[linux] 01/01: Update to 3.2.73
debian-kernel at lists.debian.org
Tue Nov 17 16:17:01 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy
in repository linux.
commit 044577e0274425ca8d1d05332f847fca208dee1d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Nov 17 16:14:31 2015 +0000
Update to 3.2.73
Drop patches applied upstream.
---
debian/changelog | 71 +++++++++++--
...9xxx-don-t-unmap-bounce-buffered-commands.patch | 98 -----------------
...ash-when-attempt-to-garbage-collect-an-un.patch | 75 -------------
...ce-between-key-destruction-and-finding-a-.patch | 48 ---------
...-file-is-opened-wronly-and-server-reboots.patch | 39 -------
...ument-to-skb_copy_and_csum_datagram_iovec.patch | 116 ---------------------
...-intercept-ac-to-avoid-guest-host-exploit.patch | 38 -------
...x-avoid-guest-host-dos-by-intercepting-ac.patch | 44 --------
...kvm-mmu-fix-validation-of-mmio-page-fault.patch | 94 -----------------
debian/patches/series | 8 --
10 files changed, 62 insertions(+), 569 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 7b79f97..170dd57 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.2.72-1) UNRELEASED; urgency=medium
+linux (3.2.73-1) UNRELEASED; urgency=medium
* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.72
@@ -33,7 +33,6 @@ linux (3.2.72-1) UNRELEASED; urgency=medium
- mac80211: enable assoc check for mesh interfaces
- PCI: Add VPD function 0 quirk for Intel Ethernet devices
- usb: gadget: m66592-udc: forever loop in set_feature()
- - KVM: MMU: fix validation of mmio page fault
- auxdisplay: ks0108: fix refcount
- devres: fix devres_get()
- [powerpc] windfarm: decrement client count when unregistering
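Review bot: removing the "KVM: MMU: fix validation of mmio page fault" line from the 3.2.72 list, together with the "[x86] Revert ..., wrongly included in 3.2.72" entry deleted further down, leaves the changelog with no record that 3.2.72 contained this change and that it was backed out. The list added under ChangeLog-3.2.73 has no entry for the revert either. If 3.2.73 carries the revert, add a line for it under the 3.2.73 heading instead of editing the 3.2.72 list, so the entry still matches the upstream changelogs it links to.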
@@ -83,16 +82,70 @@ linux (3.2.72-1) UNRELEASED; urgency=medium
- ipv6: prevent fib6_run_gc() contention
- ipv6: update ip6_rt_last_gc every time GC is run
- jbd2: avoid infinite loop when destroying aborted journal
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.73
+ - module: Fix locking in symbol_put_addr()
+ - regmap: debugfs: Ensure we don't underflow when printing access masks
+ - regmap: debugfs: Don't bother actually printing when calculating max
+ length
+ - ath9k: declare required extra tx headroom
+ - [x86] xen: Do not clip xen_e820_map to xen_e820_map_entries when
+ sanitizing map
+ - UBI: Validate data_size
+ - UBI: return ENOSPC if no enough space available
+ - [mips*] dma-default: Fix 32-bit fall back to GFP_DMA
+ - [amd64] process: Add proper bound checks in 64bit get_wchan()
+ - genirq: Fix race in register_irq_proc()
+ - mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a
+ fault
+ - cifs: Do not fall back to SMBWriteX in set_file_size error cases
+ - md/raid0: update queue parameter in a safer location.
+ - md/raid0: apply base queue limits *before* disk_stack_limits
+ - clocksource: Fix abs() usage w/ 64bit values
+ - iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
+ - USB: Add reset-resume quirk for two Plantronics usb headphones.
+ - usb: Add device quirk for Logitech PTZ cameras
+ - tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
+ - drivers/tty: require read access for controlling terminal
+ - ppp: don't override sk->sk_state in pppoe_flush_dev()
+ - iwlwifi: dvm: fix D3 firmware PN programming
+ - ALSA: synth: Fix conflicting OSS device registration on AWE32
+ - sched/core: Fix TASK_DEAD race in finish_task_switch()
+ - 3w-9xxx: don't unmap bounce buffered commands (regression in 3.2.70)
+ - xen-blkfront: check for null drvdata in blkback_changed
+ (XenbusStateClosing)
+ - ALSA: hda - Fix inverted internal mic on Lenovo G50-80
+ - crypto: ahash - ensure statesize is non-zero
+ - [x86] iommu/vt-d: fix range computation when making room for large pages
+ - xhci: don't finish a TD if we get a short transfer event mid TD
+ - xhci: handle no ping response error properly
+ - xhci: Switch Intel Lynx Point LP ports to EHCI on shutdown.
+ - xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
+ - crypto: api - Only abort operations on fatal signal
+ - IB/cm: Fix rb-tree duplicate free and use-after-free
+ - drm/nouveau/gem: return only valid domain when there's only one
+ - [powerpc*] rtas: Validate rtas.entry before calling enter_rtas()
+ - mm: make sendfile(2) killable
+ - ppp: fix pppoe_dev deletion condition in pppoe_release()
+ - dm btree remove: fix a bug when rebalancing nodes after removal
+ - dm btree: fix leak of bufio-backed block in btree_split_beneath error path
+ - md/raid1: ensure device failure recorded before write request returns.
+ - md/raid1: don't clear bitmap bit when bad-block-list write fails.
+ - md/raid10: ensure device failure recorded before write request returns.
+ - md/raid10: don't clear bitmap bit when bad-block-list write fails.
+ - mvsas: Fix NULL pointer dereference in mvs_slot_task_free
+ - sched: declare pid_alive as inline
+ - net: add length argument to skb_copy_and_csum_datagram_iovec
+ (regression in 3.2.72) (CVE-2015-8019)
+ - skbuff: Fix skb checksum flag on skb pull
+ - skbuff: Fix skb checksum partial check.
+ - ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
+ - asix: Don't reset PHY on if_up for ASIX 88772
+ - asix: Do full reset during ax88772_bind
+ - nfs: Failing to send a CLOSE if file is opened WRONLY and server reboots
+ on a 4.x mount (regression in 3.2.71)
[ Ben Hutchings ]
* [rt] Update to 3.2.72-rt105 (no functional change)
- * net: add length argument to skb_copy_and_csum_datagram_iovec
- (regression in 3.2.72) (CVE-2015-8019)
- * [x86] Revert "KVM: MMU: fix validation of mmio page fault", wrongly
- included in 3.2.72
- * 3w-9xxx: don't unmap bounce buffered commands (regression in 3.2.70)
- * nfs: Failing to send a CLOSE if file is opened WRONLY and server reboots
- on a 4.x mount (regression in 3.2.71)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 14 Oct 2015 01:11:17 +0100
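Review bot: the list added under ChangeLog-3.2.73 accounts for only three of the patches this commit drops from debian/patches/series (the skb_copy_and_csum_datagram_iovec, 3w-9xxx and nfs CLOSE fixes, whose "*" entries are folded into the list here). The two KEYS patches and the two KVM #AC intercept patches are deleted under the same "Drop patches applied upstream" message, but no KEYS or KVM line appears in the new list, so the changelog alone does not show that those security fixes are still present after the update. Please confirm they are part of 3.2.73 and list them here, or state in the commit message where they are already recorded.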
diff --git a/debian/patches/bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch b/debian/patches/bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch
deleted file mode 100644
index cc805ab..0000000
--- a/debian/patches/bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From: Christoph Hellwig <hch at lst.de>
-Date: Sat, 3 Oct 2015 19:16:07 +0200
-Subject: 3w-9xxx: don't unmap bounce buffered commands
-Origin: https://git.kernel.org/linus/15e3d5a285ab9283136dba34bbf72886d9146706
-
-3w controller don't dma map small single SGL entry commands but instead
-bounce buffer them. Add a helper to identify these commands and don't
-call scsi_dma_unmap for them.
-
-Based on an earlier patch from James Bottomley.
-
-Fixes: 118c85 ("3w-9xxx: fix command completion race")
-Reported-by: Tóth Attila <atoth at atoth.sote.hu>
-Tested-by: Tóth Attila <atoth at atoth.sote.hu>
-Signed-off-by: Christoph Hellwig <hch at lst.de>
-Acked-by: Adam Radford <aradford at gmail.com>
-Signed-off-by: James Bottomley <JBottomley at Odin.com>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/scsi/3w-9xxx.c | 28 +++++++++++++++++++++-------
- 1 file changed, 21 insertions(+), 7 deletions(-)
-
---- a/drivers/scsi/3w-9xxx.c
-+++ b/drivers/scsi/3w-9xxx.c
-@@ -225,6 +225,17 @@ static const struct file_operations twa_
- .llseek = noop_llseek,
- };
-
-+/*
-+ * The controllers use an inline buffer instead of a mapped SGL for small,
-+ * single entry buffers. Note that we treat a zero-length transfer like
-+ * a mapped SGL.
-+ */
-+static bool twa_command_mapped(struct scsi_cmnd *cmd)
-+{
-+ return scsi_sg_count(cmd) != 1 ||
-+ scsi_bufflen(cmd) >= TW_MIN_SGL_LENGTH;
-+}
-+
- /* This function will complete an aen request from the isr */
- static int twa_aen_complete(TW_Device_Extension *tw_dev, int request_id)
- {
-@@ -1351,7 +1362,8 @@ static irqreturn_t twa_interrupt(int irq
- }
-
- /* Now complete the io */
-- scsi_dma_unmap(cmd);
-+ if (twa_command_mapped(cmd))
-+ scsi_dma_unmap(cmd);
- cmd->scsi_done(cmd);
- tw_dev->state[request_id] = TW_S_COMPLETED;
- twa_free_request_id(tw_dev, request_id);
-@@ -1594,7 +1606,8 @@ static int twa_reset_device_extension(TW
- struct scsi_cmnd *cmd = tw_dev->srb[i];
-
- cmd->result = (DID_RESET << 16);
-- scsi_dma_unmap(cmd);
-+ if (twa_command_mapped(cmd))
-+ scsi_dma_unmap(cmd);
- cmd->scsi_done(cmd);
- }
- }
-@@ -1777,12 +1790,14 @@ static int twa_scsi_queue_lck(struct scs
- retval = twa_scsiop_execute_scsi(tw_dev, request_id, NULL, 0, NULL);
- switch (retval) {
- case SCSI_MLQUEUE_HOST_BUSY:
-- scsi_dma_unmap(SCpnt);
-+ if (twa_command_mapped(SCpnt))
-+ scsi_dma_unmap(SCpnt);
- twa_free_request_id(tw_dev, request_id);
- break;
- case 1:
- SCpnt->result = (DID_ERROR << 16);
-- scsi_dma_unmap(SCpnt);
-+ if (twa_command_mapped(SCpnt))
-+ scsi_dma_unmap(SCpnt);
- done(SCpnt);
- tw_dev->state[request_id] = TW_S_COMPLETED;
- twa_free_request_id(tw_dev, request_id);
-@@ -1843,8 +1858,7 @@ static int twa_scsiop_execute_scsi(TW_De
- /* Map sglist from scsi layer to cmd packet */
-
- if (scsi_sg_count(srb)) {
-- if ((scsi_sg_count(srb) == 1) &&
-- (scsi_bufflen(srb) < TW_MIN_SGL_LENGTH)) {
-+ if (!twa_command_mapped(srb)) {
- if (srb->sc_data_direction == DMA_TO_DEVICE ||
- srb->sc_data_direction == DMA_BIDIRECTIONAL)
- scsi_sg_copy_to_buffer(srb,
-@@ -1917,7 +1931,7 @@ static void twa_scsiop_execute_scsi_comp
- {
- struct scsi_cmnd *cmd = tw_dev->srb[request_id];
-
-- if (scsi_bufflen(cmd) < TW_MIN_SGL_LENGTH &&
-+ if (!twa_command_mapped(cmd) &&
- (cmd->sc_data_direction == DMA_FROM_DEVICE ||
- cmd->sc_data_direction == DMA_BIDIRECTIONAL)) {
- if (scsi_sg_count(cmd) == 1) {
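Review bot: in the last sub-hunk (twa_scsiop_execute_scsi_complete) the outer condition becomes !twa_command_mapped(cmd), which by the helper's definition already means scsi_sg_count(cmd) == 1 and scsi_bufflen(cmd) < TW_MIN_SGL_LENGTH, so the nested "if (scsi_sg_count(cmd) == 1)" kept as context is now always true and can be folded away. The helper's comment says a zero-length transfer is treated as mapped; it would help to add that scsi_dma_unmap() is therefore still called for those commands at all four guarded sites. For the removal itself, the changelog hunk lists this fix under 3.2.73 with the same "regression in 3.2.70" note, so dropping the file is consistent.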
diff --git a/debian/patches/bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch b/debian/patches/bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
deleted file mode 100644
index 5b56b79..0000000
--- a/debian/patches/bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Thu, 15 Oct 2015 17:21:37 +0100
-Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated
- keyring
-Origin: https://git.kernel.org/linus/f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61
-
-The following sequence of commands:
-
- i=`keyctl add user a a @s`
- keyctl request2 keyring foo bar @t
- keyctl unlink $i @s
-
-tries to invoke an upcall to instantiate a keyring if one doesn't already
-exist by that name within the user's keyring set. However, if the upcall
-fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
-other error code. When the key is garbage collected, the key destroy
-function is called unconditionally and keyring_destroy() uses list_empty()
-on keyring->type_data.link - which is in a union with reject_error.
-Subsequently, the kernel tries to unlink the keyring from the keyring names
-list - which oopses like this:
-
- BUG: unable to handle kernel paging request at 00000000ffffff8a
- IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
- ...
- Workqueue: events key_garbage_collector
- ...
- RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
- RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
- RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
- RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
- RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
- R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
- R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
- ...
- CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
- ...
- Call Trace:
- [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
- [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
- [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
- [<ffffffff8105fd17>] worker_thread+0x26e/0x361
- [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
- [<ffffffff810648ad>] kthread+0xf3/0xfb
- [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
- [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
- [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
-
-Note the value in RAX. This is a 32-bit representation of -ENOKEY.
-
-The solution is to only call ->destroy() if the key was successfully
-instantiated.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-[carnil: Backported for 3.2: adjust context]
----
- security/keys/gc.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -172,8 +172,10 @@ static noinline void key_gc_unused_key(s
- {
- key_check(key);
-
-- /* Throw away the key data */
-- if (key->type->destroy)
-+ /* Throw away the key data if the key is instantiated */
-+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
-+ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
-+ key->type->destroy)
- key->type->destroy(key);
-
- security_key_free(key);
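Review bot: the new condition in key_gc_unused_key() tests !KEY_FLAG_NEGATIVE in addition to KEY_FLAG_INSTANTIATED, but the description only says ->destroy() is called "if the key was successfully instantiated" and never mentions the negative flag. Since the oops comes from reject_error sharing a union with type_data.link, the description or the code comment should say which flag combination marks a key whose union holds reject_error, so the reason for the second test is clear to whoever next touches this path. Also note that the context here ("Throw away the key data" ahead of security_key_free) only exists once the KEYS race patch is applied, so the two files have to be dropped together, as this commit does.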
diff --git a/debian/patches/bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch b/debian/patches/bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
deleted file mode 100644
index cc574ec..0000000
--- a/debian/patches/bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Fri, 25 Sep 2015 16:30:08 +0100
-Subject: KEYS: Fix race between key destruction and finding a keyring by name
-Origin: https://git.kernel.org/linus/94c4554ba07adbdde396748ee7ae01e86cf2d8d7
-
-There appears to be a race between:
-
- (1) key_gc_unused_keys() which frees key->security and then calls
- keyring_destroy() to unlink the name from the name list
-
- (2) find_keyring_by_name() which calls key_permission(), thus accessing
- key->security, on a key before checking to see whether the key usage is 0
- (ie. the key is dead and might be cleaned up).
-
-Fix this by calling ->destroy() before cleaning up the core key data -
-including key->security.
-
-Reported-by: Petr Matousek <pmatouse at redhat.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-[carnil: Backported to 3.2: adjust context]
----
- security/keys/gc.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -172,6 +172,10 @@ static noinline void key_gc_unused_key(s
- {
- key_check(key);
-
-+ /* Throw away the key data */
-+ if (key->type->destroy)
-+ key->type->destroy(key);
-+
- security_key_free(key);
-
- /* deal with the user's key tracking and quota */
-@@ -186,10 +190,6 @@ static noinline void key_gc_unused_key(s
- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
- atomic_dec(&key->user->nikeys);
-
-- /* now throw away the key memory */
-- if (key->type->destroy)
-- key->type->destroy(key);
--
- key_user_put(key->user);
-
- kfree(key->description);
diff --git a/debian/patches/bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch b/debian/patches/bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch
deleted file mode 100644
index 471f0ef..0000000
--- a/debian/patches/bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Olga Kornievskaia <aglo at umich.edu>
-Date: Mon, 14 Sep 2015 19:54:36 -0400
-Subject: Failing to send a CLOSE if file is opened WRONLY and server reboots
- on a 4.x mount
-Origin: https://git.kernel.org/linus/a41cbe86df3afbc82311a1640e20858c0cd7e065
-
-A test case is as the description says:
-open(foobar, O_WRONLY);
-sleep() --> reboot the server
-close(foobar)
-
-The bug is because in nfs4state.c in nfs4_reclaim_open_state() a few
-line before going to restart, there is
-clear_bit(NFS4CLNT_RECLAIM_NOGRACE, &state->flags).
-
-NFS4CLNT_RECLAIM_NOGRACE is a flag for the client states not open
-owner states. Value of NFS4CLNT_RECLAIM_NOGRACE is 4 which is the
-value of NFS_O_WRONLY_STATE in nfs4_state->flags. So clearing it wipes
-out state and when we go to close it, “call_close” doesn’t get set as
-state flag is not set and CLOSE doesn’t go on the wire.
-
-Signed-off-by: Olga Kornievskaia <aglo at umich.edu>
-Signed-off-by: Trond Myklebust <trond.myklebust at primarydata.com>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- fs/nfs/nfs4state.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/nfs/nfs4state.c
-+++ b/fs/nfs/nfs4state.c
-@@ -1192,7 +1192,7 @@ restart:
- }
- spin_unlock(&state->state_lock);
- nfs4_put_open_state(state);
-- clear_bit(NFS4CLNT_RECLAIM_NOGRACE,
-+ clear_bit(NFS_STATE_RECLAIM_NOGRACE,
- &state->flags);
- goto restart;
- }
diff --git a/debian/patches/bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch b/debian/patches/bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
deleted file mode 100644
index fb391e0..0000000
--- a/debian/patches/bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From: Sabrina Dubroca <sd at queasysnail.net>
-Date: Thu, 15 Oct 2015 14:25:03 +0200
-Subject: net: add length argument to skb_copy_and_csum_datagram_iovec
-Origin: https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y-queue.git/tree/queue-3.2/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
-
-Without this length argument, we can read past the end of the iovec in
-memcpy_toiovec because we have no way of knowing the total length of the
-iovec's buffers.
-
-This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb
-csum races when peeking") has been backported but that don't have the
-ioviter conversion, which is almost all the stable trees <= 3.18.
-
-This also fixes a kernel crash for NFS servers when the client uses
- -onfsvers=3,proto=udp to mount the export.
-
-Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
-Reviewed-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
-[bwh: Backported to 3.2: adjust context in include/linux/skbuff.h]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/linux/skbuff.h
-+++ b/include/linux/skbuff.h
-@@ -2136,7 +2136,8 @@ extern int skb_copy_datagram_iove
- int size);
- extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
- int hlen,
-- struct iovec *iov);
-+ struct iovec *iov,
-+ int len);
- extern int skb_copy_datagram_from_iovec(struct sk_buff *skb,
- int offset,
- const struct iovec *from,
---- a/net/core/datagram.c
-+++ b/net/core/datagram.c
-@@ -709,6 +709,7 @@ EXPORT_SYMBOL(__skb_checksum_complete);
- * @skb: skbuff
- * @hlen: hardware length
- * @iov: io vector
-+ * @len: amount of data to copy from skb to iov
- *
- * Caller _must_ check that skb will fit to this iovec.
- *
-@@ -718,11 +719,14 @@ EXPORT_SYMBOL(__skb_checksum_complete);
- * can be modified!
- */
- int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
-- int hlen, struct iovec *iov)
-+ int hlen, struct iovec *iov, int len)
- {
- __wsum csum;
- int chunk = skb->len - hlen;
-
-+ if (chunk > len)
-+ chunk = len;
-+
- if (!chunk)
- return 0;
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -5198,7 +5198,7 @@ static int tcp_copy_to_iovec(struct sock
- err = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);
- else
- err = skb_copy_and_csum_datagram_iovec(skb, hlen,
-- tp->ucopy.iov);
-+ tp->ucopy.iov, chunk);
-
- if (!err) {
- tp->ucopy.len -= chunk;
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1207,7 +1207,7 @@ try_again:
- else {
- err = skb_copy_and_csum_datagram_iovec(skb,
- sizeof(struct udphdr),
-- msg->msg_iov);
-+ msg->msg_iov, copied);
-
- if (err == -EINVAL)
- goto csum_copy_err;
---- a/net/ipv6/raw.c
-+++ b/net/ipv6/raw.c
-@@ -479,7 +479,7 @@ static int rawv6_recvmsg(struct kiocb *i
- goto csum_copy_err;
- err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
- } else {
-- err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov);
-+ err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied);
- if (err == -EINVAL)
- goto csum_copy_err;
- }
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -383,7 +383,8 @@ try_again:
- err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
- msg->msg_iov, copied );
- else {
-- err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov);
-+ err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
-+ msg->msg_iov, copied);
- if (err == -EINVAL)
- goto csum_copy_err;
- }
---- a/net/rxrpc/ar-recvmsg.c
-+++ b/net/rxrpc/ar-recvmsg.c
-@@ -185,7 +185,8 @@ int rxrpc_recvmsg(struct kiocb *iocb, st
- msg->msg_iov, copy);
- } else {
- ret = skb_copy_and_csum_datagram_iovec(skb, offset,
-- msg->msg_iov);
-+ msg->msg_iov,
-+ copy);
- if (ret == -EINVAL)
- goto csum_copy_error;
- }
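Review bot: the new len parameter of skb_copy_and_csum_datagram_iovec() is a signed int and is used only as an upper bound ("if (chunk > len) chunk = len;"), so a negative len makes chunk negative and it then passes the "if (!chunk)" test that follows. Every caller in this patch passes a length it has already computed (chunk, copied, copy), but the function should reject len < 0 itself instead of relying on that. The kernel-doc gains the @len line while "Caller _must_ check that skb will fit to this iovec" is left unchanged; it should now say that len is the caller's statement of how much the iovec can take. Minor style point: the net/ipv6/raw.c call is left as one long line while the net/ipv6/udp.c call is wrapped.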
diff --git a/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch b/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
deleted file mode 100644
index bb7ecb7..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Subject: KVM x86 SVM: intercept #AC to avoid guest->host exploit
-
----
-M arch/x86/kvm/svm.c
-1 file changed, 8 insertions(+), 0 deletions(-)
-
-
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1014,6 +1014,7 @@ static void init_vmcb(struct vcpu_svm *s
- set_exception_intercept(svm, PF_VECTOR);
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
-+ set_exception_intercept(svm, AC_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1689,6 +1690,12 @@ static int ud_interception(struct vcpu_s
- return 1;
- }
-
-+static int ac_interception(struct vcpu_svm *svm)
-+{
-+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
-+ return 1;
-+}
-+
- static void svm_fpu_activate(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-@@ -3188,6 +3195,7 @@ static int (*svm_exit_handlers[])(struct
- [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
- [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
- [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
-+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
- [SVM_EXIT_INTR] = intr_interception,
- [SVM_EXIT_NMI] = nmi_interception,
- [SVM_EXIT_SMI] = nop_on_interception,
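Review bot: this patch file has only a Subject line, with no From, Date, Origin or Signed-off-by and an empty description, unlike the other patches removed in this commit. With no Origin there is nothing in the file to check the "applied upstream" claim against, so the commit message should name the upstream change that replaces it. In the code, ac_interception() queues the exception with a hard-coded error code of 0 while the VMX patch forwards error_code; a one-line comment saying the #AC error code is always zero would explain the difference. The patch also uses AC_VECTOR without defining it, so it depends on the kvm_host.h change in the VMX patch and the two must be applied or dropped as a pair.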
diff --git a/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch b/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
deleted file mode 100644
index d60fd13..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Eric Northup <digitaleric at google.com>
-Date: Thu Sep 10 11:36:28 2015 -0700
-Subject: KVM x86 vmx: avoid guest->host DOS by intercepting #AC
-
-A pathological (or malicious) guest can hang a host core by
-mis-configuring its GDT/IDT and enabling alignment checks.
-
-[bwh: Backported to 3.2: adjust filename]
-
---- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -83,6 +83,7 @@
- #define GP_VECTOR 13
- #define PF_VECTOR 14
- #define MF_VECTOR 16
-+#define AC_VECTOR 17
- #define MC_VECTOR 18
-
- #define SELECTOR_TI_MASK (1 << 2)
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1171,7 +1171,7 @@ static void update_exception_bitmap(stru
- u32 eb;
-
- eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
-- (1u << NM_VECTOR) | (1u << DB_VECTOR);
-+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
- if ((vcpu->guest_debug &
- (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
- (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
-@@ -4286,6 +4286,13 @@ static int handle_exception(struct kvm_v
- kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
- kvm_run->debug.arch.exception = ex_no;
- break;
-+ case AC_VECTOR:
-+ /*
-+ * We have already enabled interrupts and pre-emption, so
-+ * it's OK to loop here if that is what will happen.
-+ */
-+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
-+ return 1;
- default:
- kvm_run->exit_reason = KVM_EXIT_EXCEPTION;
- kvm_run->ex.exception = ex_no;
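Review bot: the comment added in the AC_VECTOR case of handle_exception() ("it's OK to loop here if that is what will happen") does not say what loops or why that is acceptable. Given the description (a guest hanging a host core by mis-configuring its GDT/IDT with alignment checks enabled), it should spell out that the exception is re-injected into the guest and that any resulting loop now exits to the host on each iteration, where interrupts and pre-emption are enabled, instead of spinning inside the guest. The update_exception_bitmap() change and this case have to stay in step: once the AC_VECTOR bit is set in eb without the case, the exit falls through to default and is reported as KVM_EXIT_EXCEPTION.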
diff --git a/debian/patches/bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch b/debian/patches/bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
deleted file mode 100644
index e90a484..0000000
--- a/debian/patches/bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Thu, 15 Oct 2015 01:20:29 +0100
-Subject: Revert "KVM: MMU: fix validation of mmio page fault"
-Origin: https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y-queue.git/tree/queue-3.2/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
-
-This reverts commit 41e3025eacd6daafc40c3e7850fbcabc8b847805, which
-was commit 6f691251c0350ac52a007c54bf3ef62e9d8cdc5e upstream.
-
-The fix is only needed after commit f8f559422b6c ("KVM: MMU: fast
-invalidate all mmio sptes"), included in Linux 3.11.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kvm/mmu.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 45 insertions(+)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index cac7b2b..4a949c7 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -326,6 +326,12 @@ static u64 __get_spte_lockless(u64 *sptep)
- {
- return ACCESS_ONCE(*sptep);
- }
-+
-+static bool __check_direct_spte_mmio_pf(u64 spte)
-+{
-+ /* It is valid if the spte is zapped. */
-+ return spte == 0ull;
-+}
- #else
- union split_spte {
- struct {
-@@ -430,6 +436,23 @@ retry:
-
- return spte.spte;
- }
-+
-+static bool __check_direct_spte_mmio_pf(u64 spte)
-+{
-+ union split_spte sspte = (union split_spte)spte;
-+ u32 high_mmio_mask = shadow_mmio_mask >> 32;
-+
-+ /* It is valid if the spte is zapped. */
-+ if (spte == 0ull)
-+ return true;
-+
-+ /* It is valid if the spte is being zapped. */
-+ if (sspte.spte_low == 0ull &&
-+ (sspte.spte_high & high_mmio_mask) == high_mmio_mask)
-+ return true;
-+
-+ return false;
-+}
- #endif
-
- static bool spte_has_volatile_bits(u64 spte)
-@@ -2872,6 +2895,21 @@ static bool quickly_check_mmio_pf(struct kvm_vcpu *vcpu, u64 addr, bool direct)
- return vcpu_match_mmio_gva(vcpu, addr);
- }
-
-+
-+/*
-+ * On direct hosts, the last spte is only allows two states
-+ * for mmio page fault:
-+ * - It is the mmio spte
-+ * - It is zapped or it is being zapped.
-+ *
-+ * This function completely checks the spte when the last spte
-+ * is not the mmio spte.
-+ */
-+static bool check_direct_spte_mmio_pf(u64 spte)
-+{
-+ return __check_direct_spte_mmio_pf(spte);
-+}
-+
- static u64 walk_shadow_page_get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr)
- {
- struct kvm_shadow_walk_iterator iterator;
-@@ -2913,6 +2951,13 @@ int handle_mmio_page_fault_common(struct kvm_vcpu *vcpu, u64 addr, bool direct)
- }
-
- /*
-+ * It's ok if the gva is remapped by other cpus on shadow guest,
-+ * it's a BUG if the gfn is not a mmio page.
-+ */
-+ if (direct && !check_direct_spte_mmio_pf(spte))
-+ return -1;
-+
-+ /*
- * If the page table is zapped by other cpus, let CPU fault again on
- * the address.
- */
-
diff --git a/debian/patches/series b/debian/patches/series
index 82c04c5..0551155 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1159,14 +1159,6 @@ debian/usb-avoid-abi-change-in-3.2.69.patch
debian/bh-avoid-abi-change-in-3.2.71.patch
debian/x86-mm-avoid-abi-change-in-3.2.72.patch
-bugfix/all/KEYS-Fix-race-between-key-destruction-and-finding-a-.patch
-bugfix/all/KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
-bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
-bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
-bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
-bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
-bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch
-bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git