Linux v3.11.5
This commit is contained in:
parent
3a677fbd44
commit
6bd5874c5a
@ -1,73 +0,0 @@
|
||||
commit 5a0068deb611109c5ba77358be533f763f395ee4
|
||||
Author: Neil Horman <nhorman@tuxdriver.com>
|
||||
Date: Fri Sep 27 12:22:15 2013 -0400
|
||||
|
||||
bonding: Fix broken promiscuity reference counting issue
|
||||
|
||||
Recently grabbed this report:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1005567
|
||||
|
||||
Of an issue in which the bonding driver, with an attached vlan encountered the
|
||||
following errors when bond0 was taken down and back up:
|
||||
|
||||
dummy1: promiscuity touches roof, set promiscuity failed. promiscuity feature of
|
||||
device might be broken.
|
||||
|
||||
The error occurs because, during __bond_release_one, if we release our last
|
||||
slave, we take on a random mac address and issue a NETDEV_CHANGEADDR
|
||||
notification. With an attached vlan, the vlan may see that the vlan and bond
|
||||
mac address were in sync, but no longer are. This triggers a call to dev_uc_add
|
||||
and dev_set_rx_mode, which enables IFF_PROMISC on the bond device. Then, when
|
||||
we complete __bond_release_one, we use the current state of the bond flags to
|
||||
determine if we should decrement the promiscuity of the releasing slave. But
|
||||
since the bond changed promiscuity state during the release operation, we
|
||||
incorrectly decrement the slave promisc count when it wasn't in promiscuous mode
|
||||
to begin with, causing the above error
|
||||
|
||||
Fix is pretty simple, just cache the bonding flags at the start of the function
|
||||
and use those when determining the need to set promiscuity.
|
||||
|
||||
This is also needed for the ALLMULTI flag
|
||||
|
||||
CC: Jay Vosburgh <fubar@us.ibm.com>
|
||||
CC: Andy Gospodarek <andy@greyhouse.net>
|
||||
CC: Mark Wu <wudxw@linux.vnet.ibm.com>
|
||||
CC: "David S. Miller" <davem@davemloft.net>
|
||||
Reported-by: Mark Wu <wudxw@linux.vnet.ibm.com>
|
||||
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
|
||||
index 55bbb8b..e883bfe 100644
|
||||
--- a/drivers/net/bonding/bond_main.c
|
||||
+++ b/drivers/net/bonding/bond_main.c
|
||||
@@ -1724,6 +1724,7 @@ static int __bond_release_one(struct net_device *bond_dev,
|
||||
struct bonding *bond = netdev_priv(bond_dev);
|
||||
struct slave *slave, *oldcurrent;
|
||||
struct sockaddr addr;
|
||||
+ int old_flags = bond_dev->flags;
|
||||
netdev_features_t old_features = bond_dev->features;
|
||||
|
||||
/* slave is not a slave or master is not master of this slave */
|
||||
@@ -1855,12 +1856,18 @@ static int __bond_release_one(struct net_device *bond_dev,
|
||||
* bond_change_active_slave(..., NULL)
|
||||
*/
|
||||
if (!USES_PRIMARY(bond->params.mode)) {
|
||||
- /* unset promiscuity level from slave */
|
||||
- if (bond_dev->flags & IFF_PROMISC)
|
||||
+ /* unset promiscuity level from slave
|
||||
+ * NOTE: The NETDEV_CHANGEADDR call above may change the value
|
||||
+ * of the IFF_PROMISC flag in the bond_dev, but we need the
|
||||
+ * value of that flag before that change, as that was the value
|
||||
+ * when this slave was attached, so we cache at the start of the
|
||||
+ * function and use it here. Same goes for ALLMULTI below
|
||||
+ */
|
||||
+ if (old_flags & IFF_PROMISC)
|
||||
dev_set_promiscuity(slave_dev, -1);
|
||||
|
||||
/* unset allmulti level from slave */
|
||||
- if (bond_dev->flags & IFF_ALLMULTI)
|
||||
+ if (old_flags & IFF_ALLMULTI)
|
||||
dev_set_allmulti(slave_dev, -1);
|
||||
|
||||
bond_hw_addr_flush(bond_dev, slave_dev);
|
@ -1,27 +0,0 @@
|
||||
diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
|
||||
index 639d26b..2b94403 100644
|
||||
--- a/drivers/block/cpqarray.c
|
||||
+++ b/drivers/block/cpqarray.c
|
||||
@@ -1193,6 +1193,7 @@ out_passthru:
|
||||
ida_pci_info_struct pciinfo;
|
||||
|
||||
if (!arg) return -EINVAL;
|
||||
+ memset(&pciinfo, 0, sizeof(pciinfo));
|
||||
pciinfo.bus = host->pci_dev->bus->number;
|
||||
pciinfo.dev_fn = host->pci_dev->devfn;
|
||||
pciinfo.board_id = host->board_id;
|
||||
|
||||
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
|
||||
index 6374dc1..34971aa 100644
|
||||
--- a/drivers/block/cciss.c
|
||||
+++ b/drivers/block/cciss.c
|
||||
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
|
||||
int err;
|
||||
u32 cp;
|
||||
|
||||
+ memset(&arg64, 0, sizeof(arg64));
|
||||
err = 0;
|
||||
err |=
|
||||
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
|
||||
|
||||
|
@ -1,109 +0,0 @@
|
||||
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.11.131 with SMTP id q3csp149379oab;
|
||||
Mon, 7 Oct 2013 23:45:24 -0700 (PDT)
|
||||
X-Received: by 10.68.185.36 with SMTP id ez4mr69490pbc.144.1381214724506;
|
||||
Mon, 07 Oct 2013 23:45:24 -0700 (PDT)
|
||||
Return-Path: <stable-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id rz6si25872020pab.249.1969.12.31.16.00.00;
|
||||
Mon, 07 Oct 2013 23:45:24 -0700 (PDT)
|
||||
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
|
||||
dkim=neutral (bad format) header.i=@gmail.com;
|
||||
dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1754014Ab3JHGow (ORCPT <rfc822;lembacon@gmail.com> + 60 others);
|
||||
Tue, 8 Oct 2013 02:44:52 -0400
|
||||
Received: from mail-pa0-f42.google.com ([209.85.220.42]:35990 "EHLO
|
||||
mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1753696Ab3JHGov (ORCPT
|
||||
<rfc822;stable@vger.kernel.org>); Tue, 8 Oct 2013 02:44:51 -0400
|
||||
Received: by mail-pa0-f42.google.com with SMTP id lj1so8433751pab.15
|
||||
for <stable@vger.kernel.org>; Mon, 07 Oct 2013 23:44:51 -0700 (PDT)
|
||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||
d=gmail.com; s=20120113;
|
||||
h=from:to:cc:subject:date:message-id;
|
||||
bh=DRveULH9ZaYYXMJRsSw3WWLRMs5ifsnU9G+VUu1PKtk=;
|
||||
b=oCDYfvF1KXEUN6PZU0jit8kMHSKTzIWcR078uMTxLpTjheGcoLWW0efoqsO4Dac3jp
|
||||
+4dHm3NSdeqk4e+aCjnvZw7He+nMGmbWhrf1vx49XCOE4s+YvC/AgSI78pku8BQE/plZ
|
||||
w8F+64e+wNze1FfRAxPPM/PoLdBiuBfvUL18htMmYi/rgq0VRkNk2UwbzvGk5AJE+vwL
|
||||
esavQLjvCuJZTc7i2J9Us53dUcY4aQuYlESFvOUlbDnkkgm5Htrsnyd2Eq7k61/hr0MR
|
||||
/nIFNBXuhIadU5bvf6jpMT+toIK+PA176Yt9eyEgdOAxNXdn5g15mO93/WEyXf7idBfk
|
||||
JLZA==
|
||||
X-Received: by 10.68.232.132 with SMTP id to4mr7840579pbc.141.1381214691006;
|
||||
Mon, 07 Oct 2013 23:44:51 -0700 (PDT)
|
||||
Received: from turiel.redhat.com (124-148-32-6.dyn.iinet.net.au. [124.148.32.6])
|
||||
by mx.google.com with ESMTPSA id j9sm44764711paj.18.1969.12.31.16.00.00
|
||||
(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
|
||||
Mon, 07 Oct 2013 23:44:50 -0700 (PDT)
|
||||
From: Ben Skeggs <skeggsb@gmail.com>
|
||||
To: stable@vger.kernel.org
|
||||
Cc: Ben Skeggs <bskeggs@redhat.com>
|
||||
Subject: [PATCH] drm/nouveau/bios/init: stub opcode 0xaa
|
||||
Date: Tue, 8 Oct 2013 16:45:08 +1000
|
||||
Message-Id: <1381214708-2990-1-git-send-email-skeggsb@gmail.com>
|
||||
X-Mailer: git-send-email 1.8.3.2
|
||||
Sender: stable-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <stable.vger.kernel.org>
|
||||
X-Mailing-List: stable@vger.kernel.org
|
||||
|
||||
From: Ben Skeggs <bskeggs@redhat.com>
|
||||
|
||||
Seen on a large number of recent boards, when triggered results in
|
||||
nouveau aborting the card cold boot, giving unpredictable results
|
||||
(oopses in the reported cases) later.
|
||||
|
||||
commit 5495e39fb3695182b9f2a72fe4169056cada37a1 upstream
|
||||
|
||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
||||
---
|
||||
drivers/gpu/drm/nouveau/core/subdev/bios/init.c | 19 +++++++++++++++++--
|
||||
1 file changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c
|
||||
index 0687e64..8f06cca 100644
|
||||
--- a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c
|
||||
+++ b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c
|
||||
@@ -579,8 +579,22 @@ static void
|
||||
init_reserved(struct nvbios_init *init)
|
||||
{
|
||||
u8 opcode = nv_ro08(init->bios, init->offset);
|
||||
- trace("RESERVED\t0x%02x\n", opcode);
|
||||
- init->offset += 1;
|
||||
+ u8 length, i;
|
||||
+
|
||||
+ switch (opcode) {
|
||||
+ case 0xaa:
|
||||
+ length = 4;
|
||||
+ break;
|
||||
+ default:
|
||||
+ length = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ trace("RESERVED 0x%02x\t", opcode);
|
||||
+ for (i = 1; i < length; i++)
|
||||
+ cont(" 0x%02x", nv_ro08(init->bios, init->offset + i));
|
||||
+ cont("\n");
|
||||
+ init->offset += length;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -2135,6 +2149,7 @@ static struct nvbios_init_opcode {
|
||||
[0x99] = { init_zm_auxch },
|
||||
[0x9a] = { init_i2c_long_if },
|
||||
[0xa9] = { init_gpio_ne },
|
||||
+ [0xaa] = { init_reserved },
|
||||
};
|
||||
|
||||
#define init_opcode_nr (sizeof(init_opcode) / sizeof(init_opcode[0]))
|
||||
--
|
||||
1.8.3.2
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe stable" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
@ -1,123 +0,0 @@
|
||||
From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Sat, 21 Sep 2013 06:27:00 +0200
|
||||
Subject: [PATCH] ipv6: udp packets following an UFO enqueued packet need also
|
||||
be handled by UFO
|
||||
|
||||
In the following scenario the socket is corked:
|
||||
If the first UDP packet is larger then the mtu we try to append it to the
|
||||
write queue via ip6_ufo_append_data. A following packet, which is smaller
|
||||
than the mtu would be appended to the already queued up gso-skb via
|
||||
plain ip6_append_data. This causes random memory corruptions.
|
||||
|
||||
In ip6_ufo_append_data we also have to be careful to not queue up the
|
||||
same skb multiple times. So setup the gso frame only when no first skb
|
||||
is available.
|
||||
|
||||
This also fixes a shortcoming where we add the current packet's length to
|
||||
cork->length but return early because of a packet > mtu with dontfrag set
|
||||
(instead of sutracting it again).
|
||||
|
||||
Found with trinity.
|
||||
|
||||
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_output.c | 53 +++++++++++++++++++++------------------------------
|
||||
1 file changed, 22 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
|
||||
index 3a692d5..a54c45c 100644
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
|
||||
* udp datagram
|
||||
*/
|
||||
if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
|
||||
+ struct frag_hdr fhdr;
|
||||
+
|
||||
skb = sock_alloc_send_skb(sk,
|
||||
hh_len + fragheaderlen + transhdrlen + 20,
|
||||
(flags & MSG_DONTWAIT), &err);
|
||||
@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
|
||||
skb->protocol = htons(ETH_P_IPV6);
|
||||
skb->ip_summed = CHECKSUM_PARTIAL;
|
||||
skb->csum = 0;
|
||||
- }
|
||||
-
|
||||
- err = skb_append_datato_frags(sk,skb, getfrag, from,
|
||||
- (length - transhdrlen));
|
||||
- if (!err) {
|
||||
- struct frag_hdr fhdr;
|
||||
|
||||
/* Specify the length of each IPv6 datagram fragment.
|
||||
* It has to be a multiple of 8.
|
||||
@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
|
||||
ipv6_select_ident(&fhdr, rt);
|
||||
skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
|
||||
__skb_queue_tail(&sk->sk_write_queue, skb);
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
- /* There is not enough support do UPD LSO,
|
||||
- * so follow normal path
|
||||
- */
|
||||
- kfree_skb(skb);
|
||||
|
||||
- return err;
|
||||
+ return skb_append_datato_frags(sk, skb, getfrag, from,
|
||||
+ (length - transhdrlen));
|
||||
}
|
||||
|
||||
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
|
||||
@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
|
||||
* --yoshfuji
|
||||
*/
|
||||
|
||||
- cork->length += length;
|
||||
- if (length > mtu) {
|
||||
- int proto = sk->sk_protocol;
|
||||
- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
|
||||
- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
|
||||
- return -EMSGSIZE;
|
||||
- }
|
||||
-
|
||||
- if (proto == IPPROTO_UDP &&
|
||||
- (rt->dst.dev->features & NETIF_F_UFO)) {
|
||||
+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
|
||||
+ sk->sk_protocol == IPPROTO_RAW)) {
|
||||
+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
|
||||
+ return -EMSGSIZE;
|
||||
+ }
|
||||
|
||||
- err = ip6_ufo_append_data(sk, getfrag, from, length,
|
||||
- hh_len, fragheaderlen,
|
||||
- transhdrlen, mtu, flags, rt);
|
||||
- if (err)
|
||||
- goto error;
|
||||
- return 0;
|
||||
- }
|
||||
+ skb = skb_peek_tail(&sk->sk_write_queue);
|
||||
+ cork->length += length;
|
||||
+ if (((length > mtu) ||
|
||||
+ (skb && skb_is_gso(skb))) &&
|
||||
+ (sk->sk_protocol == IPPROTO_UDP) &&
|
||||
+ (rt->dst.dev->features & NETIF_F_UFO)) {
|
||||
+ err = ip6_ufo_append_data(sk, getfrag, from, length,
|
||||
+ hh_len, fragheaderlen,
|
||||
+ transhdrlen, mtu, flags, rt);
|
||||
+ if (err)
|
||||
+ goto error;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
|
||||
+ if (!skb)
|
||||
goto alloc_new_skb;
|
||||
|
||||
while (length > 0) {
|
||||
--
|
||||
1.8.3.1
|
||||
|
49
kernel.spec
49
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
||||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 4
|
||||
%define stable_update 5
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
@ -717,9 +717,6 @@ Patch22010: debug-idle-sched-warn-once.patch
|
||||
#rhbz 927469
|
||||
Patch23006: fix-child-thread-introspection.patch
|
||||
|
||||
#CVE-2013-2147 rhbz 971242 971249
|
||||
Patch25032: cve-2013-2147-ciss-info-leak.patch
|
||||
|
||||
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
#rhbz 977040
|
||||
@ -729,18 +726,9 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch
|
||||
#rhbz 963715
|
||||
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-4343 rhbz 1007733 1007741
|
||||
Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
|
||||
|
||||
#CVE-2013-4350 rhbz 1007872 1007903
|
||||
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
#rhbz 1008323
|
||||
Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch
|
||||
|
||||
#rhbz 985522
|
||||
Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||
|
||||
@ -757,21 +745,12 @@ Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
||||
#rhbz 974072
|
||||
Patch25117: rt2800-add-support-for-rf3070.patch
|
||||
|
||||
#rhbz 1005567
|
||||
