From 13c48296bea28f4c27408bb4c52427e0cff365cd Mon Sep 17 00:00:00 2001 
From: Ben Hutchings
Date: Wed, 3 Dec 2014 05:58:41 +0000
Subject: [PATCH] Update to 3.16.7-ckt1

svn path=/dists/sid/linux/; revision=22101
---
 debian/changelog | 113 +++++-
 ...-dbg-files-into-the-correct-director.patch | 52 ---
 ...read-and-max_write-in-direct_io-mode.patch | 123 -------
 ...t_root-from-creating-a-loop-in-the-m.patch | 42 ---
 ...-m25p80-get-rid-of-spi_get_device_id.patch | 46 ---
 ...pi-nor-Fix-module-aliases-for-m25p80.patch | 125 -------
 ...-for-struct-flash_platform_data-into.patch | 119 -------
 ...-spi_nor_scan-take-a-chip-type-name-.patch | 162 ---------
 ...fix-panic-on-duplicate-ASCONF-chunks.patch | 87 -----
 ...ote-memory-pressure-from-excessive-q.patch | 149 --------
 ..._over_panic-when-receiving-malformed.patch | 336 ------------------
 ...get_pages-to-passing-maximal-number-.patch | 119 -------
 ...ISA-restrictions-for-cop1x_op-instru.patch | 50 ---
 ...rly-fix-HUGE-TLB-Refill-exception-ha.patch | 90 -----
 ...k-non-canonical-addresses-upon-WRMSR.patch | 135 -------
 ...-fixes-for-eip-canonical-checks-on-n.patch | 229 ------------
 ...-wrong-masking-on-relative-jump-call.patch | 60 ----
 ...rrors-when-RIP-is-set-during-far-jum.patch | 246 -------------
 ...KVM-x86-Improve-thread-safety-in-pit.patch | 34 --
 ...host-from-panicking-on-shared-MSR-wr.patch | 81 -----
 ...mx-handle-invvpid-vm-exit-gracefully.patch | 72 ----
 ...-fix-far-jump-to-non-canonical-check.patch | 58 ---
 ...less-rt2x00-add-new-rt2800usb-device.patch | 26 --
 debian/patches/series | 22 --
 24 files changed, 112 insertions(+), 2464 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/builddeb-put-the-dbg-files-into-the-correct-director.patch
 delete mode 100644 debian/patches/bugfix/all/fuse-honour-max_read-and-max_write-in-direct_io-mode.patch
 delete mode 100644 debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
 delete mode 100644 debian/patches/bugfix/all/mtd-m25p80-get-rid-of-spi_get_device_id.patch
 delete mode 100644 debian/patches/bugfix/all/mtd-m25p80-spi-nor-Fix-module-aliases-for-m25p80.patch
 delete mode 100644 debian/patches/bugfix/all/mtd-move-support-for-struct-flash_platform_data-into.patch
 delete mode 100644 debian/patches/bugfix/all/mtd-spi-nor-make-spi_nor_scan-take-a-chip-type-name-.patch
 delete mode 100644 debian/patches/bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
 delete mode 100644 debian/patches/bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
 delete mode 100644 debian/patches/bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
 delete mode 100644 debian/patches/bugfix/all/switch-iov_iter_get_pages-to-passing-maximal-number-.patch
 delete mode 100644 debian/patches/bugfix/mips/MIPS-cp1emu-Fix-ISA-restrictions-for-cop1x_op-instru.patch
 delete mode 100644 debian/patches/bugfix/mips/MIPS-tlbex-Properly-fix-HUGE-TLB-Refill-exception-ha.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Improve-thread-safety-in-pit.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
 delete mode 100644 debian/patches/bugfix/x86/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
 delete mode 100644 debian/patches/bugfix/x86/kvm-x86-fix-far-jump-to-non-canonical-check.patch
 delete mode 100644 debian/patches/features/all/wireless-rt2x00-add-new-rt2800usb-device.patch

diff --git a/debian/changelog b/debian/changelog
index 9a54ce9e6..928b7553c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,115 @@
-linux (3.16.7-3) UNRELEASED; urgency=medium
+linux (3.16.7-ckt1-1) UNRELEASED; urgency=medium
+
+  * New upstream stable update:
+    http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt1
+    - drm/tilcdc: Fix the error path in tilcdc_load()
+    - usb: phy: return -ENODEV on failure of try_module_get
+    - PM / clk: Fix crash in clocks management code if !CONFIG_PM_RUNTIME
+    - rt2x00: support Ralink 5362.
+    - wireless: rt2x00: add new rt2800usb devices
+    - NFS: Fix /proc/fs/nfsfs/servers and /proc/fs/nfsfs/volumes
+    - nfs: fix duplicate proc entries
+    - mm: page_alloc: fix zone allocation fairness on UP
+    - ext4: check EA value offset when loading
+    - jbd2: free bh when descriptor block checksum fails
+    - ext4: don't check quota format when there are no quota files
+    - target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+    - vfs: fix data corruption when blocksize < pagesize for mmaped data
+    - ext4: fix mmap data corruption when blocksize < pagesize
+    - ext4: grab missed write_count for EXT4_IOC_SWAP_BOOT
+    - qla_target: don't delete changed nacls
+    - target: Fix APTPL metadata handling for dynamic MappedLUNs
+    - iser-target: Disable TX completion interrupt coalescing
+    - ext4: don't orphan or truncate the boot loader inode
+    - ext4: add ext4_iget_normal() which is to be used for dir tree lookups
+    - ext4: fix reservation overflow in ext4_da_write_begin
+    - ext4: Replace open coded mdata csum feature to helper function
+    - ext4: move error report out of atomic context in ext4_init_block_bitmap()
+    - ext4: check s_chksum_driver when looking for bg csum presence
+    - drm/radeon: fix speaker allocation setup
+    - drm/radeon: use gart memory for DMA ring tests
+    - random: add and use memzero_explicit() for clearing data
+    - freezer: Do not freeze tasks killed by OOM killer
+    - OOM, PM: OOM killed task shouldn't escape PM suspend
+    - [mips*/loongson-2f] loongson2_cpufreq: Fix CPU clock rate setting mismerge
+    - drm/cirrus: bind also to qemu-xen-traditional
+    - cpufreq: intel_pstate: Fix setting max_perf_pct in performance policy
+    - cpufreq: expose scaling_cur_freq sysfs file for set_policy() drivers
+    - cpufreq: intel_pstate: Reflect current no_turbo state correctly
+    - [x86] intel_pstate: Don't lose sysfs settings during cpu offline
+    - [x86] intel_pstate: Fix BYT frequency reporting
+    - [x86] intel_pstate: Correct BYT VID values.
+    - [x86] kvm: don't kill guest on unknown exit reason
+    - kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+    - vfs: be careful with nd->inode in path_init() and follow_dotdot_rcu()
+    - pstore: Fix duplicate {console,ftrace}-efi entries
+    - [x86] bpf_jit: fix two bugs in eBPF JIT compiler (regression in 3.16)
+    - vxlan: fix a use after free in vxlan_encap_bypass
+    - vxlan: using pskb_may_pull as early as possible
+    - vxlan: fix a free after use
+    - ipv4: dst_entry leak in ip_send_unicast_reply()
+    - ipv4: fix a potential use after free in ip_tunnel_core.c
+      (regression in 3.11)
+    - net: tso: fix unaligned access to crafted TCP header in helper API
+    - [x86] hyperv: Fix the total_data_buflen in send path
+    - tcp: md5: do not use alloc_percpu()
+    - macvlan: fix a race on port dismantle and possible skb leaks
+      (regression in 3.16)
+    - net/mlx4_en: Don't attempt to TX offload the outer UDP checksum for VXLAN
+      (regression in 3.14)
+    - gre: Use inner mac length when computing tunnel length
+      (regression in 3.14)
+    - [armhf] spi: pl022: Fix incorrect dma_unmap_sg
+    - mac80211: fix typo in starting baserate for rts_cts_rate_idx
+    - staging: comedi: (regression) channel list must be set for COMEDI_CMD
+      ioctl (regression in 3.15)
+    - nfsd4: fix response size estimation for OP_SEQUENCE (regression in 3.16)
+    - quota: Properly return errors from dquot_writeback_dquots()
+    - i3200_edac: Report CE events properly
+    - i82860_edac: Report CE events properly
+    - cpc925_edac: Report UE events properly
+    - e7xxx_edac: Report CE events properly
+    - scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND
+    - usb: serial: ftdi_sio: add "bricked" FTDI device PID
+    - [armhf] Revert "usb: dwc3: dwc3-omap: Disable/Enable only wrapper
+      interrupts in prepare/complete" (regression in 3.16)
+    - usb: gadget: f_fs: remove redundant ffs_data_get() (regression in 3.14)
+    - [armhf] usb: ffs: fix regression when quirk_ep_out_aligned_size flag is
+      set (regression in 3.15)
+    - [armhf] usb: musb: dsps: start OTG timer on resume again
+      (regression in 3.16.6)
+    - usb: gadget: udc: core: fix kernel oops with soft-connect
+    - nfsd4: fix crash on unknown operation number
+    - Revert "iwlwifi: mvm: treat EAPOLs like mgmt frames wrt rate"
+      (regression in 3.16.4)
+    - [armhf] usb: dwc3: gadget: Properly initialize LINK TRB
+    - posix-timers: Fix stack info leak in timer_create()
+    - futex: Fix a race condition between REQUEUE_PI and task death
+    - ALSA: bebob: Uninitialized id returned by saffirepro_both_clk_src_get
+    - PM / Sleep: fix async suspend_late/freeze_late error handling
+      (regression in 3.15)
+    - Revert "block: all blk-mq requests are tagged" (regression in 3.16)
+    - ALSA: pcm: Zero-clear reserved fields of PCM status ioctl in compat mode
+    - zap_pte_range: update addr when forcing flush after TLB batching faiure
+    - staging: comedi: fix memory leak / bad pointer freeing for chanlist
+      (regression in 3.15)
+    - [x86] drm/i915: Ignore VBT backlight check on Macbook 2, 1
+      (regression in 3.15)
+    - [i386/686-pae] pageattr: Prevent overflow in slow_virt_to_phys() for
+      X86_PAE
+    - [x86] ACPI / EC: Fix regression due to conflicting firmware behavior
+      between Samsung and Acer. (regression in 3.16.3)
+    - mm: free compound page with correct order
+    - lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}()
+    - ext4: fix overflow when updating superblock backups after resize
+    - ext4: fix oops when loading block bitmap failed
+    - ext4: enable journal checksum when metadata checksum feature enabled
+    - ext4: prevent bugon on race between write/fcntl
+    - ext4: bail out from make_indexed_dir() on first error
+    - PCI: Rename sysfs 'enabled' file back to 'enable' (regression in 3.13)
+    - fs: allow open(dir, O_TMPFILE|..., 0) with mode 0
+    - [arm*] tracing/syscalls: Ignore numbers outside NR_syscalls' range
+    - nfs: fix kernel warning when removing proc entry
 
   [ Ben Hutchings ]
   * [x86] Complete Thunderbolt support on Apple computers (Closes: #768653)
diff --git a/debian/patches/bugfix/all/builddeb-put-the-dbg-files-into-the-correct-director.patch b/debian/patches/bugfix/all/builddeb-put-the-dbg-files-into-the-correct-director.patch
deleted file mode 100644
index e259e41ba..000000000
--- a/debian/patches/bugfix/all/builddeb-put-the-dbg-files-into-the-correct-director.patch
+++ /dev/null
@@ -1,52 +0,0 @@ -From: Michal Marek -Date: Fri, 22 Aug 2014 15:51:03 +0200 -Subject: builddeb: put the dbg files into the correct directory -Origin: https://git.kernel.org/cgit/linux/kernel/git/mmarek/kbuild.git//commit?id=2d0871396995139b37f9ceb153c8b07589148343 - -Since the conversion of objtree to use relative pathnames (commit -7e1c04779e, "kbuild: Use relative path for $(objtree)"), the debug -info files have been ending up in /debian/dbgtmp/ in the regular -linux-image package instead of the debug files package. Fix up the -paths so that the debug files end up in the -dbg package. - -This is based on a similar patch by Darrick. - -Reported-and-tested-by: "Darrick J. Wong" -Signed-off-by: Michal Marek ---- - scripts/package/builddeb | 22 ++++++++++------------ - 1 file changed, 10 insertions(+), 12 deletions(-) - -diff --git a/scripts/package/builddeb b/scripts/package/builddeb -index 35d5a58..7c0e6e4 100644 ---- a/scripts/package/builddeb -+++ b/scripts/package/builddeb -@@ -152,18 +152,16 @@ if grep -q '^CONFIG_MODULES=y' $KCONFIG_CONFIG ; then - rmdir "$tmpdir/lib/modules/$version" - fi - if [ -n "$BUILD_DEBUG" ] ; then -- ( -- cd $tmpdir -- for module in $(find lib/modules/ -name *.ko); do -- mkdir -p $(dirname $dbg_dir/usr/lib/debug/$module) -- # only keep debug symbols in the debug file -- $OBJCOPY --only-keep-debug $module $dbg_dir/usr/lib/debug/$module -- # strip original module from debug symbols -- $OBJCOPY --strip-debug $module -- # then add a link to those -- $OBJCOPY --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $module -- done -- ) -+ for module in $(find $tmpdir/lib/modules/ -name *.ko -printf '%P\n'); do -+ module=lib/modules/$module -+ mkdir -p $(dirname $dbg_dir/usr/lib/debug/$module) -+ # only keep debug symbols in the debug file -+ $OBJCOPY --only-keep-debug $tmpdir/$module $dbg_dir/usr/lib/debug/$module -+ # strip original module from debug symbols -+ $OBJCOPY --strip-debug $tmpdir/$module -+ # then add a link to those -+ $OBJCOPY 
--add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $tmpdir/$module -+ done - fi - fi - diff --git a/debian/patches/bugfix/all/fuse-honour-max_read-and-max_write-in-direct_io-mode.patch b/debian/patches/bugfix/all/fuse-honour-max_read-and-max_write-in-direct_io-mode.patch deleted file mode 100644 index e039cba2a..000000000 --- a/debian/patches/bugfix/all/fuse-honour-max_read-and-max_write-in-direct_io-mode.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From: Miklos Szeredi -Date: Wed, 24 Sep 2014 17:09:11 +0200 -Subject: fuse: honour max_read and max_write in direct_io mode -Origin: https://git.kernel.org/linus/2c80929c4c4d54e568b07ab85877d5fd38f4b02f - -The third argument of fuse_get_user_pages() "nbytesp" refers to the number of -bytes a caller asked to pack into fuse request. This value may be lesser -than capacity of fuse request or iov_iter. So fuse_get_user_pages() must -ensure that *nbytesp won't grow. - -Now, when helper iov_iter_get_pages() performs all hard work of extracting -pages from iov_iter, it can be done by passing properly calculated -"maxsize" to the helper. - -The other caller of iov_iter_get_pages() (dio_refill_pages()) doesn't need -this capability, so pass LONG_MAX as the maxsize argument here. - -Fixes: c9c37e2e6378 ("fuse: switch to iov_iter_get_pages()") -Reported-by: Werner Baumann -Tested-by: Maxim Patlasov -Signed-off-by: Miklos Szeredi -Signed-off-by: Al Viro ---- - fs/direct-io.c | 2 +- - fs/fuse/file.c | 1 + - include/linux/uio.h | 2 +- - mm/iov_iter.c | 14 +++++++++----- - 4 files changed, 12 insertions(+), 7 deletions(-) - -diff --git a/fs/direct-io.c b/fs/direct-io.c -index c311640..e181b6b 100644 ---- a/fs/direct-io.c -+++ b/fs/direct-io.c -@@ -158,7 +158,7 @@ static inline int dio_refill_pages(struct dio *dio, struct dio_submit *sdio) - { - ssize_t ret; - -- ret = iov_iter_get_pages(sdio->iter, dio->pages, DIO_PAGES, -+ ret = iov_iter_get_pages(sdio->iter, dio->pages, LONG_MAX, DIO_PAGES, - &sdio->from); - - if (ret < 0 && sdio->blocks_available && (dio->rw & WRITE)) { -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 912061a..caa8d95 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -1305,6 +1305,7 @@ static int fuse_get_user_pages(struct fuse_req *req, struct iov_iter *ii, - size_t start; - ssize_t ret = iov_iter_get_pages(ii, - &req->pages[req->num_pages], -+ *nbytesp - nbytes, - req->max_pages - req->num_pages, - &start); - if (ret < 0) -diff 
--git a/include/linux/uio.h b/include/linux/uio.h -index 48d64e6..290fbf0 100644 ---- a/include/linux/uio.h -+++ b/include/linux/uio.h -@@ -84,7 +84,7 @@ unsigned long iov_iter_alignment(const struct iov_iter *i); - void iov_iter_init(struct iov_iter *i, int direction, const struct iovec *iov, - unsigned long nr_segs, size_t count); - ssize_t iov_iter_get_pages(struct iov_iter *i, struct page **pages, -- unsigned maxpages, size_t *start); -+ size_t maxsize, unsigned maxpages, size_t *start); - ssize_t iov_iter_get_pages_alloc(struct iov_iter *i, struct page ***pages, - size_t maxsize, size_t *start); - int iov_iter_npages(const struct iov_iter *i, int maxpages); -diff --git a/mm/iov_iter.c b/mm/iov_iter.c -index ab88dc0..9a09f20 100644 ---- a/mm/iov_iter.c -+++ b/mm/iov_iter.c -@@ -310,7 +310,7 @@ void iov_iter_init(struct iov_iter *i, int direction, - EXPORT_SYMBOL(iov_iter_init); - - static ssize_t get_pages_iovec(struct iov_iter *i, -- struct page **pages, unsigned maxpages, -+ struct page **pages, size_t maxsize, unsigned maxpages, - size_t *start) - { - size_t offset = i->iov_offset; -@@ -323,6 +323,8 @@ static ssize_t get_pages_iovec(struct iov_iter *i, - len = iov->iov_len - offset; - if (len > i->count) - len = i->count; -+ if (len > maxsize) -+ len = maxsize; - addr = (unsigned long)iov->iov_base + offset; - len += *start = addr & (PAGE_SIZE - 1); - if (len > maxpages * PAGE_SIZE) -@@ -588,13 +590,15 @@ static unsigned long alignment_bvec(const struct iov_iter *i) - } - - static ssize_t get_pages_bvec(struct iov_iter *i, -- struct page **pages, unsigned maxpages, -+ struct page **pages, size_t maxsize, unsigned maxpages, - size_t *start) - { - const struct bio_vec *bvec = i->bvec; - size_t len = bvec->bv_len - i->iov_offset; - if (len > i->count) - len = i->count; -+ if (len > maxsize) -+ len = maxsize; - /* can't be more than PAGE_SIZE */ - *start = bvec->bv_offset + i->iov_offset; - -@@ -711,13 +715,13 @@ unsigned long iov_iter_alignment(const struct 
iov_iter *i) - EXPORT_SYMBOL(iov_iter_alignment); - - ssize_t iov_iter_get_pages(struct iov_iter *i, -- struct page **pages, unsigned maxpages, -+ struct page **pages, size_t maxsize, unsigned maxpages, - size_t *start) - { - if (i->type & ITER_BVEC) -- return get_pages_bvec(i, pages, maxpages, start); -+ return get_pages_bvec(i, pages, maxsize, maxpages, start); - else -- return get_pages_iovec(i, pages, maxpages, start); -+ return get_pages_iovec(i, pages, maxsize, maxpages, start); - } - EXPORT_SYMBOL(iov_iter_get_pages); - diff --git a/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch deleted file mode 100644 index e2cccaadb..000000000 --- a/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From: "Eric W. Biederman" -Date: Wed, 8 Oct 2014 10:42:27 -0700 -Subject: mnt: Prevent pivot_root from creating a loop in the mount tree -Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d - -Andy Lutomirski recently demonstrated that when chroot is used to set -the root path below the path for the new ``root'' passed to pivot_root -the pivot_root system call succeeds and leaks mounts. - -In examining the code I see that starting with a new root that is -below the current root in the mount tree will result in a loop in the -mount tree after the mounts are detached and then reattached to one -another. Resulting in all kinds of ugliness including a leak of that -mounts involved in the leak of the mount loop. - -Prevent this problem by ensuring that the new mount is reachable from -the current root of the mount tree. - -[Added stable cc. Fixes CVE-2014-7970. --Andy] - -Cc: stable@vger.kernel.org -Reported-by: Andy Lutomirski -Reviewed-by: Andy Lutomirski -Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org -Signed-off-by: "Eric W. Biederman" -Signed-off-by: Andy Lutomirski ---- - fs/namespace.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _ - /* make sure we can reach put_old from new_root */ - if (!is_path_reachable(old_mnt, old.dentry, &new)) - goto out4; -+ /* make certain new is below the root */ -+ if (!is_path_reachable(new_mnt, new.dentry, &root)) -+ goto out4; - root_mp->m_count++; /* pin it so it won't go away */ - lock_mount_hash(); - detach_mnt(new_mnt, &parent_path); diff --git a/debian/patches/bugfix/all/mtd-m25p80-get-rid-of-spi_get_device_id.patch b/debian/patches/bugfix/all/mtd-m25p80-get-rid-of-spi_get_device_id.patch deleted file mode 100644 index e308907ed..000000000 --- a/debian/patches/bugfix/all/mtd-m25p80-get-rid-of-spi_get_device_id.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= -Date: Mon, 29 Sep 2014 11:47:53 +0200 -Subject: [2/4] mtd: m25p80: get rid of spi_get_device_id -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: http://git.infradead.org/l2-mtd.git/commit/90e55b3812a1245bb674afcc4410ddba7db402f6 - -This simplifies the way we use spi_nor framework and will allow us to -drop spi_nor_match_id. - -Signed-off-by: Rafał Miłecki -Signed-off-by: Brian Norris ---- - drivers/mtd/devices/m25p80.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c -index dcda628..822209d 100644 ---- a/drivers/mtd/devices/m25p80.c -+++ b/drivers/mtd/devices/m25p80.c -@@ -197,6 +197,7 @@ static int m25p_probe(struct spi_device *spi) - struct m25p *flash; - struct spi_nor *nor; - enum read_mode mode = SPI_NOR_NORMAL; -+ char *flash_name = NULL; - int ret; - - data = dev_get_platdata(&spi->dev); -@@ -236,12 +237,11 @@ static int m25p_probe(struct spi_device *spi) - * If that's the case, respect "type" and ignore a "name". - */ - if (data && data->type) -- id = spi_nor_match_id(data->type); -- -- /* If we didn't get name from platform, simply use "modalias". */ -- if (!id) -- id = spi_get_device_id(spi); -+ flash_name = data->type; -+ else -+ flash_name = spi->modalias; - -+ id = spi_nor_match_id(flash_name); - ret = spi_nor_scan(nor, id, mode); - if (ret) - return ret; diff --git a/debian/patches/bugfix/all/mtd-m25p80-spi-nor-Fix-module-aliases-for-m25p80.patch b/debian/patches/bugfix/all/mtd-m25p80-spi-nor-Fix-module-aliases-for-m25p80.patch deleted file mode 100644 index faa9fdf44..000000000 --- a/debian/patches/bugfix/all/mtd-m25p80-spi-nor-Fix-module-aliases-for-m25p80.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From: Ben Hutchings -Date: Tue, 30 Sep 2014 03:14:55 +0100 -Subject: [4/4] mtd: m25p80,spi-nor: Fix module aliases for m25p80 -Origin: http://git.infradead.org/l2-mtd.git/commit/a5b7616c55e188fe3d6ef686bef402d4703ecb62 - -m25p80's device ID table is now spi_nor_ids, defined in spi-nor. The -MODULE_DEVICE_TABLE() macro doesn't work with extern definitions, but -its use was also removed at the same time. Now if m25p80 is built as -a module it doesn't get the necessary aliases to be loaded -automatically. - -A clean solution to this will involve defining the list of device -IDs in spi-nor.h and removing struct spi_device_id from the spi-nor -API, but this is quite a large change. - -As a quick fix suitable for stable, copy the device IDs back into -m25p80. - -Fixes: 03e296f613af ("mtd: m25p80: use the SPI nor framework") -Cc: # 3.16.x: 32f1b7c8352f: mtd: move support for struct flash_platform_data into m25p80 -Cc: # 3.16.x: 90e55b3812a1: mtd: m25p80: get rid of spi_get_device_id -Cc: # 3.16.x: 70f3ce0510af: mtd: spi-nor: make spi_nor_scan() take a chip type name, not spi_device_id -Cc: # 3.16.x -Signed-off-by: Ben Hutchings -Signed-off-by: Brian Norris ---- - drivers/mtd/devices/m25p80.c | 52 ++++++++++++++++++++++++++++++++++++++++++- - drivers/mtd/spi-nor/spi-nor.c | 3 +-- - include/linux/mtd/spi-nor.h | 1 - - 3 files changed, 52 insertions(+), 4 deletions(-) - ---- a/drivers/mtd/devices/m25p80.c -+++ b/drivers/mtd/devices/m25p80.c -@@ -261,12 +261,62 @@ static int m25p_remove(struct spi_device - } - - -+/* -+ * XXX This needs to be kept in sync with spi_nor_ids. We can't share -+ * it with spi-nor, because if this is built as a module then modpost -+ * won't be able to read it and add appropriate aliases. 
-+ */ -+static const struct spi_device_id m25p_ids[] = { -+ {"at25fs010"}, {"at25fs040"}, {"at25df041a"}, {"at25df321a"}, -+ {"at25df641"}, {"at26f004"}, {"at26df081a"}, {"at26df161a"}, -+ {"at26df321"}, {"at45db081d"}, -+ {"en25f32"}, {"en25p32"}, {"en25q32b"}, {"en25p64"}, -+ {"en25q64"}, {"en25qh128"}, {"en25qh256"}, -+ {"f25l32pa"}, -+ {"mr25h256"}, {"mr25h10"}, -+ {"gd25q32"}, {"gd25q64"}, -+ {"160s33b"}, {"320s33b"}, {"640s33b"}, -+ {"mx25l2005a"}, {"mx25l4005a"}, {"mx25l8005"}, {"mx25l1606e"}, -+ {"mx25l3205d"}, {"mx25l3255e"}, {"mx25l6405d"}, {"mx25l12805d"}, -+ {"mx25l12855e"},{"mx25l25635e"},{"mx25l25655e"},{"mx66l51235l"}, -+ {"mx66l1g55g"}, -+ {"n25q064"}, {"n25q128a11"}, {"n25q128a13"}, {"n25q256a"}, -+ {"n25q512a"}, {"n25q512ax3"}, {"n25q00"}, -+ {"pm25lv512"}, {"pm25lv010"}, {"pm25lq032"}, -+ {"s25sl032p"}, {"s25sl064p"}, {"s25fl256s0"}, {"s25fl256s1"}, -+ {"s25fl512s"}, {"s70fl01gs"}, {"s25sl12800"}, {"s25sl12801"}, -+ {"s25fl129p0"}, {"s25fl129p1"}, {"s25sl004a"}, {"s25sl008a"}, -+ {"s25sl016a"}, {"s25sl032a"}, {"s25sl064a"}, {"s25fl008k"}, -+ {"s25fl016k"}, {"s25fl064k"}, -+ {"sst25vf040b"},{"sst25vf080b"},{"sst25vf016b"},{"sst25vf032b"}, -+ {"sst25vf064c"},{"sst25wf512"}, {"sst25wf010"}, {"sst25wf020"}, -+ {"sst25wf040"}, -+ {"m25p05"}, {"m25p10"}, {"m25p20"}, {"m25p40"}, -+ {"m25p80"}, {"m25p16"}, {"m25p32"}, {"m25p64"}, -+ {"m25p128"}, {"n25q032"}, -+ {"m25p05-nonjedec"}, {"m25p10-nonjedec"}, {"m25p20-nonjedec"}, -+ {"m25p40-nonjedec"}, {"m25p80-nonjedec"}, {"m25p16-nonjedec"}, -+ {"m25p32-nonjedec"}, {"m25p64-nonjedec"}, {"m25p128-nonjedec"}, -+ {"m45pe10"}, {"m45pe80"}, {"m45pe16"}, -+ {"m25pe20"}, {"m25pe80"}, {"m25pe16"}, -+ {"m25px16"}, {"m25px32"}, {"m25px32-s0"}, {"m25px32-s1"}, -+ {"m25px64"}, -+ {"w25x10"}, {"w25x20"}, {"w25x40"}, {"w25x80"}, -+ {"w25x16"}, {"w25x32"}, {"w25q32"}, {"w25q32dw"}, -+ {"w25x64"}, {"w25q64"}, {"w25q128"}, {"w25q80"}, -+ {"w25q80bl"}, {"w25q128"}, {"w25q256"}, {"cat25c11"}, -+ {"cat25c03"}, {"cat25c09"}, 
{"cat25c17"}, {"cat25128"}, -+ { }, -+}; -+MODULE_DEVICE_TABLE(spi, m25p_ids); -+ -+ - static struct spi_driver m25p80_driver = { - .driver = { - .name = "m25p80", - .owner = THIS_MODULE, - }, -- .id_table = spi_nor_ids, -+ .id_table = m25p_ids, - .probe = m25p_probe, - .remove = m25p_remove, - ---- a/drivers/mtd/spi-nor/spi-nor.c -+++ b/drivers/mtd/spi-nor/spi-nor.c -@@ -429,7 +429,7 @@ struct flash_info { - * more nor chips. This current list focusses on newer chips, which - * have been converging on command sets which including JEDEC ID. - */ --const struct spi_device_id spi_nor_ids[] = { -+static const struct spi_device_id spi_nor_ids[] = { - /* Atmel -- some are (confusingly) marketed as "DataFlash" */ - { "at25fs010", INFO(0x1f6601, 0, 32 * 1024, 4, SECT_4K) }, - { "at25fs040", INFO(0x1f6604, 0, 64 * 1024, 8, SECT_4K) }, -@@ -590,7 +590,6 @@ const struct spi_device_id spi_nor_ids[] - { "cat25128", CAT25_INFO(2048, 8, 64, 2, SPI_NOR_NO_ERASE | SPI_NOR_NO_FR) }, - { }, - }; --EXPORT_SYMBOL_GPL(spi_nor_ids); - - static const struct spi_device_id *spi_nor_read_id(struct spi_nor *nor) - { ---- a/include/linux/mtd/spi-nor.h -+++ b/include/linux/mtd/spi-nor.h -@@ -195,6 +195,5 @@ struct spi_nor { - * Return: 0 for success, others for failure. - */ - int spi_nor_scan(struct spi_nor *nor, const char *name, enum read_mode mode); --extern const struct spi_device_id spi_nor_ids[]; - - #endif diff --git a/debian/patches/bugfix/all/mtd-move-support-for-struct-flash_platform_data-into.patch b/debian/patches/bugfix/all/mtd-move-support-for-struct-flash_platform_data-into.patch deleted file mode 100644 index 4d1c73fcd..000000000 --- a/debian/patches/bugfix/all/mtd-move-support-for-struct-flash_platform_data-into.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= -Date: Sun, 28 Sep 2014 22:36:54 +0200 -Subject: [1/4] mtd: move support for struct flash_platform_data into m25p80 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: http://git.infradead.org/l2-mtd.git/commit/32f1b7c8352fd33d41bcec3cfb054ccdcfd40a42 - -This "type" seems to be an extra hint for m25p80 about the flash. Some -archs register flash_platform_data with "name" set to "m25p80" and then -with a real flash name set in "type". It seems to be a trick specific -to the m25p80 so let's move it out of spi-nor. -Btw switch to the spi_nor_match_id instead of iterating spi_nor_ids. - -Signed-off-by: Rafał Miłecki -Signed-off-by: Brian Norris ---- - drivers/mtd/devices/m25p80.c | 22 ++++++++++++++++++++-- - drivers/mtd/spi-nor/spi-nor.c | 28 +--------------------------- - 2 files changed, 21 insertions(+), 29 deletions(-) - ---- a/drivers/mtd/devices/m25p80.c -+++ b/drivers/mtd/devices/m25p80.c -@@ -193,11 +193,14 @@ static int m25p_probe(struct spi_device - { - struct mtd_part_parser_data ppdata; - struct flash_platform_data *data; -+ const struct spi_device_id *id = NULL; - struct m25p *flash; - struct spi_nor *nor; - enum read_mode mode = SPI_NOR_NORMAL; - int ret; - -+ data = dev_get_platdata(&spi->dev); -+ - flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL); - if (!flash) - return -ENOMEM; -@@ -223,11 +226,26 @@ static int m25p_probe(struct spi_device - mode = SPI_NOR_QUAD; - else if (spi->mode & SPI_RX_DUAL) - mode = SPI_NOR_DUAL; -- ret = spi_nor_scan(nor, spi_get_device_id(spi), mode); -+ -+ if (data && data->name) -+ flash->mtd.name = data->name; -+ -+ /* For some (historical?) reason many platforms provide two different -+ * names in flash_platform_data: "name" and "type". Quite often name is -+ * set to "m25p80" and then "type" provides a real chip name. -+ * If that's the case, respect "type" and ignore a "name". 
-+ */ -+ if (data && data->type) -+ id = spi_nor_match_id(data->type); -+ -+ /* If we didn't get name from platform, simply use "modalias". */ -+ if (!id) -+ id = spi_get_device_id(spi); -+ -+ ret = spi_nor_scan(nor, id, mode); - if (ret) - return ret; - -- data = dev_get_platdata(&spi->dev); - ppdata.of_node = spi->dev.of_node; - - return mtd_device_parse_register(&flash->mtd, NULL, &ppdata, ---- a/drivers/mtd/spi-nor/spi-nor.c -+++ b/drivers/mtd/spi-nor/spi-nor.c -@@ -871,7 +871,6 @@ int spi_nor_scan(struct spi_nor *nor, co - enum read_mode mode) - { - struct flash_info *info; -- struct flash_platform_data *data; - struct device *dev = nor->dev; - struct mtd_info *mtd = nor->mtd; - struct device_node *np = dev->of_node; -@@ -882,28 +881,6 @@ int spi_nor_scan(struct spi_nor *nor, co - if (ret) - return ret; - -- /* Platform data helps sort out which chip type we have, as -- * well as how this board partitions it. If we don't have -- * a chip ID, try the JEDEC id commands; they'll work for most -- * newer chips, even if we don't recognize the particular chip. -- */ -- data = dev_get_platdata(dev); -- if (data && data->type) { -- const struct spi_device_id *plat_id; -- -- for (i = 0; i < ARRAY_SIZE(spi_nor_ids) - 1; i++) { -- plat_id = &spi_nor_ids[i]; -- if (strcmp(data->type, plat_id->name)) -- continue; -- break; -- } -- -- if (i < ARRAY_SIZE(spi_nor_ids) - 1) -- id = plat_id; -- else -- dev_warn(dev, "unrecognized id %s\n", data->type); -- } -- - info = (void *)id->driver_data; - - if (info->jedec_id) { -@@ -941,11 +918,8 @@ int spi_nor_scan(struct spi_nor *nor, co - write_sr(nor, 0); - } - -- if (data && data->name) -- mtd->name = data->name; -- else -+ if (!mtd->name) - mtd->name = dev_name(dev); -- - mtd->type = MTD_NORFLASH; - mtd->writesize = 1; - mtd->flags = MTD_CAP_NORFLASH; 
diff --git a/debian/patches/bugfix/all/mtd-spi-nor-make-spi_nor_scan-take-a-chip-type-name-.patch b/debian/patches/bugfix/all/mtd-spi-nor-make-spi_nor_scan-take-a-chip-type-name-.patch deleted file mode 100644 index 9e580e756..000000000 --- a/debian/patches/bugfix/all/mtd-spi-nor-make-spi_nor_scan-take-a-chip-type-name-.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From: Ben Hutchings -Date: Mon, 29 Sep 2014 11:47:54 +0200 -Subject: [3/4] mtd: spi-nor: make spi_nor_scan() take a chip type name, not - spi_device_id -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: http://git.infradead.org/l2-mtd.git/commit/70f3ce0510afdad7cbaf27ab7ab961377205c782 - -Drivers currently call spi_nor_match_id() and then spi_nor_scan(). -This adds a dependency on struct spi_device_id which we want to -avoid. Make spi_nor_scan() do it for them. - -Signed-off-by: Ben Hutchings -Signed-off-by: Rafał Miłecki -Signed-off-by: Brian Norris ---- - drivers/mtd/devices/m25p80.c | 4 +--- - drivers/mtd/spi-nor/fsl-quadspi.c | 7 +------ - drivers/mtd/spi-nor/spi-nor.c | 13 +++++++++---- - include/linux/mtd/spi-nor.h | 20 +++----------------- - 4 files changed, 14 insertions(+), 30 deletions(-) - ---- a/drivers/mtd/devices/m25p80.c -+++ b/drivers/mtd/devices/m25p80.c -@@ -193,7 +193,6 @@ static int m25p_probe(struct spi_device - { - struct mtd_part_parser_data ppdata; - struct flash_platform_data *data; -- const struct spi_device_id *id = NULL; - struct m25p *flash; - struct spi_nor *nor; - enum read_mode mode = SPI_NOR_NORMAL; -@@ -241,8 +240,7 @@ static int m25p_probe(struct spi_device - else - flash_name = spi->modalias; - -- id = spi_nor_match_id(flash_name); -- ret = spi_nor_scan(nor, id, mode); -+ ret = spi_nor_scan(nor, flash_name, mode); - if (ret) - return ret; - ---- a/drivers/mtd/spi-nor/fsl-quadspi.c -+++ b/drivers/mtd/spi-nor/fsl-quadspi.c -@@ -881,7 +881,6 @@ static int fsl_qspi_probe(struct platfor - - /* iterate the subnodes. 
*/ - for_each_available_child_of_node(dev->of_node, np) { -- const struct spi_device_id *id; - char modalias[40]; - - /* skip the holes */ -@@ -909,10 +908,6 @@ static int fsl_qspi_probe(struct platfor - if (of_modalias_node(np, modalias, sizeof(modalias)) < 0) - goto map_failed; - -- id = spi_nor_match_id(modalias); -- if (!id) -- goto map_failed; -- - ret = of_property_read_u32(np, "spi-max-frequency", - &q->clk_rate); - if (ret < 0) -@@ -921,7 +916,7 @@ static int fsl_qspi_probe(struct platfor - /* set the chip address for READID */ - fsl_qspi_set_base_addr(q, nor); - -- ret = spi_nor_scan(nor, id, SPI_NOR_QUAD); -+ ret = spi_nor_scan(nor, modalias, SPI_NOR_QUAD); - if (ret) - goto map_failed; - ---- a/drivers/mtd/spi-nor/spi-nor.c -+++ b/drivers/mtd/spi-nor/spi-nor.c -@@ -28,6 +28,8 @@ - - #define JEDEC_MFR(_jedec_id) ((_jedec_id) >> 16) - -+static const struct spi_device_id *spi_nor_match_id(const char *name); -+ - /* - * Read the status register, returning its value in the location - * Return the status register value. 
-@@ -867,9 +869,9 @@ static int spi_nor_check(struct spi_nor - return 0; - } - --int spi_nor_scan(struct spi_nor *nor, const struct spi_device_id *id, -- enum read_mode mode) -+int spi_nor_scan(struct spi_nor *nor, const char *name, enum read_mode mode) - { -+ const struct spi_device_id *id = NULL; - struct flash_info *info; - struct device *dev = nor->dev; - struct mtd_info *mtd = nor->mtd; -@@ -881,6 +883,10 @@ int spi_nor_scan(struct spi_nor *nor, co - if (ret) - return ret; - -+ id = spi_nor_match_id(name); -+ if (!id) -+ return -ENOENT; -+ - info = (void *)id->driver_data; - - if (info->jedec_id) { -@@ -1062,7 +1068,7 @@ int spi_nor_scan(struct spi_nor *nor, co - } - EXPORT_SYMBOL_GPL(spi_nor_scan); - --const struct spi_device_id *spi_nor_match_id(char *name) -+static const struct spi_device_id *spi_nor_match_id(const char *name) - { - const struct spi_device_id *id = spi_nor_ids; - -@@ -1073,7 +1079,6 @@ const struct spi_device_id *spi_nor_matc - } - return NULL; - } --EXPORT_SYMBOL_GPL(spi_nor_match_id); - - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Huang Shijie "); ---- a/include/linux/mtd/spi-nor.h -+++ b/include/linux/mtd/spi-nor.h -@@ -183,32 +183,18 @@ struct spi_nor { - /** - * spi_nor_scan() - scan the SPI NOR - * @nor: the spi_nor structure -- * @id: the spi_device_id provided by the driver -+ * @name: the chip type name - * @mode: the read mode supported by the driver - * - * The drivers can use this fuction to scan the SPI NOR. - * In the scanning, it will try to get all the necessary information to - * fill the mtd_info{} and the spi_nor{}. - * -- * The board may assigns a spi_device_id with @id which be used to compared with -- * the spi_device_id detected by the scanning. -+ * The chip type name can be provided through the @name parameter. - * - * Return: 0 for success, others for failure. 
- */ --int spi_nor_scan(struct spi_nor *nor, const struct spi_device_id *id, -- enum read_mode mode); -+int spi_nor_scan(struct spi_nor *nor, const char *name, enum read_mode mode); - extern const struct spi_device_id spi_nor_ids[]; - --/** -- * spi_nor_match_id() - find the spi_device_id by the name -- * @name: the name of the spi_device_id -- * -- * The drivers use this function to find the spi_device_id -- * specified by the @name. -- * -- * Return: returns the right spi_device_id pointer on success, -- * and returns NULL on failure. -- */ --const struct spi_device_id *spi_nor_match_id(char *name); -- - #endif diff --git a/debian/patches/bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch b/debian/patches/bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch deleted file mode 100644 index f6fefd250..000000000 --- a/debian/patches/bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From: Daniel Borkmann -Date: Thu, 9 Oct 2014 22:55:32 +0200 -Subject: net: sctp: fix panic on duplicate ASCONF chunks -Origin: https://git.kernel.org/linus/b69040d8e39f20d5215a03502a8e8b4c6ab78395 - -When receiving a e.g. semi-good formed connection scan in the -form of ... - - -------------- INIT[ASCONF; ASCONF_ACK] -------------> - <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------ - -------------------- COOKIE-ECHO --------------------> - <-------------------- COOKIE-ACK --------------------- - ---------------- ASCONF_a; ASCONF_b -----------------> - -... where ASCONF_a equals ASCONF_b chunk (at least both serials -need to be equal), we panic an SCTP server! - -The problem is that good-formed ASCONF chunks that we reply with -ASCONF_ACK chunks are cached per serial. Thus, when we receive a -same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do -not need to process them again on the server side (that was the -idea, also proposed in the RFC). Instead, we know it was cached -and we just resend the cached chunk instead. So far, so good. - -Where things get nasty is in SCTP's side effect interpreter, that -is, sctp_cmd_interpreter(): - -While incoming ASCONF_a (chunk = event_arg) is being marked -!end_of_packet and !singleton, and we have an association context, -we do not flush the outqueue the first time after processing the -ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it -queued up, although we set local_cork to 1. Commit 2e3216cd54b1 -changed the precedence, so that as long as we get bundled, incoming -chunks we try possible bundling on outgoing queue as well. Before -this commit, we would just flush the output queue. - -Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we -continue to process the same ASCONF_b chunk from the packet. As -we have cached the previous ASCONF_ACK, we find it, grab it and -do another SCTP_CMD_REPLY command on it. 
So, effectively, we rip -the chunk->list pointers and requeue the same ASCONF_ACK chunk -another time. Since we process ASCONF_b, it's correctly marked -with end_of_packet and we enforce an uncork, and thus flush, thus -crashing the kernel. - -Fix it by testing if the ASCONF_ACK is currently pending and if -that is the case, do not requeue it. When flushing the output -queue we may relink the chunk for preparing an outgoing packet, -but eventually unlink it when it's copied into the skb right -before transmission. - -Joint work with Vlad Yasevich. - -Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet") -Signed-off-by: Daniel Borkmann -Signed-off-by: Vlad Yasevich -Signed-off-by: David S. Miller ---- - include/net/sctp/sctp.h | 5 +++++ - net/sctp/associola.c | 2 ++ - 2 files changed, 7 insertions(+) - ---- a/include/net/sctp/sctp.h -+++ b/include/net/sctp/sctp.h -@@ -433,6 +433,11 @@ static inline void sctp_assoc_pending_pm - asoc->pmtu_pending = 0; - } - -+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk) -+{ -+ return !list_empty(&chunk->list); -+} -+ - /* Walk through a list of TLV parameters. Don't trust the - * individual parameter lengths and instead depend on - * the chunk length to indicate when to stop. Make sure ---- a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -1670,6 +1670,8 @@ struct sctp_chunk *sctp_assoc_lookup_asc - * ack chunk whose serial number matches that of the request. - */ - list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) { -+ if (sctp_chunk_pending(ack)) -+ continue; - if (ack->subh.addip_hdr->serial == serial) { - sctp_chunk_hold(ack); - return ack; diff --git a/debian/patches/bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch b/debian/patches/bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch deleted file mode 100644 index f4cbd12cd..000000000 
--- a/debian/patches/bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+++ /dev/null
@@ -1,149 +0,0 @@ -From: Daniel Borkmann -Date: Thu, 9 Oct 2014 22:55:33 +0200 -Subject: net: sctp: fix remote memory pressure from excessive queueing -Origin: https://git.kernel.org/linus/26b87c7881006311828bb0ab271a551a62dcceb4 - -This scenario is not limited to ASCONF, just taken as one -example triggering the issue. When receiving ASCONF probes -in the form of ... - - -------------- INIT[ASCONF; ASCONF_ACK] -------------> - <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------ - -------------------- COOKIE-ECHO --------------------> - <-------------------- COOKIE-ACK --------------------- - ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------> - [...] - ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------> - -... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed -ASCONFs and have increasing serial numbers, we process such -ASCONF chunk(s) marked with !end_of_packet and !singleton, -since we have not yet reached the SCTP packet end. SCTP does -only do verification on a chunk by chunk basis, as an SCTP -packet is nothing more than just a container of a stream of -chunks which it eats up one by one. - -We could run into the case that we receive a packet with a -malformed tail, above marked as trailing JUNK. All previous -chunks are here goodformed, so the stack will eat up all -previous chunks up to this point. 
In case JUNK does not fit -into a chunk header and there are no more other chunks in -the input queue, or in case JUNK contains a garbage chunk -header, but the encoded chunk length would exceed the skb -tail, or we came here from an entirely different scenario -and the chunk has pdiscard=1 mark (without having had a flush -point), it will happen, that we will excessively queue up -the association's output queue (a correct final chunk may -then turn it into a response flood when flushing the -queue ;)): I ran a simple script with incremental ASCONF -serial numbers and could see the server side consuming -excessive amount of RAM [before/after: up to 2GB and more]. - -The issue at heart is that the chunk train basically ends -with !end_of_packet and !singleton markers and since commit -2e3216cd54b1 ("sctp: Follow security requirement of responding -with 1 packet") therefore preventing an output queue flush -point in sctp_do_sm() -> sctp_cmd_interpreter() on the input -chunk (chunk = event_arg) even though local_cork is set, -but its precedence has changed since then. In the normal -case, the last chunk with end_of_packet=1 would trigger the -queue flush to accommodate possible outgoing bundling. - -In the input queue, sctp_inq_pop() seems to do the right thing -in terms of discarding invalid chunks. So, above JUNK will -not enter the state machine and instead be released and exit -the sctp_assoc_bh_rcv() chunk processing loop. It's simply -the flush point being missing at loop exit. Adding a try-flush -approach on the output queue might not work as the underlying -infrastructure might be long gone at this point due to the -side-effect interpreter run. - -One possibility, albeit a bit of a kludge, would be to defer -invalid chunk freeing into the state machine in order to -possibly trigger packet discards and thus indirectly a queue -flush on error. 
It would surely be better to discard chunks -as in the current, perhaps better controlled environment, but -going back and forth, it's simply architecturally not possible. -I tried various trailing JUNK attack cases and it seems to -look good now. - -Joint work with Vlad Yasevich. - -Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet") -Signed-off-by: Daniel Borkmann -Signed-off-by: Vlad Yasevich -Signed-off-by: David S. Miller ---- - net/sctp/inqueue.c | 33 +++++++-------------------------- - net/sctp/sm_statefuns.c | 3 +++ - 2 files changed, 10 insertions(+), 26 deletions(-) - -diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c -index 4de12af..7e8a16c 100644 ---- a/net/sctp/inqueue.c -+++ b/net/sctp/inqueue.c -@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) - } else { - /* Nothing to do. Next chunk in the packet, please. */ - ch = (sctp_chunkhdr_t *) chunk->chunk_end; -- - /* Force chunk->skb->data to chunk->chunk_end. */ -- skb_pull(chunk->skb, -- chunk->chunk_end - chunk->skb->data); -- -- /* Verify that we have at least chunk headers -- * worth of buffer left. -- */ -- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { -- sctp_chunk_free(chunk); -- chunk = queue->in_progress = NULL; -- } -+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); -+ /* We are guaranteed to pull a SCTP header. */ - } - } - -@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) - skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t)); - chunk->subh.v = NULL; /* Subheader is no longer valid. */ - -- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) { -+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) < -+ skb_tail_pointer(chunk->skb)) { - /* This is not a singleton */ - chunk->singleton = 0; - } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) { -- /* RFC 2960, Section 6.10 Bundling -- * -- * Partial chunks MUST NOT be placed in an SCTP packet. 
-- * If the receiver detects a partial chunk, it MUST drop -- * the chunk. -- * -- * Since the end of the chunk is past the end of our buffer -- * (which contains the whole packet, we can freely discard -- * the whole packet. -- */ -- sctp_chunk_free(chunk); -- chunk = queue->in_progress = NULL; -- -- return NULL; -+ /* Discard inside state machine. */ -+ chunk->pdiscard = 1; -+ chunk->chunk_end = skb_tail_pointer(chunk->skb); - } else { - /* We are at the end of the packet, so mark the chunk - * in case we need to send a SACK. -diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index bdea3df..3ee27b7 100644 ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk, - { - __u16 chunk_length = ntohs(chunk->chunk_hdr->length); - -+ /* Previously already marked? */ -+ if (unlikely(chunk->pdiscard)) -+ return 0; - if (unlikely(chunk_length < required_length)) - return 0; - diff --git a/debian/patches/bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch b/debian/patches/bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch deleted file mode 100644 index 7e5fa1fc6..000000000 --- a/debian/patches/bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch +++ /dev/null 
@@ -1,336 +0,0 @@ -From: Daniel Borkmann -Date: Thu, 9 Oct 2014 22:55:31 +0200 -Subject: net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks -Origin: https://git.kernel.org/linus/9de7922bc709eee2f609cd01d98aaedc4cf5ea74 - -Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for -ASCONF chunk") added basic verification of ASCONF chunks, however, -it is still possible to remotely crash a server by sending a -special crafted ASCONF chunk, even up to pre 2.6.12 kernels: - -skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768 - head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950 - end:0x440 dev: - ------------[ cut here ]------------ -kernel BUG at net/core/skbuff.c:129! -[...] -Call Trace: - - [] skb_put+0x5c/0x70 - [] sctp_addto_chunk+0x63/0xd0 [sctp] - [] sctp_process_asconf+0x1af/0x540 [sctp] - [] ? _read_unlock_bh+0x15/0x20 - [] sctp_sf_do_asconf+0x168/0x240 [sctp] - [] sctp_do_sm+0x71/0x1210 [sctp] - [] ? fib_rules_lookup+0xad/0xf0 - [] ? sctp_cmp_addr_exact+0x32/0x40 [sctp] - [] sctp_assoc_bh_rcv+0xd3/0x180 [sctp] - [] sctp_inq_push+0x56/0x80 [sctp] - [] sctp_rcv+0x982/0xa10 [sctp] - [] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] - [] ? nf_iterate+0x69/0xb0 - [] ? ip_local_deliver_finish+0x0/0x2d0 - [] ? nf_hook_slow+0x76/0x120 - [] ? ip_local_deliver_finish+0x0/0x2d0 - [] ip_local_deliver_finish+0xdd/0x2d0 - [] ip_local_deliver+0x98/0xa0 - [] ip_rcv_finish+0x12d/0x440 - [] ip_rcv+0x275/0x350 - [] __netif_receive_skb+0x4ab/0x750 - [] netif_receive_skb+0x58/0x60 - -This can be triggered e.g., through a simple scripted nmap -connection scan injecting the chunk after the handshake, for -example, ... - - -------------- INIT[ASCONF; ASCONF_ACK] -------------> - <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------ - -------------------- COOKIE-ECHO --------------------> - <-------------------- COOKIE-ACK --------------------- - ------------------ ASCONF; UNKNOWN ------------------> - -... 
where ASCONF chunk of length 280 contains 2 parameters ... - - 1) Add IP address parameter (param length: 16) - 2) Add/del IP address parameter (param length: 255) - -... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the -Address Parameter in the ASCONF chunk is even missing, too. -This is just an example and similarly-crafted ASCONF chunks -could be used just as well. - -The ASCONF chunk passes through sctp_verify_asconf() as all -parameters passed sanity checks, and after walking, we ended -up successfully at the chunk end boundary, and thus may invoke -sctp_process_asconf(). Parameter walking is done with -WORD_ROUND() to take padding into account. - -In sctp_process_asconf()'s TLV processing, we may fail in -sctp_process_asconf_param() e.g., due to removal of the IP -address that is also the source address of the packet containing -the ASCONF chunk, and thus we need to add all TLVs after the -failure to our ASCONF response to remote via helper function -sctp_add_asconf_response(), which basically invokes a -sctp_addto_chunk() adding the error parameters to the given -skb. - -When walking to the next parameter this time, we proceed -with ... - - length = ntohs(asconf_param->param_hdr.length); - asconf_param = (void *)asconf_param + length; - -... instead of the WORD_ROUND()'ed length, thus resulting here -in an off-by-one that leads to reading the follow-up garbage -parameter length of 12336, and thus throwing an skb_over_panic -for the reply when trying to sctp_addto_chunk() next time, -which implicitly calls the skb_put() with that length. - -Fix it by using sctp_walk_params() [ which is also used in -INIT parameter processing ] macro in the verification *and* -in ASCONF processing: it will make sure we don't spill over, -that we walk parameters WORD_ROUND()'ed. Moreover, we're being -more defensive and guard against unknown parameter types and -missized addresses. - -Joint work with Vlad Yasevich. 
- -Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.") -Signed-off-by: Daniel Borkmann -Signed-off-by: Vlad Yasevich -Acked-by: Neil Horman -Signed-off-by: David S. Miller ---- - include/net/sctp/sm.h | 6 +-- - net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++--------------------- - net/sctp/sm_statefuns.c | 18 +-------- - 3 files changed, 60 insertions(+), 63 deletions(-) - -diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h -index 7f4eeb3..72a31db 100644 ---- a/include/net/sctp/sm.h -+++ b/include/net/sctp/sm.h -@@ -248,9 +248,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *, - int, __be16); - struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc, - union sctp_addr *addr); --int sctp_verify_asconf(const struct sctp_association *asoc, -- struct sctp_paramhdr *param_hdr, void *chunk_end, -- struct sctp_paramhdr **errp); -+bool sctp_verify_asconf(const struct sctp_association *asoc, -+ struct sctp_chunk *chunk, bool addr_param_needed, -+ struct sctp_paramhdr **errp); - struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - struct sctp_chunk *asconf); - int sctp_process_asconf_ack(struct sctp_association *asoc, -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index ae0e616..ab734be 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -3110,50 +3110,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, - return SCTP_ERROR_NO_ERROR; - } - --/* Verify the ASCONF packet before we process it. */ --int sctp_verify_asconf(const struct sctp_association *asoc, -- struct sctp_paramhdr *param_hdr, void *chunk_end, -- struct sctp_paramhdr **errp) { -- sctp_addip_param_t *asconf_param; -+/* Verify the ASCONF packet before we process it. 
*/ -+bool sctp_verify_asconf(const struct sctp_association *asoc, -+ struct sctp_chunk *chunk, bool addr_param_needed, -+ struct sctp_paramhdr **errp) -+{ -+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr; - union sctp_params param; -- int length, plen; -- -- param.v = (sctp_paramhdr_t *) param_hdr; -- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { -- length = ntohs(param.p->length); -- *errp = param.p; -+ bool addr_param_seen = false; - -- if (param.v > chunk_end - length || -- length < sizeof(sctp_paramhdr_t)) -- return 0; -+ sctp_walk_params(param, addip, addip_hdr.params) { -+ size_t length = ntohs(param.p->length); - -+ *errp = param.p; - switch (param.p->type) { -+ case SCTP_PARAM_ERR_CAUSE: -+ break; -+ case SCTP_PARAM_IPV4_ADDRESS: -+ if (length != sizeof(sctp_ipv4addr_param_t)) -+ return false; -+ addr_param_seen = true; -+ break; -+ case SCTP_PARAM_IPV6_ADDRESS: -+ if (length != sizeof(sctp_ipv6addr_param_t)) -+ return false; -+ addr_param_seen = true; -+ break; - case SCTP_PARAM_ADD_IP: - case SCTP_PARAM_DEL_IP: - case SCTP_PARAM_SET_PRIMARY: -- asconf_param = (sctp_addip_param_t *)param.v; -- plen = ntohs(asconf_param->param_hdr.length); -- if (plen < sizeof(sctp_addip_param_t) + -- sizeof(sctp_paramhdr_t)) -- return 0; -+ /* In ASCONF chunks, these need to be first. */ -+ if (addr_param_needed && !addr_param_seen) -+ return false; -+ length = ntohs(param.addip->param_hdr.length); -+ if (length < sizeof(sctp_addip_param_t) + -+ sizeof(sctp_paramhdr_t)) -+ return false; - break; - case SCTP_PARAM_SUCCESS_REPORT: - case SCTP_PARAM_ADAPTATION_LAYER_IND: - if (length != sizeof(sctp_addip_param_t)) -- return 0; -- -+ return false; - break; - default: -- break; -+ /* This is unkown to us, reject! */ -+ return false; - } -- -- param.v += WORD_ROUND(length); - } - -- if (param.v != chunk_end) -- return 0; -+ /* Remaining sanity checks. 
*/ -+ if (addr_param_needed && !addr_param_seen) -+ return false; -+ if (!addr_param_needed && addr_param_seen) -+ return false; -+ if (param.v != chunk->chunk_end) -+ return false; - -- return 1; -+ return true; - } - - /* Process an incoming ASCONF chunk with the next expected serial no. and -@@ -3162,16 +3175,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc, - struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - struct sctp_chunk *asconf) - { -+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr; -+ bool all_param_pass = true; -+ union sctp_params param; - sctp_addiphdr_t *hdr; - union sctp_addr_param *addr_param; - sctp_addip_param_t *asconf_param; - struct sctp_chunk *asconf_ack; -- - __be16 err_code; - int length = 0; - int chunk_len; - __u32 serial; -- int all_param_pass = 1; - - chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); - hdr = (sctp_addiphdr_t *)asconf->skb->data; -@@ -3199,9 +3213,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - goto done; - - /* Process the TLVs contained within the ASCONF chunk. */ -- while (chunk_len > 0) { -+ sctp_walk_params(param, addip, addip_hdr.params) { -+ /* Skip preceeding address parameters. */ -+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS || -+ param.p->type == SCTP_PARAM_IPV6_ADDRESS) -+ continue; -+ - err_code = sctp_process_asconf_param(asoc, asconf, -- asconf_param); -+ param.addip); - /* ADDIP 4.1 A7) - * If an error response is received for a TLV parameter, - * all TLVs with no response before the failed TLV are -@@ -3209,28 +3228,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - * the failed response are considered unsuccessful unless - * a specific success indication is present for the parameter. 
- */ -- if (SCTP_ERROR_NO_ERROR != err_code) -- all_param_pass = 0; -- -+ if (err_code != SCTP_ERROR_NO_ERROR) -+ all_param_pass = false; - if (!all_param_pass) -- sctp_add_asconf_response(asconf_ack, -- asconf_param->crr_id, err_code, -- asconf_param); -+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id, -+ err_code, param.addip); - - /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add - * an IP address sends an 'Out of Resource' in its response, it - * MUST also fail any subsequent add or delete requests bundled - * in the ASCONF. - */ -- if (SCTP_ERROR_RSRC_LOW == err_code) -+ if (err_code == SCTP_ERROR_RSRC_LOW) - goto done; -- -- /* Move to the next ASCONF param. */ -- length = ntohs(asconf_param->param_hdr.length); -- asconf_param = (void *)asconf_param + length; -- chunk_len -= length; - } -- - done: - asoc->peer.addip_serial++; - -diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index c8f6063..bdea3df 100644 ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -3591,9 +3591,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net, - struct sctp_chunk *asconf_ack = NULL; - struct sctp_paramhdr *err_param = NULL; - sctp_addiphdr_t *hdr; -- union sctp_addr_param *addr_param; - __u32 serial; -- int length; - - if (!sctp_vtag_verify(chunk, asoc)) { - sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, -@@ -3618,17 +3616,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net, - hdr = (sctp_addiphdr_t *)chunk->skb->data; - serial = ntohl(hdr->serial); - -- addr_param = (union sctp_addr_param *)hdr->params; -- length = ntohs(addr_param->p.length); -- if (length < sizeof(sctp_paramhdr_t)) -- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, -- (void *)addr_param, commands); -- - /* Verify the ASCONF chunk before processing it. 
*/ -- if (!sctp_verify_asconf(asoc, -- (sctp_paramhdr_t *)((void *)addr_param + length), -- (void *)chunk->chunk_end, -- &err_param)) -+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) - return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, - (void *)err_param, commands); - -@@ -3745,10 +3734,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net, - rcvd_serial = ntohl(addip_hdr->serial); - - /* Verify the ASCONF-ACK chunk before processing it. */ -- if (!sctp_verify_asconf(asoc, -- (sctp_paramhdr_t *)addip_hdr->params, -- (void *)asconf_ack->chunk_end, -- &err_param)) -+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) - return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, - (void *)err_param, commands); - diff --git a/debian/patches/bugfix/all/switch-iov_iter_get_pages-to-passing-maximal-number-.patch b/debian/patches/bugfix/all/switch-iov_iter_get_pages-to-passing-maximal-number-.patch deleted file mode 100644 index 033c3cc5c..000000000 --- a/debian/patches/bugfix/all/switch-iov_iter_get_pages-to-passing-maximal-number-.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From: Al Viro -Date: Wed, 18 Jun 2014 20:34:33 -0400 -Subject: switch iov_iter_get_pages() to passing maximal number of pages -Origin: https://git.kernel.org/linus/c7f3888ad7f0932a87fb76e6e4edff2a90cc7920 - -... instead of maximal size. - -Signed-off-by: Al Viro ---- - fs/direct-io.c | 2 +- - fs/fuse/file.c | 4 ++-- - include/linux/uio.h | 2 +- - mm/iov_iter.c | 17 ++++++++--------- - 4 files changed, 12 insertions(+), 13 deletions(-) - -diff --git a/fs/direct-io.c b/fs/direct-io.c -index 17e39b0..c311640 100644 ---- a/fs/direct-io.c -+++ b/fs/direct-io.c -@@ -158,7 +158,7 @@ static inline int dio_refill_pages(struct dio *dio, struct dio_submit *sdio) - { - ssize_t ret; - -- ret = iov_iter_get_pages(sdio->iter, dio->pages, DIO_PAGES * PAGE_SIZE, -+ ret = iov_iter_get_pages(sdio->iter, dio->pages, DIO_PAGES, - &sdio->from); - - if (ret < 0 && sdio->blocks_available && (dio->rw & WRITE)) { -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 40ac262..912061a 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -1303,10 +1303,10 @@ static int fuse_get_user_pages(struct fuse_req *req, struct iov_iter *ii, - while (nbytes < *nbytesp && req->num_pages < req->max_pages) { - unsigned npages; - size_t start; -- unsigned n = req->max_pages - req->num_pages; - ssize_t ret = iov_iter_get_pages(ii, - &req->pages[req->num_pages], -- n * PAGE_SIZE, &start); -+ req->max_pages - req->num_pages, -+ &start); - if (ret < 0) - return ret; - -diff --git a/include/linux/uio.h b/include/linux/uio.h -index 09a7cff..48d64e6 100644 ---- a/include/linux/uio.h -+++ b/include/linux/uio.h -@@ -84,7 +84,7 @@ unsigned long iov_iter_alignment(const struct iov_iter *i); - void iov_iter_init(struct iov_iter *i, int direction, const struct iovec *iov, - unsigned long nr_segs, size_t count); - ssize_t iov_iter_get_pages(struct iov_iter *i, struct page **pages, -- size_t maxsize, size_t *start); -+ unsigned maxpages, size_t *start); - ssize_t iov_iter_get_pages_alloc(struct iov_iter 
*i, struct page ***pages, - size_t maxsize, size_t *start); - int iov_iter_npages(const struct iov_iter *i, int maxpages); -diff --git a/mm/iov_iter.c b/mm/iov_iter.c -index 7b5dbd1..ab88dc0 100644 ---- a/mm/iov_iter.c -+++ b/mm/iov_iter.c -@@ -310,7 +310,7 @@ void iov_iter_init(struct iov_iter *i, int direction, - EXPORT_SYMBOL(iov_iter_init); - - static ssize_t get_pages_iovec(struct iov_iter *i, -- struct page **pages, size_t maxsize, -+ struct page **pages, unsigned maxpages, - size_t *start) - { - size_t offset = i->iov_offset; -@@ -323,10 +323,10 @@ static ssize_t get_pages_iovec(struct iov_iter *i, - len = iov->iov_len - offset; - if (len > i->count) - len = i->count; -- if (len > maxsize) -- len = maxsize; - addr = (unsigned long)iov->iov_base + offset; - len += *start = addr & (PAGE_SIZE - 1); -+ if (len > maxpages * PAGE_SIZE) -+ len = maxpages * PAGE_SIZE; - addr &= ~(PAGE_SIZE - 1); - n = (len + PAGE_SIZE - 1) / PAGE_SIZE; - res = get_user_pages_fast(addr, n, (i->type & WRITE) != WRITE, pages); -@@ -588,15 +588,14 @@ static unsigned long alignment_bvec(const struct iov_iter *i) - } - - static ssize_t get_pages_bvec(struct iov_iter *i, -- struct page **pages, size_t maxsize, -+ struct page **pages, unsigned maxpages, - size_t *start) - { - const struct bio_vec *bvec = i->bvec; - size_t len = bvec->bv_len - i->iov_offset; - if (len > i->count) - len = i->count; -- if (len > maxsize) -- len = maxsize; -+ /* can't be more than PAGE_SIZE */ - *start = bvec->bv_offset + i->iov_offset; - - get_page(*pages = bvec->bv_page); -@@ -712,13 +711,13 @@ unsigned long iov_iter_alignment(const struct iov_iter *i) - EXPORT_SYMBOL(iov_iter_alignment); - - ssize_t iov_iter_get_pages(struct iov_iter *i, -- struct page **pages, size_t maxsize, -+ struct page **pages, unsigned maxpages, - size_t *start) - { - if (i->type & ITER_BVEC) -- return get_pages_bvec(i, pages, maxsize, start); -+ return get_pages_bvec(i, pages, maxpages, start); - else -- return get_pages_iovec(i, 
pages, maxsize, start);
-+ return get_pages_iovec(i, pages, maxpages, start);
- }
- EXPORT_SYMBOL(iov_iter_get_pages);
- 
diff --git a/debian/patches/bugfix/mips/MIPS-cp1emu-Fix-ISA-restrictions-for-cop1x_op-instru.patch b/debian/patches/bugfix/mips/MIPS-cp1emu-Fix-ISA-restrictions-for-cop1x_op-instru.patch
deleted file mode 100644
index 9ac7f2010..000000000
--- a/debian/patches/bugfix/mips/MIPS-cp1emu-Fix-ISA-restrictions-for-cop1x_op-instru.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Markos Chandras
-Date: Tue, 21 Oct 2014 10:21:54 +0100
-Subject: MIPS: cp1emu: Fix ISA restrictions for cop1x_op instructions
-Origin: https://git.kernel.org/linus/a5466d7bba9af83a82cc7c081b2a7d557cde3204
-
-Commit 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery") removed
-the #ifdef ISA conditions and switched to runtime detection. However,
-according to the instruction set manual, the cop1x_op instructions are
-available in >=MIPS32r2 as well. This fixes a problem on MIPS32r2
-with the ntpd package which failed to execute with a SIGILL exit code due
-to the fact that a madd.d instruction was not being emulated.
-
-Signed-off-by: Markos Chandras
-Fixes: 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery")
-Cc: # v3.16+
-Cc: linux-mips@linux-mips.org
-Reviewed-by: Paul Burton
-Reviewed-by: James Hogan
-Cc: Markos Chandras
-Patchwork: https://patchwork.linux-mips.org/patch/8173/
-Signed-off-by: Ralf Baechle
----
- arch/mips/math-emu/cp1emu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
-index 7a47277..51a0fde 100644
---- a/arch/mips/math-emu/cp1emu.c
-+++ b/arch/mips/math-emu/cp1emu.c
-@@ -1023,7 +1023,7 @@ emul:
- goto emul;
-
- case cop1x_op:
-- if (cpu_has_mips_4_5 || cpu_has_mips64)
-+ if (cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2)
- /* its one of ours */
- goto emul;
-
-@@ -1068,7 +1068,7 @@ emul:
- break;
-
- case cop1x_op:
-- if (!cpu_has_mips_4_5 && !cpu_has_mips64)
-+ if (!cpu_has_mips_4_5 && !cpu_has_mips64 && !cpu_has_mips32r2)
- return SIGILL;
-
- sig = fpux_emu(xcp, ctx, ir, fault_addr);
---
-2.1.1
-
diff --git a/debian/patches/bugfix/mips/MIPS-tlbex-Properly-fix-HUGE-TLB-Refill-exception-ha.patch b/debian/patches/bugfix/mips/MIPS-tlbex-Properly-fix-HUGE-TLB-Refill-exception-ha.patch
deleted file mode 100644
index 66c993f88..000000000
--- a/debian/patches/bugfix/mips/MIPS-tlbex-Properly-fix-HUGE-TLB-Refill-exception-ha.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: David Daney
-Date: Mon, 20 Oct 2014 15:34:23 -0700
-Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
-Origin: https://git.kernel.org/linus/9e0f162a36914937a937358fcb45e0609ef2bfc4
-
-In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
-HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
-would work properly with huge pages. The change was incorrect in that
-it broke the OCTEON case.
-
-The problem is shown here:
-
- xxx0: df7a0000 ld k0,0(k1)
- .
- .
- .
- xxxc0: df610000 ld at,0(k1)
- xxxc4: 335a0ff0 andi k0,k0,0xff0
- xxxc8: e825ffcd bbit1 at,0x5,0x0
- xxxcc: 003ad82d daddu k1,at,k0
- .
- .
- .
-
-In the non-octeon case there is a destructive test for the huge PTE
-bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
-patch added).
-
-In the octeon case, we modify k1 in the branch delay slot, but we
-never need k0 again, so the new load is not needed, but since k1 is
-modified, if we do the load, we load from a garbage location and then
-get a nested TLB Refill, which is seen in userspace as either SIGBUS
-or SIGSEGV (depending on the garbage).
-
-The real fix is to only do this reloading if it is needed, and never
-where it is harmful.
-
-Signed-off-by: David Daney
-Cc: Huacai Chen
-Cc: Fuxin Zhang
-Cc: Zhangjin Wu
-Cc: stable@vger.kernel.org
-Cc: linux-mips@linux-mips.org
-Patchwork: https://patchwork.linux-mips.org/patch/8151/
-Signed-off-by: Ralf Baechle
----
- arch/mips/mm/tlbex.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c
-index a08dd53..b5f228e 100644
---- a/arch/mips/mm/tlbex.c
-+++ b/arch/mips/mm/tlbex.c
-@@ -1062,6 +1062,7 @@ static void build_update_entries(u32 **p, unsigned int tmp, unsigned int ptep)
- struct mips_huge_tlb_info {
- int huge_pte;
- int restore_scratch;
-+ bool need_reload_pte;
- };
-
- static struct mips_huge_tlb_info
-@@ -1076,6 +1077,7 @@ build_fast_tlb_refill_handler (u32 **p, struct uasm_label **l,
-
- rv.huge_pte = scratch;
- rv.restore_scratch = 0;
-+ rv.need_reload_pte = false;
-
- if (check_for_high_segbits) {
- UASM_i_MFC0(p, tmp, C0_BADVADDR);
-@@ -1264,6 +1266,7 @@ static void build_r4000_tlb_refill_handler(void)
- } else {
- htlb_info.huge_pte = K0;
- htlb_info.restore_scratch = 0;
-+ htlb_info.need_reload_pte = true;
- vmalloc_mode = refill_noscratch;
- /*
- * create the plain linear handler
-@@ -1300,7 +1303,8 @@ static void build_r4000_tlb_refill_handler(void)
- }
- #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
- uasm_l_tlb_huge_update(&l, p);
-- UASM_i_LW(&p, K0, 0, K1);
-+ if (htlb_info.need_reload_pte)
-+ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
- build_huge_update_entries(&p, htlb_info.huge_pte, K1);
- build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
- htlb_info.restore_scratch);
---
-2.1.1
-
diff --git a/debian/patches/bugfix/x86/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch b/debian/patches/bugfix/x86/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
deleted file mode 100644
index a590779b2..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From: Nadav Amit
-Date: Tue, 16 Sep 2014 03:24:05 +0300
-Subject: KVM: x86: Check non-canonical addresses upon WRMSR
-Origin: https://git.kernel.org/linus/854e8bb1aa06c578c2c9145fa6bfe3680ef63b23
-
-Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
-written to certain MSRs. The behavior is "almost" identical for AMD and Intel
-(ignoring MSRs that are not implemented in either architecture since they would
-anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
-non-canonical address is written on Intel but not on AMD (which ignores the top
-32-bits).
-
-Accordingly, this patch injects a #GP on the MSRs which behave identically on
-Intel and AMD. To eliminate the differences between the architecutres, the
-value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
-canonical value before writing instead of injecting a #GP.
-
-Some references from Intel and AMD manuals:
-
-According to Intel SDM description of WRMSR instruction #GP is expected on
-WRMSR "If the source register contains a non-canonical address and ECX
-specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
-IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
-
-According to AMD manual instruction manual:
-LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
-LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
-form, a general-protection exception (#GP) occurs."
-IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
-base field must be in canonical form or a #GP fault will occur."
-IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
-be in canonical form."
-
-This patch fixes CVE-2014-3610.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Nadav Amit
-Signed-off-by: Paolo Bonzini
----
- arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++
- arch/x86/kvm/svm.c | 2 +-
- arch/x86/kvm/vmx.c | 2 +-
- arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 3 deletions(-)
-
---- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -989,6 +989,20 @@ static inline void kvm_inject_gp(struct
- kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
- }
-
-+static inline u64 get_canonical(u64 la)
-+{
-+ return ((int64_t)la << 16) >> 16;
-+}
-+
-+static inline bool is_noncanonical_address(u64 la)
-+{
-+#ifdef CONFIG_X86_64
-+ return get_canonical(la) != la;
-+#else
-+ return false;
-+#endif
-+}
-+
- #define TSS_IOPB_BASE_OFFSET 0x66
- #define TSS_BASE_SIZE 0x68
- #define TSS_IOPB_SIZE (65536 / 8)
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -3228,7 +3228,7 @@ static int wrmsr_interception(struct vcp
- msr.host_initiated = false;
-
- svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
-- if (svm_set_msr(&svm->vcpu, &msr)) {
-+ if (kvm_set_msr(&svm->vcpu, &msr)) {
- trace_kvm_msr_write_ex(ecx, data);
- kvm_inject_gp(&svm->vcpu, 0);
- } else {
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -5246,7 +5246,7 @@ static int handle_wrmsr(struct kvm_vcpu
- msr.data = data;
- msr.index = ecx;
- msr.host_initiated = false;
-- if (vmx_set_msr(vcpu, &msr) != 0) {
-+ if (kvm_set_msr(vcpu, &msr) != 0) {
- trace_kvm_msr_write_ex(ecx, data);
- kvm_inject_gp(vcpu, 0);
- return 1;
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -948,7 +948,6 @@ void kvm_enable_efer_bits(u64 mask)
- }
- EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
-
--
- /*
- * Writes msr value into into the appropriate "register".
- * Returns 0 on success, non-0 otherwise.
-@@ -956,8 +955,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
- */
- int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
- {
-+ switch (msr->index) {
-+ case MSR_FS_BASE:
-+ case MSR_GS_BASE:
-+ case MSR_KERNEL_GS_BASE:
-+ case MSR_CSTAR:
-+ case MSR_LSTAR:
-+ if (is_noncanonical_address(msr->data))
-+ return 1;
-+ break;
-+ case MSR_IA32_SYSENTER_EIP:
-+ case MSR_IA32_SYSENTER_ESP:
-+ /*
-+ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
-+ * non-canonical address is written on Intel but not on
-+ * AMD (which ignores the top 32-bits, because it does
-+ * not implement 64-bit SYSENTER).
-+ *
-+ * 64-bit code should hence be able to write a non-canonical
-+ * value on AMD. Making the address canonical ensures that
-+ * vmentry does not fail on Intel after writing a non-canonical
-+ * value, and that something deterministic happens if the guest
-+ * invokes 64-bit SYSENTER.
-+ */
-+ msr->data = get_canonical(msr->data);
-+ }
- return kvm_x86_ops->set_msr(vcpu, msr);
- }
-+EXPORT_SYMBOL_GPL(kvm_set_msr);
-
- /*
- * Adapt set_msr() to msr_io()'s calling convention
diff --git a/debian/patches/bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch b/debian/patches/bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
deleted file mode 100644
index 21a789a8b..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From: Nadav Amit
-Date: Thu, 18 Sep 2014 22:39:38 +0300
-Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches
-Origin: https://git.kernel.org/linus/234f3ce485d54017f15cf5e0699cff4100121601
-
-Before changing rip (during jmp, call, ret, etc.) the target should be asserted
-to be canonical one, as real CPUs do. During sysret, both target rsp and rip
-should be canonical. If any of these values is noncanonical, a #GP exception
-should occur. The exception to this rule are syscall and sysenter instructions
-in which the assigned rip is checked during the assignment to the relevant
-MSRs.
-
-This patch fixes the emulator to behave as real CPUs do for near branches.
-Far branches are handled by the next patch.
-
-This fixes CVE-2014-3647.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Nadav Amit
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/emulate.c | 78 ++++++++++++++++++++++++++++++++++----------------
- 1 file changed, 54 insertions(+), 24 deletions(-)
-
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -572,7 +572,8 @@ static int emulate_nm(struct x86_emulate
- return emulate_exception(ctxt, NM_VECTOR, 0, false);
- }
-
--static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
-+static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
-+ int cs_l)
- {
- switch (ctxt->op_bytes) {
- case 2:
-@@ -582,16 +583,25 @@ static inline void assign_eip_near(struc
- ctxt->_eip = (u32)dst;
- break;
- case 8:
-+ if ((cs_l && is_noncanonical_address(dst)) ||
-+ (!cs_l && (dst & ~(u32)-1)))
-+ return emulate_gp(ctxt, 0);
- ctxt->_eip = dst;
- break;
- default:
- WARN(1, "unsupported eip assignment size\n");
- }
-+ return X86EMUL_CONTINUE;
-+}
-+
-+static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
-+{
-+ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
- }
-
--static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
-+static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
- {
-- assign_eip_near(ctxt, ctxt->_eip + rel);
-+ return assign_eip_near(ctxt, ctxt->_eip + rel);
- }
-
- static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
-@@ -1986,13 +1996,15 @@ static int em_grp45(struct x86_emulate_c
- case 2: /* call near abs */ {
- long int old_eip;
- old_eip = ctxt->_eip;
-- ctxt->_eip = ctxt->src.val;
-+ rc = assign_eip_near(ctxt, ctxt->src.val);
-+ if (rc != X86EMUL_CONTINUE)
-+ break;
- ctxt->src.val = old_eip;
- rc = em_push(ctxt);
- break;
- }
- case 4: /* jmp abs */
-- ctxt->_eip = ctxt->src.val;
-+ rc = assign_eip_near(ctxt, ctxt->src.val);
- break;
- case 5: /* jmp far */
- rc = em_jmp_far(ctxt);
-@@ -2024,10 +2036,14 @@ static int em_cmpxchg8b(struct x86_emula
-
- static int em_ret(struct x86_emulate_ctxt *ctxt)
- {
-- ctxt->dst.type = OP_REG;
-- ctxt->dst.addr.reg = &ctxt->_eip;
-- ctxt->dst.bytes = ctxt->op_bytes;
-- return em_pop(ctxt);
-+ int rc;
-+ unsigned long eip;
-+
-+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
-+ if (rc != X86EMUL_CONTINUE)
-+ return rc;
-+
-+ return assign_eip_near(ctxt, eip);
- }
-
- static int em_ret_far(struct x86_emulate_ctxt *ctxt)
-@@ -2305,7 +2321,7 @@ static int em_sysexit(struct x86_emulate
- {
- const struct x86_emulate_ops *ops = ctxt->ops;
- struct desc_struct cs, ss;
-- u64 msr_data;
-+ u64 msr_data, rcx, rdx;
- int usermode;
- u16 cs_sel = 0, ss_sel = 0;
-
-@@ -2321,6 +2337,9 @@ static int em_sysexit(struct x86_emulate
- else
- usermode = X86EMUL_MODE_PROT32;
-
-+ rcx = reg_read(ctxt, VCPU_REGS_RCX);
-+ rdx = reg_read(ctxt, VCPU_REGS_RDX);
-+
- cs.dpl = 3;
- ss.dpl = 3;
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
-@@ -2338,6 +2357,9 @@ static int em_sysexit(struct x86_emulate
- ss_sel = cs_sel + 8;
- cs.d = 0;
- cs.l = 1;
-+ if (is_noncanonical_address(rcx) ||
-+ is_noncanonical_address(rdx))
-+ return emulate_gp(ctxt, 0);
- break;
- }
- cs_sel |= SELECTOR_RPL_MASK;
-@@ -2346,8 +2368,8 @@ static int em_sysexit(struct x86_emulate
- ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
- ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-
-- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
-- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
-+ ctxt->_eip = rdx;
-+ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
-
- return X86EMUL_CONTINUE;
- }
-@@ -2888,10 +2910,13 @@ static int em_aad(struct x86_emulate_ctx
-
- static int em_call(struct x86_emulate_ctxt *ctxt)
- {
-+ int rc;
- long rel = ctxt->src.val;
-
- ctxt->src.val = (unsigned long)ctxt->_eip;
-- jmp_rel(ctxt, rel);
-+ rc = jmp_rel(ctxt, rel);
-+ if (rc != X86EMUL_CONTINUE)
-+ return rc;
- return em_push(ctxt);
- }
-
-@@ -2923,11 +2948,12 @@ static int em_call_far(struct x86_emulat
- static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
- {
- int rc;
-+ unsigned long eip;
-
-- ctxt->dst.type = OP_REG;
-- ctxt->dst.addr.reg = &ctxt->_eip;
-- ctxt->dst.bytes = ctxt->op_bytes;
-- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
-+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
-+ if (rc != X86EMUL_CONTINUE)
-+ return rc;
-+ rc = assign_eip_near(ctxt, eip);
- if (rc != X86EMUL_CONTINUE)
- return rc;
- rsp_increment(ctxt, ctxt->src.val);
-@@ -3257,20 +3283,24 @@ static int em_lmsw(struct x86_emulate_ct
-
- static int em_loop(struct x86_emulate_ctxt *ctxt)
- {
-+ int rc = X86EMUL_CONTINUE;
-+
- register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
- if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
- (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
-- jmp_rel(ctxt, ctxt->src.val);
-+ rc = jmp_rel(ctxt, ctxt->src.val);
-
-- return X86EMUL_CONTINUE;
-+ return rc;
- }
-
- static int em_jcxz(struct x86_emulate_ctxt *ctxt)
- {
-+ int rc = X86EMUL_CONTINUE;
-+
- if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
-- jmp_rel(ctxt, ctxt->src.val);
-+ rc = jmp_rel(ctxt, ctxt->src.val);
-
-- return X86EMUL_CONTINUE;
-+ return rc;
- }
-
- static int em_in(struct x86_emulate_ctxt *ctxt)
-@@ -4671,7 +4701,7 @@ special_insn:
- break;
- case 0x70 ... 0x7f: /* jcc (short) */
- if (test_cc(ctxt->b, ctxt->eflags))
-- jmp_rel(ctxt, ctxt->src.val);
-+ rc = jmp_rel(ctxt, ctxt->src.val);
- break;
- case 0x8d: /* lea r16/r32, m */
- ctxt->dst.val = ctxt->src.addr.mem.ea;
-@@ -4700,7 +4730,7 @@ special_insn:
- break;
- case 0xe9: /* jmp rel */
- case 0xeb: /* jmp rel short */
-- jmp_rel(ctxt, ctxt->src.val);
-+ rc = jmp_rel(ctxt, ctxt->src.val);
- ctxt->dst.type = OP_NONE; /* Disable writeback. */
- break;
- case 0xf4: /* hlt */
-@@ -4820,7 +4850,7 @@ twobyte_insn:
- break;
- case 0x80 ... 0x8f: /* jnz rel, etc*/
- if (test_cc(ctxt->b, ctxt->eflags))
-- jmp_rel(ctxt, ctxt->src.val);
-+ rc = jmp_rel(ctxt, ctxt->src.val);
- break;
- case 0x90 ... 0x9f: /* setcc r/m8 */
- ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
diff --git a/debian/patches/bugfix/x86/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch b/debian/patches/bugfix/x86/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
deleted file mode 100644
index 1c175580c..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Nadav Amit
-Date: Thu, 18 Sep 2014 22:39:37 +0300
-Subject: KVM: x86: Fix wrong masking on relative jump/call
-Origin: https://git.kernel.org/linus/05c83ec9b73c8124555b706f6af777b10adf0862
-
-Relative jumps and calls do the masking according to the operand size, and not
-according to the address size as the KVM emulator does today.
-
-This patch fixes KVM behavior.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Nadav Amit
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -499,11 +499,6 @@ static void rsp_increment(struct x86_emu
- masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
- }
-
--static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
--{
-- register_address_increment(ctxt, &ctxt->_eip, rel);
--}
--
- static u32 desc_limit_scaled(struct desc_struct *desc)
- {
- u32 limit = get_desc_limit(desc);
-@@ -577,6 +572,28 @@ static int emulate_nm(struct x86_emulate
- return emulate_exception(ctxt, NM_VECTOR, 0, false);
- }
-
-+static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
-+{
-+ switch (ctxt->op_bytes) {
-+ case 2:
-+ ctxt->_eip = (u16)dst;
-+ break;
-+ case 4:
-+ ctxt->_eip = (u32)dst;
-+ break;
-+ case 8:
-+ ctxt->_eip = dst;
-+ break;
-+ default:
-+ WARN(1, "unsupported eip assignment size\n");
-+ }
-+}
-+
-+static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
-+{
-+ assign_eip_near(ctxt, ctxt->_eip + rel);
-+}
-+
- static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
- {
- u16 selector;
diff --git a/debian/patches/bugfix/x86/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch b/debian/patches/bugfix/x86/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
deleted file mode 100644
index 944d7851b..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-From: Nadav Amit
-Date: Thu, 18 Sep 2014 22:39:39 +0300
-Subject: KVM: x86: Handle errors when RIP is set during far jumps
-Origin: https://git.kernel.org/linus/d1442d85cc30ea75f7d399474ca738e0bc96f715
-
-Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
-handle this case, and may result in failed vm-entry once the assignment is
-done. The tricky part of doing so is that loading the new CS affects the
-VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
-unconsistent state. Therefore, this patch saves on 64-bit the old CS
-descriptor and restores it if loading RIP failed.
-
-This fixes CVE-2014-3647.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Nadav Amit
-Signed-off-by: Paolo Bonzini
-[bwh: Backported to 3.16: Adjust context]
----
- arch/x86/kvm/emulate.c | 118 ++++++++++++++++++++++++++++++++++++-------------
- 1 file changed, 88 insertions(+), 30 deletions(-)
-
---- a/arch/x86/kv
m/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -1439,7 +1439,9 @@ static int write_segment_descriptor(stru
-
- /* Does not support long mode */
- static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
-- u16 selector, int seg, u8 cpl, bool in_task_switch)
-+ u16 selector, int seg, u8 cpl,
-+ bool in_task_switch,
-+ struct desc_struct *desc)
- {
- struct desc_struct seg_desc, old_desc;
- u8 dpl, rpl;
-@@ -1568,6 +1570,8 @@ static int __load_segment_descriptor(str
- }
- load:
- ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
-+ if (desc)
-+ *desc = seg_desc;
- return X86EMUL_CONTINUE;
- exception:
- emulate_exception(ctxt, err_vec, err_code, true);
-@@ -1578,7 +1582,7 @@ static int load_segment_descriptor(struc
- u16 selector, int seg)
- {
- u8 cpl = ctxt->ops->cpl(ctxt);
-- return __load_segment_descriptor(ctxt, selector, seg, cpl, false);
-+ return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
- }
-
- static void write_register_operand(struct operand *op)
-@@ -1975,17 +1979,31 @@ static int em_iret(struct x86_emulate_ct
- static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
- {
- int rc;
-- unsigned short sel;
-+ unsigned short sel, old_sel;
-+ struct desc_struct old_desc, new_desc;
-+ const struct x86_emulate_ops *ops = ctxt->ops;
-+ u8 cpl = ctxt->ops->cpl(ctxt);
-+
-+ /* Assignment of RIP may only fail in 64-bit mode */
-+ if (ctxt->mode == X86EMUL_MODE_PROT64)
-+ ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
-+ VCPU_SREG_CS);
-
- memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
-
-- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
-+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
-+ &new_desc);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-
-- ctxt->_eip = 0;
-- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
-- return X86EMUL_CONTINUE;
-+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
-+ if (rc != X86EMUL_CONTINUE) {
-+ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
-+ /* assigning eip failed; restore the old cs */
-+ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
-+ return rc;
-+ }
-+ return rc;
- }
-
- static int em_grp45(struct x86_emulate_ctxt *ctxt)
-@@ -2049,21 +2067,34 @@ static int em_ret(struct x86_emulate_ctx
- static int em_ret_far(struct x86_emulate_ctxt *ctxt)
- {
- int rc;
-- unsigned long cs;
-+ unsigned long eip, cs;
-+ u16 old_cs;
- int cpl = ctxt->ops->cpl(ctxt);
-+ struct desc_struct old_desc, new_desc;
-+ const struct x86_emulate_ops *ops = ctxt->ops;
-+
-+ if (ctxt->mode == X86EMUL_MODE_PROT64)
-+ ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
-+ VCPU_SREG_CS);
-
-- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
-+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
- if (rc != X86EMUL_CONTINUE)
- return rc;
-- if (ctxt->op_bytes == 4)
-- ctxt->_eip = (u32)ctxt->_eip;
- rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
- if (rc != X86EMUL_CONTINUE)
- return rc;
- /* Outer-privilege level return is not implemented */
- if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
- return X86EMUL_UNHANDLEABLE;
-- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
-+ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, false,
-+ &new_desc);
-+ if (rc != X86EMUL_CONTINUE)
-+ return rc;
-+ rc = assign_eip_far(ctxt, eip, new_desc.l);
-+ if (rc != X86EMUL_CONTINUE) {
-+ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
-+ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
-+ }
- return rc;
- }
-
-@@ -2487,19 +2518,24 @@ static int load_state_from_tss16(struct
- * Now load segment descriptors. If fault happens at this stage
- * it is handled in a context of new task
- */
-- ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
-@@ -2624,25 +2660,32 @@ static int load_state_from_tss32(struct
- * Now load segment descriptors. If fault happenes at this stage
- * it is handled in a context of new task
- */
-- ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
-+ cpl, true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-- ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, true);
-+ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
-+ true, NULL);
- if (ret != X86EMUL_CONTINUE)
- return ret;
-
-@@ -2925,24 +2968,39 @@ static int em_call_far(struct x86_emulat
- u16 sel, old_cs;
- ulong old_eip;
- int rc;
-+ struct desc_struct old_desc, new_desc;
-+ const struct x86_emulate_ops *ops = ctxt->ops;
-+ int cpl = ctxt->ops->cpl(ctxt);
-
-- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
- old_eip = ctxt->_eip;
-+ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
-
- memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
-- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
-+ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
-+ &new_desc);
-+ if (rc != X86EMUL_CONTINUE)
- return X86EMUL_CONTINUE;
-
-- ctxt->_eip = 0;
-- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
-+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
-+ if (rc != X86EMUL_CONTINUE)
-+ goto fail;
-
- ctxt->src.val = old_cs;
- rc = em_push(ctxt);
- if (rc != X86EMUL_CONTINUE)
-- return rc;
-+ goto fail;
-
- ctxt->src.val = old_eip;
-- return em_push(ctxt);
-+ rc = em_push(ctxt);
-+ /* If we failed, we tainted the memory, but the very least we should
-+ restore cs */
-+ if (rc != X86EMUL_CONTINUE)
-+ goto fail;
-+ return rc;
-+fail:
-+ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
-+ return rc;
-+
- }
-
- static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
diff --git a/debian/patches/bugfix/x86/KVM-x86-Improve-thread-safety-in-pit.patch b/debian/patches/bugfix/x86/KVM-x86-Improve-thread-safety-in-pit.patch
deleted file mode 100644
index 0ec348000..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Improve-thread-safety-in-pit.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Andy Honig
-Date: Wed, 27 Aug 2014 14:42:54 -0700
-Subject: KVM: x86: Improve thread safety in pit
-Origin: https://git.kernel.org/linus/2febc839133280d5a5e8e1179c94ea674489dae2
-
-There's a race condition in the PIT emulation code in KVM. In
-__kvm_migrate_pit_timer the pit_timer object is accessed without
-synchronization. If the race condition occurs at the wrong time this
-can crash the host kernel.
-
-This fixes CVE-2014-3611.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Andrew Honig
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/i8254.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
-index 518d864..298781d 100644
---- a/arch/x86/kvm/i8254.c
-+++ b/arch/x86/kvm/i8254.c
-@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
- return;
-
- timer = &pit->pit_state.timer;
-+ mutex_lock(&pit->pit_state.lock);
- if (hrtimer_cancel(timer))
- hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
-+ mutex_unlock(&pit->pit_state.lock);
- }
-
- static void destroy_pit_timer(struct kvm_pit *pit)
diff --git a/debian/patches/bugfix/x86/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch b/debian/patches/bugfix/x86/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
deleted file mode 100644
index 3fd1fe0f4..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Andy Honig
-Date: Wed, 27 Aug 2014 11:16:44 -0700
-Subject: KVM: x86: Prevent host from panicking on shared MSR writes.
-Origin: https://git.kernel.org/linus/8b3c3104c3f4f706e99365c3e0d2aa61b95f969f
-
-The previous patch blocked invalid writes directly when the MSR
-is written. As a precaution, prevent future similar mistakes by
-gracefulling handle GPs caused by writes to shared MSRs.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Andrew Honig
-[Remove parts obsoleted by Nadav's patch. - Paolo]
-Signed-off-by: Paolo Bonzini
----
- arch/x86/include/asm/kvm_host.h | 2 +-
- arch/x86/kvm/vmx.c | 7 +++++--
- arch/x86/kvm/x86.c | 11 ++++++++---
- 3 files changed, 14 insertions(+), 6 deletions(-)
-
---- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -1061,7 +1061,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp
- void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
-
- void kvm_define_shared_msr(unsigned index, u32 msr);
--void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
-+int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
-
- bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -2615,12 +2615,15 @@ static int vmx_set_msr(struct kvm_vcpu *
- default:
- msr = find_msr_entry(vmx, msr_index);
- if (msr) {
-+ u64 old_msr_data = msr->data;
- msr->data = data;
- if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
- preempt_disable();
-- kvm_set_shared_msr(msr->index, msr->data,
-- msr->mask);
-+ ret = kvm_set_shared_msr(msr->index, msr->data,
-+ msr->mask);
- preempt_enable();
-+ if (ret)
-+ msr->data = old_msr_data;
- }
- break;
- }
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -227,20 +227,25 @@ static void kvm_shared_msr_cpu_online(vo
- shared_msr_update(i, shared_msrs_global.msrs[i]);
- }
-
--void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
-+int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
- {
- unsigned int cpu = smp_processor_id();
- struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
-+ int err;
-
- if (((value ^ smsr->values[slot].curr) & mask) == 0)
-- return;
-+ return 0;
- smsr->values[slot].curr = value;
-- wrmsrl(shared_msrs_global.msrs[slot], value);
-+ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
-+ if (err)
-+ return 1;
-+
- if (!smsr->registered) {
- smsr->urn.on_user_return = kvm_on_user_return;
- user_return_notifier_register(&smsr->urn);
- smsr->registered = true;
- }
-+ return 0;
- }
- EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
-
diff --git a/debian/patches/bugfix/x86/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch b/debian/patches/bugfix/x86/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
deleted file mode 100644
index ffe371864..000000000
--- a/debian/patches/bugfix/x86/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Petr Matousek
-Date: Tue, 23 Sep 2014 20:22:30 +0200
-Subject: kvm: vmx: handle invvpid vm exit gracefully
-Origin: https://git.kernel.org/linus/a642fc305053cc1c6e47e4f4df327895747ab485
-
-On systems with invvpid instruction support (corresponding bit in
-IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
-causes vm exit, which is currently not handled and results in
-propagation of unknown exit to userspace.
-
-Fix this by installing an invvpid vm exit handler.
-
-This is CVE-2014-3646.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Petr Matousek
-Signed-off-by: Paolo Bonzini
----
- arch/x86/include/uapi/asm/vmx.h | 2 ++
- arch/x86/kvm/vmx.c | 9 ++++++++-
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
---- a/arch/x86/include/uapi/asm/vmx.h
-+++ b/arch/x86/include/uapi/asm/vmx.h
-@@ -67,6 +67,7 @@
- #define EXIT_REASON_EPT_MISCONFIG 49
- #define EXIT_REASON_INVEPT 50
- #define EXIT_REASON_PREEMPTION_TIMER 52
-+#define EXIT_REASON_INVVPID 53
- #define EXIT_REASON_WBINVD 54
- #define EXIT_REASON_XSETBV 55
- #define EXIT_REASON_APIC_WRITE 56
-@@ -114,6 +115,7 @@
- { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \
- { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \
- { EXIT_REASON_INVD, "INVD" }, \
-+ { EXIT_REASON_INVVPID, "INVVPID" }, \
- { EXIT_REASON_INVPCID, "INVPCID" }
-
- #endif /* _UAPIVMX_H */
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -6618,6 +6618,12 @@ static int handle_invept(struct kvm_vcpu
- return 1;
- }
-
-+static int handle_invvpid(struct kvm_vcpu *vcpu)
-+{
-+ kvm_queue_exception(vcpu, UD_VECTOR);
-+ return 1;
-+}
-+
- /*
- * The exit handlers return 1 if the exit was handled fully and guest execution
- * may resume.
Otherwise they set the kvm_run parameter to indicate what needs
-@@ -6663,6 +6669,7 @@ static int (*const kvm_vmx_exit_handlers
- [EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait,
- [EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor,
- [EXIT_REASON_INVEPT] = handle_invept,
-+ [EXIT_REASON_INVVPID] = handle_invvpid,
- };
-
- static const int kvm_vmx_max_exit_handlers =
-@@ -6896,7 +6903,7 @@ static bool nested_vmx_exit_handled(stru
- case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
- case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
- case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
-- case EXIT_REASON_INVEPT:
-+ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
- /*
- * VMX instructions trap unconditionally. This allows L1 to
- * emulate them for its L2 guest, i.e., allows 3-level nesting!
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-far-jump-to-non-canonical-check.patch b/debian/patches/bugfix/x86/kvm-x86-fix-far-jump-to-non-canonical-check.patch
deleted file mode 100644
index 5b151a4b8..000000000
--- a/debian/patches/bugfix/x86/kvm-x86-fix-far-jump-to-non-canonical-check.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From: Nadav Amit -Date: Tue, 28 Oct 2014 00:03:43 +0200 -Subject: KVM: x86: Fix far-jump to non-canonical check -Origin: https://git.kernel.org/linus/7e46dddd6f6cd5dbf3c7bd04a7e75d19475ac9f2 - -Commit d1442d85cc30 ("KVM: x86: Handle errors when RIP is set during far -jumps") introduced a bug that caused the fix to be incomplete. Due to -incorrect evaluation, far jump to segment with L bit cleared (i.e., 32-bit -segment) and RIP with any of the high bits set (i.e, RIP[63:32] != 0) set may -not trigger #GP. As we know, this imposes a security problem. - -In addition, the condition for two warnings was incorrect. - -Fixes: d1442d85cc30ea75f7d399474ca738e0bc96f715 -Reported-by: Dan Carpenter -Signed-off-by: Nadav Amit -[Add #ifdef CONFIG_X86_64 to avoid complaints of undefined behavior. - Paolo] -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/emulate.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -582,12 +582,14 @@ static inline int assign_eip_far(struct - case 4: - ctxt->_eip = (u32)dst; - break; -+#ifdef CONFIG_X86_64 - case 8: - if ((cs_l && is_noncanonical_address(dst)) || -- (!cs_l && (dst & ~(u32)-1))) -+ (!cs_l && (dst >> 32) != 0)) - return emulate_gp(ctxt, 0); - ctxt->_eip = dst; - break; -+#endif - default: - WARN(1, "unsupported eip assignment size\n"); - } -@@ -1998,7 +2000,7 @@ static int em_jmp_far(struct x86_emulate - - rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l); - if (rc != X86EMUL_CONTINUE) { -- WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64); -+ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64); - /* assigning eip failed; restore the old cs */ - ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS); - return rc; -@@ -2092,7 +2094,7 @@ static int em_ret_far(struct x86_emulate - return rc; - rc = assign_eip_far(ctxt, eip, new_desc.l); - if (rc != X86EMUL_CONTINUE) { -- WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64); -+ WARN_ON(ctxt->mode != 
X86EMUL_MODE_PROT64);
- ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
- }
- return rc;
diff --git a/debian/patches/features/all/wireless-rt2x00-add-new-rt2800usb-device.patch b/debian/patches/features/all/wireless-rt2x00-add-new-rt2800usb-device.patch
deleted file mode 100644
index 58df0ff47..000000000
--- a/debian/patches/features/all/wireless-rt2x00-add-new-rt2800usb-device.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Cyril Brulebois
-Date: Sun, 26 Oct 2014 12:33:38 +0100
-Subject: wireless: rt2x00: add new rt2800usb device
-Bug-Debian: https://bugs.debian.org/766802
-Forwarded: http://article.gmane.org/gmane.linux.kernel/1815824
-
-0x1b75 0xa200 AirLive WN-200USB wireless 11b/g/n dongle
-
-References: https://bugs.debian.org/766802
-Reported-by: Martin Mokrejs
-Cc: stable@vger.kernel.org
-Signed-off-by: Cyril Brulebois
----
- drivers/net/wireless/rt2x00/rt2800usb.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/wireless/rt2x00/rt2800usb.c
-+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
-@@ -1111,6 +1111,7 @@ static struct usb_device_id rt2800usb_de
- /* Ovislink */
- { USB_DEVICE(0x1b75, 0x3071) },
- { USB_DEVICE(0x1b75, 0x3072) },
-+ { USB_DEVICE(0x1b75, 0xa200) },
- /* Para */
- { USB_DEVICE(0x20b8, 0x8888) },
- /* Pegatron */
diff --git a/debian/patches/series b/debian/patches/series
index 603c1e9f5..bd9be7fb8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -54,19 +54,9 @@ bugfix/m68k/ethernat-kconfig.patch
 bugfix/x86/x86-reject-x32-executables-if-x32-abi-not-supported.patch
 bugfix/s390/s390-3215-fix-hanging-console-issue.patch
 bugfix/arm64/arm64-crypto-fix-makefile-rule-for-aes-glue-.o.patch
-bugfix/mips/MIPS-cp1emu-Fix-ISA-restrictions-for-cop1x_op-instru.patch
-bugfix/mips/MIPS-tlbex-Properly-fix-HUGE-TLB-Refill-exception-ha.patch
 bugfix/s390/s390-3215-fix-tty-output-containing-tabs.patch
 bugfix/x86/drm-i915-initialise-userptr-mmu_notifier-serial-to-1.patch
 bugfix/x86/drm-i915-Add-some-L3-registers-to-the-parser-whiteli.patch
-bugfix/x86/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
-bugfix/x86/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
-bugfix/x86/KVM-x86-Improve-thread-safety-in-pit.patch
-bugfix/x86/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
-bugfix/x86/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
-bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
-bugfix/x86/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
-bugfix/x86/kvm-x86-fix-far-jump-to-non-canonical-check.patch
 bugfix/parisc/parisc-reduce-sigrtmin-from-37-to-32-to-behave-like-.patch
 bugfix/arm64/arm64-add-missing-dts-entry-for-X-Gene-platform.patch
 bugfix/arm64/arm64-removed-using-of-the-mask-attribute-in-the-dts.patch
@@ -141,25 +131,14 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/disable-some-marvell-phys.patch
 debian/i2o-disable-i2o_ext_adaptec-on-64bit.patch
 bugfix/all/aic94xx-remove-broken-fallback-for-missing-ctrl-a.patch
-bugfix/all/builddeb-put-the-dbg-files-into-the-correct-director.patch
 bugfix/all/fold-swapping-d_name.hash-into-switch_names.patch
 bugfix/all/vfs-Don-t-exchange-short-filenames-unconditionally.patch
 bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
-bugfix/all/switch-iov_iter_get_pages-to-passing-maximal-number-.patch
-bugfix/all/fuse-honour-max_read-and-max_write-in-direct_io-mode.patch
 bugfix/all/SUNRPC-Don-t-wake-tasks-during-connection-abort.patch
 bugfix/all/lockd-Try-to-reconnect-if-statd-has-moved.patch
-bugfix/all/mtd-move-support-for-struct-flash_platform_data-into.patch
-bugfix/all/mtd-m25p80-get-rid-of-spi_get_device_id.patch
-bugfix/all/mtd-spi-nor-make-spi_nor_scan-take-a-chip-type-name-.patch
-bugfix/all/mtd-m25p80-spi-nor-Fix-module-aliases-for-m25p80.patch
 bugfix/all/HID-i2c-hid-call-the-hid-driver-s-suspend-and-resume.patch
 bugfix/all/drivers-net-Disable-UFO-through-virtio.patch
 bugfix/all/drivers-net-ipv6-Select-IPv6-fragment-idents-for-vir.patch
-bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
-bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
-bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
-bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
 bugfix/all/net-mv643xx_eth-reclaim-TX-skbs-only-when-released-b.patch
 bugfix/all/xen-netback-Adding-debugfs-io_ring_qX-files.patch
 bugfix/all/xen-netback-Using-a-new-state-bit-instead-of-carrier.patch
@@ -201,7 +180,6 @@ debian/revert-staging-sm7xxfb-remove-driver.patch
 features/all/sfc-Adding-PCI-ID-for-Solarflare-7000-series-40G-net.patch
 features/all/sfc-Add-40G-link-capability-decoding.patch
 features/all/mmc_block-increase-max_devices.patch
-features/all/wireless-rt2x00-add-new-rt2800usb-device.patch
 features/all/of-Create-of_console_check-for-selecting-a-console-s.patch
 features/all/of-Enable-console-on-serial-ports-specified-by-chose.patch
 features/all/of-correct-of_console_check-s-return-value.patch