new file mode 100644

@@ -0,0 +1,47 @@

+From d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 Mon Sep 17 00:00:00 2001

+From: Yunlei He <heyunlei@huawei.com>

+Date: Thu, 1 Jun 2017 16:43:51 +0800

+Subject: [PATCH] f2fs: fix a panic caused by NULL flush_cmd_control

+

+Mount fs with option noflush_merge, boot failed for illegal address

+fcc in function f2fs_issue_flush:

+

+        if (!test_opt(sbi, FLUSH_MERGE)) {

+                ret = submit_flush_wait(sbi);

+                atomic_inc(&fcc->issued_flush);   ->  Here, fcc illegal

+                return ret;

+        }

+

+Signed-off-by: Yunlei He <heyunlei@huawei.com>

+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/f2fs/segment.c | 5 ++++-

+ 1 file changed, 4 insertions(+), 1 deletion(-)

+

+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c

+index f77b325..87406ef 100644

+--- a/fs/f2fs/segment.c

+@@ -395,6 +395,9 @@ int create_flush_cmd_control(struct f2fs_sb_info *sbi)

+ 	init_waitqueue_head(&fcc->flush_wait_queue);

+ 	init_llist_head(&fcc->issue_list);

+ 	SM_I(sbi)->cmd_control_info = fcc;

++	if (!test_opt(sbi, FLUSH_MERGE))

++		return err;

++

+ 	fcc->f2fs_issue_flush = kthread_run(issue_flush_thread, sbi,

+ 				"f2fs_flush-%u:%u", MAJOR(dev), MINOR(dev));

+ 	if (IS_ERR(fcc->f2fs_issue_flush)) {

+@@ -2313,7 +2316,7 @@ int build_segment_manager(struct f2fs_sb_info *sbi)

+ 

+ 	INIT_LIST_HEAD(&sm_info->sit_entry_set);

+ 

+-	if (test_opt(sbi, FLUSH_MERGE) && !f2fs_readonly(sbi->sb)) {

++	if (!f2fs_readonly(sbi->sb)) {

+ 		err = create_flush_cmd_control(sbi);

+ 		if (err)

+ 			return err;

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,38 @@

+From 0ddcff49b672239dda94d70d0fcf50317a9f4b51 Mon Sep 17 00:00:00 2001

+From: "weiyongjun (A)" <weiyongjun1@huawei.com>

+Date: Thu, 18 Jan 2018 02:23:34 +0000

+Subject: [PATCH] mac80211_hwsim: fix possible memory leak in

+ hwsim_new_radio_nl()

+

+'hwname' is malloced in hwsim_new_radio_nl() and should be freed

+before leaving from the error handling cases, otherwise it will cause

+memory leak.

+

+Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")

+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>

+Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>

+Signed-off-by: Johannes Berg <johannes.berg@intel.com>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ drivers/net/wireless/mac80211_hwsim.c | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c

+index 8a9164d..e8b770a 100644

+--- a/drivers/net/wireless/mac80211_hwsim.c

+@@ -2925,8 +2925,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)

+ 	if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {

+ 		u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);

+ 

+-		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))

++		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {

++			kfree(hwname);

+ 			return -EINVAL;

++		}

+ 		param.regd = hwsim_world_regdom_custom[idx];

+ 	}

+ 

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,45 @@

+From 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 Mon Sep 17 00:00:00 2001

+From: Wei Yongjun <weiyongjun1@huawei.com>

+Date: Thu, 11 Jan 2018 11:21:51 +0000

+Subject: [PATCH] net: phy: mdio-bcm-unimac: fix potential NULL dereference in

+ unimac_mdio_probe()

+

+platform_get_resource() may fail and return NULL, so we should

+better check it's return value to avoid a NULL pointer dereference

+a bit later in the code.

+

+This is detected by Coccinelle semantic patch.

