Update to 4.5.5

Drop changes that were applied upstream.

Fix/ignore ABI changes.
Ben Hutchings 2016-05-23 02:34:39 +01:00
parent b88823f96b
commit 327c921aa7
14 changed files with 125 additions and 785 deletions

debian/changelog

@ -1,4 +1,91 @@
linux (4.5.4-2) UNRELEASED; urgency=medium
linux (4.5.5-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5
- decnet: Do not build routes to devices without decnet private data.
- route: do not cache fib route info on local routes with oif
- packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
- net: sched: do not requeue a NULL skb
- bpf/verifier: reject invalid LD_ABS | BPF_DW instruction
- cdc_mbim: apply "NDP to end" quirk to all Huawei devices
- soreuseport: fix ordering for mixed v4/v6 sockets
- net: use skb_postpush_rcsum instead of own implementations
- vlan: pull on __vlan_insert_tag error path and fix csum correction
- openvswitch: Orphan skbs before IPv6 defrag
- openvswitch: use flow protocol when recalculating ipv6 checksums
- net/mlx5_core: Fix soft lockup in steering error flow
- net/mlx5e: Device's mtu field is u16 and not int
- net/mlx5e: Fix minimum MTU
- net/mlx5e: Use vport MTU rather than physical port MTU
- ipv4/fib: don't warn when primary address is missing if in_dev is dead
- net/mlx4_en: fix spurious timestamping callbacks
- net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case
- gre: do not pull header in ICMP error processing
- net_sched: introduce qdisc_replace() helper
- net_sched: update hierarchical backlog too
- sch_htb: update backlog as well
- sch_dsmark: update backlog as well
- netem: Segment GSO packets on enqueue
- ipv6/ila: fix nlsize calculation for lwtunnel
- net/mlx4_en: Fix endianness bug in IPV6 csum calculation
- [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only
- net: bridge: fix old ioctl unlocked net device walk
- bridge: fix igmp / mld query parsing
- net: fix a kernel infoleak in x25 module
- net: thunderx: avoid exposing kernel stack
- tcp: refresh skb timestamp at retransmit time
- net/route: enforce hoplimit max value
- ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang
- ocfs2: fix posix_acl_create deadlock
- zsmalloc: fix zs_can_compact() integer overflow
- mm: thp: calculate the mapcount correctly for THP pages during WP faults
- [x86] crypto: qat - fix invalid pf2vf_resp_wq logic
- crypto: testmgr - Use kmalloc memory for RSA input
- ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
- ALSA: usb-audio: Yet another Phoneix Audio device quirk
- ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
- ALSA: hda - Fix white noise on Asus UX501VW headset
- ALSA: hda - Fix broken reconfig
- [armhf] spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is
overridden
- [armhf] spi: spi-ti-qspi: Handle truncated frames properly
- perf diff: Fix duplicated output column
- perf/core: Disable the event on a truncated AUX record
- vfs: rename: check backing inode being equal
- workqueue: fix rebind bound workers warning
- [armhf] regulator: s2mps11: Fix invalid selector mask and voltages
for buck9
- [armhf] regulator: axp20x: Fix axp22x ldo_io voltage ranges
- atomic_open(): fix the handling of create_error
- qla1280: Don't allocate 512kb of host tags
- tools lib traceevent: Do not reassign parg after collapse_tree()
- Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
- [x86] drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk
frequency
- drm/radeon: fix PLL sharing on DCE6.1 (v2)
- [x86] drm/i915: Bail out of pipe config compute loop on LPT
- [x86] Revert "drm/i915: start adding dp mst audio"
- [x86] drm/i915/bdw: Add missing delay during L3 SQC credit programming
- drm/radeon: fix DP link training issue with second 4K monitor
- drm/radeon: fix DP mode validation
- [x86] drm/amdgpu: fix DP mode validation
- btrfs: reada: Fix in-segment calculation for reada
- Btrfs: fix truncate_space_check
- btrfs: remove error message from search ioctl for nonexistent tree
- btrfs: change max_inline default to 2048
- Btrfs: fix unreplayable log after snapshot delete + parent dir fsync
- Btrfs: fix file loss on log replay after renaming a file and fsync
- Btrfs: fix extent_same allowing destination offset beyond i_size
- Btrfs: fix deadlock between direct IO reads and buffered writes
- Btrfs: fix race when checking if we can skip fsync'ing an inode
- Btrfs: do not collect ordered extents when logging that inode exists
- btrfs: csum_tree_block: return proper errno value
- btrfs: do not write corrupted metadata blocks to disk
- Btrfs: fix invalid reference in replace_path
- btrfs: handle non-fatal errors in btrfs_qgroup_inherit()
- btrfs: fallback to vmalloc in btrfs_compare_tree
- Btrfs: don't use src fd for printk
- btrfs: Reset IO error counters before start of device replacing
[ Salvatore Bonaccorso ]
* tipc: check nl sock before parsing nested attributes (CVE-2016-4951)
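
Review bot: the new 4.5.5-1 entry records the upstream stable update but has no line for the ABI handling that this commit also does. Add entries for the added `ignore-changes` item and for debian/net-sched-fix-abi-change-in-4.5.5.patch (restoring qdisc_tree_decrease_qlen()), so the changelog shows why `abiname` could stay at 2.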


@ -1,6 +1,7 @@
[abi]
abiname: 2
ignore-changes:
module:drivers/net/ethernet/*
module:sound/hda/*
zpci_disable_device
zpci_enable_device
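
Review bot: the `ignore-changes` list gains an entry here with nothing recording which 4.5.5 change it covers. The wildcard entries `module:drivers/net/ethernet/*` and `module:sound/hda/*` switch off ABI checking for everything exported under those directories, so state the reason beside the entry or in the changelog (for example, that the symbols are only used within that driver family), and prefer naming individual symbols where the set is small.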


@ -1,37 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 20 Apr 2016 23:23:08 +0100
Subject: atl2: Disable unimplemented scatter/gather feature
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=f43bfaeddc79effbf3d0fcb53ca477cca66f3db8
atl2 includes NETIF_F_SG in hw_features even though it has no support
for non-linear skbs. This bug was originally harmless since the
driver does not claim to implement checksum offload and that used to
be a requirement for SG.
Now that SG and checksum offload are independent features, if you
explicitly enable SG *and* use one of the rare protocols that can use
SG without checkusm offload, this potentially leaks sensitive
information (before you notice that it just isn't working). Therefore
this obscure bug has been designated CVE-2016-2117.
Reported-by: Justin Yackoski <jyackoski@crypto-nite.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.")
Signed-off-by: David S. Miller <davem@davemloft.net>
---
drivers/net/ethernet/atheros/atlx/atl2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
index 8f76f4558a88..2ff465848b65 100644
--- a/drivers/net/ethernet/atheros/atlx/atl2.c
+++ b/drivers/net/ethernet/atheros/atlx/atl2.c
@@ -1412,7 +1412,7 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err = -EIO;
- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX;
+ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX;
netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX);
/* Init PHY as early as possible due to power saving issue */


@ -1,94 +0,0 @@
From: Alexei Starovoitov <ast@fb.com>
Date: Wed, 27 Apr 2016 18:56:21 -0700
Subject: [3/3] bpf: fix check_map_func_compatibility logic
Origin: https://git.kernel.org/linus/6aff67c85c9e5a4bc99e5211c1bac547936626ca
The commit 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
introduced clever way to check bpf_helper<->map_type compatibility.
Later on commit a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") adjusted
the logic and inadvertently broke it.
Get rid of the clever bool compare and go back to two-way check
from map and from helper perspective.
Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.5:
- Drop the STACK_TRACE case
- No verbose() logging]
---
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -239,15 +239,6 @@ static const char * const reg_type_str[]
[CONST_IMM] = "imm",
};
-static const struct {
- int map_type;
- int func_id;
-} func_limit[] = {
- {BPF_MAP_TYPE_PROG_ARRAY, BPF_FUNC_tail_call},
- {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_read},
- {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_output},
-};
-
static void print_verifier_state(struct verifier_env *env)
{
enum bpf_reg_type t;
@@ -898,24 +889,42 @@ static int check_func_arg(struct verifie
static int check_map_func_compatibility(struct bpf_map *map, int func_id)
{
- bool bool_map, bool_func;
- int i;
-
if (!map)
return 0;
- for (i = 0; i < ARRAY_SIZE(func_limit); i++) {
- bool_map = (map->map_type == func_limit[i].map_type);
- bool_func = (func_id == func_limit[i].func_id);
- /* only when map & func pair match it can continue.
- * don't allow any other map type to be passed into
- * the special func;
- */
- if (bool_func && bool_map != bool_func)
- return -EINVAL;
+ /* We need a two way check, first is from map perspective ... */
+ switch (map->map_type) {
+ case BPF_MAP_TYPE_PROG_ARRAY:
+ if (func_id != BPF_FUNC_tail_call)
+ goto error;
+ break;
+ case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
+ if (func_id != BPF_FUNC_perf_event_read &&
+ func_id != BPF_FUNC_perf_event_output)
+ goto error;
+ break;
+ default:
+ break;
+ }
+
+ /* ... and second from the function itself. */
+ switch (func_id) {
+ case BPF_FUNC_tail_call:
+ if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
+ goto error;
+ break;
+ case BPF_FUNC_perf_event_read:
+ case BPF_FUNC_perf_event_output:
+ if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
+ goto error;
+ break;
+ default:
+ break;
}
return 0;
+error:
+ return -EINVAL;
}
static int check_call(struct verifier_env *env, int func_id)
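
Review bot: both new switch statements in check_map_func_compatibility() end in `default: break;`, so a map type or helper that is added later and needs pairing is accepted unless someone remembers to extend both switches. Put a comment above the first switch saying that every restricted map type needs a case there and every restricted helper needs a case in the second. Since this backport has no verbose() call at `error:`, the label only returns -EINVAL, and the `goto error;` lines could be plain `return -EINVAL;`.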


@ -1,41 +0,0 @@
From: Jann Horn <jannh@google.com>
Date: Tue, 26 Apr 2016 22:26:26 +0200
Subject: [1/3] bpf: fix double-fdput in replace_map_fd_with_map_ptr()
Origin: https://git.kernel.org/linus/8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
references a non-map file descriptor as a map file descriptor, the error
handling code called fdput() twice instead of once (in __bpf_map_get() and
in replace_map_fd_with_map_ptr()). If the file descriptor table of the
current task is shared, this causes f_count to be decremented too much,
allowing the struct file to be freed while it is still in use
(use-after-free). This can be exploited to gain root privileges by an
unprivileged user.
This bug was introduced in
commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
exploitable since
commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
(posted publicly according to request by maintainer)
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
kernel/bpf/verifier.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2003,7 +2003,6 @@ static int replace_map_fd_with_map_ptr(s
if (IS_ERR(map)) {
verbose("fd %d is not pointing to valid bpf_map\n",
insn->imm);
- fdput(f);
return PTR_ERR(map);
}
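
Review bot: after this removal nothing in the `IS_ERR(map)` branch tells a reader that `f` has already been released; only the commit message says that __bpf_map_get() does the fdput() on its error path. Add a one-line comment in the branch to that effect, so a later cleanup does not restore the second fdput().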


@ -1,147 +0,0 @@
From: Alexei Starovoitov <ast@fb.com>
Date: Wed, 27 Apr 2016 18:56:20 -0700
Subject: [2/3] bpf: fix refcnt overflow
Origin: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e
On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
the malicious application may overflow 32-bit bpf program refcnt.
It's also possible to overflow map refcnt on 1Tb system.
Impose 32k hard limit which means that the same bpf program or
map cannot be shared by more than 32k processes.
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/linux/bpf.h | 3 ++-
kernel/bpf/inode.c | 7 ++++---
kernel/bpf/syscall.c | 24 ++++++++++++++++++++----
kernel/bpf/verifier.c | 11 +++++++----
4 files changed, 33 insertions(+), 12 deletions(-)
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_p
void bpf_register_map_type(struct bpf_map_type_list *tl);
struct bpf_prog *bpf_prog_get(u32 ufd);
+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
void bpf_prog_put(struct bpf_prog *prog);
void bpf_prog_put_rcu(struct bpf_prog *prog);
struct bpf_map *bpf_map_get_with_uref(u32 ufd);
struct bpf_map *__bpf_map_get(struct fd f);
-void bpf_map_inc(struct bpf_map *map, bool uref);
+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
void bpf_map_put_with_uref(struct bpf_map *map);
void bpf_map_put(struct bpf_map *map);
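
Review bot: bpf_map_inc() and the new bpf_prog_inc() now return a pointer that can be ERR_PTR(-EBUSY), but the declarations give callers no hint that the result has to be checked. Mark both `__must_check`, or document the error return above the prototypes, so that a caller which ignores the return value (correct with the old `void bpf_map_inc()`) is flagged at build time.
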
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum
{
switch (type) {
case BPF_TYPE_PROG:
- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
+ raw = bpf_prog_inc(raw);
break;
case BPF_TYPE_MAP:
- bpf_map_inc(raw, true);
+ raw = bpf_map_inc(raw, true);
break;
default:
WARN_ON_ONCE(1);
@@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct
goto out;
raw = bpf_any_get(inode->i_private, *type);
- touch_atime(&path);
+ if (!IS_ERR(raw))
+ touch_atime(&path);
path_put(&path);
return raw;
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -201,11 +201,18 @@ struct bpf_map *__bpf_map_get(struct fd
return f.file->private_data;
}
-void bpf_map_inc(struct bpf_map *map, bool uref)
+/* prog's and map's refcnt limit */
+#define BPF_MAX_REFCNT 32768
+
+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
{
- atomic_inc(&map->refcnt);
+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
+ atomic_dec(&map->refcnt);
+ return ERR_PTR(-EBUSY);
+ }
if (uref)
atomic_inc(&map->usercnt);
+ return map;
}
struct bpf_map *bpf_map_get_with_uref(u32 ufd)
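
Review bot: the comment on `BPF_MAX_REFCNT` says what the constant is but not why it is 32768, nor that the cap is soft. In bpf_map_inc() the counter is raised by atomic_inc_return() before the comparison and only then lowered again, so concurrent callers can push it briefly above the limit. That is harmless with this much headroom below the 32-bit wrap the commit message describes, but say so in the comment so that nobody treats the limit as exact.
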
@@ -217,7 +224,7 @@ struct bpf_map *bpf_map_get_with_uref(u3
if (IS_ERR(map))
return map;
- bpf_map_inc(map, true);
+ map = bpf_map_inc(map, true);
fdput(f);
return map;
@@ -600,6 +607,15 @@ static struct bpf_prog *__bpf_prog_get(s
return f.file->private_data;
}
+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
+{
+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
+ atomic_dec(&prog->aux->refcnt);
+ return ERR_PTR(-EBUSY);
+ }
+ return prog;
+}
+
/* called by sockets/tracing/seccomp before attaching program to an event
* pairs with bpf_prog_put()
*/
@@ -612,7 +628,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
if (IS_ERR(prog))
return prog;
- atomic_inc(&prog->aux->refcnt);
+ prog = bpf_prog_inc(prog);
fdput(f);
return prog;
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2022,15 +2022,18 @@ static int replace_map_fd_with_map_ptr(s
return -E2BIG;
}
- /* remember this map */
- env->used_maps[env->used_map_cnt++] = map;
-
/* hold the map. If the program is rejected by verifier,
* the map will be released by release_maps() or it
* will be used by the valid program until it's unloaded
* and all maps are released in free_bpf_prog_info()
*/
- bpf_map_inc(map, false);
+ map = bpf_map_inc(map, false);
+ if (IS_ERR(map)) {
+ fdput(f);
+ return PTR_ERR(map);
+ }
+ env->used_maps[env->used_map_cnt++] = map;
+
fdput(f);
next_insn:
insn++;


@ -1,31 +0,0 @@
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Wed, 4 May 2016 17:52:56 +0800
Subject: crypto: hash - Fix page length clamping in hash walk
Origin: https://git.kernel.org/linus/13f4bb78cf6a312bbdec367ba3da044b09bf0e29
The crypto hash walk code is broken when supplied with an offset
greater than or equal to PAGE_SIZE. This patch fixes it by adjusting
walk->pg and walk->offset when this happens.
Cc: <stable@vger.kernel.org>
Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
crypto/ahash.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/ahash.c b/crypto/ahash.c
index 5fc1f172963d..3887a98abcc3 100644
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk)
struct scatterlist *sg;
sg = walk->sg;
- walk->pg = sg_page(sg);
walk->offset = sg->offset;
+ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);
+ walk->offset = offset_in_page(walk->offset);
walk->entrylen = sg->length;
if (walk->entrylen > walk->total)
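
Review bot: the added line calls `sg_page(walk->sg)` although the function has just loaded `sg = walk->sg` and the neighbouring lines use the local `sg`; use `sg_page(sg)` for consistency. The two added lines also depend on their order (the page has to be computed from the unclamped `walk->offset` before offset_in_page() reduces it), which deserves a short comment.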


@ -1,60 +0,0 @@
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu, 5 May 2016 16:25:35 -0400
Subject: get_rock_ridge_filename(): handle malformed NM entries
Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
Payloads of NM entries are not supposed to contain NUL. When we run
into such, only the part prior to the first NUL goes into the
concatenation (i.e. the directory entry name being encoded by a bunch
of NM entries). We do stop when the amount collected so far + the
claimed amount in the current NM entry exceed 254. So far, so good,
but what we return as the total length is the sum of *claimed*
sizes, not the actual amount collected. And that can grow pretty
large - not unlimited, since you'd need to put CE entries in
between to be able to get more than the maximum that could be
contained in one isofs directory entry / continuation chunk and
we are stop once we'd encountered 32 CEs, but you can get about 8Kb
easily. And that's what will be passed to readdir callback as the
name length. 8Kb __copy_to_user() from a buffer allocated by
__get_free_page()
Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/isofs/rock.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index 5384ceb35b1c..98b3eb7d8eaf 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
int retnamlen = 0;
int truncate = 0;
int ret = 0;
+ char *p;
+ int len;
if (!ISOFS_SB(inode->i_sb)->s_rock)
return 0;
@@ -267,12 +269,17 @@ repeat:
rr->u.NM.flags);
break;
}
- if ((strlen(retname) + rr->len - 5) >= 254) {
+ len = rr->len - 5;
+ if (retnamlen + len >= 254) {
truncate = 1;
break;
}
- strncat(retname, rr->u.NM.name, rr->len - 5);
- retnamlen += rr->len - 5;
+ p = memchr(rr->u.NM.name, '\0', len);
+ if (unlikely(p))
+ len = p - rr->u.NM.name;
+ memcpy(retname + retnamlen, rr->u.NM.name, len);
+ retnamlen += len;
+ retname[retnamlen] = '\0';
break;
case SIG('R', 'E'):
kfree(rs.buffer);
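
Review bot: the fix in the NM case hinges on `retnamlen` now counting the bytes actually copied rather than the length the entry claims, but nothing in the code says so. Add a comment above the memchr() call explaining that NM payloads are not supposed to contain NUL and that `len` is cut at the first one, and consider giving the 254 limit a name instead of the bare literal.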


@ -1,29 +0,0 @@
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:35:05 -0400
Subject: net: fix infoleak in llc
Origin: https://git.kernel.org/linus/b8670c09f37bdf2847cc44f36511a53afc6161fd
The stack object “info” has a total size of 12 bytes. Its last byte
is padding which is not initialized and leaked via “put_cmsg”.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/llc/af_llc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index b3c52e3..8ae3ed9 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
struct llc_pktinfo info;
+ memset(&info, 0, sizeof(info));
info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
llc_pdu_decode_dsap(skb, &info.lpi_sap);
llc_pdu_decode_da(skb, info.lpi_mac);
--
2.8.1


@ -1,45 +0,0 @@
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:46:24 -0400
Subject: net: fix infoleak in rtnetlink
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6
The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/core/rtnetlink.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_
static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
{
- struct rtnl_link_ifmap map = {
- .mem_start = dev->mem_start,
- .mem_end = dev->mem_end,
- .base_addr = dev->base_addr,
- .irq = dev->irq,
- .dma = dev->dma,
- .port = dev->if_port,
- };
+ struct rtnl_link_ifmap map;
+
+ memset(&map, 0, sizeof(map));
+ map.mem_start = dev->mem_start;
+ map.mem_end = dev->mem_end;
+ map.base_addr = dev->base_addr;
+ map.irq = dev->irq;
+ map.dma = dev->dma;
+ map.port = dev->if_port;
+
if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
return -EMSGSIZE;
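
Review bot: in rtnl_fill_link_ifmap() the switch from a designated initializer to memset() plus assignments reads like a style regression unless the reader knows the reason, which only the commit message gives (the compiler-generated padding in `map` is otherwise left uninitialized and nla_put() copies `sizeof(map)` bytes). Add a comment above the memset() so that a later cleanup does not convert it back.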


@ -1,45 +0,0 @@
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat, 14 May 2016 11:11:44 -0700
Subject: nf_conntrack: avoid kernel pointer value leak in slab name
Origin: https://git.kernel.org/linus/31b0b385f69d8d5491a4bca288e25e63f1d945d0
The slab name ends up being visible in the directory structure under
/sys, and even if you don't have access rights to the file you can see
the filenames.
Just use a 64-bit counter instead of the pointer to the 'net' structure
to generate a unique name.
This code will go away in 4.7 when the conntrack code moves to a single
kmemcache, but this is the backportable simple solution to avoiding
leaking kernel pointers to user space.
Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/netfilter/nf_conntrack_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void)
int nf_conntrack_init_net(struct net *net)
{
+ static atomic64_t unique_id;
int ret = -ENOMEM;
int cpu;
@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne
if (!net->ct.stat)
goto err_pcpu_lists;
- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
+ (u64)atomic64_inc_return(&unique_id));
if (!net->ct.slabname)
goto err_slabname;


@ -1,245 +0,0 @@
From: Mikko Rapeli <mikko.rapeli@iki.fi>
Date: Sun, 24 Apr 2016 17:45:00 +0200
Subject: uapi glibc compat: fix compile errors when glibc net/if.h included
before linux/if.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/4a91cb61bb995e5571098188092e296192309c77
Bug-Debian: https://bugs.debian.org/822393
glibc's net/if.h contains copies of definitions from linux/if.h and these
conflict and cause build failures if both files are included by application
source code. Changes in uapi headers, which fixed header file dependencies to
include linux/if.h when it was needed, e.g. commit 1ffad83d, made the
net/if.h and linux/if.h incompatibilities visible as build failures for
userspace applications like iproute2 and xtables-addons.
This patch fixes compile errors when glibc net/if.h is included before
linux/if.h:
./linux/if.h:99:21: error: redeclaration of enumerator IFF_NOARP
./linux/if.h:98:23: error: redeclaration of enumerator IFF_RUNNING
./linux/if.h:97:26: error: redeclaration of enumerator IFF_NOTRAILERS
./linux/if.h:96:27: error: redeclaration of enumerator IFF_POINTOPOINT
./linux/if.h:95:24: error: redeclaration of enumerator IFF_LOOPBACK
./linux/if.h:94:21: error: redeclaration of enumerator IFF_DEBUG
./linux/if.h:93:25: error: redeclaration of enumerator IFF_BROADCAST
./linux/if.h:92:19: error: redeclaration of enumerator IFF_UP
./linux/if.h:252:8: error: redefinition of struct ifconf
./linux/if.h:203:8: error: redefinition of struct ifreq
./linux/if.h:169:8: error: redefinition of struct ifmap
./linux/if.h:107:23: error: redeclaration of enumerator IFF_DYNAMIC
./linux/if.h:106:25: error: redeclaration of enumerator IFF_AUTOMEDIA
./linux/if.h:105:23: error: redeclaration of enumerator IFF_PORTSEL
./linux/if.h:104:25: error: redeclaration of enumerator IFF_MULTICAST
./linux/if.h:103:21: error: redeclaration of enumerator IFF_SLAVE
./linux/if.h:102:22: error: redeclaration of enumerator IFF_MASTER
./linux/if.h:101:24: error: redeclaration of enumerator IFF_ALLMULTI
./linux/if.h:100:23: error: redeclaration of enumerator IFF_PROMISC
The cases where linux/if.h is included before net/if.h need a similar fix in
the glibc side, or the order of include files can be changed userspace
code as a workaround.
This change was tested in x86 userspace on Debian unstable with
scripts/headers_compile_test.sh:
$ make headers_install && \
cd usr/include && ../../scripts/headers_compile_test.sh -l -k
...
cc -Wall -c -nostdinc -I /usr/lib/gcc/i586-linux-gnu/5/include -I /usr/lib/gcc/i586-linux-gnu/5/include-fixed -I . -I /home/mcfrisk/src/linux-2.6/usr/headers_compile_test_include.2uX2zH -I /home/mcfrisk/src/linux-2.6/usr/headers_compile_test_include.2uX2zH/i586-linux-gnu -o /dev/null ./linux/if.h_libc_before_kernel.h
PASSED libc before kernel test: ./linux/if.h
Reported-by: Jan Engelhardt <jengelh@inai.de>
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
Reported-by: Stephen Hemminger <shemming@brocade.com>
Reported-by: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
Cc: Gabriel Laskar <gabriel@lse.epita.fr>
Signed-off-by: Mikko Rapeli <mikko.rapeli@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/uapi/linux/if.h | 28 +++++++++++++++++++++++++
include/uapi/linux/libc-compat.h | 44 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/include/uapi/linux/if.h b/include/uapi/linux/if.h
index f80277569f24..e601c8c3bdc7 100644
--- a/include/uapi/linux/if.h
+++ b/include/uapi/linux/if.h
@@ -19,14 +19,20 @@
#ifndef _LINUX_IF_H
#define _LINUX_IF_H
+#include <linux/libc-compat.h> /* for compatibility with glibc */
#include <linux/types.h> /* for "__kernel_caddr_t" et al */
#include <linux/socket.h> /* for "struct sockaddr" et al */
#include <linux/compiler.h> /* for "__user" et al */
+#if __UAPI_DEF_IF_IFNAMSIZ
#define IFNAMSIZ 16
+#endif /* __UAPI_DEF_IF_IFNAMSIZ */
#define IFALIASZ 256
#include <linux/hdlc/ioctl.h>
+/* For glibc compatibility. An empty enum does not compile. */
+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO != 0 && \
+ __UAPI_DEF_IF_NET_DEVICE_FLAGS != 0
/**
* enum net_device_flags - &struct net_device flags
*
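
Review bot: the guard added around `enum net_device_flags` uses `&&`, which does not match its own comment. An empty enum only arises when both `__UAPI_DEF_IF_NET_DEVICE_FLAGS` and `__UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO` are 0, so the enum should be kept when either is non-zero (`||`). With `&&`, the glibc-first branch in libc-compat.h (first macro 0, second 1) drops the whole enum while the later `#define IFF_LOWER_UP IFF_LOWER_UP` block is still emitted, leaving IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO referring to undeclared enumerators. The comment on the matching `#endif` needs the same change.
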
@@ -68,6 +74,8 @@
* @IFF_ECHO: echo sent packets. Volatile.
*/
enum net_device_flags {
+/* for compatibility with glibc net/if.h */
+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS
IFF_UP = 1<<0, /* sysfs */
IFF_BROADCAST = 1<<1, /* volatile */
IFF_DEBUG = 1<<2, /* sysfs */
@@ -84,11 +92,17 @@ enum net_device_flags {
IFF_PORTSEL = 1<<13, /* sysfs */
IFF_AUTOMEDIA = 1<<14, /* sysfs */
IFF_DYNAMIC = 1<<15, /* sysfs */
+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS */
+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO
IFF_LOWER_UP = 1<<16, /* volatile */
IFF_DORMANT = 1<<17, /* volatile */
IFF_ECHO = 1<<18, /* volatile */
+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO */
};
+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO != 0 && __UAPI_DEF_IF_NET_DEVICE_FLAGS != 0 */
+/* for compatibility with glibc net/if.h */
+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS
#define IFF_UP IFF_UP
#define IFF_BROADCAST IFF_BROADCAST
#define IFF_DEBUG IFF_DEBUG
@@ -105,9 +119,13 @@ enum net_device_flags {
#define IFF_PORTSEL IFF_PORTSEL
#define IFF_AUTOMEDIA IFF_AUTOMEDIA
#define IFF_DYNAMIC IFF_DYNAMIC
+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS */
+
+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO
#define IFF_LOWER_UP IFF_LOWER_UP
#define IFF_DORMANT IFF_DORMANT
#define IFF_ECHO IFF_ECHO
+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO */
#define IFF_VOLATILE (IFF_LOOPBACK|IFF_POINTOPOINT|IFF_BROADCAST|IFF_ECHO|\
IFF_MASTER|IFF_SLAVE|IFF_RUNNING|IFF_LOWER_UP|IFF_DORMANT)
@@ -166,6 +184,8 @@ enum {
* being very small might be worth keeping for clean configuration.
*/
+/* for compatibility with glibc net/if.h */
+#if __UAPI_DEF_IF_IFMAP
struct ifmap {
unsigned long mem_start;
unsigned long mem_end;
@@ -175,6 +195,7 @@ struct ifmap {
unsigned char port;
/* 3 bytes spare */
};
+#endif /* __UAPI_DEF_IF_IFMAP */
struct if_settings {
unsigned int type; /* Type of physical device or protocol */
@@ -200,6 +221,8 @@ struct if_settings {
* remainder may be interface specific.
*/
+/* for compatibility with glibc net/if.h */
+#if __UAPI_DEF_IF_IFREQ
struct ifreq {
#define IFHWADDRLEN 6
union
@@ -223,6 +246,7 @@ struct ifreq {
struct if_settings ifru_settings;
} ifr_ifru;
};
+#endif /* __UAPI_DEF_IF_IFREQ */
#define ifr_name ifr_ifrn.ifrn_name /* interface name */
#define ifr_hwaddr ifr_ifru.ifru_hwaddr /* MAC address */
@@ -249,6 +273,8 @@ struct ifreq {
* must know all networks accessible).
*/
+/* for compatibility with glibc net/if.h */
+#if __UAPI_DEF_IF_IFCONF
struct ifconf {
int ifc_len; /* size of buffer */
union {
@@ -256,6 +282,8 @@ struct ifconf {
struct ifreq __user *ifcu_req;
} ifc_ifcu;
};
+#endif /* __UAPI_DEF_IF_IFCONF */
+
#define ifc_buf ifc_ifcu.ifcu_buf /* buffer address */
#define ifc_req ifc_ifcu.ifcu_req /* array of structures */
diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
index 7d024ceb075d..d5e38c73377c 100644
--- a/include/uapi/linux/libc-compat.h
+++ b/include/uapi/linux/libc-compat.h
@@ -51,6 +51,40 @@
/* We have included glibc headers... */
#if defined(__GLIBC__)
+/* Coordinate with glibc net/if.h header. */
+#if defined(_NET_IF_H)
+
+/* GLIBC headers included first so don't define anything
+ * that would already be defined. */
+
+#define __UAPI_DEF_IF_IFCONF 0
+#define __UAPI_DEF_IF_IFMAP 0
+#define __UAPI_DEF_IF_IFNAMSIZ 0
+#define __UAPI_DEF_IF_IFREQ 0
+/* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */
+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS 0
+/* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */
+#ifndef __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO
+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1
+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO */
+
+#else /* _NET_IF_H */
+
+/* Linux headers included first, and we must define everything
+ * we need. The expectation is that glibc will check the
+ * __UAPI_DEF_* defines and adjust appropriately. */
+
+#define __UAPI_DEF_IF_IFCONF 1
+#define __UAPI_DEF_IF_IFMAP 1
+#define __UAPI_DEF_IF_IFNAMSIZ 1
+#define __UAPI_DEF_IF_IFREQ 1
+/* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */
+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS 1
+/* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */
+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1
+
+#endif /* _NET_IF_H */
+
/* Coordinate with glibc netinet/in.h header. */
#if defined(_NETINET_IN_H)
@@ -117,6 +151,16 @@
* that we need. */
#else /* !defined(__GLIBC__) */
+/* Definitions for if.h */
+#define __UAPI_DEF_IF_IFCONF 1
+#define __UAPI_DEF_IF_IFMAP 1
+#define __UAPI_DEF_IF_IFNAMSIZ 1
+#define __UAPI_DEF_IF_IFREQ 1
+/* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */
+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS 1
+/* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */
+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1
+
/* Definitions for in.h */
#define __UAPI_DEF_IN_ADDR 1
#define __UAPI_DEF_IN_IPPROTO 1


@ -0,0 +1,35 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 23 May 2016 01:25:47 +0100
Subject: net/sched: Fix ABI change in 4.5.5
Forwarded: not-needed
Restore the function qdisc_tree_decrease_qlen(), removed in 4.5.5.
It can now be a trivial wrapper for its replacement,
qdisc_tree_reduce_backlog().
---
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -398,6 +398,7 @@ void qdisc_reset(struct Qdisc *qdisc);
void qdisc_destroy(struct Qdisc *qdisc);
void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, unsigned int n,
unsigned int len);
+void qdisc_tree_decrease_qlen(struct Qdisc *qdisc, unsigned int n);
struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
const struct Qdisc_ops *ops);
struct Qdisc *qdisc_create_dflt(struct netdev_queue *dev_queue,
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -782,6 +782,12 @@ void qdisc_tree_reduce_backlog(struct Qd
}
EXPORT_SYMBOL(qdisc_tree_reduce_backlog);
+void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
+{
+ qdisc_tree_reduce_backlog(sch, n, 0);
+}
+EXPORT_SYMBOL(qdisc_tree_decrease_qlen);
+
static void notify_and_destroy(struct net *net, struct sk_buff *skb,
struct nlmsghdr *n, u32 clid,
struct Qdisc *old, struct Qdisc *new)
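
Review bot: the restored qdisc_tree_decrease_qlen() passes 0 for the `len` argument of qdisc_tree_reduce_backlog(), so a module built against the old ABI that still calls it will never contribute to whatever accounting the new `len` argument feeds. Say that in a comment above the wrapper and in the patch description, and note that the symbol exists only for ABI compatibility so in-tree code does not start using it. The parameter is also named `qdisc` in the sch_generic.h declaration and `sch` in the definition; pick one.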

debian/patches/series

@ -82,10 +82,8 @@ bugfix/all/disable-some-marvell-phys.patch
bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
bugfix/all/mm-zone_device-depends-on-sparsemem_vmemmap.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch
bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
bugfix/all/revert-stmmac-fix-eth0-no-phy-found-regression.patch
@ -135,16 +133,8 @@ bugfix/all/netfilter-x_tables-check-for-size-overflow.patch
bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch
bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch
bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
bugfix/all/bpf-fix-refcnt-overflow.patch
bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
bugfix/all/net-fix-infoleak-in-llc.patch
bugfix/all/net-fix-infoleak-in-rtnetlink.patch
bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
@ -174,3 +164,4 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
bugfix/all/power-cpupower-fix-manpages-NAME.patch
bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
debian/net-sched-fix-abi-change-in-4.5.5.patch