Merge branch 'f27' of ssh://pkgs.fedoraproject.org/rpms/kernel into f27
This commit is contained in:
commit
d41964993d
|
@ -1,54 +0,0 @@
|
|||
From 174134ac760275457bb0d1560a0dbe6cf8a12ad6 Mon Sep 17 00:00:00 2001
|
||||
From: Corey Minyard <cminyard@mvista.com>
|
||||
Date: Mon, 27 Nov 2017 08:18:33 -0600
|
||||
Subject: [PATCH] ipmi_si: Fix error handling of platform device
|
||||
|
||||
Cleanup of platform devices created by the IPMI driver was not
|
||||
being done correctly and could result in a memory leak. So
|
||||
create a local boolean to know how to clean up those platform
|
||||
devices.
|
||||
|
||||
Reported-by: David Binderman <dcb314@hotmail.com>
|
||||
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
||||
---
|
||||
drivers/char/ipmi/ipmi_si_intf.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
|
||||
index 71fad747c0c7..7499b0cd8326 100644
|
||||
--- a/drivers/char/ipmi/ipmi_si_intf.c
|
||||
+++ b/drivers/char/ipmi/ipmi_si_intf.c
|
||||
@@ -2045,6 +2045,7 @@ static int try_smi_init(struct smi_info *new_smi)
|
||||
int rv = 0;
|
||||
int i;
|
||||
char *init_name = NULL;
|
||||
+ bool platform_device_registered = false;
|
||||
|
||||
pr_info(PFX "Trying %s-specified %s state machine at %s address 0x%lx, slave address 0x%x, irq %d\n",
|
||||
ipmi_addr_src_to_str(new_smi->io.addr_source),
|
||||
@@ -2173,6 +2174,7 @@ static int try_smi_init(struct smi_info *new_smi)
|
||||
rv);
|
||||
goto out_err;
|
||||
}
|
||||
+ platform_device_registered = true;
|
||||
}
|
||||
|
||||
dev_set_drvdata(new_smi->io.dev, new_smi);
|
||||
@@ -2279,10 +2281,11 @@ static int try_smi_init(struct smi_info *new_smi)
|
||||
}
|
||||
|
||||
if (new_smi->pdev) {
|
||||
- platform_device_unregister(new_smi->pdev);
|
||||
+ if (platform_device_registered)
|
||||
+ platform_device_unregister(new_smi->pdev);
|
||||
+ else
|
||||
+ platform_device_put(new_smi->pdev);
|
||||
new_smi->pdev = NULL;
|
||||
- } else if (new_smi->pdev) {
|
||||
- platform_device_put(new_smi->pdev);
|
||||
}
|
||||
|
||||
kfree(init_name);
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 Mon Sep 17 00:00:00 2001
|
||||
From: Jason Yan <yanaijie@huawei.com>
|
||||
Date: Thu, 4 Jan 2018 21:04:31 +0800
|
||||
Subject: [PATCH] scsi: libsas: fix memory leak in sas_smp_get_phy_events()
|
||||
|
||||
We've got a memory leak with the following producer:
|
||||
|
||||
while true;
|
||||
do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
|
||||
done
|
||||
|
||||
The buffer req is allocated and not freed after we return. Fix it.
|
||||
|
||||
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
|
||||
Signed-off-by: Jason Yan <yanaijie@huawei.com>
|
||||
CC: John Garry <john.garry@huawei.com>
|
||||
CC: chenqilin <chenqilin2@huawei.com>
|
||||
CC: chenxiang <chenxiang66@hisilicon.com>
|
||||
Reviewed-by: Christoph Hellwig <hch@lst.de>
|
||||
Reviewed-by: Hannes Reinecke <hare@suse.com>
|
||||
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||||
---
|
||||
drivers/scsi/libsas/sas_expander.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
|
||||
index ca1566237ae7..1de59c0fdbc0 100644
|
||||
--- a/drivers/scsi/libsas/sas_expander.c
|
||||
+++ b/drivers/scsi/libsas/sas_expander.c
|
||||
@@ -695,6 +695,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
|
||||
phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
|
||||
|
||||
out:
|
||||
+ kfree(req);
|
||||
kfree(resp);
|
||||
return res;
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,85 +0,0 @@
|
|||
From 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Kodanev <alexey.kodanev@oracle.com>
|
||||
Date: Fri, 9 Feb 2018 17:35:23 +0300
|
||||
Subject: [PATCH] sctp: verify size of a new chunk in _sctp_make_chunk()
|
||||
|
||||
When SCTP makes INIT or INIT_ACK packet the total chunk length
|
||||
can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
|
||||
transmitting these packets, e.g. the crash on sending INIT_ACK:
|
||||
|
||||
[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
|
||||
put:120156 head:000000007aa47635 data:00000000d991c2de
|
||||
tail:0x1d640 end:0xfec0 dev:<NULL>
|
||||
...
