3.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Dec 2014 01:46:59 +0000 (17:46 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Dec 2014 01:46:59 +0000 (17:46 -0800)
added patches:
x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch

queue-3.17/series
queue-3.17/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch [new file with mode: 0644]

index d2ab40023427c24f82a5a03242cd1a1be5f1eec1..52245a5fa88ce9a98ac6e0a4d29272734baa210a 100644 (file)
@@ -2,3 +2,4 @@ isofs-fix-infinite-looping-over-ce-entries.patch
 x86-tls-validate-tls-entries-to-protect-espfix.patch
 x86-tls-disallow-unusual-tls-segments.patch
 x86_64-switch_to-load-tls-descriptors-before-switching-ds-and-es.patch
+x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
diff --git a/queue-3.17/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch b/queue-3.17/x86-kvm-clear-paravirt_enabled-on-kvm-guests-for-espfix32-s-benefit.patch
new file mode 100644 (file)
index 0000000..f7be498
--- /dev/null
@@ -0,0 +1,68 @@
+From 29fa6825463c97e5157284db80107d1bfac5d77b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Fri, 5 Dec 2014 19:03:28 -0800
+Subject: x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 29fa6825463c97e5157284db80107d1bfac5d77b upstream.
+
+paravirt_enabled has the following effects:
+
+ - Disables the F00F bug workaround warning.  There is no F00F bug
+   workaround any more because Linux's standard IDT handling already
+   works around the F00F bug, but the warning still exists.  This
+   is only cosmetic, and, in any event, there is no such thing as
+   KVM on a CPU with the F00F bug.
+
+ - Disables 32-bit APM BIOS detection.  On a KVM paravirt system,
+   there should be no APM BIOS anyway.
+
+ - Disables tboot.  I think that the tboot code should check the
+   CPUID hypervisor bit directly if it matters.
+
+ - paravirt_enabled disables espfix32.  espfix32 should *not* be
+   disabled under KVM paravirt.
+
+The last point is the purpose of this patch.  It fixes a leak of the
+high 16 bits of the kernel stack address on 32-bit KVM paravirt
+guests.  Fixes CVE-2014-8134.
+
+Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kvm.c      |    9 ++++++++-
+ arch/x86/kernel/kvmclock.c |    1 -
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -282,7 +282,14 @@ NOKPROBE_SYMBOL(do_async_page_fault);
+ static void __init paravirt_ops_setup(void)
+ {
+       pv_info.name = "KVM";
+-      pv_info.paravirt_enabled = 1;
++
++      /*
++       * KVM isn't paravirt in the sense of paravirt_enabled.  A KVM
++       * guest kernel works like a bare metal kernel with additional
++       * features, and paravirt_enabled is about features that are
++       * missing.
++       */
++      pv_info.paravirt_enabled = 0;
+       if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
+               pv_cpu_ops.io_delay = kvm_io_delay;
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -263,7 +263,6 @@ void __init kvmclock_init(void)
+ #endif
+       kvm_get_preset_lpj();
+       clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
+-      pv_info.paravirt_enabled = 1;
+       pv_info.name = "KVM";
+       if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))