pid; ++ clock_t _utime; ++ int _status; ++ clock_t _stime; ++ } _irix_sigchld; ++ struct { ++ void __user *_addr; ++ short _addr_lsb; ++ union { ++ struct { ++ void __user *_lower; ++ void __user *_upper; ++ } _addr_bnd; ++ __u32 _pkey; ++ }; ++ } _sigfault; ++ struct { ++ __ARCH_SI_BAND_T _band; ++ int _fd; ++ } _sigpoll; ++ struct { ++ void __user *_call_addr; ++ int _syscall; ++ unsigned int _arch; ++ } _sigsys; ++ } _sifields; ++} siginfo_t; ++ ++#endif /* __GENKSYMS__ */ ++ + /* + * si_code values + * Again these have been chosen to be IRIX compatible. diff --git a/debian/patches/series b/debian/patches/series index 5886d4260018..453515fc66e1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -113,6 +113,9 @@ bugfix/all/sched-panic-on-corrupted-stack-end.patch bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch +# ABI maintenance +debian/mips-fix-abi-change-in-4.6.2.patch + # Tools bug fixes bugfix/all/usbip-document-tcp-wrappers.patch bugfix/all/kbuild-fix-recordmcount-dependency.patch From 9edbacb8a55ee2585207bb084b7f542c76e671f6 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 17 Jun 2016 01:50:50 +0100 Subject: [PATCH 02/14] MIPS: libgcc: Fix ABI change in 4.6.2 --- debian/changelog | 2 +- .../mips-libgcc-fix-abi-change-in-4.6.2.patch | 106 ++++++++++++++++++ ...ips-siginfo-fix-abi-change-in-4.6.2.patch} | 2 +- debian/patches/series | 3 +- 4 files changed, 110 insertions(+), 3 deletions(-) create mode 100644 debian/patches/debian/mips-libgcc-fix-abi-change-in-4.6.2.patch rename debian/patches/debian/{mips-fix-abi-change-in-4.6.2.patch => mips-siginfo-fix-abi-change-in-4.6.2.patch} (97%) diff --git a/debian/changelog b/debian/changelog index 671f277131ba..ef4cf0ea2804 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ linux (4.6.2-2) UNRELEASED; urgency=medium - * [mips*] Fix ABI change in 4.6.2 + * [mips*] Fix ABI changes in 4.6.2 -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/patches/debian/mips-libgcc-fix-abi-change-in-4.6.2.patch b/debian/patches/debian/mips-libgcc-fix-abi-change-in-4.6.2.patch new file mode 100644 index 000000000000..7c13a4fbf040 --- /dev/null +++ b/debian/patches/debian/mips-libgcc-fix-abi-change-in-4.6.2.patch @@ -0,0 +1,106 @@ +From: Ben Hutchings +Date: Fri, 17 Jun 2016 01:46:59 +0100 +Subject: MIPS: libgcc: Fix ABI change in 4.6.2 +Forwarded: not-needed + +Commit aedcfbe06558 ("MIPS: lib: Mark intrinsics notrace") causes the +hashes of these functions to change, even though their ABI hasn't. +Hide the 'notrace' from genksyms. + +--- +--- a/arch/mips/lib/ashldi3.c ++++ b/arch/mips/lib/ashldi3.c +@@ -2,6 +2,11 @@ + + #include "libgcc.h" + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + long long notrace __ashldi3(long long u, word_type b) + { + DWunion uu, w; +--- a/arch/mips/lib/ashrdi3.c ++++ b/arch/mips/lib/ashrdi3.c +@@ -2,6 +2,11 @@ + + #include "libgcc.h" + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + long long notrace __ashrdi3(long long u, word_type b) + { + DWunion uu, w; +--- a/arch/mips/lib/bswapdi.c ++++ b/arch/mips/lib/bswapdi.c +@@ -1,5 +1,10 @@ + #include + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + unsigned long long notrace __bswapdi2(unsigned long long u) + { + return (((u) & 0xff00000000000000ull) >> 56) | +--- a/arch/mips/lib/bswapsi.c ++++ b/arch/mips/lib/bswapsi.c +@@ -1,5 +1,10 @@ + #include + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + unsigned int notrace __bswapsi2(unsigned int u) + { + return (((u) & 0xff000000) >> 24) | +--- a/arch/mips/lib/cmpdi2.c ++++ b/arch/mips/lib/cmpdi2.c +@@ -2,6 +2,11 @@ + + #include "libgcc.h" + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + word_type notrace __cmpdi2(long long a, long long b) + { + const DWunion au = { +--- a/arch/mips/lib/lshrdi3.c ++++ b/arch/mips/lib/lshrdi3.c +@@ -2,6 +2,11 @@ + + #include "libgcc.h" + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + long long notrace __lshrdi3(long long u, word_type b) + { + DWunion uu, w; +--- a/arch/mips/lib/ucmpdi2.c ++++ b/arch/mips/lib/ucmpdi2.c +@@ -2,6 +2,11 @@ + + #include "libgcc.h" + ++#ifdef __GENKSYMS__ ++#undef notrace ++#define notrace ++#endif ++ + word_type notrace __ucmpdi2(unsigned long long a, unsigned long long b) + { + const DWunion au = {.ll = a}; diff --git a/debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch b/debian/patches/debian/mips-siginfo-fix-abi-change-in-4.6.2.patch similarity index 97% rename from debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch rename to debian/patches/debian/mips-siginfo-fix-abi-change-in-4.6.2.patch index d9664d2026ce..099c5dcca9aa 100644 --- a/debian/patches/debian/mips-fix-abi-change-in-4.6.2.patch +++ b/debian/patches/debian/mips-siginfo-fix-abi-change-in-4.6.2.patch @@ -1,6 +1,6 @@ From: Ben Hutchings Date: Thu, 16 Jun 2016 11:32:49 +0100 -Subject: MIPS: Fix ABI change in 4.6.2 +Subject: MIPS: siginfo: Fix ABI change in 4.6.2 Forwarded: not-needed genksyms only looks at the (preprocessed) token stream of a struct diff --git a/debian/patches/series b/debian/patches/series index 453515fc66e1..0810e58fac23 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -114,7 +114,8 @@ bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch # ABI maintenance -debian/mips-fix-abi-change-in-4.6.2.patch +debian/mips-siginfo-fix-abi-change-in-4.6.2.patch +debian/mips-libgcc-fix-abi-change-in-4.6.2.patch # Tools bug fixes bugfix/all/usbip-document-tcp-wrappers.patch From b9ef626a40846c309f9c69b1ba1fc1b66634a9c1 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 19 Jun 2016 22:11:38 +0100 Subject: [PATCH 03/14] [rt] Update to 4.6.2-rt5 --- debian/changelog | 3 ++ ...k-unlock-symetry-versus-pi_lock-and-.patch | 2 +- ...n-translation-section-permission-fau.patch | 2 +- .../rt/ARM-imx-always-use-TWD-on-IMX6Q.patch | 2 +- ...intk-drop-the-logbuf_lock-more-often.patch | 2 +- ...wngrade-preempt_disable-d-region-to-.patch | 2 +- ...-mark-LAPIC-timer-handler-as-irqsafe.patch | 2 +- ...acpi_gbl_hardware-lock-back-to-a-raw.patch | 2 +- .../arch-arm64-Add-lazy-preempt-support.patch | 2 +- ...reempt-add-TIF_NEED_RESCHED_LAZY-to-.patch | 2 +- ...ove-irq-handler-when-clock-is-unused.patch | 2 +- ...-tclib-default-to-tclib-timer-for-rt.patch | 2 +- .../all/rt/arm-convert-boot-lock-to-raw.patch | 2 +- .../all/rt/arm-enable-highmem-for-rt.patch | 2 +- .../rt/arm-highmem-flush-tlb-on-unmap.patch | 2 +- ...zy-preempt-correct-resched-condition.patch | 2 +- .../all/rt/arm-preempt-lazy-support.patch | 2 +- .../all/rt/arm-unwind-use_raw_lock.patch | 2 +- ...arm64-xen--Make-XEN-depend-on-non-rt.patch | 2 +- .../rt/at91_dont_enable_disable_clock.patch | 2 +- .../rt/ata-disable-interrupts-if-non-rt.patch | 2 +- ...ne-notifier-to-POST_D.patchto-POST_D.patch | 2 +- .../all/rt/block-blk-mq-use-swait.patch | 2 +- ...k-mq-don-t-complete-requests-via-IPI.patch | 2 +- .../rt/block-mq-drop-preempt-disable.patch | 2 +- .../all/rt/block-mq-use-cpu_light.patch | 2 +- ...k-shorten-interrupt-disabled-regions.patch | 2 +- .../features/all/rt/block-use-cpu-chill.patch | 2 +- .../all/rt/bug-rt-dependend-variants.patch | 2 +- ...heduling-while-atomic-in-cgroup-code.patch | 2 +- ...roups-use-simple-wait-in-css_release.patch | 4 +-- ...ers-timer-atmel-pit-fix-double-free_.patch | 2 +- ...source-tclib-allow-higher-clockrates.patch | 2 +- .../completion-use-simple-wait-queues.patch | 2 +- .../all/rt/cond-resched-lock-rt-tweak.patch | 2 +- .../all/rt/cond-resched-softirq-rt.patch | 2 +- ...ument-why-PREEMPT_RT-uses-a-spinlock.patch | 2 +- ...tplug-lock-a-sleeping-spinlock-on-rt.patch | 2 +- .../all/rt/cpu-rt-rework-cpu-down.patch | 2 +- ...-a-UNINTERRUPTIBLE-hrtimer_nanosleep.patch | 2 +- .../cpu_down_move_migrate_enable_back.patch | 2 +- ...rop-K8-s-driver-from-beeing-selected.patch | 2 +- .../rt/cpumask-disable-offstack-on-rt.patch | 2 +- ...-preempt-disabled-regions-more-algos.patch | 2 +- .../crypto-ccp-remove-rwlocks_types.h.patch | 2 +- .../features/all/rt/debugobjects-rt.patch | 2 +- .../features/all/rt/dm-make-rt-aware.patch | 2 +- ...am-Replace-bit-spinlocks-with-rtmute.patch | 2 +- .../drivers-net-8139-disable-irq-nosync.patch | 2 +- .../rt/drivers-net-fix-livelock-issues.patch | 2 +- ...rivers-net-vortex-fix-locking-issues.patch | 2 +- ...andom-reduce-preempt-disabled-region.patch | 2 +- .../rt/drivers-tty-fix-omap-lock-crap.patch | 2 +- ...rivers-tty-pl011-irq-disable-madness.patch | 2 +- ...op-trace_i915_gem_ring_dispatch-onrt.patch | 2 +- ...rq()_in_intel_pipe_update_startend().patch | 2 +- ...disableenable_rt()_where_recommended.patch | 2 +- ...on-t-disable-preemption-during-trace.patch | 2 +- .../all/rt/epoll-use-get-cpu-light.patch | 2 +- .../all/rt/fs-aio-simple-simple-work.patch | 4 +-- .../features/all/rt/fs-block-rt-support.patch | 2 +- ...cache-use-cpu-chill-in-trylock-loops.patch | 2 +- .../all/rt/fs-jbd-replace-bh_state-lock.patch | 2 +- ...ull-your-plug-when-waiting-for-space.patch | 2 +- .../all/rt/fs-namespace-preemption-fix.patch | 2 +- .../rt/fs-ntfs-disable-interrupt-non-rt.patch | 2 +- .../fs-replace-bh_uptodate_lock-for-rt.patch | 2 +- .../rt/ftrace-migrate-disable-tracing.patch | 2 +- .../all/rt/futex-requeue-pi-fix.patch | 2 +- .../all/rt/genirq-disable-irqpoll-on-rt.patch | 2 +- ...voke-the-affinity-callback-via-a-wor.patch | 2 +- .../all/rt/genirq-force-threading.patch | 2 +- ...-irq_set_irqchip_state-documentation.patch | 2 +- ...cpus_allowed_ptr-in-sync_unplug_thre.patch | 2 +- .../rt/hotplug-light-get-online-cpus.patch | 2 +- ...ync_unplug-no-27-5cn-27-in-task-name.patch | 2 +- .../all/rt/hotplug-use-migrate-disable.patch | 2 +- ...-schedule_work-call-to-helper-thread.patch | 2 +- .../rt/hrtimer-enfore-64byte-alignment.patch | 2 +- ...timer-callback-changes-for-preempt-r.patch | 2 +- .../rt/hrtimers-prepare-full-preemption.patch | 2 +- ...on-t-ignore-threshold-module-paramet.patch | 2 +- ...pdate-hwlat_detector-to-add-outer-lo.patch | 2 +- ...r-Use-thread-instead-of-stop-machine.patch | 2 +- ...r-Use-trace_clock_local-if-available.patch | 2 +- .../patches/features/all/rt/hwlatdetect.patch | 2 +- ...-omap-drop-the-lock-hard-irq-context.patch | 2 +- ...ng-from-i915-when-running-on-PREEMPT.patch | 2 +- .../features/all/rt/i915_compile_fix.patch | 2 +- .../rt/ide-use-nort-local-irq-variants.patch | 2 +- .../idr-use-local-lock-for-protection.patch | 2 +- .../infiniband-mellanox-ib-use-nort-irq.patch | 2 +- ...finiband-ulp-ipoib-remove-pkey_mutex.patch | 2 +- .../rt/inpt-gameport-use-local-irq-nort.patch | 2 +- .../introduce_migrate_disable_cpu_light.patch | 2 +- .../all/rt/iommu-amd--Use-WARN_ON_NORT.patch | 2 +- ...Implement-lockless-pipelined-wakeups.patch | 2 +- .../rt/ipc-sem-rework-semaphore-wakeups.patch | 2 +- ...irq-processing-in-irq-thread-context.patch | 2 +- ...rk-Move-irq-safe-work-to-irq-context.patch | 2 +- ...-push_most_work_into_softirq_context.patch | 2 +- .../features/all/rt/jump-label-rt.patch | 2 +- .../rt/kconfig-disable-a-few-options-rt.patch | 2 +- .../all/rt/kconfig-preempt-rt-full.patch | 2 +- ...el-SRCU-provide-a-static-initializer.patch | 2 +- ...pu-down-problem-if-kthread-s-cpu-is-.patch | 2 +- ...restore-original-cpu-mask-oncpu-down.patch | 2 +- ...isable-do-fastpath-in-atomic-irqs-of.patch | 2 +- ...-perf_cpu_context-s-timer-as-irqsafe.patch | 2 +- ...n-t-try-to-print-from-IRQ-NMI-region.patch | 2 +- ...nly-warn-once-on-a-try-lock-from-bad.patch | 2 +- .../kernel-softirq-unlock-with-irqs-on.patch | 2 +- .../all/rt/kgb-serial-hackaround.patch | 2 +- .../features/all/rt/latency-hist.patch | 2 +- ...tency_hist-update-sched_wakeup-probe.patch | 2 +- .../rt/latencyhist-disable-jump-labels.patch | 2 +- ...ds-trigger-disable-CPU-trigger-on-RT.patch | 2 +- .../patches/features/all/rt/lglocks-rt.patch | 2 +- .../list_bl-fixup-bogus-lockdep-warning.patch | 2 +- ..._bl.h-make-list-head-locking-RT-safe.patch | 2 +- .../rt/local-irq-rt-depending-variants.patch | 2 +- .../all/rt/locallock-add-local_lock_on.patch | 2 +- .../features/all/rt/localversion.patch | 4 +-- .../lockdep-no-softirq-accounting-on-rt.patch | 2 +- ...-fix-warnings-due-to-missing-PREEMPT.patch | 2 +- ...ardirq-context-test-for-raw-spinlock.patch | 2 +- ...ure-Do-NOT-include-rwlock.h-directly.patch | 2 +- ...()_in_lg_double_locklg_double_unlock.patch | 2 +- .../features/all/rt/md-disable-bcache.patch | 2 +- .../md-raid5-percpu-handling-rt-aware.patch | 2 +- .../all/rt/mips-disable-highmem-on-rt.patch | 2 +- ...--rt--Fix-generic-kmap_atomic-for-RT.patch | 2 +- ...on-t-disable-IRQs-in-wb_congested_pu.patch | 2 +- .../rt/mm-bounce-local-irq-save-nort.patch | 2 +- .../rt/mm-convert-swap-to-percpu-locked.patch | 2 +- .../features/all/rt/mm-disable-sloub-rt.patch | 2 +- .../features/all/rt/mm-enable-slub.patch | 2 +- .../all/rt/mm-make-vmstat-rt-aware.patch | 2 +- ...n-t-call-schedule_work_on-in-preempt.patch | 2 +- .../rt/mm-memcontrol-do_not_disable_irq.patch | 2 +- ...m_cgroup_migrate-replace-another-loc.patch | 30 +++++++++++++++++++ ...e-alloc-use-local-lock-on-target-cpu.patch | 2 +- ...e_alloc-reduce-lock-sections-further.patch | 2 +- ...page_alloc-rt-friendly-per-cpu-pages.patch | 2 +- ...m-perform-lru_add_drain_all-remotely.patch | 2 +- .../rt/mm-protect-activate-switch-mm.patch | 2 +- .../all/rt/mm-rt-kmap-atomic-scheduling.patch | 2 +- ...-scatterlist-dont-disable-irqs-on-RT.patch | 2 +- .../all/rt/mm-vmalloc-use-get-cpu-light.patch | 2 +- ...-not-protect-workingset_shadow_nodes.patch | 2 +- ...get-put_cpu_light-in-zs_map_object-z.patch | 2 +- .../all/rt/mmci-remove-bogus-irq-save.patch | 2 +- .../move_sched_delayed_work_to_helper.patch | 2 +- .../features/all/rt/mutex-no-spin-on-rt.patch | 2 +- ...al-irq-disable-alloc-atomic-headache.patch | 2 +- ...tplug-drain-input_pkt_queue-lockless.patch | 2 +- ...-users-of-napi_alloc_cache-against-r.patch | 2 +- ...ake-qdisc-s-busylock-in-__dev_xmit_s.patch | 2 +- ...ble-xt-write-recseq-begin-rt-fallout.patch | 2 +- .../net-make-devnet_rename_seq-a-mutex.patch | 2 +- ...recursion-to-per-task-variable-on-RT.patch | 2 +- .../all/rt/net-prevent-abba-deadlock.patch | 2 +- ...y-to-delegate-processing-a-softirq-t.patch | 2 +- ...activate_many-use-msleep-1-instead-o.patch | 2 +- .../net-tx-action-avoid-livelock-on-rt.patch | 2 +- .../features/all/rt/net-use-cpu-chill.patch | 2 +- .../all/rt/net-wireless-warn-nort.patch | 2 +- ...-rcu_expedited_conditional-on-non-rt.patch | 2 +- .../features/all/rt/oleg-signal-rt-fix.patch | 2 +- .../all/rt/panic-disable-random-on-rt.patch | 2 +- ...ce-rcu-bh-qs-where-safe-from-softirq.patch | 2 +- .../pci-access-use-__wake_up_all_locked.patch | 2 +- .../all/rt/percpu_ida-use-locklocks.patch | 2 +- .../perf-make-swevent-hrtimer-irqsafe.patch | 2 +- .../all/rt/peter_zijlstra-frob-rcu.patch | 2 +- .../all/rt/peterz-srcu-crypto-chain.patch | 2 +- .../all/rt/pid.h-include-atomic.h.patch | 4 +-- .../patches/features/all/rt/ping-sysrq.patch | 2 +- .../all/rt/posix-timers-no-broadcast.patch | 2 +- ...timers-thread-posix-cpu-timers-on-rt.patch | 2 +- .../all/rt/power-disable-highmem-on-rt.patch | 2 +- .../rt/power-use-generic-rwsem-on-rt.patch | 2 +- ...ble-in-kernel-MPIC-emulation-for-PRE.patch | 2 +- .../all/rt/powerpc-preempt-lazy-support.patch | 2 +- ...ce-init.c-adapt-to-completions-using.patch | 2 +- .../preempt-lazy-check-preempt_schedule.patch | 2 +- .../all/rt/preempt-lazy-support.patch | 2 +- .../all/rt/preempt-nort-rt-variants.patch | 2 +- ...27-boot-param-to-help-with-debugging.patch | 2 +- .../patches/features/all/rt/printk-kill.patch | 2 +- .../features/all/rt/printk-rt-aware.patch | 2 +- ...ace-fix-ptrace-vs-tasklist_lock-race.patch | 2 +- .../features/all/rt/radix-tree-rt-aware.patch | 2 +- .../all/rt/random-make-it-work-on-rt.patch | 2 +- ...nate-softirq-processing-from-rcutree.patch | 2 +- .../rt/rcu-disable-more-spots-of-rcu_bh.patch | 2 +- .../rt/rcu-disable-rcu-fast-no-hz-on-rt.patch | 2 +- .../rt/rcu-make-RCU_BOOST-default-on-RT.patch | 2 +- ...merge-rcu-bh-into-rcu-preempt-for-rt.patch | 2 +- ...nt-out-rcu_bh-ops-on-PREEMPT_RT_FULL.patch | 2 +- ...s-disable-irq-while-calling-rcu_pree.patch | 2 +- ...ate_disable-race-with-cpu-hotplug-3f.patch | 2 +- ...l-arm-coredump-fails-for-cpu-3e-3d-4.patch | 2 +- .../all/rt/relay-fix-timer-madness.patch | 2 +- ...function-called-from-invalid-context.patch | 2 +- .../features/all/rt/rt-add-rt-locks.patch | 2 +- .../all/rt/rt-introduce-cpu-chill.patch | 2 +- .../features/all/rt/rt-local-irq-lock.patch | 2 +- ...-Reenable-migration-accross-schedule.patch | 2 +- .../all/rt/rt-preempt-base-config.patch | 2 +- .../features/all/rt/rt-serial-warn-fix.patch | 2 +- ...ndle-non-enqueued-waiters-gracefully.patch | 2 +- ...tmutex-Use-chainwalking-control-enum.patch | 2 +- ...rtmutex-add-a-first-shot-of-ww_mutex.patch | 2 +- .../all/rt/rtmutex-avoid-include-hell.patch | 2 +- .../all/rt/rtmutex-futex-prepare-rt.patch | 2 +- .../all/rt/rtmutex-lock-killable.patch | 2 +- ...wn-migrate_disable-into-rt_spin_lock.patch | 2 +- .../rt/rtmutex-trylock-is-okay-on-RT.patch | 2 +- .../all/rt/rtmutex_dont_include_rcu.patch | 2 +- ...t-t-disable-interrupts-in-qc_issue-h.patch | 2 +- ...is7xx_Drop_bogus_use_of_IRQF_ONESHOT.patch | 2 +- ...line-dl_task_timer-has-to-be-irqsafe.patch | 2 +- .../all/rt/sched-delay-put-task.patch | 2 +- .../sched-disable-rt-group-sched-on-rt.patch | 2 +- .../all/rt/sched-disable-ttwu-queue.patch | 2 +- .../all/rt/sched-limit-nr-migrate.patch | 2 +- ...might-sleep-do-not-account-rcu-depth.patch | 2 +- .../all/rt/sched-mmdrop-delayed.patch | 2 +- ...empt-Fix-preempt_count-manipulations.patch | 2 +- ...provide-a-tsk_nr_cpus_allowed-helper.patch | 2 +- .../all/rt/sched-rt-mutex-wakeup.patch | 2 +- ...twu-ensure-success-return-is-correct.patch | 2 +- ...us_allowed-instead-of-accessing-cpus.patch | 2 +- ...Only-wake-up-idle-workers-if-not-blo.patch | 2 +- .../features/all/rt/scsi-fcoe-rt-aware.patch | 2 +- ...function-called-from-invalid-context.patch | 2 +- .../rt/seqlock-prevent-rt-starvation.patch | 2 +- .../all/rt/signal-fix-up-rcu-wreckage.patch | 2 +- .../signal-revert-ptrace-preempt-magic.patch | 2 +- ...t-tasks-to-cache-one-sigqueue-struct.patch | 2 +- .../features/all/rt/skbufhead-raw-lock.patch | 2 +- .../rt/slub-disable-SLUB_CPU_PARTIAL.patch | 2 +- .../all/rt/slub-enable-irqs-for-no-wait.patch | 2 +- ...pcm_stream_lock-irqs_disabled-splats.patch | 2 +- ...oftirq-disable-softirq-stacks-for-rt.patch | 2 +- .../all/rt/softirq-preempt-fix-3-re.patch | 2 +- .../features/all/rt/softirq-split-locks.patch | 2 +- ...plit-timer-softirqs-out-of-ksoftirqd.patch | 2 +- ...arc64-use-generic-rwsem-spinlocks-rt.patch | 2 +- .../all/rt/spinlock-types-separate-raw.patch | 2 +- ...eate-lg_global_trylock_relax-primiti.patch | 2 +- ...e-lg_global_trylock_relax-to-dead-wi.patch | 2 +- .../all/rt/stop-machine-raw-lock.patch | 2 +- ...nvert-stop_machine_run-to-PREEMPT_RT.patch | 2 +- ...vc_xprt_do_enqueue-use-get_cpu_light.patch | 2 +- .../suspend-prevernt-might-sleep-splats.patch | 2 +- .../all/rt/sysfs-realtime-entry.patch | 2 +- ...-from-going-into-infinite-spin-in-rt.patch | 2 +- ...rmal-Defer-thermal-wakups-to-threads.patch | 4 +-- ...tick-broadcast--Make-hrtimer-irqsafe.patch | 2 +- .../rt/timekeeping-split-jiffies-lock.patch | 2 +- ...-waking-softirqs-from-the-jiffy-tick.patch | 2 +- .../all/rt/timer-fd-avoid-live-lock.patch | 2 +- ...id-the-base-null-otptimization-on-rt.patch | 2 +- .../all/rt/timers-preempt-rt-support.patch | 2 +- .../timers-prepare-for-full-preemption.patch | 2 +- ...f-by-one-while-recording-the-trace-e.patch | 2 +- ...st-Consider-new-argument-when-probin.patch | 2 +- ...sion_for_preemptoff_hist_trace_point.patch | 2 +- ...-for-preempt-off-in-preempt_schedule.patch | 2 +- ...0-don-t-take-the-trylock-during-oops.patch | 2 +- ...ove-preemption-disabling-in-netif_rx.patch | 2 +- .../all/rt/usb-use-_nort-in-giveback.patch | 2 +- .../all/rt/user-use-local-irq-nort.patch | 2 +- .../all/rt/wait.h-include-atomic.h.patch | 2 +- ...rk-around-irqsafe-timer-optimization.patch | 2 +- ...mple-Simple-work-queue-implemenation.patch | 20 ++++++------- .../rt/workqueue-distangle-from-rq-lock.patch | 2 +- .../rt/workqueue-prevent-deadlock-stall.patch | 2 +- .../all/rt/workqueue-use-locallock.patch | 2 +- .../features/all/rt/workqueue-use-rcu.patch | 2 +- .../rt/x86-UV-raw_spinlock-conversion.patch | 2 +- ...ypto-reduce-preempt-disabled-regions.patch | 2 +- ...highmem-add-a-already-used-pte-check.patch | 2 +- .../all/rt/x86-io-apic-migra-no-unmask.patch | 2 +- .../rt/x86-kvm-require-const-tsc-for-rt.patch | 2 +- .../all/rt/x86-mce-timer-hrtimer.patch | 2 +- ...-mce-use-swait-queue-for-mce-wakeups.patch | 4 +-- .../features/all/rt/x86-preempt-lazy.patch | 2 +- ...ignal-delay-calling-signals-on-32bit.patch | 2 +- .../rt/x86-stackprot-no-random-on-rt.patch | 2 +- .../rt/x86-use-gen-rwsem-spinlocks-rt.patch | 2 +- debian/patches/series-rt | 1 + 294 files changed, 339 insertions(+), 307 deletions(-) create mode 100644 debian/patches/features/all/rt/mm-memcontrol-mem_cgroup_migrate-replace-another-loc.patch diff --git a/debian/changelog b/debian/changelog index ef4cf0ea2804..7c768ec7ef3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,9 @@ linux (4.6.2-2) UNRELEASED; urgency=medium * [mips*] Fix ABI changes in 4.6.2 + * [rt] Update to 4.6.2-rt5: + - mm/memcontrol: mem_cgroup_migrate() - replace another local_irq_disable() + w. local_lock_irq() -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/patches/features/all/rt/0005-futex-Ensure-lock-unlock-symetry-versus-pi_lock-and-.patch b/debian/patches/features/all/rt/0005-futex-Ensure-lock-unlock-symetry-versus-pi_lock-and-.patch index 5118efc25aa7..f01b90606f2b 100644 --- a/debian/patches/features/all/rt/0005-futex-Ensure-lock-unlock-symetry-versus-pi_lock-and-.patch +++ b/debian/patches/features/all/rt/0005-futex-Ensure-lock-unlock-symetry-versus-pi_lock-and-.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 1 Mar 2013 11:17:42 +0100 Subject: futex: Ensure lock/unlock symetry versus pi_lock and hash bucket lock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz In exit_pi_state_list() we have the following locking construct: diff --git a/debian/patches/features/all/rt/ARM-enable-irq-in-translation-section-permission-fau.patch b/debian/patches/features/all/rt/ARM-enable-irq-in-translation-section-permission-fau.patch index da60a2196ab6..7335c9f3ee2e 100644 --- a/debian/patches/features/all/rt/ARM-enable-irq-in-translation-section-permission-fau.patch +++ b/debian/patches/features/all/rt/ARM-enable-irq-in-translation-section-permission-fau.patch @@ -1,7 +1,7 @@ From: "Yadi.hu" Date: Wed, 10 Dec 2014 10:32:09 +0800 Subject: ARM: enable irq in translation/section permission fault handlers -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Probably happens on all ARM, with CONFIG_PREEMPT_RT_FULL diff --git a/debian/patches/features/all/rt/ARM-imx-always-use-TWD-on-IMX6Q.patch b/debian/patches/features/all/rt/ARM-imx-always-use-TWD-on-IMX6Q.patch index 43eb21349e86..4ae196a10f5f 100644 --- a/debian/patches/features/all/rt/ARM-imx-always-use-TWD-on-IMX6Q.patch +++ b/debian/patches/features/all/rt/ARM-imx-always-use-TWD-on-IMX6Q.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 6 Apr 2016 17:30:28 +0200 Subject: [PATCH] ARM: imx: always use TWD on IMX6Q -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz There is no reason to limit the TWD to be used on SMP kernels only if the hardware has it available. diff --git a/debian/patches/features/all/rt/HACK-printk-drop-the-logbuf_lock-more-often.patch b/debian/patches/features/all/rt/HACK-printk-drop-the-logbuf_lock-more-often.patch index 0fce7f3c1947..3b662f1bea36 100644 --- a/debian/patches/features/all/rt/HACK-printk-drop-the-logbuf_lock-more-often.patch +++ b/debian/patches/features/all/rt/HACK-printk-drop-the-logbuf_lock-more-often.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 21 Mar 2013 19:01:05 +0100 Subject: printk: Drop the logbuf_lock more often -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The lock is hold with irgs off. The latency drops 500us+ on my arm bugs with a "full" buffer after executing "dmesg" on the shell. diff --git a/debian/patches/features/all/rt/KVM-arm-arm64-downgrade-preempt_disable-d-region-to-.patch b/debian/patches/features/all/rt/KVM-arm-arm64-downgrade-preempt_disable-d-region-to-.patch index 89d7097e8df4..3a724e61a942 100644 --- a/debian/patches/features/all/rt/KVM-arm-arm64-downgrade-preempt_disable-d-region-to-.patch +++ b/debian/patches/features/all/rt/KVM-arm-arm64-downgrade-preempt_disable-d-region-to-.patch @@ -1,7 +1,7 @@ From: Josh Cartwright Date: Thu, 11 Feb 2016 11:54:01 -0600 Subject: KVM: arm/arm64: downgrade preempt_disable()d region to migrate_disable() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz kvm_arch_vcpu_ioctl_run() disables the use of preemption when updating the vgic and timer states to prevent the calling task from migrating to diff --git a/debian/patches/features/all/rt/KVM-lapic-mark-LAPIC-timer-handler-as-irqsafe.patch b/debian/patches/features/all/rt/KVM-lapic-mark-LAPIC-timer-handler-as-irqsafe.patch index 7644e58ca740..15c075bcac59 100644 --- a/debian/patches/features/all/rt/KVM-lapic-mark-LAPIC-timer-handler-as-irqsafe.patch +++ b/debian/patches/features/all/rt/KVM-lapic-mark-LAPIC-timer-handler-as-irqsafe.patch @@ -1,7 +1,7 @@ From: Marcelo Tosatti Date: Wed, 8 Apr 2015 20:33:25 -0300 Subject: KVM: lapic: mark LAPIC timer handler as irqsafe -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Since lapic timer handler only wakes up a simple waitqueue, it can be executed from hardirq context. diff --git a/debian/patches/features/all/rt/acpi-rt-Convert-acpi_gbl_hardware-lock-back-to-a-raw.patch b/debian/patches/features/all/rt/acpi-rt-Convert-acpi_gbl_hardware-lock-back-to-a-raw.patch index 755ac51bfae0..5bd1dfea7fc3 100644 --- a/debian/patches/features/all/rt/acpi-rt-Convert-acpi_gbl_hardware-lock-back-to-a-raw.patch +++ b/debian/patches/features/all/rt/acpi-rt-Convert-acpi_gbl_hardware-lock-back-to-a-raw.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Wed, 13 Feb 2013 09:26:05 -0500 Subject: acpi/rt: Convert acpi_gbl_hardware lock back to a raw_spinlock_t -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We hit the following bug with 3.6-rt: diff --git a/debian/patches/features/all/rt/arch-arm64-Add-lazy-preempt-support.patch b/debian/patches/features/all/rt/arch-arm64-Add-lazy-preempt-support.patch index 27ba6846e143..c118f0038af3 100644 --- a/debian/patches/features/all/rt/arch-arm64-Add-lazy-preempt-support.patch +++ b/debian/patches/features/all/rt/arch-arm64-Add-lazy-preempt-support.patch @@ -1,7 +1,7 @@ From: Anders Roxell Date: Thu, 14 May 2015 17:52:17 +0200 Subject: arch/arm64: Add lazy preempt support -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz arm64 is missing support for PREEMPT_RT. The main feature which is lacking is support for lazy preemption. The arch-specific entry code, diff --git a/debian/patches/features/all/rt/arm-arm64-lazy-preempt-add-TIF_NEED_RESCHED_LAZY-to-.patch b/debian/patches/features/all/rt/arm-arm64-lazy-preempt-add-TIF_NEED_RESCHED_LAZY-to-.patch index a0675382b2da..355d502bac06 100644 --- a/debian/patches/features/all/rt/arm-arm64-lazy-preempt-add-TIF_NEED_RESCHED_LAZY-to-.patch +++ b/debian/patches/features/all/rt/arm-arm64-lazy-preempt-add-TIF_NEED_RESCHED_LAZY-to-.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 22 Jan 2016 21:33:39 +0100 Subject: arm+arm64: lazy-preempt: add TIF_NEED_RESCHED_LAZY to _TIF_WORK_MASK -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz _TIF_WORK_MASK is used to check for TIF_NEED_RESCHED so we need to check for TIF_NEED_RESCHED_LAZY here, too. diff --git a/debian/patches/features/all/rt/arm-at91-pit-remove-irq-handler-when-clock-is-unused.patch b/debian/patches/features/all/rt/arm-at91-pit-remove-irq-handler-when-clock-is-unused.patch index 3cd356210663..70166631daf2 100644 --- a/debian/patches/features/all/rt/arm-at91-pit-remove-irq-handler-when-clock-is-unused.patch +++ b/debian/patches/features/all/rt/arm-at91-pit-remove-irq-handler-when-clock-is-unused.patch @@ -1,7 +1,7 @@ From: Benedikt Spranger Date: Sat, 6 Mar 2010 17:47:10 +0100 Subject: ARM: AT91: PIT: Remove irq handler when clock event is unused -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Setup and remove the interrupt handler in clock event mode selection. This avoids calling the (shared) interrupt handler when the device is diff --git a/debian/patches/features/all/rt/arm-at91-tclib-default-to-tclib-timer-for-rt.patch b/debian/patches/features/all/rt/arm-at91-tclib-default-to-tclib-timer-for-rt.patch index f4fef985df20..d79082a2b07c 100644 --- a/debian/patches/features/all/rt/arm-at91-tclib-default-to-tclib-timer-for-rt.patch +++ b/debian/patches/features/all/rt/arm-at91-tclib-default-to-tclib-timer-for-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sat, 1 May 2010 18:29:35 +0200 Subject: ARM: at91: tclib: Default to tclib timer for RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT is not too happy about the shared timer interrupt in AT91 devices. Default to tclib timer for RT. diff --git a/debian/patches/features/all/rt/arm-convert-boot-lock-to-raw.patch b/debian/patches/features/all/rt/arm-convert-boot-lock-to-raw.patch index 6cf9774e0c20..7f78397723f8 100644 --- a/debian/patches/features/all/rt/arm-convert-boot-lock-to-raw.patch +++ b/debian/patches/features/all/rt/arm-convert-boot-lock-to-raw.patch @@ -1,7 +1,7 @@ From: Frank Rowand Date: Mon, 19 Sep 2011 14:51:14 -0700 Subject: arm: Convert arm boot_lock to raw -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The arm boot_lock is used by the secondary processor startup code. The locking task is the idle thread, which has idle->sched_class == &idle_sched_class. diff --git a/debian/patches/features/all/rt/arm-enable-highmem-for-rt.patch b/debian/patches/features/all/rt/arm-enable-highmem-for-rt.patch index 718110a3f597..7188e4145d30 100644 --- a/debian/patches/features/all/rt/arm-enable-highmem-for-rt.patch +++ b/debian/patches/features/all/rt/arm-enable-highmem-for-rt.patch @@ -1,7 +1,7 @@ Subject: arm: Enable highmem for rt From: Thomas Gleixner Date: Wed, 13 Feb 2013 11:03:11 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz fixup highmem for ARM. diff --git a/debian/patches/features/all/rt/arm-highmem-flush-tlb-on-unmap.patch b/debian/patches/features/all/rt/arm-highmem-flush-tlb-on-unmap.patch index 95ebf0e45863..6ea9e19dafef 100644 --- a/debian/patches/features/all/rt/arm-highmem-flush-tlb-on-unmap.patch +++ b/debian/patches/features/all/rt/arm-highmem-flush-tlb-on-unmap.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Mon, 11 Mar 2013 21:37:27 +0100 Subject: arm/highmem: Flush tlb on unmap -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The tlb should be flushed on unmap and thus make the mapping entry invalid. This is only done in the non-debug case which does not look diff --git a/debian/patches/features/all/rt/arm-lazy-preempt-correct-resched-condition.patch b/debian/patches/features/all/rt/arm-lazy-preempt-correct-resched-condition.patch index 38592e4a464f..9dbdd84eb50c 100644 --- a/debian/patches/features/all/rt/arm-lazy-preempt-correct-resched-condition.patch +++ b/debian/patches/features/all/rt/arm-lazy-preempt-correct-resched-condition.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Tue, 24 May 2016 12:56:38 +0200 Subject: [PATCH] arm: lazy preempt: correct resched condition -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If we get out of preempt_schedule_irq() then we check for NEED_RESCHED and call the former function again if set because the preemption counter diff --git a/debian/patches/features/all/rt/arm-preempt-lazy-support.patch b/debian/patches/features/all/rt/arm-preempt-lazy-support.patch index e6b1b25c318f..c48735e55a23 100644 --- a/debian/patches/features/all/rt/arm-preempt-lazy-support.patch +++ b/debian/patches/features/all/rt/arm-preempt-lazy-support.patch @@ -1,7 +1,7 @@ Subject: arm: Add support for lazy preemption From: Thomas Gleixner Date: Wed, 31 Oct 2012 12:04:11 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Implement the arm pieces for lazy preempt. diff --git a/debian/patches/features/all/rt/arm-unwind-use_raw_lock.patch b/debian/patches/features/all/rt/arm-unwind-use_raw_lock.patch index 9e5c26d6b3cd..af969eb0af1f 100644 --- a/debian/patches/features/all/rt/arm-unwind-use_raw_lock.patch +++ b/debian/patches/features/all/rt/arm-unwind-use_raw_lock.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 20 Sep 2013 14:31:54 +0200 Subject: arm/unwind: use a raw_spin_lock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Mostly unwind is done with irqs enabled however SLUB may call it with irqs disabled while creating a new SLUB cache. diff --git a/debian/patches/features/all/rt/arm64-xen--Make-XEN-depend-on-non-rt.patch b/debian/patches/features/all/rt/arm64-xen--Make-XEN-depend-on-non-rt.patch index e1f6da1ca586..574dafc3bdd5 100644 --- a/debian/patches/features/all/rt/arm64-xen--Make-XEN-depend-on-non-rt.patch +++ b/debian/patches/features/all/rt/arm64-xen--Make-XEN-depend-on-non-rt.patch @@ -1,7 +1,7 @@ Subject: arm64/xen: Make XEN depend on !RT From: Thomas Gleixner Date: Mon, 12 Oct 2015 11:18:40 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz It's not ready and probably never will be, unless xen folks have a look at it. diff --git a/debian/patches/features/all/rt/at91_dont_enable_disable_clock.patch b/debian/patches/features/all/rt/at91_dont_enable_disable_clock.patch index a1df39444469..acba74961ab4 100644 --- a/debian/patches/features/all/rt/at91_dont_enable_disable_clock.patch +++ b/debian/patches/features/all/rt/at91_dont_enable_disable_clock.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 09 Mar 2016 10:51:06 +0100 Subject: arm: at91: do not disable/enable clocks in a row -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Currently the driver will disable the clock and enable it one line later if it is switching from periodic mode into one shot. diff --git a/debian/patches/features/all/rt/ata-disable-interrupts-if-non-rt.patch b/debian/patches/features/all/rt/ata-disable-interrupts-if-non-rt.patch index 587730338216..4b4d10d5cd97 100644 --- a/debian/patches/features/all/rt/ata-disable-interrupts-if-non-rt.patch +++ b/debian/patches/features/all/rt/ata-disable-interrupts-if-non-rt.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Fri, 3 Jul 2009 08:44:29 -0500 Subject: ata: Do not disable interrupts in ide code for preempt-rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the local_irq_*_nort variants. diff --git a/debian/patches/features/all/rt/blk-mq-revert-raw-locks-post-pone-notifier-to-POST_D.patchto-POST_D.patch b/debian/patches/features/all/rt/blk-mq-revert-raw-locks-post-pone-notifier-to-POST_D.patchto-POST_D.patch index 1bec16480ead..c825fe1df559 100644 --- a/debian/patches/features/all/rt/blk-mq-revert-raw-locks-post-pone-notifier-to-POST_D.patchto-POST_D.patch +++ b/debian/patches/features/all/rt/blk-mq-revert-raw-locks-post-pone-notifier-to-POST_D.patchto-POST_D.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Sat, 3 May 2014 11:00:29 +0200 Subject: blk-mq: revert raw locks, post pone notifier to POST_DEAD -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The blk_mq_cpu_notify_lock should be raw because some CPU down levels are called with interrupts off. The notifier itself calls currently one diff --git a/debian/patches/features/all/rt/block-blk-mq-use-swait.patch b/debian/patches/features/all/rt/block-blk-mq-use-swait.patch index cf5860359d57..8afb5290b00b 100644 --- a/debian/patches/features/all/rt/block-blk-mq-use-swait.patch +++ b/debian/patches/features/all/rt/block-blk-mq-use-swait.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 13 Feb 2015 11:01:26 +0100 Subject: block: blk-mq: Use swait -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz | BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:914 | in_atomic(): 1, irqs_disabled(): 0, pid: 255, name: kworker/u257:6 diff --git a/debian/patches/features/all/rt/block-mq-don-t-complete-requests-via-IPI.patch b/debian/patches/features/all/rt/block-mq-don-t-complete-requests-via-IPI.patch index aca2e72a2b5b..fd2874084d57 100644 --- a/debian/patches/features/all/rt/block-mq-don-t-complete-requests-via-IPI.patch +++ b/debian/patches/features/all/rt/block-mq-don-t-complete-requests-via-IPI.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 29 Jan 2015 15:10:08 +0100 Subject: block/mq: don't complete requests via IPI -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The IPI runs in hardirq context and there are sleeping locks. This patch moves the completion into a workqueue. diff --git a/debian/patches/features/all/rt/block-mq-drop-preempt-disable.patch b/debian/patches/features/all/rt/block-mq-drop-preempt-disable.patch index e75435767112..0bbf93a3a95e 100644 --- a/debian/patches/features/all/rt/block-mq-drop-preempt-disable.patch +++ b/debian/patches/features/all/rt/block-mq-drop-preempt-disable.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: block/mq: do not invoke preempt_disable() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz preempt_disable() and get_cpu() don't play well together with the sleeping locks it tries to allocate later. diff --git a/debian/patches/features/all/rt/block-mq-use-cpu_light.patch b/debian/patches/features/all/rt/block-mq-use-cpu_light.patch index caee572941a3..8af016551c82 100644 --- a/debian/patches/features/all/rt/block-mq-use-cpu_light.patch +++ b/debian/patches/features/all/rt/block-mq-use-cpu_light.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 9 Apr 2014 10:37:23 +0200 Subject: block: mq: use cpu_light() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz there is a might sleep splat because get_cpu() disables preemption and later we grab a lock. As a workaround for this we use get_cpu_light(). diff --git a/debian/patches/features/all/rt/block-shorten-interrupt-disabled-regions.patch b/debian/patches/features/all/rt/block-shorten-interrupt-disabled-regions.patch index 7e3d3b025a6a..1a310102fe9b 100644 --- a/debian/patches/features/all/rt/block-shorten-interrupt-disabled-regions.patch +++ b/debian/patches/features/all/rt/block-shorten-interrupt-disabled-regions.patch @@ -1,7 +1,7 @@ Subject: block: Shorten interrupt disabled regions From: Thomas Gleixner Date: Wed, 22 Jun 2011 19:47:02 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Moving the blk_sched_flush_plug() call out of the interrupt/preempt disabled region in the scheduler allows us to replace diff --git a/debian/patches/features/all/rt/block-use-cpu-chill.patch b/debian/patches/features/all/rt/block-use-cpu-chill.patch index 777e23b8ffa1..c75ae41224a0 100644 --- a/debian/patches/features/all/rt/block-use-cpu-chill.patch +++ b/debian/patches/features/all/rt/block-use-cpu-chill.patch @@ -1,7 +1,7 @@ Subject: block: Use cpu_chill() for retry loops From: Thomas Gleixner Date: Thu, 20 Dec 2012 18:28:26 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Retry loops on RT might loop forever when the modifying side was preempted. Steven also observed a live lock when there was a diff --git a/debian/patches/features/all/rt/bug-rt-dependend-variants.patch b/debian/patches/features/all/rt/bug-rt-dependend-variants.patch index 7e89eb99f5ca..8a3d77ff98ee 100644 --- a/debian/patches/features/all/rt/bug-rt-dependend-variants.patch +++ b/debian/patches/features/all/rt/bug-rt-dependend-variants.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:58 -0500 Subject: bug: BUG_ON/WARN_ON variants dependend on RT/!RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Introduce RT/NON-RT WARN/BUG statements to avoid ifdefs in the code. diff --git a/debian/patches/features/all/rt/cgroups-scheduling-while-atomic-in-cgroup-code.patch b/debian/patches/features/all/rt/cgroups-scheduling-while-atomic-in-cgroup-code.patch index f1e72d29f8aa..456af419e65a 100644 --- a/debian/patches/features/all/rt/cgroups-scheduling-while-atomic-in-cgroup-code.patch +++ b/debian/patches/features/all/rt/cgroups-scheduling-while-atomic-in-cgroup-code.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Sat, 21 Jun 2014 10:09:48 +0200 Subject: memcontrol: Prevent scheduling while atomic in cgroup code -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz mm, memcg: make refill_stock() use get_cpu_light() diff --git a/debian/patches/features/all/rt/cgroups-use-simple-wait-in-css_release.patch b/debian/patches/features/all/rt/cgroups-use-simple-wait-in-css_release.patch index bfb9a1d0fc7e..5cc6cfd93d79 100644 --- a/debian/patches/features/all/rt/cgroups-use-simple-wait-in-css_release.patch +++ b/debian/patches/features/all/rt/cgroups-use-simple-wait-in-css_release.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 13 Feb 2015 15:52:24 +0100 Subject: cgroups: use simple wait in css_release() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz To avoid: |BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:914 @@ -39,7 +39,7 @@ Signed-off-by: Sebastian Andrzej Siewior #include #include #include -+#include ++#include #ifdef CONFIG_CGROUPS diff --git a/debian/patches/features/all/rt/clockevents-drivers-timer-atmel-pit-fix-double-free_.patch b/debian/patches/features/all/rt/clockevents-drivers-timer-atmel-pit-fix-double-free_.patch index c01ceae7c643..8377d56bb9a4 100644 --- a/debian/patches/features/all/rt/clockevents-drivers-timer-atmel-pit-fix-double-free_.patch +++ b/debian/patches/features/all/rt/clockevents-drivers-timer-atmel-pit-fix-double-free_.patch @@ -1,7 +1,7 @@ From: Alexandre Belloni Date: Thu, 17 Mar 2016 21:09:43 +0100 Subject: [PATCH] clockevents/drivers/timer-atmel-pit: fix double free_irq -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz clockevents_exchange_device() changes the state from detached to shutdown and so at that point the IRQ has not yet been requested. diff --git a/debian/patches/features/all/rt/clocksource-tclib-allow-higher-clockrates.patch b/debian/patches/features/all/rt/clocksource-tclib-allow-higher-clockrates.patch index 3151eccd2271..68e2da4e370d 100644 --- a/debian/patches/features/all/rt/clocksource-tclib-allow-higher-clockrates.patch +++ b/debian/patches/features/all/rt/clocksource-tclib-allow-higher-clockrates.patch @@ -1,7 +1,7 @@ From: Benedikt Spranger Date: Mon, 8 Mar 2010 18:57:04 +0100 Subject: clocksource: TCLIB: Allow higher clock rates for clock events -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz As default the TCLIB uses the 32KiHz base clock rate for clock events. Add a compile time selection to allow higher clock resulution. diff --git a/debian/patches/features/all/rt/completion-use-simple-wait-queues.patch b/debian/patches/features/all/rt/completion-use-simple-wait-queues.patch index afc7af4272e5..aa786cf11b52 100644 --- a/debian/patches/features/all/rt/completion-use-simple-wait-queues.patch +++ b/debian/patches/features/all/rt/completion-use-simple-wait-queues.patch @@ -1,7 +1,7 @@ Subject: completion: Use simple wait queues From: Thomas Gleixner Date: Fri, 11 Jan 2013 11:23:51 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Completions have no long lasting callbacks and therefor do not need the complex waitqueue variant. Use simple waitqueues which reduces the diff --git a/debian/patches/features/all/rt/cond-resched-lock-rt-tweak.patch b/debian/patches/features/all/rt/cond-resched-lock-rt-tweak.patch index 6b9284b2b64a..c8372926e99a 100644 --- a/debian/patches/features/all/rt/cond-resched-lock-rt-tweak.patch +++ b/debian/patches/features/all/rt/cond-resched-lock-rt-tweak.patch @@ -1,7 +1,7 @@ Subject: sched: Use the proper LOCK_OFFSET for cond_resched() From: Thomas Gleixner Date: Sun, 17 Jul 2011 22:51:33 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT does not increment preempt count when a 'sleeping' spinlock is locked. Update PREEMPT_LOCK_OFFSET for that case. diff --git a/debian/patches/features/all/rt/cond-resched-softirq-rt.patch b/debian/patches/features/all/rt/cond-resched-softirq-rt.patch index 05d00c05cc1f..3614b28df109 100644 --- a/debian/patches/features/all/rt/cond-resched-softirq-rt.patch +++ b/debian/patches/features/all/rt/cond-resched-softirq-rt.patch @@ -1,7 +1,7 @@ Subject: sched: Take RT softirq semantics into account in cond_resched() From: Thomas Gleixner Date: Thu, 14 Jul 2011 09:56:44 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The softirq semantics work different on -RT. There is no SOFTIRQ_MASK in the preemption counter which leads to the BUG_ON() statement in diff --git a/debian/patches/features/all/rt/cpu-hotplug-Document-why-PREEMPT_RT-uses-a-spinlock.patch b/debian/patches/features/all/rt/cpu-hotplug-Document-why-PREEMPT_RT-uses-a-spinlock.patch index c6f314bbd3f8..29df05a3d2d6 100644 --- a/debian/patches/features/all/rt/cpu-hotplug-Document-why-PREEMPT_RT-uses-a-spinlock.patch +++ b/debian/patches/features/all/rt/cpu-hotplug-Document-why-PREEMPT_RT-uses-a-spinlock.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Thu, 5 Dec 2013 09:16:52 -0500 Subject: cpu hotplug: Document why PREEMPT_RT uses a spinlock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The patch: diff --git a/debian/patches/features/all/rt/cpu-rt-make-hotplug-lock-a-sleeping-spinlock-on-rt.patch b/debian/patches/features/all/rt/cpu-rt-make-hotplug-lock-a-sleeping-spinlock-on-rt.patch index 262d4ec6388a..6b1ac95105c7 100644 --- a/debian/patches/features/all/rt/cpu-rt-make-hotplug-lock-a-sleeping-spinlock-on-rt.patch +++ b/debian/patches/features/all/rt/cpu-rt-make-hotplug-lock-a-sleeping-spinlock-on-rt.patch @@ -1,7 +1,7 @@ Subject: cpu: Make hotplug.lock a "sleeping" spinlock on RT From: Steven Rostedt Date: Fri, 02 Mar 2012 10:36:57 -0500 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Tasks can block on hotplug.lock in pin_current_cpu(), but their state might be != RUNNING. So the mutex wakeup will set the state diff --git a/debian/patches/features/all/rt/cpu-rt-rework-cpu-down.patch b/debian/patches/features/all/rt/cpu-rt-rework-cpu-down.patch index fc5090a6557a..0d622d2784da 100644 --- a/debian/patches/features/all/rt/cpu-rt-rework-cpu-down.patch +++ b/debian/patches/features/all/rt/cpu-rt-rework-cpu-down.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Mon, 16 Jul 2012 08:07:43 +0000 Subject: cpu/rt: Rework cpu down for PREEMPT_RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Bringing a CPU down is a pain with the PREEMPT_RT kernel because tasks can be preempted in many more places than in non-RT. In diff --git a/debian/patches/features/all/rt/cpu_chill-Add-a-UNINTERRUPTIBLE-hrtimer_nanosleep.patch b/debian/patches/features/all/rt/cpu_chill-Add-a-UNINTERRUPTIBLE-hrtimer_nanosleep.patch index 150c930d0f06..6d392bb9d207 100644 --- a/debian/patches/features/all/rt/cpu_chill-Add-a-UNINTERRUPTIBLE-hrtimer_nanosleep.patch +++ b/debian/patches/features/all/rt/cpu_chill-Add-a-UNINTERRUPTIBLE-hrtimer_nanosleep.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Tue, 4 Mar 2014 12:28:32 -0500 Subject: cpu_chill: Add a UNINTERRUPTIBLE hrtimer_nanosleep -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We hit another bug that was caused by switching cpu_chill() from msleep() to hrtimer_nanosleep(). diff --git a/debian/patches/features/all/rt/cpu_down_move_migrate_enable_back.patch b/debian/patches/features/all/rt/cpu_down_move_migrate_enable_back.patch index c21a1aac3f5d..f649457d0aa7 100644 --- a/debian/patches/features/all/rt/cpu_down_move_migrate_enable_back.patch +++ b/debian/patches/features/all/rt/cpu_down_move_migrate_enable_back.patch @@ -1,7 +1,7 @@ From: Tiejun Chen Subject: cpu_down: move migrate_enable() back Date: Thu, 7 Nov 2013 10:06:07 +0800 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Commit 08c1ab68, "hotplug-use-migrate-disable.patch", intends to use migrate_enable()/migrate_disable() to replace that combination diff --git a/debian/patches/features/all/rt/cpufreq-drop-K8-s-driver-from-beeing-selected.patch b/debian/patches/features/all/rt/cpufreq-drop-K8-s-driver-from-beeing-selected.patch index 035d811e93df..8dde00e17aa2 100644 --- a/debian/patches/features/all/rt/cpufreq-drop-K8-s-driver-from-beeing-selected.patch +++ b/debian/patches/features/all/rt/cpufreq-drop-K8-s-driver-from-beeing-selected.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 9 Apr 2015 15:23:01 +0200 Subject: cpufreq: drop K8's driver from beeing selected -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Ralf posted a picture of a backtrace from diff --git a/debian/patches/features/all/rt/cpumask-disable-offstack-on-rt.patch b/debian/patches/features/all/rt/cpumask-disable-offstack-on-rt.patch index 8594874b1075..6f3158b2bd44 100644 --- a/debian/patches/features/all/rt/cpumask-disable-offstack-on-rt.patch +++ b/debian/patches/features/all/rt/cpumask-disable-offstack-on-rt.patch @@ -1,7 +1,7 @@ Subject: cpumask: Disable CONFIG_CPUMASK_OFFSTACK for RT From: Thomas Gleixner Date: Wed, 14 Dec 2011 01:03:49 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We can't deal with the cpumask allocations which happen in atomic context (see arch/x86/kernel/apic/io_apic.c) on RT right now. diff --git a/debian/patches/features/all/rt/crypto-Reduce-preempt-disabled-regions-more-algos.patch b/debian/patches/features/all/rt/crypto-Reduce-preempt-disabled-regions-more-algos.patch index 7b4f22e25f89..84a0f8a359f6 100644 --- a/debian/patches/features/all/rt/crypto-Reduce-preempt-disabled-regions-more-algos.patch +++ b/debian/patches/features/all/rt/crypto-Reduce-preempt-disabled-regions-more-algos.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 21 Feb 2014 17:24:04 +0100 Subject: crypto: Reduce preempt disabled regions, more algos -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Don Estabrook reported | kernel: WARNING: CPU: 2 PID: 858 at kernel/sched/core.c:2428 migrate_disable+0xed/0x100() diff --git a/debian/patches/features/all/rt/crypto-ccp-remove-rwlocks_types.h.patch b/debian/patches/features/all/rt/crypto-ccp-remove-rwlocks_types.h.patch index 8b4a63a3d1ab..ad9be73cf82b 100644 --- a/debian/patches/features/all/rt/crypto-ccp-remove-rwlocks_types.h.patch +++ b/debian/patches/features/all/rt/crypto-ccp-remove-rwlocks_types.h.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 11 May 2016 11:56:18 +0200 Subject: crypto/ccp: remove rwlocks_types.h -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Users of rwlocks should include spinlock.h instead including this header file. The current users of rwlocks_types.h are internal. diff --git a/debian/patches/features/all/rt/debugobjects-rt.patch b/debian/patches/features/all/rt/debugobjects-rt.patch index 6d29a582342e..780ed8418bce 100644 --- a/debian/patches/features/all/rt/debugobjects-rt.patch +++ b/debian/patches/features/all/rt/debugobjects-rt.patch @@ -1,7 +1,7 @@ Subject: debugobjects: Make RT aware From: Thomas Gleixner Date: Sun, 17 Jul 2011 21:41:35 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Avoid filling the pool / allocating memory with irqs off(). diff --git a/debian/patches/features/all/rt/dm-make-rt-aware.patch b/debian/patches/features/all/rt/dm-make-rt-aware.patch index 3febf17b8635..c9a963fb3047 100644 --- a/debian/patches/features/all/rt/dm-make-rt-aware.patch +++ b/debian/patches/features/all/rt/dm-make-rt-aware.patch @@ -1,7 +1,7 @@ Subject: dm: Make rt aware From: Thomas Gleixner Date: Mon, 14 Nov 2011 23:06:09 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the BUG_ON_NORT variant for the irq_disabled() checks. RT has interrupts legitimately enabled here as we cant deadlock against the diff --git a/debian/patches/features/all/rt/drivers-block-zram-Replace-bit-spinlocks-with-rtmute.patch b/debian/patches/features/all/rt/drivers-block-zram-Replace-bit-spinlocks-with-rtmute.patch index afa3cfb99db3..aab89d495570 100644 --- a/debian/patches/features/all/rt/drivers-block-zram-Replace-bit-spinlocks-with-rtmute.patch +++ b/debian/patches/features/all/rt/drivers-block-zram-Replace-bit-spinlocks-with-rtmute.patch @@ -2,7 +2,7 @@ From: Mike Galbraith Date: Thu, 31 Mar 2016 04:08:28 +0200 Subject: [PATCH] drivers/block/zram: Replace bit spinlocks with rtmutex for -rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz They're nondeterministic, and lead to ___might_sleep() splats in -rt. OTOH, they're a lot less wasteful than an rtmutex per page. diff --git a/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch b/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch index 026a67d70308..6f8564a8826e 100644 --- a/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch +++ b/debian/patches/features/all/rt/drivers-net-8139-disable-irq-nosync.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:24 -0500 Subject: drivers/net: Use disable_irq_nosync() in 8139too -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use disable_irq_nosync() instead of disable_irq() as this might be called in atomic context with netpoll. diff --git a/debian/patches/features/all/rt/drivers-net-fix-livelock-issues.patch b/debian/patches/features/all/rt/drivers-net-fix-livelock-issues.patch index 92e31cf155b2..5bc8aa9fcc9c 100644 --- a/debian/patches/features/all/rt/drivers-net-fix-livelock-issues.patch +++ b/debian/patches/features/all/rt/drivers-net-fix-livelock-issues.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sat, 20 Jun 2009 11:36:54 +0200 Subject: drivers/net: fix livelock issues -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Preempt-RT runs into a live lock issue with the NETDEV_TX_LOCKED micro optimization. The reason is that the softirq thread is rescheduling diff --git a/debian/patches/features/all/rt/drivers-net-vortex-fix-locking-issues.patch b/debian/patches/features/all/rt/drivers-net-vortex-fix-locking-issues.patch index d298a16abe0e..94b29f2eed22 100644 --- a/debian/patches/features/all/rt/drivers-net-vortex-fix-locking-issues.patch +++ b/debian/patches/features/all/rt/drivers-net-vortex-fix-locking-issues.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Fri, 3 Jul 2009 08:30:00 -0500 Subject: drivers/net: vortex fix locking issues -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Argh, cut and paste wasn't enough... diff --git a/debian/patches/features/all/rt/drivers-random-reduce-preempt-disabled-region.patch b/debian/patches/features/all/rt/drivers-random-reduce-preempt-disabled-region.patch index 7e5013417142..76f8a30a2a91 100644 --- a/debian/patches/features/all/rt/drivers-random-reduce-preempt-disabled-region.patch +++ b/debian/patches/features/all/rt/drivers-random-reduce-preempt-disabled-region.