From db967e16ae79e3d02914cffbd28d4617d3c384d8 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 12 Jun 2018 16:31:33 -0500 Subject: Fix CVE-2018-12232 (rhbz 1590215 1590216) --- ...e-race-condition-between-sock_close-and-s.patch | 91 ++++++++++++++++++++++ kernel.spec | 6 ++ 2 files changed, 97 insertions(+) create mode 100644 0001-socket-close-race-condition-between-sock_close-and-s.patch diff --git a/0001-socket-close-race-condition-between-sock_close-and-s.patch b/0001-socket-close-race-condition-between-sock_close-and-s.patch new file mode 100644 index 000000000..90f52fc3f --- /dev/null +++ b/0001-socket-close-race-condition-between-sock_close-and-s.patch 
@@ -0,0 +1,91 @@
+From 6d8c50dcb029872b298eea68cc6209c866fd3e14 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Thu, 7 Jun 2018 13:39:49 -0700
+Subject: [PATCH] socket: close race condition between sock_close() and
+ sockfs_setattr()
+
+fchownat() doesn't even hold refcnt of fd until it figures out
+fd is really needed (otherwise is ignored) and releases it after
+it resolves the path. This means sock_close() could race with
+sockfs_setattr(), which leads to a NULL pointer dereference
+since typically we set sock->sk to NULL in ->release().
+
+As pointed out by Al, this is unique to sockfs. So we can fix this
+in socket layer by acquiring inode_lock in sock_close() and
+checking against NULL in sockfs_setattr().
+
+sock_release() is called in many places, only the sock_close()
+path matters here. And fortunately, this should not affect normal
+sock_close() as it is only called when the last fd refcnt is gone.
+It only affects sock_close() with a parallel sockfs_setattr() in
+progress, which is not common.
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Reported-by: shankarapailoor
+Cc: Tetsuo Handa
+Cc: Lorenzo Colitti
+Cc: Al Viro
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+---
+ net/socket.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index af57d85bcb48..8a109012608a 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -541,7 +541,10 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
+ if (!err && (iattr->ia_valid & ATTR_UID)) {
+ struct socket *sock = SOCKET_I(d_inode(dentry));
+
+- sock->sk->sk_uid = iattr->ia_uid;
++ if (sock->sk)
++ sock->sk->sk_uid = iattr->ia_uid;
++ else
++ err = -ENOENT;
+ }
+
+ return err;
+@@ -590,12 +593,16 @@ EXPORT_SYMBOL(sock_alloc);
+ * an inode not a file.
+ */
+
+-void sock_release(struct socket *sock)
++static void __sock_release(struct socket *sock, struct inode *inode)
+ {
+ if (sock->ops) {
+ struct module *owner = sock->ops->owner;
+
++ if (inode)
++ inode_lock(inode);
+ sock->ops->release(sock);
++ if (inode)
++ inode_unlock(inode);
+ sock->ops = NULL;
+ module_put(owner);
+ }
+@@ -609,6 +616,11 @@ void sock_release(struct socket *sock)
+ }
+ sock->file = NULL;
+ }
++
++void sock_release(struct socket *sock)
++{
++ __sock_release(sock, NULL);
++}
+ EXPORT_SYMBOL(sock_release);
+
+ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
+@@ -1171,7 +1183,7 @@ static int sock_mmap(struct file *file, struct vm_area_struct *vma)
+
+ static int sock_close(struct inode *inode, struct file *filp)
+ {
+- sock_release(SOCKET_I(inode));
++ __sock_release(SOCKET_I(inode), inode);
+ return 0;
+ }
+
+--
+2.17.1
+
diff --git a/kernel.spec b/kernel.spec
index 8f7ae872e..5a8623828 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -674,6 +674,9 @@ Patch515: kvm-x86-Check-CPL-in-segmented_write_std.patch # https://www.spinics.net/lists/platform-driver-x86/msg15719.html Patch516: platform-x86-dell-laptop-Fix-keyboard-backlight-time.patch
+# CVE-2018-12232 rhbz 1590215 1590216
+Patch517: 0001-socket-close-race-condition-between-sock_close-and-s.patch
+ # END OF PATCH DEFINITIONS %endif
@@ -1924,6 +1927,9 @@ fi # # %changelog
+* Tue Jun 12 2018 Justin M. Forbes
+- Fix CVE-2018-12232 (rhbz 1590215 1590216)
+ * Mon Jun 11 2018 Jeremy Cline - 4.16.15-300 - Fix for the keyboard backlight on Dell XPS 13 9370 - Linux v4.16.15 -- cgit From 481fd57c0077dc63d30b53dbad87e94c0683743f Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 12 Jun 2018 11:22:22 -0400 Subject: Fix a crash in ath10k when bandwidth changes (rhbz 1577106) --- ...e-the-phymode-along-with-bandwidth-change.patch | 76 ++++++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 83 insertions(+) create mode 100644 ath10k-Update-the-phymode-along-with-bandwidth-change.patch
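Review bot: The new `if (sock->sk)` test in sockfs_setattr() (first hunk of net/socket.c) is only race-free because the chown caller already holds the inode lock that __sock_release() now takes around `sock->ops->release(sock)`; nothing in the hunk records that pairing, so either side could be refactored away without a compiler or lockdep complaint. I would put `/* ->release() clears sock->sk; serialized by the inode lock, held by our caller and taken in __sock_release() */` above the check and, if this tree's notify_change() does not already assert that the inode is locked (I believe recent kernels do), `lockdep_assert_held(&d_inode(dentry)->i_rwsem);` — field name to be confirmed for this kernel version. Returning -ENOENT for a socket whose last fd was closed underneath the chown is defensible but unusual; a one-line comment saying so would spare the next reader a search. Note that sockfs_setattr() starts before the hunk, and the lock is taken only inside the `if (sock->ops)` branch, which is fine as long as every caller other than sock_close() keeps passing a NULL inode as the description says.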
diff --git a/ath10k-Update-the-phymode-along-with-bandwidth-change.patch b/ath10k-Update-the-phymode-along-with-bandwidth-change.patch
new file mode 100644
index 000000000..184c71272
--- /dev/null
+++ b/ath10k-Update-the-phymode-along-with-bandwidth-change.patch
@@ -0,0 +1,76 @@
+From 24b6fe7240e15b6df53b0ace61a70f58e09f6fc6 Mon Sep 17 00:00:00 2001
+From: Ryan Hsu
+Date: Fri, 8 Jun 2018 11:32:39 -0700
+Subject: [PATCH] ath10k: Update the phymode along with bandwidth change
+ request
+
+In the case of Station connects to AP with narrower bandwidth at beginning.
+And later the AP changes the bandwidth to winder bandwidth, the AP will
+beacon with wider bandwidth IE, eg VHT20->VHT40->VHT80 or VHT40->VHT80.
+
+Since the supported BANDWIDTH will be limited by the PHYMODE, so while
+Station receives the bandwidth change request, it will also need to
+reconfigure the PHYMODE setting to firmware instead of just configuring
+the BANDWIDTH info, otherwise it'll trigger a firmware crash with
+non-support bandwidth.
+
+The issue was observed in WLAN.RM.4.4.1-00051-QCARMSWP-1, QCA6174 with
+below scenario.
+
+Reported-by: Rouven Czerwinski
+Signed-off-by: Ryan Hsu
+Signed-off-by: Jeremy Cline
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 16 ++++++++++++++--
+ drivers/net/wireless/ath/ath10k/wmi.h | 1 +
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 2d7ef7460780..72d61ca3cb42 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5996,8 +5996,19 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk)
+ ath10k_mac_max_vht_nss(vht_mcs_mask)));
+
+ if (changed & IEEE80211_RC_BW_CHANGED) {
+- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM peer bw %d\n",
+- sta->addr, bw);
++ enum wmi_phy_mode mode;
++
++ mode = chan_to_phymode(&def);
++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM peer bw %d phymode %d\n",
++ sta->addr, bw, mode);
++
++ err = ath10k_wmi_peer_set_param(ar, arvif->vdev_id, sta->addr,
++ WMI_PEER_PHYMODE, mode);
++ if (err) {
++ ath10k_warn(ar, "failed to update STA %pM peer phymode %d: %d\n",
++ sta->addr, mode, err);
++ goto exit;
++ }
+
+ err =
ath10k_wmi_peer_set_param(ar, arvif->vdev_id, sta->addr,
+ WMI_PEER_CHAN_WIDTH, bw);
+@@ -6038,6 +6049,7 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk)
+ sta->addr);
+ }
+
++exit:
+ mutex_unlock(&ar->conf_mutex);
+ }
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index c7b30ed9015d..930a0e1b1163 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -6010,6 +6010,7 @@ enum wmi_peer_param {
+ WMI_PEER_NSS = 0x5,
+ WMI_PEER_USE_4ADDR = 0x6,
+ WMI_PEER_DEBUG = 0xa,
++ WMI_PEER_PHYMODE = 0xd,
+ WMI_PEER_DUMMY_VAR = 0xff, /* dummy parameter for STA PS workaround */
+ };
+
+--
+2.17.1
+
diff --git a/kernel.spec b/kernel.spec
index 5a8623828..0847fd49d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -677,6 +677,10 @@ Patch516: platform-x86-dell-laptop-Fix-keyboard-backlight-time.patch # CVE-2018-12232 rhbz 1590215 1590216 Patch517: 0001-socket-close-race-condition-between-sock_close-and-s.patch
+# rhbz 1577106
+# http://lists.infradead.org/pipermail/ath10k/2018-June/011582.html
+Patch518: ath10k-Update-the-phymode-along-with-bandwidth-change.patch
+ # END OF PATCH DEFINITIONS %endif
@@ -1927,6 +1931,9 @@ fi # # %changelog
+* Tue Jun 12 2018 Jeremy Cline
+- Fix a crash in ath10k when bandwidth changes (rhbz 1577106)
+ * Tue Jun 12 2018 Justin M. Forbes - Fix CVE-2018-12232 (rhbz 1590215 1590216) -- cgit From aeed1b0b0d58c7a1a35a1885592b87ff22d7d71d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 13 Jun 2018 09:38:05 -0400 Subject: Fix kexec_file_load pefile signature verification (rhbz 1470995) --- kernel.spec | 4 ++++ kexec-bzimage-verify-pe-signature-fix.patch | 34 +++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec
index 0847fd49d..69e8ac52b 100644
--- a/kernel.spec
+++ b/kernel.spec
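Review bot: The new `goto exit;` after a failed WMI_PEER_PHYMODE set (first mac.c hunk) jumps straight to `mutex_unlock(&ar->conf_mutex)`, which also skips whatever rate-control work sits between the two hunks (presumably the NSS/SMPS updates), whereas every other failure in this work item, including the WMI_PEER_CHAN_WIDTH call directly below, only warns and carries on. If the intent is merely not to push a width the firmware cannot accept under the old phymode, it is narrower to drop the `goto exit;` and guard only the width update with `if (!err)`, which also makes the new `exit:` label in the second hunk unnecessary. Whichever is chosen, a one-line comment on the ordering — `/* firmware must know the phymode before a width outside the old one is set */` — would explain why phymode goes first. ath10k_sta_rc_update_wk() begins before the first hunk, and `def` and `err` are set up there, so `chan_to_phymode(&def)` is only valid if `def` was already populated earlier in the function.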
@@ -644,6 +644,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995
+Patch503: kexec-bzimage-verify-pe-signature-fix.patch
+ # In v4.17 # rhbz 1549316 Patch504: ipmi-fixes.patch
@@ -1933,6 +1936,7 @@ fi %changelog * Tue Jun 12 2018 Jeremy Cline - Fix a crash in ath10k when bandwidth changes (rhbz 1577106)
+- Fix kexec_file_load pefile signature verification (rhbz 1470995)
 * Tue Jun 12 2018 Justin M. Forbes - Fix CVE-2018-12232 (rhbz 1590215 1590216)
diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch
new file mode 100644
index 000000000..6c8a51b95
--- /dev/null
+++ b/kexec-bzimage-verify-pe-signature-fix.patch
@@ -0,0 +1,34 @@
+From: Dave Young
+
+Fix kexec_file_load pefile signature verification
+
+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also
+need pass 1UL to verify_pefile_signature so that secondary keys can be used.
+
+Fedora bug
+https://bugzilla.redhat.com/show_bug.cgi?id=1470995
+
+Latest upstream effort is below:
+https://www.spinics.net/lists/kernel/msg2825184.html
+
+Ideally this need an upstream fix, but since nobody response we can workaround
+it like the module code did.
+
+Signed-off-by: Dave Young
+---
+ arch/x86/kernel/kexec-bzimage64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c
++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c
+@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+ {
+ return verify_pefile_signature(kernel, kernel_len,
+- NULL,
++ (void *)1UL,
+ VERIFYING_KEXEC_PE_SIGNATURE);
+ }
+ #endif
+--
+2.17.0
-- cgit
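Review bot: `(void *)1UL` passed as the trusted_keys argument in bzImage64_verify_sig() is a magic value whose meaning — "use the secondary trusted keyring rather than only the builtin one" — lives in verify_pkcs7_signature(), and the hunk leaves it uncommented, so a reader cannot tell it from a bogus pointer. At minimum add `/* 1UL: verify against the secondary trusted keyring; see verify_pkcs7_signature() */` above the call, or better a named constant shared with the module-signature workaround this patch says it mirrors, so the two stay in sync when an upstream name lands (I believe later kernels did add one). Security-wise this widens the trust anchors for kexec_file_load from builtin keys to anything admitted to the secondary keyring, which is the intended Secure Boot/MOK behaviour but should be stated in the patch header so it is not later mistaken for an accidental loosening; keys only reach that keyring if vouched for by an already-trusted key, assuming the default keyring restriction is in place. The behaviour when CONFIG_SECONDARY_TRUSTED_KEYRING is off should also be confirmed against this tree's verify_pkcs7_signature(), since the patch relies on that internal convention rather than a documented API.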