From: Greg Kroah-Hartman Date: Fri, 9 Sep 2016 13:47:27 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.14.79~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=23c3c8347130018010ee6a01c16c6839b3df7a17;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch crypto-nx-842-mask-xers0-bit-in-return-value.patch cxlflash-fix-to-avoid-virtual-lun-failover-failure.patch cxlflash-fix-to-escalate-link_reset-also-on-port-1.patch cxlflash-move-to-exponential-back-off-when-cmd_room-is-not-available.patch drivers-hv-lock-access-to-hyperv_mmio-resource-tree.patch drm-amdgpu-cz-enable-disable-vce-dpm-even-if-vce-pg-is-disabled.patch fs-check-for-invalid-i_uid-in-may_follow_link.patch ib-ipoib-do-not-set-skb-truesize-since-using-one-linearskb.patch kernel-add-noaudit-variant-of-ns_capable.patch keys-fix-asn.1-indefinite-length-object-parsing.patch net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch netfilter-x_tables-check-for-size-overflow.patch udp-properly-support-msg_peek-with-truncated-buffers.patch --- diff --git a/queue-4.4/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch b/queue-4.4/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch new file mode 100644 index 00000000000..2b4beff54e7 --- /dev/null +++ b/queue-4.4/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch 
@@ -0,0 +1,37 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:37:09 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:01 -0400 +Subject: [PATCH 4.4 08/16] cred: Reject inodes with invalid ids in set_create_file_as() +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-9-git-send-email-alexander.levin@verizon.com> + + +From: Seth Forshee + +[ Upstream commit 5f65e5ca286126a60f62c8421b77c2018a482b8a ] + +Using INVALID_[UG]ID for the LSM file creation context doesn't +make sense, so return an error if the inode passed to +set_create_file_as() has an invalid id. + +Signed-off-by: Seth Forshee +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cred.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cred.c ++++ b/kernel/cred.c +@@ -689,6 +689,8 @@ EXPORT_SYMBOL(set_security_override_from + */ + int set_create_files_as(struct cred *new, struct inode *inode) + { ++ if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) ++ return -EINVAL; + new->fsuid = inode->i_uid; + new->fsgid = inode->i_gid; + return security_kernel_create_files_as(new, inode); diff --git a/queue-4.4/crypto-nx-842-mask-xers0-bit-in-return-value.patch b/queue-4.4/crypto-nx-842-mask-xers0-bit-in-return-value.patch new file mode 100644 index 00000000000..02ab30f371c --- /dev/null +++ b/queue-4.4/crypto-nx-842-mask-xers0-bit-in-return-value.patch 
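Review bot: The kernel-doc block above set_create_files_as() (only its closing `*/` is inside the hunk) is not updated for the new failure mode, so a caller reading it would not learn that an inode with an unmapped owner is now rejected. I would add a line such as `Returns -EINVAL if the inode's uid or gid is not valid.` to that block. The check runs before `new->fsuid` and `new->fsgid` are written, so a rejected call leaves `new` untouched, which is worth stating there too. The Subject line names set_create_file_as() while the function in the hunk is set_create_files_as().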
@@ -0,0 +1,67 @@ +From alexander.levin@verizon.com Tue Aug 30 06:37:51 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:34:57 -0400 +Subject: [PATCH 4.4 04/16] crypto: nx-842 - Mask XERS0 bit in return value +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-5-git-send-email-alexander.levin@verizon.com> + + +From: Haren Myneni + +[ Upstream commit 6333ed8f26cf77311088d2e2b7cf16d8480bcbb2 ] + +NX842 coprocessor sets 3rd bit in CR register with XER[S0] which is +nothing to do with NX request. Since this bit can be set with other +valuable return status, mast this bit. + +One of other bits (INITIATED, BUSY or REJECTED) will be returned for +any given NX request. + +Signed-off-by: Haren Myneni +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/icswx.h | 1 + + drivers/crypto/nx/nx-842-powernv.c | 12 ++++++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/include/asm/icswx.h ++++ b/arch/powerpc/include/asm/icswx.h +@@ -164,6 +164,7 @@ struct coprocessor_request_block { + #define ICSWX_INITIATED (0x8) + #define ICSWX_BUSY (0x4) + #define ICSWX_REJECTED (0x2) ++#define ICSWX_XERS0 (0x1) /* undefined or set from XERSO. */ + + static inline int icswx(__be32 ccw, struct coprocessor_request_block *crb) + { +--- a/drivers/crypto/nx/nx-842-powernv.c ++++ b/drivers/crypto/nx/nx-842-powernv.c +@@ -442,6 +442,14 @@ static int nx842_powernv_function(const + (unsigned int)ccw, + (unsigned int)be32_to_cpu(crb->ccw)); + ++ /* ++ * NX842 coprocessor sets 3rd bit in CR register with XER[S0]. ++ * XER[S0] is the integer summary overflow bit which is nothing ++ * to do NX. Since this bit can be set with other return values, ++ * mask this bit. 
++ */ ++ ret &= ~ICSWX_XERS0; ++ + switch (ret) { + case ICSWX_INITIATED: + ret = wait_for_csb(wmem, csb); +@@ -454,10 +462,6 @@ static int nx842_powernv_function(const + pr_err_ratelimited("ICSWX rejected\n"); + ret = -EPROTO; + break; +- default: +- pr_err_ratelimited("Invalid ICSWX return code %x\n", ret); +- ret = -EPROTO; +- break; + } + + if (!ret) diff --git a/queue-4.4/cxlflash-fix-to-avoid-virtual-lun-failover-failure.patch b/queue-4.4/cxlflash-fix-to-avoid-virtual-lun-failover-failure.patch new file mode 100644 index 00000000000..0f7c2fe380a --- /dev/null +++ b/queue-4.4/cxlflash-fix-to-avoid-virtual-lun-failover-failure.patch 
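Review bot: Dropping the `default:` arm in the second nx-842-powernv.c hunk means any value other than ICSWX_INITIATED, ICSWX_BUSY or ICSWX_REJECTED now leaves the switch with `ret` unchanged. After `ret &= ~ICSWX_XERS0` a status that had only the low bit set becomes 0, which the following `if (!ret)` would treat as success, and a combination of bits would be passed on as a positive non-errno value. The commit message states that one of the three bits is always returned, but nothing in the new code enforces it, so I would keep the arm: `default:` with `pr_err_ratelimited("Invalid ICSWX return code %x\n", ret);` and `ret = -EPROTO;`. The comment on the new define also spells the bit `XERSO` (letter O) where the macro is `ICSWX_XERS0`. nx842_powernv_function starts and ends outside the hunk.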
@@ -0,0 +1,74 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:44 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:34:55 -0400 +Subject: [PATCH 4.4 02/16] cxlflash: Fix to avoid virtual LUN failover failure +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-3-git-send-email-alexander.levin@verizon.com> + + +From: "Matthew R. Ochs" + +[ Upstream commit d5e26bb1d812ba74f29b6bcbc88c3dbfb3eed824 ] + +Applications which use virtual LUN's that are backed by a physical LUN +over both adapter ports may experience an I/O failure in the event of a +link loss (e.g. cable pull). + +Virtual LUNs may be accessed through one or both ports of the adapter. +This access is encoded in the translation entries that comprise the +virtual LUN and used by the AFU for load-balancing I/O and handling +failover scenarios. In a link loss scenario, even though the AFU is able +to maintain connectivity to the LUN, it is up to the application to +retry the failed I/O. When applications are unaware of the virtual LUN's +underlying topology, they are unable to make a sound decision of when to +retry an I/O and therefore are forced to make their reaction to a failed +I/O absolute. The result is either a failure to retry I/O or increased +latency for scenarios where a retry is pointless. + +To remedy this scenario, provide feedback back to the application on +virtual LUN creation as to which ports the LUN may be accessed. LUN's +spanning both ports are candidates for a retry in a presence of an I/O +failure. + +Signed-off-by: Matthew R. Ochs +Acked-by: Manoj Kumar +Reviewed-by: Uma Krishnan +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/cxlflash/vlun.c | 2 ++ + include/uapi/scsi/cxlflash_ioctl.h | 10 ++++++++++ + 2 files changed, 12 insertions(+) + +--- a/drivers/scsi/cxlflash/vlun.c ++++ b/drivers/scsi/cxlflash/vlun.c +@@ -1008,6 +1008,8 @@ int cxlflash_disk_virtual_open(struct sc + virt->last_lba = last_lba; + virt->rsrc_handle = rsrc_handle; + ++ if (lli->port_sel == BOTH_PORTS) ++ virt->hdr.return_flags |= DK_CXLFLASH_ALL_PORTS_ACTIVE; + out: + if (likely(ctxi)) + put_context(ctxi); +--- a/include/uapi/scsi/cxlflash_ioctl.h ++++ b/include/uapi/scsi/cxlflash_ioctl.h +@@ -31,6 +31,16 @@ struct dk_cxlflash_hdr { + }; + + /* ++ * Return flag definitions available to all ioctls ++ * ++ * Similar to the input flags, these are grown from the bottom-up with the ++ * intention that ioctl-specific return flag definitions would grow from the ++ * top-down, allowing the two sets to co-exist. While not required/enforced ++ * at this time, this provides future flexibility. ++ */ ++#define DK_CXLFLASH_ALL_PORTS_ACTIVE 0x0000000000000001ULL ++ ++/* + * Notes: + * ----- + * The 'context_id' field of all ioctl structures contains the context diff --git a/queue-4.4/cxlflash-fix-to-escalate-link_reset-also-on-port-1.patch b/queue-4.4/cxlflash-fix-to-escalate-link_reset-also-on-port-1.patch new file mode 100644 index 00000000000..fe7c94e3e8b --- /dev/null +++ b/queue-4.4/cxlflash-fix-to-escalate-link_reset-also-on-port-1.patch 
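Review bot: `DK_CXLFLASH_ALL_PORTS_ACTIVE` is set from `lli->port_sel == BOTH_PORTS`, which by the commit message describes the ports a LUN may be accessed through; the name reads as if it reported current link state. Because this is a uapi flag that applications will use to decide whether to retry failed I/O, the define deserves its own comment, for example `/* LUN is reachable through all adapter ports (from port_sel) */`. The flag is OR-ed into `virt->hdr.return_flags`, and whether that field is zeroed or rejected when non-zero on entry is not visible in the hunk, so it is worth confirming a caller cannot pre-set it. cxlflash_disk_virtual_open starts and ends outside the hunk.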
@@ -0,0 +1,37 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:46 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:34:54 -0400 +Subject: [PATCH 4.4 01/16] cxlflash: Fix to escalate LINK_RESET also on port 1 +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-2-git-send-email-alexander.levin@verizon.com> + +From: Manoj Kumar + +[ Upstream commit a9be294ecb3b9dc82b15625631b153f871181d16 ] + +The original fix to escalate a 'login timed out' error to a LINK_RESET +was only made for one of the two ports on the card. This fix resolves +the same issue for the second port (port 1). + +Signed-off-by: Manoj N. Kumar +Acked-by: Matthew R. Ochs +Reviewed-by: Uma Krishnan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/cxlflash/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/cxlflash/main.c ++++ b/drivers/scsi/cxlflash/main.c +@@ -1141,7 +1141,7 @@ static const struct asyc_intr_info ainfo + {SISL_ASTATUS_FC1_OTHER, "other error", 1, CLR_FC_ERROR | LINK_RESET}, + {SISL_ASTATUS_FC1_LOGO, "target initiated LOGO", 1, 0}, + {SISL_ASTATUS_FC1_CRC_T, "CRC threshold exceeded", 1, LINK_RESET}, +- {SISL_ASTATUS_FC1_LOGI_R, "login timed out, retrying", 1, 0}, ++ {SISL_ASTATUS_FC1_LOGI_R, "login timed out, retrying", 1, LINK_RESET}, + {SISL_ASTATUS_FC1_LOGI_F, "login failed", 1, CLR_FC_ERROR}, + {SISL_ASTATUS_FC1_LOGI_S, "login succeeded", 1, SCAN_HOST}, + {SISL_ASTATUS_FC1_LINK_DN, "link down", 1, 0}, diff --git a/queue-4.4/cxlflash-move-to-exponential-back-off-when-cmd_room-is-not-available.patch b/queue-4.4/cxlflash-move-to-exponential-back-off-when-cmd_room-is-not-available.patch new file mode 100644 index 00000000000..501fcbaf266 --- /dev/null +++ b/queue-4.4/cxlflash-move-to-exponential-back-off-when-cmd_room-is-not-available.patch 
@@ -0,0 +1,77 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:51 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:05 -0400 +Subject: [PATCH 4.4 12/16] cxlflash: Move to exponential back-off when cmd_room is not available +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-13-git-send-email-alexander.levin@verizon.com> + + +From: "Manoj N. Kumar" + +[ Upstream commit ea76543127da32dec28af0a13ea1b06625fc085e ] + +While profiling the cxlflash_queuecommand() path under a heavy load it +was found that number of retries to find cmd_room was fairly high. + +There are two problems with the current back-off: +a) It starts with a udelay of 0 +b) It backs-off linearly + +Tried several approaches (a higher multiple 10*n, 100*n, as well as n^2, +2^n) and found that the exponential back-off(2^n) approach had the least +overall cost. Cost as being defined as overall time spent waiting. + +The fix is to change the linear back-off to an exponential back-off. +This solution also takes care of the problem with the initial +delay (starts with 1 usec). + +Signed-off-by: Manoj N. Kumar +Acked-by: Matthew R. Ochs +Reviewed-by: Johannes Thumshirn +Signed-off-by: Uma Krishnan +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/cxlflash/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/cxlflash/main.c ++++ b/drivers/scsi/cxlflash/main.c +@@ -289,7 +289,7 @@ static void context_reset(struct afu_cmd + atomic64_set(&afu->room, room); + if (room) + goto write_rrin; +- udelay(nretry); ++ udelay(1 << nretry); + } while (nretry++ < MC_ROOM_RETRY_CNT); + + pr_err("%s: no cmd_room to send reset\n", __func__); +@@ -303,7 +303,7 @@ write_rrin: + if (rrin != 0x1) + break; + /* Double delay each time */ +- udelay(2 << nretry); ++ udelay(1 << nretry); + } while (nretry++ < MC_ROOM_RETRY_CNT); + } + +@@ -338,7 +338,7 @@ retry: + atomic64_set(&afu->room, room); + if (room) + goto write_ioarrin; +- udelay(nretry); ++ udelay(1 << nretry); + } while (nretry++ < MC_ROOM_RETRY_CNT); + + dev_err(dev, "%s: no cmd_room to send 0x%X\n", +@@ -352,7 +352,7 @@ retry: + * afu->room. + */ + if (nretry++ < MC_ROOM_RETRY_CNT) { +- udelay(nretry); ++ udelay(1 << nretry); + goto retry; + } + diff --git a/queue-4.4/drivers-hv-lock-access-to-hyperv_mmio-resource-tree.patch b/queue-4.4/drivers-hv-lock-access-to-hyperv_mmio-resource-tree.patch new file mode 100644 index 00000000000..2b007158d7b --- /dev/null +++ b/queue-4.4/drivers-hv-lock-access-to-hyperv_mmio-resource-tree.patch 
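Review bot: The shift count in `udelay(1 << nretry)` is bounded only by MC_ROOM_RETRY_CNT, whose value is not visible in these hunks, and each call is a busy-wait, so the worst-case spin per site grows as 2^MC_ROOM_RETRY_CNT microseconds. A comment beside the macro stating the resulting maximum delay, or a `BUILD_BUG_ON()` on its upper bound, would keep a later increase of the retry count from becoming a long stall or an out-of-range shift. The four sites are also not equivalent: in the last hunk `nretry++` in the `if` runs before the delay, so the first wait there is 2 usec while the `do/while` sites start at 1 usec. All four enclosing loops extend beyond their hunks.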
@@ -0,0 +1,71 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:05 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:06 -0400 +Subject: [PATCH 4.4 13/16] drivers:hv: Lock access to hyperv_mmio resource tree +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-14-git-send-email-alexander.levin@verizon.com> + + +From: Jake Oshins + +[ Upstream commit e16dad6bfe1437aaee565f875a6713ca7ce81bdf ] + +In existing code, this tree of resources is created +in single-threaded code and never modified after it is +created, and thus needs no locking. This patch introduces +a semaphore for tree access, as other patches in this +series introduce run-time modifications of this resource +tree which can happen on multiple threads. + +Signed-off-by: Jake Oshins +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -105,6 +105,7 @@ static struct notifier_block hyperv_pani + }; + + struct resource *hyperv_mmio; ++DEFINE_SEMAPHORE(hyperv_mmio_lock); + + static int vmbus_exists(void) + { +@@ -1140,7 +1141,10 @@ int vmbus_allocate_mmio(struct resource + resource_size_t range_min, range_max, start, local_min, local_max; + const char *dev_n = dev_name(&device_obj->device); + u32 fb_end = screen_info.lfb_base + (screen_info.lfb_size << 1); +- int i; ++ int i, retval; ++ ++ retval = -ENXIO; ++ down(&hyperv_mmio_lock); + + for (iter = hyperv_mmio; iter; iter = iter->sibling) { + if ((iter->start >= max) || (iter->end <= min)) +@@ -1177,13 +1181,17 @@ int vmbus_allocate_mmio(struct resource + for (; start + size - 1 <= local_max; start += align) { + *new = request_mem_region_exclusive(start, size, + dev_n); +- if (*new) +- return 0; ++ if (*new) { ++ retval = 0; ++ goto exit; ++ } + } + } + } + +- return -ENXIO; ++exit: ++ 
up(&hyperv_mmio_lock); ++ return retval; + } + EXPORT_SYMBOL_GPL(vmbus_allocate_mmio); + diff --git a/queue-4.4/drm-amdgpu-cz-enable-disable-vce-dpm-even-if-vce-pg-is-disabled.patch b/queue-4.4/drm-amdgpu-cz-enable-disable-vce-dpm-even-if-vce-pg-is-disabled.patch new file mode 100644 index 00000000000..56ca67b1300 --- /dev/null +++ b/queue-4.4/drm-amdgpu-cz-enable-disable-vce-dpm-even-if-vce-pg-is-disabled.patch @@ -0,0 +1,40 @@ +dos2unix: Binary symbol 0x1F found at line 42 +dos2unix: Skipping binary file stdin +From stable-owner@vger.kernel.org Tue Aug 30 06:36:47 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:03 -0400 +Subject: [PATCH 4.4 10/16] drm/amdgpu/cz: enable/disable vce dpm even if vce pg is disabled +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-11-git-send-email-alexander.levin@verizon.com> + + +From: Alex Deucher + +[ Upstream commit b3dae7828399ef316e3fabf7e82c6415cb03a02e ] + +I missed this when cleaning up the vce pg handling. + +Reviewed-by: Christian König +Reviewed-by: Rex Zhu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/cz_dpm.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/cz_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/cz_dpm.c +@@ -1955,10 +1955,8 @@ static void cz_dpm_powergate_vce(struct + } + } else { /*pi->caps_vce_pg*/ + cz_update_vce_dpm(adev); +- cz_enable_vce_dpm(adev, true); ++ cz_enable_vce_dpm(adev, !gate); + } +- +- return; + } + + const struct amd_ip_funcs cz_dpm_ip_funcs = { diff --git a/queue-4.4/fs-check-for-invalid-i_uid-in-may_follow_link.patch b/queue-4.4/fs-check-for-invalid-i_uid-in-may_follow_link.patch new file mode 100644 index 00000000000..84d02d4d82f --- /dev/null +++ b/queue-4.4/fs-check-for-invalid-i_uid-in-may_follow_link.patch 
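Review bot: Only the single `return 0` visible in the third hunk is converted to `goto exit`; the code between `down(&hyperv_mmio_lock)` and `exit:` is only partly inside these hunks, so any other early return there would leave the semaphore held and should be checked against the full function. The lock is a binary semaphore used purely for mutual exclusion, and `DEFINE_MUTEX` with `mutex_lock()`/`mutex_unlock()` would add lockdep and owner checking. `hyperv_mmio_lock` is defined without `static`, although nothing in the visible hunks uses it outside vmbus_drv.c. `int i, retval;` followed by `retval = -ENXIO;` can be one initialised declaration, `int i, retval = -ENXIO;`.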
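Review bot: The queued drm-amdgpu patch file begins with two lines of tool output, `dos2unix: Binary symbol 0x1F found at line 42` and `dos2unix: Skipping binary file stdin`, ahead of the mbox `From ` line. They are not part of the upstream commit and, sitting before the header block, may keep tools from reading author, date and subject from this file, so they should be deleted. The message also says the line-ending conversion was skipped for this mail; it is worth confirming that the patch body applies cleanly and that the non-ASCII name in the first Reviewed-by trailer survived intact.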
@@ -0,0 +1,49 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:53 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:00 -0400 +Subject: [PATCH 4.4 07/16] fs: Check for invalid i_uid in may_follow_link() +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-8-git-send-email-alexander.levin@verizon.com> + + +From: Seth Forshee + +[ Upstream commit 2d7f9e2ad35e4e7a3086231f19bfab33c6a8a64a ] + +Filesystem uids which don't map into a user namespace may result +in inode->i_uid being INVALID_UID. A symlink and its parent +could have different owners in the filesystem can both get +mapped to INVALID_UID, which may result in following a symlink +when this would not have otherwise been permitted when protected +symlinks are enabled. + +Signed-off-by: Seth Forshee +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -887,6 +887,7 @@ static inline int may_follow_link(struct + { + const struct inode *inode; + const struct inode *parent; ++ kuid_t puid; + + if (!sysctl_protected_symlinks) + return 0; +@@ -902,7 +903,8 @@ static inline int may_follow_link(struct + return 0; + + /* Allowed if parent directory and link owner match. */ +- if (uid_eq(parent->i_uid, inode->i_uid)) ++ puid = parent->i_uid; ++ if (uid_valid(puid) && uid_eq(puid, inode->i_uid)) + return 0; + + if (nd->flags & LOOKUP_RCU) diff --git a/queue-4.4/ib-ipoib-do-not-set-skb-truesize-since-using-one-linearskb.patch b/queue-4.4/ib-ipoib-do-not-set-skb-truesize-since-using-one-linearskb.patch new file mode 100644 index 00000000000..da64a952f7b --- /dev/null +++ b/queue-4.4/ib-ipoib-do-not-set-skb-truesize-since-using-one-linearskb.patch 
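Review bot: The comment kept above the changed test, `/* Allowed if parent directory and link owner match. */`, no longer describes the condition, because a match is now ignored when the parent's uid is not valid. I would reword it to `/* Allowed if parent directory and link owner match and the parent's uid is valid. */` so the reason for `uid_valid(puid)` is not lost on the next reader. Validating only the parent is enough for this comparison, since an invalid `inode->i_uid` can then never equal a valid `puid`. The earlier owner check that ends in the `return 0;` context line lies outside the hunk and should be read with the same question in mind; may_follow_link continues past the hunk.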
@@ -0,0 +1,38 @@ +From alexander.levin@verizon.com Tue Aug 30 06:37:53 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:34:59 -0400 +Subject: [PATCH 4.4 06/16] IB/IPoIB: Do not set skb truesize since using one linearskb +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-7-git-send-email-alexander.levin@verizon.com> + + +From: Carol L Soto + +[ Upstream commit bb6a777369449d15a4a890306d2f925cae720e1c ] + +We are seeing this warning: at net/core/skbuff.c:4174 +and before commit a44878d10063 ("IB/ipoib: Use one linear skb in RX flow") +skb truesize was not being set when ipoib was using just one skb. +Removing this line avoids the warning when running tcp tests like iperf. + +Fixes: a44878d10063 ("IB/ipoib: Use one linear skb in RX flow") +Signed-off-by: Carol L Soto +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -245,8 +245,6 @@ static void ipoib_ib_handle_rx_wc(struct + skb_reset_mac_header(skb); + skb_pull(skb, IPOIB_ENCAP_LEN); + +- skb->truesize = SKB_TRUESIZE(skb->len); +- + ++dev->stats.rx_packets; + dev->stats.rx_bytes += skb->len; + diff --git a/queue-4.4/kernel-add-noaudit-variant-of-ns_capable.patch b/queue-4.4/kernel-add-noaudit-variant-of-ns_capable.patch new file mode 100644 index 00000000000..02a1586cfb3 --- /dev/null +++ b/queue-4.4/kernel-add-noaudit-variant-of-ns_capable.patch 
@@ -0,0 +1,115 @@ +From 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 2 Jun 2016 23:43:21 -0500 +Subject: kernel: Add noaudit variant of ns_capable() + +From: Tyler Hicks + +commit 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 upstream. + +When checking the current cred for a capability in a specific user +namespace, it isn't always desirable to have the LSMs audit the check. +This patch adds a noaudit variant of ns_capable() for when those +situations arise. + +The common logic between ns_capable() and the new ns_capable_noaudit() +is moved into a single, shared function to keep duplicated code to a +minimum and ease maintainability. + +Signed-off-by: Tyler Hicks +Acked-by: Serge E. Hallyn +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/capability.h | 5 ++++ + kernel/capability.c | 46 +++++++++++++++++++++++++++++++++++---------- + 2 files changed, 41 insertions(+), 10 deletions(-) + +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -214,6 +214,7 @@ extern bool has_ns_capability_noaudit(st + struct user_namespace *ns, int cap); + extern bool capable(int cap); + extern bool ns_capable(struct user_namespace *ns, int cap); ++extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); + #else + static inline bool has_capability(struct task_struct *t, int cap) + { +@@ -241,6 +242,10 @@ static inline bool ns_capable(struct use + { + return true; + } ++static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) ++{ ++ return true; ++} + #endif /* CONFIG_MULTIUSER */ + extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); + extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); +--- a/kernel/capability.c ++++ b/kernel/capability.c +@@ -361,6 +361,24 @@ bool has_capability_noaudit(struct task_ + return has_ns_capability_noaudit(t, &init_user_ns, cap); + } + 
++static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit) ++{ ++ int capable; ++ ++ if (unlikely(!cap_valid(cap))) { ++ pr_crit("capable() called with invalid cap=%u\n", cap); ++ BUG(); ++ } ++ ++ capable = audit ? security_capable(current_cred(), ns, cap) : ++ security_capable_noaudit(current_cred(), ns, cap); ++ if (capable == 0) { ++ current->flags |= PF_SUPERPRIV; ++ return true; ++ } ++ return false; ++} ++ + /** + * ns_capable - Determine if the current task has a superior capability in effect + * @ns: The usernamespace we want the capability in +@@ -374,19 +392,27 @@ bool has_capability_noaudit(struct task_ + */ + bool ns_capable(struct user_namespace *ns, int cap) + { +- if (unlikely(!cap_valid(cap))) { +- pr_crit("capable() called with invalid cap=%u\n", cap); +- BUG(); +- } +- +- if (security_capable(current_cred(), ns, cap) == 0) { +- current->flags |= PF_SUPERPRIV; +- return true; +- } +- return false; ++ return ns_capable_common(ns, cap, true); + } + EXPORT_SYMBOL(ns_capable); + ++/** ++ * ns_capable_noaudit - Determine if the current task has a superior capability ++ * (unaudited) in effect ++ * @ns: The usernamespace we want the capability in ++ * @cap: The capability to be tested for ++ * ++ * Return true if the current task has the given superior capability currently ++ * available for use, false if not. ++ * ++ * This sets PF_SUPERPRIV on the task if the capability is available on the ++ * assumption that it's about to be used. ++ */ ++bool ns_capable_noaudit(struct user_namespace *ns, int cap) ++{ ++ return ns_capable_common(ns, cap, false); ++} ++EXPORT_SYMBOL(ns_capable_noaudit); + + /** + * capable - Determine if the current task has a superior capability in effect diff --git a/queue-4.4/keys-fix-asn.1-indefinite-length-object-parsing.patch b/queue-4.4/keys-fix-asn.1-indefinite-length-object-parsing.patch new file mode 100644 index 00000000000..12d4071e989 --- /dev/null 
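Review bot: In ns_capable_common() the local `int capable;` hides the function `capable()` declared in include/linux/capability.h for the rest of the body; `int ret;` would read better in this file. The moved `pr_crit("capable() called with invalid cap=%u\n", cap)` prints an `int` with `%u` and still names capable() although it can now be reached through ns_capable_noaudit(). The kernel-doc for ns_capable_noaudit() should also say when skipping the audit record is appropriate (a permission probe such as the net_ctl_permissions() caller added later in this series, not an access decision), because on success the helper still sets PF_SUPERPRIV.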
+++ b/queue-4.4/keys-fix-asn.1-indefinite-length-object-parsing.patch 
@@ -0,0 +1,96 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:08 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:07 -0400 +Subject: [PATCH 4.4 14/16] KEYS: Fix ASN.1 indefinite length object parsing +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-15-git-send-email-alexander.levin@verizon.com> + + +From: David Howells + +[ Upstream commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa ] + +This fixes CVE-2016-0758. + +In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, +it isn't validated against the remaining amount of data before being added +to the cursor. With a sufficiently large size indicated, the check: + + datalen - dp < 2 + +may then fail due to integer overflow. + +Fix this by checking the length indicated against the amount of remaining +data in both places a definite length is determined. + +Whilst we're at it, make the following changes: + + (1) Check the maximum size of extended length does not exceed the capacity + of the variable it's being stored in (len) rather than the type that + variable is assumed to be (size_t). + + (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the + integer 0. + + (3) To reduce confusion, move the initialisation of len outside of: + + for (len = 0; n > 0; n--) { + + since it doesn't have anything to do with the loop counter n. + +Signed-off-by: David Howells +Reviewed-by: Mimi Zohar +Acked-by: David Woodhouse +Acked-by: Peter Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/asn1_decoder.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/lib/asn1_decoder.c ++++ b/lib/asn1_decoder.c +@@ -74,7 +74,7 @@ next_tag: + + /* Extract a tag from the data */ + tag = data[dp++]; +- if (tag == 0) { ++ if (tag == ASN1_EOC) { + /* It appears to be an EOC. 
*/ + if (data[dp++] != 0) + goto invalid_eoc; +@@ -96,10 +96,8 @@ next_tag: + + /* Extract the length */ + len = data[dp++]; +- if (len <= 0x7f) { +- dp += len; +- goto next_tag; +- } ++ if (len <= 0x7f) ++ goto check_length; + + if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { + /* Indefinite length */ +@@ -110,14 +108,18 @@ next_tag: + } + + n = len - 0x80; +- if (unlikely(n > sizeof(size_t) - 1)) ++ if (unlikely(n > sizeof(len) - 1)) + goto length_too_long; + if (unlikely(n > datalen - dp)) + goto data_overrun_error; +- for (len = 0; n > 0; n--) { ++ len = 0; ++ for (; n > 0; n--) { + len <<= 8; + len |= data[dp++]; + } ++check_length: ++ if (len > datalen - dp) ++ goto data_overrun_error; + dp += len; + goto next_tag; + diff --git a/queue-4.4/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch b/queue-4.4/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch new file mode 100644 index 00000000000..40ae2277517 --- /dev/null +++ b/queue-4.4/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch 
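Review bot: The new `check_length:` test `len > datalen - dp` is sound only while `dp <= datalen`; assuming both are unsigned, as the replaced `sizeof(size_t)` line suggests, the subtraction would otherwise wrap and the bound would pass. Nothing inside the hunk establishes that invariant: it rests on the `datalen - dp < 2` test at `next_tag` quoted in the commit message, which is outside the hunk, and the `n > datalen - dp` check above depends on it in the same way. A one-line comment at the label, e.g. `/* dp <= datalen here, so datalen - dp cannot wrap */`, would record what this CVE fix relies on. The decoder function starts and ends outside the hunk.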
@@ -0,0 +1,42 @@ +From d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 2 Jun 2016 23:43:22 -0500 +Subject: net: Use ns_capable_noaudit() when determining net sysctl permissions + +From: Tyler Hicks + +commit d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 upstream. + +The capability check should not be audited since it is only being used +to determine the inode permissions. A failed check does not indicate a +violation of security policy but, when an LSM is enabled, a denial audit +message was being generated. + +The denial audit message caused confusion for some application authors +because root-running Go applications always triggered the denial. To +prevent this confusion, the capability check in net_ctl_permissions() is +switched to the noaudit variant. + +BugLink: https://launchpad.net/bugs/1465724 + +Signed-off-by: Tyler Hicks +Acked-by: Serge E. Hallyn +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + net/sysctl_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sysctl_net.c ++++ b/net/sysctl_net.c +@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct + kgid_t root_gid = make_kgid(net->user_ns, 0); + + /* Allow network administrator to have same access as root. */ +- if (ns_capable(net->user_ns, CAP_NET_ADMIN) || ++ if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN) || + uid_eq(root_uid, current_euid())) { + int mode = (table->mode >> 6) & 7; + return (mode << 6) | (mode << 3) | mode; diff --git a/queue-4.4/netfilter-x_tables-check-for-size-overflow.patch b/queue-4.4/netfilter-x_tables-check-for-size-overflow.patch new file mode 100644 index 00000000000..122888946eb --- /dev/null +++ b/queue-4.4/netfilter-x_tables-check-for-size-overflow.patch 
@@ -0,0 +1,39 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:37:09 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:35:04 -0400 +Subject: [PATCH 4.4 11/16] netfilter: x_tables: check for size overflow +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-12-git-send-email-alexander.levin@verizon.com> + + +From: Florian Westphal + +[ Upstream commit d157bd761585605b7882935ffb86286919f62ea1 ] + +Ben Hawkes says: + integer overflow in xt_alloc_table_info, which on 32-bit systems can + lead to small structure allocation and a copy_from_user based heap + corruption. + +Reported-by: Ben Hawkes +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/x_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -900,6 +900,9 @@ struct xt_table_info *xt_alloc_table_inf + if (sz < sizeof(*info)) + return NULL; + ++ if (sz < sizeof(*info)) ++ return NULL; ++ + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ + if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) + return NULL; diff --git a/queue-4.4/series b/queue-4.4/series index 2a78317edc0..66f61c17881 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
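Review bot: The added `if (sz < sizeof(*info)) return NULL;` is identical to the two context lines directly above it in the same hunk, so this patch inserts a second copy of a check the 4.4 tree already has. The queue-4.4/series hunk shows the cause: `0133-netfilter-x_tables-check-for-size-overflow.patch` is already listed as context and this commit appends `netfilter-x_tables-check-for-size-overflow.patch` again. The duplicate is harmless at run time, but it is dead code inside a security fix and will confuse later backports, so I would drop this patch and its series entry rather than apply it. xt_alloc_table_info continues outside the hunk.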
@@ -133,3 +133,17 @@ 0133-netfilter-x_tables-check-for-size-overflow.patch 0134-tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch 0135-tipc-fix-nl-compat-regression-for-link-statistics.patch +cxlflash-fix-to-escalate-link_reset-also-on-port-1.patch +cxlflash-fix-to-avoid-virtual-lun-failover-failure.patch +crypto-nx-842-mask-xers0-bit-in-return-value.patch +udp-properly-support-msg_peek-with-truncated-buffers.patch +ib-ipoib-do-not-set-skb-truesize-since-using-one-linearskb.patch +fs-check-for-invalid-i_uid-in-may_follow_link.patch +cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch +drm-amdgpu-cz-enable-disable-vce-dpm-even-if-vce-pg-is-disabled.patch +netfilter-x_tables-check-for-size-overflow.patch +cxlflash-move-to-exponential-back-off-when-cmd_room-is-not-available.patch +drivers-hv-lock-access-to-hyperv_mmio-resource-tree.patch +keys-fix-asn.1-indefinite-length-object-parsing.patch +kernel-add-noaudit-variant-of-ns_capable.patch +net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch diff --git a/queue-4.4/udp-properly-support-msg_peek-with-truncated-buffers.patch b/queue-4.4/udp-properly-support-msg_peek-with-truncated-buffers.patch new file mode 100644 index 00000000000..a6cea6931c7 --- /dev/null +++ b/queue-4.4/udp-properly-support-msg_peek-with-truncated-buffers.patch 
@@ -0,0 +1,97 @@ +From stable-owner@vger.kernel.org Tue Aug 30 06:36:52 2016 +From: "Levin, Alexander" +Date: Tue, 30 Aug 2016 00:34:58 -0400 +Subject: [PATCH 4.4 05/16] udp: properly support MSG_PEEK with truncated buffers +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" +Message-ID: <1472531709-18002-6-git-send-email-alexander.levin@verizon.com> + + +From: Eric Dumazet + +[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ] + +Backport of this upstream commit into stable kernels : +89c22d8c3b27 ("net: Fix skb csum races when peeking") +exposed a bug in udp stack vs MSG_PEEK support, when user provides +a buffer smaller than skb payload. + +In this case, +skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), + msg->msg_iov); +returns -EFAULT. + +This bug does not happen in upstream kernels since Al Viro did a great +job to replace this into : +skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); +This variant is safe vs short buffers. + +For the time being, instead reverting Herbert Xu patch and add back +skb->ip_summed invalid changes, simply store the result of +udp_lib_checksum_complete() so that we avoid computing the checksum a +second time, and avoid the problematic +skb_copy_and_csum_datagram_iovec() call. + +This patch can be applied on recent kernels as it avoids a double +checksumming, then backported to stable kernels as a bug fix. + +Signed-off-by: Eric Dumazet +Acked-by: Herbert Xu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 6 ++++-- + net/ipv6/udp.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1275,6 +1275,7 @@ int udp_recvmsg(struct sock *sk, struct + int peeked, off = 0; + int err; + int is_udplite = IS_UDPLITE(sk); ++ bool checksum_valid = false; + bool slow; + + if (flags & MSG_ERRQUEUE) +@@ -1300,11 +1301,12 @@ try_again: + */ + + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { +- if (udp_lib_checksum_complete(skb)) ++ checksum_valid = !udp_lib_checksum_complete(skb); ++ if (!checksum_valid) + goto csum_copy_err; + } + +- if (skb_csum_unnecessary(skb)) ++ if (checksum_valid || skb_csum_unnecessary(skb)) + err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), + msg, copied); + else { +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struc + int peeked, off = 0; + int err; + int is_udplite = IS_UDPLITE(sk); ++ bool checksum_valid = false; + int is_udp4; + bool slow; + +@@ -433,11 +434,12 @@ try_again: + */ + + if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { +- if (udp_lib_checksum_complete(skb)) ++ checksum_valid = !udp_lib_checksum_complete(skb); ++ if (!checksum_valid) + goto csum_copy_err; + } + +- if (skb_csum_unnecessary(skb)) ++ if (checksum_valid || skb_csum_unnecessary(skb)) + err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), + msg, copied); + else {
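Review bot: `checksum_valid` is initialised once at its declaration in udp_recvmsg() and udpv6_recvmsg(), but both functions loop back to `try_again:` with a different skb and the flag is rewritten only inside the `copied < ulen || ...partial_cov` branch. From the visible lines a stale `true` reaching `if (checksum_valid || skb_csum_unnecessary(skb))` would skip verification for the next datagram; whether any path to `try_again` can carry `true` depends on code outside the hunks. Resetting it per iteration, `checksum_valid = false;` right after the `try_again:` label, makes the per-skb scope explicit at no cost. The same applies to the ipv4 and ipv6 hunks alike.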