Update to 3.12.6
svn path=/dists/sid/linux/; revision=20905
parent
0813c82451
commit
0a09a09a42
|
@ -1,4 +1,4 @@
|
|||
linux (3.12.5-1) UNRELEASED; urgency=medium
|
||||
linux (3.12.6-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4
|
||||
|
@ -34,6 +34,48 @@ linux (3.12.5-1) UNRELEASED; urgency=medium
|
|||
- SCSI: Disable WRITE SAME for RAID and virtual host adapter drivers
|
||||
- tg3: avoid double-freeing of rx data memory
|
||||
- crypto: scatterwalk - Use sg_chain_ptr on chain entries
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.6
|
||||
- ALSA: memalloc.h - fix wrong truncation of dma_addr_t
|
||||
- [arm] 7912/1: check stack pointer in get_wchan
|
||||
- [arm] 7913/1: fix framepointer check in unwind_frame
|
||||
- KVM: Improve create VCPU parameter (CVE-2013-4587)
|
||||
- [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367)
|
||||
- [x86] KVM: Convert vapic synchronization to _cached functions
|
||||
(CVE-2013-6368)
|
||||
- [x86] KVM: fix guest-initiated crash with x2apic (CVE-2013-6376)
|
||||
- xfs: growfs overruns AGFL buffer on V4 filesystems
|
||||
- futex: fix handling of read-only-mapped hugepages
|
||||
- nfsd: when reusing an existing repcache entry, unhash it first
|
||||
- [armhf] usb: musb: musb_cppi41: handle pre-mature TX complete interrupt
|
||||
- powerpc: Fix PTE page address mismatch in pgtable ctor/dtor
|
||||
- mm: memcg: do not allow task about to OOM kill to bypass the limit
|
||||
- mm: memcg: fix race condition between memcg teardown and swapin
|
||||
- cfg80211: disable 5/10 MHz support for all drivers
|
||||
- Revert "mac80211: allow disable power save in mesh"
|
||||
- mac80211: fix scheduled scan rtnl deadlock
|
||||
- iwlwifi: mvm: check sta_id/drain values in debugfs
|
||||
- Btrfs: fix access_ok() check in btrfs_ioctl_send()
|
||||
- dm snapshot: avoid snapshot space leak on crash
|
||||
- dm array: fix a reference counting bug in shadow_ablock
|
||||
- dm space map metadata: return on failure in sm_metadata_new_block
|
||||
- dm space map: disallow decrementing a reference count below zero
|
||||
- dm table: fail dm_table_create on dm_round_up overflow
|
||||
- dm thin: switch to read only mode if a mapping insert fails
|
||||
- dm thin: switch to read-only mode if metadata space is exhausted
|
||||
- dm thin: always fallback the pool mode if commit fails
|
||||
- dm thin: re-establish read-only state when switching to fail mode
|
||||
- dm thin: allow pool in read-only mode to transition to read-write mode
|
||||
- media/cxd2820r_core: Fix regression in 3.12.3
|
||||
- sched: Avoid throttle_cfs_rq() racing with period_timer stopping
|
||||
- Btrfs: do a full search everytime in btrfs_search_old_slot
|
||||
- Btrfs: reset intwrite on transaction abort
|
||||
- Btrfs: fix memory leak of chunks' extent map
|
||||
- Btrfs: fix hole check in log_one_extent
|
||||
- Btrfs: fix incorrect inode acl reset
|
||||
- Btrfs: take ordered root lock when removing ordered operations inode
|
||||
- Btrfs: do not run snapshot-aware defragment on error
|
||||
- Btrfs: fix a crash when running balance and defrag concurrently
|
||||
- Btrfs: fix lockdep error in async commit
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* udeb: Add ohci-pci to usb-modules (Closes: #730789)
|
||||
|
@ -53,12 +95,6 @@ linux (3.12.5-1) UNRELEASED; urgency=medium
|
|||
(Closes: #732106)
|
||||
* linux-source: Compress with gzip -1 (Closes: #725492)
|
||||
* [alpha] Prevent a NULL ptr dereference in csum_partial_copy
|
||||
* media/cxd2820r_core: Fix regression in 3.12.3, thanks to Frederik Himpe
|
||||
* KVM: Improve create VCPU parameter (CVE-2013-4587)
|
||||
* [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367)
|
||||
* [x86] KVM: Convert vapic synchronization to _cached functions
|
||||
(CVE-2013-6368)
|
||||
* [x86] KVM: fix guest-initiated crash with x2apic (CVE-2013-6376)
|
||||
* Set ABI to 1
|
||||
* [ia64] Enable PSTORE, EFI_VARS_PSTORE
|
||||
* [x86,ia64] udeb: Remove zlib-modules as zlib is now built-in
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
From: Andy Honig <ahonig@google.com>
|
||||
Date: Mon, 18 Nov 2013 16:09:22 -0800
|
||||
Subject: KVM: Improve create VCPU parameter (CVE-2013-4587)
|
||||
Origin: https://git.kernel.org/linus/338c7dbadd2671189cec7faf64c84d01071b3f96
|
||||
|
||||
In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
|
||||
malicious user could specify a vcpu_id greater than 255 in order to set or
|
||||
clear bits in kernel memory. This could be used to elevate priveges in the
|
||||
kernel. This patch verifies that the vcpu_id provided is less than 255.
|
||||
The api documentation already specifies that the vcpu_id must be less than
|
||||
max_vcpus, but this is currently not checked.
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
virt/kvm/kvm_main.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/virt/kvm/kvm_main.c
|
||||
+++ b/virt/kvm/kvm_main.c
|
||||
@@ -1893,6 +1893,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
|
||||
int r;
|
||||
struct kvm_vcpu *vcpu, *v;
|
||||
|
||||
+ if (id >= KVM_MAX_VCPUS)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
vcpu = kvm_arch_vcpu_create(kvm, id);
|
||||
if (IS_ERR(vcpu))
|
||||
return PTR_ERR(vcpu);
|
|
@ -1,41 +0,0 @@
|
|||
From: Andy Honig <ahonig@google.com>
|
||||
Date: Tue, 19 Nov 2013 14:12:18 -0800
|
||||
Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
|
||||
Origin: https://git.kernel.org/linus/b963a22e6d1a266a67e9eecc88134713fd54775c
|
||||
|
||||
Under guest controllable circumstances apic_get_tmcct will execute a
|
||||
divide by zero and cause a crash. If the guest cpuid support
|
||||
tsc deadline timers and performs the following sequence of requests
|
||||
the host will crash.
|
||||
- Set the mode to periodic
|
||||
- Set the TMICT to 0
|
||||
- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
|
||||
- Set the TMICT to non-zero.
|
||||
Then the lapic_timer.period will be 0, but the TMICT will not be. If the
|
||||
guest then reads from the TMCCT then the host will perform a divide by 0.
|
||||
|
||||
This patch ensures that if the lapic_timer.period is 0, then the division
|
||||
does not occur.
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
|
||||
index 5439117..89b52ec 100644
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
|
||||
ASSERT(apic != NULL);
|
||||
|
||||
/* if initial count is 0, current count should also be 0 */
|
||||
- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
|
||||
+ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
|
||||
+ apic->lapic_timer.period == 0)
|
||||
return 0;
|
||||
|
||||
remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
|
|
@ -1,39 +0,0 @@
|
|||
From: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Date: Fri, 4 Oct 2013 11:01:43 -0300
|
||||
Subject: [media] cxd2820r_core: fix sparse warnings
|
||||
Origin: https://git.kernel.org/linus/0db3fa2741ad8371c21b3a6785416a4afc0cc1d4
|
||||
|
||||
drivers/media/dvb-frontends/cxd2820r_core.c:34:32: error: cannot size expression
|
||||
drivers/media/dvb-frontends/cxd2820r_core.c:68:32: error: cannot size expression
|
||||
|
||||
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Acked-by: Antti Palosaari <crope@iki.fi>
|
||||
Reviewed-by: Antti Palosaari <crope@iki.fi>
|
||||
Reviewed-by: Michael Krufky <mkrufky@linuxtv.org>
|
||||
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
||||
[bwh: Commit 8393796dfa4c ('media: dvb-frontends: Don't use dynamic static
|
||||
allocation') depends on this but was cherry-picked for 3.12.3 without this]
|
||||
---
|
||||
drivers/media/dvb-frontends/cxd2820r_core.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/drivers/media/dvb-frontends/cxd2820r_core.c
|
||||
+++ b/drivers/media/dvb-frontends/cxd2820r_core.c
|
||||
@@ -34,7 +34,7 @@ static int cxd2820r_wr_regs_i2c(struct c
|
||||
{
|
||||
.addr = i2c,
|
||||
.flags = 0,
|
||||
- .len = sizeof(buf),
|
||||
+ .len = len + 1,
|
||||
.buf = buf,
|
||||
}
|
||||
};
|
||||
@@ -75,7 +75,7 @@ static int cxd2820r_rd_regs_i2c(struct c
|
||||
}, {
|
||||
.addr = i2c,
|
||||
.flags = I2C_M_RD,
|
||||
- .len = sizeof(buf),
|
||||
+ .len = len,
|
||||
.buf = buf,
|
||||
}
|
||||
};
|
|
@ -1,46 +0,0 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Sat, 23 Nov 2013 15:59:42 +1100
|
||||
Subject: xfs: underflow bug in xfs_attrlist_by_handle()
|
||||
Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
If we allocate less than sizeof(struct attrlist) then we end up corrupting
|
||||
memory or doing a ZERO_PTR_SIZE dereference.
|
||||
|
||||
This can only be triggered with CAP_SYS_ADMIN.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Acked-by: Ben Myers <bpm@sgi.com>
|
||||
Cc: Alex Elder <elder@kernel.org>
|
||||
Reviewed-by: Dave Chinner <dchinner@redhat.com>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
fs/xfs/xfs_ioctl.c | 3 ++-
|
||||
fs/xfs/xfs_ioctl32.c | 3 ++-
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/fs/xfs/xfs_ioctl.c
|
||||
+++ b/fs/xfs/xfs_ioctl.c
|
||||
@@ -443,7 +443,8 @@ xfs_attrlist_by_handle(
|
||||
return -XFS_ERROR(EPERM);
|
||||
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
|
||||
return -XFS_ERROR(EFAULT);
|
||||
- if (al_hreq.buflen > XATTR_LIST_MAX)
|
||||
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
|
||||
+ al_hreq.buflen > XATTR_LIST_MAX)
|
||||
return -XFS_ERROR(EINVAL);
|
||||
|
||||
/*
|
||||
--- a/fs/xfs/xfs_ioctl32.c
|
||||
+++ b/fs/xfs/xfs_ioctl32.c
|
||||
@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle(
|
||||
if (copy_from_user(&al_hreq, arg,
|
||||
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
|
||||
return -XFS_ERROR(EFAULT);
|
||||
- if (al_hreq.buflen > XATTR_LIST_MAX)
|
||||
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
|
||||
+ al_hreq.buflen > XATTR_LIST_MAX)
|
||||
return -XFS_ERROR(EINVAL);
|
||||
|
||||
/*
|
|
@ -1,183 +0,0 @@
|
|||
From: Andy Honig <ahonig@google.com>
|
||||
Date: Wed, 20 Nov 2013 10:23:22 -0800
|
||||
Subject: KVM: x86: Convert vapic synchronization to _cached functions
|
||||
(CVE-2013-6368)
|
||||
Origin: https://git.kernel.org/linus/fda4e2e85589191b123d31cdc21fd33ee70f50fd
|
||||
|
||||
In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
|
||||
potential to corrupt kernel memory if userspace provides an address that
|
||||
is at the end of a page. This patches concerts those functions to use
|
||||
kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
|
||||
vapic_address specified by userspace during ioctl processing and returns
|
||||
an error to userspace if the address is not a valid GPA.
|
||||
|
||||
This is generally not guest triggerable, because the required write is
|
||||
done by firmware that runs before the guest. Also, it only affects AMD
|
||||
processors and oldish Intel that do not have the FlexPriority feature
|
||||
(unless you disable FlexPriority, of course; then newer processors are
|
||||
also affected).
|
||||
|
||||
Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
|
||||
|
||||
Reported-by: Andrew Honig <ahonig@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andrew Honig <ahonig@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
|
||||
arch/x86/kvm/lapic.h | 4 ++--
|
||||
arch/x86/kvm/x86.c | 40 +---------------------------------------
|
||||
3 files changed, 18 insertions(+), 53 deletions(-)
|
||||
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest(
|
||||
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
u32 data;
|
||||
- void *vapic;
|
||||
|
||||
if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention))
|
||||
apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic);
|
||||
@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kv
|
||||
if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
|
||||
return;
|
||||
|
||||
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
|
||||
- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr));
|
||||
- kunmap_atomic(vapic);
|
||||
+ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
|
||||
+ sizeof(u32));
|
||||
|
||||
apic_set_tpr(vcpu->arch.apic, data & 0xff);
|
||||
}
|
||||
@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_
|
||||
u32 data, tpr;
|
||||
int max_irr, max_isr;
|
||||
struct kvm_lapic *apic = vcpu->arch.apic;
|
||||
- void *vapic;
|
||||
|
||||
apic_sync_pv_eoi_to_guest(vcpu, apic);
|
||||
|
||||
@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_
|
||||
max_isr = 0;
|
||||
data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24);
|
||||
|
||||
- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
|
||||
- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data;
|
||||
- kunmap_atomic(vapic);
|
||||
+ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
|
||||
+ sizeof(u32));
|
||||
}
|
||||
|
||||
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
|
||||
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
|
||||
{
|
||||
- vcpu->arch.apic->vapic_addr = vapic_addr;
|
||||
- if (vapic_addr)
|
||||
+ if (vapic_addr) {
|
||||
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
|
||||
+ &vcpu->arch.apic->vapic_cache,
|
||||
+ vapic_addr, sizeof(u32)))
|
||||
+ return -EINVAL;
|
||||
__set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
|
||||
- else
|
||||
+ } else {
|
||||
__clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
|
||||
+ }
|
||||
+
|
||||
+ vcpu->arch.apic->vapic_addr = vapic_addr;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
|
||||
--- a/arch/x86/kvm/lapic.h
|
||||
+++ b/arch/x86/kvm/lapic.h
|
||||
@@ -34,7 +34,7 @@ struct kvm_lapic {
|
||||
*/
|
||||
void *regs;
|
||||
gpa_t vapic_addr;
|
||||
- struct page *vapic_page;
|
||||
+ struct gfn_to_hva_cache vapic_cache;
|
||||
unsigned long pending_events;
|
||||
unsigned int sipi_vector;
|
||||
};
|
||||
@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struc
|
||||
void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset);
|
||||
void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector);
|
||||
|
||||
-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
|
||||
+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
|
||||
void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu);
|
||||
void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu);
|
||||
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -3192,8 +3192,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi
|
||||
r = -EFAULT;
|
||||
if (copy_from_user(&va, argp, sizeof va))
|
||||
goto out;
|
||||
- r = 0;
|
||||
- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
|
||||
+ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
|
||||
break;
|
||||
}
|
||||
case KVM_X86_SETUP_MCE: {
|
||||
@@ -5718,36 +5717,6 @@ static void post_kvm_run_save(struct kvm
|
||||
!kvm_event_needs_reinjection(vcpu);
|
||||
}
|
||||
|
||||
-static int vapic_enter(struct kvm_vcpu *vcpu)
|
||||
-{
|
||||
- struct kvm_lapic *apic = vcpu->arch.apic;
|
||||
- struct page *page;
|
||||
-
|
||||
- if (!apic || !apic->vapic_addr)
|
||||
- return 0;
|
||||
-
|
||||
- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
|
||||
- if (is_error_page(page))
|
||||
- return -EFAULT;
|
||||
-
|
||||
- vcpu->arch.apic->vapic_page = page;
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-static void vapic_exit(struct kvm_vcpu *vcpu)
|
||||
-{
|
||||
- struct kvm_lapic *apic = vcpu->arch.apic;
|
||||
- int idx;
|
||||
-
|
||||
- if (!apic || !apic->vapic_addr)
|
||||
- return;
|
||||
-
|
||||
- idx = srcu_read_lock(&vcpu->kvm->srcu);
|
||||
- kvm_release_page_dirty(apic->vapic_page);
|
||||
- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
|
||||
- srcu_read_unlock(&vcpu->kvm->srcu, idx);
|
||||
-}
|
||||
-
|
||||
static void update_cr8_intercept(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
int max_irr, tpr;
|
||||
@@ -6047,11 +6016,6 @@ static int __vcpu_run(struct kvm_vcpu *v
|
||||
struct kvm *kvm = vcpu->kvm;
|
||||
|
||||
vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
|
||||
- r = vapic_enter(vcpu);
|
||||
- if (r) {
|
||||
- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
|
||||
- return r;
|
||||
- }
|
||||
|
||||
r = 1;
|
||||
while (r > 0) {
|
||||
@@ -6110,8 +6074,6 @@ static int __vcpu_run(struct kvm_vcpu *v
|
||||
|
||||
srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
|
||||
|
||||
- vapic_exit(vcpu);
|
||||
-
|
||||
return r;
|
||||
}
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
From: Gleb Natapov <gleb@redhat.com>
|
||||
Date: Thu, 12 Dec 2013 21:20:08 +0100
|
||||
Subject: KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
|
||||
Origin: https://git.kernel.org/linus/17d68b763f09a9ce824ae23eb62c9efc57b69271
|
||||
|
||||
A guest can cause a BUG_ON() leading to a host kernel crash.
|
||||
When the guest writes to the ICR to request an IPI, while in x2apic
|
||||
mode the following things happen, the destination is read from
|
||||
ICR2, which is a register that the guest can control.
|
||||
|
||||
kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
|
||||
cluster id. A BUG_ON is triggered, which is a protection against
|
||||
accessing map->logical_map with an out-of-bounds access and manages
|
||||
to avoid that anything really unsafe occurs.
|
||||
|
||||
The logic in the code is correct from real HW point of view. The problem
|
||||
is that KVM supports only one cluster with ID 0 in clustered mode, but
|
||||
the code that has the bug does not take this into account.
|
||||
|
||||
Reported-by: Lars Bull <larsbull@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Gleb Natapov <gleb@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/lapic.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
|
||||
index b8bec45..dec48bf 100644
|
||||
--- a/arch/x86/kvm/lapic.c
|
||||
+++ b/arch/x86/kvm/lapic.c
|
||||
@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic)
|
||||
return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
|
||||
}
|
||||
|
||||
+#define KVM_X2APIC_CID_BITS 0
|
||||
+
|
||||
static void recalculate_apic_map(struct kvm *kvm)
|
||||
{
|
||||
struct kvm_apic_map *new, *old = NULL;
|
||||
@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm)
|
||||
if (apic_x2apic_mode(apic)) {
|
||||
new->ldr_bits = 32;
|
||||
new->cid_shift = 16;
|
||||
- new->cid_mask = new->lid_mask = 0xffff;
|
||||
+ new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1;
|
||||
+ new->lid_mask = 0xffff;
|
||||
} else if (kvm_apic_sw_enabled(apic) &&
|
||||
!new->cid_mask /* flat mode */ &&
|
||||
kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
|
|
@ -77,13 +77,7 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
|||
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
||||
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
||||
bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
|
||||
bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
bugfix/arm/ahci-imx-Explicitly-clear-IMX6Q_GPR13_SATA_MPLL_CLK_.patch
|
||||
bugfix/all/disable-some-marvell-phys.patch
|
||||
features/all/media-az6007-support-Technisat-Cablestar-Combo-HDCI-.patch
|
||||
bugfix/all/alpha-Prevent-a-NULL-ptr-dereference-in-csum_partial.patch
|
||||
bugfix/all/media-cxd2820r_core-fix-sparse-warnings.patch
|
||||
bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch
|
||||
bugfix/all/KVM-x86-Fix-potential-divide-by-0-in-lapic-CVE-2013-.patch
|
||||
bugfix/x86/KVM-x86-Convert-vapic-synchronization-to-_cached-fun.patch
|
||||
bugfix/x86/KVM-x86-fix-guest-initiated-crash-with-x2apic-CVE-20.patch
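Review bot: The removal of `bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch` from the series (this hunk drops six lines and the patch file itself is deleted above, so it appears to be one of them) is the only drop here that is not traceable to the 3.12.6 changelog excerpt in debian/changelog, which names the four KVM CVE fixes and the cxd2820r regression fix but for xfs lists only the growfs AGFL overrun. If the lower bound `al_hreq.buflen < sizeof(struct attrlist)` is not in upstream 3.12.6, dropping the patch silently reintroduces the undersized-allocation memory corruption its description gives for xfs_attrlist_by_handle() and its compat variant, reachable by a CAP_SYS_ADMIN caller through the attrlist-by-handle ioctl. I would either cite the upstream commit for it in the 3.12.6 changelog entry alongside the others, or keep the patch in the series until its presence in fs/xfs/xfs_ioctl.c and fs/xfs/xfs_ioctl32.c of the new tarball has been confirmed.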
|
||||
|
|