[El-errata] ELSA-2018-1854 Important: Oracle Linux 6 kernel security and bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Jun 26 13:19:28 PDT 2018

Oracle Linux Security Advisory ELSA-2018-1854


The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:




Description of changes:

- Update genkey [bug 25599697]

- [powerpc] 64s: Add support for a store forwarding barrier at kernel 
entry/exit (Mauricio Oliveira) [1581053] {CVE-2018-3639}
- [x86] amd: Disable AMD SSBD mitigation in a VM (Waiman Long) [1580360]
- [x86] spec_ctrl: Fix late microcode problem with AMD (Waiman Long) 
[1566899] {CVE-2018-3639}
- [x86] spec_ctrl: Clean up entry code & remove unused APIs (Waiman 
Long) [1566899] {CVE-2018-3639}
- [x86] spec_ctrl: Mask off SPEC_CTRL MSR bits that are managed by 
kernel (Waiman Long) [1566899] {CVE-2018-3639}
- [x86] spec_ctrl: add support for SSBD to RHEL IBRS entry/exit macros 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] bugs: Rename _RDS to _SSBD (Waiman Long) [1566899] {CVE-2018-3639}
- [x86] speculation: Add prctl for Speculative Store Bypass mitigation 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] process: Allow runtime control of Speculative Store Bypass 
(Waiman Long) [1566899] {CVE-2018-3639}
- [kernel] prctl: Add speculation control prctls (Waiman Long) [1566899] 
- [x86] kvm: Expose the RDS bit to the guest (Waiman Long) [1566899] 
- [x86] bugs/AMD: Add support to disable RDS on Fam(15, 16, 17)h if 
requested (Waiman Long) [1566899] {CVE-2018-3639}
- [x86] spec_ctrl: Sync up RDS setting with IBRS code (Waiman Long) 
[1566899] {CVE-2018-3639}
- [x86] bugs: Provide boot parameters for the spec_store_bypass_disable 
mitigation (Waiman Long) [1566899] {CVE-2018-3639}
- [x86] bugs: Expose the /sys/../spec_store_bypass and 
X86_BUG_SPEC_STORE_BYPASS (Waiman Long) [1566899] {CVE-2018-3639}
- [x86] bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] spec_ctrl: Use separate PCP variables for IBRS entry and exit 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] cpu/intel: Knight Mill and Moorefield update to intel-family.h 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] speculation: Update Speculation Control microcode blacklist 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] cpufeatures: Clean up Spectre v2 related CPUID flags (Waiman 
Long) [1566899] {CVE-2018-3639}
- [x86] cpufeatures: Add AMD feature bits for Speculation Control 
(Waiman Long) [1566899] {CVE-2018-3639}
- [x86] cpufeatures: Add Intel feature bits for Speculation (Waiman 
Long) [1566899] {CVE-2018-3639}
- [x86] cpufeatures: Add CPUID_7_EDX CPUID leaf (Waiman Long) [1566899] 
- [x86] cpu: Fill in feature word 13, CPUID_8000_0008_EBX (Waiman Long) 
[1566899] {CVE-2018-3639}
- [x86] Extend RH cpuinfo to 10 extra words (Waiman Long) [1566899] 
- [x86] invpcid: Enable 'noinvpcid' boot parameter for X86_32 (Waiman 
Long) [1560494]
- [x86] dumpstack_32: Fix kernel panic in dump_trace (Waiman Long) [1577351]
- [fs] gfs2: For fs_freeze, do a log flush and flush the ail1 list 
(Robert S Peterson) [1569148]
- [net] dccp: check sk for closed state in dccp_sendmsg() (Stefano 
Brivio) [1576586] {CVE-2018-1130}
- [net] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped 
(Stefano Brivio) [1576586] {CVE-2018-1130}

- [x86] vm86-32: Properly set up vm86-32 stack for task switching 
(Waiman Long) [1572865]
- [x86] spec_ctrl: Enable IBRS and RSB stuffing in 32-bit interrupts 
(Waiman Long) [1571362]
- [x86] entry/32: Fix regressions in 32-bit debug exception (Waiman 
Long) [1571362]

- [x86] kpti/kexec: fix wrong page address in clear_page (Dave Young) 
- [fs] fix WARNING in rmdir() (Miklos Szeredi) [1282117]
- [net] sctp: label accepted/peeled off sockets (Marcelo Leitner) [1571357]
- [net] security: export security_sk_clone (Marcelo Leitner) [1571357]

- [md] dm thin: fix regression that caused discards to be disabled if 
passdown was (Mike Snitzer) [1569377]
- [s390] configs: enable auto expoline support (Hendrik Brueckner) [1554959]
- [s390] correct nospec auto detection init order (Hendrik Brueckner) 
- [s390] add sysfs attributes for spectre (Hendrik Brueckner) [1554959]
- [s390] report spectre mitigation via syslog (Hendrik Brueckner) [1554959]
- [s390] add automatic detection of the spectre defense (Hendrik 
Brueckner) [1554959]
- [s390] move nobp parameter functions to nospec-branch.c (Hendrik 
Brueckner) [1554959]
- [s390] do not bypass BPENTER for interrupt system calls (Hendrik 
Brueckner) [1554959]
- [s390] Replace IS_ENABLED(EXPOLINE_*) with 
IS_ENABLED(CONFIG_EXPOLINE_*) (Hendrik Brueckner) [1554959]
- [s390] introduce execute-trampolines for branches (Hendrik Brueckner) 
- [s390] run user space and KVM guests with modified branch prediction 
(Hendrik Brueckner) [1554959]
- [s390] add optimized array_index_mask_nospec (Hendrik Brueckner) [1554959]
- [s390] scrub registers on kernel entry and KVM exit (Hendrik 
Brueckner) [1554959]
- [s390] align and prepare spectre mitigation for upstream commits 
(Hendrik Brueckner) [1554959]
- [x86] xen: do not use xen_info on HVM, set pv_info name to "Xen HVM" 
(Vitaly Kuznetsov) [1568241]
- [net] sctp: verify size of a new chunk in _sctp_make_chunk() (Stefano 
Brivio) [1551908] {CVE-2018-5803}

- [fs] fuse: fix punching hole with unaligned end (Miklos Szeredi) 
[1387473] {CVE-2017-15121}
- [documentation] kdump: fix documentation about panic_on_warn to match 
rhel6 (Pingfan Liu) [1555196]
- [fs] Provide sane values for nlink (Leif Sahlberg) [1554342]

- [powerpc] pseries: Restore default security feature flags on setup 
(Mauricio Oliveira) [1561788]
- [powerpc] Move default security feature flags (Mauricio Oliveira) 
- [powerpc] pseries: Fix clearing of security feature flags (Mauricio 
Oliveira) [1561788]
- [powerpc] 64s: Wire up cpu_show_spectre_v2() (Mauricio Oliveira) [1561788]
- [powerpc] 64s: Wire up cpu_show_spectre_v1() (Mauricio Oliveira) [1561788]
- [powerpc] pseries: Use the security flags in pseries_setup_rfi_flush() 
(Mauricio Oliveira) [1561788]
- [powerpc] 64s: Enhance the information in cpu_show_meltdown() 
(Mauricio Oliveira) [1561788]
- [powerpc] 64s: Move cpu_show_meltdown() (Mauricio Oliveira) [1561788]
- [powerpc] pseries: Set or clear security feature flags (Mauricio 
Oliveira) [1561788]
- [powerpc] Add security feature flags for Spectre/Meltdown (Mauricio 
Oliveira) [1561788]
- [powerpc] pseries: Add new H_GET_CPU_CHARACTERISTICS flags (Mauricio 
Oliveira) [1561788]
- [lib] seq: Add seq_buf_printf() (Mauricio Oliveira) [1561788]
- [powerpc] rfi-flush: Call setup_rfi_flush() after LPM migration 
(Mauricio Oliveira) [1561786]
- [powerpc] rfi-flush: Differentiate enabled and patched flush types 
(Mauricio Oliveira) [1561786]
- [powerpc] rfi-flush: Always enable fallback flush on pseries (Mauricio 
Oliveira) [1561786]
- [powerpc] rfi-flush: Make it possible to call setup_rfi_flush() again 
(Mauricio Oliveira) [1561786]
- [powerpc] rfi-flush: Move the logic to avoid a redo into the debugfs 
code (Mauricio Oliveira) [1561786]
- [x86] pti/32: Don't use trampoline stack on Xen PV (Waiman Long) [1562725]
- [x86] pti: Use boot_cpu_has(X86_FEATURE_PTI_SUPPORT) for early call 
sites (Waiman Long) [1562725]
- [x86] pti: Set X86_FEATURE_PTI_SUPPORT early (Waiman Long) [1562725]
- [x86] pti: Rename X86_FEATURE_NOPTI to X86_FEATURE_PTI_SUPPORT (Waiman 
Long) [1562725]
- [x86] pti/32: Fix setup_trampoline_page_table() bug (Waiman Long) 
- [x86] entry: Remove extra argument in call instruction (Waiman Long) 
- [x86] syscall: Fix ia32_ptregs handling bug in 64-bit kernel (Waiman 
Long) [1557562 1562552]
- [x86] efi/64: Align efi_pgd on even page boundary (Waiman Long) [1558845]
- [x86] pgtable/pae: Revert "Use separate kernel PMDs for user 
page-table" (Waiman Long) [1558845]
- [x86] pgtable/pae: Revert "Unshare kernel PMDs when PTI is enabled" 
(Waiman Long) [1558845]
- [x86] mm: Dump both kernel & user page tables at fault (Waiman Long) 
- [x86] entry/32: Fix typo in PARANOID_EXIT_TO_KERNEL_MODE (Waiman Long) 

- [mm] fold arch_randomize_brk into ARCH_HAS_ELF_RANDOMIZE (Bhupesh 
Sharma) [1494380]
- [mm] brk: fix min_brk lower bound computation for COMPAT_BRK (Bhupesh 
Sharma) [1494380]
- [mm] split ET_DYN ASLR from mmap ASLR (Bhupesh Sharma) [1494380]
- [s390] redefine randomize_et_dyn for ELF_ET_DYN_BASE (Bhupesh Sharma) 
- [mm] expose arch_mmap_rnd when available (Bhupesh Sharma) [1494380]
- [s390] standardize mmap_rnd() usage (Bhupesh Sharma) [1494380]
- [s390] mmap: randomize mmap base for bottom up direction (Bhupesh 
Sharma) [1494380]
- [powerpc] standardize mmap_rnd() usage (Bhupesh Sharma) [1494380]
- [x86] standardize mmap_rnd() usage (Bhupesh Sharma) [1494380]
- [fs] binfmt_elf: create Kconfig variable for PIE randomization 
(Bhupesh Sharma) [1494380]
- [fs] binfmt_elf: PIE: make PF_RANDOMIZE check comment more accurate 
(Bhupesh Sharma) [1494380]
- [fs] binfmt_elf: fix PIE execution with randomization disabled 
(Bhupesh Sharma) [1494380]
- [acpi] acpica: Support calling _REG methods within ACPI interpreter 
(Lenny Szubowicz) [1522849]
- [acpi] acpica: Function to test if ACPI interpreter already entered 
(Lenny Szubowicz) [1522849]
- [acpi] acpica: Function to test if ACPI mutex held by this thread 
(Lenny Szubowicz) [1522849]

- [fs] gfs2: Check for the end of metadata in trunc_dealloc (Robert S 
Peterson) [1559928]
- [fs] gfs2: clear journal live bit in gfs2_log_flush (Robert S 
Peterson) [1559928]
- [netdrv] vmxnet3: fix tx data ring copy for variable size (Neil 
Horman) [1530378]
- [mm] account skipped entries to avoid looping in find_get_pages (Dave 
Wysochanski) [1559386]
- [powerpc] pseries: Support firmware disable of RFI flush (Mauricio 
Oliveira) [1554631]
- [powerpc] pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper 
(Mauricio Oliveira) [1554631]
- [powerpc] 64s: Allow control of RFI flush via debugfs (Mauricio 
Oliveira) [1554630]
- [powerpc] 64s: Improve RFI L1-D cache flush fallback (Mauricio 
Oliveira) [1554630]
- [powerpc] 64s: Wire up cpu_show_meltdown() (Mauricio Oliveira) [1554630]

- [dm] fix race between dm_get_from_kobject() and __dm_destroy() (Mike 
Snitzer) [1551999] {CVE-2017-18203}
- [x86] pti: Disable kaiser_add_mapping if X86_FEATURE_NOPTI (Waiman 
Long) [1557562]
- [x86] irq/ioapic: Check for valid irq_cfg pointer in 
smp_irq_move_cleanup_interrupt (Waiman Long) [1550599] {CVE-2017-5754}
- [x86] kexec/64: Clear control page after PGD init (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] efi/64: Fix potential PTI data corruption problem (Waiman Long) 
[1550599] {CVE-2017-5754}
- [ipmi] pick up slave address from SMBIOS on an ACPI device (Tony 
Camuso) [1484525]
- [ipmi] fix watchdog timeout set on reboot (Tony Camuso) [1484525]
- [ipmi] fix watchdog hang on panic waiting for ipmi response (Tony 
Camuso) [1484525]
- [ipmi] use smi_num for init_name (Tony Camuso) [1484525]
- [ipmi] move platform device creation earlier in the initialization 
(Tony Camuso) [1484525]
- [ipmi] clean up printks (Tony Camuso) [1484525]
- [ipmi] cleanup error return (Tony Camuso) [1484525]
- [md] raid0: apply base queue limits *before* disk_stack_limits (Xiao 
Ni) [1417294]
- [md] raid0: update queue parameter in a safer location (Xiao Ni) [1417294]
- [md] raid0: conditional mddev->queue access to suit dm-raid (Xiao Ni) 
- [md] raid0: access mddev->queue (request queue member) conditionally 
because it is not set when accessed from dm-raid (Xiao Ni) [1417294]

- [x86] pti/mm: Fix machine check with PTI on old AMD CPUs (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] pti/mm: Enable PAGE_GLOBAL if not affected by Meltdown (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] retpoline: Avoid retpolines for built-in __init functions 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] kexec/32: Allocate 8k PGD for PTI (Waiman Long) [1550599] 
- [x86] spec_ctrl: Patch out lfence on old 32-bit CPUs (Waiman Long) 
[1550599] {CVE-2017-5754}
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic 
fixup (Jarod Wilson) [1548432] {CVE-2017-13166}
- [scsi] lpfc: Fix crash from memory alloc at interrupt level with 
GFP_KERNEL set (Dick Kennedy) [1540706]

- [dm] io: fix duplicate bio completion due to missing ref count 
(Mikulas Patocka) [1334224]
- [fs] gfs2: Reduce contention on gfs2_log_lock (Robert S Peterson) 
- [fs] gfs2: Inline function meta_lo_add (Robert S Peterson) [1399822]
- [fs] gfs2: Switch tr_touched to flag in transaction (Robert S 
Peterson) [1399822]

- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic 
(Jarod Wilson) [1548432] {CVE-2017-13166}
- [kernel] cgroup: initialize xattr before calling d_instantiate() 
(Aristeu Rozanski) [1533523]
- [fs] ext*: Don't clear SGID when inheriting ACLs (Andreas Grunbacher) 
- [fs] gfs2: writeout truncated pages (Robert S Peterson) [1331076]
- [fs] export __block_write_full_page (Robert S Peterson) [1331076]
- [scsi] mark queue as PREEMPT_ONLY before setting quiesce (Ming Lei) 
- [block] call blk_queue_enter() before allocating request (Ming Lei) 
- [block] introduce blk_queue_enter() (Ming Lei) [1462959]
- [mm] shmem: replace_page must flush_dcache and others (Waiman Long) 
- [mm] shmem: replace page if mapping excludes its zone (Waiman Long) 
- [x86] cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 
microcodes (Waiman Long) [1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Enable IBRS processing on kernel entries & exits 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Stuff RSB on kernel entry (Waiman Long) [1550599] 
- [x86] pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32 (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] pti/32: Add a PAE specific version of __pti_set_user_pgd (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] mm/dump_pagetables: Support PAE page table dumping (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Use separate kernel PMDs for user page-table 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] mm/pae: Populate valid user PGD entries (Waiman Long) [1550599] 
- [x86] pti: Enable x86-32 for kaiser.c (Waiman Long) [1550599] 
- [x86] pti: Disable PCID handling in x86-32 TLB flushing code (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] pgtable: Disable user PGD poisoning for PAE (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] pgtable: Move more PTI functions out of pgtable_64.h (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] pgtable: Move pgdp kernel/user conversion functions to pgtable.h 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] pgtable/32: Allocate 8k page-tables when PTI is enabled (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Unshare kernel PMDs when PTI is enabled (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] entry/32: Handle debug exception similar to NMI (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switch to non-NMI entry/exit points 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switches to NMI handler code (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] entry/32: Enable the use of trampoline stack (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Change INT80 to be an interrupt gate (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Handle Entry from Kernel-Mode on Entry-Stack (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] entry/32: Leave the kernel via trampoline stack (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Enter the kernel via trampoline stack (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Restore segments before int registers (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Split off return-to-kernel path (Waiman Long) 
[1550599] {CVE-2017-5754}
- [x86] entry/32: Unshare NMI return path (Waiman Long) [1550599] 
- [x86] entry/32: Put ESPFIX code into a macro (Waiman Long) [1550599] 
- [x86] entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] entry/32: Rename TSS_sysenter_sp0 to TSS_entry_stack (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] pti: Add X86_FEATURE_NOPTI to permanently disable PTI (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] entry/32: Simplify and fix up the SYSENTER stack #DB/NMI fixup 
(Waiman Long) [1550599] {CVE-2017-5754}
- [x86] doublefault: Set the right gs register for doublefault (Waiman 
Long) [1550599] {CVE-2017-5754}
- [x86] syscall: int80 must not clobber r12-15 (Waiman Long) [1550599] 
- [x86] syscall: change ia32_syscall() to create the full register frame 
in ia32_do_call() (Waiman Long) [1550599] {CVE-2017-5754}
- [x86] cve: Make all Meltdown/Spectre percpu variables available to 
x86-32 (Waiman Long) [1550599] {CVE-2017-5754}

- [mm] prevent /proc/sys/vm/percpu_pagelist_fraction divide-by-zero 
(Dave Anderson) [1405879]
- [fs] proc: Resolve performance issues with multiple /proc/stat reads 
(Prarit Bhargava) [1544565]
- [fs] nfs: fix pnfs direct write memory leak (Scott Mayhew) [1536900]
- [fs] dcache: prevent multiple shrink_dcache_parent() on the same 
dentry (Miklos Szeredi) [1269288]
- [fs] fifo: do not restart open() if it already found a partner (Miklos 
Szeredi) [1482983]
- [audit] reinstate check for failed execve (Denys Vlasenko) [1488822]
- [perf] x86/intel/uncore: Make PCI and MSR uncore independent (Jiri 
Olsa) [1427324]
- [perf] fix perf_event_comm() vs. exec() assumption (Jiri Olsa) [1478980]
- [lib] prevent BUG in kfree() due to memory exhaustion in 
__sg_alloc_table() (Larry Woodman) [1454453]
- [kernel] sched/core: Rework rq->clock update skips (Lauro Ramos 
Venancio) [1212959]
- [kernel] sched: Remove useless code in yield_to() (Lauro Ramos 
Venancio) [1212959]
- [kernel] sched: Set skip_clock_update in yield_task_fair() (Lauro 
Ramos Venancio) [1212959]
- [kernel] sched, rt: Update rq clock when unthrottling of an otherwise 
idle CPU (Lauro Ramos Venancio) [1212959]
- [kernel] lockdep: Fix lock_is_held() on recursion (Lauro Ramos 
Venancio) [1212959]
- [x86] skip check for spurious faults for non-present faults (Daniel 
Vacek) [1495167]
- [x86] mm: Fix boot crash caused by incorrect loop count calculation in 
sync_global_pgds() (Daniel Vacek) [1495167]
- [fs] gfs2: Defer deleting inodes under memory pressure (Andreas 
Grunbacher) [1255872]
- [fs] gfs2: gfs2_clear_inode, gfs2_delete_inode: Put glocks 
asynchronously (Andreas Grunbacher) [1255872]
- [fs] gfs2: Get rid of gfs2_set_nlink (Andreas Grunbacher) [1255872]
- [fs] add set_nlink() (Andreas Grunbacher) [1255872]
- [fs] gfs2: gfs2_glock_get: Wait on freeing glocks (Andreas Grunbacher) 
- [fs] gfs2: gfs2_create_inode: Keep glock across iput (Andreas 
Grunbacher) [1255872]
- [fs] gfs2: Clean up glock work enqueuing (Andreas Grunbacher) [1255872]
- [fs] gfs2: Protect gl->gl_object by spin lock (Andreas Grunbacher) 
- [fs] gfs2: Get rid of flush_delayed_work in gfs2_clear_inode (Andreas 
Grunbacher) [1255872]
- [fs] revert "gfs2: Wait for iopen glock dequeues" (Andreas Grunbacher) 
- [fs] gfs2: Fixup to "Clear gl_object if gfs2_create_inode fails" 
(Andreas Grunbacher) [1506281]
- [scsi] dual scan thread bug fix (Ewan Milne) [1508512]
- [scsi] fix our current target reap infrastructure (Ewan Milne) [1508512]
- [scsi] bnx2fc: Fix check in SCSI completion handler for timed out 
request (Chad Dupuis) [1538168]

- [net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff 
(Florian Westphal) [1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: fix handling of malformed TCP header and 
options (Florian Westphal) [1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: SYN packets are allowed to contain data 
(Florian Westphal) [1543091] {CVE-2017-18017}
- [net] sctp: return error if the asoc has been peeled off in 
sctp_wait_for_sndbuf (Hangbin Liu) [1470559]
- [net] sctp: use the right sk after waking up from wait_buf sleep 
(Hangbin Liu) [1470559]
- [net] sctp: do not free asoc when it is already dead in sctp_sendmsg 
(Hangbin Liu) [1470559]
- [net] packet: Allow packets with only a header (but no payload) 
(Lorenzo Bianconi) [1535024]
- [net] packet: make packet too small warning match condition (Lorenzo 
Bianconi) [1535024]
- [net] packet: bail out of packet_snd() if L2 header creation fails 
(Lorenzo Bianconi) [1535024]
- [net] packet: make packet_snd fail on len smaller than l2 header 
(Lorenzo Bianconi) [1535024]
- [net] bonding: discard lowest hash bit for 802.3ad layer3+4 (Hangbin 
Liu) [1532167]
- [net] revert "net: use lib/percpu_counter API for fragmentation mem 
accounting" (Jesper Brouer) [1508504]
- [scsi] lpfc: fix pci hot plug crash in list_add call (Dick Kennedy) 
- [scsi] hpsa: update driver version (Joseph Szczypek) [1541517]
- [scsi] hpsa: correct resets on retried commands (Joseph Szczypek) 
- [scsi] hpsa: rescan later if reset in progress (Joseph Szczypek) [1541517]

- [x86] retpoline/hyperv: Convert assembler indirect jumps (Waiman Long) 
- [x86] spec_ctrl: Upgrade GCC retpoline warning to an error for brew 
builds (Waiman Long) [1535645]
- [x86] retpoline: Don't use kernel indirect thunks in vsyscalls (Waiman 
Long) [1535645]
- [x86] spec_ctrl: Add a read-only retp_enabled debugfs knob (Waiman 
Long) [1535645]
- [x86] spec_ctrl: detect unretpolined modules (Waiman Long) [1535645]
- [x86] retpoline/ACPI: Convert indirect jump in wakeup code (Waiman 
Long) [1535645]
- [x86] retpoline/efi: Convert stub indirect calls & jumps (Waiman Long) 
- [watchdog] hpwdt: remove indirect call in drivers/watchdog/hpwdt.c 
(Waiman Long) [1535645]
- [x86] spec_ctrl: cleanup __ptrace_may_access (Waiman Long) [1535645]
- [x86] bugs: Drop one "mitigation" from dmesg (Waiman Long) [1535645]
- [x86] spec_ctrl: fix ptrace IBPB optimization (Waiman Long) [1535645]
- [x86] spec_ctrl: Avoid returns in IBRS-disabled regions (Waiman Long) 
- [x86] spectre/meltdown: avoid the vulnerability directory to weaken 
kernel security (Waiman Long) [1535645]
- [x86] spec_ctrl: Update spec_ctrl.txt and kernel-parameters.txt 
(Waiman Long) [1535645]
- [x86] Use IBRS for firmware update path (Waiman Long) [1535645]
- [x86] spec_ctrl: stuff RSB on context switch with SMEP enabled (Waiman 
Long) [1535645]
- [x86] spec_ctrl: use upstream RSB stuffing function (Waiman Long) 
- [x86] spec_ctrl: add ibrs_enabled=3 (ibrs_user) (Waiman Long) [1535645]
- [x86] spec_ctrl: Integrate IBRS with retpoline (Waiman Long) [1535645]
- [x86] spec_ctrl: print features changed by microcode loading (Waiman 
Long) [1535645]
- [x86] spec_ctrl: refactor the init and microcode loading paths (Waiman 
Long) [1535645]
- [x86] spec_ctrl: move initialization of X86_FEATURE_IBPB_SUPPORT 
(Waiman Long) [1535645]
- [x86] spec_ctrl: remove SPEC_CTRL_PCP_IBPB bit (Waiman Long) [1535645]
- [x86] spec_ctrl: remove ibrs_enabled variable (Waiman Long) [1535645]
- [x86] spec_ctrl: add ibp_disabled variable (Waiman Long) [1535645]
- [x86] spec_ctrl: add X86_FEATURE_IBP_DISABLE (Waiman Long) [1535645]
- [x86] spec_ctrl: remove IBP disable for AMD model 0x16 (Waiman Long) 
- [x86] spec_ctrl: remove performance measurements from documentation 
(Waiman Long) [1535645]
- [x86] spec_ctrl: make ipbp_enabled read-only (Waiman Long) [1535645]
- [x86] spec_ctrl: remove ibpb_enabled=2 mode (Waiman Long) [1535645]
- [x86] spec_ctrl: Enable spec_ctrl functions for x86-32 (Waiman Long) 
- [x86] spec_ctrl: move vmexit rmb in the last branch before IBRS 
(Waiman Long) [1535645]
- [x86] spec_ctrl: satisfy the barrier like semantics of IBRS (Waiman 
Long) [1535645]
- [x86] spectre_v1: Mark it as mitigated (Waiman Long) [1535645]
- [x86] pti: Do not enable PTI on CPUs which are not vulnerable to 
Meltdown (Waiman Long) [1535645]
- [x86] mce: Make machine check speculation protected (Waiman Long) 
- [x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros 
(Waiman Long) [1535645]
- [x86] retpoline: Fill return stack buffer on vmexit (Waiman Long) 
- [x86] retpoline/irq32: Convert assembler indirect jumps (Waiman Long) 
- [x86] retpoline/checksum32: Convert assembler indirect jumps (Waiman 
Long) [1535645]
- [x86] retpoline/entry: Convert entry assembler indirect (Waiman Long) 
- [x86] retpoline/crypto: Convert crypto assembler indirect jumps 
(Waiman Long) [1535645]
- [x86] spectre: Add boot time option to select Spectre v2 mitigation 
(Waiman Long) [1535645]
- [x86] retpoline: Add initial retpoline support (Waiman Long) [1535645]
- [x86] cpu: Implement CPU vulnerabilities sysfs functions (Waiman Long) 
- [base] sysfs/cpu: Add vulnerability folder (Waiman Long) [1535645]
- [x86] cpufeatures: Add X86_BUG_SPECTRE_V(12) (Waiman Long) [1535645]
- [x86] pti: Add the pti= cmdline option and documentation (Waiman Long) 
- [x86] cpufeatures: Add X86_BUG_CPU_MELTDOWN (Waiman Long) [1535645]
Long) [1535645]
- [x86] cpu: Expand cpufeature facility to include cpu bugs (Waiman 
Long) [1535645]
- [x86] cpu: Merge bugs.c and bugs_64.c (Waiman Long) [1535645]
- [x86] cpu/intel: Introduce macros for Intel family numbers (Waiman 
Long) [1535645]
- [x86] alternatives: Add missing 'n' at end of ALTERNATIVE inline asm 
(Waiman Long) [1535645]
- [x86] alternatives: Fix alt_max_short macro to really be a max() 
(Waiman Long) [1535645]
- [x86] asm: Make asm/alternative.h safe from assembly (Waiman Long) 
- [x86] alternatives: Document macros (Waiman Long) [1535645]
- [x86] alternatives: Fix ALTERNATIVE_2 padding generation properly 
(Waiman Long) [1535645]
- [x86] alternatives: Add instruction padding (Waiman Long) [1535645]
- [x86] alternative: Add header guards to asm/alternative-asm.h (Waiman 
Long) [1535645]
- [x86] alternative: Use .pushsection/.popsection (Waiman Long) [1535645]
- [x86] copy_user_generic: Optimize copy_user_generic with CPU erms 
feature (Waiman Long) [1535645]
- [x86] Make .altinstructions bit size neutral (Waiman Long) [1535645]

- [powerpc] spinlock: add gmb memory barrier (Mauricio Oliveira) [1538543]
- [powerpc] prevent Meltdown attack with L1-D$ flush (Mauricio Oliveira) 
- [s390] vtime: turn BP on when going idle (Hendrik Brueckner) [1538542]
- [s390] cpuinfo: show facilities as reported by stfle (Hendrik 
Brueckner) [1538542]
- [s390] kconfigs: turn off SHARED_KERNEL support for s390 (Hendrik 
Brueckner) [1538542]
- [s390] add ppa to system call and program check path (Hendrik 
Brueckner) [1538542]
- [s390] spinlock: add gmb memory barrier (Hendrik Brueckner) [1538542]
- [s390] introduce CPU alternatives (Hendrik Brueckner) [1538542]

