Linux v4.10-rc6-24-gf1774f4

gitrev

@@ -1 +1 @@
-566cf877a1fcb6d6dc0126b076aad062054c2637
+f1774f46d49f806614d81854321ee9e5138135e5

kernel.spec

@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 6
 # The git snapshot level
-%define gitrev 0
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -596,7 +596,7 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
 # See http://lists.infradead.org/pipermail/linux-arm-kernel/2016-October/461597.html
 Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
 
-# CVE-2017-2596 rhbz 1417812 1417813
+#CVE-2017-2596 rhbz 1417812 1417813
 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
 
 # END OF PATCH DEFINITIONS
@@ -2169,9 +2169,10 @@ fi
 #
 #
 %changelog
-* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git0.2
+* Tue Jan 31 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git1.1
+- Linux v4.10-rc6-24-gf1774f4
 - Reenable debugging options.
-- Fix kvm nested virt CVE-2017-2596 rhbz (1417812 1417813)
+- Fix kvm nested virt CVE-2017-2596 (rhbz 1417812 1417813)
 
 * Mon Jan 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git0.1
 - Linux v4.10-rc6

kvm-fix-page-struct-leak-in-handle_vmon.patch

@@ -0,0 +1,49 @@
+From patchwork Tue Jan 24 10:56:21 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: kvm: fix page struct leak in handle_vmon
+From: Paolo Bonzini <pbonzini@redhat.com>
+X-Patchwork-Id: 9534885
+Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: dvyukov@google.com
+Date: Tue, 24 Jan 2017 11:56:21 +0100
+
+handle_vmon gets a reference on VMXON region page,
+but does not release it. Release the reference.
+
+Found by syzkaller; based on a patch by Dmitry.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 42cc3d6f4d20..0f7345035210 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
+ 		}
+ 
+ 		page = nested_get_page(vcpu, vmptr);
+-		if (page == NULL ||
+-		    *(u32 *)kmap(page) != VMCS12_REVISION) {
++		if (page == NULL) {
+ 			nested_vmx_failInvalid(vcpu);
++			return kvm_skip_emulated_instruction(vcpu);
++		}
++		if (*(u32 *)kmap(page) != VMCS12_REVISION) {
+ 			kunmap(page);
++			nested_release_page_clean(page);
++			nested_vmx_failInvalid(vcpu);
+ 			return kvm_skip_emulated_instruction(vcpu);
+ 		}
+ 		kunmap(page);
++		nested_release_page_clean(page);
+ 		vmx->nested.vmxon_ptr = vmptr;
+ 		break;
+ 	case EXIT_REASON_VMCLEAR:

sources

@@ -1,3 +1,4 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
 SHA512 (patch-4.10-rc6.xz) = eb6dfcdcb427d198d955b6c2146abd5c6a74d01ab10855d713f33b9c87df05f20f2688cb354d5881dfb82ebdcf4ecac37b36956ff3645977f967f021b52ad507
+SHA512 (patch-4.10-rc6-git1.xz) = 78244cdca47da41b35ddf6d8573e4ce4c6a42af9ec99a3bb9b725fe9934b4880de3d29500ba99a471d86eb78f8c1587a98013998140381c9885cc11016a294da