diff options
author | Alexandre Oliva <lxoliva@fsfla.org> | 2018-03-17 17:17:47 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2018-03-17 17:17:47 +0000 |
commit | 711b9dd010ee2136f7b526663b813fca120887b7 (patch) | |
tree | 9a8afca96a4ce6bf8f607d2cfeb2ea2a4a67caee | |
parent | a5953dc40195da8dbdc2d4699d9a7567e60aa03d (diff) | |
download | linux-libre-raptor-711b9dd010ee2136f7b526663b813fca120887b7.tar.gz linux-libre-raptor-711b9dd010ee2136f7b526663b813fca120887b7.zip |
4.15.10-200.fc26.gnu
9 files changed, 139 insertions, 213 deletions
diff --git a/freed-ora/current/f26/0001-netfilter-add-back-stackpointer-size-checks.patch b/freed-ora/current/f26/0001-netfilter-add-back-stackpointer-size-checks.patch deleted file mode 100644 index 1bf809aa1..000000000 --- a/freed-ora/current/f26/0001-netfilter-add-back-stackpointer-size-checks.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001 -From: Florian Westphal <fw@strlen.de> -Date: Wed, 7 Feb 2018 13:46:25 +0100 -Subject: [PATCH] netfilter: add back stackpointer size checks - -The rationale for removing the check is only correct for rulesets -generated by ip(6)tables. - -In iptables, a jump can only occur to a user-defined chain, i.e. -because we size the stack based on number of user-defined chains we -cannot exceed stack size. - -However, the underlying binary format has no such restriction, -and the validation step only ensures that the jump target is a -valid rule start point. - -IOW, its possible to build a rule blob that has no user-defined -chains but does contain a jump. - -If this happens, no jump stack gets allocated and crash occurs -because no jumpstack was allocated. - -Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset") -Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com -Signed-off-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - net/ipv4/netfilter/arp_tables.c | 4 ++++ - net/ipv4/netfilter/ip_tables.c | 7 ++++++- - net/ipv6/netfilter/ip6_tables.c | 4 ++++ - 3 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index 4ffe302f9b82..e3e420f3ba7b 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb, - } - if (table_base + v - != arpt_next_entry(e)) { -+ if (unlikely(stackidx >= private->stacksize)) { -+ verdict = NF_DROP; -+ break; -+ } - jumpstack[stackidx++] = e; - } - -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index 9a71f3149507..e38395a8dcf2 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb, - continue; - } - if (table_base + v != ipt_next_entry(e) && -- !(e->ip.flags & IPT_F_GOTO)) -+ !(e->ip.flags & IPT_F_GOTO)) { -+ if (unlikely(stackidx >= private->stacksize)) { -+ verdict = NF_DROP; -+ break; -+ } - jumpstack[stackidx++] = e; -+ } - - e = get_entry(table_base, v); - continue; -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index af4c917e0836..62358b93bbac 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb, - } - if (table_base + v != ip6t_next_entry(e) && - !(e->ipv6.flags & IP6T_F_GOTO)) { -+ if (unlikely(stackidx >= private->stacksize)) { -+ verdict = NF_DROP; -+ break; -+ } - jumpstack[stackidx++] = e; - } - --- -2.14.3 - diff --git a/freed-ora/current/f26/0001-x86-MCE-Serialize-sysfs-changes.patch b/freed-ora/current/f26/0001-x86-MCE-Serialize-sysfs-changes.patch deleted file mode 100644 index 84c7b7fd3..000000000 --- a/freed-ora/current/f26/0001-x86-MCE-Serialize-sysfs-changes.patch +++ /dev/null @@ -1,114 +0,0 @@ -From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001 -From: Seunghun Han <kkamagui@gmail.com> -Date: Tue, 6 Mar 2018 15:21:43 +0100 -Subject: [PATCH] x86/MCE: Serialize sysfs changes - -The check_interval file in - - /sys/devices/system/machinecheck/machinecheck<cpu number> - -directory is a global timer value for MCE polling. If it is changed by