Commit 9e20f996 authored by Ben Hutchings

Merge tag 'debian/4.12.13-1' into stretch-backports

"Release linux (4.12.13-1)."

Drop the ABI reference files for 4.12.0-2 and change our ABI number to
parents de03636f 44ed7a13
linux (4.12.13-1~bpo9+1) stretch-backports; urgency=medium
* Rebuild for stretch-backports:
- Change ABI number to 0.bpo.2
-- Ben Hutchings <> Thu, 28 Sep 2017 12:29:04 +0100
linux (4.12.13-1) unstable; urgency=medium
* New upstream stable update:
- mtd: nand: make Samsung SLC NAND usable again
- mtd: nand: hynix: add support for 20nm NAND chips
- [armhf] mtd: nand: mxc: Fix mxc_v1 ooblayout
- nvme-fabrics: generate spec-compliant UUID NQNs
- btrfs: resume qgroup rescan on rw remount
- rtlwifi: btcoexist: Fix breakage of ant_sel for rtl8723be
- radix-tree: must check __radix_tree_preload() return value
- mm: kvfree the swap cluster info if the swap file is unsatisfactory
- mm/swapfile.c: fix swapon frontswap_map memory leak on error
- mm/memory.c: fix mem_cgroup_oom_disable() call missing
- [i386] ALSA: msnd: Optimize / harden DSP and MIDI loops
- [x86] KVM: SVM: Limit PFERR_NESTED_GUEST_PAGE error_code check to L1 guest
- rt2800: fix TX_PIN_CFG setting for non MT7620 chips
- Bluetooth: Properly check L2CAP config option output buffer length (CVE-2017-1000251) (Closes: #875881)
- [arm64] dts: marvell: armada-37xx: Fix GIC maintenance interrupt
- [armel,armhf] 8692/1: mm: abort uaccess retries upon fatal signal
- NFS: Fix 2 use after free issues in the I/O code
- NFS: Sync the correct byte range during synchronous writes
- NFSv4: Fix up mirror allocation
- xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
[ Salvatore Bonaccorso ]
* sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558)
* scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
* Add ABI reference for 4.12.0-2
[ Ben Hutchings ]
* nl80211: check for the required netlink attributes presence (CVE-2017-12153)
* [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
* video: fbdev: aty: do not leak uninitialized padding in clk to userspace
* scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
* packet: Don't write vnet header beyond end of buffer (CVE-2017-14497)
* [x86] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (CVE-2017-1000252)
* nfs: Ignore ABI change
-- Ben Hutchings <> Tue, 19 Sep 2017 01:59:17 +0100
linux (4.12.12-2) unstable; urgency=medium
* debian/source/lintian-overrides: Override license-problem-gfdl-invariants
error triggered by a ReSTified copy of the GFDL
-- Ben Hutchings <> Mon, 11 Sep 2017 04:35:28 +0100
linux (4.12.12-1) unstable; urgency=medium
* New upstream stable update:
- ppp: Fix false xmit recursion detect with two ppp devices
- ppp: fix xmit recursion detection on ppp channels
- tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
- net: fix keepalive code vs TCP_FASTOPEN_CONNECT
- ipv6: set rt6i_protocol properly in the route when it is installed
- [s390x] bpf: fix jit branch offset related to ldimm64
- net/mlx4_en: don't set CHECKSUM_COMPLETE on SCTP packets
- net: sched: set xt_tgchk_param properly in ipt_init_target
- net: sched: set xt_tgchk_param par.nft_compat as 0 in ipt_init_target
- tcp: fastopen: tcp_connect() must refresh the route
- qmi_wwan: fix NULL deref on disconnect
- net: avoid skb_warn_bad_offload false positives on UFO
- igmp: Fix regression caused by igmp sysctl namespace code.
- scsi: sg: only check for dxfer_len greater than 256M
- btrfs: Remove false alert when fiemap range is smaller than on-disk
- mm: ratelimit PFNs busy info message
- mm: fix list corruptions on shmem shrinklist
- futex: Remove unnecessary warning from get_futex_key
- xfs: Fix leak of discard bio
- [armhf] pinctrl: armada-37xx: Fix number of pin in south bridge
- mtd: nand: Fix timing setup for NANDs that do not support SET FEATURES
- mtd: nand: Declare tBERS, tR and tPROG as u64 to avoid integer overflow
- iscsi-target: fix memory leak in iscsit_setup_text_cmd()
- iscsi-target: Fix iscsi_np reset hung task during parallel delete
- usb-storage: fix deadlock involving host lock and scsi_done
- target: Fix node_acl demo-mode + uncached dynamic shutdown regression
- fuse: initialize the flock flag in fuse_file on allocation
- i2c: designware: Some broken DSTDs use 1MiHz instead of 1MHz
- nand: fix wrong default oob layout for small pages using soft ecc
- mmc: mmc: correct the logic for setting HS400ES signal voltage
- nfs/flexfiles: fix leak of nfs4_ff_ds_version arrays
- [armhf] drm/etnaviv: Fix off-by-one error in reloc checking
- [x86] drm/i915: Fix out-of-bounds array access in bdw_load_gamma_lut
- [armhf] usb: musb: fix tx fifo flush handling again
- USB: hcd: Mark secondary HCD as dead if the primary one died
- [armhf] iio: accel: st_accel: add SPI-3wire support
- [x86] iio: accel: bmc150: Always restore device to normal mode after
- iio: light: tsl2563: use correct event code
- staging: comedi: comedi_fops: do not call blocking ops when !TASK_RUNNING
- uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
- firmware: fix batched requests - wake all waiters
- firmware: fix batched requests - send wake up on failure on direct lookups
- firmware: avoid invalid fallback aborts by using killable wait
- block: Make blk_mq_delay_kick_requeue_list() rerun the queue at a quiet
- USB: Check for dropped connection before switching to full speed
- usb: core: unlink urbs from the tail of the endpoint's urb_list
- usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
- usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
- PCI: Protect pci_error_handlers->reset_notify() usage with device_lock()
- xhci: Reset Renesas uPD72020x USB controller for 32-bit DMA issue
- pnfs/blocklayout: require 64-bit sector_t
- [x86] pinctrl: cherryview: Add Setzer models to the Chromebook DMI quirk
- [armhf] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
- [x86] pinctrl: intel: merrifield: Correct UART pin lists
- [armhf] pinctrl: samsung: Remove bogus irq_[un]mask from resource
- [arm64] pinctrl: meson-gxbb: Add missing GPIODV_18 pin entry
- [arm64] pinctrl: meson-gxl: Add missing GPIODV_18 pin entry
- [mips*] Revert "MIPS: Don't unnecessarily include kmalloc.h into
- [mips*/octeon] Fix broken EDAC driver.
- [ppc64el] Fix /proc/cpuinfo revision for POWER9 DD2
- audit: Fix use after free in audit_remove_watch_rule()
- [hppa] pci memory bar assignment fails with 64bit kernels on dino/cujo
- [x86] crypto: sha1 - Fix reads beyond the number of blocks passed
- [x86] drm/i915: Perform an invalidate prior to executing golden
- drm/amdgpu: save list length when fence is signaled
- md: fix test in md_write_start()
- md: always clear ->safemode when md_check_recovery gets the mddev lock.
- MD: not clear ->safemode for external metadata array
- ALSA: seq: 2nd attempt at fixing race creating a queue
- ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset
- ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
- ALSA: usb-audio: add DSD support for new Amanero PID
- mm: discard memblock data later
- slub: fix per memcg cache leak on css offline
- mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS
- mm/cma_debug.c: fix stack corruption due to sprintf usage
- mm/mempolicy: fix use after free when calling get_mempolicy
- mm/vmalloc.c: don't unconditonally use __GFP_HIGHMEM
- [amd64,arm64] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
- xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
- [armhf] ARM: dts: imx6qdl-nitrogen6_som2: fix PCIe reset
- blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL
- [powerpc*] Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC
- xen-blkfront: use a right index when checking requests
- [x86] perf: Fix RDPMC vs. mm_struct tracking
- [amd64] asm: Clear AC on NMI entries
- [x86] Fix norandmaps/ADDR_NO_RANDOMIZE
- [x86] elf: Remove the unnecessary ADDR_NO_RANDOMIZE checks
- genirq: Restore trigger settings in irq_modify_status()
- genirq/ipi: Fixup checks against nr_cpu_ids
- kernel/watchdog: Prevent false positives with turbo modes
- Sanitize 'move_pages()' permission checks (CVE-2017-14140)
- pids: make task_tgid_nr_ns() safe
- debug: Fix WARN_ON_ONCE() for modules
- usb: optimize acpi companion search for usb port devices
- [sparc64] remove unnecessary log message
- bonding: require speed/duplex only for 802.3ad, alb and tlb
- bonding: ratelimit failed speed/duplex update warning
- af_key: do not use GFP_KERNEL in atomic contexts
- dccp: purge write queue in dccp_destroy_sock()
- dccp: defer ccid_hc_tx_delete() at dismantle time
- ipv4: fix NULL dereference in free_fib_info_rcu()
- net_sched/sfq: update hierarchical backlog when drop packet
- net_sched: remove warning from qdisc_hash_add
- bpf: fix bpf_trace_printk on 32 bit archs
- net: igmp: Use ingress interface rather than vrf device
- openvswitch: fix skb_panic due to the incorrect actions attrlen
- ptr_ring: use kmalloc_array()
- ipv4: better IP_MAX_MTU enforcement
- nfp: fix infinite loop on umapping cleanup
- tun: handle register_netdevice() failures properly
- sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
- tipc: fix use-after-free
- ipv6: reset fn->rr_ptr when replacing route
- ipv6: repair fib6 tree in failure case
- tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
- net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
- irda: do not leak initialized to userspace
- net: sched: fix NULL pointer dereference when action calls some targets
- net_sched: fix order of queue length updates in qdisc_replace()
- bpf, verifier: add additional patterns to evaluate_reg_imm_alu
- bpf: fix mixed signed/unsigned derived min/max value bounds
- bpf/verifier: fix min/max handling in BPF_SUB
- Input: ALPS - fix two-finger scroll breakage in right side on ALPS
- [s390x] KVM: sthyi: fix sthyi inline assembly
- [s390x] KVM: sthyi: fix specification exception detection
- [x86] KVM: simplify handling of PKRU
- [x86] KVM, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state
- [x86] KVM: block guest protection keys unless the host has them enabled
- ALSA: core: Fix unexpected error at replacing user TLV
- ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource
- ALSA: firewire-motu: destroy stream data surely at failure of card
- PM/hibernate: touch NMI watchdog when creating snapshot
- mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
- dax: fix deadlock due to misaligned PMD faults
- i2c: designware: Fix system suspend
- mm/madvise.c: fix freeing of locked page with MADV_FREE
- fork: fix incorrect fput of ->exe_file causing use-after-free
- mm/memblock.c: reversed logic in memblock_discard()
- [arm64] fpsimd: Prevent registers leaking across exec
- drm: Fix framebuffer leak
- drm: Release driver tracking before making the object available again
- [armhf] drm/sun4i: Implement drm_driver lastclose to restore fbdev
- drm/atomic: Handle -EDEADLK with out-fences correctly
- drm/atomic: If the atomic check fails, return its value first
- [x86] drm/i915/vbt: ignore extraneous child devices for a port
- [x86] drm/i915/gvt: Fix the kernel null pointer error
- Revert "drm/amdgpu: fix vblank_time when displays are off"
- ACPI: device property: Fix node lookup in
- tracing: Call clear_boot_tracer() at lateinit_sync
- tracing: Missing error code in tracer_alloc_buffers()
- tracing: Fix kmemleak in tracing_map_array_free()
- tracing: Fix freeing of filter in create_filter() when set_str is false
- RDMA/uverbs: Initialize cq_context appropriately
- cifs: Fix df output for users with quota limits
- cifs: return ENAMETOOLONG for overlong names in
- nfsd: Limit end of page list when decoding NFSv4 WRITE
- ring-buffer: Have ring_buffer_alloc_read_page() return error on offline
- virtio_pci: fix cpu affinity support
- ftrace: Check for null ret_stack on profile function graph entry
- perf/core: Fix group {cpu,task} validation
- timers: Fix excessive granularity of new timers after a nohz idle
- [x86] mm: Fix use-after-free of ldt_struct
- net: sunrpc: svcsock: fix NULL-pointer exception
- netfilter: expect: fix crash when putting uninited expectation
- netfilter: nat: fix src map lookup
- netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
- Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
- Bluetooth: cmtp: fix possible might sleep error in cmtp_session
- Bluetooth: bnep: fix possible might sleep error in bnep_session
- iio: hid-sensor-trigger: Fix the race with user space powering up
- iommu: Fix wrong freeing of iommu_device->dev
- Clarify (and fix) MAX_LFS_FILESIZE macros
- ACPI: EC: Fix regression related to wrong ECDT initialization order
- [powerpc*] mm: Ensure cpumask update is ordered
- [arm64] mm: abort uaccess retries upon fatal signal
- [x86] io: Add "memory" clobber to insb/insw/insl/outsb/outsw/outsl
- [mips*] irqchip: mips-gic: SYNC after enabling GIC region
- Input: synaptics - fix device info appearing different on reconnect
- Input: xpad - fix PowerA init quirk for some gamepad models
- crypto: chacha20 - fix handling of chunked input
- [x86] i2c: ismt: Don't duplicate the receive length for block reads
- [x86] i2c: ismt: Return EMSGSIZE for block reads with bogus length
- crypto: algif_skcipher - only call put_page on referenced and used pages
- mm, uprobes: fix multiple free of ->uprobes_state.xol_area
- mm, madvise: ensure poisoned pages are removed from per-cpu lists
- ceph: fix readpage from fscache
- cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
- cpuset: Fix incorrect memory_pressure control file mapping
- CIFS: Fix maximum SMB2 header size
- CIFS: remove endian related sparse warning
- dm mpath: do not lock up a CPU with requeuing activity
- [x86] drm/vmwgfx: Fix F26 Wayland screen update issue
- [arm64, armhf] wl1251: add a missing spin_lock_init()
- [arm64] mmc: sdhci-xenon: add set_power callback
- lib/mpi: kunmap after finishing accessing buffer
- xfrm: policy: check policy direction value
- drm/ttm: Fix accounting error when fail to get pages for pool
- nvme: fix the definition of the doorbell buffer config support bit
- drm/nouveau/i2c/gf119-: add support for address-only transactions
- epoll: fix race between ep_poll_callback(POLLFREE) and
- usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard
- USB: serial: option: add support for D-Link DWM-157 C1
- usb: Add device quirk for Logitech HD Pro Webcam C920-C
- usb:xhci:Fix regression when ATI chipsets detected
- [armhf] USB: musb: fix external abort on suspend
- USB: core: Avoid race of async_completed() w/ usbdev_release()
- [x86] staging/rts5208: fix incorrect shift to extract upper nybble
- iio: adc: ti-ads1015: fix incorrect data rate setting update
- iio: adc: ti-ads1015: fix scale information for ADS1115
- iio: adc: ti-ads1015: enable conversion when CONFIG_PM is not set
- iio: adc: ti-ads1015: avoid getting stale result after runtime resume
- iio: adc: ti-ads1015: don't return invalid value from buffer setup
- iio: adc: ti-ads1015: add adequate wait time to get correct conversion
- driver core: bus: Fix a potential double free
- HID: wacom: Do not completely map WACOM_HID_WD_TOUCHRINGSTATUS usage
- [x86] intel_th: pci: Add Cannon Lake PCH-H support
- [x86] intel_th: pci: Add Cannon Lake PCH-LP support
- ath10k: fix memory leak in rx ring buffer allocation
- Input: trackpoint - assume 3 buttons when buttons detection fails
- rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
- Bluetooth: Add support of 13d3:3494 RTL8723BE device
- iwlwifi: pci: add new PCI ID for 7265D
- dlm: avoid double-free on error path in dlm_device_{register,unregister}
- mwifiex: correct channel stat buffer overflows
- [s390x] mm: avoid empty zero pages for KVM guests to avoid postcopy
- [s390x] mm: fix BUG_ON in crst_table_upgrade
- drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
- drm/nouveau: Fix error handling in nv50_disp_atomic_commit
- workqueue: Fix flag collision
- ahci: don't use MSI for devices with the silly Intel NVMe remapping
- cs5536: add support for IDE controller variant
- scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
- scsi: sg: recheck MMAP_IO request length with lock held
- of/device: Prevent buffer overflow in of_device_modalias()
- rtlwifi: Fix memory leak when firmware request fails
- rtlwifi: Fix fallback firmware loading
[ Ben Hutchings ]
* [alpha] udeb: Add i2c-modules (fixes FTBFS)
* cpupower: Add/update definition of MSRHEADER macro for turbostat and x86_energy_perf_policy (Closes: #872414)
* Bump ABI to 2
[ Roger Shimizu ]
* [armel] Disable CONFIG_STRICT_KERNEL_RWX, which will save about 3MB on linux Image (before compression). (Closes: #870185)
[ Uwe Kleine-König ]
* mtd: nandsim: remove debugfs entries in error path
-- Ben Hutchings <> Sun, 10 Sep 2017 19:42:51 +0100
linux (4.12.6-1~bpo9+1) stretch-backports; urgency=medium
* Rebuild for stretch-backports:
......@@ -6,6 +6,7 @@
## end choice
## file: arch/arm/Kconfig
abiname: 0.bpo.1
abiname: 0.bpo.2
......@@ -23,6 +27,7 @@ ignore-changes:
From: Kees Cook <>
Date: Mon, 07 Aug 2017 20:15:42 +0000
Subject: mm: Revert x86_64 and arm64 ELF_ET_DYN_BASE base
Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000
broke AddressSanitizer. This is a partial revert of:
commit eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
commit 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
The AddressSanitizer tool has hard-coded expectations about where
executable mappings are loaded. The motivation for changing the PIE
base in the above commits was to avoid the Stack-Clash CVEs that
allowed executable mappings to get too close to heap and stack. This
was mainly a problem on 32-bit, but the 64-bit bases were moved too,
in an effort to proactively protect those systems (proofs of concept
do exist that show 64-bit collisions, but other recent changes to fix
stack accounting and setuid behaviors will minimize the impact).
The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC
base), so only the 64-bit PIE base needs to be reverted to let x86 and
arm64 ASan binaries run again. Future changes to the 64-bit PIE base on
these architectures can be made optional once a more dynamic method for
dealing with AddressSanitizer is found. (e.g. always loading PIE into
the mmap region for marked binaries.)
Reported-by: Kostya Serebryany <>
Signed-off-by: Kees Cook <>
arch/arm64/include/asm/elf.h | 4 ++--
arch/x86/include/asm/elf.h | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
index acae781f7359..3288c2b36731 100644
--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -114,10 +114,10 @@
* This is the base location for PIE (ET_DYN with INTERP) loads. On
- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * 64-bit, this is above 4GB to leave the entire 32-bit address
* space open for things that want to use the area for 32-bit pointers.
-#define ELF_ET_DYN_BASE 0x100000000UL
+#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
#ifndef __ASSEMBLY__
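Review bot: the new value `(2 * TASK_SIZE_64 / 3)` restores the pre-02445990a96e base, but nothing in the code says why the 4GB base was abandoned; the AddressSanitizer constraint lives only in the commit message. Suggest one extra comment line above the define, along the lines of `* Kept at 2/3 of TASK_SIZE_64: AddressSanitizer hard-codes this layout.`, so the next attempt to raise the base for Stack-Clash reasons sees the constraint. The comment edit itself ("above 4GB") is accurate for the new value.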
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index 1c18d83d3f09..9aeb91935ce0 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -247,11 +247,11 @@ extern int force_personality32;
* This is the base location for PIE (ET_DYN with INTERP) loads. On
- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * 64-bit, this is above 4GB to leave the entire 32-bit address
* space open for things that want to use the area for 32-bit pointers.
#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
- 0x100000000UL)
+ (TASK_SIZE / 3 * 2))
/* This yields a mask that user programs can use to figure out what
instruction set this CPU supports. This could be done in user space,
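Review bot: `(TASK_SIZE / 3 * 2)` here and `(2 * TASK_SIZE_64 / 3)` in the arm64 hunk compute the same fraction with a different operation order, so the two results can differ in their low bits through integer rounding; harmless, but writing both the same way would make the partial revert easier to audit. It would also help to state in the message which expression each define had before eab09532d400 and 02445990a96e, so reviewers can confirm the 64-bit half is an exact revert while the `mmap_is_ia32()` branch stays at `0x000400000UL` as intended.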
From: Uwe Kleine-König <>
Date: Wed, 23 Aug 2017 09:03:04 +0200
Subject: [PATCH] mtd: nandsim: remove debugfs entries in error path
The debugfs entries must be removed before an error is returned in the
probe function. Otherwise another try to load the module fails and when
the debugfs files are accessed without the module loaded, the kernel
still tries to call a function in that module.
Fixes: 5346c27c5fed ("mtd: nandsim: Introduce debugfs infrastructure")
Signed-off-by: Uwe Kleine-König <>
Reviewed-by: Richard Weinberger <>
Acked-by: Boris Brezillon <>
Signed-off-by: Brian Norris <>
drivers/mtd/nand/nandsim.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
index 03a0d057bf2f..e4211c3cc49b 100644
--- a/drivers/mtd/nand/nandsim.c
+++ b/drivers/mtd/nand/nandsim.c
@@ -2373,6 +2373,7 @@ static int __init ns_init_module(void)
return 0;
+ nandsim_debugfs_remove(nand);
for (i = 0;i < ARRAY_SIZE(nand->partitions); ++i)
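Review bot: placing `nandsim_debugfs_remove(nand);` at the head of the unwind path after `return 0;` means every jump into this label now tears down debugfs, including failures that occur before the debugfs entries were created; please confirm `nandsim_debugfs_remove()` is a no-op in that case, since the hunk shows neither the label nor the earlier error jumps. A one-line comment above the call naming the debugfs setup it undoes would tie the cleanup to its counterpart.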
From: Vladis Dronov <>
Date: Tue, 12 Sep 2017 22:21:21 +0000
Subject: nl80211: check for the required netlink attributes presence
nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.
This fixes CVE-2017-12153.
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Cc: <> # v3.1-rc1
Reported-by: bo Zhang <>
Signed-off-by: Vladis Dronov <>
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
if (err)
return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
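Review bot: the presence check is in the right place: it precedes the three `nla_len(tb[...])` lines, which are exactly the reads that dereference a missing attribute. Returning -EINVAL for absence while the length checks return -ERANGE keeps the two failures distinguishable to callers. One readability nit: split the condition so each of the three attributes sits on its own line, mirroring the one-per-line length checks below; the first line of the condition is already at the column limit.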
From: Benjamin Poirier <>
Date: Mon, 28 Aug 2017 14:29:41 -0400
Subject: packet: Don't write vnet header beyond end of buffer
... which may happen with certain values of tp_reserve and maclen.
Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
Signed-off-by: Benjamin Poirier <>
Cc: Willem de Bruijn <>
Acked-by: Willem de Bruijn <>
Signed-off-by: David S. Miller <>
net/packet/af_packet.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2192,6 +2192,7 @@ static int tpacket_rcv(struct sk_buff *s
struct timespec ts;
__u32 ts_status;
bool is_drop_n_account = false;
+ bool do_vnet = false;
/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
* We may add members to them until current aligned size without forcing
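Review bot: `do_vnet` is introduced without a comment, and its meaning is narrower than `po->has_vnet_hdr` (it is cleared later when the frame is truncated). Suggest a short comment at the declaration, e.g. `/* write the vnet header only if it fits in front of the frame */`, since the later `do_vnet = false;` sites do not explain it either.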
@@ -2242,8 +2243,10 @@ static int tpacket_rcv(struct sk_buff *s
netoff = TPACKET_ALIGN(po->tp_hdrlen +
(maclen < 16 ? 16 : maclen)) +
- if (po->has_vnet_hdr)
+ if (po->has_vnet_hdr) {
netoff += sizeof(struct virtio_net_hdr);
+ do_vnet = true;
+ }
macoff = netoff - maclen;
if (po->tp_version <= TPACKET_V2) {
@@ -2260,8 +2263,10 @@ static int tpacket_rcv(struct sk_buff *s
skb_set_owner_r(copy_skb, sk);
snaplen = po->rx_ring.frame_size - macoff;
- if ((int)snaplen < 0)
+ if ((int)snaplen < 0) {
snaplen = 0;
+ do_vnet = false;
+ }
} else if (unlikely(macoff + snaplen >
GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
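Review bot: clearing `do_vnet` here is what actually prevents the overflow in the V1/V2 path: `snaplen = 0;` alone does not change `macoff`, and the later header write offset is derived from `macoff`. A comment on the `do_vnet = false;` line saying "no room for the vnet header in this frame" would make that dependency explicit for the next reader.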
@@ -2274,6 +2279,7 @@ static int tpacket_rcv(struct sk_buff *s
if (unlikely((int)snaplen < 0)) {
snaplen = 0;
macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
+ do_vnet = false;
@@ -2299,7 +2305,7 @@ static int tpacket_rcv(struct sk_buff *s
- if (po->has_vnet_hdr) {
+ if (do_vnet) {
if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
sizeof(struct virtio_net_hdr),
vio_le(), true)) {
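Review bot: switching the condition from `po->has_vnet_hdr` to `do_vnet` is the fix proper, but the commit message is a single clause continuing from the subject ("... which may happen with certain values of tp_reserve and maclen") and never names the condition being guarded. Suggest stating it explicitly: the header is written at `h.raw + macoff - sizeof(struct virtio_net_hdr)`, and once `snaplen` goes negative that offset is beyond the buffer, so the write is skipped. It would also help to say what userspace sees for such a frame (snaplen 0 and no vnet header), since sockets with a vnet header otherwise expect one per frame.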
From: Willem de Bruijn <>
Date: Thu, 10 Aug 2017 12:41:58 -0400
Subject: packet: fix tp_reserve race in packet_set_ring
Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.
This bug was discovered by syzkaller.
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <>
Signed-off-by: Willem de Bruijn <>
Signed-off-by: David S. Miller <>
net/packet/af_packet.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 0615c2a950fa..008a45ca3112 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
if (optlen != sizeof(val))
return -EINVAL;
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
- return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
if (val > INT_MAX)
return -EINVAL;
- po->tp_reserve = val;
- return 0;
+ lock_sock(sk);
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+ ret = -EBUSY;
+ } else {
+ po->tp_reserve = val;
+ ret = 0;
+ }
+ release_sock(sk);
+ return ret;
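Review bot: `ret` is assigned and returned but its declaration is not in the hunk; please confirm `packet_setsockopt()` already has an `int ret` in scope here, otherwise this does not build. The reorder is right: `copy_from_user()` and the `INT_MAX` check now run before `lock_sock(sk)`, so the lock is never held across a user copy. The fix is only complete if `packet_set_ring()` reads `tp_reserve` with the same socket lock held; the message asserts this, and a pointer to where that read happens would let reviewers verify it from the patch.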
From: Sven Joachim <>
Date: Mon, 31 Jul 2017 18:10:45 +0200
Subject: rtlwifi: Fix fallback firmware loading
Commit f70e4df2b384 ("rtlwifi: Add code to read new versions of
firmware") added code to load an old firmware file if the new one is
not available. Unfortunately that code is never reached because
request_firmware_nowait() does not wait for the firmware to show up
and returns 0 even if the file is not there.
Use the existing fallback mechanism introduced by commit 62009b7f1279
("rtlwifi: rtl8192cu: Add new firmware") instead.
Fixes: f70e4df2b384 ("rtlwifi: Add code to read new versions of firmware")
Signed-off-by: Sven Joachim <>
Signed-off-by: Kalle Valo <>
drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c | 17 +++++------------
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/sw.c | 17 +++++------------
2 files changed, 10 insertions(+), 24 deletions(-)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/sw.c
@@ -187,18 +187,10 @@ int rtl8723be_init_sw_vars(struct ieee80
rtlpriv->, GFP_KERNEL, hw,
if (err) {
- /* Failed to get firmware. Check if old version available */
- fw_name = "rtlwifi/rtl8723befw.bin";
- pr_info("Using firmware %s\n", fw_name);
- err = request_firmware_nowait(THIS_MODULE, 1, fw_name,
- rtlpriv->, GFP_KERNEL, hw,
- rtl_fw_cb);
- if (err) {
- pr_err("Failed to request firmware!\n");
- vfree(rtlpriv->rtlhal.pfirmware);
- rtlpriv->rtlhal.pfirmware = NULL;
- return 1;
- }
+ pr_err("Failed to request firmware!\n");
+ vfree(rtlpriv->rtlhal.pfirmware);
+ rtlpriv->rtlhal.pfirmware = NULL;
+ return 1;
return 0;
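Review bot: the removed block assumed `request_firmware_nowait()` reports a missing file through its return value; as the message notes, it only reports a failure to queue the request, so the remaining error path now covers just that case and the missing-file fallback moves to the core via `alt_fw_name`. Good that `pfirmware` is set to NULL after `vfree()`. Please check that `fw_name` is still used by the surviving primary request (the truncated context line above shows only part of that call), otherwise it becomes an unused-variable warning.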
@@ -289,6 +281,7 @@ static const struct rtl_hal_cfg rtl8723b
.bar_id = 2,
.write_readback = true,
.name = "rtl8723be_pci",
+ .alt_fw_name = "rtlwifi/rtl8723befw.bin",
.ops = &rtl8723be_hal_ops,
.mod_params = &rtl8723be_mod_params,
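Review bot: `.alt_fw_name = "rtlwifi/rtl8723befw.bin"` is the same string the deleted fallback used, so behaviour is preserved provided the core's `rtl_fw_cb` path honours `alt_fw_name` for this driver; the message credits commit 62009b7f1279 for that mechanism, and naming the function that consumes the field would make the hand-off verifiable from the patch alone.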
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/sw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/sw.c
@@ -216,18 +216,10 @@ int rtl8821ae_init_sw_vars(struct ieee80
rtlpriv->, GFP_KERNEL, hw,
if (err) {
- /* Failed to get firmware. Check if old version available */
- fw_name = "rtlwifi/rtl8821aefw.bin";
- pr_info("Using firmware %s\n", fw_name);
- err = request_firmware_nowait(THIS_MODULE, 1, fw_name,
- rtlpriv->, GFP_KERNEL, hw,
- rtl_fw_cb);
- if (err) {
- pr_err("Failed to request normal firmware!\n");
- vfree(rtlpriv->rtlhal.wowlan_firmware);
- vfree(rtlpriv->rtlhal.pfirmware);
- return 1;
- }
+ pr_err("Failed to request normal firmware!\n");
+ vfree(rtlpriv->rtlhal.wowlan_firmware);
+ vfree(rtlpriv->rtlhal.pfirmware);
+ return 1;
/*load wowlan firmware*/
pr_info("Using firmware %s\n", wowlan_fw_name);
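Review bot: unlike the rtl8723be hunk, this error path frees `wowlan_firmware` and `pfirmware` with `vfree()` but leaves both pointers dangling, whereas the 8723be version sets `pfirmware = NULL` after the free. Suggest adding `rtlpriv->rtlhal.wowlan_firmware = NULL;` and `rtlpriv->rtlhal.pfirmware = NULL;` here so a later teardown cannot double-free. The omission was present in the deleted code too, but the patch is rewriting exactly these lines.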
@@ -331,6 +323,7 @@ static const struct rtl_hal_cfg rtl8821a
.bar_id = 2,
.write_readback = true,
.name = "rtl8821ae_pci",
+ .alt_fw_name = "rtlwifi/rtl8821aefw.bin",
.ops = &rtl8821ae_hal_ops,
.mod_params = &rtl8821ae_mod_params,
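Review bot: `.alt_fw_name` covers only the normal firmware; the wowlan image loaded right after it (see the `/*load wowlan firmware*/` context in the previous hunk) gets no fallback name. The deleted code had no wowlan fallback either, so this is not a regression, but a sentence in the message would stop readers from assuming `alt_fw_name` covers both images.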