new file mode 100644

@@ -0,0 +1,47 @@

+From d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 Mon Sep 17 00:00:00 2001

+From: Yunlei He <heyunlei@huawei.com>

+Date: Thu, 1 Jun 2017 16:43:51 +0800

+Subject: [PATCH] f2fs: fix a panic caused by NULL flush_cmd_control

+

+Mount fs with option noflush_merge, boot failed for illegal address

+fcc in function f2fs_issue_flush:

+

+        if (!test_opt(sbi, FLUSH_MERGE)) {

+                ret = submit_flush_wait(sbi);

+                atomic_inc(&fcc->issued_flush);   ->  Here, fcc illegal

+                return ret;

+        }

+

+Signed-off-by: Yunlei He <heyunlei@huawei.com>

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/f2fs/segment.c | 5 ++++-

+ 1 file changed, 4 insertions(+), 1 deletion(-)

+

+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c

+index e10f616..c94d5a9 100644

+--- a/fs/f2fs/segment.c

+@@ -488,6 +488,9 @@ int create_flush_cmd_control(struct f2fs_sb_info *sbi)

+ 	init_waitqueue_head(&fcc->flush_wait_queue);

+ 	init_llist_head(&fcc->issue_list);

+ 	SM_I(sbi)->cmd_control_info = fcc;

++	if (!test_opt(sbi, FLUSH_MERGE))

++		return err;

++

+ 	fcc->f2fs_issue_flush = kthread_run(issue_flush_thread, sbi,

+ 				"f2fs_flush-%u:%u", MAJOR(dev), MINOR(dev));

+ 	if (IS_ERR(fcc->f2fs_issue_flush)) {

+@@ -2534,7 +2537,7 @@ int build_segment_manager(struct f2fs_sb_info *sbi)

+ 

+ 	INIT_LIST_HEAD(&sm_info->sit_entry_set);

+ 

+-	if (test_opt(sbi, FLUSH_MERGE) && !f2fs_readonly(sbi->sb)) {

++	if (!f2fs_readonly(sbi->sb)) {

+ 		err = create_flush_cmd_control(sbi);

+ 		if (err)

+ 			return err;

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,38 @@

+From 0ddcff49b672239dda94d70d0fcf50317a9f4b51 Mon Sep 17 00:00:00 2001

+From: "weiyongjun (A)" <weiyongjun1@huawei.com>

+Date: Thu, 18 Jan 2018 02:23:34 +0000

+Subject: [PATCH] mac80211_hwsim: fix possible memory leak in

+ hwsim_new_radio_nl()

+

+'hwname' is malloced in hwsim_new_radio_nl() and should be freed

+before leaving from the error handling cases, otherwise it will cause

+memory leak.

+

+Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")

+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>

+Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>

+Signed-off-by: Johannes Berg <johannes.berg@intel.com>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ drivers/net/wireless/mac80211_hwsim.c | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c

+index 2681b533..95e9641 100644

+--- a/drivers/net/wireless/mac80211_hwsim.c

+@@ -3084,8 +3084,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)

+ 	if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {

+ 		u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);

+ 

+-		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))

++		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {

++			kfree(hwname);

+ 			return -EINVAL;

++		}

+ 		param.regd = hwsim_world_regdom_custom[idx];

+ 	}

+ 

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,45 @@

+From 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 Mon Sep 17 00:00:00 2001

+From: Wei Yongjun <weiyongjun1@huawei.com>

+Date: Thu, 11 Jan 2018 11:21:51 +0000

+Subject: [PATCH] net: phy: mdio-bcm-unimac: fix potential NULL dereference in

+ unimac_mdio_probe()

+

+platform_get_resource() may fail and return NULL, so we should

+better check it's return value to avoid a NULL pointer dereference

+a bit later in the code.

+

+This is detected by Coccinelle semantic patch.

