diff --git a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch deleted file mode 100644 index 8c379543..00000000 --- a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch +++ /dev/null @@ -1,42 +0,0 @@ -From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Tue, 6 Dec 2016 16:18:14 -0800 -Subject: [PATCH] Don't feed anything but regular iovec's to - blk_rq_map_user_iov - -In theory we could map other things, but there's a reason that function -is called "user_iov". Using anything else (like splice can do) just -confuses it. - -Reported-and-tested-by: Johannes Thumshirn -Cc: Al Viro -Signed-off-by: Linus Torvalds ---- - block/blk-map.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/block/blk-map.c b/block/blk-map.c -index b8657fa..27fd8d92 100644 ---- a/block/blk-map.c -+++ b/block/blk-map.c -@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, - struct iov_iter i; - int ret; - -+ if (!iter_is_iovec(iter)) -+ goto fail; -+ - if (map_data) - copy = true; - else if (iov_iter_alignment(iter) & align) -@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, - - unmap_rq: - __blk_rq_unmap_user(bio); -+fail: - rq->bio = NULL; - return -EINVAL; - } --- -2.9.3 - diff --git a/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch b/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch deleted file mode 100644 index 6d5771cc..00000000 --- a/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch +++ /dev/null @@ -1,49 +0,0 @@ -From b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 2 Dec 2016 09:44:53 -0800 -Subject: [PATCH] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE - -CAP_NET_ADMIN users should not be allowed to set negative -sk_sndbuf or sk_rcvbuf values, as it can lead to various memory -corruptions, crashes, OOM... - -Note that before commit 82981930125a ("net: cleanups in -sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF -and SO_RCVBUF were vulnerable. - -This needs to be backported to all known linux kernels. - -Again, many thanks to syzkaller team for discovering this gem. - -Signed-off-by: Eric Dumazet -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/core/sock.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/core/sock.c b/net/core/sock.c -index 5e3ca41..00a074d 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, - val = min_t(u32, val, sysctl_wmem_max); - set_sndbuf: - sk->sk_userlocks |= SOCK_SNDBUF_LOCK; -- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); -+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF); - /* Wake up sending tasks if we upped the value. */ - sk->sk_write_space(sk); - break; -@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, - * returning the value we actually used in getsockopt - * is the most desirable behavior. - */ -- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); -+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF); - break; - - case SO_RCVBUFFORCE: --- -2.9.3 - diff --git a/0001-packet-fix-race-condition-in-packet_set_ring.patch b/0001-packet-fix-race-condition-in-packet_set_ring.patch deleted file mode 100644 index ba7da62e..00000000 --- a/0001-packet-fix-race-condition-in-packet_set_ring.