[meta-freescale] [meta-fsl-ppc][PATCH 02/16] linux-qoriq: update to revision f488de6
b28495 at freescale.com
Fri Jul 17 00:17:38 PDT 2015
From: Ting Liu <ting.liu at freescale.com>
Minor version update to 3.12.37-rt51 with new features:
* e6500 hugepage TLB miss performance improvement
* T1023RDB support
* T1040D4RDB and T1042D4RDB support
* DIU [T1042]
* DPAA Ethernet: loadable module
* eMMC: DDR mode [T2080]
* eTSEC: Gianfar upstream updates and fixes
* fmlib: table statistics, stats extension
* IEEE802.1AE (MACSEC) and IEEE802.1X (port-based network access control) [T104x, T102x]
* IEEE1588 ptpd open source stack includes more DPAA processors: P1023, P2041, P3041, P5020, P5040, T4240, T1023
* LAG SGMII 2.5G ports support - IPv4 traffics forwarding on aggregated 2 x 2.5Gb L2 Switch FMAN ports [1040]
* LAG support of IPv6 traffics forwarding and TCP/UDP traffics over IPv6 forwarding (2 x 2.5Gb L2 Switch WAN) [1040]
* LAG support of IPv6 traffics forwarding and TCP/UDP traffics over IPv6 forwarding on both 1 G RGMII port and 1G SGMII port [1040]
* Power Management: Power off feature for all QDS boards except B9132QDS and B4860QDS
* SEC: QI Driver IPSec performance improvement
* SGMII 2.5G fixed link [T1024]
* USB: Dual UTMI
For detailed history, see
http://git.freescale.com/git/cgit.cgi/ppc/sdk/linux.git/tag/?id=fsl-sdk-v1.8
Also remove the patches which are already merged in 3.12.37-rt51
Signed-off-by: Ting Liu <ting.liu at freescale.com>
---
.../linux/files/0001-ALSA-CVE-2014-4652.patch | 140 ---------
.../linux/files/0001-ALSA-CVE-2014-4656.patch | 43 ---
.../linux/files/0001-HID-CVE-2014-3181.patch | 52 ---
.../linux/files/0001-kvm-iommu-CVE-2014-3601.patch | 94 ------
.../0001-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 ----
.../linux/files/0001-net-sctp-CVE-2014-3673.patch | 348 ---------------------
.../linux/files/0001-shmem-CVE-2014-4171.patch | 141 ---------
.../linux/files/0002-ALSA-CVE-2014-4653.patch | 92 ------
.../linux/files/0002-ALSA-CVE-2014-4656.patch | 46 ---
.../linux/files/0002-HID-CVE-2014-3182.patch | 65 ----
.../linux/files/0002-kvm-iommu-CVE-2014-8369.patch | 86 -----
.../0002-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 ----
.../linux/files/0002-net-sctp-CVE-2014-3687.patch | 102 ------
.../linux/files/0002-shmem-CVE-2014-4171.patch | 200 ------------
.../linux/files/0003-HID-CVE-2014-3184.patch | 114 -------
.../0003-mnt-CVE-2014-5206_CVE-2014-5207.patch | 137 --------
.../linux/files/0003-net-sctp-CVE-2014-3688.patch | 160 ----------
.../linux/files/0003-shmem-CVE-2014-4171.patch | 134 --------
.../linux/files/0004-USB-CVE-2014-3185.patch | 51 ---
.../0004-mnt-CVE-2014-5206_CVE-2014-5207.patch | 64 ----
.../0005-mnt-CVE-2014-5206_CVE-2014-5207.patch | 324 -------------------
...p-inherit-auth-capable-on-INIT-collisions.patch | 41 ---
.../files/Fix-CVE-2014-5471_CVE-2014-5472.patch | 212 -------------
...r-CVE-2014-5045-fs-umount-on-symlink-leak.patch | 47 ---
.../linux/files/auditsc-CVE-2014-3917.patch | 91 ------
.../linux/files/eCryptfs-CVE-2014-9683.patch | 41 ---
recipes-kernel/linux/files/fs-CVE-2014-4014.patch | 210 -------------
recipes-kernel/linux/files/mm-2014-3122.patch | 98 ------
.../files/modify-defconfig-t1040-nr-cpus.patch | 24 +-
.../linux/files/net-sctp-CVE-2014-0101.patch | 6 +-
...erpc-Fix-64-bit-builds-with-binutils-2.24.patch | 80 -----
.../linux/files/sctp-CVE-2014-4667.patch | 51 ---
.../linux/files/sctp-CVE-2014-7841.patch | 85 -----
.../linux/files/security-keys-CVE-2014-9529.patch | 53 ----
.../linux/files/target-CVE-2014-4027.patch | 46 ---
.../tracing-CVE-2014-7825_CVE-2014-7826.patch | 94 ------
recipes-kernel/linux/files/udf-CVE-2014-6410.patch | 96 ------
recipes-kernel/linux/linux-qoriq_3.12.bb | 38 +--
38 files changed, 9 insertions(+), 3821 deletions(-)
delete mode 100644 recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
delete mode 100644 recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
delete mode 100644 recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
delete mode 100644 recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
delete mode 100644 recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
delete mode 100644 recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
delete mode 100644 recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
delete mode 100644 recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
delete mode 100644 recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
delete mode 100644 recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
delete mode 100644 recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
delete mode 100644 recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
delete mode 100644 recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
delete mode 100644 recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch
delete mode 100644 recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
delete mode 100644 recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
delete mode 100644 recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
delete mode 100644 recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
delete mode 100644 recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
delete mode 100644 recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
delete mode 100644 recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
delete mode 100644 recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
delete mode 100644 recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
delete mode 100644 recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
delete mode 100644 recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
delete mode 100644 recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
delete mode 100644 recipes-kernel/linux/files/fs-CVE-2014-4014.patch
delete mode 100644 recipes-kernel/linux/files/mm-2014-3122.patch
delete mode 100644 recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
delete mode 100644 recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
delete mode 100644 recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
delete mode 100644 recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch
delete mode 100644 recipes-kernel/linux/files/target-CVE-2014-4027.patch
delete mode 100644 recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
delete mode 100644 recipes-kernel/linux/files/udf-CVE-2014-6410.patch
diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
deleted file mode 100644
index 0130768..0000000
--- a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From ed81e6b21790b717cda5f5bab2bdb07d2ce17ab1 Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen <lars at metafoo.de>
-Date: Wed, 18 Jun 2014 13:32:31 +0200
-Subject: [PATCH] ALSA: control: Protect user controls against concurrent
- access
-
-commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream.
-
-The user-control put and get handlers as well as the tlv do not protect against
-concurrent access from multiple threads. Since the state of the control is not
-updated atomically it is possible that either two write operations or a write
-and a read operation race against each other. Both can lead to arbitrary memory
-disclosure. This patch introduces a new lock that protects user-controls from
-concurrent access. Since applications typically access controls sequentially
-than in parallel a single lock per card should be fine.
-
-This fixes CVE-2014-4652
-Upstream-Status: Backport
-
-Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
-Acked-by: Jaroslav Kysela <perex at perex.cz>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- include/sound/core.h | 2 ++
- sound/core/control.c | 31 +++++++++++++++++++++++++------
- sound/core/init.c | 1 +
- 3 files changed, 28 insertions(+), 6 deletions(-)
-
-diff --git a/include/sound/core.h b/include/sound/core.h
-index 2a14f1f..d6bc961 100644
---- a/include/sound/core.h
-+++ b/include/sound/core.h
-@@ -121,6 +121,8 @@ struct snd_card {
- int user_ctl_count; /* count of all user controls */
- struct list_head controls; /* all controls for this card */
- struct list_head ctl_files; /* active control files */
-+ struct mutex user_ctl_lock; /* protects user controls against
-+ concurrent access */
-
- struct snd_info_entry *proc_root; /* root for soundcard specific files */
- struct snd_info_entry *proc_id; /* the card id */
-diff --git a/sound/core/control.c b/sound/core/control.c
-index d8aa206..183fab2 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -992,6 +992,7 @@ static int snd_ctl_elem_unlock(struct snd_ctl_file *file,
-
- struct user_element {
- struct snd_ctl_elem_info info;
-+ struct snd_card *card;
- void *elem_data; /* element data */
- unsigned long elem_data_size; /* size of element data in bytes */
- void *tlv_data; /* TLV data */
-@@ -1035,7 +1036,9 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol,
- {
- struct user_element *ue = kcontrol->private_data;
-
-+ mutex_lock(&ue->card->user_ctl_lock);
- memcpy(&ucontrol->value, ue->elem_data, ue->elem_data_size);
-+ mutex_unlock(&ue->card->user_ctl_lock);
- return 0;
- }
-
-@@ -1044,10 +1047,12 @@ static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol,
- {
- int change;
- struct user_element *ue = kcontrol->private_data;
--
-+
-+ mutex_lock(&ue->card->user_ctl_lock);
- change = memcmp(&ucontrol->value, ue->elem_data, ue->elem_data_size) != 0;
- if (change)
- memcpy(ue->elem_data, &ucontrol->value, ue->elem_data_size);
-+ mutex_unlock(&ue->card->user_ctl_lock);
- return change;
- }
-
-@@ -1067,19 +1072,32 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
- new_data = memdup_user(tlv, size);
- if (IS_ERR(new_data))
- return PTR_ERR(new_data);
-+ mutex_lock(&ue->card->user_ctl_lock);
- change = ue->tlv_data_size != size;
- if (!change)
- change = memcmp(ue->tlv_data, new_data, size);
- kfree(ue->tlv_data);
- ue->tlv_data = new_data;
- ue->tlv_data_size = size;
-+ mutex_unlock(&ue->card->user_ctl_lock);
- } else {
-- if (! ue->tlv_data_size || ! ue->tlv_data)
-- return -ENXIO;
-- if (size < ue->tlv_data_size)
-- return -ENOSPC;
-+ int ret = 0;
-+
-+ mutex_lock(&ue->card->user_ctl_lock);
-+ if (!ue->tlv_data_size || !ue->tlv_data) {
-+ ret = -ENXIO;
-+ goto err_unlock;
-+ }
-+ if (size < ue->tlv_data_size) {
-+ ret = -ENOSPC;
-+ goto err_unlock;
-+ }
- if (copy_to_user(tlv, ue->tlv_data, ue->tlv_data_size))
-- return -EFAULT;
-+ ret = -EFAULT;
-+err_unlock:
-+ mutex_unlock(&ue->card->user_ctl_lock);
-+ if (ret)
-+ return ret;
- }
- return change;
- }
-@@ -1211,6 +1229,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
- ue = kzalloc(sizeof(struct user_element) + private_size, GFP_KERNEL);
- if (ue == NULL)
- return -ENOMEM;
-+ ue->card = card;
- ue->info = *info;
- ue->info.access = 0;
- ue->elem_data = (char *)ue + sizeof(*ue);
-diff --git a/sound/core/init.c b/sound/core/init.c
-index d047851..b9268a5 100644
---- a/sound/core/init.c
-+++ b/sound/core/init.c
-@@ -215,6 +215,7 @@ int snd_card_create(int idx, const char *xid,
- INIT_LIST_HEAD(&card->devices);
- init_rwsem(&card->controls_rwsem);
- rwlock_init(&card->ctl_files_rwlock);
-+ mutex_init(&card->user_ctl_lock);
- INIT_LIST_HEAD(&card->controls);
- INIT_LIST_HEAD(&card->ctl_files);
- spin_lock_init(&card->files_lock);
---
-1.9.1
-
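Review bot: the removal of this backport rests only on the commit message's statement that the patches are already merged in 3.12.37-rt51, and nothing in the change lets a reader confirm that for this file. The deleted header names upstream commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92, so please confirm that revision f488de6 contains it: sound/core/control.c should take card->user_ctl_lock in snd_ctl_elem_user_get(), snd_ctl_elem_user_put() and snd_ctl_elem_user_tlv(), and sound/core/init.c should call mutex_init() on it. Consider listing the dropped CVE ids in the commit message so the fix status stays traceable once the CVE-named files are gone.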
diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
deleted file mode 100644
index 9859025..0000000
--- a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen <lars at metafoo.de>
-Date: Wed, 18 Jun 2014 13:32:35 +0200
-Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow
-
-commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
-
-The ALSA control code expects that the range of assigned indices to a control is
-continuous and does not overflow. Currently there are no checks to enforce this.
-If a control with a overflowing index range is created that control becomes
-effectively inaccessible and unremovable since snd_ctl_find_id() will not be
-able to find it. This patch adds a check that makes sure that controls with a
-overflowing index range can not be created.
-
-Fixes CVE-2014-4656
-Upstream-Status: Backport
-
-Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
-Acked-by: Jaroslav Kysela <perex at perex.cz>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- sound/core/control.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/sound/core/control.c b/sound/core/control.c
-index 93215b4..98a29b2 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
- if (snd_BUG_ON(!card || !kcontrol->info))
- goto error;
- id = kcontrol->id;
-+ if (id.index > UINT_MAX - kcontrol->count)
-+ goto error;
-+
- down_write(&card->controls_rwsem);
- if (snd_ctl_find_id(card, &id)) {
- up_write(&card->controls_rwsem);
---
-1.9.1
-
diff --git a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
deleted file mode 100644
index 4355c68..0000000
--- a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
-From: Jiri Kosina <jkosina at suse.cz>
-Date: Wed, 27 Aug 2014 09:12:24 +0200
-Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
- callback
-
-The report passed to us from transport driver could potentially be
-arbitrarily large, therefore we better sanity-check it so that
-magicmouse_emit_touch() gets only valid values of raw_id.
-
-This fixes CVE-2014-3181
-Upstream-Status: Backport
-
-Cc: stable at vger.kernel.org
-Reported-by: Steven Vittitoe <scvitti at google.com>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- drivers/hid/hid-magicmouse.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
-index ecc2cbf..29a74c1 100644
---- a/drivers/hid/hid-magicmouse.c
-+++ b/drivers/hid/hid-magicmouse.c
-@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
- if (size < 4 || ((size - 4) % 9) != 0)
- return 0;
- npoints = (size - 4) / 9;
-+ if (npoints > 15) {
-+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
-+ size);
-+ return 0;
-+ }
- msc->ntouches = 0;
- for (ii = 0; ii < npoints; ii++)
- magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
-@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
- if (size < 6 || ((size - 6) % 8) != 0)
- return 0;
- npoints = (size - 6) / 8;
-+ if (npoints > 15) {
-+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
-+ size);
-+ return 0;
-+ }
- msc->ntouches = 0;
- for (ii = 0; ii < npoints; ii++)
- magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
---
-1.9.1
-
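Review bot: the header of this deleted backport has no "commit ... upstream." line, unlike the ALSA, kvm, mnt and sctp backports removed alongside it, so there is no hash to look up in the new kernel revision. Before dropping it, check drivers/hid/hid-magicmouse.c at f488de6 for both "npoints > 15" guards in magicmouse_raw_event() (the TRACKPAD_REPORT_ID and MOUSE_REPORT_ID branches) and record the result in the commit message.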
diff --git a/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch b/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
deleted file mode 100644
index e19a3c1..0000000
--- a/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From e35b1e9f17e0567f96502f3a2a31dace727ed3da Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst at redhat.com>
-Date: Tue, 19 Aug 2014 19:14:50 +0800
-Subject: [PATCH] kvm: iommu: fix the third parameter of kvm_iommu_put_pages
- (CVE-2014-3601)
-
-commit 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 upstream.
-
-The third parameter of kvm_iommu_put_pages is wrong,
-It should be 'gfn - slot->base_gfn'.
-
-By making gfn very large, malicious guest or userspace can cause kvm to
-go to this error path, and subsequently to pass a huge value as size.
-Alternatively if gfn is small, then pages would be pinned but never
-unpinned, causing host memory leak and local DOS.
-
-Passing a reasonable but large value could be the most dangerous case,
-because it would unpin a page that should have stayed pinned, and thus
-allow the device to DMA into arbitrary memory. However, this cannot
-happen because of the condition that can trigger the error:
-
-- out of memory (where you can't allocate even a single page)
- should not be possible for the attacker to trigger
-
-- when exceeding the iommu's address space, guest pages after gfn
- will also exceed the iommu's address space, and inside
- kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The
- page thus would not be unpinned at all.
-
-Upstream-Status: Backport
-
-Reported-by: Jack Morgenstein <jackm at mellanox.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- virt/kvm/iommu.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
-index c329c8f..dec9971 100644
---- a/virt/kvm/iommu.c
-+++ b/virt/kvm/iommu.c
-@@ -61,6 +61,14 @@ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
- return pfn;
- }
-
-+static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
-+{
-+ unsigned long i;
-+
-+ for (i = 0; i < npages; ++i)
-+ kvm_release_pfn_clean(pfn + i);
-+}
-+
- int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- {
- gfn_t gfn, end_gfn;
-@@ -123,6 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- if (r) {
- printk(KERN_ERR "kvm_iommu_map_address:"
- "iommu failed to map pfn=%llx\n", pfn);
-+ kvm_unpin_pages(kvm, pfn, page_size);
- goto unmap_pages;
- }
-
-@@ -134,7 +143,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- return 0;
-
- unmap_pages:
-- kvm_iommu_put_pages(kvm, slot->base_gfn, gfn);
-+ kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn);
- return r;
- }
-
-@@ -272,14 +281,6 @@ out_unlock:
- return r;
- }
-
--static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
--{
-- unsigned long i;
--
-- for (i = 0; i < npages; ++i)
-- kvm_release_pfn_clean(pfn + i);
--}
--
- static void kvm_iommu_put_pages(struct kvm *kvm,
- gfn_t base_gfn, unsigned long npages)
- {
---
-1.9.1
-
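Review bot: the kvm_unpin_pages(kvm, pfn, page_size) call this backport adds to the error path of kvm_iommu_map_pages() is the part that the CVE-2014-8369 follow-up corrects, so dropping this file is only safe if the new tree carries both fixes. The diffstat removes 0002-kvm-iommu-CVE-2014-8369.patch as well; please confirm that f488de6 includes upstream 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 together with that follow-up, not the first fix alone.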
diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index aec8930..0000000
--- a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman" <ebiederm at xmission.com>
-Date: Mon, 28 Jul 2014 16:26:53 -0700
-Subject: [PATCH] mnt: Only change user settable mount flags in remount
-
-commit a6138db815df5ee542d848318e5dae681590fccd upstream.
-
-Kenton Varda <kenton at sandstorm.io> discovered that by remounting a
-read-only bind mount read-only in a user namespace the
-MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
-to the remount a read-only mount read-write.
-
-Correct this by replacing the mask of mount flags to preserve
-with a mask of mount flags that may be changed, and preserve
-all others. This ensures that any future bugs with this mask and
-remount will fail in an easy to detect way where new mount flags
-simply won't change.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Cc: stable at vger.kernel.org
-Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
-Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/namespace.c | 2 +-
- include/linux/mount.h | 4 +++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 84447db..34fa7a5 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
- err = do_remount_sb(sb, flags, data, 0);
- if (!err) {
- br_write_lock(&vfsmount_lock);
-- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
-+ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
- mnt->mnt.mnt_flags = mnt_flags;
- br_write_unlock(&vfsmount_lock);
- }
-diff --git a/include/linux/mount.h b/include/linux/mount.h
-index 38cd98f..8707c9e 100644
---- a/include/linux/mount.h
-+++ b/include/linux/mount.h
-@@ -42,7 +42,9 @@ struct mnt_namespace;
- * flag, consider how it interacts with shared mounts.
- */
- #define MNT_SHARED_MASK (MNT_UNBINDABLE)
--#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
-+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
-+ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
-+ | MNT_READONLY)
-
-
- #define MNT_INTERNAL 0x4000
---
-1.9.1
-
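Review bot: this file is part 0001 of a five-file set for CVE-2014-5206 and CVE-2014-5207 (0001 through 0005 in the diffstat), so the MNT_USER_SETTABLE_MASK definition in include/linux/mount.h and its use in do_remount() cover only one piece of the fix. Please confirm that f488de6 contains upstream a6138db815df5ee542d848318e5dae681590fccd and the commits behind the other four parts, so the fix is not left partially applied in the new tree.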
diff --git a/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch b/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
deleted file mode 100644
index 68289f2..0000000
--- a/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
+++ /dev/null
@@ -1,348 +0,0 @@
-From bbd951a21e0fd555cd9ede44c7196af09d04d171 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <dborkman at redhat.com>
-Date: Thu, 9 Oct 2014 22:55:31 +0200
-Subject: [PATCH] net: sctp: fix skb_over_panic when receiving malformed ASCONF
- chunks
-
-commit 9de7922bc709eee2f609cd01d98aaedc4cf5ea74 upstream.
-
-Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
-ASCONF chunk") added basic verification of ASCONF chunks, however,
-it is still possible to remotely crash a server by sending a
-special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
-
-skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
- head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
- end:0x440 dev:<NULL>
- ------------[ cut here ]------------
-kernel BUG at net/core/skbuff.c:129!
-[...]
-Call Trace:
- <IRQ>
- [<ffffffff8144fb1c>] skb_put+0x5c/0x70
- [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
- [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
- [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
- [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
- [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
- [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
- [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
- [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
- [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
- [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
- [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
- [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
- [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
- [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
- [<ffffffff81496ac5>] ip_rcv+0x275/0x350
- [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
- [<ffffffff81460588>] netif_receive_skb+0x58/0x60
-
-This can be triggered e.g., through a simple scripted nmap
-connection scan injecting the chunk after the handshake, for
-example, ...
-
- -------------- INIT[ASCONF; ASCONF_ACK] ------------->
- <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
- -------------------- COOKIE-ECHO -------------------->
- <-------------------- COOKIE-ACK ---------------------
- ------------------ ASCONF; UNKNOWN ------------------>
-
-... where ASCONF chunk of length 280 contains 2 parameters ...
-
- 1) Add IP address parameter (param length: 16)
- 2) Add/del IP address parameter (param length: 255)
-
-... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
-Address Parameter in the ASCONF chunk is even missing, too.
-This is just an example and similarly-crafted ASCONF chunks
-could be used just as well.
-
-The ASCONF chunk passes through sctp_verify_asconf() as all
-parameters passed sanity checks, and after walking, we ended
-up successfully at the chunk end boundary, and thus may invoke
-sctp_process_asconf(). Parameter walking is done with
-WORD_ROUND() to take padding into account.
-
-In sctp_process_asconf()'s TLV processing, we may fail in
-sctp_process_asconf_param() e.g., due to removal of the IP
-address that is also the source address of the packet containing
-the ASCONF chunk, and thus we need to add all TLVs after the
-failure to our ASCONF response to remote via helper function
-sctp_add_asconf_response(), which basically invokes a
-sctp_addto_chunk() adding the error parameters to the given
-skb.
-
-When walking to the next parameter this time, we proceed
-with ...
-
- length = ntohs(asconf_param->param_hdr.length);
- asconf_param = (void *)asconf_param + length;
-
-... instead of the WORD_ROUND()'ed length, thus resulting here
-in an off-by-one that leads to reading the follow-up garbage
-parameter length of 12336, and thus throwing an skb_over_panic
-for the reply when trying to sctp_addto_chunk() next time,
-which implicitly calls the skb_put() with that length.
-
-Fix it by using sctp_walk_params() [ which is also used in
-INIT parameter processing ] macro in the verification *and*
-in ASCONF processing: it will make sure we don't spill over,
-that we walk parameters WORD_ROUND()'ed. Moreover, we're being
-more defensive and guard against unknown parameter types and
-missized addresses.
-
-Joint work with Vlad Yasevich.
-
-Fixes CVE-2014-3673
-Upstream-Status: Backport
-
-Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
-Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
-Signed-off-by: Vlad Yasevich <vyasevich at gmail.com>
-Acked-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Cc: Josh Boyer <jwboyer at fedoraproject.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- include/net/sctp/sm.h | 6 +--
- net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++---------------------
- net/sctp/sm_statefuns.c | 18 +--------
- 3 files changed, 60 insertions(+), 63 deletions(-)
-
-diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
-index 4ef75af..c91b6f5 100644
---- a/include/net/sctp/sm.h
-+++ b/include/net/sctp/sm.h
-@@ -249,9 +249,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
- int, __be16);
- struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
- union sctp_addr *addr);
--int sctp_verify_asconf(const struct sctp_association *asoc,
-- struct sctp_paramhdr *param_hdr, void *chunk_end,
-- struct sctp_paramhdr **errp);
-+bool sctp_verify_asconf(const struct sctp_association *asoc,
-+ struct sctp_chunk *chunk, bool addr_param_needed,
-+ struct sctp_paramhdr **errp);
- struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- struct sctp_chunk *asconf);
- int sctp_process_asconf_ack(struct sctp_association *asoc,
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index e342387..d800160 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -3126,50 +3126,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
- return SCTP_ERROR_NO_ERROR;
- }
-
--/* Verify the ASCONF packet before we process it. */
--int sctp_verify_asconf(const struct sctp_association *asoc,
-- struct sctp_paramhdr *param_hdr, void *chunk_end,
-- struct sctp_paramhdr **errp) {
-- sctp_addip_param_t *asconf_param;
-+/* Verify the ASCONF packet before we process it. */
-+bool sctp_verify_asconf(const struct sctp_association *asoc,
-+ struct sctp_chunk *chunk, bool addr_param_needed,
-+ struct sctp_paramhdr **errp)
-+{
-+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
- union sctp_params param;
-- int length, plen;
--
-- param.v = (sctp_paramhdr_t *) param_hdr;
-- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
-- length = ntohs(param.p->length);
-- *errp = param.p;
-+ bool addr_param_seen = false;
-
-- if (param.v > chunk_end - length ||
-- length < sizeof(sctp_paramhdr_t))
-- return 0;
-+ sctp_walk_params(param, addip, addip_hdr.params) {
-+ size_t length = ntohs(param.p->length);
-
-+ *errp = param.p;
- switch (param.p->type) {
-+ case SCTP_PARAM_ERR_CAUSE:
-+ break;
-+ case SCTP_PARAM_IPV4_ADDRESS:
-+ if (length != sizeof(sctp_ipv4addr_param_t))
-+ return false;
-+ addr_param_seen = true;
-+ break;
-+ case SCTP_PARAM_IPV6_ADDRESS:
-+ if (length != sizeof(sctp_ipv6addr_param_t))
-+ return false;
-+ addr_param_seen = true;
-+ break;
- case SCTP_PARAM_ADD_IP:
- case SCTP_PARAM_DEL_IP:
- case SCTP_PARAM_SET_PRIMARY:
-- asconf_param = (sctp_addip_param_t *)param.v;
-- plen = ntohs(asconf_param->param_hdr.length);
-- if (plen < sizeof(sctp_addip_param_t) +
-- sizeof(sctp_paramhdr_t))
-- return 0;
-+ /* In ASCONF chunks, these need to be first. */
-+ if (addr_param_needed && !addr_param_seen)
-+ return false;
-+ length = ntohs(param.addip->param_hdr.length);
-+ if (length < sizeof(sctp_addip_param_t) +
-+ sizeof(sctp_paramhdr_t))
-+ return false;
- break;
- case SCTP_PARAM_SUCCESS_REPORT:
- case SCTP_PARAM_ADAPTATION_LAYER_IND:
- if (length != sizeof(sctp_addip_param_t))
-- return 0;
--
-+ return false;
- break;
- default:
-- break;
-+ /* This is unkown to us, reject! */
-+ return false;
- }
--
-- param.v += WORD_ROUND(length);
- }
-
-- if (param.v != chunk_end)
-- return 0;
-+ /* Remaining sanity checks. */
-+ if (addr_param_needed && !addr_param_seen)
-+ return false;
-+ if (!addr_param_needed && addr_param_seen)
-+ return false;
-+ if (param.v != chunk->chunk_end)
-+ return false;
-
-- return 1;
-+ return true;
- }
-
- /* Process an incoming ASCONF chunk with the next expected serial no. and
-@@ -3178,16 +3191,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
- struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- struct sctp_chunk *asconf)
- {
-+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
-+ bool all_param_pass = true;
-+ union sctp_params param;
- sctp_addiphdr_t *hdr;
- union sctp_addr_param *addr_param;
- sctp_addip_param_t *asconf_param;
- struct sctp_chunk *asconf_ack;
--
- __be16 err_code;
- int length = 0;
- int chunk_len;
- __u32 serial;
-- int all_param_pass = 1;
-
- chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
- hdr = (sctp_addiphdr_t *)asconf->skb->data;
-@@ -3215,9 +3229,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- goto done;
-
- /* Process the TLVs contained within the ASCONF chunk. */
-- while (chunk_len > 0) {
-+ sctp_walk_params(param, addip, addip_hdr.params) {
-+ /* Skip preceeding address parameters. */
-+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
-+ param.p->type == SCTP_PARAM_IPV6_ADDRESS)
-+ continue;
-+
- err_code = sctp_process_asconf_param(asoc, asconf,
-- asconf_param);
-+ param.addip);
- /* ADDIP 4.1 A7)
- * If an error response is received for a TLV parameter,
- * all TLVs with no response before the failed TLV are
-@@ -3225,28 +3244,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- * the failed response are considered unsuccessful unless
- * a specific success indication is present for the parameter.
- */
-- if (SCTP_ERROR_NO_ERROR != err_code)
-- all_param_pass = 0;
--
-+ if (err_code != SCTP_ERROR_NO_ERROR)
-+ all_param_pass = false;
- if (!all_param_pass)
-- sctp_add_asconf_response(asconf_ack,
-- asconf_param->crr_id, err_code,
-- asconf_param);
-+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
-+ err_code, param.addip);
-
- /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
- * an IP address sends an 'Out of Resource' in its response, it
- * MUST also fail any subsequent add or delete requests bundled
- * in the ASCONF.
- */
-- if (SCTP_ERROR_RSRC_LOW == err_code)
-+ if (err_code == SCTP_ERROR_RSRC_LOW)
- goto done;
--
-- /* Move to the next ASCONF param. */
-- length = ntohs(asconf_param->param_hdr.length);
-- asconf_param = (void *)asconf_param + length;
-- chunk_len -= length;
- }
--
- done:
- asoc->peer.addip_serial++;
-
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index 62623cc..bf12098 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -3595,9 +3595,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
- struct sctp_chunk *asconf_ack = NULL;
- struct sctp_paramhdr *err_param = NULL;
- sctp_addiphdr_t *hdr;
-- union sctp_addr_param *addr_param;
- __u32 serial;
-- int length;
-
- if (!sctp_vtag_verify(chunk, asoc)) {
- sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
-@@ -3622,17 +3620,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
- hdr = (sctp_addiphdr_t *)chunk->skb->data;
- serial = ntohl(hdr->serial);
-
-- addr_param = (union sctp_addr_param *)hdr->params;
-- length = ntohs(addr_param->p.length);
-- if (length < sizeof(sctp_paramhdr_t))
-- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
-- (void *)addr_param, commands);
--
- /* Verify the ASCONF chunk before processing it. */
-- if (!sctp_verify_asconf(asoc,
-- (sctp_paramhdr_t *)((void *)addr_param + length),
-- (void *)chunk->chunk_end,
-- &err_param))
-+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- (void *)err_param, commands);
-
-@@ -3750,10 +3739,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
- rcvd_serial = ntohl(addip_hdr->serial);
-
- /* Verify the ASCONF-ACK chunk before processing it. */
-- if (!sctp_verify_asconf(asoc,
-- (sctp_paramhdr_t *)addip_hdr->params,
-- (void *)asconf_ack->chunk_end,
-- &err_param))
-+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- (void *)err_param, commands);
-
---
-1.9.1
-
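Review bot: Dropping this file is only safe if net/sctp in revision f488de6 already has the reworked sctp_verify_asconf(), and the commit message asserts that without naming the commits that supersede it. Before merging, check in the new tree that the `default:` branch of the parameter switch returns false, that the `addr_param_needed` / `addr_param_seen` checks are present, and that both callers in sm_statefuns.c use the `(asoc, chunk, true|false, &err_param)` form. Listing the superseding upstream commit ids in the commit message would make this auditable later.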
diff --git a/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch b/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
deleted file mode 100644
index 00ead60..0000000
--- a/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 8685789bd8ec12a02b07ea76df4527b055efbf20 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd at google.com>
-Date: Mon, 23 Jun 2014 13:22:06 -0700
-Subject: [PATCH 1/3] shmem: fix faulting into a hole while it's punched
-
-commit f00cdc6df7d7cfcabb5b740911e6788cb0802bdb upstream.
-
-Trinity finds that mmap access to a hole while it's punched from shmem
-can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
-from completing, until the reader chooses to stop; with the puncher's
-hold on i_mutex locking out all other writers until it can complete.
-
-It appears that the tmpfs fault path is too light in comparison with its
-hole-punching path, lacking an i_data_sem to obstruct it; but we don't
-want to slow down the common case.
-
-Extend shmem_fallocate()'s existing range notification mechanism, so
-shmem_fault() can refrain from faulting pages into the hole while it's
-punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
-faulting when not).
-
-Upstream-Status: Backport
-
-[akpm at linux-foundation.org: coding-style fixes]
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Tested-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: Dave Jones <davej at redhat.com>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 52 insertions(+), 4 deletions(-)
-
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 8297623..00d412f 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt;
- #define SHORT_SYMLINK_LEN 128
-
- /*
-- * shmem_fallocate and shmem_writepage communicate via inode->i_private
-- * (with i_mutex making sure that it has only one user at a time):
-- * we would prefer not to enlarge the shmem inode just for that.
-+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via
-+ * inode->i_private (with i_mutex making sure that it has only one user at
-+ * a time): we would prefer not to enlarge the shmem inode just for that.
- */
- struct shmem_falloc {
-+ int mode; /* FALLOC_FL mode currently operating */
- pgoff_t start; /* start of range currently being fallocated */
- pgoff_t next; /* the next page offset to be fallocated */
- pgoff_t nr_falloced; /* how many new pages have been fallocated */
-@@ -826,6 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
- spin_lock(&inode->i_lock);
- shmem_falloc = inode->i_private;
- if (shmem_falloc &&
-+ !shmem_falloc->mode &&
- index >= shmem_falloc->start &&
- index < shmem_falloc->next)
- shmem_falloc->nr_unswapped++;
-@@ -1300,6 +1302,44 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
- int error;
- int ret = VM_FAULT_LOCKED;
-
-+ /*
-+ * Trinity finds that probing a hole which tmpfs is punching can
-+ * prevent the hole-punch from ever completing: which in turn
-+ * locks writers out with its hold on i_mutex. So refrain from
-+ * faulting pages into the hole while it's being punched, and
-+ * wait on i_mutex to be released if vmf->flags permits.
-+ */
-+ if (unlikely(inode->i_private)) {
-+ struct shmem_falloc *shmem_falloc;
-+
-+ spin_lock(&inode->i_lock);
-+ shmem_falloc = inode->i_private;
-+ if (!shmem_falloc ||
-+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
-+ vmf->pgoff < shmem_falloc->start ||
-+ vmf->pgoff >= shmem_falloc->next)
-+ shmem_falloc = NULL;
-+ spin_unlock(&inode->i_lock);
-+ /*
-+ * i_lock has protected us from taking shmem_falloc seriously
-+ * once return from shmem_fallocate() went back up that stack.
-+ * i_lock does not serialize with i_mutex at all, but it does
-+ * not matter if sometimes we wait unnecessarily, or sometimes
-+ * miss out on waiting: we just need to make those cases rare.
-+ */
-+ if (shmem_falloc) {
-+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
-+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
-+ up_read(&vma->vm_mm->mmap_sem);
-+ mutex_lock(&inode->i_mutex);
-+ mutex_unlock(&inode->i_mutex);
-+ return VM_FAULT_RETRY;
-+ }
-+ /* cond_resched? Leave that to GUP or return to user */
-+ return VM_FAULT_NOPAGE;
-+ }
-+ }
-+
- error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
- if (error)
- return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
-@@ -1815,18 +1855,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
-
- mutex_lock(&inode->i_mutex);
-
-+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
-+
- if (mode & FALLOC_FL_PUNCH_HOLE) {
- struct address_space *mapping = file->f_mapping;
- loff_t unmap_start = round_up(offset, PAGE_SIZE);
- loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
-
-+ shmem_falloc.start = unmap_start >> PAGE_SHIFT;
-+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
-+ spin_lock(&inode->i_lock);
-+ inode->i_private = &shmem_falloc;
-+ spin_unlock(&inode->i_lock);
-+
- if ((u64)unmap_end > (u64)unmap_start)
- unmap_mapping_range(mapping, unmap_start,
- 1 + unmap_end - unmap_start, 0);
- shmem_truncate_range(inode, offset, offset + len - 1);
- /* No need to unmap again: hole-punching leaves COWed pages */
- error = 0;
-- goto out;
-+ goto undone;
- }
-
- /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
---
-1.9.1
-
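Review bot: This file is patch 1/3 of the CVE-2014-4171 series and should not be treated as "merged" on its own. The `mutex_lock(&inode->i_mutex)` / `mutex_unlock(&inode->i_mutex)` pair it adds to shmem_fault() is what 0002-shmem-CVE-2014-4171.patch removes again after the lockdep report. Please confirm that mm/shmem.c in f488de6 is at the end state of the whole series (f00cdc6df7d7, 8e205f779d14 and the following patch), not at this intermediate state, and say so in the commit message.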
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
deleted file mode 100644
index 8612d74..0000000
--- a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 0bf595fd311aa4d6e82c43879f2c0d0650e83271 Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen <lars at metafoo.de>
-Date: Wed, 18 Jun 2014 13:32:33 +0200
-Subject: [PATCH] ALSA: control: Don't access controls outside of protected
- regions
-
-commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream.
-
-A control that is visible on the card->controls list can be freed at any time.
-This means we must not access any of its memory while not holding the
-controls_rw_lock. Otherwise we risk a use after free access.
-
-This fixes CVE-2014-4653
-Upstream-Status: Backport
-
-Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
-Acked-by: Jaroslav Kysela <perex at perex.cz>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- sound/core/control.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/sound/core/control.c b/sound/core/control.c
-index 15bc844..d4a597f 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -331,6 +331,7 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
- {
- struct snd_ctl_elem_id id;
- unsigned int idx;
-+ unsigned int count;
- int err = -EINVAL;
-
- if (! kcontrol)
-@@ -359,8 +360,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
- card->controls_count += kcontrol->count;
- kcontrol->id.numid = card->last_numid + 1;
- card->last_numid += kcontrol->count;
-+ count = kcontrol->count;
- up_write(&card->controls_rwsem);
-- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
-+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
- return 0;
-
-@@ -389,6 +391,7 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
- bool add_on_replace)
- {
- struct snd_ctl_elem_id id;
-+ unsigned int count;
- unsigned int idx;
- struct snd_kcontrol *old;
- int ret;
-@@ -424,8 +427,9 @@ add:
- card->controls_count += kcontrol->count;
- kcontrol->id.numid = card->last_numid + 1;
- card->last_numid += kcontrol->count;
-+ count = kcontrol->count;
- up_write(&card->controls_rwsem);
-- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
-+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
- return 0;
-
-@@ -898,9 +902,9 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file,
- result = kctl->put(kctl, control);
- }
- if (result > 0) {
-+ struct snd_ctl_elem_id id = control->id;
- up_read(&card->controls_rwsem);
-- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE,
-- &control->id);
-+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id);
- return 0;
- }
- }
-@@ -1334,8 +1338,9 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
- }
- err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv);
- if (err > 0) {
-+ struct snd_ctl_elem_id id = kctl->id;
- up_read(&card->controls_rwsem);
-- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id);
-+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id);
- return 0;
- }
- } else {
---
-1.9.1
-
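Review bot: The removal needs a check that upstream fd9f26e4eca5 is contained in f488de6, because without it snd_ctl_add() and snd_ctl_replace() read `kcontrol->count` after `up_write(&card->controls_rwsem)`, and snd_ctl_elem_write() and snd_ctl_tlv_ioctl() pass `&control->id` and `&kctl->id` to snd_ctl_notify() after `up_read()`. A quick way to verify is to look for the local `count` and `id` copies in sound/core/control.c of the new tree. Note that 0002-ALSA-CVE-2014-4656.patch is based on this file's post-image (index d4a597f), so the two must leave the recipe together.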
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
deleted file mode 100644
index 2065780..0000000
--- a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen <lars at metafoo.de>
-Date: Wed, 18 Jun 2014 13:32:34 +0200
-Subject: [PATCH] ALSA: control: Handle numid overflow
-
-commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
-
-Each control gets automatically assigned its numids when the control is created.
-The allocation is done by incrementing the numid by the amount of allocated
-numids per allocation. This means that excessive creation and destruction of
-controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
-eventually overflow. Currently when this happens for the control that caused the
-overflow kctl->id.numid + kctl->count will also over flow causing it to be
-smaller than kctl->id.numid. Most of the code assumes that this is something
-that can not happen, so we need to make sure that it won't happen
-
-Fixes CVE-2014-4656
-Upstream-Status: Backport
-
-Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
-Acked-by: Jaroslav Kysela <perex at perex.cz>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- sound/core/control.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/sound/core/control.c b/sound/core/control.c
-index d4a597f..93215b4 100644
---- a/sound/core/control.c
-+++ b/sound/core/control.c
-@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
- {
- struct snd_kcontrol *kctl;
-
-+ /* Make sure that the ids assigned to the control do not wrap around */
-+ if (card->last_numid >= UINT_MAX - count)
-+ card->last_numid = 0;
-+
- list_for_each_entry(kctl, &card->controls, list) {
- if (kctl->id.numid < card->last_numid + 1 + count &&
- kctl->id.numid + kctl->count > card->last_numid + 1) {
---
-1.9.1
-
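Review bot: CVE-2014-4656 is covered by two files in this layer (0001-ALSA-CVE-2014-4656.patch and this one), so the new kernel has to contain both upstream changes for the deletion to be neutral. For this half, confirm that snd_ctl_remove_numid_conflict() in f488de6 still starts with the `card->last_numid >= UINT_MAX - count` reset (upstream ac902c112d90). It would help to name both upstream commits in the commit message.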
diff --git a/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
deleted file mode 100644
index a90d079..0000000
--- a/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
-From: Jiri Kosina <jkosina at suse.cz>
-Date: Thu, 21 Aug 2014 09:57:17 -0500
-Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
- enough
-
-device_index is a char type and the size of paired_dj_deivces is 7
-elements, therefore proper bounds checking has to be applied to
-device_index before it is used.
-
-We are currently performing the bounds checking in
-logi_dj_recv_add_djhid_device(), which is too late, as malicious device
-could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
-problem in one of the report forwarding functions called from
-logi_dj_raw_event().
-
-Fix this by performing the check at the earliest possible ocasion in
-logi_dj_raw_event().
-
-This fixes CVE-2014-3182
-Upstream-Status: Backport
-
-Cc: stable at vger.kernel.org
-Reported-by: Ben Hawkes <hawkes at google.com>
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- drivers/hid/hid-logitech-dj.c | 13 ++++++-------
- 1 file changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
-index ca0ab51..b7ba829 100644
---- a/drivers/hid/hid-logitech-dj.c
-+++ b/drivers/hid/hid-logitech-dj.c
-@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
- return;
- }
-
-- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
-- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
-- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
-- __func__, dj_report->device_index);
-- return;
-- }
--
- if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
- /* The device is already known. No need to reallocate it. */
- dbg_hid("%s: device is already known\n", __func__);
-@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
- * device (via hid_input_report() ) and return 1 so hid-core does not do
- * anything else with it.
- */
-+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
-+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
-+ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
-+ __func__, dj_report->device_index);
-+ return false;
-+ }
-
- spin_lock_irqsave(&djrcv_dev->lock, flags);
- if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
---
-1.9.1
-
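Review bot: Unlike the other backports removed here, this file carries no "commit ... upstream." line, so its presence in f488de6 cannot be confirmed by hash and has to be checked by content: the `device_index` range check against DJ_DEVICE_INDEX_MIN / DJ_DEVICE_INDEX_MAX must sit in logi_dj_raw_event() before the spin_lock_irqsave(). While checking, note that the backport does `return false;` in a function declared `static int`, next to a comment that talks about returning 1 to stop hid-core; please look at what the merged version returns on an invalid index and record the upstream commit id in the commit message.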
diff --git a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
deleted file mode 100644
index e43771c..0000000
--- a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 248541357433e3035d954435dafcdb9e70afee4e Mon Sep 17 00:00:00 2001
-From: Quentin Casasnovas <quentin.casasnovas at oracle.com>
-Date: Fri, 17 Oct 2014 22:55:59 +0200
-Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error
- path.
-
-commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
-
-The third parameter of kvm_unpin_pages() when called from
-kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
-and not the page size.
-
-This error was facilitated with an inconsistent API: kvm_pin_pages() takes
-a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
-by matching the two.
-
-This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
-of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
-un-pinning for pages intended to be un-pinned (i.e. memory leak) but
-unfortunately potentially aggravated the number of pages we un-pin that
-should have stayed pinned. As far as I understand though, the same
-practical mitigations apply.
-
-This issue was found during review of Red Hat 6.6 patches to prepare
-Ksplice rebootless updates.
-
-Thanks to Vegard for his time on a late Friday evening to help me in
-understanding this code.
-
-Fix for CVE-2014-8369
-
-Upstream-Status: Backport
-
-Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
-Signed-off-by: Quentin Casasnovas <quentin.casasnovas at oracle.com>
-Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
-Signed-off-by: Jamie Iles <jamie.iles at oracle.com>
-Reviewed-by: Sasha Levin <sasha.levin at oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- virt/kvm/iommu.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
-index dec9971..a650aa4 100644
---- a/virt/kvm/iommu.c
-+++ b/virt/kvm/iommu.c
-@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
- gfn_t base_gfn, unsigned long npages);
-
- static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
-- unsigned long size)
-+ unsigned long npages)
- {
- gfn_t end_gfn;
- pfn_t pfn;
-
- pfn = gfn_to_pfn_memslot(slot, gfn);
-- end_gfn = gfn + (size >> PAGE_SHIFT);
-+ end_gfn = gfn + npages;
- gfn += 1;
-
- if (is_error_noslot_pfn(pfn))
-@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- * Pin all pages we are about to map in memory. This is
- * important because we unmap and unpin in 4kb steps later.
- */
-- pfn = kvm_pin_pages(slot, gfn, page_size);
-+ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
- if (is_error_noslot_pfn(pfn)) {
- gfn += 1;
- continue;
-@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
- if (r) {
- printk(KERN_ERR "kvm_iommu_map_address:"
- "iommu failed to map pfn=%llx\n", pfn);
-- kvm_unpin_pages(kvm, pfn, page_size);
-+ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
- goto unmap_pages;
- }
-
---
-1.9.1
-
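Review bot: This fix and 0001-kvm-iommu-CVE-2014-3601.patch are coupled, and the removal is only safe if f488de6 has both. The message of this file states that 350b8bd on its own makes the error path un-pin more pages than were pinned, so a tree that has 350b8bd but not 3d32e4dbe713 would be worse off than the patched 3.12 this recipe built before. Please verify that virt/kvm/iommu.c in the new revision calls `kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT)` and that kvm_pin_pages() takes `npages`.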
diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index b08f217..0000000
--- a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman" <ebiederm at xmission.com>
-Date: Mon, 28 Jul 2014 17:10:56 -0700
-Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
- change_mount_flags into do_remount
-
-commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
-
-There are no races as locked mount flags are guaranteed to never change.
-
-Moving the test into do_remount makes it more visible, and ensures all
-filesystem remounts pass the MNT_LOCK_READONLY permission check. This
-second case is not an issue today as filesystem remounts are guarded
-by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
-mount namespaces, but it could become an issue in the future.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Cc: stable at vger.kernel.org
-Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
-Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/namespace.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 34fa7a5..8e90b03 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
- if (readonly_request == __mnt_is_readonly(mnt))
- return 0;
-
-- if (mnt->mnt_flags & MNT_LOCK_READONLY)
-- return -EPERM;
--
- if (readonly_request)
- error = mnt_make_readonly(real_mount(mnt));
- else
-@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
- if (path->dentry != path->mnt->mnt_root)
- return -EINVAL;
-
-+ /* Don't allow changing of locked mnt flags.
-+ *
-+ * No locks need to be held here while testing the various
-+ * MNT_LOCK flags because those flags can never be cleared
-+ * once they are set.
-+ */
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
-+ !(mnt_flags & MNT_READONLY)) {
-+ return -EPERM;
-+ }
- err = security_sb_remount(sb, data);
- if (err)
- return err;
---
-1.9.1
-
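Review bot: The file name claims CVE-2014-5206 and CVE-2014-5207, but the change it carries only moves the `MNT_LOCK_READONLY` test from change_mount_flags() into do_remount(), so finding that one check in the new tree does not show that both CVEs are closed. Since the 0001 file of the same name is removed in this patch as well, please verify each by its upstream commit (07b645589dcd for this one) against f488de6 and list the ids in the commit message.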
diff --git a/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch b/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
deleted file mode 100644
index b05aaf2..0000000
--- a/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From a723db0be941b8aebaa1a98b33d17a91b16603e4 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <dborkman at redhat.com>
-Date: Thu, 9 Oct 2014 22:55:32 +0200
-Subject: [PATCH] net: sctp: fix panic on duplicate ASCONF chunks
-
-commit b69040d8e39f20d5215a03502a8e8b4c6ab78395 upstream.
-
-When receiving a e.g. semi-good formed connection scan in the
-form of ...
-
- -------------- INIT[ASCONF; ASCONF_ACK] ------------->
- <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
- -------------------- COOKIE-ECHO -------------------->
- <-------------------- COOKIE-ACK ---------------------
- ---------------- ASCONF_a; ASCONF_b ----------------->
-
-... where ASCONF_a equals ASCONF_b chunk (at least both serials
-need to be equal), we panic an SCTP server!
-
-The problem is that good-formed ASCONF chunks that we reply with
-ASCONF_ACK chunks are cached per serial. Thus, when we receive a
-same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
-not need to process them again on the server side (that was the
-idea, also proposed in the RFC). Instead, we know it was cached
-and we just resend the cached chunk instead. So far, so good.
-
-Where things get nasty is in SCTP's side effect interpreter, that
-is, sctp_cmd_interpreter():
-
-While incoming ASCONF_a (chunk = event_arg) is being marked
-!end_of_packet and !singleton, and we have an association context,
-we do not flush the outqueue the first time after processing the
-ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
-queued up, although we set local_cork to 1. Commit 2e3216cd54b1
-changed the precedence, so that as long as we get bundled, incoming
-chunks we try possible bundling on outgoing queue as well. Before
-this commit, we would just flush the output queue.
-
-Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
-continue to process the same ASCONF_b chunk from the packet. As
-we have cached the previous ASCONF_ACK, we find it, grab it and
-do another SCTP_CMD_REPLY command on it. So, effectively, we rip
-the chunk->list pointers and requeue the same ASCONF_ACK chunk
-another time. Since we process ASCONF_b, it's correctly marked
-with end_of_packet and we enforce an uncork, and thus flush, thus
-crashing the kernel.
-
-Fix it by testing if the ASCONF_ACK is currently pending and if
-that is the case, do not requeue it. When flushing the output
-queue we may relink the chunk for preparing an outgoing packet,
-but eventually unlink it when it's copied into the skb right
-before transmission.
-
-Joint work with Vlad Yasevich.
-
-Fixes CVE-2014-3687
-Upstream-Status: Backport
-
-Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
-Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
-Signed-off-by: Vlad Yasevich <vyasevich at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Cc: Josh Boyer <jwboyer at fedoraproject.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- include/net/sctp/sctp.h | 5 +++++
- net/sctp/associola.c | 2 ++
- 2 files changed, 7 insertions(+)
-
-diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
-index 3794c5a..3848934 100644
---- a/include/net/sctp/sctp.h
-+++ b/include/net/sctp/sctp.h
-@@ -454,6 +454,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat
- asoc->pmtu_pending = 0;
- }
-
-+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
-+{
-+ return !list_empty(&chunk->list);
-+}
-+
- /* Walk through a list of TLV parameters. Don't trust the
- * individual parameter lengths and instead depend on
- * the chunk length to indicate when to stop. Make sure
-diff --git a/net/sctp/associola.c b/net/sctp/associola.c
-index ad5cd6f..737050f 100644
---- a/net/sctp/associola.c
-+++ b/net/sctp/associola.c
-@@ -1645,6 +1645,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
- * ack chunk whose serial number matches that of the request.
- */
- list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
-+ if (sctp_chunk_pending(ack))
-+ continue;
- if (ack->subh.addip_hdr->serial == serial) {
- sctp_chunk_hold(ack);
- return ack;
---
-1.9.1
-
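Review bot: Because the Fixes: tag here points at 2e3216cd54b1, any tree that contains that commit also needs b69040d8e39f, and this deletion gives no evidence that f488de6 has it. Please confirm that the new revision has both halves of the change: the sctp_chunk_pending() helper in include/net/sctp/sctp.h and the `if (sctp_chunk_pending(ack)) continue;` test at the top of the loop in sctp_assoc_lookup_asconf_ack(). The helper alone changes nothing.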
diff --git a/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch b/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch
deleted file mode 100644
index a43b895..0000000
--- a/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From 38d05809df1ea5272a658e7f4d5f2a3027ad2fd2 Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd at google.com>
-Date: Wed, 23 Jul 2014 14:00:10 -0700
-Subject: [PATCH 2/3] shmem: fix faulting into a hole, not taking i_mutex
-
-commit 8e205f779d1443a94b5ae81aa359cb535dd3021e upstream.
-
-Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's
-punched") was buggy: Sasha sent a lockdep report to remind us that
-grabbing i_mutex in the fault path is a no-no (write syscall may already
-hold i_mutex while faulting user buffer).
-
-We tried a completely different approach (see following patch) but that
-proved inadequate: good enough for a rational workload, but not good
-enough against trinity - which forks off so many mappings of the object
-that contention on i_mmap_mutex while hole-puncher holds i_mutex builds
-into serious starvation when concurrent faults force the puncher to fall
-back to single-page unmap_mapping_range() searches of the i_mmap tree.
-
-So return to the original umbrella approach, but keep away from i_mutex
-this time. We really don't want to bloat every shmem inode with a new
-mutex or completion, just to protect this unlikely case from trinity.
-So extend the original with wait_queue_head on stack at the hole-punch
-end, and wait_queue item on the stack at the fault end.
-
-This involves further use of i_lock to guard against the races: lockdep
-has been happy so far, and I see fs/inode.c:unlock_new_inode() holds
-i_lock around wake_up_bit(), which is comparable to what we do here.
-i_lock is more convenient, but we could switch to shmem's info->lock.
-
-This issue has been tagged with CVE-2014-4171, which will require commit
-f00cdc6df7d7 and this and the following patch to be backported: we
-suggest to 3.1+, though in fact the trinity forkbomb effect might go
-back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might
-not, since much has changed, with i_mmap_mutex a spinlock before 3.0.
-Anyone running trinity on 3.0 and earlier? I don't think we need care.
-
-Upstream-Status: Backport
-
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Tested-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: Vlastimil Babka <vbabka at suse.cz>
-Cc: Konstantin Khlebnikov <koct9i at gmail.com>
-Cc: Johannes Weiner <hannes at cmpxchg.org>
-Cc: Lukas Czerner <lczerner at redhat.com>
-Cc: Dave Jones <davej at redhat.com>
-Cc: <stable at vger.kernel.org> [3.1+]
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- mm/shmem.c | 78 +++++++++++++++++++++++++++++++++++++++++---------------------
- 1 file changed, 52 insertions(+), 26 deletions(-)
-
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 00d412f..6f5626f 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -85,7 +85,7 @@ static struct vfsmount *shm_mnt;
- * a time): we would prefer not to enlarge the shmem inode just for that.
- */
- struct shmem_falloc {
-- int mode; /* FALLOC_FL mode currently operating */
-+ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */
- pgoff_t start; /* start of range currently being fallocated */
- pgoff_t next; /* the next page offset to be fallocated */
- pgoff_t nr_falloced; /* how many new pages have been fallocated */
-@@ -827,7 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
- spin_lock(&inode->i_lock);
- shmem_falloc = inode->i_private;
- if (shmem_falloc &&
-- !shmem_falloc->mode &&
-+ !shmem_falloc->waitq &&
- index >= shmem_falloc->start &&
- index < shmem_falloc->next)
- shmem_falloc->nr_unswapped++;
-@@ -1306,38 +1306,58 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
- * Trinity finds that probing a hole which tmpfs is punching can
- * prevent the hole-punch from ever completing: which in turn
- * locks writers out with its hold on i_mutex. So refrain from
-- * faulting pages into the hole while it's being punched, and
-- * wait on i_mutex to be released if vmf->flags permits.
-+ * faulting pages into the hole while it's being punched. Although
-+ * shmem_undo_range() does remove the additions, it may be unable to
-+ * keep up, as each new page needs its own unmap_mapping_range() call,
-+ * and the i_mmap tree grows ever slower to scan if new vmas are added.
-+ *
-+ * It does not matter if we sometimes reach this check just before the
-+ * hole-punch begins, so that one fault then races with the punch:
-+ * we just need to make racing faults a rare case.
-+ *
-+ * The implementation below would be much simpler if we just used a
-+ * standard mutex or completion: but we cannot take i_mutex in fault,
-+ * and bloating every shmem inode for this unlikely case would be sad.
- */
- if (unlikely(inode->i_private)) {
- struct shmem_falloc *shmem_falloc;
-
- spin_lock(&inode->i_lock);
- shmem_falloc = inode->i_private;
-- if (!shmem_falloc ||
-- shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
-- vmf->pgoff < shmem_falloc->start ||
-- vmf->pgoff >= shmem_falloc->next)
-- shmem_falloc = NULL;
-- spin_unlock(&inode->i_lock);
-- /*
-- * i_lock has protected us from taking shmem_falloc seriously
-- * once return from shmem_fallocate() went back up that stack.
-- * i_lock does not serialize with i_mutex at all, but it does
-- * not matter if sometimes we wait unnecessarily, or sometimes
-- * miss out on waiting: we just need to make those cases rare.
-- */
-- if (shmem_falloc) {
-+ if (shmem_falloc &&
-+ shmem_falloc->waitq &&
-+ vmf->pgoff >= shmem_falloc->start &&
-+ vmf->pgoff < shmem_falloc->next) {
-+ wait_queue_head_t *shmem_falloc_waitq;
-+ DEFINE_WAIT(shmem_fault_wait);
-+
-+ ret = VM_FAULT_NOPAGE;
- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
-+ /* It's polite to up mmap_sem if we can */
- up_read(&vma->vm_mm->mmap_sem);
-- mutex_lock(&inode->i_mutex);
-- mutex_unlock(&inode->i_mutex);
-- return VM_FAULT_RETRY;
-+ ret = VM_FAULT_RETRY;
- }
-- /* cond_resched? Leave that to GUP or return to user */
-- return VM_FAULT_NOPAGE;
-+
-+ shmem_falloc_waitq = shmem_falloc->waitq;
-+ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
-+ TASK_UNINTERRUPTIBLE);
-+ spin_unlock(&inode->i_lock);
-+ schedule();
-+
-+ /*
-+ * shmem_falloc_waitq points into the shmem_fallocate()
-+ * stack of the hole-punching task: shmem_falloc_waitq
-+ * is usually invalid by the time we reach here, but
-+ * finish_wait() does not dereference it in that case;
-+ * though i_lock needed lest racing with wake_up_all().
-+ */
-+ spin_lock(&inode->i_lock);
-+ finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
-+ spin_unlock(&inode->i_lock);
-+ return ret;
- }
-+ spin_unlock(&inode->i_lock);
- }
-
- error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
-@@ -1855,13 +1875,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
-
- mutex_lock(&inode->i_mutex);
-
-- shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
--
- if (mode & FALLOC_FL_PUNCH_HOLE) {
- struct address_space *mapping = file->f_mapping;
- loff_t unmap_start = round_up(offset, PAGE_SIZE);
- loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
-+ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
-
-+ shmem_falloc.waitq = &shmem_falloc_waitq;
- shmem_falloc.start = unmap_start >> PAGE_SHIFT;
- shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
- spin_lock(&inode->i_lock);
-@@ -1873,8 +1893,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
- 1 + unmap_end - unmap_start, 0);
- shmem_truncate_range(inode, offset, offset + len - 1);
- /* No need to unmap again: hole-punching leaves COWed pages */
-+
-+ spin_lock(&inode->i_lock);
-+ inode->i_private = NULL;
-+ wake_up_all(&shmem_falloc_waitq);
-+ spin_unlock(&inode->i_lock);
- error = 0;
-- goto undone;
-+ goto out;
- }
-
- /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
-@@ -1890,6 +1915,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
- goto out;
- }
-
-+ shmem_falloc.waitq = NULL;
- shmem_falloc.start = start;
- shmem_falloc.next = start;
- shmem_falloc.nr_falloced = 0;
---
-1.9.1
-
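Review bot: the fault path in this deleted backport sleeps on `shmem_falloc->waitq`, which points into the `shmem_fallocate()` stack, so dropping the file is only safe if the new revision carries the whole change, including the `inode->i_private = NULL` and `wake_up_all()` under `i_lock` at the end of the punch-hole branch. Please confirm this against mm/shmem.c at f488de6 (for example, that `struct shmem_falloc` has `waitq` rather than `mode`) and state the result in the commit message.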
diff --git a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
deleted file mode 100644
index f58b2f0..0000000
--- a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
-From: Jiri Kosina <jkosina at suse.cz>
-Date: Thu, 21 Aug 2014 09:57:48 -0500
-Subject: [PATCH] HID: fix a couple of off-by-ones
-
-There are a few very theoretical off-by-one bugs in report descriptor size
-checking when performing a pre-parsing fixup. Fix those.
-
-This fixes CVE-2014-3184
-Upstream-Status: Backport
-
-Cc: stable at vger.kernel.org
-Reported-by: Ben Hawkes <hawkes at google.com>
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- drivers/hid/hid-cherry.c | 2 +-
- drivers/hid/hid-kye.c | 2 +-
- drivers/hid/hid-lg.c | 4 ++--
- drivers/hid/hid-monterey.c | 2 +-
- drivers/hid/hid-petalynx.c | 2 +-
- drivers/hid/hid-sunplus.c | 2 +-
- 6 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
-index 1bdcccc..f745d2c 100644
---- a/drivers/hid/hid-cherry.c
-+++ b/drivers/hid/hid-cherry.c
-@@ -28,7 +28,7 @@
- static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
-+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
- hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
- rdesc[11] = rdesc[16] = 0xff;
- rdesc[12] = rdesc[17] = 0x03;
-diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
-index e776963..b92bf01 100644
---- a/drivers/hid/hid-kye.c
-+++ b/drivers/hid/hid-kye.c
-@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- * - change the button usage range to 4-7 for the extra
- * buttons
- */
-- if (*rsize >= 74 &&
-+ if (*rsize >= 75 &&
- rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
- rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
- rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
-diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
-index a976f48..f91ff14 100644
---- a/drivers/hid/hid-lg.c
-+++ b/drivers/hid/hid-lg.c
-@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- struct usb_device_descriptor *udesc;
- __u16 bcdDevice, rev_maj, rev_min;
-
-- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
-+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
- rdesc[84] == 0x8c && rdesc[85] == 0x02) {
- hid_info(hdev,
- "fixing up Logitech keyboard report descriptor\n");
- rdesc[84] = rdesc[89] = 0x4d;
- rdesc[85] = rdesc[90] = 0x10;
- }
-- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
-+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
- rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
- rdesc[49] == 0x81 && rdesc[50] == 0x06) {
- hid_info(hdev,
-diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
-index 9e14c00..25daf28 100644
---- a/drivers/hid/hid-monterey.c
-+++ b/drivers/hid/hid-monterey.c
-@@ -24,7 +24,7 @@
- static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
-+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
- hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
- rdesc[30] = 0x0c;
- }
-diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
-index 736b250..6aca4f2 100644
---- a/drivers/hid/hid-petalynx.c
-+++ b/drivers/hid/hid-petalynx.c
-@@ -25,7 +25,7 @@
- static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
-+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
- rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
- rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
- hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
-diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
-index 87fc91e..91072fa 100644
---- a/drivers/hid/hid-sunplus.c
-+++ b/drivers/hid/hid-sunplus.c
-@@ -24,7 +24,7 @@
- static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
-+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
- rdesc[106] == 0x03) {
- hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
- rdesc[105] = rdesc[110] = 0x03;
---
-1.9.1
-
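Review bot: the header of this deleted patch carries only `Upstream-Status: Backport` and no upstream commit id, so the "already merged in 3.12.37-rt51" claim cannot be checked by hash for CVE-2014-3184. Two of the bounds move by more than one (`*rsize >= 60` to `>= 62` in hid-petalynx.c, `>= 107` to `>= 112` in hid-sunplus.c), so please verify all seven `*rsize` checks across the six drivers in the new tree and record the matching upstream commit in the commit message.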
diff --git a/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index aa5ca1b..0000000
--- a/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From 8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman" <ebiederm at xmission.com>
-Date: Mon, 28 Jul 2014 17:26:07 -0700
-Subject: [PATCH] mnt: Correct permission checks in do_remount
-
-commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.
-
-While invesgiating the issue where in "mount --bind -oremount,ro ..."
-would result in later "mount --bind -oremount,rw" succeeding even if
-the mount started off locked I realized that there are several
-additional mount flags that should be locked and are not.
-
-In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
-flags in addition to MNT_READONLY should all be locked. These
-flags are all per superblock, can all be changed with MS_BIND,
-and should not be changable if set by a more privileged user.
-
-The following additions to the current logic are added in this patch.
-- nosuid may not be clearable by a less privileged user.
-- nodev may not be clearable by a less privielged user.
-- noexec may not be clearable by a less privileged user.
-- atime flags may not be changeable by a less privileged user.
-
-The logic with atime is that always setting atime on access is a
-global policy and backup software and auditing software could break if
-atime bits are not updated (when they are configured to be updated),
-and serious performance degradation could result (DOS attack) if atime
-updates happen when they have been explicitly disabled. Therefore an
-unprivileged user should not be able to mess with the atime bits set
-by a more privileged user.
-
-The additional restrictions are implemented with the addition of
-MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
-mnt flags.
-
-Taken together these changes and the fixes for MNT_LOCK_READONLY
-should make it safe for an unprivileged user to create a user
-namespace and to call "mount --bind -o remount,... ..." without
-the danger of mount flags being changed maliciously.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Cc: stable at vger.kernel.org
-Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
-Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
- include/linux/mount.h | 5 +++++
- 2 files changed, 38 insertions(+), 3 deletions(-)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 8e90b03..7c67de8 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
-
- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
- /* Don't allow unprivileged users to change mount flags */
-- if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
-- mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
-+ if (flag & CL_UNPRIVILEGED) {
-+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
-+
-+ if (mnt->mnt.mnt_flags & MNT_READONLY)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
-+
-+ if (mnt->mnt.mnt_flags & MNT_NODEV)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
-+
-+ if (mnt->mnt.mnt_flags & MNT_NOSUID)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
-+
-+ if (mnt->mnt.mnt_flags & MNT_NOEXEC)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
-+ }
-
- /* Don't allow unprivileged users to reveal what is under a mount */
- if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
-@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
- !(mnt_flags & MNT_READONLY)) {
- return -EPERM;
- }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
-+ !(mnt_flags & MNT_NODEV)) {
-+ return -EPERM;
-+ }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
-+ !(mnt_flags & MNT_NOSUID)) {
-+ return -EPERM;
-+ }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
-+ !(mnt_flags & MNT_NOEXEC)) {
-+ return -EPERM;
-+ }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
-+ ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
-+ return -EPERM;
-+ }
-+
- err = security_sb_remount(sb, data);
- if (err)
- return err;
-@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
- */
- if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
- flags |= MS_NODEV;
-- mnt_flags |= MNT_NODEV;
-+ mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
- }
- }
-
-diff --git a/include/linux/mount.h b/include/linux/mount.h
-index 8707c9e..22e5b96 100644
---- a/include/linux/mount.h
-+++ b/include/linux/mount.h
-@@ -45,10 +45,15 @@ struct mnt_namespace;
- #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
- | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
- | MNT_READONLY)
-+#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
-
-
- #define MNT_INTERNAL 0x4000
-
-+#define MNT_LOCK_ATIME 0x040000
-+#define MNT_LOCK_NOEXEC 0x080000
-+#define MNT_LOCK_NOSUID 0x100000
-+#define MNT_LOCK_NODEV 0x200000
- #define MNT_LOCK_READONLY 0x400000
- #define MNT_LOCKED 0x800000
-
---
-1.9.1
-
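Review bot: the `MNT_LOCK_ATIME` test added to `do_remount()` here returns -EPERM whenever the requested atime bits differ from the current ones, and it is the deleted 0004 patch that makes a remount without atime flags keep the existing value, so the two changes have to be present together. Please confirm that the new revision contains both upstream commits 9566d6742852c527bf5af38af5cbb878dad75705 and ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e before the CVE-2014-5206/5207 series files are removed.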
diff --git a/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch b/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
deleted file mode 100644
index 1b4716d..0000000
--- a/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From e476841415c1b7b54e4118d8a219f5db71878675 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <dborkman at redhat.com>
-Date: Thu, 9 Oct 2014 22:55:33 +0200
-Subject: [PATCH] net: sctp: fix remote memory pressure from excessive queueing
-
-commit 26b87c7881006311828bb0ab271a551a62dcceb4 upstream.
-
-This scenario is not limited to ASCONF, just taken as one
-example triggering the issue. When receiving ASCONF probes
-in the form of ...
-
- -------------- INIT[ASCONF; ASCONF_ACK] ------------->
- <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
- -------------------- COOKIE-ECHO -------------------->
- <-------------------- COOKIE-ACK ---------------------
- ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
- [...]
- ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
-
-... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
-ASCONFs and have increasing serial numbers, we process such
-ASCONF chunk(s) marked with !end_of_packet and !singleton,
-since we have not yet reached the SCTP packet end. SCTP does
-only do verification on a chunk by chunk basis, as an SCTP
-packet is nothing more than just a container of a stream of
-chunks which it eats up one by one.
-
-We could run into the case that we receive a packet with a
-malformed tail, above marked as trailing JUNK. All previous
-chunks are here goodformed, so the stack will eat up all
-previous chunks up to this point. In case JUNK does not fit
-into a chunk header and there are no more other chunks in
-the input queue, or in case JUNK contains a garbage chunk
-header, but the encoded chunk length would exceed the skb
-tail, or we came here from an entirely different scenario
-and the chunk has pdiscard=1 mark (without having had a flush
-point), it will happen, that we will excessively queue up
-the association's output queue (a correct final chunk may
-then turn it into a response flood when flushing the
-queue ;)): I ran a simple script with incremental ASCONF
-serial numbers and could see the server side consuming
-excessive amount of RAM [before/after: up to 2GB and more].
-
-The issue at heart is that the chunk train basically ends
-with !end_of_packet and !singleton markers and since commit
-2e3216cd54b1 ("sctp: Follow security requirement of responding
-with 1 packet") therefore preventing an output queue flush
-point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
-chunk (chunk = event_arg) even though local_cork is set,
-but its precedence has changed since then. In the normal
-case, the last chunk with end_of_packet=1 would trigger the
-queue flush to accommodate possible outgoing bundling.
-
-In the input queue, sctp_inq_pop() seems to do the right thing
-in terms of discarding invalid chunks. So, above JUNK will
-not enter the state machine and instead be released and exit
-the sctp_assoc_bh_rcv() chunk processing loop. It's simply
-the flush point being missing at loop exit. Adding a try-flush
-approach on the output queue might not work as the underlying
-infrastructure might be long gone at this point due to the
-side-effect interpreter run.
-
-One possibility, albeit a bit of a kludge, would be to defer
-invalid chunk freeing into the state machine in order to
-possibly trigger packet discards and thus indirectly a queue
-flush on error. It would surely be better to discard chunks
-as in the current, perhaps better controlled environment, but
-going back and forth, it's simply architecturally not possible.
-I tried various trailing JUNK attack cases and it seems to
-look good now.
-
-Joint work with Vlad Yasevich.
-
-Fixes CVE-2014-3688
-Upstream-Status: Backport
-
-Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
-Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
-Signed-off-by: Vlad Yasevich <vyasevich at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Cc: Josh Boyer <jwboyer at fedoraproject.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- net/sctp/inqueue.c | 33 +++++++--------------------------
- net/sctp/sm_statefuns.c | 3 +++
- 2 files changed, 10 insertions(+), 26 deletions(-)
-
-diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
-index 5856932..560cd41 100644
---- a/net/sctp/inqueue.c
-+++ b/net/sctp/inqueue.c
-@@ -141,18 +141,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- } else {
- /* Nothing to do. Next chunk in the packet, please. */
- ch = (sctp_chunkhdr_t *) chunk->chunk_end;
--
- /* Force chunk->skb->data to chunk->chunk_end. */
-- skb_pull(chunk->skb,
-- chunk->chunk_end - chunk->skb->data);
--
-- /* Verify that we have at least chunk headers
-- * worth of buffer left.
-- */
-- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
-- sctp_chunk_free(chunk);
-- chunk = queue->in_progress = NULL;
-- }
-+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
-+ /* We are guaranteed to pull a SCTP header. */
- }
- }
-
-@@ -188,24 +179,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
- chunk->subh.v = NULL; /* Subheader is no longer valid. */
-
-- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
-+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
-+ skb_tail_pointer(chunk->skb)) {
- /* This is not a singleton */
- chunk->singleton = 0;
- } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
-- /* RFC 2960, Section 6.10 Bundling
-- *
-- * Partial chunks MUST NOT be placed in an SCTP packet.
-- * If the receiver detects a partial chunk, it MUST drop
-- * the chunk.
-- *
-- * Since the end of the chunk is past the end of our buffer
-- * (which contains the whole packet, we can freely discard
-- * the whole packet.
-- */
-- sctp_chunk_free(chunk);
-- chunk = queue->in_progress = NULL;
--
-- return NULL;
-+ /* Discard inside state machine. */
-+ chunk->pdiscard = 1;
-+ chunk->chunk_end = skb_tail_pointer(chunk->skb);
- } else {
- /* We are at the end of the packet, so mark the chunk
- * in case we need to send a SACK.
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index 1dbcc6a..62623cc 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -171,6 +171,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
- {
- __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
-
-+ /* Previously already marked? */
-+ if (unlikely(chunk->pdiscard))
-+ return 0;
- if (unlikely(chunk_length < required_length))
- return 0;
-
---
-1.9.1
-
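Review bot: `chunk->pdiscard` is set in `sctp_inq_pop()` and tested in `sctp_chunk_length_valid()` here, but the patch touches only net/sctp/inqueue.c and net/sctp/sm_statefuns.c and does not add that member, so it depends on another change being present. Please confirm that the new revision has upstream commit 26b87c7881006311828bb0ab271a551a62dcceb4 together with the change that introduces `pdiscard`, and name both in the commit message.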
diff --git a/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch b/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
deleted file mode 100644
index 2b70ec1..0000000
--- a/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From a428dc008e435c5a36b1288fb5b8c4b58472e28c Mon Sep 17 00:00:00 2001
-From: Hugh Dickins <hughd at google.com>
-Date: Wed, 23 Jul 2014 14:00:13 -0700
-Subject: [PATCH 3/3] shmem: fix splicing from a hole while it's punched
-
-commit b1a366500bd537b50c3aad26dc7df083ec03a448 upstream.
-
-shmem_fault() is the actual culprit in trinity's hole-punch starvation,
-and the most significant cause of such problems: since a page faulted is
-one that then appears page_mapped(), needing unmap_mapping_range() and
-i_mmap_mutex to be unmapped again.
-
-But it is not the only way in which a page can be brought into a hole in
-the radix_tree while that hole is being punched; and Vlastimil's testing
-implies that if enough other processors are busy filling in the hole,
-then shmem_undo_range() can be kept from completing indefinitely.
-
-shmem_file_splice_read() is the main other user of SGP_CACHE, which can
-instantiate shmem pagecache pages in the read-only case (without holding
-i_mutex, so perhaps concurrently with a hole-punch). Probably it's
-silly not to use SGP_READ already (using the ZERO_PAGE for holes): which
-ought to be safe, but might bring surprises - not a change to be rushed.
-
-shmem_read_mapping_page_gfp() is an internal interface used by
-drivers/gpu/drm GEM (and next by uprobes): it should be okay. And
-shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when
-called internally by the kernel (perhaps for a stacking filesystem,
-which might rely on holes to be reserved): it's unclear whether it could
-be provoked to keep hole-punch busy or not.
-
-We could apply the same umbrella as now used in shmem_fault() to
-shmem_file_splice_read() and the others; but it looks ugly, and use over
-a range raises questions - should it actually be per page? can these get
-starved themselves?
-
-The origin of this part of the problem is my v3.1 commit d0823576bf4b
-("mm: pincer in truncate_inode_pages_range"), once it was duplicated
-into shmem.c. It seemed like a nice idea at the time, to ensure
-(barring RCU lookup fuzziness) that there's an instant when the entire
-hole is empty; but the indefinitely repeated scans to ensure that make
-it vulnerable.
-
-Revert that "enhancement" to hole-punch from shmem_undo_range(), but
-retain the unproblematic rescanning when it's truncating; add a couple
-of comments there.
-
-Remove the "indices[0] >= end" test: that is now handled satisfactorily
-by the inner loop, and mem_cgroup_uncharge_start()/end() are too light
-to be worth avoiding here.
-
-But if we do not always loop indefinitely, we do need to handle the case
-of swap swizzled back to page before shmem_free_swap() gets it: add a
-retry for that case, as suggested by Konstantin Khlebnikov; and for the
-case of page swizzled back to swap, as suggested by Johannes Weiner.
-
-Upstream-Status: Backport
-
-Signed-off-by: Hugh Dickins <hughd at google.com>
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Suggested-by: Vlastimil Babka <vbabka at suse.cz>
-Cc: Konstantin Khlebnikov <koct9i at gmail.com>
-Cc: Johannes Weiner <hannes at cmpxchg.org>
-Cc: Lukas Czerner <lczerner at redhat.com>
-Cc: Dave Jones <davej at redhat.com>
-Cc: <stable at vger.kernel.org> [3.1+]
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- mm/shmem.c | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 6f5626f..0da81aa 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -534,22 +534,19 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- return;
-
- index = start;
-- for ( ; ; ) {
-+ while (index < end) {
- cond_resched();
- pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
- min(end - index, (pgoff_t)PAGEVEC_SIZE),
- pvec.pages, indices);
- if (!pvec.nr) {
-- if (index == start || unfalloc)
-+ /* If all gone or hole-punch or unfalloc, we're done */
-+ if (index == start || end != -1)
- break;
-+ /* But if truncating, restart to make sure all gone */
- index = start;
- continue;
- }
-- if ((index == start || unfalloc) && indices[0] >= end) {
-- shmem_deswap_pagevec(&pvec);
-- pagevec_release(&pvec);
-- break;
-- }
- mem_cgroup_uncharge_start();
- for (i = 0; i < pagevec_count(&pvec); i++) {
- struct page *page = pvec.pages[i];
-@@ -561,8 +558,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- if (radix_tree_exceptional_entry(page)) {
- if (unfalloc)
- continue;
-- nr_swaps_freed += !shmem_free_swap(mapping,
-- index, page);
-+ if (shmem_free_swap(mapping, index, page)) {
-+ /* Swap was replaced by page: retry */
-+ index--;
-+ break;
-+ }
-+ nr_swaps_freed++;
- continue;
- }
-
-@@ -571,6 +572,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- if (page->mapping == mapping) {
- VM_BUG_ON(PageWriteback(page));
- truncate_inode_page(mapping, page);
-+ } else {
-+ /* Page was replaced by swap: retry */
-+ unlock_page(page);
-+ index--;
-+ break;
- }
- }
- unlock_page(page);
---
-1.9.1
-
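Review bot: the message of this deleted patch never names a CVE; the only link to CVE-2014-4171 is the file name, and the subject marks it as 3/3 of a series. Once the file is gone that mapping is lost, so please list in the commit message which upstream commit covers each dropped CVE file (here b1a366500bd537b50c3aad26dc7df083ec03a448) and confirm that all parts of the series are in the new revision.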
diff --git a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
deleted file mode 100644
index 0820807..0000000
--- a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
-From: James Forshaw <forshaw at google.com>
-Date: Sat, 23 Aug 2014 14:39:48 -0700
-Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
- response
-
-This patch fixes a potential security issue in the whiteheat USB driver
-which might allow a local attacker to cause kernel memory corrpution. This
-is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
-EHCI and XHCI busses it's possible to craft responses greater than 64
-bytes leading a buffer overflow.
-
-This fixes CVE-2014-3185
-Upstream-Status: Backport
-
-Signed-off-by: James Forshaw <forshaw at google.com>
-Cc: stable <stable at vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- drivers/usb/serial/whiteheat.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
-index e62f2df..6c3734d 100644
---- a/drivers/usb/serial/whiteheat.c
-+++ b/drivers/usb/serial/whiteheat.c
-@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
- dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
- return;
- }
-+ if (!urb->actual_length) {
-+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
-+ return;
-+ }
- if (status) {
- dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
- if (status != -ENOENT)
-@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
- /* These are unsolicited reports from the firmware, hence no
- waiting command to wakeup */
- dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
-- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
-+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
-+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
- memcpy(command_info->result_buffer, &data[1],
- urb->actual_length - 1);
- command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
---
-1.9.1
-
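Review bot: both additions in this deleted backport are needed together: the `!urb->actual_length` return runs before `data[0]` is examined, and the `urb->actual_length - 1 <= sizeof(command_info->result_buffer)` test is what bounds the `memcpy()`. The patch header has no upstream commit id, so please check drivers/usb/serial/whiteheat.c in the new revision for both and note the result for CVE-2014-3185 in the commit message.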
diff --git a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index 8cd4b13..0000000
--- a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman" <ebiederm at xmission.com>
-Date: Mon, 28 Jul 2014 17:36:04 -0700
-Subject: [PATCH] mnt: Change the default remount atime from relatime to the
- existing value
-
-commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
-
-Since March 2009 the kernel has treated the state that if no
-MS_..ATIME flags are passed then the kernel defaults to relatime.
-
-Defaulting to relatime instead of the existing atime state during a
-remount is silly, and causes problems in practice for people who don't
-specify any MS_...ATIME flags and to get the default filesystem atime
-setting. Those users may encounter a permission error because the
-default atime setting does not work.
-
-A default that does not work and causes permission problems is
-ridiculous, so preserve the existing value to have a default
-atime setting that is always guaranteed to work.
-
-Using the default atime setting in this way is particularly
-interesting for applications built to run in restricted userspace
-environments without /proc mounted, as the existing atime mount
-options of a filesystem can not be read from /proc/mounts.
-
-In practice this fixes user space that uses the default atime
-setting on remount that are broken by the permission checks
-keeping less privileged users from changing more privileged users
-atime settings.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
-Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/namespace.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 7c67de8..4ea2b73 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name,
- if (flags & MS_RDONLY)
- mnt_flags |= MNT_READONLY;
-
-+ /* The default atime for remount is preservation */
-+ if ((flags & MS_REMOUNT) &&
-+ ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
-+ MS_STRICTATIME)) == 0)) {
-+ mnt_flags &= ~MNT_ATIME_MASK;
-+ mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK;
-+ }
-+
- flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
- MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
- MS_STRICTATIME);
---
-1.9.1
-
diff --git a/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index caa89db..0000000
--- a/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,324 +0,0 @@
-From 4194b9700ce41ff2f7031aa0c6108c2539028ab5 Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman" <ebiederm at xmission.com>
-Date: Tue, 29 Jul 2014 15:50:44 -0700
-Subject: [PATCH] mnt: Add tests for unprivileged remount cases that have found
- to be faulty
-
-commit db181ce011e3c033328608299cd6fac06ea50130 upstream.
-
-Kenton Varda <kenton at sandstorm.io> discovered that by remounting a
-read-only bind mount read-only in a user namespace the
-MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
-to the remount a read-only mount read-write.
-
-Upon review of the code in remount it was discovered that the code allowed
-nosuid, noexec, and nodev to be cleared. It was also discovered that
-the code was allowing the per mount atime flags to be changed.
-
-The first naive patch to fix these issues contained the flaw that using
-default atime settings when remounting a filesystem could be disallowed.
-
-To avoid this problems in the future add tests to ensure unprivileged
-remounts are succeeding and failing at the appropriate times.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
-Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- tools/testing/selftests/Makefile | 1 +
- tools/testing/selftests/mount/Makefile | 17 ++
- .../selftests/mount/unprivileged-remount-test.c | 242 +++++++++++++++++++++
- 3 files changed, 260 insertions(+)
- create mode 100644 tools/testing/selftests/mount/Makefile
- create mode 100644 tools/testing/selftests/mount/unprivileged-remount-test.c
-
-diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
-index 9f3eae2..2d9ab94 100644
---- a/tools/testing/selftests/Makefile
-+++ b/tools/testing/selftests/Makefile
-@@ -4,6 +4,7 @@ TARGETS += efivarfs
- TARGETS += kcmp
- TARGETS += memory-hotplug
- TARGETS += mqueue
-+TARGETS += mount
- TARGETS += net
- TARGETS += ptrace
- TARGETS += timers
-diff --git a/tools/testing/selftests/mount/Makefile b/tools/testing/selftests/mount/Makefile
-new file mode 100644
-index 0000000..337d853
---- /dev/null
-+++ b/tools/testing/selftests/mount/Makefile
-@@ -0,0 +1,17 @@
-+# Makefile for mount selftests.
-+
-+all: unprivileged-remount-test
-+
-+unprivileged-remount-test: unprivileged-remount-test.c
-+ gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
-+
-+# Allow specific tests to be selected.
-+test_unprivileged_remount: unprivileged-remount-test
-+ @if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
-+
-+run_tests: all test_unprivileged_remount
-+
-+clean:
-+ rm -f unprivileged-remount-test
-+
-+.PHONY: all test_unprivileged_remount
-diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c
-new file mode 100644
-index 0000000..1b3ff2f
---- /dev/null
-+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c
-@@ -0,0 +1,242 @@
-+#define _GNU_SOURCE
-+#include <sched.h>
-+#include <stdio.h>
-+#include <errno.h>
-+#include <string.h>
-+#include <sys/types.h>
-+#include <sys/mount.h>
-+#include <sys/wait.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+#include <grp.h>
-+#include <stdbool.h>
-+#include <stdarg.h>
-+
-+#ifndef CLONE_NEWNS
-+# define CLONE_NEWNS 0x00020000
-+#endif
-+#ifndef CLONE_NEWUTS
-+# define CLONE_NEWUTS 0x04000000
-+#endif
-+#ifndef CLONE_NEWIPC
-+# define CLONE_NEWIPC 0x08000000
-+#endif
-+#ifndef CLONE_NEWNET
-+# define CLONE_NEWNET 0x40000000
-+#endif
-+#ifndef CLONE_NEWUSER
-+# define CLONE_NEWUSER 0x10000000
-+#endif
-+#ifndef CLONE_NEWPID
-+# define CLONE_NEWPID 0x20000000
-+#endif
-+
-+#ifndef MS_RELATIME
-+#define MS_RELATIME (1 << 21)
-+#endif
-+#ifndef MS_STRICTATIME
-+#define MS_STRICTATIME (1 << 24)
-+#endif
-+
-+static void die(char *fmt, ...)
-+{
-+ va_list ap;
-+ va_start(ap, fmt);
-+ vfprintf(stderr, fmt, ap);
-+ va_end(ap);
-+ exit(EXIT_FAILURE);
-+}
-+
-+static void write_file(char *filename, char *fmt, ...)
-+{
-+ char buf[4096];
-+ int fd;
-+ ssize_t written;
-+ int buf_len;
-+ va_list ap;
-+
-+ va_start(ap, fmt);
-+ buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
-+ va_end(ap);
-+ if (buf_len < 0) {
-+ die("vsnprintf failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (buf_len >= sizeof(buf)) {
-+ die("vsnprintf output truncated\n");
-+ }
-+
-+ fd = open(filename, O_WRONLY);
-+ if (fd < 0) {
-+ die("open of %s failed: %s\n",
-+ filename, strerror(errno));
-+ }
-+ written = write(fd, buf, buf_len);
-+ if (written != buf_len) {
-+ if (written >= 0) {
-+ die("short write to %s\n", filename);
-+ } else {
-+ die("write to %s failed: %s\n",
-+ filename, strerror(errno));
-+ }
-+ }
-+ if (close(fd) != 0) {
-+ die("close of %s failed: %s\n",
-+ filename, strerror(errno));
-+ }
-+}
-+
-+static void create_and_enter_userns(void)
-+{
-+ uid_t uid;
-+ gid_t gid;
-+
-+ uid = getuid();
-+ gid = getgid();
-+
-+ if (unshare(CLONE_NEWUSER) !=0) {
-+ die("unshare(CLONE_NEWUSER) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ write_file("/proc/self/uid_map", "0 %d 1", uid);
-+ write_file("/proc/self/gid_map", "0 %d 1", gid);
-+
-+ if (setgroups(0, NULL) != 0) {
-+ die("setgroups failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (setgid(0) != 0) {
-+ die ("setgid(0) failed %s\n",
-+ strerror(errno));
-+ }
-+ if (setuid(0) != 0) {
-+ die("setuid(0) failed %s\n",
-+ strerror(errno));
-+ }
-+}
-+
-+static
-+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
-+{
-+ pid_t child;
-+
-+ child = fork();
-+ if (child == -1) {
-+ die("fork failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (child != 0) { /* parent */
-+ pid_t pid;
-+ int status;
-+ pid = waitpid(child, &status, 0);
-+ if (pid == -1) {
-+ die("waitpid failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (pid != child) {
-+ die("waited for %d got %d\n",
-+ child, pid);
-+ }
-+ if (!WIFEXITED(status)) {
-+ die("child did not terminate cleanly\n");
-+ }
-+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
-+ }
-+
-+ create_and_enter_userns();
-+ if (unshare(CLONE_NEWNS) != 0) {
-+ die("unshare(CLONE_NEWNS) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
-+ die("mount of /tmp failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ create_and_enter_userns();
-+
-+ if (unshare(CLONE_NEWNS) != 0) {
-+ die("unshare(CLONE_NEWNS) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ if (mount("/tmp", "/tmp", "none",
-+ MS_REMOUNT | MS_BIND | remount_flags, NULL) != 0) {
-+ /* system("cat /proc/self/mounts"); */
-+ die("remount of /tmp failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ if (mount("/tmp", "/tmp", "none",
-+ MS_REMOUNT | MS_BIND | invalid_flags, NULL) == 0) {
-+ /* system("cat /proc/self/mounts"); */
-+ die("remount of /tmp with invalid flags "
-+ "succeeded unexpectedly\n");
-+ }
-+ exit(EXIT_SUCCESS);
-+}
-+
-+static bool test_unpriv_remount_simple(int mount_flags)
-+{
-+ return test_unpriv_remount(mount_flags, mount_flags, 0);
-+}
-+
-+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
-+{
-+ return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
-+}
-+
-+int main(int argc, char **argv)
-+{
-+ if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
-+ die("MS_RDONLY malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_simple(MS_NODEV)) {
-+ die("MS_NODEV malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
-+ die("MS_NOSUID malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
-+ die("MS_NOEXEC malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_STRICTATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
-+ MS_STRICTATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
-+ MS_STRICTATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("Default atime malfunctions\n");
-+ }
-+ return EXIT_SUCCESS;
-+}
---
-1.9.1
-
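Review bot: This deleted file adds only tools/testing/selftests/mount and no kernel code, so after the removal the regression check for unprivileged remount exists only if f488de6 ships the selftest itself; please confirm that it does. Two things to keep in mind when running it on a target: the test_unprivileged_remount rule runs the binary only if /proc/self/uid_map exists, so on a kernel without that file run_tests passes without testing anything, and in main() the cases that mount with MS_NOATIME, MS_STRICTATIME|MS_NODIRATIME and MS_NOATIME|MS_NODIRATIME all report "MS_RELATIME malfunctions", so a failure has to be read against the flags passed rather than the message.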
diff --git a/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch b/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
deleted file mode 100644
index 7d16535..0000000
--- a/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-CVE-2014-5077 Kernel/SCTP: fix a NULL pointer dereference
-
-A NULL pointer dereference flaw was found in the way the
-Linux kernel's Stream Control Transmission Protocol
-(SCTP) implementation handled simultaneous connections
-between the same hosts. A remote attacker could use this
-flaw to crash the system.
-
-Upstream-Status: Backport (from v3.16, commit 1be9a950c646c)
-
-References:
- - https://access.redhat.com/security/cve/CVE-2014-5077
- - http://patchwork.ozlabs.org/patch/372475/
-
-Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
-Reported-by: Jason Gunthorpe <jgunthorpe at obsidianresearch.com>
-Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
-Tested-by: Jason Gunthorpe <jgunthorpe at obsidianresearch.com>
-Cc: Vlad Yasevich <vyasevich at gmail.com>
-Acked-by: Vlad Yasevich <vyasevich at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan at enea.com>
----
- net/sctp/associola.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/sctp/associola.c b/net/sctp/associola.c
-index 9de23a2..06a9ee6 100644
---- a/net/sctp/associola.c
-+++ b/net/sctp/associola.c
-@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
- asoc->c = new->c;
- asoc->peer.rwnd = new->peer.rwnd;
- asoc->peer.sack_needed = new->peer.sack_needed;
-+ asoc->peer.auth_capable = new->peer.auth_capable;
- asoc->peer.i = new->peer.i;
- sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
- asoc->peer.i.initial_tsn, GFP_ATOMIC);
---
-1.9.1
-
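Review bot: The origin recorded in this header, "Backport (from v3.16, commit 1be9a950c646c)", is a mainline id, so it will not appear as a commit of its own in the 3.12 history; search the log text for it or check by content instead. sctp_assoc_update() in net/sctp/associola.c at f488de6 should assign asoc->peer.auth_capable = new->peer.auth_capable next to the sack_needed copy. The header describes a crash that a remote attacker can trigger, so a line in the commit message stating that this was verified would be worth having.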
diff --git a/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch b/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
deleted file mode 100644
index 65107d6..0000000
--- a/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-From 4488e1f5ef40441c9846b1d0a29152c208a05e66 Mon Sep 17 00:00:00 2001
-From: Jan Kara <jack at suse.cz>
-Date: Sun, 17 Aug 2014 11:49:57 +0200
-Subject: [PATCH] isofs: Fix unbounded recursion when processing relocated
- directories
-
-commit 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4 upstream.
-
-We did not check relocated directory in any way when processing Rock
-Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
-entry pointing to another CL entry leading to possibly unbounded
-recursion in kernel code and thus stack overflow or deadlocks (if there
-is a loop created from CL entries).
-
-Fix the problem by not allowing CL entry to point to a directory entry
-with CL entry (such use makes no good sense anyway) and by checking
-whether CL entry doesn't point to itself.
-
-Upstream status: backported (from v3.12 e4ca8b780c82c04ec0)
-
-Reported-by: Chris Evans <cevans at google.com>
-Signed-off-by: Jan Kara <jack at suse.cz>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/isofs/inode.c | 15 ++++++++-------
- fs/isofs/isofs.h | 23 +++++++++++++++++++----
- fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++-----------
- 3 files changed, 55 insertions(+), 22 deletions(-)
-
-diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
-index e5d408a..2e2af97 100644
---- a/fs/isofs/inode.c
-+++ b/fs/isofs/inode.c
-@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb)
- return;
- }
-
--static int isofs_read_inode(struct inode *);
-+static int isofs_read_inode(struct inode *, int relocated);
- static int isofs_statfs (struct dentry *, struct kstatfs *);
-
- static struct kmem_cache *isofs_inode_cachep;
-@@ -1258,7 +1258,7 @@ out_toomany:
- goto out;
- }
-
--static int isofs_read_inode(struct inode *inode)
-+static int isofs_read_inode(struct inode *inode, int relocated)
- {
- struct super_block *sb = inode->i_sb;
- struct isofs_sb_info *sbi = ISOFS_SB(sb);
-@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode)
- */
-
- if (!high_sierra) {
-- parse_rock_ridge_inode(de, inode);
-+ parse_rock_ridge_inode(de, inode, relocated);
- /* if we want uid/gid set, override the rock ridge setting */
- if (sbi->s_uid_set)
- inode->i_uid = sbi->s_uid;
-@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data)
- * offset that point to the underlying meta-data for the inode. The
- * code below is otherwise similar to the iget() code in
- * include/linux/fs.h */
--struct inode *isofs_iget(struct super_block *sb,
-- unsigned long block,
-- unsigned long offset)
-+struct inode *__isofs_iget(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset,
-+ int relocated)
- {
- unsigned long hashval;
- struct inode *inode;
-@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb,
- return ERR_PTR(-ENOMEM);
-
- if (inode->i_state & I_NEW) {
-- ret = isofs_read_inode(inode);
-+ ret = isofs_read_inode(inode, relocated);
- if (ret < 0) {
- iget_failed(inode);
- inode = ERR_PTR(ret);
-diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
-index 9916723..0ac4c1f 100644
---- a/fs/isofs/isofs.h
-+++ b/fs/isofs/isofs.h
-@@ -107,7 +107,7 @@ extern int iso_date(char *, int);
-
- struct inode; /* To make gcc happy */
-
--extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *);
-+extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated);
- extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *);
- extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *);
-
-@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int
- extern struct buffer_head *isofs_bread(struct inode *, sector_t);
- extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long);
-
--extern struct inode *isofs_iget(struct super_block *sb,
-- unsigned long block,
-- unsigned long offset);
-+struct inode *__isofs_iget(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset,
-+ int relocated);
-+
-+static inline struct inode *isofs_iget(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset)
-+{
-+ return __isofs_iget(sb, block, offset, 0);
-+}
-+
-+static inline struct inode *isofs_iget_reloc(struct super_block *sb,
-+ unsigned long block,
-+ unsigned long offset)
-+{
-+ return __isofs_iget(sb, block, offset, 1);
-+}
-
- /* Because the inode number is no longer relevant to finding the
- * underlying meta-data for an inode, we are free to choose a more
-diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index c0bf424..f488bba 100644
---- a/fs/isofs/rock.c
-+++ b/fs/isofs/rock.c
-@@ -288,12 +288,16 @@ eio:
- goto out;
- }
-
-+#define RR_REGARD_XA 1
-+#define RR_RELOC_DE 2
-+
- static int
- parse_rock_ridge_inode_internal(struct iso_directory_record *de,
-- struct inode *inode, int regard_xa)
-+ struct inode *inode, int flags)
- {
- int symlink_len = 0;
- int cnt, sig;
-+ unsigned int reloc_block;
- struct inode *reloc;
- struct rock_ridge *rr;
- int rootflag;
-@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
-
- init_rock_state(&rs, inode);
- setup_rock_ridge(de, inode, &rs);
-- if (regard_xa) {
-+ if (flags & RR_REGARD_XA) {
- rs.chr += 14;
- rs.len -= 14;
- if (rs.len < 0)
-@@ -485,12 +489,22 @@ repeat:
- "relocated directory\n");
- goto out;
- case SIG('C', 'L'):
-- ISOFS_I(inode)->i_first_extent =
-- isonum_733(rr->u.CL.location);
-- reloc =
-- isofs_iget(inode->i_sb,
-- ISOFS_I(inode)->i_first_extent,
-- 0);
-+ if (flags & RR_RELOC_DE) {
-+ printk(KERN_ERR
-+ "ISOFS: Recursive directory relocation "
-+ "is not supported\n");
-+ goto eio;
-+ }
-+ reloc_block = isonum_733(rr->u.CL.location);
-+ if (reloc_block == ISOFS_I(inode)->i_iget5_block &&
-+ ISOFS_I(inode)->i_iget5_offset == 0) {
-+ printk(KERN_ERR
-+ "ISOFS: Directory relocation points to "
-+ "itself\n");
-+ goto eio;
-+ }
-+ ISOFS_I(inode)->i_first_extent = reloc_block;
-+ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0);
- if (IS_ERR(reloc)) {
- ret = PTR_ERR(reloc);
- goto out;
-@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit)
- return rpnt;
- }
-
--int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
-+int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode,
-+ int relocated)
- {
-- int result = parse_rock_ridge_inode_internal(de, inode, 0);
-+ int flags = relocated ? RR_RELOC_DE : 0;
-+ int result = parse_rock_ridge_inode_internal(de, inode, flags);
-
- /*
- * if rockridge flag was reset and we didn't look for attributes
-@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
- */
- if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1)
- && (ISOFS_SB(inode->i_sb)->s_rock == 2)) {
-- result = parse_rock_ridge_inode_internal(de, inode, 14);
-+ result = parse_rock_ridge_inode_internal(de, inode,
-+ flags | RR_REGARD_XA);
- }
- return result;
- }
---
-1.9.1
-
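Review bot: The provenance line in this header is spelled "Upstream status: backported (from v3.12 e4ca8b780c82c04ec0)" while the other patch headers in this change use the "Upstream-Status:" tag, so a list of removed CVE fixes built by searching for that tag misses CVE-2014-5471/CVE-2014-5472. For the verification, the fix has two separate checks in the SIG('C', 'L') case of parse_rock_ridge_inode_internal(), the RR_RELOC_DE refusal and the comparison of reloc_block against i_iget5_block, plus the relocated argument carried through isofs_read_inode() and __isofs_iget(); all of them should be present in fs/isofs at f488de6.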
diff --git a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
deleted file mode 100644
index 1ae600f..0000000
--- a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-fs: umount on symlink leaks mnt count
-
-commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream.
-
-Currently umount on symlink blocks following umount:
-
-/vz is separate mount
-
-drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
-lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
-umount: /vz/testlink: not mounted (expected)
-
-umount: /vz: device is busy. (unexpected)
-
-In this case mountpoint_last() gets an extra refcount on path->mnt
-
-Upstream-Status: Backport
-
-Signed-off-by: Vasily Averin <vvs at openvz.org>
-Acked-by: Ian Kent <raven at themaw.net>
-Acked-by: Jeff Layton <jlayton at primarydata.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: Christoph Hellwig <hch at lst.de>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/namei.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index 187cacf..c199dcc 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -2280,9 +2280,10 @@ done:
- goto out;
- }
- path->dentry = dentry;
-- path->mnt = mntget(nd->path.mnt);
-+ path->mnt = nd->path.mnt;
- if (should_follow_link(dentry->d_inode, nd->flags & LOOKUP_FOLLOW))
- return 1;
-+ mntget(path->mnt);
- follow_mount(path);
- error = 0;
- out:
---
-1.9.1
-
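Review bot: This header has no From, Date or Subject lines and never mentions CVE-2014-5045 in its body, so once the file is gone the only record tying upstream commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 to that CVE is the file name in this diff; suggest listing the dropped CVE ids in the commit message. The header also contains a reproduction (umount of a symlink that points into a separate mount, after which umount of the mount itself reports "device is busy"), which makes a cheap smoke test on a target built from f488de6.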
diff --git a/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch b/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
deleted file mode 100644
index a0bdc27..0000000
--- a/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 6004b0e5ac2e8e9e1bb0f012dc9242e03cca95df Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto at amacapital.net>
-Date: Wed, 28 May 2014 23:09:58 -0400
-Subject: [PATCH] auditsc: audit_krule mask accesses need bounds checking
-
-commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream.
-
-Fixes an easy DoS and possible information disclosure.
-
-This does nothing about the broken state of x32 auditing.
-
-eparis: If the admin has enabled auditd and has specifically loaded
-audit rules. This bug has been around since before git. Wow...
-
-This fixes CVE-2014-3917
-Upstream-Status: Backport
-
-Signed-off-by: Andy Lutomirski <luto at amacapital.net>
-Signed-off-by: Eric Paris <eparis at redhat.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- kernel/auditsc.c | 27 ++++++++++++++++++---------
- 1 file changed, 18 insertions(+), 9 deletions(-)
-
-diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 3b79a47..979c00b 100644
---- a/kernel/auditsc.c
-+++ b/kernel/auditsc.c
-@@ -733,6 +733,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
- return AUDIT_BUILD_CONTEXT;
- }
-
-+static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
-+{
-+ int word, bit;
-+
-+ if (val > 0xffffffff)
-+ return false;
-+
-+ word = AUDIT_WORD(val);
-+ if (word >= AUDIT_BITMASK_SIZE)
-+ return false;
-+
-+ bit = AUDIT_BIT(val);
-+
-+ return rule->mask[word] & bit;
-+}
-+
- /* At syscall entry and exit time, this filter is called if the
- * audit_state is not low enough that auditing cannot take place, but is
- * also not high enough that we already know we have to write an audit
-@@ -750,11 +766,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
-
- rcu_read_lock();
- if (!list_empty(list)) {
-- int word = AUDIT_WORD(ctx->major);
-- int bit = AUDIT_BIT(ctx->major);
--
- list_for_each_entry_rcu(e, list, list) {
-- if ((e->rule.mask[word] & bit) == bit &&
-+ if (audit_in_mask(&e->rule, ctx->major) &&
- audit_filter_rules(tsk, &e->rule, ctx, NULL,
- &state, false)) {
- rcu_read_unlock();
-@@ -774,20 +787,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
- static int audit_filter_inode_name(struct task_struct *tsk,
- struct audit_names *n,
- struct audit_context *ctx) {
-- int word, bit;
- int h = audit_hash_ino((u32)n->ino);
- struct list_head *list = &audit_inode_hash[h];
- struct audit_entry *e;
- enum audit_state state;
-
-- word = AUDIT_WORD(ctx->major);
-- bit = AUDIT_BIT(ctx->major);
--
- if (list_empty(list))
- return 0;
-
- list_for_each_entry_rcu(e, list, list) {
-- if ((e->rule.mask[word] & bit) == bit &&
-+ if (audit_in_mask(&e->rule, ctx->major) &&
- audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
- ctx->current_state = state;
- return 1;
---
-1.9.1
-
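Review bot: Of the two bounds checks in audit_in_mask(), the first, val > 0xffffffff, can never be true where unsigned long is 32 bits wide, so on 32-bit targets the word >= AUDIT_BITMASK_SIZE test is the only one that keeps rule->mask[word] in range. When confirming that kernel/auditsc.c at f488de6 carries this fix, check for that second test specifically, and check that both audit_filter_syscall() and audit_filter_inode_name() go through audit_in_mask() instead of indexing e->rule.mask with AUDIT_WORD(ctx->major) directly.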
diff --git a/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
deleted file mode 100644
index 0cd9c95..0000000
--- a/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
-From: Michael Halcrow <mhalcrow at google.com>
-Date: Wed, 26 Nov 2014 09:09:16 -0800
-Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
- decode routine
-
-commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
-
-Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
-end of the allocated buffer during encrypted filename decoding. This
-fix corrects the issue by getting rid of the unnecessary 0 write when
-the current bit offset is 2.
-
-Fixes CVE-2014-9683
-Upstream-Status: Backport
-
-Signed-off-by: Michael Halcrow <mhalcrow at google.com>
-Reported-by: Dmitry Chernenkov <dmitryc at google.com>
-Suggested-by: Kees Cook <keescook at chromium.org>
-Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/ecryptfs/crypto.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
-index 000eae2..bf926f7 100644
---- a/fs/ecryptfs/crypto.c
-+++ b/fs/ecryptfs/crypto.c
-@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
- break;
- case 2:
- dst[dst_byte_offset++] |= (src_byte);
-- dst[dst_byte_offset] = 0;
- current_bit_offset = 0;
- break;
- }
---
-1.9.1
-
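Review bot: The whole fix here is the removal of one line, dst[dst_byte_offset] = 0; in case 2 of ecryptfs_decode_from_filename(), so there is no added symbol to search for in the new tree. A reverse dry run of each dropped patch against the f488de6 checkout (git apply --reverse --check with the patch file) tests whether its change is present; a failure there needs a manual look, since the context may have shifted. It would be good to state in the commit message that this was done for all removed files.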
diff --git a/recipes-kernel/linux/files/fs-CVE-2014-4014.patch b/recipes-kernel/linux/files/fs-CVE-2014-4014.patch
deleted file mode 100644
index a61ae4c..0000000
--- a/recipes-kernel/linux/files/fs-CVE-2014-4014.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 2246a472bce19c0d373fb5488a0e612e3328ce0a Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto at amacapital.net>
-Date: Tue, 10 Jun 2014 12:45:42 -0700
-Subject: [PATCH] fs,userns: Change inode_capable to capable_wrt_inode_uidgid
-
-commit 23adbe12ef7d3d4195e80800ab36b37bee28cd03 upstream.
-
-The kernel has no concept of capabilities with respect to inodes; inodes
-exist independently of namespaces. For example, inode_capable(inode,
-CAP_LINUX_IMMUTABLE) would be nonsense.
-
-This patch changes inode_capable to check for uid and gid mappings and
-renames it to capable_wrt_inode_uidgid, which should make it more
-obvious what it does.
-
-Fixes CVE-2014-4014.
-Upstream-Status: Backport
-
-Cc: Theodore Ts'o <tytso at mit.edu>
-Cc: Serge Hallyn <serge.hallyn at ubuntu.com>
-Cc: "Eric W. Biederman" <ebiederm at xmission.com>
-Cc: Dave Chinner <david at fromorbit.com>
-Signed-off-by: Andy Lutomirski <luto at amacapital.net>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/attr.c | 8 ++++----
- fs/inode.c | 10 +++++++---
- fs/namei.c | 11 ++++++-----
- fs/xfs/xfs_ioctl.c | 2 +-
- include/linux/capability.h | 2 +-
- kernel/capability.c | 20 ++++++++------------
- 6 files changed, 27 insertions(+), 26 deletions(-)
-
-diff --git a/fs/attr.c b/fs/attr.c
-index 8dd5825..66fa625 100644
---- a/fs/attr.c
-+++ b/fs/attr.c
-@@ -50,14 +50,14 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
- if ((ia_valid & ATTR_UID) &&
- (!uid_eq(current_fsuid(), inode->i_uid) ||
- !uid_eq(attr->ia_uid, inode->i_uid)) &&
-- !inode_capable(inode, CAP_CHOWN))
-+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
- return -EPERM;
-
- /* Make sure caller can chgrp. */
- if ((ia_valid & ATTR_GID) &&
- (!uid_eq(current_fsuid(), inode->i_uid) ||
- (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
-- !inode_capable(inode, CAP_CHOWN))
-+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
- return -EPERM;
-
- /* Make sure a caller can chmod. */
-@@ -67,7 +67,7 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
- /* Also check the setgid bit! */
- if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
- inode->i_gid) &&
-- !inode_capable(inode, CAP_FSETID))
-+ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
- attr->ia_mode &= ~S_ISGID;
- }
-
-@@ -160,7 +160,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr)
- umode_t mode = attr->ia_mode;
-
- if (!in_group_p(inode->i_gid) &&
-- !inode_capable(inode, CAP_FSETID))
-+ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
- mode &= ~S_ISGID;
- inode->i_mode = mode;
- }
-diff --git a/fs/inode.c b/fs/inode.c
-index b33ba8e..1e6e846 100644
---- a/fs/inode.c
-+++ b/fs/inode.c
-@@ -1808,14 +1808,18 @@ EXPORT_SYMBOL(inode_init_owner);
- * inode_owner_or_capable - check current task permissions to inode
- * @inode: inode being checked
- *
-- * Return true if current either has CAP_FOWNER to the inode, or
-- * owns the file.
-+ * Return true if current either has CAP_FOWNER in a namespace with the
-+ * inode owner uid mapped, or owns the file.
- */
- bool inode_owner_or_capable(const struct inode *inode)
- {
-+ struct user_namespace *ns;
-+
- if (uid_eq(current_fsuid(), inode->i_uid))
- return true;
-- if (inode_capable(inode, CAP_FOWNER))
-+
-+ ns = current_user_ns();
-+ if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
- return true;
- return false;
- }
-diff --git a/fs/namei.c b/fs/namei.c
-index 187cacf..338d08b 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -321,10 +321,11 @@ int generic_permission(struct inode *inode, int mask)
-
- if (S_ISDIR(inode->i_mode)) {
- /* DACs are overridable for directories */
-- if (inode_capable(inode, CAP_DAC_OVERRIDE))
-+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
- return 0;
- if (!(mask & MAY_WRITE))
-- if (inode_capable(inode, CAP_DAC_READ_SEARCH))
-+ if (capable_wrt_inode_uidgid(inode,
-+ CAP_DAC_READ_SEARCH))
- return 0;
- return -EACCES;
- }
-@@ -334,7 +335,7 @@ int generic_permission(struct inode *inode, int mask)
- * at least one exec bit set.
- */
- if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
-- if (inode_capable(inode, CAP_DAC_OVERRIDE))
-+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
- return 0;
-
- /*
-@@ -342,7 +343,7 @@ int generic_permission(struct inode *inode, int mask)
- */
- mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
- if (mask == MAY_READ)
-- if (inode_capable(inode, CAP_DAC_READ_SEARCH))
-+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
- return 0;
-
- return -EACCES;
-@@ -2404,7 +2405,7 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
- return 0;
- if (uid_eq(dir->i_uid, fsuid))
- return 0;
-- return !inode_capable(inode, CAP_FOWNER);
-+ return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
- }
-
- /*
-diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
-index 8c8ef24..52b5375 100644
---- a/fs/xfs/xfs_ioctl.c
-+++ b/fs/xfs/xfs_ioctl.c
-@@ -1133,7 +1133,7 @@ xfs_ioctl_setattr(
- * cleared upon successful return from chown()
- */
- if ((ip->i_d.di_mode & (S_ISUID|S_ISGID)) &&
-- !inode_capable(VFS_I(ip), CAP_FSETID))
-+ !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID))
- ip->i_d.di_mode &= ~(S_ISUID|S_ISGID);
-
- /*
-diff --git a/include/linux/capability.h b/include/linux/capability.h
-index a6ee1f9..84b13ad 100644
---- a/include/linux/capability.h
-+++ b/include/linux/capability.h
-@@ -210,7 +210,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
- struct user_namespace *ns, int cap);
- extern bool capable(int cap);
- extern bool ns_capable(struct user_namespace *ns, int cap);
--extern bool inode_capable(const struct inode *inode, int cap);
-+extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
- extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
-
- /* audit system wants to get cap info from files as well */
-diff --git a/kernel/capability.c b/kernel/capability.c
-index 4e66bf9..788653b 100644
---- a/kernel/capability.c
-+++ b/kernel/capability.c
-@@ -433,23 +433,19 @@ bool capable(int cap)
- EXPORT_SYMBOL(capable);
-
- /**
-- * inode_capable - Check superior capability over inode
-+ * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
- * @inode: The inode in question
- * @cap: The capability in question
- *
-- * Return true if the current task has the given superior capability
-- * targeted at it's own user namespace and that the given inode is owned
-- * by the current user namespace or a child namespace.
-- *
-- * Currently we check to see if an inode is owned by the current
-- * user namespace by seeing if the inode's owner maps into the
-- * current user namespace.
-- *
-+ * Return true if the current task has the given capability targeted at
-+ * its own user namespace and that the given inode's uid and gid are
-+ * mapped into the current user namespace.
- */
--bool inode_capable(const struct inode *inode, int cap)
-+bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
- {
- struct user_namespace *ns = current_user_ns();
-
-- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
-+ return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
-+ kgid_has_mapping(ns, inode->i_gid);
- }
--EXPORT_SYMBOL(inode_capable);
-+EXPORT_SYMBOL(capable_wrt_inode_uidgid);
---
-1.9.1
-
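Review bot: Because this fix renames inode_capable() to capable_wrt_inode_uidgid() across six files and replaces the EXPORT_SYMBOL, a partial merge would show up as a leftover caller; a search for "inode_capable(" in the f488de6 tree should return nothing. The security-relevant line to confirm is the added kgid_has_mapping(ns, inode->i_gid) term in kernel/capability.c. fs/namei.c is touched by both this patch and the CVE-2014-5045 patch (both index lines start from blob 187cacf), so check that file for both changes.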
diff --git a/recipes-kernel/linux/files/mm-2014-3122.patch b/recipes-kernel/linux/files/mm-2014-3122.patch
deleted file mode 100644
index 590af0a..0000000
--- a/recipes-kernel/linux/files/mm-2014-3122.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 77552735ba84a410447af7e3375625eb4cfd577b Mon Sep 17 00:00:00 2001
-From: Vlastimil Babka <vbabka at suse.cz>
-Date: Mon, 7 Apr 2014 15:37:50 -0700
-Subject: [PATCH] mm: try_to_unmap_cluster() should lock_page() before mlocking
-
-commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream.
-
-A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin
-fuzzing with trinity. The call site try_to_unmap_cluster() does not lock
-the pages other than its check_page parameter (which is already locked).
-
-The BUG_ON in mlock_vma_page() is not documented and its purpose is
-somewhat unclear, but apparently it serializes against page migration,
-which could otherwise fail to transfer the PG_mlocked flag. This would
-not be fatal, as the page would be eventually encountered again, but
-NR_MLOCK accounting would become distorted nevertheless. This patch adds
-a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that
-effect.
-
-The call site try_to_unmap_cluster() is fixed so that for page !=
-check_page, trylock_page() is attempted (to avoid possible deadlocks as we
-already have check_page locked) and mlock_vma_page() is performed only
-upon success. If the page lock cannot be obtained, the page is left
-without PG_mlocked, which is again not a problem in the whole unevictable
-memory design.
-
-Fixes CVE-2014-3122
-Upstream-Status: Backport
-
-Signed-off-by: Vlastimil Babka <vbabka at suse.cz>
-Signed-off-by: Bob Liu <bob.liu at oracle.com>
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Cc: Wanpeng Li <liwanp at linux.vnet.ibm.com>
-Cc: Michel Lespinasse <walken at google.com>
-Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
-Acked-by: Rik van Riel <riel at redhat.com>
-Cc: David Rientjes <rientjes at google.com>
-Cc: Mel Gorman <mgorman at suse.de>
-Cc: Hugh Dickins <hughd at google.com>
-Cc: Joonsoo Kim <iamjoonsoo.kim at lge.com>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- mm/mlock.c | 2 ++
- mm/rmap.c | 14 ++++++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/mm/mlock.c b/mm/mlock.c
-index 79b7cf7..713e462 100644
---- a/mm/mlock.c
-+++ b/mm/mlock.c
-@@ -76,6 +76,7 @@ void clear_page_mlock(struct page *page)
- */
- void mlock_vma_page(struct page *page)
- {
-+ /* Serialize with page migration */
- BUG_ON(!PageLocked(page));
-
- if (!TestSetPageMlocked(page)) {
-@@ -106,6 +107,7 @@ unsigned int munlock_vma_page(struct page *page)
- {
- unsigned int page_mask = 0;
-
-+ /* For try_to_munlock() and to serialize with page migration */
- BUG_ON(!PageLocked(page));
-
- if (TestClearPageMlocked(page)) {
-diff --git a/mm/rmap.c b/mm/rmap.c
-index 3f60774..fbf0040 100644
---- a/mm/rmap.c
-+++ b/mm/rmap.c
-@@ -1390,9 +1390,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount,
- BUG_ON(!page || PageAnon(page));
-
- if (locked_vma) {
-- mlock_vma_page(page); /* no-op if already mlocked */
-- if (page == check_page)
-+ if (page == check_page) {
-+ /* we know we have check_page locked */
-+ mlock_vma_page(page);
- ret = SWAP_MLOCK;
-+ } else if (trylock_page(page)) {
-+ /*
-+ * If we can lock the page, perform mlock.
-+ * Otherwise leave the page alone, it will be
-+ * eventually encountered again later.
-+ */
-+ mlock_vma_page(page);
-+ unlock_page(page);
-+ }
- continue; /* don't unmap */
- }
-
---
-1.9.1
-
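Review bot: dropping mm-2014-3122.patch is only safe if the mm/rmap.c half of it is in the new tree, because that is the functional change; the mm/mlock.c half only adds comments above the two BUG_ON(!PageLocked(page)) checks. Please confirm that try_to_unmap_cluster() at f488de6 takes trylock_page() for pages other than check_page before calling mlock_vma_page() (the patch cites upstream commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c), and say so in the commit message so the CVE-2014-3122 coverage stays traceable.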
diff --git a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
index 635c2bb..7d109ed 100644
--- a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
+++ b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
@@ -14,14 +14,13 @@ This has been tested on t1040rdb-64b. .
Signed-off-by: Bob Cochran <yocto at mindchasers.com>
---
- arch/powerpc/configs/corenet32_fmanv3_smp_defconfig | 2 +-
- arch/powerpc/configs/corenet64_fmanv3_smp_defconfig | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-diff --git a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig
+diff --git a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
index a401e7c..5542248 100644
---- a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig
-+++ b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig
+--- a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
++++ b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
@@ -1,6 +1,6 @@
CONFIG_PPC_85xx=y
CONFIG_SMP=y
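Review bot: the refreshed inner patch looks hand-edited rather than regenerated: the path changes to corenet32_fmanv3l_smp_defconfig, but the "index a401e7c..5542248" line is carried over unchanged from the old file, and the diffstat summary now reads "1 files changed, 1 insertions(+), 1 deletions(-)". Unless the defconfig was renamed with identical content, those blob ids no longer describe the file being patched. Regenerating the patch with git format-patch against the new kernel tree would fix both and would show whether it applies without fuzz.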
@@ -30,18 +29,5 @@ index a401e7c..5542248 100644
CONFIG_EXPERIMENTAL=y
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
-diff --git a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
-index 1b987d9..bc0dacf 100644
---- a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
-+++ b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
-@@ -2,7 +2,7 @@ CONFIG_PPC64=y
- CONFIG_PPC_BOOK3E_64=y
- CONFIG_ALTIVEC=y
- CONFIG_SMP=y
--CONFIG_NR_CPUS=24
-+CONFIG_NR_CPUS=4
- CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- CONFIG_IRQ_DOMAIN_DEBUG=y
--
1.7.9.5
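Review bot: this hunk drops the corenet64_fmanv3_smp_defconfig change (CONFIG_NR_CPUS=24 to 4) with no replacement, while the inner patch's description, visible in the header of the previous hunk, still says it was tested on t1040rdb-64b. If the 64-bit T1040 build now uses a differently named defconfig, the NR_CPUS change should be retargeted to it; if the 64-bit change is dropped on purpose, the inner commit message should be updated and the reason given in this commit.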
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
index 6fc5610..ddcb6c5 100644
--- a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
+++ b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
@@ -126,9 +126,9 @@ diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index dfe3f36..56ebe71 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
-@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
- struct sctp_chunk auth;
- sctp_ierror_t ret;
+@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ }
+ /* Make sure that we and the peer are AUTH capable */
+ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
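Review bot: the inner hunk is re-anchored from line 759 to line 768 and its leading context changes from the auth/ret declarations to "return sctp_sf_pdiscard(...)" and a closing brace, but the commit message does not mention that net-sctp-CVE-2014-0101.patch was refreshed. Please note the refresh there and confirm the AUTH-capability check still lands at the intended point in sctp_sf_do_5_1D_ce(). Since this is the only CVE backport the recipe keeps, it is also worth confirming that f488de6 does not already carry the fix.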
diff --git a/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch b/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
deleted file mode 100644
index 2fdcc9f..0000000
--- a/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 7998eb3dc700aaf499f93f50b3d77da834ef9e1d Mon Sep 17 00:00:00 2001
-From: Guenter Roeck <linux at roeck-us.net>
-Date: Thu, 15 May 2014 09:33:42 -0700
-Subject: powerpc: Fix 64 bit builds with binutils 2.24
-
-Upstream-Status: Backport
-
-With binutils 2.24, various 64 bit builds fail with relocation errors
-such as
-
-arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
- (.text+0x165ee): relocation truncated to fit: R_PPC64_ADDR16_HI
- against symbol `interrupt_base_book3e' defined in .text section
- in arch/powerpc/kernel/built-in.o
-arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
- (.text+0x16602): relocation truncated to fit: R_PPC64_ADDR16_HI
- against symbol `interrupt_end_book3e' defined in .text section
- in arch/powerpc/kernel/built-in.o
-
-The assembler maintainer says:
-
- I changed the ABI, something that had to be done but unfortunately
- happens to break the booke kernel code. When building up a 64-bit
- value with lis, ori, shl, oris, ori or similar sequences, you now
- should use @high and @higha in place of @h and @ha. @h and @ha
- (and their associated relocs R_PPC64_ADDR16_HI and R_PPC64_ADDR16_HA)
- now report overflow if the value is out of 32-bit signed range.
- ie. @h and @ha assume you're building a 32-bit value. This is needed
- to report out-of-range -mcmodel=medium toc pointer offsets in @toc at h
- and @toc at ha expressions, and for consistency I did the same for all
- other @h and @ha relocs.
-
-Replacing @h with @high in one strategic location fixes the relocation
-errors. This has to be done conditionally since the assembler either
-supports @h or @high but not both.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Guenter Roeck <linux at roeck-us.net>
-Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
-
-diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
-index 4c0cedf..ce4c68a 100644
---- a/arch/powerpc/Makefile
-+++ b/arch/powerpc/Makefile
-@@ -150,7 +150,9 @@ endif
-
- CFLAGS-$(CONFIG_TUNE_CELL) += $(call cc-option,-mtune=cell)
-
--KBUILD_CPPFLAGS += -Iarch/$(ARCH)
-+asinstr := $(call as-instr,lis 9$(comma)foo at high,-DHAVE_AS_ATHIGH=1)
-+
-+KBUILD_CPPFLAGS += -Iarch/$(ARCH) $(asinstr)
- KBUILD_AFLAGS += -Iarch/$(ARCH)
- KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
- CPP = $(CC) -E $(KBUILD_CFLAGS)
-diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
-index 6586a40..cded7c1 100644
---- a/arch/powerpc/include/asm/ppc_asm.h
-+++ b/arch/powerpc/include/asm/ppc_asm.h
-@@ -318,11 +318,16 @@ n:
- addi reg,reg,(name - 0b)@l;
-
- #ifdef __powerpc64__
-+#ifdef HAVE_AS_ATHIGH
-+#define __AS_ATHIGH high
-+#else
-+#define __AS_ATHIGH h
-+#endif
- #define LOAD_REG_IMMEDIATE(reg,expr) \
- lis reg,(expr)@highest; \
- ori reg,reg,(expr)@higher; \
- rldicr reg,reg,32,31; \
-- oris reg,reg,(expr)@h; \
-+ oris reg,reg,(expr)@__AS_ATHIGH; \
- ori reg,reg,(expr)@l;
-
- #define LOAD_REG_ADDR(reg,name) \
---
-cgit v0.10.1
-
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
deleted file mode 100644
index e7b1228..0000000
--- a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
-From: Xufeng Zhang <xufeng.zhang at windriver.com>
-Date: Thu, 12 Jun 2014 10:53:36 +0800
-Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
-
-[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
-
-Consider the scenario:
-For a TCP-style socket, while processing the COOKIE_ECHO chunk in
-sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
-a new association would be created in sctp_unpack_cookie(), but afterwards,
-some processing maybe failed, and sctp_association_free() will be called to
-free the previously allocated association, in sctp_association_free(),
-sk_ack_backlog value is decremented for this socket, since the initial
-value for sk_ack_backlog is 0, after the decrement, it will be 65535,
-a wrap-around problem happens, and if we want to establish new associations
-afterward in the same socket, ABORT would be triggered since sctp deem the
-accept queue as full.
-Fix this issue by only decrementing sk_ack_backlog for associations in
-the endpoint's list.
-
-Fixes CVE-2014-4667
-Upstream-Status: Backport
-
-Fix-suggested-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: Xufeng Zhang <xufeng.zhang at windriver.com>
-Acked-by: Daniel Borkmann <dborkman at redhat.com>
-Acked-by: Vlad Yasevich <vyasevich at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- net/sctp/associola.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/sctp/associola.c b/net/sctp/associola.c
-index cef5099..f6d6dcd 100644
---- a/net/sctp/associola.c
-+++ b/net/sctp/associola.c
-@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
- /* Only real associations count against the endpoint, so
- * don't bother for if this is a temporary association.
- */
-- if (!asoc->temp) {
-+ if (!list_empty(&asoc->asocs)) {
- list_del(&asoc->asocs);
-
- /* Decrement the backlog value for a TCP-style listening
---
-1.9.1
-
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
deleted file mode 100644
index 0c4beb3..0000000
--- a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <dborkman at redhat.com>
-Date: Mon, 10 Nov 2014 17:54:26 +0100
-Subject: [PATCH] net: sctp: fix NULL pointer dereference in
- af->from_addr_param on malformed packet
-
-[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ]
-
-An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
-in the form of:
-
- ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
-
-While the INIT chunk parameter verification dissects through many things
-in order to detect malformed input, it misses to actually check parameters
-inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
-IP address' parameter in ASCONF, which has as a subparameter an address
-parameter.
-
-So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
-or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
-and thus sctp_get_af_specific() returns NULL, too, which we then happily
-dereference unconditionally through af->from_addr_param().
-
-The trace for the log:
-
-BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
-IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
-PGD 0
-Oops: 0000 [#1] SMP
-[...]
-Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
-RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
-[...]
-Call Trace:
- <IRQ>
- [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
- [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
- [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
- [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
- [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
- [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
- [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
- [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
- [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
-[...]
-
-A minimal way to address this is to check for NULL as we do on all
-other such occasions where we know sctp_get_af_specific() could
-possibly return with NULL.
-
-Fix for CVE-2014-7841
-Upstream-Status: Backport
-
-Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
-Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
-Cc: Vlad Yasevich <vyasevich at gmail.com>
-Acked-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- net/sctp/sm_make_chunk.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index 1e06f3b..e342387 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -2622,6 +2622,9 @@ do_addr_param:
- addr_param = param.v + sizeof(sctp_addip_param_t);
-
- af = sctp_get_af_specific(param_type2af(param.p->type));
-+ if (af == NULL)
-+ break;
-+
- af->from_addr_param(&addr, addr_param,
- htons(asoc->peer.port), 0);
-
---
-1.9.1
-
diff --git a/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch b/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch
deleted file mode 100644
index 573b530..0000000
--- a/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From a7033e302dcd38bb4333f46b3fdcd930955e402d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sasha.levin at oracle.com>
-Date: Mon, 29 Dec 2014 09:39:01 -0500
-Subject: [PATCH] KEYS: close race between key lookup and freeing
-
-commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
-
-When a key is being garbage collected, it's key->user would get put before
-the ->destroy() callback is called, where the key is removed from it's
-respective tracking structures.
-
-This leaves a key hanging in a semi-invalid state which leaves a window open
-for a different task to try an access key->user. An example is
-find_keyring_by_name() which would dereference key->user for a key that is
-in the process of being garbage collected (where key->user was freed but
-->destroy() wasn't called yet - so it's still present in the linked list).
-
-This would cause either a panic, or corrupt memory.
-
-Fixes CVE-2014-9529.
-
-Upstream-Status: Backport
-
-Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- security/keys/gc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index d67c97b..7978186 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -201,12 +201,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
- atomic_dec(&key->user->nikeys);
-
-- key_user_put(key->user);
--
- /* now throw away the key memory */
- if (key->type->destroy)
- key->type->destroy(key);
-
-+ key_user_put(key->user);
-+
- kfree(key->description);
-
- #ifdef KEY_DEBUGGING
---
-1.9.1
-
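Review bot: the fix in this dropped patch is purely an ordering change in key_gc_unused_keys(), moving key_user_put(key->user) to after the key->type->destroy(key) call, so checking that both calls exist in the new tree proves nothing. Please confirm in security/keys/gc.c at f488de6 that key_user_put() comes after ->destroy(), or that upstream commit a3a8784454692dd72e5d5d34dcdab17b4420e74c is in its history.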
diff --git a/recipes-kernel/linux/files/target-CVE-2014-4027.patch b/recipes-kernel/linux/files/target-CVE-2014-4027.patch
deleted file mode 100644
index 0f8b49c..0000000
--- a/recipes-kernel/linux/files/target-CVE-2014-4027.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 186f32e2096c7d9cd9106b8dedd79c596f4c8398 Mon Sep 17 00:00:00 2001
-From: "Nicholas A. Bellinger" <nab at linux-iscsi.org>
-Date: Mon, 16 Jun 2014 20:59:52 +0000
-Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages
-
-[Note that a different patch to address the same issue went in during
-v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
-don't strictly apply to fixing the bug]
-
-This patch changes rd_allocate_sgl_table() to explicitly clear
-ramdisk_mcp backend memory pages by passing __GFP_ZERO into
-alloc_pages().
-
-This addresses a potential security issue where reading from a
-ramdisk_mcp could return sensitive information, and follows what
->= v3.15 does to explicitly clear ramdisk_mcp memory at backend
-device initialization time.
-
-This fixes CVE-2014-4027
-Upstream-Status: Backport
-
-Reported-by: Jorge Daniel Sequeira Matias <jdsm at tecnico.ulisboa.pt>
-Cc: Jorge Daniel Sequeira Matias <jdsm at tecnico.ulisboa.pt>
-Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- drivers/target/target_core_rd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
-index 131327a..9f6bede 100644
---- a/drivers/target/target_core_rd.c
-+++ b/drivers/target/target_core_rd.c
-@@ -179,7 +179,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev)
- - 1;
-
- for (j = 0; j < sg_per_table; j++) {
-- pg = alloc_pages(GFP_KERNEL, 0);
-+ pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
- if (!pg) {
- pr_err("Unable to allocate scatterlist"
- " pages for struct rd_dev_sg_table\n");
---
-1.9.1
-
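Review bot: this backport cannot be checked off by upstream commit id, because its own message says a different patch (commit 4442dc8a) addressed the issue in v3.15-rc1 and this one is a separate, narrower change. Before dropping it, confirm directly that rd_build_device_space() in drivers/target/target_core_rd.c at f488de6 allocates with GFP_KERNEL | __GFP_ZERO, or otherwise clears the pages, so that reads from a ramdisk_mcp backend cannot return stale memory.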
diff --git a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
deleted file mode 100644
index cc90f7d..0000000
--- a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001
-From: Rabin Vincent <rabin at rab.in>
-Date: Wed, 29 Oct 2014 23:06:58 +0100
-Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
-
-commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
-
-ARM has some private syscalls (for example, set_tls(2)) which lie
-outside the range of NR_syscalls. If any of these are called while
-syscall tracing is being performed, out-of-bounds array access will
-occur in the ftrace and perf sys_{enter,exit} handlers.
-
- # trace-cmd record -e raw_syscalls:* true && trace-cmd report
- ...
- true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
- true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264
- true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
- true-653 [000] 384.675988: sys_exit: NR 983045 = 0
- ...
-
- # trace-cmd record -e syscalls:* true
- [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace
- [ 17.289590] pgd = 9e71c000
- [ 17.289696] [aaaaaace] *pgd=00000000
- [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
- [ 17.290169] Modules linked in:
- [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
- [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
- [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
- [ 17.290866] LR is at syscall_trace_enter+0x124/0x184
-
-Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
-
-Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
-added the check for less than zero, but it should have also checked
-for greater than NR_syscalls.
-
-Fixes CVE-2014-7825 and CVE-2014-7826
-Upstream-Status: Backport
-
-Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
-
-Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
-Signed-off-by: Rabin Vincent <rabin at rab.in>
-Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- kernel/trace/trace_syscalls.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
-index 559329d..d8ce71b 100644
---- a/kernel/trace/trace_syscalls.c
-+++ b/kernel/trace/trace_syscalls.c
-@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id)
- int size;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, tr->enabled_enter_syscalls))
- return;
-@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret)
- int syscall_nr;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, tr->enabled_exit_syscalls))
- return;
-@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
- int size;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
- return;
-@@ -631,7 +631,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
- int size;
-
- syscall_nr = trace_get_syscall_nr(current, regs);
-- if (syscall_nr < 0)
-+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
- return;
- if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
- return;
---
-1.9.1
-
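Review bot: the dropped fix applies the same upper bound at four separate sites (ftrace_syscall_enter, ftrace_syscall_exit, perf_syscall_enter, perf_syscall_exit), so a partial merge in the vendor tree would leave test_bit() indexed by an unchecked syscall_nr in whichever handler was missed. Please confirm that all four have the "syscall_nr >= NR_syscalls" test in kernel/trace/trace_syscalls.c at f488de6, not just that the upstream commit id appears in the log.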
diff --git a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
deleted file mode 100644
index 9086e0a..0000000
--- a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 07d209bd092d023976fdb881ba6d4b30fe18aebe Mon Sep 17 00:00:00 2001
-From: Jan Kara <jack at suse.cz>
-Date: Thu, 4 Sep 2014 14:06:55 +0200
-Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
-
-commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream.
-
-We did not implement any bound on number of indirect ICBs we follow when
-loading inode. Thus corrupted medium could cause kernel to go into an
-infinite loop, possibly causing a stack overflow.
-
-Fix the possible stack overflow by removing recursion from
-__udf_read_inode() and limit number of indirect ICBs we follow to avoid
-infinite loops.
-
-Upstream-Status: Backport
-
-Signed-off-by: Jan Kara <jack at suse.cz>
-Cc: Chuck Ebbert <cebbert.lkml at gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- fs/udf/inode.c | 35 +++++++++++++++++++++--------------
- 1 file changed, 21 insertions(+), 14 deletions(-)
-
-diff --git a/fs/udf/inode.c b/fs/udf/inode.c
-index b6d15d3..aa02328 100644
---- a/fs/udf/inode.c
-+++ b/fs/udf/inode.c
-@@ -1270,13 +1270,22 @@ update_time:
- return 0;
- }
-
-+/*
-+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
-+ * arbitrary - just that we hopefully don't limit any real use of rewritten
-+ * inode on write-once media but avoid looping for too long on corrupted media.
-+ */
-+#define UDF_MAX_ICB_NESTING 1024
-+
- static void __udf_read_inode(struct inode *inode)
- {
- struct buffer_head *bh = NULL;
- struct fileEntry *fe;
- uint16_t ident;
- struct udf_inode_info *iinfo = UDF_I(inode);
-+ unsigned int indirections = 0;
-
-+reread:
- /*
- * Set defaults, but the inode is still incomplete!
- * Note: get_new_inode() sets the following on a new inode:
-@@ -1313,28 +1322,26 @@ static void __udf_read_inode(struct inode *inode)
- ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
- &ident);
- if (ident == TAG_IDENT_IE && ibh) {
-- struct buffer_head *nbh = NULL;
- struct kernel_lb_addr loc;
- struct indirectEntry *ie;
-
- ie = (struct indirectEntry *)ibh->b_data;
- loc = lelb_to_cpu(ie->indirectICB.extLocation);
-
-- if (ie->indirectICB.extLength &&
-- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
-- &ident))) {
-- if (ident == TAG_IDENT_FE ||
-- ident == TAG_IDENT_EFE) {
-- memcpy(&iinfo->i_location,
-- &loc,
-- sizeof(struct kernel_lb_addr));
-- brelse(bh);
-- brelse(ibh);
-- brelse(nbh);
-- __udf_read_inode(inode);
-+ if (ie->indirectICB.extLength) {
-+ brelse(bh);
-+ brelse(ibh);
-+ memcpy(&iinfo->i_location, &loc,
-+ sizeof(struct kernel_lb_addr));
-+ if (++indirections > UDF_MAX_ICB_NESTING) {
-+ udf_err(inode->i_sb,
-+ "too many ICBs in ICB hierarchy"
-+ " (max %d supported)\n",
-+ UDF_MAX_ICB_NESTING);
-+ make_bad_inode(inode);
- return;
- }
-- brelse(nbh);
-+ goto reread;
- }
- }
- brelse(ibh);
---
-1.9.1
-
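Review bot: the inner patch's commit message never names CVE-2014-6410 (only the file name does), so searching the new tree's history for the CVE id will not show whether the fix is present. Verify by upstream commit c03aa9f6e1f938618e6db2e23afef0574efeeb65, or by checking that __udf_read_inode() in fs/udf/inode.c has the UDF_MAX_ICB_NESTING limit and the "goto reread" loop in place of the recursive call.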
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 1e9e476..3e0ab95 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -1,43 +1,7 @@
require recipes-kernel/linux/linux-qoriq.inc
SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
- file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
- file://Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch \
- file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \
- file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
file://modify-defconfig-t1040-nr-cpus.patch \
- file://0001-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0002-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://udf-CVE-2014-6410.patch \
file://net-sctp-CVE-2014-0101.patch \
- file://0001-HID-CVE-2014-3181.patch \
- file://0002-HID-CVE-2014-3182.patch \
- file://0003-HID-CVE-2014-3184.patch \
- file://0004-USB-CVE-2014-3185.patch \
- file://0001-kvm-iommu-CVE-2014-3601.patch \
- file://0002-kvm-iommu-CVE-2014-8369.patch \
- file://0001-net-sctp-CVE-2014-3673.patch \
- file://0002-net-sctp-CVE-2014-3687.patch \
- file://0003-net-sctp-CVE-2014-3688.patch \
- file://auditsc-CVE-2014-3917.patch \
- file://0001-ALSA-CVE-2014-4652.patch \
- file://0002-ALSA-CVE-2014-4653.patch \
- file://sctp-CVE-2014-4667.patch \
- file://sctp-CVE-2014-7841.patch \
- file://0001-ALSA-CVE-2014-4656.patch \
- file://0002-ALSA-CVE-2014-4656.patch \
- file://target-CVE-2014-4027.patch \
- file://mm-2014-3122.patch \
- file://0001-shmem-CVE-2014-4171.patch \
- file://0002-shmem-CVE-2014-4171.patch \
- file://0003-shmem-CVE-2014-4171.patch \
- file://fs-CVE-2014-4014.patch \
- file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
- file://security-keys-CVE-2014-9529.patch \
- file://eCryptfs-CVE-2014-9683.patch \
"
-SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
-
+SRCREV = "f488de6741d5ba805b9fe813d2ddf32368d3a888"
--
1.9.1
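Review bot: this hunk drops 35 file:// entries from SRC_URI in the same change that moves SRCREV, and the commit message covers them with a single line saying the patches are already merged in 3.12.37-rt51. Listing the CVE ids whose backports are dropped, or stating how the merge was checked, would let a later audit confirm coverage without reopening each deleted file. Separately, with nobranch=1 and a bare hash, nothing in the recipe ties f488de6741d5ba805b9fe813d2ddf32368d3a888 to the fsl-sdk-v1.8 tag the message links to; a comment beside SRCREV naming the tag would help.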