From: Thomas Lamprecht
Date: Fri, 24 Aug 2018 08:30:36 +0000 (+0200)
Subject: rebase patches on top of Ubuntu-4.15.0-33.36
X-Git-Url: https://git.proxmox.com/?p=pve-kernel.git;a=commitdiff_plain;h=9464be53517a2a376207db285074a37e747b4be2
rebase patches on top of Ubuntu-4.15.0-33.36
(generated with debian/scripts/import-upstream-tag)
Signed-off-by: Thomas Lamprecht
---
diff --git a/patches/kernel/0008-net-ethernet-sun-niu-set-correct-packet-size-in-skb.patch b/patches/kernel/0008-net-ethernet-sun-niu-set-correct-packet-size-in-skb.patch
deleted file mode 100644
index e5a2727..0000000
--- a/patches/kernel/0008-net-ethernet-sun-niu-set-correct-packet-size-in-skb.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Rob Taglang
-Date: Thu, 3 May 2018 17:13:06 -0400
-Subject: [PATCH] net: ethernet: sun: niu set correct packet size in skb
-
-Currently, skb->len and skb->data_len are set to the page size, not
-the packet size. This causes the frame check sequence to not be
-located at the "end" of the packet resulting in ethernet frame check
-errors. The driver does work currently, but stricter kernel facing
-networking solutions like OpenVSwitch will drop these packets as
-invalid.
-
-These changes set the packet size correctly so that these errors no
-longer occur. The length does not include the frame check sequence, so
-that subtraction was removed.
-
-Tested on Oracle/SUN Multithreaded 10-Gigabit Ethernet Network
-Controller [108e:abcd] and validated in wireshark.
-
-Signed-off-by: Rob Taglang
-Signed-off-by: David S. Miller
-Signed-off-by: Thomas Lamprecht
----
- drivers/net/ethernet/sun/niu.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
-index 06001bacbe0f..64f1b3a3afa8 100644
---- a/drivers/net/ethernet/sun/niu.c
-+++ b/drivers/net/ethernet/sun/niu.c
-@@ -3442,7 +3442,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
-
- len = (val & RCR_ENTRY_L2_LEN) >>
- RCR_ENTRY_L2_LEN_SHIFT;
-- len -= ETH_FCS_LEN;
-+ append_size = len + ETH_HLEN + ETH_FCS_LEN;
-
- addr = (val & RCR_ENTRY_PKT_BUF_ADDR) <<
- RCR_ENTRY_PKT_BUF_ADDR_SHIFT;
-@@ -3452,7 +3452,6 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
- RCR_ENTRY_PKTBUFSZ_SHIFT];
-
- off = addr & ~PAGE_MASK;
-- append_size = rcr_size;
- if (num_rcr == 1) {
- int ptype;
-
-@@ -3465,7 +3464,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
- else
- skb_checksum_none_assert(skb);
- } else if (!(val & RCR_ENTRY_MULTI))
-- append_size = len - skb->len;
-+ append_size = append_size - skb->len;
-
- niu_rx_skb_append(skb, page, off, append_size, rcr_size);
- if ((page->index + rp->rbr_block_size) - rcr_size == addr) {
diff --git a/patches/kernel/0008-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch b/patches/kernel/0008-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch
new file mode 100644
index 0000000..b198390
--- /dev/null
+++ b/patches/kernel/0008-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch
@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Ahern
+Date: Mon, 18 Jun 2018 12:30:37 -0700
+Subject: [PATCH] net/tcp: Fix socket lookups with SO_BINDTODEVICE
+
+Similar to 69678bcd4d2d ("udp: fix SO_BINDTODEVICE"), TCP socket lookups
+need to fail if dev_match is not true. Currently, a packet to a given port
+can match a socket bound to device when it should not. In the VRF case,
+this causes the lookup to hit a VRF socket and not a global socket
+resulting in a response trying to go through the VRF when it should it.
+
+Fixes: 3fa6f616a7a4d ("net: ipv4: add second dif to inet socket lookups")
+Fixes: 4297a0ef08572 ("net: ipv6: add second dif to inet6 socket lookups")
+Reported-by: Lou Berger
+Diagnosed-by: Renato Westphal
+Tested-by: Renato Westphal
+Signed-off-by: David Ahern
+---
+ net/ipv4/inet_hashtables.c | 4 ++--
+ net/ipv6/inet6_hashtables.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index e7d15fb0d94d..24b066c32e06 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -188,9 +188,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
+ bool dev_match = (sk->sk_bound_dev_if == dif ||
+ sk->sk_bound_dev_if == sdif);
+
+- if (exact_dif && !dev_match)
++ if (!dev_match)
+ return -1;
+- if (sk->sk_bound_dev_if && dev_match)
++ if (sk->sk_bound_dev_if)
+ score += 4;
+ }
+ if (sk->sk_incoming_cpu == raw_smp_processor_id())
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index b01858f5deb1..6dc93ac28261 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -113,9 +113,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
+ bool dev_match = (sk->sk_bound_dev_if == dif ||
+ sk->sk_bound_dev_if == sdif);
+
+- if (exact_dif && !dev_match)
++ if (!dev_match)
+ return -1;
+- if (sk->sk_bound_dev_if && dev_match)
++ if (sk->sk_bound_dev_if)
+ score++;
+ }
+ if (sk->sk_incoming_cpu == raw_smp_processor_id())
diff --git a/patches/kernel/0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch b/patches/kernel/0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch
deleted file mode 100644
index eb49834..0000000
--- a/patches/kernel/0009-kvm-nVMX-Enforce-cpl-0-for-VMX-instructions.patch
+++ /dev/null
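Review bot: The new 0008 patch header carries no upstream reference, whereas the 0009 and 0010 patches added in this same commit record `(cherry picked from commit ...)` / `commit ... upstream.` lines plus a local Signed-off-by, so nothing in this file lets a later rebase confirm the copy still matches the mainline fix or decide when the Ubuntu base has absorbed it and the patch can be dropped. The deleted 0013 version at least kept a patchwork `Message-Id:`; the rebased copy drops that too, and its inet_hashtables.c hunk now applies at line 188 rather than 243, so the base it was regenerated against is also undocumented. I would add `(cherry picked from commit <UPSTREAM_COMMIT_SHA>)` and `Signed-off-by: <rebasing maintainer>` after the author's Signed-off-by line, before the `---` separator. Separately, once `exact_dif && !dev_match` is reduced to `!dev_match`, `exact_dif` is no longer referenced in the visible part of either compute_score; whether the parameter still has a use elsewhere in those functions is outside the hunk, so this is presumably a follow-up cleanup rather than a defect.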
@@ -1,65 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Felix Wilhelm
-Date: Mon, 11 Jun 2018 09:43:44 +0200
-Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions
-
-VMX instructions executed inside a L1 VM will always trigger a VM exit
-even when executed with cpl 3. This means we must perform the
-privilege check in software.
-
-Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Wilhelm
-Signed-off-by: Paolo Bonzini
-Signed-off-by: Thomas Lamprecht
----
- arch/x86/kvm/vmx.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 1a5617fc8b6a..5c8bd2d61080 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7575,6 +7575,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- return 1;
- }
-
-+ /* CPL=0 must be checked manually. */
-+ if (vmx_get_cpl(vcpu)) {
-+ kvm_queue_exception(vcpu, UD_VECTOR);
-+ return 1;
-+ }
-+
- if (vmx->nested.vmxon) {
- nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
- return kvm_skip_emulated_instruction(vcpu);
-@@ -7634,6 +7640,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- */
- static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
- {
-+ if (vmx_get_cpl(vcpu)) {
-+ kvm_queue_exception(vcpu, UD_VECTOR);
-+ return 0;
-+ }
-+
- if (!to_vmx(vcpu)->nested.vmxon) {
- kvm_queue_exception(vcpu, UD_VECTOR);
- return 0;
-@@ -7967,7 +7978,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
- if (get_vmx_mem_address(vcpu, exit_qualification,
- vmx_instruction_info, true, &gva))
- return 1;
-- /* _system ok, as hardware has verified cpl=0 */
-+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
- kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
- &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
- }
-@@ -8110,7 +8121,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
- if (get_vmx_mem_address(vcpu, exit_qualification,
- vmx_instruction_info, true, &vmcs_gva))
- return 1;
-- /* ok to use *_system, as hardware has verified cpl=0 */
-+ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
- if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
- (void *)&to_vmx(vcpu)->nested.current_vmptr,
- sizeof(u64), &e)) {
diff --git a/patches/kernel/0009-vhost-fix-info-leak-due-to-uninitialized-memory.patch b/patches/kernel/0009-vhost-fix-info-leak-due-to-uninitialized-memory.patch
new file mode 100644
index 0000000..a627235
--- /dev/null
+++ b/patches/kernel/0009-vhost-fix-info-leak-due-to-uninitialized-memory.patch
@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Thu, 16 Aug 2018 17:02:36 +0800
+Subject: [PATCH] vhost: fix info leak due to uninitialized memory
+
+CVE-2018-1118
+
+struct vhost_msg within struct vhost_msg_node is copied to userspace.
+Unfortunately it turns out on 64 bit systems vhost_msg has padding after
+type which gcc doesn't initialize, leaking 4 uninitialized bytes to
+userspace.
+
+This padding also unfortunately means 32 bit users of this interface are
+broken on a 64 bit kernel which will need to be fixed separately.
+
+Fixes: CVE-2018-1118
+Cc: stable@vger.kernel.org
+Reported-by: Kevin Easton
+Signed-off-by: Michael S. Tsirkin
+Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad)
+Signed-off-by: Po-Hsu Lin
+Acked-by: Khalid Elmously
+Acked-by: Kamal Mostafa
+Signed-off-by: Khalid Elmously
+Signed-off-by: Stoiko Ivanov
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 31bdfd296ced..a922d3d28a20 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
+ struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+ if (!node)
+ return NULL;
++
++ /* Make sure all padding within the structure is initialized. */
++ memset(&node->msg, 0, sizeof node->msg);
+ node->vq = vq;
+ node->msg.type = type;
+ return node;
diff --git a/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch b/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
deleted file mode 100644
index dc8c5ea..0000000
--- a/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: John Johansen
-Date: Fri, 27 Jul 2018 14:27:05 -0700
-Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
- unix sockets
-
-the apparmor policy language current does not allow expressing of the
-locking permission for no-fs unix sockets. However the kernel is
-enforcing mediation.
-
-Add the AA_MAY_LOCK perm to the computed perm mask which will grant
-permission for all current abi profiles, but still allow specifying
-auditing of the operation if needed.
-
-http://bugs.launchpad.net/bugs/1780227
-Signed-off-by: John Johansen
----
- security/apparmor/lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
-index 068a9f471f77..23f3d16d6b85 100644
---- a/security/apparmor/lib.c
-+++ b/security/apparmor/lib.c
-@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
- /* for v5 perm mapping in the policydb, the other set is used
- * to extend the general perm set
- */
-- perms->allow |= map_other(dfa_other_allow(dfa, state));
-+ perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
- perms->audit |= map_other(dfa_other_audit(dfa, state));
- perms->quiet |= map_other(dfa_other_quiet(dfa, state));
- // perms->xindex = dfa_user_xindex(dfa, state);
diff --git a/patches/kernel/0010-scsi-hpsa-disable-device-during-shutdown.patch b/patches/kernel/0010-scsi-hpsa-disable-device-during-shutdown.patch
new file mode 100644
index 0000000..18109a6
--- /dev/null
+++ b/patches/kernel/0010-scsi-hpsa-disable-device-during-shutdown.patch
@@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 1 Jul 2018 18:22:37 +0200
+Subject: [PATCH] scsi: hpsa: disable device during shutdown
+
+4.17-stable review patch. If anyone has any objections, please let me know.
+
+------------------
+
+From: Sinan Kaya
+
+commit 0d98ba8d70b0070ac117452ea0b663e26bbf46bf upstream.
+
+'Commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
+shutdown")' has been added to kernel to shutdown pending PCIe port service
+interrupts during reboot so that a newly started kexec kernel wouldn't
+observe pending interrupts.
+
+pcie_port_device_remove() is disabling the root port and switches by
+calling pci_disable_device() after all PCIe service drivers are shutdown.
+
+This has been found to cause crashes on HP DL360 Gen9 machines during
+reboot due to hpsa driver not clearing the bus master bit during the
+shutdown procedure by calling pci_disable_device().
+
+Disable device as part of the shutdown sequence.
+
+Signed-off-by: Sinan Kaya
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199779
+Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
+Cc: stable@vger.kernel.org
+Reported-by: Ryan Finnie
+Tested-by: Don Brace
+Acked-by: Don Brace
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Stoiko Ivanov
+---
+ drivers/scsi/hpsa.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 211975cc28c9..2d4b5177d1a2 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8879,7 +8879,7 @@ static void hpsa_disable_rld_caching(struct ctlr_info *h)
+ kfree(options);
+ }
+
+-static void hpsa_shutdown(struct pci_dev *pdev)
++static void __hpsa_shutdown(struct pci_dev *pdev)
+ {
+ struct ctlr_info *h;
+
+@@ -8894,6 +8894,12 @@ static void hpsa_shutdown(struct pci_dev *pdev)
+ hpsa_disable_interrupt_mode(h); /* pci_init 2 */
+ }
+
++static void hpsa_shutdown(struct pci_dev *pdev)
++{
++ __hpsa_shutdown(pdev);
++ pci_disable_device(pdev);
++}
++
+ static void hpsa_free_device_info(struct ctlr_info *h)
+ {
+ int i;
+@@ -8937,7 +8943,7 @@ static void hpsa_remove_one(struct pci_dev *pdev)
+ scsi_remove_host(h->scsi_host); /* init_one 8 */
+ /* includes hpsa_free_irqs - init_one 4 */
+ /* includes hpsa_disable_interrupt_mode - pci_init 2 */
+- hpsa_shutdown(pdev);
++ __hpsa_shutdown(pdev);
+
+ hpsa_free_device_info(h); /* scan */
+
diff --git a/patches/kernel/0011-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/kernel/0011-Fix-up-non-directory-creation-in-SGID-directories.patch
deleted file mode 100644
index 2fc71a9..0000000
--- a/patches/kernel/0011-Fix-up-non-directory-creation-in-SGID-directories.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds
-Date: Tue, 3 Jul 2018 17:10:19 -0700
-Subject: [PATCH] Fix up non-directory creation in SGID directories
-
-sgid directories have special semantics, making newly created files in
-the directory belong to the group of the directory, and newly created
-subdirectories will also become sgid. This is historically used for
-group-shared directories.
-
-But group directories writable by non-group members should not imply
-that such non-group members can magically join the group, so make sure
-to clear the sgid bit on non-directories for non-members (but remember
-that sgid without group execute means "mandatory locking", just to
-confuse things even more).
-
-Reported-by: Jann Horn
-Cc: Andy Lutomirski
-Cc: Al Viro
-Signed-off-by: Linus Torvalds
-(cherry picked from commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7)
-Signed-off-by: Stoiko Ivanov
----
- fs/inode.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fs/inode.c b/fs/inode.c
-index 5c1138e9cac0..797b4cb3d20b 100644
---- a/fs/inode.c
-+++ b/fs/inode.c
-@@ -2008,8 +2008,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
- inode->i_uid = current_fsuid();
- if (dir && dir->i_mode & S_ISGID) {
- inode->i_gid = dir->i_gid;
-+
-+ /* Directories are special, and always inherit S_ISGID */
- if (S_ISDIR(mode))
- mode |= S_ISGID;
-+ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
-+ !in_group_p(inode->i_gid) &&
-+ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
-+ mode &= ~S_ISGID;
- } else
- inode->i_gid = current_fsgid();
- inode->i_mode = mode;
diff --git a/patches/kernel/0012-net-udp-fix-SO_BINDTODEVICE.patch b/patches/kernel/0012-net-udp-fix-SO_BINDTODEVICE.patch
deleted file mode 100644
index 144f192..0000000
--- a/patches/kernel/0012-net-udp-fix-SO_BINDTODEVICE.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From patchwork Wed May 9 10:42:34 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [net] udp: fix SO_BINDTODEVICE
-X-Patchwork-Submitter: Paolo Abeni
-X-Patchwork-Id: 910747
-X-Patchwork-Delegate: davem@davemloft.net
-Message-Id: <9445dd5d149af16463df4d0502b2667ee2b6f4e8.1525862461.git.pabeni@redhat.com>
-To: netdev@vger.kernel.org
-Cc: Damir Mansurov , David Ahern ,
- David Miller
-Date: Wed, 9 May 2018 12:42:34 +0200
-From: Paolo Abeni
-List-Id:
-
-Damir reported a breakage of SO_BINDTODEVICE for UDP sockets.
-In absence of VRF devices, after commit fb74c27735f0 ("net:
-ipv4: add second dif to udp socket lookups") the dif mismatch
-isn't fatal anymore for UDP socket lookup with non null
-sk_bound_dev_if, breaking SO_BINDTODEVICE semantics.
-
-This changeset addresses the issue making the dif match mandatory
-again in the above scenario.
-
-Reported-by: Damir Mansurov
-Fixes: fb74c27735f0 ("net: ipv4: add second dif to udp socket lookups")
-Fixes: 1801b570dd2a ("net: ipv6: add second dif to udp socket lookups")
-Signed-off-by: Paolo Abeni
-Acked-by: David Ahern
----
- net/ipv4/udp.c | 4 ++--
- net/ipv6/udp.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index 24b5c59b1c53..c2a292dfd137 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -401,9 +401,9 @@ static int compute_score(struct sock *sk, struct net *net,
- bool dev_match = (sk->sk_bound_dev_if == dif ||
- sk->sk_bound_dev_if == sdif);
-
-- if (exact_dif && !dev_match)
-+ if (!dev_match)
- return -1;
-- if (sk->sk_bound_dev_if && dev_match)
-+ if (sk->sk_bound_dev_if)
- score += 4;
- }
-
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index 4ec76a87aeb8..ea0730028e5d 100644
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -148,9 +148,9 @@ static int compute_score(struct sock *sk, struct net *net,
- bool dev_match = (sk->sk_bound_dev_if == dif ||
- sk->sk_bound_dev_if == sdif);
-
-- if (exact_dif && !dev_match)
-+ if (!dev_match)
- return -1;
-- if (sk->sk_bound_dev_if && dev_match)
-+ if (sk->sk_bound_dev_if)
- score++;
- }
-
diff --git a/patches/kernel/0013-net-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch b/patches/kernel/0013-net-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch
deleted file mode 100644
index 5e90e09..0000000
--- a/patches/kernel/0013-net-net-tcp-Fix-socket-lookups-with-SO_BINDTODEVICE.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From patchwork Mon Jun 18 19:30:37 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [net] net/tcp: Fix socket lookups with SO_BINDTODEVICE
-X-Patchwork-Submitter: dsahern@kernel.org
-X-Patchwork-Id: 931179
-X-Patchwork-Delegate: davem@davemloft.net
-Message-Id: <20180618193037.3365-1-dsahern@kernel.org>
-To: netdev@vger.kernel.org
-Cc: davem@davemloft.net, lberger@labn.net,
- renato@opensourcerouting.org, David Ahern
-Date: Mon, 18 Jun 2018 12:30:37 -0700
-From: dsahern@kernel.org
-List-Id:
-
-From: David Ahern
-
-Similar to 69678bcd4d2d ("udp: fix SO_BINDTODEVICE"), TCP socket lookups
-need to fail if dev_match is not true. Currently, a packet to a given port
-can match a socket bound to device when it should not. In the VRF case,
-this causes the lookup to hit a VRF socket and not a global socket
-resulting in a response trying to go through the VRF when it should it.
-
-Fixes: 3fa6f616a7a4d ("net: ipv4: add second dif to inet socket lookups")
-Fixes: 4297a0ef08572 ("net: ipv6: add second dif to inet6 socket lookups")
-Reported-by: Lou Berger
-Diagnosed-by: Renato Westphal
-Tested-by: Renato Westphal
-Signed-off-by: David Ahern
----
- net/ipv4/inet_hashtables.c | 4 ++--
- net/ipv6/inet6_hashtables.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
-index 31ff46daae97..3647167c8fa3 100644
---- a/net/ipv4/inet_hashtables.c
-+++ b/net/ipv4/inet_hashtables.c
-@@ -243,9 +243,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
- bool dev_match = (sk->sk_bound_dev_if == dif ||
- sk->sk_bound_dev_if == sdif);
-
-- if (exact_dif && !dev_match)
-+ if (!dev_match)
- return -1;
-- if (sk->sk_bound_dev_if && dev_match)
-+ if (sk->sk_bound_dev_if)
- score += 4;
- }
- if (sk->sk_incoming_cpu == raw_smp_processor_id())
-diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
-index 2febe26de6a1..595ad408dba0 100644
---- a/net/ipv6/inet6_hashtables.c
-+++ b/net/ipv6/inet6_hashtables.c
-@@ -113,9 +113,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
- bool dev_match = (sk->sk_bound_dev_if == dif ||
- sk->sk_bound_dev_if == sdif);
-
-- if (exact_dif && !dev_match)
-+ if (!dev_match)
- return -1;
-- if (sk->sk_bound_dev_if && dev_match)
-+ if (sk->sk_bound_dev_if)
- score++;
- }
- if (sk->sk_incoming_cpu == raw_smp_processor_id())
diff --git a/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch b/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch
deleted file mode 100644
index a627235..0000000
--- a/patches/kernel/0014-vhost-fix-info-leak-due-to-uninitialized-memory.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin"
-Date: Thu, 16 Aug 2018 17:02:36 +0800
-Subject: [PATCH] vhost: fix info leak due to uninitialized memory
-
-CVE-2018-1118
-
-struct vhost_msg within struct vhost_msg_node is copied to userspace.
-Unfortunately it turns out on 64 bit systems vhost_msg has padding after
-type which gcc doesn't initialize, leaking 4 uninitialized bytes to
-userspace.
-
-This padding also unfortunately means 32 bit users of this interface are
-broken on a 64 bit kernel which will need to be fixed separately.
-
-Fixes: CVE-2018-1118
-Cc: stable@vger.kernel.org
-Reported-by: Kevin Easton
-Signed-off-by: Michael S. Tsirkin
-Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad)
-Signed-off-by: Po-Hsu Lin
-Acked-by: Khalid Elmously
-Acked-by: Kamal Mostafa
-Signed-off-by: Khalid Elmously
-Signed-off-by: Stoiko Ivanov
----
- drivers/vhost/vhost.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 31bdfd296ced..a922d3d28a20 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -2383,6 +2383,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
- struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
- if (!node)
- return NULL;
-+
-+ /* Make sure all padding within the structure is initialized. */
-+ memset(&node->msg, 0, sizeof node->msg);
- node->vq = vq;
- node->msg.type = type;
- return node;
diff --git a/patches/kernel/0015-scsi-hpsa-disable-device-during-shutdown.patch b/patches/kernel/0015-scsi-hpsa-disable-device-during-shutdown.patch
deleted file mode 100644
index 18109a6..0000000
--- a/patches/kernel/0015-scsi-hpsa-disable-device-during-shutdown.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman
-Date: Sun, 1 Jul 2018 18:22:37 +0200
-Subject: [PATCH] scsi: hpsa: disable device during shutdown
-
-4.17-stable review patch. If anyone has any objections, please let me know.
-
-------------------
-
-From: Sinan Kaya
-
-commit 0d98ba8d70b0070ac117452ea0b663e26bbf46bf upstream.
-
-'Commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
-shutdown")' has been added to kernel to shutdown pending PCIe port service
-interrupts during reboot so that a newly started kexec kernel wouldn't
-observe pending interrupts.
-
-pcie_port_device_remove() is disabling the root port and switches by
-calling pci_disable_device() after all PCIe service drivers are shutdown.
-
-This has been found to cause crashes on HP DL360 Gen9 machines during
-reboot due to hpsa driver not clearing the bus master bit during the
-shutdown procedure by calling pci_disable_device().
-
-Disable device as part of the shutdown sequence.
-
-Signed-off-by: Sinan Kaya
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=199779
-Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
-Cc: stable@vger.kernel.org
-Reported-by: Ryan Finnie
-Tested-by: Don Brace
-Acked-by: Don Brace
-Signed-off-by: Martin K. Petersen
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Stoiko Ivanov
----
- drivers/scsi/hpsa.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 211975cc28c9..2d4b5177d1a2 100644
---- a/drivers/scsi/hpsa.c
-+++ b/drivers/scsi/hpsa.c
-@@ -8879,7 +8879,7 @@ static void hpsa_disable_rld_caching(struct ctlr_info *h)
- kfree(options);
- }
-
--static void hpsa_shutdown(struct pci_dev *pdev)
-+static void __hpsa_shutdown(struct pci_dev *pdev)
- {
- struct ctlr_info *h;
-
-@@ -8894,6 +8894,12 @@ static void hpsa_shutdown(struct pci_dev *pdev)
- hpsa_disable_interrupt_mode(h); /* pci_init 2 */
- }
-
-+static void hpsa_shutdown(struct pci_dev *pdev)
-+{
-+ __hpsa_shutdown(pdev);
-+ pci_disable_device(pdev);
-+}
-+
- static void hpsa_free_device_info(struct ctlr_info *h)
- {
- int i;
-@@ -8937,7 +8943,7 @@ static void hpsa_remove_one(struct pci_dev *pdev)
- scsi_remove_host(h->scsi_host); /* init_one 8 */
- /* includes hpsa_free_irqs - init_one 4 */
- /* includes hpsa_disable_interrupt_mode - pci_init 2 */
-- hpsa_shutdown(pdev);
-+ __hpsa_shutdown(pdev);
-
- hpsa_free_device_info(h); /* scan */
-