@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.9.80

+Version:	4.9.89

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=1e815669d45b0e0ebfa14bfa9823e9795274f067

+%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967

 BuildArch:	noarch

 %description

 The Linux API Headers expose the kernel's API for use by Glibc.

@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1

+-   Update to version 4.9.89

 *   Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1

 -   Update to version 4.9.80

 *   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

@@ -1172,13 +1172,14 @@ index 9976fce..bf5f3e0 100644

 +CFLAGS_REMOVE_syscall_32.o = $(RAP_PLUGIN_ABS_CFLAGS)

 +CFLAGS_REMOVE_syscall_64.o = $(RAP_PLUGIN_ABS_CFLAGS)

 diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c

-index bdd9cc5..790badd 100644

+index b0cd306..f384da6 100644

 --- a/arch/x86/entry/common.c

 +++ b/arch/x86/entry/common.c

-@@ -277,9 +277,29 @@ __visible void do_syscall_64(struct pt_regs *regs)

- 	 * regs->orig_ax, which changes the behavior of some syscalls.

+@@ -279,9 +279,30 @@ __visible void do_syscall_64(struct pt_regs *regs)

  	 */

  	if (likely((nr & __SYSCALL_MASK) < NR_syscalls)) {

+ 		nr = array_index_nospec(nr & __SYSCALL_MASK, NR_syscalls);

++

 +#ifdef CONFIG_PAX_RAP

 +		asm volatile("movq %[param1],%%rdi\n\t"

 +			     "movq %[param2],%%rsi\n\t"

@@ -1189,7 +1190,7 @@ index bdd9cc5..790badd 100644

 +			     "call *%P[syscall]\n\t"

 +			     "mov %%rax,%[result]\n\t"

 +			: [result] "=m" (regs->ax)

-+			: [syscall] "m" (sys_call_table[nr & __SYSCALL_MASK]),

++			: [syscall] "m" (sys_call_table[nr]),

 +			  [param1] "m" (regs->di),

 +			  [param2] "m" (regs->si),

 +			  [param3] "m" (regs->dx),

@@ -1198,7 +1199,7 @@ index bdd9cc5..790badd 100644

 +			  [param6] "m" (regs->r9)

 +			: "ax", "di", "si", "dx", "cx", "r8", "r9", "r10", "r11", "memory");

 +#else

- 		regs->ax = sys_call_table[nr & __SYSCALL_MASK](

+ 		regs->ax = sys_call_table[nr](

  			regs->di, regs->si, regs->dx,

  			regs->r10, regs->r8, regs->r9);

 +#endif

@@ -4544,10 +4545,10 @@ index a260cde..1b99d3b 100644

  	int len = strlen(kmessage);

 diff --git a/drivers/video/console/dummycon.c b/drivers/video/console/dummycon.c

-index 9269d56..78d2a06 100644

+index b90ef96..12f6ec5 100644

 --- a/drivers/video/console/dummycon.c

 +++ b/drivers/video/console/dummycon.c

-@@ -41,12 +41,60 @@ static void dummycon_init(struct vc_data *vc, int init)

+@@ -41,12 +41,55 @@ static void dummycon_init(struct vc_data *vc, int init)

  	vc_resize(vc, DUMMY_COLUMNS, DUMMY_ROWS);

  }

@@ -4593,11 +4594,6 @@ index 9269d56..78d2a06 100644

 +    return 0;

 +}

 +

-+static int dummycon_font_get(struct vc_data *a, struct console_font *b)

-+{

-+    return 0;

-+}

-+

 +static int dummycon_font_default(struct vc_data *a, struct console_font *b , char *c)

 +{

 +    return 0;

@@ -4610,7 +4606,7 @@ index 9269d56..78d2a06 100644

  /*

   *  The console `switch' structure for the dummy console

-@@ -58,17 +106,17 @@ const struct consw dummy_con = {

+@@ -58,16 +101,16 @@ const struct consw dummy_con = {

      .owner =		THIS_MODULE,

      .con_startup =	dummycon_startup,

      .con_init =		dummycon_init,

@@ -4623,7 +4619,6 @@ index 9269d56..78d2a06 100644

 -    .con_switch =	DUMMY,

 -    .con_blank =	DUMMY,

 -    .con_font_set =	DUMMY,

--    .con_font_get =	DUMMY,

 -    .con_font_default =	DUMMY,

 -    .con_font_copy =	DUMMY,

 +    .con_deinit =	dummycon_deinit,

@@ -4635,7 +4630,6 @@ index 9269d56..78d2a06 100644

 +    .con_switch =	dummycon_switch,

 +    .con_blank =	dummycon_blank,

 +    .con_font_set =	dummycon_font_set,

-+    .con_font_get =	dummycon_font_get,

 +    .con_font_default =	dummycon_font_default,

 +    .con_font_copy =	dummycon_font_copy,

  };

@@ -30,24 +30,15 @@ index af4e581..3547f1f 100644

  .macro TRACE_IRQS_IRETQ

  #ifdef CONFIG_TRACE_IRQFLAGS

  	bt	$9, EFLAGS(%rsp)		/* interrupts off? */

-@@ -225,6 +235,8 @@ entry_SYSCALL_64_fastpath:

- 	testl	$_TIF_ALLWORK_MASK, TASK_TI_flags(%r11)

- 	jnz	1f

- 

-+	pax_rand_kstack

-+

- 	LOCKDEP_SYS_EXIT

- 	TRACE_IRQS_ON		/* user mode is traced as IRQs on */

- 	movq	RIP(%rsp), %rcx

-@@ -261,6 +273,8 @@ entry_SYSCALL64_slow_path:

+@@ -201,6 +201,8 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)

+ 	movq	%rsp, %rdi

  	call	do_syscall_64		/* returns with IRQs disabled */

- return_from_SYSCALL_64:

 +	pax_rand_kstack

 +

+ 	RESTORE_EXTRA_REGS

  	TRACE_IRQS_IRETQ		/* we're about to change IF */

- 	/*

 @@ -449,6 +463,7 @@ ENTRY(ret_from_fork)

  2:

  	movq	%rsp, %rdi

@@ -36,12 +36,13 @@ index 1a87443..ea4a86e 100644

  	WARN_ON(xen_cpuhp_setup());

  	xen_unplug_emulated_devices();

 diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c

-index 7f664c4..a88065e 100644

+index 4ecd0de..8ad0c96 100644

 --- a/arch/x86/xen/suspend.c

 +++ b/arch/x86/xen/suspend.c

-@@ -1,14 +1,19 @@

+@@ -1,17 +1,22 @@

  #include <linux/types.h>

  #include <linux/tick.h>

+ #include <linux/percpu-defs.h>

 +#include <linux/syscore_ops.h>

 +#include <linux/kernel_stat.h>

@@ -52,6 +53,8 @@ index 7f664c4..a88065e 100644

  #include <xen/events.h>

 +#include <xen/xen-ops.h>

+ #include <asm/cpufeatures.h>

+ #include <asm/msr-index.h>

  #include <asm/xen/hypercall.h>

  #include <asm/xen/page.h>

  #include <asm/fixmap.h>

deleted file mode 100644

@@ -1,37 +0,0 @@

-commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76

-Author: Mohamed Ghannam <simo.ghannam@gmail.com>

-Date:   Tue Dec 5 20:58:35 2017 +0000

-

-    dccp: CVE-2017-8824: use-after-free in DCCP code

-

-    Whenever the sock object is in DCCP_CLOSED state,

-    dccp_disconnect() must free dccps_hc_tx_ccid and

-    dccps_hc_rx_ccid and set to NULL.

-

-    Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>

-    Reviewed-by: Eric Dumazet <edumazet@google.com>

-    Signed-off-by: David S. Miller <davem@davemloft.net>

-

-diff --git a/net/dccp/proto.c b/net/dccp/proto.c

-index b68168f..9d43c1f 100644

-+++ b/net/dccp/proto.c

-@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)

- {

- 	struct inet_connection_sock *icsk = inet_csk(sk);

- 	struct inet_sock *inet = inet_sk(sk);

-+	struct dccp_sock *dp = dccp_sk(sk);

- 	int err = 0;

- 	const int old_state = sk->sk_state;

- 

-@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)

- 		sk->sk_err = ECONNRESET;

- 

- 	dccp_clear_xmit_timers(sk);

-+	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);

-+	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);

-+	dp->dccps_hc_rx_ccid = NULL;

-+	dp->dccps_hc_tx_ccid = NULL;

- 

- 	__skb_queue_purge(&sk->sk_receive_queue);

- 	__skb_queue_purge(&sk->sk_write_queue);

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-aws

-Version:        4.9.80

-Release:        4%{?kat_build:.%kat_build}%{?dist}

+Version:        4.9.89

+Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=1e815669d45b0e0ebfa14bfa9823e9795274f067

+%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967

 Source1:	config-aws

 Source2:	initramfs.trigger

 # common

@@ -42,8 +42,6 @@ Patch25:        0002-allow-also-ecb-cipher_null.patch

 Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 # Fix CVE-2017-1000252

 Patch28:        kvm-dont-accept-wrong-gsi-values.patch

-# Fix CVE-2017-8824

-Patch29:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

 Patch32:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -57,12 +55,9 @@ Patch59: 0148-cw1200-prevent-speculative-execution.patch

 Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

 Patch61: 0150-ipv4-prevent-speculative-execution.patch

 Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch63: 0152-fs-prevent-speculative-execution.patch

 Patch64: 0153-net-mpls-prevent-speculative-execution.patch

 Patch65: 0154-udf-prevent-speculative-execution.patch

 Patch66: 0155-userns-prevent-speculative-execution.patch

-Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

-Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch

 # Amazon AWS

 Patch101: 0002-lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch

 Patch102: 0009-bump-the-default-TTL-to-255.patch

@@ -206,7 +201,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch25 -p1

 %patch26 -p1

 %patch28 -p1

-%patch29 -p1

 %patch32 -p1

 %patch52 -p1

@@ -220,12 +214,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch60 -p1

 %patch61 -p1

 %patch62 -p1

-%patch63 -p1

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-%patch67 -p1

-%patch68 -p1

 %patch101 -p1

 %patch102 -p1

@@ -430,6 +421,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1

+-   Update to version 4.9.89

 *   Fri Mar 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-4

 -   Tweak config options to fix issues on AWS.

 *   Thu Mar 1 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-3

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-esx

-Version:        4.9.80

+Version:        4.9.89

 Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=1e815669d45b0e0ebfa14bfa9823e9795274f067

+%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967

 Source1:        config-esx

 Source2:        initramfs.trigger

 # common

@@ -39,8 +39,6 @@ Patch22:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.pat

 # Fix CVE-2017-1000252

 Patch24:        kvm-dont-accept-wrong-gsi-values.patch

 Patch25:        init-do_mounts-recreate-dev-root.patch

-# Fix CVE-2017-8824

-Patch26:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

 Patch29:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -54,12 +52,9 @@ Patch59: 0148-cw1200-prevent-speculative-execution.patch

 Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

 Patch61: 0150-ipv4-prevent-speculative-execution.patch

 Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch63: 0152-fs-prevent-speculative-execution.patch

 Patch64: 0153-net-mpls-prevent-speculative-execution.patch

 Patch65: 0154-udf-prevent-speculative-execution.patch

 Patch66: 0155-userns-prevent-speculative-execution.patch

-Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

-Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch

 BuildRequires: bc

 BuildRequires: kbd

@@ -121,7 +116,6 @@ The Linux package contains the Linux kernel doc files

 %patch22 -p1

 %patch24 -p1

 %patch25 -p1

-%patch26 -p1

 %patch29 -p1

 %patch52 -p1

@@ -135,12 +129,9 @@ The Linux package contains the Linux kernel doc files

 %patch60 -p1

 %patch61 -p1

 %patch62 -p1

-%patch63 -p1

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-%patch67 -p1

-%patch68 -p1

 %build

 # patch vmw_balloon driver

@@ -237,6 +228,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1

+-   Update to version 4.9.89

 *   Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1

 -   Update to version 4.9.80

 *   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-secure

-Version:        4.9.80

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Version:        4.9.89

+Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=1e815669d45b0e0ebfa14bfa9823e9795274f067

+%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967

 Source1:        config-secure

 Source2:        aufs4.9.tar.gz

 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906

@@ -48,8 +48,6 @@ Patch28:        0002-allow-also-ecb-cipher_null.patch

 Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 # Fix CVE-2017-1000252

 Patch31:        kvm-dont-accept-wrong-gsi-values.patch

-# Fix CVE-2017-8824

-Patch32:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

 Patch35:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -63,12 +61,9 @@ Patch59: 0148-cw1200-prevent-speculative-execution.patch

 Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

 Patch61: 0150-ipv4-prevent-speculative-execution.patch

 Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch63: 0152-fs-prevent-speculative-execution.patch

 Patch64: 0153-net-mpls-prevent-speculative-execution.patch

 Patch65: 0154-udf-prevent-speculative-execution.patch

 Patch66: 0155-userns-prevent-speculative-execution.patch

-Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

-Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch

 # NSX requirements (should be removed)

 Patch99:        LKCM.patch

@@ -174,7 +169,6 @@ EOF

 %patch28 -p1

 %patch29 -p1

 %patch31 -p1

-%patch32 -p1

 %patch35 -p1

 # spectre

@@ -189,12 +183,9 @@ EOF

 %patch60 -p1

 %patch61 -p1

 %patch62 -p1

-%patch63 -p1

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-%patch67 -p1

-%patch68 -p1

 # secure

 %patch13 -p1

@@ -326,7 +317,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

-*   Mon Mar 18 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.80-2

+*   Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1

+-   Update to version 4.9.89

+*   Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.80-2

 -   Extra hardening: slab_nomerge, disable /proc/kcore

 *   Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1

 -   Update to version 4.9.80

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:        4.9.80

+Version:        4.9.89

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=1e815669d45b0e0ebfa14bfa9823e9795274f067

+%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967

 Source1:	config

 Source2:	initramfs.trigger

 %define ena_version 1.1.3

@@ -45,8 +45,6 @@ Patch25:        0002-allow-also-ecb-cipher_null.patch

 Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 # Fix CVE-2017-1000252

 Patch28:        kvm-dont-accept-wrong-gsi-values.patch

-# Fix CVE-2017-8824

-Patch29:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

 Patch32:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -60,12 +58,9 @@ Patch59: 0148-cw1200-prevent-speculative-execution.patch

 Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

 Patch61: 0150-ipv4-prevent-speculative-execution.patch

 Patch62: 0151-ipv6-prevent-speculative-execution.patch

-Patch63: 0152-fs-prevent-speculative-execution.patch

 Patch64: 0153-net-mpls-prevent-speculative-execution.patch

 Patch65: 0154-udf-prevent-speculative-execution.patch

 Patch66: 0155-userns-prevent-speculative-execution.patch

-Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

-Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch

 %if 0%{?kat_build:1}

 Patch1000:	%{kat_build}.patch

@@ -164,7 +159,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch25 -p1

 %patch26 -p1

 %patch28 -p1

-%patch29 -p1

 %patch32 -p1

 %patch52 -p1

@@ -178,12 +172,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch60 -p1

 %patch61 -p1

 %patch62 -p1

-%patch63 -p1

 %patch64 -p1

 %patch65 -p1

 %patch66 -p1

-%patch67 -p1

-%patch68 -p1

 %if 0%{?kat_build:1}

 %patch1000 -p1

@@ -351,6 +342,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1

+-   Update to version 4.9.89

 *   Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1

 -   Update to version 4.9.80

 *   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

deleted file mode 100644

@@ -1,37 +0,0 @@

-From d7ca466502c0427749f64a6bdb47d96f848bf72d Mon Sep 17 00:00:00 2001

-From: Elena Reshetova <elena.reshetova@intel.com>

-Date: Wed, 30 Aug 2017 13:52:22 +0300

-Subject: [PATCH 152/194] fs: prevent speculative execution

-

-Since the fd value in function __fcheck_files()

-seems to be controllable by userspace and later on

-conditionally (upon bound check) used to resolve

-fdt->fd, insert an observable speculation

-barrier before its usage. This should prevent

-observable speculation on that branch and avoid

-kernel memory leak.

-

-Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

- include/linux/fdtable.h | 4 +++-

- 1 file changed, 3 insertions(+), 1 deletion(-)

-

-diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h

-index 1c65817..dbc1200 100644

-+++ b/include/linux/fdtable.h

-@@ -82,8 +82,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i

- {

- 	struct fdtable *fdt = rcu_dereference_raw(files->fdt);

- 

--	if (fd < fdt->max_fds)

-+	if (fd < fdt->max_fds) {

-+		osb();

- 		return rcu_dereference_raw(fdt->fd[fd]);

-+	}

- 	return NULL;

- }

- 

-2.9.5

-

deleted file mode 100644

@@ -1,84 +0,0 @@

-From 632c8d1eaacb69fb0e8ed5c6d8e19e4f69a17554 Mon Sep 17 00:00:00 2001

-From: Tim Chen <tim.c.chen@linux.intel.com>

-Date: Tue, 19 Sep 2017 15:21:40 -0700

-Subject: [PATCH 169/194] x86/syscall: Clear unused extra registers on syscall

- entrance

-

-To prevent the unused registers %r12-%r15, %rbp and %rbx from

-being used speculatively, we clear them upon syscall entrance

-for code hygiene.