Patch25118: bonding-driver-promisc.patch
|
||||
|
||||
#CVE-2013-4387 rhbz 1011927 1015166
|
||||
Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch
|
||||
|
||||
#rhbz 1015989
|
||||
Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch
|
||||
|
||||
#rhbz 982153
|
||||
Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
|
||||
|
||||
#rhbz 1015920
|
||||
Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch
|
||||
|
||||
#rhbz 998732
|
||||
Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
|
||||
|
||||
@ -1450,9 +1429,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
|
||||
#rhbz 927469
|
||||
ApplyPatch fix-child-thread-introspection.patch
|
||||
|
||||
#CVE-2013-2147 rhbz 971242 971249
|
||||
ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
||||
|
||||
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
#rhbz 977040
|
||||
@ -1462,12 +1438,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
|
||||
#rhbz 963715
|
||||
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-4343 rhbz 1007733 1007741
|
||||
ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
|
||||
|
||||
#CVE-2013-4350 rhbz 1007872 1007903
|
||||
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||
|
||||
@ -1480,9 +1450,6 @@ ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch
|
||||
#rhbz 971893
|
||||
ApplyPatch bonding-driver-alb-learning.patch
|
||||
|
||||
#rhbz 1008323
|
||||
ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch
|
||||
|
||||
#rhbz 902012
|
||||
ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch
|
||||
ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
||||
@ -1490,21 +1457,12 @@ ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
||||
#rhbz 974072
|
||||
ApplyPatch rt2800-add-support-for-rf3070.patch
|
||||
|
||||
#rhbz 1005567
|
||||
ApplyPatch bonding-driver-promisc.patch
|
||||
|
||||
#CVE-2013-4387 rhbz 1011927 1015166
|
||||
ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch
|
||||
|
||||
#rhbz 1015989
|
||||
ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch
|
||||
|
||||
#rhbz 982153
|
||||
ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
|
||||
|
||||
#rhbz 1015920
|
||||
ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch
|
||||
|
||||
#rhbz 998732
|
||||
ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
|
||||
|
||||
@ -2330,6 +2288,9 @@ fi
|
||||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Oct 14 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.5-200
|
||||
- Linux v3.11.5
|
||||
|
||||
* Fri Oct 11 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix segfault in cpupower set (rhbz 1000439)
|
||||
|
||||
|
@ -1,186 +0,0 @@
|
||||
From 95ee62083cb6453e056562d91f597552021e6ae7 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Borkmann <dborkman@redhat.com>
|
||||
Date: Wed, 11 Sep 2013 14:58:36 +0000
|
||||
Subject: net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
|
||||
|
||||
Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
|
||||
being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
|
||||
does not seem to have the desired effect:
|
||||
|
||||
SCTP + IPv4:
|
||||
|
||||
22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
|
||||
192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
|
||||
22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
|
||||
192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
|
||||
|
||||
SCTP + IPv6:
|
||||
|
||||
22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
|
||||
fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
|
||||
1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
|
||||
|
||||
Moreover, Alan says:
|
||||
|
||||
This problem was seen with both Racoon and Racoon2. Other people have seen
|
||||
this with OpenSwan. When IPsec is configured to encrypt all upper layer
|
||||
protocols the SCTP connection does not initialize. After using Wireshark to
|
||||
follow packets, this is because the SCTP packet leaves Box A unencrypted and
|
||||
Box B believes all upper layer protocols are to be encrypted so it drops
|
||||
this packet, causing the SCTP connection to fail to initialize. When IPsec
|
||||
is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
|
||||
|
||||
In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
|
||||
string on the other end, results in cleartext on the wire where SCTP eventually
|
||||
does not report any errors, thus in the latter case that Alan reports, the
|
||||
non-paranoid user might think he's communicating over an encrypted transport on
|
||||
SCTP although he's not (tcpdump ... -X):
|
||||
|
||||
...
