Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Sun, 26 Feb 2017 20:45:24
Message-Id: 1488141907.f0aebc3668307cc523caedc3499d401990fcacbc.mpagano@gentoo
1 commit: f0aebc3668307cc523caedc3499d401990fcacbc
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Feb 26 20:45:07 2017 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 26 20:45:07 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=f0aebc36
7
8 Linux patch 4.4.52. Removal of redundant patch.
9
10 0000_README | 8 +-
11 1051_linux-4.4.52.patch | 817 ++++++++++++++++++++++++++
12 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch | 47 --
13 3 files changed, 821 insertions(+), 51 deletions(-)
14
15 diff --git a/0000_README b/0000_README
16 index 0bee2eb..747896b 100644
17 --- a/0000_README
18 +++ b/0000_README
19 @@ -247,6 +247,10 @@ Patch: 1050_linux-4.4.51.patch
20 From: http://www.kernel.org
21 Desc: Linux 4.4.51
22
23 +Patch: 1051_linux-4.4.52.patch
24 +From: http://www.kernel.org
25 +Desc: Linux 4.4.52
26 +
27 Patch: 1500_XATTR_USER_PREFIX.patch
28 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
29 Desc: Support for namespace user.pax.* on tmpfs.
30 @@ -255,10 +259,6 @@ Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
31 From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
32 Desc: Enable link security restrictions by default.
33
34 -Patch: 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch
35 -From: https://bugs.gentoo.org/show_bug.cgi?id=610600
36 -Desc: dccp: fix freeing skb too early for IPV6_RECVPKTINFO. CVE-2017-6074
37 -
38 Patch: 1900_xfs-fix-suspend-to-memory.patch
39 From: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/fs/xfs/xfs_trans_ail.c?id=18f1df4e00cea2eae41f3e5515b94d1e7127b2b6
40 Desc: xfs: Make xfsaild freezeable again. See bug #575034.
41
42 diff --git a/1051_linux-4.4.52.patch b/1051_linux-4.4.52.patch
43 new file mode 100644
44 index 0000000..63d6ed7
45 --- /dev/null
46 +++ b/1051_linux-4.4.52.patch
47 @@ -0,0 +1,817 @@
48 +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
49 +index c360f80c3473..ca64ca566099 100644
50 +--- a/Documentation/kernel-parameters.txt
51 ++++ b/Documentation/kernel-parameters.txt
52 +@@ -1255,6 +1255,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
53 + When zero, profiling data is discarded and associated
54 + debugfs files are removed at module unload time.
55 +
56 ++ goldfish [X86] Enable the goldfish android emulator platform.
57 ++ Don't use this when you are not running on the
58 ++ android emulator
59 ++
60 + gpt [EFI] Forces disk with valid GPT signature but
61 + invalid Protective MBR to be treated as GPT. If the
62 + primary GPT is corrupted, it enables the backup/alternate
63 +diff --git a/Makefile b/Makefile
64 +index 117357188f01..671e183bd507 100644
65 +--- a/Makefile
66 ++++ b/Makefile
67 +@@ -1,6 +1,6 @@
68 + VERSION = 4
69 + PATCHLEVEL = 4
70 +-SUBLEVEL = 51
71 ++SUBLEVEL = 52
72 + EXTRAVERSION =
73 + NAME = Blurry Fish Butt
74 +
75 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
76 +index bb620df05d0d..64f60a48def1 100644
77 +--- a/arch/x86/kvm/vmx.c
78 ++++ b/arch/x86/kvm/vmx.c
79 +@@ -4867,6 +4867,12 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
80 + if (vmx_xsaves_supported())
81 + vmcs_write64(XSS_EXIT_BITMAP, VMX_XSS_EXIT_BITMAP);
82 +
83 ++ if (enable_pml) {
84 ++ ASSERT(vmx->pml_pg);
85 ++ vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg));
86 ++ vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1);
87 ++ }
88 ++
89 + return 0;
90 + }
91 +
92 +@@ -7839,22 +7845,6 @@ static void vmx_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2)
93 + *info2 = vmcs_read32(VM_EXIT_INTR_INFO);
94 + }
95 +
96 +-static int vmx_create_pml_buffer(struct vcpu_vmx *vmx)
97 +-{
98 +- struct page *pml_pg;
99 +-
100 +- pml_pg = alloc_page(GFP_KERNEL | __GFP_ZERO);
101 +- if (!pml_pg)
102 +- return -ENOMEM;
103 +-
104 +- vmx->pml_pg = pml_pg;
105 +-
106 +- vmcs_write64(PML_ADDRESS, page_to_phys(vmx->pml_pg));
107 +- vmcs_write16(GUEST_PML_INDEX, PML_ENTITY_NUM - 1);
108 +-
109 +- return 0;
110 +-}
111 +-
112 + static void vmx_destroy_pml_buffer(struct vcpu_vmx *vmx)
113 + {
114 + if (vmx->pml_pg) {
115 +@@ -8789,14 +8779,26 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
116 + if (err)
117 + goto free_vcpu;
118 +
119 ++ err = -ENOMEM;
120 ++
121 ++ /*
122 ++ * If PML is turned on, failure on enabling PML just results in failure
123 ++ * of creating the vcpu, therefore we can simplify PML logic (by
124 ++ * avoiding dealing with cases, such as enabling PML partially on vcpus
125 ++ * for the guest, etc.
126 ++ */
127 ++ if (enable_pml) {
128 ++ vmx->pml_pg = alloc_page(GFP_KERNEL | __GFP_ZERO);
129 ++ if (!vmx->pml_pg)
130 ++ goto uninit_vcpu;
131 ++ }
132 ++
133 + vmx->guest_msrs = kmalloc(PAGE_SIZE, GFP_KERNEL);
134 + BUILD_BUG_ON(ARRAY_SIZE(vmx_msr_index) * sizeof(vmx->guest_msrs[0])
135 + > PAGE_SIZE);
136 +
137 +- err = -ENOMEM;
138 +- if (!vmx->guest_msrs) {
139 +- goto uninit_vcpu;
140 +- }
141 ++ if (!vmx->guest_msrs)
142 ++ goto free_pml;
143 +
144 + vmx->loaded_vmcs = &vmx->vmcs01;
145 + vmx->loaded_vmcs->vmcs = alloc_vmcs();
146 +@@ -8840,18 +8842,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
147 + vmx->nested.current_vmptr = -1ull;
148 + vmx->nested.current_vmcs12 = NULL;
149 +
150 +- /*
151 +- * If PML is turned on, failure on enabling PML just results in failure
152 +- * of creating the vcpu, therefore we can simplify PML logic (by
153 +- * avoiding dealing with cases, such as enabling PML partially on vcpus
154 +- * for the guest, etc.
155 +- */
156 +- if (enable_pml) {
157 +- err = vmx_create_pml_buffer(vmx);
158 +- if (err)
159 +- goto free_vmcs;
160 +- }
161 +-
162 + return &vmx->vcpu;
163 +
164 + free_vmcs:
165 +@@ -8859,6 +8849,8 @@ free_vmcs:
166 + free_loaded_vmcs(vmx->loaded_vmcs);
167 + free_msrs:
168 + kfree(vmx->guest_msrs);
169 ++free_pml:
170 ++ vmx_destroy_pml_buffer(vmx);
171 + uninit_vcpu:
172 + kvm_vcpu_uninit(&vmx->vcpu);
173 + free_vcpu:
174 +diff --git a/arch/x86/platform/goldfish/goldfish.c b/arch/x86/platform/goldfish/goldfish.c
175 +index 1693107a518e..0d17c0aafeb1 100644
176 +--- a/arch/x86/platform/goldfish/goldfish.c
177 ++++ b/arch/x86/platform/goldfish/goldfish.c
178 +@@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus_resources[] = {
179 + }
180 + };
181 +
182 ++static bool goldfish_enable __initdata;
183 ++
184 ++static int __init goldfish_setup(char *str)
185 ++{
186 ++ goldfish_enable = true;
187 ++ return 0;
188 ++}
189 ++__setup("goldfish", goldfish_setup);
190 ++
191 + static int __init goldfish_init(void)
192 + {
193 ++ if (!goldfish_enable)
194 ++ return -ENODEV;
195 ++
196 + platform_device_register_simple("goldfish_pdev_bus", -1,
197 +- goldfish_pdev_bus_resources, 2);
198 ++ goldfish_pdev_bus_resources, 2);
199 + return 0;
200 + }
201 + device_initcall(goldfish_init);
202 +diff --git a/block/blk-mq.c b/block/blk-mq.c
203 +index 6cfc6b200366..d8d63c38bf29 100644
204 +--- a/block/blk-mq.c
205 ++++ b/block/blk-mq.c
206 +@@ -1259,12 +1259,9 @@ static blk_qc_t blk_mq_make_request(struct request_queue *q, struct bio *bio)
207 +
208 + blk_queue_split(q, &bio, q->bio_split);
209 +
210 +- if (!is_flush_fua && !blk_queue_nomerges(q)) {
211 +- if (blk_attempt_plug_merge(q, bio, &request_count,
212 +- &same_queue_rq))
213 +- return BLK_QC_T_NONE;
214 +- } else
215 +- request_count = blk_plug_queued_count(q);
216 ++ if (!is_flush_fua && !blk_queue_nomerges(q) &&
217 ++ blk_attempt_plug_merge(q, bio, &request_count, &same_queue_rq))
218 ++ return BLK_QC_T_NONE;
219 +
220 + rq = blk_mq_map_request(q, bio, &data);
221 + if (unlikely(!rq))
222 +@@ -1355,9 +1352,11 @@ static blk_qc_t blk_sq_make_request(struct request_queue *q, struct bio *bio)
223 +
224 + blk_queue_split(q, &bio, q->bio_split);
225 +
226 +- if (!is_flush_fua && !blk_queue_nomerges(q) &&
227 +- blk_attempt_plug_merge(q, bio, &request_count, NULL))
228 +- return BLK_QC_T_NONE;
229 ++ if (!is_flush_fua && !blk_queue_nomerges(q)) {
230 ++ if (blk_attempt_plug_merge(q, bio, &request_count, NULL))
231 ++ return BLK_QC_T_NONE;
232 ++ } else
233 ++ request_count = blk_plug_queued_count(q);
234 +
235 + rq = blk_mq_map_request(q, bio, &data);
236 + if (unlikely(!rq))
237 +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
238 +index aac1ed3f7bb4..ad8390d2997b 100644
239 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
240 ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
241 +@@ -834,12 +834,30 @@ static void rtl_usb_stop(struct ieee80211_hw *hw)
242 + struct rtl_priv *rtlpriv = rtl_priv(hw);
243 + struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
244 + struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
245 ++ struct urb *urb;
246 +
247 + /* should after adapter start and interrupt enable. */
248 + set_hal_stop(rtlhal);
249 + cancel_work_sync(&rtlpriv->works.fill_h2c_cmd);
250 + /* Enable software */
251 + SET_USB_STOP(rtlusb);
252 ++
253 ++ /* free pre-allocated URBs from rtl_usb_start() */
254 ++ usb_kill_anchored_urbs(&rtlusb->rx_submitted);
255 ++
256 ++ tasklet_kill(&rtlusb->rx_work_tasklet);
257 ++ cancel_work_sync(&rtlpriv->works.lps_change_work);
258 ++
259 ++ flush_workqueue(rtlpriv->works.rtl_wq);
260 ++
261 ++ skb_queue_purge(&rtlusb->rx_queue);
262 ++
263 ++ while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
264 ++ usb_free_coherent(urb->dev, urb->transfer_buffer_length,
265 ++ urb->transfer_buffer, urb->transfer_dma);
266 ++ usb_free_urb(urb);
267 ++ }
268 ++
269 + rtlpriv->cfg->ops->hw_disable(hw);
270 + }
271 +
272 +@@ -1073,6 +1091,7 @@ int rtl_usb_probe(struct usb_interface *intf,
273 + return -ENOMEM;
274 + }
275 + rtlpriv = hw->priv;
276 ++ rtlpriv->hw = hw;
277 + rtlpriv->usb_data = kzalloc(RTL_USB_MAX_RX_COUNT * sizeof(u32),
278 + GFP_KERNEL);
279 + if (!rtlpriv->usb_data)
280 +diff --git a/drivers/platform/goldfish/pdev_bus.c b/drivers/platform/goldfish/pdev_bus.c
281 +index 1f52462f4cdd..dd9ea463c2a4 100644
282 +--- a/drivers/platform/goldfish/pdev_bus.c
283 ++++ b/drivers/platform/goldfish/pdev_bus.c
284 +@@ -157,23 +157,26 @@ static int goldfish_new_pdev(void)
285 + static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id)
286 + {
287 + irqreturn_t ret = IRQ_NONE;
288 ++
289 + while (1) {
290 + u32 op = readl(pdev_bus_base + PDEV_BUS_OP);
291 +- switch (op) {
292 +- case PDEV_BUS_OP_DONE:
293 +- return IRQ_NONE;
294 +
295 ++ switch (op) {
296 + case PDEV_BUS_OP_REMOVE_DEV:
297 + goldfish_pdev_remove();
298 ++ ret = IRQ_HANDLED;
299 + break;
300 +
301 + case PDEV_BUS_OP_ADD_DEV:
302 + goldfish_new_pdev();
303 ++ ret = IRQ_HANDLED;
304 + break;
305 ++
306 ++ case PDEV_BUS_OP_DONE:
307 ++ default:
308 ++ return ret;
309 + }
310 +- ret = IRQ_HANDLED;
311 + }
312 +- return ret;
313 + }
314 +
315 + static int goldfish_pdev_bus_probe(struct platform_device *pdev)
316 +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
317 +index 5836751b8203..9bb934ed2a7a 100644
318 +--- a/drivers/rtc/interface.c
319 ++++ b/drivers/rtc/interface.c
320 +@@ -748,9 +748,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq);
321 + */
322 + static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer)
323 + {
324 ++ struct timerqueue_node *next = timerqueue_getnext(&rtc->timerqueue);
325 ++ struct rtc_time tm;
326 ++ ktime_t now;
327 ++
328 + timer->enabled = 1;
329 ++ __rtc_read_time(rtc, &tm);
330 ++ now = rtc_tm_to_ktime(tm);
331 ++
332 ++ /* Skip over expired timers */
333 ++ while (next) {
334 ++ if (next->expires.tv64 >= now.tv64)
335 ++ break;
336 ++ next = timerqueue_iterate_next(next);
337 ++ }
338 ++
339 + timerqueue_add(&rtc->timerqueue, &timer->node);
340 +- if (&timer->node == timerqueue_getnext(&rtc->timerqueue)) {
341 ++ if (!next) {
342 + struct rtc_wkalrm alarm;
343 + int err;
344 + alarm.time = rtc_ktime_to_tm(timer->node.expires);
345 +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
346 +index e1de4944e0ce..8c4707d5778e 100644
347 +--- a/drivers/tty/serial/msm_serial.c
348 ++++ b/drivers/tty/serial/msm_serial.c
349 +@@ -1615,6 +1615,7 @@ static const struct of_device_id msm_match_table[] = {
350 + { .compatible = "qcom,msm-uartdm" },
351 + {}
352 + };
353 ++MODULE_DEVICE_TABLE(of, msm_match_table);
354 +
355 + static struct platform_driver msm_platform_driver = {
356 + .remove = msm_serial_remove,
357 +diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c
358 +index 5a048b7b92e8..2949289bb3c5 100644
359 +--- a/drivers/usb/chipidea/ci_hdrc_imx.c
360 ++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
361 +@@ -244,7 +244,6 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
362 + struct ci_hdrc_platform_data pdata = {
363 + .name = dev_name(&pdev->dev),
364 + .capoffset = DEF_CAPOFFSET,
365 +- .flags = CI_HDRC_SET_NON_ZERO_TTHA,
366 + };
367 + int ret;
368 + const struct of_device_id *of_id;
369 +diff --git a/drivers/usb/serial/ark3116.c b/drivers/usb/serial/ark3116.c
370 +index 1532cde8a437..7812052dc700 100644
371 +--- a/drivers/usb/serial/ark3116.c
372 ++++ b/drivers/usb/serial/ark3116.c
373 +@@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_serial *serial,
374 + usb_rcvctrlpipe(serial->dev, 0),
375 + 0xfe, 0xc0, 0, reg,
376 + buf, 1, ARK_TIMEOUT);
377 +- if (result < 0)
378 ++ if (result < 1) {
379 ++ dev_err(&serial->interface->dev,
380 ++ "failed to read register %u: %d\n",
381 ++ reg, result);
382 ++ if (result >= 0)
383 ++ result = -EIO;
384 ++
385 + return result;
386 +- else
387 +- return buf[0];
388 ++ }
389 ++
390 ++ return buf[0];
391 + }
392 +
393 + static inline int calc_divisor(int bps)
394 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
395 +index fe7452f0f38a..33cec50978b8 100644
396 +--- a/drivers/usb/serial/cp210x.c
397 ++++ b/drivers/usb/serial/cp210x.c
398 +@@ -171,6 +171,8 @@ static const struct usb_device_id id_table[] = {
399 + { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
400 + { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
401 + { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
402 ++ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */
403 ++ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */
404 + { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
405 + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
406 + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
407 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
408 +index d3d6ec455151..19a98116c2ab 100644
409 +--- a/drivers/usb/serial/ftdi_sio.c
410 ++++ b/drivers/usb/serial/ftdi_sio.c
411 +@@ -1807,8 +1807,6 @@ static int ftdi_sio_port_probe(struct usb_serial_port *port)
412 +
413 + mutex_init(&priv->cfg_lock);
414 +
415 +- priv->flags = ASYNC_LOW_LATENCY;
416 +-
417 + if (quirk && quirk->port_probe)
418 + quirk->port_probe(priv);
419 +
420 +@@ -2072,6 +2070,20 @@ static int ftdi_process_packet(struct usb_serial_port *port,
421 + priv->prev_status = status;
422 + }
423 +
424 ++ /* save if the transmitter is empty or not */
425 ++ if (packet[1] & FTDI_RS_TEMT)
426 ++ priv->transmit_empty = 1;
427 ++ else
428 ++ priv->transmit_empty = 0;
429 ++
430 ++ len -= 2;
431 ++ if (!len)
432 ++ return 0; /* status only */
433 ++
434 ++ /*
435 ++ * Break and error status must only be processed for packets with
436 ++ * data payload to avoid over-reporting.
437 ++ */
438 + flag = TTY_NORMAL;
439 + if (packet[1] & FTDI_RS_ERR_MASK) {
440 + /* Break takes precedence over parity, which takes precedence
441 +@@ -2094,15 +2106,6 @@ static int ftdi_process_packet(struct usb_serial_port *port,
442 + }
443 + }
444 +
445 +- /* save if the transmitter is empty or not */
446 +- if (packet[1] & FTDI_RS_TEMT)
447 +- priv->transmit_empty = 1;
448 +- else
449 +- priv->transmit_empty = 0;
450 +-
451 +- len -= 2;
452 +- if (!len)
453 +- return 0; /* status only */
454 + port->icount.rx += len;
455 + ch = packet + 2;
456 +
457 +@@ -2433,8 +2436,12 @@ static int ftdi_get_modem_status(struct usb_serial_port *port,
458 + FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE,
459 + 0, priv->interface,
460 + buf, len, WDR_TIMEOUT);
461 +- if (ret < 0) {
462 ++
463 ++ /* NOTE: We allow short responses and handle that below. */
464 ++ if (ret < 1) {
465 + dev_err(&port->dev, "failed to get modem status: %d\n", ret);
466 ++ if (ret >= 0)
467 ++ ret = -EIO;
468 + ret = usb_translate_errors(ret);
469 + goto out;
470 + }
471 +diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
472 +index 97ea52b5cfd4..d17685cc00c9 100644
473 +--- a/drivers/usb/serial/mos7840.c
474 ++++ b/drivers/usb/serial/mos7840.c
475 +@@ -1024,6 +1024,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
476 + * (can't set it up in mos7840_startup as the structures *
477 + * were not set up at that time.) */
478 + if (port0->open_ports == 1) {
479 ++ /* FIXME: Buffer never NULL, so URB is not submitted. */
480 + if (serial->port[0]->interrupt_in_buffer == NULL) {
481 + /* set up interrupt urb */
482 + usb_fill_int_urb(serial->port[0]->interrupt_in_urb,
483 +@@ -2119,7 +2120,8 @@ static int mos7840_calc_num_ports(struct usb_serial *serial)
484 + static int mos7840_attach(struct usb_serial *serial)
485 + {
486 + if (serial->num_bulk_in < serial->num_ports ||
487 +- serial->num_bulk_out < serial->num_ports) {
488 ++ serial->num_bulk_out < serial->num_ports ||
489 ++ serial->num_interrupt_in < 1) {
490 + dev_err(&serial->interface->dev, "missing endpoints\n");
491 + return -ENODEV;
492 + }
493 +diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
494 +index 4b7bfb394a32..64bf258e7e00 100644
495 +--- a/drivers/usb/serial/opticon.c
496 ++++ b/drivers/usb/serial/opticon.c
497 +@@ -142,7 +142,7 @@ static int opticon_open(struct tty_struct *tty, struct usb_serial_port *port)
498 + usb_clear_halt(port->serial->dev, port->read_urb->pipe);
499 +
500 + res = usb_serial_generic_open(tty, port);
501 +- if (!res)
502 ++ if (res)
503 + return res;
504 +
505 + /* Request CTS line state, sometimes during opening the current
506 +diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
507 +index 475e6c31b266..ddfd787c461c 100644
508 +--- a/drivers/usb/serial/spcp8x5.c
509 ++++ b/drivers/usb/serial/spcp8x5.c
510 +@@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_serial_port *port, u8 *status)
511 + ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
512 + GET_UART_STATUS, GET_UART_STATUS_TYPE,
513 + 0, GET_UART_STATUS_MSR, buf, 1, 100);
514 +- if (ret < 0)
515 ++ if (ret < 1) {
516 + dev_err(&port->dev, "failed to get modem status: %d\n", ret);
517 ++ if (ret >= 0)
518 ++ ret = -EIO;
519 ++ goto out;
520 ++ }
521 +
522 + dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf);
523 + *status = *buf;
524 ++ ret = 0;
525 ++out:
526 + kfree(buf);
527 +
528 + return ret;
529 +diff --git a/mm/backing-dev.c b/mm/backing-dev.c
530 +index 9ef80bf441b3..a988d4ef39da 100644
531 +--- a/mm/backing-dev.c
532 ++++ b/mm/backing-dev.c
533 +@@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_dev_info *bdi)
534 + if (!bdi->wb_congested)
535 + return -ENOMEM;
536 +
537 ++ atomic_set(&bdi->wb_congested->refcnt, 1);
538 ++
539 + err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
540 + if (err) {
541 +- kfree(bdi->wb_congested);
542 ++ wb_congested_put(bdi->wb_congested);
543 + return err;
544 + }
545 + return 0;
546 + }
547 +
548 +-static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { }
549 ++static void cgwb_bdi_destroy(struct backing_dev_info *bdi)
550 ++{
551 ++ wb_congested_put(bdi->wb_congested);
552 ++}
553 +
554 + #endif /* CONFIG_CGROUP_WRITEBACK */
555 +
556 +diff --git a/net/dccp/input.c b/net/dccp/input.c
557 +index 3bd14e885396..dbe2573f6ba1 100644
558 +--- a/net/dccp/input.c
559 ++++ b/net/dccp/input.c
560 +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
561 + if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
562 + skb) < 0)
563 + return 1;
564 +- goto discard;
565 ++ consume_skb(skb);
566 ++ return 0;
567 + }
568 + if (dh->dccph_type == DCCP_PKT_RESET)
569 + goto discard;
570 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
571 +index bc14c5bb124b..f300d1cbfa91 100644
572 +--- a/net/ipv4/ip_sockglue.c
573 ++++ b/net/ipv4/ip_sockglue.c
574 +@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
575 + if (skb->ip_summed != CHECKSUM_COMPLETE)
576 + return;
577 +
578 +- if (offset != 0)
579 +- csum = csum_sub(csum,
580 +- csum_partial(skb->data + tlen,
581 +- offset, 0));
582 ++ if (offset != 0) {
583 ++ int tend_off = skb_transport_offset(skb) + tlen;
584 ++ csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
585 ++ }
586 +
587 + put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
588 + }
589 +diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
590 +index acbe61c7e683..160dc89335e2 100644
591 +--- a/net/irda/irqueue.c
592 ++++ b/net/irda/irqueue.c
593 +@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
594 + * for deallocating this structure if it's complex. If not the user can
595 + * just supply kfree, which should take care of the job.
596 + */
597 +-#ifdef CONFIG_LOCKDEP
598 +-static int hashbin_lock_depth = 0;
599 +-#endif
600 + int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
601 + {
602 + irda_queue_t* queue;
603 +@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
604 + IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
605 +
606 + /* Synchronize */
607 +- if ( hashbin->hb_type & HB_LOCK ) {
608 +- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
609 +- hashbin_lock_depth++);
610 +- }
611 ++ if (hashbin->hb_type & HB_LOCK)
612 ++ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
613 +
614 + /*
615 + * Free the entries in the hashbin, TODO: use hashbin_clear when
616 + * it has been shown to work
617 + */
618 + for (i = 0; i < HASHBIN_SIZE; i ++ ) {
619 +- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
620 +- while (queue ) {
621 +- if (free_func)
622 +- (*free_func)(queue);
623 +- queue = dequeue_first(
624 +- (irda_queue_t**) &hashbin->hb_queue[i]);
625 ++ while (1) {
626 ++ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
627 ++
628 ++ if (!queue)
629 ++ break;
630 ++
631 ++ if (free_func) {
632 ++ if (hashbin->hb_type & HB_LOCK)
633 ++ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
634 ++ free_func(queue);
635 ++ if (hashbin->hb_type & HB_LOCK)
636 ++ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
637 ++ }
638 + }
639 + }
640 +
641 +@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
642 + hashbin->magic = ~HB_MAGIC;
643 +
644 + /* Release lock */
645 +- if ( hashbin->hb_type & HB_LOCK) {
646 ++ if (hashbin->hb_type & HB_LOCK)
647 + spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
648 +-#ifdef CONFIG_LOCKDEP
649 +- hashbin_lock_depth--;
650 +-#endif
651 +- }
652 +
653 + /*
654 + * Free the hashbin structure
655 +diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
656 +index 3e821daf9dd4..8bc5a1bd2d45 100644
657 +--- a/net/llc/llc_conn.c
658 ++++ b/net/llc/llc_conn.c
659 +@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
660 + * another trick required to cope with how the PROCOM state
661 + * machine works. -acme
662 + */
663 ++ skb_orphan(skb);
664 ++ sock_hold(sk);
665 + skb->sk = sk;
666 ++ skb->destructor = sock_efree;
667 + }
668 + if (!sock_owned_by_user(sk))
669 + llc_conn_rcv(sk, skb);
670 +diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
671 +index d0e1e804ebd7..5404d0d195cc 100644
672 +--- a/net/llc/llc_sap.c
673 ++++ b/net/llc/llc_sap.c
674 +@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
675 +
676 + ev->type = LLC_SAP_EV_TYPE_PDU;
677 + ev->reason = 0;
678 ++ skb_orphan(skb);
679 ++ sock_hold(sk);
680 + skb->sk = sk;
681 ++ skb->destructor = sock_efree;
682 + llc_sap_state_process(sap, skb);
683 + }
684 +
685 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
686 +index f2d28ed74a0a..d805cd577a60 100644
687 +--- a/net/packet/af_packet.c
688 ++++ b/net/packet/af_packet.c
689 +@@ -1497,6 +1497,8 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po)
690 + f->arr[f->num_members] = sk;
691 + smp_wmb();
692 + f->num_members++;
693 ++ if (f->num_members == 1)
694 ++ dev_add_pack(&f->prot_hook);
695 + spin_unlock(&f->lock);
696 + }
697 +
698 +@@ -1513,6 +1515,8 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
699 + BUG_ON(i >= f->num_members);
700 + f->arr[i] = f->arr[f->num_members - 1];
701 + f->num_members--;
702 ++ if (f->num_members == 0)
703 ++ __dev_remove_pack(&f->prot_hook);
704 + spin_unlock(&f->lock);
705 + }
706 +
707 +@@ -1623,6 +1627,7 @@ static void fanout_release_data(struct packet_fanout *f)
708 +
709 + static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
710 + {
711 ++ struct packet_rollover *rollover = NULL;
712 + struct packet_sock *po = pkt_sk(sk);
713 + struct packet_fanout *f, *match;
714 + u8 type = type_flags & 0xff;
715 +@@ -1645,23 +1650,28 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
716 + return -EINVAL;
717 + }
718 +
719 ++ mutex_lock(&fanout_mutex);
720 ++
721 ++ err = -EINVAL;
722 + if (!po->running)
723 +- return -EINVAL;
724 ++ goto out;
725 +
726 ++ err = -EALREADY;
727 + if (po->fanout)
728 +- return -EALREADY;
729 ++ goto out;
730 +
731 + if (type == PACKET_FANOUT_ROLLOVER ||
732 + (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) {
733 +- po->rollover = kzalloc(sizeof(*po->rollover), GFP_KERNEL);
734 +- if (!po->rollover)
735 +- return -ENOMEM;
736 +- atomic_long_set(&po->rollover->num, 0);
737 +- atomic_long_set(&po->rollover->num_huge, 0);
738 +- atomic_long_set(&po->rollover->num_failed, 0);
739 ++ err = -ENOMEM;
740 ++ rollover = kzalloc(sizeof(*rollover), GFP_KERNEL);
741 ++ if (!rollover)
742 ++ goto out;
743 ++ atomic_long_set(&rollover->num, 0);
744 ++ atomic_long_set(&rollover->num_huge, 0);
745 ++ atomic_long_set(&rollover->num_failed, 0);
746 ++ po->rollover = rollover;
747 + }
748 +
749 +- mutex_lock(&fanout_mutex);
750 + match = NULL;
751 + list_for_each_entry(f, &fanout_list, list) {
752 + if (f->id == id &&
753 +@@ -1691,7 +1701,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
754 + match->prot_hook.func = packet_rcv_fanout;
755 + match->prot_hook.af_packet_priv = match;
756 + match->prot_hook.id_match = match_fanout_group;
757 +- dev_add_pack(&match->prot_hook);
758 + list_add(&match->list, &fanout_list);
759 + }
760 + err = -EINVAL;
761 +@@ -1708,36 +1717,40 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
762 + }
763 + }
764 + out:
765 +- mutex_unlock(&fanout_mutex);
766 +- if (err) {
767 +- kfree(po->rollover);
768 ++ if (err && rollover) {
769 ++ kfree(rollover);
770 + po->rollover = NULL;
771 + }
772 ++ mutex_unlock(&fanout_mutex);
773 + return err;
774 + }
775 +
776 +-static void fanout_release(struct sock *sk)
777 ++/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes
778 ++ * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout.
779 ++ * It is the responsibility of the caller to call fanout_release_data() and
780 ++ * free the returned packet_fanout (after synchronize_net())
781 ++ */
782 ++static struct packet_fanout *fanout_release(struct sock *sk)
783 + {
784 + struct packet_sock *po = pkt_sk(sk);
785 + struct packet_fanout *f;
786 +
787 ++ mutex_lock(&fanout_mutex);
788 + f = po->fanout;
789 +- if (!f)
790 +- return;
791 ++ if (f) {
792 ++ po->fanout = NULL;
793 +
794 +- mutex_lock(&fanout_mutex);
795 +- po->fanout = NULL;
796 ++ if (atomic_dec_and_test(&f->sk_ref))
797 ++ list_del(&f->list);
798 ++ else
799 ++ f = NULL;
800 +
801 +- if (atomic_dec_and_test(&f->sk_ref)) {
802 +- list_del(&f->list);
803 +- dev_remove_pack(&f->prot_hook);
804 +- fanout_release_data(f);
805 +- kfree(f);
806 ++ if (po->rollover)
807 ++ kfree_rcu(po->rollover, rcu);
808 + }
809 + mutex_unlock(&fanout_mutex);
810 +
811 +- if (po->rollover)
812 +- kfree_rcu(po->rollover, rcu);
813 ++ return f;
814 + }
815 +
816 + static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
817 +@@ -2846,6 +2859,7 @@ static int packet_release(struct socket *sock)
818 + {
819 + struct sock *sk = sock->sk;
820 + struct packet_sock *po;
821 ++ struct packet_fanout *f;
822 + struct net *net;
823 + union tpacket_req_u req_u;
824 +
825 +@@ -2885,9 +2899,14 @@ static int packet_release(struct socket *sock)
826 + packet_set_ring(sk, &req_u, 1, 1);
827 + }
828 +
829 +- fanout_release(sk);
830 ++ f = fanout_release(sk);
831 +
832 + synchronize_net();
833 ++
834 ++ if (f) {
835 ++ fanout_release_data(f);
836 ++ kfree(f);
837 ++ }
838 + /*
839 + * Now the socket is dead. No more input will appear.
840 + */
841 +@@ -3861,7 +3880,6 @@ static int packet_notifier(struct notifier_block *this,
842 + }
843 + if (msg == NETDEV_UNREGISTER) {
844 + packet_cached_dev_reset(po);
845 +- fanout_release(sk);
846 + po->ifindex = -1;
847 + if (po->prot_hook.dev)
848 + dev_put(po->prot_hook.dev);
849 +diff --git a/net/socket.c b/net/socket.c
850 +index 0090225eeb1e..fbfa9d2492cf 100644
851 +--- a/net/socket.c
852 ++++ b/net/socket.c
853 +@@ -2185,8 +2185,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
854 + return err;
855 +
856 + err = sock_error(sock->sk);
857 +- if (err)
858 ++ if (err) {
859 ++ datagrams = err;
860 + goto out_put;
861 ++ }
862 +
863 + entry = mmsg;
864 + compat_entry = (struct compat_mmsghdr __user *)mmsg;
865
866 diff --git a/1520_CVE-2017-6074-dccp-skb-freeing-fix.patch b/1520_CVE-2017-6074-dccp-skb-freeing-fix.patch
867 deleted file mode 100644
868 index 433fd4b..0000000
869 --- a/1520_CVE-2017-6074-dccp-skb-freeing-fix.patch
870 +++ /dev/null
871 @@ -1,47 +0,0 @@
872 -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
873 -From: Andrey Konovalov <andreyknvl@××××××.com>
874 -Date: Thu, 16 Feb 2017 17:22:46 +0100
875 -Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
876 -
877 -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
878 -is forcibly freed via __kfree_skb in dccp_rcv_state_process if
879 -dccp_v6_conn_request successfully returns.
880 -
881 -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
882 -is saved to ireq->pktopts and the ref count for skb is incremented in
883 -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
884 -in dccp_rcv_state_process.
885 -
886 -Fix by calling consume_skb instead of doing goto discard and therefore
887 -calling __kfree_skb.
888 -
889 -Similar fixes for TCP:
890 -
891 -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
892 -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
893 -simply consumed
894 -
895 -Signed-off-by: Andrey Konovalov <andreyknvl@××××××.com>
896 -Acked-by: Eric Dumazet <edumazet@××××××.com>
897 -Signed-off-by: David S. Miller <davem@×××××××××.net>
898 ----
899 - net/dccp/input.c | 3 ++-
900 - 1 file changed, 2 insertions(+), 1 deletion(-)
901 -
902 -diff --git a/net/dccp/input.c b/net/dccp/input.c
903 -index ba34718..8fedc2d 100644
904 ---- a/net/dccp/input.c
905 -+++ b/net/dccp/input.c
906 -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
907 - if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
908 - skb) < 0)
909 - return 1;
910 -- goto discard;
911 -+ consume_skb(skb);
912 -+ return 0;
913 - }
914 - if (dh->dccph_type == DCCP_PKT_RESET)
915 - goto discard;
916 ---
917 -cgit v0.12
918 -
Report Message
Find on MARC Find on Google Groups