Update to 4.5-rc6
parent
ba3de699a1
commit
62226211b4
|
@ -1,3 +1,9 @@
|
|||
linux (4.5~rc6-1~exp1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream release candidate
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 02 Mar 2016 14:24:38 +0000
|
||||
|
||||
linux (4.5~rc5-1~exp1) experimental; urgency=medium
|
||||
|
||||
* New upstream release candidate
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
|
||||
Date: Mon, 08 Feb 2016 18:47:19 +0000
|
||||
Subject: af_unix: Don't set err in unix_stream_read_generic unless there was an error
|
||||
Origin: http://mid.gmane.org/87bn7rrqdk.fsf@doppelsaurus.mobileactivedefense.com
|
||||
|
||||
The present unix_stream_read_generic contains various code sequences of
|
||||
the form
|
||||
|
||||
err = -EDISASTER;
|
||||
if (<test>)
|
||||
goto out;
|
||||
|
||||
This has the unfortunate side effect of possibly causing the error code
|
||||
to bleed through to the final
|
||||
|
||||
out:
|
||||
return copied ? : err;
|
||||
|
||||
and then to be wrongly returned if no data was copied because the caller
|
||||
didn't supply a data buffer, as demonstrated by the program available at
|
||||
|
||||
http://pad.lv/1540731
|
||||
|
||||
Change it such that err is only set if an error condition was detected.
|
||||
|
||||
Fixes: 3822b5c2fc62 ("af_unix: Revert 'lock_interruptible' in stream receive code")
|
||||
Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com>
|
||||
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
|
||||
---
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -2275,13 +2275,15 @@ static int unix_stream_read_generic(stru
|
||||
size_t size = state->size;
|
||||
unsigned int last_len;
|
||||
|
||||
- err = -EINVAL;
|
||||
- if (sk->sk_state != TCP_ESTABLISHED)
|
||||
+ if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
|
||||
+ err = -EINVAL;
|
||||
goto out;
|
||||
+ }
|
||||
|
||||
- err = -EOPNOTSUPP;
|
||||
- if (flags & MSG_OOB)
|
||||
+ if (unlikely(flags & MSG_OOB)) {
|
||||
+ err = -EOPNOTSUPP;
|
||||
goto out;
|
||||
+ }
|
||||
|
||||
target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
|
||||
timeo = sock_rcvtimeo(sk, noblock);
|
||||
@@ -2327,9 +2329,11 @@ again:
|
||||
goto unlock;
|
||||
|
||||
unix_state_unlock(sk);
|
||||
- err = -EAGAIN;
|
||||
- if (!timeo)
|
||||
+ if (!timeo) {
|
||||
+ err = -EAGAIN;
|
||||
break;
|
||||
+ }
|
||||
+
|
||||
mutex_unlock(&u->readlock);
|
||||
|
||||
timeo = unix_stream_data_wait(sk, timeo, last,
|
|
@ -1,40 +0,0 @@
|
|||
From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
|
||||
Date: Thu, 11 Feb 2016 19:37:27 +0000
|
||||
Subject: af_unix: Guard against other == sk in unix_dgram_sendmsg
|
||||
Origin: http://mid.gmane.org/87r3gj11jc.fsf_-_@doppelsaurus.mobileactivedefense.com
|
||||
|
||||
The unix_dgram_sendmsg routine use the following test
|
||||
|
||||
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
|
||||
|
||||
to determine if sk and other are in an n:1 association (either
|
||||
established via connect or by using sendto to send messages to an
|
||||
unrelated socket identified by address). This isn't correct as the
|
||||
specified address could have been bound to the sending socket itself or
|
||||
because this socket could have been connected to itself by the time of
|
||||
the unix_peer_get but disconnected before the unix_state_lock(other). In
|
||||
both cases, the if-block would be entered despite other == sk which
|
||||
might either block the sender unintentionally or lead to trying to unlock
|
||||
the same spin lock twice for a non-blocking send. Add a other != sk
|
||||
check to guard against this.
