@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.9.116

+Version:	4.9.118

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ebd02e892297444ea927a45184f10f58fc77dea1

+%define sha1 linux=1f441c2113d0b7bba57dd8f6e5f5db07d222d47b

 BuildArch:	noarch

 Patch0:         Implement-the-f-xattrat-family-of-functions.patch

 %description

@@ -27,6 +27,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.118-1

+-   Update to version 4.9.118

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.116-1

 -   Update to version 4.9.116

 *   Mon Jul 23 2018 srinidhira0 <srinidhir@vmware.com> 4.9.114-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-aws

-Version:        4.9.116

+Version:        4.9.118

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ebd02e892297444ea927a45184f10f58fc77dea1

+%define sha1 linux=1f441c2113d0b7bba57dd8f6e5f5db07d222d47b

 Source1:	config-aws

 Source2:	initramfs.trigger

 # common

@@ -66,22 +66,6 @@ Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch47:        0002-xfs-verify-dinode-header-first.patch

 Patch48:        0003-xfs-enhance-dinode-verifier.patch

-# For Spectre

-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

-Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch

-Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch

-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

-Patch56: 0145-carl9170-prevent-speculative-execution.patch

-Patch57: 0146-p54-prevent-speculative-execution.patch

-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

-Patch59: 0148-cw1200-prevent-speculative-execution.patch

-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

-Patch61: 0150-ipv4-prevent-speculative-execution.patch

-Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch64: 0153-net-mpls-prevent-speculative-execution.patch

-Patch65: 0154-udf-prevent-speculative-execution.patch

-Patch66: 0155-userns-prevent-speculative-execution.patch

-

 Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

 # Out-of-tree patches from AppArmor:

@@ -250,21 +234,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch47 -p1

 %patch48 -p1

-%patch52 -p1

-%patch53 -p1

-%patch54 -p1

-%patch55 -p1

-%patch56 -p1

-%patch57 -p1

-%patch58 -p1

-%patch59 -p1

-%patch60 -p1

-%patch61 -p1

-%patch62 -p1

-%patch64 -p1

-%patch65 -p1

-%patch66 -p1

-

 %patch70 -p1

 %patch71 -p1

@@ -475,6 +444,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.118-1

+-   Update to version 4.9.118

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.116-1

 -   Update to version 4.9.116 and clear stack on fork.

 *   Mon Jul 23 2018 srinidhira0 <srinidhir@vmware.com> 4.9.114-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-esx

-Version:        4.9.116

+Version:        4.9.118

 Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ebd02e892297444ea927a45184f10f58fc77dea1

+%define sha1 linux=1f441c2113d0b7bba57dd8f6e5f5db07d222d47b

 Source1:        config-esx

 Source2:        initramfs.trigger

 # common

@@ -63,22 +63,6 @@ Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch47:        0002-xfs-verify-dinode-header-first.patch

 Patch48:        0003-xfs-enhance-dinode-verifier.patch

-# For Spectre

-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

-Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch

-Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch

-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

-Patch56: 0145-carl9170-prevent-speculative-execution.patch

-Patch57: 0146-p54-prevent-speculative-execution.patch

-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

-Patch59: 0148-cw1200-prevent-speculative-execution.patch

-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

-Patch61: 0150-ipv4-prevent-speculative-execution.patch

-Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch64: 0153-net-mpls-prevent-speculative-execution.patch

-Patch65: 0154-udf-prevent-speculative-execution.patch

-Patch66: 0155-userns-prevent-speculative-execution.patch

-

 Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

@@ -160,21 +144,6 @@ The Linux package contains the Linux kernel doc files

 %patch47 -p1

 %patch48 -p1

-%patch52 -p1

-%patch53 -p1

-%patch54 -p1

-%patch55 -p1

-%patch56 -p1

-%patch57 -p1

-%patch58 -p1

-%patch59 -p1

-%patch60 -p1

-%patch61 -p1

-%patch62 -p1

-%patch64 -p1

-%patch65 -p1

-%patch66 -p1

-

 %patch70 -p1

 %build

@@ -272,6 +241,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.118-1

+-   Update to version 4.9.118

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.116-1

 -   Update to version 4.9.116 and clear stack on fork.

