rebase patches on top of Ubuntu-4.15.0-55.60

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-07-03 11:16:59 +02:00 · 2019-07-03 11:16:59 +02:00 · 58b67f303a
commit 58b67f303a
parent 90281c3c81
12 changed files with 10 additions and 189 deletions
--- a/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
+++ b/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
@ -15,6 +15,7 @@ Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
 $KBUILD_BUILD_TIMESTAMP.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 scripts/mkcompile_h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/patches/kernel/0002-bridge-keep-MAC-of-first-assigned-port.patch
+++ b/patches/kernel/0002-bridge-keep-MAC-of-first-assigned-port.patch
@ -13,6 +13,7 @@ connected ports (for no real reason). To avoid problems with ARP
 we simply use the MAC of the first connected port.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 net/bridge/br_stp_if.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
--- a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
+++ b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
@ -48,6 +48,7 @@ capability.  Please contact me to have your devices added and save
 your customers the hassle of this boot option.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 .../admin-guide/kernel-parameters.txt         |   9 ++
 drivers/pci/quirks.c                          | 101 ++++++++++++++++++
@ -74,10 +75,10 @@ index 11bf7af493e1..4c3d21a1b79f 100644
 				Safety option to keep boot IRQs enabled. This
 				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 2956ebbd83dc..8dceb0838970 100644
+index fb4b0dd22f95..29f7741eafef 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -3705,6 +3705,106 @@ static int __init pci_apply_final_quirks(void)
+@@ -3702,6 +3702,106 @@ static int __init pci_apply_final_quirks(void)
 fs_initcall_sync(pci_apply_final_quirks);
@ -184,7 +185,7 @@ index 2956ebbd83dc..8dceb0838970 100644
 /*
  * Following are device-specific reset methods which can be used to
  * reset a single function if other methods (e.g. FLR, PM D0->D3) are
-@@ -4558,6 +4658,7 @@ static const struct pci_dev_acs_enabled {
+@@ -4555,6 +4655,7 @@ static const struct pci_dev_acs_enabled {
 	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
 	/* APM X-Gene */
 	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
--- a/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch
+++ b/patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch
@ -7,6 +7,7 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/patches/kernel/0005-ocfs2-make-metadata-estimation-accurate-and-clear.patch
+++ b/patches/kernel/0005-ocfs2-make-metadata-estimation-accurate-and-clear.patch
@ -23,6 +23,7 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 (cherry picked from commit 63de8bd9328bf2a778fc277503da163ae3defa3c)
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 fs/ocfs2/aops.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/patches/kernel/0006-ocfs2-try-to-reuse-extent-block-in-dealloc-without-m.patch
+++ b/patches/kernel/0006-ocfs2-try-to-reuse-extent-block-in-dealloc-without-m.patch
@ -65,6 +65,7 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 (cherry picked from commit 71a36944042b7d9dd71f6a5d1c5ea1c2353b5d42)
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 fs/ocfs2/alloc.c | 206 ++++++++++++++++++++++++++++++++++++++++++++---
 fs/ocfs2/alloc.h |   1 +
--- a/patches/kernel/0007-Revert-UBUNTU-Packaging-retpoline-add-safe-usage-hin.patch
+++ b/patches/kernel/0007-Revert-UBUNTU-Packaging-retpoline-add-safe-usage-hin.patch
@ -14,6 +14,7 @@ we remove before building. it would also be required by any module
 builds afterwards and is not shipped by Ubuntu's kernel packages either.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 scripts/Makefile.build | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
--- a/patches/kernel/0009-KVM-Take-vcpu-mutex-outside-vcpu_load.patch
+++ b/patches/kernel/0009-KVM-Take-vcpu-mutex-outside-vcpu_load.patch
--- a/patches/kernel/0009-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
+++ b/patches/kernel/0009-net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
@ -1,144 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Mao Wenan <maowenan@huawei.com>
 Date: Thu, 28 Mar 2019 17:10:56 +0800
 Subject: [PATCH] net: rds: force to destroy connection if t_sock is NULL in
 rds_tcp_kill_sock().
 When it is to cleanup net namespace, rds_tcp_exit_net() will call
 rds_tcp_kill_sock(), if t_sock is NULL, it will not call
 rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
 connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
 net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
 and reference 'net' which has already been freed.
 In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
 sock->ops->connect, but if connect() is failed, it will call
 rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
 failed, rds_connect_worker() will try to reconnect all the time, so
 rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
 connections.
 Therefore, the condition !tc->t_sock is not needed if it is going to do
 cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
 NULL, and there is on other path to cancel cp_conn_w and free
 connection. So this patch is to fix this.
 rds_tcp_kill_sock():
 ...
 if (net != c_net || !tc->t_sock)
 ...
 Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
 ==================================================================
 BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
 net/ipv4/af_inet.c:340
 Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721
 CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
 Hardware name: linux,dummy-virt (DT)
 Workqueue: krdsd rds_connect_worker
 Call trace:
 dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
 show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x120/0x188 lib/dump_stack.c:113
 print_address_description+0x68/0x278 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x21c/0x348 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
 inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
 __sock_create+0x4f8/0x770 net/socket.c:1276
 sock_create_kern+0x50/0x68 net/socket.c:1322
 rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
 rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
 process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
 worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
 kthread+0x2f0/0x378 kernel/kthread.c:255
 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
 Allocated by task 687:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2705 [inline]
 slab_alloc mm/slub.c:2713 [inline]
 kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 net_alloc net/core/net_namespace.c:384 [inline]
 copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
 create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
 ksys_unshare+0x340/0x628 kernel/fork.c:2577
 __do_sys_unshare kernel/fork.c:2645 [inline]
 __se_sys_unshare kernel/fork.c:2643 [inline]
 __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
 el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
 el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
 el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960
 Freed by task 264:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
 slab_free_hook mm/slub.c:1370 [inline]
 slab_free_freelist_hook mm/slub.c:1397 [inline]
 slab_free mm/slub.c:2952 [inline]
 kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
 net_free net/core/net_namespace.c:400 [inline]
 net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
 net_drop_ns net/core/net_namespace.c:406 [inline]
 cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
 process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
 worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
 kthread+0x2f0/0x378 kernel/kthread.c:255
 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117
 The buggy address belongs to the object at ffff8003496a3f80
 which belongs to the cache net_namespace of size 7872
 The buggy address is located 1796 bytes inside of
 7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
 The buggy address belongs to the page:
 page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
 index:0x0 compound_mapcount: 0
 flags: 0xffffe0000008100(slab|head)
 raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
 raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected
 Memory state around the buggy address:
 ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================
 Fixes: 467fa15356ac("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
 Reported-by: Hulk Robot <hulkci@huawei.com>
 Signed-off-by: Mao Wenan <maowenan@huawei.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 (cherry picked from commit cb66ddd156203daefb8d71158036b27b0e2caf63)
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 net/rds/tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/net/rds/tcp.c b/net/rds/tcp.c
 index 4df21e47d2ab..0a31fa6ef752 100644
 --- a/net/rds/tcp.c
 +++ b/net/rds/tcp.c
@@ -531,7 +531,7 @@ static void rds_tcp_kill_sock(struct net *net)
 	list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
 		struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
 -		if (net != c_net || !tc->t_sock)
 +		if (net != c_net)
 			continue;
 		if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
 			list_move_tail(&tc->t_tcp_node, &tmp_list);
--- a/patches/kernel/0010-kvm-x86-Don-t-modify-MSR_PLATFORM_INFO-on-vCPU-reset.patch
+++ b/patches/kernel/0010-kvm-x86-Don-t-modify-MSR_PLATFORM_INFO-on-vCPU-reset.patch
--- a/patches/kernel/0011-KVM-x86-Emulate-MSR_IA32_ARCH_CAPABILITIES-on-AMD-ho.patch
+++ b/patches/kernel/0011-KVM-x86-Emulate-MSR_IA32_ARCH_CAPABILITIES-on-AMD-ho.patch
--- a/patches/kernel/0013-tcp-refine-memory-limit-test-in-tcp_fragment.patch
+++ b/patches/kernel/0013-tcp-refine-memory-limit-test-in-tcp_fragment.patch
@ -1,42 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Eric Dumazet <edumazet@google.com>
 Date: Fri, 21 Jun 2019 06:09:55 -0700
 Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
 tcp_fragment() might be called for skbs in the write queue.
 Memory limits might have been exceeded because tcp_sendmsg() only
 checks limits at full skb (64KB) boundaries.
 Therefore, we need to make sure tcp_fragment() wont punish applications
 that might have setup very low SO_SNDBUF values.
 Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Reported-by: Christoph Paasch <cpaasch@apple.com>
 Tested-by: Christoph Paasch <cpaasch@apple.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 BugLink: https://bugs.launchpad.net/bugs/1831638
 CVE-2019-11478
 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 net/ipv4/tcp_output.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
 index e471ec48dcbc..de76eb94b4d2 100644
 --- a/net/ipv4/tcp_output.c
 +++ b/net/ipv4/tcp_output.c
@@ -1321,7 +1321,8 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue,
 	if (nsize < 0)
 		nsize = 0;
 -	if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
 +	if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf &&
 +		     tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
 		return -ENOMEM;
 	}