@@ -1,14 +1,14 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.124

-Release:	2%{?dist}

+Version:	4.4.130

+Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

 Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=d5241400e6e5ed97fbdba1f92cf62c0a4382a30a

+%define sha1 linux=301ecffcd9714f17b229c0eaff8a711a419bbbdb

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Apr 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.130-1

+-   Update to version 4.4.130

 *   Thu Apr 19 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.124-2

 -   Add full retpoline support by building with retpoline-enabled gcc.

 *   Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.124-1

new file mode 100644

@@ -0,0 +1,131 @@

+From 2b16f048729bf35e6c28a40cbfad07239f9dcd90 Mon Sep 17 00:00:00 2001

+From: Daniel Axtens <dja@axtens.net>

+Date: Wed, 31 Jan 2018 14:15:33 +1100

+Subject: [PATCH] net: create skb_gso_validate_mac_len()

+

+If you take a GSO skb, and split it into packets, will the MAC

+length (L2 + L3 + L4 headers + payload) of those packets be small

+enough to fit within a given length?

+

+Move skb_gso_mac_seglen() to skbuff.h with other related functions

+like skb_gso_network_seglen() so we can use it, and then create

+skb_gso_validate_mac_len to do the full calculation.

+

+Signed-off-by: Daniel Axtens <dja@axtens.net>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+[ Srivatsa: Removed all references to GSO_BY_FRAGS, as that feature is not

+available on 4.4 kernels. ]

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ include/linux/skbuff.h | 16 +++++++++++++

+ net/core/skbuff.c      | 63 +++++++++++++++++++++++++++++++++++++++-----------

+ net/sched/sch_tbf.c    | 10 --------

+ 3 files changed, 66 insertions(+), 23 deletions(-)

+

+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h

+index a6da214..2a62725 100644

+--- a/include/linux/skbuff.h

+@@ -2896,6 +2896,7 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len);

+ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);

+ void skb_scrub_packet(struct sk_buff *skb, bool xnet);

+ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);

++bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);

+ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);

+ struct sk_buff *skb_vlan_untag(struct sk_buff *skb);

+ int skb_ensure_writable(struct sk_buff *skb, int write_len);

+@@ -3651,5 +3652,20 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)

+ 	return hdr_len + skb_gso_transport_seglen(skb);

+ }

+ 

++/**

++ * skb_gso_mac_seglen - Return length of individual segments of a gso packet

++ *

++ * @skb: GSO skb

++ *

++ * skb_gso_mac_seglen is used to determine the real size of the

++ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4

++ * headers (TCP/UDP).

++ */

++static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)

++{

++	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);

++	return hdr_len + skb_gso_transport_seglen(skb);

++}

++

+ #endif	/* __KERNEL__ */

+ #endif	/* _LINUX_SKBUFF_H */

+diff --git a/net/core/skbuff.c b/net/core/skbuff.c

+index 7d344259..3c42478 100644

+--- a/net/core/skbuff.c

+@@ -4292,6 +4292,46 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)

+ }

+ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);

+ 

++/**

++ * skb_gso_size_check - check the skb size

++ *

++ * There are a couple of instances where we have a GSO skb, and we

++ * want to determine what size it would be after it is segmented.

++ *

++ * We might want to check:

++ * -    L3+L4+payload size (e.g. IP forwarding)

++ * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)

++ *

++ * This is a helper to do that correctly.

++ *

++ * @seg_len: The segmented length (from skb_gso_*_seglen).

++ *

++ * @max_len: The maximum permissible length.

++ *

++ * Returns true if the segmented length <= max length.

++ */

++static inline bool skb_gso_size_check(const struct sk_buff *skb,

++				      unsigned int seg_len,

++				      unsigned int max_len) {

++	return seg_len <= max_len;

++}

++

++

++/**

++ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?

++ *

++ * @skb: GSO skb

++ * @len: length to validate against

++ *

++ * skb_gso_validate_mac_len validates if a given skb will fit a wanted

++ * length once split, including L2, L3 and L4 headers and the payload.

++ */

++bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)

++{

++	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);

++}

++EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);

++

+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)

+ {

+ 	if (skb_cow(skb, skb_headroom(skb)) < 0) {

+diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c

+index c2fbde7..93d6a21 100644

+--- a/net/sched/sch_tbf.c

+@@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r,

+ 	return len;

+ }

+ 

+-/*

+- * Return length of individual segments of a gso packet,

+- * including all headers (MAC, IP, TCP/UDP)

+- */

+-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)

+-{

+-	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);

+-	return hdr_len + skb_gso_transport_seglen(skb);

+-}

+-

+ /* GSO packet is too big, segment it so that tbf can transmit

+  * each segment in time

+  */

+-- 

+2.7.4

new file mode 100644

@@ -0,0 +1,57 @@

+From 8914a595110a6eca69a5e275b323f5d09e18f4f9 Mon Sep 17 00:00:00 2001

+From: Daniel Axtens <dja@axtens.net>

+Date: Wed, 31 Jan 2018 14:15:34 +1100

+Subject: [PATCH] bnx2x: disable GSO where gso_size is too big for hardware

+

+If a bnx2x card is passed a GSO packet with a gso_size larger than

+~9700 bytes, it will cause a firmware error that will bring the card

+down:

+

+bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!

+bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2

+bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052

+bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1

+... (dump of values continues) ...

+

+Detect when the mac length of a GSO packet is greater than the maximum

+packet size (9700 bytes) and disable GSO.

+

+Signed-off-by: Daniel Axtens <dja@axtens.net>

+Reviewed-by: Eric Dumazet <edumazet@google.com>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+[ Srivatsa: Removed reference to GSO_BY_FRAGS, as that feature is not

+available on 4.4 kernels. ]

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++

+ 1 file changed, 18 insertions(+)

+

+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c

+index 8ddb68a..5a7c775 100644

+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c

+@@ -12818,6 +12818,22 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb,

+ 					      struct net_device *dev,

+ 					      netdev_features_t features)

+ {

++	/*

++	 * A skb with gso_size + header length > 9700 will cause a

++	 * firmware panic. Drop GSO support.

++	 *

++	 * Eventually the upper layer should not pass these packets down.

++	 *

++	 * For speed, if the gso_size is <= 9000, assume there will

++	 * not be 700 bytes of headers and pass it through. Only do a

++	 * full (slow) validation if the gso_size is > 9000.

++	 *

++	 */

++	if (unlikely(skb_is_gso(skb) &&

++		     (skb_shinfo(skb)->gso_size > 9000) &&

++		     !skb_gso_validate_mac_len(skb, 9700)))

++		features &= ~NETIF_F_GSO_MASK;

++

+ 	features = vlan_features_check(skb, features);

+ 	return vxlan_features_check(skb, features);

+ }

+-- 

+2.7.4

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.124

-Release:       2%{?dist}

+Version:       4.4.130

+Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=d5241400e6e5ed97fbdba1f92cf62c0a4382a30a

+%define sha1 linux=301ecffcd9714f17b229c0eaff8a711a419bbbdb

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -37,6 +37,9 @@ Patch22:       vsock-transport-for-9p.patch

 Patch23:       p9fs_dir_readdir-offset-support.patch

 Patch24:       Implement-the-f-xattrat-family-of-functions.patch

 Patch26:       init-do_mounts-recreate-dev-root.patch

+# Fixes for CVE-2018-1000026

+Patch27:       0001-net-create-skb_gso_validate_mac_len.patch

+Patch28:       0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

 Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

@@ -114,6 +117,8 @@ The Linux package contains the Linux kernel doc files

 %patch23 -p1

 %patch24 -p1

 %patch26 -p1

+%patch27 -p1

+%patch28 -p1

 %patch52 -p1

 %patch55 -p1

@@ -217,6 +222,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Apr 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.130-1

+-   Update to version 4.4.130 and fix CVE-2018-1000026.

 *   Thu Apr 19 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.124-2

 -   Add full retpoline support by building with retpoline-enabled gcc.

 *   Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.124-1

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.124

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Version:    	4.4.130

+Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=d5241400e6e5ed97fbdba1f92cf62c0a4382a30a

+%define sha1 linux=301ecffcd9714f17b229c0eaff8a711a419bbbdb

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -36,6 +36,9 @@ Patch16:        vsock-transport-for-9p.patch

 #allow some algorithms in FIPS mode

 Patch17:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch18:        0002-allow-also-ecb-cipher_null.patch

+# Fixes for CVE-2018-1000026

+Patch19:        0001-net-create-skb_gso_validate_mac_len.patch

+Patch20:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

 Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

@@ -144,6 +147,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch16 -p1

 %patch17 -p1

 %patch18 -p1

+%patch19 -p1

+%patch20 -p1

 %patch52 -p1

 %patch55 -p1

@@ -315,6 +320,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Mon Apr 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.130-1

+-   Update to version 4.4.130 and fix CVE-2018-1000026.

 *   Thu Apr 19 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.124-2

 -   Add full retpoline support by building with retpoline-enabled gcc.

 *   Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.124-1

@@ -53,35 +53,5 @@

                      {"package": "libgomp", "version": "7.3.0"},

                      {"package": "libgomp-devel", "version": "7.3.0"}

         ]

-    },

-

-    "linux-secure": {

-        "files": [],

-        "macros": [],

-        "override_toolchain": [

-                     {"package": "gcc", "version": "7.3.0"},

-                     {"package": "libgcc", "version": "7.3.0"},

-                     {"package": "libgcc-devel", "version": "7.3.0"},

-                     {"package": "libgcc-atomic", "version": "7.3.0"},

-                     {"package": "libstdc++", "version": "7.3.0"},

-                     {"package": "libstdc++-devel", "version": "7.3.0"},

-                     {"package": "libgomp", "version": "7.3.0"},

-                     {"package": "libgomp-devel", "version": "7.3.0"}

-        ]

-    },

-

-    "linux-aws": {

-        "files": [],

-        "macros": [],

-        "override_toolchain": [

-                     {"package": "gcc", "version": "7.3.0"},

-                     {"package": "libgcc", "version": "7.3.0"},

-                     {"package": "libgcc-devel", "version": "7.3.0"},

-                     {"package": "libgcc-atomic", "version": "7.3.0"},

-                     {"package": "libstdc++", "version": "7.3.0"},

-                     {"package": "libstdc++-devel", "version": "7.3.0"},

-                     {"package": "libgomp", "version": "7.3.0"},

-                     {"package": "libgomp-devel", "version": "7.3.0"}

-        ]

     }

 }