[linux] 01/01: Update to 4.9.26
debian-kernel at lists.debian.org
Sat May 13 14:29:56 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 3d18d55b64cb359c21815392af4ab5e8096514f9
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sat May 13 08:15:06 2017 +0200
Update to 4.9.26
Ignore changes to module:sound/firewire/snd-firewire-lib
Ignore changes to module:net/l2tp/l2tp_core
---
debian/changelog | 59 +++++++++++-
debian/config/defines | 2 +
...acsec-avoid-heap-overflow-in-skb_to_sgvec.patch | 74 ---------------
...ket-fix-overflow-in-check-for-tp_frame_nr.patch | 32 -------
...cket-fix-overflow-in-check-for-tp_reserve.patch | 28 ------
...sd-check-for-oversized-NFSv2-v3-arguments.patch | 104 ---------------------
...icter-decoding-of-write-like-NFSv2-v3-ops.patch | 63 -------------
...sd4-minor-NFSv2-v3-write-decoding-cleanup.patch | 84 -----------------
.../bugfix/all/ping-implement-proper-locking.patch | 54 -----------
debian/patches/series | 7 --
10 files changed, 60 insertions(+), 447 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1a7d01f..590b9bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,61 @@
-linux (4.9.25-2) UNRELEASED; urgency=medium
+linux (4.9.26-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.26
+ - [arm64] Revert "mmc: sdhci-msm: Enable few quirks"
+ - ping: implement proper locking
+ - [sparc64] kern_addr_valid regression
+ - [sparc64] Fix kernel panic due to erroneous #ifdef surrounding
+ pmd_write()
+ - net: neigh: guard against NULL solicit() method
+ - net: phy: handle state correctly in phy_stop_machine
+ - bpf: improve verifier packet range checks
+ - net/mlx5: Avoid dereferencing uninitialized pointer
+ - l2tp: hold tunnel socket when handling control frames in l2tp_ip
+ and l2tp_ip6
+ - l2tp: purge socket queues in the .destruct() callback
+ - net/packet: fix overflow in check for tp_frame_nr
+ - net/packet: fix overflow in check for tp_reserve
+ - l2tp: take reference on sessions being dumped
+ - l2tp: fix PPP pseudo-wire auto-loading
+ - net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
+ - sctp: listen on the sock only when it's state is listening or
+ closed
+ - tcp: clear saved_syn in tcp_disconnect()
+ - ipv6: Fix idev->addr_list corruption
+ - net-timestamp: avoid use-after-free in ip_recv_error
+ - net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule
+ - dp83640: don't recieve time stamps twice
+ - gso: Validate assumption of frag_list segementation
+ - net: ipv6: RTF_PCPU should not be settable from userspace
+ - netpoll: Check for skb->queue_mapping
+ - ip6mr: fix notification device destruction
+ - net/mlx5: Fix driver load bad flow when having fw
+ initializing timeout
+ - net/mlx5e: Fix small packet threshold
+ - net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling
+ - macvlan: Fix device ref leak when purging bc_queue
+ - net: ipv6: regenerate host route if moved to gc list
+ - net: phy: fix auto-negotiation stall due to unavailable interrupt
+ - ipv6: check skb->protocol before lookup for nexthop
+ - tcp: memset ca_priv data to 0 properly
+ - ipv6: check raw payload size correctly in ioctl
+ - ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d
+ - ALSA: firewire-lib: fix inappropriate assignment between
+ signed/unsigned type
+ - ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
+ - [mips*] KGDB: Use kernel context for sleeping threads
+ - [mips*] Avoid BUG warning in arch_check_elf
+ - p9_client_readdir() fix
+ - [x86] ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
+ - Input: i8042 - add Clevo P650RS to the i8042 reset list
+ - nfsd: check for oversized NFSv2/v3 arguments
+ - nfsd4: minor NFSv2/v3 write decoding cleanup
+ - nfsd: stricter decoding of write-like NFSv2/v3 ops
+ - ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
+ - macsec: avoid heap overflow in skb_to_sgvec
+ - net: can: usb: gs_usb: Fix buffer on stack
+ - [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram
[ Aurelien Jarno ]
* [mips*/*-malta] Enable POWER_RESET and POWER_RESET_SYSCON.
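Review bot: the new upstream entries for the fixes that this commit stops carrying as patches have no CVE annotation: "ping: implement proper locking", the two "net/packet: fix overflow" lines, "nfsd: check for oversized NFSv2/v3 arguments", "nfsd: stricter decoding of write-like NFSv2/v3 ops" and "macsec: avoid heap overflow in skb_to_sgvec". The deleted patch files name CVE-2017-2671, CVE-2017-7308, CVE-2017-7645, CVE-2017-7895 and CVE-2017-7477 in their Bug-Debian-Security headers. Appending the matching id to each line, for example "- ping: implement proper locking (CVE-2017-2671)", keeps the fixes traceable from the changelog once the patch files are gone. Any older bullets in this stanza that introduced those patches would also need dropping or merging, which this hunk does not show.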
diff --git a/debian/config/defines b/debian/config/defines
index eef7c76..1b1add7 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -21,6 +21,8 @@ ignore-changes:
module:drivers/usb/host/**
module:drivers/usb/musb/**
module:net/ceph/libceph
+ module:net/l2tp/l2tp_core
+ module:sound/firewire/snd-firewire-lib
# btree library is only selected by few drivers so not useful OOT
btree_*
visitor*
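Review bot: the two added ignore-changes entries, module:net/l2tp/l2tp_core and module:sound/firewire/snd-firewire-lib, carry no rationale, while the btree_* entry just below them has a comment explaining why its ABI is not tracked. A one-line comment per entry saying why symbol changes in these modules are acceptable would let a later reviewer judge whether the exception can be removed at the next ABI bump.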
diff --git a/debian/patches/bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch b/debian/patches/bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
deleted file mode 100644
index 63508e6..0000000
--- a/debian/patches/bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: "Jason A. Donenfeld" <Jason at zx2c4.com>
-Date: Fri, 21 Apr 2017 23:14:48 +0200
-Subject: macsec: avoid heap overflow in skb_to_sgvec
-Origin: https://git.kernel.org/linus/4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7477
-
-While this may appear as a humdrum one line change, it's actually quite
-important. An sk_buff stores data in three places:
-
-1. A linear chunk of allocated memory in skb->data. This is the easiest
- one to work with, but it precludes using scatterdata since the memory
- must be linear.
-2. The array skb_shinfo(skb)->frags, which is of maximum length
- MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
- can point to different pages.
-3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
- which in turn can have data in either (1) or (2).
-
-The first two are rather easy to deal with, since they're of a fixed
-maximum length, while the third one is not, since there can be
-potentially limitless chains of fragments. Fortunately dealing with
-frag_list is opt-in for drivers, so drivers don't actually have to deal
-with this mess. For whatever reason, macsec decided it wanted pain, and
-so it explicitly specified NETIF_F_FRAGLIST.
-
-Because dealing with (1), (2), and (3) is insane, most users of sk_buff
-doing any sort of crypto or paging operation calls a convenient function
-called skb_to_sgvec (which happens to be recursive if (3) is in use!).
-This takes a sk_buff as input, and writes into its output pointer an
-array of scattergather list items. Sometimes people like to declare a
-fixed size scattergather list on the stack; othertimes people like to
-allocate a fixed size scattergather list on the heap. However, if you're
-doing it in a fixed-size fashion, you really shouldn't be using
-NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
-frag_list children arent't shared and then you check the number of
-fragments in total required.)
-
-Macsec specifically does this:
-
- size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
- tmp = kmalloc(size, GFP_ATOMIC);
- *sg = (struct scatterlist *)(tmp + sg_offset);
- ...
- sg_init_table(sg, MAX_SKB_FRAGS + 1);
- skb_to_sgvec(skb, sg, 0, skb->len);
-
-Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
-using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
-overflow the heap, and disaster ensues.
-
-Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
-Cc: stable at vger.kernel.org
-Cc: security at kernel.org
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- drivers/net/macsec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
-index ff0a5ed..dbab05a 100644
---- a/drivers/net/macsec.c
-+++ b/drivers/net/macsec.c
-@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
- }
-
- #define MACSEC_FEATURES \
-- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
-+ (NETIF_F_SG | NETIF_F_HIGHDMA)
- static struct lock_class_key macsec_netdev_addr_lock_key;
-
- static int macsec_dev_init(struct net_device *dev)
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
deleted file mode 100644
index 1ca2d19..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:21 +0200
-Subject: net/packet: fix overflow in check for tp_frame_nr
-Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating rb->frames_per_block * req->tp_block_nr the result
-can overflow.
-
-Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
-
-Since frames_per_block <= tp_block_size, the expression would
-never overflow.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -4247,6 +4247,8 @@ static int packet_set_ring(struct sock *
- rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
- if (unlikely(rb->frames_per_block == 0))
- goto out;
-+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
-+ goto out;
- if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
- req->tp_frame_nr))
- goto out;
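Review bot: the added test "req->tp_block_size > UINT_MAX / req->tp_block_nr" divides by req->tp_block_nr, and nothing in the context shown here establishes that it is non-zero at this point in packet_set_ring(). When confirming that 4.9.26 carries the same change before dropping this file, check that the test still sits on a path where tp_block_nr has already been checked, otherwise the overflow guard is itself a division by zero.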
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
deleted file mode 100644
index 267e16c..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:22 +0200
-Subject: net/packet: fix overflow in check for tp_reserve
-Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
-
-Fix by checking that tp_reserve <= INT_MAX on assign.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, i
- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
-+ if (val > INT_MAX)
-+ return -EINVAL;
- po->tp_reserve = val;
- return 0;
- }
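Review bot: the added "if (val > INT_MAX)" in packet_setsockopt() is only effective if val is an unsigned type, and its declaration is outside the context shown. With a signed int the comparison can never be true and a negative tp_reserve would still be stored. Worth confirming the declaration in the 4.9.26 source when verifying that this patch is fully superseded.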
diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
deleted file mode 100644
index 1c12edf..0000000
--- a/debian/patches/bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 16:10:18 -0400
-Subject: nfsd: check for oversized NFSv2/v3 arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply. This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE). But a client that sends an incorrectly long reply
-can violate those assumptions. This was observed to cause crashes.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-So, following a suggestion from Neil Brown, add a central check to
-enforce our expectation that no NFSv2/v3 call has both a large call and
-a large reply.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-We may also consider rejecting calls that have any extra garbage
-appended. That would be safer, and within our rights by spec, but given
-the age of our server and the NFS protocol, and the fact that we've
-never enforced this before, we may need to balance that against the
-possibility of breaking some oddball client.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Cc: stable at vger.kernel.org
-Reviewed-by: NeilBrown <neilb at suse.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
-index 31e1f95..59979f0 100644
---- a/fs/nfsd/nfssvc.c
-+++ b/fs/nfsd/nfssvc.c
-@@ -747,6 +747,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
- return nfserr;
- }
-
-+/*
-+ * A write procedure can have a large argument, and a read procedure can
-+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
-+ * reply that can both be larger than a page. The xdr code has taken
-+ * advantage of this assumption to be a sloppy about bounds checking in
-+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
-+ * problem, we enforce these assumptions here:
-+ */
-+static bool nfs_request_too_big(struct svc_rqst *rqstp,
-+ struct svc_procedure *proc)
-+{
-+ /*
-+ * The ACL code has more careful bounds-checking and is not
-+ * susceptible to this problem:
-+ */
-+ if (rqstp->rq_prog != NFS_PROGRAM)
-+ return false;
-+ /*
-+ * Ditto NFSv4 (which can in theory have argument and reply both
-+ * more than a page):
-+ */
-+ if (rqstp->rq_vers >= 4)
-+ return false;
-+ /* The reply will be small, we're OK: */
-+ if (proc->pc_xdrressize > 0 &&
-+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
-+ return false;
-+
-+ return rqstp->rq_arg.len > PAGE_SIZE;
-+}
-+
- int
- nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- {
-@@ -759,6 +790,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- rqstp->rq_vers, rqstp->rq_proc);
- proc = rqstp->rq_procinfo;
-
-+ if (nfs_request_too_big(rqstp, proc)) {
-+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
-+ *statp = rpc_garbage_args;
-+ return 1;
-+ }
- /*
- * Give the xdr decoder a chance to change this if it wants
- * (necessary in the NFSv4.0 compound case)
---
-2.1.4
-
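Review bot: in nfsd_dispatch() the rejection is reported only through dprintk, so on a server without nfsd debugging enabled an oversized NFSv2/v3 call is answered with rpc_garbage_args and leaves no trace in the logs. Since the description says such calls were observed to cause crashes, a rate-limited warning or a counter at this spot would give operators something to alert on. Separately, the comment above nfs_request_too_big() reads "to be a sloppy", which should be "to be sloppy".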
diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
deleted file mode 100644
index 33415b6..0000000
--- a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 15:26:30 -0400
-Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-The NFSv2/v3 code does not systematically check whether we decode past
-the end of the buffer. This generally appears to be harmless, but there
-are a few places where we do arithmetic on the pointers involved and
-don't account for the possibility that a length could be negative. Add
-checks to catch these.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Reviewed-by: NeilBrown <neilb at suse.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfs3xdr.c | 4 ++++
- fs/nfsd/nfsxdr.c | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
-index d18cfdd..4523346 100644
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- args->count = ntohl(*p++);
- args->stable = ntohl(*p++);
- len = args->len = ntohl(*p++);
-+ if ((void *)p > head->iov_base + head->iov_len)
-+ return 0;
- /*
- * The count must equal the amount of data passed.
- */
-@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
- /* first copy and check from the first page */
- old = (char*)p;
- vec = &rqstp->rq_arg.head[0];
-+ if ((void *)old > vec->iov_base + vec->iov_len)
-+ return 0;
- avail = vec->iov_len - (old - (char*)vec->iov_base);
- while (len && avail && *old) {
- *new++ = *old++;
-diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
-index 59bd88a..de07ff6 100644
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- * bytes.
- */
- hdr = (void*)p - head->iov_base;
-+ if (hdr > head->iov_len)
-+ return 0;
- dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
-
- /*
---
-2.1.4
-
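Review bot: the three added bounds checks are written in two different forms, and the one in nfs3svc_decode_symlinkargs() mixes pointer types with the line that follows it. The check compares "(void *)old" against "vec->iov_base + vec->iov_len", relying on void pointer arithmetic, while the very next line computes avail with "(char*)vec->iov_base". Writing the check as a char pointer comparison, or as an offset test like the "hdr > head->iov_len" form used in nfssvc_decode_writeargs(), would make the three sites easier to audit together.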
diff --git a/debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch b/debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
deleted file mode 100644
index 7b7d9f5..0000000
--- a/debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Tue, 25 Apr 2017 16:21:34 -0400
-Subject: nfsd4: minor NFSv2/v3 write decoding cleanup
-Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
-
-Use a couple shortcuts that will simplify a following bugfix.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfs3xdr.c | 9 +++++----
- fs/nfsd/nfsxdr.c | 8 ++++----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
-index dba2ff8..d18cfdd 100644
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- {
- unsigned int len, v, hdr, dlen;
- u32 max_blocksize = svc_max_payload(rqstp);
-+ struct kvec *head = rqstp->rq_arg.head;
-+ struct kvec *tail = rqstp->rq_arg.tail;
-
- p = decode_fh(p, &args->fh);
- if (!p)
-@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- * Check to make sure that we got the right number of
- * bytes.
- */
-- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
-- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
-- + rqstp->rq_arg.tail[0].iov_len - hdr;
-+ hdr = (void*)p - head->iov_base;
-+ dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr;
- /*
- * Round the length of the data which was specified up to
- * the next multiple of XDR units and then compare that
-@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- len = args->len = max_blocksize;
- }
- rqstp->rq_vec[0].iov_base = (void*)p;
-- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- v = 0;
- while (len > rqstp->rq_vec[v].iov_len) {
- len -= rqstp->rq_vec[v].iov_len;
-diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
-index 41b468a..59bd88a 100644
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- struct nfsd_writeargs *args)
- {
- unsigned int len, hdr, dlen;
-+ struct kvec *head = rqstp->rq_arg.head;
- int v;
-
- p = decode_fh(p, &args->fh);
-@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- * Check to make sure that we got the right number of
- * bytes.
- */
-- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
-- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
-- - hdr;
-+ hdr = (void*)p - head->iov_base;
-+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
-
- /*
- * Round the length of the data which was specified up to
-@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
- return 0;
-
- rqstp->rq_vec[0].iov_base = (void*)p;
-- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- v = 0;
- while (len > rqstp->rq_vec[v].iov_len) {
- len -= rqstp->rq_vec[v].iov_len;
---
-2.1.4
-
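Review bot: the rewritten dlen computations preserve a difference that now stands out: nfs3svc_decode_writeargs() adds tail->iov_len, while nfssvc_decode_writeargs() uses only head->iov_len and rqstp->rq_arg.page_len and declares no tail. If the NFSv2 decoder omits the tail on purpose, a short comment there would stop a later cleanup from "fixing" it. If it is an oversight, it affects the length check that the following bugfix builds on.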
diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
deleted file mode 100644
index d7b4b83..0000000
--- a/debian/patches/bugfix/all/ping-implement-proper-locking.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 24 Mar 2017 19:36:13 -0700
-Subject: ping: implement proper locking
-Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
-
-We got a report of yet another bug in ping
-
-http://www.openwall.com/lists/oss-security/2017/03/24/6
-
-->disconnect() is not called with socket lock held.
-
-Fix this by acquiring ping rwlock earlier.
-
-Thanks to Daniel, Alexander and Andrey for letting us know this problem.
-
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
-Reported-by: Solar Designer <solar at openwall.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/ping.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index 2af6244b83e2..ccfbce13a633 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
- void ping_unhash(struct sock *sk)
- {
- struct inet_sock *isk = inet_sk(sk);
-+
- pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
-+ write_lock_bh(&ping_table.lock);
- if (sk_hashed(sk)) {
-- write_lock_bh(&ping_table.lock);
- hlist_nulls_del(&sk->sk_nulls_node);
- sk_nulls_node_init(&sk->sk_nulls_node);
- sock_put(sk);
- isk->inet_num = 0;
- isk->inet_sport = 0;
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-- write_unlock_bh(&ping_table.lock);
- }
-+ write_unlock_bh(&ping_table.lock);
- }
- EXPORT_SYMBOL_GPL(ping_unhash);
-
---
-2.11.0
-
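Review bot: in ping_unhash() the pr_debug line still reads isk->inet_num before write_lock_bh(&ping_table.lock) is taken, while the same field is cleared under the lock a few lines later. It is only debug output, but moving the pr_debug below the lock acquisition would put every access to inet_num in this function under ping_table.lock, consistent with the fix moving the sk_hashed() test under the lock.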
diff --git a/debian/patches/series b/debian/patches/series
index a5922a9..6559add 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -105,14 +105,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/time-mark-timer_stats-as-broken.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
-bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
-bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
-bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
-bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
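Review bot: bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch stays in the series while its companion macsec-avoid-heap-overflow-in-skb_to_sgvec.patch is dropped, and the changelog in this commit lists only "macsec: avoid heap overflow in skb_to_sgvec" as arriving with 4.9.26. Please confirm the retained patch still applies cleanly on top of the upstream version of the first fix. A comment next to it in the series noting that it is not yet in the stable tree would explain why it is the only macsec entry left under "Security fixes".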
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git