[linux] 02/11: Update to 3.2.88
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Apr 26 23:25:00 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 942ed9549f63b261d55ef36e601e5e98fa2494d8
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Apr 26 23:01:55 2017 +0100
Update to 3.2.88
Drop/refresh patches as appropriate.
---
debian/changelog | 174 +++++++++++-
...pc-shm-fix-shmat-mmap-nil-page-protection.patch | 58 ----
...fix-lockdep-annotations-in-hashbin_delete.patch | 84 ------
...cy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch | 137 ---------
.../all/net-llc-avoid-bug_on-in-skb_orphan.patch | 53 ----
.../all/packet-fix-races-in-fanout_add.patch | 72 -----
.../bugfix/all/sctp-Export-sctp_do_peeloff.patch | 14 +-
...sctp-avoid-bug_on-on-sctp_wait_for_sndbuf.patch | 37 ---
...tion-on-asocs-with-threads-sleeping-on-it.patch | 63 -----
.../tty-n_hdlc-fix-lockdep-false-positive.patch | 96 -------
.../all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch | 309 ---------------------
.../drm/Remove-gma500-driver-from-staging.patch | 7 +-
.../list-introduce-list_first_entry_or_null.patch | 35 ---
.../features/all/net-sock-add-sock_efree.patch | 33 ---
...ing-hv-move-hv_netvsc-out-of-staging-area.patch | 63 +----
...-hyperv-Fix-the-stop-wake-queue-mechanism.patch | 27 +-
debian/patches/series | 11 -
17 files changed, 210 insertions(+), 1063 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index ef6850d..f38928a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,177 @@
-linux (3.2.86-2) UNRELEASED; urgency=medium
+linux (3.2.88-1) UNRELEASED; urgency=medium
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.87
+ - net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
+ - ite-cir: initialize use_demodulator before using it
+ - usb: gadget: composite: correctly initialize ep->maxpacket
+ - [x86] drm/gma500: Add compat ioctl
+ - xfs: fix up xfs_swap_extent_forks inline extent handling
+ - PCI: Check for PME in targeted sleep state
+ - USB: UHCI: report non-PME wakeup signalling for Intel hardware
+ - usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
+ - ext4: fix mballoc breakage with 64k block size
+ - ext4: fix stack memory corruption with 64k block size
+ - IB/mlx4: Put non zero value in max_ah device attribute
+ - scsi: mvsas: fix command_active typo
+ - ssb: Fix error routine when fallback SPROM fails
+ - ext4: fix in-superblock mount options processing
+ - ext4: use more strict checks for inodes_per_block on mount
+ - ext4: add sanity checking to count_overhead()
+ - dm crypt: mark key as invalid until properly loaded
+ - regmap: cache: Remove unused 'blksize' variable
+ - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
+ - thermal: hwmon: Properly report critical temperature in sysfs
+ - USB: serial: kl5kusb105: fix open error path
+ - USB: serial: kl5kusb105: abort on open exception path
+ - Btrfs: fix tree search logic when replaying directory entry deletes
+ - hotplug: Make register and unregister notifier API symmetric
+ - hwmon: (ds620) Fix overflows seen when writing temperature limits
+ - nfs_write_end(): fix handling of short copies
+ - ext4: reject inodes with negative size
+ - libceph: verify authorize reply on connect
+ - fsnotify: Fix possible use-after-free in inode iteration on umount
+ - block_dev: don't test bdev->bd_contains when it is not stable
+ - IB/mad: Fix an array index check
+ - IB/multicast: Check ib_find_pkey() return value
+ - scsi: avoid a permanent stop of the scsi device's request queue
+ - target/iscsi: Fix double free in lio_target_tiqn_addtpg()
+ - net, sched: fix soft lockup in tc_classify
+ - net/mlx4_en: Fix bad WQE issue
+ - net/mlx4: Remove BUG_ON from ICM allocation routine
+ - usb: gadget: composite: Test get_alt() presence instead of set_alt()
+ - USB: dummy-hcd: fix bug in stop_activity (handle ep0)
+ - [armhf] usb: gadgetfs: restrict upper bound on device configuration size
+ - [armhf] USB: gadgetfs: fix unbounded memory allocation bug
+ - [armhf] USB: gadgetfs: fix use-after-free bug
+ - [armhf] USB: gadgetfs: fix checks of wTotalLength in config descriptors
+ - xhci: free xhci virtual devices with leaf nodes first
+ - USB: serial: cyberjack: fix NULL-deref at open
+ - USB: serial: garmin_gps: fix memory leak on failed URB submit
+ - USB: serial: io_edgeport: fix NULL-deref at open
+ - USB: serial: io_ti: fix NULL-deref at open
+ - USB: serial: io_ti: fix another NULL-deref at open
+ - USB: serial: iuu_phoenix: fix NULL-deref at open
+ - USB: serial: keyspan_pda: verify endpoints at probe
+ - USB: serial: kobil_sct: fix NULL-deref in write
+ - USB: serial: mos7720: fix NULL-deref at open
+ - USB: serial: mos7720: fix use-after-free on probe errors
+ - USB: serial: mos7720: fix parport use-after-free on probe errors
+ - USB: serial: mos7720: fix parallel probe
+ - USB: serial: mos7840: fix NULL-deref at open
+ - USB: serial: mos7840: fix misleading interrupt-URB comment
+ - USB: serial: omninet: fix NULL-derefs at open and disconnect
+ - USB: serial: oti6858: fix NULL-deref at open
+ - USB: serial: pl2303: fix NULL-deref at open
+ - USB: serial: spcp8x5: fix NULL-deref at open
+ - USB: serial: ti_usb_3410_5052: fix NULL-deref at open
+ - [x86] iommu/amd: Fix the left value check of cmd buffer
+ - [x86] cpu: Fix bootup crashes by sanitizing the argument of the
+ 'clearcpuid=' command-line option
+ - [armhf] usb: musb: Fix trying to free already-free IRQ 4
+ - USB: fix problems with duplicate endpoint addresses
+ - HID: hid-cypress: validate length of report (CVE-2017-7273)
+ - ata: sata_mv:- Handle return value of devm_ioremap.
+ - USB: ch341: forward USB errors to USB serial core
+ - USB: ch341: remove redundant close from open error path
+ - USB: ch341: set tty baud speed according to tty struct
+ - USB: serial: ch341: add register and USB request definitions
+ - USB: serial: ch341: reinitialize chip on reconfiguration
+ - USB: serial: ch341: fix initial modem-control state
+ - USB: serial: ch341: fix open and resume after B0
+ - USB: serial: ch341: fix modem-control and B0 handling
+ - USB: serial: ch341: fix open error handling
+ - USB: serial: ch341: fix resume after reset
+ - USB: serial: ch341: fix baud rate and line-control handling
+ - gro: Enter slow-path if there is no tailroom
+ - gro: Disable frag0 optimization on IPv6 ext headers
+ - ocfs2: fix crash caused by stale lvb with fsdlm plugin
+ - sysrq: attach sysrq handler correctly for 32-bit kernel
+ - USB: serial: ch341: fix control-message error handling
+ - gro: use min_t() in skb_gro_reset_offset()
+ - xhci: fix deadlock at host remove by running watchdog correctly
+ - i2c: fix kernel memory disclosure in dev interface
+ - svcrpc: don't leak contexts on PROC_DESTROY
+ - net/mlx4_core: Fix racy CQ (Completion Queue) free
+ - ubifs: Fix journal replay wrt. xattr nodes
+ - ceph: fix bad endianness handling in parse_reply_info_extra
+ - nbd: fix use-after-free of rq/bio in the xmit path
+ - nbd: only set MSG_MORE when we have more to send
+ - crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
+ - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
+ - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
+ - can: bcm: fix hrtimer/tasklet termination in bcm op removal
+ - [arm*] 8643/3: arm/ptrace: Preserve previous registers for short regset
+ write
+ - mm, fs: check for fatal signals in do_generic_file_read()
+ - netlabel: out of bound access in cipso_v4_validate()
+ - mac80211: Fix adding of mesh vendor IEs
+ - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+ - rtl8150: Use heap buffers for all register access
+ - catc: Combine failure cleanup code in catc_probe()
+ - catc: Use heap buffer for memory size test
+ - ALSA: seq: Fix race at creating a queue
+ - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
+ - ping: fix a null pointer dereference
+ - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+ - l2tp: do not use udp_ioctl()
+ - futex: Move futex_init() to core_initcall
+ - vfs: fix uninitialized flags in splice_to_pipe()
+ - packet: call fanout_release, while UNREGISTERING a netdev
+ - packet: Do not call fanout_release from atomic contexts
+ - Fix missing sanity check in /dev/sg
+ - lib/vsprintf.c: improve sanity check in vsnprintf()
+ - decnet: Do not build routes to devices without decnet private data.
