x86_64-traps-fix-the-espfix64-df-fixup-and-rewrite-it-in-c.patch
x86_64-traps-stop-using-ist-for-ss.patch
x86_64-traps-rework-bad_iret.patch
+x86-require-exact-match-for-noxsave-command-line-option.patch
+x86-mm-set-nx-across-entire-pmd-at-boot.patch
+x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
+x86-microcode-update-bsps-microcode-on-resume.patch
+uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
--- /dev/null
+From 82975bc6a6df743b9a01810fb32cb65d0ec5d60b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Fri, 21 Nov 2014 13:26:07 -0800
+Subject: uprobes, x86: Fix _TIF_UPROBE vs _TIF_NOTIFY_RESUME
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 82975bc6a6df743b9a01810fb32cb65d0ec5d60b upstream.
+
+x86 call do_notify_resume on paranoid returns if TIF_UPROBE is set but
+not on non-paranoid returns. I suspect that this is a mistake and that
+the code only works because int3 is paranoid.
+
+Setting _TIF_NOTIFY_RESUME in the uprobe code was probably a workaround
+for the x86 bug. With that bug fixed, we can remove _TIF_NOTIFY_RESUME
+from the uprobes code.
+
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/thread_info.h | 2 +-
+ kernel/events/uprobes.c | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/thread_info.h
++++ b/arch/x86/include/asm/thread_info.h
+@@ -141,7 +141,7 @@ struct thread_info {
+ /* Only used for 64 bit */
+ #define _TIF_DO_NOTIFY_MASK \
+ (_TIF_SIGPENDING | _TIF_MCE_NOTIFY | _TIF_NOTIFY_RESUME | \
+- _TIF_USER_RETURN_NOTIFY)
++ _TIF_USER_RETURN_NOTIFY | _TIF_UPROBE)
+
+ /* flags to check in __switch_to() */
+ #define _TIF_WORK_CTXSW \
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1640,7 +1640,6 @@ bool uprobe_deny_signal(void)
+ if (__fatal_signal_pending(t) || arch_uprobe_xol_was_trapped(t)) {
+ utask->state = UTASK_SSTEP_TRAPPED;
+ set_tsk_thread_flag(t, TIF_UPROBE);
+- set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
+ }
+ }
+
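Review bot: Dropping `set_tsk_thread_flag(t, TIF_NOTIFY_RESUME)` in kernel/events/uprobes.c changes every architecture that implements uprobes, while the compensating mask fix touches only x86's `_TIF_DO_NOTIFY_MASK`, which the context line marks as "Only used for 64 bit". Whether the 32-bit x86 exit path and the other uprobes architectures already include TIF_UPROBE in their return-to-user work masks is not visible here, and the description argues only the x86-64 case, so that should be confirmed or stated before this goes into a stable tree. A short comment beside the mask addition, `/* TIF_UPROBE must be here: uprobes no longer sets TIF_NOTIFY_RESUME to reach do_notify_resume() */`, would record why the two edits depend on each other. `uprobe_deny_signal()` starts outside the hunk.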
--- /dev/null
+From 70b61e362187b5fccac206506d402f3424e3e749 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 17 Nov 2014 16:16:04 -0800
+Subject: x86, kaslr: Handle Gold linker for finding bss/brk
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 70b61e362187b5fccac206506d402f3424e3e749 upstream.
+
+When building with the Gold linker, the .bss and .brk areas of vmlinux
+are shown as consecutive instead of having the same file offset. Allow
+for either state, as long as things add up correctly.
+
+Fixes: e6023367d779 ("x86, kaslr: Prevent .bss from overlaping initrd")
+Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Junjie Mao <eternal.n08@gmail.com>
+Link: http://lkml.kernel.org/r/20141118001604.GA25045@www.outflux.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/tools/calc_run_size.pl | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/tools/calc_run_size.pl
++++ b/arch/x86/tools/calc_run_size.pl
+@@ -19,7 +19,16 @@ while (<>) {
+ if ($file_offset == 0) {
+ $file_offset = $offset;
+ } elsif ($file_offset != $offset) {
+- die ".bss and .brk lack common file offset\n";
++ # BFD linker shows the same file offset in ELF.
++ # Gold linker shows them as consecutive.
++ next if ($file_offset + $mem_size == $offset + $size);
++
++ printf STDERR "file_offset: 0x%lx\n", $file_offset;
++ printf STDERR "mem_size: 0x%lx\n", $mem_size;
++ printf STDERR "offset: 0x%lx\n", $offset;
++ printf STDERR "size: 0x%lx\n", $size;
++
++ die ".bss and .brk are non-contiguous\n";
+ }
+ }
+ }
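Review bot: The test `next if ($file_offset + $mem_size == $offset + $size);` only means "this section starts exactly where the previous one ends" if `$mem_size` already includes the current section's `$size` by the time this line runs; that accumulation happens in the part of the `while (<>)` loop outside the hunk, so the comment above it should spell the invariant out rather than leaving the arithmetic to be re-derived. Suggest extending the comment to `# Gold linker shows them as consecutive: $mem_size already includes this section, so the previous one ends at $offset.` The `while` loop begins and ends outside the hunk.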
--- /dev/null
+From fb86b97300d930b57471068720c52bfa8622eab7 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 18 Nov 2014 10:46:57 +0100
+Subject: x86, microcode: Update BSPs microcode on resume
+
+From: Borislav Petkov <bp@suse.de>
+
+commit fb86b97300d930b57471068720c52bfa8622eab7 upstream.
+
+In the situation when we apply early microcode but do *not* apply late
+microcode, we fail to update the BSP's microcode on resume because we
+haven't initialized the uci->mc microcode pointer. So, in order to
+alleviate that, we go and dig out the stashed microcode patch during
+early boot. It is basically the same thing that is done on the APs early
+during boot so do that too here.
+
+Tested-by: alex.schnaidt@gmail.com
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=88001
+Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: http://lkml.kernel.org/r/20141118094657.GA6635@pd.tnic
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/microcode/core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -465,6 +465,14 @@ static void mc_bp_resume(void)
+
+ if (uci->valid && uci->mc)
+ microcode_ops->apply_microcode(cpu);
++ else if (!uci->mc)
++ /*
++ * We might resume and not have applied late microcode but still
++ * have a newer patch stashed from the early loader. We don't
++ * have it in uci->mc so we have to load it the same way we're
++ * applying patches early on the APs.
++ */
++ load_ucode_ap();
+ }
+
+ static struct syscore_ops mc_syscore_ops = {
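Review bot: The new `else if (!uci->mc)` branch at the end of `mc_bp_resume()` fires even when `uci->valid` is clear, whereas the branch above requires both `uci->valid` and `uci->mc`; if `valid` being false means the per-CPU state was never initialized, calling `load_ucode_ap()` on resume in that state needs either the guard `else if (uci->valid && !uci->mc)` or a sentence in the comment saying why `valid` does not matter here — the hunk does not show which is intended. On style, the six-line comment sits between the `else if` condition and its single unbraced statement, which reads as if `load_ucode_ap();` were detached from the condition; moving the comment above the `else if`, or bracing the body, keeps the control flow visible at a glance. `mc_bp_resume()` starts outside the hunk.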
--- /dev/null
+From 45e2a9d4701d8c624d4a4bcdd1084eae31e92f58 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 14 Nov 2014 11:47:37 -0800
+Subject: x86, mm: Set NX across entire PMD at boot
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 45e2a9d4701d8c624d4a4bcdd1084eae31e92f58 upstream.
+
+When setting up permissions on kernel memory at boot, the end of the
+PMD that was split from bss remained executable. It should be NX like
+the rest. This performs a PMD alignment instead of a PAGE alignment to
+get the correct span of memory.
+
+Before:
+---[ High Kernel Mapping ]---
+...
+0xffffffff8202d000-0xffffffff82200000 1868K RW GLB NX pte
+0xffffffff82200000-0xffffffff82c00000 10M RW PSE GLB NX pmd
+0xffffffff82c00000-0xffffffff82df5000 2004K RW GLB NX pte
+0xffffffff82df5000-0xffffffff82e00000 44K RW GLB x pte
+0xffffffff82e00000-0xffffffffc0000000 978M pmd
+
+After:
+---[ High Kernel Mapping ]---
+...
+0xffffffff8202d000-0xffffffff82200000 1868K RW GLB NX pte
+0xffffffff82200000-0xffffffff82e00000 12M RW PSE GLB NX pmd
+0xffffffff82e00000-0xffffffffc0000000 978M pmd
+
+[ tglx: Changed it to roundup(_brk_end, PMD_SIZE) and added a comment.
+ We really should unmap the reminder along with the holes
+ caused by init,initdata etc. but thats a different issue ]
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Toshi Kani <toshi.kani@hp.com>
+Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Link: http://lkml.kernel.org/r/20141114194737.GA3091@www.outflux.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/init_64.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1111,7 +1111,7 @@ void mark_rodata_ro(void)
+ unsigned long end = (unsigned long) &__end_rodata_hpage_align;
+ unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
+ unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
+- unsigned long all_end = PFN_ALIGN(&_end);
++ unsigned long all_end;
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+@@ -1122,7 +1122,16 @@ void mark_rodata_ro(void)
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
++ *
++ * We align all_end to PMD_SIZE because the existing mapping
++ * is a full PMD. If we would align _brk_end to PAGE_SIZE we
++ * split the PMD and the reminder between _brk_end and the end
++ * of the PMD will remain mapped executable.
++ *
++ * Any PMD which was setup after the one which covers _brk_end
++ * has been zapped already via cleanup_highmem().
+ */
++ all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
+ set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
+
+ rodata_test();
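Review bot: `all_end` is declared at the top of `mark_rodata_ro()` but is now first assigned at the `roundup()` line, so it is uninitialized across the stretch between the two hunks; that is only safe if nothing in the unshown lines reads it, which these hunks cannot confirm and the description does not mention. The added comment also misspells "remainder" as "reminder"; suggest `* split the PMD and the remainder between _brk_end and the end`. The cast in `roundup((unsigned long)_brk_end, PMD_SIZE)` is redundant if `_brk_end` is already an `unsigned long`, though harmless. `mark_rodata_ro()` starts and ends outside the hunks.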
--- /dev/null
+From 2cd3949f702692cf4c5d05b463f19cd706a92dd3 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 11 Nov 2014 14:01:33 -0800
+Subject: x86: Require exact match for 'noxsave' command line option
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 2cd3949f702692cf4c5d05b463f19cd706a92dd3 upstream.
+
+We have some very similarly named command-line options:
+
+arch/x86/kernel/cpu/common.c:__setup("noxsave", x86_xsave_setup);
+arch/x86/kernel/cpu/common.c:__setup("noxsaveopt", x86_xsaveopt_setup);
+arch/x86/kernel/cpu/common.c:__setup("noxsaves", x86_xsaves_setup);
+
+__setup() is designed to match options that take arguments, like
+"foo=bar" where you would have:
+
+ __setup("foo", x86_foo_func...);
+
+The problem is that "noxsave" actually _matches_ "noxsaves" in
+the same way that "foo" matches "foo=bar". If you boot an old
+kernel that does not know about "noxsaves" with "noxsaves" on the
+command line, it will interpret the argument as "noxsave", which
+is not what you want at all.
+
+This makes the "noxsave" handler only return success when it finds
+an *exact* match.
+
+[ tglx: We really need to make __setup() more robust. ]
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Hansen <dave@sr71.net>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: x86@kernel.org
+Link: http://lkml.kernel.org/r/20141111220133.FE053984@viggo.jf.intel.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -146,6 +146,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
+
+ static int __init x86_xsave_setup(char *s)
+ {
++ if (strlen(s))
++ return 0;
+ setup_clear_cpu_cap(X86_FEATURE_XSAVE);
+ setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
+ setup_clear_cpu_cap(X86_FEATURE_XSAVES);