From: Greg Kroah-Hartman Date: Sat, 8 Nov 2014 00:41:30 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.60~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=472958ac70b813e098153b2b00c82f7d17cdeeb7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch --- diff --git a/queue-3.10/series b/queue-3.10/series index 8f8a4fcd7fa..f1b39841a68 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -19,3 +19,5 @@ x86-fpu-__restore_xstate_sig-math_state_restore-needs-preempt_disable.patch x86-fpu-shift-drop_init_fpu-from-save_xstate_sig-to-handle_signal.patch x86-flags-rename-x86_eflags_bit1-to-x86_eflags_fixed.patch x86_64-entry-filter-rflags.nt-on-entry-from-userspace.patch +x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch +x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch diff --git a/queue-3.10/x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch b/queue-3.10/x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch new file mode 100644 index 00000000000..de38f2d2e2d --- /dev/null +++ b/queue-3.10/x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch 
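Review bot: the queue order here is the right one, and worth keeping when the series is next reshuffled: x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch is appended directly after x86_64-entry-filter-rflags.nt-on-entry-from-userspace.patch, which is the commit its Fixes: tag names, so no build in the 3.10 queue carries the NT filter without the offset correction. The pageattr patch is independent of both and can sit anywhere in the series.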
@@ -0,0 +1,50 @@ +From d1cd1210834649ce1ca6bafe5ac25d2f40331343 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Wed, 29 Oct 2014 03:53:37 -0700 +Subject: x86, pageattr: Prevent overflow in slow_virt_to_phys() for X86_PAE + +From: Dexuan Cui + +commit d1cd1210834649ce1ca6bafe5ac25d2f40331343 upstream. + +pte_pfn() returns a PFN of long (32 bits in 32-PAE), so "long << +PAGE_SHIFT" will overflow for PFNs above 4GB. + +Due to this issue, some Linux 32-PAE distros, running as guests on Hyper-V, +with 5GB memory assigned, can't load the netvsc driver successfully and +hence the synthetic network device can't work (we can use the kernel parameter +mem=3000M to work around the issue). + +Cast pte_pfn() to phys_addr_t before shifting. + +Fixes: "commit d76565344512: x86, mm: Create slow_virt_to_phys()" +Signed-off-by: Dexuan Cui +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Cc: gregkh@linuxfoundation.org +Cc: linux-mm@kvack.org +Cc: olaf@aepfle.de +Cc: apw@canonical.com +Cc: jasowang@redhat.com +Cc: dave.hansen@intel.com +Cc: riel@redhat.com +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/1414580017-27444-1-git-send-email-decui@microsoft.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/pageattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -389,7 +389,7 @@ phys_addr_t slow_virt_to_phys(void *__vi + psize = page_level_size(level); + pmask = page_level_mask(level); + offset = virt_addr & ~pmask; +- phys_addr = pte_pfn(*pte) << PAGE_SHIFT; ++ phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT; + return (phys_addr | offset); + } + EXPORT_SYMBOL_GPL(slow_virt_to_phys); diff --git a/queue-3.10/x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch b/queue-3.10/x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch new file mode 100644 index 00000000000..3088194e96c --- /dev/null +++ b/queue-3.10/x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch 
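Review bot: the cast on the `+ phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;` line is the correct minimal fix for this site (the shift now happens in 64-bit arithmetic on a PAE kernel), but the commit message's `Fixes: "commit d76565344512: x86, mm: Create slow_virt_to_phys()"` does not follow the `Fixes: <12-char sha> ("subject")` form that stable tooling parses; `Fixes: d76565344512 ("x86, mm: Create slow_virt_to_phys()")` would be the conventional line. The surrounding `offset = virt_addr & ~pmask;` and `return (phys_addr | offset);` lines are fine as they are: offset is below the page size, so ORing an unsigned long into the widened phys_addr cannot reintroduce the truncation. It is also worth grepping the tree for other `pfn << PAGE_SHIFT` results assigned to phys_addr_t, since the same pattern truncates the same way on any 32-bit build with 64-bit physical addresses.

The truncation the commit message describes, as an added example that is not part of the patch or the kernel source: on a 32-bit PAE kernel `unsigned long` is 32 bits wide while `phys_addr_t` is 64 bits, so `pfn << PAGE_SHIFT` is evaluated in 32 bits and the high bits are lost before the assignment widens it. The code below emulates that on a 64-bit host by using `uint32_t` in place of the kernel's `unsigned long` and `uint64_t` for `phys_addr_t`; the PFN, offset and macro names are chosen for the illustration and are assumptions, not values taken from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for the illustration: x86 4 KiB pages. */
#define PAGE_SHIFT 12

/* Emulate the 32-bit PAE kernel's types on a 64-bit host. */
typedef uint32_t pae_ulong;   /* the kernel's 'unsigned long' on 32-bit */
typedef uint64_t phys_addr_t; /* 64-bit physical addresses under PAE */

/* Behaviour of the line before the patch:
 *   phys_addr = pte_pfn(*pte) << PAGE_SHIFT;
 * The shift is done in 32-bit arithmetic (unsigned, so it wraps
 * mod 2^32) and only the truncated result is widened to phys_addr_t. */
phys_addr_t pfn_to_phys_buggy(pae_ulong pfn, pae_ulong offset)
{
    pae_ulong shifted = pfn << PAGE_SHIFT; /* bits above 31 are lost here */
    phys_addr_t phys = shifted;
    return phys | offset;
}

/* Behaviour of the line after the patch:
 *   phys_addr = (phys_addr_t)pte_pfn(*pte) << PAGE_SHIFT;
 * Widening first makes the shift a 64-bit operation. */
phys_addr_t pfn_to_phys_fixed(pae_ulong pfn, pae_ulong offset)
{
    phys_addr_t phys = (phys_addr_t)pfn << PAGE_SHIFT;
    return phys | offset;
}

/* A PFN whose page lies at or above 4 GiB (pfn >= 2^20 with 4 KiB pages)
 * cannot survive a 32-bit shift; this is the check a reviewer would
 * apply to any 'pfn << PAGE_SHIFT' expression on a 32-bit PAE build. */
int pfn_shift_overflows_32bit(pae_ulong pfn)
{
    return pfn >= ((pae_ulong)1 << (32 - PAGE_SHIFT));
}

int main(void)
{
    /* Constructed input: a page just inside a 5 GiB guest, the case the
     * commit message describes (4 GiB + 1 GiB => PFN 0x140000). */
    pae_ulong pfn = 0x140000;
    pae_ulong offset = 0x10;

    printf("pfn 0x%x overflows 32-bit shift: %d\n",
           pfn, pfn_shift_overflows_32bit(pfn));
    printf("buggy: 0x%llx\n",
           (unsigned long long)pfn_to_phys_buggy(pfn, offset));
    printf("fixed: 0x%llx\n",
           (unsigned long long)pfn_to_phys_fixed(pfn, offset));
    return 0;
}
```

For a PFN below 4 GiB both paths agree, which is why the bug only shows up on guests given more than 4 GiB of RAM; for the 5 GiB case the buggy path returns an address 4 GiB too low, which is exactly the kind of silent wrong-answer that a `mem=3000M` workaround hides rather than fixes.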
@@ -0,0 +1,45 @@ +From 653bc77af60911ead1f423e588f54fc2547c4957 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Fri, 31 Oct 2014 18:08:45 -0700 +Subject: x86_64, entry: Fix out of bounds read on sysenter + +From: Andy Lutomirski + +commit 653bc77af60911ead1f423e588f54fc2547c4957 upstream. + +Rusty noticed a Really Bad Bug (tm) in my NT fix. The entry code +reads out of bounds, causing the NT fix to be unreliable. But, and +this is much, much worse, if your stack is somehow just below the +top of the direct map (or a hole), you read out of bounds and crash. + +Excerpt from the crash: + +[ 1.129513] RSP: 0018:ffff88001da4bf88 EFLAGS: 00010296 + + 2b:* f7 84 24 90 00 00 00 testl $0x4000,0x90(%rsp) + +That read is deterministically above the top of the stack. I +thought I even single-stepped through this code when I wrote it to +check the offset, but I clearly screwed it up. + +Fixes: 8c7aa698baca ("x86_64, entry: Filter RFLAGS.NT on entry from userspace") +Reported-by: Rusty Russell +Signed-off-by: Andy Lutomirski +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -157,7 +157,7 @@ ENTRY(ia32_sysenter_target) + * ourselves. To save a few cycles, we can check whether + * NT was set instead of doing an unconditional popfq. + */ +- testl $X86_EFLAGS_NT,EFLAGS(%rsp) /* saved EFLAGS match cpu */ ++ testl $X86_EFLAGS_NT,EFLAGS-ARGOFFSET(%rsp) + jnz sysenter_fix_flags + sysenter_flags_fixed: +
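Review bot: the replacement line `+ testl $X86_EFLAGS_NT,EFLAGS-ARGOFFSET(%rsp)` drops the `/* saved EFLAGS match cpu */` comment from the removed line and adds nothing in its place, so the next reader has to rediscover why the offset is adjusted here but was not in the original. A short comment on the new line stating that %rsp at this point addresses a partial frame, hence the `-ARGOFFSET`, would document the very mistake this patch corrects. The commit message's crash excerpt already shows the reasoning: the faulting instruction `testl $0x4000,0x90(%rsp)` uses the full-frame EFLAGS offset against a stack pointer that is ARGOFFSET short of that frame, so the read lands above the top of the stack. The jnz target and the `sysenter_flags_fixed:` label in the trailing context are untouched, so only the operand changes; good.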