jforbes pushed to kernel (f21). "Linux v3.19.3"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu Mar 26 21:17:14 UTC 2015 

>From 0faec04810b97537ea4267b3316ef29d2a54dfef Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes" <jforbes at redhat.com>
Date: Thu, 26 Mar 2015 16:16:58 -0500
Subject: Linux v3.19.3


diff --git a/aarch64-fix-tlb-issues.patch b/aarch64-fix-tlb-issues.patch
deleted file mode 100644
index 439da38..0000000
--- a/aarch64-fix-tlb-issues.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-commit 285994a62c80f1d72c6924282bcb59608098d5ec
-Author: Catalin Marinas <catalin.marinas at arm.com>
-Date:   Wed Mar 11 12:20:39 2015 +0000
-
-    arm64: Invalidate the TLB corresponding to intermediate page table levels
-    
-    The ARM architecture allows the caching of intermediate page table
-    levels and page table freeing requires a sequence like:
-    
-    	pmd_clear()
-    	TLB invalidation
-    	pte page freeing
-    
-    With commit 5e5f6dc10546 (arm64: mm: enable HAVE_RCU_TABLE_FREE logic),
-    the page table freeing batching was moved from tlb_remove_page() to
-    tlb_remove_table(). The former takes care of TLB invalidation as this is
-    also shared with pte clearing and page cache page freeing. The latter,
-    however, does not invalidate the TLBs for intermediate page table levels
-    as it probably relies on the architecture code to do it if required.
-    When the mm->mm_users < 2, tlb_remove_table() does not do any batching
-    and page table pages are freed before tlb_finish_mmu() which performs
-    the actual TLB invalidation.
-    
-    This patch introduces __tlb_flush_pgtable() for arm64 and calls it from
-    the {pte,pmd,pud}_free_tlb() directly without relying on deferred page
-    table freeing.
-    
-    Fixes: 5e5f6dc10546 arm64: mm: enable HAVE_RCU_TABLE_FREE logic
-    Reported-by: Jon Masters <jcm at redhat.com>
-    Tested-by: Jon Masters <jcm at redhat.com>
-    Tested-by: Steve Capper <steve.capper at linaro.org>
-    Signed-off-by: Catalin Marinas <catalin.marinas at arm.com>
-
-diff --git a/arch/arm64/include/asm/tlb.h b/arch/arm64/include/asm/tlb.h
-index c028fe3..53d9c35 100644
---- a/arch/arm64/include/asm/tlb.h
-+++ b/arch/arm64/include/asm/tlb.h
-@@ -48,6 +48,7 @@ static inline void tlb_flush(struct mmu_gather *tlb)
- static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
- 				  unsigned long addr)
- {
-+	__flush_tlb_pgtable(tlb->mm, addr);
- 	pgtable_page_dtor(pte);
- 	tlb_remove_entry(tlb, pte);
- }
-@@ -56,6 +57,7 @@ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
- static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
- 				  unsigned long addr)
- {
-+	__flush_tlb_pgtable(tlb->mm, addr);
- 	tlb_remove_entry(tlb, virt_to_page(pmdp));
- }
- #endif
-@@ -64,6 +66,7 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
- static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pudp,
- 				  unsigned long addr)
- {
-+	__flush_tlb_pgtable(tlb->mm, addr);
- 	tlb_remove_entry(tlb, virt_to_page(pudp));
- }
- #endif
-diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
-index 4abe9b9..c3bb05b 100644
---- a/arch/arm64/include/asm/tlbflush.h
-+++ b/arch/arm64/include/asm/tlbflush.h
-@@ -144,6 +144,19 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end
- }
- 
- /*
-+ * Used to invalidate the TLB (walk caches) corresponding to intermediate page
-+ * table levels (pgd/pud/pmd).
-+ */
-+static inline void __flush_tlb_pgtable(struct mm_struct *mm,
-+				       unsigned long uaddr)
-+{
-+	unsigned long addr = uaddr >> 12 | ((unsigned long)ASID(mm) << 48);
-+
-+	dsb(ishst);
-+	asm("tlbi	vae1is, %0" : : "r" (addr));
-+	dsb(ish);
-+}
-+/*
-  * On AArch64, the cache coherency is handled via the set_pte_at() function.
-  */
- static inline void update_mmu_cache(struct vm_area_struct *vma,
diff --git a/kernel.spec b/kernel.spec
index 97ac5a6..62e5d20 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 201
+%global baserelease 200
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -639,9 +639,6 @@ Patch26161: Input-synaptics-re-route-tracksticks-buttons-on-the-.patch
 Patch26162: Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch
 Patch26163: Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch
 
-#CVE-2015-2150 rhbz 1196266 1200397
-Patch26165: xen-pciback-limit-guest-control-of-command-register.patch
-
 #CVE-2014-8159 rhbz 1181166 1200950
 Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
 
@@ -657,9 +654,6 @@ Patch26172: x86-microcode-intel-Guard-against-stack-overflow-in-.patch
 
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
-Patch30001: aarch64-fix-tlb-issues.patch
-
-Patch26173: net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
 
 #rhbz 1204512
 Patch26174: tun-return-proper-error-code-from-tun_do_read.patch
@@ -1407,9 +1401,6 @@ ApplyPatch Input-synaptics-re-route-tracksticks-buttons-on-the-.patch
 ApplyPatch Input-synaptics-remove-X1-Carbon-3rd-gen-from-the-to.patch
 ApplyPatch Input-synaptics-remove-X250-from-the-topbuttonpad-li.patch
 
-#CVE-2015-2150 rhbz 1196266 1200397
-ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch
-
 #CVE-2014-8159 rhbz 1181166 1200950
 ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
 
@@ -1425,15 +1416,11 @@ ApplyPatch x86-microcode-intel-Guard-against-stack-overflow-in-.patch
 
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
-# Just needed for 3.19
-ApplyPatch aarch64-fix-tlb-issues.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
 ApplyPatch kernel-arm64.patch -R
 %endif
 %endif
 
-ApplyPatch net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
-
 #rhbz 1204512
 ApplyPatch tun-return-proper-error-code-from-tun_do_read.patch
 
@@ -2296,6 +2283,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Thu Mar 26 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.19.3-200
+- Linux v3.19.3
+
 * Thu Mar 26 2015 Peter Robinson <pbrobinson at fedoraproject.org>
 - Disable the broken CONFIG_MSM_IOMMU
 
diff --git a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch b/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
deleted file mode 100644
index 70c28d7..0000000
--- a/net-validate-the-range-we-feed-to-iov_iter_init-in-s.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Al Viro <viro at ZenIV.linux.org.uk>
-Date: Fri, 20 Mar 2015 17:41:43 +0000
-Subject: [PATCH] net: validate the range we feed to iov_iter_init() in
- sys_sendto/sys_recvfrom
-
-Cc: stable at vger.kernel.org # v3.19
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/socket.c b/net/socket.c
-index 418795caa897..d50e7ca6aeea 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
- 
- 	if (len > INT_MAX)
- 		len = INT_MAX;
-+	if (unlikely(!access_ok(VERIFY_READ, buff, len)))
-+		return -EFAULT;
- 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
- 	if (!sock)
- 		goto out;
-@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
- 
- 	if (size > INT_MAX)
- 		size = INT_MAX;
-+	if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
-+		return -EFAULT;
- 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
- 	if (!sock)
- 		goto out;
--- 
-2.1.0
-
diff --git a/sources b/sources
index ed7d07f..137f1ac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 d3fc8316d4d4d04b65cbc2d70799e763  linux-3.19.tar.xz
 15d8d2f97ce056488451a5bfb2944603  perf-man-3.19.tar.gz
-6f7128647a2fc0912958ac1cbf96a95a  patch-3.19.2.xz
+1fec75551b2f55fced43df8394b1fd9a  patch-3.19.3.xz
diff --git a/xen-pciback-limit-guest-control-of-command-register.patch b/xen-pciback-limit-guest-control-of-command-register.patch
deleted file mode 100644
index 8760046..0000000
--- a/xen-pciback-limit-guest-control-of-command-register.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From: Jan Beulich <JBeulich at suse.com>
-Date: Wed, 11 Mar 2015 13:51:17 +0000
-Subject: [PATCH] xen-pciback: limit guest control of command register
-
-Otherwise the guest can abuse that control to cause e.g. PCIe
-Unsupported Request responses (by disabling memory and/or I/O decoding
-and subsequently causing [CPU side] accesses to the respective address
-ranges), which (depending on system configuration) may be fatal to the
-host.
-
-Note that to alter any of the bits collected together as
-PCI_COMMAND_GUEST permissive mode is now required to be enabled
-globally or on the specific device.
-
-This is CVE-2015-2150 / XSA-120.
-
-Signed-off-by: Jan Beulich <jbeulich at suse.com>
-Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
----
- drivers/xen/xen-pciback/conf_space.c        |  2 +-
- drivers/xen/xen-pciback/conf_space.h        |  2 +
- drivers/xen/xen-pciback/conf_space_header.c | 61 +++++++++++++++++++++++------
- 3 files changed, 51 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c
-index 46ae0f9f02ad..75fe3d466515 100644
---- a/drivers/xen/xen-pciback/conf_space.c
-+++ b/drivers/xen/xen-pciback/conf_space.c
-@@ -16,7 +16,7 @@
- #include "conf_space.h"
- #include "conf_space_quirks.h"
- 
--static bool permissive;
-+bool permissive;
- module_param(permissive, bool, 0644);
- 
- /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
-diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h
-index e56c934ad137..2e1d73d1d5d0 100644
---- a/drivers/xen/xen-pciback/conf_space.h
-+++ b/drivers/xen/xen-pciback/conf_space.h
-@@ -64,6 +64,8 @@ struct config_field_entry {
- 	void *data;
- };
- 
-+extern bool permissive;
-+
- #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
- 
- /* Add fields to a device - the add_fields macro expects to get a pointer to
-diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c
-index c5ee82587e8c..2d7369391472 100644
---- a/drivers/xen/xen-pciback/conf_space_header.c
-+++ b/drivers/xen/xen-pciback/conf_space_header.c
-@@ -11,6 +11,10 @@
- #include "pciback.h"
- #include "conf_space.h"
- 
-+struct pci_cmd_info {
-+	u16 val;
-+};
-+
- struct pci_bar_info {
- 	u32 val;
- 	u32 len_val;
-@@ -20,22 +24,36 @@ struct pci_bar_info {
- #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
- #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
- 
--static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
-+/* Bits guests are allowed to control in permissive mode. */
-+#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
-+			   PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
-+			   PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
-+
-+static void *command_init(struct pci_dev *dev, int offset)
- {
--	int i;
--	int ret;
--
--	ret = xen_pcibk_read_config_word(dev, offset, value, data);
--	if (!pci_is_enabled(dev))
--		return ret;
--
--	for (i = 0; i < PCI_ROM_RESOURCE; i++) {
--		if (dev->resource[i].flags & IORESOURCE_IO)
--			*value |= PCI_COMMAND_IO;
--		if (dev->resource[i].flags & IORESOURCE_MEM)
--			*value |= PCI_COMMAND_MEMORY;
-+	struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
-+	int err;
-+
-+	if (!cmd)
-+		return ERR_PTR(-ENOMEM);
-+
-+	err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
-+	if (err) {
-+		kfree(cmd);
-+		return ERR_PTR(err);
- 	}
- 
-+	return cmd;
-+}
-+
-+static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
-+{
-+	int ret = pci_read_config_word(dev, offset, value);
-+	const struct pci_cmd_info *cmd = data;
-+
-+	*value &= PCI_COMMAND_GUEST;
-+	*value |= cmd->val & ~PCI_COMMAND_GUEST;
-+
- 	return ret;
- }
- 
-@@ -43,6 +61,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
- {
- 	struct xen_pcibk_dev_data *dev_data;
- 	int err;
-+	u16 val;
-+	struct pci_cmd_info *cmd = data;
- 
- 	dev_data = pci_get_drvdata(dev);
- 	if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
-@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
- 		}
- 	}
- 
-+	cmd->val = value;
-+
-+	if (!permissive && (!dev_data || !dev_data->permissive))
-+		return 0;
-+
-+	/* Only allow the guest to control certain bits. */
-+	err = pci_read_config_word(dev, offset, &val);
-+	if (err || val == value)
-+		return err;
-+
-+	value &= PCI_COMMAND_GUEST;
-+	value |= val & ~PCI_COMMAND_GUEST;
-+
- 	return pci_write_config_word(dev, offset, value);
- }
- 
-@@ -282,6 +315,8 @@ static const struct config_field header_common[] = {
- 	{
- 	 .offset    = PCI_COMMAND,
- 	 .size      = 2,
-+	 .init      = command_init,
-+	 .release   = bar_release,
- 	 .u.w.read  = command_read,
- 	 .u.w.write = command_write,
- 	},
--- 
-2.1.0
-
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f21&id=0faec04810b97537ea4267b3316ef29d2a54dfef

More information about the scm-commits mailing list