Update to 3.12.4
svn path=/dists/sid/linux/; revision=20877
This commit is contained in:
Ben Hutchings
parent
e227ad0d78
commit
4570eb612b
|
|
@ -1,3 +1,27 @@
|
|||
linux (3.12.4-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4
|
||||
- net: x86: bpf: don't forget to free sk_filter (v2)
|
||||
- net: Fix "ip rule delete table 256" (Closes: #724783)
|
||||
- net-tcp: fix panic in tcp_fastopen_cache_set()
|
||||
- inet: prevent leakage of uninitialized memory to user in recv syscalls
|
||||
(CVE-2013-6405)
|
||||
- ping: prevent NULL pointer dereference on write to msg_name
|
||||
(CVE-2013-6432)
|
||||
- ipv6: fix leaking uninitialized port number of offender sockaddr
|
||||
- netfilter: push reasm skb through instead of original frag skbs
|
||||
- packet: fix use after free race in send path when dev is released
|
||||
- gso: handle new frag_list of frags GRO packets
|
||||
- net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
|
||||
- xfs: add capability check to free eofblocks ioctl
|
||||
- iommu/vt-d: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address
|
||||
limits
|
||||
- aio: Fix a trinity splat
|
||||
- aio: prevent double free in ioctx_alloc
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 11 Dec 2013 06:04:49 +0000
|
||||
|
||||
linux (3.12.3-1~exp1) experimental; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Tue, 5 Nov 2013 02:41:27 +0100
|
||||
Subject: ipv6: fix headroom calculation in udp6_ufo_fragment
|
||||
Origin: https://git.kernel.org/linus/0e033e04c2678dbbe74a46b23fffb7bb918c288e
|
||||
|
||||
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
|
||||
fragmentation for tunnel traffic.") changed the calculation if
|
||||
there is enough space to include a fragment header in the skb from a
|
||||
skb->mac_header dervived one to skb_headroom. Because we already peeled
|
||||
off the skb to transport_header this is wrong. Change this back to check
|
||||
if we have enough room before the mac_header.
|
||||
|
||||
This fixes a panic Saran Neti reported. He used the tbf scheduler which
|
||||
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
|
||||
because the skb was erroneously not expanded at the head.
|
||||
|
||||
Reported-by: Saran Neti <Saran.Neti@telus.com>
|
||||
Cc: Pravin B Shelar <pshelar@nicira.com>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/udp_offload.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/net/ipv6/udp_offload.c
|
||||
+++ b/net/ipv6/udp_offload.c
|
||||
@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment
|
||||
|
||||
/* Check if there is enough headroom to insert fragment header. */
|
||||
tnl_hlen = skb_tnl_header_len(skb);
|
||||
- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
|
||||
+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
|
||||
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
|
||||
goto out;
|
||||
}
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Wed, 27 Nov 2013 15:40:21 +0300
|
||||
Subject: net: clamp ->msg_namelen instead of returning an error
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=db31c55a6fb245fdbb752a2ca4aefec89afabb06
|
||||
|
||||
If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
|
||||
original code that would lead to memory corruption in the kernel if you
|
||||
had audit configured. If you didn't have audit configured it was
|
||||
harmless.
|
||||
|
||||
There are some programs such as beta versions of Ruby which use too
|
||||
large of a buffer and returning an error code breaks them. We should
|
||||
clamp the ->msg_namelen value instead.
|
||||
|
||||
Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
|
||||
Reported-by: Eric Wong <normalperson@yhbt.net>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Tested-by: Eric Wong <normalperson@yhbt.net>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/compat.c | 2 +-
|
||||
net/socket.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/net/compat.c
|
||||
+++ b/net/compat.c
|
||||
@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kms
|
||||
__get_user(kmsg->msg_flags, &umsg->msg_flags))
|
||||
return -EFAULT;
|
||||
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
- return -EINVAL;
|
||||
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
|
||||
kmsg->msg_name = compat_ptr(tmp1);
|
||||
kmsg->msg_iov = compat_ptr(tmp2);
|
||||
kmsg->msg_control = compat_ptr(tmp3);
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1970,7 +1970,7 @@ static int copy_msghdr_from_user(struct
|
||||
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
|
||||
return -EFAULT;
|
||||
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
- return -EINVAL;
|
||||
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -1,85 +0,0 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Wed, 13 Nov 2013 06:32:54 -0800
|
||||
Subject: tcp: tsq: restore minimal amount of queueing
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=98e09386c0ef4dfd48af7ba60ff908f0d525cdee
|
||||
|
||||
After commit c9eeec26e32e ("tcp: TSQ can use a dynamic limit"), several
|
||||
users reported throughput regressions, notably on mvneta and wifi
|
||||
adapters.
