@@ -2,7 +2,7 @@

 Summary:       Kernel

 Name:          linux-esx

 Version:       4.4.110

-Release:       1%{?dist}

+Release:       2%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

@@ -46,6 +46,27 @@ Patch28:       netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch

 # Fix CVE-2017-17450

 Patch29:       netfilter-xt_osf-Add-missing-permission-checks.patch

 Patch30:       revert-SMB-validate-negotiate-even-if-signing-off.patch

+# For Spectre

+Patch50: 0139-x86-cpu-AMD-Make-the-LFENCE-instruction-serialized.patch

+Patch51: 0140-x86-cpu-AMD-Remove-now-unused-definition-of-MFENCE_R.patch

+Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

+Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch

+#Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch

+Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

+Patch56: 0145-carl9170-prevent-speculative-execution.patch

+Patch57: 0146-p54-prevent-speculative-execution.patch

+Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

+Patch59: 0148-cw1200-prevent-speculative-execution.patch

+Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

+Patch61: 0150-ipv4-prevent-speculative-execution.patch

+Patch62: 0151-ipv6-prevent-speculative-execution.patch

+Patch63: 0152-fs-prevent-speculative-execution.patch

+Patch64: 0153-net-mpls-prevent-speculative-execution.patch

+Patch65: 0154-udf-prevent-speculative-execution.patch

+Patch66: 0155-userns-prevent-speculative-execution.patch

+Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

+Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch

+

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod

@@ -113,6 +134,26 @@ The Linux package contains the Linux kernel doc files

 %patch29 -p1

 %patch30 -p1

+%patch50 -p1

+%patch51 -p1

+%patch52 -p1

+%patch53 -p1

+#%patch54 -p1

+%patch55 -p1

+%patch56 -p1

+%patch57 -p1

+%patch58 -p1

+%patch59 -p1

+%patch60 -p1

+%patch61 -p1

+%patch62 -p1

+%patch63 -p1

+%patch64 -p1

+%patch65 -p1

+%patch66 -p1

+%patch67 -p1

+%patch68 -p1

+

 %build

 # patch vmw_balloon driver

 sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c

@@ -200,6 +241,10 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Jan 08 2018 Bo Gan <ganb@vmware.com> 4.4.110-2

+-   Initial Spectre fix

+-   Add Observable speculation barrier

+-   Clear unused register upon syscall entry

 *   Fri Jan 05 2018 Anish Swaminathan <anishs@vmware.com> 4.4.110-1

 -   Version update to 4.4.110

 *   Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-3

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:    	4.4.110

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -45,6 +45,26 @@ Patch22:        netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch

 # Fix CVE-2017-17450

 Patch23:        netfilter-xt_osf-Add-missing-permission-checks.patch

 Patch24:        revert-SMB-validate-negotiate-even-if-signing-off.patch

+# For Spectre

+Patch50: 0139-x86-cpu-AMD-Make-the-LFENCE-instruction-serialized.patch

+Patch51: 0140-x86-cpu-AMD-Remove-now-unused-definition-of-MFENCE_R.patch

+Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

+Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch

+#Patch54: 0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch

+Patch55: 0144-uvcvideo-prevent-speculative-execution.patch

+Patch56: 0145-carl9170-prevent-speculative-execution.patch

+Patch57: 0146-p54-prevent-speculative-execution.patch

+Patch58: 0147-qla2xxx-prevent-speculative-execution.patch

+Patch59: 0148-cw1200-prevent-speculative-execution.patch

+Patch60: 0149-Thermal-int340x-prevent-speculative-execution.patch

+Patch61: 0150-ipv4-prevent-speculative-execution.patch

+Patch62: 0151-ipv6-prevent-speculative-execution.patch

+Patch63: 0152-fs-prevent-speculative-execution.patch

+Patch64: 0153-net-mpls-prevent-speculative-execution.patch

+Patch65: 0154-udf-prevent-speculative-execution.patch

+Patch66: 0155-userns-prevent-speculative-execution.patch

+Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

+Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch

 %if 0%{?kat_build:1}

 Patch1000:	%{kat_build}.patch

@@ -143,6 +163,26 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch23 -p1

 %patch24 -p1

+%patch50 -p1

+%patch51 -p1

+%patch52 -p1

+%patch53 -p1

+#%patch54 -p1

+%patch55 -p1

+%patch56 -p1

+%patch57 -p1

+%patch58 -p1

+%patch59 -p1

+%patch60 -p1

+%patch61 -p1

+%patch62 -p1

+%patch63 -p1

+%patch64 -p1

+%patch65 -p1

+%patch66 -p1

+%patch67 -p1

+%patch68 -p1

+

 %if 0%{?kat_build:1}

 %patch1000 -p1

 %endif

@@ -298,6 +338,10 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Mon Jan 08 2018 Bo Gan <ganb@vmware.com> 4.4.110-2

+-   Initial Spectre fix

+-   Add Observable speculation barrier

+-   Clear unused register upon syscall entry

 *   Fri Jan 05 2018 Anish Swaminathan <anishs@vmware.com> 4.4.110-1

 -   Version update to 4.4.110

 *   Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-3

new file mode 100644

@@ -0,0 +1,58 @@

+From 9883f4d618615acaa9541aaae38e8434d699593f Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Thu, 14 Dec 2017 09:57:58 +0200

+Subject: [PATCH 139/194] x86/cpu/AMD: Make the LFENCE instruction serialized

+

+In order to reduce the impact of using MFENCE, make the execution of the

+LFENCE instruction serialized.  This is done by setting bit 1 of MSR

+0xc0011029 (DE_CFG).

+

+Some families that support LFENCE do not have this MSR.  For these

+families, the LFENCE instruction is already serialized.

+

+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>

+---

+ arch/x86/include/asm/msr-index.h |  2 ++

+ arch/x86/kernel/cpu/amd.c        | 13 +++++++++++--

+ 2 files changed, 13 insertions(+), 2 deletions(-)

+

+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h

+index ab02261..1e7d710 100644

+--- a/arch/x86/include/asm/msr-index.h

+@@ -352,6 +352,8 @@

+ #define FAM10H_MMIO_CONF_BASE_MASK	0xfffffffULL

+ #define FAM10H_MMIO_CONF_BASE_SHIFT	20

+ #define MSR_FAM10H_NODE_ID		0xc001100c

++#define MSR_F10H_DECFG			0xc0011029

++#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1

+ 

+ /* K8 MSRs */

+ #define MSR_K8_TOP_MEM1			0xc001001a

+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c

+index e2defc7..5751810 100644

+--- a/arch/x86/kernel/cpu/amd.c

+@@ -746,8 +746,17 @@ static void init_amd(struct cpuinfo_x86 *c)

+ 		set_cpu_cap(c, X86_FEATURE_K8);

+ 

+ 	if (cpu_has_xmm2) {

+-		/* MFENCE stops RDTSC speculation */

+-		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);

++		/*

++		 * Use LFENCE for execution serialization. On some families

++		 * LFENCE is already serialized and the MSR is not available,

++		 * but msr_set_bit() uses rdmsrl_safe() and wrmsrl_safe().

++		 */

++		if (c->x86 > 0xf)

++			msr_set_bit(MSR_F10H_DECFG,

++				    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);

++

++		/* LFENCE with MSR_F10H_DECFG[1]=1 stops RDTSC speculation */

++		set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);

+ 	}

+ 

+ 	/*

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,45 @@

+From 3325f36c2f6f6335cb3161977ba07ee58a03577f Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Thu, 14 Dec 2017 10:09:03 +0200

+Subject: [PATCH 140/194] x86/cpu/AMD: Remove now unused definition of

+ MFENCE_RDTSC feature

+

+With the switch to using LFENCE_RDTSC on AMD platforms there is no longer

+a need for the MFENCE_RDTSC feature.  Remove its usage and definition.

