From 3adc532101a386a39e0e9d65998df7fd8ecc942e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Mon, 12 Feb 2018 09:46:50 +0100
Subject: [PATCH] rebase patches
---
 ...ides-for-missing-ACS-capabilities-4..patch | 8 +-
 ...7-KVM-x86-fix-APIC-page-invalidation.patch | 4 +-
 .../0009-tun-free-skb-in-early-errors.patch | 2 +-
 .../0010-tap-free-skb-if-flags-error.patch | 4 +-
 ...e-support-for-CPUs-without-virtual-N.patch | 28 +++----
 .../kernel/0014-KVM-SVM-obey-guest-PAT.patch | 4 +-
 ...-memory-barrier-on-vmcs-field-lookup.patch | 4 +-
 ...t-create-a-second-memory-controller.patch} | 0
 ...tboot-Unbreak-tboot-with-PTI-enabled.patch | 54 --------------
 ...sb_edac-Fix-missing-break-in-switch.patch} | 0
 ...-x86-perf-Disable-intel_bts-when-PTI.patch | 72 ------------------
 ...017-8824-use-after-free-in-DCCP-code.patch | 53 --------------
 ...-off-an-assoc-from-one-netns-to-anot.patch | 73 -------------------
 13 files changed, 27 insertions(+), 279 deletions(-)
 rename patches/kernel/{0023-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch => 0019-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch} (100%)
 delete mode 100644 patches/kernel/0019-x86-tboot-Unbreak-tboot-with-PTI-enabled.patch
 rename patches/kernel/{0024-EDAC-sb_edac-Fix-missing-break-in-switch.patch => 0020-EDAC-sb_edac-Fix-missing-break-in-switch.patch} (100%)
 delete mode 100644 patches/kernel/0020-x86-perf-Disable-intel_bts-when-PTI.patch
 delete mode 100644 patches/kernel/0021-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 delete mode 100644 patches/kernel/0022-sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
diff --git a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
index a67bc88..a6b4391 100644
--- a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
+++ b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch @@ -54,10 +54,10 @@ Signed-off-by: Fabian Grünbichler 2 files changed, 111 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 1738d820c56f..e7216bc05b3b 100644 +index 1bbfe73fcd6c..073e3023b515 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2930,6 +2930,15 @@ +@@ -2935,6 +2935,15 @@ nomsi [MSI] If the PCI_MSI kernel config parameter is enabled, this kernel boot option can be used to disable the use of MSI interrupts system-wide. @@ -74,7 +74,7 @@ index 1738d820c56f..e7216bc05b3b 100644 Safety option to keep boot IRQs enabled. This should never be necessary. diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index 02b009426670..c29d89ffc9b2 100644 +index 99eec22d99b7..7576c2b0c913 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -3687,6 +3687,107 @@ static int __init pci_apply_final_quirks(void) @@ -185,7 +185,7 @@ index 02b009426670..c29d89ffc9b2 100644 /* * Following are device-specific reset methods which can be used to * reset a single function if other methods (e.g. FLR, PM D0->D3) are -@@ -4514,6 +4615,7 @@ static const struct pci_dev_acs_enabled { +@@ -4529,6 +4630,7 @@ static const struct pci_dev_acs_enabled { { 0x10df, 0x720, pci_quirk_mf_endpoint_acs }, /* Emulex Skyhawk-R */ /* Cavium ThunderX */ { PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs }, diff --git a/patches/kernel/0007-KVM-x86-fix-APIC-page-invalidation.patch b/patches/kernel/0007-KVM-x86-fix-APIC-page-invalidation.patch index b0589bf..1e693f9 100644 --- a/patches/kernel/0007-KVM-x86-fix-APIC-page-invalidation.patch +++ b/patches/kernel/0007-KVM-x86-fix-APIC-page-invalidation.patch @@ -23,10 +23,10 @@ Signed-off-by: Fabian Grünbichler 3 files changed, 25 insertions(+) 
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 066b51796695..f39bc68efa56 100644 +index 78ec3cda9429..1953c0a5b972 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h -@@ -1546,4 +1546,7 @@ static inline int kvm_cpu_get_apicid(int mps_cpu) +@@ -1439,4 +1439,7 @@ static inline int kvm_cpu_get_apicid(int mps_cpu) #endif } diff --git a/patches/kernel/0009-tun-free-skb-in-early-errors.patch b/patches/kernel/0009-tun-free-skb-in-early-errors.patch index f5a7ee5..0185bbd 100644 --- a/patches/kernel/0009-tun-free-skb-in-early-errors.patch +++ b/patches/kernel/0009-tun-free-skb-in-early-errors.patch @@ -21,7 +21,7 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index cb1f7747adad..5143e948d7d1 100644 +index d1cb1ff83251..d58ae8ad0a4e 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1519,8 +1519,11 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile, diff --git a/patches/kernel/0010-tap-free-skb-if-flags-error.patch b/patches/kernel/0010-tap-free-skb-if-flags-error.patch index 8316afe..87f6502 100644 --- a/patches/kernel/0010-tap-free-skb-if-flags-error.patch +++ b/patches/kernel/0010-tap-free-skb-if-flags-error.patch @@ -19,7 +19,7 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/net/tap.c b/drivers/net/tap.c -index 3570c7576993..4e04b6094f3c 100644 +index 7a2f6bebfd15..96e5e5b2ae39 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q, 
@@ -35,7 +35,7 @@ index 3570c7576993..4e04b6094f3c 100644 if (skb) goto put; -@@ -1155,11 +1158,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m, +@@ -1157,11 +1160,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m, size_t total_len, int flags) { struct tap_queue *q = container_of(sock, struct tap_queue, sock); diff --git a/patches/kernel/0013-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-N.patch b/patches/kernel/0013-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-N.patch index 9617a1a..54a3fdb 100644 --- a/patches/kernel/0013-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-N.patch +++ b/patches/kernel/0013-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-N.patch @@ -36,10 +36,10 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 106 insertions(+), 44 deletions(-) diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index cb044cd17790..d2168203bddc 100644 +index 5edf05ce45de..146caacd8fdd 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c -@@ -203,6 +203,10 @@ struct loaded_vmcs { +@@ -204,6 +204,10 @@ struct loaded_vmcs { bool nmi_known_unmasked; unsigned long vmcs_host_cr3; /* May not match real cr3 */ unsigned long vmcs_host_cr4; /* May not match real cr4 */ @@ -50,7 +50,7 @@ index cb044cd17790..d2168203bddc 100644 struct list_head loaded_vmcss_on_cpu_link; }; -@@ -1289,6 +1293,11 @@ static inline bool cpu_has_vmx_invpcid(void) +@@ -1290,6 +1294,11 @@ static inline bool cpu_has_vmx_invpcid(void) SECONDARY_EXEC_ENABLE_INVPCID; } @@ -62,7 +62,7 @@ index cb044cd17790..d2168203bddc 100644 static inline bool cpu_has_vmx_wbinvd_exit(void) { return vmcs_config.cpu_based_2nd_exec_ctrl & -@@ -1340,11 +1349,6 @@ static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit) +@@ -1341,11 +1350,6 @@ static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit) (vmcs12->secondary_vm_exec_control & bit); } 
@@ -74,7 +74,7 @@ index cb044cd17790..d2168203bddc 100644 static inline bool nested_cpu_has_preemption_timer(struct vmcs12 *vmcs12) { return vmcs12->pin_based_vm_exec_control & -@@ -3686,9 +3690,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf) +@@ -3687,9 +3691,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf) &_vmexit_control) < 0) return -EIO; @@ -87,7 +87,7 @@ index cb044cd17790..d2168203bddc 100644 if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS, &_pin_based_exec_control) < 0) return -EIO; -@@ -5548,7 +5552,8 @@ static void enable_irq_window(struct kvm_vcpu *vcpu) +@@ -5549,7 +5553,8 @@ static void enable_irq_window(struct kvm_vcpu *vcpu) static void enable_nmi_window(struct kvm_vcpu *vcpu) { @@ -97,7 +97,7 @@ index cb044cd17790..d2168203bddc 100644 enable_irq_window(vcpu); return; } -@@ -5588,6 +5593,19 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu) +@@ -5589,6 +5594,19 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu) { struct vcpu_vmx *vmx = to_vmx(vcpu); @@ -117,7 +117,7 @@ index cb044cd17790..d2168203bddc 100644 ++vcpu->stat.nmi_injections; vmx->loaded_vmcs->nmi_known_unmasked = false; -@@ -5606,6 +5624,8 @@ static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu) +@@ -5607,6 +5625,8 @@ static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu) struct vcpu_vmx *vmx = to_vmx(vcpu); bool masked; @@ -126,7 +126,7 @@ index cb044cd17790..d2168203bddc 100644 if (vmx->loaded_vmcs->nmi_known_unmasked) return false; masked = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_NMI; -@@ -5617,13 +5637,20 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked) +@@ -5618,13 +5638,20 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked) { struct vcpu_vmx *vmx = to_vmx(vcpu); 