- arch/x86/entry/calling.h  | 19 +++++++++++++++++++

- arch/x86/entry/entry_64.S | 13 ++++++++++---

- 2 files changed, 29 insertions(+), 3 deletions(-)

-

- Removed arch/x86/entry/calling.h changes, as it's in 4.9 upstream already

-

-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S

-index af4e581..9e31419 100644

-+++ b/arch/x86/entry/entry_64.S

-@@ -176,7 +176,14 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)

- 	pushq	%r9				/* pt_regs->r9 */

- 	pushq	%r10				/* pt_regs->r10 */

- 	pushq	%r11				/* pt_regs->r11 */

--	sub	$(6*8), %rsp			/* pt_regs->bp, bx, r12-15 not saved */

-+	sub	$(6*8), %rsp			/* pt_regs->bp, bx, r12-15 not used */

-+

-+	/*

-+	 * Clear the unused extra regs for code hygiene.

-+	 * Will restore the callee saved extra regs at end of syscall.

-+	 */

-+	SAVE_EXTRA_REGS

-+	ZERO_EXTRA_REGS

- 

- 	/*

- 	 * If we need to do entry work or if we guess we'll need to do

-@@ -229,6 +236,7 @@ entry_SYSCALL_64_fastpath:

- 	TRACE_IRQS_ON		/* user mode is traced as IRQs on */

- 	movq	RIP(%rsp), %rcx

- 	movq	EFLAGS(%rsp), %r11

-+	RESTORE_EXTRA_REGS

- 	RESTORE_C_REGS_EXCEPT_RCX_R11

- 	/*

- 	 * This opens a window where we have a user CR3, but are

-@@ -249,19 +257,16 @@ entry_SYSCALL_64_fastpath:

- 	 */

- 	TRACE_IRQS_ON

- 	ENABLE_INTERRUPTS(CLBR_NONE)

--	SAVE_EXTRA_REGS

- 	movq	%rsp, %rdi

- 	call	syscall_return_slowpath	/* returns with IRQs disabled */

- 	jmp	return_from_SYSCALL_64

- 

- entry_SYSCALL64_slow_path:

- 	/* IRQs are off. */

--	SAVE_EXTRA_REGS

- 	movq	%rsp, %rdi

- 	call	do_syscall_64		/* returns with IRQs disabled */

- 

- return_from_SYSCALL_64:

--	RESTORE_EXTRA_REGS

- 	TRACE_IRQS_IRETQ		/* we're about to change IF */

- 

- 	/*

-@@ -331,6 +336,7 @@ return_from_SYSCALL_64:

- 	 * perf profiles. Nothing jumps here.

- 	 */

- syscall_return_via_sysret:

-+	RESTORE_EXTRA_REGS

- 	/* rcx and r11 are already restored (see code above) */

- 	RESTORE_C_REGS_EXCEPT_RCX_R11

- 	/*

-@@ -354,7 +360,7 @@ opportunistic_sysret_failed:

- 	 */

- 	SWITCH_USER_CR3

- 	SWAPGS

--	jmp	restore_c_regs_and_iret

-+	jmp	restore_regs_and_iret

- END(entry_SYSCALL_64)

- 

- ENTRY(stub_ptregs_64)

-2.9.5

-

deleted file mode 100644

@@ -1,101 +0,0 @@

-From 2c536e1e9227a94ce8f3fb8e52591a1c4b9e3975 Mon Sep 17 00:00:00 2001

-From: Tim Chen <tim.c.chen@linux.intel.com>

-Date: Fri, 15 Sep 2017 19:41:24 -0700

-Subject: [PATCH 170/194] x86/syscall: Clear unused extra registers on 32-bit

- compatible syscall entrance

-

-To prevent the unused registers %r8-%r15, from being used speculatively,

-we clear them upon syscall entrance for code hygiene in 32 bit compatible

-mode.

