Linux v4.15.10
Fix for dock booting (rhbz 1549042) Fix THP bug (rhbz 1546709)
This commit is contained in:
parent
3f91bd12ee
commit
67c1a82ba3
|
@ -1,84 +0,0 @@
|
|||
From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Wed, 7 Feb 2018 13:46:25 +0100
|
||||
Subject: [PATCH] netfilter: add back stackpointer size checks
|
||||
|
||||
The rationale for removing the check is only correct for rulesets
|
||||
generated by ip(6)tables.
|
||||
|
||||
In iptables, a jump can only occur to a user-defined chain, i.e.
|
||||
because we size the stack based on number of user-defined chains we
|
||||
cannot exceed stack size.
|
||||
|
||||
However, the underlying binary format has no such restriction,
|
||||
and the validation step only ensures that the jump target is a
|
||||
valid rule start point.
|
||||
|
||||
IOW, its possible to build a rule blob that has no user-defined
|
||||
chains but does contain a jump.
|
||||
|
||||
If this happens, no jump stack gets allocated and crash occurs
|
||||
because no jumpstack was allocated.
|
||||
|
||||
Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
|
||||
Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/ipv4/netfilter/arp_tables.c | 4 ++++
|
||||
net/ipv4/netfilter/ip_tables.c | 7 ++++++-
|
||||
net/ipv6/netfilter/ip6_tables.c | 4 ++++
|
||||
3 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
|
||||
index 4ffe302f9b82..e3e420f3ba7b 100644
|
||||
--- a/net/ipv4/netfilter/arp_tables.c
|
||||
+++ b/net/ipv4/netfilter/arp_tables.c
|
||||
@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||
}
|
||||
if (table_base + v
|
||||
!= arpt_next_entry(e)) {
|
||||
+ if (unlikely(stackidx >= private->stacksize)) {
|
||||
+ verdict = NF_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
jumpstack[stackidx++] = e;
|
||||
}
|
||||
|
||||
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
|
||||
index 9a71f3149507..e38395a8dcf2 100644
|
||||
--- a/net/ipv4/netfilter/ip_tables.c
|
||||
+++ b/net/ipv4/netfilter/ip_tables.c
|
||||
@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
|
||||
continue;
|
||||
}
|
||||
if (table_base + v != ipt_next_entry(e) &&
|
||||
- !(e->ip.flags & IPT_F_GOTO))
|
||||
+ !(e->ip.flags & IPT_F_GOTO)) {
|
||||
+ if (unlikely(stackidx >= private->stacksize)) {
|
||||
+ verdict = NF_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
jumpstack[stackidx++] = e;
|
||||
+ }
|
||||
|
||||
e = get_entry(table_base, v);
|
||||
continue;
|
||||
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
|
||||
index af4c917e0836..62358b93bbac 100644
|
||||
--- a/net/ipv6/netfilter/ip6_tables.c
|
||||
+++ b/net/ipv6/netfilter/ip6_tables.c
|
||||
@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
}
|
||||
if (table_base + v != ip6t_next_entry(e) &&
|
||||
!(e->ipv6.flags & IP6T_F_GOTO)) {
|
||||
+ if (unlikely(stackidx >= private->stacksize)) {
|
||||
+ verdict = NF_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
jumpstack[stackidx++] = e;
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,114 +0,0 @@
|
|||
From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
|
||||
From: Seunghun Han <kkamagui@gmail.com>
|
||||
Date: Tue, 6 Mar 2018 15:21:43 +0100
|
||||
Subject: [PATCH] x86/MCE: Serialize sysfs changes
|
||||
|
||||
The check_interval file in
|
||||
|
||||
/sys/devices/system/machinecheck/machinecheck<cpu number>
|
||||
|
||||
directory is a global timer value for MCE polling. If it is changed by one
|
||||
CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
|
||||
the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
|
||||
mce_timer variable.
|
||||
|
||||
If more than one CPU writes a specific value to the check_interval file
|
||||
concurrently, mce_timer is not protected from such concurrent accesses and
|
||||
all kinds of explosions happen. Since only root can write to those sysfs
|
||||
variables, the issue is not a big deal security-wise.
|
||||
|
||||
However, concurrent writes to these configuration variables is void of
|
||||
reason so the proper thing to do is to serialize the access with a mutex.