@@ -154,7 +154,7 @@ index cb044cd17790..d2168203bddc 100644 } static int vmx_nmi_allowed(struct kvm_vcpu *vcpu) -@@ -5631,6 +5658,10 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu) +@@ -5632,6 +5659,10 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu) if (to_vmx(vcpu)->nested.nested_run_pending) return 0; @@ -165,7 +165,7 @@ index cb044cd17790..d2168203bddc 100644 return !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI | GUEST_INTR_STATE_NMI)); -@@ -6359,6 +6390,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu) +@@ -6360,6 +6391,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu) * AAK134, BY25. */ if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) && @@ -173,7 +173,7 @@ index cb044cd17790..d2168203bddc 100644 (exit_qualification & INTR_INFO_UNBLOCK_NMI)) vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, GUEST_INTR_STATE_NMI); -@@ -6833,7 +6865,7 @@ static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx) +@@ -6834,7 +6866,7 @@ static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx) } /* Create a new VMCS */ @@ -182,7 +182,7 @@ index cb044cd17790..d2168203bddc 100644 if (!item) return NULL; item->vmcs02.vmcs = alloc_vmcs(); -@@ -7850,6 +7882,7 @@ static int handle_pml_full(struct kvm_vcpu *vcpu) +@@ -7851,6 +7883,7 @@ static int handle_pml_full(struct kvm_vcpu *vcpu) * "blocked by NMI" bit has to be set before next VM entry. */ if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) && @@ -190,7 +190,7 @@ index cb044cd17790..d2168203bddc 100644 (exit_qualification & INTR_INFO_UNBLOCK_NMI)) vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, GUEST_INTR_STATE_NMI); -@@ -8567,6 +8600,25 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu) +@@ -8568,6 +8601,25 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu) return 0; } 
diff --git a/patches/kernel/0014-KVM-SVM-obey-guest-PAT.patch b/patches/kernel/0014-KVM-SVM-obey-guest-PAT.patch index 9b25ed5..cc64a62 100644 --- a/patches/kernel/0014-KVM-SVM-obey-guest-PAT.patch +++ b/patches/kernel/0014-KVM-SVM-obey-guest-PAT.patch @@ -34,10 +34,10 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 7 insertions(+) diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index 55fb408465f7..e99bdfcc6b01 100644 +index a8c911fcd73f..e9d0f80fd83a 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c -@@ -3649,6 +3649,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) +@@ -3650,6 +3650,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) u32 ecx = msr->index; u64 data = msr->data; switch (ecx) { diff --git a/patches/kernel/0018-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch b/patches/kernel/0018-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch index e8b4be8..8fc4603 100644 --- a/patches/kernel/0018-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch +++ b/patches/kernel/0018-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch @@ -22,10 +22,10 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index d2168203bddc..e6fa3df81fd8 100644 +index 146caacd8fdd..80732f87cac0 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c -@@ -882,8 +882,16 @@ static inline short vmcs_field_to_offset(unsigned long field) +@@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field) { BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX); 
diff --git a/patches/kernel/0023-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch b/patches/kernel/0019-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch
similarity index 100%
rename from patches/kernel/0023-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch
rename to patches/kernel/0019-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch
diff --git a/patches/kernel/0019-x86-tboot-Unbreak-tboot-with-PTI-enabled.patch b/patches/kernel/0019-x86-tboot-Unbreak-tboot-with-PTI-enabled.patch
deleted file mode 100644
index a65f18b..0000000
--- a/patches/kernel/0019-x86-tboot-Unbreak-tboot-with-PTI-enabled.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dave Hansen
-Date: Sat, 6 Jan 2018 18:41:14 +0100
-Subject: [PATCH] x86/tboot: Unbreak tboot with PTI enabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 262b6b30087246abf09d6275eb0c0dc421bcbe38 upstream.
-
-This is another case similar to what EFI does: create a new set of
-page tables, map some code at a low address, and jump to it. PTI
-mistakes this low address for userspace and mistakenly marks it
-non-executable in an effort to make it unusable for userspace.
-
-Undo the poison to allow execution.
-
-Fixes: 385ce0ea4c07 ("x86/mm/pti: Add Kconfig")
-Signed-off-by: Dave Hansen
-Signed-off-by: Andrea Arcangeli
-Signed-off-by: Thomas Gleixner
-Cc: Alan Cox
-Cc: Tim Chen
-Cc: Jon Masters
-Cc: Dave Hansen
-Cc: Andi Kleen
-Cc: Jeff Law
-Cc: Paolo Bonzini
-Cc: Linus Torvalds
-Cc: Greg Kroah-Hartman
-Cc: David"
-Cc: Nick Clifton
-Link: https://lkml.kernel.org/r/20180108102805.GK25546@redhat.com
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Fabian Grünbichler
----
- arch/x86/kernel/tboot.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
-index a2486f444073..8337730f0956 100644
---- a/arch/x86/kernel/tboot.c
-+++ b/arch/x86/kernel/tboot.c
-@@ -127,6 +127,7 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
- p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
- if (!p4d)
- return -1;
-+ pgd->pgd &= ~_PAGE_NX;
- pud = pud_alloc(&tboot_mm, p4d, vaddr);
- if (!pud)
- return -1;
---
-2.14.2
-
diff --git a/patches/kernel/0024-EDAC-sb_edac-Fix-missing-break-in-switch.patch b/patches/kernel/0020-EDAC-sb_edac-Fix-missing-break-in-switch.patch
similarity index 100%
rename from patches/kernel/0024-EDAC-sb_edac-Fix-missing-break-in-switch.patch
rename to patches/kernel/0020-EDAC-sb_edac-Fix-missing-break-in-switch.patch
diff --git a/patches/kernel/0020-x86-perf-Disable-intel_bts-when-PTI.patch b/patches/kernel/0020-x86-perf-Disable-intel_bts-when-PTI.patch
deleted file mode 100644
index 039498e..0000000
--- a/patches/kernel/0020-x86-perf-Disable-intel_bts-when-PTI.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra
-Date: Sun, 14 Jan 2018 11:27:13 +0100
-Subject: [PATCH] x86,perf: Disable intel_bts when PTI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 99a9dc98ba52267ce5e062b52de88ea1f1b2a7d8 upstream.
-
-The intel_bts driver does not use the 'normal' BTS buffer which is exposed
-through the cpu_entry_area but instead uses the memory allocated for the
-perf AUX buffer.
-
-This obviously comes apart when using PTI because then the kernel mapping;
-which includes that AUX buffer memory; disappears. Fixing this requires to
-expose a mapping which is visible in all context and that's not trivial.
-
-As a quick fix disable this driver when PTI is enabled to prevent
-malfunction.
-
-Fixes: 385ce0ea4c07 ("x86/mm/pti: Add Kconfig")
-Reported-by: Vince Weaver
-Reported-by: Robert Święcki
-Signed-off-by: Peter Zijlstra (Intel)
-Signed-off-by: Thomas Gleixner
-Cc: Alexander Shishkin
-Cc: greg@kroah.com
-Cc: hughd@google.com
-Cc: luto@amacapital.net
-Cc: Vince Weaver
-Cc: torvalds@linux-foundation.org
-Cc: stable@vger.kernel.org
-Link: https://lkml.kernel.org/r/20180114102713.GB6166@worktop.programming.kicks-ass.net
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Fabian Grünbichler
----
- arch/x86/events/intel/bts.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c
-index ddd8d3516bfc..9a62e6fce0e0 100644
---- a/arch/x86/events/intel/bts.c
-+++ b/arch/x86/events/intel/bts.c
-@@ -582,6 +582,24 @@ static __init int bts_init(void)
- if (!boot_cpu_has(X86_FEATURE_DTES64) || !x86_pmu.bts)
- return -ENODEV;
-
-+ if (boot_cpu_has(X86_FEATURE_PTI)) {
-+ /*
-+ * BTS hardware writes through a virtual memory map we must
-+ * either use the kernel physical map, or the user mapping of
-+ * the AUX buffer.
-+ *
-+ * However, since this driver supports per-CPU and per-task inherit
-+ * we cannot use the user mapping since it will not be availble
-+ * if we're not running the owning process.
-+ *
-+ * With PTI we can't use the kernal map either, because its not
-+ * there when we run userspace.
-+ *
-+ * For now, disable this driver when using PTI.
-+ */
-+ return -ENODEV;
-+ }
-+
- bts_pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE |
- PERF_PMU_CAP_EXCLUSIVE;
- bts_pmu.task_ctx_nr = perf_sw_context;
---
-2.14.2
-
diff --git a/patches/kernel/0021-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/patches/kernel/0021-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
deleted file mode 100644
index a01ee41..0000000
--- a/patches/kernel/0021-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam
-Date: Fri, 8 Dec 2017 15:39:50 +0100
-Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam
-Reviewed-by: Eric Dumazet
-Signed-off-by: David S. Miller
-
-CVE-2017-8824
-(cherry picked from commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 linux-next)
-Signed-off-by: Kleber Sacilotto de Souza
-Acked-by: Seth Forshee
-Acked-by: Colin Ian King
-Signed-off-by: Thadeu Lima de Souza Cascardo
-Signed-off-by: Fabian Grünbichler
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/dccp/proto.c b/net/dccp/proto.c
-index b68168fcc06a..9d43c1f40274 100644
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
- {
- struct inet_connection_sock *icsk = inet_csk(sk);
- struct inet_sock *inet = inet_sk(sk);
-+ struct dccp_sock *dp = dccp_sk(sk);
- int err = 0;
- const int old_state = sk->sk_state;
-
-@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
- sk->sk_err = ECONNRESET;
-
- dccp_clear_xmit_timers(sk);
-+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+ dp->dccps_hc_rx_ccid = NULL;
-+ dp->dccps_hc_tx_ccid = NULL;
-
- __skb_queue_purge(&sk->sk_receive_queue);
- __skb_queue_purge(&sk->sk_write_queue);
---
-2.14.2
-
diff --git a/patches/kernel/0022-sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch b/patches/kernel/0022-sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
deleted file mode 100644
index e4561c5..0000000
--- a/patches/kernel/0022-sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Xin Long
-Date: Thu, 7 Dec 2017 16:07:00 +0100
-Subject: [PATCH] sctp: do not peel off an assoc from one netns to another one
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Now when peeling off an association to the sock in another netns, all
-transports in this assoc are not to be rehashed and keep use the old
-key in hashtable.
-
-As a transport uses sk->net as the hash key to insert into hashtable,
-it would miss removing these transports from hashtable due to the new
-netns when closing the sock and all transports are being freeed, then
-later an use-after-free issue could be caused when looking up an asoc
-and dereferencing those transports.
-
-This is a very old issue since very beginning, ChunYu found it with
-syzkaller fuzz testing with this series:
-
- socket$inet6_sctp()
- bind$inet6()
- sendto$inet6()
- unshare(0x40000000)
- getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
- getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
-
-This patch is to block this call when peeling one assoc off from one
-netns to another one, so that the netns of all transport would not
-go out-sync with the key in hashtable.
-
-Note that this patch didn't fix it by rehashing transports, as it's
-difficult to handle the situation when the tuple is already in use
-in the new netns. Besides, no one would like to peel off one assoc
-to another netns, considering ipaddrs, ifaces, etc. are usually
-different.
-
-Reported-by: ChunYu Wang
-Signed-off-by: Xin Long
-Acked-by: Marcelo Ricardo Leitner
-Acked-by: Neil Horman
-Signed-off-by: David S.
Miller
-
-CVE-2017-15115
-(cherry picked from commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74)
-Signed-off-by: Kleber Sacilotto de Souza
-Acked-by: Colin Ian King
-Acked-by: Stefan Bader
-Signed-off-by: Thadeu Lima de Souza Cascardo
-Signed-off-by: Fabian Grünbichler
----
- net/sctp/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 8d760863bc41..52f388e0448e 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4894,6 +4894,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
- struct socket *sock;
- int err = 0;
-
-+ /* Do not peel off from one netns to another one. */
-+ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
-+ return -EINVAL;
-+
- if (!asoc)
- return -EINVAL;
-
---
-2.14.2
-