[kernel] r22936 - in dists/wheezy-backports/linux: . debian debian/patches debian/patches/bugfix/all debian/patches/bugfix/x86
Ben Hutchings
benh at moszumanska.debian.org
Sat Aug 8 19:02:45 UTC 2015
Author: benh
Date: Sat Aug 8 19:02:45 2015
New Revision: 22936
Log:
Merge changes from jessie-security up to 3.16.7-ckt11-1+deb8u3~bpo70+1
Added:
dists/wheezy-backports/linux/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
dists/wheezy-backports/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
dists/wheezy-backports/linux/debian/patches/bugfix/all/path_openat-fix-double-fput.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/path_openat-fix-double-fput.patch
dists/wheezy-backports/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch
dists/wheezy-backports/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
dists/wheezy-backports/linux/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
dists/wheezy-backports/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
- copied unchanged from r22928, dists/jessie-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
Modified:
dists/wheezy-backports/linux/ (props changed)
dists/wheezy-backports/linux/debian/changelog
dists/wheezy-backports/linux/debian/patches/series
Modified: dists/wheezy-backports/linux/debian/changelog
==============================================================================
--- dists/wheezy-backports/linux/debian/changelog Sat Aug 8 18:17:51 2015 (r22935)
+++ dists/wheezy-backports/linux/debian/changelog Sat Aug 8 19:02:45 2015 (r22936)
@@ -1,3 +1,28 @@
+linux (3.16.7-ckt11-1+deb8u3~bpo70+1) wheezy-backports; urgency=high
+
+ * Rebuild for wheezy:
+ - Disable architectures that weren't part of wheezy
+ - Use gcc-4.6 for all architectures
+ - Change ABI number to 0.bpo.4
+ - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
+ - linux-image: Depend on initramfs-tools without any alternatives, so
+ that neither apt nor aptitude will automatically switch to dracut
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 08 Aug 2015 21:01:58 +0200
+
+linux (3.16.7-ckt11-1+deb8u3) jessie-security; urgency=high
+
+ * path_openat(): fix double fput() (CVE-2015-5706)
+ * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333)
+ * sctp: fix ASCONF list handling (CVE-2015-3212)
+ * [x86] kvm: fix kvm_apic_has_events to check for NULL pointer (CVE-2015-4692)
+ * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
+ * sg_start_req(): make sure that there's not too many elements in iovec
+ (CVE-2015-5707)
+ * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Tue, 04 Aug 2015 01:50:04 +0100
+
linux (3.16.7-ckt11-1+deb8u2~bpo70+1) wheezy-backports; urgency=high
* Rebuild for wheezy:
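Review bot: the wheezy-backports stanza carries no CVE identifiers of its own; the seven CVEs (CVE-2015-5706, CVE-2015-1333, CVE-2015-3212, CVE-2015-4692, CVE-2015-4700, CVE-2015-5707, CVE-2015-5697) appear only in the inherited jessie-security stanza below it. That is the normal shape for a merge, but anyone reconciling this upload against a CVE list should cross-check the `series` hunk rather than the top stanza: all seven patch files named in the jessie-security entry are added there, and the ABI change to 0.bpo.4 means the new binary package name has to be picked up alongside them.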
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch)
@@ -0,0 +1,37 @@
+From: Colin Ian King <colin.king at canonical.com>
+Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
+Origin: https://marc.info/?l=oss-security&m=143800676725867&w=2
+
+__key_link_end is not freeing the associated array edit structure
+and this leads to a 512 byte memory leak each time an identical
+existing key is added with add_key().
+
+The reason the add_key() system call returns okay is that
+key_create_or_update() calls __key_link_begin() before checking to see
+whether it can update a key directly rather than adding/replacing - which
+it turns out it can. Thus __key_link() is not called through
+__key_instantiate_and_link() and __key_link_end() must cancel the edit.
+
+CVE-2015-1333
+
+Signed-off-by: Colin Ian King <colin.king at canonical.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+---
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1152,9 +1152,11 @@ void __key_link_end(struct key *keyring,
+ if (index_key->type == &key_type_keyring)
+ up_write(&keyring_serialise_link_sem);
+
+- if (edit && !edit->dead_leaf) {
+- key_payload_reserve(keyring,
+- keyring->datalen - KEYQUOTA_LINK_BYTES);
++ if (edit) {
++ if (!edit->dead_leaf) {
++ key_payload_reserve(keyring,
++ keyring->datalen - KEYQUOTA_LINK_BYTES);
++ }
+ assoc_array_cancel_edit(edit);
+ }
+ up_write(&keyring->sem);
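Review bot: the only behavioural change is that `assoc_array_cancel_edit(edit)` now runs for a dead-leaf edit as well; the quota release stays gated on `!edit->dead_leaf`, and nothing in the hunk says why a dead-leaf edit has no `KEYQUOTA_LINK_BYTES` to give back. A short comment above `if (!edit->dead_leaf)` would spare the next reader from re-deriving that. For triage, the description makes the impact clear: 512 bytes leaked per call on the `add_key()` system call path whenever an identical key already exists, which is a local kernel memory-exhaustion DoS rather than a memory-safety bug, so the fix carries no risk of changing a successful add_key() result.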
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch)
@@ -0,0 +1,42 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 3.16: don't touch anything but the allocation call, as
+ the following code is significantly different here.]
+---
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5624,7 +5624,7 @@ static int get_bitmap_file(struct mddev
+ char *ptr, *buf = NULL;
+ int err = -ENOMEM;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+
+ if (!file)
+ goto out;
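Review bot: switching to `kzalloc()` closes the leak for every path that reaches `copy_to_user()`, not only the disabled-bitmap one, since the whole `mdu_bitmap_file_t` is zeroed before any field is written; the `int err = -ENOMEM` in the context plus the unchanged `if (!file) goto out;` means the allocation-failure path is unaffected. One documentation point: the line numbers quoted in the description (5769 to 5788) come from the newer tree, while this hunk lands at 5624 and the bwh note says the following code differs in 3.16, so the description's quoted snippet should not be taken as what 3.16 does after the allocation. The leak size given, up to 4095 bytes of kernel memory per ioctl, is what makes this worth a security upload rather than a plain bug fix.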
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/path_openat-fix-double-fput.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/path_openat-fix-double-fput.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/path_openat-fix-double-fput.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/all/path_openat-fix-double-fput.patch)
@@ -0,0 +1,41 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 8 May 2015 22:53:15 -0400
+Subject: path_openat(): fix double fput()
+Origin: http://kernel.ubuntu.com/git/ubuntu/linux.git/commit?id=bedf03d0b88db4de0b66a1ef81df4faec7a0ceb4
+
+commit f15133df088ecadd141ea1907f2c96df67c729f0 upstream.
+
+path_openat() jumps to the wrong place after do_tmpfile() - it has
+already done path_cleanup() (as part of path_lookupat() called by
+do_tmpfile()), so doing that again can lead to double fput().
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[ luis: backported to 3.16:
+ - adjusted context as 3.16 doesn't have path_cleanup() helper,
+ introduced by 893b7775a70e ("fs/namei.c: new helper (path_cleanup())") ]
+Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 19ac9c8..15fc3f5 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3194,7 +3194,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+
+ if (unlikely(file->f_flags & __O_TMPFILE)) {
+ error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
+- goto out;
++ goto out2;
+ }
+
+ error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
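Review bot: jumping to `out2` skips both `path_put(&nd->root)` and the `fput(base)` in the `out:` block; that is correct only because at this point `base` has not been set (the `path_init(..., &base)` call that assigns it is the line right after the `O_TMPFILE` branch) and because, per the description, `do_tmpfile()` has already dropped its own path references. A comment at the `goto out2` saying exactly that would make the asymmetry with the normal `goto out` obvious to the next person touching this error path, which is the kind of place where a second double-put gets reintroduced.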
+@@ -3232,6 +3232,7 @@ out:
+ path_put(&nd->root);
+ if (base)
+ fput(base);
++out2:
+ if (!(opened & FILE_OPENED)) {
+ BUG_ON(!error);
+ put_filp(file);
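Review bot: `out2:` lands before the `if (!(opened & FILE_OPENED))` block, so a failed `O_TMPFILE` open still goes through `BUG_ON(!error)` and `put_filp(file)`; what it no longer does is the `path_put(&nd->root)` and `fput(base)` pair above the label, which the description says `do_tmpfile()` has already taken care of. A double put is a reference-count underflow, i.e. use-after-free territory, and the trigger is an ordinary `open()` with `O_TMPFILE` on a path that makes `do_tmpfile()` fail, so this (CVE-2015-5706 in the changelog) should be prioritised as a memory-safety fix rather than a crash fix when deciding how fast to roll the backport out.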
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch)
@@ -0,0 +1,179 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Fri, 12 Jun 2015 10:16:41 -0300
+Subject: sctp: fix ASCONF list handling
+Origin: https://git.kernel.org/linus/2d45a02d0166caf2627fe91897c6ffc3b19514c4
+
+->auto_asconf_splist is per namespace and mangled by functions like
+sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
+
+Also, the call to inet_sk_copy_descendant() was backuping
+->auto_asconf_list through the copy but was not honoring
+->do_auto_asconf, which could lead to list corruption if it was
+different between both sockets.
+
+This commit thus fixes the list handling by using ->addr_wq_lock
+spinlock to protect the list. A special handling is done upon socket
+creation and destruction for that. Error handlig on sctp_init_sock()
+will never return an error after having initialized asconf, so
+sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
+will be take on sctp_close_sock(), before locking the socket, so we
+don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
+
+Instead of taking the lock on sctp_sock_migrate() for copying and
+restoring the list values, it's preferred to avoid rewritting it by
+implementing sctp_copy_descendant().
+
+Issue was found with a test application that kept flipping sysctl
+default_auto_asconf on and off, but one could trigger it by issuing
+simultaneous setsockopt() calls on multiple sockets or by
+creating/destroying sockets fast enough. This is only triggerable
+locally.
+
+Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
+Reported-by: Ji Jianwen <jiji at redhat.com>
+Suggested-by: Neil Horman <nhorman at tuxdriver.com>
+Suggested-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ include/net/netns/sctp.h | 1 +
+ include/net/sctp/structs.h | 4 ++++
+ net/sctp/socket.c | 43 ++++++++++++++++++++++++++++++++-----------
+ 3 files changed, 37 insertions(+), 11 deletions(-)
+
+--- a/include/net/netns/sctp.h
++++ b/include/net/netns/sctp.h
+@@ -31,6 +31,7 @@ struct netns_sctp {
+ struct list_head addr_waitq;
+ struct timer_list addr_wq_timer;
+ struct list_head auto_asconf_splist;
++ /* Lock that protects both addr_waitq and auto_asconf_splist */
+ spinlock_t addr_wq_lock;
+
+ /* Lock that protects the local_addr_list writers */
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -219,6 +219,10 @@ struct sctp_sock {
+ atomic_t pd_mode;
+ /* Receive to here while partial delivery is in effect. */
+ struct sk_buff_head pd_lobby;
++
++ /* These must be the last fields, as they will skipped on copies,
++ * like on accept and peeloff operations
++ */
+ struct list_head auto_asconf_list;
+ int do_auto_asconf;
+ };
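Review bot: the correctness of `sctp_copy_descendant()` later in this patch depends on `auto_asconf_list` and `do_auto_asconf` staying the last two fields, and nothing enforces that beyond this comment; anyone appending a field after `do_auto_asconf` would have it silently skipped on accept and peeloff. A `BUILD_BUG_ON()` next to the copy helper that ties `offsetof(struct sctp_sock, do_auto_asconf)` to the end of the struct (allowing for tail padding) would turn that into a compile error. Minor: the comment reads "they will skipped"; "they will be skipped" was intended.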
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1533,8 +1533,10 @@ static void sctp_close(struct sock *sk,
+
+ /* Supposedly, no process has access to the socket, but
+ * the net layers still may.
++ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
++ * held and that should be grabbed before socket lock.
+ */
+- local_bh_disable();
++ spin_lock_bh(&net->sctp.addr_wq_lock);
+ bh_lock_sock(sk);
+
+ /* Hold the sock, since sk_common_release() will put sock_put()
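Review bot: `spin_lock_bh(&net->sctp.addr_wq_lock)` uses a `net` variable that is not visible in the hunk's context, so confirm the 3.16 `sctp_close()` already has `struct net *net = sock_net(sk);` in scope; the other hunks in this patch spell it `sock_net(sk)->sctp.addr_wq_lock`, and using one form throughout would remove the question. The new comment gives the lock order (addr_wq_lock first, then the socket lock); since that order is the whole reason the lock is taken this early instead of around the list removal inside `sctp_destroy_sock()`, it would help to name `sctp_addr_wq_timeout_handler()` in the comment as the other party to the ordering, as the description does.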
+@@ -1544,7 +1546,7 @@ static void sctp_close(struct sock *sk,
+ sk_common_release(sk);
+
+ bh_unlock_sock(sk);
+- local_bh_enable();
++ spin_unlock_bh(&net->sctp.addr_wq_lock);
+
+ sock_put(sk);
+
+@@ -3519,6 +3521,7 @@ static int sctp_setsockopt_auto_asconf(s
+ if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
+ return 0;
+
++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ if (val == 0 && sp->do_auto_asconf) {
+ list_del(&sp->auto_asconf_list);
+ sp->do_auto_asconf = 0;
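Review bot: the early `return 0` two lines above the new `spin_lock_bh()` still reads `sp->do_auto_asconf` without `addr_wq_lock`. If the intent is that the per-socket flag is serialised by the socket lock the setsockopt caller holds and only the shared `auto_asconf_splist` needs the spinlock, a one-line comment on the lock should say so; otherwise the test belongs under the same lock as the `list_del()`/`list_add_tail()` it guards, since `sctp_init_sock()` also writes the flag without the socket lock in this patch.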
+@@ -3527,6 +3530,7 @@ static int sctp_setsockopt_auto_asconf(s
+ &sock_net(sk)->sctp.auto_asconf_splist);
+ sp->do_auto_asconf = 1;
+ }
++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
+ return 0;
+ }
+
+@@ -4017,18 +4021,28 @@ static int sctp_init_sock(struct sock *s
+ local_bh_disable();
+ percpu_counter_inc(&sctp_sockets_allocated);
+ sock_prot_inuse_add(net, sk->sk_prot, 1);
++
++ /* Nothing can fail after this block, otherwise
++ * sctp_destroy_sock() will be called without addr_wq_lock held
++ */
+ if (net->sctp.default_auto_asconf) {
++ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list,
+ &net->sctp.auto_asconf_splist);
+ sp->do_auto_asconf = 1;
+- } else
++ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
++ } else {
+ sp->do_auto_asconf = 0;
++ }
++
+ local_bh_enable();
+
+ return 0;
+ }
+
+-/* Cleanup any SCTP per socket resources. */
++/* Cleanup any SCTP per socket resources. Must be called with
++ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
++ */
+ static void sctp_destroy_sock(struct sock *sk)
+ {
+ struct sctp_sock *sp;
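Review bot: the "Nothing can fail after this block" comment is a load-bearing invariant with nothing enforcing it: if a later change adds a failing step after the list insertion, `sctp_destroy_sock()` will run in violation of the lock requirement this same hunk documents in its comment, and the list race comes back. Consider moving the asconf registration to the very end of `sctp_init_sock()` so the invariant is structural rather than a comment. Two smaller points: plain `spin_lock()`/`spin_unlock()` is correct here only because the block sits inside the existing `local_bh_disable()`/`local_bh_enable()` pair, which is worth stating; and `net` is already in scope (used on the `default_auto_asconf` and `auto_asconf_splist` lines), so `sock_net(sk)->sctp.addr_wq_lock` on the adjacent lines should just be `net->sctp.addr_wq_lock`.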
+@@ -6987,6 +7001,19 @@ void sctp_copy_sock(struct sock *newsk,
+ newinet->mc_list = NULL;
+ }
+
++static inline void sctp_copy_descendant(struct sock *sk_to,
++ const struct sock *sk_from)
++{
++ int ancestor_size = sizeof(struct inet_sock) +
++ sizeof(struct sctp_sock) -
++ offsetof(struct sctp_sock, auto_asconf_list);
++
++ if (sk_from->sk_family == PF_INET6)
++ ancestor_size += sizeof(struct ipv6_pinfo);
++
++ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
++}
++
+ /* Populate the fields of the newsk from the oldsk and migrate the assoc
+ * and its messages to the newsk.
+ */
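Review bot: the `ancestor_size` arithmetic is correct but opaque. `__inet_sk_copy_descendant()` (include/net/inet_sock.h) copies `sk_from->sk_prot->obj_size - ancestor_size` bytes starting just past the embedded `inet_sock`, so the expression works out to copying from the end of `struct inet_sock` up to, but not including, `auto_asconf_list`, which is the whole point of the helper. Say that in a comment, and note that the `PF_INET6` adjustment assumes `struct sctp6_sock` is laid out as `sctp_sock` immediately followed by `ipv6_pinfo` with no padding between them; that is what makes adding `sizeof(struct ipv6_pinfo)` to `ancestor_size` land on the same boundary.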
+@@ -7001,7 +7028,6 @@ static void sctp_sock_migrate(struct soc
+ struct sk_buff *skb, *tmp;
+ struct sctp_ulpevent *event;
+ struct sctp_bind_hashbucket *head;
+- struct list_head tmplist;
+
+ /* Migrate socket buffer sizes and all the socket level options to the
+ * new socket.
+@@ -7009,12 +7035,7 @@ static void sctp_sock_migrate(struct soc
+ newsk->sk_sndbuf = oldsk->sk_sndbuf;
+ newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
+ /* Brute force copy old sctp opt. */
+- if (oldsp->do_auto_asconf) {
+- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
+- inet_sk_copy_descendant(newsk, oldsk);
+- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
+- } else
+- inet_sk_copy_descendant(newsk, oldsk);
++ sctp_copy_descendant(newsk, oldsk);
+
+ /* Restore the ep value that was overwritten with the above structure
+ * copy.
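Review bot: the replaced code preserved `newsp->auto_asconf_list` only when `oldsp->do_auto_asconf` was set, so the mismatch the description calls out (old socket flag clear, new socket flag set) let the brute-force copy overwrite the new socket's list head while it was still linked on `auto_asconf_splist`, leaving a dangling list entry. Replacing the branch with an unconditional `sctp_copy_descendant()` removes the case rather than patching the condition, which is the right shape. Since `sctp_sock_migrate()` is reached from accept and peeloff (per the comment added to `struct sctp_sock`), the corruption was reachable by a local user doing ordinary socket operations, which the description confirms ("only triggerable locally"); the `tmplist` removal in the preceding hunk is just the dead code that goes with it.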
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch)
@@ -0,0 +1,34 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sat, 21 Mar 2015 20:08:18 -0400
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+Origin: https://git.kernel.org/linus/451a2886b6bf90e2fb378f7c46c655450fb96e81
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there. If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+X-Coverup: TINC (and there's no lumber cartel either)
+Cc: stable at vger.kernel.org # way, way back
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
+ that function.]
+---
+ drivers/scsi/sg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1693,6 +1693,9 @@ static int sg_start_req(Sg_request *srp,
+ md->from_user = 0;
+ }
+
++ if (unlikely(iov_count > UIO_MAXIOV))
++ return -EINVAL;
++
+ if (iov_count) {
+ int len, size = sizeof(struct sg_iovec) * iov_count;
+ struct iovec *iov;
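Review bot: the new bound sits before the `sizeof(struct sg_iovec) * iov_count` allocation, so it rejects the oversized count before any allocation is sized from it, and it only rejects counts above `UIO_MAXIOV`, leaving `iov_count == 0` on its existing path. Two things to check in the parts of `sg_start_req()` this hunk does not show: that nothing allocated earlier in the function is leaked by the early `return -EINVAL`, and that `iov_count` has not already been used as a length above this point. The bwh substitution `s/MAX_UIOVEC/UIO_MAXIOV/` is fine: `UIO_MAXIOV` (1024) is the same segment limit `import_iovec()` enforces upstream, so the backport is equivalent to the upstream fix. Worth recording in the changelog that the failure mode described (an undersized page-pointer array that the second loop then overruns) is a kernel heap overflow reachable through the sg request path, not only a DoS.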
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch)
@@ -0,0 +1,24 @@
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Sat, 30 May 2015 14:31:24 +0200
+Subject: kvm: x86: fix kvm_apic_has_events to check for NULL pointer
+Origin: https://git.kernel.org/linus/ce40cd3fc7fa40a6119e5fe6c0f2bc0eb4541009
+
+Malicious (or egregiously buggy) userspace can trigger it, but it
+should never happen in normal operation.
+
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/lapic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.h
++++ b/arch/x86/kvm/lapic.h
+@@ -165,7 +165,7 @@ static inline u16 apic_logical_id(struct
+
+ static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
+ {
+- return vcpu->arch.apic->pending_events;
++ return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
+ }
+
+ bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
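Review bot: `kvm_vcpu_has_lapic(vcpu) &&` short-circuits before `vcpu->arch.apic` is dereferenced, so the NULL case now yields false instead of a kernel NULL pointer dereference. The description only says that "malicious (or egregiously buggy) userspace can trigger it" without naming the path; for a backport that is the one thing worth recording, since whether the 3.16 callers of `kvm_apic_has_events()` match upstream's decides whether this one-line change alone closes CVE-2015-4692. Also confirm that `kvm_vcpu_has_lapic()` is declared above this inline in the 3.16 `lapic.h`, as the hunk gives no context for it.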
Copied: dists/wheezy-backports/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch (from r22928, dists/jessie-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-backports/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch Sat Aug 8 19:02:45 2015 (r22936, copy of r22928, dists/jessie-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch)
@@ -0,0 +1,41 @@
+From: Alexei Starovoitov <ast at plumgrid.com>
+Date: Fri, 22 May 2015 15:42:55 -0700
+Subject: x86: bpf_jit: fix compilation of large bpf programs
+Origin: https://git.kernel.org/linus/3f7352bf21f8fd7ba3e2fcef9488756f188e12be
+
+x86 has variable length encoding. x86 JIT compiler is trying
+to pick the shortest encoding for given bpf instruction.
+While doing so the jump targets are changing, so JIT is doing
+multiple passes over the program. Typical program needs 3 passes.
+Some very short programs converge with 2 passes. Large programs
+may need 4 or 5. But specially crafted bpf programs may hit the
+pass limit and if the program converges on the last iteration
+the JIT compiler will be producing an image full of 'int 3' insns.
+Fix this corner case by doing final iteration over bpf program.
+
+Fixes: 0a14842f5a3c ("net: filter: Just In Time compiler for x86-64")
+Reported-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast at plumgrid.com>
+Tested-by: Daniel Borkmann <daniel at iogearbox.net>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ arch/x86/net/bpf_jit_comp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -906,7 +906,12 @@ void bpf_int_jit_compile(struct sk_filte
+ }
+ ctx.cleanup_addr = proglen;
+
+- for (pass = 0; pass < 10; pass++) {
++ /* JITed image shrinks with every pass and the loop iterates
++ * until the image stops shrinking. Very large bpf programs
++ * may converge on the last pass. In such case do one more
++ * pass to emit the final image
++ */
++ for (pass = 0; pass < 10 || image; pass++) {
+ proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
+ if (proglen <= 0) {
+ image = NULL;
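Review bot: `pass < 10 || image` terminates only if the loop body leaves the loop once `image` is non-NULL; the hunk shows the `proglen <= 0` error path clearing `image`, but not the success path, so confirm that the 3.16 `bpf_int_jit_compile()` body breaks out after the pass that emits into `image` (upstream does `if (image) { ... break; }`). Without that exit, the condition reads as an unbounded loop. The new comment explains the extra pass well; it could add the consequence the description gives: a program that converged exactly on the last of the ten passes previously got an image filled with `int 3`, so the first packet to hit that filter trapped in the kernel, which is the DoS the changelog tracks as CVE-2015-4700.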
Modified: dists/wheezy-backports/linux/debian/patches/series
==============================================================================
--- dists/wheezy-backports/linux/debian/patches/series Sat Aug 8 18:17:51 2015 (r22935)
+++ dists/wheezy-backports/linux/debian/patches/series Sat Aug 8 19:02:45 2015 (r22936)
@@ -634,3 +634,10 @@
bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
+bugfix/all/path_openat-fix-double-fput.patch
+bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
+bugfix/all/sctp-fix-asconf-list-handling.patch
+bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
+bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
+bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch