summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@redhat.com>2016-08-30 09:42:20 -0500
committerJustin M. Forbes <jforbes@redhat.com>2016-08-30 09:42:20 -0500
commita5b5f8c65c832e46d54bdbc6afbf4bb60f9c6679 (patch)
tree9dc312242b51263d57b3c944d31999f03e7f67e7
parentaaaae68f00a2664a8fc49b8ecb8b0867b0c1bdad (diff)
downloadkernel-a5b5f8c65c832e46d54bdbc6afbf4bb60f9c6679.tar.gz
kernel-a5b5f8c65c832e46d54bdbc6afbf4bb60f9c6679.tar.xz
kernel-a5b5f8c65c832e46d54bdbc6afbf4bb60f9c6679.zip
Linux v4.8-rc4-119-ge4e98c4
-rw-r--r--0001-udp-fix-poll-issue-with-zero-sized-packets.patch73
-rw-r--r--gitrev2
-rw-r--r--kernel.spec13
-rw-r--r--sources1
-rw-r--r--tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch46
5 files changed, 7 insertions, 128 deletions
diff --git a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch b/0001-udp-fix-poll-issue-with-zero-sized-packets.patch
deleted file mode 100644
index f5edf2340..000000000
--- a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 9f30f83eb6347afa6b1d1df1065608c2b4485e2b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Tue, 23 Aug 2016 13:59:33 -0700
-Subject: [PATCH] udp: fix poll() issue with zero sized packets
-
-Laura tracked poll() [and friends] regression caused by commit
-e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
-
-udp_poll() needs to know if there is a valid packet in receive queue,
-even if its payload length is 0.
-
-Change first_packet_length() to return an signed int, and use -1
-as the indication of an empty queue.
-
-Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
-Reported-by: Laura Abbott <labbott@redhat.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Tested-by: Laura Abbott <labbott@redhat.com>
----
- net/ipv4/udp.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index e61f7cd..00d18c5 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1182,13 +1182,13 @@ out:
- * @sk: socket
- *
- * Drops all bad checksum frames, until a valid one is found.
-- * Returns the length of found skb, or 0 if none is found.
-+ * Returns the length of found skb, or -1 if none is found.
- */
--static unsigned int first_packet_length(struct sock *sk)
-+static int first_packet_length(struct sock *sk)
- {
- struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue;
- struct sk_buff *skb;
-- unsigned int res;
-+ int res;
-
- __skb_queue_head_init(&list_kill);
-
-@@ -1203,7 +1203,7 @@ static unsigned int first_packet_length(struct sock *sk)
- __skb_unlink(skb, rcvq);
- __skb_queue_tail(&list_kill, skb);
- }
-- res = skb ? skb->len : 0;
-+ res = skb ? skb->len : -1;
- spin_unlock_bh(&rcvq->lock);
-
- if (!skb_queue_empty(&list_kill)) {
-@@ -1232,7 +1232,7 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg)
-
- case SIOCINQ:
- {
-- unsigned int amount = first_packet_length(sk);
-+ int amount = max_t(int, 0, first_packet_length(sk));
-
- return put_user(amount, (int __user *)arg);
- }
-@@ -2184,7 +2184,7 @@ unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait)
-
- /* Check for false positives due to checksum errors */
- if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) &&
-- !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk))
-+ !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1)
- mask &= ~(POLLIN | POLLRDNORM);
-
- return mask;
---
-2.7.4
-
diff --git a/gitrev b/gitrev
index 1de9dedf3..166be3d1f 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-3eab887a55424fc2c27553b7bfe32330df83f7b8
+e4e98c460ad38c78498622a164fd5ef09a2dc9cb
diff --git a/kernel.spec b/kernel.spec
index 7bad296eb..ef7974cff 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 2
+%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 4
# The git snapshot level
-%define gitrev 0
+%define gitrev 1
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -605,12 +605,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
#rhbz 1200901 (There should be something better upstream at some point)
Patch842: qxl-reapply-cursor-after-SetCrtc-calls.patch
-#CVE-2016-6828 rhbz 1367091,1367092
-Patch843: tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
-
-#rhbz 1365940
-Patch844: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch
-
# From kernel list, currently in linux-next
Patch845: HID-microsoft-Add-Surface-4-type-cover-pro-4-JP.patch
@@ -2156,6 +2150,9 @@ fi
#
#
%changelog
+* Tue Aug 30 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.0-0.rc4.git1.1
+- Linux v4.8-rc4-119-ge4e98c4
+
* Mon Aug 29 2016 Laura Abbott <labbott@fedoraproject.org>
- Add event decoding fix (rhbz 1360688)
diff --git a/sources b/sources
index 85c85617d..dfd44b60e 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz
fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz
a0c0753ff460ff35ef9908ecc97fa943 patch-4.8-rc4.xz
+885fc3f5570fd07d2742dd75cb0c0aea patch-4.8-rc4-git1.xz
diff --git a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch b/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
deleted file mode 100644
index 36ada7acf..000000000
--- a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Eric Dumazet <edumazet@google.com>
-Date: 2016-08-17 12:56:26
-Subject: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
-
-When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
-tail of the write queue using tcp_add_write_queue_tail()
-
-Then it attempts to copy user data into this fresh skb.
-
-If the copy fails, we undo the work and remove the fresh skb.
-
-Unfortunately, this undo lacks the change done to tp->highest_sack and
-we can leave a dangling pointer (to a freed skb)
-
-Later, tcp_xmit_retransmit_queue() can dereference this pointer and
-access freed memory. For regular kernels where memory is not unmapped,
-this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
-returning garbage instead of tp->snd_nxt, but with various debug
-features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
-
-This bug was found by Marco Grassi thanks to syzkaller.
-
-Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
-Reported-by: Marco Grassi <marco.gra@gmail.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Neal Cardwell <ncardwell@google.com>
----
- include/net/tcp.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index c00e7d51bb18..7717302cab91 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
- {
- if (sk->sk_send_head == skb_unlinked)
- sk->sk_send_head = NULL;
-+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
-+ tcp_sk(sk)->highest_sack = NULL;
- }
-
- static inline void tcp_init_send_head(struct sock *sk)
-