From 0faec04810b97537ea4267b3316ef29d2a54dfef Mon Sep 17 00:00:00 2001
From: Justin M. Forbes
Date: Mar 26 2015 21:16:58 +0000
Subject: Linux v3.19.3
---
diff --git a/aarch64-fix-tlb-issues.patch b/aarch64-fix-tlb-issues.patch
deleted file mode 100644
index 439da38..0000000
--- a/aarch64-fix-tlb-issues.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-commit 285994a62c80f1d72c6924282bcb59608098d5ec
-Author: Catalin Marinas
-Date: Wed Mar 11 12:20:39 2015 +0000
-
- arm64: Invalidate the TLB corresponding to intermediate page table levels
-
- The ARM architecture allows the caching of intermediate page table
- levels and page table freeing requires a sequence like:
-
- pmd_clear()
- TLB invalidation
- pte page freeing
-
- With commit 5e5f6dc10546 (arm64: mm: enable HAVE_RCU_TABLE_FREE logic),
- the page table freeing batching was moved from tlb_remove_page() to
- tlb_remove_table(). The former takes care of TLB invalidation as this is
- also shared with pte clearing and page cache page freeing. The latter,
- however, does not invalidate the TLBs for intermediate page table levels
- as it probably relies on the architecture code to do it if required.
- When the mm->mm_users < 2, tlb_remove_table() does not do any batching
- and page table pages are freed before tlb_finish_mmu() which performs
- the actual TLB invalidation.
-
- This patch introduces __tlb_flush_pgtable() for arm64 and calls it from
- the {pte,pmd,pud}_free_tlb() directly without relying on deferred page
- table freeing.
-
- Fixes: 5e5f6dc10546 arm64: mm: enable HAVE_RCU_TABLE_FREE logic
- Reported-by: Jon Masters
- Tested-by: Jon Masters
- Tested-by: Steve Capper
- Signed-off-by: Catalin Marinas
-
-diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h
-index c028fe3..53d9c35 100644
---- a/arch/arm64/include/asm/tlb.h
-+++ b/arch/arm64/include/asm/tlb.h
-@@ -48,6 +48,7 @@ static inline void tlb_flush(struct mmu_gather *tlb)
- static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
- unsigned long addr)
- {
-+ __flush_tlb_pgtable(tlb->mm, addr);
- pgtable_page_dtor(pte);
- tlb_remove_entry(tlb, pte);
- }
-@@ -56,6 +57,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
- static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
- unsigned long addr)
- {
-+ __flush_tlb_pgtable(tlb->mm, addr);
- tlb_remove_entry(tlb, virt_to_page(pmdp));
- }
- #endif
-@@ -64,6 +66,7 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
- static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pudp,
- unsigned long addr)
- {
-+ __flush_tlb_pgtable(tlb->mm, addr);
- tlb_remove_entry(tlb, virt_to_page(pudp));
- }
- #endif
-diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
-index 4abe9b9..c3bb05b 100644
---- a/arch/arm64/include/asm/tlbflush.h
-+++ b/arch/arm64/include/asm/tlbflush.h
-@@ -144,6 +144,19 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end
- }
-
- /*
-+ * Used to invalidate the TLB (walk caches) corresponding to intermediate page
-+ * table levels (pgd/pud/pmd).
-+ */
-+static inline void __flush_tlb_pgtable(struct mm_struct *mm,
-+ unsigned long uaddr)
-+{
-+ unsigned long addr = uaddr >> 12 | ((unsigned long)ASID(mm) << 48);
-+
-+ dsb(ishst);
-+ asm("tlbi vae1is, %0" : : "r" (addr));
-+ dsb(ish);
-+}
-+/*
- * On AArch64, the cache coherency is handled via the set_pte_at() function.
- */
- static inline void update_mmu_cache(struct vm_area_struct *vma,
diff --git a/kernel.spec b/kernel.spec
index 97ac5a6..62e5d20 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -639,9 +639,6 @@ Patch26161: Input-synaptics-re-route-tracksticks-buttons-on-the-.patch Patch26162: Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch Patch26163: Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch -#CVE-2015-2150 rhbz 1196266 1200397 -Patch26165: xen-pciback-limit-guest-control-of-command-register.patch - #CVE-2014-8159 rhbz 1181166 1200950 Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch @@ -657,9 +654,6 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch -Patch30001: aarch64-fix-tlb-issues.patch - -Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch #rhbz 1204512 Patch26174: tun-return-proper-error-code-from-tun_do_read.patch @@ -1407,9 +1401,6 @@ ApplyPatch Input-synaptics-re-route-tracksticks-buttons-on-the-.patch ApplyPatch Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch ApplyPatch Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch -#CVE-2015-2150 rhbz 1196266 1200397 -ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch - #CVE-2014-8159 rhbz 1181166 1200950 ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch 
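Review bot: The `%changelog` entry this commit adds further down says only `- Linux v3.19.3`, while the hunks at -639 and -1407 remove `Patch26165` / `ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch` together with the `#CVE-2015-2150 rhbz 1196266 1200397` tracking comment, so after this commit the spec no longer ties that CVE to any change. Presumably the fix is now carried by patch-3.19.3.xz, but nothing visible here shows that. I would confirm the stable patch contains the xen-pciback command-register restriction, and likewise the sendto/recvfrom `access_ok` checks and the arm64 `__flush_tlb_pgtable` fix dropped in the -657 and -1425 hunks, and then record it in the changelog, e.g. `- Drop xen-pciback CVE-2015-2150 patch, now in 3.19.3 (rhbz 1196266 1200397)`.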
@@ -1425,15 +1416,11 @@ ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch -# Just needed for 3.19 -ApplyPatch aarch64-fix-tlb-issues.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. ApplyPatch kernel-arm64.patch -R %endif %endif -ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch - #rhbz 1204512 ApplyPatch tun-return-proper-error-code-from-tun_do_read.patch @@ -2296,6 +2283,9 @@ fi # ||----w | # || || %changelog +* Thu Mar 26 2015 Justin M. Forbes - 3.19.3-200 +- Linux v3.19.3 + * Thu Mar 26 2015 Peter Robinson - Disable the broken CONFIG_MSM_IOMMU
diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
deleted file mode 100644
index 70c28d7..0000000
--- a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Al Viro
-Date: Fri, 20 Mar 2015 17:41:43 +0000
-Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
- sys_sendto/sys_recvfrom
-
-Cc: stable@vger.kernel.org # v3.19
-Signed-off-by: Al Viro
-Signed-off-by: David S. Miller
----
- net/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/socket.c b/net/socket.c
-index 418795caa897..d50e7ca6aeea 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
-
- if (len > INT_MAX)
- len = INT_MAX;
-+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
-+ return -EFAULT;
- sock = sockfd_lookup_light(fd, &err, &fput_needed);
- if (!sock)
- goto out;
-@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
-
- if (size > INT_MAX)
- size = INT_MAX;
-+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
-+ return -EFAULT;
- sock = sockfd_lookup_light(fd, &err, &fput_needed);
- if (!sock)
- goto out;
---
-2.1.0
-
diff --git a/sources b/sources
index ed7d07f..137f1ac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@ d3fc8316d4d4d04b65cbc2d70799e763 linux-3.19.tar.xz 15d8d2f97ce056488451a5bfb2944603 perf-man-3.19.tar.gz -6f7128647a2fc0912958ac1cbf96a95a patch-3.19.2.xz +1fec75551b2f55fced43df8394b1fd9a patch-3.19.3.xz
diff --git a/xen-pciback-limit-guest-control-of-command-register.patch b/xen-pciback-limit-guest-control-of-command-register.patch
deleted file mode 100644
index 8760046..0000000
--- a/xen-pciback-limit-guest-control-of-command-register.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From: Jan Beulich
-Date: Wed, 11 Mar 2015 13:51:17 +0000
-Subject: [PATCH] xen-pciback: limit guest control of command register
-
-Otherwise the guest can abuse that control to cause e.g. PCIe
-Unsupported Request responses (by disabling memory and/or I/O decoding
-and subsequently causing [CPU side] accesses to the respective address
-ranges), which (depending on system configuration) may be fatal to the
-host.
-
-Note that to alter any of the bits collected together as
-PCI_COMMAND_GUEST permissive mode is now required to be enabled
-globally or on the specific device.
-
-This is CVE-2015-2150 / XSA-120.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Konrad Rzeszutek Wilk
----
- drivers/xen/xen-pciback/conf_space.c | 2 +-
- drivers/xen/xen-pciback/conf_space.h | 2 +
- drivers/xen/xen-pciback/conf_space_header.c | 61 +++++++++++++++++++++++------
- 3 files changed, 51 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c
-index 46ae0f9f02ad..75fe3d466515 100644
---- a/drivers/xen/xen-pciback/conf_space.c
-+++ b/drivers/xen/xen-pciback/conf_space.c
-@@ -16,7 +16,7 @@
- #include "conf_space.h"
- #include "conf_space_quirks.h"
-
--static bool permissive;
-+bool permissive;
- module_param(permissive, bool, 0644);
-
- /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
-diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h
-index e56c934ad137..2e1d73d1d5d0 100644
---- a/drivers/xen/xen-pciback/conf_space.h
-+++ b/drivers/xen/xen-pciback/conf_space.h
-@@ -64,6 +64,8 @@ struct config_field_entry {
- void *data;
- };
-
-+extern bool permissive;
-+
- #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
-
- /* Add fields to a device - the add_fields macro expects to get a pointer to
-diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c
-index c5ee82587e8c..2d7369391472 100644
---- a/drivers/xen/xen-pciback/conf_space_header.c
-+++ b/drivers/xen/xen-pciback/conf_space_header.c
-@@ -11,6 +11,10 @@
- #include "pciback.h"
- #include "conf_space.h"
-
-+struct pci_cmd_info {
-+ u16 val;
-+};
-+
- struct pci_bar_info {
- u32 val;
- u32 len_val;
-@@ -20,22 +24,36 @@ struct pci_bar_info {
- #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
- #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
-
--static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
-+/* Bits guests are allowed to control in permissive mode. */
-+#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
-+ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
-+ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
-+
-+static void *command_init(struct pci_dev *dev, int offset)
- {
-- int i;
-- int ret;
--
-- ret = xen_pcibk_read_config_word(dev, offset, value, data);
-- if (!pci_is_enabled(dev))
-- return ret;
--
-- for (i = 0; i < PCI_ROM_RESOURCE; i++) {
-- if (dev->resource[i].flags & IORESOURCE_IO)
-- *value |= PCI_COMMAND_IO;
-- if (dev->resource[i].flags & IORESOURCE_MEM)
-- *value |= PCI_COMMAND_MEMORY;
-+ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
-+ int err;
-+
-+ if (!cmd)
-+ return ERR_PTR(-ENOMEM);
-+
-+ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
-+ if (err) {
-+ kfree(cmd);
-+ return ERR_PTR(err);
- }
-
-+ return cmd;
-+}
-+
-+static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
-+{
-+ int ret = pci_read_config_word(dev, offset, value);
-+ const struct pci_cmd_info *cmd = data;
-+
-+ *value &= PCI_COMMAND_GUEST;
-+ *value |= cmd->val & ~PCI_COMMAND_GUEST;
-+
- return ret;
- }
-
-@@ -43,6 +61,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
- {
- struct xen_pcibk_dev_data *dev_data;
- int err;
-+ u16 val;
-+ struct pci_cmd_info *cmd = data;
-
- dev_data = pci_get_drvdata(dev);
- if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
-@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
- }
- }
-
-+ cmd->val = value;
-+
-+ if (!permissive && (!dev_data || !dev_data->permissive))
-+ return 0;
-+
-+ /* Only allow the guest to control certain bits. */
-+ err = pci_read_config_word(dev, offset, &val);
-+ if (err || val == value)
-+ return err;
-+
-+ value &= PCI_COMMAND_GUEST;
-+ value |= val & ~PCI_COMMAND_GUEST;
-+
- return pci_write_config_word(dev, offset, value);
- }
-
-@@ -282,6 +315,8 @@ static const struct config_field header_common[] = {
- {
- .offset = PCI_COMMAND,
- .size = 2,
-+ .init = command_init,
-+ .release = bar_release,
- .u.w.read = command_read,
- .u.w.write = command_write,
- },
---
-2.1.0
-