Linux v3.11.5
This commit is contained in:
parent
3a677fbd44
commit
6bd5874c5a
@ -1,73 +0,0 @@
|
|||||||
commit 5a0068deb611109c5ba77358be533f763f395ee4
|
|
||||||
Author: Neil Horman <nhorman@tuxdriver.com>
|
|
||||||
Date: Fri Sep 27 12:22:15 2013 -0400
|
|
||||||
|
|
||||||
bonding: Fix broken promiscuity reference counting issue
|
|
||||||
|
|
||||||
Recently grabbed this report:
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1005567
|
|
||||||
|
|
||||||
Of an issue in which the bonding driver, with an attached vlan encountered the
|
|
||||||
following errors when bond0 was taken down and back up:
|
|
||||||
|
|
||||||
dummy1: promiscuity touches roof, set promiscuity failed. promiscuity feature of
|
|
||||||
device might be broken.
|
|
||||||
|
|
||||||
The error occurs because, during __bond_release_one, if we release our last
|
|
||||||
slave, we take on a random mac address and issue a NETDEV_CHANGEADDR
|
|
||||||
notification. With an attached vlan, the vlan may see that the vlan and bond
|
|
||||||
mac address were in sync, but no longer are. This triggers a call to dev_uc_add
|
|
||||||
and dev_set_rx_mode, which enables IFF_PROMISC on the bond device. Then, when
|
|
||||||
we complete __bond_release_one, we use the current state of the bond flags to
|
|
||||||
determine if we should decrement the promiscuity of the releasing slave. But
|
|
||||||
since the bond changed promiscuity state during the release operation, we
|
|
||||||
incorrectly decrement the slave promisc count when it wasn't in promiscuous mode
|
|
||||||
to begin with, causing the above error
|
|
||||||
|
|
||||||
Fix is pretty simple, just cache the bonding flags at the start of the function
|
|
||||||
and use those when determining the need to set promiscuity.
|
|
||||||
|
|
||||||
This is also needed for the ALLMULTI flag
|
|
||||||
|
|
||||||
CC: Jay Vosburgh <fubar@us.ibm.com>
|
|
||||||
CC: Andy Gospodarek <andy@greyhouse.net>
|
|
||||||
CC: Mark Wu <wudxw@linux.vnet.ibm.com>
|
|
||||||
CC: "David S. Miller" <davem@davemloft.net>
|
|
||||||
Reported-by: Mark Wu <wudxw@linux.vnet.ibm.com>
|
|
||||||
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
|
|
||||||
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
|
|
||||||
index 55bbb8b..e883bfe 100644
|
|
||||||
--- a/drivers/net/bonding/bond_main.c
|
|
||||||
+++ b/drivers/net/bonding/bond_main.c
|
|
||||||
@@ -1724,6 +1724,7 @@ static int __bond_release_one(struct net_device *bond_dev,
|
|
||||||
struct bonding *bond = netdev_priv(bond_dev);
|
|
||||||
struct slave *slave, *oldcurrent;
|
|
||||||
struct sockaddr addr;
|
|
||||||
+ int old_flags = bond_dev->flags;
|
|
||||||
netdev_features_t old_features = bond_dev->features;
|
|
||||||
|
|
||||||
/* slave is not a slave or master is not master of this slave */
|
|
||||||
@@ -1855,12 +1856,18 @@ static int __bond_release_one(struct net_device *bond_dev,
|
|
||||||
* bond_change_active_slave(..., NULL)
|
|
||||||
*/
|
|
||||||
if (!USES_PRIMARY(bond->params.mode)) {
|
|
||||||
- /* unset promiscuity level from slave */
|
|
||||||
- if (bond_dev->flags & IFF_PROMISC)
|
|
||||||
+ /* unset promiscuity level from slave
|
|
||||||
+ * NOTE: The NETDEV_CHANGEADDR call above may change the value
|
|
||||||
+ * of the IFF_PROMISC flag in the bond_dev, but we need the
|
|
||||||
+ * value of that flag before that change, as that was the value
|
|
||||||
+ * when this slave was attached, so we cache at the start of the
|
|
||||||
+ * function and use it here. Same goes for ALLMULTI below
|
|
||||||
+ */
|
|
||||||
+ if (old_flags & IFF_PROMISC)
|
|
||||||
dev_set_promiscuity(slave_dev, -1);
|
|
||||||
|
|
||||||
/* unset allmulti level from slave */
|
|
||||||
- if (bond_dev->flags & IFF_ALLMULTI)
|
|
||||||
+ if (old_flags & IFF_ALLMULTI)
|
|
||||||
dev_set_allmulti(slave_dev, -1);
|
|
||||||
|
|
||||||
bond_hw_addr_flush(bond_dev, slave_dev);
|
|
@ -1,27 +0,0 @@
|
|||||||
diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
|
|
||||||
index 639d26b..2b94403 100644
|
|
||||||
--- a/drivers/block/cpqarray.c
|
|
||||||
+++ b/drivers/block/cpqarray.c
|
|
||||||
