debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

Update to 4.3.4

This commit is contained in:
Ben Hutchings 2016-01-23 12:11:55 +00:00
parent 33cd223d58
commit 9b355e6846
10 changed files with 55 additions and 549 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
debian/changelog vendored
View File

@ -1,3 +1,58 @@
linux (4.3.4-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
- ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
- ACPI: Using correct irq when waiting for events
- ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle
- tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0
- toshiba_acpi: Initialize hotkey_event_type variable
- USB: cdc_acm: Ignore Infineon Flash Loader utility
- USB: serial: Another Infineon flash loader USB ID
- usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter
JMicron
- USB: cp210x: Remove CP2110 ID from compatibility list
- USB: add quirk for devices with broken LPM
- USB: whci-hcd: add check for dma mapping error
- usb: gadget: pxa27x: fix suspend callback
- USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq
- usb: musb: USB_TI_CPPI41_DMA requires dmaengine support
- usb: core : hub: Fix BOS 'NULL pointer' kernel panic
- usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
- pppoe: fix memory corruption in padt work structure
- gre6: allow to update all parameters via rtnl
- atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
- ipv6: keep existing flags when setting IFA_F_OPTIMISTIC
- vxlan: fix incorrect RCO bit in VXLAN header
- sctp: use the same clock as if sock source timestamps were on
- sctp: update the netstamp_needed counter when copying sockets
- sctp: also copy sk_tsflags when copying the socket
- net: cdc_mbim: add "NDP to end" quirk for Huawei E3372
- net: qca_spi: fix transmit queue timeout handling
- r8152: fix lockup when runtime PM is enabled
- ipv6: sctp: clone options to avoid use after free
- phy: micrel: Fix finding PHY properties in MAC node.
- openvswitch: Fix helper reference leak
- openvswitch: Respect conntrack zone even if invalid
- uapi: export ila.h
- sh_eth: fix kernel oops in skb_put()
- net: fix IP early demux races
- vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
- skbuff: Fix offset error in skb_reorder_vlan_header
- net: check both type and procotol for tcp sockets
- net_sched: make qdisc_tree_decrease_qlen() work for non mq
- net: fix uninitialized variable issue
- ipv6: automatically enable stable privacy mode if stable_secret set
- inet: tcp: fix inetpeer_set_addr_v4()
- rhashtable: Enforce minimum size on initial hash table
- gianfar: Don't enable RX Filer if not supported
- fou: clean up socket with kfree_rcu
- af_unix: Revert 'lock_interruptible' in stream receive code
- tcp: restore fastopen with no data in SYN packet
- rhashtable: Fix walker list corruption
-- Ben Hutchings <ben@decadent.org.uk> Sat, 23 Jan 2016 11:51:46 +0000
linux (4.3.3-7) unstable; urgency=medium
* linux-image-dbg: Don't rely on upstream makefile to make .build-id

75
debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch vendored
View File

@ -1,75 +0,0 @@
From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001
From: Yevgeny Pats <yevgeny@perception-point.io>
Date: Mon, 11 Jan 2016 12:05:28 +0000
Subject: KEYS: Fix keyring ref leak in join_session_keyring()
If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.
This can be tested with the following program:
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>
int main(int argc, const char *argv[])
{
int i = 0;
key_serial_t serial;
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial,
KEY_POS_ALL | KEY_USR_ALL) < 0) {
perror("keyctl");
return -1;
}
for (i = 0; i < 100; i++) {
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
}
return 0;
}
If, after the program has run, there something like the following line in
/proc/keys:
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning. If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/process_keys.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index a3f85d2..e6d50172 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
ret = PTR_ERR(keyring);
goto error2;
} else if (keyring == new->session_keyring) {
+ key_put(keyring);
ret = 0;
goto error2;
}
--
2.7.0.rc3

22
debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch vendored
View File

@ -1,22 +0,0 @@
From: "David S. Miller" <davem@davemloft.net>
Date: Tue, 15 Dec 2015 15:39:08 -0500
Subject: bluetooth: Validate socket address length in sco_sock_bind().
Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/bluetooth/sco.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
+ if (addr_len < sizeof(struct sockaddr_sco))
+ return -EINVAL;
+
lock_sock(sk);
if (sk->sk_state != BT_OPEN) {

110
debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch vendored
View File

