An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.
The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash. This can be
triggered if a dump fails because the target socket's receive
buffer is full.
This patch fixes it by using the cb->start mechanism to ensure that
the initialisation is always done regardless of the buffer situation.
Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <email address hidden>
Signed-off-by: Steffen Klassert <email address hidden>
CVE-2017-16939
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Some features can only work when all layers are on the same fs. Test this
condition during mount time, so features can check them later.
Add helper ovl_same_sb() to return the common super block in case all
layers are on the same fs.
Signed-off-by: Amir Goldstein <email address hidden>
Signed-off-by: Miklos Szeredi <email address hidden>
(backported from commit 7bcd74b98d7bac3e5149894caaf72de6989af7f0)
Signed-off-by: Daniel Axtens <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin King <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
7d50d51...
by
Adrian Salido <email address hidden>
driver core: platform: fix race condition with driver_override
CVE-2017-12146
The driver_override implementation is susceptible to race condition when
different threads are reading vs storing a different driver override.
Add locking to avoid race condition.
Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
Cc: <email address hidden>
Signed-off-by: Adrian Salido <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit 6265539776a0810b7ce6398c27866ddb9c6bd154)
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin King <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
The underlying blk_mq_tag_set, and request timeout parameters support an
unsigned int. Extend the size of the nvme module parameters for io and
admin commands to match.
Signed-off-by: Marc Olson <email address hidden>
Signed-off-by: Christoph Hellwig <email address hidden>
(backported from commit 8ae4e4477d8f5cc7736816a0492f82934ca32ab7)
Signed-off-by: Daniel Axtens <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin King <email address hidden>
[applied upstream patch with fuzz 2]
Signed-off-by: Stefan Bader <email address hidden>
When stopping CPUS fail when doing kdump, the system will hang
indefinitively, instead of rebooting. Using the default value of 10 for
PANIC_TIMEOUT that we had for trusty allows the system to reboot.
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin King <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>