Update to 4.9-rc5
This commit is contained in:
parent
993ab494e5
commit
b15e0cf459
|
@ -1,4 +1,6 @@
|
|||
linux (4.9~rc3-1~exp2) UNRELEASED; urgency=medium
|
||||
linux (4.9~rc5-1~exp1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream release candidate
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* Enable MAC802154, IEEE802154_ADF7242, IEEE802154_AT86RF230,
|
||||
|
|
|
@ -355,7 +355,7 @@ upstream submission.
|
|||
}
|
||||
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
|
||||
@@ -2410,12 +2410,9 @@ static int stk9090m_frontend_attach(stru
|
||||
@@ -2411,12 +2411,9 @@ static int stk9090m_frontend_attach(stru
|
||||
|
||||
dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, 0x80);
|
||||
|
||||
|
@ -370,7 +370,7 @@ upstream submission.
|
|||
stk9090m_config.microcode_B_fe_size = state->frontend_firmware->size;
|
||||
stk9090m_config.microcode_B_fe_buffer = state->frontend_firmware->data;
|
||||
|
||||
@@ -2476,12 +2473,9 @@ static int nim9090md_frontend_attach(str
|
||||
@@ -2477,12 +2474,9 @@ static int nim9090md_frontend_attach(str
|
||||
msleep(20);
|
||||
dib0700_set_gpio(adap->dev, GPIO0, GPIO_OUT, 1);
|
||||
|
||||
|
@ -406,7 +406,7 @@ upstream submission.
|
|||
case CYPRESS_AN2135:
|
||||
--- a/drivers/media/usb/dvb-usb/gp8psk.c
|
||||
+++ b/drivers/media/usb/dvb-usb/gp8psk.c
|
||||
@@ -116,20 +116,14 @@ static int gp8psk_load_bcm4500fw(struct
|
||||
@@ -134,20 +134,14 @@ static int gp8psk_load_bcm4500fw(struct
|
||||
const u8 *ptr;
|
||||
u8 *buf;
|
||||
if ((ret = request_firmware(&fw, bcm4500_firmware,
|
||||
|
@ -1032,7 +1032,7 @@ upstream submission.
|
|||
|
||||
--- a/drivers/media/usb/s2255/s2255drv.c
|
||||
+++ b/drivers/media/usb/s2255/s2255drv.c
|
||||
@@ -2297,10 +2297,8 @@ static int s2255_probe(struct usb_interf
|
||||
@@ -2308,10 +2308,8 @@ static int s2255_probe(struct usb_interf
|
||||
}
|
||||
/* load the first chunk */
|
||||
if (request_firmware(&dev->fw_data->fw,
|
||||
|
@ -1163,7 +1163,7 @@ upstream submission.
|
|||
|
||||
--- a/drivers/net/ethernet/broadcom/bnx2.c
|
||||
+++ b/drivers/net/ethernet/broadcom/bnx2.c
|
||||
@@ -3720,16 +3720,13 @@ static int bnx2_request_uncached_firmwar
|
||||
@@ -3725,16 +3725,13 @@ static int bnx2_request_uncached_firmwar
|
||||
}
|
||||
|
||||
rc = request_firmware(&bp->mips_firmware, mips_fw_file, &bp->pdev->dev);
|
||||
|
@ -1731,17 +1731,17 @@ upstream submission.
|
|||
if (!err)
|
||||
goto found_alt;
|
||||
}
|
||||
- pr_err("Firmware %s not available\n", rtlpriv->cfg->fw_name);
|
||||
- pr_err("Selected firmware is not available\n");
|
||||
rtlpriv->max_fw_size = 0;
|
||||
return;
|
||||
}
|
||||
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
|
||||
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
|
||||
@@ -94,7 +94,6 @@ static void rtl92se_fw_cb(const struct f
|
||||
@@ -95,7 +95,6 @@ static void rtl92se_fw_cb(const struct f
|
||||
"Firmware callback routine entered!\n");
|
||||
complete(&rtlpriv->firmware_loading_complete);
|
||||
if (!firmware) {
|
||||
- pr_err("Firmware %s not available\n", rtlpriv->cfg->fw_name);
|
||||
- pr_err("Firmware %s not available\n", fw_name);
|
||||
rtlpriv->max_fw_size = 0;
|
||||
return;
|
||||
}
|
||||
|
@ -1965,7 +1965,7 @@ upstream submission.