 *   Mon Jul 23 2018 srinidhira0 <srinidhir@vmware.com> 4.9.114-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-secure

-Version:        4.9.116

+Version:        4.9.118

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ebd02e892297444ea927a45184f10f58fc77dea1

+%define sha1 linux=1f441c2113d0b7bba57dd8f6e5f5db07d222d47b

 Source1:        config-secure

 Source2:        aufs4.9.tar.gz

 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906

@@ -72,22 +72,6 @@ Patch48:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch49:        0002-xfs-verify-dinode-header-first.patch

 Patch50:        0003-xfs-enhance-dinode-verifier.patch

-# For Spectre

-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

-Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch

-Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch

-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

-Patch56: 0145-carl9170-prevent-speculative-execution.patch

-Patch57: 0146-p54-prevent-speculative-execution.patch

-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

-Patch59: 0148-cw1200-prevent-speculative-execution.patch

-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

-Patch61: 0150-ipv4-prevent-speculative-execution.patch

-Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch64: 0153-net-mpls-prevent-speculative-execution.patch

-Patch65: 0154-udf-prevent-speculative-execution.patch

-Patch66: 0155-userns-prevent-speculative-execution.patch

-

 Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

 # Out-of-tree patches from AppArmor:

@@ -216,22 +200,6 @@ EOF

 %patch49 -p1

 %patch50 -p1

-# spectre

-%patch52 -p1

-%patch53 -p1

-%patch54 -p1

-%patch55 -p1

-%patch56 -p1

-%patch57 -p1

-%patch58 -p1

-%patch59 -p1

-%patch60 -p1

-%patch61 -p1

-%patch62 -p1

-%patch64 -p1

-%patch65 -p1

-%patch66 -p1

-

 %patch70 -p1

 %patch71 -p1

@@ -368,6 +336,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.118-1

+-   Update to version 4.9.118

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.116-1

 -   Update to version 4.9.116 and clear stack on fork.

 *   Mon Jul 23 2018 srinidhira0 <srinidhir@vmware.com> 4.9.114-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:        4.9.116

+Version:        4.9.118

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ebd02e892297444ea927a45184f10f58fc77dea1

+%define sha1 linux=1f441c2113d0b7bba57dd8f6e5f5db07d222d47b

 Source1:	config

 Source2:	initramfs.trigger

 %define ena_version 1.1.3

@@ -71,23 +71,6 @@ Patch46:        0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch

 Patch47:        0002-xfs-verify-dinode-header-first.patch

 Patch48:        0003-xfs-enhance-dinode-verifier.patch

-

-# For Spectre

-Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

-Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch

-Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch

-Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

-Patch56: 0145-carl9170-prevent-speculative-execution.patch

-Patch57: 0146-p54-prevent-speculative-execution.patch

-Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

-Patch59: 0148-cw1200-prevent-speculative-execution.patch

-Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

-Patch61: 0150-ipv4-prevent-speculative-execution.patch

-Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch64: 0153-net-mpls-prevent-speculative-execution.patch

-Patch65: 0154-udf-prevent-speculative-execution.patch

-Patch66: 0155-userns-prevent-speculative-execution.patch

-

 Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

 # Out-of-tree patches from AppArmor:

@@ -209,21 +192,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch47 -p1

 %patch48 -p1

-%patch52 -p1

-%patch53 -p1

-%patch54 -p1

-%patch55 -p1

-%patch56 -p1

-%patch57 -p1

-%patch58 -p1

-%patch59 -p1

-%patch60 -p1

-%patch61 -p1

-%patch62 -p1

-%patch64 -p1

-%patch65 -p1

-%patch66 -p1

-

 %patch70 -p1

 %patch71 -p1

@@ -399,6 +367,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.118-1

+-   Update to version 4.9.118

 *   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.116-1

 -   Update to version 4.9.116 and clear stack on fork.

 *   Wed Jul 25 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.114-2

deleted file mode 100644

@@ -1,62 +0,0 @@

-From 11ea2f142cc668db2383015c722bcd71b6b10ba7 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Mon, 7 Aug 2017 11:03:42 +0300

-Subject: [PATCH 141/194] locking/barriers: introduce new observable

- speculation barrier

-

-The new observable speculation barrier, osb(), ensures

-that any user observable speculation doesn't cross the boundary.

