From b4eefb075d2216606cea7f3f901b37e3cb19db19 Mon Sep 17 00:00:00 2001 From: Kevin Mihelich Date: Wed, 26 Oct 2016 02:54:41 +0000 Subject: [PATCH] core/linux-odroid to 3.8.13.30-5 --- ...ng-ref-leak-in-join_session_keyring.patch} | 10 +- ...ags-FOLL_WRITE-games-from-__get_user.patch | 101 ++++++++++++++++++ ...media-mfc-use-shipped-firmware-paths.patch | 35 ++++++ ...ow-mac-address-to-be-set-in-smsc95xx.patch | 96 +++++++++++++++++ core/linux-odroid/PKGBUILD | 24 +++-- core/linux-odroid/add-gcc6-support.patch | 71 ------------ 6 files changed, 253 insertions(+), 84 deletions(-) rename core/linux-odroid/{kernel-CVE-2016-0728.patch => 0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch} (88%) create mode 100644 core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch create mode 100644 core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch create mode 100644 core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch delete mode 100644 core/linux-odroid/add-gcc6-support.patch diff --git a/core/linux-odroid/kernel-CVE-2016-0728.patch b/core/linux-odroid/0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch similarity index 88% rename from core/linux-odroid/kernel-CVE-2016-0728.patch rename to core/linux-odroid/0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch index 49020d7db..b211efce5 100644 --- a/core/linux-odroid/kernel-CVE-2016-0728.patch +++ b/core/linux-odroid/0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch @@ -1,7 +1,7 @@ -From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001 +From a7c092a19768d6b6dbb5d4afea33136c4637d633 Mon Sep 17 00:00:00 2001 From: Yevgeny Pats Date: Tue, 19 Jan 2016 22:09:04 +0000 -Subject: KEYS: Fix keyring ref leak in join_session_keyring() +Subject: [PATCH 1/4] KEYS: Fix keyring ref leak in join_session_keyring() This fixes CVE-2016-0728. @@ -65,10 +65,10 @@ Signed-off-by: James Morris 1 file changed, 1 insertion(+) diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index a3f85d2..e6d50172 100644 +index 42defae..cd871dc 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) +@@ -792,6 +792,7 @@ long join_session_keyring(const char *name) ret = PTR_ERR(keyring); goto error2; } else if (keyring == new->session_keyring) { @@ -77,5 +77,5 @@ index a3f85d2..e6d50172 100644 goto error2; } -- -cgit v0.12 +2.10.1 diff --git a/core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch b/core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch new file mode 100644 index 000000000..c7a0dfe29 --- /dev/null +++ b/core/linux-odroid/0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch @@ -0,0 +1,101 @@ +From 541267fab71436c4acb361f1557a881c3908b22e Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 13 Oct 2016 13:07:36 -0700 +Subject: [PATCH 2/4] mm: remove gup_flags FOLL_WRITE games from + __get_user_pages() + +commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. + +This is an ancient bug that was actually attempted to be fixed once +(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix +get_user_pages() race for write access") but that was then undone due to +problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). + +In the meantime, the s390 situation has long been fixed, and we can now +fix it by checking the pte_dirty() bit properly (and do it better). The +s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement +software dirty bits") which made it into v3.9. Earlier kernels will +have to look at the page state itself. + +Also, the VM has become more scalable, and what used a purely +theoretical race back then has become easier to trigger. + +To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, +we already did a COW" rather than play racy games with FOLL_WRITE that +is very fundamental, and then use the pte dirty