Linux v4.15.10

Fix for dock booting (rhbz 1549042)
Fix THP bug (rhbz 1546709)

0001-netfilter-add-back-stackpointer-size-checks.patch

@@ -1,84 +0,0 @@
-From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001
-From: Florian Westphal <fw@strlen.de>
-Date: Wed, 7 Feb 2018 13:46:25 +0100
-Subject: [PATCH] netfilter: add back stackpointer size checks
-
-The rationale for removing the check is only correct for rulesets
-generated by ip(6)tables.
-
-In iptables, a jump can only occur to a user-defined chain, i.e.
-because we size the stack based on number of user-defined chains we
-cannot exceed stack size.
-
-However, the underlying binary format has no such restriction,
-and the validation step only ensures that the jump target is a
-valid rule start point.
-
-IOW, its possible to build a rule blob that has no user-defined
-chains but does contain a jump.
-
-If this happens, no jump stack gets allocated and crash occurs
-because no jumpstack was allocated.
-
-Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
-Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/ipv4/netfilter/arp_tables.c | 4 ++++
- net/ipv4/netfilter/ip_tables.c  | 7 ++++++-
- net/ipv6/netfilter/ip6_tables.c | 4 ++++
- 3 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
-index 4ffe302f9b82..e3e420f3ba7b 100644
---- a/net/ipv4/netfilter/arp_tables.c
-+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
- 			}
- 			if (table_base + v
- 			    != arpt_next_entry(e)) {
-+				if (unlikely(stackidx >= private->stacksize)) {
-+					verdict = NF_DROP;
-+					break;
-+				}
- 				jumpstack[stackidx++] = e;
- 			}
-
-diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
-index 9a71f3149507..e38395a8dcf2 100644
---- a/net/ipv4/netfilter/ip_tables.c
-+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
- 				continue;
- 			}
- 			if (table_base + v != ipt_next_entry(e) &&
--			    !(e->ip.flags & IPT_F_GOTO))
-+			    !(e->ip.flags & IPT_F_GOTO)) {
-+				if (unlikely(stackidx >= private->stacksize)) {
-+					verdict = NF_DROP;
-+					break;
-+				}
- 				jumpstack[stackidx++] = e;
-+			}
-
- 			e = get_entry(table_base, v);
- 			continue;
-diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index af4c917e0836..62358b93bbac 100644
---- a/net/ipv6/netfilter/ip6_tables.c
-+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
- 			}
- 			if (table_base + v != ip6t_next_entry(e) &&
- 			    !(e->ipv6.flags & IP6T_F_GOTO)) {
-+				if (unlikely(stackidx >= private->stacksize)) {
-+					verdict = NF_DROP;
-+					break;
-+				}
- 				jumpstack[stackidx++] = e;
- 			}
-
--- 
-2.14.3
-

