These leaks were observed in the RT kernel but the fixes
are not RT specific. We deemed it prudent to include
the fixes in the std kernel as well.
See the specific patches for details.
Change-Id: I00e6d06a82e289806e5d51008ea1597735b2ad0f
Closes-Bug: 1836638
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Security Fix(es):
(CVE-2019-11477)-
An integer overflow flaw was found in the way
the Linux kernel's networking subsystem processed
TCP Selective Acknowledgment (SACK) segments.
While processing SACK segments,
the Linux kernel's socket buffer (SKB) data structure
becomes fragmented. Each fragment is about TCP
maximum segment size (MSS) bytes.
To efficiently process SACK blocks, the Linux kernel merges
multiple fragmented SKBs into one, potentially overflowing
the variable holding the number of segments.
A remote attacker could use this flaw to crash the Linux kernel
by sending a crafted sequence of SACK segments on a TCP
connection with small value of TCP MSS,
resulting in a denial of service (DoS).
(CVE-2019-11478)-
Kernel: tcp: excessive resource consumption while processing SACK
blocks allows remote denial of service.
(CVE-2019-11479)-
Kernel: tcp: excessive resource consumption for TCP connections with low MSS
allows remote denial of service.
Details:
https://access.redhat.com/errata/RHSA-2019:1481
https://access.redhat.com/errata/RHSA-2019:1486
https://nvd.nist.gov/vuln/detail/
Closes-Bug: 1836685
Depends-On: https://review.opendev.org/670856
Change-Id: I150bdf60cec23058e656c60a3fdd677a14259795
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
Security Fix(es):
(CVE-2019-11477)-
An integer overflow flaw was found in the way
the Linux kernel's networking subsystem processed
TCP Selective Acknowledgment (SACK) segments.
While processing SACK segments,
the Linux kernel's socket buffer (SKB) data structure
becomes fragmented. Each fragment is about TCP
maximum segment size (MSS) bytes.
To efficiently process SACK blocks, the Linux kernel merges
multiple fragmented SKBs into one, potentially overflowing
the variable holding the number of segments.
A remote attacker could use this flaw to crash the Linux kernel
by sending a crafted sequence of SACK segments on a TCP
connection with small value of TCP MSS,
resulting in a denial of service (DoS).
(CVE-2019-11478)-
Kernel: tcp: excessive resource consumption while processing SACK blocks
allows remote denial of service.
(CVE-2019-11479)-
Kernel: tcp: excessive resource consumption for TCP connections with low MSS
allows remote denial of service.
Details:
https://access.redhat.com/errata/RHSA-2019:1481
https://access.redhat.com/errata/RHSA-2019:1486
https://nvd.nist.gov/vuln/detail/
Closes-Bug: 1836685
Depends-On: https://review.opendev.org/670856
Change-Id: I24cd556b9aafd2aa3234ab2f0b7dd6b23185ffd2
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
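The two commits above carry the same description of CVE-2019-11477: fragments of roughly MSS bytes are coalesced, and the per-skb segment count that receives the sum is a 16-bit field, so a peer that negotiates a tiny MSS and drives the coalescing path with crafted SACK blocks can wrap it. The model below is an added example, not kernel or StarlingX code. It keeps the one detail that matters (a u16 count fed by additions) and puts the pre-fix arithmetic next to a guarded version modelled on the upstream fix, which introduced a floor on the sendable MSS (TCP_MIN_SND_MSS, 48 bytes, exposed as net.ipv4.tcp_min_snd_mss) and refuses to coalesce past the 16-bit limit; the exact guard condition here is the example's own. The fragment size, counts, and struct names are constructed for illustration. Operationally, until a patched kernel is running the interim mitigation is to disable SACK (net.ipv4.tcp_sack=0) or drop low-MSS connections at the firewall.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the CVE-2019-11477 arithmetic; not the kernel's code.
 * In the kernel the per-skb segment count is a 16-bit field and coalescing
 * two SACKed skbs adds their counts. Names and sizes here are constructed. */

#define TCP_MIN_SND_MSS 48      /* MSS floor the upstream fix introduced */
#define MAX_GSO_SEGS    0xFFFFu /* largest value a u16 segment count can hold */

struct skb_model {
    uint32_t len;       /* payload bytes in this skb */
    uint16_t gso_segs;  /* MSS-sized segments, 16 bits as in the kernel */
};

/* Pre-fix behaviour: counts are added with no range check, so the u16 wraps. */
static bool merge_unchecked(struct skb_model *prev, const struct skb_model *next)
{
    prev->len += next->len;
    prev->gso_segs = (uint16_t)(prev->gso_segs + next->gso_segs);
    return true;
}

/* Guarded behaviour (modelled on the fix): refuse a merge that cannot fit. */
static bool merge_checked(struct skb_model *prev, const struct skb_model *next)
{
    if ((uint32_t)prev->gso_segs + next->gso_segs > MAX_GSO_SEGS)
        return false;
    prev->len += next->len;
    prev->gso_segs = (uint16_t)(prev->gso_segs + next->gso_segs);
    return true;
}

/* Coalesce nfrags fragments of mss bytes (one segment each) into one skb.
 * Returns true if every fragment was merged. *segs_out receives the 16-bit
 * count the kernel would be left holding, *segs_true the real segment count. */
bool coalesce_queue(uint32_t mss, uint32_t nfrags, bool hardened,
                    uint32_t *segs_out, uint32_t *segs_true)
{
    *segs_true = nfrags;
    if (hardened && mss < TCP_MIN_SND_MSS) {   /* tiny MSS rejected up front */
        *segs_out = 0;
        return false;
    }
    struct skb_model prev = { .len = mss, .gso_segs = 1 };
    for (uint32_t i = 1; i < nfrags; i++) {
        struct skb_model next = { .len = mss, .gso_segs = 1 };
        bool ok = hardened ? merge_checked(&prev, &next)
                           : merge_unchecked(&prev, &next);
        if (!ok) {
            *segs_out = prev.gso_segs;
            return false;
        }
    }
    *segs_out = prev.gso_segs;
    return true;
}

/* True when the recorded count no longer describes the payload. */
bool count_is_corrupt(uint32_t segs_out, uint32_t segs_true)
{
    return segs_out != segs_true;
}

int main(void)
{
    uint32_t segs, real;
    bool merged = coalesce_queue(8, 70000, false, &segs, &real);
    printf("unchecked, MSS 8: merged=%d recorded=%u real=%u corrupt=%d\n",
           merged, segs, real, count_is_corrupt(segs, real));
    merged = coalesce_queue(8, 70000, true, &segs, &real);
    printf("hardened, MSS 8: merged=%d (refused)\n", merged);
    merged = coalesce_queue(536, 1000, true, &segs, &real);
    printf("hardened, MSS 536: merged=%d recorded=%u\n", merged, segs);
    return 0;
}
```

With an 8-byte MSS and 70000 fragments the unchecked path reports 4464 segments for 560000 bytes of payload, which is the inconsistency that later code trips over; the guarded path refuses the MSS before any merging happens, and with a sane MSS it still caps the count at 65535 rather than wrapping.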
Back port upstream patch
ebe06187bf
The epi is removed from the list by list_del_rcu(&epi->fllink);
under list_for_each_entry_rcu() without rcu_read_lock.
If the RCU grace-period thread frees epi before the next list_for_each loop,
the content of epi will be corrupted.
Change-Id: I75dbf8ada5ca4734761efe260ca6d6f85886b180
Closes-Bug: 1837430
Suggested-by: daniel.badea@windriver.com
Signed-off-by: Bin Yang <bin.yang@intel.com>
The low-latency profile of StarlingX is affected by a deadlock in the
CFS scheduler. spin_lock is used in an IRQ handler there instead of
spin_lock_irqsave. This leads to an attempt to lock the same
spinlock twice and an inevitable system freeze. Backporting commit c0ad4aa4d8
from the upstream kernel to cure the issue.
Change-Id: I5416c0e0886f42d2bcec8e3e5da063e6af6916f8
Closes-bug: 1832854
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
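The freeze described in the commit above is the classic single-CPU self-deadlock: a context holds a spinlock, an interrupt lands on the same CPU, and the handler spins forever on a lock its own interrupted context will never release. The user-space model below is an added example, not kernel or StarlingX code. It stands in the CPU-local spinlock with an atomic flag, the interrupt with a signal raised at the current thread, and local interrupt disabling with signal masking, so the effect of taking the lock with and without the irqsave variant can be observed without hanging: the handler uses trylock and records whether it found the lock already held, which is exactly the condition under which a real spin_lock() would never return. All names and the SIGUSR1 choice are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added user-space model of the spin_lock vs spin_lock_irqsave deadlock;
 * not the kernel's code. rq_lock models a CPU-local spinlock, SIGUSR1 the
 * interrupt, and blocking SIGUSR1 the local IRQ disable. */

static atomic_flag rq_lock = ATOMIC_FLAG_INIT;
static volatile sig_atomic_t irq_ran = 0;
static volatile sig_atomic_t irq_saw_lock_held = 0;

static bool spin_trylock(atomic_flag *l)
{
    return !atomic_flag_test_and_set_explicit(l, memory_order_acquire);
}

static void spin_unlock(atomic_flag *l)
{
    atomic_flag_clear_explicit(l, memory_order_release);
}

/* The interrupt handler. A real handler would spin_lock() here and never
 * return when the interrupted context already holds rq_lock; trylock makes
 * that condition observable instead of hanging the process. */
static void irq_handler(int sig)
{
    (void)sig;
    irq_ran = 1;
    if (spin_trylock(&rq_lock))
        spin_unlock(&rq_lock);
    else
        irq_saw_lock_held = 1;
}

static void install_irq_handler(void)
{
    struct sigaction sa;
    sa.sa_handler = irq_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGUSR1, &sa, NULL);
}

/* spin_lock_irqsave / spin_unlock_irqrestore analogues: mask the interrupt
 * for the duration of the critical section and restore the previous mask. */
static void local_irq_save(sigset_t *saved)
{
    sigset_t s;
    sigemptyset(&s);
    sigaddset(&s, SIGUSR1);
    sigprocmask(SIG_BLOCK, &s, saved);
}

static void local_irq_restore(const sigset_t *saved)
{
    sigprocmask(SIG_SETMASK, saved, NULL);  /* a pending interrupt is delivered here */
}

/* Run one critical section during which an interrupt fires on this CPU.
 * Returns 1 if the handler found the lock already held (the deadlock
 * condition), 0 if it ran only after the lock had been released. */
int run_critical_section(bool use_irqsave)
{
    sigset_t saved;
    install_irq_handler();
    irq_ran = 0;
    irq_saw_lock_held = 0;

    if (use_irqsave)
        local_irq_save(&saved);
    while (!spin_trylock(&rq_lock))
        ;                                   /* spin_lock(&rq_lock) */

    raise(SIGUSR1);                         /* interrupt arrives while the lock is held */

    spin_unlock(&rq_lock);
    if (use_irqsave)
        local_irq_restore(&saved);
    return irq_saw_lock_held;
}

int irq_handler_ran(void)
{
    return irq_ran;
}

int main(void)
{
    printf("plain spin_lock:   handler saw lock held = %d\n", run_critical_section(false));
    printf("spin_lock_irqsave: handler saw lock held = %d\n", run_critical_section(true));
    return 0;
}
```

The rule the example illustrates is the general one: any lock that an interrupt handler can take must be acquired with interrupts disabled by every context that can be interrupted while holding it, otherwise the handler can run on top of the holder on the same CPU.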
The kernel memory accounting in the RHEL kernel is broken and
results in a slab memory leak when it is enabled. See the
following bug for details:
https://bugzilla.redhat.com/show_bug.cgi?id=1507149
Unfortunately, this option is enabled by default, so it must be
disabled. Even worse, the kernel won't compile with the option
disabled, so a fix for the compile error is also included.
Change-Id: I627106ae25f86204c1954c1c21171bbef348afaf
Closes-Bug: 1835534
Signed-off-by: Bart Wensley <barton.wensley@windriver.com>
A new set of CVEs was reported against Intel CPUs: CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091.
For these CVEs there are RH and CentOS updates available.
CVE-2018-12126:
Microarchitectural Store Buffer Data Sampling (MSBDS):
Store buffers on some microprocessors utilizing speculative
execution may allow an authenticated user to potentially
enable information disclosure via a side channel with local access.
A list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-12127:
Microarchitectural Load Port Data Sampling (MLPDS):
Load ports on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of impacted
products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-12130:
Microarchitectural Fill Buffer Data Sampling (MFBDS):
Fill buffers on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of impacted
products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2019-11091:
Microarchitectural Data Sampling Uncacheable Memory (MDSUM):
Uncacheable memory on some microprocessors utilizing speculative
execution may allow an authenticated user to potentially enable
information disclosure via a side channel with local access.
A list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
These are from the http://cve.mitre.org website.
These are the MDS security CVEs.
The patch is modified as follows:
1. Delete lines 929-931 of the arch/x86/kernel/cpu/cacheinfo.c file,
because starlingx's Porting-Cacheinfo-from-Kernel-4.10.17.patch
removes the ici_cpuid4_info structure.
2. The build-logic-and-sources-for-TiC.patch version number
has been modified.
3. Apart from the modifications to the files in 1 and 2,
the other patches only change line numbers.
Closes-Bug: 1830487
Depends-On: https://review.opendev.org/663071
Change-Id: I4cad783311ed4a6c60b4f69bdad75d773d0cd23d
Signed-off-by: zhiguo.zhang <zhiguox.zhang@intel.com>
A new set of CVEs was reported against Intel CPUs: CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091.
For these CVEs there are RH and CentOS updates available.
CVE-2018-12126:
Microarchitectural Store Buffer Data Sampling (MSBDS):
Store buffers on some microprocessors utilizing speculative
execution may allow an authenticated user to potentially
enable information disclosure via a side channel with local access.
A list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-12127:
Microarchitectural Load Port Data Sampling (MLPDS):
Load ports on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of impacted
products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-12130:
Microarchitectural Fill Buffer Data Sampling (MFBDS):
Fill buffers on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of impacted
products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2019-11091:
Microarchitectural Data Sampling Uncacheable Memory (MDSUM):
Uncacheable memory on some microprocessors utilizing speculative
execution may allow an authenticated user to potentially enable
information disclosure via a side channel with local access.
A list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf
These are from the http://cve.mitre.org website.
These are the MDS security CVEs.
The patch is modified as follows:
1. Delete lines 929-931 of the arch/x86/kernel/cpu/cacheinfo.c
file,
because starlingx's Porting-Cacheinfo-from-Kernel-4.10.17.patch
removes the ici_cpuid4_info structure.
2. Apart from the modification to the file in 1, the other patches
only change line numbers.
Closes-Bug: 1830487
Depends-On: https://review.opendev.org/663071
Change-Id: I16ac63df21eeb85b4fc3ab19d539986e77c8c0d3
Signed-off-by: zhiguo.zhang <zhiguox.zhang@intel.com>
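The two MDS commits above port the Red Hat kernel patches, but the VERW-based mitigation those patches add only works when the CPU microcode advertises MD_CLEAR, and it does not cover a sibling hyperthread unless SMT is disabled (the kernel's mds=full,nosmt boot option does that). After rolling out the kernel and microcode, the check a practitioner wants is therefore the kernel's own verdict in /sys/devices/system/cpu/vulnerabilities/mds. The program below is an added example, not StarlingX or kernel code: it classifies the status strings the kernel writes there and turns the result into a pass/fail decision for a fleet check. The sample status lines are the ones the kernel emits; the enum, policy function, and path constant are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not StarlingX or kernel code: classify the MDS status the
 * kernel reports in sysfs so an automated check can fail a host that still
 * needs microcode, a kernel update, or SMT disabled. */

enum mds_state {
    MDS_NOT_AFFECTED,
    MDS_MITIGATED,                /* "Mitigation: Clear CPU buffers; SMT disabled/mitigated" */
    MDS_MITIGATED_SMT_VULNERABLE, /* VERW in place but a sibling thread can still sample */
    MDS_VULNERABLE_NO_MICROCODE,  /* kernel patched, CPU lacks MD_CLEAR microcode */
    MDS_VULNERABLE,
    MDS_UNKNOWN                   /* file absent (pre-MDS kernel) or unrecognised text */
};

#define MDS_SYSFS_PATH "/sys/devices/system/cpu/vulnerabilities/mds"

enum mds_state classify_mds(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0)
        return MDS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0) {
        /* "SMT Host state unknown" is what a guest sees; treat it as not
         * proven safe rather than as mitigated. */
        if (strstr(line, "SMT vulnerable") || strstr(line, "Host state unknown"))
            return MDS_MITIGATED_SMT_VULNERABLE;
        return MDS_MITIGATED;
    }
    if (strncmp(line, "Vulnerable", 10) == 0)
        return strstr(line, "no microcode") ? MDS_VULNERABLE_NO_MICROCODE
                                            : MDS_VULNERABLE;
    return MDS_UNKNOWN;
}

/* Policy: only unaffected or fully mitigated hosts pass. An "SMT vulnerable"
 * host passes only if the operator has explicitly accepted cross-thread
 * leakage (for example, a host that never co-schedules untrusted tenants). */
int mds_host_passes(enum mds_state s, int accept_smt_vulnerable)
{
    switch (s) {
    case MDS_NOT_AFFECTED:
    case MDS_MITIGATED:
        return 1;
    case MDS_MITIGATED_SMT_VULNERABLE:
        return accept_smt_vulnerable;
    default:
        return 0;
    }
}

/* Read the live status line into buf; MDS_UNKNOWN if the file is absent. */
enum mds_state read_mds_status(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "r");
    if (!f) {
        buf[0] = '\0';
        return MDS_UNKNOWN;
    }
    if (!fgets(buf, (int)bufsz, f)) {
        fclose(f);
        buf[0] = '\0';
        return MDS_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_mds(buf);
}

int main(void)
{
    char line[256];
    enum mds_state s = read_mds_status(MDS_SYSFS_PATH, line, sizeof line);
    int ok = mds_host_passes(s, 0);
    printf("%s: \"%s\" -> state %d, passes=%d\n", MDS_SYSFS_PATH, line, (int)s, ok);
    return ok ? 0 : 1;
}
```

Run it on each node after the update; a non-zero exit means the node still needs microcode, the patched kernel, or SMT turned off. Treating a missing file as a failure is deliberate: a kernel old enough not to have the sysfs entry is also too old to carry the mitigation.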
This commit upgrades the ixgbe and ixgbevf drivers to the
latest versions.
ixgbe is upversioned to 5.5.5 from 5.5.3
ixgbevf is upversioned to 4.5.3 from 4.5.1
For ixgbe, Intel has noted that RHEL 7.6 support is introduced
in version 5.5.5, whereas only RHEL 7.5 support is present in version
5.5.3. The 5.5.5 version will also pick up a bug fix needed
for SR-IOV operations.
For ixgbevf, Intel has verified RHEL 7.6 support in version 4.5.3,
while they have verified only RHEL 7.5 in version 4.5.1.
Depends-On: https://review.opendev.org/#/c/664280
Change-Id: Ic7e0089a7b218094f3367cdce17ec950359cedae
Closes-Bug: #1830636
Signed-off-by: Steven Webster <steven.webster@windriver.com>
1. Update the qat driver version from QAT1.7.Upstream.L.1.0.3-42
to QAT1.7.L.4.5.0-00034;
2. StarlingX needs the specific qat_service, which is in qat17/files/qat_service
3. The qat_service patch file "0001-Install-config-file-for-each-VF_new.patch"
is not needed.
4. Delete the qat_service patching process in qat17.spec
Story: 2004901
Task: 29235
Depends-On: https://review.opendev.org/#/c/654830
Change-Id: Id675512a522d88c9a0378e367a87f81d1bde2703
Signed-off-by: Long.Li <longx.li@intel.com>
The integrity tarball in my local mirror is wrong, causing the patch to be
incorrect. Correct the patch with the right tarball.
Story: 2004521
Task: 29194
Change-Id: Iee0e7afa12b8583d1bb3d620a5f7626a28f57fed
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Porting upstream patch to fix the build failure with the CentOS 7.6 kernel
If we choose to upgrade the tpm driver to include this patch, there will
be other build failures due to some structures missing in the 957 kernel.
So I decided to back port the upstream patch instead of upgrading the tpm driver.
Depends-On: https://review.openstack.org/625785
Depends-On: https://review.openstack.org/625786
Story: 2004521
Task: 28534
Change-Id: I00d88f4d27ac47107825a17b3bf6d8c74194a7ff
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Porting upstream patch to fix the build failure with the new kernel
Depends-On: https://review.openstack.org/625785
Depends-On: https://review.openstack.org/625786
Story: 2004521
Task: 28584
Change-Id: I261d2d9534d90064d250ffabc11221caadcc2a04
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
The compile issue is fixed with new version, so delete the patch.
Depends-On: https://review.openstack.org/627744
Depends-On: https://review.openstack.org/625785
Story: 2004521
Task: 28671
Change-Id: Ib4851888be98351ffa6a0d847e7871c30a75ad48
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
It is for CentOS 7.6 support
Depends-On: https://review.openstack.org/627739
Story: 2004521
Task: 28532
Change-Id: I6a008dfa28a51316f2e2138213fb9b803f357ce8
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
timer-Reduce-timer-migration-overhead-if-disabled.patch
timer-Minimize-nohz-off-overhead.patch
These two patches are already included in the upgraded kernel;
remove their description from the meta patch.
Fix the compile error in drbd_req.c for improper usage of the
request queue API; fix the warning in kernel/bpf/core.c
for an implicit declaration of the trace call under CFLAG
-Werror-implicit-function-declaration.
Remove the patch changing is_swiotlb_buffer in lib/swiotlb.c,
as the change is already in the new kernel code.
Explicitly disable three configs: CONFIG_TORTURE_TEST=n,
CONFIG_RCU_TORTURE_TEST=n, CONFIG_LOCK_TORTURE_TEST=n.
torture.c, locktorture.c and rcutorture.c are introduced
by the new kernel release and require CONFIG_PERCPU_RWSEM
to be enabled. But the config file generated by merging
kernel-3.10.0-x86_64-rt.config in the source rpm and
kernel-3.10.0-x86_64-rt.config.tis_extra in the meta_patch
disables CONFIG_PERCPU_RWSEM, which makes the build fail
with "undefined symbol". These three files are built to
generate one module for one upper-layer torture test
tool, so explicitly disable these configs.
Depends-On: https://review.openstack.org/625773/
Story: 2004521
Task: 28352
Change-Id: I0f7e7db51aa38e98eae1219196a926ed8fc1b152
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Fix the compile error in drbd_req.c for improper usage of the
request queue API; fix the warning in kernel/bpf/core.c
for an implicit declaration of the trace call under CFLAG
-Werror-implicit-function-declaration
Remove the patch changing is_swiotlb_buffer in lib/swiotlb.c,
as the change is already in the new kernel code base
Story: 2004521
Task: 28260
Depends-On: https://review.openstack.org/625773/
Change-Id: I4a3af98b6efe6d31e66db39302f3af8c4ff19d2c
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
"compat-Statically-initialize-families.patch" is already contained in
the new version, so delete it.
Reset TIS_PATCH_VER to 0 since version is upgraded.
Depends-On: https://review.openstack.org/605292
Story: 2003597
Task: 26588
Change-Id: I628f5b0497df188ea9fa7b7860b56de78382c510
Signed-off-by: slin14 <shuicheng.lin@intel.com>
The standard kernel includes a public IMA certificate
that does not match the development signing key.
This modification simply updates the certificate
with the proper version.
Closes-Bug: #1797204
Change-Id: Ic085ad0c1c4527e31efa96906475f79701d8fb79
Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
Story: 2003596
Task: 24917
Depends-On: https://review.openstack.org/601202
Since the related rpm is also upgraded, it is no longer necessary to
downgrade the linux-firmware and compiler dependencies
Change-Id: I9e535f95d18f3db8b4b9c4375504e82c4597d697
Signed-off-by: slin14 <shuicheng.lin@intel.com>
Story: 2003596
Task: 26354
Depends-On: https://review.openstack.org/601202
No longer necessary to downgrade the linux-firmware and compiler dependencies
Change-Id: I23ae86b523ef0d8a25c0a1fed141393efad02b69
Signed-off-by: slin14 <shuicheng.lin@intel.com>
Problem:
The kernel is sporadically reporting build failures due to
'no space on device' when compiled in a 10 GB tmpfs.
Solution:
Two parts:
1) Increase the required size to 11 GB in build_srpm.data.
2) Modify the build system to allow allocation of an 11 GB tmpfs.
Change-Id: I48aeff586f71ee5000a99354e33d199a38afec9e
Story: 2002835
Task: 24519
Signed-off-by: Scott Little <scott.little@windriver.com>
The IEEE 1588 standard defines a method to precisely
synchronize distributed clocks over Ethernet networks. The
standard defines a Precision Time Protocol (PTP), which can
be used to achieve synchronization within a few dozen
microseconds. In addition, with the help of special hardware
time stamping units, it can be possible to achieve
synchronization to within a few hundred nanoseconds.
Story: 2002935
Task: 22922
Change-Id: Ibb4e9b8f61198c88d3aaec02f441574b580afdd7
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
The kernel update to CentOS 7.5 versions is to be paired with updated
out-of-tree kernel modules, mostly for compilation purposes.
Depends-On: https://review.openstack.org/580689
Change-Id: Ie947ad4b2b4bc88d06f454a36eef0a787d23f289
Signed-off-by: Jason McKenna <jason.mckenna@windriver.com>
Story: 2002761
Task: 22841
Signed-off-by: Scott Little <scott.little@windriver.com>
Before open-sourcing these patches, a kernel revision different
from the one available upstream was used. This change recreates
the patches to use a valid revision.
Story: 2002964
Task: 22967
Change-Id: I424e928571ded42d2b768e1dbb1f87e8fb9aa847
Required-By: https://review.openstack.org/#/c/583016/
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Signed-off-by: Scott Little <scott.little@windriver.com>
The original TPM patches were applied to a modified version of
the TPM module. After the download of tarballs was enabled this
patch started to fail. This patch fixes the problem by using the
upstream code to apply the patch.
Story: 2002945
Task: 22938
Depends-On: https://review.openstack.org/581915
Change-Id: I54d1a4655cd0dec84b6fb6d1bd2bc83e0d068c5c
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Signed-off-by: Scott Little <scott.little@windriver.com>
The kernel update to CentOS 7.5 versions is to be paired with updated
out-of-tree kernel modules, mostly for compilation purposes.
Depends-On: https://review.openstack.org/580689
Change-Id: Ibe2027f802c47d75e543e9458931c0e0a714a93d
Signed-off-by: Jason McKenna <jason.mckenna@windriver.com>
Story: 2002761
Task: 22841
Signed-off-by: Scott Little <scott.little@windriver.com>