parent
716fb36dd7
commit
70963882b0
|
@ -1,39 +0,0 @@
|
|||
From 2dcab598484185dea7ec22219c76dcdd59e3cb90 Mon Sep 17 00:00:00 2001
|
||||
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Date: Mon, 6 Feb 2017 18:10:31 -0200
|
||||
Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf
|
||||
|
||||
Alexander Popov reported that an application may trigger a BUG_ON in
|
||||
sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
|
||||
waiting on it to queue more data and meanwhile another thread peels off
|
||||
the association being used by the first thread.
|
||||
|
||||
This patch replaces the BUG_ON call with a proper error handling. It
|
||||
will return -EPIPE to the original sendmsg call, similarly to what would
|
||||
have been done if the association wasn't found in the first place.
|
||||
|
||||
Acked-by: Alexander Popov <alex.popov@linux.com>
|
||||
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
||||
Reviewed-by: Xin Long <lucien.xin@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/socket.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
|
||||
index 37eeab7..e214d2e 100644
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
|
||||
*/
|
||||
release_sock(sk);
|
||||
current_timeo = schedule_timeout(current_timeo);
|
||||
- BUG_ON(sk != asoc->base.sk);
|
||||
+ if (sk != asoc->base.sk)
|
||||
+ goto do_error;
|
||||
lock_sock(sk);
|
||||
|
||||
*timeo_p = current_timeo;
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,91 +0,0 @@
|
|||
From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Sat, 4 Feb 2017 23:18:55 -0800
|
||||
Subject: ip6_gre: fix ip6gre_err() invalid reads
|
||||
|
||||
Andrey Konovalov reported out of bound accesses in ip6gre_err()
|
||||
|
||||
If GRE flags contains GRE_KEY, the following expression
|
||||
*(((__be32 *)p) + (grehlen / 4) - 1)
|
||||
|
||||
accesses data ~40 bytes after the expected point, since
|
||||
grehlen includes the size of IPv6 headers.
|
||||
|
||||
Let's use a "struct gre_base_hdr *greh" pointer to make this
|
||||
code more readable.
|
||||
|
||||
p[1] becomes greh->protocol.
|
||||
grhlen is the GRE header length.
|
||||
|
||||
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
|
||||
1 file changed, 21 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
|
||||
index 5586318..630b73b 100644
|
||||
--- a/net/ipv6/ip6_gre.c
|
||||
+++ b/net/ipv6/ip6_gre.c
|
||||
@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
|
||||
|
||||
|
||||
static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
||||
- u8 type, u8 code, int offset, __be32 info)
|
||||
+ u8 type, u8 code, int offset, __be32 info)
|
||||
{
|
||||
- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
|
||||
- __be16 *p = (__be16 *)(skb->data + offset);
|
||||
- int grehlen = offset + 4;
|
||||
+ const struct gre_base_hdr *greh;
|
||||
+ const struct ipv6hdr *ipv6h;
|
||||
+ int grehlen = sizeof(*greh);
|
||||
struct ip6_tnl *t;
|
||||
+ int key_off = 0;
|
||||
__be16 flags;
|
||||
+ __be32 key;
|
||||
|
||||
- flags = p[0];
|
||||
- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
|
||||
- if (flags&(GRE_VERSION|GRE_ROUTING))
|
||||
- return;
|
||||
- if (flags&GRE_KEY) {
|
||||
- grehlen += 4;
|
||||
- if (flags&GRE_CSUM)
|
||||
- grehlen += 4;
|
||||
- }
|
||||
+ if (!pskb_may_pull(skb, offset + grehlen))
|
||||
+ return;
|
||||
+ greh = (const struct gre_base_hdr *)(skb->data + offset);
|
||||
+ flags = greh->flags;
|
||||
+ if (flags & (GRE_VERSION | GRE_ROUTING))
|
||||
+ return;
|
||||
+ if (flags & GRE_CSUM)
|
||||
+ grehlen += 4;
|
||||
+ if (flags & GRE_KEY) {
|
||||
+ key_off = grehlen + offset;
|
||||
+ grehlen += 4;
|
||||
}
|
||||
|
||||
- /* If only 8 bytes returned, keyed message will be dropped here */
|
||||
- if (!pskb_may_pull(skb, grehlen))
|
||||
+ if (!pskb_may_pull(skb, offset + grehlen))
|
||||
return;
|
||||
ipv6h = (const struct ipv6hdr *)skb->data;
|
||||
- p = (__be16 *)(skb->data + offset);
|
||||
+ greh = (const struct gre_base_hdr *)(skb->data + offset);
|
||||
+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
|
||||
|
||||
t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
|
||||
- flags & GRE_KEY ?
|
||||
- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
|
||||
- p[1]);
|
||||
+ key, greh->protocol);
|
||||
if (!t)
|
||||
return;
|
||||
|
||||
--
|
||||
cgit v0.12
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From 34b2cef20f19c87999fff3da4071e66937db9644 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Sat, 4 Feb 2017 11:16:52 -0800
|
||||
Subject: [PATCH] ipv4: keep skb->dst around in presence of IP options
|
||||
|
||||
Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
|
||||
is accessed.
|
||||
|
||||
ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
|
||||
are present.
|
||||
|
||||
We could refine the test to the presence of ts_needtime or srr,
|
||||
but IP options are not often used, so let's be conservative.
|
||||
|
||||
Thanks to syzkaller team for finding this bug.
|
||||
|
||||
Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ip_sockglue.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
|
||||
index 53ae0c6..9000117 100644
|
||||
--- a/net/ipv4/ip_sockglue.c
|
||||
+++ b/net/ipv4/ip_sockglue.c
|
||||
@@ -1238,7 +1238,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
|
||||
pktinfo->ipi_ifindex = 0;
|
||||
pktinfo->ipi_spec_dst.s_addr = 0;
|
||||
}
|
||||
- skb_dst_drop(skb);
|
||||
+ /* We need to keep the dst for __ip_options_echo()
|
||||
+ * We could restrict the test to opt.ts_needtime || opt.srr,
|
||||
+ * but the following is good enough as IP options are not often used.
|
||||
+ */
|
||||
+ if (unlikely(IPCB(skb)->opt.optlen))
|
||||
+ skb_dst_force(skb);
|
||||
+ else
|
||||
+ skb_dst_drop(skb);
|
||||
}
|
||||
|
||||
int ip_setsockopt(struct sock *sk, int level,
|
||||
--
|
||||
2.9.3
|
||||
|
16
kernel.spec
16
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 10
|
||||
%define stable_update 11
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -636,21 +636,15 @@ Patch852: nouveau-add-maxwell-to-backlight-init.patch
|
|||
#CVE-2017-2596 rhbz 1417812 1417813
|
||||
Patch855: kvm-fix-page-struct-leak-in-handle_vmon.patch
|
||||
|
||||
#CVE-2017-5897 rhbz 1419848 1419851
|
||||
Patch857: ip6_gre-fix-ip6gre_err-invalid-reads.patch
|
||||
|
||||
#rhbz 1417829
|
||||
Patch858: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
|
||||
Patch859: 2-2-media-dvb-usb-firmware-don-t-do-DMA-on-stack.patch
|
||||
|
||||
#rhbz 1420276
|
||||
Patch860: 0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
|
||||
|
||||
#rhbz 1415397
|
||||
Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
|
||||
|
||||
#CVE-2017-5970 rhbz 1421638
|
||||
Patch862: ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
|
||||
#rhbz 1422969
|
||||
Patch862: rt2800-warning.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -2181,6 +2175,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Feb 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.11-100
|
||||
- Linux v4.9.11
|
||||
- Fix rt2800 warning (rhbz 1422969)
|
||||
|
||||
* Wed Feb 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Enable PWRSEQ_SIMPLE module (fixes rhbz 1377816)
|
||||
|
||||
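Review bot: The new changelog entry `* Mon Feb 20 2017 ... 4.9.11-100` records only the rebase and the rt2800 fix, but the patch-definition hunk also appears to drop `Patch857` (CVE-2017-5897), `Patch860` (rhbz 1420276) and the ipv4 IP-options patch (CVE-2017-5970), matching the three patch files deleted in this commit. Someone auditing the package for those CVEs cannot tell from the spec whether the fixes are still present. I would add a changelog line such as `- Drop ip6_gre, sctp and ipv4 IP-options patches now carried upstream (CVE-2017-5897, CVE-2017-5970, rhbz 1420276)`. That wording presumes v4.9.11 contains all three fixes, which this page does not show, so confirm each against the stable changelog before merging. Reusing `Patch862` for `rt2800-warning.patch` is only safe because the ipv4 line is removed in the same hunk, so it is worth checking that no duplicate `Patch862` remains in the resulting spec.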
|
|
|
@ -0,0 +1,34 @@
|
|||
From feecb0cb466ba458f59640b4d59ecef1cd956b1f Mon Sep 17 00:00:00 2001
|
||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Date: Fri, 13 Jan 2017 15:55:07 +0100
|
||||
Subject: rt2800: remove warning on bcn_num != rt2x00dev->intf_beaconing
|
||||
|
||||
Since rt2800pci update beacon settings asynchronously from
|
||||
tbtt tasklet, without beacon_skb_mutex protection, number of
|
||||
currently active beacons entries can be different than
|
||||
number pointed by rt2x00dev->intf_beaconing. Remove warning
|
||||
about that inconsistency.
|
||||
|
||||
Reported-by: evaxige@qq.com
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
|
||||
index ff047dc..f36bc9b 100644
|
||||
--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
|
||||
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
|
||||
@@ -967,8 +967,6 @@ static void rt2800_update_beacons_setup(struct rt2x00_dev *rt2x00dev)
|
||||
bcn_num++;
|
||||
}
|
||||
|
||||
- WARN_ON_ONCE(bcn_num != rt2x00dev->intf_beaconing);
|
||||
-
|
||||
rt2800_register_write(rt2x00dev, BCN_OFFSET0, (u32) reg);
|
||||
rt2800_register_write(rt2x00dev, BCN_OFFSET1, (u32) (reg >> 32));
|
||||
|
||||
--
|
||||
cgit v0.12
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
|
||||
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
|
||||
SHA512 (patch-4.9.10.xz) = 93958f4b932a46bbd9a122f52bf09b8c4b864b419a0774514baeb7dc83f11f55a5ba84f2e586a904dbfeeb7d976352e40670fbe2e32e25c35085ddf87e41b58d
|
||||
SHA512 (patch-4.9.11.xz) = 7683628b011fa1462b5838301ebabc3eebaefcd50f65600be55bcf0102578ca07589c7683ef84b8d5300bd05795655fb21e1c145f5663d30593fc1801c163bc3
|
||||
|
|