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:30 -0500 Subject: drivers: random: Reduce preempt disabled region -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz No need to keep preemption disabled across the whole function. diff --git a/debian/patches/features/all/rt/drivers-tty-fix-omap-lock-crap.patch b/debian/patches/features/all/rt/drivers-tty-fix-omap-lock-crap.patch index a650af614d08..aef5671be4b1 100644 --- a/debian/patches/features/all/rt/drivers-tty-fix-omap-lock-crap.patch +++ b/debian/patches/features/all/rt/drivers-tty-fix-omap-lock-crap.patch @@ -1,7 +1,7 @@ Subject: tty/serial/omap: Make the locking RT aware From: Thomas Gleixner Date: Thu, 28 Jul 2011 13:32:57 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The lock is a sleeping lock and local_irq_save() is not the optimsation we are looking for. Redo it to make it work on -RT and diff --git a/debian/patches/features/all/rt/drivers-tty-pl011-irq-disable-madness.patch b/debian/patches/features/all/rt/drivers-tty-pl011-irq-disable-madness.patch index 2cc4e1c11634..48d1934c5538 100644 --- a/debian/patches/features/all/rt/drivers-tty-pl011-irq-disable-madness.patch +++ b/debian/patches/features/all/rt/drivers-tty-pl011-irq-disable-madness.patch @@ -1,7 +1,7 @@ Subject: tty/serial/pl011: Make the locking work on RT From: Thomas Gleixner Date: Tue, 08 Jan 2013 21:36:51 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The lock is a sleeping lock and local_irq_save() is not the optimsation we are looking for. Redo it to make it work on -RT and non-RT. diff --git a/debian/patches/features/all/rt/drm-i915-drop-trace_i915_gem_ring_dispatch-onrt.patch b/debian/patches/features/all/rt/drm-i915-drop-trace_i915_gem_ring_dispatch-onrt.patch index e5bc9349ecfa..a94717cba970 100644 --- a/debian/patches/features/all/rt/drm-i915-drop-trace_i915_gem_ring_dispatch-onrt.patch +++ b/debian/patches/features/all/rt/drm-i915-drop-trace_i915_gem_ring_dispatch-onrt.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 25 Apr 2013 18:12:52 +0200 Subject: drm/i915: drop trace_i915_gem_ring_dispatch on rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz This tracepoint is responsible for: diff --git a/debian/patches/features/all/rt/drmi915_Use_local_lockunlock_irq()_in_intel_pipe_update_startend().patch b/debian/patches/features/all/rt/drmi915_Use_local_lockunlock_irq()_in_intel_pipe_update_startend().patch index de66aefebe42..de99cf7ba2dc 100644 --- a/debian/patches/features/all/rt/drmi915_Use_local_lockunlock_irq()_in_intel_pipe_update_startend().patch +++ b/debian/patches/features/all/rt/drmi915_Use_local_lockunlock_irq()_in_intel_pipe_update_startend().patch @@ -1,7 +1,7 @@ Subject: drm,i915: Use local_lock/unlock_irq() in intel_pipe_update_start/end() From: Mike Galbraith Date: Sat, 27 Feb 2016 09:01:42 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz [ 8.014039] BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:918 diff --git a/debian/patches/features/all/rt/drmradeoni915_Use_preempt_disableenable_rt()_where_recommended.patch b/debian/patches/features/all/rt/drmradeoni915_Use_preempt_disableenable_rt()_where_recommended.patch index 84a26ca89069..e16ff2faeabe 100644 --- a/debian/patches/features/all/rt/drmradeoni915_Use_preempt_disableenable_rt()_where_recommended.patch +++ b/debian/patches/features/all/rt/drmradeoni915_Use_preempt_disableenable_rt()_where_recommended.patch @@ -1,7 +1,7 @@ Subject: drm,radeon,i915: Use preempt_disable/enable_rt() where recommended From: Mike Galbraith Date: Sat, 27 Feb 2016 08:09:11 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz DRM folks identified the spots, so use them. diff --git a/debian/patches/features/all/rt/dump-stack-don-t-disable-preemption-during-trace.patch b/debian/patches/features/all/rt/dump-stack-don-t-disable-preemption-during-trace.patch index 0a69dcd89853..bec2ca6e645c 100644 --- a/debian/patches/features/all/rt/dump-stack-don-t-disable-preemption-during-trace.patch +++ b/debian/patches/features/all/rt/dump-stack-don-t-disable-preemption-during-trace.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Sun, 16 Aug 2015 14:27:50 +0200 Subject: dump stack: don't disable preemption during trace -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz I see here large latencies during a stack dump on x86. The preempt_disable() and get_cpu() should forbid moving the task to another diff --git a/debian/patches/features/all/rt/epoll-use-get-cpu-light.patch b/debian/patches/features/all/rt/epoll-use-get-cpu-light.patch index 74e934f7ffb3..bdf675b26401 100644 --- a/debian/patches/features/all/rt/epoll-use-get-cpu-light.patch +++ b/debian/patches/features/all/rt/epoll-use-get-cpu-light.patch @@ -1,7 +1,7 @@ Subject: fs/epoll: Do not disable preemption on RT From: Thomas Gleixner Date: Fri, 08 Jul 2011 16:35:35 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz ep_call_nested() takes a sleeping lock so we can't disable preemption. The light version is enough since ep_call_nested() doesn't mind beeing diff --git a/debian/patches/features/all/rt/fs-aio-simple-simple-work.patch b/debian/patches/features/all/rt/fs-aio-simple-simple-work.patch index e014543c238d..5c710c948b16 100644 --- a/debian/patches/features/all/rt/fs-aio-simple-simple-work.patch +++ b/debian/patches/features/all/rt/fs-aio-simple-simple-work.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Mon, 16 Feb 2015 18:49:10 +0100 Subject: fs/aio: simple simple work -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz |BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:768 |in_atomic(): 1, irqs_disabled(): 0, pid: 26, name: rcuos/2 @@ -34,7 +34,7 @@ Signed-off-by: Sebastian Andrzej Siewior #include #include #include -+#include ++#include #include #include diff --git a/debian/patches/features/all/rt/fs-block-rt-support.patch b/debian/patches/features/all/rt/fs-block-rt-support.patch index 059be971689a..d26cf92d24e3 100644 --- a/debian/patches/features/all/rt/fs-block-rt-support.patch +++ b/debian/patches/features/all/rt/fs-block-rt-support.patch @@ -1,7 +1,7 @@ Subject: block: Turn off warning which is bogus on RT From: Thomas Gleixner Date: Tue, 14 Jun 2011 17:05:09 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On -RT the context is always with IRQs enabled. Ignore this warning on -RT. diff --git a/debian/patches/features/all/rt/fs-dcache-use-cpu-chill-in-trylock-loops.patch b/debian/patches/features/all/rt/fs-dcache-use-cpu-chill-in-trylock-loops.patch index 00700e98054e..5defe34d7a35 100644 --- a/debian/patches/features/all/rt/fs-dcache-use-cpu-chill-in-trylock-loops.patch +++ b/debian/patches/features/all/rt/fs-dcache-use-cpu-chill-in-trylock-loops.patch @@ -1,7 +1,7 @@ Subject: fs: dcache: Use cpu_chill() in trylock loops From: Thomas Gleixner Date: Wed, 07 Mar 2012 21:00:34 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Retry loops on RT might loop forever when the modifying side was preempted. Use cpu_chill() instead of cpu_relax() to let the system diff --git a/debian/patches/features/all/rt/fs-jbd-replace-bh_state-lock.patch b/debian/patches/features/all/rt/fs-jbd-replace-bh_state-lock.patch index 604043f5a540..75c6fc891e45 100644 --- a/debian/patches/features/all/rt/fs-jbd-replace-bh_state-lock.patch +++ b/debian/patches/features/all/rt/fs-jbd-replace-bh_state-lock.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 18 Mar 2011 10:11:25 +0100 Subject: fs: jbd/jbd2: Make state lock and journal head lock rt safe -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz bit_spin_locks break under RT. diff --git a/debian/patches/features/all/rt/fs-jbd2-pull-your-plug-when-waiting-for-space.patch b/debian/patches/features/all/rt/fs-jbd2-pull-your-plug-when-waiting-for-space.patch index 97d6d17bd1ce..b6f4e536964e 100644 --- a/debian/patches/features/all/rt/fs-jbd2-pull-your-plug-when-waiting-for-space.patch +++ b/debian/patches/features/all/rt/fs-jbd2-pull-your-plug-when-waiting-for-space.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Mon, 17 Feb 2014 17:30:03 +0100 Subject: fs: jbd2: pull your plug when waiting for space -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Two cps in parallel managed to stall the the ext4 fs. It seems that journal code is either waiting for locks or sleeping waiting for diff --git a/debian/patches/features/all/rt/fs-namespace-preemption-fix.patch b/debian/patches/features/all/rt/fs-namespace-preemption-fix.patch index 93adf9200f79..dd548f1e3f51 100644 --- a/debian/patches/features/all/rt/fs-namespace-preemption-fix.patch +++ b/debian/patches/features/all/rt/fs-namespace-preemption-fix.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sun, 19 Jul 2009 08:44:27 -0500 Subject: fs: namespace preemption fix -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On RT we cannot loop with preemption disabled here as mnt_make_readonly() might have been preempted. We can safely enable diff --git a/debian/patches/features/all/rt/fs-ntfs-disable-interrupt-non-rt.patch b/debian/patches/features/all/rt/fs-ntfs-disable-interrupt-non-rt.patch index eb0b65cfa70d..b237357bc903 100644 --- a/debian/patches/features/all/rt/fs-ntfs-disable-interrupt-non-rt.patch +++ b/debian/patches/features/all/rt/fs-ntfs-disable-interrupt-non-rt.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Fri, 3 Jul 2009 08:44:12 -0500 Subject: fs: ntfs: disable interrupt only on !RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On Sat, 2007-10-27 at 11:44 +0200, Ingo Molnar wrote: > * Nick Piggin wrote: diff --git a/debian/patches/features/all/rt/fs-replace-bh_uptodate_lock-for-rt.patch b/debian/patches/features/all/rt/fs-replace-bh_uptodate_lock-for-rt.patch index e46ac733243f..9c095c34ca8d 100644 --- a/debian/patches/features/all/rt/fs-replace-bh_uptodate_lock-for-rt.patch +++ b/debian/patches/features/all/rt/fs-replace-bh_uptodate_lock-for-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 18 Mar 2011 09:18:52 +0100 Subject: buffer_head: Replace bh_uptodate_lock for -rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Wrap the bit_spin_lock calls into a separate inline and add the RT replacements with a real spinlock. diff --git a/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch b/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch index bff1482310f9..8225833c5f73 100644 --- a/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch +++ b/debian/patches/features/all/rt/ftrace-migrate-disable-tracing.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sun, 17 Jul 2011 21:56:42 +0200 Subject: trace: Add migrate-disabled counter to tracing output -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Signed-off-by: Thomas Gleixner --- diff --git a/debian/patches/features/all/rt/futex-requeue-pi-fix.patch b/debian/patches/features/all/rt/futex-requeue-pi-fix.patch index 661ce2abb812..113441d9342e 100644 --- a/debian/patches/features/all/rt/futex-requeue-pi-fix.patch +++ b/debian/patches/features/all/rt/futex-requeue-pi-fix.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: futex: Fix bug on when a requeued RT task times out -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Requeue with timeout causes a bug with PREEMPT_RT_FULL. diff --git a/debian/patches/features/all/rt/genirq-disable-irqpoll-on-rt.patch b/debian/patches/features/all/rt/genirq-disable-irqpoll-on-rt.patch index 534134cc86c4..b93b787c795a 100644 --- a/debian/patches/features/all/rt/genirq-disable-irqpoll-on-rt.patch +++ b/debian/patches/features/all/rt/genirq-disable-irqpoll-on-rt.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:57 -0500 Subject: genirq: Disable irqpoll on -rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Creates long latencies for no value diff --git a/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch b/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch index a0d32df5efc3..f157b794441d 100644 --- a/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch +++ b/debian/patches/features/all/rt/genirq-do-not-invoke-the-affinity-callback-via-a-wor.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 21 Aug 2013 17:48:46 +0200 Subject: genirq: Do not invoke the affinity callback via a workqueue on RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Joe Korty reported, that __irq_set_affinity_locked() schedules a workqueue while holding a rawlock which results in a might_sleep() diff --git a/debian/patches/features/all/rt/genirq-force-threading.patch b/debian/patches/features/all/rt/genirq-force-threading.patch index f92a2c6c0795..54572fb2fb2f 100644 --- a/debian/patches/features/all/rt/genirq-force-threading.patch +++ b/debian/patches/features/all/rt/genirq-force-threading.patch @@ -1,7 +1,7 @@ Subject: genirq: Force interrupt thread on RT From: Thomas Gleixner Date: Sun, 03 Apr 2011 11:57:29 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Force threaded_irqs and optimize the code (force_irqthreads) in regard to this. diff --git a/debian/patches/features/all/rt/genirq-update-irq_set_irqchip_state-documentation.patch b/debian/patches/features/all/rt/genirq-update-irq_set_irqchip_state-documentation.patch index 3b78dbb6d69a..3a34fa631bc3 100644 --- a/debian/patches/features/all/rt/genirq-update-irq_set_irqchip_state-documentation.patch +++ b/debian/patches/features/all/rt/genirq-update-irq_set_irqchip_state-documentation.patch @@ -1,7 +1,7 @@ From: Josh Cartwright Date: Thu, 11 Feb 2016 11:54:00 -0600 Subject: genirq: update irq_set_irqchip_state documentation -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On -rt kernels, the use of migrate_disable()/migrate_enable() is sufficient to guarantee a task isn't moved to another CPU. Update the diff --git a/debian/patches/features/all/rt/hotplug-Use-set_cpus_allowed_ptr-in-sync_unplug_thre.patch b/debian/patches/features/all/rt/hotplug-Use-set_cpus_allowed_ptr-in-sync_unplug_thre.patch index 34b339144dce..fb2d63262c3c 100644 --- a/debian/patches/features/all/rt/hotplug-Use-set_cpus_allowed_ptr-in-sync_unplug_thre.patch +++ b/debian/patches/features/all/rt/hotplug-Use-set_cpus_allowed_ptr-in-sync_unplug_thre.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Tue, 24 Mar 2015 08:14:49 +0100 Subject: hotplug: Use set_cpus_allowed_ptr() in sync_unplug_thread() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz do_set_cpus_allowed() is not safe vs ->sched_class change. diff --git a/debian/patches/features/all/rt/hotplug-light-get-online-cpus.patch b/debian/patches/features/all/rt/hotplug-light-get-online-cpus.patch index 9ff92d8e4c19..6f7f4b15a3ca 100644 --- a/debian/patches/features/all/rt/hotplug-light-get-online-cpus.patch +++ b/debian/patches/features/all/rt/hotplug-light-get-online-cpus.patch @@ -1,7 +1,7 @@ Subject: hotplug: Lightweight get online cpus From: Thomas Gleixner Date: Wed, 15 Jun 2011 12:36:06 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz get_online_cpus() is a heavy weight function which involves a global mutex. migrate_disable() wants a simpler construct which prevents only diff --git a/debian/patches/features/all/rt/hotplug-sync_unplug-no-27-5cn-27-in-task-name.patch b/debian/patches/features/all/rt/hotplug-sync_unplug-no-27-5cn-27-in-task-name.patch index 2ed9c912e90c..9486a8892bdb 100644 --- a/debian/patches/features/all/rt/hotplug-sync_unplug-no-27-5cn-27-in-task-name.patch +++ b/debian/patches/features/all/rt/hotplug-sync_unplug-no-27-5cn-27-in-task-name.patch @@ -1,7 +1,7 @@ Subject: hotplug: sync_unplug: No "\n" in task name From: Yong Zhang Date: Sun, 16 Oct 2011 18:56:43 +0800 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Otherwise the output will look a little odd. diff --git a/debian/patches/features/all/rt/hotplug-use-migrate-disable.patch b/debian/patches/features/all/rt/hotplug-use-migrate-disable.patch index f9a2bc887876..cad9f6b88bec 100644 --- a/debian/patches/features/all/rt/hotplug-use-migrate-disable.patch +++ b/debian/patches/features/all/rt/hotplug-use-migrate-disable.patch @@ -1,7 +1,7 @@ Subject: hotplug: Use migrate disable on unplug From: Thomas Gleixner Date: Sun, 17 Jul 2011 19:35:29 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Migration needs to be disabled accross the unplug handling to make sure that the unplug thread is off the unplugged cpu. diff --git a/debian/patches/features/all/rt/hrtimer-Move-schedule_work-call-to-helper-thread.patch b/debian/patches/features/all/rt/hrtimer-Move-schedule_work-call-to-helper-thread.patch index e051672d9ca5..175fdf9730b7 100644 --- a/debian/patches/features/all/rt/hrtimer-Move-schedule_work-call-to-helper-thread.patch +++ b/debian/patches/features/all/rt/hrtimer-Move-schedule_work-call-to-helper-thread.patch @@ -1,7 +1,7 @@ From: Yang Shi Date: Mon, 16 Sep 2013 14:09:19 -0700 Subject: hrtimer: Move schedule_work call to helper thread -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When run ltp leapsec_timer test, the following call trace is caught: diff --git a/debian/patches/features/all/rt/hrtimer-enfore-64byte-alignment.patch b/debian/patches/features/all/rt/hrtimer-enfore-64byte-alignment.patch index 2b9842f83945..f0e9194d3ade 100644 --- a/debian/patches/features/all/rt/hrtimer-enfore-64byte-alignment.patch +++ b/debian/patches/features/all/rt/hrtimer-enfore-64byte-alignment.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 23 Dec 2015 20:57:41 +0100 Subject: hrtimer: enfore 64byte alignment -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The patch "hrtimer: Fixup hrtimer callback changes for preempt-rt" adds a list_head expired to struct hrtimer_clock_base and with it we run into diff --git a/debian/patches/features/all/rt/hrtimer-fixup-hrtimer-callback-changes-for-preempt-r.patch b/debian/patches/features/all/rt/hrtimer-fixup-hrtimer-callback-changes-for-preempt-r.patch index 1904208a88e4..e08c6041d91d 100644 --- a/debian/patches/features/all/rt/hrtimer-fixup-hrtimer-callback-changes-for-preempt-r.patch +++ b/debian/patches/features/all/rt/hrtimer-fixup-hrtimer-callback-changes-for-preempt-r.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 3 Jul 2009 08:44:31 -0500 Subject: hrtimer: Fixup hrtimer callback changes for preempt-rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz In preempt-rt we can not call the callbacks which take sleeping locks from the timer interrupt context. diff --git a/debian/patches/features/all/rt/hrtimers-prepare-full-preemption.patch b/debian/patches/features/all/rt/hrtimers-prepare-full-preemption.patch index 567212b8386d..e04ff81f7344 100644 --- a/debian/patches/features/all/rt/hrtimers-prepare-full-preemption.patch +++ b/debian/patches/features/all/rt/hrtimers-prepare-full-preemption.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:34 -0500 Subject: hrtimers: Prepare full preemption -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Make cancellation of a running callback in softirq context safe against preemption. diff --git a/debian/patches/features/all/rt/hwlat-detector-Don-t-ignore-threshold-module-paramet.patch b/debian/patches/features/all/rt/hwlat-detector-Don-t-ignore-threshold-module-paramet.patch index bcb2ef58bc5d..852ac07c0d49 100644 --- a/debian/patches/features/all/rt/hwlat-detector-Don-t-ignore-threshold-module-paramet.patch +++ b/debian/patches/features/all/rt/hwlat-detector-Don-t-ignore-threshold-module-paramet.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Fri, 30 Aug 2013 07:57:25 +0200 Subject: hwlat-detector: Don't ignore threshold module parameter -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If the user specified a threshold at module load time, use it. diff --git a/debian/patches/features/all/rt/hwlat-detector-Update-hwlat_detector-to-add-outer-lo.patch b/debian/patches/features/all/rt/hwlat-detector-Update-hwlat_detector-to-add-outer-lo.patch index b43b67948a41..b0e311dac477 100644 --- a/debian/patches/features/all/rt/hwlat-detector-Update-hwlat_detector-to-add-outer-lo.patch +++ b/debian/patches/features/all/rt/hwlat-detector-Update-hwlat_detector-to-add-outer-lo.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Mon, 19 Aug 2013 17:33:25 -0400 Subject: hwlat-detector: Update hwlat_detector to add outer loop detection -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The hwlat_detector reads two timestamps in a row, then reports any gap between those calls. The problem is, it misses everything between diff --git a/debian/patches/features/all/rt/hwlat-detector-Use-thread-instead-of-stop-machine.patch b/debian/patches/features/all/rt/hwlat-detector-Use-thread-instead-of-stop-machine.patch index 5542608fcd0d..ba426488241d 100644 --- a/debian/patches/features/all/rt/hwlat-detector-Use-thread-instead-of-stop-machine.patch +++ b/debian/patches/features/all/rt/hwlat-detector-Use-thread-instead-of-stop-machine.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Mon, 19 Aug 2013 17:33:27 -0400 Subject: hwlat-detector: Use thread instead of stop machine -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz There's no reason to use stop machine to search for hardware latency. Simply disabling interrupts while running the loop will do enough to diff --git a/debian/patches/features/all/rt/hwlat-detector-Use-trace_clock_local-if-available.patch b/debian/patches/features/all/rt/hwlat-detector-Use-trace_clock_local-if-available.patch index 61ec75104193..86a27aa25c8a 100644 --- a/debian/patches/features/all/rt/hwlat-detector-Use-trace_clock_local-if-available.patch +++ b/debian/patches/features/all/rt/hwlat-detector-Use-trace_clock_local-if-available.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Mon, 19 Aug 2013 17:33:26 -0400 Subject: hwlat-detector: Use trace_clock_local if available -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz As ktime_get() calls into the timing code which does a read_seq(), it may be affected by other CPUS that touch that lock. To remove this diff --git a/debian/patches/features/all/rt/hwlatdetect.patch b/debian/patches/features/all/rt/hwlatdetect.patch index 24ba4d8148b3..030cd4eb3a5c 100644 --- a/debian/patches/features/all/rt/hwlatdetect.patch +++ b/debian/patches/features/all/rt/hwlatdetect.patch @@ -1,7 +1,7 @@ Subject: hwlatdetect.patch From: Carsten Emde Date: Tue, 19 Jul 2011 13:53:12 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Jon Masters developed this wonderful SMI detector. For details please consult Documentation/hwlat_detector.txt. It could be ported to Linux diff --git a/debian/patches/features/all/rt/i2c-omap-drop-the-lock-hard-irq-context.patch b/debian/patches/features/all/rt/i2c-omap-drop-the-lock-hard-irq-context.patch index a63dda235d20..6a29586f24ad 100644 --- a/debian/patches/features/all/rt/i2c-omap-drop-the-lock-hard-irq-context.patch +++ b/debian/patches/features/all/rt/i2c-omap-drop-the-lock-hard-irq-context.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 21 Mar 2013 11:35:49 +0100 Subject: i2c/omap: drop the lock hard irq context -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The lock is taken while reading two registers. On RT the first lock is taken in hard irq where it might sleep and in the threaded irq. diff --git a/debian/patches/features/all/rt/i915-bogus-warning-from-i915-when-running-on-PREEMPT.patch b/debian/patches/features/all/rt/i915-bogus-warning-from-i915-when-running-on-PREEMPT.patch index 202f08b56cf9..49672be0872e 100644 --- a/debian/patches/features/all/rt/i915-bogus-warning-from-i915-when-running-on-PREEMPT.patch +++ b/debian/patches/features/all/rt/i915-bogus-warning-from-i915-when-running-on-PREEMPT.patch @@ -1,7 +1,7 @@ From: Clark Williams Date: Tue, 26 May 2015 10:43:43 -0500 Subject: i915: bogus warning from i915 when running on PREEMPT_RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The i915 driver has a 'WARN_ON(!in_interrupt())' in the display handler, which whines constanly on the RT kernel (since the interrupt diff --git a/debian/patches/features/all/rt/i915_compile_fix.patch b/debian/patches/features/all/rt/i915_compile_fix.patch index 7337dad44c59..341d9fabec74 100644 --- a/debian/patches/features/all/rt/i915_compile_fix.patch +++ b/debian/patches/features/all/rt/i915_compile_fix.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: gpu/i915: don't open code these things -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The opencode part is gone in 1f83fee0 ("drm/i915: clear up wedged transitions") the owner check is still there. diff --git a/debian/patches/features/all/rt/ide-use-nort-local-irq-variants.patch b/debian/patches/features/all/rt/ide-use-nort-local-irq-variants.patch index b3af10ddcefd..6d240b8effb4 100644 --- a/debian/patches/features/all/rt/ide-use-nort-local-irq-variants.patch +++ b/debian/patches/features/all/rt/ide-use-nort-local-irq-variants.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:30:16 -0500 Subject: ide: Do not disable interrupts for PREEMPT-RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the local_irq_*_nort variants. diff --git a/debian/patches/features/all/rt/idr-use-local-lock-for-protection.patch b/debian/patches/features/all/rt/idr-use-local-lock-for-protection.patch index cafcb0039254..173cbbb1b456 100644 --- a/debian/patches/features/all/rt/idr-use-local-lock-for-protection.patch +++ b/debian/patches/features/all/rt/idr-use-local-lock-for-protection.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: idr: Use local lock instead of preempt enable/disable -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We need to protect the per cpu variable and prevent migration. diff --git a/debian/patches/features/all/rt/infiniband-mellanox-ib-use-nort-irq.patch b/debian/patches/features/all/rt/infiniband-mellanox-ib-use-nort-irq.patch index 2fb70d74f061..6aacb3f5f50f 100644 --- a/debian/patches/features/all/rt/infiniband-mellanox-ib-use-nort-irq.patch +++ b/debian/patches/features/all/rt/infiniband-mellanox-ib-use-nort-irq.patch @@ -1,7 +1,7 @@ From: Sven-Thorsten Dietrich Date: Fri, 3 Jul 2009 08:30:35 -0500 Subject: infiniband: Mellanox IB driver patch use _nort() primitives -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Fixes in_atomic stack-dump, when Mellanox module is loaded into the RT Kernel. diff --git a/debian/patches/features/all/rt/infiniband-ulp-ipoib-remove-pkey_mutex.patch b/debian/patches/features/all/rt/infiniband-ulp-ipoib-remove-pkey_mutex.patch index 34eabae3d08b..aaa803cb770f 100644 --- a/debian/patches/features/all/rt/infiniband-ulp-ipoib-remove-pkey_mutex.patch +++ b/debian/patches/features/all/rt/infiniband-ulp-ipoib-remove-pkey_mutex.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 11 May 2016 11:52:23 +0200 Subject: infiniband/ulp/ipoib: remove pkey_mutex -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The last user of pkey_mutex was removed in db84f8803759 ("IB/ipoib: Use P_Key change event instead of P_Key polling mechanism") but the lock diff --git a/debian/patches/features/all/rt/inpt-gameport-use-local-irq-nort.patch b/debian/patches/features/all/rt/inpt-gameport-use-local-irq-nort.patch index c2ce3f72f189..a827cbc4ef98 100644 --- a/debian/patches/features/all/rt/inpt-gameport-use-local-irq-nort.patch +++ b/debian/patches/features/all/rt/inpt-gameport-use-local-irq-nort.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:30:16 -0500 Subject: input: gameport: Do not disable interrupts on PREEMPT_RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the _nort() primitives. diff --git a/debian/patches/features/all/rt/introduce_migrate_disable_cpu_light.patch b/debian/patches/features/all/rt/introduce_migrate_disable_cpu_light.patch index e5017a77de9a..a6a662d93ce6 100644 --- a/debian/patches/features/all/rt/introduce_migrate_disable_cpu_light.patch +++ b/debian/patches/features/all/rt/introduce_migrate_disable_cpu_light.patch @@ -1,7 +1,7 @@ Subject: Intrduce migrate_disable() + cpu_light() From: Thomas Gleixner Date: Fri, 17 Jun 2011 15:42:38 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Introduce migrate_disable(). The task can't be pushed to another CPU but can be preempted. diff --git a/debian/patches/features/all/rt/iommu-amd--Use-WARN_ON_NORT.patch b/debian/patches/features/all/rt/iommu-amd--Use-WARN_ON_NORT.patch index 68726692a2fe..09b784108609 100644 --- a/debian/patches/features/all/rt/iommu-amd--Use-WARN_ON_NORT.patch +++ b/debian/patches/features/all/rt/iommu-amd--Use-WARN_ON_NORT.patch @@ -1,7 +1,7 @@ Subject: iommu/amd: Use WARN_ON_NORT in __attach_device() From: Thomas Gleixner Date: Sat, 27 Feb 2016 10:22:23 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT does not disable interrupts here, but the protection is still correct. Fixup the WARN_ON so it won't yell on RT. diff --git a/debian/patches/features/all/rt/ipc-msg-Implement-lockless-pipelined-wakeups.patch b/debian/patches/features/all/rt/ipc-msg-Implement-lockless-pipelined-wakeups.patch index 804124c9adc1..3b665854d5c5 100644 --- a/debian/patches/features/all/rt/ipc-msg-Implement-lockless-pipelined-wakeups.patch +++ b/debian/patches/features/all/rt/ipc-msg-Implement-lockless-pipelined-wakeups.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 30 Oct 2015 11:59:07 +0100 Subject: ipc/msg: Implement lockless pipelined wakeups -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz This patch moves the wakeup_process() invocation so it is not done under the perm->lock by making use of a lockless wake_q. With this change, the diff --git a/debian/patches/features/all/rt/ipc-sem-rework-semaphore-wakeups.patch b/debian/patches/features/all/rt/ipc-sem-rework-semaphore-wakeups.patch index 7d7027b6bd4f..8e085a56f102 100644 --- a/debian/patches/features/all/rt/ipc-sem-rework-semaphore-wakeups.patch +++ b/debian/patches/features/all/rt/ipc-sem-rework-semaphore-wakeups.patch @@ -1,7 +1,7 @@ Subject: ipc/sem: Rework semaphore wakeups From: Peter Zijlstra Date: Wed, 14 Sep 2011 11:57:04 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Current sysv sems have a weird ass wakeup scheme that involves keeping preemption disabled over a potential O(n^2) loop and busy waiting on diff --git a/debian/patches/features/all/rt/irq-allow-disabling-of-softirq-processing-in-irq-thread-context.patch b/debian/patches/features/all/rt/irq-allow-disabling-of-softirq-processing-in-irq-thread-context.patch index b03c10c010a4..597f25ce697b 100644 --- a/debian/patches/features/all/rt/irq-allow-disabling-of-softirq-processing-in-irq-thread-context.patch +++ b/debian/patches/features/all/rt/irq-allow-disabling-of-softirq-processing-in-irq-thread-context.patch @@ -1,7 +1,7 @@ Subject: genirq: Allow disabling of softirq processing in irq thread context From: Thomas Gleixner Date: Tue, 31 Jan 2012 13:01:27 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The processing of softirqs in irq thread context is a performance gain for the non-rt workloads of a system, but it's counterproductive for diff --git a/debian/patches/features/all/rt/irqwork-Move-irq-safe-work-to-irq-context.patch b/debian/patches/features/all/rt/irqwork-Move-irq-safe-work-to-irq-context.patch index efa3f15711bf..c796fa5f2077 100644 --- a/debian/patches/features/all/rt/irqwork-Move-irq-safe-work-to-irq-context.patch +++ b/debian/patches/features/all/rt/irqwork-Move-irq-safe-work-to-irq-context.patch @@ -1,7 +1,7 @@ Subject: irqwork: Move irq safe work to irq context From: Thomas Gleixner Date: Sun, 15 Nov 2015 18:40:17 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On architectures where arch_irq_work_has_interrupt() returns false, we end up running the irq safe work from the softirq context. That diff --git a/debian/patches/features/all/rt/irqwork-push_most_work_into_softirq_context.patch b/debian/patches/features/all/rt/irqwork-push_most_work_into_softirq_context.patch index cf5cd57b0cfe..9356ec1731c8 100644 --- a/debian/patches/features/all/rt/irqwork-push_most_work_into_softirq_context.patch +++ b/debian/patches/features/all/rt/irqwork-push_most_work_into_softirq_context.patch @@ -1,7 +1,7 @@ Subject: irqwork: push most work into softirq context From: Sebastian Andrzej Siewior Date: Tue, 23 Jun 2015 15:32:51 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Initially we defered all irqwork into softirq because we didn't want the latency spikes if perf or another user was busy and delayed the RT task. diff --git a/debian/patches/features/all/rt/jump-label-rt.patch b/debian/patches/features/all/rt/jump-label-rt.patch index 99f29328925b..526783dcf37e 100644 --- a/debian/patches/features/all/rt/jump-label-rt.patch +++ b/debian/patches/features/all/rt/jump-label-rt.patch @@ -1,7 +1,7 @@ Subject: jump-label: disable if stop_machine() is used From: Thomas Gleixner Date: Wed, 08 Jul 2015 17:14:48 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Some architectures are using stop_machine() while switching the opcode which leads to latency spikes. diff --git a/debian/patches/features/all/rt/kconfig-disable-a-few-options-rt.patch b/debian/patches/features/all/rt/kconfig-disable-a-few-options-rt.patch index 2ba0d960c8be..0b86d1ee5db2 100644 --- a/debian/patches/features/all/rt/kconfig-disable-a-few-options-rt.patch +++ b/debian/patches/features/all/rt/kconfig-disable-a-few-options-rt.patch @@ -1,7 +1,7 @@ Subject: kconfig: Disable config options which are not RT compatible From: Thomas Gleixner Date: Sun, 24 Jul 2011 12:11:43 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Disable stuff which is known to have issues on RT diff --git a/debian/patches/features/all/rt/kconfig-preempt-rt-full.patch b/debian/patches/features/all/rt/kconfig-preempt-rt-full.patch index 41e141c602cf..f4b713046b14 100644 --- a/debian/patches/features/all/rt/kconfig-preempt-rt-full.patch +++ b/debian/patches/features/all/rt/kconfig-preempt-rt-full.patch @@ -1,7 +1,7 @@ Subject: kconfig: Add PREEMPT_RT_FULL From: Thomas Gleixner Date: Wed, 29 Jun 2011 14:58:57 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Introduce the final symbol for PREEMPT_RT_FULL. diff --git a/debian/patches/features/all/rt/kernel-SRCU-provide-a-static-initializer.patch b/debian/patches/features/all/rt/kernel-SRCU-provide-a-static-initializer.patch index c1cbdfe8ec5a..4edb5db458de 100644 --- a/debian/patches/features/all/rt/kernel-SRCU-provide-a-static-initializer.patch +++ b/debian/patches/features/all/rt/kernel-SRCU-provide-a-static-initializer.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Tue, 19 Mar 2013 14:44:30 +0100 Subject: kernel/SRCU: provide a static initializer -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz There are macros for static initializer for the three out of four possible notifier types, that are: diff --git a/debian/patches/features/all/rt/kernel-cpu-fix-cpu-down-problem-if-kthread-s-cpu-is-.patch b/debian/patches/features/all/rt/kernel-cpu-fix-cpu-down-problem-if-kthread-s-cpu-is-.patch index 6377691308c1..edbc95b60c90 100644 --- a/debian/patches/features/all/rt/kernel-cpu-fix-cpu-down-problem-if-kthread-s-cpu-is-.patch +++ b/debian/patches/features/all/rt/kernel-cpu-fix-cpu-down-problem-if-kthread-s-cpu-is-.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 7 Jun 2013 22:37:06 +0200 Subject: kernel/cpu: fix cpu down problem if kthread's cpu is going down -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If kthread is pinned to CPUx and CPUx is going down then we get into trouble: diff --git a/debian/patches/features/all/rt/kernel-hotplug-restore-original-cpu-mask-oncpu-down.patch b/debian/patches/features/all/rt/kernel-hotplug-restore-original-cpu-mask-oncpu-down.patch index beb03179e305..12864907974c 100644 --- a/debian/patches/features/all/rt/kernel-hotplug-restore-original-cpu-mask-oncpu-down.patch +++ b/debian/patches/features/all/rt/kernel-hotplug-restore-original-cpu-mask-oncpu-down.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 14 Jun 2013 17:16:35 +0200 Subject: kernel/hotplug: restore original cpu mask oncpu/down -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If a task which is allowed to run only on CPU X puts CPU Y down then it will be allowed on all CPUs but the on CPU Y after it comes back from diff --git a/debian/patches/features/all/rt/kernel-migrate_disable-do-fastpath-in-atomic-irqs-of.patch b/debian/patches/features/all/rt/kernel-migrate_disable-do-fastpath-in-atomic-irqs-of.patch index 285fa4c5c631..02f47674288d 100644 --- a/debian/patches/features/all/rt/kernel-migrate_disable-do-fastpath-in-atomic-irqs-of.patch +++ b/debian/patches/features/all/rt/kernel-migrate_disable-do-fastpath-in-atomic-irqs-of.patch @@ -2,7 +2,7 @@ From: Sebastian Andrzej Siewior Date: Tue, 9 Feb 2016 18:18:01 +0100 Subject: kernel: migrate_disable() do fastpath in atomic & irqs-off -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz With interrupts off it makes no sense to do the long path since we can't leave the CPU anyway. Also we might end up in a recursion with lockdep. diff --git a/debian/patches/features/all/rt/kernel-perf-mark-perf_cpu_context-s-timer-as-irqsafe.patch b/debian/patches/features/all/rt/kernel-perf-mark-perf_cpu_context-s-timer-as-irqsafe.patch index ca3ec8acca39..4ba5309cfff1 100644 --- a/debian/patches/features/all/rt/kernel-perf-mark-perf_cpu_context-s-timer-as-irqsafe.patch +++ b/debian/patches/features/all/rt/kernel-perf-mark-perf_cpu_context-s-timer-as-irqsafe.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 4 Feb 2016 16:38:10 +0100 Subject: [PATCH] kernel/perf: mark perf_cpu_context's timer as irqsafe -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Otherwise we get a WARN_ON() backtrace and some events are reported as "not counted". diff --git a/debian/patches/features/all/rt/kernel-printk-Don-t-try-to-print-from-IRQ-NMI-region.patch b/debian/patches/features/all/rt/kernel-printk-Don-t-try-to-print-from-IRQ-NMI-region.patch index 7d6bde3cdabe..2eda1c59bf2a 100644 --- a/debian/patches/features/all/rt/kernel-printk-Don-t-try-to-print-from-IRQ-NMI-region.patch +++ b/debian/patches/features/all/rt/kernel-printk-Don-t-try-to-print-from-IRQ-NMI-region.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 19 May 2016 17:45:27 +0200 Subject: [PATCH] kernel/printk: Don't try to print from IRQ/NMI region -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On -RT we try to acquire sleeping locks which might lead to warnings from lockdep or a warn_on() from spin_try_lock() (which is a rtmutex on diff --git a/debian/patches/features/all/rt/kernel-rtmutex-only-warn-once-on-a-try-lock-from-bad.patch b/debian/patches/features/all/rt/kernel-rtmutex-only-warn-once-on-a-try-lock-from-bad.patch index 7c4c22c7709c..69b921b84952 100644 --- a/debian/patches/features/all/rt/kernel-rtmutex-only-warn-once-on-a-try-lock-from-bad.patch +++ b/debian/patches/features/all/rt/kernel-rtmutex-only-warn-once-on-a-try-lock-from-bad.patch @@ -2,7 +2,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 19 May 2016 17:12:34 +0200 Subject: [PATCH] kernel/rtmutex: only warn once on a try lock from bad context -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz One warning should be enough to get one motivated to fix this. It is possible that this happens more than once and so starts flooding the diff --git a/debian/patches/features/all/rt/kernel-softirq-unlock-with-irqs-on.patch b/debian/patches/features/all/rt/kernel-softirq-unlock-with-irqs-on.patch index 2acad1f6d428..bedb52f7ac60 100644 --- a/debian/patches/features/all/rt/kernel-softirq-unlock-with-irqs-on.patch +++ b/debian/patches/features/all/rt/kernel-softirq-unlock-with-irqs-on.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Tue, 9 Feb 2016 18:17:18 +0100 Subject: kernel: softirq: unlock with irqs on -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We unlock the lock while the interrupts are off. This isn't a problem now but will get because the migrate_disable() + enable are not diff --git a/debian/patches/features/all/rt/kgb-serial-hackaround.patch b/debian/patches/features/all/rt/kgb-serial-hackaround.patch index 07f7bbaaab70..e8eb5c056da7 100644 --- a/debian/patches/features/all/rt/kgb-serial-hackaround.patch +++ b/debian/patches/features/all/rt/kgb-serial-hackaround.patch @@ -1,7 +1,7 @@ From: Jason Wessel Date: Thu, 28 Jul 2011 12:42:23 -0500 Subject: kgdb/serial: Short term workaround -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On 07/27/2011 04:37 PM, Thomas Gleixner wrote: > - KGDB (not yet disabled) is reportedly unusable on -rt right now due diff --git a/debian/patches/features/all/rt/latency-hist.patch b/debian/patches/features/all/rt/latency-hist.patch index dc1c040fe53f..5ae254e87145 100644 --- a/debian/patches/features/all/rt/latency-hist.patch +++ b/debian/patches/features/all/rt/latency-hist.patch @@ -1,7 +1,7 @@ Subject: tracing: Add latency histograms From: Carsten Emde Date: Tue, 19 Jul 2011 14:03:41 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz This patch provides a recording mechanism to store data of potential sources of system latencies. The recordings separately determine the diff --git a/debian/patches/features/all/rt/latency_hist-update-sched_wakeup-probe.patch b/debian/patches/features/all/rt/latency_hist-update-sched_wakeup-probe.patch index 78e05e3b4d8b..51148edf426f 100644 --- a/debian/patches/features/all/rt/latency_hist-update-sched_wakeup-probe.patch +++ b/debian/patches/features/all/rt/latency_hist-update-sched_wakeup-probe.patch @@ -1,7 +1,7 @@ Subject: latency_hist: Update sched_wakeup probe From: Mathieu Desnoyers Date: Sun, 25 Oct 2015 18:06:05 -0400 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz "sched: Introduce the 'trace_sched_waking' tracepoint" introduces a prototype change for the sched_wakeup probe: the "success" argument is diff --git a/debian/patches/features/all/rt/latencyhist-disable-jump-labels.patch b/debian/patches/features/all/rt/latencyhist-disable-jump-labels.patch index 0b4ccd2e878a..e7eedd5b7a49 100644 --- a/debian/patches/features/all/rt/latencyhist-disable-jump-labels.patch +++ b/debian/patches/features/all/rt/latencyhist-disable-jump-labels.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 4 Feb 2016 14:08:06 +0100 Subject: latencyhist: disable jump-labels -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Atleast on X86 we die a recursive death diff --git a/debian/patches/features/all/rt/leds-trigger-disable-CPU-trigger-on-RT.patch b/debian/patches/features/all/rt/leds-trigger-disable-CPU-trigger-on-RT.patch index f3f861990306..50d00116ccf0 100644 --- a/debian/patches/features/all/rt/leds-trigger-disable-CPU-trigger-on-RT.patch +++ b/debian/patches/features/all/rt/leds-trigger-disable-CPU-trigger-on-RT.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 23 Jan 2014 14:45:59 +0100 Subject: leds: trigger: disable CPU trigger on -RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz as it triggers: |CPU: 0 PID: 0 Comm: swapper Not tainted 3.12.8-rt10 #141 diff --git a/debian/patches/features/all/rt/lglocks-rt.patch b/debian/patches/features/all/rt/lglocks-rt.patch index 63f5b9b84572..6cf511d61767 100644 --- a/debian/patches/features/all/rt/lglocks-rt.patch +++ b/debian/patches/features/all/rt/lglocks-rt.patch @@ -1,7 +1,7 @@ Subject: lglocks: Provide a RT safe variant From: Thomas Gleixner Date: Wed, 15 Jun 2011 11:02:21 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz lglocks by itself will spin in order to get the lock. This will end up badly if a task with the highest priority keeps spinning while a task diff --git a/debian/patches/features/all/rt/list_bl-fixup-bogus-lockdep-warning.patch b/debian/patches/features/all/rt/list_bl-fixup-bogus-lockdep-warning.patch index 88f75faedc0d..a23d584b984d 100644 --- a/debian/patches/features/all/rt/list_bl-fixup-bogus-lockdep-warning.patch +++ b/debian/patches/features/all/rt/list_bl-fixup-bogus-lockdep-warning.patch @@ -1,7 +1,7 @@ From: Josh Cartwright Date: Thu, 31 Mar 2016 00:04:25 -0500 Subject: [PATCH] list_bl: fixup bogus lockdep warning -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz At first glance, the use of 'static inline' seems appropriate for INIT_HLIST_BL_HEAD(). diff --git a/debian/patches/features/all/rt/list_bl.h-make-list-head-locking-RT-safe.patch b/debian/patches/features/all/rt/list_bl.h-make-list-head-locking-RT-safe.patch index 99f32c836fc6..7e9b75e77737 100644 --- a/debian/patches/features/all/rt/list_bl.h-make-list-head-locking-RT-safe.patch +++ b/debian/patches/features/all/rt/list_bl.h-make-list-head-locking-RT-safe.patch @@ -1,7 +1,7 @@ From: Paul Gortmaker Date: Fri, 21 Jun 2013 15:07:25 -0400 Subject: list_bl: Make list head locking RT safe -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz As per changes in include/linux/jbd_common.h for avoiding the bit_spin_locks on RT ("fs: jbd/jbd2: Make state lock and journal diff --git a/debian/patches/features/all/rt/local-irq-rt-depending-variants.patch b/debian/patches/features/all/rt/local-irq-rt-depending-variants.patch index 190c9b6fb373..a8a30fe1a915 100644 --- a/debian/patches/features/all/rt/local-irq-rt-depending-variants.patch +++ b/debian/patches/features/all/rt/local-irq-rt-depending-variants.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 21 Jul 2009 22:34:14 +0200 Subject: rt: local_irq_* variants depending on RT/!RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Add local_irq_*_(no)rt variant which are mainly used to break interrupt disabled sections on PREEMPT_RT or to explicitely disable diff --git a/debian/patches/features/all/rt/locallock-add-local_lock_on.patch b/debian/patches/features/all/rt/locallock-add-local_lock_on.patch index b4b4f13b559c..7f28d4ef9712 100644 --- a/debian/patches/features/all/rt/locallock-add-local_lock_on.patch +++ b/debian/patches/features/all/rt/locallock-add-local_lock_on.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 27 May 2016 15:11:51 +0200 Subject: [PATCH] locallock: add local_lock_on() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Signed-off-by: Sebastian Andrzej Siewior --- diff --git a/debian/patches/features/all/rt/localversion.patch b/debian/patches/features/all/rt/localversion.patch index ab6b7975b914..8a122988a62d 100644 --- a/debian/patches/features/all/rt/localversion.patch +++ b/debian/patches/features/all/rt/localversion.patch @@ -1,7 +1,7 @@ Subject: Add localversion for -RT release From: Thomas Gleixner Date: Fri, 08 Jul 2011 20:25:16 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Signed-off-by: Thomas Gleixner --- @@ -11,4 +11,4 @@ Signed-off-by: Thomas Gleixner --- /dev/null +++ b/localversion-rt @@ -0,0 +1 @@ -+-rt3 ++-rt5 diff --git a/debian/patches/features/all/rt/lockdep-no-softirq-accounting-on-rt.patch b/debian/patches/features/all/rt/lockdep-no-softirq-accounting-on-rt.patch index e7273f1d6c6b..ad9dea5a8f74 100644 --- a/debian/patches/features/all/rt/lockdep-no-softirq-accounting-on-rt.patch +++ b/debian/patches/features/all/rt/lockdep-no-softirq-accounting-on-rt.patch @@ -1,7 +1,7 @@ Subject: lockdep: Make it RT aware From: Thomas Gleixner Date: Sun, 17 Jul 2011 18:51:23 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz teach lockdep that we don't really do softirqs on -RT. diff --git a/debian/patches/features/all/rt/lockdep-selftest-fix-warnings-due-to-missing-PREEMPT.patch b/debian/patches/features/all/rt/lockdep-selftest-fix-warnings-due-to-missing-PREEMPT.patch index c8ee10c08eb8..44933c5139c0 100644 --- a/debian/patches/features/all/rt/lockdep-selftest-fix-warnings-due-to-missing-PREEMPT.patch +++ b/debian/patches/features/all/rt/lockdep-selftest-fix-warnings-due-to-missing-PREEMPT.patch @@ -1,7 +1,7 @@ From: Josh Cartwright Date: Wed, 28 Jan 2015 13:08:45 -0600 Subject: lockdep: selftest: fix warnings due to missing PREEMPT_RT conditionals -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz "lockdep: Selftest: Only do hardirq context test for raw spinlock" disabled the execution of certain tests with PREEMPT_RT_FULL, but did diff --git a/debian/patches/features/all/rt/lockdep-selftest-only-do-hardirq-context-test-for-raw-spinlock.patch b/debian/patches/features/all/rt/lockdep-selftest-only-do-hardirq-context-test-for-raw-spinlock.patch index 6245c700b145..b3437ec68d30 100644 --- a/debian/patches/features/all/rt/lockdep-selftest-only-do-hardirq-context-test-for-raw-spinlock.patch +++ b/debian/patches/features/all/rt/lockdep-selftest-only-do-hardirq-context-test-for-raw-spinlock.patch @@ -1,7 +1,7 @@ Subject: lockdep: selftest: Only do hardirq context test for raw spinlock From: Yong Zhang Date: Mon, 16 Apr 2012 15:01:56 +0800 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz From: Yong Zhang diff --git a/debian/patches/features/all/rt/locking-locktorture-Do-NOT-include-rwlock.h-directly.patch b/debian/patches/features/all/rt/locking-locktorture-Do-NOT-include-rwlock.h-directly.patch index 5533d8e855d3..7ceff5969802 100644 --- a/debian/patches/features/all/rt/locking-locktorture-Do-NOT-include-rwlock.h-directly.patch +++ b/debian/patches/features/all/rt/locking-locktorture-Do-NOT-include-rwlock.h-directly.patch @@ -1,7 +1,7 @@ From: "Wolfgang M. Reimer" Date: Tue, 21 Jul 2015 16:20:07 +0200 Subject: locking: locktorture: Do NOT include rwlock.h directly -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Including rwlock.h directly will cause kernel builds to fail if CONFIG_PREEMPT_RT_FULL is defined. The correct header file diff --git a/debian/patches/features/all/rt/lockinglglocks_Use_preempt_enabledisable_nort()_in_lg_double_locklg_double_unlock.patch b/debian/patches/features/all/rt/lockinglglocks_Use_preempt_enabledisable_nort()_in_lg_double_locklg_double_unlock.patch index feb68bc7d0c8..606b1cb709ce 100644 --- a/debian/patches/features/all/rt/lockinglglocks_Use_preempt_enabledisable_nort()_in_lg_double_locklg_double_unlock.patch +++ b/debian/patches/features/all/rt/lockinglglocks_Use_preempt_enabledisable_nort()_in_lg_double_locklg_double_unlock.patch @@ -1,7 +1,7 @@ Subject: locking/lglocks: Use preempt_enable/disable_nort() in lg_double_[un]lock From: Mike Galbraith Date: Sat, 27 Feb 2016 08:34:43 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Let's not do that when snagging an rtmutex. diff --git a/debian/patches/features/all/rt/md-disable-bcache.patch b/debian/patches/features/all/rt/md-disable-bcache.patch index cbcdbee905dd..a98006944d87 100644 --- a/debian/patches/features/all/rt/md-disable-bcache.patch +++ b/debian/patches/features/all/rt/md-disable-bcache.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 29 Aug 2013 11:48:57 +0200 Subject: md: disable bcache -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz It uses anon semaphores |drivers/md/bcache/request.c: In function ‘cached_dev_write_complete’: diff --git a/debian/patches/features/all/rt/md-raid5-percpu-handling-rt-aware.patch b/debian/patches/features/all/rt/md-raid5-percpu-handling-rt-aware.patch index 9688ccc745d4..d130159af6fa 100644 --- a/debian/patches/features/all/rt/md-raid5-percpu-handling-rt-aware.patch +++ b/debian/patches/features/all/rt/md-raid5-percpu-handling-rt-aware.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 6 Apr 2010 16:51:31 +0200 Subject: md: raid5: Make raid5_percpu handling RT aware -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz __raid_run_ops() disables preemption with get_cpu() around the access to the raid5_percpu variables. That causes scheduling while atomic diff --git a/debian/patches/features/all/rt/mips-disable-highmem-on-rt.patch b/debian/patches/features/all/rt/mips-disable-highmem-on-rt.patch index 62f27079bfb2..538e6233aa8f 100644 --- a/debian/patches/features/all/rt/mips-disable-highmem-on-rt.patch +++ b/debian/patches/features/all/rt/mips-disable-highmem-on-rt.patch @@ -1,7 +1,7 @@ Subject: mips: Disable highmem on RT From: Thomas Gleixner Date: Mon, 18 Jul 2011 17:10:12 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The current highmem handling on -RT is not compatible and needs fixups. diff --git a/debian/patches/features/all/rt/mm--rt--Fix-generic-kmap_atomic-for-RT.patch b/debian/patches/features/all/rt/mm--rt--Fix-generic-kmap_atomic-for-RT.patch index e414af66c2a4..75c09e44d41a 100644 --- a/debian/patches/features/all/rt/mm--rt--Fix-generic-kmap_atomic-for-RT.patch +++ b/debian/patches/features/all/rt/mm--rt--Fix-generic-kmap_atomic-for-RT.patch @@ -1,7 +1,7 @@ Subject: mm: rt: Fix generic kmap_atomic for RT From: Thomas Gleixner Date: Sat, 19 Sep 2015 10:15:00 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The update to 4.1 brought in the mainline variant of the pagefault disable distangling from preempt count. That introduced a diff --git a/debian/patches/features/all/rt/mm-backing-dev-don-t-disable-IRQs-in-wb_congested_pu.patch b/debian/patches/features/all/rt/mm-backing-dev-don-t-disable-IRQs-in-wb_congested_pu.patch index 291036a14cfa..40ef409d0403 100644 --- a/debian/patches/features/all/rt/mm-backing-dev-don-t-disable-IRQs-in-wb_congested_pu.patch +++ b/debian/patches/features/all/rt/mm-backing-dev-don-t-disable-IRQs-in-wb_congested_pu.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 5 Feb 2016 12:17:14 +0100 Subject: mm: backing-dev: don't disable IRQs in wb_congested_put() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz it triggers: |BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:930 diff --git a/debian/patches/features/all/rt/mm-bounce-local-irq-save-nort.patch b/debian/patches/features/all/rt/mm-bounce-local-irq-save-nort.patch index c9d4f0f6e21f..84095dd803c3 100644 --- a/debian/patches/features/all/rt/mm-bounce-local-irq-save-nort.patch +++ b/debian/patches/features/all/rt/mm-bounce-local-irq-save-nort.patch @@ -1,7 +1,7 @@ Subject: mm: bounce: Use local_irq_save_nort From: Thomas Gleixner Date: Wed, 09 Jan 2013 10:33:09 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz kmap_atomic() is preemptible on RT. diff --git a/debian/patches/features/all/rt/mm-convert-swap-to-percpu-locked.patch b/debian/patches/features/all/rt/mm-convert-swap-to-percpu-locked.patch index 0ca9baa27c40..426f24368b37 100644 --- a/debian/patches/features/all/rt/mm-convert-swap-to-percpu-locked.patch +++ b/debian/patches/features/all/rt/mm-convert-swap-to-percpu-locked.