+

+@@

+expression pdev, res, n, t, e, e1, e2;

+@@

+

+res = platform_get_resource(pdev, t, n);

++ if (!res)

++   return -EINVAL;

+... when != res == NULL

+e = devm_ioremap(e1, res->start, e2);

+

+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ drivers/net/phy/mdio-bcm-unimac.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c

+index 8c73b2e..e6ff731 100644

+--- a/drivers/net/phy/mdio-bcm-unimac.c

+@@ -177,6 +177,8 @@ static int unimac_mdio_probe(struct platform_device *pdev)

+ 		return -ENOMEM;

+ 

+ 	r = platform_get_resource(pdev, IORESOURCE_MEM, 0);

++	if (!r)

++		return -EINVAL;

+ 

+ 	/* Just ioremap, as this MDIO block is usually integrated into an

+ 	 * Ethernet MAC controller register range

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,121 @@

+From 3e4c56d41eef5595035872a2ec5a483f42e8917f Mon Sep 17 00:00:00 2001

+From: alex chen <alex.chen@huawei.com>

+Date: Wed, 15 Nov 2017 17:31:44 -0800

+Subject: [PATCH] ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()

+

+ip_alloc_sem should be taken in ocfs2_get_block() when reading file in

+DIRECT mode to prevent concurrent access to extent tree with

+ocfs2_dio_end_io_write(), which may cause BUGON in the following

+situation:

+

+read file 'A'                                  end_io of writing file 'A'

+vfs_read

+ __vfs_read

+  ocfs2_file_read_iter

+   generic_file_read_iter

+    ocfs2_direct_IO

+     __blockdev_direct_IO

+      do_blockdev_direct_IO

+       do_direct_IO

+        get_more_blocks

+         ocfs2_get_block

+          ocfs2_extent_map_get_blocks

+           ocfs2_get_clusters

+            ocfs2_get_clusters_nocache()

+             ocfs2_search_extent_list

+              return the index of record which

+              contains the v_cluster, that is

+              v_cluster > rec[i]->e_cpos.

+                                                ocfs2_dio_end_io

+                                                 ocfs2_dio_end_io_write

+                                                  down_write(&oi->ip_alloc_sem);

+                                                  ocfs2_mark_extent_written

+                                                   ocfs2_change_extent_flag

+                                                    ocfs2_split_extent

+                                                     ...

+                                                 --> modify the rec[i]->e_cpos, resulting

+                                                     in v_cluster < rec[i]->e_cpos.

+             BUG_ON(v_cluster < le32_to_cpu(rec->e_cpos))

+

+[alex.chen@huawei.com: v3]

+  Link: http://lkml.kernel.org/r/59EF3614.6050008@huawei.com

+Link: http://lkml.kernel.org/r/59EF3614.6050008@huawei.com

+Fixes: c15471f79506 ("ocfs2: fix sparse file & data ordering issue in direct io")

+Signed-off-by: Alex Chen <alex.chen@huawei.com>

+Reviewed-by: Jun Piao <piaojun@huawei.com>

+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>

+Reviewed-by: Gang He <ghe@suse.com>

+Acked-by: Changwei Ge <ge.changwei@h3c.com>

+Cc: Mark Fasheh <mfasheh@versity.com>

+Cc: Joel Becker <jlbec@evilplan.org>

+Cc: Junxiao Bi <junxiao.bi@oracle.com>

+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/ocfs2/aops.c | 26 ++++++++++++++++++--------

+ 1 file changed, 18 insertions(+), 8 deletions(-)

+

+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c

+index f2961b1..c26d046 100644

+--- a/fs/ocfs2/aops.c

+@@ -134,6 +134,19 @@ static int ocfs2_symlink_get_block(struct inode *inode, sector_t iblock,

+ 	return err;

+ }

+ 

++static int ocfs2_lock_get_block(struct inode *inode, sector_t iblock,

++		    struct buffer_head *bh_result, int create)

++{

++	int ret = 0;

++	struct ocfs2_inode_info *oi = OCFS2_I(inode);

++

++	down_read(&oi->ip_alloc_sem);

++	ret = ocfs2_get_block(inode, iblock, bh_result, create);

++	up_read(&oi->ip_alloc_sem);

++

++	return ret;

++}

++

+ int ocfs2_get_block(struct inode *inode, sector_t iblock,

+ 		    struct buffer_head *bh_result, int create)

+ {

+@@ -2120,7 +2133,7 @@ static void ocfs2_dio_free_write_ctx(struct inode *inode,

+  * called like this: dio->get_blocks(dio->inode, fs_startblk,

+  * 					fs_count, map_bh, dio->rw == WRITE);

+  */

+-static int ocfs2_dio_get_block(struct inode *inode, sector_t iblock,

++static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,

+ 			       struct buffer_head *bh_result, int create)

+ {

+ 	struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);

+@@ -2146,12 +2159,9 @@ static int ocfs2_dio_get_block(struct inode *inode, sector_t iblock,

+ 	 * while file size will be changed.

