From 4570eb612bf95c0e9d8c9e79cac79e781fb60786 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 11 Dec 2013 06:48:49 +0000 Subject: [PATCH] Update to 3.12.4 svn path=/dists/sid/linux/; revision=20877 --- debian/changelog | 24 ++++++ ...oom-calculation-in-udp6_ufo_fragment.patch | 35 -------- ...amelen-instead-of-returning-an-error.patch | 47 ---------- ...q-restore-minimal-amount-of-queueing.patch | 85 ------------------- debian/patches/series | 3 - 5 files changed, 24 insertions(+), 170 deletions(-) delete mode 100644 debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch delete mode 100644 debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch delete mode 100644 debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch diff --git a/debian/changelog b/debian/changelog index 65b7c2601..5ec043ec6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,27 @@ +linux (3.12.4-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 + - net: x86: bpf: don't forget to free sk_filter (v2) + - net: Fix "ip rule delete table 256" (Closes: #724783) + - net-tcp: fix panic in tcp_fastopen_cache_set() + - inet: prevent leakage of uninitialized memory to user in recv syscalls + (CVE-2013-6405) + - ping: prevent NULL pointer dereference on write to msg_name + (CVE-2013-6432) + - ipv6: fix leaking uninitialized port number of offender sockaddr + - netfilter: push reasm skb through instead of original frag skbs + - packet: fix use after free race in send path when dev is released + - gso: handle new frag_list of frags GRO packets + - net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST + - xfs: add capability check to free eofblocks ioctl + - iommu/vt-d: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address + limits + - aio: Fix a trinity splat + - aio: prevent double free in ioctx_alloc + + -- Ben Hutchings Wed, 11 Dec 2013 06:04:49 +0000 + linux (3.12.3-1~exp1) experimental; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch deleted file mode 100644 index 92c5fa086..000000000 --- a/debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Hannes Frederic Sowa -Date: Tue, 5 Nov 2013 02:41:27 +0100 -Subject: ipv6: fix headroom calculation in udp6_ufo_fragment -Origin: https://git.kernel.org/linus/0e033e04c2678dbbe74a46b23fffb7bb918c288e - -Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp -fragmentation for tunnel traffic.") changed the calculation if -there is enough space to include a fragment header in the skb from a -skb->mac_header dervived one to skb_headroom. Because we already peeled -off the skb to transport_header this is wrong. Change this back to check -if we have enough room before the mac_header. - -This fixes a panic Saran Neti reported. He used the tbf scheduler which -skb_gso_segments the skb. The offsets get negative and we panic in memcpy -because the skb was erroneously not expanded at the head. - -Reported-by: Saran Neti -Cc: Pravin B Shelar -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/udp_offload.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment - - /* Check if there is enough headroom to insert fragment header. */ - tnl_hlen = skb_tnl_header_len(skb); -- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) { -+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) { - if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz)) - goto out; - } diff --git a/debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch b/debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch deleted file mode 100644 index dbe220e26..000000000 --- a/debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Dan Carpenter -Date: Wed, 27 Nov 2013 15:40:21 +0300 -Subject: net: clamp ->msg_namelen instead of returning an error -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=db31c55a6fb245fdbb752a2ca4aefec89afabb06 - -If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the -original code that would lead to memory corruption in the kernel if you -had audit configured. If you didn't have audit configured it was -harmless. - -There are some programs such as beta versions of Ruby which use too -large of a buffer and returning an error code breaks them. We should -clamp the ->msg_namelen value instead. - -Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()") -Reported-by: Eric Wong -Signed-off-by: Dan Carpenter -Tested-by: Eric Wong -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/compat.c | 2 +- - net/socket.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - ---- a/net/compat.c -+++ b/net/compat.c -@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kms - __get_user(kmsg->msg_flags, &umsg->msg_flags)) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - kmsg->msg_name = compat_ptr(tmp1); - kmsg->msg_iov = compat_ptr(tmp2); - kmsg->msg_control = compat_ptr(tmp3); ---- a/net/socket.c -+++ b/net/socket.c -@@ -1970,7 +1970,7 @@ static int copy_msghdr_from_user(struct - if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) - return -EFAULT; - if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -- return -EINVAL; -+ kmsg->msg_namelen = sizeof(struct sockaddr_storage); - return 0; - } - diff --git a/debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch b/debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch deleted file mode 100644 index 78ef8c57c..000000000 --- a/debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch +++ /dev/null @@ -1,85 +0,0 @@ -From: Eric Dumazet -Date: Wed, 13 Nov 2013 06:32:54 -0800 -Subject: tcp: tsq: restore minimal amount of queueing -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=98e09386c0ef4dfd48af7ba60ff908f0d525cdee - -After commit c9eeec26e32e ("tcp: TSQ can use a dynamic limit"), several -users reported throughput regressions, notably on mvneta and wifi -adapters. - -802.11 AMPDU requires a fair amount of queueing to be effective. - -This patch partially reverts the change done in tcp_write_xmit() -so that the minimal amount is sysctl_tcp_limit_output_bytes. - -It also remove the use of this sysctl while building skb stored -in write queue, as TSO autosizing does the right thing anyway. - -Users with well behaving NICS and correct qdisc (like sch_fq), -can then lower the default sysctl_tcp_limit_output_bytes value from -128KB to 8KB. - -This new usage of sysctl_tcp_limit_output_bytes permits each driver -authors to check how their driver performs when/if the value is set -to a minimum of 4KB. - -Normally, line rate for a single TCP flow should be possible, -but some drivers rely on timers to perform TX completion and -too long TX completion delays prevent reaching full throughput. - -Fixes: c9eeec26e32e ("tcp: TSQ can use a dynamic limit") -Signed-off-by: Eric Dumazet -Reported-by: Sujith Manoharan -Reported-by: Arnaud Ebalard -Tested-by: Sujith Manoharan -Cc: Felix Fietkau -Signed-off-by: David S. Miller ---- - Documentation/networking/ip-sysctl.txt | 3 --- - net/ipv4/tcp.c | 6 ------ - net/ipv4/tcp_output.c | 6 +++++- - 3 files changed, 5 insertions(+), 10 deletions(-) - ---- a/Documentation/networking/ip-sysctl.txt -+++ b/Documentation/networking/ip-sysctl.txt -@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER - typical pfifo_fast qdiscs. - tcp_limit_output_bytes limits the number of bytes on qdisc - or device to reduce artificial RTT/cwnd and reduce bufferbloat. -- Note: For GSO/TSO enabled flows, we try to have at least two -- packets in flight. Reducing tcp_limit_output_bytes might also -- reduce the size of individual GSO packet (64KB being the max) - Default: 131072 - - tcp_challenge_ack_limit - INTEGER ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(s - xmit_size_goal = min_t(u32, gso_size, - sk->sk_gso_max_size - 1 - hlen); - -- /* TSQ : try to have at least two segments in flight -- * (one in NIC TX ring, another in Qdisc) -- */ -- xmit_size_goal = min_t(u32, xmit_size_goal, -- sysctl_tcp_limit_output_bytes >> 1); -- - xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal); - - /* We try hard to avoid divides here */ ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock * - * - better RTT estimation and ACK scheduling - * - faster recovery - * - high rates -+ * Alas, some drivers / subsystems require a fair amount -+ * of queued bytes to ensure line rate. -+ * One example is wifi aggregation (802.11 AMPDU) - */ -- limit = max(skb->truesize, sk->sk_pacing_rate >> 10); -+ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes, -+ sk->sk_pacing_rate >> 10); - - if (atomic_read(&sk->sk_wmem_alloc) > limit) { - set_bit(TSQ_THROTTLED, &tp->tsq_flags); diff --git a/debian/patches/series b/debian/patches/series index 9418ffb71..41787ec10 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -74,9 +74,6 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch -bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch -bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch -bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch bugfix/arm/ahci-imx-Explicitly-clear-IMX6Q_GPR13_SATA_MPLL_CLK_.patch