1
0
mirror of https://aur.archlinux.org/linux-vfio.git synced 2024-12-26 04:24:09 +00:00

Update to 4.14.9-1

This commit is contained in:
Mark Weiman 2017-12-29 18:27:48 -05:00
parent 6d8ebed3be
commit ce596bb49b
5 changed files with 263 additions and 9 deletions

View File

@ -1,7 +1,7 @@
# Generated by mksrcinfo v8
# Sat Dec 23 16:38:20 UTC 2017
# Fri Dec 29 23:27:38 UTC 2017
pkgbase = linux-vfio
pkgver = 4.14.8
pkgver = 4.14.9
pkgrel = 1
url = http://www.kernel.org/
arch = x86_64
@ -15,8 +15,8 @@ pkgbase = linux-vfio
options = !strip
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.8.xz
source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.8.sign
source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.9.xz
source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.9.sign
source = config
source = 60-linux.hook
source = 90-linux.hook
@ -26,9 +26,12 @@ pkgbase = linux-vfio
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
source = 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
source = 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
source = 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
source = 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
source = 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
sha256sums = SKIP
sha256sums = 42eaed731b716244514b765c199e8f675d79287d7630e5c2911053ad52a1fa0a
sha256sums = 5edc955bb67b04c7ed426b1df17a3e322e32ad9fdda9c6abb53ab6eca7faf704
sha256sums = SKIP
sha256sums = bfde21c325d39013463c38e9fa23d6d6481238b8509eea4ae38906127017e47d
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
@ -39,6 +42,9 @@ pkgbase = linux-vfio
sha256sums = 37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85
sha256sums = c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3
sha256sums = 1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2
sha256sums = ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32
sha256sums = 64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00
sha256sums = 3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb
pkgname = linux-vfio
pkgdesc = The Linux-vfio kernel and modules

View File

@ -0,0 +1,72 @@
From b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4 Mon Sep 17 00:00:00 2001
Message-Id: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 15 Nov 2017 06:40:57 +0100
Subject: [PATCH 1/3] Revert "xfrm: Fix stack-out-of-bounds read in
xfrm_state_find."
This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
This commit breaks transport mode when the policy template
has widlcard addresses configured, so revert it.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6eb228a70131069b..a2e531bf4f976308 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1361,29 +1361,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
struct net *net = xp_net(policy);
int nx;
int i, error;
+ xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
+ xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
xfrm_address_t tmp;
for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
struct xfrm_state *x;
- xfrm_address_t *local;
- xfrm_address_t *remote;
+ xfrm_address_t *remote = daddr;
+ xfrm_address_t *local = saddr;
struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
- remote = &tmpl->id.daddr;
- local = &tmpl->saddr;
- if (xfrm_addr_any(local, tmpl->encap_family)) {
- error = xfrm_get_saddr(net, fl->flowi_oif,
- &tmp, remote,
- tmpl->encap_family, 0);
- if (error)
- goto fail;
- local = &tmp;
+ if (tmpl->mode == XFRM_MODE_TUNNEL ||
+ tmpl->mode == XFRM_MODE_BEET) {
+ remote = &tmpl->id.daddr;
+ local = &tmpl->saddr;
+ if (xfrm_addr_any(local, tmpl->encap_family)) {
+ error = xfrm_get_saddr(net, fl->flowi_oif,
+ &tmp, remote,
+ tmpl->encap_family, 0);
+ if (error)
+ goto fail;
+ local = &tmp;
+ }
}
x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
if (x && x->km.state == XFRM_STATE_VALID) {
xfrm[nx++] = x;
+ daddr = remote;
+ saddr = local;
continue;
}
if (x) {
--
2.15.1

View File

@ -0,0 +1,49 @@
From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001
Message-Id: <1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steffens@gmail.com>
In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Fri, 22 Dec 2017 10:44:57 +0100
Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy
lookup.
When we do tunnel or beet mode, we pass saddr and daddr from the
template to xfrm_state_find(), this is ok. On transport mode,
we pass the addresses from the flowi, assuming that the IP
addresses (and address family) don't change during transformation.
This assumption is wrong in the IPv4 mapped IPv6 case, packet
is IPv4 and template is IPv6.
Fix this by catching address family missmatches of the policy
and the flow already before we do the lookup.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a2e531bf4f976308..c79ed3bed5d4dc2f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
again:
pol = rcu_dereference(sk->sk_policy[dir]);
if (pol != NULL) {
- bool match = xfrm_selector_match(&pol->selector, fl, family);
+ bool match;
int err = 0;
+ if (pol->family != family) {
+ pol = NULL;
+ goto out;
+ }
+
+ match = xfrm_selector_match(&pol->selector, fl, family);
if (match) {
if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
pol = NULL;
--
2.15.1

View File

@ -0,0 +1,114 @@
From a3c64fe9d978f3ee8f21fac5b410c63fe7cce725 Mon Sep 17 00:00:00 2001
Message-Id: <a3c64fe9d978f3ee8f21fac5b410c63fe7cce725.1514245012.git.jan.steffens@gmail.com>
In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
From: Tejun Heo <tj@kernel.org>
Date: Wed, 20 Dec 2017 07:09:19 -0800
Subject: [PATCH 3/3] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
While teaching css_task_iter to handle skipping over tasks which
aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
silly bug.
CSS_TASK_ITER_PROCS is implemented by repeating
css_task_iter_advance() while the advanced cursor is pointing to a
non-leader thread. However, the cursor variable, @l, wasn't updated
when the iteration has to advance to the next css_set and the
following repetition would operate on the terminal @l from the
previous iteration which isn't pointing to a valid task leading to
oopses like the following or infinite looping.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
IP: __task_pid_nr_ns+0xc7/0xf0
PGD 0 P4D 0
Oops: 0000 [#1] SMP
...
CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
task: ffff88c4baee8000 task.stack: ffff96d5c3158000
RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
Call Trace:
cgroup_procs_show+0x19/0x30
cgroup_seqfile_show+0x4c/0xb0
kernfs_seq_show+0x21/0x30
seq_read+0x2ec/0x3f0
kernfs_fop_read+0x134/0x180
__vfs_read+0x37/0x160
? security_file_permission+0x9b/0xc0
vfs_read+0x8e/0x130
SyS_read+0x55/0xc0
entry_SYSCALL_64_fastpath+0x1a/0xa5
RIP: 0033:0x7f94455f942d
RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
Fix it by moving the initialization of the cursor below the repeat
label. While at it, rename it to @next for readability.
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
Cc: stable@vger.kernel.org # v4.14+
Reported-by: Laura Abbott <labbott@redhat.com>
Reported-by: Bronek Kozicki <brok@incorrekt.com>
Reported-by: George Amanakis <gamanakis@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
---
kernel/cgroup/cgroup.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 44857278eb8aa6a2..030e4286f14c715e 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -4059,26 +4059,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
static void css_task_iter_advance(struct css_task_iter *it)
{
- struct list_head *l = it->task_pos;
+ struct list_head *next;
lockdep_assert_held(&css_set_lock);
- WARN_ON_ONCE(!l);
-
repeat:
/*
* Advance iterator to find next entry. cset->tasks is consumed
* first and then ->mg_tasks. After ->mg_tasks, we move onto the
* next cset.
*/
- l = l->next;
+ next = it->task_pos->next;
- if (l == it->tasks_head)
- l = it->mg_tasks_head->next;
+ if (next == it->tasks_head)
+ next = it->mg_tasks_head->next;
- if (l == it->mg_tasks_head)
+ if (next == it->mg_tasks_head)
css_task_iter_advance_css_set(it);
else
- it->task_pos = l;
+ it->task_pos = next;
/* if PROCS, skip over tasks which aren't group leaders */
if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
--
2.15.1

View File

@ -3,7 +3,7 @@
pkgbase=linux-vfio
_srcname=linux-4.14
pkgver=4.14.8
pkgver=4.14.9
pkgrel=1
arch=('x86_64')
url="http://www.kernel.org/"
@ -27,10 +27,13 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
'i915-vga-arbiter.patch'
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch)
0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
'42eaed731b716244514b765c199e8f675d79287d7630e5c2911053ad52a1fa0a'
'5edc955bb67b04c7ed426b1df17a3e322e32ad9fdda9c6abb53ab6eca7faf704'
'SKIP'
'bfde21c325d39013463c38e9fa23d6d6481238b8509eea4ae38906127017e47d'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
@ -40,7 +43,10 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'eaf70cd805cdb43cf6227d354a6d54f67645b6df99e06136a8055d7494d7439c'
'37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
'1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2')
'1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32'
'64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00'
'3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@ -68,6 +74,13 @@ prepare() {
# https://nvd.nist.gov/vuln/detail/CVE-2017-8824
patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
# https://bugs.archlinux.org/task/56605
patch -Np1 -i ../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
patch -Np1 -i ../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
# https://bugs.archlinux.org/task/56846
patch -Np1 -i ../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
# patches for vga arbiter fix in intel systems
patch -p1 -i "${srcdir}/i915-vga-arbiter.patch"