@@ -1193,6 +1193,7 @@ out_passthru:
|
|
||||||
ida_pci_info_struct pciinfo;
|
|
||||||
|
|
||||||
if (!arg) return -EINVAL;
|
|
||||||
+ memset(&pciinfo, 0, sizeof(pciinfo));
|
|
||||||
pciinfo.bus = host->pci_dev->bus->number;
|
|
||||||
pciinfo.dev_fn = host->pci_dev->devfn;
|
|
||||||
pciinfo.board_id = host->board_id;
|
|
||||||
|
|
||||||
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
|
|
||||||
index 6374dc1..34971aa 100644
|
|
||||||
--- a/drivers/block/cciss.c
|
|
||||||
+++ b/drivers/block/cciss.c
|
|
||||||
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
|
|
||||||
int err;
|
|
||||||
u32 cp;
|
|
||||||
|
|
||||||
+ memset(&arg64, 0, sizeof(arg64));
|
|
||||||
err = 0;
|
|
||||||
err |=
|
|
||||||
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
|
|
||||||
|
|
||||||
|
|
@ -1,109 +0,0 @@
|
|||||||
|
|
||||||
Delivered-To: jwboyer@gmail.com
|
|
||||||
Received: by 10.76.11.131 with SMTP id q3csp149379oab;
|
|
||||||
Mon, 7 Oct 2013 23:45:24 -0700 (PDT)
|
|
||||||
X-Received: by 10.68.185.36 with SMTP id ez4mr69490pbc.144.1381214724506;
|
|
||||||
Mon, 07 Oct 2013 23:45:24 -0700 (PDT)
|
|
||||||
Return-Path: <stable-owner@vger.kernel.org>
|
|
||||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
|
||||||
by mx.google.com with ESMTP id rz6si25872020pab.249.1969.12.31.16.00.00;
|
|
||||||
Mon, 07 Oct 2013 23:45:24 -0700 (PDT)
|
|
||||||
Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
|
||||||
Authentication-Results: mx.google.com;
|
|
||||||
spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org;
|
|
||||||
dkim=neutral (bad format) header.i=@gmail.com;
|
|
||||||
dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
|
|
||||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
|
||||||
id S1754014Ab3JHGow (ORCPT <rfc822;lembacon@gmail.com> + 60 others);
|
|
||||||
Tue, 8 Oct 2013 02:44:52 -0400
|
|
||||||
Received: from mail-pa0-f42.google.com ([209.85.220.42]:35990 "EHLO
|
|
||||||
mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
|
||||||
with ESMTP id S1753696Ab3JHGov (ORCPT
|
|
||||||
<rfc822;stable@vger.kernel.org>); Tue, 8 Oct 2013 02:44:51 -0400
|
|
||||||
Received: by mail-pa0-f42.google.com with SMTP id lj1so8433751pab.15
|
|
||||||
for <stable@vger.kernel.org>; Mon, 07 Oct 2013 23:44:51 -0700 (PDT)
|
|
||||||
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
|
||||||
d=gmail.com; s=20120113;
|
|
||||||
h=from:to:cc:subject:date:message-id;
|
|
||||||
bh=DRveULH9ZaYYXMJRsSw3WWLRMs5ifsnU9G+VUu1PKtk=;
|
|
||||||
b=oCDYfvF1KXEUN6PZU0jit8kMHSKTzIWcR078uMTxLpTjheGcoLWW0efoqsO4Dac3jp
|
|
||||||
+4dHm3NSdeqk4e+aCjnvZw7He+nMGmbWhrf1vx49XCOE4s+YvC/AgSI78pku8BQE/plZ
|
|
||||||
w8F+64e+wNze1FfRAxPPM/PoLdBiuBfvUL18htMmYi/rgq0VRkNk2UwbzvGk5AJE+vwL
|
|
||||||
esavQLjvCuJZTc7i2J9Us53dUcY4aQuYlESFvOUlbDnkkgm5Htrsnyd2Eq7k61/hr0MR
|
|
||||||
/nIFNBXuhIadU5bvf6jpMT+toIK+PA176Yt9eyEgdOAxNXdn5g15mO93/WEyXf7idBfk
|
|
||||||
JLZA==
|
|
||||||
X-Received: by 10.68.232.132 with SMTP id to4mr7840579pbc.141.1381214691006;
|
|
||||||
Mon, 07 Oct 2013 23:44:51 -0700 (PDT)
|
|
||||||
Received: from turiel.redhat.com (124-148-32-6.dyn.iinet.net.au. [124.148.32.6])
|
|
||||||
by mx.google.com with ESMTPSA id j9sm44764711paj.18.1969.12.31.16.00.00
|
|
||||||
(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
|
|
||||||
Mon, 07 Oct 2013 23:44:50 -0700 (PDT)
|
|
||||||
From: Ben Skeggs <skeggsb@gmail.com>
|
|
||||||
To: stable@vger.kernel.org
|
|
||||||
Cc: Ben Skeggs <bskeggs@redhat.com>
|
|
||||||
Subject: [PATCH] drm/nouveau/bios/init: stub opcode 0xaa
|
|
||||||
Date: Tue, 8 Oct 2013 16:45:08 +1000
|
|
||||||
Message-Id: <1381214708-2990-1-git-send-email-skeggsb@gmail.com>
|
|
||||||
X-Mailer: git-send-email 1.8.3.2
|
|
||||||
Sender: stable-owner@vger.kernel.org
|
|
||||||
Precedence: bulk
|
|
||||||
List-ID: <stable.vger.kernel.org>
|
|
||||||
X-Mailing-List: stable@vger.kernel.org
|
|
||||||
|
|
||||||
From: Ben Skeggs <bskeggs@redhat.com>
|
|
||||||
|
|
||||||
Seen on a large number of recent boards, when triggered results in
|
|
||||||
nouveau aborting the card cold boot, giving unpredictable results
|
|
||||||
(oopses in the reported cases) later.