one -CPU, mce_restart() broadcasts the event to other CPUs to delete and restart -the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the -mce_timer variable. - -If more than one CPU writes a specific value to the check_interval file -concurrently, mce_timer is not protected from such concurrent accesses and -all kinds of explosions happen. Since only root can write to those sysfs -variables, the issue is not a big deal security-wise. - -However, concurrent writes to these configuration variables is void of -reason so the proper thing to do is to serialize the access with a mutex. - -Boris: - - - Make store_int_with_restart() use device_store_ulong() to filter out - negative intervals - - Limit min interval to 1 second - - Correct locking - - Massage commit message - -Signed-off-by: Seunghun Han <kkamagui@gmail.com> -Signed-off-by: Borislav Petkov <bp@suse.de> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Cc: Tony Luck <tony.luck@intel.com> -Cc: linux-edac <linux-edac@vger.kernel.org> -Cc: stable@vger.kernel.org -Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com ---- - arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c -index b3323cab9139..466f47301334 100644 ---- a/arch/x86/kernel/cpu/mcheck/mce.c -+++ b/arch/x86/kernel/cpu/mcheck/mce.c -@@ -56,6 +56,9 @@ - - static DEFINE_MUTEX(mce_log_mutex); - -+/* sysfs synchronization */ -+static DEFINE_MUTEX(mce_sysfs_mutex); -+ - #define CREATE_TRACE_POINTS - #include <trace/events/mce.h> - -@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s, - if (kstrtou64(buf, 0, &new) < 0) - return -EINVAL; - -+ mutex_lock(&mce_sysfs_mutex); - if (mca_cfg.ignore_ce ^ !!new) { - if (new) { - /* disable ce features */ -@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s, - on_each_cpu(mce_enable_ce, (void *)1, 1); - } - } -+ mutex_unlock(&mce_sysfs_mutex); -+ - return size; - } - -@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s, - if (kstrtou64(buf, 0, &new) < 0) - return -EINVAL; - -+ mutex_lock(&mce_sysfs_mutex); - if (mca_cfg.cmci_disabled ^ !!new) { - if (new) { - /* disable cmci */ -@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s, - on_each_cpu(mce_enable_ce, NULL, 1); - } - } -+ mutex_unlock(&mce_sysfs_mutex); -+ - return size; - } - -@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s, - struct device_attribute *attr, - const char *buf, size_t size) - { -- ssize_t ret = device_store_int(s, attr, buf, size); -+ unsigned long old_check_interval = check_interval; -+ ssize_t ret = device_store_ulong(s, attr, buf, size); -+ -+ if (check_interval == old_check_interval) -+ return ret; -+ -+ if (check_interval < 1) -+ check_interval = 1; -+ -+ mutex_lock(&mce_sysfs_mutex); - mce_restart(); -+ mutex_unlock(&mce_sysfs_mutex); -+ - return ret; - } - --- -2.14.3 - diff --git a/freed-ora/current/f26/drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch b/freed-ora/current/f26/drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch new file mode 100644 index 000000000..b1c434074 --- /dev/null +++ b/freed-ora/current/f26/drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch @@ -0,0 +1,65 @@ +From ddc1b88d9947a548cc9a41b421df2941483b1e04 Mon Sep 17 00:00:00 2001 +From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com> +Date: Tue, 13 Mar 2018 22:48:25 -0700 +Subject: [PATCH] drm/i915/dp: Write to SET_POWER dpcd to enable MST hub. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If bios sets up an MST output and hardware state readout code sees this is +an SST configuration, when disabling the encoder we end up calling +->post_disable_dp() hook instead of the MST version. Consequently, we write +to the DP_SET_POWER dpcd to set it D3 state. Further along when we try +enable the encoder in MST mode, POWER_UP_PHY transaction fails to power up +the MST hub. This results in continuous link training failures which keep +the system busy delaying boot. We could identify bios MST boot discrepancy +and handle it accordingly but a simple way to solve this is to write to the +DP_SET_POWER dpcd for MST too. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105470 +Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> +Cc: Jani Nikula <jani.nikula@intel.com> +Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com> +Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com> +--- + drivers/gpu/drm/i915/intel_ddi.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c +index 58a3755544b2..38e53d6b8127 100644 +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -2208,8 +2208,7 @@ static void intel_ddi_pre_enable_dp(struct intel_encoder *encoder, + intel_prepare_dp_ddi_buffers(encoder); + + intel_ddi_init_dp_buf_reg(encoder); +- if (!is_mst) +- intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON); ++ intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON); + intel_dp_start_link_train(intel_dp); + if (port != PORT_A || INTEL_GEN(dev_priv) >= 9) + intel_dp_stop_link_train(intel_dp); +@@ -2294,19 +2293,12 @@ static void intel_ddi_post_disable_dp(struct intel_encoder *encoder, + struct drm_i915_private *dev_priv = to_i915(encoder->base.dev); + struct intel_digital_port *dig_port = enc_to_dig_port(&encoder->base); + struct intel_dp *intel_dp = &dig_port->dp; +- /* +- * old_crtc_state and old_conn_state are NULL when called from +- * DP_MST. The main connector associated with this port is never +- * bound to a crtc for MST. +- */ +- bool is_mst = !old_crtc_state; + + /* + * Power down sink before disabling the port, otherwise we end + * up getting interrupts from the sink on detecting link loss. + */ +- if (!is_mst) +- intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF); ++ intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF); + + intel_disable_ddi_buf(encoder); + +-- +2.14.3 + diff --git a/freed-ora/current/f26/kernel.spec b/freed-ora/current/f26/kernel.spec index 39e2f82a3..dc9f417ca 100644 --- a/freed-ora/current/f26/kernel.spec +++ b/freed-ora/current/f26/kernel.spec @@ -92,7 +92,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -675,21 +675,21 @@ Patch652: iwlwifi-mvn.patch # CVE-2018-1000026 rhbz 1541846 1546744 Patch653: CVE-2018-1000026.patch -# CVE-2018-1065 rhbz 1547824 1547831 -Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch - # rhbz 1549316 Patch657: ipmi-fixes.patch # CVE-2018-7757 rhbz 1553361 1553363 Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch -# CVE-2018-7995 rhbz 1553911 1553918 -Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch - # CVE-2018-8043 rhbz 1554199 1554200 Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch +# rhbz 1549042 +Patch661: drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch + +# rhbz 1546709 +Patch662: mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch + # END OF PATCH DEFINITIONS %endif @@ -2049,6 +2049,14 @@ fi # # %changelog +* Fri Mar 16 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 4.15.10-gnu. + +* Thu Mar 15 2018 Laura Abbott <labbott@redhat.com> - 4.15.10-200 +- Linux v4.15.10 +- Fix for dock booting (rhbz 1549042) +- Fix THP bug (rhbz 1546709) + * Tue Mar 13 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre - GNU Linux-libre 4.15.9-gnu. diff --git a/freed-ora/current/f26/mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch b/freed-ora/current/f26/mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch new file mode 100644 index 000000000..c5d3a0c0c --- /dev/null +++ b/freed-ora/current/f26/mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch @@ -0,0 +1,51 @@ +From patchwork Thu