21345a3... by Willem de Bruijn <email address hidden>
packet: fix tp_reserve race in packet_set_ring
Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.
This bug was discovered by syzkaller.
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <email address hidden>
Signed-off-by: Willem de Bruijn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit c27927e372f0785f3303e8fad94b85945e2c97b7
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git)
CVE-2017-1000111
Signed-off-by: Seth Forshee <email address hidden>
83b7474... by Willem de Bruijn <email address hidden>
udp: consistently apply ufo or fragmentation
When iteratively building a UDP datagram with MSG_MORE and that
datagram exceeds MTU, consistently choose UFO or fragmentation.
Once skb_is_gso, always apply ufo. Conversely, once a datagram is
split across multiple skbs, do not consider ufo.
Sendpage already maintains the first invariant; only add the second.
IPv6 does not have a sendpage implementation to modify.
A gso skb must have a partial checksum, so do not follow sk_no_check_tx
in udp_send_skb.
Found by syzkaller.
Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Reported-by: Andrey Konovalov <email address hidden>
Signed-off-by: Willem de Bruijn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git)
CVE-2017-1000112
Signed-off-by: Seth Forshee <email address hidden>
UBUNTU: SAUCE: powerpc: Always initialize input array when calling epapr_hypercall()
Several callers of epapr_hypercall() pass an uninitialized stack-
allocated array for the input arguments, presumably because they
have no input arguments. However, this can produce errors like
this one:
arch/powerpc/include/asm/epapr_hcalls.h:470:42: error: 'in' may be used uninitialized in this function [-Werror=maybe-uninitialized]
  unsigned long register r3 asm("r3") = in[0];
                                        ~~^~~
Fix callers of this function to always zero-initialize the input
arguments array to prevent this.
UBUNTU: SAUCE: aufs -- Add missing argument to loop_switch() call
The aufs patches add an argument to loop_switch(), but an
additional call to this function was added since the patches were
last updated. This causes an FTBFS:
drivers/block/loop.c: In function 'loop_flush':
drivers/block/loop.c:624:9: error: too few arguments to function 'loop_switch'
  return loop_switch(lo, NULL);
         ^~~~~~~~~~~
drivers/block/loop.c:596:12: note: declared here
 static int loop_switch(struct loop_device *lo, struct file *file,
            ^~~~~~~~~~~
This new call is meant only to induce a flush of queued bios and
does not use the file argument at all, so just pass NULL.