Date: Wednesday, January 3, 2018 @ 07:21:25
Author: heftig
Revision: 313949
4.14.11-1
Added:
linux/trunk/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
(from rev 313772,
linux/trunk/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch)
linux/trunk/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
(from rev 313772,
linux/trunk/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch)
linux/trunk/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
(from rev 313772,
linux/trunk/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch)
linux/trunk/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
(from rev 313772,
linux/trunk/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch)
linux/trunk/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
(from rev 313772,
linux/trunk/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch)
linux/trunk/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
Modified:
linux/trunk/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
linux/trunk/PKGBUILD
linux/trunk/config
Deleted:
linux/trunk/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
linux/trunk/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
linux/trunk/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
linux/trunk/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
linux/trunk/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
-----------------------------------------------------------------+
0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch | 72 ------
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 15 -
0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch | 73 ------
0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch | 57 -----
0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch | 75 ++++++
0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch | 49 ----
0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch | 114
----------
0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch | 57 +++++
0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch | 74 ++++++
0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch | 49 ++++
0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch | 114
++++++++++
0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 42 +++
PKGBUILD | 43 ++-
config | 3
14 files changed, 445 insertions(+), 392 deletions(-)
Deleted: 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
===================================================================
--- 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
2018-01-03 07:16:24 UTC (rev 313948)
+++ 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -1,72 +0,0 @@
-From b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4 Mon Sep 17 00:00:00 2001
-Message-Id:
<b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steff...@gmail.com>
-From: Steffen Klassert <[email protected]>
-Date: Wed, 15 Nov 2017 06:40:57 +0100
-Subject: [PATCH 1/3] Revert "xfrm: Fix stack-out-of-bounds read in
- xfrm_state_find."
-
-This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
-
-This commit breaks transport mode when the policy template
-has widlcard addresses configured, so revert it.
-
-Signed-off-by: Steffen Klassert <[email protected]>
----
- net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 6eb228a70131069b..a2e531bf4f976308 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1361,29 +1361,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy,
const struct flowi *fl,
- struct net *net = xp_net(policy);
- int nx;
- int i, error;
-+ xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
-+ xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
- xfrm_address_t tmp;
-
- for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
- struct xfrm_state *x;
-- xfrm_address_t *local;
-- xfrm_address_t *remote;
-+ xfrm_address_t *remote = daddr;
-+ xfrm_address_t *local = saddr;
- struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
-
-- remote = &tmpl->id.daddr;
-- local = &tmpl->saddr;
-- if (xfrm_addr_any(local, tmpl->encap_family)) {
-- error = xfrm_get_saddr(net, fl->flowi_oif,
-- &tmp, remote,
-- tmpl->encap_family, 0);
-- if (error)
-- goto fail;
-- local = &tmp;
-+ if (tmpl->mode == XFRM_MODE_TUNNEL ||
-+ tmpl->mode == XFRM_MODE_BEET) {
-+ remote = &tmpl->id.daddr;
-+ local = &tmpl->saddr;
-+ if (xfrm_addr_any(local, tmpl->encap_family)) {
-+ error = xfrm_get_saddr(net, fl->flowi_oif,
-+ &tmp, remote,
-+ tmpl->encap_family, 0);
-+ if (error)
-+ goto fail;
-+ local = &tmp;
-+ }
- }
-
- x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
family);
-
- if (x && x->km.state == XFRM_STATE_VALID) {
- xfrm[nx++] = x;
-+ daddr = remote;
-+ saddr = local;
- continue;
- }
- if (x) {
---
-2.15.1
-
Modified: 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
===================================================================
--- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
2018-01-03 07:16:24 UTC (rev 313948)
+++ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -1,8 +1,9 @@
-From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001
-Message-Id:
<5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steff...@gmail.com>
+From fb89d912d5f7289d3a922c77b671e36e1c740f5e Mon Sep 17 00:00:00 2001
+Message-Id:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
From: Serge Hallyn <[email protected]>
Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+Subject: [PATCH 1/7] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
Signed-off-by: Serge Hallyn <[email protected]>
[bwh: Remove unneeded binary sysctl bits]
@@ -14,7 +15,7 @@
3 files changed, 30 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
-index 07cc743698d3668e..4011d68a8ff9305c 100644
+index 500ce64517d93e68..35f5860958b40e9b 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -102,6 +102,11 @@
@@ -29,7 +30,7 @@
/*
* Minimum number of threads to boot the kernel
-@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct
*copy_process(
+@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct
*copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) ==
(CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@@ -40,7 +41,7 @@
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
-@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@@ -54,7 +55,7 @@
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index b86520ed3fb60fbf..f7dab3760839f1a1 100644
+index 56aca862c4f584f5..e8402ba393c1915d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -105,6 +105,9 @@ extern int core_uses_pid;
Deleted: 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
===================================================================
--- 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
2018-01-03 07:16:24 UTC (rev 313948)
+++ 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -1,73 +0,0 @@
-From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
-Message-Id:
<c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steff...@gmail.com>
-From: Benjamin Poirier <[email protected]>
-Date: Mon, 11 Dec 2017 16:26:40 +0900
-Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
- value.
-
-e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
-are the two functions that may be assigned to mac.ops.check_for_link when
-phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
-Separate signaling for link check/link up") changed the meaning of the
-return value of check_for_link for copper media but only adjusted the first
-function. This patch adjusts the second function likewise.
-
-Reported-by: Christian Hesse <[email protected]>
-Reported-by: Gabriel C <[email protected]>
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
-Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
-Tested-by: Christian Hesse <[email protected]>
-Signed-off-by: Benjamin Poirier <[email protected]>
----
- drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c
b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-index d6d4ed7acf031172..31277d3bb7dc1241 100644
---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
-+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw
*hw, bool force)
- * Checks to see of the link status of the hardware has changed. If a
- * change in link status has been detected, then we read the PHY registers
- * to get the current speed/duplex if link exists.
-+ *
-+ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
-+ * up).
- **/
- static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- {
- struct e1000_mac_info *mac = &hw->mac;
- s32 ret_val, tipg_reg = 0;
- u16 emi_addr, emi_val = 0;
- bool link;
- u16 phy_reg;
-
- /* We only want to go out to the PHY registers to see if Auto-Neg
- * has completed and/or if our link status has changed. The
- * get_link_status flag is set upon receiving a Link Status
- * Change or Rx Sequence Error interrupt.
- */
- if (!mac->get_link_status)
-- return 0;
-+ return 1;
-
- /* First we want to see if the MII Status Register reports
- * link. If so, then we want to get the current speed/duplex
-@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct
e1000_hw *hw)
- * different link partner.
- */
- ret_val = e1000e_config_fc_after_link_up(hw);
-- if (ret_val)
-+ if (ret_val) {
- e_dbg("Error configuring flow control\n");
-+ return ret_val;
-+ }
-
-- return ret_val;
-+ return 1;
- }
-
- static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
---
-2.15.1
-
Deleted: 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
===================================================================
--- 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch 2018-01-03
07:16:24 UTC (rev 313948)
+++ 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch 2018-01-03
07:21:25 UTC (rev 313949)
@@ -1,57 +0,0 @@
-From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001
-Message-Id:
<80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steff...@gmail.com>
-In-Reply-To:
<c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steff...@gmail.com>
-References:
<c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steff...@gmail.com>
-From: Mohamed Ghannam <[email protected]>
-Date: Tue, 5 Dec 2017 20:58:35 +0000
-Subject: [PATCH 2/2] dccp: CVE-2017-8824: use-after-free in DCCP code
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam <[email protected]>
-Reviewed-by: Eric Dumazet <[email protected]>
-Signed-off-by: David S. Miller <[email protected]>
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/dccp/proto.c b/net/dccp/proto.c
-index b68168fcc06aa198..9d43c1f4027408f3 100644
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
- {
- struct inet_connection_sock *icsk = inet_csk(sk);
- struct inet_sock *inet = inet_sk(sk);
-+ struct dccp_sock *dp = dccp_sk(sk);
- int err = 0;
- const int old_state = sk->sk_state;
-
- if (old_state != DCCP_CLOSED)
- dccp_set_state(sk, DCCP_CLOSED);
-
- /*
- * This corresponds to the ABORT function of RFC793, sec. 3.8
- * TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
- */
- if (old_state == DCCP_LISTEN) {
- inet_csk_listen_stop(sk);
- } else if (dccp_need_reset(old_state)) {
- dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
- sk->sk_err = ECONNRESET;
- } else if (old_state == DCCP_REQUESTING)
- sk->sk_err = ECONNRESET;
-
- dccp_clear_xmit_timers(sk);
-+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+ dp->dccps_hc_rx_ccid = NULL;
-+ dp->dccps_hc_tx_ccid = NULL;
-
- __skb_queue_purge(&sk->sk_receive_queue);
- __skb_queue_purge(&sk->sk_write_queue);
---
-2.15.1
-
Copied:
linux/trunk/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
(from rev 313772,
linux/trunk/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch)
===================================================================
--- 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
(rev 0)
+++ 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -0,0 +1,75 @@
+From 8c6956686606b9c3661e74a410c8cb2fc276c5ee Mon Sep 17 00:00:00 2001
+Message-Id:
<8c6956686606b9c3661e74a410c8cb2fc276c5ee.1514959852.git.jan.steff...@gmail.com>
+In-Reply-To:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+References:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+From: Benjamin Poirier <[email protected]>
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: [PATCH 2/7] e1000e: Fix e1000_check_for_copper_link_ich8lan return
+ value.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <[email protected]>
+Reported-by: Gabriel C <[email protected]>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Tested-by: Christian Hesse <[email protected]>
+Signed-off-by: Benjamin Poirier <[email protected]>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c
b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+index d6d4ed7acf031172..31277d3bb7dc1241 100644
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw
*hw, bool force)
+ * Checks to see of the link status of the hardware has changed. If a
+ * change in link status has been detected, then we read the PHY registers
+ * to get the current speed/duplex if link exists.
++ *
++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ * up).
+ **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+ struct e1000_mac_info *mac = &hw->mac;
+ s32 ret_val, tipg_reg = 0;
+ u16 emi_addr, emi_val = 0;
+ bool link;
+ u16 phy_reg;
+
+ /* We only want to go out to the PHY registers to see if Auto-Neg
+ * has completed and/or if our link status has changed. The
+ * get_link_status flag is set upon receiving a Link Status
+ * Change or Rx Sequence Error interrupt.
+ */
+ if (!mac->get_link_status)
+- return 0;
++ return 1;
+
+ /* First we want to see if the MII Status Register reports
+ * link. If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct
e1000_hw *hw)
+ * different link partner.
+ */
+ ret_val = e1000e_config_fc_after_link_up(hw);
+- if (ret_val)
++ if (ret_val) {
+ e_dbg("Error configuring flow control\n");
++ return ret_val;
++ }
+
+- return ret_val;
++ return 1;
+ }
+
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
+--
+2.15.1
+
Deleted: 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
===================================================================
--- 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
2018-01-03 07:16:24 UTC (rev 313948)
+++ 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -1,49 +0,0 @@
-From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001
-Message-Id:
<1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steff...@gmail.com>
-In-Reply-To:
<b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steff...@gmail.com>
-References:
<b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steff...@gmail.com>
-From: Steffen Klassert <[email protected]>
-Date: Fri, 22 Dec 2017 10:44:57 +0100
-Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy
- lookup.
-
-When we do tunnel or beet mode, we pass saddr and daddr from the
-template to xfrm_state_find(), this is ok. On transport mode,
-we pass the addresses from the flowi, assuming that the IP
-addresses (and address family) don't change during transformation.
-This assumption is wrong in the IPv4 mapped IPv6 case, packet
-is IPv4 and template is IPv6.
-
-Fix this by catching address family missmatches of the policy
-and the flow already before we do the lookup.
-
-Reported-by: syzbot <[email protected]>
-Signed-off-by: Steffen Klassert <[email protected]>
----
- net/xfrm/xfrm_policy.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index a2e531bf4f976308..c79ed3bed5d4dc2f 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const
struct sock *sk, int dir,
- again:
- pol = rcu_dereference(sk->sk_policy[dir]);
- if (pol != NULL) {
-- bool match = xfrm_selector_match(&pol->selector, fl, family);
-+ bool match;
- int err = 0;
-
-+ if (pol->family != family) {
-+ pol = NULL;
-+ goto out;
-+ }
-+
-+ match = xfrm_selector_match(&pol->selector, fl, family);
- if (match) {
- if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
- pol = NULL;
---
-2.15.1
-
Deleted: 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
===================================================================
--- 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
2018-01-03 07:16:24 UTC (rev 313948)
+++ 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -1,114 +0,0 @@
-From a3c64fe9d978f3ee8f21fac5b410c63fe7cce725 Mon Sep 17 00:00:00 2001
-Message-Id:
<a3c64fe9d978f3ee8f21fac5b410c63fe7cce725.1514245012.git.jan.steff...@gmail.com>
-In-Reply-To:
<b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steff...@gmail.com>
-References:
<b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steff...@gmail.com>
-From: Tejun Heo <[email protected]>
-Date: Wed, 20 Dec 2017 07:09:19 -0800
-Subject: [PATCH 3/3] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
-
-While teaching css_task_iter to handle skipping over tasks which
-aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
-css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
-silly bug.
-
-CSS_TASK_ITER_PROCS is implemented by repeating
-css_task_iter_advance() while the advanced cursor is pointing to a
-non-leader thread. However, the cursor variable, @l, wasn't updated
-when the iteration has to advance to the next css_set and the
-following repetition would operate on the terminal @l from the
-previous iteration which isn't pointing to a valid task leading to
-oopses like the following or infinite looping.
-
- BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
- IP: __task_pid_nr_ns+0xc7/0xf0
- PGD 0 P4D 0
- Oops: 0000 [#1] SMP
- ...
- CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
- Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS
3203 11/09/2017
- task: ffff88c4baee8000 task.stack: ffff96d5c3158000
- RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
- RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
- RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
- RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
- RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
- R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
- R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
- FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
- CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
- Call Trace:
- cgroup_procs_show+0x19/0x30
- cgroup_seqfile_show+0x4c/0xb0
- kernfs_seq_show+0x21/0x30
- seq_read+0x2ec/0x3f0
- kernfs_fop_read+0x134/0x180
- __vfs_read+0x37/0x160
- ? security_file_permission+0x9b/0xc0
- vfs_read+0x8e/0x130
- SyS_read+0x55/0xc0
- entry_SYSCALL_64_fastpath+0x1a/0xa5
- RIP: 0033:0x7f94455f942d
- RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
- RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
- RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
- RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
- R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
- R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
- Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00
00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48
c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
- RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
-
-Fix it by moving the initialization of the cursor below the repeat
-label. While at it, rename it to @next for readability.
-
-Signed-off-by: Tejun Heo <[email protected]>
-Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and
implement CSS_TASK_ITER_PROCS")
-Cc: [email protected] # v4.14+
-Reported-by: Laura Abbott <[email protected]>
-Reported-by: Bronek Kozicki <[email protected]>
-Reported-by: George Amanakis <[email protected]>
-Signed-off-by: Tejun Heo <[email protected]>
----
- kernel/cgroup/cgroup.c | 14 ++++++--------
- 1 file changed, 6 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
-index 44857278eb8aa6a2..030e4286f14c715e 100644
---- a/kernel/cgroup/cgroup.c
-+++ b/kernel/cgroup/cgroup.c
-@@ -4059,26 +4059,24 @@ static void css_task_iter_advance_css_set(struct
css_task_iter *it)
-
- static void css_task_iter_advance(struct css_task_iter *it)
- {
-- struct list_head *l = it->task_pos;
-+ struct list_head *next;
-
- lockdep_assert_held(&css_set_lock);
-- WARN_ON_ONCE(!l);
--
- repeat:
- /*
- * Advance iterator to find next entry. cset->tasks is consumed
- * first and then ->mg_tasks. After ->mg_tasks, we move onto the
- * next cset.
