4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Mar 2016 23:09:21 +0000 (15:09 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 1 Mar 2016 23:09:21 +0000 (15:09 -0800)
added patches:
ib-cma-fix-rdma-port-validation-for-iwarp.patch
security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch

queue-4.4/ib-cma-fix-rdma-port-validation-for-iwarp.patch [new file with mode: 0644]
queue-4.4/security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/ib-cma-fix-rdma-port-validation-for-iwarp.patch b/queue-4.4/ib-cma-fix-rdma-port-validation-for-iwarp.patch
new file mode 100644 (file)
index 0000000..adbc131
--- /dev/null
@@ -0,0 +1,41 @@
+From 649367735ee5dedb128d9fac0b86ba7e0fe7ae3b Mon Sep 17 00:00:00 2001
+From: Matan Barak <matanb@mellanox.com>
+Date: Thu, 7 Jan 2016 11:19:29 +0200
+Subject: IB/cma: Fix RDMA port validation for iWarp
+
+From: Matan Barak <matanb@mellanox.com>
+
+commit 649367735ee5dedb128d9fac0b86ba7e0fe7ae3b upstream.
+
+cma_validate_port wrongly assumed that Ethernet devices are RoCE
+devices and thus their ndev should be matched in the GID table.
+This broke the iWarp support. Fixing that matching the ndev only if
+we work on a RoCE port.
+
+Cc: <stable@vger.kernel.org> # 4.4.x-
+Fixes: abae1b71dd37 ('IB/cma: cma_validate_port should verify the port
+                    and netdevice')
+Reported-by: Hariprasad Shenai <hariprasad@chelsio.com>
+Tested-by: Hariprasad Shenai <hariprasad@chelsio.com>
+Signed-off-by: Matan Barak <matanb@mellanox.com>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/infiniband/core/cma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -453,7 +453,7 @@ static inline int cma_validate_port(stru
+       if ((dev_type != ARPHRD_INFINIBAND) && rdma_protocol_ib(device, port))
+               return ret;
+-      if (dev_type == ARPHRD_ETHER)
++      if (dev_type == ARPHRD_ETHER && rdma_protocol_roce(device, port))
+               ndev = dev_get_by_index(&init_net, bound_if_index);
+       ret = ib_find_cached_gid_by_port(device, gid, port, ndev, NULL);
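Review bot: In the cma_validate_port hunk of the queued patch, the result of `dev_get_by_index(&init_net, bound_if_index)` goes straight into `ib_find_cached_gid_by_port()` with no NULL check in the visible lines. If the bound interface has gone away, ndev stays NULL on a RoCE port, and the GID lookup presumably runs without the netdev match this validation is meant to enforce. Consider bracing the branch and adding `if (!ndev) return ret;` after the lookup, assuming ret still holds the error value used by the early return above; for a stable backport, that change belongs upstream first. The function begins and ends outside the hunk, so the matching dev_put() cannot be confirmed from here.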
diff --git a/queue-4.4/security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch b/queue-4.4/security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch
new file mode 100644 (file)
index 0000000..e8153b9
--- /dev/null
@@ -0,0 +1,73 @@
+From 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Wed, 20 Jan 2016 15:00:01 -0800
+Subject: security: let security modules use PTRACE_MODE_* with bitmasks
+
+From: Jann Horn <jann@thejh.net>
+
+commit 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 upstream.
+
+It looks like smack and yama weren't aware that the ptrace mode
+can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
+only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
+all modes have flags ORed into them.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Morris <james.l.morris@oracle.com>
+Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/smack/smack_lsm.c |    8 +++-----
+ security/yama/yama_lsm.c   |    4 ++--
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -398,12 +398,10 @@ static int smk_copy_relabel(struct list_
+  */
+ static inline unsigned int smk_ptrace_mode(unsigned int mode)
+ {
+-      switch (mode) {
+-      case PTRACE_MODE_READ:
+-              return MAY_READ;
+-      case PTRACE_MODE_ATTACH:
++      if (mode & PTRACE_MODE_ATTACH)
+               return MAY_READWRITE;
+-      }
++      if (mode & PTRACE_MODE_READ)
++              return MAY_READ;
+       return 0;
+ }
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -281,7 +281,7 @@ static int yama_ptrace_access_check(stru
+       int rc = 0;
+       /* require ptrace target be a child of ptracer on attach */
+-      if (mode == PTRACE_MODE_ATTACH) {
++      if (mode & PTRACE_MODE_ATTACH) {
+               switch (ptrace_scope) {
+               case YAMA_SCOPE_DISABLED:
+                       /* No additional restrictions. */
+@@ -307,7 +307,7 @@ static int yama_ptrace_access_check(stru
+               }
+       }
+-      if (rc) {
++      if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) {
+               printk_ratelimited(KERN_NOTICE
+                       "ptrace of pid %d was attempted by: %s (pid %d)\n",
+                       child->pid, current->comm, current->pid);
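Review bot: In smk_ptrace_mode the order of the two bit tests is now load-bearing, but nothing in the body says so: a mode carrying the ATTACH bit must map to `MAY_READWRITE`, and swapping the tests could silently downgrade a combined mode to `MAY_READ`. I would add `/* mode is a bitmask and may carry flags such as PTRACE_MODE_NOAUDIT; test ATTACH first so the stronger access wins */` above the first `if`. The same bitmask assumption applies to the `mode & PTRACE_MODE_ATTACH` test in yama_ptrace_access_check, whose body continues outside its hunks. Because the old equality tests stop matching as soon as any flag is ORed in, this patch presumably has to sit ahead of the PTRACE_MODE_*CREDS change in the series. That ordering is not visible on this page and is worth confirming.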
index 62569f2b43d338896ae40f418348b3feb995157a..5a5bbda53626443b9acc86260237ed24ffbbf687 100644 (file)
@@ -334,3 +334,5 @@ x86-irq-remove-the-cpumask-allocation-from-send_cleanup_vector.patch
 x86-irq-remove-outgoing-cpu-from-vector-cleanup-mask.patch
 x86-irq-call-irq_force_move_complete-with-irq-descriptor.patch
 x86-irq-plug-vector-cleanup-race.patch
+ib-cma-fix-rdma-port-validation-for-iwarp.patch
+security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch