From 93819d25f00803e00b6578e7a719f17a3e851532 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 26 Feb 2017 20:10:47 +0000 Subject: [PATCH] Update to 4.9.13 --- debian/changelog | 32 +++++++++++-- ...g-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 ------------------- debian/patches/series | 1 - 3 files changed, 28 insertions(+), 52 deletions(-) delete mode 100644 debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch diff --git a/debian/changelog b/debian/changelog index 0c7bd59f4..9d2b8533e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.9.12-1) UNRELEASED; urgency=medium +linux (4.9.13-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11 @@ -55,6 +55,33 @@ linux (4.9.12-1) UNRELEASED; urgency=medium - timekeeping: Use deferred printk() in debug code - bcache: Make gc wakeup sane, remove set_task_state() - videodev2.h: go back to limited range Y'CbCr for SRGB and, ADOBERGB + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.13 + - net/mlx5e: Disable preemption when doing TC statistics upcall + - net/llc: avoid BUG_ON() in skb_orphan() + - net: ethernet: ti: cpsw: fix cpsw assignment in resume + (regression in 4.9) + - packet: fix races in fanout_add() + - packet: Do not call fanout_release from atomic contexts + (regression in 4.9) + - net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification + - dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074) + - vxlan: fix oops in dev_fill_metadata_dst (regression in 4.6) + - irda: Fix lockdep annotations in hashbin_delete(). + - ptr_ring: fix race conditions when resizing + - ip: fix IP_CHECKSUM handling (regression in 4.0) + - net: socket: fix recvmmsg not returning error from sock_error + (regression in 4.6) + - USB: serial: mos7840: fix another NULL-deref at open + - USB: serial: ftdi_sio: fix modem-status error handling + - USB: serial: ftdi_sio: fix extreme low-latency setting + - USB: serial: ftdi_sio: fix line-status over-reporting + - USB: serial: spcp8x5: fix modem-status handling + - USB: serial: opticon: fix CTS retrieval at open + - USB: serial: ark3116: fix register-accessor error handling + - netfilter: nf_ct_helper: warn when not applying default helper assignment + - block: fix double-free in the failure path of cgwb_bdi_init() + - rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down + - xfs: clear delalloc and cache on buffered write failure [ Ben Hutchings ] * [armel] dts: kirkwood: Fix SATA pinmux-ing for TS419 (Closes: #855017) @@ -65,9 +92,6 @@ linux (4.9.12-1) UNRELEASED; urgency=medium * udeb: Add more USB host and dual-role drivers to usb-modules (Closes: #856111) - [ Salvatore Bonaccorso ] - * dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074) - -- Ben Hutchings Sat, 18 Feb 2017 00:38:10 +0000 linux (4.9.10-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch deleted file mode 100644 index 4421444a5..000000000 --- a/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Andrey Konovalov -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO -Origin: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba34718..8fedc2d 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -2.1.4 - diff --git a/debian/patches/series b/debian/patches/series index 45430b807..848611101 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -108,7 +108,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch