Linux v3.19.3
This commit is contained in:
parent
a091e2f95c
commit
0faec04810
|
@ -1,85 +0,0 @@
|
|||
commit 285994a62c80f1d72c6924282bcb59608098d5ec
|
||||
Author: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Date: Wed Mar 11 12:20:39 2015 +0000
|
||||
|
||||
arm64: Invalidate the TLB corresponding to intermediate page table levels
|
||||
|
||||
The ARM architecture allows the caching of intermediate page table
|
||||
levels and page table freeing requires a sequence like:
|
||||
|
||||
pmd_clear()
|
||||
TLB invalidation
|
||||
pte page freeing
|
||||
|
||||
With commit 5e5f6dc10546 (arm64: mm: enable HAVE_RCU_TABLE_FREE logic),
|
||||
the page table freeing batching was moved from tlb_remove_page() to
|
||||
tlb_remove_table(). The former takes care of TLB invalidation as this is
|
||||
also shared with pte clearing and page cache page freeing. The latter,
|
||||
however, does not invalidate the TLBs for intermediate page table levels
|
||||
as it probably relies on the architecture code to do it if required.
|
||||
When the mm->mm_users < 2, tlb_remove_table() does not do any batching
|
||||
and page table pages are freed before tlb_finish_mmu() which performs
|
||||
the actual TLB invalidation.
|
||||
|
||||
This patch introduces __tlb_flush_pgtable() for arm64 and calls it from
|
||||
the {pte,pmd,pud}_free_tlb() directly without relying on deferred page
|
||||
table freeing.
|
||||
|
||||
Fixes: 5e5f6dc10546 arm64: mm: enable HAVE_RCU_TABLE_FREE logic
|
||||
Reported-by: Jon Masters <jcm@redhat.com>
|
||||
Tested-by: Jon Masters <jcm@redhat.com>
|
||||
Tested-by: Steve Capper <steve.capper@linaro.org>
|
||||
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
|
||||
|
||||
diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h
|
||||
index c028fe3..53d9c35 100644
|
||||
--- a/arch/arm64/include/asm/tlb.h
|
||||
+++ b/arch/arm64/include/asm/tlb.h
|
||||
@@ -48,6 +48,7 @@ static inline void tlb_flush(struct mmu_gather *tlb)
|
||||
static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
|
||||
unsigned long addr)
|
||||
{
|
||||
+ __flush_tlb_pgtable(tlb->mm, addr);
|
||||
pgtable_page_dtor(pte);
|
||||
tlb_remove_entry(tlb, pte);
|
||||
}
|
||||
@@ -56,6 +57,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
|
||||
static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
|
||||
unsigned long addr)
|
||||
{
|
||||
+ __flush_tlb_pgtable(tlb->mm, addr);
|
||||
tlb_remove_entry(tlb, virt_to_page(pmdp));
|
||||
}
|
||||
#endif
|
||||
@@ -64,6 +66,7 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
|
||||
static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pudp,
|
||||
unsigned long addr)
|
||||
{
|
||||
+ __flush_tlb_pgtable(tlb->mm, addr);
|
||||
tlb_remove_entry(tlb, virt_to_page(pudp));
|
||||
}
|
||||
#endif
|
||||
diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
|
||||
index 4abe9b9..c3bb05b 100644
|
||||
--- a/arch/arm64/include/asm/tlbflush.h
|
||||
+++ b/arch/arm64/include/asm/tlbflush.h
|
||||
@@ -144,6 +144,19 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Used to invalidate the TLB (walk caches) corresponding to intermediate page
|
||||
+ * table levels (pgd/pud/pmd).
|
||||
+ */
|
||||
+static inline void __flush_tlb_pgtable(struct mm_struct *mm,
|
||||
+ unsigned long uaddr)
|
||||
+{
|
||||
+ unsigned long addr = uaddr >> 12 | ((unsigned long)ASID(mm) << 48);
|
||||
+
|
||||
+ dsb(ishst);
|
||||
+ asm("tlbi vae1is, %0" : : "r" (addr));
|
||||
+ dsb(ish);
|
||||
+}
|
||||
+/*
|
||||
* On AArch64, the cache coherency is handled via the set_pte_at() function.
|
||||
*/
|
||||
static inline void update_mmu_cache(struct vm_area_struct *vma,
|
20
kernel.spec
20
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 2
|
||||
%define stable_update 3
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -639,9 +639,6 @@ Patch26161: Input-synaptics-re-route-tracksticks-buttons-on-the-.patch
|
|||
Patch26162: Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch
|
||||
Patch26163: Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch
|
||||
|
||||
#CVE-2015-2150 rhbz 1196266 1200397
|
||||
Patch26165: xen-pciback-limit-guest-control-of-command-register.patch
|
||||
|
||||
#CVE-2014-8159 rhbz 1181166 1200950
|
||||
Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
|
||||
|
||||
|
@ -657,9 +654,6 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
|
|||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
Patch30001: aarch64-fix-tlb-issues.patch
|
||||
|
||||
Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
|
||||
|
||||
#rhbz 1204512
|
||||
Patch26174: tun-return-proper-error-code-from-tun_do_read.patch
|
||||
|
@ -1407,9 +1401,6 @@ ApplyPatch Input-synaptics-re-route-tracksticks-buttons-on-the-.patch
|
|||
ApplyPatch Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch
|
||||
ApplyPatch Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch
|
||||
|
||||
#CVE-2015-2150 rhbz 1196266 1200397
|
||||
ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch
|
||||
|
||||
#CVE-2014-8159 rhbz 1181166 1200950
|
||||
ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
|
||||
|
||||
|
@ -1425,15 +1416,11 @@ ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch
|
|||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
# Just needed for 3.19
|
||||
ApplyPatch aarch64-fix-tlb-issues.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
ApplyPatch kernel-arm64.patch -R
|
||||
%endif
|
||||
%endif
|
||||
|
||||
ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
|
||||
|
||||
#rhbz 1204512
|
||||
ApplyPatch tun-return-proper-error-code-from-tun_do_read.patch
|
||||
|
||||
|
@ -2296,6 +2283,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Thu Mar 26 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.19.3-200
|
||||
- Linux v3.19.3
|
||||
|
||||
* Thu Mar 26 2015 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Disable the broken CONFIG_MSM_IOMMU
|
||||
|
||||
|
|
|
@ -1,37 +0,0 @@
|
|||
From: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Date: Fri, 20 Mar 2015 17:41:43 +0000
|
||||
Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
|
||||
sys_sendto/sys_recvfrom
|
||||
|
||||
Cc: stable@vger.kernel.org # v3.19
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/socket.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
index 418795caa897..d50e7ca6aeea 100644
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
|
||||
|
||||
if (len > INT_MAX)
|
||||
len = INT_MAX;
|
||||
+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
|
||||
+ return -EFAULT;
|
||||
sock = sockfd_lookup_light(fd, &err, &fput_needed);
|
||||
if (!sock)
|
||||
goto out;
|
||||
@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
|
||||
|
||||
if (size > INT_MAX)
|
||||
size = INT_MAX;
|
||||
+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
|
||||
+ return -EFAULT;
|
||||
sock = sockfd_lookup_light(fd, &err, &fput_needed);
|
||||
if (!sock)
|
||||
goto out;
|
||||
--
|
||||
2.1.0
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
d3fc8316d4d4d04b65cbc2d70799e763 linux-3.19.tar.xz
|
||||
15d8d2f97ce056488451a5bfb2944603 perf-man-3.19.tar.gz
|
||||
6f7128647a2fc0912958ac1cbf96a95a patch-3.19.2.xz
|
||||
1fec75551b2f55fced43df8394b1fd9a patch-3.19.3.xz
|
||||
|
|
|
@ -1,156 +0,0 @@
|
|||
From: Jan Beulich <JBeulich@suse.com>
|
||||
Date: Wed, 11 Mar 2015 13:51:17 +0000
|
||||
Subject: [PATCH] xen-pciback: limit guest control of command register
|
||||
|
||||
Otherwise the guest can abuse that control to cause e.g. PCIe
|
||||
Unsupported Request responses (by disabling memory and/or I/O decoding
|
||||
and subsequently causing [CPU side] accesses to the respective address
|
||||
ranges), which (depending on system configuration) may be fatal to the
|
||||
host.
|
||||
|
||||
Note that to alter any of the bits collected together as
|
||||
PCI_COMMAND_GUEST permissive mode is now required to be enabled
|
||||
globally or on the specific device.
|
||||
|
||||
This is CVE-2015-2150 / XSA-120.
|
||||
|
||||
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
---
|
||||
drivers/xen/xen-pciback/conf_space.c | 2 +-
|
||||
drivers/xen/xen-pciback/conf_space.h | 2 +
|
||||
drivers/xen/xen-pciback/conf_space_header.c | 61 +++++++++++++++++++++++------
|
||||
3 files changed, 51 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c
|
||||
index 46ae0f9f02ad..75fe3d466515 100644
|
||||
--- a/drivers/xen/xen-pciback/conf_space.c
|
||||
+++ b/drivers/xen/xen-pciback/conf_space.c
|
||||
@@ -16,7 +16,7 @@
|
||||
#include "conf_space.h"
|
||||
#include "conf_space_quirks.h"
|
||||
|
||||
-static bool permissive;
|
||||
+bool permissive;
|
||||
module_param(permissive, bool, 0644);
|
||||
|
||||
/* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
|
||||
diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h
|
||||
index e56c934ad137..2e1d73d1d5d0 100644
|
||||
--- a/drivers/xen/xen-pciback/conf_space.h
|
||||
+++ b/drivers/xen/xen-pciback/conf_space.h
|
||||
@@ -64,6 +64,8 @@ struct config_field_entry {
|
||||
void *data;
|
||||
};
|
||||
|
||||
+extern bool permissive;
|
||||
+
|
||||
#define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
|
||||
|
||||
/* Add fields to a device - the add_fields macro expects to get a pointer to
|
||||
diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c
|
||||
index c5ee82587e8c..2d7369391472 100644
|
||||
--- a/drivers/xen/xen-pciback/conf_space_header.c
|
||||
+++ b/drivers/xen/xen-pciback/conf_space_header.c
|
||||
@@ -11,6 +11,10 @@
|
||||
#include "pciback.h"
|
||||
#include "conf_space.h"
|
||||
|
||||
+struct pci_cmd_info {
|
||||
+ u16 val;
|
||||
+};
|
||||
+
|
||||
struct pci_bar_info {
|
||||
u32 val;
|
||||
u32 len_val;
|
||||
@@ -20,22 +24,36 @@ struct pci_bar_info {
|
||||
#define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
|
||||
#define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
|
||||
|
||||
-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
|
||||
+/* Bits guests are allowed to control in permissive mode. */
|
||||
+#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
|
||||
+ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
|
||||
+ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
|
||||
+
|
||||
+static void *command_init(struct pci_dev *dev, int offset)
|
||||
{
|
||||
- int i;
|
||||
- int ret;
|
||||
-
|
||||
- ret = xen_pcibk_read_config_word(dev, offset, value, data);
|
||||
- if (!pci_is_enabled(dev))
|
||||
- return ret;
|
||||
-
|
||||
- for (i = 0; i < PCI_ROM_RESOURCE; i++) {
|
||||
- if (dev->resource[i].flags & IORESOURCE_IO)
|
||||
- *value |= PCI_COMMAND_IO;
|
||||
- if (dev->resource[i].flags & IORESOURCE_MEM)
|
||||
- *value |= PCI_COMMAND_MEMORY;
|
||||
+ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
|
||||
+ int err;
|
||||
+
|
||||
+ if (!cmd)
|
||||
+ return ERR_PTR(-ENOMEM);
|
||||
+
|
||||
+ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
|
||||
+ if (err) {
|
||||
+ kfree(cmd);
|
||||
+ return ERR_PTR(err);
|
||||
}
|
||||
|
||||
+ return cmd;
|
||||
+}
|
||||
+
|
||||
+static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
|
||||
+{
|
||||
+ int ret = pci_read_config_word(dev, offset, value);
|
||||
+ const struct pci_cmd_info *cmd = data;
|
||||
+
|
||||
+ *value &= PCI_COMMAND_GUEST;
|
||||
+ *value |= cmd->val & ~PCI_COMMAND_GUEST;
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -43,6 +61,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
|
||||
{
|
||||
struct xen_pcibk_dev_data *dev_data;
|
||||
int err;
|
||||
+ u16 val;
|
||||
+ struct pci_cmd_info *cmd = data;
|
||||
|
||||
dev_data = pci_get_drvdata(dev);
|
||||
if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
|
||||
@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
|
||||
}
|
||||
}
|
||||
|
||||
+ cmd->val = value;
|
||||
+
|
||||
+ if (!permissive && (!dev_data || !dev_data->permissive))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Only allow the guest to control certain bits. */
|
||||
+ err = pci_read_config_word(dev, offset, &val);
|
||||
+ if (err || val == value)
|
||||
+ return err;
|
||||
+
|
||||
+ value &= PCI_COMMAND_GUEST;
|
||||
+ value |= val & ~PCI_COMMAND_GUEST;
|
||||
+
|
||||
return pci_write_config_word(dev, offset, value);
|
||||
}
|
||||
|
||||
@@ -282,6 +315,8 @@ static const struct config_field header_common[] = {
|
||||
{
|
||||
.offset = PCI_COMMAND,
|
||||
.size = 2,
|
||||
+ .init = command_init,
|
||||
+ .release = bar_release,
|
||||
.u.w.read = command_read,
|
||||
.u.w.write = command_write,
|
||||
},
|
||||
--
|
||||
2.1.0
|
||||
|
Loading…
Reference in New Issue