author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-11-15 18:56:33 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-11-15 18:56:33 +0100 |
commit | 43888731c5158f8322f36ca42657f30ad867a579 (patch) | |
tree | 5c72b9922cc0595caed3b5994ead0eeb07d87692 | |
parent | 718fa1a81b4f7cd9c0df7dbf35a6590e7a577a79 (diff) | |
parent | a0974068fe76f108a1f67373b04dfa6d66921c62 (diff) | |
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.8.8-100.vanilla.knurd.1.fc23
-rw-r--r-- | 0001-tcp-take-care-of-truncations-done-by-sk_filter.patch | 105 | ||||
-rw-r--r-- | kernel.spec | 15 | ||||
-rw-r--r-- | nouveau-add-maxwell-to-backlight-init.patch | 24 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 144 insertions, 2 deletions
diff --git a/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch b/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
new file mode 100644
index 000000000..1c9b2f022
--- /dev/null
+++ b/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
@@ -0,0 +1,105 @@
+From ac6e780070e30e4c35bd395acfe9191e6268bdd3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Nov 2016 13:12:35 -0800
+Subject: [PATCH] tcp: take care of truncations done by sk_filter()
+
+With syzkaller help, Marco Grassi found a bug in TCP stack,
+crashing in tcp_collapse()
+
+Root cause is that sk_filter() can truncate the incoming skb,
+but TCP stack was not really expecting this to happen.
+It probably was expecting a simple DROP or ACCEPT behavior.
+
+We first need to make sure no part of TCP header could be removed.
+Then we need to adjust TCP_SKB_CB(skb)->end_seq
+
+Many thanks to syzkaller team and Marco for giving us a reproducer.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Reported-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/tcp.h | 1 +
+ net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
+ net/ipv6/tcp_ipv6.c | 6 ++++--
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 304a8e1..123979f 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1220,6 +1220,7 @@ static inline void tcp_prequeue_init(struct tcp_sock *tp)
+ }
+
+ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb);
++int tcp_filter(struct sock *sk, struct sk_buff *skb);
+
+ #undef STATE_TRACE
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 61b7be3..2259114 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1564,6 +1564,21 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(tcp_prequeue);
+
++int tcp_filter(struct sock *sk, struct sk_buff *skb)
++{
++ struct tcphdr *th = (struct tcphdr *)skb->data;
++ unsigned int eaten = skb->len;
++ int err;
++
++ err = sk_filter_trim_cap(sk, skb, th->doff * 4);
++ if (!err) {
++ eaten -= skb->len;
++ TCP_SKB_CB(skb)->end_seq -= eaten;
++ }
++ return err;
++}
++EXPORT_SYMBOL(tcp_filter);
++
+ /*
+ * From tcp_input.c
+ */
+@@ -1676,8 +1691,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
+
+ nf_reset(skb);
+
+- if (sk_filter(sk, skb))
++ if (tcp_filter(sk, skb))
+ goto discard_and_relse;
++ th = (const struct tcphdr *)skb->data;
++ iph = ip_hdr(skb);
+
+ skb->dev = NULL;
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 6ca23c2..b9f1fee 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1229,7 +1229,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ if (skb->protocol == htons(ETH_P_IP))
+ return tcp_v4_do_rcv(sk, skb);
+
+- if (sk_filter(sk, skb))
++ if (tcp_filter(sk, skb))
+ goto discard;
+
+ /*
+@@ -1457,8 +1457,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+ if (tcp_v6_inbound_md5_hash(sk, skb))
+ goto discard_and_relse;
+
+- if (sk_filter(sk, skb))
++ if (tcp_filter(sk, skb))
+ goto discard_and_relse;
++ th = (const struct tcphdr *)skb->data;
++ hdr = ipv6_hdr(skb);
+
+ skb->dev = NULL;
+
+--
+2.7.4
+
diff --git a/kernel.spec b/kernel.spec
index d10600766..f7cebef2b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update}
@@ -654,6 +654,12 @@ Patch852: 0001-HID-input-ignore-System-Control-application-usages-i.patch #rhbz 1392885 Patch853: 0001-drm-i915-Refresh-that-status-of-MST-capable-connecto.patch +#rhbz 1390308 +Patch854: nouveau-add-maxwell-to-backlight-init.patch + +#CVE-2016-8645 rhbz 1393904 1393908 +Patch856: 0001-tcp-take-care-of-truncations-done-by-sk_filter.patch + # END OF PATCH DEFINITIONS %endif
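Review bot: tcp_filter(), added in the net/ipv4/tcp_ipv4.c part of 0001-tcp-take-care-of-truncations-done-by-sk_filter.patch, has no comment stating what it relies on. It casts skb->data to a tcphdr and passes `th->doff * 4` as the trim cap, which is only sound if the caller has already pulled and validated the whole TCP header; that validation is not visible in these hunks. I would put the contract above the function, e.g. `/* Caller must have validated th->doff and pulled the full TCP header; the cap keeps a socket filter from trimming into it, and end_seq is reduced by the bytes removed. */`. The tcp_v4_rcv and tcp_v6_rcv hunks reload th and iph/hdr after the call (presumably because trimming can move the data), but the tcp_v6_do_rcv hunk does not. Its body continues outside the hunk, so please confirm that no header pointer cached before the call is used afterwards.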
@@ -2179,6 +2185,13 @@ fi # # %changelog +* Tue Nov 15 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.8-100 +- Linux v4.8.8 +- Fix crash in tcp_collapse CVE-2016-8645 (rhbz 1393904 1393908) + +* Fri Nov 11 2016 Justin M. Forbes <jforbes@fedoraproject.org> +- Nouveau: Add Maxwell to backlight initialization (rhbz 1390308) + * Fri Nov 11 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.7-100 - Refresh status of MST capable connectors (rhbz 1392885)
diff --git a/nouveau-add-maxwell-to-backlight-init.patch b/nouveau-add-maxwell-to-backlight-init.patch
new file mode 100644
index 000000000..9d89069c1
--- /dev/null
+++ b/nouveau-add-maxwell-to-backlight-init.patch
@@ -0,0 +1,24 @@
+From bbe1f94a8b3f2e8622dd400a6827d3242005d951 Mon Sep 17 00:00:00 2001
+From: Faris Alsalama <farisbenbrahem@gmail.com>
+Date: Sat, 21 May 2016 14:41:43 -0400
+Subject: drm/nouveau/kms: add Maxwell to backlight initialization
+
+Signed-off-by: Faris Alsalama <farisbenbrahem@gmail.com>
+Acked-by: Acked-by: Pierre Moreau <pierre.morrow@free.fr>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_backlight.c b/drivers/gpu/drm/nouveau/nouveau_backlight.c
+index f5101be..5e2c568 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_backlight.c
++++ b/drivers/gpu/drm/nouveau/nouveau_backlight.c
+@@ -232,6 +232,7 @@ nouveau_backlight_init(struct drm_device *dev)
+ case NV_DEVICE_INFO_V0_TESLA:
+ case NV_DEVICE_INFO_V0_FERMI:
+ case NV_DEVICE_INFO_V0_KEPLER:
++ case NV_DEVICE_INFO_V0_MAXWELL:
+ return nv50_backlight_init(connector);
+ default:
+ break;
+--
+cgit v0.10.2
+
@@ -1,3 +1,3 @@
 c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz
 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz
-ad7cdae5329497d07582b31858516686 patch-4.8.7.xz
+38e85040e09193251766975d6fd30d08 patch-4.8.8.xz |