Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-11-26 10:34:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Sun Nov 26 10:34:17 2017 rev:391 rq:545098 version:4.14.2 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-11-24 10:52:43.904095928 +0100 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-11-26 10:34:20.468212104 +0100 
@@ -1,0 +2,52 @@ +Fri Nov 24 09:17:59 CET 2017 - [email protected] + +- ipmi_si: fix memory leak on new_smi (git-fixes). +- commit 4ca3b35 + +------------------------------------------------------------------- +Fri Nov 24 09:05:44 CET 2017 - [email protected] + +- Linux 4.14.2 (bnc#1012628). +- af_netlink: ensure that NLMSG_DONE never fails in dumps + (bnc#1012628). +- vxlan: fix the issue that neigh proxy blocks all icmpv6 packets + (bnc#1012628). +- net: cdc_ncm: GetNtbFormat endian fix (bnc#1012628). +- fealnx: Fix building error on MIPS (bnc#1012628). +- net/sctp: Always set scope_id in sctp_inet6_skb_msgname + (bnc#1012628). +- ima: do not update security.ima if appraisal status is not + INTEGRITY_PASS (bnc#1012628). +- serial: omap: Fix EFR write on RTS deassertion (bnc#1012628). +- serial: 8250_fintek: Fix finding base_port with activated + SuperIO (bnc#1012628). +- tpm-dev-common: Reject too short writes (bnc#1012628). +- rcu: Fix up pending cbs check in rcu_prepare_for_idle + (bnc#1012628). +- mm/pagewalk.c: report holes in hugetlb ranges (bnc#1012628). +- ocfs2: fix cluster hang after a node dies (bnc#1012628). +- ocfs2: should wait dio before inode lock in ocfs2_setattr() + (bnc#1012628). +- ipmi: fix unsigned long underflow (bnc#1012628). +- mm/page_alloc.c: broken deferred calculation (bnc#1012628). +- mm/page_ext.c: check if page_ext is not prepared (bnc#1012628). +- coda: fix 'kernel memory exposure attempt' in fsync + (bnc#1012628). +- ipmi: Prefer ACPI system interfaces over SMBIOS ones + (bnc#1012628). +- commit 295c90a + +------------------------------------------------------------------- +Thu Nov 23 14:48:07 CET 2017 - [email protected] + +- apparmor: fix oops in audit_signal_cb hook (bnc#1069562). +- Refresh patches.suse/0001-AppArmor-basic-networking-rules.patch. 
+- commit d091ad8 + +------------------------------------------------------------------- +Thu Nov 23 13:38:55 CET 2017 - [email protected] + +- bio: ensure __bio_clone_fast copies bi_partno (bnc#1069605). +- commit 59c6ade + +------------------------------------------------------------------- dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change kernel-zfcpdump.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.095970425 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.099970279 +0100 @@ -17,7 +17,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -29,9 +29,9 @@ %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb}) Name: dtb-aarch64 -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.179967362 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.183967216 +0100 
@@ -18,7 +18,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.259964445 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.263964299 +0100 @@ -17,7 +17,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -31,9 +31,9 @@ Summary: Kernel Documentation License: GPL-2.0 Group: Documentation/Man -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.283963570 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.287963424 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.319962257 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.323962111 +0100 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %define vanilla_only 0 
@@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.343961382 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.347961236 +0100 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.375960215 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.379960069 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.407959048 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.411958902 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %define vanilla_only 0 
@@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.435958027 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.439957881 +0100 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.14.1 +Version: 4.14.2 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:27.459957152 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:27.463957006 +0100 @@ -18,7 +18,7 @@ %define srcversion 4.14 -%define patchversion 4.14.1 +%define patchversion 4.14.2 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.14.1 +Version: 4.14.2 %if 0%{?is_kotd} -Release: <RELEASE>.ga5bca71 +Release: <RELEASE>.gb0610fc %else Release: 0 %endif kernel-vanilla.spec: same change kernel-zfcpdump.spec: same change ++++++ patches.kernel.org.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-001-bio-ensure-__bio_clone_fast-copies-bi_partno.patch new/patches.kernel.org/4.14.2-001-bio-ensure-__bio_clone_fast-copies-bi_partno.patch --- old/patches.kernel.org/4.14.2-001-bio-ensure-__bio_clone_fast-copies-bi_partno.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-001-bio-ensure-__bio_clone_fast-copies-bi_partno.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,43 @@ +From: Michael Lyle <[email protected]> +Date: Thu, 16 Nov 2017 23:47:25 -0800 +Subject: [PATCH] bio: ensure __bio_clone_fast copies bi_partno +Patch-mainline: 4.14.2 +References: bnc#1012628 bnc#1069605 +Git-commit: 62530ed8b1d07a45dec94d46e521c0c6c2d476e6 + +commit 62530ed8b1d07a45dec94d46e521c0c6c2d476e6 upstream. + +A new field was introduced in 74d46992e0d9, bi_partno, instead of using +bdev->bd_contains and encoding the partition information in the bi_bdev +field. __bio_clone_fast was changed to copy the disk information, but +not the partition information. At minimum, this regressed bcache and +caused data corruption. + +Signed-off-by: Michael Lyle <[email protected]> +Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index") +Reported-by: Pavel Goran <[email protected]> +Reported-by: Campbell Steven <[email protected]> +Reviewed-by: Coly Li <[email protected]> +Reviewed-by: Ming Lei <[email protected]> +Signed-off-by: Jens Axboe <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + block/bio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/bio.c b/block/bio.c +index 101c2a9b5481..33fa6b4af312 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -597,6 +597,7 @@ void __bio_clone_fast(struct bio *bio, struct bio *bio_src) + * so we don't set nor calculate new physical/hw segment counts here + */ + bio->bi_disk = bio_src->bi_disk; ++ bio->bi_partno = bio_src->bi_partno; + bio_set_flag(bio, BIO_CLONED); + bio->bi_opf = bio_src->bi_opf; + bio->bi_write_hint = bio_src->bi_write_hint; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-002-af_netlink-ensure-that-NLMSG_DONE-never-fails-.patch new/patches.kernel.org/4.14.2-002-af_netlink-ensure-that-NLMSG_DONE-never-fails-.patch --- 
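Review bot: the one-line addition `bio->bi_partno = bio_src->bi_partno;` sits directly after the `bi_disk` copy, which is the right place since the commit message says both fields replaced the old bi_bdev encoding and the clone previously carried the disk but left bi_partno at its default. The Fixes: tag (74d46992e0d9) is the correct backport marker: any tree that introduced bi_partno without this line clones bios that no longer identify the partition, which is consistent with the bcache corruption described above. No further issue with the hunk.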
old/patches.kernel.org/4.14.2-002-af_netlink-ensure-that-NLMSG_DONE-never-fails-.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-002-af_netlink-ensure-that-NLMSG_DONE-never-fails-.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,121 @@ +From: "Jason A. Donenfeld" <[email protected]> +Date: Thu, 9 Nov 2017 13:04:44 +0900 +Subject: [PATCH] af_netlink: ensure that NLMSG_DONE never fails in dumps +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 0642840b8bb008528dbdf929cec9f65ac4231ad0 + +[ Upstream commit 0642840b8bb008528dbdf929cec9f65ac4231ad0 ] + +The way people generally use netlink_dump is that they fill in the skb +as much as possible, breaking when nla_put returns an error. Then, they +get called again and start filling out the next skb, and again, and so +forth. The mechanism at work here is the ability for the iterative +dumping function to detect when the skb is filled up and not fill it +past the brim, waiting for a fresh skb for the rest of the data. + +However, if the attributes are small and nicely packed, it is possible +that a dump callback function successfully fills in attributes until the +skb is of size 4080 (libmnl's default page-sized receive buffer size). +The dump function completes, satisfied, and then, if it happens to be +that this is actually the last skb, and no further ones are to be sent, +then netlink_dump will add on the NLMSG_DONE part: + + nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI); + +It is very important that netlink_dump does this, of course. However, in +this example, that call to nlmsg_put_answer will fail, because the +previous filling by the dump function did not leave it enough room. And +how could it possibly have done so? All of the nla_put variety of +functions simply check to see if the skb has enough tailroom, +independent of the context it is in. + +In order to keep the important assumptions of all netlink dump users, it +is therefore important to give them an skb that has this end part of the +tail already reserved, so that the call to nlmsg_put_answer does not +fail. 
Otherwise, library authors are forced to find some bizarre sized +receive buffer that has a large modulo relative to the common sizes of +messages received, which is ugly and buggy. + +This patch thus saves the NLMSG_DONE for an additional message, for the +case that things are dangerously close to the brim. This requires +keeping track of the errno from ->dump() across calls. + +Signed-off-by: Jason A. Donenfeld <[email protected]> +Signed-off-by: David S. Miller <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + net/netlink/af_netlink.c | 17 +++++++++++------ + net/netlink/af_netlink.h | 1 + + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index b93148e8e9fb..15c99dfa3d72 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2136,7 +2136,7 @@ static int netlink_dump(struct sock *sk) + struct sk_buff *skb = NULL; + struct nlmsghdr *nlh; + struct module *module; +- int len, err = -ENOBUFS; ++ int err = -ENOBUFS; + int alloc_min_size; + int alloc_size; + +@@ -2183,9 +2183,11 @@ static int netlink_dump(struct sock *sk) + skb_reserve(skb, skb_tailroom(skb) - alloc_size); + netlink_skb_set_owner_r(skb, sk); + +- len = cb->dump(skb, cb); ++ if (nlk->dump_done_errno > 0) ++ nlk->dump_done_errno = cb->dump(skb, cb); + +- if (len > 0) { ++ if (nlk->dump_done_errno > 0 || ++ skb_tailroom(skb) < nlmsg_total_size(sizeof(nlk->dump_done_errno))) { + mutex_unlock(nlk->cb_mutex); + + if (sk_filter(sk, skb)) +@@ -2195,13 +2197,15 @@ static int netlink_dump(struct sock *sk) + return 0; + } + +- nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI); +- if (!nlh) ++ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, ++ sizeof(nlk->dump_done_errno), NLM_F_MULTI); ++ if (WARN_ON(!nlh)) + goto errout_skb; + + nl_dump_check_consistent(cb, nlh); + +- memcpy(nlmsg_data(nlh), &len, sizeof(len)); ++ 
memcpy(nlmsg_data(nlh), &nlk->dump_done_errno, ++ sizeof(nlk->dump_done_errno)); + + if (sk_filter(sk, skb)) + kfree_skb(skb); +@@ -2273,6 +2277,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + } + + nlk->cb_running = true; ++ nlk->dump_done_errno = INT_MAX; + + mutex_unlock(nlk->cb_mutex); + +diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h +index 028188597eaa..962de7b3c023 100644 +--- a/net/netlink/af_netlink.h ++++ b/net/netlink/af_netlink.h +@@ -34,6 +34,7 @@ struct netlink_sock { + wait_queue_head_t wait; + bool bound; + bool cb_running; ++ int dump_done_errno; + struct netlink_callback cb; + struct mutex *cb_mutex; + struct mutex cb_def_mutex; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-003-vxlan-fix-the-issue-that-neigh-proxy-blocks-al.patch new/patches.kernel.org/4.14.2-003-vxlan-fix-the-issue-that-neigh-proxy-blocks-al.patch --- old/patches.kernel.org/4.14.2-003-vxlan-fix-the-issue-that-neigh-proxy-blocks-al.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-003-vxlan-fix-the-issue-that-neigh-proxy-blocks-al.patch 2017-11-24 09:05:44.000000000 +0100 
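Review bot: the new early-return condition `nlk->dump_done_errno > 0 || skb_tailroom(skb) < nlmsg_total_size(sizeof(nlk->dump_done_errno))` in the second af_netlink.c hunk of the patch above is the core of the fix: when the callback has finished (errno <= 0) but left less tailroom than a complete NLMSG_DONE needs, the skb is sent as-is and NLMSG_DONE is emitted on the next netlink_dump call, which is why the errno has to persist in struct netlink_sock rather than in the removed local `len`. sizeof(nlk->dump_done_errno) is still sizeof(int), as sizeof(len) was, so the NLMSG_DONE payload that userspace parses is unchanged. Replacing the bare `if (!nlh)` with WARN_ON(!nlh) is justified: the tailroom check guarantees the room, so hitting it would be a logic error rather than a transient condition.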
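Review bot: the `nlk->dump_done_errno = INT_MAX;` in the __netlink_dump_start hunk of the af_netlink patch above is required for correctness, not merely tidy initialization: netlink_dump now only invokes cb->dump while dump_done_errno > 0, so without a positive sentinel a new dump on the same socket would inherit the previous dump's final errno and skip the callback entirely. Any other path that starts a dump without going through __netlink_dump_start would need the same reset; worth confirming there is none.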
@@ -0,0 +1,103 @@ +From: Xin Long <[email protected]> +Date: Sat, 11 Nov 2017 19:58:50 +0800 +Subject: [PATCH] vxlan: fix the issue that neigh proxy blocks all icmpv6 + packets +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 8bff3685a4bbf175a96bc6a528f13455d8d38244 + +[ Upstream commit 8bff3685a4bbf175a96bc6a528f13455d8d38244 ] + +Commit f1fb08f6337c ("vxlan: fix ND proxy when skb doesn't have transport +header offset") removed icmp6_code and icmp6_type check before calling +neigh_reduce when doing neigh proxy. + +It means all icmpv6 packets would be blocked by this, not only ns packet. +In Jianlin's env, even ping6 couldn't work through it. + +This patch is to bring the icmp6_code and icmp6_type check back and also +removed the same check from neigh_reduce(). + +Fixes: f1fb08f6337c ("vxlan: fix ND proxy when skb doesn't have transport header offset") +Reported-by: Jianlin Shi <[email protected]> +Signed-off-by: Xin Long <[email protected]> +Reviewed-by: Vincent Bernat <[email protected]> +Signed-off-by: David S. 
Miller <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/net/vxlan.c | 31 +++++++++++++------------------ + 1 file changed, 13 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index d7c49cf1d5e9..a2f4e52fadb5 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1623,26 +1623,19 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request, + static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + { + struct vxlan_dev *vxlan = netdev_priv(dev); +- struct nd_msg *msg; +- const struct ipv6hdr *iphdr; + const struct in6_addr *daddr; +- struct neighbour *n; ++ const struct ipv6hdr *iphdr; + struct inet6_dev *in6_dev; ++ struct neighbour *n; ++ struct nd_msg *msg; + + in6_dev = __in6_dev_get(dev); + if (!in6_dev) + goto out; + +- if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + sizeof(struct nd_msg))) +- goto out; +- + iphdr = ipv6_hdr(skb); + daddr = &iphdr->daddr; +- + msg = (struct nd_msg *)(iphdr + 1); +- if (msg->icmph.icmp6_code != 0 || +- msg->icmph.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION) +- goto out; + + if (ipv6_addr_loopback(daddr) || + ipv6_addr_is_multicast(&msg->target)) +@@ -2240,11 +2233,11 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, + static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct vxlan_dev *vxlan = netdev_priv(dev); ++ struct vxlan_rdst *rdst, *fdst = NULL; + const struct ip_tunnel_info *info; +- struct ethhdr *eth; + bool did_rsc = false; +- struct vxlan_rdst *rdst, *fdst = NULL; + struct vxlan_fdb *f; ++ struct ethhdr *eth; + __be32 vni = 0; + + info = skb_tunnel_info(skb); +@@ -2269,12 +2262,14 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) + if (ntohs(eth->h_proto) == ETH_P_ARP) + return arp_reduce(dev, skb, vni); + #if IS_ENABLED(CONFIG_IPV6) +- else if (ntohs(eth->h_proto) 
== ETH_P_IPV6) { +- struct ipv6hdr *hdr, _hdr; +- if ((hdr = skb_header_pointer(skb, +- skb_network_offset(skb), +- sizeof(_hdr), &_hdr)) && +- hdr->nexthdr == IPPROTO_ICMPV6) ++ else if (ntohs(eth->h_proto) == ETH_P_IPV6 && ++ pskb_may_pull(skb, sizeof(struct ipv6hdr) + ++ sizeof(struct nd_msg)) && ++ ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) { ++ struct nd_msg *m = (struct nd_msg *)(ipv6_hdr(skb) + 1); ++ ++ if (m->icmph.icmp6_code == 0 && ++ m->icmph.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION) + return neigh_reduce(dev, skb, vni); + } + #endif +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-004-net-cdc_ncm-GetNtbFormat-endian-fix.patch new/patches.kernel.org/4.14.2-004-net-cdc_ncm-GetNtbFormat-endian-fix.patch --- old/patches.kernel.org/4.14.2-004-net-cdc_ncm-GetNtbFormat-endian-fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-004-net-cdc_ncm-GetNtbFormat-endian-fix.patch 2017-11-24 09:05:44.000000000 +0100 
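Review bot: in the vxlan patch above, neigh_reduce() loses both its pskb_may_pull() and the icmp6_code/icmp6_type check and now reads `(struct nd_msg *)(iphdr + 1)` unconditionally; the bounds check moved into the vxlan_xmit hunk, where `pskb_may_pull(skb, sizeof(struct ipv6hdr) + sizeof(struct nd_msg))` precedes the nexthdr and NDISC_NEIGHBOUR_SOLICITATION tests. That is safe for the single caller visible here, but neigh_reduce() now carries an undocumented precondition that the caller has already pulled header plus nd_msg; a comment above the function stating that requirement would keep a future caller from reintroducing an over-read. The variable reordering in both functions is unrelated churn that enlarges a stable backport.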
@@ -0,0 +1,58 @@ +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <[email protected]> +Date: Wed, 15 Nov 2017 09:35:02 +0100 +Subject: [PATCH] net: cdc_ncm: GetNtbFormat endian fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 6314dab4b8fb8493d810e175cb340376052c69b6 + +[ Upstream commit 6314dab4b8fb8493d810e175cb340376052c69b6 ] + +The GetNtbFormat and SetNtbFormat requests operate on 16 bit little +endian values. We get away with ignoring this most of the time, because +we only care about USB_CDC_NCM_NTB16_FORMAT which is 0x0000. This +fails for USB_CDC_NCM_NTB32_FORMAT. + +Fix comparison between LE value from device and constant by converting +the constant to LE. + +Reported-by: Ben Hutchings <[email protected]> +Fixes: 2b02c20ce0c2 ("cdc_ncm: Set NTB format again after altsetting switch for Huawei devices") +Cc: Enrico Mioso <[email protected]> +Cc: Christian Panton <[email protected]> +Signed-off-by: Bjørn Mork <[email protected]> +Acked-By: Enrico Mioso <[email protected]> +Signed-off-by: David S. 
Miller <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/net/usb/cdc_ncm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 47cab1bde065..9e1b74590682 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -771,7 +771,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + int err; + u8 iface_no; + struct usb_cdc_parsed_header hdr; +- u16 curr_ntb_format; ++ __le16 curr_ntb_format; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) +@@ -889,7 +889,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + goto error2; + } + +- if (curr_ntb_format == USB_CDC_NCM_NTB32_FORMAT) { ++ if (curr_ntb_format == cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT)) { + dev_info(&intf->dev, "resetting NTB format to 16-bit"); + err = usbnet_write_cmd(dev, USB_CDC_SET_NTB_FORMAT, + USB_TYPE_CLASS | USB_DIR_OUT +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-005-fealnx-Fix-building-error-on-MIPS.patch new/patches.kernel.org/4.14.2-005-fealnx-Fix-building-error-on-MIPS.patch --- old/patches.kernel.org/4.14.2-005-fealnx-Fix-building-error-on-MIPS.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-005-fealnx-Fix-building-error-on-MIPS.patch 2017-11-24 09:05:44.000000000 +0100 
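Review bot: changing curr_ntb_format to __le16 and comparing against cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT) is the right fix, and the __le16 annotation means sparse will now flag any remaining raw use of the variable. The hunk shows only this comparison, so the rest of cdc_ncm_bind_common should be checked for other reads of curr_ntb_format that would need le16_to_cpu(), for example if it is ever logged. As the message notes, the bug was masked because USB_CDC_NCM_NTB16_FORMAT is 0x0000, which is identical in either byte order.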
@@ -0,0 +1,48 @@ +From: Huacai Chen <[email protected]> +Date: Thu, 16 Nov 2017 11:07:15 +0800 +Subject: [PATCH] fealnx: Fix building error on MIPS +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: cc54c1d32e6a4bb3f116721abf900513173e4d02 + +[ Upstream commit cc54c1d32e6a4bb3f116721abf900513173e4d02 ] + +This patch try to fix the building error on MIPS. The reason is MIPS +has already defined the LONG macro, which conflicts with the LONG enum +in drivers/net/ethernet/fealnx.c. + +Signed-off-by: Huacai Chen <[email protected]> +Signed-off-by: David S. Miller <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/net/ethernet/fealnx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c +index e92859dab7ae..e191c4ebeaf4 100644 +--- a/drivers/net/ethernet/fealnx.c ++++ b/drivers/net/ethernet/fealnx.c +@@ -257,8 +257,8 @@ enum rx_desc_status_bits { + RXFSD = 0x00000800, /* first descriptor */ + RXLSD = 0x00000400, /* last descriptor */ + ErrorSummary = 0x80, /* error summary */ +- RUNT = 0x40, /* runt packet received */ +- LONG = 0x20, /* long packet received */ ++ RUNTPKT = 0x40, /* runt packet received */ ++ LONGPKT = 0x20, /* long packet received */ + FAE = 0x10, /* frame align error */ + CRC = 0x08, /* crc error */ + RXER = 0x04, /* receive error */ +@@ -1632,7 +1632,7 @@ static int netdev_rx(struct net_device *dev) + dev->name, rx_status); + + dev->stats.rx_errors++; /* end of a packet. 
*/ +- if (rx_status & (LONG | RUNT)) ++ if (rx_status & (LONGPKT | RUNTPKT)) + dev->stats.rx_length_errors++; + if (rx_status & RXER) + dev->stats.rx_frame_errors++; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-006-net-sctp-Always-set-scope_id-in-sctp_inet6_skb.patch new/patches.kernel.org/4.14.2-006-net-sctp-Always-set-scope_id-in-sctp_inet6_skb.patch --- old/patches.kernel.org/4.14.2-006-net-sctp-Always-set-scope_id-in-sctp_inet6_skb.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-006-net-sctp-Always-set-scope_id-in-sctp_inet6_skb.patch 2017-11-24 09:05:44.000000000 +0100 
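Review bot: renaming the enumerators to RUNTPKT/LONGPKT rather than working around the MIPS LONG macro is the cleaner choice, and the second hunk updates the one use in netdev_rx. Since the enum members are driver-local, any other reference to LONG or RUNT left in fealnx.c would now fail to compile on every architecture rather than only on MIPS, so a successful build is itself the completeness check for this rename.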
@@ -0,0 +1,62 @@ +From: "Eric W. Biederman" <[email protected]> +Date: Wed, 15 Nov 2017 22:17:48 -0600 +Subject: [PATCH] net/sctp: Always set scope_id in sctp_inet6_skb_msgname +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 7c8a61d9ee1df0fb4747879fa67a99614eb62fec + +[ Upstream commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec ] + +Alexandar Potapenko while testing the kernel with KMSAN and syzkaller +discovered that in some configurations sctp would leak 4 bytes of +kernel stack. + +Working with his reproducer I discovered that those 4 bytes that +are leaked is the scope id of an ipv6 address returned by recvmsg. + +With a little code inspection and a shrewd guess I discovered that +sctp_inet6_skb_msgname only initializes the scope_id field for link +local ipv6 addresses to the interface index the link local address +pertains to instead of initializing the scope_id field for all ipv6 +addresses. + +That is almost reasonable as scope_id's are meaniningful only for link +local addresses. Set the scope_id in all other cases to 0 which is +not a valid interface index to make it clear there is nothing useful +in the scope_id field. + +There should be no danger of breaking userspace as the stack leak +guaranteed that previously meaningless random data was being returned. + +Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.") +History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Reported-by: Alexander Potapenko <[email protected]> +Tested-by: Alexander Potapenko <[email protected]> +Signed-off-by: "Eric W. Biederman" <[email protected]> +Signed-off-by: David S. 
Miller <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + net/sctp/ipv6.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index a6dfa86c0201..3b18085e3b10 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -807,9 +807,10 @@ static void sctp_inet6_skb_msgname(struct sk_buff *skb, char *msgname, + addr->v6.sin6_flowinfo = 0; + addr->v6.sin6_port = sh->source; + addr->v6.sin6_addr = ipv6_hdr(skb)->saddr; +- if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { ++ if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) + addr->v6.sin6_scope_id = sctp_v6_skb_iif(skb); +- } ++ else ++ addr->v6.sin6_scope_id = 0; + } + + *addr_len = sctp_v6_addr_to_user(sctp_sk(skb->sk), addr); +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-007-ima-do-not-update-security.ima-if-appraisal-st.patch new/patches.kernel.org/4.14.2-007-ima-do-not-update-security.ima-if-appraisal-st.patch --- old/patches.kernel.org/4.14.2-007-ima-do-not-update-security.ima-if-appraisal-st.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-007-ima-do-not-update-security.ima-if-appraisal-st.patch 2017-11-24 09:05:44.000000000 +0100 
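Review bot: the else branch setting sin6_scope_id to 0 closes the 4-byte stack leak described in the message, but it does so one field at a time; zeroing the whole sockaddr before populating it (memset or zero-initialization) would also cover any field added later and is the more robust pattern for a structure that is copied to userspace. The brace removal around the now single-statement branches is consistent with kernel style.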
@@ -0,0 +1,52 @@ +From: Roberto Sassu <[email protected]> +Date: Tue, 7 Nov 2017 11:37:07 +0100 +Subject: [PATCH] ima: do not update security.ima if appraisal status is not + INTEGRITY_PASS +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb + +commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream. + +Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters") +moved the call of ima_file_check() from may_open() to do_filp_open() at a +point where the file descriptor is already opened. + +This breaks the assumption made by IMA that file descriptors being closed +belong to files whose access was granted by ima_file_check(). The +consequence is that security.ima and security.evm are updated with good +values, regardless of the current appraisal status. + +For example, if a file does not have security.ima, IMA will create it after +opening the file for writing, even if access is denied. Access to the file +will be allowed afterwards. + +Avoid this issue by checking the appraisal status before updating +security.ima. 
+ +Signed-off-by: Roberto Sassu <[email protected]> +Signed-off-by: Mimi Zohar <[email protected]> +Signed-off-by: James Morris <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + security/integrity/ima/ima_appraise.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 809ba70fbbbf..7d769b948de8 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -320,6 +320,9 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) + if (iint->flags & IMA_DIGSIG) + return; + ++ if (iint->ima_file_status != INTEGRITY_PASS) ++ return; ++ + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo); + if (rc < 0) + return; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-008-serial-omap-Fix-EFR-write-on-RTS-deassertion.patch new/patches.kernel.org/4.14.2-008-serial-omap-Fix-EFR-write-on-RTS-deassertion.patch --- old/patches.kernel.org/4.14.2-008-serial-omap-Fix-EFR-write-on-RTS-deassertion.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-008-serial-omap-Fix-EFR-write-on-RTS-deassertion.patch 2017-11-24 09:05:44.000000000 +0100 
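Review bot: the new `if (iint->ima_file_status != INTEGRITY_PASS) return;` is placed after the IMA_DIGSIG check and before ima_collect_measurement(), so no hash is computed for a file whose appraisal failed, which matches the scenario in the message (security.ima created on a write open even though access was denied). One point to confirm: ima_file_status must hold a non-PASS value when no appraisal has run for this iint at all, otherwise a never-appraised file would still get its xattr written; the hunk does not show how the field is initialized.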
@@ -0,0 +1,39 @@ +From: Lukas Wunner <[email protected]> +Date: Sat, 21 Oct 2017 10:50:18 +0200 +Subject: [PATCH] serial: omap: Fix EFR write on RTS deassertion +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 2a71de2f7366fb1aec632116d0549ec56d6a3940 + +commit 2a71de2f7366fb1aec632116d0549ec56d6a3940 upstream. + +Commit 348f9bb31c56 ("serial: omap: Fix RTS handling") sought to enable +auto RTS upon manual RTS assertion and disable it on deassertion. +However it seems the latter was done incorrectly, it clears all bits in +the Extended Features Register *except* auto RTS. + +Fixes: 348f9bb31c56 ("serial: omap: Fix RTS handling") +Cc: Peter Hurley <[email protected]> +Signed-off-by: Lukas Wunner <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/tty/serial/omap-serial.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/omap-serial.c b/drivers/tty/serial/omap-serial.c +index 7754053deeda..26a22b100df1 100644 +--- a/drivers/tty/serial/omap-serial.c ++++ b/drivers/tty/serial/omap-serial.c +@@ -693,7 +693,7 @@ static void serial_omap_set_mctrl(struct uart_port *port, unsigned int mctrl) + if ((mctrl & TIOCM_RTS) && (port->status & UPSTAT_AUTORTS)) + up->efr |= UART_EFR_RTS; + else +- up->efr &= UART_EFR_RTS; ++ up->efr &= ~UART_EFR_RTS; + serial_out(up, UART_EFR, up->efr); + serial_out(up, UART_LCR, lcr); + +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-009-serial-8250_fintek-Fix-finding-base_port-with-.patch new/patches.kernel.org/4.14.2-009-serial-8250_fintek-Fix-finding-base_port-with-.patch --- old/patches.kernel.org/4.14.2-009-serial-8250_fintek-Fix-finding-base_port-with-.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-009-serial-8250_fintek-Fix-finding-base_port-with-.patch 2017-11-24 09:05:44.000000000 +0100 
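Review bot: `up->efr &= UART_EFR_RTS;` masked the Extended Features Register down to the auto-RTS bit alone, the opposite of the stated intent; `&= ~UART_EFR_RTS` is the correct clear and the hunk is right. This `&= CONST` without `~` pattern compiles cleanly and only shows up as wrong flow-control behaviour on hardware, so it is a good candidate for a coccinelle or static-analysis rule in a driver tree.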
@@ -0,0 +1,44 @@ +From: "Ji-Ze Hong (Peter Hong)" <[email protected]> +Date: Tue, 17 Oct 2017 14:23:08 +0800 +Subject: [PATCH] serial: 8250_fintek: Fix finding base_port with activated + SuperIO +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: fd97e66c5529046e989a0879c3bb58fddb592c71 + +commit fd97e66c5529046e989a0879c3bb58fddb592c71 upstream. + +The SuperIO will be configured at boot time by BIOS, but some BIOS +will not deactivate the SuperIO when the end of configuration. It'll +lead to mismatch for pdata->base_port in probe_setup_port(). So we'll +deactivate all SuperIO before activate special base_port in +fintek_8250_enter_key(). + +Tested on iBASE MI802. + +Tested-by: Ji-Ze Hong (Peter Hong) <[email protected]> +Signed-off-by: Ji-Ze Hong (Peter Hong) <[email protected]> +Reviewd-by: Alan Cox <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/tty/serial/8250/8250_fintek.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_fintek.c b/drivers/tty/serial/8250/8250_fintek.c +index e500f7dd2470..4bd376c08b59 100644 +--- a/drivers/tty/serial/8250/8250_fintek.c ++++ b/drivers/tty/serial/8250/8250_fintek.c +@@ -118,6 +118,9 @@ static int fintek_8250_enter_key(u16 base_port, u8 key) + if (!request_muxed_region(base_port, 2, "8250_fintek")) + return -EBUSY; + ++ /* Force to deactive all SuperIO in this base_port */ ++ outb(EXIT_KEY, base_port + ADDR_PORT); ++ + outb(key, base_port + ADDR_PORT); + outb(key, base_port + ADDR_PORT); + return 0; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-010-tpm-dev-common-Reject-too-short-writes.patch new/patches.kernel.org/4.14.2-010-tpm-dev-common-Reject-too-short-writes.patch --- old/patches.kernel.org/4.14.2-010-tpm-dev-common-Reject-too-short-writes.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
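Review bot: typo in the new comment, `/* Force to deactive all SuperIO in this base_port */` should read `deactivate`, and it would be clearer stated as the rationale from the commit message: BIOS may leave the SuperIO in configuration mode, so EXIT_KEY is written first to start the key sequence from a known deactivated state. The comment should also say that EXIT_KEY is expected to be ignored by a device that is already out of configuration mode, since the write is unconditional. Separately, `Reviewd-by:` in the trailers should be `Reviewed-by:` so tag-parsing tools pick it up.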
new/patches.kernel.org/4.14.2-010-tpm-dev-common-Reject-too-short-writes.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,49 @@ +From: Alexander Steffen <[email protected]> +Date: Fri, 8 Sep 2017 17:21:32 +0200 +Subject: [PATCH] tpm-dev-common: Reject too short writes +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: ee70bc1e7b63ac8023c9ff9475d8741e397316e7 + +commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream. + +tpm_transmit() does not offer an explicit interface to indicate the number +of valid bytes in the communication buffer. Instead, it relies on the +commandSize field in the TPM header that is encoded within the buffer. +Therefore, ensure that a) enough data has been written to the buffer, so +that the commandSize field is present and b) the commandSize field does not +announce more data than has been written to the buffer. + +This should have been fixed with CVE-2011-1161 long ago, but apparently +a correct version of that patch never made it into the kernel. + +Signed-off-by: Alexander Steffen <[email protected]> +Reviewed-by: Jarkko Sakkinen <[email protected]> +Tested-by: Jarkko Sakkinen <[email protected]> +Signed-off-by: Jarkko Sakkinen <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/char/tpm/tpm-dev-common.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c +index 610638a80383..461bf0b8a094 100644 +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -110,6 +110,12 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, + return -EFAULT; + } + ++ if (in_size < 6 || ++ in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { ++ mutex_unlock(&priv->buffer_mutex); ++ return -EINVAL; ++ } ++ + /* atomic tpm command send and result receive. We only hold the ops + * lock during this period so that the tpm can be unregistered even if + * the char dev is held open. 
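Review bot: the new check hard-codes the header layout (`in_size < 6` and `priv->data_buffer + 2`). The TPM command header is tag (2 bytes), commandSize (4 bytes), ordinal (4 bytes), so using the driver's existing header-size constant and a cast to the header struct would be clearer than the magic 6 and 2, and a lower bound of a full header would additionally reject a 6-to-9-byte write that carries a self-consistent commandSize but no ordinal, instead of forwarding it to tpm_transmit(). Both conditions as written do match the commit message: enough bytes for commandSize to be present, and commandSize not larger than what was actually written.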
+-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-011-rcu-Fix-up-pending-cbs-check-in-rcu_prepare_fo.patch new/patches.kernel.org/4.14.2-011-rcu-Fix-up-pending-cbs-check-in-rcu_prepare_fo.patch --- old/patches.kernel.org/4.14.2-011-rcu-Fix-up-pending-cbs-check-in-rcu_prepare_fo.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-011-rcu-Fix-up-pending-cbs-check-in-rcu_prepare_fo.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,39 @@ +From: Neeraj Upadhyay <[email protected]> +Date: Mon, 7 Aug 2017 11:20:10 +0530 +Subject: [PATCH] rcu: Fix up pending cbs check in rcu_prepare_for_idle +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 135bd1a230bb69a68c9808a7d25467318900b80a + +commit 135bd1a230bb69a68c9808a7d25467318900b80a upstream. + +The pending-callbacks check in rcu_prepare_for_idle() is backwards. +It should accelerate if there are pending callbacks, but the check +rather uselessly accelerates only if there are no callbacks. This commit +therefore inverts this check. + +Fixes: 15fecf89e46a ("srcu: Abstract multi-tail callback list handling") +Signed-off-by: Neeraj Upadhyay <[email protected]> +Signed-off-by: Paul E. McKenney <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + kernel/rcu/tree_plugin.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index e012b9be777e..fed95fa941e6 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -1507,7 +1507,7 @@ static void rcu_prepare_for_idle(void) + rdtp->last_accelerate = jiffies; + for_each_rcu_flavor(rsp) { + rdp = this_cpu_ptr(rsp->rda); +- if (rcu_segcblist_pend_cbs(&rdp->cblist)) ++ if (!rcu_segcblist_pend_cbs(&rdp->cblist)) + continue; + rnp = rdp->mynode; + raw_spin_lock_rcu_node(rnp); /* irqs already disabled. */ +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-012-mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch new/patches.kernel.org/4.14.2-012-mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch --- old/patches.kernel.org/4.14.2-012-mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-012-mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch 2017-11-24 09:05:44.000000000 +0100 
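Review bot: the inverted condition matches the commit message (accelerate only when callbacks are pending), but since the original bug was exactly a polarity mistake on this line, a trailing comment on the `continue`, such as `/* No callbacks, nothing to accelerate. */`, would make the intent visible at the point of use. The rest of the loop body is unchanged, no further concerns.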
@@ -0,0 +1,56 @@ +From: Jann Horn <[email protected]> +Date: Tue, 14 Nov 2017 01:03:44 +0100 +Subject: [PATCH] mm/pagewalk.c: report holes in hugetlb ranges +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 373c4557d2aa362702c4c2d41288fb1e54990b7c + +commit 373c4557d2aa362702c4c2d41288fb1e54990b7c upstream. + +This matters at least for the mincore syscall, which will otherwise copy +uninitialized memory from the page allocator to userspace. It is +probably also a correctness error for /proc/$pid/pagemap, but I haven't +tested that. + +Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has +no effect because the caller already checks for that. + +This only reports holes in hugetlb ranges to callers who have specified +a hugetlb_entry callback. + +This issue was found using an AFL-based fuzzer. + +v2: + - don't crash on ->pte_hole==NULL (Andrew Morton) + - add Cc stable (Andrew Morton) + +Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()") +Signed-off-by: Jann Horn <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + mm/pagewalk.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/pagewalk.c b/mm/pagewalk.c +index 8bd4afa83cb8..23a3e415ac2c 100644 +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -188,8 +188,12 @@ static int walk_hugetlb_range(unsigned long addr, unsigned long end, + do { + next = hugetlb_entry_end(h, addr, end); + pte = huge_pte_offset(walk->mm, addr & hmask, sz); +- if (pte && walk->hugetlb_entry) ++ ++ if (pte) + err = walk->hugetlb_entry(pte, hmask, addr, next, walk); ++ else if (walk->pte_hole) ++ err = walk->pte_hole(addr, next, walk); ++ + if (err) + break; + } while (addr = next, addr != end); +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
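Review bot: `walk->hugetlb_entry` is now called unconditionally when `pte` is set. The commit message says the caller already checks for a NULL callback, but nothing in walk_hugetlb_range() records that precondition, so add a one-line comment above `if (pte)` (or a `VM_BUG_ON(!walk->hugetlb_entry)`) so a future caller of this static helper does not reintroduce a NULL dereference. The `else if (walk->pte_hole)` branch correctly tolerates a missing hole callback, per the v2 note in the message. The mincore exposure, uninitialized page-allocator memory copied to userspace through unreported hugetlb holes, is the security-relevant part and justifies the stable backport.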
old/patches.kernel.org/4.14.2-013-ocfs2-fix-cluster-hang-after-a-node-dies.patch new/patches.kernel.org/4.14.2-013-ocfs2-fix-cluster-hang-after-a-node-dies.patch --- old/patches.kernel.org/4.14.2-013-ocfs2-fix-cluster-hang-after-a-node-dies.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-013-ocfs2-fix-cluster-hang-after-a-node-dies.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,59 @@ +From: Changwei Ge <[email protected]> +Date: Wed, 15 Nov 2017 17:31:33 -0800 +Subject: [PATCH] ocfs2: fix cluster hang after a node dies +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 1c01967116a678fed8e2c68a6ab82abc8effeddc + +commit 1c01967116a678fed8e2c68a6ab82abc8effeddc upstream. + +When a node dies, other live nodes have to choose a new master for an +existed lock resource mastered by the dead node. + +As for ocfs2/dlm implementation, this is done by function - +dlm_move_lockres_to_recovery_list which marks those lock rsources as +DLM_LOCK_RES_RECOVERING and manages them via a list from which DLM +changes lock resource's master later. + +So without invoking dlm_move_lockres_to_recovery_list, no master will be +choosed after dlm recovery accomplishment since no lock resource can be +found through ::resource list. + +What's worse is that if DLM_LOCK_RES_RECOVERING is not marked for lock +resources mastered a dead node, it will break up synchronization among +nodes. + +So invoke dlm_move_lockres_to_recovery_list again. 
+ +Fixs: 'commit ee8f7fcbe638 ("ocfs2/dlm: continue to purge recovery lockres when recovery master goes down")' +Link: http://lkml.kernel.org/r/63adc13fd55d6546b7dece290d39e373ced6e...@h3cmlb14-ex.srv.huawei-3com.com +Signed-off-by: Changwei Ge <[email protected]> +Reported-by: Vitaly Mayatskih <[email protected]> +Tested-by: Vitaly Mayatskikh <[email protected]> +Cc: Mark Fasheh <[email protected]> +Cc: Joel Becker <[email protected]> +Cc: Junxiao Bi <[email protected]> +Cc: Joseph Qi <[email protected]> +Signed-off-by: Andrew Morton <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + fs/ocfs2/dlm/dlmrecovery.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c +index 74407c6dd592..ec8f75813beb 100644 +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -2419,6 +2419,7 @@ static void dlm_do_local_recovery_cleanup(struct dlm_ctxt *dlm, u8 dead_node) + dlm_lockres_put(res); + continue; + } ++ dlm_move_lockres_to_recovery_list(dlm, res); + } else if (res->owner == dlm->node_num) { + dlm_free_dead_locks(dlm, res, dead_node); + __dlm_lockres_calc_usage(dlm, res); +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-014-ocfs2-should-wait-dio-before-inode-lock-in-ocf.patch new/patches.kernel.org/4.14.2-014-ocfs2-should-wait-dio-before-inode-lock-in-ocf.patch --- old/patches.kernel.org/4.14.2-014-ocfs2-should-wait-dio-before-inode-lock-in-ocf.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-014-ocfs2-should-wait-dio-before-inode-lock-in-ocf.patch 2017-11-24 09:05:44.000000000 +0100 
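Review bot: the trailer `Fixs: 'commit ee8f7fcbe638 (...)'` should be the standard form `Fixes: ee8f7fcbe638 ("ocfs2/dlm: continue to purge recovery lockres when recovery master goes down")`, otherwise stable tooling that keys on `Fixes:` will not link this to the commit it repairs. In the hunk, a short comment above the new `dlm_move_lockres_to_recovery_list(dlm, res);` stating that resources mastered by the dead node must be marked DLM_LOCK_RES_RECOVERING here so a new master is chosen after recovery (the reasoning given in the message) would stop the call being removed again as seemingly redundant, which the word "again" in the message suggests is how this regression arose.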
@@ -0,0 +1,87 @@ +From: alex chen <[email protected]> +Date: Wed, 15 Nov 2017 17:31:40 -0800 +Subject: [PATCH] ocfs2: should wait dio before inode lock in ocfs2_setattr() +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 + +commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream. + +we should wait dio requests to finish before inode lock in +ocfs2_setattr(), otherwise the following deadlock will happen: + +process 1 process 2 process 3 +truncate file 'A' end_io of writing file 'A' receiving the bast messages +ocfs2_setattr + ocfs2_inode_lock_tracker + ocfs2_inode_lock_full + inode_dio_wait + __inode_dio_wait + -->waiting for all dio + requests finish + dlm_proxy_ast_handler + dlm_do_local_bast + ocfs2_blocking_ast + ocfs2_generic_handle_bast + set OCFS2_LOCK_BLOCKED flag + dio_end_io + dio_bio_end_aio + dio_complete + ocfs2_dio_end_io + ocfs2_dio_end_io_write + ocfs2_inode_lock + __ocfs2_cluster_lock + ocfs2_wait_for_mask + -->waiting for OCFS2_LOCK_BLOCKED + flag to be cleared, that is waiting + for 'process 1' unlocking the inode lock + inode_dio_end + -->here dec the i_dio_count, but will never + be called, so a deadlock happened. 
+ +Link: http://lkml.kernel.org/r/[email protected] +Signed-off-by: Alex Chen <[email protected]> +Reviewed-by: Jun Piao <[email protected]> +Reviewed-by: Joseph Qi <[email protected]> +Acked-by: Changwei Ge <[email protected]> +Cc: Mark Fasheh <[email protected]> +Cc: Joel Becker <[email protected]> +Cc: Junxiao Bi <[email protected]> +Signed-off-by: Andrew Morton <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + fs/ocfs2/file.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c +index 6e41fc8fabbe..dc455d45a66a 100644 +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -1161,6 +1161,13 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr) + } + size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; + if (size_change) { ++ /* ++ * Here we should wait dio to finish before inode lock ++ * to avoid a deadlock between ocfs2_setattr() and ++ * ocfs2_dio_end_io_write() ++ */ ++ inode_dio_wait(inode); ++ + status = ocfs2_rw_lock(inode, 1); + if (status < 0) { + mlog_errno(status); +@@ -1200,8 +1207,6 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr) + if (status) + goto bail_unlock; + +- inode_dio_wait(inode); +- + if (i_size_read(inode) >= attr->ia_size) { + if (ocfs2_should_order_data(inode)) { + status = ocfs2_begin_ordered_truncate(inode, +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-015-ipmi-fix-unsigned-long-underflow.patch new/patches.kernel.org/4.14.2-015-ipmi-fix-unsigned-long-underflow.patch --- old/patches.kernel.org/4.14.2-015-ipmi-fix-unsigned-long-underflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-015-ipmi-fix-unsigned-long-underflow.patch 2017-11-24 09:05:44.000000000 +0100 
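Review bot: grammar in the new comment, "Here we should wait dio to finish before inode lock" should read "Wait for in-flight direct I/O to finish before taking the inode lock, to avoid the deadlock between ocfs2_setattr() and ocfs2_dio_end_io_write()". One question on the move itself: after `inode_dio_wait(inode)` returns and before `ocfs2_rw_lock(inode, 1)` is taken, what prevents a new direct write from starting on this inode? If it is the VFS inode lock held by the caller of ->setattr, the comment should say so, because the original placement after the cluster lock did not need that argument.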
@@ -0,0 +1,68 @@ +From: Corey Minyard <[email protected]> +Date: Sat, 29 Jul 2017 21:14:55 -0500 +Subject: [PATCH] ipmi: fix unsigned long underflow +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 392a17b10ec4320d3c0e96e2a23ebaad1123b989 + +commit 392a17b10ec4320d3c0e96e2a23ebaad1123b989 upstream. + +When I set the timeout to a specific value such as 500ms, the timeout +event will not happen in time due to the overflow in function +check_msg_timeout: +... + ent->timeout -= timeout_period; + if (ent->timeout > 0) + return; +... + +The type of timeout_period is long, but ent->timeout is unsigned long. +This patch makes the type consistent. + +Reported-by: Weilong Chen <[email protected]> +Signed-off-by: Corey Minyard <[email protected]> +Tested-by: Weilong Chen <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/char/ipmi/ipmi_msghandler.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 810b138f5897..c82d9fd2f05a 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4030,7 +4030,8 @@ smi_from_recv_msg(ipmi_smi_t intf, struct ipmi_recv_msg *recv_msg, + } + + static void check_msg_timeout(ipmi_smi_t intf, struct seq_table *ent, +- struct list_head *timeouts, long timeout_period, ++ struct list_head *timeouts, ++ unsigned long timeout_period, + int slot, unsigned long *flags, + unsigned int *waiting_msgs) + { +@@ -4043,8 +4044,8 @@ static void check_msg_timeout(ipmi_smi_t intf, struct seq_table *ent, + if (!ent->inuse) + return; + +- ent->timeout -= timeout_period; +- if (ent->timeout > 0) { ++ if (timeout_period < ent->timeout) { ++ ent->timeout -= timeout_period; + (*waiting_msgs)++; + return; + } +@@ -4110,7 +4111,8 @@ static void check_msg_timeout(ipmi_smi_t intf, struct seq_table *ent, + } + } + +-static 
unsigned int ipmi_timeout_handler(ipmi_smi_t intf, long timeout_period) ++static unsigned int ipmi_timeout_handler(ipmi_smi_t intf, ++ unsigned long timeout_period) + { + struct list_head timeouts; + struct ipmi_recv_msg *msg, *msg2; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-016-mm-page_alloc.c-broken-deferred-calculation.patch new/patches.kernel.org/4.14.2-016-mm-page_alloc.c-broken-deferred-calculation.patch --- old/patches.kernel.org/4.14.2-016-mm-page_alloc.c-broken-deferred-calculation.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-016-mm-page_alloc.c-broken-deferred-calculation.patch 2017-11-24 09:05:44.000000000 +0100 
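Review bot: the rewrite `if (timeout_period < ent->timeout) { ent->timeout -= timeout_period; ... }` fixes the underflow, but on the expired path `ent->timeout` is no longer decremented at all (the old code always subtracted, then tested). Anything below this hunk that reads `ent->timeout` after expiry now sees the pre-expiry value; the visible context shows no such use, but it is worth confirming before backporting. Equality (`timeout_period == ent->timeout`) is treated as expired in both versions, so behaviour there is unchanged. Minor: the subject says "underflow" while the description says "overflow"; underflow is the accurate term for an `unsigned long` going below zero.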
@@ -0,0 +1,113 @@ +From: Pavel Tatashin <[email protected]> +Date: Wed, 15 Nov 2017 17:38:41 -0800 +Subject: [PATCH] mm/page_alloc.c: broken deferred calculation +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: d135e5750205a21a212a19dbb05aeb339e2cbea7 + +commit d135e5750205a21a212a19dbb05aeb339e2cbea7 upstream. + +In reset_deferred_meminit() we determine number of pages that must not +be deferred. We initialize pages for at least 2G of memory, but also +pages for reserved memory in this node. + +The reserved memory is determined in this function: +memblock_reserved_memory_within(), which operates over physical +addresses, and returns size in bytes. However, reset_deferred_meminit() +assumes that that this function operates with pfns, and returns page +count. + +The result is that in the best case machine boots slower than expected +due to initializing more pages than needed in single thread, and in the +worst case panics because fewer than needed pages are initialized early. + +Link: http://lkml.kernel.org/r/[email protected] +Fixes: 864b9a393dcb ("mm: consider memblock reservations for deferred memory initialization sizing") +Signed-off-by: Pavel Tatashin <[email protected]> +Acked-by: Michal Hocko <[email protected]> +Cc: Mel Gorman <[email protected]> +Signed-off-by: Andrew Morton <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + include/linux/mmzone.h | 3 ++- + mm/page_alloc.c | 27 ++++++++++++++++++--------- + 2 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h +index c9c4a81b9767..18b06983131a 100644 +--- a/include/linux/mmzone.h ++++ b/include/linux/mmzone.h +@@ -700,7 +700,8 @@ typedef struct pglist_data { + * is the first PFN that needs to be initialised. 
+ */ + unsigned long first_deferred_pfn; +- unsigned long static_init_size; ++ /* Number of non-deferred pages */ ++ unsigned long static_init_pgcnt; + #endif /* CONFIG_DEFERRED_STRUCT_PAGE_INIT */ + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 77e4d3c5c57b..82a6270c9743 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -290,28 +290,37 @@ EXPORT_SYMBOL(nr_online_nodes); + int page_group_by_mobility_disabled __read_mostly; + + #ifdef CONFIG_DEFERRED_STRUCT_PAGE_INIT ++ ++/* ++ * Determine how many pages need to be initialized durig early boot ++ * (non-deferred initialization). ++ * The value of first_deferred_pfn will be set later, once non-deferred pages ++ * are initialized, but for now set it ULONG_MAX. ++ */ + static inline void reset_deferred_meminit(pg_data_t *pgdat) + { +- unsigned long max_initialise; +- unsigned long reserved_lowmem; ++ phys_addr_t start_addr, end_addr; ++ unsigned long max_pgcnt; ++ unsigned long reserved; + + /* + * Initialise at least 2G of a node but also take into account that + * two large system hashes that can take up 1GB for 0.25TB/node. + */ +- max_initialise = max(2UL << (30 - PAGE_SHIFT), +- (pgdat->node_spanned_pages >> 8)); ++ max_pgcnt = max(2UL << (30 - PAGE_SHIFT), ++ (pgdat->node_spanned_pages >> 8)); + + /* + * Compensate the all the memblock reservations (e.g. crash kernel) + * from the initial estimation to make sure we will initialize enough + * memory to boot. 
+ */ +- reserved_lowmem = memblock_reserved_memory_within(pgdat->node_start_pfn, +- pgdat->node_start_pfn + max_initialise); +- max_initialise += reserved_lowmem; ++ start_addr = PFN_PHYS(pgdat->node_start_pfn); ++ end_addr = PFN_PHYS(pgdat->node_start_pfn + max_pgcnt); ++ reserved = memblock_reserved_memory_within(start_addr, end_addr); ++ max_pgcnt += PHYS_PFN(reserved); + +- pgdat->static_init_size = min(max_initialise, pgdat->node_spanned_pages); ++ pgdat->static_init_pgcnt = min(max_pgcnt, pgdat->node_spanned_pages); + pgdat->first_deferred_pfn = ULONG_MAX; + } + +@@ -338,7 +347,7 @@ static inline bool update_defer_init(pg_data_t *pgdat, + if (zone_end < pgdat_end_pfn(pgdat)) + return true; + (*nr_initialised)++; +- if ((*nr_initialised > pgdat->static_init_size) && ++ if ((*nr_initialised > pgdat->static_init_pgcnt) && + (pfn & (PAGES_PER_SECTION - 1)) == 0) { + pgdat->first_deferred_pfn = pfn; + return false; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-017-mm-page_ext.c-check-if-page_ext-is-not-prepare.patch new/patches.kernel.org/4.14.2-017-mm-page_ext.c-check-if-page_ext-is-not-prepare.patch --- old/patches.kernel.org/4.14.2-017-mm-page_ext.c-check-if-page_ext-is-not-prepare.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-017-mm-page_ext.c-check-if-page_ext-is-not-prepare.patch 2017-11-24 09:05:44.000000000 +0100 
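Review bot: typo in the new comment block, "durig" should be "during". On the logic: the queried range `PFN_PHYS(pgdat->node_start_pfn + max_pgcnt)` can extend past the node end when `max_pgcnt` exceeds `node_spanned_pages`, because the clamp `min(max_pgcnt, pgdat->node_spanned_pages)` is applied only after the reserved pages are added. The final value stays bounded, so this is not a bug, but a comment saying the over-wide query is intentional would save the next reader the check. The pfn-versus-bytes fix itself is clearly right: memblock_reserved_memory_within() takes and returns physical byte quantities, and the `PFN_PHYS`/`PHYS_PFN` conversions now make that explicit at the call site.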
@@ -0,0 +1,100 @@ +From: Jaewon Kim <[email protected]> +Date: Wed, 15 Nov 2017 17:39:07 -0800 +Subject: [PATCH] mm/page_ext.c: check if page_ext is not prepared +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: e492080e640c2d1235ddf3441cae634cfffef7e1 + +commit e492080e640c2d1235ddf3441cae634cfffef7e1 upstream. + +online_page_ext() and page_ext_init() allocate page_ext for each +section, but they do not allocate if the first PFN is !pfn_present(pfn) +or !pfn_valid(pfn). Then section->page_ext remains as NULL. +lookup_page_ext checks NULL only if CONFIG_DEBUG_VM is enabled. For a +valid PFN, __set_page_owner will try to get page_ext through +lookup_page_ext. Without CONFIG_DEBUG_VM lookup_page_ext will misuse +NULL pointer as value 0. This incurrs invalid address access. + +This is the panic example when PFN 0x100000 is not valid but PFN +0x13FC00 is being used for page_ext. section->page_ext is NULL, +get_entry returned invalid page_ext address as 0x1DFA000 for a PFN +0x13FC00. + +To avoid this panic, CONFIG_DEBUG_VM should be removed so that page_ext +will be checked at all times. + + Unable to handle kernel paging request at virtual address 01dfa014 + ------------[ cut here ]------------ + Kernel BUG at ffffff80082371e0 [verbose debug info unavailable] + Internal error: Oops: 96000045 [#1] PREEMPT SMP + Modules linked in: + PC is at __set_page_owner+0x48/0x78 + LR is at __set_page_owner+0x44/0x78 + __set_page_owner+0x48/0x78 + get_page_from_freelist+0x880/0x8e8 + __alloc_pages_nodemask+0x14c/0xc48 + __do_page_cache_readahead+0xdc/0x264 + filemap_fault+0x2ac/0x550 + ext4_filemap_fault+0x3c/0x58 + __do_fault+0x80/0x120 + handle_mm_fault+0x704/0xbb0 + do_page_fault+0x2e8/0x394 + do_mem_abort+0x88/0x124 + +Pre-4.7 kernels also need commit f86e4271978b ("mm: check the return +value of lookup_page_ext for all call sites"). 
+ +Link: http://lkml.kernel.org/r/[email protected] +Fixes: eefa864b701d ("mm/page_ext: resurrect struct page extending code for debugging") +Signed-off-by: Jaewon Kim <[email protected]> +Acked-by: Michal Hocko <[email protected]> +Cc: Vlastimil Babka <[email protected]> +Cc: Minchan Kim <[email protected]> +Cc: Joonsoo Kim <[email protected]> +Signed-off-by: Andrew Morton <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + mm/page_ext.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/mm/page_ext.c b/mm/page_ext.c +index 4f0367d472c4..2c16216c29b6 100644 +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -125,7 +125,6 @@ struct page_ext *lookup_page_ext(struct page *page) + struct page_ext *base; + + base = NODE_DATA(page_to_nid(page))->node_page_ext; +-#if defined(CONFIG_DEBUG_VM) + /* + * The sanity checks the page allocator does upon freeing a + * page can reach here before the page_ext arrays are +@@ -134,7 +133,6 @@ struct page_ext *lookup_page_ext(struct page *page) + */ + if (unlikely(!base)) + return NULL; +-#endif + index = pfn - round_down(node_start_pfn(page_to_nid(page)), + MAX_ORDER_NR_PAGES); + return get_entry(base, index); +@@ -199,7 +197,6 @@ struct page_ext *lookup_page_ext(struct page *page) + { + unsigned long pfn = page_to_pfn(page); + struct mem_section *section = __pfn_to_section(pfn); +-#if defined(CONFIG_DEBUG_VM) + /* + * The sanity checks the page allocator does upon freeing a + * page can reach here before the page_ext arrays are +@@ -208,7 +205,6 @@ struct page_ext *lookup_page_ext(struct page *page) + */ + if (!section->page_ext) + return NULL; +-#endif + return get_entry(section->page_ext, pfn); + } + +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-018-coda-fix-kernel-memory-exposure-attempt-in-fsy.patch 
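Review bot: with the `#if defined(CONFIG_DEBUG_VM)` guards removed, the surviving comment ("The sanity checks the page allocator does upon freeing a page can reach here before the page_ext arrays are ...") still describes only the debug-time race it was written for. It should be extended with the second reason given in the commit message: sections whose first PFN is !pfn_present() or !pfn_valid() never get page_ext allocated, so `section->page_ext` (and `node_page_ext`) can legitimately be NULL on production kernels. Also, the message's "CONFIG_DEBUG_VM should be removed" means the `#if` guard, not the config option; worth rewording when this lands in stable.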
new/patches.kernel.org/4.14.2-018-coda-fix-kernel-memory-exposure-attempt-in-fsy.patch --- old/patches.kernel.org/4.14.2-018-coda-fix-kernel-memory-exposure-attempt-in-fsy.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-018-coda-fix-kernel-memory-exposure-attempt-in-fsy.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,46 @@ +From: Jan Harkes <[email protected]> +Date: Wed, 27 Sep 2017 15:52:12 -0400 +Subject: [PATCH] coda: fix 'kernel memory exposure attempt' in fsync +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: d337b66a4c52c7b04eec661d86c2ef6e168965a2 + +commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. + +When an application called fsync on a file in Coda a small request with +just the file identifier was allocated, but the declared length was set +to the size of union of all possible upcall requests. + +This bug has been around for a very long time and is now caught by the +extra checking in usercopy that was introduced in Linux-4.8. + +The exposure happens when the Coda cache manager process reads the fsync +upcall request at which point it is killed. As a result there is nobody +servicing any further upcalls, trapping any processes that try to access +the mounted Coda filesystem. + +Signed-off-by: Jan Harkes <[email protected]> +Signed-off-by: Al Viro <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + fs/coda/upcall.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/coda/upcall.c b/fs/coda/upcall.c +index a37f003530d7..1175a1722411 100644 +--- a/fs/coda/upcall.c ++++ b/fs/coda/upcall.c +@@ -447,8 +447,7 @@ int venus_fsync(struct super_block *sb, struct CodaFid *fid) + UPARG(CODA_FSYNC); + + inp->coda_fsync.VFid = *fid; +- error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), +- &outsize, inp); ++ error = coda_upcall(coda_vcp(sb), insize, &outsize, inp); + + CODA_FREE(inp, insize); + return error; +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-019-ipmi-Prefer-ACPI-system-interfaces-over-SMBIOS.patch new/patches.kernel.org/4.14.2-019-ipmi-Prefer-ACPI-system-interfaces-over-SMBIOS.patch --- 
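Review bot: the fix is correct: `insize` is the size the `inp` buffer was allocated with (the `CODA_FREE(inp, insize)` below frees with the same value), so passing `sizeof(union inputArgs)` to coda_upcall() declared a length larger than the allocation, which is what the usercopy hardening caught. Since the message says this survived for a very long time, a grep of fs/coda/upcall.c for any other `coda_upcall(..., sizeof(union inputArgs), ...)` call is a cheap check before merging.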
old/patches.kernel.org/4.14.2-019-ipmi-Prefer-ACPI-system-interfaces-over-SMBIOS.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-019-ipmi-Prefer-ACPI-system-interfaces-over-SMBIOS.patch 2017-11-24 09:05:44.000000000 +0100 
@@ -0,0 +1,91 @@ +From: Corey Minyard <[email protected]> +Date: Fri, 8 Sep 2017 14:05:58 -0500 +Subject: [PATCH] ipmi: Prefer ACPI system interfaces over SMBIOS ones +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: 7e030d6dff713250c7dcfb543cad2addaf479b0e + +commit 7e030d6dff713250c7dcfb543cad2addaf479b0e upstream. + +The recent changes to add SMBIOS (DMI) IPMI interfaces as platform +devices caused DMI to be selected before ACPI, causing ACPI type +of operations to not work. + +Signed-off-by: Corey Minyard <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/char/ipmi/ipmi_si_intf.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c +index 36f47e8d06a3..bc3984ffe867 100644 +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -3424,7 +3424,7 @@ static inline void wait_for_timer_and_thread(struct smi_info *smi_info) + del_timer_sync(&smi_info->si_timer); + } + +-static int is_new_interface(struct smi_info *info) ++static struct smi_info *find_dup_si(struct smi_info *info) + { + struct smi_info *e; + +@@ -3439,24 +3439,36 @@ static int is_new_interface(struct smi_info *info) + */ + if (info->slave_addr && !e->slave_addr) + e->slave_addr = info->slave_addr; +- return 0; ++ return e; + } + } + +- return 1; ++ return NULL; + } + + static int add_smi(struct smi_info *new_smi) + { + int rv = 0; ++ struct smi_info *dup; + + mutex_lock(&smi_infos_lock); +- if (!is_new_interface(new_smi)) { +- pr_info(PFX "%s-specified %s state machine: duplicate\n", +- ipmi_addr_src_to_str(new_smi->addr_source), +- si_to_str[new_smi->si_type]); +- rv = -EBUSY; +- goto out_err; ++ dup = find_dup_si(new_smi); ++ if (dup) { ++ if (new_smi->addr_source == SI_ACPI && ++ dup->addr_source == SI_SMBIOS) { ++ /* We prefer ACPI over SMBIOS. 
*/ ++ dev_info(dup->dev, ++ "Removing SMBIOS-specified %s state machine in favor of ACPI\n", ++ si_to_str[new_smi->si_type]); ++ cleanup_one_si(dup); ++ } else { ++ dev_info(new_smi->dev, ++ "%s-specified %s state machine: duplicate\n", ++ ipmi_addr_src_to_str(new_smi->addr_source), ++ si_to_str[new_smi->si_type]); ++ rv = -EBUSY; ++ goto out_err; ++ } + } + + pr_info(PFX "Adding %s-specified %s state machine\n", +@@ -3865,7 +3877,8 @@ static void cleanup_one_si(struct smi_info *to_clean) + poll(to_clean); + schedule_timeout_uninterruptible(1); + } +- disable_si_irq(to_clean, false); ++ if (to_clean->handlers) ++ disable_si_irq(to_clean, false); + while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { + poll(to_clean); + schedule_timeout_uninterruptible(1); +-- +2.15.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.14.2-020-Linux-4.14.2.patch new/patches.kernel.org/4.14.2-020-Linux-4.14.2.patch --- old/patches.kernel.org/4.14.2-020-Linux-4.14.2.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.14.2-020-Linux-4.14.2.patch 2017-11-24 09:05:44.000000000 +0100 
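Review bot: two things to confirm. First, `cleanup_one_si(dup)` is now called from add_smi() with `smi_infos_lock` held (the `mutex_lock(&smi_infos_lock)` is visible at the top of the function); if cleanup_one_si() unlinks the entry from the smi_infos list that is required, but either way the locking expectation should be stated in a comment since this is a new call site. Second, the new `if (to_clean->handlers)` guard around disable_si_irq() implies cleanup_one_si() can now be reached for an interface that never got handlers; the two `poll(to_clean)` loops on either side of it are only safe in that case if such an interface has `curr_msg == NULL` and `si_state == SI_NORMAL` so the loop bodies never run, and a comment next to the guard should say so. Minor: the duplicate message moved from pr_info(PFX ...) to dev_info(new_smi->dev, ...), so `new_smi->dev` must be valid for every addr_source that reaches add_smi(). The behavioural change itself (an ACPI-registered interface evicts an SMBIOS duplicate instead of being refused with -EBUSY) matches the commit message.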
@@ -0,0 +1,28 @@ +From: Greg Kroah-Hartman <[email protected]> +Date: Fri, 24 Nov 2017 08:37:05 +0100 +Subject: [PATCH] Linux 4.14.2 +References: bnc#1012628 +Patch-mainline: 4.14.2 +Git-commit: f9f0b03dedc19a6363a305d119efcb48667a3027 + +Signed-off-by: Jiri Slaby <[email protected]> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 01f9df1af256..75d89dc2b94a 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 1 ++SUBLEVEL = 2 + EXTRAVERSION = + NAME = Petit Gorille + +-- +2.15.0 + ++++++ patches.suse.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/0001-AppArmor-basic-networking-rules.patch new/patches.suse/0001-AppArmor-basic-networking-rules.patch --- old/patches.suse/0001-AppArmor-basic-networking-rules.patch 2017-11-21 17:16:04.000000000 +0100 +++ new/patches.suse/0001-AppArmor-basic-networking-rules.patch 2017-11-24 09:20:07.000000000 +0100 @@ -13,22 +13,20 @@ 
Signed-off-by: John Johansen <[email protected]> Acked-by: Jeff Mahoney <[email protected]> --- - security/apparmor/.gitignore | 1 + - security/apparmor/Makefile | 40 ++++++++- - security/apparmor/apparmorfs.c | 1 + - security/apparmor/include/audit.h | 4 + - security/apparmor/include/net.h | 44 ++++++++++ - security/apparmor/include/policy.h | 3 + - security/apparmor/lsm.c | 113 +++++++++++++++++++++++++ - security/apparmor/net.c | 164 +++++++++++++++++++++++++++++++++++++ - security/apparmor/policy.c | 1 + - security/apparmor/policy_unpack.c | 46 +++++++++++ + security/apparmor/.gitignore | 1 + security/apparmor/Makefile | 40 ++++++++- + security/apparmor/apparmorfs.c | 1 + security/apparmor/include/audit.h | 4 + security/apparmor/include/net.h | 44 +++++++++ + security/apparmor/include/policy.h | 3 + security/apparmor/lsm.c | 113 +++++++++++++++++++++++++ + security/apparmor/net.c | 164 +++++++++++++++++++++++++++++++++++++ + security/apparmor/policy.c | 1 + security/apparmor/policy_unpack.c | 46 ++++++++++ 10 files changed, 416 insertions(+), 1 deletion(-) create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/net.c -diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore -index 9cdec70d72b8..d5b291e94264 100644 --- a/security/apparmor/.gitignore +++ b/security/apparmor/.gitignore @@ -1,5 +1,6 @@ @@ -38,11 +36,9 @@ +net_names.h capability_names.h rlim_names.h -diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index 9a6b4033d52b..b74034664b46 100644 --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile -@@ -5,7 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o +@@ -5,7 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += appar apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ 
@@ -51,7 +47,7 @@ apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o clean-files := capability_names.h rlim_names.h -@@ -26,6 +26,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ +@@ -26,6 +26,38 @@ cmd_make-caps = echo "static const char -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ @@ -90,7 +86,7 @@ # Build a lower case string table of rlimit names. # Transforms lines from -@@ -62,6 +94,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ +@@ -62,6 +94,7 @@ cmd_make-rlim = echo "static const char tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ $(obj)/capability.o : $(obj)/capability_names.h @@ -98,7 +94,7 @@ $(obj)/resource.o : $(obj)/rlim_names.h $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ $(src)/Makefile -@@ -69,3 +102,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ +@@ -69,3 +102,8 @@ $(obj)/capability_names.h : $(srctree)/i $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \ $(src)/Makefile $(call cmd,make-rlim) @@ -107,11 +103,9 @@ + $(src)/Makefile + $(call cmd,make-af) + $(call cmd,make-sock) -diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index caaf51dda648..518d5928661b 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c -@@ -2202,6 +2202,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = { +@@ -2202,6 +2202,7 @@ static struct aa_sfs_entry aa_sfs_entry_ AA_SFS_DIR("policy", aa_sfs_entry_policy), AA_SFS_DIR("domain", aa_sfs_entry_domain), AA_SFS_DIR("file", aa_sfs_entry_file), @@ -119,14 +113,12 @@ AA_SFS_DIR("mount", aa_sfs_entry_mount), AA_SFS_DIR("namespaces", aa_sfs_entry_ns), AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), -diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h -index 620e81169659..ac3666ff7892 100644 --- a/security/apparmor/include/audit.h 
+++ b/security/apparmor/include/audit.h -@@ -125,6 +125,10 @@ struct apparmor_audit_data { - const char *target; - kuid_t ouid; - } fs; +@@ -128,6 +128,10 @@ struct apparmor_audit_data { + } fs; + int signal; + }; + struct { + int type, protocol; + struct sock *sk; @@ -134,9 +126,6 @@ }; struct { struct aa_profile *profile; -diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h -new file mode 100644 -index 000000000000..5223318b6c81 --- /dev/null +++ b/security/apparmor/include/net.h @@ -0,0 +1,44 @@ @@ -184,8 +173,6 @@ +} + +#endif /* __AA_NET_H */ -diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h -index 17fe41a9cac3..de69b0a68d22 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -28,6 +28,7 @@ @@ -212,8 +199,6 @@ struct aa_rlimit rlimits; struct aa_loaddata *rawdata; -diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index 1346ee5be04f..df5329be3ee4 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -33,6 +33,7 @@ @@ -224,7 +209,7 @@ #include "include/path.h" #include "include/label.h" #include "include/policy.h" -@@ -736,6 +737,105 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, +@@ -736,6 +737,105 @@ static int apparmor_task_kill(struct tas return error; } @@ -330,7 +315,7 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), -@@ -770,6 +870,19 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { +@@ -770,6 +870,19 @@ static struct security_hook_list apparmo LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 
@@ -350,9 +335,6 @@ LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), LSM_HOOK_INIT(cred_free, apparmor_cred_free), LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), -diff --git a/security/apparmor/net.c b/security/apparmor/net.c -new file mode 100644 -index 000000000000..fe675807d6cf --- /dev/null +++ b/security/apparmor/net.c @@ -0,0 +1,164 @@ @@ -520,11 +502,9 @@ + + return error; +} -diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index 4243b0c3f0e4..ea8acc9fcfda 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c -@@ -225,6 +225,7 @@ void aa_free_profile(struct aa_profile *profile) +@@ -225,6 +225,7 @@ void aa_free_profile(struct aa_profile * aa_free_file_rules(&profile->file); aa_free_cap_rules(&profile->caps); @@ -532,11 +512,9 @@ aa_free_rlimit_rules(&profile->rlimits); kzfree(profile->dirname); -diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index 4ede87c30f8b..c02e2b9472bb 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c -@@ -275,6 +275,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) +@@ -275,6 +275,19 @@ fail: return 0; } @@ -556,7 +534,7 @@ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) { if (unpack_nameX(e, AA_U32, name)) { -@@ -591,6 +604,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) +@@ -591,6 +604,7 @@ static struct aa_profile *unpack_profile int i, error = -EPROTO; kernel_cap_t tmpcap; u32 tmp; @@ -564,7 +542,7 @@ *ns_name = NULL; -@@ -717,6 +731,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) +@@ -717,6 +731,38 @@ static struct aa_profile *unpack_profile goto fail; } 
@@ -603,6 +581,3 @@ if (unpack_nameX(e, AA_STRUCT, "policydb")) { /* generic policy dfa - optional and may be NULL */ info = "failed to unpack policydb"; --- -2.13.6 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/apparmor-fix-oops-in-audit_signal_cb-hook.patch new/patches.suse/apparmor-fix-oops-in-audit_signal_cb-hook.patch --- old/patches.suse/apparmor-fix-oops-in-audit_signal_cb-hook.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/apparmor-fix-oops-in-audit_signal_cb-hook.patch 2017-11-24 09:20:07.000000000 +0100 
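Review bot: the refreshed audit.h hunk in 0001-AppArmor-basic-networking-rules.patch now anchors the new `struct { int type, protocol; struct sock *sk; ...` block on the `} fs; int signal; };` context of the reordered `apparmor_audit_data`, so this patch only applies after patches.suse/apparmor-fix-oops-in-audit_signal_cb-hook.patch. The series.conf change in this commit does place that fix ahead of it in the AppArmor section, so the ordering is consistent, but the dependency is invisible from the patch header itself; a one-line note there would save the next person who drops or replaces the fix with the upstream version from a failed refresh. Removing the `diff --git`/`index` lines is the usual effect of a refresh and does not change what the patch does.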
@@ -0,0 +1,134 @@ +From: John Johansen <[email protected]> +Date: Wed, 22 Nov 2017 07:33:38 -0800 +Subject: apparmor: fix oops in audit_signal_cb hook +Patch-mainline: submitted on 22/11/2017 +References: bnc#1069562 + +The apparmor_audit_data struct ordering got messed up during a merge +conflict, resulting in the signal integer and peer pointer being in +a union instead of a struct together. + +For most of the 4.13 and 4.14 life cycle, this was hidden by commit +651e28c5537abb39076d3949fb7618536f1d242e which fixed the +apparmor_audit_data struct when its data was added. When that commit +was reverted in -rc7 the signal audit bug was exposed, and +unfortunately it never showed up in any of the testing until after +4.14 was released, and Shaun Khan, Zephaniah E. Loss-Cutler-Hull filed +nearly simultaneous bug reports (with different oopes, the smaller of +which is included below). + +Full credit goes to Tetsuo Handa for jumping on this as well and +noticing the audit data struct problem and reporting it. + +Alright, trying again, this time with my mail settings to actually send +as plain text, and with some more detail. + +I am running Ubuntu 16.04, with a mainline 4.14 kernel. + +[ 76.178568] BUG: unable to handle kernel paging request at +ffffffff0eee3bc0 +[ 76.178579] IP: audit_signal_cb+0x6c/0xe0 +[ 76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0 +[ 76.178586] Oops: 0000 [#1] PREEMPT SMP +[ 76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb +btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables +xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack +iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw +iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher +nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel +[ 76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted +4.14.0-f1-dirty #135 +[ 76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio +9470m/18DF, BIOS 68IBD Ver. 
F.62 10/22/2015 +[ 76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000 +[ 76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0 +[ 76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292 +[ 76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX: +0000000000000000 +[ 76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI: +ffff9c7a9493d800 +[ 76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09: +ffffa09b02a4fc46 +[ 76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12: +ffffa09b02a4fd40 +[ 76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15: +0000000000000001 +[ 76.178646] FS: 00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000) +knlGS:0000000000000000 +[ 76.178648] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4: +00000000001606f0 +[ 76.178652] Call Trace: +[ 76.178660] common_lsm_audit+0x1da/0x780 +[ 76.178665] ? d_absolute_path+0x60/0x90 +[ 76.178669] ? aa_check_perms+0xcd/0xe0 +[ 76.178672] aa_check_perms+0xcd/0xe0 +[ 76.178675] profile_signal_perm.part.0+0x90/0xa0 +[ 76.178679] aa_may_signal+0x16e/0x1b0 +[ 76.178686] apparmor_task_kill+0x51/0x120 +[ 76.178690] security_task_kill+0x44/0x60 +[ 76.178695] group_send_sig_info+0x25/0x60 +[ 76.178699] kill_pid_info+0x36/0x60 +[ 76.178703] SYSC_kill+0xdb/0x180 +[ 76.178707] ? preempt_count_sub+0x92/0xd0 +[ 76.178712] ? _raw_write_unlock_irq+0x13/0x30 +[ 76.178716] ? task_work_run+0x6a/0x90 +[ 76.178720] ? 
exit_to_usermode_loop+0x80/0xa0 +[ 76.178723] entry_SYSCALL_64_fastpath+0x13/0x94 +[ 76.178727] RIP: 0033:0x7f8b0e58b767 +[ 76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX: +000000000000003e +[ 76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX: +00007f8b0e58b767 +[ 76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI: +000000000000263b +[ 76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09: +0000000000000001 +[ 76.178739] R10: 000000000000022d R11: 0000000000000206 R12: +0000000000000000 +[ 76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15: +0000000000000000 +[ 76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b +42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd +00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35 +[ 76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08 +[ 76.178796] CR2: ffffffff0eee3bc0 +[ 76.178799] ---[ end trace 514af9529297f1a3 ]--- + +Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals") +Reported-by: Zephaniah E. 
Loss-Cutler-Hull <[email protected]> +Reported-by: Shuah Khan <[email protected]> +Reported-by: Tetsuo Handa <[email protected]> +Signed-off-by: John Johansen <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + security/apparmor/include/audit.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -121,17 +121,19 @@ struct apparmor_audit_data { + /* these entries require a custom callback fn */ + struct { + struct aa_label *peer; +- struct { +- const char *target; +- kuid_t ouid; +- } fs; ++ union { ++ struct { ++ const char *target; ++ kuid_t ouid; ++ } fs; ++ int signal; ++ }; + }; + struct { + struct aa_profile *profile; + const char *ns; + long pos; + } iface; +- int signal; + struct { + int rlim; + unsigned long max; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/ipmi_si-fix-memory-leak-on-new_smi.patch new/patches.suse/ipmi_si-fix-memory-leak-on-new_smi.patch --- old/patches.suse/ipmi_si-fix-memory-leak-on-new_smi.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/ipmi_si-fix-memory-leak-on-new_smi.patch 2017-11-24 09:20:07.000000000 +0100 
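Review bot: the `Patch-mainline:` tag reads `submitted on 22/11/2017` and there is no `Git-commit:` line, so the header needs to be updated with the upstream commit id once the fix lands, otherwise later stable backports of the same change cannot be matched against this patch. The commit text also spells the reporter as `Shaun Khan` while the `Reported-by:` tag says `Shuah Khan`; worth fixing before resending. The hunk moves `int signal` into an anonymous union with the `fs` struct inside the struct that carries `peer`, which is the layout the message describes as intended, so the code change itself looks right.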
@@ -0,0 +1,30 @@ +From: Colin Ian King <[email protected]> +Date: Tue, 17 Oct 2017 16:54:52 +0100 +Subject: ipmi_si: fix memory leak on new_smi +Git-commit: c0a32fe13cd323ca9420500b16fd69589c9ba91e +Patch-mainline: 4.15-rc1 +References: git-fixes + +The error exit path omits kfree'ing the allocated new_smi, causing a memory +leak. Fix this by kfree'ing new_smi. + +Detected by CoverityScan, CID#14582571 ("Resource Leak") + +Fixes: 7e030d6dff71 ("ipmi: Prefer ACPI system interfaces over SMBIOS ones") +Signed-off-by: Colin Ian King <[email protected]> +Signed-off-by: Corey Minyard <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/char/ipmi/ipmi_si_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -3467,6 +3467,7 @@ static int add_smi(struct smi_info *new_ + ipmi_addr_src_to_str(new_smi->addr_source), + si_to_str[new_smi->si_type]); + rv = -EBUSY; ++ kfree(new_smi); + goto out_err; + } + } ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:28.499919230 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:28.499919230 +0100 
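Review bot: the added `kfree(new_smi)` lives in the duplicate branch of `add_smi()` only, and the callers are not visible in this hunk; please confirm that no caller also frees `new_smi` on a non-zero return, otherwise this turns the leak into a double free for that caller. The `Fixes:` tag points at 7e030d6dff71, which enters this tree as patches.kernel.org/4.14.2-019-ipmi-Prefer-ACPI-system-interfaces-over-SMBIOS.patch, so the placement of this patch in the Char / serial section of series.conf, after the 4.14.2 stable series, is required and is done correctly here.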
@@ -62,6 +62,26 @@ patches.kernel.org/4.14.1-033-sparc64-mmu_context-Add-missing-include-files.patch patches.kernel.org/4.14.1-034-sparc64-Fix-page-table-walk-for-PUD-hugepages.patch patches.kernel.org/4.14.1-035-Linux-4.14.1.patch + patches.kernel.org/4.14.2-001-bio-ensure-__bio_clone_fast-copies-bi_partno.patch + patches.kernel.org/4.14.2-002-af_netlink-ensure-that-NLMSG_DONE-never-fails-.patch + patches.kernel.org/4.14.2-003-vxlan-fix-the-issue-that-neigh-proxy-blocks-al.patch + patches.kernel.org/4.14.2-004-net-cdc_ncm-GetNtbFormat-endian-fix.patch + patches.kernel.org/4.14.2-005-fealnx-Fix-building-error-on-MIPS.patch + patches.kernel.org/4.14.2-006-net-sctp-Always-set-scope_id-in-sctp_inet6_skb.patch + patches.kernel.org/4.14.2-007-ima-do-not-update-security.ima-if-appraisal-st.patch + patches.kernel.org/4.14.2-008-serial-omap-Fix-EFR-write-on-RTS-deassertion.patch + patches.kernel.org/4.14.2-009-serial-8250_fintek-Fix-finding-base_port-with-.patch + patches.kernel.org/4.14.2-010-tpm-dev-common-Reject-too-short-writes.patch + patches.kernel.org/4.14.2-011-rcu-Fix-up-pending-cbs-check-in-rcu_prepare_fo.patch + patches.kernel.org/4.14.2-012-mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch + patches.kernel.org/4.14.2-013-ocfs2-fix-cluster-hang-after-a-node-dies.patch + patches.kernel.org/4.14.2-014-ocfs2-should-wait-dio-before-inode-lock-in-ocf.patch + patches.kernel.org/4.14.2-015-ipmi-fix-unsigned-long-underflow.patch + patches.kernel.org/4.14.2-016-mm-page_alloc.c-broken-deferred-calculation.patch + patches.kernel.org/4.14.2-017-mm-page_ext.c-check-if-page_ext-is-not-prepare.patch + patches.kernel.org/4.14.2-018-coda-fix-kernel-memory-exposure-attempt-in-fsy.patch + patches.kernel.org/4.14.2-019-ipmi-Prefer-ACPI-system-interfaces-over-SMBIOS.patch + patches.kernel.org/4.14.2-020-Linux-4.14.2.patch ######################################################## # Build fixes that apply to the vanilla kernel too. 
@@ -377,6 +397,7 @@ ######################################################## # Char / serial ######################################################## + patches.suse/ipmi_si-fix-memory-leak-on-new_smi.patch ######################################################## # Other driver fixes @@ -417,6 +438,7 @@ ########################################################## # AppArmor ########################################################## + patches.suse/apparmor-fix-oops-in-audit_signal_cb-hook.patch patches.suse/0001-AppArmor-basic-networking-rules.patch patches.suse/0002-apparmor-update-apparmor-basic-networking-rules-for-.patch patches.suse/0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.wtL7xP/_old 2017-11-26 10:34:28.523918355 +0100 +++ /var/tmp/diff_new_pack.wtL7xP/_new 2017-11-26 10:34:28.527918209 +0100 @@ -1,3 +1,3 @@ -2017-11-21 19:26:02 +0100 -GIT Revision: a5bca710415e13e8ff49be54f17d7c00b62f22a8 +2017-11-24 09:20:07 +0100 +GIT Revision: b0610fc12a3de5d90a17bfb04d0f1c82df57c4ea GIT Branch: stable
