kernel: add fix for CVE-2016-7117

This probably doesn't affect Gluon as nothing is using recvmmsg, but it's
still a good idea to get this fixed ASAP.

patches/openwrt/0076-kernel-add-fix-for-CVE-2016-7117.patch

@@ -0,0 +1,105 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 11 Oct 2016 00:46:56 +0200
+Subject: kernel: add fix for CVE-2016-7117
+
+diff --git a/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch
+new file mode 100644
+index 0000000..98da375
+--- /dev/null
++++ b/target/linux/generic/patches-3.18/010-net-Fix-use-after-free-in-the-recvmmsg-exit-path.patch
+@@ -0,0 +1,95 @@
++From cdd1fd36f4b67d9fdbeb1a4d16025192d44a3e8b Mon Sep 17 00:00:00 2001
++Message-Id: <cdd1fd36f4b67d9fdbeb1a4d16025192d44a3e8b.1476139573.git.mschiffer@universe-factory.net>
++From: Arnaldo Carvalho de Melo <acme@redhat.com>
++Date: Mon, 14 Mar 2016 09:56:35 -0300
++Subject: [PATCH] net: Fix use after free in the recvmmsg exit path
++
++[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]
++
++The syzkaller fuzzer hit the following use-after-free:
++
++  Call Trace:
++   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
++   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
++   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
++   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
++   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
++  arch/x86/entry/entry_64.S:185
++
++And, as Dmitry rightly assessed, that is because we can drop the
++reference and then touch it when the underlying recvmsg calls return
++some packets and then hit an error, which will make recvmmsg to set
++sock->sk->sk_err, oops, fix it.
++
++Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
++Cc: Alexander Potapenko <glider@google.com>
++Cc: Eric Dumazet <edumazet@google.com>
++Cc: Kostya Serebryany <kcc@google.com>
++Cc: Sasha Levin <sasha.levin@oracle.com>
++Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
++http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
++Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
++Signed-off-by: David S. Miller <davem@davemloft.net>
++Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
++---
++ net/socket.c | 38 +++++++++++++++++++-------------------
++ 1 file changed, 19 insertions(+), 19 deletions(-)
++
++diff --git a/net/socket.c b/net/socket.c
++index 02fc7c8..7f61789 100644
++--- a/net/socket.c
+++++ b/net/socket.c
++@@ -2410,31 +2410,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
++ 			break;
++ 	}
++ 
++-out_put:
++-	fput_light(sock->file, fput_needed);
++-
++ 	if (err == 0)
++-		return datagrams;
+++		goto out_put;
++ 
++-	if (datagrams != 0) {
+++	if (datagrams == 0) {
+++		datagrams = err;
+++		goto out_put;
+++	}
+++
+++	/*
+++	 * We may return less entries than requested (vlen) if the
+++	 * sock is non block and there aren't enough datagrams...
+++	 */
+++	if (err != -EAGAIN) {
++ 		/*
++-		 * We may return less entries than requested (vlen) if the
++-		 * sock is non block and there aren't enough datagrams...
+++		 * ... or  if recvmsg returns an error after we
+++		 * received some datagrams, where we record the
+++		 * error to return on the next call or if the
+++		 * app asks about it using getsockopt(SO_ERROR).
++ 		 */
++-		if (err != -EAGAIN) {
++-			/*
++-			 * ... or  if recvmsg returns an error after we
++-			 * received some datagrams, where we record the
++-			 * error to return on the next call or if the
++-			 * app asks about it using getsockopt(SO_ERROR).
++-			 */
++-			sock->sk->sk_err = -err;
++-		}
++-
++-		return datagrams;
+++		sock->sk->sk_err = -err;
++ 	}
+++out_put:
+++	fput_light(sock->file, fput_needed);
++ 
++-	return err;
+++	return datagrams;
++ }
++ 
++ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
++-- 
++2.10.0
++