author: Thorsten Leemhuis <fedora@leemhuis.info> 2018-08-09 13:00:45 +0200
committer: Thorsten Leemhuis <fedora@leemhuis.info> 2018-08-09 13:00:45 +0200
commit: 6f81a82b86e3cb05890f44be79b5f73c3b27e019
tree: 7ba5f44cba6410bcaa48f80e56edc8ec37a06a7a
parent: 3660de93b9ae4909d546342786db31d3f8721f41
parent: 95234a2661f2a81bb0892fb685ecc27b7ba855ee
Merge remote-tracking branch 'origin/f28' into f28-user-thl-vanilla-fedora
-rw-r--r-- kernel.spec 6
-rw-r--r-- xsa274-linux-4_17.patch 127
2 files changed, 3 insertions, 130 deletions
diff --git a/kernel.spec b/kernel.spec
index b94222418..46034fd08 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -688,9 +688,6 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
# rhbz 1597333
# Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch
-# CVE-2018-14678 rhbz 1608559 1608560
-Patch530: xsa274-linux-4_17.patch
-
# END OF PATCH DEFINITIONS
%endif
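Review bot: The removed comment `# CVE-2018-14678 rhbz 1608559 1608560` was the only line in this part of the spec tying it to that CVE, and nothing replaces it. Before dropping `Patch530`, confirm that the rebased source already contains the change the patch carried (the deleted file's header names 8df635007e07, "x86/entry/64: Remove %ebx handling from error_entry/exit"), and say so in the commit message, which currently only states that it merges origin/f28.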
@@ -1943,6 +1940,9 @@ fi
#
#
%changelog
+* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200
+- Linux v4.17.13
+
* Fri Aug 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.12-200
- Linux v4.17.12
- Fixes CVE-2018-14734 (rhbz 1611005 1611007)
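Review bot: The new 4.17.13-200 entry says only `- Linux v4.17.13`, while the 4.17.12-200 entry directly below it records the CVE it fixes together with its rhbz numbers. Because this same commit drops the CVE-2018-14678 patch, add a line in the same form, for example `- Fixes CVE-2018-14678 (rhbz 1608559 1608560)`, if the fix now comes from the base version, so the changelog remains usable for CVE auditing. The maintainer address also changes from jforbes@fedoraproject.org to jforbes@redhat.com between the two entries; use one consistently.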
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
deleted file mode 100644
index 7a9bbf768..000000000
--- a/xsa274-linux-4_17.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Sun, 22 Jul 2018 11:05:09 -0700
-Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
-
-error_entry and error_exit communicate the user vs kernel status of
-the frame using %ebx. This is unnecessary -- the information is in
-regs->cs. Just use regs->cs.
-
-This makes error_entry simpler and makes error_exit more robust.
-
-It also fixes a nasty bug. Before all the Spectre nonsense, The
-xen_failsafe_callback entry point returned like this:
-
- ALLOC_PT_GPREGS_ON_STACK
- SAVE_C_REGS
- SAVE_EXTRA_REGS
- ENCODE_FRAME_POINTER
- jmp error_exit
-
-And it did not go through error_entry. This was bogus: RBX
-contained garbage, and error_exit expected a flag in RBX.
-Fortunately, it generally contained *nonzero* garbage, so the
-correct code path was used. As part of the Spectre fixes, code was
-added to clear RBX to mitigate certain speculation attacks. Now,
-depending on kernel configuration, RBX got zeroed and, when running
-some Wine workloads, the kernel crashes. This was introduced by:
-
- commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
- exceptions/interrupts, to reduce speculation attack surface")
-
-With this patch applied, RBX is no longer needed as a flag, and the
-problem goes away.
-
-I suspect that malicious userspace could use this bug to crash the
-kernel even without the offending patch applied, though.
-
-[Historical note: I wrote this patch as a cleanup before I was aware
- of the bug it fixed.]
-
-[Note to stable maintainers: this should probably get applied to all
- kernels. If you're nervous about that, a more conservative fix to
- add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
- also fix the problem.]
-
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dominik Brodowski <linux@dominikbrodowski.net>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: xen-devel@lists.xenproject.org
-Cc: x86@kernel.org
-Cc: stable@vger.kernel.org
-Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
-Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
----
- arch/x86/entry/entry_64.S | 18 ++++--------------
- 1 file changed, 4 insertions(+), 14 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index 73a522d53b53..8ae7ffda8f98 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -981,7 +981,7 @@ ENTRY(\sym)
-
- call \do_sym
-
-- jmp error_exit /* %ebx: no swapgs flag */
-+ jmp error_exit
- .endif
- END(\sym)
- .endm
-@@ -1222,7 +1222,6 @@ END(paranoid_exit)
-
- /*
- * Save all registers in pt_regs, and switch GS if needed.
-- * Return: EBX=0: came from user mode; EBX=1: otherwise
- */
- ENTRY(error_entry)
- UNWIND_HINT_FUNC
-@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
- * for these here too.
- */
- .Lerror_kernelspace:
-- incl %ebx
- leaq native_irq_return_iret(%rip), %rcx
- cmpq %rcx, RIP+8(%rsp)
- je .Lerror_bad_iret
-@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
-
- /*
- * Pretend that the exception came from user mode: set up pt_regs
-- * as if we faulted immediately after IRET and clear EBX so that
-- * error_exit knows that we will be returning to user mode.
-+ * as if we faulted immediately after IRET.
- */
- mov %rsp, %rdi
- call fixup_bad_iret
- mov %rax, %rsp
-- decl %ebx
- jmp .Lerror_entry_from_usermode_after_swapgs
- END(error_entry)
-
--
--/*
-- * On entry, EBX is a "return to kernel mode" flag:
-- * 1: already in kernel mode, don't need SWAPGS
-- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
-- */
- ENTRY(error_exit)
- UNWIND_HINT_REGS
- DISABLE_INTERRUPTS(CLBR_ANY)
- TRACE_IRQS_OFF
-- testl %ebx, %ebx
-- jnz retint_kernel
-+ testb $3, CS(%rsp)
-+ jz retint_kernel
- jmp retint_user
- END(error_exit)
-
---
-2.18.0
-
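Review bot: Deleting this file is only safe if `error_exit` in the 4.17.13 tree already chooses between `retint_kernel` and `retint_user` with `testb $3, CS(%rsp)` followed by `jz retint_kernel`, as in the last hunk of the removed patch, rather than with `testl %ebx, %ebx` and `jnz retint_kernel`. Check this against the unpacked source before merging, since the patch's own message says the xen_failsafe_callback path jumps to error_exit without going through error_entry and that the stale RBX flag leads to a kernel crash. The file name is also the only reference to the Xen advisory here, as the patch header carries no advisory or CVE identifier, so once the file is gone that link should be kept somewhere else, such as the changelog.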