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:51 -0500 Subject: mm/swap: Convert to percpu locked -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Replace global locks (get_cpu + local_irq_save) with "local_locks()". Currently there is one of for "rotate" and one for "swap". diff --git a/debian/patches/features/all/rt/mm-disable-sloub-rt.patch b/debian/patches/features/all/rt/mm-disable-sloub-rt.patch index 345b7f640b73..67e7f1a68f8a 100644 --- a/debian/patches/features/all/rt/mm-disable-sloub-rt.patch +++ b/debian/patches/features/all/rt/mm-disable-sloub-rt.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:44:03 -0500 Subject: mm: Allow only slub on RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Disable SLAB and SLOB on -RT. Only SLUB is adopted to -RT needs. diff --git a/debian/patches/features/all/rt/mm-enable-slub.patch b/debian/patches/features/all/rt/mm-enable-slub.patch index 0a429c24f64f..46dcfe6980a7 100644 --- a/debian/patches/features/all/rt/mm-enable-slub.patch +++ b/debian/patches/features/all/rt/mm-enable-slub.patch @@ -1,7 +1,7 @@ Subject: mm: Enable SLUB for RT From: Thomas Gleixner Date: Thu, 25 Oct 2012 10:32:35 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Make SLUB RT aware by converting locks to raw and using free lists to move the freeing out of the lock held region. diff --git a/debian/patches/features/all/rt/mm-make-vmstat-rt-aware.patch b/debian/patches/features/all/rt/mm-make-vmstat-rt-aware.patch index cb7f97013a3e..5634a432c609 100644 --- a/debian/patches/features/all/rt/mm-make-vmstat-rt-aware.patch +++ b/debian/patches/features/all/rt/mm-make-vmstat-rt-aware.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:30:13 -0500 Subject: mm/vmstat: Protect per cpu variables with preempt disable on RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Disable preemption on -RT for the vmstat code. On vanila the code runs in IRQ-off regions while on -RT it is not. "preempt_disable" ensures that the diff --git a/debian/patches/features/all/rt/mm-memcontrol-Don-t-call-schedule_work_on-in-preempt.patch b/debian/patches/features/all/rt/mm-memcontrol-Don-t-call-schedule_work_on-in-preempt.patch index d7a19a272fbf..11bd8d4957ab 100644 --- a/debian/patches/features/all/rt/mm-memcontrol-Don-t-call-schedule_work_on-in-preempt.patch +++ b/debian/patches/features/all/rt/mm-memcontrol-Don-t-call-schedule_work_on-in-preempt.patch @@ -1,7 +1,7 @@ From: Yang Shi Subject: mm/memcontrol: Don't call schedule_work_on in preemption disabled context Date: Wed, 30 Oct 2013 11:48:33 -0700 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The following trace is triggered when running ltp oom test cases: diff --git a/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch b/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch index 5bfa07aab95f..4ed2d41ce675 100644 --- a/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch +++ b/debian/patches/features/all/rt/mm-memcontrol-do_not_disable_irq.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Subject: mm/memcontrol: Replace local_irq_disable with local locks Date: Wed, 28 Jan 2015 17:14:16 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz There are a few local_irq_disable() which then take sleeping locks. This patch converts them local locks. diff --git a/debian/patches/features/all/rt/mm-memcontrol-mem_cgroup_migrate-replace-another-loc.patch b/debian/patches/features/all/rt/mm-memcontrol-mem_cgroup_migrate-replace-another-loc.patch new file mode 100644 index 000000000000..54764164129d --- /dev/null +++ b/debian/patches/features/all/rt/mm-memcontrol-mem_cgroup_migrate-replace-another-loc.patch @@ -0,0 +1,30 @@ +From: Mike Galbraith +Date: Sun, 5 Jun 2016 08:11:13 +0200 +Subject: [PATCH] mm/memcontrol: mem_cgroup_migrate() - replace another + local_irq_disable() w. local_lock_irq() +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz + +v4.6 grew a local_irq_disable() in mm/memcontrol.c::mem_cgroup_migrate(). +Convert it to use the existing local lock (event_lock) like the others. + +Signed-off-by: Mike Galbraith +Signed-off-by: Sebastian Andrzej Siewior +--- + mm/memcontrol.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5554,10 +5554,10 @@ void mem_cgroup_migrate(struct page *old + + commit_charge(newpage, memcg, false); + +- local_irq_disable(); ++ local_lock_irq(event_lock); + mem_cgroup_charge_statistics(memcg, newpage, compound, nr_pages); + memcg_check_events(memcg, newpage); +- local_irq_enable(); ++ local_unlock_irq(event_lock); + } + + DEFINE_STATIC_KEY_FALSE(memcg_sockets_enabled_key); diff --git a/debian/patches/features/all/rt/mm-page-alloc-use-local-lock-on-target-cpu.patch b/debian/patches/features/all/rt/mm-page-alloc-use-local-lock-on-target-cpu.patch index e702ef0082ab..78b1b37c6c7f 100644 --- a/debian/patches/features/all/rt/mm-page-alloc-use-local-lock-on-target-cpu.patch +++ b/debian/patches/features/all/rt/mm-page-alloc-use-local-lock-on-target-cpu.patch @@ -1,7 +1,7 @@ Subject: mm: page_alloc: Use local_lock_on() instead of plain spinlock From: Thomas Gleixner Date: Thu, 27 Sep 2012 11:11:46 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The plain spinlock while sufficient does not update the local_lock internals. Use a proper local_lock function instead to ease debugging. diff --git a/debian/patches/features/all/rt/mm-page_alloc-reduce-lock-sections-further.patch b/debian/patches/features/all/rt/mm-page_alloc-reduce-lock-sections-further.patch index dc4b5ec1683d..ae4bfedcb49c 100644 --- a/debian/patches/features/all/rt/mm-page_alloc-reduce-lock-sections-further.patch +++ b/debian/patches/features/all/rt/mm-page_alloc-reduce-lock-sections-further.patch @@ -1,7 +1,7 @@ From: Peter Zijlstra Date: Fri Jul 3 08:44:37 2009 -0500 Subject: mm: page_alloc: Reduce lock sections further -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Split out the pages which are to be freed into a separate list and call free_pages_bulk() outside of the percpu page allocator locks. diff --git a/debian/patches/features/all/rt/mm-page_alloc-rt-friendly-per-cpu-pages.patch b/debian/patches/features/all/rt/mm-page_alloc-rt-friendly-per-cpu-pages.patch index c480cf6f5513..85189245fcf4 100644 --- a/debian/patches/features/all/rt/mm-page_alloc-rt-friendly-per-cpu-pages.patch +++ b/debian/patches/features/all/rt/mm-page_alloc-rt-friendly-per-cpu-pages.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:37 -0500 Subject: mm: page_alloc: rt-friendly per-cpu pages -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz rt-friendly per-cpu pages: convert the irqs-off per-cpu locking method into a preemptible, explicit-per-cpu-locks method. diff --git a/debian/patches/features/all/rt/mm-perform-lru_add_drain_all-remotely.patch b/debian/patches/features/all/rt/mm-perform-lru_add_drain_all-remotely.patch index 32393d8b8b66..42d56e67bea1 100644 --- a/debian/patches/features/all/rt/mm-perform-lru_add_drain_all-remotely.patch +++ b/debian/patches/features/all/rt/mm-perform-lru_add_drain_all-remotely.patch @@ -1,7 +1,7 @@ From: Luiz Capitulino Date: Fri, 27 May 2016 15:03:28 +0200 Subject: [PATCH] mm: perform lru_add_drain_all() remotely -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz lru_add_drain_all() works by scheduling lru_add_drain_cpu() to run on all CPUs that have non-empty LRU pagevecs and then waiting for diff --git a/debian/patches/features/all/rt/mm-protect-activate-switch-mm.patch b/debian/patches/features/all/rt/mm-protect-activate-switch-mm.patch index 4b964259e87f..a53c3d5f8188 100644 --- a/debian/patches/features/all/rt/mm-protect-activate-switch-mm.patch +++ b/debian/patches/features/all/rt/mm-protect-activate-switch-mm.patch @@ -1,7 +1,7 @@ From: Yong Zhang Date: Tue, 15 May 2012 13:53:56 +0800 Subject: mm: Protect activate_mm() by preempt_[disable&enable]_rt() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz User preempt_*_rt instead of local_irq_*_rt or otherwise there will be warning on ARM like below: diff --git a/debian/patches/features/all/rt/mm-rt-kmap-atomic-scheduling.patch b/debian/patches/features/all/rt/mm-rt-kmap-atomic-scheduling.patch index 4176bb60ef08..fc09d180c8d6 100644 --- a/debian/patches/features/all/rt/mm-rt-kmap-atomic-scheduling.patch +++ b/debian/patches/features/all/rt/mm-rt-kmap-atomic-scheduling.patch @@ -1,7 +1,7 @@ Subject: mm, rt: kmap_atomic scheduling From: Peter Zijlstra Date: Thu, 28 Jul 2011 10:43:51 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz In fact, with migrate_disable() existing one could play games with kmap_atomic. You could save/restore the kmap_atomic slots on context diff --git a/debian/patches/features/all/rt/mm-scatterlist-dont-disable-irqs-on-RT.patch b/debian/patches/features/all/rt/mm-scatterlist-dont-disable-irqs-on-RT.patch index fe4bdb9a26c5..6ec588d9308d 100644 --- a/debian/patches/features/all/rt/mm-scatterlist-dont-disable-irqs-on-RT.patch +++ b/debian/patches/features/all/rt/mm-scatterlist-dont-disable-irqs-on-RT.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 3 Jul 2009 08:44:34 -0500 Subject: mm/scatterlist: Do not disable irqs on RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The local_irq_save() is not only used to get things done "fast" but also to ensure that in case of SG_MITER_ATOMIC we are in "atomic" diff --git a/debian/patches/features/all/rt/mm-vmalloc-use-get-cpu-light.patch b/debian/patches/features/all/rt/mm-vmalloc-use-get-cpu-light.patch index 5d55ea229084..f6b5e78a7ef7 100644 --- a/debian/patches/features/all/rt/mm-vmalloc-use-get-cpu-light.patch +++ b/debian/patches/features/all/rt/mm-vmalloc-use-get-cpu-light.patch @@ -1,7 +1,7 @@ Subject: mm/vmalloc: Another preempt disable region which sucks From: Thomas Gleixner Date: Tue, 12 Jul 2011 11:39:36 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Avoid the preempt disable version of get_cpu_var(). The inner-lock should provide enough serialisation. diff --git a/debian/patches/features/all/rt/mm-workingset-do-not-protect-workingset_shadow_nodes.patch b/debian/patches/features/all/rt/mm-workingset-do-not-protect-workingset_shadow_nodes.patch index c593baa70d7d..00932cb22081 100644 --- a/debian/patches/features/all/rt/mm-workingset-do-not-protect-workingset_shadow_nodes.patch +++ b/debian/patches/features/all/rt/mm-workingset-do-not-protect-workingset_shadow_nodes.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 29 Jan 2015 17:19:44 +0100 Subject: mm/workingset: Do not protect workingset_shadow_nodes with irq off -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz workingset_shadow_nodes is protected by local_irq_disable(). Some users use spin_lock_irq(). diff --git a/debian/patches/features/all/rt/mm-zsmalloc-Use-get-put_cpu_light-in-zs_map_object-z.patch b/debian/patches/features/all/rt/mm-zsmalloc-Use-get-put_cpu_light-in-zs_map_object-z.patch index 2f71be1fc8c9..d70735bb02b3 100644 --- a/debian/patches/features/all/rt/mm-zsmalloc-Use-get-put_cpu_light-in-zs_map_object-z.patch +++ b/debian/patches/features/all/rt/mm-zsmalloc-Use-get-put_cpu_light-in-zs_map_object-z.patch @@ -3,7 +3,7 @@ From: Mike Galbraith Date: Tue, 22 Mar 2016 11:16:09 +0100 Subject: [PATCH] mm/zsmalloc: Use get/put_cpu_light in zs_map_object()/zs_unmap_object() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Otherwise, we get a ___might_sleep() splat. diff --git a/debian/patches/features/all/rt/mmci-remove-bogus-irq-save.patch b/debian/patches/features/all/rt/mmci-remove-bogus-irq-save.patch index 97381e13c647..fc708baa8899 100644 --- a/debian/patches/features/all/rt/mmci-remove-bogus-irq-save.patch +++ b/debian/patches/features/all/rt/mmci-remove-bogus-irq-save.patch @@ -1,7 +1,7 @@ Subject: mmci: Remove bogus local_irq_save() From: Thomas Gleixner Date: Wed, 09 Jan 2013 12:11:12 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On !RT interrupt runs with interrupts disabled. On RT it's in a thread, so no need to disable interrupts at all. diff --git a/debian/patches/features/all/rt/move_sched_delayed_work_to_helper.patch b/debian/patches/features/all/rt/move_sched_delayed_work_to_helper.patch index 8858abe38a26..1f9687b9b200 100644 --- a/debian/patches/features/all/rt/move_sched_delayed_work_to_helper.patch +++ b/debian/patches/features/all/rt/move_sched_delayed_work_to_helper.patch @@ -1,7 +1,7 @@ Date: Wed, 26 Jun 2013 15:28:11 -0400 From: Steven Rostedt Subject: rt,ntp: Move call to schedule_delayed_work() to helper thread -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The ntp code for notify_cmos_timer() is called from a hard interrupt context. schedule_delayed_work() under PREEMPT_RT_FULL calls spinlocks diff --git a/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch b/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch index 3c982b44d390..13cfa49d8fa7 100644 --- a/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch +++ b/debian/patches/features/all/rt/mutex-no-spin-on-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sun, 17 Jul 2011 21:51:45 +0200 Subject: locking: Disable spin on owner for RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Drop spin on owner for mutex / rwsem. We are most likely not using it but… diff --git a/debian/patches/features/all/rt/net-another-local-irq-disable-alloc-atomic-headache.patch b/debian/patches/features/all/rt/net-another-local-irq-disable-alloc-atomic-headache.patch index ce20fb58d262..a2c12a7ed281 100644 --- a/debian/patches/features/all/rt/net-another-local-irq-disable-alloc-atomic-headache.patch +++ b/debian/patches/features/all/rt/net-another-local-irq-disable-alloc-atomic-headache.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Wed, 26 Sep 2012 16:21:08 +0200 Subject: net: Another local_irq_disable/kmalloc headache -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Replace it by a local lock. Though that's pretty inefficient :( diff --git a/debian/patches/features/all/rt/net-core-cpuhotplug-drain-input_pkt_queue-lockless.patch b/debian/patches/features/all/rt/net-core-cpuhotplug-drain-input_pkt_queue-lockless.patch index 28eaad41c1bc..c32448f86e16 100644 --- a/debian/patches/features/all/rt/net-core-cpuhotplug-drain-input_pkt_queue-lockless.patch +++ b/debian/patches/features/all/rt/net-core-cpuhotplug-drain-input_pkt_queue-lockless.patch @@ -1,7 +1,7 @@ Subject: net/core/cpuhotplug: Drain input_pkt_queue lockless From: Grygorii Strashko Date: Fri, 9 Oct 2015 09:25:49 -0500 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz I can constantly see below error report with 4.1 RT-kernel on TI ARM dra7-evm if I'm trying to unplug cpu1: diff --git a/debian/patches/features/all/rt/net-core-protect-users-of-napi_alloc_cache-against-r.patch b/debian/patches/features/all/rt/net-core-protect-users-of-napi_alloc_cache-against-r.patch index 28dd40545491..c3621061a96a 100644 --- a/debian/patches/features/all/rt/net-core-protect-users-of-napi_alloc_cache-against-r.patch +++ b/debian/patches/features/all/rt/net-core-protect-users-of-napi_alloc_cache-against-r.patch @@ -2,7 +2,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 15 Jan 2016 16:33:34 +0100 Subject: net/core: protect users of napi_alloc_cache against reentrance -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On -RT the code running in BH can not be moved to another CPU so CPU local variable remain local. However the code can be preempted diff --git a/debian/patches/features/all/rt/net-dev-always-take-qdisc-s-busylock-in-__dev_xmit_s.patch b/debian/patches/features/all/rt/net-dev-always-take-qdisc-s-busylock-in-__dev_xmit_s.patch index a84253df7c35..195535dc7824 100644 --- a/debian/patches/features/all/rt/net-dev-always-take-qdisc-s-busylock-in-__dev_xmit_s.patch +++ b/debian/patches/features/all/rt/net-dev-always-take-qdisc-s-busylock-in-__dev_xmit_s.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 30 Mar 2016 13:36:29 +0200 Subject: [PATCH] net: dev: always take qdisc's busylock in __dev_xmit_skb() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The root-lock is dropped before dev_hard_start_xmit() is invoked and after setting the __QDISC___STATE_RUNNING bit. If this task is now pushed away diff --git a/debian/patches/features/all/rt/net-fix-iptable-xt-write-recseq-begin-rt-fallout.patch b/debian/patches/features/all/rt/net-fix-iptable-xt-write-recseq-begin-rt-fallout.patch index b0b0f2a40274..9a02ee90128d 100644 --- a/debian/patches/features/all/rt/net-fix-iptable-xt-write-recseq-begin-rt-fallout.patch +++ b/debian/patches/features/all/rt/net-fix-iptable-xt-write-recseq-begin-rt-fallout.patch @@ -1,7 +1,7 @@ Subject: net: netfilter: Serialize xt_write_recseq sections on RT From: Thomas Gleixner Date: Sun, 28 Oct 2012 11:18:08 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The netfilter code relies only on the implicit semantics of local_bh_disable() for serializing wt_write_recseq sections. RT breaks diff --git a/debian/patches/features/all/rt/net-make-devnet_rename_seq-a-mutex.patch b/debian/patches/features/all/rt/net-make-devnet_rename_seq-a-mutex.patch index be0cf0119ff5..724701ead8bf 100644 --- a/debian/patches/features/all/rt/net-make-devnet_rename_seq-a-mutex.patch +++ b/debian/patches/features/all/rt/net-make-devnet_rename_seq-a-mutex.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 20 Mar 2013 18:06:20 +0100 Subject: net: Add a mutex around devnet_rename_seq -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On RT write_seqcount_begin() disables preemption and device_rename() allocates memory with GFP_KERNEL and grabs later the sysfs_mutex diff --git a/debian/patches/features/all/rt/net-move-xmit_recursion-to-per-task-variable-on-RT.patch b/debian/patches/features/all/rt/net-move-xmit_recursion-to-per-task-variable-on-RT.patch index e72b9de07cd2..0f10736c24f9 100644 --- a/debian/patches/features/all/rt/net-move-xmit_recursion-to-per-task-variable-on-RT.patch +++ b/debian/patches/features/all/rt/net-move-xmit_recursion-to-per-task-variable-on-RT.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 13 Jan 2016 15:55:02 +0100 Subject: net: move xmit_recursion to per-task variable on -RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz A softirq on -RT can be preempted. That means one task is in __dev_queue_xmit(), gets preempted and another task may enter diff --git a/debian/patches/features/all/rt/net-prevent-abba-deadlock.patch b/debian/patches/features/all/rt/net-prevent-abba-deadlock.patch index fd5c90b00443..48a9121c83f6 100644 --- a/debian/patches/features/all/rt/net-prevent-abba-deadlock.patch +++ b/debian/patches/features/all/rt/net-prevent-abba-deadlock.patch @@ -1,7 +1,7 @@ Subject: net-flip-lock-dep-thingy.patch From: Thomas Gleixner Date: Tue, 28 Jun 2011 10:59:58 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz ======================================================= [ INFO: possible circular locking dependency detected ] diff --git a/debian/patches/features/all/rt/net-provide-a-way-to-delegate-processing-a-softirq-t.patch b/debian/patches/features/all/rt/net-provide-a-way-to-delegate-processing-a-softirq-t.patch index fe2e5c46c377..8c986a62d517 100644 --- a/debian/patches/features/all/rt/net-provide-a-way-to-delegate-processing-a-softirq-t.patch +++ b/debian/patches/features/all/rt/net-provide-a-way-to-delegate-processing-a-softirq-t.patch @@ -2,7 +2,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 20 Jan 2016 15:39:05 +0100 Subject: net: provide a way to delegate processing a softirq to ksoftirqd -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If the NET_RX uses up all of his budget it moves the following NAPI invocations into the `ksoftirqd`. On -RT it does not do so. Instead it diff --git a/debian/patches/features/all/rt/net-sched-dev_deactivate_many-use-msleep-1-instead-o.patch b/debian/patches/features/all/rt/net-sched-dev_deactivate_many-use-msleep-1-instead-o.patch index 6d10a097d133..232b9323dc4a 100644 --- a/debian/patches/features/all/rt/net-sched-dev_deactivate_many-use-msleep-1-instead-o.patch +++ b/debian/patches/features/all/rt/net-sched-dev_deactivate_many-use-msleep-1-instead-o.patch @@ -1,7 +1,7 @@ From: Marc Kleine-Budde Date: Wed, 5 Mar 2014 00:49:47 +0100 Subject: net: sched: Use msleep() instead of yield() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On PREEMPT_RT enabled systems the interrupt handler run as threads at prio 50 (by default). If a high priority userspace process tries to shut down a busy diff --git a/debian/patches/features/all/rt/net-tx-action-avoid-livelock-on-rt.patch b/debian/patches/features/all/rt/net-tx-action-avoid-livelock-on-rt.patch index 36cff2b6b6d1..418b2afac720 100644 --- a/debian/patches/features/all/rt/net-tx-action-avoid-livelock-on-rt.patch +++ b/debian/patches/features/all/rt/net-tx-action-avoid-livelock-on-rt.patch @@ -1,7 +1,7 @@ Subject: net: Avoid livelock in net_tx_action() on RT From: Steven Rostedt Date: Thu, 06 Oct 2011 10:48:39 -0400 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz qdisc_lock is taken w/o disabling interrupts or bottom halfs. So code holding a qdisc_lock() can be interrupted and softirqs can run on the diff --git a/debian/patches/features/all/rt/net-use-cpu-chill.patch b/debian/patches/features/all/rt/net-use-cpu-chill.patch index 01e96dd974ce..4a13a9d895a3 100644 --- a/debian/patches/features/all/rt/net-use-cpu-chill.patch +++ b/debian/patches/features/all/rt/net-use-cpu-chill.patch @@ -1,7 +1,7 @@ Subject: net: Use cpu_chill() instead of cpu_relax() From: Thomas Gleixner Date: Wed, 07 Mar 2012 21:10:04 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Retry loops on RT might loop forever when the modifying side was preempted. Use cpu_chill() instead of cpu_relax() to let the system diff --git a/debian/patches/features/all/rt/net-wireless-warn-nort.patch b/debian/patches/features/all/rt/net-wireless-warn-nort.patch index a82733b7ccda..e98a9c00d007 100644 --- a/debian/patches/features/all/rt/net-wireless-warn-nort.patch +++ b/debian/patches/features/all/rt/net-wireless-warn-nort.patch @@ -1,7 +1,7 @@ Subject: net/wireless: Use WARN_ON_NORT() From: Thomas Gleixner Date: Thu, 21 Jul 2011 21:05:33 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The softirq counter is meaningless on RT, so the check triggers a false positive. diff --git a/debian/patches/features/all/rt/net__Make_synchronize-rcu_expedited_conditional-on-non-rt.patch b/debian/patches/features/all/rt/net__Make_synchronize-rcu_expedited_conditional-on-non-rt.patch index 6bff0fc9e491..a917a260db9b 100644 --- a/debian/patches/features/all/rt/net__Make_synchronize-rcu_expedited_conditional-on-non-rt.patch +++ b/debian/patches/features/all/rt/net__Make_synchronize-rcu_expedited_conditional-on-non-rt.patch @@ -1,7 +1,7 @@ Date: Tue, 27 Oct 2015 07:31:53 -0500 From: Josh Cartwright Subject: net: Make synchronize_rcu_expedited() conditional on !RT_FULL -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz While the use of synchronize_rcu_expedited() might make synchronize_net() "faster", it does so at significant cost on RT diff --git a/debian/patches/features/all/rt/oleg-signal-rt-fix.patch b/debian/patches/features/all/rt/oleg-signal-rt-fix.patch index a74e5c0fabdc..8d5dda3baed6 100644 --- a/debian/patches/features/all/rt/oleg-signal-rt-fix.patch +++ b/debian/patches/features/all/rt/oleg-signal-rt-fix.patch @@ -1,7 +1,7 @@ From: Oleg Nesterov Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: signal/x86: Delay calling signals in atomic -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On x86_64 we must disable preemption before we enable interrupts for stack faults, int3 and debugging, because the current task is using diff --git a/debian/patches/features/all/rt/panic-disable-random-on-rt.patch b/debian/patches/features/all/rt/panic-disable-random-on-rt.patch index 8588f9cc9bb9..ea10630f87c9 100644 --- a/debian/patches/features/all/rt/panic-disable-random-on-rt.patch +++ b/debian/patches/features/all/rt/panic-disable-random-on-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: panic: skip get_random_bytes for RT_FULL in init_oops_id -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Disable on -RT. If this is invoked from irq-context we will have problems to acquire the sleeping lock. diff --git a/debian/patches/features/all/rt/patch-to-introduce-rcu-bh-qs-where-safe-from-softirq.patch b/debian/patches/features/all/rt/patch-to-introduce-rcu-bh-qs-where-safe-from-softirq.patch index a3fc870b8853..caefb2a02bbf 100644 --- a/debian/patches/features/all/rt/patch-to-introduce-rcu-bh-qs-where-safe-from-softirq.patch +++ b/debian/patches/features/all/rt/patch-to-introduce-rcu-bh-qs-where-safe-from-softirq.patch @@ -1,7 +1,7 @@ Subject: rcu: Make ksoftirqd do RCU quiescent states From: "Paul E. McKenney" Date: Wed, 5 Oct 2011 11:45:18 -0700 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Implementing RCU-bh in terms of RCU-preempt makes the system vulnerable to network-based denial-of-service attacks. This patch therefore diff --git a/debian/patches/features/all/rt/pci-access-use-__wake_up_all_locked.patch b/debian/patches/features/all/rt/pci-access-use-__wake_up_all_locked.patch index 16623d1b0dc1..d5154505e515 100644 --- a/debian/patches/features/all/rt/pci-access-use-__wake_up_all_locked.patch +++ b/debian/patches/features/all/rt/pci-access-use-__wake_up_all_locked.patch @@ -1,7 +1,7 @@ Subject: pci: Use __wake_up_all_locked in pci_unblock_user_cfg_access() From: Thomas Gleixner Date: Thu, 01 Dec 2011 00:07:16 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The waitqueue is protected by the pci_lock, so we can just avoid to lock the waitqueue lock itself. That prevents the diff --git a/debian/patches/features/all/rt/percpu_ida-use-locklocks.patch b/debian/patches/features/all/rt/percpu_ida-use-locklocks.patch index 25dae926de99..17c9359ba862 100644 --- a/debian/patches/features/all/rt/percpu_ida-use-locklocks.patch +++ b/debian/patches/features/all/rt/percpu_ida-use-locklocks.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 9 Apr 2014 11:58:17 +0200 Subject: percpu_ida: Use local locks -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz the local_irq_save() + spin_lock() does not work that well on -RT diff --git a/debian/patches/features/all/rt/perf-make-swevent-hrtimer-irqsafe.patch b/debian/patches/features/all/rt/perf-make-swevent-hrtimer-irqsafe.patch index b079f96e7d83..89b53edbd591 100644 --- a/debian/patches/features/all/rt/perf-make-swevent-hrtimer-irqsafe.patch +++ b/debian/patches/features/all/rt/perf-make-swevent-hrtimer-irqsafe.patch @@ -1,7 +1,7 @@ From: Yong Zhang Date: Wed, 11 Jul 2012 22:05:21 +0000 Subject: perf: Make swevent hrtimer run in irq instead of softirq -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Otherwise we get a deadlock like below: diff --git a/debian/patches/features/all/rt/peter_zijlstra-frob-rcu.patch b/debian/patches/features/all/rt/peter_zijlstra-frob-rcu.patch index 4e3dad1e8ba7..27f290fa7197 100644 --- a/debian/patches/features/all/rt/peter_zijlstra-frob-rcu.patch +++ b/debian/patches/features/all/rt/peter_zijlstra-frob-rcu.patch @@ -1,7 +1,7 @@ Subject: rcu: Frob softirq test From: Peter Zijlstra Date: Sat Aug 13 00:23:17 CEST 2011 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz With RT_FULL we get the below wreckage: diff --git a/debian/patches/features/all/rt/peterz-srcu-crypto-chain.patch b/debian/patches/features/all/rt/peterz-srcu-crypto-chain.patch index 6fd7a4fd00a3..83d16fe2c595 100644 --- a/debian/patches/features/all/rt/peterz-srcu-crypto-chain.patch +++ b/debian/patches/features/all/rt/peterz-srcu-crypto-chain.patch @@ -1,7 +1,7 @@ Subject: crypto: Convert crypto notifier chain to SRCU From: Peter Zijlstra Date: Fri, 05 Oct 2012 09:03:24 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The crypto notifier deadlocks on RT. Though this can be a real deadlock on mainline as well due to fifo fair rwsems. diff --git a/debian/patches/features/all/rt/pid.h-include-atomic.h.patch b/debian/patches/features/all/rt/pid.h-include-atomic.h.patch index 0776823ac8c4..6dd643c30f21 100644 --- a/debian/patches/features/all/rt/pid.h-include-atomic.h.patch +++ b/debian/patches/features/all/rt/pid.h-include-atomic.h.patch @@ -1,7 +1,7 @@ From: Grygorii Strashko Date: Tue, 21 Jul 2015 19:43:56 +0300 -Subject: wait.h: include atomic.h -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Subject: pid.h: include atomic.h +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz This patch fixes build error: CC kernel/pid_namespace.o diff --git a/debian/patches/features/all/rt/ping-sysrq.patch b/debian/patches/features/all/rt/ping-sysrq.patch index ca5769aefa1f..223da539cf4b 100644 --- a/debian/patches/features/all/rt/ping-sysrq.patch +++ b/debian/patches/features/all/rt/ping-sysrq.patch @@ -1,7 +1,7 @@ Subject: net: sysrq via icmp From: Carsten Emde Date: Tue, 19 Jul 2011 13:51:17 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz There are (probably rare) situations when a system crashed and the system console becomes unresponsive but the network icmp layer still is alive. diff --git a/debian/patches/features/all/rt/posix-timers-no-broadcast.patch b/debian/patches/features/all/rt/posix-timers-no-broadcast.patch index c79792150747..d97bd844411f 100644 --- a/debian/patches/features/all/rt/posix-timers-no-broadcast.patch +++ b/debian/patches/features/all/rt/posix-timers-no-broadcast.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 3 Jul 2009 08:29:20 -0500 Subject: posix-timers: Prevent broadcast signals -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Posix timers should not send broadcast signals and kernel only signals. Prevent it. diff --git a/debian/patches/features/all/rt/posix-timers-thread-posix-cpu-timers-on-rt.patch b/debian/patches/features/all/rt/posix-timers-thread-posix-cpu-timers-on-rt.patch index b655561be06e..610a419d4d38 100644 --- a/debian/patches/features/all/rt/posix-timers-thread-posix-cpu-timers-on-rt.patch +++ b/debian/patches/features/all/rt/posix-timers-thread-posix-cpu-timers-on-rt.patch @@ -1,7 +1,7 @@ From: John Stultz Date: Fri, 3 Jul 2009 08:29:58 -0500 Subject: posix-timers: Thread posix-cpu-timers on -rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz posix-cpu-timer code takes non -rt safe locks in hard irq context. Move it to a thread. diff --git a/debian/patches/features/all/rt/power-disable-highmem-on-rt.patch b/debian/patches/features/all/rt/power-disable-highmem-on-rt.patch index 9c2be349999b..bc50f1a56a9e 100644 --- a/debian/patches/features/all/rt/power-disable-highmem-on-rt.patch +++ b/debian/patches/features/all/rt/power-disable-highmem-on-rt.patch @@ -1,7 +1,7 @@ Subject: powerpc: Disable highmem on RT From: Thomas Gleixner Date: Mon, 18 Jul 2011 17:08:34 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The current highmem handling on -RT is not compatible and needs fixups. diff --git a/debian/patches/features/all/rt/power-use-generic-rwsem-on-rt.patch b/debian/patches/features/all/rt/power-use-generic-rwsem-on-rt.patch index 61ea546518ad..c12c4ecb7715 100644 --- a/debian/patches/features/all/rt/power-use-generic-rwsem-on-rt.patch +++ b/debian/patches/features/all/rt/power-use-generic-rwsem-on-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 14 Jul 2015 14:26:34 +0200 Subject: powerpc: Use generic rwsem on RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use generic code which uses rtmutex diff --git a/debian/patches/features/all/rt/powerpc-kvm-Disable-in-kernel-MPIC-emulation-for-PRE.patch b/debian/patches/features/all/rt/powerpc-kvm-Disable-in-kernel-MPIC-emulation-for-PRE.patch index d1dcd90d980e..85820143664f 100644 --- a/debian/patches/features/all/rt/powerpc-kvm-Disable-in-kernel-MPIC-emulation-for-PRE.patch +++ b/debian/patches/features/all/rt/powerpc-kvm-Disable-in-kernel-MPIC-emulation-for-PRE.patch @@ -1,7 +1,7 @@ From: Bogdan Purcareata Date: Fri, 24 Apr 2015 15:53:13 +0000 Subject: powerpc/kvm: Disable in-kernel MPIC emulation for PREEMPT_RT_FULL -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz While converting the openpic emulation code to use a raw_spinlock_t enables guests to run on RT, there's still a performance issue. For interrupts sent in diff --git a/debian/patches/features/all/rt/powerpc-preempt-lazy-support.patch b/debian/patches/features/all/rt/powerpc-preempt-lazy-support.patch index 2a28464f7977..57017f4064e8 100644 --- a/debian/patches/features/all/rt/powerpc-preempt-lazy-support.patch +++ b/debian/patches/features/all/rt/powerpc-preempt-lazy-support.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Thu, 1 Nov 2012 10:14:11 +0100 Subject: powerpc: Add support for lazy preemption -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Implement the powerpc pieces for lazy preempt. diff --git a/debian/patches/features/all/rt/powerpc-ps3-device-init.c-adapt-to-completions-using.patch b/debian/patches/features/all/rt/powerpc-ps3-device-init.c-adapt-to-completions-using.patch index 5a765eb5a05d..9329f21ec3ee 100644 --- a/debian/patches/features/all/rt/powerpc-ps3-device-init.c-adapt-to-completions-using.patch +++ b/debian/patches/features/all/rt/powerpc-ps3-device-init.c-adapt-to-completions-using.patch @@ -1,7 +1,7 @@ From: Paul Gortmaker Date: Sun, 31 May 2015 14:44:42 -0400 Subject: powerpc: ps3/device-init.c - adapt to completions using swait vs wait -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz To fix: diff --git a/debian/patches/features/all/rt/preempt-lazy-check-preempt_schedule.patch b/debian/patches/features/all/rt/preempt-lazy-check-preempt_schedule.patch index 1cd2e3c80562..86d3b2cf73dc 100644 --- a/debian/patches/features/all/rt/preempt-lazy-check-preempt_schedule.patch +++ b/debian/patches/features/all/rt/preempt-lazy-check-preempt_schedule.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 20 Jan 2016 15:13:30 +0100 Subject: preempt-lazy: Add the lazy-preemption check to preempt_schedule() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Probably in the rebase onto v4.1 this check got moved into less commonly used preempt_schedule_notrace(). This patch ensures that both functions use it. diff --git a/debian/patches/features/all/rt/preempt-lazy-support.patch b/debian/patches/features/all/rt/preempt-lazy-support.patch index ddb538f3e13e..ac55329f0fba 100644 --- a/debian/patches/features/all/rt/preempt-lazy-support.patch +++ b/debian/patches/features/all/rt/preempt-lazy-support.patch @@ -1,7 +1,7 @@ Subject: sched: Add support for lazy preemption From: Thomas Gleixner Date: Fri, 26 Oct 2012 18:50:54 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz It has become an obsession to mitigate the determinism vs. throughput loss of RT. Looking at the mainline semantics of preemption points diff --git a/debian/patches/features/all/rt/preempt-nort-rt-variants.patch b/debian/patches/features/all/rt/preempt-nort-rt-variants.patch index 119d9d4a933c..2a87be86b826 100644 --- a/debian/patches/features/all/rt/preempt-nort-rt-variants.patch +++ b/debian/patches/features/all/rt/preempt-nort-rt-variants.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 24 Jul 2009 12:38:56 +0200 Subject: preempt: Provide preempt_*_(no)rt variants -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT needs a few preempt_disable/enable points which are not necessary otherwise. Implement variants to avoid #ifdeffery. diff --git a/debian/patches/features/all/rt/printk-27force_early_printk-27-boot-param-to-help-with-debugging.patch b/debian/patches/features/all/rt/printk-27force_early_printk-27-boot-param-to-help-with-debugging.patch index 79c9da32894a..a33f56ab225d 100644 --- a/debian/patches/features/all/rt/printk-27force_early_printk-27-boot-param-to-help-with-debugging.patch +++ b/debian/patches/features/all/rt/printk-27force_early_printk-27-boot-param-to-help-with-debugging.patch @@ -1,7 +1,7 @@ Subject: printk: Add "force_early_printk" boot param to help with debugging From: Peter Zijlstra Date: Fri, 02 Sep 2011 14:41:29 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Gives me an option to screw printk and actually see what the machine says. diff --git a/debian/patches/features/all/rt/printk-kill.patch b/debian/patches/features/all/rt/printk-kill.patch index dff4953f8750..f8506a874d19 100644 --- a/debian/patches/features/all/rt/printk-kill.patch +++ b/debian/patches/features/all/rt/printk-kill.patch @@ -1,7 +1,7 @@ Subject: printk: Add a printk kill switch From: Ingo Molnar Date: Fri, 22 Jul 2011 17:58:40 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Add a prinkt-kill-switch. This is used from (NMI) watchdog to ensure that it does not dead-lock with the early printk code. diff --git a/debian/patches/features/all/rt/printk-rt-aware.patch b/debian/patches/features/all/rt/printk-rt-aware.patch index 8a872ad5c688..b149f69870d1 100644 --- a/debian/patches/features/all/rt/printk-rt-aware.patch +++ b/debian/patches/features/all/rt/printk-rt-aware.patch @@ -1,7 +1,7 @@ Subject: printk: Make rt aware From: Thomas Gleixner Date: Wed, 19 Sep 2012 14:50:37 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Drop the lock before calling the console driver and do not disable interrupts while printing to a serial console. diff --git a/debian/patches/features/all/rt/ptrace-fix-ptrace-vs-tasklist_lock-race.patch b/debian/patches/features/all/rt/ptrace-fix-ptrace-vs-tasklist_lock-race.patch index d328c6565203..0305ce905f41 100644 --- a/debian/patches/features/all/rt/ptrace-fix-ptrace-vs-tasklist_lock-race.patch +++ b/debian/patches/features/all/rt/ptrace-fix-ptrace-vs-tasklist_lock-race.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Thu, 29 Aug 2013 18:21:04 +0200 Subject: ptrace: fix ptrace vs tasklist_lock race -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz As explained by Alexander Fyodorov : diff --git a/debian/patches/features/all/rt/radix-tree-rt-aware.patch b/debian/patches/features/all/rt/radix-tree-rt-aware.patch index f61da51e626b..1418b17567c3 100644 --- a/debian/patches/features/all/rt/radix-tree-rt-aware.patch +++ b/debian/patches/features/all/rt/radix-tree-rt-aware.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sun, 17 Jul 2011 21:33:18 +0200 Subject: radix-tree: Make RT aware -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Disable radix_tree_preload() on -RT. This functions returns with preemption disabled which may cause high latencies and breaks if the diff --git a/debian/patches/features/all/rt/random-make-it-work-on-rt.patch b/debian/patches/features/all/rt/random-make-it-work-on-rt.patch index 32b0e59f7b56..91c837a06f6d 100644 --- a/debian/patches/features/all/rt/random-make-it-work-on-rt.patch +++ b/debian/patches/features/all/rt/random-make-it-work-on-rt.patch @@ -1,7 +1,7 @@ Subject: random: Make it work on rt From: Thomas Gleixner Date: Tue, 21 Aug 2012 20:38:50 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Delegate the random insertion to the forced threaded interrupt handler. Store the return IP of the hard interrupt handler in the irq diff --git a/debian/patches/features/all/rt/rcu-Eliminate-softirq-processing-from-rcutree.patch b/debian/patches/features/all/rt/rcu-Eliminate-softirq-processing-from-rcutree.patch index e16c2db4993e..d5f34f5239e9 100644 --- a/debian/patches/features/all/rt/rcu-Eliminate-softirq-processing-from-rcutree.patch +++ b/debian/patches/features/all/rt/rcu-Eliminate-softirq-processing-from-rcutree.patch @@ -1,7 +1,7 @@ From: "Paul E. McKenney" Date: Mon, 4 Nov 2013 13:21:10 -0800 Subject: rcu: Eliminate softirq processing from rcutree -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Running RCU out of softirq is a problem for some workloads that would like to manage RCU core processing independently of other softirq work, diff --git a/debian/patches/features/all/rt/rcu-disable-more-spots-of-rcu_bh.patch b/debian/patches/features/all/rt/rcu-disable-more-spots-of-rcu_bh.patch index ddf65f3c3184..d55b9c18af6d 100644 --- a/debian/patches/features/all/rt/rcu-disable-more-spots-of-rcu_bh.patch +++ b/debian/patches/features/all/rt/rcu-disable-more-spots-of-rcu_bh.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 10 Feb 2016 18:30:56 +0100 Subject: rcu: disable more spots of rcu_bh -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We don't use ru_bh on -RT but we still fork a thread for it and keep it as a flavour. No more. diff --git a/debian/patches/features/all/rt/rcu-disable-rcu-fast-no-hz-on-rt.patch b/debian/patches/features/all/rt/rcu-disable-rcu-fast-no-hz-on-rt.patch index 5c0f4c8570d3..ffa194a319c7 100644 --- a/debian/patches/features/all/rt/rcu-disable-rcu-fast-no-hz-on-rt.patch +++ b/debian/patches/features/all/rt/rcu-disable-rcu-fast-no-hz-on-rt.patch @@ -1,7 +1,7 @@ Subject: rcu: Disable RCU_FAST_NO_HZ on RT From: Thomas Gleixner Date: Sun, 28 Oct 2012 13:26:09 +0000 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz This uses a timer_list timer from the irq disabled guts of the idle code. Disable it for now to prevent wreckage. diff --git a/debian/patches/features/all/rt/rcu-make-RCU_BOOST-default-on-RT.patch b/debian/patches/features/all/rt/rcu-make-RCU_BOOST-default-on-RT.patch index 55c1ca759cda..53a13e4ab869 100644 --- a/debian/patches/features/all/rt/rcu-make-RCU_BOOST-default-on-RT.patch +++ b/debian/patches/features/all/rt/rcu-make-RCU_BOOST-default-on-RT.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 21 Mar 2014 20:19:05 +0100 Subject: rcu: make RCU_BOOST default on RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Since it is no longer invoked from the softirq people run into OOM more often if the priority of the RCU thread is too low. Making boosting diff --git a/debian/patches/features/all/rt/rcu-merge-rcu-bh-into-rcu-preempt-for-rt.patch b/debian/patches/features/all/rt/rcu-merge-rcu-bh-into-rcu-preempt-for-rt.patch index b27961993e0a..218144c428c5 100644 --- a/debian/patches/features/all/rt/rcu-merge-rcu-bh-into-rcu-preempt-for-rt.patch +++ b/debian/patches/features/all/rt/rcu-merge-rcu-bh-into-rcu-preempt-for-rt.patch @@ -1,7 +1,7 @@ Subject: rcu: Merge RCU-bh into RCU-preempt Date: Wed, 5 Oct 2011 11:59:38 -0700 From: Thomas Gleixner -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The Linux kernel has long RCU-bh read-side critical sections that intolerably increase scheduling latency under mainline's RCU-bh rules, diff --git a/debian/patches/features/all/rt/rcutorture-comment-out-rcu_bh-ops-on-PREEMPT_RT_FULL.patch b/debian/patches/features/all/rt/rcutorture-comment-out-rcu_bh-ops-on-PREEMPT_RT_FULL.patch index 671ea8abd287..ecdfb553717b 100644 --- a/debian/patches/features/all/rt/rcutorture-comment-out-rcu_bh-ops-on-PREEMPT_RT_FULL.patch +++ b/debian/patches/features/all/rt/rcutorture-comment-out-rcu_bh-ops-on-PREEMPT_RT_FULL.patch @@ -1,7 +1,7 @@ From: Clark Williams Date: Fri, 26 Feb 2016 13:19:20 -0600 Subject: rcu/torture: Comment out rcu_bh ops on PREEMPT_RT_FULL -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT has dropped support of rcu_bh, comment out in rcutorture. diff --git a/debian/patches/features/all/rt/rcutree-rcu_bh_qs-disable-irq-while-calling-rcu_pree.patch b/debian/patches/features/all/rt/rcutree-rcu_bh_qs-disable-irq-while-calling-rcu_pree.patch index 8d42c7e9903a..847dc7c3c770 100644 --- a/debian/patches/features/all/rt/rcutree-rcu_bh_qs-disable-irq-while-calling-rcu_pree.patch +++ b/debian/patches/features/all/rt/rcutree-rcu_bh_qs-disable-irq-while-calling-rcu_pree.patch @@ -1,7 +1,7 @@ From: Tiejun Chen Date: Wed, 18 Dec 2013 17:51:49 +0800 Subject: rcutree/rcu_bh_qs: Disable irq while calling rcu_preempt_qs() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Any callers to the function rcu_preempt_qs() must disable irqs in order to protect the assignment to ->rcu_read_unlock_special. In diff --git a/debian/patches/features/all/rt/re-migrate_disable-race-with-cpu-hotplug-3f.patch b/debian/patches/features/all/rt/re-migrate_disable-race-with-cpu-hotplug-3f.patch index 0c283afc29dd..3a2b9269e40a 100644 --- a/debian/patches/features/all/rt/re-migrate_disable-race-with-cpu-hotplug-3f.patch +++ b/debian/patches/features/all/rt/re-migrate_disable-race-with-cpu-hotplug-3f.patch @@ -1,7 +1,7 @@ From: Yong Zhang Date: Thu, 28 Jul 2011 11:16:00 +0800 Subject: hotplug: Reread hotplug_pcp on pin_current_cpu() retry -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When retry happens, it's likely that the task has been migrated to another cpu (except unplug failed), but it still derefernces the diff --git a/debian/patches/features/all/rt/re-preempt_rt_full-arm-coredump-fails-for-cpu-3e-3d-4.patch b/debian/patches/features/all/rt/re-preempt_rt_full-arm-coredump-fails-for-cpu-3e-3d-4.patch index dea255e39b67..4606daac3e49 100644 --- a/debian/patches/features/all/rt/re-preempt_rt_full-arm-coredump-fails-for-cpu-3e-3d-4.patch +++ b/debian/patches/features/all/rt/re-preempt_rt_full-arm-coredump-fails-for-cpu-3e-3d-4.patch @@ -1,7 +1,7 @@ Subject: ARM: Initialize split page table locks for vector page From: Frank Rowand Date: Sat, 1 Oct 2011 18:58:13 -0700 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Without this patch, ARM can not use SPLIT_PTLOCK_CPUS if PREEMPT_RT_FULL=y because vectors_user_mapping() creates a diff --git a/debian/patches/features/all/rt/relay-fix-timer-madness.patch b/debian/patches/features/all/rt/relay-fix-timer-madness.patch index b4ff608fdf28..6b23b0d4cf40 100644 --- a/debian/patches/features/all/rt/relay-fix-timer-madness.patch +++ b/debian/patches/features/all/rt/relay-fix-timer-madness.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:44:07 -0500 Subject: relay: Fix timer madness -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz remove timer calls (!!!) from deep within the tracing infrastructure. This was totally bogus code that can cause lockups and worse. Poll diff --git a/debian/patches/features/all/rt/rfc-arm-smp-__cpu_disable-fix-sleeping-function-called-from-invalid-context.patch b/debian/patches/features/all/rt/rfc-arm-smp-__cpu_disable-fix-sleeping-function-called-from-invalid-context.patch index c8c115b49b06..8e7345bb06cf 100644 --- a/debian/patches/features/all/rt/rfc-arm-smp-__cpu_disable-fix-sleeping-function-called-from-invalid-context.patch +++ b/debian/patches/features/all/rt/rfc-arm-smp-__cpu_disable-fix-sleeping-function-called-from-invalid-context.patch @@ -1,7 +1,7 @@ Subject: ARM: smp: Move clear_tasks_mm_cpumask() call to __cpu_die() From: Grygorii Strashko Date: Fri, 11 Sep 2015 21:21:23 +0300 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When running with the RT-kernel (4.1.5-rt5) on TI OMAP dra7-evm and trying to do Suspend to RAM, the following backtrace occurs: diff --git a/debian/patches/features/all/rt/rt-add-rt-locks.patch b/debian/patches/features/all/rt/rt-add-rt-locks.patch index 28b370f4f776..2e66acbf9084 100644 --- a/debian/patches/features/all/rt/rt-add-rt-locks.patch +++ b/debian/patches/features/all/rt/rt-add-rt-locks.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sun, 26 Jul 2009 19:39:56 +0200 Subject: rt: Add the preempt-rt lock replacement APIs -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Map spinlocks, rwlocks, rw_semaphores and semaphores to the rt_mutex based locking functions for preempt-rt. diff --git a/debian/patches/features/all/rt/rt-introduce-cpu-chill.patch b/debian/patches/features/all/rt/rt-introduce-cpu-chill.patch index 6708c5d764ea..8cbf28c5bcad 100644 --- a/debian/patches/features/all/rt/rt-introduce-cpu-chill.patch +++ b/debian/patches/features/all/rt/rt-introduce-cpu-chill.patch @@ -1,7 +1,7 @@ Subject: rt: Introduce cpu_chill() From: Thomas Gleixner Date: Wed, 07 Mar 2012 20:51:03 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Retry loops on RT might loop forever when the modifying side was preempted. Add cpu_chill() to replace cpu_relax(). cpu_chill() diff --git a/debian/patches/features/all/rt/rt-local-irq-lock.patch b/debian/patches/features/all/rt/rt-local-irq-lock.patch index 8a1d0fb189d7..6ba7dff6937a 100644 --- a/debian/patches/features/all/rt/rt-local-irq-lock.patch +++ b/debian/patches/features/all/rt/rt-local-irq-lock.patch @@ -1,7 +1,7 @@ Subject: rt: Add local irq locks From: Thomas Gleixner Date: Mon, 20 Jun 2011 09:03:47 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Introduce locallock. For !RT this maps to preempt_disable()/ local_irq_disable() so there is not much that changes. For RT this will diff --git a/debian/patches/features/all/rt/rt-locking-Reenable-migration-accross-schedule.patch b/debian/patches/features/all/rt/rt-locking-Reenable-migration-accross-schedule.patch index 7e87d6be6d70..461b06248555 100644 --- a/debian/patches/features/all/rt/rt-locking-Reenable-migration-accross-schedule.patch +++ b/debian/patches/features/all/rt/rt-locking-Reenable-migration-accross-schedule.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Mon, 8 Feb 2016 16:15:28 +0100 Subject: rt/locking: Reenable migration accross schedule -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We currently disable migration across lock acquisition. That includes the part where we block on the lock and schedule out. We cannot disable migration after diff --git a/debian/patches/features/all/rt/rt-preempt-base-config.patch b/debian/patches/features/all/rt/rt-preempt-base-config.patch index 2bb67dcc9e00..f480b28a1d19 100644 --- a/debian/patches/features/all/rt/rt-preempt-base-config.patch +++ b/debian/patches/features/all/rt/rt-preempt-base-config.patch @@ -1,7 +1,7 @@ Subject: rt: Provide PREEMPT_RT_BASE config switch From: Thomas Gleixner Date: Fri, 17 Jun 2011 12:39:57 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Introduce PREEMPT_RT_BASE which enables parts of PREEMPT_RT_FULL. Forces interrupt threading and enables some of the RT diff --git a/debian/patches/features/all/rt/rt-serial-warn-fix.patch b/debian/patches/features/all/rt/rt-serial-warn-fix.patch index c4b90a3b3c02..8ff5e61dc5f6 100644 --- a/debian/patches/features/all/rt/rt-serial-warn-fix.patch +++ b/debian/patches/features/all/rt/rt-serial-warn-fix.patch @@ -1,7 +1,7 @@ Subject: rt: Improve the serial console PASS_LIMIT From: Ingo Molnar Date: Wed Dec 14 13:05:54 CET 2011 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Beyond the warning: diff --git a/debian/patches/features/all/rt/rtmutex--Handle-non-enqueued-waiters-gracefully.patch b/debian/patches/features/all/rt/rtmutex--Handle-non-enqueued-waiters-gracefully.patch index 366ea7f05076..648c2c1625d8 100644 --- a/debian/patches/features/all/rt/rtmutex--Handle-non-enqueued-waiters-gracefully.patch +++ b/debian/patches/features/all/rt/rtmutex--Handle-non-enqueued-waiters-gracefully.patch @@ -1,7 +1,7 @@ Subject: rtmutex: Handle non enqueued waiters gracefully From: Thomas Gleixner Date: Fri, 06 Nov 2015 18:51:03 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Yimin debugged that in case of a PI wakeup in progress when rt_mutex_start_proxy_lock() calls task_blocks_on_rt_mutex() the latter diff --git a/debian/patches/features/all/rt/rtmutex-Use-chainwalking-control-enum.patch b/debian/patches/features/all/rt/rtmutex-Use-chainwalking-control-enum.patch index 11b3e35b1580..7ce43cfe57f4 100644 --- a/debian/patches/features/all/rt/rtmutex-Use-chainwalking-control-enum.patch +++ b/debian/patches/features/all/rt/rtmutex-Use-chainwalking-control-enum.patch @@ -1,7 +1,7 @@ From: "bmouring@ni.com" Date: Tue, 15 Dec 2015 17:07:30 -0600 Subject: rtmutex: Use chainwalking control enum -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz In 8930ed80 (rtmutex: Cleanup deadlock detector debug logic), chainwalking control enums were introduced to limit the deadlock diff --git a/debian/patches/features/all/rt/rtmutex-add-a-first-shot-of-ww_mutex.patch b/debian/patches/features/all/rt/rtmutex-add-a-first-shot-of-ww_mutex.patch index 8eb9bc1f0fe5..32736b62df16 100644 --- a/debian/patches/features/all/rt/rtmutex-add-a-first-shot-of-ww_mutex.patch +++ b/debian/patches/features/all/rt/rtmutex-add-a-first-shot-of-ww_mutex.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Mon, 28 Oct 2013 09:36:37 +0100 Subject: rtmutex: Add RT aware ww locks -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz lockdep says: | -------------------------------------------------------------------------- diff --git a/debian/patches/features/all/rt/rtmutex-avoid-include-hell.patch b/debian/patches/features/all/rt/rtmutex-avoid-include-hell.patch index 5639c8f9c524..37b147c2d584 100644 --- a/debian/patches/features/all/rt/rtmutex-avoid-include-hell.patch +++ b/debian/patches/features/all/rt/rtmutex-avoid-include-hell.patch @@ -1,7 +1,7 @@ Subject: rtmutex: Avoid include hell From: Thomas Gleixner Date: Wed, 29 Jun 2011 20:06:39 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Include only the required raw types. This avoids pulling in the complete spinlock header which in turn requires rtmutex.h at some point. diff --git a/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch b/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch index 0a040def8360..9a124f51c935 100644 --- a/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch +++ b/debian/patches/features/all/rt/rtmutex-futex-prepare-rt.patch @@ -1,7 +1,7 @@ Subject: rtmutex: Handle the various new futex race conditions From: Thomas Gleixner Date: Fri, 10 Jun 2011 11:04:15 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT opens a few new interesting race conditions in the rtmutex/futex combo due to futex hash bucket lock being a 'sleeping' spinlock and diff --git a/debian/patches/features/all/rt/rtmutex-lock-killable.patch b/debian/patches/features/all/rt/rtmutex-lock-killable.patch index 435761ce6316..dcf4e95396a7 100644 --- a/debian/patches/features/all/rt/rtmutex-lock-killable.patch +++ b/debian/patches/features/all/rt/rtmutex-lock-killable.patch @@ -1,7 +1,7 @@ Subject: rtmutex: Add rtmutex_lock_killable() From: Thomas Gleixner Date: Thu, 09 Jun 2011 11:43:52 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Add "killable" type to rtmutex. We need this since rtmutex are used as "normal" mutexes which do use this type. diff --git a/debian/patches/features/all/rt/rtmutex-push-down-migrate_disable-into-rt_spin_lock.patch b/debian/patches/features/all/rt/rtmutex-push-down-migrate_disable-into-rt_spin_lock.patch index 314f861df329..8aa01f209c71 100644 --- a/debian/patches/features/all/rt/rtmutex-push-down-migrate_disable-into-rt_spin_lock.patch +++ b/debian/patches/features/all/rt/rtmutex-push-down-migrate_disable-into-rt_spin_lock.