|
|
||||||
|
|
||||||
commit 5495e39fb3695182b9f2a72fe4169056cada37a1 upstream
|
|
||||||
|
|
||||||
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
|
|
||||||
---
|
|
||||||
drivers/gpu/drm/nouveau/core/subdev/bios/init.c | 19 +++++++++++++++++--
|
|
||||||
1 file changed, 17 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c
|
|
||||||
index 0687e64..8f06cca 100644
|
|
||||||
--- a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c
|
|
||||||
+++ b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c
|
|
||||||
@@ -579,8 +579,22 @@ static void
|
|
||||||
init_reserved(struct nvbios_init *init)
|
|
||||||
{
|
|
||||||
u8 opcode = nv_ro08(init->bios, init->offset);
|
|
||||||
- trace("RESERVED\t0x%02x\n", opcode);
|
|
||||||
- init->offset += 1;
|
|
||||||
+ u8 length, i;
|
|
||||||
+
|
|
||||||
+ switch (opcode) {
|
|
||||||
+ case 0xaa:
|
|
||||||
+ length = 4;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ length = 1;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ trace("RESERVED 0x%02x\t", opcode);
|
|
||||||
+ for (i = 1; i < length; i++)
|
|
||||||
+ cont(" 0x%02x", nv_ro08(init->bios, init->offset + i));
|
|
||||||
+ cont("\n");
|
|
||||||
+ init->offset += length;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -2135,6 +2149,7 @@ static struct nvbios_init_opcode {
|
|
||||||
[0x99] = { init_zm_auxch },
|
|
||||||
[0x9a] = { init_i2c_long_if },
|
|
||||||
[0xa9] = { init_gpio_ne },
|
|
||||||
+ [0xaa] = { init_reserved },
|
|
||||||
};
|
|
||||||
|
|
||||||
#define init_opcode_nr (sizeof(init_opcode) / sizeof(init_opcode[0]))
|
|
||||||
--
|
|
||||||
1.8.3.2
|
|
||||||
|
|
||||||
--
|
|
||||||
To unsubscribe from this list: send the line "unsubscribe stable" in
|
|
||||||
the body of a message to majordomo@vger.kernel.org
|
|
||||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
@ -1,123 +0,0 @@
|
|||||||
From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
|
||||||
Date: Sat, 21 Sep 2013 06:27:00 +0200
|
|
||||||
Subject: [PATCH] ipv6: udp packets following an UFO enqueued packet need also
|
|
||||||
be handled by UFO
|
|
||||||
|
|
||||||
In the following scenario the socket is corked:
|
|
||||||
If the first UDP packet is larger then the mtu we try to append it to the
|
|
||||||
write queue via ip6_ufo_append_data. A following packet, which is smaller
|
|
||||||
than the mtu would be appended to the already queued up gso-skb via
|
|
||||||
plain ip6_append_data. This causes random memory corruptions.
|
|
||||||
|
|
||||||
In ip6_ufo_append_data we also have to be careful to not queue up the
|
|
||||||
same skb multiple times. So setup the gso frame only when no first skb
|
|
||||||
is available.
|
|
||||||
|
|
||||||
This also fixes a shortcoming where we add the current packet's length to
|
|
||||||
cork->length but return early because of a packet > mtu with dontfrag set
|
|
||||||
(instead of sutracting it again).
|
|
||||||
|
|
||||||
Found with trinity.
