author | Ben Hutchings <ben@decadent.org.uk> | 2016-05-29 22:33:26 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-05-29 22:33:26 +0100 |
commit | 6976b08b12b3a2069af49cded3e30a16322f1f37 (patch) | |
tree | dc89f76b31a66bca9d22ab7bf93348e13f91b533 | |
parent | 2d3c4236d293112f89b5f7d71e8f10c40fa51303 (diff) | |
parent | f122b3358b6ee51341f1ead76543ca364fc5a4ce (diff) | |
Merge tag 'debian/4.5.5-1'
10 files changed, 468 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index b301b49f8738..f4dd64071e4f 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -91,6 +91,121 @@ linux (4.6~rc3-1~exp1) experimental; urgency=medium -- Ben Hutchings <ben@decadent.org.uk> Thu, 14 Apr 2016 23:55:15 +0100 +linux (4.5.5-1) unstable; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 + - decnet: Do not build routes to devices without decnet private data. + - route: do not cache fib route info on local routes with oif + - packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface + - net: sched: do not requeue a NULL skb + - bpf/verifier: reject invalid LD_ABS | BPF_DW instruction + - cdc_mbim: apply "NDP to end" quirk to all Huawei devices + - soreuseport: fix ordering for mixed v4/v6 sockets + - net: use skb_postpush_rcsum instead of own implementations + - vlan: pull on __vlan_insert_tag error path and fix csum correction + - openvswitch: Orphan skbs before IPv6 defrag + - openvswitch: use flow protocol when recalculating ipv6 checksums + - net/mlx5_core: Fix soft lockup in steering error flow + - net/mlx5e: Device's mtu field is u16 and not int + - net/mlx5e: Fix minimum MTU + - net/mlx5e: Use vport MTU rather than physical port MTU + - ipv4/fib: don't warn when primary address is missing if in_dev is dead + - net/mlx4_en: fix spurious timestamping callbacks + - net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case + - gre: do not pull header in ICMP error processing + - net_sched: introduce qdisc_replace() helper + - net_sched: update hierarchical backlog too + - sch_htb: update backlog as well + - sch_dsmark: update backlog as well + - netem: Segment GSO packets on enqueue + - ipv6/ila: fix nlsize calculation for lwtunnel + - net/mlx4_en: Fix endianness bug in IPV6 csum calculation + - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only + - net: bridge: fix old ioctl unlocked net device walk + - bridge: fix igmp / mld query parsing + - net: fix a kernel infoleak in x25 module (CVE-2016-4580) + - net: thunderx: avoid 
exposing kernel stack + - tcp: refresh skb timestamp at retransmit time + - net/route: enforce hoplimit max value + - ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang + - ocfs2: fix posix_acl_create deadlock + - zsmalloc: fix zs_can_compact() integer overflow + - mm: thp: calculate the mapcount correctly for THP pages during WP faults + - [x86] crypto: qat - fix invalid pf2vf_resp_wq logic + - crypto: testmgr - Use kmalloc memory for RSA input + - ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) + - ALSA: usb-audio: Yet another Phoneix Audio device quirk + - ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 + - ALSA: hda - Fix white noise on Asus UX501VW headset + - ALSA: hda - Fix broken reconfig + - [armhf] spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is + overridden + - [armhf] spi: spi-ti-qspi: Handle truncated frames properly + - perf diff: Fix duplicated output column + - perf/core: Disable the event on a truncated AUX record + - vfs: rename: check backing inode being equal + - workqueue: fix rebind bound workers warning + - [armhf] regulator: s2mps11: Fix invalid selector mask and voltages + for buck9 + - [armhf] regulator: axp20x: Fix axp22x ldo_io voltage ranges + - atomic_open(): fix the handling of create_error + - qla1280: Don't allocate 512kb of host tags + - tools lib traceevent: Do not reassign parg after collapse_tree() + - [x86] drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk + frequency + - drm/radeon: fix PLL sharing on DCE6.1 (v2) + - [x86] drm/i915: Bail out of pipe config compute loop on LPT + - [x86] Revert "drm/i915: start adding dp mst audio" + - [x86] drm/i915/bdw: Add missing delay during L3 SQC credit programming + - drm/radeon: fix DP link training issue with second 4K monitor + - drm/radeon: fix DP mode validation + - [x86] drm/amdgpu: fix DP mode validation + - btrfs: reada: Fix in-segment calculation for reada + - Btrfs: fix truncate_space_check + - btrfs: 
remove error message from search ioctl for nonexistent tree + - btrfs: change max_inline default to 2048 + - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync + - Btrfs: fix file loss on log replay after renaming a file and fsync + - Btrfs: fix extent_same allowing destination offset beyond i_size + - Btrfs: fix deadlock between direct IO reads and buffered writes + - Btrfs: fix race when checking if we can skip fsync'ing an inode + - Btrfs: do not collect ordered extents when logging that inode exists + - btrfs: csum_tree_block: return proper errno value + - btrfs: do not write corrupted metadata blocks to disk + - Btrfs: fix invalid reference in replace_path + - btrfs: handle non-fatal errors in btrfs_qgroup_inherit() + - btrfs: fallback to vmalloc in btrfs_compare_tree + - Btrfs: don't use src fd for printk + - btrfs: Reset IO error counters before start of device replacing + + [ Salvatore Bonaccorso ] + * tipc: check nl sock before parsing nested attributes (CVE-2016-4951) + + [ Ben Hutchings ] + * aufs: Update support patches to aufs4.5-20160523 + - mmap: Fix use-after-free in remap_file_pages(2) + * Revert "stmmac: Fix 'eth0: No PHY found' regression" (Closes: #823493) + * [x86] kvm:vmx: more complete state update on APICv on/off (CVE-2016-4440) + * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482) + * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569) + * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or + snd_timer_user_tinterrupt (CVE-2016-4578) + * dwc3-exynos: Fix deferred probing storm (Closes: #823552; thanks to + Steinar H. Gunderson) + * Re-apply "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing", + reverted upstream in 4.5.5 + + [ Roger Shimizu ] + * [armhf] Enable SENSORS_PWM_FAN / PWM_SAMSUNG as module, as recommended by + Steinar H. Gunderson. 
(Closes: #824941) + * [armhf] For Odroid-U3 (Exynos4) support, enable ARCH_EXYNOS4 / MFD_MAX77686 + / RTC_DRV_MAX77686 as built-in, and COMMON_CLK_MAX77686 + / REGULATOR_MAX77686 / MMC_SDHCI_S3C as module. Thanks to + Vagrant Cascadian. (Closes: #825139) + + -- Ben Hutchings <ben@decadent.org.uk> Sun, 29 May 2016 22:21:11 +0100 + linux (4.5.4-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/config/armhf/config b/debian/config/armhf/config index 22129c4a59f4..bcfc316c51dc 100644 --- a/debian/config/armhf/config +++ b/debian/config/armhf/config @@ -47,7 +47,7 @@ CONFIG_ARCH_BCM2835=y ## CONFIG_ARCH_EXYNOS=y # CONFIG_ARCH_EXYNOS3 is not set -# CONFIG_ARCH_EXYNOS4 is not set +CONFIG_ARCH_EXYNOS4=y CONFIG_ARCH_EXYNOS5=y CONFIG_EXYNOS5420_MCPM=y @@ -176,6 +176,7 @@ CONFIG_HW_RANDOM_OMAP=m ## ## file: drivers/clk/Kconfig ## +CONFIG_COMMON_CLK_MAX77686=m CONFIG_COMMON_CLK_S2MPS11=m CONFIG_CLK_TWL6040=m @@ -362,6 +363,7 @@ CONFIG_OMAP_SSI=m ## CONFIG_SENSORS_G762=m CONFIG_SENSORS_GPIO_FAN=m +CONFIG_SENSORS_PWM_FAN=m ## ## file: drivers/hwspinlock/Kconfig @@ -532,6 +534,7 @@ CONFIG_MFD_AS3722=y CONFIG_MFD_AXP20X_I2C=y CONFIG_MFD_DA9052_SPI=y CONFIG_MFD_DA9052_I2C=y +CONFIG_MFD_MAX77686=y CONFIG_MFD_MC13XXX_SPI=m CONFIG_MFD_MC13XXX_I2C=m CONFIG_MFD_SEC_CORE=y @@ -565,6 +568,7 @@ CONFIG_MMC_SDHCI_ESDHC_IMX=m CONFIG_MMC_SDHCI_TEGRA=m CONFIG_MMC_SDHCI_PXAV3=m CONFIG_MMC_SDHCI_BCM2835=m +CONFIG_MMC_SDHCI_S3C=m CONFIG_MMC_OMAP=m CONFIG_MMC_OMAP_HS=m CONFIG_MMC_MVSDIO=m @@ -854,6 +858,7 @@ CONFIG_PWM=y CONFIG_PWM_BCM2835=m CONFIG_PWM_IMX=m CONFIG_PWM_ROCKCHIP=m +CONFIG_PWM_SAMSUNG=m CONFIG_PWM_SUN4I=m CONFIG_PWM_TEGRA=m CONFIG_PWM_TIECAP=m @@ -873,6 +878,7 @@ CONFIG_REGULATOR_AXP20X=m CONFIG_REGULATOR_DA9052=m CONFIG_REGULATOR_FAN53555=m CONFIG_REGULATOR_GPIO=m +CONFIG_REGULATOR_MAX77686=m CONFIG_REGULATOR_MC13783=m CONFIG_REGULATOR_MC13892=m CONFIG_REGULATOR_PALMAS=y 
@@ -901,6 +907,7 @@ CONFIG_RTC_DRV_DA9052=y CONFIG_RTC_DRV_EFI=y CONFIG_RTC_DRV_IMXDI=y CONFIG_RTC_DRV_OMAP=y +CONFIG_RTC_DRV_MAX77686=y CONFIG_RTC_DRV_PL030=y CONFIG_RTC_DRV_PL031=y CONFIG_RTC_DRV_VT8500=y diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch new file mode 100644 index 000000000000..7881d70d884e --- /dev/null +++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch @@ -0,0 +1,28 @@ +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:20 -0400 +Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch new file mode 100644 index 000000000000..cf9da77fc6c3 --- /dev/null +++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch 
@@ -0,0 +1,28 @@ +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5 + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1290,6 +1290,7 @@ static void snd_timer_user_tinterrupt(st + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch new file mode 100644 index 000000000000..c67d2f71c0eb --- /dev/null +++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch 
@@ -0,0 +1,28 @@ +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:07 -0400 +Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e + +The stack object “tread” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1755,6 +1755,7 @@ static int snd_timer_user_params(struct + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; diff --git a/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch new file mode 100644 index 000000000000..934147dd5293 --- /dev/null +++ b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch 
@@ -0,0 +1,36 @@ +From: Richard Alpe <richard.alpe@ericsson.com> +Date: Mon, 16 May 2016 11:14:54 +0200 +Subject: tipc: check nl sock before parsing nested attributes +Origin: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c + +Make sure the socket for which the user is listing publication exists +before parsing the socket netlink attributes. + +Prior to this patch a call without any socket caused a NULL pointer +dereference in tipc_nl_publ_dump(). + +Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com> +Signed-off-by: Richard Alpe <richard.alpe@ericsson.com> +Acked-by: Jon Maloy <jon.maloy@ericsson.cm> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/tipc/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 1262889..3b7a799 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) + if (err) + return err; + ++ if (!attrs[TIPC_NLA_SOCK]) ++ return -EINVAL; ++ + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, + attrs[TIPC_NLA_SOCK], + tipc_nl_sock_policy); +-- +2.8.1 + diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch new file mode 100644 index 000000000000..dee56c6ce512 --- /dev/null +++ b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch 
@@ -0,0 +1,36 @@ +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:32:16 -0400 +Subject: USB: usbfs: fix potential infoleak in devio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee + +The stack object “ci” has a total size of 8 bytes. Its last 3 bytes +are padding bytes which are not initialized and leaked to userland +via “copy_to_user”. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/core/devio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1186,10 +1186,11 @@ static int proc_getdriver(struct usb_dev + + static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci = { +- .devnum = ps->dev->devnum, +- .slow = ps->dev->speed == USB_SPEED_LOW +- }; ++ struct usbdevfs_connectinfo ci; ++ ++ memset(&ci, 0, sizeof(ci)); ++ ci.devnum = ps->dev->devnum; ++ ci.slow = ps->dev->speed == USB_SPEED_LOW; + + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT; diff --git a/debian/patches/bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch b/debian/patches/bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch new file mode 100644 index 000000000000..08d894fc4eec --- /dev/null +++ b/debian/patches/bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch 
@@ -0,0 +1,81 @@ +From: "Steinar H. Gunderson" <sesse@google.com> +Date: Tue, 24 May 2016 20:13:15 +0200 +Forwarded: http://mid.gmane.org/E1b6Hj3-0001MI-AS@pannekake.samfundet.no +Subject: dwc3-exynos: Fix deferred probing storm. +Bug-Debian: https://bugs.debian.org/823552 + +dwc3-exynos has two problems during init if the regulators are slow +to come up (for instance if the I2C bus driver is not on the initramfs) +and return probe deferral. First, every time this happens, the driver +leaks the USB phys created; they need to be deallocated on error. + +Second, since the phy devices are created before the regulators fail, +this means that there's a new device to re-trigger deferred probing, +which causes it to essentially go into a busy loop of re-probing the +device until the regulators come up. + +Move the phy creation to after the regulators have succeeded, and also +fix cleanup on failure. On my ODROID XU4 system (with Debian's initramfs +which doesn't contain the I2C driver), this reduces the number of probe +attempts (for each of the two controllers) from more than 2000 to eight. + +Signed-off-by: Steinar H. 
Gunderson <sesse@google.com> +Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> +Reviewed-by: Vivek Gautam <gautam.vivek@samsung.com> +Fixes: d720f057fda4 ("usb: dwc3: exynos: add nop transceiver support") +Cc: <stable@vger.kernel.org> +--- + drivers/usb/dwc3/dwc3-exynos.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c +index dd5cb55..2f1fb7e 100644 +--- a/drivers/usb/dwc3/dwc3-exynos.c ++++ b/drivers/usb/dwc3/dwc3-exynos.c +@@ -128,12 +128,6 @@ static int dwc3_exynos_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, exynos); + +- ret = dwc3_exynos_register_phys(exynos); +- if (ret) { +- dev_err(dev, "couldn't register PHYs\n"); +- return ret; +- } +- + exynos->dev = dev; + + exynos->clk = devm_clk_get(dev, "usbdrd30"); +@@ -183,20 +177,29 @@ static int dwc3_exynos_probe(struct platform_device *pdev) + goto err3; + } + ++ ret = dwc3_exynos_register_phys(exynos); ++ if (ret) { ++ dev_err(dev, "couldn't register PHYs\n"); ++ goto err4; ++ } ++ + if (node) { + ret = of_platform_populate(node, NULL, NULL, dev); + if (ret) { + dev_err(dev, "failed to add dwc3 core\n"); +- goto err4; ++ goto err5; + } + } else { + dev_err(dev, "no device node, failed to add dwc3 core\n"); + ret = -ENODEV; +- goto err4; ++ goto err5; + } + + return 0; + ++err5: ++ platform_device_unregister(exynos->usb2_phy); ++ platform_device_unregister(exynos->usb3_phy); + err4: + regulator_disable(exynos->vdd10); + err3: + + diff --git a/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch b/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch new file mode 100644 index 000000000000..ca5e6ad6e020 --- /dev/null +++ b/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch 
@@ -0,0 +1,101 @@ +From: Roman Kagan <rkagan@virtuozzo.com> +Subject: kvm:vmx: more complete state update on APICv on/off +Date: Wed, 18 May 2016 17:48:20 +0300 +Origin: http://article.gmane.org/gmane.comp.emulators.kvm.devel/152191 + +The function to update APICv on/off state (in particular, to deactivate +it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust +APICv-related fields among secondary processor-based VM-execution +controls. + +As a result, Windows 2012 guests would get stuck when SynIC-based +auto-EOI interrupt intersected with e.g. an IPI in the guest. + +In addition, the MSR intercept bitmap wasn't updated to correspond to +whether "virtualize x2APIC mode" was enabled. This path used not to be +triggered, since Windows didn't use x2APIC but rather their own +synthetic APIC access MSRs; however it represented a security risk +because the guest running in a SynIC-enabled VM could switch to x2APIC +and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang +<yang.zhang.wz@gmail.com> for spotting this). + +The patch fixes those omissions. 
+ +Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> +Cc: Steve Rutherford <srutherford@google.com> +Cc: Yang Zhang <yang.zhang.wz@gmail.com> +--- + arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 18 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2397,7 +2397,9 @@ static void vmx_set_msr_bitmap(struct kv + + if (is_guest_mode(vcpu)) + msr_bitmap = vmx_msr_bitmap_nested; +- else if (vcpu->arch.apic_base & X2APIC_ENABLE) { ++ else if (cpu_has_secondary_exec_ctrls() && ++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) & ++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) { + if (is_long_mode(vcpu)) + msr_bitmap = vmx_msr_bitmap_longmode_x2apic; + else +@@ -4758,6 +4760,19 @@ static void vmx_refresh_apicv_exec_ctrl( + struct vcpu_vmx *vmx = to_vmx(vcpu); + + vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx)); ++ if (cpu_has_secondary_exec_ctrls()) { ++ if (kvm_vcpu_apicv_active(vcpu)) ++ vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL, ++ SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY); ++ else ++ vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL, ++ SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY); ++ } ++ ++ if (cpu_has_vmx_msr_bitmap()) ++ vmx_set_msr_bitmap(vcpu); + } + + static u32 vmx_exec_control(struct vcpu_vmx *vmx) +@@ -6313,23 +6328,20 @@ static __init int hardware_setup(void) + + set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ + +- if (enable_apicv) { +- for (msr = 0x800; msr <= 0x8ff; msr++) +- vmx_disable_intercept_msr_read_x2apic(msr); +- +- /* According SDM, in x2apic mode, the whole id reg is used. +- * But in KVM, it only use the highest eight bits. 
Need to +- * intercept it */ +- vmx_enable_intercept_msr_read_x2apic(0x802); +- /* TMCCT */ +- vmx_enable_intercept_msr_read_x2apic(0x839); +- /* TPR */ +- vmx_disable_intercept_msr_write_x2apic(0x808); +- /* EOI */ +- vmx_disable_intercept_msr_write_x2apic(0x80b); +- /* SELF-IPI */ +- vmx_disable_intercept_msr_write_x2apic(0x83f); +- } ++ for (msr = 0x800; msr <= 0x8ff; msr++) ++ vmx_disable_intercept_msr_read_x2apic(msr); ++ ++ /* According SDM, in x2apic mode, the whole id reg is used. But in ++ * KVM, it only use the highest eight bits. Need to intercept it */ ++ vmx_enable_intercept_msr_read_x2apic(0x802); ++ /* TMCCT */ ++ vmx_enable_intercept_msr_read_x2apic(0x839); ++ /* TPR */ ++ vmx_disable_intercept_msr_write_x2apic(0x808); ++ /* EOI */ ++ vmx_disable_intercept_msr_write_x2apic(0x80b); ++ /* SELF-IPI */ ++ vmx_disable_intercept_msr_write_x2apic(0x83f); + + if (enable_ept) { + kvm_mmu_set_mask_ptes(0ull, diff --git a/debian/patches/series b/debian/patches/series index f28f1eddc9a2..d64c767994c6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -49,6 +49,7 @@ bugfix/mips/MIPS-Disable-preemption-during-prctl-PR_SET_FP_MODE.patch bugfix/mips/MIPS-Force-CPUs-to-lose-FP-context-during-mode-switc.patch bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch bugfix/powerpc/powerpc-fix-sstep-compile-on-powerpcspe.patch +bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch # Arch features features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch 
@@ -103,6 +104,12 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch +bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch +bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch +bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch +bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch +bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch +bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch # Tools bug fixes bugfix/all/usbip-document-tcp-wrappers.patch |
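Review bot: in the three sound/core/timer.c hunks (snd_timer_user_ccallback, snd_timer_user_tinterrupt, snd_timer_user_params) the added memset is the right fix rather than a cosmetic one: r1 and tread are filled field by field, and field assignment never writes the padding that the commit messages place after `event` and `val`, so those 8 bytes would otherwise carry stale stack contents to userspace. In the tinterrupt hunk the memset sits only inside the SNDRV_TIMER_EVENT_RESOLUTION branch; if r1 is populated on another path in that function, it needs the same treatment, which this hunk does not show. In the params hunk the explicit `tread.tstamp.tv_sec = 0;` and `tread.tstamp.tv_nsec = 0;` after the memset are now redundant but harmless.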
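Review bot: the added `if (!attrs[TIPC_NLA_SOCK]) return -EINVAL;` in tipc_nl_publ_dump correctly precedes the nla_parse_nested() call that the commit message says dereferenced the missing attribute, and placing it after the existing `if (err) return err;` means a failed outer parse is still reported first. One nit in the header: the Acked-by address ends in `ericsson.cm`, which looks like a typo carried over from upstream; harmless, since trailers are kept verbatim, but worth knowing when searching for the upstream discussion.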
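Review bot: in proc_connectinfo the switch from a designated initializer to memset plus field assignments is necessary, not stylistic: a brace initializer zeroes unnamed members, but the C standard gives no guarantee about padding bytes, and the commit message notes that 3 of ci's 8 bytes are padding that reach userspace through the copy_to_user() visible in the context lines. The same pattern, a stack struct with padding copied whole to userspace, is worth auditing in the other usbfs ioctl handlers in devio.c, since the hunk only covers this one.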
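Review bot: the new err5 label unregisters usb2_phy and usb3_phy so the PHYs created by the relocated dwc3_exynos_register_phys() call are torn down when of_platform_populate() fails or the node is missing, and a failure of register_phys itself now falls through to err4 (regulator_disable(exynos->vdd10)) and below, which matches the commit message's two problems. What the hunk cannot show is whether dwc3_exynos_register_phys() cleans up a partially registered pair on its own (usb2_phy registered, usb3_phy failed); if it does not, that path would still leak one platform device and re-trigger the deferred-probe loop the patch is fixing. The trailing context is cut off after `err3:` in this rendering, so the remaining labels should be checked in the full file.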
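Review bot: the vmx_set_msr_bitmap hunk now selects the x2APIC bitmaps from the SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE bit in the VMCS instead of the guest-controlled X2APIC_ENABLE bit in apic_base, which is the core of the security fix described in the commit message: a guest flipping its own APIC base into x2APIC mode no longer gets the intercept-free bitmap unless the host actually enabled x2APIC virtualization. Because this function reads SECONDARY_VM_EXEC_CONTROL with vmcs_read32(), the new call from vmx_refresh_apicv_exec_ctrl() must only run with that vcpu's VMCS loaded; confirm that at the caller. In the hardware_setup hunk the per-MSR intercept setup becomes unconditional on enable_apicv, which is safe given that the first hunk only selects those bitmaps when the VMCS bit is set; since the comment is being reflowed anyway, fix its grammar while touching it ("According to the SDM", "it only uses the highest eight bits").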