+ - route: do not cache fib route info on local routes with oif
+ - sch_htb: update backlog as well
+ - sch_dsmark: update backlog as well
+ - net: bridge: fix old ioctl unlocked net device walk
+ - ipmr/ip6mr: Initialize the last assert time of mfc entries.
+ - net: fix sk_mem_reclaim_partial()
+ - tcp: fix overflow in __tcp_retransmit_skb()
+ - net: avoid sk_forward_alloc overflows
+ - tcp: fix wrong checksum calculation on MTU probing
+ - net: sctp, forbid negative length
+ - net: clear sk_err_soft in sk_clone_lock()
+ - net: mangle zero checksum in skb_checksum_help()
+ - dccp: do not send reset to already closed sockets
+ - dccp: fix out of bound access in dccp_v4_err()
+ - ipv6: dccp: fix out of bound access in dccp_v6_err()
+ - sctp: assign assoc_id earlier in __sctp_connect
+ - sock: fix sendmmsg for partial sendmsg
+ - ip6_tunnel: disable caching when the traffic class is inherited
+ - net: sky2: Fix shutdown crash
+ - net/sched: pedit: make sure that offset is valid
+ - net/dccp: fix use-after-free in dccp_invalid_packet
+ - [x86] netvsc: reduce maximum GSO size
+ - ipv6: handle -EFAULT from skb_copy_bits
+ - drop_monitor: add missing call to genlmsg_end
+ - drop_monitor: consider inserted data in genlmsg_end
+ - igmp: Make igmp group member RFC 3376 compliant
+ - ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
+ - net: socket: fix recvmmsg not returning error from sock_error
+ - can: Fix kernel panic at security_sock_rcv_skb
+ - ipv6: fix ip6_tnl_parse_tlv_enc_lim()
+ - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
+ - tcp: fix 0 divide in __tcp_select_window()
+ - tun: Fix TUN_PKT_STRIP setting
+ - tun: read vnet_hdr_sz once
+ - macvtap: read vnet_hdr_size once
+ - igmp: do not remove igmp souce list info when set link down
+ - mld: do not remove mld souce list info when set link down
+ - igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
+ - [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.88
+ - ipv4: keep skb->dst around in presence of IP options (CVE-2017-5970)
+ - mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW
+ for thp" backport
+ - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
+ (CVE-2016-10200)
+ - keys: Guard against null match function in keyring_search_aux()
+ (CVE-2017-2647 / CVE-2017-6951)
+
+ [ Ben Hutchings ]
* timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
- * l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (CVE-2016-10200)
* USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Mar 2017 23:12:35 +0000
diff --git a/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch b/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
deleted file mode 100644
index ea7b9ed..0000000
--- a/debian/patches/bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Davidlohr Bueso <dave at stgolabs.net>
-Date: Mon, 27 Feb 2017 14:28:24 -0800
-Subject: ipc/shm: Fix shmat mmap nil-page protection
-Origin: https://git.kernel.org/linus/95e91b831f87ac8e1f8ed50c14d709089b4e01b8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669
-
-The issue is described here, with a nice testcase:
-
- https://bugzilla.kernel.org/show_bug.cgi?id=192931
-
-The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
-the address rounded down to 0. For the regular mmap case, the
-protection mentioned above is that the kernel gets to generate the
-address -- arch_get_unmapped_area() will always check for MAP_FIXED and
-return that address. So by the time we do security_mmap_addr(0) things
-get funky for shmat().
-
-The testcase itself shows that while a regular user crashes, root will
-not have a problem attaching a nil-page. There are two possible fixes
-to this. The first, and which this patch does, is to simply allow root
-to crash as well -- this is also regular mmap behavior, ie when hacking
-up the testcase and adding mmap(... |MAP_FIXED). While this approach
-is the safer option, the second alternative is to ignore SHM_RND if the
-rounded address is 0, thus only having MAP_SHARED flags. This makes the
-behavior of shmat() identical to the mmap() case. The downside of this
-is obviously user visible, but does make sense in that it maintains
-semantics after the round-down wrt 0 address and mmap.
-
-Passes shm related ltp tests.
-
-Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
-Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
-Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.2: use SHMLBA constant instead of shmlba parameter]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -963,8 +963,13 @@ long do_shmat(int shmid, char __user *sh
- goto out;
- else if ((addr = (ulong)shmaddr)) {
- if (addr & (SHMLBA-1)) {
-- if (shmflg & SHM_RND)
-- addr &= ~(SHMLBA-1); /* round down */
-+ /*
-+ * Round down to the nearest multiple of shmlba.
-+ * For sane do_mmap_pgoff() parameters, avoid
-+ * round downs that trigger nil-page and MAP_FIXED.
-+ */
-+ if ((shmflg & SHM_RND) && addr >= SHMLBA)
-+ addr &= ~(SHMLBA - 1);
- else
- #ifndef __ARCH_FORCE_SHMLBA
- if (addr & ~PAGE_MASK)
diff --git a/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch b/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
deleted file mode 100644
index eca2e4a..0000000
--- a/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Fri, 17 Feb 2017 16:19:39 -0500
-Subject: irda: Fix lockdep annotations in hashbin_delete().
-Origin: https://git.kernel.org/linus/4c03b862b12f980456f9de92db6d508a4999b788
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6348
-
-A nested lock depth was added to the hasbin_delete() code but it
-doesn't actually work some well and results in tons of lockdep splats.
-
-Fix the code instead to properly drop the lock around the operation
-and just keep peeking the head of the hashbin queue.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/irda/irqueue.c | 34 ++++++++++++++++------------------
- 1 file changed, 16 insertions(+), 18 deletions(-)
-
---- a/net/irda/irqueue.c
-+++ b/net/irda/irqueue.c
-@@ -385,9 +385,6 @@ EXPORT_SYMBOL(hashbin_new);
- * for deallocating this structure if it's complex. If not the user can
- * just supply kfree, which should take care of the job.
