From: Greg Kroah-Hartman Date: Tue, 24 Mar 2015 13:10:13 +0000 (+0100) Subject: 3.14-stable patches X-Git-Tag: v3.19.3~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44891232952a418c1a92f03e2dd75680571b0b98;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-aesni-fix-memory-usage-in-gcm-decryption.patch crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch libsas-fix-kernel-crash-in-smp_execute_task.patch netfilter-nft_compat-fix-module-refcount-underflow.patch netfilter-xt_socket-fix-a-stack-corruption-bug.patch pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch x86-vdso-fix-the-build-on-gcc5.patch xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch xen-pciback-limit-guest-control-of-command-register.patch --- diff --git a/queue-3.14/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch b/queue-3.14/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch new file mode 100644 index 00000000000..815e395c5b2 --- /dev/null +++ b/queue-3.14/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch @@ -0,0 +1,65 @@ +From ccfe8c3f7e52ae83155cb038753f4c75b774ca8a Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 12 Mar 2015 09:17:51 +0100 +Subject: crypto: aesni - fix memory usage in GCM decryption + +From: Stephan Mueller + +commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream. + +The kernel crypto API logic requires the caller to provide the +length of (ciphertext || authentication tag) as cryptlen for the +AEAD decryption operation. Thus, the cipher implementation must +calculate the size of the plaintext output itself and cannot simply use +cryptlen. + +The RFC4106 GCM decryption operation tries to overwrite cryptlen memory +in req->dst. As the destination buffer for decryption only needs to hold +the plaintext memory but cryptlen references the input buffer holding +(ciphertext || authentication tag), the assumption of the destination +buffer length in RFC4106 GCM operation leads to a too large size. This +patch simply uses the already calculated plaintext size. + +In addition, this patch fixes the offset calculation of the AAD buffer +pointer: as mentioned before, cryptlen already includes the size of the +tag. Thus, the tag does not need to be added. With the addition, the AAD +will be written beyond the already allocated buffer. + +Note, this fixes a kernel crash that can be triggered from user space +via AF_ALG(aead) -- simply use the libkcapi test application +from [1] and update it to use rfc4106-gcm-aes. + +Using [1], the changes were tested using CAVS vectors to demonstrate +that the crypto operation still delivers the right results. + +[1] http://www.chronox.de/libkcapi.html + +CC: Tadeusz Struk +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/aesni-intel_glue.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -1109,7 +1109,7 @@ static int __driver_rfc4106_decrypt(stru + src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); + if (!src) + return -ENOMEM; +- assoc = (src + req->cryptlen + auth_tag_len); ++ assoc = (src + req->cryptlen); + scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); + scatterwalk_map_and_copy(assoc, req->assoc, 0, + req->assoclen, 0); +@@ -1134,7 +1134,7 @@ static int __driver_rfc4106_decrypt(stru + scatterwalk_done(&src_sg_walk, 0, 0); + scatterwalk_done(&assoc_sg_walk, 0, 0); + } else { +- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); ++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); + kfree(src); + } + return retval; diff --git a/queue-3.14/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch b/queue-3.14/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch new file mode 100644 index 00000000000..d486beddfca --- /dev/null +++ b/queue-3.14/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch @@ -0,0 +1,124 @@ +From 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 26 Feb 2015 07:22:05 +0000 +Subject: crypto: arm/aes update NEON AES module to latest OpenSSL version + +From: Ard Biesheuvel + +commit 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed upstream. + +This updates the bit sliced AES module to the latest version in the +upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a +bug in the XTS decryption path, where data chunked in a certain way +could trigger the ciphertext stealing code, which is not supposed to +be active in the kernel build (The kernel implementation of XTS only +supports round multiples of the AES block size of 16 bytes, whereas +the conformant OpenSSL implementation of XTS supports inputs of +arbitrary size by applying ciphertext stealing). This is fixed in +the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK +around the offending instructions. + +The upstream code also contains the change applied by Russell to +build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7, +but implemented slightly differently. + +Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") +Reported-by: Adrian Kotelba +Signed-off-by: Ard Biesheuvel +Tested-by: Milan Broz +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/crypto/aesbs-core.S_shipped | 12 ++++++++---- + arch/arm/crypto/bsaes-armv7.pl | 12 ++++++++---- + 2 files changed, 16 insertions(+), 8 deletions(-) + +--- a/arch/arm/crypto/aesbs-core.S_shipped ++++ b/arch/arm/crypto/aesbs-core.S_shipped +@@ -58,14 +58,18 @@ + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -74,8 +78,6 @@ + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt: + vld1.8 {q8}, [r0] @ initial tweak + adr r2, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst r9, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne r9, #0x10 @ subtract another 16 bytes ++#endif + subs r9, #0x80 + + blo .Lxts_dec_short +--- a/arch/arm/crypto/bsaes-armv7.pl ++++ b/arch/arm/crypto/bsaes-armv7.pl +@@ -701,14 +701,18 @@ $code.=<<___; + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -717,8 +721,6 @@ $code.=<<___; + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt: + vld1.8 {@XMM[8]}, [r0] @ initial tweak + adr $magic, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst $len, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne $len, #0x10 @ subtract another 16 bytes ++#endif + subs $len, #0x80 + + blo .Lxts_dec_short diff --git a/queue-3.14/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch b/queue-3.14/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch new file mode 100644 index 00000000000..c0673f7c138 --- /dev/null +++ b/queue-3.14/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch @@ -0,0 +1,49 @@ +From 528c943f3bb919aef75ab2fff4f00176f09a4019 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sat, 21 Feb 2015 21:03:10 +0200 +Subject: ipvs: add missing ip_vs_pe_put in sync code + +From: Julian Anastasov + +commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream. + +ip_vs_conn_fill_param_sync() gets in param.pe a module +reference for persistence engine from __ip_vs_pe_getbyname() +but forgets to put it. Problem occurs in backup for +sync protocol v1 (2.6.39). + +Also, pe_data usually comes in sync messages for +connection templates and ip_vs_conn_new() copies +the pointer only in this case. Make sure pe_data +is not leaked if it comes unexpectedly for normal +connections. Leak can happen only if bogus messages +are sent to backup server. + +Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability") +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_sync.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -891,6 +891,8 @@ static void ip_vs_proc_conn(struct net * + IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); + return; + } ++ if (!(flags & IP_VS_CONN_F_TEMPLATE)) ++ kfree(param->pe_data); + } + + if (opt) +@@ -1164,6 +1166,7 @@ static inline int ip_vs_proc_sync_conn(s + (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL) + ); + #endif ++ ip_vs_pe_put(param.pe); + return 0; + /* Error exit */ + out: diff --git a/queue-3.14/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch b/queue-3.14/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch new file mode 100644 index 00000000000..7bbe31e8c28 --- /dev/null +++ b/queue-3.14/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch @@ -0,0 +1,127 @@ +From 579eb62ac35845686a7c4286c0a820b4eb1f96aa Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Thu, 18 Dec 2014 22:41:23 +0200 +Subject: ipvs: rerouting to local clients is not needed anymore + +From: Julian Anastasov + +commit 579eb62ac35845686a7c4286c0a820b4eb1f96aa upstream. + +commit f5a41847acc5 ("ipvs: move ip_route_me_harder for ICMP") +from 2.6.37 introduced ip_route_me_harder() call for responses to +local clients, so that we can provide valid rt_src after SNAT. +It was used by TCP to provide valid daddr for ip_send_reply(). +After commit 0a5ebb8000c5 ("ipv4: Pass explicit daddr arg to +ip_send_reply()." from 3.0 this rerouting is not needed anymore +and should be avoided, especially in LOCAL_IN. + +Fixes 3.12.33 crash in xfrm reported by Florian Wiessner: +"3.12.33 - BUG xfrm_selector_match+0x25/0x2f6" + +Reported-by: Smart Weblications GmbH - Florian Wiessner +Tested-by: Smart Weblications GmbH - Florian Wiessner +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_core.