|
||||
|
||||
Boris:
|
||||
|
||||
- Make store_int_with_restart() use device_store_ulong() to filter out
|
||||
negative intervals
|
||||
- Limit min interval to 1 second
|
||||
- Correct locking
|
||||
- Massage commit message
|
||||
|
||||
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Cc: Tony Luck <tony.luck@intel.com>
|
||||
Cc: linux-edac <linux-edac@vger.kernel.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
|
||||
---
|
||||
arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
index b3323cab9139..466f47301334 100644
|
||||
--- a/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
@@ -56,6 +56,9 @@
|
||||
|
||||
static DEFINE_MUTEX(mce_log_mutex);
|
||||
|
||||
+/* sysfs synchronization */
|
||||
+static DEFINE_MUTEX(mce_sysfs_mutex);
|
||||
+
|
||||
#define CREATE_TRACE_POINTS
|
||||
#include <trace/events/mce.h>
|
||||
|
||||
@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s,
|
||||
if (kstrtou64(buf, 0, &new) < 0)
|
||||
return -EINVAL;
|
||||
|
||||
+ mutex_lock(&mce_sysfs_mutex);
|
||||
if (mca_cfg.ignore_ce ^ !!new) {
|
||||
if (new) {
|
||||
/* disable ce features */
|
||||
@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s,
|
||||
on_each_cpu(mce_enable_ce, (void *)1, 1);
|
||||
}
|
||||
}
|
||||
+ mutex_unlock(&mce_sysfs_mutex);
|
||||
+
|
||||
return size;
|
||||
}
|
||||
|
||||
@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s,
|
||||
if (kstrtou64(buf, 0, &new) < 0)
|
||||
return -EINVAL;
|
||||
|
||||
+ mutex_lock(&mce_sysfs_mutex);
|
||||
if (mca_cfg.cmci_disabled ^ !!new) {
|
||||
if (new) {
|
||||
/* disable cmci */
|
||||
@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s,
|
||||
on_each_cpu(mce_enable_ce, NULL, 1);
|
||||
}
|
||||
}
|
||||
+ mutex_unlock(&mce_sysfs_mutex);
|
||||
+
|
||||
return size;
|
||||
}
|
||||
|
||||
@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s,
|
||||
struct device_attribute *attr,
|
||||
const char *buf, size_t size)
|
||||
{
|
||||
- ssize_t ret = device_store_int(s, attr, buf, size);
|
||||
+ unsigned long old_check_interval = check_interval;
|
||||
+ ssize_t ret = device_store_ulong(s, attr, buf, size);
|
||||
+
|
||||
+ if (check_interval == old_check_interval)
|
||||
+ return ret;
|
||||
+
|
||||
+ if (check_interval < 1)
|
||||
+ check_interval = 1;
|
||||
+
|
||||
+ mutex_lock(&mce_sysfs_mutex);
|
||||
mce_restart();
|
||||
+ mutex_unlock(&mce_sysfs_mutex);
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -0,0 +1,65 @@
|
|||
From ddc1b88d9947a548cc9a41b421df2941483b1e04 Mon Sep 17 00:00:00 2001
|
||||
From: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
|
||||
Date: Tue, 13 Mar 2018 22:48:25 -0700
|
||||
Subject: [PATCH] drm/i915/dp: Write to SET_POWER dpcd to enable MST hub.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If bios sets up an MST output and hardware state readout code sees this is
|
||||
an SST configuration, when disabling the encoder we end up calling
|
||||
->post_disable_dp() hook instead of the MST version. Consequently, we write
|
||||
to the DP_SET_POWER dpcd to set it D3 state. Further along when we try
|
||||
enable the encoder in MST mode, POWER_UP_PHY transaction fails to power up
|
||||
the MST hub. This results in continuous link training failures which keep
|
||||
the system busy delaying boot. We could identify bios MST boot discrepancy
|
||||
and handle it accordingly but a simple way to solve this is to write to the
|
||||
DP_SET_POWER dpcd for MST too.
|
||||
|
||||
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105470
|
||||
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
|
||||
Cc: Jani Nikula <jani.nikula@intel.com>
|
||||
Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
|
||||
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
|
||||
---
|
||||
drivers/gpu/drm/i915/intel_ddi.c | 12 ++----------
|
||||
1 file changed, 2 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c
|
||||
index 58a3755544b2..38e53d6b8127 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_ddi.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_ddi.c
|
||||
@@ -2208,8 +2208,7 @@ static void intel_ddi_pre_enable_dp(struct intel_encoder *encoder,
|
||||
intel_prepare_dp_ddi_buffers(encoder);
|
||||
|
||||
intel_ddi_init_dp_buf_reg(encoder);
|
||||
- if (!is_mst)
|
||||
- intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON);
|
||||
+ intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON);
|
||||
intel_dp_start_link_train(intel_dp);
|
||||
if (port != PORT_A || INTEL_GEN(dev_priv) >= 9)
|
||||
intel_dp_stop_link_train(intel_dp);
|
||||
@@ -2294,19 +2293,12 @@ static void intel_ddi_post_disable_dp(struct intel_encoder *encoder,
|
||||
struct drm_i915_private *dev_priv = to_i915(encoder->base.dev);
|
||||
struct intel_digital_port *dig_port = enc_to_dig_port(&encoder->base);
|
||||
struct intel_dp *intel_dp = &dig_port->dp;
|
||||
- /*
|
||||
- * old_crtc_state and old_conn_state are NULL when called from
|
||||
- * DP_MST. The main connector associated with this port is never
|
||||
- * bound to a crtc for MST.
|
||||
- */
|
||||
- bool is_mst = !old_crtc_state;
|
||||
|
||||
/*
|
||||
* Power down sink before disabling the port, otherwise we end
|
||||
* up getting interrupts from the sink on detecting link loss.
