Hello community,
here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-04-03 11:04:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source"
Mon Apr 3 11:04:53 2017 rev:358 rq:484248 version:4.10.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-03-29 13:23:44.583481810 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-04-03 11:04:54.405388226 +0200
@@ -1,0 +2,72 @@
+Fri Mar 31 19:16:00 CEST 2017 - mkubecek@suse.cz
+
+- Update patches.kernel.org/patch-4.10.7-8 references (add CVE-2017-7184 bsc#1030573).
+- commit ea9dcd4
+
+-------------------------------------------------------------------
+Fri Mar 31 18:33:34 CEST 2017 - mkubecek@suse.cz
+
+- tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS (CVE-2017-7277
+ bsc#1031265).
+- tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs
+ (CVE-2017-7277 bsc#1031265).
+- commit 37681e8
+
+-------------------------------------------------------------------
+Fri Mar 31 18:25:50 CEST 2017 - mkubecek@suse.cz
+
+- net/packet: fix overflow in check for tp_reserve (CVE-2017-7308
+ bsc#1031579).
+- net/packet: fix overflow in check for tp_frame_nr (CVE-2017-7308
+ bsc#1031579).
+- net/packet: fix overflow in check for priv area size
+ (CVE-2017-7308 bsc#1031579).
+- commit fbe9fc9
+
+-------------------------------------------------------------------
+Fri Mar 31 18:17:42 CEST 2017 - mkubecek@suse.cz
+
+- ping: implement proper locking (bsc#1031003).
+- commit 3ea493f
+
+-------------------------------------------------------------------
+Fri Mar 31 12:00:42 CEST 2017 - jslaby@suse.cz
+
+- Linux 4.10.8 (bnc#1012628).
+- commit fd89662
+
+-------------------------------------------------------------------
+Thu Mar 30 11:49:42 CEST 2017 - jslaby@suse.cz
+
+- drm/i915: disable KASAN for handlers (bnc#1025903).
+- commit 0161cd4
+
+-------------------------------------------------------------------
+Thu Mar 30 11:43:27 CEST 2017 - jslaby@suse.cz
+
+- Linux 4.10.7 (bnc#1007962 bnc#1012628 bsc#1013576 bsc#1028489
+ bsc#1000619).
+- Delete patches.drivers/drm-reference-count-event-completion.
+- Delete patches.drivers/fbcon-Fix-vc-attr-at-deinit.
+- Delete
+ patches.fixes/crypto-algif_hash-avoid-zero-sized-array.patch.
+- Delete
+ patches.fixes/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch.
+- commit 24e2bda
+
+-------------------------------------------------------------------
+Sun Mar 26 20:39:41 CEST 2017 - jslaby@suse.cz
+
+- Linux 4.10.6 (bnc#1012628 bnc#1025903).
+- Delete
+ patches.rpmify/give-up-on-gcc-ilog2-constant-optimizations.patch.
+- commit e326586
+
+-------------------------------------------------------------------
+Fri Mar 24 12:46:53 CET 2017 - mkubecek@suse.cz
+
+- genetlink: fix counting regression on ctrl_dumpfamily()
+ (bsc#1028489).
+- commit 5182272
+
+-------------------------------------------------------------------
dtb-armv6l.changes: same change
dtb-armv7l.changes: same change
kernel-64kb.changes: same change
kernel-debug.changes: same change
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-syzkaller.changes: same change
kernel-vanilla.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dtb-aarch64.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.036592636 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.036592636 +0200
@@ -16,15 +16,15 @@
#
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define vanilla_only 0
%include %_sourcedir/kernel-spec-macros
Name: dtb-aarch64
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
dtb-armv6l.spec: same change
dtb-armv7l.spec: same change
++++++ kernel-64kb.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.124580205 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.124580205 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.10
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel with 64kb PAGE_SIZE
License: GPL-2.0
Group: System/Kernel
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
kernel-debug.spec: same change
kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.204568904 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.208568339 +0200
@@ -16,7 +16,7 @@
#
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -42,9 +42,9 @@
Summary: Kernel Documentation (man pages)
License: GPL-2.0
Group: Documentation/Man
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.228565514 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.232564949 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.10
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel for LPAE enabled systems
License: GPL-2.0
Group: System/Kernel
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.252562124 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.252562124 +0200
@@ -19,7 +19,7 @@
#!BuildIgnore: post-build-checks
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%define vanilla_only 0
@@ -57,9 +57,9 @@
Summary: package kernel and initrd for OBS VM builds
License: GPL-2.0
Group: SLES
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-obs-qa.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.276558733 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.276558733 +0200
@@ -17,7 +17,7 @@
# needsrootforbuild
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -36,9 +36,9 @@
Summary: Basic QA tests for the kernel
License: GPL-2.0
Group: SLES
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.300555343 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.304554778 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.10
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel with PAE Support
License: GPL-2.0
Group: System/Kernel
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.328551388 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.332550823 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.10
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%define vanilla_only 0
@@ -30,9 +30,9 @@
Summary: The Linux Kernel Sources
License: GPL-2.0
Group: Development/Sources
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.360546867 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.360546867 +0200
@@ -24,10 +24,10 @@
Summary: Kernel Symbol Versions (modversions)
License: GPL-2.0
Group: Development/Sources
-Version: 4.10.5
+Version: 4.10.8
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
++++++ kernel-syzkaller.spec ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:00.380544042 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:00.384543477 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.10
-%define patchversion 4.10.5
+%define patchversion 4.10.8
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel used for fuzzing by syzkaller
License: GPL-2.0
Group: System/Kernel
-Version: 4.10.5
+Version: 4.10.8
%if 0%{?is_kotd}
-Release: <RELEASE>.gf3fbfc6
+Release: <RELEASE>.gea9dcd4
%else
Release: 0
%endif
kernel-vanilla.spec: same change
++++++ patches.drivers.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/drm-reference-count-event-completion new/patches.drivers/drm-reference-count-event-completion
--- old/patches.drivers/drm-reference-count-event-completion 2017-01-30 17:46:39.000000000 +0100
+++ new/patches.drivers/drm-reference-count-event-completion 1970-01-01 01:00:00.000000000 +0100
@@ -1,99 +0,0 @@
-From 24835e442f289813aa568d142a755672a740503c Mon Sep 17 00:00:00 2001
-From: Daniel Vetter
-Date: Wed, 21 Dec 2016 11:23:30 +0100
-Subject: [PATCH] drm: reference count event->completion
-Git-commit: 24835e442f289813aa568d142a755672a740503c
-References: bsc#1013576
-Git-repo: git://anongit.freedesktop.org/drm-intel
-Patch-mainline: Queued in subsystem maintainer repository
-
-When writing the generic nonblocking commit code I assumed that
-through clever lifetime management I can assure that the completion
-(stored in drm_crtc_commit) only gets freed after it is completed. And
-that worked.
-
-I also wanted to make nonblocking helpers resilient against driver
-bugs, by having timeouts everywhere. And that worked too.
-
-Unfortunately taking boths things together results in oopses :( Well,
-at least sometimes: What seems to happen is that the drm event hangs
-around forever stuck in limbo land. The nonblocking helpers eventually
-time out, move on and release it. Now the bug I tested all this
-against is drivers that just entirely fail to deliver the vblank
-events like they should, and in those cases the event is simply
-leaked. But what seems to happen, at least sometimes, on i915 is that
-the event is set up correctly, but somohow the vblank fails to fire in
-time. Which means the event isn't leaked, it's still there waiting for
-eventually a vblank to fire. That tends to happen when re-enabling the
-pipe, and then the trap springs and the kernel oopses.
-
-The correct fix here is simply to refcount the crtc commit to make
-sure that the event sticks around even for drivers which only
-sometimes fail to deliver vblanks for some arbitrary reasons. Since
-crtc commits are already refcounted that's easy to do.
-
-Reference: https://bugs.freedesktop.org/show_bug.cgi?id=96781
-Cc: Jim Rees
-Cc: Chris Wilson
-Cc: Maarten Lankhorst
-Cc: Jani Nikula
-Reviewed-by: Maarten Lankhorst
-Signed-off-by: Daniel Vetter
-Link: http://patchwork.freedesktop.org/patch/msgid/20161221102331.31033-1-daniel.v...
-Acked-by: Takashi Iwai
-
----
- drivers/gpu/drm/drm_atomic_helper.c | 11 +++++++++++
- drivers/gpu/drm/drm_fops.c | 2 +-
- include/drm/drmP.h | 1 +
- 3 files changed, 13 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/drm_atomic_helper.c
-+++ b/drivers/gpu/drm/drm_atomic_helper.c
-@@ -1389,6 +1389,15 @@ static int stall_checks(struct drm_crtc
- return ret < 0 ? ret : 0;
- }
-
-+void release_crtc_commit(struct completion *completion)
-+{
-+ struct drm_crtc_commit *commit = container_of(completion,
-+ typeof(*commit),
-+ flip_done);
-+
-+ drm_crtc_commit_put(commit);
-+}
-+
- /**
- * drm_atomic_helper_setup_commit - setup possibly nonblocking commit
- * @state: new modeset state to be committed
-@@ -1481,6 +1490,8 @@ int drm_atomic_helper_setup_commit(struc
- }
-
- crtc_state->event->base.completion = &commit->flip_done;
-+ crtc_state->event->base.completion_release = release_crtc_commit;
-+ drm_crtc_commit_get(commit);
- }
-
- return 0;
---- a/drivers/gpu/drm/drm_fops.c
-+++ b/drivers/gpu/drm/drm_fops.c
-@@ -689,8 +689,8 @@ void drm_send_event_locked(struct drm_de
- assert_spin_locked(&dev->event_lock);
-
- if (e->completion) {
-- /* ->completion might disappear as soon as it signalled. */
- complete_all(e->completion);
-+ e->completion_release(e->completion);
- e->completion = NULL;
- }
-
---- a/include/drm/drmP.h
-+++ b/include/drm/drmP.h
-@@ -360,6 +360,7 @@ struct drm_ioctl_desc {
- /* Event queued up for userspace to read */
- struct drm_pending_event {
- struct completion *completion;
-+ void (*completion_release)(struct completion *completion);
- struct drm_event *event;
- struct dma_fence *fence;
- struct list_head link;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/fbcon-Fix-vc-attr-at-deinit new/patches.drivers/fbcon-Fix-vc-attr-at-deinit
--- old/patches.drivers/fbcon-Fix-vc-attr-at-deinit 2017-01-30 17:46:39.000000000 +0100
+++ new/patches.drivers/fbcon-Fix-vc-attr-at-deinit 1970-01-01 01:00:00.000000000 +0100
@@ -1,142 +0,0 @@
-From: Takashi Iwai
-Date: Tue, 3 Jan 2017 14:47:46 +0100
-Subject: [PATCH] fbcon: Fix vc attr at deinit
-Message-Id: <20170103150322.10350-1-tiwai@suse.de>
-Patch-mainline: Submitted, linux-fbdev ML
-References: bsc#1000619
-
-fbcon can deal with vc_hi_font_mask (the upper 256 chars) and adjust
-the vc attrs dynamically when vc_hi_font_mask is changed at
-fbcon_init(). When the vc_hi_font_mask is set, it remaps the attrs in
-the existing console buffer with one bit shift up (for 9 bits), while
-it remaps with one bit shift down (for 8 bits) when the value is
-cleared. It works fine as long as the font gets updated after fbcon
-was initialized.
-
-However, we hit a bizarre problem when the console is switched to
-another fb driver (typically from vesafb or efifb to drmfb). At
-switching to the new fb driver, we temporarily rebind the console to
-the dummy console, then rebind to the new driver. During the
-switching, we leave the modified attrs as is. Thus, the new fbcon
-takes over the old buffer as if it were to contain 8 bits chars
-(although the attrs are still shifted for 9 bits), and effectively
-this results in the yellow color texts instead of the original white
-color, as found in the bugzilla entry below.
-
-An easy fix for this is to re-adjust the attrs before leaving the
-fbcon at con_deinit callback. Since the code to adjust the attrs is
-already present in the current fbcon code, in this patch, we simply
-factor out the relevant code, and call it from fbcon_deinit().
-
-Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000619
-Signed-off-by: Takashi Iwai
----
- drivers/video/console/fbcon.c | 67 +++++++++++++++++++++++++-----------------
- 1 file changed, 40 insertions(+), 27 deletions(-)
-
---- a/drivers/video/console/fbcon.c
-+++ b/drivers/video/console/fbcon.c
-@@ -1165,6 +1165,8 @@ static void fbcon_free_font(struct displ
- p->userfont = 0;
- }
-
-+static void set_vc_hi_font(struct vc_data *vc, bool set);
-+
- static void fbcon_deinit(struct vc_data *vc)
- {
- struct display *p = &fb_display[vc->vc_num];
-@@ -1200,6 +1202,9 @@ finished:
- if (free_font)
- vc->vc_font.data = NULL;
-
-+ if (vc->vc_hi_font_mask)
-+ set_vc_hi_font(vc, false);
-+
- if (!con_is_bound(&fb_con))
- fbcon_exit();
-
-@@ -2436,32 +2441,10 @@ static int fbcon_get_font(struct vc_data
- return 0;
- }
-
--static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
-- const u8 * data, int userfont)
-+/* set/clear vc_hi_font_mask and update vc attrs accordingly */
-+static void set_vc_hi_font(struct vc_data *vc, bool set)
- {
-- struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
-- struct fbcon_ops *ops = info->fbcon_par;
-- struct display *p = &fb_display[vc->vc_num];
-- int resize;
-- int cnt;
-- char *old_data = NULL;
--
-- if (con_is_visible(vc) && softback_lines)
-- fbcon_set_origin(vc);
--
-- resize = (w != vc->vc_font.width) || (h != vc->vc_font.height);
-- if (p->userfont)
-- old_data = vc->vc_font.data;
-- if (userfont)
-- cnt = FNTCHARCNT(data);
-- else
-- cnt = 256;
-- vc->vc_font.data = (void *)(p->fontdata = data);
-- if ((p->userfont = userfont))
-- REFCOUNT(data)++;
-- vc->vc_font.width = w;
-- vc->vc_font.height = h;
-- if (vc->vc_hi_font_mask && cnt == 256) {
-+ if (!set) {
- vc->vc_hi_font_mask = 0;
- if (vc->vc_can_do_color) {
- vc->vc_complement_mask >>= 1;
-@@ -2484,7 +2467,7 @@ static int fbcon_do_set_font(struct vc_d
- ((c & 0xfe00) >> 1) | (c & 0xff);
- vc->vc_attr >>= 1;
- }
-- } else if (!vc->vc_hi_font_mask && cnt == 512) {
-+ } else {
- vc->vc_hi_font_mask = 0x100;
- if (vc->vc_can_do_color) {
- vc->vc_complement_mask <<= 1;
-@@ -2516,8 +2499,38 @@ static int fbcon_do_set_font(struct vc_d
- } else
- vc->vc_video_erase_char = c & ~0x100;
- }
--
- }
-+}
-+
-+static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
-+ const u8 * data, int userfont)
-+{
-+ struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
-+ struct fbcon_ops *ops = info->fbcon_par;
-+ struct display *p = &fb_display[vc->vc_num];
-+ int resize;
-+ int cnt;
-+ char *old_data = NULL;
-+
-+ if (con_is_visible(vc) && softback_lines)
-+ fbcon_set_origin(vc);
-+
-+ resize = (w != vc->vc_font.width) || (h != vc->vc_font.height);
-+ if (p->userfont)
-+ old_data = vc->vc_font.data;
-+ if (userfont)
-+ cnt = FNTCHARCNT(data);
-+ else
-+ cnt = 256;
-+ vc->vc_font.data = (void *)(p->fontdata = data);
-+ if ((p->userfont = userfont))
-+ REFCOUNT(data)++;
-+ vc->vc_font.width = w;
-+ vc->vc_font.height = h;
-+ if (vc->vc_hi_font_mask && cnt == 256)
-+ set_vc_hi_font(vc, false);
-+ else if (!vc->vc_hi_font_mask && cnt == 512)
-+ set_vc_hi_font(vc, true);
-
- if (resize) {
- int cols, rows;
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/crypto-algif_hash-avoid-zero-sized-array.patch new/patches.fixes/crypto-algif_hash-avoid-zero-sized-array.patch
--- old/patches.fixes/crypto-algif_hash-avoid-zero-sized-array.patch 2017-03-22 14:15:00.000000000 +0100
+++ new/patches.fixes/crypto-algif_hash-avoid-zero-sized-array.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,66 +0,0 @@
-From: Jiri Slaby
-Date: Thu, 15 Dec 2016 14:31:01 +0100
-Subject: crypto: algif_hash - avoid zero-sized array
-Git-commit: 6207119444595d287b1e9e83a2066c17209698f3
-Patch-mainline: 4.11-rc1
-References: bnc#1007962
-
-With this reproducer:
- struct sockaddr_alg alg = {
- .salg_family = 0x26,
- .salg_type = "hash",
- .salg_feat = 0xf,
- .salg_mask = 0x5,
- .salg_name = "digest_null",
- };
- int sock, sock2;
-
- sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
- bind(sock, (struct sockaddr *)&alg, sizeof(alg));
- sock2 = accept(sock, NULL, NULL);
- setsockopt(sock, SOL_ALG, ALG_SET_KEY, "\x9b\xca", 2);
- accept(sock2, NULL, NULL);
-
-==== 8< ======== 8< ======== 8< ======== 8< ====
-
-one can immediatelly see an UBSAN warning:
-UBSAN: Undefined behaviour in crypto/algif_hash.c:187:7
-variable length array bound value 0 <= 0
-CPU: 0 PID: 15949 Comm: syz-executor Tainted: G E 4.4.30-0-default #1
-...
-Call Trace:
-...
- [<ffffffff81d598fd>] ? __ubsan_handle_vla_bound_not_positive+0x13d/0x188
- [<ffffffff81d597c0>] ? __ubsan_handle_out_of_bounds+0x1bc/0x1bc
- [<ffffffffa0e2204d>] ? hash_accept+0x5bd/0x7d0 [algif_hash]
- [<ffffffffa0e2293f>] ? hash_accept_nokey+0x3f/0x51 [algif_hash]
- [<ffffffffa0e206b0>] ? hash_accept_parent_nokey+0x4a0/0x4a0 [algif_hash]
- [<ffffffff8235c42b>] ? SyS_accept+0x2b/0x40
-
-It is a correct warning, as hash state is propagated to accept as zero,
-but creating a zero-length variable array is not allowed in C.
-
-Fix this as proposed by Herbert -- do "?: 1" on that site. No sizeof or
-similar happens in the code there, so we just allocate one byte even
-though we do not use the array.
-
-Signed-off-by: Jiri Slaby
-Cc: Herbert Xu
-Cc: "David S. Miller" (maintainer:CRYPTO API)
-Reported-by: Sasha Levin
-Signed-off-by: Herbert Xu
----
- crypto/algif_hash.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/crypto/algif_hash.c
-+++ b/crypto/algif_hash.c
-@@ -245,7 +245,7 @@ static int hash_accept(struct socket *so
- struct alg_sock *ask = alg_sk(sk);
- struct hash_ctx *ctx = ask->private;
- struct ahash_request *req = &ctx->req;
-- char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req))];
-+ char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req)) ? : 1];
- struct sock *sk2;
- struct alg_sock *ask2;
- struct hash_ctx *ctx2;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/net-packet-fix-overflow-in-check-for-priv-area-size.patch new/patches.fixes/net-packet-fix-overflow-in-check-for-priv-area-size.patch
--- old/patches.fixes/net-packet-fix-overflow-in-check-for-priv-area-size.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/net-packet-fix-overflow-in-check-for-priv-area-size.patch 2017-03-31 19:14:49.000000000 +0200
@@ -0,0 +1,44 @@
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: net/packet: fix overflow in check for priv area size
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Git-commit: 2b6867c2ce76c596676bec7d2d525af525fdc6e2
+References: CVE-2017-7308 bsc#1031579
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c59fcc79ba32..5c919933a39b 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4177,8 +4177,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
+ if (po->tp_version >= TPACKET_V3 &&
+- (int)(req->tp_block_size -
+- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++ req->tp_block_size <=
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ goto out;
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ po->tp_reserve))
+--
+2.12.2
+
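Review bot: The new test `req->tp_block_size <= BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)` only avoids the wrap if every step inside BLK_PLUS_PRIV keeps the 64-bit width. The macro body is not in this hunk, so confirm that its alignment arithmetic does not truncate back to 32 bits. A short comment above the test would record the reasoning, e.g. `/* both operands are unsigned; widen tp_sizeof_priv so BLK_PLUS_PRIV cannot wrap at 32 bits */`. Any later use of tp_sizeof_priv without the cast presumably relies on this check having bounded the value first, but packet_set_ring() starts and ends outside the hunk, so that should be checked against the full function.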
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch new/patches.fixes/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
--- old/patches.fixes/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch 2017-03-31 19:14:49.000000000 +0200
@@ -0,0 +1,41 @@
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: net/packet: fix overflow in check for tp_frame_nr
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Git-commit: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
+References: CVE-2017-7308 bsc#1031579
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 5c919933a39b..624d188bf705 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4189,6 +4189,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+ if (unlikely(rb->frames_per_block == 0))
+ goto out;
++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++ goto out;
+ if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ req->tp_frame_nr))
+ goto out;
+--
+2.12.2
+
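Review bot: The added guard `req->tp_block_size > UINT_MAX / req->tp_block_nr` divides by a field taken from the caller's request, so it is only safe where tp_block_nr is already known to be non-zero. The hunk does not show that precondition; presumably an enclosing non-zero check on tp_block_nr sits above the visible lines, but packet_set_ring() starts and ends outside the hunk. A one-line comment would make the dependency explicit: `/* tp_block_nr != 0 here; bounding tp_block_size * tp_block_nr keeps frames_per_block * tp_block_nr from wrapping */`.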
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/net-packet-fix-overflow-in-check-for-tp_reserve.patch new/patches.fixes/net-packet-fix-overflow-in-check-for-tp_reserve.patch
--- old/patches.fixes/net-packet-fix-overflow-in-check-for-tp_reserve.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/net-packet-fix-overflow-in-check-for-tp_reserve.patch 2017-03-31 19:14:49.000000000 +0200
@@ -0,0 +1,37 @@
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: net/packet: fix overflow in check for tp_reserve
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Git-commit: bcc5364bdcfe131e6379363f089e7b4108d35b70
+References: CVE-2017-7308 bsc#1031579
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 624d188bf705..0f074c96f43f 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3644,6 +3644,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
++ if (val > INT_MAX)
++ return -EINVAL;
+ po->tp_reserve = val;
+ return 0;
+ }
+--
+2.12.2
+
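Review bot: `if (val > INT_MAX)` can reject a value only when `val` has an unsigned type. Its declaration is outside the hunk, and with a signed int the test would always be false, leaving the overflow in `po->tp_hdrlen + po->tp_reserve` in place. A comment stating the intent would help, e.g. `/* val is unsigned; keep tp_hdrlen + tp_reserve within int range */`. Separately, no lock is visible around the `-EBUSY` ring check and the `po->tp_reserve = val` assignment, so confirm against the full packet_setsockopt() whether a concurrent packet_set_ring() can run between them.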
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ping-implement-proper-locking.patch new/patches.fixes/ping-implement-proper-locking.patch
--- old/patches.fixes/ping-implement-proper-locking.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ping-implement-proper-locking.patch 2017-03-31 19:14:49.000000000 +0200
@@ -0,0 +1,58 @@
+From: Eric Dumazet
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: ping: implement proper locking
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Git-commit: 43a6684519ab0a6c52024b5e25322476cabad893
+References: bsc#1031003
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet
+Reported-by: Daniel Jiang
+Reported-by: Solar Designer
+Reported-by: Andrey Konovalov
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 68d77b1f1495..51e2f3c5e954 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ struct inet_sock *isk = inet_sk(sk);
++
+ pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++ write_lock_bh(&ping_table.lock);
+ if (sk_hashed(sk)) {
+- write_lock_bh(&ping_table.lock);
+ hlist_nulls_del(&sk->sk_nulls_node);
+ sk_nulls_node_init(&sk->sk_nulls_node);
+ sock_put(sk);
+ isk->inet_num = 0;
+ isk->inet_sport = 0;
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+- write_unlock_bh(&ping_table.lock);
+ }
++ write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+
+--
+2.12.2
+
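Review bot: Nothing in ping_unhash() records why `write_lock_bh(&ping_table.lock)` now precedes the `sk_hashed(sk)` test, so a later cleanup could easily move the lock back inside the `if`. Per the patch description, ->disconnect() reaches this function without the socket lock held, so the test and the unhash have to happen under one hold of the table lock. A comment above the lock call would preserve that, e.g. `/* ->disconnect() runs without the socket lock: test and unhash under ping_table.lock */`. The table write lock is now also taken for sockets that are not hashed, which seems acceptable but is worth stating in the same comment.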
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/tcp-fix-SCM_TIMESTAMPING_OPT_STATS-for-normal-skbs.patch new/patches.fixes/tcp-fix-SCM_TIMESTAMPING_OPT_STATS-for-normal-skbs.patch
--- old/patches.fixes/tcp-fix-SCM_TIMESTAMPING_OPT_STATS-for-normal-skbs.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/tcp-fix-SCM_TIMESTAMPING_OPT_STATS-for-normal-skbs.patch 2017-03-31 19:14:49.000000000 +0200
@@ -0,0 +1,99 @@
+From: Soheil Hassas Yeganeh
+Date: Sat, 18 Mar 2017 17:02:59 -0400
+Subject: tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs
+Patch-mainline: v4.11-rc4
+Git-commit: 8605330aac5a5785630aec8f64378a54891937cc
+References: CVE-2017-7277 bsc#1031265
+
+__sock_recv_timestamp can be called for both normal skbs (for
+receive timestamps) and for skbs on the error queue (for transmit
+timestamps).
+
+Commit 1c885808e456
+(tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING)
+assumes any skb passed to __sock_recv_timestamp are from
+the error queue, containing OPT_STATS in the content of the skb.
+This results in accessing invalid memory or generating junk
+data.
+
+To fix this, set skb->pkt_type to PACKET_OUTGOING for packets
+on the error queue. This is safe because on the receive path
+on local sockets skb->pkt_type is never set to PACKET_OUTGOING.
+With that, copy OPT_STATS from a packet, only if its pkt_type
+is PACKET_OUTGOING.
+
+Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
+Reported-by: JongHwan Kim
+Signed-off-by: Soheil Hassas Yeganeh
+Signed-off-by: Eric Dumazet
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/core/skbuff.c | 10 ++++++++++
+ net/socket.c | 13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index aa3a13378c90..f21a29efdfc9 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3690,6 +3690,15 @@ static void sock_rmem_free(struct sk_buff *skb)
+ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ }
+
++static void skb_set_err_queue(struct sk_buff *skb)
++{
++ /* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
++ * So, it is safe to (mis)use it to mark skbs on the error queue.
++ */
++ skb->pkt_type = PACKET_OUTGOING;
++ BUILD_BUG_ON(PACKET_OUTGOING == 0);
++}
++
+ /*
+ * Note: We dont mem charge error packets (no sk_forward_alloc changes)
+ */
+@@ -3703,6 +3712,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+ skb->sk = sk;
+ skb->destructor = sock_rmem_free;
+ atomic_add(skb->truesize, &sk->sk_rmem_alloc);
++ skb_set_err_queue(skb);
+
+ /* before exiting rcu section, make sure dst is refcounted */
+ skb_dst_force(skb);
+diff --git a/net/socket.c b/net/socket.c
+index 02bd9249e295..bfdb35898e4c 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -654,6 +654,16 @@ int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
+ }
+ EXPORT_SYMBOL(kernel_sendmsg);
+
++static bool skb_is_err_queue(const struct sk_buff *skb)
++{
++ /* pkt_type of skbs enqueued on the error queue are set to
++ * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
++ * in recvmsg, since skbs received on a local socket will never
++ * have a pkt_type of PACKET_OUTGOING.
++ */
++ return skb->pkt_type == PACKET_OUTGOING;
++}
++
+ /*
+ * called from sock_recv_timestamp() if sock_flag(sk, SOCK_RCVTSTAMP)
+ */
+@@ -697,7 +707,8 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ put_cmsg(msg, SOL_SOCKET,
+ SCM_TIMESTAMPING, sizeof(tss), &tss);
+
+- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
++ if (skb_is_err_queue(skb) && skb->len &&
++ (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
+ put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
+ skb->len, skb->data);
+ }
+--
+2.12.2
+
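Review bot: skb_is_err_queue() in net/socket.c treats any skb with `pkt_type == PACKET_OUTGOING` as an error-queue skb, and the invariant that makes this safe is stated only in comments. __sock_recv_timestamp() is generic socket code, and packet-capture style sockets can, as far as I know, see frames marked PACKET_OUTGOING on their normal receive path. It is worth confirming that such sockets cannot reach the `put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS, skb->len, skb->data)` call with SOF_TIMESTAMPING_OPT_STATS set. As a style point, in skb_set_err_queue() the `BUILD_BUG_ON(PACKET_OUTGOING == 0);` line would read better before the assignment it justifies.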
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch new/patches.fixes/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
--- old/patches.fixes/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch 2017-03-31 19:14:49.000000000 +0200
@@ -0,0 +1,125 @@
+From: Soheil Hassas Yeganeh
+Date: Sat, 18 Mar 2017 17:03:00 -0400
+Subject: tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS
+Patch-mainline: v4.11-rc4
+Git-commit: 4ef1b2869447411ad3ef91ad7d4891a83c1a509a
+References: CVE-2017-7277 bsc#1031265
+
+SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled
+while packets are collected on the error queue.
+So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags
+is not enough to safely assume that the skb contains
+OPT_STATS data.
+
+Add a bit in sock_exterr_skb to indicate whether the
+skb contains opt_stats data.
+
+Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
+Reported-by: JongHwan Kim
+Signed-off-by: Soheil Hassas Yeganeh
+Signed-off-by: Eric Dumazet
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ include/linux/errqueue.h | 2 ++
+ net/core/skbuff.c | 17 +++++++++++------
+ net/socket.c | 2 +-
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h
+index 9ca23fcfb5d7..6fdfc884fdeb 100644
+--- a/include/linux/errqueue.h
++++ b/include/linux/errqueue.h
+@@ -20,6 +20,8 @@ struct sock_exterr_skb {
+ struct sock_extended_err ee;
+ u16 addr_offset;
+ __be16 port;
++ u8 opt_stats:1,
++ unused:7;
+ };
+
+ #endif
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index f21a29efdfc9..941b8c76739d 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3789,16 +3789,20 @@ EXPORT_SYMBOL(skb_clone_sk);
+
+ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
+ struct sock *sk,
+- int tstype)
++ int tstype,
++ bool opt_stats)
+ {
+ struct sock_exterr_skb *serr;
+ int err;
+
++ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
++
+ serr = SKB_EXT_ERR(skb);
+ memset(serr, 0, sizeof(*serr));
+ serr->ee.ee_errno = ENOMSG;
+ serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
+ serr->ee.ee_info = tstype;
++ serr->opt_stats = opt_stats;
+ if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
+ serr->ee.ee_data = skb_shinfo(skb)->tskey;
+ if (sk->sk_protocol == IPPROTO_TCP &&
+@@ -3839,7 +3843,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
+ */
+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
+ *skb_hwtstamps(skb) = *hwtstamps;
+- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
++ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
+ sock_put(sk);
+ }
+ }
+@@ -3850,7 +3854,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ struct sock *sk, int tstype)
+ {
+ struct sk_buff *skb;
+- bool tsonly;
++ bool tsonly, opt_stats = false;
+
+ if (!sk)
+ return;
+@@ -3863,9 +3867,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ #ifdef CONFIG_INET
+ if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
+ sk->sk_protocol == IPPROTO_TCP &&
+- sk->sk_type == SOCK_STREAM)
++ sk->sk_type == SOCK_STREAM) {
+ skb = tcp_get_timestamping_opt_stats(sk);
+- else
++ opt_stats = true;
++ } else
+ #endif
+ skb = alloc_skb(0, GFP_ATOMIC);
+ } else {
+@@ -3884,7 +3889,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ else
+ skb->tstamp = ktime_get_real();
+
+- __skb_complete_tx_timestamp(skb, sk, tstype);
++ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
+ }
+ EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
+
+diff --git a/net/socket.c b/net/socket.c
+index bfdb35898e4c..6361d3161120 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -708,7 +708,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ SCM_TIMESTAMPING, sizeof(tss), &tss);
+
+ if (skb_is_err_queue(skb) && skb->len &&
+- (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
++ SKB_EXT_ERR(skb)->opt_stats)
+ put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
+ skb->len, skb->data);
+ }
+--
+2.12.2
+
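Review bot: In the net/socket.c hunk of this added patch, `SKB_EXT_ERR(skb)->opt_stats` reads the skb control buffer as a `struct sock_exterr_skb`, which is only meaningful for skbs taken from the error queue; the read is safe solely because `skb_is_err_queue(skb)` sits to its left in the `&&` chain, and nothing in the code says so. A comment above the condition would keep a later reorder from reintroducing the problem tracked as CVE-2017-7277, e.g. `/* cb is a sock_exterr_skb only for error-queue skbs; keep skb_is_err_queue() first */`. The new `opt_stats` bit in include/linux/errqueue.h would likewise benefit from a one-line comment stating that it marks skb->data as an OPT_STATS payload that put_cmsg() copies to user space. `__sock_recv_timestamp` starts and ends outside the hunk.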
++++++ patches.kernel.org.tar.bz2 ++++++
++++ 6800 lines of diff (skipped)
++++++ patches.rpmify.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.rpmify/drm-i915-disable-KASAN-for-handlers.patch new/patches.rpmify/drm-i915-disable-KASAN-for-handlers.patch
--- old/patches.rpmify/drm-i915-disable-KASAN-for-handlers.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.rpmify/drm-i915-disable-KASAN-for-handlers.patch 2017-03-30 11:49:42.000000000 +0200
@@ -0,0 +1,40 @@
+From: Jiri Slaby
+Date: Thu, 30 Mar 2017 10:52:48 +0200
+Subject: drm/i915: disable KASAN for handlers
+Patch-mainline: submitted, https://lkml.kernel.org/r/<20170330094627.29460-1-jslaby@suse.cz>
+References: bnc#1025903
+
+Handlers are currently the only blocker to compile the kernel with gcc 7
+and KASAN+use-after-scope enabled:
+drivers/gpu/drm/i915/gvt/handlers.c:2200:1: error: the frame size of 43760 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
+drivers/gpu/drm/i915/gvt/handlers.c:2402:1: error: the frame size of 9400 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
+drivers/gpu/drm/i915/gvt/handlers.c:2628:1: error: the frame size of 11256 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
+
+It is due to many expansions of MMIO_* macros in init_generic_mmio_info.
+INTEL_GVT_MMIO_OFFSET generates for each such line a __reg and an
+offset. There are too many for KASAN to keep up.
+
+So disable KASAN for this file.
+
+Signed-off-by: Jiri Slaby
+Cc: Martin Liska
+Cc: Zhenyu Wang
+Cc: Zhi Wang
+Cc: Daniel Vetter
+Cc: Jani Nikula
+Cc: David Airlie
+Cc: intel-gvt-dev@lists.freedesktop.org
+Cc: intel-gfx@lists.freedesktop.org
+Cc: dri-devel@lists.freedesktop.org
+---
+ drivers/gpu/drm/i915/gvt/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/i915/gvt/Makefile
++++ b/drivers/gpu/drm/i915/gvt/Makefile
+@@ -6,3 +6,5 @@ GVT_SOURCE := gvt.o aperture_gm.o handle
+ ccflags-y += -I$(src) -I$(src)/$(GVT_DIR) -Wall
+ i915-y += $(addprefix $(GVT_DIR)/, $(GVT_SOURCE))
+ obj-$(CONFIG_DRM_I915_GVT_KVMGT) += $(GVT_DIR)/kvmgt.o
++
++KASAN_SANITIZE_handlers.o := n
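Review bot: The added `KASAN_SANITIZE_handlers.o := n` carries no comment in the Makefile, so the reason for excluding this one object is recoverable only from the patch description. It also turns KASAN off for every function in handlers.c and for every compiler, while the description attributes the frame-size errors to gcc 7 with use-after-scope and to the macro expansions in init_generic_mmio_info; the other code in that file loses instrumentation in KASAN builds as a side effect. I would put the rationale next to the line, e.g. `# gcc 7 KASAN use-after-scope: init_generic_mmio_info frames exceed -Wframe-larger-than (bnc#1025903)`, and state there that the exclusion should be dropped once the frame size is fixed.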
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.rpmify/give-up-on-gcc-ilog2-constant-optimizations.patch new/patches.rpmify/give-up-on-gcc-ilog2-constant-optimizations.patch
--- old/patches.rpmify/give-up-on-gcc-ilog2-constant-optimizations.patch 2017-03-20 11:31:28.000000000 +0100
+++ new/patches.rpmify/give-up-on-gcc-ilog2-constant-optimizations.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,123 +0,0 @@
-From: Linus Torvalds
-Date: Thu, 2 Mar 2017 12:17:22 -0800
-Subject: give up on gcc ilog2() constant optimizations
-Git-commit: 474c90156c8dcc2fa815e6716cc9394d7930cb9c
-Patch-mainline: v4.11-rc1
-References: bnc#1025903
-
-gcc-7 has an "optimization" pass that completely screws up, and
-generates the code expansion for the (impossible) case of calling
-ilog2() with a zero constant, even when the code gcc compiles does not
-actually have a zero constant.
-
-And we try to generate a compile-time error for anybody doing ilog2() on
-a constant where that doesn't make sense (be it zero or negative). So
-now gcc7 will fail the build due to our sanity checking, because it
-created that constant-zero case that didn't actually exist in the source
-code.
-
-There's a whole long discussion on the kernel mailing about how to work
-around this gcc bug. The gcc people themselevs have discussed their
-"feature" in
-
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
-
-but it's all water under the bridge, because while it looked at one
-point like it would be solved by the time gcc7 was released, that was
-not to be.
-
-So now we have to deal with this compiler braindamage.
-
-And the only simple approach seems to be to just delete the code that
-tries to warn about bad uses of ilog2().
-
-So now "ilog2()" will just return 0 not just for the value 1, but for
-any non-positive value too.
-
-It's not like I can recall anybody having ever actually tried to use
-this function on any invalid value, but maybe the sanity check just
-meant that such code never made it out in public.
-
-Reported-by: Laura Abbott
-Cc: John Stultz ,
-Cc: Thomas Gleixner
-Cc: Ard Biesheuvel
-Signed-off-by: Linus Torvalds
-Signed-off-by: Jiri Slaby
----
- include/linux/log2.h | 13 ++-----------
- tools/include/linux/log2.h | 13 ++-----------
- 2 files changed, 4 insertions(+), 22 deletions(-)
-
---- a/include/linux/log2.h
-+++ b/include/linux/log2.h
-@@ -16,12 +16,6 @@
- #include
-
- /*
-- * deal with unrepresentable constant logarithms
-- */
--extern __attribute__((const, noreturn))
--int ____ilog2_NaN(void);
--
--/*
- * non-constant log of base 2 calculators
- * - the arch may override these in asm/bitops.h if they can be implemented
- * more efficiently than using fls() and fls64()
-@@ -85,7 +79,7 @@ unsigned long __rounddown_pow_of_two(uns
- #define ilog2(n) \
- ( \
- __builtin_constant_p(n) ? ( \
-- (n) < 1 ? ____ilog2_NaN() : \
-+ (n) < 2 ? 0 : \
- (n) & (1ULL << 63) ? 63 : \
- (n) & (1ULL << 62) ? 62 : \
- (n) & (1ULL << 61) ? 61 : \
-@@ -148,10 +142,7 @@ unsigned long __rounddown_pow_of_two(uns
- (n) & (1ULL << 4) ? 4 : \
- (n) & (1ULL << 3) ? 3 : \
- (n) & (1ULL << 2) ? 2 : \
-- (n) & (1ULL << 1) ? 1 : \
-- (n) & (1ULL << 0) ? 0 : \
-- ____ilog2_NaN() \
-- ) : \
-+ 1 ) : \
- (sizeof(n) <= 4) ? \
- __ilog2_u32(n) : \
- __ilog2_u64(n) \
---- a/tools/include/linux/log2.h
-+++ b/tools/include/linux/log2.h
-@@ -13,12 +13,6 @@
- #define _TOOLS_LINUX_LOG2_H
-
- /*
-- * deal with unrepresentable constant logarithms
-- */
--extern __attribute__((const, noreturn))
--int ____ilog2_NaN(void);
--
--/*
- * non-constant log of base 2 calculators
- * - the arch may override these in asm/bitops.h if they can be implemented
- * more efficiently than using fls() and fls64()
-@@ -78,7 +72,7 @@ unsigned long __rounddown_pow_of_two(uns
- #define ilog2(n) \
- ( \
- __builtin_constant_p(n) ? ( \
-- (n) < 1 ? ____ilog2_NaN() : \
-+ (n) < 2 ? 0 : \
- (n) & (1ULL << 63) ? 63 : \
- (n) & (1ULL << 62) ? 62 : \
- (n) & (1ULL << 61) ? 61 : \
-@@ -141,10 +135,7 @@ unsigned long __rounddown_pow_of_two(uns
- (n) & (1ULL << 4) ? 4 : \
- (n) & (1ULL << 3) ? 3 : \
- (n) & (1ULL << 2) ? 2 : \
-- (n) & (1ULL << 1) ? 1 : \
-- (n) & (1ULL << 0) ? 0 : \
-- ____ilog2_NaN() \
-- ) : \
-+ 1 ) : \
- (sizeof(n) <= 4) ? \
- __ilog2_u32(n) : \
- __ilog2_u64(n) \
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:01.440394304 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:01.440394304 +0200
@@ -32,13 +32,15 @@
patches.kernel.org/patch-4.10.2-3
patches.kernel.org/patch-4.10.3-4
patches.kernel.org/patch-4.10.4-5
+ patches.kernel.org/patch-4.10.5-6
+ patches.kernel.org/patch-4.10.6-7
+ patches.kernel.org/patch-4.10.7-8
########################################################
# Build fixes that apply to the vanilla kernel too.
# Patches in patches.rpmify are applied to both -vanilla
# and patched flavors.
########################################################
- patches.rpmify/give-up-on-gcc-ilog2-constant-optimizations.patch
########################################################
# kABI consistency patches
@@ -56,6 +58,7 @@
patches.rpmify/firmware-path
patches.rpmify/cloneconfig.diff
patches.rpmify/get_builtin_firmware-gcc-7.patch
+ patches.rpmify/drm-i915-disable-KASAN-for-handlers.patch
########################################################
# kbuild/module infrastructure fixes
@@ -184,7 +187,6 @@
########################################################
patches.suse/connector-read-mostly
patches.suse/kbd-ignore-gfx.patch
- patches.fixes/crypto-algif_hash-avoid-zero-sized-array.patch
########################################################
#
@@ -215,6 +217,12 @@
# Networking, IPv6
########################################################
patches.fixes/openvswitch-Set-internal-device-max-mtu-to-ETH_MAX_M.patch
+ patches.fixes/ping-implement-proper-locking.patch
+ patches.fixes/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+ patches.fixes/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+ patches.fixes/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+ patches.fixes/tcp-fix-SCM_TIMESTAMPING_OPT_STATS-for-normal-skbs.patch
+ patches.fixes/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
########################################################
# Netfilter
@@ -321,7 +329,6 @@
# DRM/Video
########################################################
patches.fixes/drm-i915-Fix-S4-resume-breakage
- patches.drivers/drm-reference-count-event-completion
########################################################
# video4linux
@@ -375,7 +382,6 @@
########################################################
# Char / serial
########################################################
- patches.drivers/fbcon-Fix-vc-attr-at-deinit
########################################################
# Other driver fixes
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.NjYCQA/_old 2017-04-03 11:05:01.480388653 +0200
+++ /var/tmp/diff_new_pack.NjYCQA/_new 2017-04-03 11:05:01.484388088 +0200
@@ -1,3 +1,3 @@
-2017-03-22 14:15:00 +0100
-GIT Revision: f3fbfc6e0759d457c1c47e1ac5a962624a67e66d
+2017-03-31 19:16:00 +0200
+GIT Revision: ea9dcd468d472551aa10e99534387143f44aa33f
GIT Branch: stable