- */
-- l = l->next;
-+ next = it->task_pos->next;
-
-- if (l == it->tasks_head)
-- l = it->mg_tasks_head->next;
-+ if (next == it->tasks_head)
-+ next = it->mg_tasks_head->next;
-
-- if (l == it->mg_tasks_head)
-+ if (next == it->mg_tasks_head)
- css_task_iter_advance_css_set(it);
- else
-- it->task_pos = l;
-+ it->task_pos = next;
-
- /* if PROCS, skip over tasks which aren't group leaders */
- if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
---
-2.15.1
-
Copied: linux/trunk/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
(from rev 313772,
linux/trunk/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch)
===================================================================
--- 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
(rev 0)
+++ 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch 2018-01-03
07:21:25 UTC (rev 313949)
@@ -0,0 +1,57 @@
+From b81e273fb227373a2951c7256ab11a87d5333a9d Mon Sep 17 00:00:00 2001
+Message-Id:
<b81e273fb227373a2951c7256ab11a87d5333a9d.1514959852.git.jan.steff...@gmail.com>
+In-Reply-To:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+References:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+From: Mohamed Ghannam <[email protected]>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: [PATCH 3/7] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <[email protected]>
+Reviewed-by: Eric Dumazet <[email protected]>
+Signed-off-by: David S. Miller <[email protected]>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06aa198..9d43c1f4027408f3 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+ if (old_state != DCCP_CLOSED)
+ dccp_set_state(sk, DCCP_CLOSED);
+
+ /*
+ * This corresponds to the ABORT function of RFC793, sec. 3.8
+ * TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
+ */
+ if (old_state == DCCP_LISTEN) {
+ inet_csk_listen_stop(sk);
+ } else if (dccp_need_reset(old_state)) {
+ dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
+ sk->sk_err = ECONNRESET;
+ } else if (old_state == DCCP_REQUESTING)
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.15.1
+
Copied:
linux/trunk/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
(from rev 313772,
linux/trunk/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch)
===================================================================
--- 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
(rev 0)
+++ 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -0,0 +1,74 @@
+From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001
+Message-Id:
<d03c0ef520f40c6de691c37e0f168c87b3423015.1514959852.git.jan.steff...@gmail.com>
+In-Reply-To:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+References:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+From: Steffen Klassert <[email protected]>
+Date: Wed, 15 Nov 2017 06:40:57 +0100
+Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in
+ xfrm_state_find."
+
+This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
+
+This commit breaks transport mode when the policy template
+has widlcard addresses configured, so revert it.
+
+Signed-off-by: Steffen Klassert <[email protected]>
+---
+ net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2a6093840e7e856e..6bc16bb61b5533ef 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy,
const struct flowi *fl,
+ struct net *net = xp_net(policy);
+ int nx;
+ int i, error;
++ xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
++ xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
+ xfrm_address_t tmp;
+
+ for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
+ struct xfrm_state *x;
+- xfrm_address_t *local;
+- xfrm_address_t *remote;
++ xfrm_address_t *remote = daddr;
++ xfrm_address_t *local = saddr;
+ struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
+
+- remote = &tmpl->id.daddr;
+- local = &tmpl->saddr;
+- if (xfrm_addr_any(local, tmpl->encap_family)) {
+- error = xfrm_get_saddr(net, fl->flowi_oif,
+- &tmp, remote,
+- tmpl->encap_family, 0);
+- if (error)
+- goto fail;
+- local = &tmp;
++ if (tmpl->mode == XFRM_MODE_TUNNEL ||
++ tmpl->mode == XFRM_MODE_BEET) {
++ remote = &tmpl->id.daddr;
++ local = &tmpl->saddr;
++ if (xfrm_addr_any(local, tmpl->encap_family)) {
++ error = xfrm_get_saddr(net, fl->flowi_oif,
++ &tmp, remote,
++ tmpl->encap_family, 0);
++ if (error)
++ goto fail;
++ local = &tmp;
++ }
+ }
+
+ x = xfrm_state_find(remote, local, fl, tmpl, policy, &error,
family);
+
+ if (x && x->km.state == XFRM_STATE_VALID) {
+ xfrm[nx++] = x;
++ daddr = remote;
++ saddr = local;
+ continue;
+ }
+ if (x) {
+--
+2.15.1
+
Copied:
linux/trunk/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
(from rev 313772,
linux/trunk/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch)
===================================================================
--- 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
(rev 0)
+++ 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -0,0 +1,49 @@
+From 3721d64246982f91a5bf863fc17ac60ff722e0c4 Mon Sep 17 00:00:00 2001
+Message-Id:
<3721d64246982f91a5bf863fc17ac60ff722e0c4.1514959852.git.jan.steff...@gmail.com>
+In-Reply-To:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+References:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+From: Steffen Klassert <[email protected]>
+Date: Fri, 22 Dec 2017 10:44:57 +0100
+Subject: [PATCH 5/7] xfrm: Fix stack-out-of-bounds read on socket policy
+ lookup.
