[linux] 04/05: Update to 4.1.6
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Aug 22 17:28:12 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit cbf8872266e33ea9b8a525441b4371b721c299cb
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Aug 22 19:24:56 2015 +0200
Update to 4.1.6
Drop patches applied upstream.
Ignore an ABI change in ppc crypto drivers.
---
debian/changelog | 85 +++++-
debian/config/defines | 2 +
.../md-use-kzalloc-when-bitmap-is-disabled.patch | 69 -----
...ry-64-Remove-pointless-jump-to-irq_return.patch | 47 ----
...ble-nested-do_nmi-handling-for-64-bit-ker.patch | 191 --------------
...x86-nmi-64-Remove-asm-code-that-saves-cr2.patch | 53 ----
...i-64-Switch-stacks-on-userspace-NMI-entry.patch | 112 --------
...07-x86-nmi-64-Improve-nested-NMI-comments.patch | 286 ---------------------
...0008-x86-nmi-64-Reorder-nested-NMI-checks.patch | 91 -------
...Use-DF-to-avoid-userspace-RSP-confusing-n.patch | 90 -------
...-kvm_apic_has_events-to-check-for-null-po.patch | 24 --
debian/patches/series | 10 -
12 files changed, 86 insertions(+), 974 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a838e1e..4b14fa9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,87 @@
-linux (4.1.5-2) UNRELEASED; urgency=medium
+linux (4.1.6-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.6
+ - [mips*] unaligned: Fix build error on big endian R6 kernels
+ - [mips*] Replace add and sub instructions in relocate_kernel.S with addiu
+ - [mips*/*-malta] Don't reinitialise RTC
+ - [mips*] Fix sched_getaffinity with MT FPAFF enabled
+ - [mips*] Export get_c0_perfcount_int()
+ - [mips*] do_mcheck: Fix kernel code dump with EVA
+ - [mips*] show_stack: Fix stack trace with EVA
+ - [mips*] Revert "MIPS: BCM63xx: Provide a plat_post_dma_flush hook"
+ - [mips*] Flush RPS on kernel entry with EVA
+ - [mips*] Make set_pte() SMP safe.
+ - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
+ - [x86] drm/i915: Declare the swizzling unknown for L-shaped configurations
+ - [x86] drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop
+ - drm/radeon: rework audio detect (v4)
+ - drm/radeon/combios: add some validation of lvds values
+ - drm/dp-mst: Remove debug WARN_ON
+ - ipr: Fix locking for unit attention handling
+ - ipr: Fix incorrect trace indexing
+ - ipr: Fix invalid array indexing for HRRQ
+ - Bluetooth: Fix NULL pointer dereference in smp_conn_security
+ - dmaengine: pl330: Fix overflow when reporting residue in memcpy
+ - dmaengine: pl330: Really fix choppy sound because of wrong residue
+ calculation
+ - xhci: fix off by one error in TRB DMA address boundary check
+ - drivers/usb: Delete XHCI command timer if necessary
+ - USB: sierra: add 1199:68AB device ID
+ - usb: udc: core: add device_del() call to error pathway
+ - usb: chipidea: ehci_init_driver is intended to call one time
+ - phy: twl4030-usb: make runtime pm more reliable.
+ - ath10k: fix qca61x4 hw2.1 support
+ - dmaengine: at_xdmac: fix transfer data width in at_xdmac_prep_slave_sg()
+ - [ppc64*] crypto: nx - Fixing NX data alignment with nx_sg list
+ - [ppc64*] crypto: nx - Fixing SHA update bug
+ - [ppc64*] crypto: nx - Fix reentrancy bugs
+ - [sparc*] Fix userspace FPU register corruptions.
+ - clk: keystone: add support for post divider register for main pll
+ - [armel,armhf] dts: keystone: fix dt bindings to use post div register for
+ mainpll
+ - [x86] ASoC: Intel: Get correct usage_count value to load firmware
+ - ASoC: ssm4567: Keep TDM_BCLKS in ssm4567_set_dai_fmt
+ - ASoC: pcm1681: Fix setting de-emphasis sampling rate selection
+ - ASoC: dapm: Lock during userspace access
+ - ASoC: dapm: Don't add prefix to widget stream name
+ - [x86] xen: Probe target addresses in set_aliased_prot() before the
+ hypercall
+ - xen/gntdevt: Fix race condition in gntdev_release()
+ - hwrng: core - correct error check of kthread_run call
+ - crypto: qat - Fix invalid synchronization between register/unregister sym
+ algs
+ - [armel] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
+ - rbd: fix copyup completion race
+ - [armhf] OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc
+ - ALSA: hda - fix cs4210_spdif_automute()
+ - ALSA: hda - one Dell machine needs the headphone white noise fixup
+ - ALSA: fireworks/firewire-lib: add support for recent firmware quirk
+ - hwmon: (nct7904) Export I2C module alias information
+ - [x86] hwmon: (dell-smm) Blacklist Dell Studio XPS 8100
+ - ipc: modify message queue accounting to not take kernel data structures
+ into account
+ - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
+ - ocfs2: fix shift left overflow
+ - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
+ - md/raid1: extend spinlock to protect raid1_end_read_request against
+ inconsistencies
+ - dm: fix dm_merge_bvec regression on 32 bit systems
+ - staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL
+ - staging: lustre: Include unaligned.h instead of access_ok.h
+ - usb: gadget: f_uac2: fix calculation of uac2->p_interval
+ - USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
+ - USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
+ - mtd: nand: Fix NAND_USE_BOUNCE_BUFFER flag conflict
+ - Input: alps - only Dell laptops have separate button bits for v2
+ dualpoint sticks
+ - [armhf] thermal: exynos: Disable the regulator on probe failure
+ - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
+ - signalfd: fix information leak in signalfd_copyinfo
+ - signal: fix information leak in copy_siginfo_to_user
+ - signal: fix information leak in copy_siginfo_from_user32
+ - nfsd: refactor nfs4_preprocess_stateid_op
+ - nfsd: do nfs4_check_fh in nfs4_check_file instead of nfs4_check_olstateid
[ Aurelien Jarno ]
* [mips*] Build ext4 as module. Add core-modules and ext4-modules udeb.
diff --git a/debian/config/defines b/debian/config/defines
index 3d7652d..02bc3b1 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -1,5 +1,7 @@
[abi]
abiname: 2
+ignore-changes:
+ module:drivers/crypto/nx/
[base]
arches:
diff --git a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch b/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
deleted file mode 100644
index 5a7e204..0000000
--- a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Benjamin Randazzo <benjamin at randazzo.fr>
-Date: Sat, 25 Jul 2015 16:36:50 +0200
-Subject: md: use kzalloc() when bitmap is disabled
-Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
-
-In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
-mdu_bitmap_file_t called "file".
-
-5769 file = kmalloc(sizeof(*file), GFP_NOIO);
-5770 if (!file)
-5771 return -ENOMEM;
-
-This structure is copied to user space at the end of the function.
-
-5786 if (err == 0 &&
-5787 copy_to_user(arg, file, sizeof(*file)))
-5788 err = -EFAULT
-
-But if bitmap is disabled only the first byte of "file" is initialized
-with zero, so it's possible to read some bytes (up to 4095) of kernel
-space memory from user space. This is an information leak.
-
-5775 /* bitmap disabled, zero the first byte and copy out */
-5776 if (!mddev->bitmap_info.file)
-5777 file->pathname[0] = '\0';
-
-Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
-Signed-off-by: NeilBrown <neilb at suse.com>
-[bwh: Backported to 4.1: using d_path() instead of file_path()]
----
- drivers/md/md.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev
- char *ptr;
- int err;
-
-- file = kmalloc(sizeof(*file), GFP_NOIO);
-+ file = kzalloc(sizeof(*file), GFP_NOIO);
- if (!file)
- return -ENOMEM;
-
- err = 0;
- spin_lock(&mddev->lock);
-- /* bitmap disabled, zero the first byte and copy out */
-- if (!mddev->bitmap_info.file)
-- file->pathname[0] = '\0';
-- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
-- file->pathname, sizeof(file->pathname))),
-- IS_ERR(ptr))
-- err = PTR_ERR(ptr);
-- else
-- memmove(file->pathname, ptr,
-- sizeof(file->pathname)-(ptr-file->pathname));
-+ /* bitmap enabled */
-+ if (mddev->bitmap_info.file) {
-+ ptr = d_path(&mddev->bitmap_info.file->f_path, file->pathname,
-+ sizeof(file->pathname));
-+ if (IS_ERR(ptr))
-+ err = PTR_ERR(ptr);
-+ else
-+ memmove(file->pathname, ptr,
-+ sizeof(file->pathname)-(ptr-file->pathname));
-+ }
- spin_unlock(&mddev->lock);
-
- if (err == 0 &&
diff --git a/debian/patches/bugfix/x86/0003-x86-asm-entry-64-Remove-pointless-jump-to-irq_return.patch b/debian/patches/bugfix/x86/0003-x86-asm-entry-64-Remove-pointless-jump-to-irq_return.patch
deleted file mode 100644
index 2865c6f..0000000
--- a/debian/patches/bugfix/x86/0003-x86-asm-entry-64-Remove-pointless-jump-to-irq_return.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Thu, 4 Jun 2015 13:24:29 -0700
-Subject: [3/9] x86/asm/entry/64: Remove pointless jump to irq_return
-Origin: https://git.kernel.org/linus/5ca6f70f387b4f82903037cc3c5488e2c97dcdbc
-
-INTERRUPT_RETURN turns into a jmp instruction. There's no need
-for extra indirection.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Cc: <linux-kernel at vger.kernel.org>
-Cc: Andrew Morton <akpm at linux-foundation.org>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Link: http://lkml.kernel.org/r/2f2318653dbad284a59311f13f08cea71298fd7c.1433449436.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 4.1: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -811,8 +811,6 @@ retint_kernel:
- restore_c_regs_and_iret:
- RESTORE_C_REGS
- REMOVE_PT_GPREGS_FROM_STACK 8
--
--irq_return:
- INTERRUPT_RETURN
-
- ENTRY(native_iret)
-@@ -1658,7 +1656,7 @@ nmi_restore:
-
- /* Clear the NMI executing stack variable */
- movq $0, 5*8(%rsp)
-- jmp irq_return
-+ INTERRUPT_RETURN
- CFI_ENDPROC
- END(nmi)
-
diff --git a/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch b/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
deleted file mode 100644
index cb18ec2..0000000
--- a/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 15 Jul 2015 10:29:33 -0700
-Subject: [4/9] x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
-Origin: https://git.kernel.org/linus/9d05041679904b12c12421cbcf9cb5f4860a8d7b
-
-32-bit kernels handle nested NMIs in C. Enable the exact same
-handling on 64-bit kernels as well. This isn't currently
-necessary, but it will become necessary once the asm code starts
-allowing limited nesting.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Cc: Borislav Petkov <bp at suse.de>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
----
- arch/x86/kernel/nmi.c | 123 +++++++++++++++++++++-----------------------------
- 1 file changed, 52 insertions(+), 71 deletions(-)
-
---- a/arch/x86/kernel/nmi.c
-+++ b/arch/x86/kernel/nmi.c
-@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_reg
- NOKPROBE_SYMBOL(default_do_nmi);
-
- /*
-- * NMIs can hit breakpoints which will cause it to lose its
-- * NMI context with the CPU when the breakpoint does an iret.
