Cherry-pick various urgent fixes from 3.11 stable queue
svn path=/dists/sid/linux/; revision=20767
This commit is contained in:
parent
a78dcf3d31
commit
e3b8a9343f
|
@ -7,6 +7,22 @@ linux (3.11.6-2) UNRELEASED; urgency=low
|
|||
(fixes FTBFS)
|
||||
* [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI
|
||||
* net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
|
||||
* net: do not call sock_put() on TIMEWAIT sockets
|
||||
* l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
|
||||
* net: heap overflow in __audit_sockaddr()
|
||||
* proc connector: fix info leaks
|
||||
* bridge: update mdb expiration timer upon reports.
|
||||
* Revert "bridge: only expire the mdb entry when query is received"
|
||||
* unix_diag: fix info leak
|
||||
* be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
|
||||
* net: fix cipso packet validation when !NETLABEL
|
||||
* inet: fix possible memory corruption with UDP_CORK and UFO
|
||||
* [arm] 7851/1: check for number of arguments in syscall_get/set_arguments()
|
||||
* ext[34]: fix double put in tmpfile
|
||||
* dm snapshot: fix data corruption (CVE-2013-4299)
|
||||
* i2c: ismt: initialize DMA buffer
|
||||
* mm: fix BUG in __split_huge_page_pmd
|
||||
* writeback: fix negative bdi max pause
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* UAPI: include <asm/byteorder.h> in linux/raid/md_p.h.
|
||||
|
|
40
debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
vendored
Normal file
40
debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
vendored
Normal file
|
@ -0,0 +1,40 @@
|
|||
From b16dd2cff7a4eb3881f43371d71ed242332877dc Mon Sep 17 00:00:00 2001
|
||||
From: Vasundhara Volam <vasundhara.volam@emulex.com>
|
||||
Date: Thu, 17 Oct 2013 11:47:14 +0530
|
||||
Subject: be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
|
||||
|
||||
From: Vasundhara Volam <vasundhara.volam@emulex.com>
|
||||
|
||||
[ Upstream commit 0fb88d61bc60779dde88b0fc268da17eb81d0412 ]
|
||||
|
||||
It is a required field for all TX_CREATE cmd versions > 0.
|
||||
This fixes a driver initialization failure, caused by recent SH-R Firmwares
|
||||
(versions > 10.0.639.0) failing the TX_CREATE cmd when if_id field is
|
||||
not passed.
|
||||
|
||||
Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
|
||||
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
|
||||
@@ -1150,7 +1150,6 @@ int be_cmd_txq_create(struct be_adapter
|
||||
|
||||
if (lancer_chip(adapter)) {
|
||||
req->hdr.version = 1;
|
||||
- req->if_id = cpu_to_le16(adapter->if_handle);
|
||||
} else if (BEx_chip(adapter)) {
|
||||
if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC)
|
||||
req->hdr.version = 2;
|
||||
@@ -1158,6 +1157,8 @@ int be_cmd_txq_create(struct be_adapter
|
||||
req->hdr.version = 2;
|
||||
}
|
||||
|
||||
+ if (req->hdr.version > 0)
|
||||
+ req->if_id = cpu_to_le16(adapter->if_handle);
|
||||
req->num_pages = PAGES_4K_SPANNED(q_mem->va, q_mem->size);
|
||||
req->ulp_num = BE_ULP1_NUM;
|
||||
req->type = BE_ETH_TX_RING_TYPE_STANDARD;
|
63
debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
vendored
Normal file
63
debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
vendored
Normal file
|
@ -0,0 +1,63 @@
|
|||
From 74869292aeb07213144e34b0e21e23f7e3c9f61f Mon Sep 17 00:00:00 2001
|
||||
From: Vlad Yasevich <vyasevic@redhat.com>
|
||||
Date: Thu, 10 Oct 2013 15:57:59 -0400
|
||||
Subject: bridge: update mdb expiration timer upon reports.
|
||||
|
||||
From: Vlad Yasevich <vyasevic@redhat.com>
|
||||
|
||||
[ Upstream commit f144febd93d5ee534fdf23505ab091b2b9088edc ]
|
||||
|
||||
commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b
|
||||
bridge: only expire the mdb entry when query is received
|
||||
changed the mdb expiration timer to be armed only when QUERY is
|
||||
received. Howerver, this causes issues in an environment where
|
||||
the multicast server socket comes and goes very fast while a client
|
||||
is trying to send traffic to it.
|
||||
|
||||
The root cause is a race where a sequence of LEAVE followed by REPORT
|
||||
messages can race against QUERY messages generated in response to LEAVE.
|
||||
The QUERY ends up starting the expiration timer, and that timer can
|
||||
potentially expire after the new REPORT message has been received signaling
|
||||
the new join operation. This leads to a significant drop in multicast
|
||||
traffic and possible complete stall.
|
||||
|
||||
The solution is to have REPORT messages update the expiration timer
|
||||
on entries that already exist.
|
||||
|
||||
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
|
||||
CC: Cong Wang <xiyou.wangcong@gmail.com>
|
||||
CC: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
CC: Stephen Hemminger <stephen@networkplumber.org>
|
||||
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/bridge/br_multicast.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/bridge/br_multicast.c
|
||||
+++ b/net/bridge/br_multicast.c
|
||||
@@ -610,6 +610,9 @@ rehash:
|
||||
break;
|
||||
|
||||
default:
|
||||
+ /* If we have an existing entry, update it's expire timer */
|
||||
+ mod_timer(&mp->timer,
|
||||
+ jiffies + br->multicast_membership_interval);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -679,8 +682,12 @@ static int br_multicast_add_group(struct
|
||||
for (pp = &mp->ports;
|
||||
(p = mlock_dereference(*pp, br)) != NULL;
|
||||
pp = &p->next) {
|
||||
- if (p->port == port)
|
||||
+ if (p->port == port) {
|
||||
+ /* We already have a portgroup, update the timer. */
|
||||
+ mod_timer(&p->timer,
|
||||
+ jiffies + br->multicast_membership_interval);
|
||||
goto out;
|
||||
+ }
|
||||
if ((unsigned long)p->port < (unsigned long)port)
|
||||
break;
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
From e9c6a182649f4259db704ae15a91ac820e63b0ca Mon Sep 17 00:00:00 2001
|
||||
From: Mikulas Patocka <mpatocka@redhat.com>
|
||||
Date: Wed, 16 Oct 2013 03:17:47 +0100
|
||||
Subject: dm snapshot: fix data corruption
|
||||
|
||||
From: Mikulas Patocka <mpatocka@redhat.com>
|
||||
|
||||
commit e9c6a182649f4259db704ae15a91ac820e63b0ca upstream.
|
||||
|
||||
This patch fixes a particular type of data corruption that has been
|
||||
encountered when loading a snapshot's metadata from disk.
|
||||
|
||||
When we allocate a new chunk in persistent_prepare, we increment
|
||||
ps->next_free and we make sure that it doesn't point to a metadata area
|
||||
by further incrementing it if necessary.
|
||||
|
||||
When we load metadata from disk on device activation, ps->next_free is
|
||||
positioned after the last used data chunk. However, if this last used
|
||||
data chunk is followed by a metadata area, ps->next_free is positioned
|
||||
erroneously to the metadata area. A newly-allocated chunk is placed at
|
||||
the same location as the metadata area, resulting in data or metadata
|
||||
corruption.
|
||||
|
||||
This patch changes the code so that ps->next_free skips the metadata
|
||||
area when metadata are loaded in function read_exceptions.
|
||||
|
||||
The patch also moves a piece of code from persistent_prepare_exception
|
||||
to a separate function skip_metadata to avoid code duplication.
|
||||
|
||||
CVE-2013-4299
|
||||
|
||||
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
|
||||
Cc: Mike Snitzer <snitzer@redhat.com>
|
||||
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
drivers/md/dm-snap-persistent.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
--- a/drivers/md/dm-snap-persistent.c
|
||||
+++ b/drivers/md/dm-snap-persistent.c
|
||||
@@ -269,6 +269,14 @@ static chunk_t area_location(struct psto
|
||||
return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area);
|
||||
}
|
||||
|
||||
+static void skip_metadata(struct pstore *ps)
|
||||
+{
|
||||
+ uint32_t stride = ps->exceptions_per_area + 1;
|
||||
+ chunk_t next_free = ps->next_free;
|
||||
+ if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS)
|
||||
+ ps->next_free++;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Read or write a metadata area. Remembering to skip the first
|
||||
* chunk which holds the header.
|
||||
@@ -502,6 +510,8 @@ static int read_exceptions(struct pstore
|
||||
|
||||
ps->current_area--;
|
||||
|
||||
+ skip_metadata(ps);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -616,8 +626,6 @@ static int persistent_prepare_exception(
|
||||
struct dm_exception *e)
|
||||
{
|
||||
struct pstore *ps = get_info(store);
|
||||
- uint32_t stride;
|
||||
- chunk_t next_free;
|
||||
sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev);
|
||||
|
||||
/* Is there enough room ? */
|
||||
@@ -630,10 +638,8 @@ static int persistent_prepare_exception(
|
||||
* Move onto the next free pending, making sure to take
|
||||
* into account the location of the metadata chunks.
|
||||
*/
|
||||
- stride = (ps->exceptions_per_area + 1);
|
||||
- next_free = ++ps->next_free;
|
||||
- if (sector_div(next_free, stride) == 1)
|
||||
- ps->next_free++;
|
||||
+ ps->next_free++;
|
||||
+ skip_metadata(ps);
|
||||
|
||||
atomic_inc(&ps->pending_count);
|
||||
return 0;
|
|
@ -0,0 +1,66 @@
|
|||
From 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 Mon Sep 17 00:00:00 2001
|
||||
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||
Date: Thu, 10 Oct 2013 16:48:19 +0200
|
||||
Subject: ext[34]: fix double put in tmpfile
|
||||
|
||||
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||
|
||||
commit 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 upstream.
|
||||
|
||||
d_tmpfile() already swallowed the inode ref.
|
||||
|
||||
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
fs/ext3/namei.c | 5 ++---
|
||||
fs/ext4/namei.c | 5 ++---
|
||||
2 files changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
--- a/fs/ext3/namei.c
|
||||
+++ b/fs/ext3/namei.c
|
||||
@@ -1783,7 +1783,7 @@ retry:
|
||||
d_tmpfile(dentry, inode);
|
||||
err = ext3_orphan_add(handle, inode);
|
||||
if (err)
|
||||
- goto err_drop_inode;
|
||||
+ goto err_unlock_inode;
|
||||
mark_inode_dirty(inode);
|
||||
unlock_new_inode(inode);
|
||||
}
|
||||
@@ -1791,10 +1791,9 @@ retry:
|
||||
if (err == -ENOSPC && ext3_should_retry_alloc(dir->i_sb, &retries))
|
||||
goto retry;
|
||||
return err;
|
||||
-err_drop_inode:
|
||||
+err_unlock_inode:
|
||||
ext3_journal_stop(handle);
|
||||
unlock_new_inode(inode);
|
||||
- iput(inode);
|
||||
return err;
|
||||
}
|
||||
|
||||
--- a/fs/ext4/namei.c
|
||||
+++ b/fs/ext4/namei.c
|
||||
@@ -2319,7 +2319,7 @@ retry:
|
||||
d_tmpfile(dentry, inode);
|
||||
err = ext4_orphan_add(handle, inode);
|
||||
if (err)
|
||||
- goto err_drop_inode;
|
||||
+ goto err_unlock_inode;
|
||||
mark_inode_dirty(inode);
|
||||
unlock_new_inode(inode);
|
||||
}
|
||||
@@ -2328,10 +2328,9 @@ retry:
|
||||
if (err == -ENOSPC && ext4_should_retry_alloc(dir->i_sb, &retries))
|
||||
goto retry;
|
||||
return err;
|
||||
-err_drop_inode:
|
||||
+err_unlock_inode:
|
||||
ext4_journal_stop(handle);
|
||||
unlock_new_inode(inode);
|
||||
- iput(inode);
|
||||
return err;
|
||||
}
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From bf4169100c909667ede6af67668b3ecce6928343 Mon Sep 17 00:00:00 2001
|
||||
From: James Ralston <james.d.ralston@intel.com>
|
||||
Date: Tue, 24 Sep 2013 16:47:55 -0700
|
||||
Subject: i2c: ismt: initialize DMA buffer
|
||||
|
||||
From: James Ralston <james.d.ralston@intel.com>
|
||||
|
||||
commit bf4169100c909667ede6af67668b3ecce6928343 upstream.
