From be580f9f8d4f5a306087959bcdd1e0d00c0529c4 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <dvlasenk@redhat.com>
Date: Wed, 8 Nov 2023 14:04:36 +0100
Subject: [PATCH] kernel-4.18.0-523.el8

* Wed Nov 08 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-523.el8]
- cifs: Fix UAF in cifs_demultiplex_thread() (Scott Mayhew) [RHEL-7930 RHEL-9046] {CVE-2023-1192}
- x86/platform/uv: Use alternate source for socket to node data (Frank Ramsay) [RHEL-13360]
- media: technisat-usb2: break out of loop at end of buffer (Desnes Nunes) [RHEL-3013 RHEL-3895] {CVE-2019-15505}
- can: af_can: fix NULL pointer dereference in can_rcv_filter (Ricardo Robaina) [RHEL-6429 RHEL-7053] {CVE-2023-2166}
- PCI/portdrv: Prevent LS7A Bus Master clearing on shutdown (Myron Stowe) [RHEL-5147]
- kernel/fork: beware of __put_task_struct() calling context (Wander Lairson Costa) [RHEL-14767]
- KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that hangs vCPUs (Peter Xu) [RHEL-7210]
- net: tun: fix bugs for oversize packet when napi frags enabled (Ricardo Robaina) [RHEL-7185 RHEL-7267] {CVE-2023-3812}
- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO (Jose Ignacio Tornos Martinez) [RHEL-6357] {CVE-2023-31083}
- RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() (Kamal Heib) [RHEL-10313 RHEL-11030]
- RDMA/qedr: fix repeated words in comments (Kamal Heib) [RHEL-10313 RHEL-11030]
- x86/sev: Check for user-space IOIO pointing to kernel space (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
- x86/sev: Check IOBM for IOIO exceptions from user-space (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
- x86/sev: Disable MMIO emulation from user mode (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
- x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
- USB: core: Fix oversight in SuperSpeed initialization (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
- USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
- USB: core: Change usb_get_device_descriptor() API (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
- USB: core: Unite old scheme and new scheme descriptor reads (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
- bonding: do not assume skb mac_header is set (Hangbin Liu) [RHEL-13959]
- bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves (Hangbin Liu) [RHEL-13959]
- bonding: support balance-alb with openvswitch (Hangbin Liu) [RHEL-13959]
- bonding: reset bond's flags when down link is P2P device (Hangbin Liu) [RHEL-13959]
- net: fix stack overflow when LRO is disabled for virtual interfaces (Hangbin Liu) [RHEL-13959]
- Documentation: bonding: fix the doc of peer_notif_delay (Hangbin Liu) [RHEL-13959]
- bonding: fix send_peer_notif overflow (Hangbin Liu) [RHEL-13959]
- bonding: Fix memory leak when changing bond type to Ethernet (Hangbin Liu) [RHEL-13959]
- bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails (Hangbin Liu) [RHEL-13959]
- bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change (Hangbin Liu) [RHEL-13959]
- drivers/net/bonding/bond_3ad: return when there's no aggregator (Hangbin Liu) [RHEL-13959]
- KVM: s390: pv: Allow AP-instructions for pv-guests (Thomas Huth) [2111392]
- KVM: s390: Add UV feature negotiation (Thomas Huth) [2111392]
- s390/uv: UV feature check utility (Thomas Huth) [2111392]
- s390/vfio-ap: make sure nib is shared (Thomas Huth) [2111392]
- KVM: s390: export kvm_s390_pv*_is_protected functions (Thomas Huth) [2111392]
- s390/uv: export uv_pin_shared for direct usage (Thomas Huth) [2111392]
- s390/vfio-ap: check for TAPQ response codes 0x35 and 0x36 (Thomas Huth) [2111392]
- s390/vfio-ap: handle queue state change in progress on reset (Thomas Huth) [2111392]
- s390/vfio-ap: use work struct to verify queue reset (Thomas Huth) [2111392]
- s390/vfio-ap: store entire AP queue status word with the queue object (Thomas Huth) [2111392]
- s390/vfio-ap: remove upper limit on wait for queue reset to complete (Thomas Huth) [2111392]
- s390/vfio-ap: allow deconfigured queue to be passed through to a guest (Thomas Huth) [2111392]
- s390/vfio-ap: wait for response code 05 to clear on queue reset (Thomas Huth) [2111392]
- s390/vfio-ap: clean up irq resources if possible (Thomas Huth) [2111392]
- s390/vfio-ap: no need to check the 'E' and 'I' bits in APQSW after TAPQ (Thomas Huth) [2111392]
- s390/vfio-ap: fix memory leak in vfio_ap device driver (Thomas Huth) [2111392]
- s390/vfio-ap: remove redundant driver match function (Thomas Huth) [2111392]
- s390/vfio_ap: increase max wait time for reset verification (Thomas Huth) [2111392]
- s390/vfio_ap: fix handling of error response codes (Thomas Huth) [2111392]
- s390/vfio_ap: verify ZAPQ completion after return of response code zero (Thomas Huth) [2111392]
- s390/vfio_ap: use TAPQ to verify reset in progress completes (Thomas Huth) [2111392]
- s390/vfio_ap: check TAPQ response code when waiting for queue reset (Thomas Huth) [2111392]
- s390/vfio-ap: verify reset complete in separate function (Thomas Huth) [2111392]
- s390/vfio-ap: fix an error handling path in vfio_ap_mdev_probe_queue() (Thomas Huth) [2111392]
- s390/vfio-ap: add s390dbf logging to the vfio_ap_irq_enable function (Thomas Huth) [2111392]
- s390-vfio-ap: introduces s390 kernel debug feature for vfio_ap device driver (Thomas Huth) [2111392]
Resolves: rhbz#2111392, RHEL-10313, RHEL-11030, RHEL-13360, RHEL-13959, RHEL-14767, RHEL-14978, RHEL-2569, RHEL-2675, RHEL-3013, RHEL-3895, RHEL-5147, RHEL-6357, RHEL-6429, RHEL-7053, RHEL-7185, RHEL-7210, RHEL-7267, RHEL-7930, RHEL-9046

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
 kernel.spec | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 sources     |  6 ++---
 2 files changed, 64 insertions(+), 6 deletions(-)

diff --git a/kernel.spec b/kernel.spec
index 75bf653b7..3ac077c7a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -12,7 +12,7 @@
 # change below to w4T.xzdio):
 %define _binary_payload w3T.xzdio
 
-%global distro_build 522
+%global distro_build 523
 
 # Sign the x86_64 kernel for secure boot authentication
 %ifarch x86_64 aarch64 s390x ppc64le
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 522.el8
+%define pkgrelease 523.el8
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 522%{?dist}
+%define specrelease 523%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -2695,6 +2695,64 @@ fi
 #
 #
 %changelog
+* Wed Nov 08 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-523.el8]
+- cifs: Fix UAF in cifs_demultiplex_thread() (Scott Mayhew) [RHEL-7930 RHEL-9046] {CVE-2023-1192}
+- x86/platform/uv: Use alternate source for socket to node data (Frank Ramsay) [RHEL-13360]
+- media: technisat-usb2: break out of loop at end of buffer (Desnes Nunes) [RHEL-3013 RHEL-3895] {CVE-2019-15505}
+- can: af_can: fix NULL pointer dereference in can_rcv_filter (Ricardo Robaina) [RHEL-6429 RHEL-7053] {CVE-2023-2166}
+- PCI/portdrv: Prevent LS7A Bus Master clearing on shutdown (Myron Stowe) [RHEL-5147]
+- kernel/fork: beware of __put_task_struct() calling context (Wander Lairson Costa) [RHEL-14767]
+- KVM: x86/mmu: Fix an sign-extension bug with mmu_seq that hangs vCPUs (Peter Xu) [RHEL-7210]
+- net: tun: fix bugs for oversize packet when napi frags enabled (Ricardo Robaina) [RHEL-7185 RHEL-7267] {CVE-2023-3812}
+- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO (Jose Ignacio Tornos Martinez) [RHEL-6357] {CVE-2023-31083}
+- RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() (Kamal Heib) [RHEL-10313 RHEL-11030]
+- RDMA/qedr: fix repeated words in comments (Kamal Heib) [RHEL-10313 RHEL-11030]
+- x86/sev: Check for user-space IOIO pointing to kernel space (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
+- x86/sev: Check IOBM for IOIO exceptions from user-space (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
+- x86/sev: Disable MMIO emulation from user mode (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
+- x86/sev-es: Fix SEV-ES OUT/IN immediate opcode vc handling (Wander Lairson Costa) [RHEL-14978] {CVE-2023-46813}
+- USB: core: Fix oversight in SuperSpeed initialization (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
+- USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
+- USB: core: Change usb_get_device_descriptor() API (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
+- USB: core: Unite old scheme and new scheme descriptor reads (Desnes Nunes) [RHEL-2569 RHEL-2675] {CVE-2023-37453}
+- bonding: do not assume skb mac_header is set (Hangbin Liu) [RHEL-13959]
+- bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves (Hangbin Liu) [RHEL-13959]
+- bonding: support balance-alb with openvswitch (Hangbin Liu) [RHEL-13959]
+- bonding: reset bond's flags when down link is P2P device (Hangbin Liu) [RHEL-13959]
+- net: fix stack overflow when LRO is disabled for virtual interfaces (Hangbin Liu) [RHEL-13959]
+- Documentation: bonding: fix the doc of peer_notif_delay (Hangbin Liu) [RHEL-13959]
+- bonding: fix send_peer_notif overflow (Hangbin Liu) [RHEL-13959]
+- bonding: Fix memory leak when changing bond type to Ethernet (Hangbin Liu) [RHEL-13959]
+- bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails (Hangbin Liu) [RHEL-13959]
+- bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change (Hangbin Liu) [RHEL-13959]
+- drivers/net/bonding/bond_3ad: return when there's no aggregator (Hangbin Liu) [RHEL-13959]
+- KVM: s390: pv: Allow AP-instructions for pv-guests (Thomas Huth) [2111392]
+- KVM: s390: Add UV feature negotiation (Thomas Huth) [2111392]
+- s390/uv: UV feature check utility (Thomas Huth) [2111392]
+- s390/vfio-ap: make sure nib is shared (Thomas Huth) [2111392]
+- KVM: s390: export kvm_s390_pv*_is_protected functions (Thomas Huth) [2111392]
+- s390/uv: export uv_pin_shared for direct usage (Thomas Huth) [2111392]
+- s390/vfio-ap: check for TAPQ response codes 0x35 and 0x36 (Thomas Huth) [2111392]
+- s390/vfio-ap: handle queue state change in progress on reset (Thomas Huth) [2111392]
+- s390/vfio-ap: use work struct to verify queue reset (Thomas Huth) [2111392]
+- s390/vfio-ap: store entire AP queue status word with the queue object (Thomas Huth) [2111392]
+- s390/vfio-ap: remove upper limit on wait for queue reset to complete (Thomas Huth) [2111392]
+- s390/vfio-ap: allow deconfigured queue to be passed through to a guest (Thomas Huth) [2111392]
+- s390/vfio-ap: wait for response code 05 to clear on queue reset (Thomas Huth) [2111392]
+- s390/vfio-ap: clean up irq resources if possible (Thomas Huth) [2111392]
+- s390/vfio-ap: no need to check the 'E' and 'I' bits in APQSW after TAPQ (Thomas Huth) [2111392]
+- s390/vfio-ap: fix memory leak in vfio_ap device driver (Thomas Huth) [2111392]
+- s390/vfio-ap: remove redundant driver match function (Thomas Huth) [2111392]
+- s390/vfio_ap: increase max wait time for reset verification (Thomas Huth) [2111392]
+- s390/vfio_ap: fix handling of error response codes (Thomas Huth) [2111392]
+- s390/vfio_ap: verify ZAPQ completion after return of response code zero (Thomas Huth) [2111392]
+- s390/vfio_ap: use TAPQ to verify reset in progress completes (Thomas Huth) [2111392]
+- s390/vfio_ap: check TAPQ response code when waiting for queue reset (Thomas Huth) [2111392]
+- s390/vfio-ap: verify reset complete in separate function (Thomas Huth) [2111392]
+- s390/vfio-ap: fix an error handling path in vfio_ap_mdev_probe_queue() (Thomas Huth) [2111392]
+- s390/vfio-ap: add s390dbf logging to the vfio_ap_irq_enable function (Thomas Huth) [2111392]
+- s390-vfio-ap: introduces s390 kernel debug feature for vfio_ap device driver (Thomas Huth) [2111392]
+
 * Sun Nov 05 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-522.el8]
 - netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c (Florian Westphal) [RHEL-8444] {CVE-2023-42753}
 - cxgb4: fix use after free bugs caused by circular dependency problem (Ricardo Robaina) [RHEL-6261 RHEL-7058] {CVE-2023-4133}
diff --git a/sources b/sources
index 0cd2f7e41..429717300 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-522.el8.tar.xz) = 703aa76ae20ac9072127f7236acbc6be7a38a02ad268e09349f5afb68fcc3ac9ae68462af8a30699c6f297d8ea605a6f1c4f7fa52b464aab7660c00dd1ac4534
-SHA512 (kernel-abi-stablelists-4.18.0-522.tar.bz2) = 86cae5cca443ee9944696fcc3630db78962a25614924ee2133b79e4d62e2fc0e98647270c69d9792667642ffb425e5acd8abee1420c5da0df7d3fa746e39c9f9
-SHA512 (kernel-kabi-dw-4.18.0-522.tar.bz2) = f7bbf94096acc33486535d9eece268c543c6a05d93ee262d64dc22b220f1cb3ff49b4cf091a5c748811c4229fdf674be4c816174575161b0ca5e457726595b32
+SHA512 (linux-4.18.0-523.el8.tar.xz) = c89555a5aa067901764bdf85a7974deaefdc6310ba125accd51a93deb7f21a67dda96e97d5d0f8c2f7b15c0ae16cbca30a1bbc0e799d53926a0801dfaed4589e
+SHA512 (kernel-abi-stablelists-4.18.0-523.tar.bz2) = 6c1eb6a0e42986a3906e12909580da95b660f3123ce8dbe85a7d53faef7a516a127187a230ced3cb637b45de447f2a59440ae2e0ee67a77cefa9db2f310d09b9
+SHA512 (kernel-kabi-dw-4.18.0-523.tar.bz2) = f7bbf94096acc33486535d9eece268c543c6a05d93ee262d64dc22b220f1cb3ff49b4cf091a5c748811c4229fdf674be4c816174575161b0ca5e457726595b32