0001-x86-MCE-Serialize-sysfs-changes.patch

@@ -1,114 +0,0 @@
-From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
-From: Seunghun Han <kkamagui@gmail.com>
-Date: Tue, 6 Mar 2018 15:21:43 +0100
-Subject: [PATCH] x86/MCE: Serialize sysfs changes
-
-The check_interval file in
-
-  /sys/devices/system/machinecheck/machinecheck<cpu number>
-
-directory is a global timer value for MCE polling. If it is changed by one
-CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
-the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
-mce_timer variable.
-
-If more than one CPU writes a specific value to the check_interval file
-concurrently, mce_timer is not protected from such concurrent accesses and
-all kinds of explosions happen. Since only root can write to those sysfs
-variables, the issue is not a big deal security-wise.
-
-However, concurrent writes to these configuration variables is void of
-reason so the proper thing to do is to serialize the access with a mutex.
-
-Boris:
-
- - Make store_int_with_restart() use device_store_ulong() to filter out
-   negative intervals
- - Limit min interval to 1 second
- - Correct locking
- - Massage commit message
-
-Signed-off-by: Seunghun Han <kkamagui@gmail.com>
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: Tony Luck <tony.luck@intel.com>
-Cc: linux-edac <linux-edac@vger.kernel.org>
-Cc: stable@vger.kernel.org
-Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
----
- arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index b3323cab9139..466f47301334 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -56,6 +56,9 @@
-
- static DEFINE_MUTEX(mce_log_mutex);
-
-+/* sysfs synchronization */
-+static DEFINE_MUTEX(mce_sysfs_mutex);
-+
- #define CREATE_TRACE_POINTS
- #include <trace/events/mce.h>
-
-@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s,
- 	if (kstrtou64(buf, 0, &new) < 0)
- 		return -EINVAL;
-
-+	mutex_lock(&mce_sysfs_mutex);
- 	if (mca_cfg.ignore_ce ^ !!new) {
- 		if (new) {
- 			/* disable ce features */
-@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s,
- 			on_each_cpu(mce_enable_ce, (void *)1, 1);
- 		}
- 	}
-+	mutex_unlock(&mce_sysfs_mutex);
-+
- 	return size;
- }
-
-@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s,
- 	if (kstrtou64(buf, 0, &new) < 0)
- 		return -EINVAL;
-
-+	mutex_lock(&mce_sysfs_mutex);
- 	if (mca_cfg.cmci_disabled ^ !!new) {
- 		if (new) {
- 			/* disable cmci */
-@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s,
- 			on_each_cpu(mce_enable_ce, NULL, 1);
- 		}
- 	}
-+	mutex_unlock(&mce_sysfs_mutex);
-+
- 	return size;
- }
-
-@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s,
- 				      struct device_attribute *attr,
- 				      const char *buf, size_t size)
- {
--	ssize_t ret = device_store_int(s, attr, buf, size);
-+	unsigned long old_check_interval = check_interval;
-+	ssize_t ret = device_store_ulong(s, attr, buf, size);
-+
-+	if (check_interval == old_check_interval)
-+		return ret;
-+
-+	if (check_interval < 1)
-+		check_interval = 1;
-+
-+	mutex_lock(&mce_sysfs_mutex);
- 	mce_restart();
-+	mutex_unlock(&mce_sysfs_mutex);
-+
- 	return ret;
- }
-
--- 
-2.14.3
-

drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch

@@ -0,0 +1,65 @@
+From ddc1b88d9947a548cc9a41b421df2941483b1e04 Mon Sep 17 00:00:00 2001
+From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Date: Tue, 13 Mar 2018 22:48:25 -0700
+Subject: [PATCH] drm/i915/dp: Write to SET_POWER dpcd to enable MST hub.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If bios sets up an MST output and hardware state readout code sees this is
+an SST configuration, when disabling the encoder we end up calling
+->post_disable_dp() hook instead of the MST version. Consequently, we write
+to the DP_SET_POWER dpcd to set it D3 state. Further along when we try
+enable the encoder in MST mode, POWER_UP_PHY transaction fails to power up
+the MST hub. This results in continuous link training failures which keep
+the system busy delaying boot. We could identify bios MST boot discrepancy
+and handle it accordingly but a simple way to solve this is to write to the
+DP_SET_POWER dpcd for MST too.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105470
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+---
+ drivers/gpu/drm/i915/intel_ddi.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c
+index 58a3755544b2..38e53d6b8127 100644
+--- a/drivers/gpu/drm/i915/intel_ddi.c
++++ b/drivers/gpu/drm/i915/intel_ddi.c
+@@ -2208,8 +2208,7 @@ static void intel_ddi_pre_enable_dp(struct intel_encoder *encoder,
+ 		intel_prepare_dp_ddi_buffers(encoder);
+ 
+ 	intel_ddi_init_dp_buf_reg(encoder);
+-	if (!is_mst)
+-		intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON);
++	intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON);
+ 	intel_dp_start_link_train(intel_dp);
+ 	if (port != PORT_A || INTEL_GEN(dev_priv) >= 9)
+ 		intel_dp_stop_link_train(intel_dp);
+@@ -2294,19 +2293,12 @@ static void intel_ddi_post_disable_dp(struct intel_encoder *encoder,
+ 	struct drm_i915_private *dev_priv = to_i915(encoder->base.dev);
+ 	struct intel_digital_port *dig_port = enc_to_dig_port(&encoder->base);
+ 	struct intel_dp *intel_dp = &dig_port->dp;
+-	/*
+-	 * old_crtc_state and old_conn_state are NULL when called from
+-	 * DP_MST. The main connector associated with this port is never
+-	 * bound to a crtc for MST.
+-	 */
+-	bool is_mst = !old_crtc_state;
+ 
+ 	/*
+ 	 * Power down sink before disabling the port, otherwise we end
+ 	 * up getting interrupts from the sink on detecting link loss.
+ 	 */
+-	if (!is_mst)
+-		intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF);
++	intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF);
+ 
+ 	intel_disable_ddi_buf(encoder);
+ 
+-- 
+2.14.3
+

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -653,21 +653,21 @@ Patch652: iwlwifi-mvn.patch
 # CVE-2018-1000026 rhbz 1541846 1546744
 Patch653: CVE-2018-1000026.patch
 
-# CVE-2018-1065 rhbz 1547824 1547831
-Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch
-
 # rhbz 1549316
 Patch657: ipmi-fixes.patch
 
 # CVE-2018-7757 rhbz 1553361 1553363
 Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
 
-# CVE-2018-7995 rhbz 1553911 1553918
-Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch
-
 # CVE-2018-8043 rhbz 1554199 1554200
 Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
 
+# rhbz 1549042
+Patch661: drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch
+
+# rhbz 1546709
+Patch662: mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1946,6 +1946,11 @@ fi
 #
 #
 %changelog
+* Thu Mar 15 2018 Laura Abbott <labbott@redhat.com> - 4.15.10-300
+- Linux v4.15.10
+- Fix for dock booting (rhbz 1549042)
+- Fix THP bug (rhbz 1546709)
+
 * Mon Mar 12 2018 Laura Abbott <labbott@redhat.com> - 4.15.9-300
 - Linux v4.15.9
 

mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch

@@ -0,0 +1,51 @@
+From patchwork Thu Mar 15 15:23:53 2018
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: mm/khugepaged: Convert VM_BUG_ON() to collapse fail
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+X-Patchwork-Id: 10284785
+Message-Id: <20180315152353.27989-1-kirill.shutemov@linux.intel.com>
+To: Andrew Morton <akpm@linux-foundation.org>
+Cc: Laura Abbott <labbott@redhat.com>, linux-mm@kvack.org,
+ linux-kernel@vger.kernel.org,
+ "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Thu, 15 Mar 2018 18:23:53 +0300
+
+khugepaged is not yet able to convert PTE-mapped huge pages back to PMD
+mapped. We do not collapse such pages. See check khugepaged_scan_pmd().
+
+But if between khugepaged_scan_pmd() and __collapse_huge_page_isolate()
+somebody managed to instantiate THP in the range and then split the PMD
+back to PTEs we would have a problem -- VM_BUG_ON_PAGE(PageCompound(page))
+will get triggered.
+
+It's possible since we drop mmap_sem during collapse to re-take for
+write.
+
+Replace the VM_BUG_ON() with graceful collapse fail.
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Fixes: b1caa957ae6d ("khugepaged: ignore pmd tables with THP mapped with ptes")
+---
+ mm/khugepaged.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index b7e2268dfc9a..c15da1ea7e63 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -530,7 +530,12 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
+ 			goto out;
+ 		}
+ 
+-		VM_BUG_ON_PAGE(PageCompound(page), page);
++		/* TODO: teach khugepaged to collapse THP mapped with pte */
++		if (PageCompound(page)) {
++			result = SCAN_PAGE_COMPOUND;
++			goto out;
++		}
++
+ 		VM_BUG_ON_PAGE(!PageAnon(page), page);
+ 
+ 		/*

sources

@@ -1,2 +1,2 @@
 SHA512 (linux-4.15.tar.xz) = c00d92659df815a53dcac7dde145b742b1f20867d380c07cb09ddb3295d6ff10f8931b21ef0b09d7156923a3957b39d74d87c883300173b2e20690d2b4ec35ea
-SHA512 (patch-4.15.9.xz) = 60d24d79c19ab44520e4b583c74ca30045dc72bebd426a802c84d62c369fbda5bd7016aee1f5fa3931937cd31f17d6c0867080eb26949dedbd2d9522ee13143d
+SHA512 (patch-4.15.10.xz) = 275abec91344e9409d27dc3ce801f104717730819a9d90786b0ef104525cf706291e0954a3e8d16618179a1e9603d6d12cd9cfdac3efac8783b83a0decdab94a

v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch

@@ -25,5 +25,5 @@ index ee5466a374bf..b3c683a84d3f 100644
  	"LEN004a", /* W541 */
 +	"LEN0073", /* X1 Carbon 5 */
  	"LEN200f", /* T450s */
- 	"LEN2018", /* T460p */
  	NULL
+ };