rebase patches on top of Ubuntu-4.15.0-33.36
(generated with debian/scripts/import-upstream-tag) Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
parent
b59d76e6de
commit
9464be5351
8 changed files with 6 additions and 285 deletions
|
@ -1,56 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Taglang <rob@taglang.io>
|
||||
Date: Thu, 3 May 2018 17:13:06 -0400
|
||||
Subject: [PATCH] net: ethernet: sun: niu set correct packet size in skb
|
||||
|
||||
Currently, skb->len and skb->data_len are set to the page size, not
|
||||
the packet size. This causes the frame check sequence to not be
|
||||
located at the "end" of the packet resulting in ethernet frame check
|
||||
errors. The driver does work currently, but stricter kernel facing
|
||||
networking solutions like OpenVSwitch will drop these packets as
|
||||
invalid.
|
||||
|
||||
These changes set the packet size correctly so that these errors no
|
||||
longer occur. The length does not include the frame check sequence, so
|
||||
that subtraction was removed.
|
||||
|
||||
Tested on Oracle/SUN Multithreaded 10-Gigabit Ethernet Network
|
||||
Controller [108e:abcd] and validated in wireshark.
|
||||
|
||||
Signed-off-by: Rob Taglang <rob@taglang.io>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
drivers/net/ethernet/sun/niu.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
|
||||
index 06001bacbe0f..64f1b3a3afa8 100644
|
||||
--- a/drivers/net/ethernet/sun/niu.c
|
||||
+++ b/drivers/net/ethernet/sun/niu.c
|
||||
@@ -3442,7 +3442,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
|
||||
|
||||
len = (val & RCR_ENTRY_L2_LEN) >>
|
||||
RCR_ENTRY_L2_LEN_SHIFT;
|
||||
- len -= ETH_FCS_LEN;
|
||||
+ append_size = len + ETH_HLEN + ETH_FCS_LEN;
|
||||
|
||||
addr = (val & RCR_ENTRY_PKT_BUF_ADDR) <<
|
||||
RCR_ENTRY_PKT_BUF_ADDR_SHIFT;
|
||||
@@ -3452,7 +3452,6 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
|
||||
RCR_ENTRY_PKTBUFSZ_SHIFT];
|
||||
|
||||
off = addr & ~PAGE_MASK;
|
||||
- append_size = rcr_size;
|
||||
if (num_rcr == 1) {
|
||||
int ptype;
|
||||
|
||||
@@ -3465,7 +3464,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
|
||||
else
|
||||
skb_checksum_none_assert(skb);
|
||||
} else if (!(val & RCR_ENTRY_MULTI))
|
||||
- append_size = len - skb->len;
|
||||
+ append_size = append_size - skb->len;
|
||||
|
||||
niu_rx_skb_append(skb, page, off, append_size, rcr_size);
|
||||
if ((page->index + rp->rbr_block_size) - rcr_size == addr) {
|
|
@ -1,20 +1,7 @@
|
|||
From patchwork Mon Jun 18 19:30:37 2018
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [net] net/tcp: Fix socket lookups with SO_BINDTODEVICE
|
||||
X-Patchwork-Submitter: dsahern@kernel.org
|
||||
X-Patchwork-Id: 931179
|
||||
X-Patchwork-Delegate: davem@davemloft.net
|
||||
Message-Id: <20180618193037.3365-1-dsahern@kernel.org>
|
||||
To: netdev@vger.kernel.org
|
||||
Cc: davem@davemloft.net, lberger@labn.net,
|
||||
renato@opensourcerouting.org, David Ahern <dsahern@gmail.com>
|
||||
Date: Mon, 18 Jun 2018 12:30:37 -0700
|
||||
From: dsahern@kernel.org
|
||||
List-Id: <netdev.vger.kernel.org>
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: David Ahern <dsahern@gmail.com>
|
||||
Date: Mon, 18 Jun 2018 12:30:37 -0700
|
||||
Subject: [PATCH] net/tcp: Fix socket lookups with SO_BINDTODEVICE
|
||||
|
||||
Similar to 69678bcd4d2d ("udp: fix SO_BINDTODEVICE"), TCP socket lookups
|
||||
need to fail if dev_match is not true. Currently, a packet to a given port
|
||||
|
@ -34,10 +21,10 @@ Signed-off-by: David Ahern <dsahern@gmail.com>
|
|||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
|
||||
index 31ff46daae97..3647167c8fa3 100644
|
||||
index e7d15fb0d94d..24b066c32e06 100644
|
||||
--- a/net/ipv4/inet_hashtables.c
|
||||
+++ b/net/ipv4/inet_hashtables.c
|
||||
@@ -243,9 +243,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
|
||||
@@ -188,9 +188,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
|
||||
bool dev_match = (sk->sk_bound_dev_if == dif ||
|
||||
sk->sk_bound_dev_if == sdif);
|
||||
|
||||
|
@ -50,7 +37,7 @@ index 31ff46daae97..3647167c8fa3 100644
|
|||
}
|
||||
if (sk->sk_incoming_cpu == raw_smp_processor_id())
|
||||
diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
|
||||
index 2febe26de6a1..595ad408dba0 100644
|
||||
index b01858f5deb1..6dc93ac28261 100644
|
||||
--- a/net/ipv6/inet6_hashtables.c
|
||||
+++ b/net/ipv6/inet6_hashtables.c
|
||||
@@ -113,9 +113,9 @@ static inline int compute_score(struct sock *sk, struct net *net,
|
|
@ -1,65 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Felix Wilhelm <fwilhelm@google.com>
|
||||
Date: Mon, 11 Jun 2018 09:43:44 +0200
|
||||
Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions
|
||||
|
||||
VMX instructions executed inside a L1 VM will always trigger a VM exit
|
||||
even when executed with cpl 3. This means we must perform the
|
||||
privilege check in software.
|
||||
|
||||
Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||
---
|
||||
arch/x86/kvm/vmx.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
||||
index 1a5617fc8b6a..5c8bd2d61080 100644
|
||||
--- a/arch/x86/kvm/vmx.c
|
||||
+++ b/arch/x86/kvm/vmx.c
|
||||
@@ -7575,6 +7575,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ /* CPL=0 must be checked manually. */
|
||||
+ if (vmx_get_cpl(vcpu)) {
|
||||
+ kvm_queue_exception(vcpu, UD_VECTOR);
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
if (vmx->nested.vmxon) {
|
||||
nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
|
||||
return kvm_skip_emulated_instruction(vcpu);
|
||||
@@ -7634,6 +7640,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
|
||||
*/
|
||||
static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
+ if (vmx_get_cpl(vcpu)) {
|
||||
+ kvm_queue_exception(vcpu, UD_VECTOR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (!to_vmx(vcpu)->nested.vmxon) {
|
||||
kvm_queue_exception(vcpu, UD_VECTOR);
|
||||
return 0;
|
||||
@@ -7967,7 +7978,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
|
||||
if (get_vmx_mem_address(vcpu, exit_qualification,
|
||||
vmx_instruction_info, true, &gva))
|
||||
return 1;
|
||||
- /* _system ok, as hardware has verified cpl=0 */
|
||||
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
|
||||
kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
|
||||
&field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
|
||||
}
|
||||
@@ -8110,7 +8121,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
|
||||
if (get_vmx_mem_address(vcpu, exit_qualification,
|
||||
vmx_instruction_info, true, &vmcs_gva))
|
||||
return 1;
|
||||
- /* ok to use *_system, as hardware has verified cpl=0 */
|
||||
+ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
|
||||
if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
|
||||
(void *)&to_vmx(vcpu)->nested.current_vmptr,
|
||||
sizeof(u64), &e)) {
|
|
@ -1,33 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: John Johansen <john.johansen@canonical.com>
|
||||
Date: Fri, 27 Jul 2018 14:27:05 -0700
|
||||
Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
|
||||
unix sockets
|
||||
|
||||
the apparmor policy language current does not allow expressing of the
|
||||
locking permission for no-fs unix sockets. However the kernel is
|
||||
enforcing mediation.
|
||||
|
||||
Add the AA_MAY_LOCK perm to the computed perm mask which will grant
|
||||
permission for all current abi profiles, but still allow specifying
|
||||
auditing of the operation if needed.
|
||||
|
||||
http://bugs.launchpad.net/bugs/1780227
|
||||
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
||||
---
|
||||
security/apparmor/lib.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
|
||||
index 068a9f471f77..23f3d16d6b85 100644
|
||||
--- a/security/apparmor/lib.c
|
||||
+++ b/security/apparmor/lib.c
|
||||
@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
|
||||
/* for v5 perm mapping in the policydb, the other set is used
|
||||
* to extend the general perm set
|
||||
*/
|
||||
- perms->allow |= map_other(dfa_other_allow(dfa, state));
|
||||
+ perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
|
||||
perms->audit |= map_other(dfa_other_audit(dfa, state));
|
||||
perms->quiet |= map_other(dfa_other_quiet(dfa, state));
|
||||
// perms->xindex = dfa_user_xindex(dfa, state);
|
|
@ -1,45 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Tue, 3 Jul 2018 17:10:19 -0700
|
||||
Subject: [PATCH] Fix up non-directory creation in SGID directories
|
||||
|
||||
sgid directories have special semantics, making newly created files in
|
||||
the directory belong to the group of the directory, and newly created
|
||||
subdirectories will also become sgid. This is historically used for
|
||||
group-shared directories.
|
||||
|
||||
But group directories writable by non-group members should not imply
|
||||
that such non-group members can magically join the group, so make sure
|
||||
to clear the sgid bit on non-directories for non-members (but remember
|
||||
that sgid without group execute means "mandatory locking", just to
|
||||
confuse things even more).
|
||||
|
||||
Reported-by: Jann Horn <jannh@google.com>
|
||||
Cc: Andy Lutomirski <luto@kernel.org>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
(cherry picked from commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7)
|
||||
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
|
||||
---
|
||||
fs/inode.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fs/inode.c b/fs/inode.c
|
||||
index 5c1138e9cac0..797b4cb3d20b 100644
|
||||
--- a/fs/inode.c
|
||||
+++ b/fs/inode.c
|
||||
@@ -2008,8 +2008,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
|
||||
inode->i_uid = current_fsuid();
|
||||
if (dir && dir->i_mode & S_ISGID) {
|
||||
inode->i_gid = dir->i_gid;
|
||||
+
|
||||
+ /* Directories are special, and always inherit S_ISGID */
|
||||
if (S_ISDIR(mode))
|
||||
mode |= S_ISGID;
|
||||
+ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
|
||||
+ !in_group_p(inode->i_gid) &&
|
||||
+ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
|
||||
+ mode &= ~S_ISGID;
|
||||
} else
|
||||
inode->i_gid = current_fsgid();
|
||||
inode->i_mode = mode;
|
|
@ -1,67 +0,0 @@
|
|||
From patchwork Wed May 9 10:42:34 2018
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [net] udp: fix SO_BINDTODEVICE
|
||||
X-Patchwork-Submitter: Paolo Abeni <pabeni@redhat.com>
|
||||
X-Patchwork-Id: 910747
|
||||
X-Patchwork-Delegate: davem@davemloft.net
|
||||
Message-Id: <9445dd5d149af16463df4d0502b2667ee2b6f4e8.1525862461.git.pabeni@redhat.com>
|
||||
To: netdev@vger.kernel.org
|
||||
Cc: Damir Mansurov <dnman@oktetlabs.ru>, David Ahern <dsahern@gmail.com>,
|
||||
David Miller <davem@davemloft.net>
|
||||
Date: Wed, 9 May 2018 12:42:34 +0200
|
||||
From: Paolo Abeni <pabeni@redhat.com>
|
||||
List-Id: <netdev.vger.kernel.org>
|
||||
|
||||
Damir reported a breakage of SO_BINDTODEVICE for UDP sockets.
|
||||
In absence of VRF devices, after commit fb74c27735f0 ("net:
|
||||
ipv4: add second dif to udp socket lookups") the dif mismatch
|
||||
isn't fatal anymore for UDP socket lookup with non null
|
||||
sk_bound_dev_if, breaking SO_BINDTODEVICE semantics.
|
||||
|
||||
This changeset addresses the issue making the dif match mandatory
|
||||
again in the above scenario.
|
||||
|
||||
Reported-by: Damir Mansurov <dnman@oktetlabs.ru>
|
||||
Fixes: fb74c27735f0 ("net: ipv4: add second dif to udp socket lookups")
|
||||
Fixes: 1801b570dd2a ("net: ipv6: add second dif to udp socket lookups")
|
||||
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
||||
Acked-by: David Ahern <dsahern@gmail.com>
|
||||
---
|
||||
net/ipv4/udp.c | 4 ++--
|
||||
net/ipv6/udp.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
|
||||
index 24b5c59b1c53..c2a292dfd137 100644
|
||||
--- a/net/ipv4/udp.c
|
||||
+++ b/net/ipv4/udp.c
|
||||
@@ -401,9 +401,9 @@ static int compute_score(struct sock *sk, struct net *net,
|
||||
bool dev_match = (sk->sk_bound_dev_if == dif ||
|
||||
sk->sk_bound_dev_if == sdif);
|
||||
|
||||
- if (exact_dif && !dev_match)
|
||||
+ if (!dev_match)
|
||||
return -1;
|
||||
- if (sk->sk_bound_dev_if && dev_match)
|
||||
+ if (sk->sk_bound_dev_if)
|
||||
score += 4;
|
||||
}
|
||||
|
||||
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
|
||||
index 4ec76a87aeb8..ea0730028e5d 100644
|
||||
--- a/net/ipv6/udp.c
|
||||
+++ b/net/ipv6/udp.c
|
||||
@@ -148,9 +148,9 @@ static int compute_score(struct sock *sk, struct net *net,
|
||||
bool dev_match = (sk->sk_bound_dev_if == dif ||
|
||||
sk->sk_bound_dev_if == sdif);
|
||||
|
||||
- if (exact_dif && !dev_match)
|
||||
+ if (!dev_match)
|
||||
return -1;
|
||||
- if (sk->sk_bound_dev_if && dev_match)
|
||||
+ if (sk->sk_bound_dev_if)
|
||||
score++;
|
||||
}
|
||||
|