From 70963882b0662d901c07e82b3389df881ab7a924 Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Mon, 20 Feb 2017 09:48:03 -0800 Subject: Linux v4.9.11 Fix rt2800 warning (rhbz 1422969) --- ...sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch | 39 ---------- ip6_gre-fix-ip6gre_err-invalid-reads.patch | 91 ---------------------- ...-skb-dst-around-in-presence-of-IP-options.patch | 47 ----------- kernel.spec | 16 ++-- rt2800-warning.patch | 34 ++++++++ sources | 2 +- 6 files changed, 42 insertions(+), 187 deletions(-) delete mode 100644 0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch delete mode 100644 ip6_gre-fix-ip6gre_err-invalid-reads.patch delete mode 100644 ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch create mode 100644 rt2800-warning.patch diff --git a/0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch deleted file mode 100644 index 134e1ea39..000000000 --- a/0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 2dcab598484185dea7ec22219c76dcdd59e3cb90 Mon Sep 17 00:00:00 2001 -From: Marcelo Ricardo Leitner -Date: Mon, 6 Feb 2017 18:10:31 -0200 -Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf - -Alexander Popov reported that an application may trigger a BUG_ON in -sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is -waiting on it to queue more data and meanwhile another thread peels off -the association being used by the first thread. - -This patch replaces the BUG_ON call with a proper error handling. It -will return -EPIPE to the original sendmsg call, similarly to what would -have been done if the association wasn't found in the first place. - -Acked-by: Alexander Popov -Signed-off-by: Marcelo Ricardo Leitner -Reviewed-by: Xin Long -Signed-off-by: David S. Miller ---- - net/sctp/socket.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 37eeab7..e214d2e 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, - */ - release_sock(sk); - current_timeo = schedule_timeout(current_timeo); -- BUG_ON(sk != asoc->base.sk); -+ if (sk != asoc->base.sk) -+ goto do_error; - lock_sock(sk); - - *timeo_p = current_timeo; --- -2.9.3 - diff --git a/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/ip6_gre-fix-ip6gre_err-invalid-reads.patch deleted file mode 100644 index 756663c11..000000000 --- a/ip6_gre-fix-ip6gre_err-invalid-reads.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sat, 4 Feb 2017 23:18:55 -0800 -Subject: ip6_gre: fix ip6gre_err() invalid reads - -Andrey Konovalov reported out of bound accesses in ip6gre_err() - -If GRE flags contains GRE_KEY, the following expression -*(((__be32 *)p) + (grehlen / 4) - 1) - -accesses data ~40 bytes after the expected point, since -grehlen includes the size of IPv6 headers. - -Let's use a "struct gre_base_hdr *greh" pointer to make this -code more readable. - -p[1] becomes greh->protocol. -grhlen is the GRE header length. - -Fixes: c12b395a4664 ("gre: Support GRE over IPv6") -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++------------------- - 1 file changed, 21 insertions(+), 19 deletions(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 5586318..630b73b 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev) - - - static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, -- u8 type, u8 code, int offset, __be32 info) -+ u8 type, u8 code, int offset, __be32 info) - { -- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data; -- __be16 *p = (__be16 *)(skb->data + offset); -- int grehlen = offset + 4; -+ const struct gre_base_hdr *greh; -+ const struct ipv6hdr *ipv6h; -+ int grehlen = sizeof(*greh); - struct ip6_tnl *t; -+ int key_off = 0; - __be16 flags; -+ __be32 key; - -- flags = p[0]; -- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) { -- if (flags&(GRE_VERSION|GRE_ROUTING)) -- return; -- if (flags&GRE_KEY) { -- grehlen += 4; -- if (flags&GRE_CSUM) -- grehlen += 4; -- } -+ if (!pskb_may_pull(skb, offset + grehlen)) -+ return; -+ greh = (const struct gre_base_hdr *)(skb->data + offset); -+ flags = greh->flags; -+ if (flags & (GRE_VERSION | 
GRE_ROUTING)) -+ return; -+ if (flags & GRE_CSUM) -+ grehlen += 4; -+ if (flags & GRE_KEY) { -+ key_off = grehlen + offset; -+ grehlen += 4; - } - -- /* If only 8 bytes returned, keyed message will be dropped here */ -- if (!pskb_may_pull(skb, grehlen)) -+ if (!pskb_may_pull(skb, offset + grehlen)) - return; - ipv6h = (const struct ipv6hdr *)skb->data; -- p = (__be16 *)(skb->data + offset); -+ greh = (const struct gre_base_hdr *)(skb->data + offset); -+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0; - - t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr, -- flags & GRE_KEY ? -- *(((__be32 *)p) + (grehlen / 4) - 1) : 0, -- p[1]); -+ key, greh->protocol); - if (!t) - return; - --- -cgit v0.12 - diff --git a/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch b/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch deleted file mode 100644 index 821e3fce8..000000000 --- a/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 34b2cef20f19c87999fff3da4071e66937db9644 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sat, 4 Feb 2017 11:16:52 -0800 -Subject: [PATCH] ipv4: keep skb->dst around in presence of IP options - -Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst -is accessed. - -ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options -are present. - -We could refine the test to the presence of ts_needtime or srr, -but IP options are not often used, so let's be conservative. - -Thanks to syzkaller team for finding this bug. - -Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference") -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/ipv4/ip_sockglue.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 53ae0c6..9000117 100644 ---- a/net/ipv4/ip_sockglue.c -+++ b/net/ipv4/ip_sockglue.c -@@ -1238,7 +1238,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb) - pktinfo->ipi_ifindex = 0; - pktinfo->ipi_spec_dst.s_addr = 0; - } -- skb_dst_drop(skb); -+ /* We need to keep the dst for __ip_options_echo() -+ * We could restrict the test to opt.ts_needtime || opt.srr, -+ * but the following is good enough as IP options are not often used. -+ */ -+ if (unlikely(IPCB(skb)->opt.optlen)) -+ skb_dst_force(skb); -+ else -+ skb_dst_drop(skb); - } - - int ip_setsockopt(struct sock *sk, int level, --- -2.9.3 - diff --git a/kernel.spec b/kernel.spec index 81bb1596e..707f508f0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} 
@@ -636,21 +636,15 @@ Patch852: nouveau-add-maxwell-to-backlight-init.patch #CVE-2017-2596 rhbz 1417812 1417813 Patch855: kvm-fix-page-struct-leak-in-handle_vmon.patch -#CVE-2017-5897 rhbz 1419848 1419851 -Patch857: ip6_gre-fix-ip6gre_err-invalid-reads.patch - #rhbz 1417829 Patch858: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch Patch859: 2-2-media-dvb-usb-firmware-don-t-do-DMA-on-stack.patch -#rhbz 1420276 -Patch860: 0001-sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch - #rhbz 1415397 Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch -#CVE-2017-5970 rhbz 1421638 -Patch862: ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch +#rhbz 1422969 +Patch862: rt2800-warning.patch # END OF PATCH DEFINITIONS @@ -2181,6 +2175,10 @@ fi # # %changelog +* Mon Feb 20 2017 Laura Abbott - 4.9.11-100 +- Linux v4.9.11 +- Fix rt2800 warning (rhbz 1422969) + * Wed Feb 15 2017 Peter Robinson - Enable PWRSEQ_SIMPLE module (fixes rhbz 1377816) diff --git a/rt2800-warning.patch b/rt2800-warning.patch new file mode 100644 index 000000000..0e7a1fe0d --- /dev/null +++ b/rt2800-warning.patch 
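Review bot: The `@@ -636,21 +636,15 @@` hunk of kernel.spec drops the carried fixes tagged `#CVE-2017-5897` (Patch857) and `#CVE-2017-5970` (Patch862), along with the sctp BUG_ON fix (Patch860). The new `%changelog` entry records only `Linux v4.9.11` and the rt2800 fix, so nothing in the package says where those fixes now live. Presumably they are part of the 4.9.11 stable update; that should be confirmed against the stable changelog and recorded, for example `- Fixes for CVE-2017-5897 and CVE-2017-5970 are now included in the stable update`. Separately, `Patch862` is reused for `rt2800-warning.patch` after having named the CVE-2017-5970 fix, which makes the number ambiguous when reading history or backporting; an unused number such as `Patch863` would avoid that.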
@@ -0,0 +1,34 @@ +From feecb0cb466ba458f59640b4d59ecef1cd956b1f Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Fri, 13 Jan 2017 15:55:07 +0100 +Subject: rt2800: remove warning on bcn_num != rt2x00dev->intf_beaconing + +Since rt2800pci update beacon settings asynchronously from +tbtt tasklet, without beacon_skb_mutex protection, number of +currently active beacons entries can be different than +number pointed by rt2x00dev->intf_beaconing. Remove warning +about that inconsistency. + +Reported-by: evaxige@qq.com +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index ff047dc..f36bc9b 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -967,8 +967,6 @@ static void rt2800_update_beacons_setup(struct rt2x00_dev *rt2x00dev) + bcn_num++; + } + +- WARN_ON_ONCE(bcn_num != rt2x00dev->intf_beaconing); +- + rt2800_register_write(rt2x00dev, BCN_OFFSET0, (u32) reg); + rt2800_register_write(rt2x00dev, BCN_OFFSET1, (u32) (reg >> 32)); + +-- +cgit v0.12 + diff --git a/sources b/sources index 687327e58..d34f194b7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 -SHA512 (patch-4.9.10.xz) = 93958f4b932a46bbd9a122f52bf09b8c4b864b419a0774514baeb7dc83f11f55a5ba84f2e586a904dbfeeb7d976352e40670fbe2e32e25c35085ddf87e41b58d +SHA512 (patch-4.9.11.xz) = 7683628b011fa1462b5838301ebabc3eebaefcd50f65600be55bcf0102578ca07589c7683ef84b8d5300bd05795655fb21e1c145f5663d30593fc1801c163bc3 -- cgit
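Review bot: The carried patch removes `WARN_ON_ONCE(bcn_num != rt2x00dev->intf_beaconing)` from rt2800_update_beacons_setup() without adding any synchronization. Its own description says the tbtt tasklet updates beacon settings without beacon_skb_mutex protection, so the mismatch can still occur and only the diagnostic is gone. That is reasonable for silencing the warning in rhbz 1422969, but the spec comment above the patch entry should say so and name the upstream commit, so the patch is dropped on the rebase that contains it, for example `#rhbz 1422969 (upstream feecb0cb466b, removes the warning only)`. The function body starts and ends outside the embedded hunk, so whether the register writes tolerate a stale count cannot be judged from here.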