Merge pull request #2938 from coreosbot/master-4.14.4

Upgrade Linux in master to 4.14.4

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1,2 @@
 DIST linux-4.14.tar.xz 100770500 SHA256 f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7 SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8 WHIRLPOOL fee10d54ecb210156aa55364ecc15867127819e9f7ff9ec5f6ef159b1013e2ae3d3a28d35c62d663886cbe826b996a1387671766093be002536309045a8e4d10
-DIST patch-4.14.3.xz 82540 SHA256 e13995c11d0c2d3379c887666dbfaca619200fb8853db6d5d67f97d47fd959b7 SHA512 36a08a4c1c93c4fefb95273f3bfe4cac724d8e7c4f90d6e42a11c3afbbdd35b537f3380985a730c9aca491359f9bbdc4747ac444dd6b2625443c28df285cf74a WHIRLPOOL 5a2f46d5c1465962f668b60e05ff981a12916860f59a5e81494b4299b8c77160ad7ac4f1370648f5d1a7532947249ded5be41b26557ee58b487547dc22fdb25d
+DIST patch-4.14.4.xz 110228 SHA256 e9dcf9aad5977289940cd6e3762af02b87a725ba6c1a9f4af86958dc621e3a84 SHA512 9232c7816a92f1499cd2a58417250af18cb519fe1abf7b250f82470b1a931f99cb473951fcba9e9a8ffd7246b63db2054ddaa127b7aaa9632d440be5f6c00111 WHIRLPOOL 4837e8ff19b7d300ca3d3126fb13f16a4a186b26aadcef12529906d220a1a0d930de5a94d4fb473b47b1366177a425aef6c7a8558fcfece9b76a8b6c38fb8b22

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.4.ebuild

@@ -33,5 +33,6 @@ IUSE=""
 UNIPATCH_LIST="
 	${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 	${PATCH_DIR}/z0002-Add-arm64-coreos-verity-hash.patch \
-	${PATCH_DIR}/z0003-mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch \
+	${PATCH_DIR}/z0003-KVM-Remove-I-O-port-0x80-bypass-on-intel-hosts.patch \
+	${PATCH_DIR}/z0004-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 0473934b0b7b1ce2400edb9294cdc17e5fa97607 Mon Sep 17 00:00:00 2001
+From 51a1127fb1ac44395f477a19b7e866ca68f19d0c Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 1/3] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 1/4] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index ede4de0d8634..23246140a149 100644
+index ba1648c093fe..805a34dab5bd 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
-From 42d0c22d96d9011105a0f712134df935e5821239 Mon Sep 17 00:00:00 2001
+From 6f18813f11d2ebbb8a083c4af1f65f71e2457ca6 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 2/3] Add arm64 coreos verity hash
+Subject: [PATCH 2/4] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-KVM-Remove-I-O-port-0x80-bypass-on-intel-hosts.patch

@@ -0,0 +1,81 @@
+From 8fabd9ceb90c5d6fa66b57477bbc791f4e37730f Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig@google.com>
+Date: Wed, 29 Nov 2017 10:54:24 -0800
+Subject: [PATCH 3/4] KVM: Remove I/O port 0x80 bypass on intel hosts.
+
+KVM allows guests to directly access I/O port 0x80 on intel hosts.  If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash.  With this change
+guest writes to port 0x80 on intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port.  This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for intel.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index b21113bcf227..7242184fd8fd 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -935,8 +935,7 @@ static DEFINE_PER_CPU(struct list_head, blocked_vcpu_on_cpu);
+ static DEFINE_PER_CPU(spinlock_t, blocked_vcpu_on_cpu_lock);
+ 
+ enum {
+-	VMX_IO_BITMAP_A,
+-	VMX_IO_BITMAP_B,
++	VMX_IO_BITMAP,
+ 	VMX_MSR_BITMAP_LEGACY,
+ 	VMX_MSR_BITMAP_LONGMODE,
+ 	VMX_MSR_BITMAP_LEGACY_X2APIC_APICV,
+@@ -950,8 +949,7 @@ enum {
+ 
+ static unsigned long *vmx_bitmap[VMX_BITMAP_NR];
+ 
+-#define vmx_io_bitmap_a                      (vmx_bitmap[VMX_IO_BITMAP_A])
+-#define vmx_io_bitmap_b                      (vmx_bitmap[VMX_IO_BITMAP_B])
++#define vmx_io_bitmap                        (vmx_bitmap[VMX_IO_BITMAP])
+ #define vmx_msr_bitmap_legacy                (vmx_bitmap[VMX_MSR_BITMAP_LEGACY])
+ #define vmx_msr_bitmap_longmode              (vmx_bitmap[VMX_MSR_BITMAP_LONGMODE])
+ #define vmx_msr_bitmap_legacy_x2apic_apicv   (vmx_bitmap[VMX_MSR_BITMAP_LEGACY_X2APIC_APICV])
+@@ -5438,8 +5436,8 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
+ 	int i;
+ 
+ 	/* I/O */
+-	vmcs_write64(IO_BITMAP_A, __pa(vmx_io_bitmap_a));
+-	vmcs_write64(IO_BITMAP_B, __pa(vmx_io_bitmap_b));
++	vmcs_write64(IO_BITMAP_A, __pa(vmx_io_bitmap));
++	vmcs_write64(IO_BITMAP_B, __pa(vmx_io_bitmap));
+ 
+ 	if (enable_shadow_vmcs) {
+ 		vmcs_write64(VMREAD_BITMAP, __pa(vmx_vmread_bitmap));
+@@ -6746,18 +6744,10 @@ static __init int hardware_setup(void)
+ 			goto out;
+ 	}
+ 
+-	vmx_io_bitmap_b = (unsigned long *)__get_free_page(GFP_KERNEL);
+ 	memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ 	memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+ 
+-	/*
+-	 * Allow direct access to the PC debug port (it is often used for I/O
+-	 * delays, but the vmexits simply slow things down).
+-	 */
+-	memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+-	clear_bit(0x80, vmx_io_bitmap_a);
+-
+-	memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
++	memset(vmx_io_bitmap, 0xff, PAGE_SIZE);
+ 
+ 	memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE);
+ 	memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE);
+-- 
+2.14.1
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch

@@ -1,108 +0,0 @@
-From 5c97205d13f6955dffbd3f83797f6dc5d2d7bac9 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Mon, 27 Nov 2017 06:21:25 +0300
-Subject: [PATCH 3/3] mm, thp: Do not make page table dirty unconditionally in
- touch_p[mu]d()
-
-Currently, we unconditionally make page table dirty in touch_pmd().
-It may result in false-positive can_follow_write_pmd().
-
-We may avoid the situation, if we would only make the page table entry
-dirty if caller asks for write access -- FOLL_WRITE.
-
-The patch also changes touch_pud() in the same way.
-
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Cc: Michal Hocko <mhocko@suse.com>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- mm/huge_memory.c | 36 +++++++++++++-----------------------
- 1 file changed, 13 insertions(+), 23 deletions(-)
-
-diff --git a/mm/huge_memory.c b/mm/huge_memory.c
-index 1981ed697dab..eba34cdfc3e5 100644
---- a/mm/huge_memory.c
-+++ b/mm/huge_memory.c
-@@ -842,20 +842,15 @@ EXPORT_SYMBOL_GPL(vmf_insert_pfn_pud);
- #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
- 
- static void touch_pmd(struct vm_area_struct *vma, unsigned long addr,
--		pmd_t *pmd)
-+		pmd_t *pmd, int flags)
- {
- 	pmd_t _pmd;
- 
--	/*
--	 * We should set the dirty bit only for FOLL_WRITE but for now
--	 * the dirty bit in the pmd is meaningless.  And if the dirty
--	 * bit will become meaningful and we'll only set it with
--	 * FOLL_WRITE, an atomic set_bit will be required on the pmd to
--	 * set the young bit, instead of the current set_pmd_at.
--	 */
--	_pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
-+	_pmd = pmd_mkyoung(*pmd);
-+	if (flags & FOLL_WRITE)
-+		_pmd = pmd_mkdirty(_pmd);
- 	if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
--				pmd, _pmd,  1))
-+				pmd, _pmd, flags & FOLL_WRITE))
- 		update_mmu_cache_pmd(vma, addr, pmd);
- }
- 
-@@ -884,7 +879,7 @@ struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr,
- 		return NULL;
- 
- 	if (flags & FOLL_TOUCH)
--		touch_pmd(vma, addr, pmd);
-+		touch_pmd(vma, addr, pmd, flags);
- 
- 	/*
- 	 * device mapped pages can only be returned if the
-@@ -995,20 +990,15 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
- 
- #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD
- static void touch_pud(struct vm_area_struct *vma, unsigned long addr,
--		pud_t *pud)
-+		pud_t *pud, int flags)
- {
- 	pud_t _pud;
- 
--	/*
--	 * We should set the dirty bit only for FOLL_WRITE but for now
--	 * the dirty bit in the pud is meaningless.  And if the dirty
--	 * bit will become meaningful and we'll only set it with
--	 * FOLL_WRITE, an atomic set_bit will be required on the pud to
--	 * set the young bit, instead of the current set_pud_at.
--	 */
--	_pud = pud_mkyoung(pud_mkdirty(*pud));
-+	_pud = pud_mkyoung(*pud);
-+	if (flags & FOLL_WRITE)
-+		_pud = pud_mkdirty(_pud);
- 	if (pudp_set_access_flags(vma, addr & HPAGE_PUD_MASK,
--				pud, _pud,  1))
-+				pud, _pud, flags & FOLL_WRITE))
- 		update_mmu_cache_pud(vma, addr, pud);
- }
- 
-@@ -1031,7 +1021,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,
- 		return NULL;
- 
- 	if (flags & FOLL_TOUCH)
--		touch_pud(vma, addr, pud);
-+		touch_pud(vma, addr, pud, flags);
- 
- 	/*
- 	 * device mapped pages can only be returned if the
-@@ -1407,7 +1397,7 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
- 	page = pmd_page(*pmd);
- 	VM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page);
- 	if (flags & FOLL_TOUCH)
--		touch_pmd(vma, addr, pmd);
-+		touch_pmd(vma, addr, pmd, flags);
- 	if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
- 		/*
- 		 * We don't mlock() pte-mapped THPs. This way we can avoid
--- 
-2.14.1
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0004-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

@@ -0,0 +1,40 @@
+From 088cbc310cfcf3324ae5f4e092d527707cdb4ce0 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 12:23:04 -0800
+Subject: [PATCH 4/4] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state, dccp_disconnect()
+must free dccps_hc_tx_ccid and dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06a..9d43c1f40274 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct inet_sock *inet = inet_sk(sk);
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	int err = 0;
+ 	const int old_state = sk->sk_state;
+ 
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
+ 		sk->sk_err = ECONNRESET;
+ 
+ 	dccp_clear_xmit_timers(sk);
++	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++	dp->dccps_hc_rx_ccid = NULL;
++	dp->dccps_hc_tx_ccid = NULL;
+ 
+ 	__skb_queue_purge(&sk->sk_receive_queue);
+ 	__skb_queue_purge(&sk->sk_write_queue);
+-- 
+2.14.1
+