From 79803bf38a2745c330e16c58613140e03d2c854b Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 29 Oct 2013 15:03:55 +0000 Subject: [PATCH 01/11] [sh4] Reduce compiler version to gcc-4.7, as gcc-4.8 is not yet available svn path=/dists/sid/linux/; revision=20758 --- debian/changelog | 7 +++++++ debian/config/sh4/defines | 1 + 2 files changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 4107f2988..0fc7225eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +linux (3.11.6-2) UNRELEASED; urgency=low + + * [sh4] Reduce compiler version to gcc-4.7, as gcc-4.8 is not yet + available + + -- Ben Hutchings Tue, 29 Oct 2013 14:36:09 +0000 + linux (3.11.6-1) unstable; urgency=low * New upstream stable update: diff --git a/debian/config/sh4/defines b/debian/config/sh4/defines index 7dd028a53..1661800dd 100644 --- a/debian/config/sh4/defines +++ b/debian/config/sh4/defines @@ -3,6 +3,7 @@ flavours: sh7751r sh7785lcr kernel-arch: sh +compiler: gcc-4.7 [image] suggests: fdutils From 565dc3ec815817d46cc47af6e7591f7458e2047e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 30 Oct 2013 02:05:09 +0000 Subject: [PATCH 02/11] [ia64] Reduce compiler version to gcc-4.6, matching gcc-defaults (fixes FTBFS) svn path=/dists/sid/linux/; revision=20759 --- debian/changelog | 2 ++ debian/config/ia64/defines | 1 + 2 files changed, 3 insertions(+) diff --git a/debian/changelog b/debian/changelog index 0fc7225eb..a7c3fa296 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ linux (3.11.6-2) UNRELEASED; urgency=low * [sh4] Reduce compiler version to gcc-4.7, as gcc-4.8 is not yet available + * [ia64] Reduce compiler version to gcc-4.6, matching gcc-defaults + (fixes FTBFS) -- Ben Hutchings Tue, 29 Oct 2013 14:36:09 +0000 diff --git a/debian/config/ia64/defines b/debian/config/ia64/defines index d699fa398..34b4ae73f 100644 --- a/debian/config/ia64/defines +++ b/debian/config/ia64/defines 
@@ -3,6 +3,7 @@ flavours: itanium mckinley kernel-arch: ia64 +compiler: gcc-4.6 [image] bootloaders: elilo From 2b65b3949c0cac9eab7bd506fbcb7dc56a5a5519 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Wed, 30 Oct 2013 15:30:07 +0000 Subject: [PATCH 03/11] UAPI: include in linux/raid/md_p.h. svn path=/dists/sid/linux/; revision=20760 --- debian/changelog | 4 +++ ...asm-byteorder.h-in-linux-raid-md_p.h.patch | 30 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 35 insertions(+) create mode 100644 debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch diff --git a/debian/changelog b/debian/changelog index a7c3fa296..7e4ddca6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,14 @@ linux (3.11.6-2) UNRELEASED; urgency=low + [ Ben Hutchings ] * [sh4] Reduce compiler version to gcc-4.7, as gcc-4.8 is not yet available * [ia64] Reduce compiler version to gcc-4.6, matching gcc-defaults (fixes FTBFS) + [ Aurelien Jarno ] + * UAPI: include in linux/raid/md_p.h. + -- Ben Hutchings Tue, 29 Oct 2013 14:36:09 +0000 linux (3.11.6-1) unstable; urgency=low diff --git a/debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch b/debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch new file mode 100644 index 000000000..6bdc3737e --- /dev/null +++ b/debian/patches/bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch 
@@ -0,0 +1,30 @@ +From: Aurelien Jarno +Date: Tue, 29 Oct 2013 11:55:17 +0100 +Subject: [PATCH] UAPI: include in linux/raid/md_p.h +Forwarded: http://comments.gmane.org/gmane.linux.kernel/1586604 + +linux/raid/md_p.h is using conditionals depending on endianess and fails +with an error if neither of __BIG_ENDIAN, __LITTLE_ENDIAN or +__BYTE_ORDER are defined, but it doesn't include any header which can +define these constants. This make this header unusable alone. + +This patch adds a #include at the beginning of this +header to make it usable alone. This is needed to compile klibc on MIPS. + +Signed-off-by: Aurelien Jarno +--- + include/uapi/linux/raid/md_p.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/uapi/linux/raid/md_p.h b/include/uapi/linux/raid/md_p.h +index fe1a540..f7cf7f3 100644 +--- a/include/uapi/linux/raid/md_p.h ++++ b/include/uapi/linux/raid/md_p.h +@@ -16,6 +16,7 @@ + #define _MD_P_H + + #include ++#include + + /* + * RAID superblock. diff --git a/debian/patches/series b/debian/patches/series index 64c49e236..66a28c93c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -79,3 +79,4 @@ bugfix/m68k/atari-irqs.patch bugfix/all/crypto-ansi_cprng-Fix-off-by-one-error-in-non-block-.patch features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch +bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch From 2e899941851d8afe5673271de3f1ddc466106dbd Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Thu, 31 Oct 2013 03:58:28 +0000 Subject: [PATCH 04/11] Fix support for per-architecture ABI name In gencontrol.py 'abiname' now includes the upstream version whereas the part after that is 'abiname_part'. Update the per-architecture ABI name handling accordingly. Also use the per-architecture ABI name in udeb package names and when generating the maintainer scripts. svn path=/dists/sid/linux/; revision=20762 --- debian/bin/gencontrol.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 42690008f..8444c8230 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -128,10 +128,12 @@ class Gencontrol(Base): if self.version.linux_modifier is None: try: - vars['abiname'] = '-%s' % self.config['abi', arch]['abiname'] + abiname_part = '-%s' % self.config['abi', arch]['abiname'] except KeyError: - vars['abiname'] = self.abiname - makeflags['ABINAME'] = vars['abiname'] + abiname_part = self.abiname_part + makeflags['ABINAME'] = vars['abiname'] = \ + self.version.linux_upstream + abiname_part + makeflags['ABINAME_PART'] = abiname_part if foreign_kernel: packages_headers_arch = [] @@ -175,8 +177,7 @@ class Gencontrol(Base): kw_env['KW_DEFCONFIG_DIR'] = installer_def_dir kw_env['KW_CONFIG_DIR'] = installer_arch_dir kw_proc = subprocess.Popen( - ['kernel-wedge', 'gen-control', - self.abiname], + ['kernel-wedge', 'gen-control', vars['abiname']], stdout=subprocess.PIPE, env=kw_env) udeb_packages = read_control(kw_proc.stdout) 
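Review bot: The chained assignment `makeflags['ABINAME'] = vars['abiname'] = \ self.version.linux_upstream + abiname_part` in the first hunk changes what `vars['abiname']` means (it now carries the upstream version, as the commit message explains), but nothing at the assignment site records that, so a later reader may reintroduce the bare per-arch part. A comment such as `# 'abiname' is upstream version + per-arch part; templates and kernel-wedge expect the full form` next to the assignment would make the contract local. The `try`/`except KeyError` treats a missing `[abi]` section and a section without `abiname` identically, which is presumably intended. The enclosing method begins and continues outside the hunk.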
@@ -409,11 +410,11 @@ class Gencontrol(Base): if config_entry_image['type'] == 'plain': substitute_file('headers.plain.postinst', 'debian/linux-headers-%s%s.postinst' % - (self.abiname, vars['localversion'])) + (vars['abiname'], vars['localversion'])) for name in ['postinst', 'postrm', 'preinst', 'prerm', 'templates']: substitute_file('image.plain.%s' % name, 'debian/linux-image-%s%s.%s' % - (self.abiname, vars['localversion'], name)) + (vars['abiname'], vars['localversion'], name)) for path in glob.glob('debian/templates/po/*.po'): substitute_file('po/' + os.path.basename(path), 'debian/po/' + os.path.basename(path), @@ -421,7 +422,7 @@ class Gencontrol(Base): if build_debug: substitute_file('image-dbg.lintian-override', 'debian/linux-image-%s%s-dbg.lintian-overrides' % - (self.abiname, vars['localversion'])) + (vars['abiname'], vars['localversion'])) def merge_packages(self, packages, new, arch): for new_package in new: From b7cc18725e3566a3f7706d0e17cad6415ee6c324 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 31 Oct 2013 03:59:10 +0000 Subject: [PATCH 05/11] [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI svn path=/dists/sid/linux/; revision=20763 --- debian/changelog | 1 + debian/config/armhf/defines | 3 +++ 2 files changed, 4 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7e4ddca6a..fb7985f9d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ linux (3.11.6-2) UNRELEASED; urgency=low available * [ia64] Reduce compiler version to gcc-4.6, matching gcc-defaults (fixes FTBFS) + * [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI [ Aurelien Jarno ] * UAPI: include in linux/raid/md_p.h. diff --git a/debian/config/armhf/defines b/debian/config/armhf/defines index 989613f0c..35f561883 100644 --- a/debian/config/armhf/defines +++ b/debian/config/armhf/defines @@ -1,3 +1,6 @@ +[abi] +abiname: 1a + [base] flavours: armmp 
From 3a3112b981ea7a17282387f49235a3b761f85108 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 1 Nov 2013 01:34:05 +0000 Subject: [PATCH 06/11] net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) svn path=/dists/sid/linux/; revision=20764 --- debian/patches/bugfix/all/CVE-2013-4348.patch | 82 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 83 insertions(+) create mode 100644 debian/patches/bugfix/all/CVE-2013-4348.patch diff --git a/debian/patches/bugfix/all/CVE-2013-4348.patch b/debian/patches/bugfix/all/CVE-2013-4348.patch new file mode 100644 index 000000000..4a0dbd2f1 --- /dev/null +++ b/debian/patches/bugfix/all/CVE-2013-4348.patch 
@@ -0,0 +1,82 @@ +From: Ben Hutchings +Date: Thu, 31 Oct 2013 02:24:12 +0000 +Subject: net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) + +Jason Wang writes: +(via linux-distros@vs.openwall.org etc.) +> There's a deadloop path in skb_flow_dissect(): +> +> bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow) +> { +> .. +> +> ip: +> iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); +> if (!iph) +> return false; +> +> if (ip_is_fragment(iph)) +> ip_proto = 0; +> else +> ip_proto = iph->protocol; +> iph_to_flow_copy_addrs(flow, iph); +> nhoff += iph->ihl * 4; +> break; +> .. +> +> Here the code does not check whether iph->ihl is zero which may cause +> deadloop if a malicous IPIP packet whose ihl is zero. See the above +> codes for IPIP. Since the pointer was not move ahead. +> +> .. +> case IPPROTO_IPIP: +> proto = htons(ETH_P_IP); +> goto ip; +> .. +> } +> +> skb_flow_dissect() were used by several places: +> - packet scheduler that want classify flows +> - skb_get_rxhash() that will be used by RPS, vxlan, multiqueue +> tap,macvtap packet fanout +> - skb_probe_transport_header() which was used for probing transport +> header for DODGY packets +> - __skb_get_poff() which will be used by socket filter +> +> So this could be used to DOS both local and remote machine. +> +> I was able to +> +> - DOS the local host machine +> - DOS the local host machine by run the reproducer in guest +> - DOS one guest with RPS enabled by running the reproducer in another +> guest in the same host. +> +> I believe it could be also used to DOS a remote machine, but I didn't try. +> +> The issue were introduced by commit +> 0744dd00c1b1be99a25b62b1b48df440e82e57e0 (net: introduce +> skb_flow_dissect()). +> +> The fix looks easy, just fail when iph->ihl is zero. + +Accepting any positive value means we can still be made to loop nearly +skb->len / 4 times in some cases. 
But all values < 5 are invalid, so +let's reject them and reduce that to skb->len / 20. + +We should probably set a constant limit on the loop count as well, but +I'm not sure what the limit should be. + +Signed-off-by: Ben Hutchings +--- +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -40,7 +40,7 @@ again: + struct iphdr _iph; + ip: + iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); +- if (!iph) ++ if (!iph || iph->ihl < 5) + return false; + + if (ip_is_fragment(iph)) diff --git a/debian/patches/series b/debian/patches/series index 66a28c93c..b4191ec33 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -80,3 +80,4 @@ bugfix/all/crypto-ansi_cprng-Fix-off-by-one-error-in-non-block-.patch features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch +bugfix/all/CVE-2013-4348.patch From a78dcf3d317668f22627118282f800e7a16e3f01 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 1 Nov 2013 01:35:14 +0000 Subject: [PATCH 07/11] net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) svn path=/dists/sid/linux/; revision=20765 --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index fb7985f9d..ca78cba39 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ linux (3.11.6-2) UNRELEASED; urgency=low * [ia64] Reduce compiler version to gcc-4.6, matching gcc-defaults (fixes FTBFS) * [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI + * net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) [ Aurelien Jarno ] * UAPI: include in linux/raid/md_p.h. From e3b8a9343f873b4599d79e1df81a4712ad83a410 Mon Sep 17 00:00:00 2001 
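Review bot: The added `iph->ihl < 5` test guarantees forward progress of at least 20 bytes per `goto ip`, but as the description itself concedes it does not bound the number of re-entries of the `ip:` label, so the iteration count is still proportional to packet length for nested encapsulation. A fixed cap on passes through `ip:` (or a check that `nhoff` has advanced beyond the previous header) would make the bound explicit rather than data-dependent, and the changelog entry could say that only the ihl==0 infinite loop is closed. The `again:`/`ip:` loop and the IPIP case that jumps back to it are outside the hunk.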
From: Ben Hutchings Date: Fri, 1 Nov 2013 03:44:52 +0000 Subject: [PATCH 08/11] Cherry-pick various urgent fixes from 3.11 stable queue svn path=/dists/sid/linux/; revision=20767 --- debian/changelog | 16 ++ ...-v1-and-v2-versions-of-tx_create-cmd.patch | 40 ++++ ...te-mdb-expiration-timer-upon-reports.patch | 63 ++++++ .../all/dm-snapshot-fix-data-corruption.patch | 88 ++++++++ .../all/ext-fix-double-put-in-tmpfile.patch | 66 ++++++ .../all/i2c-ismt-initialize-dma-buffer.patch | 34 +++ ...ory-corruption-with-udp_cork-and-ufo.patch | 76 +++++++ ...hen-using-ipv4-mapped-ipv6-addresses.patch | 141 ++++++++++++ .../mm-fix-bug-in-__split_huge_page_pmd.patch | 57 +++++ ...ot-call-sock_put-on-timewait-sockets.patch | 44 ++++ ...ipso-packet-validation-when-netlabel.patch | 54 +++++ ...et-heap-overflow-in-__audit_sockaddr.patch | 86 ++++++++ .../all/proc-connector-fix-info-leaks.patch | 167 ++++++++++++++ ...the-mdb-entry-when-query-is-received.patch | 207 ++++++++++++++++++ .../bugfix/all/unix_diag-fix-info-leak.patch | 30 +++ ...writeback-fix-negative-bdi-max-pause.patch | 93 ++++++++ debian/patches/series | 16 ++ 17 files changed, 1278 insertions(+) create mode 100644 debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch create mode 100644 debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch create mode 100644 debian/patches/bugfix/all/dm-snapshot-fix-data-corruption.patch create mode 100644 debian/patches/bugfix/all/ext-fix-double-put-in-tmpfile.patch create mode 100644 debian/patches/bugfix/all/i2c-ismt-initialize-dma-buffer.patch create mode 100644 debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch create mode 100644 debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch create mode 100644 debian/patches/bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch create mode 100644 
debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch create mode 100644 debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch create mode 100644 debian/patches/bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch create mode 100644 debian/patches/bugfix/all/proc-connector-fix-info-leaks.patch create mode 100644 debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch create mode 100644 debian/patches/bugfix/all/unix_diag-fix-info-leak.patch create mode 100644 debian/patches/bugfix/all/writeback-fix-negative-bdi-max-pause.patch diff --git a/debian/changelog b/debian/changelog index ca78cba39..b80ea01ab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,22 @@ linux (3.11.6-2) UNRELEASED; urgency=low (fixes FTBFS) * [armhf] Bump ABI to 1a, as enabling Xen and KVM support changes ABI * net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) + * net: do not call sock_put() on TIMEWAIT sockets + * l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses + * net: heap overflow in __audit_sockaddr() + * proc connector: fix info leaks + * bridge: update mdb expiration timer upon reports. + * Revert "bridge: only expire the mdb entry when query is received" + * unix_diag: fix info leak + * be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd + * net: fix cipso packet validation when !NETLABEL + * inet: fix possible memory corruption with UDP_CORK and UFO + * [arm] 7851/1: check for number of arguments in syscall_get/set_arguments() + * ext[34]: fix double put in tmpfile + * dm snapshot: fix data corruption (CVE-2013-4299) + * i2c: ismt: initialize DMA buffer + * mm: fix BUG in __split_huge_page_pmd + * writeback: fix negative bdi max pause [ Aurelien Jarno ] * UAPI: include in linux/raid/md_p.h. 
diff --git a/debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch b/debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch new file mode 100644 index 000000000..4a3474bcf --- /dev/null +++ b/debian/patches/bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch @@ -0,0 +1,40 @@ +From b16dd2cff7a4eb3881f43371d71ed242332877dc Mon Sep 17 00:00:00 2001 +From: Vasundhara Volam +Date: Thu, 17 Oct 2013 11:47:14 +0530 +Subject: be2net: pass if_id for v1 and V2 versions of TX_CREATE cmd + +From: Vasundhara Volam + +[ Upstream commit 0fb88d61bc60779dde88b0fc268da17eb81d0412 ] + +It is a required field for all TX_CREATE cmd versions > 0. +This fixes a driver initialization failure, caused by recent SH-R Firmwares +(versions > 10.0.639.0) failing the TX_CREATE cmd when if_id field is +not passed. + +Signed-off-by: Sathya Perla +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -1150,7 +1150,6 @@ int be_cmd_txq_create(struct be_adapter + + if (lancer_chip(adapter)) { + req->hdr.version = 1; +- req->if_id = cpu_to_le16(adapter->if_handle); + } else if (BEx_chip(adapter)) { + if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC) + req->hdr.version = 2; +@@ -1158,6 +1157,8 @@ int be_cmd_txq_create(struct be_adapter + req->hdr.version = 2; + } + ++ if (req->hdr.version > 0) ++ req->if_id = cpu_to_le16(adapter->if_handle); + req->num_pages = PAGES_4K_SPANNED(q_mem->va, q_mem->size); + req->ulp_num = BE_ULP1_NUM; + req->type = BE_ETH_TX_RING_TYPE_STANDARD; 
diff --git a/debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch b/debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch new file mode 100644 index 000000000..7af0bca18 --- /dev/null +++ b/debian/patches/bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch 
@@ -0,0 +1,63 @@ +From 74869292aeb07213144e34b0e21e23f7e3c9f61f Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 10 Oct 2013 15:57:59 -0400 +Subject: bridge: update mdb expiration timer upon reports. + +From: Vlad Yasevich + +[ Upstream commit f144febd93d5ee534fdf23505ab091b2b9088edc ] + +commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b + bridge: only expire the mdb entry when query is received +changed the mdb expiration timer to be armed only when QUERY is +received. Howerver, this causes issues in an environment where +the multicast server socket comes and goes very fast while a client +is trying to send traffic to it. + +The root cause is a race where a sequence of LEAVE followed by REPORT +messages can race against QUERY messages generated in response to LEAVE. +The QUERY ends up starting the expiration timer, and that timer can +potentially expire after the new REPORT message has been received signaling +the new join operation. This leads to a significant drop in multicast +traffic and possible complete stall. + +The solution is to have REPORT messages update the expiration timer +on entries that already exist. + +Signed-off-by: Vlad Yasevich +CC: Cong Wang +CC: Herbert Xu +CC: Stephen Hemminger +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -610,6 +610,9 @@ rehash: + break; + + default: ++ /* If we have an existing entry, update it's expire timer */ ++ mod_timer(&mp->timer, ++ jiffies + br->multicast_membership_interval); + goto out; + } + +@@ -679,8 +682,12 @@ static int br_multicast_add_group(struct + for (pp = &mp->ports; + (p = mlock_dereference(*pp, br)) != NULL; + pp = &p->next) { +- if (p->port == port) ++ if (p->port == port) { ++ /* We already have a portgroup, update the timer. 
*/ ++ mod_timer(&p->timer, ++ jiffies + br->multicast_membership_interval); + goto out; ++ } + if ((unsigned long)p->port < (unsigned long)port) + break; + } diff --git a/debian/patches/bugfix/all/dm-snapshot-fix-data-corruption.patch b/debian/patches/bugfix/all/dm-snapshot-fix-data-corruption.patch new file mode 100644 index 000000000..113824cba --- /dev/null +++ b/debian/patches/bugfix/all/dm-snapshot-fix-data-corruption.patch 
@@ -0,0 +1,88 @@ +From e9c6a182649f4259db704ae15a91ac820e63b0ca Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 16 Oct 2013 03:17:47 +0100 +Subject: dm snapshot: fix data corruption + +From: Mikulas Patocka + +commit e9c6a182649f4259db704ae15a91ac820e63b0ca upstream. + +This patch fixes a particular type of data corruption that has been +encountered when loading a snapshot's metadata from disk. + +When we allocate a new chunk in persistent_prepare, we increment +ps->next_free and we make sure that it doesn't point to a metadata area +by further incrementing it if necessary. + +When we load metadata from disk on device activation, ps->next_free is +positioned after the last used data chunk. However, if this last used +data chunk is followed by a metadata area, ps->next_free is positioned +erroneously to the metadata area. A newly-allocated chunk is placed at +the same location as the metadata area, resulting in data or metadata +corruption. + +This patch changes the code so that ps->next_free skips the metadata +area when metadata are loaded in function read_exceptions. + +The patch also moves a piece of code from persistent_prepare_exception +to a separate function skip_metadata to avoid code duplication. + +CVE-2013-4299 + +Signed-off-by: Mikulas Patocka +Cc: Mike Snitzer +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-snap-persistent.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -269,6 +269,14 @@ static chunk_t area_location(struct psto + return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area); + } + ++static void skip_metadata(struct pstore *ps) ++{ ++ uint32_t stride = ps->exceptions_per_area + 1; ++ chunk_t next_free = ps->next_free; ++ if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS) ++ ps->next_free++; ++} ++ + /* + * Read or write a metadata area. 
Remembering to skip the first + * chunk which holds the header. +@@ -502,6 +510,8 @@ static int read_exceptions(struct pstore + + ps->current_area--; + ++ skip_metadata(ps); ++ + return 0; + } + +@@ -616,8 +626,6 @@ static int persistent_prepare_exception( + struct dm_exception *e) + { + struct pstore *ps = get_info(store); +- uint32_t stride; +- chunk_t next_free; + sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev); + + /* Is there enough room ? */ +@@ -630,10 +638,8 @@ static int persistent_prepare_exception( + * Move onto the next free pending, making sure to take + * into account the location of the metadata chunks. + */ +- stride = (ps->exceptions_per_area + 1); +- next_free = ++ps->next_free; +- if (sector_div(next_free, stride) == 1) +- ps->next_free++; ++ ps->next_free++; ++ skip_metadata(ps); + + atomic_inc(&ps->pending_count); + return 0; diff --git a/debian/patches/bugfix/all/ext-fix-double-put-in-tmpfile.patch b/debian/patches/bugfix/all/ext-fix-double-put-in-tmpfile.patch new file mode 100644 index 000000000..f0e6bd460 --- /dev/null +++ b/debian/patches/bugfix/all/ext-fix-double-put-in-tmpfile.patch 
@@ -0,0 +1,66 @@ +From 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 10 Oct 2013 16:48:19 +0200 +Subject: ext[34]: fix double put in tmpfile + +From: Miklos Szeredi + +commit 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 upstream. + +d_tmpfile() already swallowed the inode ref. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/namei.c | 5 ++--- + fs/ext4/namei.c | 5 ++--- + 2 files changed, 4 insertions(+), 6 deletions(-) + +--- a/fs/ext3/namei.c ++++ b/fs/ext3/namei.c +@@ -1783,7 +1783,7 @@ retry: + d_tmpfile(dentry, inode); + err = ext3_orphan_add(handle, inode); + if (err) +- goto err_drop_inode; ++ goto err_unlock_inode; + mark_inode_dirty(inode); + unlock_new_inode(inode); + } +@@ -1791,10 +1791,9 @@ retry: + if (err == -ENOSPC && ext3_should_retry_alloc(dir->i_sb, &retries)) + goto retry; + return err; +-err_drop_inode: ++err_unlock_inode: + ext3_journal_stop(handle); + unlock_new_inode(inode); +- iput(inode); + return err; + } + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2319,7 +2319,7 @@ retry: + d_tmpfile(dentry, inode); + err = ext4_orphan_add(handle, inode); + if (err) +- goto err_drop_inode; ++ goto err_unlock_inode; + mark_inode_dirty(inode); + unlock_new_inode(inode); + } +@@ -2328,10 +2328,9 @@ retry: + if (err == -ENOSPC && ext4_should_retry_alloc(dir->i_sb, &retries)) + goto retry; + return err; +-err_drop_inode: ++err_unlock_inode: + ext4_journal_stop(handle); + unlock_new_inode(inode); +- iput(inode); + return err; + } + diff --git a/debian/patches/bugfix/all/i2c-ismt-initialize-dma-buffer.patch b/debian/patches/bugfix/all/i2c-ismt-initialize-dma-buffer.patch new file mode 100644 index 000000000..7b9b921a7 --- /dev/null +++ b/debian/patches/bugfix/all/i2c-ismt-initialize-dma-buffer.patch 
@@ -0,0 +1,34 @@ +From bf4169100c909667ede6af67668b3ecce6928343 Mon Sep 17 00:00:00 2001 +From: James Ralston +Date: Tue, 24 Sep 2013 16:47:55 -0700 +Subject: i2c: ismt: initialize DMA buffer + +From: James Ralston + +commit bf4169100c909667ede6af67668b3ecce6928343 upstream. + +This patch adds code to initialize the DMA buffer to compensate for +possible hardware data corruption. + +Signed-off-by: James Ralston +[wsa: changed to use 'sizeof'] +Signed-off-by: Wolfram Sang +Cc: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-ismt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -393,6 +393,9 @@ static int ismt_access(struct i2c_adapte + + desc = &priv->hw[priv->head]; + ++ /* Initialize the DMA buffer */ ++ memset(priv->dma_buffer, 0, sizeof(priv->dma_buffer)); ++ + /* Initialize the descriptor */ + memset(desc, 0, sizeof(struct ismt_desc)); + desc->tgtaddr_rw = ISMT_DESC_ADDR_RW(addr, read_write); diff --git a/debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch b/debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch new file mode 100644 index 000000000..01a266abb --- /dev/null +++ b/debian/patches/bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch 
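Review bot: `memset(priv->dma_buffer, 0, sizeof(priv->dma_buffer));` is only correct if `dma_buffer` is an array member embedded in `priv`; if it were a pointer, `sizeof` would clear just pointer-size bytes and the hardware-corruption workaround would be ineffective. The bracketed note `[wsa: changed to use 'sizeof']` suggests it is an array, but the struct definition is not in this patch, so that should be confirmed against the driver header when backporting. The body of `ismt_access` continues outside the hunk.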
@@ -0,0 +1,76 @@ +From 27e33640a8905b1aeefe9998242551caf24e84a6 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 22 Oct 2013 00:07:47 +0200 +Subject: inet: fix possible memory corruption with UDP_CORK and UFO + +From: Hannes Frederic Sowa + +[ This is a simplified -stable version of a set of upstream commits. ] + +This is a replacement patch only for stable which does fix the problems +handled by the following two commits in -net: + +"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) +"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) + +Three frames are written on a corked udp socket for which the output +netdevice has UFO enabled. If the first and third frame are smaller than +the mtu and the second one is bigger, we enqueue the second frame with +skb_append_datato_frags without initializing the gso fields. This leads +to the third frame appended regulary and thus constructing an invalid skb. + +This fixes the problem by always using skb_append_datato_frags as soon +as the first frag got enqueued to the skb without marking the packet +as SKB_GSO_UDP. + +The problem with only two frames for ipv6 was fixed by "ipv6: udp +packets following an UFO enqueued packet need also be handled by UFO" +(2811ebac2521ceac84f2bdae402455baa6a7fb47). 
+ +Cc: Jiri Pirko +Cc: Eric Dumazet +Cc: David Miller +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 5 +++++ + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const stru + return len + skb_headlen(skb); + } + ++static inline bool skb_has_frags(const struct sk_buff *skb) ++{ ++ return skb_shinfo(skb)->nr_frags; ++} ++ + /** + * __skb_fill_page_desc - initialise a paged fragment in an skb + * @skb: buffer containing fragment to be initialised +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if (((length > mtu) || (skb && skb_is_gso(skb))) && ++ if (((length > mtu) || (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int + skb = skb_peek_tail(&sk->sk_write_queue); + cork->length += length; + if (((length > mtu) || +- (skb && skb_is_gso(skb))) && ++ (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO)) { + err = ip6_ufo_append_data(sk, getfrag, from, length, diff --git a/debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch b/debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch new file mode 100644 index 000000000..57ee43bbc --- /dev/null +++ b/debian/patches/bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch 
@@ -0,0 +1,141 @@
+From 8be4005ed947924104df5850944a20b7f6570137 Mon Sep 17 00:00:00 2001
+From: François CACHEREUL
+Date: Wed, 2 Oct 2013 10:16:02 +0200
+Subject: l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+
+From: François CACHEREUL
+
+[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ]
+
+IPv4 mapped addresses cause kernel panic.
+The patch juste check whether the IPv6 address is an IPv4 mapped
+address. If so, use IPv4 API instead of IPv6.
+
+[ 940.026915] general protection fault: 0000 [#1]
+[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
+[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
+[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+[ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
+[ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326
+[ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
+[ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
+[ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
+[ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
+[ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
+[ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
+[ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
+[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
+[ 940.026915] Stack:
+[ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
+[ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
+[ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
+[ 940.026915] Call Trace:
+[ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4
+[ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
+[ 940.026915] [] ? pskb_expand_head+0x161/0x214
+[ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
+[ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic]
+[ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic]
+[ 940.026915] [] ? vfs_write+0xa2/0x106
+[ 940.026915] [] ? SyS_write+0x56/0x8a
+[ 940.026915] [] ? system_call_fastpath+0x16/0x1b
+[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
+8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
+00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
+[ 940.026915] RIP [] ip6_xmit+0x276/0x326
+[ 940.026915] RSP
+[ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
+[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
+
+Signed-off-by: François CACHEREUL
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
+ net/l2tp/l2tp_core.h | 3 +++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -496,6 +496,7 @@ out:
+ static inline int l2tp_verify_udp_checksum(struct sock *sk,
+ struct sk_buff *skb)
+ {
++ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
+ struct udphdr *uh = udp_hdr(skb);
+ u16 ulen = ntohs(uh->len);
+ __wsum psum;
+@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checks
+ return 0;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6) {
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
+ if (!uh->check) {
+ LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
+ return 1;
+@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_se
+ /* Queue the packet to IP for output */
+ skb->local_df = 1;
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (skb->sk->sk_family == PF_INET6)
++ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ error = inet6_csk_xmit(skb, NULL);
+ else
+ #endif
+@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
+
+ /* Calculate UDP checksum if configured to do so */
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6)
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ l2tp_xmit_ipv6_csum(sk, skb, udp_len);
+ else
+ #endif
+@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net,
+ if (cfg != NULL)
+ tunnel->debug = cfg->debug;
+
++#if IS_ENABLED(CONFIG_IPV6)
++ if (sk->sk_family == PF_INET6) {
++ struct ipv6_pinfo *np = inet6_sk(sk);
++
++ if (ipv6_addr_v4mapped(&np->saddr) &&
++ ipv6_addr_v4mapped(&np->daddr)) {
++ struct inet_sock *inet = inet_sk(sk);
++
++ tunnel->v4mapped = true;
++ inet->inet_saddr = np->saddr.s6_addr32[3];
++ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
++ inet->inet_daddr = np->daddr.s6_addr32[3];
++ } else {
++ tunnel->v4mapped = false;
++ }
++ }
++#endif
++
+ /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
+ tunnel->encap = encap;
+ if (encap == L2TP_ENCAPTYPE_UDP) {
+@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net,
+ udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
+ udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == PF_INET6)
++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ udpv6_encap_enable();
+ else
+ #endif
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -194,6 +194,9 @@ struct l2tp_tunnel {
+ struct sock *sock; /* Parent socket */
+ int fd; /* Parent fd, if tunnel socket
+ * was created by userspace */
++#if IS_ENABLED(CONFIG_IPV6)
++ bool v4mapped;
++#endif
+
+ struct work_struct del_work;
+
diff --git a/debian/patches/bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch b/debian/patches/bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch
new file mode 100644
index 000000000..fed246946
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch
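Review bot: The new `v4mapped` field in net/l2tp/l2tp_core.h is assigned only inside the `PF_INET6` branch of l2tp_tunnel_create(), so for a PF_INET tunnel socket it holds whatever the allocation left there; that is harmless only because every read added here is guarded by `sk_family == PF_INET6 &&`, and nothing documents that invariant. A comment on the field would make it explicit: `bool v4mapped; /* IPv6 socket bound to IPv4-mapped addresses; only meaningful when sock is PF_INET6 */`. Separately, l2tp_verify_udp_checksum() now dereferences `tunnel`, obtained from `sk->sk_user_data` by a plain cast, without a NULL check; whether every caller guarantees a tunnel is attached to the socket cannot be seen from this hunk and is worth confirming. l2tp_tunnel_create() and the other touched functions continue outside the hunk.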
@@ -0,0 +1,57 @@
+From 750e8165f5e87b6a142be953640eabb13a9d350a Mon Sep 17 00:00:00 2001
+From: Hugh Dickins
+Date: Wed, 16 Oct 2013 13:47:08 -0700
+Subject: mm: fix BUG in __split_huge_page_pmd
+
+From: Hugh Dickins
+
+commit 750e8165f5e87b6a142be953640eabb13a9d350a upstream.
+
+Occasionally we hit the BUG_ON(pmd_trans_huge(*pmd)) at the end of
+__split_huge_page_pmd(): seen when doing madvise(,,MADV_DONTNEED).
+
+It's invalid: we don't always have down_write of mmap_sem there: a racing
+do_huge_pmd_wp_page() might have copied-on-write to another huge page
+before our split_huge_page() got the anon_vma lock.
+
+Forget the BUG_ON, just go back and try again if this happens.
+
+Signed-off-by: Hugh Dickins
+Acked-by: Kirill A. Shutemov
+Cc: Andrea Arcangeli
+Cc: Naoya Horiguchi
+Cc: David Rientjes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/huge_memory.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2709,6 +2709,7 @@ void __split_huge_page_pmd(struct vm_are
+
+ mmun_start = haddr;
+ mmun_end = haddr + HPAGE_PMD_SIZE;
++again:
+ mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
+ spin_lock(&mm->page_table_lock);
+ if (unlikely(!pmd_trans_huge(*pmd))) {
+@@ -2731,7 +2732,14 @@ void __split_huge_page_pmd(struct vm_are
+ split_huge_page(page);
+
+ put_page(page);
+- BUG_ON(pmd_trans_huge(*pmd));
++
++ /*
++ * We don't always have down_write of mmap_sem here: a racing
++ * do_huge_pmd_wp_page() might have copied-on-write to another
++ * huge page before our split_huge_page() got the anon_vma lock.
++ */
++ if (unlikely(pmd_trans_huge(*pmd)))
++ goto again;
+ }
+
+ void split_huge_page_pmd_mm(struct mm_struct *mm, unsigned long address,
diff --git a/debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch b/debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
new file mode 100644
index 000000000..1f323288b
--- /dev/null
+++ b/debian/patches/bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
@@ -0,0 +1,44 @@
+From 05c9fdfad860abd64136d8ccd88dbf84e40bd5f5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 1 Oct 2013 21:04:11 -0700
+Subject: net: do not call sock_put() on TIMEWAIT sockets
+
+From: Eric Dumazet
+
+[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ]
+
+commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
+hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
+
+We should instead use inet_twsk_put()
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_hashtables.c | 2 +-
+ net/ipv6/inet6_hashtables.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -287,7 +287,7 @@ begintw:
+ if (unlikely(!INET_TW_MATCH(sk, net, acookie,
+ saddr, daddr, ports,
+ dif))) {
+- sock_put(sk);
++ inet_twsk_put(inet_twsk(sk));
+ goto begintw;
+ }
+ goto out;
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -116,7 +116,7 @@ begintw:
+ }
+ if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr,
+ ports, dif))) {
+- sock_put(sk);
++ inet_twsk_put(inet_twsk(sk));
+ goto begintw;
+ }
+ goto out;
diff --git a/debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch b/debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
new file mode 100644
index 000000000..f7d93dba6
--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
@@ -0,0 +1,54 @@
+From 7b48750febb4c3387db39fd0b547936c53ba7364 Mon Sep 17 00:00:00 2001
+From: Seif Mazareeb
+Date: Thu, 17 Oct 2013 20:33:21 -0700
+Subject: net: fix cipso packet validation when !NETLABEL
+
+From: Seif Mazareeb
+
+[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ]
+
+When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop
+forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel
+crash in an SMP system, since the CPU executing this function will
+stall /not respond to IPIs.
+
+This problem can be reproduced by running the IP Stack Integrity Checker
+(http://isic.sourceforge.net) using the following command on a Linux machine
+connected to DUT:
+
+"icmpsic -s rand -d -r 123456"
+wait (1-2 min)
+
+Signed-off-by: Seif Mazareeb
+Acked-by: Paul Moore
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/cipso_ipv4.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/net/cipso_ipv4.h
++++ b/include/net/cipso_ipv4.h
+@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(cons
+ unsigned char err_offset = 0;
+ u8 opt_len = opt[1];
+ u8 opt_iter;
++ u8 tag_len;
+
+ if (opt_len < 8) {
+ err_offset = 1;
+@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(cons
+ }
+
+ for (opt_iter = 6; opt_iter < opt_len;) {
+- if (opt[opt_iter + 1] > (opt_len - opt_iter)) {
++ tag_len = opt[opt_iter + 1];
++ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) {
+ err_offset = opt_iter + 1;
+ goto out;
+ }
+- opt_iter += opt[opt_iter + 1];
++ opt_iter += tag_len;
+ }
+
+ out:
diff --git a/debian/patches/bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch b/debian/patches/bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
new file mode 100644
index 000000000..8b6236820
--- /dev/null
+++ b/debian/patches/bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
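Review bot: The new condition in cipso_v4_validate() re-reads `opt[opt_iter + 1]` immediately after storing it in `tag_len`; `if (tag_len == 0 || tag_len > opt_len - opt_iter) {` says the same thing once and makes the reuse on the `opt_iter += tag_len;` line obvious. Separately, the loop still reads `opt[opt_iter + 1]` when `opt_iter == opt_len - 1`, i.e. one byte past the option's declared length; whether that byte lies inside the validated header cannot be seen from this hunk, so an `opt_iter + 1 < opt_len` guard (a CIPSO tag always carries a type and a length byte) is worth considering alongside the zero-length check. The zero check removes the infinite loop, but the rest of cipso_v4_validate() continues outside the hunk.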
@@ -0,0 +1,86 @@
+From b8baf1c21a214c1b836eef390c9d6e153293fef9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 3 Oct 2013 00:27:20 +0300
+Subject: net: heap overflow in __audit_sockaddr()
+
+From: Dan Carpenter
+
+[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]
+
+We need to cap ->msg_namelen or it leads to a buffer overflow when we
+to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
+exploit this bug.
+
+The call tree is:
+___sys_recvmsg()
+ move_addr_to_user()
+ audit_sockaddr()
+ __audit_sockaddr()
+
+Reported-by: Jüri Aedla
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/compat.c | 2 ++
+ net/socket.c | 24 ++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kms
+ __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++ return -EINVAL;
+ kmsg->msg_name = compat_ptr(tmp1);
+ kmsg->msg_iov = compat_ptr(tmp2);
+ kmsg->msg_control = compat_ptr(tmp3);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1973,6 +1973,16 @@ struct used_address {
+ unsigned int name_len;
+ };
+
++static int copy_msghdr_from_user(struct msghdr *kmsg,
++ struct msghdr __user *umsg)
++{
++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
++ return -EFAULT;
++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
++ return -EINVAL;
++ return 0;
++}
++
+ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ struct msghdr *msg_sys, unsigned int flags,
+ struct used_address *used_address)
+@@ -1991,8 +2001,11 @@ static int ___sys_sendmsg(struct socket
+ if (MSG_CMSG_COMPAT & flags) {
+ if (get_compat_msghdr(msg_sys, msg_compat))
+ return -EFAULT;
+- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+- return -EFAULT;
++ } else {
++ err = copy_msghdr_from_user(msg_sys, msg);
++ if (err)
++ return err;
++ }
+
+ if (msg_sys->msg_iovlen > UIO_FASTIOV) {
+ err = -EMSGSIZE;
+@@ -2200,8 +2213,11 @@ static int ___sys_recvmsg(struct socket
+ if (MSG_CMSG_COMPAT & flags) {
+ if (get_compat_msghdr(msg_sys, msg_compat))
+ return -EFAULT;
+- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
+- return -EFAULT;
++ } else {
++ err = copy_msghdr_from_user(msg_sys, msg);
++ if (err)
++ return err;
++ }
+
+ if (msg_sys->msg_iovlen > UIO_FASTIOV) {
+ err = -EMSGSIZE;
diff --git a/debian/patches/bugfix/all/proc-connector-fix-info-leaks.patch b/debian/patches/bugfix/all/proc-connector-fix-info-leaks.patch
new file mode 100644
index 000000000..e2080c23f
--- /dev/null
+++ b/debian/patches/bugfix/all/proc-connector-fix-info-leaks.patch
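Review bot: In both `MSG_CMSG_COMPAT` branches of net/socket.c the `-EINVAL` that get_compat_msghdr() now returns for an oversized `msg_namelen` is still collapsed to `-EFAULT` by the untouched `if (get_compat_msghdr(msg_sys, msg_compat)) return -EFAULT;`, so compat callers see a different errno than native callers for the same rejected header. Propagating the return value, as the new native branch already does, keeps the two paths consistent: `err = get_compat_msghdr(msg_sys, msg_compat); if (err) return err;` in both ___sys_sendmsg() and ___sys_recvmsg(). The new copy_msghdr_from_user() helper would also benefit from a one-line comment stating why the cap exists, e.g. `/* msg_namelen is later copied into a sockaddr_storage; reject anything larger. */`. Both callers continue outside the hunk.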
@@ -0,0 +1,167 @@
+From 6c7e3c3382670fe98debedf2ddaff8abf2944bb4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Mon, 30 Sep 2013 22:03:06 +0200
+Subject: proc connector: fix info leaks
+
+From: Mathias Krause
+
+[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ]
+
+Initialize event_data for all possible message types to prevent leaking
+kernel stack contents to userland (up to 20 bytes). Also set the flags
+member of the connector message to 0 to prevent leaking two more stack
+bytes this way.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/connector/cn_proc.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_str
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ /* If cn_netlink_send() failed, the data is not sent */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_str
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struc
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ ev->what = which_id;
+ ev->event_data.id.process_pid = task->pid;
+ ev->event_data.id.process_tgid = task->tgid;
+@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struc
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_stru
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_stru
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_s
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_s
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_str
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_str
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ get_seq(&msg->seq, &ev->cpu);
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_str
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = 0; /* not used */
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
+@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcv
+
+ msg = (struct cn_msg *)buffer;
+ ev = (struct proc_event *)msg->data;
++ memset(&ev->event_data, 0, sizeof(ev->event_data));
+ msg->seq = rcvd_seq;
+ ktime_get_ts(&ts); /* get high res monotonic timestamp */
+ put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
+@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcv
+ memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ msg->ack = rcvd_ack + 1;
+ msg->len = sizeof(*ev);
++ msg->flags = 0; /* not used */
+ cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
+ }
+
diff --git a/debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch b/debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
new file mode 100644
index 000000000..0b90448c5
--- /dev/null
+++ b/debian/patches/bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
@@ -0,0 +1,207 @@
+From d9f02cfe59400677feea276d4b27981f6d91825a Mon Sep 17 00:00:00 2001
+From: Linus Lüssing
+Date: Sun, 20 Oct 2013 00:58:57 +0200
+Subject: Revert "bridge: only expire the mdb entry when query is received"
+
+From: Linus Lüssing
+
+[ Upstream commit 454594f3b93a49ef568cd190c5af31376b105a7b ]
+
+While this commit was a good attempt to fix issues occuring when no
+multicast querier is present, this commit still has two more issues:
+
+1) There are cases where mdb entries do not expire even if there is a
+querier present. The bridge will unnecessarily continue flooding
+multicast packets on the according ports.
+
+2) Never removing an mdb entry could be exploited for a Denial of
+Service by an attacker on the local link, slowly, but steadily eating up
+all memory.
+
+Actually, this commit became obsolete with
+"bridge: disable snooping if there is no querier" (b00589af3b)
+which included fixes for a few more cases.
+
+Therefore reverting the following commits (the commit stated in the
+commit message plus three of its follow up fixes):
+
+====================
+Revert "bridge: update mdb expiration timer upon reports."
+This reverts commit f144febd93d5ee534fdf23505ab091b2b9088edc.
+Revert "bridge: do not call setup_timer() multiple times"
+This reverts commit 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1.
+Revert "bridge: fix some kernel warning in multicast timer"
+This reverts commit c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1.
+Revert "bridge: only expire the mdb entry when query is received"
+This reverts commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b.
+====================
+
+CC: Cong Wang
+Signed-off-by: Linus Lüssing
+Reviewed-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_mdb.c | 2 -
+ net/bridge/br_multicast.c | 47 ++++++++++++++++++++++++++--------------------
+ net/bridge/br_private.h | 1
+ 3 files changed, 28 insertions(+), 22 deletions(-)
+
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -451,7 +451,7 @@ static int __br_mdb_del(struct net_bridg
+ call_rcu_bh(&p->rcu, br_multicast_free_pg);
+ err = 0;
+
+- if (!mp->ports && !mp->mglist && mp->timer_armed &&
++ if (!mp->ports && !mp->mglist &&
+ netif_running(br->dev))
+ mod_timer(&mp->timer, jiffies);
+ break;
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -271,7 +271,7 @@ static void br_multicast_del_pg(struct n
+ del_timer(&p->timer);
+ call_rcu_bh(&p->rcu, br_multicast_free_pg);
+
+- if (!mp->ports && !mp->mglist && mp->timer_armed &&
++ if (!mp->ports && !mp->mglist &&
+ netif_running(br->dev))
+ mod_timer(&mp->timer, jiffies);
+
+@@ -610,9 +610,6 @@ rehash:
+ break;
+
+ default:
+- /* If we have an existing entry, update it's expire timer */
+- mod_timer(&mp->timer,
+- jiffies + br->multicast_membership_interval);
+ goto out;
+ }
+
+@@ -622,7 +619,6 @@ rehash:
+
+ mp->br = br;
+ mp->addr = *group;
+-
+ setup_timer(&mp->timer, br_multicast_group_expired,
+ (unsigned long)mp);
+
+@@ -662,6 +658,7 @@ static int br_multicast_add_group(struct
+ struct net_bridge_mdb_entry *mp;
+ struct net_bridge_port_group *p;
+ struct net_bridge_port_group __rcu **pp;
++ unsigned long now = jiffies;
+ int err;
+
+ spin_lock(&br->multicast_lock);
+@@ -676,18 +673,15 @@ static int br_multicast_add_group(struct
+
+ if (!port) {
+ mp->mglist = true;
++ mod_timer(&mp->timer, now + br->multicast_membership_interval);
+ goto out;
+ }
+
+ for (pp = &mp->ports;
+ (p = mlock_dereference(*pp, br)) != NULL;
+ pp = &p->next) {
+- if (p->port == port) {
+- /* We already have a portgroup, update the timer. */
+- mod_timer(&p->timer,
+- jiffies + br->multicast_membership_interval);
+- goto out;
+- }
++ if (p->port == port)
++ goto found;
+ if ((unsigned long)p->port < (unsigned long)port)
+ break;
+ }
+@@ -698,6 +692,8 @@ static int br_multicast_add_group(struct
+ rcu_assign_pointer(*pp, p);
+ br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
+
++found:
++ mod_timer(&p->timer, now + br->multicast_membership_interval);
+ out:
+ err = 0;
+
+@@ -1197,9 +1193,6 @@ static int br_ip4_multicast_query(struct
+ if (!mp)
+ goto out;
+
+- mod_timer(&mp->timer, now + br->multicast_membership_interval);
+- mp->timer_armed = true;
+-
+ max_delay *= br->multicast_last_member_count;
+
+ if (mp->mglist &&
+@@ -1276,9 +1269,6 @@ static int br_ip6_multicast_query(struct
+ if (!mp)
+ goto out;
+
+- mod_timer(&mp->timer, now + br->multicast_membership_interval);
+- mp->timer_armed = true;
+-
+ max_delay *= br->multicast_last_member_count;
+ if (mp->mglist &&
+ (timer_pending(&mp->timer) ?
+@@ -1364,7 +1354,7 @@ static void br_multicast_leave_group(str
+ call_rcu_bh(&p->rcu, br_multicast_free_pg);
+ br_mdb_notify(br->dev, port, group, RTM_DELMDB);
+
+- if (!mp->ports && !mp->mglist && mp->timer_armed &&
++ if (!mp->ports && !mp->mglist &&
+ netif_running(br->dev))
+ mod_timer(&mp->timer, jiffies);
+ }
+@@ -1376,12 +1366,30 @@ static void br_multicast_leave_group(str
+ br->multicast_last_member_interval;
+
+ if (!port) {
+- if (mp->mglist && mp->timer_armed &&
++ if (mp->mglist &&
+ (timer_pending(&mp->timer) ?
+ time_after(mp->timer.expires, time) :
+ try_to_del_timer_sync(&mp->timer) >= 0)) {
+ mod_timer(&mp->timer, time);
+ }
++
++ goto out;
++ }
++
++ for (p = mlock_dereference(mp->ports, br);
++ p != NULL;
++ p = mlock_dereference(p->next, br)) {
++ if (p->port != port)
++ continue;
++
++ if (!hlist_unhashed(&p->mglist) &&
++ (timer_pending(&p->timer) ?
++ time_after(p->timer.expires, time) :
++ try_to_del_timer_sync(&p->timer) >= 0)) {
++ mod_timer(&p->timer, time);
++ }
++
++ break;
+ }
+ out:
+ spin_unlock(&br->multicast_lock);
+@@ -1798,7 +1806,6 @@ void br_multicast_stop(struct net_bridge
+ hlist_for_each_entry_safe(mp, n, &mdb->mhash[i],
+ hlist[ver]) {
+ del_timer(&mp->timer);
+- mp->timer_armed = false;
+ call_rcu_bh(&mp->rcu, br_multicast_free_group);
+ }
+ }
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry
+ struct timer_list timer;
+ struct br_ip addr;
+ bool mglist;
+- bool timer_armed;
+ };
+
+ struct net_bridge_mdb_htable
diff --git a/debian/patches/bugfix/all/unix_diag-fix-info-leak.patch b/debian/patches/bugfix/all/unix_diag-fix-info-leak.patch
new file mode 100644
index 000000000..1309e88c7
--- /dev/null
+++ b/debian/patches/bugfix/all/unix_diag-fix-info-leak.patch
@@ -0,0 +1,30 @@
+From e69ccba66791d0edd0d596520de268369aaab610 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Mon, 30 Sep 2013 22:05:40 +0200
+Subject: unix_diag: fix info leak
+
+From: Mathias Krause
+
+[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ]
+
+When filling the netlink message we miss to wipe the pad field,
+therefore leak one byte of heap memory to userland. Fix this by
+setting pad to 0.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/unix/diag.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk,
+ rep->udiag_family = AF_UNIX;
+ rep->udiag_type = sk->sk_type;
+ rep->udiag_state = sk->sk_state;
++ rep->pad = 0;
+ rep->udiag_ino = sk_ino;
+ sock_diag_save_cookie(sk, rep->udiag_cookie);
+
diff --git a/debian/patches/bugfix/all/writeback-fix-negative-bdi-max-pause.patch b/debian/patches/bugfix/all/writeback-fix-negative-bdi-max-pause.patch
new file mode 100644
index 000000000..104fcfefd
--- /dev/null
+++ b/debian/patches/bugfix/all/writeback-fix-negative-bdi-max-pause.patch
@@ -0,0 +1,93 @@
+From e3b6c655b91e01a1dade056cfa358581b47a5351 Mon Sep 17 00:00:00 2001
+From: Fengguang Wu
+Date: Wed, 16 Oct 2013 13:47:03 -0700
+Subject: writeback: fix negative bdi max pause
+
+From: Fengguang Wu
+
+commit e3b6c655b91e01a1dade056cfa358581b47a5351 upstream.
+
+Toralf runs trinity on UML/i386. After some time it hangs and the last
+message line is
+
+ BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child0:1521]
+
+It's found that pages_dirtied becomes very large. More than 1000000000
+pages in this case:
+
+ period = HZ * pages_dirtied / task_ratelimit;
+ BUG_ON(pages_dirtied > 2000000000);
+ BUG_ON(pages_dirtied > 1000000000); <---------
+
+UML debug printf shows that we got negative pause here:
+
+ ick: pause : -984
+ ick: pages_dirtied : 0
+ ick: task_ratelimit: 0
+
+ pause:
+ + if (pause < 0) {
+ + extern int printf(char *, ...);
+ + printf("ick : pause : %li\n", pause);
+ + printf("ick: pages_dirtied : %lu\n", pages_dirtied);
+ + printf("ick: task_ratelimit: %lu\n", task_ratelimit);
+ + BUG_ON(1);
+ + }
+ trace_balance_dirty_pages(bdi,
+
+Since pause is bounded by [min_pause, max_pause] where min_pause is also
+bounded by max_pause. It's suspected and demonstrated that the
+max_pause calculation goes wrong:
+
+ ick: pause : -717
+ ick: min_pause : -177
+ ick: max_pause : -717
+ ick: pages_dirtied : 14
+ ick: task_ratelimit: 0
+
+The problem lies in the two "long = unsigned long" assignments in
+bdi_max_pause() which might go negative if the highest bit is 1, and the
+min_t(long, ...) check failed to protect it falling under 0. Fix all of
+them by using "unsigned long" throughout the function.
+
+Signed-off-by: Fengguang Wu
+Reported-by: Toralf Förster
+Tested-by: Toralf Förster
+Reviewed-by: Jan Kara
+Cc: Richard Weinberger
+Cc: Geert Uytterhoeven
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/page-writeback.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -1104,11 +1104,11 @@ static unsigned long dirty_poll_interval
+ return 1;
+ }
+
+-static long bdi_max_pause(struct backing_dev_info *bdi,
+- unsigned long bdi_dirty)
++static unsigned long bdi_max_pause(struct backing_dev_info *bdi,
++ unsigned long bdi_dirty)
+ {
+- long bw = bdi->avg_write_bandwidth;
+- long t;
++ unsigned long bw = bdi->avg_write_bandwidth;
++ unsigned long t;
+
+ /*
+ * Limit pause time for small memory systems. If sleeping for too long
+@@ -1120,7 +1120,7 @@ static long bdi_max_pause(struct backing
+ t = bdi_dirty / (1 + bw / roundup_pow_of_two(1 + HZ / 8));
+ t++;
+
+- return min_t(long, t, MAX_PAUSE);
++ return min_t(unsigned long, t, MAX_PAUSE);
+ }
+
+ static long bdi_min_pause(struct backing_dev_info *bdi,
diff --git a/debian/patches/series b/debian/patches/series
index b4191ec33..53358b9d6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -81,3 +81,19 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
 bugfix/all/CVE-2013-4348.patch
+bugfix/all/net-do-not-call-sock_put-on-timewait-sockets.patch
+bugfix/all/l2tp-fix-kernel-panic-when-using-ipv4-mapped-ipv6-addresses.patch
+bugfix/all/net-heap-overflow-in-__audit_sockaddr.patch
+bugfix/all/proc-connector-fix-info-leaks.patch
+bugfix/all/bridge-update-mdb-expiration-timer-upon-reports.patch
+bugfix/all/revert-bridge-only-expire-the-mdb-entry-when-query-is-received.patch
+bugfix/all/unix_diag-fix-info-leak.patch
+bugfix/all/be2net-pass-if_id-for-v1-and-v2-versions-of-tx_create-cmd.patch
+bugfix/all/net-fix-cipso-packet-validation-when-netlabel.patch
+bugfix/all/inet-fix-possible-memory-corruption-with-udp_cork-and-ufo.patch
+bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
+bugfix/all/ext-fix-double-put-in-tmpfile.patch
+bugfix/all/dm-snapshot-fix-data-corruption.patch
+bugfix/all/i2c-ismt-initialize-dma-buffer.patch
+bugfix/all/mm-fix-bug-in-__split_huge_page_pmd.patch
+bugfix/all/writeback-fix-negative-bdi-max-pause.patch
From 2967bec3f89f41ce06bce410a9487142360ebb7a Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Fri, 1 Nov 2013 05:23:02 +0000
Subject: [PATCH 09/11] Ignore ABI change in l2tp
svn path=/dists/sid/linux/; revision=20768
---
 debian/config/defines | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/debian/config/defines b/debian/config/defines
index f7fd2ef7b..b8d316e2a 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -1,5 +1,7 @@
 [abi]
 abiname: 1
+ignore-changes:
+ module:net/l2tp/*
 [base]
 arches:
From 28fda5d8fae0c7c9f28d7d3bf7974493ed72322b Mon Sep 17 00:00:00 2001
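Review bot: The added entry `+bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch` refers to a file that no hunk of this commit creates; the file only appears in PATCH 10/11 ("Add ARM patch that was missed when adding the last batch of fixes"), so at this revision the series names a missing patch and the patch queue cannot be applied. The series entry and the patch file belong in the same commit so that every revision of the packaging tree is buildable. The commit header for this hunk lies before the visible part of the page, so it is not clear whether a changelog hunk accompanies these sixteen entries; if not, the memory-safety fixes among them (the `net-heap-overflow-in-__audit_sockaddr`, `proc-connector-fix-info-leaks` and `unix_diag-fix-info-leak` entries) should be recorded there.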
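Review bot: `module:net/l2tp/*` under `ignore-changes:` waives ABI checking for every exported symbol of every module under net/l2tp, which is wider than the single change presumably introduced by the l2tp fix added to the series earlier in this page. Out-of-tree modules built against those symbols will no longer be flagged by the ABI check, so the commit should record which change is being waived and why it is not a break for third-party code, either as a changelog entry (this commit touches only debian/config/defines per its diffstat) or by narrowing the entry to the symbols actually changed, so a later maintainer can tell when the entry may be dropped.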
From: Ben Hutchings
Date: Fri, 1 Nov 2013 17:53:57 +0000
Subject: [PATCH 10/11] Add ARM patch that was missed when adding the last batch of fixes
svn path=/dists/sid/linux/; revision=20769
---
 ...guments-in-syscall_get-set_arguments.patch | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 debian/patches/bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
diff --git a/debian/patches/bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch b/debian/patches/bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
new file mode 100644
index 000000000..4b33389dd
--- /dev/null
+++ b/debian/patches/bugfix/arm/arm-7851-1-check-for-number-of-arguments-in-syscall_get-set_arguments.patch
@@ -0,0 +1,53 @@ +From 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a Mon Sep 17 00:00:00 2001 +From: AKASHI Takahiro +Date: Wed, 9 Oct 2013 15:58:29 +0100 +Subject: ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() + +From: AKASHI Takahiro + +commit 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a upstream. + +In ftrace_syscall_enter(), + syscall_get_arguments(..., 0, n, ...) + if (i == 0) { ...; n--;} + memcpy(..., n * sizeof(args[0])); +If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in +syscall_get_arguments(), none of arguments should be copied by memcpy(). +Otherwise 'n--' can be a big positive number and unexpected amount of data +will be copied. Tracing system calls which take no argument, say sync(void), +may hit this case and eventually make the system corrupted. +This patch fixes the issue both in syscall_get_arguments() and +syscall_set_arguments(). + +Acked-by: Will Deacon +Signed-off-by: AKASHI Takahiro +Signed-off-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/syscall.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm/include/asm/syscall.h ++++ b/arch/arm/include/asm/syscall.h +@@ -57,6 +57,9 @@ static inline void syscall_get_arguments + unsigned int i, unsigned int n, + unsigned long *args) + { ++ if (n == 0) ++ return; ++ + if (i + n > SYSCALL_MAX_ARGS) { + unsigned long *args_bad = args + SYSCALL_MAX_ARGS - i; + unsigned int n_bad = n + i - SYSCALL_MAX_ARGS; +@@ -81,6 +84,9 @@ static inline void syscall_set_arguments + unsigned int i, unsigned int n, + const unsigned long *args) + { ++ if (n == 0) ++ return; ++ + if (i + n > SYSCALL_MAX_ARGS) { + pr_warning("%s called with max args %d, handling only %d\n", + __func__, i + n, SYSCALL_MAX_ARGS); From b08f6d30b9d799d3954b77d30a2e744ac2f7c40f Mon Sep 17 00:00:00 2001 
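Review bot: The early return `if (n == 0) return;` added to both syscall_get_arguments() and syscall_set_arguments() carries no comment, and the reason for it (the `n--` taken in the `if (i == 0)` block later in the function underflows an unsigned n into a huge memcpy length, as the commit message explains) is not visible at the insertion point; a comment such as `/* n == 0 together with i == 0 would underflow n below; nothing to copy */` above each return keeps the guard from being "simplified" away. Both function bodies, including the `if (i == 0)` block and the memcpy, continue outside the hunk, so the relationship between the guard and the decrement is only visible in the commit message. The backport applies the guard to both functions as upstream 3c1532df5c1b does.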
From: Ben Hutchings
Date: Fri, 1 Nov 2013 17:54:12 +0000
Subject: [PATCH 11/11] Prepare to release linux (3.11.6-2).
svn path=/dists/sid/linux/; revision=20770
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b80ea01ab..b5ad21d65 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.11.6-2) UNRELEASED; urgency=low
+linux (3.11.6-2) unstable; urgency=medium
 [ Ben Hutchings ]
 * [sh4] Reduce compiler version to gcc-4.7, as gcc-4.8 is not yet
@@ -27,7 +27,7 @@ linux (3.11.6-2) UNRELEASED; urgency=low
 [ Aurelien Jarno ]
 * UAPI: include in linux/raid/md_p.h.
- -- Ben Hutchings Tue, 29 Oct 2013 14:36:09 +0000
+ -- Ben Hutchings Fri, 01 Nov 2013 05:23:13 +0000
 linux (3.11.6-1) unstable; urgency=low