- */
--#ifdef CONFIG_LOCKDEP
--static int hashbin_lock_depth = 0;
--#endif
- int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
- {
- irda_queue_t* queue;
-@@ -398,22 +395,27 @@ int hashbin_delete( hashbin_t* hashbin,
- IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
-
- /* Synchronize */
-- if ( hashbin->hb_type & HB_LOCK ) {
-- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
-- hashbin_lock_depth++);
-- }
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-
- /*
- * Free the entries in the hashbin, TODO: use hashbin_clear when
- * it has been shown to work
- */
- for (i = 0; i < HASHBIN_SIZE; i ++ ) {
-- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-- while (queue ) {
-- if (free_func)
-- (*free_func)(queue);
-- queue = dequeue_first(
-- (irda_queue_t**) &hashbin->hb_queue[i]);
-+ while (1) {
-+ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-+
-+ if (!queue)
-+ break;
-+
-+ if (free_func) {
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
-+ free_func(queue);
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-+ }
- }
- }
-
-@@ -422,12 +424,8 @@ int hashbin_delete( hashbin_t* hashbin,
- hashbin->magic = ~HB_MAGIC;
-
- /* Release lock */
-- if ( hashbin->hb_type & HB_LOCK) {
-+ if (hashbin->hb_type & HB_LOCK)
- spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
--#ifdef CONFIG_LOCKDEP
-- hashbin_lock_depth--;
--#endif
-- }
-
- /*
- * Free the hashbin structure
diff --git a/debian/patches/bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch b/debian/patches/bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch
deleted file mode 100644
index 18d7fd1..0000000
--- a/debian/patches/bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From: Guillaume Nault <g.nault at alphalink.fr>
-Date: Fri, 18 Nov 2016 22:13:00 +0100
-Subject: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
-Origin: https://git.kernel.org/linus/32c231164b762dddefa13af5a0101032c70b50ef
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10200
-
-Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
-Without lock, a concurrent call could modify the socket flags between
-the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
-a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
-would then leave a stale pointer there, generating use-after-free
-errors when walking through the list or modifying adjacent entries.
-
-BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
-Write of size 8 by task syz-executor/10987
-CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
- ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
- ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
- ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
-Call Trace:
- [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
- [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
- [< inline >] print_address_description mm/kasan/report.c:194
- [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
- [< inline >] kasan_report mm/kasan/report.c:303
- [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
- [< inline >] __write_once_size ./include/linux/compiler.h:249
- [< inline >] __hlist_del ./include/linux/list.h:622
- [< inline >] hlist_del_init ./include/linux/list.h:637
- [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
- [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
- [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
- [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
- [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
- [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
- [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
- [<ffffffff813774f9>] task_work_run+0xf9/0x170
- [<ffffffff81324aae>] do_exit+0x85e/0x2a00
- [<ffffffff81326dc8>] do_group_exit+0x108/0x330
- [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
- [<ffffffff811b49af>] do_signal+0x7f/0x18f0
- [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
- [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
- [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
- [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
-Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
-Allocated:
-PID = 10987
- [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
- [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
- [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
- [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
- [ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417
- [ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708
- [ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716
- [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
- [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
- [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
- [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
- [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
- [ 1116.897025] [< inline >] sock_create net/socket.c:1193
- [ 1116.897025] [< inline >] SYSC_socket net/socket.c:1223
- [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
- [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
-Freed:
-PID = 10987
- [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
- [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
- [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
- [ 1116.897025] [< inline >] slab_free_hook mm/slub.c:1352
- [ 1116.897025] [< inline >] slab_free_freelist_hook mm/slub.c:1374
- [ 1116.897025] [< inline >] slab_free mm/slub.c:2951
- [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
- [ 1116.897025] [< inline >] sk_prot_free net/core/sock.c:1369
- [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
- [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
- [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
- [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
- [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
- [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
- [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
- [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
- [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
- [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
- [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
- [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
- [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
- [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
- [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
- [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
- [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
- [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
- [ 1116.897025] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
- [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
- [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
-Memory state around the buggy address:
- ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
->ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
- ^
- ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-
-==================================================================
-
-The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
-
-Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
-Reported-by: Baozeng Ding <sploving1 at gmail.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Baozeng Ding <sploving1 at gmail.com>
-Signed-off-by: Guillaume Nault <g.nault at alphalink.fr>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: drop IPv6 changes]
----
---- a/net/l2tp/l2tp_ip.c
-+++ b/net/l2tp/l2tp_ip.c
-@@ -256,8 +256,6 @@ static int l2tp_ip_bind(struct sock *sk,
- int ret;
- int chk_addr_ret;
-
-- if (!sock_flag(sk, SOCK_ZAPPED))
-- return -EINVAL;
- if (addr_len < sizeof(struct sockaddr_l2tpip))
- return -EINVAL;
- if (addr->l2tp_family != AF_INET)
-@@ -271,6 +269,9 @@ static int l2tp_ip_bind(struct sock *sk,
- read_unlock_bh(&l2tp_ip_lock);
-
- lock_sock(sk);
-+ if (!sock_flag(sk, SOCK_ZAPPED))
-+ goto out;
-+
- if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))
- goto out;
-
diff --git a/debian/patches/bugfix/all/net-llc-avoid-bug_on-in-skb_orphan.patch b/debian/patches/bugfix/all/net-llc-avoid-bug_on-in-skb_orphan.patch
deleted file mode 100644
index 0e7ac74..0000000
--- a/debian/patches/bugfix/all/net-llc-avoid-bug_on-in-skb_orphan.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Sun, 12 Feb 2017 14:03:52 -0800
-Subject: net/llc: avoid BUG_ON() in skb_orphan()
-Origin: https://git.kernel.org/linus/8b74d439e1697110c5e5c600643e823eb1dd0762
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6345
-
-It seems nobody used LLC since linux-3.12.
-
-Fortunately fuzzers like syzkaller still know how to run this code,
-otherwise it would be no fun.
-
-Setting skb->sk without skb->destructor leads to all kinds of
-bugs, we now prefer to be very strict about it.
-
-Ideally here we would use skb_set_owner() but this helper does not exist yet,
-only CAN seems to have a private helper for that.
-
-Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/llc/llc_conn.c | 3 +++
- net/llc/llc_sap.c | 3 +++
- 2 files changed, 6 insertions(+)
-
---- a/net/llc/llc_conn.c
-+++ b/net/llc/llc_conn.c
-@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
- * another trick required to cope with how the PROCOM state
- * machine works. -acme
- */
-+ skb_orphan(skb);
-+ sock_hold(sk);
- skb->sk = sk;
-+ skb->destructor = sock_efree;
- }
- if (!sock_owned_by_user(sk))
- llc_conn_rcv(sk, skb);
---- a/net/llc/llc_sap.c
-+++ b/net/llc/llc_sap.c
-@@ -294,7 +294,10 @@ static void llc_sap_rcv(struct llc_sap *
-
- ev->type = LLC_SAP_EV_TYPE_PDU;
- ev->reason = 0;
-+ skb_orphan(skb);
-+ sock_hold(sk);
- skb->sk = sk;
-+ skb->destructor = sock_efree;
- llc_sap_state_process(sap, skb);
- }
-
diff --git a/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch b/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
deleted file mode 100644
index f2e6404..0000000
--- a/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Tue, 14 Feb 2017 09:03:51 -0800
-Subject: packet: fix races in fanout_add()
-Origin: https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6346
-
-Multiple threads can call fanout_add() at the same time.
-
-We need to grab fanout_mutex earlier to avoid races that could
-lead to one thread freeing po->rollover that was set by another thread.
-
-Do the same in fanout_release(), for peace of mind, and to help us
-finding lockdep issues earlier.
-
-Fixes: dc99f600698d ("packet: Add fanout support.")
-Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Cc: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2:
- - No rollover queue stats
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -1286,13 +1286,16 @@ static int fanout_add(struct sock *sk, u
- return -EINVAL;
- }
-
-+ mutex_lock(&fanout_mutex);
-+
-+ err = -EINVAL;
- if (!po->running)
-- return -EINVAL;
-+ goto out;
-
-+ err = -EALREADY;
- if (po->fanout)
-- return -EALREADY;
-+ goto out;
-
-- mutex_lock(&fanout_mutex);
- match = NULL;
- list_for_each_entry(f, &fanout_list, list) {
- if (f->id == id &&
-@@ -1348,17 +1351,16 @@ static void fanout_release(struct sock *
- struct packet_sock *po = pkt_sk(sk);
- struct packet_fanout *f;
-
-+ mutex_lock(&fanout_mutex);
- f = po->fanout;
-- if (!f)
-- return;
--
-- po->fanout = NULL;
-+ if (f) {
-+ po->fanout = NULL;
-
-- mutex_lock(&fanout_mutex);
-- if (atomic_dec_and_test(&f->sk_ref)) {
-- list_del(&f->list);
-- dev_remove_pack(&f->prot_hook);
-- kfree(f);
-+ if (atomic_dec_and_test(&f->sk_ref)) {
-+ list_del(&f->list);
-+ dev_remove_pack(&f->prot_hook);
-+ kfree(f);
-+ }
- }
- mutex_unlock(&fanout_mutex);
- }
diff --git a/debian/patches/bugfix/all/sctp-Export-sctp_do_peeloff.patch b/debian/patches/bugfix/all/sctp-Export-sctp_do_peeloff.patch
index 8ec5514..16ee555 100644
--- a/debian/patches/bugfix/all/sctp-Export-sctp_do_peeloff.patch
+++ b/debian/patches/bugfix/all/sctp-Export-sctp_do_peeloff.patch
@@ -10,6 +10,8 @@ the sctp code with minimal knowledge of the former.
Signed-off-by: Benjamin Poirier <bpoirier at suse.de>
Acked-by: Vlad Yasevich <vladislav.yasevich at hp.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Adjust context to apply after backport of dfcb9f4f99f1
+ ("sctp: deny peeloff operation on asocs with threads sleeping on it")]
---
include/net/sctp/sctp.h | 1 +
net/sctp/socket.c | 24 +++++++++---------------
@@ -27,7 +29,7 @@ Signed-off-by: David S. Miller <davem at davemloft.net>
#define sctp_skb_for_each(pos, head, tmp) \
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -4179,14 +4179,16 @@ static int sctp_getsockopt_autoclose(str
+@@ -4234,14 +4234,16 @@ static int sctp_getsockopt_autoclose(str
}
/* Helper routine to branch off an association to a new socket. */
@@ -44,10 +46,10 @@ Signed-off-by: David S. Miller <davem at davemloft.net>
+ if (!asoc)
+ return -EINVAL;
+
- /* An association cannot be branched off from an already peeled-off
- * socket, nor is this supported for tcp style sockets.
+ /* If there is a thread waiting on more sndbuf space for
+ * sending on this asoc, it cannot be peeled.
*/
-@@ -4215,13 +4217,13 @@ SCTP_STATIC int sctp_do_peeloff(struct s
+@@ -4276,13 +4278,13 @@ SCTP_STATIC int sctp_do_peeloff(struct s
return err;
}
@@ -62,7 +64,7 @@ Signed-off-by: David S. Miller <davem at davemloft.net>
if (len < sizeof(sctp_peeloff_arg_t))
return -EINVAL;
-@@ -4229,15 +4231,7 @@ static int sctp_getsockopt_peeloff(struc
+@@ -4290,15 +4292,7 @@ static int sctp_getsockopt_peeloff(struc
if (copy_from_user(&peeloff, optval, len))
return -EFAULT;
@@ -79,7 +81,7 @@ Signed-off-by: David S. Miller <davem at davemloft.net>
if (retval < 0)
goto out;
-@@ -4248,8 +4242,8 @@ static int sctp_getsockopt_peeloff(struc
+@@ -4309,8 +4303,8 @@ static int sctp_getsockopt_peeloff(struc
goto out;
}
diff --git a/debian/patches/bugfix/all/sctp-avoid-bug_on-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-bug_on-on-sctp_wait_for_sndbuf.patch
deleted file mode 100644
index 5569aa5..0000000
--- a/debian/patches/bugfix/all/sctp-avoid-bug_on-on-sctp_wait_for_sndbuf.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Mon, 6 Feb 2017 18:10:31 -0200
-Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
-Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5986
-
-Alexander Popov reported that an application may trigger a BUG_ON in
-sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
-waiting on it to queue more data and meanwhile another thread peels off
-the association being used by the first thread.
-
-This patch replaces the BUG_ON call with a proper error handling. It
-will return -EPIPE to the original sendmsg call, similarly to what would
-have been done if the association wasn't found in the first place.
-
-Acked-by: Alexander Popov <alex.popov at linux.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/sctp/socket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -6480,7 +6480,8 @@ static int sctp_wait_for_sndbuf(struct s
- */
- sctp_release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- BUG_ON(sk != asoc->base.sk);
-+ if (sk != asoc->base.sk)
-+ goto do_error;
- sctp_lock_sock(sk);
-
- *timeo_p = current_timeo;
diff --git a/debian/patches/bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch b/debian/patches/bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
deleted file mode 100644
index dcf9e37..0000000
--- a/debian/patches/bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Thu, 23 Feb 2017 09:31:18 -0300
-Subject: sctp: deny peeloff operation on asocs with threads sleeping on it
-Origin: https://git.kernel.org/linus/dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6353
-
-commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
-attempted to avoid a BUG_ON call when the association being used for a
-sendmsg() is blocked waiting for more sndbuf and another thread did a
-peeloff operation on such asoc, moving it to another socket.
-
-As Ben Hutchings noticed, then in such case it would return without
-locking back the socket and would cause two unlocks in a row.
-
-Further analysis also revealed that it could allow a double free if the
-application managed to peeloff the asoc that is created during the
-sendmsg call, because then sctp_sendmsg() would try to free the asoc
-that was created only for that call.
-
-This patch takes another approach. It will deny the peeloff operation
-if there is a thread sleeping on the asoc, so this situation doesn't
-exist anymore. This avoids the issues described above and also honors
-the syscalls that are already being handled (it can be multiple sendmsg
-calls).
-
-Joint work with Xin Long.
-
-Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
-Cc: Alexander Popov <alex.popov at linux.com>
-Cc: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/sctp/socket.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4241,6 +4241,12 @@ int sctp_do_peeloff(struct sock *sk, sct
- if (!asoc)
- return -EINVAL;
-
-+ /* If there is a thread waiting on more sndbuf space for
-+ * sending on this asoc, it cannot be peeled.
-+ */
-+ if (waitqueue_active(&asoc->wait))
-+ return -EBUSY;
-+
- /* An association cannot be branched off from an already peeled-off
- * socket, nor is this supported for tcp style sockets.
- */
-@@ -6480,8 +6486,6 @@ static int sctp_wait_for_sndbuf(struct s
- */
- sctp_release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- if (sk != asoc->base.sk)
-- goto do_error;
- sctp_lock_sock(sk);
-
- *timeo_p = current_timeo;
diff --git a/debian/patches/bugfix/all/tty-n_hdlc-fix-lockdep-false-positive.patch b/debian/patches/bugfix/all/tty-n_hdlc-fix-lockdep-false-positive.patch
deleted file mode 100644
index c65ba4f..0000000
--- a/debian/patches/bugfix/all/tty-n_hdlc-fix-lockdep-false-positive.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From: Jiri Slaby <jslaby at suse.cz>
-Date: Thu, 26 Nov 2015 19:28:26 +0100
-Subject: TTY: n_hdlc, fix lockdep false positive
-Origin: https://git.kernel.org/linus/e9b736d88af1a143530565929390cadf036dc799
-
-The class of 4 n_hdls buf locks is the same because a single function
-n_hdlc_buf_list_init is used to init all the locks. But since
-flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
-n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
-emits a warning:
-=============================================
-[ INFO: possible recursive locking detected ]
-4.3.0-25.g91e30a7-default #1 Not tainted
----------------------------------------------
-a.out/1248 is trying to acquire lock:
- (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
-
-but task is already holding lock:
- (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
-
-other info that might help us debug this:
- Possible unsafe locking scenario:
-
- CPU0
- ----
- lock(&(&list->spinlock)->rlock);
- lock(&(&list->spinlock)->rlock);
-
- *** DEADLOCK ***
-
- May be due to missing lock nesting notation
-
-2 locks held by a.out/1248:
- #0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
- #1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
-...
-Call Trace:
-...
- [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
- [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
- [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
- [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
-...
-
-Fix it by initializing the spin_locks separately. This removes also
-reduntand memset of a freshly kzallocated space.
-
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/tty/n_hdlc.c | 19 ++++---------------
- 1 file changed, 4 insertions(+), 15 deletions(-)
-
---- a/drivers/tty/n_hdlc.c
-+++ b/drivers/tty/n_hdlc.c
-@@ -160,7 +160,6 @@ struct n_hdlc {
- /*
- * HDLC buffer list manipulation functions
- */
--static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
- static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
- struct n_hdlc_buf *buf);
- static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
-@@ -856,10 +855,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
-
- memset(n_hdlc, 0, sizeof(*n_hdlc));
-
-- n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
-+ spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
-
- /* allocate free rx buffer list */
- for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
-@@ -888,16 +887,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
- } /* end of n_hdlc_alloc() */
-
- /**
-- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
-- * @list - pointer to buffer list
-- */
--static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
--{
-- memset(list, 0, sizeof(*list));
-- spin_lock_init(&list->spinlock);
--} /* end of n_hdlc_buf_list_init() */
--
--/**
- * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
- * @list - pointer to buffer list
- * @buf - pointer to buffer
diff --git a/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch b/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch
deleted file mode 100644
index fad3db3..0000000
--- a/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch
+++ /dev/null
@@ -1,309 +0,0 @@
-From: Alexander Popov <alex.popov at linux.com>
-Date: Tue, 28 Feb 2017 19:54:40 +0300
-Subject: tty: n_hdlc: get rid of racy n_hdlc.tbuf
-Origin: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=82f2341c94d270421f383641b7cd670e474db56b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2636
-
-Currently N_HDLC line discipline uses a self-made singly linked list for
-data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
-an error.
-
-The commit be10eb7589337e5defbe214dae038a53dd21add8
-("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
-After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
-one data buffer to tx_free_buf_list twice. That causes double free in
-n_hdlc_release().
-
-Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
-in case of tx error put current data buffer after the head of tx_buf_list.
-
-Signed-off-by: Alexander Popov <alex.popov at linux.com>
-Cc: stable <stable at vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------
- 1 file changed, 69 insertions(+), 63 deletions(-)
-
---- a/drivers/tty/n_hdlc.c
-+++ b/drivers/tty/n_hdlc.c
-@@ -115,7 +115,7 @@
- #define DEFAULT_TX_BUF_COUNT 3
-
- struct n_hdlc_buf {
-- struct n_hdlc_buf *link;
-+ struct list_head list_item;
- int count;
- char buf[1];
- };
-@@ -123,8 +123,7 @@ struct n_hdlc_buf {
- #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
-
- struct n_hdlc_buf_list {
-- struct n_hdlc_buf *head;
-- struct n_hdlc_buf *tail;
-+ struct list_head list;
- int count;
- spinlock_t spinlock;
- };
-@@ -137,7 +136,6 @@ struct n_hdlc_buf_list {
- * @backup_tty - TTY to use if tty gets closed
- * @tbusy - reentrancy flag for tx wakeup code
- * @woke_up - FIXME: describe this field
-- * @tbuf - currently transmitting tx buffer
- * @tx_buf_list - list of pending transmit frame buffers
- * @rx_buf_list - list of received frame buffers
- * @tx_free_buf_list - list unused transmit frame buffers
-@@ -150,7 +148,6 @@ struct n_hdlc {
- struct tty_struct *backup_tty;
- int tbusy;
- int woke_up;
-- struct n_hdlc_buf *tbuf;
- struct n_hdlc_buf_list tx_buf_list;
- struct n_hdlc_buf_list rx_buf_list;
- struct n_hdlc_buf_list tx_free_buf_list;
-@@ -160,6 +157,8 @@ struct n_hdlc {
- /*
- * HDLC buffer list manipulation functions
- */
-+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
-+ struct n_hdlc_buf *buf);
- static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
- struct n_hdlc_buf *buf);
- static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
-@@ -209,16 +208,9 @@ static void flush_tx_queue(struct tty_st
- {
- struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
- struct n_hdlc_buf *buf;
-- unsigned long flags;
-
- while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
-- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
-- if (n_hdlc->tbuf) {
-- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
-- n_hdlc->tbuf = NULL;
-- }
-- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
- }
-
- static struct tty_ldisc_ops n_hdlc_ldisc = {
-@@ -284,7 +276,6 @@ static void n_hdlc_release(struct n_hdlc
- } else
- break;
- }
-- kfree(n_hdlc->tbuf);
- kfree(n_hdlc);
-
- } /* end of n_hdlc_release() */
-@@ -403,13 +394,7 @@ static void n_hdlc_send_frames(struct n_
- n_hdlc->woke_up = 0;
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
-
-- /* get current transmit buffer or get new transmit */
-- /* buffer from list of pending transmit buffers */
--
-- tbuf = n_hdlc->tbuf;
-- if (!tbuf)
-- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
--
-+ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
- while (tbuf) {
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)sending frame %p, count=%d\n",
-@@ -421,7 +406,7 @@ static void n_hdlc_send_frames(struct n_
-
- /* rollback was possible and has been done */
- if (actual == -ERESTARTSYS) {
-- n_hdlc->tbuf = tbuf;
-+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
- break;
- }
- /* if transmit error, throw frame away by */
-@@ -436,10 +421,7 @@ static void n_hdlc_send_frames(struct n_
-
- /* free current transmit buffer */
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
--
-- /* this tx buffer is done */
-- n_hdlc->tbuf = NULL;
--
-+
- /* wait up sleeping writers */
- wake_up_interruptible(&tty->write_wait);
-
-@@ -449,10 +431,12 @@ static void n_hdlc_send_frames(struct n_
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)frame %p pending\n",
- __FILE__,__LINE__,tbuf);
--
-- /* buffer not accepted by driver */
-- /* set this buffer as pending buffer */
-- n_hdlc->tbuf = tbuf;
-+
-+ /*
-+ * the buffer was not accepted by driver,
-+ * return it back into tx queue
-+ */
-+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
- break;
- }
- }
-@@ -750,7 +734,8 @@ static int n_hdlc_tty_ioctl(struct tty_s
- int error = 0;
- int count;
- unsigned long flags;
--
-+ struct n_hdlc_buf *buf = NULL;
-+
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
- __FILE__,__LINE__,cmd);
-@@ -764,8 +749,10 @@ static int n_hdlc_tty_ioctl(struct tty_s
- /* report count of read data available */
- /* in next available frame (if any) */
- spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
-- if (n_hdlc->rx_buf_list.head)
-- count = n_hdlc->rx_buf_list.head->count;
-+ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
-+ struct n_hdlc_buf, list_item);
-+ if (buf)