|
|
||||||
|
|
||||||
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
|
||||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
|
||||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
net/ipv6/ip6_output.c | 53 +++++++++++++++++++++------------------------------
|
|
||||||
1 file changed, 22 insertions(+), 31 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
|
|
||||||
index 3a692d5..a54c45c 100644
|
|
||||||
--- a/net/ipv6/ip6_output.c
|
|
||||||
+++ b/net/ipv6/ip6_output.c
|
|
||||||
@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
|
|
||||||
* udp datagram
|
|
||||||
*/
|
|
||||||
if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
|
|
||||||
+ struct frag_hdr fhdr;
|
|
||||||
+
|
|
||||||
skb = sock_alloc_send_skb(sk,
|
|
||||||
hh_len + fragheaderlen + transhdrlen + 20,
|
|
||||||
(flags & MSG_DONTWAIT), &err);
|
|
||||||
@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
|
|
||||||
skb->protocol = htons(ETH_P_IPV6);
|
|
||||||
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
||||||
skb->csum = 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- err = skb_append_datato_frags(sk,skb, getfrag, from,
|
|
||||||
- (length - transhdrlen));
|
|
||||||
- if (!err) {
|
|
||||||
- struct frag_hdr fhdr;
|
|
||||||
|
|
||||||
/* Specify the length of each IPv6 datagram fragment.
|
|
||||||
* It has to be a multiple of 8.
|
|
||||||
@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk,
|
|
||||||
ipv6_select_ident(&fhdr, rt);
|
|
||||||
skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
|
|
||||||
__skb_queue_tail(&sk->sk_write_queue, skb);
|
|
||||||
-
|
|
||||||
- return 0;
|
|
||||||
}
|
|
||||||
- /* There is not enough support do UPD LSO,
|
|
||||||
- * so follow normal path
|
|
||||||
- */
|
|
||||||
- kfree_skb(skb);
|
|
||||||
|
|
||||||
- return err;
|
|
||||||
+ return skb_append_datato_frags(sk, skb, getfrag, from,
|
|
||||||
+ (length - transhdrlen));
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
|
|
||||||
@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
|
|
||||||
* --yoshfuji
|
|
||||||
*/
|
|
||||||
|
|
||||||
- cork->length += length;
|
|
||||||
- if (length > mtu) {
|
|
||||||
- int proto = sk->sk_protocol;
|
|
||||||
- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
|
|
||||||
- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
|
|
||||||
- return -EMSGSIZE;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (proto == IPPROTO_UDP &&
|
|
||||||
- (rt->dst.dev->features & NETIF_F_UFO)) {
|
|
||||||
+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
|
|
||||||
+ sk->sk_protocol == IPPROTO_RAW)) {
|
|
||||||
+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
|
|
||||||
+ return -EMSGSIZE;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- err = ip6_ufo_append_data(sk, getfrag, from, length,
|
|
||||||
- hh_len, fragheaderlen,
|
|
||||||
- transhdrlen, mtu, flags, rt);
|
|
||||||
- if (err)
|
|
||||||
- goto error;
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
+ skb = skb_peek_tail(&sk->sk_write_queue);
|
|
||||||
+ cork->length += length;
|
|
||||||
+ if (((length > mtu) ||
|
|
||||||
+ (skb && skb_is_gso(skb))) &&
|
|
||||||
+ (sk->sk_protocol == IPPROTO_UDP) &&
|
|
||||||
+ (rt->dst.dev->features & NETIF_F_UFO)) {
|
|
||||||
+ err = ip6_ufo_append_data(sk, getfrag, from, length,
|
|
||||||
+ hh_len, fragheaderlen,
|
|
||||||
+ transhdrlen, mtu, flags, rt);
|
|
||||||
+ if (err)
|
|
||||||
+ goto error;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
|
|
||||||
+ if (!skb)
|
|
||||||
goto alloc_new_skb;
|
|
||||||
|
|
||||||
while (length > 0) {
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
49
kernel.spec
49
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||||||
# For non-released -rc kernels, this will be appended after the rcX and
|
# For non-released -rc kernels, this will be appended after the rcX and
|
||||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||||
#
|
#
|
||||||
%global baserelease 201
|
%global baserelease 200
|
||||||
%global fedora_build %{baserelease}
|
%global fedora_build %{baserelease}
|
||||||
|
|
||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||||||
%if 0%{?released_kernel}
|
%if 0%{?released_kernel}
|
||||||
|
|
||||||
# Do we have a -stable update to apply?
|
# Do we have a -stable update to apply?
|
||||||
%define stable_update 4
|
%define stable_update 5
|
||||||
# Is it a -stable RC?
|
# Is it a -stable RC?
|
||||||
%define stable_rc 0
|
%define stable_rc 0
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
@ -717,9 +717,6 @@ Patch22010: debug-idle-sched-warn-once.patch
|
|||||||
#rhbz 927469
|
#rhbz 927469
|
||||||
Patch23006: fix-child-thread-introspection.patch
|
Patch23006: fix-child-thread-introspection.patch
|
||||||
|
|
||||||
#CVE-2013-2147 rhbz 971242 971249
|
|
||||||
Patch25032: cve-2013-2147-ciss-info-leak.patch
|
|
||||||
|
|
||||||
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||||
|
|
||||||
#rhbz 977040
|
#rhbz 977040
|
||||||
@ -729,18 +726,9 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch
|
|||||||
#rhbz 963715
|
#rhbz 963715
|
||||||
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||||
|
|
||||||
#CVE-2013-4343 rhbz 1007733 1007741
|
|
||||||
Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
|
|
||||||
|
|
||||||
#CVE-2013-4350 rhbz 1007872 1007903
|
|
||||||
Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
|
||||||
|
|
||||||
#CVE-2013-4345 rhbz 1007690 1009136
|
#CVE-2013-4345 rhbz 1007690 1009136
|
||||||
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||||
|
|
||||||
#rhbz 1008323
|
|
||||||
Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch
|
|
||||||
|
|
||||||
#rhbz 985522
|
#rhbz 985522
|
||||||
Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch
|
Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch
|
||||||
|
|
||||||
@ -757,21 +745,12 @@ Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
|||||||
#rhbz 974072
|
#rhbz 974072
|
||||||
Patch25117: rt2800-add-support-for-rf3070.patch
|
Patch25117: rt2800-add-support-for-rf3070.patch
|
||||||
|
|
||||||
#rhbz 1005567
|
|
||||||
Patch25118: bonding-driver-promisc.patch
|
|
||||||
|
|
||||||
#CVE-2013-4387 rhbz 1011927 1015166
|
|
||||||
Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch
|
|
||||||
|
|
||||||
#rhbz 1015989
|
#rhbz 1015989
|
||||||
Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch
|
Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch
|
||||||
|
|
||||||
#rhbz 982153
|
#rhbz 982153
|
||||||
Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
|
Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
|
||||||
|
|
||||||
#rhbz 1015920
|
|
||||||
Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch
|
|
||||||
|
|
||||||
#rhbz 998732
|
#rhbz 998732
|
||||||
Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
|
Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
|
||||||
|
|
||||||
@ -1450,9 +1429,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
|
|||||||
#rhbz 927469
|
#rhbz 927469
|
||||||
ApplyPatch fix-child-thread-introspection.patch
|
ApplyPatch fix-child-thread-introspection.patch
|
||||||
|
|
||||||
#CVE-2013-2147 rhbz 971242 971249
|
|
||||||
ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
|
||||||
|
|
||||||
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||||
|
|
||||||
#rhbz 977040
|
#rhbz 977040
|
||||||
@ -1462,12 +1438,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
|
|||||||
#rhbz 963715
|
#rhbz 963715
|
||||||
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||||
|
|
||||||
#CVE-2013-4343 rhbz 1007733 1007741
|
|
||||||
ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
|
|
||||||
|
|
||||||
#CVE-2013-4350 rhbz 1007872 1007903
|
|
||||||
ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
|
|
||||||
|
|
||||||
#CVE-2013-4345 rhbz 1007690 1009136
|
#CVE-2013-4345 rhbz 1007690 1009136
|
||||||
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
|
||||||
|
|
||||||
@ -1480,9 +1450,6 @@ ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch
|
|||||||
#rhbz 971893
|
#rhbz 971893
|
||||||
ApplyPatch bonding-driver-alb-learning.patch
|
ApplyPatch bonding-driver-alb-learning.patch
|
||||||
|
|
||||||
#rhbz 1008323
|
|
||||||
ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch
|
|
||||||
|
|
||||||
#rhbz 902012
|
#rhbz 902012
|
||||||
ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch
|
ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch
|
||||||
ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
||||||
@ -1490,21 +1457,12 @@ ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch
|
|||||||
#rhbz 974072
|
#rhbz 974072
|
||||||
ApplyPatch rt2800-add-support-for-rf3070.patch
|
ApplyPatch rt2800-add-support-for-rf3070.patch
|
||||||
|
|
||||||
#rhbz 1005567
|
|
||||||
ApplyPatch bonding-driver-promisc.patch
|
|
||||||
|
|
||||||
#CVE-2013-4387 rhbz 1011927 1015166
|
|
||||||
ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch
|
|
||||||
|
|
||||||
#rhbz 1015989
|
#rhbz 1015989
|
||||||
ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch
|
ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch
|
||||||
|
|
||||||
#rhbz 982153
|
#rhbz 982153
|
||||||
ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
|
ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
|
||||||
|
|
||||||
#rhbz 1015920
|
|
||||||
ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch
|
|
||||||
|
|
||||||
#rhbz 998732
|
#rhbz 998732
|
||||||
ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
|
ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
|
||||||
|
|
||||||
@ -2330,6 +2288,9 @@ fi
|
|||||||
# and build.
|
# and build.
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 14 2013 Justin M. Forbes <jforbes@fedoraproject.org> - 3.11.5-200
