1 files changed, 86 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
new file mode 100644
index 0000000..e43771c
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
@@ -0,0 +1,86 @@
+From 248541357433e3035d954435dafcdb9e70afee4e Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Fri, 17 Oct 2014 22:55:59 +0200
+Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error
+ path.
+commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+Fix for CVE-2014-8369
+Upstream-Status: Backport
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ virt/kvm/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
+index dec9971..a650aa4 100644
+--- a/virt/kvm/iommu.c
+++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
+                                gfn_t base_gfn, unsigned long npages);
+ 
+ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
+-                          unsigned long size)
+                          unsigned long npages)
+ {
+        gfn_t end_gfn;
+        pfn_t pfn;
+ 
+        pfn     = gfn_to_pfn_memslot(slot, gfn);
+-       end_gfn = gfn + (size >> PAGE_SHIFT);
+       end_gfn = gfn + npages;
+        gfn    += 1;
+ 
+        if (is_error_noslot_pfn(pfn))
+@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+                 * Pin all pages we are about to map in memory. This is
+                 * important because we unmap and unpin in 4kb steps later.
+                 */
+-               pfn = kvm_pin_pages(slot, gfn, page_size);
+               pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
+                if (is_error_noslot_pfn(pfn)) {
+                        gfn += 1;
+                        continue;
+@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+                if (r) {
+                        printk(KERN_ERR "kvm_iommu_map_address:"
+                               "iommu failed to map pfn=%llx\n", pfn);
+-                       kvm_unpin_pages(kvm, pfn, page_size);
+                       kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+                        goto unmap_pages;
+                }
+ 
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch new file mode 100644 index 0000000..e43771c --- /dev/null +++ b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
@@ -0,0 +1,86 @@
	1	From 248541357433e3035d954435dafcdb9e70afee4e Mon Sep 17 00:00:00 2001
	2	From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
	3	Date: Fri, 17 Oct 2014 22:55:59 +0200
	4	Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error
	5	path.
	6
	7	commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
	8
	9	The third parameter of kvm_unpin_pages() when called from
	10	kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
	11	and not the page size.
	12
	13	This error was facilitated with an inconsistent API: kvm_pin_pages() takes
	14	a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
	15	by matching the two.
	16
	17	This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
	18	of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
	19	un-pinning for pages intended to be un-pinned (i.e. memory leak) but
	20	unfortunately potentially aggravated the number of pages we un-pin that
	21	should have stayed pinned. As far as I understand though, the same
	22	practical mitigations apply.
	23
	24	This issue was found during review of Red Hat 6.6 patches to prepare
	25	Ksplice rebootless updates.
	26
	27	Thanks to Vegard for his time on a late Friday evening to help me in
	28	understanding this code.
	29
	30	Fix for CVE-2014-8369
	31
	32	Upstream-Status: Backport
	33
	34	Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
	35	Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
	36	Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
	37	Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
	38	Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
	39	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	40	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
	41	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	42	---
	43	virt/kvm/iommu.c \| 8 ++++----
	44	1 file changed, 4 insertions(+), 4 deletions(-)
	45
	46	diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
	47	index dec9971..a650aa4 100644
	48	--- a/virt/kvm/iommu.c
	49	+++ b/virt/kvm/iommu.c
	50	@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
	51	gfn_t base_gfn, unsigned long npages);
	52
	53	static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
	54	- unsigned long size)
	55	+ unsigned long npages)
	56	{
	57	gfn_t end_gfn;
	58	pfn_t pfn;
	59
	60	pfn = gfn_to_pfn_memslot(slot, gfn);
	61	- end_gfn = gfn + (size >> PAGE_SHIFT);
	62	+ end_gfn = gfn + npages;
	63	gfn += 1;
	64
	65	if (is_error_noslot_pfn(pfn))
	66	@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm kvm, struct kvm_memory_slot slot)
	67	* Pin all pages we are about to map in memory. This is
	68	* important because we unmap and unpin in 4kb steps later.
	69	*/
	70	- pfn = kvm_pin_pages(slot, gfn, page_size);
	71	+ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
	72	if (is_error_noslot_pfn(pfn)) {
	73	gfn += 1;
	74	continue;
	75	@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm kvm, struct kvm_memory_slot slot)
	76	if (r) {
	77	printk(KERN_ERR "kvm_iommu_map_address:"
	78	"iommu failed to map pfn=%llx\n", pfn);
	79	- kvm_unpin_pages(kvm, pfn, page_size);
	80	+ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
	81	goto unmap_pages;
	82	}
	83
	84	--
	85	1.9.1
	86