Cherry-pick various urgent fixes from 3.11 stable queue
svn path=/dists/sid/linux/; revision=20767
parent
a78dcf3d31
commit
e3b8a9343f
@ -7,6 +7,22 @@ linux (3.11.6-2) UNRELEASED; urgency=low
(fixes FTBFS)
(fixes FTBFS)
* [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI
* [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI
* net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
* net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
* net: do not call sock_put() on TIMEWAIT sockets
* l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
* net: heap overflow in __audit_sockaddr()
* proc connector: fix info leaks
* bridge: update mdb expiration timer upon reports.
* Revert "bridge: only expire the mdb entry when query is received"
* unix_diag: fix info leak
* be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
* net: fix cipso packet validation when !NETLABEL
* inet: fix possible memory corruption with UDP_CORK and UFO
* [arm] 7851/1: check for number of arguments in syscall_get/set_arguments()
* ext[34]: fix double put in tmpfile
* dm snapshot: fix data corruption (CVE-2013-4299)
* i2c: ismt: initialize DMA buffer
* mm: fix BUG in __split_huge_page_pmd
* writeback: fix negative bdi max pause
[ Aurelien Jarno ]
[ Aurelien Jarno ]
* UAPI: include <asm/byteorder.h> in linux/raid/md_p.h.
* UAPI: include <asm/byteorder.h> in linux/raid/md_p.h.
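--- a/debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
+++ b/debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
@@ -0,0 +1,40 @@
+From b16dd2cff7a4eb3881f43371d71ed242332877dc Mon Sep 17 00:00:00 2001
+From: Vasundhara Volam <vasundhara.volam@emulex.com>
+Date: Thu, 17 Oct 2013 11:47:14 +0530
+Subject: be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd
+
+From: Vasundhara Volam <vasundhara.volam@emulex.com>
+
+[ Upstream commit 0fb88d61bc60779dde88b0fc268da17eb81d0412 ]
+
+It is a required field for all TX_CREATE cmd versions > 0.
+This fixes a driver initialization failure, caused by recent SH-R Firmwares
+(versions > 10.0.639.0) failing the TX_CREATE cmd when if_id field is
+not passed.
+
+Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -1150,7 +1150,6 @@ int be_cmd_txq_create(struct be_adapter
+
+if (lancer_chip(adapter)) {
+req->hdr.version = 1;
+- req->if_id = cpu_to_le16(adapter->if_handle);
+} else if (BEx_chip(adapter)) {
+if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC)
+req->hdr.version = 2;
+@@ -1158,6 +1157,8 @@ int be_cmd_txq_create(struct be_adapter
+req->hdr.version = 2;
+}
+
++ if (req->hdr.version > 0)
++ req->if_id = cpu_to_le16(adapter->if_handle);
+req->num_pages = PAGES_4K_SPANNED(q_mem->va, q_mem->size);
+req->ulp_num = BE_ULP1_NUM;
+req->type = BE_ETH_TX_RING_TYPE_STANDARD;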
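--- a/debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
+++ b/debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
@@ -0,0 +1,63 @@
+From 74869292aeb07213144e34b0e21e23f7e3c9f61f Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vyasevic@redhat.com>
+Date: Thu, 10 Oct 2013 15:57:59 -0400
+Subject: bridge: update mdb expiration timer upon reports.
+
+From: Vlad Yasevich <vyasevic@redhat.com>
+
+[ Upstream commit f144febd93d5ee534fdf23505ab091b2b9088edc ]
+
+commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b
+bridge: only expire the mdb entry when query is received
+changed the mdb expiration timer to be armed only when QUERY is
+received. Howerver, this causes issues in an environment where
+the multicast server socket comes and goes very fast while a client
+is trying to send traffic to it.
+
+The root cause is a race where a sequence of LEAVE followed by REPORT
+messages can race against QUERY messages generated in response to LEAVE.
+The QUERY ends up starting the expiration timer, and that timer can
+potentially expire after the new REPORT message has been received signaling
+the new join operation. This leads to a significant drop in multicast
+traffic and possible complete stall.
+
+The solution is to have REPORT messages update the expiration timer
+on entries that already exist.
+
+Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
+CC: Cong Wang <xiyou.wangcong@gmail.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: Stephen Hemminger <stephen@networkplumber.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+net/bridge/br_multicast.c | 9 ++++++++-
+1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -610,6 +610,9 @@ rehash:
+break;
+
+default:
++ /* If we have an existing entry, update it's expire timer */
++ mod_timer(&mp->timer,
++ jiffies + br->multicast_membership_interval);
+goto out;
+}
+
+@@ -679,8 +682,12 @@ static int br_multicast_add_group(struct
+for (pp = &mp->ports;
+(p = mlock_dereference(*pp, br)) != NULL;
+pp = &p->next) {
+- if (p->port == port)
++ if (p->port == port) {
++ /* We already have a portgroup, update the timer. */
++ mod_timer(&p->timer,
++ jiffies + br->multicast_membership_interval);
+goto out;
++ }
+if ((unsigned long)p->port < (unsigned long)port)
+break;
+}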
@ -0,0 +1,88 @@
|
||||||
|
From e9c6a182649f4259db704ae15a91ac820e63b0ca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mikulas Patocka <mpatocka@redhat.com>
|
||||||
|
Date: Wed, 16 Oct 2013 03:17:47 +0100
|
||||||
|
Subject: dm snapshot: fix data corruption
|
||||||
|
|
||||||
|
From: Mikulas Patocka <mpatocka@redhat.com>
|
||||||
|
|
||||||
|
commit e9c6a182649f4259db704ae15a91ac820e63b0ca upstream.
|
||||||
|
|
||||||
|
This patch fixes a particular type of data corruption that has been
|
||||||
|
encountered when loading a snapshot's metadata from disk.
|
||||||
|
|
||||||
|
When we allocate a new chunk in persistent_prepare, we increment
|
||||||
|
ps->next_free and we make sure that it doesn't point to a metadata area
|
||||||
|
by further incrementing it if necessary.
|
||||||
|
|
||||||
|
When we load metadata from disk on device activation, ps->next_free is
|
||||||
|
positioned after the last used data chunk. However, if this last used
|
||||||
|
data chunk is followed by a metadata area, ps->next_free is positioned
|
||||||
|
erroneously to the metadata area. A newly-allocated chunk is placed at
|
||||||
|
the same location as the metadata area, resulting in data or metadata
|
||||||
|
corruption.
|
||||||
|
|
||||||
|
This patch changes the code so that ps->next_free skips the metadata
|
||||||
|
area when metadata are loaded in function read_exceptions.
|
||||||
|
|
||||||
|
The patch also moves a piece of code from persistent_prepare_exception
|
||||||
|
to a separate function skip_metadata to avoid code duplication.
|
||||||
|
|
||||||
|
CVE-2013-4299
|
||||||
|
|
||||||
|
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
|
||||||
|
Cc: Mike Snitzer <snitzer@redhat.com>
|
||||||
|
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
|
||||||
|
---
|
||||||
|
drivers/md/dm-snap-persistent.c | 18 ++++++++++++------
|
||||||
|
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
--- a/drivers/md/dm-snap-persistent.c
|
||||||
|
+++ b/drivers/md/dm-snap-persistent.c
|
||||||
|
@@ -269,6 +269,14 @@ static chunk_t area_location(struct psto
|
||||||
|
return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void skip_metadata(struct pstore *ps)
|
||||||
|
+{
|
||||||
|
+ uint32_t stride = ps->exceptions_per_area + 1;
|
||||||
|
+ chunk_t next_free = ps->next_free;
|
||||||
|
+ if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS)
|
||||||
|
+ ps->next_free++;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Read or write a metadata area. Remembering to skip the first
|
||||||
|
* chunk which holds the header.
|
||||||
|
@@ -502,6 +510,8 @@ static int read_exceptions(struct pstore
|
||||||
|
|
||||||
|
ps->current_area--;
|
||||||
|
|
||||||
|
+ skip_metadata(ps);
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -616,8 +626,6 @@ static int persistent_prepare_exception(
|
||||||
|
struct dm_exception *e)
|
||||||
|
{
|
||||||
|
struct pstore *ps = get_info(store);
|
||||||
|
- uint32_t stride;
|
||||||
|
- chunk_t next_free;
|
||||||
|
sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev);
|
||||||
|
|
||||||
|
/* Is there enough room ? */
|
||||||
|
@@ -630,10 +638,8 @@ static int persistent_prepare_exception(
|
||||||
|
* Move onto the next free pending, making sure to take
|
||||||
|
* into account the location of the metadata chunks.
|
||||||
|
*/
|
||||||
|
- stride = (ps->exceptions_per_area + 1);
|
||||||
|
- next_free = ++ps->next_free;
|
||||||
|
- if (sector_div(next_free, stride) == 1)
|
||||||
|
- ps->next_free++;
|
||||||
|
+ ps->next_free++;
|
||||||
|
+ skip_metadata(ps);
|
||||||
|
|
||||||
|
atomic_inc(&ps->pending_count);
|
||||||
|
return 0;
|
|
@ -0,0 +1,66 @@
|
||||||
|
From 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||||
|
Date: Thu, 10 Oct 2013 16:48:19 +0200
|
||||||
|
Subject: ext[34]: fix double put in tmpfile
|
||||||
|
|
||||||
|
From: Miklos Szeredi <mszeredi@suse.cz>
|
||||||
|
|
||||||
|
commit 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 upstream.
|
||||||
|
|
||||||
|
d_tmpfile() already swallowed the inode ref.
|
||||||
|
|
||||||
|
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
|
||||||
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
|
||||||
|
---
|
||||||
|
fs/ext3/namei.c | 5 ++---
|
||||||
|
fs/ext4/namei.c | 5 ++---
|
||||||
|
2 files changed, 4 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
--- a/fs/ext3/namei.c
|
||||||
|
+++ b/fs/ext3/namei.c
|
||||||
|
@@ -1783,7 +1783,7 @@ retry:
|
||||||
|
d_tmpfile(dentry, inode);
|
||||||
|
err = ext3_orphan_add(handle, inode);
|
||||||
|
if (err)
|
||||||
|
- goto err_drop_inode;
|
||||||
|
+ goto err_unlock_inode;
|
||||||
|
mark_inode_dirty(inode);
|
||||||
|
unlock_new_inode(inode);
|
||||||
|
}
|
||||||
|
@@ -1791,10 +1791,9 @@ retry:
|
||||||
|
if (err == -ENOSPC && ext3_should_retry_alloc(dir->i_sb, &retries))
|
||||||
|
goto retry;
|
||||||
|
return err;
|
||||||
|
-err_drop_inode:
|
||||||
|
+err_unlock_inode:
|
||||||
|
ext3_journal_stop(handle);
|
||||||
|
unlock_new_inode(inode);
|
||||||
|
- iput(inode);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
--- a/fs/ext4/namei.c
|
||||||
|
+++ b/fs/ext4/namei.c
|
||||||
|
@@ -2319,7 +2319,7 @@ retry:
|
||||||
|
d_tmpfile(dentry, inode);
|
||||||
|
err = ext4_orphan_add(handle, inode);
|
||||||
|
if (err)
|
||||||
|
- goto err_drop_inode;
|
||||||
|
+ goto err_unlock_inode;
|
||||||
|
mark_inode_dirty(inode);
|
||||||
|
unlock_new_inode(inode);
|
||||||
|
}
|
||||||
|
@@ -2328,10 +2328,9 @@ retry:
|
||||||
|
if (err == -ENOSPC && ext4_should_retry_alloc(dir->i_sb, &retries))
|
||||||
|
goto retry;
|
||||||
|
return err;
|
||||||
|
-err_drop_inode:
|
||||||
|
+err_unlock_inode:
|
||||||
|
ext4_journal_stop(handle);
|
||||||
|
unlock_new_inode(inode);
|
||||||
|
- iput(inode);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
From bf4169100c909667ede6af67668b3ecce6928343 Mon Sep 17 00:00:00 2001
|
||||||
|
From: James Ralston <james.d.ralston@intel.com>
|
||||||
|
Date: Tue, 24 Sep 2013 16:47:55 -0700
|
||||||
|
Subject: i2c: ismt: initialize DMA buffer
|
||||||
|
|
||||||
|
From: James Ralston <james.d.ralston@intel.com>
|
||||||
|
|
||||||
|
commit bf4169100c909667ede6af67668b3ecce6928343 upstream.
|
||||||
|
|
||||||
|
This patch adds code to initialize the DMA buffer to compensate for
|
||||||
|
possible hardware data corruption.
|
||||||
|
|
||||||
|
Signed-off-by: James Ralston <james.d.ralston@intel.com>
|
||||||
|
[wsa: changed to use 'sizeof']
|
||||||
|
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
|
||||||
|
Cc: Jean Delvare <jdelvare@suse.de>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
|
||||||
|
---
|
||||||
|
drivers/i2c/busses/i2c-ismt.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
--- a/drivers/i2c/busses/i2c-ismt.c
|
||||||
|
+++ b/drivers/i2c/busses/i2c-ismt.c
|
||||||
|
@@ -393,6 +393,9 @@ static int ismt_access(struct i2c_adapte
|
||||||
|
|
||||||
|
desc = &priv->hw[priv->head];
|
||||||
|
|
||||||
|
+ /* Initialize the DMA buffer */
|
||||||
|
+ memset(priv->dma_buffer, 0, sizeof(priv->dma_buffer));
|
||||||
|
+
|
||||||
|
/* Initialize the descriptor */
|
||||||
|
memset(desc, 0, sizeof(struct ismt_desc));
|
||||||
|
desc->tgtaddr_rw = ISMT_DESC_ADDR_RW(addr, read_write);
|
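--- a/debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
+++ b/debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
@@ -0,0 +1,76 @@
+From 27e33640a8905b1aeefe9998242551caf24e84a6 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue, 22 Oct 2013 00:07:47 +0200
+Subject: inet: fix possible memory corruption with UDP_CORK and UFO
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ This is a simplified -stable version of a set of upstream commits. ]
+
+This is a replacement patch only for stable which does fix the problems
+handled by the following two commits in -net:
+
+"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
+"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
+
+Three frames are written on a corked udp socket for which the output
+netdevice has UFO enabled. If the first and third frame are smaller than
+the mtu and the second one is bigger, we enqueue the second frame with
+skb_append_datato_frags without initializing the gso fields. This leads
+to the third frame appended regulary and thus constructing an invalid skb.
+
+This fixes the problem by always using skb_append_datato_frags as soon
+as the first frag got enqueued to the skb without marking the packet
+as SKB_GSO_UDP.
+
+The problem with only two frames for ipv6 was fixed by "ipv6: udp
+packets following an UFO enqueued packet need also be handled by UFO"
+(2811ebac2521ceac84f2bdae402455baa6a7fb47).
+
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+include/linux/skbuff.h | 5 +++++
+net/ipv4/ip_output.c | 2 +-
+net/ipv6/ip6_output.c | 2 +-
+3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const stru
+return len + skb_headlen(skb);
+}
+
++static inline bool skb_has_frags(const struct sk_buff *skb)
++{
++ return skb_shinfo(skb)->nr_frags;
++}
++
+/**
+* __skb_fill_page_desc - initialise a paged fragment in an skb
+* @skb: buffer containing fragment to be initialised
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock
+csummode = CHECKSUM_PARTIAL;
+
+cork->length += length;
+- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
++ if (((length > mtu) || (skb && skb_has_frags(skb))) &&
+(sk->sk_protocol == IPPROTO_UDP) &&
+(rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
+err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int
+skb = skb_peek_tail(&sk->sk_write_queue);
+cork->length += length;
+if (((length > mtu) ||
+- (skb && skb_is_gso(skb))) &&
++ (skb && skb_has_frags(skb))) &&
+(sk->sk_protocol == IPPROTO_UDP) &&
+(rt->dst.dev->features & NETIF_F_UFO)) {
+err = ip6_ufo_append_data(sk, getfrag, from, length,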
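--- a/debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
+++ b/debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
@@ -0,0 +1,141 @@
+From 8be4005ed947924104df5850944a20b7f6570137 Mon Sep 17 00:00:00 2001
+From: François CACHEREUL <f.cachereul@alphalink.fr>
+Date: Wed, 2 Oct 2013 10:16:02 +0200
+Subject: l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+
+From: François CACHEREUL <f.cachereul@alphalink.fr>
+
+[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ]
+
+IPv4 mapped addresses cause kernel panic.
+The patch juste check whether the IPv6 address is an IPv4 mapped
+address. If so, use IPv4 API instead of IPv6.
+
+[ 940.026915] general protection fault: 0000 [#1]
+[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
+[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
+[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+[ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
+[ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
+[ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
+[ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
+[ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
+[ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
+[ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
+[ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
+[ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
+[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
+[ 940.026915] Stack:
+[ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
+[ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
+[ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
+[ 940.026915] Call Trace:
+[ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
+[ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
+[ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
+[ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
+[ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
+[ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
+[ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
+[ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
+[ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
+[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
+8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
+00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
+[ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
+[ 940.026915] RSP <ffff88000737fd28>
+[ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
+[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
+
+Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
+net/l2tp/l2tp_core.h | 3 +++
+2 files changed, 26 insertions(+), 4 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -496,6 +496,7 @@ out:
+static inline int l2tp_verify_udp_checksum(struct sock *sk,
+struct sk_buff *skb)
+{
++ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
+struct udphdr *uh = udp_hdr(skb);
+u16 ulen = ntohs(uh->len);
+__wsum psum;
+@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checks
+return 0;
+
+#if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6) {
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
+if (!uh->check) {
+LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
+return 1;
+@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_se
+/* Queue the packet to IP for output */
+skb->local_df = 1;
+#if IS_ENABLED(CONFIG_IPV6)
+- if (skb->sk->sk_family == PF_INET6)
++ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+error = inet6_csk_xmit(skb, NULL);
+else
+#endif
+@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
+
+/* Calculate UDP checksum if configured to do so */
+#if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6)
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+l2tp_xmit_ipv6_csum(sk, skb, udp_len);
+else
+#endif
+@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net,
+if (cfg != NULL)
+tunnel->debug = cfg->debug;
+
++#if IS_ENABLED(CONFIG_IPV6)
++ if (sk->sk_family == PF_INET6) {
++ struct ipv6_pinfo *np = inet6_sk(sk);
++
++ if (ipv6_addr_v4mapped(&np->saddr) &&
++ ipv6_addr_v4mapped(&np->daddr)) {
++ struct inet_sock *inet = inet_sk(sk);
++
++ tunnel->v4mapped = true;
++ inet->inet_saddr = np->saddr.s6_addr32[3];
++ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
++ inet->inet_daddr = np->daddr.s6_addr32[3];
++ } else {
++ tunnel->v4mapped = false;
++ }
++ }
++#endif
++
+/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
+tunnel->encap = encap;
+if (encap == L2TP_ENCAPTYPE_UDP) {
+@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net,
+udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
+udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
+#if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6)
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+udpv6_encap_enable();
+else
+#endif
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -194,6 +194,9 @@ struct l2tp_tunnel {
+struct sock *sock; /* Parent socket */
+int fd; /* Parent fd, if tunnel socket
+* was created by userspace */
++#if IS_ENABLED(CONFIG_IPV6)
++ bool v4mapped;
++#endif
+
+struct work_struct del_work;
+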
@ -0,0 +1,57 @@
|
||||||
|
From 750e8165f5e87b6a142be953640eabb13a9d350a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hugh Dickins <hughd@google.com>
|
||||||
|
Date: Wed, 16 Oct 2013 13:47:08 -0700
|
||||||
|
Subject: mm: fix BUG in __split_huge_page_pmd
|
||||||
|
|
||||||
|
From: Hugh Dickins <hughd@google.com>
|
||||||
|
|
||||||
|
commit 750e8165f5e87b6a142be953640eabb13a9d350a upstream.
|
||||||
|
|
||||||
|
Occasionally we hit the BUG_ON(pmd_trans_huge(*pmd)) at the end of
|
||||||
|
__split_huge_page_pmd(): seen when doing madvise(,,MADV_DONTNEED).
|
||||||
|
|
||||||
|
It's invalid: we don't always have down_write of mmap_sem there: a racing
|
||||||
|
do_huge_pmd_wp_page() might have copied-on-write to another huge page
|
||||||
|
before our split_huge_page() got the anon_vma lock.
|
||||||
|
|
||||||
|
Forget the BUG_ON, just go back and try again if this happens.
|
||||||
|
|
||||||
|
Signed-off-by: Hugh Dickins <hughd@google.com>
|
||||||
|
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
|
||||||
|
Cc: Andrea Arcangeli <aarcange@redhat.com>
|
||||||
|
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
|
||||||
|
Cc: David Rientjes <rientjes@google.com>
|
||||||
|
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
|
||||||
|
---
|
||||||
|
mm/huge_memory.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/mm/huge_memory.c
|
||||||
|
+++ b/mm/huge_memory.c
|
||||||
|
@@ -2709,6 +2709,7 @@ void __split_huge_page_pmd(struct vm_are
|
||||||
|
|
||||||
|
mmun_start = haddr;
|
||||||
|
mmun_end = haddr + HPAGE_PMD_SIZE;
|
||||||
|
+again:
|
||||||
|
mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
|
||||||
|
spin_lock(&mm->page_table_lock);
|
||||||
|
if (unlikely(!pmd_trans_huge(*pmd))) {
|
||||||
|
@@ -2731,7 +2732,14 @@ void __split_huge_page_pmd(struct vm_are
|
||||||
|
split_huge_page(page);
|
||||||
|
|
||||||
|
put_page(page);
|
||||||
|
- BUG_ON(pmd_trans_huge(*pmd));
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * We don't always have down_write of mmap_sem here: a racing
|
||||||
|
+ * do_huge_pmd_wp_page() might have copied-on-write to another
|
||||||
|
+ * huge page before our split_huge_page() got the anon_vma lock.
|
||||||
|
+ */
|
||||||
|
+ if (unlikely(pmd_trans_huge(*pmd)))
|
||||||
|
+ goto again;
|
||||||
|
}
|
||||||
|
|
||||||
|
void split_huge_page_pmd_mm(struct mm_struct *mm, unsigned long address,
|
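--- a/debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
+++ b/debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
@@ -0,0 +1,44 @@
+From 05c9fdfad860abd64136d8ccd88dbf84e40bd5f5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 1 Oct 2013 21:04:11 -0700
+Subject: net: do not call sock_put() on TIMEWAIT sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ]
+
+commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
+hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
+
+We should instead use inet_twsk_put()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+net/ipv4/inet_hashtables.c | 2 +-
+net/ipv6/inet6_hashtables.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -287,7 +287,7 @@ begintw:
+if (unlikely(!INET_TW_MATCH(sk, net, acookie,
+saddr, daddr, ports,
+dif))) {
+- sock_put(sk);
++ inet_twsk_put(inet_twsk(sk));
+goto begintw;
+}
+goto out;
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -116,7 +116,7 @@ begintw:
+}
+if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr,
+ports, dif))) {
+- sock_put(sk);
++ inet_twsk_put(inet_twsk(sk));
+goto begintw;
+}
+goto out;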
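--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
@@ -0,0 +1,54 @@
+From 7b48750febb4c3387db39fd0b547936c53ba7364 Mon Sep 17 00:00:00 2001
+From: Seif Mazareeb <seif@marvell.com>
+Date: Thu, 17 Oct 2013 20:33:21 -0700
+Subject: net: fix cipso packet validation when !NETLABEL
+
+From: Seif Mazareeb <seif@marvell.com>
+
+[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ]
+
+When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop
+forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel
+crash in an SMP system, since the CPU executing this function will
+stall /not respond to IPIs.
+
+This problem can be reproduced by running the IP Stack Integrity Checker
+(http://isic.sourceforge.net) using the following command on a Linux machine
+connected to DUT:
+
+"icmpsic -s rand -d <DUT IP address> -r 123456"
+wait (1-2 min)
+
+Signed-off-by: Seif Mazareeb <seif@marvell.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+include/net/cipso_ipv4.h | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/net/cipso_ipv4.h
++++ b/include/net/cipso_ipv4.h
+@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(cons
+unsigned char err_offset = 0;
+u8 opt_len = opt[1];
+u8 opt_iter;
++ u8 tag_len;
+
+if (opt_len < 8) {
+err_offset = 1;
+@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(cons
+}
+
+for (opt_iter = 6; opt_iter < opt_len;) {
+- if (opt[opt_iter + 1] > (opt_len - opt_iter)) {
++ tag_len = opt[opt_iter + 1];
++ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) {
+err_offset = opt_iter + 1;
+goto out;
+}
+- opt_iter += opt[opt_iter + 1];
++ opt_iter += tag_len;
+}
+
+out: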
|
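--- /dev/null
+++ b/debian/patches/bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
@@ -0,0 +1,86 @@
+From b8baf1c21a214c1b836eef390c9d6e153293fef9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 3 Oct 2013 00:27:20 +0300
+Subject: net: heap overflow in __audit_sockaddr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]
+
+We need to cap ->msg_namelen or it leads to a buffer overflow when we
+to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
+exploit this bug.
+
+The call tree is:
+___sys_recvmsg()
+move_addr_to_user()
+audit_sockaddr()
+__audit_sockaddr()
+
+Reported-by: Jüri Aedla <juri.aedla@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+net/compat.c | 2 ++
+net/socket.c | 24 ++++++++++++++++++++----
+2 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kms
+__get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+__get_user(kmsg->msg_flags, &umsg->msg_flags))
+return -EFAULT;
++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++ return -EINVAL;
+kmsg->msg_name = compat_ptr(tmp1);
+kmsg->msg_iov = compat_ptr(tmp2);
+kmsg->msg_control = compat_ptr(tmp3);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1973,6 +1973,16 @@ struct used_address {
+unsigned int name_len;
+};
+
++static int copy_msghdr_from_user(struct msghdr *kmsg,
++ struct msghdr __user *umsg)
++{
++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
++ return -EFAULT;
++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++ return -EINVAL;
++ return 0;
++}
++
+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+struct msghdr *msg_sys, unsigned int flags,
+struct used_address *used_address)
+@@ -1991,8 +2001,11 @@ static int ___sys_sendmsg(struct socket
+if (MSG_CMSG_COMPAT & flags) {
+if (get_compat_msghdr(msg_sys, msg_compat))
+return -EFAULT;
+- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+- return -EFAULT;
++ } else {
++ err = copy_msghdr_from_user(msg_sys, msg);
++ if (err)
++ return err;
++ }
+
+if (msg_sys->msg_iovlen > UIO_FASTIOV) {
+err = -EMSGSIZE;
+@@ -2200,8 +2213,11 @@ static int ___sys_recvmsg(struct socket
+if (MSG_CMSG_COMPAT & flags) {
+if (get_compat_msghdr(msg_sys, msg_compat))
+return -EFAULT;
+- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+- return -EFAULT;
++ } else {
++ err = copy_msghdr_from_user(msg_sys, msg);
++ if (err)
++ return err;
++ }
+
+if (msg_sys->msg_iovlen > UIO_FASTIOV) {
+err = -EMSGSIZE;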
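Review bot: The compat branches that sit right above each new `} else {` still do `if (get_compat_msghdr(msg_sys, msg_compat)) return -EFAULT;`, so the -EINVAL this same patch adds to get_compat_msghdr() for an oversized msg_namelen reaches userspace as EFAULT on the compat path but as EINVAL on the native path for the same bad input. Symmetric handling in both ___sys_sendmsg and ___sys_recvmsg, `err = get_compat_msghdr(msg_sys, msg_compat); if (err) return err;`, keeps one errno per condition. copy_msghdr_from_user() would also benefit from a one-line comment on why sockaddr_storage is the bound, e.g. `/* cap msg_namelen: __audit_sockaddr() memcpy()s it into a fixed sockaddr_storage-sized buffer */`, and if msg_namelen is a signed int here the `>` rejects negative values only through the signed-to-unsigned promotion, which deserves a note of its own. Both syscall helpers start and end outside these hunks.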
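--- /dev/null
+++ b/debian/patches/bugfix/all/proc-connector-fix-info-leaks.patch
@@ -0,0 +1,167 @@
+From 6c7e3c3382670fe98debedf2ddaff8abf2944bb4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:03:06 +0200
+Subject: proc connector: fix info leaks
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ]
+
+Initialize event_data for all possible message types to prevent leaking
+kernel stack contents to userland (up to 20 bytes). Also set the flags
+member of the connector message to 0 to prevent leaking two more stack
+bytes this way.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+drivers/connector/cn_proc.c | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_str
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_str
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+/* If cn_netlink_send() failed, the data is not sent */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_str
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_str
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struc
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ev->what = which_id;
+ev->event_data.id.process_pid = task->pid;
+ev->event_data.id.process_tgid = task->tgid;
+@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struc
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_stru
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_stru
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_s
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_s
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_str
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_str
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_str
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+get_seq(&msg->seq, &ev->cpu);
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_str
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = 0; /* not used */
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+
+@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcv
+
+msg = (struct cn_msg *)buffer;
+ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+msg->seq = rcvd_seq;
+ktime_get_ts(&ts); /* get high res monotonic timestamp */
+put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcv
+memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+msg->ack = rcvd_ack + 1;
+msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+}
+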
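Review bot: The fix is copy-pasted into nine senders as `memset(&ev->event_data, 0, sizeof(ev->event_data));` plus `msg->flags = 0; /* not used */`, with the rest of the header still relying on per-field stores, so a tenth event type added later that omits either line reintroduces the stack leak. Zeroing the whole message once where `buffer` is declared (`memset(buffer, 0, sizeof(buffer));` if it is a local array, or a `= {0}` initializer), or a small `static void cn_proc_msg_init(struct cn_msg *msg, struct proc_event *ev)` that every sender calls, would make the guarantee structural rather than per-call-site. That is a follow-up rather than a change to this stable backport, which is reasonably kept minimal. All of the touched functions start outside their hunks, so where `buffer` lives is not visible here.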
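--- /dev/null
+++ b/debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
@@ -0,0 +1,207 @@
+From d9f02cfe59400677feea276d4b27981f6d91825a Mon Sep 17 00:00:00 2001
+From: Linus Lüssing <linus.luessing@web.de>
+Date: Sun, 20 Oct 2013 00:58:57 +0200
+Subject: Revert "bridge: only expire the mdb entry when query is received"
+
+From: Linus Lüssing <linus.luessing@web.de>
+
+[ Upstream commit 454594f3b93a49ef568cd190c5af31376b105a7b ]
+
+While this commit was a good attempt to fix issues occuring when no
+multicast querier is present, this commit still has two more issues:
+
+1) There are cases where mdb entries do not expire even if there is a
+querier present. The bridge will unnecessarily continue flooding
+multicast packets on the according ports.
+
+2) Never removing an mdb entry could be exploited for a Denial of
+Service by an attacker on the local link, slowly, but steadily eating up
+all memory.
+
+Actually, this commit became obsolete with
+"bridge: disable snooping if there is no querier" (b00589af3b)
+which included fixes for a few more cases.
+
+Therefore reverting the following commits (the commit stated in the
+commit message plus three of its follow up fixes):
+
+====================
+Revert "bridge: update mdb expiration timer upon reports."
+This reverts commit f144febd93d5ee534fdf23505ab091b2b9088edc.
+Revert "bridge: do not call setup_timer() multiple times"
+This reverts commit 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1.
+Revert "bridge: fix some kernel warning in multicast timer"
+This reverts commit c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1.
+Revert "bridge: only expire the mdb entry when query is received"
+This reverts commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b.
+====================
+
+CC: Cong Wang <amwang@redhat.com>
+Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+net/bridge/br_mdb.c | 2 -
+net/bridge/br_multicast.c | 47 ++++++++++++++++++++++++++--------------------
+net/bridge/br_private.h | 1
+3 files changed, 28 insertions(+), 22 deletions(-)
+
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -451,7 +451,7 @@ static int __br_mdb_del(struct net_bridg
+call_rcu_bh(&p->rcu, br_multicast_free_pg);
+err = 0;
+
+- if (!mp->ports && !mp->mglist && mp->timer_armed &&
++ if (!mp->ports && !mp->mglist &&
+netif_running(br->dev))
+mod_timer(&mp->timer, jiffies);
+break;
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -271,7 +271,7 @@ static void br_multicast_del_pg(struct n
+del_timer(&p->timer);
+call_rcu_bh(&p->rcu, br_multicast_free_pg);
+
+- if (!mp->ports && !mp->mglist && mp->timer_armed &&
++ if (!mp->ports && !mp->mglist &&
+netif_running(br->dev))
+mod_timer(&mp->timer, jiffies);
+
+@@ -610,9 +610,6 @@ rehash:
+break;
+
+default:
+- /* If we have an existing entry, update it's expire timer */
+- mod_timer(&mp->timer,
+- jiffies + br->multicast_membership_interval);
+goto out;
+}
+
+@@ -622,7 +619,6 @@ rehash:
+
+mp->br = br;
+mp->addr = *group;
+-
+setup_timer(&mp->timer, br_multicast_group_expired,
+(unsigned long)mp);
+
+@@ -662,6 +658,7 @@ static int br_multicast_add_group(struct
+struct net_bridge_mdb_entry *mp;
+struct net_bridge_port_group *p;
+struct net_bridge_port_group __rcu **pp;
++ unsigned long now = jiffies;
+int err;
+
+spin_lock(&br->multicast_lock);
+@@ -676,18 +673,15 @@ static int br_multicast_add_group(struct
+
+if (!port) {
+mp->mglist = true;
++ mod_timer(&mp->timer, now + br->multicast_membership_interval);
+goto out;
+}
+
+for (pp = &mp->ports;
+(p = mlock_dereference(*pp, br)) != NULL;
+pp = &p->next) {
+- if (p->port == port) {
+- /* We already have a portgroup, update the timer. */
+- mod_timer(&p->timer,
+- jiffies + br->multicast_membership_interval);
+- goto out;
+- }
++ if (p->port == port)
++ goto found;
+if ((unsigned long)p->port < (unsigned long)port)
+break;
+}
+@@ -698,6 +692,8 @@ static int br_multicast_add_group(struct
+rcu_assign_pointer(*pp, p);
+br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
+
++found:
++ mod_timer(&p->timer, now + br->multicast_membership_interval);
+out:
+err = 0;
+
+@@ -1197,9 +1193,6 @@ static int br_ip4_multicast_query(struct
+if (!mp)
+goto out;
+
+- mod_timer(&mp->timer, now + br->multicast_membership_interval);
+- mp->timer_armed = true;
+-
+max_delay *= br->multicast_last_member_count;
+
+if (mp->mglist &&
+@@ -1276,9 +1269,6 @@ static int br_ip6_multicast_query(struct
+if (!mp)
+goto out;
+
+- mod_timer(&mp->timer, now + br->multicast_membership_interval);
+- mp->timer_armed = true;
+-
+max_delay *= br->multicast_last_member_count;
+if (mp->mglist &&
+(timer_pending(&mp->timer) ?
+@@ -1364,7 +1354,7 @@ static void br_multicast_leave_group(str
+call_rcu_bh(&p->rcu, br_multicast_free_pg);
+br_mdb_notify(br->dev, port, group, RTM_DELMDB);
+
+- if (!mp->ports && !mp->mglist && mp->timer_armed &&
++ if (!mp->ports && !mp->mglist &&
+netif_running(br->dev))
+mod_timer(&mp->timer, jiffies);
+}
+@@ -1376,12 +1366,30 @@ static void br_multicast_leave_group(str
+br->multicast_last_member_interval;
+
+if (!port) {
+- if (mp->mglist && mp->timer_armed &&
++ if (mp->mglist &&
+(timer_pending(&mp->timer) ?
+time_after(mp->timer.expires, time) :
+try_to_del_timer_sync(&mp->timer) >= 0)) {
+mod_timer(&mp->timer, time);
+}
++
++ goto out;
++ }
++
++ for (p = mlock_dereference(mp->ports, br);
++ p != NULL;
++ p = mlock_dereference(p->next, br)) {
++ if (p->port != port)
++ continue;
++
++ if (!hlist_unhashed(&p->mglist) &&
++ (timer_pending(&p->timer) ?
++ time_after(p->timer.expires, time) :
++ try_to_del_timer_sync(&p->timer) >= 0)) {
++ mod_timer(&p->timer, time);
++ }
++
++ break;
+}
+out:
+spin_unlock(&br->multicast_lock);
+@@ -1798,7 +1806,6 @@ void br_multicast_stop(struct net_bridge
+hlist_for_each_entry_safe(mp, n, &mdb->mhash[i],
+hlist[ver]) {
+del_timer(&mp->timer);
+- mp->timer_armed = false;
+call_rcu_bh(&mp->rcu, br_multicast_free_group);
+}
+}
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry
+struct timer_list timer;
+struct br_ip addr;
+bool mglist;
+- bool timer_armed;
+};
+
+struct net_bridge_mdb_htable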
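Review bot: The restored code lets an mdb entry age out on its membership timer again whether or not a querier is present, which the description says is acceptable only because b00589af3b ("bridge: disable snooping if there is no querier") already covers the no-querier cases; if that commit is not in the 3.11.6 base this series is applied to, the revert brings back the flooding problem 9f00b2e7 was written for. Worth confirming before upload and recording the prerequisite in the patch header (a comment under the Upstream line naming b00589af3b) so a later rebase cannot carry one without the other. br_multicast_add_group and br_multicast_leave_group both start and end outside their hunks.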
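--- /dev/null
+++ b/debian/patches/bugfix/all/unix_diag-fix-info-leak.patch
@@ -0,0 +1,30 @@
+From e69ccba66791d0edd0d596520de268369aaab610 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:05:40 +0200
+Subject: unix_diag: fix info leak
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ]
+
+When filling the netlink message we miss to wipe the pad field,
+therefore leak one byte of heap memory to userland. Fix this by
+setting pad to 0.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+net/unix/diag.c | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk,
+rep->udiag_family = AF_UNIX;
+rep->udiag_type = sk->sk_type;
+rep->udiag_state = sk->sk_state;
++ rep->pad = 0;
+rep->udiag_ino = sk_ino;
+sock_diag_save_cookie(sk, rep->udiag_cookie);
+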
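Review bot: `rep->pad = 0;` clears the one byte named in the description but leaves the reply depending on every field of the UAPI `struct unix_diag_msg` being stored individually, so any field or padding added to that struct later would leak by default again. Clearing the whole header once, `memset(rep, 0, sizeof(*rep));` immediately after `rep` is obtained (that assignment is above the hunk), makes the zeroing independent of the field list for a handful of bytes. sk_diag_fill starts and ends outside the hunk.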
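--- /dev/null
+++ b/debian/patches/bugfix/all/writeback-fix-negative-bdi-max-pause.patch
@@ -0,0 +1,93 @@
+From e3b6c655b91e01a1dade056cfa358581b47a5351 Mon Sep 17 00:00:00 2001
+From: Fengguang Wu <fengguang.wu@intel.com>
+Date: Wed, 16 Oct 2013 13:47:03 -0700
+Subject: writeback: fix negative bdi max pause
+
+From: Fengguang Wu <fengguang.wu@intel.com>
+
+commit e3b6c655b91e01a1dade056cfa358581b47a5351 upstream.
+
+Toralf runs trinity on UML/i386. After some time it hangs and the last
+message line is
+
+BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child0:1521]
+
+It's found that pages_dirtied becomes very large. More than 1000000000
+pages in this case:
+
+period = HZ * pages_dirtied / task_ratelimit;
+BUG_ON(pages_dirtied > 2000000000);
+BUG_ON(pages_dirtied > 1000000000); <---------
+
+UML debug printf shows that we got negative pause here:
+
+ick: pause : -984
+ick: pages_dirtied : 0
+ick: task_ratelimit: 0
+
+pause:
++ if (pause < 0) {
++ extern int printf(char *, ...);
++ printf("ick : pause : %li\n", pause);
++ printf("ick: pages_dirtied : %lu\n", pages_dirtied);
++ printf("ick: task_ratelimit: %lu\n", task_ratelimit);
++ BUG_ON(1);
++ }
+trace_balance_dirty_pages(bdi,
+
+Since pause is bounded by [min_pause, max_pause] where min_pause is also
+bounded by max_pause. It's suspected and demonstrated that the
+max_pause calculation goes wrong:
+
+ick: pause : -717
+ick: min_pause : -177
+ick: max_pause : -717
+ick: pages_dirtied : 14
+ick: task_ratelimit: 0
+
+The problem lies in the two "long = unsigned long" assignments in
+bdi_max_pause() which might go negative if the highest bit is 1, and the
+min_t(long, ...) check failed to protect it falling under 0. Fix all of
+them by using "unsigned long" throughout the function.
+
+Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Tested-by: Toralf Förster <toralf.foerster@gmx.de>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+mm/page-writeback.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -1104,11 +1104,11 @@ static unsigned long dirty_poll_interval
+return 1;
+}
+
+-static long bdi_max_pause(struct backing_dev_info *bdi,
+- unsigned long bdi_dirty)
++static unsigned long bdi_max_pause(struct backing_dev_info *bdi,
++ unsigned long bdi_dirty)
+{
+- long bw = bdi->avg_write_bandwidth;
+- long t;
++ unsigned long bw = bdi->avg_write_bandwidth;
++ unsigned long t;
+
+/*
+* Limit pause time for small memory systems. If sleeping for too long
+@@ -1120,7 +1120,7 @@ static long bdi_max_pause(struct backing
+t = bdi_dirty / (1 + bw / roundup_pow_of_two(1 + HZ / 8));
+t++;
+
+- return min_t(long, t, MAX_PAUSE);
++ return min_t(unsigned long, t, MAX_PAUSE);
+}
+
+static long bdi_min_pause(struct backing_dev_info *bdi,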
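Review bot: bdi_max_pause() now returns `unsigned long`, but bdi_min_pause() directly below it — the last context line of the hunk — is still `static long`, and the description says min_pause is itself bounded by max_pause; wherever the caller compares or clamps the two, a `long` min_pause beside an `unsigned long` max_pause is promoted to unsigned, so a negative min_pause (the `-177` shown in the description) would compare as huge rather than as less than max_pause. That call site is outside this hunk, so this is something to check rather than a defect visible here; if it does mix the two, giving bdi_min_pause the same unsigned treatment, or at least a comment above bdi_max_pause() such as `/* Returns an unsigned pause; callers must not compare it against a signed value */`, keeps the fix from being undone by a promotion. The function's own arithmetic is sound once every operand is unsigned: `t = bdi_dirty / (1 + bw / roundup_pow_of_two(1 + HZ / 8)); t++;` cannot go negative.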
@ -81,3 +81,19 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
||||||
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
||||||
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
||||||
bugfix/all/CVE-2013-4348.patch
|
bugfix/all/CVE-2013-4348.patch
|
||||||
|
bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
|
||||||
|
bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
|
||||||
|
bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
|
||||||
|
bugfix/all/proc-connector-fix-info-leaks.patch
|
||||||
|
bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
|
||||||
|
bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
|
||||||
|
bugfix/all/unix_diag-fix-info-leak.patch
|
||||||
|
bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
|
||||||
|
bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
|
||||||
|
bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
|
||||||
|
bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
|
||||||
|
bugfix/all/ext-fix-double-put-in-tmpfile.patch
|
||||||
|
bugfix/all/dm-snapshot-fix-data-corruption.patch
|
||||||
|
bugfix/all/i2c-ismt-initialize-dma-buffer.patch
|
||||||
|
bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch
|
||||||
|
bugfix/all/writeback-fix-negative-bdi-max-pause.patch
|
||||||
|
|