-

-Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>

- arch/x86/entry/calling.h         | 11 +++++++++++

- arch/x86/entry/entry_64_compat.S | 18 ++++++++++++++----

- 2 files changed, 25 insertions(+), 4 deletions(-)

-

-diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h

-index 9a9e588..1439429 100644

-+++ b/arch/x86/entry/calling.h

-@@ -129,6 +129,17 @@ For 32-bit we have the following conventions - kernel is built with

- 	SAVE_C_REGS_HELPER 0, 0, 0, 1, 0

- 	.endm

- 

-+	.macro CLEAR_R8_TO_R15

-+	xorq %r15, %r15

-+	xorq %r14, %r14

-+	xorq %r13, %r13

-+	xorq %r12, %r12

-+	xorq %r11, %r11

-+	xorq %r10, %r10

-+	xorq %r9, %r9

-+	xorq %r8, %r8

-+	.endm

-+

- 	.macro SAVE_EXTRA_REGS offset=0

- 	movq %r15, 0*8+\offset(%rsp)

- 	movq %r14, 1*8+\offset(%rsp)

-diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S

-index d76a976..9217245 100644

-+++ b/arch/x86/entry/entry_64_compat.S

-@@ -88,12 +88,14 @@ ENTRY(entry_SYSENTER_compat)

- 	pushq   $0			/* pt_regs->r11 = 0 */

- 	pushq   %rbx                    /* pt_regs->rbx */

- 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */

--	pushq   $0			/* pt_regs->r12 = 0 */

--	pushq   $0			/* pt_regs->r13 = 0 */

--	pushq   $0			/* pt_regs->r14 = 0 */

--	pushq   $0			/* pt_regs->r15 = 0 */

-+	pushq   %r12                    /* pt_regs->r12 */

-+	pushq   %r13                    /* pt_regs->r13 */

-+	pushq   %r14                    /* pt_regs->r14 */

-+	pushq   %r15                    /* pt_regs->r15 */

- 	cld

- 

-+	CLEAR_R8_TO_R15

-+

- 	/*

- 	 * SYSENTER doesn't filter flags, so we need to clear NT and AC

- 	 * ourselves.  To save a few cycles, we can check whether

-@@ -214,10 +217,12 @@ ENTRY(entry_SYSCALL_compat)

- 	pushq   $0			/* pt_regs->r11 = 0 */

- 	pushq   %rbx                    /* pt_regs->rbx */

- 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */

--	pushq   $0			/* pt_regs->r12 = 0 */

--	pushq   $0			/* pt_regs->r13 = 0 */

--	pushq   $0			/* pt_regs->r14 = 0 */

--	pushq   $0			/* pt_regs->r15 = 0 */

-+	pushq   %r12                    /* pt_regs->r12 */

-+	pushq   %r13                    /* pt_regs->r13 */

-+	pushq   %r14                    /* pt_regs->r14 */

-+	pushq   %r15                    /* pt_regs->r15 */

-+

-+	CLEAR_R8_TO_R15

- 

- 	/*

- 	 * User mode is traced as though IRQs are on, and SYSENTER

-@@ -234,6 +238,10 @@ ENTRY(entry_SYSCALL_compat)

- 	/* Opportunistic SYSRET */

- sysret32_from_system_call:

- 	TRACE_IRQS_ON			/* User mode traces as IRQs on. */

-+	movq    R15(%rsp), %r15         /* pt_regs->r15 */

-+	movq    R14(%rsp), %r14         /* pt_regs->r14 */

-+	movq    R13(%rsp), %r13         /* pt_regs->r13 */

-+	movq    R12(%rsp), %r12         /* pt_regs->r12 */

- 	movq	RBX(%rsp), %rbx		/* pt_regs->rbx */

- 	movq	RBP(%rsp), %rbp		/* pt_regs->rbp */

- 	movq	EFLAGS(%rsp), %r11	/* pt_regs->flags (in r11) */

-@@ -331,6 +339,8 @@ ENTRY(entry_INT80_compat)

- 	pushq   %r15                    /* pt_regs->r15 */

- 	cld

- 

-+	CLEAR_R8_TO_R15

-+

- 	/*

- 	 * User mode is traced as though IRQs are on, and the interrupt

- 	 * gate turned them off.

-2.9.5

-