Skip to content

L
linux
Switch branch/tag
  1. 11 Aug, 2017 21 commits
  3. 10 Aug, 2017 3 commits
  5. 08 Aug, 2017 7 commits
    • Stefan Bader's avatar
      UBUNTU: Ubuntu-4.4.0-91.114 · 474ab8f0
      Stefan Bader authored 
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      474ab8f0
    • Willem de Bruijn's avatar
      udp: consistently apply ufo or fragmentation · 840d468d
      Willem de Bruijn authored 
      When iteratively building a UDP datagram with MSG_MORE and that
datagram exceeds MTU, consistently choose UFO or fragmentation.

Once skb_is_gso, always apply ufo. Conversely, once a datagram is
split across multiple skbs, do not consider ufo.

Sendpage already maintains the first invariant, only add the second.
IPv6 does not have a sendpage implementation to modify.

Fixes: e89e9cf5 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>

CVE-2017-1000112

(backported from email submission)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      840d468d
    • Michal Kubeček's avatar
      net: account for current skb length when deciding about UFO · 3b4e2b1d
      Michal Kubeček authored 
      Our customer encountered stuck NFS writes for blocks starting at specific
offsets w.r.t. page boundary caused by networking stack sending packets via
UFO enabled device with wrong checksum. The problem can be reproduced by
composing a long UDP datagram from multiple parts using MSG_MORE flag:

  sendto(sd, buff, 1000, MSG_MORE, ...);
  sendto(sd, buff, 1000, MSG_MORE, ...);
  sendto(sd, buff, 3000, 0, ...);

Assume this packet is to be routed via a device with MTU 1500 and
NETIF_F_UFO enabled. When second sendto() gets into __ip_append_data(),
this condition is tested (among others) to decide whether to call
ip_ufo_append_data():

  ((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))

At the moment, we already have skb with 1028 bytes of data which is not
marked for GSO so that the test is false (fragheaderlen is usually 20).
Thus we append second 1000 bytes to this skb without invoking UFO. Third
sendto(), however, has sufficient length to trigger the UFO path so that we
end up with non-UFO skb followed by a UFO one. Later on, udp_send_skb()
uses udp_csum() to calculate the checksum but that assumes all fragments
have correct checksum in skb->csum which is not true for UFO fragments.

When checking against MTU, we need to add skb->len to length of new segment
if we already have a partially filled skb and fragheaderlen only if there
isn't one.

In the IPv6 case, skb can only be null if this is the first segment so that
we have to use headersize (length of the first IPv6 header) rather than
fragheaderlen (length of IPv6 header of further fragments) for skb == NULL.

Fixes: e89e9cf5 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Fixes: e4c5e13a ("ipv6: Should use consistent conditional judgement for
	ip6 fragment between __ip6_append_data and ip6_finish_output")
Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
Acked-by: default avatarVlad Yasevich <vyasevic@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      3b4e2b1d
    • Zheng Li's avatar
      ipv6: Should use consistent conditional judgement for ip6 fragment between... · 74b6bea3
      Zheng Li authored 
      ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output

There is an inconsistent conditional judgement between __ip6_append_data
and ip6_finish_output functions, the variable length in __ip6_append_data
just include the length of application's payload and udp6 header, don't
include the length of ipv6 header, but in ip6_finish_output use
(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
length of ipv6 header.

That causes some particular application's udp6 payloads whose length are
between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
though the rst->dev support UFO feature.

Add the length of ipv6 header to length in __ip6_append_data to keep
consistent conditional judgement as ip6_finish_output for ip6 fragment.
Signed-off-by: default avatarZheng Li <james.z.li@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112

(cherry-picked from commit e4c5e13a)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      74b6bea3
    • Alexey Kodanev's avatar
      udp: avoid ufo handling on IP payload compression packets · 0de6ee9d
      Alexey Kodanev authored 
      commit c146066a ("ipv4: Don't use ufo handling on later transformed
packets") and commit f89c56ce ("ipv6: Don't use ufo handling on
later transformed packets") added a check that 'rt->dst.header_len' isn't
zero in order to skip UFO, but it doesn't include IPcomp in transport mode
where it equals zero.

Packets, after payload compression, may not require further fragmentation,
and if original length exceeds MTU, later compressed packets will be
transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:

* IPv4 case, offset is wrong + unnecessary fragmentation
    udp_ipsec.sh -p comp -m transport -s 2000 &
    tcpdump -ni ltp_ns_veth2
    ...
    IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
      proto Compressed IP (108), length 49)
      10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
    IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
      proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17

* IPv6 case, sending small fragments
    udp_ipsec.sh -6 -p comp -m transport -s 2000 &
    tcpdump -ni ltp_ns_veth2
    ...
    IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
      payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
    IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
      payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)

Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
if xfrm is set. So the new check will include both cases: IPcomp and IPsec.

Fixes: c146066a ("ipv4: Don't use ufo handling on later transformed packets")
Fixes: f89c56ce ("ipv6: Don't use ufo handling on later transformed packets")
Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112

(cherry-picked from commit 4b3b45ed)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      0de6ee9d
    • Jakub Sitnicki's avatar
      ipv6: Don't use ufo handling on later transformed packets · d10b5e3d
      Jakub Sitnicki authored 
      Similar to commit c146066a ("ipv4: Don't use ufo handling on later
transformed packets"), don't perform UFO on packets that will be IPsec
transformed. To detect it we rely on the fact that headerlen in
dst_entry is non-zero only for transformation bundles (xfrm_dst
objects).

Unwanted segmentation can be observed with a NETIF_F_UFO capable device,
such as a dummy device:

  DEV=dum0 LEN=1493

  ip li add $DEV type dummy
  ip addr add fc00::1/64 dev $DEV nodad
  ip link set $DEV up
  ip xfrm policy add dir out src fc00::1 dst fc00::2 \
     tmpl src fc00::1 dst fc00::2 proto esp spi 1
  ip xfrm state add src fc00::1 dst fc00::2 \
     proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b

  tcpdump -n -nn -i $DEV -t &
  socat /dev/zero,readbytes=$LEN udp6:[fc00::2]:$LEN

tcpdump output before:

  IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
  IP6 fc00::1 > fc00::2: frag (1448|48)
  IP6 fc00::1 > fc00::2: ESP(spi=0x00000001,seq=0x2), length 88

... and after:

  IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
  IP6 fc00::1 > fc00::2: frag (1448|80)

Fixes: e89e9cf5 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Signed-off-by: default avatarJakub Sitnicki <jkbs@redhat.com>
Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112

(cherry-picked from commit f89c56ce)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      d10b5e3d
    • zheng li's avatar
      ipv4: Should use consistent conditional judgement for ip fragment in... · 0ca67031
      zheng li authored 
      ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output

There is an inconsistent conditional judgement in __ip_append_data and
ip_finish_output functions, the variable length in __ip_append_data just
include the length of application's payload and udp header, don't include
the length of ip header, but in ip_finish_output use
(skb->len > ip_skb_dst_mtu(skb)) as judgement, and skb->len include the
length of ip header.

That causes some particular application's udp payload whose length is
between (MTU - IP Header) and MTU were fragmented by ip_fragment even
though the rst->dev support UFO feature.

Add the length of ip header to length in __ip_append_data to keep
consistent conditional judgement as ip_finish_output for ip fragment.
Signed-off-by: default avatarZheng Li <james.z.li@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112

(cherry-picked from commit 0a28cfd5)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      0ca67031
  7. 07 Aug, 2017 2 commits
  9. 31 Jul, 2017 3 commits
  11. 20 Jul, 2017 1 commit
  13. 19 Jul, 2017 3 commits
    • Marcelo Henrique Cerri's avatar
      UBUNTU: [Debian] Support custom and lts kernels in printchanges/insertchanges · e081040f
      Marcelo Henrique Cerri authored 
      Ignore: yes

Currently printchanges/insertchanges do not work for custom kernels
because commit messages for each release follow the format
"UBUNTU: Ubuntu-${flavour}-${prev_fullver}" instead of
"UBUNTU: Ubuntu-${prev_fullver}". Also, for the first release, the
previous version in the changelog does not match the version in the
previous release commit.

This patch makes the base commit selection more flexible, allowing
commit messages in the format "UBUNTU: Ubuntu-*${prev_fullver}" and it
fallbacks to the latest release commit when a exact match is not found
in order to support the custom kernels in their initial releases.
Signed-off-by: default avatarMarcelo Henrique Cerri <marcelo.cerri@canonical.com>
Acked-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
Acked-by: default avatarSeth Forshee <seth.forshee@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      e081040f
    • Martin K. Petersen's avatar
      nvme: Quirks for PM1725 controllers · 3ac0a2eb
      Martin K. Petersen authored 
      BugLink: http://bugs.launchpad.net/bugs/1704435

PM1725 controllers have a couple of quirks that need to be handled in
the driver:

 - I/O queue depth must be limited to 64 entries on controllers that do
   not report MQES.

 - The host interface registers go offline briefly while resetting the
   chip. Thus a delay is needed before checking whether the controller
   is ready.

