--- /dev/null
+From b050e3769c6b4013bb937e879fc43bf1847ee819 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Wed, 15 Nov 2017 17:38:30 -0800
+Subject: mm, page_alloc: fix potential false positive in __zone_watermark_ok
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit b050e3769c6b4013bb937e879fc43bf1847ee819 upstream.
+
+Since commit 97a16fc82a7c ("mm, page_alloc: only enforce watermarks for
+order-0 allocations"), __zone_watermark_ok() check for high-order
+allocations will shortcut per-migratetype free list checks for
+ALLOC_HARDER allocations, and return true as long as there's free page
+of any migratetype. The intention is that ALLOC_HARDER can allocate
+from MIGRATE_HIGHATOMIC free lists, while normal allocations can't.
+
+However, as a side effect, the watermark check will then also return
+true when there are pages only on the MIGRATE_ISOLATE list, or (prior to
+CMA conversion to ZONE_MOVABLE) on the MIGRATE_CMA list. Since the
+allocation cannot actually obtain isolated pages, and might not be able
+to obtain CMA pages, this can result in a false positive.
+
+The condition should be rare and perhaps the outcome is not a fatal one.
+Still, it's better if the watermark check is correct. There also
+shouldn't be a performance tradeoff here.
+
+Link: http://lkml.kernel.org/r/20171102125001.23708-1-vbabka@suse.cz
+Fixes: 97a16fc82a7c ("mm, page_alloc: only enforce watermarks for order-0 allocations")
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3011,9 +3011,6 @@ bool __zone_watermark_ok(struct zone *z,
+ if (!area->nr_free)
+ continue;
+
+- if (alloc_harder)
+- return true;
+-
+ for (mt = 0; mt < MIGRATE_PCPTYPES; mt++) {
+ if (!list_empty(&area->free_list[mt]))
+ return true;
+@@ -3025,6 +3022,9 @@ bool __zone_watermark_ok(struct zone *z,
+ return true;
+ }
+ #endif
++ if (alloc_harder &&
++ !list_empty(&area->free_list[MIGRATE_HIGHATOMIC]))
++ return true;
+ }
+ return false;
+ }
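Review bot: The relocated ALLOC_HARDER test in the three added lines before the closing brace carries no comment explaining why it now runs after the per-migratetype and CMA checks instead of short-circuiting them, which is the whole point of the fix; a later cleanup could easily hoist it back to the top of the loop body. Suggest placing `/* ALLOC_HARDER may also use MIGRATE_HIGHATOMIC, but never MIGRATE_ISOLATE (or CMA), so test that list explicitly instead of accepting any free page */` directly above `if (alloc_harder &&`. The order loop and __zone_watermark_ok itself begin outside this hunk; the patch's first hunk, which drops the old unconditional shortcut, is consistent with the new placement.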
--- /dev/null
+From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
+
+From: Kevin Cernekee <cernekee@chromium.org>
+
+commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ $ nfct helper list
+ nfct v1.4.4: netlink error: Operation not permitted
+ $ vpnns -- nfct helper list
+ {
+ .name = ftp,
+ .queuenum = 0,
+ .l3protonum = 2,
+ .l4protonum = 6,
+ .priv_data_len = 24,
+ .status = enabled,
+ };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net
+ struct nfnl_cthelper *nlcth;
+ int ret = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net
+ struct nfnl_cthelper *nlcth;
+ bool tuple_set = false;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_cthelper_dump_table,
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net
+ struct nfnl_cthelper *nlcth, *n;
+ int j = 0, ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+
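Review bot: The three added `capable(CAP_NET_ADMIN)` checks in nfnl_cthelper_new, nfnl_cthelper_get and nfnl_cthelper_del carry no comment saying why the init-namespace `capable()` is needed on top of the netlink_net_capable() check that nfnetlink_rcv() already performs; the next reader may "fix" them to ns_capable() and reopen the namespace bypass described in the commit message. Suggest one line above each check: `/* nfnl_cthelper_list is global, not per-netns: require CAP_NET_ADMIN in init_user_ns */`. Placing the check in nfnl_cthelper_get ahead of the NLM_F_DUMP branch correctly gates the dump path too. All three enclosing functions begin before their hunks, and the same rationale comment applies to the xt_osf patch in this series.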
--- /dev/null
+From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: netfilter: xt_osf: Add missing permission checks
+
+From: Kevin Cernekee <cernekee@chromium.org>
+
+commit 916a27901de01446bcf57ecca4783f6cff493309 upstream.
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ vpnns -- nfnl_osf -f /tmp/pf.os
+
+ vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list. Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne
+ struct xt_osf_finger *kf = NULL, *sf;
+ int err = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct
+ struct xt_osf_finger *sf;
+ int err = -ENOENT;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
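Review bot: The new `#include <linux/capability.h>` is inserted after the blank line that separates module.h/kernel.h from the networking headers, rather than into the first group with the other core `<linux/...>` headers as the companion nfnetlink_cthelper patch in this series does; keeping the two patches consistent makes them easier to compare on later backports. The two `capable(CAP_NET_ADMIN)` checks in xt_osf_add_callback and xt_osf_remove_callback would also benefit from the one-line rationale suggested for nfnetlink_cthelper, adapted to this file: `/* xt_osf_fingers is global, not per-netns: require CAP_NET_ADMIN in init_user_ns */`. Both callbacks begin outside their hunks.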
orangefs-use-list_for_each_entry_safe-in-purge_waiting_ops.patch
orangefs-initialize-op-on-loop-restart-in-orangefs_devreq_read.patch
+mm-page_alloc-fix-potential-false-positive-in-__zone_watermark_ok.patch
+netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch
+netfilter-xt_osf-add-missing-permission-checks.patch