@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.145

+Version:	4.4.146

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1

+%define sha1 linux=e1f85bb95eb77f49ec9e0fe680ee287732c0ab3b

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1

+-   Update to version 4.4.146

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1

 -   Update to version 4.4.145

 *   Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.145

+Version:       4.4.146

 Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1

+%define sha1 linux=e1f85bb95eb77f49ec9e0fe680ee287732c0ab3b

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -64,18 +64,6 @@ Patch47:        0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch

 Patch48:        0008-xfs-enhance-dinode-verifier.patch

 # For Spectre

-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

-Patch56: 0145-carl9170-prevent-speculative-execution.patch

-Patch57: 0146-p54-prevent-speculative-execution.patch

-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

-Patch59: 0148-cw1200-prevent-speculative-execution.patch

-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

-Patch61: 0150-ipv4-prevent-speculative-execution.patch

-Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch64: 0153-net-mpls-prevent-speculative-execution.patch

-Patch65: 0154-udf-prevent-speculative-execution.patch

-Patch66: 0155-userns-prevent-speculative-execution.patch

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

 Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

@@ -161,18 +149,6 @@ The Linux package contains the Linux kernel doc files

 %patch47 -p1

 %patch48 -p1

-%patch52 -p1

-%patch55 -p1

-%patch56 -p1

-%patch57 -p1

-%patch58 -p1

-%patch59 -p1

-%patch60 -p1

-%patch61 -p1

-%patch62 -p1

-%patch64 -p1

-%patch65 -p1

-%patch66 -p1

 %patch67 -p1

 %patch70 -p1

@@ -264,6 +240,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1

+-   Update to version 4.4.146

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1

 -   Update to version 4.4.145 and clear stack on fork.

 *   Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.145

+Version:    	4.4.146

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1

+%define sha1 linux=e1f85bb95eb77f49ec9e0fe680ee287732c0ab3b

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -64,18 +64,6 @@ Patch40:        0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch

 Patch41:        0008-xfs-enhance-dinode-verifier.patch

 # For Spectre

-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

-Patch56: 0145-carl9170-prevent-speculative-execution.patch

-Patch57: 0146-p54-prevent-speculative-execution.patch

-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

-Patch59: 0148-cw1200-prevent-speculative-execution.patch

-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

-Patch61: 0150-ipv4-prevent-speculative-execution.patch

-Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch64: 0153-net-mpls-prevent-speculative-execution.patch

-Patch65: 0154-udf-prevent-speculative-execution.patch

-Patch66: 0155-userns-prevent-speculative-execution.patch

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

 Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

@@ -193,18 +181,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch40 -p1

 %patch41 -p1

-%patch52 -p1

-%patch55 -p1

-%patch56 -p1

-%patch57 -p1

-%patch58 -p1

-%patch59 -p1

-%patch60 -p1

-%patch61 -p1

-%patch62 -p1

-%patch64 -p1

-%patch65 -p1

-%patch66 -p1

 %patch67 -p1

 %patch70 -p1

@@ -364,6 +340,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1

+-   Update to version 4.4.146

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1

 -   Update to version 4.4.145 and clear stack on fork.

 *   Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1

deleted file mode 100644

@@ -1,62 +0,0 @@

-From 11ea2f142cc668db2383015c722bcd71b6b10ba7 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Mon, 7 Aug 2017 11:03:42 +0300

-Subject: [PATCH 141/194] locking/barriers: introduce new observable

- speculation barrier

-

-The new observable speculation barrier, osb(), ensures

-that any user observable speculation doesn't cross the boundary.

-

-Any user observable speculative activity on this CPU

-thread before this point either completes, reaches a

-state it can no longer cause an observable activity, or

-is aborted before instructions after the barrier execute.

-

-In x86 case, osb() resolves in lfence if X86_FEATURE_LFENCE_RDTSC

-is present. Other architectures can define their variants.

-

-Suggested-by: Arjan van de Ven <arjan@linux.intel.com>

-Suggested-by: Alan Cox <alan.cox@intel.com>

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- arch/x86/include/asm/barrier.h |  2 ++

- include/asm-generic/barrier.h  | 11 +++++++++++

- 2 files changed, 13 insertions(+)

-

-diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h

-index 01727db..a0f695a 100644

-+++ b/arch/x86/include/asm/barrier.h

-@@ -77,6 +77,8 @@ do {									\

- 

- #endif

- 

-+#define osb() alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC)

-+

- /* Atomic operations are already serializing on x86 */

- #define smp_mb__before_atomic()	barrier()

- #define smp_mb__after_atomic()	barrier()

-diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h

-index b42afad..7a9184d 100644

-+++ b/include/asm-generic/barrier.h

-@@ -119,5 +119,16 @@ do {									\

- 	___p1;								\

- })

- 

-+/* Observable speculation barrier: ensures that any user

-+ * observable speculation doesn't cross the boundary.

-+ * Any user observable speculative activity on this CPU

-+ * thread before this point either completes, reaches a

-+ * state it can no longer cause observable activity, or

-+ * is aborted before instructions after the barrier execute.

-+ */

-+#ifndef osb

-+#define osb()	do { } while (0)

-+#endif

-+

- #endif /* !__ASSEMBLY__ */

- #endif /* __ASM_GENERIC_BARRIER_H */

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 7dd7ad0b13eb99b650d92ea3b1a2ca170a567216 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:41:27 +0300

-Subject: [PATCH 144/194] uvcvideo: prevent speculative execution

-

-Since the index value in function uvc_ioctl_enum_input()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-selector->baSourceID, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/media/usb/uvc/uvc_v4l2.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c

-index 3e7e283..65175bb 100644

-+++ b/drivers/media/usb/uvc/uvc_v4l2.c

-@@ -821,6 +821,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,

- 		}

- 		pin = iterm->id;

- 	} else if (index < selector->bNrInPins) {

-+		osb();

- 		pin = selector->baSourceID[index];

- 		list_for_each_entry(iterm, &chain->entities, chain) {

- 			if (!UVC_ENTITY_IS_ITERM(iterm))

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 9c2549c6adcafe2c2f35d44dc87ec23cc52a68b2 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:43:39 +0300

-Subject: [PATCH 145/194] carl9170: prevent speculative execution

-

-Since the queue value in function carl9170_op_conf_tx()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-ar9170_qmap and following ar->edcf, insert an observable

-speculation barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/net/wireless/ath/carl9170/main.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c

-index 988c885..cf267b7 100644

-+++ b/drivers/net/wireless/ath/carl9170/main.c

-@@ -1388,6 +1388,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,

- 

- 	mutex_lock(&ar->mutex);

- 	if (queue < ar->hw->queues) {

-+		osb();

- 		memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));

- 		ret = carl9170_set_qos(ar);

- 	} else {

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 07f7bcf24d303ec6d91d7da809f3b6e6760f8301 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:44:38 +0300

-Subject: [PATCH 146/194] p54: prevent speculative execution

-

-Since the queue value in function p54_conf_tx()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-priv->qos_params, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/net/wireless/p54/main.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/net/wireless/p54/main.c b/drivers/net/wireless/p54/main.c

-index d5a3bf9..3d20b47 100644

-+++ b/drivers/net/wireless/p54/main.c

-@@ -415,6 +415,7 @@ static int p54_conf_tx(struct ieee80211_hw *dev,

- 

- 	mutex_lock(&priv->conf_mutex);

- 	if (queue < dev->queues) {

-+		osb();

- 		P54_SET_QUEUE(priv->qos_params[queue], params->aifs,

- 			params->cw_min, params->cw_max, params->txop);

- 		ret = p54_set_edcf(priv);

-2.9.5

-

deleted file mode 100644

@@ -1,55 +0,0 @@

-From f7de96128d46f9d9ecad5c1ded3133e2da25f39c Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:45:35 +0300

-Subject: [PATCH 147/194] qla2xxx: prevent speculative execution

-

-Since the handle value in functions qlafx00_status_entry()

-and qlafx00_multistatus_entry() seems to be controllable

-by userspace and later on conditionally (upon bound check)

-used to resolve req->outstanding_cmds, insert an observable

-speculation barrier before its usage. This should prevent

-observable speculation on that branch and avoid kernel

-memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++----

- 1 file changed, 8 insertions(+), 4 deletions(-)

-

-diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c

-index e23a3d4..9090283 100644

-+++ b/drivers/scsi/qla2xxx/qla_mr.c

-@@ -2305,10 +2305,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)

- 	req = ha->req_q_map[que];