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -658,16 +658,24 @@ static inline int ip_vs_gather_frags(str + return err; + } + +-static int ip_vs_route_me_harder(int af, struct sk_buff *skb) ++static int ip_vs_route_me_harder(int af, struct sk_buff *skb, ++ unsigned int hooknum) + { ++ if (!sysctl_snat_reroute(skb)) ++ return 0; ++ /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */ ++ if (NF_INET_LOCAL_IN == hooknum) ++ return 0; + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && ++ ip6_route_me_harder(skb) != 0) + return 1; + } else + #endif +- if ((sysctl_snat_reroute(skb) || +- skb_rtable(skb)->rt_flags & RTCF_LOCAL) && ++ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && + ip_route_me_harder(skb, RTN_LOCAL) != 0) + return 1; + +@@ -790,7 +798,8 @@ static int handle_response_icmp(int af, + union nf_inet_addr *snet, + __u8 protocol, struct ip_vs_conn *cp, + struct ip_vs_protocol *pp, +- unsigned int offset, unsigned int ihl) ++ unsigned int offset, unsigned int ihl, ++ unsigned int hooknum) + { + unsigned int verdict = NF_DROP; + +@@ -820,7 +829,7 @@ static int handle_response_icmp(int af, + #endif + ip_vs_nat_icmp(skb, pp, cp, 1); + +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto out; + + /* do the statistics and put it back */ +@@ -915,7 +924,7 @@ static int ip_vs_out_icmp(struct sk_buff + + snet.ip = iph->saddr; + return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, +- pp, ciph.len, ihl); ++ pp, ciph.len, ihl, hooknum); + } + + #ifdef CONFIG_IP_VS_IPV6 +@@ -980,7 +989,8 @@ static int ip_vs_out_icmp_v6(struct sk_b + snet.in6 = ciph.saddr.in6; + writable = ciph.len; + return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp, +- pp, writable, sizeof(struct ipv6hdr)); ++ pp, writable, sizeof(struct ipv6hdr), ++ hooknum); + } + #endif + +@@ -1039,7 +1049,8 @@ static inline bool is_new_conn(const str + */ + static unsigned int + handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, +- struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) ++ struct ip_vs_conn *cp, struct ip_vs_iphdr *iph, ++ unsigned int hooknum) + { + struct ip_vs_protocol *pp = pd->pp; + +@@ -1077,7 +1088,7 @@ handle_response(int af, struct sk_buff * + * if it came from this machine itself. So re-compute + * the routing information. + */ +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto drop; + + IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); +@@ -1180,7 +1191,7 @@ ip_vs_out(unsigned int hooknum, struct s + cp = pp->conn_out_get(af, skb, &iph, 0); + + if (likely(cp)) +- return handle_response(af, skb, pd, cp, &iph); ++ return handle_response(af, skb, pd, cp, &iph, hooknum); + if (sysctl_nat_icmp_send(net) && + (pp->protocol == IPPROTO_TCP || + pp->protocol == IPPROTO_UDP || diff --git a/queue-3.14/libsas-fix-kernel-crash-in-smp_execute_task.patch b/queue-3.14/libsas-fix-kernel-crash-in-smp_execute_task.patch new file mode 100644 index 00000000000..1c6b4b51361 --- /dev/null +++ b/queue-3.14/libsas-fix-kernel-crash-in-smp_execute_task.patch @@ -0,0 +1,97 @@ +From 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Wed, 4 Mar 2015 16:18:33 -0800 +Subject: libsas: Fix Kernel Crash in smp_execute_task + +From: James Bottomley + +commit 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 upstream. + +This crash was reported: + +[ 366.947370] sd 3:0:1:0: [sdb] Spinning up disk.... +[ 368.804046] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 368.804072] IP: [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.804098] PGD 0 +[ 368.804114] Oops: 0002 [#1] SMP +[ 368.804143] CPU 1 +[ 368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common +[ 368.804749] +[ 368.804764] Pid: 392, comm: kworker/u:3 Tainted: P W O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920 +[ 368.804802] RIP: 0010:[] [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.804827] RSP: 0018:ffff880117001cc0 EFLAGS: 00010246 +[ 368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420 +[ 368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4 +[ 368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe +[ 368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4 +[ 368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8 +[ 368.804916] FS: 0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000 +[ 368.804931] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0 +[ 368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0) +[ 368.805009] Stack: +[ 368.805017] ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c +[ 368.805062] 000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000 +[ 368.805100] ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac +[ 368.805135] Call Trace: +[ 368.805153] [] ? up+0xb/0x33 +[ 368.805168] [] ? mutex_lock+0x16/0x25 +[ 368.805194] [] ? smp_execute_task+0x4e/0x222 [libsas] +[ 368.805217] [] ? sas_find_bcast_dev+0x3c/0x15d [libsas] +[ 368.805240] [] ? sas_find_bcast_dev+0x6f/0x15d [libsas] +[ 368.805264] [] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas] +[ 368.805280] [] ? printk+0x43/0x48 +[ 368.805296] [] ? _raw_spin_unlock_irqrestore+0xc/0xd +[ 368.805318] [] ? sas_revalidate_domain+0x85/0xb6 [libsas] +[ 368.805336] [] ? process_one_work+0x151/0x27c +[ 368.805351] [] ? worker_thread+0xbb/0x152 +[ 368.805366] [] ? manage_workers.isra.29+0x163/0x163 +[ 368.805382] [] ? kthread+0x79/0x81 +[ 368.805399] [] ? kernel_thread_helper+0x4/0x10 +[ 368.805416] [] ? kthread_flush_work_fn+0x9/0x9 +[ 368.805431] [] ? gs_change+0x13/0x13 +[ 368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41 +[ 368.805851] RIP [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.805877] RSP +[ 368.805886] CR2: 0000000000000000 +[ 368.805899] ---[ end trace b720682065d8f4cc ]--- + +It's directly caused by 89d3cf6 [SCSI] libsas: add mutex for SMP task +execution, but shows a deeper cause: expander functions expect to be able to +cast to and treat domain devices as expanders. The correct fix is to only do +expander discover when we know we've got an expander device to avoid wrongly +casting a non-expander device. + +Reported-by: Praveen Murali +Tested-by: Praveen Murali +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libsas/sas_discover.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct + struct sas_discovery_event *ev = to_sas_discovery_event(work); + struct asd_sas_port *port = ev->port; + struct sas_ha_struct *ha = port->ha; ++ struct domain_device *ddev = port->port_dev; + + /* prevent revalidation from finding sata links in recovery */ + mutex_lock(&ha->disco_mutex); +@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct + SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id, + task_pid_nr(current)); + +- if (port->port_dev) +- res = sas_ex_revalidate_domain(port->port_dev); ++ if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE || ++ ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE)) ++ res = sas_ex_revalidate_domain(ddev); + + SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n", + port->id, task_pid_nr(current), res); diff --git a/queue-3.14/netfilter-nft_compat-fix-module-refcount-underflow.patch b/queue-3.14/netfilter-nft_compat-fix-module-refcount-underflow.patch new file mode 100644 index 00000000000..8633aa00a1b --- /dev/null +++ b/queue-3.14/netfilter-nft_compat-fix-module-refcount-underflow.patch @@ -0,0 +1,61 @@ +From 520aa7414bb590f39d0d1591b06018e60cbc7cf4 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 12 Feb 2015 22:15:31 +0100 +Subject: netfilter: nft_compat: fix module refcount underflow + +From: Pablo Neira Ayuso + +commit 520aa7414bb590f39d0d1591b06018e60cbc7cf4 upstream. + +Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------ +Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba() +Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G W 3.19.0-rc6+ #43 +[...] +Feb 12 18:20:42 nfdev kernel: Call Trace: +Feb 12 18:20:42 nfdev kernel: [] dump_stack+0x4c/0x65 +Feb 12 18:20:42 nfdev kernel: [] warn_slowpath_common+0x9c/0xb6 +Feb 12 18:20:42 nfdev kernel: [] ? module_put+0x9b/0xba +Feb 12 18:20:42 nfdev kernel: [] warn_slowpath_null+0x15/0x17 +Feb 12 18:20:42 nfdev kernel: [] module_put+0x9b/0xba +Feb 12 18:20:42 nfdev kernel: [] nft_match_destroy+0x45/0x4c +Feb 12 18:20:42 nfdev kernel: [] nf_tables_rule_destroy+0x28/0x70 + +Reported-by: Arturo Borrero Gonzalez +Signed-off-by: Pablo Neira Ayuso +Tested-by: Arturo Borrero Gonzalez +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_compat.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -611,8 +611,12 @@ nft_match_select_ops(const struct nft_ct + struct xt_match *match = nft_match->ops.data; + + if (strcmp(match->name, mt_name) == 0 && +- match->revision == rev && match->family == family) ++ match->revision == rev && match->family == family) { ++ if (!try_module_get(match->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_match->ops; ++ } + } + + match = xt_request_find_match(family, mt_name, rev); +@@ -682,8 +686,12 @@ nft_target_select_ops(const struct nft_c + struct xt_target *target = nft_target->ops.data; + + if (strcmp(target->name, tg_name) == 0 && +- target->revision == rev && target->family == family) ++ target->revision == rev && target->family == family) { ++ if (!try_module_get(target->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_target->ops; ++ } + } + + target = xt_request_find_target(family, tg_name, rev); diff --git a/queue-3.14/netfilter-xt_socket-fix-a-stack-corruption-bug.patch b/queue-3.14/netfilter-xt_socket-fix-a-stack-corruption-bug.patch new file mode 100644 index 00000000000..dc3e54f7365 --- /dev/null +++ b/queue-3.14/netfilter-xt_socket-fix-a-stack-corruption-bug.patch @@ -0,0 +1,85 @@ +From 78296c97ca1fd3b104f12e1f1fbc06c46635990b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sun, 15 Feb 2015 19:03:45 -0800 +Subject: netfilter: xt_socket: fix a stack corruption bug + +From: Eric Dumazet + +commit 78296c97ca1fd3b104f12e1f1fbc06c46635990b upstream. + +As soon as extract_icmp6_fields() returns, its local storage (automatic +variables) is deallocated and can be overwritten. + +Lets add an additional parameter to make sure storage is valid long +enough. + +While we are at it, adds some const qualifiers. + +Signed-off-by: Eric Dumazet +Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_socket.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -243,12 +243,13 @@ static int + extract_icmp6_fields(const struct sk_buff *skb, + unsigned int outside_hdrlen, + int *protocol, +- struct in6_addr **raddr, +- struct in6_addr **laddr, ++ const struct in6_addr **raddr, ++ const struct in6_addr **laddr, + __be16 *rport, +- __be16 *lport) ++ __be16 *lport, ++ struct ipv6hdr *ipv6_var) + { +- struct ipv6hdr *inside_iph, _inside_iph; ++ const struct ipv6hdr *inside_iph; + struct icmp6hdr *icmph, _icmph; + __be16 *ports, _ports[2]; + u8 inside_nexthdr; +@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buf + if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK) + return 1; + +- inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph); ++ inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), ++ sizeof(*ipv6_var), ipv6_var); + if (inside_iph == NULL) + return 1; + inside_nexthdr = inside_iph->nexthdr; + +- inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), ++ inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + ++ sizeof(*ipv6_var), + &inside_nexthdr, &inside_fragoff); + if (inside_hdrlen < 0) + return 1; /* hjm: Packet has no/incomplete transport layer headers. */ +@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, c + static bool + socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par) + { +- struct ipv6hdr *iph = ipv6_hdr(skb); ++ struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb); + struct udphdr _hdr, *hp = NULL; + struct sock *sk = skb->sk; +- struct in6_addr *daddr = NULL, *saddr = NULL; ++ const struct in6_addr *daddr = NULL, *saddr = NULL; + __be16 uninitialized_var(dport), uninitialized_var(sport); + int thoff = 0, uninitialized_var(tproto); + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; +@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *s + + } else if (tproto == IPPROTO_ICMPV6) { + if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr, +- &sport, &dport)) ++ &sport, &dport, &ipv6_var)) + return false; + } else { + return false; diff --git a/queue-3.14/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch b/queue-3.14/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch new file mode 100644 index 00000000000..336aae9935d --- /dev/null +++ b/queue-3.14/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch @@ -0,0 +1,45 @@ +From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Mon, 9 Mar 2015 23:11:12 +0200 +Subject: pagemap: do not leak physical addresses to non-privileged userspace + +From: "Kirill A. Shutemov" + +commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream. + +As pointed by recent post[1] on exploiting DRAM physical imperfection, +/proc/PID/pagemap exposes sensitive information which can be used to do +attacks. + +This disallows anybody without CAP_SYS_ADMIN to read the pagemap. + +[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html + +[ Eventually we might want to do anything more finegrained, but for now + this is the simple model. - Linus ] + +Signed-off-by: Kirill A. Shutemov +Acked-by: Konstantin Khlebnikov +Acked-by: Andy Lutomirski +Cc: Pavel Emelyanov +Cc: Andrew Morton +Cc: Mark Seaborn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/task_mmu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1227,6 +1227,9 @@ out: + + static int pagemap_open(struct inode *inode, struct file *file) + { ++ /* do not disclose physical addresses: attack vector */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about " + "to stop being page-shift some time soon. See the " + "linux/Documentation/vm/pagemap.txt for details.\n"); diff --git a/queue-3.14/series b/queue-3.14/series index 44779129724..f948ae530c4 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -51,3 +51,16 @@ regulator-only-enable-disabled-regulators-on-resume.patch regulator-core-fix-enable-gpio-reference-counting.patch nilfs2-fix-deadlock-of-segment-constructor-during-recovery.patch drm-vmwgfx-reorder-device-takedown-somewhat.patch +xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch +xen-pciback-limit-guest-control-of-command-register.patch +libsas-fix-kernel-crash-in-smp_execute_task.patch +pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch +crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch +crypto-aesni-fix-memory-usage-in-gcm-decryption.patch +x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch +x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch +x86-vdso-fix-the-build-on-gcc5.patch +ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch +ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch +netfilter-nft_compat-fix-module-refcount-underflow.patch +netfilter-xt_socket-fix-a-stack-corruption-bug.patch diff --git a/queue-3.14/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch b/queue-3.14/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch new file mode 100644 index 00000000000..9e6d5723705 --- /dev/null +++ b/queue-3.14/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch @@ -0,0 +1,87 @@ +From a7c80ebcac3068b1c3cb27d538d29558c30010c8 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Mar 2015 09:53:09 +0100 +Subject: x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() + +From: Oleg Nesterov + +commit a7c80ebcac3068b1c3cb27d538d29558c30010c8 upstream. + +math_state_restore() assumes it is called with irqs disabled, +but this is not true if the caller is __restore_xstate_sig(). + +This means that if ia32_fxstate == T and __copy_from_user() +fails, __restore_xstate_sig() returns with irqs disabled too. + +This triggers: + + BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41 + dump_stack + ___might_sleep + ? _raw_spin_unlock_irqrestore + __might_sleep + down_read + ? _raw_spin_unlock_irqrestore + print_vma_addr + signal_fault + sys32_rt_sigreturn + +Change __restore_xstate_sig() to call set_used_math() +unconditionally. This avoids enabling and disabling interrupts +in math_state_restore(). If copy_from_user() fails, we can +simply do fpu_finit() by hand. + +[ Note: this is only the first step. math_state_restore() should + not check used_math(), it should set this flag. While + init_fpu() should simply die. ] + +Signed-off-by: Oleg Nesterov +Signed-off-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Pekka Riikonen +Cc: Quentin Casasnovas +Cc: Rik van Riel +Cc: Suresh Siddha +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/xsave.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -375,7 +375,7 @@ int __restore_xstate_sig(void __user *bu + * thread's fpu state, reconstruct fxstate from the fsave + * header. Sanitize the copied state etc. + */ +- struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave; ++ struct fpu *fpu = &tsk->thread.fpu; + struct user_i387_ia32_struct env; + int err = 0; + +@@ -389,14 +389,15 @@ int __restore_xstate_sig(void __user *bu + */ + drop_fpu(tsk); + +- if (__copy_from_user(xsave, buf_fx, state_size) || ++ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) || + __copy_from_user(&env, buf, sizeof(env))) { ++ fpu_finit(fpu); + err = -1; + } else { + sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only); +- set_used_math(); + } + ++ set_used_math(); + if (use_eager_fpu()) { + preempt_disable(); + math_state_restore(); diff --git a/queue-3.14/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch b/queue-3.14/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch new file mode 100644 index 00000000000..0b02631e8e2 --- /dev/null +++ b/queue-3.14/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch @@ -0,0 +1,50 @@ +From f4c3686386393c120710dd34df2a74183ab805fd Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Mar 2015 09:53:10 +0100 +Subject: x86/fpu: Drop_fpu() should not assume that tsk equals current + +From: Oleg Nesterov + +commit f4c3686386393c120710dd34df2a74183ab805fd upstream. + +drop_fpu() does clear_used_math() and usually this is correct +because tsk == current. + +However switch_fpu_finish()->restore_fpu_checking() is called before +__switch_to() updates the "current_task" variable. If it fails, +we will wrongly clear the PF_USED_MATH flag of the previous task. + +So use clear_stopped_child_used_math() instead. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Borislav Petkov +Reviewed-by: Rik van Riel +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Pekka Riikonen +Cc: Quentin Casasnovas +Cc: Suresh Siddha +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/fpu-internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/fpu-internal.h ++++ b/arch/x86/include/asm/fpu-internal.h +@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_ + preempt_disable(); + tsk->thread.fpu_counter = 0; + __drop_fpu(tsk); +- clear_used_math(); ++ clear_stopped_child_used_math(tsk); + preempt_enable(); + } + diff --git a/queue-3.14/x86-vdso-fix-the-build-on-gcc5.patch b/queue-3.14/x86-vdso-fix-the-build-on-gcc5.patch new file mode 100644 index 00000000000..0e06df8ef7c --- /dev/null +++ b/queue-3.14/x86-vdso-fix-the-build-on-gcc5.patch @@ -0,0 +1,62 @@ +From e893286918d2cde3a94850d8f7101cd1039e0c62 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Thu, 5 Mar 2015 09:13:31 +0100 +Subject: x86/vdso: Fix the build on GCC5 + +From: Jiri Slaby + +commit e893286918d2cde3a94850d8f7101cd1039e0c62 upstream. + +On gcc5 the kernel does not link: + + ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670. + +Because prior GCC versions always emitted NOPs on ALIGN directives, but +gcc5 started omitting them. + +.LSTARTFDEDLSI1 says: + + /* HACK: The dwarf2 unwind routines will subtract 1 from the + return address to get an address in the middle of the + presumed call instruction. Since we didn't get here via + a call, we need to include the nop before the real start + to make up for it. */ + .long .LSTART_sigreturn-1-. /* PC-relative start address */ + +But commit 69d0627a7f6e ("x86 vDSO: reorder vdso32 code") from 2.6.25 +replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before +__kernel_sigreturn. + +Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses +vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN". + +So fix this by adding to that point at least a single NOP and make the +function ALIGN possibly with more NOPs then. + +Kudos for reporting and diagnosing should go to Richard. + +Reported-by: Richard Biener +Signed-off-by: Jiri Slaby +Acked-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/vdso/vdso32/sigreturn.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/vdso/vdso32/sigreturn.S ++++ b/arch/x86/vdso/vdso32/sigreturn.S +@@ -17,6 +17,7 @@ + .text + .globl __kernel_sigreturn + .type __kernel_sigreturn,@function ++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */ + ALIGN + __kernel_sigreturn: + .LSTART_sigreturn: diff --git a/queue-3.14/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch b/queue-3.14/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch new file mode 100644 index 00000000000..cbc9fbe16ae --- /dev/null +++ b/queue-3.14/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch @@ -0,0 +1,65 @@ +From 85e40b0539b24518c8bdf63e2605c8522377d00f Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 26 Feb 2015 06:52:05 +0100 +Subject: xen/events: avoid NULL pointer dereference in dom0 on large machines + +From: Juergen Gross + +commit 85e40b0539b24518c8bdf63e2605c8522377d00f upstream. + +Using the pvops kernel a NULL pointer dereference was detected on a +large machine (144 processors) when booting as dom0 in +evtchn_fifo_unmask() during assignment of a pirq. + +The event channel in question was the first to need a new entry in +event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup() +is called with evtchn being 0 for a new pirq and the real event channel +number is assigned to the pirq only during __startup_pirq(). + +It is mandatory to call xen_evtchn_port_setup() after assigning the +event channel number to the pirq to make sure all memory needed for the +event channel is allocated. + +Signed-off-by: Juergen Gross +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/events/events_base.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -547,20 +547,26 @@ static unsigned int __startup_pirq(unsig + pirq_query_unmask(irq); + + rc = set_evtchn_to_irq(evtchn, irq); +- if (rc != 0) { +- pr_err("irq%d: Failed to set port to irq mapping (%d)\n", +- irq, rc); +- xen_evtchn_close(evtchn); +- return 0; +- } ++ if (rc) ++ goto err; ++ + bind_evtchn_to_cpu(evtchn, 0); + info->evtchn = evtchn; + ++ rc = xen_evtchn_port_setup(info); ++ if (rc) ++ goto err; ++ + out: + unmask_evtchn(evtchn); + eoi_pirq(irq_get_irq_data(irq)); + + return 0; ++ ++err: ++ pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc); ++ xen_evtchn_close(evtchn); ++ return 0; + } + + static unsigned int startup_pirq(struct irq_data *data) diff --git a/queue-3.14/xen-pciback-limit-guest-control-of-command-register.patch b/queue-3.14/xen-pciback-limit-guest-control-of-command-register.patch new file mode 100644 index 00000000000..89240bc1564 --- /dev/null +++ b/queue-3.14/xen-pciback-limit-guest-control-of-command-register.patch @@ -0,0 +1,154 @@ +From af6fc858a35b90e89ea7a7ee58e66628c55c776b Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 11 Mar 2015 13:51:17 +0000 +Subject: xen-pciback: limit guest control of command register + +From: Jan Beulich + +commit af6fc858a35b90e89ea7a7ee58e66628c55c776b upstream. + +Otherwise the guest can abuse that control to cause e.g. PCIe +Unsupported Request responses by disabling memory and/or I/O decoding +and subsequently causing (CPU side) accesses to the respective address +ranges, which (depending on system configuration) may be fatal to the +host. + +Note that to alter any of the bits collected together as +PCI_COMMAND_GUEST permissive mode is now required to be enabled +globally or on the specific device. + +This is CVE-2015-2150 / XSA-120. + +Signed-off-by: Jan Beulich +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-pciback/conf_space.c | 2 + drivers/xen/xen-pciback/conf_space.h | 2 + drivers/xen/xen-pciback/conf_space_header.c | 59 ++++++++++++++++++++++------ + 3 files changed, 50 insertions(+), 13 deletions(-) + +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -16,7 +16,7 @@ + #include "conf_space.h" + #include "conf_space_quirks.h" + +-static bool permissive; ++bool permissive; + module_param(permissive, bool, 0644); + + /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word, +--- a/drivers/xen/xen-pciback/conf_space.h ++++ b/drivers/xen/xen-pciback/conf_space.h +@@ -64,6 +64,8 @@ struct config_field_entry { + void *data; + }; + ++extern bool permissive; ++ + #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset) + + /* Add fields to a device - the add_fields macro expects to get a pointer to +--- a/drivers/xen/xen-pciback/conf_space_header.c ++++ b/drivers/xen/xen-pciback/conf_space_header.c +@@ -11,6 +11,10 @@ + #include "pciback.h" + #include "conf_space.h" + ++struct pci_cmd_info { ++ u16 val; ++}; ++ + struct pci_bar_info { + u32 val; + u32 len_val; +@@ -20,22 +24,36 @@ struct pci_bar_info { + #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO)) + #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER) + +-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++/* Bits guests are allowed to control in permissive mode. */ ++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \ ++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \ ++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK) ++ ++static void *command_init(struct pci_dev *dev, int offset) + { +- int i; +- int ret; ++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ int err; + +- ret = xen_pcibk_read_config_word(dev, offset, value, data); +- if (!pci_is_enabled(dev)) +- return ret; +- +- for (i = 0; i < PCI_ROM_RESOURCE; i++) { +- if (dev->resource[i].flags & IORESOURCE_IO) +- *value |= PCI_COMMAND_IO; +- if (dev->resource[i].flags & IORESOURCE_MEM) +- *value |= PCI_COMMAND_MEMORY; ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); ++ ++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val); ++ if (err) { ++ kfree(cmd); ++ return ERR_PTR(err); + } + ++ return cmd; ++} ++ ++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++{ ++ int ret = pci_read_config_word(dev, offset, value); ++ const struct pci_cmd_info *cmd = data; ++ ++ *value &= PCI_COMMAND_GUEST; ++ *value |= cmd->val & ~PCI_COMMAND_GUEST; ++ + return ret; + } + +@@ -43,6 +61,8 @@ static int command_write(struct pci_dev + { + struct xen_pcibk_dev_data *dev_data; + int err; ++ u16 val; ++ struct pci_cmd_info *cmd = data; + + dev_data = pci_get_drvdata(dev); + if (!pci_is_enabled(dev) && is_enable_cmd(value)) { +@@ -83,6 +103,19 @@ static int command_write(struct pci_dev + } + } + ++ cmd->val = value; ++ ++ if (!permissive && (!dev_data || !dev_data->permissive)) ++ return 0; ++ ++ /* Only allow the guest to control certain bits. */ ++ err = pci_read_config_word(dev, offset, &val); ++ if (err || val == value) ++ return err; ++ ++ value &= PCI_COMMAND_GUEST; ++ value |= val & ~PCI_COMMAND_GUEST; ++ + return pci_write_config_word(dev, offset, value); + } + +@@ -282,6 +315,8 @@ static const struct config_field header_ + { + .offset = PCI_COMMAND, + .size = 2, ++ .init = command_init, ++ .release = bar_release, + .u.w.read = command_read, + .u.w.write = command_write, + },