Also, remove most of the remaining out-of-tree spectre patches, since
the existing spectre mitigations in 4.4.y have rendered them obsolete.
(However, retain the "x86/syscall: Clear unused extra registers on
syscall entrance" patch for now, as it needs a deeper look before we
can retire it).
Change-Id: I56bf8b34946d4085f75d9ef1e460a3a498d52472
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5468
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.4.145 |
|
3 |
+Version: 4.4.146 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1 |
|
11 |
+%define sha1 linux=e1f85bb95eb77f49ec9e0fe680ee287732c0ab3b |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
# From SPECS/linux and used by linux-esx only |
14 | 14 |
# It provides f*xattrat syscalls |
... | ... |
@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
29 | 29 |
%defattr(-,root,root) |
30 | 30 |
%{_includedir}/* |
31 | 31 |
%changelog |
32 |
+* Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1 |
|
33 |
+- Update to version 4.4.146 |
|
32 | 34 |
* Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1 |
33 | 35 |
- Update to version 4.4.145 |
34 | 36 |
* Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.4.145 |
|
4 |
+Version: 4.4.146 |
|
5 | 5 |
Release: 1%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1 |
|
12 |
+%define sha1 linux=e1f85bb95eb77f49ec9e0fe680ee287732c0ab3b |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Patch0: double-tcp_mem-limits.patch |
15 | 15 |
Patch1: linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch |
... | ... |
@@ -64,18 +64,6 @@ Patch47: 0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch |
64 | 64 |
Patch48: 0008-xfs-enhance-dinode-verifier.patch |
65 | 65 |
|
66 | 66 |
# For Spectre |
67 |
-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
|
68 |
-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch |
|
69 |
-Patch56: 0145-carl9170-prevent-speculative-execution.patch |
|
70 |
-Patch57: 0146-p54-prevent-speculative-execution.patch |
|
71 |
-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch |
|
72 |
-Patch59: 0148-cw1200-prevent-speculative-execution.patch |
|
73 |
-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch |
|
74 |
-Patch61: 0150-ipv4-prevent-speculative-execution.patch |
|
75 |
-Patch62: 0151-ipv6-prevent-speculative-execution.patch |
|
76 |
-Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
|
77 |
-Patch65: 0154-udf-prevent-speculative-execution.patch |
|
78 |
-Patch66: 0155-userns-prevent-speculative-execution.patch |
|
79 | 67 |
Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
80 | 68 |
|
81 | 69 |
Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch |
... | ... |
@@ -161,18 +149,6 @@ The Linux package contains the Linux kernel doc files |
161 | 161 |
%patch47 -p1 |
162 | 162 |
%patch48 -p1 |
163 | 163 |
|
164 |
-%patch52 -p1 |
|
165 |
-%patch55 -p1 |
|
166 |
-%patch56 -p1 |
|
167 |
-%patch57 -p1 |
|
168 |
-%patch58 -p1 |
|
169 |
-%patch59 -p1 |
|
170 |
-%patch60 -p1 |
|
171 |
-%patch61 -p1 |
|
172 |
-%patch62 -p1 |
|
173 |
-%patch64 -p1 |
|
174 |
-%patch65 -p1 |
|
175 |
-%patch66 -p1 |
|
176 | 164 |
%patch67 -p1 |
177 | 165 |
|
178 | 166 |
%patch70 -p1 |
... | ... |
@@ -264,6 +240,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
264 | 264 |
/usr/src/linux-headers-%{uname_r} |
265 | 265 |
|
266 | 266 |
%changelog |
267 |
+* Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1 |
|
268 |
+- Update to version 4.4.146 |
|
267 | 269 |
* Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1 |
268 | 270 |
- Update to version 4.4.145 and clear stack on fork. |
269 | 271 |
* Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.4.145 |
|
4 |
+Version: 4.4.146 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz |
12 |
-%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1 |
|
12 |
+%define sha1 linux=e1f85bb95eb77f49ec9e0fe680ee287732c0ab3b |
|
13 | 13 |
Source1: config |
14 | 14 |
%define ena_version 1.1.3 |
15 | 15 |
Source2: https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz |
... | ... |
@@ -64,18 +64,6 @@ Patch40: 0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch |
64 | 64 |
Patch41: 0008-xfs-enhance-dinode-verifier.patch |
65 | 65 |
|
66 | 66 |
# For Spectre |
67 |
-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
|
68 |
-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch |
|
69 |
-Patch56: 0145-carl9170-prevent-speculative-execution.patch |
|
70 |
-Patch57: 0146-p54-prevent-speculative-execution.patch |
|
71 |
-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch |
|
72 |
-Patch59: 0148-cw1200-prevent-speculative-execution.patch |
|
73 |
-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch |
|
74 |
-Patch61: 0150-ipv4-prevent-speculative-execution.patch |
|
75 |
-Patch62: 0151-ipv6-prevent-speculative-execution.patch |
|
76 |
-Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
|
77 |
-Patch65: 0154-udf-prevent-speculative-execution.patch |
|
78 |
-Patch66: 0155-userns-prevent-speculative-execution.patch |
|
79 | 67 |
Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
80 | 68 |
|
81 | 69 |
Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch |
... | ... |
@@ -193,18 +181,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
193 | 193 |
%patch40 -p1 |
194 | 194 |
%patch41 -p1 |
195 | 195 |
|
196 |
-%patch52 -p1 |
|
197 |
-%patch55 -p1 |
|
198 |
-%patch56 -p1 |
|
199 |
-%patch57 -p1 |
|
200 |
-%patch58 -p1 |
|
201 |
-%patch59 -p1 |
|
202 |
-%patch60 -p1 |
|
203 |
-%patch61 -p1 |
|
204 |
-%patch62 -p1 |
|
205 |
-%patch64 -p1 |
|
206 |
-%patch65 -p1 |
|
207 |
-%patch66 -p1 |
|
208 | 196 |
%patch67 -p1 |
209 | 197 |
|
210 | 198 |
%patch70 -p1 |
... | ... |
@@ -364,6 +340,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
364 | 364 |
/usr/share/perf-core |
365 | 365 |
|
366 | 366 |
%changelog |
367 |
+* Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1 |
|
368 |
+- Update to version 4.4.146 |
|
367 | 369 |
* Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1 |
368 | 370 |
- Update to version 4.4.145 and clear stack on fork. |
369 | 371 |
* Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1 |
370 | 372 |
deleted file mode 100644 |
... | ... |
@@ -1,62 +0,0 @@ |
1 |
-From 11ea2f142cc668db2383015c722bcd71b6b10ba7 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Mon, 7 Aug 2017 11:03:42 +0300 |
|
4 |
-Subject: [PATCH 141/194] locking/barriers: introduce new observable |
|
5 |
- speculation barrier |
|
6 |
- |
|
7 |
-The new observable speculation barrier, osb(), ensures |
|
8 |
-that any user observable speculation doesn't cross the boundary. |
|
9 |
- |
|
10 |
-Any user observable speculative activity on this CPU |
|
11 |
-thread before this point either completes, reaches a |
|
12 |
-state it can no longer cause an observable activity, or |
|
13 |
-is aborted before instructions after the barrier execute. |
|
14 |
- |
|
15 |
-In x86 case, osb() resolves in lfence if X86_FEATURE_LFENCE_RDTSC |
|
16 |
-is present. Other architectures can define their variants. |
|
17 |
- |
|
18 |
-Suggested-by: Arjan van de Ven <arjan@linux.intel.com> |
|
19 |
-Suggested-by: Alan Cox <alan.cox@intel.com> |
|
20 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
21 |
- arch/x86/include/asm/barrier.h | 2 ++ |
|
22 |
- include/asm-generic/barrier.h | 11 +++++++++++ |
|
23 |
- 2 files changed, 13 insertions(+) |
|
24 |
- |
|
25 |
-diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h |
|
26 |
-index 01727db..a0f695a 100644 |
|
27 |
-+++ b/arch/x86/include/asm/barrier.h |
|
28 |
-@@ -77,6 +77,8 @@ do { \ |
|
29 |
- |
|
30 |
- #endif |
|
31 |
- |
|
32 |
-+#define osb() alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC) |
|
33 |
-+ |
|
34 |
- /* Atomic operations are already serializing on x86 */ |
|
35 |
- #define smp_mb__before_atomic() barrier() |
|
36 |
- #define smp_mb__after_atomic() barrier() |
|
37 |
-diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h |
|
38 |
-index b42afad..7a9184d 100644 |
|
39 |
-+++ b/include/asm-generic/barrier.h |
|
40 |
-@@ -119,5 +119,16 @@ do { \ |
|
41 |
- ___p1; \ |
|
42 |
- }) |
|
43 |
- |
|
44 |
-+/* Observable speculation barrier: ensures that any user |
|
45 |
-+ * observable speculation doesn't cross the boundary. |
|
46 |
-+ * Any user observable speculative activity on this CPU |
|
47 |
-+ * thread before this point either completes, reaches a |
|
48 |
-+ * state it can no longer cause observable activity, or |
|
49 |
-+ * is aborted before instructions after the barrier execute. |
|
50 |
-+ */ |
|
51 |
-+#ifndef osb |
|
52 |
-+#define osb() do { } while (0) |
|
53 |
-+#endif |
|
54 |
-+ |
|
55 |
- #endif /* !__ASSEMBLY__ */ |
|
56 |
- #endif /* __ASM_GENERIC_BARRIER_H */ |
|
57 |
-2.9.5 |
|
58 |
- |
59 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,33 +0,0 @@ |
1 |
-From 7dd7ad0b13eb99b650d92ea3b1a2ca170a567216 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:41:27 +0300 |
|
4 |
-Subject: [PATCH 144/194] uvcvideo: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the index value in function uvc_ioctl_enum_input() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used to resolve |
|
9 |
-selector->baSourceID, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- drivers/media/usb/uvc/uvc_v4l2.c | 1 + |
|
16 |
- 1 file changed, 1 insertion(+) |
|
17 |
- |
|
18 |
-diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c |
|
19 |
-index 3e7e283..65175bb 100644 |
|
20 |
-+++ b/drivers/media/usb/uvc/uvc_v4l2.c |
|
21 |
-@@ -821,6 +821,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh, |
|
22 |
- } |
|
23 |
- pin = iterm->id; |
|
24 |
- } else if (index < selector->bNrInPins) { |
|
25 |
-+ osb(); |
|
26 |
- pin = selector->baSourceID[index]; |
|
27 |
- list_for_each_entry(iterm, &chain->entities, chain) { |
|
28 |
- if (!UVC_ENTITY_IS_ITERM(iterm)) |
|
29 |
-2.9.5 |
|
30 |
- |
31 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,33 +0,0 @@ |
1 |
-From 9c2549c6adcafe2c2f35d44dc87ec23cc52a68b2 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:43:39 +0300 |
|
4 |
-Subject: [PATCH 145/194] carl9170: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the queue value in function carl9170_op_conf_tx() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used to resolve |
|
9 |
-ar9170_qmap and following ar->edcf, insert an observable |
|
10 |
-speculation barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- drivers/net/wireless/ath/carl9170/main.c | 1 + |
|
16 |
- 1 file changed, 1 insertion(+) |
|
17 |
- |
|
18 |
-diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c |
|
19 |
-index 988c885..cf267b7 100644 |
|
20 |
-+++ b/drivers/net/wireless/ath/carl9170/main.c |
|
21 |
-@@ -1388,6 +1388,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw, |
|
22 |
- |
|
23 |
- mutex_lock(&ar->mutex); |
|
24 |
- if (queue < ar->hw->queues) { |
|
25 |
-+ osb(); |
|
26 |
- memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param)); |
|
27 |
- ret = carl9170_set_qos(ar); |
|
28 |
- } else { |
|
29 |
-2.9.5 |
|
30 |
- |
31 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,33 +0,0 @@ |
1 |
-From 07f7bcf24d303ec6d91d7da809f3b6e6760f8301 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:44:38 +0300 |
|
4 |
-Subject: [PATCH 146/194] p54: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the queue value in function p54_conf_tx() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used to resolve |
|
9 |
-priv->qos_params, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- drivers/net/wireless/p54/main.c | 1 + |
|
16 |
- 1 file changed, 1 insertion(+) |
|
17 |
- |
|
18 |
-diff --git a/drivers/net/wireless/p54/main.c b/drivers/net/wireless/p54/main.c |
|
19 |
-index d5a3bf9..3d20b47 100644 |
|
20 |
-+++ b/drivers/net/wireless/p54/main.c |
|
21 |
-@@ -415,6 +415,7 @@ static int p54_conf_tx(struct ieee80211_hw *dev, |
|
22 |
- |
|
23 |
- mutex_lock(&priv->conf_mutex); |
|
24 |
- if (queue < dev->queues) { |
|
25 |
-+ osb(); |
|
26 |
- P54_SET_QUEUE(priv->qos_params[queue], params->aifs, |
|
27 |
- params->cw_min, params->cw_max, params->txop); |
|
28 |
- ret = p54_set_edcf(priv); |
|
29 |
-2.9.5 |
|
30 |
- |
31 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,55 +0,0 @@ |
1 |
-From f7de96128d46f9d9ecad5c1ded3133e2da25f39c Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:45:35 +0300 |
|
4 |
-Subject: [PATCH 147/194] qla2xxx: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the handle value in functions qlafx00_status_entry() |
|
7 |
-and qlafx00_multistatus_entry() seems to be controllable |
|
8 |
-by userspace and later on conditionally (upon bound check) |
|
9 |
-used to resolve req->outstanding_cmds, insert an observable |
|
10 |
-speculation barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid kernel |
|
12 |
-memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++---- |
|
16 |
- 1 file changed, 8 insertions(+), 4 deletions(-) |
|
17 |
- |
|
18 |
-diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c |
|
19 |
-index e23a3d4..9090283 100644 |
|
20 |
-+++ b/drivers/scsi/qla2xxx/qla_mr.c |
|
21 |
-@@ -2305,10 +2305,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt) |
|
22 |
- req = ha->req_q_map[que]; |
|
23 |
- |
|
24 |
- /* Validate handle. */ |
|
25 |
-- if (handle < req->num_outstanding_cmds) |
|
26 |
-+ if (handle < req->num_outstanding_cmds) { |
|
27 |
-+ osb(); |
|
28 |
- sp = req->outstanding_cmds[handle]; |
|
29 |
-- else |
|
30 |
-+ } else { |
|
31 |
- sp = NULL; |
|
32 |
-+ } |
|
33 |
- |
|
34 |
- if (sp == NULL) { |
|
35 |
- ql_dbg(ql_dbg_io, vha, 0x3034, |
|
36 |
-@@ -2656,10 +2658,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha, |
|
37 |
- req = ha->req_q_map[que]; |
|
38 |
- |
|
39 |
- /* Validate handle. */ |
|
40 |
-- if (handle < req->num_outstanding_cmds) |
|
41 |
-+ if (handle < req->num_outstanding_cmds) { |
|
42 |
-+ osb(); |
|
43 |
- sp = req->outstanding_cmds[handle]; |
|
44 |
-- else |
|
45 |
-+ } else { |
|
46 |
- sp = NULL; |
|
47 |
-+ } |
|
48 |
- |
|
49 |
- if (sp == NULL) { |
|
50 |
- ql_dbg(ql_dbg_io, vha, 0x3044, |
|
51 |
-2.9.5 |
|
52 |
- |
53 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,33 +0,0 @@ |
1 |
-From 9a0dc9abad09792c93d099d5e92af5788c224791 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:46:21 +0300 |
|
4 |
-Subject: [PATCH 148/194] cw1200: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the queue value in function cw1200_conf_tx() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used in |
|
9 |
-WSM_TX_QUEUE_SET, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- drivers/net/wireless/cw1200/sta.c | 1 + |
|
16 |
- 1 file changed, 1 insertion(+) |
|
17 |
- |
|
18 |
-diff --git a/drivers/net/wireless/cw1200/sta.c b/drivers/net/wireless/cw1200/sta.c |
|
19 |
-index a522248..754fc43 100644 |
|
20 |
-+++ b/drivers/net/wireless/cw1200/sta.c |
|
21 |
-@@ -619,6 +619,7 @@ int cw1200_conf_tx(struct ieee80211_hw *dev, struct ieee80211_vif *vif, |
|
22 |
- mutex_lock(&priv->conf_mutex); |
|
23 |
- |
|
24 |
- if (queue < dev->queues) { |
|
25 |
-+ osb(); |
|
26 |
- old_uapsd_flags = le16_to_cpu(priv->uapsd_info.uapsd_flags); |
|
27 |
- |
|
28 |
- WSM_TX_QUEUE_SET(&priv->tx_queue_params, queue, 0, 0, 0); |
|
29 |
-2.9.5 |
|
30 |
- |
31 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,47 +0,0 @@ |
1 |
-From d9542e2d9b4b1e4649f0c1ea13a1b5dcfc1e2674 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:47:12 +0300 |
|
4 |
-Subject: [PATCH 149/194] Thermal/int340x: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the trip value in function int340x_thermal_get_trip_temp() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used to resolve |
|
9 |
-d->aux_trips, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- drivers/thermal/int340x_thermal/int340x_thermal_zone.c | 11 ++++++----- |
|
16 |
- 1 file changed, 6 insertions(+), 5 deletions(-) |
|
17 |
- |
|
18 |
-diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c |
|
19 |
-index 145a5c53..d732b34 100644 |
|
20 |
-+++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c |
|
21 |
-@@ -57,15 +57,16 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone, |
|
22 |
- if (d->override_ops && d->override_ops->get_trip_temp) |
|
23 |
- return d->override_ops->get_trip_temp(zone, trip, temp); |
|
24 |
- |
|
25 |
-- if (trip < d->aux_trip_nr) |
|
26 |
-+ if (trip < d->aux_trip_nr) { |
|
27 |
-+ osb(); |
|
28 |
- *temp = d->aux_trips[trip]; |
|
29 |
-- else if (trip == d->crt_trip_id) |
|
30 |
-+ } else if (trip == d->crt_trip_id) { |
|
31 |
- *temp = d->crt_temp; |
|
32 |
-- else if (trip == d->psv_trip_id) |
|
33 |
-+ } else if (trip == d->psv_trip_id) { |
|
34 |
- *temp = d->psv_temp; |
|
35 |
-- else if (trip == d->hot_trip_id) |
|
36 |
-+ } else if (trip == d->hot_trip_id) { |
|
37 |
- *temp = d->hot_temp; |
|
38 |
-- else { |
|
39 |
-+ } else { |
|
40 |
- for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) { |
|
41 |
- if (d->act_trips[i].valid && |
|
42 |