@ -1,110 +0,0 @@
From: David Howells <dhowells@redhat.com>
Date: Fri, 18 Dec 2015 01:34:26 +0000
Subject: KEYS: Fix race between read and revoke
Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
This fixes CVE-2015-7550.
There's a race between keyctl_read() and keyctl_revoke(). If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.
This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.
Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.
I think the bug was introduced with the original keyrings code.
This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller). Here's a cleaned up version:
#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>
void *thr0(void *arg)
{
key_serial_t key = (unsigned long)arg;
keyctl_revoke(key);
return 0;
}
void *thr1(void *arg)
{
key_serial_t key = (unsigned long)arg;
char buffer[16];
keyctl_read(key, buffer, 16);
return 0;
}
int main()
{
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
pthread_t th[5];
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
pthread_join(th[2], 0);
pthread_join(th[3], 0);
return 0;
}
Build as:
cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
Run as:
while keyctl-race; do :; done
as it may need several iterations to crash the kernel. The crash can be
summarised as:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
[<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
[<ffffffff81277815>] SyS_keyctl+0x83/0xe0
[<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
---
security/keys/keyctl.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid,
/* the key is probably readable - now try to read it */
can_read_key:
- ret = key_validate(key);
- if (ret == 0) {
- ret = -EOPNOTSUPP;
- if (key->type->read) {
- /* read the data with the semaphore held (since we
- * might sleep) */
- down_read(&key->sem);
+ ret = -EOPNOTSUPP;
+ if (key->type->read) {
+ /* Read the data with the semaphore held (since we might sleep)
+ * to protect against the key being updated or revoked.
+ */
+ down_read(&key->sem);
+ ret = key_validate(key);
+ if (ret == 0)
ret = key->type->read(key, buffer, buflen);
- up_read(&key->sem);
- }
+ up_read(&key->sem);
}
error2:

121
debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch vendored
View File

@ -1,121 +0,0 @@
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon, 14 Dec 2015 22:03:39 +0100
Subject: net: add validation for the socket syscall protocol argument
Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9
郭永刚 reported that one could simply crash the kernel as root by
using a simple program:
int socket_fd;
struct sockaddr_in addr;
addr.sin_port = 0;
addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_family = 10;
socket_fd = socket(10,3,0x40000000);
connect(socket_fd , &addr,16);
AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.
This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.
kernel: Call Trace:
kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
I found no particular commit which introduced this problem.
CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/sock.h | 1 +
net/ax25/af_ax25.c | 3 +++
net/decnet/af_decnet.c | 3 +++
net/ipv4/af_inet.c | 3 +++
net/ipv6/af_inet6.c | 3 +++
net/irda/af_irda.c | 3 +++
6 files changed, 16 insertions(+)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -387,6 +387,7 @@ struct sock {
sk_no_check_rx : 1,
sk_userlocks : 4,
sk_protocol : 8,
+#define SK_PROTOCOL_MAX U8_MAX
sk_type : 16;
kmemcheck_bitfield_end(flags);
int sk_wmem_queued;
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net,
struct sock *sk;
ax25_cb *ax25;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (!net_eq(net, &init_net))
return -EAFNOSUPPORT;
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st
{
struct sock *sk;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (!net_eq(net, &init_net))
return -EAFNOSUPPORT;
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -261,6 +261,9 @@ static int inet_create(struct net *net,
int try_loading_module = 0;
int err;
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
+ return -EINVAL;
+
sock->state = SS_UNCONNECTED;
/* Look for the requested type/protocol pair. */
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
int try_loading_module = 0;
int err;
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
+ return -EINVAL;
+
/* Look for the requested type/protocol pair. */
lookup_protocol:
err = -ESOCKTNOSUPPORT;
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net,
struct sock *sk;
struct irda_sock *self;
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+ return -EINVAL;
+
if (net != &init_net)
return -EAFNOSUPPORT;

34
debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch vendored
View File

@ -1,34 +0,0 @@
From: WANG Cong <xiyou.wangcong@gmail.com>
Date: Mon, 14 Dec 2015 13:48:36 -0800
Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/ppp/pptp.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock
struct pptp_opt *opt = &po->proto.pptp;
int error = 0;
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
+ return -EINVAL;
+
lock_sock(sk);
opt->src_addr = sp->sa_addr.pptp;
@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *s
struct flowi4 fl4;
int error = 0;
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
+ return -EINVAL;
+
if (sp->sa_protocol != PX_PROTO_PPTP)
return -EINVAL;

55
debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch vendored
View File

@ -1,55 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 15 Dec 2015 15:26:45 +0000
Subject: Revert "vrf: fix double free and memory corruption on register_netdevice failure"
Forwarded: http://mid.gmane.org/20151215153149.GO28542@decadent.org.uk
This reverts commit b3abad339f8e268bb261e5844ab68b18a7797c29, which
was an attempt to backport commit 7f109f7cc37108cba7243bc832988525b0d85909
upstream. The backport introduced a deadlock and other bugs.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/vrf.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index c9e309c..488c6f5 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
{
struct net_vrf *vrf = netdev_priv(dev);
struct net_vrf_dev *vrf_ptr;
+ int err;
if (!data || !data[IFLA_VRF_TABLE])
return -EINVAL;
@@ -589,16 +590,26 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
dev->priv_flags |= IFF_VRF_MASTER;
+ err = -ENOMEM;
vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
if (!vrf_ptr)
- return -ENOMEM;
+ goto out_fail;
vrf_ptr->ifindex = dev->ifindex;
vrf_ptr->tb_id = vrf->tb_id;
+ err = register_netdevice(dev);
+ if (err < 0)
+ goto out_fail;
+
rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
- return register_netdev(dev);
+ return 0;
+
+out_fail:
+ kfree(vrf_ptr);
+ free_netdev(dev);
+ return err;
}
static size_t vrf_nl_getsize(const struct net_device *dev)

29
debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch vendored
View File

@ -1,29 +0,0 @@
Date: Tue, 15 Dec 2015 21:21:56 +0000
From: Ben Hutchings <ben@decadent.org.uk>
Subject: tipc: Fix kfree_skb() of uninitialised pointer
Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk
Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
headroom") added a "goto tx_error". This is fine upstream, but
when backported to 4.3 it results in attempting to free the clone
before it has been allocated. In this early error case, no
cleanup is needed.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/tipc/udp_media.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 86f2e7c..73bdf1b 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
if (err)
- goto tx_error;
+ return err;
}
clone = skb_clone(skb, GFP_ATOMIC);

95
debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch vendored
View File

@ -1,95 +0,0 @@
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date: Sat, 21 Nov 2015 19:46:19 +0100
Subject: vrf: fix double free and memory corruption on register_netdevice failure
Origin: https://git.kernel.org/linus/7f109f7cc37108cba7243bc832988525b0d85909
When vrf's ->newlink is called, if register_netdevice() fails then it
does free_netdev(), but that's also done by rtnl_newlink() so a second
free happens and memory gets corrupted, to reproduce execute the
following line a couple of times (1 - 5 usually is enough):
$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done;
This works because we fail in register_netdevice() because of the wrong
name "vrf:".
And here's a trace of one crash:
[ 28.792157] ------------[ cut here ]------------
[ 28.792407] kernel BUG at fs/namei.c:246!
[ 28.792608] invalid opcode: 0000 [#1] SMP
[ 28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry
nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul
crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse
glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev
parport_pc parport serio_raw pcspkr virtio_balloon virtio_console
i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4
ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom
ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix
libata virtio_pci virtio_ring virtio scsi_mod floppy
[ 28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted
4.4.0-rc1+ #24
[ 28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.8.1-20150318_183358- 04/01/2014
[ 28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti:
ffff88003592c000
[ 28.796016] RIP: 0010:[<ffffffff812187b3>] [<ffffffff812187b3>]
putname+0x43/0x60
[ 28.796016] RSP: 0018:ffff88003592fe88 EFLAGS: 00010246
[ 28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX:
0000000000000001
[ 28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
ffff88003784f000
[ 28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09:
0000000000000000
[ 28.796016] R10: 0000000000000000 R11: 0000000000000001 R12:
0000000000000000
[ 28.796016] R13: 000000000000047c R14: ffff88003784f000 R15:
ffff8800358c4a00
[ 28.796016] FS: 0000000000000000(0000) GS:ffff88003fc00000(0000)
knlGS:0000000000000000
[ 28.796016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4:
00000000000406f0
[ 28.796016] Stack:
[ 28.796016] ffffffff8121045d ffffffff812102d3 ffff8800352561c0
ffff880035a91660
[ 28.796016] ffff8800008a9880 0000000000000000 ffffffff81a49940
00ffffff81218684
[ 28.796016] ffff8800352561c0 000000000000047c 0000000000000000
ffff880035b36d80
[ 28.796016] Call Trace:
[ 28.796016] [<ffffffff8121045d>] ?
do_execveat_common.isra.34+0x74d/0x930
[ 28.796016] [<ffffffff812102d3>] ?
do_execveat_common.isra.34+0x5c3/0x930
[ 28.796016] [<ffffffff8121066c>] do_execve+0x2c/0x30
[ 28.796016] [<ffffffff810939a0>]
call_usermodehelper_exec_async+0xf0/0x140
[ 28.796016] [<ffffffff810938b0>] ? umh_complete+0x40/0x40
[ 28.796016] [<ffffffff815cb1af>] ret_from_fork+0x3f/0x70
[ 28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6
74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d
f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9
[ 28.796016] RIP [<ffffffff812187b3>] putname+0x43/0x60
[ 28.796016] RSP <ffff88003592fe88>
Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: For 4.3, retain the kfree() on failure]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/vrf.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 488c6f5..374feba 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
out_fail:
kfree(vrf_ptr);
- free_netdev(dev);
return err;
}

8
debian/patches/series vendored
View File

@ -106,13 +106,7 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
bugfix/all/xen-add-ring_copy_request.patch
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
@ -127,7 +121,6 @@ bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
debian/ptrace-fix-abi-change-for-priv-esc-fix.patch
bugfix/all/keys-fix-race-between-read-and-revoke.patch
bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
@ -147,4 +140,3 @@ bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch