author: Thorsten Leemhuis <fedora@leemhuis.info> 2018-01-03 14:44:00 +0100
committer: Thorsten Leemhuis <fedora@leemhuis.info> 2018-01-03 14:44:00 +0100
commit: a008188e36c502a7b67b10d15faca50d3df422cf (patch)
tree: 3410e0098171a5fca870df445772ad8bc90d1052
parent: 7e70d9981c6f5f49db45fe132e23704c54f81f04 (diff)
parent: 87e3972ebc08ffbcc82d62eb645ba06f7e88ea51 (diff)
Merge remote-tracking branch 'origin/f26' into f26-user-thl-vanilla-fedora
-rw-r--r-- baseconfig/x86/x86_64/CONFIG_PAGE_TABLE_ISOLATION | 1
-rw-r--r-- cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch | 132
-rw-r--r-- kernel-x86_64-debug.config | 1
-rw-r--r-- kernel-x86_64.config | 1
-rw-r--r-- kernel.spec | 13
-rw-r--r-- net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch | 81
-rw-r--r-- netlink-Add-netns-check-on-taps.patch | 42
-rw-r--r-- sources | 2
-rw-r--r-- x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 46
9 files changed, 188 insertions, 131 deletions
diff --git a/baseconfig/x86/x86_64/CONFIG_PAGE_TABLE_ISOLATION b/baseconfig/x86/x86_64/CONFIG_PAGE_TABLE_ISOLATION
new file mode 100644
index 000000000..6881a7757
--- /dev/null
+++ b/baseconfig/x86/x86_64/CONFIG_PAGE_TABLE_ISOLATION
@@ -0,0 +1 @@
+CONFIG_PAGE_TABLE_ISOLATION=y
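Review bot: the same `CONFIG_PAGE_TABLE_ISOLATION=y` line is also added by hand to both generated configs (kernel-x86_64-debug.config and kernel-x86_64.config) further down in this merge; if those files are normally regenerated from baseconfig, regenerate them from this new file instead of editing them directly, so the three copies cannot drift apart on a later rebase.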
diff --git a/cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
new file mode 100644
index 000000000..fc84559d0
--- /dev/null
+++ b/cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
@@ -0,0 +1,132 @@
+From patchwork Wed Dec 20 15:13:31 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [cgroup/for-4.15-fixes] cgroup: fix css_task_iter crash on
+ CSS_TASK_ITER_PROC
+From: Tejun Heo <tj@kernel.org>
+X-Patchwork-Id: 10125801
+Message-Id: <20171220151331.GA3413940@devbig577.frc2.facebook.com>
+To: Laura Abbott <labbott@redhat.com>
+Cc: Zefan Li <lizefan@huawei.com>, linux-kernel@vger.kernel.org,
+ cgroups@vger.kernel.org, regressions@leemhuis.info,
+ Bronek Kozicki <brok@incorrekt.com>, George Amanakis <gamanakis@gmail.com>
+Date: Wed, 20 Dec 2017 07:13:31 -0800
+
+Hello,
+
+Applied the following to cgroup/for-4.15-fixes. Will push out to
+linus later this week. I could reproduce the problem reliably and am
+pretty sure this is the right fix but I'd greatly appreciate if you
+guys can confirm the fix too.
+
+Thank you very much.
+
+------ 8< ------
+>From 74d0833c659a8a54735e5efdd44f4b225af68586 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 20 Dec 2017 07:09:19 -0800
+
+While teaching css_task_iter to handle skipping over tasks which
+aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
+css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
+silly bug.
+
+CSS_TASK_ITER_PROCS is implemented by repeating
+css_task_iter_advance() while the advanced cursor is pointing to a
+non-leader thread. However, the cursor variable, @l, wasn't updated
+when the iteration has to advance to the next css_set and the
+following repetition would operate on the terminal @l from the
+previous iteration which isn't pointing to a valid task leading to
+oopses like the following or infinite looping.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
+ IP: __task_pid_nr_ns+0xc7/0xf0
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ ...
+ CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
+ Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
+ task: ffff88c4baee8000 task.stack: ffff96d5c3158000
+ RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
+ RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
+ RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
+ RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
+ RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
+ R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
+ R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
+ FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
+ Call Trace:
+ cgroup_procs_show+0x19/0x30
+ cgroup_seqfile_show+0x4c/0xb0
+ kernfs_seq_show+0x21/0x30
+ seq_read+0x2ec/0x3f0
+ kernfs_fop_read+0x134/0x180
+ __vfs_read+0x37/0x160
+ ? security_file_permission+0x9b/0xc0
+ vfs_read+0x8e/0x130
+ SyS_read+0x55/0xc0
+ entry_SYSCALL_64_fastpath+0x1a/0xa5
+ RIP: 0033:0x7f94455f942d
+ RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
+ RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
+ RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
+ RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
+ R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
+ R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
+ Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
+ RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
+
+Fix it by moving the initialization of the cursor below the repeat
+label. While at it, rename it to @next for readability.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
+Cc: stable@vger.kernel.org # v4.14+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Reported-by: Bronek Kozicki <brok@incorrekt.com>
+Reported-by: George Amanakis <gamanakis@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index f4c2f8c..2cf06c2 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4125,26 +4125,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
+
+ static void css_task_iter_advance(struct css_task_iter *it)
+ {
+- struct list_head *l = it->task_pos;
++ struct list_head *next;
+
+ lockdep_assert_held(&css_set_lock);
+- WARN_ON_ONCE(!l);
+-
+ repeat:
+ /*
+ * Advance iterator to find next entry. cset->tasks is consumed
+ * first and then ->mg_tasks. After ->mg_tasks, we move onto the
+ * next cset.
+ */
+- l = l->next;
++ next = it->task_pos->next;
+
+- if (l == it->tasks_head)
+- l = it->mg_tasks_head->next;
++ if (next == it->tasks_head)
++ next = it->mg_tasks_head->next;
+
+- if (l == it->mg_tasks_head)
++ if (next == it->mg_tasks_head)
+ css_task_iter_advance_css_set(it);
+ else
+- it->task_pos = l;
++ it->task_pos = next;
+
+ /* if PROCS, skip over tasks which aren't group leaders */
+ if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
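Review bot: the fix is sound as far as the visible hunk shows: `next = it->task_pos->next;` now sits below the `repeat:` label, so after `css_task_iter_advance_css_set(it)` updates `it->task_pos` the retry reads the fresh cursor instead of the stale `l` left over from the previous pass, which is what the commit message blames for the NULL dereference at 0x254 in `__task_pid_nr_ns` in the quoted oops. Two things worth recording in the spec comment for this patch: `WARN_ON_ONCE(!l)` is dropped and the first `it->task_pos->next` dereference is unguarded, so the function now relies on callers never entering with a NULL `task_pos` (only the `goto repeat` path is guarded by `it->task_pos &&`); and the patch is tagged `Cc: stable@vger.kernel.org # v4.14+` with a `Fixes:` line, so note that it should be dropped as soon as the 4.14 stable series carries it. The duplicated `Signed-off-by: Tejun Heo` and the mbox-escaped `>From 74d0833c...` line are harmless for `git am`.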
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 0c708f7ca..9ca5d9065 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -3824,6 +3824,7 @@ CONFIG_PACKET=y
# CONFIG_PAGE_EXTENSION is not set
# CONFIG_PAGE_OWNER is not set
# CONFIG_PAGE_POISONING is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_PANASONIC_LAPTOP=m
# CONFIG_PANEL is not set
# CONFIG_PANIC_ON_OOPS is not set
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 253f5248d..7ce1dc7ca 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -3804,6 +3804,7 @@ CONFIG_PACKET=y
# CONFIG_PAGE_EXTENSION is not set
# CONFIG_PAGE_OWNER is not set
# CONFIG_PAGE_POISONING is not set
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_PANASONIC_LAPTOP=m
# CONFIG_PANEL is not set
# CONFIG_PANIC_ON_OOPS is not set
diff --git a/kernel.spec b/kernel.spec
index 1aed94d63..a7a3def7e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -633,10 +633,6 @@ Patch335: arm-exynos-fix-usb3.patch
# rbhz 1519591 1520764
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
-# CVE-2017-17449
-# rhbz 1525762 1525763
-Patch503: netlink-Add-netns-check-on-taps.patch
-
# CVE-2017-17450
# rhbz 1525761 1525764
Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
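Review bot: removing `Patch503: netlink-Add-netns-check-on-taps.patch` also removes the `# CVE-2017-17449` and `# rhbz 1525762 1525763` lines, but nothing in the spec or the changelog says why the patch is no longer needed; presumably the 4.14.11 stable update carries the fix, and a line in the %changelog entry saying so keeps the CVE trail auditable instead of looking like an accidental drop.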
@@ -673,12 +669,12 @@ Patch627: qxl-fixes.patch
# rhbz 1462175
Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
-# CVE-2017-17712 rhbz 1526427 1526933
-Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
-
# CVE-2017-17741 rhbz 1527112 1527113
Patch630: v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
+Patch631: cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+Patch632: x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+
# END OF PATCH DEFINITIONS
%endif
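Review bot: `Patch631` and `Patch632` are added without the `# CVE-... rhbz ...` comment lines that every neighbouring entry carries; add a comment with the upstream status for each (the cgroup fix is tagged `Cc: stable@vger.kernel.org # v4.14+` and carries a `Fixes:` tag, while the AMD PTI change is still a patchwork submission with no upstream commit id), so it is clear when each can be dropped. The removed `Patch629` (CVE-2017-17712) needs the same treatment in the changelog: state where the fix now comes from.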
@@ -2257,6 +2253,9 @@ fi
#
#
%changelog
+* Wed Jan 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.11-200
+- Linux v4.14.11
+
* Mon Jan 01 2018 Laura Abbott <labbott@redhat.com> - 4.14.10-200
- Linux v4.14.10
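Review bot: the new %changelog entry only says `Linux v4.14.11`, yet this update also enables `CONFIG_PAGE_TABLE_ISOLATION`, adds the AMD PTI exemption and the cgroup css_task_iter fix, and drops two CVE patches; a security-relevant config change such as turning on page table isolation deserves its own changelog line so users and downstream rebuilders can see it without reading the diff.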
diff --git a/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
deleted file mode 100644
index 41ad4af16..000000000
--- a/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From patchwork Sun Dec 10 03:50:58 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: net: ipv4: fix for a race condition in raw_sendmsg
-X-Patchwork-Submitter: simo.ghannam@gmail.com
-X-Patchwork-Id: 846641
-X-Patchwork-Delegate: davem@davemloft.net
-Message-Id: <5a2caf2e.4ce61c0a.5017a.575f@mx.google.com>
-To: netdev@vger.kernel.org
-Cc: Mohamed Ghannam <simo.ghannam@gmail.com>
-Date: Sun, 10 Dec 2017 03:50:58 +0000
-From: simo.ghannam@gmail.com
-List-Id: <netdev.vger.kernel.org>
-
-From: Mohamed Ghannam <simo.ghannam@gmail.com>
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
----
- net/ipv4/raw.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 33b70bfd1122..125c1eab3eaa 100644
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0xFFFF)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
- * Check the flags.
- */
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- /* Linux does not mangle headers on raw sockets,
- * so that IP options + IP_HDRINCL is non-sense.
- */
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
-
- flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
- RT_SCOPE_UNIVERSE,
-- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
- inet_sk_flowi_flags(sk) |
-- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
-+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
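Review bot: deleting this patch is consistent with the kernel.spec hunk that drops `Patch629` (CVE-2017-17712), but neither the commit message nor the changelog states that the fix is now in the 4.14.11 stable update, which is the assumption this deletion rests on; say so explicitly. For anyone reviewing the rest of the series, the pattern in the deleted diff is worth keeping in mind: `inet->hdrincl` was read several times inside `raw_sendmsg`, so a concurrent change to the socket option could be observed differently by different reads, and the fix snapshots it once into a local (`hdrincl = inet->hdrincl;`, with a comment noting that `READ_ONCE()` cannot be used on a bit field) and uses that local everywhere.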
diff --git a/netlink-Add-netns-check-on-taps.patch b/netlink-Add-netns-check-on-taps.patch
deleted file mode 100644
index 8595cf80d..000000000
--- a/netlink-Add-netns-check-on-taps.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 5af86b090e2f17b97c02d0bf9098f6edc3195935 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Wed, 6 Dec 2017 12:12:27 -0800
-Subject: [PATCH] netlink: Add netns check on taps
-
-Currently, a nlmon link inside a child namespace can observe systemwide
-netlink activity. Filter the traffic so that nlmon can only sniff
-netlink messages from its own netns.
-
-Test case:
-
- vpnns -- bash -c "ip link add nlmon0 type nlmon; \
- ip link set nlmon0 up; \
- tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
- sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
- spi 0x1 mode transport \
- auth sha1 0x6162633132330000000000000000000000000000 \
- enc aes 0x00000000000000000000000000000000
- grep --binary abc123 /tmp/nlmon.pcap
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
----
- net/netlink/af_netlink.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 15c99dfa3d72..aac9d68b4636 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
- struct sock *sk = skb->sk;
- int ret = -ENOMEM;
-
-+ if (!net_eq(dev_net(dev), sock_net(sk)))
-+ return 0;
-+
- dev_hold(dev);
-
- if (is_vmalloc_addr(skb->head))
---
-2.14.3
-
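Review bot: same situation as the raw_sendmsg removal: this deletion pairs with dropping `Patch503` (CVE-2017-17449) in kernel.spec, and the commit should state that the `net_eq(dev_net(dev), sock_net(sk))` check in `__netlink_deliver_tap_skb` is now provided by 4.14.11, since a silently dropped CVE patch is hard to distinguish from one dropped by mistake during a rebase.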
diff --git a/sources b/sources
index 079711d0e..05d19ed73 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14.10.xz) = 93b642201235c78ef6c8253ef6338a82f6c38e5b6741c7ec06c3dde84433683809c56fe30aab0117607ab09d3367d1dafbbc81af3353f267676357bf72cd7280
+SHA512 (patch-4.14.11.xz) = 3fbaf02eb236d7490eb65e64b841fc43bd3abbbf97deef79b7457faf8005ef7f2cbaf5c4a8c3b2d22998f5197a5a98b6fef717ed60a34ff666fa7eaf8376118d
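Review bot: the `patch-4.14.10.xz` entry is replaced by `patch-4.14.11.xz` with a new SHA512; verify that value against the checksums kernel.org publishes for 4.14.11 before merging, since this line is the only integrity check the build performs on the downloaded stable patch. The `linux-4.14.tar.xz` and `perf-man-4.14.tar.gz` entries are unchanged, as expected for a stable point release.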
diff --git a/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
new file mode 100644
index 000000000..a7e0accb6
--- /dev/null
+++ b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,46 @@
+From patchwork Wed Dec 27 05:43:54 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: x86/cpu, x86/pti: Do not enable PTI on AMD processors
+From: Tom Lendacky <thomas.lendacky@amd.com>
+X-Patchwork-Id: 10133447
+Message-Id: <20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net>
+To: x86@kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>,
+ linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
+ Andy Lutomirski <luto@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
+ Thomas Gleixner <tglx@linutronix.de>, Borislav Petkov <bp@suse.de>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against. The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c47de4e..7d9e3b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
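Review bot: the comment `/* Assume for now that ALL x86 CPUs are insecure */` is removed and nothing in the code explains the new `if (c->x86_vendor != X86_VENDOR_AMD)` condition; add a one-line comment summarising the rationale from the commit message (AMD does not permit references, speculative ones included, to higher-privileged data that would fault) so the exemption is not mistaken for an oversight later. This is also a patchwork submission rather than a merged commit (no upstream id, only a `Reviewed-by`), so the spec should flag it as pending upstream and the patch should be re-checked against whatever form eventually lands in the stable series.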