- d->act_trips[i].id == trip) { |
|
43 |
-2.9.5 |
|
44 |
- |
45 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,33 +0,0 @@ |
1 |
-From 9515f43ddd006464308b2796b63b7d6446d922b8 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 13 Dec 2017 10:16:07 +0200 |
|
4 |
-Subject: [PATCH 150/194] ipv4: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the offset value in function raw_getfrag() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used in the following |
|
9 |
-memcpy, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- net/ipv4/raw.c | 1 + |
|
16 |
- 1 file changed, 1 insertion(+) |
|
17 |
- |
|
18 |
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c |
|
19 |
-index 33b70bf..c9d33f1 100644 |
|
20 |
-+++ b/net/ipv4/raw.c |
|
21 |
-@@ -476,6 +476,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd, |
|
22 |
- if (offset < rfv->hlen) { |
|
23 |
- int copy = min(rfv->hlen - offset, len); |
|
24 |
- |
|
25 |
-+ osb(); |
|
26 |
- if (skb->ip_summed == CHECKSUM_PARTIAL) |
|
27 |
- memcpy(to, rfv->hdr.c + offset, copy); |
|
28 |
- else |
|
29 |
-2.9.5 |
|
30 |
- |
31 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,33 +0,0 @@ |
1 |
-From 1ce83a2cfe57cec87a22e69b726e9547b4d830f8 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:48:35 +0300 |
|
4 |
-Subject: [PATCH 151/194] ipv6: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the offset value in function raw6_getfrag() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used in the |
|
9 |
-following memcpy, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- net/ipv6/raw.c | 1 + |
|
16 |
- 1 file changed, 1 insertion(+) |
|
17 |
- |
|
18 |
-diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c |
|
19 |
-index e4462b0..8794d92 100644 |
|
20 |
-+++ b/net/ipv6/raw.c |
|
21 |
-@@ -729,6 +729,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, |
|
22 |
- if (offset < rfv->hlen) { |
|
23 |
- int copy = min(rfv->hlen - offset, len); |
|
24 |
- |
|
25 |
-+ osb(); |
|
26 |
- if (skb->ip_summed == CHECKSUM_PARTIAL) |
|
27 |
- memcpy(to, rfv->c + offset, copy); |
|
28 |
- else |
|
29 |
-2.9.5 |
|
30 |
- |
31 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,34 +0,0 @@ |
1 |
-From 3e9a34c67e5376bedd9e79e6a7e16b01a01c8215 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 30 Aug 2017 13:55:54 +0300 |
|
4 |
-Subject: [PATCH 153/194] net: mpls: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the index value in function mpls_route_input_rcu() |
|
7 |
-seems to be controllable by userspace and later on |
|
8 |
-conditionally (upon bound check) used to resolve |
|
9 |
-platform_label, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- net/mpls/af_mpls.c | 2 ++ |
|
16 |
- 1 file changed, 2 insertions(+) |
|
17 |
- |
|
18 |
-diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c |
|
19 |
-index c5b9ce4..3bdf8d8 100644 |
|
20 |
-+++ b/net/mpls/af_mpls.c |
|
21 |
-@@ -50,6 +50,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index) |
|
22 |
- if (index < net->mpls.platform_labels) { |
|
23 |
- struct mpls_route __rcu **platform_label = |
|
24 |
- rcu_dereference(net->mpls.platform_label); |
|
25 |
-+ |
|
26 |
-+ osb(); |
|
27 |
- rt = rcu_dereference(platform_label[index]); |
|
28 |
- } |
|
29 |
- return rt; |
|
30 |
-2.9.5 |
|
31 |
- |
32 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,52 +0,0 @@ |
1 |
-From bbb72371d2212fe0526f1ae679d5d55fe51bd909 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
3 |
-Date: Wed, 13 Dec 2017 10:15:30 +0200 |
|
4 |
-Subject: [PATCH 154/194] udf: prevent speculative execution |
|
5 |
- |
|
6 |
-Since the eahd->appAttrLocation value in function |
|
7 |
-udf_add_extendedattr() seems to be controllable by |
|
8 |
-userspace and later on conditionally (upon bound check) |
|
9 |
-used in following memmove, insert an observable speculation |
|
10 |
-barrier before its usage. This should prevent |
|
11 |
-observable speculation on that branch and avoid |
|
12 |
-kernel memory leak. |
|
13 |
- |
|
14 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
15 |
- fs/udf/misc.c | 6 ++++++ |
|
16 |
- 1 file changed, 6 insertions(+) |
|
17 |
- |
|
18 |
-diff --git a/fs/udf/misc.c b/fs/udf/misc.c |
|
19 |
-index 3949c4b..c826ccc 100644 |
|
20 |
-+++ b/fs/udf/misc.c |
|
21 |
-@@ -104,6 +104,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, |
|
22 |
- iinfo->i_lenEAttr) { |
|
23 |
- uint32_t aal = |
|
24 |
- le32_to_cpu(eahd->appAttrLocation); |
|
25 |
-+ |
|
26 |
-+ osb(); |
|
27 |
- memmove(&ea[offset - aal + size], |
|
28 |
- &ea[aal], offset - aal); |
|
29 |
- offset -= aal; |
|
30 |
-@@ -114,6 +116,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, |
|
31 |
- iinfo->i_lenEAttr) { |
|
32 |
- uint32_t ial = |
|
33 |
- le32_to_cpu(eahd->impAttrLocation); |
|
34 |
-+ |
|
35 |
-+ osb(); |
|
36 |
- memmove(&ea[offset - ial + size], |
|
37 |
- &ea[ial], offset - ial); |
|
38 |
- offset -= ial; |
|
39 |
-@@ -125,6 +129,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, |
|
40 |
- iinfo->i_lenEAttr) { |
|
41 |
- uint32_t aal = |
|
42 |
- le32_to_cpu(eahd->appAttrLocation); |
|
43 |
-+ |
|
44 |
-+ osb(); |
|
45 |
- memmove(&ea[offset - aal + size], |
|
46 |
- &ea[aal], offset - aal); |
|
47 |
- offset -= aal; |
|
48 |
-2.9.5 |
|
49 |
- |
50 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,39 +0,0 @@ |
1 |
-From 616abca9e7f1add8e8f26cf6d33992b76412bcec Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Tim Chen <tim.c.chen@linux.intel.com> |
|
3 |
-Date: Fri, 15 Dec 2017 02:29:09 -0800 |
|
4 |
-Subject: [PATCH 155/194] userns: prevent speculative execution |
|
5 |
- |
|
6 |
-From: Elena Reshetova <elena.reshetova@intel.com> |
|
7 |
- |
|
8 |
-Since the pos value in function m_start() |
|
9 |
-seems to be controllable by userspace and later on |
|
10 |
-conditionally (upon bound check) used to resolve |
|
11 |
-map->extent, insert an observable speculation |
|
12 |
-barrier before its usage. This should prevent |
|
13 |
-observable speculation on that branch and avoid |
|
14 |
-kernel memory leak. |
|
15 |
- |
|
16 |
-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> |
|
17 |
- kernel/user_namespace.c | 4 +++- |
|
18 |
- 1 file changed, 3 insertions(+), 1 deletion(-) |
|
19 |
- |
|
20 |
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c |
|
21 |
-index c490f1e..2240f36 100644 |
|
22 |
-+++ b/kernel/user_namespace.c |
|
23 |
-@@ -543,8 +543,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos, |
|
24 |
- struct uid_gid_extent *extent = NULL; |
|
25 |
- loff_t pos = *ppos; |
|
26 |
- |
|
27 |
-- if (pos < map->nr_extents) |
|
28 |
-+ if (pos < map->nr_extents) { |
|
29 |
-+ osb(); |
|
30 |
- extent = &map->extent[pos]; |
|
31 |
-+ } |
|
32 |
- |
|
33 |
- return extent; |
|
34 |
- } |
|
35 |
-2.9.5 |
|
36 |
- |