authorThorsten Leemhuis <fedora@leemhuis.info>2016-06-02 07:46:24 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2016-06-02 07:46:24 +0200
commita128f22956e15a6f0f62660c57c381edf873604b (patch)
tree2dc36a8661cb4bd6411ee3f0e8b8d45778c84748
parent548bd774375743a155cc9259c321078039b1ca05 (diff)
parent60b0ac6b6a50bf6ff4a2e1ce32353679dac45f91 (diff)
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.5.6-200.vanilla.knurd.1.fc23
-rw-r--r--KVM-MTRR-remove-MSR-0x2f8.patch49
-rw-r--r--kernel.spec28
-rw-r--r--kvm-vmx-more-complete-state-update-on-APICv-on-off.patch112
-rw-r--r--sources2
-rw-r--r--sp5100_tco-properly-check-for-new-register-layouts.patch75
-rw-r--r--tipc-check-nl-sock-before-parsing-nested-attributes.patch36
6 files changed, 167 insertions, 135 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch
deleted file mode 100644
index 8066b2e8f..000000000
--- a/KVM-MTRR-remove-MSR-0x2f8.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
-Date: Mon, 16 May 2016 09:45:35 -0400
-Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds. The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-TBD.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: stable@vger.kernel.org
-Reported-by: David Matlack <dmatlack@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
----
- arch/x86/kvm/mtrr.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
-index 3f8c732117ec..c146f3c262c3 100644
---- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
- case MSR_MTRRdefType:
- case MSR_IA32_CR_PAT:
- return true;
-- case 0x2f8:
-- return true;
- }
- return false;
- }
---
-2.5.5
-
diff --git a/kernel.spec b/kernel.spec
index 46b0a1da1..ea69f8061 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -663,9 +663,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
#CVE-2016-4482 rhbz 1332931 1332932
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
-#rhbz 1328633
-Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch
-
#CVE-2016-4569 rhbz 1334643 1334645
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -674,8 +671,11 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
#CVE-2016-0758 rhbz 1300257 1335386
Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
-#CVE-2016-3713 rhbz 1332139 1336410
-Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
+#CVE-2016-4440 rhbz 1337806 1337807
+Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
+
+#CVE-2016-4951 rhbz 1338625 1338626
+Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
# END OF PATCH DEFINITIONS
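Review bot: Dropping the `Patch718:` definition here (and `Patch713:` in the previous hunk) only removes the declarations; the matching apply lines in `%prep` are outside this diff, and if an `ApplyPatch` or `%patch` reference to either deleted file survives there the build fails on the missing source, so that part of the spec should be confirmed to have been updated in the same commit. The changelog hunk at the end of the file records the two new CVE patches but says nothing about why the sp5100_tco and KVM MTRR patches were dropped, which leaves the history unexplained for the next rebase. A changelog line such as `- Drop sp5100_tco and KVM MTRR patches, now in stable` would cover that, with the wording adjusted to what was actually verified, since this diff alone does not show that the 4.5.6 stable update contains them.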
@@ -751,7 +751,6 @@ files combining both kernel and initial ramdisk.
%package debuginfo-common-%{_target_cpu}
Summary: Kernel source files used by %{name}-debuginfo packages
Group: Development/Debug
-Provides: installonlypkg(kernel)
%description debuginfo-common-%{_target_cpu}
This package is required by %{name}-debuginfo subpackages.
It provides the kernel source files common to all builds.
@@ -868,7 +867,6 @@ Summary: Debug information for package %{name}%{?1:-%{1}}\
Group: Development/Debug\
Requires: %{name}-debuginfo-common-%{_target_cpu} = %{version}-%{release}\
Provides: %{name}%{?1:-%{1}}-debuginfo-%{_target_cpu} = %{version}-%{release}\
-Provides: installonlypkg(kernel)\
AutoReqProv: no\
%description %{?1:%{1}-}debuginfo\
This package provides debug information for package %{name}%{?1:-%{1}}.\
@@ -948,7 +946,6 @@ summary: kernel meta-package for the %{1} kernel\
group: system environment/kernel\
Requires: kernel-%{1}-core-uname-r = %{KVERREL}%{?variant}+%{1}\
Requires: kernel-%{1}-modules-uname-r = %{KVERREL}%{?variant}+%{1}\
-Provides: installonlypkg(kernel)\
%description %{1}\
The meta-package for the %{1} kernel\
%{nil}
@@ -963,7 +960,6 @@ The meta-package for the %{1} kernel\
Summary: %{variant_summary}\
Group: System Environment/Kernel\
Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
-Provides: installonlypkg(kernel)\
%{expand:%%kernel_reqprovconf}\
%if %{?1:1} %{!?1:0} \
%{expand:%%kernel_meta_package %{?1:%{1}}}\
@@ -2201,6 +2197,18 @@ fi
#
#
%changelog
+* Wed Jun 01 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.6-200
+- Linux v4.5.6
+
+* Mon May 23 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626)
+
+* Fri May 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.5-201
+- Remove the installonly additions until dnf can handle the transition
+
+* Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807)
+
* Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.5-200
- Linux v4.5.5
- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
diff --git a/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
new file mode 100644
index 000000000..67043300c
--- /dev/null
+++ b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
@@ -0,0 +1,112 @@
+From: Roman Kagan <rkagan@virtuozzo.com>
+Subject: [PATCH v3] kvm:vmx: more complete state update on APICv on/off
+Date: 2016-05-18 14:48:20 GMT (1 day, 21 hours and 23 minutes ago)
+
+The function to update APICv on/off state (in particular, to deactivate
+it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust
+APICv-related fields among secondary processor-based VM-execution
+controls.
+
+As a result, Windows 2012 guests would get stuck when SynIC-based
+auto-EOI interrupt intersected with e.g. an IPI in the guest.
+
+In addition, the MSR intercept bitmap wasn't updated to correspond to
+whether "virtualize x2APIC mode" was enabled. This path used not to be
+triggered, since Windows didn't use x2APIC but rather their own
+synthetic APIC access MSRs; however it represented a security risk
+because the guest running in a SynIC-enabled VM could switch to x2APIC
+and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang
+<yang.zhang.wz@gmail.com> for spotting this).
+
+The patch fixes those omissions.
+
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Cc: Steve Rutherford <srutherford@google.com>
+Cc: Yang Zhang <yang.zhang.wz@gmail.com>
+---
+v2 -> v3:
+ - only switch to x2apic msr bitmap if virtualize x2apic mode is on in vmcs
+
+v1 -> v2:
+ - only update relevant bits in the secondary exec control
+ - update msr intercept bitmap (also make x2apic msr bitmap always
+ correspond to APICv)
+
+ arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index ee1c8a9..cef741a 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2418,7 +2418,9 @@ static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu)
+
+ if (is_guest_mode(vcpu))
+ msr_bitmap = vmx_msr_bitmap_nested;
+- else if (vcpu->arch.apic_base & X2APIC_ENABLE) {
++ else if (cpu_has_secondary_exec_ctrls() &&
++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
+ if (is_long_mode(vcpu))
+ msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
+ else
+@@ -4783,6 +4785,19 @@ static void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx));
++ if (cpu_has_secondary_exec_ctrls()) {
++ if (kvm_vcpu_apicv_active(vcpu))
++ vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL,
++ SECONDARY_EXEC_APIC_REGISTER_VIRT |
++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++ else
++ vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL,
++ SECONDARY_EXEC_APIC_REGISTER_VIRT |
++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++ }
++
++ if (cpu_has_vmx_msr_bitmap())
++ vmx_set_msr_bitmap(vcpu);
+ }
+
+ static u32 vmx_exec_control(struct vcpu_vmx *vmx)
+@@ -6329,23 +6344,20 @@ static __init int hardware_setup(void)
+
+ set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
+
+- if (enable_apicv) {
+- for (msr = 0x800; msr <= 0x8ff; msr++)
+- vmx_disable_intercept_msr_read_x2apic(msr);
+-
+- /* According SDM, in x2apic mode, the whole id reg is used.
+- * But in KVM, it only use the highest eight bits. Need to
+- * intercept it */
+- vmx_enable_intercept_msr_read_x2apic(0x802);
+- /* TMCCT */
+- vmx_enable_intercept_msr_read_x2apic(0x839);
+- /* TPR */
+- vmx_disable_intercept_msr_write_x2apic(0x808);
+- /* EOI */
+- vmx_disable_intercept_msr_write_x2apic(0x80b);
+- /* SELF-IPI */
+- vmx_disable_intercept_msr_write_x2apic(0x83f);
+- }
++ for (msr = 0x800; msr <= 0x8ff; msr++)
++ vmx_disable_intercept_msr_read_x2apic(msr);
++
++ /* According SDM, in x2apic mode, the whole id reg is used. But in
++ * KVM, it only use the highest eight bits. Need to intercept it */
++ vmx_enable_intercept_msr_read_x2apic(0x802);
++ /* TMCCT */
++ vmx_enable_intercept_msr_read_x2apic(0x839);
++ /* TPR */
++ vmx_disable_intercept_msr_write_x2apic(0x808);
++ /* EOI */
++ vmx_disable_intercept_msr_write_x2apic(0x80b);
++ /* SELF-IPI */
++ vmx_disable_intercept_msr_write_x2apic(0x83f);
+
+ if (enable_ept) {
+ kvm_mmu_set_mask_ptes(0ull,
+--
+2.5.5
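Review bot: The patch header carries no upstream commit id: it begins at the `From: Roman Kagan` line with a patchwork-style `Date: 2016-05-18 14:48:20 GMT (1 day, 21 hours and 23 minutes ago)` line, so nothing in the repository records which upstream commit this corresponds to once it lands, which makes later rebases and the CVE-2016-4440 bookkeeping harder. Consider adding a provenance line above `From:`, e.g. `Upstream-status: submitted as v3, commit <UPSTREAM-COMMIT-ID placeholder>`, and dropping the relative-age text from the `Date:` line. On the code side, the new `vmx_set_msr_bitmap` condition replaces the `vcpu->arch.apic_base & X2APIC_ENABLE` test with a `vmcs_read32(SECONDARY_VM_EXEC_CONTROL)` read, which presumes the vCPU's VMCS is the one currently loaded at every call site; for the new call from `vmx_refresh_apicv_exec_ctrl` that holds only if its callers run with the vcpu loaded, which I cannot confirm from this diff. Both `vmx_set_msr_bitmap` and `hardware_setup` start and end outside their hunks.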
diff --git a/sources b/sources
index aa475431e..51db1cae0 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz
6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz
-fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz
+165ea1f74c34d264f11be8c25d97635b patch-4.5.6.xz
diff --git a/sp5100_tco-properly-check-for-new-register-layouts.patch b/sp5100_tco-properly-check-for-new-register-layouts.patch
deleted file mode 100644
index 83c86d151..000000000
--- a/sp5100_tco-properly-check-for-new-register-layouts.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 5896a59895689db447e888c1714022bbb9526ede Mon Sep 17 00:00:00 2001
-From: Lucas Stach <dev@lynxeye.de>
-Date: Tue, 3 May 2016 19:15:58 +0200
-Subject: [PATCH] sp5100_tco: properly check for new register layouts
-
-Commits 190aa4304de6 (Add AMD Mullins platform support) and
-cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
-driver on a lot more devices, but the following commit missed
-a single location in the code when checking if the SB800 register
-offsets should be used. This leads to the wrong register being
-written which in turn causes ACPI to go haywire.
-
-Fix this by introducing a helper function to check for the new
-register layout and use this consistently.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=114201
-https://bugzilla.redhat.com/show_bug.cgi?id=1329910
-Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
-and later chipsets)
-Cc: stable@vger.kernel.org (4.5+)
-Signed-off-by: Lucas Stach <dev@lynxeye.de>
----
- drivers/watchdog/sp5100_tco.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c
-index 6467b91..028618c 100644
---- a/drivers/watchdog/sp5100_tco.c
-+++ b/drivers/watchdog/sp5100_tco.c
-@@ -73,6 +73,13 @@ MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started."
- /*
- * Some TCO specific functions
- */
-+
-+static bool tco_has_sp5100_reg_layout(struct pci_dev *dev)
-+{
-+ return dev->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-+ dev->revision < 0x40;
-+}
-+
- static void tco_timer_start(void)
- {
- u32 val;
-@@ -129,7 +136,7 @@ static void tco_timer_enable(void)
- {
- int val;
-
-- if (sp5100_tco_pci->revision >= 0x40) {
-+ if (!tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
- /* For SB800 or later */
- /* Set the Watchdog timer resolution to 1 sec */
- outb(SB800_PM_WATCHDOG_CONFIG, SB800_IO_PM_INDEX_REG);
-@@ -342,8 +349,7 @@ static unsigned char sp5100_tco_setupdevice(void)
- /*
- * Determine type of southbridge chipset.
- */
-- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-- sp5100_tco_pci->revision < 0x40) {
-+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
- dev_name = SP5100_DEVNAME;
- index_reg = SP5100_IO_PM_INDEX_REG;
- data_reg = SP5100_IO_PM_DATA_REG;
-@@ -388,8 +394,7 @@ static unsigned char sp5100_tco_setupdevice(void)
- * Secondly, Find the watchdog timer MMIO address
- * from SBResource_MMIO register.
- */
-- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-- sp5100_tco_pci->revision < 0x40) {
-+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
- /* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
- pci_read_config_dword(sp5100_tco_pci,
- SP5100_SB_RESOURCE_MMIO_BASE, &val);
---
-2.7.4
-
diff --git a/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/tipc-check-nl-sock-before-parsing-nested-attributes.patch
new file mode 100644
index 000000000..09bfe1485
--- /dev/null
+++ b/tipc-check-nl-sock-before-parsing-nested-attributes.patch
@@ -0,0 +1,36 @@
+From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001
+From: Richard Alpe <richard.alpe@ericsson.com>
+Date: Mon, 16 May 2016 11:14:54 +0200
+Subject: [PATCH] tipc: check nl sock before parsing nested attributes
+
+Make sure the socket for which the user is listing publication exists
+before parsing the socket netlink attributes.
+
+Prior to this patch a call without any socket caused a NULL pointer
+dereference in tipc_nl_publ_dump().
+
+Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/tipc/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 12628890c219..3b7a79991d55 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ if (err)
+ return err;
+
++ if (!attrs[TIPC_NLA_SOCK])
++ return -EINVAL;
++
+ err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
+ attrs[TIPC_NLA_SOCK],
+ tipc_nl_sock_policy);
+--
+2.5.5
+