+ 	 */

+ 	if (pos + total_len <= i_size_read(inode)) {

+-		down_read(&oi->ip_alloc_sem);

+-		/* This is the fast path for re-write. */

+-		ret = ocfs2_get_block(inode, iblock, bh_result, create);

+-

+-		up_read(&oi->ip_alloc_sem);

+ 

++		/* This is the fast path for re-write. */

++		ret = ocfs2_lock_get_block(inode, iblock, bh_result, create);

+ 		if (buffer_mapped(bh_result) &&

+ 		    !buffer_new(bh_result) &&

+ 		    ret == 0)

+@@ -2416,9 +2426,9 @@ static ssize_t ocfs2_direct_IO(struct kiocb *iocb, struct iov_iter *iter)

+ 		return 0;

+ 

+ 	if (iov_iter_rw(iter) == READ)

+-		get_block = ocfs2_get_block;

++		get_block = ocfs2_lock_get_block;

+ 	else

+-		get_block = ocfs2_dio_get_block;

++		get_block = ocfs2_dio_wr_get_block;

+ 

+ 	return __blockdev_direct_IO(iocb, inode, inode->i_sb->s_bdev,

+ 				    iter, get_block,

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,208 @@

+From 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 Mon Sep 17 00:00:00 2001

+From: alex chen <alex.chen@huawei.com>

+Date: Wed, 15 Nov 2017 17:31:48 -0800

+Subject: [PATCH] ocfs2: subsystem.su_mutex is required while accessing the

+ item->ci_parent

+

+The subsystem.su_mutex is required while accessing the item->ci_parent,

+otherwise, NULL pointer dereference to the item->ci_parent will be

+triggered in the following situation:

+

+add node                     delete node

+sys_write

+ vfs_write

+  configfs_write_file

+   o2nm_node_store

+    o2nm_node_local_write

+                             do_rmdir

+                              vfs_rmdir

+                               configfs_rmdir

+                                mutex_lock(&subsys->su_mutex);

+                                unlink_obj

+                                 item->ci_group = NULL;

+                                 item->ci_parent = NULL;

+	 to_o2nm_cluster_from_node

+	  node->nd_item.ci_parent->ci_parent

+	  BUG since of NULL pointer dereference to nd_item.ci_parent

+

+Moreover, the o2nm_cluster also should be protected by the

+subsystem.su_mutex.

+

+[alex.chen@huawei.com: v2]

+  Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com

+Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com

+Signed-off-by: Alex Chen <alex.chen@huawei.com>

+Reviewed-by: Jun Piao <piaojun@huawei.com>

+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>

+Cc: Mark Fasheh <mfasheh@versity.com>

+Cc: Joel Becker <jlbec@evilplan.org>

+Cc: Junxiao Bi <junxiao.bi@oracle.com>

+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------

+ 1 file changed, 55 insertions(+), 8 deletions(-)

+

+diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c

+index a51200e..da64c3a2 100644

+--- a/fs/ocfs2/cluster/nodemanager.c

+@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {

+ 		"panic",	/* O2NM_FENCE_PANIC */

+ };

+ 

++static inline void o2nm_lock_subsystem(void);

++static inline void o2nm_unlock_subsystem(void);

++

+ struct o2nm_node *o2nm_get_node_by_num(u8 node_num)

+ {

+ 	struct o2nm_node *node = NULL;

+@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)

+ {

+ 	/* through the first node_set .parent

+ 	 * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */

+-	return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);

++	if (node->nd_item.ci_parent)

++		return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);

++	else

++		return NULL;

+ }

+ 

+ enum {

+@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,

+ 				   size_t count)

+ {

+ 	struct o2nm_node *node = to_o2nm_node(item);

+-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);

++	struct o2nm_cluster *cluster;

+ 	unsigned long tmp;

+ 	char *p = (char *)page;

+ 	int ret = 0;

+@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,

+ 	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))

+ 		return -EINVAL; /* XXX */

+ 

++	o2nm_lock_subsystem();

++	cluster = to_o2nm_cluster_from_node(node);

++	if (!cluster) {

++		o2nm_unlock_subsystem();

++		return -EINVAL;

++	}

++

+ 	write_lock(&cluster->cl_nodes_lock);

+ 	if (cluster->cl_nodes[tmp])

+ 		ret = -EEXIST;

+@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,

+ 		set_bit(tmp, cluster->cl_nodes_bitmap);

+ 	}

+ 	write_unlock(&cluster->cl_nodes_lock);

++	o2nm_unlock_subsystem();

++

+ 	if (ret)

+ 		return ret;

+ 

+@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,

+ 					    size_t count)

+ {

+ 	struct o2nm_node *node = to_o2nm_node(item);

+-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);

++	struct o2nm_cluster *cluster;

+ 	int ret, i;

+ 	struct rb_node **p, *parent;

+ 	unsigned int octets[4];

+@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,

+ 		be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));

+ 	}

+ 

++	o2nm_lock_subsystem();

++	cluster = to_o2nm_cluster_from_node(node);

++	if (!cluster) {

++		o2nm_unlock_subsystem();

++		return -EINVAL;

++	}

++

+ 	ret = 0;

+ 	write_lock(&cluster->cl_nodes_lock);

+ 	if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))

+@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,

+ 		rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);

+ 	}

+ 	write_unlock(&cluster->cl_nodes_lock);

++	o2nm_unlock_subsystem();

++

+ 	if (ret)

+ 		return ret;

+ 

+@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,

+ 				     size_t count)

+ {

+ 	struct o2nm_node *node = to_o2nm_node(item);

+-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);

++	struct o2nm_cluster *cluster;

+ 	unsigned long tmp;

+ 	char *p = (char *)page;

+ 	ssize_t ret;

+@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,

+ 	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))

+ 		return -EINVAL; /* XXX */

+ 

++	o2nm_lock_subsystem();

++	cluster = to_o2nm_cluster_from_node(node);

++	if (!cluster) {

++		ret = -EINVAL;

++		goto out;

++	}

++

+ 	/* the only failure case is trying to set a new local node

+ 	 * when a different one is already set */

+ 	if (tmp && tmp == cluster->cl_has_local &&

+-	    cluster->cl_local_node != node->nd_num)

+-		return -EBUSY;

++	    cluster->cl_local_node != node->nd_num) {

++		ret = -EBUSY;

++		goto out;

++	}

+ 

+ 	/* bring up the rx thread if we're setting the new local node. */

+ 	if (tmp && !cluster->cl_has_local) {

+ 		ret = o2net_start_listening(node);

+ 		if (ret)

+-			return ret;

++			goto out;

+ 	}

+ 

+ 	if (!tmp && cluster->cl_has_local &&

+@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,

+ 		cluster->cl_local_node = node->nd_num;

+ 	}

+ 

+-	return count;

++	ret = count;

++

++out:

++	o2nm_unlock_subsystem();

++	return ret;

+ }

+ 

+ CONFIGFS_ATTR(o2nm_node_, num);

+@@ -738,6 +775,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {

+ 	},

+ };

+ 

++static inline void o2nm_lock_subsystem(void)

++{

++	mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);

++}

++

++static inline void o2nm_unlock_subsystem(void)

++{

++	mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);

++}

++

+ int o2nm_depend_item(struct config_item *item)

+ {

+ 	return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);

+-- 

+2.7.4

+

@@ -1481,7 +1481,7 @@ CONFIG_PNP_DEBUG_MESSAGES=y

 CONFIG_PNPACPI=y

 CONFIG_BLK_DEV=y

 CONFIG_BLK_DEV_NULL_BLK=m

-CONFIG_BLK_DEV_FD=m

+# CONFIG_BLK_DEV_FD is not set

 # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set

 CONFIG_ZRAM=m

 # CONFIG_BLK_CPQ_CISS_DA is not set

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-aws

 Version:        4.9.98

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -51,6 +51,16 @@ Patch34:        0001-net-create-skb_gso_validate_mac_len.patch

