Merge changes from sid up to 3.13.7-1
svn path=/dists/trunk/linux/; revision=21193
This commit is contained in:
commit
057e9d9557
|
@ -35,6 +35,70 @@ linux (3.14~rc5-1~exp1) experimental; urgency=medium
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 07 Mar 2014 03:36:35 +0000
|
-- Ben Hutchings <ben@decadent.org.uk> Fri, 07 Mar 2014 03:36:35 +0000
|
||||||
|
|
||||||
|
linux (3.13.7-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New upstream stable update:
|
||||||
|
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.7
|
||||||
|
- mm: page_alloc: exempt GFP_THISNODE allocations from zone fairness
|
||||||
|
(regression in 3.12)
|
||||||
|
- mm: include VM_MIXEDMAP flag in the VM_SPECIAL list to avoid m(un)locking
|
||||||
|
(regression in 3.12)
|
||||||
|
- ocfs2: fix quota file corruption
|
||||||
|
- ocfs2 syncs the wrong range...
|
||||||
|
- memcg: fix endless loop in __mem_cgroup_iter_next()
|
||||||
|
(regression in 3.13.3)
|
||||||
|
- net-tcp: fastopen: fix high order allocations
|
||||||
|
- ipv6: reuse ip6_frag_id from ip6_ufo_append_data
|
||||||
|
- ipv4: ipv6: better estimate tunnel header cut for correct ufo handling
|
||||||
|
- ip_tunnel:multicast process cause panic due to skb->_skb_refdst NULL
|
||||||
|
pointer
|
||||||
|
- mac80211: clear sequence/fragment number in QoS-null frames
|
||||||
|
- ath9k: Fix ETSI compliance for AR9462 2.0
|
||||||
|
- ath9k: protect tid->sched check
|
||||||
|
- cpuset: fix a locking issue in cpuset_migrate_mm()
|
||||||
|
- cpuset: fix a race condition in __cpuset_node_allowed_softwall()
|
||||||
|
- firewire: net: fix use after free
|
||||||
|
- firewire: don't use PREPARE_DELAYED_WORK
|
||||||
|
- libata: disable queued TRIM for Crucial M500 mSATA SSDs
|
||||||
|
- libata: use wider match for blacklisting Crucial M500
|
||||||
|
- NFSv4: Fix another nfs4_sequence corruptor (Closes: #734268)
|
||||||
|
- cpufreq: use cpufreq_cpu_get() to avoid cpufreq_get() race conditions
|
||||||
|
- cpufreq: Skip current frequency initialization for ->setpolicy drivers
|
||||||
|
(regression in 3.13)
|
||||||
|
- iscsi/iser-target: Use list_del_init for ->i_conn_node
|
||||||
|
- iser-target: Ignore completions for FRWRs in isert_cq_tx_work
|
||||||
|
- iser-target: Fix post_send_buf_count for RDMA READ/WRITE
|
||||||
|
- mm/readahead.c: fix do_readahead() for no readpage(s)
|
||||||
|
(regression in 3.13)
|
||||||
|
- fs/proc/base.c: fix GPF in /proc/$PID/map_files
|
||||||
|
- drm/i915: fix pch pci device enumeration (regression in 3.11)
|
||||||
|
- drm/i915: Reject >165MHz modes w/ DVI monitors (regression in 3.11)
|
||||||
|
- drm/radeon: fix runpm disabling on non-PX harder
|
||||||
|
(may fix #741619, #742507)
|
||||||
|
- PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled
|
||||||
|
(fixes regression in 3.13.6)
|
||||||
|
- [x86] vmxnet3: fix netpoll race condition
|
||||||
|
- mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block
|
||||||
|
- dm space map metadata: fix refcount decrement below 0 which caused
|
||||||
|
corruption
|
||||||
|
- dm cache: fix truncation bug when copying a block to/from >2TB fast
|
||||||
|
device
|
||||||
|
- net: unix socket code abuses csum_partial
|
||||||
|
- SCSI: qla2xxx: Fix multiqueue MSI-X registration.
|
||||||
|
- [x86] fpu: Check tsk_used_math() in kernel_fpu_end() for eager FPU
|
||||||
|
- Btrfs: fix tree mod logging
|
||||||
|
- Btrfs: fix data corruption when reading/updating compressed extents
|
||||||
|
- intel_pstate: Add setting voltage value for baytrail P states.
|
||||||
|
- Fix mountpoint reference leakage in linkat
|
||||||
|
- bio-integrity: Fix bio_integrity_verify segment start bug
|
||||||
|
- memcg: reparent charges of children before processing parent
|
||||||
|
|
||||||
|
[ Ben Hutchings ]
|
||||||
|
* [arm] mm: Avoid ABI change in 3.13.6 (fixes FTBFS)
|
||||||
|
* nfqueue: Orphan frags in nfqnl_zcopy() and handle errors (CVE-2014-2568)
|
||||||
|
|
||||||
|
-- Ben Hutchings <ben@decadent.org.uk> Tue, 25 Mar 2014 17:23:31 +0000
|
||||||
|
|
||||||
linux (3.13.6-1) unstable; urgency=high
|
linux (3.13.6-1) unstable; urgency=high
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
|
|
|
@ -0,0 +1,105 @@
|
||||||
|
Subject: [v4] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors
|
||||||
|
From: Zoltan Kiss <zoltan.kiss@citrix.com>
|
||||||
|
Date: Fri, 21 Mar 2014 10:31:34 +0000
|
||||||
|
Origin: https://patchwork.ozlabs.org/patch/332544/
|
||||||
|
|
||||||
|
skb_zerocopy can copy elements of the frags array between skbs, but it doesn't
|
||||||
|
orphan them. Also, it doesn't handle errors, so this patch takes care of that
|
||||||
|
as well, and modify the callers accordingly. skb_tx_error() is also added to
|
||||||
|
the callers so they will signal the failed delivery towards the creator of the
|
||||||
|
skb.
|
||||||
|
|
||||||
|
Signed-off-by: Zoltan Kiss <zoltan.kiss@citrix.com>
|
||||||
|
Acked-by: Thomas Graf <tgraf@redhat.com>
|
||||||
|
[bwh: skb_zerocopy() is new in 3.14, but was moved from a static function
|
||||||
|
in nfnetlink_queue. We need to patch that and its caller, but not
|
||||||
|
openvswitch.]
|
||||||
|
---
|
||||||
|
--- a/net/netfilter/nfnetlink_queue_core.c
|
||||||
|
+++ b/net/netfilter/nfnetlink_queue_core.c
|
||||||
|
@@ -235,22 +235,23 @@ nfqnl_flush(struct nfqnl_instance *queue
|
||||||
|
spin_unlock_bh(&queue->lock);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
nfqnl_zcopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
|
||||||
|
{
|
||||||
|
int i, j = 0;
|
||||||
|
int plen = 0; /* length of skb->head fragment */
|
||||||
|
+ int ret;
|
||||||
|
struct page *page;
|
||||||
|
unsigned int offset;
|
||||||
|
|
||||||
|
/* dont bother with small payloads */
|
||||||
|
- if (len <= skb_tailroom(to)) {
|
||||||
|
- skb_copy_bits(from, 0, skb_put(to, len), len);
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ if (len <= skb_tailroom(to))
|
||||||
|
+ return skb_copy_bits(from, 0, skb_put(to, len), len);
|
||||||
|
|
||||||
|
if (hlen) {
|
||||||
|
- skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
|
||||||
|
+ ret = skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
|
||||||
|
+ if (unlikely(ret))
|
||||||
|
+ return ret;
|
||||||
|
len -= hlen;
|
||||||
|
} else {
|
||||||
|
plen = min_t(int, skb_headlen(from), len);
|
||||||
|
@@ -268,6 +269,11 @@ nfqnl_zcopy(struct sk_buff *to, const st
|
||||||
|
to->len += len + plen;
|
||||||
|
to->data_len += len + plen;
|
||||||
|
|
||||||
|
+ if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
|
||||||
|
+ skb_tx_error(from);
|
||||||
|
+ return -ENOMEM;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
|
||||||
|
if (!len)
|
||||||
|
break;
|
||||||
|
@@ -278,6 +284,8 @@ nfqnl_zcopy(struct sk_buff *to, const st
|
||||||
|
j++;
|
||||||
|
}
|
||||||
|
skb_shinfo(to)->nr_frags = j;
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
@@ -374,13 +382,16 @@ nfqnl_build_packet_message(struct net *n
|
||||||
|
|
||||||
|
skb = nfnetlink_alloc_skb(net, size, queue->peer_portid,
|
||||||
|
GFP_ATOMIC);
|
||||||
|
- if (!skb)
|
||||||
|
+ if (!skb) {
|
||||||
|
+ skb_tx_error(entskb);
|
||||||
|
return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
nlh = nlmsg_put(skb, 0, 0,
|
||||||
|
NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
|
||||||
|
sizeof(struct nfgenmsg), 0);
|
||||||
|
if (!nlh) {
|
||||||
|
+ skb_tx_error(entskb);
|
||||||
|
kfree_skb(skb);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
@@ -504,13 +515,15 @@ nfqnl_build_packet_message(struct net *n
|
||||||
|
nla->nla_type = NFQA_PAYLOAD;
|
||||||
|
nla->nla_len = nla_attr_size(data_len);
|
||||||
|
|
||||||
|
- nfqnl_zcopy(skb, entskb, data_len, hlen);
|
||||||
|
+ if (nfqnl_zcopy(skb, entskb, data_len, hlen))
|
||||||
|
+ goto nla_put_failure;
|
||||||
|
}
|
||||||
|
|
||||||
|
nlh->nlmsg_len = skb->len;
|
||||||
|
return skb;
|
||||||
|
|
||||||
|
nla_put_failure:
|
||||||
|
+ skb_tx_error(entskb);
|
||||||
|
kfree_skb(skb);
|
||||||
|
net_err_ratelimited("nf_queue: error creating packet message\n");
|
||||||
|
return NULL;
|
|
@ -71,3 +71,4 @@ features/all/x86-memtest-WARN-if-bad-RAM-found.patch
|
||||||
features/all/efi-autoload-efivars.patch
|
features/all/efi-autoload-efivars.patch
|
||||||
features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
||||||
bugfix/arm/bfa-Replace-large-udelay-with-mdelay.patch
|
bugfix/arm/bfa-Replace-large-udelay-with-mdelay.patch
|
||||||
|
bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
|
||||||
|
|
Loading…
Reference in New Issue