diff options
author | Tony Lambiris | 2017-03-13 12:23:24 -0400 |
---|---|---|
committer | Tony Lambiris | 2017-03-13 12:23:24 -0400 |
commit | 1c00d30fae794c263c9a5f274e5a704ab329343c (patch) | |
tree | fbb0fabd3da8b1e1375339b138365a09025d2402 | |
parent | abaa6b65dc79d454392d533f56608a6213e4ec84 (diff) | |
download | aur-1c00d30fae794c263c9a5f274e5a704ab329343c.tar.gz |
Update linux-macbook
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 | ||||
-rw-r--r-- | PKGBUILD | 13 | ||||
-rw-r--r-- | net_handle_no_dst_on_skb_in_icmp6_send.patch | 68 |
4 files changed, 9 insertions, 131 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-macbook - pkgver = 4.9.11 - pkgrel = 2 + pkgver = 4.9.14 + pkgrel = 1 url = https://www.kernel.org/ arch = i686 arch = x86_64 @@ -14,8 +14,8 @@ pkgbase = linux-macbook options = !strip source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.tar.xz source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.tar.sign - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.9.11.xz - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.9.11.sign + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.9.14.xz + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.9.14.sign source = config source = config.x86_64 source = 99-linux-macbook.hook @@ -26,12 +26,11 @@ pkgbase = linux-macbook source = poweroff-quirk-workaround.patch source = intel-pstate-backport.patch source = change-default-console-loglevel.patch - source = 0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E sha256sums = 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a sha256sums = SKIP - sha256sums = 23e773a670f3cac11a92c4e442405dea6d2c28fea0f914ea2ba4bea313c26541 + sha256sums = 056282412144bdb8bb1d33a5b22a5605ed836a8061dfd65926e25ba71119d518 sha256sums = SKIP sha256sums = 49ec194851a7f96fbeedddb6125bf51d0e73e949f28026dca0d9ff36fc4ce5ff sha256sums = 36fa6355b46655570838351a6f4b2a4904d4e1c550ce0b7a21aa5ebe1bad2d2d @@ -43,7 +42,6 @@ pkgbase = linux-macbook sha256sums = 24f914e16f5efd13608e835ded81b4da731798737a88228fb8684f6db80f7d2c sha256sums = c0a25b413bc542472868c63318213dfe788beeece750d15f7ff1568aca8968ec sha256sums = 1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99 - sha256sums = 85954ac18da9dc1bec5df28e2f097d13016e39fa9631074f85b6364af340fcd9 pkgname = linux-macbook pkgdesc = The Linux-macbook kernel and modules diff --git a/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch deleted file mode 100644 index 9adaf0b305f2..000000000000 --- a/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov <andreyknvl@google.com> -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov <andreyknvl@google.com> -Acked-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba347184bda9b3fe..8fedc2d497709b3d 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; --- -2.11.1 - @@ -5,8 +5,8 @@ pkgbase=linux-macbook _srcname=linux-4.9 -pkgver=4.9.11 -pkgrel=2 +pkgver=4.9.14 +pkgrel=1 arch=('i686' 'x86_64') url="https://www.kernel.org/" license=('GPL2') @@ -30,12 +30,11 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz" 'poweroff-quirk-workaround.patch' 'intel-pstate-backport.patch' 'change-default-console-loglevel.patch' - '0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch' ) sha256sums=('029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a' 'SKIP' - '23e773a670f3cac11a92c4e442405dea6d2c28fea0f914ea2ba4bea313c26541' + '056282412144bdb8bb1d33a5b22a5605ed836a8061dfd65926e25ba71119d518' 'SKIP' '49ec194851a7f96fbeedddb6125bf51d0e73e949f28026dca0d9ff36fc4ce5ff' '36fa6355b46655570838351a6f4b2a4904d4e1c550ce0b7a21aa5ebe1bad2d2d' @@ -46,8 +45,7 @@ sha256sums=('029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a' '896455ba219148e10c1fd19ec98f9871b384f9d0018598c1bb36ad7f3c8607c1' '24f914e16f5efd13608e835ded81b4da731798737a88228fb8684f6db80f7d2c' 'c0a25b413bc542472868c63318213dfe788beeece750d15f7ff1568aca8968ec' - '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' - '85954ac18da9dc1bec5df28e2f097d13016e39fa9631074f85b6364af340fcd9') + '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman @@ -61,9 +59,6 @@ prepare() { # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" - # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 - patch -p1 -i "${srcdir}/0001-dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch" - # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git diff --git a/net_handle_no_dst_on_skb_in_icmp6_send.patch b/net_handle_no_dst_on_skb_in_icmp6_send.patch deleted file mode 100644 index 06448a90affe..000000000000 --- a/net_handle_no_dst_on_skb_in_icmp6_send.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 Mon Sep 17 00:00:00 2001 -From: David Ahern <dsa@cumulusnetworks.com> -Date: Sun, 27 Nov 2016 18:52:53 -0800 -Subject: [PATCH] net: handle no dst on skb in icmp6_send - -Andrey reported the following while fuzzing the kernel with syzkaller: - -kasan: CONFIG_KASAN_INLINE enabled -kasan: GPF could be caused by NULL-ptr deref or user memory access -general protection fault: 0000 [#1] SMP KASAN -Modules linked in: -CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -task: ffff8800666d4200 task.stack: ffff880067348000 -RIP: 0010:[<ffffffff833617ec>] [<ffffffff833617ec>] -icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451 -RSP: 0018:ffff88006734f2c0 EFLAGS: 00010206 -RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000 -RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018 -RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003 -R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000 -R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0 -FS: 00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0 -Stack: - ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460 - ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046 - ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000 -Call Trace: - [<ffffffff83364ddc>] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557 - [< inline >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88 - [<ffffffff83394405>] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157 - [<ffffffff8339a759>] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663 - [<ffffffff832ee773>] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191 - ... - -icmp6_send / icmpv6_send is invoked for both rx and tx paths. In both -cases the dst->dev should be preferred for determining the L3 domain -if the dst has been set on the skb. Fallback to the skb->dev if it has -not. This covers the case reported here where icmp6_send is invoked on -Rx before the route lookup. - -Fixes: 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain") -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: David Ahern <dsa@cumulusnetworks.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/icmp.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c -index 7370ad2..2772004 100644 ---- a/net/ipv6/icmp.c -+++ b/net/ipv6/icmp.c -@@ -447,8 +447,10 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, - - if (__ipv6_addr_needs_scope_id(addr_type)) - iif = skb->dev->ifindex; -- else -- iif = l3mdev_master_ifindex(skb_dst(skb)->dev); -+ else { -+ dst = skb_dst(skb); -+ iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev); -+ } - - /* - * Must not send error if the source does not uniquely |