Mar 15 15:23:53 2018 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: mm/khugepaged: Convert VM_BUG_ON() to collapse fail +From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> +X-Patchwork-Id: 10284785 +Message-Id: <20180315152353.27989-1-kirill.shutemov@linux.intel.com> +To: Andrew Morton <akpm@linux-foundation.org> +Cc: Laura Abbott <labbott@redhat.com>, linux-mm@kvack.org, + linux-kernel@vger.kernel.org, + "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> +Date: Thu, 15 Mar 2018 18:23:53 +0300 + +khugepaged is not yet able to convert PTE-mapped huge pages back to PMD +mapped. We do not collapse such pages. See check khugepaged_scan_pmd(). + +But if between khugepaged_scan_pmd() and __collapse_huge_page_isolate() +somebody managed to instantiate THP in the range and then split the PMD +back to PTEs we would have a problem -- VM_BUG_ON_PAGE(PageCompound(page)) +will get triggered. + +It's possible since we drop mmap_sem during collapse to re-take for +write. + +Replace the VM_BUG_ON() with graceful collapse fail. + +Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> +Fixes: b1caa957ae6d ("khugepaged: ignore pmd tables with THP mapped with ptes") +--- + mm/khugepaged.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index b7e2268dfc9a..c15da1ea7e63 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -530,7 +530,12 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma, + goto out; + } + +- VM_BUG_ON_PAGE(PageCompound(page), page); ++ /* TODO: teach khugepaged to collapse THP mapped with pte */ ++ if (PageCompound(page)) { ++ result = SCAN_PAGE_COMPOUND; ++ goto out; ++ } ++ + VM_BUG_ON_PAGE(!PageAnon(page), page); + + /* diff --git a/freed-ora/current/f26/patch-4.15-gnu-4.15.10-gnu.xz.sign b/freed-ora/current/f26/patch-4.15-gnu-4.15.10-gnu.xz.sign new file mode 100644 index 000000000..28b645705 --- /dev/null +++ b/freed-ora/current/f26/patch-4.15-gnu-4.15.10-gnu.xz.sign @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWqqxOwAKCRC8t8+Hfn1H +p14UAJ9OvDflFLnJDrIpNsPJPmJc3+3nQACfdiQdaWso1WsJzezedK5MxdO1rgk= +=FYhq +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f26/patch-4.15-gnu-4.15.9-gnu.xz.sign b/freed-ora/current/f26/patch-4.15-gnu-4.15.9-gnu.xz.sign deleted file mode 100644 index 5f9ba76fe..000000000 --- a/freed-ora/current/f26/patch-4.15-gnu-4.15.9-gnu.xz.sign +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWqWujAAKCRC8t8+Hfn1H -p12iAJ9Jm+ekfjnw8h5FUlk1Bey9ni20OACgrOZ1QWFlffYD1C7iSeRYnVpQqlQ= -=nUnX ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f26/sources b/freed-ora/current/f26/sources index b7006188b..d418e404a 100644 --- a/freed-ora/current/f26/sources +++ b/freed-ora/current/f26/sources @@ -1,2 +1,2 @@ SHA512 (linux-libre-4.15-gnu.tar.xz) = a55cc663c6fb1e1cfa7905282b368b5d5888bc2398f0acf37e5bb9a232ded04fd566b1980e654da26aaec005332e458581495184d6bd4cec669181085d4d78a5 -SHA512 (patch-4.15-gnu-4.15.9-gnu.xz) = 5b2ad5af70d432cf79eb11729ae39ed53e0b5b2a76688c35655c78538c1d0aa3852ad2c3244c2e0a4207d678919d806fa1903efdad6690e9679c9208d973bb73 +SHA512 (patch-4.15-gnu-4.15.10-gnu.xz) = 74d7cb1a74a4020e71646da8853287b062562c8a8c965a6e4b4e6a8c5a5c43711c6a74359634cf119821f4f6caef4caf8e1647ff82cce3eb4b189d918956ff68 diff --git a/freed-ora/current/f26/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch b/freed-ora/current/f26/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch index 7e22e3669..a37b15ec7 100644 --- a/freed-ora/current/f26/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch +++ b/freed-ora/current/f26/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch @@ -25,5 +25,5 @@ index ee5466a374bf..b3c683a84d3f 100644 "LEN004a", /* W541 */ + "LEN0073", /* X1 Carbon 5 */ "LEN200f", /* T450s */ - "LEN2018", /* T460p */ NULL + }; |