|
||||||
|
- Linux v3.11.5
|
||||||
|
|
||||||
* Fri Oct 11 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
* Fri Oct 11 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
- Fix segfault in cpupower set (rhbz 1000439)
|
- Fix segfault in cpupower set (rhbz 1000439)
|
||||||
|
|
||||||
|
@ -1,186 +0,0 @@
|
|||||||
From 95ee62083cb6453e056562d91f597552021e6ae7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Borkmann <dborkman@redhat.com>
|
|
||||||
Date: Wed, 11 Sep 2013 14:58:36 +0000
|
|
||||||
Subject: net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
|
|
||||||
|
|
||||||
Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
|
|
||||||
being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
|
|
||||||
does not seem to have the desired effect:
|
|
||||||
|
|
||||||
SCTP + IPv4:
|
|
||||||
|
|
||||||
22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
|
|
||||||
192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
|
|
||||||
22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
|
|
||||||
192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
|
|
||||||
|
|
||||||
SCTP + IPv6:
|
|
||||||
|
|
||||||
22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
|
|
||||||
fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
|
|
||||||
1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
|
|
||||||
|
|
||||||
Moreover, Alan says:
|
|
||||||
|
|
||||||
This problem was seen with both Racoon and Racoon2. Other people have seen
|
|
||||||
this with OpenSwan. When IPsec is configured to encrypt all upper layer
|
|
||||||
protocols the SCTP connection does not initialize. After using Wireshark to
|
|
||||||
follow packets, this is because the SCTP packet leaves Box A unencrypted and
|
|
||||||
Box B believes all upper layer protocols are to be encrypted so it drops
|
|
||||||
this packet, causing the SCTP connection to fail to initialize. When IPsec
|
|
||||||
is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
|
|
||||||
|
|
||||||
In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
|
|
||||||
string on the other end, results in cleartext on the wire where SCTP eventually
|
|
||||||
does not report any errors, thus in the latter case that Alan reports, the
|
|
||||||
non-paranoid user might think he's communicating over an encrypted transport on
|
|
||||||
SCTP although he's not (tcpdump ... -X):
|
|
||||||
|
|
||||||
...
|
|
||||||
0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
|
|
||||||
0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...
|
|
||||||
|
|
||||||
Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
|
|
||||||
receiver side. Initial follow-up analysis from Alan's bug report was done by
|
|
||||||
Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
|
|
||||||
|
|
||||||
SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
|
|
||||||
This has the implication that it probably never really got updated along with
|
|
||||||
changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
|
|
||||||
|
|
||||||
SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
|
|
||||||
a call to inet6_csk_xmit() would solve this problem, but result in unecessary
|
|
||||||
route lookups, let us just use the cached flowi6 instead that we got through
|
|
||||||
sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
|
|
||||||
we do the route lookup / flow caching in sctp_transport_route(), hold it in
|
|
||||||
tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
|
|
||||||
sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
|
|
||||||
of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
|
|
||||||
instead to get the correct source routed dst entry, which we assign to the skb.
|
|
||||||
|
|
||||||
Also source address routing example from 625034113 ("sctp: fix sctp to work with
|
|
||||||
ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
|
|
||||||
it is actually 'recommended' to not use that anyway due to traffic amplification [1].
|
|
||||||
So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
|
|
||||||
we overwrite the flow destination here, the lower IPv6 layer will be unable to
|
|
||||||
put the correct destination address into IP header, as routing header is added in
|
|
||||||
ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
|
|
||||||
result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
|
|
||||||
the wire with this patch it now looks like:
|
|
||||||
|
|
||||||
SCTP + IPv6:
|
|
||||||
|
|
||||||
08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
|
|
||||||
AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
|
|
||||||
08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
|
|
||||||
AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
|
|
||||||
|
|
||||||
This fixes Kernel Bugzilla 24412. This security issue seems to be present since
|
|
||||||
2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
|
|
||||||
its fun with that. lksctp-tools IPv6 regression test suite passes as well with
|
|
||||||
this patch.
|
|
||||||
|
|
||||||
[1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
|
|
||||||
|
|
||||||
Reported-by: Alan Chester <alan.chester@tekelec.com>
|
|
||||||
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
|
|
||||||
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
||||||
Cc: Steffen Klassert <steffen.klassert@secunet.com>
|
|
||||||
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
|
||||||
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
|
|
||||||
index da613ce..4f52e2c 100644
|
|
||||||
--- a/net/sctp/ipv6.c
|
|
||||||
+++ b/net/sctp/ipv6.c
|
|
||||||
@@ -204,44 +204,23 @@ out:
|
|
||||||
in6_dev_put(idev);
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* Based on tcp_v6_xmit() in tcp_ipv6.c. */
|
|
||||||
static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
|
|
||||||
{
|
|
||||||
struct sock *sk = skb->sk;
|
|
||||||
struct ipv6_pinfo *np = inet6_sk(sk);
|
|
||||||
- struct flowi6 fl6;
|
|
||||||
-
|
|
||||||
- memset(&fl6, 0, sizeof(fl6));
|
|
||||||
-
|
|
||||||
- fl6.flowi6_proto = sk->sk_protocol;
|
|
||||||
-
|
|
||||||
- /* Fill in the dest address from the route entry passed with the skb
|
|
||||||
- * and the source address from the transport.
|
|
||||||
- */
|
|
||||||
- fl6.daddr = transport->ipaddr.v6.sin6_addr;
|
|
||||||
- fl6.saddr = transport->saddr.v6.sin6_addr;
|
|
||||||
-
|
|
||||||
- fl6.flowlabel = np->flow_label;
|
|
||||||
- IP6_ECN_flow_xmit(sk, fl6.flowlabel);
|
|
||||||
- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL)
|
|
||||||
- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id;
|
|
||||||
- else
|
|
||||||
- fl6.flowi6_oif = sk->sk_bound_dev_if;
|
|
||||||
-
|
|
||||||
- if (np->opt && np->opt->srcrt) {
|
|
||||||
- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
|
|
||||||
- fl6.daddr = *rt0->addr;
|
|
||||||
- }
|
|
||||||
+ struct flowi6 *fl6 = &transport->fl.u.ip6;
|
|
||||||
|
|
||||||
pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb,
|
|
||||||
- skb->len, &fl6.saddr, &fl6.daddr);
|
|
||||||
+ skb->len, &fl6->saddr, &fl6->daddr);
|
|
||||||
|
|
||||||
- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
|
|
||||||
+ IP6_ECN_flow_xmit(sk, fl6->flowlabel);
|
|
||||||
|
|
||||||
if (!(transport->param_flags & SPP_PMTUD_ENABLE))
|
|
||||||
skb->local_df = 1;
|
|
||||||
|
|
||||||
- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
|
|
||||||
+ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS);
|
|
||||||
+
|
|
||||||
+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Returns the dst cache entry for the given source and destination ip
|
|
||||||
@@ -254,10 +233,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
|
||||||
struct dst_entry *dst = NULL;
|
|
||||||
struct flowi6 *fl6 = &fl->u.ip6;
|
|
||||||
struct sctp_bind_addr *bp;
|
|
||||||
+ struct ipv6_pinfo *np = inet6_sk(sk);
|
|
||||||
struct sctp_sockaddr_entry *laddr;
|
|
||||||
union sctp_addr *baddr = NULL;
|
|
||||||
union sctp_addr *daddr = &t->ipaddr;
|
|
||||||
union sctp_addr dst_saddr;
|
|
||||||
+ struct in6_addr *final_p, final;
|
|
||||||
__u8 matchlen = 0;
|
|
||||||
__u8 bmatchlen;
|
|
||||||
sctp_scope_t scope;
|
|
||||||
@@ -281,7 +262,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
|
||||||
pr_debug("src=%pI6 - ", &fl6->saddr);
|
|
||||||
}
|
|
||||||
|
|
||||||
- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
|
|
||||||
+ final_p = fl6_update_dst(fl6, np->opt, &final);
|
|
||||||
+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
|
|
||||||
if (!asoc || saddr)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
@@ -333,10 +315,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
rcu_read_unlock();
|
|
||||||
+
|
|
||||||
if (baddr) {
|
|
||||||
fl6->saddr = baddr->v6.sin6_addr;
|
|
||||||
fl6->fl6_sport = baddr->v6.sin6_port;
|
|
||||||
- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
|
|
||||||
+ final_p = fl6_update_dst(fl6, np->opt, &final);
|
|
||||||
+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false);
|
|
||||||
}
|
|
||||||
|
|
||||||
out:
|
|
||||||
--
|
|
||||||
cgit v0.9.2
|
|
@ -1,61 +0,0 @@
|
|||||||
From 3361dc9538832a2a9150a8c722374ca844bf8dc8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mikulas Patocka <mpatocka@redhat.com>
|
|
||||||
Date: Fri, 20 Sep 2013 17:53:22 +0000
|
|
||||||
Subject: skge: fix invalid value passed to pci_unmap_sigle
|
|
||||||
|
|
||||||
In my patch c194992cbe71c20bb3623a566af8d11b0bfaa721 ("skge: fix
|
|
||||||
broken driver") I didn't fix the skge bug correctly. The value of the
|
|
||||||
new mapping (not old) was passed to pci_unmap_single.
|
|
||||||
|
|
||||||
If we enable CONFIG_DMA_API_DEBUG, it results in this warning:
|
|
||||||
WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:986 check_sync+0x4c4/0x580()
|
|
||||||
skge 0000:02:07.0: DMA-API: device driver tries to sync DMA memory it has
|
|
||||||
not allocated [device address=0x000000023a0096c0] [size=1536 bytes]
|
|
||||||
|
|
||||||
This patch makes the skge driver pass the correct value to
|
|
||||||
pci_unmap_single and fixes the warning. It copies the old descriptor to
|
|
||||||
on-stack variable "ee" and unmaps it if mapping of the new descriptor
|
|
||||||
succeeded.
