[linux] 02/04: Update to 3.16.7-ckt17
debian-kernel at lists.debian.org
Tue Sep 22 19:19:41 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 612c261c0c8877667c9595af6a04fe6f07da5615
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Sep 22 17:40:55 2015 +0200
Update to 3.16.7-ckt17
Drop many patches that were applied upstream.
---
debian/changelog | 252 ++++++++++++++++++-
...0011-kernel-tighten-rules-for-ACCESS-ONCE.patch | 4 +-
...-a-full-clone-when-splitting-discard-bios.patch | 60 -----
...ree-the-assoc-array-edit-if-edit-is-valid.patch | 37 ---
.../bugfix/all/libata-add-ata_horkage_notrim.patch | 45 ----
...a-force-disable-trim-for-supersspeed-s238.patch | 28 ---
.../md-use-kzalloc-when-bitmap-is-disabled.patch | 42 ----
...q-make-sure-that-there-s-not-too-many-ele.patch | 34 ---
.../vhost-actually-track-log-eventfd-file.patch | 28 ---
...ry-64-Fold-the-test_in_nmi-macro-into-its.patch | 71 ------
...-x86-asm-entry-64-Remove-a-redundant-jump.patch | 42 ----
...ble-nested-do_nmi-handling-for-64-bit-ker.patch | 189 --------------
...x86-nmi-64-Remove-asm-code-that-saves-cr2.patch | 51 ----
...i-64-Switch-stacks-on-userspace-NMI-entry.patch | 133 ----------
...07-x86-nmi-64-Improve-nested-NMI-comments.patch | 279 ---------------------
...0008-x86-nmi-64-Reorder-nested-NMI-checks.patch | 83 ------
...Use-DF-to-avoid-userspace-RSP-confusing-n.patch | 86 -------
debian/patches/series | 15 --
18 files changed, 253 insertions(+), 1226 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index fea23b1..2b769f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.16.7-ckt15-1) UNRELEASED; urgency=medium
+linux (3.16.7-ckt17-1) UNRELEASED; urgency=medium
* New upstream stable updates:
http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt12
@@ -453,6 +453,256 @@ linux (3.16.7-ckt15-1) UNRELEASED; urgency=medium
- ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage
- LZ4 : fix the data abort issue
- lz4: fix system halt at boot kernel on x86_64
+ http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt16
+ - netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings
+ - Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list
+ - Btrfs: use kmem_cache_free when freeing entry in inode cache
+ - Btrfs: fix race between caching kthread and returning inode to inode cache
+ - Btrfs: fix fsync data loss after append write
+ - ext4: fix reservation release on invalidatepage for delalloc fs
+ - ext4: be more strict when migrating to non-extent based file
+ - ext4: correctly migrate a file with a hole at the beginning
+ - ext4: replace open coded nofail allocation in ext4_free_blocks()
+ - drm/radeon: Handle irqs only based on irq ring, not irq status regs.
+ - drm/radeon: unpin cursor BOs on suspend and pin them again on resume (v2)
+ - hpfs: kstrdup() out of memory handling
+ - hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
+ - 9p: don't leave a half-initialized inode sitting around
+ - MIPS: kernel: traps: Fix broken indentation
+ - thermal: step_wise: fix: Prevent from binary overflow when trend is dropping
+ - spi: pl022: Specify 'num-cs' property as required in devicetree binding
+ - iio: twl4030-madc: Pass the IRQF_ONESHOT flag
+ - iio: inv-mpu: Specify the expected format/precision for write channels
+ - iio: DAC: ad5624r_spi: fix bit shift of output data value
+ - iio: adc: at91_adc: allow to use full range of startup time
+ - ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4
+ - iio: tmp006: Check channel info on write
+ - dm btree remove: fix bug in redistribute3
+ - kbuild: Allow arch Makefiles to override {cpp,ld,c}flags
+ - ARC: Override toplevel default -O2 with -O3
+ - crypto: omap-des - Fix unmapping of dma channels
+ - USB: option: add 2020:4000 ID
+ - USB: cp210x: add ID for Aruba Networks controllers
+ - dm btree: silence lockdep lock inversion in dm_btree_del()
+ - usb: musb: host: rely on port_mode to call musb_start()
+ - usb: f_mass_storage: limit number of reported LUNs
+ - drm: add a check for x/y in drm_mode_setcrtc
+ - bio integrity: do not assume bio_integrity_pool exists if bioset exists
+ - ARM: dts: mx23: fix iio-hwmon support
+ - tracing: Have branch tracer use recursive field of task struct
+ - drivers: net: cpsw: fix crash while accessing second slave ethernet interface
+ - USB: serial: Destroy serial_minors IDR on module exit
+ - Btrfs: fix memory leak in the extent_same ioctl
+ - Btrfs: fix list transaction->pending_ordered corruption
+ - can: rcar_can: fix IRQ check
+ - ARC: make sure instruction_pointer() returns unsigned value
+ - Btrfs: fix file corruption after cloning inline extents
+ - st: null pointer dereference panic caused by use after kref_put by st_open
+ - drm/radeon: add a dpm quirk for Sapphire Radeon R9 270X 2GB GDDR5
+ - drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
+ - genirq: Prevent resend to interrupts marked IRQ_NESTED_THREAD
+ - x86/asm/entry/64: Fold the 'test_in_nmi' macro into its only user
+ - x86/asm/entry/64: Remove a redundant jump
+ - x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
+ - x86/nmi/64: Remove asm code that saves CR2
+ - x86/nmi/64: Switch stacks on userspace NMI entry
+ - x86/nmi/64: Improve nested NMI comments
+ - x86/nmi/64: Reorder nested NMI checks
+ - x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
+ - ARM: 8404/1: dma-mapping: fix off-by-one error in bitmap size check
+ - ipv6: Make MLD packets to only be processed locally
+ - bridge: mdb: start delete timer for temp static entries
+ - net: graceful exit from netif_alloc_netdev_queues()
+ - ip_tunnel: fix ipv4 pmtu check to honor inner ip header df
+ - bridge: mdb: zero out the local br_ip variable before use
+ - net: do not process device backlog during unregistration
+ - net: dsa: Test array index before use
+ - net: dsa: Fix off-by-one in switch address parsing
+ - can: rcar_can: print signed IRQ #
+ - perf symbols: Store if there is a filter in place
+ - perf hists browser: Take the --comm, --dsos, etc filters into account
+ - rds: rds_ib_device.refcount overflow
+ - KEYS: ensure we free the assoc array edit if edit is valid
+ - mm: avoid setting up anonymous pages into file mapping
+ - evm: labeling pseudo filesystems exception
+ - USB: usbfs: allow URBs to be reaped after disconnection
+ - sg_start_req(): make sure that there's not too many elements in iovec
+ - HID: cp2112: fix to force single data-report reply
+ - ata: pmp: add quirk for Marvell 4140 SATA PMP
+ - libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER
+ - libata: add ATA_HORKAGE_NOTRIM
+ - libata: force disable trim for SuperSSpeed S238
+ - libata: increase the timeout when setting transfer mode
+ - can: mcp251x: fix resume when device is down
+ - libata: Do not blacklist M510DC
+ - mac80211: clear subdir_stations when removing debugfs
+ - iio: adc: vf610: fix the adc register read fail issue
+ - net: mvneta: fix refilling for Rx DMA buffers
+ - ALSA: hda - Add new GPU codec ID 0x10de007d to snd-hda
+ - xdrm/i915: Use two 32bit reads for select 64bit REG_READ ioctls
+ - usb: dwc3: gadget: return error if command sent to DEPCMD register fails
+ - usb: dwc3: Reset the transfer resource index on SET_INTERFACE
+ - usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function
+ - xhci: Calculate old endpoints correctly on device reset
+ - xhci: report U3 when link is in resume state
+ - xhci: prevent bus_suspend if SS port resuming in phase 1
+ - xhci: do not report PLC when link is in internal resume state
+ - usb: core: lpm: set lpm_capable for root hub device
+ - USB: OHCI: Fix race between ED unlink and URB submission
+ - usb-storage: ignore ZTE MF 823 card reader in mode 0x1225
+ - blkcg: fix gendisk reference leak in blkg_conf_prep()
+ - tile: use free_bootmem_late() for initrd
+ - Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen
+ - block: Do a full clone when splitting discard bios
+ - md/raid1: fix test for 'was read error from last working device'.
+ - mmc: omap_hsmmc: Fix DTO and DCRC handling
+ - mtd: nand: Fix NAND_USE_BOUNCE_BUFFER flag conflict
+ - net/xen-netback: off by one in BUG_ON() condition
+ - bridge: mdb: fix double add notification
+ - isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
+ - usb: gadget: mv_udc_core: fix phy_regs I/O memory leak
+ - bonding: fix destruction of bond with devices different from arphrd_ether
+ - bonding: correctly handle bonding type change on enslave failure
+ - inet: frags: fix defragmented packet's IP header for af_packet
+ - mmc: block: Add missing mmc_blk_put() in power_ro_lock_show()
+ - mmc: sdhci-esdhc: Make 8BIT bus work
+ - mmc: sdhci-pxav3: fix platform_data is not initialized
+ - freeing unlinked file indefinitely delayed
+ - s390/sclp: clear upper register halves in _sclp_print_early
+ - s390/process: fix sfpc inline assembly
+ - mmc: sdhci: Fix FSL ESDHC reset handling quirk
+ - md: fix a build warning
+ http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt17
+ - md: use kzalloc() when bitmap is disabled
+ - sparc64: Fix userspace FPU register corruptions.
+ - sysfs: Create mountpoints with sysfs_create_mount_point
+ - ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc
+ - ASoC: pcm1681: Fix setting de-emphasis sampling rate selection
+ - iscsi-target: Fix use-after-free during TPG session shutdown
+ - iscsi-target: Fix iscsit_start_kthreads failure OOPs
+ - iscsi-target: Fix iser explicit logout TX kthread leak
+ - ARM: dts: i.MX35: Fix can support.
+ - ALSA: hda - Apply fixup for another Toshiba Satellite S50D
+ - vhost: actually track log eventfd file
+ - arm64/efi: map the entire UEFI vendor string before reading it
+ - xfs: remote attribute headers contain an invalid LSN
+ - xfs: remote attributes need to be considered data
+ - ALSA: hda - Apply a fixup to Dell Vostro 5480
+ - ALSA: usb-audio: add dB range mapping for some devices
+ - drm/i915: Replace WARN inside I915_READ64_2x32 with retry loop
+ - drm/radeon/combios: add some validation of lvds values
+ - x86/efi: Use all 64 bit of efi_memmap in setup_e820()
+ - ipr: Fix locking for unit attention handling
+ - ipr: Fix incorrect trace indexing
+ - ipr: Fix invalid array indexing for HRRQ
+ - ALSA: hda - Fix MacBook Pro 5,2 quirk
+ - x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
+ - netfilter: ctnetlink: put back references to master ct and expect objects
+ - ipvs: do not use random local source address for tunnels
+ - ipvs: fix crash if scheduler is changed
+ - ipvs: fix crash with sync protocol v0 and FTP
+ - netfilter: nf_conntrack: Support expectations in different zones
+ - NFS: Don't revalidate the mapping if both size and change attr are up to date
+ - ALSA: hda - fix cs4210_spdif_automute()
+ - net/mlx4_core: Fix wrong index in propagating port change event to VFs
+ - niu: don't count tx error twice in case of headroom realloc fails
+ - avr32: handle NULL as a valid clock object
+ - packet: missing dev_put() in packet_do_bind()
+ - packet: tpacket_snd(): fix signed/unsigned comparison
+ - bridge: mdb: fix delmdb state in the notification
+ - net: sched: fix refcount imbalance in actions
+ - act_pedit: check binding before calling tcf_hash_release()
+ - PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
+ - USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
+ - USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
+ - nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
+ - crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
+ - USB: sierra: add 1199:68AB device ID
+ - rbd: fix copyup completion race
+ - md/bitmap: return an error when bitmap superblock is corrupt.
+ - md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
+ - thermal: exynos: Disable the regulator on probe failure
+ - MIPS: Fix sched_getaffinity with MT FPAFF enabled
+ - MIPS: Malta: Don't reinitialise RTC
+ - MIPS: do_mcheck: Fix kernel code dump with EVA
+ - MIPS: show_stack: Fix stack trace with EVA
+ - MIPS: Flush RPS on kernel entry with EVA
+ - xhci: fix off by one error in TRB DMA address boundary check
+ - drivers/usb: Delete XHCI command timer if necessary
+ - ALSA: fireworks/firewire-lib: add support for recent firmware quirk
+ - mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
+ - MIPS: Make set_pte() SMP safe.
+ - ipc: modify message queue accounting to not take kernel data structures into account
+ - ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
+ - fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
+ - drm/radeon: fix hotplug race at startup
+ - rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver
+ - net/tipc: initialize security state for new connection socket
+ - net: pktgen: fix race between pktgen_thread_worker() and kthread_stop()
+ - net: call rcu_read_lock early in process_backlog
+ - net: Clone skb before setting peeked flag
+ - net: Fix skb csum races when peeking
+ - net: Fix skb_set_peeked use-after-free bug
+ - ipv6: lock socket in ip6_datagram_connect()
+ - bonding: correct the MAC address for "follow" fail_over_mac policy
+ - netlink: don't hold mutex in rcu callback when releasing mmapd ring
+ - rds: fix an integer overflow test in rds_info_getsockopt()
+ - udp: fix dst races with multicast early demux
+ - bna: fix interrupts storm caused by erroneous packets
+ - net: gso: use feature flag argument in all protocol gso handlers
+ - Fix firmware loader uevent buffer NULL pointer dereference
+ - qla2xxx: Mark port lost when we receive an RSCN for it.
+ - megaraid_sas: use raw_smp_processor_id()
+ - fs/buffer.c: support buffer cache allocations with gfp modifiers
+ - bufferhead: Add _gfp version for sb_getblk()
+ - ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp
+ - HID: usbhid: add Chicony/Pixart usb optical mouse that needs QUIRK_ALWAYS_POLL
+ - ima: add support for new "euid" policy condition
+ - ima: extend "mask" policy matching support
+ - mfd: arizona: Fix initialisation of the PM runtime
+ - xen-blkfront: don't add indirect pages to list when !feature_persistent
+ - xen-blkback: replace work_pending with work_busy in purge_persistent_gnt()
+ - regmap: regcache-rbtree: Clean new present bits on present bitmap resize
+ - target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
+ - target: REPORT LUNS should return LUN 0 even for dynamic ACLs
+ - perf: Fix fasync handling on inherited events
+ - KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST
+ - x86/ldt: Make modify_ldt synchronous
+ - x86/ldt: Correct LDT access in single stepping logic
+ - rcu: Provide counterpart to rcu_dereference() for non-RCU situations
+ - rcu: Move lockless_dereference() out of rcupdate.h
+ - x86/ldt: Correct FPU emulation access to LDT
+ - localmodconfig: Use Kbuild files too
+ - dm thin metadata: delete btrees when releasing metadata snapshot
+ - dm btree: add ref counting ops for the leaves of top level btrees
+ - drm/radeon: add new OLAND pci id
+ - libiscsi: Fix host busy blocking during connection teardown
+ - libfc: Fix fc_exch_recv_req() error path
+ - libfc: Fix fc_fcp_cleanup_each_cmd()
+ - EDAC, ppc4xx: Access mci->csrows array elements properly
+ - crypto: caam - fix memory corruption in ahash_final_ctx
+ - drm/vmwgfx: Fix execbuf locking issues
+ - mm/hwpoison: fix page refcount of unknown non LRU page
+ - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
+ - ipc/sem.c: change memory barrier in sem_lock() to smp_rmb()
+ - ipc/sem.c: update/correct memory barriers
+ - MIPS: Fix seccomp syscall argument for MIPS64
+ - x86/ldt: Further fix FPU emulation
+ - SCSI: Fix NULL pointer dereference in runtime PM
+ - ALSA: usb-audio: Fix runtime PM unbalance
+ - Add factory recertified Crucial M500s to blacklist
+ - arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
+ - batman-adv: fix kernel crash due to missing NULL checks
+ - batman-adv: protect tt_local_entry from concurrent delete events
+ - perf: Fix PERF_EVENT_IOC_PERIOD migration race
+ - net: Fix RCU splat in af_key
+ - ip6_gre: release cached dst on tunnel removal
+ - s390/sclp: fix compile error
+ - xen/gntdev: convert priv->lock to a mutex
+ - xen/gntdevt: Fix race condition in gntdev_release()
+ - signalfd: fix information leak in signalfd_copyinfo
+ - signal: fix information leak in copy_siginfo_to_user
+ - signal: fix information leak in copy_siginfo_from_user32
[ Ben Hutchings ]
* [x86] vmwgfx: Enable DRM_VMWGFX_FBCON (Closes: #714929)
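Review bot: none of the security-relevant entries in this hunk carries a CVE identifier, although one is known from this same commit: the deleted file keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch records CVE-2015-1333, and this changelog entry is now the package's only record of the fix. Suggest amending the ckt16 line to "- KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333)" so the Debian security tracker can match it, and checking the tracker for the other information-leak entries here (md: use kzalloc() when bitmap is disabled; signalfd/signal: fix information leak) before upload. Minor: the entry "xdrm/i915: Use two 32bit reads for select 64bit REG_READ ioctls" has a stray leading "x" in the copied title.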
diff --git a/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch b/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
index 11832b2..b9c9c27 100644
--- a/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
+++ b/debian/patches/bugfix/all/access_once/0011-kernel-tighten-rules-for-ACCESS-ONCE.patch
@@ -43,5 +43,5 @@ Reviewed-by: Paul E. McKenney <paulmck at linux.vnet.ibm.com>
+ (volatile typeof(x) *)&(x); })
+#define ACCESS_ONCE(x) (*__ACCESS_ONCE(x))
- /* Ignore/forbid kprobes attach on very low level functions marked by this attribute: */
- #ifdef CONFIG_KPROBES
+ /**
+ * lockless_dereference() - safely load a pointer for later dereference
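Review bot: only the trailing context of this kept patch changes (the kprobes comment gives way to the lockless_dereference() kerneldoc that ckt17 brings in with "rcu: Move lockless_dereference() out of rcupdate.h"), so the refresh itself looks right, but it should be confirmed that the patch still applies without fuzz against the ckt17 tree and that the ACCESS_ONCE definition it adds does not now duplicate one already present in include/linux/compiler.h after the update.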
diff --git a/debian/patches/bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch b/debian/patches/bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch
deleted file mode 100644
index e49647c..0000000
--- a/debian/patches/bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: "Martin K. Petersen" <martin.petersen at oracle.com>
-Date: Wed, 22 Jul 2015 07:57:12 -0400
-Subject: block: Do a full clone when splitting discard bios
-Origin: https://git.kernel.org/linus/f3f5da624e0a891c34d8cd513c57f1d9b0c7dadc
-Bug-Debian: https://bugs.debian.org/793326
-
-This fixes a data corruption bug when using discard on top of MD linear,
-raid0 and raid10 personalities.
-
-Commit 20d0189b1012 "block: Introduce new bio_split()" permits sharing
-the bio_vec between the two resulting bios. That is fine for read/write
-requests where the bio_vec is immutable. For discards, however, we need
-to be able to attach a payload and update the bio_vec so the page can
-get mapped to a scatterlist entry. Therefore the bio_vec can not be
-shared when splitting discards and we must do a full clone.
-
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
-Reported-by: Seunguk Shin <seunguk.shin at samsung.com>
-Tested-by: Seunguk Shin <seunguk.shin at samsung.com>
-Cc: Seunguk Shin <seunguk.shin at samsung.com>
-Cc: Jens Axboe <axboe at fb.com>
-Cc: Kent Overstreet <kent.overstreet at gmail.com>
-Cc: <stable at vger.kernel.org> # v3.14+
-Reviewed-by: Christoph Hellwig <hch at lst.de>
-Signed-off-by: Jens Axboe <axboe at fb.com>
----
- block/bio.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
---- a/block/bio.c
-+++ b/block/bio.c
-@@ -1820,8 +1820,9 @@ EXPORT_SYMBOL(bio_endio_nodec);
- * Allocates and returns a new bio which represents @sectors from the start of
- * @bio, and updates @bio to represent the remaining sectors.
- *
-- * The newly allocated bio will point to @bio's bi_io_vec; it is the caller's
-- * responsibility to ensure that @bio is not freed before the split.
-+ * Unless this is a discard request the newly allocated bio will point
-+ * to @bio's bi_io_vec; it is the caller's responsibility to ensure that
-+ * @bio is not freed before the split.
- */
- struct bio *bio_split(struct bio *bio, int sectors,
- gfp_t gfp, struct bio_set *bs)
-@@ -1831,7 +1832,15 @@ struct bio *bio_split(struct bio *bio, i
- BUG_ON(sectors <= 0);
- BUG_ON(sectors >= bio_sectors(bio));
-
-- split = bio_clone_fast(bio, gfp, bs);
-+ /*
-+ * Discards need a mutable bio_vec to accommodate the payload
-+ * required by the DSM TRIM and UNMAP commands.
-+ */
-+ if (bio->bi_rw & REQ_DISCARD)
-+ split = bio_clone_bioset(bio, gfp, bs);
-+ else
-+ split = bio_clone_fast(bio, gfp, bs);
-+
- if (!split)
- return NULL;
-
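Review bot: the Bug-Debian reference (https://bugs.debian.org/793326) disappears with this file and nothing in the changelog hunk carries it forward. If #793326 was not already closed by the changelog entry that originally introduced this patch, add "Closes: #793326" to the ckt16 line "block: Do a full clone when splitting discard bios" so the bug is closed on upload; the upstream commit f3f5da624e0a noted in Origin matches that entry, so dropping the file is otherwise correct.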
diff --git a/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch b/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
deleted file mode 100644
index a1a31d8..0000000
--- a/debian/patches/bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Colin Ian King <colin.king at canonical.com>
-Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
-Origin: https://marc.info/?l=oss-security&m=143800676725867&w=2
-
-__key_link_end is not freeing the associated array edit structure
-and this leads to a 512 byte memory leak each time an identical
-existing key is added with add_key().
-
-The reason the add_key() system call returns okay is that
-key_create_or_update() calls __key_link_begin() before checking to see
-whether it can update a key directly rather than adding/replacing - which
-it turns out it can. Thus __key_link() is not called through
-__key_instantiate_and_link() and __key_link_end() must cancel the edit.
-
-CVE-2015-1333
-
-Signed-off-by: Colin Ian King <colin.king at canonical.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
----
-
---- a/security/keys/keyring.c
-+++ b/security/keys/keyring.c
-@@ -1152,9 +1152,11 @@ void __key_link_end(struct key *keyring,
- if (index_key->type == &key_type_keyring)
- up_write(&keyring_serialise_link_sem);
-
-- if (edit && !edit->dead_leaf) {
-- key_payload_reserve(keyring,
-- keyring->datalen - KEYQUOTA_LINK_BYTES);
-+ if (edit) {
-+ if (!edit->dead_leaf) {
-+ key_payload_reserve(keyring,
-+ keyring->datalen - KEYQUOTA_LINK_BYTES);
-+ }
- assoc_array_cancel_edit(edit);
- }
- up_write(&keyring->sem);
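Review bot: the Origin of this file is an oss-security post rather than a kernel.org commit, so before relying on the ckt16 entry of the same title, verify that the stable tree carries the same change, i.e. the outer "if (edit)" with assoc_array_cancel_edit(edit) called unconditionally and key_payload_reserve() kept under "if (!edit->dead_leaf)"; if the upstream version differs in shape, the 512-byte leak per repeated add_key() described in the header is the behaviour to re-test against the updated security/keys/keyring.c.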
diff --git a/debian/patches/bugfix/all/libata-add-ata_horkage_notrim.patch b/debian/patches/bugfix/all/libata-add-ata_horkage_notrim.patch
deleted file mode 100644
index 13ed921..0000000
--- a/debian/patches/bugfix/all/libata-add-ata_horkage_notrim.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Arne Fitzenreiter <arne_f at ipfire.org>
-Date: Wed, 15 Jul 2015 13:54:36 +0200
-Subject: libata: add ATA_HORKAGE_NOTRIM
-Origin: https://git.kernel.org/linus/71d126fd28de2d4d9b7b2088dbccd7ca62fad6e0
-
-Some devices lose data on TRIM whether queued or not. This patch adds
-a horkage to disable TRIM.
-
-tj: Collapsed unnecessary if() nesting.
-
-Signed-off-by: Arne Fitzenreiter <arne_f at ipfire.org>
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Cc: stable at vger.kernel.org
-[bwh: Backported to 3.16:
- - Adjust context
- - Drop changes to show_ata_dev_trim()]
----
- drivers/ata/libata-scsi.c | 3 ++-
- drivers/ata/libata-transport.c | 2 ++
- include/linux/libata.h | 2 ++
- 3 files changed, 6 insertions(+), 1 deletion(-)
-
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -2514,7 +2514,8 @@ static unsigned int ata_scsiop_read_cap(
- rbuf[14] = (lowest_aligned >> 8) & 0x3f;
- rbuf[15] = lowest_aligned;
-
-- if (ata_id_has_trim(args->id)) {
-+ if (ata_id_has_trim(args->id) &&
-+ !(dev->horkage & ATA_HORKAGE_NOTRIM)) {
- rbuf[14] |= 0x80; /* TPE */
-
- if (ata_id_has_zero_after_trim(args->id))
---- a/include/linux/libata.h
-+++ b/include/linux/libata.h
-@@ -422,6 +422,8 @@ enum {
- ATA_HORKAGE_NO_NCQ_TRIM = (1 << 19), /* don't use queued TRIM */
- ATA_HORKAGE_NOLPM = (1 << 20), /* don't use LPM */
- ATA_HORKAGE_WD_BROKEN_LPM = (1 << 21), /* some WDs have broken LPM */
-+ ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */
-+
-
- /* DMA mask for user DMA control: User visible values; DO NOT
- renumber */
diff --git a/debian/patches/bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch b/debian/patches/bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch
deleted file mode 100644
index 7bddada..0000000
--- a/debian/patches/bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Arne Fitzenreiter <arne_f at ipfire.org>
-Date: Wed, 15 Jul 2015 13:54:37 +0200
-Subject: libata: force disable trim for SuperSSpeed S238
-Origin: https://git.kernel.org/linus/cda57b1b05cf7b8b99ab4b732bea0b05b6c015cc
-
-This device loses blocks, often the partition table area, on trim.
-Disable TRIM.
-http://pcengines.ch/msata16a.htm
-
-Signed-off-by: Arne Fitzenreiter <arne_f at ipfire.org>
-Signed-off-by: Tejun Heo <tj at kernel.org>
-Cc: stable at vger.kernel.org
----
- drivers/ata/libata-core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/ata/libata-core.c
-+++ b/drivers/ata/libata-core.c
-@@ -4231,6 +4231,9 @@ static const struct ata_blacklist_entry
- { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
- { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
-
-+ /* devices that don't properly handle TRIM commands */
-+ { "SuperSSpeed S238*", NULL, ATA_HORKAGE_NOTRIM, },
-+
- /*
- * Some WD SATA-I drives spin up and down erratically when the link
- * is put into the slumber mode. We don't have full list of the
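Review bot: nothing is left dangling by dropping this file together with libata-add-ata_horkage_notrim.patch: the only user of ATA_HORKAGE_NOTRIM in this packaging was the "SuperSSpeed S238*" blacklist entry removed here, and both titles appear in the ckt16 list ("libata: add ATA_HORKAGE_NOTRIM", "libata: force disable trim for SuperSSpeed S238"). Since the Debian backport had dropped the show_ata_dev_trim() part, expect the ckt16 version to add that sysfs change as well; worth a glance at the resulting drivers/ata/libata-transport.c.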
diff --git a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch b/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
deleted file mode 100644
index 0e9a792..0000000
--- a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Benjamin Randazzo <benjamin at randazzo.fr>
-Date: Sat, 25 Jul 2015 16:36:50 +0200
-Subject: md: use kzalloc() when bitmap is disabled
-Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
-
-In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
-mdu_bitmap_file_t called "file".
-
-5769 file = kmalloc(sizeof(*file), GFP_NOIO);
-5770 if (!file)
-5771 return -ENOMEM;
-
-This structure is copied to user space at the end of the function.
-
-5786 if (err == 0 &&
-5787 copy_to_user(arg, file, sizeof(*file)))
-5788 err = -EFAULT
-
-But if bitmap is disabled only the first byte of "file" is initialized
-with zero, so it's possible to read some bytes (up to 4095) of kernel
-space memory from user space. This is an information leak.
-
-5775 /* bitmap disabled, zero the first byte and copy out */
-5776 if (!mddev->bitmap_info.file)
-5777 file->pathname[0] = '\0';
-
-Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
-Signed-off-by: NeilBrown <neilb at suse.com>
-[bwh: Backported to 3.16: don't touch anything but the allocation call, as
- the following code is significantly different here.]
----
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5624,7 +5624,7 @@ static int get_bitmap_file(struct mddev
- char *ptr, *buf = NULL;
- int err = -ENOMEM;
-
-- file = kmalloc(sizeof(*file), GFP_NOIO);
-+ file = kzalloc(sizeof(*file), GFP_NOIO);
-
- if (!file)
- goto out;
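Review bot: the backport note says the code after the allocation differs significantly in 3.16, so the ckt17 version of "md: use kzalloc() when bitmap is disabled" should be checked to be the same one-line kmalloc() to kzalloc() substitution in get_bitmap_file(); if it touches more of that function, confirm after the update that the copy_to_user() of the whole mdu_bitmap_file_t no longer exposes uninitialised kernel memory in the bitmap-disabled path.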
diff --git a/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch b/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
deleted file mode 100644
index 951ba17..0000000
--- a/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Sat, 21 Mar 2015 20:08:18 -0400
-Subject: sg_start_req(): make sure that there's not too many elements in iovec
-Origin: https://git.kernel.org/linus/451a2886b6bf90e2fb378f7c46c655450fb96e81
-
-unfortunately, allowing an arbitrary 16bit value means a possibility of
-overflow in the calculation of total number of pages in bio_map_user_iov() -
-we rely on there being no more than PAGE_SIZE members of sum in the
-first loop there. If that sum wraps around, we end up allocating
-too small array of pointers to pages and it's easy to overflow it in
-the second loop.
-
-X-Coverup: TINC (and there's no lumber cartel either)
-Cc: stable at vger.kernel.org # way, way back
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
-[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
- fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
- that function.]
----
- drivers/scsi/sg.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -1693,6 +1693,9 @@ static int sg_start_req(Sg_request *srp,
- md->from_user = 0;
- }
-
-+ if (unlikely(iov_count > UIO_MAXIOV))
-+ return -EINVAL;
-+
- if (iov_count) {
- int len, size = sizeof(struct sg_iovec) * iov_count;
- struct iovec *iov;
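Review bot: this backport needed "s/MAX_UIOVEC/UIO_MAXIOV/" because 3.16 lacks import_iovec() and its constant, so the ckt16 copy of "sg_start_req(): make sure that there's not too many elements in iovec" must have made an equivalent substitution; confirm drivers/scsi/sg.c still builds after the update and that the "iov_count > UIO_MAXIOV" bound (or its equivalent) is still present before the sizeof(struct sg_iovec) * iov_count allocation, as that bound is what prevents the page-count overflow in bio_map_user_iov() described in the header.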
diff --git a/debian/patches/bugfix/all/vhost-actually-track-log-eventfd-file.patch b/debian/patches/bugfix/all/vhost-actually-track-log-eventfd-file.patch
deleted file mode 100644
index 0ffcc61..0000000
--- a/debian/patches/bugfix/all/vhost-actually-track-log-eventfd-file.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau at redhat.com>
-Date: Fri, 17 Jul 2015 15:32:03 +0200
-Subject: vhost: actually track log eventfd file
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5
-
-While reviewing vhost log code, I found out that log_file is never
-set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
----
- drivers/vhost/vhost.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -882,6 +882,7 @@ long vhost_dev_ioctl(struct vhost_dev *d
- }
- if (eventfp != d->log_file) {
- filep = d->log_file;
-+ d->log_file = eventfp;
- ctx = d->log_ctx;
- d->log_ctx = eventfp ?
- eventfd_ctx_fileget(eventfp) : NULL;
diff --git a/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch b/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
deleted file mode 100644
index 635bdc6..0000000
--- a/debian/patches/bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From: Denys Vlasenko <dvlasenk at redhat.com>
-Date: Wed, 1 Apr 2015 16:50:57 +0200
-Subject: [PATCH 1/9] x86/asm/entry/64: Fold the 'test_in_nmi' macro into its
- only user
-Origin: https://git.kernel.org/linus/0784b36448a2a85b95b6eb21a69b9045c896c065
-
-No code changes.
-
-Signed-off-by: Denys Vlasenko <dvlasenk at redhat.com>
-Acked-by: Borislav Petkov <bp at suse.de>
-Cc: Alexei Starovoitov <ast at plumgrid.com>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Frederic Weisbecker <fweisbec at gmail.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Oleg Nesterov <oleg at redhat.com>
-Cc: Steven Rostedt <rostedt at goodmis.org>
-Cc: Will Drewry <wad at chromium.org>
-Link: http://lkml.kernel.org/r/1427899858-7165-1-git-send-email-dvlasenk@redhat.com
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 28 +++++++++++++---------------
- 1 file changed, 13 insertions(+), 15 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1441,19 +1441,7 @@ ENTRY(error_exit)
- CFI_ENDPROC
- END(error_exit)
-
--/*
-- * Test if a given stack is an NMI stack or not.
-- */
-- .macro test_in_nmi reg stack nmi_ret normal_ret
-- cmpq %\reg, \stack
-- ja \normal_ret
-- subq $EXCEPTION_STKSZ, %\reg
-- cmpq %\reg, \stack
-- jb \normal_ret
-- jmp \nmi_ret
-- .endm
--
-- /* runs on exception stack */
-+/* Runs on exception stack */
- ENTRY(nmi)
- INTR_FRAME
- PARAVIRT_ADJUST_EXCEPTION_FRAME
-@@ -1514,8 +1502,18 @@ ENTRY(nmi)
- * We check the variable because the first NMI could be in a
- * breakpoint routine using a breakpoint stack.
- */
-- lea 6*8(%rsp), %rdx
-- test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
-+ lea 6*8(%rsp), %rdx
-+ /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-+ cmpq %rdx, 4*8(%rsp)
-+ /* If the stack pointer is above the NMI stack, this is a normal NMI */
-+ ja first_nmi
-+ subq $EXCEPTION_STKSZ, %rdx
-+ cmpq %rdx, 4*8(%rsp)
-+ /* If it is below the NMI stack, it is a normal NMI */
-+ jb first_nmi
-+ /* Ah, it is within the NMI stack, treat it as nested */
-+ jmp nested_nmi
-+
- CFI_REMEMBER_STATE
-
- nested_nmi:
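Review bot: The set of nested-NMI patches deleted in this commit skips 3/9: the subjects run 1/9, 2/9, then 4/9 to 9/9, so before trusting the ckt17 tree, confirm that patch 3/9 was never carried for 3.16 rather than left behind in debian/patches/series. The Origin line at the top of this hunk (git.kernel.org/linus/0784b364...) is a mainline id, so its subject should be findable in the ckt17 ChangeLog; since the removed macro fold is a pure refactor ("No code changes."), dropping it carries no behavioural risk on its own.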
diff --git a/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch b/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
deleted file mode 100644
index 31cf68f..0000000
--- a/debian/patches/bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Denys Vlasenko <dvlasenk at redhat.com>
-Date: Tue, 7 Apr 2015 22:43:41 +0200
-Subject: [PATCH 2/9] x86/asm/entry/64: Remove a redundant jump
-Origin: https://git.kernel.org/linus/a30b0085f54efae11f6256df4e4a16af7eefc1c4
-
-Jumping to the very next instruction is not very useful:
-
- jmp label
- label:
-
-Removing the jump.
-
-Signed-off-by: Denys Vlasenko <dvlasenk at redhat.com>
-Cc: Alexei Starovoitov <ast at plumgrid.com>
-Cc: Andy Lutomirski <luto at amacapital.net>
-Cc: Borislav Petkov <bp at alien8.de>
-Cc: Brian Gerst <brgerst at gmail.com>
-Cc: Frederic Weisbecker <fweisbec at gmail.com>
-Cc: H. Peter Anvin <hpa at zytor.com>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Oleg Nesterov <oleg at redhat.com>
-Cc: Steven Rostedt <rostedt at goodmis.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Will Drewry <wad at chromium.org>
-Link: http://lkml.kernel.org/r/1428439424-7258-5-git-send-email-dvlasenk@redhat.com
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1512,7 +1512,6 @@ ENTRY(nmi)
- /* If it is below the NMI stack, it is a normal NMI */
- jb first_nmi
- /* Ah, it is within the NMI stack, treat it as nested */
-- jmp nested_nmi
-
- CFI_REMEMBER_STATE
-
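Review bot: This deletion only makes sense together with 0001: the "jmp nested_nmi" removed in the inner "@@ -1512,7 +1512,6 @@" hunk is the jump that 0001 open-coded from the test_in_nmi macro, so the two files should be dropped as a pair. If ckt17 picked 0001 but not 0002, the upstream file keeps a jump to the very next instruction, which is harmless; no changelog entry is needed for dropping a cosmetic patch.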
diff --git a/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch b/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
deleted file mode 100644
index 2804ad9..0000000
--- a/debian/patches/bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 11:19:37 -0700
-Subject: [PATCH 4/9] x86/nmi: Enable nested do_nmi handling for 64-bit kernels
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=aad62c1521e5904e376b88e71c60849954cbf9de
-
-32-bit kernels handle nested NMIs in C. Enable the exact same
-handling on 64-bit kernels as well. This isn't currently necessary,
-but it will become necessary once the asm code starts allowing
-limited nesting.
-
-This is a prerequisite for the fix for CVE-2015-3290.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/nmi.c | 123 +++++++++++++++++++++-----------------------------
- 1 file changed, 52 insertions(+), 71 deletions(-)
-
---- a/arch/x86/kernel/nmi.c
-+++ b/arch/x86/kernel/nmi.c
-@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_reg
- NOKPROBE_SYMBOL(default_do_nmi);
-
- /*
-- * NMIs can hit breakpoints which will cause it to lose its
-- * NMI context with the CPU when the breakpoint does an iret.
-- */
--#ifdef CONFIG_X86_32
--/*
-- * For i386, NMIs use the same stack as the kernel, and we can
-- * add a workaround to the iret problem in C (preventing nested
-- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
-- * can be in:
-+ * NMIs can hit breakpoints which will cause it to lose its NMI context
-+ * with the CPU when the breakpoint or page fault does an IRET.
-+ *
-+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
-+ * NMI processing. On x86_64, the asm glue protects us from nested NMIs
-+ * if the outer NMI came from kernel mode, but we can still nest if the
-+ * outer NMI came from user mode.
-+ *
-+ * To handle these nested NMIs, we have three states:
- *
- * 1) not running
- * 2) executing
-@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
- * (Note, the latch is binary, thus multiple NMIs triggering,
- * when one is running, are ignored. Only one NMI is restarted.)
- *
-- * If an NMI hits a breakpoint that executes an iret, another
-- * NMI can preempt it. We do not want to allow this new NMI
-- * to run, but we want to execute it when the first one finishes.
-- * We set the state to "latched", and the exit of the first NMI will
-- * perform a dec_return, if the result is zero (NOT_RUNNING), then
-- * it will simply exit the NMI handler. If not, the dec_return
-- * would have set the state to NMI_EXECUTING (what we want it to
-- * be when we are running). In this case, we simply jump back
-- * to rerun the NMI handler again, and restart the 'latched' NMI.
-+ * If an NMI executes an iret, another NMI can preempt it. We do not
-+ * want to allow this new NMI to run, but we want to execute it when the
-+ * first one finishes. We set the state to "latched", and the exit of
-+ * the first NMI will perform a dec_return, if the result is zero
-+ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
-+ * dec_return would have set the state to NMI_EXECUTING (what we want it
-+ * to be when we are running). In this case, we simply jump back to
-+ * rerun the NMI handler again, and restart the 'latched' NMI.
- *
- * No trap (breakpoint or page fault) should be hit before nmi_restart,
- * thus there is no race between the first check of state for NOT_RUNNING
-@@ -461,49 +460,36 @@ enum nmi_states {
- static DEFINE_PER_CPU(enum nmi_states, nmi_state);
- static DEFINE_PER_CPU(unsigned long, nmi_cr2);
-
--#define nmi_nesting_preprocess(regs) \
-- do { \
-- if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { \
-- this_cpu_write(nmi_state, NMI_LATCHED); \
-- return; \
-- } \
-- this_cpu_write(nmi_state, NMI_EXECUTING); \
-- this_cpu_write(nmi_cr2, read_cr2()); \
-- } while (0); \
-- nmi_restart:
--
--#define nmi_nesting_postprocess() \
-- do { \
-- if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) \
-- write_cr2(this_cpu_read(nmi_cr2)); \
-- if (this_cpu_dec_return(nmi_state)) \
-- goto nmi_restart; \
-- } while (0)
--#else /* x86_64 */
-+#ifdef CONFIG_X86_64
- /*
-- * In x86_64 things are a bit more difficult. This has the same problem
-- * where an NMI hitting a breakpoint that calls iret will remove the
-- * NMI context, allowing a nested NMI to enter. What makes this more
-- * difficult is that both NMIs and breakpoints have their own stack.
-- * When a new NMI or breakpoint is executed, the stack is set to a fixed
-- * point. If an NMI is nested, it will have its stack set at that same
-- * fixed address that the first NMI had, and will start corrupting the
-- * stack. This is handled in entry_64.S, but the same problem exists with
-- * the breakpoint stack.
-- *
-- * If a breakpoint is being processed, and the debug stack is being used,
-- * if an NMI comes in and also hits a breakpoint, the stack pointer
-- * will be set to the same fixed address as the breakpoint that was
-- * interrupted, causing that stack to be corrupted. To handle this case,
-- * check if the stack that was interrupted is the debug stack, and if
-- * so, change the IDT so that new breakpoints will use the current stack
-- * and not switch to the fixed address. On return of the NMI, switch back
-- * to the original IDT.
-+ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint. Without
-+ * some care, the inner breakpoint will clobber the outer breakpoint's
-+ * stack.
-+ *
-+ * If a breakpoint is being processed, and the debug stack is being
-+ * used, if an NMI comes in and also hits a breakpoint, the stack
-+ * pointer will be set to the same fixed address as the breakpoint that
-+ * was interrupted, causing that stack to be corrupted. To handle this
-+ * case, check if the stack that was interrupted is the debug stack, and
-+ * if so, change the IDT so that new breakpoints will use the current
-+ * stack and not switch to the fixed address. On return of the NMI,
-+ * switch back to the original IDT.
- */
- static DEFINE_PER_CPU(int, update_debug_stack);
-+#endif
-
--static inline void nmi_nesting_preprocess(struct pt_regs *regs)
-+dotraplinkage notrace void
-+do_nmi(struct pt_regs *regs, long error_code)
- {
-+ if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
-+ this_cpu_write(nmi_state, NMI_LATCHED);
-+ return;
-+ }
-+ this_cpu_write(nmi_state, NMI_EXECUTING);
-+ this_cpu_write(nmi_cr2, read_cr2());
-+nmi_restart:
-+
-+#ifdef CONFIG_X86_64
- /*
- * If we interrupted a breakpoint, it is possible that
- * the nmi handler will have breakpoints too. We need to
-@@ -514,22 +500,8 @@ static inline void nmi_nesting_preproces
- debug_stack_set_zero();
- this_cpu_write(update_debug_stack, 1);
- }
--}
--
--static inline void nmi_nesting_postprocess(void)
--{
-- if (unlikely(this_cpu_read(update_debug_stack))) {
-- debug_stack_reset();
-- this_cpu_write(update_debug_stack, 0);
-- }
--}
- #endif
-
--dotraplinkage notrace void
--do_nmi(struct pt_regs *regs, long error_code)
--{
-- nmi_nesting_preprocess(regs);
--
- nmi_enter();
-
- inc_irq_stat(__nmi_count);
-@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_
-
- nmi_exit();
-
-- /* On i386, may loop back to preprocess */
-- nmi_nesting_postprocess();
-+#ifdef CONFIG_X86_64
-+ if (unlikely(this_cpu_read(update_debug_stack))) {
-+ debug_stack_reset();
-+ this_cpu_write(update_debug_stack, 0);
-+ }
-+#endif
-+
-+ if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
-+ write_cr2(this_cpu_read(nmi_cr2));
-+ if (this_cpu_dec_return(nmi_state))
-+ goto nmi_restart;
- }
- NOKPROBE_SYMBOL(do_nmi);
-
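Review bot: The Origin line here points at luto's tree (git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=aad62c15...), not a mainline commit, so that hash will not appear in the ckt17 ChangeLog; verify the drop by subject ("x86/nmi: Enable nested do_nmi handling for 64-bit kernels") instead. The message marks this as a prerequisite for the CVE-2015-3290 fix, so the debian/changelog entry for ckt17 should keep the CVE reference so the fix stays traceable to this upload.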
diff --git a/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch b/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
deleted file mode 100644
index 0228968..0000000
--- a/debian/patches/bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 12:03:34 -0700
-Subject: [PATCH 5/9] x86/nmi/64: Remove asm code that saves cr2
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=e7c2c90651fd54c3ca499fbb065ea5cbac30047d
-
-Now that do_nmi saves cr2, we don't need to save it in asm.
-
-This is a prerequisity for the fix for CVE-2015-3290.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Acked-by: Borislav Petkov <bp at suse.de>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 18 ------------------
- 1 file changed, 18 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1654,29 +1654,11 @@ end_repeat_nmi:
- call save_paranoid
- DEFAULT_FRAME 0
-
-- /*
-- * Save off the CR2 register. If we take a page fault in the NMI then
-- * it could corrupt the CR2 value. If the NMI preempts a page fault
-- * handler before it was able to read the CR2 register, and then the
-- * NMI itself takes a page fault, the page fault that was preempted
-- * will read the information from the NMI page fault and not the
-- * origin fault. Save it off and restore it if it changes.
-- * Use the r12 callee-saved register.
-- */
-- movq %cr2, %r12
--
- /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
- movq %rsp,%rdi
- movq $-1,%rsi
- call do_nmi
-
-- /* Did the NMI take a page fault? Restore cr2 if it did */
-- movq %cr2, %rcx
-- cmpq %rcx, %r12
-- je 1f
-- movq %r12, %cr2
--1:
--
- testl %ebx,%ebx /* swapgs needed? */
- jnz nmi_restore
- nmi_swapgs:
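Review bot: This patch depends on 0004 (its message says "Now that do_nmi saves cr2, we don't need to save it in asm"), so the two must be dropped, or kept, as a pair: if the ckt17 tree removed the asm CR2 save but lacks the nmi_cr2 save and restore in do_nmi, a page fault taken inside the NMI handler would clobber CR2 for an interrupted page-fault handler, which is exactly the scenario the removed comment block describes. A spot check of arch/x86/kernel/nmi.c in the new upstream tree for the write_cr2(this_cpu_read(nmi_cr2)) restore would settle it.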
diff --git a/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch b/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
deleted file mode 100644
index 3654565..0000000
--- a/debian/patches/bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 11:35:31 -0700
-Subject: [PATCH 6/9] x86/nmi/64: Switch stacks on userspace NMI entry
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=4fb2a8d9cb0efcd7405f1ad105d7f3c764afe02f
-
-Returning to userspace is tricky: IRET can fail, and ESPFIX can
-rearrange the stack prior to IRET.
-
-The NMI nesting fixup relies on a precise stack layout and atomic
-IRET. Rather than trying to teach the NMI nesting fixup to handle
-ESPFIX and failed IRET, punt: run NMIs that came from user mode on
-the normal kernel stack.
-
-This will make some nested NMIs visible to C code, but the C code is
-okay with that.
-
-As a side effect, this should speed up perf: it eliminates an RDMSR
-when NMIs come from user mode.
-
-Fixes CVE-2015-3290.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Reviewed-by: Borislav Petkov <bp at suse.de>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0:
- - Adjust filename, context
- - s/restore_c_regs_and_iret/restore_args/
- - Use kernel_stack + KERNEL_STACK_OFFSET instead of cpu_current_top_of_stack]
-[luto: Open-coded return path to avoid dependency on partial pt_regs details]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
----
- arch/x86/kernel/entry_64.S | 79 +++++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 75 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1475,19 +1475,90 @@ ENTRY(nmi)
- * a nested NMI that updated the copy interrupt stack frame, a
- * jump will be made to the repeat_nmi code that will handle the second
- * NMI.
-+ *
-+ * However, espfix prevents us from directly returning to userspace
-+ * with a single IRET instruction. Similarly, IRET to user mode
-+ * can fault. We therefore handle NMIs from user space like
-+ * other IST entries.
- */
-
- /* Use %rdx as out temp variable throughout */
- pushq_cfi %rdx
- CFI_REL_OFFSET rdx, 0
-
-+ testb $3, CS-RIP+8(%rsp)
-+ jz .Lnmi_from_kernel
-+
-+ /*
-+ * NMI from user mode. We need to run on the thread stack, but we
-+ * can't go through the normal entry paths: NMIs are masked, and
-+ * we don't want to enable interrupts, because then we'll end
-+ * up in an awkward situation in which IRQs are on but NMIs
-+ * are off.
-+ */
-+
-+ SWAPGS
-+ cld
-+ movq %rsp, %rdx
-+ movq PER_CPU_VAR(kernel_stack), %rsp
-+ addq $KERNEL_STACK_OFFSET, %rsp
-+ pushq 5*8(%rdx) /* pt_regs->ss */
-+ pushq 4*8(%rdx) /* pt_regs->rsp */
-+ pushq 3*8(%rdx) /* pt_regs->flags */
-+ pushq 2*8(%rdx) /* pt_regs->cs */
-+ pushq 1*8(%rdx) /* pt_regs->rip */
-+ pushq $-1 /* pt_regs->orig_ax */
-+ pushq %rdi /* pt_regs->di */
-+ pushq %rsi /* pt_regs->si */
-+ pushq (%rdx) /* pt_regs->dx */
-+ pushq %rcx /* pt_regs->cx */
-+ pushq %rax /* pt_regs->ax */
-+ pushq %r8 /* pt_regs->r8 */
-+ pushq %r9 /* pt_regs->r9 */
-+ pushq %r10 /* pt_regs->r10 */
-+ pushq %r11 /* pt_regs->r11 */
-+ pushq %rbx /* pt_regs->rbx */
-+ pushq %rbp /* pt_regs->rbp */
-+ pushq %r12 /* pt_regs->r12 */
-+ pushq %r13 /* pt_regs->r13 */
-+ pushq %r14 /* pt_regs->r14 */
-+ pushq %r15 /* pt_regs->r15 */
-+
-+ /*
-+ * At this point we no longer need to worry about stack damage
-+ * due to nesting -- we're on the normal thread stack and we're
-+ * done with the NMI stack.
-+ */
-+
-+ movq %rsp, %rdi
-+ movq $-1, %rsi
-+ call do_nmi
-+
-+ /*
-+ * Return back to user mode. We must *not* do the normal exit
-+ * work, because we don't want to enable interrupts. Fortunately,
-+ * do_nmi doesn't modify pt_regs.
-+ */
-+ SWAPGS
-+
- /*
-- * If %cs was not the kernel segment, then the NMI triggered in user
-- * space, which means it is definitely not nested.
-+ * Open-code the entire return process for compatibility with varying
-+ * register layouts across different kernel versions.
- */
-- cmpl $__KERNEL_CS, 16(%rsp)
-- jne first_nmi
-+ addq $6*8, %rsp /* skip bx, bp, and r12-r15 */
-+ popq %r11 /* pt_regs->r11 */
-+ popq %r10 /* pt_regs->r10 */
-+ popq %r9 /* pt_regs->r9 */
-+ popq %r8 /* pt_regs->r8 */
-+ popq %rax /* pt_regs->ax */
-+ popq %rcx /* pt_regs->cx */
-+ popq %rdx /* pt_regs->dx */
-+ popq %rsi /* pt_regs->si */
-+ popq %rdi /* pt_regs->di */
-+ addq $8, %rsp /* skip orig_ax */
-+ INTERRUPT_RETURN
-
-+.Lnmi_from_kernel:
- /*
- * Check the special variable on the stack to see if NMIs are
- * executing.
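Review bot: This is the Debian-specific backport of the CVE-2015-3290 fix, with the open-coded return path (the popq sequence ending in INTERRUPT_RETURN) and the kernel_stack + KERNEL_STACK_OFFSET stack switch recorded in the bwh and luto bracket tags; ckt17's version of the same commit may have been backported differently, so check that the ckt17 entry_64.S still diverts user-mode NMIs onto the thread stack (the "testb $3, CS-RIP+8(%rsp)" / "jz .Lnmi_from_kernel" test) before dropping this file. The "Fixes CVE-2015-3290." line should survive into the debian/changelog entry.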
diff --git a/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch b/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
deleted file mode 100644
index d69d5e3..0000000
--- a/debian/patches/bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 17:13:26 -0700
-Subject: [PATCH 7/9] x86/nmi/64: Improve nested NMI comments
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=ed02eaa10579ffd480c3bda29701e658f17196e9
-
-I found the nested NMI documentation to be difficult to follow.
-Improve the comments.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 159 ++++++++++++++++++++++++++-------------------
- arch/x86/kernel/nmi.c | 4 +-
- 2 files changed, 93 insertions(+), 70 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1462,11 +1462,12 @@ ENTRY(nmi)
- * If the variable is not set and the stack is not the NMI
- * stack then:
- * o Set the special variable on the stack
-- * o Copy the interrupt frame into a "saved" location on the stack
-- * o Copy the interrupt frame into a "copy" location on the stack
-+ * o Copy the interrupt frame into an "outermost" location on the
-+ * stack
-+ * o Copy the interrupt frame into an "iret" location on the stack
- * o Continue processing the NMI
- * If the variable is set or the previous stack is the NMI stack:
-- * o Modify the "copy" location to jump to the repeate_nmi
-+ * o Modify the "iret" location to jump to the repeat_nmi
- * o return back to the first NMI
- *
- * Now on exit of the first NMI, we first clear the stack variable
-@@ -1560,18 +1561,60 @@ ENTRY(nmi)
-
- .Lnmi_from_kernel:
- /*
-- * Check the special variable on the stack to see if NMIs are
-- * executing.
-+ * Here's what our stack frame will look like:
-+ * +---------------------------------------------------------+
-+ * | original SS |
-+ * | original Return RSP |
-+ * | original RFLAGS |
-+ * | original CS |
-+ * | original RIP |
-+ * +---------------------------------------------------------+
-+ * | temp storage for rdx |
-+ * +---------------------------------------------------------+
-+ * | "NMI executing" variable |
-+ * +---------------------------------------------------------+
-+ * | iret SS } Copied from "outermost" frame |
-+ * | iret Return RSP } on each loop iteration; overwritten |
-+ * | iret RFLAGS } by a nested NMI to force another |
-+ * | iret CS } iteration if needed. |
-+ * | iret RIP } |
-+ * +---------------------------------------------------------+
-+ * | outermost SS } initialized in first_nmi; |
-+ * | outermost Return RSP } will not be changed before |
-+ * | outermost RFLAGS } NMI processing is done. |
-+ * | outermost CS } Copied to "iret" frame on each |
-+ * | outermost RIP } iteration. |
-+ * +---------------------------------------------------------+
-+ * | pt_regs |
-+ * +---------------------------------------------------------+
-+ *
-+ * The "original" frame is used by hardware. Before re-enabling
-+ * NMIs, we need to be done with it, and we need to leave enough
-+ * space for the asm code here.
-+ *
-+ * We return by executing IRET while RSP points to the "iret" frame.
-+ * That will either return for real or it will loop back into NMI
-+ * processing.
-+ *
-+ * The "outermost" frame is copied to the "iret" frame on each
-+ * iteration of the loop, so each iteration starts with the "iret"
-+ * frame pointing to the final return target.
-+ */
-+
-+ /*
-+ * Determine whether we're a nested NMI.
-+ *
-+ * First check "NMI executing". If it's set, then we're nested.
-+ * This will not detect if we interrupted an outer NMI just
-+ * before IRET.
- */
- cmpl $1, -8(%rsp)
- je nested_nmi
-
- /*
-- * Now test if the previous stack was an NMI stack.
-- * We need the double check. We check the NMI stack to satisfy the
-- * race when the first NMI clears the variable before returning.
-- * We check the variable because the first NMI could be in a
-- * breakpoint routine using a breakpoint stack.
-+ * Now test if the previous stack was an NMI stack. This covers
-+ * the case where we interrupt an outer NMI after it clears
-+ * "NMI executing" but before IRET.
- */
- lea 6*8(%rsp), %rdx
- /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1588,9 +1631,11 @@ ENTRY(nmi)
-
- nested_nmi:
- /*
-- * Do nothing if we interrupted the fixup in repeat_nmi.
-- * It's about to repeat the NMI handler, so we are fine
-- * with ignoring this one.
-+ * If we interrupted an NMI that is between repeat_nmi and
-+ * end_repeat_nmi, then we must not modify the "iret" frame
-+ * because it's being written by the outer NMI. That's okay:
-+ * the outer NMI handler is about to call do_nmi anyway,
-+ * so we can just resume the outer NMI.
- */
- movq $repeat_nmi, %rdx
- cmpq 8(%rsp), %rdx
-@@ -1600,7 +1645,10 @@ nested_nmi:
- ja nested_nmi_out
-
- 1:
-- /* Set up the interrupted NMIs stack to jump to repeat_nmi */
-+ /*
-+ * Modify the "iret" frame to point to repeat_nmi, forcing another
-+ * iteration of NMI handling.
-+ */
- leaq -1*8(%rsp), %rdx
- movq %rdx, %rsp
- CFI_ADJUST_CFA_OFFSET 1*8
-@@ -1619,60 +1667,23 @@ nested_nmi_out:
- popq_cfi %rdx
- CFI_RESTORE rdx
-
-- /* No need to check faults here */
-+ /* We are returning to kernel mode, so this cannot result in a fault. */
- INTERRUPT_RETURN
-
- CFI_RESTORE_STATE
- first_nmi:
-- /*
-- * Because nested NMIs will use the pushed location that we
-- * stored in rdx, we must keep that space available.
-- * Here's what our stack frame will look like:
-- * +-------------------------+
-- * | original SS |
-- * | original Return RSP |
-- * | original RFLAGS |
-- * | original CS |
-- * | original RIP |
-- * +-------------------------+
-- * | temp storage for rdx |
-- * +-------------------------+
-- * | NMI executing variable |
-- * +-------------------------+
-- * | copied SS |
-- * | copied Return RSP |
-- * | copied RFLAGS |
-- * | copied CS |
-- * | copied RIP |
-- * +-------------------------+
-- * | Saved SS |
-- * | Saved Return RSP |
-- * | Saved RFLAGS |
-- * | Saved CS |
-- * | Saved RIP |
-- * +-------------------------+
-- * | pt_regs |
-- * +-------------------------+
-- *
-- * The saved stack frame is used to fix up the copied stack frame
-- * that a nested NMI may change to make the interrupted NMI iret jump
-- * to the repeat_nmi. The original stack frame and the temp storage
-- * is also used by nested NMIs and can not be trusted on exit.
-- */
-- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */
-+ /* Restore rdx. */
- movq (%rsp), %rdx
- CFI_RESTORE rdx
-
-- /* Set the NMI executing variable on the stack. */
-+ /* Set "NMI executing" on the stack. */
- pushq_cfi $1
-
-- /*
-- * Leave room for the "copied" frame
-- */
-+ /* Leave room for the "iret" frame */
- subq $(5*8), %rsp
- CFI_ADJUST_CFA_OFFSET 5*8
-
-- /* Copy the stack frame to the Saved frame */
-+ /* Copy the "original" frame to the "outermost" frame */
- .rept 5
- pushq_cfi 11*8(%rsp)
- .endr
-@@ -1680,6 +1691,7 @@ first_nmi:
-
- /* Everything up to here is safe from nested NMIs */
-
-+repeat_nmi:
- /*
- * If there was a nested NMI, the first NMI's iret will return
- * here. But NMIs are still enabled and we can take another
-@@ -1688,16 +1700,21 @@ first_nmi:
- * it will just return, as we are about to repeat an NMI anyway.
- * This makes it safe to copy to the stack frame that a nested
- * NMI will update.
-- */
--repeat_nmi:
-- /*
-- * Update the stack variable to say we are still in NMI (the update
-- * is benign for the non-repeat case, where 1 was pushed just above
-- * to this very stack slot).
-+ *
-+ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
-+ * we're repeating an NMI, gsbase has the same value that it had on
-+ * the first iteration. paranoid_entry will load the kernel
-+ * gsbase if needed before we call do_nmi.
-+ *
-+ * Set "NMI executing" in case we came back here via IRET.
- */
- movq $1, 10*8(%rsp)
-
-- /* Make another copy, this one may be modified by nested NMIs */
-+ /*
-+ * Copy the "outermost" frame to the "iret" frame. NMIs that nest
-+ * here must not modify the "iret" frame while we're writing to
-+ * it or it will end up containing garbage.
-+ */
- addq $(10*8), %rsp
- CFI_ADJUST_CFA_OFFSET -10*8
- .rept 5
-@@ -1708,9 +1725,9 @@ repeat_nmi:
- end_repeat_nmi:
-
- /*
-- * Everything below this point can be preempted by a nested
-- * NMI if the first NMI took an exception and reset our iret stack
-- * so that we repeat another NMI.
-+ * Everything below this point can be preempted by a nested NMI.
-+ * If this happens, then the inner NMI will change the "iret"
-+ * frame to point back to repeat_nmi.
- */
- pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */
- subq $ORIG_RAX-R15, %rsp
-@@ -1735,11 +1752,17 @@ end_repeat_nmi:
- nmi_swapgs:
- SWAPGS_UNSAFE_STACK
- nmi_restore:
-- /* Pop the extra iret frame at once */
-+
- RESTORE_ALL 6*8
-
-- /* Clear the NMI executing stack variable */
-+ /* Clear "NMI executing". */
- movq $0, 5*8(%rsp)
-+
-+ /*
-+ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
-+ * stack in a single instruction. We are returning to kernel
-+ * mode, so this cannot result in a fault.
-+ */
- jmp irq_return
- CFI_ENDPROC
- END(nmi)
---- a/arch/x86/kernel/nmi.c
-+++ b/arch/x86/kernel/nmi.c
-@@ -408,8 +408,8 @@ static void default_do_nmi(struct pt_reg
- NOKPROBE_SYMBOL(default_do_nmi);
-
- /*
-- * NMIs can hit breakpoints which will cause it to lose its NMI context
-- * with the CPU when the breakpoint or page fault does an IRET.
-+ * NMIs can page fault or hit breakpoints which will cause it to lose
-+ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
- *
- * As a result, NMIs can nest if NMIs get unmasked due an IRET during
- * NMI processing. On x86_64, the asm glue protects us from nested NMIs
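Review bot: This patch is comment-only apart from moving the repeat_nmi: label across a comment block (the instruction order is unchanged), so dropping it has no functional effect; its only role was to supply the context that 0008 and 0009 apply against, and since those are removed in the same commit there is nothing to preserve. No changelog mention is needed.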
diff --git a/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch b/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
deleted file mode 100644
index 196dd15..0000000
--- a/debian/patches/bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Sun, 12 Jul 2015 20:59:57 -0700
-Subject: [PATCH 8/9] x86/nmi/64: Reorder nested NMI checks
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=b7dcb27674b28ca49b710e95da74c44d32154bed
-
-Check the repeat_nmi .. end_repeat_nmi special case first. The next
-patch will rework the RSP check and, as a side effect, the RSP check
-will no longer detect repeat_nmi .. end_repeat_nmi, so we'll need
-this ordering of the checks.
-
-Note: this is more subtle than it appears. The check for repeat_nmi
-.. end_repeat_nmi jumps straight out of the NMI code instead of
-adjusting the "iret" frame to force a repeat. This is necessary,
-because the code between repeat_nmi and end_repeat_nmi sets "NMI
-executing" and then writes to the "iret" frame itself. If a nested
-NMI comes in and modifies the "iret" frame while repeat_nmi is also
-modifying it, we'll end up with garbage. The old code got this
-right, as does the new code, but the new code is a bit more
-explicit.
-
-If we were to move the check right after the "NMI executing" check,
-then we'd get it wrong and have random crashes.
-
-This is a prerequisite for the fix for CVE-2015-3291.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, spacing]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 34 ++++++++++++++++++----------------
- 1 file changed, 18 insertions(+), 16 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1604,7 +1604,24 @@ ENTRY(nmi)
- /*
- * Determine whether we're a nested NMI.
- *
-- * First check "NMI executing". If it's set, then we're nested.
-+ * If we interrupted kernel code between repeat_nmi and
-+ * end_repeat_nmi, then we are a nested NMI. We must not
-+ * modify the "iret" frame because it's being written by
-+ * the outer NMI. That's okay: the outer NMI handler is
-+ * about to about to call do_nmi anyway, so we can just
-+ * resume the outer NMI.
-+ */
-+
-+ movq $repeat_nmi, %rdx
-+ cmpq 8(%rsp), %rdx
-+ ja 1f
-+ movq $end_repeat_nmi, %rdx
-+ cmpq 8(%rsp), %rdx
-+ ja nested_nmi_out
-+1:
-+
-+ /*
-+ * Now check "NMI executing". If it's set, then we're nested.
- * This will not detect if we interrupted an outer NMI just
- * before IRET.
- */
-@@ -1631,21 +1648,6 @@ ENTRY(nmi)
-
- nested_nmi:
- /*
-- * If we interrupted an NMI that is between repeat_nmi and
-- * end_repeat_nmi, then we must not modify the "iret" frame
-- * because it's being written by the outer NMI. That's okay:
-- * the outer NMI handler is about to call do_nmi anyway,
-- * so we can just resume the outer NMI.
-- */
-- movq $repeat_nmi, %rdx
-- cmpq 8(%rsp), %rdx
-- ja 1f
-- movq $end_repeat_nmi, %rdx
-- cmpq 8(%rsp), %rdx
-- ja nested_nmi_out
--
--1:
-- /*
- * Modify the "iret" frame to point to repeat_nmi, forcing another
- * iteration of NMI handling.
- */
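Review bot: The message says the check ordering is load-bearing ("If we were to move the check right after the "NMI executing" check, then we'd get it wrong and have random crashes"), so this patch and 0009 must be dropped together and ckt17 must contain both in that order; a partial pick that reworks the RSP check (0009) without this reordering would lose the repeat_nmi .. end_repeat_nmi detection. Confirm both subjects appear in the ckt17 ChangeLog, and keep the CVE-2015-3291 reference in debian/changelog.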
diff --git a/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch b/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
deleted file mode 100644
index 1795485..0000000
--- a/debian/patches/bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From: Andy Lutomirski <luto at kernel.org>
-Date: Fri, 10 Jul 2015 17:25:53 -0700
-Subject: [PATCH 9/9] x86/nmi/64: Use DF to avoid userspace RSP confusing
- nested NMI detection
-Origin: https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/?commit=dc68c0f2ec634b2cfecf879235564da58d422cee
-
-We have a tricky bug in the nested NMI code: if we see RSP pointing
-to the NMI stack on NMI entry from kernel mode, we assume that we
-are executing a nested NMI.
-
-This isn't quite true. A malicious userspace program can point RSP
-at the NMI stack, issue SYSCALL, and arrange for an NMI to happen
-while RSP is still pointing at the NMI stack.
-
-Fix it with a sneaky trick. Set DF in the region of code that the RSP
-check is intended to detect. IRET will clear DF atomically.
-
-(Note: other than paravirt, there's little need for all this complexity.
- We could check RIP instead of RSP.)
-
-Fixes CVE-2015-3291.
-
-Cc: stable at vger.kernel.org
-Reviewed-by: Steven Rostedt <rostedt at goodmis.org>
-Signed-off-by: Andy Lutomirski <luto at kernel.org>
-[bwh: Backported to 4.0: adjust filename, context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kernel/entry_64.S | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/entry_64.S
-+++ b/arch/x86/kernel/entry_64.S
-@@ -1631,7 +1631,14 @@ ENTRY(nmi)
- /*
- * Now test if the previous stack was an NMI stack. This covers
- * the case where we interrupt an outer NMI after it clears
-- * "NMI executing" but before IRET.
-+ * "NMI executing" but before IRET. We need to be careful, though:
-+ * there is one case in which RSP could point to the NMI stack
-+ * despite there being no NMI active: naughty userspace controls
-+ * RSP at the very beginning of the SYSCALL targets. We can
-+ * pull a fast one on naughty userspace, though: we program
-+ * SYSCALL to mask DF, so userspace cannot cause DF to be set
-+ * if it controls the kernel's RSP. We set DF before we clear
-+ * "NMI executing".
- */
- lea 6*8(%rsp), %rdx
- /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
-@@ -1642,10 +1649,16 @@ ENTRY(nmi)
- cmpq %rdx, 4*8(%rsp)
- /* If it is below the NMI stack, it is a normal NMI */
- jb first_nmi
-- /* Ah, it is within the NMI stack, treat it as nested */
-+
-+ /* Ah, it is within the NMI stack. */
-+
-+ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
-+ jz first_nmi /* RSP was user controlled. */
-
- CFI_REMEMBER_STATE
-
-+ /* This is a nested NMI. */
-+
- nested_nmi:
- /*
- * Modify the "iret" frame to point to repeat_nmi, forcing another
-@@ -1757,8 +1770,16 @@ nmi_restore:
-
- RESTORE_ALL 6*8
-
-- /* Clear "NMI executing". */
-- movq $0, 5*8(%rsp)
-+ /*
-+ * Clear "NMI executing". Set DF first so that we can easily
-+ * distinguish the remaining code between here and IRET from
-+ * the SYSCALL entry and exit paths. On a native kernel, we
-+ * could just inspect RIP, but, on paravirt kernels,
-+ * INTERRUPT_RETURN can translate into a jump into a
-+ * hypercall page.
-+ */
-+ std
-+ movq $0, 5*8(%rsp) /* clear "NMI executing" */
-
- /*
- * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
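Review bot: this deletion removes the only local record of the CVE-2015-3291 fix (`Fixes CVE-2015-3291.`, origin commit dc68c0f2ec634b2cfecf879235564da58d422cee), so the changelog for this upload should reference that CVE or upstream commit explicitly rather than only saying the patch was applied upstream; otherwise a later audit of the jessie kernel cannot tell whether the `std` before `movq $0, 5*8(%rsp)` and the `testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)` check are present in the ckt17 base. Minor: the header `[bwh: Backported to 4.0: adjust filename, context]` was already stale for a 3.16 series file (see the `3.16.7-ckt14` entries in `debian/patches/series` below), which is moot after the deletion but worth keeping correct in any remaining backports.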
diff --git a/debian/patches/series b/debian/patches/series
index 7b612a3..890c21e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -87,14 +87,6 @@ bugfix/x86/input-synaptics-re-route-tracksticks-buttons-on-the-.patch
bugfix/mips/mips-normalise-code-flow-in-the-cpu-exception-handle.patch
bugfix/mips/mips-correct-fp-isa-requirements.patch
bugfix/mips/mips-math-emu-correct-delay-slot-exception-propagation.patch
-bugfix/x86/0001-x86-asm-entry-64-Fold-the-test_in_nmi-macro-into-its.patch
-bugfix/x86/0002-x86-asm-entry-64-Remove-a-redundant-jump.patch
-bugfix/x86/0004-x86-nmi-Enable-nested-do_nmi-handling-for-64-bit-ker.patch
-bugfix/x86/0005-x86-nmi-64-Remove-asm-code-that-saves-cr2.patch
-bugfix/x86/0006-x86-nmi-64-Switch-stacks-on-userspace-NMI-entry.patch
-bugfix/x86/0007-x86-nmi-64-Improve-nested-NMI-comments.patch
-bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
-bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
features/all/readq-writeq-Add-explicit-lo_hi_-read-write-_q-and-h.patch
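Review bot: the removed block runs 0001, 0002, 0004 to 0009 with no 0003 entry, so either a 0003 patch was never carried in this series or it was dropped in an earlier commit; please state which in the changelog, because a numbered upstream series with a gap is the usual sign that one commit of the set was applied separately and the reader of this removal cannot tell whether the whole nested-NMI series is now in the ckt17 base. The hunk counts (`-87,14 +87,6`, eight removed lines) match the lines shown, so the series edit itself is consistent.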
@@ -634,15 +626,8 @@ debian/procfs-avoid-abi-change-in-3.16.7-ckt8.patch
debian/revert-libata-ignore-spurious-phy-event-on-lpm-polic.patch
debian/udp-fix-abi-change-in-3.16.7-ckt14.patch
debian/revert-acpica-utilities-split-io-address-types-from-.patch
-bugfix/all/libata-add-ata_horkage_notrim.patch
-bugfix/all/libata-force-disable-trim-for-supersspeed-s238.patch
-bugfix/all/block-do-a-full-clone-when-splitting-discard-bios.patch
-bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
-bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
-bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
bugfix/all/virtio-net-drop-netif_f_fraglist.patch
-bugfix/all/vhost-actually-track-log-eventfd-file.patch
bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
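Review bot: each of the seven entries removed here (`bugfix/all/libata-add-ata_horkage_notrim.patch` through `bugfix/all/vhost-actually-track-log-eventfd-file.patch`) must have its file deleted under `debian/patches/bugfix/all/` in the same commit, otherwise orphaned patch files remain in the tree and `quilt` will not notice them; those file removals are not visible in this hunk, so check the commit stat list. The hunk counts (`-634,15 +626,8`, seven removed lines, eight context lines) agree with the lines shown.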
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git