+++ /dev/null
-From e51e38494a8ecc18650efb0c840600637891de2c Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Thu, 20 Aug 2015 14:28:48 -0700
-Subject: Input: synaptics - fix handling of disabling gesture mode
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit e51e38494a8ecc18650efb0c840600637891de2c upstream.
-
-Bit 2 of the mode byte has dual meaning: it can disable reporting of
-gestures when touchpad works in Relative mode or normal Absolute mode,
-or it can enable so called Extended W-Mode when touchpad uses enhanced
-Absolute mode (W-mode). The extended W-Mode confuses our driver and
-causes missing button presses on some Thinkpads (x250, T450s), so let's
-make sure we do not enable it.
-
-Also, according to the spec W mode "... bit is defined only in Absolute
-mode on pads whose capExtended capability bit is set. In Relative mode and
-in TouchPads without this capability, the bit is reserved and should be
-left at 0.", so let's make sure we respect this requirement as well.
-
-Reported-by: Nick Bowler <nbowler@draconx.ca>
-Suggested-by: Gabor Balla <gaborwho@gmail.com>
-Tested-by: Gabor Balla <gaborwho@gmail.com>
-Tested-by: Nick Bowler <nbowler@draconx.ca>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/input/mouse/synaptics.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -447,14 +447,18 @@ static int synaptics_set_mode(struct psm
- struct synaptics_data *priv = psmouse->private;
-
- priv->mode = 0;
-- if (priv->absolute_mode)
-+
-+ if (priv->absolute_mode) {
- priv->mode |= SYN_BIT_ABSOLUTE_MODE;
-- if (priv->disable_gesture)
-+ if (SYN_CAP_EXTENDED(priv->capabilities))
-+ priv->mode |= SYN_BIT_W_MODE;
-+ }
-+
-+ if (!SYN_MODE_WMODE(priv->mode) && priv->disable_gesture)
- priv->mode |= SYN_BIT_DISABLE_GESTURE;
-+
- if (psmouse->rate >= 80)
- priv->mode |= SYN_BIT_HIGH_RATE;
-- if (SYN_CAP_EXTENDED(priv->capabilities))
-- priv->mode |= SYN_BIT_W_MODE;
-
- if (synaptics_mode_cmd(psmouse, priv->mode))
- return -1;
--- /dev/null
+From fb35e914b3f88cda9ee6f9d776910c35269c4ecf Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Mon, 3 Mar 2014 11:09:47 -0700
+Subject: NVMe: Initialize device reference count earlier
+
+From: Keith Busch <keith.busch@intel.com>
+
+commit fb35e914b3f88cda9ee6f9d776910c35269c4ecf upstream.
+
+If an NVMe device becomes ready but fails to create IO queues, the driver
+creates a character device handle so the device can be managed. The
+device reference count needs to be initialized before creating the
+character device.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nvme-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/nvme-core.c
++++ b/drivers/block/nvme-core.c
+@@ -2464,6 +2464,7 @@ static int nvme_probe(struct pci_dev *pd
+ if (result)
+ goto release;
+
++ kref_init(&dev->kref);
+ result = nvme_dev_start(dev);
+ if (result) {
+ if (result == -EBUSY)
+@@ -2471,7 +2472,6 @@ static int nvme_probe(struct pci_dev *pd
+ goto release_pools;
+ }
+
+- kref_init(&dev->kref);
+ result = nvme_dev_add(dev);
+ if (result)
+ goto shutdown;
arm64-head.s-initialise-mdcr_el2-in-el2_setup.patch
arm64-errata-add-module-build-workaround-for-erratum-843419.patch
arm64-kvm-disable-virtual-timer-even-if-the-guest-is-not-using-it.patch
-input-synaptics-fix-handling-of-disabling-gesture-mode.patch
input-evdev-do-not-report-errors-form-flush.patch
alsa-hda-enable-headphone-jack-detect-on-old-fujitsu-laptops.patch
alsa-hda-use-alc880_fixup_fujitsu-for-fsc-amilo-m1437.patch
subject-net-gso-use-feature-flag-argument-in-all-protocol-gso-handlers.patch
revert-iio-bmg160-iio_buffer-and-iio_triggered_buffer-are-required.patch
x86-nmi-enable-nested-do_nmi-handling-for-64-bit-kernels.patch
+x86-nmi-64-remove-asm-code-that-saves-cr2.patch
+x86-nmi-64-switch-stacks-on-userspace-nmi-entry.patch
+x86-nmi-64-improve-nested-nmi-comments.patch
+x86-nmi-64-reorder-nested-nmi-checks.patch
+x86-nmi-64-use-df-to-avoid-userspace-rsp-confusing-nested-nmi-detection.patch
+udf-check-length-of-extended-attributes-and-allocation.patch
+nvme-initialize-device-reference-count-earlier.patch
--- /dev/null
+From 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation
+ descriptors
+
+From: Jan Kara <jack@suse.cz>
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+This fixes CVE-2015-4167.
