1 |
commit: f0aebc3668307cc523caedc3499d401990fcacbc |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Feb 26 20:45:07 2017 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Feb 26 20:45:07 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=f0aebc36 |
7 |
|
8 |
Linux patch 4.4.52. Removal of redundant patch. |
9 |
|
10 |
0000_README | 8 +- |
11 |
1051_linux-4.4.52.patch | 817 ++++++++++++++++++++++++++ |
12 |
1520_CVE-2017-6074-dccp-skb-freeing-fix.patch | 47 -- |
13 |
3 files changed, 821 insertions(+), 51 deletions(-) |
14 |
|
15 |
diff --git a/0000_README b/0000_README |
16 |
index 0bee2eb..747896b 100644 |
17 |
--- a/0000_README |
18 |
+++ b/0000_README |
19 |
@@ -247,6 +247,10 @@ Patch: 1050_linux-4.4.51.patch |
20 |
From: http://www.kernel.org |
21 |
Desc: Linux 4.4.51 |
22 |
|
23 |
+Patch: 1051_linux-4.4.52.patch |
24 |
+From: http://www.kernel.org |
25 |
+Desc: Linux 4.4.52 |
26 |
+ |
27 |
Patch: 1500_XATTR_USER_PREFIX.patch |
28 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
29 |
Desc: Support for namespace user.pax.* on tmpfs. |
30 |
@@ -255,10 +259,6 @@ Patch: 1510_fs-enable-link-security-restrictions-by-default.patch |
31 |
From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/ |
32 |
Desc: Enable link security restrictions by default. |
33 |
|
34 |
-Patch: 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch |
35 |
-From: https://bugs.gentoo.org/show_bug.cgi?id=610600 |
36 |
-Desc: dccp: fix freeing skb too early for IPV6_RECVPKTINFO. CVE-2017-6074 |
37 |
- |
38 |
Patch: 1900_xfs-fix-suspend-to-memory.patch |
39 |
From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/fs/xfs/xfs_trans_ail.c?id=18f1df4e00cea2eae41f3e5515b94d1e7127b2b6 |
40 |
Desc: xfs: Make xfsaild freezeable again. See bug #575034. |
41 |
|
42 |
diff --git a/1051_linux-4.4.52.patch b/1051_linux-4.4.52.patch |
43 |
new file mode 100644 |
44 |
index 0000000..63d6ed7 |
45 |
--- /dev/null |
46 |
+++ b/1051_linux-4.4.52.patch |
47 |
@@ -0,0 +1,817 @@ |
48 |
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
49 |
+index c360f80c3473..ca64ca566099 100644 |
50 |
+--- a/Documentation/kernel-parameters.txt |
51 |
++++ b/Documentation/kernel-parameters.txt |
52 |
+@@ -1255,6 +1255,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
53 |
+ When zero, profiling data is discarded and associated |
54 |
+ debugfs files are removed at module unload time. |
55 |
+ |
56 |
++ goldfish [X86] Enable the goldfish android emulator platform. |
57 |
++ Don't use this when you are not running on the |
58 |
++ android emulator |
59 |
++ |
60 |
+ gpt [EFI] Forces disk with valid GPT signature but |
61 |
+ invalid Protective MBR to be treated as GPT. If the |
62 |
+ primary GPT is corrupted, it enables the backup/alternate |
63 |
+diff --git a/Makefile b/Makefile |
64 |
+index 117357188f01..671e183bd507 100644 |
65 |
+--- a/Makefile |
66 |
++++ b/Makefile |
67 |
+@@ -1,6 +1,6 @@ |
68 |
+ VERSION = 4 |
69 |
+ PATCHLEVEL = 4 |
70 |
+-SUBLEVEL = 51 |
71 |
++SUBLEVEL = 52 |
72 |
+ EXTRAVERSION = |
73 |
+ NAME = Blurry Fish Butt |
74 |
+ |
75 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
76 |
+index bb620df05d0d..64f60a48def1 100644 |
77 |
+--- a/arch/x86/kvm/vmx.c |
78 |
++++ b/arch/x86/kvm/vmx.c |
79 |
+@@ -4867,6 +4867,12 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx) |
80 |
+ if (vmx_xsaves_supported()) |
81 |
+ vmcs_write64(XSS_EXIT_BITMAP, VMX_XSS_EXIT_BITMAP); |
82 |
+ |
83 |
++ if (enable_pml) { |
84 |
++ ASSERT(vmx->pml_pg); |
85 |
++ vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg)); |
86 |
++ vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1); |
87 |
++ } |
88 |
++ |
89 |
+ return 0; |
90 |
+ } |
91 |
+ |
92 |
+@@ -7839,22 +7845,6 @@ static void vmx_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2) |
93 |
+ *info2 = vmcs_read32(VM_EXIT_INTR_INFO); |
94 |
+ } |
95 |
+ |
96 |
+-static int vmx_create_pml_buffer(struct vcpu_vmx *vmx) |
97 |
+-{ |
98 |
+- struct page *pml_pg; |
99 |
+- |
100 |
+- pml_pg = alloc_page(GFP_KERNEL | __GFP_ZERO); |
101 |
+- if (!pml_pg) |
102 |
+- return -ENOMEM; |
103 |
+- |
104 |
+- vmx->pml_pg = pml_pg; |
105 |
+- |
106 |
+- vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg)); |
107 |
+- vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1); |
108 |
+- |
109 |
+- return 0; |
110 |
+-} |
111 |
+- |
112 |
+ static void vmx_destroy_pml_buffer(struct vcpu_vmx *vmx) |
113 |
+ { |
114 |
+ if (vmx->pml_pg) { |
115 |
+@@ -8789,14 +8779,26 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) |
116 |
+ if (err) |
117 |
+ goto free_vcpu; |
118 |
+ |
119 |
++ err = -ENOMEM; |
120 |
++ |
121 |
++ /* |
122 |
++ * If PML is turned on, failure on enabling PML just results in failure |
123 |
++ * of creating the vcpu, therefore we can simplify PML logic (by |
124 |
++ * avoiding dealing with cases, such as enabling PML partially on vcpus |
125 |
++ * for the guest, etc. |
126 |
++ */ |
127 |
++ if (enable_pml) { |
128 |
++ vmx->pml_pg = alloc_page(GFP_KERNEL | __GFP_ZERO); |
129 |
++ if (!vmx->pml_pg) |
130 |
++ goto uninit_vcpu; |
131 |
++ } |
132 |
++ |
133 |
+ vmx->guest_msrs = kmalloc(PAGE_SIZE, GFP_KERNEL); |
134 |
+ BUILD_BUG_ON(ARRAY_SIZE(vmx_msr_index) * sizeof(vmx->guest_msrs[0]) |
135 |
+ > PAGE_SIZE); |
136 |
+ |
137 |
+- err = -ENOMEM; |
138 |
+- if (!vmx->guest_msrs) { |
139 |
+- goto uninit_vcpu; |
140 |
+- } |
141 |
++ if (!vmx->guest_msrs) |
142 |
++ goto free_pml; |
143 |
+ |
144 |
+ vmx->loaded_vmcs = &vmx->vmcs01; |
145 |
+ vmx->loaded_vmcs->vmcs = alloc_vmcs(); |
146 |
+@@ -8840,18 +8842,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) |
147 |
+ vmx->nested.current_vmptr = -1ull; |
148 |
+ vmx->nested.current_vmcs12 = NULL; |
149 |
+ |
150 |
+- /* |
151 |
+- * If PML is turned on, failure on enabling PML just results in failure |
152 |
+- * of creating the vcpu, therefore we can simplify PML logic (by |
153 |
+- * avoiding dealing with cases, such as enabling PML partially on vcpus |
154 |
+- * for the guest, etc. |
155 |
+- */ |
156 |
+- if (enable_pml) { |
157 |
+- err = vmx_create_pml_buffer(vmx); |
158 |
+- if (err) |
159 |
+- goto free_vmcs; |
160 |
+- } |
161 |
+- |
162 |
+ return &vmx->vcpu; |
163 |
+ |
164 |
+ free_vmcs: |
165 |
+@@ -8859,6 +8849,8 @@ free_vmcs: |
166 |
+ free_loaded_vmcs(vmx->loaded_vmcs); |
167 |
+ free_msrs: |
168 |
+ kfree(vmx->guest_msrs); |
169 |
++free_pml: |
170 |
++ vmx_destroy_pml_buffer(vmx); |
171 |
+ uninit_vcpu: |
172 |
+ kvm_vcpu_uninit(&vmx->vcpu); |
173 |
+ free_vcpu: |
174 |
+diff --git a/arch/x86/platform/goldfish/goldfish.c b/arch/x86/platform/goldfish/goldfish.c |
175 |
+index 1693107a518e..0d17c0aafeb1 100644 |
176 |
+--- a/arch/x86/platform/goldfish/goldfish.c |
177 |
++++ b/arch/x86/platform/goldfish/goldfish.c |
178 |
+@@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus_resources[] = { |
179 |
+ } |
180 |
+ }; |
181 |
+ |
182 |
++static bool goldfish_enable __initdata; |
183 |
++ |
184 |
++static int __init goldfish_setup(char *str) |
185 |
++{ |
186 |
++ goldfish_enable = true; |
187 |
++ return 0; |
188 |
++} |
189 |
++__setup("goldfish", goldfish_setup); |
190 |
++ |
191 |
+ static int __init goldfish_init(void) |
192 |
+ { |
193 |
++ if (!goldfish_enable) |
194 |
++ return -ENODEV; |
195 |
++ |
196 |
+ platform_device_register_simple("goldfish_pdev_bus", -1, |
197 |
+- goldfish_pdev_bus_resources, 2); |
198 |
++ goldfish_pdev_bus_resources, 2); |
199 |
+ return 0; |
200 |
+ } |
201 |
+ device_initcall(goldfish_init); |
202 |
+diff --git a/block/blk-mq.c b/block/blk-mq.c |
203 |
+index 6cfc6b200366..d8d63c38bf29 100644 |
204 |
+--- a/block/blk-mq.c |
205 |
++++ b/block/blk-mq.c |
206 |
+@@ -1259,12 +1259,9 @@ static blk_qc_t blk_mq_make_request(struct request_queue *q, struct bio *bio) |
207 |
+ |
208 |
+ blk_queue_split(q, &bio, q->bio_split); |
209 |
+ |
210 |
+- if (!is_flush_fua && !blk_queue_nomerges(q)) { |
211 |
+- if (blk_attempt_plug_merge(q, bio, &request_count, |
212 |
+- &same_queue_rq)) |
213 |
+- return BLK_QC_T_NONE; |
214 |
+- } else |
215 |
+- request_count = blk_plug_queued_count(q); |
216 |
++ if (!is_flush_fua && !blk_queue_nomerges(q) && |
217 |
++ blk_attempt_plug_merge(q, bio, &request_count, &same_queue_rq)) |
218 |
++ return BLK_QC_T_NONE; |
219 |
+ |
220 |
+ rq = blk_mq_map_request(q, bio, &data); |
221 |
+ if (unlikely(!rq)) |
222 |
+@@ -1355,9 +1352,11 @@ static blk_qc_t blk_sq_make_request(struct request_queue *q, struct bio *bio) |
223 |
+ |
224 |
+ blk_queue_split(q, &bio, q->bio_split); |
225 |
+ |
226 |
+- if (!is_flush_fua && !blk_queue_nomerges(q) && |
227 |
+- blk_attempt_plug_merge(q, bio, &request_count, NULL)) |
228 |
+- return BLK_QC_T_NONE; |
229 |
++ if (!is_flush_fua && !blk_queue_nomerges(q)) { |
230 |
++ if (blk_attempt_plug_merge(q, bio, &request_count, NULL)) |
231 |
++ return BLK_QC_T_NONE; |
232 |
++ } else |
233 |
++ request_count = blk_plug_queued_count(q); |
234 |
+ |
235 |
+ rq = blk_mq_map_request(q, bio, &data); |
236 |
+ if (unlikely(!rq)) |
237 |
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c |
238 |
+index aac1ed3f7bb4..ad8390d2997b 100644 |
239 |
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c |
240 |
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c |
241 |
+@@ -834,12 +834,30 @@ static void rtl_usb_stop(struct ieee80211_hw *hw) |
242 |
+ struct rtl_priv *rtlpriv = rtl_priv(hw); |
243 |
+ struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); |
244 |
+ struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw)); |
245 |
++ struct urb *urb; |
246 |
+ |
247 |
+ /* should after adapter start and interrupt enable. */ |
248 |
+ set_hal_stop(rtlhal); |
249 |
+ cancel_work_sync(&rtlpriv->works.fill_h2c_cmd); |
250 |
+ /* Enable software */ |
251 |
+ SET_USB_STOP(rtlusb); |
252 |
++ |
253 |
++ /* free pre-allocated URBs from rtl_usb_start() */ |
254 |
++ usb_kill_anchored_urbs(&rtlusb->rx_submitted); |
255 |
++ |
256 |
++ tasklet_kill(&rtlusb->rx_work_tasklet); |
257 |
++ cancel_work_sync(&rtlpriv->works.lps_change_work); |
258 |
++ |
259 |
++ flush_workqueue(rtlpriv->works.rtl_wq); |
260 |
++ |
261 |
++ skb_queue_purge(&rtlusb->rx_queue); |
262 |
++ |
263 |
++ while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) { |
264 |
++ usb_free_coherent(urb->dev, urb->transfer_buffer_length, |
265 |
++ urb->transfer_buffer, urb->transfer_dma); |
266 |
++ usb_free_urb(urb); |
267 |
++ } |
268 |
++ |
269 |
+ rtlpriv->cfg->ops->hw_disable(hw); |
270 |
+ } |
271 |
+ |
272 |
+@@ -1073,6 +1091,7 @@ int rtl_usb_probe(struct usb_interface *intf, |
273 |
+ return -ENOMEM; |
274 |
+ } |
275 |
+ rtlpriv = hw->priv; |
276 |
++ rtlpriv->hw = hw; |
277 |
+ rtlpriv->usb_data = kzalloc(RTL_USB_MAX_RX_COUNT * sizeof(u32), |
278 |
+ GFP_KERNEL); |
279 |
+ if (!rtlpriv->usb_data) |
280 |
+diff --git a/drivers/platform/goldfish/pdev_bus.c b/drivers/platform/goldfish/pdev_bus.c |
281 |
+index 1f52462f4cdd..dd9ea463c2a4 100644 |
282 |
+--- a/drivers/platform/goldfish/pdev_bus.c |
283 |
++++ b/drivers/platform/goldfish/pdev_bus.c |
284 |
+@@ -157,23 +157,26 @@ static int goldfish_new_pdev(void) |
285 |
+ static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id) |
286 |
+ { |
287 |
+ irqreturn_t ret = IRQ_NONE; |
288 |
++ |
289 |
+ while (1) { |
290 |
+ u32 op = readl(pdev_bus_base + PDEV_BUS_OP); |
291 |
+- switch (op) { |
292 |
+- case PDEV_BUS_OP_DONE: |
293 |
+- return IRQ_NONE; |
294 |
+ |
295 |
++ switch (op) { |
296 |
+ case PDEV_BUS_OP_REMOVE_DEV: |
297 |
+ goldfish_pdev_remove(); |
298 |
++ ret = IRQ_HANDLED; |
299 |
+ break; |
300 |
+ |
301 |
+ case PDEV_BUS_OP_ADD_DEV: |
302 |
+ goldfish_new_pdev(); |
303 |
++ ret = IRQ_HANDLED; |
304 |
+ break; |
305 |
++ |
306 |
++ case PDEV_BUS_OP_DONE: |
307 |
++ default: |
308 |
++ return ret; |
309 |
+ } |
310 |
+- ret = IRQ_HANDLED; |
311 |
+ } |
312 |
+- return ret; |
313 |
+ } |
314 |
+ |
315 |
+ static int goldfish_pdev_bus_probe(struct platform_device *pdev) |
316 |
+diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c |
317 |
+index 5836751b8203..9bb934ed2a7a 100644 |
318 |
+--- a/drivers/rtc/interface.c |
319 |
++++ b/drivers/rtc/interface.c |
320 |
+@@ -748,9 +748,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq); |
321 |
+ */ |
322 |
+ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) |
323 |
+ { |
324 |
++ struct timerqueue_node *next = timerqueue_getnext(&rtc->timerqueue); |
325 |
++ struct rtc_time tm; |
326 |
++ ktime_t now; |
327 |
++ |
328 |
+ timer->enabled = 1; |
329 |
++ __rtc_read_time(rtc, &tm); |
330 |
++ now = rtc_tm_to_ktime(tm); |
331 |
++ |
332 |
++ /* Skip over expired timers */ |
333 |
++ while (next) { |
334 |
++ if (next->expires.tv64 >= now.tv64) |
335 |
++ break; |
336 |
++ next = timerqueue_iterate_next(next); |
337 |
++ } |
338 |
++ |
339 |
+ timerqueue_add(&rtc->timerqueue, &timer->node); |
340 |
+- if (&timer->node == timerqueue_getnext(&rtc->timerqueue)) { |
341 |
++ if (!next) { |
342 |
+ struct rtc_wkalrm alarm; |
343 |
+ int err; |
344 |