-- */
--#ifdef CONFIG_X86_32
--/*
-- * For i386, NMIs use the same stack as the kernel, and we can
-- * add a workaround to the iret problem in C (preventing nested
-- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
-- * can be in:
-+ * NMIs can hit breakpoints which will cause it to lose its NMI context
-+ * with the CPU when the breakpoint or page fault does an IRET.
-+ *
-+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
-+ * NMI processing. On x86_64, the asm glue protects us from nested NMIs
-+ * if the outer NMI came from kernel mode, but we can still nest if the
-+ * outer NMI came from user mode.
-+ *
-+ * To handle these nested NMIs, we have three states:
- *
- * 1) not running
- * 2) executing
-@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
- * (Note, the latch is binary, thus multiple NMIs triggering,
- * when one is running, are ignored. Only one NMI is restarted.)
- *
-- * If an NMI hits a breakpoint that executes an iret, another
-- * NMI can preempt it. We do not want to allow this new NMI
-- * to run, but we want to execute it when the first one finishes.
-- * We set the state to "latched", and the exit of the first NMI will
-- * perform a dec_return, if the result is zero (NOT_RUNNING), then
-- * it will simply exit the NMI handler. If not, the dec_return
-- * would have set the state to NMI_EXECUTING (what we want it to
-- * be when we are running). In this case, we simply jump back
-- * to rerun the NMI handler again, and restart the 'latched' NMI.
-+ * If an NMI executes an iret, another NMI can preempt it. We do not
-+ * want to allow this new NMI to run, but we want to execute it when the
-+ * first one finishes. We set the state to "latched", and the exit of
-+ * the first NMI will perform a dec_return, if the result is zero
-+ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
-+ * dec_return would have set the state to NMI_EXECUTING (what we want it
-+ * to be when we are running). In this case, we simply jump back to
-+ * rerun the NMI handler again, and restart the 'latched' NMI.
- *
- * No trap (breakpoint or page fault) should be hit before nmi_restart,
- * thus there is no race between the first check of state for NOT_RUNNING
-@@ -461,49 +460,36 @@ enum nmi_states {
- static DEFINE_PER_CPU(enum nmi_states, nmi_state);
- static DEFINE_PER_CPU(unsigned long, nmi_cr2);
-
--#define nmi_nesting_preprocess(regs) \
-- do { \
-- if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { \
-- this_cpu_write(nmi_state, NMI_LATCHED); \
-- return; \
-- } \
-- this_cpu_write(nmi_state, NMI_EXECUTING); \
-- this_cpu_write(nmi_cr2, read_cr2()); \
-- } while (0); \
-- nmi_restart:
--
--#define nmi_nesting_postprocess() \
-- do { \
-- if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) \
-- write_cr2(this_cpu_read(nmi_cr2)); \
-- if (this_cpu_dec_return(nmi_state)) \
-- goto nmi_restart; \
-- } while (0)
--#else /* x86_64 */
-+#ifdef CONFIG_X86_64
- /*
-- * In x86_64 things are a bit more difficult. This has the same problem
-- * where an NMI hitting a breakpoint that calls iret will remove the
-- * NMI context, allowing a nested NMI to enter. What makes this more
-- * difficult is that both NMIs and breakpoints have their own stack.
-- * When a new NMI or breakpoint is executed, the stack is set to a fixed
-- * point. If an NMI is nested, it will have its stack set at that same
-- * fixed address that the first NMI had, and will start corrupting the
-- * stack. This is handled in entry_64.S, but the same problem exists with
-- * the breakpoint stack.
-- *
-- * If a breakpoint is being processed, and the debug stack is being used,
-- * if an NMI comes in and also hits a breakpoint, the stack pointer
-- * will be set to the same fixed address as the breakpoint that was
-- * interrupted, causing that stack to be corrupted. To handle this case,
-- * check if the stack that was interrupted is the debug stack, and if
-- * so, change the IDT so that new breakpoints will use the current stack
-- * and not switch to the fixed address. On return of the NMI, switch back
-- * to the original IDT.
-+ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint. Without
-+ * some care, the inner breakpoint will clobber the outer breakpoint's
-+ * stack.
-+ *
-+ * If a breakpoint is being processed, and the debug stack is being
-+ * used, if an NMI comes in and also hits a breakpoint, the stack
-+ * pointer will be set to the same fixed address as the breakpoint that
-+ * was interrupted, causing that stack to be corrupted. To handle this
-+ * case, check if the stack that was interrupted is the debug stack, and
-+ * if so, change the IDT so that new breakpoints will use the current
-+ * stack and not switch to the fixed address. On return of the NMI,
-+ * switch back to the original IDT.
- */
- static DEFINE_PER_CPU(int, update_debug_stack);
-+#endif
-
--static inline void nmi_nesting_preprocess(struct pt_regs *regs)
-+dotraplinkage notrace void
-+do_nmi(struct pt_regs *regs, long error_code)
- {
-+ if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
-+ this_cpu_write(nmi_state, NMI_LATCHED);
-+ return;
-+ }
-+ this_cpu_write(nmi_state, NMI_EXECUTING);
-+ this_cpu_write(nmi_cr2, read_cr2());
-+nmi_restart:
-+
-+#ifdef CONFIG_X86_64
- /*
- * If we interrupted a breakpoint, it is possible that
- * the nmi handler will have breakpoints too. We need to
-@@ -514,22 +500,8 @@ static inline void nmi_nesting_preproces
- debug_stack_set_zero();
- this_cpu_write(update_debug_stack, 1);
- }
--}
--
--static inline void nmi_nesting_postprocess(void)
--{
-- if (unlikely(this_cpu_read(update_debug_stack))) {
-- debug_stack_reset();
-- this_cpu_write(update_debug_stack, 0);
-- }
--}
- #endif
-
--dotraplinkage notrace void
--do_nmi(struct pt_regs *regs, long error_code)
--{
-- nmi_nesting_preprocess(regs);
--
- nmi_enter();
-
- inc_irq_stat(__nmi_count);
-@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_
-
- nmi_exit();
-
-- /* On i386, may loop back to preprocess */
-- nmi_nesting_postprocess();
-+#ifdef CONFIG_X86_64
-+ if (unlikely(this_cpu_read(update_debug_stack))) {
-+ debug_stack_reset();
-+ this_cpu_write(update_debug_stack, 0);
-+ }
-+#endif
-+
-+ if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
-+ write_cr2(this_cpu_read(nmi_cr2));
-+ if (this_cpu_dec_return(nmi_state))
-+ goto nmi_restart;
- }
- NOKPROBE_SYMBOL(do_nmi);
-
diff --git a/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch b/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
deleted file mode 100644
index 32985d1..0000000
--- a/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 15 Jul 2015 10:29:34 -0700
-Subject: [5/9] x86/nmi/64: Remove asm code that saves CR2
-Origin: https://git.kernel.org/linus/0e181bb58143cb4a2e8f01c281b0816cd0e4798e
-
-Now that do_nmi saves CR2, we don't need to save it in asm.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Acked-by: Borislav Petkov <bp at suse.de>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 18 ------------------
- 1 file changed, 18 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1621,29 +1621,11 @@ end_repeat_nmi:
- call paranoid_entry
- DEFAULT_FRAME 0
-
-- /*
-- * Save off the CR2 register. If we take a page fault in the NMI then
-- * it could corrupt the CR2 value. If the NMI preempts a page fault
-- * handler before it was able to read the CR2 register, and then the
-- * NMI itself takes a page fault, the page fault that was preempted
-- * will read the information from the NMI page fault and not the
-- * origin fault. Save it off and restore it if it changes.
-- * Use the r12 callee-saved register.
-- */
-- movq %cr2, %r12
--
- /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
- movq %rsp,%rdi
- movq $-1,%rsi
- call do_nmi
-
-- /* Did the NMI take a page fault? Restore cr2 if it did */
-- movq %cr2, %rcx
-- cmpq %rcx, %r12
-- je 1f
-- movq %r12, %cr2
--1:
--
- testl %ebx,%ebx /* swapgs needed? */
- jnz nmi_restore
- nmi_swapgs:
diff --git a/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch b/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
deleted file mode 100644
index 0e85fc4..0000000
--- a/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 15 Jul 2015 10:29:35 -0700
-Subject: [6/9] x86/nmi/64: Switch stacks on userspace NMI entry
-Origin: https://git.kernel.org/linus/9b6e6a8334d56354853f9c255d1395c2ba570e0a
-
-Returning to userspace is tricky: IRET can fail, and ESPFIX can
-rearrange the stack prior to IRET.
-
-The NMI nesting fixup relies on a precise stack layout and
-atomic IRET. Rather than trying to teach the NMI nesting fixup
-to handle ESPFIX and failed IRET, punt: run NMIs that came from
-user mode on the normal kernel stack.
-
-This will make some nested NMIs visible to C code, but the C
-code is okay with that.
-
-As a side effect, this should speed up perf: it eliminates an
-RDMSR when NMIs come from user mode.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Reviewed-by: Borislav Petkov <bp at suse.de>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 4.1:
- - Adjust filename, context
- - Use kernel_stack instead of cpu_current_top_of_stack]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1442,19 +1442,73 @@ ENTRY(nmi)
- * a nested NMI that updated the copy interrupt stack frame, a
- * jump will be made to the repeat_nmi code that will handle the second
- * NMI.
-+ *
-+ * However, espfix prevents us from directly returning to userspace
-+ * with a single IRET instruction. Similarly, IRET to user mode
-+ * can fault. We therefore handle NMIs from user space like
-+ * other IST entries.
- */
-
- /* Use %rdx as our temp variable throughout */
- pushq_cfi %rdx
- CFI_REL_OFFSET rdx, 0
-
-+ testb $3, CS-RIP+8(%rsp)
-+ jz .Lnmi_from_kernel
-+
-+ /*
-+ * NMI from user mode. We need to run on the thread stack, but we
-+ * can't go through the normal entry paths: NMIs are masked, and
-+ * we don't want to enable interrupts, because then we'll end
-+ * up in an awkward situation in which IRQs are on but NMIs
-+ * are off.
-+ */
-+
-+ SWAPGS
-+ cld
-+ movq %rsp, %rdx
-+ movq PER_CPU_VAR(kernel_stack), %rsp
-+ pushq 5*8(%rdx) /* pt_regs->ss */
-+ pushq 4*8(%rdx) /* pt_regs->rsp */
-+ pushq 3*8(%rdx) /* pt_regs->flags */
-+ pushq 2*8(%rdx) /* pt_regs->cs */
-+ pushq 1*8(%rdx) /* pt_regs->rip */
-+ pushq $-1 /* pt_regs->orig_ax */
-+ pushq %rdi /* pt_regs->di */
-+ pushq %rsi /* pt_regs->si */
-+ pushq (%rdx) /* pt_regs->dx */
-+ pushq %rcx /* pt_regs->cx */
-+ pushq %rax /* pt_regs->ax */
-+ pushq %r8 /* pt_regs->r8 */
-+ pushq %r9 /* pt_regs->r9 */
-+ pushq %r10 /* pt_regs->r10 */
-+ pushq %r11 /* pt_regs->r11 */
-+ pushq %rbx /* pt_regs->rbx */
-+ pushq %rbp /* pt_regs->rbp */
-+ pushq %r12 /* pt_regs->r12 */
-+ pushq %r13 /* pt_regs->r13 */
-+ pushq %r14 /* pt_regs->r14 */
-+ pushq %r15 /* pt_regs->r15 */
-+
-+ /*
-+ * At this point we no longer need to worry about stack damage
-+ * due to nesting -- we're on the normal thread stack and we're
-+ * done with the NMI stack.
-+ */
-+
-+ movq %rsp, %rdi
-+ movq $-1, %rsi
-+ call do_nmi
-+
- /*
-- * If %cs was not the kernel segment, then the NMI triggered in user
-- * space, which means it is definitely not nested.
-+ * Return back to user mode. We must *not* do the normal exit
-+ * work, because we don't want to enable interrupts. Fortunately,
-+ * do_nmi doesn't modify pt_regs.
- */
-- cmpl $__KERNEL_CS, 16(%rsp)
-- jne first_nmi
-+ SWAPGS
-+ jmp restore_c_regs_and_iret
-
-+.Lnmi_from_kernel:
- /*
- * Check the special variable on the stack to see if NMIs are
- * executing.
diff --git a/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch b/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
deleted file mode 100644
index 24d04f1..0000000
--- a/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 15 Jul 2015 10:29:36 -0700
-Subject: [7/9] x86/nmi/64: Improve nested NMI comments
-Origin: https://git.kernel.org/linus/0b22930ebad563ae97ff3f8d7b9f12060b4c6e6b
-
-I found the nested NMI documentation to be difficult to follow.
-Improve the comments.
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Cc: Borislav Petkov <bp at suse.de>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 4.1: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 159 ++++++++++++++++++++++++++-------------------
- arch/x86/kernel/nmi.c | 4 +-
- 2 files changed, 93 insertions(+), 70 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1429,11 +1429,12 @@ ENTRY(nmi)
- * If the variable is not set and the stack is not the NMI
- * stack then:
- * o Set the special variable on the stack
-- * o Copy the interrupt frame into a "saved" location on the stack
-- * o Copy the interrupt frame into a "copy" location on the stack
-+ * o Copy the interrupt frame into an "outermost" location on the
-+ * stack
-+ * o Copy the interrupt frame into an "iret" location on the stack
- * o Continue processing the NMI
- * If the variable is set or the previous stack is the NMI stack:
-- * o Modify the "copy" location to jump to the repeate_nmi
-+ * o Modify the "iret" location to jump to the repeat_nmi
- * o return back to the first NMI
- *
- * Now on exit of the first NMI, we first clear the stack variable
-@@ -1510,18 +1511,60 @@ ENTRY(nmi)
-
- .Lnmi_from_kernel:
- /*
-- * Check the special variable on the stack to see if NMIs are
-- * executing.
-+ * Here's what our stack frame will look like:
-+ * +---------------------------------------------------------+
-+ * | original SS |
-+ * | original Return RSP |
-+ * | original RFLAGS |
-+ * | original CS |
-+ * | original RIP |
-+ * +---------------------------------------------------------+
-+ * | temp storage for rdx |
-+ * +---------------------------------------------------------+
-+ * | "NMI executing" variable |
-+ * +---------------------------------------------------------+
-+ * | iret SS } Copied from "outermost" frame |
-+ * | iret Return RSP } on each loop iteration; overwritten |
-+ * | iret RFLAGS } by a nested NMI to force another |
-+ * | iret CS } iteration if needed. |
-+ * | iret RIP } |
-+ * +---------------------------------------------------------+
-+ * | outermost SS } initialized in first_nmi; |
-+ * | outermost Return RSP } will not be changed before |
-+ * | outermost RFLAGS } NMI processing is done. |
-+ * | outermost CS } Copied to "iret" frame on each |
-+ * | outermost RIP } iteration. |
-+ * +---------------------------------------------------------+
-+ * | pt_regs |
-+ * +---------------------------------------------------------+
-+ *
-+ * The "original" frame is used by hardware. Before re-enabling
-+ * NMIs, we need to be done with it, and we need to leave enough
-+ * space for the asm code here.
-+ *
-+ * We return by executing IRET while RSP points to the "iret" frame.
-+ * That will either return for real or it will loop back into NMI
-+ * processing.
-+ *
-+ * The "outermost" frame is copied to the "iret" frame on each
-+ * iteration of the loop, so each iteration starts with the "iret"
-+ * frame pointing to the final return target.
-+ */
-+
-+ /*
-+ * Determine whether we're a nested NMI.
-+ *
-+ * First check "NMI executing". If it's set, then we're nested.
-+ * This will not detect if we interrupted an outer NMI just
-+ * before IRET.
- */
- cmpl $1, -8(%rsp)
- je nested_nmi
-
- /*
-- * Now test if the previous stack was an NMI stack.
-- * We need the double check. We check the NMI stack to satisfy the
-- * race when the first NMI clears the variable before returning.
-- * We check the variable because the first NMI could be in a
-- * breakpoint routine using a breakpoint stack.
-+ * Now test if the previous stack was an NMI stack. This covers
-+ * the case where we interrupt an outer NMI after it clears
-+ * "NMI executing" but before IRET.
- */
- lea 6*8(%rsp), %rdx
- /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1538,9 +1581,11 @@ ENTRY(nmi)
-
- nested_nmi:
- /*
-- * Do nothing if we interrupted the fixup in repeat_nmi.
-- * It's about to repeat the NMI handler, so we are fine
-- * with ignoring this one.
-+ * If we interrupted an NMI that is between repeat_nmi and
-+ * end_repeat_nmi, then we must not modify the "iret" frame
-+ * because it's being written by the outer NMI. That's okay;
-+ * the outer NMI handler is about to call do_nmi anyway,
-+ * so we can just resume the outer NMI.
- */
- movq $repeat_nmi, %rdx
- cmpq 8(%rsp), %rdx
-@@ -1550,7 +1595,10 @@ nested_nmi:
- ja nested_nmi_out
-
- 1:
-- /* Set up the interrupted NMIs stack to jump to repeat_nmi */
-+ /*
-+ * Modify the "iret" frame to point to repeat_nmi, forcing another
-+ * iteration of NMI handling.
-+ */
- leaq -1*8(%rsp), %rdx
- movq %rdx, %rsp
- CFI_ADJUST_CFA_OFFSET 1*8
-@@ -1569,60 +1617,23 @@ nested_nmi_out:
- popq_cfi %rdx
- CFI_RESTORE rdx
-
-- /* No need to check faults here */
-+ /* We are returning to kernel mode, so this cannot result in a fault. */
- INTERRUPT_RETURN
-
- CFI_RESTORE_STATE
- first_nmi:
-- /*
-- * Because nested NMIs will use the pushed location that we
-- * stored in rdx, we must keep that space available.
-- * Here's what our stack frame will look like:
-- * +-------------------------+
-- * | original SS |
-- * | original Return RSP |
-- * | original RFLAGS |
-- * | original CS |
-- * | original RIP |
-- * +-------------------------+
-- * | temp storage for rdx |
-- * +-------------------------+
-- * | NMI executing variable |
-- * +-------------------------+
-- * | copied SS |
-- * | copied Return RSP |
-- * | copied RFLAGS |
-- * | copied CS |
-- * | copied RIP |
-- * +-------------------------+
-- * | Saved SS |
-- * | Saved Return RSP |
-- * | Saved RFLAGS |
-- * | Saved CS |
-- * | Saved RIP |
-- * +-------------------------+
-- * | pt_regs |
-- * +-------------------------+
-- *
-- * The saved stack frame is used to fix up the copied stack frame
-- * that a nested NMI may change to make the interrupted NMI iret jump
-- * to the repeat_nmi. The original stack frame and the temp storage
-- * is also used by nested NMIs and can not be trusted on exit.
-- */
-- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */
-+ /* Restore rdx. */
- movq (%rsp), %rdx
- CFI_RESTORE rdx
-
-- /* Set the NMI executing variable on the stack. */
-+ /* Set "NMI executing" on the stack. */
- pushq_cfi $1
-
-- /*
-- * Leave room for the "copied" frame
-- */
-+ /* Leave room for the "iret" frame */
- subq $(5*8), %rsp
- CFI_ADJUST_CFA_OFFSET 5*8
-
-- /* Copy the stack frame to the Saved frame */
-+ /* Copy the "original" frame to the "outermost" frame */
- .rept 5
- pushq_cfi 11*8(%rsp)
- .endr
-@@ -1630,6 +1641,7 @@ first_nmi:
-
- /* Everything up to here is safe from nested NMIs */
-
-+repeat_nmi:
- /*
- * If there was a nested NMI, the first NMI's iret will return
- * here. But NMIs are still enabled and we can take another
-@@ -1638,16 +1650,21 @@ first_nmi:
- * it will just return, as we are about to repeat an NMI anyway.
- * This makes it safe to copy to the stack frame that a nested
- * NMI will update.
-- */
--repeat_nmi:
-- /*
-- * Update the stack variable to say we are still in NMI (the update
-- * is benign for the non-repeat case, where 1 was pushed just above
-- * to this very stack slot).
-+ *
-+ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
-+ * we're repeating an NMI, gsbase has the same value that it had on
-+ * the first iteration. paranoid_entry will load the kernel
-+ * gsbase if needed before we call do_nmi.
-+ *
-+ * Set "NMI executing" in case we came back here via IRET.
- */
- movq $1, 10*8(%rsp)
-
-- /* Make another copy, this one may be modified by nested NMIs */
-+ /*
-+ * Copy the "outermost" frame to the "iret" frame. NMIs that nest
-+ * here must not modify the "iret" frame while we're writing to
-+ * it or it will end up containing garbage.
-+ */
- addq $(10*8), %rsp
- CFI_ADJUST_CFA_OFFSET -10*8
- .rept 5
-@@ -1658,9 +1675,9 @@ repeat_nmi:
- end_repeat_nmi:
-
- /*
-- * Everything below this point can be preempted by a nested
-- * NMI if the first NMI took an exception and reset our iret stack
-- * so that we repeat another NMI.
-+ * Everything below this point can be preempted by a nested NMI.
-+ * If this happens, then the inner NMI will change the "iret"
-+ * frame to point back to repeat_nmi.
- */
- pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */
- ALLOC_PT_GPREGS_ON_STACK
-@@ -1687,11 +1704,18 @@ nmi_swapgs:
- nmi_restore:
- RESTORE_EXTRA_REGS
- RESTORE_C_REGS
-- /* Pop the extra iret frame at once */
-+
-+ /* Point RSP at the "iret" frame. */
- REMOVE_PT_GPREGS_FROM_STACK 6*8
-
-- /* Clear the NMI executing stack variable */
-+ /* Clear "NMI executing". */
- movq $0, 5*8(%rsp)
-+
-+ /*
-+ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
-+ * stack in a single instruction. We are returning to kernel
-+ * mode, so this cannot result in a fault.
-+ */
- INTERRUPT_RETURN
- CFI_ENDPROC
- END(nmi)
---- a/arch/x86/kernel/nmi.c
-+++ b/arch/x86/kernel/nmi.c
-@@ -408,8 +408,8 @@ static void default_do_nmi(struct pt_reg
- NOKPROBE_SYMBOL(default_do_nmi);
-
- /*
-- * NMIs can hit breakpoints which will cause it to lose its NMI context
-- * with the CPU when the breakpoint or page fault does an IRET.
-+ * NMIs can page fault or hit breakpoints which will cause it to lose
-+ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
- *
- * As a result, NMIs can nest if NMIs get unmasked due an IRET during
- * NMI processing. On x86_64, the asm glue protects us from nested NMIs
diff --git a/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch b/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
deleted file mode 100644
index d010de0..0000000
--- a/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 15 Jul 2015 10:29:37 -0700
-Subject: [8/9] x86/nmi/64: Reorder nested NMI checks
-Origin: https://git.kernel.org/linus/a27507ca2d796cfa8d907de31ad730359c8a6d06
-
-Check the repeat_nmi .. end_repeat_nmi special case first. The
-next patch will rework the RSP check and, as a side effect, the
-RSP check will no longer detect repeat_nmi .. end_repeat_nmi, so
-we'll need this ordering of the checks.
-
-Note: this is more subtle than it appears. The check for
-repeat_nmi .. end_repeat_nmi jumps straight out of the NMI code
-instead of adjusting the "iret" frame to force a repeat. This
-is necessary, because the code between repeat_nmi and
-end_repeat_nmi sets "NMI executing" and then writes to the
-"iret" frame itself. If a nested NMI comes in and modifies the
-"iret" frame while repeat_nmi is also modifying it, we'll end up
-with garbage. The old code got this right, as does the new
-code, but the new code is a bit more explicit.
-
-If we were to move the check right after the "NMI executing"
-check, then we'd get it wrong and have random crashes.
-
-( Because the "NMI executing" check would jump to the code that would
- modify the "iret" frame without checking if the interrupted NMI was
- currently modifying it. )
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Cc: Borislav Petkov <bp at suse.de>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 4.1: adjust filename, spacing]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 34 ++++++++++++++++++----------------
- 1 file changed, 18 insertions(+), 16 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1554,7 +1554,24 @@ ENTRY(nmi)
- /*
- * Determine whether we're a nested NMI.
- *
-- * First check "NMI executing". If it's set, then we're nested.
-+ * If we interrupted kernel code between repeat_nmi and
-+ * end_repeat_nmi, then we are a nested NMI. We must not
-+ * modify the "iret" frame because it's being written by
-+ * the outer NMI. That's okay; the outer NMI handler is
-+ * about to about to call do_nmi anyway, so we can just
-+ * resume the outer NMI.
-+ */
-+
-+ movq $repeat_nmi, %rdx
-+ cmpq 8(%rsp), %rdx
-+ ja 1f
-+ movq $end_repeat_nmi, %rdx
-+ cmpq 8(%rsp), %rdx
-+ ja nested_nmi_out
-+1:
-+
-+ /*
-+ * Now check "NMI executing". If it's set, then we're nested.
- * This will not detect if we interrupted an outer NMI just
- * before IRET.
- */
-@@ -1581,21 +1598,6 @@ ENTRY(nmi)
-
- nested_nmi:
- /*
-- * If we interrupted an NMI that is between repeat_nmi and
-- * end_repeat_nmi, then we must not modify the "iret" frame
-- * because it's being written by the outer NMI. That's okay;
-- * the outer NMI handler is about to call do_nmi anyway,
-- * so we can just resume the outer NMI.
-- */
-- movq $repeat_nmi, %rdx
-- cmpq 8(%rsp), %rdx
-- ja 1f
-- movq $end_repeat_nmi, %rdx
-- cmpq 8(%rsp), %rdx
-- ja nested_nmi_out
--
--1:
-- /*
- * Modify the "iret" frame to point to repeat_nmi, forcing another
- * iteration of NMI handling.
- */
diff --git a/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch b/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
deleted file mode 100644
index 60e0bda..0000000
--- a/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Wed, 15 Jul 2015 10:29:38 -0700
-Subject: x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI
- detection
-Origin: https://git.kernel.org/linus/810bc075f78ff2c221536eb3008eac6a492dba2d
-
-We have a tricky bug in the nested NMI code: if we see RSP
-pointing to the NMI stack on NMI entry from kernel mode, we
-assume that we are executing a nested NMI.
-
-This isn't quite true. A malicious userspace program can point
-RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
-happen while RSP is still pointing at the NMI stack.
-
-Fix it with a sneaky trick. Set DF in the region of code that
-the RSP check is intended to detect. IRET will clear DF
-atomically.
-
-( Note: other than paravirt, there's little need for all this
- complexity. We could check RIP instead of RSP. )
-
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Cc: Borislav Petkov <bp at suse.de>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: stable at vger.kernel.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 4.1: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1581,7 +1581,14 @@ ENTRY(nmi)
- /*
- * Now test if the previous stack was an NMI stack. This covers
- * the case where we interrupt an outer NMI after it clears
-- * "NMI executing" but before IRET.
-+ * "NMI executing" but before IRET. We need to be careful, though:
-+ * there is one case in which RSP could point to the NMI stack
-+ * despite there being no NMI active: naughty userspace controls
-+ * RSP at the very beginning of the SYSCALL targets. We can
-+ * pull a fast one on naughty userspace, though: we program
-+ * SYSCALL to mask DF, so userspace cannot cause DF to be set
-+ * if it controls the kernel's RSP. We set DF before we clear
-+ * "NMI executing".
- */
- lea 6*8(%rsp), %rdx
- /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1592,10 +1599,16 @@ ENTRY(nmi)
- cmpq %rdx, 4*8(%rsp)
- /* If it is below the NMI stack, it is a normal NMI */
- jb first_nmi
-- /* Ah, it is within the NMI stack, treat it as nested */
-+
-+ /* Ah, it is within the NMI stack. */
-+
-+ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
-+ jz first_nmi /* RSP was user controlled. */
-
- CFI_REMEMBER_STATE
-
-+ /* This is a nested NMI. */
-+
- nested_nmi:
- /*
- * Modify the "iret" frame to point to repeat_nmi, forcing another
-@@ -1710,8 +1723,16 @@ nmi_restore:
- /* Point RSP at the "iret" frame. */
- REMOVE_PT_GPREGS_FROM_STACK 6*8
-
-- /* Clear "NMI executing". */
-- movq $0, 5*8(%rsp)
-+ /*
-+ * Clear "NMI executing". Set DF first so that we can easily
-+ * distinguish the remaining code between here and IRET from
-+ * the SYSCALL entry and exit paths. On a native kernel, we
-+ * could just inspect RIP, but, on paravirt kernels,
-+ * INTERRUPT_RETURN can translate into a jump into a
-+ * hypercall page.
-+ */
-+ std
-+ movq $0, 5*8(%rsp) /* clear "NMI executing" */
-
- /*
- * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch b/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
deleted file mode 100644
index 47de607..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Sat, 30 May 2015 14:31:24 +0200
-Subject: kvm: x86: fix kvm_apic_has_events to check for NULL pointer
-Origin: https://git.kernel.org/linus/ce40cd3fc7fa40a6119e5fe6c0f2bc0eb4541009
-
-Malicious (or egregiously buggy) userspace can trigger it, but it
-should never happen in normal operation.
-
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- arch/x86/kvm/lapic.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kvm/lapic.h
-+++ b/arch/x86/kvm/lapic.h
-@@ -165,7 +165,7 @@ static inline u16 apic_logical_id(struct
-
- static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
- {
-- return vcpu->arch.apic->pending_events;
-+ return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
- }
-
- bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
diff --git a/debian/patches/series b/debian/patches/series
index 1f21623..60a3950 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -81,16 +81,6 @@ features/all/efi-autoload-efi-pstore.patch
features/all/cpufreq-dt-allow-driver-to-boot-automatically.patch
features/all/regulator-axp20x-Add-module-alias.patch
-bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
-bugfix/x86/0003-x86-asm-entry-64-Remove-pointless-jump-to-irq_return.patch
-bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
-bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
-bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
-bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
-bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
-bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
-bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
-
# Hardening from grsecurity
features/all/grsecurity/grsecurity-kconfig.patch
# Disabled until we add code into the grsecurity/ directory
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list