From 8e44fd873cb4353cb67e9e3e58c02487ddd61eaa Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 25 Aug 2017 21:34:44 +0200 Subject: [PATCH] Update to 4.12.7 --- debian/changelog | 21 ++++- ...x-tp_reserve-race-in-packet_set_ring.patch | 51 ---------- ...sistently-apply-ufo-or-fragmentation.patch | 94 ------------------- debian/patches/series | 2 - 4 files changed, 20 insertions(+), 148 deletions(-) delete mode 100644 debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch delete mode 100644 debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch diff --git a/debian/changelog b/debian/changelog index 6388fc4ea..ce66ccbcf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,23 @@ -linux (4.12.6-2) UNRELEASED; urgency=medium +linux (4.12.7-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.7 + - ppp: Fix false xmit recursion detect with two ppp devices + - ppp: fix xmit recursion detection on ppp channels + - tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states + - net: fix keepalive code vs TCP_FASTOPEN_CONNECT + - ipv6: set rt6i_protocol properly in the route when it is installed + - [s390x] bpf: fix jit branch offset related to ldimm64 + - net/mlx4_en: don't set CHECKSUM_COMPLETE on SCTP packets + - net: sched: set xt_tgchk_param par.net properly in ipt_init_target + - net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target + - tcp: fastopen: tcp_connect() must refresh the route + - qmi_wwan: fix NULL deref on disconnect + - net: avoid skb_warn_bad_offload false positives on UFO + - igmp: Fix regression caused by igmp sysctl namespace code. + - scsi: sg: only check for dxfer_len greater than 256M + - btrfs: Remove false alert when fiemap range is smaller than on-disk + extent * [alpha] udeb: Add i2c-modules (fixes FTBFS) * cpupower: Add/update definition of MSRHEADER macro for turbostat and diff --git a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch deleted file mode 100644 index d6e14ad86..000000000 --- a/debian/patches/bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Willem de Bruijn -Date: Thu, 10 Aug 2017 12:41:58 -0400 -Subject: packet: fix tp_reserve race in packet_set_ring -Origin: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000111 - -Updates to tp_reserve can race with reads of the field in -packet_set_ring. Avoid this by holding the socket lock during -updates in setsockopt PACKET_RESERVE. - -This bug was discovered by syzkaller. - -Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") -Reported-by: Andrey Konovalov -Signed-off-by: Willem de Bruijn -Signed-off-by: David S. Miller ---- - net/packet/af_packet.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 0615c2a950fa..008a45ca3112 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv - - if (optlen != sizeof(val)) - return -EINVAL; -- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) -- return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; - if (val > INT_MAX) - return -EINVAL; -- po->tp_reserve = val; -- return 0; -+ lock_sock(sk); -+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { -+ ret = -EBUSY; -+ } else { -+ po->tp_reserve = val; -+ ret = 0; -+ } -+ release_sock(sk); -+ return ret; - } - case PACKET_LOSS: - { --- -2.11.0 - diff --git a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch deleted file mode 100644 index 5233c2741..000000000 --- a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch +++ /dev/null @@ -1,94 +0,0 @@ -From: Willem de Bruijn -Date: Thu, 10 Aug 2017 12:29:19 -0400 -Subject: udp: consistently apply ufo or fragmentation -Origin: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112 - -When iteratively building a UDP datagram with MSG_MORE and that -datagram exceeds MTU, consistently choose UFO or fragmentation. - -Once skb_is_gso, always apply ufo. Conversely, once a datagram is -split across multiple skbs, do not consider ufo. - -Sendpage already maintains the first invariant, only add the second. -IPv6 does not have a sendpage implementation to modify. - -A gso skb must have a partial checksum, do not follow sk_no_check_tx -in udp_send_skb. - -Found by syzkaller. - -Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") -Reported-by: Andrey Konovalov -Signed-off-by: Willem de Bruijn -Signed-off-by: David S. Miller ---- - net/ipv4/ip_output.c | 8 +++++--- - net/ipv4/udp.c | 2 +- - net/ipv6/ip6_output.c | 7 ++++--- - 3 files changed, 10 insertions(+), 7 deletions(-) - -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 50c74cd890bc..e153c40c2436 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -965,11 +965,12 @@ static int __ip_append_data(struct sock *sk, - csummode = CHECKSUM_PARTIAL; - - cork->length += length; -- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) || -- (skb && skb_is_gso(skb))) && -+ if ((skb && skb_is_gso(skb)) || -+ (((length + (skb ? skb->len : fragheaderlen)) > mtu) && -+ (skb_queue_len(queue) <= 1) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && -- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { -+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) { - err = ip_ufo_append_data(sk, queue, getfrag, from, length, - hh_len, fragheaderlen, transhdrlen, - maxfraglen, flags); -@@ -1288,6 +1289,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page, - return -EINVAL; - - if ((size + skb->len > mtu) && -+ (skb_queue_len(&sk->sk_write_queue) == 1) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO)) { - if (skb->ip_summed != CHECKSUM_PARTIAL) -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index e6276fa3750b..a7c804f73990 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -802,7 +802,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4) - if (is_udplite) /* UDP-Lite */ - csum = udplite_csum(skb); - -- else if (sk->sk_no_check_tx) { /* UDP csum disabled */ -+ else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */ - - skb->ip_summed = CHECKSUM_NONE; - goto send; -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 162efba0d0cd..2dfe50d8d609 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1381,11 +1381,12 @@ static int __ip6_append_data(struct sock *sk, - */ - - cork->length += length; -- if ((((length + (skb ? skb->len : headersize)) > mtu) || -- (skb && skb_is_gso(skb))) && -+ if ((skb && skb_is_gso(skb)) || -+ (((length + (skb ? skb->len : headersize)) > mtu) && -+ (skb_queue_len(queue) <= 1) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && -- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) { -+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) { - err = ip6_ufo_append_data(sk, queue, getfrag, from, length, - hh_len, fragheaderlen, exthdrlen, - transhdrlen, mtu, flags, fl6); --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index ed0a66bda..fad0ddab2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -123,8 +123,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch -bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch bugfix/all/xfrm-policy-check-policy-direction-value.patch # Fix exported symbol versions