Disable debugging options.
This commit is contained in:
Justin M. Forbes
parent
52986814f7
commit
5053df0140
@ -1,73 +0,0 @@
|
||||
From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001
|
||||
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
|
||||
Date: Fri, 21 Apr 2017 23:14:48 +0200
|
||||
Subject: macsec: avoid heap overflow in skb_to_sgvec
|
||||
|
||||
While this may appear as a humdrum one line change, it's actually quite
|
||||
important. An sk_buff stores data in three places:
|
||||
|
||||
1. A linear chunk of allocated memory in skb->data. This is the easiest
|
||||
one to work with, but it precludes using scatterdata since the memory
|
||||
must be linear.
|
||||
2. The array skb_shinfo(skb)->frags, which is of maximum length
|
||||
MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
|
||||
can point to different pages.
|
||||
3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
|
||||
which in turn can have data in either (1) or (2).
|
||||
|
||||
The first two are rather easy to deal with, since they're of a fixed
|
||||
maximum length, while the third one is not, since there can be
|
||||
potentially limitless chains of fragments. Fortunately dealing with
|
||||
frag_list is opt-in for drivers, so drivers don't actually have to deal
|
||||
with this mess. For whatever reason, macsec decided it wanted pain, and
|
||||
so it explicitly specified NETIF_F_FRAGLIST.
|
||||
|
||||
Because dealing with (1), (2), and (3) is insane, most users of sk_buff
|
||||
doing any sort of crypto or paging operation calls a convenient function
|
||||
called skb_to_sgvec (which happens to be recursive if (3) is in use!).
|
||||
This takes a sk_buff as input, and writes into its output pointer an
|
||||
array of scattergather list items. Sometimes people like to declare a
|
||||
fixed size scattergather list on the stack; othertimes people like to
|
||||
allocate a fixed size scattergather list on the heap. However, if you're
|
||||
doing it in a fixed-size fashion, you really shouldn't be using
|
||||
NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
|
||||
frag_list children arent't shared and then you check the number of
|
||||
fragments in total required.)
|
||||
|
||||
Macsec specifically does this:
|
||||
|
||||
size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
|
||||
tmp = kmalloc(size, GFP_ATOMIC);
|
||||
*sg = (struct scatterlist *)(tmp + sg_offset);
|
||||
...
|
||||
sg_init_table(sg, MAX_SKB_FRAGS + 1);
|
||||
skb_to_sgvec(skb, sg, 0, skb->len);
|
||||
|
||||
Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
|
||||
using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
|
||||
overflow the heap, and disaster ensues.
|
||||
|
||||
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: security@kernel.org
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/macsec.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
|
||||
index ff0a5ed..dbab05a 100644
|
||||
--- a/drivers/net/macsec.c
|
||||
+++ b/drivers/net/macsec.c
|
||||
@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
|
||||
}
|
||||
|
||||
#define MACSEC_FEATURES \
|
||||
- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
|
||||
+ (NETIF_F_SG | NETIF_F_HIGHDMA)
|
||||
static struct lock_class_key macsec_netdev_addr_lock_key;
|
||||
|
||||
static int macsec_dev_init(struct net_device *dev)
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
From patchwork Thu Feb 9 18:16:00 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: drm/vc4: Fix OOPSes from trying to cache a partially constructed BO.
|
||||
From: Eric Anholt <eric@anholt.net>
|
||||
X-Patchwork-Id: 138087
|
||||
Message-Id: <20170209181600.24048-1-eric@anholt.net>
|
||||
To: dri-devel@lists.freedesktop.org
|
||||
Cc: linux-kernel@vger.kernel.org, pbrobinson@gmail.com
|
||||
Date: Thu, 9 Feb 2017 10:16:00 -0800
|
||||
|
||||
If a CMA allocation failed, the partially constructed BO would be
|
||||
unreferenced through the normal path, and we might choose to put it in
|
||||
the BO cache. If we then reused it before it expired from the cache,
|
||||
the kernel would OOPS.
|
||||
|
||||
Signed-off-by: Eric Anholt <eric@anholt.net>
|
||||
Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.")
|
||||
---
|
||||
drivers/gpu/drm/vc4/vc4_bo.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
|
||||
index 5ec14f25625d..fd83a2807656 100644
|
||||
--- a/drivers/gpu/drm/vc4/vc4_bo.c
|
||||
+++ b/drivers/gpu/drm/vc4/vc4_bo.c
|
||||
@@ -314,6 +314,14 @@ void vc4_free_object(struct drm_gem_object *gem_bo)
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ /* If this object was partially constructed but CMA allocation
|
||||
+ * had failed, just free it.
|
||||
+ */
|
||||
+ if (!bo->base.vaddr) {
|
||||
+ vc4_bo_destroy(bo);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
cache_list = vc4_get_cache_list_for_size(dev, gem_bo->size);
|
||||
if (!cache_list) {
|
||||
vc4_bo_destroy(bo);
|
||||
11
kernel.spec
11
kernel.spec
@ -125,7 +125,7 @@ Summary: The Linux kernel
|
||||
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
|
||||
# and 0 for rawhide (all kernels are debug kernels).
|
||||
# See also 'make debug' and 'make release'.
|
||||
%define debugbuildsenabled 0
|
||||
%define debugbuildsenabled 1
|
||||
|
||||
# Want to build a vanilla kernel build without any non-upstream patches?
|
||||
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
|
||||
@ -611,9 +611,6 @@ Patch310: qcom-msm89xx-fixes.patch
|
||||
# https://patchwork.kernel.org/patch/9831825/
|
||||
# https://patchwork.kernel.org/patch/9833721/
|
||||
|
||||
# http://www.spinics.net/lists/dri-devel/msg132235.html
|
||||
Patch320: bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch
|
||||
|
||||
# Fix USB on the RPi https://patchwork.kernel.org/patch/9879371/
|
||||
Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe.patch
|
||||
|
||||
@ -634,9 +631,6 @@ Patch335: arm-exynos-fix-usb3.patch
|
||||
|
||||
# 500 - Temp fixes/CVEs etc
|
||||
|
||||
# CVE-2017-7477 rhbz 1445207 1445208
|
||||
Patch502: CVE-2017-7477.patch
|
||||
|
||||
# rhbz 1498016 1498017
|
||||
#Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
|
||||
|
||||
@ -2217,6 +2211,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Nov 06 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Disable debugging options.
|
||||
|
||||
* Fri Nov 03 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.0-0.rc7.git4.1
|
||||
- Linux v4.14-rc7-129-g81ca2caefc6d
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user