-

-Any user observable speculative activity on this CPU

-thread before this point either completes, reaches a

-state it can no longer cause an observable activity, or

-is aborted before instructions after the barrier execute.

-

-In x86 case, osb() resolves in lfence if X86_FEATURE_LFENCE_RDTSC

-is present. Other architectures can define their variants.

-

-Suggested-by: Arjan van de Ven <arjan@linux.intel.com>

-Suggested-by: Alan Cox <alan.cox@intel.com>

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- arch/x86/include/asm/barrier.h |  2 ++

- include/asm-generic/barrier.h  | 11 +++++++++++

- 2 files changed, 13 insertions(+)

-

-diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h

-index 01727db..a0f695a 100644

-+++ b/arch/x86/include/asm/barrier.h

-@@ -77,6 +77,8 @@ do {									\

- 

- #endif

- 

-+#define osb() alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC)

-+

- /* Atomic operations are already serializing on x86 */

- #define __smp_mb__before_atomic()	barrier()

- #define __smp_mb__after_atomic()	barrier()

-diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h

-index fe297b5..04b3b1f 100644

-+++ b/include/asm-generic/barrier.h

-@@ -246,5 +246,16 @@ do {									\

- })

- #endif

- 

-+/* Observable speculation barrier: ensures that any user

-+ * observable speculation doesn't cross the boundary.

-+ * Any user observable speculative activity on this CPU

-+ * thread before this point either completes, reaches a

-+ * state it can no longer cause observable activity, or

-+ * is aborted before instructions after the barrier execute.

-+ */

-+#ifndef osb

-+#define osb()	do { } while (0)

-+#endif

-+

- #endif /* !__ASSEMBLY__ */

- #endif /* __ASM_GENERIC_BARRIER_H */

-2.9.5

-

deleted file mode 100644

@@ -1,48 +0,0 @@

-From acc08dc457b9c6b30c21f589ef4f2f5235d1e654 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Mon, 7 Aug 2017 11:10:28 +0300

-Subject: [PATCH 142/194] bpf: prevent speculative execution in eBPF

- interpreter

-

-This adds an observable speculation barrier before LD_IMM_DW and

-LDX_MEM_B/H/W/DW eBPF instructions during eBPF program

-execution in order to prevent speculative execution on out

-of bound BFP_MAP array indexes. This way an arbitary kernel

-memory is not exposed through side channel attacks.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- kernel/bpf/core.c | 3 +++

- 1 file changed, 3 insertions(+)

-

-diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c

-index 7b62df8..b28eca1 100644

-+++ b/kernel/bpf/core.c

-@@ -33,6 +33,7 @@

- #include <linux/frame.h>

- 

- #include <asm/unaligned.h>

-+#include <asm/barrier.h>

- 

- /* Registers */

- #define BPF_R0	regs[BPF_REG_0]

-@@ -932,6 +933,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,

- 		DST = IMM;

- 		CONT;

- 	LD_IMM_DW:

-+		osb();

- 		DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;

- 		insn++;

- 		CONT;

-@@ -1193,6 +1195,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,

- 		*(SIZE *)(unsigned long) (DST + insn->off) = IMM;	\

- 		CONT;							\

- 	LDX_MEM_##SIZEOP:						\

-+		osb();							\

- 		DST = *(SIZE *)(unsigned long) (SRC + insn->off);	\

- 		CONT;

- 

-2.9.5

-

deleted file mode 100644

@@ -1,111 +0,0 @@

-From e3b71cad927d33b8e20c66bf07956f935c9c6eef Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Tue, 8 Aug 2017 12:06:58 +0300

-Subject: [PATCH 143/194] x86, bpf, jit: prevent speculative execution when JIT

- is enabled

-

-When constant blinding is enabled (bpf_jit_harden = 1), this adds

-an observable speculation barrier before emitting x86 jitted code

-for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X

-(for BPF_REG_AX register) eBPF instructions. This is needed in order

-to prevent speculative execution on out of bounds BPF_MAP array

-indexes when JIT is enabled. This way an arbitary kernel memory is

-not exposed through side-channel attacks.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- arch/x86/net/bpf_jit_comp.c | 28 +++++++++++++++++++++++++++-

- include/linux/filter.h      |  9 +++++++++

- 2 files changed, 36 insertions(+), 1 deletion(-)

