From: Greg Kroah-Hartman Date: Mon, 23 Jul 2018 08:46:28 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.4.144~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63c633bade19b87525ba40d820c74f6a18d027b8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch ptp-fix-missing-break-in-switch.patch skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch --- diff --git a/queue-3.18/ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch b/queue-3.18/ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch new file mode 100644 index 00000000000..9d6a7680203 --- /dev/null +++ b/queue-3.18/ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Jul 23 09:59:58 CEST 2018 +From: Tyler Hicks +Date: Thu, 5 Jul 2018 18:49:23 +0000 +Subject: ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns + +From: Tyler Hicks + +[ Upstream commit 70ba5b6db96ff7324b8cfc87e0d0383cf59c9677 ] + +The low and high values of the net.ipv4.ping_group_range sysctl were +being silently forced to the default disabled state when a write to the +sysctl contained GIDs that didn't map to the associated user namespace. +Confusingly, the sysctl's write operation would return success and then +a subsequent read of the sysctl would indicate that the low and high +values are the overflowgid. + +This patch changes the behavior by clearly returning an error when the +sysctl write operation receives a GID range that doesn't map to the +associated user namespace. In such a situation, the previous value of +the sysctl is preserved and that range will be returned in a subsequent +read of the sysctl. + +Signed-off-by: Tyler Hicks +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/sysctl_net_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -134,8 +134,9 @@ static int ipv4_ping_group_range(struct + if (write && ret == 0) { + low = make_kgid(user_ns, urange[0]); + high = make_kgid(user_ns, urange[1]); +- if (!gid_valid(low) || !gid_valid(high) || +- (urange[1] < urange[0]) || gid_lt(high, low)) { ++ if (!gid_valid(low) || !gid_valid(high)) ++ return -EINVAL; ++ if (urange[1] < urange[0] || gid_lt(high, low)) { + low = make_kgid(&init_user_ns, 1); + high = make_kgid(&init_user_ns, 0); + } diff --git a/queue-3.18/net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch b/queue-3.18/net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch new file mode 100644 index 00000000000..9f4e48aea7d --- /dev/null +++ b/queue-3.18/net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch @@ -0,0 +1,118 @@ +From foo@baz Mon Jul 23 08:24:46 CEST 2018 +From: Stefano Brivio +Date: Wed, 11 Jul 2018 14:39:42 +0200 +Subject: net: Don't copy pfmemalloc flag in __copy_skb_header() + +From: Stefano Brivio + +[ Upstream commit 8b7008620b8452728cadead460a36f64ed78c460 ] + +The pfmemalloc flag indicates that the skb was allocated from +the PFMEMALLOC reserves, and the flag is currently copied on skb +copy and clone. + +However, an skb copied from an skb flagged with pfmemalloc +wasn't necessarily allocated from PFMEMALLOC reserves, and on +the other hand an skb allocated that way might be copied from an +skb that wasn't. + +So we should not copy the flag on skb copy, and rather decide +whether to allow an skb to be associated with sockets unrelated +to page reclaim depending only on how it was allocated. + +Move the pfmemalloc flag before headers_start[0] using an +existing 1-bit hole, so that __copy_skb_header() doesn't copy +it. + +When cloning, we'll now take care of this flag explicitly, +contravening to the warning comment of __skb_clone(). + +While at it, restore the newline usage introduced by commit +b19372273164 ("net: reorganize sk_buff for faster +__copy_skb_header()") to visually separate bytes used in +bitfields after headers_start[0], that was gone after commit +a9e419dc7be6 ("netfilter: merge ctinfo into nfct pointer storage +area"), and describe the pfmemalloc flag in the kernel-doc +structure comment. + +This doesn't change the size of sk_buff or cacheline boundaries, +but consolidates the 15 bits hole before tc_index into a 2 bytes +hole before csum, that could now be filled more easily. + +Reported-by: Patrick Talbert +Fixes: c93bdd0e03e8 ("netvm: allow skb allocation to use PFMEMALLOC reserves") +Signed-off-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 12 ++++++------ + net/core/skbuff.c | 2 ++ + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -475,6 +475,7 @@ static inline u32 skb_mstamp_us_delta(co + * @hash: the packet hash + * @queue_mapping: Queue mapping for multiqueue devices + * @xmit_more: More SKBs are pending for this queue ++ * @pfmemalloc: skbuff was allocated from PFMEMALLOC reserves + * @ndisc_nodetype: router type (from link layer) + * @ooo_okay: allow the mapping of a socket to a queue to be changed + * @l4_hash: indicate hash is a canonical 4-tuple hash over transport +@@ -551,8 +552,8 @@ struct sk_buff { + fclone:2, + peeked:1, + head_frag:1, +- xmit_more:1; +- /* one bit hole */ ++ xmit_more:1, ++ pfmemalloc:1; + kmemcheck_bitfield_end(flags1); + + /* fields enclosed in headers_start/headers_end are copied +@@ -572,19 +573,18 @@ struct sk_buff { + + __u8 __pkt_type_offset[0]; + __u8 pkt_type:3; +- __u8 pfmemalloc:1; + __u8 ignore_df:1; + __u8 nfctinfo:3; +- + __u8 nf_trace:1; ++ + __u8 ip_summed:2; + __u8 ooo_okay:1; + __u8 l4_hash:1; + __u8 sw_hash:1; + __u8 wifi_acked_valid:1; + __u8 wifi_acked:1; +- + __u8 no_fcs:1; ++ + /* Indicates the inner headers are valid in the skbuff. */ + __u8 encapsulation:1; + __u8 encap_hdr_csum:1; +@@ -592,11 +592,11 @@ struct sk_buff { + __u8 csum_complete_sw:1; + __u8 csum_level:2; + __u8 csum_bad:1; +- + #ifdef CONFIG_IPV6_NDISC_NODETYPE + __u8 ndisc_nodetype:2; + #endif + __u8 ipvs_property:1; ++ + __u8 inner_protocol_type:1; + /* 4 or 6 bit hole */ + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -780,6 +780,8 @@ static struct sk_buff *__skb_clone(struc + n->cloned = 1; + n->nohdr = 0; + n->peeked = 0; ++ if (skb->pfmemalloc) ++ n->pfmemalloc = 1; + n->destructor = NULL; + C(tail); + C(end); diff --git a/queue-3.18/ptp-fix-missing-break-in-switch.patch b/queue-3.18/ptp-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..ce2d7f76c06 --- /dev/null +++ b/queue-3.18/ptp-fix-missing-break-in-switch.patch @@ -0,0 +1,31 @@ +From foo@baz Mon Jul 23 09:59:58 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 17 Jul 2018 20:17:33 -0500 +Subject: ptp: fix missing break in switch + +From: "Gustavo A. R. Silva" + +[ Upstream commit 9ba8376ce1e2cbf4ce44f7e4bee1d0648e10d594 ] + +It seems that a *break* is missing in order to avoid falling through +to the default case. Otherwise, checking *chan* makes no sense. + +Fixes: 72df7a7244c0 ("ptp: Allow reassigning calibration pin function") +Signed-off-by: Gustavo A. R. Silva +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ptp/ptp_chardev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -88,6 +88,7 @@ int ptp_set_pinfunc(struct ptp_clock *pt + case PTP_PF_PHYSYNC: + if (chan != 0) + return -EINVAL; ++ break; + default: + return -EINVAL; + } diff --git a/queue-3.18/series b/queue-3.18/series index db910dc558e..6e308b7ba13 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -3,3 +3,7 @@ fat-fix-memory-allocation-failure-handling-of-match_strdup.patch alsa-rawmidi-change-resized-buffers-atomically.patch arc-fix-config_swap.patch arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch +ipv4-return-einval-when-ping_group_range-sysctl-doesn-t-map-to-user-ns.patch +ptp-fix-missing-break-in-switch.patch +net-don-t-copy-pfmemalloc-flag-in-__copy_skb_header.patch +skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch diff --git a/queue-3.18/skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch b/queue-3.18/skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch new file mode 100644 index 00000000000..fcbbddf4eb0 --- /dev/null +++ b/queue-3.18/skbuff-unconditionally-copy-pfmemalloc-in-__skb_clone.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Jul 23 09:59:58 CEST 2018 +From: Stefano Brivio +Date: Fri, 13 Jul 2018 13:21:07 +0200 +Subject: skbuff: Unconditionally copy pfmemalloc in __skb_clone() + +From: Stefano Brivio + +[ Upstream commit e78bfb0751d4e312699106ba7efbed2bab1a53ca ] + +Commit 8b7008620b84 ("net: Don't copy pfmemalloc flag in +__copy_skb_header()") introduced a different handling for the +pfmemalloc flag in copy and clone paths. + +In __skb_clone(), now, the flag is set only if it was set in the +original skb, but not cleared if it wasn't. This is wrong and +might lead to socket buffers being flagged with pfmemalloc even +if the skb data wasn't allocated from pfmemalloc reserves. Copy +the flag instead of ORing it. + +Reported-by: Sabrina Dubroca +Fixes: 8b7008620b84 ("net: Don't copy pfmemalloc flag in __copy_skb_header()") +Signed-off-by: Stefano Brivio +Tested-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -780,8 +780,7 @@ static struct sk_buff *__skb_clone(struc + n->cloned = 1; + n->nohdr = 0; + n->peeked = 0; +- if (skb->pfmemalloc) +- n->pfmemalloc = 1; ++ C(pfmemalloc); + n->destructor = NULL; + C(tail); + C(end);