- [x86] pti: Rework the trampoline stack switching code (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] pti: Disable interrupt before trampoline stack switching (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] pti/mm: Fix trampoline stack problem with XEN PV (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] kaiser/efi: unbreak tboot (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: Fix XEN PV boot failure (Waiman Long) [1519802] 
- [x86] entry: Invoke TRACE_IRQS_IRETQ in paranoid_userspace_restore_all 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] spec_ctrl: show added cpuid flags in /proc/cpuinfo after late 
microcode update (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas 
functional (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: enable IBRS and stuff_RSB before calling NMI C code 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: skip CAP_SYS_PTRACE check to skip audit (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] spec_ctrl: disable ibrs while in intel_idle() (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] spec_ctrl: skip IBRS/CR3 restore when paranoid exception returns 
to userland (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] Revert "entry: Use retpoline for syscall's indirect calls" 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] mm/dump_pagetables: Allow dumping current pagetables (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm/dump_pagetables: Add a pgd argument to walk_pgd_level() 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/dump_pagetables: Add page table directory (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] entry: Remove unneeded nmi_userspace code (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] entry: Fix nmi exit code with CONFIG_TRACE_IRQFLAGS (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED 
per-cpu section (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: Clear kdump pgd page to prevent incorrect behavior 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: consider the init_mm.pgd a kaiser pgd (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: convert userland visible "kpti" name to "pti" (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] spec_ctrl: set IBRS during resume from RAM if ibrs_enabled is 2 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] mm/kaiser: __load_cr3 in resume from RAM after kernel gs has 
been restored (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] mm/kaiser: Revert the __GFP_COMP flag change (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] entry: Fix paranoid_exit() trampoline clobber (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] spec_ctrl: allow use_ibp_disable only if both SPEC_CTRL and 
IBPB_SUPPORT are missing (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: Documentation spec_ctrl.txt (Waiman Long) [1519796] 
- [x86] spec_ctrl: remove irqs_disabled() check from intel_idle() 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: use enum when setting ibrs/ibpb_enabled (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] spec_ctrl: undo speculation barrier for ibrs_enabled and 
noibrs_cmdline (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: introduce ibpb_enabled = 2 for IBPB instead of IBRS 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: introduce SPEC_CTRL_PCP_ONLY_IBPB (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] spec_ctrl: cleanup s/flush/sync/ naming when sending IPIs 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: set IBRS during CPU init if in ibrs_enabled == 2 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: use IBRS_ENABLED instead of 1 (Waiman Long) [1519796] 
- [x86] spec_ctrl: allow the IBP disable feature to be toggled at 
runtime (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: always initialize save_reg in 
ENABLE_IBRS_SAVE_AND_CLOBBER (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: ibrs_enabled() is expected to return > 1 (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on syscall (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] entry: Add back STUFF_RSB to interrupt and error paths (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] mm/kaiser: make is_kaiser_pgd reliable (Waiman Long) [1519802] 
- [x86] mm/kaiser: disable global pages by default with KAISER (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] Revert "mm/kaiser: Disable global pages by default with KAISER" 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] kaiser/mm: fix pgd freeing in error path (Waiman Long) [1519802] 
- [x86] entry: Fix 32-bit program crash with 64-bit kernel on AMD boxes 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: reload spec_ctrl cpuid in all microcode load paths 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: add noibrs noibpb boot options (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] entry: Use retpoline for syscall's indirect calls (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on 32-bit compatible 
syscall entrance (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: rescan cpuid after a late microcode update (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] spec_ctrl: consolidate the spec control boot detection (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] Remove __cpuinitdata from some data & function (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Waiman Long) [1519796] 
- [x86] entry: Remove STUFF_RSB in error and interrupt code (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] mm: Only set IBPB when the new thread cannot ptrace (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] mm: Set IBPB upon context switch (Waiman Long) [1519796] 
- [x86] idle: Disable IBRS when offlining cpu and re-enable (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: implement spec ctrl C methods (Waiman Long) [1519796] 
- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] enter: Use IBRS on syscall and interrupts (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cacheline 
(Waiman Long) [1519796] {CVE-2017-5715}
- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and 
ibrs (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] enter: MACROS to set/clear IBRS and set IBPB (Waiman Long) 
[1519796] {CVE-2017-5715}
- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Waiman Long) 
[1519796] {CVE-2017-5715}
- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] svm: Set IBPB when running a different VCPU (Waiman Long) 
[1519796] {CVE-2017-5715}
- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Waiman Long) 
[1519796] {CVE-2017-5715}
- [kvm] vmx: Set IBPB when running a different VCPU (Waiman Long) 
[1519796] {CVE-2017-5715}
- [kvm] x86: clear registers on VM exit (Waiman Long) [1519796] 
- [x86] kvm: Pad RSB on VM transition (Waiman Long) [1519796] 
- [security] Add SPEC_CTRL Kconfig option (Waiman Long) [1519796] 
- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not 
available (Waiman Long) [1519796] {CVE-2017-5715}
- [x86] feature: Report presence of IBPB and IBRS control (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] feature: Enable the x86 feature to control Speculation (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] cpuid: Provide get_scattered_cpuid_leaf() (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] cpuid: Cleanup cpuid_regs definitions (Waiman Long) [1519796] 
- [x86] microcode: Share native MSR accessing variants (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] nop: Make the ASM_NOP* macros work from assembly (Waiman Long) 
[1519796] {CVE-2017-5715}
- [x86] cpu: Clean up and unify the NOP selection infrastructure (Waiman 
Long) [1519796] {CVE-2017-5715}
- [x86] entry: Further simplify the paranoid_exit code (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] entry: Remove trampoline check from paranoid entry path (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] entry: Don't switch to trampoline stack in paranoid_exit (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Waiman Long) 
[1519802] {CVE-2017-5754}
- [misc] locking/barriers: prevent speculative execution based on 
Coverity scan results (Waiman Long) [1519789] {CVE-2017-5753}
- [fs] udf: prevent speculative execution (Waiman Long) [1519789] 
- [fs] prevent speculative execution (Waiman Long) [1519789] {CVE-2017-5753}
- [scsi] qla2xxx: prevent speculative execution (Waiman Long) [1519789] 
- [netdrv] p54: prevent speculative execution (Waiman Long) [1519789] 
- [netdrv] carl9170: prevent speculative execution (Waiman Long) 
[1519789] {CVE-2017-5753}
- [media] uvcvideo: prevent speculative execution (Waiman Long) 
[1519789] {CVE-2017-5753}
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature 
(Waiman Long) [1519789] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Waiman Long) 
[1519789] {CVE-2017-5753}
- [kernel] locking/barriers: introduce new memory barrier gmb() (Waiman 
Long) [1519789] {CVE-2017-5753}
- [x86] Fix typo preventing msr_set/clear_bit from having an effect 
(Waiman Long) [1519789] {CVE-2017-5753}
- [x86] Add another set of MSR accessor functions (Waiman Long) 
[1519789] {CVE-2017-5753}
- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] kaiser/mm: fix RESTORE_CR3 crash in kaiser_stop_machine (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: use stop_machine for enable/disable knob (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] kaiser/mm: use atomic ops to poison/unpoison user pagetables 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID ASIDs (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: use two PCID ASIDs to optimize the TLB during enter/exit 
kernel (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: stop patching flush_tlb_single (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm: If INVPCID is available, use it to flush global mappings 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: use PCID feature to make user and kernel switches 
faster (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/64: Initialize CR4.PCIDE early (Waiman Long) [1519802] 
- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: validate trampoline stack (Waiman Long) [1519802] 
- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: isolate the user mapped per cpu areas (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: enable kaiser in build (Waiman Long) [1519802] 
- [x86] mm/kaiser: selective boot time defaults (Waiman Long) [1519802] 
- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen 
PV (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: add Kconfig (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: Respect disabled CPU features (Waiman Long) [1519802] 
- [x86] kaiser/mm: trampoline stack comments (Waiman Long) [1519802] 
- [x86] mm/kaiser: stack trampoline (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: re-enable vsyscalls (Waiman Long) [1519802] 
- [x86] mm/kaiser: allow to build KAISER with KASLR (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: un-poison PGDs at runtime (Waiman Long) [1519802] 
- [x86] mm/kaiser: add a function to check for KAISER being enabled 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: disable native VSYSCALL (Waiman Long) [1519802] 
- [x86] mm/kaiser: map virtually-addressed performance monitoring 
buffers (Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: add kprobes text section (Waiman Long) [1519802] 
- [x86] mm/kaiser: map trace interrupt entry (Waiman Long) [1519802] 
- [x86] mm/kaiser: map entry stack per-cpu areas (Waiman Long) [1519802] 
- [x86] mm/kaiser: map dynamically-allocated LDTs (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: make sure static PGDs are 8k in size (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: add cr3 switches to entry code (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/kaiser: remove scratch registers (Waiman Long) [1519802] 
- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm/kaiser: Disable global pages by default with KAISER (Waiman 
Long) [1519802] {CVE-2017-5754}
- [x86] mm: Document X86_CR4_PGE toggling behavior (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] increase robustness of bad_iret fixup handler (Waiman Long) 
[1519802] {CVE-2017-5754}
- [x86] mm: Check if PUD is large when validating a kernel address 
(Waiman Long) [1519802] {CVE-2017-5754}
- [x86] Separate out entry text section (Waiman Long) [1519802] 
- [include] linux/const.h: Add _BITUL() and _BITULL() (Waiman Long) 
[1519802] {CVE-2017-5754}
- [include] linux/mmdebug.h: add VM_WARN_ON() and VM_WARN_ON_ONCE() 
(Waiman Long) [1519802] {CVE-2017-5754}
- [include] stddef.h: Move offsetofend() from vfio.h to a generic kernel 
header (Waiman Long) [1519802] {CVE-2017-5754}

- [hv] netvsc: get rid of completion timeouts (Vitaly Kuznetsov) [1538592]
- [fs] gfs2: Special case the rindex in gfs2_write_alloc_required() 
(Andrew Price) [1384184]
- [scsi] scsi_dh_alua: fix race condition that causes multipath to hang 
(Mike Snitzer) [1500192]
- [virtio] virtio-pci: fix leaks of msix_affinity_masks (Jason Wang) 
- [fs] sunrpc: avoid warning in gss_key_timeout (J. Bruce Fields) [1456594]
- [fs] sunrpc: fix RCU handling of gc_ctx field (J. Bruce Fields) [1456594]

- [drm] nouveau/disp/nv50-: execute supervisor on its own workqueue (Ben 
Skeggs) [1468825]
- [net] bluetooth: Prevent uninitialized data (Gopal Tiwari) [1519626] 
- [scsi] storvsc: do not assume SG list is continuous when doing bounce 
buffers (for 4.1 and prior) (Cathy Avery) [1533175]

- [x86] tighten /dev/mem with zeroing reads (Bruno Eduardo de Oliveira 
Meneguele) [1449676] {CVE-2017-7889}
- [char] /dev/mem: make size_inside_page() logic straight (Bruno Eduardo 
de Oliveira Meneguele) [1449676] {CVE-2017-7889}
- [char] /dev/mem: cleanup unxlate_dev_mem_ptr() calls (Bruno Eduardo de 
Oliveira Meneguele) [1449676] {CVE-2017-7889}
- [char] /dev/mem: introduce size_inside_page() (Bruno Eduardo de 
Oliveira Meneguele) [1449676] {CVE-2017-7889}
- [char] /dev/mem: remove redundant test on len (Bruno Eduardo de 
Oliveira Meneguele) [1449676] {CVE-2017-7889}
- [scsi] lpfc: Null pointer dereference when log_verbose is set to 
0xffffffff (Dick Kennedy) [1538340]

- [netdrv] bnx2x: prevent crash when accessing PTP with interface down 
(Michal Schmidt) [1518669]
- [hv] vss: Operation timeouts should match host expectation (Mohammed 
Gamal) [1511431]
- [hv] utils: reduce HV_UTIL_NEGO_TIMEOUT timeout (Mohammed Gamal) [1511431]
- [hv] utils: Check VSS daemon is listening before a hot backup 
(Mohammed Gamal) [1511431]
- [hv] utils: Continue to poll VSS channel after handling requests 
(Mohammed Gamal) [1511431]
- [md] dm: clear all discard attributes in queue_limits when discards 
are disabled (Mike Snitzer) [1433297]
- [md] dm: discard support requires all targets in a table support 
discards (Mike Snitzer) [1433297]
- [net] dccp: use-after-free in DCCP code (Stefano Brivio) [1520817] 
- [net] tcp: fix tcp_trim_head() (Paolo Abeni) [1274139]
- [net] sctp: fix src address selection if using secondary addresses for 
ipv6 (Xin Long) [1445919]
- [net] sctp: deny peeloff operation on asocs with threads sleeping on 
it (Hangbin Liu) [1470559]
- [net] sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Hangbin Liu) [1470559]
- [net] tcp: fix race during timewait sk creation (Florian Westphal) 

- [fs] sunrpc: Revert "sunrpc: always treat the invalid cache as 
unexpired" (Thiago Becker) [1532786]
- [net] dma: fix memory leak in dma_pin_iocvec_pages (Sabrina Dubroca) 
- [s390] qeth: check not more than 16 SBALEs on the completion queue 
(Hendrik Brueckner) [1520860]
- [s390] fix transactional execution control register handling (Hendrik 
Brueckner) [1520862]
- [mm] prevent concurrent unmap_mapping_range() on the same inode 
(Miklos Szeredi) [1408108]

- [mm] add cpu_relax() to "dont return 0 too early" patch (Ian Kent) 
- [mm] don't return 0 too early from find_get_pages() (Ian Kent) [988988]
- [crypto] cryptd: Add cryptd_max_cpu_qlen module parameter (Jon 
Maxwell) [1503322]
- [s390] cpcmd,vmcp: avoid GFP_DMA allocations (Hendrik Brueckner) [1496105]
- [fs] gfs2: Withdraw for IO errors writing to the journal or statfs 
(Robert S Peterson) [1505956]
- [netdrv] ixgbe: Fix incorrect bitwise operations of PTP Rx timestamp 
flags (Ken Cox) [1523856]

- [kernel] fix __wait_on_atomic_t() to call the action func if the 
counter != 0 (David Howells) [1418631]
- [fs] fscache: fix dead object requeue (David Howells) [1333592 1418631]
- [fs] fscache: clear outstanding writes when disabling a cookie (David 
Howells) [1418631]
- [fs] fscache: initialise stores_lock in netfs cookie (David Howells) 
- [fs] cachefiles: fix attempt to read i_blocks after deleting file 
(David Howells) [1418631]
- [fs] cachefiles: fix race between inactivating and culling a cache 
object (David Howells) [1418631]
- [fs] fscache: make check_consistency callback return int (David 
Howells) [1418631]
- [fs] fscache: wake write waiter after invalidating writes (David 
Howells) [1418631]
- [fs] cachefiles: provide read-and-reset release counters for 
cachefilesd (David Howells) [1418631]
- [s390] disassembler: increase show_code buffer size (Hendrik 
Brueckner) [1516654]
- [fs] sunrpc: remove BUG_ONs checking RPC_IS_QUEUED (Dave Wysochanski) 
- [fs] nfsv4.1: nfs4_fl_prepare_ds must be careful about reporting 
success (Scott Mayhew) [1205448]
- [fs] cifs: add ratelimit for the log entry that causes a lockup (Leif 
Sahlberg) [1494999]
- [fs] nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) 

