From: Greg Kroah-Hartman Date: Tue, 25 Jul 2017 00:23:29 +0000 (-0700) Subject: 4.12-stable patches X-Git-Tag: v3.18.63~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=233e97f7b58b7b5e1449f8acc8b3e0a78ba9eca9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: x86-xen-allow-userspace-access-during-hypercalls.patch
---
diff --git a/queue-4.12/series b/queue-4.12/series
index 331ab058473..3fd1cb68c58 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -74,3 +74,4 @@ usb-renesas_usbhs-gadget-disable-all-eps-when-the-driver-stops.patch
 hid-multitouch-do-not-blindly-set-ev_key-or-ev_abs-bits.patch
 md-don-t-use-flush_signals-in-userspace-processes.patch
 md-fix-deadlock-between-mddev_suspend-and-md_write_start.patch
+x86-xen-allow-userspace-access-during-hypercalls.patch
diff --git a/queue-4.12/x86-xen-allow-userspace-access-during-hypercalls.patch b/queue-4.12/x86-xen-allow-userspace-access-during-hypercalls.patch
new file mode 100644
index 00000000000..a6904db2ec0
--- /dev/null
+++ b/queue-4.12/x86-xen-allow-userspace-access-during-hypercalls.patch
@@ -0,0 +1,66 @@
+From c54590cac51db8ab5fd30156bdaba34af915e629 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Mon, 26 Jun 2017 14:49:46 +0200
+Subject: x86/xen: allow userspace access during hypercalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Marczykowski-Górecki
+
+commit c54590cac51db8ab5fd30156bdaba34af915e629 upstream.
+
+Userspace application can do a hypercall through /dev/xen/privcmd, and
+some for some hypercalls argument is a pointers to user-provided
+structure. When SMAP is supported and enabled, hypervisor can't access.
+So, lets allow it.
+
+The same applies to HYPERVISOR_dm_op, where additionally privcmd driver
+carefully verify buffer addresses.
+
+Signed-off-by: Marek Marczykowski-Górecki
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/xen/hypercall.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/xen/hypercall.h
++++ b/arch/x86/include/asm/xen/hypercall.h
+@@ -43,6 +43,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -214,10 +215,12 @@ privcmd_call(unsigned call,
+ __HYPERCALL_DECLS;
+ __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
+
++ stac();
+ asm volatile("call *%[call]"
+ : __HYPERCALL_5PARAM
+ : [call] "a" (&hypercall_page[call])
+ : __HYPERCALL_CLOBBER5);
++ clac();
+
+ return (long)__res;
+ }
+@@ -476,7 +479,11 @@ static inline int
+ HYPERVISOR_dm_op(
+ domid_t dom, unsigned int nr_bufs, void *bufs)
+ {
+- return _hypercall3(int, dm_op, dom, nr_bufs, bufs);
++ int ret;
++ stac();
++ ret = _hypercall3(int, dm_op, dom, nr_bufs, bufs);
++ clac();
++ return ret;
+ }
+
+ static inline void
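Review bot: The stac()/clac() pairs added in privcmd_call() and HYPERVISOR_dm_op() carry no comment, so nothing in the header tells a later editor that SMAP protection is lifted between them and that only the hypercall itself belongs in that window. I would add above each stac() something like `/* Args may be user pointers passed via privcmd; keep only the hypercall between stac() and clac(). */`. For HYPERVISOR_dm_op() the description relies on the privcmd driver verifying buffer addresses, which is not visible in this hunk; since the bracket is unconditional in the inline, any other in-kernel caller would presumably also run with user access enabled, so it is worth confirming privcmd is the only path that reaches it. As a style point, kernel convention wants a blank line after the `int ret;` declaration. privcmd_call() begins outside the quoted hunk.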