|
||||
|
||||
802.11 AMPDU requires a fair amount of queueing to be effective.
|
||||
|
||||
This patch partially reverts the change done in tcp_write_xmit()
|
||||
so that the minimal amount is sysctl_tcp_limit_output_bytes.
|
||||
|
||||
It also remove the use of this sysctl while building skb stored
|
||||
in write queue, as TSO autosizing does the right thing anyway.
|
||||
|
||||
Users with well behaving NICS and correct qdisc (like sch_fq),
|
||||
can then lower the default sysctl_tcp_limit_output_bytes value from
|
||||
128KB to 8KB.
|
||||
|
||||
This new usage of sysctl_tcp_limit_output_bytes permits each driver
|
||||
authors to check how their driver performs when/if the value is set
|
||||
to a minimum of 4KB.
|
||||
|
||||
Normally, line rate for a single TCP flow should be possible,
|
||||
but some drivers rely on timers to perform TX completion and
|
||||
too long TX completion delays prevent reaching full throughput.
|
||||
|
||||
Fixes: c9eeec26e32e ("tcp: TSQ can use a dynamic limit")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Sujith Manoharan <sujith@msujith.org>
|
||||
Reported-by: Arnaud Ebalard <arno@natisbad.org>
|
||||
Tested-by: Sujith Manoharan <sujith@msujith.org>
|
||||
Cc: Felix Fietkau <nbd@openwrt.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
Documentation/networking/ip-sysctl.txt | 3 ---
|
||||
net/ipv4/tcp.c | 6 ------
|
||||
net/ipv4/tcp_output.c | 6 +++++-
|
||||
3 files changed, 5 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/Documentation/networking/ip-sysctl.txt
|
||||
+++ b/Documentation/networking/ip-sysctl.txt
|
||||
@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER
|
||||
typical pfifo_fast qdiscs.
|
||||
tcp_limit_output_bytes limits the number of bytes on qdisc
|
||||
or device to reduce artificial RTT/cwnd and reduce bufferbloat.
|
||||
- Note: For GSO/TSO enabled flows, we try to have at least two
|
||||
- packets in flight. Reducing tcp_limit_output_bytes might also
|
||||
- reduce the size of individual GSO packet (64KB being the max)
|
||||
Default: 131072
|
||||
|
||||
tcp_challenge_ack_limit - INTEGER
|
||||
--- a/net/ipv4/tcp.c
|
||||
+++ b/net/ipv4/tcp.c
|
||||
@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(s
|
||||
xmit_size_goal = min_t(u32, gso_size,
|
||||
sk->sk_gso_max_size - 1 - hlen);
|
||||
|
||||
- /* TSQ : try to have at least two segments in flight
|
||||
- * (one in NIC TX ring, another in Qdisc)
|
||||
- */
|
||||
- xmit_size_goal = min_t(u32, xmit_size_goal,
|
||||
- sysctl_tcp_limit_output_bytes >> 1);
|
||||
-
|
||||
xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal);
|
||||
|
||||
/* We try hard to avoid divides here */
|
||||
--- a/net/ipv4/tcp_output.c
|
||||
+++ b/net/ipv4/tcp_output.c
|
||||
@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock *
|
||||
* - better RTT estimation and ACK scheduling
|
||||
* - faster recovery
|
||||
* - high rates
|
||||
+ * Alas, some drivers / subsystems require a fair amount
|
||||
+ * of queued bytes to ensure line rate.
|
||||
+ * One example is wifi aggregation (802.11 AMPDU)
|
||||
*/
|
||||
- limit = max(skb->truesize, sk->sk_pacing_rate >> 10);
|
||||
+ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes,
|
||||
+ sk->sk_pacing_rate >> 10);
|
||||
|
||||
if (atomic_read(&sk->sk_wmem_alloc) > limit) {
|
||||
set_bit(TSQ_THROTTLED, &tp->tsq_flags);
|
||||
|
|
@ -74,9 +74,6 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
|||
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
||||
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
||||
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
||||
bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
|
||||
bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch
|
||||
bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
|
||||
bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
|
||||
bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
bugfix/arm/ahci-imx-Explicitly-clear-IMX6Q_GPR13_SATA_MPLL_CLK_.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue