jforbes pushed to kernel (f21). "Linux v3.19.3"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Mar 26 21:17:14 UTC 2015
>From 0faec04810b97537ea4267b3316ef29d2a54dfef Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" <jforbes at redhat.com>
Date: Thu, 26 Mar 2015 16:16:58 -0500
Subject: Linux v3.19.3
diff --git a/aarch64-fix-tlb-issues.patch b/aarch64-fix-tlb-issues.patch
deleted file mode 100644
index 439da38..0000000
--- a/aarch64-fix-tlb-issues.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-commit 285994a62c80f1d72c6924282bcb59608098d5ec
-Author: Catalin Marinas <catalin.marinas at arm.com>
-Date: Wed Mar 11 12:20:39 2015 +0000
-
- arm64: Invalidate the TLB corresponding to intermediate page table levels
-
- The ARM architecture allows the caching of intermediate page table
- levels and page table freeing requires a sequence like:
-
- pmd_clear()
- TLB invalidation
- pte page freeing
-
- With commit 5e5f6dc10546 (arm64: mm: enable HAVE_RCU_TABLE_FREE logic),
- the page table freeing batching was moved from tlb_remove_page() to
- tlb_remove_table(). The former takes care of TLB invalidation as this is
- also shared with pte clearing and page cache page freeing. The latter,
- however, does not invalidate the TLBs for intermediate page table levels
- as it probably relies on the architecture code to do it if required.
- When the mm->mm_users < 2, tlb_remove_table() does not do any batching
- and page table pages are freed before tlb_finish_mmu() which performs
- the actual TLB invalidation.
-
- This patch introduces __tlb_flush_pgtable() for arm64 and calls it from
- the {pte,pmd,pud}_free_tlb() directly without relying on deferred page
- table freeing.
-
- Fixes: 5e5f6dc10546 arm64: mm: enable HAVE_RCU_TABLE_FREE logic
- Reported-by: Jon Masters <jcm at redhat.com>
- Tested-by: Jon Masters <jcm at redhat.com>
- Tested-by: Steve Capper <steve.capper at linaro.org>
- Signed-off-by: Catalin Marinas <catalin.marinas at arm.com>
-
-diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h
-index c028fe3..53d9c35 100644
---- a/arch/arm64/include/asm/tlb.h
-+++ b/arch/arm64/include/asm/tlb.h
-@@ -48,6 +48,7 @@ static inline void tlb_flush(struct mmu_gather *tlb)
- static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
- unsigned long addr)
- {
-+ __flush_tlb_pgtable(tlb->mm, addr);
- pgtable_page_dtor(pte);
- tlb_remove_entry(tlb, pte);
- }
-@@ -56,6 +57,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
- static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
- unsigned long addr)
- {
-+ __flush_tlb_pgtable(tlb->mm, addr);
- tlb_remove_entry(tlb, virt_to_page(pmdp));
- }
- #endif
-@@ -64,6 +66,7 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
- static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pudp,
- unsigned long addr)
- {
-+ __flush_tlb_pgtable(tlb->mm, addr);
- tlb_remove_entry(tlb, virt_to_page(pudp));
- }
- #endif
-diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
-index 4abe9b9..c3bb05b 100644
---- a/arch/arm64/include/asm/tlbflush.h
-+++ b/arch/arm64/include/asm/tlbflush.h
-@@ -144,6 +144,19 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end
- }
-
- /*
-+ * Used to invalidate the TLB (walk caches) corresponding to intermediate page
-+ * table levels (pgd/pud/pmd).
-+ */
-+static inline void __flush_tlb_pgtable(struct mm_struct *mm,
-+ unsigned long uaddr)
-+{
-+ unsigned long addr = uaddr >> 12 | ((unsigned long)ASID(mm) << 48);
-+
-+ dsb(ishst);
-+ asm("tlbi vae1is, %0" : : "r" (addr));
-+ dsb(ish);
-+}
-+/*
- * On AArch64, the cache coherency is handled via the set_pte_at() function.
- */
- static inline void update_mmu_cache(struct vm_area_struct *vma,
diff --git a/kernel.spec b/kernel.spec
index 97ac5a6..62e5d20 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 201
+%global baserelease 200
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -639,9 +639,6 @@ Patch26161: Input-synaptics-re-route-tracksticks-buttons-on-the-.patch
Patch26162: Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch
Patch26163: Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch
-#CVE-2015-2150 rhbz 1196266 1200397
-Patch26165: xen-pciback-limit-guest-control-of-command-register.patch
-
#CVE-2014-8159 rhbz 1181166 1200950
Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
@@ -657,9 +654,6 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
-Patch30001: aarch64-fix-tlb-issues.patch
-
-Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
#rhbz 1204512
Patch26174: tun-return-proper-error-code-from-tun_do_read.patch
@@ -1407,9 +1401,6 @@ ApplyPatch Input-synaptics-re-route-tracksticks-buttons-on-the-.patch
ApplyPatch Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch
ApplyPatch Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch
-#CVE-2015-2150 rhbz 1196266 1200397
-ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch
-
#CVE-2014-8159 rhbz 1181166 1200950
ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
@@ -1425,15 +1416,11 @@ ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
-# Just needed for 3.19
-ApplyPatch aarch64-fix-tlb-issues.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
ApplyPatch kernel-arm64.patch -R
%endif
%endif
-ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
-
#rhbz 1204512
ApplyPatch tun-return-proper-error-code-from-tun_do_read.patch
@@ -2296,6 +2283,9 @@ fi
# ||----w |
# || ||
%changelog
+* Thu Mar 26 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.19.3-200
+- Linux v3.19.3
+
* Thu Mar 26 2015 Peter Robinson <pbrobinson at fedoraproject.org>
- Disable the broken CONFIG_MSM_IOMMU
diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
deleted file mode 100644
index 70c28d7..0000000
--- a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Al Viro <viro at ZenIV.linux.org.uk>
-Date: Fri, 20 Mar 2015 17:41:43 +0000
-Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
- sys_sendto/sys_recvfrom
-
-Cc: stable at vger.kernel.org # v3.19
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/socket.c b/net/socket.c
-index 418795caa897..d50e7ca6aeea 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
-
- if (len > INT_MAX)
- len = INT_MAX;
-+ if (unlikely(!access_ok(VERIFY_READ, buff, len)))
-+ return -EFAULT;
- sock = sockfd_lookup_light(fd, &err, &fput_needed);
- if (!sock)
- goto out;
-@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
-
- if (size > INT_MAX)
- size = INT_MAX;
-+ if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
-+ return -EFAULT;
- sock = sockfd_lookup_light(fd, &err, &fput_needed);
- if (!sock)
- goto out;
---
-2.1.0
-
diff --git a/sources b/sources
index ed7d07f..137f1ac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
d3fc8316d4d4d04b65cbc2d70799e763 linux-3.19.tar.xz
15d8d2f97ce056488451a5bfb2944603 perf-man-3.19.tar.gz
-6f7128647a2fc0912958ac1cbf96a95a patch-3.19.2.xz
+1fec75551b2f55fced43df8394b1fd9a patch-3.19.3.xz
diff --git a/xen-pciback-limit-guest-control-of-command-register.patch b/xen-pciback-limit-guest-control-of-command-register.patch
deleted file mode 100644
index 8760046..0000000
--- a/xen-pciback-limit-guest-control-of-command-register.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From: Jan Beulich <JBeulich at suse.com>
-Date: Wed, 11 Mar 2015 13:51:17 +0000
-Subject: [PATCH] xen-pciback: limit guest control of command register
-
-Otherwise the guest can abuse that control to cause e.g. PCIe
-Unsupported Request responses (by disabling memory and/or I/O decoding
-and subsequently causing [CPU side] accesses to the respective address
-ranges), which (depending on system configuration) may be fatal to the
-host.
-
-Note that to alter any of the bits collected together as
-PCI_COMMAND_GUEST permissive mode is now required to be enabled
-globally or on the specific device.
-
-This is CVE-2015-2150 / XSA-120.
-
-Signed-off-by: Jan Beulich <jbeulich at suse.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/conf_space.c | 2 +-
- drivers/xen/xen-pciback/conf_space.h | 2 +
- drivers/xen/xen-pciback/conf_space_header.c | 61 +++++++++++++++++++++++------
- 3 files changed, 51 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c
-index 46ae0f9f02ad..75fe3d466515 100644
---- a/drivers/xen/xen-pciback/conf_space.c
-+++ b/drivers/xen/xen-pciback/conf_space.c
-@@ -16,7 +16,7 @@
- #include "conf_space.h"
- #include "conf_space_quirks.h"
-
--static bool permissive;
-+bool permissive;
- module_param(permissive, bool, 0644);
-
- /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
-diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h
-index e56c934ad137..2e1d73d1d5d0 100644
---- a/drivers/xen/xen-pciback/conf_space.h
-+++ b/drivers/xen/xen-pciback/conf_space.h
-@@ -64,6 +64,8 @@ struct config_field_entry {
- void *data;
- };
-
-+extern bool permissive;
-+
- #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
-
- /* Add fields to a device - the add_fields macro expects to get a pointer to
-diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c
-index c5ee82587e8c..2d7369391472 100644
---- a/drivers/xen/xen-pciback/conf_space_header.c
-+++ b/drivers/xen/xen-pciback/conf_space_header.c
-@@ -11,6 +11,10 @@
- #include "pciback.h"
- #include "conf_space.h"
-
-+struct pci_cmd_info {
-+ u16 val;
-+};
-+
- struct pci_bar_info {
- u32 val;
- u32 len_val;
-@@ -20,22 +24,36 @@ struct pci_bar_info {
- #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
- #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
-
--static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
-+/* Bits guests are allowed to control in permissive mode. */
-+#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
-+ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
-+ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
-+
-+static void *command_init(struct pci_dev *dev, int offset)
- {
-- int i;
-- int ret;
--
-- ret = xen_pcibk_read_config_word(dev, offset, value, data);
-- if (!pci_is_enabled(dev))
-- return ret;
--
-- for (i = 0; i < PCI_ROM_RESOURCE; i++) {
-- if (dev->resource[i].flags & IORESOURCE_IO)
-- *value |= PCI_COMMAND_IO;
-- if (dev->resource[i].flags & IORESOURCE_MEM)
-- *value |= PCI_COMMAND_MEMORY;
-+ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
-+ int err;
-+
-+ if (!cmd)
-+ return ERR_PTR(-ENOMEM);
-+
-+ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
-+ if (err) {
-+ kfree(cmd);
-+ return ERR_PTR(err);
- }
-
-+ return cmd;
-+}
-+
-+static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
-+{
-+ int ret = pci_read_config_word(dev, offset, value);
-+ const struct pci_cmd_info *cmd = data;
-+
-+ *value &= PCI_COMMAND_GUEST;
-+ *value |= cmd->val & ~PCI_COMMAND_GUEST;
-+
- return ret;
- }
-
-@@ -43,6 +61,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
- {
- struct xen_pcibk_dev_data *dev_data;
- int err;
-+ u16 val;
-+ struct pci_cmd_info *cmd = data;
-
- dev_data = pci_get_drvdata(dev);
- if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
-@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
- }
- }
-
-+ cmd->val = value;
-+
-+ if (!permissive && (!dev_data || !dev_data->permissive))
-+ return 0;
-+
-+ /* Only allow the guest to control certain bits. */
-+ err = pci_read_config_word(dev, offset, &val);
-+ if (err || val == value)
-+ return err;
-+
-+ value &= PCI_COMMAND_GUEST;
-+ value |= val & ~PCI_COMMAND_GUEST;
-+
- return pci_write_config_word(dev, offset, value);
- }
-
-@@ -282,6 +315,8 @@ static const struct config_field header_common[] = {
- {
- .offset = PCI_COMMAND,
- .size = 2,
-+ .init = command_init,
-+ .release = bar_release,
- .u.w.read = command_read,
- .u.w.write = command_write,
- },
---
-2.1.0
-
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f21&id=0faec04810b97537ea4267b3316ef29d2a54dfef
More information about the scm-commits
mailing list