November 2017 - Linux-stable-mirror

[Linux-stable-mirror] Patch "dmaengine: dmatest: warn user when dma test times out" has been added to the 4.13-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dmaengine: dmatest: warn user when dma test times out to the 4.13-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dmaengine-dmatest-warn-user-when-dma-test-times-out.patch and it can be found in the queue-4.13 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From a9df21e34b422f79d9a9fa5c3eff8c2a53491be6 Mon Sep 17 00:00:00 2001 From: Adam Wallis <awallis(a)codeaurora.org> Date: Thu, 2 Nov 2017 08:53:30 -0400 Subject: dmaengine: dmatest: warn user when dma test times out From: Adam Wallis <awallis(a)codeaurora.org> commit a9df21e34b422f79d9a9fa5c3eff8c2a53491be6 upstream. Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()") introduced a bug (that is in fact documented by the patch commit text) that leaves behind a dangling pointer. Since the done_wait structure is allocated on the stack, future invocations to the DMATEST can produce undesirable results (e.g., corrupted spinlocks). Ideally, this would be cleaned up in the thread handler, but at the very least, the kernel is left in a very precarious scenario that can lead to some long debug sessions when the crash comes later. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197605 Signed-off-by: Adam Wallis <awallis(a)codeaurora.org> Signed-off-by: Vinod Koul <vinod.koul(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/dma/dmatest.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/dma/dmatest.c +++ b/drivers/dma/dmatest.c @@ -696,6 +696,7 @@ static int dmatest_func(void *data) * free it this time?" dancing. For now, just * leave it dangling. */ + WARN(1, "dmatest: Kernel stack may be corrupted!!\n"); dmaengine_unmap_put(um); result("test timed out", total_tests, src_off, dst_off, len, 0); Patches currently in stable-queue which might be from awallis(a)codeaurora.org are queue-4.13/dmaengine-dmatest-warn-user-when-dma-test-times-out.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "target/iscsi: Fix iSCSI task reassignment handling" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled target/iscsi: Fix iSCSI task reassignment handling to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: target-iscsi-fix-iscsi-task-reassignment-handling.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 59b6986dbfcdab96a971f9663221849de79a7556 Mon Sep 17 00:00:00 2001 From: Bart Van Assche <bart.vanassche(a)sandisk.com> Date: Thu, 5 Jan 2017 12:39:57 +0100 Subject: target/iscsi: Fix iSCSI task reassignment handling From: Bart Van Assche <bart.vanassche(a)sandisk.com> commit 59b6986dbfcdab96a971f9663221849de79a7556 upstream. Allocate a task management request structure for all task management requests, including task reassignment. This change avoids that the se_tmr->response assignment dereferences an uninitialized se_tmr pointer. Reported-by: Moshe David <mdavid(a)infinidat.com> Signed-off-by: Bart Van Assche <bart.vanassche(a)sandisk.com> Reviewed-by: Hannes Reinecke <hare(a)suse.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Cc: Moshe David <mdavid(a)infinidat.com> Signed-off-by: Nicholas Bellinger <nab(a)linux-iscsi.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/target/iscsi/iscsi_target.c | 19 +++++++------------ include/target/target_core_base.h | 1 + 2 files changed, 8 insertions(+), 12 deletions(-) --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1749,7 +1749,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ struct iscsi_tm *hdr; int out_of_order_cmdsn = 0, ret; bool sess_ref = false; - u8 function; + u8 function, tcm_function = TMR_UNKNOWN; hdr = (struct iscsi_tm *) buf; hdr->flags &= ~ISCSI_FLAG_CMD_FINAL; @@ -1795,10 +1795,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ * LIO-Target $FABRIC_MOD */ if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { - - u8 tcm_function; - int ret; - transport_init_se_cmd(&cmd->se_cmd, &lio_target_fabric_configfs->tf_ops, conn->sess->se_sess, 0, DMA_NONE, @@ -1835,15 +1831,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ return iscsit_add_reject_cmd(cmd, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); } - - ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, - tcm_function, GFP_KERNEL); - if (ret < 0) - return iscsit_add_reject_cmd(cmd, + } + ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function, + GFP_KERNEL); + if (ret < 0) + return iscsit_add_reject_cmd(cmd, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf); - cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; - } + cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req; cmd->iscsi_opcode = ISCSI_OP_SCSI_TMFUNC; cmd->i_state = ISTATE_SEND_TASKMGTRSP; --- a/include/target/target_core_base.h +++ b/include/target/target_core_base.h @@ -231,6 +231,7 @@ enum tcm_tmreq_table { TMR_LUN_RESET = 5, TMR_TARGET_WARM_RESET = 6, TMR_TARGET_COLD_RESET = 7, + TMR_UNKNOWN = 0xff, }; /* fabric independent task management response values */ Patches currently in stable-queue which might be from bart.vanassche(a)sandisk.com are queue-3.18/target-iscsi-fix-iscsi-task-reassignment-handling.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "security/keys: add CONFIG_KEYS_COMPAT to Kconfig" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled security/keys: add CONFIG_KEYS_COMPAT to Kconfig to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: security-keys-add-config_keys_compat-to-kconfig.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 47b2c3fff4932e6fc17ce13d51a43c6969714e20 Mon Sep 17 00:00:00 2001 From: Bilal Amarni <bilal.amarni(a)gmail.com> Date: Thu, 8 Jun 2017 14:47:26 +0100 Subject: security/keys: add CONFIG_KEYS_COMPAT to Kconfig From: Bilal Amarni <bilal.amarni(a)gmail.com> commit 47b2c3fff4932e6fc17ce13d51a43c6969714e20 upstream. CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for several 64-bit architectures : mips, parisc, tile. At the moment and for those architectures, calling in 32-bit userspace the keyctl syscall would return an ENOSYS error. This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to make sure the compatibility wrapper is registered by default for any 64-bit architecture as long as it is configured with CONFIG_COMPAT. [DH: Modified to remove arm64 compat enablement also as requested by Eric Biggers] Signed-off-by: Bilal Amarni <bilal.amarni(a)gmail.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Arnd Bergmann <arnd(a)arndb.de> cc: Eric Biggers <ebiggers3(a)gmail.com> Signed-off-by: James Morris <james.l.morris(a)oracle.com> Cc: James Cowgill <james.cowgill(a)mips.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/powerpc/Kconfig | 5 ----- arch/s390/Kconfig | 3 --- arch/sparc/Kconfig | 3 --- arch/x86/Kconfig | 4 ---- security/keys/Kconfig | 4 ++++ 5 files changed, 4 insertions(+), 15 deletions(-) --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -1070,11 +1070,6 @@ source "arch/powerpc/Kconfig.debug" source "security/Kconfig" -config KEYS_COMPAT - bool - depends on COMPAT && KEYS - default y - source "crypto/Kconfig" config PPC_LIB_RHEAP --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -332,9 +332,6 @@ config COMPAT config SYSVIPC_COMPAT def_bool y if COMPAT && SYSVIPC -config KEYS_COMPAT - def_bool y if COMPAT && KEYS - config SMP def_bool y prompt "Symmetric multi-processing support" --- a/arch/sparc/Kconfig +++ b/arch/sparc/Kconfig @@ -542,9 +542,6 @@ config SYSVIPC_COMPAT depends on COMPAT && SYSVIPC default y -config KEYS_COMPAT - def_bool y if COMPAT && KEYS - endmenu source "net/Kconfig" --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2471,10 +2471,6 @@ config COMPAT_FOR_U64_ALIGNMENT config SYSVIPC_COMPAT def_bool y depends on SYSVIPC - -config KEYS_COMPAT - def_bool y - depends on KEYS endif endmenu --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -20,6 +20,10 @@ config KEYS If you are unsure as to whether this is required, answer N. +config KEYS_COMPAT + def_bool y + depends on COMPAT && KEYS + config PERSISTENT_KEYRINGS bool "Enable register of persistent per-UID keyrings" depends on KEYS Patches currently in stable-queue which might be from bilal.amarni(a)gmail.com are queue-3.18/security-keys-add-config_keys_compat-to-kconfig.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] [PATCH-4.4.y 0/2] target: stable backports

by Nicholas A. Bellinger

From: Nicholas Bellinger <nab(a)linux-iscsi.org> Hi Greg-KH, Here are two target patches for v4.4.y stable, the first of which did not originally include a stable CC, and the latter did not apply due to a minor context change. The series has been cut against v4.4.98. Please apply at your earliest convenience. Thank you, --nab Bart Van Assche (1): target/iscsi: Fix iSCSI task reassignment handling Nicholas Bellinger (1): target: Fix node_acl demo-mode + uncached dynamic shutdown regression drivers/target/iscsi/iscsi_target.c | 19 +++++++------------ drivers/target/target_core_tpg.c | 4 ++-- drivers/target/target_core_transport.c | 4 ++-- include/target/target_core_base.h | 1 + 4 files changed, 12 insertions(+), 16 deletions(-) -- 1.8.5.3

7 years, 1 month

2
3
0 0

[Linux-stable-mirror] [PATCH-4.9.y 0/2] target: stable backports

by Nicholas A. Bellinger

From: Nicholas Bellinger <nab(a)linux-iscsi.org> Hi Greg-KH, Here are two target patches for v4.9.y stable, the first of which did not originally include a stable CC, and the latter did not apply due to a minor context change. The series has been cut against v4.9.62. Please apply at your earliest convenience. Thank you, --nab Bart Van Assche (1): target/iscsi: Fix iSCSI task reassignment handling Nicholas Bellinger (1): qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2) drivers/scsi/qla2xxx/tcm_qla2xxx.c | 33 --------------------------------- drivers/target/iscsi/iscsi_target.c | 19 +++++++------------ include/target/target_core_base.h | 1 + 3 files changed, 8 insertions(+), 45 deletions(-) -- 1.8.5.3

7 years, 1 month

2
4
0 0

[Linux-stable-mirror] [PATCH 0/1] tipc oops fix to 4.4-stable: "tipc: fix link attribute propagation bug"

by Tommi Rantala

Hello, Upstream commit d01332f1acacc0cb43a61f4244dd2b846d4cd585 ("tipc: fix link attribute propagation bug") fixes a tipc oops that can be triggered from user space, we want it also in 4.4-stable. I've backported the patch, as it does not apply as-is to 4.4. Richard Alpe (1): tipc: fix link attribute propagation bug net/tipc/link.c | 28 ++++++---------------------- net/tipc/link.h | 1 - 2 files changed, 6 insertions(+), 23 deletions(-) -- 2.13.6

7 years, 1 month

2
2
0 0

[Linux-stable-mirror] Apply "security/keys: add CONFIG_KEYS_COMPAT to Kconfig" to stable trees

by James Cowgill

Hi, Is it possible to apply this commit to the stable trees before 4.12? commit 47b2c3fff4932e6fc17ce13d51a43c6969714e20 Author: Bilal Amarni <bilal.amarni(a)gmail.com> Date: Thu Jun 8 14:47:26 2017 +0100 security/keys: add CONFIG_KEYS_COMPAT to Kconfig In commit 20f06ed9f61a ("KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace"), the keyctl syscall for 32-bit MIPS was "fixed" to point at compat_sys_keyctl instead of sys_keyctl. Unfortunately this caused the syscall to always return ENOSYS because CONFIG_KEYS_COMPAT was not enabled on MIPS. Instead of fixing this by manually by enabling KEYS_COMPAT in the MIPS Kconfig, I think applying the above commit is a better. Thanks, James

7 years, 1 month

2
3
0 0

[Linux-stable-mirror] [PATCH 4.9.y 0/2] netfilter: nat: revert rhashtable conversion

by Florian Westphal

These two patches get rid of rhashtable the conversion. First patch is an implicit dependency, rhlist remove interface is a no-op in case element is not yet in the table, but hlist_del_rcu() must only be called for conntracks that already have been inserted. Second patch is the actual revert.

7 years, 1 month

3
4
0 0

Re: [Linux-stable-mirror] [PATCH] drm/vblank: Tune drm_crtc_accurate_vblank_count() WARN down to a debug

by Benjamin Gaignard

2017-10-30 10:19 GMT+01:00 Daniel Vetter <daniel(a)ffwll.ch>: > On Tue, Oct 24, 2017 at 11:01:32AM +0200, Benjamin Gaignard wrote: >> 2017-10-23 17:25 GMT+02:00 Ville Syrjala <ville.syrjala(a)linux.intel.com>: >> > From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> >> > >> > Since commit 632c6e4edef1 ("drm/vblank: Fix flip event vblank count") >> > even drivers that don't implement accurate vblank timestamps will end >> > up using drm_crtc_accurate_vblank_count(). That leads to a WARN every >> > time drm_crtc_arm_vblank_event() gets called. The could be as often >> > as every frame for each active crtc. >> > >> > Considering drm_crtc_accurate_vblank_count() is never any worse than >> > the drm_vblank_count() we used previously, let's just skip the WARN >> > unless DRM_UT_VBL is enabled. That way people won't be bothered by >> > this unless they're debugging vblank code. And let's also change it >> > to WARN_ONCE() so that even when you're debugging vblank code you >> > won't get drowned by constant WARNs. >> > >> > Cc: stable(a)vger.kernel.org >> > Cc: Daniel Vetter <daniel(a)ffwll.ch> >> > Cc: "Szyprowski, Marek" <m.szyprowski(a)samsung.com> >> > Cc: Andrzej Hajda <a.hajda(a)samsung.com> >> > Reported-by: Andrzej Hajda <a.hajda(a)samsung.com> >> > Fixes: 632c6e4edef1 ("drm/vblank: Fix flip event vblank count") >> > Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> >> >> I have tested it on sti and stm driver, it fix the problem, thanks. >> >> Acked-by: Benjamin Gaignard <benjamin.gaignard(a)linaro.org> >> >> > --- >> > drivers/gpu/drm/drm_vblank.c | 4 ++-- >> > 1 file changed, 2 insertions(+), 2 deletions(-) >> > >> > diff --git a/drivers/gpu/drm/drm_vblank.c b/drivers/gpu/drm/drm_vblank.c >> > index 13722c373a6a..c81c297995c6 100644 >> > --- a/drivers/gpu/drm/drm_vblank.c >> > +++ b/drivers/gpu/drm/drm_vblank.c >> > @@ -299,8 +299,8 @@ u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc) >> > u32 vblank; >> > unsigned long flags; >> > >> > - WARN(!dev->driver->get_vblank_timestamp, >> > - "This function requires support for accurate vblank timestamps."); >> > + WARN_ONCE(drm_debug & DRM_UT_VBL && !dev->driver->get_vblank_timestamp, >> > + "This function requires support for accurate vblank timestamps."); > > Somewhat a bikeshed, but if we e.g. enable debugging in a CI or piglit > run, then this could change the results. I'd go with a if () > DRM_DEBUG_VBLANK. Either way: > > Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> > Does something is missing to merge this fix in drm-misc ? Without it I got warning at each frame. Benjamin >> > >> > spin_lock_irqsave(&dev->vblank_time_lock, flags); >> > >> > -- >> > 2.13.6 >> > >> > _______________________________________________ >> > dri-devel mailing list >> > dri-devel(a)lists.freedesktop.org >> > https://lists.freedesktop.org/mailman/listinfo/dri-devel >> _______________________________________________ >> dri-devel mailing list >> dri-devel(a)lists.freedesktop.org >> https://lists.freedesktop.org/mailman/listinfo/dri-devel > > -- > Daniel Vetter > Software Engineer, Intel Corporation > http://blog.ffwll.ch

7 years, 1 month

2
1
0 0

[Linux-stable-mirror] Patch "ipv6: flowlabel: do not leave opt->tot_len with garbage" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled ipv6: flowlabel: do not leave opt->tot_len with garbage to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Nov 16 15:49:43 CET 2017 From: Eric Dumazet <edumazet(a)google.com> Date: Sat, 21 Oct 2017 12:26:23 -0700 Subject: ipv6: flowlabel: do not leave opt->tot_len with garbage From: Eric Dumazet <edumazet(a)google.com> [ Upstream commit 864e2a1f8aac05effac6063ce316b480facb46ff ] When syzkaller team brought us a C repro for the crash [1] that had been reported many times in the past, I finally could find the root cause. If FlowLabel info is merged by fl6_merge_options(), we leave part of the opt_space storage provided by udp/raw/l2tp with random value in opt_space.tot_len, unless a control message was provided at sendmsg() time. Then ip6_setup_cork() would use this random value to perform a kzalloc() call. Undefined behavior and crashes. Fix is to properly set tot_len in fl6_merge_options() At the same time, we can also avoid consuming memory and cpu cycles to clear it, if every option is copied via a kmemdup(). This is the change in ip6_setup_cork(). [1] kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 6613 Comm: syz-executor0 Not tainted 4.14.0-rc4+ #127 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801cb64a100 task.stack: ffff8801cc350000 RIP: 0010:ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168 RSP: 0018:ffff8801cc357550 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: ffff8801cc357748 RCX: 0000000000000010 RDX: 0000000000000002 RSI: ffffffff842bd1d9 RDI: 0000000000000014 RBP: ffff8801cc357620 R08: ffff8801cb17f380 R09: ffff8801cc357b10 R10: ffff8801cb64a100 R11: 0000000000000000 R12: ffff8801cc357ab0 R13: ffff8801cc357b10 R14: 0000000000000000 R15: ffff8801c3bbf0c0 FS: 00007f9c5c459700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020324000 CR3: 00000001d1cf2000 CR4: 00000000001406f0 DR0: 0000000020001010 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 Call Trace: ip6_make_skb+0x282/0x530 net/ipv6/ip6_output.c:1729 udpv6_sendmsg+0x2769/0x3380 net/ipv6/udp.c:1340 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x358/0x5a0 net/socket.c:1750 SyS_sendto+0x40/0x50 net/socket.c:1718 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x4520a9 RSP: 002b:00007f9c5c458c08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9 RDX: 0000000000000001 RSI: 0000000020fd1000 RDI: 0000000000000016 RBP: 0000000000000086 R08: 0000000020e0afe4 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb1ee R13: 00000000ffffffff R14: 0000000000000016 R15: 0000000000000029 Code: e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ea 0f 00 00 48 8d 79 04 48 b8 00 00 00 00 00 fc ff df 45 8b 74 24 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RIP: ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168 RSP: ffff8801cc357550 Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: Dmitry Vyukov <dvyukov(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/ip6_flowlabel.c | 1 + net/ipv6/ip6_output.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) --- a/net/ipv6/ip6_flowlabel.c +++ b/net/ipv6/ip6_flowlabel.c @@ -316,6 +316,7 @@ struct ipv6_txoptions *fl6_merge_options } opt_space->dst1opt = fopt->dst1opt; opt_space->opt_flen = fopt->opt_flen; + opt_space->tot_len = fopt->tot_len; return opt_space; } EXPORT_SYMBOL_GPL(fl6_merge_options); --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1177,11 +1177,11 @@ int ip6_append_data(struct sock *sk, int if (WARN_ON(np->cork.opt)) return -EINVAL; - np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); + np->cork.opt = kzalloc(sizeof(*opt), sk->sk_allocation); if (unlikely(np->cork.opt == NULL)) return -ENOBUFS; - np->cork.opt->tot_len = opt->tot_len; + np->cork.opt->tot_len = sizeof(*opt); np->cork.opt->opt_flen = opt->opt_flen; np->cork.opt->opt_nflen = opt->opt_nflen; Patches currently in stable-queue which might be from edumazet(a)google.com are queue-3.18/tcp-fix-tcp_mtu_probe-vs-highest_sack.patch queue-3.18/ipv6-flowlabel-do-not-leave-opt-tot_len-with-garbage.patch queue-3.18/sctp-add-the-missing-sock_owned_by_user-check-in-sctp_icmp_redirect.patch queue-3.18/tun-tap-sanitize-tunsetsndbuf-input.patch

7 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2017