- [scsi] avoid a permanent stop of the scsi device's request queue (Ewan 
Milne) [1513455]
- [fs] bio: more bio_map_user_iov() leak fixes (Ming Lei) [1503590] 
- [fs] bio: fix unbalanced page refcounting in bio_map_user_iov (Ming 
Lei) [1503590] {CVE-2017-12190}

- [scsi] bnx2fc: Fix hung task messages when a cleanup response is not 
received during abort (Chad Dupuis) [1504260]

- [mm] introduce dedicated WQ_MEM_RECLAIM workqueue to do 
lru_add_drain_all (Waiman Long) [1463754]
- [netdrv] cxgb4: Clear On FLASH config file after a FW upgrade (Arjun 
Vynipadath) [1446952]
- [netdrv] chelsio: Fixes the issue seen on initiator while stopping 
the target (Sai Vemuri) [1442097]
- [netdrv] be2net: Fix UE detection logic for BE3 (Ivan Vecera) [1437991]
- [netdrv] cxgb4vf: don't offload Rx checksums for IPv6 fragments 
(Davide Caratti) [1427036]
- [scsi] qla2xxx: Get mutex lock before checking optrom_state (Himanshu 
Madhani) [1408549]

- [net] sctp: do not lose window information if in rwnd_over (Marcelo 
Leitner) [1492220]
- [net] sctp: fix recovering from 0 win with small data chunks (Marcelo 
Leitner) [1492220]

- [s390] qdio: clear DSCI prior to scanning multiple input queues 
(Hendrik Brueckner) [1467962]

- [s390] zfcp: fix erp_action use-before-initialize in REC action trace 
(Hendrik Brueckner) [1497000]
- [ipmi] create hardware-independent softdep for ipmi_devintf (Tony 
Camuso) [1457915]

- [fs] nfsd: reorder nfsd_cache_match to check more powerful 
discriminators first (Thiago Becker) [1435787]
- [fs] nfsd: split DRC global spinlock into per-bucket locks (Thiago 
Becker) [1435787]
- [fs] nfsd: convert num_drc_entries to an atomic_t (Thiago Becker) 
- [fs] nfsd: remove the cache_hash list (Thiago Becker) [1435787]
- [fs] nfsd: convert the lru list into a per-bucket thing (Thiago 
Becker) [1435787]
- [fs] nfsd: clean up drc cache in preparation for global spinlock 
elimination (Thiago Becker) [1435787]

- [hv] vmbus: Fix error code returned by vmbus_post_msg() (Vitaly 
Kuznetsov) [1491846]
- [hv] vmbus: Increase the time between retries in vmbus_post_msg() 
(Vitaly Kuznetsov) [1491846]
- [hv] vmbus: Raise retry/wait limits in vmbus_post_msg() (Vitaly 
Kuznetsov) [1491846]
- [hv] vmbus: Reduce the delay between retries in vmbus_post_msg() 
(Vitaly Kuznetsov) [1491846]

- [scsi] be2iscsi: fix bad extern declaration (Maurizio Lombardi) [1497152]
- [kernel] mqueue: fix a use-after-free in sys_mq_notify() (Davide 
Caratti) [1476124] {CVE-2017-11176}

- [char] ipmi: use rcu lock around call to intf->handlers->sender() 
(Tony Camuso) [1466034]
- [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio) 
[1481943] {CVE-2017-1000111}
- [net] packet: fix overflow in check for tp_frame_nr (Stefano Brivio) 
[1484946] {CVE-2017-7308}
- [net] packet: fix overflow in check for tp_reserve (Stefano Brivio) 
[1484946] {CVE-2017-7308}
- [fs] binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length 
mappings (Petr Matousek) [1492961] {CVE-2017-1000253}
- [fs] binfmt_elf.c: fix bug in loading of PIE binaries (Petr Matousek) 
[1492961] {CVE-2017-1000253}

- [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide 
Caratti) [1488340] {CVE-2017-14106}
- [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti) 
[1488340] {CVE-2017-14106}
- [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() 
(Matteo Croce) [1477006] {CVE-2017-7542}
- [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Matteo 
Croce) [1477006] {CVE-2017-7542}
- [net] udp: consistently apply ufo or fragmentation (Davide Caratti) 
[1481529] {CVE-2017-1000112}
- [net] ipv6: Should use consistent conditional judgement for ip6 
fragment between __ip6_append_data and ip6_finish_output (Davide 
Caratti) [1481529] {CVE-2017-1000112}
- [net] ipv4: Should use consistent conditional judgement for ip 
fragment in __ip_append_data and ip_finish_output (Davide Caratti) 
[1481529] {CVE-2017-1000112}

- [fs] nfs: don't disconnect open-owner on NFS4ERR_BAD_SEQID (Dave 
Wysochanski) [1459636]
- [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil 
Horman) [1490062] {CVE-2017-1000251}

- [fs] sunrpc: always treat the invalid cache as unexpired (Thiago 
Becker) [1477288]
- [fs] sunrpc: xpt_auth_cache should be ignored when expired (Thiago 
Becker) [1477288]

- [video] efifb: allow user to disable write combined mapping (Dave 
Airlie) [1465097]

- [netdrv] sfc: tx ring can only have 2048 entries for all EF10 NICs 
(Jarod Wilson) [1441773]
- [netdrv] brcmfmac: fix possible buffer overflow in 
brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474782] {CVE-2017-7541}
- [scsi] lpfc: fix "integer constant too large" error on 32bit archs 
(Maurizio Lombardi) [1441169]
- [scsi] lpfc: version is with no_hba_reset patches 
(Maurizio Lombardi) [1441169]
- [scsi] lpfc: Vport creation is failing with "Link Down" error 
(Maurizio Lombardi) [1441169]
- [scsi] lpfc: Fix panic on BFS configuration (Maurizio Lombardi) [1441169]
- [scsi] lpfc: Fix eh_deadline setting for sli3 adapters (Maurizio 
Lombardi) [1441169]
- [scsi] lpfc: Correct panics with eh_timeout and eh_deadline (Maurizio 
Lombardi) [1441169]

- [x86] fix /proc/mtrr with base/size more than 44bits (Jerome Marchand) 

- [fs] gfs2: clear gl_object when deleting an inode in gfs2_delete_inode 
(Robert S Peterson) [1464541]
- [fs] gfs2: clear gl_object if gfs2_create_inode fails (Robert S 
Peterson) [1464541]
- [fs] gfs2: set gl_object in inode lookup only after block type check 
(Robert S Peterson) [1464541]
- [fs] gfs2: introduce helpers for setting and clearing gl_object 
(Robert S Peterson) [1464541]

- [net] ipv6: Fix leak in ipv6_gso_segment() (Sabrina Dubroca) [1459951] 
- [net] gre: fix a possible skb leak (Sabrina Dubroca) [1459951] 
- [net] ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 
(Sabrina Dubroca) [1459951] {CVE-2017-9074}
- [net] ipv6: Check ip6_find_1stfragopt() return value properly (Sabrina 
Dubroca) [1459951] {CVE-2017-9074}
- [net] ipv6: Prevent overrun when parsing v6 header options (Sabrina 
Dubroca) [1459951] {CVE-2017-9074}

- [mm] backport upstream large stack guard patch to RHEL6 (Larry 
Woodman) [1464237 1452730] {CVE-2017-1000364}
- [mm] revert "enlarge stack guard gap" (Larry Woodman) [1452730] 
- [mm] revert "allow JVM to implement its own stack guard pages" (Larry 
Woodman) [1464237]

- [fs] sunrpc: Handle EADDRNOTAVAIL on connection failures (Dave 
Wysochanski) [1459978]
- [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan 
Milne) [1452358]

- [mm] allow JVM to implement its own stack guard pages (Larry Woodman) 
- [mm] enlarge stack guard gap (Larry Woodman) [1452730] {CVE-2017-1000364}

- [netdrv] bnxt_en: Update to firmware interface spec 1.5.1 (Jonathan 
Toppins) [1439450]
- [netdrv] bnxt_en: Added support for Secure Firmware Update (Jonathan 
Toppins) [1439450]
- [netdrv] bnxt_en: Add support for firmware updates for additional 
processors (Jonathan Toppins) [1439450]
- [netdrv] bnxt_en: Update firmware spec. to 1.3.0 (Jonathan Toppins) 
- [netdrv] bnxt_en: Add support for updating flash more securely 
(Jonathan Toppins) [1439450]
- [netdrv] bnxt_en: Request firmware reset after successful firmware 
update (Jonathan Toppins) [1439450]
- [netdrv] bnxt_en: Add hwrm_send_message_silent() (Jonathan Toppins) 
- [netdrv] bnxt_en: Add installed-package firmware version reporting via 
Ethtool GDRVINFO (Jonathan Toppins) [1439450]
- [netdrv] bnxt_en: Reset embedded processor after applying firmware 
upgrade (Jonathan Toppins) [1439450]
- [netdrv] bnxt_en: Add support for upgrading APE/NC-SI firmware via 
Ethtool FLASHDEV (Jonathan Toppins) [1439450]
- [net] sctp: do not inherit ipv6_(mc|ac|fl)_list from parent (Florian 
Westphal) [1455612] {CVE-2017-9075}
- [net] ipv6/dccp: do not inherit ipv6_mc_list from parent (Florian 
Westphal) [1455612] {CVE-2017-9076 CVE-2017-9077}
- [net] dccp/tcp: do not inherit mc_list from parent (Florian Westphal) 
[1455612] {CVE-2017-8890}
- [net] ipv6: nullify ipv6_ac_list and ipv6_fl_list when creating new 
socket (Florian Westphal) [1455612]

- [fs] sunrpc: Enable the keepalive option for TCP sockets (Dave 
Wysochanski) [1458421]
- [mm] mempolicy.c: fix error handling in set_mempolicy and mbind (Bruno 
E. O. Meneguele) [1443539] {CVE-2017-7616}
- [s390] zfcp: fix use-after-"free" in FC ingress path after TMF 
(Hendrik Brueckner) [1421762]
- [scsi] scsi_transport_srp: Fix a race condition (Don Dutile) [1417305]
- [scsi] scsi_transport_srp: Introduce srp_wait_for_queuecommand() (Don 
Dutile) [1417305]
- [block] make blk_cleanup_queue() wait until request_fn finished (Don 
Dutile) [1417305]

- [kernel] audit: acquire creds selectively to reduce atomic op overhead 
(Paul Moore) [1454847]
- [s390] kernel: initial cr0 bits (Hendrik Brueckner) [1445326]
- [s390] zfcp: do not trace pure benign residual HBA responses at 
default level (Hendrik Brueckner) [1421760]
- [s390] zfcp: fix rport unblock race with LUN recovery (Hendrik 
Brueckner) [1421761]

- [netdrv] ixgbe: fix setup_fc for x550em (Ken Cox) [1442030]
- [scsi] bnx2fc: fix race condition in bnx2fc_get_host_stats() (Maurizio 
Lombardi) [1393672]

- [fs] nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce 
Fields) [1446755] {CVE-2017-7895}
- [fs] nfsd4: minor NFSv2/v3 write decoding cleanup (J. Bruce Fields) 
[1446755] {CVE-2017-7895}
- [perf] fix concurrent sys_perf_event_open() vs move_group race (Jiri 
Olsa) [1434751] {CVE-2017-6001}
- [perf] remove confusing comment and move put_ctx() (Jiri Olsa) 
[1434751] {CVE-2017-6001}
- [perf] restructure perf syscall point of no return (Jiri Olsa) 
[1434751] {CVE-2017-6001}
- [perf] fix move_group() order (Jiri Olsa) [1434751] {CVE-2017-6001}
- [perf] generalize event->group_flags (Jiri Olsa) [1434751] {CVE-2017-6001}
- [scsi] libfc: quarantine timed out xids (Chris Leech) [1431440]

- [fs] sunrpc: Ensure that we wait for connections to complete before 
retrying (Dave Wysochanski) [1448170]
- [net] ipv6: check raw payload size correctly in ioctl (Jamie 
Bainbridge) [1441909]

- [fs] nfsv4: fix getacl ERANGE for some ACL buffer sizes (J. Bruce 
Fields) [869942]
- [fs] nfsv4: fix getacl head length estimation (J. Bruce Fields) [869942]

- [fs] xfs: handle array index overrun in xfs_dir2_leaf_readbuf() 
(Carlos Maiolino) [1440361]
- [net] ping: implement proper locking (Jakub Sitnicki) [1438999] 
- [net] tcp: avoid infinite loop in tcp_splice_read() (Davide Caratti) 
[1430578] {CVE-2017-6214}
- [net] ipv6: ip6_fragment: fix headroom tests and skb leak (Hannes 
Frederic Sowa) [1412331]

- [x86] vmalloc_sync: avoid syncing vmalloc area on crashing cpu 
(Pingfan Liu) [1146727]
- [kernel] audit: plug cred memory leak in audit_filter_rules (Richard 
Guy Briggs) [1434560]

- [mm] hugetlb: check for pte NULL pointer in page_check_address() 
(Herton R. Krzesinski) [1431508]
- [netdrv] be2net: Fix endian issue in logical link config command (Ivan 
Vecera) [1436527]
- [crypto] mpi: Fix NULL ptr dereference in mpi_powm() (Mateusz Guzik) 
[1398456] {CVE-2016-8650}
- [fs] aio: properly check iovec sizes (Mateusz Guzik) [1337517] 
- [fs] vfs: make AIO use the proper rw_verify_area() area helpers 
(Mateusz Guzik) [1337535] {CVE-2012-6701}

- [scsi] lpfc: update for rhel6 (Maurizio Lombardi) [1429881]
- [scsi] lpfc: The lpfc driver does not issue RFF_ID and RFT_ID in the 
correct sequence (Maurizio Lombardi) [1429881]

- [sched] fair: Rework throttle_count sync (Jiri Olsa) [1250762]
- [sched] fair: Reorder cgroup creation code (Jiri Olsa) [1250762]
- [sched] fair: Initialize throttle_count for new task-groups lazily 
(Jiri Olsa) [1250762]
- [sched] fair: Do not announce throttled next buddy in 
dequeue_task_fair() (Jiri Olsa) [1250762]

- [block] fix use-after-free in seq file (Denys Vlasenko) [1418549] 
- [firmware] Replacing the chelsio firmware (t4,t5)fw- (Sai 
Vemuri) [1425749]
- [kernel] genirq: Avoid taking sparse_irq_lock for non-existent irqs 
(Dave Wysochanski) [1360930]
- [tty] n_hdlc: get rid of racy n_hdlc.tbuf (Herton R. Krzesinski) 
[1429918] {CVE-2017-2636}
