diff --git a/debian/changelog b/debian/changelog index 1a7d01f74..590b9bfbe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,61 @@ -linux (4.9.25-2) UNRELEASED; urgency=medium +linux (4.9.26-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.26 + - [arm64] Revert "mmc: sdhci-msm: Enable few quirks" + - ping: implement proper locking + - [sparc64] kern_addr_valid regression + - [sparc64] Fix kernel panic due to erroneous #ifdef surrounding + pmd_write() + - net: neigh: guard against NULL solicit() method + - net: phy: handle state correctly in phy_stop_machine + - bpf: improve verifier packet range checks + - net/mlx5: Avoid dereferencing uninitialized pointer + - l2tp: hold tunnel socket when handling control frames in l2tp_ip + and l2tp_ip6 + - l2tp: purge socket queues in the .destruct() callback + - net/packet: fix overflow in check for tp_frame_nr + - net/packet: fix overflow in check for tp_reserve + - l2tp: take reference on sessions being dumped + - l2tp: fix PPP pseudo-wire auto-loading + - net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given + - sctp: listen on the sock only when it's state is listening or + closed + - tcp: clear saved_syn in tcp_disconnect() + - ipv6: Fix idev->addr_list corruption + - net-timestamp: avoid use-after-free in ip_recv_error + - net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule + - dp83640: don't recieve time stamps twice + - gso: Validate assumption of frag_list segementation + - net: ipv6: RTF_PCPU should not be settable from userspace + - netpoll: Check for skb->queue_mapping + - ip6mr: fix notification device destruction + - net/mlx5: Fix driver load bad flow when having fw + initializing timeout + - net/mlx5e: Fix small packet threshold + - net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling + - macvlan: Fix device ref leak when purging bc_queue + - net: ipv6: regenerate host route if moved to gc list + - net: phy: fix auto-negotiation stall due to unavailable interrupt + - ipv6: check skb->protocol before lookup for nexthop + - tcp: memset ca_priv data to 0 properly + - ipv6: check raw payload size correctly in ioctl + - ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d + - ALSA: firewire-lib: fix inappropriate assignment between + signed/unsigned type + - ALSA: seq: Don't break snd_use_lock_sync() loop by timeout + - [mips*] KGDB: Use kernel context for sleeping threads + - [mips*] Avoid BUG warning in arch_check_elf + - p9_client_readdir() fix + - [x86] ASoC: intel: Fix PM and non-atomic crash in bytcr drivers + - Input: i8042 - add Clevo P650RS to the i8042 reset list + - nfsd: check for oversized NFSv2/v3 arguments + - nfsd4: minor NFSv2/v3 write decoding cleanup + - nfsd: stricter decoding of write-like NFSv2/v3 ops + - ceph: fix recursion between ceph_set_acl() and __ceph_setattr() + - macsec: avoid heap overflow in skb_to_sgvec + - net: can: usb: gs_usb: Fix buffer on stack + - [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram [ Aurelien Jarno ] * [mips*/*-malta] Enable POWER_RESET and POWER_RESET_SYSCON. diff --git a/debian/config/defines b/debian/config/defines index eef7c76c5..1b1add7ab 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -21,6 +21,8 @@ ignore-changes: module:drivers/usb/host/** module:drivers/usb/musb/** module:net/ceph/libceph + module:net/l2tp/l2tp_core + module:sound/firewire/snd-firewire-lib # btree library is only selected by few drivers so not useful OOT btree_* visitor* diff --git a/debian/patches/bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch b/debian/patches/bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch deleted file mode 100644 index 63508e62c..000000000 --- a/debian/patches/bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch +++ /dev/null @@ -1,74 +0,0 @@ -From: "Jason A. Donenfeld" -Date: Fri, 21 Apr 2017 23:14:48 +0200 -Subject: macsec: avoid heap overflow in skb_to_sgvec -Origin: https://git.kernel.org/linus/4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7477 - -While this may appear as a humdrum one line change, it's actually quite -important. An sk_buff stores data in three places: - -1. A linear chunk of allocated memory in skb->data. This is the easiest - one to work with, but it precludes using scatterdata since the memory - must be linear. -2. The array skb_shinfo(skb)->frags, which is of maximum length - MAX_SKB_FRAGS. This is nice for scattergather, since these fragments - can point to different pages. -3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff, - which in turn can have data in either (1) or (2). - -The first two are rather easy to deal with, since they're of a fixed -maximum length, while the third one is not, since there can be -potentially limitless chains of fragments. Fortunately dealing with -frag_list is opt-in for drivers, so drivers don't actually have to deal -with this mess. For whatever reason, macsec decided it wanted pain, and -so it explicitly specified NETIF_F_FRAGLIST. - -Because dealing with (1), (2), and (3) is insane, most users of sk_buff -doing any sort of crypto or paging operation calls a convenient function -called skb_to_sgvec (which happens to be recursive if (3) is in use!). -This takes a sk_buff as input, and writes into its output pointer an -array of scattergather list items. Sometimes people like to declare a -fixed size scattergather list on the stack; othertimes people like to -allocate a fixed size scattergather list on the heap. However, if you're -doing it in a fixed-size fashion, you really shouldn't be using -NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its -frag_list children arent't shared and then you check the number of -fragments in total required.) - -Macsec specifically does this: - - size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1); - tmp = kmalloc(size, GFP_ATOMIC); - *sg = (struct scatterlist *)(tmp + sg_offset); - ... - sg_init_table(sg, MAX_SKB_FRAGS + 1); - skb_to_sgvec(skb, sg, 0, skb->len); - -Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're -using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will -overflow the heap, and disaster ensues. - -Signed-off-by: Jason A. Donenfeld -Cc: stable@vger.kernel.org -Cc: security@kernel.org -Signed-off-by: David S. Miller ---- - drivers/net/macsec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c -index ff0a5ed..dbab05a 100644 ---- a/drivers/net/macsec.c -+++ b/drivers/net/macsec.c -@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, - } - - #define MACSEC_FEATURES \ -- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) -+ (NETIF_F_SG | NETIF_F_HIGHDMA) - static struct lock_class_key macsec_netdev_addr_lock_key; - - static int macsec_dev_init(struct net_device *dev) --- -2.1.4 - diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch deleted file mode 100644 index 1ca2d19c1..000000000 --- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Andrey Konovalov -Date: Wed, 29 Mar 2017 16:11:21 +0200 -Subject: net/packet: fix overflow in check for tp_frame_nr -Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308 - -When calculating rb->frames_per_block * req->tp_block_nr the result -can overflow. - -Add a check that tp_block_size * tp_block_nr <= UINT_MAX. - -Since frames_per_block <= tp_block_size, the expression would -never overflow. - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/packet/af_packet.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -4247,6 +4247,8 @@ static int packet_set_ring(struct sock * - rb->frames_per_block = req->tp_block_size / req->tp_frame_size; - if (unlikely(rb->frames_per_block == 0)) - goto out; -+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) -+ goto out; - if (unlikely((rb->frames_per_block * req->tp_block_nr) != - req->tp_frame_nr)) - goto out; diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch deleted file mode 100644 index 267e16c89..000000000 --- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Andrey Konovalov -Date: Wed, 29 Mar 2017 16:11:22 +0200 -Subject: net/packet: fix overflow in check for tp_reserve -Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308 - -When calculating po->tp_hdrlen + po->tp_reserve the result can overflow. - -Fix by checking that tp_reserve <= INT_MAX on assign. - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/packet/af_packet.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, i - return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; -+ if (val > INT_MAX) -+ return -EINVAL; - po->tp_reserve = val; - return 0; - } diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch deleted file mode 100644 index 1c12edfb3..000000000 --- a/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch +++ /dev/null @@ -1,104 +0,0 @@ -From: "J. Bruce Fields" -Date: Fri, 21 Apr 2017 16:10:18 -0400 -Subject: nfsd: check for oversized NFSv2/v3 arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645 - -A client can append random data to the end of an NFSv2 or NFSv3 RPC call -without our complaining; we'll just stop parsing at the end of the -expected data and ignore the rest. - -Encoded arguments and replies are stored together in an array of pages, -and if a call is too large it could leave inadequate space for the -reply. This is normally OK because NFS RPC's typically have either -short arguments and long replies (like READ) or long arguments and short -replies (like WRITE). But a client that sends an incorrectly long reply -can violate those assumptions. This was observed to cause crashes. - -Also, several operations increment rq_next_page in the decode routine -before checking the argument size, which can leave rq_next_page pointing -well past the end of the page array, causing