|
||||
[ 597.976970] ------------[ cut here ]------------
|
||||
[ 598.033408] kernel BUG at net/core/skbuff.c:104!
|
||||
[ 600.314841] Call Trace:
|
||||
[ 600.345829] <IRQ>
|
||||
[ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
|
||||
[ 600.436934] skb_put+0x16c/0x200
|
||||
[ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp]
|
||||
[ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp]
|
||||
[ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
|
||||
[ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
|
||||
[ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp]
|
||||
[ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp]
|
||||
[ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
|
||||
[ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp]
|
||||
[ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
|
||||
[ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
|
||||
[ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
|
||||
[ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp]
|
||||
[ 601.233575] sctp_do_sm+0x182/0x560 [sctp]
|
||||
[ 601.284328] ? sctp_has_association+0x70/0x70 [sctp]
|
||||
[ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp]
|
||||
[ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp]
|
||||
...
|
||||
|
||||
Here the chunk size for INIT_ACK packet becomes too big, mostly
|
||||
because of the state cookie (INIT packet has large size with
|
||||
many address parameters), plus additional server parameters.
|
||||
|
||||
Later this chunk causes the panic in skb_put_data():
|
||||
|
||||
skb_packet_transmit()
|
||||
sctp_packet_pack()
|
||||
skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
|
||||
|
||||
'nskb' (head skb) was previously allocated with packet->size
|
||||
from u16 'chunk->chunk_hdr->length'.
|
||||
|
||||
As suggested by Marcelo we should check the chunk's length in
|
||||
_sctp_make_chunk() before trying to allocate skb for it and
|
||||
discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
|
||||
|
||||
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
|
||||
Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
|
||||
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/sm_make_chunk.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
|
||||
index 793b05ec692b..d01475f5f710 100644
|
||||
--- a/net/sctp/sm_make_chunk.c
|
||||
+++ b/net/sctp/sm_make_chunk.c
|
||||
@@ -1380,9 +1380,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
|
||||
struct sctp_chunk *retval;
|
||||
struct sk_buff *skb;
|
||||
struct sock *sk;
|
||||
+ int chunklen;
|
||||
+
|
||||
+ chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);
|
||||
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
|
||||
+ goto nodata;
|
||||
|
||||
/* No need to allocate LL here, as this is only a chunk. */
|
||||
- skb = alloc_skb(SCTP_PAD4(sizeof(*chunk_hdr) + paylen), gfp);
|
||||
+ skb = alloc_skb(chunklen, gfp);
|
||||
if (!skb)
|
||||
goto nodata;
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
File diff suppressed because it is too large
Load Diff
21
kernel.spec
21
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 7
|
||||
%define stable_update 8
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -653,14 +653,14 @@ Patch652: iwlwifi-mvn.patch
|
|||
# CVE-2018-1000026 rhbz 1541846 1546744
|
||||
Patch653: CVE-2018-1000026.patch
|
||||
|
||||
# rhbz 1549316
|
||||
Patch654: 0001-ipmi_si-Fix-error-handling-of-platform-device.patch
|
||||
|
||||
# CVE-2018-1065 rhbz 1547824 1547831
|
||||
Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch
|
||||
|
||||
# CVE-2018-5803 rhbz 1551051 1551053
|
||||
Patch656: 0001-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch
|
||||
# rhbz 1549316
|
||||
Patch657: ipmi-fixes.patch
|
||||
|
||||
# CVE-2018-7757 rhbz 1553361 1553363
|
||||
Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -1940,6 +1940,15 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Mar 09 2018 Laura Abbott <labbott@redhat.com> - 4.15.8-300
|
||||
- Linux v4.15.8
|
||||
|
||||
* Thu Mar 08 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2018-7757 (rhbz 1553361 1553363)
|
||||
|
||||
* Tue Mar 06 2018 Laura Abbott <labbott@redhat.com>
|
||||
- Fixes for IPMI crash (rbhz 1549316)
|
||||
|
||||
* Mon Mar 05 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2018-5803 (rhbz 1551051 1551053)
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.15.tar.xz) = c00d92659df815a53dcac7dde145b742b1f20867d380c07cb09ddb3295d6ff10f8931b21ef0b09d7156923a3957b39d74d87c883300173b2e20690d2b4ec35ea
|
||||
SHA512 (patch-4.15.7.xz) = 4215a356a61c3af20352fd60f3ec4e4a74a3d4d6223c7bd5c1b8283bc4d786a5e1c29a770518cb6a136f42841c637648835a54a46f11e552d1aa7b867999ef1a
|
||||
SHA512 (patch-4.15.8.xz) = 0e070a05b2caccfa8dc41ae0c826b50cf6e9e02894213972745f609e5cda9aeb04c6ebf480d34c12bb649ad0f4b8a07b3c67e562ce1cae7a086d1e30da280458
|
||||
|
|
Loading…
Reference in New Issue