+

+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>

+---

+ arch/x86/include/asm/cpufeatures.h | 2 +-

+ arch/x86/include/asm/msr.h         | 3 +--

+ 2 files changed, 2 insertions(+), 3 deletions(-)

+

+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h

+index f8c2bd4..86c68cb 100644

+--- a/arch/x86/include/asm/cpufeature.h

+@@ -96,7 +96,7 @@

+ #define X86_FEATURE_SYSCALL32	( 3*32+14) /* "" syscall in ia32 userspace */

+ #define X86_FEATURE_SYSENTER32	( 3*32+15) /* "" sysenter in ia32 userspace */

+ #define X86_FEATURE_REP_GOOD	( 3*32+16) /* rep microcode works well */

+-#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */

++

+ #define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */

+ /* free, was #define X86_FEATURE_11AP	( 3*32+19) * "" Bad local APIC aka 11AP */

+ #define X86_FEATURE_NOPL	( 3*32+20) /* The NOPL (0F 1F) instructions */

+diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h

+index 07962f5..8d8d7ae2 100644

+--- a/arch/x86/include/asm/msr.h

+@@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void)

+ 	 * that some other imaginary CPU is updating continuously with a

+ 	 * time stamp.

+ 	 */

+-	alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC,

+-			  "lfence", X86_FEATURE_LFENCE_RDTSC);

++	alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC);

+ 	return rdtsc();

+ }

+ 

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,62 @@

+From 11ea2f142cc668db2383015c722bcd71b6b10ba7 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Mon, 7 Aug 2017 11:03:42 +0300

+Subject: [PATCH 141/194] locking/barriers: introduce new observable

+ speculation barrier

+

+The new observable speculation barrier, osb(), ensures

+that any user observable speculation doesn't cross the boundary.

+

+Any user observable speculative activity on this CPU

+thread before this point either completes, reaches a

+state it can no longer cause an observable activity, or

+is aborted before instructions after the barrier execute.

+

+In x86 case, osb() resolves in lfence if X86_FEATURE_LFENCE_RDTSC

+is present. Other architectures can define their variants.

+

+Suggested-by: Arjan van de Ven <arjan@linux.intel.com>

+Suggested-by: Alan Cox <alan.cox@intel.com>

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ arch/x86/include/asm/barrier.h |  2 ++

+ include/asm-generic/barrier.h  | 11 +++++++++++

+ 2 files changed, 13 insertions(+)

+

+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h

+index 01727db..a0f695a 100644

+--- a/arch/x86/include/asm/barrier.h

+@@ -77,6 +77,8 @@ do {									\

+ 

+ #endif

+ 

++#define osb() alternative("", "lfence", X86_FEATURE_LFENCE_RDTSC)

++

+ /* Atomic operations are already serializing on x86 */

+ #define smp_mb__before_atomic()	barrier()

+ #define smp_mb__after_atomic()	barrier()

+diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h

+index b42afad..7a9184d 100644

+--- a/include/asm-generic/barrier.h

+@@ -119,5 +119,16 @@ do {									\

+ 	___p1;								\

+ })

+ 

++/* Observable speculation barrier: ensures that any user

++ * observable speculation doesn't cross the boundary.

++ * Any user observable speculative activity on this CPU

++ * thread before this point either completes, reaches a

++ * state it can no longer cause observable activity, or

++ * is aborted before instructions after the barrier execute.

++ */

++#ifndef osb

++#define osb()	do { } while (0)

++#endif

++

+ #endif /* !__ASSEMBLY__ */

+ #endif /* __ASM_GENERIC_BARRIER_H */

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,48 @@

+From acc08dc457b9c6b30c21f589ef4f2f5235d1e654 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Mon, 7 Aug 2017 11:10:28 +0300

+Subject: [PATCH 142/194] bpf: prevent speculative execution in eBPF

+ interpreter

+

+This adds an observable speculation barrier before LD_IMM_DW and

+LDX_MEM_B/H/W/DW eBPF instructions during eBPF program

+execution in order to prevent speculative execution on out

+of bound BFP_MAP array indexes. This way an arbitary kernel

+memory is not exposed through side channel attacks.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ kernel/bpf/core.c | 3 +++

+ 1 file changed, 3 insertions(+)

+

+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c

+index 334b1bd..ae3d943 100644

+--- a/kernel/bpf/core.c

+@@ -29,6 +29,7 @@

+ #include <linux/bpf.h>

+ 

+ #include <asm/unaligned.h>

++#include <asm/barrier.h>

+ 

+ /* Registers */

+ #define BPF_R0	regs[BPF_REG_0]

+@@ -356,6 +357,7 @@ select_insn:

+ 		DST = IMM;

+ 		CONT;

+ 	LD_IMM_DW:

++		osb();

+ 		DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;

+ 		insn++;

+ 		CONT;

+@@ -570,6 +572,7 @@ out:

+ 		*(SIZE *)(unsigned long) (DST + insn->off) = IMM;	\

+ 		CONT;							\

+ 	LDX_MEM_##SIZEOP:						\

++		osb();							\

+ 		DST = *(SIZE *)(unsigned long) (SRC + insn->off);	\

+ 		CONT;

+ 

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,111 @@

+From e3b71cad927d33b8e20c66bf07956f935c9c6eef Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Tue, 8 Aug 2017 12:06:58 +0300

+Subject: [PATCH 143/194] x86, bpf, jit: prevent speculative execution when JIT

+ is enabled

+

+When constant blinding is enabled (bpf_jit_harden = 1), this adds

+an observable speculation barrier before emitting x86 jitted code

+for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X

+(for BPF_REG_AX register) eBPF instructions. This is needed in order

+to prevent speculative execution on out of bounds BPF_MAP array

+indexes when JIT is enabled. This way an arbitary kernel memory is

+not exposed through side-channel attacks.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ arch/x86/net/bpf_jit_comp.c | 28 +++++++++++++++++++++++++++-

+ include/linux/filter.h      |  9 +++++++++

+ 2 files changed, 36 insertions(+), 1 deletion(-)

+

+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c

+index 0554e8a..f01480a 100644

+--- a/arch/x86/net/bpf_jit_comp.c

+@@ -16,6 +16,7 @@

+ #include <linux/bpf.h>

+ 

+ int bpf_jit_enable __read_mostly;

++u8 bpf_jit_fence = 0;

+ 

+ /*

+  * assembly code in arch/x86/net/bpf_jit.S

+@@ -109,6 +110,18 @@ static void bpf_flush_icache(void *start, void *end)

+ 	set_fs(old_fs);

+ }

+ 

++static void emit_memory_barrier(u8 **pprog)

++{

++	u8 *prog = *pprog;

++	int cnt = 0;

++

++	if (bpf_jit_fence)

++			EMIT3(0x0f, 0xae, 0xe8);

++

++	*pprog = prog;

++	return;

++}

++

+ #define CHOOSE_LOAD_FUNC(K, func) \

+ 	((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)

+ 

+@@ -400,7 +413,7 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,

+ 			case BPF_ADD: b2 = 0x01; break;

+ 			case BPF_SUB: b2 = 0x29; break;

+ 			case BPF_AND: b2 = 0x21; break;

+-			case BPF_OR: b2 = 0x09; break;

++			case BPF_OR: b2 = 0x09; emit_memory_barrier(&prog); break;

+ 			case BPF_XOR: b2 = 0x31; break;

+ 			}

+ 			if (BPF_CLASS(insn->code) == BPF_ALU64)

+@@ -647,6 +660,16 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,

+ 		case BPF_ALU64 | BPF_RSH | BPF_X:

+ 		case BPF_ALU64 | BPF_ARSH | BPF_X:

+ 

++			/* If blinding is enabled, each

++			 * BPF_LD | BPF_IMM | BPF_DW instruction

++			 * is converted to 4 eBPF instructions with

++			 * BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32)

++			 * always present(number 3). Detect such cases

++			 * and insert memory barriers. */

++			if ((BPF_CLASS(insn->code) == BPF_ALU64)

++				&& (BPF_OP(insn->code) == BPF_LSH)

++				&& (src_reg == BPF_REG_AX))

++				emit_memory_barrier(&prog);

+ 			/* check for bad case when dst_reg == rcx */

+ 			if (dst_reg == BPF_REG_4) {

+ 				/* mov r11, dst_reg */

+@@ -1124,6 +1147,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)

+ 	if (!bpf_jit_enable)

+ 		return orig_prog;

+ 

++	if (bpf_jit_fence_present() && bpf_jit_blinding_enabled())

++		bpf_jit_fence = 1;

++

+ 	tmp = bpf_jit_blind_constants(prog);

+ 	/* If blinding was requested and we failed during blinding,

+ 	 * we must fall back to the interpreter.

+diff --git a/include/linux/filter.h b/include/linux/filter.h

+index 48ec57e..cba50a5 100644

+--- a/include/linux/filter.h

+@@ -651,6 +651,16 @@ static inline bool bpf_jit_blinding_enabled(void)

+ 

+ 	return true;

+ }

++

++static inline bool bpf_jit_fence_present(void)

++{

++	/* Check if lfence is present on CPU

++	 */

++	if (boot_cpu_has(X86_FEATURE_LFENCE_RDTSC))

++		return true;

++	return false;

++}

++

+ #else

+ static inline void bpf_jit_compile(struct bpf_prog *fp)

+ {

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,33 @@

+From 7dd7ad0b13eb99b650d92ea3b1a2ca170a567216 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:41:27 +0300

+Subject: [PATCH 144/194] uvcvideo: prevent speculative execution

+

+Since the index value in function uvc_ioctl_enum_input()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used to resolve

+selector->baSourceID, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ drivers/media/usb/uvc/uvc_v4l2.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c

+index 3e7e283..65175bb 100644

+--- a/drivers/media/usb/uvc/uvc_v4l2.c

+@@ -821,6 +821,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,

+ 		}

+ 		pin = iterm->id;

+ 	} else if (index < selector->bNrInPins) {

++		osb();

+ 		pin = selector->baSourceID[index];

+ 		list_for_each_entry(iterm, &chain->entities, chain) {

+ 			if (!UVC_ENTITY_IS_ITERM(iterm))

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,33 @@

+From 9c2549c6adcafe2c2f35d44dc87ec23cc52a68b2 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:43:39 +0300

+Subject: [PATCH 145/194] carl9170: prevent speculative execution

+

+Since the queue value in function carl9170_op_conf_tx()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used to resolve

+ar9170_qmap and following ar->edcf, insert an observable

+speculation barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ drivers/net/wireless/ath/carl9170/main.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c

+index 988c885..cf267b7 100644

+--- a/drivers/net/wireless/ath/carl9170/main.c

+@@ -1388,6 +1388,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,

+ 

+ 	mutex_lock(&ar->mutex);

+ 	if (queue < ar->hw->queues) {

++		osb();

+ 		memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));

+ 		ret = carl9170_set_qos(ar);

+ 	} else {

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,33 @@

+From 07f7bcf24d303ec6d91d7da809f3b6e6760f8301 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:44:38 +0300

+Subject: [PATCH 146/194] p54: prevent speculative execution

+

+Since the queue value in function p54_conf_tx()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used to resolve

+priv->qos_params, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ drivers/net/wireless/p54/main.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/net/wireless/p54/main.c b/drivers/net/wireless/p54/main.c

+index d5a3bf9..3d20b47 100644

+--- a/drivers/net/wireless/p54/main.c

+@@ -415,6 +415,7 @@ static int p54_conf_tx(struct ieee80211_hw *dev,

+ 

+ 	mutex_lock(&priv->conf_mutex);

+ 	if (queue < dev->queues) {

++		osb();

+ 		P54_SET_QUEUE(priv->qos_params[queue], params->aifs,

+ 			params->cw_min, params->cw_max, params->txop);

+ 		ret = p54_set_edcf(priv);

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,55 @@

+From f7de96128d46f9d9ecad5c1ded3133e2da25f39c Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:45:35 +0300

+Subject: [PATCH 147/194] qla2xxx: prevent speculative execution

+

+Since the handle value in functions qlafx00_status_entry()

+and qlafx00_multistatus_entry() seems to be controllable

+by userspace and later on conditionally (upon bound check)

+used to resolve req->outstanding_cmds, insert an observable

+speculation barrier before its usage. This should prevent

+observable speculation on that branch and avoid kernel

+memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++----

+ 1 file changed, 8 insertions(+), 4 deletions(-)

+

+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c

+index e23a3d4..9090283 100644

+--- a/drivers/scsi/qla2xxx/qla_mr.c

+@@ -2305,10 +2305,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)

+ 	req = ha->req_q_map[que];

+ 

+ 	/* Validate handle. */

+-	if (handle < req->num_outstanding_cmds)

++	if (handle < req->num_outstanding_cmds) {

++		osb();

+ 		sp = req->outstanding_cmds[handle];

+-	else

++	} else {

+ 		sp = NULL;

++	}

+ 

+ 	if (sp == NULL) {

+ 		ql_dbg(ql_dbg_io, vha, 0x3034,

+@@ -2656,10 +2658,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,

+ 		req = ha->req_q_map[que];

+ 

+ 		/* Validate handle. */

+-		if (handle < req->num_outstanding_cmds)

++		if (handle < req->num_outstanding_cmds) {

++			osb();

+ 			sp = req->outstanding_cmds[handle];

+-		else

++		} else {

+ 			sp = NULL;

++		}

+ 

+ 		if (sp == NULL) {

+ 			ql_dbg(ql_dbg_io, vha, 0x3044,

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,33 @@

+From 9a0dc9abad09792c93d099d5e92af5788c224791 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:46:21 +0300

+Subject: [PATCH 148/194] cw1200: prevent speculative execution

+

+Since the queue value in function cw1200_conf_tx()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used in

+WSM_TX_QUEUE_SET, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ drivers/net/wireless/cw1200/sta.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/drivers/net/wireless/cw1200/sta.c b/drivers/net/wireless/cw1200/sta.c

+index a522248..754fc43 100644

+--- a/drivers/net/wireless/cw1200/sta.c

+@@ -619,6 +619,7 @@ int cw1200_conf_tx(struct ieee80211_hw *dev, struct ieee80211_vif *vif,

+ 	mutex_lock(&priv->conf_mutex);

+ 

+ 	if (queue < dev->queues) {

++		osb();

+ 		old_uapsd_flags = le16_to_cpu(priv->uapsd_info.uapsd_flags);

+ 

+ 		WSM_TX_QUEUE_SET(&priv->tx_queue_params, queue, 0, 0, 0);

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,47 @@

+From d9542e2d9b4b1e4649f0c1ea13a1b5dcfc1e2674 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:47:12 +0300

+Subject: [PATCH 149/194] Thermal/int340x: prevent speculative execution

+

+Since the trip value in function int340x_thermal_get_trip_temp()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used to resolve

+d->aux_trips, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ drivers/thermal/int340x_thermal/int340x_thermal_zone.c | 11 ++++++-----

+ 1 file changed, 6 insertions(+), 5 deletions(-)

+

+diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c

+index 145a5c53..d732b34 100644

+--- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c

+@@ -57,15 +57,16 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone,

+ 	if (d->override_ops && d->override_ops->get_trip_temp)

+ 		return d->override_ops->get_trip_temp(zone, trip, temp);

+ 

+-	if (trip < d->aux_trip_nr)

++	if (trip < d->aux_trip_nr) {

++		osb();

+ 		*temp = d->aux_trips[trip];

+-	else if (trip == d->crt_trip_id)

++	} else if (trip == d->crt_trip_id) {

+ 		*temp = d->crt_temp;

+-	else if (trip == d->psv_trip_id)

++	} else if (trip == d->psv_trip_id) {

+ 		*temp = d->psv_temp;