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 5 Feb 2016 18:26:11 +0100 Subject: rtmutex: push down migrate_disable() into rt_spin_lock() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz No point in having the migrate disable/enable invocations in all the macro/inlines. That's just more code for no win as we do a function diff --git a/debian/patches/features/all/rt/rtmutex-trylock-is-okay-on-RT.patch b/debian/patches/features/all/rt/rtmutex-trylock-is-okay-on-RT.patch index 43312175856e..76e3507056be 100644 --- a/debian/patches/features/all/rt/rtmutex-trylock-is-okay-on-RT.patch +++ b/debian/patches/features/all/rt/rtmutex-trylock-is-okay-on-RT.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed 02 Dec 2015 11:34:07 +0100 Subject: rtmutex: trylock is okay on -RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz non-RT kernel could deadlock on rt_mutex_trylock() in softirq context. On -RT we don't run softirqs in IRQ context but in thread context so it is diff --git a/debian/patches/features/all/rt/rtmutex_dont_include_rcu.patch b/debian/patches/features/all/rt/rtmutex_dont_include_rcu.patch index f6e016a99db0..419c7886c5cf 100644 --- a/debian/patches/features/all/rt/rtmutex_dont_include_rcu.patch +++ b/debian/patches/features/all/rt/rtmutex_dont_include_rcu.patch @@ -1,6 +1,6 @@ From: Sebastian Andrzej Siewior Subject: rbtree: don't include the rcu header -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The RCU header pulls in spinlock.h and fails due not yet defined types: diff --git a/debian/patches/features/all/rt/sas-ata-isci-dont-t-disable-interrupts-in-qc_issue-h.patch b/debian/patches/features/all/rt/sas-ata-isci-dont-t-disable-interrupts-in-qc_issue-h.patch index d255738a4f46..07e8edc8a228 100644 --- a/debian/patches/features/all/rt/sas-ata-isci-dont-t-disable-interrupts-in-qc_issue-h.patch +++ b/debian/patches/features/all/rt/sas-ata-isci-dont-t-disable-interrupts-in-qc_issue-h.patch @@ -1,7 +1,7 @@ From: Paul Gortmaker Date: Sat, 14 Feb 2015 11:01:16 -0500 Subject: sas-ata/isci: dont't disable interrupts in qc_issue handler -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On 3.14-rt we see the following trace on Canoe Pass for SCSI_ISCI "Intel(R) C600 Series Chipset SAS Controller" diff --git a/debian/patches/features/all/rt/sc16is7xx_Drop_bogus_use_of_IRQF_ONESHOT.patch b/debian/patches/features/all/rt/sc16is7xx_Drop_bogus_use_of_IRQF_ONESHOT.patch index 1f0bdd3cbbc6..dbb364396fce 100644 --- a/debian/patches/features/all/rt/sc16is7xx_Drop_bogus_use_of_IRQF_ONESHOT.patch +++ b/debian/patches/features/all/rt/sc16is7xx_Drop_bogus_use_of_IRQF_ONESHOT.patch @@ -1,7 +1,7 @@ Subject: sc16is7xx: Drop bogus use of IRQF_ONESHOT From: Josh Cartwright Date: Thu, 18 Feb 2016 11:26:12 -0600 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The use of IRQF_ONESHOT when registering an interrupt handler with request_irq() is non-sensical. diff --git a/debian/patches/features/all/rt/sched-deadline-dl_task_timer-has-to-be-irqsafe.patch b/debian/patches/features/all/rt/sched-deadline-dl_task_timer-has-to-be-irqsafe.patch index 9c59f660f4f2..7cbd396d284c 100644 --- a/debian/patches/features/all/rt/sched-deadline-dl_task_timer-has-to-be-irqsafe.patch +++ b/debian/patches/features/all/rt/sched-deadline-dl_task_timer-has-to-be-irqsafe.patch @@ -1,7 +1,7 @@ From: Juri Lelli Date: Tue, 13 May 2014 15:30:20 +0200 Subject: sched/deadline: dl_task_timer has to be irqsafe -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz As for rt_period_timer, dl_task_timer has to be irqsafe. diff --git a/debian/patches/features/all/rt/sched-delay-put-task.patch b/debian/patches/features/all/rt/sched-delay-put-task.patch index bee19e3e7ec0..44f22fcca70d 100644 --- a/debian/patches/features/all/rt/sched-delay-put-task.patch +++ b/debian/patches/features/all/rt/sched-delay-put-task.patch @@ -1,7 +1,7 @@ Subject: sched: Move task_struct cleanup to RCU From: Thomas Gleixner Date: Tue, 31 May 2011 16:59:16 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz __put_task_struct() does quite some expensive work. We don't want to burden random tasks with that. diff --git a/debian/patches/features/all/rt/sched-disable-rt-group-sched-on-rt.patch b/debian/patches/features/all/rt/sched-disable-rt-group-sched-on-rt.patch index 697cc8e48415..2a96598b05a1 100644 --- a/debian/patches/features/all/rt/sched-disable-rt-group-sched-on-rt.patch +++ b/debian/patches/features/all/rt/sched-disable-rt-group-sched-on-rt.patch @@ -1,7 +1,7 @@ Subject: sched: Disable CONFIG_RT_GROUP_SCHED on RT From: Thomas Gleixner Date: Mon, 18 Jul 2011 17:03:52 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Carsten reported problems when running: diff --git a/debian/patches/features/all/rt/sched-disable-ttwu-queue.patch b/debian/patches/features/all/rt/sched-disable-ttwu-queue.patch index 693072a575ba..842f594b34ad 100644 --- a/debian/patches/features/all/rt/sched-disable-ttwu-queue.patch +++ b/debian/patches/features/all/rt/sched-disable-ttwu-queue.patch @@ -1,7 +1,7 @@ Subject: sched: Disable TTWU_QUEUE on RT From: Thomas Gleixner Date: Tue, 13 Sep 2011 16:42:35 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The queued remote wakeup mechanism can introduce rather large latencies if the number of migrated tasks is high. Disable it for RT. diff --git a/debian/patches/features/all/rt/sched-limit-nr-migrate.patch b/debian/patches/features/all/rt/sched-limit-nr-migrate.patch index 903069bd8bea..ffb876ce8305 100644 --- a/debian/patches/features/all/rt/sched-limit-nr-migrate.patch +++ b/debian/patches/features/all/rt/sched-limit-nr-migrate.patch @@ -1,7 +1,7 @@ Subject: sched: Limit the number of task migrations per batch From: Thomas Gleixner Date: Mon, 06 Jun 2011 12:12:51 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Put an upper limit on the number of tasks which are migrated per batch to avoid large latencies. diff --git a/debian/patches/features/all/rt/sched-might-sleep-do-not-account-rcu-depth.patch b/debian/patches/features/all/rt/sched-might-sleep-do-not-account-rcu-depth.patch index 3602d3fefe83..6d761ff0f6e1 100644 --- a/debian/patches/features/all/rt/sched-might-sleep-do-not-account-rcu-depth.patch +++ b/debian/patches/features/all/rt/sched-might-sleep-do-not-account-rcu-depth.patch @@ -1,7 +1,7 @@ Subject: sched: Do not account rcu_preempt_depth on RT in might_sleep() From: Thomas Gleixner Date: Tue, 07 Jun 2011 09:19:06 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT changes the rcu_preempt_depth semantics, so we cannot check for it in might_sleep(). diff --git a/debian/patches/features/all/rt/sched-mmdrop-delayed.patch b/debian/patches/features/all/rt/sched-mmdrop-delayed.patch index 53c6b42743ed..1db54a7ab2ad 100644 --- a/debian/patches/features/all/rt/sched-mmdrop-delayed.patch +++ b/debian/patches/features/all/rt/sched-mmdrop-delayed.patch @@ -1,7 +1,7 @@ Subject: sched: Move mmdrop to RCU on RT From: Thomas Gleixner Date: Mon, 06 Jun 2011 12:20:33 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Takes sleeping locks and calls into the memory allocator, so nothing we want to do in task switch and oder atomic contexts. diff --git a/debian/patches/features/all/rt/sched-preempt-Fix-preempt_count-manipulations.patch b/debian/patches/features/all/rt/sched-preempt-Fix-preempt_count-manipulations.patch index 434063bc3754..608c69436098 100644 --- a/debian/patches/features/all/rt/sched-preempt-Fix-preempt_count-manipulations.patch +++ b/debian/patches/features/all/rt/sched-preempt-Fix-preempt_count-manipulations.patch @@ -1,7 +1,7 @@ From: Peter Zijlstra Date: Mon, 16 May 2016 15:01:11 +0200 Subject: [PATCH] sched,preempt: Fix preempt_count manipulations -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Vikram reported that his ARM64 compiler managed to 'optimize' away the preempt_count manipulations in code like: diff --git a/debian/patches/features/all/rt/sched-provide-a-tsk_nr_cpus_allowed-helper.patch b/debian/patches/features/all/rt/sched-provide-a-tsk_nr_cpus_allowed-helper.patch index 2db86992af4c..c59bc15a9f44 100644 --- a/debian/patches/features/all/rt/sched-provide-a-tsk_nr_cpus_allowed-helper.patch +++ b/debian/patches/features/all/rt/sched-provide-a-tsk_nr_cpus_allowed-helper.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Mon, 18 Jan 2016 17:21:59 +0100 Subject: sched: provide a tsk_nr_cpus_allowed() helper -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz tsk_nr_cpus_allowed() is an accessor for task->nr_cpus_allowed which allows us to change the representation of ->nr_cpus_allowed if required. diff --git a/debian/patches/features/all/rt/sched-rt-mutex-wakeup.patch b/debian/patches/features/all/rt/sched-rt-mutex-wakeup.patch index e15b0cca277e..43054ede3c71 100644 --- a/debian/patches/features/all/rt/sched-rt-mutex-wakeup.patch +++ b/debian/patches/features/all/rt/sched-rt-mutex-wakeup.patch @@ -1,7 +1,7 @@ Subject: sched: Add saved_state for tasks blocked on sleeping locks From: Thomas Gleixner Date: Sat, 25 Jun 2011 09:21:04 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Spinlocks are state preserving in !RT. RT changes the state when a task gets blocked on a lock. So we need to remember the state before diff --git a/debian/patches/features/all/rt/sched-ttwu-ensure-success-return-is-correct.patch b/debian/patches/features/all/rt/sched-ttwu-ensure-success-return-is-correct.patch index 5b02413ed777..49df8e1876da 100644 --- a/debian/patches/features/all/rt/sched-ttwu-ensure-success-return-is-correct.patch +++ b/debian/patches/features/all/rt/sched-ttwu-ensure-success-return-is-correct.patch @@ -1,7 +1,7 @@ Subject: sched: ttwu: Return success when only changing the saved_state value From: Thomas Gleixner Date: Tue, 13 Dec 2011 21:42:19 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When a task blocks on a rt lock, it saves the current state in p->saved_state, so a lock related wake up will not destroy the diff --git a/debian/patches/features/all/rt/sched-use-tsk_cpus_allowed-instead-of-accessing-cpus.patch b/debian/patches/features/all/rt/sched-use-tsk_cpus_allowed-instead-of-accessing-cpus.patch index 37b65a941525..cd65b9287818 100644 --- a/debian/patches/features/all/rt/sched-use-tsk_cpus_allowed-instead-of-accessing-cpus.patch +++ b/debian/patches/features/all/rt/sched-use-tsk_cpus_allowed-instead-of-accessing-cpus.patch @@ -2,7 +2,7 @@ From: Thomas Gleixner Date: Mon, 18 Jan 2016 17:10:39 +0100 Subject: sched: use tsk_cpus_allowed() instead of accessing ->cpus_allowed -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the future-safe accessor for struct task_struct's. diff --git a/debian/patches/features/all/rt/sched-workqueue-Only-wake-up-idle-workers-if-not-blo.patch b/debian/patches/features/all/rt/sched-workqueue-Only-wake-up-idle-workers-if-not-blo.patch index 0b556e8b57cc..38ed6bd57e3e 100644 --- a/debian/patches/features/all/rt/sched-workqueue-Only-wake-up-idle-workers-if-not-blo.patch +++ b/debian/patches/features/all/rt/sched-workqueue-Only-wake-up-idle-workers-if-not-blo.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Mon, 18 Mar 2013 15:12:49 -0400 Subject: sched/workqueue: Only wake up idle workers if not blocked on sleeping spin lock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz In -rt, most spin_locks() turn into mutexes. One of these spin_lock conversions is performed on the workqueue gcwq->lock. When the idle diff --git a/debian/patches/features/all/rt/scsi-fcoe-rt-aware.patch b/debian/patches/features/all/rt/scsi-fcoe-rt-aware.patch index a13618052862..7402b7a96fff 100644 --- a/debian/patches/features/all/rt/scsi-fcoe-rt-aware.patch +++ b/debian/patches/features/all/rt/scsi-fcoe-rt-aware.patch @@ -1,7 +1,7 @@ Subject: scsi/fcoe: Make RT aware. From: Thomas Gleixner Date: Sat, 12 Nov 2011 14:00:48 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Do not disable preemption while taking sleeping locks. All user look safe for migrate_diable() only. diff --git a/debian/patches/features/all/rt/scsi-qla2xxx-fix-bug-sleeping-function-called-from-invalid-context.patch b/debian/patches/features/all/rt/scsi-qla2xxx-fix-bug-sleeping-function-called-from-invalid-context.patch index 3dd5a5771f5a..20c9ff5a1683 100644 --- a/debian/patches/features/all/rt/scsi-qla2xxx-fix-bug-sleeping-function-called-from-invalid-context.patch +++ b/debian/patches/features/all/rt/scsi-qla2xxx-fix-bug-sleeping-function-called-from-invalid-context.patch @@ -1,7 +1,7 @@ Subject: scsi: qla2xxx: Use local_irq_save_nort() in qla2x00_poll From: John Kacur Date: Fri, 27 Apr 2012 12:48:46 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz RT triggers the following: diff --git a/debian/patches/features/all/rt/seqlock-prevent-rt-starvation.patch b/debian/patches/features/all/rt/seqlock-prevent-rt-starvation.patch index c95eb4bc5aa8..2e9f6019454a 100644 --- a/debian/patches/features/all/rt/seqlock-prevent-rt-starvation.patch +++ b/debian/patches/features/all/rt/seqlock-prevent-rt-starvation.patch @@ -1,7 +1,7 @@ Subject: seqlock: Prevent rt starvation From: Thomas Gleixner Date: Wed, 22 Feb 2012 12:03:30 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If a low prio writer gets preempted while holding the seqlock write locked, a high prio reader spins forever on RT. diff --git a/debian/patches/features/all/rt/signal-fix-up-rcu-wreckage.patch b/debian/patches/features/all/rt/signal-fix-up-rcu-wreckage.patch index 9d69068fd2c2..d37806659cd6 100644 --- a/debian/patches/features/all/rt/signal-fix-up-rcu-wreckage.patch +++ b/debian/patches/features/all/rt/signal-fix-up-rcu-wreckage.patch @@ -1,7 +1,7 @@ Subject: signal: Make __lock_task_sighand() RT aware From: Thomas Gleixner Date: Fri, 22 Jul 2011 08:07:08 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz local_irq_save() + spin_lock(&sighand->siglock) does not work on -RT. Use the nort variants. diff --git a/debian/patches/features/all/rt/signal-revert-ptrace-preempt-magic.patch b/debian/patches/features/all/rt/signal-revert-ptrace-preempt-magic.patch index 3da4be8a0ec6..b7cf8aa067f7 100644 --- a/debian/patches/features/all/rt/signal-revert-ptrace-preempt-magic.patch +++ b/debian/patches/features/all/rt/signal-revert-ptrace-preempt-magic.patch @@ -1,7 +1,7 @@ Subject: signal: Revert ptrace preempt magic From: Thomas Gleixner Date: Wed, 21 Sep 2011 19:57:12 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Upstream commit '53da1d9456fe7f8 fix ptrace slowness' is nothing more than a bandaid around the ptrace design trainwreck. It's not a diff --git a/debian/patches/features/all/rt/signals-allow-rt-tasks-to-cache-one-sigqueue-struct.patch b/debian/patches/features/all/rt/signals-allow-rt-tasks-to-cache-one-sigqueue-struct.patch index a8a583433536..3a05125c531b 100644 --- a/debian/patches/features/all/rt/signals-allow-rt-tasks-to-cache-one-sigqueue-struct.patch +++ b/debian/patches/features/all/rt/signals-allow-rt-tasks-to-cache-one-sigqueue-struct.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Fri, 3 Jul 2009 08:44:56 -0500 Subject: signals: Allow rt tasks to cache one sigqueue struct -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz To avoid allocation allow rt tasks to cache one sigqueue struct in task struct. diff --git a/debian/patches/features/all/rt/skbufhead-raw-lock.patch b/debian/patches/features/all/rt/skbufhead-raw-lock.patch index 783f3f02288a..d10574f59ae7 100644 --- a/debian/patches/features/all/rt/skbufhead-raw-lock.patch +++ b/debian/patches/features/all/rt/skbufhead-raw-lock.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 12 Jul 2011 15:38:34 +0200 Subject: net: Use skbufhead with raw lock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the rps lock as rawlock so we can keep irq-off regions. It looks low latency. However we can't kfree() from this context therefore we defer this diff --git a/debian/patches/features/all/rt/slub-disable-SLUB_CPU_PARTIAL.patch b/debian/patches/features/all/rt/slub-disable-SLUB_CPU_PARTIAL.patch index e24f71eb0b91..304eee312ab3 100644 --- a/debian/patches/features/all/rt/slub-disable-SLUB_CPU_PARTIAL.patch +++ b/debian/patches/features/all/rt/slub-disable-SLUB_CPU_PARTIAL.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 15 Apr 2015 19:00:47 +0200 Subject: slub: Disable SLUB_CPU_PARTIAL -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz |BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:915 |in_atomic(): 1, irqs_disabled(): 0, pid: 87, name: rcuop/7 diff --git a/debian/patches/features/all/rt/slub-enable-irqs-for-no-wait.patch b/debian/patches/features/all/rt/slub-enable-irqs-for-no-wait.patch index 998ed475732d..2251ddf254e3 100644 --- a/debian/patches/features/all/rt/slub-enable-irqs-for-no-wait.patch +++ b/debian/patches/features/all/rt/slub-enable-irqs-for-no-wait.patch @@ -1,7 +1,7 @@ Subject: slub: Enable irqs for __GFP_WAIT From: Thomas Gleixner Date: Wed, 09 Jan 2013 12:08:15 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz SYSTEM_RUNNING might be too late for enabling interrupts. Allocations with GFP_WAIT can happen before that. So use this as an indicator. diff --git a/debian/patches/features/all/rt/snd-pcm-fix-snd_pcm_stream_lock-irqs_disabled-splats.patch b/debian/patches/features/all/rt/snd-pcm-fix-snd_pcm_stream_lock-irqs_disabled-splats.patch index 56d00d1adda6..25fcd21fd632 100644 --- a/debian/patches/features/all/rt/snd-pcm-fix-snd_pcm_stream_lock-irqs_disabled-splats.patch +++ b/debian/patches/features/all/rt/snd-pcm-fix-snd_pcm_stream_lock-irqs_disabled-splats.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Wed, 18 Feb 2015 15:09:23 +0100 Subject: snd/pcm: fix snd_pcm_stream_lock*() irqs_disabled() splats -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Locking functions previously using read_lock_irq()/read_lock_irqsave() were changed to local_irq_disable/save(), leading to gripes. Use nort variants. diff --git a/debian/patches/features/all/rt/softirq-disable-softirq-stacks-for-rt.patch b/debian/patches/features/all/rt/softirq-disable-softirq-stacks-for-rt.patch index d3c618c896f1..1a61f55837f1 100644 --- a/debian/patches/features/all/rt/softirq-disable-softirq-stacks-for-rt.patch +++ b/debian/patches/features/all/rt/softirq-disable-softirq-stacks-for-rt.patch @@ -1,7 +1,7 @@ Subject: softirq: Disable softirq stacks for RT From: Thomas Gleixner Date: Mon, 18 Jul 2011 13:59:17 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Disable extra stacks for softirqs. We want to preempt softirqs and having them on special IRQ-stack does not make this easier. diff --git a/debian/patches/features/all/rt/softirq-preempt-fix-3-re.patch b/debian/patches/features/all/rt/softirq-preempt-fix-3-re.patch index 302ce451c18a..b1373eed17f1 100644 --- a/debian/patches/features/all/rt/softirq-preempt-fix-3-re.patch +++ b/debian/patches/features/all/rt/softirq-preempt-fix-3-re.patch @@ -1,7 +1,7 @@ Subject: softirq: Check preemption after reenabling interrupts From: Thomas Gleixner Date: Sun, 13 Nov 2011 17:17:09 +0100 (CET) -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz raise_softirq_irqoff() disables interrupts and wakes the softirq daemon, but after reenabling interrupts there is no preemption check, diff --git a/debian/patches/features/all/rt/softirq-split-locks.patch b/debian/patches/features/all/rt/softirq-split-locks.patch index 803ff4f866d9..c6a9374f9dd7 100644 --- a/debian/patches/features/all/rt/softirq-split-locks.patch +++ b/debian/patches/features/all/rt/softirq-split-locks.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Thu, 04 Oct 2012 14:20:47 +0100 Subject: softirq: Split softirq locks -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The 3.x RT series removed the split softirq implementation in favour of pushing softirq processing into the context of the thread which diff --git a/debian/patches/features/all/rt/softirq-split-timer-softirqs-out-of-ksoftirqd.patch b/debian/patches/features/all/rt/softirq-split-timer-softirqs-out-of-ksoftirqd.patch index 16e790f31279..8a956062bc07 100644 --- a/debian/patches/features/all/rt/softirq-split-timer-softirqs-out-of-ksoftirqd.patch +++ b/debian/patches/features/all/rt/softirq-split-timer-softirqs-out-of-ksoftirqd.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 20 Jan 2016 16:34:17 +0100 Subject: softirq: split timer softirqs out of ksoftirqd -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The softirqd runs in -RT with SCHED_FIFO (prio 1) and deals mostly with timer wakeup which can not happen in hardirq context. The prio has been diff --git a/debian/patches/features/all/rt/sparc64-use-generic-rwsem-spinlocks-rt.patch b/debian/patches/features/all/rt/sparc64-use-generic-rwsem-spinlocks-rt.patch index c094fc7ffebf..76f0b5a4d30f 100644 --- a/debian/patches/features/all/rt/sparc64-use-generic-rwsem-spinlocks-rt.patch +++ b/debian/patches/features/all/rt/sparc64-use-generic-rwsem-spinlocks-rt.patch @@ -1,7 +1,7 @@ From: Allen Pais Date: Fri, 13 Dec 2013 09:44:41 +0530 Subject: sparc64: use generic rwsem spinlocks rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Signed-off-by: Allen Pais Signed-off-by: Sebastian Andrzej Siewior diff --git a/debian/patches/features/all/rt/spinlock-types-separate-raw.patch b/debian/patches/features/all/rt/spinlock-types-separate-raw.patch index 96bcbc5229ca..b9b3380943dd 100644 --- a/debian/patches/features/all/rt/spinlock-types-separate-raw.patch +++ b/debian/patches/features/all/rt/spinlock-types-separate-raw.patch @@ -1,7 +1,7 @@ Subject: spinlock: Split the lock types header From: Thomas Gleixner Date: Wed, 29 Jun 2011 19:34:01 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Split raw_spinlock into its own file and the remaining spinlock_t into its own non-RT header. The non-RT header will be replaced later by sleeping diff --git a/debian/patches/features/all/rt/stomp-machine-create-lg_global_trylock_relax-primiti.patch b/debian/patches/features/all/rt/stomp-machine-create-lg_global_trylock_relax-primiti.patch index 3a6aac6b2f5a..a7d7b5b446b9 100644 --- a/debian/patches/features/all/rt/stomp-machine-create-lg_global_trylock_relax-primiti.patch +++ b/debian/patches/features/all/rt/stomp-machine-create-lg_global_trylock_relax-primiti.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Fri, 2 May 2014 13:13:22 +0200 Subject: stomp-machine: create lg_global_trylock_relax() primitive -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Create lg_global_trylock_relax() for use by stopper thread when it cannot schedule, to deal with stop_cpus_lock, which is now an lglock. diff --git a/debian/patches/features/all/rt/stomp-machine-use-lg_global_trylock_relax-to-dead-wi.patch b/debian/patches/features/all/rt/stomp-machine-use-lg_global_trylock_relax-to-dead-wi.patch index 28c5379bb343..45135220dfbc 100644 --- a/debian/patches/features/all/rt/stomp-machine-use-lg_global_trylock_relax-to-dead-wi.patch +++ b/debian/patches/features/all/rt/stomp-machine-use-lg_global_trylock_relax-to-dead-wi.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Fri, 2 May 2014 13:13:34 +0200 Subject: stomp-machine: use lg_global_trylock_relax() to dead with stop_cpus_lock lglock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If the stop machinery is called from inactive CPU we cannot use lg_global_lock(), because some other stomp machine invocation might be diff --git a/debian/patches/features/all/rt/stop-machine-raw-lock.patch b/debian/patches/features/all/rt/stop-machine-raw-lock.patch index 0ced95963a53..90440ed2eb0c 100644 --- a/debian/patches/features/all/rt/stop-machine-raw-lock.patch +++ b/debian/patches/features/all/rt/stop-machine-raw-lock.patch @@ -1,7 +1,7 @@ Subject: stop_machine: Use raw spinlocks From: Thomas Gleixner Date: Wed, 29 Jun 2011 11:01:51 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use raw-locks in stomp_machine() to allow locking in irq-off regions. diff --git a/debian/patches/features/all/rt/stop_machine-convert-stop_machine_run-to-PREEMPT_RT.patch b/debian/patches/features/all/rt/stop_machine-convert-stop_machine_run-to-PREEMPT_RT.patch index c9131764f57b..92c5cd0dd3e0 100644 --- a/debian/patches/features/all/rt/stop_machine-convert-stop_machine_run-to-PREEMPT_RT.patch +++ b/debian/patches/features/all/rt/stop_machine-convert-stop_machine_run-to-PREEMPT_RT.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:30:27 -0500 Subject: stop_machine: convert stop_machine_run() to PREEMPT_RT -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Instead of playing with non-preemption, introduce explicit startup serialization. This is more robust and cleaner as diff --git a/debian/patches/features/all/rt/sunrpc-make-svc_xprt_do_enqueue-use-get_cpu_light.patch b/debian/patches/features/all/rt/sunrpc-make-svc_xprt_do_enqueue-use-get_cpu_light.patch index daaf6c175af8..30d27f46f981 100644 --- a/debian/patches/features/all/rt/sunrpc-make-svc_xprt_do_enqueue-use-get_cpu_light.patch +++ b/debian/patches/features/all/rt/sunrpc-make-svc_xprt_do_enqueue-use-get_cpu_light.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Wed, 18 Feb 2015 16:05:28 +0100 Subject: sunrpc: Make svc_xprt_do_enqueue() use get_cpu_light() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz |BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:915 |in_atomic(): 1, irqs_disabled(): 0, pid: 3194, name: rpc.nfsd diff --git a/debian/patches/features/all/rt/suspend-prevernt-might-sleep-splats.patch b/debian/patches/features/all/rt/suspend-prevernt-might-sleep-splats.patch index 361d44d4d76d..0908e68fd5b8 100644 --- a/debian/patches/features/all/rt/suspend-prevernt-might-sleep-splats.patch +++ b/debian/patches/features/all/rt/suspend-prevernt-might-sleep-splats.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Thu, 15 Jul 2010 10:29:00 +0200 Subject: suspend: Prevent might sleep splats -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz timekeeping suspend/resume calls read_persistant_clock() which takes rtc_lock. That results in might sleep warnings because at that point diff --git a/debian/patches/features/all/rt/sysfs-realtime-entry.patch b/debian/patches/features/all/rt/sysfs-realtime-entry.patch index a6bb1a634a5d..7a061baa681d 100644 --- a/debian/patches/features/all/rt/sysfs-realtime-entry.patch +++ b/debian/patches/features/all/rt/sysfs-realtime-entry.patch @@ -1,7 +1,7 @@ Subject: sysfs: Add /sys/kernel/realtime entry From: Clark Williams Date: Sat Jul 30 21:55:53 2011 -0500 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Add a /sys/kernel entry to indicate that the kernel is a realtime kernel. diff --git a/debian/patches/features/all/rt/tasklet-rt-prevent-tasklets-from-going-into-infinite-spin-in-rt.patch b/debian/patches/features/all/rt/tasklet-rt-prevent-tasklets-from-going-into-infinite-spin-in-rt.patch index 056faa01ccf0..7bfb528c5c58 100644 --- a/debian/patches/features/all/rt/tasklet-rt-prevent-tasklets-from-going-into-infinite-spin-in-rt.patch +++ b/debian/patches/features/all/rt/tasklet-rt-prevent-tasklets-from-going-into-infinite-spin-in-rt.patch @@ -1,7 +1,7 @@ Subject: tasklet: Prevent tasklets from going into infinite spin in RT From: Ingo Molnar Date: Tue Nov 29 20:18:22 2011 -0500 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When CONFIG_PREEMPT_RT_FULL is enabled, tasklets run as threads, and spinlocks turn are mutexes. But this can cause issues with diff --git a/debian/patches/features/all/rt/thermal-Defer-thermal-wakups-to-threads.patch b/debian/patches/features/all/rt/thermal-Defer-thermal-wakups-to-threads.patch index e1b215a220db..435f6403424d 100644 --- a/debian/patches/features/all/rt/thermal-Defer-thermal-wakups-to-threads.patch +++ b/debian/patches/features/all/rt/thermal-Defer-thermal-wakups-to-threads.patch @@ -1,7 +1,7 @@ From: Daniel Wagner Date: Tue, 17 Feb 2015 09:37:44 +0100 Subject: thermal: Defer thermal wakups to threads -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On RT the spin lock in pkg_temp_thermal_platfrom_thermal_notify will call schedule while we run in irq context. @@ -33,7 +33,7 @@ Signed-off-by: Sebastian Andrzej Siewior #include #include #include -+#include ++#include #include #include diff --git a/debian/patches/features/all/rt/tick-broadcast--Make-hrtimer-irqsafe.patch b/debian/patches/features/all/rt/tick-broadcast--Make-hrtimer-irqsafe.patch index bd32afa203c7..3c6360914217 100644 --- a/debian/patches/features/all/rt/tick-broadcast--Make-hrtimer-irqsafe.patch +++ b/debian/patches/features/all/rt/tick-broadcast--Make-hrtimer-irqsafe.patch @@ -1,7 +1,7 @@ Subject: tick/broadcast: Make broadcast hrtimer irqsafe From: Thomas Gleixner Date: Sat, 27 Feb 2016 10:47:10 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Otherwise we end up with the following: diff --git a/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch b/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch index 829fcd820ae2..cb8bc13054ba 100644 --- a/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch +++ b/debian/patches/features/all/rt/timekeeping-split-jiffies-lock.patch @@ -1,7 +1,7 @@ Subject: timekeeping: Split jiffies seqlock From: Thomas Gleixner Date: Thu, 14 Feb 2013 22:36:59 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Replace jiffies_lock seqlock with a simple seqcounter and a rawlock so it can be taken in atomic context on RT. diff --git a/debian/patches/features/all/rt/timer-delay-waking-softirqs-from-the-jiffy-tick.patch b/debian/patches/features/all/rt/timer-delay-waking-softirqs-from-the-jiffy-tick.patch index 5376545f2bf9..98b2527a7af2 100644 --- a/debian/patches/features/all/rt/timer-delay-waking-softirqs-from-the-jiffy-tick.patch +++ b/debian/patches/features/all/rt/timer-delay-waking-softirqs-from-the-jiffy-tick.patch @@ -1,7 +1,7 @@ From: Peter Zijlstra Date: Fri, 21 Aug 2009 11:56:45 +0200 Subject: timer: delay waking softirqs from the jiffy tick -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz People were complaining about broken balancing with the recent -rt series. diff --git a/debian/patches/features/all/rt/timer-fd-avoid-live-lock.patch b/debian/patches/features/all/rt/timer-fd-avoid-live-lock.patch index 99d622380061..c6dfff8ddad4 100644 --- a/debian/patches/features/all/rt/timer-fd-avoid-live-lock.patch +++ b/debian/patches/features/all/rt/timer-fd-avoid-live-lock.patch @@ -1,7 +1,7 @@ Subject: timer-fd: Prevent live lock From: Thomas Gleixner Date: Wed, 25 Jan 2012 11:08:40 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz If hrtimer_try_to_cancel() requires a retry, then depending on the priority setting te retry loop might prevent timer callback completion diff --git a/debian/patches/features/all/rt/timers-avoid-the-base-null-otptimization-on-rt.patch b/debian/patches/features/all/rt/timers-avoid-the-base-null-otptimization-on-rt.patch index 45c3c06ce908..5c44fe5dec69 100644 --- a/debian/patches/features/all/rt/timers-avoid-the-base-null-otptimization-on-rt.patch +++ b/debian/patches/features/all/rt/timers-avoid-the-base-null-otptimization-on-rt.patch @@ -1,7 +1,7 @@ Subject: timers: Avoid the switch timers base set to NULL trick on RT From: Thomas Gleixner Date: Thu, 21 Jul 2011 15:23:39 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz On RT that code is preemptible, so we cannot assign NULL to timers base as a preempter would spin forever in lock_timer_base(). diff --git a/debian/patches/features/all/rt/timers-preempt-rt-support.patch b/debian/patches/features/all/rt/timers-preempt-rt-support.patch index af43931dab8b..863ca5e6f0bf 100644 --- a/debian/patches/features/all/rt/timers-preempt-rt-support.patch +++ b/debian/patches/features/all/rt/timers-preempt-rt-support.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:30:20 -0500 Subject: timers: Preempt-rt support -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The base->lock is a sleeping lock. Try not to workaround with a spin_trylock(). The rt-mutex lock is not irq save even the try-lock diff --git a/debian/patches/features/all/rt/timers-prepare-for-full-preemption.patch b/debian/patches/features/all/rt/timers-prepare-for-full-preemption.patch index 610b0021f496..3b4111650379 100644 --- a/debian/patches/features/all/rt/timers-prepare-for-full-preemption.patch +++ b/debian/patches/features/all/rt/timers-prepare-for-full-preemption.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:34 -0500 Subject: timers: Prepare for full preemption -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When softirqs can be preempted we need to make sure that cancelling the timer from the active thread can not deadlock vs. a running timer diff --git a/debian/patches/features/all/rt/trace-correct-off-by-one-while-recording-the-trace-e.patch b/debian/patches/features/all/rt/trace-correct-off-by-one-while-recording-the-trace-e.patch index 3036d908f323..64d7a5e44091 100644 --- a/debian/patches/features/all/rt/trace-correct-off-by-one-while-recording-the-trace-e.patch +++ b/debian/patches/features/all/rt/trace-correct-off-by-one-while-recording-the-trace-e.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Wed, 25 May 2016 14:03:50 +0200 Subject: [PATCH] trace: correct off by one while recording the trace-event -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Trace events like raw_syscalls show always a preempt code of one. The reason is that on PREEMPT kernels rcu_read_lock_sched_notrace() diff --git a/debian/patches/features/all/rt/trace-latency-hist-Consider-new-argument-when-probin.patch b/debian/patches/features/all/rt/trace-latency-hist-Consider-new-argument-when-probin.patch index 13375ce999f0..ef0eb26611f7 100644 --- a/debian/patches/features/all/rt/trace-latency-hist-Consider-new-argument-when-probin.patch +++ b/debian/patches/features/all/rt/trace-latency-hist-Consider-new-argument-when-probin.patch @@ -2,7 +2,7 @@ From: Carsten Emde Date: Tue, 5 Jan 2016 10:21:59 +0100 Subject: trace/latency-hist: Consider new argument when probing the sched_switch tracer -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The sched_switch tracer has got a new argument. Fix the latency tracer accordingly. diff --git a/debian/patches/features/all/rt/trace_Use_rcuidle_version_for_preemptoff_hist_trace_point.patch b/debian/patches/features/all/rt/trace_Use_rcuidle_version_for_preemptoff_hist_trace_point.patch index 141826849c10..f876e3323a13 100644 --- a/debian/patches/features/all/rt/trace_Use_rcuidle_version_for_preemptoff_hist_trace_point.patch +++ b/debian/patches/features/all/rt/trace_Use_rcuidle_version_for_preemptoff_hist_trace_point.patch @@ -1,7 +1,7 @@ Subject: trace: Use rcuidle version for preemptoff_hist trace point From: Yang Shi Date: Tue, 23 Feb 2016 13:23:23 -0800 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When running -rt kernel with both PREEMPT_OFF_HIST and LOCKDEP enabled, the below error is reported: diff --git a/debian/patches/features/all/rt/tracing-account-for-preempt-off-in-preempt_schedule.patch b/debian/patches/features/all/rt/tracing-account-for-preempt-off-in-preempt_schedule.patch index ae3d34be12d3..aa0dabf30901 100644 --- a/debian/patches/features/all/rt/tracing-account-for-preempt-off-in-preempt_schedule.patch +++ b/debian/patches/features/all/rt/tracing-account-for-preempt-off-in-preempt_schedule.patch @@ -1,7 +1,7 @@ From: Steven Rostedt Date: Thu, 29 Sep 2011 12:24:30 -0500 Subject: tracing: Account for preempt off in preempt_schedule() -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz The preempt_schedule() uses the preempt_disable_notrace() version because it can cause infinite recursion by the function tracer as diff --git a/debian/patches/features/all/rt/tty-serial-8250-don-t-take-the-trylock-during-oops.patch b/debian/patches/features/all/rt/tty-serial-8250-don-t-take-the-trylock-during-oops.patch index 0e2a93a14d94..4b3ece265576 100644 --- a/debian/patches/features/all/rt/tty-serial-8250-don-t-take-the-trylock-during-oops.patch +++ b/debian/patches/features/all/rt/tty-serial-8250-don-t-take-the-trylock-during-oops.patch @@ -2,7 +2,7 @@ From 08552bb6e497a6f37a31884083cdd2c046d0f674 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Mon, 11 Apr 2016 16:55:02 +0200 Subject: [PATCH] tty: serial: 8250: don't take the trylock during oops -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz An oops with irqs off (panic() from irqsafe hrtimer like the watchdog timer) will lead to a lockdep warning on each invocation and as such diff --git a/debian/patches/features/all/rt/upstream-net-rt-remove-preemption-disabling-in-netif_rx.patch b/debian/patches/features/all/rt/upstream-net-rt-remove-preemption-disabling-in-netif_rx.patch index 9200afa41cf0..5843a95a80b8 100644 --- a/debian/patches/features/all/rt/upstream-net-rt-remove-preemption-disabling-in-netif_rx.patch +++ b/debian/patches/features/all/rt/upstream-net-rt-remove-preemption-disabling-in-netif_rx.patch @@ -1,7 +1,7 @@ Subject: net: Remove preemption disabling in netif_rx() From: Priyanka Jain Date: Thu, 17 May 2012 09:35:11 +0530 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz 1)enqueue_to_backlog() (called from netif_rx) should be bind to a particluar CPU. This can be achieved by diff --git a/debian/patches/features/all/rt/usb-use-_nort-in-giveback.patch b/debian/patches/features/all/rt/usb-use-_nort-in-giveback.patch index 57ac226393a8..1f87c21e66cf 100644 --- a/debian/patches/features/all/rt/usb-use-_nort-in-giveback.patch +++ b/debian/patches/features/all/rt/usb-use-_nort-in-giveback.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Fri, 8 Nov 2013 17:34:54 +0100 Subject: usb: Use _nort in giveback function -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Since commit 94dfd7ed ("USB: HCD: support giveback of URB in tasklet context") I see diff --git a/debian/patches/features/all/rt/user-use-local-irq-nort.patch b/debian/patches/features/all/rt/user-use-local-irq-nort.patch index 72932c69c791..af372a68efce 100644 --- a/debian/patches/features/all/rt/user-use-local-irq-nort.patch +++ b/debian/patches/features/all/rt/user-use-local-irq-nort.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Tue, 21 Jul 2009 23:06:05 +0200 Subject: core: Do not disable interrupts on RT in kernel/users.c -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use the local_irq_*_nort variants to reduce latencies in RT. The code is serialized by the locks. No need to disable interrupts. diff --git a/debian/patches/features/all/rt/wait.h-include-atomic.h.patch b/debian/patches/features/all/rt/wait.h-include-atomic.h.patch index 39475d5bb3e5..965f8774383f 100644 --- a/debian/patches/features/all/rt/wait.h-include-atomic.h.patch +++ b/debian/patches/features/all/rt/wait.h-include-atomic.h.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Mon, 28 Oct 2013 12:19:57 +0100 Subject: wait.h: include atomic.h -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz | CC init/main.o |In file included from include/linux/mmzone.h:9:0, diff --git a/debian/patches/features/all/rt/work-queue-work-around-irqsafe-timer-optimization.patch b/debian/patches/features/all/rt/work-queue-work-around-irqsafe-timer-optimization.patch index 9310085b2015..17b0edf79c3e 100644 --- a/debian/patches/features/all/rt/work-queue-work-around-irqsafe-timer-optimization.patch +++ b/debian/patches/features/all/rt/work-queue-work-around-irqsafe-timer-optimization.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Mon, 01 Jul 2013 11:02:42 +0200 Subject: workqueue: Prevent workqueue versus ata-piix livelock -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz An Intel i7 system regularly detected rcu_preempt stalls after the kernel was upgraded from 3.6-rt to 3.8-rt. When the stall happened, disk I/O was no diff --git a/debian/patches/features/all/rt/work-simple-Simple-work-queue-implemenation.patch b/debian/patches/features/all/rt/work-simple-Simple-work-queue-implemenation.patch index 0a16469df806..41f2da564d70 100644 --- a/debian/patches/features/all/rt/work-simple-Simple-work-queue-implemenation.patch +++ b/debian/patches/features/all/rt/work-simple-Simple-work-queue-implemenation.patch @@ -1,25 +1,23 @@ From: Daniel Wagner Date: Fri, 11 Jul 2014 15:26:11 +0200 Subject: work-simple: Simple work queue implemenation -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Provides a framework for enqueuing callbacks from irq context PREEMPT_RT_FULL safe. The callbacks are executed in kthread context. Bases on wait-simple. -Signed-off-by: Daniel Wagner Cc: Sebastian Andrzej Siewior +Signed-off-by: Daniel Wagner --- - include/linux/work-simple.h | 24 ++++++ - kernel/sched/Makefile | 2 - kernel/sched/work-simple.c | 173 ++++++++++++++++++++++++++++++++++++++++++++ + include/linux/swork.h | 24 ++++++ + kernel/sched/Makefile | 2 + kernel/sched/swork.c | 173 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 198 insertions(+), 1 deletion(-) - create mode 100644 include/linux/work-simple.h - create mode 100644 kernel/sched/work-simple.c --- /dev/null -+++ b/include/linux/work-simple.h ++++ b/include/linux/swork.h @@ -0,0 +1,24 @@ +#ifndef _LINUX_SWORK_H +#define _LINUX_SWORK_H @@ -52,12 +50,12 @@ Cc: Sebastian Andrzej Siewior obj-y += core.o loadavg.o clock.o cputime.o obj-y += idle_task.o fair.o rt.o deadline.o stop_task.o -obj-y += wait.o swait.o completion.o idle.o -+obj-y += wait.o swait.o work-simple.o completion.o idle.o ++obj-y += wait.o swait.o swork.o completion.o idle.o obj-$(CONFIG_SMP) += cpupri.o cpudeadline.o obj-$(CONFIG_SCHED_AUTOGROUP) += auto_group.o obj-$(CONFIG_SCHEDSTATS) += stats.o --- /dev/null -+++ b/kernel/sched/work-simple.c ++++ b/kernel/sched/swork.c @@ -0,0 +1,173 @@ +/* + * Copyright (C) 2014 BMW Car IT GmbH, Daniel Wagner daniel.wagner@bmw-carit.de @@ -67,7 +65,7 @@ Cc: Sebastian Andrzej Siewior + */ + +#include -+#include ++#include +#include +#include +#include diff --git a/debian/patches/features/all/rt/workqueue-distangle-from-rq-lock.patch b/debian/patches/features/all/rt/workqueue-distangle-from-rq-lock.patch index 928a8a7ca942..46431e8d7e0c 100644 --- a/debian/patches/features/all/rt/workqueue-distangle-from-rq-lock.patch +++ b/debian/patches/features/all/rt/workqueue-distangle-from-rq-lock.patch @@ -22,7 +22,7 @@ Cc: Jens Axboe Cc: Linus Torvalds Link: http://lkml.kernel.org/r/20110622174919.135236139@linutronix.de Signed-off-by: Thomas Gleixner -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz --- kernel/sched/core.c | 81 ++++++++------------------------------------ diff --git a/debian/patches/features/all/rt/workqueue-prevent-deadlock-stall.patch b/debian/patches/features/all/rt/workqueue-prevent-deadlock-stall.patch index a37fb7dc3483..d21d63991e68 100644 --- a/debian/patches/features/all/rt/workqueue-prevent-deadlock-stall.patch +++ b/debian/patches/features/all/rt/workqueue-prevent-deadlock-stall.patch @@ -1,7 +1,7 @@ Subject: workqueue: Prevent deadlock/stall on RT From: Thomas Gleixner Date: Fri, 27 Jun 2014 16:24:52 +0200 (CEST) -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Austin reported a XFS deadlock/stall on RT where scheduled work gets never exececuted and tasks are waiting for each other for ever. diff --git a/debian/patches/features/all/rt/workqueue-use-locallock.patch b/debian/patches/features/all/rt/workqueue-use-locallock.patch index f6a145242c8a..73389da3a1ff 100644 --- a/debian/patches/features/all/rt/workqueue-use-locallock.patch +++ b/debian/patches/features/all/rt/workqueue-use-locallock.patch @@ -1,7 +1,7 @@ Subject: workqueue: Use local irq lock instead of irq disable regions From: Thomas Gleixner Date: Sun, 17 Jul 2011 21:42:26 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Use a local_irq_lock as a replacement for irq off regions. We keep the semantic of irq-off in regard to the pool->lock and remain preemptible. diff --git a/debian/patches/features/all/rt/workqueue-use-rcu.patch b/debian/patches/features/all/rt/workqueue-use-rcu.patch index 8a293a0d9e31..2fbbcb51a72f 100644 --- a/debian/patches/features/all/rt/workqueue-use-rcu.patch +++ b/debian/patches/features/all/rt/workqueue-use-rcu.patch @@ -1,7 +1,7 @@ Subject: workqueue: Use normal rcu From: Thomas Gleixner Date: Wed, 24 Jul 2013 15:26:54 +0200 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz There is no need for sched_rcu. The undocumented reason why sched_rcu is used is to avoid a few explicit rcu_read_lock()/unlock() pairs by diff --git a/debian/patches/features/all/rt/x86-UV-raw_spinlock-conversion.patch b/debian/patches/features/all/rt/x86-UV-raw_spinlock-conversion.patch index d3eb7e5a1ad8..6e5fb6a2a330 100644 --- a/debian/patches/features/all/rt/x86-UV-raw_spinlock-conversion.patch +++ b/debian/patches/features/all/rt/x86-UV-raw_spinlock-conversion.patch @@ -1,7 +1,7 @@ From: Mike Galbraith Date: Sun, 2 Nov 2014 08:31:37 +0100 Subject: x86: UV: raw_spinlock conversion -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Shrug. Lots of hobbyists have a beast in their basement, right? diff --git a/debian/patches/features/all/rt/x86-crypto-reduce-preempt-disabled-regions.patch b/debian/patches/features/all/rt/x86-crypto-reduce-preempt-disabled-regions.patch index f59f6418b6b5..3a48d7d02153 100644 --- a/debian/patches/features/all/rt/x86-crypto-reduce-preempt-disabled-regions.patch +++ b/debian/patches/features/all/rt/x86-crypto-reduce-preempt-disabled-regions.patch @@ -1,7 +1,7 @@ Subject: x86: crypto: Reduce preempt disabled regions From: Peter Zijlstra Date: Mon, 14 Nov 2011 18:19:27 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Restrict the preempt disabled regions to the actual floating point operations and enable preemption for the administrative actions. diff --git a/debian/patches/features/all/rt/x86-highmem-add-a-already-used-pte-check.patch b/debian/patches/features/all/rt/x86-highmem-add-a-already-used-pte-check.patch index 15bee5f7a20e..91a59356eb30 100644 --- a/debian/patches/features/all/rt/x86-highmem-add-a-already-used-pte-check.patch +++ b/debian/patches/features/all/rt/x86-highmem-add-a-already-used-pte-check.patch @@ -1,7 +1,7 @@ From: Sebastian Andrzej Siewior Date: Mon, 11 Mar 2013 17:09:55 +0100 Subject: x86/highmem: Add a "already used pte" check -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz This is a copy from kmap_atomic_prot(). diff --git a/debian/patches/features/all/rt/x86-io-apic-migra-no-unmask.patch b/debian/patches/features/all/rt/x86-io-apic-migra-no-unmask.patch index 1d61f2691392..65e83c0573c5 100644 --- a/debian/patches/features/all/rt/x86-io-apic-migra-no-unmask.patch +++ b/debian/patches/features/all/rt/x86-io-apic-migra-no-unmask.patch @@ -1,7 +1,7 @@ From: Ingo Molnar Date: Fri, 3 Jul 2009 08:29:27 -0500 Subject: x86/ioapic: Do not unmask io_apic when interrupt is in progress -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz With threaded interrupts we might see an interrupt in progress on migration. Do not unmask it when this is the case. diff --git a/debian/patches/features/all/rt/x86-kvm-require-const-tsc-for-rt.patch b/debian/patches/features/all/rt/x86-kvm-require-const-tsc-for-rt.patch index 84ab1441dafc..bc940ca873da 100644 --- a/debian/patches/features/all/rt/x86-kvm-require-const-tsc-for-rt.patch +++ b/debian/patches/features/all/rt/x86-kvm-require-const-tsc-for-rt.patch @@ -1,7 +1,7 @@ Subject: x86: kvm Require const tsc for RT From: Thomas Gleixner Date: Sun, 06 Nov 2011 12:26:18 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Non constant TSC is a nightmare on bare metal already, but with virtualization it becomes a complete disaster because the workarounds diff --git a/debian/patches/features/all/rt/x86-mce-timer-hrtimer.patch b/debian/patches/features/all/rt/x86-mce-timer-hrtimer.patch index 9541f7445772..56f62998cffb 100644 --- a/debian/patches/features/all/rt/x86-mce-timer-hrtimer.patch +++ b/debian/patches/features/all/rt/x86-mce-timer-hrtimer.