Linux v4.10.10
parent
21d113f3e9
commit
e462fa4b82
|
@ -1,65 +0,0 @@
|
|||
From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
|
||||
From: Andi Kleen <ak@linux.intel.com>
|
||||
Date: Mon, 27 Mar 2017 11:32:59 +0200
|
||||
Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
|
||||
|
||||
Since:
|
||||
|
||||
cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
|
||||
|
||||
all MCEs are printed even when mcelog is running. Fix the regression to
|
||||
not print to dmesg when mcelog is running as it is a consumer too.
|
||||
|
||||
Signed-off-by: Andi Kleen <ak@linux.intel.com>
|
||||
[ Massage commit message. ]
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Tony Luck <tony.luck@intel.com>
|
||||
Cc: linux-edac <linux-edac@vger.kernel.org>
|
||||
Cc: stable@vger.kernel.org # 4.10..
|
||||
Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
|
||||
Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
index 8e9725c..5accfbd 100644
|
||||
--- a/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
@@ -54,6 +54,8 @@
|
||||
|
||||
static DEFINE_MUTEX(mce_chrdev_read_mutex);
|
||||
|
||||
+static int mce_chrdev_open_count; /* #times opened */
|
||||
+
|
||||
#define mce_log_get_idx_check(p) \
|
||||
({ \
|
||||
RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
|
||||
@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
|
||||
if (atomic_read(&num_notifiers) > 2)
|
||||
return NOTIFY_DONE;
|
||||
|
||||
+ /* Don't print when mcelog is running */
|
||||
+ if (mce_chrdev_open_count > 0)
|
||||
+ return NOTIFY_DONE;
|
||||
+
|
||||
__print_mce(m);
|
||||
|
||||
return NOTIFY_DONE;
|
||||
@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
|
||||
*/
|
||||
|
||||
static DEFINE_SPINLOCK(mce_chrdev_state_lock);
|
||||
-static int mce_chrdev_open_count; /* #times opened */
|
||||
static int mce_chrdev_open_exclu; /* already open exclusive? */
|
||||
|
||||
static int mce_chrdev_open(struct inode *inode, struct file *file)
|
||||
--
|
||||
2.9.3
|
||||
|
15
kernel.spec
15
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 9
|
||||
%define stable_update 10
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -599,18 +599,9 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
|
|||
# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
|
||||
Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
|
||||
|
||||
#CVE-2017-2596 rhbz 1417812 1417813
|
||||
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
|
||||
|
||||
#CVE-2017-7261 rhbz 1435719 1435740
|
||||
Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
|
||||
|
||||
#CVE-2017-7277 rhbz 1436629 1436661
|
||||
Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
|
||||
|
||||
# rhbz 1438316
|
||||
Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
|
||||
|
||||
# CVE-2017-2671 rhbz 1436649 1436663
|
||||
Patch860: 0001-ping-implement-proper-locking.patch
|
||||
|
||||
|
@ -2197,6 +2188,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Apr 12 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.10-100
|
||||
- Linux v4.10.10
|
||||
- CVE-2017-7616 (rhbz 1441088 1441093)
|
||||
|
||||
* Tue Apr 11 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2017-7618 (rhbz 1441095 1441093)
|
||||
- Fix CVE-2017-7308 (rhbz 1437404 1437406)
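Review bot: The new changelog entry for 4.10.10-100 records only the rebase and CVE-2017-7616, but the Patch852–Patch860 hunk in this same file appears to drop the entries commented with CVE-2017-2596, CVE-2017-7261 and rhbz 1438316. The +/- markers are lost on this page, so that reading is inferred from the hunk shrinking from 18 to 9 lines and from the three patch files deleted in this commit. Nothing in the spec says whether those fixes are now carried by the stable update, so anyone auditing CVE coverage of this build has to re-check upstream by hand. If that is why they were dropped, say so in the changelog, for example `- Drop kvm-fix-page-struct-leak-in-handle_vmon.patch (CVE-2017-2596), included in 4.10.10`, with matching lines for the vmwgfx and mce patches. Each fix should be confirmed against the 4.10.10 stable changelog before the line is written.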
|
||||
|
|
|
@ -1,49 +0,0 @@
|
|||
From patchwork Tue Jan 24 10:56:21 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: kvm: fix page struct leak in handle_vmon
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
X-Patchwork-Id: 9534885
|
||||
Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
|
||||
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
|
||||
Cc: dvyukov@google.com
|
||||
Date: Tue, 24 Jan 2017 11:56:21 +0100
|
||||
|
||||
handle_vmon gets a reference on VMXON region page,
|
||||
but does not release it. Release the reference.
|
||||
|
||||
Found by syzkaller; based on a patch by Dmitry.
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/vmx.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
||||
index 42cc3d6f4d20..0f7345035210 100644
|
||||
--- a/arch/x86/kvm/vmx.c
|
||||
+++ b/arch/x86/kvm/vmx.c
|
||||
@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
|
||||
}
|
||||
|
||||
page = nested_get_page(vcpu, vmptr);
|
||||
- if (page == NULL ||
|
||||
- *(u32 *)kmap(page) != VMCS12_REVISION) {
|
||||
+ if (page == NULL) {
|
||||
nested_vmx_failInvalid(vcpu);
|
||||
+ return kvm_skip_emulated_instruction(vcpu);
|
||||
+ }
|
||||
+ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
|
||||
kunmap(page);
|
||||
+ nested_release_page_clean(page);
|
||||
+ nested_vmx_failInvalid(vcpu);
|
||||
return kvm_skip_emulated_instruction(vcpu);
|
||||
}
|
||||
kunmap(page);
|
||||
+ nested_release_page_clean(page);
|
||||
vmx->nested.vmxon_ptr = vmptr;
|
||||
break;
|
||||
case EXIT_REASON_VMCLEAR:
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
|
||||
SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
|
||||
SHA512 (patch-4.10.9.xz) = 867cdcf1e6ceee58dec7eb913e119dcaa75255cef1ad2dd9eb0eead6a918a202e3b6656770422d547a7758236a8589c70d49fa4045de867b77a04480f97c242d
|
||||
SHA512 (patch-4.10.10.xz) = 264d156d7a3b1f3b3a80a7a9dc9a358b5cd582d8d894c482f3c9eb5af4eca64439720d5b9b141ae57f7845dfab59563497faae8e6fb666aeec86aab6b8df904a
|
||||
|
|
|
@ -1,33 +0,0 @@
|
|||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
|
||||
Date: 2017-03-24 15:37:10
|
||||
|
||||
In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
|
||||
user-controlled value which is not checked for zero. It is used in
|
||||
a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
|
||||
is dereferenced which leads to a GPF and possibly to a kernel panic.
|
||||
Add the check for zero to avoid this.
|
||||
|
||||
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
||||
index b445ce9..42840cc 100644
|
||||
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
||||
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
|
||||
@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
|
||||
for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
|
||||
num_sizes += req->mip_levels[i];
|
||||
|
||||
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
|
||||
- DRM_VMW_MAX_MIP_LEVELS)
|
||||
+ if (num_sizes <= 0 ||
|
||||
+ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
|
||||
return -EINVAL;
|
||||
|
||||
size = vmw_user_surface_size + 128 +
|
||||
--
|
||||
2.9.3
|