1. 14 Feb, 2013 5 commits
  2. 03 Feb, 2013 11 commits
  3. 20 Jan, 2013 1 commit
  4. 16 Jan, 2013 3 commits
    • Andrew Cooper's avatar
      xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests. · 9174adbe
      Andrew Cooper authored
      This fixes CVE-2013-0190 / XSA-40
      
      There has been an error on the xen_failsafe_callback path for failed
      iret, which causes the stack pointer to be wrong when entering the
      iret_exc error path.  This can result in the kernel crashing.
      
      In the classic kernel case, the relevant code looked a little like:
      
              popl %eax      # Error code from hypervisor
              jz 5f
              addl $16,%esp
              jmp iret_exc   # Hypervisor said iret fault
      5:      addl $16,%esp
                             # Hypervisor said segment selector fault
      
      Here, there are two identical addls on either option of a branch which
      appears to have been optimised by hoisting it above the jz, and
      converting it to an lea, which leaves the flags register unaffected.
      
      In the PVOPS case, the code looks like:
      
              popl_cfi %eax         # Error from the hypervisor
              lea 16(%esp),%esp     # Add $16 before choosing fault path
              CFI_ADJUST_CFA_OFFSET -16
              jz 5f
              addl $16,%esp         # Incorrectly adjust %esp again
              jmp iret_exc
      
      It is possible unprivileged userspace applications to cause this
      behaviour, for example by loading an LDT code selector, then changing
      the code selector to be not-present.  At this point, there is a race
      condition where it is possible for the hypervisor to return back to
      userspace from an interrupt, fault on its own iret, and inject a
      failsafe_callback into the kernel.
      
      This bug has been present since the introduction of Xen PVOPS support
      in commit 5ead97c8 (xen: Core Xen implementation), in 2.6.23.
      Signed-off-by: default avatarFrediano Ziglio <frediano.ziglio@citrix.com>
      Signed-off-by: default avatarAndrew Cooper <andrew.cooper3@citrix.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      9174adbe
    • Heiko Carstens's avatar
      s390/time: fix sched_clock() overflow · ed4f2094
      Heiko Carstens authored
      Converting a 64 Bit TOD format value to nanoseconds means that the value
      must be divided by 4.096. In order to achieve that we multiply with 125
      and divide by 512.
      When used within sched_clock() this triggers an overflow after appr.
      417 days. Resulting in a sched_clock() return value that is much smaller
      than previously and therefore may cause all sort of weird things in
      subsystems that rely on a monotonic sched_clock() behaviour.
      
      To fix this implement a tod_to_ns() helper function which converts TOD
      values without overflow and call this function from both places that
      open coded the conversion: sched_clock() and kvm_s390_handle_wait().
      
      Cc: stable@kernel.org
      Reviewed-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      ed4f2094
    • Kuninori Morimoto's avatar
      sh: ecovec: add sample amixer settings · 035688d9
      Kuninori Morimoto authored
      FSI - DA7210 needs amixer settings to use it.
      This patch adds quick setting guide
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarPaul Mundt <lethal@linux-sh.org>
      035688d9
  5. 15 Jan, 2013 2 commits
  6. 14 Jan, 2013 4 commits
  7. 13 Jan, 2013 2 commits
  8. 12 Jan, 2013 3 commits
  9. 11 Jan, 2013 5 commits
  10. 10 Jan, 2013 4 commits