+
+When we do tunnel or beet mode, we pass saddr and daddr from the
+template to xfrm_state_find(), this is ok. On transport mode,
+we pass the addresses from the flowi, assuming that the IP
+addresses (and address family) don't change during transformation.
+This assumption is wrong in the IPv4 mapped IPv6 case, packet
+is IPv4 and template is IPv6.
+
+Fix this by catching address family missmatches of the policy
+and the flow already before we do the lookup.
+
+Reported-by: syzbot <[email protected]>
+Signed-off-by: Steffen Klassert <[email protected]>
+---
+ net/xfrm/xfrm_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 6bc16bb61b5533ef..50c5f46b5cca942e 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const
struct sock *sk, int dir,
+ again:
+ pol = rcu_dereference(sk->sk_policy[dir]);
+ if (pol != NULL) {
+- bool match = xfrm_selector_match(&pol->selector, fl, family);
++ bool match;
+ int err = 0;
+
++ if (pol->family != family) {
++ pol = NULL;
++ goto out;
++ }
++
++ match = xfrm_selector_match(&pol->selector, fl, family);
+ if (match) {
+ if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
+ pol = NULL;
+--
+2.15.1
+
Copied:
linux/trunk/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
(from rev 313772,
linux/trunk/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch)
===================================================================
--- 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
(rev 0)
+++ 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -0,0 +1,114 @@
+From a79cb4d4e540c72a601ca0494e914565c16e2893 Mon Sep 17 00:00:00 2001
+Message-Id:
<a79cb4d4e540c72a601ca0494e914565c16e2893.1514959852.git.jan.steff...@gmail.com>
+In-Reply-To:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+References:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+From: Tejun Heo <[email protected]>
+Date: Wed, 20 Dec 2017 07:09:19 -0800
+Subject: [PATCH 6/7] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
+
+While teaching css_task_iter to handle skipping over tasks which
+aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
+css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
+silly bug.
+
+CSS_TASK_ITER_PROCS is implemented by repeating
+css_task_iter_advance() while the advanced cursor is pointing to a
+non-leader thread. However, the cursor variable, @l, wasn't updated
+when the iteration has to advance to the next css_set and the
+following repetition would operate on the terminal @l from the
+previous iteration which isn't pointing to a valid task leading to
+oopses like the following or infinite looping.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
+ IP: __task_pid_nr_ns+0xc7/0xf0
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ ...
+ CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
+ Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS
3203 11/09/2017
+ task: ffff88c4baee8000 task.stack: ffff96d5c3158000
+ RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
+ RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
+ RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
+ RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
+ RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
+ R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
+ R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
+ FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
+ Call Trace:
+ cgroup_procs_show+0x19/0x30
+ cgroup_seqfile_show+0x4c/0xb0
+ kernfs_seq_show+0x21/0x30
+ seq_read+0x2ec/0x3f0
+ kernfs_fop_read+0x134/0x180
+ __vfs_read+0x37/0x160
+ ? security_file_permission+0x9b/0xc0
+ vfs_read+0x8e/0x130
+ SyS_read+0x55/0xc0
+ entry_SYSCALL_64_fastpath+0x1a/0xa5
+ RIP: 0033:0x7f94455f942d
+ RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
+ RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
+ RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
+ RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
+ R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
+ R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
+ Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00
00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48
c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
+ RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
+
+Fix it by moving the initialization of the cursor below the repeat
+label. While at it, rename it to @next for readability.
