1. 24 Oct, 2014 10 commits
    • Paolo Bonzini's avatar
      KVM: emulate: avoid accessing NULL ctxt->memopp · a430c916
      Paolo Bonzini authored
      A failure to decode the instruction can cause a NULL pointer access.
      This is fixed simply by moving the "done" label as close as possible
      to the return.
      
      This fixes CVE-2014-8481.
      Reported-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Cc: stable@vger.kernel.org
      Fixes: 41061cdbSigned-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a430c916
    • Nadav Amit's avatar
      KVM: x86: Decoding guest instructions which cross page boundary may fail · 08da44ae
      Nadav Amit authored
      Once an instruction crosses a page boundary, the size read from the second page
      disregards the common case that part of the operand resides on the first page.
      As a result, fetch of long insturctions may fail, and thereby cause the
      decoding to fail as well.
      
      Cc: stable@vger.kernel.org
      Fixes: 5cfc7e0fSigned-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      08da44ae
    • Michael S. Tsirkin's avatar
      kvm: x86: don't kill guest on unknown exit reason · 2bc19dc3
      Michael S. Tsirkin authored
      KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
      triggered by a priveledged application.  Let's not kill the guest: WARN
      and inject #UD instead.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      2bc19dc3
    • Petr Matousek's avatar
      kvm: vmx: handle invvpid vm exit gracefully · a642fc30
      Petr Matousek authored
      On systems with invvpid instruction support (corresponding bit in
      IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
      causes vm exit, which is currently not handled and results in
      propagation of unknown exit to userspace.
      
      Fix this by installing an invvpid vm exit handler.
      
      This is CVE-2014-3646.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPetr Matousek <pmatouse@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a642fc30
    • Nadav Amit's avatar
      KVM: x86: Handle errors when RIP is set during far jumps · d1442d85
      Nadav Amit authored
      Far jmp/call/ret may fault while loading a new RIP.  Currently KVM does not
      handle this case, and may result in failed vm-entry once the assignment is
      done.  The tricky part of doing so is that loading the new CS affects the
      VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
      unconsistent state.  Therefore, this patch saves on 64-bit the old CS
      descriptor and restores it if loading RIP failed.
      
      This fixes CVE-2014-3647.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      d1442d85
    • Nadav Amit's avatar
      KVM: x86: Emulator fixes for eip canonical checks on near branches · 234f3ce4
      Nadav Amit authored
      Before changing rip (during jmp, call, ret, etc.) the target should be asserted
      to be canonical one, as real CPUs do.  During sysret, both target rsp and rip
      should be canonical. If any of these values is noncanonical, a #GP exception
      should occur.  The exception to this rule are syscall and sysenter instructions
      in which the assigned rip is checked during the assignment to the relevant
      MSRs.
      
      This patch fixes the emulator to behave as real CPUs do for near branches.
      Far branches are handled by the next patch.
      
      This fixes CVE-2014-3647.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      234f3ce4
    • Nadav Amit's avatar
      KVM: x86: Fix wrong masking on relative jump/call · 05c83ec9
      Nadav Amit authored
      Relative jumps and calls do the masking according to the operand size, and not
      according to the address size as the KVM emulator does today.
      
      This patch fixes KVM behavior.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      05c83ec9
    • Andy Honig's avatar
      KVM: x86: Improve thread safety in pit · 2febc839
      Andy Honig authored
      There's a race condition in the PIT emulation code in KVM.  In
      __kvm_migrate_pit_timer the pit_timer object is accessed without
      synchronization.  If the race condition occurs at the wrong time this
      can crash the host kernel.
      
      This fixes CVE-2014-3611.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAndrew Honig <ahonig@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      2febc839
    • Andy Honig's avatar
      KVM: x86: Prevent host from panicking on shared MSR writes. · 8b3c3104
      Andy Honig authored
      The previous patch blocked invalid writes directly when the MSR
      is written.  As a precaution, prevent future similar mistakes by
      gracefulling handle GPs caused by writes to shared MSRs.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAndrew Honig <ahonig@google.com>
      [Remove parts obsoleted by Nadav's patch. - Paolo]
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      8b3c3104
    • Nadav Amit's avatar
      KVM: x86: Check non-canonical addresses upon WRMSR · 854e8bb1
      Nadav Amit authored
      Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
      written to certain MSRs. The behavior is "almost" identical for AMD and Intel
      (ignoring MSRs that are not implemented in either architecture since they would
      anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
      non-canonical address is written on Intel but not on AMD (which ignores the top
      32-bits).
      
      Accordingly, this patch injects a #GP on the MSRs which behave identically on
      Intel and AMD.  To eliminate the differences between the architecutres, the
      value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
      canonical value before writing instead of injecting a #GP.
      
      Some references from Intel and AMD manuals:
      
      According to Intel SDM description of WRMSR instruction #GP is expected on
      WRMSR "If the source register contains a non-canonical address and ECX
      specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
      IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
      
      According to AMD manual instruction manual:
      LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
      LSTAR and CSTAR registers.  If an RIP written by WRMSR is not in canonical
      form, a general-protection exception (#GP) occurs."
      IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
      base field must be in canonical form or a #GP fault will occur."
      IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
      be in canonical form."
      
      This patch fixes CVE-2014-3610.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      854e8bb1
  2. 21 Oct, 2014 9 commits
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · c3351dfa
      Linus Torvalds authored
      Pull SCSI target updates from Nicholas Bellinger:
       "Here are the target updates for v3.18-rc2 code.  These where
        originally destined for -rc1, but due to the combination of travel
        last week for KVM Forum and my mistake of taking the three week merge
        window literally, the pull request slipped..  Apologies for that.
      
        Things where reasonably quiet this round.  The highlights include:
      
         - New userspace backend driver (target_core_user.ko) by Shaohua Li
           and Andy Grover
         - A number of cleanups in target, iscsi-taret and qla_target code
           from Joern Engel
         - Fix an OOPs related to queue full handling with CHECK_CONDITION
           status from Quinn Tran
         - Fix to disable TX completion interrupt coalescing in iser-target,
           that was causing problems on some hardware
         - Fix for PR APTPL metadata handling with demo-mode ACLs
      
        I'm most excited about the new backend driver that uses UIO + shared
        memory ring to dispatch I/O and control commands into user-space.
        This was probably the most requested feature by users over the last
        couple of years, and opens up a new area of development + porting of
        existing user-space storage applications to LIO.  Thanks to Shaohua +
        Andy for making this happen.
      
        Also another honorable mention, a new Xen PV SCSI driver was merged
        via the xen/tip.git tree recently, which puts us now at 10 target
        drivers in upstream! Thanks to David Vrabel + Juergen Gross for their
        work to get this code merged"
      
      * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (40 commits)
        target/file: fix inclusive vfs_fsync_range() end
        iser-target: Disable TX completion interrupt coalescing
        target: Add force_pr_aptpl device attribute
        target: Fix APTPL metadata handling for dynamic MappedLUNs
        qla_target: don't delete changed nacls
        target/user: Recalculate pad size inside is_ring_space_avail()
        tcm_loop: Fixup tag handling
        iser-target: Fix smatch warning
        target/user: Fix up smatch warnings in tcmu_netlink_event
        target: Add a user-passthrough backstore
        target: Add documentation on the target userspace pass-through driver
        uio: Export definition of struct uio_device
        target: Remove unneeded check in sbc_parse_cdb
        target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
        qla_target: rearrange struct qla_tgt_prm
        qla_target: improve qlt_unmap_sg()
        qla_target: make some global functions static
        qla_target: remove unused parameter
        target: simplify core_tmr_abort_task
        target: encapsulate smp_mb__after_atomic()
        ...
      c3351dfa
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd · 848a5528
      Linus Torvalds authored
      Pull email address change from Boaz Harrosh.
      
      * 'for-linus' of git://git.open-osd.org/linux-open-osd:
        Boaz Harrosh - fix email in Documentation
        Boaz Harrosh - Fix broken email address
        MAINTAINERS: Change Boaz Harrosh's email
      848a5528
    • Linus Torvalds's avatar
      Merge branch 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration · 43d451f1
      Linus Torvalds authored
      Pull mailbox framework from Jassi Brar:
       "A framework for Mailbox controllers and clients have been cooking for
        more than a year now.
      
        Everybody in the CC list had been copied on patchset revisions and
        most of them have made sounds of approval, though just one concrete
        Reviewed-by.  The patchset has also been in linux-next for a couple of
        weeks now and no conflict has been reported.  The framework has the
        backing of at least 5 platforms, though I can't say if/when they
        upstream their drivers (some businesses have 'changed')"
      
      (Further acked-by by Arnd Bergmann and Suman Anna in the pull request
      thread)
      
      * 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
        dt: mailbox: add generic bindings
        doc: add documentation for mailbox framework
        mailbox: Introduce framework for mailbox
        mailbox: rename pl320-ipc specific mailbox.h
      43d451f1
    • Linus Torvalds's avatar
      Merge git://www.linux-watchdog.org/linux-watchdog · 21d2271f
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
       - new Cadence WDT driver
       - new Ricoh RN5T618 watchdog
       - new DA9063 PMIC watchdog driver
       - new Meson WDT driver
       - add restart handling code
       - fixes and improvements
      
      * git://www.linux-watchdog.org/linux-watchdog: (25 commits)
        watchdog: meson: remove magic value for reboot
        watchdog: Let XILINX_WATCHDOG and TEGRA_WATCHDOG depend on HAS_IOMEM
        watchdog: sunxi: Add A31 watchdog support
        watchdog: sunxi: support parameterized compatible strings
        watchdog: imx2_wdt: add restart handler support
        watchdog: qcom: register a restart notifier
        watchdog: s3c2410: add restart handler
        watchdog: dw_wdt: add restart handler support
        ARM: defconfig: update multi_v7_defconfig
        ARM: meson: add watchdog driver
        ARM: docs: add documentation binding for meson watchdog
        stmp3xxx_rtc_wdt: Add suspend/resume PM support
        watchdog: Add DA9063 PMIC watchdog driver.
        watchdog: add driver for Ricoh RN5T618 watchdog
        watchdog: s3c2410_wdt: Add support for Watchdog device on Exynos7
        watchdog: qcom: document device tree bindings
        watchdog: qcom: add support for KPSS WDT
        watchdog: dw_wdt: initialise TOP_INIT in dw_wdt_set_top()
        devicetree: Add Cadence WDT devicetree bindings documentation
        watchdog: Add Cadence WDT driver
        ...
      21d2271f
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds · 045aaeda
      Linus Torvalds authored
      Pull LED update from Bryan Wu:
       "Basically we have some bug fixing and clean up and one big thing is we
        start to merge patch to add support LED Flash class"
      
      * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds:
        leds: gpio: cleanup the leds-gpio driver
        led: gpio: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
        led: gpio: Sort include headers alphabetically
        leds: Improve and export led_update_brightness
        leds: trigger: gpio: fix warning in gpio trigger for gpios whose accessor function may sleep
        leds: lp3944: fix sparse warning
        leds: avoid using DEVICE_ATTR macro for max_brightness attribute
        leds: make brightness type consistent across whole subsystem
        leds: Reorder include directives
      045aaeda
    • Linus Torvalds's avatar
      Merge tag 'pwm/for-3.18-rc1' of... · 5b9c8972
      Linus Torvalds authored
      Merge tag 'pwm/for-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
      
      Pull pwm changes from Thierry Reding:
       "There are no new drivers here, only a couple of fixes all over the
        place"
      
      * tag 'pwm/for-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm:
        pwm: Let PWM_CLPS711X depend on HAS_IOMEM
        pwm: atmel: Fix calculation of prescale value
        pwm: Fix uninitialized warnings in pwm_get()
        pwm: rockchip: Allow polarity invert on rk3288
        pwm: imx: Avoid sample FIFO overflow for i.MX PWM version2
        pwm: imx: Cleanup indentation for register definitions
        pwm: imx: Fix the macro MX3_PWMCR_PRESCALER(x) definition
        pwm: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
        pwm: lpss: make it buildable only on X86
        pwm: lpss: use c99 initializers in structures
        pwm: lpss: Fix build failure on PowerPC
        pwm: lpss: pci: Move to use pcim_enable_device()
        pwm: lpss: Properly split driver to parts
        pwm: lpss: Add ACPI and PCI IDs for Intel Braswell
        pwm: fsl-ftm: Select REGMAP_MMIO
        pwm: fsl-ftm: Document 'big-endian' property
        pwm: fsl-ftm: Convert to direct regmap API usage
        pwm: fsl-ftm: Clean up the code
      5b9c8972
    • Linus Torvalds's avatar
      Merge tag 'arc-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 3d430bdb
      Linus Torvalds authored
      Pull ARC updates from Vineet Gupta:
       "Sorry for the late pull request.  Current stuff was ready for a while
        but I was hoping to squeeze in support for almost ready ARC SDP
        platform (and avoid a 2nd pull request), however it seems there are
        still some loose ends which warrant more time.
      
