Update to 3.8.11

svn path=/dists/sid/linux/; revision=20012
Ben Hutchings 2013-05-04 17:21:58 +00:00
parent f0b5fe588b
commit 37b0eaaa6d
13 changed files with 119 additions and 610 deletions

debian/changelog

@ -1,3 +1,108 @@
linux (3.8.11-1) UNRELEASED; urgency=high
* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.6
- sysfs: fix race between readdir and lseek
- sysfs: handle failure path correctly for readdir()
- rtlwifi: usb: add missing freeing of skbuff
- b43: A fix for DMA transmission sequence errors
- tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
- xen-blkback: fix dispatch_rw_block_io() error path
- net/irda: add missing error path release_sock call
- usb: xhci: Fix TRB transfer length macro used for Event TRB.
- Btrfs: fix locking on ROOT_REPLACE operations in tree mod log
- Btrfs: fix race between mmap writes and compression
- USB: serial: fix use-after-free in TIOCMIWAIT
- loop: prevent bdev freeing while device in use
- virtio: console: add locking around c_ovq operations
- nfsd4: reject "negative" acl lengths
- Btrfs: fix space leak when we fail to reserve metadata space
- net: remove a WARN_ON() in net_enable_timestamp()
- 8021q: fix a potential use-after-free
- unix: fix a race condition in unix_release()
- atl1e: drop pci-msi support because of packet corruption
(possibly fixes: #577747)
- ipv6: fix bad free of addrconf_init_net
- ipv6: don't accept multicast traffic with scope 0
- ipv6: don't accept node local multicast traffic from the wire
- pch_gbe: fix ip_summed checksum reporting on rx
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.7
- drm/nouveau: fix handling empty channel list in ioctl's
- drm/i915: Be sure to turn hsync/vsync back on at crt enable (v2)
(fixes regression in 3.8.3)
- drm: correctly restore mappings if drm_open fails
- mm: prevent mmap_cache race in find_vma()
- mwifiex: limit channel number not to overflow memory
- spinlocks and preemption points need to be at least compiler barriers
- crypto: gcm - fix assumption that assoc has one segment
- NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
- vfio-pci: Fix possible integer overflow
- can: gw: use kmem_cache_free() instead of kfree()
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.8
- ipc: set msg back to -EAGAIN if copy wasn't performed
- GFS2: Fix unlock of fcntl locks during withdrawn state
- cifs: Allow passwords which begin with a delimitor (fixes
regression in 3.8)
- [i386] Fix possible incomplete TLB invalidate with PAE pagetables
- sched_clock: Prevent 64bit inatomicity on 32bit systems
- [x86] mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates
- tty: don't deadlock while flushing workqueue
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9
- [powerpc] add a missing label in resume_kernel
- [powerpc] kvm/powerpc/e500mc: fix tlb invalidation on cpu migration
- kthread: Prevent unpark race which puts threads on the wrong cpu
- hrtimer: Don't reinitialize a cpu_base lock on CPU_UP
- hugetlbfs: add swap entry check in follow_hugetlb_page()
- kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
- hfsplus: fix potential overflow in hfsplus_file_truncate()
- md: raid1,10: Handle REQ_WRITE_SAME flag in write bios
- [x86] KVM: Allow cross page reads and writes from cached translations.
(fixes regression in fix for CVE-2013-1796)
- hsched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s
- [armel] Fix kexec by setting outer_cache.inv_all for Feroceon
- ath9k_htc: accept 1.x firmware newer than 1.3
- mac80211: fix cfg80211 interaction on auth/assoc request
- crypto: algif - suppress sending source address information in recvmsg
(CVE-2013-3076)
- vm: add and use vm_iomap_memory() helper function
- Btrfs: make sure nbytes are right after log replay
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.10
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.11
- TTY: do not update atime/mtime on read/write
- TTY: fix atime/mtime regression
- [sparc] sparc64: Fix race in TLB batch processing.
- atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
- ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
- Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
- Bluetooth: RFCOMM - Fix missing msg_namelen update in
rfcomm_sock_recvmsg() (CVE-2013-3225)
- Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
- caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
(CVE-2013-3227)
- irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
(CVE-2013-3228)
- [s390] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
(CVE-2013-3229)
- l2tp: fix info leak in l2tp_ip6_recvmsg()
- llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
- netrom: fix info leak via msg_name in nr_recvmsg()
- NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
- rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
- tipc: fix info leaks via msg_name in recv_msg/recv_stream
(CVE-2013-3235)
- atl1e: limit gso segment size to prevent generation of wrong ip length
fields (Closes: #565404)
- af_unix: If we don't care about credentials coallesce all messages
- ipv6/tcp: Stop processing ICMPv6 redirect messages
- rtnetlink: Call nlmsg_parse() with correct header length
- tcp: incoming connections might use wrong route under synflood
- tcp: Reallocate headroom if it would overflow csum_start
- net: cdc_mbim: remove bogus sizeof()
- net: fix incorrect credentials passing (CVE-2013-1979)
- net: drop dst before queueing fragments
-- Ben Hutchings <ben@decadent.org.uk> Sat, 04 May 2013 03:45:10 +0100
linux (3.8.5-1~experimental.1) experimental; urgency=high
* New upstream stable update:
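Review bot: the 3.8.9 entry "- hsched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s" should read "sched:"; the leading "h" looks like a typo rather than a subsystem name. Two smaller points in the same hunk: the ChangeLog-3.8.10 link is immediately followed by the ChangeLog-3.8.11 link with nothing listed under it, which reads like an omission unless nothing in 3.8.10 was worth noting, and among the 3.8.11 recvmsg msg_name fixes some entries carry CVE ids while the Bluetooth SCO, l2tp, netrom and NFC llcp entries do not, so it is worth checking whether ids exist for those as well before release.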


@ -1,42 +0,0 @@
From: Andy Honig <ahonig@google.com>
Date: Wed, 20 Feb 2013 14:49:16 -0800
Subject: KVM: Fix bounds checking in ioapic indirect register reads
(CVE-2013-1798)
commit a2c118bfab8bc6b8bb213abfc35201e441693d55 upstream.
If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
that request. ioapic_read_indirect contains an
ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
non-debug builds. In recent kernels this allows a guest to cause a kernel
oops by reading invalid memory. In older kernels (pre-3.3) this allows a
guest to read from large ranges of host memory.
Tested: tested against apic unit tests.
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
---
virt/kvm/ioapic.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
index ce82b94..5ba005c 100644
--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -74,9 +74,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
u64 redir_content;
- ASSERT(redir_index < IOAPIC_NUM_PINS);
+ if (redir_index < IOAPIC_NUM_PINS)
+ redir_content =
+ ioapic->redirtbl[redir_index].bits;
+ else
+ redir_content = ~0ULL;
- redir_content = ioapic->redirtbl[redir_index].bits;
result = (ioapic->ioregsel & 0x1) ?
(redir_content >> 32) & 0xffffffff :
redir_content & 0xffffffff;
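Review bot: the changelog hunk above has no entry for this KVM ioapic bounds-check fix (CVE-2013-1798, upstream commit a2c118bfab8bc6b8bb213abfc35201e441693d55) under any of the ChangeLog-3.8.6 to ChangeLog-3.8.11 links, so the only evidence that dropping it from debian/patches is safe is the one-line commit title "Update to 3.8.11". A changelog line naming the stable release that now carries the upstream commit, or at least the upstream commit id, would make this removal auditable from the package history alone.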


@ -61,8 +61,8 @@ Signed-off-by: Tony Luck <tony.luck@intel.com>
*id = part;
return ret;
@@ -1670,6 +1674,75 @@ static ssize_t efivar_delete(struct file
return count;
@@ -1717,6 +1721,75 @@ static unsigned long var_name_strnsize(e
return min(len, variable_name_size);
}
+static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor)
@ -137,7 +137,7 @@ Signed-off-by: Tony Luck <tony.luck@intel.com>
/*
* Let's not leave out systab information that snuck into
* the efivars driver
@@ -2000,6 +2073,8 @@ err_put:
@@ -2087,6 +2160,8 @@ err_put:
static void __exit
efivars_exit(void)
{
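Review bot: these hunks appear to change only the line numbers inside the embedded @@ headers (-1670,6 +1674,75 becomes -1717,6 +1721,75; -2000,6 +2073,8 becomes -2087,6 +2160,8), i.e. a context refresh with no change to the patch body, which matches the equal old/new line counts in the outer hunk headers. Neither the commit message nor the changelog says that the efivars patches were refreshed rather than dropped, and a one-line note to that effect would spare the next reader from having to diff the diffs to find out.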


@ -70,15 +70,14 @@ Reported-by: Lingzhu Xiang <lxiang@redhat.com>
Tested-by: Lingzhu Xiang <lxiang@redhat.com>
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
[bwh: Apply only the part not included in 3.8.6]
---
drivers/firmware/efivars.c | 48 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
index 1e9d9b9..d64661f 100644
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -170,6 +170,7 @@ efivar_create_sysfs_entry(struct efivars *efivars,
@@ -171,6 +171,7 @@ efivar_create_sysfs_entry(struct efivars
static void efivar_update_sysfs_entries(struct work_struct *);
static DECLARE_WORK(efivar_work, efivar_update_sysfs_entries);
@ -86,7 +85,7 @@ index 1e9d9b9..d64661f 100644
/* Return the number of unicode characters in data */
static unsigned long
@@ -1444,7 +1445,7 @@ static int efi_pstore_write(enum pstore_type_id type,
@@ -1435,7 +1436,7 @@ static int efi_pstore_write(enum pstore_
spin_unlock_irqrestore(&efivars->lock, flags);
@ -95,20 +94,10 @@ index 1e9d9b9..d64661f 100644
schedule_work(&efivar_work);
*id = part;
@@ -1975,6 +1976,35 @@ void unregister_efivars(struct efivars *efivars)
}
EXPORT_SYMBOL_GPL(unregister_efivars);
@@ -1998,6 +1999,13 @@ static void dup_variable_bug(efi_char16_
size_t i, len8 = len16 / sizeof(efi_char16_t);
char *s8;
+/*
+ * Print a warning when duplicate EFI variables are encountered and
+ * disable the sysfs workqueue since the firmware is buggy.
+ */
+static void dup_variable_bug(efi_char16_t *s16, efi_guid_t *vendor_guid,
+ unsigned long len16)
+{
+ size_t i, len8 = len16 / sizeof(efi_char16_t);
+ char *s8;
+
+ /*
+ * Disable the workqueue since the algorithm it uses for
+ * detecting new variables won't work with this buggy
@ -116,41 +105,6 @@ index 1e9d9b9..d64661f 100644
+ */
+ efivar_wq_enabled = false;
+
+ s8 = kzalloc(len8, GFP_KERNEL);
+ if (!s8)
+ return;
+
+ for (i = 0; i < len8; i++)
+ s8[i] = s16[i];
+
+ printk(KERN_WARNING "efivars: duplicate variable: %s-%pUl\n",
+ s8, vendor_guid);
+ kfree(s8);
+}
+
int register_efivars(struct efivars *efivars,
const struct efivar_operations *ops,
struct kobject *parent_kobj)
@@ -2025,6 +2055,22 @@ int register_efivars(struct efivars *efivars,
case EFI_SUCCESS:
variable_name_size = var_name_strnsize(variable_name,
variable_name_size);
+
+ /*
+ * Some firmware implementations return the
+ * same variable name on multiple calls to
+ * get_next_variable(). Terminate the loop
+ * immediately as there is no guarantee that
+ * we'll ever see a different variable name,
+ * and may end up looping here forever.
+ */
+ if (variable_is_present(variable_name, &vendor_guid)) {
+ dup_variable_bug(variable_name, &vendor_guid,
+ variable_name_size);
+ status = EFI_NOT_FOUND;
+ break;
+ }
+
efivar_create_sysfs_entry(efivars,
variable_name_size,
variable_name,
s8 = kzalloc(len8, GFP_KERNEL);
if (!s8)
return;
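Review bot: the trim reduces the patch body substantially (the outer hunk headers go from 20 to 10 lines and from 41 to 6 lines), so the diffstat in the patch header, "drivers/firmware/efivars.c | 48 ++++..." and "1 file changed, 47 insertions(+), 1 deletion(-)", needs to be checked against the trimmed body; a diffstat that no longer matches is misleading for anyone comparing this patch with what 3.8.6 already contains. The "[bwh: Apply only the part not included in 3.8.6]" marker would also be more useful if it said which part remains (the dup_variable_bug() warning and the variable_is_present() guard in register_efivars(), as far as the visible hunks show), since the changelog's 3.8.6 block lists no efivars entry at all.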


@ -37,45 +37,14 @@ Cc: Lee, Chun-Yi <jlee@suse.com>
Cc: Lingzhu Xiang <lxiang@redhat.com>
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
[bwh: Apply only the part not included in 3.8.6]
---
drivers/firmware/efivars.c | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -1044,6 +1044,31 @@ static bool variable_is_present(efi_char
return found;
}
+/*
+ * Returns the size of variable_name, in bytes, including the
+ * terminating NULL character, or variable_name_size if no NULL
+ * character is found among the first variable_name_size bytes.
+ */
+static unsigned long var_name_strnsize(efi_char16_t *variable_name,
+ unsigned long variable_name_size)
+{
+ unsigned long len;
+ efi_char16_t c;
+
+ /*
+ * The variable name is, by definition, a NULL-terminated
+ * string, so make absolutely sure that variable_name_size is
+ * the value we expect it to be. If not, return the real size.
+ */
+ for (len = 2; len <= variable_name_size; len += sizeof(c)) {
+ c = variable_name[(len / sizeof(c)) - 1];
+ if (!c)
+ break;
+ }
+
+ return min(len, variable_name_size);
+}
+
static void efivar_update_sysfs_entries(struct work_struct *work)
{
struct efivars *efivars = &__efivars;
@@ -1084,10 +1109,13 @@ static void efivar_update_sysfs_entries(
@@ -1783,10 +1783,13 @@ static void efivar_update_sysfs_entries(
if (!found) {
kfree(variable_name);
break;
@ -90,12 +59,3 @@ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
}
}
@@ -1318,6 +1346,8 @@ int register_efivars(struct efivars *efi
&vendor_guid);
switch (status) {
case EFI_SUCCESS:
+ variable_name_size = var_name_strnsize(variable_name,
+ variable_name_size);
efivar_create_sysfs_entry(efivars,
variable_name_size,
variable_name,
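Review bot: the "[bwh: Apply only the part not included in 3.8.6]" marker in this patch header implies the rest of the upstream efivars length fix is already in 3.8.6, but the 3.8.6 block of the changelog above lists no efivars entry; adding one would let a reader explain why this patch is partial without consulting the upstream ChangeLog. The var_name_strnsize() hunk itself only has its @@ offsets refreshed (-1084,10 +1109,13 against -1783,10 +1783,13), which is consistent with a rebase rather than a content change, so no concern there.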


@ -1,36 +0,0 @@
From: Andrew Morton <akpm@linux-foundation.org>
Date: Wed, 13 Mar 2013 14:59:34 -0700
Subject: kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER
commit 522cff142d7d2f9230839c9e1f21a4d8bcc22a4a upstream.
__ARCH_HAS_SA_RESTORER is the preferred conditional for use in 3.9 and
later kernels, per Kees.
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Julien Tinnes <jln@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
kernel/signal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/signal.c b/kernel/signal.c
index 43b0d4a..dd72567 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -485,7 +485,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
if (force_default || ka->sa.sa_handler != SIG_IGN)
ka->sa.sa_handler = SIG_DFL;
ka->sa.sa_flags = 0;
-#ifdef SA_RESTORER
+#ifdef __ARCH_HAS_SA_RESTORER
ka->sa.sa_restorer = NULL;
#endif
sigemptyset(&ka->sa.sa_mask);


@ -1,149 +0,0 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 25 Nov 2012 22:24:19 -0500
Subject: signal: Fix use of missing sa_restorer field
flush_signal_handlers() needs to know whether sigaction::sa_restorer
is defined, not whether SA_RESTORER is defined. Define the
__ARCH_HAS_SA_RESTORER macro to indicate this.
Vaguely based on upstream commit 574c4866e33d 'consolidate kernel-side
struct sigaction declarations'.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
---
--- a/arch/arm/include/asm/signal.h
+++ b/arch/arm/include/asm/signal.h
@@ -29,6 +29,7 @@ struct sigaction {
__sigrestore_t sa_restorer;
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/avr32/include/asm/signal.h
+++ b/arch/avr32/include/asm/signal.h
@@ -29,6 +29,7 @@ struct sigaction {
__sigrestore_t sa_restorer;
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/cris/include/asm/signal.h
+++ b/arch/cris/include/asm/signal.h
@@ -29,6 +29,7 @@ struct sigaction {
void (*sa_restorer)(void);
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/h8300/include/asm/signal.h
+++ b/arch/h8300/include/asm/signal.h
@@ -29,6 +29,7 @@ struct sigaction {
void (*sa_restorer)(void);
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/m32r/include/asm/signal.h
+++ b/arch/m32r/include/asm/signal.h
@@ -22,6 +22,7 @@ struct sigaction {
__sigrestore_t sa_restorer;
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/m68k/include/asm/signal.h
+++ b/arch/m68k/include/asm/signal.h
@@ -29,6 +29,7 @@ struct sigaction {
__sigrestore_t sa_restorer;
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/mn10300/include/asm/signal.h
+++ b/arch/mn10300/include/asm/signal.h
@@ -39,6 +39,7 @@ struct sigaction {
__sigrestore_t sa_restorer;
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/powerpc/include/asm/signal.h
+++ b/arch/powerpc/include/asm/signal.h
@@ -1,6 +1,7 @@
#ifndef _ASM_POWERPC_SIGNAL_H
#define _ASM_POWERPC_SIGNAL_H
+#define __ARCH_HAS_SA_RESTORER
#include <uapi/asm/signal.h>
#endif /* _ASM_POWERPC_SIGNAL_H */
--- a/arch/s390/include/asm/signal.h
+++ b/arch/s390/include/asm/signal.h
@@ -34,6 +34,7 @@ struct sigaction {
void (*sa_restorer)(void);
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/arch/sparc/include/asm/signal.h
+++ b/arch/sparc/include/asm/signal.h
@@ -26,5 +26,7 @@ struct k_sigaction {
void __user *ka_restorer;
};
+#define __ARCH_HAS_SA_RESTORER
+
#endif /* !(__ASSEMBLY__) */
#endif /* !(__SPARC_SIGNAL_H) */
--- a/arch/x86/include/asm/signal.h
+++ b/arch/x86/include/asm/signal.h
@@ -31,6 +31,9 @@ typedef sigset_t compat_sigset_t;
#include <uapi/asm/signal.h>
#ifndef __ASSEMBLY__
extern void do_notify_resume(struct pt_regs *, void *, __u32);
+
+#define __ARCH_HAS_SA_RESTORER
+
#ifdef __i386__
struct old_sigaction {
__sighandler_t sa_handler;
--- a/arch/xtensa/include/asm/signal.h
+++ b/arch/xtensa/include/asm/signal.h
@@ -21,6 +21,7 @@ struct sigaction {
void (*sa_restorer)(void);
sigset_t sa_mask; /* mask last for extensibility */
};
+#define __ARCH_HAS_SA_RESTORER
struct k_sigaction {
struct sigaction sa;
--- a/include/uapi/asm-generic/signal.h
+++ b/include/uapi/asm-generic/signal.h
@@ -93,6 +93,10 @@ typedef unsigned long old_sigset_t;
#include <asm-generic/signal-defs.h>
+#ifdef SA_RESTORER
+#define __ARCH_HAS_SA_RESTORER
+#endif
+
struct sigaction {
__sighandler_t sa_handler;
unsigned long sa_flags;
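Review bot: dropping this Debian-local patch, which is what defines __ARCH_HAS_SA_RESTORER on arm, avr32, cris, h8300, m32r, m68k, mn10300, powerpc, s390, sparc, x86, xtensa and in asm-generic, is only safe if 3.8.11 itself defines the macro for every one of those architectures, because the "kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER" patch removed just above makes flush_signal_handlers() rely on it. Nothing in the changelog records which upstream stable change supplies the definitions; a changelog line naming it would close that gap, and a build or at least a grep for __ARCH_HAS_SA_RESTORER across arch/*/include/asm/signal.h on the 3.8.11 tree is the check to run before merging.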


@ -1,161 +0,0 @@
From: Andy Honig <ahonig@google.com>
Date: Wed, 20 Feb 2013 14:48:10 -0800
Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache
functions (CVE-2013-1797)
commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream.
There is a potential use after free issue with the handling of
MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
memory such as frame buffers then KVM might continue to write to that
address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
the page in memory so it's unlikely to cause an issue, but if the user
space component re-purposes the memory previously used for the guest, then
the guest will be able to corrupt that memory.
Tested: Tested against kvmclock unit test
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
---
arch/x86/include/asm/kvm_host.h | 4 ++--
arch/x86/kvm/x86.c | 47 +++++++++++++++++----------------------
2 files changed, 22 insertions(+), 29 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 635a74d..4979778 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -414,8 +414,8 @@ struct kvm_vcpu_arch {
gpa_t time;
struct pvclock_vcpu_time_info hv_clock;
unsigned int hw_tsc_khz;
- unsigned int time_offset;
- struct page *time_page;
+ struct gfn_to_hva_cache pv_time;
+ bool pv_time_enabled;
/* set guest stopped flag in pvclock flags field */
bool pvclock_set_guest_stopped_request;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 2ade60c..f19ac0a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1406,10 +1406,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
unsigned long flags, this_tsc_khz;
struct kvm_vcpu_arch *vcpu = &v->arch;
struct kvm_arch *ka = &v->kvm->arch;
- void *shared_kaddr;
s64 kernel_ns, max_kernel_ns;
u64 tsc_timestamp, host_tsc;
- struct pvclock_vcpu_time_info *guest_hv_clock;
+ struct pvclock_vcpu_time_info guest_hv_clock;
u8 pvclock_flags;
bool use_master_clock;
@@ -1463,7 +1462,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
local_irq_restore(flags);
- if (!vcpu->time_page)
+ if (!vcpu->pv_time_enabled)
return 0;
/*
@@ -1525,12 +1524,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
*/
vcpu->hv_clock.version += 2;
- shared_kaddr = kmap_atomic(vcpu->time_page);
-
- guest_hv_clock = shared_kaddr + vcpu->time_offset;
+ if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time,
+ &guest_hv_clock, sizeof(guest_hv_clock))))
+ return 0;
/* retain PVCLOCK_GUEST_STOPPED if set in guest copy */
- pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED);
+ pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED);
if (vcpu->pvclock_set_guest_stopped_request) {
pvclock_flags |= PVCLOCK_GUEST_STOPPED;
@@ -1543,12 +1542,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
vcpu->hv_clock.flags = pvclock_flags;
- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,
- sizeof(vcpu->hv_clock));
-
- kunmap_atomic(shared_kaddr);
-
- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT);
+ kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
+ &vcpu->hv_clock,
+ sizeof(vcpu->hv_clock));
return 0;
}
@@ -1837,10 +1833,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
static void kvmclock_reset(struct kvm_vcpu *vcpu)
{
- if (vcpu->arch.time_page) {
- kvm_release_page_dirty(vcpu->arch.time_page);
- vcpu->arch.time_page = NULL;
- }
+ vcpu->arch.pv_time_enabled = false;
}
static void accumulate_steal_time(struct kvm_vcpu *vcpu)
@@ -1947,6 +1940,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
break;
case MSR_KVM_SYSTEM_TIME_NEW:
case MSR_KVM_SYSTEM_TIME: {
+ u64 gpa_offset;
kvmclock_reset(vcpu);
vcpu->arch.time = data;
@@ -1956,19 +1950,17 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
if (!(data & 1))
break;
- /* ...but clean it before doing the actual write */
- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+ gpa_offset = data & ~(PAGE_MASK | 1);
/* Check that the address is 32-byte aligned. */
- if (vcpu->arch.time_offset &
- (sizeof(struct pvclock_vcpu_time_info) - 1))
+ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
break;
- vcpu->arch.time_page =
- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
-
- if (is_error_page(vcpu->arch.time_page))
- vcpu->arch.time_page = NULL;
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
+ &vcpu->arch.pv_time, data & ~1ULL))
+ vcpu->arch.pv_time_enabled = false;
+ else
+ vcpu->arch.pv_time_enabled = true;
break;
}
@@ -2972,7 +2964,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu,
*/
static int kvm_set_guest_paused(struct kvm_vcpu *vcpu)
{
- if (!vcpu->arch.time_page)
+ if (!vcpu->arch.pv_time_enabled)
return -EINVAL;
vcpu->arch.pvclock_set_guest_stopped_request = true;
kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
@@ -6723,6 +6715,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
goto fail_free_wbinvd_dirty_mask;
vcpu->arch.ia32_tsc_adjust_msr = 0x0;
+ vcpu->arch.pv_time_enabled = false;
kvm_async_pf_hash_reset(vcpu);
kvm_pmu_init(vcpu);


@ -1,39 +0,0 @@
From: Andy Honig <ahonig@google.com>
Date: Mon, 11 Mar 2013 09:34:52 -0700
Subject: KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME
(CVE-2013-1796)
commit c300aa64ddf57d9c5d9c898a64b36877345dd4a9 upstream.
If the guest sets the GPA of the time_page so that the request to update the
time straddles a page then KVM will write onto an incorrect page. The
write is done byusing kmap atomic to get a pointer to the page for the time
structure and then performing a memcpy to that page starting at an offset
that the guest controls. Well behaved guests always provide a 32-byte aligned
address, however a malicious guest could use this to corrupt host kernel
memory.
Tested: Tested against kvmclock unit test.
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
---
arch/x86/kvm/x86.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index f7c850b..2ade60c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1959,6 +1959,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
/* ...but clean it before doing the actual write */
vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+ /* Check that the address is 32-byte aligned. */
+ if (vcpu->arch.time_offset &
+ (sizeof(struct pvclock_vcpu_time_info) - 1))
+ break;
+
vcpu->arch.time_page =
gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);


@ -1,26 +0,0 @@
From: Jani Nikula <jani.nikula@intel.com>
Date: Tue, 22 Jan 2013 10:50:35 +0000
Subject: drm/i915: add quirk to invert brightness on eMachines e725
commit 01e3a8feb40e54b962a20fa7eb595c5efef5e109 upstream.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=31522#c35
[Note: There are more than one broken setups in the bug. This fixes one.]
Reported-by: Martins <andrissr@inbox.lv>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 44f9d8f..8575a62 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8602,6 +8602,9 @@ static struct intel_quirk intel_quirks[] = {
/* Acer/eMachines G725 */
{ 0x2a42, 0x1025, 0x0210, quirk_invert_brightness },
+
+ /* Acer/eMachines e725 */
+ { 0x2a42, 0x1025, 0x0212, quirk_invert_brightness },
};
static void intel_init_quirks(struct drm_device *dev)


@ -1,24 +0,0 @@
From: Jani Nikula <jani.nikula@intel.com>
Date: Tue, 22 Jan 2013 10:50:34 +0000
Subject: drm/i915: add quirk to invert brightness on eMachines G725
commit 1ffff60320879830e469e26062c18f75236822ba upstream.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=59628
Reported-by: Roland Gruber <post@rolandgruber.de>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[bwh: Adjust context to apply after 3.8.1]
---
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8599,6 +8599,9 @@ static struct intel_quirk intel_quirks[] = {
/* Acer Aspire 4736Z */
{ 0x2a42, 0x1025, 0x0260, quirk_invert_brightness },
+
+ /* Acer/eMachines G725 */
+ { 0x2a42, 0x1025, 0x0210, quirk_invert_brightness },
};
static void intel_init_quirks(struct drm_device *dev)


@ -1,25 +0,0 @@
From: Jani Nikula <jani.nikula@intel.com>
Date: Tue, 22 Jan 2013 10:50:36 +0000
Subject: drm/i915: add quirk to invert brightness on Packard Bell NCL20
commit 5559ecadad5a73b27f863e92f4b4f369501dce6f upstream.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44156
Reported-by: Alan Zimmerman <alan.zimm@gmail.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 8575a62..7262786 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8605,6 +8605,9 @@ static struct intel_quirk intel_quirks[] = {
/* Acer/eMachines e725 */
{ 0x2a42, 0x1025, 0x0212, quirk_invert_brightness },
+
+ /* Acer/Packard Bell NCL20 */
+ { 0x2a42, 0x1025, 0x034b, quirk_invert_brightness },
};
static void intel_init_quirks(struct drm_device *dev)


@ -70,21 +70,13 @@ features/all/alx/mark-as-staging.patch
bugfix/ia64/nouveau-ACPI-support-is-dependent-on-X86.patch
debian/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch
bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch
bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch
bugfix/all/mm-Try-harder-to-allocate-vmemmap-blocks.patch
features/all/alx/alx-update-for-3.8.patch
bugfix/mips/mips-add-dependencies-for-have_arch_transparent_hugepage.patch
bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch
bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch
debian/efi-autoload-efivars.patch
bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch
bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch
bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch
debian/efivars-remove-check-for-50-full-on-write.patch
bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
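Review bot: the hunk header "-70,21 +70,13" implies eight lines removed from the series, which matches the eight patch files deleted in this commit (three drm/i915 quirk patches, the two signal/sa_restorer patches and the three KVM patches), while the efi-autoload and three efivars entries stay; so the series edit is internally consistent with the file deletions. The rendered view does not show which lines are the removed ones, and the changelog entry never mentions that any Debian patches were dropped, so listing the dropped patches in the commit message (or a "Drop patches now included upstream" line in the changelog) would make the series change self-explanatory.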