Note that the admin queue depth is also limited to 64 on older versions
of this board. Since our NVME_AQ_DEPTH is now 32 that is no longer an
issue.
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: default avatarSagi Grimberg <sagi@grimberg.me>
(backported from d554b5e1)
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
Acked-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      3ac0a2eb
    • Shrirang Bagul's avatar
      UBUNTU: SAUCE: Redpine: Upgrade to ver. 1.2 production release · 0fdd9099
      Shrirang Bagul authored 
      BugLink: https://bugs.launchpad.net/bugs/1697829
BugLink: https://bugs.launchpad.net/bugs/1694733
BugLink: https://bugs.launchpad.net/bugs/1700941

Vendor release ver: 1.2 (production version)

1.2 -
 WLAN Supported Features:
 ------------------------
 1) Station mode
 2) 802.11bgn
 3) Secutiry modes: Open, WEP, WPA, WPA2
 4) AP mode
 5) Bgscan and roaming
 6) Legacy and UAPSD power save
 7) Regulatory support
 8) WoWLAN
 9) Management frame protection
 10) Wi-Fi direct mode

 WLAN Bug Fixes:
 ---------------
 1) WoWLAN from S5 fails (lp: #1686283)
 2) After wifi-ap is set, system will kernel panic  (lp: #1699753)
 3) Connect to "n" AP will cause system kernel panic (lp: #1699686)
 4) Low throughput observed in some channels for TCP downlink traffic in
 Coex mode.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) For GTK rekey, wakeup trigger send to host.

 BT Supported Features:
 ----------------------
 1) BT EDR mode
 2) BT LE mode
 3) BT Coex mode
	* WLAN STA + BT EDR
	* WLAN STA + BT LE
	* WLAN STA + BT EDR + BT LE
	* WLAN AP + BT EDR
	* WLAN AP + BT EDR + BT LE

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC16 -
 WLAN Bug Fixes:
 ---------------
 1) WoWLAN from S5 fails (lp: #1686283)
 2) After wifi-ap is set, system will kernel panic  (lp: #1699753)
 3) Connect to "n" AP will cause system kernel panic (lp: #1699686)

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) For GTK rekey, wakeup trigger send to host.
 2) Low throughput observed for TCP downlink traffic in Coex mode

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC15 -
 WLAN Bug Fixes:
 ---------------
 1) Coverity scan fixes (lp: #1694733)
 2) Avoid driver reload at S4 resume

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC14 -
 WLAN Bug Fixes:
 ---------------
 1) Low throughput with 40MHz issue resolved.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.
 3) Low throughput observed for TCP downlink traffic in Coex mode

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC12 -
 WLAN Bug Fixes:
 ---------------
 1) WoWLAN stress test cases issue resolved (when all wifi, bt, ble traffics run and suspend)

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.
 3) Low throughput observed for TCP downlink traffic in Coex mode

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC11 -
 WLAN New Features:
 ------------------
 1) Module parameter for debug level(ven_rsi_zone_enabled) is added.
 2) Regulatory changes for Caracalla added

 WLAN Bug Fixes:
 ---------------
 1) Legacy power save issue is fixed.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.
 3) Low throughput observed for TCP downlink traffic in Coex mode

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC10 -
 WLAN Bug Fixes:
 ---------------
 1) 1 minute time delay in sdio resume issue is resolved (Reduced to 10s).
 2) Fail in multiple iterations of hibernate issue is resolved.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.

 BT New Features:
 ----------------
 1) BT classic + BT LE mode is supported

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
 from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC9 -
 WLAN Bug Fixes:
 ---------------
 1) BT reset added before going to S3/S4/S5 sleep when WoWLAN is enabled.
 2) Station connection check before going to S3/S4/S5 sleep removed.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
    from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC8 -
 WLAN Bug Fixes:
 ---------------
 1) Added power leak fixes for S4.
 2) S5 WoLAN issue resolved.
 3) Wakeup short pulse issue resolved.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
    from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC7 -
 WLAN Bug Fixes:
 ---------------
 1) Configured host wakeup pin as active low from driver.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
    from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC6 -
 WLAN Bug Fixes:
 ---------------
 1) AP data throughput issue resolved.
 2) Scan results issue resolved.

 WLAN Limitations/Features NOT Supported:
 ----------------------------------------
 1) S5 with WoWLAN does not work.
 2) For GTK rekey, wakeup trigger send to host.

 BT Limitations/Features NOT Supported:
 ----------------------------------------
 1) To connect multiple BT slaves, connection should be initiated
    from rsi module.
 2) In coex mode, BT file transfer fails at times with certain mobiles.
Signed-off-by: default avatarShrirang Bagul <shrirang.bagul@canonical.com>
Acked-by: default avatarStefan Bader <stefan.bader@canonical.com>
Acked-by: default avatarKleber Souza <kleber.souza@canonical.com>
Acked-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      0fdd9099
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7