rebase patches on top of Ubuntu-4.15.0-55.60
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht
parent
90281c3c81
commit
58b67f303a
@ -15,6 +15,7 @@ Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
|
||||
$KBUILD_BUILD_TIMESTAMP.
|
||||
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
scripts/mkcompile_h | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
@ -13,6 +13,7 @@ connected ports (for no real reason). To avoid problems with ARP
|
||||
we simply use the MAC of the first connected port.
|
||||
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
net/bridge/br_stp_if.c | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
@ -48,6 +48,7 @@ capability. Please contact me to have your devices added and save
|
||||
your customers the hassle of this boot option.
|
||||
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
.../admin-guide/kernel-parameters.txt | 9 ++
|
||||
drivers/pci/quirks.c | 101 ++++++++++++++++++
|
||||
@ -74,10 +75,10 @@ index 11bf7af493e1..4c3d21a1b79f 100644
|
||||
Safety option to keep boot IRQs enabled. This
|
||||
should never be necessary.
|
||||
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
|
||||
index 2956ebbd83dc..8dceb0838970 100644
|
||||
index fb4b0dd22f95..29f7741eafef 100644
|
||||
--- a/drivers/pci/quirks.c
|
||||
+++ b/drivers/pci/quirks.c
|
||||
@@ -3705,6 +3705,106 @@ static int __init pci_apply_final_quirks(void)
|
||||
@@ -3702,6 +3702,106 @@ static int __init pci_apply_final_quirks(void)
|
||||
|
||||
fs_initcall_sync(pci_apply_final_quirks);
|
||||
|
||||
@ -184,7 +185,7 @@ index 2956ebbd83dc..8dceb0838970 100644
|
||||
/*
|
||||
* Following are device-specific reset methods which can be used to
|
||||
* reset a single function if other methods (e.g. FLR, PM D0->D3) are
|
||||
@@ -4558,6 +4658,7 @@ static const struct pci_dev_acs_enabled {
|
||||
@@ -4555,6 +4655,7 @@ static const struct pci_dev_acs_enabled {
|
||||
{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
|
||||
/* APM X-Gene */
|
||||
{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
|
||||
|
||||
@ -7,6 +7,7 @@ Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
virt/kvm/kvm_main.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
@ -23,6 +23,7 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
(cherry picked from commit 63de8bd9328bf2a778fc277503da163ae3defa3c)
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
fs/ocfs2/aops.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
@ -65,6 +65,7 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
(cherry picked from commit 71a36944042b7d9dd71f6a5d1c5ea1c2353b5d42)
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
fs/ocfs2/alloc.c | 206 ++++++++++++++++++++++++++++++++++++++++++++---
|
||||
fs/ocfs2/alloc.h | 1 +
|
||||
|
||||
@ -14,6 +14,7 @@ we remove before building. it would also be required by any module
|
||||
builds afterwards and is not shipped by Ubuntu's kernel packages either.
|
||||
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
scripts/Makefile.build | 10 +---------
|
||||
1 file changed, 1 insertion(+), 9 deletions(-)
|
||||
|
||||
@ -1,144 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Mao Wenan <maowenan@huawei.com>
|
||||
Date: Thu, 28 Mar 2019 17:10:56 +0800
|
||||
Subject: [PATCH] net: rds: force to destroy connection if t_sock is NULL in
|
||||
rds_tcp_kill_sock().
|
||||
|
||||
When it is to cleanup net namespace, rds_tcp_exit_net() will call
|
||||
rds_tcp_kill_sock(), if t_sock is NULL, it will not call
|
||||
rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
|
||||
connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
|
||||
net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
|
||||
and reference 'net' which has already been freed.
|
||||
|
||||
In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
|
||||
sock->ops->connect, but if connect() is failed, it will call
|
||||
rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
|
||||
failed, rds_connect_worker() will try to reconnect all the time, so
|
||||
rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
|
||||
connections.
|
||||
|
||||
Therefore, the condition !tc->t_sock is not needed if it is going to do
|
||||
cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
|
||||
NULL, and there is on other path to cancel cp_conn_w and free
|
||||
connection. So this patch is to fix this.
|
||||
|
||||
rds_tcp_kill_sock():
|
||||
...
|
||||
if (net != c_net || !tc->t_sock)
|
||||
...
|
||||
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
|
||||
|
||||
==================================================================
|
||||
BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
|
||||
net/ipv4/af_inet.c:340
|
||||
Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
|
||||
|
||||
CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
|
||||
Hardware name: linux,dummy-virt (DT)
|
||||
Workqueue: krdsd rds_connect_worker
|
||||
Call trace:
|
||||
dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
|
||||
show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
|
||||
__dump_stack lib/dump_stack.c:77 [inline]
|
||||
dump_stack+0x120/0x188 lib/dump_stack.c:113
|
||||
print_address_description+0x68/0x278 mm/kasan/report.c:253
|
||||
kasan_report_error mm/kasan/report.c:351 [inline]
|
||||
kasan_report+0x21c/0x348 mm/kasan/report.c:409
|
||||
__asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
|
||||
inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
|
||||
__sock_create+0x4f8/0x770 net/socket.c:1276
|
||||
sock_create_kern+0x50/0x68 net/socket.c:1322
|
||||
rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
|
||||
rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
|
||||
process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
|
||||
worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
|
||||
kthread+0x2f0/0x378 kernel/kthread.c:255
|
||||
ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
|
||||
|
||||
Allocated by task 687:
|
||||
save_stack mm/kasan/kasan.c:448 [inline]
|
||||
set_track mm/kasan/kasan.c:460 [inline]
|
||||
kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
|
||||
kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
|
||||
slab_post_alloc_hook mm/slab.h:444 [inline]
|
||||
slab_alloc_node mm/slub.c:2705 [inline]
|
||||
slab_alloc mm/slub.c:2713 [inline]
|
||||
kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
|
||||
kmem_cache_zalloc include/linux/slab.h:697 [inline]
|
||||
net_alloc net/core/net_namespace.c:384 [inline]
|
||||
copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
|
||||
create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
|
||||
unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
|
||||
ksys_unshare+0x340/0x628 kernel/fork.c:2577
|
||||
__do_sys_unshare kernel/fork.c:2645 [inline]
|
||||
__se_sys_unshare kernel/fork.c:2643 [inline]
|
||||
__arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
|
||||
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
|
||||
invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
|
||||
el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
|
||||
el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
|
||||
el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
|
||||
|
||||
Freed by task 264:
|
||||
save_stack mm/kasan/kasan.c:448 [inline]
|
||||
set_track mm/kasan/kasan.c:460 [inline]
|
||||
__kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
|
||||
kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
|
||||
slab_free_hook mm/slub.c:1370 [inline]
|
||||
slab_free_freelist_hook mm/slub.c:1397 [inline]
|
||||
slab_free mm/slub.c:2952 [inline]
|
||||
kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
|
||||
net_free net/core/net_namespace.c:400 [inline]
|
||||
net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
|
||||
net_drop_ns net/core/net_namespace.c:406 [inline]
|
||||
cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
|
||||
process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
|
||||
worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
|
||||
kthread+0x2f0/0x378 kernel/kthread.c:255
|
||||
ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
|
||||
|
||||
The buggy address belongs to the object at ffff8003496a3f80
|
||||
which belongs to the cache net_namespace of size 7872
|
||||
The buggy address is located 1796 bytes inside of
|
||||
7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
|
||||
The buggy address belongs to the page:
|
||||
page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
|
||||
index:0x0 compound_mapcount: 0
|
||||
flags: 0xffffe0000008100(slab|head)
|
||||
raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
|
||||
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
|
||||
page dumped because: kasan: bad access detected
|
||||
|
||||
Memory state around the buggy address:
|
||||
ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
|
||||
ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
|
||||
>ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
|
||||
^
|
||||
ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
|
||||
ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
|
||||
==================================================================
|
||||
|
||||
Fixes: 467fa15356ac("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
|
||||
Reported-by: Hulk Robot <hulkci@huawei.com>
|
||||
Signed-off-by: Mao Wenan <maowenan@huawei.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
(cherry picked from commit cb66ddd156203daefb8d71158036b27b0e2caf63)
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
net/rds/tcp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
|
||||
index 4df21e47d2ab..0a31fa6ef752 100644
|
||||
--- a/net/rds/tcp.c
|
||||
+++ b/net/rds/tcp.c
|
||||
@@ -531,7 +531,7 @@ static void rds_tcp_kill_sock(struct net *net)
|
||||
list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
|
||||
struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
|
||||
|
||||
- if (net != c_net || !tc->t_sock)
|
||||
+ if (net != c_net)
|
||||
continue;
|
||||
if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
|
||||
list_move_tail(&tc->t_tcp_node, &tmp_list);
|
||||
@ -1,42 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 21 Jun 2019 06:09:55 -0700
|
||||
Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
|
||||
|
||||
tcp_fragment() might be called for skbs in the write queue.
|
||||
|
||||
Memory limits might have been exceeded because tcp_sendmsg() only
|
||||
checks limits at full skb (64KB) boundaries.
|
||||
|
||||
Therefore, we need to make sure tcp_fragment() wont punish applications
|
||||
that might have setup very low SO_SNDBUF values.
|
||||
|
||||
Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Christoph Paasch <cpaasch@apple.com>
|
||||
Tested-by: Christoph Paasch <cpaasch@apple.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
BugLink: https://bugs.launchpad.net/bugs/1831638
|
||||
CVE-2019-11478
|
||||
|
||||
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
net/ipv4/tcp_output.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
|
||||
index e471ec48dcbc..de76eb94b4d2 100644
|
||||
--- a/net/ipv4/tcp_output.c
|
||||
+++ b/net/ipv4/tcp_output.c
|
||||
@@ -1321,7 +1321,8 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue,
|
||||
if (nsize < 0)
|
||||
nsize = 0;
|
||||
|
||||
- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
|
||||
+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf &&
|
||||
+ tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
|
||||
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
|
||||
return -ENOMEM;
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user