author | Laura Abbott <labbott@fedoraproject.org> | 2016-08-16 14:04:23 -0700 |
---|---|---|
committer | Laura Abbott <labbott@fedoraproject.org> | 2016-08-16 14:15:16 -0700 |
commit | 2edaf5a5bcc7108e5e444d9125659af9d429d3be (patch) | |
tree | 053666c5eb9ee44216dbf328036aa23bf0b37a56 | |
parent | 2eb64d83d9832089cad56248e7afb55e87a45c1b (diff) | |
download | kernel-2edaf5a5bcc7108e5e444d9125659af9d429d3be.tar.gz kernel-2edaf5a5bcc7108e5e444d9125659af9d429d3be.tar.xz kernel-2edaf5a5bcc7108e5e444d9125659af9d429d3be.zip |
Linux v4.6.7
-rw-r--r-- | kernel.spec | 13 | ||||
-rw-r--r-- | openstack_fix.patch | 53 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | tcp-enable-per-socket-rate-limiting-of-all-challenge.patch | 102 | ||||
-rw-r--r-- | tcp-make-challenge-acks-less-predictable.patch | 83 |
5 files changed, 62 insertions, 191 deletions
diff --git a/kernel.spec b/kernel.spec
index 408b8c2e7..ec57c4113 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -636,10 +636,6 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
 Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
 Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
-#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615
-Patch835: tcp-make-challenge-acks-less-predictable.patch
-Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
-
 # https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/A4YCP7OGMX6JLFT5V44H57GOMAQLC3M4/
 Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
 Patch837: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
@@ -651,6 +647,9 @@ Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
 Patch842: kvm-ppc-Book3S-HV-Pull-out-TM-state-save.patch
 Patch843: kvm-ppc-Book3S-HV-Save-restore-TM-state.patch
+#rhbz 1361414
+Patch844: openstack_fix.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2171,6 +2170,10 @@ fi
 #
 # %changelog
+* Tue Aug 16 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.7-200
+- Linux v4.6.7
+- Fix for crash seen with Open Stack (rhbz 1361414)
+
 * Fri Aug 11 2016 Laura Abbott <labbott@fedoraproject.org>
 - Bring in fixes from f24
 - Sync skylake hdaudio __unclaimed_reg WARN_ON fix with latest upstream version
diff --git a/openstack_fix.patch b/openstack_fix.patch
new file mode 100644
index 000000000..a967c350e
--- /dev/null
+++ b/openstack_fix.patch
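Review bot: The changelog entry added in the last hunk records only the v4.6.7 bump and the OpenStack fix, while the second hunk silently drops the two TCP challenge-ACK backports (Patch835 and Patch839, tagged CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615 in the removed comment). Presumably they are removed because the 4.6.7 stable update now carries both fixes, but the spec changelog is what downstream security tracking and errata tooling read, so the removal and its reason should be stated there, e.g. `- Drop tcp challenge ack patches, now in stable (CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615)`. If 4.6.7 does not in fact contain both upstream commits, dropping the patches here regresses the fix, so that should be verified against the stable changelog before pushing the build.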
@@ -0,0 +1,53 @@
+From 5ef9f289c4e698054e5687edb54f0da3cdc9173a Mon Sep 17 00:00:00 2001
+From: Ian Wienand <iwienand@redhat.com>
+Date: Wed, 3 Aug 2016 15:44:57 +1000
+Subject: OVS: Ignore negative headroom value
+
+net_device->ndo_set_rx_headroom (introduced in
+871b642adebe300be2e50aa5f65a418510f636ec) says
+
+ "Setting a negtaive value reset the rx headroom
+ to the default value".
+
+It seems that the OVS implementation in
+3a927bc7cf9d0fbe8f4a8189dd5f8440228f64e7 overlooked this and sets
+dev->needed_headroom unconditionally.
+
+This doesn't have an immediate effect, but can mess up later
+LL_RESERVED_SPACE calculations, such as done in
+net/ipv6/mcast.c:mld_newpack. For reference, this issue was found
+from a skb_panic raised there after the length calculations had given
+the wrong result.
+
+Note the other current users of this interface
+(drivers/net/tun.c:tun_set_headroom and
+drivers/net/veth.c:veth_set_rx_headroom) are both checking this
+correctly thus need no modification.
+
+Thanks to Ben for some pointers from the crash dumps!
+
+Cc: Benjamin Poirier <bpoirier@suse.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1361414
+Signed-off-by: Ian Wienand <iwienand@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/openvswitch/vport-internal_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 434e04c..95c3614 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -140,7 +140,7 @@ internal_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+ 
+ static void internal_set_rx_headroom(struct net_device *dev, int new_hr)
+ {
+- dev->needed_headroom = new_hr;
++ dev->needed_headroom = new_hr < 0 ? 0 : new_hr;
+ }
+ 
+ static const struct net_device_ops internal_dev_netdev_ops = {
+-- 
+cgit v0.12
+ 
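Review bot: The clamp `dev->needed_headroom = new_hr < 0 ? 0 : new_hr;` in internal_set_rx_headroom() hard-codes 0 as the "default", whereas the ndo_set_rx_headroom contract quoted in the description says a negative value resets the headroom to the default value; if internal_dev_setup() (outside this hunk) initialises needed_headroom to anything other than 0, this clamp overrides that default instead of restoring it, which is worth confirming before the backport ships. The description also never says what actually went wrong: presumably the negative int was converted into the narrower unsigned needed_headroom field and became a huge value that LL_RESERVED_SPACE() then trusted, which is the skb_panic in mld_newpack the description mentions. A one-line comment would spare the next reader that archaeology: `/* A negative new_hr means "reset to default"; never let it reach the unsigned needed_headroom field. */`. Since the stored value feeds later length calculations, it is also worth a note on whether an over-large positive value needs bounding, although the callers here are in-kernel and the value is inferred to come from the trusted master device.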
@@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
-84f23eb772635b1348d3ea7c5bd67930 patch-4.6.6.xz
+3fc1fcb7ef83c4ef4c05d8bd57e1b985 patch-4.6.7.xz
diff --git a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch b/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
deleted file mode 100644
index 0a5eab8aa..000000000
--- a/tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 8272c58d085e5611a7f839fa32e148ae62446375 Mon Sep 17 00:00:00 2001
-From: Jason Baron <jbaron@akamai.com>
-Date: Thu, 14 Jul 2016 11:38:40 -0400
-Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
-
-The per-socket rate limit for 'challenge acks' was introduced in the
-context of limiting ack loops:
-
-commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
-
-And I think it can be extended to rate limit all 'challenge acks' on a
-per-socket basis.
-
-Since we have the global tcp_challenge_ack_limit, this patch allows for
-tcp_challenge_ack_limit to be set to a large value and effectively rely on
-the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
-still prevents a single connections from consuming the entire challenge ack
-quota.
-
-It further moves in the direction of eliminating the global limit at some
-point, as Eric Dumazet has suggested. This a follow-up to:
-Subject: tcp: make challenge acks less predictable
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: David S. Miller <davem@davemloft.net>
-Cc: Neal Cardwell <ncardwell@google.com>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Jason Baron <jbaron@akamai.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
- 1 file changed, 22 insertions(+), 17 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 8c011359646b..796315104ad7 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3423,6 +3423,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
- return flag;
- }
- 
-+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
-+ u32 *last_oow_ack_time)
-+{
-+ if (*last_oow_ack_time) {
-+ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
-+
-+ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-+ NET_INC_STATS(net, mib_idx);
-+ return true; /* rate-limited: don't send yet! */
-+ }
-+ }
-+
-+ *last_oow_ack_time = tcp_time_stamp;
-+
-+ return false; /* not rate-limited: go ahead, send dupack now! */
-+}
-+
- /* Return true if we're currently rate-limiting out-of-window ACKs and
- * thus shouldn't send a dupack right now. We rate-limit dupacks in
- * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
-@@ -3436,21 +3453,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
- /* Data packets without SYNs are not likely part of an ACK loop. */
- if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
- !tcp_hdr(skb)->syn)
-- goto not_rate_limited;
--
-- if (*last_oow_ack_time) {
-- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
--
-- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-- NET_INC_STATS_BH(net, mib_idx);
-- return true; /* rate-limited: don't send yet! */
-- }
-- }
--
-- *last_oow_ack_time = tcp_time_stamp;
-+ return false;
- 
--not_rate_limited:
-- return false; /* not rate-limited: go ahead, send dupack now! */
-+ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
- }
- 
- /* RFC 5961 7 [ACK Throttling] */
-@@ -3463,9 +3468,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- u32 count, now;
- 
- /* First check our per-socket dupack rate limit. */
-- if (tcp_oow_rate_limited(sock_net(sk), skb,
-- LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-- &tp->last_oow_ack_time))
-+ if (__tcp_oow_rate_limited(sock_net(sk),
-+ LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-+ &tp->last_oow_ack_time))
- return;
- 
- /* Then check host-wide RFC 5961 rate limit. */
---
-2.7.4
-
diff --git a/tcp-make-challenge-acks-less-predictable.patch b/tcp-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index 992e4f522..000000000
--- a/tcp-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 771209218b9ec051a573b9fddc149682a534190e Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: [PATCH] tcp: make challenge acks less predictable
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Neal Cardwell <ncardwell@google.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Acked-by: Yuchung Cheng <ycheng@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/tcp_input.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index c124c3c12f7c..8c011359646b 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
- 
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
- 
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3460,7 +3460,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
- 
- /* First check our per-socket dupack rate limit. */
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3468,14 +3468,19 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- &tp->last_oow_ack_time))
- return;
- 
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
-+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
- }
---
-2.5.5
-
|