@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.139

+Version:	4.4.140

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ce4028904ab97c1942cc1c1b917520065529dc34

+%define sha1 linux=55dc1299e981cb4ef8ef0c92a4df52c2f4df4835

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Jul 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.140-1

+-   Update to version 4.4.140

 *   Tue Jul 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-1

 -   Update to version 4.4.139

 *   Mon Jun 25 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.138-1

new file mode 100644

@@ -0,0 +1,166 @@

+From e61ebdeb4893582189c03ac2e86ff6c1b2ccb03b Mon Sep 17 00:00:00 2001

+From: Jaegeuk Kim <jaegeuk@kernel.org>

+Date: Sat, 2 Jan 2016 09:19:41 -0800

+Subject: [PATCH 1/4] f2fs: cover more area with nat_tree_lock

+

+commit a51311938e14c17f5a94d30baac9d7bec71f5858 upstream.

+

+There was a subtle bug on nat cache management which incurs wrong nid allocation

+or wrong block addresses when try_to_free_nats is triggered heavily.

+This patch enlarges the previous coverage of nat_tree_lock to avoid data race.

+

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/f2fs/node.c | 29 ++++++++++++-----------------

+ 1 file changed, 12 insertions(+), 17 deletions(-)

+

+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c

+index 7bcbc6e..8f6784f 100644

+--- a/fs/f2fs/node.c

+@@ -261,13 +261,11 @@ static void cache_nat_entry(struct f2fs_nm_info *nm_i, nid_t nid,

+ {

+ 	struct nat_entry *e;

+ 

+-	down_write(&nm_i->nat_tree_lock);

+ 	e = __lookup_nat_cache(nm_i, nid);

+ 	if (!e) {

+ 		e = grab_nat_entry(nm_i, nid);

+ 		node_info_from_raw_nat(&e->ni, ne);

+ 	}

+-	up_write(&nm_i->nat_tree_lock);

+ }

+ 

+ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni,

+@@ -379,6 +377,8 @@ void get_node_info(struct f2fs_sb_info *sbi, nid_t nid, struct node_info *ni)

+ 

+ 	memset(&ne, 0, sizeof(struct f2fs_nat_entry));

+ 

++	down_write(&nm_i->nat_tree_lock);

++

+ 	/* Check current segment summary */

+ 	mutex_lock(&curseg->curseg_mutex);

+ 	i = lookup_journal_in_cursum(sum, NAT_JOURNAL, nid, 0);

+@@ -399,6 +399,7 @@ void get_node_info(struct f2fs_sb_info *sbi, nid_t nid, struct node_info *ni)

+ cache:

+ 	/* cache nat entry */

+ 	cache_nat_entry(NM_I(sbi), nid, &ne);

++	up_write(&nm_i->nat_tree_lock);

+ }

+ 

+ /*

+@@ -1440,13 +1441,10 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ 

+ 	if (build) {

+ 		/* do not add allocated nids */

+-		down_read(&nm_i->nat_tree_lock);

+ 		ne = __lookup_nat_cache(nm_i, nid);

+-		if (ne &&

+-			(!get_nat_flag(ne, IS_CHECKPOINTED) ||

++		if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||

+ 				nat_get_blkaddr(ne) != NULL_ADDR))

+ 			allocated = true;

+-		up_read(&nm_i->nat_tree_lock);

+ 		if (allocated)

+ 			return 0;

+ 	}

+@@ -1532,6 +1530,8 @@ static void build_free_nids(struct f2fs_sb_info *sbi)

+ 	ra_meta_pages(sbi, NAT_BLOCK_OFFSET(nid), FREE_NID_PAGES,

+ 							META_NAT, true);

+ 

++	down_read(&nm_i->nat_tree_lock);

++

+ 	while (1) {

+ 		struct page *page = get_current_nat_page(sbi, nid);

+ 

+@@ -1560,6 +1560,7 @@ static void build_free_nids(struct f2fs_sb_info *sbi)

+ 			remove_free_nid(nm_i, nid);

+ 	}

+ 	mutex_unlock(&curseg->curseg_mutex);

++	up_read(&nm_i->nat_tree_lock);

+ 

+ 	ra_meta_pages(sbi, NAT_BLOCK_OFFSET(nm_i->next_scan_nid),

+ 					nm_i->ra_nid_pages, META_NAT, false);

+@@ -1842,14 +1843,12 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)

+ 

+ 		raw_ne = nat_in_journal(sum, i);

+ 

+-		down_write(&nm_i->nat_tree_lock);

+ 		ne = __lookup_nat_cache(nm_i, nid);

+ 		if (!ne) {

+ 			ne = grab_nat_entry(nm_i, nid);

+ 			node_info_from_raw_nat(&ne->ni, &raw_ne);

+ 		}

+ 		__set_nat_cache_dirty(nm_i, ne);

+-		up_write(&nm_i->nat_tree_lock);

+ 	}

+ 	update_nats_in_cursum(sum, -i);

+ 	mutex_unlock(&curseg->curseg_mutex);

+@@ -1883,7 +1882,6 @@ static void __flush_nat_entry_set(struct f2fs_sb_info *sbi,

+ 	struct f2fs_nat_block *nat_blk;

+ 	struct nat_entry *ne, *cur;

+ 	struct page *page = NULL;

+-	struct f2fs_nm_info *nm_i = NM_I(sbi);

+ 

+ 	/*

+ 	 * there are two steps to flush nat entries:

+@@ -1920,12 +1918,8 @@ static void __flush_nat_entry_set(struct f2fs_sb_info *sbi,

+ 			raw_ne = &nat_blk->entries[nid - start_nid];

+ 		}

+ 		raw_nat_from_node_info(raw_ne, &ne->ni);

+-

+-		down_write(&NM_I(sbi)->nat_tree_lock);

+ 		nat_reset_flag(ne);

+ 		__clear_nat_cache_dirty(NM_I(sbi), ne);

+-		up_write(&NM_I(sbi)->nat_tree_lock);

+-

+ 		if (nat_get_blkaddr(ne) == NULL_ADDR)

+ 			add_free_nid(sbi, nid, false);

+ 	}

+@@ -1937,9 +1931,7 @@ static void __flush_nat_entry_set(struct f2fs_sb_info *sbi,

+ 

+ 	f2fs_bug_on(sbi, set->entry_cnt);

+ 

+-	down_write(&nm_i->nat_tree_lock);

+ 	radix_tree_delete(&NM_I(sbi)->nat_set_root, set->set);

+-	up_write(&nm_i->nat_tree_lock);

+ 	kmem_cache_free(nat_entry_set_slab, set);

+ }

+ 

+@@ -1959,6 +1951,9 @@ void flush_nat_entries(struct f2fs_sb_info *sbi)

+ 

+ 	if (!nm_i->dirty_nat_cnt)

+ 		return;

++

++	down_write(&nm_i->nat_tree_lock);

++

+ 	/*

+ 	 * if there are no enough space in journal to store dirty nat

+ 	 * entries, remove all entries from journal and merge them

+@@ -1967,7 +1962,6 @@ void flush_nat_entries(struct f2fs_sb_info *sbi)

+ 	if (!__has_cursum_space(sum, nm_i->dirty_nat_cnt, NAT_JOURNAL))

+ 		remove_nats_in_journal(sbi);

+ 

+-	down_write(&nm_i->nat_tree_lock);

+ 	while ((found = __gang_lookup_nat_set(nm_i,

+ 					set_idx, SETVEC_SIZE, setvec))) {

+ 		unsigned idx;

+@@ -1976,12 +1970,13 @@ void flush_nat_entries(struct f2fs_sb_info *sbi)

+ 			__adjust_nat_entry_set(setvec[idx], &sets,

+ 							MAX_NAT_JENTRIES(sum));

+ 	}

+-	up_write(&nm_i->nat_tree_lock);

+ 

+ 	/* flush dirty nats in nat entry set */

+ 	list_for_each_entry_safe(set, tmp, &sets, set_list)

+ 		__flush_nat_entry_set(sbi, set);

+ 

++	up_write(&nm_i->nat_tree_lock);

++

+ 	f2fs_bug_on(sbi, nm_i->dirty_nat_cnt);

+ }

+ 

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,50 @@

+From 55160d13998452c3a9f60234d6c9cc10c1098ead Mon Sep 17 00:00:00 2001

+From: Jaegeuk Kim <jaegeuk@kernel.org>

+Date: Sat, 2 Jan 2016 09:23:27 -0800

+Subject: [PATCH 2/4] Revert "f2fs: check the node block address of newly

+ allocated nid"

+

+commit 957efb0c2144cc5ff1795f43bf2d2ca430eaa227 upstream.

+

+Original issue is fixed by:

+

+  f2fs: cover more area with nat_tree_lock

+

+This reverts commit 24928634f81b1592e83b37dcd89ed45c28f12feb.

+

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/f2fs/node.c | 9 ---------

+ 1 file changed, 9 deletions(-)

+

+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c

+index 8f6784f..5ff9224 100644

+--- a/fs/f2fs/node.c

+@@ -1583,8 +1583,6 @@ retry:

+ 

+ 	/* We should not use stale free nids created by build_free_nids */

+ 	if (nm_i->fcnt && !on_build_free_nids(nm_i)) {

+-		struct node_info ni;

+-

+ 		f2fs_bug_on(sbi, list_empty(&nm_i->free_nid_list));

+ 		list_for_each_entry(i, &nm_i->free_nid_list, list)

+ 			if (i->state == NID_NEW)

+@@ -1595,13 +1593,6 @@ retry:

+ 		i->state = NID_ALLOC;

+ 		nm_i->fcnt--;

+ 		spin_unlock(&nm_i->free_nid_list_lock);

+-

+-		/* check nid is allocated already */

+-		get_node_info(sbi, *nid, &ni);

+-		if (ni.blk_addr != NULL_ADDR) {

+-			alloc_nid_done(sbi, *nid);

+-			goto retry;

+-		}

+ 		return true;

+ 	}

+ 	spin_unlock(&nm_i->free_nid_list_lock);

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,39 @@

+From 6dc3cc6deeb03e181fcac1f57fd55deebc234873 Mon Sep 17 00:00:00 2001

+From: Jaegeuk Kim <jaegeuk@kernel.org>

+Date: Wed, 4 May 2016 09:58:10 -0700

+Subject: [PATCH 3/4] f2fs: remove an obsolete variable

+

+commit fb58ae22067e0595d974e3d856522c1ed6d2d7bf upstream.

+

+This patch removes an obsolete variable used in add_free_nid.

+

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/f2fs/node.c | 3 ---

+ 1 file changed, 3 deletions(-)

+

+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c

+index 5ff9224..1b10cd3 100644

+--- a/fs/f2fs/node.c

+@@ -1430,7 +1430,6 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ 	struct f2fs_nm_info *nm_i = NM_I(sbi);

+ 	struct free_nid *i;

+ 	struct nat_entry *ne;

+-	bool allocated = false;

+ 

+ 	if (!available_free_memory(sbi, FREE_NIDS))

+ 		return -1;

+@@ -1444,8 +1443,6 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ 		ne = __lookup_nat_cache(nm_i, nid);

+ 		if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||

+ 				nat_get_blkaddr(ne) != NULL_ADDR))

+-			allocated = true;

+-		if (allocated)

+ 			return 0;

+ 	}

+ 

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,146 @@

+From 60594341975112eb05e84ecbf319f99db268548e Mon Sep 17 00:00:00 2001

+From: Chao Yu <yuchao0@huawei.com>

+Date: Wed, 22 Mar 2017 14:45:05 +0800

+Subject: [PATCH 4/4] f2fs: fix race condition in between free nid

+ allocator/initializer

+

+commit 30a61ddf8117c26ac5b295e1233eaa9629a94ca3 upstream.

+

+In below concurrent case, allocated nid can be loaded into free nid cache

+and be allocated again.

+

+Thread A				Thread B

+- f2fs_create

+ - f2fs_new_inode

+  - alloc_nid

+   - __insert_nid_to_list(ALLOC_NID_LIST)

+					- f2fs_balance_fs_bg

+					 - build_free_nids

+					  - __build_free_nids

+					   - scan_nat_page

+					    - add_free_nid

+					     - __lookup_nat_cache

+ - f2fs_add_link

+  - init_inode_metadata

+   - new_inode_page

+    - new_node_page

+     - set_node_addr

+ - alloc_nid_done

+  - __remove_nid_from_list(ALLOC_NID_LIST)

+					     - __insert_nid_to_list(FREE_NID_LIST)

+

+This patch makes nat cache lookup and free nid list operation being atomical

+to avoid this race condition.

+

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Chao Yu <yuchao0@huawei.com>

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+[ Srivatsa: Backported to 4.4.y ]

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/f2fs/node.c | 72 +++++++++++++++++++++++++++++++++++++++++-----------------

+ 1 file changed, 51 insertions(+), 21 deletions(-)

+

+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c

+index 1b10cd3..53a023b 100644

+--- a/fs/f2fs/node.c

+@@ -1428,8 +1428,10 @@ static void __del_from_free_nid_list(struct f2fs_nm_info *nm_i,

+ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ {

+ 	struct f2fs_nm_info *nm_i = NM_I(sbi);

+-	struct free_nid *i;

++	struct free_nid *i, *e;

+ 	struct nat_entry *ne;

++	int err = -EINVAL;

++	int ret = 0;

+ 

+ 	if (!available_free_memory(sbi, FREE_NIDS))

+ 		return -1;

+@@ -1438,35 +1440,63 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)

+ 	if (unlikely(nid == 0))

+ 		return 0;

+ 

+-	if (build) {

+-		/* do not add allocated nids */

+-		ne = __lookup_nat_cache(nm_i, nid);

+-		if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||

+-				nat_get_blkaddr(ne) != NULL_ADDR))

+-			return 0;

+-	}

+-

+ 	i = f2fs_kmem_cache_alloc(free_nid_slab, GFP_NOFS);

+ 	i->nid = nid;

+ 	i->state = NID_NEW;

+ 

+-	if (radix_tree_preload(GFP_NOFS)) {

+-		kmem_cache_free(free_nid_slab, i);

+-		return 0;

+-	}

++	if (radix_tree_preload(GFP_NOFS))

++		goto err;

+ 

+ 	spin_lock(&nm_i->free_nid_list_lock);

+-	if (radix_tree_insert(&nm_i->free_nid_root, i->nid, i)) {

+-		spin_unlock(&nm_i->free_nid_list_lock);

+-		radix_tree_preload_end();

+-		kmem_cache_free(free_nid_slab, i);

+-		return 0;

++

++	if (build) {

++

++		/*

++		 *   Thread A             Thread B

++		 *  - f2fs_create

++		 *   - f2fs_new_inode

++		 *    - alloc_nid

++		 *     - __insert_nid_to_list(ALLOC_NID_LIST)

++		 *                     - f2fs_balance_fs_bg

++		 *                      - build_free_nids

++		 *                       - __build_free_nids

++		 *                        - scan_nat_page

++		 *                         - add_free_nid

++		 *                          - __lookup_nat_cache

++		 *  - f2fs_add_link

++		 *   - init_inode_metadata

++		 *    - new_inode_page

++		 *     - new_node_page

++		 *      - set_node_addr

++		 *  - alloc_nid_done

++		 *   - __remove_nid_from_list(ALLOC_NID_LIST)

++		 *                         - __insert_nid_to_list(FREE_NID_LIST)

++		 */

++		ne = __lookup_nat_cache(nm_i, nid);

++		if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||

++				nat_get_blkaddr(ne) != NULL_ADDR))

++			goto err_out;

++

++		e = __lookup_free_nid_list(nm_i, nid);

++		if (e) {

++			if (e->state == NID_NEW)

++				ret = 1;

++			goto err_out;

++		}

++	}

++	ret = 1;

++	err = radix_tree_insert(&nm_i->free_nid_root, i->nid, i);

++	if (!err) {

++		list_add_tail(&i->list, &nm_i->free_nid_list);

++		nm_i->fcnt++;

+ 	}

+-	list_add_tail(&i->list, &nm_i->free_nid_list);

+-	nm_i->fcnt++;

++err_out:

+ 	spin_unlock(&nm_i->free_nid_list_lock);

+ 	radix_tree_preload_end();

+-	return 1;

++err:

++	if (err)

++		kmem_cache_free(free_nid_slab, i);

++	return ret;

+ }

+ 

+ static void remove_free_nid(struct f2fs_nm_info *nm_i, nid_t nid)

+-- 

+2.7.4

+

deleted file mode 100644

@@ -1,150 +0,0 @@

-From 00f30dfb8966dc12d852807c1c691c28a33c966c Mon Sep 17 00:00:00 2001

-From: Masami Hiramatsu <mhiramat@kernel.org>

-Date: Tue, 12 Jun 2018 23:10:56 +0000

-Subject: [PATCH] kprobes/x86: Do not modify singlestep buffer while resuming

-

-commit 804dec5bda9b4fcdab5f67fe61db4a0498af5221 upstream.

-

-Do not modify singlestep execution buffer (kprobe.ainsn.insn)

-while resuming from single-stepping, instead, modifies

-the buffer to add a jump back instruction at preparing

-buffer.

-

-Commit 176bee4cfcec ("kprobes/x86: Set kprobes pages read-only")

-introduced a bug in stable 4.4.y by making singlestep buffer page

-read-only. Attempts to modify singlestep buffer, to insert a jump

-instruction, at resume_execution() lead to kernel panic.

-

-  BUG: unable to handle kernel paging request at ffffffffa0011001

-  IP: [<ffffffff8105711c>] resume_execution+0x14c/0x1a0

-  PGD 1c0f067 PUD 1c10063 PMD 42ac74067 PTE 41cc35061

-  Oops: 0003 [#1] SMP

-  Modules linked in: stap_6eaf26e7bd7018624e4c19b7486f4bb8_1857(OE) ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) <...>

-  CPU: 5 PID: 1857 Comm: stapio Tainted: G           OE   4.4.136+ #1

-  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/24/2017

-  task: ffff880425044940 ti: ffff88042d160000 task.ti: ffff88042d160000

-  RIP: 0010:[<ffffffff8105711c>]  [<ffffffff8105711c>] resume_execution+0x14c/0x1a0

-  RSP: 0018:ffff88043fd4aeb0  EFLAGS: 00010086

-  RAX: ffffffffa0011001 RBX: ffff88043fd4af58 RCX: 0000000000000006

-  RDX: ffffffff811b9f71 RSI: ffff88043fd4af58 RDI: 0000000000000055

-  RBP: ffff88043fd4aee8 R08: 0000000000000001 R09: ffff88041cce8100

-  R10: 0000000000000004 R11: ffff8804252d9238 R12: ffff88042c6051c0

-  R13: ffffffff811b9f70 R14: ffff88042d163f08 R15: ffffffffa0011000

-  FS:  00007f05f6439740(0000) GS:ffff88043fd40000(0000) knlGS:0000000000000000

-  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033

-  CR2: ffffffffa0011001 CR3: 000000042944a000 CR4: 0000000000160670

-  Stack:

-   ffff88043fd4fee0 0000000000000000 ffff88043fd4fee0 ffff88043fd4af58

-   ffff88042c6051c0 0000000000000000 00007ffd23764640 ffff88043fd4af10

-   ffffffff810571a8 ffff88043fd4af58 ffff880425044940 0000000000000000

-  Call Trace:

-   <#DB>

-   [<ffffffff810571a8>] kprobe_debug_handler+0x38/0xd0

-   [<ffffffff81016de2>] do_debug+0x82/0x1b0

-   [<ffffffff817e6aa5>] debug+0x35/0x70

-   <<EOE>>

-   [<ffffffff811bac51>] ? SyS_read+0x41/0xa0

-   [<ffffffff817e48a1>] entry_SYSCALL_64_fastpath+0x1e/0x95

-

-Issue was found and fix was verified by running systemtap:

-  stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'

-

-Fixes: 176bee4cfcec ("kprobes/x86: Set kprobes pages read-only")

-Cc: stable@vger.kernel.org # v4.4

-Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>

-Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>

-Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>

-Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>

-Cc: Borislav Petkov <bp@alien8.de>

-Cc: Brian Gerst <brgerst@gmail.com>

-Cc: David S . Miller <davem@davemloft.net>

-Cc: Denys Vlasenko <dvlasenk@redhat.com>

-Cc: H. Peter Anvin <hpa@zytor.com>

-Cc: Josh Poimboeuf <jpoimboe@redhat.com>

-Cc: Linus Torvalds <torvalds@linux-foundation.org>

-Cc: Peter Zijlstra <peterz@infradead.org>

-Cc: Thomas Gleixner <tglx@linutronix.de>

-Cc: Ye Xiaolong <xiaolong.ye@intel.com>

-Link: http://lkml.kernel.org/r/149076361560.22469.1610155860343077495.stgit@devbox

-Signed-off-by: Ingo Molnar <mingo@kernel.org>

-Reviewed-by/Acked-by: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

-Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>

- arch/x86/kernel/kprobes/core.c | 42 ++++++++++++++++++++----------------------

- 1 file changed, 20 insertions(+), 22 deletions(-)

-

-diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c

-index df9be5b91270..1f5c47a49e35 100644

-+++ b/arch/x86/kernel/kprobes/core.c

-@@ -411,25 +411,38 @@ void free_insn_page(void *page)

- 	module_memfree(page);

- }

- 

-+/* Prepare reljump right after instruction to boost */

-+static void prepare_boost(struct kprobe *p, int length)

-+{

-+	if (can_boost(p->ainsn.insn, p->addr) &&

-+	    MAX_INSN_SIZE - length >= RELATIVEJUMP_SIZE) {

-+		/*

-+		 * These instructions can be executed directly if it

-+		 * jumps back to correct address.

-+		 */

-+		synthesize_reljump(p->ainsn.insn + length, p->addr + length);

-+		p->ainsn.boostable = 1;

-+	} else {

-+		p->ainsn.boostable = -1;

-+	}

-+}

-+

- static int arch_copy_kprobe(struct kprobe *p)

- {

--	int ret;

-+	int len;

- 

- 	set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1);

- 

- 	/* Copy an instruction with recovering if other optprobe modifies it.*/

--	ret = __copy_instruction(p->ainsn.insn, p->addr);

--	if (!ret)

-+	len = __copy_instruction(p->ainsn.insn, p->addr);

-+	if (!len)

- 		return -EINVAL;

- 

- 	/*

- 	 * __copy_instruction can modify the displacement of the instruction,

- 	 * but it doesn't affect boostable check.

- 	 */

--	if (can_boost(p->ainsn.insn, p->addr))

--		p->ainsn.boostable = 0;

--	else

--		p->ainsn.boostable = -1;

-+	prepare_boost(p, len);

- 

- 	set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1);

- 

-@@ -894,21 +907,6 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,

- 		break;

- 	}

- 

--	if (p->ainsn.boostable == 0) {

--		if ((regs->ip > copy_ip) &&

--		    (regs->ip - copy_ip) + 5 < MAX_INSN_SIZE) {

--			/*

--			 * These instructions can be executed directly if it

--			 * jumps back to correct address.

--			 */

--			synthesize_reljump((void *)regs->ip,

--				(void *)orig_ip + (regs->ip - copy_ip));

--			p->ainsn.boostable = 1;

--		} else {

--			p->ainsn.boostable = -1;

--		}

--	}

--

- 	regs->ip += orig_ip - copy_ip;

- 

- no_change:

-2.14.2

-

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.139

-Release:       2%{?dist}

+Version:       4.4.140

+Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=ce4028904ab97c1942cc1c1b917520065529dc34

+%define sha1 linux=55dc1299e981cb4ef8ef0c92a4df52c2f4df4835

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -23,7 +23,6 @@ Patch8:        04-quiet-boot.patch

 Patch9:        05-pv-ops.patch

 Patch10:       06-sunrpc.patch

 Patch11:       vmxnet3-1.4.6.0-avoid-calling-pskb_may_pull-with-interrupts-disabled.patch

-Patch12:       kprobes-x86-Do-not-modify-singlestep-buffer-while-re.patch

 Patch13:       REVERT-sched-fair-Beef-up-wake_wide.patch

 Patch14:       e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch

@@ -51,7 +50,11 @@ Patch34:       0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

 Patch35:       0001-scsi-libsas-direct-call-probe-and-destruct.patch

 # Fix for CVE-2018-10323

 Patch36:       0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

-

+# Fix for CVE-2017-18249 (following 4 patches)

+Patch37:       0001-f2fs-cover-more-area-with-nat_tree_lock.patch

+Patch38:       0002-Revert-f2fs-check-the-node-block-address-of-newly-al.patch

+Patch39:       0003-f2fs-remove-an-obsolete-variable.patch

+Patch40:       0004-f2fs-fix-race-condition-in-between-free-nid-allocato.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -221,7 +224,6 @@ The Linux package contains the Linux kernel doc files

 %patch9 -p1

 %patch10 -p1

 %patch11 -p1

-%patch12 -p1

 %patch13 -p1

 %patch14 -p1

@@ -243,6 +245,10 @@ The Linux package contains the Linux kernel doc files

 %patch34 -p1

 %patch35 -p1

 %patch36 -p1

+%patch37 -p1

+%patch38 -p1

+%patch39 -p1

+%patch40 -p1

 %patch52 -p1

 %patch55 -p1

@@ -448,6 +454,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Jul 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.140-1

+-   Update to version 4.4.140 and fix CVE-2017-18249

 *   Tue Jul 10 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-2

 -   Fix CVE-2017-18232 and CVE-2018-10323.

 *   Tue Jul 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-1

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.139

-Release:        3%{?kat_build:.%kat_build}%{?dist}

+Version:    	4.4.140

+Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=ce4028904ab97c1942cc1c1b917520065529dc34

+%define sha1 linux=55dc1299e981cb4ef8ef0c92a4df52c2f4df4835

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -26,7 +26,6 @@ Patch7:	        vmxnet3-1.4.6.0-avoid-calling-pskb_may_pull-with-interrupts-disa

 Patch8:		perf-top-sigsegv-fix.patch

 Patch9:         REVERT-sched-fair-Beef-up-wake_wide.patch

 Patch10:        e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch

-Patch11:        kprobes-x86-Do-not-modify-singlestep-buffer-while-re.patch

 Patch12:        vmxnet3-1.4.6.0-fix-lock-imbalance-in-vmxnet3_tq_xmit.patch

 Patch13:        vmxnet3-1.4.7.0-set-CHECKSUM_UNNECESSARY-for-IPv6-packets.patch

 Patch14:        vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch

@@ -51,6 +50,11 @@ Patch27:        0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

 Patch28:        0001-scsi-libsas-direct-call-probe-and-destruct.patch

 # Fix for CVE-2018-10323

 Patch29:        0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch

+# Fix for CVE-2017-18249 (following 4 patches)

+Patch30:        0001-f2fs-cover-more-area-with-nat_tree_lock.patch

+Patch31:        0002-Revert-f2fs-check-the-node-block-address-of-newly-al.patch

+Patch32:        0003-f2fs-remove-an-obsolete-variable.patch

+Patch33:        0004-f2fs-fix-race-condition-in-between-free-nid-allocato.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -257,7 +261,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch8 -p1

 %patch9 -p1

 %patch10 -p1

-%patch11 -p1

 %patch12 -p1

 %patch13 -p1

 %patch14 -p1

@@ -274,6 +277,10 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch27 -p1

 %patch28 -p1

 %patch29 -p1

+%patch30 -p1

+%patch31 -p1

+%patch32 -p1

+%patch33 -p1

 %patch52 -p1

 %patch55 -p1

@@ -547,6 +554,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Mon Jul 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.140-1

+-   Update to version 4.4.140 and fix CVE-2017-18249

 *   Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-3

 -   Use AppArmor security module by default.

 *   Tue Jul 10 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-2