Fix kernel memory leaks in ipvs and ext4

These leaks were observed in the RT kernel but the fixes
are not RT specific.  We deemed it prudent to also
include the fixes in the std kernel as well.

See the specific patches for details.

Change-Id: I00e6d06a82e289806e5d51008ea1597735b2ad0f
Closes-Bug: 1836638
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

kernel/kernel-rt/centos/build_srpm.data

@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12

kernel/kernel-rt/centos/meta_patches/Compile-issues.patch

@@ -1,33 +1,37 @@
-From d83caf51542ff89ffc70377d8a04d697d8fe09e3 Mon Sep 17 00:00:00 2001
+From d85ae09a0e333ba2c0b2630a1d4768655cacf481 Mon Sep 17 00:00:00 2001
+Message-Id: <d85ae09a0e333ba2c0b2630a1d4768655cacf481.1566591106.git.Jim.Somerville@windriver.com>
+In-Reply-To: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
+References: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
 From: Bin Yang <bin.yang@intel.com>
 Date: Wed, 31 Jul 2019 14:23:20 +0800
-Subject: [PATCH 3/3] Compile issues
+Subject: [PATCH 2/2] Compile issues
 
 Signed-off-by: Bin Yang <bin.yang@intel.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
  SPECS/kernel-rt.spec | 8 ++++++++
  1 file changed, 8 insertions(+)
 
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index e94ec2f..e6e71e4 100644
+index f7aad95..29d3878 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -420,6 +420,11 @@ Patch1028: turn-off-write-same-in-smartqpi-driver.patch
+@@ -424,6 +424,11 @@ Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
- Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
+ Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
- Patch1030: robustify-CFS-bandwidth-timer-locking.patch
+ Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
- Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
-+Patch1032: fix-compilation-issues.patch
++Patch1035: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch1033: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch1036: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch1034: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch1037: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
  
-@@ -784,6 +789,9 @@ ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
+@@ -791,6 +796,9 @@ ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
- ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
+ ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
- ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
+ ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
- ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +ApplyPatch fix-compilation-issues.patch
 +ApplyPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@@ -35,5 +39,5 @@ index e94ec2f..e6e71e4 100644
  # move off upstream version mechanism
  if [ -e localversion-rt ]; then
 -- 
-2.7.4
+1.8.3.1
 

kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch

@@ -1,18 +1,20 @@
-From 2c23df3f032c68046a309e5b9f1d321438905e85 Mon Sep 17 00:00:00 2001
+From 5d869ea9407975726a95d046391cd640b726ca93 Mon Sep 17 00:00:00 2001
+Message-Id: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
 From: Bin Yang <bin.yang@intel.com>
 Date: Mon, 29 Jul 2019 11:48:49 -0400
-Subject: [PATCH 2/3] Kernel source patches for TiC
+Subject: [PATCH 1/2] Kernel source patches for TiC
 
 Signed-off-by: Bin Yang <bin.yang@intel.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
- SPECS/kernel-rt.spec | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ SPECS/kernel-rt.spec | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 66 insertions(+)
+ 1 file changed, 73 insertions(+)
 
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index efc89cd..e94ec2f 100644
+index adffde2..f7aad95 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -386,6 +386,40 @@ Source1000: modprobe-dccp-blacklist.conf
+@@ -386,6 +386,44 @@ Source1000: modprobe-dccp-blacklist.conf
  
  # Empty final patch file to facilitate testing of kernel patches
  Patch999999: linux-kernel-test.patch
@@ -50,10 +52,14 @@ index efc89cd..e94ec2f 100644
 +Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +Patch1030: robustify-CFS-bandwidth-timer-locking.patch
 +Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
++# Fix three potential kernel memory leaks
++Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
  
-@@ -718,6 +752,38 @@ cp %{SOURCE38} .
+@@ -718,6 +756,41 @@ cp %{SOURCE38} .
  
  ## Apply Patches here
  ApplyPatch linux-kernel-test.patch
@@ -89,9 +95,12 @@ index efc89cd..e94ec2f 100644
 +ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
 +ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
++ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
  
  # move off upstream version mechanism
  if [ -e localversion-rt ]; then
 -- 
-2.7.4
+1.8.3.1
 

kernel/kernel-rt/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch

@@ -0,0 +1,57 @@
+From fdb837fb87ff4907436dfab16709b64d6c3488fd Mon Sep 17 00:00:00 2001
+Message-Id: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Thu, 7 May 2015 15:12:21 +0300
+Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
+
+[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
+
+Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
+ip_vs_ctl local vars moved to ipvs struct."):
+
+unreferenced object 0xffff88005785b800 (size 2048):
+  comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
+  hex dump (first 32 bytes):
+    bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff  .........x.N....
+    04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
+    [<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
+    [<ffffffff811b88a0>] kmemdup+0x20/0x50
+    [<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
+    [<ffffffff8231d630>] __ip_vs_init+0x100/0x250
+    [<ffffffff822363a1>] ops_init+0x41/0x190
+    [<ffffffff82236583>] setup_net+0x93/0x150
+    [<ffffffff82236cc2>] copy_net_ns+0x82/0x140
+    [<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
+    [<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
+    [<ffffffff810833e3>] SyS_unshare+0x173/0x310
+    [<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 02409f3..3738b84 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+ 	cancel_delayed_work_sync(&ipvs->defense_work);
+ 	cancel_work_sync(&ipvs->defense_work.work);
+ 	unregister_net_sysctl_table(ipvs->sysctl_hdr);
++
++	if (!net_eq(net, &init_net))
++		kfree(ipvs->sysctl_tbl);
+ }
+ 
+ #else
+-- 
+1.8.3.1
+

kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch

@@ -0,0 +1,67 @@
+From a16765613c5cb9b6cb86bc92d21030be124b2dde Mon Sep 17 00:00:00 2001
+Message-Id: <a16765613c5cb9b6cb86bc92d21030be124b2dde.1566590430.git.Jim.Somerville@windriver.com>
+In-Reply-To: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+References: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:14 +0300
+Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
+
+[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked.  So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+In scope of https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index 917e819..fce029f 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -297,7 +297,7 @@ cleanup:
+ int
+ ext4_acl_chmod(struct inode *inode)
+ {
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	handle_t *handle;
+ 	int retries = 0;
+ 	int error;
+@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
+ 	error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ 	if (error)
+ 		return error;
++
++	real_acl = acl;
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+ 				    ext4_jbd2_credits_xattr(inode));
+@@ -341,7 +343,7 @@ out_stop:
+ 	    ext4_should_retry_alloc(inode->i_sb, &retries))
+ 		goto retry;
+ out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+

kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch

@@ -0,0 +1,79 @@
+From 916c45d11310d03a4a76bd80a40f0c6a767ba39e Mon Sep 17 00:00:00 2001
+Message-Id: <916c45d11310d03a4a76bd80a40f0c6a767ba39e.1566590430.git.Jim.Somerville@windriver.com>
+In-Reply-To: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+References: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:15 +0300
+Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
+
+[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+v2: Added affected kernel version + RHEL bug URL
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index fce029f..046b338 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ {
+ 	struct inode *inode = dentry->d_inode;
+ 	handle_t *handle;
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	int error, retries = 0;
+ 	int update_mode = 0;
+ 	umode_t mode = inode->i_mode;
+@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 		return -EPERM;
+ 
+ 	if (value) {
+-		acl = posix_acl_from_xattr(&init_user_ns, value, size);
++		acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ 		if (IS_ERR(acl))
+ 			return PTR_ERR(acl);
+ 		else if (acl) {
+@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 				goto release_and_out;
+ 		}
+ 	} else
+-		acl = NULL;
++		acl = real_acl = NULL;
+ 
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -454,7 +454,7 @@ out_stop:
+ 		goto retry;
+ 
+ release_and_out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+

kernel/kernel-std/centos/build_srpm.data

@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12

kernel/kernel-std/centos/meta_patches/Compile-issues.patch

@@ -1,34 +1,38 @@
-From a38da63c3677f78c33b3896699788bd5eb77116e Mon Sep 17 00:00:00 2001
+From f9a5a49c9daac827d94cd562c0c6f100388fd798 Mon Sep 17 00:00:00 2001
+Message-Id: <f9a5a49c9daac827d94cd562c0c6f100388fd798.1566587341.git.Jim.Somerville@windriver.com>
+In-Reply-To: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
+References: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
 From: "zhao.shuai" <zhaos@neusoft.com>
 Date: Tue, 6 Aug 2019 16:18:04 +0800
-Subject: [PATCH 3/3] Compile issues
+Subject: [PATCH 2/2] Compile issues
 
 Signed-off-by: zhao.shuai <zhaos@neusoft.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
  SPECS/kernel.spec | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index 418cdd0..a5de0aa 100644
+index d5df4a4..1d765ed 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -491,6 +491,12 @@ Patch40025: dpt_i2o-fix-build-warning.patch
+@@ -495,6 +495,12 @@ Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
- Patch40026: turn-off-write-same-in-smartqpi-driver.patch
+ Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
- # Fix use-after-free in eventpoll_release_file
+ Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
- Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +# Fix assorted compilation issues
-+Patch40028: fix-compilation-issues.patch
++Patch40031: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch40029: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch40032: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch40030: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch40033: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
  
-@@ -862,6 +868,9 @@ ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
+@@ -869,6 +875,9 @@ ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
- ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
+ ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
- ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
+ ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
- ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +ApplyOptionalPatch fix-compilation-issues.patch
 +ApplyOptionalPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyOptionalPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch

kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch

@@ -1,18 +1,20 @@
-From e9f7eeea6002b26912b6434c324ac19c2987afe8 Mon Sep 17 00:00:00 2001
+From ac67546ccbecd3ee18145be31d87d7253048adda Mon Sep 17 00:00:00 2001
+Message-Id: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
 From: "zhao.shuai" <zhaos@neusoft.com>
 Date: Mon, 5 Aug 2019 17:55:01 +0800
-Subject: [PATCH 2/3] Kernel-source-patches-for-TiC
+Subject: [PATCH 1/2] Kernel-source-patches-for-TiC
 
 Signed-off-by: zhao.shuai <zhaos@neusoft.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
- SPECS/kernel.spec | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ SPECS/kernel.spec | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 61 insertions(+)
+ 1 file changed, 68 insertions(+)
 
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index e42177e..418cdd0 100644
+index e42177e..d5df4a4 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -460,6 +460,38 @@ Patch1002: debrand-rh-i686-cpu.patch
+@@ -460,6 +460,42 @@ Patch1002: debrand-rh-i686-cpu.patch
  Source30000: kernel-3.10.0-x86_64.config.tis_extra
  Source30001: ima_signing_key.pub
  
@@ -47,11 +49,15 @@ index e42177e..418cdd0 100644
 +Patch40026: turn-off-write-same-in-smartqpi-driver.patch
 +# Fix use-after-free in eventpoll_release_file
 +Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
++# Fix three potential kernel memory leaks
++Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +
  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
  
  %description
-@@ -802,6 +834,35 @@ ApplyOptionalPatch debrand-single-cpu.patch
+@@ -802,6 +838,38 @@ ApplyOptionalPatch debrand-single-cpu.patch
  ApplyOptionalPatch debrand-rh_taint.patch
  ApplyOptionalPatch debrand-rh-i686-cpu.patch
  
@@ -83,6 +89,9 @@ index e42177e..418cdd0 100644
 +ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
 +ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
 +ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
++ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +
  # Any further pre-build tree manipulations happen here.
  

kernel/kernel-std/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch

@@ -0,0 +1,57 @@
+From e3887b1e84e274be02f992e034e0dba1f53925b6 Mon Sep 17 00:00:00 2001
+Message-Id: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Thu, 7 May 2015 15:12:21 +0300
+Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
+
+[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
+
+Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
+ip_vs_ctl local vars moved to ipvs struct."):
+
+unreferenced object 0xffff88005785b800 (size 2048):
+  comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
+  hex dump (first 32 bytes):
+    bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff  .........x.N....
+    04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
+    [<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
+    [<ffffffff811b88a0>] kmemdup+0x20/0x50
+    [<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
+    [<ffffffff8231d630>] __ip_vs_init+0x100/0x250
+    [<ffffffff822363a1>] ops_init+0x41/0x190
+    [<ffffffff82236583>] setup_net+0x93/0x150
+    [<ffffffff82236cc2>] copy_net_ns+0x82/0x140
+    [<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
+    [<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
+    [<ffffffff810833e3>] SyS_unshare+0x173/0x310
+    [<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 02409f3..3738b84 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+ 	cancel_delayed_work_sync(&ipvs->defense_work);
+ 	cancel_work_sync(&ipvs->defense_work.work);
+ 	unregister_net_sysctl_table(ipvs->sysctl_hdr);
++
++	if (!net_eq(net, &init_net))
++		kfree(ipvs->sysctl_tbl);
+ }
+ 
+ #else
+-- 
+1.8.3.1
+

kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch

@@ -0,0 +1,67 @@
+From 598c88638d4f46a38bf3d0669bc042c1ea1e4605 Mon Sep 17 00:00:00 2001
+Message-Id: <598c88638d4f46a38bf3d0669bc042c1ea1e4605.1566585829.git.Jim.Somerville@windriver.com>
+In-Reply-To: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+References: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:14 +0300
+Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
+
+[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked.  So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+In scope of https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index 917e819..fce029f 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -297,7 +297,7 @@ cleanup:
+ int
+ ext4_acl_chmod(struct inode *inode)
+ {
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	handle_t *handle;
+ 	int retries = 0;
+ 	int error;
+@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
+ 	error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ 	if (error)
+ 		return error;
++
++	real_acl = acl;
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+ 				    ext4_jbd2_credits_xattr(inode));
+@@ -341,7 +343,7 @@ out_stop:
+ 	    ext4_should_retry_alloc(inode->i_sb, &retries))
+ 		goto retry;
+ out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+

kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch

@@ -0,0 +1,79 @@
+From 190fe153e1def764a02d7cb3438f5bc7c0402e48 Mon Sep 17 00:00:00 2001
+Message-Id: <190fe153e1def764a02d7cb3438f5bc7c0402e48.1566585829.git.Jim.Somerville@windriver.com>
+In-Reply-To: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+References: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:15 +0300
+Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
+
+[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+v2: Added affected kernel version + RHEL bug URL
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index fce029f..046b338 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ {
+ 	struct inode *inode = dentry->d_inode;
+ 	handle_t *handle;
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	int error, retries = 0;
+ 	int update_mode = 0;
+ 	umode_t mode = inode->i_mode;
+@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 		return -EPERM;
+ 
+ 	if (value) {
+-		acl = posix_acl_from_xattr(&init_user_ns, value, size);
++		acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ 		if (IS_ERR(acl))
+ 			return PTR_ERR(acl);
+ 		else if (acl) {
+@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 				goto release_and_out;
+ 		}
+ 	} else
+-		acl = NULL;
++		acl = real_acl = NULL;
+ 
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -454,7 +454,7 @@ out_stop:
+ 		goto retry;
+ 
+ release_and_out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+