diff --git a/debian/changelog b/debian/changelog index 78414bf5c..35c69593d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,108 @@ +linux (3.8.11-1) UNRELEASED; urgency=high + + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.6 + - sysfs: fix race between readdir and lseek + - sysfs: handle failure path correctly for readdir() + - rtlwifi: usb: add missing freeing of skbuff + - b43: A fix for DMA transmission sequence errors + - tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929) + - xen-blkback: fix dispatch_rw_block_io() error path + - net/irda: add missing error path release_sock call + - usb: xhci: Fix TRB transfer length macro used for Event TRB. + - Btrfs: fix locking on ROOT_REPLACE operations in tree mod log + - Btrfs: fix race between mmap writes and compression + - USB: serial: fix use-after-free in TIOCMIWAIT + - loop: prevent bdev freeing while device in use + - virtio: console: add locking around c_ovq operations + - nfsd4: reject "negative" acl lengths + - Btrfs: fix space leak when we fail to reserve metadata space + - net: remove a WARN_ON() in net_enable_timestamp() + - 8021q: fix a potential use-after-free + - unix: fix a race condition in unix_release() + - atl1e: drop pci-msi support because of packet corruption + (possibly fixes: #577747) + - ipv6: fix bad free of addrconf_init_net + - ipv6: don't accept multicast traffic with scope 0 + - ipv6: don't accept node local multicast traffic from the wire + - pch_gbe: fix ip_summed checksum reporting on rx + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.7 + - drm/nouveau: fix handling empty channel list in ioctl's + - drm/i915: Be sure to turn hsync/vsync back on at crt enable (v2) + (fixes regression in 3.8.3) + - drm: correctly restore mappings if drm_open fails + - mm: prevent mmap_cache race in find_vma() + - mwifiex: limit channel number not to overflow memory + - spinlocks and preemption points need to be at least compiler barriers + - crypto: gcm - fix assumption that assoc has one segment + - NFSv4/4.1: Fix bugs in 
nfs4[01]_walk_client_list + - vfio-pci: Fix possible integer overflow + - can: gw: use kmem_cache_free() instead of kfree() + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.8 + - ipc: set msg back to -EAGAIN if copy wasn't performed + - GFS2: Fix unlock of fcntl locks during withdrawn state + - cifs: Allow passwords which begin with a delimitor (fixes + regression in 3.8) + - [i386] Fix possible incomplete TLB invalidate with PAE pagetables + - sched_clock: Prevent 64bit inatomicity on 32bit systems + - [x86] mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates + - tty: don't deadlock while flushing workqueue + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9 + - [powerpc] add a missing label in resume_kernel + - [powerpc] kvm/powerpc/e500mc: fix tlb invalidation on cpu migration + - kthread: Prevent unpark race which puts threads on the wrong cpu + - hrtimer: Don't reinitialize a cpu_base lock on CPU_UP + - hugetlbfs: add swap entry check in follow_hugetlb_page() + - kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + - hfsplus: fix potential overflow in hfsplus_file_truncate() + - md: raid1,10: Handle REQ_WRITE_SAME flag in write bios + - [x86] KVM: Allow cross page reads and writes from cached translations. 
+ (fixes regression in fix for CVE-2013-1796) + - hsched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s + - [armel] Fix kexec by setting outer_cache.inv_all for Feroceon + - ath9k_htc: accept 1.x firmware newer than 1.3 + - mac80211: fix cfg80211 interaction on auth/assoc request + - crypto: algif - suppress sending source address information in recvmsg + (CVE-2013-3076) + - vm: add and use vm_iomap_memory() helper function + - Btrfs: make sure nbytes are right after log replay + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.10 + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.11 + - TTY: do not update atime/mtime on read/write + - TTY: fix atime/mtime regression + - [sparc] sparc64: Fix race in TLB batch processing. + - atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222) + - ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223) + - Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224) + - Bluetooth: RFCOMM - Fix missing msg_namelen update in + rfcomm_sock_recvmsg() (CVE-2013-3225) + - Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg() + - caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() + (CVE-2013-3227) + - irda: Fix missing msg_namelen update in irda_recvmsg_dgram() + (CVE-2013-3228) + - [s390] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() + (CVE-2013-3229) + - l2tp: fix info leak in l2tp_ip6_recvmsg() + - llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231) + - netrom: fix info leak via msg_name in nr_recvmsg() + - NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() + - rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234) + - tipc: fix info leaks via msg_name in recv_msg/recv_stream + (CVE-2013-3235) + - atl1e: limit gso segment size to prevent generation of wrong ip length + fields (Closes: #565404) + - af_unix: If we don't care about credentials coallesce all messages + - ipv6/tcp: Stop processing 
ICMPv6 redirect messages + - rtnetlink: Call nlmsg_parse() with correct header length + - tcp: incoming connections might use wrong route under synflood + - tcp: Reallocate headroom if it would overflow csum_start + - net: cdc_mbim: remove bogus sizeof() + - net: fix incorrect credentials passing (CVE-2013-1979) + - net: drop dst before queueing fragments + + -- Ben Hutchings Sat, 04 May 2013 03:45:10 +0100 + linux (3.8.5-1~experimental.1) experimental; urgency=high * New upstream stable update: diff --git a/debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch b/debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch deleted file mode 100644 index 1fec3af2c..000000000 --- a/debian/patches/bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From: Andy Honig -Date: Wed, 20 Feb 2013 14:49:16 -0800 -Subject: KVM: Fix bounds checking in ioapic indirect register reads - (CVE-2013-1798) - -commit a2c118bfab8bc6b8bb213abfc35201e441693d55 upstream. - -If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows -that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate -that request. ioapic_read_indirect contains an -ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in -non-debug builds. In recent kernels this allows a guest to cause a kernel -oops by reading invalid memory. In older kernels (pre-3.3) this allows a -guest to read from large ranges of host memory. - -Tested: tested against apic unit tests. - -Signed-off-by: Andrew Honig -Signed-off-by: Marcelo Tosatti ---- - virt/kvm/ioapic.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c -index ce82b94..5ba005c 100644 ---- a/virt/kvm/ioapic.c -+++ b/virt/kvm/ioapic.c -@@ -74,9 +74,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, - u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; - u64 redir_content; - -- ASSERT(redir_index < IOAPIC_NUM_PINS); -+ if (redir_index < IOAPIC_NUM_PINS) -+ redir_content = -+ ioapic->redirtbl[redir_index].bits; -+ else -+ redir_content = ~0ULL; - -- redir_content = ioapic->redirtbl[redir_index].bits; - result = (ioapic->ioregsel & 0x1) ? - (redir_content >> 32) & 0xffffffff : - redir_content & 0xffffffff; diff --git a/debian/patches/bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch b/debian/patches/bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch index 11183c399..f126ecad8 100644 --- a/debian/patches/bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch +++ b/debian/patches/bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch @@ -61,8 +61,8 @@ 
Signed-off-by: Tony Luck *id = part; return ret; -@@ -1670,6 +1674,75 @@ static ssize_t efivar_delete(struct file - return count; +@@ -1717,6 +1721,75 @@ static unsigned long var_name_strnsize(e + return min(len, variable_name_size); } +static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor) @@ -137,7 +137,7 @@ Signed-off-by: Tony Luck /* * Let's not leave out systab information that snuck into * the efivars driver -@@ -2000,6 +2073,8 @@ err_put: +@@ -2087,6 +2160,8 @@ err_put: static void __exit efivars_exit(void) { diff --git a/debian/patches/bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch b/debian/patches/bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch index bbff6c362..5f4477785 100644 --- a/debian/patches/bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch +++ b/debian/patches/bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch @@ -70,15 +70,14 @@ Reported-by: Lingzhu Xiang Tested-by: Lingzhu Xiang Cc: Seiji Aguchi Signed-off-by: Matt Fleming +[bwh: Apply only the part not included in 3.8.6] --- drivers/firmware/efivars.c | 48 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index 1e9d9b9..d64661f 100644 --- a/drivers/firmware/efivars.c +++ b/drivers/firmware/efivars.c -@@ -170,6 +170,7 @@ efivar_create_sysfs_entry(struct efivars *efivars, +@@ -171,6 +171,7 @@ efivar_create_sysfs_entry(struct efivars static void efivar_update_sysfs_entries(struct work_struct *); static DECLARE_WORK(efivar_work, efivar_update_sysfs_entries); @@ -86,7 +85,7 @@ index 1e9d9b9..d64661f 100644 /* Return the number of unicode characters in data */ static unsigned long -@@ -1444,7 +1445,7 @@ static int efi_pstore_write(enum pstore_type_id type, +@@ -1435,7 +1436,7 @@ static int efi_pstore_write(enum pstore_ spin_unlock_irqrestore(&efivars->lock, flags); 
@@ -95,20 +94,10 @@ index 1e9d9b9..d64661f 100644 schedule_work(&efivar_work); *id = part; -@@ -1975,6 +1976,35 @@ void unregister_efivars(struct efivars *efivars) - } - EXPORT_SYMBOL_GPL(unregister_efivars); +@@ -1998,6 +1999,13 @@ static void dup_variable_bug(efi_char16_ + size_t i, len8 = len16 / sizeof(efi_char16_t); + char *s8; -+/* -+ * Print a warning when duplicate EFI variables are encountered and -+ * disable the sysfs workqueue since the firmware is buggy. -+ */ -+static void dup_variable_bug(efi_char16_t *s16, efi_guid_t *vendor_guid, -+ unsigned long len16) -+{ -+ size_t i, len8 = len16 / sizeof(efi_char16_t); -+ char *s8; -+ + /* + * Disable the workqueue since the algorithm it uses for + * detecting new variables won't work with this buggy @@ -116,41 +105,6 @@ index 1e9d9b9..d64661f 100644 + */ + efivar_wq_enabled = false; + -+ s8 = kzalloc(len8, GFP_KERNEL); -+ if (!s8) -+ return; -+ -+ for (i = 0; i < len8; i++) -+ s8[i] = s16[i]; -+ -+ printk(KERN_WARNING "efivars: duplicate variable: %s-%pUl\n", -+ s8, vendor_guid); -+ kfree(s8); -+} -+ - int register_efivars(struct efivars *efivars, - const struct efivar_operations *ops, - struct kobject *parent_kobj) -@@ -2025,6 +2055,22 @@ int register_efivars(struct efivars *efivars, - case EFI_SUCCESS: - variable_name_size = var_name_strnsize(variable_name, - variable_name_size); -+ -+ /* -+ * Some firmware implementations return the -+ * same variable name on multiple calls to -+ * get_next_variable(). Terminate the loop -+ * immediately as there is no guarantee that -+ * we'll ever see a different variable name, -+ * and may end up looping here forever. -+ */ -+ if (variable_is_present(variable_name, &vendor_guid)) { -+ dup_variable_bug(variable_name, &vendor_guid, -+ variable_name_size); -+ status = EFI_NOT_FOUND; -+ break; -+ } -+ - efivar_create_sysfs_entry(efivars, - variable_name_size, - variable_name, + s8 = kzalloc(len8, GFP_KERNEL); + if (!s8) + return; 
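Review bot: The diffstat in this patch's header is now stale: `drivers/firmware/efivars.c | 48 +++++++++++++++++++++++++++++++++++++++++++-` and `1 file changed, 47 insertions(+), 1 deletion(-)` survive as context, while after the trim only three inner hunks remain (at efivar_create_sysfs_entry, efi_pstore_write and dup_variable_bug), and the only one whose body is visible here is the seven-line block ending in `efivar_wq_enabled = false;`. quilt and git-apply ignore the stat, so nothing breaks, but a reader comparing it with the body will assume hunks went missing; regenerate it with diffstat or drop it. The `[bwh: Apply only the part not included in 3.8.6]` note would also be clearer if it said why this part cannot come from 3.8.6, namely that efivar_work and the flag it guards presumably come from efi_pstore-Introducing-workqueue-updating-sysfs.patch earlier in the series, so this hunk now depends both on that patch and on 3.8.6's dup_variable_bug being present at the stated context. The efi_pstore_write guard and the rest of dup_variable_bug lie outside the shown hunks, so their exact shape is inferred, not verified.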
diff --git a/debian/patches/bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch b/debian/patches/bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch index ddfa2ec95..55fe6a4c1 100644 --- a/debian/patches/bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch +++ b/debian/patches/bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch @@ -37,45 +37,14 @@ Cc: Lee, Chun-Yi Cc: Lingzhu Xiang Cc: Seiji Aguchi Signed-off-by: Matt Fleming +[bwh: Apply only the part not included in 3.8.6] --- drivers/firmware/efivars.c | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) --- a/drivers/firmware/efivars.c +++ b/drivers/firmware/efivars.c -@@ -1044,6 +1044,31 @@ static bool variable_is_present(efi_char - return found; - } - -+/* -+ * Returns the size of variable_name, in bytes, including the -+ * terminating NULL character, or variable_name_size if no NULL -+ * character is found among the first variable_name_size bytes. -+ */ -+static unsigned long var_name_strnsize(efi_char16_t *variable_name, -+ unsigned long variable_name_size) -+{ -+ unsigned long len; -+ efi_char16_t c; -+ -+ /* -+ * The variable name is, by definition, a NULL-terminated -+ * string, so make absolutely sure that variable_name_size is -+ * the value we expect it to be. If not, return the real size. -+ */ -+ for (len = 2; len <= variable_name_size; len += sizeof(c)) { -+ c = variable_name[(len / sizeof(c)) - 1]; -+ if (!c) -+ break; -+ } -+ -+ return min(len, variable_name_size); -+} -+ - static void efivar_update_sysfs_entries(struct work_struct *work) - { - struct efivars *efivars = &__efivars; -@@ -1084,10 +1109,13 @@ static void efivar_update_sysfs_entries( +@@ -1783,10 +1783,13 @@ static void efivar_update_sysfs_entries( if (!found) { kfree(variable_name); break; @@ -90,12 +59,3 @@ 
Signed-off-by: Matt Fleming } } -@@ -1318,6 +1346,8 @@ int register_efivars(struct efivars *efi - &vendor_guid); - switch (status) { - case EFI_SUCCESS: -+ variable_name_size = var_name_strnsize(variable_name, -+ variable_name_size); - efivar_create_sysfs_entry(efivars, - variable_name_size, - variable_name, diff --git a/debian/patches/bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch b/debian/patches/bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch deleted file mode 100644 index 2a6c05fd9..000000000 --- a/debian/patches/bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Andrew Morton -Date: Wed, 13 Mar 2013 14:59:34 -0700 -Subject: kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER - -commit 522cff142d7d2f9230839c9e1f21a4d8bcc22a4a upstream. - -__ARCH_HAS_SA_RESTORER is the preferred conditional for use in 3.9 and -later kernels, per Kees. - -Cc: Emese Revfy -Cc: Emese Revfy -Cc: PaX Team -Cc: Al Viro -Cc: Oleg Nesterov -Cc: "Eric W. Biederman" -Cc: Serge Hallyn -Cc: Julien Tinnes -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - kernel/signal.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/signal.c b/kernel/signal.c -index 43b0d4a..dd72567 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -485,7 +485,7 @@ flush_signal_handlers(struct task_struct *t, int force_default) - if (force_default || ka->sa.sa_handler != SIG_IGN) - ka->sa.sa_handler = SIG_DFL; - ka->sa.sa_flags = 0; --#ifdef SA_RESTORER -+#ifdef __ARCH_HAS_SA_RESTORER - ka->sa.sa_restorer = NULL; - #endif - sigemptyset(&ka->sa.sa_mask); diff --git a/debian/patches/bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch b/debian/patches/bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch deleted file mode 100644 index 04c890554..000000000 
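Review bot: The diffstat kept in this patch's header no longer describes it: `drivers/firmware/efivars.c | 32 +++++++++++++++++++++++++++++++-` and `1 file changed, 31 insertions(+), 1 deletion(-)` stay as context, but after dropping the var_name_strnsize definition and the register_efivars hunk (both stated to be in 3.8.6) the only inner hunk left is `@@ -1783,10 +1783,13 @@` in efivar_update_sysfs_entries, a net three-line addition. Regenerate or remove the stat so the patch file is self-consistent. It would also help the next rebase to extend the `[bwh: ...]` note with the dependency this surviving hunk now has: its changed lines are outside the outer hunk shown, but from the retained `if (!found) { kfree(variable_name); break;` context it presumably sits in the loop that efi_pstore-Introducing-workqueue-updating-sysfs.patch adds and calls the 3.8.6 var_name_strnsize helper, so both must be applied before it; that ordering is only implicit in debian/patches/series today.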
--- a/debian/patches/bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From: Ben Hutchings -Date: Sun, 25 Nov 2012 22:24:19 -0500 -Subject: signal: Fix use of missing sa_restorer field - -flush_signal_handlers() needs to know whether sigaction::sa_restorer -is defined, not whether SA_RESTORER is defined. Define the -__ARCH_HAS_SA_RESTORER macro to indicate this. - -Vaguely based on upstream commit 574c4866e33d 'consolidate kernel-side -struct sigaction declarations'. - -Signed-off-by: Ben Hutchings -Cc: Al Viro ---- ---- a/arch/arm/include/asm/signal.h -+++ b/arch/arm/include/asm/signal.h -@@ -29,6 +29,7 @@ struct sigaction { - __sigrestore_t sa_restorer; - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/avr32/include/asm/signal.h -+++ b/arch/avr32/include/asm/signal.h -@@ -29,6 +29,7 @@ struct sigaction { - __sigrestore_t sa_restorer; - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/cris/include/asm/signal.h -+++ b/arch/cris/include/asm/signal.h -@@ -29,6 +29,7 @@ struct sigaction { - void (*sa_restorer)(void); - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/h8300/include/asm/signal.h -+++ b/arch/h8300/include/asm/signal.h -@@ -29,6 +29,7 @@ struct sigaction { - void (*sa_restorer)(void); - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/m32r/include/asm/signal.h -+++ b/arch/m32r/include/asm/signal.h -@@ -22,6 +22,7 @@ struct sigaction { - __sigrestore_t sa_restorer; - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/m68k/include/asm/signal.h -+++ b/arch/m68k/include/asm/signal.h -@@ -29,6 +29,7 @@ struct 
sigaction { - __sigrestore_t sa_restorer; - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/mn10300/include/asm/signal.h -+++ b/arch/mn10300/include/asm/signal.h -@@ -39,6 +39,7 @@ struct sigaction { - __sigrestore_t sa_restorer; - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/powerpc/include/asm/signal.h -+++ b/arch/powerpc/include/asm/signal.h -@@ -1,6 +1,7 @@ - #ifndef _ASM_POWERPC_SIGNAL_H - #define _ASM_POWERPC_SIGNAL_H - -+#define __ARCH_HAS_SA_RESTORER - #include - - #endif /* _ASM_POWERPC_SIGNAL_H */ ---- a/arch/s390/include/asm/signal.h -+++ b/arch/s390/include/asm/signal.h -@@ -34,6 +34,7 @@ struct sigaction { - void (*sa_restorer)(void); - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/arch/sparc/include/asm/signal.h -+++ b/arch/sparc/include/asm/signal.h -@@ -26,5 +26,7 @@ struct k_sigaction { - void __user *ka_restorer; - }; - -+#define __ARCH_HAS_SA_RESTORER -+ - #endif /* !(__ASSEMBLY__) */ - #endif /* !(__SPARC_SIGNAL_H) */ ---- a/arch/x86/include/asm/signal.h -+++ b/arch/x86/include/asm/signal.h -@@ -31,6 +31,9 @@ typedef sigset_t compat_sigset_t; - #include - #ifndef __ASSEMBLY__ - extern void do_notify_resume(struct pt_regs *, void *, __u32); -+ -+#define __ARCH_HAS_SA_RESTORER -+ - #ifdef __i386__ - struct old_sigaction { - __sighandler_t sa_handler; ---- a/arch/xtensa/include/asm/signal.h -+++ b/arch/xtensa/include/asm/signal.h -@@ -21,6 +21,7 @@ struct sigaction { - void (*sa_restorer)(void); - sigset_t sa_mask; /* mask last for extensibility */ - }; -+#define __ARCH_HAS_SA_RESTORER - - struct k_sigaction { - struct sigaction sa; ---- a/include/uapi/asm-generic/signal.h -+++ b/include/uapi/asm-generic/signal.h -@@ -93,6 +93,10 @@ typedef 
unsigned long old_sigset_t; - - #include - -+#ifdef SA_RESTORER -+#define __ARCH_HAS_SA_RESTORER -+#endif -+ - struct sigaction { - __sighandler_t sa_handler; - unsigned long sa_flags; diff --git a/debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch b/debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch deleted file mode 100644 index cae9a784c..000000000 --- a/debian/patches/bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch +++ /dev/null 
@@ -1,161 +0,0 @@ -From: Andy Honig -Date: Wed, 20 Feb 2013 14:48:10 -0800 -Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache - functions (CVE-2013-1797) - -commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream. - -There is a potential use after free issue with the handling of -MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable -memory such as frame buffers then KVM might continue to write to that -address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins -the page in memory so it's unlikely to cause an issue, but if the user -space component re-purposes the memory previously used for the guest, then -the guest will be able to corrupt that memory. - -Tested: Tested against kvmclock unit test - -Signed-off-by: Andrew Honig -Signed-off-by: Marcelo Tosatti ---- - arch/x86/include/asm/kvm_host.h | 4 ++-- - arch/x86/kvm/x86.c | 47 +++++++++++++++++---------------------- - 2 files changed, 22 insertions(+), 29 deletions(-) - -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 635a74d..4979778 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -414,8 +414,8 @@ struct kvm_vcpu_arch { - gpa_t time; - struct pvclock_vcpu_time_info hv_clock; - unsigned int hw_tsc_khz; -- unsigned int time_offset; -- struct page *time_page; -+ struct gfn_to_hva_cache pv_time; -+ bool pv_time_enabled; - /* set guest stopped flag in pvclock flags field */ - bool pvclock_set_guest_stopped_request; - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 2ade60c..f19ac0a 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1406,10 +1406,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - unsigned long flags, this_tsc_khz; - struct kvm_vcpu_arch *vcpu = &v->arch; - struct kvm_arch *ka = &v->kvm->arch; -- void *shared_kaddr; - s64 kernel_ns, max_kernel_ns; - u64 tsc_timestamp, host_tsc; -- struct pvclock_vcpu_time_info *guest_hv_clock; -+ 
struct pvclock_vcpu_time_info guest_hv_clock; - u8 pvclock_flags; - bool use_master_clock; - -@@ -1463,7 +1462,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - - local_irq_restore(flags); - -- if (!vcpu->time_page) -+ if (!vcpu->pv_time_enabled) - return 0; - - /* -@@ -1525,12 +1524,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - */ - vcpu->hv_clock.version += 2; - -- shared_kaddr = kmap_atomic(vcpu->time_page); -- -- guest_hv_clock = shared_kaddr + vcpu->time_offset; -+ if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time, -+ &guest_hv_clock, sizeof(guest_hv_clock)))) -+ return 0; - - /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */ -- pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED); -+ pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED); - - if (vcpu->pvclock_set_guest_stopped_request) { - pvclock_flags |= PVCLOCK_GUEST_STOPPED; -@@ -1543,12 +1542,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - - vcpu->hv_clock.flags = pvclock_flags; - -- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock, -- sizeof(vcpu->hv_clock)); -- -- kunmap_atomic(shared_kaddr); -- -- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT); -+ kvm_write_guest_cached(v->kvm, &vcpu->pv_time, -+ &vcpu->hv_clock, -+ sizeof(vcpu->hv_clock)); - return 0; - } - -@@ -1837,10 +1833,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data) - - static void kvmclock_reset(struct kvm_vcpu *vcpu) - { -- if (vcpu->arch.time_page) { -- kvm_release_page_dirty(vcpu->arch.time_page); -- vcpu->arch.time_page = NULL; -- } -+ vcpu->arch.pv_time_enabled = false; - } - - static void accumulate_steal_time(struct kvm_vcpu *vcpu) -@@ -1947,6 +1940,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - break; - case MSR_KVM_SYSTEM_TIME_NEW: - case MSR_KVM_SYSTEM_TIME: { -+ u64 gpa_offset; - kvmclock_reset(vcpu); - - vcpu->arch.time = data; -@@ -1956,19 +1950,17 @@ int kvm_set_msr_common(struct kvm_vcpu 
*vcpu, struct msr_data *msr_info) - if (!(data & 1)) - break; - -- /* ...but clean it before doing the actual write */ -- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); -+ gpa_offset = data & ~(PAGE_MASK | 1); - - /* Check that the address is 32-byte aligned. */ -- if (vcpu->arch.time_offset & -- (sizeof(struct pvclock_vcpu_time_info) - 1)) -+ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)) - break; - -- vcpu->arch.time_page = -- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); -- -- if (is_error_page(vcpu->arch.time_page)) -- vcpu->arch.time_page = NULL; -+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, -+ &vcpu->arch.pv_time, data & ~1ULL)) -+ vcpu->arch.pv_time_enabled = false; -+ else -+ vcpu->arch.pv_time_enabled = true; - - break; - } -@@ -2972,7 +2964,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu, - */ - static int kvm_set_guest_paused(struct kvm_vcpu *vcpu) - { -- if (!vcpu->arch.time_page) -+ if (!vcpu->arch.pv_time_enabled) - return -EINVAL; - vcpu->arch.pvclock_set_guest_stopped_request = true; - kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); -@@ -6723,6 +6715,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) - goto fail_free_wbinvd_dirty_mask; - - vcpu->arch.ia32_tsc_adjust_msr = 0x0; -+ vcpu->arch.pv_time_enabled = false; - kvm_async_pf_hash_reset(vcpu); - kvm_pmu_init(vcpu); - diff --git a/debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch b/debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch deleted file mode 100644 index 444989428..000000000 --- a/debian/patches/bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From: Andy Honig -Date: Mon, 11 Mar 2013 09:34:52 -0700 -Subject: KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME - (CVE-2013-1796) - -commit c300aa64ddf57d9c5d9c898a64b36877345dd4a9 upstream. - -If the guest sets the GPA of the time_page so that the request to update the -time straddles a page then KVM will write onto an incorrect page. The -write is done byusing kmap atomic to get a pointer to the page for the time -structure and then performing a memcpy to that page starting at an offset -that the guest controls. Well behaved guests always provide a 32-byte aligned -address, however a malicious guest could use this to corrupt host kernel -memory. - -Tested: Tested against kvmclock unit test. - -Signed-off-by: Andrew Honig -Signed-off-by: Marcelo Tosatti ---- - arch/x86/kvm/x86.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index f7c850b..2ade60c 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1959,6 +1959,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - /* ...but clean it before doing the actual write */ - vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); - -+ /* Check that the address is 32-byte aligned. */ -+ if (vcpu->arch.time_offset & -+ (sizeof(struct pvclock_vcpu_time_info) - 1)) -+ break; -+ - vcpu->arch.time_page = - gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); - diff --git a/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch b/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch deleted file mode 100644 index a210c9003..000000000 --- a/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From: Jani Nikula -Date: Tue, 22 Jan 2013 10:50:35 +0000 -Subject: drm/i915: add quirk to invert brightness on eMachines e725 - -commit 01e3a8feb40e54b962a20fa7eb595c5efef5e109 upstream. - -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=31522#c35 -[Note: There are more than one broken setups in the bug. This fixes one.] -Reported-by: Martins -Signed-off-by: Jani Nikula -Signed-off-by: Daniel Vetter ---- -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 44f9d8f..8575a62 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -8602,6 +8602,9 @@ static struct intel_quirk intel_quirks[] = { - - /* Acer/eMachines G725 */ - { 0x2a42, 0x1025, 0x0210, quirk_invert_brightness }, -+ -+ /* Acer/eMachines e725 */ -+ { 0x2a42, 0x1025, 0x0212, quirk_invert_brightness }, - }; - - static void intel_init_quirks(struct drm_device *dev) diff --git a/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch b/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch deleted file mode 100644 index e02188c2a..000000000 --- a/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From: Jani Nikula -Date: Tue, 22 Jan 2013 10:50:34 +0000 -Subject: drm/i915: add quirk to invert brightness on eMachines G725 - -commit 1ffff60320879830e469e26062c18f75236822ba upstream. - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=59628 -Reported-by: Roland Gruber -Signed-off-by: Jani Nikula -Signed-off-by: Daniel Vetter -[bwh: Adjust context to apply after 3.8.1] ---- ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -8599,6 +8599,9 @@ static struct intel_quirk intel_quirks[] = { - - /* Acer Aspire 4736Z */ - { 0x2a42, 0x1025, 0x0260, quirk_invert_brightness }, -+ -+ /* Acer/eMachines G725 */ -+ { 0x2a42, 0x1025, 0x0210, quirk_invert_brightness }, - }; - - static void intel_init_quirks(struct drm_device *dev) diff --git a/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch b/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch deleted file mode 100644 index 0127aa9c8..000000000 --- a/debian/patches/bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From: Jani Nikula -Date: Tue, 22 Jan 2013 10:50:36 +0000 -Subject: drm/i915: add quirk to invert brightness on Packard Bell NCL20 - -commit 5559ecadad5a73b27f863e92f4b4f369501dce6f upstream. - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44156 -Reported-by: Alan Zimmerman -Signed-off-by: Jani Nikula -Signed-off-by: Daniel Vetter ---- -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 8575a62..7262786 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -8605,6 +8605,9 @@ static struct intel_quirk intel_quirks[] = { - - /* Acer/eMachines e725 */ - { 0x2a42, 0x1025, 0x0212, quirk_invert_brightness }, -+ -+ /* Acer/Packard Bell NCL20 */ -+ { 0x2a42, 0x1025, 0x034b, quirk_invert_brightness }, - }; - - static void intel_init_quirks(struct drm_device *dev) diff --git a/debian/patches/series b/debian/patches/series index 226c2605b..09fd4d59c 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -70,21 +70,13 @@ features/all/alx/mark-as-staging.patch bugfix/ia64/nouveau-ACPI-support-is-dependent-on-X86.patch debian/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch -bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-g725.patch -bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-emachines-e725.patch -bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch bugfix/all/mm-Try-harder-to-allocate-vmemmap-blocks.patch features/all/alx/alx-update-for-3.8.patch bugfix/mips/mips-add-dependencies-for-have_arch_transparent_hugepage.patch -bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch -bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch debian/efi-autoload-efivars.patch bugfix/all/efi_pstore-Introducing-workqueue-updating-sysfs.patch bugfix/all/efivars-explicitly-calculate-length-of-VariableName.patch bugfix/all/efivars-Handle-duplicate-names-from-get_next_variabl.patch debian/efivars-remove-check-for-50-full-on-write.patch -bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch -bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch -bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch