@@ -1,14 +1,14 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.131

-Release:	2%{?dist}

+Version:	4.4.137

+Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

 Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=6811784d7abf4cd84f99c188c397b893deb35551

+%define sha1 linux=05b18bc780fb6f534dbf47825945b4e6eca15143

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Wed Jun 13 2018 Alexey Makhalov <amakhalov@vmware.com> 4.4.137-1

+-   Update to version 4.4.137

 *   Mon May 21 2018 Bo Gan <ganb@vmware.com> 4.4.131-2

 -   Sync with syscall number change for f*xattrat syscalls family

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-1

deleted file mode 100644

@@ -1,38 +0,0 @@

-From 0ddcff49b672239dda94d70d0fcf50317a9f4b51 Mon Sep 17 00:00:00 2001

-From: "weiyongjun (A)" <weiyongjun1@huawei.com>

-Date: Thu, 18 Jan 2018 02:23:34 +0000

-Subject: [PATCH] mac80211_hwsim: fix possible memory leak in

- hwsim_new_radio_nl()

-

-'hwname' is malloced in hwsim_new_radio_nl() and should be freed

-before leaving from the error handling cases, otherwise it will cause

-memory leak.

-

-Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")

-Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>

-Reviewed-by: Ben Hutchings <ben.hutchings@codethink.co.uk>

-Signed-off-by: Johannes Berg <johannes.berg@intel.com>

-Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

- drivers/net/wireless/mac80211_hwsim.c | 4 +++-

- 1 file changed, 3 insertions(+), 1 deletion(-)

-

-diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c

-index 8a9164d..e8b770a 100644

-+++ b/drivers/net/wireless/mac80211_hwsim.c

-@@ -2925,8 +2925,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)

- 	if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {

- 		u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);

- 

--		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))

-+		if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {

-+			kfree(hwname);

- 			return -EINVAL;

-+		}

- 		param.regd = hwsim_world_regdom_custom[idx];

- 	}

- 

-2.7.4

-

@@ -105,7 +105,7 @@ index 7d344259..3c42478 100644

 +

  static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)

  {

- 	if (skb_cow(skb, skb_headroom(skb)) < 0) {

+ 	int mac_len;

 diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c

 index c2fbde7..93d6a21 100644

 --- a/net/sched/sch_tbf.c

deleted file mode 100644

@@ -1,47 +0,0 @@

-From 1572e45a924f254d9570093abde46430c3172e3d Mon Sep 17 00:00:00 2001

-From: Tan Xiaojun <tanxiaojun@huawei.com>

-Date: Thu, 23 Feb 2017 14:04:39 +0800

-Subject: [PATCH] perf/core: Fix the perf_cpu_time_max_percent check

-

-Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input

-value from user-space.

-

-If not, we can set a big value and some vars will overflow like

-"sysctl_perf_event_sample_rate" which will cause a lot of unexpected

-problems.

-

-Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>

-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>

-Cc: <acme@kernel.org>

-Cc: <alexander.shishkin@linux.intel.com>

-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>

-Cc: Arnaldo Carvalho de Melo <acme@redhat.com>

-Cc: Jiri Olsa <jolsa@redhat.com>

-Cc: Linus Torvalds <torvalds@linux-foundation.org>

-Cc: Peter Zijlstra <peterz@infradead.org>

-Cc: Stephane Eranian <eranian@google.com>

-Cc: Thomas Gleixner <tglx@linutronix.de>

-Cc: Vince Weaver <vincent.weaver@maine.edu>

-Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com

-Signed-off-by: Ingo Molnar <mingo@kernel.org>

-Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

- kernel/events/core.c | 2 +-

- 1 file changed, 1 insertion(+), 1 deletion(-)

-

-diff --git a/kernel/events/core.c b/kernel/events/core.c

-index 6aeb0ef..92d1f12 100644

-+++ b/kernel/events/core.c

-@@ -229,7 +229,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,

- 				void __user *buffer, size_t *lenp,

- 				loff_t *ppos)

- {

--	int ret = proc_dointvec(table, write, buffer, lenp, ppos);

-+	int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);

- 

- 	if (ret || !write)

- 		return ret;

-2.7.4

-

@@ -186,6 +186,7 @@ CONFIG_RD_LZMA=y

 CONFIG_RD_XZ=y

 CONFIG_RD_LZO=y

 CONFIG_RD_LZ4=y

+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y

 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set

 CONFIG_SYSCTL=y

 CONFIG_ANON_INODES=y

@@ -1350,7 +1351,9 @@ CONFIG_CEPH_LIB=m

 # CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set

 # CONFIG_NFC is not set

 # CONFIG_LWTUNNEL is not set

+CONFIG_DST_CACHE=y

 CONFIG_HAVE_BPF_JIT=y

+CONFIG_HAVE_EBPF_JIT=y

 #

 # Device Drivers

@@ -180,6 +180,7 @@ CONFIG_RD_LZMA=y

 CONFIG_RD_XZ=y

 CONFIG_RD_LZO=y

 CONFIG_RD_LZ4=y

+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y

 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set

 CONFIG_SYSCTL=y

 CONFIG_ANON_INODES=y

@@ -1154,7 +1155,9 @@ CONFIG_NET_9P=m

 # CONFIG_CEPH_LIB is not set

 # CONFIG_NFC is not set

 # CONFIG_LWTUNNEL is not set

+CONFIG_DST_CACHE=y

 CONFIG_HAVE_BPF_JIT=y

+CONFIG_HAVE_EBPF_JIT=y

 #

 # Device Drivers

new file mode 100644

@@ -0,0 +1,150 @@

+From 00f30dfb8966dc12d852807c1c691c28a33c966c Mon Sep 17 00:00:00 2001

+From: Masami Hiramatsu <mhiramat@kernel.org>

+Date: Tue, 12 Jun 2018 23:10:56 +0000

+Subject: [PATCH] kprobes/x86: Do not modify singlestep buffer while resuming

+

+commit 804dec5bda9b4fcdab5f67fe61db4a0498af5221 upstream.

+

+Do not modify singlestep execution buffer (kprobe.ainsn.insn)

+while resuming from single-stepping, instead, modifies

+the buffer to add a jump back instruction at preparing

+buffer.

+

+Commit 176bee4cfcec ("kprobes/x86: Set kprobes pages read-only")

+introduced a bug in stable 4.4.y by making singlestep buffer page

+read-only. Attempts to modify singlestep buffer, to insert a jump

+instruction, at resume_execution() lead to kernel panic.

+

+  BUG: unable to handle kernel paging request at ffffffffa0011001

+  IP: [<ffffffff8105711c>] resume_execution+0x14c/0x1a0

+  PGD 1c0f067 PUD 1c10063 PMD 42ac74067 PTE 41cc35061

+  Oops: 0003 [#1] SMP

+  Modules linked in: stap_6eaf26e7bd7018624e4c19b7486f4bb8_1857(OE) ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) <...>

+  CPU: 5 PID: 1857 Comm: stapio Tainted: G           OE   4.4.136+ #1

+  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/24/2017

+  task: ffff880425044940 ti: ffff88042d160000 task.ti: ffff88042d160000

+  RIP: 0010:[<ffffffff8105711c>]  [<ffffffff8105711c>] resume_execution+0x14c/0x1a0

+  RSP: 0018:ffff88043fd4aeb0  EFLAGS: 00010086

+  RAX: ffffffffa0011001 RBX: ffff88043fd4af58 RCX: 0000000000000006

+  RDX: ffffffff811b9f71 RSI: ffff88043fd4af58 RDI: 0000000000000055

+  RBP: ffff88043fd4aee8 R08: 0000000000000001 R09: ffff88041cce8100

+  R10: 0000000000000004 R11: ffff8804252d9238 R12: ffff88042c6051c0

+  R13: ffffffff811b9f70 R14: ffff88042d163f08 R15: ffffffffa0011000

+  FS:  00007f05f6439740(0000) GS:ffff88043fd40000(0000) knlGS:0000000000000000

+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033

+  CR2: ffffffffa0011001 CR3: 000000042944a000 CR4: 0000000000160670

+  Stack:

+   ffff88043fd4fee0 0000000000000000 ffff88043fd4fee0 ffff88043fd4af58

+   ffff88042c6051c0 0000000000000000 00007ffd23764640 ffff88043fd4af10

+   ffffffff810571a8 ffff88043fd4af58 ffff880425044940 0000000000000000

+  Call Trace:

+   <#DB>

+   [<ffffffff810571a8>] kprobe_debug_handler+0x38/0xd0

+   [<ffffffff81016de2>] do_debug+0x82/0x1b0

+   [<ffffffff817e6aa5>] debug+0x35/0x70

+   <<EOE>>

+   [<ffffffff811bac51>] ? SyS_read+0x41/0xa0

+   [<ffffffff817e48a1>] entry_SYSCALL_64_fastpath+0x1e/0x95

+

+Issue was found and fix was verified by running systemtap:

+  stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'

+

+Fixes: 176bee4cfcec ("kprobes/x86: Set kprobes pages read-only")

+Cc: stable@vger.kernel.org # v4.4

+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>

+Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>

+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>

+Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>

+Cc: Borislav Petkov <bp@alien8.de>

+Cc: Brian Gerst <brgerst@gmail.com>

+Cc: David S . Miller <davem@davemloft.net>

+Cc: Denys Vlasenko <dvlasenk@redhat.com>

+Cc: H. Peter Anvin <hpa@zytor.com>

+Cc: Josh Poimboeuf <jpoimboe@redhat.com>

+Cc: Linus Torvalds <torvalds@linux-foundation.org>

+Cc: Peter Zijlstra <peterz@infradead.org>

+Cc: Thomas Gleixner <tglx@linutronix.de>

+Cc: Ye Xiaolong <xiaolong.ye@intel.com>

+Link: http://lkml.kernel.org/r/149076361560.22469.1610155860343077495.stgit@devbox

+Signed-off-by: Ingo Molnar <mingo@kernel.org>

+Reviewed-by/Acked-by: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>

+---

+ arch/x86/kernel/kprobes/core.c | 42 ++++++++++++++++++++----------------------

+ 1 file changed, 20 insertions(+), 22 deletions(-)

+

+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c

+index df9be5b91270..1f5c47a49e35 100644

+--- a/arch/x86/kernel/kprobes/core.c

+@@ -411,25 +411,38 @@ void free_insn_page(void *page)

+ 	module_memfree(page);

+ }

+ 

++/* Prepare reljump right after instruction to boost */

++static void prepare_boost(struct kprobe *p, int length)

++{

++	if (can_boost(p->ainsn.insn, p->addr) &&

++	    MAX_INSN_SIZE - length >= RELATIVEJUMP_SIZE) {

++		/*

++		 * These instructions can be executed directly if it

++		 * jumps back to correct address.

++		 */

++		synthesize_reljump(p->ainsn.insn + length, p->addr + length);

++		p->ainsn.boostable = 1;

++	} else {

++		p->ainsn.boostable = -1;

++	}

++}

++

+ static int arch_copy_kprobe(struct kprobe *p)

+ {

+-	int ret;

++	int len;

+ 

+ 	set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1);

+ 

+ 	/* Copy an instruction with recovering if other optprobe modifies it.*/

+-	ret = __copy_instruction(p->ainsn.insn, p->addr);

+-	if (!ret)

++	len = __copy_instruction(p->ainsn.insn, p->addr);

++	if (!len)

+ 		return -EINVAL;

+ 

+ 	/*

+ 	 * __copy_instruction can modify the displacement of the instruction,

+ 	 * but it doesn't affect boostable check.

+ 	 */

+-	if (can_boost(p->ainsn.insn, p->addr))

+-		p->ainsn.boostable = 0;

+-	else

+-		p->ainsn.boostable = -1;

++	prepare_boost(p, len);

+ 

+ 	set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1);

+ 

+@@ -894,21 +907,6 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,

+ 		break;

+ 	}

+ 

+-	if (p->ainsn.boostable == 0) {

+-		if ((regs->ip > copy_ip) &&

+-		    (regs->ip - copy_ip) + 5 < MAX_INSN_SIZE) {

+-			/*

+-			 * These instructions can be executed directly if it

+-			 * jumps back to correct address.

+-			 */

+-			synthesize_reljump((void *)regs->ip,

+-				(void *)orig_ip + (regs->ip - copy_ip));

+-			p->ainsn.boostable = 1;

+-		} else {

+-			p->ainsn.boostable = -1;

+-		}

+-	}

+-

+ 	regs->ip += orig_ip - copy_ip;

+ 

+ no_change:

+-- 

+2.14.2

+

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.131

-Release:       3%{?dist}

+Version:       4.4.137

+Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=6811784d7abf4cd84f99c188c397b893deb35551

+%define sha1 linux=05b18bc780fb6f534dbf47825945b4e6eca15143

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -23,7 +23,7 @@ Patch8:        04-quiet-boot.patch

 Patch9:        05-pv-ops.patch

 Patch10:       06-sunrpc.patch

 Patch11:       vmxnet3-1.4.6.0-avoid-calling-pskb_may_pull-with-interrupts-disabled.patch

-

+Patch12:       kprobes-x86-Do-not-modify-singlestep-buffer-while-re.patch

 Patch13:       REVERT-sched-fair-Beef-up-wake_wide.patch

 Patch14:       e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch

@@ -40,14 +40,10 @@ Patch26:       init-do_mounts-recreate-dev-root.patch

 # Fixes for CVE-2018-1000026

 Patch27:       0001-net-create-skb_gso_validate_mac_len.patch

 Patch28:       0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

-# Fix for CVE-2017-18255

-Patch29:       0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

 # Fix for CVE-2018-8043

 Patch30:       0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

 # Fix for CVE-2017-18216

 Patch31:       0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

-# Fix for CVE-2018-8087

-Patch32:       0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

 # Fix for CVE-2017-18241

 Patch33:       0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

@@ -114,7 +110,7 @@ The Linux package contains the Linux kernel doc files

 %patch9 -p1

 %patch10 -p1

 %patch11 -p1

-

+%patch12 -p1

 %patch13 -p1

 %patch14 -p1

@@ -130,10 +126,8 @@ The Linux package contains the Linux kernel doc files

 %patch26 -p1

 %patch27 -p1

 %patch28 -p1

-%patch29 -p1

 %patch30 -p1

 %patch31 -p1

-%patch32 -p1

 %patch33 -p1

 %patch52 -p1

@@ -238,6 +232,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Wed Jun 13 2018 Alexey Makhalov <amakhalov@vmware.com> 4.4.137-1

+-   Update to version 4.4.137. Fix panic in kprobe.

 *   Fri May 18 2018 Bo Gan <ganb@vmware.com> 4.4.131-3

 -   rebase fXxattrat syscall number to avoid conflict with new syscalls

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-2

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.131

-Release:        3%{?kat_build:.%kat_build}%{?dist}

+Version:    	4.4.137

+Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=6811784d7abf4cd84f99c188c397b893deb35551

+%define sha1 linux=05b18bc780fb6f534dbf47825945b4e6eca15143

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -26,7 +26,7 @@ Patch7:	        vmxnet3-1.4.6.0-avoid-calling-pskb_may_pull-with-interrupts-disa

 Patch8:		perf-top-sigsegv-fix.patch

 Patch9:         REVERT-sched-fair-Beef-up-wake_wide.patch

 Patch10:        e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch

-

+Patch11:        kprobes-x86-Do-not-modify-singlestep-buffer-while-re.patch

 Patch12:        vmxnet3-1.4.6.0-fix-lock-imbalance-in-vmxnet3_tq_xmit.patch

 Patch13:        vmxnet3-1.4.7.0-set-CHECKSUM_UNNECESSARY-for-IPv6-packets.patch

 Patch14:        vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch

@@ -39,14 +39,10 @@ Patch18:        0002-allow-also-ecb-cipher_null.patch

 # Fixes for CVE-2018-1000026

 Patch19:        0001-net-create-skb_gso_validate_mac_len.patch

 Patch20:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch

-# Fix for CVE-2017-18255

-Patch21:        0001-perf-core-Fix-the-perf_cpu_time_max_percent-check.patch

 # Fix for CVE-2018-8043

 Patch22:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch

 # Fix for CVE-2017-18216

 Patch23:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch

-# Fix for CVE-2018-8087

-Patch24:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch

 # Fix for CVE-2017-18241

 Patch25:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch

 Patch26:        Implement-the-f-xattrat-family-of-functions.patch

@@ -151,7 +147,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch8 -p1

 %patch9 -p1

 %patch10 -p1

-

+%patch11 -p1

 %patch12 -p1

 %patch13 -p1

 %patch14 -p1

@@ -161,10 +157,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch18 -p1

 %patch19 -p1

 %patch20 -p1

-%patch21 -p1

 %patch22 -p1

 %patch23 -p1

-%patch24 -p1

 %patch25 -p1

 %patch26 -p1

@@ -338,6 +332,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Wed Jun 13 2018 Alexey Makhalov <amakhalov@vmware.com> 4.4.137-1

+-   Update to version 4.4.137. Fix panic in kprobe.

 *   Mon May 21 2018 Bo Gan <ganb@vmware.com> 4.4.131-3

 -   Implement the f*xattrat family of syscalls (Previously linux-esx only)

 *   Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.131-2