Merge changes from sid up to 3.13.7-1
svn path=/dists/trunk/linux/; revision=21193
commit
057e9d9557
|
@ -35,6 +35,70 @@ linux (3.14~rc5-1~exp1) experimental; urgency=medium
|
|||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 07 Mar 2014 03:36:35 +0000
|
||||
|
||||
linux (3.13.7-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.7
|
||||
- mm: page_alloc: exempt GFP_THISNODE allocations from zone fairness
|
||||
(regression in 3.12)
|
||||
- mm: include VM_MIXEDMAP flag in the VM_SPECIAL list to avoid m(un)locking
|
||||
(regression in 3.12)
|
||||
- ocfs2: fix quota file corruption
|
||||
- ocfs2 syncs the wrong range...
|
||||
- memcg: fix endless loop in __mem_cgroup_iter_next()
|
||||
(regression in 3.13.3)
|
||||
- net-tcp: fastopen: fix high order allocations
|
||||
- ipv6: reuse ip6_frag_id from ip6_ufo_append_data
|
||||
- ipv4: ipv6: better estimate tunnel header cut for correct ufo handling
|
||||
- ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL
|
||||
pointer
|
||||
- mac80211: clear sequence/fragment number in QoS-null frames
|
||||
- ath9k: Fix ETSI compliance for AR9462 2.0
|
||||
- ath9k: protect tid->sched check
|
||||
- cpuset: fix a locking issue in cpuset_migrate_mm()
|
||||
- cpuset: fix a race condition in __cpuset_node_allowed_softwall()
|
||||
- firewire: net: fix use after free
|
||||
- firewire: don't use PREPARE_DELAYED_WORK
|
||||
- libata: disable queued TRIM for Crucial M500 mSATA SSDs
|
||||
- libata: use wider match for blacklisting Crucial M500
|
||||
- NFSv4: Fix another nfs4_sequence corruptor (Closes: #734268)
|
||||
- cpufreq: use cpufreq_cpu_get() to avoid cpufreq_get() race conditions
|
||||
- cpufreq: Skip current frequency initialization for ->setpolicy drivers
|
||||
(regression in 3.13)
|
||||
- iscsi/iser-target: Use list_del_init for ->i_conn_node
|
||||
- iser-target: Ignore completions for FRWRs in isert_cq_tx_work
|
||||
- iser-target: Fix post_send_buf_count for RDMA READ/WRITE
|
||||
- mm/readahead.c: fix do_readahead() for no readpage(s)
|
||||
(regression in 3.13)
|
||||
- fs/proc/base.c: fix GPF in /proc/$PID/map_files
|
||||
- drm/i915: fix pch pci device enumeration (regression in 3.11)
|
||||
- drm/i915: Reject >165MHz modes w/ DVI monitors (regression in 3.11)
|
||||
- drm/radeon: fix runpm disabling on non-PX harder
|
||||
(may fix #741619, #742507)
|
||||
- PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled
|
||||
(fixes regression in 3.13.6)
|
||||
- [x86] vmxnet3: fix netpoll race condition
|
||||
- mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block
|
||||
- dm space map metadata: fix refcount decrement below 0 which caused
|
||||
corruption
|
||||
- dm cache: fix truncation bug when copying a block to/from >2TB fast
|
||||
device
|
||||
- net: unix socket code abuses csum_partial
|
||||
- SCSI: qla2xxx: Fix multiqueue MSI-X registration.
|
||||
- [x86] fpu: Check tsk_used_math() in kernel_fpu_end() for eager FPU
|
||||
- Btrfs: fix tree mod logging
|
||||
- Btrfs: fix data corruption when reading/updating compressed extents
|
||||
- intel_pstate: Add setting voltage value for baytrail P states.
|
||||
- Fix mountpoint reference leakage in linkat
|
||||
- bio-integrity: Fix bio_integrity_verify segment start bug
|
||||
- memcg: reparent charges of children before processing parent
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [arm] mm: Avoid ABI change in 3.13.6 (fixes FTBFS)
|
||||
* nfqueue: Orphan frags in nfqnl_zcopy() and handle errors (CVE-2014-2568)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 25 Mar 2014 17:23:31 +0000
|
||||
|
||||
linux (3.13.6-1) unstable; urgency=high
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
@ -0,0 +1,105 @@
|
|||
Subject: [v4] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors
|
||||
From: Zoltan Kiss <zoltan.kiss@citrix.com>
|
||||
Date: Fri, 21 Mar 2014 10:31:34 +0000
|
||||
Origin: https://patchwork.ozlabs.org/patch/332544/
|
||||
|
||||
skb_zerocopy can copy elements of the frags array between skbs, but it doesn't
|
||||
orphan them. Also, it doesn't handle errors, so this patch takes care of that
|
||||
as well, and modify the callers accordingly. skb_tx_error() is also added to
|
||||
the callers so they will signal the failed delivery towards the creator of the
|
||||
skb.
|
||||
|
||||
Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
|
||||
Acked-by: Thomas Graf <tgraf@redhat.com>
|
||||
[bwh: skb_zerocopy() is new in 3.14, but was moved from a static function
|
||||
in nfnetlink_queue. We need to patch that and its caller, but not
|
||||
openvswitch.]
|
||||
---
|
||||
--- a/net/netfilter/nfnetlink_queue_core.c
|
||||
+++ b/net/netfilter/nfnetlink_queue_core.c
|
||||
@@ -235,22 +235,23 @@ nfqnl_flush(struct nfqnl_instance *queue
|
||||
spin_unlock_bh(&queue->lock);
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
nfqnl_zcopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
|
||||
{
|
||||
int i, j = 0;
|
||||
int plen = 0; /* length of skb->head fragment */
|
||||
+ int ret;
|
||||
struct page *page;
|
||||
unsigned int offset;
|
||||
|
||||
/* dont bother with small payloads */
|
||||
- if (len <= skb_tailroom(to)) {
|
||||
- skb_copy_bits(from, 0, skb_put(to, len), len);
|
||||
- return;
|
||||
- }
|
||||
+ if (len <= skb_tailroom(to))
|
||||
+ return skb_copy_bits(from, 0, skb_put(to, len), len);
|
||||
|
||||
if (hlen) {
|
||||
- skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
|
||||
+ ret = skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
|
||||
+ if (unlikely(ret))
|
||||
+ return ret;
|
||||
len -= hlen;
|
||||
} else {
|
||||
plen = min_t(int, skb_headlen(from), len);
|
||||
@@ -268,6 +269,11 @@ nfqnl_zcopy(struct sk_buff *to, const st
|
||||
to->len += len + plen;
|
||||
to->data_len += len + plen;
|
||||
|
||||
+ if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
|
||||
+ skb_tx_error(from);
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
|
||||
if (!len)
|
||||
break;
|
||||
@@ -278,6 +284,8 @@ nfqnl_zcopy(struct sk_buff *to, const st
|
||||
j++;
|
||||
}
|
||||
skb_shinfo(to)->nr_frags = j;
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -374,13 +382,16 @@ nfqnl_build_packet_message(struct net *n
|
||||
|
||||
skb = nfnetlink_alloc_skb(net, size, queue->peer_portid,
|
||||
GFP_ATOMIC);
|
||||
- if (!skb)
|
||||
+ if (!skb) {
|
||||
+ skb_tx_error(entskb);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
nlh = nlmsg_put(skb, 0, 0,
|
||||
NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
|
||||
sizeof(struct nfgenmsg), 0);
|
||||
if (!nlh) {
|
||||
+ skb_tx_error(entskb);
|
||||
kfree_skb(skb);
|
||||
return NULL;
|
||||
}
|
||||
@@ -504,13 +515,15 @@ nfqnl_build_packet_message(struct net *n
|
||||
nla->nla_type = NFQA_PAYLOAD;
|
||||
nla->nla_len = nla_attr_size(data_len);
|
||||
|
||||
- nfqnl_zcopy(skb, entskb, data_len, hlen);
|
||||
+ if (nfqnl_zcopy(skb, entskb, data_len, hlen))
|
||||
+ goto nla_put_failure;
|
||||
}
|
||||
|
||||
nlh->nlmsg_len = skb->len;
|
||||
return skb;
|
||||
|
||||
nla_put_failure:
|
||||
+ skb_tx_error(entskb);
|
||||
kfree_skb(skb);
|
||||
net_err_ratelimited("nf_queue: error creating packet message\n");
|
||||
return NULL;
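Review bot: `nfqnl_zcopy()` still declares `from` as `const struct sk_buff *` (the signature line is unchanged context), yet the added code passes it to `skb_orphan_frags()` and `skb_tx_error()`, which modify the skb; as far as I know both take a non-const `struct sk_buff *`, so this should at least produce a discarded-qualifier warning. The signature should drop the qualifier so the contract matches what the function now does: `nfqnl_zcopy(struct sk_buff *to, struct sk_buff *from, int len, int hlen)`. On the orphan-failure path `skb_tx_error(from)` runs inside `nfqnl_zcopy()` and then again at `nla_put_failure:` on the same skb; this looks harmless but redundant, and a one-line comment at the label saying it signals the failed delivery for every error exit would make that intent clear. The bodies of both functions continue outside the hunks shown.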
|
|
@ -71,3 +71,4 @@ features/all/x86-memtest-WARN-if-bad-RAM-found.patch
|
|||
features/all/efi-autoload-efivars.patch
|
||||
features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
||||
bugfix/arm/bfa-Replace-large-udelay-with-mdelay.patch
|
||||
bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
|
||||
|
|