From 85d582a4513873c44f293514d3fef17389134c30 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 26 Mar 2014 02:43:52 +0000 Subject: [PATCH 1/7] Prepare to release linux (3.13.7-1). svn path=/dists/sid/linux/; revision=21191 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 9b627a617..5e539ba52 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (3.13.7-1) UNRELEASED; urgency=medium +linux (3.13.7-1) unstable; urgency=medium * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.7 @@ -60,7 +60,7 @@ linux (3.13.7-1) UNRELEASED; urgency=medium * [arm] mm: Avoid ABI change in 3.13.6 (fixes FTBFS) * nfqueue: Orphan frags in nfqnl_zcopy() and handle errors (CVE-2014-2568) - -- Ben Hutchings Fri, 21 Mar 2014 19:47:01 +0000 + -- Ben Hutchings Tue, 25 Mar 2014 17:23:31 +0000 linux (3.13.6-1) unstable; urgency=high From d2cf486950f5015f38f1dbb331cdd2d9d3fec7b0 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 31 Mar 2014 21:34:41 +0000 Subject: [PATCH 2/7] Update to 3.13.8 svn path=/dists/sid/linux/; revision=21203 --- debian/changelog | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/debian/changelog b/debian/changelog index 5e539ba52..bac652644 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,33 @@ +linux (3.13.8-1) UNRELEASED; urgency=medium + + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.8 + - ALSA: compress: Pass through return value of open ops callback + - [hppa] partly revert commit 8a10bc9: parisc/sti_console: prefer Linux + fonts over built-in ROM fonts (regression in 3.13.2) + - [armhf] net: davinci_emac: Replace devm_request_irq with request_irq + (regression in 3.11) + - NFSv4: Use the correct net namespace in nfs4_update_server + - media: cxusb: unlock on error in cxusb_i2c_xfer() (regression in 3.13) + - media: dw2102: some missing unlocks on error (regression in 3.13) + - libceph: block I/O when PAUSE or FULL osd map flags are set + - libceph: resend all writes after the osdmap loses the full flag + - stop_machine: Fix^2 race between stop_two_cpus() and stop_cpus() + - [arm] 7941/2: Fix incorrect FDT initrd parameter override + (regression in 3.13) + - [x86] bpf_jit: support negative offsets + - printk: fix syslog() overflowing user buffer + - Fix uses of dma_max_pfn() when converting to a limiting address + - deb-pkg: Fix building for MIPS big-endian or ARM OABI + - deb-pkg: Fix cross-building linux-headers package + - fs/proc/proc_devtree.c: remove empty /proc/device-tree when no + openfirmware exists. + - KVM: MMU: handle invalid root_hpa at __direct_map + - [x86] KVM: x86: handle invalid root_hpa everywhere + - KVM: VMX: fix use after free of vmx->loaded_vmcs + + -- Ben Hutchings Mon, 31 Mar 2014 21:12:56 +0100 + linux (3.13.7-1) unstable; urgency=medium * New upstream stable update: From e55302e2477076d51abc661c9dafefd1b5f94990 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Mon, 31 Mar 2014 21:43:48 +0000 Subject: [PATCH 3/7] Add patches for two CVEs in vhost svn path=/dists/sid/linux/; revision=21204 --- debian/changelog | 4 ++ ...al-length-when-packets-are-too-short.patch | 58 +++++++++++++++++++ ...idate-vhost_get_vq_desc-return-value.patch | 39 +++++++++++++ debian/patches/series | 2 + 4 files changed, 103 insertions(+) create mode 100644 debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch create mode 100644 debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch diff --git a/debian/changelog b/debian/changelog index bac652644..f03e093c4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,6 +26,10 @@ linux (3.13.8-1) UNRELEASED; urgency=medium - [x86] KVM: x86: handle invalid root_hpa everywhere - KVM: VMX: fix use after free of vmx->loaded_vmcs + [ Ben Hutchings ] + * vhost: fix total length when packets are too short (CVE-2014-0077) + * vhost: validate vhost_get_vq_desc return value (CVE-2014-0055) + -- Ben Hutchings Mon, 31 Mar 2014 21:12:56 +0100 linux (3.13.7-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch b/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch new file mode 100644 index 000000000..3110e61b5 --- /dev/null +++ b/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch 
@@ -0,0 +1,58 @@
+From: "Michael S. Tsirkin"
+Date: Thu, 27 Mar 2014 12:00:26 +0200
+Subject: [1/2] vhost: fix total length when packets are too short
+Origin: https://git.kernel.org/linus/d8316f3991d207fe32881a9ac20241be8fa2bad0
+
+When mergeable buffers are disabled, and the
+incoming packet is too large for the rx buffer,
+get_rx_bufs returns success.
+
+This was intentional in order for make recvmsg
+truncate the packet and then handle_rx would
+detect err != sock_len and drop it.
+
+Unfortunately we pass the original sock_len to
+recvmsg - which means we use parts of iov not fully
+validated.
+
+Fix this up by detecting this overrun and doing packet drop
+immediately.
+
+CVE-2014-0077
+
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+---
+ drivers/vhost/net.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -528,6 +528,12 @@ static int get_rx_bufs(struct vhost_virt
+ *iovcount = seg;
+ if (unlikely(log))
+ *log_num = nlogs;
++
++ /* Detect overrun */
++ if (unlikely(datalen > 0)) {
++ r = UIO_MAXIOV + 1;
++ goto err;
++ }
+ return headcount;
+ err:
+ vhost_discard_vq_desc(vq, headcount);
+@@ -583,6 +589,14 @@ static void handle_rx(struct vhost_net *
+ /* On error, stop handling until the next kick. */
+ if (unlikely(headcount < 0))
+ break;
++ /* On overrun, truncate and discard */
++ if (unlikely(headcount > UIO_MAXIOV)) {
++ msg.msg_iovlen = 1;
++ err = sock->ops->recvmsg(NULL, sock, &msg,
++ 1, MSG_DONTWAIT | MSG_TRUNC);
++ pr_debug("Discarded rx packet: len %zd\n", sock_len);
++ continue;
++ }
+ /* OK, now we need to know about added descriptors. */
+ if (!headcount) {
+ if (unlikely(vhost_enable_notify(&net->dev, vq))) {
diff --git a/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch b/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
new file mode 100644
index 000000000..3460e8304
--- /dev/null
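Review bot: The overrun is signalled to handle_rx through a magic return value, `r = UIO_MAXIOV + 1;`, which the caller then distinguishes with `headcount > UIO_MAXIOV`, but neither site says that any value above UIO_MAXIOV is a sentinel rather than a descriptor count, so a later change to get_rx_bufs's return contract could silently break the check; a comment at the return such as `/* Packet larger than the buffers collected: return a value that can never be a valid headcount so handle_rx drops it */` would pin that down. In the drop path `err` is overwritten by the one-byte MSG_TRUNC recvmsg and never examined; if that read fails nothing has been consumed and the loop simply continues, presumably re-seeing the same packet, so either check `err` there or state in the comment why a failure cannot occur after a successful peek. Both get_rx_bufs and handle_rx begin and end outside these hunks.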
+++ b/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
@@ -0,0 +1,39 @@
+From: "Michael S. Tsirkin"
+Date: Thu, 27 Mar 2014 12:53:37 +0200
+Subject: [2/2] vhost: validate vhost_get_vq_desc return value
+Origin: https://git.kernel.org/linus/a39ee449f96a2cd44ce056d8a0a112211a9b1a1f
+
+vhost fails to validate negative error code
+from vhost_get_vq_desc causing
+a crash: we are using -EFAULT which is 0xfffffff2
+as vector size, which exceeds the allocated size.
+
+The code in question was introduced in commit
+8dd014adfea6f173c1ef6378f7e5e7924866c923
+ vhost-net: mergeable buffers support
+
+CVE-2014-0055
+
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+---
+ drivers/vhost/net.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -501,9 +501,13 @@ static int get_rx_bufs(struct vhost_virt
+ r = -ENOBUFS;
+ goto err;
+ }
+- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
++ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg,
+ ARRAY_SIZE(vq->iov) - seg, &out,
+ &in, log, log_num);
++ if (unlikely(r < 0))
++ goto err;
++
++ d = r;
+ if (d == vq->num) {
+ r = 0;
+ goto err;
diff --git a/debian/patches/series b/debian/patches/series
index fd62e6a4d..ed7953f45 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -94,3 +94,5 @@ debian/can-avoid-abi-change-in-3.13.6.patch
 debian/arm-mm-avoid-abi-change-in-3.13.6.patch
 debian/fireware-avoid-abi-change-in-3.13.7.patch
 bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
+bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
+bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
From ca418520c6bbca1caea563b633a27a098c4db0e2 Mon Sep 17 00:00:00 2001
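Review bot: The new `r < 0` test fixes the sign problem, but the three-way contract of vhost_get_vq_desc that the code now relies on in two consecutive checks — negative errno, `vq->num` for an empty ring, otherwise a head index — is not written down anywhere in the hunk; a comment above the call, `/* <0: error; vq->num: no buffer available; else: descriptor head index */`, would make the order of the `r < 0` and `d == vq->num` checks self-explanatory. The `d = r;` assignment copies an int into `d`, whose declaration is outside the hunk and is presumably unsigned, which is only safe because the negative case has already been diverted to err; it is worth saying so in a comment, or moving the assignment into the same branch so the dependency is visible. On `goto err` the descriptors already taken in this call are handed back by the `vhost_discard_vq_desc(vq, headcount)` at the err label shown in the companion patch, so the error path looks complete from what is visible. get_rx_bufs begins and ends outside the hunk.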
From: Ben Hutchings Date: Mon, 14 Apr 2014 03:31:55 +0000 Subject: [PATCH 4/7] Update to 3.13.9 svn path=/dists/sid/linux/; revision=21232 --- debian/changelog | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index f03e093c4..7f2095648 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (3.13.8-1) UNRELEASED; urgency=medium +linux (3.13.9-1) UNRELEASED; urgency=medium * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.8 @@ -25,6 +25,21 @@ linux (3.13.8-1) UNRELEASED; urgency=medium - KVM: MMU: handle invalid root_hpa at __direct_map - [x86] KVM: x86: handle invalid root_hpa everywhere - KVM: VMX: fix use after free of vmx->loaded_vmcs + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.9 + - ext4: atomically set inode->i_flags in ext4_set_inode_flags() + - rcuwalk: recheck mount_lock after mountpoint crossing attempts + - Input: mousedev - fix race when creating mixed device + - xen/balloon: flush persistent kmaps in correct position + - Revert "xen: properly account for _PAGE_NUMA during xen pte translations" + (regression in 3.13.5) + - drm/i915: Undo gtt scratch pte unmapping again (regression in 3.12) + - [i386/486] fix boot on uniprocessor systems + - random32: avoid attempt to late reseed if in the middle of seeding + - rcuwalk: switch mnt_hash to hlist + - mm: close PageTail race + - cgroup: protect modifications to cgroup_idr with cgroup_mutex + - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages + (CVE-2014-2523) [ Ben Hutchings ] * vhost: fix total length when packets are too short (CVE-2014-0077) From 3785b88bc11ac13eb56ce08fc294e31407acdfe2 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Mon, 14 Apr 2014 21:12:50 +0000 Subject: [PATCH 5/7] Update to 3.13.10 svn path=/dists/sid/linux/; revision=21234 --- debian/changelog | 43 +++++- debian/config/defines | 2 + ...-skbuff-skb_segment-s-frag-nskb_frag.patch | 68 --------- ...2-skbuff-skb_segment-s-skb_frag-frag.patch | 77 ---------- ...03-skbuff-skb_segment-s-skb-head_skb.patch | 144 ------------------ ...4-skbuff-skb_segment-s-fskb-list_skb.patch | 79 ---------- ..._segment-orphan-frags-before-copying.patch | 59 ------- ...ST_NOCOUNT-for-remotely-added-routes.patch | 30 ---- ...race-condition-in-the-inet-frag-code.patch | 91 ----------- .../all/net-use-kfree_skb_list-helper.patch | 69 --------- ...al-length-when-packets-are-too-short.patch | 58 ------- ...idate-vhost_get_vq_desc-return-value.patch | 39 ----- debian/patches/series | 10 -- 13 files changed, 40 insertions(+), 729 deletions(-) delete mode 100644 debian/patches/bugfix/all/0001-skbuff-skb_segment-s-frag-nskb_frag.patch delete mode 100644 debian/patches/bugfix/all/0002-skbuff-skb_segment-s-skb_frag-frag.patch delete mode 100644 debian/patches/bugfix/all/0003-skbuff-skb_segment-s-skb-head_skb.patch delete mode 100644 debian/patches/bugfix/all/0004-skbuff-skb_segment-s-fskb-list_skb.patch delete mode 100644 debian/patches/bugfix/all/0005-skbuff-skb_segment-orphan-frags-before-copying.patch delete mode 100644 debian/patches/bugfix/all/ipv6-don-t-set-DST_NOCOUNT-for-remotely-added-routes.patch delete mode 100644 debian/patches/bugfix/all/net-fix-for-a-race-condition-in-the-inet-frag-code.patch delete mode 100644 debian/patches/bugfix/all/net-use-kfree_skb_list-helper.patch delete mode 100644 debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch delete mode 100644 debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch diff --git a/debian/changelog b/debian/changelog index 7f2095648..d65a39d2e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,4 +1,4 @@ -linux (3.13.9-1) UNRELEASED; urgency=medium +linux (3.13.10-1) UNRELEASED; urgency=medium * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.8 
@@ -40,10 +40,43 @@ linux (3.13.9-1) UNRELEASED; urgency=medium - cgroup: protect modifications to cgroup_idr with cgroup_mutex - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages (CVE-2014-2523) - - [ Ben Hutchings ] - * vhost: fix total length when packets are too short (CVE-2014-0077) - * vhost: validate vhost_get_vq_desc return value (CVE-2014-0055) + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.10 + - selinux: correctly label /proc inodes in use before the policy is loaded + - net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk + - bridge: multicast: add sanity check for query source addresses + - tipc: allow connection shutdown callback to be invoked in advance + - tipc: fix connection refcount leak + - tipc: drop subscriber connection id invalidation + - inet: frag: make sure forced eviction removes all frags + - vlan: Set correct source MAC address with TX VLAN offload enabled + (regression in 3.13) + - tcp: tcp_release_cb() should release socket ownership + - bridge: multicast: add sanity check for general query destination + - bridge: multicast: enable snooping on general queries only + - net: socket: error on a negative msg_namelen (regression in 3.11.10) + - bonding: set correct vlan id for alb xmit path (regression in 3.12) + - ipv6: Avoid unnecessary temporary addresses being generated + - net: cdc_ncm: fix control message ordering (regression in 3.13) + - tcp: syncookies: do not use getnstimeofday() (regression in 3.13) + - tipc: fix spinlock recursion bug for failed subscriptions + - ip_tunnel: Fix dst ref-count. 
(regression in 3.13.7) + - tg3: Do not include vlan acceleration features in vlan_features + - virtio-net: correct error handling of virtqueue_kick() + (regression in 3.13) + - usbnet: include wait queue head in device structure + - vhost: fix total length when packets are too short (CVE-2014-0077) + - vhost: validate vhost_get_vq_desc return value (CVE-2014-0055) + - tcp: fix get_timewait4_sock() delay computation on 64bit + (regression in 3.13) + - xen-netback: remove pointless clause from if statement + - netlink: don't compare the nul-termination in nla_strcmp + - xen-netback: disable rogue vif in kthread context + - net: vxlan: fix crash when interface is created with no group + - rds: prevent dereference of a NULL device in rds_iw_laddr_check + (CVE-2014-2678) + - powernow-k6: disable cache when changing frequency + - [m68k] Skip futex_atomic_cmpxchg_inatomic() test + - crypto: ghash-clmulni-intel - use C implementation for setkey() -- Ben Hutchings Mon, 31 Mar 2014 21:12:56 +0100 diff --git a/debian/config/defines b/debian/config/defines index 6ff6107c8..9a0472001 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -5,6 +5,8 @@ ignore-changes: module:drivers/target/iscsi/iscsi_target_mod tcp_cong_avoid_ai tcp_slow_start +# Not expected to be used by OOT drivers + module:drivers/net/usb/* [base] arches: diff --git a/debian/patches/bugfix/all/0001-skbuff-skb_segment-s-frag-nskb_frag.patch b/debian/patches/bugfix/all/0001-skbuff-skb_segment-s-frag-nskb_frag.patch deleted file mode 100644 index 51fe7686a..000000000 --- a/debian/patches/bugfix/all/0001-skbuff-skb_segment-s-frag-nskb_frag.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Mon, 10 Mar 2014 18:29:04 +0200 -Subject: [1/5] skbuff: skb_segment: s/frag/nskb_frag/ -Origin: https://git.kernel.org/linus/8cb19905e9287a93ce7c2cbbdf742a060b00e219 - -frag points at nskb, so name it appropriately - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - net/core/skbuff.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 5d6236d..60e8cd7 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2876,7 +2876,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - do { - struct sk_buff *nskb; -- skb_frag_t *frag; -+ skb_frag_t *nskb_frag; - int hsize; - int size; - -@@ -2969,7 +2969,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - continue; - } - -- frag = skb_shinfo(nskb)->frags; -+ nskb_frag = skb_shinfo(nskb)->frags; - - skb_copy_from_linear_data_offset(skb, offset, - skb_put(nskb, hsize), hsize); -@@ -2997,13 +2997,13 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - goto err; - } - -- *frag = *skb_frag; -- __skb_frag_ref(frag); -- size = skb_frag_size(frag); -+ *nskb_frag = *skb_frag; -+ __skb_frag_ref(nskb_frag); -+ size = skb_frag_size(nskb_frag); - - if (pos < offset) { -- frag->page_offset += offset - pos; -- skb_frag_size_sub(frag, offset - pos); -+ nskb_frag->page_offset += offset - pos; -+ skb_frag_size_sub(nskb_frag, offset - pos); - } - - skb_shinfo(nskb)->nr_frags++; -@@ -3013,11 +3013,11 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - skb_frag++; - pos += size; - } else { -- skb_frag_size_sub(frag, pos + size - (offset + len)); -+ skb_frag_size_sub(nskb_frag, pos + size - (offset + len)); - goto skip_fraglist; - } - -- frag++; -+ nskb_frag++; - } - - skip_fraglist: 
diff --git a/debian/patches/bugfix/all/0002-skbuff-skb_segment-s-skb_frag-frag.patch b/debian/patches/bugfix/all/0002-skbuff-skb_segment-s-skb_frag-frag.patch deleted file mode 100644 index e4549d479..000000000 --- a/debian/patches/bugfix/all/0002-skbuff-skb_segment-s-skb_frag-frag.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Mon, 10 Mar 2014 18:29:14 +0200 -Subject: [2/5] skbuff: skb_segment: s/skb_frag/frag/ -Origin: https://git.kernel.org/linus/4e1beba12d094c6c761ba5c49032b9b9e46380e8 - -skb_frag can in fact point at either skb -or fskb so rename it generally "frag". - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - net/core/skbuff.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 60e8cd7..d788a98 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2850,7 +2850,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - struct sk_buff *segs = NULL; - struct sk_buff *tail = NULL; - struct sk_buff *fskb = skb_shinfo(skb)->frag_list; -- skb_frag_t *skb_frag = skb_shinfo(skb)->frags; -+ skb_frag_t *frag = skb_shinfo(skb)->frags; - unsigned int mss = skb_shinfo(skb)->gso_size; - unsigned int doffset = skb->data - skb_mac_header(skb); - unsigned int offset = doffset; -@@ -2896,19 +2896,19 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - i = 0; - nfrags = skb_shinfo(fskb)->nr_frags; -- skb_frag = skb_shinfo(fskb)->frags; -+ frag = skb_shinfo(fskb)->frags; - pos += skb_headlen(fskb); - - while (pos < offset + len) { - BUG_ON(i >= nfrags); - -- size = skb_frag_size(skb_frag); -+ size = skb_frag_size(frag); - if (pos + size > offset + len) - break; - - i++; - pos += size; -- skb_frag++; -+ frag++; - } - - nskb = skb_clone(fskb, GFP_ATOMIC); -@@ -2982,7 +2982,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - i = 0; - nfrags = skb_shinfo(fskb)->nr_frags; -- skb_frag = skb_shinfo(fskb)->frags; -+ frag = skb_shinfo(fskb)->frags; - - BUG_ON(!nfrags); - -@@ -2997,7 +2997,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - goto err; - } - -- *nskb_frag = *skb_frag; -+ *nskb_frag = *frag; - 
__skb_frag_ref(nskb_frag); - size = skb_frag_size(nskb_frag); - -@@ -3010,7 +3010,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - if (pos + size <= offset + len) { - i++; -- skb_frag++; -+ frag++; - pos += size; - } else { - skb_frag_size_sub(nskb_frag, pos + size - (offset + len)); diff --git a/debian/patches/bugfix/all/0003-skbuff-skb_segment-s-skb-head_skb.patch b/debian/patches/bugfix/all/0003-skbuff-skb_segment-s-skb-head_skb.patch deleted file mode 100644 index 2f173415e..000000000 --- a/debian/patches/bugfix/all/0003-skbuff-skb_segment-s-skb-head_skb.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Mon, 10 Mar 2014 18:29:19 +0200 -Subject: [3/5] skbuff: skb_segment: s/skb/head_skb/ -Origin: https://git.kernel.org/linus/df5771ffefb13f8af5392bd54fd7e2b596a3a357 - -rename local variable to make it easier to tell at a glance that we are -dealing with a head skb. - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - net/core/skbuff.c | 46 ++++++++++++++++++++++++---------------------- - 1 file changed, 24 insertions(+), 22 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index d788a98..fdc065d 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2838,41 +2838,42 @@ EXPORT_SYMBOL_GPL(skb_pull_rcsum); - - /** - * skb_segment - Perform protocol segmentation on skb. -- * @skb: buffer to segment -+ * @head_skb: buffer to segment - * @features: features for the output path (see dev->features) - * - * This function performs segmentation on the given skb. It returns - * a pointer to the first in a list of new skbs for the segments. - * In case of error it returns ERR_PTR(err). 
- */ --struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) -+struct sk_buff *skb_segment(struct sk_buff *head_skb, -+ netdev_features_t features) - { - struct sk_buff *segs = NULL; - struct sk_buff *tail = NULL; -- struct sk_buff *fskb = skb_shinfo(skb)->frag_list; -- skb_frag_t *frag = skb_shinfo(skb)->frags; -- unsigned int mss = skb_shinfo(skb)->gso_size; -- unsigned int doffset = skb->data - skb_mac_header(skb); -+ struct sk_buff *fskb = skb_shinfo(head_skb)->frag_list; -+ skb_frag_t *frag = skb_shinfo(head_skb)->frags; -+ unsigned int mss = skb_shinfo(head_skb)->gso_size; -+ unsigned int doffset = head_skb->data - skb_mac_header(head_skb); - unsigned int offset = doffset; -- unsigned int tnl_hlen = skb_tnl_header_len(skb); -+ unsigned int tnl_hlen = skb_tnl_header_len(head_skb); - unsigned int headroom; - unsigned int len; - __be16 proto; - bool csum; - int sg = !!(features & NETIF_F_SG); -- int nfrags = skb_shinfo(skb)->nr_frags; -+ int nfrags = skb_shinfo(head_skb)->nr_frags; - int err = -ENOMEM; - int i = 0; - int pos; - -- proto = skb_network_protocol(skb); -+ proto = skb_network_protocol(head_skb); - if (unlikely(!proto)) - return ERR_PTR(-EINVAL); - - csum = !!can_checksum_protocol(features, proto); -- __skb_push(skb, doffset); -- headroom = skb_headroom(skb); -- pos = skb_headlen(skb); -+ __skb_push(head_skb, doffset); -+ headroom = skb_headroom(head_skb); -+ pos = skb_headlen(head_skb); - - do { - struct sk_buff *nskb; -@@ -2880,11 +2881,11 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - int hsize; - int size; - -- len = skb->len - offset; -+ len = head_skb->len - offset; - if (len > mss) - len = mss; - -- hsize = skb_headlen(skb) - offset; -+ hsize = skb_headlen(head_skb) - offset; - if (hsize < 0) - hsize = 0; - if (hsize > len || !sg) -@@ -2933,7 +2934,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - __skb_push(nskb, doffset); - } else { - nskb = 
__alloc_skb(hsize + doffset + headroom, -- GFP_ATOMIC, skb_alloc_rx_flag(skb), -+ GFP_ATOMIC, skb_alloc_rx_flag(head_skb), - NUMA_NO_NODE); - - if (unlikely(!nskb)) -@@ -2949,12 +2950,12 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - segs = nskb; - tail = nskb; - -- __copy_skb_header(nskb, skb); -- nskb->mac_len = skb->mac_len; -+ __copy_skb_header(nskb, head_skb); -+ nskb->mac_len = head_skb->mac_len; - - skb_headers_offset_update(nskb, skb_headroom(nskb) - headroom); - -- skb_copy_from_linear_data_offset(skb, -tnl_hlen, -+ skb_copy_from_linear_data_offset(head_skb, -tnl_hlen, - nskb->data - tnl_hlen, - doffset + tnl_hlen); - -@@ -2963,7 +2964,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - if (!sg) { - nskb->ip_summed = CHECKSUM_NONE; -- nskb->csum = skb_copy_and_csum_bits(skb, offset, -+ nskb->csum = skb_copy_and_csum_bits(head_skb, offset, - skb_put(nskb, len), - len, 0); - continue; -@@ -2971,10 +2972,11 @@ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features) - - nskb_frag = skb_shinfo(nskb)->frags; - -- skb_copy_from_linear_data_offset(skb, offset, -+ skb_copy_from_linear_data_offset(head_skb, offset, - skb_put(nskb, hsize), hsize); - -- skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG; -+ skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags & -+ SKBTX_SHARED_FRAG; - - while (pos < offset + len) { - if (i >= nfrags) { -@@ -3031,7 +3033,7 @@ perform_csum_check: - nskb->len - doffset, 0); - nskb->ip_summed = CHECKSUM_NONE; - } -- } while ((offset += len) < skb->len); -+ } while ((offset += len) < head_skb->len); - - return segs; - diff --git a/debian/patches/bugfix/all/0004-skbuff-skb_segment-s-fskb-list_skb.patch b/debian/patches/bugfix/all/0004-skbuff-skb_segment-s-fskb-list_skb.patch deleted file mode 100644 index b7ba26d11..000000000 --- a/debian/patches/bugfix/all/0004-skbuff-skb_segment-s-fskb-list_skb.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Mon, 10 Mar 2014 19:27:59 +0200 -Subject: [4/5] skbuff: skb_segment: s/fskb/list_skb/ -Origin: https://git.kernel.org/linus/1a4cedaf65491e66e1e55b8428c89209da729209 - -fskb is unrelated to frag: it's coming from -frag_list. Rename it list_skb to avoid confusion. - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - net/core/skbuff.c | 26 +++++++++++++------------- - 1 file changed, 13 insertions(+), 13 deletions(-) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index fdc065d..dc4f768 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2850,7 +2850,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - { - struct sk_buff *segs = NULL; - struct sk_buff *tail = NULL; -- struct sk_buff *fskb = skb_shinfo(head_skb)->frag_list; -+ struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list; - skb_frag_t *frag = skb_shinfo(head_skb)->frags; - unsigned int mss = skb_shinfo(head_skb)->gso_size; - unsigned int doffset = head_skb->data - skb_mac_header(head_skb); -@@ -2891,14 +2891,14 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - if (hsize > len || !sg) - hsize = len; - -- if (!hsize && i >= nfrags && skb_headlen(fskb) && -- (skb_headlen(fskb) == len || sg)) { -- BUG_ON(skb_headlen(fskb) > len); -+ if (!hsize && i >= nfrags && skb_headlen(list_skb) && -+ (skb_headlen(list_skb) == len || sg)) { -+ BUG_ON(skb_headlen(list_skb) > len); - - i = 0; -- nfrags = skb_shinfo(fskb)->nr_frags; -- frag = skb_shinfo(fskb)->frags; -- pos += skb_headlen(fskb); -+ nfrags = skb_shinfo(list_skb)->nr_frags; -+ frag = skb_shinfo(list_skb)->frags; -+ pos += skb_headlen(list_skb); - - while (pos < offset + len) { - BUG_ON(i >= nfrags); -@@ -2912,8 +2912,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - frag++; - } - -- nskb = skb_clone(fskb, GFP_ATOMIC); -- fskb = fskb->next; -+ nskb = skb_clone(list_skb, GFP_ATOMIC); -+ list_skb = list_skb->next; - - if (unlikely(!nskb)) - goto 
err; -@@ -2980,15 +2980,15 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - - while (pos < offset + len) { - if (i >= nfrags) { -- BUG_ON(skb_headlen(fskb)); -+ BUG_ON(skb_headlen(list_skb)); - - i = 0; -- nfrags = skb_shinfo(fskb)->nr_frags; -- frag = skb_shinfo(fskb)->frags; -+ nfrags = skb_shinfo(list_skb)->nr_frags; -+ frag = skb_shinfo(list_skb)->frags; - - BUG_ON(!nfrags); - -- fskb = fskb->next; -+ list_skb = list_skb->next; - } - - if (unlikely(skb_shinfo(nskb)->nr_frags >= diff --git a/debian/patches/bugfix/all/0005-skbuff-skb_segment-orphan-frags-before-copying.patch b/debian/patches/bugfix/all/0005-skbuff-skb_segment-orphan-frags-before-copying.patch deleted file mode 100644 index 1d61c6465..000000000 --- a/debian/patches/bugfix/all/0005-skbuff-skb_segment-orphan-frags-before-copying.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Mon, 10 Mar 2014 19:28:08 +0200 -Subject: [5/5] skbuff: skb_segment: orphan frags before copying -Origin: https://git.kernel.org/linus/1fd819ecb90cc9b822cd84d3056ddba315d3340f - -skb_segment copies frags around, so we need -to copy them carefully to avoid accessing -user memory after reporting completion to userspace -through a callback. - -skb_segment doesn't normally happen on datapath: -TSO needs to be disabled - so disabling zero copy -in this case does not look like a big deal. - -Signed-off-by: Michael S. Tsirkin -Acked-by: Herbert Xu -Signed-off-by: David S. Miller ---- - net/core/skbuff.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index dc4f768..869c7af 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2854,6 +2854,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - skb_frag_t *frag = skb_shinfo(head_skb)->frags; - unsigned int mss = skb_shinfo(head_skb)->gso_size; - unsigned int doffset = head_skb->data - skb_mac_header(head_skb); -+ struct sk_buff *frag_skb = head_skb; - unsigned int offset = doffset; - unsigned int tnl_hlen = skb_tnl_header_len(head_skb); - unsigned int headroom; -@@ -2898,6 +2899,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - i = 0; - nfrags = skb_shinfo(list_skb)->nr_frags; - frag = skb_shinfo(list_skb)->frags; -+ frag_skb = list_skb; - pos += skb_headlen(list_skb); - - while (pos < offset + len) { -@@ -2985,6 +2987,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - i = 0; - nfrags = skb_shinfo(list_skb)->nr_frags; - frag = skb_shinfo(list_skb)->frags; -+ frag_skb = list_skb; - - BUG_ON(!nfrags); - -@@ -2999,6 +3002,9 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, - goto err; - } - -+ if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC))) -+ goto err; -+ - *nskb_frag = *frag; - __skb_frag_ref(nskb_frag); - size = skb_frag_size(nskb_frag); 
diff --git a/debian/patches/bugfix/all/ipv6-don-t-set-DST_NOCOUNT-for-remotely-added-routes.patch b/debian/patches/bugfix/all/ipv6-don-t-set-DST_NOCOUNT-for-remotely-added-routes.patch deleted file mode 100644 index eb8ce2143..000000000 --- a/debian/patches/bugfix/all/ipv6-don-t-set-DST_NOCOUNT-for-remotely-added-routes.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Sabrina Dubroca -Date: Thu, 6 Mar 2014 17:51:57 +0100 -Subject: ipv6: don't set DST_NOCOUNT for remotely added routes -Origin: https://git.kernel.org/linus/c88507fbad8055297c1d1e21e599f46960cbee39 - -DST_NOCOUNT should only be used if an authorized user adds routes -locally. In case of routes which are added on behalf of router -advertisments this flag must not get used as it allows an unlimited -number of routes getting added remotely. - -Signed-off-by: Sabrina Dubroca -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/route.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 11dac21..fba54a4 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg) - if (!table) - goto out; - -- rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table); -+ rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table); - - if (!rt) { - err = -ENOMEM; diff --git a/debian/patches/bugfix/all/net-fix-for-a-race-condition-in-the-inet-frag-code.patch b/debian/patches/bugfix/all/net-fix-for-a-race-condition-in-the-inet-frag-code.patch deleted file mode 100644 index e19e35901..000000000 --- a/debian/patches/bugfix/all/net-fix-for-a-race-condition-in-the-inet-frag-code.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From: Nikolay Aleksandrov -Date: Mon, 3 Mar 2014 23:19:18 +0100 -Subject: net: fix for a race condition in the inet frag code -Origin: https://git.kernel.org/linus/24b9bf43e93e0edd89072da51cf1fab95fc69dec - -I stumbled upon this very serious bug while hunting for another one, -it's a very subtle race condition between inet_frag_evictor, -inet_frag_intern and the IPv4/6 frag_queue and expire functions -(basically the users of inet_frag_kill/inet_frag_put). - -What happens is that after a fragment has been added to the hash chain -but before it's been added to the lru_list (inet_frag_lru_add) in -inet_frag_intern, it may get deleted (either by an expired timer if -the system load is high or the timer sufficiently low, or by the -fraq_queue function for different reasons) before it's added to the -lru_list, then after it gets added it's a matter of time for the -evictor to get to a piece of memory which has been freed leading to a -number of different bugs depending on what's left there. - -I've been able to trigger this on both IPv4 and IPv6 (which is normal -as the frag code is the same), but it's been much more difficult to -trigger on IPv4 due to the protocol differences about how fragments -are treated. - -The setup I used to reproduce this is: 2 machines with 4 x 10G bonded -in a RR bond, so the same flow can be seen on multiple cards at the -same time. Then I used multiple instances of ping/ping6 to generate -fragmented packets and flood the machines with them while running -other processes to load the attacked machine. - -*It is very important to have the _same flow_ coming in on multiple CPUs -concurrently. Usually the attacked machine would die in less than 30 -minutes, if configured properly to have many evictor calls and timeouts -it could happen in 10 minutes or so. 
- -An important point to make is that any caller (frag_queue or timer) of -inet_frag_kill will remove both the timer refcount and the -original/guarding refcount thus removing everything that's keeping the -frag from being freed at the next inet_frag_put. All of this could -happen before the frag was ever added to the LRU list, then it gets -added and the evictor uses a freed fragment. - -An example for IPv6 would be if a fragment is being added and is at -the stage of being inserted in the hash after the hash lock is -released, but before inet_frag_lru_add executes (or is able to obtain -the lru lock) another overlapping fragment for the same flow arrives -at a different CPU which finds it in the hash, but since it's -overlapping it drops it invoking inet_frag_kill and thus removing all -guarding refcounts, and afterwards freeing it by invoking -inet_frag_put which removes the last refcount added previously by -inet_frag_find, then inet_frag_lru_add gets executed by -inet_frag_intern and we have a freed fragment in the lru_list. - -The fix is simple, just move the lru_add under the hash chain locked -region so when a removing function is called it'll have to wait for -the fragment to be added to the lru_list, and then it'll remove it (it -works because the hash chain removal is done before the lru_list one -and there's no window between the two list adds when the frag can get -dropped). With this fix applied I couldn't kill the same machine in 24 -hours with the same setup. - -Fixes: 3ef0eb0db4bf ("net: frag, move LRU list maintenance outside of -rwlock") - -CC: Florian Westphal -CC: Jesper Dangaard Brouer -CC: David S. Miller - -Signed-off-by: Nikolay Aleksandrov -Acked-by: Jesper Dangaard Brouer -Signed-off-by: David S. 
Miller ---- - net/ipv4/inet_fragment.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c -index bb075fc..322dceb 100644 ---- a/net/ipv4/inet_fragment.c -+++ b/net/ipv4/inet_fragment.c -@@ -278,9 +278,10 @@ static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf, - - atomic_inc(&qp->refcnt); - hlist_add_head(&qp->list, &hb->chain); -+ inet_frag_lru_add(nf, qp); - spin_unlock(&hb->chain_lock); - read_unlock(&f->lock); -- inet_frag_lru_add(nf, qp); -+ - return qp; - } - diff --git a/debian/patches/bugfix/all/net-use-kfree_skb_list-helper.patch b/debian/patches/bugfix/all/net-use-kfree_skb_list-helper.patch deleted file mode 100644 index a318fd01c..000000000 --- a/debian/patches/bugfix/all/net-use-kfree_skb_list-helper.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From: Eric Dumazet -Date: Fri, 20 Dec 2013 14:29:08 -0800 -Subject: net: use kfree_skb_list() helper -Origin: https://git.kernel.org/linus/289dccbe141e01efc5968fe39a0993c9f611375e - -We can use kfree_skb_list() instead of open coding it. - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/core/dev.c | 18 +++--------------- - net/core/skbuff.c | 5 +---- - 2 files changed, 4 insertions(+), 19 deletions(-) - -diff --git a/net/core/dev.c b/net/core/dev.c -index c482fe8..973c236 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -2454,13 +2454,8 @@ static void dev_gso_skb_destructor(struct sk_buff *skb) - { - struct dev_gso_cb *cb; - -- do { -- struct sk_buff *nskb = skb->next; -- -- skb->next = nskb->next; -- nskb->next = NULL; -- kfree_skb(nskb); -- } while (skb->next); -+ kfree_skb_list(skb->next); -+ skb->next = NULL; - - cb = DEV_GSO_CB(skb); - if (cb->destructor) -@@ -4240,17 +4235,10 @@ EXPORT_SYMBOL(netif_napi_add); - - void netif_napi_del(struct napi_struct *napi) - { -- struct sk_buff *skb, *next; -- - list_del_init(&napi->dev_list); - napi_free_frags(napi); - -- for (skb = napi->gro_list; skb; skb = next) { -- next = skb->next; -- skb->next = NULL; -- kfree_skb(skb); -- } -- -+ kfree_skb_list(napi->gro_list); - napi->gro_list = NULL; - napi->gro_count = 0; - } -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 2b6b863..eb96c2c 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2981,10 +2981,7 @@ perform_csum_check: - return segs; - - err: -- while ((skb = segs)) { -- segs = skb->next; -- kfree_skb(skb); -- } -+ kfree_skb_list(segs); - return ERR_PTR(err); - } - EXPORT_SYMBOL_GPL(skb_segment); diff --git a/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch b/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch deleted file mode 100644 index 3110e61b5..000000000 
--- a/debian/patches/bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch +++ /dev/null @@ -1,58 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Thu, 27 Mar 2014 12:00:26 +0200 -Subject: [1/2] vhost: fix total length when packets are too short -Origin: https://git.kernel.org/linus/d8316f3991d207fe32881a9ac20241be8fa2bad0 - -When mergeable buffers are disabled, and the -incoming packet is too large for the rx buffer, -get_rx_bufs returns success. - -This was intentional in order for make recvmsg -truncate the packet and then handle_rx would -detect err != sock_len and drop it. - -Unfortunately we pass the original sock_len to -recvmsg - which means we use parts of iov not fully -validated. - -Fix this up by detecting this overrun and doing packet drop -immediately. - -CVE-2014-0077 - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/vhost/net.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -528,6 +528,12 @@ static int get_rx_bufs(struct vhost_virt - *iovcount = seg; - if (unlikely(log)) - *log_num = nlogs; -+ -+ /* Detect overrun */ -+ if (unlikely(datalen > 0)) { -+ r = UIO_MAXIOV + 1; -+ goto err; -+ } - return headcount; - err: - vhost_discard_vq_desc(vq, headcount); -@@ -583,6 +589,14 @@ static void handle_rx(struct vhost_net * - /* On error, stop handling until the next kick. */ - if (unlikely(headcount < 0)) - break; -+ /* On overrun, truncate and discard */ -+ if (unlikely(headcount > UIO_MAXIOV)) { -+ msg.msg_iovlen = 1; -+ err = sock->ops->recvmsg(NULL, sock, &msg, -+ 1, MSG_DONTWAIT | MSG_TRUNC); -+ pr_debug("Discarded rx packet: len %zd\n", sock_len); -+ continue; -+ } - /* OK, now we need to know about added descriptors. */ - if (!headcount) { - if (unlikely(vhost_enable_notify(&net->dev, vq))) { 
diff --git a/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch b/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch deleted file mode 100644 index 3460e8304..000000000 --- a/debian/patches/bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: "Michael S. Tsirkin" -Date: Thu, 27 Mar 2014 12:53:37 +0200 -Subject: [2/2] vhost: validate vhost_get_vq_desc return value -Origin: https://git.kernel.org/linus/a39ee449f96a2cd44ce056d8a0a112211a9b1a1f - -vhost fails to validate negative error code -from vhost_get_vq_desc causing -a crash: we are using -EFAULT which is 0xfffffff2 -as vector size, which exceeds the allocated size. - -The code in question was introduced in commit -8dd014adfea6f173c1ef6378f7e5e7924866c923 - vhost-net: mergeable buffers support - -CVE-2014-0055 - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/vhost/net.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -501,9 +501,13 @@ static int get_rx_bufs(struct vhost_virt - r = -ENOBUFS; - goto err; - } -- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, -+ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, - ARRAY_SIZE(vq->iov) - seg, &out, - &in, log, log_num); -+ if (unlikely(r < 0)) -+ goto err; -+ -+ d = r; - if (d == vq->num) { - r = 0; - goto err; diff --git a/debian/patches/series b/debian/patches/series index ed7953f45..fed5afac1 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -79,20 +79,10 @@ bugfix/all/staging-lustre-Make-LUSTRE_LLITE_LLOOP-tristate.patch
 bugfix/all/i2c-designware-remove-HAVE_CLK-build-dependecy.patch
 debian/snd-pcsp-disable-autoload.patch
 bugfix/all/bluetooth-allocate-static-minor-for-vhci.patch
-bugfix/all/net-fix-for-a-race-condition-in-the-inet-frag-code.patch
 bugfix/all/KEYS-Make-the-keyring-cycle-detector-ignore-other-ke.patch
-bugfix/all/net-use-kfree_skb_list-helper.patch
-bugfix/all/0001-skbuff-skb_segment-s-frag-nskb_frag.patch
-bugfix/all/0002-skbuff-skb_segment-s-skb_frag-frag.patch
-bugfix/all/0003-skbuff-skb_segment-s-skb-head_skb.patch
-bugfix/all/0004-skbuff-skb_segment-s-fskb-list_skb.patch
-bugfix/all/0005-skbuff-skb_segment-orphan-frags-before-copying.patch
-bugfix/all/ipv6-don-t-set-DST_NOCOUNT-for-remotely-added-routes.patch
 debian/fs-avoid-abi-change-in-3.13.6.patch
 debian/netdev-avoid-abi-change-in-3.13.6.patch
 debian/can-avoid-abi-change-in-3.13.6.patch
 debian/arm-mm-avoid-abi-change-in-3.13.6.patch
 debian/fireware-avoid-abi-change-in-3.13.7.patch
 bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
-bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch
-bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch
From a7ea5c3c975f61f898e9eb3f44e86b062dac1568 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Tue, 15 Apr 2014 21:12:25 +0000
Subject: [PATCH 6/7] Work around or ignore some more ABI changes
svn path=/dists/sid/linux/; revision=21236
---
 debian/config/defines | 1 +
 .../trace-avoid-abi-change-in-3.13.8.patch | 20 ++++++++
 .../vfs-avoid-abi-change-in-3.13.9.patch | 47 +++++++++++++++++++
 debian/patches/series | 2 +
 4 files changed, 70 insertions(+)
 create mode 100644 debian/patches/debian/trace-avoid-abi-change-in-3.13.8.patch
 create mode 100644 debian/patches/debian/vfs-avoid-abi-change-in-3.13.9.patch
diff --git a/debian/config/defines b/debian/config/defines
index 9a0472001..08db07916 100644
--- a/debian/config/defines
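Review bot: This hunk drops the two vhost CVE fixes (`bugfix/all/vhost-fix-total-length-when-packets-are-too-short.patch`, `bugfix/all/vhost-validate-vhost_get_vq_desc-return-value.patch`), the inet-frag race fix and the skb_segment orphan-frags series from the applied set, but nothing visible here records that the upstream stable update now carries them. Presumably they are superseded by the 3.13.8/3.13.9 stable releases; before release it is worth checking each dropped patch's Origin commit against the stable changelog, since a patch dropped without its upstream equivalent silently reopens the CVE. The commit message for this change lies outside the visible range.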
+++ b/debian/config/defines
@@ -7,6 +7,7 @@ ignore-changes:
 tcp_slow_start
 # Not expected to be used by OOT drivers
 module:drivers/net/usb/*
+ module:net/ceph/libceph
 [base]
 arches:
diff --git a/debian/patches/debian/trace-avoid-abi-change-in-3.13.8.patch b/debian/patches/debian/trace-avoid-abi-change-in-3.13.8.patch
new file mode 100644
index 000000000..02a887e09
--- /dev/null
+++ b/debian/patches/debian/trace-avoid-abi-change-in-3.13.8.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings
+Date: Tue, 15 Apr 2014 22:05:04 +0100
+Subject: trace: Avoid ABI change in 3.13.8
+Forwarded: not-needed
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -27,6 +27,12 @@
+
+ DEFINE_MUTEX(event_mutex);
+
++/* Should no longer be used, but kept for compatibility with older modules */
++DEFINE_MUTEX(event_storage_mutex);
++EXPORT_SYMBOL_GPL(event_storage_mutex);
++char event_storage[128];
++EXPORT_SYMBOL_GPL(event_storage);
++
+ LIST_HEAD(ftrace_events);
+ static LIST_HEAD(ftrace_common_fields);
+
diff --git a/debian/patches/debian/vfs-avoid-abi-change-in-3.13.9.patch b/debian/patches/debian/vfs-avoid-abi-change-in-3.13.9.patch
new file mode 100644
index 000000000..43d6384f2
--- /dev/null
+++ b/debian/patches/debian/vfs-avoid-abi-change-in-3.13.9.patch
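Review bot: The restored `event_storage` is a bare 128-byte exported global, and the comment above it names neither the upstream change that removed it nor the condition under which this shim can be dropped. I would replace the comment with `/* Removed upstream in 3.13.8 (see patch subject); presumably unused in-tree, kept only so exported symbol versions do not change. Drop at the next ABI bump. */`. If the upstream removal fixed a race or bounds problem rather than being a pure cleanup, out-of-tree modules still bound to this buffer keep the old behaviour, which the comment should state so that anyone debugging such a module does not look for the buffer in current upstream source.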
@@ -0,0 +1,47 @@
+From: Ben Hutchings
+Date: Tue, 15 Apr 2014 21:56:00 +0100
+Subject: vfs: Avoid ABI change in 3.13.9
+Forwarded: not-needed
+
+--- a/fs/mount.h
++++ b/fs/mount.h
+@@ -18,14 +18,27 @@ struct mnt_pcp {
+ int mnt_writers;
+ };
+
++/*
++ * These structures are not exposed to modules, but changes somehow
++ * still affect exported symbol versions!
++ */
++
+ struct mountpoint {
++#ifdef __GENKSYMS__
++ struct list_head m_hash; /* not really */
++#else
+ struct hlist_node m_hash;
++#endif
+ struct dentry *m_dentry;
+ int m_count;
+ };
+
+ struct mount {
++#ifdef __GENKSYMS__
++ struct list_head mnt_hash; /* not really */
++#else
+ struct hlist_node mnt_hash;
++#endif
+ struct mount *mnt_parent;
+ struct dentry *mnt_mountpoint;
+ struct vfsmount mnt;
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -23,7 +23,9 @@
+ #include
+ #include
+ #include
++#ifndef __GENKSYMS__
+ #include
++#endif
+ #include "pnode.h"
+ #include "internal.h"
+
diff --git a/debian/patches/series b/debian/patches/series
index fed5afac1..90bb099c2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -86,3 +86,5 @@ debian/can-avoid-abi-change-in-3.13.6.patch
 debian/arm-mm-avoid-abi-change-in-3.13.6.patch
 debian/fireware-avoid-abi-change-in-3.13.7.patch
 bugfix/all/net-core-nfqueue-openvswitch-Orphan-frags-in-skb_zerocopy-and-handle-errors.patch
+debian/vfs-avoid-abi-change-in-3.13.9.patch
+debian/trace-avoid-abi-change-in-3.13.8.patch
From 59876c9de13edc1f1fc5a1ed3a2d8111c6b0e3a0 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 16 Apr 2014 03:33:41 +0000
Subject: [PATCH 7/7] Prepare to release linux (3.13.10-1).
svn path=/dists/sid/linux/; revision=21237
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d65a39d2e..b823d0e0f 100644
--- a/debian/changelog
+++ b/debian/changelog
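Review bot: The `#ifdef __GENKSYMS__` swap in `struct mountpoint` and `struct mount` keeps the real layout intact only because `struct list_head` and `struct hlist_node` are both two pointers wide, and neither the `/* not really */` comments nor the header comment says so. I would write `/* same size as hlist_node; only fakes the pre-3.13.9 symbol CRC */` on both substituted members, and replace "somehow" in the header comment with the actual mechanism if it is known (presumably CRCs of exported functions whose signatures reach these types through fs/namespace.c). The matching `#ifndef __GENKSYMS__` in fs/namespace.c guards an include whose name is missing in this rendering; a one-line comment there naming the header hidden from genksyms and why would let the next ABI review remove both halves together. The `struct mount` definition continues past the end of the hunk.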
@@ -1,4 +1,4 @@
-linux (3.13.10-1) UNRELEASED; urgency=medium
+linux (3.13.10-1) unstable; urgency=medium
 * New upstream stable update:
 http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.8
@@ -78,7 +78,7 @@ linux (3.13.10-1) UNRELEASED; urgency=medium
 - [m68k] Skip futex_atomic_cmpxchg_inatomic() test
 - crypto: ghash-clmulni-intel - use C implementation for setkey()
- -- Ben Hutchings Mon, 31 Mar 2014 21:12:56 +0100
+ -- Ben Hutchings Tue, 15 Apr 2014 22:12:38 +0100
 linux (3.13.7-1) unstable; urgency=medium