Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedora

6 files changed, 41 insertions, 186 deletions

diff --git a/0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
deleted file mode 100644
index 134e1ea39..000000000
--- a/0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 2dcab598484185dea7ec22219c76dcdd59e3cb90 Mon Sep 17 00:00:00 2001
-From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Date: Mon, 6 Feb 2017 18:10:31 -0200
-Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf
-
-Alexander Popov reported that an application may trigger a BUG_ON in
-sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
-waiting on it to queue more data and meanwhile another thread peels off
-the association being used by the first thread.
-
-This patch replaces the BUG_ON call with a proper error handling. It
-will return -EPIPE to the original sendmsg call, similarly to what would
-have been done if the association wasn't found in the first place.
-
-Acked-by: Alexander Popov <alex.popov@linux.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Reviewed-by: Xin Long <lucien.xin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/sctp/socket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 37eeab7..e214d2e 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- 		 */
- 		release_sock(sk);
- 		current_timeo = schedule_timeout(current_timeo);
--		BUG_ON(sk != asoc->base.sk);
-+		if (sk != asoc->base.sk)
-+			goto do_error;
- 		lock_sock(sk);
-
- 		*timeo_p = current_timeo;
--- 
-2.9.3
-
diff --git a/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/ip6_gre-fix-ip6gre_err-invalid-reads.patch
deleted file mode 100644
index 756663c11..000000000
--- a/ip6_gre-fix-ip6gre_err-invalid-reads.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 4 Feb 2017 23:18:55 -0800
-Subject: ip6_gre: fix ip6gre_err() invalid reads
-
-Andrey Konovalov reported out of bound accesses in ip6gre_err()
-
-If GRE flags contains GRE_KEY, the following expression
-*(((__be32 *)p) + (grehlen / 4) - 1)
-
-accesses data ~40 bytes after the expected point, since
-grehlen includes the size of IPv6 headers.
-
-Let's use a "struct gre_base_hdr *greh" pointer to make this
-code more readable.
-
-p[1] becomes greh->protocol.
-grhlen is the GRE header length.
-
-Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
- 1 file changed, 21 insertions(+), 19 deletions(-)
-
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 5586318..630b73b 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
- 
- 
- static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
--		u8 type, u8 code, int offset, __be32 info)
-+		       u8 type, u8 code, int offset, __be32 info)
- {
--	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
--	__be16 *p = (__be16 *)(skb->data + offset);
--	int grehlen = offset + 4;
-+	const struct gre_base_hdr *greh;
-+	const struct ipv6hdr *ipv6h;
-+	int grehlen = sizeof(*greh);
- 	struct ip6_tnl *t;
-+	int key_off = 0;
- 	__be16 flags;
-+	__be32 key;
- 
--	flags = p[0];
--	if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
--		if (flags&(GRE_VERSION|GRE_ROUTING))
--			return;
--		if (flags&GRE_KEY) {
--			grehlen += 4;
--			if (flags&GRE_CSUM)
--				grehlen += 4;
--		}
-+	if (!pskb_may_pull(skb, offset + grehlen))
-+		return;
-+	greh = (const struct gre_base_hdr *)(skb->data + offset);
-+	flags = greh->flags;
-+	if (flags & (GRE_VERSION | GRE_ROUTING))
-+		return;
-+	if (flags & GRE_CSUM)
-+		grehlen += 4;
-+	if (flags & GRE_KEY) {
-+		key_off = grehlen + offset;
-+		grehlen += 4;
- 	}
- 
--	/* If only 8 bytes returned, keyed message will be dropped here */
--	if (!pskb_may_pull(skb, grehlen))
-+	if (!pskb_may_pull(skb, offset + grehlen))
- 		return;
- 	ipv6h = (const struct ipv6hdr *)skb->data;
--	p = (__be16 *)(skb->data + offset);
-+	greh = (const struct gre_base_hdr *)(skb->data + offset);
-+	key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
- 
- 	t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
--				flags & GRE_KEY ?
--				*(((__be32 *)p) + (grehlen / 4) - 1) : 0,
--				p[1]);
-+				 key, greh->protocol);
- 	if (!t)
- 		return;
- 
--- 
-cgit v0.12
-
diff --git a/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch b/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
deleted file mode 100644
index 821e3fce8..000000000
--- a/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 34b2cef20f19c87999fff3da4071e66937db9644 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 4 Feb 2017 11:16:52 -0800
-Subject: [PATCH] ipv4: keep skb->dst around in presence of IP options
-
-Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
-is accessed.
-
-ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
-are present.
-
-We could refine the test to the presence of ts_needtime or srr,
-but IP options are not often used, so let's be conservative.
-
-Thanks to syzkaller team for finding this bug.
-
-Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/ip_sockglue.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 53ae0c6..9000117 100644
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -1238,7 +1238,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
- 		pktinfo->ipi_ifindex = 0;
- 		pktinfo->ipi_spec_dst.s_addr = 0;
- 	}
--	skb_dst_drop(skb);
-+	/* We need to keep the dst for __ip_options_echo()
-+	 * We could restrict the test to opt.ts_needtime || opt.srr,
-+	 * but the following is good enough as IP options are not often used.
-+	 */
-+	if (unlikely(IPCB(skb)->opt.optlen))
-+		skb_dst_force(skb);
-+	else
-+		skb_dst_drop(skb);
- }
-
- int ip_setsockopt(struct sock *sk, int level,
--- 
-2.9.3
-
diff --git a/kernel.spec b/kernel.spec
index 321f6d95b..9d1bfd959 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -654,21 +654,15 @@ Patch852: nouveau-add-maxwell-to-backlight-init.patch
 #CVE-2017-2596 rhbz 1417812 1417813
 Patch855: kvm-fix-page-struct-leak-in-handle_vmon.patch
 
-#CVE-2017-5897 rhbz 1419848 1419851
-Patch857: ip6_gre-fix-ip6gre_err-invalid-reads.patch
-
 #rhbz 1417829
 Patch858: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
 Patch859: 2-2-media-dvb-usb-firmware-don-t-do-DMA-on-stack.patch
 
-#rhbz 1420276
-Patch860: 0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
-
 #rhbz 1415397
 Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
 
-#CVE-2017-5970 rhbz 1421638
-Patch862: ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
+#rhbz 1422969
+Patch862: rt2800-warning.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2202,6 +2196,10 @@ fi
 #
 # 
 %changelog
+* Mon Feb 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.11-100
+- Linux v4.9.11
+- Fix rt2800 warning (rhbz 1422969)
+
 * Wed Feb 15 2017 Peter Robinson <pbrobinson@fedoraproject.org>
 - Enable PWRSEQ_SIMPLE module (fixes rhbz 1377816)
 
diff --git a/rt2800-warning.patch b/rt2800-warning.patch
new file mode 100644
index 000000000..0e7a1fe0d
--- /dev/null
+++ b/rt2800-warning.patch
@@ -0,0 +1,34 @@
+From feecb0cb466ba458f59640b4d59ecef1cd956b1f Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Fri, 13 Jan 2017 15:55:07 +0100
+Subject: rt2800: remove warning on bcn_num != rt2x00dev->intf_beaconing
+
+Since rt2800pci update beacon settings asynchronously from
+tbtt tasklet, without beacon_skb_mutex protection, number of
+currently active beacons entries can be different than
+number pointed by rt2x00dev->intf_beaconing. Remove warning
+about that inconsistency.
+
+Reported-by: evaxige@qq.com
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index ff047dc..f36bc9b 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -967,8 +967,6 @@ static void rt2800_update_beacons_setup(struct rt2x00_dev *rt2x00dev)
+ 		bcn_num++;
+ 	}
+ 
+-	WARN_ON_ONCE(bcn_num != rt2x00dev->intf_beaconing);
+-
+ 	rt2800_register_write(rt2x00dev, BCN_OFFSET0, (u32) reg);
+ 	rt2800_register_write(rt2x00dev, BCN_OFFSET1, (u32) (reg >> 32));
+ 
+-- 
+cgit v0.12
+
diff --git a/sources b/sources
index 687327e58..d34f194b7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
-SHA512 (patch-4.9.10.xz) = 93958f4b932a46bbd9a122f52bf09b8c4b864b419a0774514baeb7dc83f11f55a5ba84f2e586a904dbfeeb7d976352e40670fbe2e32e25c35085ddf87e41b58d
+SHA512 (patch-4.9.11.xz) = 7683628b011fa1462b5838301ebabc3eebaefcd50f65600be55bcf0102578ca07589c7683ef84b8d5300bd05795655fb21e1c145f5663d30593fc1801c163bc3