4.14.7-200.fc26.gnu

7 files changed, 99 insertions, 89 deletions

diff --git a/freed-ora/current/f26/allwinner-net-emac.patch b/freed-ora/current/f26/allwinner-net-emac.patch
index bad1e4490..c9c7cd0ec 100644
--- a/freed-ora/current/f26/allwinner-net-emac.patch
+++ b/freed-ora/current/f26/allwinner-net-emac.patch
@@ -1932,43 +1932,3 @@ index e5ff734..9eb7f65 100644
 -- 
 cgit v1.1
 
-From 45ab4b13e46325d00f4acdb365d406e941a15f81 Mon Sep 17 00:00:00 2001
-From: Lars Persson <lars.persson@axis.com>
-Date: Fri, 1 Dec 2017 11:12:44 +0100
-Subject: stmmac: reset last TSO segment size after device open
-
-The mss variable tracks the last max segment size sent to the TSO
-engine. We do not update the hardware as long as we receive skb:s with
-the same value in gso_size.
-
-During a network device down/up cycle (mapped to stmmac_release() and
-stmmac_open() callbacks) we issue a reset to the hardware and it
-forgets the setting for mss. However we did not zero out our mss
-variable so the next transmission of a gso packet happens with an
-undefined hardware setting.
-
-This triggers a hang in the TSO engine and eventuelly the netdev
-watchdog will bark.
-
-Fixes: f748be531d70 ("stmmac: support new GMAC4")
-Signed-off-by: Lars Persson <larper@axis.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-index f63c2dd..d725053 100644
---- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-@@ -2588,6 +2588,7 @@ static int stmmac_open(struct net_device *dev)
- 
- 	priv->dma_buf_sz = STMMAC_ALIGN(buf_sz);
- 	priv->rx_copybreak = STMMAC_RX_COPYBREAK;
-+	priv->mss = 0;
- 
- 	ret = alloc_dma_desc_resources(priv);
- 	if (ret < 0) {
--- 
-cgit v1.1
-
diff --git a/freed-ora/current/f26/arm64-thunderX-fix-ipv6-checksum-offload.patch b/freed-ora/current/f26/arm64-thunderX-fix-ipv6-checksum-offload.patch
deleted file mode 100644
index 221189997..000000000
--- a/freed-ora/current/f26/arm64-thunderX-fix-ipv6-checksum-offload.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From fa6d7cb5d76cf0467c61420fc9238045aedfd379 Mon Sep 17 00:00:00 2001
-From: Sunil Goutham <sgoutham@cavium.com>
-Date: Thu, 23 Nov 2017 22:34:31 +0300
-Subject: net: thunderx: Fix TCP/UDP checksum offload for IPv6 pkts
-
-Don't offload IP header checksum to NIC.
-
-This fixes a previous patch which enabled checksum offloading
-for both IPv4 and IPv6 packets.  So L3 checksum offload was
-getting enabled for IPv6 pkts.  And HW is dropping these pkts
-as it assumes the pkt is IPv4 when IP csum offload is set
-in the SQ descriptor.
-
-Fixes:  3a9024f52c2e ("net: thunderx: Enable TSO and checksum offloads for ipv6")
-Signed-off-by: Sunil Goutham <sgoutham@cavium.com>
-Signed-off-by: Aleksey Makarov <aleksey.makarov@auriga.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 1 -
- 1 file changed, 1 deletion(-)
-
-(limited to 'drivers/net/ethernet/cavium/thunder/nicvf_queues.c')
-
-diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
-index d4496e9..8b2c31e 100644
---- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
-+++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
-@@ -1355,7 +1355,6 @@ nicvf_sq_add_hdr_subdesc(struct nicvf *nic, struct snd_queue *sq, int qentry,
- 
- 	/* Offload checksum calculation to HW */
- 	if (skb->ip_summed == CHECKSUM_PARTIAL) {
--		hdr->csum_l3 = 1; /* Enable IP csum calculation */
- 		hdr->l3_offset = skb_network_offset(skb);
- 		hdr->l4_offset = skb_transport_offset(skb);
- 
--- 
-cgit v1.1
-
diff --git a/freed-ora/current/f26/kernel.spec b/freed-ora/current/f26/kernel.spec
index e8e04884b..659df1ba1 100644
--- a/freed-ora/current/f26/kernel.spec
+++ b/freed-ora/current/f26/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -654,8 +654,6 @@ Patch332: arm64-socionext-96b-enablement.patch
 
 Patch335: arm-exynos-fix-usb3.patch
 
-Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch
-
 # 400 - IBM (ppc/s390x) patches
 
 # 500 - Temp fixes/CVEs etc
@@ -706,6 +704,9 @@ Patch627: qxl-fixes.patch
 # rhbz 1462175
 Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
 
+# CVE-2017-17712 rhbz 1526427 1526933 
+Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2349,6 +2350,13 @@ fi
 #
 #
 %changelog
+* Mon Dec 18 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.14.7-gnu.
+
+* Mon Dec 18 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.7-200
+- Linux v4.14.7
+- Fix CVE-2017-17712 (rhbz 1526427 1526933)
+
 * Thu Dec 14 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.14.6-gnu.
 
diff --git a/freed-ora/current/f26/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/freed-ora/current/f26/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 000000000..41ad4af16
--- /dev/null
+++ b/freed-ora/current/f26/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,81 @@
+From patchwork Sun Dec 10 03:50:58 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: net: ipv4: fix for a race condition in raw_sendmsg
+X-Patchwork-Submitter: simo.ghannam@gmail.com
+X-Patchwork-Id: 846641
+X-Patchwork-Delegate: davem@davemloft.net
+Message-Id: <5a2caf2e.4ce61c0a.5017a.575f@mx.google.com>
+To: netdev@vger.kernel.org
+Cc: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+From: simo.ghannam@gmail.com
+List-Id: <netdev.vger.kernel.org>
+
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 33b70bfd1122..125c1eab3eaa 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 	int err;
+ 	struct ip_options_data opt_copy;
+ 	struct raw_frag_vec rfv;
++	int hdrincl;
+ 
+ 	err = -EMSGSIZE;
+ 	if (len > 0xFFFF)
+ 		goto out;
+ 
++	/* hdrincl should be READ_ONCE(inet->hdrincl)
++	 * but READ_ONCE() doesn't work with bit fields
++	 */
++	hdrincl = inet->hdrincl;
+ 	/*
+ 	 *	Check the flags.
+ 	 */
+@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 		/* Linux does not mangle headers on raw sockets,
+ 		 * so that IP options + IP_HDRINCL is non-sense.
+ 		 */
+-		if (inet->hdrincl)
++		if (hdrincl)
+ 			goto done;
+ 		if (ipc.opt->opt.srr) {
+ 			if (!daddr)
+@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 
+ 	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+ 			   RT_SCOPE_UNIVERSE,
+-			   inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++			   hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ 			   inet_sk_flowi_flags(sk) |
+-			    (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++			    (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ 			   daddr, saddr, 0, 0, sk->sk_uid);
+ 
+-	if (!inet->hdrincl) {
++	if (!hdrincl) {
+ 		rfv.msg = msg;
+ 		rfv.hlen = 0;
+ 
+@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 		goto do_confirm;
+ back_from_confirm:
+ 
+-	if (inet->hdrincl)
++	if (hdrincl)
+ 		err = raw_send_hdrinc(sk, &fl4, msg, len,
+ 				      &rt, msg->msg_flags, &ipc.sockc);
+ 
diff --git a/freed-ora/current/f26/patch-4.14-gnu-4.14.6-gnu.xz.sign b/freed-ora/current/f26/patch-4.14-gnu-4.14.6-gnu.xz.sign
deleted file mode 100644
index bfb9aeb82..000000000
--- a/freed-ora/current/f26/patch-4.14-gnu-4.14.6-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWjLLkAAKCRC8t8+Hfn1H
-p9puAKCMEyft0oBT/Znro2qBdLFXg/yDIACgiRBoUECbjRjjrrL7gFTcFkPSPFw=
-=1Cmj
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f26/patch-4.14-gnu-4.14.7-gnu.xz.sign b/freed-ora/current/f26/patch-4.14-gnu-4.14.7-gnu.xz.sign
new file mode 100644
index 000000000..3e3152beb
--- /dev/null
+++ b/freed-ora/current/f26/patch-4.14-gnu-4.14.7-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWja8ZAAKCRC8t8+Hfn1H
+p4A5AJ9raaSBcexl6qbvHKKPisWMTc4SugCeM1JmdNIyDqFQOGB/Smp5bCiumos=
+=9ARk
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f26/sources b/freed-ora/current/f26/sources
index c91cdfdfb..d96f8c143 100644
--- a/freed-ora/current/f26/sources
+++ b/freed-ora/current/f26/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.14-gnu.tar.xz) = 0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e684147ebed91d1528d2685423dd784c5fca0f3650f874f2b93cfc6b7689b9a87f
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14-gnu-4.14.6-gnu.xz) = 8a4dfb2433faf9f0e9ca26825f3e198dd8c75d5a343e9145c0f655336333c838b1534efc4a54697d40e29cbf8c61ca2affa042bd5a35ba38df19cbb0f4ec4f44
+SHA512 (patch-4.14-gnu-4.14.7-gnu.xz) = 5c62bbc5d3bc5aa67eed8c4952e86263cc86bd9406cfe30a87ee4ff891b8aeb23e78df82d7cfefcdbedce17520b7fe3d515d930905ee2ceaf6c7462399670fb7