Update to 4.13.13
parent 6ff07bd9a5
commit f4e45ee455
|
@ -1,4 +1,4 @@
|
||||||
linux (4.13.12-1) UNRELEASED; urgency=medium
|
linux (4.13.13-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11
|
||||||
|
@ -76,15 +76,43 @@ linux (4.13.12-1) UNRELEASED; urgency=medium
|
||||||
- [mips*] smp-cmp: Use right include for task_struct
|
- [mips*] smp-cmp: Use right include for task_struct
|
||||||
- [mips*] SMP: Fix deadlock & online race
|
- [mips*] SMP: Fix deadlock & online race
|
||||||
- Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz""
|
- Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz""
|
||||||
- [x86] CPU: Fix up "cpu MHz" in /proc/cpuinfo
|
|
||||||
- [powerpc*] kprobes: Dereference function pointers only if the address
|
- [powerpc*] kprobes: Dereference function pointers only if the address
|
||||||
does not belong to kernel text
|
does not belong to kernel text
|
||||||
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races
|
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races
|
||||||
- perf/cgroup: Fix perf cgroup hierarchy support
|
- perf/cgroup: Fix perf cgroup hierarchy support
|
||||||
- [x86] mcelog: Get rid of RCU remnants
|
- [x86] mcelog: Get rid of RCU remnants
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.13
|
||||||
|
- netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to
|
||||||
|
rhashtable"
|
||||||
|
- netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
|
||||||
|
- workqueue: Fix NULL pointer dereference
|
||||||
|
- crypto: ccm - preserve the IV buffer
|
||||||
|
- [x86] crypto: sha1-mb - fix panic due to unaligned access
|
||||||
|
- [x86] crypto: sha256-mb - fix panic due to unaligned access
|
||||||
|
- KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
|
||||||
|
- [x86] ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360
|
||||||
|
- ACPICA: Dispatch active GPEs at init time
|
||||||
|
- ACPICA: Make it possible to enable runtime GPEs earlier
|
||||||
|
- ACPI / scan: Enable GPEs before scanning the namespace
|
||||||
|
- [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit
|
||||||
|
- ALSA: timer: Limit max instances per timer
|
||||||
|
- ALSA: usb-audio: support new Amanero Combo384 firmware version
|
||||||
|
- [x86] ALSA: hda - fix headset mic problem for Dell machines with alc274
|
||||||
|
- ALSA: seq: Fix OSS sysex delivery in OSS emulation
|
||||||
|
- ALSA: seq: Avoid invalid lockdep class warning
|
||||||
|
- [mips*] Fix CM region target definitions
|
||||||
|
- [powerpc*] KVM: Book3S HV: Fix exclusion between HPT resizing and other
|
||||||
|
HPT updates
|
||||||
|
- Input: elan_i2c - add ELAN060C to the ACPI table
|
||||||
|
- rbd: use GFP_NOIO for parent stat and data requests
|
||||||
|
- [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
|
||||||
|
- [armhf] can: sun4i: handle overrun in RX FIFO
|
||||||
|
- can: peak: Add support for new PCIe/M2 CAN FD interfaces
|
||||||
|
- [x86] debug: Handle warnings before the notifier chain, to fix KGDB crash
|
||||||
|
- [x86] smpboot: Make optimization of delay calibration work correctly
|
||||||
|
- [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context
|
||||||
|
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
|
|
||||||
* mac80211: accept key reinstall without changing anything (CVE-2017-13080)
|
* mac80211: accept key reinstall without changing anything (CVE-2017-13080)
|
||||||
* sctp: do not peel off an assoc from one netns to another one
|
* sctp: do not peel off an assoc from one netns to another one
|
||||||
(CVE-2017-15115)
|
(CVE-2017-15115)
|
||||||
|
|
|
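Review bot: The old-side entry `- [x86] CPU: Fix up "cpu MHz" in /proc/cpuinfo`, directly after the `Revert "x86: do not use cpufreq_quick_get() ..."` line, is deleted with no counterpart on the new side, and the commit message ("Update to 4.13.13") does not account for it. If the removal is intentional, state the reason in the changelog or commit message; otherwise restore the line. Moving the nft_set_hash entry from the [ Salvatore Bonaccorso ] block into the ChangeLog-4.13.13 list keeps `(Closes: #880145)`, which is correct. Several of the added entries are NULL-dereference or access-check fixes (KEYS ASN.1 parsing, workqueue, `dump_instr()` addr_limit, ALSA timer instance limit); if any of them has a CVE ID assigned, annotate it the way the mac80211 and sctp entries at the end of this hunk do.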
@ -1,57 +0,0 @@
|
||||||
From: Anatole Denis <anatole@rezel.net>
|
|
||||||
Date: Wed, 4 Oct 2017 01:17:14 +0100
|
|
||||||
Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys
|
|
||||||
Origin: https://git.kernel.org/linus/0414c78f14861cb704d6e6888efd53dd36e3bdde
|
|
||||||
Bug-Debian: https://bugs.debian.org/880145
|
|
||||||
|
|
||||||
jhash_1word of a u16 is a different value from jhash of the same u16 with
|
|
||||||
length 2.
|
|
||||||
Since elements are always inserted in sets using jhash over the actual
|
|
||||||
klen, this would lead to incorrect lookups on fixed-size sets with a key
|
|
||||||
length of 2, as they would be inserted with hash value jhash(key, 2) and
|
|
||||||
looked up with hash value jhash_1word(key), which is different.
|
|
||||||
|
|
||||||
Example reproducer(v4.13+), using anonymous sets which always have a
|
|
||||||
fixed size:
|
|
||||||
|
|
||||||
table inet t {
|
|
||||||
chain c {
|
|
||||||
type filter hook output priority 0; policy accept;
|
|
||||||
tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
|
|
||||||
tcp dport 10001 counter packets 4 bytes 240 reject
|
|
||||||
tcp dport 10003 counter packets 4 bytes 240 reject
|
|
||||||
tcp dport 10005 counter packets 4 bytes 240 reject
|
|
||||||
tcp dport 10007 counter packets 0 bytes 0 reject
|
|
||||||
tcp dport 10009 counter packets 4 bytes 240 reject
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
then use nc -z localhost <port> to probe; incorrectly hashed ports will
|
|
||||||
pass through the set lookup and increment the counter of an individual
|
|
||||||
rule.
|
|
||||||
|
|
||||||
jhash being seeded with a random value, it is not deterministic which
|
|
||||||
ports will incorrectly hash, but in testing with 5 ports in the set I
|
|
||||||
always had 4 or 5 with an incorrect hash value.
|
|
||||||
|
|
||||||
Signed-off-by: Anatole Denis <anatole@rezel.net>
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
---
|
|
||||||
net/netfilter/nft_set_hash.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
|
|
||||||
index 0fa01d772c5e..9c0d5a7ce5f9 100644
|
|
||||||
--- a/net/netfilter/nft_set_hash.c
|
|
||||||
+++ b/net/netfilter/nft_set_hash.c
|
|
||||||
@@ -643,7 +643,6 @@ nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc,
|
|
||||||
{
|
|
||||||
if (desc->size) {
|
|
||||||
switch (desc->klen) {
|
|
||||||
- case 2:
|
|
||||||
case 4:
|
|
||||||
return &nft_hash_fast_ops;
|
|
||||||
default:
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
|
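Review bot: Deleting this backport is only safe if the imported 4.13.13 source already has `case 2:` removed from the `desc->klen` switch in nft_hash_select_ops(); the changelog now lists the fix under ChangeLog-4.13.13, so confirm that against the tree before dropping the file. The anonymous-set reproducer in the patch description (five `tcp dport` values in a set, followed by one rule per port) is worth rerunning on the built kernel as a regression check: any per-port counter that increments means the set lookup missed and the set-based reject rule did not apply.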
@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
|
||||||
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
||||||
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
||||||
bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
|
bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
|
||||||
bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch
|
|
||||||
|
|
||||||
# Miscellaneous features
|
# Miscellaneous features
|
||||||
|
|
||||||
|
|