|
|||
if (qla82xx_validate_firmware_blob(vha,
|
||||
--- a/drivers/scsi/qla2xxx/qla_os.c
|
||||
+++ b/drivers/scsi/qla2xxx/qla_os.c
|
||||
@@ -5620,8 +5620,6 @@ qla2x00_request_firmware(scsi_qla_host_t
|
||||
@@ -5636,8 +5636,6 @@ qla2x00_request_firmware(scsi_qla_host_t
|
||||
goto out;
|
||||
|
||||
if (request_firmware(&blob->fw, blob->name, &ha->pdev->dev)) {
|
||||
|
@ -2526,7 +2526,7 @@ upstream submission.
|
|||
filename, emu->firmware->size);
|
||||
--- a/sound/pci/hda/hda_intel.c
|
||||
+++ b/sound/pci/hda/hda_intel.c
|
||||
@@ -1812,10 +1812,8 @@ static void azx_firmware_cb(const struct
|
||||
@@ -1815,10 +1815,8 @@ static void azx_firmware_cb(const struct
|
||||
struct azx *chip = card->private_data;
|
||||
struct pci_dev *pci = chip->pci;
|
||||
|
||||
|
|
|
@ -25,9 +25,9 @@ Signed-off-by: Michal Marek <mmarek@suse.com>
|
|||
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -624,6 +624,8 @@ include arch/$(SRCARCH)/Makefile
|
||||
@@ -623,6 +623,8 @@ include arch/$(SRCARCH)/Makefile
|
||||
|
||||
KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
|
||||
KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
|
||||
KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
|
||||
+KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
|
||||
+KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
|
||||
|
|
|
@ -64,16 +64,16 @@ the kernel.
|
|||
# Usage: KBUILD_ARFLAGS := $(call ar-option,D)
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -634,6 +634,8 @@ KBUILD_CFLAGS += -O2
|
||||
endif
|
||||
endif
|
||||
@@ -642,6 +642,8 @@ endif
|
||||
KBUILD_CFLAGS += $(call cc-ifversion, -lt, 0409, \
|
||||
$(call cc-disable-warning,maybe-uninitialized,))
|
||||
|
||||
+NOSTDINC_FLAGS += -nostdinc
|
||||
+
|
||||
# Tell gcc to never replace conditional load with a non-conditional one
|
||||
KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
|
||||
|
||||
@@ -752,7 +754,7 @@ KBUILD_CFLAGS += $(call cc-option, -fno-
|
||||
@@ -760,7 +762,7 @@ KBUILD_CFLAGS += $(call cc-option, -fno-
|
||||
endif
|
||||
|
||||
# arch Makefile may override CC so keep this after arch Makefile is included
|
||||
|
|
|
@ -1,201 +0,0 @@
|
|||
From: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Date: Mon, 10 Oct 2016 15:43:46 +0200
|
||||
Subject: net: add recursion limit to GRO
|
||||
Origin: https://patchwork.ozlabs.org/patch/680412/
|
||||
|
||||
Currently, GRO can do unlimited recursion through the gro_receive
|
||||
handlers. This was fixed for tunneling protocols by limiting tunnel GRO
|
||||
to one level with encap_mark, but both VLAN and TEB still have this
|
||||
problem. Thus, the kernel is vulnerable to a stack overflow, if we
|
||||
receive a packet composed entirely of VLAN headers.
|
||||
|
||||
This patch adds a recursion counter to the GRO layer to prevent stack
|
||||
overflow. When a gro_receive function hits the recursion limit, GRO is
|
||||
aborted for this skb and it is processed normally.
|
||||
|
||||
Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report.
|
||||
|
||||
Fixes: CVE-2016-7039
|
||||
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
|
||||
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
|
||||
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Reviewed-by: Jiri Benc <jbenc@redhat.com>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
---
|
||||
drivers/net/geneve.c | 2 +-
|
||||
drivers/net/vxlan.c | 2 +-
|
||||
include/linux/netdevice.h | 24 +++++++++++++++++++++++-
|
||||
net/8021q/vlan.c | 2 +-
|
||||
net/core/dev.c | 1 +
|
||||
net/ethernet/eth.c | 2 +-
|
||||
net/ipv4/af_inet.c | 2 +-
|
||||
net/ipv4/fou.c | 4 ++--
|
||||
net/ipv4/gre_offload.c | 2 +-
|
||||
net/ipv4/udp_offload.c | 8 +++++++-
|
||||
net/ipv6/ip6_offload.c | 2 +-
|
||||
11 files changed, 40 insertions(+), 11 deletions(-)
|
||||
|
||||
--- a/drivers/net/geneve.c
|
||||
+++ b/drivers/net/geneve.c
|
||||
@@ -471,7 +471,7 @@ static struct sk_buff **geneve_gro_recei
|
||||
|
||||
skb_gro_pull(skb, gh_len);
|
||||
skb_gro_postpull_rcsum(skb, gh, gh_len);
|
||||
- pp = ptype->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
|
||||
flush = 0;
|
||||
|
||||
out_unlock:
|
||||
--- a/drivers/net/vxlan.c
|
||||
+++ b/drivers/net/vxlan.c
|
||||
@@ -601,7 +601,7 @@ static struct sk_buff **vxlan_gro_receiv
|
||||
}
|
||||
}
|
||||
|
||||
- pp = eth_gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(eth_gro_receive, head, skb);
|
||||
flush = 0;
|
||||
|
||||
out:
|
||||
--- a/include/linux/netdevice.h
|
||||
+++ b/include/linux/netdevice.h
|
||||
@@ -2114,7 +2114,10 @@ struct napi_gro_cb {
|
||||
/* Used to determine if flush_id can be ignored */
|
||||
u8 is_atomic:1;
|
||||
|
||||
- /* 5 bit hole */
|
||||
+ /* Number of gro_receive callbacks this packet already went through */
|
||||
+ u8 recursion_counter:4;
|
||||
+
|
||||
+ /* 1 bit hole */
|
||||
|
||||
/* used to support CHECKSUM_COMPLETE for tunneling protocols */
|
||||
__wsum csum;
|
||||
@@ -2125,6 +2128,25 @@ struct napi_gro_cb {
|
||||
|
||||
#define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb)
|
||||
|
||||
+#define GRO_RECURSION_LIMIT 15
|
||||
+static inline int gro_recursion_inc_test(struct sk_buff *skb)
|
||||
+{
|
||||
+ return ++NAPI_GRO_CB(skb)->recursion_counter == GRO_RECURSION_LIMIT;
|
||||
+}
|
||||
+
|
||||
+typedef struct sk_buff **(*gro_receive_t)(struct sk_buff **, struct sk_buff *);
|
||||
+static inline struct sk_buff **call_gro_receive(gro_receive_t cb,
|
||||
+ struct sk_buff **head,
|
||||
+ struct sk_buff *skb)
|
||||
+{
|
||||
+ if (gro_recursion_inc_test(skb)) {
|
||||
+ NAPI_GRO_CB(skb)->flush |= 1;
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return cb(head, skb);
|
||||
+}
|
||||
+
|
||||
struct packet_type {
|
||||
__be16 type; /* This is really htons(ether_type). */
|
||||
struct net_device *dev; /* NULL is wildcarded here */
|
||||
--- a/net/8021q/vlan.c
|
||||
+++ b/net/8021q/vlan.c
|
||||
@@ -664,7 +664,7 @@ static struct sk_buff **vlan_gro_receive
|
||||
|
||||
skb_gro_pull(skb, sizeof(*vhdr));
|
||||
skb_gro_postpull_rcsum(skb, vhdr, sizeof(*vhdr));
|
||||
- pp = ptype->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
|
||||
|
||||
out_unlock:
|
||||
rcu_read_unlock();
|
||||
--- a/net/core/dev.c
|
||||
+++ b/net/core/dev.c
|
||||
@@ -4500,6 +4500,7 @@ static enum gro_result dev_gro_receive(s
|
||||
NAPI_GRO_CB(skb)->flush = 0;
|
||||
NAPI_GRO_CB(skb)->free = 0;
|
||||
NAPI_GRO_CB(skb)->encap_mark = 0;
|
||||
+ NAPI_GRO_CB(skb)->recursion_counter = 0;
|
||||
NAPI_GRO_CB(skb)->is_fou = 0;
|
||||
NAPI_GRO_CB(skb)->is_atomic = 1;
|
||||
NAPI_GRO_CB(skb)->gro_remcsum_start = 0;
|
||||
--- a/net/ethernet/eth.c
|
||||
+++ b/net/ethernet/eth.c
|
||||
@@ -439,7 +439,7 @@ struct sk_buff **eth_gro_receive(struct
|
||||
|
||||
skb_gro_pull(skb, sizeof(*eh));
|
||||
skb_gro_postpull_rcsum(skb, eh, sizeof(*eh));
|
||||
- pp = ptype->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
|
||||
|
||||
out_unlock:
|
||||
rcu_read_unlock();
|
||||
--- a/net/ipv4/af_inet.c
|
||||
+++ b/net/ipv4/af_inet.c
|
||||
@@ -1388,7 +1388,7 @@ struct sk_buff **inet_gro_receive(struct
|
||||
skb_gro_pull(skb, sizeof(*iph));
|
||||
skb_set_transport_header(skb, skb_gro_offset(skb));
|
||||
|
||||
- pp = ops->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
|
||||
|
||||
out_unlock:
|
||||
rcu_read_unlock();
|
||||
--- a/net/ipv4/fou.c
|
||||
+++ b/net/ipv4/fou.c
|
||||
@@ -219,7 +219,7 @@ static struct sk_buff **fou_gro_receive(
|
||||
if (!ops || !ops->callbacks.gro_receive)
|
||||
goto out_unlock;
|
||||
|
||||
- pp = ops->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
|
||||
|
||||
out_unlock:
|
||||
rcu_read_unlock();
|
||||
@@ -387,7 +387,7 @@ static struct sk_buff **gue_gro_receive(
|
||||
if (WARN_ON_ONCE(!ops || !ops->callbacks.gro_receive))
|
||||
goto out_unlock;
|
||||
|
||||
- pp = ops->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
|
||||
flush = 0;
|
||||
|
||||
out_unlock:
|
||||
--- a/net/ipv4/gre_offload.c
|
||||
+++ b/net/ipv4/gre_offload.c
|
||||
@@ -227,7 +227,7 @@ static struct sk_buff **gre_gro_receive(
|
||||
/* Adjusted NAPI_GRO_CB(skb)->csum after skb_gro_pull()*/
|
||||
skb_gro_postpull_rcsum(skb, greh, grehlen);
|
||||
|
||||
- pp = ptype->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
|
||||
flush = 0;
|
||||
|
||||
out_unlock:
|
||||
--- a/net/ipv4/udp_offload.c
|
||||
+++ b/net/ipv4/udp_offload.c
|
||||
@@ -293,7 +293,13 @@ unflush:
|
||||
|
||||
skb_gro_pull(skb, sizeof(struct udphdr)); /* pull encapsulating udp header */
|
||||
skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr));
|
||||
- pp = udp_sk(sk)->gro_receive(sk, head, skb);
|
||||
+
|
||||
+ if (gro_recursion_inc_test(skb)) {
|
||||
+ flush = 1;
|
||||
+ pp = NULL;
|
||||
+ } else {
|
||||
+ pp = udp_sk(sk)->gro_receive(sk, head, skb);
|
||||
+ }
|
||||
|
||||
out_unlock:
|
||||
rcu_read_unlock();
|
||||
--- a/net/ipv6/ip6_offload.c
|
||||
+++ b/net/ipv6/ip6_offload.c
|
||||
@@ -243,7 +243,7 @@ static struct sk_buff **ipv6_gro_receive
|
||||
|
||||
skb_gro_postpull_rcsum(skb, iph, nlen);
|
||||
|
||||
- pp = ops->callbacks.gro_receive(head, skb);
|
||||
+ pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
|
||||
|
||||
out_unlock:
|
||||
rcu_read_unlock();
|
|
@ -1,36 +0,0 @@
|
|||
From: Liping Zhang <liping.zhang@spreadtrum.com>
|
||||
Date: Tue, 11 Oct 2016 21:03:45 +0800
|
||||
Subject: netfilter: xt_NFLOG: fix unexpected truncated packet
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=6d19375b58763fefc2f215fb45117d3353ced888
|
||||
Bug-Debian: https://bugs.debian.org/841261
|
||||
|
||||
Justin and Chris spotted that iptables NFLOG target was broken when they
|
||||
upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or
|
||||
"results in segfaults in ulogd-2.0.5".
|
||||
|
||||
Because "struct nf_loginfo li;" is a local variable, and flags will be
|
||||
filled with garbage value, not inited to zero. So if it contains 0x1,
|
||||
packets will not be logged to the userspace anymore.
|
||||
|
||||
Fixes: 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets")
|
||||
Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com>
|
||||
Reported-by: Chris Caputo <ccaputo@alt.net>
|
||||
Tested-by: Chris Caputo <ccaputo@alt.net>
|
||||
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/netfilter/xt_NFLOG.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
|
||||
index 018eed7e1ff1..8668a5c18dc3 100644
|
||||
--- a/net/netfilter/xt_NFLOG.c
|
||||
+++ b/net/netfilter/xt_NFLOG.c
|
||||
@@ -32,6 +32,7 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
li.u.ulog.copy_len = info->len;
|
||||
li.u.ulog.group = info->group;
|
||||
li.u.ulog.qthreshold = info->threshold;
|
||||
+ li.u.ulog.flags = 0;
|
||||
|
||||
if (info->flags & XT_NFLOG_F_COPY_LEN)
|
||||
li.u.ulog.flags |= NF_LOG_F_COPY_LEN;
|
|
@ -58,7 +58,7 @@ use of $(ARCH) needs to be moved after this.
|
|||
export KCONFIG_CONFIG
|
||||
|
||||
@@ -373,6 +337,44 @@ LDFLAGS_vmlinux =
|
||||
CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im
|
||||
CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
|
||||
CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
|
||||
|
||||
+-include $(obj)/.kernelvariables
|
||||
|
|
|
@ -62,7 +62,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
|
|||
bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch
|
||||
bugfix/all/ext4-fix-bug-838544.patch
|
||||
bugfix/all/mm-memcontrol-use-special-workqueue-for-creating-per-memcg-caches.patch
|
||||
bugfix/all/netfilter-xt_nflog-fix-unexpected-truncated-packet.patch
|
||||
bugfix/all/kbuild-add-fno-pie.patch
|
||||
bugfix/x86/scripts-has-stack-protector-add-fno-pie.patch
|
||||
bugfix/x86/x86-kexec-add-fno-pie.patch
|
||||
|
@ -96,7 +95,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
# Security fixes
|
||||
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/net-add-recursion-limit-to-gro.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
||||
|
|
Loading…
Reference in New Issue