+-	else if (trip == d->hot_trip_id)

++	} else if (trip == d->hot_trip_id) {

+ 		*temp = d->hot_temp;

+-	else {

++	} else {

+ 		for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) {

+ 			if (d->act_trips[i].valid &&

+ 			    d->act_trips[i].id == trip) {

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,33 @@

+From 9515f43ddd006464308b2796b63b7d6446d922b8 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 13 Dec 2017 10:16:07 +0200

+Subject: [PATCH 150/194] ipv4: prevent speculative execution

+

+Since the offset value in function raw_getfrag()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used in the following

+memcpy, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ net/ipv4/raw.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c

+index 33b70bf..c9d33f1 100644

+--- a/net/ipv4/raw.c

+@@ -476,6 +476,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd,

+ 	if (offset < rfv->hlen) {

+ 		int copy = min(rfv->hlen - offset, len);

+ 

++		osb();

+ 		if (skb->ip_summed == CHECKSUM_PARTIAL)

+ 			memcpy(to, rfv->hdr.c + offset, copy);

+ 		else

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,33 @@

+From 1ce83a2cfe57cec87a22e69b726e9547b4d830f8 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:48:35 +0300

+Subject: [PATCH 151/194] ipv6: prevent speculative execution

+

+Since the offset value in function raw6_getfrag()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used in the

+following memcpy, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ net/ipv6/raw.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c

+index e4462b0..8794d92 100644

+--- a/net/ipv6/raw.c

+@@ -729,6 +729,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,

+ 	if (offset < rfv->hlen) {

+ 		int copy = min(rfv->hlen - offset, len);

+ 

++		osb();

+ 		if (skb->ip_summed == CHECKSUM_PARTIAL)

+ 			memcpy(to, rfv->c + offset, copy);

+ 		else

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,37 @@

+From d7ca466502c0427749f64a6bdb47d96f848bf72d Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:52:22 +0300

+Subject: [PATCH 152/194] fs: prevent speculative execution

+

+Since the fd value in function __fcheck_files()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used to resolve

+fdt->fd, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ include/linux/fdtable.h | 4 +++-

+ 1 file changed, 3 insertions(+), 1 deletion(-)

+

+diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h

+index 1c65817..dbc1200 100644

+--- a/include/linux/fdtable.h

+@@ -82,8 +82,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i

+ {

+ 	struct fdtable *fdt = rcu_dereference_raw(files->fdt);

+ 

+-	if (fd < fdt->max_fds)

++	if (fd < fdt->max_fds) {

++		osb();

+ 		return rcu_dereference_raw(fdt->fd[fd]);

++	}

+ 	return NULL;

+ }

+ 

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,34 @@

+From 3e9a34c67e5376bedd9e79e6a7e16b01a01c8215 Mon Sep 17 00:00:00 2001

+From: Elena Reshetova <elena.reshetova@intel.com>

+Date: Wed, 30 Aug 2017 13:55:54 +0300

+Subject: [PATCH 153/194] net: mpls: prevent speculative execution

+

+Since the index value in function mpls_route_input_rcu()

+seems to be controllable by userspace and later on

+conditionally (upon bound check) used to resolve

+platform_label, insert an observable speculation

+barrier before its usage. This should prevent

+observable speculation on that branch and avoid

+kernel memory leak.

+

+Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

+---

+ net/mpls/af_mpls.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c

+index c5b9ce4..3bdf8d8 100644

+--- a/net/mpls/af_mpls.c

+@@ -50,6 +50,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)

+ 	if (index < net->mpls.platform_labels) {

+ 		struct mpls_route __rcu **platform_label =

+ 			rcu_dereference(net->mpls.platform_label);

++

++		osb();

+ 		rt = rcu_dereference(platform_label[index]);

+ 	}

+ 	return rt;

+-- 

+2.9.5

+

new file mode 100644

@@ -0,0 +1,52 @@

+From bbb72371d2212fe0526f1ae679d5d55fe51bd909 Mon Sep 17 00:00:00 2001