[kernel] r22855 - in dists/jessie/linux/debian: . patches patches/bugfix/all patches/bugfix/arm patches/bugfix/x86

Uwe Kleine-König ukleinek-guest at moszumanska.debian.org
Sat Jul 25 19:35:03 UTC 2015


Author: ukleinek-guest
Date: Sat Jul 25 19:35:02 2015
New Revision: 22855

Log:
Merge jessie-security up to 3.16.7-ckt11-1+deb8u2

Added:
   dists/jessie/linux/debian/patches/bugfix/all/cdc_ncm-fix-tx_bytes-statistics.patch
   dists/jessie/linux/debian/patches/bugfix/all/config-enable-need_dma_map_state-by-default-when-swi.patch
   dists/jessie/linux/debian/patches/bugfix/all/ext4-fix-data-corruption-caused-by-unwritten-and-del.patch
   dists/jessie/linux/debian/patches/bugfix/all/ext4-move-check-under-lock-scope-to-close-a-race.patch
   dists/jessie/linux/debian/patches/bugfix/all/libata-blacklist-queued-trim-on-samsung-ssd-850-pro.patch
   dists/jessie/linux/debian/patches/bugfix/all/libata-update-crucial-micron-blacklist.patch
   dists/jessie/linux/debian/patches/bugfix/all/md-raid0-fix-restore-to-sector-variable-in-raid0_make_request.patch
   dists/jessie/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
   dists/jessie/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
   dists/jessie/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
   dists/jessie/linux/debian/patches/bugfix/arm/arm-mvebu-armada-xp-openblocks-ax3-4-disable-interna.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
   dists/jessie/linux/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
      - copied unchanged from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
Modified:
   dists/jessie/linux/debian/changelog
   dists/jessie/linux/debian/patches/series

Modified: dists/jessie/linux/debian/changelog
==============================================================================
--- dists/jessie/linux/debian/changelog	Fri Jul 24 21:53:57 2015	(r22854)
+++ dists/jessie/linux/debian/changelog	Sat Jul 25 19:35:02 2015	(r22855)
@@ -464,8 +464,34 @@
   * of: make sure of_alias is initialized before accessing it.
     (Closes: #784053)
 
+  [ Uwe Kleine-König ]
+  * Merge jessie-security changes
+
  -- Ben Hutchings <ben at decadent.org.uk>  Tue, 26 May 2015 01:42:36 +0100
 
+linux (3.16.7-ckt11-1+deb8u2) jessie-security; urgency=high
+
+  * [amd64] Restore "perf/x86: Further optimize copy_from_user_nmi()"
+  * [amd64] Fix nested NMI handling (CVE-2015-3290, CVE-2015-3291)
+    - Enable nested do_nmi handling for 64-bit kernels
+    - Remove asm code that saves cr2
+    - Switch stacks on userspace NMI entry
+    - Reorder nested NMI checks
+    - Use DF to avoid userspace RSP confusing nested NMI detection
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Fri, 17 Jul 2015 21:28:00 +0100
+
+linux (3.16.7-ckt11-1+deb8u1) jessie-security; urgency=medium
+
+  * udf: Remove repeated loads blocksize
+  * udf: Check length of extended attributes and allocation descriptors
+    (CVE-2015-4167)
+  * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
+  * [amd64] Revert "perf/x86: Further optimize copy_from_user_nmi()"
+    (CVE-2015-3290)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Thu, 16 Jul 2015 20:18:18 +0100
+
 linux (3.16.7-ckt11-1) jessie; urgency=medium
 
   * New upstream stable update:

Added: dists/jessie/linux/debian/patches/bugfix/all/cdc_ncm-fix-tx_bytes-statistics.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/cdc_ncm-fix-tx_bytes-statistics.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,37 @@
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn at mork.no>
+Date: Fri, 22 May 2015 13:15:22 +0200
+Subject: cdc_ncm: Fix tx_bytes statistics
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/44f6731d8b68fa02f5ed65eaceac41f8c3c9279e
+
+The tx_curr_frame_payload field is u32. When we try to calculate a
+small negative delta based on it, we end up with a positive integer
+close to 2^32 instead.  So the tx_bytes pointer increases by about
+2^32 for every transmitted frame.
+
+Fix by calculating the delta as a signed long.
+
+Cc: Ben Hutchings <ben.hutchings at codethink.co.uk>
+Reported-by: Florian Bruhin <me at the-compiler.org>
+Fixes: 7a1e890e2168 ("usbnet: Fix tx_bytes statistic running backward in cdc_ncm")
+Signed-off-by: Bjørn Mork <bjorn at mork.no>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/usb/cdc_ncm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index c3e4da9..8067b8f 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1182,7 +1182,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
+ 	 * payload data instead.
+ 	 */
+ 	usbnet_set_skb_tx_stats(skb_out, n,
+-				ctx->tx_curr_frame_payload - skb_out->len);
++				(long)ctx->tx_curr_frame_payload - skb_out->len);
+ 
+ 	return skb_out;
+ 
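Review bot: The cast on the new line at drivers/net/usb/cdc_ncm.c:1185 only changes the arithmetic where long is wider than unsigned int; on 32-bit targets `(long)ctx->tx_curr_frame_payload - skb_out->len` is still evaluated as unsigned long because the two operands have equal rank, and the value only turns negative again through conversion to the callee's parameter (presumably a signed long, as the description implies). The outcome is the same on both widths, but nothing in the hunk says so, and a one-line comment would stop the next reader from "simplifying" the cast away: `/* delta may be negative: compute as long so the u32 is not zero-extended on 64-bit */`. cdc_ncm_fill_tx_frame() starts and ends outside the hunk.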

Added: dists/jessie/linux/debian/patches/bugfix/all/config-enable-need_dma_map_state-by-default-when-swi.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/config-enable-need_dma_map_state-by-default-when-swi.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,54 @@
+From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Date: Fri, 17 Apr 2015 15:04:48 -0400
+Subject: config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected
+Origin: https://git.kernel.org/linus/a6dfa128ce5c414ab46b1d690f7a1b8decb8526d
+Bug-Debian: https://bugs.debian.org/786551
+
+A huge amount of NIC drivers use the DMA API, however if
+compiled under 32-bit an very important part of the DMA API can
+be ommitted leading to the drivers not working at all
+(especially if used with 'swiotlb=force iommu=soft').
+
+As Prashant Sreedharan explains it: "the driver [tg3] uses
+DEFINE_DMA_UNMAP_ADDR(), dma_unmap_addr_set() to keep a copy of
+the dma "mapping" and dma_unmap_addr() to get the "mapping"
+value. On most of the platforms this is a no-op, but ... with
+"iommu=soft and swiotlb=force" this house keeping is required,
+... otherwise we pass 0 while calling pci_unmap_/pci_dma_sync_
+instead of the DMA address."
+
+As such enable this even when using 32-bit kernels.
+
+Reported-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Acked-by: David S. Miller <davem at davemloft.net>
+Acked-by: Prashant Sreedharan <prashant at broadcom.com>
+Cc: Borislav Petkov <bp at alien8.de>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Michael Chan <mchan at broadcom.com>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: boris.ostrovsky at oracle.com
+Cc: cascardo at linux.vnet.ibm.com
+Cc: david.vrabel at citrix.com
+Cc: sanjeevb at broadcom.com
+Cc: siva.kallam at broadcom.com
+Cc: vyasevich at gmail.com
+Cc: xen-devel at lists.xensource.com
+Link: http://lkml.kernel.org/r/20150417190448.GA9462@l.oracle.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -164,7 +164,7 @@ config SBUS
+ 
+ config NEED_DMA_MAP_STATE
+ 	def_bool y
+-	depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG
++	depends on X86_64 || INTEL_IOMMU || DMA_API_DEBUG || SWIOTLB
+ 
+ config NEED_SG_DMA_LENGTH
+ 	def_bool y

Added: dists/jessie/linux/debian/patches/bugfix/all/ext4-fix-data-corruption-caused-by-unwritten-and-del.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/ext4-fix-data-corruption-caused-by-unwritten-and-del.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,86 @@
+From: Lukas Czerner <lczerner at redhat.com>
+Date: Sat, 2 May 2015 21:36:55 -0400
+Subject: ext4: fix data corruption caused by unwritten and delayed extents
+Origin: https://git.kernel.org/linus/d2dc317d564a46dfc683978a2e5a4f91434e9711
+Bug-Debian: https://bugs.debian.org/785672
+
+Currently it is possible to lose whole file system block worth of data
+when we hit the specific interaction with unwritten and delayed extents
+in status extent tree.
+
+The problem is that when we insert delayed extent into extent status
+tree the only way to get rid of it is when we write out delayed buffer.
+However there is a limitation in the extent status tree implementation
+so that when inserting unwritten extent should there be even a single
+delayed block the whole unwritten extent would be marked as delayed.
+
+At this point, there is no way to get rid of the delayed extents,
+because there are no delayed buffers to write out. So when a we write
+into said unwritten extent we will convert it to written, but it still
+remains delayed.
+
+When we try to write into that block later ext4_da_map_blocks() will set
+the buffer new and delayed and map it to invalid block which causes
+the rest of the block to be zeroed loosing already written data.
+
+For now we can fix this by simply not allowing to set delayed status on
+written extent in the extent status tree. Also add WARN_ON() to make
+sure that we notice if this happens in the future.
+
+This problem can be easily reproduced by running the following xfs_io.
+
+xfs_io -f -c "pwrite -S 0xaa 4096 2048" \
+          -c "falloc 0 131072" \
+          -c "pwrite -S 0xbb 65536 2048" \
+          -c "fsync" /mnt/test/fff
+
+echo 3 > /proc/sys/vm/drop_caches
+xfs_io -c "pwrite -S 0xdd 67584 2048" /mnt/test/fff
+
+This can be theoretically also reproduced by at random by running fsx,
+but it's not very reliable, though on machines with bigger page size
+(like ppc) this can be seen more often (especially xfstest generic/127)
+
+Signed-off-by: Lukas Czerner <lczerner at redhat.com>
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+Cc: stable at vger.kernel.org
+---
+ fs/ext4/extents_status.c | 8 ++++++++
+ fs/ext4/inode.c          | 2 ++
+ 2 files changed, 10 insertions(+)
+
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -662,6 +662,14 @@ int ext4_es_insert_extent(struct inode *
+ 
+ 	BUG_ON(end < lblk);
+ 
++	if ((status & EXTENT_STATUS_DELAYED) &&
++	    (status & EXTENT_STATUS_WRITTEN)) {
++		ext4_warning(inode->i_sb, "Inserting extent [%u/%u] as "
++				" delayed and written which can potentially "
++				" cause data loss.\n", lblk, len);
++		WARN_ON(1);
++	}
++
+ 	newes.es_lblk = lblk;
+ 	newes.es_len = len;
+ 	ext4_es_store_pblock_status(&newes, pblk, status);
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -577,6 +577,7 @@ int ext4_map_blocks(handle_t *handle, st
+ 		status = map->m_flags & EXT4_MAP_UNWRITTEN ?
+ 				EXTENT_STATUS_UNWRITTEN : EXTENT_STATUS_WRITTEN;
+ 		if (!(flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) &&
++		    !(status & EXTENT_STATUS_WRITTEN) &&
+ 		    ext4_find_delalloc_range(inode, map->m_lblk,
+ 					     map->m_lblk + map->m_len - 1))
+ 			status |= EXTENT_STATUS_DELAYED;
+@@ -691,6 +692,7 @@ found:
+ 		status = map->m_flags & EXT4_MAP_UNWRITTEN ?
+ 				EXTENT_STATUS_UNWRITTEN : EXTENT_STATUS_WRITTEN;
+ 		if (!(flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) &&
++		    !(status & EXTENT_STATUS_WRITTEN) &&
+ 		    ext4_find_delalloc_range(inode, map->m_lblk,
+ 					     map->m_lblk + map->m_len - 1))
+ 			status |= EXTENT_STATUS_DELAYED;
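Review bot: The message assembled in the new block of ext4_es_insert_extent() has a leading space in each continuation literal, so the printed text reads `as  delayed ... potentially  cause` with doubled spaces, and the trailing `\n` is unusual for ext4_warning(), which in mainline appends its own newline (verify against __ext4_warning() in this tree). Suggest `"Inserting extent [%u/%u] as delayed and written which can potentially cause data loss", lblk, len);` spread over the same three lines. The check only warns and then falls through to `ext4_es_store_pblock_status()` with both bits set; the two inode.c hunks are what actually prevent that state, so the block is a detector rather than a guard, and its comment could say so (with panic_on_warn the WARN_ON() is also a crash, which is one more reason the inode.c change must stay in front of it). All three functions start and end outside their hunks.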

Added: dists/jessie/linux/debian/patches/bugfix/all/ext4-move-check-under-lock-scope-to-close-a-race.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/ext4-move-check-under-lock-scope-to-close-a-race.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,48 @@
+From: Davide Italiano <dccitaliano at gmail.com>
+Date: Sat, 2 May 2015 23:21:15 -0400
+Subject: ext4: move check under lock scope to close a race.
+Origin: https://git.kernel.org/linus/280227a75b56ab5d35854f3a77ef74a7ad56a203
+
+fallocate() checks that the file is extent-based and returns
+EOPNOTSUPP in case is not. Other tasks can convert from and to
+indirect and extent so it's safe to check only after grabbing
+the inode mutex.
+
+Signed-off-by: Davide Italiano <dccitaliano at gmail.com>
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+Cc: stable at vger.kernel.org
+---
+ fs/ext4/extents.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4933,13 +4933,6 @@ long ext4_fallocate(struct file *file, i
+ 	if (ret)
+ 		return ret;
+ 
+-	/*
+-	 * currently supporting (pre)allocate mode for extent-based
+-	 * files _only_
+-	 */
+-	if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
+-		return -EOPNOTSUPP;
+-
+ 	if (mode & FALLOC_FL_COLLAPSE_RANGE)
+ 		return ext4_collapse_range(inode, offset, len);
+ 
+@@ -4961,6 +4954,14 @@ long ext4_fallocate(struct file *file, i
+ 
+ 	mutex_lock(&inode->i_mutex);
+ 
++	/*
++	 * We only support preallocation for extent-based files only
++	 */
++	if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) {
++		ret = -EOPNOTSUPP;
++		goto out;
++	}
++
+ 	if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+ 	     offset + len > i_size_read(inode)) {
+ 		new_size = offset + len;
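Review bot: The comment added above the relocated check in ext4_fallocate() reads `We only support preallocation for extent-based files only`, doubling "only"; suggest `/* Preallocation is only supported for extent-based files */`. Moving the test under i_mutex means the FALLOC_FL_COLLAPSE_RANGE return at the top of the first hunk, and any other mode branches in the unseen lines between the two hunks, no longer pass through it, so each of those paths must perform its own extent-flag check under the lock (mainline's ext4_collapse_range() does, but that is not visible here). The new `goto out` relies on the out label releasing i_mutex, which is also outside the hunk. ext4_fallocate() starts and ends outside the hunks.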

Added: dists/jessie/linux/debian/patches/bugfix/all/libata-blacklist-queued-trim-on-samsung-ssd-850-pro.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/libata-blacklist-queued-trim-on-samsung-ssd-850-pro.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,27 @@
+From: "Martin K. Petersen" <martin.petersen at oracle.com>
+Date: Fri, 27 Mar 2015 15:17:21 -0400
+Subject: libata: Blacklist queued TRIM on Samsung SSD 850 Pro
+Origin: https://git.kernel.org/linus/6fc4d97a4987c5d247655a157a9377996626221a
+
+Blacklist queued TRIM on this drive for now.
+
+Reported-by: Stefan Keller <linux-list at zahlenfresser.de>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+CC: stable at vger.kernel.org
+Signed-off-by: Tejun Heo <tj at kernel.org>
+[bwh: Backported to 3.16: adjust context and drop ZERO_AFTER_TRIM flag]
+Signed-off-by; Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4229,6 +4229,7 @@ static const struct ata_blacklist_entry
+ 	{ "Micron_M5[15]0*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
+ 	{ "Crucial_CT*M550*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
+ 	{ "Crucial_CT*MX100*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
++	{ "Samsung SSD 850 PRO*",	NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
+ 
+ 	/*
+ 	 * Some WD SATA-I drives spin up and down erratically when the link
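Review bot: The backporter's trailer line uses a semicolon, `Signed-off-by; Ben Hutchings`, where every other trailer in the file uses a colon, so tooling that collects Signed-off-by lines will not see it; the same typo appears in the Crucial/Micron blacklist patch below. Suggest `Signed-off-by:` in both files. The new entry passes `NULL` as the firmware revision, so every 850 PRO revision is blacklisted; the description's "for now" suggests that is deliberate, and a short comment on the line would tell whoever later narrows it to a revision that no fixed firmware was known at the time.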

Added: dists/jessie/linux/debian/patches/bugfix/all/libata-update-crucial-micron-blacklist.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/libata-update-crucial-micron-blacklist.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,37 @@
+From: "Martin K. Petersen" <martin.petersen at oracle.com>
+Date: Fri, 27 Mar 2015 15:17:20 -0400
+Subject: libata: Update Crucial/Micron blacklist
+Origin: https://git.kernel.org/linus/ff7f53fb82a7801a778e5902bdbbc5e195ab0de0
+
+Micron has released an updated firmware (MU02) for M510/M550/MX100
+drives to fix the issues with queued TRIM. Queued TRIM remains broken on
+M500 but is working fine on later drives such as M600 and MX200.
+
+Tweak our blacklist to reflect the above.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=71371
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Tejun Heo <tj at kernel.org>
+[bwh: Backported to 3.16: adjust context and drop ZERO_AFTER_TRIM flags]
+Signed-off-by; Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/ata/libata-core.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4225,9 +4225,10 @@ static const struct ata_blacklist_entry
+ 
+ 	/* devices that don't properly handle queued TRIM commands */
+ 	{ "Micron_M500*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
+-	{ "Crucial_CT???M500SSD*",	NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
+-	{ "Micron_M550*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
+-	{ "Crucial_CT*M550SSD*",	NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
++	{ "Crucial_CT*M500*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
++	{ "Micron_M5[15]0*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
++	{ "Crucial_CT*M550*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
++	{ "Crucial_CT*MX100*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
+ 
+ 	/*
+ 	 * Some WD SATA-I drives spin up and down erratically when the link
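Review bot: The three context lines of the Samsung 850 PRO patch above (`Micron_M5[15]0*`, `Crucial_CT*M550*`, `Crucial_CT*MX100*`) are exactly the lines this hunk adds, so this patch must precede it in debian/patches/series or the 850 PRO hunk will not apply; the series file is listed as modified in this commit but its diff is not in this chunk, so the ordering could not be confirmed here. The patterns are also widened, `Crucial_CT???M500SSD*` becoming `Crucial_CT*M500*`, which matches more model strings than before; that follows upstream, but a one-line comment on why the stricter glob was dropped would spare the next reader the bugzilla lookup. The `"MU01"` revision strings now carry the meaning that later firmware is fine, which the block comment `devices that don't properly handle queued TRIM commands` no longer conveys on its own.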

Added: dists/jessie/linux/debian/patches/bugfix/all/md-raid0-fix-restore-to-sector-variable-in-raid0_make_request.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/md-raid0-fix-restore-to-sector-variable-in-raid0_make_request.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,46 @@
+From: Eric Work <work.eric at gmail.com>
+Date: Mon, 18 May 2015 23:26:23 -0700
+Subject: md/raid0: fix restore to sector variable in raid0_make_request
+Origin: http://git.neil.brown.name/?p=md.git;a=commitdiff;h=a81157768a00e8cf8a7b43b5ea5cac931262374f
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=98501
+Bug-Debian: https://bugs.debian.org/786372
+
+The variable "sector" in "raid0_make_request()" was improperly updated
+by a call to "sector_div()" which modifies its first argument in place.
+Commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd restored this variable
+after the call for later re-use.  Unfortunetly the restore was done after
+the referenced variable "bio" was advanced.  This lead to the original
+value and the restored value being different.  Here we move this line to
+the proper place.
+
+One observed side effect of this bug was discarding a file though
+unlinking would cause an unrelated file's contents to be discarded.
+
+Signed-off-by: NeilBrown <neilb at suse.de>
+Fixes: 47d68979cc96 ("md/raid0: fix bug with chunksize not a power of 2.")
+Cc: stable at vger.kernel.org (any that received above backport)
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501
+---
+ drivers/md/raid0.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -531,6 +531,9 @@ static void raid0_make_request(struct md
+ 			 ? (sector & (chunk_sects-1))
+ 			 : sector_div(sector, chunk_sects));
+ 
++		/* Restore due to sector_div */
++		sector = bio->bi_iter.bi_sector;
++
+ 		if (sectors < bio_sectors(bio)) {
+ 			split = bio_split(bio, sectors, GFP_NOIO, fs_bio_set);
+ 			bio_chain(split, bio);
+@@ -538,7 +541,6 @@ static void raid0_make_request(struct md
+ 			split = bio;
+ 		}
+ 
+-		sector = bio->bi_iter.bi_sector;
+ 		zone = find_zone(mddev->private, &sector);
+ 		tmp_dev = map_sector(mddev, zone, sector, &sector);
+ 		split->bi_bdev = tmp_dev->bdev;
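Review bot: The new comment `/* Restore due to sector_div */` does not say why the restore has to sit here rather than where it was; the description explains that `sector_div()` modifies its first argument in place and that the old position ran only after `bio` had been advanced, which is the whole fix. Suggest `/* sector_div() above clobbered sector; restore it before bio_split() advances bio */`. The restore is unconditional even though `sector_div()` runs only in one branch of the `?:` above, which is harmless but worth a word so nobody "optimises" it into the branch. raid0_make_request() starts and ends outside the hunks.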

Copied: dists/jessie/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch)
@@ -0,0 +1,41 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+Origin: https://git.kernel.org/linus/925cab7b6a683f791644dfde345f91e87017a023
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Backported to 3.16: use make_bad_inode() instead of returning error]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1494,6 +1494,19 @@ static void udf_fill_inode(struct inode
+ 		iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+ 	}
+ 
++	/*
++	 * Sanity check length of allocation descriptors and extended attrs to
++	 * avoid integer overflows
++	 */
++	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
++	/* Now do exact checks */
++	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
+ 	/* Sanity checks for files in ICB so that we don't get confused later */
+ 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ 		/*
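Review bot: The comment `/* Now do exact checks */` undersells what is verified: only `i_lenAlloc` gets the exact bound, and `i_lenEAttr` is covered only indirectly if `udf_file_entry_alloc_offset()` includes it, which is not visible here. Once that is confirmed, suggest `/* Exact check: allocation descriptors must fit after the header and EAs (the alloc offset accounts for i_lenEAttr) */`. The second comparison also relies on the first block having already bounded both lengths by `bs`, which is what keeps the addition from overflowing; stating that dependency in the second comment would stop someone reordering them. The `bs` local comes from the udf-remove-repeated-loads patch, as its backport note records, so series order matters; udf_fill_inode() starts and ends outside the hunk.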

Copied: dists/jessie/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch)
@@ -0,0 +1,83 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:46:16 +0100
+Subject: udf: Remove repeated loads blocksize
+Origin: https://git.kernel.org/linus/79144954278d4bb5989f8b903adcac7a20ff2a5a
+
+Store blocksize in a local variable in udf_fill_inode() since it is used
+a lot of times.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Needed for the following fix. Backported to 3.16: adjust context.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1365,6 +1365,7 @@ static void udf_fill_inode(struct inode
+ 	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
+ 	unsigned int link_count;
++	int bs = inode->i_sb->s_blocksize;
+ 
+ 	fe = (struct fileEntry *)bh->b_data;
+ 	efe = (struct extendedFileEntry *)bh->b_data;
+@@ -1385,41 +1386,38 @@ static void udf_fill_inode(struct inode
+ 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ 		iinfo->i_efe = 1;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct extendedFileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct extendedFileEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct extendedFileEntry));
++		       bs - sizeof(struct extendedFileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+-						sizeof(struct fileEntry))) {
++		if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct fileEntry),
+-		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++		       bs - sizeof(struct fileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 1;
+ 		iinfo->i_lenAlloc = le32_to_cpu(
+ 				((struct unallocSpaceEntry *)bh->b_data)->
+ 				 lengthAllocDescs);
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct unallocSpaceEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct unallocSpaceEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct unallocSpaceEntry));
++		       bs - sizeof(struct unallocSpaceEntry));
+ 		return;
+ 	}
+ 
+@@ -1507,8 +1505,7 @@ static void udf_fill_inode(struct inode
+ 			return;
+ 		}
+ 		/* File in ICB has to fit in there... */
+-		if (inode->i_size > inode->i_sb->s_blocksize -
+-					udf_file_entry_alloc_offset(inode)) {
++		if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
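Review bot: `int bs = inode->i_sb->s_blocksize;` narrows the superblock field (unsigned long in mainline, to be confirmed in this tree) into a signed int, and every `bs - sizeof(...)` then promotes back to size_t, so the arithmetic only matches the old `inode->i_sb->s_blocksize - sizeof(...)` because bs is positive and small. Declaring it with an unsigned type, e.g. `unsigned int bs = inode->i_sb->s_blocksize;`, also keeps the comparisons added by the follow-up udf length-check patch (`iinfo->i_lenEAttr > bs`) from mixing signedness. The rest is a mechanical substitution; udf_fill_inode() starts and ends outside the hunks.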

Copied: dists/jessie/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch)
@@ -0,0 +1,58 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Sat, 30 May 2015 09:16:53 -0700
+Subject: udp: fix behavior of wrong checksums
+Origin: https://git.kernel.org/linus/beb39db59d14990e401e235faf66a6b9b31240b0
+
+We have two problems in UDP stack related to bogus checksums :
+
+1) We return -EAGAIN to application even if receive queue is not empty.
+   This breaks applications using edge trigger epoll()
+
+2) Under UDP flood, we can loop forever without yielding to other
+   processes, potentially hanging the host, especially on non SMP.
+
+This patch is an attempt to make things better.
+
+We might in the future add extra support for rt applications
+wanting to better control time spent doing a recv() in a hostile
+environment. For example we could validate checksums before queuing
+packets in socket receive queue.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/udp.c | 6 ++----
+ net/ipv6/udp.c | 6 ++----
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1356,10 +1356,8 @@ csum_copy_err:
+ 	}
+ 	unlock_sock_fast(sk, slow);
+ 
+-	if (noblock)
+-		return -EAGAIN;
+-
+-	/* starting over for a new packet */
++	/* starting over for a new packet, but check if we need to yield */
++	cond_resched();
+ 	msg->msg_flags &= ~MSG_TRUNC;
+ 	goto try_again;
+ }
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -515,10 +515,8 @@ csum_copy_err:
+ 	}
+ 	unlock_sock_fast(sk, slow);
+ 
+-	if (noblock)
+-		return -EAGAIN;
+-
+-	/* starting over for a new packet */
++	/* starting over for a new packet, but check if we need to yield */
++	cond_resched();
+ 	msg->msg_flags &= ~MSG_TRUNC;
+ 	goto try_again;
+ }
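Review bot: The csum_copy_err paths in net/ipv4/udp.c and net/ipv6/udp.c drop the `if (noblock) return -EAGAIN;` exit, but the replacement comment only mentions yielding, so the code no longer explains why a non-blocking caller is kept in the loop. The description gives the reason (the receive queue may still hold good datagrams, and edge-triggered epoll users would otherwise never be woken), and it belongs next to the `goto try_again` so nobody reinstates the early return: `/* Do not return -EAGAIN here: the queue may still hold valid datagrams and edge-triggered pollers would never be woken again. */`. Termination for non-blocking sockets then depends on the receive path at try_again returning -EAGAIN once the queue is empty, which is outside both hunks, as are the enclosing functions.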

Added: dists/jessie/linux/debian/patches/bugfix/arm/arm-mvebu-armada-xp-openblocks-ax3-4-disable-interna.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/arm/arm-mvebu-armada-xp-openblocks-ax3-4-disable-interna.patch	Sat Jul 25 19:35:02 2015	(r22855)
@@ -0,0 +1,32 @@
+From: Gregory CLEMENT <gregory.clement at free-electrons.com>
+Date: Tue, 14 Apr 2015 11:50:13 +0200
+Subject: ARM: mvebu: armada-xp-openblocks-ax3-4: Disable internal RTC
+Origin: https://git.kernel.org/linus/750e30d4076ae5e02ad13a376e96c95a2627742c
+Bug-Debian: https://bugs.debian.org/784146
+
+There is no crystal connected to the internal RTC on the Open Block
+AX3. So let's disable it in order to prevent the kernel probing the
+driver uselessly. Eventually this patches removes the following
+warning message from the boot log:
+"rtc-mv d0010300.rtc: internal RTC not ticking"
+
+Acked-by: Andrew Lunn <andrew at lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement at free-electrons.com>
+Cc: <stable at vger.kernel.org> # v3.8 +
+---
+ arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts
++++ b/arch/arm/boot/dts/armada-xp-openblocks-ax3-4.dts
+@@ -71,6 +71,10 @@
+ 		};
+ 
+ 		internal-regs {
++			rtc at 10300 {
++				/* No crystal connected to the internal RTC */
++				status = "disabled";
++			};
+ 			serial at 12000 {
+ 				status = "okay";
+ 			};
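Review bot: The node name on the added line reads `rtc at 10300`, which is not valid device-tree syntax; the unit-address separator is `@`, and this listing appears to have rewritten `@` as ` at ` the same way it does in every e-mail address on the page. Worth confirming that the committed patch file carries `rtc@10300`, since the archive rendering cannot show it. Otherwise the change is a plain `status = "disabled"` with its rationale in a comment, which is fine.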

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch)
@@ -0,0 +1,71 @@
+From: Denys Vlasenko <dvlasenk at redhat.com>
+Date: Wed, 1 Apr 2015 16:50:57 +0200
+Subject: [PATCH 1/9] x86/asm/entry/64: Fold the 'test_in_nmi' macro into its
+ only user
+Origin: https://git.kernel.org/linus/0784b36448a2a85b95b6eb21a69b9045c896c065
+
+No code changes.
+
+Signed-off-by: Denys Vlasenko <dvlasenk at redhat.com>
+Acked-by: Borislav Petkov <bp at suse.de>
+Cc: Alexei Starovoitov <ast at plumgrid.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: Borislav Petkov <bp at alien8.de>
+Cc: Frederic Weisbecker <fweisbec at gmail.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Kees Cook <keescook at chromium.org>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Steven Rostedt <rostedt at goodmis.org>
+Cc: Will Drewry <wad at chromium.org>
+Link: http://lkml.kernel.org/r/1427899858-7165-1-git-send-email-dvlasenk@redhat.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/entry_64.S | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1441,19 +1441,7 @@ ENTRY(error_exit)
+ 	CFI_ENDPROC
+ END(error_exit)
+ 
+-/*
+- * Test if a given stack is an NMI stack or not.
+- */
+-	.macro test_in_nmi reg stack nmi_ret normal_ret
+-	cmpq %\reg, \stack
+-	ja \normal_ret
+-	subq $EXCEPTION_STKSZ, %\reg
+-	cmpq %\reg, \stack
+-	jb \normal_ret
+-	jmp \nmi_ret
+-	.endm
+-
+-	/* runs on exception stack */
++/* Runs on exception stack */
+ ENTRY(nmi)
+ 	INTR_FRAME
+ 	PARAVIRT_ADJUST_EXCEPTION_FRAME
+@@ -1514,8 +1502,18 @@ ENTRY(nmi)
+ 	 * We check the variable because the first NMI could be in a
+ 	 * breakpoint routine using a breakpoint stack.
+ 	 */
+-	lea 6*8(%rsp), %rdx
+-	test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
++	lea	6*8(%rsp), %rdx
++	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
++	cmpq	%rdx, 4*8(%rsp)
++	/* If the stack pointer is above the NMI stack, this is a normal NMI */
++	ja	first_nmi
++	subq	$EXCEPTION_STKSZ, %rdx
++	cmpq	%rdx, 4*8(%rsp)
++	/* If it is below the NMI stack, it is a normal NMI */
++	jb	first_nmi
++	/* Ah, it is within the NMI stack, treat it as nested */
++	jmp	nested_nmi
++
+ 	CFI_REMEMBER_STATE
+ 
+ nested_nmi:

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch)
@@ -0,0 +1,42 @@
+From: Denys Vlasenko <dvlasenk at redhat.com>
+Date: Tue, 7 Apr 2015 22:43:41 +0200
+Subject: [PATCH 2/9] x86/asm/entry/64: Remove a redundant jump
+Origin: https://git.kernel.org/linus/a30b0085f54efae11f6256df4e4a16af7eefc1c4
+
+Jumping to the very next instruction is not very useful:
+
+        jmp label
+    label:
+
+Removing the jump.
+
+Signed-off-by: Denys Vlasenko <dvlasenk at redhat.com>
+Cc: Alexei Starovoitov <ast at plumgrid.com>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: Borislav Petkov <bp at alien8.de>
+Cc: Brian Gerst <brgerst at gmail.com>
+Cc: Frederic Weisbecker <fweisbec at gmail.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Kees Cook <keescook at chromium.org>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Steven Rostedt <rostedt at goodmis.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Will Drewry <wad at chromium.org>
+Link: http://lkml.kernel.org/r/1428439424-7258-5-git-send-email-dvlasenk@redhat.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/entry_64.S | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1512,7 +1512,6 @@ ENTRY(nmi)
+ 	/* If it is below the NMI stack, it is a normal NMI */
+ 	jb	first_nmi
+ 	/* Ah, it is within the NMI stack, treat it as nested */
+-	jmp	nested_nmi
+ 
+ 	CFI_REMEMBER_STATE
+ 

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch)
@@ -0,0 +1,189 @@
+From: Andy Lutomirski <luto at kernel.org>
+Date: Fri, 10 Jul 2015 11:19:37 -0700
+Subject: [PATCH 4/9] x86/nmi: Enable nested do_nmi handling for 64-bit kernels
+Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=aad62c1521e5904e376b88e71c60849954cbf9de
+
+32-bit kernels handle nested NMIs in C.  Enable the exact same
+handling on 64-bit kernels as well.  This isn't currently necessary,
+but it will become necessary once the asm code starts allowing
+limited nesting.
+
+This is a prerequisite for the fix for CVE-2015-3290.
+
+Cc: stable at vger.kernel.org
+Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/nmi.c | 123 +++++++++++++++++++++-----------------------------
+ 1 file changed, 52 insertions(+), 71 deletions(-)
+
+--- a/arch/x86/kernel/nmi.c
++++ b/arch/x86/kernel/nmi.c
+@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_reg
+ NOKPROBE_SYMBOL(default_do_nmi);
+ 
+ /*
+- * NMIs can hit breakpoints which will cause it to lose its
+- * NMI context with the CPU when the breakpoint does an iret.
+- */
+-#ifdef CONFIG_X86_32
+-/*
+- * For i386, NMIs use the same stack as the kernel, and we can
+- * add a workaround to the iret problem in C (preventing nested
+- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
+- * can be in:
++ * NMIs can hit breakpoints which will cause it to lose its NMI context
++ * with the CPU when the breakpoint or page fault does an IRET.
++ *
++ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
++ * NMI processing.  On x86_64, the asm glue protects us from nested NMIs
++ * if the outer NMI came from kernel mode, but we can still nest if the
++ * outer NMI came from user mode.
++ *
++ * To handle these nested NMIs, we have three states:
+  *
+  *  1) not running
+  *  2) executing
+@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
+  * (Note, the latch is binary, thus multiple NMIs triggering,
+  *  when one is running, are ignored. Only one NMI is restarted.)
+  *
+- * If an NMI hits a breakpoint that executes an iret, another
+- * NMI can preempt it. We do not want to allow this new NMI
+- * to run, but we want to execute it when the first one finishes.
+- * We set the state to "latched", and the exit of the first NMI will
+- * perform a dec_return, if the result is zero (NOT_RUNNING), then
+- * it will simply exit the NMI handler. If not, the dec_return
+- * would have set the state to NMI_EXECUTING (what we want it to
+- * be when we are running). In this case, we simply jump back
+- * to rerun the NMI handler again, and restart the 'latched' NMI.
++ * If an NMI executes an iret, another NMI can preempt it. We do not
++ * want to allow this new NMI to run, but we want to execute it when the
++ * first one finishes.  We set the state to "latched", and the exit of
++ * the first NMI will perform a dec_return, if the result is zero
++ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
++ * dec_return would have set the state to NMI_EXECUTING (what we want it
++ * to be when we are running). In this case, we simply jump back to
++ * rerun the NMI handler again, and restart the 'latched' NMI.
+  *
+  * No trap (breakpoint or page fault) should be hit before nmi_restart,
+  * thus there is no race between the first check of state for NOT_RUNNING
+@@ -461,49 +460,36 @@ enum nmi_states {
+ static DEFINE_PER_CPU(enum nmi_states, nmi_state);
+ static DEFINE_PER_CPU(unsigned long, nmi_cr2);
+ 
+-#define nmi_nesting_preprocess(regs)					\
+-	do {								\
+-		if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {	\
+-			this_cpu_write(nmi_state, NMI_LATCHED);		\
+-			return;						\
+-		}							\
+-		this_cpu_write(nmi_state, NMI_EXECUTING);		\
+-		this_cpu_write(nmi_cr2, read_cr2());			\
+-	} while (0);							\
+-	nmi_restart:
+-
+-#define nmi_nesting_postprocess()					\
+-	do {								\
+-		if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))	\
+-			write_cr2(this_cpu_read(nmi_cr2));		\
+-		if (this_cpu_dec_return(nmi_state))			\
+-			goto nmi_restart;				\
+-	} while (0)
+-#else /* x86_64 */
++#ifdef CONFIG_X86_64
+ /*
+- * In x86_64 things are a bit more difficult. This has the same problem
+- * where an NMI hitting a breakpoint that calls iret will remove the
+- * NMI context, allowing a nested NMI to enter. What makes this more
+- * difficult is that both NMIs and breakpoints have their own stack.
+- * When a new NMI or breakpoint is executed, the stack is set to a fixed
+- * point. If an NMI is nested, it will have its stack set at that same
+- * fixed address that the first NMI had, and will start corrupting the
+- * stack. This is handled in entry_64.S, but the same problem exists with
+- * the breakpoint stack.
+- *
+- * If a breakpoint is being processed, and the debug stack is being used,
+- * if an NMI comes in and also hits a breakpoint, the stack pointer
+- * will be set to the same fixed address as the breakpoint that was
+- * interrupted, causing that stack to be corrupted. To handle this case,
+- * check if the stack that was interrupted is the debug stack, and if
+- * so, change the IDT so that new breakpoints will use the current stack
+- * and not switch to the fixed address. On return of the NMI, switch back
+- * to the original IDT.
++ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint.  Without
++ * some care, the inner breakpoint will clobber the outer breakpoint's
++ * stack.
++ *
++ * If a breakpoint is being processed, and the debug stack is being
++ * used, if an NMI comes in and also hits a breakpoint, the stack
++ * pointer will be set to the same fixed address as the breakpoint that
++ * was interrupted, causing that stack to be corrupted. To handle this
++ * case, check if the stack that was interrupted is the debug stack, and
++ * if so, change the IDT so that new breakpoints will use the current
++ * stack and not switch to the fixed address. On return of the NMI,
++ * switch back to the original IDT.
+  */
+ static DEFINE_PER_CPU(int, update_debug_stack);
++#endif
+ 
+-static inline void nmi_nesting_preprocess(struct pt_regs *regs)
++dotraplinkage notrace void
++do_nmi(struct pt_regs *regs, long error_code)
+ {
++	if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
++		this_cpu_write(nmi_state, NMI_LATCHED);
++		return;
++	}
++	this_cpu_write(nmi_state, NMI_EXECUTING);
++	this_cpu_write(nmi_cr2, read_cr2());
++nmi_restart:
++
++#ifdef CONFIG_X86_64
+ 	/*
+ 	 * If we interrupted a breakpoint, it is possible that
+ 	 * the nmi handler will have breakpoints too. We need to
+@@ -514,22 +500,8 @@ static inline void nmi_nesting_preproces
+ 		debug_stack_set_zero();
+ 		this_cpu_write(update_debug_stack, 1);
+ 	}
+-}
+-
+-static inline void nmi_nesting_postprocess(void)
+-{
+-	if (unlikely(this_cpu_read(update_debug_stack))) {
+-		debug_stack_reset();
+-		this_cpu_write(update_debug_stack, 0);
+-	}
+-}
+ #endif
+ 
+-dotraplinkage notrace void
+-do_nmi(struct pt_regs *regs, long error_code)
+-{
+-	nmi_nesting_preprocess(regs);
+-
+ 	nmi_enter();
+ 
+ 	inc_irq_stat(__nmi_count);
+@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_
+ 
+ 	nmi_exit();
+ 
+-	/* On i386, may loop back to preprocess */
+-	nmi_nesting_postprocess();
++#ifdef CONFIG_X86_64
++	if (unlikely(this_cpu_read(update_debug_stack))) {
++		debug_stack_reset();
++		this_cpu_write(update_debug_stack, 0);
++	}
++#endif
++
++	if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
++		write_cr2(this_cpu_read(nmi_cr2));
++	if (this_cpu_dec_return(nmi_state))
++		goto nmi_restart;
+ }
+ NOKPROBE_SYMBOL(do_nmi);
+ 
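Review bot: The rewritten header comment in the first hunk states that on x86_64 "the asm glue protects us from nested NMIs if the outer NMI came from kernel mode, but we can still nest if the outer NMI came from user mode", which describes the user-mode stack switch that entry_64.S only gains later in this series (patch 0006 on this page, "run NMIs that came from user mode on the normal kernel stack"); as ordered, the comment runs ahead of the code it describes, which can mislead anyone bisecting between these two patches. The C side itself looks consistent: both the `nmi_state` latch and the `nmi_cr2` save/restore are now unconditional, and `nmi_restart:` is followed by a statement under either configuration, so nothing here is wrong, only early. A one-line qualifier in the comment would fix that, e.g. `* (The user-mode case relies on entry_64.S running user-mode NMIs on the kernel stack.)` placed after the "came from user mode" sentence. The enclosing function do_nmi is fully inside the hunk, but the `is_debug_stack()` condition whose body is shown at the start of the third inner hunk is not.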

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch)
@@ -0,0 +1,51 @@
+From: Andy Lutomirski <luto at kernel.org>
+Date: Fri, 10 Jul 2015 12:03:34 -0700
+Subject: [PATCH 5/9] x86/nmi/64: Remove asm code that saves cr2
+Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=e7c2c90651fd54c3ca499fbb065ea5cbac30047d
+
+Now that do_nmi saves cr2, we don't need to save it in asm.
+
+This is a prerequisity for the fix for CVE-2015-3290.
+
+Cc: stable at vger.kernel.org
+Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
+Acked-by: Borislav Petkov <bp at suse.de>
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+[bwh: Backported to 4.0: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/entry_64.S | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1654,29 +1654,11 @@ end_repeat_nmi:
+ 	call save_paranoid
+ 	DEFAULT_FRAME 0
+ 
+-	/*
+-	 * Save off the CR2 register. If we take a page fault in the NMI then
+-	 * it could corrupt the CR2 value. If the NMI preempts a page fault
+-	 * handler before it was able to read the CR2 register, and then the
+-	 * NMI itself takes a page fault, the page fault that was preempted
+-	 * will read the information from the NMI page fault and not the
+-	 * origin fault. Save it off and restore it if it changes.
+-	 * Use the r12 callee-saved register.
+-	 */
+-	movq %cr2, %r12
+-
+ 	/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
+ 	movq %rsp,%rdi
+ 	movq $-1,%rsi
+ 	call do_nmi
+ 
+-	/* Did the NMI take a page fault? Restore cr2 if it did */
+-	movq %cr2, %rcx
+-	cmpq %rcx, %r12
+-	je 1f
+-	movq %r12, %cr2
+-1:
+-	
+ 	testl %ebx,%ebx				/* swapgs needed? */
+ 	jnz nmi_restore
+ nmi_swapgs:

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch)
@@ -0,0 +1,133 @@
+From: Andy Lutomirski <luto at kernel.org>
+Date: Fri, 10 Jul 2015 11:35:31 -0700
+Subject: [PATCH 6/9] x86/nmi/64: Switch stacks on userspace NMI entry
+Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=4fb2a8d9cb0efcd7405f1ad105d7f3c764afe02f
+
+Returning to userspace is tricky: IRET can fail, and ESPFIX can
+rearrange the stack prior to IRET.
+
+The NMI nesting fixup relies on a precise stack layout and atomic
+IRET.  Rather than trying to teach the NMI nesting fixup to handle
+ESPFIX and failed IRET, punt: run NMIs that came from user mode on
+the normal kernel stack.
+
+This will make some nested NMIs visible to C code, but the C code is
+okay with that.
+
+As a side effect, this should speed up perf: it eliminates an RDMSR
+when NMIs come from user mode.
+
+Fixes CVE-2015-3290.
+
+Cc: stable at vger.kernel.org
+Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
+Reviewed-by: Borislav Petkov <bp at suse.de>
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+[bwh: Backported to 4.0:
+ - Adjust filename, context
+ - s/restore_c_regs_and_iret/restore_args/
+ - Use kernel_stack + KERNEL_STACK_OFFSET instead of cpu_current_top_of_stack]
+[luto: Open-coded return path to avoid dependency on partial pt_regs details]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+---
+ arch/x86/kernel/entry_64.S | 79 +++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 75 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1475,19 +1475,90 @@ ENTRY(nmi)
+ 	 * a nested NMI that updated the copy interrupt stack frame, a
+ 	 * jump will be made to the repeat_nmi code that will handle the second
+ 	 * NMI.
++	 *
++	 * However, espfix prevents us from directly returning to userspace
++	 * with a single IRET instruction.  Similarly, IRET to user mode
++	 * can fault.  We therefore handle NMIs from user space like
++	 * other IST entries.
+ 	 */
+ 
+ 	/* Use %rdx as out temp variable throughout */
+ 	pushq_cfi %rdx
+ 	CFI_REL_OFFSET rdx, 0
+ 
++	testb	$3, CS-RIP+8(%rsp)
++	jz	.Lnmi_from_kernel
++
++	/*
++	 * NMI from user mode.  We need to run on the thread stack, but we
++	 * can't go through the normal entry paths: NMIs are masked, and
++	 * we don't want to enable interrupts, because then we'll end
++	 * up in an awkward situation in which IRQs are on but NMIs
++	 * are off.
++	 */
++
++	SWAPGS
++	cld
++	movq	%rsp, %rdx
++	movq	PER_CPU_VAR(kernel_stack), %rsp
++	addq	$KERNEL_STACK_OFFSET, %rsp
++	pushq	5*8(%rdx)	/* pt_regs->ss */
++	pushq	4*8(%rdx)	/* pt_regs->rsp */
++	pushq	3*8(%rdx)	/* pt_regs->flags */
++	pushq	2*8(%rdx)	/* pt_regs->cs */
++	pushq	1*8(%rdx)	/* pt_regs->rip */
++	pushq   $-1		/* pt_regs->orig_ax */
++	pushq   %rdi		/* pt_regs->di */
++	pushq   %rsi		/* pt_regs->si */
++	pushq   (%rdx)		/* pt_regs->dx */
++	pushq   %rcx		/* pt_regs->cx */
++	pushq   %rax		/* pt_regs->ax */
++	pushq   %r8		/* pt_regs->r8 */
++	pushq   %r9		/* pt_regs->r9 */
++	pushq   %r10		/* pt_regs->r10 */
++	pushq   %r11		/* pt_regs->r11 */
++	pushq	%rbx		/* pt_regs->rbx */
++	pushq	%rbp		/* pt_regs->rbp */
++	pushq	%r12		/* pt_regs->r12 */
++	pushq	%r13		/* pt_regs->r13 */
++	pushq	%r14		/* pt_regs->r14 */
++	pushq	%r15		/* pt_regs->r15 */
++
++	/*
++	 * At this point we no longer need to worry about stack damage
++	 * due to nesting -- we're on the normal thread stack and we're
++	 * done with the NMI stack.
++	 */
++
++	movq	%rsp, %rdi
++	movq	$-1, %rsi
++	call	do_nmi
++
++	/*
++	 * Return back to user mode.  We must *not* do the normal exit
++	 * work, because we don't want to enable interrupts.  Fortunately,
++	 * do_nmi doesn't modify pt_regs.
++	 */
++	SWAPGS
++
+ 	/*
+-	 * If %cs was not the kernel segment, then the NMI triggered in user
+-	 * space, which means it is definitely not nested.
++	 * Open-code the entire return process for compatibility with varying
++	 * register layouts across different kernel versions.
+ 	 */
+-	cmpl $__KERNEL_CS, 16(%rsp)
+-	jne first_nmi
++	addq	$6*8, %rsp	/* skip bx, bp, and r12-r15 */
++	popq	%r11		/* pt_regs->r11 */
++	popq	%r10		/* pt_regs->r10 */
++	popq	%r9		/* pt_regs->r9 */
++	popq	%r8		/* pt_regs->r8 */
++	popq	%rax		/* pt_regs->ax */
++	popq	%rcx		/* pt_regs->cx */
++	popq	%rdx		/* pt_regs->dx */
++	popq	%rsi		/* pt_regs->si */
++	popq	%rdi		/* pt_regs->di */
++	addq	$8, %rsp	/* skip orig_ax */
++	INTERRUPT_RETURN
+ 
++.Lnmi_from_kernel:
+ 	/*
+ 	 * Check the special variable on the stack to see if NMIs are
+ 	 * executing.
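Review bot: The user-mode return path ends in a bare `INTERRUPT_RETURN` right after `addq $8, %rsp /* skip orig_ax */`, and nothing in the hunk says how the two hazards the commit message cites for that path, espfix and an IRET to user mode that faults, are covered; presumably the fixup behind INTERRUPT_RETURN (the native_iret path in this file) handles both, but since that is the whole reason for switching stacks it deserves a comment on the new code. Suggested comment above the `INTERRUPT_RETURN`: `/* Relies on the normal iret fixup behind INTERRUPT_RETURN for espfix and a faulting user-mode IRET -- confirm it applies on this tree. */`. As a point of style, `pushq   $-1` through `pushq   %r11` align their operands with spaces while the surrounding pushes in the same frame-building sequence use a tab, so the column alignment of the `/* pt_regs->... */` comments depends on the reader's tab width. The ENTRY(nmi) body begins and ends outside this hunk.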

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch)
@@ -0,0 +1,279 @@
+From: Andy Lutomirski <luto at kernel.org>
+Date: Fri, 10 Jul 2015 17:13:26 -0700
+Subject: [PATCH 7/9] x86/nmi/64: Improve nested NMI comments
+Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=ed02eaa10579ffd480c3bda29701e658f17196e9
+
+I found the nested NMI documentation to be difficult to follow.
+Improve the comments.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+[bwh: Backported to 4.0: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/entry_64.S | 159 ++++++++++++++++++++++++++-------------------
+ arch/x86/kernel/nmi.c      |   4 +-
+ 2 files changed, 93 insertions(+), 70 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1462,11 +1462,12 @@ ENTRY(nmi)
+ 	 *  If the variable is not set and the stack is not the NMI
+ 	 *  stack then:
+ 	 *    o Set the special variable on the stack
+-	 *    o Copy the interrupt frame into a "saved" location on the stack
+-	 *    o Copy the interrupt frame into a "copy" location on the stack
++	 *    o Copy the interrupt frame into an "outermost" location on the
++	 *      stack
++	 *    o Copy the interrupt frame into an "iret" location on the stack
+ 	 *    o Continue processing the NMI
+ 	 *  If the variable is set or the previous stack is the NMI stack:
+-	 *    o Modify the "copy" location to jump to the repeate_nmi
++	 *    o Modify the "iret" location to jump to the repeat_nmi
+ 	 *    o return back to the first NMI
+ 	 *
+ 	 * Now on exit of the first NMI, we first clear the stack variable
+@@ -1560,18 +1561,60 @@ ENTRY(nmi)
+ 
+ .Lnmi_from_kernel:
+ 	/*
+-	 * Check the special variable on the stack to see if NMIs are
+-	 * executing.
++	 * Here's what our stack frame will look like:
++	 * +---------------------------------------------------------+
++	 * | original SS                                             |
++	 * | original Return RSP                                     |
++	 * | original RFLAGS                                         |
++	 * | original CS                                             |
++	 * | original RIP                                            |
++	 * +---------------------------------------------------------+
++	 * | temp storage for rdx                                    |
++	 * +---------------------------------------------------------+
++	 * | "NMI executing" variable                                |
++	 * +---------------------------------------------------------+
++	 * | iret SS          } Copied from "outermost" frame        |
++	 * | iret Return RSP  } on each loop iteration; overwritten  |
++	 * | iret RFLAGS      } by a nested NMI to force another     |
++	 * | iret CS          } iteration if needed.                 |
++	 * | iret RIP         }                                      |
++	 * +---------------------------------------------------------+
++	 * | outermost SS          } initialized in first_nmi;       |
++	 * | outermost Return RSP  } will not be changed before      |
++	 * | outermost RFLAGS      } NMI processing is done.         |
++	 * | outermost CS          } Copied to "iret" frame on each  |
++	 * | outermost RIP         } iteration.                      |
++	 * +---------------------------------------------------------+
++	 * | pt_regs                                                 |
++	 * +---------------------------------------------------------+
++	 *
++	 * The "original" frame is used by hardware.  Before re-enabling
++	 * NMIs, we need to be done with it, and we need to leave enough
++	 * space for the asm code here.
++	 *
++	 * We return by executing IRET while RSP points to the "iret" frame.
++	 * That will either return for real or it will loop back into NMI
++	 * processing.
++	 *
++	 * The "outermost" frame is copied to the "iret" frame on each
++	 * iteration of the loop, so each iteration starts with the "iret"
++	 * frame pointing to the final return target.
++	 */
++
++	/*
++	 * Determine whether we're a nested NMI.
++	 *
++	 * First check "NMI executing".  If it's set, then we're nested.
++	 * This will not detect if we interrupted an outer NMI just
++	 * before IRET.
+ 	 */
+ 	cmpl $1, -8(%rsp)
+ 	je nested_nmi
+ 
+ 	/*
+-	 * Now test if the previous stack was an NMI stack.
+-	 * We need the double check. We check the NMI stack to satisfy the
+-	 * race when the first NMI clears the variable before returning.
+-	 * We check the variable because the first NMI could be in a
+-	 * breakpoint routine using a breakpoint stack.
++	 * Now test if the previous stack was an NMI stack.  This covers
++	 * the case where we interrupt an outer NMI after it clears
++	 * "NMI executing" but before IRET.
+ 	 */
+ 	lea	6*8(%rsp), %rdx
+ 	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
+@@ -1588,9 +1631,11 @@ ENTRY(nmi)
+ 
+ nested_nmi:
+ 	/*
+-	 * Do nothing if we interrupted the fixup in repeat_nmi.
+-	 * It's about to repeat the NMI handler, so we are fine
+-	 * with ignoring this one.
++	 * If we interrupted an NMI that is between repeat_nmi and
++	 * end_repeat_nmi, then we must not modify the "iret" frame
++	 * because it's being written by the outer NMI.  That's okay:
++	 * the outer NMI handler is about to call do_nmi anyway,
++	 * so we can just resume the outer NMI.
+ 	 */
+ 	movq $repeat_nmi, %rdx
+ 	cmpq 8(%rsp), %rdx
+@@ -1600,7 +1645,10 @@ nested_nmi:
+ 	ja nested_nmi_out
+ 
+ 1:
+-	/* Set up the interrupted NMIs stack to jump to repeat_nmi */
++	/*
++	 * Modify the "iret" frame to point to repeat_nmi, forcing another
++	 * iteration of NMI handling.
++	 */
+ 	leaq -1*8(%rsp), %rdx
+ 	movq %rdx, %rsp
+ 	CFI_ADJUST_CFA_OFFSET 1*8
+@@ -1619,60 +1667,23 @@ nested_nmi_out:
+ 	popq_cfi %rdx
+ 	CFI_RESTORE rdx
+ 
+-	/* No need to check faults here */
++	/* We are returning to kernel mode, so this cannot result in a fault. */
+ 	INTERRUPT_RETURN
+ 
+ 	CFI_RESTORE_STATE
+ first_nmi:
+-	/*
+-	 * Because nested NMIs will use the pushed location that we
+-	 * stored in rdx, we must keep that space available.
+-	 * Here's what our stack frame will look like:
+-	 * +-------------------------+
+-	 * | original SS             |
+-	 * | original Return RSP     |
+-	 * | original RFLAGS         |
+-	 * | original CS             |
+-	 * | original RIP            |
+-	 * +-------------------------+
+-	 * | temp storage for rdx    |
+-	 * +-------------------------+
+-	 * | NMI executing variable  |
+-	 * +-------------------------+
+-	 * | copied SS               |
+-	 * | copied Return RSP       |
+-	 * | copied RFLAGS           |
+-	 * | copied CS               |
+-	 * | copied RIP              |
+-	 * +-------------------------+
+-	 * | Saved SS                |
+-	 * | Saved Return RSP        |
+-	 * | Saved RFLAGS            |
+-	 * | Saved CS                |
+-	 * | Saved RIP               |
+-	 * +-------------------------+
+-	 * | pt_regs                 |
+-	 * +-------------------------+
+-	 *
+-	 * The saved stack frame is used to fix up the copied stack frame
+-	 * that a nested NMI may change to make the interrupted NMI iret jump
+-	 * to the repeat_nmi. The original stack frame and the temp storage
+-	 * is also used by nested NMIs and can not be trusted on exit.
+-	 */
+-	/* Do not pop rdx, nested NMIs will corrupt that part of the stack */
++	/* Restore rdx. */
+ 	movq (%rsp), %rdx
+ 	CFI_RESTORE rdx
+ 
+-	/* Set the NMI executing variable on the stack. */
++	/* Set "NMI executing" on the stack. */
+ 	pushq_cfi $1
+ 
+-	/*
+-	 * Leave room for the "copied" frame
+-	 */
++	/* Leave room for the "iret" frame */
+ 	subq $(5*8), %rsp
+ 	CFI_ADJUST_CFA_OFFSET 5*8
+ 
+-	/* Copy the stack frame to the Saved frame */
++	/* Copy the "original" frame to the "outermost" frame */
+ 	.rept 5
+ 	pushq_cfi 11*8(%rsp)
+ 	.endr
+@@ -1680,6 +1691,7 @@ first_nmi:
+ 
+ 	/* Everything up to here is safe from nested NMIs */
+ 
++repeat_nmi:
+ 	/*
+ 	 * If there was a nested NMI, the first NMI's iret will return
+ 	 * here. But NMIs are still enabled and we can take another
+@@ -1688,16 +1700,21 @@ first_nmi:
+ 	 * it will just return, as we are about to repeat an NMI anyway.
+ 	 * This makes it safe to copy to the stack frame that a nested
+ 	 * NMI will update.
+-	 */
+-repeat_nmi:
+-	/*
+-	 * Update the stack variable to say we are still in NMI (the update
+-	 * is benign for the non-repeat case, where 1 was pushed just above
+-	 * to this very stack slot).
++	 *
++	 * RSP is pointing to "outermost RIP".  gsbase is unknown, but, if
++	 * we're repeating an NMI, gsbase has the same value that it had on
++	 * the first iteration.  paranoid_entry will load the kernel
++	 * gsbase if needed before we call do_nmi.
++	 *
++	 * Set "NMI executing" in case we came back here via IRET.
+ 	 */
+ 	movq $1, 10*8(%rsp)
+ 
+-	/* Make another copy, this one may be modified by nested NMIs */
++	/*
++	 * Copy the "outermost" frame to the "iret" frame.  NMIs that nest
++	 * here must not modify the "iret" frame while we're writing to
++	 * it or it will end up containing garbage.
++	 */
+ 	addq $(10*8), %rsp
+ 	CFI_ADJUST_CFA_OFFSET -10*8
+ 	.rept 5
+@@ -1708,9 +1725,9 @@ repeat_nmi:
+ end_repeat_nmi:
+ 
+ 	/*
+-	 * Everything below this point can be preempted by a nested
+-	 * NMI if the first NMI took an exception and reset our iret stack
+-	 * so that we repeat another NMI.
++	 * Everything below this point can be preempted by a nested NMI.
++	 * If this happens, then the inner NMI will change the "iret"
++	 * frame to point back to repeat_nmi.
+ 	 */
+ 	pushq_cfi $-1		/* ORIG_RAX: no syscall to restart */
+ 	subq $ORIG_RAX-R15, %rsp
+@@ -1735,11 +1752,17 @@ end_repeat_nmi:
+ nmi_swapgs:
+ 	SWAPGS_UNSAFE_STACK
+ nmi_restore:
+-	/* Pop the extra iret frame at once */
++
+ 	RESTORE_ALL 6*8
+ 
+-	/* Clear the NMI executing stack variable */
++	/* Clear "NMI executing". */
+ 	movq $0, 5*8(%rsp)
++
++	/*
++	 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
++	 * stack in a single instruction.  We are returning to kernel
++	 * mode, so this cannot result in a fault.
++	 */
+ 	jmp irq_return
+ 	CFI_ENDPROC
+ END(nmi)
+--- a/arch/x86/kernel/nmi.c
++++ b/arch/x86/kernel/nmi.c
+@@ -408,8 +408,8 @@ static void default_do_nmi(struct pt_reg
+ NOKPROBE_SYMBOL(default_do_nmi);
+ 
+ /*
+- * NMIs can hit breakpoints which will cause it to lose its NMI context
+- * with the CPU when the breakpoint or page fault does an IRET.
++ * NMIs can page fault or hit breakpoints which will cause it to lose
++ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
+  *
+  * As a result, NMIs can nest if NMIs get unmasked due an IRET during
+  * NMI processing.  On x86_64, the asm glue protects us from nested NMIs

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch)
@@ -0,0 +1,83 @@
+From: Andy Lutomirski <luto at kernel.org>
+Date: Sun, 12 Jul 2015 20:59:57 -0700
+Subject: [PATCH 8/9] x86/nmi/64: Reorder nested NMI checks
+Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=b7dcb27674b28ca49b710e95da74c44d32154bed
+
+Check the repeat_nmi .. end_repeat_nmi special case first.  The next
+patch will rework the RSP check and, as a side effect, the RSP check
+will no longer detect repeat_nmi .. end_repeat_nmi, so we'll need
+this ordering of the checks.
+
+Note: this is more subtle than it appears.  The check for repeat_nmi
+.. end_repeat_nmi jumps straight out of the NMI code instead of
+adjusting the "iret" frame to force a repeat.  This is necessary,
+because the code between repeat_nmi and end_repeat_nmi sets "NMI
+executing" and then writes to the "iret" frame itself.  If a nested
+NMI comes in and modifies the "iret" frame while repeat_nmi is also
+modifying it, we'll end up with garbage.  The old code got this
+right, as does the new code, but the new code is a bit more
+explicit.
+
+If we were to move the check right after the "NMI executing" check,
+then we'd get it wrong and have random crashes.
+
+This is a prerequisite for the fix for CVE-2015-3291.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+[bwh: Backported to 4.0: adjust filename, spacing]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/entry_64.S | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1604,7 +1604,24 @@ ENTRY(nmi)
+ 	/*
+ 	 * Determine whether we're a nested NMI.
+ 	 *
+-	 * First check "NMI executing".  If it's set, then we're nested.
++	 * If we interrupted kernel code between repeat_nmi and
++	 * end_repeat_nmi, then we are a nested NMI.  We must not
++	 * modify the "iret" frame because it's being written by
++	 * the outer NMI.  That's okay: the outer NMI handler is
++	 * about to about to call do_nmi anyway, so we can just
++	 * resume the outer NMI.
++	 */
++
++	movq	$repeat_nmi, %rdx
++	cmpq	8(%rsp), %rdx
++	ja	1f
++	movq	$end_repeat_nmi, %rdx
++	cmpq	8(%rsp), %rdx
++	ja	nested_nmi_out
++1:
++
++	/*
++	 * Now check "NMI executing".  If it's set, then we're nested.
+ 	 * This will not detect if we interrupted an outer NMI just
+ 	 * before IRET.
+ 	 */
+@@ -1631,21 +1648,6 @@ ENTRY(nmi)
+ 
+ nested_nmi:
+ 	/*
+-	 * If we interrupted an NMI that is between repeat_nmi and
+-	 * end_repeat_nmi, then we must not modify the "iret" frame
+-	 * because it's being written by the outer NMI.  That's okay:
+-	 * the outer NMI handler is about to call do_nmi anyway,
+-	 * so we can just resume the outer NMI.
+-	 */
+-	movq $repeat_nmi, %rdx
+-	cmpq 8(%rsp), %rdx
+-	ja 1f
+-	movq $end_repeat_nmi, %rdx
+-	cmpq 8(%rsp), %rdx
+-	ja nested_nmi_out
+-
+-1:
+-	/*
+ 	 * Modify the "iret" frame to point to repeat_nmi, forcing another
+ 	 * iteration of NMI handling.
+ 	 */
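Review bot: The new block comment at the top of ENTRY(nmi) contains a duplicated phrase, `about to about to call do_nmi anyway`, and it does not record the constraint the commit message itself calls subtle: this range test must stay ahead of the "NMI executing" check and must leave through nested_nmi_out rather than reaching nested_nmi, because the code between repeat_nmi and end_repeat_nmi is writing the "iret" frame itself. A maintainer who later reorders the checks gets no warning from the code. I would fix the typo and add, just before `movq $repeat_nmi, %rdx`, a two-line comment in the file's style: `/* Must precede the "NMI executing" test and must not fall into nested_nmi: the "iret" frame is being written by the outer NMI. */`. The body of ENTRY(nmi) continues outside the hunk.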

Copied: dists/jessie/linux/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch (from r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie/linux/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch	Sat Jul 25 19:35:02 2015	(r22855, copy of r22854, dists/jessie-security/linux/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch)
@@ -0,0 +1,86 @@
+From: Andy Lutomirski <luto at kernel.org>
+Date: Fri, 10 Jul 2015 17:25:53 -0700
+Subject: [PATCH 9/9] x86/nmi/64: Use DF to avoid userspace RSP confusing
+ nested NMI detection
+Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=dc68c0f2ec634b2cfecf879235564da58d422cee
+
+We have a tricky bug in the nested NMI code: if we see RSP pointing
+to the NMI stack on NMI entry from kernel mode, we assume that we
+are executing a nested NMI.
+
+This isn't quite true.  A malicious userspace program can point RSP
+at the NMI stack, issue SYSCALL, and arrange for an NMI to happen
+while RSP is still pointing at the NMI stack.
+
+Fix it with a sneaky trick.  Set DF in the region of code that the RSP
+check is intended to detect.  IRET will clear DF atomically.
+
+(Note: other than paravirt, there's little need for all this complexity.
+ We could check RIP instead of RSP.)
+
+Fixes CVE-2015-3291.
+
+Cc: stable at vger.kernel.org
+Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
+Signed-off-by: Andy Lutomirski <luto at kernel.org>
+[bwh: Backported to 4.0: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kernel/entry_64.S | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1631,7 +1631,14 @@ ENTRY(nmi)
+ 	/*
+ 	 * Now test if the previous stack was an NMI stack.  This covers
+ 	 * the case where we interrupt an outer NMI after it clears
+-	 * "NMI executing" but before IRET.
++	 * "NMI executing" but before IRET.  We need to be careful, though:
++	 * there is one case in which RSP could point to the NMI stack
++	 * despite there being no NMI active: naughty userspace controls
++	 * RSP at the very beginning of the SYSCALL targets.  We can
++	 * pull a fast one on naughty userspace, though: we program
++	 * SYSCALL to mask DF, so userspace cannot cause DF to be set
++	 * if it controls the kernel's RSP.  We set DF before we clear
++	 * "NMI executing".
+ 	 */
+ 	lea	6*8(%rsp), %rdx
+ 	/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
+@@ -1642,10 +1649,16 @@ ENTRY(nmi)
+ 	cmpq	%rdx, 4*8(%rsp)
+ 	/* If it is below the NMI stack, it is a normal NMI */
+ 	jb	first_nmi
+-	/* Ah, it is within the NMI stack, treat it as nested */
++
++	/* Ah, it is within the NMI stack. */
++
++	testb	$(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
++	jz	first_nmi	/* RSP was user controlled. */
+ 
+ 	CFI_REMEMBER_STATE
+ 
++	/* This is a nested NMI. */
++
+ nested_nmi:
+ 	/*
+ 	 * Modify the "iret" frame to point to repeat_nmi, forcing another
+@@ -1757,8 +1770,16 @@ nmi_restore:
+ 
+ 	RESTORE_ALL 6*8
+ 
+-	/* Clear "NMI executing". */
+-	movq $0, 5*8(%rsp)
++	/*
++	 * Clear "NMI executing".  Set DF first so that we can easily
++	 * distinguish the remaining code between here and IRET from
++	 * the SYSCALL entry and exit paths.  On a native kernel, we
++	 * could just inspect RIP, but, on paravirt kernels,
++	 * INTERRUPT_RETURN can translate into a jump into a
++	 * hypercall page.
++	 */
++	std
++	movq	$0, 5*8(%rsp)		/* clear "NMI executing" */
+ 
+ 	/*
+ 	 * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
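Review bot: The new test `testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)` is only sound if every entry that leaves RSP user-controlled also clears DF; the comment says SYSCALL is programmed to mask DF, but this patch neither sets nor checks MSR_SYSCALL_MASK, so the 3.16 backport depends on syscall_init() already including X86_EFLAGS_DF in the mask. I cannot see that from here and it should be confirmed for 3.16, since otherwise userspace that sets DF and points RSP at the NMI stack before SYSCALL is still classified as a nested NMI, which is exactly the scenario in the description. A cross-reference next to the test would make the dependency visible: `/* Relies on X86_EFLAGS_DF in MSR_SYSCALL_MASK (syscall_init); keep in sync. */`. The `std` in nmi_restore also deserves a line saying that DF stays set until the hardware IRET clears it, so nothing between `std` and `jmp irq_return` may run a string instruction or call into C, e.g. `/* DF stays set until IRET: no string ops or C calls past this point. */`. Both ENTRY(nmi) and the nmi_restore tail continue outside the hunk.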

Modified: dists/jessie/linux/debian/patches/series
==============================================================================
--- dists/jessie/linux/debian/patches/series	Fri Jul 24 21:53:57 2015	(r22854)
+++ dists/jessie/linux/debian/patches/series	Sat Jul 25 19:35:02 2015	(r22855)
@@ -620,3 +620,11 @@
 debian/procfs-avoid-abi-change-in-3.16.7-ckt8.patch
 bugfix/mips/mips-normalise-code-flow-in-the-cpu-exception-handle.patch
 bugfix/mips/mips-correct-fp-isa-requirements.patch
+bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
+bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
+bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
+bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
+bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
+bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
+bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
+bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
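Review bot: The added entries jump from 0002 to 0004, so one patch of the upstream nine-patch series (the 0008 and 0009 headers read `[PATCH 8/9]` and `[PATCH 9/9]`) is not listed here; if that is deliberate because the change is already present in 3.16.7-ckt11, a `#` comment in the series next to `bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch` recording why would save the next merge from re-investigating it. I cannot tell from this diff what the missing patch contained or whether it is needed for the CVE-2015-3291 fix to be complete.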