+
+Signed-off-by: Tejun Heo <[email protected]>
+Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and
implement CSS_TASK_ITER_PROCS")
+Cc: [email protected] # v4.14+
+Reported-by: Laura Abbott <[email protected]>
+Reported-by: Bronek Kozicki <[email protected]>
+Reported-by: George Amanakis <[email protected]>
+Signed-off-by: Tejun Heo <[email protected]>
+---
+ kernel/cgroup/cgroup.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 44857278eb8aa6a2..030e4286f14c715e 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4059,26 +4059,24 @@ static void css_task_iter_advance_css_set(struct
css_task_iter *it)
+
+ static void css_task_iter_advance(struct css_task_iter *it)
+ {
+- struct list_head *l = it->task_pos;
++ struct list_head *next;
+
+ lockdep_assert_held(&css_set_lock);
+- WARN_ON_ONCE(!l);
+-
+ repeat:
+ /*
+ * Advance iterator to find next entry. cset->tasks is consumed
+ * first and then ->mg_tasks. After ->mg_tasks, we move onto the
+ * next cset.
+ */
+- l = l->next;
++ next = it->task_pos->next;
+
+- if (l == it->tasks_head)
+- l = it->mg_tasks_head->next;
++ if (next == it->tasks_head)
++ next = it->mg_tasks_head->next;
+
+- if (l == it->mg_tasks_head)
++ if (next == it->mg_tasks_head)
+ css_task_iter_advance_css_set(it);
+ else
+- it->task_pos = l;
++ it->task_pos = next;
+
+ /* if PROCS, skip over tasks which aren't group leaders */
+ if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
+--
+2.15.1
+
Added: 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
===================================================================
--- 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
(rev 0)
+++ 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
2018-01-03 07:21:25 UTC (rev 313949)
@@ -0,0 +1,42 @@
+From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001
+Message-Id:
<51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steff...@gmail.com>
+In-Reply-To:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+References:
<fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steff...@gmail.com>
+From: Tom Lendacky <[email protected]>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against. The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <[email protected]>
+Reviewed-by: Borislav Petkov <[email protected]>
+---
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index f2a94dfb434e9a7c..b1be494ab4e8badf 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86
*c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
+--
+2.15.1
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-01-03 07:16:24 UTC (rev 313948)
+++ PKGBUILD 2018-01-03 07:21:25 UTC (rev 313949)
@@ -5,7 +5,7 @@
pkgbase=linux # Build stock -ARCH kernel
#pkgbase=linux-custom # Build kernel with a different name
_srcname=linux-4.14
-pkgver=4.14.10
+pkgver=4.14.11
pkgrel=1
arch=('x86_64')
url="https://www.kernel.org/";
@@ -22,11 +22,12 @@
'90-linux.hook' # pacman hook for initramfs regeneration
'linux.preset' # standard config files for mkinitcpio ramdisk
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
- 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
- 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
- 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
- 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+ 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+ 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+ 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+ 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -34,18 +35,19 @@
)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
- '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
+ 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
'SKIP'
- '4d12ed868b05720c3d263c8454622c67bdee6969400049d7adac7b00907ad195'
+ '24b8cf6829dafcb2b5c76cffaae6438ad2d432f13d6551fa1c8f25e66b751ed4'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
- '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
- 'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
- '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
- 'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32'
- '64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00'
- '3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb')
+ '06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2'
+ 'b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b'
+ 'f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25'
+ '705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb'
+ '0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f'
+ '8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711'
+ '914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31')
_kernelname=${pkgbase#linux}
@@ -65,18 +67,21 @@
patch -Np1 -i
../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
# https://bugs.archlinux.org/task/56575
- patch -Np1 -i
../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+ patch -Np1 -i
../0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
# https://nvd.nist.gov/vuln/detail/CVE-2017-8824
- patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+ patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
# https://bugs.archlinux.org/task/56605
- patch -Np1 -i
../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
- patch -Np1 -i
../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+ patch -Np1 -i
../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+ patch -Np1 -i
../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
# https://bugs.archlinux.org/task/56846
- patch -Np1 -i
../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ patch -Np1 -i
../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ # For AMD processors, keep PTI off by default
+ patch -Np1 -i
../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+
cp -Tf ../config .config
if [ "${_kernelname}" != "" ]; then
Modified: config
===================================================================
--- config 2018-01-03 07:16:24 UTC (rev 313948)
+++ config 2018-01-03 07:21:25 UTC (rev 313949)
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.9-1 Kernel Configuration
+# Linux/x86 4.14.11-1 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -8130,6 +8130,7 @@
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_SECURITY_INFINIBAND is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_INTEL_TXT is not set