-+ count = buf->count;
- else
- count = 0;
- spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
-@@ -777,8 +764,10 @@ static int n_hdlc_tty_ioctl(struct tty_s
- count = tty_chars_in_buffer(tty);
- /* add size of next output frame in queue */
- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
-- if (n_hdlc->tx_buf_list.head)
-- count += n_hdlc->tx_buf_list.head->count;
-+ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
-+ struct n_hdlc_buf, list_item);
-+ if (buf)
-+ count += buf->count;
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
- error = put_user(count, (int __user *)arg);
- break;
-@@ -826,14 +815,14 @@ static unsigned int n_hdlc_tty_poll(stru
- poll_wait(filp, &tty->write_wait, wait);
-
- /* set bits for operations that won't block */
-- if (n_hdlc->rx_buf_list.head)
-+ if (!list_empty(&n_hdlc->rx_buf_list.list))
- mask |= POLLIN | POLLRDNORM; /* readable */
- if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
- mask |= POLLHUP;
- if (tty_hung_up_p(filp))
- mask |= POLLHUP;
- if (!tty_is_writelocked(tty) &&
-- n_hdlc->tx_free_buf_list.head)
-+ !list_empty(&n_hdlc->tx_free_buf_list.list))
- mask |= POLLOUT | POLLWRNORM; /* writable */
- }
- return mask;
-@@ -859,7 +848,12 @@ static struct n_hdlc *n_hdlc_alloc(void)
- spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
- spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
- spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
--
-+
-+ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
-+
- /* allocate free rx buffer list */
- for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
- buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
-@@ -887,53 +881,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
- } /* end of n_hdlc_alloc() */
-
- /**
-+ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
-+ * @buf_list - pointer to the buffer list
-+ * @buf - pointer to the buffer
-+ */
-+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
-+ struct n_hdlc_buf *buf)
-+{
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ list_add(&buf->list_item, &buf_list->list);
-+ buf_list->count++;
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
-+}
-+
-+/**
- * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
-- * @list - pointer to buffer list
-+ * @buf_list - pointer to buffer list
- * @buf - pointer to buffer
- */
--static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
-+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
- struct n_hdlc_buf *buf)
- {
- unsigned long flags;
-- spin_lock_irqsave(&list->spinlock,flags);
--
-- buf->link=NULL;
-- if (list->tail)
-- list->tail->link = buf;
-- else
-- list->head = buf;
-- list->tail = buf;
-- (list->count)++;
--
-- spin_unlock_irqrestore(&list->spinlock,flags);
--
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ list_add_tail(&buf->list_item, &buf_list->list);
-+ buf_list->count++;
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
- } /* end of n_hdlc_buf_put() */
-
- /**
- * n_hdlc_buf_get - remove and return an HDLC buffer from list
-- * @list - pointer to HDLC buffer list
-+ * @buf_list - pointer to HDLC buffer list
- *
- * Remove and return an HDLC buffer from the head of the specified HDLC buffer
- * list.
- * Returns a pointer to HDLC buffer if available, otherwise %NULL.
- */
--static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
-+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
- {
- unsigned long flags;
- struct n_hdlc_buf *buf;
-- spin_lock_irqsave(&list->spinlock,flags);
--
-- buf = list->head;
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ buf = list_first_entry_or_null(&buf_list->list,
-+ struct n_hdlc_buf, list_item);
- if (buf) {
-- list->head = buf->link;
-- (list->count)--;
-+ list_del(&buf->list_item);
-+ buf_list->count--;
- }
-- if (!list->head)
-- list->tail = NULL;
--
-- spin_unlock_irqrestore(&list->spinlock,flags);
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
- return buf;
--
- } /* end of n_hdlc_buf_get() */
-
- static char hdlc_banner[] __initdata =
diff --git a/debian/patches/features/all/drm/Remove-gma500-driver-from-staging.patch b/debian/patches/features/all/drm/Remove-gma500-driver-from-staging.patch
index d9e3f17..a64fe70 100644
--- a/debian/patches/features/all/drm/Remove-gma500-driver-from-staging.patch
+++ b/debian/patches/features/all/drm/Remove-gma500-driver-from-staging.patch
@@ -5,7 +5,7 @@ Subject: [PATCH 6/7] Remove gma500 driver from staging
commit b7cdd9e6323af368e26121c5b791eddc78e79fea upstream.
It moved to the main tree
-[bwh: Refresh against 3.2.48]
+[bwh: Refresh against 3.2.88]
--- a/drivers/staging/Kconfig
+++ b/drivers/staging/Kconfig
@@ -21989,7 +21989,7 @@ It moved to the main tree
-#endif
--- a/drivers/staging/gma500/psb_drv.c
+++ /dev/null
-@@ -1,1229 +0,0 @@
+@@ -1,1232 +0,0 @@
-/**************************************************************************
- * Copyright (c) 2007-2011, Intel Corporation.
- * All Rights Reserved.
@@ -23177,6 +23177,9 @@ It moved to the main tree
- .open = drm_open,
- .release = drm_release,
- .unlocked_ioctl = psb_unlocked_ioctl,
+-#ifdef CONFIG_COMPAT
+- .compat_ioctl = drm_compat_ioctl,
+-#endif
- .mmap = drm_gem_mmap,
- .poll = drm_poll,
- .fasync = drm_fasync,
diff --git a/debian/patches/features/all/list-introduce-list_first_entry_or_null.patch b/debian/patches/features/all/list-introduce-list_first_entry_or_null.patch
deleted file mode 100644
index ac5d65a..0000000
--- a/debian/patches/features/all/list-introduce-list_first_entry_or_null.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Jiri Pirko <jiri at resnulli.us>
-Date: Wed, 29 May 2013 05:02:56 +0000
-Subject: list: introduce list_first_entry_or_null
-Origin: https://git.kernel.org/linus/6d7581e62f8be462440d7b22c6361f7c9fa4902b
-
-non-rcu variant of list_first_or_null_rcu
-
-Signed-off-by: Jiri Pirko <jiri at resnulli.us>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/linux/list.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/include/linux/list.h b/include/linux/list.h
-index 6a1f8df9144b..b83e5657365a 100644
---- a/include/linux/list.h
-+++ b/include/linux/list.h
-@@ -362,6 +362,17 @@ static inline void list_splice_tail_init(struct list_head *list,
- list_entry((ptr)->next, type, member)
-
- /**
-+ * list_first_entry_or_null - get the first element from a list
-+ * @ptr: the list head to take the element from.
-+ * @type: the type of the struct this is embedded in.
-+ * @member: the name of the list_struct within the struct.
-+ *
-+ * Note that if the list is empty, it returns NULL.
-+ */
-+#define list_first_entry_or_null(ptr, type, member) \
-+ (!list_empty(ptr) ? list_first_entry(ptr, type, member) : NULL)
-+
-+/**
- * list_for_each - iterate over a list
- * @pos: the &struct list_head to use as a loop cursor.
- * @head: the head for your list.
diff --git a/debian/patches/features/all/net-sock-add-sock_efree.patch b/debian/patches/features/all/net-sock-add-sock_efree.patch
deleted file mode 100644
index 1d4060b..0000000
--- a/debian/patches/features/all/net-sock-add-sock_efree.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Subject: net/sock: Add sock_efree() function
-Date: Fri, 03 Mar 2017 02:32:07 +0000
-
-Extracted from commit 62bccb8cdb69 ("net-timestamp: Make the clone operation
-stand-alone from phy timestamping").
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1117,6 +1117,7 @@ extern struct sk_buff *sock_rmalloc(str
- gfp_t priority);
- extern void sock_wfree(struct sk_buff *skb);
- extern void sock_rfree(struct sk_buff *skb);
-+void sock_efree(struct sk_buff *skb);
-
- extern int sock_setsockopt(struct socket *sock, int level,
- int op, char __user *optval,
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1369,6 +1369,11 @@ void sock_rfree(struct sk_buff *skb)
- }
- EXPORT_SYMBOL(sock_rfree);
-
-+void sock_efree(struct sk_buff *skb)
-+{
-+ sock_put(skb->sk);
-+}
-+EXPORT_SYMBOL(sock_efree);
-
- int sock_i_uid(struct sock *sk)
- {
diff --git a/debian/patches/features/x86/hyperv/0018-staging-hv-move-hv_netvsc-out-of-staging-area.patch b/debian/patches/features/x86/hyperv/0018-staging-hv-move-hv_netvsc-out-of-staging-area.patch
index 682da69..56bfe07 100644
--- a/debian/patches/features/x86/hyperv/0018-staging-hv-move-hv_netvsc-out-of-staging-area.patch
+++ b/debian/patches/features/x86/hyperv/0018-staging-hv-move-hv_netvsc-out-of-staging-area.patch
@@ -14,9 +14,9 @@ Signed-off-by: Mike Sterling <Mike.Sterling at microsoft.com>
Acked-by: Stephen Hemminger <shemminger at vyatta.com>
Acked-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
-[bwh: Adjust context to apply after commit
- 045b1684bc21575793a099490938d197555eb128 ('Staging: hv: mousevsc: Remove the
- mouse driver from the staging tree') which makes adjacent deletions.]
+[bwh: Adjust context to apply after commits 045b1684bc21
+ ("Staging: hv: mousevsc: Remove the mouse driver from the staging tree")
+ and a50af86dd49e ("netvsc: reduce maximum GSO size")]
---
drivers/net/Kconfig | 2 +
drivers/net/Makefile | 2 +
@@ -45,19 +45,15 @@ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
delete mode 100644 drivers/staging/hv/netvsc_drv.c
delete mode 100644 drivers/staging/hv/rndis_filter.c
-diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
-index 654a5e9..99aa7fa 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
-@@ -338,4 +338,6 @@ config VMXNET3
+@@ -340,4 +340,6 @@ config VMXNET3
To compile this driver as a module, choose M here: the
module will be called vmxnet3.
+source "drivers/net/hyperv/Kconfig"
+
endif # NETDEVICES
-diff --git a/drivers/net/Makefile b/drivers/net/Makefile
-index fa877cd..a81192b 100644
--- a/drivers/net/Makefile
+++ b/drivers/net/Makefile
@@ -66,3 +66,5 @@ obj-$(CONFIG_USB_USBNET) += usb/
@@ -66,9 +62,6 @@ index fa877cd..a81192b 100644
obj-$(CONFIG_USB_CDC_PHONET) += usb/
+
+obj-$(CONFIG_HYPERV_NET) += hyperv/
-diff --git a/drivers/net/hyperv/Kconfig b/drivers/net/hyperv/Kconfig
-new file mode 100644
-index 0000000..936968d
--- /dev/null
+++ b/drivers/net/hyperv/Kconfig
@@ -0,0 +1,5 @@
@@ -77,18 +70,12 @@ index 0000000..936968d
+ depends on HYPERV
+ help
+ Select this option to enable the Hyper-V virtual network driver.
-diff --git a/drivers/net/hyperv/Makefile b/drivers/net/hyperv/Makefile
-new file mode 100644
-index 0000000..c8a6682
--- /dev/null
+++ b/drivers/net/hyperv/Makefile
@@ -0,0 +1,3 @@
+obj-$(CONFIG_HYPERV_NET) += hv_netvsc.o
+
+hv_netvsc-y := netvsc_drv.o netvsc.o rndis_filter.o
-diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
-new file mode 100644
-index 0000000..ac1ec84
--- /dev/null
+++ b/drivers/net/hyperv/hyperv_net.h
@@ -0,0 +1,1058 @@
@@ -1150,9 +1137,6 @@ index 0000000..ac1ec84
+
+
+#endif /* _HYPERV_NET_H */
-diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
-new file mode 100644
-index 0000000..28e69a6
--- /dev/null
+++ b/drivers/net/hyperv/netvsc.c
@@ -0,0 +1,939 @@
@@ -2095,12 +2079,9 @@ index 0000000..28e69a6
+
+ return ret;
+}
-diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
-new file mode 100644
-index 0000000..93b0e91
--- /dev/null
+++ b/drivers/net/hyperv/netvsc_drv.c
-@@ -0,0 +1,456 @@
+@@ -0,0 +1,460 @@
+/*
+ * Copyright (c) 2009, Microsoft Corporation.
+ *
@@ -2155,6 +2136,9 @@ index 0000000..93b0e91
+/* Need this many pages to handle worst case fragmented packet */
+#define PACKET_PAGES_HIWATER (MAX_SKB_FRAGS + 2)
+
++/* Restrict GSO size to account for NVGRE */
++#define NETVSC_GSO_MAX_SIZE 62768
++
+static int ring_size = 128;
+module_param(ring_size, int, S_IRUGO);
+MODULE_PARM_DESC(ring_size, "Ring buffer size (# of pages)");
@@ -2466,6 +2450,7 @@ index 0000000..93b0e91
+
+ SET_ETHTOOL_OPS(net, ðtool_ops);
+ SET_NETDEV_DEV(net, &dev->device);
++ netif_set_gso_max_size(net, NETVSC_GSO_MAX_SIZE);
+
+ ret = register_netdev(net);
+ if (ret != 0) {
@@ -2557,9 +2542,6 @@ index 0000000..93b0e91
+
+module_init(netvsc_drv_init);
+module_exit(netvsc_drv_exit);
-diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
-new file mode 100644
-index 0000000..bafccb3
--- /dev/null
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -0,0 +1,855 @@
@@ -3418,8 +3400,6 @@ index 0000000..bafccb3
+{
+ /* Noop */
+}
-diff --git a/drivers/staging/hv/Kconfig b/drivers/staging/hv/Kconfig
-index 6c0dc30..60ac479 100644
--- a/drivers/staging/hv/Kconfig
+++ b/drivers/staging/hv/Kconfig
@@ -3,9 +3,3 @@ config HYPERV_STORAGE
@@ -3432,8 +3412,6 @@ index 6c0dc30..60ac479 100644
- depends on HYPERV && NET
- help
- Select this option to enable the Hyper-V virtual network driver.
-diff --git a/drivers/staging/hv/Makefile b/drivers/staging/hv/Makefile
-index fbe9a42..af95a6b 100644
--- a/drivers/staging/hv/Makefile
+++ b/drivers/staging/hv/Makefile
@@ -1,5 +1,3 @@
@@ -3442,8 +3420,6 @@ index fbe9a42..af95a6b 100644
hv_storvsc-y := storvsc_drv.o
-hv_netvsc-y := netvsc_drv.o netvsc.o rndis_filter.o
-diff --git a/drivers/staging/hv/TODO b/drivers/staging/hv/TODO
-index ed4d636..fd080cb 100644
--- a/drivers/staging/hv/TODO
+++ b/drivers/staging/hv/TODO
@@ -1,5 +1,4 @@
@@ -3452,9 +3428,6 @@ index ed4d636..fd080cb 100644
- audit the scsi driver
Please send patches for this code to Greg Kroah-Hartman <gregkh at suse.de>,
-diff --git a/drivers/staging/hv/hyperv_net.h b/drivers/staging/hv/hyperv_net.h
-deleted file mode 100644
-index ac1ec84..0000000
--- a/drivers/staging/hv/hyperv_net.h
+++ /dev/null
@@ -1,1058 +0,0 @@
@@ -4516,9 +4489,6 @@ index ac1ec84..0000000
-
-
-#endif /* _HYPERV_NET_H */
-diff --git a/drivers/staging/hv/netvsc.c b/drivers/staging/hv/netvsc.c
-deleted file mode 100644
-index 28e69a6..0000000
--- a/drivers/staging/hv/netvsc.c
+++ /dev/null
@@ -1,939 +0,0 @@
@@ -5461,12 +5431,9 @@ index 28e69a6..0000000
-
- return ret;
-}
-diff --git a/drivers/staging/hv/netvsc_drv.c b/drivers/staging/hv/netvsc_drv.c
-deleted file mode 100644
-index 93b0e91..0000000
--- a/drivers/staging/hv/netvsc_drv.c
+++ /dev/null
-@@ -1,456 +0,0 @@
+@@ -1,460 +0,0 @@
-/*
- * Copyright (c) 2009, Microsoft Corporation.