|
||||
|
||||
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
|
||||
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
|
||||
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
|
||||
---
|
||||
--- a/net/unix/af_unix.c
|
||||
+++ b/net/unix/af_unix.c
|
||||
@@ -1781,7 +1781,12 @@ restart_locked:
|
||||
goto out_unlock;
|
||||
}
|
||||
|
||||
- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
|
||||
+ /* other == sk && unix_peer(other) != sk if
|
||||
+ * - unix_peer(sk) == NULL, destination address bound to sk
|
||||
+ * - unix_peer(sk) == sk by time of get but disconnected before lock
|
||||
+ */
|
||||
+ if (other != sk &&
|
||||
+ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
|
||||
if (timeo) {
|
||||
timeo = unix_wait_for_peer(other, timeo);
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 17 Feb 2016 15:37:43 +0100
|
||||
Subject: IFF_NO_QUEUE: Fix for drivers not calling ether_setup()
|
||||
Origin: http://mid.gmane.org/1455719863-25730-1-git-send-email-phil@nwl.cc
|
||||
|
||||
My implementation around IFF_NO_QUEUE driver flag assumed that leaving
|
||||
tx_queue_len untouched (specifically: not setting it to zero) by drivers
|
||||
would make it possible to assign a regular qdisc to them without having
|
||||
to worry about setting tx_queue_len to a useful value. This was only
|
||||
partially true: I overlooked that some drivers don't call ether_setup()
|
||||
and therefore not initialize tx_queue_len to the default value of 1000.
|
||||
Consequently, removing the workarounds in place for that case in qdisc
|
||||
implementations which cared about it (namely, pfifo, bfifo, gred, htb,
|
||||
plug and sfb) leads to problems with these specific interface types and
|
||||
qdiscs.
|
||||
|
||||
Luckily, there's already a sanitization point for drivers setting
|
||||
tx_queue_len to zero, which can be reused to assign the fallback value
|
||||
most qdisc implementations used, which is 1.
|
||||
|
||||
Fixes: 348e3435cbefa ("net: sched: drop all special handling of tx_queue_len == 0")
|
||||
Tested-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
net/core/dev.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/core/dev.c
|
||||
+++ b/net/core/dev.c
|
||||
@@ -7125,8 +7125,10 @@ struct net_device *alloc_netdev_mqs(int
|
||||
dev->priv_flags = IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM;
|
||||
setup(dev);
|
||||
|
||||
- if (!dev->tx_queue_len)
|
||||
+ if (!dev->tx_queue_len) {
|
||||
dev->priv_flags |= IFF_NO_QUEUE;
|
||||
+ dev->tx_queue_len = 1;
|
||||
+ }
|
||||
|
||||
dev->num_tx_queues = txqs;
|
||||
dev->real_num_tx_queues = txqs;
|
|
@ -67,8 +67,6 @@ features/all/grsecurity/grkernsec_perf_harden.patch
|
|||
|
||||
# Security fixes
|
||||
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
||||
bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
|
||||
bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch
|
||||
bugfix/x86/x86-mm-page-align-the-_end-symbol-to-avoid-pfn-conve.patch
|
||||
bugfix/x86/x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-n.patch
|
||||
bugfix/x86/x86-efi-map-ram-into-the-identity-page-table-for-mix.patch
|
||||
|
@ -76,6 +74,5 @@ bugfix/x86/x86-efi-hoist-page-table-switching-code-into-efi_cal.patch
|
|||
bugfix/x86/x86-efi-build-our-own-page-table-structures.patch
|
||||
bugfix/x86/x86-efi-setup-separate-efi-page-tables-in-kexec-path.patch
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/iff_no_queue-fix-for-drivers-not-calling-ether_setup.patch
|
||||
bugfix/x86/x86-efi-bgrt-fix-kernel-panic-when-mapping-bgrt-data.patch
|
||||
bugfix/x86/x86-efi-bgrt-replace-early_memremap-with-memremap.patch
|
||||
|
|