1. 24 10月, 2014 3 次提交
    • A
      KVM: x86: Improve thread safety in pit · 2febc839
      Andy Honig 提交于
      There's a race condition in the PIT emulation code in KVM.  In
      __kvm_migrate_pit_timer the pit_timer object is accessed without
      synchronization.  If the race condition occurs at the wrong time this
      can crash the host kernel.
      
      This fixes CVE-2014-3611.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAndrew Honig <ahonig@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      2febc839
    • A
      KVM: x86: Prevent host from panicking on shared MSR writes. · 8b3c3104
      Andy Honig 提交于
      The previous patch blocked invalid writes directly when the MSR
      is written.  As a precaution, prevent future similar mistakes by
      gracefulling handle GPs caused by writes to shared MSRs.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAndrew Honig <ahonig@google.com>
      [Remove parts obsoleted by Nadav's patch. - Paolo]
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      8b3c3104
    • N
      KVM: x86: Check non-canonical addresses upon WRMSR · 854e8bb1
      Nadav Amit 提交于
      Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
      written to certain MSRs. The behavior is "almost" identical for AMD and Intel
      (ignoring MSRs that are not implemented in either architecture since they would
      anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
      non-canonical address is written on Intel but not on AMD (which ignores the top
      32-bits).
      
      Accordingly, this patch injects a #GP on the MSRs which behave identically on
      Intel and AMD.  To eliminate the differences between the architecutres, the
      value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
      canonical value before writing instead of injecting a #GP.
      
      Some references from Intel and AMD manuals:
      
      According to Intel SDM description of WRMSR instruction #GP is expected on
      WRMSR "If the source register contains a non-canonical address and ECX
      specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
      IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
      
      According to AMD manual instruction manual:
      LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
      LSTAR and CSTAR registers.  If an RIP written by WRMSR is not in canonical
      form, a general-protection exception (#GP) occurs."
      IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
      base field must be in canonical form or a #GP fault will occur."
      IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
      be in canonical form."
      
      This patch fixes CVE-2014-3610.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      854e8bb1
  2. 22 10月, 2014 3 次提交
    • L
      Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · c3351dfa
      Linus Torvalds 提交于
      Pull SCSI target updates from Nicholas Bellinger:
       "Here are the target updates for v3.18-rc2 code.  These where
        originally destined for -rc1, but due to the combination of travel
        last week for KVM Forum and my mistake of taking the three week merge
        window literally, the pull request slipped..  Apologies for that.
      
        Things where reasonably quiet this round.  The highlights include:
      
         - New userspace backend driver (target_core_user.ko) by Shaohua Li
           and Andy Grover
         - A number of cleanups in target, iscsi-taret and qla_target code
           from Joern Engel
         - Fix an OOPs related to queue full handling with CHECK_CONDITION
           status from Quinn Tran
         - Fix to disable TX completion interrupt coalescing in iser-target,
           that was causing problems on some hardware
         - Fix for PR APTPL metadata handling with demo-mode ACLs
      
        I'm most excited about the new backend driver that uses UIO + shared
        memory ring to dispatch I/O and control commands into user-space.
        This was probably the most requested feature by users over the last
        couple of years, and opens up a new area of development + porting of
        existing user-space storage applications to LIO.  Thanks to Shaohua +
        Andy for making this happen.
      
        Also another honorable mention, a new Xen PV SCSI driver was merged
        via the xen/tip.git tree recently, which puts us now at 10 target
        drivers in upstream! Thanks to David Vrabel + Juergen Gross for their
        work to get this code merged"
      
      * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (40 commits)
        target/file: fix inclusive vfs_fsync_range() end
        iser-target: Disable TX completion interrupt coalescing
        target: Add force_pr_aptpl device attribute
        target: Fix APTPL metadata handling for dynamic MappedLUNs
        qla_target: don't delete changed nacls
        target/user: Recalculate pad size inside is_ring_space_avail()
        tcm_loop: Fixup tag handling
        iser-target: Fix smatch warning
        target/user: Fix up smatch warnings in tcmu_netlink_event
        target: Add a user-passthrough backstore
        target: Add documentation on the target userspace pass-through driver
        uio: Export definition of struct uio_device
        target: Remove unneeded check in sbc_parse_cdb
        target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
        qla_target: rearrange struct qla_tgt_prm
        qla_target: improve qlt_unmap_sg()
        qla_target: make some global functions static
        qla_target: remove unused parameter
        target: simplify core_tmr_abort_task
        target: encapsulate smp_mb__after_atomic()
        ...
      c3351dfa
    • L
      Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd · 848a5528
      Linus Torvalds 提交于
      Pull email address change from Boaz Harrosh.
      
      * 'for-linus' of git://git.open-osd.org/linux-open-osd:
        Boaz Harrosh - fix email in Documentation
        Boaz Harrosh - Fix broken email address
        MAINTAINERS: Change Boaz Harrosh's email
      848a5528
    • L
      Merge branch 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration · 43d451f1
      Linus Torvalds 提交于
      Pull mailbox framework from Jassi Brar:
       "A framework for Mailbox controllers and clients have been cooking for
        more than a year now.
      
        Everybody in the CC list had been copied on patchset revisions and
        most of them have made sounds of approval, though just one concrete
        Reviewed-by.  The patchset has also been in linux-next for a couple of
        weeks now and no conflict has been reported.  The framework has the
        backing of at least 5 platforms, though I can't say if/when they
        upstream their drivers (some businesses have 'changed')"
      
      (Further acked-by by Arnd Bergmann and Suman Anna in the pull request
      thread)
      
      * 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
        dt: mailbox: add generic bindings
        doc: add documentation for mailbox framework
        mailbox: Introduce framework for mailbox
        mailbox: rename pl320-ipc specific mailbox.h
      43d451f1
  3. 21 10月, 2014 32 次提交
  4. 20 10月, 2014 2 次提交
新手
引导
客服 返回
顶部