+ alarm.time = rtc_ktime_to_tm(timer->node.expires); |
345 |
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c |
346 |
+index e1de4944e0ce..8c4707d5778e 100644 |
347 |
+--- a/drivers/tty/serial/msm_serial.c |
348 |
++++ b/drivers/tty/serial/msm_serial.c |
349 |
+@@ -1615,6 +1615,7 @@ static const struct of_device_id msm_match_table[] = { |
350 |
+ { .compatible = "qcom,msm-uartdm" }, |
351 |
+ {} |
352 |
+ }; |
353 |
++MODULE_DEVICE_TABLE(of, msm_match_table); |
354 |
+ |
355 |
+ static struct platform_driver msm_platform_driver = { |
356 |
+ .remove = msm_serial_remove, |
357 |
+diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c |
358 |
+index 5a048b7b92e8..2949289bb3c5 100644 |
359 |
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c |
360 |
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c |
361 |
+@@ -244,7 +244,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev) |
362 |
+ struct ci_hdrc_platform_data pdata = { |
363 |
+ .name = dev_name(&pdev->dev), |
364 |
+ .capoffset = DEF_CAPOFFSET, |
365 |
+- .flags = CI_HDRC_SET_NON_ZERO_TTHA, |
366 |
+ }; |
367 |
+ int ret; |
368 |
+ const struct of_device_id *of_id; |
369 |
+diff --git a/drivers/usb/serial/ark3116.c b/drivers/usb/serial/ark3116.c |
370 |
+index 1532cde8a437..7812052dc700 100644 |
371 |
+--- a/drivers/usb/serial/ark3116.c |
372 |
++++ b/drivers/usb/serial/ark3116.c |
373 |
+@@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_serial *serial, |
374 |
+ usb_rcvctrlpipe(serial->dev, 0), |
375 |
+ 0xfe, 0xc0, 0, reg, |
376 |
+ buf, 1, ARK_TIMEOUT); |
377 |
+- if (result < 0) |
378 |
++ if (result < 1) { |
379 |
++ dev_err(&serial->interface->dev, |
380 |
++ "failed to read register %u: %d\n", |
381 |
++ reg, result); |
382 |
++ if (result >= 0) |
383 |
++ result = -EIO; |
384 |
++ |
385 |
+ return result; |
386 |
+- else |
387 |
+- return buf[0]; |
388 |
++ } |
389 |
++ |
390 |
++ return buf[0]; |
391 |
+ } |
392 |
+ |
393 |
+ static inline int calc_divisor(int bps) |
394 |
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c |
395 |
+index fe7452f0f38a..33cec50978b8 100644 |
396 |
+--- a/drivers/usb/serial/cp210x.c |
397 |
++++ b/drivers/usb/serial/cp210x.c |
398 |
+@@ -171,6 +171,8 @@ static const struct usb_device_id id_table[] = { |
399 |
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ |
400 |
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ |
401 |
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ |
402 |
++ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */ |
403 |
++ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */ |
404 |
+ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ |
405 |
+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ |
406 |
+ { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ |
407 |
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c |
408 |
+index d3d6ec455151..19a98116c2ab 100644 |
409 |
+--- a/drivers/usb/serial/ftdi_sio.c |
410 |
++++ b/drivers/usb/serial/ftdi_sio.c |
411 |
+@@ -1807,8 +1807,6 @@ static int ftdi_sio_port_probe(struct usb_serial_port *port) |
412 |
+ |
413 |
+ mutex_init(&priv->cfg_lock); |
414 |
+ |
415 |
+- priv->flags = ASYNC_LOW_LATENCY; |
416 |
+- |
417 |
+ if (quirk && quirk->port_probe) |
418 |
+ quirk->port_probe(priv); |
419 |
+ |
420 |
+@@ -2072,6 +2070,20 @@ static int ftdi_process_packet(struct usb_serial_port *port, |
421 |
+ priv->prev_status = status; |
422 |
+ } |
423 |
+ |
424 |
++ /* save if the transmitter is empty or not */ |
425 |
++ if (packet[1] & FTDI_RS_TEMT) |
426 |
++ priv->transmit_empty = 1; |
427 |
++ else |
428 |
++ priv->transmit_empty = 0; |
429 |
++ |
430 |
++ len -= 2; |
431 |
++ if (!len) |
432 |
++ return 0; /* status only */ |
433 |
++ |
434 |
++ /* |
435 |
++ * Break and error status must only be processed for packets with |
436 |
++ * data payload to avoid over-reporting. |
437 |
++ */ |
438 |
+ flag = TTY_NORMAL; |
439 |
+ if (packet[1] & FTDI_RS_ERR_MASK) { |
440 |
+ /* Break takes precedence over parity, which takes precedence |
441 |
+@@ -2094,15 +2106,6 @@ static int ftdi_process_packet(struct usb_serial_port *port, |
442 |
+ } |
443 |
+ } |
444 |
+ |
445 |
+- /* save if the transmitter is empty or not */ |
446 |
+- if (packet[1] & FTDI_RS_TEMT) |
447 |
+- priv->transmit_empty = 1; |
448 |
+- else |
449 |
+- priv->transmit_empty = 0; |
450 |
+- |
451 |
+- len -= 2; |
452 |
+- if (!len) |
453 |
+- return 0; /* status only */ |
454 |
+ port->icount.rx += len; |
455 |
+ ch = packet + 2; |
456 |
+ |
457 |
+@@ -2433,8 +2436,12 @@ static int ftdi_get_modem_status(struct usb_serial_port *port, |
458 |
+ FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE, |
459 |
+ 0, priv->interface, |
460 |
+ buf, len, WDR_TIMEOUT); |
461 |
+- if (ret < 0) { |
462 |
++ |
463 |
++ /* NOTE: We allow short responses and handle that below. */ |
464 |
++ if (ret < 1) { |
465 |
+ dev_err(&port->dev, "failed to get modem status: %d\n", ret); |
466 |
++ if (ret >= 0) |
467 |
++ ret = -EIO; |
468 |
+ ret = usb_translate_errors(ret); |
469 |
+ goto out; |
470 |
+ } |
471 |
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c |
472 |
+index 97ea52b5cfd4..d17685cc00c9 100644 |
473 |
+--- a/drivers/usb/serial/mos7840.c |
474 |
++++ b/drivers/usb/serial/mos7840.c |
475 |
+@@ -1024,6 +1024,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port) |
476 |
+ * (can't set it up in mos7840_startup as the structures * |
477 |
+ * were not set up at that time.) */ |
478 |
+ if (port0->open_ports == 1) { |
479 |
++ /* FIXME: Buffer never NULL, so URB is not submitted. */ |
480 |
+ if (serial->port[0]->interrupt_in_buffer == NULL) { |
481 |
+ /* set up interrupt urb */ |
482 |
+ usb_fill_int_urb(serial->port[0]->interrupt_in_urb, |
483 |
+@@ -2119,7 +2120,8 @@ static int mos7840_calc_num_ports(struct usb_serial *serial) |
484 |
+ static int mos7840_attach(struct usb_serial *serial) |
485 |
+ { |
486 |
+ if (serial->num_bulk_in < serial->num_ports || |
487 |
+- serial->num_bulk_out < serial->num_ports) { |
488 |
++ serial->num_bulk_out < serial->num_ports || |
489 |
++ serial->num_interrupt_in < 1) { |
490 |
+ dev_err(&serial->interface->dev, "missing endpoints\n"); |
491 |
+ return -ENODEV; |
492 |
+ } |
493 |
+diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c |
494 |
+index 4b7bfb394a32..64bf258e7e00 100644 |
495 |
+--- a/drivers/usb/serial/opticon.c |
496 |
++++ b/drivers/usb/serial/opticon.c |
497 |
+@@ -142,7 +142,7 @@ static int opticon_open(struct tty_struct *tty, struct usb_serial_port *port) |
498 |
+ usb_clear_halt(port->serial->dev, port->read_urb->pipe); |
499 |
+ |
500 |
+ res = usb_serial_generic_open(tty, port); |
501 |
+- if (!res) |
502 |
++ if (res) |
503 |
+ return res; |
504 |
+ |
505 |
+ /* Request CTS line state, sometimes during opening the current |
506 |
+diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c |
507 |
+index 475e6c31b266..ddfd787c461c 100644 |
508 |
+--- a/drivers/usb/serial/spcp8x5.c |
509 |
++++ b/drivers/usb/serial/spcp8x5.c |
510 |
+@@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_serial_port *port, u8 *status) |
511 |
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), |
512 |
+ GET_UART_STATUS, GET_UART_STATUS_TYPE, |
513 |
+ 0, GET_UART_STATUS_MSR, buf, 1, 100); |
514 |
+- if (ret < 0) |
515 |
++ if (ret < 1) { |
516 |
+ dev_err(&port->dev, "failed to get modem status: %d\n", ret); |
517 |
++ if (ret >= 0) |
518 |
++ ret = -EIO; |
519 |
++ goto out; |
520 |
++ } |
521 |
+ |
522 |
+ dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf); |
523 |
+ *status = *buf; |
524 |
++ ret = 0; |
525 |
++out: |
526 |
+ kfree(buf); |
527 |
+ |
528 |
+ return ret; |
529 |
+diff --git a/mm/backing-dev.c b/mm/backing-dev.c |
530 |
+index 9ef80bf441b3..a988d4ef39da 100644 |
531 |
+--- a/mm/backing-dev.c |
532 |
++++ b/mm/backing-dev.c |
533 |
+@@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_dev_info *bdi) |
534 |
+ if (!bdi->wb_congested) |
535 |
+ return -ENOMEM; |
536 |
+ |
537 |
++ atomic_set(&bdi->wb_congested->refcnt, 1); |
538 |
++ |
539 |
+ err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL); |
540 |
+ if (err) { |
541 |
+- kfree(bdi->wb_congested); |
542 |
++ wb_congested_put(bdi->wb_congested); |
543 |
+ return err; |
544 |
+ } |
545 |
+ return 0; |
546 |
+ } |
547 |
+ |
548 |
+-static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { } |
549 |
++static void cgwb_bdi_destroy(struct backing_dev_info *bdi) |
550 |
++{ |
551 |
++ wb_congested_put(bdi->wb_congested); |
552 |
++} |
553 |
+ |
554 |
+ #endif /* CONFIG_CGROUP_WRITEBACK */ |
555 |
+ |
556 |
+diff --git a/net/dccp/input.c b/net/dccp/input.c |
557 |
+index 3bd14e885396..dbe2573f6ba1 100644 |
558 |
+--- a/net/dccp/input.c |
559 |
++++ b/net/dccp/input.c |
560 |
+@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, |
561 |
+ if (inet_csk(sk)->icsk_af_ops->conn_request(sk, |
562 |
+ skb) < 0) |
563 |
+ return 1; |
564 |
+- goto discard; |
565 |
++ consume_skb(skb); |
566 |
++ return 0; |
567 |
+ } |
568 |
+ if (dh->dccph_type == DCCP_PKT_RESET) |
569 |
+ goto discard; |
570 |
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c |
571 |
+index bc14c5bb124b..f300d1cbfa91 100644 |
572 |
+--- a/net/ipv4/ip_sockglue.c |
573 |
++++ b/net/ipv4/ip_sockglue.c |
574 |
+@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, |
575 |
+ if (skb->ip_summed != CHECKSUM_COMPLETE) |
576 |
+ return; |
577 |
+ |
578 |
+- if (offset != 0) |
579 |
+- csum = csum_sub(csum, |
580 |
+- csum_partial(skb->data + tlen, |
581 |
+- offset, 0)); |
582 |
++ if (offset != 0) { |
583 |
++ int tend_off = skb_transport_offset(skb) + tlen; |
584 |
++ csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0)); |
585 |
++ } |
586 |
+ |
587 |
+ put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum); |
588 |
+ } |
589 |
+diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c |
590 |
+index acbe61c7e683..160dc89335e2 100644 |
591 |
+--- a/net/irda/irqueue.c |
592 |
++++ b/net/irda/irqueue.c |
593 |
+@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new); |
594 |
+ * for deallocating this structure if it's complex. If not the user can |
595 |
+ * just supply kfree, which should take care of the job. |
596 |
+ */ |
597 |
+-#ifdef CONFIG_LOCKDEP |
598 |
+-static int hashbin_lock_depth = 0; |
599 |
+-#endif |
600 |
+ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func) |
601 |
+ { |
602 |
+ irda_queue_t* queue; |
603 |
+@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func) |
604 |
+ IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;); |
605 |
+ |
606 |
+ /* Synchronize */ |
607 |
+- if ( hashbin->hb_type & HB_LOCK ) { |
608 |
+- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags, |
609 |
+- hashbin_lock_depth++); |
610 |
+- } |
611 |
++ if (hashbin->hb_type & HB_LOCK) |
612 |
++ spin_lock_irqsave(&hashbin->hb_spinlock, flags); |
613 |
+ |
614 |
+ /* |
615 |
+ * Free the entries in the hashbin, TODO: use hashbin_clear when |
616 |
+ * it has been shown to work |
617 |
+ */ |
618 |
+ for (i = 0; i < HASHBIN_SIZE; i ++ ) { |
619 |
+- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]); |
620 |
+- while (queue ) { |
621 |
+- if (free_func) |
622 |
+- (*free_func)(queue); |
623 |
+- queue = dequeue_first( |
624 |
+- (irda_queue_t**) &hashbin->hb_queue[i]); |
625 |
++ while (1) { |
626 |
++ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]); |
627 |
++ |
628 |
++ if (!queue) |
629 |
++ break; |
630 |
++ |
631 |
++ if (free_func) { |
632 |
++ if (hashbin->hb_type & HB_LOCK) |
633 |
++ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags); |
634 |
++ free_func(queue); |
635 |
++ if (hashbin->hb_type & HB_LOCK) |
636 |
++ spin_lock_irqsave(&hashbin->hb_spinlock, flags); |
637 |
++ } |
638 |
+ } |
639 |
+ } |
640 |
+ |
641 |
+@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func) |
642 |
+ hashbin->magic = ~HB_MAGIC; |
643 |
+ |
644 |
+ /* Release lock */ |
645 |
+- if ( hashbin->hb_type & HB_LOCK) { |
646 |
++ if (hashbin->hb_type & HB_LOCK) |
647 |
+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags); |
648 |
+-#ifdef CONFIG_LOCKDEP |
649 |
+- hashbin_lock_depth--; |
650 |
+-#endif |
651 |
+- } |
652 |
+ |
653 |
+ /* |
654 |
+ * Free the hashbin structure |
655 |
+diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c |
656 |
+index 3e821daf9dd4..8bc5a1bd2d45 100644 |
657 |
+--- a/net/llc/llc_conn.c |
658 |
++++ b/net/llc/llc_conn.c |
659 |
+@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb) |
660 |
+ * another trick required to cope with how the PROCOM state |
661 |
+ * machine works. -acme |
662 |
+ */ |
663 |
++ skb_orphan(skb); |
664 |
++ sock_hold(sk); |
665 |
+ skb->sk = sk; |
666 |
++ skb->destructor = sock_efree; |
667 |
+ } |
668 |
+ if (!sock_owned_by_user(sk)) |
669 |
+ llc_conn_rcv(sk, skb); |
670 |
+diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c |
671 |
+index d0e1e804ebd7..5404d0d195cc 100644 |
672 |
+--- a/net/llc/llc_sap.c |
673 |
++++ b/net/llc/llc_sap.c |
674 |
+@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb, |
675 |
+ |
676 |
+ ev->type = LLC_SAP_EV_TYPE_PDU; |
677 |
+ ev->reason = 0; |
678 |
++ skb_orphan(skb); |
679 |
++ sock_hold(sk); |
680 |
+ skb->sk = sk; |
681 |
++ skb->destructor = sock_efree; |
682 |
+ llc_sap_state_process(sap, skb); |
683 |
+ } |
684 |
+ |
685 |
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
686 |
+index f2d28ed74a0a..d805cd577a60 100644 |
687 |
+--- a/net/packet/af_packet.c |
688 |
++++ b/net/packet/af_packet.c |
689 |
+@@ -1497,6 +1497,8 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po) |
690 |
+ f->arr[f->num_members] = sk; |
691 |
+ smp_wmb(); |
692 |
+ f->num_members++; |
693 |
++ if (f->num_members == 1) |
694 |
++ dev_add_pack(&f->prot_hook); |
695 |
+ spin_unlock(&f->lock); |
696 |
+ } |
697 |
+ |
698 |
+@@ -1513,6 +1515,8 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po) |
699 |
+ BUG_ON(i >= f->num_members); |
700 |
+ f->arr[i] = f->arr[f->num_members - 1]; |
701 |
+ f->num_members--; |
702 |
++ if (f->num_members == 0) |
703 |
++ __dev_remove_pack(&f->prot_hook); |
704 |
+ spin_unlock(&f->lock); |
705 |
+ } |
706 |
+ |
707 |
+@@ -1623,6 +1627,7 @@ static void fanout_release_data(struct packet_fanout *f) |
708 |
+ |
709 |
+ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
710 |
+ { |
711 |
++ struct packet_rollover *rollover = NULL; |
712 |
+ struct packet_sock *po = pkt_sk(sk); |
713 |
+ struct packet_fanout *f, *match; |
714 |
+ u8 type = type_flags & 0xff; |
715 |
+@@ -1645,23 +1650,28 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
716 |
+ return -EINVAL; |
717 |
+ } |
718 |
+ |
719 |
++ mutex_lock(&fanout_mutex); |
720 |
++ |
721 |
++ err = -EINVAL; |
722 |
+ if (!po->running) |
723 |
+- return -EINVAL; |
724 |
++ goto out; |
725 |
+ |
726 |
++ err = -EALREADY; |
727 |
+ if (po->fanout) |
728 |
+- return -EALREADY; |
729 |
++ goto out; |
730 |
+ |
731 |
+ if (type == PACKET_FANOUT_ROLLOVER || |
732 |
+ (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) { |
733 |
+- po->rollover = kzalloc(sizeof(*po->rollover), GFP_KERNEL); |
734 |
+- if (!po->rollover) |
735 |
+- return -ENOMEM; |
736 |
+- atomic_long_set(&po->rollover->num, 0); |
737 |
+- atomic_long_set(&po->rollover->num_huge, 0); |
738 |
+- atomic_long_set(&po->rollover->num_failed, 0); |
739 |
++ err = -ENOMEM; |
740 |
++ rollover = kzalloc(sizeof(*rollover), GFP_KERNEL); |
741 |
++ if (!rollover) |
742 |
++ goto out; |
743 |
++ atomic_long_set(&rollover->num, 0); |
744 |
++ atomic_long_set(&rollover->num_huge, 0); |
745 |
++ atomic_long_set(&rollover->num_failed, 0); |
746 |
++ po->rollover = rollover; |
747 |
+ } |
748 |
+ |
749 |
+- mutex_lock(&fanout_mutex); |
750 |
+ match = NULL; |
751 |
+ list_for_each_entry(f, &fanout_list, list) { |
752 |
+ if (f->id == id && |
753 |
+@@ -1691,7 +1701,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
754 |
+ match->prot_hook.func = packet_rcv_fanout; |
755 |
+ match->prot_hook.af_packet_priv = match; |
756 |
+ match->prot_hook.id_match = match_fanout_group; |
757 |
+- dev_add_pack(&match->prot_hook); |
758 |
+ list_add(&match->list, &fanout_list); |
759 |
+ } |
760 |
+ err = -EINVAL; |
761 |
+@@ -1708,36 +1717,40 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) |
762 |
+ } |
763 |
+ } |
764 |
+ out: |
765 |
+- mutex_unlock(&fanout_mutex); |
766 |
+- if (err) { |
767 |
+- kfree(po->rollover); |
768 |
++ if (err && rollover) { |
769 |
++ kfree(rollover); |
770 |
+ po->rollover = NULL; |
771 |
+ } |
772 |
++ mutex_unlock(&fanout_mutex); |
773 |
+ return err; |
774 |
+ } |
775 |
+ |
776 |
+-static void fanout_release(struct sock *sk) |
777 |
++/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes |
778 |
++ * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout. |
779 |
++ * It is the responsibility of the caller to call fanout_release_data() and |
780 |
++ * free the returned packet_fanout (after synchronize_net()) |
781 |
++ */ |
782 |
++static struct packet_fanout *fanout_release(struct sock *sk) |
783 |
+ { |
784 |
+ struct packet_sock *po = pkt_sk(sk); |
785 |
+ struct packet_fanout *f; |
786 |
+ |
787 |
++ mutex_lock(&fanout_mutex); |
788 |
+ f = po->fanout; |
789 |
+- if (!f) |
790 |
+- return; |
791 |
++ if (f) { |
792 |
++ po->fanout = NULL; |
793 |
+ |
794 |
+- mutex_lock(&fanout_mutex); |
795 |
+- po->fanout = NULL; |
796 |
++ if (atomic_dec_and_test(&f->sk_ref)) |
797 |
++ list_del(&f->list); |
798 |
++ else |
799 |
++ f = NULL; |
800 |
+ |
801 |
+- if (atomic_dec_and_test(&f->sk_ref)) { |
802 |
+- list_del(&f->list); |
803 |
+- dev_remove_pack(&f->prot_hook); |
804 |
+- fanout_release_data(f); |
805 |
+- kfree(f); |
806 |
++ if (po->rollover) |
807 |
++ kfree_rcu(po->rollover, rcu); |
808 |
+ } |
809 |
+ mutex_unlock(&fanout_mutex); |
810 |
+ |
811 |
+- if (po->rollover) |
812 |
+- kfree_rcu(po->rollover, rcu); |
813 |
++ return f; |
814 |
+ } |
815 |
+ |
816 |
+ static bool packet_extra_vlan_len_allowed(const struct net_device *dev, |
817 |
+@@ -2846,6 +2859,7 @@ static int packet_release(struct socket *sock) |
818 |
+ { |
819 |
+ struct sock *sk = sock->sk; |
820 |
+ struct packet_sock *po; |
821 |
++ struct packet_fanout *f; |
822 |
+ struct net *net; |
823 |
+ union tpacket_req_u req_u; |
824 |
+ |
825 |
+@@ -2885,9 +2899,14 @@ static int packet_release(struct socket *sock) |
826 |
+ packet_set_ring(sk, &req_u, 1, 1); |
827 |
+ } |
828 |
+ |
829 |
+- fanout_release(sk); |
830 |
++ f = fanout_release(sk); |
831 |
+ |
832 |
+ synchronize_net(); |
833 |
++ |
834 |
++ if (f) { |
835 |
++ fanout_release_data(f); |
836 |
++ kfree(f); |
837 |
++ } |
838 |
+ /* |
839 |
+ * Now the socket is dead. No more input will appear. |
840 |
+ */ |
841 |
+@@ -3861,7 +3880,6 @@ static int packet_notifier(struct notifier_block *this, |
842 |
+ } |
843 |
+ if (msg == NETDEV_UNREGISTER) { |
844 |
+ packet_cached_dev_reset(po); |
845 |
+- fanout_release(sk); |
846 |
+ po->ifindex = -1; |
847 |
+ if (po->prot_hook.dev) |
848 |
+ dev_put(po->prot_hook.dev); |
849 |
+diff --git a/net/socket.c b/net/socket.c |
850 |
+index 0090225eeb1e..fbfa9d2492cf 100644 |
851 |
+--- a/net/socket.c |
852 |
++++ b/net/socket.c |
853 |
+@@ -2185,8 +2185,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, |
854 |
+ return err; |
855 |
+ |
856 |
+ err = sock_error(sock->sk); |
857 |
+- if (err) |
858 |
++ if (err) { |
859 |
++ datagrams = err; |
860 |
+ goto out_put; |
861 |
++ } |
862 |
+ |
863 |
+ entry = mmsg; |
864 |
+ compat_entry = (struct compat_mmsghdr __user *)mmsg; |
865 |
|
866 |
diff --git a/1520_CVE-2017-6074-dccp-skb-freeing-fix.patch b/1520_CVE-2017-6074-dccp-skb-freeing-fix.patch |
867 |
deleted file mode 100644 |
868 |
index 433fd4b..0000000 |
869 |
--- a/1520_CVE-2017-6074-dccp-skb-freeing-fix.patch |
870 |
+++ /dev/null |
871 |
@@ -1,47 +0,0 @@ |
872 |
-From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 |
873 |
-From: Andrey Konovalov <andreyknvl@××××××.com> |
874 |
-Date: Thu, 16 Feb 2017 17:22:46 +0100 |
875 |
-Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO |
876 |
- |
877 |
-In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet |
878 |
-is forcibly freed via __kfree_skb in dccp_rcv_state_process if |
879 |
-dccp_v6_conn_request successfully returns. |
880 |
- |
881 |
-However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb |
882 |
-is saved to ireq->pktopts and the ref count for skb is incremented in |
883 |
-dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed |
884 |
-in dccp_rcv_state_process. |
885 |
- |
886 |
-Fix by calling consume_skb instead of doing goto discard and therefore |
887 |
-calling __kfree_skb. |
888 |
- |
889 |
-Similar fixes for TCP: |
890 |
- |
891 |
-fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. |
892 |
-0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now |
893 |
-simply consumed |
894 |
- |
895 |
-Signed-off-by: Andrey Konovalov <andreyknvl@××××××.com> |
896 |
-Acked-by: Eric Dumazet <edumazet@××××××.com> |
897 |
-Signed-off-by: David S. Miller <davem@×××××××××.net> |
898 |
---- |
899 |
- net/dccp/input.c | 3 ++- |
900 |
- 1 file changed, 2 insertions(+), 1 deletion(-) |
901 |
- |
902 |
-diff --git a/net/dccp/input.c b/net/dccp/input.c |
903 |
-index ba34718..8fedc2d 100644 |
904 |
---- a/net/dccp/input.c |
905 |
-+++ b/net/dccp/input.c |
906 |
-@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, |
907 |
- if (inet_csk(sk)->icsk_af_ops->conn_request(sk, |
908 |
- skb) < 0) |
909 |
- return 1; |
910 |
-- goto discard; |
911 |
-+ consume_skb(skb); |
912 |
-+ return 0; |
913 |
- } |
914 |
- if (dh->dccph_type == DCCP_PKT_RESET) |
915 |
- goto discard; |
916 |
--- |
917 |
-cgit v0.12 |
918 |
- |