authorJustin M. Forbes <jforbes@redhat.com>2015-01-30 08:28:49 -0600
committerJustin M. Forbes <jforbes@redhat.com>2015-01-30 08:28:49 -0600
commit99ae61bcfe23e97c5d8046fc271d6cf34aa4f0f7 (patch)
tree60577c2ce835e9fe4730d8b72e161f7972fe6635
parentf046ab9c33bfa5a5b3f07e73cd19ab862c4c7c89 (diff)
Linux v3.18.5
-rw-r--r--KEYS-close-race-between-key-lookup-and-freeing.patch43
-rw-r--r--KVM-x86-SYSENTER-emulation-is-broken.patch81
-rw-r--r--kernel.spec20
-rw-r--r--sources2
4 files changed, 6 insertions, 140 deletions
diff --git a/KEYS-close-race-between-key-lookup-and-freeing.patch b/KEYS-close-race-between-key-lookup-and-freeing.patch
deleted file mode 100644
index 7994e2f3..00000000
--- a/KEYS-close-race-between-key-lookup-and-freeing.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Sasha Levin <sasha.levin () oracle ! com>
-Date: Mon, 29 Dec 2014 14:39:01 -0500
-Subject: [PATCH] KEYS: close race between key lookup and freeing
-
-When a key is being garbage collected, it's key->user would get put before
-the ->destroy() callback is called, where the key is removed from it's
-respective tracking structures.
-
-This leaves a key hanging in a semi-invalid state which leaves a window open
-for a different task to try an access key->user. An example is
-find_keyring_by_name() which would dereference key->user for a key that is
-in the process of being garbage collected (where key->user was freed but
-->destroy() wasn't called yet - so it's still present in the linked list).
-
-This would cause either a panic, or corrupt memory.
-
-Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
----
- security/keys/gc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index 9609a7f0faea..c7952375ac53 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
- atomic_dec(&key->user->nikeys);
-
-- key_user_put(key->user);
--
- /* now throw away the key memory */
- if (key->type->destroy)
- key->type->destroy(key);
-
-+ key_user_put(key->user);
-+
- kfree(key->description);
-
- #ifdef KEY_DEBUGGING
---
-2.1.0
-
diff --git a/KVM-x86-SYSENTER-emulation-is-broken.patch b/KVM-x86-SYSENTER-emulation-is-broken.patch
deleted file mode 100644
index bda8f9e8..00000000
--- a/KVM-x86-SYSENTER-emulation-is-broken.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Nadav Amit <namit@cs.technion.ac.il>
-Date: Thu, 1 Jan 2015 23:11:11 +0200
-Subject: [PATCH] KVM: x86: SYSENTER emulation is broken
-
-SYSENTER emulation is broken in several ways:
-1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
-2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
- still be set without causing #GP).
-3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
- legacy-mode.
-4. There is some unneeded code.
-
-Fix it.
-
-Cc: stable@vger.linux.org
-Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/emulate.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 22e7ed9e6d8e..ac640d47c28d 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- * Not recognized on AMD in compat mode (but is recognized in legacy
- * mode).
- */
-- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
-+ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
- && !vendor_intel(ctxt))
- return emulate_ud(ctxt);
-
-@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- setup_syscalls_segments(ctxt, &cs, &ss);
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
-- switch (ctxt->mode) {
-- case X86EMUL_MODE_PROT32:
-- if ((msr_data & 0xfffc) == 0x0)
-- return emulate_gp(ctxt, 0);
-- break;
-- case X86EMUL_MODE_PROT64:
-- if (msr_data == 0x0)
-- return emulate_gp(ctxt, 0);
-- break;
-- default:
-- break;
-- }
-+ if ((msr_data & 0xfffc) == 0x0)
-+ return emulate_gp(ctxt, 0);
-
- ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
-- cs_sel = (u16)msr_data;
-- cs_sel &= ~SELECTOR_RPL_MASK;
-+ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
- ss_sel = cs_sel + 8;
-- ss_sel &= ~SELECTOR_RPL_MASK;
-- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
-+ if (efer & EFER_LMA) {
- cs.d = 0;
- cs.l = 1;
- }
-@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
-- ctxt->_eip = msr_data;
-+ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
-- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
-+ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
-+ (u32)msr_data;
-
- return X86EMUL_CONTINUE;
- }
---
-2.1.0
-
diff --git a/kernel.spec b/kernel.spec
index 1375dbd6..6860f673 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 201
+%global baserelease 200
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -615,9 +615,6 @@ Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch
#rhbz 1163927
Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
-#CVE-2014-9529 rhbz 1179813 1179853
-Patch26124: KEYS-close-race-between-key-lookup-and-freeing.patch
-
#rhbz 1124119
Patch26126: uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
Patch26127: uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
@@ -636,10 +633,6 @@ Patch30000: kernel-arm64.patch
# Fix for big-endian arches, already upstream
Patch30001: mpssd-x86-only.patch
-#CVE-2015-0239 rhbz 1186448 1186453
-Patch30004: KVM-x86-SYSENTER-emulation-is-broken.patch
-
-
# END OF PATCH DEFINITIONS
%endif
@@ -1363,9 +1356,6 @@ ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch
#rhbz 1163927
ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
-#CVE-2014-9529 rhbz 1179813 1179853
-ApplyPatch KEYS-close-race-between-key-lookup-and-freeing.patch
-
#rhbz 1124119
ApplyPatch uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
ApplyPatch uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
@@ -1381,9 +1371,6 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
# Fix for big-endian arches, already upstream
ApplyPatch mpssd-x86-only.patch
-#CVE-2015-0239 rhbz 1186448 1186453
-ApplyPatch KVM-x86-SYSENTER-emulation-is-broken.patch
-
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2254,6 +2241,9 @@ fi
# ||----w |
# || ||
%changelog
+* Fri Jan 30 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.5-100
+- Linux v3.18.5
+
* Thu Jan 29 2015 Josh Boyer <jwboyer@fedoraproject.org>
- Backport patch from Rob Clark to toggle i915 state machine checks
- Disable i915 state checks
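Review bot: The new changelog header records the release as `3.18.5-100` while the same commit sets `%global baserelease 200` in the first hunk of this file, so the tag does not match the NVR this branch will actually build; if the entry is cherry-picked verbatim from the branch that uses baserelease 100 that is the usual Fedora practice, but it deserves a glance. More importantly for later auditing, this rebase drops the local backports for CVE-2014-9529 (the KEYS garbage-collection race) and CVE-2015-0239 (KVM SYSENTER emulation) without recording why; the removal is only correct if the 3.18.5 stable update carries the corresponding upstream commits, which nothing on this page shows. I would add one line to the entry, `- Drop KEYS GC race (CVE-2014-9529) and KVM SYSENTER (CVE-2015-0239) patches, now in 3.18.5`, so a reader checking CVE coverage can see the fixes moved upstream rather than disappeared.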
diff --git a/sources b/sources
index 9b63a7f4..8bf0d43f 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
9e854df51ca3fef8bfe566dbd7b89241 linux-3.18.tar.xz
813ccb96f0b379d656e57442c2587ca3 perf-man-3.18.tar.gz
-e7c510c0df50abb2cbaea2a1a87f35b7 patch-3.18.4.xz
+e8563b2feaa6c33d20d23ac7add9d385 patch-3.18.5.xz