-

-diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c

-index 0554e8a..f01480a 100644

-+++ b/arch/x86/net/bpf_jit_comp.c

-@@ -16,6 +16,7 @@

- #include <linux/bpf.h>

- 

- int bpf_jit_enable __read_mostly;

-+u8 bpf_jit_fence = 0;

- 

- /*

-  * assembly code in arch/x86/net/bpf_jit.S

-@@ -109,6 +110,18 @@ static void bpf_flush_icache(void *start, void *end)

- 	set_fs(old_fs);

- }

- 

-+static void emit_memory_barrier(u8 **pprog)

-+{

-+	u8 *prog = *pprog;

-+	int cnt = 0;

-+

-+	if (bpf_jit_fence)

-+			EMIT3(0x0f, 0xae, 0xe8);

-+

-+	*pprog = prog;

-+	return;

-+}

-+

- #define CHOOSE_LOAD_FUNC(K, func) \

- 	((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)

- 

-@@ -400,7 +413,7 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,

- 			case BPF_ADD: b2 = 0x01; break;

- 			case BPF_SUB: b2 = 0x29; break;

- 			case BPF_AND: b2 = 0x21; break;

--			case BPF_OR: b2 = 0x09; break;

-+			case BPF_OR: b2 = 0x09; emit_memory_barrier(&prog); break;

- 			case BPF_XOR: b2 = 0x31; break;

- 			}

- 			if (BPF_CLASS(insn->code) == BPF_ALU64)

-@@ -647,6 +660,16 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,

- 		case BPF_ALU64 | BPF_RSH | BPF_X:

- 		case BPF_ALU64 | BPF_ARSH | BPF_X:

- 

-+			/* If blinding is enabled, each

-+			 * BPF_LD | BPF_IMM | BPF_DW instruction

-+			 * is converted to 4 eBPF instructions with

-+			 * BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32)

-+			 * always present(number 3). Detect such cases

-+			 * and insert memory barriers. */

-+			if ((BPF_CLASS(insn->code) == BPF_ALU64)

-+				&& (BPF_OP(insn->code) == BPF_LSH)

-+				&& (src_reg == BPF_REG_AX))

-+				emit_memory_barrier(&prog);

- 			/* check for bad case when dst_reg == rcx */

- 			if (dst_reg == BPF_REG_4) {

- 				/* mov r11, dst_reg */

-@@ -1124,6 +1147,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)

- 	if (!bpf_jit_enable)

- 		return orig_prog;

- 

-+	if (bpf_jit_fence_present() && bpf_jit_blinding_enabled())

-+		bpf_jit_fence = 1;

-+

- 	tmp = bpf_jit_blind_constants(prog);

- 	/* If blinding was requested and we failed during blinding,

- 	 * we must fall back to the interpreter.

-diff --git a/include/linux/filter.h b/include/linux/filter.h

-index 48ec57e..cba50a5 100644

-+++ b/include/linux/filter.h

-@@ -651,6 +651,16 @@ static inline bool bpf_jit_blinding_enabled(void)

- 

- 	return true;

- }

-+

-+static inline bool bpf_jit_fence_present(void)

-+{

-+	/* Check if lfence is present on CPU

-+	 */

-+	if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC))

-+		return true;

-+	return false;

-+}

-+

- #else

- static inline void bpf_jit_compile(struct bpf_prog *fp)

- {

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 7dd7ad0b13eb99b650d92ea3b1a2ca170a567216 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:41:27 +0300

-Subject: [PATCH 144/194] uvcvideo: prevent speculative execution

-

-Since the index value in function uvc_ioctl_enum_input()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-selector->baSourceID, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/media/usb/uvc/uvc_v4l2.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c

-index 3e7e283..65175bb 100644

-+++ b/drivers/media/usb/uvc/uvc_v4l2.c

-@@ -821,6 +821,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,

- 		}

- 		pin = iterm->id;

- 	} else if (index < selector->bNrInPins) {

-+		osb();

- 		pin = selector->baSourceID[index];

- 		list_for_each_entry(iterm, &chain->entities, chain) {

- 			if (!UVC_ENTITY_IS_ITERM(iterm))

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 9c2549c6adcafe2c2f35d44dc87ec23cc52a68b2 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:43:39 +0300

-Subject: [PATCH 145/194] carl9170: prevent speculative execution

-

-Since the queue value in function carl9170_op_conf_tx()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-ar9170_qmap and following ar->edcf, insert an observable

-speculation barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/net/wireless/ath/carl9170/main.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c

-index 988c885..cf267b7 100644

-+++ b/drivers/net/wireless/ath/carl9170/main.c

-@@ -1388,6 +1388,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,

- 

- 	mutex_lock(&ar->mutex);

- 	if (queue < ar->hw->queues) {

-+		osb();

- 		memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));

- 		ret = carl9170_set_qos(ar);

- 	} else {

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 07f7bcf24d303ec6d91d7da809f3b6e6760f8301 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:44:38 +0300

-Subject: [PATCH 146/194] p54: prevent speculative execution

-

-Since the queue value in function p54_conf_tx()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-priv->qos_params, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/net/wireless/intersil/p54/main.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c

-index d5a3bf9..3d20b47 100644

-+++ b/drivers/net/wireless/intersil/p54/main.c

-@@ -415,6 +415,7 @@ static int p54_conf_tx(struct ieee80211_hw *dev,

- 

- 	mutex_lock(&priv->conf_mutex);

- 	if (queue < dev->queues) {

-+		osb();

- 		P54_SET_QUEUE(priv->qos_params[queue], params->aifs,

- 			params->cw_min, params->cw_max, params->txop);

- 		ret = p54_set_edcf(priv);

-2.9.5

-

deleted file mode 100644

@@ -1,55 +0,0 @@

-From f7de96128d46f9d9ecad5c1ded3133e2da25f39c Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:45:35 +0300

-Subject: [PATCH 147/194] qla2xxx: prevent speculative execution

-

-Since the handle value in functions qlafx00_status_entry()

-and qlafx00_multistatus_entry() seems to be controllable

-by userspace and later on conditionally (upon bound check)

-used to resolve req->outstanding_cmds, insert an observable

-speculation barrier before its usage. This should prevent

-observable speculation on that branch and avoid kernel

-memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++----

- 1 file changed, 8 insertions(+), 4 deletions(-)

-

-diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c

-index e23a3d4..9090283 100644

-+++ b/drivers/scsi/qla2xxx/qla_mr.c

-@@ -2305,10 +2305,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)

- 	req = ha->req_q_map[que];

- 

- 	/* Validate handle. */

--	if (handle < req->num_outstanding_cmds)

-+	if (handle < req->num_outstanding_cmds) {

-+		osb();

- 		sp = req->outstanding_cmds[handle];

--	else

-+	} else {

- 		sp = NULL;

-+	}

- 

- 	if (sp == NULL) {

- 		ql_dbg(ql_dbg_io, vha, 0x3034,

-@@ -2656,10 +2658,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,

- 		req = ha->req_q_map[que];

- 

- 		/* Validate handle. */

--		if (handle < req->num_outstanding_cmds)

-+		if (handle < req->num_outstanding_cmds) {

-+			osb();

- 			sp = req->outstanding_cmds[handle];

--		else

-+		} else {

- 			sp = NULL;

-+		}

- 

- 		if (sp == NULL) {

- 			ql_dbg(ql_dbg_io, vha, 0x3044,

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 9a0dc9abad09792c93d099d5e92af5788c224791 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:46:21 +0300

-Subject: [PATCH 148/194] cw1200: prevent speculative execution

-

-Since the queue value in function cw1200_conf_tx()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used in

-WSM_TX_QUEUE_SET, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/net/wireless/st/cw1200/sta.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c

-index a522248..754fc43 100644

-+++ b/drivers/net/wireless/st/cw1200/sta.c

-@@ -619,6 +619,7 @@ int cw1200_conf_tx(struct ieee80211_hw *dev, struct ieee80211_vif *vif,

- 	mutex_lock(&priv->conf_mutex);

- 

- 	if (queue < dev->queues) {

-+		osb();

- 		old_uapsd_flags = le16_to_cpu(priv->uapsd_info.uapsd_flags);

- 

- 		WSM_TX_QUEUE_SET(&priv->tx_queue_params, queue, 0, 0, 0);

-2.9.5

-

deleted file mode 100644

@@ -1,47 +0,0 @@

-From d9542e2d9b4b1e4649f0c1ea13a1b5dcfc1e2674 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:47:12 +0300

-Subject: [PATCH 149/194] Thermal/int340x: prevent speculative execution

-

-Since the trip value in function int340x_thermal_get_trip_temp()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-d->aux_trips, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- drivers/thermal/int340x_thermal/int340x_thermal_zone.c | 11 ++++++-----

- 1 file changed, 6 insertions(+), 5 deletions(-)

-

-diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c

-index 145a5c53..d732b34 100644

-+++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c

-@@ -57,15 +57,16 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone,

- 	if (d->override_ops && d->override_ops->get_trip_temp)

- 		return d->override_ops->get_trip_temp(zone, trip, temp);

- 

--	if (trip < d->aux_trip_nr)

-+	if (trip < d->aux_trip_nr) {

-+		osb();

- 		*temp = d->aux_trips[trip];

--	else if (trip == d->crt_trip_id)

-+	} else if (trip == d->crt_trip_id) {

- 		*temp = d->crt_temp;

--	else if (trip == d->psv_trip_id)

-+	} else if (trip == d->psv_trip_id) {

- 		*temp = d->psv_temp;

--	else if (trip == d->hot_trip_id)

-+	} else if (trip == d->hot_trip_id) {

- 		*temp = d->hot_temp;

--	else {

-+	} else {

- 		for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) {

- 			if (d->act_trips[i].valid &&

- 			    d->act_trips[i].id == trip) {

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 9515f43ddd006464308b2796b63b7d6446d922b8 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 13 Dec 2017 10:16:07 +0200

-Subject: [PATCH 150/194] ipv4: prevent speculative execution

-

-Since the offset value in function raw_getfrag()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used in the following

-memcpy, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- net/ipv4/raw.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c

-index 33b70bf..c9d33f1 100644

-+++ b/net/ipv4/raw.c

-@@ -476,6 +476,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd,

- 	if (offset < rfv->hlen) {

- 		int copy = min(rfv->hlen - offset, len);

- 

-+		osb();

- 		if (skb->ip_summed == CHECKSUM_PARTIAL)

- 			memcpy(to, rfv->hdr.c + offset, copy);

- 		else

-2.9.5

-

deleted file mode 100644

@@ -1,33 +0,0 @@

-From 1ce83a2cfe57cec87a22e69b726e9547b4d830f8 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:48:35 +0300

-Subject: [PATCH 151/194] ipv6: prevent speculative execution

-

-Since the offset value in function raw6_getfrag()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used in the

-following memcpy, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- net/ipv6/raw.c | 1 +

- 1 file changed, 1 insertion(+)

-

-diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c

-index e4462b0..8794d92 100644

-+++ b/net/ipv6/raw.c

-@@ -729,6 +729,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,

- 	if (offset < rfv->hlen) {

- 		int copy = min(rfv->hlen - offset, len);

- 

-+		osb();

- 		if (skb->ip_summed == CHECKSUM_PARTIAL)

- 			memcpy(to, rfv->c + offset, copy);

- 		else

-2.9.5

-

deleted file mode 100644

@@ -1,34 +0,0 @@

-From 3e9a34c67e5376bedd9e79e6a7e16b01a01c8215 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:55:54 +0300

-Subject: [PATCH 153/194] net: mpls: prevent speculative execution

-

-Since the index value in function mpls_route_input_rcu()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-platform_label, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- net/mpls/af_mpls.c | 2 ++

- 1 file changed, 2 insertions(+)

-

-diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c

-index c5b9ce4..3bdf8d8 100644

-+++ b/net/mpls/af_mpls.c

-@@ -50,6 +50,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)

- 	if (index < net->mpls.platform_labels) {

- 		struct mpls_route __rcu **platform_label =

- 			rcu_dereference(net->mpls.platform_label);

-+

-+		osb();

- 		rt = rcu_dereference(platform_label[index]);

- 	}

- 	return rt;

-2.9.5

-

deleted file mode 100644

@@ -1,52 +0,0 @@

-From bbb72371d2212fe0526f1ae679d5d55fe51bd909 Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 13 Dec 2017 10:15:30 +0200

-Subject: [PATCH 154/194] udf: prevent speculative execution

-