--- /dev/null
+From mtosatti@redhat.com Mon Dec 6 11:01:47 2010
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Mon, 29 Nov 2010 13:00:14 -0200
+Subject: KVM: x86: fix information leak to userland
+To: greg@kroah.com
+Cc: avi@redhat.com, mtosatti@redhat.com, stable@kernel.org, Vasiliy Kulikov <segooon@gmail.com>
+Message-ID: <20101129150040.136400937@redhat.com>
+Content-Disposition: inline; filename=0001-KVM-x86-fix-information-leak-to-userland.patch
+
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 97e69aa62f8b5d338d6cff49be09e37cc1262838 upstream.
+
+Structures kvm_vcpu_events, kvm_debugregs, kvm_pit_state2 and
+kvm_clock_data are copied to userland with some padding and reserved
+fields unitialized. It leads to leaking of contents of kernel stack
+memory. We have to initialize them to zero.
+
+In patch v1 Jan Kiszka suggested to fill reserved fields with zeros
+instead of memset'ting the whole struct. It makes sense as these
+fields are explicitly marked as padding. No more fields need zeroing.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2102,6 +2102,7 @@ static int kvm_vm_ioctl_get_pit2(struct
+ sizeof(ps->channels));
+ ps->flags = kvm->arch.vpit->pit_state.flags;
+ mutex_unlock(&kvm->arch.vpit->pit_state.lock);
++ memset(&ps->reserved, 0, sizeof(ps->reserved));
+ return r;
+ }
+
+@@ -2439,6 +2440,7 @@ long kvm_arch_vm_ioctl(struct file *filp
+ now_ns = timespec_to_ns(&now);
+ user_ns.clock = kvm->arch.kvmclock_offset + now_ns;
+ user_ns.flags = 0;
++ memset(&user_ns.pad, 0, sizeof(user_ns.pad));
+
+ r = -EFAULT;
+ if (copy_to_user(argp, &user_ns, sizeof(user_ns)))
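Review bot: The commit message names four structures (kvm_vcpu_events, kvm_debugregs, kvm_pit_state2, kvm_clock_data) but the backport clears padding in only two places, `ps->reserved` in kvm_vm_ioctl_get_pit2 and `user_ns.pad` in kvm_arch_vm_ioctl, and the diffstat confirms 2 insertions. If this tree has no KVM_GET_VCPU_EVENTS / KVM_GET_DEBUGREGS paths, a backport note under the Signed-off-by lines such as `[2.6.32: only the pit2 and clock paths exist here]` would stop a reader hunting for missing hunks; if it does have them, those copies still leak and the backport is incomplete. Placing the memset after mutex_unlock() is fine since `ps` is local, but a one-line comment `/* reserved[] is copied to userspace: never leave it uninitialised */` would record why it is there. Both functions continue outside the hunks.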
--- /dev/null
+From 0613a59456980161d0cd468bae6c63d772743102 Mon Sep 17 00:00:00 2001
+From: Daniel T Chen <crimsun@ubuntu.com>
+Date: Mon, 1 Nov 2010 01:14:51 -0400
+Subject: ALSA: ac97: Apply quirk for Dell Latitude D610 binding Master and Headphone controls
+
+From: Daniel T Chen <crimsun@ubuntu.com>
+
+commit 0613a59456980161d0cd468bae6c63d772743102 upstream.
+
+BugLink: https://launchpad.net/bugs/669279
+
+The original reporter states: "The Master mixer does not change the
+volume from the headphone output (which is affected by the headphone
+mixer). Instead it only seems to control the on-board speaker volume.
+This confuses PulseAudio greatly as the Master channel is merged into
+the volume mix."
+
+Fix this symptom by applying the hp_only quirk for the reporter's SSID.
+The fix is applicable to all stable kernels.
+
+Reported-and-tested-by: Ben Gamari <bgamari@gmail.com>
+Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/intel8x0.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/pci/intel8x0.c
++++ b/sound/pci/intel8x0.c
+@@ -1866,6 +1866,12 @@ static struct ac97_quirk ac97_quirks[] _
+ },
+ {
+ .subvendor = 0x1028,
++ .subdevice = 0x0182,
++ .name = "Dell Latitude D610", /* STAC9750/51 */
++ .type = AC97_TUNE_HP_ONLY
++ },
++ {
++ .subvendor = 0x1028,
+ .subdevice = 0x0186,
+ .name = "Dell Latitude D810", /* cf. Malone #41015 */
+ .type = AC97_TUNE_HP_MUTE_LED
--- /dev/null
+From cc1c452e509aefc28f7ad2deed75bc69d4f915f7 Mon Sep 17 00:00:00 2001
+From: David Henningsson <david.henningsson@canonical.com>
+Date: Wed, 24 Nov 2010 14:17:47 +0100
+Subject: ALSA: HDA: Add an extra DAC for Realtek ALC887-VD
+
+From: David Henningsson <david.henningsson@canonical.com>
+
+commit cc1c452e509aefc28f7ad2deed75bc69d4f915f7 upstream.
+
+The patch enables ALC887-VD to use the DAC at nid 0x26,
+which makes it possible to use this DAC for e g Headphone
+volume.
+
+Signed-off-by: David Henningsson <david.henningsson@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -17260,6 +17260,8 @@ static inline hda_nid_t alc662_mix_to_da
+ return 0x02;
+ else if (nid >= 0x0c && nid <= 0x0e)
+ return nid - 0x0c + 0x02;
++ else if (nid == 0x26) /* ALC887-VD has this DAC too */
++ return 0x25;
+ else
+ return 0;
+ }
+@@ -17268,7 +17270,7 @@ static inline hda_nid_t alc662_mix_to_da
+ static hda_nid_t alc662_dac_to_mix(struct hda_codec *codec, hda_nid_t pin,
+ hda_nid_t dac)
+ {
+- hda_nid_t mix[4];
++ hda_nid_t mix[5];
+ int i, num;
+
+ num = snd_hda_get_connections(codec, pin, mix, ARRAY_SIZE(mix));
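Review bot: The bump from `hda_nid_t mix[4]` to `hda_nid_t mix[5]` in alc662_dac_to_mix is a bare magic number whose only link to the new `nid == 0x26` case in alc662_mix_to_dac is the commit message; a comment on the declaration, `hda_nid_t mix[5]; /* ALC887-VD exposes an extra mixer (0x26), see alc662_mix_to_dac() */`, keeps the two in step the next time a mixer is added. Because snd_hda_get_connections() is called with ARRAY_SIZE(mix) the array cannot be overrun, but an undersized array would presumably drop the fifth connection silently rather than fail loudly, which is why the pairing is worth documenting. Both functions continue outside the hunks.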
--- /dev/null
+From 0defe09ca70daccdc83abd9c3c24cd89ae6a1141 Mon Sep 17 00:00:00 2001
+From: Daniel T Chen <crimsun@ubuntu.com>
+Date: Wed, 1 Dec 2010 19:16:07 -0500
+Subject: ALSA: hda: Use "alienware" model quirk for another SSID
+
+From: Daniel T Chen <crimsun@ubuntu.com>
+
+commit 0defe09ca70daccdc83abd9c3c24cd89ae6a1141 upstream.
+
+BugLink: https://launchpad.net/bugs/683695
+
+The original reporter states that headphone jacks do not appear to
+work. Upon inspecting his codec dump, and upon further testing, it is
+confirmed that the "alienware" model quirk is correct.
+
+Reported-and-tested-by: Cody Thierauf
+Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_sigmatel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -1602,6 +1602,8 @@ static struct snd_pci_quirk stac92hd73xx
+ static struct snd_pci_quirk stac92hd73xx_codec_id_cfg_tbl[] = {
+ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02a1,
+ "Alienware M17x", STAC_ALIENWARE_M17X),
++ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x043a,
++ "Alienware M17x", STAC_ALIENWARE_M17X),
+ {} /* terminator */
+ };
+
--- /dev/null
+From 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Wed, 7 Apr 2010 08:30:50 +0200
+Subject: firewire: cdev: fix information leak
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c upstream.
+
+A userspace client got to see uninitialized stack-allocated memory if it
+specified an _IOC_READ type of ioctl and an argument size larger than
+expected by firewire-core's ioctl handlers (but not larger than the
+core's union ioctl_arg).
+
+Fix this by clearing the requested buffer size to zero, but only at _IOR
+ioctls. This way, there is almost no runtime penalty to legitimate
+ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
+or 16 bytes to memset.
+
+[Another way to fix this would be strict checking of argument size (and
+possibly direction) vs. command number. However, we then need a lookup
+table, and we need to allow for slight size deviations in case of 32bit
+userland on 64bit kernel.]
+
+Reported-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+[ Backported to 2.6.32 firewire core -maks ]
+Signed-off-by: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firewire/core-cdev.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -1299,24 +1299,24 @@ static int dispatch_ioctl(struct client
+ int ret;
+
+ if (_IOC_TYPE(cmd) != '#' ||
+- _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers))
++ _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers) ||
++ _IOC_SIZE(cmd) > sizeof(buffer))
+ return -EINVAL;
+
+- if (_IOC_DIR(cmd) & _IOC_WRITE) {
+- if (_IOC_SIZE(cmd) > sizeof(buffer) ||
+- copy_from_user(buffer, arg, _IOC_SIZE(cmd)))
++ if (_IOC_DIR(cmd) == _IOC_READ)
++ memset(&buffer, 0, _IOC_SIZE(cmd));
++
++ if (_IOC_DIR(cmd) & _IOC_WRITE)
++ if (copy_from_user(buffer, arg, _IOC_SIZE(cmd)))
+ return -EFAULT;
+- }
+
+ ret = ioctl_handlers[_IOC_NR(cmd)](client, buffer);
+ if (ret < 0)
+ return ret;
+
+- if (_IOC_DIR(cmd) & _IOC_READ) {
+- if (_IOC_SIZE(cmd) > sizeof(buffer) ||
+- copy_to_user(arg, buffer, _IOC_SIZE(cmd)))
++ if (_IOC_DIR(cmd) & _IOC_READ)
++ if (copy_to_user(arg, buffer, _IOC_SIZE(cmd)))
+ return -EFAULT;
+- }
+
+ return ret;
+ }
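Review bot: The new `memset(&buffer, 0, _IOC_SIZE(cmd))` is guarded by `_IOC_DIR(cmd) == _IOC_READ` rather than the `& _IOC_READ` form used two lines later for copy_to_user(), and nothing in the code explains the asymmetry, so a later reader is likely to normalise it and reintroduce a cost on every _IOWR call; a comment such as `/* _IOR only: a handler may fill fewer than _IOC_SIZE(cmd) bytes, so clear what userspace reads back; _IOWR buffers are fully overwritten by copy_from_user() below */` preserves the reasoning from the commit message. The same object is spelled `&buffer` in the memset but `buffer` in the copy_from_user()/copy_to_user() calls; one form should be used throughout. The moved size check now applies to every direction, including _IOC_NONE, which is the right place for it. dispatch_ioctl()'s declarations begin outside the hunk.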
--- /dev/null
+From 137d9ebfdbaa45c01f9f0f6d5121ae6f1eb942bd Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Fri, 19 Feb 2010 21:00:02 +0100
+Subject: firewire: core: fix an information leak
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit 137d9ebfdbaa45c01f9f0f6d5121ae6f1eb942bd upstream.
+
+If a device exposes a sparsely populated configuration ROM,
+firewire-core's sysfs interface and character device file interface
+showed random data in the gaps between config ROM blocks. Fix this by
+zero-initialization of the config ROM reader's scratch buffer.
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Cc: maximilian attems <max@stro.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firewire/core-device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/firewire/core-device.c
++++ b/drivers/firewire/core-device.c
+@@ -463,6 +463,7 @@ static int read_bus_info_block(struct fw
+ return -ENOMEM;
+
+ stack = &rom[READ_BIB_ROM_SIZE];
++ memset(rom, 0, sizeof(*rom) * READ_BIB_ROM_SIZE);
+
+ device->max_speed = SCODE_100;
+
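Review bot: The added `memset(rom, 0, sizeof(*rom) * READ_BIB_ROM_SIZE)` clears only the ROM region and leaves the `stack` area that follows it (`stack = &rom[READ_BIB_ROM_SIZE]`) as allocated; that is presumably fine if the stack is scratch space written before it is read, but if the allocation a few lines above (outside the hunk) is a kmalloc(), a kzalloc() there would clear both regions in one call and remove the hand-written size arithmetic. If the stack region is deliberately left uninitialised for cost reasons, a one-line comment on the memset, `/* gaps between config ROM blocks are exported as-is, so the scratch ROM must start zeroed */`, would stop the next reader from asking the same question. read_bus_info_block() starts and ends outside the hunk.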
--- /dev/null
+From 85f7ffd5d2b320f73912b15fe8cef34bae297daf Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Mon, 25 Oct 2010 11:41:53 +0200
+Subject: firewire: ohci: fix buffer overflow in AR split packet handling
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit 85f7ffd5d2b320f73912b15fe8cef34bae297daf upstream.
+
+When the controller had to split a received asynchronous packet into two
+buffers, the driver tries to reassemble it by copying both parts into
+the first page. However, if size + rest > PAGE_SIZE, i.e., if the yet
+unhandled packets before the split packet, the split packet itself, and
+any received packets after the split packet are together larger than one
+page, then the memory after the first page would get overwritten.
+
+To fix this, do not try to copy the data of all unhandled packets at
+once, but copy the possibly needed data every time when handling
+a packet.
+
+This gets rid of most of the infamous crashes and data corruptions when
+using firewire-net.
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (cast PAGE_SIZE to size_t)
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -739,7 +739,7 @@ static void ar_context_tasklet(unsigned long data)
+ d = &ab->descriptor;
+
+ if (d->res_count == 0) {
+- size_t size, rest, offset;
++ size_t size, size2, rest, pktsize, size3, offset;
+ dma_addr_t start_bus;
+ void *start;
+
+@@ -756,12 +756,41 @@ static void ar_context_tasklet(unsigned long data)
+ ab = ab->next;
+ d = &ab->descriptor;
+ size = buffer + PAGE_SIZE - ctx->pointer;
++ /* valid buffer data in the next page */
+ rest = le16_to_cpu(d->req_count) - le16_to_cpu(d->res_count);
++ /* what actually fits in this page */
++ size2 = min(rest, (size_t)PAGE_SIZE - size);
+ memmove(buffer, ctx->pointer, size);
+- memcpy(buffer + size, ab->data, rest);
++ memcpy(buffer + size, ab->data, size2);
+ ctx->current_buffer = ab;
+ ctx->pointer = (void *) ab->data + rest;
+- end = buffer + size + rest;
++
++ while (size > 0) {
++ void *next = handle_ar_packet(ctx, buffer);
++ pktsize = next - buffer;
++ if (pktsize >= size) {
++ /*
++ * We have handled all the data that was
++ * originally in this page, so we can now
++ * continue in the next page.
++ */
++ buffer = next;
++ break;
++ }
++ /* move the next packet to the start of the buffer */
++ memmove(buffer, next, size + size2 - pktsize);
++ size -= pktsize;
++ /* fill up this page again */
++ size3 = min(rest - size2,
++ (size_t)PAGE_SIZE - size - size2);
++ memcpy(buffer + size + size2,
++ (void *) ab->data + size2, size3);
++ size2 += size3;
++ }
++
++ /* handle the packets that are fully in the next page */
++ buffer = (void *) ab->data + (buffer - (start + size));
++ end = (void *) ab->data + rest;
+
+ while (buffer < end)
+ buffer = handle_ar_packet(ctx, buffer);
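Review bot: The reassembly loop added to ar_context_tasklet juggles `size`, `size2`, `size3`, `rest` and `pktsize`, whose names carry none of their invariants; the per-line comments help, but a block comment at the widened declaration `size_t size, size2, rest, pktsize, size3, offset;` stating the relationships (size = bytes left over in this page, rest = valid bytes in the next page, size2 = bytes of rest already copied behind them, with size + size2 <= PAGE_SIZE and size2 <= rest holding on every iteration) would make both `min()` arguments checkable at a glance. The loop also terminates only if handle_ar_packet() always returns a pointer strictly past `buffer`; the existing `while (buffer < end)` loop already relied on that, so it is not a new assumption, but there are now two places depending on it and one comment naming it would be cheap. This patch file also lacks the diffstat block the other entries carry. ar_context_tasklet() starts and ends outside the hunks.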
--- /dev/null
+From a1f805e5e73a8fe166b71c6592d3837df0cd5e2e Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Mon, 25 Oct 2010 11:42:20 +0200
+Subject: firewire: ohci: fix race in AR split packet handling
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit a1f805e5e73a8fe166b71c6592d3837df0cd5e2e upstream.
+
+When handling an AR buffer that has been completely filled, we assumed
+that its descriptor will not be read by the controller and can be
+overwritten. However, when the last received packet happens to end at
+the end of the buffer, the controller might not yet have moved on to the
+next buffer and might read the branch address later. If we overwrite
+and free the page before that, the DMA context will either go dead
+because of an invalid Z value, or go off into some random memory.
+
+To fix this, ensure that the descriptor does not get overwritten by
+using only the actual buffer instead of the entire page for reassembling
+the split packet. Furthermore, to avoid freeing the page too early,
+move on to the next buffer only when some data in it guarantees that the
+controller has moved on.
+
+This should eliminate the remaining firewire-net problems.
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firewire/ohci.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -639,20 +639,19 @@ static void ar_context_tasklet(unsigned
+ */
+
+ offset = offsetof(struct ar_buffer, data);
+- start = buffer = ab;
++ start = ab;
+ start_bus = le32_to_cpu(ab->descriptor.data_address) - offset;
++ buffer = ab->data;
+
+ ab = ab->next;
+ d = &ab->descriptor;
+- size = buffer + PAGE_SIZE - ctx->pointer;
++ size = start + PAGE_SIZE - ctx->pointer;
+ /* valid buffer data in the next page */
+ rest = le16_to_cpu(d->req_count) - le16_to_cpu(d->res_count);
+ /* what actually fits in this page */
+- size2 = min(rest, (size_t)PAGE_SIZE - size);
++ size2 = min(rest, (size_t)PAGE_SIZE - offset - size);
+ memmove(buffer, ctx->pointer, size);
+ memcpy(buffer + size, ab->data, size2);
+- ctx->current_buffer = ab;
+- ctx->pointer = (void *) ab->data + rest;
+
+ while (size > 0) {
+ void *next = handle_ar_packet(ctx, buffer);
+@@ -671,22 +670,30 @@ static void ar_context_tasklet(unsigned
+ size -= pktsize;
+ /* fill up this page again */
+ size3 = min(rest - size2,
+- (size_t)PAGE_SIZE - size - size2);
++ (size_t)PAGE_SIZE - offset - size - size2);
+ memcpy(buffer + size + size2,
+ (void *) ab->data + size2, size3);
+ size2 += size3;
+ }
+
+- /* handle the packets that are fully in the next page */
+- buffer = (void *) ab->data + (buffer - (start + size));
+- end = (void *) ab->data + rest;
+-
+- while (buffer < end)
+- buffer = handle_ar_packet(ctx, buffer);
+-
+- dma_free_coherent(ohci->card.device, PAGE_SIZE,
+- start, start_bus);
+- ar_context_add_page(ctx);
++ if (rest > 0) {
++ /* handle the packets that are fully in the next page */
++ buffer = (void *) ab->data +
++ (buffer - (start + offset + size));
++ end = (void *) ab->data + rest;
++
++ while (buffer < end)
++ buffer = handle_ar_packet(ctx, buffer);
++
++ ctx->current_buffer = ab;
++ ctx->pointer = end;
++
++ dma_free_coherent(ohci->card.device, PAGE_SIZE,
++ start, start_bus);
++ ar_context_add_page(ctx);
++ } else {
++ ctx->pointer = start + PAGE_SIZE;
++ }
+ } else {
+ buffer = ctx->pointer;
+ ctx->pointer = end =
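Review bot: The new `else { ctx->pointer = start + PAGE_SIZE; }` branch for `rest == 0` deliberately keeps `ctx->current_buffer` on the current page and skips dma_free_coherent()/ar_context_add_page(), but the code does not say why; the rationale lives only in the commit message. A comment on the else branch such as `/* nothing has arrived in the next page yet: keep this page, the controller may still read its branch descriptor; it is released once data lands in the next page */` would preserve it in the source. A similar one-liner above `buffer = ab->data;`, noting that reassembly now uses only the data area so the descriptor is never overwritten, would document the other half of the fix. ar_context_tasklet() starts and ends outside the hunks.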
--- /dev/null
+From mtosatti@redhat.com Mon Dec 6 11:02:14 2010
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 29 Nov 2010 13:00:15 -0200
+Subject: KVM: VMX: Fix host userspace gsbase corruption
+To: greg@kroah.com
+Cc: avi@redhat.com, mtosatti@redhat.com, stable@kernel.org
+Message-ID: <20101129150040.205107681@redhat.com>
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit c8770e7ba63bb5dd8fe5f9d251275a8fa717fb78 upstream.
+
+We now use load_gs_index() to load gs safely; unfortunately this also
+changes MSR_KERNEL_GS_BASE, which we managed separately. This resulted
+in confusion and breakage running 32-bit host userspace on a 64-bit kernel.
+
+Fix by
+- saving guest MSR_KERNEL_GS_BASE before we we reload the host's gs
+- doing the host save/load unconditionally, instead of only when in guest
+ long mode
+
+Things can be cleaned up further, but this is the minmal fix for now.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+[bwh: Backport to 2.6.32]
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/vmx.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -654,10 +654,7 @@ static void vmx_save_host_state(struct k
+ #endif
+
+ #ifdef CONFIG_X86_64
+- if (is_long_mode(&vmx->vcpu))
+- save_msrs(vmx->host_msrs +
+- vmx->msr_offset_kernel_gs_base, 1);
+-
++ save_msrs(vmx->host_msrs + vmx->msr_offset_kernel_gs_base, 1);
+ #endif
+ load_msrs(vmx->guest_msrs, vmx->save_nmsrs);
+ load_transition_efer(vmx);
+@@ -672,17 +669,26 @@ static void __vmx_load_host_state(struct
+ vmx->host_state.loaded = 0;
+ if (vmx->host_state.fs_reload_needed)
+ loadsegment(fs, vmx->host_state.fs_sel);
++#ifdef CONFIG_X86_64
++ if (is_long_mode(&vmx->vcpu))
++ save_msrs(vmx->guest_msrs + vmx->msr_offset_kernel_gs_base, 1);
++#endif
+ if (vmx->host_state.gs_ldt_reload_needed) {
+ kvm_load_ldt(vmx->host_state.ldt_sel);
+ #ifdef CONFIG_X86_64
+ load_gs_index(vmx->host_state.gs_sel);
+- wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
+ #else
+ loadsegment(gs, vmx->host_state.gs_sel);
+ #endif
+ }
+ reload_tss();
++#ifdef CONFIG_X86_64
++ save_msrs(vmx->guest_msrs, vmx->msr_offset_kernel_gs_base);
++ save_msrs(vmx->guest_msrs + vmx->msr_offset_kernel_gs_base + 1,
++ vmx->save_nmsrs - vmx->msr_offset_kernel_gs_base - 1);
++#else
+ save_msrs(vmx->guest_msrs, vmx->save_nmsrs);
++#endif
+ load_msrs(vmx->host_msrs, vmx->save_nmsrs);
+ reload_host_efer(vmx);
+ load_gdt(&__get_cpu_var(host_gdt));
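Review bot: The ordering constraint that makes the second hunk correct, that the guest's MSR_KERNEL_GS_BASE must be read before `load_gs_index()` because load_gs_index() overwrites that MSR, is stated only in the commit message; the new `save_msrs(vmx->guest_msrs + vmx->msr_offset_kernel_gs_base, 1)` call should carry it, e.g. `/* must precede load_gs_index(), which clobbers MSR_KERNEL_GS_BASE */`. The later split `save_msrs(vmx->guest_msrs, vmx->msr_offset_kernel_gs_base)` / `save_msrs(... + 1, vmx->save_nmsrs - vmx->msr_offset_kernel_gs_base - 1)` assumes msr_offset_kernel_gs_base lies inside the first save_nmsrs entries; the setup code is not in the hunk, so if that slot can fall outside the saved prefix the second count would go negative and the entries after the slot would be skipped, which deserves either a comment stating the precondition or a WARN_ON() on it. __vmx_load_host_state() continues outside the hunk.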
--- /dev/null
+From 85dedd445698c5bbd096289cfcc6034f74941815 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Wed, 10 Nov 2010 12:08:12 +0200
+Subject: KVM: VMX: fix vmx null pointer dereference on debug register access
+
+There is a bug in KVM that can be used to crash a host on Intel
+machines. If emulator is tricked into emulating mov to/from DR instruction
+it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
+are not initialized. Recently this is not exploitable from guest
+userspace, but malicious guest kernel can trigger it easily.
+
+CVE-2010-0435
+
+On upstream bug was fixed differently around 2.6.34.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_c
+ {
+ struct kvm_vcpu *vcpu = ctxt->vcpu;
+
++ if (!kvm_x86_ops->get_dr)
++ return X86EMUL_UNHANDLEABLE;
++
+ switch (dr) {
+ case 0 ... 3:
+ *dest = kvm_x86_ops->get_dr(vcpu, dr);
+@@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_c
+ unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
+ int exception;
+
++ if (!kvm_x86_ops->set_dr)
++ return X86EMUL_UNHANDLEABLE;
++
+ kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
+ if (exception) {
+ /* FIXME: better handling */
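Review bot: The two new guards, `if (!kvm_x86_ops->get_dr) return X86EMUL_UNHANDLEABLE;` and its set_dr twin, carry no comment, so nothing in the code records that a NULL hook is a legitimate state here (the VMX backend simply does not provide them, per the commit message) rather than an initialisation bug; a comment such as `/* VMX provides no get_dr/set_dr in this tree: refuse emulation rather than dereference NULL (CVE-2010-0435); upstream fixed this differently around 2.6.34 */` would also warn anyone rebasing that this hunk has no upstream counterpart. The guards cover only the emulator entry points; if other callers of these hooks exist in this tree they are not visible here. emulator_get_dr() and emulator_set_dr() both continue outside the hunks.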
--- /dev/null
+From 38715258aa2e8cd94bd4aafadc544e5104efd551 Mon Sep 17 00:00:00 2001
+From: Ken Chen <kenchen@google.com>
+Date: Thu, 11 Nov 2010 14:05:16 -0800
+Subject: latencytop: fix per task accumulator
+
+From: Ken Chen <kenchen@google.com>
+
+commit 38715258aa2e8cd94bd4aafadc544e5104efd551 upstream.
+
+Per task latencytop accumulator prematurely terminates due to erroneous
+placement of latency_record_count. It should be incremented whenever a
+new record is allocated instead of increment on every latencytop event.
+
+Also fix search iterator to only search known record events instead of
+blindly searching all pre-allocated space.
+
+Signed-off-by: Ken Chen <kenchen@google.com>
+Reviewed-by: Arjan van de Ven <arjan@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/latencytop.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/kernel/latencytop.c
++++ b/kernel/latencytop.c
+@@ -195,14 +195,7 @@ __account_scheduler_latency(struct task_
+
+ account_global_scheduler_latency(tsk, &lat);
+
+- /*
+- * short term hack; if we're > 32 we stop; future we recycle:
+- */
+- tsk->latency_record_count++;
+- if (tsk->latency_record_count >= LT_SAVECOUNT)
+- goto out_unlock;
+-
+- for (i = 0; i < LT_SAVECOUNT; i++) {
++ for (i = 0; i < tsk->latency_record_count; i++) {
+ struct latency_record *mylat;
+ int same = 1;
+
+@@ -228,8 +221,14 @@ __account_scheduler_latency(struct task_
+ }
+ }
+
++ /*
++ * short term hack; if we're > 32 we stop; future we recycle:
++ */
++ if (tsk->latency_record_count >= LT_SAVECOUNT)
++ goto out_unlock;
++
+ /* Allocated a new one: */
+- i = tsk->latency_record_count;
++ i = tsk->latency_record_count++;
+ memcpy(&tsk->latency_record[i], &lat, sizeof(struct latency_record));
+
+ out_unlock:
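Review bot: The relocated comment `short term hack; if we're > 32 we stop` no longer matches the test beneath it, `if (tsk->latency_record_count >= LT_SAVECOUNT)`, which stops once the count reaches LT_SAVECOUNT and repeats the constant's value in prose; `/* short term hack: once LT_SAVECOUNT records exist we stop; in future we recycle */` keeps the comment honest if the constant changes. With the check now after the search loop, the bound `i < tsk->latency_record_count` is what keeps `tsk->latency_record[i]` in range, and `i = tsk->latency_record_count++` relies on the guard having just run; a one-line comment on the allocation, `/* count < LT_SAVECOUNT was checked above, so this slot exists */`, ties the two together. __account_scheduler_latency() continues outside both hunks.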
--- /dev/null
+From 8d056cb965b8fb7c53c564abf28b1962d1061cd3 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+Date: Thu, 11 Nov 2010 14:05:15 -0800
+Subject: mm/vfs: revalidate page->mapping in do_generic_file_read()
+
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+
+commit 8d056cb965b8fb7c53c564abf28b1962d1061cd3 upstream.
+
+70 hours into some stress tests of a 2.6.32-based enterprise kernel, we
+ran into a NULL dereference in here:
+
+ int block_is_partially_uptodate(struct page *page, read_descriptor_t *desc,
+ unsigned long from)
+ {
+----> struct inode *inode = page->mapping->host;
+
+It looks like page->mapping was the culprit. (xmon trace is below).
+After closer examination, I realized that do_generic_file_read() does a
+find_get_page(), and eventually locks the page before calling
+block_is_partially_uptodate(). However, it doesn't revalidate the
+page->mapping after the page is locked. So, there's a small window
+between the find_get_page() and ->is_partially_uptodate() where the page
+could get truncated and page->mapping cleared.
+
+We _have_ a reference, so it can't get reclaimed, but it certainly
+can be truncated.
+
+I think the correct thing is to check page->mapping after the
+trylock_page(), and jump out if it got truncated. This patch has been
+running in the test environment for a month or so now, and we have not
+seen this bug pop up again.
+
+xmon info:
+
+ 1f:mon> e
+ cpu 0x1f: Vector: 300 (Data Access) at [c0000002ae36f770]
+ pc: c0000000001e7a6c: .block_is_partially_uptodate+0xc/0x100
+ lr: c000000000142944: .generic_file_aio_read+0x1e4/0x770
+ sp: c0000002ae36f9f0
+ msr: 8000000000009032
+ dar: 0
+ dsisr: 40000000
+ current = 0xc000000378f99e30
+ paca = 0xc000000000f66300
+ pid = 21946, comm = bash
+ 1f:mon> r
+ R00 = 0025c0500000006d R16 = 0000000000000000
+ R01 = c0000002ae36f9f0 R17 = c000000362cd3af0
+ R02 = c000000000e8cd80 R18 = ffffffffffffffff
+ R03 = c0000000031d0f88 R19 = 0000000000000001
+ R04 = c0000002ae36fa68 R20 = c0000003bb97b8a0
+ R05 = 0000000000000000 R21 = c0000002ae36fa68
+ R06 = 0000000000000000 R22 = 0000000000000000
+ R07 = 0000000000000001 R23 = c0000002ae36fbb0
+ R08 = 0000000000000002 R24 = 0000000000000000
+ R09 = 0000000000000000 R25 = c000000362cd3a80
+ R10 = 0000000000000000 R26 = 0000000000000002
+ R11 = c0000000001e7b60 R27 = 0000000000000000
+ R12 = 0000000042000484 R28 = 0000000000000001
+ R13 = c000000000f66300 R29 = c0000003bb97b9b8
+ R14 = 0000000000000001 R30 = c000000000e28a08
+ R15 = 000000000000ffff R31 = c0000000031d0f88
+ pc = c0000000001e7a6c .block_is_partially_uptodate+0xc/0x100
+ lr = c000000000142944 .generic_file_aio_read+0x1e4/0x770
+ msr = 8000000000009032 cr = 22000488
+ ctr = c0000000001e7a60 xer = 0000000020000000 trap = 300
+ dar = 0000000000000000 dsisr = 40000000
+ 1f:mon> t
+ [link register ] c000000000142944 .generic_file_aio_read+0x1e4/0x770
+ [c0000002ae36f9f0] c000000000142a14 .generic_file_aio_read+0x2b4/0x770 (unreliable)
+ [c0000002ae36fb40] c0000000001b03e4 .do_sync_read+0xd4/0x160
+ [c0000002ae36fce0] c0000000001b153c .vfs_read+0xec/0x1f0
+ [c0000002ae36fd80] c0000000001b1768 .SyS_read+0x58/0xb0
+ [c0000002ae36fe30] c00000000000852c syscall_exit+0x0/0x40
+ --- Exception: c00 (System Call) at 00000080a840bc54
+ SP (fffca15df30) is in userspace
+ 1f:mon> di c0000000001e7a6c
+ c0000000001e7a6c e9290000 ld r9,0(r9)
+ c0000000001e7a70 418200c0 beq c0000000001e7b30 # .block_is_partially_uptodate+0xd0/0x100
+ c0000000001e7a74 e9440008 ld r10,8(r4)
+ c0000000001e7a78 78a80020 clrldi r8,r5,32
+ c0000000001e7a7c 3c000001 lis r0,1
+ c0000000001e7a80 812900a8 lwz r9,168(r9)
+ c0000000001e7a84 39600001 li r11,1
+ c0000000001e7a88 7c080050 subf r0,r8,r0
+ c0000000001e7a8c 7f805040 cmplw cr7,r0,r10
+ c0000000001e7a90 7d6b4830 slw r11,r11,r9
+ c0000000001e7a94 796b0020 clrldi r11,r11,32
+ c0000000001e7a98 419d00a8 bgt cr7,c0000000001e7b40 # .block_is_partially_uptodate+0xe0/0x100
+ c0000000001e7a9c 7fa55840 cmpld cr7,r5,r11
+ c0000000001e7aa0 7d004214 add r8,r0,r8
+ c0000000001e7aa4 79080020 clrldi r8,r8,32
+ c0000000001e7aa8 419c0078 blt cr7,c0000000001e7b20 # .block_is_partially_uptodate+0xc0/0x100
+
+Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
+Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
+Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Rik van Riel <riel@redhat.com>
+Cc: <arunabal@in.ibm.com>
+Cc: <sbest@us.ibm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Minchan Kim <minchan.kim@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/filemap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1030,6 +1030,9 @@ find_page:
+ goto page_not_up_to_date;
+ if (!trylock_page(page))
+ goto page_not_up_to_date;
++ /* Did it get truncated before we got the lock? */
++ if (!page->mapping)
++ goto page_not_up_to_date_locked;
+ if (!mapping->a_ops->is_partially_uptodate(page,
+ desc, offset))
+ goto page_not_up_to_date_locked;
--- /dev/null
+From 6b1686a71e3158d3c5f125260effce171cc7852b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 28 Oct 2010 12:34:21 +0200
+Subject: netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem pages
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 6b1686a71e3158d3c5f125260effce171cc7852b upstream.
+
+commit ea781f197d6a8 (use SLAB_DESTROY_BY_RCU and get rid of call_rcu())
+did a mistake in __vmalloc() call in nf_ct_alloc_hashtable().
+
+I forgot to add __GFP_HIGHMEM, so pages were taken from LOWMEM only.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netfilter/nf_conntrack_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1173,7 +1173,8 @@ void *nf_ct_alloc_hashtable(unsigned int
+ if (!hash) {
+ *vmalloced = 1;
+ printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
+- hash = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
++ hash = __vmalloc(sz, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
++ PAGE_KERNEL);
+ }
+
+ if (hash && nulls)
tty-restore-tty_ldisc_wait_idle.patch
tty_ldisc-fix-bug-on-hangup.patch
tty-ldisc-fix-open-flag-handling.patch
+kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
+0001-KVM-x86-fix-information-leak-to-userland.patch
+kvm-vmx-fix-host-userspace-gsbase-corruption.patch
+firewire-cdev-fix-information-leak.patch
+firewire-core-fix-an-information-leak.patch
+firewire-ohci-fix-buffer-overflow-in-ar-split-packet-handling.patch
+firewire-ohci-fix-race-in-ar-split-packet-handling.patch
+alsa-ac97-apply-quirk-for-dell-latitude-d610-binding-master-and-headphone-controls.patch
+alsa-hda-add-an-extra-dac-for-realtek-alc887-vd.patch
+alsa-hda-use-alienware-model-quirk-for-another-ssid.patch
+netfilter-nf_conntrack-allow-nf_ct_alloc_hashtable-to-get-highmem-pages.patch
+latencytop-fix-per-task-accumulator.patch
+mm-vfs-revalidate-page-mapping-in-do_generic_file_read.patch