|
||||
|
||||
This patch adds code to initialize the DMA buffer to compensate for
|
||||
possible hardware data corruption.
|
||||
|
||||
Signed-off-by: James Ralston <james.d.ralston@intel.com>
|
||||
[wsa: changed to use 'sizeof']
|
||||
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
|
||||
Cc: Jean Delvare <jdelvare@suse.de>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
drivers/i2c/busses/i2c-ismt.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/drivers/i2c/busses/i2c-ismt.c
|
||||
+++ b/drivers/i2c/busses/i2c-ismt.c
|
||||
@@ -393,6 +393,9 @@ static int ismt_access(struct i2c_adapte
|
||||
|
||||
desc = &priv->hw[priv->head];
|
||||
|
||||
+ /* Initialize the DMA buffer */
|
||||
+ memset(priv->dma_buffer, 0, sizeof(priv->dma_buffer));
|
||||
+
|
||||
/* Initialize the descriptor */
|
||||
memset(desc, 0, sizeof(struct ismt_desc));
|
||||
desc->tgtaddr_rw = ISMT_DESC_ADDR_RW(addr, read_write);
|
76
debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
vendored
Normal file
76
debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
vendored
Normal file
|
@ -0,0 +1,76 @@
|
|||
From 27e33640a8905b1aeefe9998242551caf24e84a6 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Tue, 22 Oct 2013 00:07:47 +0200
|
||||
Subject: inet: fix possible memory corruption with UDP_CORK and UFO
|
||||
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
|
||||
[ This is a simplified -stable version of a set of upstream commits. ]
|
||||
|
||||
This is a replacement patch only for stable which does fix the problems
|
||||
handled by the following two commits in -net:
|
||||
|
||||
"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
|
||||
"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
|
||||
|
||||
Three frames are written on a corked udp socket for which the output
|
||||
netdevice has UFO enabled. If the first and third frame are smaller than
|
||||
the mtu and the second one is bigger, we enqueue the second frame with
|
||||
skb_append_datato_frags without initializing the gso fields. This leads
|
||||
to the third frame appended regulary and thus constructing an invalid skb.
|
||||
|
||||
This fixes the problem by always using skb_append_datato_frags as soon
|
||||
as the first frag got enqueued to the skb without marking the packet
|
||||
as SKB_GSO_UDP.
|
||||
|
||||
The problem with only two frames for ipv6 was fixed by "ipv6: udp
|
||||
packets following an UFO enqueued packet need also be handled by UFO"
|
||||
(2811ebac2521ceac84f2bdae402455baa6a7fb47).
|
||||
|
||||
Cc: Jiri Pirko <jiri@resnulli.us>
|
||||
Cc: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
Cc: David Miller <davem@davemloft.net>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
include/linux/skbuff.h | 5 +++++
|
||||
net/ipv4/ip_output.c | 2 +-
|
||||
net/ipv6/ip6_output.c | 2 +-
|
||||
3 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/include/linux/skbuff.h
|
||||
+++ b/include/linux/skbuff.h
|
||||
@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const stru
|
||||
return len + skb_headlen(skb);
|
||||
}
|
||||
|
||||
+static inline bool skb_has_frags(const struct sk_buff *skb)
|
||||
+{
|
||||
+ return skb_shinfo(skb)->nr_frags;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* __skb_fill_page_desc - initialise a paged fragment in an skb
|
||||
* @skb: buffer containing fragment to be initialised
|
||||
--- a/net/ipv4/ip_output.c
|
||||
+++ b/net/ipv4/ip_output.c
|
||||
@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock
|
||||
csummode = CHECKSUM_PARTIAL;
|
||||
|
||||
cork->length += length;
|
||||
- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
|
||||
+ if (((length > mtu) || (skb && skb_has_frags(skb))) &&
|
||||
(sk->sk_protocol == IPPROTO_UDP) &&
|
||||
(rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
|
||||
err = ip_ufo_append_data(sk, queue, getfrag, from, length,
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int
|
||||
skb = skb_peek_tail(&sk->sk_write_queue);
|
||||
cork->length += length;
|
||||
if (((length > mtu) ||
|
||||
- (skb && skb_is_gso(skb))) &&
|
||||
+ (skb && skb_has_frags(skb))) &&
|
||||
(sk->sk_protocol == IPPROTO_UDP) &&
|
||||
(rt->dst.dev->features & NETIF_F_UFO)) {
|
||||
err = ip6_ufo_append_data(sk, getfrag, from, length,
|
141
debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
vendored
Normal file
141
debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
vendored
Normal file
|
@ -0,0 +1,141 @@
|
|||
From 8be4005ed947924104df5850944a20b7f6570137 Mon Sep 17 00:00:00 2001
|
||||
From: François CACHEREUL <f.cachereul@alphalink.fr>
|
||||
Date: Wed, 2 Oct 2013 10:16:02 +0200
|
||||
Subject: l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
|
||||
|
||||
From: François CACHEREUL <f.cachereul@alphalink.fr>
|
||||
|
||||
[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ]
|
||||
|
||||
IPv4 mapped addresses cause kernel panic.
|
||||
The patch juste check whether the IPv6 address is an IPv4 mapped
|
||||
address. If so, use IPv4 API instead of IPv6.
|
||||
|
||||
[ 940.026915] general protection fault: 0000 [#1]
|
||||
[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
|
||||
[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
|
||||
[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
|
||||
[ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
|
||||
[ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
|
||||
[ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
|
||||
[ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
|
||||
[ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
|
||||
[ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
|
||||
[ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
|
||||
[ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
|
||||
[ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
|
||||
[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
|
||||
[ 940.026915] Stack:
|
||||
[ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
|
||||
[ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
|
||||
[ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
|
||||
[ 940.026915] Call Trace:
|
||||
[ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
|
||||
[ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
|
||||
[ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
|
||||
[ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
|
||||
[ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
|
||||
[ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
|
||||
[ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
|
||||
[ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
|
||||
[ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
|
||||
[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
|
||||
8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
|
||||
00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
|
||||
[ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
|
||||
[ 940.026915] RSP <ffff88000737fd28>
|
||||
[ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
|
||||
[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
|
||||
|
||||
Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
|
||||
net/l2tp/l2tp_core.h | 3 +++
|
||||
2 files changed, 26 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/net/l2tp/l2tp_core.c
|
||||
+++ b/net/l2tp/l2tp_core.c
|
||||
@@ -496,6 +496,7 @@ out:
|
||||
static inline int l2tp_verify_udp_checksum(struct sock *sk,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
+ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
|
||||
struct udphdr *uh = udp_hdr(skb);
|
||||
u16 ulen = ntohs(uh->len);
|
||||
__wsum psum;
|
||||
@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checks
|
||||
return 0;
|
||||
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
- if (sk->sk_family == PF_INET6) {
|
||||
+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
|
||||
if (!uh->check) {
|
||||
LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
|
||||
return 1;
|
||||
@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_se
|
||||
/* Queue the packet to IP for output */
|
||||
skb->local_df = 1;
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
- if (skb->sk->sk_family == PF_INET6)
|
||||
+ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
|
||||
error = inet6_csk_xmit(skb, NULL);
|
||||
else
|
||||
#endif
|
||||
@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
|
||||
|
||||
/* Calculate UDP checksum if configured to do so */
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
- if (sk->sk_family == PF_INET6)
|
||||
+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
|
||||
l2tp_xmit_ipv6_csum(sk, skb, udp_len);
|
||||
else
|
||||
#endif
|
||||
@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net,
|
||||
if (cfg != NULL)
|
||||
tunnel->debug = cfg->debug;
|
||||
|
||||
+#if IS_ENABLED(CONFIG_IPV6)
|
||||
+ if (sk->sk_family == PF_INET6) {
|
||||
+ struct ipv6_pinfo *np = inet6_sk(sk);
|
||||
+
|
||||
+ if (ipv6_addr_v4mapped(&np->saddr) &&
|
||||
+ ipv6_addr_v4mapped(&np->daddr)) {
|
||||
+ struct inet_sock *inet = inet_sk(sk);
|
||||
+
|
||||
+ tunnel->v4mapped = true;
|
||||
+ inet->inet_saddr = np->saddr.s6_addr32[3];
|
||||
+ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
|
||||
+ inet->inet_daddr = np->daddr.s6_addr32[3];
|
||||
+ } else {
|
||||
+ tunnel->v4mapped = false;
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
|
||||
tunnel->encap = encap;
|
||||
if (encap == L2TP_ENCAPTYPE_UDP) {
|
||||
@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net,
|
||||
udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
|
||||
udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
- if (sk->sk_family == PF_INET6)
|
||||
+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
|
||||
udpv6_encap_enable();
|
||||
else
|
||||
#endif
|
||||
--- a/net/l2tp/l2tp_core.h
|
||||
+++ b/net/l2tp/l2tp_core.h
|
||||
@@ -194,6 +194,9 @@ struct l2tp_tunnel {
|
||||
struct sock *sock; /* Parent socket */
|
||||
int fd; /* Parent fd, if tunnel socket
|
||||
* was created by userspace */
|
||||
+#if IS_ENABLED(CONFIG_IPV6)
|
||||
+ bool v4mapped;
|
||||
+#endif
|
||||
|
||||
struct work_struct del_work;
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
From 750e8165f5e87b6a142be953640eabb13a9d350a Mon Sep 17 00:00:00 2001
|
||||
From: Hugh Dickins <hughd@google.com>
|
||||
Date: Wed, 16 Oct 2013 13:47:08 -0700
|
||||
Subject: mm: fix BUG in __split_huge_page_pmd
|
||||
|
||||
From: Hugh Dickins <hughd@google.com>
|
||||
|
||||
commit 750e8165f5e87b6a142be953640eabb13a9d350a upstream.
|
||||
|
||||
Occasionally we hit the BUG_ON(pmd_trans_huge(*pmd)) at the end of
|
||||
__split_huge_page_pmd(): seen when doing madvise(,,MADV_DONTNEED).
|
||||
|
||||
It's invalid: we don't always have down_write of mmap_sem there: a racing
|
||||
do_huge_pmd_wp_page() might have copied-on-write to another huge page
|
||||
before our split_huge_page() got the anon_vma lock.
|
||||
|
||||
Forget the BUG_ON, just go back and try again if this happens.
|
||||
|
||||
Signed-off-by: Hugh Dickins <hughd@google.com>
|
||||
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
|
||||
Cc: Andrea Arcangeli <aarcange@redhat.com>
|
||||
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
|
||||
Cc: David Rientjes <rientjes@google.com>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
mm/huge_memory.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/mm/huge_memory.c
|
||||
+++ b/mm/huge_memory.c
|
||||
@@ -2709,6 +2709,7 @@ void __split_huge_page_pmd(struct vm_are
|
||||
|
||||
mmun_start = haddr;
|
||||
mmun_end = haddr + HPAGE_PMD_SIZE;
|
||||
+again:
|
||||
mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
|
||||
spin_lock(&mm->page_table_lock);
|
||||
if (unlikely(!pmd_trans_huge(*pmd))) {
|
||||
@@ -2731,7 +2732,14 @@ void __split_huge_page_pmd(struct vm_are
|
||||
split_huge_page(page);
|
||||
|
||||
put_page(page);
|
||||
- BUG_ON(pmd_trans_huge(*pmd));
|
||||
+
|
||||
+ /*
|
||||
+ * We don't always have down_write of mmap_sem here: a racing
|
||||
+ * do_huge_pmd_wp_page() might have copied-on-write to another
|
||||
+ * huge page before our split_huge_page() got the anon_vma lock.
|
||||
+ */
|
||||
+ if (unlikely(pmd_trans_huge(*pmd)))
|
||||
+ goto again;
|
||||
}
|
||||
|
||||
void split_huge_page_pmd_mm(struct mm_struct *mm, unsigned long address,
|
44
debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
vendored
Normal file
44
debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
vendored
Normal file
|
@ -0,0 +1,44 @@
|
|||
From 05c9fdfad860abd64136d8ccd88dbf84e40bd5f5 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Tue, 1 Oct 2013 21:04:11 -0700
|
||||
Subject: net: do not call sock_put() on TIMEWAIT sockets
|
||||
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
|
||||
[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ]
|
||||
|
||||
commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
|
||||
hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
|
||||
|
||||
We should instead use inet_twsk_put()
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/ipv4/inet_hashtables.c | 2 +-
|
||||
net/ipv6/inet6_hashtables.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/net/ipv4/inet_hashtables.c
|
||||
+++ b/net/ipv4/inet_hashtables.c
|
||||
@@ -287,7 +287,7 @@ begintw:
|
||||
if (unlikely(!INET_TW_MATCH(sk, net, acookie,
|
||||
saddr, daddr, ports,
|
||||
dif))) {
|
||||
- sock_put(sk);
|
||||
+ inet_twsk_put(inet_twsk(sk));
|
||||
goto begintw;
|
||||
}
|
||||
goto out;
|
||||
--- a/net/ipv6/inet6_hashtables.c
|
||||
+++ b/net/ipv6/inet6_hashtables.c
|
||||
@@ -116,7 +116,7 @@ begintw:
|
||||
}
|
||||
if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr,
|
||||
ports, dif))) {
|
||||
- sock_put(sk);
|
||||
+ inet_twsk_put(inet_twsk(sk));
|
||||
goto begintw;
|
||||
}
|
||||
goto out;
|
54
debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
vendored
Normal file
54
debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
vendored
Normal file
|
@ -0,0 +1,54 @@
|
|||
From 7b48750febb4c3387db39fd0b547936c53ba7364 Mon Sep 17 00:00:00 2001
|
||||
From: Seif Mazareeb <seif@marvell.com>
|
||||
Date: Thu, 17 Oct 2013 20:33:21 -0700
|
||||
Subject: net: fix cipso packet validation when !NETLABEL
|
||||
|
||||
From: Seif Mazareeb <seif@marvell.com>
|
||||
|
||||
[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ]
|
||||
|
||||
When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop
|
||||
forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel
|
||||
crash in an SMP system, since the CPU executing this function will
|
||||
stall /not respond to IPIs.
|
||||
|
||||
This problem can be reproduced by running the IP Stack Integrity Checker
|
||||
(http://isic.sourceforge.net) using the following command on a Linux machine
|
||||
connected to DUT:
|
||||
|
||||
"icmpsic -s rand -d <DUT IP address> -r 123456"
|
||||
wait (1-2 min)
|
||||
|
||||
Signed-off-by: Seif Mazareeb <seif@marvell.com>
|
||||
Acked-by: Paul Moore <paul@paul-moore.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
include/net/cipso_ipv4.h | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/include/net/cipso_ipv4.h
|
||||
+++ b/include/net/cipso_ipv4.h
|
||||
@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(cons
|
||||
unsigned char err_offset = 0;
|
||||
u8 opt_len = opt[1];
|
||||
u8 opt_iter;
|
||||
+ u8 tag_len;
|
||||
|
||||
if (opt_len < 8) {
|
||||
err_offset = 1;
|
||||
@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(cons
|
||||
}
|
||||
|
||||
for (opt_iter = 6; opt_iter < opt_len;) {
|
||||
- if (opt[opt_iter + 1] > (opt_len - opt_iter)) {
|
||||
+ tag_len = opt[opt_iter + 1];
|
||||
+ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) {
|
||||
err_offset = opt_iter + 1;
|
||||
goto out;
|
||||
}
|
||||
- opt_iter += opt[opt_iter + 1];
|
||||
+ opt_iter += tag_len;
|
||||
}
|
||||
|
||||
out:
|
|
@ -0,0 +1,86 @@
|
|||
From b8baf1c21a214c1b836eef390c9d6e153293fef9 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Thu, 3 Oct 2013 00:27:20 +0300
|
||||
Subject: net: heap overflow in __audit_sockaddr()
|
||||
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
|
||||
[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]
|
||||
|
||||
We need to cap ->msg_namelen or it leads to a buffer overflow when we
|
||||
to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
|
||||
exploit this bug.
|
||||
|
||||
The call tree is:
|
||||
___sys_recvmsg()
|
||||
move_addr_to_user()
|
||||
audit_sockaddr()
|
||||
__audit_sockaddr()
|
||||
|
||||
Reported-by: Jüri Aedla <juri.aedla@gmail.com>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/compat.c | 2 ++
|
||||
net/socket.c | 24 ++++++++++++++++++++----
|
||||
2 files changed, 22 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/net/compat.c
|
||||
+++ b/net/compat.c
|
||||
@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kms
|
||||
__get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
|
||||
__get_user(kmsg->msg_flags, &umsg->msg_flags))
|
||||
return -EFAULT;
|
||||
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
+ return -EINVAL;
|
||||
kmsg->msg_name = compat_ptr(tmp1);
|
||||
kmsg->msg_iov = compat_ptr(tmp2);
|
||||
kmsg->msg_control = compat_ptr(tmp3);
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1973,6 +1973,16 @@ struct used_address {
|
||||
unsigned int name_len;
|
||||
};
|
||||
|
||||
+static int copy_msghdr_from_user(struct msghdr *kmsg,
|
||||
+ struct msghdr __user *umsg)
|
||||
+{
|
||||
+ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
|
||||
+ return -EFAULT;
|
||||
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
+ return -EINVAL;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
|
||||
struct msghdr *msg_sys, unsigned int flags,
|
||||
struct used_address *used_address)
|
||||
@@ -1991,8 +2001,11 @@ static int ___sys_sendmsg(struct socket
|
||||
if (MSG_CMSG_COMPAT & flags) {
|
||||
if (get_compat_msghdr(msg_sys, msg_compat))
|
||||
return -EFAULT;
|
||||
- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
|
||||
- return -EFAULT;
|
||||
+ } else {
|
||||
+ err = copy_msghdr_from_user(msg_sys, msg);
|
||||
+ if (err)
|
||||
+ return err;
|
||||
+ }
|
||||
|
||||
if (msg_sys->msg_iovlen > UIO_FASTIOV) {
|
||||
err = -EMSGSIZE;
|
||||
@@ -2200,8 +2213,11 @@ static int ___sys_recvmsg(struct socket
|
||||
if (MSG_CMSG_COMPAT & flags) {
|
||||
if (get_compat_msghdr(msg_sys, msg_compat))
|
||||
return -EFAULT;
|
||||
- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
|
||||
- return -EFAULT;
|
||||
+ } else {
|
||||
+ err = copy_msghdr_from_user(msg_sys, msg);
|
||||
+ if (err)
|
||||
+ return err;
|
||||
+ }
|
||||
|
||||
if (msg_sys->msg_iovlen > UIO_FASTIOV) {
|
||||
err = -EMSGSIZE;
|
|
@ -0,0 +1,167 @@
|
|||
From 6c7e3c3382670fe98debedf2ddaff8abf2944bb4 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Mon, 30 Sep 2013 22:03:06 +0200
|
||||
Subject: proc connector: fix info leaks
|
||||
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
|
||||
[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ]
|
||||
|
||||
Initialize event_data for all possible message types to prevent leaking
|
||||
kernel stack contents to userland (up to 20 bytes). Also set the flags
|
||||
member of the connector message to 0 to prevent leaking two more stack
|
||||
bytes this way.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/connector/cn_proc.c | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
--- a/drivers/connector/cn_proc.c
|
||||
+++ b/drivers/connector/cn_proc.c
|
||||
@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_str
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_str
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
/* If cn_netlink_send() failed, the data is not sent */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_str
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_str
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struc
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
ev->what = which_id;
|
||||
ev->event_data.id.process_pid = task->pid;
|
||||
ev->event_data.id.process_tgid = task->tgid;
|
||||
@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struc
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_stru
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_stru
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_s
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_s
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_str
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_str
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_str
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
get_seq(&msg->seq, &ev->cpu);
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_str
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = 0; /* not used */
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
||||
@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcv
|
||||
|
||||
msg = (struct cn_msg *)buffer;
|
||||
ev = (struct proc_event *)msg->data;
|
||||
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
|
||||
msg->seq = rcvd_seq;
|
||||
ktime_get_ts(&ts); /* get high res monotonic timestamp */
|
||||
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
|
||||
@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcv
|
||||
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
|
||||
msg->ack = rcvd_ack + 1;
|
||||
msg->len = sizeof(*ev);
|
||||
+ msg->flags = 0; /* not used */
|
||||
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
|
||||
}
|
||||
|
207
debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
vendored
Normal file
207
debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
vendored
Normal file
|
@ -0,0 +1,207 @@
|
|||
From d9f02cfe59400677feea276d4b27981f6d91825a Mon Sep 17 00:00:00 2001
|
||||
From: Linus Lüssing <linus.luessing@web.de>
|
||||
Date: Sun, 20 Oct 2013 00:58:57 +0200
|
||||
Subject: Revert "bridge: only expire the mdb entry when query is received"
|
||||
|
||||
From: Linus Lüssing <linus.luessing@web.de>
|
||||
|
||||
[ Upstream commit 454594f3b93a49ef568cd190c5af31376b105a7b ]
|
||||
|
||||
While this commit was a good attempt to fix issues occuring when no
|
||||
multicast querier is present, this commit still has two more issues:
|
||||
|
||||
1) There are cases where mdb entries do not expire even if there is a
|
||||
querier present. The bridge will unnecessarily continue flooding
|
||||
multicast packets on the according ports.
|
||||
|
||||
2) Never removing an mdb entry could be exploited for a Denial of
|
||||
Service by an attacker on the local link, slowly, but steadily eating up
|
||||
all memory.
|
||||
|
||||
Actually, this commit became obsolete with
|
||||
"bridge: disable snooping if there is no querier" (b00589af3b)
|
||||
which included fixes for a few more cases.
|
||||
|
||||
Therefore reverting the following commits (the commit stated in the
|
||||
commit message plus three of its follow up fixes):
|
||||
|
||||
====================
|
||||
Revert "bridge: update mdb expiration timer upon reports."
|
||||
This reverts commit f144febd93d5ee534fdf23505ab091b2b9088edc.
|
||||
Revert "bridge: do not call setup_timer() multiple times"
|
||||
This reverts commit 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1.
|
||||
Revert "bridge: fix some kernel warning in multicast timer"
|
||||
This reverts commit c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1.
|
||||
Revert "bridge: only expire the mdb entry when query is received"
|
||||
This reverts commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b.
|
||||
====================
|
||||
|
||||
CC: Cong Wang <amwang@redhat.com>
|
||||
Signed-off-by: Linus Lüssing <linus.luessing@web.de>
|
||||
Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/bridge/br_mdb.c | 2 -
|
||||
net/bridge/br_multicast.c | 47 ++++++++++++++++++++++++++--------------------
|
||||
net/bridge/br_private.h | 1
|
||||
3 files changed, 28 insertions(+), 22 deletions(-)
|
||||
|
||||
--- a/net/bridge/br_mdb.c
|
||||
+++ b/net/bridge/br_mdb.c
|
||||
@@ -451,7 +451,7 @@ static int __br_mdb_del(struct net_bridg
|
||||
call_rcu_bh(&p->rcu, br_multicast_free_pg);
|
||||
err = 0;
|
||||
|
||||
- if (!mp->ports && !mp->mglist && mp->timer_armed &&
|
||||
+ if (!mp->ports && !mp->mglist &&
|
||||
netif_running(br->dev))
|
||||
mod_timer(&mp->timer, jiffies);
|
||||
break;
|
||||
--- a/net/bridge/br_multicast.c
|
||||
+++ b/net/bridge/br_multicast.c
|
||||
@@ -271,7 +271,7 @@ static void br_multicast_del_pg(struct n
|
||||
del_timer(&p->timer);
|
||||
call_rcu_bh(&p->rcu, br_multicast_free_pg);
|
||||
|
||||
- if (!mp->ports && !mp->mglist && mp->timer_armed &&
|
||||
+ if (!mp->ports && !mp->mglist &&
|
||||
netif_running(br->dev))
|
||||
mod_timer(&mp->timer, jiffies);
|
||||
|
||||
@@ -610,9 +610,6 @@ rehash:
|
||||
break;
|
||||
|
||||
default:
|
||||
- /* If we have an existing entry, update it's expire timer */
|
||||
- mod_timer(&mp->timer,
|
||||
- jiffies + br->multicast_membership_interval);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -622,7 +619,6 @@ rehash:
|
||||
|
||||
mp->br = br;
|
||||
mp->addr = *group;
|
||||
-
|
||||
setup_timer(&mp->timer, br_multicast_group_expired,
|
||||
(unsigned long)mp);
|
||||
|
||||
@@ -662,6 +658,7 @@ static int br_multicast_add_group(struct
|
||||
struct net_bridge_mdb_entry *mp;
|
||||
struct net_bridge_port_group *p;
|
||||
struct net_bridge_port_group __rcu **pp;
|
||||
+ unsigned long now = jiffies;
|
||||
int err;
|
||||
|
||||
spin_lock(&br->multicast_lock);
|
||||
@@ -676,18 +673,15 @@ static int br_multicast_add_group(struct
|
||||
|
||||
if (!port) {
|
||||
mp->mglist = true;
|
||||
+ mod_timer(&mp->timer, now + br->multicast_membership_interval);
|
||||
goto out;
|
||||
}
|
||||
|
||||
for (pp = &mp->ports;
|
||||
(p = mlock_dereference(*pp, br)) != NULL;
|
||||
pp = &p->next) {
|
||||
- if (p->port == port) {
|
||||
- /* We already have a portgroup, update the timer. */
|
||||
- mod_timer(&p->timer,
|
||||
- jiffies + br->multicast_membership_interval);
|
||||
- goto out;
|
||||
- }
|
||||
+ if (p->port == port)
|
||||
+ goto found;
|
||||
if ((unsigned long)p->port < (unsigned long)port)
|
||||
break;
|
||||
}
|
||||
@@ -698,6 +692,8 @@ static int br_multicast_add_group(struct
|
||||
rcu_assign_pointer(*pp, p);
|
||||
br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
|
||||
|
||||
+found:
|
||||
+ mod_timer(&p->timer, now + br->multicast_membership_interval);
|
||||
out:
|
||||
err = 0;
|
||||
|
||||
@@ -1197,9 +1193,6 @@ static int br_ip4_multicast_query(struct
|
||||
if (!mp)
|
||||
goto out;
|
||||
|
||||
- mod_timer(&mp->timer, now + br->multicast_membership_interval);
|
||||
- mp->timer_armed = true;
|
||||
-
|
||||
max_delay *= br->multicast_last_member_count;
|
||||
|
||||
if (mp->mglist &&
|
||||
@@ -1276,9 +1269,6 @@ static int br_ip6_multicast_query(struct
|
||||
if (!mp)
|
||||
goto out;
|
||||
|
||||
- mod_timer(&mp->timer, now + br->multicast_membership_interval);
|
||||
- mp->timer_armed = true;
|
||||
-
|
||||
max_delay *= br->multicast_last_member_count;
|
||||
if (mp->mglist &&
|
||||
(timer_pending(&mp->timer) ?
|
||||
@@ -1364,7 +1354,7 @@ static void br_multicast_leave_group(str
|
||||
call_rcu_bh(&p->rcu, br_multicast_free_pg);
|
||||
br_mdb_notify(br->dev, port, group, RTM_DELMDB);
|
||||
|
||||
- if (!mp->ports && !mp->mglist && mp->timer_armed &&
|
||||
+ if (!mp->ports && !mp->mglist &&
|
||||
netif_running(br->dev))
|
||||
mod_timer(&mp->timer, jiffies);
|
||||
}
|
||||
@@ -1376,12 +1366,30 @@ static void br_multicast_leave_group(str
|
||||
br->multicast_last_member_interval;
|
||||
|
||||
if (!port) {
|
||||
- if (mp->mglist && mp->timer_armed &&
|
||||
+ if (mp->mglist &&
|
||||
(timer_pending(&mp->timer) ?
|
||||
time_after(mp->timer.expires, time) :
|
||||
try_to_del_timer_sync(&mp->timer) >= 0)) {
|
||||
mod_timer(&mp->timer, time);
|
||||
}
|
||||
+
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ for (p = mlock_dereference(mp->ports, br);
|
||||
+ p != NULL;
|
||||
+ p = mlock_dereference(p->next, br)) {
|
||||
+ if (p->port != port)
|
||||
+ continue;
|
||||
+
|
||||
+ if (!hlist_unhashed(&p->mglist) &&
|
||||
+ (timer_pending(&p->timer) ?
|
||||
+ time_after(p->timer.expires, time) :
|
||||
+ try_to_del_timer_sync(&p->timer) >= 0)) {
|
||||
+ mod_timer(&p->timer, time);
|
||||
+ }
|
||||
+
|
||||
+ break;
|
||||
}
|
||||
out:
|
||||
spin_unlock(&br->multicast_lock);
|
||||
@@ -1798,7 +1806,6 @@ void br_multicast_stop(struct net_bridge
|
||||
hlist_for_each_entry_safe(mp, n, &mdb->mhash[i],
|
||||
hlist[ver]) {
|
||||
del_timer(&mp->timer);
|
||||
- mp->timer_armed = false;
|
||||
call_rcu_bh(&mp->rcu, br_multicast_free_group);
|
||||
}
|
||||
}
|
||||
--- a/net/bridge/br_private.h
|
||||
+++ b/net/bridge/br_private.h
|
||||
@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry
|
||||
struct timer_list timer;
|
||||
struct br_ip addr;
|
||||
bool mglist;
|
||||
- bool timer_armed;
|
||||
};
|
||||
|
||||
struct net_bridge_mdb_htable
|
|
@ -0,0 +1,30 @@
|
|||
From e69ccba66791d0edd0d596520de268369aaab610 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Mon, 30 Sep 2013 22:05:40 +0200
|
||||
Subject: unix_diag: fix info leak
|
||||
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
|
||||
[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ]
|
||||
|
||||
When filling the netlink message we miss to wipe the pad field,
|
||||
therefore leak one byte of heap memory to userland. Fix this by
|
||||
setting pad to 0.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/unix/diag.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/net/unix/diag.c
|
||||
+++ b/net/unix/diag.c
|
||||
@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk,
|
||||
rep->udiag_family = AF_UNIX;
|
||||
rep->udiag_type = sk->sk_type;
|
||||
rep->udiag_state = sk->sk_state;
|
||||
+ rep->pad = 0;
|
||||
rep->udiag_ino = sk_ino;
|
||||
sock_diag_save_cookie(sk, rep->udiag_cookie);
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
From e3b6c655b91e01a1dade056cfa358581b47a5351 Mon Sep 17 00:00:00 2001
|
||||
From: Fengguang Wu <fengguang.wu@intel.com>
|
||||
Date: Wed, 16 Oct 2013 13:47:03 -0700
|
||||
Subject: writeback: fix negative bdi max pause
|
||||
|
||||
From: Fengguang Wu <fengguang.wu@intel.com>
|
||||
|
||||
commit e3b6c655b91e01a1dade056cfa358581b47a5351 upstream.
|
||||
|
||||
Toralf runs trinity on UML/i386. After some time it hangs and the last
|
||||
message line is
|
||||
|
||||
BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child0:1521]
|
||||
|
||||
It's found that pages_dirtied becomes very large. More than 1000000000
|
||||
pages in this case:
|
||||
|
||||
period = HZ * pages_dirtied / task_ratelimit;
|
||||
BUG_ON(pages_dirtied > 2000000000);
|
||||
BUG_ON(pages_dirtied > 1000000000); <---------
|
||||
|
||||
UML debug printf shows that we got negative pause here:
|
||||
|
||||
ick: pause : -984
|
||||
ick: pages_dirtied : 0
|
||||
ick: task_ratelimit: 0
|
||||
|
||||
pause:
|
||||
+ if (pause < 0) {
|
||||
+ extern int printf(char *, ...);
|
||||
+ printf("ick : pause : %li\n", pause);
|
||||
+ printf("ick: pages_dirtied : %lu\n", pages_dirtied);
|
||||
+ printf("ick: task_ratelimit: %lu\n", task_ratelimit);
|
||||
+ BUG_ON(1);
|
||||
+ }
|
||||
trace_balance_dirty_pages(bdi,
|
||||
|
||||
Since pause is bounded by [min_pause, max_pause] where min_pause is also
|
||||
bounded by max_pause. It's suspected and demonstrated that the
|
||||
max_pause calculation goes wrong:
|
||||
|
||||
ick: pause : -717
|
||||
ick: min_pause : -177
|
||||
ick: max_pause : -717
|
||||
ick: pages_dirtied : 14
|
||||
ick: task_ratelimit: 0
|
||||
|
||||
The problem lies in the two "long = unsigned long" assignments in
|
||||
bdi_max_pause() which might go negative if the highest bit is 1, and the
|
||||
min_t(long, ...) check failed to protect it falling under 0. Fix all of
|
||||
them by using "unsigned long" throughout the function.
|
||||
|
||||
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
|
||||
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
|
||||
Tested-by: Toralf Förster <toralf.foerster@gmx.de>
|
||||
Reviewed-by: Jan Kara <jack@suse.cz>
|
||||
Cc: Richard Weinberger <richard@nod.at>
|
||||
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
mm/page-writeback.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/mm/page-writeback.c
|
||||
+++ b/mm/page-writeback.c
|
||||
@@ -1104,11 +1104,11 @@ static unsigned long dirty_poll_interval
|
||||
return 1;
|
||||
}
|
||||
|
||||
-static long bdi_max_pause(struct backing_dev_info *bdi,
|
||||
- unsigned long bdi_dirty)
|
||||
+static unsigned long bdi_max_pause(struct backing_dev_info *bdi,
|
||||
+ unsigned long bdi_dirty)
|
||||
{
|
||||
- long bw = bdi->avg_write_bandwidth;
|
||||
- long t;
|
||||
+ unsigned long bw = bdi->avg_write_bandwidth;
|
||||
+ unsigned long t;
|
||||
|
||||
/*
|
||||
* Limit pause time for small memory systems. If sleeping for too long
|
||||
@@ -1120,7 +1120,7 @@ static long bdi_max_pause(struct backing
|
||||
t = bdi_dirty / (1 + bw / roundup_pow_of_two(1 + HZ / 8));
|
||||
t++;
|
||||
|
||||
- return min_t(long, t, MAX_PAUSE);
|
||||
+ return min_t(unsigned long, t, MAX_PAUSE);
|
||||
}
|
||||
|
||||
static long bdi_min_pause(struct backing_dev_info *bdi,
|
|
@ -81,3 +81,19 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
|||
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
||||
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
||||
bugfix/all/CVE-2013-4348.patch
|
||||
bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
|
||||
bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
|
||||
bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
|
||||
bugfix/all/proc-connector-fix-info-leaks.patch
|
||||
bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
|
||||
bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
|
||||
bugfix/all/unix_diag-fix-info-leak.patch
|
||||
bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
|
||||
bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
|
||||
bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
|
||||
bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
|
||||
bugfix/all/ext-fix-double-put-in-tmpfile.patch
|
||||
bugfix/all/dm-snapshot-fix-data-corruption.patch
|
||||
bugfix/all/i2c-ismt-initialize-dma-buffer.patch
|
||||
bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch
|
||||
bugfix/all/writeback-fix-negative-bdi-max-pause.patch
|
||||
|
|
Loading…
Reference in New Issue