|
|
||||||
|
|
||||||
This patch should be backported to 3.11-stable.
|
|
||||||
|
|
||||||
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
|
|
||||||
Reported-by: Francois Romieu <romieu@fr.zoreil.com>
|
|
||||||
Tested-by: Mikulas Patocka <mpatocka@redhat.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c
|
|
||||||
index 1a9c4f6..ecc7f7b 100644
|
|
||||||
--- a/drivers/net/ethernet/marvell/skge.c
|
|
||||||
+++ b/drivers/net/ethernet/marvell/skge.c
|
|
||||||
@@ -3086,13 +3086,16 @@ static struct sk_buff *skge_rx_get(struct net_device *dev,
|
|
||||||
PCI_DMA_FROMDEVICE);
|
|
||||||
skge_rx_reuse(e, skge->rx_buf_size);
|
|
||||||
} else {
|
|
||||||
+ struct skge_element ee;
|
|
||||||
struct sk_buff *nskb;
|
|
||||||
|
|
||||||
nskb = netdev_alloc_skb_ip_align(dev, skge->rx_buf_size);
|
|
||||||
if (!nskb)
|
|
||||||
goto resubmit;
|
|
||||||
|
|
||||||
- skb = e->skb;
|
|
||||||
+ ee = *e;
|
|
||||||
+
|
|
||||||
+ skb = ee.skb;
|
|
||||||
prefetch(skb->data);
|
|
||||||
|
|
||||||
if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) {
|
|
||||||
@@ -3101,8 +3104,8 @@ static struct sk_buff *skge_rx_get(struct net_device *dev,
|
|
||||||
}
|
|
||||||
|
|
||||||
pci_unmap_single(skge->hw->pdev,
|
|
||||||
- dma_unmap_addr(e, mapaddr),
|
|
||||||
- dma_unmap_len(e, maplen),
|
|
||||||
+ dma_unmap_addr(&ee, mapaddr),
|
|
||||||
+ dma_unmap_len(&ee, maplen),
|
|
||||||
PCI_DMA_FROMDEVICE);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
cgit v0.9.2
|
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
|||||||
fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz
|
fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz
|
||||||
5147e7f82600452c5438f8309c07eccd patch-3.11.4.xz
|
628876a432c0d4090013b383abac20e4 patch-3.11.5.xz
|
||||||
|
@ -1,57 +0,0 @@
|
|||||||
From dff4e504b2addc8053fc47712d44a21f733ef51b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jason Wang <jasowang@redhat.com>
|
|
||||||
Date: Wed, 11 Sep 2013 18:09:48 +0800
|
|
||||||
Subject: [PATCH] tuntap: correctly handle error in tun_set_iff()
|
|
||||||
|
|
||||||
Commit c8d68e6be1c3b242f1c598595830890b65cea64a
|
|
||||||
(tuntap: multiqueue support) only call free_netdev() on error in
|
|
||||||
tun_set_iff(). This causes several issues:
|
|
||||||
|
|
||||||
- memory of tun security were leaked
|
|
||||||
- use after free since the flow gc timer was not deleted and the tfile
|
|
||||||
were not detached
|
|
||||||
|
|
||||||
This patch solves the above issues.
|
|
||||||
|
|
||||||
Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
|
|
||||||
Cc: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
---
|
|
||||||
drivers/net/tun.c | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
|
|
||||||
index 71af122..68b9aa3 100644
|
|
||||||
--- a/drivers/net/tun.c
|
|
||||||
+++ b/drivers/net/tun.c
|
|
||||||
@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
|
|
||||||
INIT_LIST_HEAD(&tun->disabled);
|
|
||||||
err = tun_attach(tun, file);
|
|
||||||
if (err < 0)
|
|
||||||
- goto err_free_dev;
|
|
||||||
+ goto err_free_flow;
|
|
||||||
|
|
||||||
err = register_netdevice(tun->dev);
|
|
||||||
if (err < 0)
|
|
||||||
- goto err_free_dev;
|
|
||||||
+ goto err_detach;
|
|
||||||
|
|
||||||
if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
|
|
||||||
device_create_file(&tun->dev->dev, &dev_attr_owner) ||
|
|
||||||
@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
|
|
||||||
strcpy(ifr->ifr_name, tun->dev->name);
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- err_free_dev:
|
|
||||||
+err_detach:
|
|
||||||
+ tun_detach_all(dev);
|
|
||||||
+err_free_flow:
|
|
||||||
+ tun_flow_uninit(tun);
|
|
||||||
+ security_tun_dev_free_security(tun->security);
|
|
||||||
+err_free_dev:
|
|
||||||
free_netdev(dev);
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user