diff --git a/0001-netfilter-add-back-stackpointer-size-checks.patch b/0001-netfilter-add-back-stackpointer-size-checks.patch deleted file mode 100644 index 1bf809a..0000000 --- a/0001-netfilter-add-back-stackpointer-size-checks.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Wed, 7 Feb 2018 13:46:25 +0100 -Subject: [PATCH] netfilter: add back stackpointer size checks - -The rationale for removing the check is only correct for rulesets -generated by ip(6)tables. - -In iptables, a jump can only occur to a user-defined chain, i.e. -because we size the stack based on number of user-defined chains we -cannot exceed stack size. - -However, the underlying binary format has no such restriction, -and the validation step only ensures that the jump target is a -valid rule start point. - -IOW, its possible to build a rule blob that has no user-defined -chains but does contain a jump. - -If this happens, no jump stack gets allocated and crash occurs -because no jumpstack was allocated. - -Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset") -Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso ---- - net/ipv4/netfilter/arp_tables.c | 4 ++++ - net/ipv4/netfilter/ip_tables.c | 7 ++++++- - net/ipv6/netfilter/ip6_tables.c | 4 ++++ - 3 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index 4ffe302f9b82..e3e420f3ba7b 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb, - } - if (table_base + v - != arpt_next_entry(e)) { -+ if (unlikely(stackidx >= private->stacksize)) { -+ verdict = NF_DROP; -+ break; -+ } - jumpstack[stackidx++] = e; - } - -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index 9a71f3149507..e38395a8dcf2 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb, - continue; - } - if (table_base + v != ipt_next_entry(e) && -- !(e->ip.flags & IPT_F_GOTO)) -+ !(e->ip.flags & IPT_F_GOTO)) { -+ if (unlikely(stackidx >= private->stacksize)) { -+ verdict = NF_DROP; -+ break; -+ } - jumpstack[stackidx++] = e; -+ } - - e = get_entry(table_base, v); - continue; -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index af4c917e0836..62358b93bbac 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb, - } - if (table_base + v != ip6t_next_entry(e) && - !(e->ipv6.flags & IP6T_F_GOTO)) { -+ if (unlikely(stackidx >= private->stacksize)) { -+ verdict = NF_DROP; -+ break; -+ } - jumpstack[stackidx++] = e; - } - --- -2.14.3 - diff --git a/0001-x86-MCE-Serialize-sysfs-changes.patch b/0001-x86-MCE-Serialize-sysfs-changes.patch deleted file mode 100644 index 84c7b7f..0000000 --- a/0001-x86-MCE-Serialize-sysfs-changes.patch +++ /dev/null @@ -1,114 +0,0 @@ -From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001 -From: Seunghun Han -Date: Tue, 6 Mar 2018 15:21:43 +0100 -Subject: [PATCH] x86/MCE: Serialize sysfs changes - -The check_interval file in - - /sys/devices/system/machinecheck/machinecheck - -directory is a global timer value for MCE polling. If it is changed by one -CPU, mce_restart() broadcasts the event to other CPUs to delete and restart -the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the -mce_timer variable. - -If more than one CPU writes a specific value to the check_interval file -concurrently, mce_timer is not protected from such concurrent accesses and -all kinds of explosions happen. Since only root can write to those sysfs -variables, the issue is not a big deal security-wise. - -However, concurrent writes to these configuration variables is void of -reason so the proper thing to do is to serialize the access with a mutex. - -Boris: - - - Make store_int_with_restart() use device_store_ulong() to filter out - negative intervals - - Limit min interval to 1 second - - Correct locking - - Massage commit message - -Signed-off-by: Seunghun Han -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Cc: Greg Kroah-Hartman -Cc: Tony Luck -Cc: linux-edac -Cc: stable@vger.kernel.org -Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com ---- - arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c -index b3323cab9139..466f47301334 100644 ---- a/arch/x86/kernel/cpu/mcheck/mce.c -+++ b/arch/x86/kernel/cpu/mcheck/mce.c -@@ -56,6 +56,9 @@ - - static DEFINE_MUTEX(mce_log_mutex); - -+/* sysfs synchronization */ -+static DEFINE_MUTEX(mce_sysfs_mutex); -+ - #define CREATE_TRACE_POINTS - #include - -@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s, - if (kstrtou64(buf, 0, &new) < 0) - return -EINVAL; - -+ mutex_lock(&mce_sysfs_mutex); - if (mca_cfg.ignore_ce ^ !!new) { - if (new) { - /* disable ce features */ -@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s, - on_each_cpu(mce_enable_ce, (void *)1, 1); - } - } -+ mutex_unlock(&mce_sysfs_mutex); -+ - return size; - } - -@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s, - if (kstrtou64(buf, 0, &new) < 0) - return -EINVAL; - -+ mutex_lock(&mce_sysfs_mutex); - if (mca_cfg.cmci_disabled ^ !!new) { - if (new) { - /* disable cmci */ -@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s, - on_each_cpu(mce_enable_ce, NULL, 1); - } - } -+ mutex_unlock(&mce_sysfs_mutex); -+ - return size; - } - -@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s, - struct device_attribute *attr, - const char *buf, size_t size) - { -- ssize_t ret = device_store_int(s, attr, buf, size); -+ unsigned long old_check_interval = check_interval; -+ ssize_t ret = device_store_ulong(s, attr, buf, size); -+ -+ if (check_interval == old_check_interval) -+ return ret; -+ -+ if (check_interval < 1) -+ check_interval = 1; -+ -+ mutex_lock(&mce_sysfs_mutex); - mce_restart(); -+ mutex_unlock(&mce_sysfs_mutex); -+ - return ret; - } - --- -2.14.3 - diff --git a/drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch b/drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch new file mode 100644 index 0000000..b1c4340 --- /dev/null +++ b/drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch @@ -0,0 +1,65 @@ +From ddc1b88d9947a548cc9a41b421df2941483b1e04 Mon Sep 17 00:00:00 2001 +From: Dhinakaran Pandiyan +Date: Tue, 13 Mar 2018 22:48:25 -0700 +Subject: [PATCH] drm/i915/dp: Write to SET_POWER dpcd to enable MST hub. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If bios sets up an MST output and hardware state readout code sees this is +an SST configuration, when disabling the encoder we end up calling +->post_disable_dp() hook instead of the MST version. Consequently, we write +to the DP_SET_POWER dpcd to set it D3 state. Further along when we try +enable the encoder in MST mode, POWER_UP_PHY transaction fails to power up +the MST hub. This results in continuous link training failures which keep +the system busy delaying boot. We could identify bios MST boot discrepancy +and handle it accordingly but a simple way to solve this is to write to the +DP_SET_POWER dpcd for MST too. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105470 +Cc: Ville Syrjälä +Cc: Jani Nikula +Signed-off-by: Dhinakaran Pandiyan +Reviewed-by: Ville Syrjälä +--- + drivers/gpu/drm/i915/intel_ddi.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c +index 58a3755544b2..38e53d6b8127 100644 +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -2208,8 +2208,7 @@ static void intel_ddi_pre_enable_dp(struct intel_encoder *encoder, + intel_prepare_dp_ddi_buffers(encoder); + + intel_ddi_init_dp_buf_reg(encoder); +- if (!is_mst) +- intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON); ++ intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_ON); + intel_dp_start_link_train(intel_dp); + if (port != PORT_A || INTEL_GEN(dev_priv) >= 9) + intel_dp_stop_link_train(intel_dp); +@@ -2294,19 +2293,12 @@ static void intel_ddi_post_disable_dp(struct intel_encoder *encoder, + struct drm_i915_private *dev_priv = to_i915(encoder->base.dev); + struct intel_digital_port *dig_port = enc_to_dig_port(&encoder->base); + struct intel_dp *intel_dp = &dig_port->dp; +- /* +- * old_crtc_state and old_conn_state are NULL when called from +- * DP_MST. The main connector associated with this port is never +- * bound to a crtc for MST. +- */ +- bool is_mst = !old_crtc_state; + + /* + * Power down sink before disabling the port, otherwise we end + * up getting interrupts from the sink on detecting link loss. + */ +- if (!is_mst) +- intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF); ++ intel_dp_sink_dpms(intel_dp, DRM_MODE_DPMS_OFF); + + intel_disable_ddi_buf(encoder); + +-- +2.14.3 + diff --git a/kernel.spec b/kernel.spec index 8ed60af..30706bc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -630,21 +630,21 @@ Patch652: iwlwifi-mvn.patch # CVE-2018-1000026 rhbz 1541846 1546744 Patch653: CVE-2018-1000026.patch -# CVE-2018-1065 rhbz 1547824 1547831 -Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch - # rhbz 1549316 Patch657: ipmi-fixes.patch # CVE-2018-7757 rhbz 1553361 1553363 Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch -# CVE-2018-7995 rhbz 1553911 1553918 -Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch - # CVE-2018-8043 rhbz 1554199 1554200 Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch +# rhbz 1549042 +Patch661: drm-i915-dp-Write-to-SET_POWER-dpcd-to-enable-MST-hub..patch + +# rhbz 1546709 +Patch662: mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch + # END OF PATCH DEFINITIONS %endif @@ -1943,6 +1943,11 @@ fi # # %changelog +* Thu Mar 15 2018 Laura Abbott - 4.15.10-200 +- Linux v4.15.10 +- Fix for dock booting (rhbz 1549042) +- Fix THP bug (rhbz 1546709) + * Mon Mar 12 2018 Laura Abbott - 4.15.9-200 - Linux v4.15.9 diff --git a/mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch b/mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch new file mode 100644 index 0000000..c5d3a0c --- /dev/null +++ b/mm-khugepaged-Convert-VM_BUG_ON-to-collapse-fail.patch @@ -0,0 +1,51 @@ +From patchwork Thu Mar 15 15:23:53 2018 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: mm/khugepaged: Convert VM_BUG_ON() to collapse fail +From: "Kirill A. Shutemov" +X-Patchwork-Id: 10284785 +Message-Id: <20180315152353.27989-1-kirill.shutemov@linux.intel.com> +To: Andrew Morton +Cc: Laura Abbott , linux-mm@kvack.org, + linux-kernel@vger.kernel.org, + "Kirill A. Shutemov" +Date: Thu, 15 Mar 2018 18:23:53 +0300 + +khugepaged is not yet able to convert PTE-mapped huge pages back to PMD +mapped. We do not collapse such pages. See check khugepaged_scan_pmd(). + +But if between khugepaged_scan_pmd() and __collapse_huge_page_isolate() +somebody managed to instantiate THP in the range and then split the PMD +back to PTEs we would have a problem -- VM_BUG_ON_PAGE(PageCompound(page)) +will get triggered. + +It's possible since we drop mmap_sem during collapse to re-take for +write. + +Replace the VM_BUG_ON() with graceful collapse fail. + +Signed-off-by: Kirill A. Shutemov +Fixes: b1caa957ae6d ("khugepaged: ignore pmd tables with THP mapped with ptes") +--- + mm/khugepaged.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index b7e2268dfc9a..c15da1ea7e63 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -530,7 +530,12 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma, + goto out; + } + +- VM_BUG_ON_PAGE(PageCompound(page), page); ++ /* TODO: teach khugepaged to collapse THP mapped with pte */ ++ if (PageCompound(page)) { ++ result = SCAN_PAGE_COMPOUND; ++ goto out; ++ } ++ + VM_BUG_ON_PAGE(!PageAnon(page), page); + + /* diff --git a/sources b/sources index 0e53c26..6e9a23d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-4.15.tar.xz) = c00d92659df815a53dcac7dde145b742b1f20867d380c07cb09ddb3295d6ff10f8931b21ef0b09d7156923a3957b39d74d87c883300173b2e20690d2b4ec35ea -SHA512 (patch-4.15.9.xz) = 60d24d79c19ab44520e4b583c74ca30045dc72bebd426a802c84d62c369fbda5bd7016aee1f5fa3931937cd31f17d6c0867080eb26949dedbd2d9522ee13143d +SHA512 (patch-4.15.10.xz) = 275abec91344e9409d27dc3ce801f104717730819a9d90786b0ef104525cf706291e0954a3e8d16618179a1e9603d6d12cd9cfdac3efac8783b83a0decdab94a diff --git a/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch b/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch index 7e22e36..a37b15e 100644 --- a/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch +++ b/v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch @@ -25,5 +25,5 @@ index ee5466a374bf..b3c683a84d3f 100644 "LEN004a", /* W541 */ + "LEN0073", /* X1 Carbon 5 */ "LEN200f", /* T450s */ - "LEN2018", /* T460p */ NULL + };