From: Greg Kroah-Hartman Date: Thu, 29 Nov 2012 21:43:27 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.6.9~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc4fe0d85b306756bc36a8e5f790d407d39e0dd3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: ixgbe-add-support-for-x540-at1.patch kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch sata_svw-check-dma-start-bit-before-reset.patch --- diff --git a/queue-3.4/ixgbe-add-support-for-x540-at1.patch b/queue-3.4/ixgbe-add-support-for-x540-at1.patch new file mode 100644 index 00000000000..a3f76258ec0 --- /dev/null +++ b/queue-3.4/ixgbe-add-support-for-x540-at1.patch @@ -0,0 +1,72 @@ +From df376f0de167754da9b3ece4afdb5bb8bf3fbf3e Mon Sep 17 00:00:00 2001 +From: "joshua.a.hay@intel.com" +Date: Fri, 21 Sep 2012 00:08:21 +0000 +Subject: ixgbe: add support for X540-AT1 + +From: "joshua.a.hay@intel.com" + +commit df376f0de167754da9b3ece4afdb5bb8bf3fbf3e upstream. + +This patch adds device support for Ethernet Controller X540-AT1. + +Signed-off-by: Josh Hay +Tested-by: Phil Schmitt +Signed-off-by: Jeff Kirsher +Signed-off-by: Abdallah Chatila +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 1 + + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 1 + + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 ++ + drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 1 + + 4 files changed, 5 insertions(+) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +@@ -3216,6 +3216,7 @@ static s32 ixgbe_device_supports_autoneg + + switch (hw->device_id) { + case IXGBE_DEV_ID_X540T: ++ case IXGBE_DEV_ID_X540T1: + return 0; + case IXGBE_DEV_ID_82599_T3_LOM: + return 0; +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -2006,6 +2006,7 @@ static int ixgbe_wol_exclusion(struct ix + retval = 0; + break; + case IXGBE_DEV_ID_X540T: ++ case IXGBE_DEV_ID_X540T1: + /* check eeprom to see if enabled wol */ + if ((wol_cap == IXGBE_DEVICE_CAPS_WOL_PORT0_1) || + ((wol_cap == IXGBE_DEVICE_CAPS_WOL_PORT0) && +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -114,6 +114,7 @@ static DEFINE_PCI_DEVICE_TABLE(ixgbe_pci + {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_LS), board_82599 }, + {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599EN_SFP), board_82599 }, + {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_SFP_SF_QP), board_82599 }, ++ {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_X540T1), board_X540 }, + /* required last entry */ + {0, } + }; +@@ -7060,6 +7061,7 @@ static int __devinit ixgbe_probe(struct + adapter->wol = IXGBE_WUFC_MAG; + break; + case IXGBE_DEV_ID_X540T: ++ case IXGBE_DEV_ID_X540T1: + /* Check eeprom to see if it is enabled */ + hw->eeprom.ops.read(hw, 0x2c, &adapter->eeprom_cap); + wol_cap = adapter->eeprom_cap & IXGBE_DEVICE_CAPS_WOL_MASK; +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h +@@ -67,6 +67,7 @@ + #define IXGBE_DEV_ID_82599_LS 0x154F + #define IXGBE_DEV_ID_X540T 0x1528 + #define IXGBE_DEV_ID_82599_SFP_SF_QP 0x154A ++#define IXGBE_DEV_ID_X540T1 0x1560 + + /* VF Device IDs */ + #define IXGBE_DEV_ID_82599_VF 0x10ED diff --git a/queue-3.4/kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch b/queue-3.4/kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch new file mode 100644 index 00000000000..f3bcb6e1eaf --- /dev/null +++ b/queue-3.4/kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch @@ -0,0 +1,81 @@ +From 6d1068b3a98519247d8ba4ec85cd40ac136dbdf9 Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Tue, 6 Nov 2012 19:24:07 +0100 +Subject: KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461) + +From: Petr Matousek + +commit 6d1068b3a98519247d8ba4ec85cd40ac136dbdf9 upstream. + +On hosts without the XSAVE support unprivileged local user can trigger +oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest +cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN +ioctl. + +invalid opcode: 0000 [#2] SMP +Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables +... +Pid: 24935, comm: zoog_kvm_monito Tainted: G D 3.2.0-3-686-pae +EIP: 0060:[] EFLAGS: 00210246 CPU: 0 +EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] +EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000 +ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70 + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0 +task.ti=d7c62000) +Stack: + 00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000 + ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0 + c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80 +Call Trace: + [] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm] +... + [] ? syscall_call+0x7/0xb +Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74 +1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01 +d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89 +EIP: [] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP +0068:d7c63e70 + +QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID +and then sets them later. So guest's X86_FEATURE_XSAVE should be masked +out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with +X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with +X86_FEATURE_XSAVE even on hosts that do not support it, might be +susceptible to this attack from inside the guest as well. + +Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support. + +Signed-off-by: Petr Matousek +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/cpuid.h | 3 +++ + arch/x86/kvm/x86.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/arch/x86/kvm/cpuid.h ++++ b/arch/x86/kvm/cpuid.h +@@ -23,6 +23,9 @@ static inline bool guest_cpuid_has_xsave + { + struct kvm_cpuid_entry2 *best; + ++ if (!static_cpu_has(X86_FEATURE_XSAVE)) ++ return 0; ++ + best = kvm_find_cpuid_entry(vcpu, 1, 0); + return best && (best->ecx & bit(X86_FEATURE_XSAVE)); + } +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5697,6 +5697,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct + int pending_vec, max_bits, idx; + struct desc_ptr dt; + ++ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE)) ++ return -EINVAL; ++ + dt.size = sregs->idt.limit; + dt.address = sregs->idt.base; + kvm_x86_ops->set_idt(vcpu, &dt); diff --git a/queue-3.4/sata_svw-check-dma-start-bit-before-reset.patch b/queue-3.4/sata_svw-check-dma-start-bit-before-reset.patch new file mode 100644 index 00000000000..de9a62b0092 --- /dev/null +++ b/queue-3.4/sata_svw-check-dma-start-bit-before-reset.patch @@ -0,0 +1,85 @@ +From b03e66a6be91f8389fcd902ab6c1563db1c9c06b Mon Sep 17 00:00:00 2001 +From: David Milburn +Date: Mon, 29 Oct 2012 18:00:22 -0500 +Subject: sata_svw: check DMA start bit before reset + +From: David Milburn + +commit b03e66a6be91f8389fcd902ab6c1563db1c9c06b upstream. + +If kdump is triggered with pending IO, controller may not respond causing +kdump to fail. + +http://marc.info/?l=linux-ide&m=133032255424658&w=2 + +During error recovery ata_do_dev_read_id never completes due hang +in mmio_insw. + +ata_do_dev_read_id + ata_sff_data_xfer + ioread16_rep + mmio_insw + +if DMA start bit is cleared before reset, PIO command is successful +and kdump succeeds. + +Signed-off-by: David Milburn +Signed-off-by: Jeff Garzik +Cc: CAI Qian +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/sata_svw.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +--- a/drivers/ata/sata_svw.c ++++ b/drivers/ata/sata_svw.c +@@ -142,6 +142,39 @@ static int k2_sata_scr_write(struct ata_ + return 0; + } + ++static int k2_sata_softreset(struct ata_link *link, ++ unsigned int *class, unsigned long deadline) ++{ ++ u8 dmactl; ++ void __iomem *mmio = link->ap->ioaddr.bmdma_addr; ++ ++ dmactl = readb(mmio + ATA_DMA_CMD); ++ ++ /* Clear the start bit */ ++ if (dmactl & ATA_DMA_START) { ++ dmactl &= ~ATA_DMA_START; ++ writeb(dmactl, mmio + ATA_DMA_CMD); ++ } ++ ++ return ata_sff_softreset(link, class, deadline); ++} ++ ++static int k2_sata_hardreset(struct ata_link *link, ++ unsigned int *class, unsigned long deadline) ++{ ++ u8 dmactl; ++ void __iomem *mmio = link->ap->ioaddr.bmdma_addr; ++ ++ dmactl = readb(mmio + ATA_DMA_CMD); ++ ++ /* Clear the start bit */ ++ if (dmactl & ATA_DMA_START) { ++ dmactl &= ~ATA_DMA_START; ++ writeb(dmactl, mmio + ATA_DMA_CMD); ++ } ++ ++ return sata_sff_hardreset(link, class, deadline); ++} + + static void k2_sata_tf_load(struct ata_port *ap, const struct ata_taskfile *tf) + { +@@ -346,6 +379,8 @@ static struct scsi_host_template k2_sata + + static struct ata_port_operations k2_sata_ops = { + .inherits = &ata_bmdma_port_ops, ++ .softreset = k2_sata_softreset, ++ .hardreset = k2_sata_hardreset, + .sff_tf_load = k2_sata_tf_load, + .sff_tf_read = k2_sata_tf_read, + .sff_check_status = k2_stat_check_status, diff --git a/queue-3.4/series b/queue-3.4/series index f8399b3daa0..d271bc96962 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -38,3 +38,6 @@ alsa-hda-fix-missing-beep-on-asus-x43u-notebook.patch alsa-hda-add-support-for-realtek-alc292.patch bas_gigaset-fix-pre_reset-handling.patch scsi-silence-unnecessary-warnings-about-ioctl-to-partition.patch +kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch +ixgbe-add-support-for-x540-at1.patch +sata_svw-check-dma-start-bit-before-reset.patch