From a5b5f8c65c832e46d54bdbc6afbf4bb60f9c6679 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 30 Aug 2016 09:42:20 -0500
Subject: [PATCH] Linux v4.8-rc4-119-ge4e98c4
---
 ...x-poll-issue-with-zero-sized-packets.patch | 73 -------------------
 gitrev | 2 +-
 kernel.spec | 13 ++--
 sources | 1 +
 ...er-free-in-tcp_xmit_retransmit_queue.patch | 46 ------------
 5 files changed, 7 insertions(+), 128 deletions(-)
 delete mode 100644 0001-udp-fix-poll-issue-with-zero-sized-packets.patch
 delete mode 100644 tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
diff --git a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch b/0001-udp-fix-poll-issue-with-zero-sized-packets.patch
deleted file mode 100644
index f5edf2340..000000000
--- a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 9f30f83eb6347afa6b1d1df1065608c2b4485e2b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 23 Aug 2016 13:59:33 -0700
-Subject: [PATCH] udp: fix poll() issue with zero sized packets
-
-Laura tracked poll() [and friends] regression caused by commit
-e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
-
-udp_poll() needs to know if there is a valid packet in receive queue,
-even if its payload length is 0.
-
-Change first_packet_length() to return an signed int, and use -1
-as the indication of an empty queue.
-
-Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
-Reported-by: Laura Abbott
-Signed-off-by: Eric Dumazet
-Tested-by: Laura Abbott
----
- net/ipv4/udp.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index e61f7cd..00d18c5 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1182,13 +1182,13 @@ out:
- * @sk: socket
- *
- * Drops all bad checksum frames, until a valid one is found.
-- * Returns the length of found skb, or 0 if none is found.
-+ * Returns the length of found skb, or -1 if none is found.
- */
--static unsigned int first_packet_length(struct sock *sk)
-+static int first_packet_length(struct sock *sk)
- {
- struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue;
- struct sk_buff *skb;
-- unsigned int res;
-+ int res;
-
- __skb_queue_head_init(&list_kill);
-
-@@ -1203,7 +1203,7 @@ static unsigned int first_packet_length(struct sock *sk)
- __skb_unlink(skb, rcvq);
- __skb_queue_tail(&list_kill, skb);
- }
-- res = skb ? skb->len : 0;
-+ res = skb ? 
skb->len : -1;
- spin_unlock_bh(&rcvq->lock);
-
- if (!skb_queue_empty(&list_kill)) {
-@@ -1232,7 +1232,7 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg)
-
- case SIOCINQ:
- {
-- unsigned int amount = first_packet_length(sk);
-+ int amount = max_t(int, 0, first_packet_length(sk));
-
- return put_user(amount, (int __user *)arg);
- }
-@@ -2184,7 +2184,7 @@ unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait)
-
- /* Check for false positives due to checksum errors */
- if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) &&
-- !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk))
-+ !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1)
- mask &= ~(POLLIN | POLLRDNORM);
-
- return mask;
---
-2.7.4
-
diff --git a/gitrev b/gitrev
index 1de9dedf3..166be3d1f 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-3eab887a55424fc2c27553b7bfe32330df83f7b8
+e4e98c460ad38c78498622a164fd5ef09a2dc9cb
diff --git a/kernel.spec b/kernel.spec
index 7bad296eb..ef7974cff 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 4
 # The git snapshot level
-%define gitrev 0
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -605,12 +605,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #rhbz 1200901 (There should be something better upstream at some point)
 Patch842: qxl-reapply-cursor-after-SetCrtc-calls.patch
-#CVE-2016-6828 rhbz 1367091,1367092
-Patch843: tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
-
-#rhbz 1365940
-Patch844: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch
-
 # From kernel list, currently in linux-next
 Patch845: HID-microsoft-Add-Surface-4-type-cover-pro-4-JP.patch
@@ -2156,6 +2150,9 @@ fi
 #
 #
 %changelog
+* Tue Aug 30 2016 Justin M. Forbes - 4.8.0-0.rc4.git1.1
+- Linux v4.8-rc4-119-ge4e98c4
+
 * Mon Aug 29 2016 Laura Abbott
 - Add event decoding fix (rhbz 1360688)
diff --git a/sources b/sources
index 85c85617d..dfd44b60e 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz
 fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz
 a0c0753ff460ff35ef9908ecc97fa943 patch-4.8-rc4.xz
+885fc3f5570fd07d2742dd75cb0c0aea patch-4.8-rc4-git1.xz
diff --git a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch b/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
deleted file mode 100644
index 36ada7acf..000000000
--- a/tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch
+++ /dev/null
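Review bot: The @@ -605 hunk drops Patch843 (tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch, tagged CVE-2016-6828 rhbz 1367091,1367092) and Patch844 (0001-udp-fix-poll-issue-with-zero-sized-packets.patch, rhbz 1365940), but neither the commit message nor the new %changelog entry in the @@ -2156 hunk records why. Presumably the v4.8-rc4-119 snapshot now carries both upstream fixes — the deleted patch files cite e6afc8ace6dd and 6859d49475d4 in their Fixes: tags, so that is plausible, but nothing on the page confirms it. Without a note, anyone auditing the CVE-2016-6828 status of this build has to diff the snapshot to find out, and the rhbz entries cannot be tied to the build that resolved them. I would add a line under the new changelog entry such as `- Drop tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.patch (CVE-2016-6828) and 0001-udp-fix-poll-issue-with-zero-sized-packets.patch, now in the upstream snapshot`, adjusted if the actual reason differs.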
@@ -1,46 +0,0 @@
-From: Eric Dumazet
-Date: 2016-08-17 12:56:26
-Subject: [PATCH net] tcp: fix use after free in tcp_xmit_retransmit_queue()
-
-When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
-tail of the write queue using tcp_add_write_queue_tail()
-
-Then it attempts to copy user data into this fresh skb.
-
-If the copy fails, we undo the work and remove the fresh skb.
-
-Unfortunately, this undo lacks the change done to tp->highest_sack and
-we can leave a dangling pointer (to a freed skb)
-
-Later, tcp_xmit_retransmit_queue() can dereference this pointer and
-access freed memory. For regular kernels where memory is not unmapped,
-this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
-returning garbage instead of tp->snd_nxt, but with various debug
-features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
-
-This bug was found by Marco Grassi thanks to syzkaller.
-
-Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
-Reported-by: Marco Grassi
-Signed-off-by: Eric Dumazet
-Cc: Ilpo Järvinen
-Cc: Yuchung Cheng
-Cc: Neal Cardwell
----
- include/net/tcp.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index c00e7d51bb18..7717302cab91 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
- {
- if (sk->sk_send_head == skb_unlinked)
- sk->sk_send_head = NULL;
-+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
-+ tcp_sk(sk)->highest_sack = NULL;
- }
-
- static inline void tcp_init_send_head(struct sock *sk)
-