+

+@@

+expression pdev, res, n, t, e, e1, e2;

+@@

+

+res = platform_get_resource(pdev, t, n);

++ if (!res)

++   return -EINVAL;

+... when != res == NULL

+e = devm_ioremap(e1, res->start, e2);

+

+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>

+Signed-off-by: David S. Miller <davem@davemloft.net>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ drivers/net/phy/mdio-bcm-unimac.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c

+index 4bde5e7..fd8692b 100644

+--- a/drivers/net/phy/mdio-bcm-unimac.c

+@@ -177,6 +177,8 @@ static int unimac_mdio_probe(struct platform_device *pdev)

+ 		return -ENOMEM;

+ 

+ 	r = platform_get_resource(pdev, IORESOURCE_MEM, 0);

++	if (!r)

++		return -EINVAL;

+ 

+ 	/* Just ioremap, as this MDIO block is usually integrated into an

+ 	 * Ethernet MAC controller register range

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,208 @@

+From 853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 Mon Sep 17 00:00:00 2001

+From: alex chen <alex.chen@huawei.com>

+Date: Wed, 15 Nov 2017 17:31:48 -0800

+Subject: [PATCH] ocfs2: subsystem.su_mutex is required while accessing the

+ item->ci_parent

+

+The subsystem.su_mutex is required while accessing the item->ci_parent,

+otherwise, NULL pointer dereference to the item->ci_parent will be

+triggered in the following situation:

+

+add node                     delete node

+sys_write

+ vfs_write

+  configfs_write_file

+   o2nm_node_store

+    o2nm_node_local_write

+                             do_rmdir

+                              vfs_rmdir

+                               configfs_rmdir

+                                mutex_lock(&subsys->su_mutex);

+                                unlink_obj

+                                 item->ci_group = NULL;

+                                 item->ci_parent = NULL;

+	 to_o2nm_cluster_from_node

+	  node->nd_item.ci_parent->ci_parent

+	  BUG since of NULL pointer dereference to nd_item.ci_parent

+

+Moreover, the o2nm_cluster also should be protected by the

+subsystem.su_mutex.

+

+[alex.chen@huawei.com: v2]

+  Link: http://lkml.kernel.org/r/59EEAA69.9080703@huawei.com

+Link: http://lkml.kernel.org/r/59E9B36A.10700@huawei.com

+Signed-off-by: Alex Chen <alex.chen@huawei.com>

+Reviewed-by: Jun Piao <piaojun@huawei.com>

+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>

+Cc: Mark Fasheh <mfasheh@versity.com>

+Cc: Joel Becker <jlbec@evilplan.org>

+Cc: Junxiao Bi <junxiao.bi@oracle.com>

+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/ocfs2/cluster/nodemanager.c | 63 ++++++++++++++++++++++++++++++++++++------

+ 1 file changed, 55 insertions(+), 8 deletions(-)

+

+diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c

+index 72afdca..3c45a93 100644

+--- a/fs/ocfs2/cluster/nodemanager.c

+@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {

+ 		"panic",	/* O2NM_FENCE_PANIC */

+ };

+ 

++static inline void o2nm_lock_subsystem(void);

++static inline void o2nm_unlock_subsystem(void);

++

+ struct o2nm_node *o2nm_get_node_by_num(u8 node_num)

+ {

+ 	struct o2nm_node *node = NULL;

+@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)

+ {

+ 	/* through the first node_set .parent

+ 	 * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */

+-	return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);

++	if (node->nd_item.ci_parent)

++		return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);

++	else

++		return NULL;

+ }

+ 

+ enum {

+@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,

+ 				   size_t count)

+ {

+ 	struct o2nm_node *node = to_o2nm_node(item);

+-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);

++	struct o2nm_cluster *cluster;

+ 	unsigned long tmp;

+ 	char *p = (char *)page;

+ 	int ret = 0;

+@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,

+ 	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))

+ 		return -EINVAL; /* XXX */

+ 

++	o2nm_lock_subsystem();

++	cluster = to_o2nm_cluster_from_node(node);

++	if (!cluster) {

++		o2nm_unlock_subsystem();

++		return -EINVAL;

++	}

++

+ 	write_lock(&cluster->cl_nodes_lock);

+ 	if (cluster->cl_nodes[tmp])

+ 		ret = -EEXIST;

+@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,

+ 		set_bit(tmp, cluster->cl_nodes_bitmap);

+ 	}

+ 	write_unlock(&cluster->cl_nodes_lock);

++	o2nm_unlock_subsystem();

++

+ 	if (ret)

+ 		return ret;

+ 

+@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,

+ 					    size_t count)

+ {

+ 	struct o2nm_node *node = to_o2nm_node(item);

+-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);

++	struct o2nm_cluster *cluster;

+ 	int ret, i;

+ 	struct rb_node **p, *parent;

+ 	unsigned int octets[4];

+@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,

+ 		be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));

+ 	}

+ 

++	o2nm_lock_subsystem();

++	cluster = to_o2nm_cluster_from_node(node);

++	if (!cluster) {

++		o2nm_unlock_subsystem();

++		return -EINVAL;

++	}

++

+ 	ret = 0;

+ 	write_lock(&cluster->cl_nodes_lock);

+ 	if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))

+@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,

+ 		rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);

+ 	}

+ 	write_unlock(&cluster->cl_nodes_lock);

++	o2nm_unlock_subsystem();

++

+ 	if (ret)

+ 		return ret;

+ 

+@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,

+ 				     size_t count)

+ {

+ 	struct o2nm_node *node = to_o2nm_node(item);

+-	struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);

++	struct o2nm_cluster *cluster;

+ 	unsigned long tmp;

+ 	char *p = (char *)page;

+ 	ssize_t ret;

+@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,

+ 	    !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))

+ 		return -EINVAL; /* XXX */

+ 

++	o2nm_lock_subsystem();

++	cluster = to_o2nm_cluster_from_node(node);

++	if (!cluster) {

++		ret = -EINVAL;

++		goto out;

++	}

++

+ 	/* the only failure case is trying to set a new local node

+ 	 * when a different one is already set */

+ 	if (tmp && tmp == cluster->cl_has_local &&

+-	    cluster->cl_local_node != node->nd_num)

+-		return -EBUSY;

++	    cluster->cl_local_node != node->nd_num) {

++		ret = -EBUSY;

++		goto out;

++	}

+ 

+ 	/* bring up the rx thread if we're setting the new local node. */

+ 	if (tmp && !cluster->cl_has_local) {

+ 		ret = o2net_start_listening(node);

+ 		if (ret)

+-			return ret;

++			goto out;

+ 	}

+ 

+ 	if (!tmp && cluster->cl_has_local &&

+@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,

+ 		cluster->cl_local_node = node->nd_num;

+ 	}

+ 

+-	return count;

++	ret = count;

++

++out:

++	o2nm_unlock_subsystem();

++	return ret;

+ }

+ 

+ CONFIGFS_ATTR(o2nm_node_, num);

+@@ -750,6 +787,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {

+ 	},

+ };

+ 

++static inline void o2nm_lock_subsystem(void)

++{

++	mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);

++}

++

++static inline void o2nm_unlock_subsystem(void)

++{

++	mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);

++}

++

+ int o2nm_depend_item(struct config_item *item)

+ {

+ 	return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);

+-- 

+2.7.4

+

@@ -2,7 +2,7 @@

 Summary:       Kernel

 Name:          linux-esx

 Version:       4.4.131

-Release:       1%{?dist}

+Release:       2%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

@@ -42,6 +42,14 @@ Patch27:       0001-net-create-skb_gso_validate_mac_len.patch

 Patch28:       0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # Fix for CVE-2017-18255

 Patch29:       0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

+# Fix for CVE-2018-8043

+Patch30:       0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

+# Fix for CVE-2017-18216

+Patch31:       0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

+# Fix for CVE-2018-8087

+Patch32:       0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

+# Fix for CVE-2017-18241

+Patch33:       0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -123,6 +131,10 @@ The Linux package contains the Linux kernel doc files

 %patch27 -p1

 %patch28 -p1

 %patch29 -p1

+%patch30 -p1

+%patch31 -p1

+%patch32 -p1

+%patch33 -p1

 %patch52 -p1

 %patch55 -p1

@@ -226,6 +238,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-2

+-   Fix CVE-2018-8043, CVE-2017-18216, CVE-2018-8087, CVE-2017-18241.

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-1

 -   Update to version 4.4.131

 *   Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.130-2

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:    	4.4.131

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -41,6 +41,14 @@ Patch19:        0001-net-create-skb_gso_validate_mac_len.patch

 Patch20:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

 # Fix for CVE-2017-18255

 Patch21:        0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

+# Fix for CVE-2018-8043

+Patch22:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

+# Fix for CVE-2017-18216

+Patch23:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

+# Fix for CVE-2018-8087

+Patch24:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

+# Fix for CVE-2017-18241

+Patch25:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -153,6 +161,10 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch19 -p1

 %patch20 -p1

 %patch21 -p1

+%patch22 -p1

+%patch23 -p1

+%patch24 -p1

+%patch25 -p1

 %patch52 -p1

 %patch55 -p1

@@ -324,6 +336,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-2

+-   Fix CVE-2018-8043, CVE-2017-18216, CVE-2018-8087, CVE-2017-18241.

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-1

 -   Update to version 4.4.131

 *   Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.130-2