[linux] 01/01: Update to 4.3.4

debian-kernel at lists.debian.org
Sat Jan 23 18:20:56 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 9b355e6846793b107e2b0518e7874fc88ce57537
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jan 23 12:11:55 2016 +0000

    Update to 4.3.4
---
 debian/changelog                                   |  55 ++++++++++
 ...-keyring-ref-leak-in-join_session_keyring.patch |  75 -------------
 ...alidate-socket-address-length-in-sco_sock.patch |  22 ----
 .../keys-fix-race-between-read-and-revoke.patch    | 110 -------------------
 ...alidation-for-the-socket-syscall-protocol.patch | 121 ---------------------
 ...-sockaddr_len-in-pptp_bind-and-pptp_conne.patch |  34 ------
 ...fix-double-free-and-memory-corruption-on-.patch |  55 ----------
 ...pc-fix-kfree_skb-of-uninitialised-pointer.patch |  29 -----
 ...ble-free-and-memory-corruption-on-registe.patch |  95 ----------------
 debian/patches/series                              |   8 --
 10 files changed, 55 insertions(+), 549 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 83d54a0..7d35ae9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,58 @@
+linux (4.3.4-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.4
+    - ACPI: Use correct IRQ when uninstalling ACPI interrupt handler
+    - ACPI: Using correct irq when waiting for events
+    - ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle
+    - tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0
+    - toshiba_acpi: Initialize hotkey_event_type variable
+    - USB: cdc_acm: Ignore Infineon Flash Loader utility
+    - USB: serial: Another Infineon flash loader USB ID
+    - usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter
+      JMicron
+    - USB: cp210x: Remove CP2110 ID from compatibility list
+    - USB: add quirk for devices with broken LPM
+    - USB: whci-hcd: add check for dma mapping error
+    - usb: gadget: pxa27x: fix suspend callback
+    - USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq
+    - usb: musb: USB_TI_CPPI41_DMA requires dmaengine support
+    - usb: core : hub: Fix BOS 'NULL pointer' kernel panic
+    - usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
+    - pppoe: fix memory corruption in padt work structure
+    - gre6: allow to update all parameters via rtnl
+    - atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
+    - ipv6: keep existing flags when setting IFA_F_OPTIMISTIC
+    - vxlan: fix incorrect RCO bit in VXLAN header
+    - sctp: use the same clock as if sock source timestamps were on
+    - sctp: update the netstamp_needed counter when copying sockets
+    - sctp: also copy sk_tsflags when copying the socket
+    - net: cdc_mbim: add "NDP to end" quirk for Huawei E3372
+    - net: qca_spi: fix transmit queue timeout handling
+    - r8152: fix lockup when runtime PM is enabled
+    - ipv6: sctp: clone options to avoid use after free
+    - phy: micrel: Fix finding PHY properties in MAC node.
+    - openvswitch: Fix helper reference leak
+    - openvswitch: Respect conntrack zone even if invalid
+    - uapi: export ila.h
+    - sh_eth: fix kernel oops in skb_put()
+    - net: fix IP early demux races
+    - vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
+    - skbuff: Fix offset error in skb_reorder_vlan_header
+    - net: check both type and procotol for tcp sockets
+    - net_sched: make qdisc_tree_decrease_qlen() work for non mq
+    - net: fix uninitialized variable issue
+    - ipv6: automatically enable stable privacy mode if stable_secret set
+    - inet: tcp: fix inetpeer_set_addr_v4()
+    - rhashtable: Enforce minimum size on initial hash table
+    - gianfar: Don't enable RX Filer if not supported
+    - fou: clean up socket with kfree_rcu
+    - af_unix: Revert 'lock_interruptible' in stream receive code
+    - tcp: restore fastopen with no data in SYN packet
+    - rhashtable: Fix walker list corruption
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 23 Jan 2016 11:51:46 +0000
+
 linux (4.3.3-7) unstable; urgency=medium
 
   * linux-image-dbg: Don't rely on upstream makefile to make .build-id
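Review bot: The new 4.3.4-1 entry lists upstream changes only and says nothing about the eight files this commit deletes from debian/patches. None of their subjects (the two KEYS fixes, the socket protocol validation, the pptp and bluetooth sockaddr length checks, the vrf pair, the tipc fix) appear in the list above, so the changelog alone does not show that those fixes are still present in the package. Suggest adding a line to this entry that records the patches as dropped because they are applied upstream, naming the CVE IDs the patches themselves cite (CVE-2015-7550, CVE-2015-8543).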
diff --git a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
deleted file mode 100644
index 9c6a969..0000000
--- a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001
-From: Yevgeny Pats <yevgeny at perception-point.io>
-Date: Mon, 11 Jan 2016 12:05:28 +0000
-Subject: KEYS: Fix keyring ref leak in join_session_keyring()
-
-If a thread is asked to join as a session keyring the keyring that's already
-set as its session, we leak a keyring reference.
-
-This can be tested with the following program:
-
-	#include <stddef.h>
-	#include <stdio.h>
-	#include <sys/types.h>
-	#include <keyutils.h>
-
-	int main(int argc, const char *argv[])
-	{
-		int i = 0;
-		key_serial_t serial;
-
-		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-				"leaked-keyring");
-		if (serial < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		if (keyctl(KEYCTL_SETPERM, serial,
-			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		for (i = 0; i < 100; i++) {
-			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-					"leaked-keyring");
-			if (serial < 0) {
-				perror("keyctl");
-				return -1;
-			}
-		}
-
-		return 0;
-	}
-
-If, after the program has run, there something like the following line in
-/proc/keys:
-
-3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
-
-with a usage count of 100 * the number of times the program has been run,
-then the kernel is malfunctioning.  If leaked-keyring has zero usages or
-has been garbage collected, then the problem is fixed.
-
-Reported-by: Yevgeny Pats <yevgeny at perception-point.io>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
- security/keys/process_keys.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index a3f85d2..e6d50172 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- 		ret = PTR_ERR(keyring);
- 		goto error2;
- 	} else if (keyring == new->session_keyring) {
-+		key_put(keyring);
- 		ret = 0;
- 		goto error2;
- 	}
--- 
-2.7.0.rc3
-
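Review bot: Unlike the other dropped patches, this file has no Origin: or Forwarded: header, only the raw "From 7ca88764d45c209791e8813131c1457c2e9e51e7" mbox line, so the packaging records no upstream commit to check 4.3.4 against. Before dropping it, confirm that security/keys/process_keys.c in 4.3.4 has the key_put(keyring) on the "keyring == new->session_keyring" branch of join_session_keyring(), and cite the superseding stable commit in the commit message or changelog. The test program and the /proc/keys usage-count check in the patch description give a direct way to verify the built kernel.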
diff --git a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch b/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
deleted file mode 100644
index ab4bdf6..0000000
--- a/debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Tue, 15 Dec 2015 15:39:08 -0500
-Subject: bluetooth: Validate socket address length in sco_sock_bind().
-Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4
-
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/bluetooth/sco.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/bluetooth/sco.c
-+++ b/net/bluetooth/sco.c
-@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *
- 	if (!addr || addr->sa_family != AF_BLUETOOTH)
- 		return -EINVAL;
- 
-+	if (addr_len < sizeof(struct sockaddr_sco))
-+		return -EINVAL;
-+
- 	lock_sock(sk);
- 
- 	if (sk->sk_state != BT_OPEN) {
diff --git a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch b/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
deleted file mode 100644
index e75e677..0000000
--- a/debian/patches/bugfix/all/keys-fix-race-between-read-and-revoke.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Fri, 18 Dec 2015 01:34:26 +0000
-Subject: KEYS: Fix race between read and revoke
-Origin: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d
-
-This fixes CVE-2015-7550.
-
-There's a race between keyctl_read() and keyctl_revoke().  If the revoke
-happens between keyctl_read() checking the validity of a key and the key's
-semaphore being taken, then the key type read method will see a revoked key.
-
-This causes a problem for the user-defined key type because it assumes in
-its read method that there will always be a payload in a non-revoked key
-and doesn't check for a NULL pointer.
-
-Fix this by making keyctl_read() check the validity of a key after taking
-semaphore instead of before.
-
-I think the bug was introduced with the original keyrings code.
-
-This was discovered by a multithreaded test program generated by syzkaller
-(http://github.com/google/syzkaller).  Here's a cleaned up version:
-
-	#include <sys/types.h>
-	#include <keyutils.h>
-	#include <pthread.h>
-	void *thr0(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		keyctl_revoke(key);
-		return 0;
-	}
-	void *thr1(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		char buffer[16];
-		keyctl_read(key, buffer, 16);
-		return 0;
-	}
-	int main()
-	{
-		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
-		pthread_t th[5];
-		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
-		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
-		pthread_join(th[0], 0);
-		pthread_join(th[1], 0);
-		pthread_join(th[2], 0);
-		pthread_join(th[3], 0);
-		return 0;
-	}
-
-Build as:
-
-	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
-
-Run as:
-
-	while keyctl-race; do :; done
-
-as it may need several iterations to crash the kernel.  The crash can be
-summarised as:
-
-	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
-	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
-	...
-	Call Trace:
-	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
-	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
-	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- security/keys/keyctl.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid,
- 
- 	/* the key is probably readable - now try to read it */
- can_read_key:
--	ret = key_validate(key);
--	if (ret == 0) {
--		ret = -EOPNOTSUPP;
--		if (key->type->read) {
--			/* read the data with the semaphore held (since we
--			 * might sleep) */
--			down_read(&key->sem);
-+	ret = -EOPNOTSUPP;
-+	if (key->type->read) {
-+		/* Read the data with the semaphore held (since we might sleep)
-+		 * to protect against the key being updated or revoked.
-+		 */
-+		down_read(&key->sem);
-+		ret = key_validate(key);
-+		if (ret == 0)
- 			ret = key->type->read(key, buffer, buflen);
--			up_read(&key->sem);
--		}
-+		up_read(&key->sem);
- 	}
- 
- error2:
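Review bot: Deleting this file removes the "This fixes CVE-2015-7550" statement, and the 4.3.4-1 changelog entry added in this commit has no KEYS item, so nothing in this commit ties the CVE to the new upstream version. Suggest naming the CVE in the changelog entry, and confirming that keyctl_read_key() in 4.3.4 calls key_validate(key) after down_read(&key->sem) rather than before it, which is the whole of the fix being dropped.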
diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
deleted file mode 100644
index fb9a94c..0000000
--- a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Date: Mon, 14 Dec 2015 22:03:39 +0100
-Subject: net: add validation for the socket syscall protocol argument
-Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9
-
-郭永刚 reported that one could simply crash the kernel as root by
-using a simple program:
-
-	int socket_fd;
-	struct sockaddr_in addr;
-	addr.sin_port = 0;
-	addr.sin_addr.s_addr = INADDR_ANY;
-	addr.sin_family = 10;
-
-	socket_fd = socket(10,3,0x40000000);
-	connect(socket_fd , &addr,16);
-
-AF_INET, AF_INET6 sockets actually only support 8-bit protocol
-identifiers. inet_sock's skc_protocol field thus is sized accordingly,
-thus larger protocol identifiers simply cut off the higher bits and
-store a zero in the protocol fields.
-
-This could lead to e.g. NULL function pointer because as a result of
-the cut off inet_num is zero and we call down to inet_autobind, which
-is NULL for raw sockets.
-
-kernel: Call Trace:
-kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
-kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
-kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
-kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
-kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
-kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
-kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
-
-I found no particular commit which introduced this problem.
-
-CVE: CVE-2015-8543
-Cc: Cong Wang <cwang at twopensource.com>
-Reported-by: 郭永刚 <guoyonggang at 360.cn>
-Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/net/sock.h     | 1 +
- net/ax25/af_ax25.c     | 3 +++
- net/decnet/af_decnet.c | 3 +++
- net/ipv4/af_inet.c     | 3 +++
- net/ipv6/af_inet6.c    | 3 +++
- net/irda/af_irda.c     | 3 +++
- 6 files changed, 16 insertions(+)
-
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -387,6 +387,7 @@ struct sock {
- 				sk_no_check_rx : 1,
- 				sk_userlocks : 4,
- 				sk_protocol  : 8,
-+#define SK_PROTOCOL_MAX U8_MAX
- 				sk_type      : 16;
- 	kmemcheck_bitfield_end(flags);
- 	int			sk_wmem_queued;
---- a/net/ax25/af_ax25.c
-+++ b/net/ax25/af_ax25.c
-@@ -805,6 +805,9 @@ static int ax25_create(struct net *net,
- 	struct sock *sk;
- 	ax25_cb *ax25;
- 
-+	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+		return -EINVAL;
-+
- 	if (!net_eq(net, &init_net))
- 		return -EAFNOSUPPORT;
- 
---- a/net/decnet/af_decnet.c
-+++ b/net/decnet/af_decnet.c
-@@ -678,6 +678,9 @@ static int dn_create(struct net *net, st
- {
- 	struct sock *sk;
- 
-+	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+		return -EINVAL;
-+
- 	if (!net_eq(net, &init_net))
- 		return -EAFNOSUPPORT;
- 
---- a/net/ipv4/af_inet.c
-+++ b/net/ipv4/af_inet.c
-@@ -261,6 +261,9 @@ static int inet_create(struct net *net,
- 	int try_loading_module = 0;
- 	int err;
- 
-+	if (protocol < 0 || protocol >= IPPROTO_MAX)
-+		return -EINVAL;
-+
- 	sock->state = SS_UNCONNECTED;
- 
- 	/* Look for the requested type/protocol pair. */
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
- 	int try_loading_module = 0;
- 	int err;
- 
-+	if (protocol < 0 || protocol >= IPPROTO_MAX)
-+		return -EINVAL;
-+
- 	/* Look for the requested type/protocol pair. */
- lookup_protocol:
- 	err = -ESOCKTNOSUPPORT;
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net,
- 	struct sock *sk;
- 	struct irda_sock *self;
- 
-+	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+		return -EINVAL;
-+
- 	if (net != &init_net)
- 		return -EAFNOSUPPORT;
- 
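Review bot: This patch touched six files with two different bounds: "protocol > SK_PROTOCOL_MAX" in ax25_create(), dn_create() and irda_create(), and "protocol >= IPPROTO_MAX" in inet_create() and inet6_create(), plus the SK_PROTOCOL_MAX define in include/net/sock.h. When confirming that 4.3.4 supersedes it, check all six locations rather than af_inet.c alone, since a partial upstream backport would leave the less common address families without the range check. The CVE-2015-8543 reference in the patch header should also be carried into the changelog entry.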
diff --git a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch b/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
deleted file mode 100644
index ad192d1..0000000
--- a/debian/patches/bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Mon, 14 Dec 2015 13:48:36 -0800
-Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
-Origin: https://git.kernel.org/linus/09ccfd238e5a0e670d8178cf50180ea81ae09ae1
-
-Reported-by: Dmitry Vyukov <dvyukov at gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/net/ppp/pptp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock
- 	struct pptp_opt *opt = &po->proto.pptp;
- 	int error = 0;
- 
-+	if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+		return -EINVAL;
-+
- 	lock_sock(sk);
- 
- 	opt->src_addr = sp->sa_addr.pptp;
-@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *s
- 	struct flowi4 fl4;
- 	int error = 0;
- 
-+	if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+		return -EINVAL;
-+
- 	if (sp->sa_protocol != PX_PROTO_PPTP)
- 		return -EINVAL;
- 
diff --git a/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch b/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
deleted file mode 100644
index cd0f02e..0000000
--- a/debian/patches/bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Tue, 15 Dec 2015 15:26:45 +0000
-Subject: Revert "vrf: fix double free and memory corruption on register_netdevice failure"
-Forwarded: http://mid.gmane.org/20151215153149.GO28542@decadent.org.uk
-
-This reverts commit b3abad339f8e268bb261e5844ab68b18a7797c29, which
-was an attempt to backport commit 7f109f7cc37108cba7243bc832988525b0d85909
-upstream.  The backport introduced a deadlock and other bugs.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/net/vrf.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
-index c9e309c..488c6f5 100644
---- a/drivers/net/vrf.c
-+++ b/drivers/net/vrf.c
-@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
- {
- 	struct net_vrf *vrf = netdev_priv(dev);
- 	struct net_vrf_dev *vrf_ptr;
-+	int err;
- 
- 	if (!data || !data[IFLA_VRF_TABLE])
- 		return -EINVAL;
-@@ -589,16 +590,26 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
- 
- 	dev->priv_flags |= IFF_VRF_MASTER;
- 
-+	err = -ENOMEM;
- 	vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
- 	if (!vrf_ptr)
--		return -ENOMEM;
-+		goto out_fail;
- 
- 	vrf_ptr->ifindex = dev->ifindex;
- 	vrf_ptr->tb_id = vrf->tb_id;
- 
-+	err = register_netdevice(dev);
-+	if (err < 0)
-+		goto out_fail;
-+
- 	rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
- 
--	return register_netdev(dev);
-+	return 0;
-+
-+out_fail:
-+	kfree(vrf_ptr);
-+	free_netdev(dev);
-+	return err;
- }
- 
- static size_t vrf_nl_getsize(const struct net_device *dev)
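Review bot: Dropping this revert is only safe if 4.3.4 no longer carries the faulty stable backport b3abad339f8e in the form the description says "introduced a deadlock and other bugs". The hunk shows what the revert restored: the register_netdevice() call with the out_fail cleanup in place of "return register_netdev(dev);". Please state which 4.3.4 change corrects vrf_newlink(), and check that the 4.3.4 source does not end in register_netdev() there; otherwise removing this patch brings the deadlock back.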
diff --git a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch b/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
deleted file mode 100644
index a584e73..0000000
--- a/debian/patches/bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Date: Tue, 15 Dec 2015 21:21:56 +0000
-From: Ben Hutchings <ben at decadent.org.uk>
-Subject: tipc: Fix kfree_skb() of uninitialised pointer
-Forwarded: http://mid.gmane.org/20151215212156.GQ28542@decadent.org.uk
-
-Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
-headroom") added a "goto tx_error".  This is fine upstream, but
-when backported to 4.3 it results in attempting to free the clone
-before it has been allocated.  In this early error case, no
-cleanup is needed.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/tipc/udp_media.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
-index 86f2e7c..73bdf1b 100644
---- a/net/tipc/udp_media.c
-+++ b/net/tipc/udp_media.c
-@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
- 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
- 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
- 		if (err)
--			goto tx_error;
-+			return err;
- 	}
- 
- 	clone = skb_clone(skb, GFP_ATOMIC);
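Review bot: This was a Debian-side correction to a stable backport (Forwarded:, no Origin:), so there is no upstream commit id recorded that would show it has been merged. Confirm that tipc_udp_send_msg() in 4.3.4 returns err directly when pskb_expand_head() fails instead of "goto tx_error", because the description notes that on 4.3 the tx_error path frees the clone before it has been allocated.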
diff --git a/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch b/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
deleted file mode 100644
index f387fde..0000000
--- a/debian/patches/bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From: Nikolay Aleksandrov <nikolay at cumulusnetworks.com>
-Date: Sat, 21 Nov 2015 19:46:19 +0100
-Subject: vrf: fix double free and memory corruption on register_netdevice failure
-Origin: https://git.kernel.org/linus/7f109f7cc37108cba7243bc832988525b0d85909
-
-When vrf's ->newlink is called, if register_netdevice() fails then it
-does free_netdev(), but that's also done by rtnl_newlink() so a second
-free happens and memory gets corrupted, to reproduce execute the
-following line a couple of times (1 - 5 usually is enough):
-$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done;
-This works because we fail in register_netdevice() because of the wrong
-name "vrf:".
-
-And here's a trace of one crash:
-[   28.792157] ------------[ cut here ]------------
-[   28.792407] kernel BUG at fs/namei.c:246!
-[   28.792608] invalid opcode: 0000 [#1] SMP
-[   28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry
-nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul
-crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse
-glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev
-parport_pc parport serio_raw pcspkr virtio_balloon virtio_console
-i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4
-ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom
-ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix
-libata virtio_pci virtio_ring virtio scsi_mod floppy
-[   28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted
-4.4.0-rc1+ #24
-[   28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
-BIOS 1.8.1-20150318_183358- 04/01/2014
-[   28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti:
-ffff88003592c000
-[   28.796016] RIP: 0010:[<ffffffff812187b3>]  [<ffffffff812187b3>]
-putname+0x43/0x60
-[   28.796016] RSP: 0018:ffff88003592fe88  EFLAGS: 00010246
-[   28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX:
-0000000000000001
-[   28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
-ffff88003784f000
-[   28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09:
-0000000000000000
-[   28.796016] R10: 0000000000000000 R11: 0000000000000001 R12:
-0000000000000000
-[   28.796016] R13: 000000000000047c R14: ffff88003784f000 R15:
-ffff8800358c4a00
-[   28.796016] FS:  0000000000000000(0000) GS:ffff88003fc00000(0000)
-knlGS:0000000000000000
-[   28.796016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[   28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4:
-00000000000406f0
-[   28.796016] Stack:
-[   28.796016]  ffffffff8121045d ffffffff812102d3 ffff8800352561c0
-ffff880035a91660
-[   28.796016]  ffff8800008a9880 0000000000000000 ffffffff81a49940
-00ffffff81218684
-[   28.796016]  ffff8800352561c0 000000000000047c 0000000000000000
-ffff880035b36d80
-[   28.796016] Call Trace:
-[   28.796016]  [<ffffffff8121045d>] ?
-do_execveat_common.isra.34+0x74d/0x930
-[   28.796016]  [<ffffffff812102d3>] ?
-do_execveat_common.isra.34+0x5c3/0x930
-[   28.796016]  [<ffffffff8121066c>] do_execve+0x2c/0x30
-[   28.796016]  [<ffffffff810939a0>]
-call_usermodehelper_exec_async+0xf0/0x140
-[   28.796016]  [<ffffffff810938b0>] ? umh_complete+0x40/0x40
-[   28.796016]  [<ffffffff815cb1af>] ret_from_fork+0x3f/0x70
-[   28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6
-74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d
-f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9
-[   28.796016] RIP  [<ffffffff812187b3>] putname+0x43/0x60
-[   28.796016]  RSP <ffff88003592fe88>
-
-Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
-Signed-off-by: Nikolay Aleksandrov <nikolay at cumulusnetworks.com>
-Acked-by: David Ahern <dsa at cumulusnetworks.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: For 4.3, retain the kfree() on failure]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/net/vrf.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
-index 488c6f5..374feba 100644
---- a/drivers/net/vrf.c
-+++ b/drivers/net/vrf.c
-@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
- 
- out_fail:
- 	kfree(vrf_ptr);
--	free_netdev(dev);
- 	return err;
- }
- 
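Review bot: This backport deliberately differed from upstream ("[bwh: For 4.3, retain the kfree() on failure]"): out_fail keeps kfree(vrf_ptr) and drops only free_netdev(dev). It also applied on top of the revert patch, so the two series entries have to go together, as they do here. What remains to check is that the 4.3.4 version of vrf_newlink() has the same out_fail shape, with vrf_ptr freed and dev left for rtnl_newlink() to free, since a plain copy of the upstream change would either leak vrf_ptr or keep the double free.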
diff --git a/debian/patches/series b/debian/patches/series
index 82ac5d4..725582e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -106,13 +106,7 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
 bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
 bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
-bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
-bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
-bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
-bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
 bugfix/all/ovl-fix-permission-checking-for-setattr.patch
-bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
-bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch
 bugfix/all/xen-add-ring_copy_request.patch
 bugfix/all/xen-netback-don-t-use-last-request-to-determine-mini.patch
 bugfix/all/xen-netback-use-ring_copy_request-throughout.patch
@@ -127,7 +121,6 @@ bugfix/all/xen-pciback-for-xen_pci_op_disable_msi-x-only-disabl.patch
 bugfix/all/xen-pciback-don-t-allow-msi-x-ops-if-pci_command_mem.patch
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/ptrace-fix-abi-change-for-priv-esc-fix.patch
-bugfix/all/keys-fix-race-between-read-and-revoke.patch
 bugfix/x86/KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
 bugfix/all/drm-nouveau-pmu-do-not-assume-a-pmu-is-present.patch
 bugfix/x86/drm-i915-don-t-compare-has_drrs-strictly-in-pipe-con.patch
@@ -147,4 +140,3 @@ bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
 bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
 bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
 bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
-bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