- *
@@ -5521,6 +5488,9 @@ index 93b0e91..0000000
-/* Need this many pages to handle worst case fragmented packet */
-#define PACKET_PAGES_HIWATER (MAX_SKB_FRAGS + 2)
-
+-/* Restrict GSO size to account for NVGRE */
+-#define NETVSC_GSO_MAX_SIZE 62768
+-
-static int ring_size = 128;
-module_param(ring_size, int, S_IRUGO);
-MODULE_PARM_DESC(ring_size, "Ring buffer size (# of pages)");
@@ -5832,6 +5802,7 @@ index 93b0e91..0000000
-
- SET_ETHTOOL_OPS(net, ðtool_ops);
- SET_NETDEV_DEV(net, &dev->device);
+- netif_set_gso_max_size(net, NETVSC_GSO_MAX_SIZE);
-
- ret = register_netdev(net);
- if (ret != 0) {
@@ -5923,9 +5894,6 @@ index 93b0e91..0000000
-
-module_init(netvsc_drv_init);
-module_exit(netvsc_drv_exit);
-diff --git a/drivers/staging/hv/rndis_filter.c b/drivers/staging/hv/rndis_filter.c
-deleted file mode 100644
-index bafccb3..0000000
--- a/drivers/staging/hv/rndis_filter.c
+++ /dev/null
@@ -1,855 +0,0 @@
@@ -6784,6 +6752,3 @@ index bafccb3..0000000
-{
- /* Noop */
-}
---
-1.7.9.5
-
diff --git a/debian/patches/features/x86/hyperv/0029-net-hyperv-Fix-the-stop-wake-queue-mechanism.patch b/debian/patches/features/x86/hyperv/0029-net-hyperv-Fix-the-stop-wake-queue-mechanism.patch
index f070061..a8fddf5 100644
--- a/debian/patches/features/x86/hyperv/0029-net-hyperv-Fix-the-stop-wake-queue-mechanism.patch
+++ b/debian/patches/features/x86/hyperv/0029-net-hyperv-Fix-the-stop-wake-queue-mechanism.patch
@@ -19,16 +19,16 @@ Signed-off-by: Haiyang Zhang <haiyangz at microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys at microsoft.com>
Reported-by: Long Li <longli at microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Adjust context to apply after commit a50af86dd49e
+ ("netvsc: reduce maximum GSO size")]
---
drivers/net/hyperv/netvsc.c | 14 +++++++++++---
drivers/net/hyperv/netvsc_drv.c | 24 +-----------------------
2 files changed, 12 insertions(+), 26 deletions(-)
-diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
-index 4a807e4..b6ac152 100644
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
-@@ -435,6 +435,9 @@ static void netvsc_send_completion(struct hv_device *device,
+@@ -435,6 +435,9 @@ static void netvsc_send_completion(struc
nvsc_packet->completion.send.send_completion_ctx);
atomic_dec(&net_device->num_outstanding_sends);
@@ -38,7 +38,7 @@ index 4a807e4..b6ac152 100644
} else {
netdev_err(ndev, "Unknown send completion packet type- "
"%d received!!\n", nvsp_packet->hdr.msg_type);
-@@ -485,11 +488,16 @@ int netvsc_send(struct hv_device *device,
+@@ -485,11 +488,16 @@ int netvsc_send(struct hv_device *device
}
@@ -58,8 +58,6 @@ index 4a807e4..b6ac152 100644
return ret;
}
-diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
-index b69c3a4..7da85eb 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -43,15 +43,10 @@
@@ -75,10 +73,10 @@ index b69c3a4..7da85eb 100644
-/* Need this many pages to handle worst case fragmented packet */
-#define PACKET_PAGES_HIWATER (MAX_SKB_FRAGS + 2)
-
- static int ring_size = 128;
- module_param(ring_size, int, S_IRUGO);
- MODULE_PARM_DESC(ring_size, "Ring buffer size (# of pages)");
-@@ -144,18 +139,8 @@ static void netvsc_xmit_completion(void *context)
+ /* Restrict GSO size to account for NVGRE */
+ #define NETVSC_GSO_MAX_SIZE 62768
+
+@@ -147,18 +142,8 @@ static void netvsc_xmit_completion(void
kfree(packet);
@@ -98,7 +96,7 @@ index b69c3a4..7da85eb 100644
}
static int netvsc_start_xmit(struct sk_buff *skb, struct net_device *net)
-@@ -167,8 +152,6 @@ static int netvsc_start_xmit(struct sk_buff *skb, struct net_device *net)
+@@ -170,8 +155,6 @@ static int netvsc_start_xmit(struct sk_b
/* Add 1 for skb->data and additional one for RNDIS */
num_pages = skb_shinfo(skb)->nr_frags + 1 + 1;
@@ -107,7 +105,7 @@ index b69c3a4..7da85eb 100644
/* Allocate a netvsc packet based on # of frags. */
packet = kzalloc(sizeof(struct hv_netvsc_packet) +
-@@ -218,10 +201,6 @@ static int netvsc_start_xmit(struct sk_buff *skb, struct net_device *net)
+@@ -221,10 +204,6 @@ static int netvsc_start_xmit(struct sk_b
if (ret == 0) {
net->stats.tx_bytes += skb->len;
net->stats.tx_packets++;
@@ -118,7 +116,7 @@ index b69c3a4..7da85eb 100644
} else {
/* we are shutting down or bus overloaded, just drop packet */
net->stats.tx_dropped++;
-@@ -391,7 +370,6 @@ static int netvsc_probe(struct hv_device *dev,
+@@ -394,7 +373,6 @@ static int netvsc_probe(struct hv_device
net_device_ctx = netdev_priv(net);
net_device_ctx->device_ctx = dev;
@@ -126,6 +124,3 @@ index b69c3a4..7da85eb 100644
hv_set_drvdata(dev, net);
INIT_DELAYED_WORK(&net_device_ctx->dwork, netvsc_send_garp);
---
-1.7.9.5
-
diff --git a/debian/patches/series b/debian/patches/series
index 76021ef..96e71f7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1106,18 +1106,7 @@ features/all/hpsa/0011-hpsa-add-in-P840ar-controller-model-name.patch
bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
-bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
-bugfix/all/sctp-avoid-bug_on-on-sctp_wait_for_sndbuf.patch
-bugfix/all/net-llc-avoid-bug_on-in-skb_orphan.patch
-features/all/net-sock-add-sock_efree.patch
-bugfix/all/packet-fix-races-in-fanout_add.patch
-bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
-bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
-bugfix/all/tty-n_hdlc-fix-lockdep-false-positive.patch
-features/all/list-introduce-list_first_entry_or_null.patch
-bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.patch
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
-bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch
bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
# ABI maintenance
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list