author | Ben Hutchings <ben@decadent.org.uk> | 2017-02-26 20:01:39 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2017-02-26 20:01:39 +0000 |
commit | b1ab20d47d76269a567a0f1bfd333223fa4a97e9 (patch) | |
tree | 73f2ef2a3d4f7ec32d9cc338362fbd2fcb1e581f /releases | |
parent | 78864b38f8c2f24dbe7a910116ca0e5890a0cbb5 (diff) | |
Release 3.2.86
Diffstat (limited to 'releases')
5 files changed, 190 insertions, 0 deletions
diff --git a/releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch b/releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
new file mode 100644
index 00000000..3dedb32f
--- /dev/null
+++ b/releases/3.2.86/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
@@ -0,0 +1,44 @@
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 16 Feb 2017 17:22:46 +0100
+Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
+
+commit 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 upstream.
+
+In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
+is forcibly freed via __kfree_skb in dccp_rcv_state_process if
+dccp_v6_conn_request successfully returns.
+
+However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
+is saved to ireq->pktopts and the ref count for skb is incremented in
+dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
+in dccp_rcv_state_process.
+
+Fix by calling consume_skb instead of doing goto discard and therefore
+calling __kfree_skb.
+
+Similar fixes for TCP:
+
+fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
+0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
+simply consumed
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/dccp/input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/dccp/input.c
++++ b/net/dccp/input.c
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *
+ if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
+ skb) < 0)
+ return 1;
+- goto discard;
++ consume_skb(skb);
++ return 0;
+ }
+ if (dh->dccph_type == DCCP_PKT_RESET)
+ goto discard;
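Review bot: The new `consume_skb(skb); return 0;` path at the end of the inner hunk releases only this function's reference instead of force-freeing the skb, but the reason lives solely in the commit message; a one-line comment would stop the next reader from "simplifying" it back to `goto discard`. Suggest placing `/* conn_request() may have taken its own reference (e.g. ireq->pktopts); drop ours, do not force-free. */` above the `consume_skb()` call. dccp_rcv_state_process continues outside the hunk, so whether callers treat the new return 0 exactly like the old discard path cannot be confirmed from here.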
diff --git a/releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch b/releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
new file mode 100644
index 00000000..98fafb0f
--- /dev/null
+++ b/releases/3.2.86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
@@ -0,0 +1,62 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Mon, 12 Dec 2016 11:01:37 -0800
+Subject: kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
+
+commit ef85b67385436ddc1998f45f1d6a210f935b3388 upstream.
+
+When L2 exits to L0 due to "exception or NMI", software exceptions
+(#BP and #OF) for which L1 has requested an intercept should be
+handled by L1 rather than L0. Previously, only hardware exceptions
+were forwarded to L1.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/vmx.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -876,10 +876,10 @@ static inline bool nested_cpu_has_virtua
+ return vmcs12->pin_based_vm_exec_control & PIN_BASED_VIRTUAL_NMIS;
+ }
+
+-static inline bool is_exception(u32 intr_info)
++static inline bool is_nmi(u32 intr_info)
+ {
+ return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
+- == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
++ == (INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK);
+ }
+
+ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu);
+@@ -4225,7 +4225,7 @@ static int handle_exception(struct kvm_v
+ return 0;
+ }
+
+- if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR)
++ if (is_nmi(intr_info))
+ return 1; /* already handled by vmx_vcpu_run() */
+
+ if (is_no_device(intr_info)) {
+@@ -5773,7 +5773,7 @@ static bool nested_vmx_exit_handled(stru
+
+ switch (exit_reason) {
+ case EXIT_REASON_EXCEPTION_NMI:
+- if (!is_exception(intr_info))
++ if (is_nmi(intr_info))
+ return 0;
+ else if (is_page_fault(intr_info))
+ return enable_ept;
+@@ -5973,8 +5973,7 @@ static void vmx_complete_atomic_exit(str
+ kvm_machine_check();
+
+ /* We need to handle NMIs before interrupts are enabled */
+- if ((exit_intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR &&
+- (exit_intr_info & INTR_INFO_VALID_MASK)) {
++ if (is_nmi(exit_intr_info)) {
+ kvm_before_handle_nmi(&vmx->vcpu);
+ asm("int $2");
+ kvm_after_handle_nmi(&vmx->vcpu);
diff --git a/releases/3.2.86/series b/releases/3.2.86/series
new file mode 100644
index 00000000..a697280a
--- /dev/null
+++ b/releases/3.2.86/series
@@ -0,0 +1,4 @@
+kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
+usb-serial-kl5kusb105-fix-line-state-error-handling.patch
+dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
+tcp-avoid-infinite-loop-in-tcp_splice_read.patch
diff --git a/releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch b/releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
new file mode 100644
index 00000000..8246cedc
--- /dev/null
+++ b/releases/3.2.86/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
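Review bot: The renamed helper `is_nmi()` in the first vmx.c hunk has no comment, and its new callers now depend on it requiring INTR_INFO_VALID_MASK in addition to the NMI type; suggest `/* A valid NMI exit; any hardware or software exception does not match. */` above it. In handle_exception the old test did not check the valid bit while `is_nmi()` does, which looks harmless on an exception/NMI exit but is a behavioural difference the backport note does not mention. In nested_vmx_exit_handled the inverted test sends every valid non-NMI event, software exceptions included, on to the intercept checks that follow; that case continues outside the hunk, so the exception-bitmap decision itself cannot be confirmed here.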
@@ -0,0 +1,43 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 3 Feb 2017 14:59:38 -0800
+Subject: tcp: avoid infinite loop in tcp_splice_read()
+
+commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 upstream.
+
+Splicing from TCP socket is vulnerable when a packet with URG flag is
+received and stored into receive queue.
+
+__tcp_splice_read() returns 0, and sk_wait_data() immediately
+returns since there is the problematic skb in queue.
+
+This is a nice way to burn cpu (aka infinite loop) and trigger
+soft lockups.
+
+Again, this gem was found by syzkaller tool.
+
+Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/tcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -659,6 +659,12 @@ ssize_t tcp_splice_read(struct socket *s
+ ret = -EAGAIN;
+ break;
+ }
++ /* if __tcp_splice_read() got nothing while we have
++ * an skb in receive queue, we do not want to loop.
++ * This might happen with URG data.
++ */
++ if (!skb_queue_empty(&sk->sk_receive_queue))
++ break;
+ sk_wait_data(sk, &timeo);
+ if (signal_pending(current)) {
+ ret = sock_intr_errno(timeo);
diff --git a/releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
new file mode 100644
index 00000000..92bf9ea0
--- /dev/null
+++ b/releases/3.2.86/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
@@ -0,0 +1,37 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Jan 2017 12:05:37 +0100
+Subject: USB: serial: kl5kusb105: fix line-state error handling
+
+commit 146cc8a17a3b4996f6805ee5c080e7101277c410 upstream.
+
+The current implementation failed to detect short transfers when
+attempting to read the line state, and also, to make things worse,
+logged the content of the uninitialised heap transfer buffer.
+
+Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/serial/kl5kusb105.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/kl5kusb105.c
++++ b/drivers/usb/serial/kl5kusb105.c
+@@ -209,10 +209,11 @@ static int klsi_105_get_line_state(struc
+ status_buf, KLSI_STATUSBUF_LEN,
+ 10000
+ );
+- if (rc < 0)
+- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
+- rc);
+- else {
++ if (rc != KLSI_STATUSBUF_LEN) {
++ dev_err(&port->dev, "reading line status failed: %d\n", rc);
++ if (rc >= 0)
++ rc = -EIO;
++ } else {
+ status = get_unaligned_le16(status_buf);
+
+ dev_info(&port->serial->dev->dev, "read status %x %x", |