x86-fpu-shift-drop_init_fpu-from-save_xstate_sig-to-handle_signal.patch
x86-flags-rename-x86_eflags_bit1-to-x86_eflags_fixed.patch
x86_64-entry-filter-rflags.nt-on-entry-from-userspace.patch
+x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch
+x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch
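Review bot: ordering is correct: x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch is queued after x86_64-entry-filter-rflags.nt-on-entry-from-userspace.patch (the 8c7aa698baca change it fixes, per its Fixes: tag), so the series never applies the NT filter without its fix. Make sure both are released together; the filter alone reads past the top of the stack, as the second patch's commit message describes.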
--- /dev/null
+From d1cd1210834649ce1ca6bafe5ac25d2f40331343 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Wed, 29 Oct 2014 03:53:37 -0700
+Subject: x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit d1cd1210834649ce1ca6bafe5ac25d2f40331343 upstream.
+
+pte_pfn() returns a PFN of long (32 bits in 32-PAE), so "long <<
+PAGE_SHIFT" will overflow for PFNs above 4GB.
+
+Due to this issue, some Linux 32-PAE distros, running as guests on Hyper-V,
+with 5GB memory assigned, can't load the netvsc driver successfully and
+hence the synthetic network device can't work (we can use the kernel parameter
+mem=3000M to work around the issue).
+
+Cast pte_pfn() to phys_addr_t before shifting.
+
+Fixes: "commit d76565344512: x86, mm: Create slow_virt_to_phys()"
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: gregkh@linuxfoundation.org
+Cc: linux-mm@kvack.org
+Cc: olaf@aepfle.de
+Cc: apw@canonical.com
+Cc: jasowang@redhat.com
+Cc: dave.hansen@intel.com
+Cc: riel@redhat.com
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1414580017-27444-1-git-send-email-decui@microsoft.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/pageattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -389,7 +389,7 @@ phys_addr_t slow_virt_to_phys(void *__vi
+ psize = page_level_size(level);
+ pmask = page_level_mask(level);
+ offset = virt_addr & ~pmask;
+- phys_addr = pte_pfn(*pte) << PAGE_SHIFT;
++ phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;
+ return (phys_addr | offset);
+ }
+ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
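Review bot: the cast is on the right operand: in `phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;` the cast binds before the shift, so on X86_PAE the shift happens in 64 bits rather than in unsigned long, which is what the overflow above 4GB needed; on non-PAE 32-bit and on 64-bit it is a no-op. The `offset` term is derived from `virt_addr`, not the PFN, so it is unaffected. Style point: `PFN_PHYS()` from linux/pfn.h is exactly this cast-and-shift, so `phys_addr = PFN_PHYS(pte_pfn(*pte));` would state the intent without an open-coded cast and would be harder to regress.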
--- /dev/null
+From 653bc77af60911ead1f423e588f54fc2547c4957 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Fri, 31 Oct 2014 18:08:45 -0700
+Subject: x86_64, entry: Fix out of bounds read on sysenter
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 653bc77af60911ead1f423e588f54fc2547c4957 upstream.
+
+Rusty noticed a Really Bad Bug (tm) in my NT fix. The entry code
+reads out of bounds, causing the NT fix to be unreliable. But, and
+this is much, much worse, if your stack is somehow just below the
+top of the direct map (or a hole), you read out of bounds and crash.
+
+Excerpt from the crash:
+
+[ 1.129513] RSP: 0018:ffff88001da4bf88 EFLAGS: 00010296
+
+ 2b:* f7 84 24 90 00 00 00 testl $0x4000,0x90(%rsp)
+
+That read is deterministically above the top of the stack. I
+thought I even single-stepped through this code when I wrote it to
+check the offset, but I clearly screwed it up.
+
+Fixes: 8c7aa698baca ("x86_64, entry: Filter RFLAGS.NT on entry from userspace")
+Reported-by: Rusty Russell <rusty@ozlabs.org>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/ia32/ia32entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -157,7 +157,7 @@ ENTRY(ia32_sysenter_target)
+ * ourselves. To save a few cycles, we can check whether
+ * NT was set instead of doing an unconditional popfq.
+ */
+- testl $X86_EFLAGS_NT,EFLAGS(%rsp) /* saved EFLAGS match cpu */
++ testl $X86_EFLAGS_NT,EFLAGS-ARGOFFSET(%rsp)
+ jnz sysenter_fix_flags
+ sysenter_flags_fixed:
+
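Review bot: the replacement line drops the trailing comment `/* saved EFLAGS match cpu */` along with the offset fix; keep it on the new line, since the comment block above still relies on the reader knowing this is the saved copy of EFLAGS being tested. The `-ARGOFFSET` adjustment matches the crash excerpt in the commit message: the old `testl $0x4000,0x90(%rsp)` landed above the top of the stack because only part of the pt_regs frame is saved at this point in `ia32_sysenter_target`. If 8c7aa698baca added the same NT test to other entry paths, confirm each uses the frame offset that matches its own save state rather than assuming this single fix covers them.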