 Patch35:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # Fix for CVE-2017-18255

 Patch36:        0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

+# Fix for CVE-2017-18216

+Patch37:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

+# Fix for CVE-2018-8043

+Patch38:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

+# Fix for CVE-2018-8087

+Patch39:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

+# Fix for CVE-2017-18241

+Patch40:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

+# Fix for CVE-2017-18224

+Patch41:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -217,6 +227,11 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch34 -p1

 %patch35 -p1

 %patch36 -p1

+%patch37 -p1

+%patch38 -p1

+%patch39 -p1

+%patch40 -p1

+%patch41 -p1

 %patch52 -p1

 %patch53 -p1

@@ -436,6 +451,10 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2

+-   Fix CVE-2017-18216, CVE-2018-8043, CVE-2018-8087, CVE-2017-18241,

+-   CVE-2017-18224.

+-   Disable floppy driver support (CONFIG_BLK_DEV_FD) in config-aws.

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1

 -   Update to version 4.9.98

 *   Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.9.98

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -48,6 +48,16 @@ Patch34:        0001-net-create-skb_gso_validate_mac_len.patch

 Patch35:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # Fix for CVE-2017-18255

 Patch36:        0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

+# Fix for CVE-2017-18216

+Patch37:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

+# Fix for CVE-2018-8043

+Patch38:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

+# Fix for CVE-2018-8087

+Patch39:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

+# Fix for CVE-2017-18241

+Patch40:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

+# Fix for CVE-2017-18224

+Patch41:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -132,6 +142,11 @@ The Linux package contains the Linux kernel doc files

 %patch34 -p1

 %patch35 -p1

 %patch36 -p1

+%patch37 -p1

+%patch38 -p1

+%patch39 -p1

+%patch40 -p1

+%patch41 -p1

 %patch52 -p1

 %patch53 -p1

@@ -243,6 +258,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2

+-   Fix CVE-2017-18216, CVE-2018-8043, CVE-2018-8087, CVE-2017-18241,

+-   CVE-2017-18224.

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1

 -   Update to version 4.9.98

 *   Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.98

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -57,6 +57,16 @@ Patch36:        0001-net-create-skb_gso_validate_mac_len.patch

 Patch37:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # Fix for CVE-2017-18255

 Patch38:        0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

+# Fix for CVE-2017-18216

+Patch39:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

+# Fix for CVE-2018-8043

+Patch40:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

+# Fix for CVE-2018-8087

+Patch41:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

+# Fix for CVE-2017-18241

+Patch42:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

+# Fix for CVE-2017-18224

+Patch43:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -185,6 +195,11 @@ EOF

 %patch36 -p1

 %patch37 -p1

 %patch38 -p1

+%patch39 -p1

+%patch40 -p1

+%patch41 -p1

+%patch42 -p1

+%patch43 -p1

 # spectre

 %patch52 -p1

@@ -332,6 +347,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2

+-   Fix CVE-2017-18216, CVE-2018-8043, CVE-2018-8087, CVE-2017-18241,

+-   CVE-2017-18224.

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1

 -   Update to version 4.9.98

 *   Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.98

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -55,6 +55,16 @@ Patch34:        0001-net-create-skb_gso_validate_mac_len.patch

 Patch35:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # Fix for CVE-2017-18255

 Patch36:        0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

+# Fix for CVE-2017-18216

+Patch37:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

+# Fix for CVE-2018-8043

+Patch38:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

+# Fix for CVE-2018-8087

+Patch39:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

+# Fix for CVE-2017-18241

+Patch40:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

+# Fix for CVE-2017-18224

+Patch41:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -176,6 +186,11 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch34 -p1

 %patch35 -p1

 %patch36 -p1

+%patch37 -p1

+%patch38 -p1

+%patch39 -p1

+%patch40 -p1

+%patch41 -p1

 %patch52 -p1

 %patch53 -p1

@@ -358,6 +373,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2

+-   Fix CVE-2017-18216, CVE-2018-8043, CVE-2018-8087, CVE-2017-18241,

+-   CVE-2017-18224.

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1

 -   Update to version 4.9.98

 *   Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-3