
rebase patches

Fabian Grünbichler 7 years ago
parent
commit
3adc532101

+ 4 - 4
patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch

@@ -54,10 +54,10 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  2 files changed, 111 insertions(+)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 1738d820c56f..e7216bc05b3b 100644
+index 1bbfe73fcd6c..073e3023b515 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2930,6 +2930,15 @@
+@@ -2935,6 +2935,15 @@
  		nomsi		[MSI] If the PCI_MSI kernel config parameter is
  				enabled, this kernel boot option can be used to
  				disable the use of MSI interrupts system-wide.
@@ -74,7 +74,7 @@ index 1738d820c56f..e7216bc05b3b 100644
  				Safety option to keep boot IRQs enabled. This
  				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 02b009426670..c29d89ffc9b2 100644
+index 99eec22d99b7..7576c2b0c913 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
 @@ -3687,6 +3687,107 @@ static int __init pci_apply_final_quirks(void)
@@ -185,7 +185,7 @@ index 02b009426670..c29d89ffc9b2 100644
  /*
   * Following are device-specific reset methods which can be used to
   * reset a single function if other methods (e.g. FLR, PM D0->D3) are
-@@ -4514,6 +4615,7 @@ static const struct pci_dev_acs_enabled {
+@@ -4529,6 +4630,7 @@ static const struct pci_dev_acs_enabled {
  	{ 0x10df, 0x720, pci_quirk_mf_endpoint_acs }, /* Emulex Skyhawk-R */
  	/* Cavium ThunderX */
  	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },

+ 2 - 2
patches/kernel/0007-KVM-x86-fix-APIC-page-invalidation.patch

@@ -23,10 +23,10 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  3 files changed, 25 insertions(+)
 
 diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 066b51796695..f39bc68efa56 100644
+index 78ec3cda9429..1953c0a5b972 100644
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
-@@ -1546,4 +1546,7 @@ static inline int kvm_cpu_get_apicid(int mps_cpu)
+@@ -1439,4 +1439,7 @@ static inline int kvm_cpu_get_apicid(int mps_cpu)
  #endif
  }
  

+ 1 - 1
patches/kernel/0009-tun-free-skb-in-early-errors.patch

@@ -21,7 +21,7 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  1 file changed, 18 insertions(+), 6 deletions(-)
 
 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index cb1f7747adad..5143e948d7d1 100644
+index d1cb1ff83251..d58ae8ad0a4e 100644
 --- a/drivers/net/tun.c
 +++ b/drivers/net/tun.c
 @@ -1519,8 +1519,11 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile,

+ 2 - 2
patches/kernel/0010-tap-free-skb-if-flags-error.patch

@@ -19,7 +19,7 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  1 file changed, 10 insertions(+), 4 deletions(-)
 
 diff --git a/drivers/net/tap.c b/drivers/net/tap.c
-index 3570c7576993..4e04b6094f3c 100644
+index 7a2f6bebfd15..96e5e5b2ae39 100644
 --- a/drivers/net/tap.c
 +++ b/drivers/net/tap.c
 @@ -829,8 +829,11 @@ static ssize_t tap_do_read(struct tap_queue *q,
@@ -35,7 +35,7 @@ index 3570c7576993..4e04b6094f3c 100644
  
  	if (skb)
  		goto put;
-@@ -1155,11 +1158,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
+@@ -1157,11 +1160,14 @@ static int tap_recvmsg(struct socket *sock, struct msghdr *m,
  		       size_t total_len, int flags)
  {
  	struct tap_queue *q = container_of(sock, struct tap_queue, sock);

+ 14 - 14
patches/kernel/0013-kvm-vmx-Reinstate-support-for-CPUs-without-virtual-N.patch

@@ -36,10 +36,10 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  1 file changed, 106 insertions(+), 44 deletions(-)
 
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index cb044cd17790..d2168203bddc 100644
+index 5edf05ce45de..146caacd8fdd 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
-@@ -203,6 +203,10 @@ struct loaded_vmcs {
+@@ -204,6 +204,10 @@ struct loaded_vmcs {
  	bool nmi_known_unmasked;
  	unsigned long vmcs_host_cr3;	/* May not match real cr3 */
  	unsigned long vmcs_host_cr4;	/* May not match real cr4 */
@@ -50,7 +50,7 @@ index cb044cd17790..d2168203bddc 100644
  	struct list_head loaded_vmcss_on_cpu_link;
  };
  
-@@ -1289,6 +1293,11 @@ static inline bool cpu_has_vmx_invpcid(void)
+@@ -1290,6 +1294,11 @@ static inline bool cpu_has_vmx_invpcid(void)
  		SECONDARY_EXEC_ENABLE_INVPCID;
  }
  
@@ -62,7 +62,7 @@ index cb044cd17790..d2168203bddc 100644
  static inline bool cpu_has_vmx_wbinvd_exit(void)
  {
  	return vmcs_config.cpu_based_2nd_exec_ctrl &
-@@ -1340,11 +1349,6 @@ static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit)
+@@ -1341,11 +1350,6 @@ static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit)
  		(vmcs12->secondary_vm_exec_control & bit);
  }
  
@@ -74,7 +74,7 @@ index cb044cd17790..d2168203bddc 100644
  static inline bool nested_cpu_has_preemption_timer(struct vmcs12 *vmcs12)
  {
  	return vmcs12->pin_based_vm_exec_control &
-@@ -3686,9 +3690,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
+@@ -3687,9 +3691,9 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
  				&_vmexit_control) < 0)
  		return -EIO;
  
@@ -87,7 +87,7 @@ index cb044cd17790..d2168203bddc 100644
  	if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS,
  				&_pin_based_exec_control) < 0)
  		return -EIO;
-@@ -5548,7 +5552,8 @@ static void enable_irq_window(struct kvm_vcpu *vcpu)
+@@ -5549,7 +5553,8 @@ static void enable_irq_window(struct kvm_vcpu *vcpu)
  
  static void enable_nmi_window(struct kvm_vcpu *vcpu)
  {
@@ -97,7 +97,7 @@ index cb044cd17790..d2168203bddc 100644
  		enable_irq_window(vcpu);
  		return;
  	}
-@@ -5588,6 +5593,19 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
+@@ -5589,6 +5594,19 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
  {
  	struct vcpu_vmx *vmx = to_vmx(vcpu);
  
@@ -117,7 +117,7 @@ index cb044cd17790..d2168203bddc 100644
  	++vcpu->stat.nmi_injections;
  	vmx->loaded_vmcs->nmi_known_unmasked = false;
  
-@@ -5606,6 +5624,8 @@ static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
+@@ -5607,6 +5625,8 @@ static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
  	struct vcpu_vmx *vmx = to_vmx(vcpu);
  	bool masked;
  
@@ -126,7 +126,7 @@ index cb044cd17790..d2168203bddc 100644
  	if (vmx->loaded_vmcs->nmi_known_unmasked)
  		return false;
  	masked = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_NMI;
-@@ -5617,13 +5637,20 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
+@@ -5618,13 +5638,20 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
  {
  	struct vcpu_vmx *vmx = to_vmx(vcpu);
  
@@ -154,7 +154,7 @@ index cb044cd17790..d2168203bddc 100644
  }
  
  static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
-@@ -5631,6 +5658,10 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
+@@ -5632,6 +5659,10 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
  	if (to_vmx(vcpu)->nested.nested_run_pending)
  		return 0;
  
@@ -165,7 +165,7 @@ index cb044cd17790..d2168203bddc 100644
  	return	!(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
  		  (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI
  		   | GUEST_INTR_STATE_NMI));
-@@ -6359,6 +6390,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
+@@ -6360,6 +6391,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
  	 * AAK134, BY25.
  	 */
  	if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) &&
@@ -173,7 +173,7 @@ index cb044cd17790..d2168203bddc 100644
  			(exit_qualification & INTR_INFO_UNBLOCK_NMI))
  		vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, GUEST_INTR_STATE_NMI);
  
-@@ -6833,7 +6865,7 @@ static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
+@@ -6834,7 +6866,7 @@ static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
  	}
  
  	/* Create a new VMCS */
@@ -182,7 +182,7 @@ index cb044cd17790..d2168203bddc 100644
  	if (!item)
  		return NULL;
  	item->vmcs02.vmcs = alloc_vmcs();
-@@ -7850,6 +7882,7 @@ static int handle_pml_full(struct kvm_vcpu *vcpu)
+@@ -7851,6 +7883,7 @@ static int handle_pml_full(struct kvm_vcpu *vcpu)
  	 * "blocked by NMI" bit has to be set before next VM entry.
  	 */
  	if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) &&
@@ -190,7 +190,7 @@ index cb044cd17790..d2168203bddc 100644
  			(exit_qualification & INTR_INFO_UNBLOCK_NMI))
  		vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
  				GUEST_INTR_STATE_NMI);
-@@ -8567,6 +8600,25 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
+@@ -8568,6 +8601,25 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
  		return 0;
  	}
  

+ 2 - 2
patches/kernel/0014-KVM-SVM-obey-guest-PAT.patch

@@ -34,10 +34,10 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  1 file changed, 7 insertions(+)
 
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 55fb408465f7..e99bdfcc6b01 100644
+index a8c911fcd73f..e9d0f80fd83a 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
-@@ -3649,6 +3649,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
+@@ -3650,6 +3650,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
  	u32 ecx = msr->index;
  	u64 data = msr->data;
  	switch (ecx) {

+ 2 - 2
patches/kernel/0018-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch

@@ -22,10 +22,10 @@ Signed-off-by: Fabian Grünbichler <[email protected]>
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index d2168203bddc..e6fa3df81fd8 100644
+index 146caacd8fdd..80732f87cac0 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
-@@ -882,8 +882,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
+@@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
  {
  	BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
  

+ 0 - 0
patches/kernel/0023-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch → patches/kernel/0019-EDAC-sb_edac-Don-t-create-a-second-memory-controller.patch


+ 0 - 54
patches/kernel/0019-x86-tboot-Unbreak-tboot-with-PTI-enabled.patch

@@ -1,54 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dave Hansen <[email protected]>
-Date: Sat, 6 Jan 2018 18:41:14 +0100
-Subject: [PATCH] x86/tboot: Unbreak tboot with PTI enabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 262b6b30087246abf09d6275eb0c0dc421bcbe38 upstream.
-
-This is another case similar to what EFI does: create a new set of
-page tables, map some code at a low address, and jump to it.  PTI
-mistakes this low address for userspace and mistakenly marks it
-non-executable in an effort to make it unusable for userspace.
-
-Undo the poison to allow execution.
-
-Fixes: 385ce0ea4c07 ("x86/mm/pti: Add Kconfig")
-Signed-off-by: Dave Hansen <[email protected]>
-Signed-off-by: Andrea Arcangeli <[email protected]>
-Signed-off-by: Thomas Gleixner <[email protected]>
-Cc: Alan Cox <[email protected]>
-Cc: Tim Chen <[email protected]>
-Cc: Jon Masters <[email protected]>
-Cc: Dave Hansen <[email protected]>
-Cc: Andi Kleen <[email protected]>
-Cc: Jeff Law <[email protected]>
-Cc: Paolo Bonzini <[email protected]>
-Cc: Linus Torvalds <[email protected]>
-Cc: Greg Kroah-Hartman <[email protected]>
-Cc: David" <[email protected]>
-Cc: Nick Clifton <[email protected]>
-Link: https://lkml.kernel.org/r/[email protected]
-Signed-off-by: Greg Kroah-Hartman <[email protected]>
-Signed-off-by: Fabian Grünbichler <[email protected]>
----
- arch/x86/kernel/tboot.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
-index a2486f444073..8337730f0956 100644
---- a/arch/x86/kernel/tboot.c
-+++ b/arch/x86/kernel/tboot.c
-@@ -127,6 +127,7 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
- 	p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
- 	if (!p4d)
- 		return -1;
-+	pgd->pgd &= ~_PAGE_NX;
- 	pud = pud_alloc(&tboot_mm, p4d, vaddr);
- 	if (!pud)
- 		return -1;
--- 
-2.14.2
-
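Review bot: The commit gives no reason for removing this patch or the three removed after it (0020 intel_bts with PTI, 0021 dccp CVE-2017-8824, 0022 sctp CVE-2017-15115), and two of those four fix use-after-free bugs. Presumably the new base already carries upstream commits 262b6b300872, 99a9dc98ba52, 69c64866ce07 and df80cd9b28b9, but nothing visible on this page confirms that. Before merging, check the rebased tree for the changes themselves: the `pgd->pgd &= ~_PAGE_NX;` line in map_tboot_page(), the `ccid_hc_rx_delete()`/`ccid_hc_tx_delete()` calls in dccp_disconnect(), and the `net_eq()` check in sctp_do_peeloff(). If they are present, a commit-message line such as `drop 0019-0022: applied in new base` would record why the fixes left the patch queue.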

+ 0 - 0
patches/kernel/0024-EDAC-sb_edac-Fix-missing-break-in-switch.patch → patches/kernel/0020-EDAC-sb_edac-Fix-missing-break-in-switch.patch


+ 0 - 72
patches/kernel/0020-x86-perf-Disable-intel_bts-when-PTI.patch

@@ -1,72 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <[email protected]>
-Date: Sun, 14 Jan 2018 11:27:13 +0100
-Subject: [PATCH] x86,perf: Disable intel_bts when PTI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 99a9dc98ba52267ce5e062b52de88ea1f1b2a7d8 upstream.
-
-The intel_bts driver does not use the 'normal' BTS buffer which is exposed
-through the cpu_entry_area but instead uses the memory allocated for the
-perf AUX buffer.
-
-This obviously comes apart when using PTI because then the kernel mapping;
-which includes that AUX buffer memory; disappears. Fixing this requires to
-expose a mapping which is visible in all context and that's not trivial.
-
-As a quick fix disable this driver when PTI is enabled to prevent
-malfunction.
-
-Fixes: 385ce0ea4c07 ("x86/mm/pti: Add Kconfig")
-Reported-by: Vince Weaver <[email protected]>
-Reported-by: Robert Święcki <[email protected]>
-Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
-Signed-off-by: Thomas Gleixner <[email protected]>
-Cc: Alexander Shishkin <[email protected]>
-Cc: [email protected]
-Cc: [email protected]
-Cc: [email protected]
-Cc: Vince Weaver <[email protected]>
-Cc: [email protected]
-Cc: [email protected]
-Link: https://lkml.kernel.org/r/[email protected]
-Signed-off-by: Greg Kroah-Hartman <[email protected]>
-Signed-off-by: Fabian Grünbichler <[email protected]>
----
- arch/x86/events/intel/bts.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c
-index ddd8d3516bfc..9a62e6fce0e0 100644
---- a/arch/x86/events/intel/bts.c
-+++ b/arch/x86/events/intel/bts.c
-@@ -582,6 +582,24 @@ static __init int bts_init(void)
- 	if (!boot_cpu_has(X86_FEATURE_DTES64) || !x86_pmu.bts)
- 		return -ENODEV;
- 
-+	if (boot_cpu_has(X86_FEATURE_PTI)) {
-+		/*
-+		 * BTS hardware writes through a virtual memory map we must
-+		 * either use the kernel physical map, or the user mapping of
-+		 * the AUX buffer.
-+		 *
-+		 * However, since this driver supports per-CPU and per-task inherit
-+		 * we cannot use the user mapping since it will not be availble
-+		 * if we're not running the owning process.
-+		 *
-+		 * With PTI we can't use the kernal map either, because its not
-+		 * there when we run userspace.
-+		 *
-+		 * For now, disable this driver when using PTI.
-+		 */
-+		return -ENODEV;
-+	}
-+
- 	bts_pmu.capabilities	= PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE |
- 				  PERF_PMU_CAP_EXCLUSIVE;
- 	bts_pmu.task_ctx_nr	= perf_sw_context;
--- 
-2.14.2
-

+ 0 - 53
patches/kernel/0021-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

@@ -1,53 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <[email protected]>
-Date: Fri, 8 Dec 2017 15:39:50 +0100
-Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam <[email protected]>
-Reviewed-by: Eric Dumazet <[email protected]>
-Signed-off-by: David S. Miller <[email protected]>
-
-CVE-2017-8824
-(cherry picked from commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 linux-next)
-Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
-Acked-by: Seth Forshee <[email protected]>
-Acked-by: Colin Ian King <[email protected]>
-Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
-Signed-off-by: Fabian Grünbichler <[email protected]>
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/dccp/proto.c b/net/dccp/proto.c
-index b68168fcc06a..9d43c1f40274 100644
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
- {
- 	struct inet_connection_sock *icsk = inet_csk(sk);
- 	struct inet_sock *inet = inet_sk(sk);
-+	struct dccp_sock *dp = dccp_sk(sk);
- 	int err = 0;
- 	const int old_state = sk->sk_state;
- 
-@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
- 		sk->sk_err = ECONNRESET;
- 
- 	dccp_clear_xmit_timers(sk);
-+	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+	dp->dccps_hc_rx_ccid = NULL;
-+	dp->dccps_hc_tx_ccid = NULL;
- 
- 	__skb_queue_purge(&sk->sk_receive_queue);
- 	__skb_queue_purge(&sk->sk_write_queue);
--- 
-2.14.2
-

+ 0 - 73
patches/kernel/0022-sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch

@@ -1,73 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Xin Long <[email protected]>
-Date: Thu, 7 Dec 2017 16:07:00 +0100
-Subject: [PATCH] sctp: do not peel off an assoc from one netns to another one
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Now when peeling off an association to the sock in another netns, all
-transports in this assoc are not to be rehashed and keep use the old
-key in hashtable.
-
-As a transport uses sk->net as the hash key to insert into hashtable,
-it would miss removing these transports from hashtable due to the new
-netns when closing the sock and all transports are being freeed, then
-later an use-after-free issue could be caused when looking up an asoc
-and dereferencing those transports.
-
-This is a very old issue since very beginning, ChunYu found it with
-syzkaller fuzz testing with this series:
-
-  socket$inet6_sctp()
-  bind$inet6()
-  sendto$inet6()
-  unshare(0x40000000)
-  getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
-  getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
-
-This patch is to block this call when peeling one assoc off from one
-netns to another one, so that the netns of all transport would not
-go out-sync with the key in hashtable.
-
-Note that this patch didn't fix it by rehashing transports, as it's
-difficult to handle the situation when the tuple is already in use
-in the new netns. Besides, no one would like to peel off one assoc
-to another netns, considering ipaddrs, ifaces, etc. are usually
-different.
-
-Reported-by: ChunYu Wang <[email protected]>
-Signed-off-by: Xin Long <[email protected]>
-Acked-by: Marcelo Ricardo Leitner <[email protected]>
-Acked-by: Neil Horman <[email protected]>
-Signed-off-by: David S. Miller <[email protected]>
-
-CVE-2017-15115
-(cherry picked from commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74)
-Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
-Acked-by: Colin Ian King <[email protected]>
-Acked-by: Stefan Bader <[email protected]>
-Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
-Signed-off-by: Fabian Grünbichler <[email protected]>
----
- net/sctp/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 8d760863bc41..52f388e0448e 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4894,6 +4894,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
- 	struct socket *sock;
- 	int err = 0;
- 
-+	/* Do not peel off from one netns to another one. */
-+	if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
-+		return -EINVAL;
-+
- 	if (!asoc)
- 		return -EINVAL;
- 
--- 
-2.14.2
-