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001 -From: Philip Pettersson -Date: Wed, 30 Nov 2016 14:55:36 -0800 -Subject: [PATCH] packet: fix race condition in packet_set_ring - -When packet_set_ring creates a ring buffer it will initialize a -struct timer_list if the packet version is TPACKET_V3. This value -can then be raced by a different thread calling setsockopt to -set the version to TPACKET_V1 before packet_set_ring has finished. - -This leads to a use-after-free on a function pointer in the -struct timer_list when the socket is closed as the previously -initialized timer will not be deleted. - -The bug is fixed by taking lock_sock(sk) in packet_setsockopt when -changing the packet version while also taking the lock at the start -of packet_set_ring. - -Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") -Signed-off-by: Philip Pettersson -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/packet/af_packet.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index d2238b2..dd23323 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv - - if (optlen != sizeof(val)) - return -EINVAL; -- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) -- return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; - switch (val) { - case TPACKET_V1: - case TPACKET_V2: - case TPACKET_V3: -- po->tp_version = val; -- return 0; -+ break; - default: - return -EINVAL; - } -+ lock_sock(sk); -+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { -+ ret = -EBUSY; -+ } else { -+ po->tp_version = val; -+ ret = 0; -+ } -+ release_sock(sk); -+ return ret; - } - case PACKET_RESERVE: - { -@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, - /* Added to avoid minimal code churn */ - struct tpacket_req *req = &req_u->req; - -+ lock_sock(sk); - /* Opening a Tx-ring is NOT supported in TPACKET_V3 */ - if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) { - net_warn_ratelimited("Tx-ring is not supported.\n"); -@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, - goto out; - } - -- lock_sock(sk); - - /* Detach socket from network */ - spin_lock(&po->bind_lock); -@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, - if (!tx_ring) - prb_shutdown_retire_blk_timer(po, rb_queue); - } -- release_sock(sk); - - if (pg_vec) - free_pg_vec(pg_vec, order, req->tp_block_nr); - out: -+ release_sock(sk); - return err; - } - --- -2.9.3 - diff --git a/config-generic b/config-generic index d81e2237..a8b4e13b 100644 --- a/config-generic +++ b/config-generic @@ -1917,7 +1917,7 @@ CONFIG_IWLDVM=m CONFIG_IWLMVM=m # CONFIG_IWLWIFI_BCAST_FILTERING is not set # CONFIG_IWLWIFI_UAPSD is not set -CONFIG_IWLWIFI_PCIE_RTPM=y +# CONFIG_IWLWIFI_PCIE_RTPM is not set CONFIG_IWLWIFI_DEBUG=y CONFIG_IWLWIFI_DEBUGFS=y diff --git a/kernel.spec b/kernel.spec index 35570f29..78841233 100644 --- a/kernel.spec +++ b/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 202 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 15 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -640,17 +640,11 @@ Patch855: 0001-platform-x86-ideapad-laptop-Add-Lenovo-Yoga-910-13IK.patch # CVE-2016-9755 rhbz 1400904 1400905 Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch -# CVE-2016-8655 rhbz 1400019 1401820 -Patch857: 0001-packet-fix-race-condition-in-packet_set_ring.patch - -# CVE-2016-9793 rhbz 1402013 1402014 -Patch858: 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch - -# CVE-2016-9576 rhbz 1403145 1403146 -Patch859: 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch +# CVE-2016-9588 rhbz 1404924 1404925 +Patch857: kvm-nVMX-allow-L1-to-intercept-software-exceptions.patch #pf-kernel -Patch999: pf-kernel-4.8.13.patch +Patch999: pf-kernel-4.8.15.patch # END OF PATCH DEFINITIONS @@ -2179,6 +2173,15 @@ fi # # %changelog +* Thu Dec 15 2016 Justin M. Forbes - 4.8.15-200 +- Linux v4.8.15 +- CVE-2016-9588 fix possible DoS in nVMX (rhbz 1404924 1404925) +- Turn off CONFIG_IWLWIFI_PCIE_RTPM as it can cause wifi disconnects + +* Mon Dec 12 2016 Justin M. Forbes - 4.8.14-200 +- Linux v4.8.14 +- CVE-2016-8399 Fix out OOB stack read in memcpy_fromiovec (rhbz 1403833 1403834) + * Fri Dec 09 2016 Justin M. Forbes - 4.8.13-200 - Linux v4.8.13 - CVE-2016-9576 fix use after free in SCSI generic device interface (rhbz 1403145 1403146) diff --git a/kvm-nVMX-allow-L1-to-intercept-software-exceptions.patch b/kvm-nVMX-allow-L1-to-intercept-software-exceptions.patch new file mode 100644 index 00000000..b408fc60 --- /dev/null +++ b/kvm-nVMX-allow-L1-to-intercept-software-exceptions.patch @@ -0,0 +1,68 @@ +From: Jim Mattson +To: kvm@vger.kernel.org +Cc: Jim Mattson +Subject: [PATCH] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) +Date: Wed, 14 Dec 2016 11:41:59 -0800 + +When L2 exits to L0 due to "exception or NMI", software exceptions +(#BP and #OF) for which L1 has requested an intercept should be +handled by L1 rather than L0. Previously, only hardware exceptions +were forwarded to L1. + +Signed-off-by: Jim Mattson +--- + arch/x86/kvm/vmx.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 5382b82..64774f4 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1343,10 +1343,10 @@ static inline bool nested_cpu_has_posted_intr(struct vmcs12 *vmcs12) + return vmcs12->pin_based_vm_exec_control & PIN_BASED_POSTED_INTR; + } + +-static inline bool is_exception(u32 intr_info) ++static inline bool is_nmi(u32 intr_info) + { + return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK)) +- == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK); ++ == (INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK); + } + + static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason, +@@ -5476,7 +5476,7 @@ static int handle_exception(struct kvm_vcpu *vcpu) + if (is_machine_check(intr_info)) + return handle_machine_check(vcpu); + +- if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR) ++ if (is_nmi(intr_info)) + return 1; /* already handled by vmx_vcpu_run() */ + + if (is_no_device(intr_info)) { +@@ -8018,7 +8018,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu) + + switch (exit_reason) { + case EXIT_REASON_EXCEPTION_NMI: +- if (!is_exception(intr_info)) ++ if (is_nmi(intr_info)) + return false; + else if (is_page_fault(intr_info)) + return enable_ept; +@@ -8611,8 +8611,7 @@ static void vmx_complete_atomic_exit(struct vcpu_vmx *vmx) + kvm_machine_check(); + + /* We need to handle NMIs before interrupts are enabled */ +- if ((exit_intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR && +- (exit_intr_info & INTR_INFO_VALID_MASK)) { ++ if (is_nmi(exit_intr_info)) { + kvm_before_handle_nmi(&vmx->vcpu); + asm("int $2"); + kvm_after_handle_nmi(&vmx->vcpu); +-- +2.8.0.rc3.226.g39d4020 + +-- +To unsubscribe from this list: send the line "unsubscribe kvm" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/pf-kernel-4.8.13.patch b/pf-kernel-4.8.15.patch similarity index 99% rename from pf-kernel-4.8.13.patch rename to pf-kernel-4.8.15.patch index 0ed0eaa4..f1249d7f 100644 --- a/pf-kernel-4.8.13.patch +++ b/pf-kernel-4.8.15.patch @@ -1,7 +1,7 @@ -From 12d96ab453163636a866f89ae1277e11fd3f3690 Mon Sep 17 00:00:00 2001 +From bca2f2ca6c18897eccd43540ba5b7059fcaf3167 Mon Sep 17 00:00:00 2001 From: Fedora Kernel Team -Date: Sat, 10 Dec 2016 01:06:15 -0500 -Subject: [PATCH] pf-kernel 4.8.13 +Date: Thu, 22 Dec 2016 01:59:36 -0500 +Subject: [PATCH] pf-kernel 4.8.15 --- Documentation/block/00-INDEX | 2 + @@ -10,7 +10,6 @@ Subject: [PATCH] pf-kernel 4.8.13 Documentation/scheduler/sched-BFS.txt | 351 + Documentation/scheduler/sched-MuQSS.txt | 345 + Documentation/sysctl/kernel.txt | 26 + - Makefile | 6 +- arch/powerpc/platforms/cell/spufs/sched.c | 5 - arch/x86/Kconfig | 30 +- arch/x86/Kconfig.cpu | 169 +- @@ -26,7 +25,7 @@ Subject: [PATCH] pf-kernel 4.8.13 block/blk-mq.c | 40 +- block/blk-mq.h | 3 + block/blk-settings.c | 15 + - block/blk-stat.c | 221 + + block/blk-stat.c | 229 + block/blk-stat.h | 18 + block/blk-sysfs.c | 151 + block/cfq-iosched.c | 13 + @@ -145,7 +144,7 @@ Subject: [PATCH] pf-kernel 4.8.13 sound/soc/codecs/wm9713.c | 4 +- sound/soc/soc-dapm.c | 2 +- sound/usb/line6/pcm.c | 2 +- - 141 files changed, 20348 insertions(+), 196 deletions(-) + 140 files changed, 20353 insertions(+), 193 deletions(-) create mode 100644 Documentation/block/bfq-iosched.txt create mode 100644 Documentation/scheduler/sched-BFS.txt create mode 100644 Documentation/scheduler/sched-MuQSS.txt @@ -1477,22 +1476,6 @@ index ffab8b5..01e0a4a 100644 rtsig-max & rtsig-nr: The file rtsig-max can be used to tune the maximum number -diff --git a/Makefile b/Makefile -index 2f58544..d1aa03c 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,8 +1,8 @@ - VERSION = 4 - PATCHLEVEL = 8 --SUBLEVEL = 13 --EXTRAVERSION = --NAME = Psychotic Stoned Sheep -+SUBLEVEL = 0 -+EXTRAVERSION = -pf9 -+NAME = Wrong Language - - # *DOCUMENTATION* - # To see a list of typical targets execute "make help" diff --git a/arch/powerpc/platforms/cell/spufs/sched.c b/arch/powerpc/platforms/cell/spufs/sched.c index 460f5f3..eeb3e32 100644 --- a/arch/powerpc/platforms/cell/spufs/sched.c @@ -10638,10 +10621,10 @@ index f679ae1..746dc9f 100644 diff --git a/block/blk-stat.c b/block/blk-stat.c new file mode 100644 -index 0000000..bdb16d8 +index 0000000..f6ede16 --- /dev/null +++ b/block/blk-stat.c -@@ -0,0 +1,221 @@ +@@ -0,0 +1,229 @@ +/* + * Block stat tracking code + * @@ -10705,6 +10688,9 @@ index 0000000..bdb16d8 + + queue_for_each_hw_ctx(q, hctx, i) { + hctx_for_each_ctx(hctx, ctx, j) { ++ blk_stat_flush_batch(&ctx->stat[0]); ++ blk_stat_flush_batch(&ctx->stat[1]); ++ + if (!ctx->stat[0].nr_samples && + !ctx->stat[1].nr_samples) + continue; @@ -10750,6 +10736,8 @@ index 0000000..bdb16d8 + if (q->mq_ops) + blk_mq_stat_get(q, dst); + else { ++ blk_stat_flush_batch(&q->rq_stats[0]); ++ blk_stat_flush_batch(&q->rq_stats[1]); + memcpy(&dst[0], &q->rq_stats[0], sizeof(struct blk_rq_stat)); + memcpy(&dst[1], &q->rq_stats[1], sizeof(struct blk_rq_stat)); + } @@ -10765,6 +10753,9 @@ index 0000000..bdb16d8 + uint64_t newest = 0; + + hctx_for_each_ctx(hctx, ctx, i) { ++ blk_stat_flush_batch(&ctx->stat[0]); ++ blk_stat_flush_batch(&ctx->stat[1]); ++ + if (!ctx->stat[0].nr_samples && + !ctx->stat[1].nr_samples) + continue; diff --git a/sources b/sources index b175e7f8..640793e5 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz -0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz -bc208ac66340464839ee61a4621d9384 patch-4.8.13.xz +SHA512 (linux-4.8.tar.xz) = a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 +SHA512 (perf-man-4.8.tar.gz) = 1e9707f1e11808178c1953d4f46e1789a138e9aca7bec89af7a6e209cd91e5301bc582db72cf889baa31dcba8cd3d3b1ceb4e8999ac1544ef17d513e861f2b59 +SHA512 (patch-4.8.15.xz) = d819c86f3fe93ee1d083fdce954ae06a683a22e8b0864da170714c5230c4c2fdecc29270194b1ad8a715b836b493141c8ff2c09e76a84426b7a89ebc31fb9e01