Merge remote-tracking branch 'origin/f27' into f27-user-thl-vanilla-fedora

7 files changed, 292 insertions, 179 deletions

diff --git a/1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch b/1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
deleted file mode 100644
index ed73771aa..000000000
--- a/1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From patchwork Thu Jun 21 13:00:20 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [1/2] xen-netfront: Fix mismatched rtnl_unlock
-X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
-X-Patchwork-Id: 932721
-Message-Id: <20180621130021.27029-2-ross.lagerwall@citrix.com>
-To: <netdev@vger.kernel.org>
-Cc: Ross Lagerwall <ross.lagerwall@citrix.com>,
- Boris Ostrovsky <boris.ostrovsky@oracle.com>,
- Juergen Gross <jgross@suse.com>, "David S. Miller" <davem@davemloft.net>,
- <xen-devel@lists.xenproject.org>, <linux-kernel@vger.kernel.org>
-Date: Thu, 21 Jun 2018 14:00:20 +0100
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-List-Id: <netdev.vger.kernel.org>
-
-Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
-Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
----
- drivers/net/xen-netfront.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index 922ce0a..ee4cb6c 100644
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -1810,7 +1810,7 @@ static int talk_to_netback(struct xenbus_device *dev,
- 	err = xen_net_read_mac(dev, info->netdev->dev_addr);
- 	if (err) {
- 		xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename);
--		goto out;
-+		goto out_unlocked;
- 	}
- 
- 	rtnl_lock();
-@@ -1925,6 +1925,7 @@ static int talk_to_netback(struct xenbus_device *dev,
- 	xennet_destroy_queues(info);
-  out:
- 	rtnl_unlock();
-+out_unlocked:
- 	device_unregister(&dev->dev);
- 	return err;
- }
diff --git a/2-2-xen-netfront-Update-features-after-registering-netdev.patch b/2-2-xen-netfront-Update-features-after-registering-netdev.patch
deleted file mode 100644
index b23d6bfaa..000000000
--- a/2-2-xen-netfront-Update-features-after-registering-netdev.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From patchwork Thu Jun 21 13:00:21 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [2/2] xen-netfront: Update features after registering netdev
-X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
-X-Patchwork-Id: 932720
-Message-Id: <20180621130021.27029-3-ross.lagerwall@citrix.com>
-To: <netdev@vger.kernel.org>
-Cc: Ross Lagerwall <ross.lagerwall@citrix.com>,
- Boris Ostrovsky <boris.ostrovsky@oracle.com>,
- Juergen Gross <jgross@suse.com>, "David S. Miller" <davem@davemloft.net>,
- <xen-devel@lists.xenproject.org>, <linux-kernel@vger.kernel.org>,
- Liam Shepherd <liam@dancer.es>
-Date: Thu, 21 Jun 2018 14:00:21 +0100
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-List-Id: <netdev.vger.kernel.org>
-
-Update the features after calling register_netdev() otherwise the
-device features are not set up correctly and it not possible to change
-the MTU of the device. After this change, the features reported by
-ethtool match the device's features before the commit which introduced
-the issue and it is possible to change the device's MTU.
-
-Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
-Reported-by: Liam Shepherd <liam@dancer.es>
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
-Reviewed-by: Juergen Gross <jgross@suse.com>
----
- drivers/net/xen-netfront.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index ee4cb6c..a57daec 100644
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -1951,10 +1951,6 @@ static int xennet_connect(struct net_device *dev)
- 	/* talk_to_netback() sets the correct number of queues */
- 	num_queues = dev->real_num_tx_queues;
- 
--	rtnl_lock();
--	netdev_update_features(dev);
--	rtnl_unlock();
--
- 	if (dev->reg_state == NETREG_UNINITIALIZED) {
- 		err = register_netdev(dev);
- 		if (err) {
-@@ -1964,6 +1960,10 @@ static int xennet_connect(struct net_device *dev)
- 		}
- 	}
- 
-+	rtnl_lock();
-+	netdev_update_features(dev);
-+	rtnl_unlock();
-+
- 	/*
- 	 * All public and private state should now be sane.  Get
- 	 * ready to start sending and receiving packets and give the driver
diff --git a/ext4-fix-false-negative-and-false-positives.patch b/ext4-fix-false-negative-and-false-positives.patch
new file mode 100644
index 000000000..2beba4f94
--- /dev/null
+++ b/ext4-fix-false-negative-and-false-positives.patch
@@ -0,0 +1,56 @@
+From 44de022c4382541cebdd6de4465d1f4f465ff1dd Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 8 Jul 2018 19:35:02 -0400
+Subject: ext4: fix false negatives *and* false positives in
+ ext4_check_descriptors()
+
+Ext4_check_descriptors() was getting called before s_gdb_count was
+initialized.  So for file systems w/o the meta_bg feature, allocation
+bitmaps could overlap the block group descriptors and ext4 wouldn't
+notice.
+
+For file systems with the meta_bg feature enabled, there was a
+fencepost error which would cause the ext4_check_descriptors() to
+incorrectly believe that the block allocation bitmap overlaps with the
+block group descriptor blocks, and it would reject the mount.
+
+Fix both of these problems.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+---
+ fs/ext4/super.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index ba2396a7bd04..eff5c983e067 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2342,7 +2342,7 @@ static int ext4_check_descriptors(struct super_block *sb,
+ 	struct ext4_sb_info *sbi = EXT4_SB(sb);
+ 	ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
+ 	ext4_fsblk_t last_block;
+-	ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1;
++	ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0);
+ 	ext4_fsblk_t block_bitmap;
+ 	ext4_fsblk_t inode_bitmap;
+ 	ext4_fsblk_t inode_table;
+@@ -4085,14 +4085,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ 			goto failed_mount2;
+ 		}
+ 	}
++	sbi->s_gdb_count = db_count;
+ 	if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
+ 		ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
+ 		ret = -EFSCORRUPTED;
+ 		goto failed_mount2;
+ 	}
+ 
+-	sbi->s_gdb_count = db_count;
+-
+ 	timer_setup(&sbi->s_err_report, print_daily_error_info, 0);
+ 
+ 	/* Register extent status tree shrinker */
+-- 
+cgit 1.2-0.3.lf.el7
+
diff --git a/kernel.spec b/kernel.spec
index 5d7d6fe89..5c2058e75 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -134,6 +134,10 @@ Summary: The Linux kernel
 # See also 'make debug' and 'make release'.
 %define debugbuildsenabled 1
 
+# Kernel headers are being split out into a separate package
+%define with_headers 0
+%define with_cross_headers 0
+
 %if %{with_verbose}
 %define make_opts V=1
 %else
@@ -656,10 +660,6 @@ Patch508: ath10k-Update-the-phymode-along-with-bandwidth-change.patch
 # In 4.18
 Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch
 
-# rhbz 1584216
-Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
-Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch
-
 # rhbz 1591516
 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch
 
@@ -688,8 +688,11 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
 # rhbz 1597333
 # Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch
 
-# i686 patch that will eventually be 4.17.8
-Patch527: mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch
+# rhbz 1602971
+Patch529: ext4-fix-false-negative-and-false-positives.patch
+
+# CVE-2018-14678 rhbz 1608559 1608560
+Patch530: xsa274-linux-4_17.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -1943,6 +1946,21 @@ fi
 #
 #
 %changelog
+* Mon Jul 30 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.11-100
+- Linux v4.17.11
+- Turn off kernel-headers for the split
+- Fix CVE-2018-14678 (rhbz 1608559 1608560)
+
+* Wed Jul 25 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.10-100
+- Linux v4.17.10
+
+* Mon Jul 23 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.9-200
+- Linux v4.17.9
+- Fix emergency shell with ext4 rootfs (rhbz 1602971)
+
+* Mon Jul 23 2018 Jeremy Cline <jeremy@jcline.org>
+- Fix iwlwifi module load failure (rhbz 1607092)
+
 * Tue Jul 17 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.7-100
 - Linux v4.17.7
 
diff --git a/mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch b/mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch
deleted file mode 100644
index f72e111ad..000000000
--- a/mm-don-t-do-zero_resv_unavail-if-memmap-is-not-allocated.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From d1b47a7c9efcf3c3384b70f6e3c8f1423b44d8c7 Mon Sep 17 00:00:00 2001
-From: Pavel Tatashin <pasha.tatashin@oracle.com>
-Date: Mon, 16 Jul 2018 11:16:30 -0400
-Subject: mm: don't do zero_resv_unavail if memmap is not allocated
-
-From: Pavel Tatashin <pasha.tatashin@oracle.com>
-
-commit d1b47a7c9efcf3c3384b70f6e3c8f1423b44d8c7 upstream.
-
-Moving zero_resv_unavail before memmap_init_zone(), caused a regression on
-x86-32.
-
-The cause is that we access struct pages before they are allocated when
-CONFIG_FLAT_NODE_MEM_MAP is used.
-
-free_area_init_nodes()
-  zero_resv_unavail()
-    mm_zero_struct_page(pfn_to_page(pfn)); <- struct page is not alloced
-  free_area_init_node()
-    if CONFIG_FLAT_NODE_MEM_MAP
-      alloc_node_mem_map()
-        memblock_virt_alloc_node_nopanic() <- struct page alloced here
-
-On the other hand memblock_virt_alloc_node_nopanic() zeroes all the memory
-that it returns, so we do not need to do zero_resv_unavail() here.
-
-Fixes: e181ae0c5db9 ("mm: zero unavailable pages before memmap init")
-Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
-Tested-by: Matt Hart <matt@mattface.org>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- include/linux/mm.h |    2 +-
- mm/page_alloc.c    |    4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2081,7 +2081,7 @@ extern int __meminit __early_pfn_to_nid(
- 					struct mminit_pfnnid_cache *state);
- #endif
- 
--#ifdef CONFIG_HAVE_MEMBLOCK
-+#if defined(CONFIG_HAVE_MEMBLOCK) && !defined(CONFIG_FLAT_NODE_MEM_MAP)
- void zero_resv_unavail(void);
- #else
- static inline void zero_resv_unavail(void) {}
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -6377,7 +6377,7 @@ void __paginginit free_area_init_node(in
- 	free_area_init_core(pgdat);
- }
- 
--#ifdef CONFIG_HAVE_MEMBLOCK
-+#if defined(CONFIG_HAVE_MEMBLOCK) && !defined(CONFIG_FLAT_NODE_MEM_MAP)
- /*
-  * Only struct pages that are backed by physical memory are zeroed and
-  * initialized by going through __init_single_page(). But, there are some
-@@ -6415,7 +6415,7 @@ void __paginginit zero_resv_unavail(void
- 	if (pgcnt)
- 		pr_info("Reserved but unavailable: %lld pages", pgcnt);
- }
--#endif /* CONFIG_HAVE_MEMBLOCK */
-+#endif /* CONFIG_HAVE_MEMBLOCK && !CONFIG_FLAT_NODE_MEM_MAP */
- 
- #ifdef CONFIG_HAVE_MEMBLOCK_NODE_MAP
- 
diff --git a/scripts/create_headers_tarball.sh b/scripts/create_headers_tarball.sh
new file mode 100755
index 000000000..fee658579
--- /dev/null
+++ b/scripts/create_headers_tarball.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# This script is aimed at generating the headers from the kernel sources.
+# Please do a git checkout of the kernel sources, or run until %prep step of
+# kernel rpm build. Then go into the directory with the sources, and run this
+# script
+#
+# Author: Herton R. Krzesinski <herton@redhat.com>
+
+# ARCH_LIST below has the default list of supported architectures
+# (the architectures names may be different from rpm, you list here the
+# names of arch/<arch> directories in the kernel sources)
+ARCH_LIST="arm arm64 powerpc s390 x86"
+
+# If the kernel Makefile doesn't contain enough information for the tarball
+# release, you can specify the release of the package so it'll be included
+# in the name of the created tarball
+TB_RELEASE="1"
+
+# If kernel Makefile has the package release number, you can specify the name of
+# Makefile variable here.
+MAKE_RELEASE=""
+
+# Extra string (usually dist tag) that goes into the tarball name
+EXTRA=""
+
+while [ ! -z "$1" ]; do
+	opt="$1"
+	case $opt in
+		--arch-list|-a)
+			ARCH_LIST="$2"
+			shift
+			;;
+		--extra|-e)
+			EXTRA="$2"
+			shift
+			;;
+		--make-release|-m)
+			MAKE_RELEASE=$2
+			shift
+			;;
+		--release|-r)
+			TB_RELEASE=$2
+			shift
+			;;
+		*)
+			echo "Unknown option ($1) to $0"
+			exit
+			;;
+	esac
+	shift
+done
+
+KVERSION=$(cat Makefile | sed -ne '/^VERSION\ =\ /{s///;p;q}')
+KPATCHLEVEL=$(cat Makefile | sed -ne '/^PATCHLEVEL\ =\ /{s///;p;q}')
+KSUBLEVEL=$(cat Makefile | sed -ne '/^SUBLEVEL\ =\ /{s///;p;q}')
+TB_VERSION=$KVERSION.$KPATCHLEVEL.$KSUBLEVEL
+if [ -z "$TB_RELEASE" ]; then
+	KEXTRAVERSION=$(cat Makefile | sed -ne '/^EXTRAVERSION\ =\ /{s///;p;q}')
+	DISTRO_RELEASE=""
+	if [ -n "$MAKE_RELEASE" ]; then
+		DISTRO_RELEASE=.$(cat Makefile | sed -ne "/^$MAKE_RELEASE\ =\ /{s///;p;q}")
+	fi
+	if [ -n "$KEXTRAVERSION" ]; then
+		KEXTRAVERSION=$(echo $KEXTRAVERSION | sed -e s/-/./)
+		TB_RELEASE=0$KEXTRAVERSION$DISTRO_RELEASE$EXTRA
+	else
+		TB_RELEASE=$DISTRO_RELEASE$EXTRA
+	fi
+fi
+
+headers_dir=$(mktemp -d)
+trap 'rm -rf "$headers_dir"' SIGHUP SIGINT SIGTERM EXIT
+
+make HDR_ARCH_LIST="$ARCH_LIST" INSTALL_HDR_PATH=$headers_dir headers_install_all
+find $headers_dir \
+	\( -name .install -o -name .check -o \
+	-name ..install.cmd -o -name ..check.cmd \) | xargs rm -f
+
+TARBALL=$PWD/kernel-headers-$TB_VERSION-$TB_RELEASE.tar.xz
+pushd $headers_dir
+	tar -Jcf $TARBALL *
+popd
+
+echo wrote $TARBALL
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
new file mode 100644
index 000000000..7a9bbf768
--- /dev/null
+++ b/xsa274-linux-4_17.patch
@@ -0,0 +1,127 @@
+From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
+
+error_entry and error_exit communicate the user vs kernel status of
+the frame using %ebx.  This is unnecessary -- the information is in
+regs->cs.  Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug.  Before all the Spectre nonsense, The
+xen_failsafe_callback entry point returned like this:
+
+        ALLOC_PT_GPREGS_ON_STACK
+        SAVE_C_REGS
+        SAVE_EXTRA_REGS
+        ENCODE_FRAME_POINTER
+        jmp     error_exit
+
+And it did not go through error_entry.  This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used.  As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks.  Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes.  This was introduced by:
+
+    commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
+    exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed.]
+
+[Note to stable maintainers: this should probably get applied to all
+ kernels.  If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem.]
+
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: x86@kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 73a522d53b53..8ae7ffda8f98 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -981,7 +981,7 @@ ENTRY(\sym)
+ 
+ 	call	\do_sym
+ 
+-	jmp	error_exit			/* %ebx: no swapgs flag */
++	jmp	error_exit
+ 	.endif
+ END(\sym)
+ .endm
+@@ -1222,7 +1222,6 @@ END(paranoid_exit)
+ 
+ /*
+  * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+  */
+ ENTRY(error_entry)
+ 	UNWIND_HINT_FUNC
+@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
+ 	 * for these here too.
+ 	 */
+ .Lerror_kernelspace:
+-	incl	%ebx
+ 	leaq	native_irq_return_iret(%rip), %rcx
+ 	cmpq	%rcx, RIP+8(%rsp)
+ 	je	.Lerror_bad_iret
+@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
+ 
+ 	/*
+ 	 * Pretend that the exception came from user mode: set up pt_regs
+-	 * as if we faulted immediately after IRET and clear EBX so that
+-	 * error_exit knows that we will be returning to user mode.
++	 * as if we faulted immediately after IRET.
+ 	 */
+ 	mov	%rsp, %rdi
+ 	call	fixup_bad_iret
+ 	mov	%rax, %rsp
+-	decl	%ebx
+ 	jmp	.Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+ 
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- *   1: already in kernel mode, don't need SWAPGS
+- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ 	UNWIND_HINT_REGS
+ 	DISABLE_INTERRUPTS(CLBR_ANY)
+ 	TRACE_IRQS_OFF
+-	testl	%ebx, %ebx
+-	jnz	retint_kernel
++	testb	$3, CS(%rsp)
++	jz	retint_kernel
+ 	jmp	retint_user
+ END(error_exit)
+ 
+-- 
+2.18.0
+