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Mon, 13 Dec 2010 16:33:39 +0100 Subject: x86: Convert mce timer to hrtimer -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz mce_timer is started in atomic contexts of cpu bringup. This results in might_sleep() warnings on RT. Convert mce_timer to a hrtimer to diff --git a/debian/patches/features/all/rt/x86-mce-use-swait-queue-for-mce-wakeups.patch b/debian/patches/features/all/rt/x86-mce-use-swait-queue-for-mce-wakeups.patch index ea044f161bae..47182366b49b 100644 --- a/debian/patches/features/all/rt/x86-mce-use-swait-queue-for-mce-wakeups.patch +++ b/debian/patches/features/all/rt/x86-mce-use-swait-queue-for-mce-wakeups.patch @@ -1,7 +1,7 @@ Subject: x86/mce: use swait queue for mce wakeups From: Steven Rostedt Date: Fri, 27 Feb 2015 15:20:37 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz We had a customer report a lockup on a 3.0-rt kernel that had the following backtrace: @@ -65,7 +65,7 @@ Signed-off-by: Daniel Wagner #include #include #include -+#include ++#include #include #include diff --git a/debian/patches/features/all/rt/x86-preempt-lazy.patch b/debian/patches/features/all/rt/x86-preempt-lazy.patch index f8acb413a8c2..e3ea81466a6a 100644 --- a/debian/patches/features/all/rt/x86-preempt-lazy.patch +++ b/debian/patches/features/all/rt/x86-preempt-lazy.patch @@ -1,7 +1,7 @@ Subject: x86: Support for lazy preemption From: Thomas Gleixner Date: Thu, 01 Nov 2012 11:03:47 +0100 -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Implement the x86 pieces for lazy preempt. diff --git a/debian/patches/features/all/rt/x86-signal-delay-calling-signals-on-32bit.patch b/debian/patches/features/all/rt/x86-signal-delay-calling-signals-on-32bit.patch index 82c73697528f..8b38c9b245be 100644 --- a/debian/patches/features/all/rt/x86-signal-delay-calling-signals-on-32bit.patch +++ b/debian/patches/features/all/rt/x86-signal-delay-calling-signals-on-32bit.patch @@ -1,7 +1,7 @@ From: Yang Shi Date: Thu, 10 Dec 2015 10:58:51 -0800 Subject: x86/signal: delay calling signals on 32bit -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz When running some ptrace single step tests on x86-32 machine, the below problem is triggered: diff --git a/debian/patches/features/all/rt/x86-stackprot-no-random-on-rt.patch b/debian/patches/features/all/rt/x86-stackprot-no-random-on-rt.patch index dd3475c868cb..3b1f82ed4139 100644 --- a/debian/patches/features/all/rt/x86-stackprot-no-random-on-rt.patch +++ b/debian/patches/features/all/rt/x86-stackprot-no-random-on-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Thu, 16 Dec 2010 14:25:18 +0100 Subject: x86: stackprotector: Avoid random pool on rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz CPU bringup calls into the random pool to initialize the stack canary. During boot that works nicely even on RT as the might sleep diff --git a/debian/patches/features/all/rt/x86-use-gen-rwsem-spinlocks-rt.patch b/debian/patches/features/all/rt/x86-use-gen-rwsem-spinlocks-rt.patch index 02b3e29e6053..974be0c8b470 100644 --- a/debian/patches/features/all/rt/x86-use-gen-rwsem-spinlocks-rt.patch +++ b/debian/patches/features/all/rt/x86-use-gen-rwsem-spinlocks-rt.patch @@ -1,7 +1,7 @@ From: Thomas Gleixner Date: Sun, 26 Jul 2009 02:21:32 +0200 Subject: x86: Use generic rwsem_spinlocks on -rt -Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.1-rt3.tar.xz +Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.6/older/patches-4.6.2-rt5.tar.xz Simplifies the separation of anon_rw_semaphores and rw_semaphores for -rt. diff --git a/debian/patches/series-rt b/debian/patches/series-rt index 461a8dab3c3c..1870d9ed9a7e 100644 --- a/debian/patches/series-rt +++ b/debian/patches/series-rt @@ -244,6 +244,7 @@ features/all/rt/slub-disable-SLUB_CPU_PARTIAL.patch features/all/rt/mm-page-alloc-use-local-lock-on-target-cpu.patch features/all/rt/mm-memcontrol-Don-t-call-schedule_work_on-in-preempt.patch features/all/rt/mm-memcontrol-do_not_disable_irq.patch +features/all/rt/mm-memcontrol-mem_cgroup_migrate-replace-another-loc.patch features/all/rt/mm-backing-dev-don-t-disable-IRQs-in-wb_congested_pu.patch features/all/rt/mm-zsmalloc-Use-get-put_cpu_light-in-zs_map_object-z.patch From b782c52536466b386bc65af74d9aa6f7687ce11d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 25 Jun 2016 00:09:02 +0200 Subject: [PATCH 04/14] KEYS: potential uninitialized variable (CVE-2016-4470) --- debian/changelog | 1 + ...eys-potential-uninitialized-variable.patch | 86 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 88 insertions(+) create mode 100644 debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch diff --git a/debian/changelog b/debian/changelog index 7c768ec7ef3a..5a8271d89615 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ linux (4.6.2-2) UNRELEASED; urgency=medium * [rt] Update to 4.6.2-rt5: - mm/memcontrol: mem_cgroup_migrate() - replace another local_irq_disable() w. local_lock_irq() + * KEYS: potential uninitialized variable (CVE-2016-4470) -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch b/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch new file mode 100644 index 000000000000..fbe460ba8243 --- /dev/null +++ b/debian/patches/bugfix/all/keys-potential-uninitialized-variable.patch @@ -0,0 +1,86 @@ +From: Dan Carpenter +Date: Thu, 16 Jun 2016 15:48:57 +0100 +Subject: KEYS: potential uninitialized variable +Origin: https://git.kernel.org/linus/38327424b40bcebe2de92d07312c89360ac9229a + +If __key_link_begin() failed then "edit" would be uninitialized. I've +added a check to fix that. + +This allows a random user to crash the kernel, though it's quite +difficult to achieve. There are three ways it can be done as the user +would have to cause an error to occur in __key_link(): + + (1) Cause the kernel to run out of memory. In practice, this is difficult + to achieve without ENOMEM cropping up elsewhere and aborting the + attempt. + + (2) Revoke the destination keyring between the keyring ID being looked up + and it being tested for revocation. In practice, this is difficult to + time correctly because the KEYCTL_REJECT function can only be used + from the request-key upcall process. Further, users can only make use + of what's in /sbin/request-key.conf, though this does including a + rejection debugging test - which means that the destination keyring + has to be the caller's session keyring in practice. + + (3) Have just enough key quota available to create a key, a new session + keyring for the upcall and a link in the session keyring, but not then + sufficient quota to create a link in the nominated destination keyring + so that it fails with EDQUOT. + +The bug can be triggered using option (3) above using something like the +following: + + echo 80 >/proc/sys/kernel/keys/root_maxbytes + keyctl request2 user debug:fred negate @t + +The above sets the quota to something much lower (80) to make the bug +easier to trigger, but this is dependent on the system. Note also that +the name of the keyring created contains a random number that may be +between 1 and 10 characters in size, so may throw the test off by +changing the amount of quota used. + +Assuming the failure occurs, something like the following will be seen: + + kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h + ------------[ cut here ]------------ + kernel BUG at ../mm/slab.c:2821! + ... + RIP: 0010:[] kfree_debugcheck+0x20/0x25 + RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092 + RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000 + RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300 + RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000 + R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202 + R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001 + ... + Call Trace: + kfree+0xde/0x1bc + assoc_array_cancel_edit+0x1f/0x36 + __key_link_end+0x55/0x63 + key_reject_and_link+0x124/0x155 + keyctl_reject_key+0xb6/0xe0 + keyctl_negate_key+0x10/0x12 + SyS_keyctl+0x9f/0xe7 + do_syscall_64+0x63/0x13a + entry_SYSCALL64_slow_path+0x25/0x25 + +Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()') +Signed-off-by: Dan Carpenter +Signed-off-by: David Howells +cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +--- + security/keys/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -584,7 +584,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(&key_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, &key->index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ diff --git a/debian/patches/series b/debian/patches/series index 0810e58fac23..c3affbcb263a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -112,6 +112,7 @@ bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch bugfix/all/sched-panic-on-corrupted-stack-end.patch bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch +bugfix/all/keys-potential-uninitialized-variable.patch # ABI maintenance debian/mips-siginfo-fix-abi-change-in-4.6.2.patch From f5f99415a20f4ed243d406fb3533fbe5cc01f65f Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 25 Jun 2016 00:11:57 +0200 Subject: [PATCH 05/14] percpu: Fix synchronization with chunk destruction (CVE-2016-4794) --- debian/changelog | 4 + ...ronization-between-chunk-map_extend_.patch | 153 ++++++++++++++++++ ...ronization-between-synchronous-map-e.patch | 104 ++++++++++++ debian/patches/series | 2 + 4 files changed, 263 insertions(+) create mode 100644 debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch create mode 100644 debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch diff --git a/debian/changelog b/debian/changelog index 5a8271d89615..4866ab860ef3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,10 @@ linux (4.6.2-2) UNRELEASED; urgency=medium - mm/memcontrol: mem_cgroup_migrate() - replace another local_irq_disable() w. local_lock_irq() * KEYS: potential uninitialized variable (CVE-2016-4470) + * percpu: fix synchronization between chunk->map_extend_work and chunk + destruction (CVE-2016-4794) + * percpu: fix synchronization between synchronous map extension and + chunk destruction (CVE-2016-4794) -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch b/debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch new file mode 100644 index 000000000000..341016831977 --- /dev/null +++ b/debian/patches/bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch @@ -0,0 +1,153 @@ +From: Tejun Heo +Date: Wed, 25 May 2016 11:48:25 -0400 +Subject: percpu: fix synchronization between chunk->map_extend_work and chunk + destruction +Origin: https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3 + +Atomic allocations can trigger async map extensions which is serviced +by chunk->map_extend_work. pcpu_balance_work which is responsible for +destroying idle chunks wasn't synchronizing properly against +chunk->map_extend_work and may end up freeing the chunk while the work +item is still in flight. + +This patch fixes the bug by rolling async map extension operations +into pcpu_balance_work. + +Signed-off-by: Tejun Heo +Reported-and-tested-by: Alexei Starovoitov +Reported-by: Vlastimil Babka +Reported-by: Sasha Levin +Cc: stable@vger.kernel.org # v3.18+ +Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space") +--- + mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++--------------------- + 1 file changed, 36 insertions(+), 21 deletions(-) + +diff --git a/mm/percpu.c b/mm/percpu.c +index 0c59684f1ff2..b1d2a3844792 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -112,7 +112,7 @@ struct pcpu_chunk { + int map_used; /* # of map entries used before the sentry */ + int map_alloc; /* # of map entries allocated */ + int *map; /* allocation map */ +- struct work_struct map_extend_work;/* async ->map[] extension */ ++ struct list_head map_extend_list;/* on pcpu_map_extend_chunks */ + + void *data; /* chunk data */ + int first_free; /* no free below this */ +@@ -166,6 +166,9 @@ static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */ + + static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */ + ++/* chunks which need their map areas extended, protected by pcpu_lock */ ++static LIST_HEAD(pcpu_map_extend_chunks); ++ + /* + * The number of empty populated pages, protected by pcpu_lock. The + * reserved chunk doesn't contribute to the count. +@@ -395,13 +398,19 @@ static int pcpu_need_to_extend(struct pcpu_chunk *chunk, bool is_atomic) + { + int margin, new_alloc; + ++ lockdep_assert_held(&pcpu_lock); ++ + if (is_atomic) { + margin = 3; + + if (chunk->map_alloc < +- chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW && +- pcpu_async_enabled) +- schedule_work(&chunk->map_extend_work); ++ chunk->map_used + PCPU_ATOMIC_MAP_MARGIN_LOW) { ++ if (list_empty(&chunk->map_extend_list)) { ++ list_add_tail(&chunk->map_extend_list, ++ &pcpu_map_extend_chunks); ++ pcpu_schedule_balance_work(); ++ } ++ } + } else { + margin = PCPU_ATOMIC_MAP_MARGIN_HIGH; + } +@@ -467,20 +476,6 @@ out_unlock: + return 0; + } + +-static void pcpu_map_extend_workfn(struct work_struct *work) +-{ +- struct pcpu_chunk *chunk = container_of(work, struct pcpu_chunk, +- map_extend_work); +- int new_alloc; +- +- spin_lock_irq(&pcpu_lock); +- new_alloc = pcpu_need_to_extend(chunk, false); +- spin_unlock_irq(&pcpu_lock); +- +- if (new_alloc) +- pcpu_extend_area_map(chunk, new_alloc); +-} +- + /** + * pcpu_fit_in_area - try to fit the requested allocation in a candidate area + * @chunk: chunk the candidate area belongs to +@@ -740,7 +735,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void) + chunk->map_used = 1; + + INIT_LIST_HEAD(&chunk->list); +- INIT_WORK(&chunk->map_extend_work, pcpu_map_extend_workfn); ++ INIT_LIST_HEAD(&chunk->map_extend_list); + chunk->free_size = pcpu_unit_size; + chunk->contig_hint = pcpu_unit_size; + +@@ -1129,6 +1124,7 @@ static void pcpu_balance_workfn(struct work_struct *work) + if (chunk == list_first_entry(free_head, struct pcpu_chunk, list)) + continue; + ++ list_del_init(&chunk->map_extend_list); + list_move(&chunk->list, &to_free); + } + +@@ -1146,6 +1142,25 @@ static void pcpu_balance_workfn(struct work_struct *work) + pcpu_destroy_chunk(chunk); + } + ++ /* service chunks which requested async area map extension */ ++ do { ++ int new_alloc = 0; ++ ++ spin_lock_irq(&pcpu_lock); ++ ++ chunk = list_first_entry_or_null(&pcpu_map_extend_chunks, ++ struct pcpu_chunk, map_extend_list); ++ if (chunk) { ++ list_del_init(&chunk->map_extend_list); ++ new_alloc = pcpu_need_to_extend(chunk, false); ++ } ++ ++ spin_unlock_irq(&pcpu_lock); ++ ++ if (new_alloc) ++ pcpu_extend_area_map(chunk, new_alloc); ++ } while (chunk); ++ + /* + * Ensure there are certain number of free populated pages for + * atomic allocs. Fill up from the most packed so that atomic +@@ -1644,7 +1659,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai, + */ + schunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0); + INIT_LIST_HEAD(&schunk->list); +- INIT_WORK(&schunk->map_extend_work, pcpu_map_extend_workfn); ++ INIT_LIST_HEAD(&schunk->map_extend_list); + schunk->base_addr = base_addr; + schunk->map = smap; + schunk->map_alloc = ARRAY_SIZE(smap); +@@ -1673,7 +1688,7 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai, + if (dyn_size) { + dchunk = memblock_virt_alloc(pcpu_chunk_struct_size, 0); + INIT_LIST_HEAD(&dchunk->list); +- INIT_WORK(&dchunk->map_extend_work, pcpu_map_extend_workfn); ++ INIT_LIST_HEAD(&dchunk->map_extend_list); + dchunk->base_addr = base_addr; + dchunk->map = dmap; + dchunk->map_alloc = ARRAY_SIZE(dmap); diff --git a/debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch b/debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch new file mode 100644 index 000000000000..e8a70c5b99c2 --- /dev/null +++ b/debian/patches/bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch @@ -0,0 +1,104 @@ +From: Tejun Heo +Date: Wed, 25 May 2016 11:48:25 -0400 +Subject: percpu: fix synchronization between synchronous map extension and + chunk destruction +Origin: https://git.kernel.org/linus/6710e594f71ccaad8101bc64321152af7cd9ea28 + +For non-atomic allocations, pcpu_alloc() can try to extend the area +map synchronously after dropping pcpu_lock; however, the extension +wasn't synchronized against chunk destruction and the chunk might get +freed while extension is in progress. + +This patch fixes the bug by putting most of non-atomic allocations +under pcpu_alloc_mutex to synchronize against pcpu_balance_work which +is responsible for async chunk management including destruction. + +Signed-off-by: Tejun Heo +Reported-and-tested-by: Alexei Starovoitov +Reported-by: Vlastimil Babka +Reported-by: Sasha Levin +Cc: stable@vger.kernel.org # v3.18+ +Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population") +--- + mm/percpu.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/mm/percpu.c b/mm/percpu.c +index b1d2a3844792..9903830aaebb 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -162,7 +162,7 @@ static struct pcpu_chunk *pcpu_reserved_chunk; + static int pcpu_reserved_chunk_limit; + + static DEFINE_SPINLOCK(pcpu_lock); /* all internal data structures */ +-static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop */ ++static DEFINE_MUTEX(pcpu_alloc_mutex); /* chunk create/destroy, [de]pop, map ext */ + + static struct list_head *pcpu_slot __read_mostly; /* chunk list slots */ + +@@ -444,6 +444,8 @@ static int pcpu_extend_area_map(struct pcpu_chunk *chunk, int new_alloc) + size_t old_size = 0, new_size = new_alloc * sizeof(new[0]); + unsigned long flags; + ++ lockdep_assert_held(&pcpu_alloc_mutex); ++ + new = pcpu_mem_zalloc(new_size); + if (!new) + return -ENOMEM; +@@ -890,6 +892,9 @@ static void __percpu *pcpu_alloc(size_t size, size_t align, bool reserved, + return NULL; + } + ++ if (!is_atomic) ++ mutex_lock(&pcpu_alloc_mutex); ++ + spin_lock_irqsave(&pcpu_lock, flags); + + /* serve reserved allocations from the reserved chunk if available */ +@@ -962,12 +967,9 @@ restart: + if (is_atomic) + goto fail; + +- mutex_lock(&pcpu_alloc_mutex); +- + if (list_empty(&pcpu_slot[pcpu_nr_slots - 1])) { + chunk = pcpu_create_chunk(); + if (!chunk) { +- mutex_unlock(&pcpu_alloc_mutex); + err = "failed to allocate new chunk"; + goto fail; + } +@@ -978,7 +980,6 @@ restart: + spin_lock_irqsave(&pcpu_lock, flags); + } + +- mutex_unlock(&pcpu_alloc_mutex); + goto restart; + + area_found: +@@ -988,8 +989,6 @@ area_found: + if (!is_atomic) { + int page_start, page_end, rs, re; + +- mutex_lock(&pcpu_alloc_mutex); +- + page_start = PFN_DOWN(off); + page_end = PFN_UP(off + size); + +@@ -1000,7 +999,6 @@ area_found: + + spin_lock_irqsave(&pcpu_lock, flags); + if (ret) { +- mutex_unlock(&pcpu_alloc_mutex); + pcpu_free_area(chunk, off, &occ_pages); + err = "failed to populate"; + goto fail_unlock; +@@ -1040,6 +1038,8 @@ fail: + /* see the flag handling in pcpu_blance_workfn() */ + pcpu_atomic_alloc_failed = true; + pcpu_schedule_balance_work(); ++ } else { ++ mutex_unlock(&pcpu_alloc_mutex); + } + return NULL; + } diff --git a/debian/patches/series b/debian/patches/series index c3affbcb263a..3d57f4fb6e20 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -113,6 +113,8 @@ bugfix/all/sched-panic-on-corrupted-stack-end.patch bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch bugfix/all/keys-potential-uninitialized-variable.patch +bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch +bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch # ABI maintenance debian/mips-siginfo-fix-abi-change-in-4.6.2.patch From 9fd7bbdf1a3a97886fc50e6b8619571e1ce776de Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 24 Jun 2016 23:29:28 +0200 Subject: [PATCH 06/14] netfilter: x_tables: Add fixes for CVE-2016-4997, CVE-2016-4998 ...and probably other issues never assigned an ID. --- debian/changelog | 18 + ...bles-simplify-translate_compat_table.patch | 210 +++++ ...bles-simplify-translate_compat_table.patch | 185 ++++ ...les-simplify-translate_compat_table-.patch | 185 ++++ ...es-add-and-use-xt_check_entry_offset.patch | 151 ++++ ...es-add-compat-version-of-xt_check_en.patch | 105 +++ ...-x_tables-assert-minimum-target-size.patch | 25 + ...tables-check-for-bogus-target-offset.patch | 164 ++++ ...ables-check-standard-target-size-too.patch | 60 ++ ...es-do-compat-validation-via-translat.patch | 798 ++++++++++++++++++ ...es-don-t-move-to-non-existent-next-r.patch | 100 +++ ...es-don-t-reject-valid-target-size-on.patch | 54 ++ ...es-introduce-and-use-xt_copy_counter.patch | 328 +++++++ ...ter-x_tables-kill-check_entry-helper.patch | 149 ++++ ...es-validate-all-offsets-and-sizes-in.patch | 137 +++ ...r-x_tables-validate-targets-of-jumps.patch | 127 +++ ...es-xt_compat_match_from_user-doesn-t.patch | 234 +++++ debian/patches/series | 16 + 18 files changed, 3046 insertions(+) create mode 100644 debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch create mode 100644 debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch create mode 100644 debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch create mode 100644 debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch diff --git a/debian/changelog b/debian/changelog index 4866ab860ef3..0c33506f43ee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,24 @@ linux (4.6.2-2) UNRELEASED; urgency=medium destruction (CVE-2016-4794) * percpu: fix synchronization between synchronous map extension and chunk destruction (CVE-2016-4794) + * netfilter: x_tables: Fix parsing of IPT_SO_SET_REPLACE blobs + (CVE-2016-4997, CVE-2016-4998) + - don't move to non-existent next rule + - validate targets of jumps + - add and use xt_check_entry_offsets + - kill check_entry helper + - assert minimum target size + - add compat version of xt_check_entry_offsets + - check standard target size too + - check for bogus target offset + - validate all offsets and sizes in a rule + - don't reject valid target size on some + - arp_tables: simplify translate_compat_table args + - ip_tables: simplify translate_compat_table args + - ip6_tables: simplify translate_compat_table args + - xt_compat_match_from_user doesn't need a retval + - do compat validation via translate_table + - introduce and use xt_copy_counters_from_user -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch b/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch new file mode 100644 index 000000000000..3c9dc86fad15 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch @@ -0,0 +1,210 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:32 +0200 +Subject: netfilter: arp_tables: simplify translate_compat_table args +Origin: https://git.kernel.org/linus/8dddd32756f6fe8e4e82a63361119b7e2384e02f + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 82 ++++++++++++++++++----------------------- + 1 file changed, 36 insertions(+), 46 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1214,6 +1214,18 @@ static int do_add_counters(struct net *n + } + + #ifdef CONFIG_COMPAT ++struct compat_arpt_replace { ++ char name[XT_TABLE_MAXNAMELEN]; ++ u32 valid_hooks; ++ u32 num_entries; ++ u32 size; ++ u32 hook_entry[NF_ARP_NUMHOOKS]; ++ u32 underflow[NF_ARP_NUMHOOKS]; ++ u32 num_counters; ++ compat_uptr_t counters; ++ struct compat_arpt_entry entries[0]; ++}; ++ + static inline void compat_release_entry(struct compat_arpt_entry *e) + { + struct xt_entry_target *t; +@@ -1229,8 +1241,7 @@ check_compat_entry_size_and_hooks(struct + const unsigned char *base, + const unsigned char *limit, + const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned int *underflows) + { + struct xt_entry_target *t; + struct xt_target *target; +@@ -1301,7 +1312,7 @@ out: + + static int + compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; +@@ -1334,14 +1345,9 @@ compat_copy_entry_from_user(struct compa + return ret; + } + +-static int translate_compat_table(const char *name, +- unsigned int valid_hooks, +- struct xt_table_info **pinfo, ++static int translate_compat_table(struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_arpt_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; +@@ -1353,8 +1359,8 @@ static int translate_compat_table(const + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; ++ size = compatr->size; ++ info->number = compatr->num_entries; + + /* Init all hooks to impossible value. */ + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +@@ -1365,40 +1371,39 @@ static int translate_compat_table(const + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(NFPROTO_ARP); +- xt_compat_init_offsets(NFPROTO_ARP, number); ++ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size, ++ compatr->hook_entry, ++ compatr->underflow); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + + /* Check hooks all assigned */ + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) ++ if (!(compatr->valid_hooks & (1 << i))) + continue; + if (info->hook_entry[i] == 0xFFFFFFFF) { + duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); ++ i, info->hook_entry[i]); + goto out_unlock; + } + if (info->underflow[i] == 0xFFFFFFFF) { + duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); ++ i, info->underflow[i]); + goto out_unlock; + } + } +@@ -1408,17 +1413,17 @@ static int translate_compat_table(const + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = info->hook_entry[i]; + newinfo->underflow[i] = info->underflow[i]; + } + entry1 = newinfo->entries; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); ++ newinfo, entry1); + if (ret != 0) + break; + } +@@ -1428,7 +1433,7 @@ static int translate_compat_table(const + goto free_newinfo; + + ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) ++ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) + goto free_newinfo; + + i = 0; +@@ -1439,7 +1444,7 @@ static int translate_compat_table(const + break; + } + +- ret = check_target(iter1, name); ++ ret = check_target(iter1, compatr->name); + if (ret != 0) { + xt_percpu_counter_free(iter1->counters.pcnt); + break; +@@ -1481,7 +1486,7 @@ static int translate_compat_table(const + free_newinfo: + xt_free_table_info(newinfo); + out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); +@@ -1493,18 +1498,6 @@ out_unlock: + goto out; + } + +-struct compat_arpt_replace { +- char name[XT_TABLE_MAXNAMELEN]; +- u32 valid_hooks; +- u32 num_entries; +- u32 size; +- u32 hook_entry[NF_ARP_NUMHOOKS]; +- u32 underflow[NF_ARP_NUMHOOKS]; +- u32 num_counters; +- compat_uptr_t counters; +- struct compat_arpt_entry entries[0]; +-}; +- + static int compat_do_replace(struct net *net, void __user *user, + unsigned int len) + { +@@ -1537,10 +1530,7 @@ static int compat_do_replace(struct net + goto free_newinfo; + } + +- ret = translate_compat_table(tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + diff --git a/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch b/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch new file mode 100644 index 000000000000..109fd0d1ee76 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch @@ -0,0 +1,185 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:31 +0200 +Subject: netfilter: ip6_tables: simplify translate_compat_table args +Origin: https://git.kernel.org/linus/329a0807124f12fe1c8032f95d8a8eb47047fb0e + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv6/netfilter/ip6_tables.c | 59 +++++++++++++++++------------------------ + 1 file changed, 24 insertions(+), 35 deletions(-) + +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1461,7 +1461,6 @@ compat_copy_entry_to_user(struct ip6t_en + + static int + compat_find_calc_match(struct xt_entry_match *m, +- const char *name, + const struct ip6t_ip6 *ipv6, + int *size) + { +@@ -1498,8 +1497,7 @@ check_compat_entry_size_and_hooks(struct + const unsigned char *base, + const unsigned char *limit, + const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned int *underflows) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; +@@ -1535,7 +1533,7 @@ check_compat_entry_size_and_hooks(struct + entry_offset = (void *)e - (void *)base; + j = 0; + xt_ematch_foreach(ematch, e) { +- ret = compat_find_calc_match(ematch, name, &e->ipv6, &off); ++ ret = compat_find_calc_match(ematch, &e->ipv6, &off); + if (ret != 0) + goto release_matches; + ++j; +@@ -1584,7 +1582,7 @@ release_matches: + + static int + compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; +@@ -1664,14 +1662,9 @@ static int compat_check_entry(struct ip6 + + static int + translate_compat_table(struct net *net, +- const char *name, +- unsigned int valid_hooks, + struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_ip6t_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; +@@ -1683,8 +1676,8 @@ translate_compat_table(struct net *net, + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; ++ size = compatr->size; ++ info->number = compatr->num_entries; + + /* Init all hooks to impossible value. */ + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +@@ -1695,40 +1688,39 @@ translate_compat_table(struct net *net, + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET6); +- xt_compat_init_offsets(AF_INET6, number); ++ xt_compat_init_offsets(AF_INET6, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size, ++ compatr->hook_entry, ++ compatr->underflow); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + + /* Check hooks all assigned */ + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) ++ if (!(compatr->valid_hooks & (1 << i))) + continue; + if (info->hook_entry[i] == 0xFFFFFFFF) { + duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); ++ i, info->hook_entry[i]); + goto out_unlock; + } + if (info->underflow[i] == 0xFFFFFFFF) { + duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); ++ i, info->underflow[i]); + goto out_unlock; + } + } +@@ -1738,17 +1730,17 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = info->hook_entry[i]; + newinfo->underflow[i] = info->underflow[i]; + } + entry1 = newinfo->entries; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); ++ newinfo, entry1); + if (ret != 0) + break; + } +@@ -1758,12 +1750,12 @@ translate_compat_table(struct net *net, + goto free_newinfo; + + ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) ++ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) + goto free_newinfo; + + i = 0; + xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, name); ++ ret = compat_check_entry(iter1, net, compatr->name); + if (ret != 0) + break; + ++i; +@@ -1803,7 +1795,7 @@ translate_compat_table(struct net *net, + free_newinfo: + xt_free_table_info(newinfo); + out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); +@@ -1848,10 +1840,7 @@ compat_do_replace(struct net *net, void + goto free_newinfo; + } + +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + diff --git a/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch b/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch new file mode 100644 index 000000000000..05603e542d7a --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch @@ -0,0 +1,185 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:30 +0200 +Subject: netfilter: ip_tables: simplify translate_compat_table args +Origin: https://git.kernel.org/linus/7d3f843eed29222254c9feab481f55175a1afcc9 + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/ip_tables.c | 59 +++++++++++++++++------------------------- + 1 file changed, 24 insertions(+), 35 deletions(-) + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1449,7 +1449,6 @@ compat_copy_entry_to_user(struct ipt_ent + + static int + compat_find_calc_match(struct xt_entry_match *m, +- const char *name, + const struct ipt_ip *ip, + int *size) + { +@@ -1486,8 +1485,7 @@ check_compat_entry_size_and_hooks(struct + const unsigned char *base, + const unsigned char *limit, + const unsigned int *hook_entries, +- const unsigned int *underflows, +- const char *name) ++ const unsigned int *underflows) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; +@@ -1523,7 +1521,7 @@ check_compat_entry_size_and_hooks(struct + entry_offset = (void *)e - (void *)base; + j = 0; + xt_ematch_foreach(ematch, e) { +- ret = compat_find_calc_match(ematch, name, &e->ip, &off); ++ ret = compat_find_calc_match(ematch, &e->ip, &off); + if (ret != 0) + goto release_matches; + ++j; +@@ -1572,7 +1570,7 @@ release_matches: + + static int + compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, +- unsigned int *size, const char *name, ++ unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) + { + struct xt_entry_target *t; +@@ -1655,14 +1653,9 @@ compat_check_entry(struct ipt_entry *e, + + static int + translate_compat_table(struct net *net, +- const char *name, +- unsigned int valid_hooks, + struct xt_table_info **pinfo, + void **pentry0, +- unsigned int total_size, +- unsigned int number, +- unsigned int *hook_entries, +- unsigned int *underflows) ++ const struct compat_ipt_replace *compatr) + { + unsigned int i, j; + struct xt_table_info *newinfo, *info; +@@ -1674,8 +1667,8 @@ translate_compat_table(struct net *net, + + info = *pinfo; + entry0 = *pentry0; +- size = total_size; +- info->number = number; ++ size = compatr->size; ++ info->number = compatr->num_entries; + + /* Init all hooks to impossible value. */ + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +@@ -1686,40 +1679,39 @@ translate_compat_table(struct net *net, + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET); +- xt_compat_init_offsets(AF_INET, number); ++ xt_compat_init_offsets(AF_INET, compatr->num_entries); + /* Walk through entries, checking offsets. */ +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + total_size, +- hook_entries, +- underflows, +- name); ++ entry0 + compatr->size, ++ compatr->hook_entry, ++ compatr->underflow); + if (ret != 0) + goto out_unlock; + ++j; + } + + ret = -EINVAL; +- if (j != number) { ++ if (j != compatr->num_entries) { + duprintf("translate_compat_table: %u not %u entries\n", +- j, number); ++ j, compatr->num_entries); + goto out_unlock; + } + + /* Check hooks all assigned */ + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + /* Only hooks which are valid */ +- if (!(valid_hooks & (1 << i))) ++ if (!(compatr->valid_hooks & (1 << i))) + continue; + if (info->hook_entry[i] == 0xFFFFFFFF) { + duprintf("Invalid hook entry %u %u\n", +- i, hook_entries[i]); ++ i, info->hook_entry[i]); + goto out_unlock; + } + if (info->underflow[i] == 0xFFFFFFFF) { + duprintf("Invalid underflow %u %u\n", +- i, underflows[i]); ++ i, info->underflow[i]); + goto out_unlock; + } + } +@@ -1729,17 +1721,17 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + +- newinfo->number = number; ++ newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = info->hook_entry[i]; + newinfo->underflow[i] = info->underflow[i]; + } + entry1 = newinfo->entries; + pos = entry1; +- size = total_size; +- xt_entry_foreach(iter0, entry0, total_size) { ++ size = compatr->size; ++ xt_entry_foreach(iter0, entry0, compatr->size) { + ret = compat_copy_entry_from_user(iter0, &pos, &size, +- name, newinfo, entry1); ++ newinfo, entry1); + if (ret != 0) + break; + } +@@ -1749,12 +1741,12 @@ translate_compat_table(struct net *net, + goto free_newinfo; + + ret = -ELOOP; +- if (!mark_source_chains(newinfo, valid_hooks, entry1)) ++ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) + goto free_newinfo; + + i = 0; + xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, name); ++ ret = compat_check_entry(iter1, net, compatr->name); + if (ret != 0) + break; + ++i; +@@ -1794,7 +1786,7 @@ translate_compat_table(struct net *net, + free_newinfo: + xt_free_table_info(newinfo); + out: +- xt_entry_foreach(iter0, entry0, total_size) { ++ xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); +@@ -1839,10 +1831,7 @@ compat_do_replace(struct net *net, void + goto free_newinfo; + } + +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, +- &newinfo, &loc_cpu_entry, tmp.size, +- tmp.num_entries, tmp.hook_entry, +- tmp.underflow); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + diff --git a/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch b/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch new file mode 100644 index 000000000000..42ed724e32ac --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch @@ -0,0 +1,151 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:23 +0200 +Subject: netfilter: x_tables: add and use xt_check_entry_offsets +Origin: https://git.kernel.org/linus/7d35812c3214afa5b37a675113555259cfd67b98 + +Currently arp/ip and ip6tables each implement a short helper to check that +the target offset is large enough to hold one xt_entry_target struct and +that t->u.target_size fits within the current rule. + +Unfortunately these checks are not sufficient. + +To avoid adding new tests to all of ip/ip6/arptables move the current +checks into a helper, then extend this helper in followup patches. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/x_tables.h | 4 ++++ + net/ipv4/netfilter/arp_tables.c | 11 +---------- + net/ipv4/netfilter/ip_tables.c | 12 +----------- + net/ipv6/netfilter/ip6_tables.c | 12 +----------- + net/netfilter/x_tables.c | 34 ++++++++++++++++++++++++++++++++++ + 5 files changed, 41 insertions(+), 32 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -242,6 +242,10 @@ void xt_unregister_match(struct xt_match + int xt_register_matches(struct xt_match *match, unsigned int n); + void xt_unregister_matches(struct xt_match *match, unsigned int n); + ++int xt_check_entry_offsets(const void *base, ++ unsigned int target_offset, ++ unsigned int next_offset); ++ + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -496,19 +496,10 @@ next: + + static inline int check_entry(const struct arpt_entry *e) + { +- const struct xt_entry_target *t; +- + if (!arp_checkentry(&e->arp)) + return -EINVAL; + +- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset) +- return -EINVAL; +- +- t = arpt_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; ++ return xt_check_entry_offsets(e, e->target_offset, e->next_offset); + } + + static inline int check_target(struct arpt_entry *e, const char *name) +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -590,20 +590,10 @@ static void cleanup_match(struct xt_entr + static int + check_entry(const struct ipt_entry *e) + { +- const struct xt_entry_target *t; +- + if (!ip_checkentry(&e->ip)) + return -EINVAL; + +- if (e->target_offset + sizeof(struct xt_entry_target) > +- e->next_offset) +- return -EINVAL; +- +- t = ipt_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; ++ return xt_check_entry_offsets(e, e->target_offset, e->next_offset); + } + + static int +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -602,20 +602,10 @@ static void cleanup_match(struct xt_entr + static int + check_entry(const struct ip6t_entry *e) + { +- const struct xt_entry_target *t; +- + if (!ip6_checkentry(&e->ipv6)) + return -EINVAL; + +- if (e->target_offset + sizeof(struct xt_entry_target) > +- e->next_offset) +- return -EINVAL; +- +- t = ip6t_get_target_c(e); +- if (e->target_offset + t->u.target_size > e->next_offset) +- return -EINVAL; +- +- return 0; ++ return xt_check_entry_offsets(e, e->target_offset, e->next_offset); + } + + static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -541,6 +541,40 @@ int xt_compat_match_to_user(const struct + EXPORT_SYMBOL_GPL(xt_compat_match_to_user); + #endif /* CONFIG_COMPAT */ + ++/** ++ * xt_check_entry_offsets - validate arp/ip/ip6t_entry ++ * ++ * @base: pointer to arp/ip/ip6t_entry ++ * @target_offset: the arp/ip/ip6_t->target_offset ++ * @next_offset: the arp/ip/ip6_t->next_offset ++ * ++ * validates that target_offset and next_offset are sane. ++ * ++ * The arp/ip/ip6t_entry structure @base must have passed following tests: ++ * - it must point to a valid memory location ++ * - base to base + next_offset must be accessible, i.e. not exceed allocated ++ * length. ++ * ++ * Return: 0 on success, negative errno on failure. ++ */ ++int xt_check_entry_offsets(const void *base, ++ unsigned int target_offset, ++ unsigned int next_offset) ++{ ++ const struct xt_entry_target *t; ++ const char *e = base; ++ ++ if (target_offset + sizeof(*t) > next_offset) ++ return -EINVAL; ++ ++ t = (void *)(e + target_offset); ++ if (target_offset + t->u.target_size > next_offset) ++ return -EINVAL; ++ ++ return 0; ++} ++EXPORT_SYMBOL(xt_check_entry_offsets); ++ + int xt_check_target(struct xt_tgchk_param *par, + unsigned int size, u_int8_t proto, bool inv_proto) + { diff --git a/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch b/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch new file mode 100644 index 000000000000..c08d01c8a676 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch @@ -0,0 +1,105 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:26 +0200 +Subject: netfilter: x_tables: add compat version of xt_check_entry_offsets +Origin: https://git.kernel.org/linus/fc1221b3a163d1386d1052184202d5dc50d302d1 + +32bit rulesets have different layout and alignment requirements, so once +more integrity checks get added to xt_check_entry_offsets it will reject +well-formed 32bit rulesets. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/x_tables.h | 3 +++ + net/ipv4/netfilter/arp_tables.c | 3 ++- + net/ipv4/netfilter/ip_tables.c | 3 ++- + net/ipv6/netfilter/ip6_tables.c | 3 ++- + net/netfilter/x_tables.c | 22 ++++++++++++++++++++++ + 5 files changed, 31 insertions(+), 3 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -494,6 +494,9 @@ void xt_compat_target_from_user(struct x + unsigned int *size); + int xt_compat_target_to_user(const struct xt_entry_target *t, + void __user **dstptr, unsigned int *size); ++int xt_compat_check_entry_offsets(const void *base, ++ unsigned int target_offset, ++ unsigned int next_offset); + + #endif /* CONFIG_COMPAT */ + #endif /* _X_TABLES_H */ +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1254,7 +1254,8 @@ check_compat_entry_size_and_hooks(struct + if (!arp_checkentry(&e->arp)) + return -EINVAL; + +- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); ++ ret = xt_compat_check_entry_offsets(e, e->target_offset, ++ e->next_offset); + if (ret) + return ret; + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1513,7 +1513,8 @@ check_compat_entry_size_and_hooks(struct + if (!ip_checkentry(&e->ip)) + return -EINVAL; + +- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); ++ ret = xt_compat_check_entry_offsets(e, ++ e->target_offset, e->next_offset); + if (ret) + return ret; + +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1525,7 +1525,8 @@ check_compat_entry_size_and_hooks(struct + if (!ip6_checkentry(&e->ipv6)) + return -EINVAL; + +- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); ++ ret = xt_compat_check_entry_offsets(e, ++ e->target_offset, e->next_offset); + if (ret) + return ret; + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -539,6 +539,27 @@ int xt_compat_match_to_user(const struct + return 0; + } + EXPORT_SYMBOL_GPL(xt_compat_match_to_user); ++ ++int xt_compat_check_entry_offsets(const void *base, ++ unsigned int target_offset, ++ unsigned int next_offset) ++{ ++ const struct compat_xt_entry_target *t; ++ const char *e = base; ++ ++ if (target_offset + sizeof(*t) > next_offset) ++ return -EINVAL; ++ ++ t = (void *)(e + target_offset); ++ if (t->u.target_size < sizeof(*t)) ++ return -EINVAL; ++ ++ if (target_offset + t->u.target_size > next_offset) ++ return -EINVAL; ++ ++ return 0; ++} ++EXPORT_SYMBOL(xt_compat_check_entry_offsets); + #endif /* CONFIG_COMPAT */ + + /** +@@ -549,6 +570,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_use + * @next_offset: the arp/ip/ip6_t->next_offset + * + * validates that target_offset and next_offset are sane. ++ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. + * + * The arp/ip/ip6t_entry structure @base must have passed following tests: + * - it must point to a valid memory location diff --git a/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch b/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch new file mode 100644 index 000000000000..6a13a02d0ac9 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch @@ -0,0 +1,25 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:25 +0200 +Subject: netfilter: x_tables: assert minimum target size +Origin: https://git.kernel.org/linus/a08e4e190b866579896c09af59b3bdca821da2cd + +The target size includes the size of the xt_entry_target struct. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/x_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -568,6 +568,9 @@ int xt_check_entry_offsets(const void *b + return -EINVAL; + + t = (void *)(e + target_offset); ++ if (t->u.target_size < sizeof(*t)) ++ return -EINVAL; ++ + if (target_offset + t->u.target_size > next_offset) + return -EINVAL; + diff --git a/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch b/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch new file mode 100644 index 000000000000..a7617869b9d5 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch @@ -0,0 +1,164 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:28 +0200 +Subject: netfilter: x_tables: check for bogus target offset +Origin: https://git.kernel.org/linus/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c + +We're currently asserting that targetoff + targetsize <= nextoff. + +Extend it to also check that targetoff is >= sizeof(xt_entry). +Since this is generic code, add an argument pointing to the start of the +match/target, we can then derive the base structure size from the delta. + +We also need the e->elems pointer in a followup change to validate matches. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/x_tables.h | 4 ++-- + net/ipv4/netfilter/arp_tables.c | 5 +++-- + net/ipv4/netfilter/ip_tables.c | 5 +++-- + net/ipv6/netfilter/ip6_tables.c | 5 +++-- + net/netfilter/x_tables.c | 17 +++++++++++++++-- + 5 files changed, 26 insertions(+), 10 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -242,7 +242,7 @@ void xt_unregister_match(struct xt_match + int xt_register_matches(struct xt_match *match, unsigned int n); + void xt_unregister_matches(struct xt_match *match, unsigned int n); + +-int xt_check_entry_offsets(const void *base, ++int xt_check_entry_offsets(const void *base, const char *elems, + unsigned int target_offset, + unsigned int next_offset); + +@@ -494,7 +494,7 @@ void xt_compat_target_from_user(struct x + unsigned int *size); + int xt_compat_target_to_user(const struct xt_entry_target *t, + void __user **dstptr, unsigned int *size); +-int xt_compat_check_entry_offsets(const void *base, ++int xt_compat_check_entry_offsets(const void *base, const char *elems, + unsigned int target_offset, + unsigned int next_offset); + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -592,7 +592,8 @@ static inline int check_entry_size_and_h + if (!arp_checkentry(&e->arp)) + return -EINVAL; + +- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); + if (err) + return err; + +@@ -1254,7 +1255,7 @@ check_compat_entry_size_and_hooks(struct + if (!arp_checkentry(&e->arp)) + return -EINVAL; + +- ret = xt_compat_check_entry_offsets(e, e->target_offset, ++ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset, + e->next_offset); + if (ret) + return ret; +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -754,7 +754,8 @@ check_entry_size_and_hooks(struct ipt_en + if (!ip_checkentry(&e->ip)) + return -EINVAL; + +- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); + if (err) + return err; + +@@ -1513,7 +1514,7 @@ check_compat_entry_size_and_hooks(struct + if (!ip_checkentry(&e->ip)) + return -EINVAL; + +- ret = xt_compat_check_entry_offsets(e, ++ ret = xt_compat_check_entry_offsets(e, e->elems, + e->target_offset, e->next_offset); + if (ret) + return ret; +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -766,7 +766,8 @@ check_entry_size_and_hooks(struct ip6t_e + if (!ip6_checkentry(&e->ipv6)) + return -EINVAL; + +- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset, ++ e->next_offset); + if (err) + return err; + +@@ -1525,7 +1526,7 @@ check_compat_entry_size_and_hooks(struct + if (!ip6_checkentry(&e->ipv6)) + return -EINVAL; + +- ret = xt_compat_check_entry_offsets(e, ++ ret = xt_compat_check_entry_offsets(e, e->elems, + e->target_offset, e->next_offset); + if (ret) + return ret; +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -546,14 +546,17 @@ struct compat_xt_standard_target { + compat_uint_t verdict; + }; + +-/* see xt_check_entry_offsets */ +-int xt_compat_check_entry_offsets(const void *base, ++int xt_compat_check_entry_offsets(const void *base, const char *elems, + unsigned int target_offset, + unsigned int next_offset) + { ++ long size_of_base_struct = elems - (const char *)base; + const struct compat_xt_entry_target *t; + const char *e = base; + ++ if (target_offset < size_of_base_struct) ++ return -EINVAL; ++ + if (target_offset + sizeof(*t) > next_offset) + return -EINVAL; + +@@ -577,12 +580,16 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs + * xt_check_entry_offsets - validate arp/ip/ip6t_entry + * + * @base: pointer to arp/ip/ip6t_entry ++ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems + * @target_offset: the arp/ip/ip6_t->target_offset + * @next_offset: the arp/ip/ip6_t->next_offset + * + * validates that target_offset and next_offset are sane. + * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. + * ++ * This function does not validate the targets or matches themselves, it ++ * only tests that all the offsets and sizes are correct. ++ * + * The arp/ip/ip6t_entry structure @base must have passed following tests: + * - it must point to a valid memory location + * - base to base + next_offset must be accessible, i.e. not exceed allocated +@@ -591,12 +598,18 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs + * Return: 0 on success, negative errno on failure. + */ + int xt_check_entry_offsets(const void *base, ++ const char *elems, + unsigned int target_offset, + unsigned int next_offset) + { ++ long size_of_base_struct = elems - (const char *)base; + const struct xt_entry_target *t; + const char *e = base; + ++ /* target start is within the ip/ip6/arpt_entry struct */ ++ if (target_offset < size_of_base_struct) ++ return -EINVAL; ++ + if (target_offset + sizeof(*t) > next_offset) + return -EINVAL; + diff --git a/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch b/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch new file mode 100644 index 000000000000..427d31b860fb --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch @@ -0,0 +1,60 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:27 +0200 +Subject: netfilter: x_tables: check standard target size too +Origin: https://git.kernel.org/linus/7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 + +We have targets and standard targets -- the latter carries a verdict. + +The ip/ip6tables validation functions will access t->verdict for the +standard targets to fetch the jump offset or verdict for chainloop +detection, but this happens before the targets get checked/validated. + +Thus we also need to check for verdict presence here, else t->verdict +can point right after a blob. + +Spotted with UBSAN while testing malformed blobs. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/x_tables.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -540,6 +540,13 @@ int xt_compat_match_to_user(const struct + } + EXPORT_SYMBOL_GPL(xt_compat_match_to_user); + ++/* non-compat version may have padding after verdict */ ++struct compat_xt_standard_target { ++ struct compat_xt_entry_target t; ++ compat_uint_t verdict; ++}; ++ ++/* see xt_check_entry_offsets */ + int xt_compat_check_entry_offsets(const void *base, + unsigned int target_offset, + unsigned int next_offset) +@@ -557,6 +564,10 @@ int xt_compat_check_entry_offsets(const + if (target_offset + t->u.target_size > next_offset) + return -EINVAL; + ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && ++ target_offset + sizeof(struct compat_xt_standard_target) != next_offset) ++ return -EINVAL; ++ + return 0; + } + EXPORT_SYMBOL(xt_compat_check_entry_offsets); +@@ -596,6 +607,10 @@ int xt_check_entry_offsets(const void *b + if (target_offset + t->u.target_size > next_offset) + return -EINVAL; + ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && ++ target_offset + sizeof(struct xt_standard_target) != next_offset) ++ return -EINVAL; ++ + return 0; + } + EXPORT_SYMBOL(xt_check_entry_offsets); diff --git a/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch b/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch new file mode 100644 index 000000000000..75270cf93a06 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch @@ -0,0 +1,798 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:34 +0200 +Subject: netfilter: x_tables: do compat validation via translate_table +Origin: https://git.kernel.org/linus/09d9686047dbbe1cf4faa558d3ecc4aae2046054 + +This looks like refactoring, but its also a bug fix. + +Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few +sanity tests that are done in the normal path. + +For example, we do not check for underflows and the base chain policies. + +While its possible to also add such checks to the compat path, its more +copy&pastry, for instance we cannot reuse check_underflow() helper as +e->target_offset differs in the compat case. + +Other problem is that it makes auditing for validation errors harder; two +places need to be checked and kept in sync. + +At a high level 32 bit compat works like this: +1- initial pass over blob: + validate match/entry offsets, bounds checking + lookup all matches and targets + do bookkeeping wrt. size delta of 32/64bit structures + assign match/target.u.kernel pointer (points at kernel + implementation, needed to access ->compatsize etc.) + +2- allocate memory according to the total bookkeeping size to + contain the translated ruleset + +3- second pass over original blob: + for each entry, copy the 32bit representation to the newly allocated + memory. This also does any special match translations (e.g. + adjust 32bit to 64bit longs, etc). + +4- check if ruleset is free of loops (chase all jumps) + +5-first pass over translated blob: + call the checkentry function of all matches and targets. + +The alternative implemented by this patch is to drop steps 3&4 from the +compat process, the translation is changed into an intermediate step +rather than a full 1:1 translate_table replacement. + +In the 2nd pass (step #3), change the 64bit ruleset back to a kernel +representation, i.e. put() the kernel pointer and restore ->u.user.name . + +This gets us a 64bit ruleset that is in the format generated by a 64bit +iptables userspace -- we can then use translate_table() to get the +'native' sanity checks. + +This has two drawbacks: + +1. we re-validate all the match and target entry structure sizes even +though compat translation is supposed to never generate bogus offsets. +2. we put and then re-lookup each match and target. + +THe upside is that we get all sanity tests and ruleset validations +provided by the normal path and can remove some duplicated compat code. + +iptables-restore time of autogenerated ruleset with 300k chains of form +-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002 +-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003 + +shows no noticeable differences in restore times: +old: 0m30.796s +new: 0m31.521s +64bit: 0m25.674s + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 114 ++++++----------------------- + net/ipv4/netfilter/ip_tables.c | 155 ++++++++-------------------------------- + net/ipv6/netfilter/ip6_tables.c | 148 ++++++-------------------------------- + net/netfilter/x_tables.c | 8 +++ + 4 files changed, 83 insertions(+), 342 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1234,19 +1234,17 @@ static inline void compat_release_entry( + module_put(t->u.kernel.target->me); + } + +-static inline int ++static int + check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows) ++ const unsigned char *limit) + { + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || +@@ -1291,17 +1289,6 @@ check_compat_entry_size_and_hooks(struct + if (ret) + goto release_target; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_ARP_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + release_target: +@@ -1351,7 +1338,7 @@ static int translate_compat_table(struct + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_arpt_entry *iter0; +- struct arpt_entry *iter1; ++ struct arpt_replace repl; + unsigned int size; + int ret = 0; + +@@ -1360,12 +1347,6 @@ static int translate_compat_table(struct + size = compatr->size; + info->number = compatr->num_entries; + +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } +- + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(NFPROTO_ARP); +@@ -1374,9 +1355,7 @@ static int translate_compat_table(struct + xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + compatr->size, +- compatr->hook_entry, +- compatr->underflow); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; +@@ -1389,23 +1368,6 @@ static int translate_compat_table(struct + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(compatr->valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, info->hook_entry[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, info->underflow[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) +@@ -1422,55 +1384,26 @@ static int translate_compat_table(struct + xt_entry_foreach(iter0, entry0, compatr->size) + compat_copy_entry_from_user(iter0, &pos, &size, + newinfo, entry1); ++ ++ /* all module references in entry0 are now gone */ ++ + xt_compat_flush_offsets(NFPROTO_ARP); + xt_compat_unlock(NFPROTO_ARP); + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) +- goto free_newinfo; +- +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- iter1->counters.pcnt = xt_percpu_counter_alloc(); +- if (IS_ERR_VALUE(iter1->counters.pcnt)) { +- ret = -ENOMEM; +- break; +- } ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- ret = check_target(iter1, compatr->name); +- if (ret != 0) { +- xt_percpu_counter_free(iter1->counters.pcnt); +- break; +- } +- ++i; +- if (strcmp(arpt_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_ARP_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; ++ + *pinfo = newinfo; + *pentry0 = entry1; + xt_free_table_info(info); +@@ -1478,17 +1411,16 @@ static int translate_compat_table(struct + + free_newinfo: + xt_free_table_info(newinfo); +-out: ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(NFPROTO_ARP); ++ xt_compat_unlock(NFPROTO_ARP); + xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(NFPROTO_ARP); +- xt_compat_unlock(NFPROTO_ARP); +- goto out; + } + + static int compat_do_replace(struct net *net, void __user *user, +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1483,16 +1483,14 @@ check_compat_entry_size_and_hooks(struct + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows) ++ const unsigned char *limit) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; + unsigned int j; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || +@@ -1544,17 +1542,6 @@ check_compat_entry_size_and_hooks(struct + if (ret) + goto out; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_INET_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + out: +@@ -1597,6 +1584,7 @@ compat_copy_entry_from_user(struct compa + xt_compat_target_from_user(t, dstptr, size); + + de->next_offset = e->next_offset - (origsize - *size); ++ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if ((unsigned char *)de - base < newinfo->hook_entry[h]) + newinfo->hook_entry[h] -= origsize - *size; +@@ -1606,48 +1594,6 @@ compat_copy_entry_from_user(struct compa + } + + static int +-compat_check_entry(struct ipt_entry *e, struct net *net, const char *name) +-{ +- struct xt_entry_match *ematch; +- struct xt_mtchk_param mtpar; +- unsigned int j; +- int ret = 0; +- +- e->counters.pcnt = xt_percpu_counter_alloc(); +- if (IS_ERR_VALUE(e->counters.pcnt)) +- return -ENOMEM; +- +- j = 0; +- mtpar.net = net; +- mtpar.table = name; +- mtpar.entryinfo = &e->ip; +- mtpar.hook_mask = e->comefrom; +- mtpar.family = NFPROTO_IPV4; +- xt_ematch_foreach(ematch, e) { +- ret = check_match(ematch, &mtpar); +- if (ret != 0) +- goto cleanup_matches; +- ++j; +- } +- +- ret = check_target(e, net, name); +- if (ret) +- goto cleanup_matches; +- return 0; +- +- cleanup_matches: +- xt_ematch_foreach(ematch, e) { +- if (j-- == 0) +- break; +- cleanup_match(ematch, net); +- } +- +- xt_percpu_counter_free(e->counters.pcnt); +- +- return ret; +-} +- +-static int + translate_compat_table(struct net *net, + struct xt_table_info **pinfo, + void **pentry0, +@@ -1657,7 +1603,7 @@ translate_compat_table(struct net *net, + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_ipt_entry *iter0; +- struct ipt_entry *iter1; ++ struct ipt_replace repl; + unsigned int size; + int ret; + +@@ -1666,12 +1612,6 @@ translate_compat_table(struct net *net, + size = compatr->size; + info->number = compatr->num_entries; + +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } +- + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET); +@@ -1680,9 +1620,7 @@ translate_compat_table(struct net *net, + xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + compatr->size, +- compatr->hook_entry, +- compatr->underflow); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; +@@ -1695,23 +1633,6 @@ translate_compat_table(struct net *net, + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(compatr->valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, info->hook_entry[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, info->underflow[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) +@@ -1719,8 +1640,8 @@ translate_compat_table(struct net *net, + + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries; + pos = entry1; +@@ -1729,47 +1650,30 @@ translate_compat_table(struct net *net, + compat_copy_entry_from_user(iter0, &pos, &size, + newinfo, entry1); + ++ /* all module references in entry0 are now gone. ++ * entry1/newinfo contains a 64bit ruleset that looks exactly as ++ * generated by 64bit userspace. ++ * ++ * Call standard translate_table() to validate all hook_entrys, ++ * underflows, check for loops, etc. ++ */ + xt_compat_flush_offsets(AF_INET); + xt_compat_unlock(AF_INET); + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, compatr->name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(ipt_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1, net); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(net, newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; ++ + *pinfo = newinfo; + *pentry0 = entry1; + xt_free_table_info(info); +@@ -1777,17 +1681,16 @@ translate_compat_table(struct net *net, + + free_newinfo: + xt_free_table_info(newinfo); +-out: ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(AF_INET); ++ xt_compat_unlock(AF_INET); + xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(AF_INET); +- xt_compat_unlock(AF_INET); +- goto out; + } + + static int +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1495,16 +1495,14 @@ check_compat_entry_size_and_hooks(struct + struct xt_table_info *newinfo, + unsigned int *size, + const unsigned char *base, +- const unsigned char *limit, +- const unsigned int *hook_entries, +- const unsigned int *underflows) ++ const unsigned char *limit) + { + struct xt_entry_match *ematch; + struct xt_entry_target *t; + struct xt_target *target; + unsigned int entry_offset; + unsigned int j; +- int ret, off, h; ++ int ret, off; + + duprintf("check_compat_entry_size_and_hooks %p\n", e); + if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 || +@@ -1556,17 +1554,6 @@ check_compat_entry_size_and_hooks(struct + if (ret) + goto out; + +- /* Check hooks & underflows */ +- for (h = 0; h < NF_INET_NUMHOOKS; h++) { +- if ((unsigned char *)e - base == hook_entries[h]) +- newinfo->hook_entry[h] = hook_entries[h]; +- if ((unsigned char *)e - base == underflows[h]) +- newinfo->underflow[h] = underflows[h]; +- } +- +- /* Clear counters and comefrom */ +- memset(&e->counters, 0, sizeof(e->counters)); +- e->comefrom = 0; + return 0; + + out: +@@ -1615,47 +1602,6 @@ compat_copy_entry_from_user(struct compa + } + } + +-static int compat_check_entry(struct ip6t_entry *e, struct net *net, +- const char *name) +-{ +- unsigned int j; +- int ret = 0; +- struct xt_mtchk_param mtpar; +- struct xt_entry_match *ematch; +- +- e->counters.pcnt = xt_percpu_counter_alloc(); +- if (IS_ERR_VALUE(e->counters.pcnt)) +- return -ENOMEM; +- j = 0; +- mtpar.net = net; +- mtpar.table = name; +- mtpar.entryinfo = &e->ipv6; +- mtpar.hook_mask = e->comefrom; +- mtpar.family = NFPROTO_IPV6; +- xt_ematch_foreach(ematch, e) { +- ret = check_match(ematch, &mtpar); +- if (ret != 0) +- goto cleanup_matches; +- ++j; +- } +- +- ret = check_target(e, net, name); +- if (ret) +- goto cleanup_matches; +- return 0; +- +- cleanup_matches: +- xt_ematch_foreach(ematch, e) { +- if (j-- == 0) +- break; +- cleanup_match(ematch, net); +- } +- +- xt_percpu_counter_free(e->counters.pcnt); +- +- return ret; +-} +- + static int + translate_compat_table(struct net *net, + struct xt_table_info **pinfo, +@@ -1666,7 +1612,7 @@ translate_compat_table(struct net *net, + struct xt_table_info *newinfo, *info; + void *pos, *entry0, *entry1; + struct compat_ip6t_entry *iter0; +- struct ip6t_entry *iter1; ++ struct ip6t_replace repl; + unsigned int size; + int ret = 0; + +@@ -1675,12 +1621,6 @@ translate_compat_table(struct net *net, + size = compatr->size; + info->number = compatr->num_entries; + +- /* Init all hooks to impossible value. */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- info->hook_entry[i] = 0xFFFFFFFF; +- info->underflow[i] = 0xFFFFFFFF; +- } +- + duprintf("translate_compat_table: size %u\n", info->size); + j = 0; + xt_compat_lock(AF_INET6); +@@ -1689,9 +1629,7 @@ translate_compat_table(struct net *net, + xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, + entry0, +- entry0 + compatr->size, +- compatr->hook_entry, +- compatr->underflow); ++ entry0 + compatr->size); + if (ret != 0) + goto out_unlock; + ++j; +@@ -1704,23 +1642,6 @@ translate_compat_table(struct net *net, + goto out_unlock; + } + +- /* Check hooks all assigned */ +- for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- /* Only hooks which are valid */ +- if (!