From 3493e30d78ffe59610df2484b48fcf28950e755e Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 24 Mar 2015 14:11:41 +0100 Subject: [PATCH] 3.10-stable patches added patches: crypto-aesni-fix-memory-usage-in-gcm-decryption.patch ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch libsas-fix-kernel-crash-in-smp_execute_task.patch powerpc-smp-wait-until-secondaries-are-active-online.patch x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch x86-vdso-fix-the-build-on-gcc5.patch xen-pciback-limit-guest-control-of-command-register.patch --- ...i-fix-memory-usage-in-gcm-decryption.patch | 65 ++++++++ ...dd-missing-ip_vs_pe_put-in-sync-code.patch | 49 ++++++ ...-local-clients-is-not-needed-anymore.patch | 127 +++++++++++++++ ...fix-kernel-crash-in-smp_execute_task.patch | 97 +++++++++++ ...-until-secondaries-are-active-online.patch | 61 +++++++ queue-3.10/series | 9 + ...ut-used_math-in-__restore_xstate_sig.patch | 87 ++++++++++ ...d-not-assume-that-tsk-equals-current.patch | 50 ++++++ .../x86-vdso-fix-the-build-on-gcc5.patch | 62 +++++++ ...it-guest-control-of-command-register.patch | 154 ++++++++++++++++++ 10 files changed, 761 insertions(+) create mode 100644 queue-3.10/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch create mode 100644 queue-3.10/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch create mode 100644 queue-3.10/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch create mode 100644 queue-3.10/libsas-fix-kernel-crash-in-smp_execute_task.patch create mode 100644 queue-3.10/powerpc-smp-wait-until-secondaries-are-active-online.patch create mode 100644 queue-3.10/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch create mode 100644 queue-3.10/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch create mode 100644 queue-3.10/x86-vdso-fix-the-build-on-gcc5.patch create mode 100644 
queue-3.10/xen-pciback-limit-guest-control-of-command-register.patch
diff --git a/queue-3.10/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch b/queue-3.10/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
new file mode 100644
index 00000000000..d21bb14ffe2
--- /dev/null
+++ b/queue-3.10/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
@@ -0,0 +1,65 @@ +From ccfe8c3f7e52ae83155cb038753f4c75b774ca8a Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 12 Mar 2015 09:17:51 +0100 +Subject: crypto: aesni - fix memory usage in GCM decryption + +From: Stephan Mueller + +commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream. + +The kernel crypto API logic requires the caller to provide the +length of (ciphertext || authentication tag) as cryptlen for the +AEAD decryption operation. Thus, the cipher implementation must +calculate the size of the plaintext output itself and cannot simply use +cryptlen. + +The RFC4106 GCM decryption operation tries to overwrite cryptlen memory +in req->dst. As the destination buffer for decryption only needs to hold +the plaintext memory but cryptlen references the input buffer holding +(ciphertext || authentication tag), the assumption of the destination +buffer length in RFC4106 GCM operation leads to a too large size. This +patch simply uses the already calculated plaintext size. + +In addition, this patch fixes the offset calculation of the AAD buffer +pointer: as mentioned before, cryptlen already includes the size of the +tag. Thus, the tag does not need to be added. With the addition, the AAD +will be written beyond the already allocated buffer. + +Note, this fixes a kernel crash that can be triggered from user space +via AF_ALG(aead) -- simply use the libkcapi test application +from [1] and update it to use rfc4106-gcm-aes. + +Using [1], the changes were tested using CAVS vectors to demonstrate +that the crypto operation still delivers the right results. 
+ +[1] http://www.chronox.de/libkcapi.html + +CC: Tadeusz Struk +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/aesni-intel_glue.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -989,7 +989,7 @@ static int __driver_rfc4106_decrypt(stru + src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); + if (!src) + return -ENOMEM; +- assoc = (src + req->cryptlen + auth_tag_len); ++ assoc = (src + req->cryptlen); + scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); + scatterwalk_map_and_copy(assoc, req->assoc, 0, + req->assoclen, 0); +@@ -1014,7 +1014,7 @@ static int __driver_rfc4106_decrypt(stru + scatterwalk_done(&src_sg_walk, 0, 0); + scatterwalk_done(&assoc_sg_walk, 0, 0); + } else { +- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); ++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); + kfree(src); + } + return retval; diff --git a/queue-3.10/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch b/queue-3.10/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch new file mode 100644 index 00000000000..0aae4442f55 --- /dev/null +++ b/queue-3.10/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch 
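Review bot: `tempCipherLen` now sizes the copy into `req->dst` but is computed outside the hunk; if it is derived as `req->cryptlen - auth_tag_len` without the prologue first rejecting `req->cryptlen < auth_tag_len`, a short request wraps the unsigned length and the scatterwalk copy runs far past the destination, so that check is worth confirming in the part of the function not shown. The corrected `assoc = (src + req->cryptlen);` deserves a why-comment so nobody re-adds the tag offset later: `/* cryptlen already covers ciphertext||tag, so the AAD follows it directly */`. __driver_rfc4106_decrypt() begins and ends outside the hunk.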
@@ -0,0 +1,49 @@ +From 528c943f3bb919aef75ab2fff4f00176f09a4019 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sat, 21 Feb 2015 21:03:10 +0200 +Subject: ipvs: add missing ip_vs_pe_put in sync code + +From: Julian Anastasov + +commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream. + +ip_vs_conn_fill_param_sync() gets in param.pe a module +reference for persistence engine from __ip_vs_pe_getbyname() +but forgets to put it. Problem occurs in backup for +sync protocol v1 (2.6.39). + +Also, pe_data usually comes in sync messages for +connection templates and ip_vs_conn_new() copies +the pointer only in this case. Make sure pe_data +is not leaked if it comes unexpectedly for normal +connections. Leak can happen only if bogus messages +are sent to backup server. + +Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability") +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_sync.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -878,6 +878,8 @@ static void ip_vs_proc_conn(struct net * + IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); + return; + } ++ if (!(flags & IP_VS_CONN_F_TEMPLATE)) ++ kfree(param->pe_data); + } + + if (opt) +@@ -1151,6 +1153,7 @@ static inline int ip_vs_proc_sync_conn(s + (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL) + ); + #endif ++ ip_vs_pe_put(param.pe); + return 0; + /* Error exit */ + out: diff --git a/queue-3.10/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch b/queue-3.10/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch new file mode 100644 index 00000000000..5081d55132a --- /dev/null +++ b/queue-3.10/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch 
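Review bot: `ip_vs_pe_put(param.pe);` is added only in front of the `return 0;` of ip_vs_proc_sync_conn(); the `out:` error label visible at the end of the hunk is reached by gotos that lie outside it, so it is worth confirming none of them fire after `param.pe` has been obtained, otherwise the module reference still leaks on that path. The new `kfree(param->pe_data);` in ip_vs_proc_conn() would read better with its rationale attached: `/* ip_vs_conn_new() keeps pe_data only for templates; free it otherwise so a bogus sync message cannot leak it */`. Both ip_vs_proc_conn() and ip_vs_proc_sync_conn() start outside the hunk.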
@@ -0,0 +1,127 @@ +From 579eb62ac35845686a7c4286c0a820b4eb1f96aa Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Thu, 18 Dec 2014 22:41:23 +0200 +Subject: ipvs: rerouting to local clients is not needed anymore + +From: Julian Anastasov + +commit 579eb62ac35845686a7c4286c0a820b4eb1f96aa upstream. + +commit f5a41847acc5 ("ipvs: move ip_route_me_harder for ICMP") +from 2.6.37 introduced ip_route_me_harder() call for responses to +local clients, so that we can provide valid rt_src after SNAT. +It was used by TCP to provide valid daddr for ip_send_reply(). +After commit 0a5ebb8000c5 ("ipv4: Pass explicit daddr arg to +ip_send_reply()." from 3.0 this rerouting is not needed anymore +and should be avoided, especially in LOCAL_IN. + +Fixes 3.12.33 crash in xfrm reported by Florian Wiessner: +"3.12.33 - BUG xfrm_selector_match+0x25/0x2f6" + +Reported-by: Smart Weblications GmbH - Florian Wiessner +Tested-by: Smart Weblications GmbH - Florian Wiessner +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_core.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -650,16 +650,24 @@ static inline int ip_vs_gather_frags(str + return err; + } + +-static int ip_vs_route_me_harder(int af, struct sk_buff *skb) ++static int ip_vs_route_me_harder(int af, struct sk_buff *skb, ++ unsigned int hooknum) + { ++ if (!sysctl_snat_reroute(skb)) ++ return 0; ++ /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */ ++ if (NF_INET_LOCAL_IN == hooknum) ++ return 0; + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) ++ struct dst_entry *dst = skb_dst(skb); ++ ++ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && ++ ip6_route_me_harder(skb) != 0) + return 1; + } else + #endif +- if ((sysctl_snat_reroute(skb) || 
+- skb_rtable(skb)->rt_flags & RTCF_LOCAL) && ++ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && + ip_route_me_harder(skb, RTN_LOCAL) != 0) + return 1; + +@@ -782,7 +790,8 @@ static int handle_response_icmp(int af, + union nf_inet_addr *snet, + __u8 protocol, struct ip_vs_conn *cp, + struct ip_vs_protocol *pp, +- unsigned int offset, unsigned int ihl) ++ unsigned int offset, unsigned int ihl, ++ unsigned int hooknum) + { + unsigned int verdict = NF_DROP; + +@@ -812,7 +821,7 @@ static int handle_response_icmp(int af, + #endif + ip_vs_nat_icmp(skb, pp, cp, 1); + +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto out; + + /* do the statistics and put it back */ +@@ -907,7 +916,7 @@ static int ip_vs_out_icmp(struct sk_buff + + snet.ip = iph->saddr; + return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, +- pp, ciph.len, ihl); ++ pp, ciph.len, ihl, hooknum); + } + + #ifdef CONFIG_IP_VS_IPV6 +@@ -972,7 +981,8 @@ static int ip_vs_out_icmp_v6(struct sk_b + snet.in6 = ciph.saddr.in6; + writable = ciph.len; + return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp, +- pp, writable, sizeof(struct ipv6hdr)); ++ pp, writable, sizeof(struct ipv6hdr), ++ hooknum); + } + #endif + +@@ -1031,7 +1041,8 @@ static inline bool is_new_conn(const str + */ + static unsigned int + handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, +- struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) ++ struct ip_vs_conn *cp, struct ip_vs_iphdr *iph, ++ unsigned int hooknum) + { + struct ip_vs_protocol *pp = pd->pp; + +@@ -1069,7 +1080,7 @@ handle_response(int af, struct sk_buff * + * if it came from this machine itself. So re-compute + * the routing information. 
+ */ +- if (ip_vs_route_me_harder(af, skb)) ++ if (ip_vs_route_me_harder(af, skb, hooknum)) + goto drop; + + IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); +@@ -1172,7 +1183,7 @@ ip_vs_out(unsigned int hooknum, struct s + cp = pp->conn_out_get(af, skb, &iph, 0); + + if (likely(cp)) +- return handle_response(af, skb, pd, cp, &iph); ++ return handle_response(af, skb, pd, cp, &iph, hooknum); + if (sysctl_nat_icmp_send(net) && + (pp->protocol == IPPROTO_TCP || + pp->protocol == IPPROTO_UDP || diff --git a/queue-3.10/libsas-fix-kernel-crash-in-smp_execute_task.patch b/queue-3.10/libsas-fix-kernel-crash-in-smp_execute_task.patch new file mode 100644 index 00000000000..1c6b4b51361 --- /dev/null +++ b/queue-3.10/libsas-fix-kernel-crash-in-smp_execute_task.patch 
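Review bot: In the IPv6 branch of ip_vs_route_me_harder(), `struct dst_entry *dst = skb_dst(skb);` is dereferenced via `dst->dev` with no NULL check. This presumably relies on the new `NF_INET_LOCAL_IN == hooknum` early return leaving only FORWARD and LOCAL_OUT, where a route is expected to be attached; making that invariant explicit would help, e.g. `/* only FORWARD/LOCAL_OUT reach here, so skb_dst() is set */` above the declaration. The IPv4 branch's switch from rerouting RTCF_LOCAL replies to skipping them is the intended fix, and the remaining hunks only thread `hooknum` through the callers. handle_response_icmp(), handle_response() and ip_vs_out() each extend beyond their hunks.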
@@ -0,0 +1,97 @@ +From 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Wed, 4 Mar 2015 16:18:33 -0800 +Subject: libsas: Fix Kernel Crash in smp_execute_task + +From: James Bottomley + +commit 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 upstream. + +This crash was reported: + +[ 366.947370] sd 3:0:1:0: [sdb] Spinning up disk.... +[ 368.804046] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 368.804072] IP: [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.804098] PGD 0 +[ 368.804114] Oops: 0002 [#1] SMP +[ 368.804143] CPU 1 +[ 368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common +[ 368.804749] +[ 368.804764] Pid: 392, comm: kworker/u:3 Tainted: P W O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. 
To be filled by O.E.M./EPIA-M920 +[ 368.804802] RIP: 0010:[] [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.804827] RSP: 0018:ffff880117001cc0 EFLAGS: 00010246 +[ 368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420 +[ 368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4 +[ 368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe +[ 368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4 +[ 368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8 +[ 368.804916] FS: 0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000 +[ 368.804931] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0 +[ 368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0) +[ 368.805009] Stack: +[ 368.805017] ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c +[ 368.805062] 000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000 +[ 368.805100] ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac +[ 368.805135] Call Trace: +[ 368.805153] [] ? up+0xb/0x33 +[ 368.805168] [] ? mutex_lock+0x16/0x25 +[ 368.805194] [] ? smp_execute_task+0x4e/0x222 [libsas] +[ 368.805217] [] ? sas_find_bcast_dev+0x3c/0x15d [libsas] +[ 368.805240] [] ? sas_find_bcast_dev+0x6f/0x15d [libsas] +[ 368.805264] [] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas] +[ 368.805280] [] ? printk+0x43/0x48 +[ 368.805296] [] ? _raw_spin_unlock_irqrestore+0xc/0xd +[ 368.805318] [] ? sas_revalidate_domain+0x85/0xb6 [libsas] +[ 368.805336] [] ? process_one_work+0x151/0x27c +[ 368.805351] [] ? worker_thread+0xbb/0x152 +[ 368.805366] [] ? manage_workers.isra.29+0x163/0x163 +[ 368.805382] [] ? 
kthread+0x79/0x81 +[ 368.805399] [] ? kernel_thread_helper+0x4/0x10 +[ 368.805416] [] ? kthread_flush_work_fn+0x9/0x9 +[ 368.805431] [] ? gs_change+0x13/0x13 +[ 368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41 +[ 368.805851] RIP [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.805877] RSP +[ 368.805886] CR2: 0000000000000000 +[ 368.805899] ---[ end trace b720682065d8f4cc ]--- + +It's directly caused by 89d3cf6 [SCSI] libsas: add mutex for SMP task +execution, but shows a deeper cause: expander functions expect to be able to +cast to and treat domain devices as expanders. The correct fix is to only do +expander discover when we know we've got an expander device to avoid wrongly +casting a non-expander device. + +Reported-by: Praveen Murali +Tested-by: Praveen Murali +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libsas/sas_discover.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct + struct sas_discovery_event *ev = to_sas_discovery_event(work); + struct asd_sas_port *port = ev->port; + struct sas_ha_struct *ha = port->ha; ++ struct domain_device *ddev = port->port_dev; + + /* prevent revalidation from finding sata links in recovery */ + mutex_lock(&ha->disco_mutex); +@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct + SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id, + task_pid_nr(current)); + +- if (port->port_dev) +- res = sas_ex_revalidate_domain(port->port_dev); ++ if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE || ++ ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE)) ++ res = sas_ex_revalidate_domain(ddev); + + SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 
0x%x\n", + port->id, task_pid_nr(current), res); diff --git a/queue-3.10/powerpc-smp-wait-until-secondaries-are-active-online.patch b/queue-3.10/powerpc-smp-wait-until-secondaries-are-active-online.patch new file mode 100644 index 00000000000..3bda0679dfc --- /dev/null +++ b/queue-3.10/powerpc-smp-wait-until-secondaries-are-active-online.patch 
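Review bot: `ddev` is snapshotted from `port->port_dev` at its declaration, before `mutex_lock(&ha->disco_mutex)`, whereas the replaced code read `port->port_dev` after taking the lock; if port_dev can be cleared by a teardown path serialized on disco_mutex, the snapshot may be stale by the time `sas_ex_revalidate_domain(ddev)` runs, so consider declaring `struct domain_device *ddev;` and assigning `ddev = port->port_dev;` after the lock. Because the fix hinges on not casting a non-expander device, the new condition deserves a why-comment: `/* sas_ex_revalidate_domain() treats the device as an expander; skip end devices */`. The `SAS_FANOUT_EXPANDER_DEVICE`/`SAS_EDGE_EXPANDER_DEVICE` identifiers should be checked against the 3.10 libsas enum, since older trees used different device-type names. sas_revalidate_domain() continues past the hunk.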
@@ -0,0 +1,61 @@ +From 875ebe940d77a41682c367ad799b4f39f128d3fa Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 24 Feb 2015 17:58:02 +1100 +Subject: powerpc/smp: Wait until secondaries are active & online + +From: Michael Ellerman + +commit 875ebe940d77a41682c367ad799b4f39f128d3fa upstream. + +Anton has a busy ppc64le KVM box where guests sometimes hit the infamous +"kernel BUG at kernel/smpboot.c:134!" issue during boot: + + BUG_ON(td->cpu != smp_processor_id()); + +Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops +output confirms it: + + CPU: 0 + Comm: watchdog/130 + +The problem is that we aren't ensuring the CPU active bit is set for the +secondary before allowing the master to continue on. The master unparks +the secondary CPU's kthreads and the scheduler looks for a CPU to run +on. It calls select_task_rq() and realises the suggested CPU is not in +the cpus_allowed mask. It then ends up in select_fallback_rq(), and +since the active bit isnt't set we choose some other CPU to run on. + +This seems to have been introduced by 6acbfb96976f "sched: Fix hotplug +vs. set_cpus_allowed_ptr()", which changed from setting active before +online to setting active after online. However that was in turn fixing a +bug where other code assumed an active CPU was also online, so we can't +just revert that fix. + +The simplest fix is just to spin waiting for both active & online to be +set. We already have a barrier prior to set_cpu_online() (which also +sets active), to ensure all other setup is completed before online & +active are set. + +Fixes: 6acbfb96976f ("sched: Fix hotplug vs. 
set_cpus_allowed_ptr()") +Signed-off-by: Michael Ellerman +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/smp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -544,8 +544,8 @@ int __cpuinit __cpu_up(unsigned int cpu, + if (smp_ops->give_timebase) + smp_ops->give_timebase(); + +- /* Wait until cpu puts itself in the online map */ +- while (!cpu_online(cpu)) ++ /* Wait until cpu puts itself in the online & active maps */ ++ while (!cpu_online(cpu) || !cpu_active(cpu)) + cpu_relax(); + + return 0; diff --git a/queue-3.10/series b/queue-3.10/series index 7d3171739c9..e33112474ae 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -37,3 +37,12 @@ alsa-hda-treat-stereo-to-mono-mix-properly.patch regulator-only-enable-disabled-regulators-on-resume.patch regulator-core-fix-enable-gpio-reference-counting.patch nilfs2-fix-deadlock-of-segment-constructor-during-recovery.patch +xen-pciback-limit-guest-control-of-command-register.patch +libsas-fix-kernel-crash-in-smp_execute_task.patch +crypto-aesni-fix-memory-usage-in-gcm-decryption.patch +x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch +x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch +x86-vdso-fix-the-build-on-gcc5.patch +powerpc-smp-wait-until-secondaries-are-active-online.patch +ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch +ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch diff --git a/queue-3.10/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch b/queue-3.10/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch new file mode 100644 index 00000000000..aef8529b409 --- /dev/null +++ b/queue-3.10/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch 
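Review bot: The updated comment says what is awaited but not why the active bit matters, which is the whole point of the change; suggest `/* Wait until cpu is online *and* active: the scheduler must see cpu_active() before the master unparks this cpu's hotplug threads, or they land on a fallback CPU */`. The loop remains an unbounded spin, as before, so there is no new behavioural concern beyond the original. __cpu_up() starts outside the hunk.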
@@ -0,0 +1,87 @@ +From a7c80ebcac3068b1c3cb27d538d29558c30010c8 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Mar 2015 09:53:09 +0100 +Subject: x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() + +From: Oleg Nesterov + +commit a7c80ebcac3068b1c3cb27d538d29558c30010c8 upstream. + +math_state_restore() assumes it is called with irqs disabled, +but this is not true if the caller is __restore_xstate_sig(). + +This means that if ia32_fxstate == T and __copy_from_user() +fails, __restore_xstate_sig() returns with irqs disabled too. + +This triggers: + + BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41 + dump_stack + ___might_sleep + ? _raw_spin_unlock_irqrestore + __might_sleep + down_read + ? _raw_spin_unlock_irqrestore + print_vma_addr + signal_fault + sys32_rt_sigreturn + +Change __restore_xstate_sig() to call set_used_math() +unconditionally. This avoids enabling and disabling interrupts +in math_state_restore(). If copy_from_user() fails, we can +simply do fpu_finit() by hand. + +[ Note: this is only the first step. math_state_restore() should + not check used_math(), it should set this flag. While + init_fpu() should simply die. ] + +Signed-off-by: Oleg Nesterov +Signed-off-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Pekka Riikonen +Cc: Quentin Casasnovas +Cc: Rik van Riel +Cc: Suresh Siddha +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/xsave.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -376,7 +376,7 @@ int __restore_xstate_sig(void __user *bu + * thread's fpu state, reconstruct fxstate from the fsave + * header. Sanitize the copied state etc. 
+ */ +- struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave; ++ struct fpu *fpu = &tsk->thread.fpu; + struct user_i387_ia32_struct env; + int err = 0; + +@@ -390,14 +390,15 @@ int __restore_xstate_sig(void __user *bu + */ + drop_fpu(tsk); + +- if (__copy_from_user(xsave, buf_fx, state_size) || ++ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) || + __copy_from_user(&env, buf, sizeof(env))) { ++ fpu_finit(fpu); + err = -1; + } else { + sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only); +- set_used_math(); + } + ++ set_used_math(); + if (use_eager_fpu()) { + preempt_disable(); + math_state_restore(); diff --git a/queue-3.10/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch b/queue-3.10/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch new file mode 100644 index 00000000000..cda36cf0337 --- /dev/null +++ b/queue-3.10/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch 
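Review bot: `set_used_math();` becomes unconditional and `fpu_finit(fpu);` runs on the copy-failure path, but the code does not say why the ordering is load-bearing; a why-comment before `set_used_math()` such as `/* unconditional: math_state_restore() below assumes used_math() and must not hit its !used_math() path, which toggles irqs */` would keep a later cleanup from moving it back into the else branch. The `err = -1` path still falls through into the `use_eager_fpu()` block with the freshly initialised state, which matches the commit's intent. __restore_xstate_sig() continues past the hunk.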
@@ -0,0 +1,50 @@ +From f4c3686386393c120710dd34df2a74183ab805fd Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Mar 2015 09:53:10 +0100 +Subject: x86/fpu: Drop_fpu() should not assume that tsk equals current + +From: Oleg Nesterov + +commit f4c3686386393c120710dd34df2a74183ab805fd upstream. + +drop_fpu() does clear_used_math() and usually this is correct +because tsk == current. + +However switch_fpu_finish()->restore_fpu_checking() is called before +__switch_to() updates the "current_task" variable. If it fails, +we will wrongly clear the PF_USED_MATH flag of the previous task. + +So use clear_stopped_child_used_math() instead. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Borislav Petkov +Reviewed-by: Rik van Riel +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Pekka Riikonen +Cc: Quentin Casasnovas +Cc: Suresh Siddha +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/fpu-internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/fpu-internal.h ++++ b/arch/x86/include/asm/fpu-internal.h +@@ -370,7 +370,7 @@ static inline void drop_fpu(struct task_ + preempt_disable(); + tsk->fpu_counter = 0; + __drop_fpu(tsk); +- clear_used_math(); ++ clear_stopped_child_used_math(tsk); + preempt_enable(); + } + diff --git a/queue-3.10/x86-vdso-fix-the-build-on-gcc5.patch b/queue-3.10/x86-vdso-fix-the-build-on-gcc5.patch new file mode 100644 index 00000000000..0e06df8ef7c --- /dev/null +++ b/queue-3.10/x86-vdso-fix-the-build-on-gcc5.patch 
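Review bot: The one-line change is justified only by the commit message, so the reason is invisible in the code and a future cleanup could revert it to `clear_used_math()`; suggest `/* tsk is not necessarily current here (switch_fpu_finish() runs before current_task is updated), so clear the flag on tsk explicitly */` above the call. drop_fpu() starts outside the hunk.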
@@ -0,0 +1,62 @@ +From e893286918d2cde3a94850d8f7101cd1039e0c62 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Thu, 5 Mar 2015 09:13:31 +0100 +Subject: x86/vdso: Fix the build on GCC5 + +From: Jiri Slaby + +commit e893286918d2cde3a94850d8f7101cd1039e0c62 upstream. + +On gcc5 the kernel does not link: + + ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670. + +Because prior GCC versions always emitted NOPs on ALIGN directives, but +gcc5 started omitting them. + +.LSTARTFDEDLSI1 says: + + /* HACK: The dwarf2 unwind routines will subtract 1 from the + return address to get an address in the middle of the + presumed call instruction. Since we didn't get here via + a call, we need to include the nop before the real start + to make up for it. */ + .long .LSTART_sigreturn-1-. /* PC-relative start address */ + +But commit 69d0627a7f6e ("x86 vDSO: reorder vdso32 code") from 2.6.25 +replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before +__kernel_sigreturn. + +Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses +vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN". + +So fix this by adding to that point at least a single NOP and make the +function ALIGN possibly with more NOPs then. + +Kudos for reporting and diagnosing should go to Richard. + +Reported-by: Richard Biener +Signed-off-by: Jiri Slaby +Acked-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/vdso/vdso32/sigreturn.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/vdso/vdso32/sigreturn.S ++++ b/arch/x86/vdso/vdso32/sigreturn.S +@@ -17,6 +17,7 @@ + .text + .globl __kernel_sigreturn + .type __kernel_sigreturn,@function ++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */ + ALIGN + __kernel_sigreturn: + .LSTART_sigreturn: diff --git a/queue-3.10/xen-pciback-limit-guest-control-of-command-register.patch b/queue-3.10/xen-pciback-limit-guest-control-of-command-register.patch new file mode 100644 index 00000000000..1c87dc221c6 --- /dev/null +++ b/queue-3.10/xen-pciback-limit-guest-control-of-command-register.patch 
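Review bot: The comment on the added `nop` is informal and does not name the actual constraint; suggest `nop /* .LSTARTFDEDLSI1 starts the FDE at .LSTART_sigreturn-1; keep a real instruction here because ALIGN may emit no padding */`. Placing the `nop` before `ALIGN` is sound, since ALIGN can only add padding after it and a real instruction therefore always precedes `.LSTART_sigreturn`, but a comment saying so helps the next reader. The enclosing `.text` section continues past the hunk.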
@@ -0,0 +1,154 @@ +From af6fc858a35b90e89ea7a7ee58e66628c55c776b Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 11 Mar 2015 13:51:17 +0000 +Subject: xen-pciback: limit guest control of command register + +From: Jan Beulich + +commit af6fc858a35b90e89ea7a7ee58e66628c55c776b upstream. + +Otherwise the guest can abuse that control to cause e.g. PCIe +Unsupported Request responses by disabling memory and/or I/O decoding +and subsequently causing (CPU side) accesses to the respective address +ranges, which (depending on system configuration) may be fatal to the +host. + +Note that to alter any of the bits collected together as +PCI_COMMAND_GUEST permissive mode is now required to be enabled +globally or on the specific device. + +This is CVE-2015-2150 / XSA-120. + +Signed-off-by: Jan Beulich +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-pciback/conf_space.c | 2 + drivers/xen/xen-pciback/conf_space.h | 2 + drivers/xen/xen-pciback/conf_space_header.c | 59 ++++++++++++++++++++++------ + 3 files changed, 50 insertions(+), 13 deletions(-) + +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -16,7 +16,7 @@ + #include "conf_space.h" + #include "conf_space_quirks.h" + +-static bool permissive; ++bool permissive; + module_param(permissive, bool, 0644); + + /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word, +--- a/drivers/xen/xen-pciback/conf_space.h ++++ b/drivers/xen/xen-pciback/conf_space.h +@@ -64,6 +64,8 @@ struct config_field_entry { + void *data; + }; + ++extern bool permissive; ++ + #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset) + + /* Add fields to a device - the add_fields macro expects to get a pointer to +--- a/drivers/xen/xen-pciback/conf_space_header.c ++++ b/drivers/xen/xen-pciback/conf_space_header.c +@@ -9,6 +9,10 @@ + #include "pciback.h" + #include "conf_space.h" + ++struct 
pci_cmd_info { ++ u16 val; ++}; ++ + struct pci_bar_info { + u32 val; + u32 len_val; +@@ -18,22 +22,36 @@ struct pci_bar_info { + #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO)) + #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER) + +-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++/* Bits guests are allowed to control in permissive mode. */ ++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \ ++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \ ++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK) ++ ++static void *command_init(struct pci_dev *dev, int offset) + { +- int i; +- int ret; ++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ int err; + +- ret = xen_pcibk_read_config_word(dev, offset, value, data); +- if (!pci_is_enabled(dev)) +- return ret; +- +- for (i = 0; i < PCI_ROM_RESOURCE; i++) { +- if (dev->resource[i].flags & IORESOURCE_IO) +- *value |= PCI_COMMAND_IO; +- if (dev->resource[i].flags & IORESOURCE_MEM) +- *value |= PCI_COMMAND_MEMORY; ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); ++ ++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val); ++ if (err) { ++ kfree(cmd); ++ return ERR_PTR(err); + } + ++ return cmd; ++} ++ ++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++{ ++ int ret = pci_read_config_word(dev, offset, value); ++ const struct pci_cmd_info *cmd = data; ++ ++ *value &= PCI_COMMAND_GUEST; ++ *value |= cmd->val & ~PCI_COMMAND_GUEST; ++ + return ret; + } + +@@ -41,6 +59,8 @@ static int command_write(struct pci_dev + { + struct xen_pcibk_dev_data *dev_data; + int err; ++ u16 val; ++ struct pci_cmd_info *cmd = data; + + dev_data = pci_get_drvdata(dev); + if (!pci_is_enabled(dev) && is_enable_cmd(value)) { +@@ -83,6 +103,19 @@ static int command_write(struct pci_dev + } + } + ++ cmd->val = value; ++ ++ if (!permissive && (!dev_data || !dev_data->permissive)) ++ return 0; ++ ++ /* Only allow the guest to control certain 
bits. */ ++ err = pci_read_config_word(dev, offset, &val); ++ if (err || val == value) ++ return err; ++ ++ value &= PCI_COMMAND_GUEST; ++ value |= val & ~PCI_COMMAND_GUEST; ++ + return pci_write_config_word(dev, offset, value); + } + +@@ -282,6 +315,8 @@ static const struct config_field header_ + { + .offset = PCI_COMMAND, + .size = 2, ++ .init = command_init, ++ .release = bar_release, + .u.w.read = command_read, + .u.w.write = command_write, + }, -- 2.47.3
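Review bot: In the new command_read(), the masking `*value &= PCI_COMMAND_GUEST; *value |= cmd->val & ~PCI_COMMAND_GUEST;` runs even when `pci_read_config_word()` has failed, so an error return is paired with a partly synthesised value; an `if (ret) return ret;` right after the read keeps the two cases apart. `.release = bar_release` on the PCI_COMMAND field presumably works only because bar_release does nothing more than free `data`; a comment on `struct pci_cmd_info` noting that it is released by bar_release, or a dedicated `command_release`, would make that coupling visible. Since `permissive` becomes a global shared by conf_space.c and conf_space_header.c, the `extern bool permissive;` in conf_space.h should carry a one-line comment stating it is the module parameter (alongside the per-device flag) that allows guests to alter the PCI_COMMAND_GUEST bits. command_write() begins outside the hunk.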