trouble later in -svc_free_pages. - -So, following a suggestion from Neil Brown, add a central check to -enforce our expectation that no NFSv2/v3 call has both a large call and -a large reply. - -As followup we may also want to rewrite the encoding routines to check -more carefully that they aren't running off the end of the page array. - -We may also consider rejecting calls that have any extra garbage -appended. That would be safer, and within our rights by spec, but given -the age of our server and the NFS protocol, and the fact that we've -never enforced this before, we may need to balance that against the -possibility of breaking some oddball client. - -Reported-by: Tuomas Haanpää -Reported-by: Ari Kauppi -Cc: stable@vger.kernel.org -Reviewed-by: NeilBrown -Signed-off-by: J. Bruce Fields ---- - fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c -index 31e1f95..59979f0 100644 ---- a/fs/nfsd/nfssvc.c -+++ b/fs/nfsd/nfssvc.c -@@ -747,6 +747,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr) - return nfserr; - } - -+/* -+ * A write procedure can have a large argument, and a read procedure can -+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and -+ * reply that can both be larger than a page. The xdr code has taken -+ * advantage of this assumption to be a sloppy about bounds checking in -+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that -+ * problem, we enforce these assumptions here: -+ */ -+static bool nfs_request_too_big(struct svc_rqst *rqstp, -+ struct svc_procedure *proc) -+{ -+ /* -+ * The ACL code has more careful bounds-checking and is not -+ * susceptible to this problem: -+ */ -+ if (rqstp->rq_prog != NFS_PROGRAM) -+ return false; -+ /* -+ * Ditto NFSv4 (which can in theory have argument and reply both -+ * more than a page): -+ */ -+ if (rqstp->rq_vers >= 4) -+ return false; -+ /* The reply will be small, we're OK: */ -+ if (proc->pc_xdrressize > 0 && -+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) -+ return false; -+ -+ return rqstp->rq_arg.len > PAGE_SIZE; -+} -+ - int - nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) - { -@@ -759,6 +790,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) - rqstp->rq_vers, rqstp->rq_proc); - proc = rqstp->rq_procinfo; - -+ if (nfs_request_too_big(rqstp, proc)) { -+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers); -+ *statp = rpc_garbage_args; -+ return 1; -+ } - /* - * Give the xdr decoder a chance to change this if it wants - * (necessary in the NFSv4.0 compound case) --- -2.1.4 - diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch deleted file mode 100644 index 33415b65a..000000000 --- a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch +++ /dev/null @@ -1,63 +0,0 @@ -From: "J. Bruce Fields" -Date: Fri, 21 Apr 2017 15:26:30 -0400 -Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895 - -The NFSv2/v3 code does not systematically check whether we decode past -the end of the buffer. This generally appears to be harmless, but there -are a few places where we do arithmetic on the pointers involved and -don't account for the possibility that a length could be negative. Add -checks to catch these. - -Reported-by: Tuomas Haanpää -Reported-by: Ari Kauppi -Reviewed-by: NeilBrown -Cc: stable@vger.kernel.org -Signed-off-by: J. Bruce Fields ---- - fs/nfsd/nfs3xdr.c | 4 ++++ - fs/nfsd/nfsxdr.c | 2 ++ - 2 files changed, 6 insertions(+) - -diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c -index d18cfdd..4523346 100644 ---- a/fs/nfsd/nfs3xdr.c -+++ b/fs/nfsd/nfs3xdr.c -@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - args->count = ntohl(*p++); - args->stable = ntohl(*p++); - len = args->len = ntohl(*p++); -+ if ((void *)p > head->iov_base + head->iov_len) -+ return 0; - /* - * The count must equal the amount of data passed. - */ -@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p, - /* first copy and check from the first page */ - old = (char*)p; - vec = &rqstp->rq_arg.head[0]; -+ if ((void *)old > vec->iov_base + vec->iov_len) -+ return 0; - avail = vec->iov_len - (old - (char*)vec->iov_base); - while (len && avail && *old) { - *new++ = *old++; -diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c -index 59bd88a..de07ff6 100644 ---- a/fs/nfsd/nfsxdr.c -+++ b/fs/nfsd/nfsxdr.c -@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - * bytes. - */ - hdr = (void*)p - head->iov_base; -+ if (hdr > head->iov_len) -+ return 0; - dlen = head->iov_len + rqstp->rq_arg.page_len - hdr; - - /* --- -2.1.4 - diff --git a/debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch b/debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch deleted file mode 100644 index 7b7d9f5f4..000000000 --- a/debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch +++ /dev/null @@ -1,84 +0,0 @@ -From: "J. Bruce Fields" -Date: Tue, 25 Apr 2017 16:21:34 -0400 -Subject: nfsd4: minor NFSv2/v3 write decoding cleanup -Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b - -Use a couple shortcuts that will simplify a following bugfix. - -Cc: stable@vger.kernel.org -Signed-off-by: J. Bruce Fields ---- - fs/nfsd/nfs3xdr.c | 9 +++++---- - fs/nfsd/nfsxdr.c | 8 ++++---- - 2 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c -index dba2ff8..d18cfdd 100644 ---- a/fs/nfsd/nfs3xdr.c -+++ b/fs/nfsd/nfs3xdr.c -@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - { - unsigned int len, v, hdr, dlen; - u32 max_blocksize = svc_max_payload(rqstp); -+ struct kvec *head = rqstp->rq_arg.head; -+ struct kvec *tail = rqstp->rq_arg.tail; - - p = decode_fh(p, &args->fh); - if (!p) -@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - * Check to make sure that we got the right number of - * bytes. - */ -- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; -- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len -- + rqstp->rq_arg.tail[0].iov_len - hdr; -+ hdr = (void*)p - head->iov_base; -+ dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr; - /* - * Round the length of the data which was specified up to - * the next multiple of XDR units and then compare that -@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - len = args->len = max_blocksize; - } - rqstp->rq_vec[0].iov_base = (void*)p; -- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; -+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr; - v = 0; - while (len > rqstp->rq_vec[v].iov_len) { - len -= rqstp->rq_vec[v].iov_len; -diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c -index 41b468a..59bd88a 100644 ---- a/fs/nfsd/nfsxdr.c -+++ b/fs/nfsd/nfsxdr.c -@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - struct nfsd_writeargs *args) - { - unsigned int len, hdr, dlen; -+ struct kvec *head = rqstp->rq_arg.head; - int v; - - p = decode_fh(p, &args->fh); -@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - * Check to make sure that we got the right number of - * bytes. - */ -- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; -- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len -- - hdr; -+ hdr = (void*)p - head->iov_base; -+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr; - - /* - * Round the length of the data which was specified up to -@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p, - return 0; - - rqstp->rq_vec[0].iov_base = (void*)p; -- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; -+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr; - v = 0; - while (len > rqstp->rq_vec[v].iov_len) { - len -= rqstp->rq_vec[v].iov_len; --- -2.1.4 - diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch deleted file mode 100644 index d7b4b837c..000000000 --- a/debian/patches/bugfix/all/ping-implement-proper-locking.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Eric Dumazet -Date: Fri, 24 Mar 2017 19:36:13 -0700 -Subject: ping: implement proper locking -Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671 - -We got a report of yet another bug in ping - -http://www.openwall.com/lists/oss-security/2017/03/24/6 - -->disconnect() is not called with socket lock held. - -Fix this by acquiring ping rwlock earlier. - -Thanks to Daniel, Alexander and Andrey for letting us know this problem. - -Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") -Signed-off-by: Eric Dumazet -Reported-by: Daniel Jiang -Reported-by: Solar Designer -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/ipv4/ping.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 2af6244b83e2..ccfbce13a633 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk) - void ping_unhash(struct sock *sk) - { - struct inet_sock *isk = inet_sk(sk); -+ - pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num); -+ write_lock_bh(&ping_table.lock); - if (sk_hashed(sk)) { -- write_lock_bh(&ping_table.lock); - hlist_nulls_del(&sk->sk_nulls_node); - sk_nulls_node_init(&sk->sk_nulls_node); - sock_put(sk); - isk->inet_num = 0; - isk->inet_sport = 0; - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); -- write_unlock_bh(&ping_table.lock); - } -+ write_unlock_bh(&ping_table.lock); - } - EXPORT_SYMBOL_GPL(ping_unhash); - --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index a5922a91c..6559add96 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -105,14 +105,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/time-mark-timer_stats-as-broken.patch -bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch -bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch -bugfix/all/ping-implement-proper-locking.patch -bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch -bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch -bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch -bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch