From: Greg Kroah-Hartman Date: Tue, 25 Jul 2017 01:02:54 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.18.63~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6d68667c394657c0525600a560a4d204ac8ddf5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: x86-xen-allow-userspace-access-during-hypercalls.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index 552f7832b76..f6ce0e07cb6 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -38,3 +38,4 @@ usb-cdc-acm-add-device-id-for-quirky-printer.patch
 usb-renesas_usbhs-fix-usbhsc_resume-for-usbhsf_runtime_pwctrl.patch
 usb-renesas_usbhs-gadget-disable-all-eps-when-the-driver-stops.patch
 md-don-t-use-flush_signals-in-userspace-processes.patch
+x86-xen-allow-userspace-access-during-hypercalls.patch
diff --git a/queue-4.4/x86-xen-allow-userspace-access-during-hypercalls.patch b/queue-4.4/x86-xen-allow-userspace-access-during-hypercalls.patch
new file mode 100644
index 00000000000..bd0c2d91df9
--- /dev/null
+++ b/queue-4.4/x86-xen-allow-userspace-access-during-hypercalls.patch
@@ -0,0 +1,55 @@
+From c54590cac51db8ab5fd30156bdaba34af915e629 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Mon, 26 Jun 2017 14:49:46 +0200
+Subject: x86/xen: allow userspace access during hypercalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Marczykowski-Górecki
+
+commit c54590cac51db8ab5fd30156bdaba34af915e629 upstream.
+
+Userspace application can do a hypercall through /dev/xen/privcmd, and
+some for some hypercalls argument is a pointers to user-provided
+structure. When SMAP is supported and enabled, hypervisor can't access.
+So, lets allow it.
+
+The same applies to HYPERVISOR_dm_op, where additionally privcmd driver
+carefully verify buffer addresses.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Marczykowski-Górecki
+Reviewed-by: Juergen Gross
+[HYPERVISOR_dm_op dropped - not present until 4.11]
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/xen/hypercall.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/include/asm/xen/hypercall.h
++++ b/arch/x86/include/asm/xen/hypercall.h
+@@ -43,6 +43,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -213,10 +214,12 @@ privcmd_call(unsigned call,
+ __HYPERCALL_DECLS;
+ __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
+
++ stac();
+ asm volatile("call *%[call]"
+ : __HYPERCALL_5PARAM
+ : [call] "a" (&hypercall_page[call])
+ : __HYPERCALL_CLOBBER5);
++ clac();
+
+ return (long)__res;
+ }
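Review bot: The stac()/clac() pair added around `call *%[call]` in privcmd_call has no comment, so the reason SMAP protection is lifted here is recorded only in the commit message. I would add above stac(): `/* The hypervisor dereferences user pointers passed as hypercall arguments; permit user access (SMAP) only for the duration of the call. */`. The window applies to every hypercall issued through this path, including ones that take no user pointer, so the comment should also say that nothing else may be placed between stac() and clac(). The commit message notes the dm_op part, where privcmd verifies buffer addresses, was dropped from this backport. privcmd_call starts outside the hunk, so whether a1..a5 are checked before this point cannot be seen here.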