authorJustin M. Forbes <jforbes@fedoraproject.org>2017-04-12 07:03:40 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2017-04-12 07:03:40 -0500
commit30c5e4f52c5d470cf6dc1584d9f0d3429ca608d6 (patch)
tree19e4a3218d5a69f6580c3baedcf950ed7ff83a1c
parentb13dddecaf96c23ca81a1bddf442be4ab44e2bea (diff)
Linux v4.10.10
-rw-r--r--0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch65
-rw-r--r--kernel.spec15
-rw-r--r--kvm-fix-page-struct-leak-in-handle_vmon.patch49
-rw-r--r--sources2
-rw-r--r--vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch33
5 files changed, 6 insertions, 158 deletions
diff --git a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
deleted file mode 100644
index d682dcc42..000000000
--- a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Mon, 27 Mar 2017 11:32:59 +0200
-Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
-
-Since:
-
- cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-
-all MCEs are printed even when mcelog is running. Fix the regression to
-not print to dmesg when mcelog is running as it is a consumer too.
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-[ Massage commit message. ]
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Tony Luck <tony.luck@intel.com>
-Cc: linux-edac <linux-edac@vger.kernel.org>
-Cc: stable@vger.kernel.org # 4.10..
-Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
----
- arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 8e9725c..5accfbd 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -54,6 +54,8 @@
-
- static DEFINE_MUTEX(mce_chrdev_read_mutex);
-
-+static int mce_chrdev_open_count; /* #times opened */
-+
- #define mce_log_get_idx_check(p) \
- ({ \
- RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
-@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
- if (atomic_read(&num_notifiers) > 2)
- return NOTIFY_DONE;
-
-+ /* Don't print when mcelog is running */
-+ if (mce_chrdev_open_count > 0)
-+ return NOTIFY_DONE;
-+
- __print_mce(m);
-
- return NOTIFY_DONE;
-@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
- */
-
- static DEFINE_SPINLOCK(mce_chrdev_state_lock);
--static int mce_chrdev_open_count; /* #times opened */
- static int mce_chrdev_open_exclu; /* already open exclusive? */
-
- static int mce_chrdev_open(struct inode *inode, struct file *file)
---
-2.9.3
-
diff --git a/kernel.spec b/kernel.spec
index babc8e9d1..b231b59ff 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -599,18 +599,9 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
-#CVE-2017-2596 rhbz 1417812 1417813
-Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
-
-#CVE-2017-7261 rhbz 1435719 1435740
-Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
-
#CVE-2017-7277 rhbz 1436629 1436661
Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
-# rhbz 1438316
-Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
-
# CVE-2017-2671 rhbz 1436649 1436663
Patch860: 0001-ping-implement-proper-locking.patch
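Review bot: Patch854 (CVE-2017-2596) and Patch857 (CVE-2017-7261) are dropped in this hunk, along with Patch859 (rhbz 1438316), but nothing in the commit records that their fixes are carried by the 4.10.10 stable update. The new %changelog entry names only CVE-2017-7616. Presumably all three are now contained in patch-4.10.10.xz; that is worth confirming against the stable tree, since a fix missing there would silently reopen the issue in this build. A changelog line such as `- Drop patches for CVE-2017-2596, CVE-2017-7261 and rhbz 1438316, now in 4.10.10` would make the removal auditable.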
@@ -2197,6 +2188,10 @@ fi
#
#
%changelog
+* Wed Apr 12 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.10-200
+- Linux v4.10.10
+- CVE-2017-7616 (rhbz 1441088 1441093)
+
* Tue Apr 11 2017 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2017-7618 (rhbz 1441095 1441093)
- Fix CVE-2017-7308 (rhbz 1437404 1437406)
diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch
deleted file mode 100644
index b29bcea03..000000000
--- a/kvm-fix-page-struct-leak-in-handle_vmon.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From patchwork Tue Jan 24 10:56:21 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: kvm: fix page struct leak in handle_vmon
-From: Paolo Bonzini <pbonzini@redhat.com>
-X-Patchwork-Id: 9534885
-Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
-To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
-Cc: dvyukov@google.com
-Date: Tue, 24 Jan 2017 11:56:21 +0100
-
-handle_vmon gets a reference on VMXON region page,
-but does not release it. Release the reference.
-
-Found by syzkaller; based on a patch by Dmitry.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 42cc3d6f4d20..0f7345035210 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
- }
-
- page = nested_get_page(vcpu, vmptr);
-- if (page == NULL ||
-- *(u32 *)kmap(page) != VMCS12_REVISION) {
-+ if (page == NULL) {
- nested_vmx_failInvalid(vcpu);
-+ return kvm_skip_emulated_instruction(vcpu);
-+ }
-+ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
- kunmap(page);
-+ nested_release_page_clean(page);
-+ nested_vmx_failInvalid(vcpu);
- return kvm_skip_emulated_instruction(vcpu);
- }
- kunmap(page);
-+ nested_release_page_clean(page);
- vmx->nested.vmxon_ptr = vmptr;
- break;
- case EXIT_REASON_VMCLEAR:
diff --git a/sources b/sources
index e6820718f..3e1d074ac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.9.xz) = 867cdcf1e6ceee58dec7eb913e119dcaa75255cef1ad2dd9eb0eead6a918a202e3b6656770422d547a7758236a8589c70d49fa4045de867b77a04480f97c242d
+SHA512 (patch-4.10.10.xz) = 264d156d7a3b1f3b3a80a7a9dc9a358b5cd582d8d894c482f3c9eb5af4eca64439720d5b9b141ae57f7845dfab59563497faae8e6fb666aeec86aab6b8df904a
diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
deleted file mode 100644
index 1ede96c60..000000000
--- a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Vladis Dronov <vdronov@redhat.com>
-Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
-Date: 2017-03-24 15:37:10
-
-In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
-user-controlled value which is not checked for zero. It is used in
-a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
-is dereferenced which leads to a GPF and possibly to a kernel panic.
-Add the check for zero to avoid this.
-
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index b445ce9..42840cc 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes <= 0 ||
-+ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
---
-2.9.3