From 9b355e6846793b107e2b0518e7874fc88ce57537 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 23 Jan 2016 12:11:55 +0000 Subject: [PATCH] Update to 4.3.4 --- debian/changelog | 55 ++++++++ ...ing-ref-leak-in-join_session_keyring.patch | 75 ----------- ...te-socket-address-length-in-sco_sock.patch | 22 ---- ...eys-fix-race-between-read-and-revoke.patch | 110 ---------------- ...tion-for-the-socket-syscall-protocol.patch | 121 ------------------ ...addr_len-in-pptp_bind-and-pptp_conne.patch | 34 ----- ...ouble-free-and-memory-corruption-on-.patch | 55 -------- ...x-kfree_skb-of-uninitialised-pointer.patch | 29 ----- ...ree-and-memory-corruption-on-registe.patch | 95 -------------- debian/patches/series | 8 -- 10 files changed, 55 insertions(+), 549 deletions(-) delete mode 100644 debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch delete mode 100644 debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch delete mode 100644 debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch delete mode 100644 debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch delete mode 100644 debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch delete mode 100644 debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch delete mode 100644 debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch delete mode 100644 debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch diff --git a/debian/changelog b/debian/changelog index 83d54a0de..7d35ae95b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,58 @@ +linux (4.3.4-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4 + - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler + - ACPI: Using correct irq when waiting for events + - ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle + - tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0 + - toshiba_acpi: Initialize hotkey_event_type variable + - USB: cdc_acm: Ignore Infineon Flash Loader utility + - USB: serial: Another Infineon flash loader USB ID + - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter + JMicron + - USB: cp210x: Remove CP2110 ID from compatibility list + - USB: add quirk for devices with broken LPM + - USB: whci-hcd: add check for dma mapping error + - usb: gadget: pxa27x: fix suspend callback + - USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq + - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support + - usb: core : hub: Fix BOS 'NULL pointer' kernel panic + - usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message + - pppoe: fix memory corruption in padt work structure + - gre6: allow to update all parameters via rtnl + - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation + - ipv6: keep existing flags when setting IFA_F_OPTIMISTIC + - vxlan: fix incorrect RCO bit in VXLAN header + - sctp: use the same clock as if sock source timestamps were on + - sctp: update the netstamp_needed counter when copying sockets + - sctp: also copy sk_tsflags when copying the socket + - net: cdc_mbim: add "NDP to end" quirk for Huawei E3372 + - net: qca_spi: fix transmit queue timeout handling + - r8152: fix lockup when runtime PM is enabled + - ipv6: sctp: clone options to avoid use after free + - phy: micrel: Fix finding PHY properties in MAC node. 
+ - openvswitch: Fix helper reference leak + - openvswitch: Respect conntrack zone even if invalid + - uapi: export ila.h + - sh_eth: fix kernel oops in skb_put() + - net: fix IP early demux races + - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off + - skbuff: Fix offset error in skb_reorder_vlan_header + - net: check both type and procotol for tcp sockets + - net_sched: make qdisc_tree_decrease_qlen() work for non mq + - net: fix uninitialized variable issue + - ipv6: automatically enable stable privacy mode if stable_secret set + - inet: tcp: fix inetpeer_set_addr_v4() + - rhashtable: Enforce minimum size on initial hash table + - gianfar: Don't enable RX Filer if not supported + - fou: clean up socket with kfree_rcu + - af_unix: Revert 'lock_interruptible' in stream receive code + - tcp: restore fastopen with no data in SYN packet + - rhashtable: Fix walker list corruption + + -- Ben Hutchings Sat, 23 Jan 2016 11:51:46 +0000 + linux (4.3.3-7) unstable; urgency=medium * linux-image-dbg: Don't rely on upstream makefile to make .build-id diff --git a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch deleted file mode 100644 index 9c6a96973..000000000 --- a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +++ /dev/null 
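Review bot: the 4.3.4-1 changelog entry does not record that this same commit drops eight patches from debian/patches (the two KEYS fixes, the socket-syscall protocol validation for CVE-2015-8543, the pptp and sco sockaddr_len checks, the vrf revert/re-backport pair and the tipc kfree_skb fix), and none of those subjects appears in the list of upstream 4.3.4 changes either, so a reader of the changelog cannot tell whether those fixes are still in the package. Suggest adding a line such as `- Drop patches that are now included upstream`, naming at least the CVE-2015-7550 and CVE-2015-8543 fixes since those are what a security tracker will look for, and confirming against the 4.3.4 tree before this UNRELEASED entry goes out that each removed fix is actually present there.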
@@ -1,75 +0,0 @@ -From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001 -From: Yevgeny Pats -Date: Mon, 11 Jan 2016 12:05:28 +0000 -Subject: KEYS: Fix keyring ref leak in join_session_keyring() - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include - #include - #include - #include - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. - -Reported-by: Yevgeny Pats -Signed-off-by: David Howells ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index a3f85d2..e6d50172 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -2.7.0.rc3 - 
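Review bot: unlike the other dropped patches, this one carries no `Origin:` line and no `Cc: stable` tag, only the `From 7ca88764d45c209791e8813131c1457c2e9e51e7` header, so nothing on this page ties it to the 4.3.4 stable release, and the 4.3.4 list in the changelog mentions no KEYS change at all. Before dropping it, check that `security/keys/process_keys.c` in 4.3.4 has the `key_put(keyring);` in the `keyring == new->session_keyring` branch of `join_session_keyring()`, and re-run the reproducer from the commit message on the new kernel: the `leaked-keyring` entry in `/proc/keys` must not show a usage count that grows with each run.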
diff --git a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch b/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch deleted file mode 100644 index ab4bdf6bd..000000000 --- a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: "David S. Miller" -Date: Tue, 15 Dec 2015 15:39:08 -0500 -Subject: bluetooth: Validate socket address length in sco_sock_bind(). -Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4 - -Signed-off-by: David S. Miller ---- - net/bluetooth/sco.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket * - if (!addr || addr->sa_family != AF_BLUETOOTH) - return -EINVAL; - -+ if (addr_len < sizeof(struct sockaddr_sco)) -+ return -EINVAL; -+ - lock_sock(sk); - - if (sk->sk_state != BT_OPEN) { diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch deleted file mode 100644 index e75e67730..000000000 --- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From: David Howells -Date: Fri, 18 Dec 2015 01:34:26 +0000 -Subject: KEYS: Fix race between read and revoke -Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d - -This fixes CVE-2015-7550. - -There's a race between keyctl_read() and keyctl_revoke(). If the revoke -happens between keyctl_read() checking the validity of a key and the key's -semaphore being taken, then the key type read method will see a revoked key. - -This causes a problem for the user-defined key type because it assumes in -its read method that there will always be a payload in a non-revoked key -and doesn't check for a NULL pointer. - -Fix this by making keyctl_read() check the validity of a key after taking -semaphore instead of before. - -I think the bug was introduced with the original keyrings code. - -This was discovered by a multithreaded test program generated by syzkaller -(http://github.com/google/syzkaller). Here's a cleaned up version: - - #include - #include - #include - void *thr0(void *arg) - { - key_serial_t key = (unsigned long)arg; - keyctl_revoke(key); - return 0; - } - void *thr1(void *arg) - { - key_serial_t key = (unsigned long)arg; - char buffer[16]; - keyctl_read(key, buffer, 16); - return 0; - } - int main() - { - key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); - pthread_t th[5]; - pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); - pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); - pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); - pthread_join(th[0], 0); - pthread_join(th[1], 0); - pthread_join(th[2], 0); - pthread_join(th[3], 0); - return 0; - } - -Build as: - - cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread - -Run as: - - while keyctl-race; do :; done - -as it may need several iterations to crash the kernel. 
The crash can be -summarised as: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 - IP: [] user_read+0x56/0xa3 - ... - Call Trace: - [] keyctl_read_key+0xb6/0xd7 - [] SyS_keyctl+0x83/0xe0 - [] entry_SYSCALL_64_fastpath+0x12/0x6f - -Reported-by: Dmitry Vyukov -Signed-off-by: David Howells -Tested-by: Dmitry Vyukov -Cc: stable@vger.kernel.org -Signed-off-by: James Morris ---- - security/keys/keyctl.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, - - /* the key is probably readable - now try to read it */ - can_read_key: -- ret = key_validate(key); -- if (ret == 0) { -- ret = -EOPNOTSUPP; -- if (key->type->read) { -- /* read the data with the semaphore held (since we -- * might sleep) */ -- down_read(&key->sem); -+ ret = -EOPNOTSUPP; -+ if (key->type->read) { -+ /* Read the data with the semaphore held (since we might sleep) -+ * to protect against the key being updated or revoked. -+ */ -+ down_read(&key->sem); -+ ret = key_validate(key); -+ if (ret == 0) - ret = key->type->read(key, buffer, buflen); -- up_read(&key->sem); -- } -+ up_read(&key->sem); - } - - error2: diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch deleted file mode 100644 index fb9a94c30..000000000 --- a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From: Hannes Frederic Sowa -Date: Mon, 14 Dec 2015 22:03:39 +0100 -Subject: net: add validation for the socket syscall protocol argument -Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9 - -郭永刚 reported that one could simply crash the kernel as root by -using a simple program: - - int socket_fd; - struct sockaddr_in addr; - addr.sin_port = 0; - addr.sin_addr.s_addr = INADDR_ANY; - addr.sin_family = 10; - - socket_fd = socket(10,3,0x40000000); - connect(socket_fd , &addr,16); - -AF_INET, AF_INET6 sockets actually only support 8-bit protocol -identifiers. inet_sock's skc_protocol field thus is sized accordingly, -thus larger protocol identifiers simply cut off the higher bits and -store a zero in the protocol fields. - -This could lead to e.g. NULL function pointer because as a result of -the cut off inet_num is zero and we call down to inet_autobind, which -is NULL for raw sockets. - -kernel: Call Trace: -kernel: [] ? inet_autobind+0x2e/0x70 -kernel: [] inet_dgram_connect+0x54/0x80 -kernel: [] SYSC_connect+0xd9/0x110 -kernel: [] ? ptrace_notify+0x5b/0x80 -kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 -kernel: [] SyS_connect+0xe/0x10 -kernel: [] tracesys_phase2+0x84/0x89 - -I found no particular commit which introduced this problem. - -CVE: CVE-2015-8543 -Cc: Cong Wang -Reported-by: 郭永刚 -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. 
Miller ---- - include/net/sock.h | 1 + - net/ax25/af_ax25.c | 3 +++ - net/decnet/af_decnet.c | 3 +++ - net/ipv4/af_inet.c | 3 +++ - net/ipv6/af_inet6.c | 3 +++ - net/irda/af_irda.c | 3 +++ - 6 files changed, 16 insertions(+) - ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -387,6 +387,7 @@ struct sock { - sk_no_check_rx : 1, - sk_userlocks : 4, - sk_protocol : 8, -+#define SK_PROTOCOL_MAX U8_MAX - sk_type : 16; - kmemcheck_bitfield_end(flags); - int sk_wmem_queued; ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, - struct sock *sk; - ax25_cb *ax25; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - ---- a/net/decnet/af_decnet.c -+++ b/net/decnet/af_decnet.c -@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st - { - struct sock *sk; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (!net_eq(net, &init_net)) - return -EAFNOSUPPORT; - ---- a/net/ipv4/af_inet.c -+++ b/net/ipv4/af_inet.c -@@ -261,6 +261,9 @@ static int inet_create(struct net *net, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - sock->state = SS_UNCONNECTED; - - /* Look for the requested type/protocol pair. */ ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, - int try_loading_module = 0; - int err; - -+ if (protocol < 0 || protocol >= IPPROTO_MAX) -+ return -EINVAL; -+ - /* Look for the requested type/protocol pair. */ - lookup_protocol: - err = -ESOCKTNOSUPPORT; ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, - struct sock *sk; - struct irda_sock *self; - -+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) -+ return -EINVAL; -+ - if (net != &init_net) - return -EAFNOSUPPORT; - 
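Review bot: the 4.3.4 list in the changelog carries `net: check both type and procotol for tcp sockets`, a follow-up in the same area, but not this validation patch itself (upstream 79462ad02e86, CVE-2015-8543), nor the CVE-2015-7550 `keyctl_read()`/`keyctl_revoke()` race fix, nor the `sco_sock_bind()` length check, and all three are dropped here without comment. Verify in the 4.3.4 tree that `inet_create()` and `inet6_create()` reject `protocol < 0 || protocol >= IPPROTO_MAX` (and ax25/decnet/irda use `SK_PROTOCOL_MAX`), that `keyctl_read_key()` calls `key_validate()` only after `down_read(&key->sem)`, and that `sco_sock_bind()` checks `addr_len < sizeof(struct sockaddr_sco)`. The syzkaller program in the keys patch (`while keyctl-race; do :; done`) and the `socket(10, 3, 0x40000000)` plus `connect()` snippet in this one are ready-made regression checks to run against the new kernel, the latter as root as the report notes.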
diff --git a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch b/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch deleted file mode 100644 index ad192d1f6..000000000 --- a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: WANG Cong -Date: Mon, 14 Dec 2015 13:48:36 -0800 -Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect() -Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1 - -Reported-by: Dmitry Vyukov -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller ---- - drivers/net/ppp/pptp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/net/ppp/pptp.c -+++ b/drivers/net/ppp/pptp.c -@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock - struct pptp_opt *opt = &po->proto.pptp; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - lock_sock(sk); - - opt->src_addr = sp->sa_addr.pptp; -@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *s - struct flowi4 fl4; - int error = 0; - -+ if (sockaddr_len < sizeof(struct sockaddr_pppox)) -+ return -EINVAL; -+ - if (sp->sa_protocol != PX_PROTO_PPTP) - return -EINVAL; - diff --git a/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch b/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch deleted file mode 100644 index cd0f02e16..000000000 --- a/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Ben Hutchings -Date: Tue, 15 Dec 2015 15:26:45 +0000 -Subject: Revert "vrf: fix double free and memory corruption on register_netdevice failure" -Forwarded: http://mid.gmane.org/20151215153149.GO28542@decadent.org.uk - -This reverts commit b3abad339f8e268bb261e5844ab68b18a7797c29, which -was an attempt to backport commit 7f109f7cc37108cba7243bc832988525b0d85909 -upstream. The backport introduced a deadlock and other bugs. - -Signed-off-by: Ben Hutchings ---- - drivers/net/vrf.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index c9e309c..488c6f5 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - { - struct net_vrf *vrf = netdev_priv(dev); - struct net_vrf_dev *vrf_ptr; -+ int err; - - if (!data || !data[IFLA_VRF_TABLE]) - return -EINVAL; -@@ -589,16 +590,26 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - - dev->priv_flags |= IFF_VRF_MASTER; - -+ err = -ENOMEM; - vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL); - if (!vrf_ptr) -- return -ENOMEM; -+ goto out_fail; - - vrf_ptr->ifindex = dev->ifindex; - vrf_ptr->tb_id = vrf->tb_id; - -+ err = register_netdevice(dev); -+ if (err < 0) -+ goto out_fail; -+ - rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); - -- return register_netdev(dev); -+ return 0; -+ -+out_fail: -+ kfree(vrf_ptr); -+ free_netdev(dev); -+ return err; - } - - static size_t vrf_nl_getsize(const struct net_device *dev) diff --git a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch deleted file mode 100644 index a584e73c5..000000000 --- a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Date: Tue, 15 Dec 2015 21:21:56 +0000 -From: Ben Hutchings -Subject: tipc: Fix kfree_skb() of uninitialised pointer -Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk - -Commit 7098356baca7 ("tipc: fix error handling of expanding buffer -headroom") added a "goto tx_error". This is fine upstream, but -when backported to 4.3 it results in attempting to free the clone -before it has been allocated. In this early error case, no -cleanup is needed. - -Signed-off-by: Ben Hutchings ---- - net/tipc/udp_media.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c -index 86f2e7c..73bdf1b 100644 ---- a/net/tipc/udp_media.c -+++ b/net/tipc/udp_media.c -@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, - if (skb_headroom(skb) < UDP_MIN_HEADROOM) { - err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); - if (err) -- goto tx_error; -+ return err; - } - - clone = skb_clone(skb, GFP_ATOMIC); diff --git a/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch b/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch deleted file mode 100644 index f387fdece..000000000 --- a/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From: Nikolay Aleksandrov -Date: Sat, 21 Nov 2015 19:46:19 +0100 -Subject: vrf: fix double free and memory corruption on register_netdevice failure -Origin: https://git.kernel.org/linus/7f109f7cc37108cba7243bc832988525b0d85909 - -When vrf's ->newlink is called, if register_netdevice() fails then it -does free_netdev(), but that's also done by rtnl_newlink() so a second -free happens and memory gets corrupted, to reproduce execute the -following line a couple of times (1 - 5 usually is enough): -$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done; -This works because we fail in register_netdevice() because of the wrong -name "vrf:". - -And here's a trace of one crash: -[ 28.792157] ------------[ cut here ]------------ -[ 28.792407] kernel BUG at fs/namei.c:246! -[ 28.792608] invalid opcode: 0000 [#1] SMP -[ 28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry -nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul -crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse -glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev -parport_pc parport serio_raw pcspkr virtio_balloon virtio_console -i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4 -ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom -ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix -libata virtio_pci virtio_ring virtio scsi_mod floppy -[ 28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted -4.4.0-rc1+ #24 -[ 28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), -BIOS 1.8.1-20150318_183358- 04/01/2014 -[ 28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti: -ffff88003592c000 -[ 28.796016] RIP: 0010:[] [] -putname+0x43/0x60 -[ 28.796016] RSP: 0018:ffff88003592fe88 EFLAGS: 00010246 -[ 28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX: -0000000000000001 -[ 28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI: -ffff88003784f000 -[ 
28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09: -0000000000000000 -[ 28.796016] R10: 0000000000000000 R11: 0000000000000001 R12: -0000000000000000 -[ 28.796016] R13: 000000000000047c R14: ffff88003784f000 R15: -ffff8800358c4a00 -[ 28.796016] FS: 0000000000000000(0000) GS:ffff88003fc00000(0000) -knlGS:0000000000000000 -[ 28.796016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4: -00000000000406f0 -[ 28.796016] Stack: -[ 28.796016] ffffffff8121045d ffffffff812102d3 ffff8800352561c0 -ffff880035a91660 -[ 28.796016] ffff8800008a9880 0000000000000000 ffffffff81a49940 -00ffffff81218684 -[ 28.796016] ffff8800352561c0 000000000000047c 0000000000000000 -ffff880035b36d80 -[ 28.796016] Call Trace: -[ 28.796016] [] ? -do_execveat_common.isra.34+0x74d/0x930 -[ 28.796016] [] ? -do_execveat_common.isra.34+0x5c3/0x930 -[ 28.796016] [] do_execve+0x2c/0x30 -[ 28.796016] [] -call_usermodehelper_exec_async+0xf0/0x140 -[ 28.796016] [] ? umh_complete+0x40/0x40 -[ 28.796016] [] ret_from_fork+0x3f/0x70 -[ 28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6 -74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d -f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9 -[ 28.796016] RIP [] putname+0x43/0x60 -[ 28.796016] RSP - -Fixes: 193125dbd8eb ("net: Introduce VRF device driver") -Signed-off-by: Nikolay Aleksandrov -Acked-by: David Ahern -Signed-off-by: David S. Miller -[bwh: For 4.3, retain the kfree() on failure] -Signed-off-by: Ben Hutchings ---- - drivers/net/vrf.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c -index 488c6f5..374feba 100644 ---- a/drivers/net/vrf.c -+++ b/drivers/net/vrf.c -@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, - - out_fail: - kfree(vrf_ptr); -- free_netdev(dev); - return err; - } - 
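Review bot: these two vrf patches and the tipc one are Debian-local repairs of broken stable backports rather than plain upstream cherry-picks, so dropping them assumes 4.3.4 ships corrected versions, yet no vrf or tipc item appears in the 4.3.4 list in the changelog. The revert restores `register_netdevice()` in place of the backport's `return register_netdev(dev);` (the revert message says that backport "introduced a deadlock and other bugs"), the re-backport then removes only `free_netdev(dev);` from `out_fail` and keeps `kfree(vrf_ptr);` ("[bwh: For 4.3, retain the kfree() on failure]"), and the tipc fix replaces a `goto tx_error` that ran before `clone` was allocated. Before release, check `drivers/net/vrf.c` in 4.3.4 for `register_netdevice()` being called before `rcu_assign_pointer(dev->vrf_ptr, vrf_ptr)` with no `free_netdev()` on the failure path, and `net/tipc/udp_media.c` for `return err;` rather than `goto tx_error;` after the `pskb_expand_head()` failure; the `for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done` loop from the commit message is the regression test for the former.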
diff --git a/debian/patches/series b/debian/patches/series index 82ac5d4c9..725582e07 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -106,13 +106,7 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch -bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch -bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch -bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch -bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch bugfix/all/ovl-fix-permission-checking-for-setattr.patch -bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch -bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch bugfix/all/xen-add-ring_copy_request.patch bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch bugfix/all/xen-netback-use-ring_copy_request-throughout.patch @@ -127,7 +121,6 @@ bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch debian/ptrace-fix-abi-change-for-priv-esc-fix.patch -bugfix/all/keys-fix-race-between-read-and-revoke.patch bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch 
@@ -147,4 +140,3 @@ bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch -bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
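Review bot: the three series hunks remove exactly the eight entries whose files are deleted above (six in the first hunk, one each in the second and third), which matches the diffstat's `debian/patches/series | 8 --`, so no stale entry is left pointing at a removed file. Since the last hunk removes what was the final line of series, check that the resulting file still ends with a newline.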