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+[Use make_bad_inode() instead of branching due to older implementation.]
+Signed-off-by: Chas Williams <3chas3@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/inode.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode
+ iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+ }
+
++ /*
++ * Sanity check length of allocation descriptors and extended attrs to
++ * avoid integer overflows
++ */
++ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
++ || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
++ make_bad_inode(inode);
++ return;
++ }
++ /* Now do exact checks */
++ if (udf_file_entry_alloc_offset(inode)
++ + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
++ make_bad_inode(inode);
++ return;
++ }
++
+ switch (fe->icbTag.fileType) {
+ case ICBTAG_FILE_TYPE_DIRECTORY:
+ inode->i_op = &udf_dir_inode_operations;
--- /dev/null
+From 0b22930ebad563ae97ff3f8d7b9f12060b4c6e6b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 15 Jul 2015 10:29:36 -0700
+Subject: x86/nmi/64: Improve nested NMI comments
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 0b22930ebad563ae97ff3f8d7b9f12060b4c6e6b upstream.
+
+I found the nested NMI documentation to be difficult to follow.
+Improve the comments.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_64.S | 159 +++++++++++++++++++++++++--------------------
+ arch/x86/kernel/nmi.c | 4 -
+ 2 files changed, 93 insertions(+), 70 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1702,11 +1702,12 @@ ENTRY(nmi)
+ * If the variable is not set and the stack is not the NMI
+ * stack then:
+ * o Set the special variable on the stack
+- * o Copy the interrupt frame into a "saved" location on the stack
+- * o Copy the interrupt frame into a "copy" location on the stack
++ * o Copy the interrupt frame into an "outermost" location on the
++ * stack
++ * o Copy the interrupt frame into an "iret" location on the stack
+ * o Continue processing the NMI
+ * If the variable is set or the previous stack is the NMI stack:
+- * o Modify the "copy" location to jump to the repeate_nmi
++ * o Modify the "iret" location to jump to the repeat_nmi
+ * o return back to the first NMI
+ *
+ * Now on exit of the first NMI, we first clear the stack variable
+@@ -1798,18 +1799,60 @@ ENTRY(nmi)
+
+ .Lnmi_from_kernel:
+ /*
+- * Check the special variable on the stack to see if NMIs are
+- * executing.
++ * Here's what our stack frame will look like:
++ * +---------------------------------------------------------+
++ * | original SS |
++ * | original Return RSP |
++ * | original RFLAGS |
++ * | original CS |
++ * | original RIP |
++ * +---------------------------------------------------------+
++ * | temp storage for rdx |
++ * +---------------------------------------------------------+
++ * | "NMI executing" variable |
++ * +---------------------------------------------------------+
++ * | iret SS } Copied from "outermost" frame |
++ * | iret Return RSP } on each loop iteration; overwritten |
++ * | iret RFLAGS } by a nested NMI to force another |
++ * | iret CS } iteration if needed. |
++ * | iret RIP } |
++ * +---------------------------------------------------------+
++ * | outermost SS } initialized in first_nmi; |
++ * | outermost Return RSP } will not be changed before |
++ * | outermost RFLAGS } NMI processing is done. |
++ * | outermost CS } Copied to "iret" frame on each |
++ * | outermost RIP } iteration. |
++ * +---------------------------------------------------------+
++ * | pt_regs |
++ * +---------------------------------------------------------+
++ *
++ * The "original" frame is used by hardware. Before re-enabling
++ * NMIs, we need to be done with it, and we need to leave enough
++ * space for the asm code here.
++ *
++ * We return by executing IRET while RSP points to the "iret" frame.
++ * That will either return for real or it will loop back into NMI
++ * processing.
++ *
++ * The "outermost" frame is copied to the "iret" frame on each
++ * iteration of the loop, so each iteration starts with the "iret"
++ * frame pointing to the final return target.
++ */
++
++ /*
++ * Determine whether we're a nested NMI.
++ *
++ * First check "NMI executing". If it's set, then we're nested.
++ * This will not detect if we interrupted an outer NMI just
++ * before IRET.
+ */
+ cmpl $1, -8(%rsp)
+ je nested_nmi
+
+ /*
+- * Now test if the previous stack was an NMI stack.
+- * We need the double check. We check the NMI stack to satisfy the
+- * race when the first NMI clears the variable before returning.
+- * We check the variable because the first NMI could be in a
+- * breakpoint routine using a breakpoint stack.
++ * Now test if the previous stack was an NMI stack. This covers
++ * the case where we interrupt an outer NMI after it clears
++ * "NMI executing" but before IRET.
+ */
+ lea 6*8(%rsp), %rdx
+ test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
+@@ -1817,9 +1860,11 @@ ENTRY(nmi)
+
+ nested_nmi:
+ /*
+- * Do nothing if we interrupted the fixup in repeat_nmi.
+- * It's about to repeat the NMI handler, so we are fine
+- * with ignoring this one.
++ * If we interrupted an NMI that is between repeat_nmi and
++ * end_repeat_nmi, then we must not modify the "iret" frame
++ * because it's being written by the outer NMI. That's okay;
++ * the outer NMI handler is about to call do_nmi anyway,
++ * so we can just resume the outer NMI.
+ */
+ movq $repeat_nmi, %rdx
+ cmpq 8(%rsp), %rdx
+@@ -1829,7 +1874,10 @@ nested_nmi:
+ ja nested_nmi_out
+
+ 1:
+- /* Set up the interrupted NMIs stack to jump to repeat_nmi */
++ /*
++ * Modify the "iret" frame to point to repeat_nmi, forcing another
++ * iteration of NMI handling.
++ */
+ leaq -1*8(%rsp), %rdx
+ movq %rdx, %rsp
+ CFI_ADJUST_CFA_OFFSET 1*8
+@@ -1848,60 +1896,23 @@ nested_nmi_out:
+ popq_cfi %rdx
+ CFI_RESTORE rdx
+
+- /* No need to check faults here */
++ /* We are returning to kernel mode, so this cannot result in a fault. */
+ INTERRUPT_RETURN
+
+ CFI_RESTORE_STATE
+ first_nmi:
+- /*
+- * Because nested NMIs will use the pushed location that we
+- * stored in rdx, we must keep that space available.
+- * Here's what our stack frame will look like:
+- * +-------------------------+
+- * | original SS |
+- * | original Return RSP |
+- * | original RFLAGS |
+- * | original CS |
+- * | original RIP |
+- * +-------------------------+
+- * | temp storage for rdx |
+- * +-------------------------+
+- * | NMI executing variable |
+- * +-------------------------+
+- * | copied SS |
+- * | copied Return RSP |
+- * | copied RFLAGS |
+- * | copied CS |
+- * | copied RIP |
+- * +-------------------------+
+- * | Saved SS |
+- * | Saved Return RSP |
+- * | Saved RFLAGS |
+- * | Saved CS |
+- * | Saved RIP |
+- * +-------------------------+
+- * | pt_regs |
+- * +-------------------------+
+- *
+- * The saved stack frame is used to fix up the copied stack frame
+- * that a nested NMI may change to make the interrupted NMI iret jump
+- * to the repeat_nmi. The original stack frame and the temp storage
+- * is also used by nested NMIs and can not be trusted on exit.
+- */
+- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */
++ /* Restore rdx. */
+ movq (%rsp), %rdx
+ CFI_RESTORE rdx
+
+- /* Set the NMI executing variable on the stack. */
++ /* Set "NMI executing" on the stack. */
+ pushq_cfi $1
+
+- /*
+- * Leave room for the "copied" frame
+- */
++ /* Leave room for the "iret" frame */
+ subq $(5*8), %rsp
+ CFI_ADJUST_CFA_OFFSET 5*8
+
+- /* Copy the stack frame to the Saved frame */
++ /* Copy the "original" frame to the "outermost" frame */
+ .rept 5
+ pushq_cfi 11*8(%rsp)
+ .endr
+@@ -1909,6 +1920,7 @@ first_nmi:
+
+ /* Everything up to here is safe from nested NMIs */
+
++repeat_nmi:
+ /*
+ * If there was a nested NMI, the first NMI's iret will return
+ * here. But NMIs are still enabled and we can take another
+@@ -1917,16 +1929,21 @@ first_nmi:
+ * it will just return, as we are about to repeat an NMI anyway.
+ * This makes it safe to copy to the stack frame that a nested
+ * NMI will update.
+- */
+-repeat_nmi:
+- /*
+- * Update the stack variable to say we are still in NMI (the update
+- * is benign for the non-repeat case, where 1 was pushed just above
+- * to this very stack slot).
++ *
++ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
++ * we're repeating an NMI, gsbase has the same value that it had on
++ * the first iteration. paranoid_entry will load the kernel
++ * gsbase if needed before we call do_nmi.
++ *
++ * Set "NMI executing" in case we came back here via IRET.
+ */
+ movq $1, 10*8(%rsp)
+
+- /* Make another copy, this one may be modified by nested NMIs */
++ /*
++ * Copy the "outermost" frame to the "iret" frame. NMIs that nest
++ * here must not modify the "iret" frame while we're writing to
++ * it or it will end up containing garbage.
++ */
+ addq $(10*8), %rsp
+ CFI_ADJUST_CFA_OFFSET -10*8
+ .rept 5
+@@ -1937,9 +1954,9 @@ repeat_nmi:
+ end_repeat_nmi:
+
+ /*
+- * Everything below this point can be preempted by a nested
+- * NMI if the first NMI took an exception and reset our iret stack
+- * so that we repeat another NMI.
++ * Everything below this point can be preempted by a nested NMI.
++ * If this happens, then the inner NMI will change the "iret"
++ * frame to point back to repeat_nmi.
+ */
+ pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */
+ subq $ORIG_RAX-R15, %rsp
+@@ -1967,9 +1984,15 @@ nmi_restore:
+ /* Pop the extra iret frame at once */
+ RESTORE_ALL 6*8
+
+- /* Clear the NMI executing stack variable */
++ /* Clear "NMI executing". */
+ movq $0, 5*8(%rsp)
+- jmp irq_return
++
++ /*
++ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
++ * stack in a single instruction. We are returning to kernel
++ * mode, so this cannot result in a fault.
++ */
++ INTERRUPT_RETURN
+ CFI_ENDPROC
+ END(nmi)
+
+--- a/arch/x86/kernel/nmi.c
++++ b/arch/x86/kernel/nmi.c
+@@ -392,8 +392,8 @@ static __kprobes void default_do_nmi(str
+ }
+
+ /*
+- * NMIs can hit breakpoints which will cause it to lose its NMI context
+- * with the CPU when the breakpoint or page fault does an IRET.
++ * NMIs can page fault or hit breakpoints which will cause it to lose
++ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
+ *
+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
+ * NMI processing. On x86_64, the asm glue protects us from nested NMIs
--- /dev/null
+From 0e181bb58143cb4a2e8f01c281b0816cd0e4798e Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 15 Jul 2015 10:29:34 -0700
+Subject: x86/nmi/64: Remove asm code that saves CR2
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 0e181bb58143cb4a2e8f01c281b0816cd0e4798e upstream.
+
+Now that do_nmi saves CR2, we don't need to save it in asm.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/x86/kernel/entry_64.S | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1885,28 +1885,10 @@ end_repeat_nmi:
+ call save_paranoid
+ DEFAULT_FRAME 0
+
+- /*
+- * Save off the CR2 register. If we take a page fault in the NMI then
+- * it could corrupt the CR2 value. If the NMI preempts a page fault
+- * handler before it was able to read the CR2 register, and then the
+- * NMI itself takes a page fault, the page fault that was preempted
+- * will read the information from the NMI page fault and not the
+- * origin fault. Save it off and restore it if it changes.
+- * Use the r12 callee-saved register.
+- */
+- movq %cr2, %r12
+-
+ /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
+ movq %rsp,%rdi
+ movq $-1,%rsi
+ call do_nmi
+-
+- /* Did the NMI take a page fault? Restore cr2 if it did */
+- movq %cr2, %rcx
+- cmpq %rcx, %r12
+- je 1f
+- movq %r12, %cr2
+-1:
+
+ testl %ebx,%ebx /* swapgs needed? */
+ jnz nmi_restore
--- /dev/null
+From a27507ca2d796cfa8d907de31ad730359c8a6d06 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 15 Jul 2015 10:29:37 -0700
+Subject: x86/nmi/64: Reorder nested NMI checks
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit a27507ca2d796cfa8d907de31ad730359c8a6d06 upstream.
+
+Check the repeat_nmi .. end_repeat_nmi special case first. The
+next patch will rework the RSP check and, as a side effect, the
+RSP check will no longer detect repeat_nmi .. end_repeat_nmi, so
+we'll need this ordering of the checks.
+
+Note: this is more subtle than it appears. The check for
+repeat_nmi .. end_repeat_nmi jumps straight out of the NMI code
+instead of adjusting the "iret" frame to force a repeat. This
+is necessary, because the code between repeat_nmi and
+end_repeat_nmi sets "NMI executing" and then writes to the
+"iret" frame itself. If a nested NMI comes in and modifies the
+"iret" frame while repeat_nmi is also modifying it, we'll end up
+with garbage. The old code got this right, as does the new
+code, but the new code is a bit more explicit.
+
+If we were to move the check right after the "NMI executing"
+check, then we'd get it wrong and have random crashes.
+
+( Because the "NMI executing" check would jump to the code that would
+ modify the "iret" frame without checking if the interrupted NMI was
+ currently modifying it. )
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_64.S | 33 +++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1842,7 +1842,23 @@ ENTRY(nmi)
+ /*
+ * Determine whether we're a nested NMI.
+ *
+- * First check "NMI executing". If it's set, then we're nested.
++ * If we interrupted kernel code between repeat_nmi and
++ * end_repeat_nmi, then we are a nested NMI. We must not
++ * modify the "iret" frame because it's being written by
++ * the outer NMI. That's okay; the outer NMI handler is
++ * about to about to call do_nmi anyway, so we can just
++ * resume the outer NMI.
++ */
++ movq $repeat_nmi, %rdx
++ cmpq 8(%rsp), %rdx
++ ja 1f
++ movq $end_repeat_nmi, %rdx
++ cmpq 8(%rsp), %rdx
++ ja nested_nmi_out
++1:
++
++ /*
++ * Now check "NMI executing". If it's set, then we're nested.
+ * This will not detect if we interrupted an outer NMI just
+ * before IRET.
+ */
+@@ -1860,21 +1876,6 @@ ENTRY(nmi)
+
+ nested_nmi:
+ /*
+- * If we interrupted an NMI that is between repeat_nmi and
+- * end_repeat_nmi, then we must not modify the "iret" frame
+- * because it's being written by the outer NMI. That's okay;
+- * the outer NMI handler is about to call do_nmi anyway,
+- * so we can just resume the outer NMI.
+- */
+- movq $repeat_nmi, %rdx
+- cmpq 8(%rsp), %rdx
+- ja 1f
+- movq $end_repeat_nmi, %rdx
+- cmpq 8(%rsp), %rdx
+- ja nested_nmi_out
+-
+-1:
+- /*
+ * Modify the "iret" frame to point to repeat_nmi, forcing another
+ * iteration of NMI handling.
+ */
--- /dev/null
+From 9b6e6a8334d56354853f9c255d1395c2ba570e0a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 15 Jul 2015 10:29:35 -0700
+Subject: x86/nmi/64: Switch stacks on userspace NMI entry
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 9b6e6a8334d56354853f9c255d1395c2ba570e0a upstream.
+
+Returning to userspace is tricky: IRET can fail, and ESPFIX can
+rearrange the stack prior to IRET.
+
+The NMI nesting fixup relies on a precise stack layout and
+atomic IRET. Rather than trying to teach the NMI nesting fixup
+to handle ESPFIX and failed IRET, punt: run NMIs that came from
+user mode on the normal kernel stack.
+
+This will make some nested NMIs visible to C code, but the C
+code is okay with that.
+
+As a side effect, this should speed up perf: it eliminates an
+RDMSR when NMIs come from user mode.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_64.S | 77 ++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 73 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1715,19 +1715,88 @@ ENTRY(nmi)
+ * a nested NMI that updated the copy interrupt stack frame, a
+ * jump will be made to the repeat_nmi code that will handle the second
+ * NMI.
++ *
++ * However, espfix prevents us from directly returning to userspace
++ * with a single IRET instruction. Similarly, IRET to user mode
++ * can fault. We therefore handle NMIs from user space like
++ * other IST entries.
+ */
+
+ /* Use %rdx as out temp variable throughout */
+ pushq_cfi %rdx
+ CFI_REL_OFFSET rdx, 0
+
++ testb $3, CS-RIP+8(%rsp)
++ jz .Lnmi_from_kernel
++
++ /*
++ * NMI from user mode. We need to run on the thread stack, but we
++ * can't go through the normal entry paths: NMIs are masked, and
++ * we don't want to enable interrupts, because then we'll end
++ * up in an awkward situation in which IRQs are on but NMIs
++ * are off.
++ */
++ SWAPGS
++ cld
++ movq %rsp, %rdx
++ movq PER_CPU_VAR(kernel_stack), %rsp
++ addq $KERNEL_STACK_OFFSET, %rsp
++ pushq 5*8(%rdx) /* pt_regs->ss */
++ pushq 4*8(%rdx) /* pt_regs->rsp */
++ pushq 3*8(%rdx) /* pt_regs->flags */
++ pushq 2*8(%rdx) /* pt_regs->cs */
++ pushq 1*8(%rdx) /* pt_regs->rip */
++ pushq $-1 /* pt_regs->orig_ax */
++ pushq %rdi /* pt_regs->di */
++ pushq %rsi /* pt_regs->si */
++ pushq (%rdx) /* pt_regs->dx */
++ pushq %rcx /* pt_regs->cx */
++ pushq %rax /* pt_regs->ax */
++ pushq %r8 /* pt_regs->r8 */
++ pushq %r9 /* pt_regs->r9 */
++ pushq %r10 /* pt_regs->r10 */
++ pushq %r11 /* pt_regs->r11 */
++ pushq %rbx /* pt_regs->rbx */
++ pushq %rbp /* pt_regs->rbp */
++ pushq %r12 /* pt_regs->r12 */
++ pushq %r13 /* pt_regs->r13 */
++ pushq %r14 /* pt_regs->r14 */
++ pushq %r15 /* pt_regs->r15 */
++
++ /*
++ * At this point we no longer need to worry about stack damage
++ * due to nesting -- we're on the normal thread stack and we're
++ * done with the NMI stack.
++ */
++ movq %rsp, %rdi
++ movq $-1, %rsi
++ call do_nmi
++
++ /*
++ * Return back to user mode. We must *not* do the normal exit
++ * work, because we don't want to enable interrupts. Fortunately,
++ * do_nmi doesn't modify pt_regs.
++ */
++ SWAPGS
++
+ /*
+- * If %cs was not the kernel segment, then the NMI triggered in user
+- * space, which means it is definitely not nested.
++ * Open-code the entire return process for compatibility with varying
++ * register layouts across different kernel versions.
+ */
+- cmpl $__KERNEL_CS, 16(%rsp)
+- jne first_nmi
++ addq $6*8, %rsp /* skip bx, bp, and r12-r15 */
++ popq %r11 /* pt_regs->r11 */
++ popq %r10 /* pt_regs->r10 */
++ popq %r9 /* pt_regs->r9 */
++ popq %r8 /* pt_regs->r8 */
++ popq %rax /* pt_regs->ax */
++ popq %rcx /* pt_regs->cx */
++ popq %rdx /* pt_regs->dx */
++ popq %rsi /* pt_regs->si */
++ popq %rdi /* pt_regs->di */
++ addq $8, %rsp /* skip orig_ax */
++ INTERRUPT_RETURN
+
++.Lnmi_from_kernel:
+ /*
+ * Check the special variable on the stack to see if NMIs are
+ * executing.
--- /dev/null
+From 810bc075f78ff2c221536eb3008eac6a492dba2d Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 15 Jul 2015 10:29:38 -0700
+Subject: x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 810bc075f78ff2c221536eb3008eac6a492dba2d upstream.
+
+We have a tricky bug in the nested NMI code: if we see RSP
+pointing to the NMI stack on NMI entry from kernel mode, we
+assume that we are executing a nested NMI.
+
+This isn't quite true. A malicious userspace program can point
+RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
+happen while RSP is still pointing at the NMI stack.
+
+Fix it with a sneaky trick. Set DF in the region of code that
+the RSP check is intended to detect. IRET will clear DF
+atomically.
+
+( Note: other than paravirt, there's little need for all this
+ complexity. We could check RIP instead of RSP. )
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/x86/kernel/entry_64.S | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1868,10 +1868,25 @@ ENTRY(nmi)
+ /*
+ * Now test if the previous stack was an NMI stack. This covers
+ * the case where we interrupt an outer NMI after it clears
+- * "NMI executing" but before IRET.
++ * "NMI executing" but before IRET. We need to be careful, though:
++ * there is one case in which RSP could point to the NMI stack
++ * despite there being no NMI active: naughty userspace controls
++ * RSP at the very beginning of the SYSCALL targets. We can
++ * pull a fast one on naughty userspace, though: we program
++ * SYSCALL to mask DF, so userspace cannot cause DF to be set
++ * if it controls the kernel's RSP. We set DF before we clear
++ * "NMI executing".
+ */
+ lea 6*8(%rsp), %rdx
+ test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
++
++ /* Ah, it is within the NMI stack. */
++
++ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
++ jz first_nmi /* RSP was user controlled. */
++
++ /* This is a nested NMI. */
++
+ CFI_REMEMBER_STATE
+
+ nested_nmi:
+@@ -1985,8 +2000,16 @@ nmi_restore:
+ /* Pop the extra iret frame at once */
+ RESTORE_ALL 6*8
+
+- /* Clear "NMI executing". */
+- movq $0, 5*8(%rsp)
++ /*
++ * Clear "NMI executing". Set DF first so that we can easily
++ * distinguish the remaining code between here and IRET from
++ * the SYSCALL entry and exit paths. On a native kernel, we
++ * could just inspect RIP, but, on paravirt kernels,
++ * INTERRUPT_RETURN can translate into a jump into a
++ * hypercall page.
++ */
++ std
++ movq $0, 5*8(%rsp) /* clear "NMI executing" */
+
+ /*
+ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
projects / thirdparty / kernel / stable-queue.git / commitdiff