(compatr->valid_hooks & (1 << i))) +- continue; +- if (info->hook_entry[i] == 0xFFFFFFFF) { +- duprintf("Invalid hook entry %u %u\n", +- i, info->hook_entry[i]); +- goto out_unlock; +- } +- if (info->underflow[i] == 0xFFFFFFFF) { +- duprintf("Invalid underflow %u %u\n", +- i, info->underflow[i]); +- goto out_unlock; +- } +- } +- + ret = -ENOMEM; + newinfo = xt_alloc_table_info(size); + if (!newinfo) +@@ -1728,56 +1649,34 @@ translate_compat_table(struct net *net, + + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { +- newinfo->hook_entry[i] = info->hook_entry[i]; +- newinfo->underflow[i] = info->underflow[i]; ++ newinfo->hook_entry[i] = compatr->hook_entry[i]; ++ newinfo->underflow[i] = compatr->underflow[i]; + } + entry1 = newinfo->entries; + pos = entry1; ++ size = compatr->size; + xt_entry_foreach(iter0, entry0, compatr->size) + compat_copy_entry_from_user(iter0, &pos, &size, + newinfo, entry1); + ++ /* all module references in entry0 are now gone. */ + xt_compat_flush_offsets(AF_INET6); + xt_compat_unlock(AF_INET6); + +- ret = -ELOOP; +- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) +- goto free_newinfo; ++ memcpy(&repl, compatr, sizeof(*compatr)); + +- i = 0; +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- ret = compat_check_entry(iter1, net, compatr->name); +- if (ret != 0) +- break; +- ++i; +- if (strcmp(ip6t_get_target(iter1)->u.user.name, +- XT_ERROR_TARGET) == 0) +- ++newinfo->stacksize; +- } +- if (ret) { +- /* +- * The first i matches need cleanup_entry (calls ->destroy) +- * because they had called ->check already. The other j-i +- * entries need only release. +- */ +- int skip = i; +- j -= i; +- xt_entry_foreach(iter0, entry0, newinfo->size) { +- if (skip-- > 0) +- continue; +- if (j-- == 0) +- break; +- compat_release_entry(iter0); +- } +- xt_entry_foreach(iter1, entry1, newinfo->size) { +- if (i-- == 0) +- break; +- cleanup_entry(iter1, net); +- } +- xt_free_table_info(newinfo); +- return ret; ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) { ++ repl.hook_entry[i] = newinfo->hook_entry[i]; ++ repl.underflow[i] = newinfo->underflow[i]; + } + ++ repl.num_counters = 0; ++ repl.counters = NULL; ++ repl.size = newinfo->size; ++ ret = translate_table(net, newinfo, entry1, &repl); ++ if (ret) ++ goto free_newinfo; ++ + *pinfo = newinfo; + *pentry0 = entry1; + xt_free_table_info(info); +@@ -1785,17 +1684,16 @@ translate_compat_table(struct net *net, + + free_newinfo: + xt_free_table_info(newinfo); +-out: ++ return ret; ++out_unlock: ++ xt_compat_flush_offsets(AF_INET6); ++ xt_compat_unlock(AF_INET6); + xt_entry_foreach(iter0, entry0, compatr->size) { + if (j-- == 0) + break; + compat_release_entry(iter0); + } + return ret; +-out_unlock: +- xt_compat_flush_offsets(AF_INET6); +- xt_compat_unlock(AF_INET6); +- goto out; + } + + static int +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -533,6 +533,7 @@ void xt_compat_match_from_user(struct xt + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; + int pad, off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; ++ char name[sizeof(m->u.user.name)]; + + m = *dstptr; + memcpy(m, cm, sizeof(*cm)); +@@ -546,6 +547,9 @@ void xt_compat_match_from_user(struct xt + + msize += off; + m->u.user.match_size = msize; ++ strlcpy(name, match->name, sizeof(name)); ++ module_put(match->me); ++ strncpy(m->u.user.name, name, sizeof(m->u.user.name)); + + *size += off; + *dstptr += msize; +@@ -763,6 +767,7 @@ void xt_compat_target_from_user(struct x + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; + int pad, off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; ++ char name[sizeof(t->u.user.name)]; + + t = *dstptr; + memcpy(t, ct, sizeof(*ct)); +@@ -776,6 +781,9 @@ void xt_compat_target_from_user(struct x + + tsize += off; + t->u.user.target_size = tsize; ++ strlcpy(name, target->name, sizeof(name)); ++ module_put(target->me); ++ strncpy(t->u.user.name, name, sizeof(t->u.user.name)); + + *size += off; + *dstptr += tsize; diff --git a/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch b/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch new file mode 100644 index 000000000000..23ad93f795ac --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch @@ -0,0 +1,100 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:21 +0200 +Subject: netfilter: x_tables: don't move to non-existent next rule +Origin: https://git.kernel.org/linus/f24e230d257af1ad7476c6e81a8dc3127a74204e + +Ben Hawkes says: + + In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it + is possible for a user-supplied ipt_entry structure to have a large + next_offset field. This field is not bounds checked prior to writing a + counter value at the supplied offset. + +Base chains enforce absolute verdict. + +User defined chains are supposed to end with an unconditional return, +xtables userspace adds them automatically. + +But if such return is missing we will move to non-existent next rule. + +Reported-by: Ben Hawkes +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 8 +++++--- + net/ipv4/netfilter/ip_tables.c | 4 ++++ + net/ipv6/netfilter/ip6_tables.c | 4 ++++ + 3 files changed, 13 insertions(+), 3 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -439,6 +439,8 @@ static int mark_source_chains(const stru + size = e->next_offset; + e = (struct arpt_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -461,6 +463,8 @@ static int mark_source_chains(const stru + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct arpt_entry *) + (entry0 + newpos); +@@ -691,10 +695,8 @@ static int translate_table(struct xt_tab + } + } + +- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) { +- duprintf("Looping hook\n"); ++ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) + return -ELOOP; +- } + + /* Finally, each sanity check must pass */ + i = 0; +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -520,6 +520,8 @@ mark_source_chains(const struct xt_table + size = e->next_offset; + e = (struct ipt_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -541,6 +543,8 @@ mark_source_chains(const struct xt_table + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct ipt_entry *) + (entry0 + newpos); +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -532,6 +532,8 @@ mark_source_chains(const struct xt_table + size = e->next_offset; + e = (struct ip6t_entry *) + (entry0 + pos + size); ++ if (pos + size >= newinfo->size) ++ return 0; + e->counters.pcnt = pos; + pos += size; + } else { +@@ -553,6 +555,8 @@ mark_source_chains(const struct xt_table + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; ++ if (newpos >= newinfo->size) ++ return 0; + } + e = (struct ip6t_entry *) + (entry0 + newpos); diff --git a/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch b/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch new file mode 100644 index 000000000000..75001438576b --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch @@ -0,0 +1,54 @@ +From: Florian Westphal +Date: Wed, 1 Jun 2016 02:04:44 +0200 +Subject: netfilter: x_tables: don't reject valid target size on some + architectures +Origin: https://git.kernel.org/linus/7b7eba0f3515fca3296b8881d583f7c1042f5226 + +Quoting John Stultz: + In updating a 32bit arm device from 4.6 to Linus' current HEAD, I + noticed I was having some trouble with networking, and realized that + /proc/net/ip_tables_names was suddenly empty. + Digging through the registration process, it seems we're catching on the: + + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && + target_offset + sizeof(struct xt_standard_target) != next_offset) + return -EINVAL; + + Where next_offset seems to be 4 bytes larger then the + offset + standard_target struct size. + +next_offset needs to be aligned via XT_ALIGN (so we can access all members +of ip(6)t_entry struct). + +This problem didn't show up on i686 as it only needs 4-byte alignment for +u64, but iptables userspace on other 32bit arches does insert extra padding. + +Reported-by: John Stultz +Tested-by: John Stultz +Fixes: 7ed2abddd20cf ("netfilter: x_tables: check standard target size too") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/x_tables.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -609,7 +609,7 @@ int xt_compat_check_entry_offsets(const + return -EINVAL; + + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && +- target_offset + sizeof(struct compat_xt_standard_target) != next_offset) ++ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset) + return -EINVAL; + + /* compat_xt_entry match has less strict aligment requirements, +@@ -691,7 +691,7 @@ int xt_check_entry_offsets(const void *b + return -EINVAL; + + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && +- target_offset + sizeof(struct xt_standard_target) != next_offset) ++ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset) + return -EINVAL; + + return xt_check_entry_match(elems, base + target_offset, diff --git a/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch b/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch new file mode 100644 index 000000000000..263f64d7c011 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch @@ -0,0 +1,328 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 15:37:59 +0200 +Subject: netfilter: x_tables: introduce and use xt_copy_counters_from_user +Origin: https://git.kernel.org/linus/d7591f0c41ce3e67600a982bab6989ef0f07b3ce + +The three variants use same copy&pasted code, condense this into a +helper and use that. + +Make sure info.name is 0-terminated. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/x_tables.h | 3 ++ + net/ipv4/netfilter/arp_tables.c | 48 +++---------------------- + net/ipv4/netfilter/ip_tables.c | 48 +++---------------------- + net/ipv6/netfilter/ip6_tables.c | 49 +++---------------------- + net/netfilter/x_tables.c | 74 ++++++++++++++++++++++++++++++++++++++ + 5 files changed, 92 insertions(+), 130 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -251,6 +251,9 @@ int xt_check_match(struct xt_mtchk_param + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, + bool inv_proto); + ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len, ++ struct xt_counters_info *info, bool compat); ++ + struct xt_table *xt_register_table(struct net *net, + const struct xt_table *table, + struct xt_table_info *bootstrap, +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1131,55 +1131,17 @@ static int do_add_counters(struct net *n + unsigned int i; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- const char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + struct arpt_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; + +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); + +- t = xt_find_table_lock(net, NFPROTO_ARP, name); ++ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1187,7 +1149,7 @@ static int do_add_counters(struct net *n + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1314,55 +1314,17 @@ do_add_counters(struct net *net, const v + unsigned int i; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- const char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + struct ipt_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; + +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); + +- t = xt_find_table_lock(net, AF_INET, name); ++ t = xt_find_table_lock(net, AF_INET, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1370,7 +1332,7 @@ do_add_counters(struct net *net, const v + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1326,55 +1326,16 @@ do_add_counters(struct net *net, const v + unsigned int i; + struct xt_counters_info tmp; + struct xt_counters *paddc; +- unsigned int num_counters; +- char *name; +- int size; +- void *ptmp; + struct xt_table *t; + const struct xt_table_info *private; + int ret = 0; + struct ip6t_entry *iter; + unsigned int addend; +-#ifdef CONFIG_COMPAT +- struct compat_xt_counters_info compat_tmp; + +- if (compat) { +- ptmp = &compat_tmp; +- size = sizeof(struct compat_xt_counters_info); +- } else +-#endif +- { +- ptmp = &tmp; +- size = sizeof(struct xt_counters_info); +- } +- +- if (copy_from_user(ptmp, user, size) != 0) +- return -EFAULT; +- +-#ifdef CONFIG_COMPAT +- if (compat) { +- num_counters = compat_tmp.num_counters; +- name = compat_tmp.name; +- } else +-#endif +- { +- num_counters = tmp.num_counters; +- name = tmp.name; +- } +- +- if (len != size + num_counters * sizeof(struct xt_counters)) +- return -EINVAL; +- +- paddc = vmalloc(len - size); +- if (!paddc) +- return -ENOMEM; +- +- if (copy_from_user(paddc, user + size, len - size) != 0) { +- ret = -EFAULT; +- goto free; +- } +- +- t = xt_find_table_lock(net, AF_INET6, name); ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); ++ if (IS_ERR(paddc)) ++ return PTR_ERR(paddc); ++ t = xt_find_table_lock(net, AF_INET6, tmp.name); + if (IS_ERR_OR_NULL(t)) { + ret = t ? PTR_ERR(t) : -ENOENT; + goto free; +@@ -1382,7 +1343,7 @@ do_add_counters(struct net *net, const v + + local_bh_disable(); + private = t->private; +- if (private->number != num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -752,6 +752,80 @@ int xt_check_target(struct xt_tgchk_para + } + EXPORT_SYMBOL_GPL(xt_check_target); + ++/** ++ * xt_copy_counters_from_user - copy counters and metadata from userspace ++ * ++ * @user: src pointer to userspace memory ++ * @len: alleged size of userspace memory ++ * @info: where to store the xt_counters_info metadata ++ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel ++ * ++ * Copies counter meta data from @user and stores it in @info. ++ * ++ * vmallocs memory to hold the counters, then copies the counter data ++ * from @user to the new memory and returns a pointer to it. ++ * ++ * If @compat is true, @info gets converted automatically to the 64bit ++ * representation. ++ * ++ * The metadata associated with the counters is stored in @info. ++ * ++ * Return: returns pointer that caller has to test via IS_ERR(). ++ * If IS_ERR is false, caller has to vfree the pointer. ++ */ ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len, ++ struct xt_counters_info *info, bool compat) ++{ ++ void *mem; ++ u64 size; ++ ++#ifdef CONFIG_COMPAT ++ if (compat) { ++ /* structures only differ in size due to alignment */ ++ struct compat_xt_counters_info compat_tmp; ++ ++ if (len <= sizeof(compat_tmp)) ++ return ERR_PTR(-EINVAL); ++ ++ len -= sizeof(compat_tmp); ++ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) ++ return ERR_PTR(-EFAULT); ++ ++ strlcpy(info->name, compat_tmp.name, sizeof(info->name)); ++ info->num_counters = compat_tmp.num_counters; ++ user += sizeof(compat_tmp); ++ } else ++#endif ++ { ++ if (len <= sizeof(*info)) ++ return ERR_PTR(-EINVAL); ++ ++ len -= sizeof(*info); ++ if (copy_from_user(info, user, sizeof(*info)) != 0) ++ return ERR_PTR(-EFAULT); ++ ++ info->name[sizeof(info->name) - 1] = '\0'; ++ user += sizeof(*info); ++ } ++ ++ size = sizeof(struct xt_counters); ++ size *= info->num_counters; ++ ++ if (size != (u64)len) ++ return ERR_PTR(-EINVAL); ++ ++ mem = vmalloc(len); ++ if (!mem) ++ return ERR_PTR(-ENOMEM); ++ ++ if (copy_from_user(mem, user, len) == 0) ++ return mem; ++ ++ vfree(mem); ++ return ERR_PTR(-EFAULT); ++} ++EXPORT_SYMBOL_GPL(xt_copy_counters_from_user); ++ + #ifdef CONFIG_COMPAT + int xt_compat_target_offset(const struct xt_target *target) + { diff --git a/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch b/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch new file mode 100644 index 000000000000..37de1a8b7c01 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch @@ -0,0 +1,149 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:24 +0200 +Subject: netfilter: x_tables: kill check_entry helper +Origin: https://git.kernel.org/linus/aa412ba225dd3bc36d404c28cdc3d674850d80d0 + +Once we add more sanity testing to xt_check_entry_offsets it +becomes relvant if we're expecting a 32bit 'config_compat' blob +or a normal one. + +Since we already have a lot of similar-named functions (check_entry, +compat_check_entry, find_and_check_entry, etc.) and the current +incarnation is short just fold its contents into the callers. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 19 ++++++++----------- + net/ipv4/netfilter/ip_tables.c | 20 ++++++++------------ + net/ipv6/netfilter/ip6_tables.c | 20 ++++++++------------ + 3 files changed, 24 insertions(+), 35 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -494,14 +494,6 @@ next: + return 1; + } + +-static inline int check_entry(const struct arpt_entry *e) +-{ +- if (!arp_checkentry(&e->arp)) +- return -EINVAL; +- +- return xt_check_entry_offsets(e, e->target_offset, e->next_offset); +-} +- + static inline int check_target(struct arpt_entry *e, const char *name) + { + struct xt_entry_target *t = arpt_get_target(e); +@@ -597,7 +589,10 @@ static inline int check_entry_size_and_h + return -EINVAL; + } + +- err = check_entry(e); ++ if (!arp_checkentry(&e->arp)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); + if (err) + return err; + +@@ -1256,8 +1251,10 @@ check_compat_entry_size_and_hooks(struct + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct arpt_entry *)e); ++ if (!arp_checkentry(&e->arp)) ++ return -EINVAL; ++ ++ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); + if (ret) + return ret; + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -588,15 +588,6 @@ static void cleanup_match(struct xt_entr + } + + static int +-check_entry(const struct ipt_entry *e) +-{ +- if (!ip_checkentry(&e->ip)) +- return -EINVAL; +- +- return xt_check_entry_offsets(e, e->target_offset, e->next_offset); +-} +- +-static int + check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) + { + const struct ipt_ip *ip = par->entryinfo; +@@ -760,7 +751,10 @@ check_entry_size_and_hooks(struct ipt_en + return -EINVAL; + } + +- err = check_entry(e); ++ if (!ip_checkentry(&e->ip)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); + if (err) + return err; + +@@ -1516,8 +1510,10 @@ check_compat_entry_size_and_hooks(struct + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ipt_entry *)e); ++ if (!ip_checkentry(&e->ip)) ++ return -EINVAL; ++ ++ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); + if (ret) + return ret; + +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -599,15 +599,6 @@ static void cleanup_match(struct xt_entr + module_put(par.match->me); + } + +-static int +-check_entry(const struct ip6t_entry *e) +-{ +- if (!ip6_checkentry(&e->ipv6)) +- return -EINVAL; +- +- return xt_check_entry_offsets(e, e->target_offset, e->next_offset); +-} +- + static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) + { + const struct ip6t_ip6 *ipv6 = par->entryinfo; +@@ -772,7 +763,10 @@ check_entry_size_and_hooks(struct ip6t_e + return -EINVAL; + } + +- err = check_entry(e); ++ if (!ip6_checkentry(&e->ipv6)) ++ return -EINVAL; ++ ++ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); + if (err) + return err; + +@@ -1528,8 +1522,10 @@ check_compat_entry_size_and_hooks(struct + return -EINVAL; + } + +- /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ip6t_entry *)e); ++ if (!ip6_checkentry(&e->ipv6)) ++ return -EINVAL; ++ ++ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); + if (ret) + return ret; + diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch new file mode 100644 index 000000000000..26923ed67e07 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch @@ -0,0 +1,137 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:29 +0200 +Subject: netfilter: x_tables: validate all offsets and sizes in a rule +Origin: https://git.kernel.org/linus/13631bfc604161a9d69cd68991dff8603edd66f9 + +Validate that all matches (if any) add up to the beginning of +the target and that each match covers at least the base structure size. + +The compat path should be able to safely re-use the function +as the structures only differ in alignment; added a +BUILD_BUG_ON just in case we have an arch that adds padding as well. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/x_tables.c | 81 +++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 76 insertions(+), 5 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -416,6 +416,47 @@ int xt_check_match(struct xt_mtchk_param + } + EXPORT_SYMBOL_GPL(xt_check_match); + ++/** xt_check_entry_match - check that matches end before start of target ++ * ++ * @match: beginning of xt_entry_match ++ * @target: beginning of this rules target (alleged end of matches) ++ * @alignment: alignment requirement of match structures ++ * ++ * Validates that all matches add up to the beginning of the target, ++ * and that each match covers at least the base structure size. ++ * ++ * Return: 0 on success, negative errno on failure. ++ */ ++static int xt_check_entry_match(const char *match, const char *target, ++ const size_t alignment) ++{ ++ const struct xt_entry_match *pos; ++ int length = target - match; ++ ++ if (length == 0) /* no matches */ ++ return 0; ++ ++ pos = (struct xt_entry_match *)match; ++ do { ++ if ((unsigned long)pos % alignment) ++ return -EINVAL; ++ ++ if (length < (int)sizeof(struct xt_entry_match)) ++ return -EINVAL; ++ ++ if (pos->u.match_size < sizeof(struct xt_entry_match)) ++ return -EINVAL; ++ ++ if (pos->u.match_size > length) ++ return -EINVAL; ++ ++ length -= pos->u.match_size; ++ pos = ((void *)((char *)(pos) + (pos)->u.match_size)); ++ } while (length > 0); ++ ++ return 0; ++} ++ + #ifdef CONFIG_COMPAT + int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) + { +@@ -571,7 +612,14 @@ int xt_compat_check_entry_offsets(const + target_offset + sizeof(struct compat_xt_standard_target) != next_offset) + return -EINVAL; + +- return 0; ++ /* compat_xt_entry match has less strict aligment requirements, ++ * otherwise they are identical. In case of padding differences ++ * we need to add compat version of xt_check_entry_match. ++ */ ++ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match)); ++ ++ return xt_check_entry_match(elems, base + target_offset, ++ __alignof__(struct compat_xt_entry_match)); + } + EXPORT_SYMBOL(xt_compat_check_entry_offsets); + #endif /* CONFIG_COMPAT */ +@@ -584,17 +632,39 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs + * @target_offset: the arp/ip/ip6_t->target_offset + * @next_offset: the arp/ip/ip6_t->next_offset + * +- * validates that target_offset and next_offset are sane. +- * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. ++ * validates that target_offset and next_offset are sane and that all ++ * match sizes (if any) align with the target offset. + * + * This function does not validate the targets or matches themselves, it +- * only tests that all the offsets and sizes are correct. ++ * only tests that all the offsets and sizes are correct, that all ++ * match structures are aligned, and that the last structure ends where ++ * the target structure begins. ++ * ++ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. + * + * The arp/ip/ip6t_entry structure @base must have passed following tests: + * - it must point to a valid memory location + * - base to base + next_offset must be accessible, i.e. not exceed allocated + * length. + * ++ * A well-formed entry looks like this: ++ * ++ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry ++ * e->elems[]-----' | | ++ * matchsize | | ++ * matchsize | | ++ * | | ++ * target_offset---------------------------------' | ++ * next_offset---------------------------------------------------' ++ * ++ * elems[]: flexible array member at end of ip(6)/arpt_entry struct. ++ * This is where matches (if any) and the target reside. ++ * target_offset: beginning of target. ++ * next_offset: start of the next rule; also: size of this rule. ++ * Since targets have a minimum size, target_offset + minlen <= next_offset. ++ * ++ * Every match stores its size, sum of sizes must not exceed target_offset. ++ * + * Return: 0 on success, negative errno on failure. + */ + int xt_check_entry_offsets(const void *base, +@@ -624,7 +694,8 @@ int xt_check_entry_offsets(const void *b + target_offset + sizeof(struct xt_standard_target) != next_offset) + return -EINVAL; + +- return 0; ++ return xt_check_entry_match(elems, base + target_offset, ++ __alignof__(struct xt_entry_match)); + } + EXPORT_SYMBOL(xt_check_entry_offsets); + diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch new file mode 100644 index 000000000000..a610aaace035 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch @@ -0,0 +1,127 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:22 +0200 +Subject: netfilter: x_tables: validate targets of jumps +Origin: https://git.kernel.org/linus/36472341017529e2b12573093cc0f68719300997 + +When we see a jump also check that the offset gets us to beginning of +a rule (an ipt_entry). + +The extra overhead is negible, even with absurd cases. + +300k custom rules, 300k jumps to 'next' user chain: +[ plus one jump from INPUT to first userchain ]: + +Before: +real 0m24.874s +user 0m7.532s +sys 0m16.076s + +After: +real 0m27.464s +user 0m7.436s +sys 0m18.840s + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++ + net/ipv4/netfilter/ip_tables.c | 16 ++++++++++++++++ + net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++++ + 3 files changed, 48 insertions(+) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -367,6 +367,18 @@ static inline bool unconditional(const s + memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const struct arpt_entry *target) ++{ ++ struct arpt_entry *iter; ++ ++ xt_entry_foreach(iter, t->entries, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + * there are loops. Puts hook bitmask in comefrom. + */ +@@ -460,6 +472,10 @@ static int mark_source_chains(const stru + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct arpt_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -443,6 +443,18 @@ ipt_do_table(struct sk_buff *skb, + #endif + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const struct ipt_entry *target) ++{ ++ struct ipt_entry *iter; ++ ++ xt_entry_foreach(iter, t->entries, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + there are loops. Puts hook bitmask in comefrom. */ + static int +@@ -540,6 +552,10 @@ mark_source_chains(const struct xt_table + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct ipt_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -455,6 +455,18 @@ ip6t_do_table(struct sk_buff *skb, + #endif + } + ++static bool find_jump_target(const struct xt_table_info *t, ++ const struct ip6t_entry *target) ++{ ++ struct ip6t_entry *iter; ++ ++ xt_entry_foreach(iter, t->entries, t->size) { ++ if (iter == target) ++ return true; ++ } ++ return false; ++} ++ + /* Figures out from what hook each rule can be called: returns 0 if + there are loops. Puts hook bitmask in comefrom. */ + static int +@@ -552,6 +564,10 @@ mark_source_chains(const struct xt_table + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); ++ e = (struct ip6t_entry *) ++ (entry0 + newpos); ++ if (!find_jump_target(newinfo, e)) ++ return 0; + } else { + /* ... this is a fallthru */ + newpos = pos + e->next_offset; diff --git a/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch b/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch new file mode 100644 index 000000000000..15df53219a80 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch @@ -0,0 +1,234 @@ +From: Florian Westphal +Date: Fri, 1 Apr 2016 14:17:33 +0200 +Subject: netfilter: x_tables: xt_compat_match_from_user doesn't need a retval +Origin: https://git.kernel.org/linus/0188346f21e6546498c2a0f84888797ad4063fc5 + +Always returned 0. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/x_tables.h | 2 +- + net/ipv4/netfilter/arp_tables.c | 17 +++++------------ + net/ipv4/netfilter/ip_tables.c | 26 +++++++++----------------- + net/ipv6/netfilter/ip6_tables.c | 27 +++++++++------------------ + net/netfilter/x_tables.c | 5 ++--- + 5 files changed, 26 insertions(+), 51 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -484,7 +484,7 @@ void xt_compat_init_offsets(u_int8_t af, + int xt_compat_calc_jump(u_int8_t af, unsigned int offset); + + int xt_compat_match_offset(const struct xt_match *match); +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + unsigned int *size); + int xt_compat_match_to_user(const struct xt_entry_match *m, + void __user **dstptr, unsigned int *size); +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1310,7 +1310,7 @@ out: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, + unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) +@@ -1319,9 +1319,8 @@ compat_copy_entry_from_user(struct compa + struct xt_target *target; + struct arpt_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + +- ret = 0; + origsize = *size; + de = (struct arpt_entry *)*dstptr; + memcpy(de, e, sizeof(struct arpt_entry)); +@@ -1342,7 +1341,6 @@ compat_copy_entry_from_user(struct compa + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; + } + + static int translate_compat_table(struct xt_table_info **pinfo, +@@ -1421,16 +1419,11 @@ static int translate_compat_table(struct + entry1 = newinfo->entries; + pos = entry1; + size = compatr->size; +- xt_entry_foreach(iter0, entry0, compatr->size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- newinfo, entry1); +- if (ret != 0) +- break; +- } ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); + xt_compat_flush_offsets(NFPROTO_ARP); + xt_compat_unlock(NFPROTO_ARP); +- if (ret) +- goto free_newinfo; + + ret = -ELOOP; + if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1568,7 +1568,7 @@ release_matches: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, + unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) +@@ -1577,10 +1577,9 @@ compat_copy_entry_from_user(struct compa + struct xt_target *target; + struct ipt_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + struct xt_entry_match *ematch; + +- ret = 0; + origsize = *size; + de = (struct ipt_entry *)*dstptr; + memcpy(de, e, sizeof(struct ipt_entry)); +@@ -1589,11 +1588,9 @@ compat_copy_entry_from_user(struct compa + *dstptr += sizeof(struct ipt_entry); + *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); + +- xt_ematch_foreach(ematch, e) { +- ret = xt_compat_match_from_user(ematch, dstptr, size); +- if (ret != 0) +- return ret; +- } ++ xt_ematch_foreach(ematch, e) ++ xt_compat_match_from_user(ematch, dstptr, size); ++ + de->target_offset = e->target_offset - (origsize - *size); + t = compat_ipt_get_target(e); + target = t->u.kernel.target; +@@ -1606,7 +1603,6 @@ compat_copy_entry_from_user(struct compa + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; + } + + static int +@@ -1729,16 +1725,12 @@ translate_compat_table(struct net *net, + entry1 = newinfo->entries; + pos = entry1; + size = compatr->size; +- xt_entry_foreach(iter0, entry0, compatr->size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- newinfo, entry1); +- if (ret != 0) +- break; +- } ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ + xt_compat_flush_offsets(AF_INET); + xt_compat_unlock(AF_INET); +- if (ret) +- goto free_newinfo; + + ret = -ELOOP; + if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1580,7 +1580,7 @@ release_matches: + return ret; + } + +-static int ++static void + compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, + unsigned int *size, + struct xt_table_info *newinfo, unsigned char *base) +@@ -1588,10 +1588,9 @@ compat_copy_entry_from_user(struct compa + struct xt_entry_target *t; + struct ip6t_entry *de; + unsigned int origsize; +- int ret, h; ++ int h; + struct xt_entry_match *ematch; + +- ret = 0; + origsize = *size; + de = (struct ip6t_entry *)*dstptr; + memcpy(de, e, sizeof(struct ip6t_entry)); +@@ -1600,11 +1599,9 @@ compat_copy_entry_from_user(struct compa + *dstptr += sizeof(struct ip6t_entry); + *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); + +- xt_ematch_foreach(ematch, e) { +- ret = xt_compat_match_from_user(ematch, dstptr, size); +- if (ret != 0) +- return ret; +- } ++ xt_ematch_foreach(ematch, e) ++ xt_compat_match_from_user(ematch, dstptr, size); ++ + de->target_offset = e->target_offset - (origsize - *size); + t = compat_ip6t_get_target(e); + xt_compat_target_from_user(t, dstptr, size); +@@ -1616,7 +1613,6 @@ compat_copy_entry_from_user(struct compa + if ((unsigned char *)de - base < newinfo->underflow[h]) + newinfo->underflow[h] -= origsize - *size; + } +- return ret; + } + + static int compat_check_entry(struct ip6t_entry *e, struct net *net, +@@ -1737,17 +1733,12 @@ translate_compat_table(struct net *net, + } + entry1 = newinfo->entries; + pos = entry1; +- size = compatr->size; +- xt_entry_foreach(iter0, entry0, compatr->size) { +- ret = compat_copy_entry_from_user(iter0, &pos, &size, +- newinfo, entry1); +- if (ret != 0) +- break; +- } ++ xt_entry_foreach(iter0, entry0, compatr->size) ++ compat_copy_entry_from_user(iter0, &pos, &size, ++ newinfo, entry1); ++ + xt_compat_flush_offsets(AF_INET6); + xt_compat_unlock(AF_INET6); +- if (ret) +- goto free_newinfo; + + ret = -ELOOP; + if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -526,8 +526,8 @@ int xt_compat_match_offset(const struct + } + EXPORT_SYMBOL_GPL(xt_compat_match_offset); + +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, +- unsigned int *size) ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, ++ unsigned int *size) + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; +@@ -549,7 +549,6 @@ int xt_compat_match_from_user(struct xt_ + + *size += off; + *dstptr += msize; +- return 0; + } + EXPORT_SYMBOL_GPL(xt_compat_match_from_user); + diff --git a/debian/patches/series b/debian/patches/series index 3d57f4fb6e20..ad115dd32830 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -115,6 +115,22 @@ bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch bugfix/all/keys-potential-uninitialized-variable.patch bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch +bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch +bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch +bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch +bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch +bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch +bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch +bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch +bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch +bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch +bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch +bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch +bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch +bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch +bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch +bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch +bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch # ABI maintenance debian/mips-siginfo-fix-abi-change-in-4.6.2.patch From 12183bf924db33672103a19328a4fa2ea89cec44 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 25 Jun 2016 00:56:15 +0200 Subject: [PATCH 07/14] nfsd: check permissions when setting ACLs (CVE-2016-XXXX) --- debian/changelog | 1 + ...-check-permissions-when-setting-acls.patch | 145 ++++++++++++++++++ .../all/posix_acl-add-set_posix_acl.patch | 82 ++++++++++ debian/patches/series | 2 + 4 files changed, 230 insertions(+) create mode 100644 debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch create mode 100644 debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch diff --git a/debian/changelog b/debian/changelog index 0c33506f43ee..467e056bf413 100644 --- a/debian/changelog +++ b/debian/changelog @@ -27,6 +27,7 @@ linux (4.6.2-2) UNRELEASED; urgency=medium - xt_compat_match_from_user doesn't need a retval - do compat validation via translate_table - introduce and use xt_copy_counters_from_user + * nfsd: check permissions when setting ACLs -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch b/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch new file mode 100644 index 000000000000..ce0aeb42176d --- /dev/null +++ b/debian/patches/bugfix/all/nfsd-check-permissions-when-setting-acls.patch @@ -0,0 +1,145 @@ +From: Ben Hutchings +Date: Wed, 22 Jun 2016 19:43:35 +0100 +Subject: [PATCH] nfsd: check permissions when setting ACLs +Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=999653786df6954a31044528ac3f7a5dadca08f4 + +Use set_posix_acl, which includes proper permission checks, instead of +calling ->set_acl directly. Without this anyone may be able to grant +themselves permissions to a file by setting the ACL. + +Lock the inode to make the new checks atomic with respect to set_acl. +(Also, nfsd was the only caller of set_acl not locking the inode, so I +suspect this may fix other races.) + +This also simplifies the code, and ensures our ACLs are checked by +posix_acl_valid. + +The permission checks and the inode locking were lost with commit +4ac7249e, which changed nfsd to use the set_acl inode operation directly +instead of going through xattr handlers. + +Reported-by: David Sinquin +[agreunba@redhat.com: use set_posix_acl] +Fixes: 4ac7249e +Cc: Christoph Hellwig +Cc: Al Viro +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +--- + fs/nfsd/nfs2acl.c | 20 ++++++++++---------- + fs/nfsd/nfs3acl.c | 16 +++++++--------- + fs/nfsd/nfs4acl.c | 16 ++++++++-------- + 3 files changed, 25 insertions(+), 27 deletions(-) + +--- a/fs/nfsd/nfs2acl.c ++++ b/fs/nfsd/nfs2acl.c +@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + if (error) +- goto out_drop_write; ++ goto out_drop_lock; ++ ++ fh_unlock(fh); + + fh_drop_write(fh); + +@@ -131,7 +130,8 @@ out: + posix_acl_release(argp->acl_access); + posix_acl_release(argp->acl_default); + return nfserr; +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +--- a/fs/nfsd/nfs3acl.c ++++ b/fs/nfsd/nfs3acl.c +@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s + goto out; + + inode = d_inode(fh->fh_dentry); +- if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) { +- error = -EOPNOTSUPP; +- goto out_errno; +- } + + error = fh_want_write(fh); + if (error) + goto out_errno; + +- error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS); ++ fh_lock(fh); ++ ++ error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access); + if (error) +- goto out_drop_write; +- error = inode->i_op->set_acl(inode, argp->acl_default, +- ACL_TYPE_DEFAULT); ++ goto out_drop_lock; ++ error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default); + +-out_drop_write: ++out_drop_lock: ++ fh_unlock(fh); + fh_drop_write(fh); + out_errno: + nfserr = nfserrno(error); +--- a/fs/nfsd/nfs4acl.c ++++ b/fs/nfsd/nfs4acl.c +@@ -770,9 +770,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst + dentry = fhp->fh_dentry; + inode = d_inode(dentry); + +- if (!inode->i_op->set_acl || !IS_POSIXACL(inode)) +- return nfserr_attrnotsupp; +- + if (S_ISDIR(inode->i_mode)) + flags = NFS4_ACL_DIR; + +@@ -782,16 +779,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst + if (host_error < 0) + goto out_nfserr; + +- host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS); ++ fh_lock(fhp); ++ ++ host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl); + if (host_error < 0) +- goto out_release; ++ goto out_drop_lock; + + if (S_ISDIR(inode->i_mode)) { +- host_error = inode->i_op->set_acl(inode, dpacl, +- ACL_TYPE_DEFAULT); ++ host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl); + } + +-out_release: ++out_drop_lock: ++ fh_unlock(fhp); ++ + posix_acl_release(pacl); + posix_acl_release(dpacl); + out_nfserr: diff --git a/debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch b/debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch new file mode 100644 index 000000000000..152fc8ad670c --- /dev/null +++ b/debian/patches/bugfix/all/posix_acl-add-set_posix_acl.patch @@ -0,0 +1,82 @@ +From: Andreas Gruenbacher +Date: Wed, 22 Jun 2016 23:57:25 +0200 +Subject: [PATCH] posix_acl: Add set_posix_acl +Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f + +Factor out part of posix_acl_xattr_set into a common function that takes +a posix_acl, which nfsd can also call. + +The prototype already exists in include/linux/posix_acl.h. + +Signed-off-by: Andreas Gruenbacher +Cc: stable@vger.kernel.org +Cc: Christoph Hellwig +Cc: Al Viro +Signed-off-by: J. Bruce Fields +[bwh: Backported to 4.6: posix_acl_xattr_set() parameters are different] +--- +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -786,39 +786,43 @@ posix_acl_xattr_get(const struct xattr_h + return error; + } + +-static int +-posix_acl_xattr_set(const struct xattr_handler *handler, +- struct dentry *dentry, const char *name, +- const void *value, size_t size, int flags) ++int ++set_posix_acl(struct inode *inode, int type, struct posix_acl *acl) + { +- struct inode *inode = d_backing_inode(dentry); +- struct posix_acl *acl = NULL; +- int ret; +- + if (!IS_POSIXACL(inode)) + return -EOPNOTSUPP; + if (!inode->i_op->set_acl) + return -EOPNOTSUPP; + +- if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) +- return value ? -EACCES : 0; ++ if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode)) ++ return acl ? -EACCES : 0; + if (!inode_owner_or_capable(inode)) + return -EPERM; + ++ if (acl) { ++ int ret = posix_acl_valid(acl); ++ if (ret) ++ return ret; ++ } ++ return inode->i_op->set_acl(inode, acl, type); ++} ++EXPORT_SYMBOL(set_posix_acl); ++ ++static int ++posix_acl_xattr_set(const struct xattr_handler *handler, ++ struct dentry *dentry, const char *name, ++ const void *value, size_t size, int flags) ++{ ++ struct inode *inode = d_backing_inode(dentry); ++ struct posix_acl *acl = NULL; ++ int ret; ++ + if (value) { + acl = posix_acl_from_xattr(&init_user_ns, value, size); + if (IS_ERR(acl)) + return PTR_ERR(acl); +- +- if (acl) { +- ret = posix_acl_valid(acl); +- if (ret) +- goto out; +- } + } +- +- ret = inode->i_op->set_acl(inode, acl, handler->flags); +-out: ++ ret = set_posix_acl(inode, handler->flags, acl); + posix_acl_release(acl); + return ret; + } diff --git a/debian/patches/series b/debian/patches/series index ad115dd32830..ec4eddb4f10d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -131,6 +131,8 @@ bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch +bugfix/all/posix_acl-add-set_posix_acl.patch +bugfix/all/nfsd-check-permissions-when-setting-acls.patch # ABI maintenance debian/mips-siginfo-fix-abi-change-in-4.6.2.patch From 0bb71866b7e62faf4c15037a9d2edac3a84800e4 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 25 Jun 2016 02:05:12 +0200 Subject: [PATCH 08/14] Ignore ABI change in x_tables --- debian/changelog | 1 + debian/config/defines | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/changelog b/debian/changelog index 467e056bf413..4c3892bede2a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -27,6 +27,7 @@ linux (4.6.2-2) UNRELEASED; urgency=medium - xt_compat_match_from_user doesn't need a retval - do compat validation via translate_table - introduce and use xt_copy_counters_from_user + * Ignore ABI change in x_tables * nfsd: check permissions when setting ACLs -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 diff --git a/debian/config/defines b/debian/config/defines index 17ae3236ffbf..abd561af4088 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -3,6 +3,7 @@ abiname: 1 ignore-changes: # Should not be used from OOT module:drivers/net/wireless/realtek/rtlwifi/* + xt_compat_match_from_user [base] arches: From c42ea367e39054bcccd3dcbc028827a632b42e2a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 25 Jun 2016 07:22:30 +0200 Subject: [PATCH 09/14] Add CVE identifier for nfsd issue --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 4c3892bede2a..b57f321b86fe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -28,7 +28,7 @@ linux (4.6.2-2) UNRELEASED; urgency=medium - do compat validation via translate_table - introduce and use xt_copy_counters_from_user * Ignore ABI change in x_tables - * nfsd: check permissions when setting ACLs + * nfsd: check permissions when setting ACLs (CVE-2016-1237) -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 From 15c473a9c7b81aaf38ffe4ff07aa95f918609161 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 25 Jun 2016 11:22:27 +0200 Subject: [PATCH 10/14] Prepare to release linux (4.6.2-2). --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index b57f321b86fe..e638f9a4a5c8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.6.2-2) UNRELEASED; urgency=medium +linux (4.6.2-2) unstable; urgency=medium * [mips*] Fix ABI changes in 4.6.2 * [rt] Update to 4.6.2-rt5: @@ -30,7 +30,7 @@ linux (4.6.2-2) UNRELEASED; urgency=medium * Ignore ABI change in x_tables * nfsd: check permissions when setting ACLs (CVE-2016-1237) - -- Ben Hutchings Thu, 16 Jun 2016 12:37:27 +0100 + -- Ben Hutchings Sat, 25 Jun 2016 11:22:27 +0200 linux (4.6.2-1) unstable; urgency=medium From 419d6356df57b589f32096977868d207d5f53689 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 27 Jun 2016 00:58:54 +0200 Subject: [PATCH 11/14] Update to 4.6.3 --- debian/changelog | 71 ++ debian/config/defines | 1 + ...d-opening-files-without-mmap-handler.patch | 59 -- ...bles-simplify-translate_compat_table.patch | 210 ----- ...bles-simplify-translate_compat_table.patch | 185 ---- ...les-simplify-translate_compat_table-.patch | 185 ---- ...es-add-and-use-xt_check_entry_offset.patch | 151 ---- ...es-add-compat-version-of-xt_check_en.patch | 105 --- ...-x_tables-assert-minimum-target-size.patch | 25 - ...tables-check-for-bogus-target-offset.patch | 164 ---- ...ables-check-standard-target-size-too.patch | 60 -- ...es-do-compat-validation-via-translat.patch | 798 ------------------ ...es-don-t-move-to-non-existent-next-r.patch | 100 --- ...es-don-t-reject-valid-target-size-on.patch | 54 -- ...es-introduce-and-use-xt_copy_counter.patch | 328 ------- ...ter-x_tables-kill-check_entry-helper.patch | 149 ---- ...es-validate-all-offsets-and-sizes-in.patch | 137 --- ...r-x_tables-validate-targets-of-jumps.patch | 127 --- ...es-xt_compat_match_from_user-doesn-t.patch | 234 ----- ...-prevent-stacking-filesystems-on-top.patch | 41 - .../sched-panic-on-corrupted-stack-end.patch | 36 - ...ock-before-parsing-nested-attributes.patch | 36 - debian/patches/series | 20 - 23 files changed, 72 insertions(+), 3204 deletions(-) delete mode 100644 debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch delete mode 100644 debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch delete mode 100644 debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch delete mode 100644 debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch delete mode 100644 debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch delete mode 100644 debian/patches/bugfix/all/proc-prevent-stacking-filesystems-on-top.patch delete mode 100644 debian/patches/bugfix/all/sched-panic-on-corrupted-stack-end.patch delete mode 100644 debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch diff --git a/debian/changelog b/debian/changelog index e638f9a4a5c8..323cb730a0b4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,74 @@ +linux (4.6.3-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.3 + - scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands + - scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist + - netlink: Fix dump skb leak/double free + - tipc: fix nametable publication field in nl compat + - switchdev: pass pointer to fib_info instead of copy + - tuntap: correctly wake up process during uninit + - bpf: Use mount_nodev not mount_ns to mount the bpf filesystem + - udp: prevent skbs lingering in tunnel socket queues + - uapi glibc compat: fix compilation when !__USE_MISC in glibc + - bpf, inode: disallow userns mounts + - [armhf] net: mvneta: Fix lacking spinlock initialization + - net: hwbm: Fix unbalanced spinlock in error case + - sfc: on MC reset, clear PIO buffer linkage in TXQs + - team: don't call netdev_change_features under team->lock + - net: alx: use custom skb allocator + - net: stmmac: Fix incorrect memcpy source memory + - vxlan: Accept user specified MTU value when create new vxlan link + - net: nps_enet: Disable interrupts before napi reschedule + - bpf, trace: use READ_ONCE for retrieving file ptr + - tcp: record TLP and ER timer stats in v6 stats + - bridge: Don't insert unnecessary local fdb entry on changing mac address + - l2tp: fix configuration passed to setup_udp_tunnel_sock() + - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid + - [armhf,arm64] KVM: vgic-v2: Clear all dirty LRs + - [armhf,arm64] KVM: vgic-v3: Clear all dirty LRs + - [x86] KVM: fix OOPS after invalid KVM_SET_DEBUGREGS + - KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi + - [arm*] drivers/perf: arm_pmu: Defer the setting of __oprofile_cpu_pmu + - [x86] ALSA: hda - Add PCI ID for Kabylake + - [x86] ALSA: hda - Fix headset mic detection problem for Dell machine + - ALSA: hda/realtek - ALC256 speaker noise issue + - ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703 + - [x86] ALSA: hda/realtek: Add T560 docking unit fixup + - [armhf] fix PTRACE_SETVFPREGS on SMP systems + - gpio: bail out silently on NULL descriptors + - gpiolib: Fix NULL pointer deference + - gpiolib: Fix unaligned used of reference counters + - [s390x] bpf: fix recache skb->data/hlen for skb_vlan_push/pop + - [s390x] bpf: reduce maximum program size to 64 KB + - [armhf,arm64] irqchip/gic-v3: Fix ICC_SGI1R_EL1.INTID decoding mask + - [x86] crypto: ccp - Fix AES XTS error for request sizes above 4096 + - [arm64] Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks + - [arm64] mm: always take dirty state from new pte in ptep_set_access_flags + - [powerpc*] pseries/eeh: Handle RTAS delay requests in configure_bridge + - [powerpc*] Fix definition of SIAR and SDAR registers + - [powerpc*] Use privileged SPR number for MMCR2 + - [powerpc*] pseries: Add POWER8NVL support to + ibm,client-architecture-support call + - [powerpc*] mm/hash: Fix the reference bit update when handling hash fault + - [hppa] Fix pagefault crash in unaligned __get_user() call + - memcg: add RCU locking around css_for_each_descendant_pre() in + memcg_offline_kmem() + - wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel + - mm: thp: broken page count after commit aa88b68c3b1d + - [x86] entry/traps: Don't force in_interrupt() to return true in IST + handlers + - fix d_walk()/non-delayed __d_free() race + - [sparc64] Reduce TLB flushes during hugepte changes + - [sparc64] Take ctx_alloc_lock properly in hugetlb_setup(). + - [sparc64] Harden signal return frame checks. + - [sparc64] Fix return from trap window fill crashes. + - drm/core: Do not preserve framebuffer on rmfb, v4. + - [x86] Revert "drm/i915: Exit cherryview_irq_handler() after one pass" + - gpio: make sure gpiod_to_irq() returns negative on NULL desc + + -- Ben Hutchings Mon, 27 Jun 2016 00:31:11 +0200 + linux (4.6.2-2) unstable; urgency=medium * [mips*] Fix ABI changes in 4.6.2 diff --git a/debian/config/defines b/debian/config/defines index abd561af4088..521205dd70e9 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -3,6 +3,7 @@ abiname: 1 ignore-changes: # Should not be used from OOT module:drivers/net/wireless/realtek/rtlwifi/* + module:net/switchdev/* xt_compat_match_from_user [base] diff --git a/debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch deleted file mode 100644 index e4167dedc84e..000000000000 --- a/debian/patches/bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Jann Horn -Date: Wed, 1 Jun 2016 11:55:06 +0200 -Subject: [2/3] ecryptfs: forbid opening files without mmap handler -Origin: https://git.kernel.org/linus/2f36db71009304b3f0b95afacd8eba1f9f046b87 - -This prevents users from triggering a stack overflow through a recursive -invocation of pagefault handling that involves mapping procfs files into -virtual memory. - -Signed-off-by: Jann Horn -Acked-by: Tyler Hicks -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - fs/ecryptfs/kthread.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c -index 866bb18..e818f5a 100644 ---- a/fs/ecryptfs/kthread.c -+++ b/fs/ecryptfs/kthread.c -@@ -25,6 +25,7 @@ - #include - #include - #include -+#include - #include "ecryptfs_kernel.h" - - struct ecryptfs_open_req { -@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file, - flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR; - (*lower_file) = dentry_open(&req.path, flags, cred); - if (!IS_ERR(*lower_file)) -- goto out; -+ goto have_file; - if ((flags & O_ACCMODE) == O_RDONLY) { - rc = PTR_ERR((*lower_file)); - goto out; -@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file, - mutex_unlock(&ecryptfs_kthread_ctl.mux); - wake_up(&ecryptfs_kthread_ctl.wait); - wait_for_completion(&req.done); -- if (IS_ERR(*lower_file)) -+ if (IS_ERR(*lower_file)) { - rc = PTR_ERR(*lower_file); -+ goto out; -+ } -+have_file: -+ if ((*lower_file)->f_op->mmap == NULL) { -+ fput(*lower_file); -+ *lower_file = NULL; -+ rc = -EMEDIUMTYPE; -+ } - out: - return rc; - } --- -2.8.1 - diff --git a/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch b/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch deleted file mode 100644 index 3c9dc86fad15..000000000000 --- a/debian/patches/bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch +++ /dev/null @@ -1,210 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:32 +0200 -Subject: netfilter: arp_tables: simplify translate_compat_table args -Origin: https://git.kernel.org/linus/8dddd32756f6fe8e4e82a63361119b7e2384e02f - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 82 ++++++++++++++++++----------------------- - 1 file changed, 36 insertions(+), 46 deletions(-) - ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -1214,6 +1214,18 @@ static int do_add_counters(struct net *n - } - - #ifdef CONFIG_COMPAT -+struct compat_arpt_replace { -+ char name[XT_TABLE_MAXNAMELEN]; -+ u32 valid_hooks; -+ u32 num_entries; -+ u32 size; -+ u32 hook_entry[NF_ARP_NUMHOOKS]; -+ u32 underflow[NF_ARP_NUMHOOKS]; -+ u32 num_counters; -+ compat_uptr_t counters; -+ struct compat_arpt_entry entries[0]; -+}; -+ - static inline void compat_release_entry(struct compat_arpt_entry *e) - { - struct xt_entry_target *t; -@@ -1229,8 +1241,7 @@ check_compat_entry_size_and_hooks(struct - const unsigned char *base, - const unsigned char *limit, - const unsigned int *hook_entries, -- const unsigned int *underflows, -- const char *name) -+ const unsigned int *underflows) - { - struct xt_entry_target *t; - struct xt_target *target; -@@ -1301,7 +1312,7 @@ out: - - static int - compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, -- unsigned int *size, const char *name, -+ unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) - { - struct xt_entry_target *t; -@@ -1334,14 +1345,9 @@ compat_copy_entry_from_user(struct compa - return ret; - } - --static int translate_compat_table(const char *name, -- unsigned int valid_hooks, -- struct xt_table_info **pinfo, -+static int translate_compat_table(struct xt_table_info **pinfo, - void **pentry0, -- unsigned int total_size, -- unsigned int number, -- unsigned int *hook_entries, -- unsigned int *underflows) -+ const struct compat_arpt_replace *compatr) - { - unsigned int i, j; - struct xt_table_info *newinfo, *info; -@@ -1353,8 +1359,8 @@ static int translate_compat_table(const - - info = *pinfo; - entry0 = *pentry0; -- size = total_size; -- info->number = number; -+ size = compatr->size; -+ info->number = compatr->num_entries; - - /* Init all hooks to impossible value. */ - for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -@@ -1365,40 +1371,39 @@ static int translate_compat_table(const - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(NFPROTO_ARP); -- xt_compat_init_offsets(NFPROTO_ARP, number); -+ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); - /* Walk through entries, checking offsets. */ -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + total_size, -- hook_entries, -- underflows, -- name); -+ entry0 + compatr->size, -+ compatr->hook_entry, -+ compatr->underflow); - if (ret != 0) - goto out_unlock; - ++j; - } - - ret = -EINVAL; -- if (j != number) { -+ if (j != compatr->num_entries) { - duprintf("translate_compat_table: %u not %u entries\n", -- j, number); -+ j, compatr->num_entries); - goto out_unlock; - } - - /* Check hooks all assigned */ - for (i = 0; i < NF_ARP_NUMHOOKS; i++) { - /* Only hooks which are valid */ -- if (!(valid_hooks & (1 << i))) -+ if (!(compatr->valid_hooks & (1 << i))) - continue; - if (info->hook_entry[i] == 0xFFFFFFFF) { - duprintf("Invalid hook entry %u %u\n", -- i, hook_entries[i]); -+ i, info->hook_entry[i]); - goto out_unlock; - } - if (info->underflow[i] == 0xFFFFFFFF) { - duprintf("Invalid underflow %u %u\n", -- i, underflows[i]); -+ i, info->underflow[i]); - goto out_unlock; - } - } -@@ -1408,17 +1413,17 @@ static int translate_compat_table(const - if (!newinfo) - goto out_unlock; - -- newinfo->number = number; -+ newinfo->number = compatr->num_entries; - for (i = 0; i < NF_ARP_NUMHOOKS; i++) { - newinfo->hook_entry[i] = info->hook_entry[i]; - newinfo->underflow[i] = info->underflow[i]; - } - entry1 = newinfo->entries; - pos = entry1; -- size = total_size; -- xt_entry_foreach(iter0, entry0, total_size) { -+ size = compatr->size; -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = compat_copy_entry_from_user(iter0, &pos, &size, -- name, newinfo, entry1); -+ newinfo, entry1); - if (ret != 0) - break; - } -@@ -1428,7 +1433,7 @@ static int translate_compat_table(const - goto free_newinfo; - - ret = -ELOOP; -- if (!mark_source_chains(newinfo, valid_hooks, entry1)) -+ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) - goto free_newinfo; - - i = 0; -@@ -1439,7 +1444,7 @@ static int translate_compat_table(const - break; - } - -- ret = check_target(iter1, name); -+ ret = check_target(iter1, compatr->name); - if (ret != 0) { - xt_percpu_counter_free(iter1->counters.pcnt); - break; -@@ -1481,7 +1486,7 @@ static int translate_compat_table(const - free_newinfo: - xt_free_table_info(newinfo); - out: -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); -@@ -1493,18 +1498,6 @@ out_unlock: - goto out; - } - --struct compat_arpt_replace { -- char name[XT_TABLE_MAXNAMELEN]; -- u32 valid_hooks; -- u32 num_entries; -- u32 size; -- u32 hook_entry[NF_ARP_NUMHOOKS]; -- u32 underflow[NF_ARP_NUMHOOKS]; -- u32 num_counters; -- compat_uptr_t counters; -- struct compat_arpt_entry entries[0]; --}; -- - static int compat_do_replace(struct net *net, void __user *user, - unsigned int len) - { -@@ -1537,10 +1530,7 @@ static int compat_do_replace(struct net - goto free_newinfo; - } - -- ret = translate_compat_table(tmp.name, tmp.valid_hooks, -- &newinfo, &loc_cpu_entry, tmp.size, -- tmp.num_entries, tmp.hook_entry, -- tmp.underflow); -+ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); - if (ret != 0) - goto free_newinfo; - diff --git a/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch b/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch deleted file mode 100644 index 109fd0d1ee76..000000000000 --- a/debian/patches/bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch +++ /dev/null @@ -1,185 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:31 +0200 -Subject: netfilter: ip6_tables: simplify translate_compat_table args -Origin: https://git.kernel.org/linus/329a0807124f12fe1c8032f95d8a8eb47047fb0e - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv6/netfilter/ip6_tables.c | 59 +++++++++++++++++------------------------ - 1 file changed, 24 insertions(+), 35 deletions(-) - ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -1461,7 +1461,6 @@ compat_copy_entry_to_user(struct ip6t_en - - static int - compat_find_calc_match(struct xt_entry_match *m, -- const char *name, - const struct ip6t_ip6 *ipv6, - int *size) - { -@@ -1498,8 +1497,7 @@ check_compat_entry_size_and_hooks(struct - const unsigned char *base, - const unsigned char *limit, - const unsigned int *hook_entries, -- const unsigned int *underflows, -- const char *name) -+ const unsigned int *underflows) - { - struct xt_entry_match *ematch; - struct xt_entry_target *t; -@@ -1535,7 +1533,7 @@ check_compat_entry_size_and_hooks(struct - entry_offset = (void *)e - (void *)base; - j = 0; - xt_ematch_foreach(ematch, e) { -- ret = compat_find_calc_match(ematch, name, &e->ipv6, &off); -+ ret = compat_find_calc_match(ematch, &e->ipv6, &off); - if (ret != 0) - goto release_matches; - ++j; -@@ -1584,7 +1582,7 @@ release_matches: - - static int - compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, -- unsigned int *size, const char *name, -+ unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) - { - struct xt_entry_target *t; -@@ -1664,14 +1662,9 @@ static int compat_check_entry(struct ip6 - - static int - translate_compat_table(struct net *net, -- const char *name, -- unsigned int valid_hooks, - struct xt_table_info **pinfo, - void **pentry0, -- unsigned int total_size, -- unsigned int number, -- unsigned int *hook_entries, -- unsigned int *underflows) -+ const struct compat_ip6t_replace *compatr) - { - unsigned int i, j; - struct xt_table_info *newinfo, *info; -@@ -1683,8 +1676,8 @@ translate_compat_table(struct net *net, - - info = *pinfo; - entry0 = *pentry0; -- size = total_size; -- info->number = number; -+ size = compatr->size; -+ info->number = compatr->num_entries; - - /* Init all hooks to impossible value. */ - for (i = 0; i < NF_INET_NUMHOOKS; i++) { -@@ -1695,40 +1688,39 @@ translate_compat_table(struct net *net, - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(AF_INET6); -- xt_compat_init_offsets(AF_INET6, number); -+ xt_compat_init_offsets(AF_INET6, compatr->num_entries); - /* Walk through entries, checking offsets. */ -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + total_size, -- hook_entries, -- underflows, -- name); -+ entry0 + compatr->size, -+ compatr->hook_entry, -+ compatr->underflow); - if (ret != 0) - goto out_unlock; - ++j; - } - - ret = -EINVAL; -- if (j != number) { -+ if (j != compatr->num_entries) { - duprintf("translate_compat_table: %u not %u entries\n", -- j, number); -+ j, compatr->num_entries); - goto out_unlock; - } - - /* Check hooks all assigned */ - for (i = 0; i < NF_INET_NUMHOOKS; i++) { - /* Only hooks which are valid */ -- if (!(valid_hooks & (1 << i))) -+ if (!(compatr->valid_hooks & (1 << i))) - continue; - if (info->hook_entry[i] == 0xFFFFFFFF) { - duprintf("Invalid hook entry %u %u\n", -- i, hook_entries[i]); -+ i, info->hook_entry[i]); - goto out_unlock; - } - if (info->underflow[i] == 0xFFFFFFFF) { - duprintf("Invalid underflow %u %u\n", -- i, underflows[i]); -+ i, info->underflow[i]); - goto out_unlock; - } - } -@@ -1738,17 +1730,17 @@ translate_compat_table(struct net *net, - if (!newinfo) - goto out_unlock; - -- newinfo->number = number; -+ newinfo->number = compatr->num_entries; - for (i = 0; i < NF_INET_NUMHOOKS; i++) { - newinfo->hook_entry[i] = info->hook_entry[i]; - newinfo->underflow[i] = info->underflow[i]; - } - entry1 = newinfo->entries; - pos = entry1; -- size = total_size; -- xt_entry_foreach(iter0, entry0, total_size) { -+ size = compatr->size; -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = compat_copy_entry_from_user(iter0, &pos, &size, -- name, newinfo, entry1); -+ newinfo, entry1); - if (ret != 0) - break; - } -@@ -1758,12 +1750,12 @@ translate_compat_table(struct net *net, - goto free_newinfo; - - ret = -ELOOP; -- if (!mark_source_chains(newinfo, valid_hooks, entry1)) -+ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) - goto free_newinfo; - - i = 0; - xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = compat_check_entry(iter1, net, name); -+ ret = compat_check_entry(iter1, net, compatr->name); - if (ret != 0) - break; - ++i; -@@ -1803,7 +1795,7 @@ translate_compat_table(struct net *net, - free_newinfo: - xt_free_table_info(newinfo); - out: -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); -@@ -1848,10 +1840,7 @@ compat_do_replace(struct net *net, void - goto free_newinfo; - } - -- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, -- &newinfo, &loc_cpu_entry, tmp.size, -- tmp.num_entries, tmp.hook_entry, -- tmp.underflow); -+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); - if (ret != 0) - goto free_newinfo; - diff --git a/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch b/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch deleted file mode 100644 index 05603e542d7a..000000000000 --- a/debian/patches/bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch +++ /dev/null @@ -1,185 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:30 +0200 -Subject: netfilter: ip_tables: simplify translate_compat_table args -Origin: https://git.kernel.org/linus/7d3f843eed29222254c9feab481f55175a1afcc9 - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/ip_tables.c | 59 +++++++++++++++++------------------------- - 1 file changed, 24 insertions(+), 35 deletions(-) - ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -1449,7 +1449,6 @@ compat_copy_entry_to_user(struct ipt_ent - - static int - compat_find_calc_match(struct xt_entry_match *m, -- const char *name, - const struct ipt_ip *ip, - int *size) - { -@@ -1486,8 +1485,7 @@ check_compat_entry_size_and_hooks(struct - const unsigned char *base, - const unsigned char *limit, - const unsigned int *hook_entries, -- const unsigned int *underflows, -- const char *name) -+ const unsigned int *underflows) - { - struct xt_entry_match *ematch; - struct xt_entry_target *t; -@@ -1523,7 +1521,7 @@ check_compat_entry_size_and_hooks(struct - entry_offset = (void *)e - (void *)base; - j = 0; - xt_ematch_foreach(ematch, e) { -- ret = compat_find_calc_match(ematch, name, &e->ip, &off); -+ ret = compat_find_calc_match(ematch, &e->ip, &off); - if (ret != 0) - goto release_matches; - ++j; -@@ -1572,7 +1570,7 @@ release_matches: - - static int - compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, -- unsigned int *size, const char *name, -+ unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) - { - struct xt_entry_target *t; -@@ -1655,14 +1653,9 @@ compat_check_entry(struct ipt_entry *e, - - static int - translate_compat_table(struct net *net, -- const char *name, -- unsigned int valid_hooks, - struct xt_table_info **pinfo, - void **pentry0, -- unsigned int total_size, -- unsigned int number, -- unsigned int *hook_entries, -- unsigned int *underflows) -+ const struct compat_ipt_replace *compatr) - { - unsigned int i, j; - struct xt_table_info *newinfo, *info; -@@ -1674,8 +1667,8 @@ translate_compat_table(struct net *net, - - info = *pinfo; - entry0 = *pentry0; -- size = total_size; -- info->number = number; -+ size = compatr->size; -+ info->number = compatr->num_entries; - - /* Init all hooks to impossible value. */ - for (i = 0; i < NF_INET_NUMHOOKS; i++) { -@@ -1686,40 +1679,39 @@ translate_compat_table(struct net *net, - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(AF_INET); -- xt_compat_init_offsets(AF_INET, number); -+ xt_compat_init_offsets(AF_INET, compatr->num_entries); - /* Walk through entries, checking offsets. */ -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + total_size, -- hook_entries, -- underflows, -- name); -+ entry0 + compatr->size, -+ compatr->hook_entry, -+ compatr->underflow); - if (ret != 0) - goto out_unlock; - ++j; - } - - ret = -EINVAL; -- if (j != number) { -+ if (j != compatr->num_entries) { - duprintf("translate_compat_table: %u not %u entries\n", -- j, number); -+ j, compatr->num_entries); - goto out_unlock; - } - - /* Check hooks all assigned */ - for (i = 0; i < NF_INET_NUMHOOKS; i++) { - /* Only hooks which are valid */ -- if (!(valid_hooks & (1 << i))) -+ if (!(compatr->valid_hooks & (1 << i))) - continue; - if (info->hook_entry[i] == 0xFFFFFFFF) { - duprintf("Invalid hook entry %u %u\n", -- i, hook_entries[i]); -+ i, info->hook_entry[i]); - goto out_unlock; - } - if (info->underflow[i] == 0xFFFFFFFF) { - duprintf("Invalid underflow %u %u\n", -- i, underflows[i]); -+ i, info->underflow[i]); - goto out_unlock; - } - } -@@ -1729,17 +1721,17 @@ translate_compat_table(struct net *net, - if (!newinfo) - goto out_unlock; - -- newinfo->number = number; -+ newinfo->number = compatr->num_entries; - for (i = 0; i < NF_INET_NUMHOOKS; i++) { - newinfo->hook_entry[i] = info->hook_entry[i]; - newinfo->underflow[i] = info->underflow[i]; - } - entry1 = newinfo->entries; - pos = entry1; -- size = total_size; -- xt_entry_foreach(iter0, entry0, total_size) { -+ size = compatr->size; -+ xt_entry_foreach(iter0, entry0, compatr->size) { - ret = compat_copy_entry_from_user(iter0, &pos, &size, -- name, newinfo, entry1); -+ newinfo, entry1); - if (ret != 0) - break; - } -@@ -1749,12 +1741,12 @@ translate_compat_table(struct net *net, - goto free_newinfo; - - ret = -ELOOP; -- if (!mark_source_chains(newinfo, valid_hooks, entry1)) -+ if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) - goto free_newinfo; - - i = 0; - xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = compat_check_entry(iter1, net, name); -+ ret = compat_check_entry(iter1, net, compatr->name); - if (ret != 0) - break; - ++i; -@@ -1794,7 +1786,7 @@ translate_compat_table(struct net *net, - free_newinfo: - xt_free_table_info(newinfo); - out: -- xt_entry_foreach(iter0, entry0, total_size) { -+ xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); -@@ -1839,10 +1831,7 @@ compat_do_replace(struct net *net, void - goto free_newinfo; - } - -- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, -- &newinfo, &loc_cpu_entry, tmp.size, -- tmp.num_entries, tmp.hook_entry, -- tmp.underflow); -+ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); - if (ret != 0) - goto free_newinfo; - diff --git a/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch b/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch deleted file mode 100644 index 42ed724e32ac..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch +++ /dev/null @@ -1,151 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:23 +0200 -Subject: netfilter: x_tables: add and use xt_check_entry_offsets -Origin: https://git.kernel.org/linus/7d35812c3214afa5b37a675113555259cfd67b98 - -Currently arp/ip and ip6tables each implement a short helper to check that -the target offset is large enough to hold one xt_entry_target struct and -that t->u.target_size fits within the current rule. - -Unfortunately these checks are not sufficient. - -To avoid adding new tests to all of ip/ip6/arptables move the current -checks into a helper, then extend this helper in followup patches. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/x_tables.h | 4 ++++ - net/ipv4/netfilter/arp_tables.c | 11 +---------- - net/ipv4/netfilter/ip_tables.c | 12 +----------- - net/ipv6/netfilter/ip6_tables.c | 12 +----------- - net/netfilter/x_tables.c | 34 ++++++++++++++++++++++++++++++++++ - 5 files changed, 41 insertions(+), 32 deletions(-) - ---- a/include/linux/netfilter/x_tables.h -+++ b/include/linux/netfilter/x_tables.h -@@ -242,6 +242,10 @@ void xt_unregister_match(struct xt_match - int xt_register_matches(struct xt_match *match, unsigned int n); - void xt_unregister_matches(struct xt_match *match, unsigned int n); - -+int xt_check_entry_offsets(const void *base, -+ unsigned int target_offset, -+ unsigned int next_offset); -+ - int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto, - bool inv_proto); - int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -496,19 +496,10 @@ next: - - static inline int check_entry(const struct arpt_entry *e) - { -- const struct xt_entry_target *t; -- - if (!arp_checkentry(&e->arp)) - return -EINVAL; - -- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset) -- return -EINVAL; -- -- t = arpt_get_target_c(e); -- if (e->target_offset + t->u.target_size > e->next_offset) -- return -EINVAL; -- -- return 0; -+ return xt_check_entry_offsets(e, e->target_offset, e->next_offset); - } - - static inline int check_target(struct arpt_entry *e, const char *name) ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -590,20 +590,10 @@ static void cleanup_match(struct xt_entr - static int - check_entry(const struct ipt_entry *e) - { -- const struct xt_entry_target *t; -- - if (!ip_checkentry(&e->ip)) - return -EINVAL; - -- if (e->target_offset + sizeof(struct xt_entry_target) > -- e->next_offset) -- return -EINVAL; -- -- t = ipt_get_target_c(e); -- if (e->target_offset + t->u.target_size > e->next_offset) -- return -EINVAL; -- -- return 0; -+ return xt_check_entry_offsets(e, e->target_offset, e->next_offset); - } - - static int ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -602,20 +602,10 @@ static void cleanup_match(struct xt_entr - static int - check_entry(const struct ip6t_entry *e) - { -- const struct xt_entry_target *t; -- - if (!ip6_checkentry(&e->ipv6)) - return -EINVAL; - -- if (e->target_offset + sizeof(struct xt_entry_target) > -- e->next_offset) -- return -EINVAL; -- -- t = ip6t_get_target_c(e); -- if (e->target_offset + t->u.target_size > e->next_offset) -- return -EINVAL; -- -- return 0; -+ return xt_check_entry_offsets(e, e->target_offset, e->next_offset); - } - - static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -541,6 +541,40 @@ int xt_compat_match_to_user(const struct - EXPORT_SYMBOL_GPL(xt_compat_match_to_user); - #endif /* CONFIG_COMPAT */ - -+/** -+ * xt_check_entry_offsets - validate arp/ip/ip6t_entry -+ * -+ * @base: pointer to arp/ip/ip6t_entry -+ * @target_offset: the arp/ip/ip6_t->target_offset -+ * @next_offset: the arp/ip/ip6_t->next_offset -+ * -+ * validates that target_offset and next_offset are sane. -+ * -+ * The arp/ip/ip6t_entry structure @base must have passed following tests: -+ * - it must point to a valid memory location -+ * - base to base + next_offset must be accessible, i.e. not exceed allocated -+ * length. -+ * -+ * Return: 0 on success, negative errno on failure. -+ */ -+int xt_check_entry_offsets(const void *base, -+ unsigned int target_offset, -+ unsigned int next_offset) -+{ -+ const struct xt_entry_target *t; -+ const char *e = base; -+ -+ if (target_offset + sizeof(*t) > next_offset) -+ return -EINVAL; -+ -+ t = (void *)(e + target_offset); -+ if (target_offset + t->u.target_size > next_offset) -+ return -EINVAL; -+ -+ return 0; -+} -+EXPORT_SYMBOL(xt_check_entry_offsets); -+ - int xt_check_target(struct xt_tgchk_param *par, - unsigned int size, u_int8_t proto, bool inv_proto) - { diff --git a/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch b/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch deleted file mode 100644 index c08d01c8a676..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch +++ /dev/null @@ -1,105 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:26 +0200 -Subject: netfilter: x_tables: add compat version of xt_check_entry_offsets -Origin: https://git.kernel.org/linus/fc1221b3a163d1386d1052184202d5dc50d302d1 - -32bit rulesets have different layout and alignment requirements, so once -more integrity checks get added to xt_check_entry_offsets it will reject -well-formed 32bit rulesets. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/x_tables.h | 3 +++ - net/ipv4/netfilter/arp_tables.c | 3 ++- - net/ipv4/netfilter/ip_tables.c | 3 ++- - net/ipv6/netfilter/ip6_tables.c | 3 ++- - net/netfilter/x_tables.c | 22 ++++++++++++++++++++++ - 5 files changed, 31 insertions(+), 3 deletions(-) - ---- a/include/linux/netfilter/x_tables.h -+++ b/include/linux/netfilter/x_tables.h -@@ -494,6 +494,9 @@ void xt_compat_target_from_user(struct x - unsigned int *size); - int xt_compat_target_to_user(const struct xt_entry_target *t, - void __user **dstptr, unsigned int *size); -+int xt_compat_check_entry_offsets(const void *base, -+ unsigned int target_offset, -+ unsigned int next_offset); - - #endif /* CONFIG_COMPAT */ - #endif /* _X_TABLES_H */ ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -1254,7 +1254,8 @@ check_compat_entry_size_and_hooks(struct - if (!arp_checkentry(&e->arp)) - return -EINVAL; - -- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); -+ ret = xt_compat_check_entry_offsets(e, e->target_offset, -+ e->next_offset); - if (ret) - return ret; - ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -1513,7 +1513,8 @@ check_compat_entry_size_and_hooks(struct - if (!ip_checkentry(&e->ip)) - return -EINVAL; - -- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); -+ ret = xt_compat_check_entry_offsets(e, -+ e->target_offset, e->next_offset); - if (ret) - return ret; - ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -1525,7 +1525,8 @@ check_compat_entry_size_and_hooks(struct - if (!ip6_checkentry(&e->ipv6)) - return -EINVAL; - -- ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); -+ ret = xt_compat_check_entry_offsets(e, -+ e->target_offset, e->next_offset); - if (ret) - return ret; - ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -539,6 +539,27 @@ int xt_compat_match_to_user(const struct - return 0; - } - EXPORT_SYMBOL_GPL(xt_compat_match_to_user); -+ -+int xt_compat_check_entry_offsets(const void *base, -+ unsigned int target_offset, -+ unsigned int next_offset) -+{ -+ const struct compat_xt_entry_target *t; -+ const char *e = base; -+ -+ if (target_offset + sizeof(*t) > next_offset) -+ return -EINVAL; -+ -+ t = (void *)(e + target_offset); -+ if (t->u.target_size < sizeof(*t)) -+ return -EINVAL; -+ -+ if (target_offset + t->u.target_size > next_offset) -+ return -EINVAL; -+ -+ return 0; -+} -+EXPORT_SYMBOL(xt_compat_check_entry_offsets); - #endif /* CONFIG_COMPAT */ - - /** -@@ -549,6 +570,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_use - * @next_offset: the arp/ip/ip6_t->next_offset - * - * validates that target_offset and next_offset are sane. -+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. - * - * The arp/ip/ip6t_entry structure @base must have passed following tests: - * - it must point to a valid memory location diff --git a/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch b/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch deleted file mode 100644 index 6a13a02d0ac9..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:25 +0200 -Subject: netfilter: x_tables: assert minimum target size -Origin: https://git.kernel.org/linus/a08e4e190b866579896c09af59b3bdca821da2cd - -The target size includes the size of the xt_entry_target struct. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/x_tables.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -568,6 +568,9 @@ int xt_check_entry_offsets(const void *b - return -EINVAL; - - t = (void *)(e + target_offset); -+ if (t->u.target_size < sizeof(*t)) -+ return -EINVAL; -+ - if (target_offset + t->u.target_size > next_offset) - return -EINVAL; - diff --git a/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch b/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch deleted file mode 100644 index a7617869b9d5..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch +++ /dev/null @@ -1,164 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:28 +0200 -Subject: netfilter: x_tables: check for bogus target offset -Origin: https://git.kernel.org/linus/ce683e5f9d045e5d67d1312a42b359cb2ab2a13c - -We're currently asserting that targetoff + targetsize <= nextoff. - -Extend it to also check that targetoff is >= sizeof(xt_entry). -Since this is generic code, add an argument pointing to the start of the -match/target, we can then derive the base structure size from the delta. - -We also need the e->elems pointer in a followup change to validate matches. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/x_tables.h | 4 ++-- - net/ipv4/netfilter/arp_tables.c | 5 +++-- - net/ipv4/netfilter/ip_tables.c | 5 +++-- - net/ipv6/netfilter/ip6_tables.c | 5 +++-- - net/netfilter/x_tables.c | 17 +++++++++++++++-- - 5 files changed, 26 insertions(+), 10 deletions(-) - ---- a/include/linux/netfilter/x_tables.h -+++ b/include/linux/netfilter/x_tables.h -@@ -242,7 +242,7 @@ void xt_unregister_match(struct xt_match - int xt_register_matches(struct xt_match *match, unsigned int n); - void xt_unregister_matches(struct xt_match *match, unsigned int n); - --int xt_check_entry_offsets(const void *base, -+int xt_check_entry_offsets(const void *base, const char *elems, - unsigned int target_offset, - unsigned int next_offset); - -@@ -494,7 +494,7 @@ void xt_compat_target_from_user(struct x - unsigned int *size); - int xt_compat_target_to_user(const struct xt_entry_target *t, - void __user **dstptr, unsigned int *size); --int xt_compat_check_entry_offsets(const void *base, -+int xt_compat_check_entry_offsets(const void *base, const char *elems, - unsigned int target_offset, - unsigned int next_offset); - ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -592,7 +592,8 @@ static inline int check_entry_size_and_h - if (!arp_checkentry(&e->arp)) - return -EINVAL; - -- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); - if (err) - return err; - -@@ -1254,7 +1255,7 @@ check_compat_entry_size_and_hooks(struct - if (!arp_checkentry(&e->arp)) - return -EINVAL; - -- ret = xt_compat_check_entry_offsets(e, e->target_offset, -+ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset, - e->next_offset); - if (ret) - return ret; ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -754,7 +754,8 @@ check_entry_size_and_hooks(struct ipt_en - if (!ip_checkentry(&e->ip)) - return -EINVAL; - -- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); - if (err) - return err; - -@@ -1513,7 +1514,7 @@ check_compat_entry_size_and_hooks(struct - if (!ip_checkentry(&e->ip)) - return -EINVAL; - -- ret = xt_compat_check_entry_offsets(e, -+ ret = xt_compat_check_entry_offsets(e, e->elems, - e->target_offset, e->next_offset); - if (ret) - return ret; ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -766,7 +766,8 @@ check_entry_size_and_hooks(struct ip6t_e - if (!ip6_checkentry(&e->ipv6)) - return -EINVAL; - -- err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); -+ err = xt_check_entry_offsets(e, e->elems, e->target_offset, -+ e->next_offset); - if (err) - return err; - -@@ -1525,7 +1526,7 @@ check_compat_entry_size_and_hooks(struct - if (!ip6_checkentry(&e->ipv6)) - return -EINVAL; - -- ret = xt_compat_check_entry_offsets(e, -+ ret = xt_compat_check_entry_offsets(e, e->elems, - e->target_offset, e->next_offset); - if (ret) - return ret; ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -546,14 +546,17 @@ struct compat_xt_standard_target { - compat_uint_t verdict; - }; - --/* see xt_check_entry_offsets */ --int xt_compat_check_entry_offsets(const void *base, -+int xt_compat_check_entry_offsets(const void *base, const char *elems, - unsigned int target_offset, - unsigned int next_offset) - { -+ long size_of_base_struct = elems - (const char *)base; - const struct compat_xt_entry_target *t; - const char *e = base; - -+ if (target_offset < size_of_base_struct) -+ return -EINVAL; -+ - if (target_offset + sizeof(*t) > next_offset) - return -EINVAL; - -@@ -577,12 +580,16 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs - * xt_check_entry_offsets - validate arp/ip/ip6t_entry - * - * @base: pointer to arp/ip/ip6t_entry -+ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems - * @target_offset: the arp/ip/ip6_t->target_offset - * @next_offset: the arp/ip/ip6_t->next_offset - * - * validates that target_offset and next_offset are sane. - * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. - * -+ * This function does not validate the targets or matches themselves, it -+ * only tests that all the offsets and sizes are correct. -+ * - * The arp/ip/ip6t_entry structure @base must have passed following tests: - * - it must point to a valid memory location - * - base to base + next_offset must be accessible, i.e. not exceed allocated -@@ -591,12 +598,18 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs - * Return: 0 on success, negative errno on failure. - */ - int xt_check_entry_offsets(const void *base, -+ const char *elems, - unsigned int target_offset, - unsigned int next_offset) - { -+ long size_of_base_struct = elems - (const char *)base; - const struct xt_entry_target *t; - const char *e = base; - -+ /* target start is within the ip/ip6/arpt_entry struct */ -+ if (target_offset < size_of_base_struct) -+ return -EINVAL; -+ - if (target_offset + sizeof(*t) > next_offset) - return -EINVAL; - diff --git a/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch b/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch deleted file mode 100644 index 427d31b860fb..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch +++ /dev/null @@ -1,60 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:27 +0200 -Subject: netfilter: x_tables: check standard target size too -Origin: https://git.kernel.org/linus/7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 - -We have targets and standard targets -- the latter carries a verdict. - -The ip/ip6tables validation functions will access t->verdict for the -standard targets to fetch the jump offset or verdict for chainloop -detection, but this happens before the targets get checked/validated. - -Thus we also need to check for verdict presence here, else t->verdict -can point right after a blob. - -Spotted with UBSAN while testing malformed blobs. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/x_tables.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -540,6 +540,13 @@ int xt_compat_match_to_user(const struct - } - EXPORT_SYMBOL_GPL(xt_compat_match_to_user); - -+/* non-compat version may have padding after verdict */ -+struct compat_xt_standard_target { -+ struct compat_xt_entry_target t; -+ compat_uint_t verdict; -+}; -+ -+/* see xt_check_entry_offsets */ - int xt_compat_check_entry_offsets(const void *base, - unsigned int target_offset, - unsigned int next_offset) -@@ -557,6 +564,10 @@ int xt_compat_check_entry_offsets(const - if (target_offset + t->u.target_size > next_offset) - return -EINVAL; - -+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && -+ target_offset + sizeof(struct compat_xt_standard_target) != next_offset) -+ return -EINVAL; -+ - return 0; - } - EXPORT_SYMBOL(xt_compat_check_entry_offsets); -@@ -596,6 +607,10 @@ int xt_check_entry_offsets(const void *b - if (target_offset + t->u.target_size > next_offset) - return -EINVAL; - -+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && -+ target_offset + sizeof(struct xt_standard_target) != next_offset) -+ return -EINVAL; -+ - return 0; - } - EXPORT_SYMBOL(xt_check_entry_offsets); diff --git a/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch b/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch deleted file mode 100644 index 75270cf93a06..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch +++ /dev/null @@ -1,798 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:34 +0200 -Subject: netfilter: x_tables: do compat validation via translate_table -Origin: https://git.kernel.org/linus/09d9686047dbbe1cf4faa558d3ecc4aae2046054 - -This looks like refactoring, but its also a bug fix. - -Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few -sanity tests that are done in the normal path. - -For example, we do not check for underflows and the base chain policies. - -While its possible to also add such checks to the compat path, its more -copy&pastry, for instance we cannot reuse check_underflow() helper as -e->target_offset differs in the compat case. - -Other problem is that it makes auditing for validation errors harder; two -places need to be checked and kept in sync. - -At a high level 32 bit compat works like this: -1- initial pass over blob: - validate match/entry offsets, bounds checking - lookup all matches and targets - do bookkeeping wrt. size delta of 32/64bit structures - assign match/target.u.kernel pointer (points at kernel - implementation, needed to access ->compatsize etc.) - -2- allocate memory according to the total bookkeeping size to - contain the translated ruleset - -3- second pass over original blob: - for each entry, copy the 32bit representation to the newly allocated - memory. This also does any special match translations (e.g. - adjust 32bit to 64bit longs, etc). - -4- check if ruleset is free of loops (chase all jumps) - -5-first pass over translated blob: - call the checkentry function of all matches and targets. - -The alternative implemented by this patch is to drop steps 3&4 from the -compat process, the translation is changed into an intermediate step -rather than a full 1:1 translate_table replacement. - -In the 2nd pass (step #3), change the 64bit ruleset back to a kernel -representation, i.e. put() the kernel pointer and restore ->u.user.name . - -This gets us a 64bit ruleset that is in the format generated by a 64bit -iptables userspace -- we can then use translate_table() to get the -'native' sanity checks. - -This has two drawbacks: - -1. we re-validate all the match and target entry structure sizes even -though compat translation is supposed to never generate bogus offsets. -2. we put and then re-lookup each match and target. - -THe upside is that we get all sanity tests and ruleset validations -provided by the normal path and can remove some duplicated compat code. - -iptables-restore time of autogenerated ruleset with 300k chains of form --A CHAIN0001 -m limit --limit 1/s -j CHAIN0002 --A CHAIN0002 -m limit --limit 1/s -j CHAIN0003 - -shows no noticeable differences in restore times: -old: 0m30.796s -new: 0m31.521s -64bit: 0m25.674s - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 114 ++++++----------------------- - net/ipv4/netfilter/ip_tables.c | 155 ++++++++-------------------------------- - net/ipv6/netfilter/ip6_tables.c | 148 ++++++-------------------------------- - net/netfilter/x_tables.c | 8 +++ - 4 files changed, 83 insertions(+), 342 deletions(-) - ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -1234,19 +1234,17 @@ static inline void compat_release_entry( - module_put(t->u.kernel.target->me); - } - --static inline int -+static int - check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, - struct xt_table_info *newinfo, - unsigned int *size, - const unsigned char *base, -- const unsigned char *limit, -- const unsigned int *hook_entries, -- const unsigned int *underflows) -+ const unsigned char *limit) - { - struct xt_entry_target *t; - struct xt_target *target; - unsigned int entry_offset; -- int ret, off, h; -+ int ret, off; - - duprintf("check_compat_entry_size_and_hooks %p\n", e); - if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || -@@ -1291,17 +1289,6 @@ check_compat_entry_size_and_hooks(struct - if (ret) - goto release_target; - -- /* Check hooks & underflows */ -- for (h = 0; h < NF_ARP_NUMHOOKS; h++) { -- if ((unsigned char *)e - base == hook_entries[h]) -- newinfo->hook_entry[h] = hook_entries[h]; -- if ((unsigned char *)e - base == underflows[h]) -- newinfo->underflow[h] = underflows[h]; -- } -- -- /* Clear counters and comefrom */ -- memset(&e->counters, 0, sizeof(e->counters)); -- e->comefrom = 0; - return 0; - - release_target: -@@ -1351,7 +1338,7 @@ static int translate_compat_table(struct - struct xt_table_info *newinfo, *info; - void *pos, *entry0, *entry1; - struct compat_arpt_entry *iter0; -- struct arpt_entry *iter1; -+ struct arpt_replace repl; - unsigned int size; - int ret = 0; - -@@ -1360,12 +1347,6 @@ static int translate_compat_table(struct - size = compatr->size; - info->number = compatr->num_entries; - -- /* Init all hooks to impossible value. */ -- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -- info->hook_entry[i] = 0xFFFFFFFF; -- info->underflow[i] = 0xFFFFFFFF; -- } -- - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(NFPROTO_ARP); -@@ -1374,9 +1355,7 @@ static int translate_compat_table(struct - xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + compatr->size, -- compatr->hook_entry, -- compatr->underflow); -+ entry0 + compatr->size); - if (ret != 0) - goto out_unlock; - ++j; -@@ -1389,23 +1368,6 @@ static int translate_compat_table(struct - goto out_unlock; - } - -- /* Check hooks all assigned */ -- for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -- /* Only hooks which are valid */ -- if (!(compatr->valid_hooks & (1 << i))) -- continue; -- if (info->hook_entry[i] == 0xFFFFFFFF) { -- duprintf("Invalid hook entry %u %u\n", -- i, info->hook_entry[i]); -- goto out_unlock; -- } -- if (info->underflow[i] == 0xFFFFFFFF) { -- duprintf("Invalid underflow %u %u\n", -- i, info->underflow[i]); -- goto out_unlock; -- } -- } -- - ret = -ENOMEM; - newinfo = xt_alloc_table_info(size); - if (!newinfo) -@@ -1422,55 +1384,26 @@ static int translate_compat_table(struct - xt_entry_foreach(iter0, entry0, compatr->size) - compat_copy_entry_from_user(iter0, &pos, &size, - newinfo, entry1); -+ -+ /* all module references in entry0 are now gone */ -+ - xt_compat_flush_offsets(NFPROTO_ARP); - xt_compat_unlock(NFPROTO_ARP); - -- ret = -ELOOP; -- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) -- goto free_newinfo; -- -- i = 0; -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- iter1->counters.pcnt = xt_percpu_counter_alloc(); -- if (IS_ERR_VALUE(iter1->counters.pcnt)) { -- ret = -ENOMEM; -- break; -- } -+ memcpy(&repl, compatr, sizeof(*compatr)); - -- ret = check_target(iter1, compatr->name); -- if (ret != 0) { -- xt_percpu_counter_free(iter1->counters.pcnt); -- break; -- } -- ++i; -- if (strcmp(arpt_get_target(iter1)->u.user.name, -- XT_ERROR_TARGET) == 0) -- ++newinfo->stacksize; -- } -- if (ret) { -- /* -- * The first i matches need cleanup_entry (calls ->destroy) -- * because they had called ->check already. The other j-i -- * entries need only release. -- */ -- int skip = i; -- j -= i; -- xt_entry_foreach(iter0, entry0, newinfo->size) { -- if (skip-- > 0) -- continue; -- if (j-- == 0) -- break; -- compat_release_entry(iter0); -- } -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- if (i-- == 0) -- break; -- cleanup_entry(iter1); -- } -- xt_free_table_info(newinfo); -- return ret; -+ for (i = 0; i < NF_ARP_NUMHOOKS; i++) { -+ repl.hook_entry[i] = newinfo->hook_entry[i]; -+ repl.underflow[i] = newinfo->underflow[i]; - } - -+ repl.num_counters = 0; -+ repl.counters = NULL; -+ repl.size = newinfo->size; -+ ret = translate_table(newinfo, entry1, &repl); -+ if (ret) -+ goto free_newinfo; -+ - *pinfo = newinfo; - *pentry0 = entry1; - xt_free_table_info(info); -@@ -1478,17 +1411,16 @@ static int translate_compat_table(struct - - free_newinfo: - xt_free_table_info(newinfo); --out: -+ return ret; -+out_unlock: -+ xt_compat_flush_offsets(NFPROTO_ARP); -+ xt_compat_unlock(NFPROTO_ARP); - xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); - } - return ret; --out_unlock: -- xt_compat_flush_offsets(NFPROTO_ARP); -- xt_compat_unlock(NFPROTO_ARP); -- goto out; - } - - static int compat_do_replace(struct net *net, void __user *user, ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -1483,16 +1483,14 @@ check_compat_entry_size_and_hooks(struct - struct xt_table_info *newinfo, - unsigned int *size, - const unsigned char *base, -- const unsigned char *limit, -- const unsigned int *hook_entries, -- const unsigned int *underflows) -+ const unsigned char *limit) - { - struct xt_entry_match *ematch; - struct xt_entry_target *t; - struct xt_target *target; - unsigned int entry_offset; - unsigned int j; -- int ret, off, h; -+ int ret, off; - - duprintf("check_compat_entry_size_and_hooks %p\n", e); - if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || -@@ -1544,17 +1542,6 @@ check_compat_entry_size_and_hooks(struct - if (ret) - goto out; - -- /* Check hooks & underflows */ -- for (h = 0; h < NF_INET_NUMHOOKS; h++) { -- if ((unsigned char *)e - base == hook_entries[h]) -- newinfo->hook_entry[h] = hook_entries[h]; -- if ((unsigned char *)e - base == underflows[h]) -- newinfo->underflow[h] = underflows[h]; -- } -- -- /* Clear counters and comefrom */ -- memset(&e->counters, 0, sizeof(e->counters)); -- e->comefrom = 0; - return 0; - - out: -@@ -1597,6 +1584,7 @@ compat_copy_entry_from_user(struct compa - xt_compat_target_from_user(t, dstptr, size); - - de->next_offset = e->next_offset - (origsize - *size); -+ - for (h = 0; h < NF_INET_NUMHOOKS; h++) { - if ((unsigned char *)de - base < newinfo->hook_entry[h]) - newinfo->hook_entry[h] -= origsize - *size; -@@ -1606,48 +1594,6 @@ compat_copy_entry_from_user(struct compa - } - - static int --compat_check_entry(struct ipt_entry *e, struct net *net, const char *name) --{ -- struct xt_entry_match *ematch; -- struct xt_mtchk_param mtpar; -- unsigned int j; -- int ret = 0; -- -- e->counters.pcnt = xt_percpu_counter_alloc(); -- if (IS_ERR_VALUE(e->counters.pcnt)) -- return -ENOMEM; -- -- j = 0; -- mtpar.net = net; -- mtpar.table = name; -- mtpar.entryinfo = &e->ip; -- mtpar.hook_mask = e->comefrom; -- mtpar.family = NFPROTO_IPV4; -- xt_ematch_foreach(ematch, e) { -- ret = check_match(ematch, &mtpar); -- if (ret != 0) -- goto cleanup_matches; -- ++j; -- } -- -- ret = check_target(e, net, name); -- if (ret) -- goto cleanup_matches; -- return 0; -- -- cleanup_matches: -- xt_ematch_foreach(ematch, e) { -- if (j-- == 0) -- break; -- cleanup_match(ematch, net); -- } -- -- xt_percpu_counter_free(e->counters.pcnt); -- -- return ret; --} -- --static int - translate_compat_table(struct net *net, - struct xt_table_info **pinfo, - void **pentry0, -@@ -1657,7 +1603,7 @@ translate_compat_table(struct net *net, - struct xt_table_info *newinfo, *info; - void *pos, *entry0, *entry1; - struct compat_ipt_entry *iter0; -- struct ipt_entry *iter1; -+ struct ipt_replace repl; - unsigned int size; - int ret; - -@@ -1666,12 +1612,6 @@ translate_compat_table(struct net *net, - size = compatr->size; - info->number = compatr->num_entries; - -- /* Init all hooks to impossible value. */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- info->hook_entry[i] = 0xFFFFFFFF; -- info->underflow[i] = 0xFFFFFFFF; -- } -- - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(AF_INET); -@@ -1680,9 +1620,7 @@ translate_compat_table(struct net *net, - xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + compatr->size, -- compatr->hook_entry, -- compatr->underflow); -+ entry0 + compatr->size); - if (ret != 0) - goto out_unlock; - ++j; -@@ -1695,23 +1633,6 @@ translate_compat_table(struct net *net, - goto out_unlock; - } - -- /* Check hooks all assigned */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- /* Only hooks which are valid */ -- if (!(compatr->valid_hooks & (1 << i))) -- continue; -- if (info->hook_entry[i] == 0xFFFFFFFF) { -- duprintf("Invalid hook entry %u %u\n", -- i, info->hook_entry[i]); -- goto out_unlock; -- } -- if (info->underflow[i] == 0xFFFFFFFF) { -- duprintf("Invalid underflow %u %u\n", -- i, info->underflow[i]); -- goto out_unlock; -- } -- } -- - ret = -ENOMEM; - newinfo = xt_alloc_table_info(size); - if (!newinfo) -@@ -1719,8 +1640,8 @@ translate_compat_table(struct net *net, - - newinfo->number = compatr->num_entries; - for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- newinfo->hook_entry[i] = info->hook_entry[i]; -- newinfo->underflow[i] = info->underflow[i]; -+ newinfo->hook_entry[i] = compatr->hook_entry[i]; -+ newinfo->underflow[i] = compatr->underflow[i]; - } - entry1 = newinfo->entries; - pos = entry1; -@@ -1729,47 +1650,30 @@ translate_compat_table(struct net *net, - compat_copy_entry_from_user(iter0, &pos, &size, - newinfo, entry1); - -+ /* all module references in entry0 are now gone. -+ * entry1/newinfo contains a 64bit ruleset that looks exactly as -+ * generated by 64bit userspace. -+ * -+ * Call standard translate_table() to validate all hook_entrys, -+ * underflows, check for loops, etc. -+ */ - xt_compat_flush_offsets(AF_INET); - xt_compat_unlock(AF_INET); - -- ret = -ELOOP; -- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) -- goto free_newinfo; -+ memcpy(&repl, compatr, sizeof(*compatr)); - -- i = 0; -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = compat_check_entry(iter1, net, compatr->name); -- if (ret != 0) -- break; -- ++i; -- if (strcmp(ipt_get_target(iter1)->u.user.name, -- XT_ERROR_TARGET) == 0) -- ++newinfo->stacksize; -- } -- if (ret) { -- /* -- * The first i matches need cleanup_entry (calls ->destroy) -- * because they had called ->check already. The other j-i -- * entries need only release. -- */ -- int skip = i; -- j -= i; -- xt_entry_foreach(iter0, entry0, newinfo->size) { -- if (skip-- > 0) -- continue; -- if (j-- == 0) -- break; -- compat_release_entry(iter0); -- } -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- if (i-- == 0) -- break; -- cleanup_entry(iter1, net); -- } -- xt_free_table_info(newinfo); -- return ret; -+ for (i = 0; i < NF_INET_NUMHOOKS; i++) { -+ repl.hook_entry[i] = newinfo->hook_entry[i]; -+ repl.underflow[i] = newinfo->underflow[i]; - } - -+ repl.num_counters = 0; -+ repl.counters = NULL; -+ repl.size = newinfo->size; -+ ret = translate_table(net, newinfo, entry1, &repl); -+ if (ret) -+ goto free_newinfo; -+ - *pinfo = newinfo; - *pentry0 = entry1; - xt_free_table_info(info); -@@ -1777,17 +1681,16 @@ translate_compat_table(struct net *net, - - free_newinfo: - xt_free_table_info(newinfo); --out: -+ return ret; -+out_unlock: -+ xt_compat_flush_offsets(AF_INET); -+ xt_compat_unlock(AF_INET); - xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); - } - return ret; --out_unlock: -- xt_compat_flush_offsets(AF_INET); -- xt_compat_unlock(AF_INET); -- goto out; - } - - static int ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -1495,16 +1495,14 @@ check_compat_entry_size_and_hooks(struct - struct xt_table_info *newinfo, - unsigned int *size, - const unsigned char *base, -- const unsigned char *limit, -- const unsigned int *hook_entries, -- const unsigned int *underflows) -+ const unsigned char *limit) - { - struct xt_entry_match *ematch; - struct xt_entry_target *t; - struct xt_target *target; - unsigned int entry_offset; - unsigned int j; -- int ret, off, h; -+ int ret, off; - - duprintf("check_compat_entry_size_and_hooks %p\n", e); - if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 || -@@ -1556,17 +1554,6 @@ check_compat_entry_size_and_hooks(struct - if (ret) - goto out; - -- /* Check hooks & underflows */ -- for (h = 0; h < NF_INET_NUMHOOKS; h++) { -- if ((unsigned char *)e - base == hook_entries[h]) -- newinfo->hook_entry[h] = hook_entries[h]; -- if ((unsigned char *)e - base == underflows[h]) -- newinfo->underflow[h] = underflows[h]; -- } -- -- /* Clear counters and comefrom */ -- memset(&e->counters, 0, sizeof(e->counters)); -- e->comefrom = 0; - return 0; - - out: -@@ -1615,47 +1602,6 @@ compat_copy_entry_from_user(struct compa - } - } - --static int compat_check_entry(struct ip6t_entry *e, struct net *net, -- const char *name) --{ -- unsigned int j; -- int ret = 0; -- struct xt_mtchk_param mtpar; -- struct xt_entry_match *ematch; -- -- e->counters.pcnt = xt_percpu_counter_alloc(); -- if (IS_ERR_VALUE(e->counters.pcnt)) -- return -ENOMEM; -- j = 0; -- mtpar.net = net; -- mtpar.table = name; -- mtpar.entryinfo = &e->ipv6; -- mtpar.hook_mask = e->comefrom; -- mtpar.family = NFPROTO_IPV6; -- xt_ematch_foreach(ematch, e) { -- ret = check_match(ematch, &mtpar); -- if (ret != 0) -- goto cleanup_matches; -- ++j; -- } -- -- ret = check_target(e, net, name); -- if (ret) -- goto cleanup_matches; -- return 0; -- -- cleanup_matches: -- xt_ematch_foreach(ematch, e) { -- if (j-- == 0) -- break; -- cleanup_match(ematch, net); -- } -- -- xt_percpu_counter_free(e->counters.pcnt); -- -- return ret; --} -- - static int - translate_compat_table(struct net *net, - struct xt_table_info **pinfo, -@@ -1666,7 +1612,7 @@ translate_compat_table(struct net *net, - struct xt_table_info *newinfo, *info; - void *pos, *entry0, *entry1; - struct compat_ip6t_entry *iter0; -- struct ip6t_entry *iter1; -+ struct ip6t_replace repl; - unsigned int size; - int ret = 0; - -@@ -1675,12 +1621,6 @@ translate_compat_table(struct net *net, - size = compatr->size; - info->number = compatr->num_entries; - -- /* Init all hooks to impossible value. */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- info->hook_entry[i] = 0xFFFFFFFF; -- info->underflow[i] = 0xFFFFFFFF; -- } -- - duprintf("translate_compat_table: size %u\n", info->size); - j = 0; - xt_compat_lock(AF_INET6); -@@ -1689,9 +1629,7 @@ translate_compat_table(struct net *net, - xt_entry_foreach(iter0, entry0, compatr->size) { - ret = check_compat_entry_size_and_hooks(iter0, info, &size, - entry0, -- entry0 + compatr->size, -- compatr->hook_entry, -- compatr->underflow); -+ entry0 + compatr->size); - if (ret != 0) - goto out_unlock; - ++j; -@@ -1704,23 +1642,6 @@ translate_compat_table(struct net *net, - goto out_unlock; - } - -- /* Check hooks all assigned */ -- for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- /* Only hooks which are valid */ -- if (!