|
||||
0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
|
||||
0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...
|
||||
|
||||
Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
|
||||
receiver side. Initial follow-up analysis from Alan's bug report was done by
|
||||
Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
|
||||
|
||||
SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
|
||||
This has the implication that it probably never really got updated along with
|
||||
changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
|
||||
|
||||
SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
|
||||
a call to inet6_csk_xmit() would solve this problem, but result in unecessary
|
||||
route lookups, let us just use the cached flowi6 instead that we got through
|
||||
sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
|
||||
we do the route lookup / flow caching in sctp_transport_route(), hold it in
|
||||
tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
|
||||
sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
|
||||
of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
|
||||
instead to get the correct source routed dst entry, which we assign to the skb.
|
||||
|
||||
Also source address routing example from 625034113 ("sctp: fix sctp to work with
|
||||
ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
|
||||
it is actually 'recommended' to not use that anyway due to traffic amplification [1].
|
||||
So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
|
||||
we overwrite the flow destination here, the lower IPv6 layer will be unable to
|
||||
put the correct destination address into IP header, as routing header is added in
|
||||
ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
|
||||
result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
|
||||
the wire with this patch it now looks like:
|
||||
|
||||
SCTP + IPv6:
|
||||
|
||||
08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
|
||||
AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
|
||||
08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
|
||||
AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
|
||||
|
||||
This fixes Kernel Bugzilla 24412. This security issue seems to be present since
|
||||
2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
|
||||
its fun with that. lksctp-tools IPv6 regression test suite passes as well with
|
||||
this patch.
|
||||
|
||||
[1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
|
||||
|
||||
Reported-by: Alan Chester <alan.chester@tekelec.com>
|
||||
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
|
||||
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
||||
Cc: Steffen Klassert <steffen.klassert@secunet.com>
|
||||
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
|
||||
index da613ce..4f52e2c 100644
|
||||
--- a/net/sctp/ipv6.c
|
||||
+++ b/net/sctp/ipv6.c
|
||||
@@ -204,44 +204,23 @@ out:
|
||||
in6_dev_put(idev);
|
||||
}
|
||||
|
||||
-/* Based on tcp_v6_xmit() in tcp_ipv6.c. */
|
||||
static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
|
||||
{
|
||||
struct sock *sk = skb->sk;
|
||||
struct ipv6_pinfo *np = inet6_sk(sk);
|
||||
- struct flowi6 fl6;
|
||||
-
|
||||
- memset(&fl6, 0, sizeof(fl6));
|
||||
-
|
||||
- fl6.flowi6_proto = sk->sk_protocol;
|
||||
-
|
||||
- /* Fill in the dest address from the route entry passed with the skb
|
||||
- * and the source address from the transport.
|
||||
- */
|
||||
- fl6.daddr = transport->ipaddr.v6.sin6_addr;
|
||||
- fl6.saddr = transport->saddr.v6.sin6_addr;
|
||||
-
|
||||
- fl6.flowlabel = np->flow_label;
|
||||
- IP6_ECN_flow_xmit(sk, fl6.flowlabel);
|
||||
- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL)
|
||||
- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id;
|
||||
- else
|
||||
- fl6.flowi6_oif = sk->sk_bound_dev_if;
|
||||
-
|
||||
- if (np->opt && np->opt->srcrt) {
|
||||
- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
|
||||
- fl6.daddr = *rt0->addr;
|
||||
- }
|
||||
+ struct flowi6 *fl6 = &transport->fl.u.ip6;
|
||||
|
||||
pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb,
|
||||
- skb->len, &fl6.saddr, &fl6.daddr);
|
||||
+ skb->len, &fl6->saddr, &fl6->daddr);
|
||||
|
||||
- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
|
||||
+ IP6_ECN_flow_xmit(sk, fl6->flowlabel);
|
||||
|
||||
if (!(transport->param_flags & SPP_PMTUD_ENABLE))
|
||||
skb->local_df = 1;
|
||||
|
||||
- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
|
||||
+ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
|
||||
+
|
||||
+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
|
||||
}
|
||||
|
||||
/* Returns the dst cache entry for the given source and destination ip
|
||||
@@ -254,10 +233,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
||||
struct dst_entry *dst = NULL;
|
||||
struct flowi6 *fl6 = &fl->u.ip6;
|
||||
struct sctp_bind_addr *bp;
|
||||
+ struct ipv6_pinfo *np = inet6_sk(sk);
|
||||
struct sctp_sockaddr_entry *laddr;
|
||||
union sctp_addr *baddr = NULL;
|
||||
union sctp_addr *daddr = &t->ipaddr;
|
||||
union sctp_addr dst_saddr;
|
||||
+ struct in6_addr *final_p, final;
|
||||
__u8 matchlen = 0;
|
||||
__u8 bmatchlen;
|
||||
sctp_scope_t scope;
|
||||
@@ -281,7 +262,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
||||
pr_debug("src=%pI6 - ", &fl6->saddr);
|
||||
}
|
||||
|
||||
- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
|
||||
+ final_p = fl6_update_dst(fl6, np->opt, &final);
|
||||
+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
|
||||
if (!asoc || saddr)
|
||||
goto out;
|
||||
|
||||
@@ -333,10 +315,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
||||
}
|
||||
}
|
||||
rcu_read_unlock();
|
||||
+
|
||||
if (baddr) {
|
||||
fl6->saddr = baddr->v6.sin6_addr;
|
||||
fl6->fl6_sport = baddr->v6.sin6_port;
|
||||
- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
|
||||
+ final_p = fl6_update_dst(fl6, np->opt, &final);
|
||||
+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
|
||||
}
|
||||
|
||||
out:
|
||||
--
|
||||
cgit v0.9.2
|
@ -1,61 +0,0 @@
|
||||
From 3361dc9538832a2a9150a8c722374ca844bf8dc8 Mon Sep 17 00:00:00 2001
|
||||
From: Mikulas Patocka <mpatocka@redhat.com>
|
||||
Date: Fri, 20 Sep 2013 17:53:22 +0000
|
||||
Subject: skge: fix invalid value passed to pci_unmap_sigle
|
||||
|
||||
In my patch c194992cbe71c20bb3623a566af8d11b0bfaa721 ("skge: fix
|
||||
broken driver") I didn't fix the skge bug correctly. The value of the
|
||||
new mapping (not old) was passed to pci_unmap_single.
|
||||
|
||||
If we enable CONFIG_DMA_API_DEBUG, it results in this warning:
|
||||
WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:986 check_sync+0x4c4/0x580()
|
||||
skge 0000:02:07.0: DMA-API: device driver tries to sync DMA memory it has
|
||||
not allocated [device address=0x000000023a0096c0] [size=1536 bytes]
|
||||
|
||||
This patch makes the skge driver pass the correct value to
|
||||
pci_unmap_single and fixes the warning. It copies the old descriptor to
|
||||
on-stack variable "ee" and unmaps it if mapping of the new descriptor
|
||||
succeeded.
|
||||
|
||||
This patch should be backported to 3.11-stable.
|
||||
|
||||
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
|
||||
Reported-by: Francois Romieu <romieu@fr.zoreil.com>
|
||||
Tested-by: Mikulas Patocka <mpatocka@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c
|
||||
index 1a9c4f6..ecc7f7b 100644
|
||||
--- a/drivers/net/ethernet/marvell/skge.c
|
||||
+++ b/drivers/net/ethernet/marvell/skge.c
|
||||
@@ -3086,13 +3086,16 @@ static struct sk_buff *skge_rx_get(struct net_device *dev,
|
||||
PCI_DMA_FROMDEVICE);
|
||||
skge_rx_reuse(e, skge->rx_buf_size);
|
||||
} else {
|
||||
+ struct skge_element ee;
|
||||
struct sk_buff *nskb;
|
||||
|
||||
nskb = netdev_alloc_skb_ip_align(dev, skge->rx_buf_size);
|
||||
if (!nskb)
|
||||
goto resubmit;
|
||||
|
||||
- skb = e->skb;
|
||||
+ ee = *e;
|
||||
+
|
||||
+ skb = ee.skb;
|
||||
prefetch(skb->data);
|
||||
|
||||
if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) {
|
||||
@@ -3101,8 +3104,8 @@ static struct sk_buff *skge_rx_get(struct net_device *dev,
|
||||
}
|
||||
|
||||
pci_unmap_single(skge->hw->pdev,
|
||||
- dma_unmap_addr(e, mapaddr),
|
||||
- dma_unmap_len(e, maplen),
|
||||
+ dma_unmap_addr(&ee, mapaddr),
|
||||
+ dma_unmap_len(&ee, maplen),
|
||||
PCI_DMA_FROMDEVICE);
|
||||
}
|
||||
|
||||
--
|
||||
cgit v0.9.2
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz
|
||||
5147e7f82600452c5438f8309c07eccd patch-3.11.4.xz
|
||||
628876a432c0d4090013b383abac20e4 patch-3.11.5.xz
|
||||
|
@ -1,57 +0,0 @@
|
||||
From dff4e504b2addc8053fc47712d44a21f733ef51b Mon Sep 17 00:00:00 2001
|
||||
From: Jason Wang <jasowang@redhat.com>
|
||||
Date: Wed, 11 Sep 2013 18:09:48 +0800
|
||||
Subject: [PATCH] tuntap: correctly handle error in tun_set_iff()
|
||||
|
||||
Commit c8d68e6be1c3b242f1c598595830890b65cea64a
|
||||
(tuntap: multiqueue support) only call free_netdev() on error in
|
||||
tun_set_iff(). This causes several issues:
|
||||
|
||||
- memory of tun security were leaked
|
||||
- use after free since the flow gc timer was not deleted and the tfile
|
||||
were not detached
|
||||
|
||||
This patch solves the above issues.
|
||||
|
||||
Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
|
||||
Cc: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
drivers/net/tun.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
|
||||
index 71af122..68b9aa3 100644
|
||||
--- a/drivers/net/tun.c
|
||||
+++ b/drivers/net/tun.c
|
||||
@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
|
||||
INIT_LIST_HEAD(&tun->disabled);
|
||||
err = tun_attach(tun, file);
|
||||
if (err < 0)
|
||||
- goto err_free_dev;
|
||||
+ goto err_free_flow;
|
||||
|
||||
err = register_netdevice(tun->dev);
|
||||
if (err < 0)
|
||||
- goto err_free_dev;
|
||||
+ goto err_detach;
|
||||
|
||||
if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
|
||||
device_create_file(&tun->dev->dev, &dev_attr_owner) ||
|
||||
@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
|
||||
strcpy(ifr->ifr_name, tun->dev->name);
|
||||
return 0;
|
||||
|
||||
- err_free_dev:
|
||||
+err_detach:
|
||||
+ tun_detach_all(dev);
|
||||
+err_free_flow:
|
||||
+ tun_flow_uninit(tun);
|
||||
+ security_tun_dev_free_security(tun->security);
|
||||
+err_free_dev:
|
||||
free_netdev(dev);
|
||||
return err;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
Loading…
Reference in New Issue
Block a user