author | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-08-03 08:07:41 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-08-03 08:07:41 +0200 |
commit | 1f399d4e5ced03d1878c114b9df8033548de739c (patch) | |
tree | bea142476f4dc90b50a99ddcc7dcd44612db2094 | |
parent | bc2d2ed76e681dc1b9f99528b9ae8529f140e657 (diff) | |
parent | 020145bd7b3ce8ed2e2fddf47b35a10c1b46741d (diff) | |
Merge remote-tracking branch 'origin/f27' into f27-user-thl-vanilla-fedora
-rw-r--r-- | 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch | 46 | ||||
-rw-r--r-- | 2-2-xen-netfront-Update-features-after-registering-netdev.patch | 58 | ||||
-rw-r--r-- | ext4-fix-false-negative-and-false-positives.patch | 56 | ||||
-rw-r--r-- | kernel.spec | 30 | ||||
-rw-r--r-- | mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch | 69 | ||||
-rwxr-xr-x | scripts/create_headers_tarball.sh | 85 | ||||
-rw-r--r-- | xsa274-linux-4_17.patch | 127 |
7 files changed, 292 insertions, 179 deletions
diff --git a/1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch b/1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
deleted file mode 100644
index ed73771aa..000000000
--- a/1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From patchwork Thu Jun 21 13:00:20 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [1/2] xen-netfront: Fix mismatched rtnl_unlock
-X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
-X-Patchwork-Id: 932721
-Message-Id: <20180621130021.27029-2-ross.lagerwall@citrix.com>
-To: <netdev@vger.kernel.org>
-Cc: Ross Lagerwall <ross.lagerwall@citrix.com>,
- Boris Ostrovsky <boris.ostrovsky@oracle.com>,
- Juergen Gross <jgross@suse.com>, "David S. Miller" <davem@davemloft.net>,
- <xen-devel@lists.xenproject.org>, <linux-kernel@vger.kernel.org>
-Date: Thu, 21 Jun 2018 14:00:20 +0100
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-List-Id: <netdev.vger.kernel.org>
-
-Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
-Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
----
- drivers/net/xen-netfront.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index 922ce0a..ee4cb6c 100644
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -1810,7 +1810,7 @@ static int talk_to_netback(struct xenbus_device *dev,
- err = xen_net_read_mac(dev, info->netdev->dev_addr);
- if (err) {
- xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename);
-- goto out;
-+ goto out_unlocked;
- }
-
- rtnl_lock();
-@@ -1925,6 +1925,7 @@ static int talk_to_netback(struct xenbus_device *dev,
- xennet_destroy_queues(info);
- out:
- rtnl_unlock();
-+out_unlocked:
- device_unregister(&dev->dev);
- return err;
- }
diff --git a/2-2-xen-netfront-Update-features-after-registering-netdev.patch b/2-2-xen-netfront-Update-features-after-registering-netdev.patch
deleted file mode 100644
index b23d6bfaa..000000000
--- a/2-2-xen-netfront-Update-features-after-registering-netdev.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From patchwork Thu Jun 21 13:00:21 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [2/2] xen-netfront: Update features after registering netdev
-X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
-X-Patchwork-Id: 932720
-Message-Id: <20180621130021.27029-3-ross.lagerwall@citrix.com>
-To: <netdev@vger.kernel.org>
-Cc: Ross Lagerwall <ross.lagerwall@citrix.com>,
- Boris Ostrovsky <boris.ostrovsky@oracle.com>,
- Juergen Gross <jgross@suse.com>, "David S. Miller" <davem@davemloft.net>,
- <xen-devel@lists.xenproject.org>, <linux-kernel@vger.kernel.org>,
- Liam Shepherd <liam@dancer.es>
-Date: Thu, 21 Jun 2018 14:00:21 +0100
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-List-Id: <netdev.vger.kernel.org>
-
-Update the features after calling register_netdev() otherwise the
-device features are not set up correctly and it not possible to change
-the MTU of the device. After this change, the features reported by
-ethtool match the device's features before the commit which introduced
-the issue and it is possible to change the device's MTU.
-
-Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
-Reported-by: Liam Shepherd <liam@dancer.es>
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
----
- drivers/net/xen-netfront.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index ee4cb6c..a57daec 100644
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -1951,10 +1951,6 @@ static int xennet_connect(struct net_device *dev)
- /* talk_to_netback() sets the correct number of queues */
- num_queues = dev->real_num_tx_queues;
-
-- rtnl_lock();
-- netdev_update_features(dev);
-- rtnl_unlock();
--
- if (dev->reg_state == NETREG_UNINITIALIZED) {
- err = register_netdev(dev);
- if (err) {
-@@ -1964,6 +1960,10 @@ static int xennet_connect(struct net_device *dev)
- }
- }
-
-+ rtnl_lock();
-+ netdev_update_features(dev);
-+ rtnl_unlock();
-+
- /*
- * All public and private state should now be sane. Get
- * ready to start sending and receiving packets and give the driver
diff --git a/ext4-fix-false-negative-and-false-positives.patch b/ext4-fix-false-negative-and-false-positives.patch
new file mode 100644
index 000000000..2beba4f94
--- /dev/null
+++ b/ext4-fix-false-negative-and-false-positives.patch
@@ -0,0 +1,56 @@
+From 44de022c4382541cebdd6de4465d1f4f465ff1dd Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 8 Jul 2018 19:35:02 -0400
+Subject: ext4: fix false negatives *and* false positives in
+ ext4_check_descriptors()
+
+Ext4_check_descriptors() was getting called before s_gdb_count was
+initialized. So for file systems w/o the meta_bg feature, allocation
+bitmaps could overlap the block group descriptors and ext4 wouldn't
+notice.
+
+For file systems with the meta_bg feature enabled, there was a
+fencepost error which would cause the ext4_check_descriptors() to
+incorrectly believe that the block allocation bitmap overlaps with the
+block group descriptor blocks, and it would reject the mount.
+
+Fix both of these problems.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+---
+ fs/ext4/super.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index ba2396a7bd04..eff5c983e067 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2342,7 +2342,7 @@ static int ext4_check_descriptors(struct super_block *sb,
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
+ ext4_fsblk_t last_block;
+- ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1;
++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0);
+ ext4_fsblk_t block_bitmap;
+ ext4_fsblk_t inode_bitmap;
+ ext4_fsblk_t inode_table;
+@@ -4085,14 +4085,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ goto failed_mount2;
+ }
+ }
++ sbi->s_gdb_count = db_count;
+ if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
+ ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
+ ret = -EFSCORRUPTED;
+ goto failed_mount2;
+ }
+
+- sbi->s_gdb_count = db_count;
+-
+ timer_setup(&sbi->s_err_report, print_daily_error_info, 0);
+
+ /* Register extent status tree shrinker 
*/ +-- +cgit 1.2-0.3.lf.el7 + diff --git a/kernel.spec b/kernel.spec index 5d7d6fe89..5c2058e75 100644 --- a/kernel.spec +++ b/kernel.spec @@ -134,6 +134,10 @@ Summary: The Linux kernel # See also 'make debug' and 'make release'. %define debugbuildsenabled 1 +# Kernel headers are being split out into a separate package +%define with_headers 0 +%define with_cross_headers 0 + %if %{with_verbose} %define make_opts V=1 %else @@ -656,10 +660,6 @@ Patch508: ath10k-Update-the-phymode-along-with-bandwidth-change.patch # In 4.18 Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch -# rhbz 1584216 -Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch -Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch - # rhbz 1591516 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch @@ -688,8 +688,11 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch # rhbz 1597333 # Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch -# i686 patch that will eventually be 4.17.8 -Patch527: mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch +# rhbz 1602971 +Patch529: ext4-fix-false-negative-and-false-positives.patch + +# CVE-2018-14678 rhbz 1608559 1608560 +Patch530: xsa274-linux-4_17.patch # END OF PATCH DEFINITIONS @@ -1943,6 +1946,21 @@ fi # # %changelog +* Mon Jul 30 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.11-100 +- Linux v4.17.11 +- Turn off kernel-headers for the split +- Fix CVE-2018-14678 (rhbz 1608559 1608560) + +* Wed Jul 25 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.10-100 +- Linux v4.17.10 + +* Mon Jul 23 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.9-200 +- Linux v4.17.9 +- Fix emergency shell with ext4 rootfs (rhbz 1602971) + +* Mon Jul 23 2018 Jeremy Cline <jeremy@jcline.org> +- Fix iwlwifi module load failure (rhbz 1607092) + * Tue Jul 17 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.7-100 - Linux v4.17.7 
diff --git a/mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch b/mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch
deleted file mode 100644
index f72e111ad..000000000
--- a/mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From d1b47a7c9efcf3c3384b70f6e3c8f1423b44d8c7 Mon Sep 17 00:00:00 2001
-From: Pavel Tatashin <pasha.tatashin@oracle.com>
-Date: Mon, 16 Jul 2018 11:16:30 -0400
-Subject: mm: don't do zero_resv_unavail if memmap is not allocated
-
-From: Pavel Tatashin <pasha.tatashin@oracle.com>
-
-commit d1b47a7c9efcf3c3384b70f6e3c8f1423b44d8c7 upstream.
-
-Moving zero_resv_unavail before memmap_init_zone(), caused a regression on
-x86-32.
-
-The cause is that we access struct pages before they are allocated when
-CONFIG_FLAT_NODE_MEM_MAP is used.
-
-free_area_init_nodes()
- zero_resv_unavail()
- mm_zero_struct_page(pfn_to_page(pfn)); <- struct page is not alloced
- free_area_init_node()
- if CONFIG_FLAT_NODE_MEM_MAP
- alloc_node_mem_map()
- memblock_virt_alloc_node_nopanic() <- struct page alloced here
-
-On the other hand memblock_virt_alloc_node_nopanic() zeroes all the memory
-that it returns, so we do not need to do zero_resv_unavail() here.
-
-Fixes: e181ae0c5db9 ("mm: zero unavailable pages before memmap init")
-Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
-Tested-by: Matt Hart <matt@mattface.org>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- include/linux/mm.h | 2 +-
- mm/page_alloc.c | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2081,7 +2081,7 @@ extern int __meminit __early_pfn_to_nid(
- struct mminit_pfnnid_cache *state);
- #endif
-
--#ifdef CONFIG_HAVE_MEMBLOCK
-+#if defined(CONFIG_HAVE_MEMBLOCK) && !defined(CONFIG_FLAT_NODE_MEM_MAP)
- void zero_resv_unavail(void);
- #else
- static inline void zero_resv_unavail(void) {}
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -6377,7 +6377,7 @@ void __paginginit free_area_init_node(in
- free_area_init_core(pgdat);
- }
-
--#ifdef CONFIG_HAVE_MEMBLOCK
-+#if defined(CONFIG_HAVE_MEMBLOCK) && !defined(CONFIG_FLAT_NODE_MEM_MAP)
- /*
- * Only struct pages that are backed by physical memory are zeroed and
- * initialized by going through __init_single_page(). But, there are some
-@@ -6415,7 +6415,7 @@ void __paginginit zero_resv_unavail(void
- if (pgcnt)
- pr_info("Reserved but unavailable: %lld pages", pgcnt);
- }
--#endif /* CONFIG_HAVE_MEMBLOCK */
-+#endif /* CONFIG_HAVE_MEMBLOCK && !CONFIG_FLAT_NODE_MEM_MAP */
-
- #ifdef CONFIG_HAVE_MEMBLOCK_NODE_MAP
-
diff --git a/scripts/create_headers_tarball.sh b/scripts/create_headers_tarball.sh
new file mode 100755
index 000000000..fee658579
--- /dev/null
+++ b/scripts/create_headers_tarball.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# This script is aimed at generating the headers from the kernel sources.
+# Please do a git checkout of the kernel sources, or run until %prep step of
+# kernel rpm build. Then go into the directory with the sources, and run this
+# script
+#
+# Author: Herton R. Krzesinski <herton@redhat.com>
+
+# ARCH_LIST below has the default list of supported architectures
+# (the architectures names may be different from rpm, you list here the
+# names of arch/<arch> directories in the kernel sources)
+ARCH_LIST="arm arm64 powerpc s390 x86"
+
+# If the kernel Makefile doesn't contain enough information for the tarball
+# release, you can specify the release of the package so it'll be included
+# in the name of the created tarball
+TB_RELEASE="1"
+
+# If kernel Makefile has the package release number, you can specify the name of
+# Makefile variable here.
+MAKE_RELEASE=""
+
+# Extra string (usually dist tag) that goes into the tarball name
+EXTRA=""
+
+while [ ! -z "$1" ]; do
+ opt="$1"
+ case $opt in
+ --arch-list|-a)
+ ARCH_LIST="$2"
+ shift
+ ;;
+ --extra|-e)
+ EXTRA="$2"
+ shift
+ ;;
+ --make-release|-m)
+ MAKE_RELEASE=$2
+ shift
+ ;;
+ --release|-r)
+ TB_RELEASE=$2
+ shift
+ ;;
+ *)
+ echo "Unknown option ($1) to $0"
+ exit
+ ;;
+ esac
+ shift
+done
+
+KVERSION=$(cat Makefile | sed -ne '/^VERSION\ =\ /{s///;p;q}')
+KPATCHLEVEL=$(cat Makefile | sed -ne '/^PATCHLEVEL\ =\ /{s///;p;q}')
+KSUBLEVEL=$(cat Makefile | sed -ne '/^SUBLEVEL\ =\ /{s///;p;q}')
+TB_VERSION=$KVERSION.$KPATCHLEVEL.$KSUBLEVEL
+if [ -z "$TB_RELEASE" ]; then
+ KEXTRAVERSION=$(cat Makefile | sed -ne '/^EXTRAVERSION\ =\ /{s///;p;q}')
+ DISTRO_RELEASE=""
+ if [ -n "$MAKE_RELEASE" ]; then
+ DISTRO_RELEASE=.$(cat Makefile | sed -ne "/^$MAKE_RELEASE\ =\ /{s///;p;q}")
+ fi
+ if [ -n "$KEXTRAVERSION" ]; then
+ KEXTRAVERSION=$(echo $KEXTRAVERSION | sed -e s/-/./)
+ TB_RELEASE=0$KEXTRAVERSION$DISTRO_RELEASE$EXTRA
+ else
+ TB_RELEASE=$DISTRO_RELEASE$EXTRA
+ fi
+fi
+
+headers_dir=$(mktemp -d)
+trap 'rm -rf "$headers_dir"' SIGHUP SIGINT SIGTERM EXIT
+
+make HDR_ARCH_LIST="$ARCH_LIST" INSTALL_HDR_PATH=$headers_dir headers_install_all
+find $headers_dir \
+ \( -name .install -o -name .check -o \
+ -name ..install.cmd -o -name ..check.cmd \) | xargs rm -f
+
+TARBALL=$PWD/kernel-headers-$TB_VERSION-$TB_RELEASE.tar.xz
+pushd $headers_dir
+ tar -Jcf $TARBALL *
+popd
+
+echo wrote $TARBALL
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
new file mode 100644
index 000000000..7a9bbf768
--- /dev/null
+++ b/xsa274-linux-4_17.patch
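Review bot: No step in this script is checked for failure, so the final `tar -Jcf $TARBALL *` can archive the wrong tree: if `pushd $headers_dir` fails, or `mktemp -d` produced nothing, tar runs in the kernel source directory the script was started from, and a failed `make ... headers_install_all` still produces a tarball. Adding `set -e` after the header comment (or `|| exit 1` on the `mktemp`, `make` and `pushd` lines) would stop at the first failure, and `$headers_dir` and `$TARBALL` should be quoted where they are expanded so a path containing spaces is not word-split. The `*)` branch of the option loop ends in a bare `exit`, which returns the status of the preceding `echo`, i.e. success; `exit 1` lets a caller notice the bad option.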
@@ -0,0 +1,127 @@
+From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
+
+error_entry and error_exit communicate the user vs kernel status of
+the frame using %ebx. This is unnecessary -- the information is in
+regs->cs. Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug. Before all the Spectre nonsense, The
+xen_failsafe_callback entry point returned like this:
+
+ ALLOC_PT_GPREGS_ON_STACK
+ SAVE_C_REGS
+ SAVE_EXTRA_REGS
+ ENCODE_FRAME_POINTER
+ jmp error_exit
+
+And it did not go through error_entry. This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used. As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks. Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes. This was introduced by:
+
+ commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
+ exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed.]
+
+[Note to stable maintainers: this should probably get applied to all
+ kernels. If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem.]
+
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: x86@kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 73a522d53b53..8ae7ffda8f98 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -981,7 +981,7 @@ ENTRY(\sym)
+
+ call \do_sym
+
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1222,7 +1222,6 @@ END(paranoid_exit)
+
+ /*
+ * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ UNWIND_HINT_FUNC
+@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
+
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ UNWIND_HINT_REGS
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+- testl %ebx, %ebx
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
+
+--
+2.18.0
+ |