Update to 4.3.4
parent
33cd223d58
commit
9b355e6846
|
@ -1,3 +1,58 @@
|
|||
linux (4.3.4-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
|
||||
- ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
|
||||
- ACPI: Using correct irq when waiting for events
|
||||
- ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle
|
||||
- tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0
|
||||
- toshiba_acpi: Initialize hotkey_event_type variable
|
||||
- USB: cdc_acm: Ignore Infineon Flash Loader utility
|
||||
- USB: serial: Another Infineon flash loader USB ID
|
||||
- usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter
|
||||
JMicron
|
||||
- USB: cp210x: Remove CP2110 ID from compatibility list
|
||||
- USB: add quirk for devices with broken LPM
|
||||
- USB: whci-hcd: add check for dma mapping error
|
||||
- usb: gadget: pxa27x: fix suspend callback
|
||||
- USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq
|
||||
- usb: musb: USB_TI_CPPI41_DMA requires dmaengine support
|
||||
- usb: core : hub: Fix BOS 'NULL pointer' kernel panic
|
||||
- usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
|
||||
- pppoe: fix memory corruption in padt work structure
|
||||
- gre6: allow to update all parameters via rtnl
|
||||
- atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
|
||||
- ipv6: keep existing flags when setting IFA_F_OPTIMISTIC
|
||||
- vxlan: fix incorrect RCO bit in VXLAN header
|
||||
- sctp: use the same clock as if sock source timestamps were on
|
||||
- sctp: update the netstamp_needed counter when copying sockets
|
||||
- sctp: also copy sk_tsflags when copying the socket
|
||||
- net: cdc_mbim: add "NDP to end" quirk for Huawei E3372
|
||||
- net: qca_spi: fix transmit queue timeout handling
|
||||
- r8152: fix lockup when runtime PM is enabled
|
||||
- ipv6: sctp: clone options to avoid use after free
|
||||
- phy: micrel: Fix finding PHY properties in MAC node.
|
||||
- openvswitch: Fix helper reference leak
|
||||
- openvswitch: Respect conntrack zone even if invalid
|
||||
- uapi: export ila.h
|
||||
- sh_eth: fix kernel oops in skb_put()
|
||||
- net: fix IP early demux races
|
||||
- vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
|
||||
- skbuff: Fix offset error in skb_reorder_vlan_header
|
||||
- net: check both type and procotol for tcp sockets
|
||||
- net_sched: make qdisc_tree_decrease_qlen() work for non mq
|
||||
- net: fix uninitialized variable issue
|
||||
- ipv6: automatically enable stable privacy mode if stable_secret set
|
||||
- inet: tcp: fix inetpeer_set_addr_v4()
|
||||
- rhashtable: Enforce minimum size on initial hash table
|
||||
- gianfar: Don't enable RX Filer if not supported
|
||||
- fou: clean up socket with kfree_rcu
|
||||
- af_unix: Revert 'lock_interruptible' in stream receive code
|
||||
- tcp: restore fastopen with no data in SYN packet
|
||||
- rhashtable: Fix walker list corruption
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 23 Jan 2016 11:51:46 +0000
|
||||
|
||||
linux (4.3.3-7) unstable; urgency=medium
|
||||
|
||||
* linux-image-dbg: Don't rely on upstream makefile to make .build-id
|
||||
|
|
|
@ -1,75 +0,0 @@
|
|||
From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001
|
||||
From: Yevgeny Pats <yevgeny@perception-point.io>
|
||||
Date: Mon, 11 Jan 2016 12:05:28 +0000
|
||||
Subject: KEYS: Fix keyring ref leak in join_session_keyring()
|
||||
|
||||
If a thread is asked to join as a session keyring the keyring that's already
|
||||
set as its session, we leak a keyring reference.
|
||||
|
||||
This can be tested with the following program:
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <keyutils.h>
|
||||
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int i = 0;
|
||||
key_serial_t serial;
|
||||
|
||||
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
|
||||
"leaked-keyring");
|
||||
if (serial < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (keyctl(KEYCTL_SETPERM, serial,
|
||||
KEY_POS_ALL | KEY_USR_ALL) < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
for (i = 0; i < 100; i++) {
|
||||
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
|
||||
"leaked-keyring");
|
||||
if (serial < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
If, after the program has run, there something like the following line in
|
||||
/proc/keys:
|
||||
|
||||
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
|
||||
|
||||
with a usage count of 100 * the number of times the program has been run,
|
||||
then the kernel is malfunctioning. If leaked-keyring has zero usages or
|
||||
has been garbage collected, then the problem is fixed.
|
||||
|
||||
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/keys/process_keys.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
|
||||
index a3f85d2..e6d50172 100644
|
||||
--- a/security/keys/process_keys.c
|
||||
+++ b/security/keys/process_keys.c
|
||||
@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
|
||||
ret = PTR_ERR(keyring);
|
||||
goto error2;
|
||||
} else if (keyring == new->session_keyring) {
|
||||
+ key_put(keyring);
|
||||
ret = 0;
|
||||
goto error2;
|
||||
}
|
||||
--
|
||||
2.7.0.rc3
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Tue, 15 Dec 2015 15:39:08 -0500
|
||||
Subject: bluetooth: Validate socket address length in sco_sock_bind().
|
||||
Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4
|
||||
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/bluetooth/sco.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/net/bluetooth/sco.c
|
||||
+++ b/net/bluetooth/sco.c
|
||||
@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *
|
||||
if (!addr || addr->sa_family != AF_BLUETOOTH)
|
||||
return -EINVAL;
|
||||
|
||||
+ if (addr_len < sizeof(struct sockaddr_sco))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
if (sk->sk_state != BT_OPEN) {
|
|
@ -1,110 +0,0 @@
|
|||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 18 Dec 2015 01:34:26 +0000
|
||||
Subject: KEYS: Fix race between read and revoke
|
||||
Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
|
||||
|
||||
This fixes CVE-2015-7550.
|
||||
|
||||
There's a race between keyctl_read() and keyctl_revoke(). If the revoke
|
||||
happens between keyctl_read() checking the validity of a key and the key's
|
||||
semaphore being taken, then the key type read method will see a revoked key.
|
||||
|
||||
This causes a problem for the user-defined key type because it assumes in
|
||||
its read method that there will always be a payload in a non-revoked key
|
||||
and doesn't check for a NULL pointer.
|
||||
|
||||
Fix this by making keyctl_read() check the validity of a key after taking
|
||||
semaphore instead of before.
|
||||
|
||||
I think the bug was introduced with the original keyrings code.
|
||||
|
||||
This was discovered by a multithreaded test program generated by syzkaller
|
||||
(http://github.com/google/syzkaller). Here's a cleaned up version:
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <keyutils.h>
|
||||
#include <pthread.h>
|
||||
void *thr0(void *arg)
|
||||
{
|
||||
key_serial_t key = (unsigned long)arg;
|
||||
keyctl_revoke(key);
|
||||
return 0;
|
||||
}
|
||||
void *thr1(void *arg)
|
||||
{
|
||||
key_serial_t key = (unsigned long)arg;
|
||||
char buffer[16];
|
||||
keyctl_read(key, buffer, 16);
|
||||
return 0;
|
||||
}
|
||||
int main()
|
||||
{
|
||||
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
|
||||
pthread_t th[5];
|
||||
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
|
||||
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
|
||||
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
|
||||
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
|
||||
pthread_join(th[0], 0);
|
||||
pthread_join(th[1], 0);
|
||||
pthread_join(th[2], 0);
|
||||
pthread_join(th[3], 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
Build as:
|
||||
|
||||
cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
|
||||
|
||||
Run as:
|
||||
|
||||
while keyctl-race; do :; done
|
||||
|
||||
as it may need several iterations to crash the kernel. The crash can be
|
||||
summarised as:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
|
||||
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
|
||||
...
|
||||
Call Trace:
|
||||
[<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
|
||||
[<ffffffff81277815>] SyS_keyctl+0x83/0xe0
|
||||
[<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
Tested-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
security/keys/keyctl.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
--- a/security/keys/keyctl.c
|
||||
+++ b/security/keys/keyctl.c
|
||||
@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid,
|
||||
|
||||
/* the key is probably readable - now try to read it */
|
||||
can_read_key:
|
||||
- ret = key_validate(key);
|
||||
- if (ret == 0) {
|
||||
- ret = -EOPNOTSUPP;
|
||||
- if (key->type->read) {
|
||||
- /* read the data with the semaphore held (since we
|
||||
- * might sleep) */
|
||||
- down_read(&key->sem);
|
||||
+ ret = -EOPNOTSUPP;
|
||||
+ if (key->type->read) {
|
||||
+ /* Read the data with the semaphore held (since we might sleep)
|
||||
+ * to protect against the key being updated or revoked.
|
||||
+ */
|
||||
+ down_read(&key->sem);
|
||||
+ ret = key_validate(key);
|
||||
+ if (ret == 0)
|
||||
ret = key->type->read(key, buffer, buflen);
|
||||
- up_read(&key->sem);
|
||||
- }
|
||||
+ up_read(&key->sem);
|
||||
}
|
||||
|
||||
error2:
|
|
@ -1,121 +0,0 @@
|
|||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Mon, 14 Dec 2015 22:03:39 +0100
|
||||
Subject: net: add validation for the socket syscall protocol argument
|
||||
Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9
|
||||
|
||||
郭永刚 reported that one could simply crash the kernel as root by
|
||||
using a simple program:
|
||||
|
||||
int socket_fd;
|
||||
struct sockaddr_in addr;
|
||||
addr.sin_port = 0;
|
||||
addr.sin_addr.s_addr = INADDR_ANY;
|
||||
addr.sin_family = 10;
|
||||
|
||||
socket_fd = socket(10,3,0x40000000);
|
||||
connect(socket_fd , &addr,16);
|
||||
|
||||
AF_INET, AF_INET6 sockets actually only support 8-bit protocol
|
||||
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
|
||||
thus larger protocol identifiers simply cut off the higher bits and
|
||||
store a zero in the protocol fields.
|
||||
|
||||
This could lead to e.g. NULL function pointer because as a result of
|
||||
the cut off inet_num is zero and we call down to inet_autobind, which
|
||||
is NULL for raw sockets.
|
||||
|
||||
kernel: Call Trace:
|
||||
kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
|
||||
kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
|
||||
kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
|
||||
kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
|
||||
kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
|
||||
kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
|
||||
kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
|
||||
|
||||
I found no particular commit which introduced this problem.
|
||||
|
||||
CVE: CVE-2015-8543
|
||||
Cc: Cong Wang <cwang@twopensource.com>
|
||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/sock.h | 1 +
|
||||
net/ax25/af_ax25.c | 3 +++
|
||||
net/decnet/af_decnet.c | 3 +++
|
||||
net/ipv4/af_inet.c | 3 +++
|
||||
net/ipv6/af_inet6.c | 3 +++
|
||||
net/irda/af_irda.c | 3 +++
|
||||
6 files changed, 16 insertions(+)
|
||||
|
||||
--- a/include/net/sock.h
|
||||
+++ b/include/net/sock.h
|
||||
@@ -387,6 +387,7 @@ struct sock {
|
||||
sk_no_check_rx : 1,
|
||||
sk_userlocks : 4,
|
||||
sk_protocol : 8,
|
||||
+#define SK_PROTOCOL_MAX U8_MAX
|
||||
sk_type : 16;
|
||||
kmemcheck_bitfield_end(flags);
|
||||
int sk_wmem_queued;
|
||||
--- a/net/ax25/af_ax25.c
|
||||
+++ b/net/ax25/af_ax25.c
|
||||
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net,
|
||||
struct sock *sk;
|
||||
ax25_cb *ax25;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!net_eq(net, &init_net))
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
--- a/net/decnet/af_decnet.c
|
||||
+++ b/net/decnet/af_decnet.c
|
||||
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st
|
||||
{
|
||||
struct sock *sk;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!net_eq(net, &init_net))
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
--- a/net/ipv4/af_inet.c
|
||||
+++ b/net/ipv4/af_inet.c
|
||||
@@ -261,6 +261,9 @@ static int inet_create(struct net *net,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
sock->state = SS_UNCONNECTED;
|
||||
|
||||
/* Look for the requested type/protocol pair. */
|
||||
--- a/net/ipv6/af_inet6.c
|
||||
+++ b/net/ipv6/af_inet6.c
|
||||
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/* Look for the requested type/protocol pair. */
|
||||
lookup_protocol:
|
||||
err = -ESOCKTNOSUPPORT;
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net,
|
||||
struct sock *sk;
|
||||
struct irda_sock *self;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (net != &init_net)
|
||||
return -EAFNOSUPPORT;
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From: WANG Cong <xiyou.wangcong@gmail.com>
|
||||
Date: Mon, 14 Dec 2015 13:48:36 -0800
|
||||
Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
|
||||
Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
|
||||
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ppp/pptp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
--- a/drivers/net/ppp/pptp.c
|
||||
+++ b/drivers/net/ppp/pptp.c
|
||||
@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock
|
||||
struct pptp_opt *opt = &po->proto.pptp;
|
||||
int error = 0;
|
||||
|
||||
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
opt->src_addr = sp->sa_addr.pptp;
|
||||
@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *s
|
||||
struct flowi4 fl4;
|
||||
int error = 0;
|
||||
|
||||
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (sp->sa_protocol != PX_PROTO_PPTP)
|
||||
return -EINVAL;
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Tue, 15 Dec 2015 15:26:45 +0000
|
||||
Subject: Revert "vrf: fix double free and memory corruption on register_netdevice failure"
|
||||
Forwarded: http://mid.gmane.org/20151215153149.GO28542@decadent.org.uk
|
||||
|
||||
This reverts commit b3abad339f8e268bb261e5844ab68b18a7797c29, which
|
||||
was an attempt to backport commit 7f109f7cc37108cba7243bc832988525b0d85909
|
||||
upstream. The backport introduced a deadlock and other bugs.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/net/vrf.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
|
||||
index c9e309c..488c6f5 100644
|
||||
--- a/drivers/net/vrf.c
|
||||
+++ b/drivers/net/vrf.c
|
||||
@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
|
||||
{
|
||||
struct net_vrf *vrf = netdev_priv(dev);
|
||||
struct net_vrf_dev *vrf_ptr;
|
||||
+ int err;
|
||||
|
||||
if (!data || !data[IFLA_VRF_TABLE])
|
||||
return -EINVAL;
|
||||
@@ -589,16 +590,26 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
|
||||
|
||||
dev->priv_flags |= IFF_VRF_MASTER;
|
||||
|
||||
+ err = -ENOMEM;
|
||||
vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
|
||||
if (!vrf_ptr)
|
||||
- return -ENOMEM;
|
||||
+ goto out_fail;
|
||||
|
||||
vrf_ptr->ifindex = dev->ifindex;
|
||||
vrf_ptr->tb_id = vrf->tb_id;
|
||||
|
||||
+ err = register_netdevice(dev);
|
||||
+ if (err < 0)
|
||||
+ goto out_fail;
|
||||
+
|
||||
rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
|
||||
|
||||
- return register_netdev(dev);
|
||||
+ return 0;
|
||||
+
|
||||
+out_fail:
|
||||
+ kfree(vrf_ptr);
|
||||
+ free_netdev(dev);
|
||||
+ return err;
|
||||
}
|
||||
|
||||
static size_t vrf_nl_getsize(const struct net_device *dev)
|
|
@ -1,29 +0,0 @@
|
|||
Date: Tue, 15 Dec 2015 21:21:56 +0000
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Subject: tipc: Fix kfree_skb() of uninitialised pointer
|
||||
Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk
|
||||
|
||||
Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
|
||||
headroom") added a "goto tx_error". This is fine upstream, but
|
||||
when backported to 4.3 it results in attempting to free the clone
|
||||
before it has been allocated. In this early error case, no
|
||||
cleanup is needed.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
net/tipc/udp_media.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
|
||||
index 86f2e7c..73bdf1b 100644
|
||||
--- a/net/tipc/udp_media.c
|
||||
+++ b/net/tipc/udp_media.c
|
||||
@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
|
||||
if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
|
||||
err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
|
||||
if (err)
|
||||
- goto tx_error;
|
||||
+ return err;
|
||||
}
|
||||
|
||||
clone = skb_clone(skb, GFP_ATOMIC);
|
|
@ -1,95 +0,0 @@
|
|||
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
|
||||
Date: Sat, 21 Nov 2015 19:46:19 +0100
|
||||
Subject: vrf: fix double free and memory corruption on register_netdevice failure
|
||||
Origin: https://git.kernel.org/linus/7f109f7cc37108cba7243bc832988525b0d85909
|
||||
|
||||
When vrf's ->newlink is called, if register_netdevice() fails then it
|
||||
does free_netdev(), but that's also done by rtnl_newlink() so a second
|
||||
free happens and memory gets corrupted, to reproduce execute the
|
||||
following line a couple of times (1 - 5 usually is enough):
|
||||
$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done;
|
||||
This works because we fail in register_netdevice() because of the wrong
|
||||
name "vrf:".
|
||||
|
||||
And here's a trace of one crash:
|
||||
[ 28.792157] ------------[ cut here ]------------
|
||||
[ 28.792407] kernel BUG at fs/namei.c:246!
|
||||
[ 28.792608] invalid opcode: 0000 [#1] SMP
|
||||
[ 28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry
|
||||
nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul
|
||||
crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse
|
||||
glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev
|
||||
parport_pc parport serio_raw pcspkr virtio_balloon virtio_console
|
||||
i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4
|
||||
ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom
|
||||
ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix
|
||||
libata virtio_pci virtio_ring virtio scsi_mod floppy
|
||||
[ 28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted
|
||||
4.4.0-rc1+ #24
|
||||
[ 28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
|
||||
BIOS 1.8.1-20150318_183358- 04/01/2014
|
||||
[ 28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti:
|
||||
ffff88003592c000
|
||||
[ 28.796016] RIP: 0010:[<ffffffff812187b3>] [<ffffffff812187b3>]
|
||||
putname+0x43/0x60
|
||||
[ 28.796016] RSP: 0018:ffff88003592fe88 EFLAGS: 00010246
|
||||
[ 28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX:
|
||||
0000000000000001
|
||||
[ 28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
|
||||
ffff88003784f000
|
||||
[ 28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09:
|
||||
0000000000000000
|
||||
[ 28.796016] R10: 0000000000000000 R11: 0000000000000001 R12:
|
||||
0000000000000000
|
||||
[ 28.796016] R13: 000000000000047c R14: ffff88003784f000 R15:
|
||||
ffff8800358c4a00
|
||||
[ 28.796016] FS: 0000000000000000(0000) GS:ffff88003fc00000(0000)
|
||||
knlGS:0000000000000000
|
||||
[ 28.796016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4:
|
||||
00000000000406f0
|
||||
[ 28.796016] Stack:
|
||||
[ 28.796016] ffffffff8121045d ffffffff812102d3 ffff8800352561c0
|
||||
ffff880035a91660
|
||||
[ 28.796016] ffff8800008a9880 0000000000000000 ffffffff81a49940
|
||||
00ffffff81218684
|
||||
[ 28.796016] ffff8800352561c0 000000000000047c 0000000000000000
|
||||
ffff880035b36d80
|
||||
[ 28.796016] Call Trace:
|
||||
[ 28.796016] [<ffffffff8121045d>] ?
|
||||
do_execveat_common.isra.34+0x74d/0x930
|
||||
[ 28.796016] [<ffffffff812102d3>] ?
|
||||
do_execveat_common.isra.34+0x5c3/0x930
|
||||
[ 28.796016] [<ffffffff8121066c>] do_execve+0x2c/0x30
|
||||
[ 28.796016] [<ffffffff810939a0>]
|
||||
call_usermodehelper_exec_async+0xf0/0x140
|
||||
[ 28.796016] [<ffffffff810938b0>] ? umh_complete+0x40/0x40
|
||||
[ 28.796016] [<ffffffff815cb1af>] ret_from_fork+0x3f/0x70
|
||||
[ 28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6
|
||||
74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d
|
||||
f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9
|
||||
[ 28.796016] RIP [<ffffffff812187b3>] putname+0x43/0x60
|
||||
[ 28.796016] RSP <ffff88003592fe88>
|
||||
|
||||
Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
|
||||
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
|
||||
Acked-by: David Ahern <dsa@cumulusnetworks.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
[bwh: For 4.3, retain the kfree() on failure]
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
drivers/net/vrf.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
|
||||
index 488c6f5..374feba 100644
|
||||
--- a/drivers/net/vrf.c
|
||||
+++ b/drivers/net/vrf.c
|
||||
@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
|
||||
|
||||
out_fail:
|
||||
kfree(vrf_ptr);
|
||||
- free_netdev(dev);
|
||||
return err;
|
||||
}
|
||||
|
|
@ -106,13 +106,7 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
|||
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
|
||||
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
|
||||
bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
|
||||
bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
|
||||
bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
|
||||
bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
|
||||
bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
|
||||
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
|
||||
bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
|
||||
bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
|
||||
bugfix/all/xen-add-ring_copy_request.patch
|
||||
bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
|
||||
bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
|
||||
|
@ -127,7 +121,6 @@ bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
|
|||
bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
|
||||
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
||||
debian/ptrace-fix-abi-change-for-priv-esc-fix.patch
|
||||
bugfix/all/keys-fix-race-between-read-and-revoke.patch
|
||||
bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
|
||||
bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
|
||||
bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
|
||||
|
@ -147,4 +140,3 @@ bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
|
|||
bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
|
||||
bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
|
||||
bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
|
||||
bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
|
||||
|
|
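Review bot: Nothing on this page shows that 4.3.4 contains the eight fixes dropped from the series here (six in the first hunk, `keys-fix-race-between-read-and-revoke.patch` in the second, `KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch` in the third), and the new changelog entry as shown lists none of their subjects. Two of the deleted patch files name CVE ids in their headers (CVE-2015-7550 and CVE-2015-8543). Two others (`tipc-fix-kfree_skb-of-uninitialised-pointer.patch` and the vrf revert) carry a `Forwarded:` header rather than `Origin:`, so they are presumably Debian-side backport fixes whose upstream-stable equivalent has to be checked separately. Before merging I would confirm each subject against ChangeLog-4.3.4 and record that in the commit message, for example `Drop 8 patches applied upstream in 4.3.4`.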