(compatr->valid_hooks & (1 << i))) -- continue; -- if (info->hook_entry[i] == 0xFFFFFFFF) { -- duprintf("Invalid hook entry %u %u\n", -- i, info->hook_entry[i]); -- goto out_unlock; -- } -- if (info->underflow[i] == 0xFFFFFFFF) { -- duprintf("Invalid underflow %u %u\n", -- i, info->underflow[i]); -- goto out_unlock; -- } -- } -- - ret = -ENOMEM; - newinfo = xt_alloc_table_info(size); - if (!newinfo) -@@ -1728,56 +1649,34 @@ translate_compat_table(struct net *net, - - newinfo->number = compatr->num_entries; - for (i = 0; i < NF_INET_NUMHOOKS; i++) { -- newinfo->hook_entry[i] = info->hook_entry[i]; -- newinfo->underflow[i] = info->underflow[i]; -+ newinfo->hook_entry[i] = compatr->hook_entry[i]; -+ newinfo->underflow[i] = compatr->underflow[i]; - } - entry1 = newinfo->entries; - pos = entry1; -+ size = compatr->size; - xt_entry_foreach(iter0, entry0, compatr->size) - compat_copy_entry_from_user(iter0, &pos, &size, - newinfo, entry1); - -+ /* all module references in entry0 are now gone. */ - xt_compat_flush_offsets(AF_INET6); - xt_compat_unlock(AF_INET6); - -- ret = -ELOOP; -- if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) -- goto free_newinfo; -+ memcpy(&repl, compatr, sizeof(*compatr)); - -- i = 0; -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- ret = compat_check_entry(iter1, net, compatr->name); -- if (ret != 0) -- break; -- ++i; -- if (strcmp(ip6t_get_target(iter1)->u.user.name, -- XT_ERROR_TARGET) == 0) -- ++newinfo->stacksize; -- } -- if (ret) { -- /* -- * The first i matches need cleanup_entry (calls ->destroy) -- * because they had called ->check already. The other j-i -- * entries need only release. -- */ -- int skip = i; -- j -= i; -- xt_entry_foreach(iter0, entry0, newinfo->size) { -- if (skip-- > 0) -- continue; -- if (j-- == 0) -- break; -- compat_release_entry(iter0); -- } -- xt_entry_foreach(iter1, entry1, newinfo->size) { -- if (i-- == 0) -- break; -- cleanup_entry(iter1, net); -- } -- xt_free_table_info(newinfo); -- return ret; -+ for (i = 0; i < NF_INET_NUMHOOKS; i++) { -+ repl.hook_entry[i] = newinfo->hook_entry[i]; -+ repl.underflow[i] = newinfo->underflow[i]; - } - -+ repl.num_counters = 0; -+ repl.counters = NULL; -+ repl.size = newinfo->size; -+ ret = translate_table(net, newinfo, entry1, &repl); -+ if (ret) -+ goto free_newinfo; -+ - *pinfo = newinfo; - *pentry0 = entry1; - xt_free_table_info(info); -@@ -1785,17 +1684,16 @@ translate_compat_table(struct net *net, - - free_newinfo: - xt_free_table_info(newinfo); --out: -+ return ret; -+out_unlock: -+ xt_compat_flush_offsets(AF_INET6); -+ xt_compat_unlock(AF_INET6); - xt_entry_foreach(iter0, entry0, compatr->size) { - if (j-- == 0) - break; - compat_release_entry(iter0); - } - return ret; --out_unlock: -- xt_compat_flush_offsets(AF_INET6); -- xt_compat_unlock(AF_INET6); -- goto out; - } - - static int ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -533,6 +533,7 @@ void xt_compat_match_from_user(struct xt - struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; - int pad, off = xt_compat_match_offset(match); - u_int16_t msize = cm->u.user.match_size; -+ char name[sizeof(m->u.user.name)]; - - m = *dstptr; - memcpy(m, cm, sizeof(*cm)); -@@ -546,6 +547,9 @@ void xt_compat_match_from_user(struct xt - - msize += off; - m->u.user.match_size = msize; -+ strlcpy(name, match->name, sizeof(name)); -+ module_put(match->me); -+ strncpy(m->u.user.name, name, sizeof(m->u.user.name)); - - *size += off; - *dstptr += msize; -@@ -763,6 +767,7 @@ void xt_compat_target_from_user(struct x - struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; - int pad, off = xt_compat_target_offset(target); - u_int16_t tsize = ct->u.user.target_size; -+ char name[sizeof(t->u.user.name)]; - - t = *dstptr; - memcpy(t, ct, sizeof(*ct)); -@@ -776,6 +781,9 @@ void xt_compat_target_from_user(struct x - - tsize += off; - t->u.user.target_size = tsize; -+ strlcpy(name, target->name, sizeof(name)); -+ module_put(target->me); -+ strncpy(t->u.user.name, name, sizeof(t->u.user.name)); - - *size += off; - *dstptr += tsize; diff --git a/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch b/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch deleted file mode 100644 index 23ad93f795ac..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch +++ /dev/null @@ -1,100 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:21 +0200 -Subject: netfilter: x_tables: don't move to non-existent next rule -Origin: https://git.kernel.org/linus/f24e230d257af1ad7476c6e81a8dc3127a74204e - -Ben Hawkes says: - - In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it - is possible for a user-supplied ipt_entry structure to have a large - next_offset field. This field is not bounds checked prior to writing a - counter value at the supplied offset. - -Base chains enforce absolute verdict. - -User defined chains are supposed to end with an unconditional return, -xtables userspace adds them automatically. - -But if such return is missing we will move to non-existent next rule. - -Reported-by: Ben Hawkes -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 8 +++++--- - net/ipv4/netfilter/ip_tables.c | 4 ++++ - net/ipv6/netfilter/ip6_tables.c | 4 ++++ - 3 files changed, 13 insertions(+), 3 deletions(-) - ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -439,6 +439,8 @@ static int mark_source_chains(const stru - size = e->next_offset; - e = (struct arpt_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -461,6 +463,8 @@ static int mark_source_chains(const stru - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct arpt_entry *) - (entry0 + newpos); -@@ -691,10 +695,8 @@ static int translate_table(struct xt_tab - } - } - -- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) { -- duprintf("Looping hook\n"); -+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) - return -ELOOP; -- } - - /* Finally, each sanity check must pass */ - i = 0; ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -520,6 +520,8 @@ mark_source_chains(const struct xt_table - size = e->next_offset; - e = (struct ipt_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -541,6 +543,8 @@ mark_source_chains(const struct xt_table - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct ipt_entry *) - (entry0 + newpos); ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -532,6 +532,8 @@ mark_source_chains(const struct xt_table - size = e->next_offset; - e = (struct ip6t_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -553,6 +555,8 @@ mark_source_chains(const struct xt_table - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct ip6t_entry *) - (entry0 + newpos); diff --git a/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch b/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch deleted file mode 100644 index 75001438576b..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Florian Westphal -Date: Wed, 1 Jun 2016 02:04:44 +0200 -Subject: netfilter: x_tables: don't reject valid target size on some - architectures -Origin: https://git.kernel.org/linus/7b7eba0f3515fca3296b8881d583f7c1042f5226 - -Quoting John Stultz: - In updating a 32bit arm device from 4.6 to Linus' current HEAD, I - noticed I was having some trouble with networking, and realized that - /proc/net/ip_tables_names was suddenly empty. - Digging through the registration process, it seems we're catching on the: - - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && - target_offset + sizeof(struct xt_standard_target) != next_offset) - return -EINVAL; - - Where next_offset seems to be 4 bytes larger then the - offset + standard_target struct size. - -next_offset needs to be aligned via XT_ALIGN (so we can access all members -of ip(6)t_entry struct). - -This problem didn't show up on i686 as it only needs 4-byte alignment for -u64, but iptables userspace on other 32bit arches does insert extra padding. - -Reported-by: John Stultz -Tested-by: John Stultz -Fixes: 7ed2abddd20cf ("netfilter: x_tables: check standard target size too") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/x_tables.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -609,7 +609,7 @@ int xt_compat_check_entry_offsets(const - return -EINVAL; - - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && -- target_offset + sizeof(struct compat_xt_standard_target) != next_offset) -+ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset) - return -EINVAL; - - /* compat_xt_entry match has less strict aligment requirements, -@@ -691,7 +691,7 @@ int xt_check_entry_offsets(const void *b - return -EINVAL; - - if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && -- target_offset + sizeof(struct xt_standard_target) != next_offset) -+ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset) - return -EINVAL; - - return xt_check_entry_match(elems, base + target_offset, diff --git a/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch b/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch deleted file mode 100644 index 263f64d7c011..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch +++ /dev/null @@ -1,328 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 15:37:59 +0200 -Subject: netfilter: x_tables: introduce and use xt_copy_counters_from_user -Origin: https://git.kernel.org/linus/d7591f0c41ce3e67600a982bab6989ef0f07b3ce - -The three variants use same copy&pasted code, condense this into a -helper and use that. - -Make sure info.name is 0-terminated. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/x_tables.h | 3 ++ - net/ipv4/netfilter/arp_tables.c | 48 +++---------------------- - net/ipv4/netfilter/ip_tables.c | 48 +++---------------------- - net/ipv6/netfilter/ip6_tables.c | 49 +++---------------------- - net/netfilter/x_tables.c | 74 ++++++++++++++++++++++++++++++++++++++ - 5 files changed, 92 insertions(+), 130 deletions(-) - ---- a/include/linux/netfilter/x_tables.h -+++ b/include/linux/netfilter/x_tables.h -@@ -251,6 +251,9 @@ int xt_check_match(struct xt_mtchk_param - int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto, - bool inv_proto); - -+void *xt_copy_counters_from_user(const void __user *user, unsigned int len, -+ struct xt_counters_info *info, bool compat); -+ - struct xt_table *xt_register_table(struct net *net, - const struct xt_table *table, - struct xt_table_info *bootstrap, ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -1131,55 +1131,17 @@ static int do_add_counters(struct net *n - unsigned int i; - struct xt_counters_info tmp; - struct xt_counters *paddc; -- unsigned int num_counters; -- const char *name; -- int size; -- void *ptmp; - struct xt_table *t; - const struct xt_table_info *private; - int ret = 0; - struct arpt_entry *iter; - unsigned int addend; --#ifdef CONFIG_COMPAT -- struct compat_xt_counters_info compat_tmp; - -- if (compat) { -- ptmp = &compat_tmp; -- size = sizeof(struct compat_xt_counters_info); -- } else --#endif -- { -- ptmp = &tmp; -- size = sizeof(struct xt_counters_info); -- } -- -- if (copy_from_user(ptmp, user, size) != 0) -- return -EFAULT; -- --#ifdef CONFIG_COMPAT -- if (compat) { -- num_counters = compat_tmp.num_counters; -- name = compat_tmp.name; -- } else --#endif -- { -- num_counters = tmp.num_counters; -- name = tmp.name; -- } -- -- if (len != size + num_counters * sizeof(struct xt_counters)) -- return -EINVAL; -- -- paddc = vmalloc(len - size); -- if (!paddc) -- return -ENOMEM; -- -- if (copy_from_user(paddc, user + size, len - size) != 0) { -- ret = -EFAULT; -- goto free; -- } -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); -+ if (IS_ERR(paddc)) -+ return PTR_ERR(paddc); - -- t = xt_find_table_lock(net, NFPROTO_ARP, name); -+ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name); - if (IS_ERR_OR_NULL(t)) { - ret = t ? PTR_ERR(t) : -ENOENT; - goto free; -@@ -1187,7 +1149,7 @@ static int do_add_counters(struct net *n - - local_bh_disable(); - private = t->private; -- if (private->number != num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -1314,55 +1314,17 @@ do_add_counters(struct net *net, const v - unsigned int i; - struct xt_counters_info tmp; - struct xt_counters *paddc; -- unsigned int num_counters; -- const char *name; -- int size; -- void *ptmp; - struct xt_table *t; - const struct xt_table_info *private; - int ret = 0; - struct ipt_entry *iter; - unsigned int addend; --#ifdef CONFIG_COMPAT -- struct compat_xt_counters_info compat_tmp; - -- if (compat) { -- ptmp = &compat_tmp; -- size = sizeof(struct compat_xt_counters_info); -- } else --#endif -- { -- ptmp = &tmp; -- size = sizeof(struct xt_counters_info); -- } -- -- if (copy_from_user(ptmp, user, size) != 0) -- return -EFAULT; -- --#ifdef CONFIG_COMPAT -- if (compat) { -- num_counters = compat_tmp.num_counters; -- name = compat_tmp.name; -- } else --#endif -- { -- num_counters = tmp.num_counters; -- name = tmp.name; -- } -- -- if (len != size + num_counters * sizeof(struct xt_counters)) -- return -EINVAL; -- -- paddc = vmalloc(len - size); -- if (!paddc) -- return -ENOMEM; -- -- if (copy_from_user(paddc, user + size, len - size) != 0) { -- ret = -EFAULT; -- goto free; -- } -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); -+ if (IS_ERR(paddc)) -+ return PTR_ERR(paddc); - -- t = xt_find_table_lock(net, AF_INET, name); -+ t = xt_find_table_lock(net, AF_INET, tmp.name); - if (IS_ERR_OR_NULL(t)) { - ret = t ? PTR_ERR(t) : -ENOENT; - goto free; -@@ -1370,7 +1332,7 @@ do_add_counters(struct net *net, const v - - local_bh_disable(); - private = t->private; -- if (private->number != num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -1326,55 +1326,16 @@ do_add_counters(struct net *net, const v - unsigned int i; - struct xt_counters_info tmp; - struct xt_counters *paddc; -- unsigned int num_counters; -- char *name; -- int size; -- void *ptmp; - struct xt_table *t; - const struct xt_table_info *private; - int ret = 0; - struct ip6t_entry *iter; - unsigned int addend; --#ifdef CONFIG_COMPAT -- struct compat_xt_counters_info compat_tmp; - -- if (compat) { -- ptmp = &compat_tmp; -- size = sizeof(struct compat_xt_counters_info); -- } else --#endif -- { -- ptmp = &tmp; -- size = sizeof(struct xt_counters_info); -- } -- -- if (copy_from_user(ptmp, user, size) != 0) -- return -EFAULT; -- --#ifdef CONFIG_COMPAT -- if (compat) { -- num_counters = compat_tmp.num_counters; -- name = compat_tmp.name; -- } else --#endif -- { -- num_counters = tmp.num_counters; -- name = tmp.name; -- } -- -- if (len != size + num_counters * sizeof(struct xt_counters)) -- return -EINVAL; -- -- paddc = vmalloc(len - size); -- if (!paddc) -- return -ENOMEM; -- -- if (copy_from_user(paddc, user + size, len - size) != 0) { -- ret = -EFAULT; -- goto free; -- } -- -- t = xt_find_table_lock(net, AF_INET6, name); -+ paddc = xt_copy_counters_from_user(user, len, &tmp, compat); -+ if (IS_ERR(paddc)) -+ return PTR_ERR(paddc); -+ t = xt_find_table_lock(net, AF_INET6, tmp.name); - if (IS_ERR_OR_NULL(t)) { - ret = t ? PTR_ERR(t) : -ENOENT; - goto free; -@@ -1382,7 +1343,7 @@ do_add_counters(struct net *net, const v - - local_bh_disable(); - private = t->private; -- if (private->number != num_counters) { -+ if (private->number != tmp.num_counters) { - ret = -EINVAL; - goto unlock_up_free; - } ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -752,6 +752,80 @@ int xt_check_target(struct xt_tgchk_para - } - EXPORT_SYMBOL_GPL(xt_check_target); - -+/** -+ * xt_copy_counters_from_user - copy counters and metadata from userspace -+ * -+ * @user: src pointer to userspace memory -+ * @len: alleged size of userspace memory -+ * @info: where to store the xt_counters_info metadata -+ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel -+ * -+ * Copies counter meta data from @user and stores it in @info. -+ * -+ * vmallocs memory to hold the counters, then copies the counter data -+ * from @user to the new memory and returns a pointer to it. -+ * -+ * If @compat is true, @info gets converted automatically to the 64bit -+ * representation. -+ * -+ * The metadata associated with the counters is stored in @info. -+ * -+ * Return: returns pointer that caller has to test via IS_ERR(). -+ * If IS_ERR is false, caller has to vfree the pointer. -+ */ -+void *xt_copy_counters_from_user(const void __user *user, unsigned int len, -+ struct xt_counters_info *info, bool compat) -+{ -+ void *mem; -+ u64 size; -+ -+#ifdef CONFIG_COMPAT -+ if (compat) { -+ /* structures only differ in size due to alignment */ -+ struct compat_xt_counters_info compat_tmp; -+ -+ if (len <= sizeof(compat_tmp)) -+ return ERR_PTR(-EINVAL); -+ -+ len -= sizeof(compat_tmp); -+ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) -+ return ERR_PTR(-EFAULT); -+ -+ strlcpy(info->name, compat_tmp.name, sizeof(info->name)); -+ info->num_counters = compat_tmp.num_counters; -+ user += sizeof(compat_tmp); -+ } else -+#endif -+ { -+ if (len <= sizeof(*info)) -+ return ERR_PTR(-EINVAL); -+ -+ len -= sizeof(*info); -+ if (copy_from_user(info, user, sizeof(*info)) != 0) -+ return ERR_PTR(-EFAULT); -+ -+ info->name[sizeof(info->name) - 1] = '\0'; -+ user += sizeof(*info); -+ } -+ -+ size = sizeof(struct xt_counters); -+ size *= info->num_counters; -+ -+ if (size != (u64)len) -+ return ERR_PTR(-EINVAL); -+ -+ mem = vmalloc(len); -+ if (!mem) -+ return ERR_PTR(-ENOMEM); -+ -+ if (copy_from_user(mem, user, len) == 0) -+ return mem; -+ -+ vfree(mem); -+ return ERR_PTR(-EFAULT); -+} -+EXPORT_SYMBOL_GPL(xt_copy_counters_from_user); -+ - #ifdef CONFIG_COMPAT - int xt_compat_target_offset(const struct xt_target *target) - { diff --git a/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch b/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch deleted file mode 100644 index 37de1a8b7c01..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch +++ /dev/null @@ -1,149 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:24 +0200 -Subject: netfilter: x_tables: kill check_entry helper -Origin: https://git.kernel.org/linus/aa412ba225dd3bc36d404c28cdc3d674850d80d0 - -Once we add more sanity testing to xt_check_entry_offsets it -becomes relvant if we're expecting a 32bit 'config_compat' blob -or a normal one. - -Since we already have a lot of similar-named functions (check_entry, -compat_check_entry, find_and_check_entry, etc.) and the current -incarnation is short just fold its contents into the callers. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 19 ++++++++----------- - net/ipv4/netfilter/ip_tables.c | 20 ++++++++------------ - net/ipv6/netfilter/ip6_tables.c | 20 ++++++++------------ - 3 files changed, 24 insertions(+), 35 deletions(-) - ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -494,14 +494,6 @@ next: - return 1; - } - --static inline int check_entry(const struct arpt_entry *e) --{ -- if (!arp_checkentry(&e->arp)) -- return -EINVAL; -- -- return xt_check_entry_offsets(e, e->target_offset, e->next_offset); --} -- - static inline int check_target(struct arpt_entry *e, const char *name) - { - struct xt_entry_target *t = arpt_get_target(e); -@@ -597,7 +589,10 @@ static inline int check_entry_size_and_h - return -EINVAL; - } - -- err = check_entry(e); -+ if (!arp_checkentry(&e->arp)) -+ return -EINVAL; -+ -+ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); - if (err) - return err; - -@@ -1256,8 +1251,10 @@ check_compat_entry_size_and_hooks(struct - return -EINVAL; - } - -- /* For purposes of check_entry casting the compat entry is fine */ -- ret = check_entry((struct arpt_entry *)e); -+ if (!arp_checkentry(&e->arp)) -+ return -EINVAL; -+ -+ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); - if (ret) - return ret; - ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -588,15 +588,6 @@ static void cleanup_match(struct xt_entr - } - - static int --check_entry(const struct ipt_entry *e) --{ -- if (!ip_checkentry(&e->ip)) -- return -EINVAL; -- -- return xt_check_entry_offsets(e, e->target_offset, e->next_offset); --} -- --static int - check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) - { - const struct ipt_ip *ip = par->entryinfo; -@@ -760,7 +751,10 @@ check_entry_size_and_hooks(struct ipt_en - return -EINVAL; - } - -- err = check_entry(e); -+ if (!ip_checkentry(&e->ip)) -+ return -EINVAL; -+ -+ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); - if (err) - return err; - -@@ -1516,8 +1510,10 @@ check_compat_entry_size_and_hooks(struct - return -EINVAL; - } - -- /* For purposes of check_entry casting the compat entry is fine */ -- ret = check_entry((struct ipt_entry *)e); -+ if (!ip_checkentry(&e->ip)) -+ return -EINVAL; -+ -+ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); - if (ret) - return ret; - ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -599,15 +599,6 @@ static void cleanup_match(struct xt_entr - module_put(par.match->me); - } - --static int --check_entry(const struct ip6t_entry *e) --{ -- if (!ip6_checkentry(&e->ipv6)) -- return -EINVAL; -- -- return xt_check_entry_offsets(e, e->target_offset, e->next_offset); --} -- - static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par) - { - const struct ip6t_ip6 *ipv6 = par->entryinfo; -@@ -772,7 +763,10 @@ check_entry_size_and_hooks(struct ip6t_e - return -EINVAL; - } - -- err = check_entry(e); -+ if (!ip6_checkentry(&e->ipv6)) -+ return -EINVAL; -+ -+ err = xt_check_entry_offsets(e, e->target_offset, e->next_offset); - if (err) - return err; - -@@ -1528,8 +1522,10 @@ check_compat_entry_size_and_hooks(struct - return -EINVAL; - } - -- /* For purposes of check_entry casting the compat entry is fine */ -- ret = check_entry((struct ip6t_entry *)e); -+ if (!ip6_checkentry(&e->ipv6)) -+ return -EINVAL; -+ -+ ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset); - if (ret) - return ret; - diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch deleted file mode 100644 index 26923ed67e07..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch +++ /dev/null @@ -1,137 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:29 +0200 -Subject: netfilter: x_tables: validate all offsets and sizes in a rule -Origin: https://git.kernel.org/linus/13631bfc604161a9d69cd68991dff8603edd66f9 - -Validate that all matches (if any) add up to the beginning of -the target and that each match covers at least the base structure size. - -The compat path should be able to safely re-use the function -as the structures only differ in alignment; added a -BUILD_BUG_ON just in case we have an arch that adds padding as well. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/x_tables.c | 81 +++++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 76 insertions(+), 5 deletions(-) - ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -416,6 +416,47 @@ int xt_check_match(struct xt_mtchk_param - } - EXPORT_SYMBOL_GPL(xt_check_match); - -+/** xt_check_entry_match - check that matches end before start of target -+ * -+ * @match: beginning of xt_entry_match -+ * @target: beginning of this rules target (alleged end of matches) -+ * @alignment: alignment requirement of match structures -+ * -+ * Validates that all matches add up to the beginning of the target, -+ * and that each match covers at least the base structure size. -+ * -+ * Return: 0 on success, negative errno on failure. -+ */ -+static int xt_check_entry_match(const char *match, const char *target, -+ const size_t alignment) -+{ -+ const struct xt_entry_match *pos; -+ int length = target - match; -+ -+ if (length == 0) /* no matches */ -+ return 0; -+ -+ pos = (struct xt_entry_match *)match; -+ do { -+ if ((unsigned long)pos % alignment) -+ return -EINVAL; -+ -+ if (length < (int)sizeof(struct xt_entry_match)) -+ return -EINVAL; -+ -+ if (pos->u.match_size < sizeof(struct xt_entry_match)) -+ return -EINVAL; -+ -+ if (pos->u.match_size > length) -+ return -EINVAL; -+ -+ length -= pos->u.match_size; -+ pos = ((void *)((char *)(pos) + (pos)->u.match_size)); -+ } while (length > 0); -+ -+ return 0; -+} -+ - #ifdef CONFIG_COMPAT - int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta) - { -@@ -571,7 +612,14 @@ int xt_compat_check_entry_offsets(const - target_offset + sizeof(struct compat_xt_standard_target) != next_offset) - return -EINVAL; - -- return 0; -+ /* compat_xt_entry match has less strict aligment requirements, -+ * otherwise they are identical. In case of padding differences -+ * we need to add compat version of xt_check_entry_match. -+ */ -+ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match)); -+ -+ return xt_check_entry_match(elems, base + target_offset, -+ __alignof__(struct compat_xt_entry_match)); - } - EXPORT_SYMBOL(xt_compat_check_entry_offsets); - #endif /* CONFIG_COMPAT */ -@@ -584,17 +632,39 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs - * @target_offset: the arp/ip/ip6_t->target_offset - * @next_offset: the arp/ip/ip6_t->next_offset - * -- * validates that target_offset and next_offset are sane. -- * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. -+ * validates that target_offset and next_offset are sane and that all -+ * match sizes (if any) align with the target offset. - * - * This function does not validate the targets or matches themselves, it -- * only tests that all the offsets and sizes are correct. -+ * only tests that all the offsets and sizes are correct, that all -+ * match structures are aligned, and that the last structure ends where -+ * the target structure begins. -+ * -+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version. - * - * The arp/ip/ip6t_entry structure @base must have passed following tests: - * - it must point to a valid memory location - * - base to base + next_offset must be accessible, i.e. not exceed allocated - * length. - * -+ * A well-formed entry looks like this: -+ * -+ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry -+ * e->elems[]-----' | | -+ * matchsize | | -+ * matchsize | | -+ * | | -+ * target_offset---------------------------------' | -+ * next_offset---------------------------------------------------' -+ * -+ * elems[]: flexible array member at end of ip(6)/arpt_entry struct. -+ * This is where matches (if any) and the target reside. -+ * target_offset: beginning of target. -+ * next_offset: start of the next rule; also: size of this rule. -+ * Since targets have a minimum size, target_offset + minlen <= next_offset. -+ * -+ * Every match stores its size, sum of sizes must not exceed target_offset. -+ * - * Return: 0 on success, negative errno on failure. - */ - int xt_check_entry_offsets(const void *base, -@@ -624,7 +694,8 @@ int xt_check_entry_offsets(const void *b - target_offset + sizeof(struct xt_standard_target) != next_offset) - return -EINVAL; - -- return 0; -+ return xt_check_entry_match(elems, base + target_offset, -+ __alignof__(struct xt_entry_match)); - } - EXPORT_SYMBOL(xt_check_entry_offsets); - diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch deleted file mode 100644 index a610aaace035..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch +++ /dev/null @@ -1,127 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:22 +0200 -Subject: netfilter: x_tables: validate targets of jumps -Origin: https://git.kernel.org/linus/36472341017529e2b12573093cc0f68719300997 - -When we see a jump also check that the offset gets us to beginning of -a rule (an ipt_entry). - -The extra overhead is negible, even with absurd cases. - -300k custom rules, 300k jumps to 'next' user chain: -[ plus one jump from INPUT to first userchain ]: - -Before: -real 0m24.874s -user 0m7.532s -sys 0m16.076s - -After: -real 0m27.464s -user 0m7.436s -sys 0m18.840s - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++ - net/ipv4/netfilter/ip_tables.c | 16 ++++++++++++++++ - net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++++ - 3 files changed, 48 insertions(+) - ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -367,6 +367,18 @@ static inline bool unconditional(const s - memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; - } - -+static bool find_jump_target(const struct xt_table_info *t, -+ const struct arpt_entry *target) -+{ -+ struct arpt_entry *iter; -+ -+ xt_entry_foreach(iter, t->entries, t->size) { -+ if (iter == target) -+ return true; -+ } -+ return false; -+} -+ - /* Figures out from what hook each rule can be called: returns 0 if - * there are loops. Puts hook bitmask in comefrom. - */ -@@ -460,6 +472,10 @@ static int mark_source_chains(const stru - /* This a jump; chase it. */ - duprintf("Jump rule %u -> %u\n", - pos, newpos); -+ e = (struct arpt_entry *) -+ (entry0 + newpos); -+ if (!find_jump_target(newinfo, e)) -+ return 0; - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -443,6 +443,18 @@ ipt_do_table(struct sk_buff *skb, - #endif - } - -+static bool find_jump_target(const struct xt_table_info *t, -+ const struct ipt_entry *target) -+{ -+ struct ipt_entry *iter; -+ -+ xt_entry_foreach(iter, t->entries, t->size) { -+ if (iter == target) -+ return true; -+ } -+ return false; -+} -+ - /* Figures out from what hook each rule can be called: returns 0 if - there are loops. Puts hook bitmask in comefrom. */ - static int -@@ -540,6 +552,10 @@ mark_source_chains(const struct xt_table - /* This a jump; chase it. */ - duprintf("Jump rule %u -> %u\n", - pos, newpos); -+ e = (struct ipt_entry *) -+ (entry0 + newpos); -+ if (!find_jump_target(newinfo, e)) -+ return 0; - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -455,6 +455,18 @@ ip6t_do_table(struct sk_buff *skb, - #endif - } - -+static bool find_jump_target(const struct xt_table_info *t, -+ const struct ip6t_entry *target) -+{ -+ struct ip6t_entry *iter; -+ -+ xt_entry_foreach(iter, t->entries, t->size) { -+ if (iter == target) -+ return true; -+ } -+ return false; -+} -+ - /* Figures out from what hook each rule can be called: returns 0 if - there are loops. Puts hook bitmask in comefrom. */ - static int -@@ -552,6 +564,10 @@ mark_source_chains(const struct xt_table - /* This a jump; chase it. */ - duprintf("Jump rule %u -> %u\n", - pos, newpos); -+ e = (struct ip6t_entry *) -+ (entry0 + newpos); -+ if (!find_jump_target(newinfo, e)) -+ return 0; - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; diff --git a/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch b/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch deleted file mode 100644 index 15df53219a80..000000000000 --- a/debian/patches/bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch +++ /dev/null @@ -1,234 +0,0 @@ -From: Florian Westphal -Date: Fri, 1 Apr 2016 14:17:33 +0200 -Subject: netfilter: x_tables: xt_compat_match_from_user doesn't need a retval -Origin: https://git.kernel.org/linus/0188346f21e6546498c2a0f84888797ad4063fc5 - -Always returned 0. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - include/linux/netfilter/x_tables.h | 2 +- - net/ipv4/netfilter/arp_tables.c | 17 +++++------------ - net/ipv4/netfilter/ip_tables.c | 26 +++++++++----------------- - net/ipv6/netfilter/ip6_tables.c | 27 +++++++++------------------ - net/netfilter/x_tables.c | 5 ++--- - 5 files changed, 26 insertions(+), 51 deletions(-) - ---- a/include/linux/netfilter/x_tables.h -+++ b/include/linux/netfilter/x_tables.h -@@ -484,7 +484,7 @@ void xt_compat_init_offsets(u_int8_t af, - int xt_compat_calc_jump(u_int8_t af, unsigned int offset); - - int xt_compat_match_offset(const struct xt_match *match); --int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, -+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, - unsigned int *size); - int xt_compat_match_to_user(const struct xt_entry_match *m, - void __user **dstptr, unsigned int *size); ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -1310,7 +1310,7 @@ out: - return ret; - } - --static int -+static void - compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr, - unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) -@@ -1319,9 +1319,8 @@ compat_copy_entry_from_user(struct compa - struct xt_target *target; - struct arpt_entry *de; - unsigned int origsize; -- int ret, h; -+ int h; - -- ret = 0; - origsize = *size; - de = (struct arpt_entry *)*dstptr; - memcpy(de, e, sizeof(struct arpt_entry)); -@@ -1342,7 +1341,6 @@ compat_copy_entry_from_user(struct compa - if ((unsigned char *)de - base < newinfo->underflow[h]) - newinfo->underflow[h] -= origsize - *size; - } -- return ret; - } - - static int translate_compat_table(struct xt_table_info **pinfo, -@@ -1421,16 +1419,11 @@ static int translate_compat_table(struct - entry1 = newinfo->entries; - pos = entry1; - size = compatr->size; -- xt_entry_foreach(iter0, entry0, compatr->size) { -- ret = compat_copy_entry_from_user(iter0, &pos, &size, -- newinfo, entry1); -- if (ret != 0) -- break; -- } -+ xt_entry_foreach(iter0, entry0, compatr->size) -+ compat_copy_entry_from_user(iter0, &pos, &size, -+ newinfo, entry1); - xt_compat_flush_offsets(NFPROTO_ARP); - xt_compat_unlock(NFPROTO_ARP); -- if (ret) -- goto free_newinfo; - - ret = -ELOOP; - if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -1568,7 +1568,7 @@ release_matches: - return ret; - } - --static int -+static void - compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, - unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) -@@ -1577,10 +1577,9 @@ compat_copy_entry_from_user(struct compa - struct xt_target *target; - struct ipt_entry *de; - unsigned int origsize; -- int ret, h; -+ int h; - struct xt_entry_match *ematch; - -- ret = 0; - origsize = *size; - de = (struct ipt_entry *)*dstptr; - memcpy(de, e, sizeof(struct ipt_entry)); -@@ -1589,11 +1588,9 @@ compat_copy_entry_from_user(struct compa - *dstptr += sizeof(struct ipt_entry); - *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); - -- xt_ematch_foreach(ematch, e) { -- ret = xt_compat_match_from_user(ematch, dstptr, size); -- if (ret != 0) -- return ret; -- } -+ xt_ematch_foreach(ematch, e) -+ xt_compat_match_from_user(ematch, dstptr, size); -+ - de->target_offset = e->target_offset - (origsize - *size); - t = compat_ipt_get_target(e); - target = t->u.kernel.target; -@@ -1606,7 +1603,6 @@ compat_copy_entry_from_user(struct compa - if ((unsigned char *)de - base < newinfo->underflow[h]) - newinfo->underflow[h] -= origsize - *size; - } -- return ret; - } - - static int -@@ -1729,16 +1725,12 @@ translate_compat_table(struct net *net, - entry1 = newinfo->entries; - pos = entry1; - size = compatr->size; -- xt_entry_foreach(iter0, entry0, compatr->size) { -- ret = compat_copy_entry_from_user(iter0, &pos, &size, -- newinfo, entry1); -- if (ret != 0) -- break; -- } -+ xt_entry_foreach(iter0, entry0, compatr->size) -+ compat_copy_entry_from_user(iter0, &pos, &size, -+ newinfo, entry1); -+ - xt_compat_flush_offsets(AF_INET); - xt_compat_unlock(AF_INET); -- if (ret) -- goto free_newinfo; - - ret = -ELOOP; - if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -1580,7 +1580,7 @@ release_matches: - return ret; - } - --static int -+static void - compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, - unsigned int *size, - struct xt_table_info *newinfo, unsigned char *base) -@@ -1588,10 +1588,9 @@ compat_copy_entry_from_user(struct compa - struct xt_entry_target *t; - struct ip6t_entry *de; - unsigned int origsize; -- int ret, h; -+ int h; - struct xt_entry_match *ematch; - -- ret = 0; - origsize = *size; - de = (struct ip6t_entry *)*dstptr; - memcpy(de, e, sizeof(struct ip6t_entry)); -@@ -1600,11 +1599,9 @@ compat_copy_entry_from_user(struct compa - *dstptr += sizeof(struct ip6t_entry); - *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); - -- xt_ematch_foreach(ematch, e) { -- ret = xt_compat_match_from_user(ematch, dstptr, size); -- if (ret != 0) -- return ret; -- } -+ xt_ematch_foreach(ematch, e) -+ xt_compat_match_from_user(ematch, dstptr, size); -+ - de->target_offset = e->target_offset - (origsize - *size); - t = compat_ip6t_get_target(e); - xt_compat_target_from_user(t, dstptr, size); -@@ -1616,7 +1613,6 @@ compat_copy_entry_from_user(struct compa - if ((unsigned char *)de - base < newinfo->underflow[h]) - newinfo->underflow[h] -= origsize - *size; - } -- return ret; - } - - static int compat_check_entry(struct ip6t_entry *e, struct net *net, -@@ -1737,17 +1733,12 @@ translate_compat_table(struct net *net, - } - entry1 = newinfo->entries; - pos = entry1; -- size = compatr->size; -- xt_entry_foreach(iter0, entry0, compatr->size) { -- ret = compat_copy_entry_from_user(iter0, &pos, &size, -- newinfo, entry1); -- if (ret != 0) -- break; -- } -+ xt_entry_foreach(iter0, entry0, compatr->size) -+ compat_copy_entry_from_user(iter0, &pos, &size, -+ newinfo, entry1); -+ - xt_compat_flush_offsets(AF_INET6); - xt_compat_unlock(AF_INET6); -- if (ret) -- goto free_newinfo; - - ret = -ELOOP; - if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1)) ---- a/net/netfilter/x_tables.c -+++ b/net/netfilter/x_tables.c -@@ -526,8 +526,8 @@ int xt_compat_match_offset(const struct - } - EXPORT_SYMBOL_GPL(xt_compat_match_offset); - --int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, -- unsigned int *size) -+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, -+ unsigned int *size) - { - const struct xt_match *match = m->u.kernel.match; - struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; -@@ -549,7 +549,6 @@ int xt_compat_match_from_user(struct xt_ - - *size += off; - *dstptr += msize; -- return 0; - } - EXPORT_SYMBOL_GPL(xt_compat_match_from_user); - diff --git a/debian/patches/bugfix/all/proc-prevent-stacking-filesystems-on-top.patch b/debian/patches/bugfix/all/proc-prevent-stacking-filesystems-on-top.patch deleted file mode 100644 index fb2e9694f97f..000000000000 --- a/debian/patches/bugfix/all/proc-prevent-stacking-filesystems-on-top.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Jann Horn -Date: Wed, 1 Jun 2016 11:55:05 +0200 -Subject: [1/3] proc: prevent stacking filesystems on top -Origin: https://git.kernel.org/linus/e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 - -This prevents stacking filesystems (ecryptfs and overlayfs) from using -procfs as lower filesystem. There is too much magic going on inside -procfs, and there is no good reason to stack stuff on top of procfs. - -(For example, procfs does access checks in VFS open handlers, and -ecryptfs by design calls open handlers from a kernel thread that doesn't -drop privileges or so.) - -Signed-off-by: Jann Horn -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds ---- - fs/proc/root.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/fs/proc/root.c b/fs/proc/root.c -index 361ab4e..ec649c9 100644 ---- a/fs/proc/root.c -+++ b/fs/proc/root.c -@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type, - if (IS_ERR(sb)) - return ERR_CAST(sb); - -+ /* -+ * procfs isn't actually a stacking filesystem; however, there is -+ * too much magic going on inside it to permit stacking things on -+ * top of it -+ */ -+ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH; -+ - if (!proc_parse_options(options, ns)) { - deactivate_locked_super(sb); - return ERR_PTR(-EINVAL); --- -2.8.1 - diff --git a/debian/patches/bugfix/all/sched-panic-on-corrupted-stack-end.patch b/debian/patches/bugfix/all/sched-panic-on-corrupted-stack-end.patch deleted file mode 100644 index 170e944459fd..000000000000 --- a/debian/patches/bugfix/all/sched-panic-on-corrupted-stack-end.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Jann Horn -Date: Wed, 1 Jun 2016 11:55:07 +0200 -Subject: [3/3] sched: panic on corrupted stack end -Origin: https://git.kernel.org/linus/29d6455178a09e1dc340380c582b13356227e8df - -Until now, hitting this BUG_ON caused a recursive oops (because oops -handling involves do_exit(), which calls into the scheduler, which in -turn raises an oops), which caused stuff below the stack to be -overwritten until a panic happened (e.g. via an oops in interrupt -context, caused by the overwritten CPU index in the thread_info). - -Just panic directly. - -Signed-off-by: Jann Horn -Signed-off-by: Linus Torvalds ---- - kernel/sched/core.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index d1f7149..11546a6 100644 ---- a/kernel/sched/core.c -+++ b/kernel/sched/core.c -@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev) - static inline void schedule_debug(struct task_struct *prev) - { - #ifdef CONFIG_SCHED_STACK_END_CHECK -- BUG_ON(task_stack_end_corrupted(prev)); -+ if (task_stack_end_corrupted(prev)) -+ panic("corrupted stack end detected inside scheduler\n"); - #endif - - if (unlikely(in_atomic_preempt_off())) { --- -2.8.1 - diff --git a/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch deleted file mode 100644 index 934147dd5293..000000000000 --- a/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Richard Alpe -Date: Mon, 16 May 2016 11:14:54 +0200 -Subject: tipc: check nl sock before parsing nested attributes -Origin: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c - -Make sure the socket for which the user is listing publication exists -before parsing the socket netlink attributes. - -Prior to this patch a call without any socket caused a NULL pointer -dereference in tipc_nl_publ_dump(). - -Tested-and-reported-by: Baozeng Ding -Signed-off-by: Richard Alpe -Acked-by: Jon Maloy -Signed-off-by: David S. Miller ---- - net/tipc/socket.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index 1262889..3b7a799 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) - if (err) - return err; - -+ if (!attrs[TIPC_NLA_SOCK]) -+ return -EINVAL; -+ - err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, - attrs[TIPC_NLA_SOCK], - tipc_nl_sock_policy); --- -2.8.1 - diff --git a/debian/patches/series b/debian/patches/series index ec4eddb4f10d..7315a6291288 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -101,36 +101,16 @@ features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch -bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch -bugfix/all/proc-prevent-stacking-filesystems-on-top.patch -bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch -bugfix/all/sched-panic-on-corrupted-stack-end.patch bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch bugfix/all/keys-potential-uninitialized-variable.patch bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch -bugfix/all/netfilter-x_tables-don-t-move-to-non-existent-next-r.patch -bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch -bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch -bugfix/all/netfilter-x_tables-kill-check_entry-helper.patch -bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch -bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch -bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch -bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch -bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch -bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch -bugfix/all/netfilter-arp_tables-simplify-translate_compat_table.patch -bugfix/all/netfilter-ip_tables-simplify-translate_compat_table-.patch -bugfix/all/netfilter-ip6_tables-simplify-translate_compat_table.patch -bugfix/all/netfilter-x_tables-xt_compat_match_from_user-doesn-t.patch -bugfix/all/netfilter-x_tables-do-compat-validation-via-translat.patch -bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch bugfix/all/posix_acl-add-set_posix_acl.patch bugfix/all/nfsd-check-permissions-when-setting-acls.patch From 3c35987b0584b3a83bdd752b709fbfd1cda59a72 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 30 Jun 2016 14:49:56 +0200 Subject: [PATCH 12/14] HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829) --- debian/changelog | 5 +++ ...ate-num_values-for-HIDIOCGUSAGES-HID.patch | 44 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 50 insertions(+) create mode 100644 debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch diff --git a/debian/changelog b/debian/changelog index 323cb730a0b4..126691b559d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ linux (4.6.3-1) UNRELEASED; urgency=medium + [ Ben Hutchings ] * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.3 - scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands @@ -67,6 +68,10 @@ linux (4.6.3-1) UNRELEASED; urgency=medium - [x86] Revert "drm/i915: Exit cherryview_irq_handler() after one pass" - gpio: make sure gpiod_to_irq() returns negative on NULL desc + [ Salvatore Bonaccorso ] + * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands + (CVE-2016-5829) + -- Ben Hutchings Mon, 27 Jun 2016 00:31:11 +0200 linux (4.6.2-2) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch b/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch new file mode 100644 index 000000000000..e5e4cece4a94 --- /dev/null +++ b/debian/patches/bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch @@ -0,0 +1,44 @@ +From: Scott Bauer +Date: Thu, 23 Jun 2016 08:59:47 -0600 +Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES + commands +Origin: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5 + +This patch validates the num_values parameter from userland during the +HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set +to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter +leading to a heap overflow. + +Cc: stable@vger.kernel.org +Signed-off-by: Scott Bauer +Signed-off-by: Jiri Kosina +--- + drivers/hid/usbhid/hiddev.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 2f1ddca..700145b 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + goto inval; + } else if (uref->usage_index >= field->report_count) + goto inval; +- +- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; + } + ++ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && ++ (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > field->report_count)) ++ goto inval; ++ + switch (cmd) { + case HIDIOCGUSAGE: + uref->value = field->value[uref->usage_index]; +-- +2.8.1 + diff --git a/debian/patches/series b/debian/patches/series index 7315a6291288..50cedefadc14 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -113,6 +113,7 @@ bugfix/all/percpu-fix-synchronization-between-chunk-map_extend_.patch bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch bugfix/all/posix_acl-add-set_posix_acl.patch bugfix/all/nfsd-check-permissions-when-setting-acls.patch +bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch # ABI maintenance debian/mips-siginfo-fix-abi-change-in-4.6.2.patch From ade54804a1ca3cbe5340508fdcf0f088fe6a8c13 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 3 Jul 2016 16:33:04 +0200 Subject: [PATCH 13/14] [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828) --- debian/changelog | 2 + ...s-reclaim-in-start_thread-for-exec-c.patch | 106 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 109 insertions(+) create mode 100644 debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch diff --git a/debian/changelog b/debian/changelog index 126691b559d3..f83b0cc8083e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -67,6 +67,8 @@ linux (4.6.3-1) UNRELEASED; urgency=medium - drm/core: Do not preserve framebuffer on rmfb, v4. - [x86] Revert "drm/i915: Exit cherryview_irq_handler() after one pass" - gpio: make sure gpiod_to_irq() returns negative on NULL desc + * [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls + (CVE-2016-5828) [ Salvatore Bonaccorso ] * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch new file mode 100644 index 000000000000..d98651bac31d --- /dev/null +++ b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch @@ -0,0 +1,106 @@ +From: Cyril Bur +Date: Fri, 17 Jun 2016 14:58:34 +1000 +Subject: powerpc/tm: Always reclaim in start_thread() for exec() class + syscalls +Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6 + +Userspace can quite legitimately perform an exec() syscall with a +suspended transaction. exec() does not return to the old process, rather +it load a new one and starts that, the expectation therefore is that the +new process starts not in a transaction. Currently exec() is not treated +any differently to any other syscall which creates problems. + +Firstly it could allow a new process to start with a suspended +transaction for a binary that no longer exists. This means that the +checkpointed state won't be valid and if the suspended transaction were +ever to be resumed and subsequently aborted (a possibility which is +exceedingly likely as exec()ing will likely doom the transaction) the +new process will jump to invalid state. + +Secondly the incorrect attempt to keep the transactional state while +still zeroing state for the new process creates at least two TM Bad +Things. The first triggers on the rfid to return to userspace as +start_thread() has given the new process a 'clean' MSR but the suspend +will still be set in the hardware MSR. The second TM Bad Thing triggers +in __switch_to() as the processor is still transactionally suspended but +__switch_to() wants to zero the TM sprs for the new process. + +This is an example of the outcome of calling exec() with a suspended +transaction. Note the first 700 is likely the first TM bad thing +decsribed earlier only the kernel can't report it as we've loaded +userspace registers. c000000000009980 is the rfid in +fast_exception_return() + + Bad kernel stack pointer 3fffcfa1a370 at c000000000009980 + Oops: Bad kernel stack pointer, sig: 6 [#1] + CPU: 0 PID: 2006 Comm: tm-execed Not tainted + NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000 + REGS: c00000003ffefd40 TRAP: 0700 Not tainted + MSR: 8000000300201031 CR: 00000000 XER: 00000000 + CFAR: c0000000000098b4 SOFTE: 0 + PACATMSCRATCH: b00000010000d033 + GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000 + GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000 + NIP [c000000000009980] fast_exception_return+0xb0/0xb8 + LR [0000000000000000] (null) + Call Trace: + Instruction dump: + f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070 + e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b + + Kernel BUG at c000000000043e80 [verbose debug info unavailable] + Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033) + Oops: Unrecoverable exception, sig: 6 [#2] + CPU: 0 PID: 2006 Comm: tm-execed Tainted: G D + task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000 + NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000 + REGS: c00000003ffef7e0 TRAP: 0700 Tainted: G D + MSR: 8000000300201033 CR: 28002828 XER: 00000000 + CFAR: c000000000015a20 SOFTE: 0 + PACATMSCRATCH: b00000010000d033 + GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000 + GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000 + GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004 + GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000 + GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000 + GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000 + GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80 + NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c + LR [c000000000015a24] __switch_to+0x1f4/0x420 + Call Trace: + Instruction dump: + 7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8 + 4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020 + +This fixes CVE-2016-5828. + +Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code") +Cc: stable@vger.kernel.org # v3.9+ +Signed-off-by: Cyril Bur +Signed-off-by: Michael Ellerman +--- + arch/powerpc/kernel/process.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1503,6 +1503,16 @@ void start_thread(struct pt_regs *regs, + current->thread.regs = regs - 1; + } + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* ++ * Clear any transactional state, we're exec()ing. The cause is ++ * not important as there will never be a recheckpoint so it's not ++ * user visible. ++ */ ++ if (MSR_TM_SUSPENDED(mfmsr())) ++ tm_reclaim_current(0); ++#endif ++ + memset(regs->gpr, 0, sizeof(regs->gpr)); + regs->ctr = 0; + regs->link = 0; diff --git a/debian/patches/series b/debian/patches/series index 50cedefadc14..8c16bb51097d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -114,6 +114,7 @@ bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch bugfix/all/posix_acl-add-set_posix_acl.patch bugfix/all/nfsd-check-permissions-when-setting-acls.patch bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch +bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch # ABI maintenance debian/mips-siginfo-fix-abi-change-in-4.6.2.patch From 2064fe373043d3573ef68482931f1f16815f035e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 4 Jul 2016 20:10:24 +0200 Subject: [PATCH 14/14] Prepare to release linux (4.6.3-1). --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index f83b0cc8083e..49a89d604394 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.6.3-1) UNRELEASED; urgency=medium +linux (4.6.3-1) unstable; urgency=medium [ Ben Hutchings ] * New upstream stable update: @@ -74,7 +74,7 @@ linux (4.6.3-1) UNRELEASED; urgency=medium * HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (CVE-2016-5829) - -- Ben Hutchings Mon, 27 Jun 2016 00:31:11 +0200 + -- Ben Hutchings Mon, 04 Jul 2016 20:10:24 +0200 linux (4.6.2-2) unstable; urgency=medium