flag to validate that +the FOLL_COW flag is still valid. + +Reported-and-tested-by: Phil "not Paul" Oester +Acked-by: Hugh Dickins +Reviewed-by: Michal Hocko +Cc: Andy Lutomirski +Cc: Kees Cook +Cc: Oleg Nesterov +Cc: Willy Tarreau +Cc: Nick Piggin +Cc: Greg Thelen +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask; + s/faultin_page/__get_user_page] +Signed-off-by: Willy Tarreau +--- + include/linux/mm.h | 2 ++ + mm/memory.c | 14 ++++++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index dbade0f..218be84 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1723,6 +1723,8 @@ struct page *follow_page(struct vm_area_struct *, unsigned long address, + #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */ + #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */ + #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */ ++#define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ ++#define FOLL_COW 0x4000 /* internal GUP flag */ + + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, + void *data); +diff --git a/mm/memory.c b/mm/memory.c +index 4395fe8..326e9cd 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1458,6 +1458,16 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address, + } + EXPORT_SYMBOL_GPL(zap_vma_ptes); + ++/* ++ * FOLL_FORCE can write to even unwritable pte's, but only ++ * after we've gone through a COW cycle and they are dirty. ++ */ ++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) ++{ ++ return pte_write(pte) || ++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); ++} ++ + /** + * follow_page - look up a page descriptor from a user-virtual address + * @vma: vm_area_struct mapping @address +@@ -1544,7 +1554,7 @@ split_fallthrough: + goto no_page; + if ((flags & FOLL_NUMA) && pte_numa(pte)) + goto no_page; +- if ((flags & FOLL_WRITE) && !pte_write(pte)) ++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) + goto unlock; + + page = vm_normal_page(vma, address, pte); +@@ -1847,7 +1857,7 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, + */ + if ((ret & VM_FAULT_WRITE) && + !(vma->vm_flags & VM_WRITE)) +- foll_flags &= ~FOLL_WRITE; ++ foll_flags |= FOLL_COW; + + cond_resched(); + } +-- +2.10.1 + diff --git a/core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch b/core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch new file mode 100644 index 000000000..da1d417fa --- /dev/null +++ b/core/linux-odroid/0003-Revert-media-mfc-use-shipped-firmware-paths.patch @@ -0,0 +1,35 @@ +From 33ec211a483dd5fdc9c590f624ea395a237a59f1 Mon Sep 17 00:00:00 2001 +From: Kevin Mihelich +Date: Mon, 24 Oct 2016 19:33:31 -0600 +Subject: [PATCH 3/4] Revert "media/mfc: use shipped firmware paths" + +This reverts commit 6720e7ffffed9656b006553311b2d85abcd3f0b6. +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c +index 6a1cef5..0da338c 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -1293,7 +1293,7 @@ static struct s5p_mfc_variant mfc_drvdata_v5 = { + .buf_size = &buf_size_v5, + .buf_align = &mfc_buf_align_v5, + .mclk_name = "sclk_mfc", +- .fw_name = "s5p-mfc/s5p-mfc.fw", ++ .fw_name = "s5p-mfc.fw", + }; + + struct s5p_mfc_buf_size_v6 mfc_buf_size_v6 = { +@@ -1320,7 +1320,7 @@ static struct s5p_mfc_variant mfc_drvdata_v6 = { + .buf_size = &buf_size_v6, + .buf_align = &mfc_buf_align_v6, + .mclk_name = "aclk_333", +- .fw_name = "s5p-mfc/s5p-mfc-v6.fw", ++ .fw_name = "s5p-mfc-v6.fw", + }; + + static struct platform_device_id mfc_driver_ids[] = { +-- +2.10.1 + diff --git a/core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch b/core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch new file mode 100644 index 000000000..f1b29a0d0 --- /dev/null +++ b/core/linux-odroid/0004-Allow-mac-address-to-be-set-in-smsc95xx.patch @@ -0,0 +1,96 @@ +From 9610e2bda9ccee379887600bac748aeb13a61cbe Mon Sep 17 00:00:00 2001 +From: popcornmix +Date: Tue, 26 Mar 2013 17:26:38 +0000 +Subject: [PATCH 4/4] Allow mac address to be set in smsc95xx + +Signed-off-by: popcornmix +--- + drivers/net/usb/smsc95xx.