From: Greg Kroah-Hartman
Date: Fri, 19 Aug 2016 07:38:56 +0000 (+0200)
Subject: removed queue-3.14/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
X-Git-Tag: v3.14.77~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c5396f9a450828650fd1c61879fc3ad9a47e3ec;p=thirdparty%2Fkernel%2Fstable-queue.git
removed queue-3.14/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
---
diff --git a/queue-3.14/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch b/queue-3.14/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
deleted file mode 100644
index 14c975554fa..00000000000
--- a/queue-3.14/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 93d17397e4e2182fdaad503e2f9da46202c0f1c3 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras
-Date: Wed, 22 Jun 2016 15:52:55 +1000
-Subject: KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE
-
-From: Paul Mackerras
-
-commit 93d17397e4e2182fdaad503e2f9da46202c0f1c3 upstream.
-
-It turns out that if the guest does a H_CEDE while the CPU is in
-a transactional state, and the H_CEDE does a nap, and the nap
-loses the architected state of the CPU (which is is allowed to do),
-then we lose the checkpointed state of the virtual CPU. In addition,
-the transactional-memory state recorded in the MSR gets reset back
-to non-transactional, and when we try to return to the guest, we take
-a TM bad thing type of program interrupt because we are trying to
-transition from non-transactional to transactional with a hrfid
-instruction, which is not permitted.
-
-The result of the program interrupt occurring at that point is that
-the host CPU will hang in an infinite loop with interrupts disabled.
-Thus this is a denial of service vulnerability in the host which can
-be triggered by any guest (and depending on the guest kernel, it can
-potentially triggered by unprivileged userspace in the guest).
-
-This vulnerability has been assigned the ID CVE-2016-5412.
-
-To fix this, we save the TM state before napping and restore it
-on exit from the nap, when handling a H_CEDE in real mode. The
-case where H_CEDE exits to host virtual mode is already OK (as are
-other hcalls which exit to host virtual mode) because the exit
-path saves the TM state.
-
-Signed-off-by: Paul Mackerras
-Signed-off-by: Greg Kroah-Hartman
-
----
- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
---- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
-+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
-@@ -1901,6 +1901,13 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_206)
- /* save FP state */
- bl kvmppc_save_fp
-
-+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
-+BEGIN_FTR_SECTION
-+ ld r9, HSTATE_KVM_VCPU(r13)
-+ bl kvmppc_save_tm
-+END_FTR_SECTION_IFSET(CPU_FTR_TM)
-+#endif
-+
- /*
- * Take a nap until a decrementer or external or doobell interrupt
- * occurs, with PECE1, PECE0 and PECEDP set in LPCR
-@@ -1935,6 +1942,12 @@ kvm_end_cede:
- /* Woken by external or decrementer interrupt */
- ld r1, HSTATE_HOST_R1(r13)
-
-+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
-+BEGIN_FTR_SECTION
-+ bl kvmppc_restore_tm
-+END_FTR_SECTION_IFSET(CPU_FTR_TM)
-+#endif
-+
- /* load up FP state */
- bl kvmppc_load_fp
-
diff --git a/queue-3.14/series b/queue-3.14/series
index a0b7ad05564..b3af6c6d404 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -3,7 +3,6 @@ usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch
 usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch
 gpio-pca953x-fix-nbank-calculation-for-pca9536.patch
 gpio-intel-mid-remove-potentially-harmful-code.patch
-kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
 hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
 s5p-mfc-set-device-name-for-reserved-memory-region-devs.patch
 s5p-mfc-add-release-callback-for-memory-region-devs.patch