         - Platform code reduction/moving-up (TB10X no longer needs any
           callbacks)
         - updated boot printing
         - kgdb update for arc gdb 7.5
         - bug fixes (some marked for stable)
         - more code refactoring/consolidation"
      
      * tag 'arc-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: boot: cpu feature print enhancements
        ARC: boot: consolidate cross-checking of h/w and s/w
        ARC: unbork FPU save/restore
        ARC: remove extraneous __KERNEL__ guards
        ARC: Update order of registers in KGDB to match GDB 7.5
        ARC: Remove unneeded Kconfig entry NO_DMA
        ARC: BUG() dumps stack after @msg (@msg now same as in generic BUG))
        ARC: refactoring: reduce the scope of some local vars
        ARC: remove gcc mpy heuristics
        ARC: RIP @running_on_hw
        ARC: Update comments about uncached address space
        ARC: rename kconfig option for unaligned emulation
        ARC: [nsimosci] Allow "headless" models to boot
        ARC: [arcfpga] Get rid of ARC_BOARD_ANGEL4 and ARC_BOARD_ML509
        ARC: [arcfpga] Remove more dead code
        ARC: [plat*] move code out of .init_machine into common
        ARC: [arcfpga] consolidate machine description, DT
        ARC: Allow SMP kernel to build/boot on UP-only infrastructure
      3d430bdb
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux · dc303408
      Linus Torvalds authored
      Pull more powerpc updates from Michael Ellerman:
       "Here's some more updates for powerpc for 3.18.
      
        They are a bit late I know, though must are actually bug fixes.  In my
        defence I nearly cut the top of my finger off last weekend in a
        gruesome bike maintenance accident, so I spent a good part of the week
        waiting around for doctors.  True story, I can send photos if you like :)
      
        Probably the most interesting fix is the sys_call_table one, which
        enables syscall tracing for powerpc.  There's a fix for HMI handling
        for old firmware, more endian fixes for firmware interfaces, more EEH
        fixes, Anton fixed our routine that gets the current stack pointer,
        and a few other misc bits"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux: (22 commits)
        powerpc: Only do dynamic DMA zone limits on platforms that need it
        powerpc: sync pseries_le_defconfig with pseries_defconfig
        powerpc: Add printk levels to setup_system output
        powerpc/vphn: NUMA node code expects big-endian
        powerpc/msi: Use WARN_ON() in msi bitmap selftests
        powerpc/msi: Fix the msi bitmap alignment tests
        powerpc/eeh: Block CFG upon frozen Shiner adapter
        powerpc/eeh: Don't collect logs on PE with blocked config space
        powerpc/eeh: Block PCI config access upon frozen PE
        powerpc/pseries: Drop config requests in EEH accessors
        powerpc/powernv: Drop config requests in EEH accessors
        powerpc/eeh: Rename flag EEH_PE_RESET to EEH_PE_CFG_BLOCKED
        powerpc/eeh: Fix condition for isolated state
        powerpc/pseries: Make CPU hotplug path endian safe
        powerpc/pseries: Use dump_stack instead of show_stack
        powerpc: Rename __get_SP() to current_stack_pointer()
        powerpc: Reimplement __get_SP() as a function not a define
        powerpc/numa: Add ability to disable and debug topology updates
        powerpc/numa: check error return from proc_create
        powerpc/powernv: Fallback to old HMI handling behavior for old firmware
        ...
      dc303408
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · c4301c32
      Linus Torvalds authored
      Pull s390 updates from Martin Schwidefsky:
       "One patch to enable the BPF system call and three more bug fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/uprobes: fix kprobes dependency
        s390: wire up bpf syscall
        s390/mm: fixing calls of pte_unmap_unlock
        s390/hmcdrv: Restrict s390 HMC driver to S390 arch
      c4301c32
  3. 20 Oct, 2014 21 commits