From 8950cad274c4cd495dc1e55fdfd778c59e26efbc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 3 Dec 2014 14:42:26 -0800
Subject: [PATCH] 3.14-stable patches

added patches:
uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
x86-microcode-update-bsps-microcode-on-resume.patch
x86-mm-set-nx-across-entire-pmd-at-boot.patch
x86-require-exact-match-for-noxsave-command-line-option.patch
---
queue-3.14/series | 5 ++
...ix-_tif_uprobe-vs-_tif_notify_resume.patch | 50 ++++++++++++
...ndle-gold-linker-for-finding-bss-brk.patch | 45 +++++++++++
...code-update-bsps-microcode-on-resume.patch | 46 +++++++++++
...-mm-set-nx-across-entire-pmd-at-boot.patch | 77 +++++++++++++++++++
...atch-for-noxsave-command-line-option.patch | 54 +++++++++++++
6 files changed, 277 insertions(+)
create mode 100644 queue-3.14/uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
create mode 100644 queue-3.14/x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
create mode 100644 queue-3.14/x86-microcode-update-bsps-microcode-on-resume.patch
create mode 100644 queue-3.14/x86-mm-set-nx-across-entire-pmd-at-boot.patch
create mode 100644 queue-3.14/x86-require-exact-match-for-noxsave-command-line-option.patch
diff --git a/queue-3.14/series b/queue-3.14/series
index bb46fbc181c..a103ad471d4 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -3,3 +3,8 @@ mips-loongson-make-platform-serial-setup-always-built-in.patch
 x86_64-traps-fix-the-espfix64-df-fixup-and-rewrite-it-in-c.patch
 x86_64-traps-stop-using-ist-for-ss.patch
 x86_64-traps-rework-bad_iret.patch
+x86-require-exact-match-for-noxsave-command-line-option.patch
+x86-mm-set-nx-across-entire-pmd-at-boot.patch
+x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
+x86-microcode-update-bsps-microcode-on-resume.patch
+uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
diff --git a/queue-3.14/uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch b/queue-3.14/uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
new file mode 100644
index 00000000000..89b8e862de1
--- /dev/null
+++ b/queue-3.14/uprobes-x86-fix-_tif_uprobe-vs-_tif_notify_resume.patch
@@ -0,0 +1,50 @@
+From 82975bc6a6df743b9a01810fb32cb65d0ec5d60b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Fri, 21 Nov 2014 13:26:07 -0800
+Subject: uprobes, x86: Fix _TIF_UPROBE vs _TIF_NOTIFY_RESUME
+
+From: Andy Lutomirski
+
+commit 82975bc6a6df743b9a01810fb32cb65d0ec5d60b upstream.
+
+x86 call do_notify_resume on paranoid returns if TIF_UPROBE is set but
+not on non-paranoid returns. I suspect that this is a mistake and that
+the code only works because int3 is paranoid.
+
+Setting _TIF_NOTIFY_RESUME in the uprobe code was probably a workaround
+for the x86 bug. With that bug fixed, we can remove _TIF_NOTIFY_RESUME
+from the uprobes code.
+
+Reported-by: Oleg Nesterov
+Acked-by: Srikar Dronamraju
+Acked-by: Borislav Petkov
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/thread_info.h | 2 +-
+ kernel/events/uprobes.c | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/thread_info.h
++++ b/arch/x86/include/asm/thread_info.h
+@@ -144,7 +144,7 @@ struct thread_info {
+ /* Only used for 64 bit */
+ #define _TIF_DO_NOTIFY_MASK \
+ (_TIF_SIGPENDING | _TIF_MCE_NOTIFY | _TIF_NOTIFY_RESUME | \
+- _TIF_USER_RETURN_NOTIFY)
++ _TIF_USER_RETURN_NOTIFY | _TIF_UPROBE)
+
+ /* flags to check in __switch_to() */
+ #define _TIF_WORK_CTXSW \
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1621,7 +1621,6 @@ bool uprobe_deny_signal(void)
+ if (__fatal_signal_pending(t) || arch_uprobe_xol_was_trapped(t)) {
+ utask->state = UTASK_SSTEP_TRAPPED;
+ set_tsk_thread_flag(t, TIF_UPROBE);
+- set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
+ }
+ }
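Review bot: The new `_TIF_UPROBE` bit is added only to `_TIF_DO_NOTIFY_MASK`, which the context line above it marks `/* Only used for 64 bit */`, while the removal of `set_tsk_thread_flag(t, TIF_NOTIFY_RESUME)` in uprobe_deny_signal() applies to every architecture that builds uprobes. Before taking this into 3.14 a reviewer should confirm that the 32-bit x86 exit path and the other uprobe-capable architectures already act on a bare TIF_UPROBE, because after this hunk nothing else forces do_notify_resume() on that path and, as far as the hunk shows, the work deferred to it would simply be skipped. The commit message calls the NOTIFY_RESUME flag a presumed workaround, so that dependency is now implicit; a one-line comment on the 64-bit mask, `/* _TIF_UPROBE: uprobes no longer set TIF_NOTIFY_RESUME alongside it */`, would record it. uprobe_deny_signal() starts and ends outside the hunk.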
diff --git a/queue-3.14/x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch b/queue-3.14/x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
new file mode 100644
index 00000000000..232b2c6f883
--- /dev/null
+++ b/queue-3.14/x86-kaslr-handle-gold-linker-for-finding-bss-brk.patch
@@ -0,0 +1,45 @@
+From 70b61e362187b5fccac206506d402f3424e3e749 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Mon, 17 Nov 2014 16:16:04 -0800
+Subject: x86, kaslr: Handle Gold linker for finding bss/brk
+
+From: Kees Cook
+
+commit 70b61e362187b5fccac206506d402f3424e3e749 upstream.
+
+When building with the Gold linker, the .bss and .brk areas of vmlinux
+are shown as consecutive instead of having the same file offset. Allow
+for either state, as long as things add up correctly.
+
+Fixes: e6023367d779 ("x86, kaslr: Prevent .bss from overlaping initrd")
+Reported-by: Markus Trippelsdorf
+Signed-off-by: Kees Cook
+Cc: Junjie Mao
+Link: http://lkml.kernel.org/r/20141118001604.GA25045@www.outflux.net
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/tools/calc_run_size.pl | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/tools/calc_run_size.pl
++++ b/arch/x86/tools/calc_run_size.pl
+@@ -19,7 +19,16 @@ while (<>) {
+ if ($file_offset == 0) {
+ $file_offset = $offset;
+ } elsif ($file_offset != $offset) {
+- die ".bss and .brk lack common file offset\n";
++ # BFD linker shows the same file offset in ELF.
++ # Gold linker shows them as consecutive.
++ next if ($file_offset + $mem_size == $offset + $size);
++
++ printf STDERR "file_offset: 0x%lx\n", $file_offset;
++ printf STDERR "mem_size: 0x%lx\n", $mem_size;
++ printf STDERR "offset: 0x%lx\n", $offset;
++ printf STDERR "size: 0x%lx\n", $size;
++
++ die ".bss and .brk are non-contiguous\n";
+ }
+ }
+ }
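Review bot: The Gold-linker test `next if ($file_offset + $mem_size == $offset + $size);` only expresses "this section starts where the previous one ends" if `$mem_size` has already been incremented by the current `$size` before this branch; that increment is outside the hunk and the comment does not mention it, so a reader who sees `$size` on both sides will suspect the expression is wrong. Either spell the intent out, `next if ($file_offset + $mem_size - $size == $offset);`, or extend the comment with `# $mem_size already includes this section's $size, so this is prev_end == offset`. The value this script emits is what the Fixes: commit introduced to keep .bss/.brk from overlapping the initrd, so an accepted-but-wrong layout here would silently undercount that space; the check deserves to be obviously correct. The enclosing `while (<>)` loop starts outside the hunk.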
diff --git a/queue-3.14/x86-microcode-update-bsps-microcode-on-resume.patch b/queue-3.14/x86-microcode-update-bsps-microcode-on-resume.patch
new file mode 100644
index 00000000000..2c622589530
--- /dev/null
+++ b/queue-3.14/x86-microcode-update-bsps-microcode-on-resume.patch
@@ -0,0 +1,46 @@
+From fb86b97300d930b57471068720c52bfa8622eab7 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Tue, 18 Nov 2014 10:46:57 +0100
+Subject: x86, microcode: Update BSPs microcode on resume
+
+From: Borislav Petkov
+
+commit fb86b97300d930b57471068720c52bfa8622eab7 upstream.
+
+In the situation when we apply early microcode but do *not* apply late
+microcode, we fail to update the BSP's microcode on resume because we
+haven't initialized the uci->mc microcode pointer. So, in order to
+alleviate that, we go and dig out the stashed microcode patch during
+early boot. It is basically the same thing that is done on the APs early
+during boot so do that too here.
+
+Tested-by: alex.schnaidt@gmail.com
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=88001
+Cc: Henrique de Moraes Holschuh
+Cc: Fenghua Yu
+Signed-off-by: Borislav Petkov
+Link: http://lkml.kernel.org/r/20141118094657.GA6635@pd.tnic
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/microcode/core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -462,6 +462,14 @@ static void mc_bp_resume(void)
+
+ if (uci->valid && uci->mc)
+ microcode_ops->apply_microcode(cpu);
++ else if (!uci->mc)
++ /*
++ * We might resume and not have applied late microcode but still
++ * have a newer patch stashed from the early loader. We don't
++ * have it in uci->mc so we have to load it the same way we're
++ * applying patches early on the APs.
++ */
++ load_ucode_ap();
+ }
+
+ static struct syscore_ops mc_syscore_ops = {
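Review bot: The new `else if (!uci->mc)` arm places a six-line block comment between the condition and its single statement `load_ucode_ap();` with no braces; that compiles, but it is the shape that silently breaks when someone adds a second statement, and the comment reads more naturally above the `else if`. Bracing both arms (`if (uci->valid && uci->mc) {` … `} else if (!uci->mc) {` … `}`) with the comment moved up keeps the logic identical and makes the structure explicit. Note also that the new arm triggers whenever `uci->mc` is NULL regardless of `uci->valid`, so it also covers the `!uci->valid` case that the first condition rejects; if that is intended, a clause in the comment saying so would pre-empt the question on the next read. mc_bp_resume() begins outside the hunk.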
diff --git a/queue-3.14/x86-mm-set-nx-across-entire-pmd-at-boot.patch b/queue-3.14/x86-mm-set-nx-across-entire-pmd-at-boot.patch
new file mode 100644
index 00000000000..7a5278c206c
--- /dev/null
+++ b/queue-3.14/x86-mm-set-nx-across-entire-pmd-at-boot.patch
@@ -0,0 +1,77 @@
+From 45e2a9d4701d8c624d4a4bcdd1084eae31e92f58 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Fri, 14 Nov 2014 11:47:37 -0800
+Subject: x86, mm: Set NX across entire PMD at boot
+
+From: Kees Cook
+
+commit 45e2a9d4701d8c624d4a4bcdd1084eae31e92f58 upstream.
+
+When setting up permissions on kernel memory at boot, the end of the
+PMD that was split from bss remained executable. It should be NX like
+the rest. This performs a PMD alignment instead of a PAGE alignment to
+get the correct span of memory.
+
+Before:
+---[ High Kernel Mapping ]---
+...
+0xffffffff8202d000-0xffffffff82200000 1868K RW GLB NX pte
+0xffffffff82200000-0xffffffff82c00000 10M RW PSE GLB NX pmd
+0xffffffff82c00000-0xffffffff82df5000 2004K RW GLB NX pte
+0xffffffff82df5000-0xffffffff82e00000 44K RW GLB x pte
+0xffffffff82e00000-0xffffffffc0000000 978M pmd
+
+After:
+---[ High Kernel Mapping ]---
+...
+0xffffffff8202d000-0xffffffff82200000 1868K RW GLB NX pte
+0xffffffff82200000-0xffffffff82e00000 12M RW PSE GLB NX pmd
+0xffffffff82e00000-0xffffffffc0000000 978M pmd
+
+[ tglx: Changed it to roundup(_brk_end, PMD_SIZE) and added a comment.
+ We really should unmap the reminder along with the holes
+ caused by init,initdata etc. but thats a different issue ]
+
+Signed-off-by: Kees Cook
+Cc: Andy Lutomirski
+Cc: Toshi Kani
+Cc: Yasuaki Ishimatsu
+Cc: David Vrabel
+Cc: Wang Nan
+Cc: Yinghai Lu
+Link: http://lkml.kernel.org/r/20141114194737.GA3091@www.outflux.net
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/mm/init_64.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1110,7 +1110,7 @@ void mark_rodata_ro(void)
+ unsigned long end = (unsigned long) &__end_rodata_hpage_align;
+ unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
+ unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
+- unsigned long all_end = PFN_ALIGN(&_end);
++ unsigned long all_end;
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+@@ -1121,7 +1121,16 @@ void mark_rodata_ro(void)
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
++ *
++ * We align all_end to PMD_SIZE because the existing mapping
++ * is a full PMD. If we would align _brk_end to PAGE_SIZE we
++ * split the PMD and the reminder between _brk_end and the end
++ * of the PMD will remain mapped executable.
++ *
++ * Any PMD which was setup after the one which covers _brk_end
++ * has been zapped already via cleanup_highmem().
+ */
++ all_end = roundup((unsigned long)_brk_end, PMD_SIZE);
+ set_memory_nx(rodata_start, (all_end - rodata_start) >> PAGE_SHIFT);
+
+ rodata_test();
diff --git a/queue-3.14/x86-require-exact-match-for-noxsave-command-line-option.patch b/queue-3.14/x86-require-exact-match-for-noxsave-command-line-option.patch
new file mode 100644
index 00000000000..426e1305b9d
--- /dev/null
+++ b/queue-3.14/x86-require-exact-match-for-noxsave-command-line-option.patch
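Review bot: The comment added in the second mark_rodata_ro() hunk says `reminder` where `remainder` is meant (`the reminder between _brk_end and the end of the PMD`); suggest `* split the PMD and the remainder between _brk_end and the end`. The first hunk also turns `all_end` into an uninitialized local that is only assigned next to the comment some lines later; the statements between the two hunks are not visible here, so a reviewer should confirm nothing reads `all_end` in that gap, or initialize it at the declaration (`unsigned long all_end = roundup((unsigned long)_brk_end, PMD_SIZE);`) and leave the explanatory comment where it is. The new span is correct only under the invariant the comment states, that every PMD past the one covering `_brk_end` has already been zapped by cleanup_highmem(); that is asserted in prose only, and if it did not hold the pages past the rounded-up end would, as far as this hunk shows, fall outside the `set_memory_nx()` range and stay executable, the very condition the patch is fixing. mark_rodata_ro() starts before the first hunk and continues after the second.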
@@ -0,0 +1,54 @@
+From 2cd3949f702692cf4c5d05b463f19cd706a92dd3 Mon Sep 17 00:00:00 2001
+From: Dave Hansen
+Date: Tue, 11 Nov 2014 14:01:33 -0800
+Subject: x86: Require exact match for 'noxsave' command line option
+
+From: Dave Hansen
+
+commit 2cd3949f702692cf4c5d05b463f19cd706a92dd3 upstream.
+
+We have some very similarly named command-line options:
+
+arch/x86/kernel/cpu/common.c:__setup("noxsave", x86_xsave_setup);
+arch/x86/kernel/cpu/common.c:__setup("noxsaveopt", x86_xsaveopt_setup);
+arch/x86/kernel/cpu/common.c:__setup("noxsaves", x86_xsaves_setup);
+
+__setup() is designed to match options that take arguments, like
+"foo=bar" where you would have:
+
+ __setup("foo", x86_foo_func...);
+
+The problem is that "noxsave" actually _matches_ "noxsaves" in
+the same way that "foo" matches "foo=bar". If you boot an old
+kernel that does not know about "noxsaves" with "noxsaves" on the
+command line, it will interpret the argument as "noxsave", which
+is not what you want at all.
+
+This makes the "noxsave" handler only return success when it finds
+an *exact* match.
+
+[ tglx: We really need to make __setup() more robust. ]
+
+Signed-off-by: Dave Hansen
+Cc: Dave Hansen
+Cc: Fenghua Yu
+Cc: x86@kernel.org
+Link: http://lkml.kernel.org/r/20141111220133.FE053984@viggo.jf.intel.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -144,6 +144,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
+
+ static int __init x86_xsave_setup(char *s)
+ {
++ if (strlen(s))
++ return 0;
+ setup_clear_cpu_cap(X86_FEATURE_XSAVE);
+ setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
+ setup_clear_cpu_cap(X86_FEATURE_AVX);
-- 
2.47.3
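Review bot: Only x86_xsave_setup() receives the exact-match guard, although the commit message lists `noxsaveopt` as a second prefix-style option registered in the same file; the same `__setup()` prefix matching would presumably let any future `noxsaveopt<suffix>` option fall into x86_xsaveopt_setup(), so that handler (outside this hunk) should get the same two lines. The guard has no comment explaining why a non-empty remainder is rejected, and the reason is non-obvious; suggest `/* reject "noxsave<anything>" so that e.g. "noxsaves" is not mis-parsed as "noxsave" */` above the `if`. As a style point, `if (*s)` is the usual kernel spelling for "remainder is non-empty" and avoids the strlen() call. x86_xsave_setup() continues past the end of the hunk.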