Linux v4.14.16

2018-01-31 09:15:25 -06:00 · 2018-01-31 09:15:25 -06:00 · 4731c682ce
parent 078f4c3ff6
commit 4731c682ce
23 changed files with 24 additions and 201 deletions
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@ -592,6 +592,7 @@ CONFIG_BONDING=m
 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@ -592,6 +592,7 @@ CONFIG_BONDING=m
 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@ -634,6 +634,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@ -610,6 +610,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@ -609,6 +609,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@ -633,6 +633,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-i686-PAE.config
+++ b/kernel-i686-PAE.config
@ -502,6 +502,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@ -503,6 +503,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@ -503,6 +503,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-i686.config
+++ b/kernel-i686.config
@ -502,6 +502,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-ppc64-debug.config
+++ b/kernel-ppc64-debug.config
@ -488,6 +488,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-ppc64.config
+++ b/kernel-ppc64.config
@ -487,6 +487,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@ -444,6 +444,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@ -443,6 +443,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@ -444,6 +444,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@ -443,6 +443,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@ -515,6 +515,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@ -514,6 +514,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
--- a/kernel.spec
+++ b/kernel.spec
@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 301
+%global baserelease 300
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 15
+%define stable_update 16
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@ -632,20 +632,11 @@ Patch335: arm-exynos-fix-usb3.patch
 # rbhz 1519591 1520764
 Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

-# CVE-2017-17450
-# rhbz 1525761 1525764
-Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
-
-# CVE-2017-17448
-# rhbz 1525768 1525769
-Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
-
 # CVE-2018-5344 rhbz 1533909 1533911
 Patch507: loop-fix-concurrent-lo_open-lo_release.patch

 # 550-600 Meltdown and Spectre Fixes
 Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
-Patch551: revert-module-add-retpoline-tag-to-vermagic.patch

 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
@ -2243,6 +2234,9 @@ fi
 #
 #
 %changelog
+* Wed Jan 31 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.16-300
+- Linux v4.14.16
+
 * Mon Jan 29 2018 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix CVE-2018-5750 (rhbz 1539706 1539708)
 - Fix softlockup (rhbz 1492664 1492665)
--- a/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
+++ b/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
@ -1,78 +0,0 @@
-From 56ae5f7c9230c0aa474eef638cf9bf8ae6a79ab1 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission
- checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    $ nfct helper list
-    nfct v1.4.4: netlink error: Operation not permitted
-    $ vpnns -- nfct helper list
-    {
-            .name = ftp,
-            .queuenum = 0,
-            .l3protonum = 2,
-            .l4protonum = 6,
-            .priv_data_len = 24,
-            .status = enabled,
-    };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
---
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
-index 41628b393673..d33ce6d5ebce 100644
--- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include <linux/types.h>
- #include <linux/list.h>
- #include <linux/errno.h>
-+#include <linux/capability.h>
- #include <net/netlink.h>
- #include <net/sock.h>
- 
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
- 	struct nfnl_cthelper *nlcth;
- 	int ret = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- 		return -EINVAL;
- 
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
- 	struct nfnl_cthelper *nlcth;
- 	bool tuple_set = false;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
- 		struct netlink_dump_control c = {
- 			.dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
- 	struct nfnl_cthelper *nlcth, *n;
- 	int j = 0, ret;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (tb[NFCTH_NAME])
- 		helper_name = nla_data(tb[NFCTH_NAME]);
- 
-- 
-2.14.3
-
--- a/netfilter-xt_osf-Add-missing-permission-checks.patch
+++ b/netfilter-xt_osf-Add-missing-permission-checks.patch
@ -1,59 +0,0 @@
-From 2af0d441c8b1151a5d8bb46ec9c58ab575fe7d6f Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-    vpnns -- nfnl_osf -f /tmp/pf.os
-
-    vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list.  Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
---
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
-index 36e14b1f061d..a34f314a8c23 100644
--- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
- 
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
- 	struct xt_osf_finger *kf = NULL, *sf;
- 	int err = 0;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
- 	struct xt_osf_finger *sf;
- 	int err = -ENOENT;
- 
-+	if (!capable(CAP_NET_ADMIN))
-+		return -EPERM;
-+
- 	if (!osf_attrs[OSF_ATTR_FINGER])
- 		return -EINVAL;
- 
-- 
-2.14.3
-
--- a/revert-module-add-retpoline-tag-to-vermagic.patch
+++ b/revert-module-add-retpoline-tag-to-vermagic.patch
@ -1,52 +0,0 @@
-From 5132ede0fe8092b043dae09a7cc32b8ae7272baa Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Wed, 24 Jan 2018 15:28:17 +0100
-Subject: Revert "module: Add retpoline tag to VERMAGIC"
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-commit 5132ede0fe8092b043dae09a7cc32b8ae7272baa upstream.
-
-This reverts commit 6cfb521ac0d5b97470883ff9b7facae264b7ab12.
-
-Turns out distros do not want to make retpoline as part of their "ABI",
-so this patch should not have been merged.  Sorry Andi, this was my
-fault, I suggested it when your original patch was the "correct" way of
-doing this instead.
-
-Reported-by: Jiri Kosina <jikos@kernel.org>
-Fixes: 6cfb521ac0d5 ("module: Add retpoline tag to VERMAGIC")
-Acked-by: Andi Kleen <ak@linux.intel.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: rusty@rustcorp.com.au
-Cc: arjan.van.de.ven@intel.com
-Cc: jeyu@kernel.org
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
- include/linux/vermagic.h |    8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
--- a/include/linux/vermagic.h
-+++ b/include/linux/vermagic.h
-@@ -31,17 +31,11 @@
- #else
- #define MODULE_RANDSTRUCT_PLUGIN
- #endif
-#ifdef RETPOLINE
-#define MODULE_VERMAGIC_RETPOLINE "retpoline "
-#else
-#define MODULE_VERMAGIC_RETPOLINE ""
-#endif
- 
- #define VERMAGIC_STRING 						\
- 	UTS_RELEASE " "							\
- 	MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT 			\
- 	MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS	\
- 	MODULE_ARCH_VERMAGIC						\
-	MODULE_RANDSTRUCT_PLUGIN					\
-	MODULE_VERMAGIC_RETPOLINE
-+	MODULE_RANDSTRUCT_PLUGIN
- 
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14.15.xz) = faf165072fcff9f6f8cec76f0c35cf422afc453dfa2fc9ab5bc918eb177ebefd1e305f2c994a90c9dff073151762d79359789d118307ba15f53a020426c291a8
+SHA512 (patch-4.14.16.xz) = 7ba492011915a356ea696a6ae2269ff85725f726f6dd382973ceb417ac3289c7b4384bdffbde8ddea04b386126e07a3ea3aacf18253db4fcbc461e7c7e75d371