diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-21 07:56:01 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-21 07:56:01 +0200 |
commit | a7a0c90031acf1cd1e7bd777bda70e1738c805c9 (patch) | |
tree | 9188e551ff78c6423cfdf95240226ed368bb482f | |
parent | 89f8c3ffa504e07b9ce529acf90c4bfd22a440a4 (diff) | |
parent | 8a052bf240d0b95d9c255ca9291a0669e5e28ac5 (diff) | |
download | kernel-a7a0c90031acf1cd1e7bd777bda70e1738c805c9.tar.gz kernel-a7a0c90031acf1cd1e7bd777bda70e1738c805c9.tar.xz kernel-a7a0c90031acf1cd1e7bd777bda70e1738c805c9.zip |
Merge remote-tracking branch 'origin/master'kernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc25kernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc24kernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc23kernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc22
-rw-r--r-- | ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch | 34 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch | 34 | ||||
-rw-r--r-- | Add-an-EFI-signature-blob-parser-and-key-loader.patch | 29 | ||||
-rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 | ||||
-rw-r--r-- | config-arm-generic | 9 | ||||
-rw-r--r-- | config-arm64 | 1 | ||||
-rw-r--r-- | config-armv7 | 1 | ||||
-rw-r--r-- | config-armv7-generic | 4 | ||||
-rw-r--r-- | config-generic | 10 | ||||
-rw-r--r-- | config-x86-generic | 1 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 26 | ||||
-rw-r--r-- | kvm-vmx-more-complete-state-update-on-APICv-on-off.patch | 112 | ||||
-rw-r--r-- | sources | 2 |
15 files changed, 162 insertions, 185 deletions
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch deleted file mode 100644 index 3eb8bf183..000000000 --- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:44:07 -0400 -Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “tread” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 6469bedda2f3..964f5ebf495e 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file, - if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { - if (tu->tread) { - struct snd_timer_tread tread; -+ memset(&tread, 0, sizeof(tread)); - tread.event = SNDRV_TIMER_EVENT_EARLY; - tread.tstamp.tv_sec = 0; - tread.tstamp.tv_nsec = 0; --- -2.5.5 - diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch deleted file mode 100644 index e6f46f8a8..000000000 --- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch +++ /dev/null @@ -1,34 +0,0 @@ -From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:44:20 -0400 -Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via - snd_timer_user_ccallback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “r1” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 964f5ebf495e..e98fa5feb731 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, - tu->tstamp = *tstamp; - if ((tu->filter & (1 << event)) == 0 || !tu->tread) - return; -+ memset(&r1, 0, sizeof(r1)); - r1.event = event; - r1.tstamp = *tstamp; - r1.val = resolution; --- -2.5.5 - diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch deleted file mode 100644 index 7851c55a2..000000000 --- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:44:32 -0400 -Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via - snd_timer_user_tinterrupt -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “r1” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index e98fa5feb731..c69a27155433 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, - } - if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && - tu->last_resolution != resolution) { -+ memset(&r1, 0, sizeof(r1)); - r1.event = SNDRV_TIMER_EVENT_RESOLUTION; - r1.tstamp = tstamp; - r1.val = resolution; --- -2.5.5 - diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index 86a285581..78f482b39 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,4 +1,4 @@ -From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001 +From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001 From: Dave Howells <dhowells@redhat.com> Date: Tue, 23 Oct 2012 09:36:28 -0400 Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. @@ -6,20 +6,21 @@ Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. +[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED] Signed-off-by: David Howells <dhowells@redhat.com> --- crypto/asymmetric_keys/Kconfig | 8 +++ crypto/asymmetric_keys/Makefile | 1 + - crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ + crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++ include/linux/efi.h | 4 ++ - 4 files changed, 122 insertions(+) + 4 files changed, 121 insertions(+) create mode 100644 crypto/asymmetric_keys/efi_parser.c diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index 4870f28403f5..4a1b50d73b80 100644 +index e28e912..94024e8 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig -@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION +@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. @@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644 + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index cd1406f9b14a..d9db380bbe53 100644 +index 6516855..c099fe1 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile -@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o +@@ -10,6 +10,7 @@ asymmetric_keys-y := \ + signature.o obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o @@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644 # X.509 Certificate handling diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c new file mode 100644 -index 000000000000..424896a0b169 +index 0000000..636feb1 --- /dev/null +++ b/crypto/asymmetric_keys/efi_parser.c -@@ -0,0 +1,109 @@ +@@ -0,0 +1,108 @@ +/* EFI signature/key/certificate list parser + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. @@ -139,8 +141,7 @@ index 000000000000..424896a0b169 + esize - sizeof(*elem), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW, -+ KEY_ALLOC_NOT_IN_QUOTA | -+ KEY_ALLOC_TRUSTED); ++ KEY_ALLOC_NOT_IN_QUOTA); + + if (IS_ERR(key)) + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", @@ -159,10 +160,10 @@ index 000000000000..424896a0b169 + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index fac43c611614..414c3c3d988d 100644 +index b80227a..18443e3 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void); +@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, char * __init efi_md_typeattr_format(char *buf, size_t size, const efi_memory_desc_t *md); @@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -2.4.3 +2.5.5 diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch deleted file mode 100644 index 8066b2e8f..000000000 --- a/KVM-MTRR-remove-MSR-0x2f8.patch +++ /dev/null @@ -1,49 +0,0 @@ -From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> -Date: Mon, 16 May 2016 09:45:35 -0400 -Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support -was introduced by 9ba075a664df ("KVM: MTRR support"). - -0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the -size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, -which made access to index 124 out of bounds. The surrounding code only -WARNs in this situation, thus the guest gained a limited read/write -access to struct kvm_arch_vcpu. - -0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR -MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 -was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was -not implemented in KVM, therefore 0x2f8 could never do anything useful -and getting rid of it is safe. - -This fixes CVE-2016-TBD. - -Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") -Cc: stable@vger.kernel.org -Reported-by: David Matlack <dmatlack@google.com> -Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> ---- - arch/x86/kvm/mtrr.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c -index 3f8c732117ec..c146f3c262c3 100644 ---- a/arch/x86/kvm/mtrr.c -+++ b/arch/x86/kvm/mtrr.c -@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) - case MSR_MTRRdefType: - case MSR_IA32_CR_PAT: - return true; -- case 0x2f8: -- return true; - } - return false; - } --- -2.5.5 - diff --git a/config-arm-generic b/config-arm-generic index dfbab76cc..2b71fa092 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -6,8 +6,9 @@ CONFIG_EARLY_PRINTK=y CONFIG_SERIAL_EARLYCON_ARM_SEMIHOST=y CONFIG_FB_SSD1307=m CONFIG_HW_PERF_EVENTS=y -CONFIG_NFS_FS=y CONFIG_FORCE_MAX_ZONEORDER=11 +CONFIG_XZ_DEC_ARM=y +CONFIG_XZ_DEC_ARMTHUMB=y CONFIG_CC_STACKPROTECTOR=y @@ -154,6 +155,8 @@ CONFIG_RTC_DRV_TEGRA=m CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_TEGRA124_CPUFREQ=m CONFIG_TEGRA_SOCTHERM=m +CONFIG_PHY_TEGRA_XUSB=m +CONFIG_USB_XHCI_TEGRA=m CONFIG_TEGRA_HOST1X=m CONFIG_TEGRA_HOST1X_FIREWALL=y @@ -165,7 +168,6 @@ CONFIG_SND_HDA_TEGRA=m # CONFIG_ARM_TEGRA20_CPUFREQ is not set # CONFIG_MFD_NVEC is not set -# CONFIG_PHY_TEGRA_XUSB is not set # Virt CONFIG_PARAVIRT=y @@ -545,3 +547,6 @@ CONFIG_CHECKPOINT_RESTORE=y # CONFIG_HW_RANDOM_HISI is not set # CONFIG_QRTR is not set + +# This Xilinx option is now built for arm64 as well as ARM +CONFIG_XILINX_VDMA=m diff --git a/config-arm64 b/config-arm64 index 5c338d7fa..7266b7db3 100644 --- a/config-arm64 +++ b/config-arm64 @@ -162,6 +162,7 @@ CONFIG_HI6220_MBOX=m # Tegra CONFIG_ARCH_TEGRA_132_SOC=y CONFIG_ARCH_TEGRA_210_SOC=y +CONFIG_TEGRA210_ADMA=y # AllWinner CONFIG_MACH_SUN50I=y diff --git a/config-armv7 b/config-armv7 index 755cefa99..d2191cee9 100644 --- a/config-armv7 +++ b/config-armv7 @@ -587,7 +587,6 @@ CONFIG_SPI_CADENCE=m CONFIG_I2C_CADENCE=m CONFIG_XILINX_WATCHDOG=m CONFIG_XILINX_XADC=m -CONFIG_XILINX_VDMA=m CONFIG_SND_SOC_ADI=m CONFIG_SND_SOC_ADI_AXI_I2S=m CONFIG_SND_SOC_ADI_AXI_SPDIF=m diff --git a/config-armv7-generic b/config-armv7-generic index 486a445ce..0b99be151 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -30,7 +30,6 @@ CONFIG_ATAGS=y CONFIG_ATAGS_PROC=y CONFIG_ZBOOT_ROM_TEXT=0x0 CONFIG_ZBOOT_ROM_BSS=0x0 -CONFIG_XZ_DEC_ARMTHUMB=y CONFIG_ARCH_HAS_TICK_BROADCAST=y CONFIG_IRQ_CROSSBAR=y CONFIG_IOMMU_IO_PGTABLE_LPAE=y @@ -164,8 +163,6 @@ CONFIG_DEVFREQ_GOV_USERSPACE=y CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 CONFIG_LSM_MMAP_MIN_ADDR=32768 -CONFIG_XZ_DEC_ARM=y - # CONFIG_PCI_LAYERSCAPE is not set # Do NOT enable this, it breaks stuff and makes things go slow # CONFIG_UACCESS_WITH_MEMCPY is not set @@ -464,6 +461,7 @@ CONFIG_RTC_DRV_ARMADA38X=m CONFIG_LEDS_NS2=m CONFIG_SERIAL_MVEBU_UART=y # CONFIG_SERIAL_MVEBU_CONSOLE is not set +# CONFIG_PCIE_ARMADA_8K is not set # DRM panels CONFIG_DRM_PANEL=y diff --git a/config-generic b/config-generic index 21ac74dae..9601b58d2 100644 --- a/config-generic +++ b/config-generic @@ -111,6 +111,7 @@ CONFIG_HOTPLUG_PCI=y # CONFIG_HOTPLUG_PCI_SHPC is not set CONFIG_HOTPLUG_PCI_PCIE=y # CONFIG_PCIE_DW_PLAT is not set +CONFIG_PCIE_DPC=m # CONFIG_SGI_IOC4 is not set @@ -4935,6 +4936,7 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set +# CONFIG_SECURITY_LOADPIN is not set CONFIG_SECURITY_YAMA=y CONFIG_AUDIT=y CONFIG_AUDITSYSCALL=y @@ -5071,6 +5073,7 @@ CONFIG_PERSISTENT_KEYRINGS=y CONFIG_BIG_KEYS=y CONFIG_TRUSTED_KEYS=m CONFIG_ENCRYPTED_KEYS=m +CONFIG_KEY_DH_OPERATIONS=y CONFIG_CDROM_PKTCDVD=m CONFIG_CDROM_PKTCDVD_BUFFERS=8 # CONFIG_CDROM_PKTCDVD_WCACHE is not set @@ -5580,10 +5583,6 @@ CONFIG_GPIOLIB=y CONFIG_NET_DSA=m CONFIG_NET_DSA_HWMON=y CONFIG_NET_DSA_MV88E6060=m -CONFIG_NET_DSA_MV88E6131=m -CONFIG_NET_DSA_MV88E6123=m -CONFIG_NET_DSA_MV88E6171=m -CONFIG_NET_DSA_MV88E6352=m CONFIG_NET_DSA_MV88E6XXX=m CONFIG_NET_DSA_BCM_SF2=m @@ -5924,6 +5923,7 @@ CONFIG_MODULE_SIG_SHA256=y CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYS="" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +CONFIG_SECONDARY_TRUSTED_KEYRING=y CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_PKCS7_TEST_KEY is not set CONFIG_SIGNED_PE_FILE_VERIFICATION=y @@ -5959,3 +5959,5 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y # The kernel code has a nice comment # WARNING: Do not even assume this interface is staying stable! # CONFIG_MCE_AMD_INJ is not set + +# CONFIG_EZNPS_GIC is not set diff --git a/config-x86-generic b/config-x86-generic index 328f40020..5418ee7ab 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -575,6 +575,7 @@ CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m +CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m CONFIG_SND_SOC_AC97_CODEC=m # CONFIG_SND_SOC_TAS571X is not set # CONFIG_SND_SUN4I_CODEC is not set @@ -1 +1 @@ -2600a46ee0ed57c0e0a382c2a37ebac64d374d20 +03b979dd0323ace8e29a0561cd5232f73a060c09 diff --git a/kernel.spec b/kernel.spec index 0e508fdb5..aa273c948 100644 --- a/kernel.spec +++ b/kernel.spec @@ -77,7 +77,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 4 +%define gitrev 5 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -579,7 +579,10 @@ Patch487: Add-EFI-signature-data-types.patch Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch -Patch489: KEYS-Add-a-system-blacklist-keyring.patch +# This doesn't apply. It seems like it could be replaced by +# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c +# which has an explicit line about blacklisting +# Patch489: KEYS-Add-a-system-blacklist-keyring.patch Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -623,13 +626,8 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4569 rhbz 1334643 1334645 -Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch -Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch -Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch - -#CVE-2016-3713 rhbz 1332139 1336410 -Patch717: KVM-MTRR-remove-MSR-0x2f8.patch +#CVE-2016-4440 rhbz 1337806 1337807 +Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch # END OF PATCH DEFINITIONS @@ -2159,6 +2157,16 @@ fi # # %changelog +* Fri May 20 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git5.1 +- Linux v4.6-6148-g03b979d +- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges + +* Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807) + +* Fri May 20 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Minor ARM cleanups, enable Tegra USB-3 controller + * Thu May 19 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git4.1 - Linux v4.6-5028-g2600a46 - trace, audit, input, media, scsi, armsoc merges diff --git a/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch new file mode 100644 index 000000000..67043300c --- /dev/null +++ b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch @@ -0,0 +1,112 @@ +From: Roman Kagan <rkagan@virtuozzo.com> +Subject: [PATCH v3] kvm:vmx: more complete state update on APICv on/off +Date: 2016-05-18 14:48:20 GMT (1 day, 21 hours and 23 minutes ago) + +The function to update APICv on/off state (in particular, to deactivate +it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust +APICv-related fields among secondary processor-based VM-execution +controls. + +As a result, Windows 2012 guests would get stuck when SynIC-based +auto-EOI interrupt intersected with e.g. an IPI in the guest. + +In addition, the MSR intercept bitmap wasn't updated to correspond to +whether "virtualize x2APIC mode" was enabled. This path used not to be +triggered, since Windows didn't use x2APIC but rather their own +synthetic APIC access MSRs; however it represented a security risk +because the guest running in a SynIC-enabled VM could switch to x2APIC +and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang +<yang.zhang.wz@gmail.com> for spotting this). + +The patch fixes those omissions. + +Signed-off-by: Roman Kagan <rkagan@virtuozzo.com> +Cc: Steve Rutherford <srutherford@google.com> +Cc: Yang Zhang <yang.zhang.wz@gmail.com> +--- +v2 -> v3: + - only switch to x2apic msr bitmap if virtualize x2apic mode is on in vmcs + +v1 -> v2: + - only update relevant bits in the secondary exec control + - update msr intercept bitmap (also make x2apic msr bitmap always + correspond to APICv) + + arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index ee1c8a9..cef741a 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2418,7 +2418,9 @@ static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu) + + if (is_guest_mode(vcpu)) + msr_bitmap = vmx_msr_bitmap_nested; +- else if (vcpu->arch.apic_base & X2APIC_ENABLE) { ++ else if (cpu_has_secondary_exec_ctrls() && ++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) & ++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) { + if (is_long_mode(vcpu)) + msr_bitmap = vmx_msr_bitmap_longmode_x2apic; + else +@@ -4783,6 +4785,19 @@ static void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu) + struct vcpu_vmx *vmx = to_vmx(vcpu); + + vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx)); ++ if (cpu_has_secondary_exec_ctrls()) { ++ if (kvm_vcpu_apicv_active(vcpu)) ++ vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL, ++ SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY); ++ else ++ vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL, ++ SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY); ++ } ++ ++ if (cpu_has_vmx_msr_bitmap()) ++ vmx_set_msr_bitmap(vcpu); + } + + static u32 vmx_exec_control(struct vcpu_vmx *vmx) +@@ -6329,23 +6344,20 @@ static __init int hardware_setup(void) + + set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */ + +- if (enable_apicv) { +- for (msr = 0x800; msr <= 0x8ff; msr++) +- vmx_disable_intercept_msr_read_x2apic(msr); +- +- /* According SDM, in x2apic mode, the whole id reg is used. +- * But in KVM, it only use the highest eight bits. Need to +- * intercept it */ +- vmx_enable_intercept_msr_read_x2apic(0x802); +- /* TMCCT */ +- vmx_enable_intercept_msr_read_x2apic(0x839); +- /* TPR */ +- vmx_disable_intercept_msr_write_x2apic(0x808); +- /* EOI */ +- vmx_disable_intercept_msr_write_x2apic(0x80b); +- /* SELF-IPI */ +- vmx_disable_intercept_msr_write_x2apic(0x83f); +- } ++ for (msr = 0x800; msr <= 0x8ff; msr++) ++ vmx_disable_intercept_msr_read_x2apic(msr); ++ ++ /* According SDM, in x2apic mode, the whole id reg is used. But in ++ * KVM, it only use the highest eight bits. Need to intercept it */ ++ vmx_enable_intercept_msr_read_x2apic(0x802); ++ /* TMCCT */ ++ vmx_enable_intercept_msr_read_x2apic(0x839); ++ /* TPR */ ++ vmx_disable_intercept_msr_write_x2apic(0x808); ++ /* EOI */ ++ vmx_disable_intercept_msr_write_x2apic(0x80b); ++ /* SELF-IPI */ ++ vmx_disable_intercept_msr_write_x2apic(0x83f); + + if (enable_ept) { + kvm_mmu_set_mask_ptes(0ull, +-- +2.5.5 @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -be912d5f22aba6286ac2e205e2ce1202 patch-4.6-git4.xz +9bcfe711504d6e532084a2c2cc610b73 patch-4.6-git5.xz |