Linux v4.14.11
parent
e4f9feb252
commit
87e3972ebc
|
@ -0,0 +1 @@
|
|||
CONFIG_PAGE_TABLE_ISOLATION=y
|
|
@ -0,0 +1,132 @@
|
|||
From patchwork Wed Dec 20 15:13:31 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [cgroup/for-4.15-fixes] cgroup: fix css_task_iter crash on
|
||||
CSS_TASK_ITER_PROC
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
X-Patchwork-Id: 10125801
|
||||
Message-Id: <20171220151331.GA3413940@devbig577.frc2.facebook.com>
|
||||
To: Laura Abbott <labbott@redhat.com>
|
||||
Cc: Zefan Li <lizefan@huawei.com>, linux-kernel@vger.kernel.org,
|
||||
cgroups@vger.kernel.org, regressions@leemhuis.info,
|
||||
Bronek Kozicki <brok@incorrekt.com>, George Amanakis <gamanakis@gmail.com>
|
||||
Date: Wed, 20 Dec 2017 07:13:31 -0800
|
||||
|
||||
Hello,
|
||||
|
||||
Applied the following to cgroup/for-4.15-fixes. Will push out to
|
||||
linus later this week. I could reproduce the problem reliably and am
|
||||
pretty sure this is the right fix but I'd greatly appreciate if you
|
||||
guys can confirm the fix too.
|
||||
|
||||
Thank you very much.
|
||||
|
||||
------ 8< ------
|
||||
>From 74d0833c659a8a54735e5efdd44f4b225af68586 Mon Sep 17 00:00:00 2001
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Wed, 20 Dec 2017 07:09:19 -0800
|
||||
|
||||
While teaching css_task_iter to handle skipping over tasks which
|
||||
aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
|
||||
css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
|
||||
silly bug.
|
||||
|
||||
CSS_TASK_ITER_PROCS is implemented by repeating
|
||||
css_task_iter_advance() while the advanced cursor is pointing to a
|
||||
non-leader thread. However, the cursor variable, @l, wasn't updated
|
||||
when the iteration has to advance to the next css_set and the
|
||||
following repetition would operate on the terminal @l from the
|
||||
previous iteration which isn't pointing to a valid task leading to
|
||||
oopses like the following or infinite looping.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
|
||||
IP: __task_pid_nr_ns+0xc7/0xf0
|
||||
PGD 0 P4D 0
|
||||
Oops: 0000 [#1] SMP
|
||||
...
|
||||
CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
|
||||
Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
|
||||
task: ffff88c4baee8000 task.stack: ffff96d5c3158000
|
||||
RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
|
||||
RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
|
||||
RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
|
||||
RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
|
||||
RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
|
||||
R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
|
||||
R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
|
||||
FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
|
||||
Call Trace:
|
||||
cgroup_procs_show+0x19/0x30
|
||||
cgroup_seqfile_show+0x4c/0xb0
|
||||
kernfs_seq_show+0x21/0x30
|
||||
seq_read+0x2ec/0x3f0
|
||||
kernfs_fop_read+0x134/0x180
|
||||
__vfs_read+0x37/0x160
|
||||
? security_file_permission+0x9b/0xc0
|
||||
vfs_read+0x8e/0x130
|
||||
SyS_read+0x55/0xc0
|
||||
entry_SYSCALL_64_fastpath+0x1a/0xa5
|
||||
RIP: 0033:0x7f94455f942d
|
||||
RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
|
||||
RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
|
||||
RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
|
||||
RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
|
||||
R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
|
||||
R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
|
||||
Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
|
||||
RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
|
||||
|
||||
Fix it by moving the initialization of the cursor below the repeat
|
||||
label. While at it, rename it to @next for readability.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
|
||||
Cc: stable@vger.kernel.org # v4.14+
|
||||
Reported-by: Laura Abbott <labbott@redhat.com>
|
||||
Reported-by: Bronek Kozicki <brok@incorrekt.com>
|
||||
Reported-by: George Amanakis <gamanakis@gmail.com>
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
---
|
||||
kernel/cgroup/cgroup.c | 14 ++++++--------
|
||||
1 file changed, 6 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
|
||||
index f4c2f8c..2cf06c2 100644
|
||||
--- a/kernel/cgroup/cgroup.c
|
||||
+++ b/kernel/cgroup/cgroup.c
|
||||
@@ -4125,26 +4125,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
|
||||
|
||||
static void css_task_iter_advance(struct css_task_iter *it)
|
||||
{
|
||||
- struct list_head *l = it->task_pos;
|
||||
+ struct list_head *next;
|
||||
|
||||
lockdep_assert_held(&css_set_lock);
|
||||
- WARN_ON_ONCE(!l);
|
||||
-
|
||||
repeat:
|
||||
/*
|
||||
* Advance iterator to find next entry. cset->tasks is consumed
|
||||
* first and then ->mg_tasks. After ->mg_tasks, we move onto the
|
||||
* next cset.
|
||||
*/
|
||||
- l = l->next;
|
||||
+ next = it->task_pos->next;
|
||||
|
||||
- if (l == it->tasks_head)
|
||||
- l = it->mg_tasks_head->next;
|
||||
+ if (next == it->tasks_head)
|
||||
+ next = it->mg_tasks_head->next;
|
||||
|
||||
- if (l == it->mg_tasks_head)
|
||||
+ if (next == it->mg_tasks_head)
|
||||
css_task_iter_advance_css_set(it);
|
||||
else
|
||||
- it->task_pos = l;
|
||||
+ it->task_pos = next;
|
||||
|
||||
/* if PROCS, skip over tasks which aren't group leaders */
|
||||
if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
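Review bot: The `WARN_ON_ONCE(!l)` sanity check is dropped together with the old cursor and nothing replaces it, so a NULL `it->task_pos` on entry now faults at `next = it->task_pos->next;` with no diagnostic ahead of the oops. The visible start of the PROCS test at the end of the section already guards on `it->task_pos`, so the exposure is confined to the first pass, but the check was free and worth keeping as `WARN_ON_ONCE(!it->task_pos);` directly after `lockdep_assert_held(&css_set_lock);`. Since this file is a carried copy of an upstream commit, that belongs in a follow-up upstream rather than a local edit of the patch. The tail of css_task_iter_advance, including the `goto repeat` condition, runs past the end of this section.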
|
|
@ -3824,6 +3824,7 @@ CONFIG_PACKET=y
|
|||
# CONFIG_PAGE_EXTENSION is not set
|
||||
# CONFIG_PAGE_OWNER is not set
|
||||
# CONFIG_PAGE_POISONING is not set
|
||||
CONFIG_PAGE_TABLE_ISOLATION=y
|
||||
CONFIG_PANASONIC_LAPTOP=m
|
||||
# CONFIG_PANEL is not set
|
||||
# CONFIG_PANIC_ON_OOPS is not set
|
||||
|
|
|
@ -3804,6 +3804,7 @@ CONFIG_PACKET=y
|
|||
# CONFIG_PAGE_EXTENSION is not set
|
||||
# CONFIG_PAGE_OWNER is not set
|
||||
# CONFIG_PAGE_POISONING is not set
|
||||
CONFIG_PAGE_TABLE_ISOLATION=y
|
||||
CONFIG_PANASONIC_LAPTOP=m
|
||||
# CONFIG_PANEL is not set
|
||||
# CONFIG_PANIC_ON_OOPS is not set
|
||||
|
|
15
kernel.spec
15
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 10
|
||||
%define stable_update 11
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -616,10 +616,6 @@ Patch335: arm-exynos-fix-usb3.patch
|
|||
# rbhz 1519591 1520764
|
||||
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# CVE-2017-17449
|
||||
# rhbz 1525762 1525763
|
||||
Patch503: netlink-Add-netns-check-on-taps.patch
|
||||
|
||||
# CVE-2017-17450
|
||||
# rhbz 1525761 1525764
|
||||
Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
|
||||
|
@ -656,12 +652,12 @@ Patch627: qxl-fixes.patch
|
|||
# rhbz 1462175
|
||||
Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
|
||||
|
||||
# CVE-2017-17712 rhbz 1526427 1526933
|
||||
Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
|
||||
|
||||
# CVE-2017-17741 rhbz 1527112 1527113
|
||||
Patch630: v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
|
||||
|
||||
Patch631: cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
|
||||
Patch632: x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2237,6 +2233,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jan 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.11-200
|
||||
- Linux v4.14.11
|
||||
|
||||
* Mon Jan 01 2018 Laura Abbott <labbott@redhat.com> - 4.14.10-200
|
||||
- Linux v4.14.10
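Review bot: The changelog entry `- Linux v4.14.11` records only the version bump, while this section also removes the Patch503 (CVE-2017-17449) and Patch629 (CVE-2017-17712) entries, whose patch files are deleted further down, and adds Patch631 and Patch632 with no `# rhbz`/`# CVE` comment line of the kind every neighbouring entry carries. Presumably the two CVE backports are dropped because they landed in the 4.14.11 stable update, but nothing in the commit says so, and someone auditing this build's CVE coverage has to diff the patch list to find out. Suggest extending the entry with `- Drop CVE-2017-17449 and CVE-2017-17712 patches now in stable` and `- Add cgroup css_task_iter crash fix, do not enable PTI on AMD`, and a one-line comment above Patch632 naming the upstream subject and the reason it is carried.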
|
||||
|
||||
|
|
|
@ -1,81 +0,0 @@
|
|||
From patchwork Sun Dec 10 03:50:58 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: net: ipv4: fix for a race condition in raw_sendmsg
|
||||
X-Patchwork-Submitter: simo.ghannam@gmail.com
|
||||
X-Patchwork-Id: 846641
|
||||
X-Patchwork-Delegate: davem@davemloft.net
|
||||
Message-Id: <5a2caf2e.4ce61c0a.5017a.575f@mx.google.com>
|
||||
To: netdev@vger.kernel.org
|
||||
Cc: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Sun, 10 Dec 2017 03:50:58 +0000
|
||||
From: simo.ghannam@gmail.com
|
||||
List-Id: <netdev.vger.kernel.org>
|
||||
|
||||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
|
||||
inet->hdrincl is racy, and could lead to uninitialized stack pointer
|
||||
usage, so its value should be read only once.
|
||||
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
||||
---
|
||||
net/ipv4/raw.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
|
||||
index 33b70bfd1122..125c1eab3eaa 100644
|
||||
--- a/net/ipv4/raw.c
|
||||
+++ b/net/ipv4/raw.c
|
||||
@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
|
||||
int err;
|
||||
struct ip_options_data opt_copy;
|
||||
struct raw_frag_vec rfv;
|
||||
+ int hdrincl;
|
||||
|
||||
err = -EMSGSIZE;
|
||||
if (len > 0xFFFF)
|
||||
goto out;
|
||||
|
||||
+ /* hdrincl should be READ_ONCE(inet->hdrincl)
|
||||
+ * but READ_ONCE() doesn't work with bit fields
|
||||
+ */
|
||||
+ hdrincl = inet->hdrincl;
|
||||
/*
|
||||
* Check the flags.
|
||||
*/
|
||||
@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
|
||||
/* Linux does not mangle headers on raw sockets,
|
||||
* so that IP options + IP_HDRINCL is non-sense.
|
||||
*/
|
||||
- if (inet->hdrincl)
|
||||
+ if (hdrincl)
|
||||
goto done;
|
||||
if (ipc.opt->opt.srr) {
|
||||
if (!daddr)
|
||||
@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
|
||||
|
||||
flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
|
||||
RT_SCOPE_UNIVERSE,
|
||||
- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
|
||||
+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
|
||||
inet_sk_flowi_flags(sk) |
|
||||
- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
|
||||
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
|
||||
daddr, saddr, 0, 0, sk->sk_uid);
|
||||
|
||||
- if (!inet->hdrincl) {
|
||||
+ if (!hdrincl) {
|
||||
rfv.msg = msg;
|
||||
rfv.hlen = 0;
|
||||
|
||||
@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
|
||||
goto do_confirm;
|
||||
back_from_confirm:
|
||||
|
||||
- if (inet->hdrincl)
|
||||
+ if (hdrincl)
|
||||
err = raw_send_hdrinc(sk, &fl4, msg, len,
|
||||
&rt, msg->msg_flags, &ipc.sockc);
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 5af86b090e2f17b97c02d0bf9098f6edc3195935 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Wed, 6 Dec 2017 12:12:27 -0800
|
||||
Subject: [PATCH] netlink: Add netns check on taps
|
||||
|
||||
Currently, a nlmon link inside a child namespace can observe systemwide
|
||||
netlink activity. Filter the traffic so that nlmon can only sniff
|
||||
netlink messages from its own netns.
|
||||
|
||||
Test case:
|
||||
|
||||
vpnns -- bash -c "ip link add nlmon0 type nlmon; \
|
||||
ip link set nlmon0 up; \
|
||||
tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
|
||||
sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
|
||||
spi 0x1 mode transport \
|
||||
auth sha1 0x6162633132330000000000000000000000000000 \
|
||||
enc aes 0x00000000000000000000000000000000
|
||||
grep --binary abc123 /tmp/nlmon.pcap
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
---
|
||||
net/netlink/af_netlink.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
|
||||
index 15c99dfa3d72..aac9d68b4636 100644
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
|
||||
struct sock *sk = skb->sk;
|
||||
int ret = -ENOMEM;
|
||||
|
||||
+ if (!net_eq(dev_net(dev), sock_net(sk)))
|
||||
+ return 0;
|
||||
+
|
||||
dev_hold(dev);
|
||||
|
||||
if (is_vmalloc_addr(skb->head))
|
||||
--
|
||||
2.14.3
|
||||
|
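--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14.10.xz) = 93b642201235c78ef6c8253ef6338a82f6c38e5b6741c7ec06c3dde84433683809c56fe30aab0117607ab09d3367d1dafbbc81af3353f267676357bf72cd7280
+SHA512 (patch-4.14.11.xz) = 3fbaf02eb236d7490eb65e64b841fc43bd3abbbf97deef79b7457faf8005ef7f2cbaf5c4a8c3b2d22998f5197a5a98b6fef717ed60a34ff666fa7eaf8376118d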
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
From patchwork Wed Dec 27 05:43:54 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: x86/cpu, x86/pti: Do not enable PTI on AMD processors
|
||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
X-Patchwork-Id: 10133447
|
||||
Message-Id: <20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net>
|
||||
To: x86@kernel.org
|
||||
Cc: Dave Hansen <dave.hansen@linux.intel.com>,
|
||||
linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
|
||||
Andy Lutomirski <luto@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
|
||||
Thomas Gleixner <tglx@linutronix.de>, Borislav Petkov <bp@suse.de>
|
||||
Date: Tue, 26 Dec 2017 23:43:54 -0600
|
||||
|
||||
AMD processors are not subject to the types of attacks that the kernel
|
||||
page table isolation feature protects against. The AMD microarchitecture
|
||||
does not allow memory references, including speculative references, that
|
||||
access higher privileged data when running in a lesser privileged mode
|
||||
when that access would result in a page fault.
|
||||
|
||||
Disable page table isolation by default on AMD processors by not setting
|
||||
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
|
||||
is set.
|
||||
|
||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
||||
---
|
||||
arch/x86/kernel/cpu/common.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
|
||||
index c47de4e..7d9e3b0 100644
|
||||
--- a/arch/x86/kernel/cpu/common.c
|
||||
+++ b/arch/x86/kernel/cpu/common.c
|
||||
@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
|
||||
|
||||
setup_force_cpu_cap(X86_FEATURE_ALWAYS);
|
||||
|
||||
- /* Assume for now that ALL x86 CPUs are insecure */
|
||||
- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
|
||||
+ if (c->x86_vendor != X86_VENDOR_AMD)
|
||||
+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
|
||||
|
||||
fpu__init_system(c);
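Review bot: The removed comment (`Assume for now that ALL x86 CPUs are insecure`) documented the default, but the new `if (c->x86_vendor != X86_VENDOR_AMD)` carries no comment, so the reason a single vendor is exempted from X86_BUG_CPU_INSECURE now lives only in the commit message. Suggest a comment above the test such as `/* AMD states its cores never speculatively access data the current privilege level may not read, so PTI is not needed there; all other vendors are assumed affected until shown otherwise. */`. Note also that the exemption keys purely on the CPUID vendor, so a guest whose hypervisor reports an AMD vendor while running on affected hardware would skip the bug flag and hence X86_FEATURE_PTI; whether this tree offers a command-line override to force isolation in that case is not visible here. A per-model allowlist rather than a blanket vendor test would be easier to extend as further unaffected CPUs are identified.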
|
||||
|