From: Greg Kroah-Hartman Date: Tue, 1 Mar 2016 23:09:21 +0000 (-0800) Subject: 4.4-stable patches X-Git-Tag: v3.10.99~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7ae60790e8ef04f4950555772954b4a2b96b5c7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ib-cma-fix-rdma-port-validation-for-iwarp.patch security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch
---
diff --git a/queue-4.4/ib-cma-fix-rdma-port-validation-for-iwarp.patch b/queue-4.4/ib-cma-fix-rdma-port-validation-for-iwarp.patch
new file mode 100644
index 00000000000..adbc131abd4
--- /dev/null
+++ b/queue-4.4/ib-cma-fix-rdma-port-validation-for-iwarp.patch
@@ -0,0 +1,41 @@
+From 649367735ee5dedb128d9fac0b86ba7e0fe7ae3b Mon Sep 17 00:00:00 2001
+From: Matan Barak
+Date: Thu, 7 Jan 2016 11:19:29 +0200
+Subject: IB/cma: Fix RDMA port validation for iWarp
+
+From: Matan Barak
+
+commit 649367735ee5dedb128d9fac0b86ba7e0fe7ae3b upstream.
+
+cma_validate_port wrongly assumed that Ethernet devices are RoCE
+devices and thus their ndev should be matched in the GID table.
+This broke the iWarp support. Fixing that matching the ndev only if
+we work on a RoCE port.
+
+Cc: # 4.4.x-
+Fixes: abae1b71dd37 ('IB/cma: cma_validate_port should verify the port
+ and netdevice')
+Reported-by: Hariprasad Shenai
+Tested-by: Hariprasad Shenai
+Signed-off-by: Matan Barak
+Reviewed-by: Steve Wise
+Signed-off-by: Doug Ledford
+Signed-off-by: Steve Wise
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/infiniband/core/cma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -453,7 +453,7 @@ static inline int cma_validate_port(stru
+ if ((dev_type != ARPHRD_INFINIBAND) && rdma_protocol_ib(device, port))
+ return ret;
+
+- if (dev_type == ARPHRD_ETHER)
++ if (dev_type == ARPHRD_ETHER && rdma_protocol_roce(device, port))
+ ndev = dev_get_by_index(&init_net, bound_if_index);
+
+ ret = ib_find_cached_gid_by_port(device, gid, port, ndev, NULL);
diff --git a/queue-4.4/security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch b/queue-4.4/security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch
new file mode 100644
index 00000000000..e8153b91586
--- /dev/null
+++ b/queue-4.4/security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch
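Review bot: In the cma.c hunk the result of `dev_get_by_index(&init_net, bound_if_index)` is still not checked, so on a RoCE port a failed lookup leaves `ndev` NULL and `ib_find_cached_gid_by_port()` is called the same way it now is for iWarp, presumably matching the GID without the netdevice binding that the `Fixes:` commit set out to enforce. Bracing the branch and failing closed would keep the validation meaningful: `if (!ndev) return ret;` directly after the lookup, assuming `ret` still holds the error value used by the earlier `return ret;`. The lookup is also pinned to `&init_net`, so an interface index that belongs to another network namespace would take the same path. cma_validate_port() starts and ends outside the hunk, including whatever releases the reference taken by dev_get_by_index(), so this needs confirming against the full function.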
@@ -0,0 +1,73 @@
+From 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 20 Jan 2016 15:00:01 -0800
+Subject: security: let security modules use PTRACE_MODE_* with bitmasks
+
+From: Jann Horn
+
+commit 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 upstream.
+
+It looks like smack and yama weren't aware that the ptrace mode
+can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
+only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
+all modes have flags ORed into them.
+
+Signed-off-by: Jann Horn
+Acked-by: Kees Cook
+Acked-by: Casey Schaufler
+Cc: Oleg Nesterov
+Cc: Ingo Molnar
+Cc: James Morris
+Cc: "Serge E. Hallyn"
+Cc: Andy Shevchenko
+Cc: Andy Lutomirski
+Cc: Al Viro
+Cc: "Eric W. Biederman"
+Cc: Willy Tarreau
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smack_lsm.c | 8 +++-----
+ security/yama/yama_lsm.c | 4 ++--
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -398,12 +398,10 @@ static int smk_copy_relabel(struct list_
+ */
+ static inline unsigned int smk_ptrace_mode(unsigned int mode)
+ {
+- switch (mode) {
+- case PTRACE_MODE_READ:
+- return MAY_READ;
+- case PTRACE_MODE_ATTACH:
++ if (mode & PTRACE_MODE_ATTACH)
+ return MAY_READWRITE;
+- }
++ if (mode & PTRACE_MODE_READ)
++ return MAY_READ;
+
+ return 0;
+ }
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -281,7 +281,7 @@ static int yama_ptrace_access_check(stru
+ int rc = 0;
+
+ /* require ptrace target be a child of ptracer on attach */
+- if (mode == PTRACE_MODE_ATTACH) {
++ if (mode & PTRACE_MODE_ATTACH) {
+ switch (ptrace_scope) {
+ case YAMA_SCOPE_DISABLED:
+ /* No additional restrictions. */
+@@ -307,7 +307,7 @@ static int yama_ptrace_access_check(stru
+ }
+ }
+
+- if (rc) {
++ if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) {
+ printk_ratelimited(KERN_NOTICE
+ "ptrace of pid %d was attempted by: %s (pid %d)\n",
+ child->pid, current->comm, current->pid);
diff --git a/queue-4.4/series b/queue-4.4/series
index 62569f2b43d..5a5bbda5362 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -334,3 +334,5 @@ x86-irq-remove-the-cpumask-allocation-from-send_cleanup_vector.patch
 x86-irq-remove-outgoing-cpu-from-vector-cleanup-mask.patch
 x86-irq-call-irq_force_move_complete-with-irq-descriptor.patch
 x86-irq-plug-vector-cleanup-race.patch
+ib-cma-fix-rdma-port-validation-for-iwarp.patch
+security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch
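Review bot: smk_ptrace_mode() in the smack_lsm.c hunk now relies on `mode` being a bitmask and on PTRACE_MODE_ATTACH being tested before PTRACE_MODE_READ, but nothing in the visible code records that; a short comment above the first test would keep an equality check from being reintroduced, e.g. `/* mode may carry extra flags (PTRACE_MODE_NOAUDIT, *CREDS): test the access bits, strongest first */`. The reason it matters is that a comparison which never matches does not fail loudly: the function returns 0 (how callers treat that is not visible here), and in yama_lsm.c the attach restriction block is simply skipped. In the second yama hunk the new `(mode & PTRACE_MODE_NOAUDIT) == 0` condition drops the denial message for NOAUDIT callers, which the commit description does not mention, so a one-line comment there should state that the missing log line is intentional. The kernel-doc block of smk_ptrace_mode() and most of yama_ptrace_access_check() lie outside the hunks.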