Home Home > GIT Browse
AgeCommit message (Collapse)Author
2019-07-11Bump up the version number in spec fileSLE12-SP4_Update_3Nicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-07-10Merge branch 'bsc#1137597_12.4u0-4' into SLE12-SP4_Update_3Nicolai Stange
2019-07-10Fix regression bsc#1140747 ("applications tcp socket get stuck")Nicolai Stange
The fix for CVE-2019-11478 ("SACK Slowness / extensive resource usage") can cause TCP connection stalls for applications having setup very low SO_SNDBUF values. Fix this by applying stable-4.4.y commit 46c7b5d6f2a5 ("tcp: refine memory limit test in tcp_fragment()") to the live patch mitigating this CVE. Fixes: 856c35df5e20 ('Fix for CVE-2019-11477 and CVE-2019-11478 ("multiple remote denial of service issues (SACK Panic)")') References: bsc#1140747 bsc#1137597 CVE-2019-11478 Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-07-09bsc#1137597: fill in upstream commit idsNicolai Stange
At the time the live patch for CVE-2019-11477 and CVE-2019-11478 ("multiple remote denial of service issues (SACK Panic)") was being prepared, the issue had been under embargo and no upstream commits published. Add their ids to the live patch's file header comment. References: bsc#1137597 CVE-2019-11477 CVE-2019-11478 Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-30Merge branch 'bsc#1136446_12.4u0-4' into SLE12-SP4_Update_3Nicolai Stange
2019-06-18bsc#1136446: get rid of unwanted dependency on cfg80211.koNicolai Stange
The fix for bsc#1136446, CVE-2019-3846 ("Heap Overflow in mwifiex_update_bss_desc_with_ie function of Marvell Wifi Driver in Linux kernel") introduced a dependency on cfg80211.ko from the live patch module by mistake. It isn't a serious problem, but not really nice either. Fix it up. Fixes: 419681f71c33 ('Fix for CVE-2019-3846 ("Heap Overflow in mwifiex_update_bss_desc_with_ie function of Marvell Wifi Driver in Linux kernel")') References: bsc#1136446 Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-18Bump up the version number in spec fileMiroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2019-06-17Merge branch 'bsc#1137597_12.4u0-4' into SLE12-SP4_Update_3Nicolai Stange
2019-06-17Merge branch 'bsc#1136446_12.4u0-4' into SLE12-SP4_Update_3Nicolai Stange
2019-06-17Merge branch 'bsc#1133191_12.4u3' into SLE12-SP4_Update_3Nicolai Stange
2019-06-16Fix for CVE-2019-11477 and CVE-2019-11478 ("multiple remote denial of ↵Nicolai Stange
service issues (SACK Panic)") Live patch for CVE-2019-11477 and CVE-2019-11478. No upstream commits yet. KLP: CVE-2019-11477 CVE-2019-11478 References: bsc#1137597 CVE-2019-11477 CVE-2019-11478 Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-16Fix for CVE-2019-3846 ("Heap Overflow in mwifiex_update_bss_desc_with_ie ↵Nicolai Stange
function of Marvell Wifi Driver in Linux kernel") Live patch for CVE-2019-3846 as well as the related heap overflow handled in bsc#1136935 which hasn't got a unique CVE number assigned yet. Upstream commits 13ec7f10b87f ("mwifiex: Fix possible buffer overflows at parsing bss descriptor") 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element") 69ae4f6aac15 ("mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()") KLP: CVE-2019-3846 References: bsc#1136446 bsc#1136935 CVE-2019-3846 Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-16Fix for CVE-2019-11487 ("The Linux kernel [...] allows page->_refcount ↵Nicolai Stange
reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists") Live patch for CVE-2019-11487. Upstream commits f958d7b528 ("mm: make page ref count overflow check tighter and more explicit") 88b1a17dfc ("mm: add 'try_get_page()' helper function") 8fde12ca79 ("mm: prevent get_user_pages() from overflowing page refcount") 15fab63e1e ("fs: prevent page refcount overflow in pipe_buf_get") KLP: CVE-2019-11487 References: bsc#1133191 CVE-2019-11487 Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-03-14Update IBS_PROJECT to correct maintenance incident after initial submissionMiroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2019-03-12New branch for SLE12-SP4_Update_3Nicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-03-07Merge branch 'master-livepatch' into master-livepatch-sle12Miroslav Benes
2019-03-07livepatch_main.c: Adaptation to a new livepatch APIMiroslav Benes
The atomic replace patch set among others removed the two-stage API. There is no (un)registration step needed now. SLES backport defines KLP_NOREG_API macro to easily distinguish whether the kernel provides the old or the new API. Use it and change the module init and exit functions accordingly. Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2019-02-13Merge branch 'master-livepatch' into master-livepatch-sle12Miroslav Benes
Conflicts: rpm/kgraft-patch.spec scripts/tar-up.sh
2019-02-13uname_patch: Use klp-convert macros and rely on klp-convert whereMiroslav Benes
possible Signed-off-by: Miroslav Benes <mbenes@suse.cz> Reviewed-by: Nicolai Stange <nstange@suse.de>
2019-02-13Define macros to switch easily between klp-convert and kallsymsMiroslav Benes
Kallsyms trick does not have to be used for resolving undefined symbols when klp-convert is available. It would be great though to share live patches sources between both modes of operation. Define macros to help with the task. Their definitions depend on whether USE_KLP_CONVERT macro is defined. tar-up.sh script is responsible to decide. Signed-off-by: Miroslav Benes <mbenes@suse.cz> Reviewed-by: Nicolai Stange <nstange@suse.de>
2019-02-13Use klp-convert where providedMiroslav Benes
klp-convert tool converts undefined symbols in a live patch kernel module to special relocation records which are resolved by the kernel. It allows to omit kallsyms tricks. Wire it to the spec file and let tar-up.sh script decide if it is to be used depending on a codestream. SLE15-SP1 is supported currently. Signed-off-by: Miroslav Benes <mbenes@suse.cz> Reviewed-by: Nicolai Stange <nstange@suse.de>
2018-12-31Merge branch 'master-livepatch' into master-livepatch-sle12Miroslav Benes
2018-12-11Merge branch 'master' into master-livepatchMiroslav Benes
2018-12-11uname_patch: don't hold uts_sem while accessing userspace memoryHEADmasterMiroslav Benes
Backport upstream patch 42a0cc347858 ("sys: don't hold uts_sem while accessing userspace memory"). Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-08-09Merge branch 'master-livepatch' into master-livepatch-sle12Miroslav Benes
2018-08-09Provide common kallsyms wrapper APINicolai Stange
With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle. Implement a proper wrapper API for doing the kallsyms lookups. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-19Rename .spec and .changes files from kernel-livepatch to kgraft-patchMiroslav Benes
Someone/something might get confused otherwise. Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-11Merge branch 'master-livepatch' into master-livepatch-sle12Miroslav Benes
2018-07-11provide KLP_SHADOW_ID() helper macroNicolai Stange
In analogy to the KGR_SHADOW_ID() macro, introduce KLP_SHADOW_ID() for the construction of unique shadow variable id's. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-10Merge branch 'master-livepatch' into master-livepatch-sle12Miroslav Benes
2018-07-10scripts/register-patches.sh: implement conditional inclusionNicolai Stange
Currently, subpatches provide a patched_funcs.csv file describing what needs to be patched. register-patches.sh inspects those to assemble one global klp_patch structure. The current format for these patched_funcs.csv's is obj old_func(,sympos) newfun However, sometimes subpatches depend on some kernel configuration values like CONFIG_X86_64 and functions shall get patched only if the target kernel configuration matches. Extends the patched_funcs.csv format to obj old_func(,sympos) newfun (cpp condition) where everything coming after 'newfun' is taken to be a CPP condition to be used for conditional inclusion. In case there's no condition specified, assign that entry the same semantics as if a '1' had been given. Make register-patches.sh guard the corresponding klp_func entries with #if pragmas. Furthermore, let it guard the enclosing klp_object instances by or'ing together all its klp_funcs' conditions. For the sake of better readability, omit redundant #if pragmas as well as condition clauses. In particular, - if a function entry hasn't got any condition explicitly specified, there won't be any #if pragma, neither at the klp_func nor at the klp_object level, - if multiple function entries for an object are protected by the same condition, it'll be or'ed in at the klp_object level only once, - if all of an object's functions share the same condition, no #if pragmas will be emitted at the klp_func level because they would only duplicate what's already there for the enclosing object and - multiple subsequent function entries sharing the same condition get collated. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-10scripts/register-patches.sh: allow spaces as patched_funcs.csv separatorsNicolai Stange
Currently there's one single cut(1) usage which requires that (single) tabs are used as field separators for the patched_funcs.csv. As the rest of the code can deal with sequences of any whitespace already, this imposes an unnecessary restriction on the format. Substitute that cut(1) usage by a sed(1) invocation as appropriate. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-10rpm/config.sh: Change IBS_PROJECT to SLE12-SP4Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-10Partial livepatch to kGraft migrationMiroslav Benes
SLE12-SP4 is going to be based on upstream livepatch implementation. Same as SLE15. However we need to preserve at least kGraft outer appearance. Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-06-04livepatch_main.c: Set .replace to trueMiroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-05-14Merge branch 'master' into master-livepatchMiroslav Benes
2018-05-14scrips/create-makefile.sh: add support for assembly filesNicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08Revert "shadow variables: introduce upstream patch"Miroslav Benes
This reverts commit e899c4fd3fe7602ebd70f578d8475f1049de7c78.
2017-12-08Revert "shadow variables: drop EXPORT_SYMBOL()s"Miroslav Benes
This reverts commit ac6cfebd7f831213ebcd4b2690672871572ec49e.
2017-12-08Revert "shadow variables: share shadow data among KGraft modules"Miroslav Benes
This reverts commit 8e1e705d4d56981949f7ae3854d8e1cc2be7f40f.
2017-12-08Revert "shadow variables: add KGR_SHADOW_ID helper"Miroslav Benes
This reverts commit 237c8f3d13c382321d3e65d138d328eae0b82f6c.
2017-12-08livepatch_main.c: klp_patch_init(): fix error handlingNicolai Stange
In case either of the invocations of klp_register_patch() or klp_enable_patch() fails, anything which has been setup by the prior per-(sub-)patch initialiation code, i.e. the expansion of @@KLP_PATCHES_INIT_CALLS@@, won't get undone. Fix this. Also make klp_patch_init() look more like the common 'goto err' idiom and adjust scripts/register_patches.sh accordingly. Fix for commit 7e20201cdcb8 ("kGraft to livepatch migration. API change."). Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08scripts/register_patches.sh: generate klp_object arrayNicolai Stange
The KLP API doesn't take a flat list of to be patched functions like KGraft did, but introduces an intermediate layer: struct klp_object. Each klp_patch instance is supposed to reference an array of klp_object's which in turn provide an array of klp_func's each. To facilitate merging, we want to generate this list of klp_object's automatically, exactly like we did for the flat function list with KGraft. For each klp_patch instance, there must be at most one klp_object entry referring to the same object. Hence care must be taken not to add an entry for the same object twice in case two different (sub-)patches both patch some functions therein. Require from each (sub-)patch to provide the list of to be patched symbols in a file named SUBPATCH/patched_funcs.csv with each line conforming to the obj old_func(,sympos) new_func pattern. Make scripts/register.sh generate an klp_object array initializer based on this and let it expand the @@KLP_PATCHES_OBJS@@ tag within livepatch_main.c accordingly. Do not replace the now obsolete @@KLP_PATCHES_FUNCS@@ anymore. Add and remove the @@KLP_PATCHES_OBJS@@ and @@KLP_PATCHES_FUNCS@@ markers to and from livepatch_main.c respectively. Signed-off-by: Nicolai Stange <nstange@suse.de> [ mb: amend copy&paste error ($newfun at the end of uname klp_func[]) ] Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08rpm/config.sh: Use SUSE:SLE-15:GA projectMiroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08Revert "scripts: Generate ExclusiveArch in spec file dynamically"Miroslav Benes
This reverts commit 95ed856ea8f99b4e48d7d324278b3628d2ac2fa2. SLE15 will support ppc64le arch from the beginning.
2017-12-08kGraft to livepatch migration. External rename.Libor Pechacek
External rename and thus final step of kGraft -> upstream livepatch migration. kgraft-patch* modules are now livepatch* and live in /lib/modules/$(uname -r)/livepatch. References: fate#323682 Signed-off-by: Libor Pechacek <lpechacek@suse.com> [ mb: changelog ] Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08kGraft to livepatch migration. API change.Libor Pechacek
Change from kGraft API to livepatch API. Note: error handling in _init() function is broken and fixed later. Automatic generation of klp_objects is not present at all. Added later. References: fate#323682 Signed-off-by: Libor Pechacek <lpechacek@suse.com> [ mb: changelog, patch split, whitespace errors ] Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08kGraft to livepatch migration. Internal rename.Libor Pechacek
Internal rename in preparation for kGraft -> upstream livepatch migration. External module naming stays the same. API is not touched yet. References: fate#323682 Signed-off-by: Libor Pechacek <lpechacek@suse.com> [ mb: changelog edit ] Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-05uname_patch: fix UNAME26 for 4.0Miroslav Benes
Backport upstream commit 39afb5ee4640 ("kernel/sys.c: fix UNAME26 for 4.0"). Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-04Revert "Add compat.h to deal with changes of KGR_PATCH macro"Miroslav Benes
This reverts commit 4186bef35862029a2fd36ba4a73d5fa538992709. All currently supported kernels (that is, everything since SLE12_Update_14 and SLE12-SP1_Update_5) have sympos support. We can drop compat, because we don't need it anymore. Signed-off-by: Miroslav Benes <mbenes@suse.cz>