Hello community,

here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-06-12 15:11:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
 and      /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Mon Jun 12 15:11:57 2017 rev:367 rq:501788 version:4.11.4 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-05-31 12:12:10.076551223 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-06-12 15:12:00.081313592 +0200 
@@ -1,0 +2,80 @@ +Wed Jun 7 17:14:28 CEST 2017 - [email protected] + +- Linux 4.11.4 (CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 + CVE-2017-9076 CVE-2017-9077 CVE-2017-9211 CVE-2017-9242 + bnc#1012628 bsc#1038544 bsc#1039882 bsc#1039883 bsc#1039885 + bsc#1040069 bsc#1040389 bsc#1041431). +- Delete + patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks. +- Delete + patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch. +- Delete + patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch. +- Delete + patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch. +- Delete + patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch. +- Delete + patches.fixes/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch. +- Delete + patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch. +- commit cba98ee + +------------------------------------------------------------------- +Tue Jun 6 09:28:09 CEST 2017 - [email protected] + +- series.conf: better section label (networking core) +- commit 3a35823 + +------------------------------------------------------------------- +Tue Jun 6 09:24:50 CEST 2017 - [email protected] + +- ipv6: fix out of bound writes in __ip6_append_data() + (CVE-2017-9242 bsc#1041431). +- commit 26cd5c8 + +------------------------------------------------------------------- +Mon Jun 5 22:18:27 CEST 2017 - [email protected] + +- drm/vmwgfx: limit the number of mip levels in + vmw_gb_surface_define_ioctl() (CVE-2017-7346 bsc#1031796). +- commit dfa88a5 + +------------------------------------------------------------------- +Mon Jun 5 13:54:42 CEST 2017 - [email protected] + +- Update + patches.fixes/0001-SUNRPC-Refactor-svc_set_num_threads.patch + (bsc#1039674 CVE-2017-9059). +- Update + patches.fixes/0002-NFSv4-Fix-callback-server-shutdown.patch + (bsc#1039674 CVE-2017-9059). + Fix References tags. 
+- commit bf7afe3 + +------------------------------------------------------------------- +Tue May 30 21:53:42 CEST 2017 - [email protected] + +- Refresh + patches.drivers/e1000e-Don-t-return-uninitialized-stats.patch. + Fix incorrect tag. +- commit 7bbd095 + +------------------------------------------------------------------- +Mon May 29 02:20:12 CEST 2017 - [email protected] + +- NFSv4: Fix callback server shutdown (bsc#1039675, + CVS#2017-9059). +- SUNRPC: Refactor svc_set_num_threads() (bsc#1039675, + CVS#2017-9059). +- commit 596757c + +------------------------------------------------------------------- +Fri May 26 10:38:38 CEST 2017 - [email protected] + +- config: arm64: Make PINCTRL_SINGLE built-in + This fixes serial console on the HiKey board (bsc#1040492). + (cherry picked from commit 02f57029be80cfec078617f5dbb4022ea5931ac3) +- commit 36186ce + +------------------------------------------------------------------- dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.309471660 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.313471095 +0200 @@ -17,7 +17,7 @@ %define srcversion 4.11 -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros 
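Review bot: the May 29 entry in the dtb-aarch64.changes hunk tags both NFS patches with "CVS#2017-9059" and bsc#1039675, while the Jun 5 entry for the same two patch files records them as retagged to bsc#1039674 CVE-2017-9059, so the earlier changelog text keeps a misspelled CVE identifier and a different bug number; since .changes history is append-only, a short follow-up line saying the May 29 references were corrected would let anyone grepping the changelog for CVE-2017-9059 or bsc#1039674 find that entry too.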
@@ -29,9 +29,9 @@ %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,find-provides,find-requires,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb}) Name: dtb-aarch64 -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.397459244 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.401458680 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.473448522 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.477447958 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -42,9 +42,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.497445136 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.501444572 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %define vanilla_only 0 
@@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.525441186 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.529440621 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %define vanilla_only 0 @@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.553437235 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.557436671 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.577433850 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.581433285 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %define vanilla_only 0 
@@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.601430464 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.601430464 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.621427642 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.625427078 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.11.3 +Version: 4.11.4 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:27.649423692 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:27.649423692 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.3 +%define patchversion 4.11.4 %define variant %{nil} %define vanilla_only 0 
@@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.11.3 +Version: 4.11.4 %if 0%{?is_kotd} -Release: <RELEASE>.g7262353 +Release: <RELEASE>.gcba98ee %else Release: 0 %endif kernel-vanilla.spec: same change ++++++ config.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/arm64/default new/config/arm64/default --- old/config/arm64/default 2017-05-10 18:29:51.000000000 +0200 +++ new/config/arm64/default 2017-05-30 18:47:26.000000000 +0200 @@ -3902,7 +3902,7 @@ CONFIG_PINCTRL_AMD=m CONFIG_PINCTRL_MESON=y CONFIG_PINCTRL_ROCKCHIP=y -CONFIG_PINCTRL_SINGLE=m +CONFIG_PINCTRL_SINGLE=y CONFIG_PINCTRL_SX150X=y CONFIG_PINCTRL_BCM2835=y CONFIG_PINCTRL_IPROC_GPIO=y ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/e1000e-Don-t-return-uninitialized-stats.patch new/patches.drivers/e1000e-Don-t-return-uninitialized-stats.patch --- old/patches.drivers/e1000e-Don-t-return-uninitialized-stats.patch 2017-05-12 13:27:18.000000000 +0200 +++ new/patches.drivers/e1000e-Don-t-return-uninitialized-stats.patch 2017-05-30 21:54:30.000000000 +0200 @@ -1,9 +1,7 @@ 
From: Benjamin Poirier <[email protected]> Date: Fri, 21 Apr 2017 09:51:31 -0700 Subject: e1000e: Don't return uninitialized stats -Patch-mainline: Queued in subsystem maintainer repository -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git -Git-commit: 47b311d9d6cc72ab208d757ad2071e927040c7d5 +Patch-mainline: Submitted, http://patchwork.ozlabs.org/patch/763759/ References: bug#1034635 Some statistics passed to ethtool are garbage because e1000e_get_stats64() ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0001-SUNRPC-Refactor-svc_set_num_threads.patch new/patches.fixes/0001-SUNRPC-Refactor-svc_set_num_threads.patch --- old/patches.fixes/0001-SUNRPC-Refactor-svc_set_num_threads.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/0001-SUNRPC-Refactor-svc_set_num_threads.patch 2017-06-07 17:14:28.000000000 +0200 
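Review bot: the retained "References: bug#1034635" line in the e1000e patch header uses a "bug#" prefix, whereas every other patch in this submission uses "bsc#" (bsc#1039674, bsc#1031796, bsc#1038544, ...); since this refresh already rewrites the header to replace the "Queued in subsystem maintainer repository" Patch-mainline line and drop the Git-repo and Git-commit lines (matching the changelog's "Fix incorrect tag"), fix the prefix in the same change so that tooling which extracts bsc# references from patch headers picks this bug up.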
@@ -0,0 +1,155 @@ +From: Trond Myklebust <[email protected]> +Date: Wed, 26 Apr 2017 11:55:26 -0400 +Subject: [PATCH] SUNRPC: Refactor svc_set_num_threads() +Git-commit: 9e0d87680d689f1758185851c3da6eafb16e71e1 +Patch-mainline: v4.12 +References: bsc#1039674 CVE-2017-9059 + +Refactor to separate out the functions of starting and stopping threads +so that they can be used in other helpers. + +Signed-off-by: Trond Myklebust <[email protected]> +Tested-and-reviewed-by: Kinglong Mee <[email protected]> +Signed-off-by: J. Bruce Fields <[email protected]> +Acked-by: NeilBrown <[email protected]> + +--- + net/sunrpc/svc.c | 96 +++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 58 insertions(+), 38 deletions(-) + +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -702,59 +702,32 @@ found_pool: + return task; + } + +-/* +- * Create or destroy enough new threads to make the number +- * of threads the given number. If `pool' is non-NULL, applies +- * only to threads in that pool, otherwise round-robins between +- * all pools. Caller must ensure that mutual exclusion between this and +- * server startup or shutdown. +- * +- * Destroying threads relies on the service threads filling in +- * rqstp->rq_task, which only the nfs ones do. Assumes the serv +- * has been created using svc_create_pooled(). +- * +- * Based on code that used to be in nfsd_svc() but tweaked +- * to be pool-aware. 
+- */ +-int +-svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) ++/* create new threads */ ++static int ++svc_start_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) + { + struct svc_rqst *rqstp; + struct task_struct *task; + struct svc_pool *chosen_pool; +- int error = 0; + unsigned int state = serv->sv_nrthreads-1; + int node; + +- if (pool == NULL) { +- /* The -1 assumes caller has done a svc_get() */ +- nrservs -= (serv->sv_nrthreads-1); +- } else { +- spin_lock_bh(&pool->sp_lock); +- nrservs -= pool->sp_nrthreads; +- spin_unlock_bh(&pool->sp_lock); +- } +- +- /* create new threads */ +- while (nrservs > 0) { ++ do { + nrservs--; + chosen_pool = choose_pool(serv, pool, &state); + + node = svc_pool_map_get_node(chosen_pool->sp_id); + rqstp = svc_prepare_thread(serv, chosen_pool, node); +- if (IS_ERR(rqstp)) { +- error = PTR_ERR(rqstp); +- break; +- } ++ if (IS_ERR(rqstp)) ++ return PTR_ERR(rqstp); + + __module_get(serv->sv_ops->svo_module); + task = kthread_create_on_node(serv->sv_ops->svo_function, rqstp, + node, "%s", serv->sv_name); + if (IS_ERR(task)) { +- error = PTR_ERR(task); + module_put(serv->sv_ops->svo_module); + svc_exit_thread(rqstp); +- break; ++ return PTR_ERR(task); + } + + rqstp->rq_task = task; +@@ -763,15 +736,62 @@ svc_set_num_threads(struct svc_serv *ser + + svc_sock_update_bufs(serv); + wake_up_process(task); +- } ++ } while (nrservs > 0); ++ ++ return 0; ++} ++ ++ ++/* destroy old threads */ ++static int ++svc_signal_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) ++{ ++ struct task_struct *task; ++ unsigned int state = serv->sv_nrthreads-1; ++ + /* destroy old threads */ +- while (nrservs < 0 && +- (task = choose_victim(serv, pool, &state)) != NULL) { ++ do { ++ task = choose_victim(serv, pool, &state); ++ if (task == NULL) ++ break; + send_sig(SIGINT, task, 1); + nrservs++; ++ } while (nrservs < 0); ++ ++ return 0; ++} ++ ++/* ++ * Create or destroy enough new threads to 
make the number ++ * of threads the given number. If `pool' is non-NULL, applies ++ * only to threads in that pool, otherwise round-robins between ++ * all pools. Caller must ensure that mutual exclusion between this and ++ * server startup or shutdown. ++ * ++ * Destroying threads relies on the service threads filling in ++ * rqstp->rq_task, which only the nfs ones do. Assumes the serv ++ * has been created using svc_create_pooled(). ++ * ++ * Based on code that used to be in nfsd_svc() but tweaked ++ * to be pool-aware. ++ */ ++int ++svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) ++{ ++ if (pool == NULL) { ++ /* The -1 assumes caller has done a svc_get() */ ++ nrservs -= (serv->sv_nrthreads-1); ++ } else { ++ spin_lock_bh(&pool->sp_lock); ++ nrservs -= pool->sp_nrthreads; ++ spin_unlock_bh(&pool->sp_lock); + } + +- return error; ++ if (nrservs > 0) ++ return svc_start_kthreads(serv, pool, nrservs); ++ if (nrservs < 0) ++ return svc_signal_kthreads(serv, pool, nrservs); ++ return 0; + } + EXPORT_SYMBOL_GPL(svc_set_num_threads); + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0002-NFSv4-Fix-callback-server-shutdown.patch new/patches.fixes/0002-NFSv4-Fix-callback-server-shutdown.patch --- old/patches.fixes/0002-NFSv4-Fix-callback-server-shutdown.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/0002-NFSv4-Fix-callback-server-shutdown.patch 2017-06-07 17:14:28.000000000 +0200 
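Review bot: the refactored svc_start_kthreads() and svc_signal_kthreads() use do { ... } while loops, so each creates or signals at least one thread regardless of the nrservs value passed in; that is only correct because the sole caller, svc_set_num_threads(), dispatches to them after checking nrservs > 0 or nrservs < 0, and a future caller passing 0 would still start or kill a thread. A one-line comment above each helper (or a WARN_ON on the sign of nrservs) would make that precondition explicit. Minor: svc_signal_kthreads() always returns 0, so its int return type is vestigial, and the "/* destroy old threads */" comment now appears both above the function and inside it.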
@@ -0,0 +1,150 @@ +From: Trond Myklebust <[email protected]> +Date: Wed, 26 Apr 2017 11:55:27 -0400 +Subject: [PATCH] NFSv4: Fix callback server shutdown +Git-commit: ed6473ddc704a2005b9900ca08e236ebb2d8540a +Patch-mainline: v4.12 +References: bsc#1039674 CVE-2017-9059 + +We want to use kthread_stop() in order to ensure the threads are +shut down before we tear down the nfs_callback_info in nfs_callback_down. + +Tested-and-reviewed-by: Kinglong Mee <[email protected]> +Reported-by: Kinglong Mee <[email protected]> +Fixes: bb6aeba736ba9 ("NFSv4.x: Switch to using svc_set_num_threads()...") +Signed-off-by: Trond Myklebust <[email protected]> +Signed-off-by: J. Bruce Fields <[email protected]> +Acked-by: NeilBrown <[email protected]> + +--- + fs/nfs/callback.c | 24 ++++++++++++++++-------- + include/linux/sunrpc/svc.h | 1 + + net/sunrpc/svc.c | 38 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 55 insertions(+), 8 deletions(-) + +--- a/fs/nfs/callback.c ++++ b/fs/nfs/callback.c +@@ -76,7 +76,10 @@ nfs4_callback_svc(void *vrqstp) + + set_freezable(); + +- while (!kthread_should_stop()) { ++ while (!kthread_freezable_should_stop(NULL)) { ++ ++ if (signal_pending(current)) ++ flush_signals(current); + /* + * Listen for a request on the socket + */ +@@ -85,6 +88,8 @@ nfs4_callback_svc(void *vrqstp) + continue; + svc_process(rqstp); + } ++ svc_exit_thread(rqstp); ++ module_put_and_exit(0); + return 0; + } + +@@ -103,9 +108,10 @@ nfs41_callback_svc(void *vrqstp) + + set_freezable(); + +- while (!kthread_should_stop()) { +- if (try_to_freeze()) +- continue; ++ while (!kthread_freezable_should_stop(NULL)) { ++ ++ if (signal_pending(current)) ++ flush_signals(current); + + prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE); + spin_lock_bh(&serv->sv_cb_lock); +@@ -121,11 +127,13 @@ nfs41_callback_svc(void *vrqstp) + error); + } else { + spin_unlock_bh(&serv->sv_cb_lock); +- schedule(); ++ if (!kthread_should_stop()) ++ schedule(); + 
finish_wait(&serv->sv_cb_waitq, &wq); + } +- flush_signals(current); + } ++ svc_exit_thread(rqstp); ++ module_put_and_exit(0); + return 0; + } + +@@ -221,14 +229,14 @@ err_bind: + static struct svc_serv_ops nfs40_cb_sv_ops = { + .svo_function = nfs4_callback_svc, + .svo_enqueue_xprt = svc_xprt_do_enqueue, +- .svo_setup = svc_set_num_threads, ++ .svo_setup = svc_set_num_threads_sync, + .svo_module = THIS_MODULE, + }; + #if defined(CONFIG_NFS_V4_1) + static struct svc_serv_ops nfs41_cb_sv_ops = { + .svo_function = nfs41_callback_svc, + .svo_enqueue_xprt = svc_xprt_do_enqueue, +- .svo_setup = svc_set_num_threads, ++ .svo_setup = svc_set_num_threads_sync, + .svo_module = THIS_MODULE, + }; + +--- a/include/linux/sunrpc/svc.h ++++ b/include/linux/sunrpc/svc.h +@@ -474,6 +474,7 @@ void svc_pool_map_put(void); + struct svc_serv * svc_create_pooled(struct svc_program *, unsigned int, + struct svc_serv_ops *); + int svc_set_num_threads(struct svc_serv *, struct svc_pool *, int); ++int svc_set_num_threads_sync(struct svc_serv *, struct svc_pool *, int); + int svc_pool_stats_open(struct svc_serv *serv, struct file *file); + void svc_destroy(struct svc_serv *); + void svc_shutdown_net(struct svc_serv *, struct net *); +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -795,6 +795,44 @@ svc_set_num_threads(struct svc_serv *ser + } + EXPORT_SYMBOL_GPL(svc_set_num_threads); + ++/* destroy old threads */ ++static int ++svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs) ++{ ++ struct task_struct *task; ++ unsigned int state = serv->sv_nrthreads-1; ++ ++ /* destroy old threads */ ++ do { ++ task = choose_victim(serv, pool, &state); ++ if (task == NULL) ++ break; ++ kthread_stop(task); ++ nrservs++; ++ } while (nrservs < 0); ++ return 0; ++} ++ ++int ++svc_set_num_threads_sync(struct svc_serv *serv, struct svc_pool *pool, int nrservs) ++{ ++ if (pool == NULL) { ++ /* The -1 assumes caller has done a svc_get() */ ++ nrservs -= (serv->sv_nrthreads-1); ++ } 
else { ++ spin_lock_bh(&pool->sp_lock); ++ nrservs -= pool->sp_nrthreads; ++ spin_unlock_bh(&pool->sp_lock); ++ } ++ ++ if (nrservs > 0) ++ return svc_start_kthreads(serv, pool, nrservs); ++ if (nrservs < 0) ++ return svc_stop_kthreads(serv, pool, nrservs); ++ return 0; ++} ++EXPORT_SYMBOL_GPL(svc_set_num_threads_sync); ++ + /* + * Called from a server thread as it's exiting. Caller must hold the "service + * mutex" for the service. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks new/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks --- old/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks 2017-05-25 19:55:04.000000000 +0200 +++ new/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks 1970-01-01 01:00:00.000000000 +0100 
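Review bot: svc_stop_kthreads() calls kthread_stop(task), which blocks until the callback thread exits, and the exiting thread now calls svc_exit_thread() itself (added at the end of nfs4_callback_svc and nfs41_callback_svc); the comment on svc_exit_thread() in the trailing context says the caller must hold the "service mutex" for the service, so it is worth stating in the commit message which lock the caller of svc_set_num_threads_sync() holds while waiting, and that the exiting thread does not need the same one, otherwise the synchronous stop would deadlock. Also, svc_stop_kthreads() duplicates svc_signal_kthreads() from the previous patch line for line except for kthread_stop() replacing send_sig(SIGINT, ...); a shared helper taking the stop action as a callback would keep the two from drifting apart.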
@@ -1,77 +0,0 @@ -From 9933e113c2e87a9f46a40fde8dafbf801dca1ab9 Mon Sep 17 00:00:00 2001 -From: Herbert Xu <[email protected]> -Date: Wed, 10 May 2017 03:48:23 +0800 -Subject: [PATCH] crypto: skcipher - Add missing API setkey checks -Git-commit: 9933e113c2e87a9f46a40fde8dafbf801dca1ab9 -Patch-mainline: 4.12-rc3 -References: bsc#1040389,CVE-2017-9211 - -The API setkey checks for key sizes and alignment went AWOL during the -skcipher conversion. This patch restores them. - -Cc: <[email protected]> -Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...") -Reported-by: Baozeng <[email protected]> -Signed-off-by: Herbert Xu <[email protected]> -Acked-by: Takashi Iwai <[email protected]> - ---- - crypto/skcipher.c | 40 +++++++++++++++++++++++++++++++++++++++- - 1 file changed, 39 insertions(+), 1 deletion(-) - ---- a/crypto/skcipher.c -+++ b/crypto/skcipher.c -@@ -764,6 +764,44 @@ static int crypto_init_skcipher_ops_ablk - return 0; - } - -+static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm, -+ const u8 *key, unsigned int keylen) -+{ -+ unsigned long alignmask = crypto_skcipher_alignmask(tfm); -+ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm); -+ u8 *buffer, *alignbuffer; -+ unsigned long absize; -+ int ret; -+ -+ absize = keylen + alignmask; -+ buffer = kmalloc(absize, GFP_ATOMIC); -+ if (!buffer) -+ return -ENOMEM; -+ -+ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); -+ memcpy(alignbuffer, key, keylen); -+ ret = cipher->setkey(tfm, alignbuffer, keylen); -+ kzfree(buffer); -+ return ret; -+} -+ -+static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key, -+ unsigned int keylen) -+{ -+ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm); -+ unsigned long alignmask = crypto_skcipher_alignmask(tfm); -+ -+ if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) { -+ crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); -+ return -EINVAL; -+ } -+ -+ if ((unsigned long)key & alignmask) -+ 
return skcipher_setkey_unaligned(tfm, key, keylen); -+ -+ return cipher->setkey(tfm, key, keylen); -+} -+ - static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm) - { - struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm); -@@ -784,7 +822,7 @@ static int crypto_skcipher_init_tfm(stru - tfm->__crt_alg->cra_type == &crypto_givcipher_type) - return crypto_init_skcipher_ops_ablkcipher(tfm); - -- skcipher->setkey = alg->setkey; -+ skcipher->setkey = skcipher_setkey; - skcipher->encrypt = alg->encrypt; - skcipher->decrypt = alg->decrypt; - skcipher->ivsize = alg->ivsize; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch new/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch --- old/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200 +++ new/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100 
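Review bot: deleting the crypto-skcipher-Add-missing-API-setkey-checks patch is consistent with the 4.11.4 changelog entry, which lists CVE-2017-9211 (the CVE this patch carried in its References tag) among the fixes picked up by the stable update; the same check applies to the other deletions in this submission, whose References tags (CVE-2017-8890, CVE-2017-9074) also appear in that entry. Before merging, confirm that the stable 4.11.4 tree actually contains the upstream commits named in each deleted header (for example 9933e113c2e8 here), since the changelog entry is the only evidence on this page that the fixes did not simply disappear.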
@@ -1,45 +0,0 @@ -From: Eric Dumazet <[email protected]> -Date: Tue, 9 May 2017 06:29:19 -0700 -Subject: dccp/tcp: do not inherit mc_list from parent -Patch-mainline: v4.12-rc1 -Git-commit: 657831ffc38e30092a2d5f03d385d710eb88b09a -References: CVE-2017-8890 bsc#1038544 - -syzkaller found a way to trigger double frees from ip_mc_drop_socket() - -It turns out that leave a copy of parent mc_list at accept() time, -which is very bad. - -Very similar to commit 8b485ce69876 ("tcp: do not inherit -fastopen_req from parent") - -Initial report from Pray3r, completed by Andrey one. -Thanks a lot to them ! - -Signed-off-by: Eric Dumazet <[email protected]> -Reported-by: Pray3r <[email protected]> -Reported-by: Andrey Konovalov <[email protected]> -Tested-by: Andrey Konovalov <[email protected]> -Signed-off-by: David S. Miller <[email protected]> -Acked-by: Michal Kubecek <[email protected]> - ---- - net/ipv4/inet_connection_sock.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index 5e313c1ac94f..1054d330bf9d 100644 ---- a/net/ipv4/inet_connection_sock.c -+++ b/net/ipv4/inet_connection_sock.c -@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, - /* listeners have SOCK_RCU_FREE, not the children */ - sock_reset_flag(newsk, SOCK_RCU_FREE); - -+ inet_sk(newsk)->mc_list = NULL; -+ - newsk->sk_mark = inet_rsk(req)->ir_mark; - atomic64_set(&newsk->sk_cookie, - atomic64_read(&inet_rsk(req)->ir_cookie)); --- -2.13.0 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch new/patches.fixes/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch --- old/patches.fixes/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch 2017-06-07 17:14:28.000000000 
+0200 
@@ -0,0 +1,42 @@ +From 032018df0351f6d3f138d1e7ebcd95bebc47828c Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <[email protected]> +Date: Fri, 2 Jun 2017 07:42:09 +0200 +Subject: [PATCH] drm/vmwgfx: limit the number of mip levels in + vmw_gb_surface_define_ioctl() + +Git-commit: b3853a7a95888646e1246f85625477c50084e1f4 +Git-repo: git://people.freedesktop.org/~thomash/linux +Patch-mainline: Queued in subsystem maintainer repository +References: CVE-2017-7346 bsc#1031796 + +The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is +a user-controlled 'uint32_t' value which is used as a loop count limit. +This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1437431 + +Cc: <[email protected]> +Signed-off-by: Vladis Dronov <[email protected]> +Reviewed-by: Sinclair Yeh <[email protected]> +Signed-off-by: Patrik Jakobsson <[email protected]> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index 05fa092c942b..6fed5a8da005 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct drm_device *dev, void *data, + if (req->multisample_count != 0) + return -EINVAL; + ++ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS) ++ return -EINVAL; ++ + if (unlikely(vmw_user_surface_size == 0)) + vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) + + 128; +-- +2.13.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch new/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch --- old/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch 2017-05-25 19:55:04.000000000 +0200 +++ 
new/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch 1970-01-01 01:00:00.000000000 +0100 
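Review bot: the new vmwgfx check compares req->mip_levels against DRM_VMW_MAX_MIP_LEVELS, but the patch only touches drivers/gpu/drm/vmwgfx/vmwgfx_surface.c (3 insertions), so the constant must already be defined in this tree's uapi headers; please confirm it exists in the 4.11 base before relying on the build, since an undefined identifier would only surface on architectures that build this driver. The bound is placed before the ttm_round_pot() sizing, which is the right spot: rejecting an oversized user-controlled loop count with -EINVAL before any allocation is what closes the lockup described in the commit message.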
@@ -1,96 +0,0 @@ -From: "David S. Miller" <[email protected]> -Date: Wed, 17 May 2017 22:54:11 -0400 -Subject: ipv6: Check ip6_find_1stfragopt() return value properly. -Patch-mainline: v4.12-rc2 -Git-commit: 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 -References: CVE-2017-9074 bsc#1039882 - -Do not use unsigned variables to see if it returns a negative -error or not. - -Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options") -Reported-by: Julia Lawall <[email protected]> -Signed-off-by: David S. Miller <[email protected]> -Acked-by: Michal Kubecek <[email protected]> - ---- - net/ipv6/ip6_offload.c | 9 ++++----- - net/ipv6/ip6_output.c | 7 +++---- - net/ipv6/udp_offload.c | 8 +++++--- - 3 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c -index eab36abc9f22..280268f1dd7b 100644 ---- a/net/ipv6/ip6_offload.c -+++ b/net/ipv6/ip6_offload.c -@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, - const struct net_offload *ops; - int proto; - struct frag_hdr *fptr; -- unsigned int unfrag_ip6hlen; - unsigned int payload_len; - u8 *prevhdr; - int offset = 0; -@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, - skb->network_header = (u8 *)ipv6h - skb->head; - - if (udpfrag) { -- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -- if (unfrag_ip6hlen < 0) -- return ERR_PTR(unfrag_ip6hlen); -- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); -+ int err = ip6_find_1stfragopt(skb, &prevhdr); -+ if (err < 0) -+ return ERR_PTR(err); -+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err); - fptr->frag_off = htons(offset); - if (skb->next) - fptr->frag_off |= htons(IP6_MF); -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 01deecda2f84..d4a31becbd25 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, - int ptr, 
offset = 0, err = 0; - u8 *prevhdr, nexthdr = 0; - -- hlen = ip6_find_1stfragopt(skb, &prevhdr); -- if (hlen < 0) { -- err = hlen; -+ err = ip6_find_1stfragopt(skb, &prevhdr); -+ if (err < 0) - goto fail; -- } -+ hlen = err; - nexthdr = *prevhdr; - - mtu = ip6_skb_dst_mtu(skb); -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index b348cff47395..a2267f80febb 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - u8 frag_hdr_sz = sizeof(struct frag_hdr); - __wsum csum; - int tnl_hlen; -+ int err; - - mss = skb_shinfo(skb)->gso_size; - if (unlikely(skb->len <= mss)) -@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - /* Find the unfragmentable header and shift it left by frag_hdr_sz - * bytes to insert fragment header. - */ -- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -- if (unfrag_ip6hlen < 0) -- return ERR_PTR(unfrag_ip6hlen); -+ err = ip6_find_1stfragopt(skb, &prevhdr); -+ if (err < 0) -+ return ERR_PTR(err); -+ unfrag_ip6hlen = err; - nexthdr = *prevhdr; - *prevhdr = NEXTHDR_FRAGMENT; - unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + --- -2.13.0 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch new/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch --- old/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch 2017-05-25 19:55:04.000000000 +0200 +++ new/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,235 +0,0 @@ -From: Craig Gallek <[email protected]> -Date: Tue, 16 May 2017 14:36:23 -0400 -Subject: ipv6: Prevent overrun when parsing v6 header options -Patch-mainline: v4.12-rc2 -Git-commit: 2423496af35d94a87156b063ea5cedffc10a70a1 -References: CVE-2017-9074 bsc#1039882 - -The KASAN warning repoted below was discovered with a syzkaller -program. The reproducer is basically: - int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); - send(s, &one_byte_of_data, 1, MSG_MORE); - send(s, &more_than_mtu_bytes_data, 2000, 0); - -The socket() call sets the nexthdr field of the v6 header to -NEXTHDR_HOP, the first send call primes the payload with a non zero -byte of data, and the second send call triggers the fragmentation path. - -The fragmentation code tries to parse the header options in order -to figure out where to insert the fragment option. Since nexthdr points -to an invalid option, the calculation of the size of the network header -can made to be much larger than the linear section of the skb and data -is read outside of it. - -This fix makes ip6_find_1stfrag return an error if it detects -running out-of-bounds. - -[ 42.361487] ================================================================== -[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730 -[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789 -[ 42.366469] -[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41 -[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 -[ 42.368824] Call Trace: -[ 42.369183] dump_stack+0xb3/0x10b -[ 42.369664] print_address_description+0x73/0x290 -[ 42.370325] kasan_report+0x252/0x370 -[ 42.370839] ? ip6_fragment+0x11c8/0x3730 -[ 42.371396] check_memory_region+0x13c/0x1a0 -[ 42.371978] memcpy+0x23/0x50 -[ 42.372395] ip6_fragment+0x11c8/0x3730 -[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110 -[ 42.373681] ? 
ip6_copy_metadata+0x7f0/0x7f0 -[ 42.374263] ? ip6_forward+0x2e30/0x2e30 -[ 42.374803] ip6_finish_output+0x584/0x990 -[ 42.375350] ip6_output+0x1b7/0x690 -[ 42.375836] ? ip6_finish_output+0x990/0x990 -[ 42.376411] ? ip6_fragment+0x3730/0x3730 -[ 42.376968] ip6_local_out+0x95/0x160 -[ 42.377471] ip6_send_skb+0xa1/0x330 -[ 42.377969] ip6_push_pending_frames+0xb3/0xe0 -[ 42.378589] rawv6_sendmsg+0x2051/0x2db0 -[ 42.379129] ? rawv6_bind+0x8b0/0x8b0 -[ 42.379633] ? _copy_from_user+0x84/0xe0 -[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290 -[ 42.380878] ? ___sys_sendmsg+0x162/0x930 -[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120 -[ 42.382074] ? sock_has_perm+0x1f6/0x290 -[ 42.382614] ? ___sys_sendmsg+0x167/0x930 -[ 42.383173] ? lock_downgrade+0x660/0x660 -[ 42.383727] inet_sendmsg+0x123/0x500 -[ 42.384226] ? inet_sendmsg+0x123/0x500 -[ 42.384748] ? inet_recvmsg+0x540/0x540 -[ 42.385263] sock_sendmsg+0xca/0x110 -[ 42.385758] SYSC_sendto+0x217/0x380 -[ 42.386249] ? SYSC_connect+0x310/0x310 -[ 42.386783] ? __might_fault+0x110/0x1d0 -[ 42.387324] ? lock_downgrade+0x660/0x660 -[ 42.387880] ? __fget_light+0xa1/0x1f0 -[ 42.388403] ? __fdget+0x18/0x20 -[ 42.388851] ? sock_common_setsockopt+0x95/0xd0 -[ 42.389472] ? SyS_setsockopt+0x17f/0x260 -[ 42.390021] ? 
entry_SYSCALL_64_fastpath+0x5/0xbe -[ 42.390650] SyS_sendto+0x40/0x50 -[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.391731] RIP: 0033:0x7fbbb711e383 -[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383 -[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003 -[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018 -[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad -[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00 -[ 42.397257] -[ 42.397411] Allocated by task 3789: -[ 42.397702] save_stack_trace+0x16/0x20 -[ 42.398005] save_stack+0x46/0xd0 -[ 42.398267] kasan_kmalloc+0xad/0xe0 -[ 42.398548] kasan_slab_alloc+0x12/0x20 -[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380 -[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0 -[ 42.399654] __alloc_skb+0xf8/0x580 -[ 42.400003] sock_wmalloc+0xab/0xf0 -[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0 -[ 42.400813] ip6_append_data+0x1a8/0x2f0 -[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0 -[ 42.401505] inet_sendmsg+0x123/0x500 -[ 42.401860] sock_sendmsg+0xca/0x110 -[ 42.402209] ___sys_sendmsg+0x7cb/0x930 -[ 42.402582] __sys_sendmsg+0xd9/0x190 -[ 42.402941] SyS_sendmsg+0x2d/0x50 -[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.403718] -[ 42.403871] Freed by task 1794: -[ 42.404146] save_stack_trace+0x16/0x20 -[ 42.404515] save_stack+0x46/0xd0 -[ 42.404827] kasan_slab_free+0x72/0xc0 -[ 42.405167] kfree+0xe8/0x2b0 -[ 42.405462] skb_free_head+0x74/0xb0 -[ 42.405806] skb_release_data+0x30e/0x3a0 -[ 42.406198] skb_release_all+0x4a/0x60 -[ 42.406563] consume_skb+0x113/0x2e0 -[ 42.406910] skb_free_datagram+0x1a/0xe0 -[ 42.407288] netlink_recvmsg+0x60d/0xe40 -[ 42.407667] sock_recvmsg+0xd7/0x110 -[ 42.408022] ___sys_recvmsg+0x25c/0x580 -[ 42.408395] __sys_recvmsg+0xd6/0x190 -[ 42.408753] 
SyS_recvmsg+0x2d/0x50 -[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe -[ 42.409513] -[ 42.409665] The buggy address belongs to the object at ffff88000969e780 -[ 42.409665] which belongs to the cache kmalloc-512 of size 512 -[ 42.410846] The buggy address is located 24 bytes inside of -[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980) -[ 42.411941] The buggy address belongs to the page: -[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 -[ 42.413298] flags: 0x100000000008100(slab|head) -[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c -[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000 -[ 42.415074] page dumped because: kasan: bad access detected -[ 42.415604] -[ 42.415757] Memory state around the buggy address: -[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc -[ 42.418273] ^ -[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb -[ 42.419882] ================================================================== - -Reported-by: Andrey Konovalov <[email protected]> -Signed-off-by: Craig Gallek <[email protected]> -Signed-off-by: David S. 
Miller <[email protected]> -Acked-by: Michal Kubecek <[email protected]> - ---- - net/ipv6/ip6_offload.c | 2 ++ - net/ipv6/ip6_output.c | 4 ++++ - net/ipv6/output_core.c | 14 ++++++++------ - net/ipv6/udp_offload.c | 2 ++ - 4 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c -index 93e58a5e1837..eab36abc9f22 100644 ---- a/net/ipv6/ip6_offload.c -+++ b/net/ipv6/ip6_offload.c -@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, - - if (udpfrag) { - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); - fptr->frag_off = htons(offset); - if (skb->next) -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 58f6288e9ba5..01deecda2f84 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -598,6 +598,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, - u8 *prevhdr, nexthdr = 0; - - hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (hlen < 0) { -+ err = hlen; -+ goto fail; -+ } - nexthdr = *prevhdr; - - mtu = ip6_skb_dst_mtu(skb); -diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index cd4252346a32..e9065b8d3af8 100644 ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident); - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - { - u16 offset = sizeof(struct ipv6hdr); -- struct ipv6_opt_hdr *exthdr = -- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); - unsigned int packet_len = skb_tail_pointer(skb) - - skb_network_header(skb); - int found_rhdr = 0; - *nexthdr = &ipv6_hdr(skb)->nexthdr; - -- while (offset + 1 <= packet_len) { -+ while (offset <= packet_len) { -+ struct ipv6_opt_hdr *exthdr; - - switch (**nexthdr) { - -@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - return offset; - } - -- offset += 
ipv6_optlen(exthdr); -- *nexthdr = &exthdr->nexthdr; -+ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) -+ return -EINVAL; -+ - exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + - offset); -+ offset += ipv6_optlen(exthdr); -+ *nexthdr = &exthdr->nexthdr; - } - -- return offset; -+ return -EINVAL; - } - EXPORT_SYMBOL(ip6_find_1stfragopt); - -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index ac858c480f2f..b348cff47395 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - * bytes to insert fragment header. - */ - unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); -+ if (unfrag_ip6hlen < 0) -+ return ERR_PTR(unfrag_ip6hlen); - nexthdr = *prevhdr; - *prevhdr = NEXTHDR_FRAGMENT; - unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + --- -2.13.0 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch new/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch --- old/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200 +++ new/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100 
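Review bot: In the output_core.c hunk the bounds check is placed correctly, before the dereference: `if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) return -EINVAL;` now precedes `exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + offset);` and the `offset += ipv6_optlen(exthdr);` that reads the option's hdrlen byte, and running off the end of the loop returns -EINVAL instead of a trusted `offset`, which is what stops the read past the linear area that KASAN reported. The ip6_offload.c and udp_offload.c hunks do not actually consume that error, though: `if (unfrag_ip6hlen < 0) return ERR_PTR(unfrag_ip6hlen);` tests an `unsigned int` (see `- unsigned int unfrag_ip6hlen;` in the ipv6_gso_segment hunk of the follow-up patch above), so the comparison is always false and the negative return is added to the header pointer as a large offset; the ip6_output.c hunk's `if (hlen < 0) { err = hlen; goto fail; }` has the same dependency on the declared type of `hlen`. The follow-up patch on this page, "ipv6: Check ip6_find_1stfragopt() return value properly", corrects exactly this, so the two must always be carried together; the series.conf removal below drops both in one change, which is consistent.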
@@ -1,68 +0,0 @@ -From: WANG Cong <[email protected]> -Date: Tue, 9 May 2017 16:59:54 -0700 -Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent -Patch-mainline: v4.12-rc2 -Git-commit: 83eaddab4378db256d00d295bda6ca997cd13a52 -References: CVE-2017-9076 CVE-2017-9077 bsc#1039885 bsc#1040069 - -Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent") -we should clear ipv6_mc_list etc. for IPv6 sockets too. - -Cc: Eric Dumazet <[email protected]> -Signed-off-by: Cong Wang <[email protected]> -Acked-by: Eric Dumazet <[email protected]> -Signed-off-by: David S. Miller <[email protected]> -Acked-by: Michal Kubecek <[email protected]> - ---- - net/dccp/ipv6.c | 6 ++++++ - net/ipv6/tcp_ipv6.c | 2 ++ - 2 files changed, 8 insertions(+) - -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index d9b6a4e403e7..b6bbb71e713e 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, - newsk->sk_backlog_rcv = dccp_v4_do_rcv; - newnp->pktoptions = NULL; - newnp->opt = NULL; -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - newnp->mcast_oif = inet6_iif(skb); - newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; - -@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, - /* Clone RX bits */ - newnp->rxopt.all = np->rxopt.all; - -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - newnp->pktoptions = NULL; - newnp->opt = NULL; - newnp->mcast_oif = inet6_iif(skb); -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 4c4afdca41ff..ff5f87641651 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -1070,6 +1070,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - newtp->af_specific = &tcp_sock_ipv6_mapped_specific; - #endif - -+ newnp->ipv6_mc_list = NULL; - newnp->ipv6_ac_list = NULL; - newnp->ipv6_fl_list = NULL; 
- newnp->pktoptions = NULL; -@@ -1139,6 +1140,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * - First: no IPv4 options. - */ - newinet->inet_opt = NULL; -+ newnp->ipv6_mc_list = NULL; - newnp->ipv6_ac_list = NULL; - newnp->ipv6_fl_list = NULL; - --- -2.13.0 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch new/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch --- old/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200 +++ new/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100 
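Review bot: The two dccp_v6_request_recv_sock hunks and the two tcp_v6_syn_recv_sock hunks each repeat the same reset by hand, and the tcp hunks show the failure mode this invites: `newnp->ipv6_ac_list = NULL;` and `newnp->ipv6_fl_list = NULL;` were already present while `+ newnp->ipv6_mc_list = NULL;` had been missed, so a child socket kept sharing the parent's multicast list. Consider a single helper that clears all three list heads (ipv6_mc_list, ipv6_ac_list, ipv6_fl_list) and is called from every accept path, so that any list member added to ipv6_pinfo later is reset in one place; the sctp patch that follows needs the identical three lines, which would be the third copy.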
@@ -1,37 +0,0 @@ -From: Eric Dumazet <[email protected]> -Date: Wed, 17 May 2017 07:16:40 -0700 -Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent -Patch-mainline: v4.12-rc2 -Git-commit: fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 -References: CVE-2017-9075 bsc#1039883 - -SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit -ipv6_mc_list from parent"), otherwise bad things can happen. - -Signed-off-by: Eric Dumazet <[email protected]> -Reported-by: Andrey Konovalov <[email protected]> -Tested-by: Andrey Konovalov <[email protected]> -Signed-off-by: David S. Miller <[email protected]> -Acked-by: Michal Kubecek <[email protected]> - ---- - net/sctp/ipv6.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index 961ee59f696a..6d2349bc71a6 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -665,6 +665,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, - newnp = inet6_sk(newsk); - - memcpy(newnp, np, sizeof(struct ipv6_pinfo)); -+ newnp->ipv6_mc_list = NULL; -+ newnp->ipv6_ac_list = NULL; -+ newnp->ipv6_fl_list = NULL; - - rcu_read_lock(); - opt = rcu_dereference(np->opt); --- -2.13.0 - ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 5108 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:28.865252136 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:28.869251572 +0200 @@ -30,6 +30,7 @@ patches.kernel.org/patch-4.11.1 patches.kernel.org/patch-4.11.1-2 patches.kernel.org/patch-4.11.2-3 + patches.kernel.org/patch-4.11.3-4 ######################################################## # Build fixes that apply to the vanilla kernel too. 
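Review bot: In the sctp_v6_create_accept_sk hunk the three resets are placed directly after `memcpy(newnp, np, sizeof(struct ipv6_pinfo));`, which is the right spot, but the approach is reactive: the raw struct copy duplicates every pointer in ipv6_pinfo, and the fix relies on enumerating each one that must not be shared (the hunk then handles `opt` separately through `opt = rcu_dereference(np->opt);`). A short comment stating that ipv6_mc_list, ipv6_ac_list and ipv6_fl_list are per-socket lists the child must start with empty would document why these three in particular, and would flag the pattern for anyone adding another pointer member to ipv6_pinfo.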
@@ -211,13 +212,8 @@ patches.suse/suse-hv-storvsc-sg_tablesize.patch ######################################################## - # Networking, IPv6 + # Networking Core ######################################################## - patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch - patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch - patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch - patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch - patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch ######################################################## # Netfilter @@ -229,6 +225,8 @@ ######################################################## patches.fixes/0001-Revert-SUNRPC-xs_sock_mark_closed-does-not-need-to-t.patch + patches.fixes/0001-SUNRPC-Refactor-svc_set_num_threads.patch + patches.fixes/0002-NFSv4-Fix-callback-server-shutdown.patch ######################################################## # lockd + statd @@ -328,6 +326,7 @@ ######################################################## patches.fixes/drm-i915-Fix-S4-resume-breakage patches.fixes/drm-amdgpu-revert-update-tile-table-for-oland-hainan.patch + patches.fixes/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch ######################################################## # video4linux @@ -452,7 +451,6 @@ # ########################################################## patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork - patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks ########################################################## # Audit ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.FNWhFn/_old 2017-06-12 15:12:28.909245929 +0200 +++ /var/tmp/diff_new_pack.FNWhFn/_new 2017-06-12 15:12:28.909245929 +0200 
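Review bot: The `# Networking, IPv6` to `# Networking Core` hunk removes all five backports and leaves the renamed section with no entries; that is acceptable as a placeholder, but the review check is that every removed entry is covered by the `+ patches.kernel.org/patch-4.11.3-4` added in the first hunk. The deleted patch headers on this page give the upstream ids to verify against (Git-commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531, 2423496af35d94a87156b063ea5cedffc10a70a1, 83eaddab4378db256d00d295bda6ca997cd13a52 and fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8). The `- patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch` entry and the `- patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks` entry in the last hunk have no corresponding file deletion in this part of the diff, so confirm those patch files are removed from the package as well, otherwise they remain as unreferenced files.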
@@ -1,3 +1,3 @@ -2017-05-25 19:55:04 +0200 -GIT Revision: 72623535ffa1560169ca6cb8dc05802d2c18962a +2017-06-07 17:14:28 +0200 +GIT Revision: cba98eed4de5d08a98e0b0fa4717778762020d36 GIT Branch: stable