- 

- 	/* Validate handle. */

--	if (handle < req->num_outstanding_cmds)

-+	if (handle < req->num_outstanding_cmds) {

-+		osb();

- 		sp = req->outstanding_cmds[handle];

--	else

-+	} else {

- 		sp = NULL;

-+	}

- 

- 	if (sp == NULL) {

- 		ql_dbg(ql_dbg_io, vha, 0x3034,

-@@ -2656,10 +2658,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,

- 		req = ha->req_q_map[que];

- 

- 		/* Validate handle. */

--		if (handle < req->num_outstanding_cmds)

-+		if (handle < req->num_outstanding_cmds) {

-+			osb();

- 			sp = req->outstanding_cmds[handle];

--		else

-+		} else {

- 			sp = NULL;

-+		}

- 

- 		if (sp == NULL) {

- 			ql_dbg(ql_dbg_io, vha, 0x3044,

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 9a0dc9abad09792c93d099d5e92af5788c224791 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:46:21 +0300

-Subject: [PATCH 148/194] cw1200: prevent speculative execution

-

-Since the queue value in function cw1200_conf_tx()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used in

-WSM_TX_QUEUE_SET, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/net/wireless/cw1200/sta.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/net/wireless/cw1200/sta.c b/drivers/net/wireless/cw1200/sta.c

-index a522248..754fc43 100644

-+++ b/drivers/net/wireless/cw1200/sta.c

-@@ -619,6 +619,7 @@ int cw1200_conf_tx(struct ieee80211_hw *dev, struct ieee80211_vif *vif,

- 	mutex_lock(&priv->conf_mutex);

- 

- 	if (queue < dev->queues) {

-+		osb();

- 		old_uapsd_flags = le16_to_cpu(priv->uapsd_info.uapsd_flags);

- 

- 		WSM_TX_QUEUE_SET(&priv->tx_queue_params, queue, 0, 0, 0);

-2.9.5

-

deleted file mode 100644

@@ -1,47 +0,0 @@

-From d9542e2d9b4b1e4649f0c1ea13a1b5dcfc1e2674 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:47:12 +0300

-Subject: [PATCH 149/194] Thermal/int340x: prevent speculative execution

-

-Since the trip value in function int340x_thermal_get_trip_temp()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-d->aux_trips, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/thermal/int340x_thermal/int340x_thermal_zone.c | 11 ++++++-----

- 1 file changed, 6 insertions(+), 5 deletions(-)

-

-diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c

-index 145a5c53..d732b34 100644

-+++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c

-@@ -57,15 +57,16 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone,

- 	if (d->override_ops && d->override_ops->get_trip_temp)

- 		return d->override_ops->get_trip_temp(zone, trip, temp);

- 

--	if (trip < d->aux_trip_nr)

-+	if (trip < d->aux_trip_nr) {

-+		osb();

- 		*temp = d->aux_trips[trip];

--	else if (trip == d->crt_trip_id)

-+	} else if (trip == d->crt_trip_id) {

- 		*temp = d->crt_temp;

--	else if (trip == d->psv_trip_id)

-+	} else if (trip == d->psv_trip_id) {

- 		*temp = d->psv_temp;

--	else if (trip == d->hot_trip_id)

-+	} else if (trip == d->hot_trip_id) {

- 		*temp = d->hot_temp;

--	else {

-+	} else {

- 		for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) {

- 			if (d->act_trips[i].valid &&

- 			    d->act_trips[i].id == trip) {

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 9515f43ddd006464308b2796b63b7d6446d922b8 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 13 Dec 2017 10:16:07 +0200

-Subject: [PATCH 150/194] ipv4: prevent speculative execution

-

-Since the offset value in function raw_getfrag()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used in the following

-memcpy, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- net/ipv4/raw.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c

-index 33b70bf..c9d33f1 100644

-+++ b/net/ipv4/raw.c

-@@ -476,6 +476,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd,

- 	if (offset < rfv->hlen) {

- 		int copy = min(rfv->hlen - offset, len);

- 

-+		osb();

- 		if (skb->ip_summed == CHECKSUM_PARTIAL)

- 			memcpy(to, rfv->hdr.c + offset, copy);

- 		else

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 1ce83a2cfe57cec87a22e69b726e9547b4d830f8 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:48:35 +0300

-Subject: [PATCH 151/194] ipv6: prevent speculative execution

-

-Since the offset value in function raw6_getfrag()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used in the

-following memcpy, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- net/ipv6/raw.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c

-index e4462b0..8794d92 100644

-+++ b/net/ipv6/raw.c

-@@ -729,6 +729,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,

- 	if (offset < rfv->hlen) {

- 		int copy = min(rfv->hlen - offset, len);

- 

-+		osb();

- 		if (skb->ip_summed == CHECKSUM_PARTIAL)

- 			memcpy(to, rfv->c + offset, copy);

- 		else

-2.9.5

-

deleted file mode 100644

@@ -1,34 +0,0 @@

-From 3e9a34c67e5376bedd9e79e6a7e16b01a01c8215 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:55:54 +0300

-Subject: [PATCH 153/194] net: mpls: prevent speculative execution

-

-Since the index value in function mpls_route_input_rcu()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-platform_label, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- net/mpls/af_mpls.c | 2 ++

- 1 file changed, 2 insertions(+)

-

-diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c

-index c5b9ce4..3bdf8d8 100644

-+++ b/net/mpls/af_mpls.c

-@@ -50,6 +50,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)

- 	if (index < net->mpls.platform_labels) {

- 		struct mpls_route __rcu **platform_label =

- 			rcu_dereference(net->mpls.platform_label);

-+

-+		osb();

- 		rt = rcu_dereference(platform_label[index]);

- 	}

- 	return rt;

-2.9.5

-

deleted file mode 100644

@@ -1,52 +0,0 @@

-From bbb72371d2212fe0526f1ae679d5d55fe51bd909 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 13 Dec 2017 10:15:30 +0200

-Subject: [PATCH 154/194] udf: prevent speculative execution

-

-Since the eahd->appAttrLocation value in function

-udf_add_extendedattr() seems to be controllable by

-userspace and later on conditionally (upon bound check)

-used in following memmove, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- fs/udf/misc.c | 6 ++++++

- 1 file changed, 6 insertions(+)

-

-diff --git a/fs/udf/misc.c b/fs/udf/misc.c

-index 3949c4b..c826ccc 100644

-+++ b/fs/udf/misc.c

-@@ -104,6 +104,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,

- 					iinfo->i_lenEAttr) {

- 				uint32_t aal =

- 					le32_to_cpu(eahd->appAttrLocation);

-+

-+				osb();

- 				memmove(&ea[offset - aal + size],

- 					&ea[aal], offset - aal);

- 				offset -= aal;

-@@ -114,6 +116,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,

- 					iinfo->i_lenEAttr) {

- 				uint32_t ial =

- 					le32_to_cpu(eahd->impAttrLocation);

-+

-+				osb();

- 				memmove(&ea[offset - ial + size],

- 					&ea[ial], offset - ial);

- 				offset -= ial;

-@@ -125,6 +129,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,

- 					iinfo->i_lenEAttr) {

- 				uint32_t aal =

- 					le32_to_cpu(eahd->appAttrLocation);

-+

-+				osb();

- 				memmove(&ea[offset - aal + size],

- 					&ea[aal], offset - aal);

- 				offset -= aal;

-2.9.5

-

deleted file mode 100644

@@ -1,39 +0,0 @@

-From 616abca9e7f1add8e8f26cf6d33992b76412bcec Mon Sep 17 00:00:00 2001

-From: Tim Chen <tim.c.chen@linux.intel.com>

-Date: Fri, 15 Dec 2017 02:29:09 -0800

-Subject: [PATCH 155/194] userns: prevent speculative execution

-

-From: Elena Reshetova <elena.reshetova@intel.com>

-

-Since the pos value in function m_start()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-map->extent, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- kernel/user_namespace.c | 4 +++-

- 1 file changed, 3 insertions(+), 1 deletion(-)

-

-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c

-index c490f1e..2240f36 100644

-+++ b/kernel/user_namespace.c

-@@ -543,8 +543,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,

- 	struct uid_gid_extent *extent = NULL;

- 	loff_t pos = *ppos;

- 

--	if (pos < map->nr_extents)

-+	if (pos < map->nr_extents) {

-+		osb();

- 		extent = &map->extent[pos];

-+	}

- 

- 	return extent;

- }

-2.9.5

-