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 19a8db7..fdde874 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -54,6 +54,7 @@ + #define FEATURE_8_WAKEUP_FILTERS (0x01) + #define FEATURE_PHY_NLP_CROSSOVER (0x02) + #define FEATURE_AUTOSUSPEND (0x04) ++#define MAC_ADDR_LEN (6) + + struct smsc95xx_priv { + u32 mac_cr; +@@ -129,6 +130,10 @@ int smsc95xx_read_mac_addr(unsigned char *mac) + } + #endif + ++static char *macaddr = ":"; ++module_param(macaddr, charp, 0); ++MODULE_PARM_DESC(macaddr, "MAC address"); ++ + static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index, + u32 *data, int in_pm) + { +@@ -836,8 +841,59 @@ static int smsc95xx_ioctl(struct net_device *netdev, struct ifreq *rq, int cmd) + return generic_mii_ioctl(&dev->mii, if_mii(rq), cmd, NULL); + } + ++/* Check the macaddr module parameter for a MAC address */ ++static int smsc95xx_is_macaddr_param(struct usbnet *dev, u8 *dev_mac) ++{ ++ int i, j, got_num, num; ++ u8 mtbl[MAC_ADDR_LEN]; ++ ++ if (macaddr[0] == ':') ++ return 0; ++ ++ i = 0; ++ j = 0; ++ num = 0; ++ got_num = 0; ++ while (j < MAC_ADDR_LEN) { ++ if (macaddr[i] && macaddr[i] != ':') { ++ got_num++; ++ if ('0' <= macaddr[i] && macaddr[i] <= '9') ++ num = num * 16 + macaddr[i] - '0'; ++ else if ('A' <= macaddr[i] && macaddr[i] <= 'F') ++ num = num * 16 + 10 + macaddr[i] - 'A'; ++ else if ('a' <= macaddr[i] && macaddr[i] <= 'f') ++ num = num * 16 + 10 + macaddr[i] - 'a'; ++ else ++ break; ++ i++; ++ } else if (got_num == 2) { ++ mtbl[j++] = (u8) num; ++ num = 0; ++ got_num = 0; ++ i++; ++ } else { ++ break; ++ } ++ } ++ ++ if (j == MAC_ADDR_LEN) { ++ netif_dbg(dev, ifup, dev->net, "Overriding MAC address with: " ++ "%02x:%02x:%02x:%02x:%02x:%02x\n", mtbl[0], mtbl[1], mtbl[2], ++ mtbl[3], mtbl[4], mtbl[5]); ++ for (i = 0; i < MAC_ADDR_LEN; i++) ++ dev_mac[i] = mtbl[i]; ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ + static void smsc95xx_init_mac_address(struct usbnet *dev) + { ++ /* Check module parameters */ ++ if (smsc95xx_is_macaddr_param(dev, dev->net->dev_addr)) ++ return; ++ + /* try reading mac address from EEPROM */ + if (smsc95xx_read_eeprom(dev, EEPROM_MAC_OFFSET, ETH_ALEN, + dev->net->dev_addr) == 0) { +-- +2.10.1 + diff --git a/core/linux-odroid/PKGBUILD b/core/linux-odroid/PKGBUILD index 2fa193682..45f28aa20 100644 --- a/core/linux-odroid/PKGBUILD +++ b/core/linux-odroid/PKGBUILD @@ -8,7 +8,7 @@ pkgname=('linux-odroid-x' 'linux-odroid-x2' 'linux-odroid-u2' 'linux-headers-odr _kernelname=${pkgname#linux} _basekernel=3.8 pkgver=${_basekernel}.13.30 -pkgrel=4 +pkgrel=5 arch=('armv7h') url="http://github.com/hardkernel/linux/" license=('GPL2') @@ -16,16 +16,20 @@ makedepends=('xmlto' 'docbook-xsl' 'kmod' 'git' 'inetutils' 'bc') options=('!strip') _commit=ddfddf829693c6bb739074e1b14e9e4fa1c55ea8 source=("https://github.com/hardkernel/linux/archive/${_commit}.tar.gz" - 'add-gcc6-support.patch' 'rtl8812_to_v4_3_14_and_enable_rtl8821.patch.xz' - 'kernel-CVE-2016-0728.patch' + '0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch' + '0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch' + '0003-Revert-media-mfc-use-shipped-firmware-paths.patch' + '0004-Allow-mac-address-to-be-set-in-smsc95xx.patch' 'config_x' 'config_x2' 'config_u2') md5sums=('e4ff4cbd8bd2145ba26e085de665d806' - '840a69592300bf7cbc3ad317e8100114' 'c6d56cc8134dd25d97d0416ef98a3dfe' - '6470e9783bd1c7a8feddc2d67f07afd5' + 'a78459b6f959991291c0cf16efd701b8' + 'b13dc91cba30802ee1e6cfd247c8925d' + '34bdc31e77b4b74348181ccbf7faaa32' + '3fbbb92df6a08005260e9f1aab28cf60' 'f54b9fa32d672116c73e6e3c9585929f' '1211492fdd1125c68d03d0a1f8d6c498' '13011519e5c36655bdb5315178c5c1fe') @@ -33,9 +37,13 @@ md5sums=('e4ff4cbd8bd2145ba26e085de665d806' prepare() { cd "${srcdir}/linux-${_commit}" - patch -Np1 -i ${srcdir}/add-gcc6-support.patch - patch -p1 -i ${srcdir}/rtl8812_to_v4_3_14_and_enable_rtl8821.patch - patch -p1 -i ${srcdir}/kernel-CVE-2016-0728.patch + patch -p1 -i ../rtl8812_to_v4_3_14_and_enable_rtl8821.patch + patch -p1 -i ../0001-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch + patch -p1 -i ../0002-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user.patch + patch -p1 -i ../0003-Revert-media-mfc-use-shipped-firmware-paths.patch + patch -p1 -i ../0004-Allow-mac-address-to-be-set-in-smsc95xx.patch + + cp include/linux/compiler-gcc5.h include/linux/compiler-gcc6.h # add pkgrel to extraversion sed -ri "s|^(EXTRAVERSION =)(.*)|\1 \2-${pkgrel}|" Makefile diff --git a/core/linux-odroid/add-gcc6-support.patch b/core/linux-odroid/add-gcc6-support.patch deleted file mode 100644 index 6612dc0bc..000000000 --- a/core/linux-odroid/add-gcc6-support.patch +++ /dev/null @@ -1,71 +0,0 @@ ---- /dev/null -+++ b/include/linux/compiler-gcc6.h -@@ -0,0 +1,66 @@ -+#ifndef __LINUX_COMPILER_H -+#error "Please don't include directly, include instead." -+#endif -+ -+#define __used __attribute__((__used__)) -+#define __must_check __attribute__((warn_unused_result)) -+#define __compiler_offsetof(a, b) __builtin_offsetof(a, b) -+ -+/* Mark functions as cold. gcc will assume any path leading to a call -+ to them will be unlikely. This means a lot of manual unlikely()s -+ are unnecessary now for any paths leading to the usual suspects -+ like BUG(), printk(), panic() etc. [but let's keep them for now for -+ older compilers] -+ -+ Early snapshots of gcc 4.3 don't support this and we can't detect this -+ in the preprocessor, but we can live with this because they're unreleased. -+ Maketime probing would be overkill here. -+ -+ gcc also has a __attribute__((__hot__)) to move hot functions into -+ a special section, but I don't see any sense in this right now in -+ the kernel context */ -+#define __cold __attribute__((__cold__)) -+ -+#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) -+ -+#ifndef __CHECKER__ -+# define __compiletime_warning(message) __attribute__((warning(message))) -+# define __compiletime_error(message) __attribute__((error(message))) -+#endif /* __CHECKER__ */ -+ -+/* -+ * Mark a position in code as unreachable. This can be used to -+ * suppress control flow warnings after asm blocks that transfer -+ * control elsewhere. -+ * -+ * Early snapshots of gcc 4.5 don't support this and we can't detect -+ * this in the preprocessor, but we can live with this because they're -+ * unreleased. Really, we need to have autoconf for the kernel. -+ */ -+#define unreachable() __builtin_unreachable() -+ -+/* Mark a function definition as prohibited from being cloned. */ -+#define __noclone __attribute__((__noclone__)) -+ -+/* -+ * Tell the optimizer that something else uses this function or variable. -+ */ -+#define __visible __attribute__((externally_visible)) -+ -+/* -+ * GCC 'asm goto' miscompiles certain code sequences: -+ * -+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 -+ * -+ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. -+ * Fixed in GCC 4.8.2 and later versions. -+ * -+ * (asm goto is automatically volatile - the naming reflects this.) -+ */ -+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) -+ -+#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP -+#define __HAVE_BUILTIN_BSWAP32__ -+#define __HAVE_BUILTIN_BSWAP64__ -+#define __HAVE_BUILTIN_BSWAP16__ -+#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */ --- -1.9.1