|
||||
*/
|
||||
- if (!is_mst)
|
||||
- intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF);
|
||||
+ intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF);
|
||||
|
||||
intel_disable_ddi_buf(encoder);
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
19
kernel.spec
19
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 9
|
||||
%define stable_update 10
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -653,21 +653,21 @@ Patch652: iwlwifi-mvn.patch
|
|||
# CVE-2018-1000026 rhbz 1541846 1546744
|
||||
Patch653: CVE-2018-1000026.patch
|
||||
|
||||
# CVE-2018-1065 rhbz 1547824 1547831
|
||||
Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch
|
||||
|
||||
# rhbz 1549316
|
||||
Patch657: ipmi-fixes.patch
|
||||
|
||||
# CVE-2018-7757 rhbz 1553361 1553363
|
||||
Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
|
||||
|
||||
# CVE-2018-7995 rhbz 1553911 1553918
|
||||
Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch
|
||||
|
||||
# CVE-2018-8043 rhbz 1554199 1554200
|
||||
Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
|
||||
|
||||
# rhbz 1549042
|
||||
Patch661: drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch
|
||||
|
||||
# rhbz 1546709
|
||||
Patch662: mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1946,6 +1946,11 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Mar 15 2018 Laura Abbott <labbott@redhat.com> - 4.15.10-300
|
||||
- Linux v4.15.10
|
||||
- Fix for dock booting (rhbz 1549042)
|
||||
- Fix THP bug (rhbz 1546709)
|
||||
|
||||
* Mon Mar 12 2018 Laura Abbott <labbott@redhat.com> - 4.15.9-300
|
||||
- Linux v4.15.9
|
||||
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
From patchwork Thu Mar 15 15:23:53 2018
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: mm/khugepaged: Convert VM_BUG_ON() to collapse fail
|
||||
From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
|
||||
X-Patchwork-Id: 10284785
|
||||
Message-Id: <20180315152353.27989-1-kirill.shutemov@linux.intel.com>
|
||||
To: Andrew Morton <akpm@linux-foundation.org>
|
||||
Cc: Laura Abbott <labbott@redhat.com>, linux-mm@kvack.org,
|
||||
linux-kernel@vger.kernel.org,
|
||||
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
|
||||
Date: Thu, 15 Mar 2018 18:23:53 +0300
|
||||
|
||||
khugepaged is not yet able to convert PTE-mapped huge pages back to PMD
|
||||
mapped. We do not collapse such pages. See check khugepaged_scan_pmd().
|
||||
|
||||
But if between khugepaged_scan_pmd() and __collapse_huge_page_isolate()
|
||||
somebody managed to instantiate THP in the range and then split the PMD
|
||||
back to PTEs we would have a problem -- VM_BUG_ON_PAGE(PageCompound(page))
|
||||
will get triggered.
|
||||
|
||||
It's possible since we drop mmap_sem during collapse to re-take for
|
||||
write.
|
||||
|
||||
Replace the VM_BUG_ON() with graceful collapse fail.
|
||||
|
||||
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
|
||||
Fixes: b1caa957ae6d ("khugepaged: ignore pmd tables with THP mapped with ptes")
|
||||
---
|
||||
mm/khugepaged.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
|
||||
index b7e2268dfc9a..c15da1ea7e63 100644
|
||||
--- a/mm/khugepaged.c
|
||||
+++ b/mm/khugepaged.c
|
||||
@@ -530,7 +530,12 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- VM_BUG_ON_PAGE(PageCompound(page), page);
|
||||
+ /* TODO: teach khugepaged to collapse THP mapped with pte */
|
||||
+ if (PageCompound(page)) {
|
||||
+ result = SCAN_PAGE_COMPOUND;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
VM_BUG_ON_PAGE(!PageAnon(page), page);
|
||||
|
||||
/*
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.15.tar.xz) = c00d92659df815a53dcac7dde145b742b1f20867d380c07cb09ddb3295d6ff10f8931b21ef0b09d7156923a3957b39d74d87c883300173b2e20690d2b4ec35ea
|
||||
SHA512 (patch-4.15.9.xz) = 60d24d79c19ab44520e4b583c74ca30045dc72bebd426a802c84d62c369fbda5bd7016aee1f5fa3931937cd31f17d6c0867080eb26949dedbd2d9522ee13143d
|
||||
SHA512 (patch-4.15.10.xz) = 275abec91344e9409d27dc3ce801f104717730819a9d90786b0ef104525cf706291e0954a3e8d16618179a1e9603d6d12cd9cfdac3efac8783b83a0decdab94a
|
||||
|
|
|
@ -25,5 +25,5 @@ index ee5466a374bf..b3c683a84d3f 100644
|
|||
"LEN004a", /* W541 */
|
||||
+ "LEN0073", /* X1 Carbon 5 */
|
||||
"LEN200f", /* T450s */
|
||||
"LEN2018", /* T460p */
|
||||
NULL
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue