From 2be21dcc7879707f0f72df4f5edac9a4517b604d Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Sat, 10 Dec 2016 16:08:57 -0800 Subject: [PATCH] Update to Linux 4.8.14 Includes fix for CVE-2016-8655 Linux af_packet.c race condition. This gives a container escape with default container capabilities. This now has the slow network namespace patch backported, so this is removed. Signed-off-by: Justin Cormack --- alpine/kernel/Dockerfile | 2 +- ...api-struct-as-not-busy-poll-candidat.patch | 50 ------------------- 2 files changed, 1 insertion(+), 51 deletions(-) delete mode 100644 alpine/kernel/patches/0005-gro_cells-mark-napi-struct-as-not-busy-poll-candidat.patch diff --git a/alpine/kernel/Dockerfile b/alpine/kernel/Dockerfile index dbf80652a..155b1f50b 100644 --- a/alpine/kernel/Dockerfile +++ b/alpine/kernel/Dockerfile @@ -1,7 +1,7 @@ # Tag: 36aecb5cf4738737634140eec9abebe1f6559a39 FROM mobylinux/alpine-build-c@sha256:d66b9625abc831f28f8c584991a9cb6975e85d3bb3d3768474b592f1cf32a3a6 -ARG KERNEL_VERSION=4.8.12 +ARG KERNEL_VERSION=4.8.14 ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz diff --git a/alpine/kernel/patches/0005-gro_cells-mark-napi-struct-as-not-busy-poll-candidat.patch b/alpine/kernel/patches/0005-gro_cells-mark-napi-struct-as-not-busy-poll-candidat.patch deleted file mode 100644 index 2ef31e56c..000000000 --- a/alpine/kernel/patches/0005-gro_cells-mark-napi-struct-as-not-busy-poll-candidat.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From f45dc8d3c7bab381eba3c94414bbc04eae208990 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Mon, 14 Nov 2016 16:28:42 -0800 -Subject: [PATCH 5/5] gro_cells: mark napi struct as not busy poll candidates - -Rolf Neugebauer reported very long delays at netns dismantle. - -Eric W. Biederman was kind enough to look at this problem -and noticed synchronize_net() occurring from netif_napi_del() that was -added in linux-4.5 - -Busy polling makes no sense for tunnels NAPI. -If busy poll is used for sessions over tunnels, the poller will need to -poll the physical device queue anyway. - -netif_tx_napi_add() could be used here, but function name is misleading, -and renaming it is not stable material, so set NAPI_STATE_NO_BUSY_POLL -bit directly. - -This will avoid inserting gro_cells napi structures in napi_hash[] -and avoid the problematic synchronize_net() (per possible cpu) that -Rolf reported. - -Fixes: 93d05d4a320c ("net: provide generic busy polling to all NAPI drivers") -Signed-off-by: Eric Dumazet -Reported-by: Rolf Neugebauer -Reported-by: Eric W. Biederman -Acked-by: Cong Wang -Origin: https://patchwork.ozlabs.org/patch/694780/ ---- - include/net/gro_cells.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h -index d15214d..2a1abbf 100644 ---- a/include/net/gro_cells.h -+++ b/include/net/gro_cells.h -@@ -68,6 +68,9 @@ static inline int gro_cells_init(struct gro_cells *gcells, struct net_device *de - struct gro_cell *cell = per_cpu_ptr(gcells->cells, i); - - __skb_queue_head_init(&cell->napi_skbs); -+ -+ set_bit(NAPI_STATE_NO_BUSY_POLL, &cell->napi.state); -+ - netif_napi_add(dev, &cell->napi, gro_cell_poll, 64); - napi_enable(&cell->napi); - } --- -2.10.2 -
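Review bot: in the alpine/kernel/Dockerfile hunk, the bump to `ARG KERNEL_VERSION=4.8.14` is the only thing tying this image to the CVE-2016-8655 fix named in the commit message, and nothing visible in the hunk verifies the tarball that `ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz` fetches, while the base image on the line above is pinned by sha256 digest. If the download is not already checked against the kernel.org `.sign` file elsewhere in the Dockerfile, add that check so the kernel source is held to the same standard as the base image, and consider a one-line comment above the ARG naming the CVE so the reason for the minimum version survives the next bump.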
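Review bot: the deletion of alpine/kernel/patches/0005-gro_cells-mark-napi-struct-as-not-busy-poll-candidat.patch rests on the commit message's statement that 4.8.14 now carries this change, but neither the message nor the removed file names the 4.8.y stable commit that backports it; the removed file only cites `Origin: https://patchwork.ozlabs.org/patch/694780/` for the upstream submission. Record the stable commit id in the commit message so the removal can be checked against the new tarball, and confirm that the rest of the series (the removed patch was `[PATCH 5/5]`) still applies cleanly on 4.8.14, since this diff touches only the Dockerfile and the deleted file and shows no rebase of the remaining patches.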