authorAlexandre Oliva <lxoliva@fsfla.org>2014-11-03 05:11:04 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2014-11-03 05:11:04 +0000
commit926a5f3f59d00bea7017251ddbd932a2c0afab9a (patch)
tree5512d7556d83879479b21570e790dc8fda9a1ad6 /freed-ora/current
parentd683dec697f673576f1e91e3c8e98a4cbf34474d (diff)
3.14.23-100.fc19.gnu
Diffstat (limited to 'freed-ora/current')
-rw-r--r--freed-ora/current/f19/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch145
-rw-r--r--freed-ora/current/f19/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch234
-rw-r--r--freed-ora/current/f19/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch64
-rw-r--r--freed-ora/current/f19/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch287
-rw-r--r--freed-ora/current/f19/KVM-x86-Improve-thread-safety-in-pit.patch36
-rw-r--r--freed-ora/current/f19/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch89
-rwxr-xr-xfreed-ora/current/f19/deblob-check257
-rw-r--r--freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch31
-rw-r--r--freed-ora/current/f19/kernel.spec50
-rw-r--r--freed-ora/current/f19/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch78
-rw-r--r--freed-ora/current/f19/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch79
-rw-r--r--freed-ora/current/f19/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch54
-rw-r--r--freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign7
-rw-r--r--freed-ora/current/f19/patch-3.14-gnu-3.14.23-gnu.xz.sign7
-rw-r--r--freed-ora/current/f19/sources2
15 files changed, 1367 insertions, 53 deletions
diff --git a/freed-ora/current/f19/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch b/freed-ora/current/f19/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
new file mode 100644
index 000000000..103e40b7f
--- /dev/null
+++ b/freed-ora/current/f19/KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
@@ -0,0 +1,145 @@
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Fri, 24 Oct 2014 17:07:12 +0200
+Subject: [PATCH] KVM: x86: Check non-canonical addresses upon WRMSR
+
+Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
+written to certain MSRs. The behavior is "almost" identical for AMD and Intel
+(ignoring MSRs that are not implemented in either architecture since they would
+anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
+non-canonical address is written on Intel but not on AMD (which ignores the top
+32-bits).
+
+Accordingly, this patch injects a #GP on the MSRs which behave identically on
+Intel and AMD. To eliminate the differences between the architecutres, the
+value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
+canonical value before writing instead of injecting a #GP.
+
+Some references from Intel and AMD manuals:
+
+According to Intel SDM description of WRMSR instruction #GP is expected on
+WRMSR "If the source register contains a non-canonical address and ECX
+specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
+IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
+
+According to AMD manual instruction manual:
+LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
+LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
+form, a general-protection exception (#GP) occurs."
+IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
+base field must be in canonical form or a #GP fault will occur."
+IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
+be in canonical form."
+
+This patch fixes CVE-2014-3610.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++
+ arch/x86/kvm/svm.c | 2 +-
+ arch/x86/kvm/vmx.c | 2 +-
+ arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 7c492ed9087b..78d014c83ae3 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -990,6 +990,20 @@ static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code)
+ kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
+ }
+
++static inline u64 get_canonical(u64 la)
++{
++ return ((int64_t)la << 16) >> 16;
++}
++
++static inline bool is_noncanonical_address(u64 la)
++{
++#ifdef CONFIG_X86_64
++ return get_canonical(la) != la;
++#else
++ return false;
++#endif
++}
++
+ #define TSS_IOPB_BASE_OFFSET 0x66
+ #define TSS_BASE_SIZE 0x68
+ #define TSS_IOPB_SIZE (65536 / 8)
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index ddf742768ecf..e2de97daa03c 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3234,7 +3234,7 @@ static int wrmsr_interception(struct vcpu_svm *svm)
+ msr.host_initiated = false;
+
+ svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
+- if (svm_set_msr(&svm->vcpu, &msr)) {
++ if (kvm_set_msr(&svm->vcpu, &msr)) {
+ trace_kvm_msr_write_ex(ecx, data);
+ kvm_inject_gp(&svm->vcpu, 0);
+ } else {
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 6a118fa378b5..3a3e419780df 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5263,7 +5263,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu)
+ msr.data = data;
+ msr.index = ecx;
+ msr.host_initiated = false;
+- if (vmx_set_msr(vcpu, &msr) != 0) {
++ if (kvm_set_msr(vcpu, &msr) != 0) {
+ trace_kvm_msr_write_ex(ecx, data);
+ kvm_inject_gp(vcpu, 0);
+ return 1;
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 8f1e22d3b286..1f9a233d8624 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -984,7 +984,6 @@ void kvm_enable_efer_bits(u64 mask)
+ }
+ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+
+-
+ /*
+ * Writes msr value into into the appropriate "register".
+ * Returns 0 on success, non-0 otherwise.
+@@ -992,8 +991,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+ */
+ int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
+ {
++ switch (msr->index) {
++ case MSR_FS_BASE:
++ case MSR_GS_BASE:
++ case MSR_KERNEL_GS_BASE:
++ case MSR_CSTAR:
++ case MSR_LSTAR:
++ if (is_noncanonical_address(msr->data))
++ return 1;
++ break;
++ case MSR_IA32_SYSENTER_EIP:
++ case MSR_IA32_SYSENTER_ESP:
++ /*
++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
++ * non-canonical address is written on Intel but not on
++ * AMD (which ignores the top 32-bits, because it does
++ * not implement 64-bit SYSENTER).
++ *
++ * 64-bit code should hence be able to write a non-canonical
++ * value on AMD. Making the address canonical ensures that
++ * vmentry does not fail on Intel after writing a non-canonical
++ * value, and that something deterministic happens if the guest
++ * invokes 64-bit SYSENTER.
++ */
++ msr->data = get_canonical(msr->data);
++ }
+ return kvm_x86_ops->set_msr(vcpu, msr);
+ }
++EXPORT_SYMBOL_GPL(kvm_set_msr);
+
+ /*
+ * Adapt set_msr() to msr_io()'s calling convention
+--
+1.9.3
+
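Review bot: `get_canonical()` in the kvm_host.h part hard-codes the 48-bit linear-address width as a bare `16` and left-shifts a signed `int64_t`, which ISO C leaves undefined once a set bit is shifted into or past the sign bit; it presumably works only because of how the kernel is built. Shifting the unsigned value and casting just for the arithmetic right shift avoids relying on that: `return (u64)((int64_t)(la << 16) >> 16);`, with a comment such as `/* sign-extend bit 47: canonical form for 48-bit linear addresses */`. Separately, the canonical check in `kvm_set_msr()` only covers callers that go through it. The svm.c and vmx.c intercept handlers are switched over here, but any other path that calls `kvm_x86_ops->set_msr` directly (none is visible on this page) would still skip the check and is worth auditing.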
diff --git a/freed-ora/current/f19/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch b/freed-ora/current/f19/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
new file mode 100644
index 000000000..a0f0e454f
--- /dev/null
+++ b/freed-ora/current/f19/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
@@ -0,0 +1,234 @@
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Fri, 24 Oct 2014 17:07:16 +0200
+Subject: [PATCH] KVM: x86: Emulator fixes for eip canonical checks on near
+ branches
+
+Before changing rip (during jmp, call, ret, etc.) the target should be asserted
+to be canonical one, as real CPUs do. During sysret, both target rsp and rip
+should be canonical. If any of these values is noncanonical, a #GP exception
+should occur. The exception to this rule are syscall and sysenter instructions
+in which the assigned rip is checked during the assignment to the relevant
+MSRs.
+
+This patch fixes the emulator to behave as real CPUs do for near branches.
+Far branches are handled by the next patch.
+
+This fixes CVE-2014-3647.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/emulate.c | 78 ++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 24 deletions(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index a85f438b6a47..e52e74feedb8 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -563,7 +563,8 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt)
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
+-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
++ int cs_l)
+ {
+ switch (ctxt->op_bytes) {
+ case 2:
+@@ -573,16 +574,25 @@ static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
+ ctxt->_eip = (u32)dst;
+ break;
+ case 8:
++ if ((cs_l && is_noncanonical_address(dst)) ||
++ (!cs_l && (dst & ~(u32)-1)))
++ return emulate_gp(ctxt, 0);
+ ctxt->_eip = dst;
+ break;
+ default:
+ WARN(1, "unsupported eip assignment size\n");
+ }
++ return X86EMUL_CONTINUE;
++}
++
++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+ {
+- assign_eip_near(ctxt, ctxt->_eip + rel);
++ return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+@@ -1989,13 +1999,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt)
+ case 2: /* call near abs */ {
+ long int old_eip;
+ old_eip = ctxt->_eip;
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
++ if (rc != X86EMUL_CONTINUE)
++ break;
+ ctxt->src.val = old_eip;
+ rc = em_push(ctxt);
+ break;
+ }
+ case 4: /* jmp abs */
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
+ break;
+ case 5: /* jmp far */
+ rc = em_jmp_far(ctxt);
+@@ -2030,10 +2042,14 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
+
+ static int em_ret(struct x86_emulate_ctxt *ctxt)
+ {
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- return em_pop(ctxt);
++ int rc;
++ unsigned long eip;
++
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++
++ return assign_eip_near(ctxt, eip);
+ }
+
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+@@ -2314,7 +2330,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
+ {
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ struct desc_struct cs, ss;
+- u64 msr_data;
++ u64 msr_data, rcx, rdx;
+ int usermode;
+ u16 cs_sel = 0, ss_sel = 0;
+
+@@ -2330,6 +2346,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
+ else
+ usermode = X86EMUL_MODE_PROT32;
+
++ rcx = reg_read(ctxt, VCPU_REGS_RCX);
++ rdx = reg_read(ctxt, VCPU_REGS_RDX);
++
+ cs.dpl = 3;
+ ss.dpl = 3;
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+@@ -2347,6 +2366,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
+ ss_sel = cs_sel + 8;
+ cs.d = 0;
+ cs.l = 1;
++ if (is_noncanonical_address(rcx) ||
++ is_noncanonical_address(rdx))
++ return emulate_gp(ctxt, 0);
+ break;
+ }
+ cs_sel |= SELECTOR_RPL_MASK;
+@@ -2355,8 +2377,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
+ ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
+- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
++ ctxt->_eip = rdx;
++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+
+ return X86EMUL_CONTINUE;
+ }
+@@ -2897,10 +2919,13 @@ static int em_aad(struct x86_emulate_ctxt *ctxt)
+
+ static int em_call(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc;
+ long rel = ctxt->src.val;
+
+ ctxt->src.val = (unsigned long)ctxt->_eip;
+- jmp_rel(ctxt, rel);
++ rc = jmp_rel(ctxt, rel);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
+ return em_push(ctxt);
+ }
+
+@@ -2932,11 +2957,12 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
++ unsigned long eip;
+
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_near(ctxt, eip);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rsp_increment(ctxt, ctxt->src.val);
+@@ -3267,20 +3293,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt)
+
+ static int em_loop(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
+ if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
+ (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_jcxz(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_in(struct x86_emulate_ctxt *ctxt)
+@@ -4728,7 +4758,7 @@ special_insn:
+ break;
+ case 0x70 ... 0x7f: /* jcc (short) */
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x8d: /* lea r16/r32, m */
+ ctxt->dst.val = ctxt->src.addr.mem.ea;
+@@ -4758,7 +4788,7 @@ special_insn:
+ break;
+ case 0xe9: /* jmp rel */
+ case 0xeb: /* jmp rel short */
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ ctxt->dst.type = OP_NONE; /* Disable writeback. */
+ break;
+ case 0xf4: /* hlt */
+@@ -4881,7 +4911,7 @@ twobyte_insn:
+ break;
+ case 0x80 ... 0x8f: /* jnz rel, etc*/
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x90 ... 0x9f: /* setcc r/m8 */
+ ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
+--
+1.9.3
+
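Review bot: In `assign_eip_far()`, the 8-byte case's test for a non-long-mode code segment, `(dst & ~(u32)-1)`, can never be true: `(u32)-1` is `0xffffffff`, its complement is computed in 32 bits and is `0`, so the mask is zero after promotion. A transfer into a code segment with L clear and a target above 4 GiB is therefore accepted instead of raising #GP, which leaves that half of the new check ineffective. Testing the high half directly fixes it: `(!cs_l && ((u64)dst >> 32) != 0)`. The `default:` arm also returns `X86EMUL_CONTINUE` after the `WARN`, so an unexpected `op_bytes` reports success with `_eip` unchanged; the same arm is in `assign_eip_near()` as added by the Fix-wrong-masking patch further down, and `return X86EMUL_UNHANDLEABLE;` there would make the failure visible to callers.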
diff --git a/freed-ora/current/f19/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch b/freed-ora/current/f19/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
new file mode 100644
index 000000000..89a00fd05
--- /dev/null
+++ b/freed-ora/current/f19/KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
@@ -0,0 +1,64 @@
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Fri, 24 Oct 2014 17:07:15 +0200
+Subject: [PATCH] KVM: x86: Fix wrong masking on relative jump/call
+
+Relative jumps and calls do the masking according to the operand size, and not
+according to the address size as the KVM emulator does today.
+
+This patch fixes KVM behavior.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 03954f7900f5..a85f438b6a47 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -504,11 +504,6 @@ static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc)
+ masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+-{
+- register_address_increment(ctxt, &ctxt->_eip, rel);
+-}
+-
+ static u32 desc_limit_scaled(struct desc_struct *desc)
+ {
+ u32 limit = get_desc_limit(desc);
+@@ -568,6 +563,28 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt)
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ switch (ctxt->op_bytes) {
++ case 2:
++ ctxt->_eip = (u16)dst;
++ break;
++ case 4:
++ ctxt->_eip = (u32)dst;
++ break;
++ case 8:
++ ctxt->_eip = dst;
++ break;
++ default:
++ WARN(1, "unsupported eip assignment size\n");
++ }
++}
++
++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++{
++ assign_eip_near(ctxt, ctxt->_eip + rel);
++}
++
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+ {
+ u16 selector;
+--
+1.9.3
+
diff --git a/freed-ora/current/f19/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch b/freed-ora/current/f19/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
new file mode 100644
index 000000000..df63304c8
--- /dev/null
+++ b/freed-ora/current/f19/KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
@@ -0,0 +1,287 @@
+From 1985aa0a5af1888329b9db477a00c3598880fb2b Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Fri, 24 Oct 2014 17:07:17 +0200
+Subject: [PATCH] KVM: x86: Handle errors when RIP is set during far jumps
+
+Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
+handle this case, and may result in failed vm-entry once the assignment is
+done. The tricky part of doing so is that loading the new CS affects the
+VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
+unconsistent state. Therefore, this patch saves on 64-bit the old CS
+descriptor and restores it if loading RIP failed.
+
+This fixes CVE-2014-3647.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/emulate.c | 113 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 77 insertions(+), 36 deletions(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 38d3751472e4..dd2fdb29a7d4 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1437,7 +1437,7 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+
+ /* Does not support long mode */
+ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+- u16 selector, int seg)
++ u16 selector, int seg, struct desc_struct *desc)
+ {
+ struct desc_struct seg_desc, old_desc;
+ u8 dpl, rpl, cpl;
+@@ -1564,6 +1564,8 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+ }
+ load:
+ ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
++ if (desc)
++ *desc = seg_desc;
+ return X86EMUL_CONTINUE;
+ exception:
+ emulate_exception(ctxt, err_vec, err_code, true);
+@@ -1770,7 +1772,7 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = load_segment_descriptor(ctxt, (u16)selector, seg);
++ rc = load_segment_descriptor(ctxt, (u16)selector, seg, NULL);
+ return rc;
+ }
+
+@@ -1859,7 +1861,7 @@ static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS);
++ rc = load_segment_descriptor(ctxt, cs, VCPU_SREG_CS, NULL);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+@@ -1925,7 +1927,7 @@ static int emulate_iret_real(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
++ rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, NULL);
+
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+@@ -1964,17 +1966,30 @@ static int em_iret(struct x86_emulate_ctxt *ctxt)
+ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned short sel;
++ unsigned short sel, old_sel;
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++ u8 cpl = ctxt->ops->cpl(ctxt);
++
++ /* Assignment of RIP may only fail in 64-bit mode */
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
++ VCPU_SREG_CS);
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+
+- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
++ rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, &new_desc);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- ctxt->_eip = 0;
+- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
+- return X86EMUL_CONTINUE;
++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
++ if (rc != X86EMUL_CONTINUE) {
++ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
++ /* assigning eip failed; restore the old cs */
++ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
++ return rc;
++ }
++ return rc;
+ }
+
+ static int em_grp45(struct x86_emulate_ctxt *ctxt)
+@@ -2038,21 +2053,33 @@ static int em_ret(struct x86_emulate_ctxt *ctxt)
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned long cs;
++ unsigned long eip, cs;
++ u16 old_cs;
+ int cpl = ctxt->ops->cpl(ctxt);
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
++ VCPU_SREG_CS);
+
+- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+- if (ctxt->op_bytes == 4)
+- ctxt->_eip = (u32)ctxt->_eip;
+ rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ /* Outer-privilege level return is not implemented */
+ if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
+ return X86EMUL_UNHANDLEABLE;
+- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
++ rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, &new_desc);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_far(ctxt, eip, new_desc.l);
++ if (rc != X86EMUL_CONTINUE) {
++ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
++ }
+ return rc;
+ }
+
+@@ -2093,7 +2120,7 @@ static int em_lseg(struct x86_emulate_ctxt *ctxt)
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+
+- rc = load_segment_descriptor(ctxt, sel, seg);
++ rc = load_segment_descriptor(ctxt, sel, seg, NULL);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+@@ -2473,19 +2500,19 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
+ * Now load segment descriptors. If fault happens at this stage
+ * it is handled in a context of new task
+ */
+- ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
++ ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
++ ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
++ ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
++ ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
++ ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+@@ -2614,25 +2641,25 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
+ * Now load segment descriptors. If fault happenes at this stage
+ * it is handled in a context of new task
+ */
+- ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
++ ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
++ ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
++ ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
++ ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
++ ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
++ ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
++ ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+@@ -2912,24 +2939,38 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
+ u16 sel, old_cs;
+ ulong old_eip;
+ int rc;
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++ int cpl = ctxt->ops->cpl(ctxt);
+
+- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
+ old_eip = ctxt->_eip;
++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
++ rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, &new_desc);
++ if (rc != X86EMUL_CONTINUE)
+ return X86EMUL_CONTINUE;
+
+- ctxt->_eip = 0;
+- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
++ if (rc != X86EMUL_CONTINUE)
++ goto fail;
+
+ ctxt->src.val = old_cs;
+ rc = em_push(ctxt);
+ if (rc != X86EMUL_CONTINUE)
+- return rc;
++ goto fail;
+
+ ctxt->src.val = old_eip;
+- return em_push(ctxt);
++ rc = em_push(ctxt);
++ /* If we failed, we tainted the memory, but the very least we should
++ restore cs */
++ if (rc != X86EMUL_CONTINUE)
++ goto fail;
++ return rc;
++fail:
++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
++ return rc;
++
+ }
+
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+@@ -3115,7 +3156,7 @@ static int em_mov_sreg_rm(struct x86_emulate_ctxt *ctxt)
+
+ /* Disable writeback. */
+ ctxt->dst.type = OP_NONE;
+- return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg);
++ return load_segment_descriptor(ctxt, sel, ctxt->modrm_reg, NULL);
+ }
+
+ static int em_lldt(struct x86_emulate_ctxt *ctxt)
+@@ -3124,7 +3165,7 @@ static int em_lldt(struct x86_emulate_ctxt *ctxt)
+
+ /* Disable writeback. */
+ ctxt->dst.type = OP_NONE;
+- return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR);
++ return load_segment_descriptor(ctxt, sel, VCPU_SREG_LDTR, NULL);
+ }
+
+ static int em_ltr(struct x86_emulate_ctxt *ctxt)
+@@ -3133,7 +3174,7 @@ static int em_ltr(struct x86_emulate_ctxt *ctxt)
+
+ /* Disable writeback. */
+ ctxt->dst.type = OP_NONE;
+- return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR);
++ return load_segment_descriptor(ctxt, sel, VCPU_SREG_TR, NULL);
+ }
+
+ static int em_invlpg(struct x86_emulate_ctxt *ctxt)
+--
+1.9.3
+
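Review bot: Both rollback paths, in `em_jmp_far()` and `em_ret_far()`, use `WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64)`, where `!` binds to `ctxt->mode` first, so a 0/1 value is compared with the mode constant; unless that constant happens to be 0 or 1, the host warning fires every time a guest reaches the failure path. The intended assertion is presumably `WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);`. In `em_call_far()` the rewritten check `if (rc != X86EMUL_CONTINUE) return X86EMUL_CONTINUE;` still discards the result of `load_segment_descriptor()`; `return rc;` would propagate the fault as the other callers in this patch do. In `em_jmp_far()` and `em_ret_far()`, `old_sel`/`old_cs` and `old_desc` are filled only in 64-bit mode yet are read unconditionally on the failure path, so initialising them, or guarding the `set_segment()` call with the same mode test, would make that invariant explicit. The new `cpl` locals in `em_jmp_far()` and `em_call_far()` are not used in the lines shown.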
diff --git a/freed-ora/current/f19/KVM-x86-Improve-thread-safety-in-pit.patch b/freed-ora/current/f19/KVM-x86-Improve-thread-safety-in-pit.patch
new file mode 100644
index 000000000..e6ba59924
--- /dev/null
+++ b/freed-ora/current/f19/KVM-x86-Improve-thread-safety-in-pit.patch
@@ -0,0 +1,36 @@
+From: Andy Honig <ahonig@google.com>
+Date: Fri, 24 Oct 2014 17:07:14 +0200
+Subject: [PATCH] KVM: x86: Improve thread safety in pit
+
+There's a race condition in the PIT emulation code in KVM. In
+__kvm_migrate_pit_timer the pit_timer object is accessed without
+synchronization. If the race condition occurs at the wrong time this
+can crash the host kernel.
+
+This fixes CVE-2014-3611.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/i8254.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 518d86471b76..298781d4cfb4 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
+ return;
+
+ timer = &pit->pit_state.timer;
++ mutex_lock(&pit->pit_state.lock);
+ if (hrtimer_cancel(timer))
+ hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
++ mutex_unlock(&pit->pit_state.lock);
+ }
+
+ static void destroy_pit_timer(struct kvm_pit *pit)
+--
+1.9.3
+
diff --git a/freed-ora/current/f19/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch b/freed-ora/current/f19/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
new file mode 100644
index 000000000..f8a9d2dd3
--- /dev/null
+++ b/freed-ora/current/f19/KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
@@ -0,0 +1,89 @@
+From: Andy Honig <ahonig@google.com>
+Date: Fri, 24 Oct 2014 17:07:13 +0200
+Subject: [PATCH] KVM: x86: Prevent host from panicking on shared MSR writes.
+
+The previous patch blocked invalid writes directly when the MSR
+is written. As a precaution, prevent future similar mistakes by
+gracefulling handle GPs caused by writes to shared MSRs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Honig <ahonig@google.com>
+[Remove parts obsoleted by Nadav's patch. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ arch/x86/kvm/vmx.c | 7 +++++--
+ arch/x86/kvm/x86.c | 11 ++++++++---
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 78d014c83ae3..d16311f4099e 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1062,7 +1062,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcpu *v);
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
+
+ void kvm_define_shared_msr(unsigned index, u32 msr);
+-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+
+ bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 3a3e419780df..0881ec6154cc 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2632,12 +2632,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ default:
+ msr = find_msr_entry(vmx, msr_index);
+ if (msr) {
++ u64 old_msr_data = msr->data;
+ msr->data = data;
+ if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
+ preempt_disable();
+- kvm_set_shared_msr(msr->index, msr->data,
+- msr->mask);
++ ret = kvm_set_shared_msr(msr->index, msr->data,
++ msr->mask);
+ preempt_enable();
++ if (ret)
++ msr->data = old_msr_data;
+ }
+ break;
+ }
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 1f9a233d8624..9d292e8372d6 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -229,20 +229,25 @@ static void kvm_shared_msr_cpu_online(void)
+ shared_msr_update(i, shared_msrs_global.msrs[i]);
+ }
+
+-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+ {
+ unsigned int cpu = smp_processor_id();
+ struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
++ int err;
+
+ if (((value ^ smsr->values[slot].curr) & mask) == 0)
+- return;
++ return 0;
+ smsr->values[slot].curr = value;
+- wrmsrl(shared_msrs_global.msrs[slot], value);
++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
++ if (err)
++ return 1;
++
+ if (!smsr->registered) {
+ smsr->urn.on_user_return = kvm_on_user_return;
+ user_return_notifier_register(&smsr->urn);
+ smsr->registered = true;
+ }
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
+
+--
+1.9.3
+
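Review bot: In `kvm_set_shared_msr()` the cached value is updated (`smsr->values[slot].curr = value;`) before `wrmsrl_safe()` runs, so when the write faults the function returns 1 but `curr` already holds the rejected value. A later call with the same value then takes the `== 0` early return and reports success although the MSR was never written. Move the assignment below the error check: `err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);` then `if (err) return 1;` then `smsr->values[slot].curr = value;`. In the vmx.c part, `ret` is assigned only inside the `save_nmsrs` branch and its declaration is outside the hunk, so confirm it is initialised to 0 for the path that skips the call.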
diff --git a/freed-ora/current/f19/deblob-check b/freed-ora/current/f19/deblob-check
index 3fcd05cde..2b84cb21f 100755
--- a/freed-ora/current/f19/deblob-check
+++ b/freed-ora/current/f19/deblob-check
@@ -1,6 +1,6 @@
#! /bin/sh
-# deblob-check version 2014-06-07
+# deblob-check version 2014-10-30
# Inspired in gNewSense's find-firmware script.
# Written by Alexandre Oliva <lxoliva@fsfla.org>
@@ -891,7 +891,7 @@ set_except () {
blobna 'DEFAULT_FIRMWARE'
blobna '\([.]\|->\)firmware[ \n]*=[^=]'
blobna 'mod_firmware_load' # sound/
- blobname '[.]\(fw\|bin[0-9]*\|hex\|frm\|co[dx]\|dat\|elf\|xlx\|rfb\|ucode\|img\|sbcf\|ctx\(prog\|vals\)\|z77\|wfw\|inp\)["]'
+ blobname '[.]\(fw\|bin[0-9]*\|hex\|frm\|co[dx]\|dat\|elf\|xlx\|rfb\|ucode\|img\|sbcf\|ctx\(prog\|vals\)\|z77\|wfw\|inp\|dlmem\)["]'
# Ideally we'd whitelist URLs that don't recommend non-Free
# Software, but there are just too many URLs in Linux, and most are
# fine, so we just blacklist when we find undesirable URLs.
@@ -3470,7 +3470,7 @@ set_except () {
defsnc 'static[ ]const[ ]unsigned[ ]int[ ]bsc_data32_pins\[\][ ]=' drivers/pinctrl/pinctrl-baytrail.c
blobname 'mt76\(50\|62\)\.bin' drivers/staging/btmtk_usb/btmtk_usb.c
accept '[ ]*data->firmware[ ]=[ ]firmware[;]' drivers/staging/btmtk_usb/btmtk_usb.c
- accept '[ ]\[CODE_IMX\(27\|53\)\][ ]=[ ][{][\n][ ][ ]\.firmware[ ]*=' drivers/media/platform/coda.c
+ accept '[ ]\[CODA_IMX\(27\|53\)\][ ]=[ ][{][\n][ ][ ]\.firmware[ ]*=' drivers/media/platform/coda.c
blobname 'exynos4_\(fimc_is_fw\|s5k6a3_setfile\)\?\.bin' drivers/media/platform/exynos4-is/fimc-is.h
accept '[ ]*ret[ ]=[ ]process_sigma_firmware[(]client[,][ ]ADAU1701_FIRMWARE[)][;]' sound/soc/codecs/adau1701.c
defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5640_reg\[RT5640_VENDOR_ID2[ ][+][ ]1\][ ]=' sound/soc/codecs/rt5640.c
@@ -3485,8 +3485,8 @@ set_except () {
defsnc '__visible[ ]const[ ]u64[ ]camellia_sp\(10011110\|22000222\|03303033\|00444404\|02220222\|30333033\|44044404\|11101110\)\[256\][ ]=' arch/x86/crypto/camellia_glue.c
defsnc '__visible[ ]const[ ]u32[ ]crypto_[fi][tl]_tab\[4\]\[256\][ ]=' crypto/aes_generic.c
defsnc '__visible[ ]const[ ]u32[ ]cast_s[1234]\[256\][ ]=' crypto/cast_common.c
- defsnc '[ ]*interrupts[ ]=[ ]<[ ]*\(0[ ]2[012][0-9][ ]4[ \n]*\)*>[;]' Documentation/devicetree/bindings/dma/shdma.txt
- defsnc '[ ][ ]interrupts[ ]=[ ]<\([\n][ ]*0x\([ef]\|1[01]\)[0-9a-f][ ]0[ ]0[ ]0\)*>[;]' Documentation/devicetree/bindings/powerpc/fsl/msi-pic.txt
+ accept '[ ]*interrupts[ ]=[ ]<[ ]*\(0[ ]2[012][0-9][ ]4[ \n]*\)*>[;]' Documentation/devicetree/bindings/dma/shdma.txt
+ accept '[ ][ ]interrupts[ ]=[ ]<\([\n][ ]*0x\([ef]\|1[01]\)[0-9a-f][ ]0[ ]0[ ]0\)*>[;]' Documentation/devicetree/bindings/powerpc/fsl/msi-pic.txt
defsnc 'static[ ]const[ ]int[ ]a370_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]__initconst[ ]=' drivers/clk/mvebu/armada-370.c
defsnc 'static[ ]const[ ]int[ ]axp_\(nb\|h\|dram\)clk_ratios\[32\]\[2\][ ]__initconst[ ]=' drivers/clk/mvebu/armada-xp.c
defsnc 'static[ ]const[ ]int[ ]\(dove\|kirkwood\)_cpu_ddr_ratios\[16\]\[2\][ ]__initconst[ ]=' drivers/clk/mvebu/clk-core.c
@@ -3584,12 +3584,245 @@ set_except () {
# New in 3.14.6
blobname 'radeon[/]\(%s\|BONAIRE\|HAWAII\|TAHITI\|PITCAIRN\|VERDE\|OLAND\|HAINAN\)_mc2\.bin' 'drivers/gpu/drm/radeon/\(cik\|si\)\.c'
+
+ # New in 3.15
+ defsnc '\(static[ ]\)\?const[ ]struct[ ]nvc0_graph_init[\n]nvc0_graph_init_\(main\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc0.c
+ defsnc 'static[ ]const[ ]u32[ ]godavari_golden_registers\[\][ ]=' drivers/gpu/drm/radeon/cik.c
+ blobname 'brcm[/]brcmfmac4354-sdio\.bin' drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+ blobname '%s%s\.ucode' drivers/net/wireless/iwlwifi/iwl-drv.c
+ blobname 'ti-connectivity[/]wl18xx-fw-3\.bin' drivers/net/wireless/ti/wl18xx/main.c
+ blobname 'ql2700_fw\.bin' drivers/scsi/qla2xxx/qla_os.c
+
+ # New in 3.16
+ defsnc '[\t]*atmel[,]pll-clk-output-ranges[ ]=[ ]<' 'Documentation/devicetree/bindings/clock/at91-clock\.txt\|arch/arm/boot/dts/at91sam9x5\.dtsi'
+ blobname 'imx[/]sdma[/]sdma-imx25\.bin' arch/arm/boot/dts/imx25.dtsi
+ blobname 'imx[/]sdma[/]sdma-imx35\.bin' arch/arm/boot/dts/imx35.dtsi
+ blobname 'imx[/]sdma[/]sdma-imx50\.bin' arch/arm/boot/dts/imx50.dtsi
+ blobname 'sdma-imx53\.bin' arch/arm/boot/dts/imx53-tx53.dtsi
+ defsnc 'struct[ ]sock_filter[ ]code\[\][ ]=' Documentation/networking/filter.txt
+ initnc '\.L\(Forward\|Reverse\)_Sbox:[\n][\t]\.byte[\t]*' arch/arm64/crypto/aes-neon.S
+ initnc '\.Lsha2_rcon:[\n][\t]\.word[\t]*' arch/arm64/crypto/sha2-ce-core.S
+ defsnc 'static[ ]const[ ]u8[ ]sata_phy_config[12]\[\][ ]*=' arch/mips/netlogic/xlp/ahci-init-xlp2.c
+ accept '[ ]*interrupts[ ]=[ ]<108[ ]0\([\n][ ]*1[012][0-9][ ]0\)*>[;]' arch/powerpc/boot/dts/akebono.dts
+ defsnc '[\t]static[ ]int[ ]sysdiv_code_to_x2\[\][ ]=' arch/powerpc/platforms/512x/clock-commonclk.c
+ accept '[#][#][ ]*0[ ]1[ ]2[ ]3[ ]4[ ]5[ ]6[ ]7[ ]8[ ]9[ ]0[ ]1[ ]2[ ]3[ ]4[ ]5[ ]6[ ]7[ ]8[ ]9[ ]0[ ]1[ ]2[ ]3[ ]4[ ]5[ ]6[ ]7[ ]8[ ]9[ ]0[ ]1' arch/x86/crypto/aesni-intel_avx-x86_64.S
+ defsc 'static[ ]struct[ ]aead_testvec[ ]hmac_sha\(1\|224\|256\|384\|512\)_\(aes\|des\|des3_ede\)_cbc_enc_tv_temp\[\][ ]=' crypto/testmgr.h
+ accept '#define[ \t]*ACPI_TABLE_FILE_SUFFIX[\t ]*["]\.dat["]' drivers/acpi/acpica/acapps.h
+ accept '[ ][*][ ]request_firmware\(_direct\)\?:[ ]-[ ]load[ ]firmware[ ]directly[ ]without[ ]usermode[ ]helper' drivers/base/firmware_class.c
+ accept '[ ][*][ ]This[ ]function[ ]works[ ]pretty[ ]much[ ]like[ ]request_firmware[(][)]' drivers/base/firmware_class.c
+ accept 'int[ ]request_firmware_direct[(]' 'drivers/base/firmware_class\.c\|include/linux/firmware\.h'
+ accept '[\t]ret[ ]=[ ]_request_firmware[(]firmware_p[,][ ]name[,][ ]device[,][ ]FW_OPT_UEVENT[)][;]' drivers/base/firmware_class.c
+ accept 'EXPORT_SYMBOL_GPL[(]request_firmware_direct[)][;]' drivers/base/firmware_class.c
+ defsnc 'static[ ]const[ ]int[ ]armada_375_cpu_\(l2\|ddr\)_ratios\[32\]\[2\][ ]__initconst[ ]=[ ]' drivers/clk/mvebu/armada-375.c
+ defsnc 'static[ ]const[ ]int[ ]armada_38x_cpu_\(l2\|ddr\)_ratios\[32\]\[2\][ ]__initconst[ ]=[ ]' drivers/clk/mvebu/armada-38x.c
+ defsnc 'static[ ]struct[ ]cpufreq_frequency_table[ ]s3c64xx_freq_table\[\][ ]=' drivers/cpufreq/s3c64xx-cpufreq.c
+ defsnc 'static[ ]const[ ]u8[ ]ccp_sha\(1\|224\|256\)_zero\[CCP_SHA_CTXSIZE\][ ]=' drivers/crpto/ccp/ccp-ops.c
+ blobname 'ast_dp501_fw\.bin' drivers/gpu/drm/ast/ast_dp501.c
+ accept '[\t]["]edid[/]\(800x600\)\.bin["]' drivers/gpu/drm/drm_edid_load.c
+ defsnc 'static[ ]void[ ][*]edid_load[(][^)]*[)][\n][{]\([\n]\+[^\n}][^\n]*\)*[^\n]*err[ ]=[ ]request_firmware[(][&]fw[,][ ]name[,][ ][&]pdev' drivers/gpu/drm/drm_edid_load.c
+ defsnc 'static[ ]const[ ]struct[ ]hdmiphy_config[ ]hdmiphy_5420_configs\[\][ ]=' drivers/gpu/drm/exynos/exynos_hdmi.c
+ # These seem too sparse to be code.
+ defsnc 'static[ ]const[ ]u32[ ]gen6_null_state_batch\[\][ ]=' drivers/gpu/drm/i915/intel_renderstate_gen6.c
+ defsnc 'static[ ]const[ ]u32[ ]gen7_null_state_batch\[\][ ]=' drivers/gpu/drm/i915/intel_renderstate_gen7.c
+ defsnc 'static[ ]const[ ]u32[ ]gen8_null_state_batch\[\][ ]=' drivers/gpu/drm/i915/intel_renderstate_gen8.c
+ defsnc 'nv50_disp_\(mast_mthd_head\|\(sync\|ovly\)_mthd_base\)[ ]=' drivers/gpu/drm/nouveau/core/engine/disp/nv50.c
+ defsnc 'nv84_disp_\(mast_mthd_head\|\(sync\|ovly\)_mthd_base\)[ ]=' drivers/gpu/drm/nouveau/core/engine/disp/nv84.c
+ defsnc 'nva0_disp_ovly_mthd_base[ ]=' drivers/gpu/drm/nouveau/core/engine/disp/nva0.c
+ defsnc 'nvd0_disp_\(mast_mthd_head\|\(sync\|ovly\)_mthd_base\)[ ]=' drivers/gpu/drm/nouveau/core/engine/disp/nvd0.c
+ defsnc 'nve0_disp_\(mast_mthd_head\|ovly_mthd_base\)[ ]=' drivers/gpu/drm/nouveau/core/engine/disp/nve0.c
+ defsnc 'gm107_grctx_init_\(\(icmd\|b097\|fe\|ds\|pd\|be\|setup\|tex\|mpc\|sm\|wwdx\)_0\|gpc_unk_2\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxgm107.c
+ defsnc 'nv108_grctx_init_\(icmd\|fe\|ds\|pd\|rstr2d\|be\|prop\|setup\|crstr\|tex\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnv108.c
+ defsnc 'nvc0_grctx_init_\(icmd\|9097\|902d\|90c0\|fe\|memfmt\|rstr2d\|prop\|setup\|crstr\|zcullr\|wwdx\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc0.c
+ defsnc 'nvc1_grctx_init_\(icmd\|9097\|setup\|wwdx\|tex\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
+ defsnc 'nvc4_grctx_init_\(tex\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc4.c
+ defsnc 'nvc8_grctx_init_\(icmd\|setup\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc8.c
+ defsnc 'nvd7_grctx_init_\(ds\|pd\|setup\|tex\|wwdx\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
+ defsnc 'nvd9_grctx_init_\(icmd\|90c0\|fe\|ds\|prop\|setup\|crstr\|tex\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
+ defsnc 'nve4_grctx_init_\(icmd\|a097\|fe\|memfmt\|ds\|pd\|be\|setup\|tex\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnve4.c
+ defsnc 'nvf0_grctx_init_\(icmd\|a197\|fe\|pd\|be\|setup\|tex\|sm\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/ctxnvf0.c
+ defsnc 'uint32_t[ ]gm107_grgpc_code\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcgm107.fuc5.h
+ defsnc 'uint32_t[ ]nv108_grgpc_code\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/gpcnv108.fuc5.h
+ defsnc 'uint32_t[ ]gm107_grhub_\(data\|code\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubgm107.fuc5.h
+ defsnc 'uint32_t[ ]nv108_grhub_\(data\|code\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/fuc/hubnv108.fuc5.h
+ defsnc 'gm107_graph_init_\(main\|tpccs\|tex\|sm\|be\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/gm107.c
+ defsnc 'nv108_graph_init_\(main\|l1c\)_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nv108.c
+ defsnc 'nvc4_graph_init_sm_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc4.c
+ defsnc 'nvc8_graph_init_sm_0\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvc8.c
+ defsnc 'nvd9_graph_init_\(gpc_unk_1\|sm_0\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvd9.c
+ defsnc 'nve4_graph_init_\(\(main\|l1c\|sm\|be\)_0\|gpc_unk_1\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nve4.c
+ defsnc 'nvf0_graph_init_\(\(l1c\|sm\)_0\|gpc_unk_1\)\[\][ ]=' drivers/gpu/drm/nouveau/core/engine/graph/nvf0.c
+ defsnc 'static[ ]u8[ ]const[ ]ld9040_gammas\[25\]\[22\][ ]=' drivers/gpu/drm/panel/panel-ld9040.c
+ defsnc 'static[ ]void[ ]s6e8aa0_panel_cond_set[(][^)]*[)][\n][{]\([\n]\+[^\n}][^\n]*\)*[^\n]*s6e8aa0_dcs_write_seq_static[(]ctx[,][\n\t0x0-9a-f, ]*[)][;]' drivers/gpu/drm/panel/panel-s6e8aa0.c
+ defsnc 'static[ ]const[ ]s6e8aa0_gamma_table[ ]s6e8aa0_gamma_tables_v\(142\|96\|32\)\[GAMMA_LEVEL_NUM\][ ]=' drivers/gpu/drm/panel/panel-s6e8aa0.c
+ blobname 'radeon[/]BONAIRE_vce\.bin' drivers/gpu/drm/radeon/radeon_vce.c
+ defsnc '[\t]static[ ]const[ ]__u8[ ]sixaxis_leds\[10\]\[4\][ ]=' drivers/hid/hid-sony.c
+ defsnc '[\t]union[ ]sixaxis_output_report_01[ ]report[ ]=' drivers/hid/hid-sony.c
+ defsnc 'static[ ]int[ ]twl4030_therm_tbl\[\][ ]=' drivers/iio/adc/twl4030-madc.c
+ defsnc 'static[ ]struct[ ]linear_segments[ ]strength_to_db_table\[\][ ]=' drivers/media/dvb-frontends/dib8000.c
+ blobname 'dvb-fe-drxj-mc-1\.0\.8\.fw' drivers/media/dvb-frontends/drx39xyj/drxj.c
+ defsnc 'static[ ]const[ ]u16[ ]nicam_presc_table_val\[43\][ ]=' drivers/media/dvb-frontends/drx39xyj/drxj.c
+ accept '[\t][\t]*demod->firmware[ ]=[ ]\(fw\|NULL\)[;]' drivers/media/dvb-frontends/drx39xyj/drxj.c
+ blobname 'dvb-demod-m88ds3103\.fw' drivers/media/dvb-frontends/m88ds3103_priv.h
+ defsnc 'static[ ]const[ ]struct[ ]m88ds3103_reg_val[ ]m88ds3103_dvbs2\?_init_reg_vals\[\][ ]=' drivers/media/dvb-frontends/m88ds3103_priv.h
+ blobname 'dvb-demod-si2168-02\.fw' drivers/media/dvb-frontends/si2168_priv.h
+ blobname 's5k5baf-cfg\.bin' drivers/media/i2c/s5k5baf.c
+ defsnc 'static[ ]const[ ]u16[ ]scaler_[hv]s_coeffs\[1[35]\]\[SC_NUM_PHASES[ ][*][ ]2[ ][*][ ]SC_[HV]_NUM_TAPS\][ ]=' drivers/media/platform/ti-vpe/sc_coeff.h
+ defsnc 'static[ ]const[ ]struct[ ]si4713_start_seq_table[ ]start_seq\[\][ ]=' drivers/media/radio/si4713/radio-usb-si4713.c
+ defsnc 'static[ ]const[ ]struct[ ]e4000_if_gain[ ]e4000_if_gain_lut\[\][ ]=' drivers/media/tuners/e4000_priv.h
+ defsnc 'static[ ]const[ ]struct[ ]dtcs033_usb_requests[ ]dtcs033_start_reqs\[\][ ]=' drivers/media/usb/gspca/dtcs033.c
+ defsnc 'static[ ]struct[ ]idxdata[ ]tbl_\(\(middle\|end\)_hvflip\(_\(low\|big\)\)\?\|init_post_alt_\(low[123]\|big\|3B\)\)\[\][ ]=' drivers/media/usb/gspca/gl860/gl860-mi2020.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]wm5110_revd_patch\[\][ ]=' drivers/mfd/wm5110-tables.c
+ defsnc 'static[ ]const[ ]u32[ ]tuning_block_128\[\][ ]=' drivers/mmc/host/sdhci-msm.c
+ defsnc 'static[ ]struct[ ]nand_ecclayout[ ]hwecc4_2048[ ]=' drivers/mtd/nand/davinci_nand.c
+ defsnc 'static[ ]struct[ ]nand_ecclayout[ ]ecc_layout_[24]KB_bch[48]bit[ ]=' drivers/mtd/nand/pxa3xx_nand.c
+ defsnc '[\t]static[ ]char[ ]packet\[\][ ]=' drivers/net/ethernet/intel/i40e/i40e_txrx.c
+ defsnc 'u8[ ]netvsc_hash_key\[HASH_KEYLEN\][ ]=' drivers/net/hyperv/rndis_filter.c
+ defsnc 'static[ ]const[ ]u32[ ]ar9300Modes_high_power_tx_gain_table_buffalo\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9003_buffalo_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9340_cus227_tx_gain_table_1p0\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9340_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p0_common_\(mixed_\)\?rx_gain\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]ar9462_2p0_modes_\(low\|mix\|high\)_ob_db_tx_gain\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]qca953x_1p[01]_\(\(mac\|baseband\|radio\)_core\|modes_\(no_\)\?xpa_tx_gain_table\)\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar953x_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]qca953x_1p0_\(baseband\|radio\)_postamble\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar953x_initvals.h
+ accept '[ ]err[ ]=[ ]request_firmware_nowait[(][^\n]*,[ ]CARL9170FW_NAME,' drivers/net/wireless/carl9170/usb.c
+ defsnc 'static[ ]const[ ]struct[ ]b43_nphy_channeltab_entry_rev3[ ]b43_nphy_channeltab_\(phy\|radio\)_rev\([34568]\|7_9\|11\)\[\][ ]=' drivers/net/wireless/b43/radio_2056.c
+ defsnc 'static[ ]const[ ]u32[ ]b43_ntab_noisevar_r3\[\][ ]=' drivers/net/wireless/b43/tables_nphy.c
+ blobname 'iwlwifi-8000-' drivers/net/wireless/iwlwifi/iwl-8000.c
+ blobname 'iwl_nvm_8000\.bin' drivers/net/wireless/iwlwifi/iwl-8000.c
+ defsnc 'static[ ]const[ ]u8[ ]iwl_nvm_channels_family_8000\[\][ ]=' drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
+ defsnc 'static[ ]const[ ]u16[ ]expected_tpt_\(siso\|mimo2\)_[248]0MHz\[4\]\[IWL_RATE_COUNT\][ ]=' drivers/net/wireless/iwlwifi/mvm/rs.c
+ blobname 'rsi_91x\.fw' drivers/net/wireless/rsi/rsi_common.h
+ defsnc 'static[ ]const[ ]u32[ ]RF_GAIN_TABLE\[\][ ]=' drivers/net/wireless/rtl818x/rtl8180/rtl8225se.c
+ defsnc 'static[ ]const[ ]u8[ ]\(cck_ofdm_gain_settings\|rtl8225se_tx_power_cck\(_ch14\)\?\|ZEBRA_AGC\|OFDM_CONFIG\)\[\][ ]=' drivers/net/wireless/rtl818x/rtl8180/rtl8225se.c
+ defsnc '[\t]u16[ ]toshiba_smid1\[\][ ]=' drivers/net/wireless/rtlwifi/rtl8723be/hw.c
+ blobname 'rtlwifi[/]rtl8723befw\.bin' drivers/net/wireless/rtlwifi/rtl8723be/sw.c
+ defsnc 'u32[ ]RTL8723BE\(PHY_REG\|_RADIOA\|MAC\|AGCTAB\)_\(1T_\?ARRAY\|ARRAY_PG\)\[\][ ]=' drivers/net/wireless/rtlwfi/rtl8723be/table.c
+ defsnc 'static[ ]\(const[ ]unsigned[ ]\)\?int[ ]tps65864[03]_sm2_voltages\[\][ ]=' drivers/regulator/tps6586x-regulator.c
+ defsnc 'static[ ]const[ ]uint32_t[ ]ql27xx_fwdt_default_template\[\][ ]=' drivers/scsi/qla2xxx/qla_tmpl.c
+ blobname 'dgap[/]\(sx\|cxp\|pci\|xr\)\(bios\|fep\)\.bin' drivers/staging/dgap/dgap.c
+ accept '[\t][ ]*kernel[ ]firmware[ ]framework[,][ ]request_firmware[(][)]' drivers/staging/gs_fpgaboot/README
+ defsnc 'static[ ]u8[ ]ecctable\[256\][ ]=' drivers/staging/keucr/smilecc.c
+ defsnc '[\t]u8[ ]data_ptr\[36\][ ]=' drivers/staging/keucr/smscsi.c
+ # This is a default for the user-supplied fpga configuration; it
+ # is overridable with a module parameter.
+ accept 'static[ ]char[ \t]*[*]file[ ]=[ ]["]xlinx_fpga_firmware\.bit["][;]' drivers/staging/gs_fpgaboot/gs_fpgaboot.c
+ accept '[\t]pr_info[(]["]load[ ]fpgaimage[ ]%s[\\]n["][,][ ]file[)][;][\n]*[\t]err[ ]=[ ]request_firmware[(][&]fimage->fw_entry[,]' drivers/staging/gs_fpgaboot/gs_fpgaboot.c
+ blobname '\(ti1273\(_\(pre\)\?le\)\?\|bc[m4]fw\)\.bin' drivers/staging/nokia_h4p/nokia_fw.c
+ defsnc '[\t]u8[ ]channel5g\[CHANNEL_MAX_NUMBER_5G\][ ]=' drivers/staging/rtl8192ee/rtl8192ee/hw.c
+ blobname 'rtlwifi[/]rtl8192eefw\.bin' drivers/staging/rtl8192ee/rtl8192ee/sw.c
+ defsnc 'u32[ ]RTL8192EE_\(PHY_REG\|RADIO[AB]\|MAC\|AGC_TAB\)_ARRAY\(_PG\)\?\[\][ ]=' drivers/staging/rtl8192ee/rtl8192ee/table.c
+ defsnc '[\t]u8[ ]Channel_5G\[45\][ ]=' drivers/staging/rtl8723au/core/rtw_mlme_ext.c
+ defsnc 'static[ ]const[ ]unsigned[ ]short[ ]Sbox1\[2\]\[256\]=' drivers/staging/rtl8723au/core/rtw_security.c
+ defsnc 'u32[ ]Rtl8723UPHY_REG_Array_PG\[Rtl8723UPHY_REG_Array_PGLength\][ ]=' drivers/staging/rtl8723au/hal/Hal8723UHWImg_CE.c
+ defsnc 'static[ ]u32[ ]Array_\(AGC_TAB\|PHY_REG\)_\(1T\|PG\)_8723A\[\][ ]=' drivers/staging/rtl8723au/hal/HalHWImg8723A_BB.c
+ defsnc 'static[ ]u32[ ]Array_MAC_REG_8723A\[\][ ]=' drivers/staging/rtl8723au/hal/HalHWImg8723A_MAC.c
+ defsnc 'static[ ]u32[ ]Array_RadioA_1T_8723A\[\][ ]=' drivers/staging/rtl8723au/hal/HalHWImg8723A_RF.c
+ blobname 'rtlwifi[/]rtl8723aufw_\(A\|B\(_NoBT\)\?\)\.bin' drivers/staging/rtl8723au/hal/rtl8723a_hal_init.c
+ defsnc 'u8[ ]rtl88\(12\|21\)ae_delta_swing_table_idx_5g[ab]_[np]_txpwrtrack\[\]\[DELTA_SWINGIDX_SIZE\][ ]=' drivers/staging/rtl8821ae/rtl8821ae/dm.c
+ defsnc 'static[ ]u8[ ]reserved_page_packet_8821\[TOTAL_RESERVED_PKT_LEN_8821\][ ]=' drivers/staging/rtl8821ae/rtl8821ae/fw.c
+ defsnc 'static[ ]u8[ ]reserved_page_packet_8812\[TOTAL_RESERVED_PKT_LEN_8812\][ ]=' drivers/staging/rtl8821ae/rtl8821ae/fw.c
+ defsnc '[\t]u8[ ]channel_5g\[CHANNEL_MAX_NUMBER_5G\][ ]=' 'drivers/staging/rtl8821ae/rtl8821ae/\(hw\|phy\)\.c'
+ defsnc '[\t]u8[ ]channel_all\[TARGET_CHNL_NUM_2G_5G_8812\][ ]=' drivers/staging/rtl8821ae/rtl8821ae/phy.c
+ blobname 'rtlwifi[/]rtl8821aefw\.bin' drivers/staging/rtl8821ae/rtl8821ae/sw.c
+ defsnc 'u32[ ]RTL88\(12\|21\)AE_\(\(PHY\|MAC\)_REG\|RADIO[AB]\|AGC_TAB\)_ARRAY\(_PG\)\?\[\][ ]=' drivers/staging/rtl8821ae/rtl8821ae/table.c
+ accept '#define[ ]CONFIG_PATH[\t]*["][/]etc[/]vntconfiguration[.]dat["]' drivers/staging/vt6656/device.h
+ defsnc 'static[ ]const[ ]u8[ ]TKIP_Sbox_\(Lower\|Upper\)\[256\][ ]=' drivers/staging/vt6656/tkip.c
+ blobname 'moxa[/]moxa-\(%04x\|[0-9a-f][0-9a-f][0-9a-f][0-9a-f]\)\.fw' drivers/usb/serial/mxuport.c
+ accept '#define[ \t]request_firmware_direct[ \t]request_firmware' include/linux/firmware.h
+ accept '[\t]report_missing_free_firmware[^\n]*[\n][\t]retval[ ]=[ ]request_firmware_direct[(]' include/linux/firmware.h
+ defsnc 'const[ ]u8[ ]crc7_be_syndrome_table\[256\][ ]=' lib/crc7.c
+ defsnc 'static[ ]struct[ ]bpf_test[ ]tests\[\][ ]=' lib/test_bpf.c
+ defsnc '[\t]static[ ]struct[ ]sock_filter[ ]ptp_filter\[\][ ]__initdata[ ]=' net/core/ptp_classifier.c
+ blobname 'adau1761\.bin' sound/soc/codecs/adau1761.c
+ accept '[\t][\t]ret[ ]=[ ]adau17x1_load_firmware[(]adau[,][ ]codec->dev[,][\n][\t ]*ADAU1761_FIRMWARE[)][;]' sound/soc/codecs/adau1761.c
+ blobname 'adau1[37]81\.bin' sound/soc/codecs/adau1781.c
+ accept '[\t][\t]firmware[ ]=[ ]ADAU1[37]81_FIRMWARE[;]\([\n][\n]*[\t][^\n]*\)*ret[ ]=[ ]adau17x1_load_firmware[(]adau[,][ ]codec->dev[,][ ]firmware[)][;]' sound/soc/codecs/adau1781.c
+ blobna 'adau17x1_load_firmware' sound/soc/codecs/adau17x1.c
+ accept 'int[ ]adau17x1_load_firmware[(]' 'sound/soc/codecs/adau17x1\.[ch]'
+ accept 'EXPORT_SYMBOL_GPL[(]adau17x1_load_firmware[)][;]' sound/soc/codecs/adau17x1.c
+ accept '[ ]*ret[ ]=[ ]process_sigma_firmware_regmap[(]dev[,][ ]adau->regmap[,][ ]firmware[)][;]' sound/soc/codecs/adau17x1.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]adau1977_reg_defaults\[\][ ]=' sound/soc/codecs/adau1977.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]ak4641_reg_defaults\[\][ ]=' sound/soc/codecs/ak4641.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]ak464[28]_reg\[\][ ]=' sound/soc/codecs/ak4642.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5640_reg\[\][ ]=' sound/soc/codecs/rt5640.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5645_reg\[\][ ]=' sound/soc/codecs/rt5645.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5651_reg\[\][ ]=' sound/soc/codecs/rt5651.c
+ defsnc 'int[ ]_process_sigma_firmware[(]' sound/soc/codecs/sigmadsp.c
+ accept 'EXPORT_SYMBOL_GPL[(]_process_sigma_firmware[)]' sound/soc/codecs/sigmadsp.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]sta350_regs\[\][ ]=' sound/soc/codecs/sta350.c
+ defsnc 'static[ ]const[ ]struct[ ]aic31xx_rate_divs[ ]aic31xx_divs\[\][ ]=' sound/soc/codecs/tlv320aic31xx.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]wm5110_sysclk_revd_patch\[\][ ]=' sound/soc/codecs/wm5110.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]wm8974_reg_defaults\[\][ ]=' sound/soc/codecs/wm8974.c
+ blobname 'intel[/]IntcSST[12]\.bin' sound/soc/intel/sst-acpi.c
+ blobname 'intel[/]fw_sst_0f28\.bin-i2s_master' sound/soc/intel/sst-acpi.c
+ defsnc 'static[ ]unsigned[ ]char[ ]bcd2000_init_sequence\[\][ ]=' sound/usb/bcd2000/bcd2000.c
+ blobna '[ ][*][ ]xxd[ ]-r[ ]-p[ ]mXTXXX[^\n]*maxtouch\.fw[\n][ \t]*[*][/]' drivers/input/touchscreen/atmel_mxt_ts.c
+ blobname 's5p-mfc-v8\.fw' drivers/media/platform/s5p-mfc/s5p_mfc.c
+
+ # New in 3.17
+ blobname 'radeon[/]\(%s\|kaveri\|KAVERI\)_mec2\.bin' drivers/gpu/drm/radeon/cik.c
+ blobname 'dvb-demod-si2168-\(\(a[23]\|b4\)0-01\|-02\)\.fw' drivers/media/dvb-frontends/si2168_priv.h
+ accept '[ ]\[CODA_IMX6\(Q\|DL\)\][ ]=[ ][{][\n][ ][ ]\.firmware[ ]*=' drivers/media/platform/coda.c
+ blobname 'v4l-coda960-imx6\(q\|dl\)\.bin' drivers/media/platform/coda.c
+ blobname 's5p-mfc-v6-v2\.fw' drivers/media/platform/s5p-mfc/s5p_mfc.c
+ blobname 'dvb-fe-xc4000-1\.4\(\.1\)\?\.fw' drivers/media/tuners/xc4000.c
+ blobname 'ti-connectivity[/]TIInit_\(\(%d\|[0-9]\+\)[.]\)\+bts' drivers/misc/ti-st/st_kim.c
+ blobname 'fw-5\.bin' drivers/net/wireless/ath/ath6kl/core.h
+ blobname 'brcm[/]brcmfmac43569\.bin' drivers/net/wireless/brcm80211/brcmfmac/usb.c
+ blobname '3826\.eeprom' drivers/net/wireless/p54/p54spi.c
+ defsnc 'static[ ]const[ ]u64[ ]sha512_k\[\][ ]=' arch/arm/crypto/sha512_neon_glue.c
+ accept 'K_table:\([\n][ ]*\.long[ ]*0x[0-9a-f]*[,][ ]0x[0-9a-f]*\)*' arch/x86/crypto/crc32c-pcl-intel-asm_64.S
+ accept '\.L_s[12345678]:\([\n][ ]*\.quad[ ]*0x[0-9a-f]*[,][ ]0x[0-9a-f]*\)*' arch/x86/crypto/des3_ede-asm_64.S
+ defsnc '[\t]const[ ]unsigned[ ]char[ ][*]K[ ]=[ ][(]unsigned[ ]char[ ][*][)]' crypto/drbg.c
+ accept '[\t]ret[ ]=[ ]_request_firmware[(]firmware_p[,][ ]name[,][ ]device[,]' drivers/base/firmware_class.c
+ defsnc 'static[ ]const[ ]uint64_t[ ]inst\[\][ ]=' drivers/crypto/qat/qat_common/qat_hal.c
+ defsnc 'gk110b_\(grctx\|graph\)_init_\(sm\|l1c\)_0\[\][ ]=' drivers/gpu/dm/nouveau/core/engine/graph/ctxgk110b.c
+ defsnc '[\t]const[ ]u16[ ]map\[\][ ]=' drivers/hwmon/asc7621.c
+ defsnc '[}][ ]samp_freq_table\[\][ ]=' drivers/iio/accel/kxcjk-1013.c
+ defsnc 'static[ ]const[ ]unsigned[ ]char[ ]jpeg_dqt\[4\]\[DQT_LEN\][ ]=' drivers/media/pci/solo6x10/solo6x10-jpeg.h
+ defsnc 'static[ ]const[ ]u32[ ]qca953x_2p0_baseband_core\[\]\[2\][ ]=' drivers/net/wireless/ath/ath9k/ar953x_initvals.h
+ defsnc 'static[ ]const[ ]u32[ ]qca953x_2p0_baseband_postamble\[\]\[5\][ ]=' drivers/net/wireless/ath/ath9k/ar953x_initvals.h
+ defsnc 'static[ ]u16[ ]r2057_rev\(4\|5a\?\|[789]\|14\)_init\[\]\[2\][ ]=' drivers/net/wireless/b43/radio_2057.c
+ defsnc 'static[ ]const[ ]u32[ ]b43_ntab_\(\(tmap\|noisevar\)_r7\|tx_gain_\(epa\|ipa\(_2057\)\?\)_rev\([34569]\|14\)_\(hi_pwr_\)\?\(2g\|5g\)\)\[\][ ]=' drivers/net/wireless/b43/tables_nphy.c
+ accept '[ ]ret[ ]=[ ]request_firmware[(][&]pm8001_ha->fw_image,' drivers/scsi/pm8001/pm8001_ctl.c
+ defsnc 'static[ ]unsigned[ ]char[ ]byVT3253InitTab_RFMD\[CB_VT3253_INIT_FOR_RFMD\]\[2\][ ]=' drivers/staging/vt6655/baseband.c
+ defsnc 'static[ ]unsigned[ ]char[ ]byVT3253B0_RFMD\[CB_VT3253B0_INIT_FOR_RFMD\]\[2\][ ]=' drivers/staging/vt6655/baseband.c
+ defsnc 'static[ ]unsigned[ ]char[ ]byVT3253B0_AGC4_RFMD2959\[CB_VT3253B0_AGC_FOR_RFMD2959\]\[2\][ ]=' drivers/staging/vt6655/baseband.c
+ defsnc 'static[ ]unsigned[ ]char[ ]byVT3253B0_AIROHA2230\[CB_VT3253B0_INIT_FOR_AIROHA2230\]\[2\][ ]=' drivers/staging/vt6655/baseband.c
+ defsnc 'static[ ]unsigned[ ]char[ ]byVT3253B0_UW2451\[CB_VT3253B0_INIT_FOR_UW2451\]\[2\][ ]=' drivers/staging/vt6655/baseband.c
+ defsnc 'static[ ]unsigned[ ]char[ ]byVT3253B0_AGC\[CB_VT3253B0_AGC\]\[2\][ ]=' drivers/staging/vt6655/baseband.c
+ defsnc 'static[ ]u8[ ]al2230_init_table\[CB_AL2230_INIT_SEQ\]\[3\][ ]=' drivers/staging/vt6656/rf.c
+ defsnc 'static[ ]u8[ ]\(al2230\|vt3226\)_channel_table[012]\[CB_MAX_CHANNEL_24G\]\[3\][ ]=' drivers/staging/vt6656/rf.c
+ defsnc 'static[ ]u8[ ]al7230_init_table\(_amode\)\?\[CB_AL7230_INIT_SEQ\]\[3\][ ]=' drivers/staging/vt6656/rf.c
+ defsnc 'static[ ]u8[ ]\(al7230\|vt3342\)_channel_table[012]\[CB_MAX_CHANNEL\]\[3\][ ]=' drivers/staging/vt6656/rf.c
+ defsnc 'static[ ]u8[ ]vt3226\(d0\)\?_init_table\[CB_VT3226_INIT_SEQ\]\[3\][ ]=' drivers/staging/vt6656/rf.c
+ defsnc 'static[ ]u8[ ]vt3342a0_init_table\[CB_VT3342_INIT_SEQ\]\[3\][ ]=' drivers/staging/vt6656/rf.c
+ defsnc 'static[ ]const[ ]u32[ ]al2230_power_table\[AL2230_PWR_IDX_LEN\][ ]=' drivers/staging/vt6656/rf.c
+ accept 'static[ ]inline[ ]int[ ]request_firmware_direct[(]const[ ]struct[ ]firmware[ ][*][*]fw[,]' include/linux/firmware.h
+ defsnc 'static[ ]u8[ ]const[ ]__aligned[(]8[)][ ]test_buf\[\][ ]__initconst[ ]=' lib/crc32.c
+ defsnc 'static[ ]struct[ ]crc_test[ ][{][^}]*[}][ ]const[ ]test\[\][ ]__initconst[ ]=' lib/crc32.c
+ accept '[\t]rc[ ]=[ ]request_firmware[(][&]test_firmware[,]' lib/test_firmware.c
+ defsnc 'static[ ]struct[ ]reg_default[ ]rt286_index_def\[\][ ]=' sound/soc/codecs/rt286.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt286_reg\[\][ ]=' sound/soc/codecs/rt286.c
+ defsnc 'static[ ]const[ ]struct[ ]reg_default[ ]rt5670_reg\[\][ ]=' sound/soc/codecs/rt5670.c
+ accept 'FW=["][$]FWPATH[/]test-firmware\.bin["]' 'tools/testing/selftests/firmware/fw_\(filesystem\|userhelper\)\.sh'
+ blobname 'qat_895xcc\.bin' drivers/crypto/qat/qat_dh895xcc/adf_dh895xcc_hw_data.h
+ blobname 'dvb-demod-si2165\.fw' drivers/media/dvb-frontends/si2165_priv.h
+ blobname 'dvb-tuner-si2158-a20-01\.fw' drivers/media/tuners/si2157_priv.h
+ blobname 'brcm[/]brcmfmac43\(602\|5[46]\|570\)-pcie\.bin' drivers/net/wireless/brcm80211/brcmfmac/pcie.c
+ blobname 'r8a779x_usb3_v1\.dlmem' drivers/usb/host/xhci-rcar.c
+ blobname 'iwlwifi-3165-' drivers/net/wireless/iwlwifi/iwl-7000.c
;;
*/*freedo*.patch | */*logo*.patch)
accept 'P[13]\([\n]#[^\n]*\)*[\n]*\([\n][0-9 ]*\)\+' drivers/video/logo/logo_libre_clut224.ppm
;;
+ */patch*-3.1[467].*)
+ # False positives in patch-3.17.2, 3.16.7, 3.14.23 and newer.
+ accept '[;][/][*]@@[ ]-[0-9]*,[0-9]*[ ][+][0-9]*,[0-9]*[ ]@@[ ]_request_firmware[(]const[ ]struct[ ]firmware' drivers/base/firmware_class.c
+ accept '[ ]ret[ ]=[ ]_request_firmware_prepare[(]' drivers/base/firmware_class.c
+ ;;
+
*/patch-3.13*)
# Introduced in 3.13.2.
accept '[\t][\t][\t]err[ ]=[ ]request_firmware[(][&]firmware[,][ \t\n]*rtlpriv->cfg' drivers/net/wireless/rtlwifi/core.c
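Review bot: Three of the exception lines added in this hunk carry file-path patterns that look misspelled, so they would never match the files they are written for: `drivers/crpto/ccp/ccp-ops.c` on the `ccp_sha..._zero` line, `drivers/net/wireless/rtlwfi/rtl8723be/table.c` on the `RTL8723BE..._ARRAY` line, and `drivers/gpu/dm/nouveau/core/engine/graph/ctxgk110b.c` on the `gk110b_` line. Going by the sibling entries in the same hunk, these should read `drivers/crypto/`, `drivers/net/wireless/rtlwifi/` and `drivers/gpu/drm/`. As written, the `defsnc` exceptions presumably never apply, and the checker's verdict on those tables no longer reflects the reviewed decision. Separately, in the 3.17 si2168 pattern the `\|-02` alternative follows a literal `-`, so it appears to match only a name with a doubled hyphen; if the `-02` firmware is meant, `\|02` would do. `set_except` starts and ends outside this hunk.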
@@ -7583,7 +7816,19 @@ BAD regular expression:
# Extract or otherwise munge...
case /$input in
*.tar*)
- cmd="tar -xf - --to-command='echo \";/*begin \$TAR_FILENAME*/;\"; cat; echo; echo \";/*end \$TAR_FILENAME*/;\"'"
+ tarwrap=`mktemp -t deblob-check-tarwrap-XXXXXX`
+ tempfiles="$tempfiles $tarwrap"
+
+ cat >> $tarwrap <<EOF
+#! /bin/sh
+echo='$echo' &&
+\$echo ";/*begin \$1*/;" &&
+cat &&
+echo &&
+\$echo ";/*end \$1*/;"
+EOF
+ chmod +x $tarwrap
+ cmd="tar -xf - --to-command='$tarwrap \"\$TAR_FILENAME\"'"
;;
*.patch | *.patch.*z* | */patch-* | *.diff | *.diff.*z*)
if $reverse_patch; then
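Review bot: The `mktemp` result is used unchecked. If it fails, `$tarwrap` is empty, the here-document redirect fails, and `cmd` ends up as `--to-command=' "$TAR_FILENAME"'`, leaving the archive member's name where the wrapper path belongs. Archives are the untrusted input to this script, so it should stop on failure, for example by appending `|| exit 1` to the `mktemp` line (or whatever error exit the script uses elsewhere, which is outside this hunk). `$tarwrap` is also expanded unquoted in `cat >> $tarwrap` and `chmod +x $tarwrap`, so a `TMPDIR` containing whitespace breaks both; `cat > "$tarwrap"` and `chmod +x "$tarwrap"` would be safer. The enclosing `case` statement continues outside the hunk.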
diff --git a/freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch b/freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch
deleted file mode 100644
index ce9de6641..000000000
--- a/freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Andy Lutomirski <luto@amacapital.net>
-Date: Wed, 8 Oct 2014 12:37:46 -0700
-Subject: [PATCH] fs: Add a missing permission check to do_umount
-
-Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
-only one of the two call sites was appropriately protected.
-
-Fixes CVE-2014-7975.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Andy Lutomirski <luto@amacapital.net>
----
- fs/namespace.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index c8e3034ff4b2..fbba8b17330d 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)
- * Special case for "unmounting" root ...
- * we just try to remount it readonly.
- */
-+ if (!capable(CAP_SYS_ADMIN))
-+ return -EPERM;
- down_write(&sb->s_umount);
- if (!(sb->s_flags & MS_RDONLY))
- retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
---
-1.9.3
-
diff --git a/freed-ora/current/f19/kernel.spec b/freed-ora/current/f19/kernel.spec
index 7e94b6580..2bc5e47b8 100644
--- a/freed-ora/current/f19/kernel.spec
+++ b/freed-ora/current/f19/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 101
+%global baserelease 100
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -112,7 +112,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 22
+%define stable_update 23
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@@ -819,9 +819,6 @@ Patch25111: 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
#CVE-2014-7970 rhbz 1151095 1151484
Patch26032: mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
-#CVE-2014-7975 rhbz 1151108 1152025
-Patch26042: fs-Add-a-missing-permission-check-to-do_umount.patch
-
# CVE-2014-3690 rhbz 1153322 1155372
Patch26060: x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
@@ -834,6 +831,20 @@ Patch26062: net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
#CVE-2014-3673 rhbz 1147850 1155727
Patch26063: net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+# CVE-2014-3610 kvm: noncanonical MSR writes (rhbz 1144883 1156543)
+# CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537)
+# CVE-2014-3646 kvm: vmx: invvpid vm exit not handled (rhbz 1144825 1156534)
+# CVE-2014-8369 kvm: excessive pages un-pinning in kvm_iommu_map error path (rhbz 1156518 1156522)
+Patch26070: KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
+Patch26071: KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
+Patch26072: KVM-x86-Improve-thread-safety-in-pit.patch
+Patch26073: KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
+Patch26074: KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
+Patch26075: KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
+Patch26076: kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+Patch26077: kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+Patch26082: kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
+
# END OF PATCH DEFINITIONS
%endif
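Review bot: The four CVE comment lines sit above nine `Patch260xx` entries without saying which patch addresses which CVE. At least four of the file names (relative jump/call masking, eip canonical checks, far-jump RIP errors, unknown exit reason) do not obviously correspond to any of the four listed titles. That makes it hard to audit later which patch may be dropped once a fix lands upstream, as this same commit does for the do_umount patch. Going by the names, each comment could sit directly above the patches it covers, e.g. `# CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537)` immediately before `Patch26072: KVM-x86-Improve-thread-safety-in-pit.patch`, with a reference line of their own for the remaining patches. The same applies to the matching `ApplyPatch` hunk at `@@ -1610,6 +1618,20 @@`, and a short comment on the jump from 26077 to 26082 would show whether the gap is intentional.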
@@ -1595,9 +1606,6 @@ ApplyPatch 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
#CVE-2014-7970 rhbz 1151095 1151484
ApplyPatch mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
-#CVE-2014-7975 rhbz 1151108 1152025
-ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
-
# CVE-2014-3690 rhbz 1153322 1155372
ApplyPatch x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
@@ -1610,6 +1618,20 @@ ApplyPatch net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
#CVE-2014-3673 rhbz 1147850 1155727
ApplyPatch net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+# CVE-2014-3610 kvm: noncanonical MSR writes (rhbz 1144883 1156543)
+# CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537)
+# CVE-2014-3646 kvm: vmx: invvpid vm exit not handled (rhbz 1144825 1156534)
+# CVE-2014-8369 kvm: excessive pages un-pinning in kvm_iommu_map error path (rhbz 1156518 1156522)
+ApplyPatch KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch
+ApplyPatch KVM-x86-Prevent-host-from-panicking-on-shared-MSR-wr.patch
+ApplyPatch KVM-x86-Improve-thread-safety-in-pit.patch
+ApplyPatch KVM-x86-Fix-wrong-masking-on-relative-jump-call.patch
+ApplyPatch KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
+ApplyPatch KVM-x86-Handle-errors-when-RIP-is-set-during-far-jum.patch
+ApplyPatch kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+ApplyPatch kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+ApplyPatch kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2433,6 +2455,18 @@ fi
# and build.
%changelog
+* Thu Oct 30 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.14.23-gnu.
+
+* Thu Oct 30 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.23-100
+- Linux v3.14.23
+
+* Fri Oct 24 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-3610 kvm: noncanonical MSR writes (rhbz 1144883 1156543)
+- CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537)
+- CVE-2014-3646 kvm: vmx: invvpid vm exit not handled (rhbz 1144825 1156534)
+- CVE-2014-8369 kvm: excessive pages un-pinning in kvm_iommu_map error path (rhbz 1156518 1156522)
+
* Wed Oct 22 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.14.22-101
- CVE-2014-3688 sctp: remote memory pressure from excessive queuing (rhbz 1155745 1155751)
- CVE-2014-3687 sctp: panic on duplicate ASCONF chunks (rhbz 1155731 1155738)
diff --git a/freed-ora/current/f19/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch b/freed-ora/current/f19/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
new file mode 100644
index 000000000..a94089d98
--- /dev/null
+++ b/freed-ora/current/f19/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
@@ -0,0 +1,78 @@
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Fri, 24 Oct 2014 17:07:24 +0200
+Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error
+ path.
+
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ virt/kvm/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
+index 714b94932312..1f0dc1e5f1f0 100644
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
+ gfn_t base_gfn, unsigned long npages);
+
+ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
+- unsigned long size)
++ unsigned long npages)
+ {
+ gfn_t end_gfn;
+ pfn_t pfn;
+
+ pfn = gfn_to_pfn_memslot(slot, gfn);
+- end_gfn = gfn + (size >> PAGE_SHIFT);
++ end_gfn = gfn + npages;
+ gfn += 1;
+
+ if (is_error_noslot_pfn(pfn))
+@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+ * Pin all pages we are about to map in memory. This is
+ * important because we unmap and unpin in 4kb steps later.
+ */
+- pfn = kvm_pin_pages(slot, gfn, page_size);
++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
+ if (is_error_noslot_pfn(pfn)) {
+ gfn += 1;
+ continue;
+@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+ if (r) {
+ printk(KERN_ERR "kvm_iommu_map_address:"
+ "iommu failed to map pfn=%llx\n", pfn);
+- kvm_unpin_pages(kvm, pfn, page_size);
++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+ goto unmap_pages;
+ }
+
+--
+1.9.3
+
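Review bot: `kvm_pin_pages()` now takes a page count, but nothing at its definition or at the two changed call sites in `kvm_iommu_map_pages()` says so. The commit message blames the original bug on exactly this unit mismatch between the pin and unpin helpers. I would add a comment above the definition, e.g. `/* npages: number of PAGE_SIZE pages to pin starting at gfn (a count, not a byte length) */`. I would also compute `page_size >> PAGE_SHIFT` once into a local so the pin and the error-path unpin cannot drift apart again. Both function bodies continue outside the inner hunks, so any other callers that still pass a byte size are not visible here.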
diff --git a/freed-ora/current/f19/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch b/freed-ora/current/f19/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
new file mode 100644
index 000000000..25c6af8c5
--- /dev/null
+++ b/freed-ora/current/f19/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
@@ -0,0 +1,79 @@
+From 1d4d4260d85f76b6c07ec165fba0fa81005ae68b Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Fri, 24 Oct 2014 17:07:18 +0200
+Subject: [PATCH] kvm: vmx: handle invvpid vm exit gracefully
+
+On systems with invvpid instruction support (corresponding bit in
+IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
+causes vm exit, which is currently not handled and results in
+propagation of unknown exit to userspace.
+
+Fix this by installing an invvpid vm exit handler.
+
+This is CVE-2014-3646.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/include/uapi/asm/vmx.h | 2 ++
+ arch/x86/kvm/vmx.c | 9 ++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h
+index 0e79420376eb..990a2fe1588d 100644
+--- a/arch/x86/include/uapi/asm/vmx.h
++++ b/arch/x86/include/uapi/asm/vmx.h
+@@ -67,6 +67,7 @@
+ #define EXIT_REASON_EPT_MISCONFIG 49
+ #define EXIT_REASON_INVEPT 50
+ #define EXIT_REASON_PREEMPTION_TIMER 52
++#define EXIT_REASON_INVVPID 53
+ #define EXIT_REASON_WBINVD 54
+ #define EXIT_REASON_XSETBV 55
+ #define EXIT_REASON_APIC_WRITE 56
+@@ -114,6 +115,7 @@
+ { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \
+ { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \
+ { EXIT_REASON_INVD, "INVD" }, \
++ { EXIT_REASON_INVVPID, "INVVPID" }, \
+ { EXIT_REASON_INVPCID, "INVPCID" }
+
+ #endif /* _UAPIVMX_H */
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index f0d9b00cfc9f..4e9a45dab731 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6450,6 +6450,12 @@ static int handle_invept(struct kvm_vcpu *vcpu)
+ return 1;
+ }
+
++static int handle_invvpid(struct kvm_vcpu *vcpu)
++{
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
++}
++
+ /*
+ * The exit handlers return 1 if the exit was handled fully and guest execution
+ * may resume. Otherwise they set the kvm_run parameter to indicate what needs
+@@ -6495,6 +6501,7 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
+ [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op,
+ [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op,
+ [EXIT_REASON_INVEPT] = handle_invept,
++ [EXIT_REASON_INVVPID] = handle_invvpid,
+ };
+
+ static const int kvm_vmx_max_exit_handlers =
+@@ -6728,7 +6735,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
+ case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
+ case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
+ case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
+- case EXIT_REASON_INVEPT:
++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
+ /*
+ * VMX instructions trap unconditionally. This allows L1 to
+ * emulate them for its L2 guest, i.e., allows 3-level nesting!
+--
+1.9.3
+
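Review bot: `handle_invvpid()` queues `UD_VECTOR` unconditionally and has no comment explaining why that is the right response. A later reader cannot tell whether this is a deliberate "feature not exposed to the guest" policy or a stub awaiting real emulation. I would add a short comment above it, e.g. `/* INVVPID is not emulated for the guest; report it as an undefined opcode (assumes VPID is not advertised to L1 - confirm) */`. The `nested_vmx_exit_handled()` case list that gains `EXIT_REASON_INVVPID` continues outside the hunk, so the reflected-to-L1 path is only partly visible here.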
diff --git a/freed-ora/current/f19/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch b/freed-ora/current/f19/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
new file mode 100644
index 000000000..d6283bc64
--- /dev/null
+++ b/freed-ora/current/f19/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
@@ -0,0 +1,54 @@
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 24 Oct 2014 17:07:19 +0200
+Subject: [PATCH] kvm: x86: don't kill guest on unknown exit reason
+
+KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
+triggered by a priveledged application. Let's not kill the guest: WARN
+and inject #UD instead.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/svm.c | 6 +++---
+ arch/x86/kvm/vmx.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index e2de97daa03c..78dadc36fc78 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3534,9 +3534,9 @@ static int handle_exit(struct kvm_vcpu *vcpu)
+
+ if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
+ || !svm_exit_handlers[exit_code]) {
+- kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+- kvm_run->hw.hardware_exit_reason = exit_code;
+- return 0;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+
+ return svm_exit_handlers[exit_code](svm);
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 12dd2b2e655c..41a5426c8edb 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7065,10 +7065,10 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
+ && kvm_vmx_exit_handlers[exit_reason])
+ return kvm_vmx_exit_handlers[exit_reason](vcpu);
+ else {
+- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
+- vcpu->run->hw.hardware_exit_reason = exit_reason;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+- return 0;
+ }
+
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
+--
+1.9.3
+
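Review bot: The new warning in `svm.c`'s `handle_exit()` is labelled `"vmx: unexpected exit reason 0x%x\n"`, copied from the vmx.c hunk. On an AMD host the kernel log would therefore blame the wrong vendor module, so it should read `WARN_ONCE(1, "svm: unexpected exit reason 0x%x\n", exit_code);`. The removed lines also reported every unknown exit code to userspace through `hw.hardware_exit_reason`, whereas `WARN_ONCE` records only the first. Later unknown exits, possibly with different codes, leave no trace for whoever is triaging guest behaviour. A rate-limited log of the exit code alongside the `#UD` injection would keep that visibility. Both functions continue outside the inner hunks.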
diff --git a/freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign b/freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign
deleted file mode 100644
index 063e0b6b5..000000000
--- a/freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEUEABECAAYFAlQ/Ix0ACgkQvLfPh359R6cCVQCYw00+rGBb0WefZv9O7Zbp7SKS
-0QCgp7xp3cvpTALk6Usbgd8WTlfEQkM=
-=11Vx
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f19/patch-3.14-gnu-3.14.23-gnu.xz.sign b/freed-ora/current/f19/patch-3.14-gnu-3.14.23-gnu.xz.sign
new file mode 100644
index 000000000..9e9f94c21
--- /dev/null
+++ b/freed-ora/current/f19/patch-3.14-gnu-3.14.23-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAlRSzGYACgkQvLfPh359R6fkQgCeJ9IxKtsfQDCgG4S4rkG2vNai
+VT4An2VTux7czPOb1KYBwxxktbcuLkjg
+=D/CK
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f19/sources b/freed-ora/current/f19/sources
index 427a25e8d..a8cffe14d 100644
--- a/freed-ora/current/f19/sources
+++ b/freed-ora/current/f19/sources
@@ -1,2 +1,2 @@
c108ec52eeb2a9b9ddbb8d12496ff25f linux-libre-3.14-gnu.tar.xz
-548d5b5c7e091eeb23cc3204a7dc4d07 patch-3.14-gnu-3.14.22-gnu.xz
+2ec8e88a8768e9c6e64ff7f55fd64f95 patch-3.14-gnu-3.14.23-gnu.xz