rebase patches on top of Ubuntu-4.15.0-33.36
authorThomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 24 Aug 2018 08:30:36 +0000 (10:30 +0200)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 24 Aug 2018 08:30:36 +0000 (10:30 +0200)
(generated with debian/scripts/import-upstream-tag)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
patches/kernel/0008-net-ethernet-sun-niu-set-correct-packet-size-in-skb.patch [deleted file]
patches/kernel/0008-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch [new file with mode: 0644]
patches/kernel/0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch [deleted file]
patches/kernel/0009-vhost-fix-info-leak-due-to-uninitialized-memory.patch [new file with mode: 0644]
patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch [deleted file]
patches/kernel/0010-scsi-hpsa-disable-device-during-shutdown.patch [new file with mode: 0644]
patches/kernel/0011-Fix-up-non-directory-creation-in-SGID-directories.patch [deleted file]
patches/kernel/0012-net-udp-fix-SO_BINDTODEVICE.patch [deleted file]
patches/kernel/0013-net-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch [deleted file]
patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch [deleted file]
patches/kernel/0015-scsi-hpsa-disable-device-during-shutdown.patch [deleted file]

diff --git a/patches/kernel/0008-net-ethernet-sun-niu-set-correct-packet-size-in-skb.patch b/patches/kernel/0008-net-ethernet-sun-niu-set-correct-packet-size-in-skb.patch
deleted file mode 100644 (file)
index e5a2727..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Rob Taglang <rob@taglang.io>
-Date: Thu, 3 May 2018 17:13:06 -0400
-Subject: [PATCH] net: ethernet: sun: niu set correct packet size in skb
-
-Currently, skb->len and skb->data_len are set to the page size, not
-the packet size. This causes the frame check sequence to not be
-located at the "end" of the packet resulting in ethernet frame check
-errors. The driver does work currently, but stricter kernel facing
-networking solutions like OpenVSwitch will drop these packets as
-invalid.
-
-These changes set the packet size correctly so that these errors no
-longer occur. The length does not include the frame check sequence, so
-that subtraction was removed.
-
-Tested on Oracle/SUN Multithreaded 10-Gigabit Ethernet Network
-Controller [108e:abcd] and validated in wireshark.
-
-Signed-off-by: Rob Taglang <rob@taglang.io>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- drivers/net/ethernet/sun/niu.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
-index 06001bacbe0f..64f1b3a3afa8 100644
---- a/drivers/net/ethernet/sun/niu.c
-+++ b/drivers/net/ethernet/sun/niu.c
-@@ -3442,7 +3442,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
-               len = (val & RCR_ENTRY_L2_LEN) >>
-                       RCR_ENTRY_L2_LEN_SHIFT;
--              len -= ETH_FCS_LEN;
-+              append_size = len + ETH_HLEN + ETH_FCS_LEN;
-               addr = (val & RCR_ENTRY_PKT_BUF_ADDR) <<
-                       RCR_ENTRY_PKT_BUF_ADDR_SHIFT;
-@@ -3452,7 +3452,6 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
-                                        RCR_ENTRY_PKTBUFSZ_SHIFT];
-               off = addr & ~PAGE_MASK;
--              append_size = rcr_size;
-               if (num_rcr == 1) {
-                       int ptype;
-@@ -3465,7 +3464,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
-                       else
-                               skb_checksum_none_assert(skb);
-               } else if (!(val & RCR_ENTRY_MULTI))
--                      append_size = len - skb->len;
-+                      append_size = append_size - skb->len;
-               niu_rx_skb_append(skb, page, off, append_size, rcr_size);
-               if ((page->index + rp->rbr_block_size) - rcr_size == addr) {
diff --git a/patches/kernel/0008-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch b/patches/kernel/0008-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch
new file mode 100644 (file)
index 0000000..b198390
--- /dev/null
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 18 Jun 2018 12:30:37 -0700
+Subject: [PATCH] net/tcp: Fix socket lookups with SO_BINDTODEVICE
+
+Similar to 69678bcd4d2d ("udp: fix SO_BINDTODEVICE"), TCP socket lookups
+need to fail if dev_match is not true. Currently, a packet to a given port
+can match a socket bound to device when it should not. In the VRF case,
+this causes the lookup to hit a VRF socket and not a global socket
+resulting in a response trying to go through the VRF when it should it.
+
+Fixes: 3fa6f616a7a4d ("net: ipv4: add second dif to inet socket lookups")
+Fixes: 4297a0ef08572 ("net: ipv6: add second dif to inet6 socket lookups")
+Reported-by: Lou Berger <lberger@labn.net>
+Diagnosed-by: Renato Westphal <renato@opensourcerouting.org>
+Tested-by: Renato Westphal <renato@opensourcerouting.org>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+---
+ net/ipv4/inet_hashtables.c  | 4 ++--
+ net/ipv6/inet6_hashtables.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index e7d15fb0d94d..24b066c32e06 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -188,9 +188,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
+                       bool dev_match = (sk->sk_bound_dev_if == dif ||
+                                         sk->sk_bound_dev_if == sdif);
+-                      if (exact_dif && !dev_match)
++                      if (!dev_match)
+                               return -1;
+-                      if (sk->sk_bound_dev_if && dev_match)
++                      if (sk->sk_bound_dev_if)
+                               score += 4;
+               }
+               if (sk->sk_incoming_cpu == raw_smp_processor_id())
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index b01858f5deb1..6dc93ac28261 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -113,9 +113,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
+                       bool dev_match = (sk->sk_bound_dev_if == dif ||
+                                         sk->sk_bound_dev_if == sdif);
+-                      if (exact_dif && !dev_match)
++                      if (!dev_match)
+                               return -1;
+-                      if (sk->sk_bound_dev_if && dev_match)
++                      if (sk->sk_bound_dev_if)
+                               score++;
+               }
+               if (sk->sk_incoming_cpu == raw_smp_processor_id())
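Review bot: The regenerated header of this patch (From/Date/Subject down to the last Signed-off-by) no longer records where the change came from: the deleted 0013 copy carried `X-Patchwork-Id: 931179` and a Message-Id, while this version has neither those nor an upstream commit reference, unlike 0009 and 0010 in the same series. Add a provenance trailer such as `(cherry picked from commit <upstream-commit-id>)`, so the carried fix can be matched against a later base kernel and dropped once that base includes it. Both inner compute_score hunks start inside a block whose guarding `if` is outside the hunk, so how unbound sockets reach the `!dev_match` test cannot be checked from here.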
diff --git a/patches/kernel/0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch b/patches/kernel/0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch
deleted file mode 100644 (file)
index eb49834..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Felix Wilhelm <fwilhelm@google.com>
-Date: Mon, 11 Jun 2018 09:43:44 +0200
-Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions
-
-VMX instructions executed inside a L1 VM will always trigger a VM exit
-even when executed with cpl 3. This means we must perform the
-privilege check in software.
-
-Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- arch/x86/kvm/vmx.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 1a5617fc8b6a..5c8bd2d61080 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7575,6 +7575,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
-               return 1;
-       }
-+      /* CPL=0 must be checked manually. */
-+      if (vmx_get_cpl(vcpu)) {
-+              kvm_queue_exception(vcpu, UD_VECTOR);
-+              return 1;
-+      }
-+
-       if (vmx->nested.vmxon) {
-               nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
-               return kvm_skip_emulated_instruction(vcpu);
-@@ -7634,6 +7640,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
-  */
- static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
- {
-+      if (vmx_get_cpl(vcpu)) {
-+              kvm_queue_exception(vcpu, UD_VECTOR);
-+              return 0;
-+      }
-+
-       if (!to_vmx(vcpu)->nested.vmxon) {
-               kvm_queue_exception(vcpu, UD_VECTOR);
-               return 0;
-@@ -7967,7 +7978,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
-               if (get_vmx_mem_address(vcpu, exit_qualification,
-                               vmx_instruction_info, true, &gva))
-                       return 1;
--              /* _system ok, as hardware has verified cpl=0 */
-+              /* _system ok, nested_vmx_check_permission has verified cpl=0 */
-               kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
-                            &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
-       }
-@@ -8110,7 +8121,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
-       if (get_vmx_mem_address(vcpu, exit_qualification,
-                       vmx_instruction_info, true, &vmcs_gva))
-               return 1;
--      /* ok to use *_system, as hardware has verified cpl=0 */
-+      /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
-       if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
-                                (void *)&to_vmx(vcpu)->nested.current_vmptr,
-                                sizeof(u64), &e)) {
diff --git a/patches/kernel/0009-vhost-fix-info-leak-due-to-uninitialized-memory.patch b/patches/kernel/0009-vhost-fix-info-leak-due-to-uninitialized-memory.patch
new file mode 100644 (file)
index 0000000..a627235
--- /dev/null
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 16 Aug 2018 17:02:36 +0800
+Subject: [PATCH] vhost: fix info leak due to uninitialized memory
+
+CVE-2018-1118
+
+struct vhost_msg within struct vhost_msg_node is copied to userspace.
+Unfortunately it turns out on 64 bit systems vhost_msg has padding after
+type which gcc doesn't initialize, leaking 4 uninitialized bytes to
+userspace.
+
+This padding also unfortunately means 32 bit users of this interface are
+broken on a 64 bit kernel which will need to be fixed separately.
+
+Fixes: CVE-2018-1118
+Cc: stable@vger.kernel.org
+Reported-by: Kevin Easton <kevin@guarana.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad)
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
+Acked-by: Kamal Mostafa <kamal@canonical.com>
+Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 31bdfd296ced..a922d3d28a20 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
+       struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+       if (!node)
+               return NULL;
++
++      /* Make sure all padding within the structure is initialized. */
++      memset(&node->msg, 0, sizeof node->msg);
+       node->vq = vq;
+       node->msg.type = type;
+       return node;
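Review bot: The added `memset` in vhost_new_msg clears only `node->msg`, so any other member of the `kmalloc`ed node that is not assigned here stays uninitialized. The struct definition is outside the patch, so whether such members are ever exposed cannot be confirmed from this hunk. Allocating with `kzalloc(sizeof *node, GFP_KERNEL)` would zero the whole node and make the separate memset unnecessary. If the memset is kept, the comment should say why it matters: `/* msg is copied to userspace; zero it so struct padding cannot leak kernel memory. */`.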
diff --git a/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch b/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
deleted file mode 100644 (file)
index dc8c5ea..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen@canonical.com>
-Date: Fri, 27 Jul 2018 14:27:05 -0700
-Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
- unix sockets
-
-the apparmor policy language current does not allow expressing of the
-locking permission for no-fs unix sockets. However the kernel is
-enforcing mediation.
-
-Add the AA_MAY_LOCK perm to the computed perm mask which will grant
-permission for all current abi profiles, but still allow specifying
-auditing of the operation if needed.
-
-http://bugs.launchpad.net/bugs/1780227
-Signed-off-by: John Johansen <john.johansen@canonical.com>
----
- security/apparmor/lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
-index 068a9f471f77..23f3d16d6b85 100644
---- a/security/apparmor/lib.c
-+++ b/security/apparmor/lib.c
-@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
-       /* for v5 perm mapping in the policydb, the other set is used
-        * to extend the general perm set
-        */
--      perms->allow |= map_other(dfa_other_allow(dfa, state));
-+      perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
-       perms->audit |= map_other(dfa_other_audit(dfa, state));
-       perms->quiet |= map_other(dfa_other_quiet(dfa, state));
- //    perms->xindex = dfa_user_xindex(dfa, state);
diff --git a/patches/kernel/0010-scsi-hpsa-disable-device-during-shutdown.patch b/patches/kernel/0010-scsi-hpsa-disable-device-during-shutdown.patch
new file mode 100644 (file)
index 0000000..18109a6
--- /dev/null
@@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 1 Jul 2018 18:22:37 +0200
+Subject: [PATCH] scsi: hpsa: disable device during shutdown
+
+4.17-stable review patch.  If anyone has any objections, please let me know.
+
+------------------
+
+From: Sinan Kaya <okaya@codeaurora.org>
+
+commit 0d98ba8d70b0070ac117452ea0b663e26bbf46bf upstream.
+
+'Commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
+shutdown")' has been added to kernel to shutdown pending PCIe port service
+interrupts during reboot so that a newly started kexec kernel wouldn't
+observe pending interrupts.
+
+pcie_port_device_remove() is disabling the root port and switches by
+calling pci_disable_device() after all PCIe service drivers are shutdown.
+
+This has been found to cause crashes on HP DL360 Gen9 machines during
+reboot due to hpsa driver not clearing the bus master bit during the
+shutdown procedure by calling pci_disable_device().
+
+Disable device as part of the shutdown sequence.
+
+Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199779
+Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
+Cc: stable@vger.kernel.org
+Reported-by: Ryan Finnie <ryan@finnie.org>
+Tested-by: Don Brace <don.brace@microsemi.com>
+Acked-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ drivers/scsi/hpsa.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 211975cc28c9..2d4b5177d1a2 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8879,7 +8879,7 @@ static void hpsa_disable_rld_caching(struct ctlr_info *h)
+       kfree(options);
+ }
+-static void hpsa_shutdown(struct pci_dev *pdev)
++static void __hpsa_shutdown(struct pci_dev *pdev)
+ {
+       struct ctlr_info *h;
+@@ -8894,6 +8894,12 @@ static void hpsa_shutdown(struct pci_dev *pdev)
+       hpsa_disable_interrupt_mode(h);         /* pci_init 2 */
+ }
++static void hpsa_shutdown(struct pci_dev *pdev)
++{
++      __hpsa_shutdown(pdev);
++      pci_disable_device(pdev);
++}
++
+ static void hpsa_free_device_info(struct ctlr_info *h)
+ {
+       int i;
+@@ -8937,7 +8943,7 @@ static void hpsa_remove_one(struct pci_dev *pdev)
+               scsi_remove_host(h->scsi_host);         /* init_one 8 */
+       /* includes hpsa_free_irqs - init_one 4 */
+       /* includes hpsa_disable_interrupt_mode - pci_init 2 */
+-      hpsa_shutdown(pdev);
++      __hpsa_shutdown(pdev);
+       hpsa_free_device_info(h);               /* scan */
diff --git a/patches/kernel/0011-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/kernel/0011-Fix-up-non-directory-creation-in-SGID-directories.patch
deleted file mode 100644 (file)
index 2fc71a9..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Tue, 3 Jul 2018 17:10:19 -0700
-Subject: [PATCH] Fix up non-directory creation in SGID directories
-
-sgid directories have special semantics, making newly created files in
-the directory belong to the group of the directory, and newly created
-subdirectories will also become sgid.  This is historically used for
-group-shared directories.
-
-But group directories writable by non-group members should not imply
-that such non-group members can magically join the group, so make sure
-to clear the sgid bit on non-directories for non-members (but remember
-that sgid without group execute means "mandatory locking", just to
-confuse things even more).
-
-Reported-by: Jann Horn <jannh@google.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-(cherry picked from commit  0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7)
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- fs/inode.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fs/inode.c b/fs/inode.c
-index 5c1138e9cac0..797b4cb3d20b 100644
---- a/fs/inode.c
-+++ b/fs/inode.c
-@@ -2008,8 +2008,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
-       inode->i_uid = current_fsuid();
-       if (dir && dir->i_mode & S_ISGID) {
-               inode->i_gid = dir->i_gid;
-+
-+              /* Directories are special, and always inherit S_ISGID */
-               if (S_ISDIR(mode))
-                       mode |= S_ISGID;
-+              else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
-+                       !in_group_p(inode->i_gid) &&
-+                       !capable_wrt_inode_uidgid(dir, CAP_FSETID))
-+                      mode &= ~S_ISGID;
-       } else
-               inode->i_gid = current_fsgid();
-       inode->i_mode = mode;
diff --git a/patches/kernel/0012-net-udp-fix-SO_BINDTODEVICE.patch b/patches/kernel/0012-net-udp-fix-SO_BINDTODEVICE.patch
deleted file mode 100644 (file)
index 144f192..0000000
+++ /dev/null
@@ -1,67 +0,0 @@
-From patchwork Wed May  9 10:42:34 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [net] udp: fix SO_BINDTODEVICE
-X-Patchwork-Submitter: Paolo Abeni <pabeni@redhat.com>
-X-Patchwork-Id: 910747
-X-Patchwork-Delegate: davem@davemloft.net
-Message-Id: <9445dd5d149af16463df4d0502b2667ee2b6f4e8.1525862461.git.pabeni@redhat.com>
-To: netdev@vger.kernel.org
-Cc: Damir Mansurov <dnman@oktetlabs.ru>, David Ahern <dsahern@gmail.com>,
- David Miller <davem@davemloft.net>
-Date: Wed,  9 May 2018 12:42:34 +0200
-From: Paolo Abeni <pabeni@redhat.com>
-List-Id: <netdev.vger.kernel.org>
-
-Damir reported a breakage of SO_BINDTODEVICE for UDP sockets.
-In absence of VRF devices, after commit fb74c27735f0 ("net:
-ipv4: add second dif to udp socket lookups") the dif mismatch
-isn't fatal anymore for UDP socket lookup with non null
-sk_bound_dev_if, breaking SO_BINDTODEVICE semantics.
-
-This changeset addresses the issue making the dif match mandatory
-again in the above scenario.
-
-Reported-by: Damir Mansurov <dnman@oktetlabs.ru>
-Fixes: fb74c27735f0 ("net: ipv4: add second dif to udp socket lookups")
-Fixes: 1801b570dd2a ("net: ipv6: add second dif to udp socket lookups")
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Acked-by: David Ahern <dsahern@gmail.com>
----
- net/ipv4/udp.c | 4 ++--
- net/ipv6/udp.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index 24b5c59b1c53..c2a292dfd137 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -401,9 +401,9 @@ static int compute_score(struct sock *sk, struct net *net,
-               bool dev_match = (sk->sk_bound_dev_if == dif ||
-                                 sk->sk_bound_dev_if == sdif);
--              if (exact_dif && !dev_match)
-+              if (!dev_match)
-                       return -1;
--              if (sk->sk_bound_dev_if && dev_match)
-+              if (sk->sk_bound_dev_if)
-                       score += 4;
-       }
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index 4ec76a87aeb8..ea0730028e5d 100644
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -148,9 +148,9 @@ static int compute_score(struct sock *sk, struct net *net,
-               bool dev_match = (sk->sk_bound_dev_if == dif ||
-                                 sk->sk_bound_dev_if == sdif);
--              if (exact_dif && !dev_match)
-+              if (!dev_match)
-                       return -1;
--              if (sk->sk_bound_dev_if && dev_match)
-+              if (sk->sk_bound_dev_if)
-                       score++;
-       }
diff --git a/patches/kernel/0013-net-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch b/patches/kernel/0013-net-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch
deleted file mode 100644 (file)
index 5e90e09..0000000
+++ /dev/null
@@ -1,67 +0,0 @@
-From patchwork Mon Jun 18 19:30:37 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [net] net/tcp: Fix socket lookups with SO_BINDTODEVICE
-X-Patchwork-Submitter: dsahern@kernel.org
-X-Patchwork-Id: 931179
-X-Patchwork-Delegate: davem@davemloft.net
-Message-Id: <20180618193037.3365-1-dsahern@kernel.org>
-To: netdev@vger.kernel.org
-Cc: davem@davemloft.net, lberger@labn.net,
- renato@opensourcerouting.org, David Ahern <dsahern@gmail.com>
-Date: Mon, 18 Jun 2018 12:30:37 -0700
-From: dsahern@kernel.org
-List-Id: <netdev.vger.kernel.org>
-
-From: David Ahern <dsahern@gmail.com>
-
-Similar to 69678bcd4d2d ("udp: fix SO_BINDTODEVICE"), TCP socket lookups
-need to fail if dev_match is not true. Currently, a packet to a given port
-can match a socket bound to device when it should not. In the VRF case,
-this causes the lookup to hit a VRF socket and not a global socket
-resulting in a response trying to go through the VRF when it should it.
-
-Fixes: 3fa6f616a7a4d ("net: ipv4: add second dif to inet socket lookups")
-Fixes: 4297a0ef08572 ("net: ipv6: add second dif to inet6 socket lookups")
-Reported-by: Lou Berger <lberger@labn.net>
-Diagnosed-by: Renato Westphal <renato@opensourcerouting.org>
-Tested-by: Renato Westphal <renato@opensourcerouting.org>
-Signed-off-by: David Ahern <dsahern@gmail.com>
----
- net/ipv4/inet_hashtables.c  | 4 ++--
- net/ipv6/inet6_hashtables.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
-index 31ff46daae97..3647167c8fa3 100644
---- a/net/ipv4/inet_hashtables.c
-+++ b/net/ipv4/inet_hashtables.c
-@@ -243,9 +243,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
-                       bool dev_match = (sk->sk_bound_dev_if == dif ||
-                                         sk->sk_bound_dev_if == sdif);
--                      if (exact_dif && !dev_match)
-+                      if (!dev_match)
-                               return -1;
--                      if (sk->sk_bound_dev_if && dev_match)
-+                      if (sk->sk_bound_dev_if)
-                               score += 4;
-               }
-               if (sk->sk_incoming_cpu == raw_smp_processor_id())
-diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
-index 2febe26de6a1..595ad408dba0 100644
---- a/net/ipv6/inet6_hashtables.c
-+++ b/net/ipv6/inet6_hashtables.c
-@@ -113,9 +113,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
-                       bool dev_match = (sk->sk_bound_dev_if == dif ||
-                                         sk->sk_bound_dev_if == sdif);
--                      if (exact_dif && !dev_match)
-+                      if (!dev_match)
-                               return -1;
--                      if (sk->sk_bound_dev_if && dev_match)
-+                      if (sk->sk_bound_dev_if)
-                               score++;
-               }
-               if (sk->sk_incoming_cpu == raw_smp_processor_id())
diff --git a/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch b/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch
deleted file mode 100644 (file)
index a627235..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 16 Aug 2018 17:02:36 +0800
-Subject: [PATCH] vhost: fix info leak due to uninitialized memory
-
-CVE-2018-1118
-
-struct vhost_msg within struct vhost_msg_node is copied to userspace.
-Unfortunately it turns out on 64 bit systems vhost_msg has padding after
-type which gcc doesn't initialize, leaking 4 uninitialized bytes to
-userspace.
-
-This padding also unfortunately means 32 bit users of this interface are
-broken on a 64 bit kernel which will need to be fixed separately.
-
-Fixes: CVE-2018-1118
-Cc: stable@vger.kernel.org
-Reported-by: Kevin Easton <kevin@guarana.org>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad)
-Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
-Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
-Acked-by: Kamal Mostafa <kamal@canonical.com>
-Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- drivers/vhost/vhost.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 31bdfd296ced..a922d3d28a20 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
-       struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
-       if (!node)
-               return NULL;
-+
-+      /* Make sure all padding within the structure is initialized. */
-+      memset(&node->msg, 0, sizeof node->msg);
-       node->vq = vq;
-       node->msg.type = type;
-       return node;
diff --git a/patches/kernel/0015-scsi-hpsa-disable-device-during-shutdown.patch b/patches/kernel/0015-scsi-hpsa-disable-device-during-shutdown.patch
deleted file mode 100644 (file)
index 18109a6..0000000
+++ /dev/null
@@ -1,76 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Sun, 1 Jul 2018 18:22:37 +0200
-Subject: [PATCH] scsi: hpsa: disable device during shutdown
-
-4.17-stable review patch.  If anyone has any objections, please let me know.
-
-------------------
-
-From: Sinan Kaya <okaya@codeaurora.org>
-
-commit 0d98ba8d70b0070ac117452ea0b663e26bbf46bf upstream.
-
-'Commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
-shutdown")' has been added to kernel to shutdown pending PCIe port service
-interrupts during reboot so that a newly started kexec kernel wouldn't
-observe pending interrupts.
-
-pcie_port_device_remove() is disabling the root port and switches by
-calling pci_disable_device() after all PCIe service drivers are shutdown.
-
-This has been found to cause crashes on HP DL360 Gen9 machines during
-reboot due to hpsa driver not clearing the bus master bit during the
-shutdown procedure by calling pci_disable_device().
-
-Disable device as part of the shutdown sequence.
-
-Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=199779
-Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
-Cc: stable@vger.kernel.org
-Reported-by: Ryan Finnie <ryan@finnie.org>
-Tested-by: Don Brace <don.brace@microsemi.com>
-Acked-by: Don Brace <don.brace@microsemi.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
----
- drivers/scsi/hpsa.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 211975cc28c9..2d4b5177d1a2 100644
---- a/drivers/scsi/hpsa.c
-+++ b/drivers/scsi/hpsa.c
-@@ -8879,7 +8879,7 @@ static void hpsa_disable_rld_caching(struct ctlr_info *h)
-       kfree(options);
- }
--static void hpsa_shutdown(struct pci_dev *pdev)
-+static void __hpsa_shutdown(struct pci_dev *pdev)
- {
-       struct ctlr_info *h;
-@@ -8894,6 +8894,12 @@ static void hpsa_shutdown(struct pci_dev *pdev)
-       hpsa_disable_interrupt_mode(h);         /* pci_init 2 */
- }
-+static void hpsa_shutdown(struct pci_dev *pdev)
-+{
-+      __hpsa_shutdown(pdev);
-+      pci_disable_device(pdev);
-+}
-+
- static void hpsa_free_device_info(struct ctlr_info *h)
- {
-       int i;
-@@ -8937,7 +8943,7 @@ static void hpsa_remove_one(struct pci_dev *pdev)
-               scsi_remove_host(h->scsi_host);         /* init_one 8 */
-       /* includes hpsa_free_irqs - init_one 4 */
-       /* includes hpsa_disable_interrupt_mode - pci_init 2 */
--      hpsa_shutdown(pdev);
-+      __hpsa_shutdown(pdev);
-       hpsa_free_device_info(h);               /* scan */