Update to 4.9.11
This commit is contained in:
Ben Hutchings
parent
5e5afa386a
commit
7b50304bda
|
|
@ -1,5 +1,40 @@
|
|||
linux (4.9.10-2) UNRELEASED; urgency=medium
|
||||
linux (4.9.11-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
|
||||
- can: Fix kernel panic at security_sock_rcv_skb
|
||||
- net/mlx5e: Fix update of hash function/key via ethtool
|
||||
- net/sched: matchall: Fix configuration race
|
||||
- ipv6: fix ip6_tnl_parse_tlv_enc_lim()
|
||||
- ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
|
||||
- tcp: fix 0 divide in __tcp_select_window()
|
||||
- stmmac: Discard masked flags in interrupt status register
|
||||
- net: use a work queue to defer net_disable_timestamp() work
|
||||
- netlabel: out of bound access in cipso_v4_validate()
|
||||
- ip6_gre: fix ip6gre_err() invalid reads
|
||||
- ipv6: tcp: add a missing tcp_v6_restore_cb()
|
||||
- tcp: avoid infinite loop in tcp_splice_read()
|
||||
- tun: read vnet_hdr_sz once
|
||||
- macvtap: read vnet_hdr_size once
|
||||
- rtl8150: Use heap buffers for all register access
|
||||
- catc: Combine failure cleanup code in catc_probe()
|
||||
- catc: Use heap buffer for memory size test
|
||||
- mlx4: Invoke softirqs after napi_reschedule
|
||||
- lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled
|
||||
- sit: fix a double free on error path
|
||||
- net: introduce device min_header_len
|
||||
- packet: round up linear to header len
|
||||
- ping: fix a null pointer dereference
|
||||
- net: dsa: Do not destroy invalid network devices
|
||||
- l2tp: do not use udp_ioctl()
|
||||
- mld: do not remove mld souce list info when set link down
|
||||
- igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
|
||||
- tcp: fix mark propagation with fwmark_reflect enabled
|
||||
- net/mlx5: Don't unlock fte while still using it
|
||||
- tcp: don't annotate mark on control socket from tcp_v6_send_response()
|
||||
- [x86] fpu/xstate: Fix xcomp_bv in XSAVES header
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [armel] dts: kirkwood: Fix SATA pinmux-ing for TS419 (Closes: #855017)
|
||||
* [armhf] Enable DRM_OMAP_PANEL_TPO_TD028TTEC1, PWM_OMAP_DMTIMER as modules
|
||||
(Closes: #855472)
|
||||
|
|
|
|||
|
|
@ -1,47 +0,0 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Sat, 4 Feb 2017 11:16:52 -0800
|
||||
Subject: ipv4: keep skb->dst around in presence of IP options
|
||||
Origin: https://git.kernel.org/linus/34b2cef20f19c87999fff3da4071e66937db9644
|
||||
|
||||
Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
|
||||
is accessed.
|
||||
|
||||
ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
|
||||
are present.
|
||||
|
||||
We could refine the test to the presence of ts_needtime or srr,
|
||||
but IP options are not often used, so let's be conservative.
|
||||
|
||||
Thanks to syzkaller team for finding this bug.
|
||||
|
||||
Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ip_sockglue.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
|
||||
index 53ae0c6..9000117 100644
|
||||
--- a/net/ipv4/ip_sockglue.c
|
||||
+++ b/net/ipv4/ip_sockglue.c
|
||||
@@ -1238,7 +1238,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
|
||||
pktinfo->ipi_ifindex = 0;
|
||||
pktinfo->ipi_spec_dst.s_addr = 0;
|
||||
}
|
||||
- skb_dst_drop(skb);
|
||||
+ /* We need to keep the dst for __ip_options_echo()
|
||||
+ * We could restrict the test to opt.ts_needtime || opt.srr,
|
||||
+ * but the following is good enough as IP options are not often used.
|
||||
+ */
|
||||
+ if (unlikely(IPCB(skb)->opt.optlen))
|
||||
+ skb_dst_force(skb);
|
||||
+ else
|
||||
+ skb_dst_drop(skb);
|
||||
}
|
||||
|
||||
int ip_setsockopt(struct sock *sk, int level,
|
||||
--
|
||||
2.1.4
|
||||
|
||||
|
|
@ -1,88 +0,0 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Fri, 27 Jan 2017 02:44:26 +0000
|
||||
Subject: pegasus: Use heap buffers for all register access
|
||||
Forwarded: https://patchwork.ozlabs.org/patch/724109/
|
||||
Bug-Debian: https://bugs.debian.org/852556
|
||||
|
||||
Allocating USB buffers on the stack is not portable, and no longer
|
||||
works on x86_64 (with VMAP_STACK enabled as per default).
|
||||
|
||||
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
|
||||
References: https://bugs.debian.org/852556
|
||||
Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
|
||||
Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/net/usb/pegasus.c | 29 +++++++++++++++++++++++++----
|
||||
1 file changed, 25 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
|
||||
index 24e803fe9a53..36674484c6fb 100644
|
||||
--- a/drivers/net/usb/pegasus.c
|
||||
+++ b/drivers/net/usb/pegasus.c
|
||||
@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
|
||||
|
||||
static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
|
||||
{
|
||||
+ u8 *buf;
|
||||
int ret;
|
||||
|
||||
+ buf = kmalloc(size, GFP_NOIO);
|
||||
+ if (!buf)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
|
||||
PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
|
||||
- indx, data, size, 1000);
|
||||
+ indx, buf, size, 1000);
|
||||
if (ret < 0)
|
||||
netif_dbg(pegasus, drv, pegasus->net,
|
||||
"%s returned %d\n", __func__, ret);
|
||||
+ else if (ret <= size)
|
||||
+ memcpy(data, buf, ret);
|
||||
+ kfree(buf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
|
||||
+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
|
||||
+ const void *data)
|
||||
{
|
||||
+ u8 *buf;
|
||||
int ret;
|
||||
|
||||
+ buf = kmemdup(data, size, GFP_NOIO);
|
||||
+ if (!buf)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
|
||||
PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
|
||||
- indx, data, size, 100);
|
||||
+ indx, buf, size, 100);
|
||||
if (ret < 0)
|
||||
netif_dbg(pegasus, drv, pegasus->net,
|
||||
"%s returned %d\n", __func__, ret);
|
||||
+ kfree(buf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
|
||||
{
|
||||
+ u8 *buf;
|
||||
int ret;
|
||||
|
||||
+ buf = kmemdup(&data, 1, GFP_NOIO);
|
||||
+ if (!buf)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
|
||||
PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
|
||||
- indx, &data, 1, 1000);
|
||||
+ indx, buf, 1, 1000);
|
||||
if (ret < 0)
|
||||
netif_dbg(pegasus, drv, pegasus->net,
|
||||
"%s returned %d\n", __func__, ret);
|
||||
+ kfree(buf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Date: Mon, 6 Feb 2017 18:10:31 -0200
|
||||
Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
|
||||
Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
|
||||
|
||||
Alexander Popov reported that an application may trigger a BUG_ON in
|
||||
sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
|
||||
waiting on it to queue more data and meanwhile another thread peels off
|
||||
the association being used by the first thread.
|
||||
|
||||
This patch replaces the BUG_ON call with a proper error handling. It
|
||||
will return -EPIPE to the original sendmsg call, similarly to what would
|
||||
have been done if the association wasn't found in the first place.
|
||||
|
||||
Acked-by: Alexander Popov <alex.popov@linux.com>
|
||||
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Reviewed-by: Xin Long <lucien.xin@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/socket.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index 37eeab7..e214d2e 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
|
||||
*/
|
||||
release_sock(sk);
|
||||
current_timeo = schedule_timeout(current_timeo);
|
||||
- BUG_ON(sk != asoc->base.sk);
|
||||
+ if (sk != asoc->base.sk)
|
||||
+ goto do_error;
|
||||
lock_sock(sk);
|
||||
|
||||
*timeo_p = current_timeo;
|
||||
--
|
||||
2.1.4
|
||||
|
||||
|
|
@ -77,7 +77,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
|||
bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
|
||||
bugfix/all/ath9k-fix-null-pointer-dereference.patch
|
||||
bugfix/all/nbd-fix-64-bit-division.patch
|
||||
bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
|
||||
bugfix/all/net-ipv6-check-route-protocol-when-deleting-routes.patch
|
||||
bugfix/all/media-dvb-usb-dibusb-mc-common-add-module_license.patch
|
||||
|
||||
|
|
@ -109,8 +108,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
|
||||
bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue