Update to kernel-4.14.150

* origin/pr/93:
  Update to kernel-4.14.143

config-base

@@ -1,4 +1,4 @@
-# Base config based on Fedora's config (kernel-core-4.14.11-300.fc27.x86_64.rpm)
+# Base config based on Fedora's config (kernel-core-4.14.18-300.fc27.x86_64.rpm)
 # Only modification is `yes '' | make oldconfig` to drop config settings which
 # depend on Fedora patches and adjust for the small version difference.
 
@@ -230,6 +230,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
@@ -463,6 +464,7 @@ CONFIG_X86_FAST_FEATURE_TESTS=y
 CONFIG_X86_X2APIC=y
 CONFIG_X86_MPPARSE=y
 # CONFIG_GOLDFISH is not set
+CONFIG_RETPOLINE=y
 CONFIG_INTEL_RDT=y
 CONFIG_X86_EXTENDED_PLATFORM=y
 CONFIG_X86_NUMACHIP=y
@@ -1845,6 +1847,7 @@ CONFIG_TEST_ASYNC_DRIVER_PROBE=m
 CONFIG_SYS_HYPERVISOR=y
 # CONFIG_GENERIC_CPU_DEVICES is not set
 CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
 CONFIG_REGMAP=y
 CONFIG_REGMAP_I2C=y
 CONFIG_REGMAP_SPI=y
@@ -7199,7 +7202,7 @@ CONFIG_EFI_RUNTIME_WRAPPERS=y
 # CONFIG_EFI_CAPSULE_LOADER is not set
 # CONFIG_EFI_TEST is not set
 CONFIG_APPLE_PROPERTIES=y
-CONFIG_RESET_ATTACK_MITIGATION=y
+# CONFIG_RESET_ATTACK_MITIGATION is not set
 CONFIG_UEFI_CPER=y
 CONFIG_EFI_DEV_PATH_PARSER=y
 

config-qubes

@@ -87,8 +87,6 @@ CONFIG_SECURITY_YAMA=y
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
-
 
 ################################################################################
 ## Enable paravirt spinlocks. This should be more performant.
@@ -129,6 +127,13 @@ CONFIG_USB_CONFIGFS_MASS_STORAGE=y
 CONFIG_USB_DUMMY_HCD=m
 
 
+################################################################################
+## Enable AppArmor
+## It's optionally used by Whonix (https://www.whonix.org/wiki/AppArmor).
+
+CONFIG_SECURITY_APPARMOR=y
+
+
 ################################################################################
 ## TODO: from diff to old config
 
@@ -139,7 +144,6 @@ CONFIG_USB_DUMMY_HCD=m
 ##
 ## CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
 ##
-## CONFIG_SECURITY_APPARMOR=y
 ## sensors from 0f976d972a1671a303fad30a5e690304b0b82ee0
 ##
 ## Intel ME driver e0f8e9ca81b80d897b190f48a4af80eff3198cb1

kernel.spec

@@ -53,6 +53,14 @@ BuildRequires:  bc
 BuildRequires:  openssl-devel
 BuildRequires:  gcc-plugin-devel
 BuildRequires:  elfutils-libelf-devel
+
+# gcc with support for BTI mitigation
+%if 0%{?fedora} == 23
+BuildRequires:  gcc >= 5.3.1-6.qubes1
+%else
+BuildRequires:  gcc >= 6.4.1-1.qubes1
+%endif
+
 Provides:       multiversion(kernel)
 Provides:       %name = %kernelrelease
 
@@ -459,13 +467,16 @@ umount /tmp/qubes-modules-%kernelrelease
 rmdir /tmp/qubes-modules-%kernelrelease
 mv /tmp/qubes-modules-%kernelrelease.img %vm_install_dir/modules.img
 
-%if "%{name_suffix}" == ""
+current_default="$(qubes-prefs default-kernel)"
+current_default_path="/var/lib/qubes/vm-kernels/$current_default"
+current_default_package="$(rpm --qf '%{NAME}' -qf "$current_default_path")"
+if [ "$current_default_package" = "%{name}-qubes-vm" ]; then
 # Set kernel as default VM kernel if we are the default package.
 
 # If qubes-prefs isn't installed yet, the default kernel will be set by %post
 # of qubes-core-dom0
 type qubes-prefs &>/dev/null && qubes-prefs --set default-kernel %version-%plainrel
-%endif
+fi
 
 exit 0
 

patches.rpmify/makefile-after_link.patch

@@ -1,4 +1,4 @@
-From 649d991ca7737dd227f2a1ca4f30247daf6a7b4b Mon Sep 17 00:00:00 2001
+From 2f41a374760c07fc0a8f13050d7f24f773a39529 Mon Sep 17 00:00:00 2001
 From: Roland McGrath <roland@redhat.com>
 Date: Mon, 6 Oct 2008 23:03:03 -0700
 Subject: [PATCH] kbuild: AFTER_LINK
@@ -11,20 +11,16 @@ Upstream-status: ??
 
 Signed-off-by: Roland McGrath <roland@redhat.com>
 ---
- arch/arm64/kernel/vdso/Makefile     | 3 ++-
- arch/powerpc/kernel/vdso32/Makefile | 3 ++-
- arch/powerpc/kernel/vdso64/Makefile | 3 ++-
- arch/s390/kernel/vdso32/Makefile    | 3 ++-
- arch/s390/kernel/vdso64/Makefile    | 3 ++-
- arch/x86/entry/vdso/Makefile        | 5 +++--
- scripts/link-vmlinux.sh             | 4 ++++
- 7 files changed, 17 insertions(+), 7 deletions(-)
+ arch/arm64/kernel/vdso/Makefile | 3 ++-
+ arch/x86/entry/vdso/Makefile    | 5 +++--
+ scripts/link-vmlinux.sh         | 4 ++++
+ 3 files changed, 9 insertions(+), 3 deletions(-)
 
 diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
-index 62c84f7..f44236a 100644
+index b215c712d897..e18cd2a3ea53 100644
 --- a/arch/arm64/kernel/vdso/Makefile
 +++ b/arch/arm64/kernel/vdso/Makefile
-@@ -54,7 +54,8 @@ $(obj-vdso): %.o: %.S FORCE
+@@ -55,7 +55,8 @@ $(obj-vdso): %.o: %.S FORCE
  
  # Actual build commands
  quiet_cmd_vdsold = VDSOL   $@
@@ -34,83 +30,27 @@ index 62c84f7..f44236a 100644
  quiet_cmd_vdsoas = VDSOA   $@
        cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
  
-diff --git a/arch/powerpc/kernel/vdso32/Makefile b/arch/powerpc/kernel/vdso32/Makefile
-index 78a7449..c9592c0 100644
---- a/arch/powerpc/kernel/vdso32/Makefile
-+++ b/arch/powerpc/kernel/vdso32/Makefile
-@@ -44,7 +44,8 @@ $(obj-vdso32): %.o: %.S FORCE
- 
- # actual build commands
- quiet_cmd_vdso32ld = VDSO32L $@
--      cmd_vdso32ld = $(CROSS32CC) $(c_flags) -o $@ -Wl,-T$(filter %.lds,$^) $(filter %.o,$^)
-+      cmd_vdso32ld = $(CROSS32CC) $(c_flags) -o $@ -Wl,-T$(filter %.lds,$^) $(filter %.o,$^) \
-+		     $(if $(AFTER_LINK),; $(AFTER_LINK))
- quiet_cmd_vdso32as = VDSO32A $@
-       cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
- 
-diff --git a/arch/powerpc/kernel/vdso64/Makefile b/arch/powerpc/kernel/vdso64/Makefile
-index 31107bf..96aded3 100644
---- a/arch/powerpc/kernel/vdso64/Makefile
-+++ b/arch/powerpc/kernel/vdso64/Makefile
-@@ -33,7 +33,8 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE
- 
- # actual build commands
- quiet_cmd_vdso64ld = VDSO64L $@
--      cmd_vdso64ld = $(CC) $(c_flags) -o $@ -Wl,-T$(filter %.lds,$^) $(filter %.o,$^)
-+      cmd_vdso64ld = $(CC) $(c_flags) -o $@ -Wl,-T$(filter %.lds,$^) $(filter %.o,$^) \
-+		    $(if $(AFTER_LINK),; $(AFTER_LINK))
- 
- # install commands for the unstripped file
- quiet_cmd_vdso_install = INSTALL $@
-diff --git a/arch/s390/kernel/vdso32/Makefile b/arch/s390/kernel/vdso32/Makefile
-index 6cc9478..94fb536 100644
---- a/arch/s390/kernel/vdso32/Makefile
-+++ b/arch/s390/kernel/vdso32/Makefile
-@@ -46,7 +46,8 @@ $(obj-vdso32): %.o: %.S
- 
- # actual build commands
- quiet_cmd_vdso32ld = VDSO32L $@
--      cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@
-+      cmd_vdso32ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ \
-+		     $(if $(AFTER_LINK),; $(AFTER_LINK))
- quiet_cmd_vdso32as = VDSO32A $@
-       cmd_vdso32as = $(CC) $(a_flags) -c -o $@ $<
- 
-diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
-index 2d54c18..a0e3e9d 100644
---- a/arch/s390/kernel/vdso64/Makefile
-+++ b/arch/s390/kernel/vdso64/Makefile
-@@ -46,7 +46,8 @@ $(obj-vdso64): %.o: %.S
- 
- # actual build commands
- quiet_cmd_vdso64ld = VDSO64L $@
--      cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@
-+      cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ \
-+		     $(if $(AFTER_LINK),; $(AFTER_LINK))
- quiet_cmd_vdso64as = VDSO64A $@
-       cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $<
- 
 diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
-index d540966..eeb47b6 100644
+index ab7f730cf7f2..7b6c1583f910 100644
 --- a/arch/x86/entry/vdso/Makefile
 +++ b/arch/x86/entry/vdso/Makefile
-@@ -167,8 +167,9 @@ $(obj)/vdso32.so.dbg: FORCE \
+@@ -178,8 +178,9 @@ $(obj)/vdso32.so.dbg: FORCE \
  quiet_cmd_vdso = VDSO    $@
-       cmd_vdso = $(CC) -nostdlib -o $@ \
+       cmd_vdso = $(LD) -nostdlib -o $@ \
  		       $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
--		       -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
+-		       -T $(filter %.lds,$^) $(filter %.o,$^) && \
 -		 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
-+		       -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) \
++		       -T $(filter %.lds,$^) $(filter %.o,$^) \
 +		$(if $(AFTER_LINK),; $(AFTER_LINK)) && \
 +		sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
  
- VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=both) \
- 	$(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
+ VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \
+ 	$(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \
 diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
-index f742c65..526eee4 100755
+index e6818b8e7141..54bbfafaf0fc 100755
 --- a/scripts/link-vmlinux.sh
 +++ b/scripts/link-vmlinux.sh
-@@ -111,6 +111,10 @@ vmlinux_link()
+@@ -139,6 +139,10 @@ vmlinux_link()
  			-lutil -lrt -lpthread
  		rm -f linux
  	fi
@@ -122,5 +62,5 @@ index f742c65..526eee4 100755
  
  
 -- 
-2.7.4
+2.20.1
 

patches.xen/xen-Fix-set-clear-_foreign_p2m_mapping-on-autotransl.patch

@@ -1,40 +0,0 @@
-From c71b9388cef5106ad8aa4f8db3d03388e74e5b89 Mon Sep 17 00:00:00 2001
-From: Simon Gaiser <simon@invisiblethingslab.com>
-Date: Fri, 5 Jan 2018 18:28:39 +0100
-Subject: [PATCH] xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating
- guests
-
-Commit 82616f9599a7 ("xen: remove tests for pvh mode in pure pv paths")
-removed the check for autotranslation from {set,clear}_foreign_p2m_mapping
-but those are called by grant-table.c also on PVH/HVM guests.
----
- arch/x86/xen/p2m.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
-index 6083ba462f35..15812e553b95 100644
---- a/arch/x86/xen/p2m.c
-+++ b/arch/x86/xen/p2m.c
-@@ -694,6 +694,9 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops,
- 	int i, ret = 0;
- 	pte_t *pte;
- 
-+	if (xen_feature(XENFEAT_auto_translated_physmap))
-+		return 0;
-+
- 	if (kmap_ops) {
- 		ret = HYPERVISOR_grant_table_op(GNTTABOP_map_grant_ref,
- 						kmap_ops, count);
-@@ -736,6 +739,9 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops,
- {
- 	int i, ret = 0;
- 
-+	if (xen_feature(XENFEAT_auto_translated_physmap))
-+		return 0;
-+
- 	for (i = 0; i < count; i++) {
- 		unsigned long mfn = __pfn_to_mfn(page_to_pfn(pages[i]));
- 		unsigned long pfn = page_to_pfn(pages[i]);
--- 
-2.15.1
-

patches.xen/xsa155-linux-0008-xen-Add-RING_COPY_RESPONSE.patch

@@ -1,13 +1,11 @@
-From 8322f4eddaf1fe5a9bdf5252c8140daa8bad60fd Mon Sep 17 00:00:00 2001
+From bf0b3f33476360b5d72f87d749409b0a2b1a57cb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Tue, 15 Dec 2015 21:35:14 +0100
-Subject: [PATCH 08/13] xen: Add RING_COPY_RESPONSE()
+Subject: [PATCH] xen: Add RING_COPY_RESPONSE()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Using RING_GET_RESPONSE() on a shared ring is easy to use incorrectly
 (i.e., by not considering that the other end may alter the data in the
@@ -31,10 +29,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  1 file changed, 14 insertions(+)
 
 diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h
-index 7dc685b..312415c 100644
+index 3f40501fc60b..03702f6874df 100644
 --- a/include/xen/interface/io/ring.h
 +++ b/include/xen/interface/io/ring.h
-@@ -198,6 +198,20 @@ struct __name##_back_ring {						\
+@@ -201,6 +201,20 @@ struct __name##_back_ring {						\
  #define RING_GET_RESPONSE(_r, _idx)					\
      (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
  
@@ -56,5 +54,5 @@ index 7dc685b..312415c 100644
  #define RING_REQUEST_CONS_OVERFLOW(_r, _cons)				\
      (((_cons) - (_r)->rsp_prod_pvt) >= RING_SIZE(_r))
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux-0011-xen-netfront-add-range-check-for-Tx-response-id.patch

@@ -1,13 +1,11 @@
-From 76a020d3b2023ca02961eab38318ef2d6f1338d9 Mon Sep 17 00:00:00 2001
+From f8bc4b3be49e47dcf005ce12ef25071fe16bd45b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:22:24 +0100
-Subject: [PATCH 11/13] xen-netfront: add range check for Tx response id
+Subject: [PATCH] xen-netfront: add range check for Tx response id
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Tx response ID is fetched from shared page, so make sure it is sane
 before using it as an array index.
@@ -21,10 +19,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index 959e479..94309e6 100644
+index 026d39702217..4150128ab893 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
-@@ -379,6 +379,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
+@@ -395,6 +395,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
  				continue;
  
  			id  = txrsp.id;
@@ -33,5 +31,5 @@ index 959e479..94309e6 100644
  			if (unlikely(gnttab_query_foreign_access(
  				queue->grant_tx_ref[id]) != 0)) {
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux312-0012-xen-blkfront-make-local-copy-of-response-before-usin.patch

@@ -1,14 +1,11 @@
-From ef0d243bfeaf1da8854c26f89536dc1b69c56602 Mon Sep 17 00:00:00 2001
+From 26baa3367516dac7e376e2595d187dd9887bf0e0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:51:10 +0100
-Subject: [PATCH 12/13] xen-blkfront: make local copy of response before using
- it
+Subject: [PATCH] xen-blkfront: make local copy of response before using it
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Data on the shared page can be changed at any time by the backend. Make
 a local copy, which is no longer controlled by the backend. And only
@@ -23,10 +20,10 @@ Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  1 file changed, 17 insertions(+), 17 deletions(-)
 
 diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index 2fee2ee..5d7eb04 100644
+index b5cedccb5d7d..87781c076733 100644
 --- a/drivers/block/xen-blkfront.c
 +++ b/drivers/block/xen-blkfront.c
-@@ -1552,7 +1552,7 @@ static bool blkif_completion(unsigned long *id,
+@@ -1548,7 +1548,7 @@ static bool blkif_completion(unsigned long *id,
  static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  {
  	struct request *req;
@@ -35,7 +32,7 @@ index 2fee2ee..5d7eb04 100644
  	RING_IDX i, rp;
  	unsigned long flags;
  	struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id;
-@@ -1569,8 +1569,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1565,8 +1565,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  	for (i = rinfo->ring.rsp_cons; i != rp; i++) {
  		unsigned long id;
  
@@ -46,7 +43,7 @@ index 2fee2ee..5d7eb04 100644
  		/*
  		 * The backend has messed up and given us an id that we would
  		 * never have given to it (we stamp it up to BLK_RING_SIZE -
-@@ -1578,39 +1578,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1574,39 +1574,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  		 */
  		if (id >= BLK_RING_SIZE(info)) {
  			WARN(1, "%s: response to %s has incorrect id (%ld)\n",
@@ -94,7 +91,7 @@ index 2fee2ee..5d7eb04 100644
  				blkif_req(req)->error = BLK_STS_NOTSUPP;
  				info->feature_discard = 0;
  				info->feature_secdiscard = 0;
-@@ -1620,15 +1620,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1616,15 +1616,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  			break;
  		case BLKIF_OP_FLUSH_DISKCACHE:
  		case BLKIF_OP_WRITE_BARRIER:
@@ -114,7 +111,7 @@ index 2fee2ee..5d7eb04 100644
  				blkif_req(req)->error = BLK_STS_NOTSUPP;
  			}
  			if (unlikely(blkif_req(req)->error)) {
-@@ -1641,9 +1641,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
+@@ -1637,9 +1637,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
  			/* fall through */
  		case BLKIF_OP_READ:
  		case BLKIF_OP_WRITE:
@@ -127,5 +124,5 @@ index 2fee2ee..5d7eb04 100644
  			break;
  		default:
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux44-0009-xen-netfront-copy-response-out-of-shared-buffer-befo.patch

@@ -1,14 +1,12 @@
-From 3a1006355114da4b8fc4b935a64928b7f6ae374f Mon Sep 17 00:00:00 2001
+From c7c1661d1b265ea620939bb5da4958eb0fb1385b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:09:55 +0100
-Subject: [PATCH 09/13] xen-netfront: copy response out of shared buffer before
+Subject: [PATCH] xen-netfront: copy response out of shared buffer before
  accessing it
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Make local copy of the response, otherwise backend might modify it while
 frontend is already processing it - leading to time of check / time of
@@ -16,14 +14,14 @@ use issue.
 
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
- drivers/net/xen-netfront.c | 51 +++++++++++++++++++++++-----------------------
+ drivers/net/xen-netfront.c | 51 +++++++++++++++++++-------------------
  1 file changed, 25 insertions(+), 26 deletions(-)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index d6abf19..2af5100 100644
+index 9dd2ca62d84a..1b6c319d74f1 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
-@@ -372,13 +372,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
+@@ -388,13 +388,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
  		rmb(); /* Ensure we see responses up to 'rp'. */
  
  		for (cons = queue->tx.rsp_cons; cons != prod; cons++) {
@@ -41,7 +39,7 @@ index d6abf19..2af5100 100644
  			skb = queue->tx_skbs[id].skb;
  			if (unlikely(gnttab_query_foreign_access(
  				queue->grant_tx_ref[id]) != 0)) {
-@@ -721,7 +721,7 @@ static int xennet_get_extras(struct netfront_queue *queue,
+@@ -742,7 +742,7 @@ static int xennet_get_extras(struct netfront_queue *queue,
  			     RING_IDX rp)
  
  {
@@ -50,7 +48,7 @@ index d6abf19..2af5100 100644
  	struct device *dev = &queue->info->netdev->dev;
  	RING_IDX cons = queue->rx.rsp_cons;
  	int err = 0;
-@@ -737,24 +737,23 @@ static int xennet_get_extras(struct netfront_queue *queue,
+@@ -758,24 +758,23 @@ static int xennet_get_extras(struct netfront_queue *queue,
  			break;
  		}
  
@@ -82,7 +80,7 @@ index d6abf19..2af5100 100644
  
  	queue->rx.rsp_cons = cons;
  	return err;
-@@ -764,28 +763,28 @@ static int xennet_get_responses(struct netfront_queue *queue,
+@@ -785,28 +784,28 @@ static int xennet_get_responses(struct netfront_queue *queue,
  				struct netfront_rx_info *rinfo, RING_IDX rp,
  				struct sk_buff_head *list)
  {
@@ -93,8 +91,8 @@ index d6abf19..2af5100 100644
  	RING_IDX cons = queue->rx.rsp_cons;
  	struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
  	grant_ref_t ref = xennet_get_rx_ref(queue, cons);
--	int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD);
-+	int max = MAX_SKB_FRAGS + (rx.status <= RX_COPY_THRESHOLD);
+-	int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
++	int max = XEN_NETIF_NR_SLOTS_MIN + (rx.status <= RX_COPY_THRESHOLD);
  	int slots = 1;
  	int err = 0;
  	unsigned long ret;
@@ -117,7 +115,7 @@ index d6abf19..2af5100 100644
  			xennet_move_rx_slot(queue, skb, ref);
  			err = -EINVAL;
  			goto next;
-@@ -799,7 +798,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+@@ -820,7 +819,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
  		if (ref == GRANT_INVALID_REF) {
  			if (net_ratelimit())
  				dev_warn(dev, "Bad rx response id %d.\n",
@@ -126,7 +124,7 @@ index d6abf19..2af5100 100644
  			err = -EINVAL;
  			goto next;
  		}
-@@ -812,7 +811,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
+@@ -833,7 +832,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
  		__skb_queue_tail(list, skb);
  
  next:
@@ -135,7 +133,7 @@ index d6abf19..2af5100 100644
  			break;
  
  		if (cons + slots == rp) {
-@@ -822,7 +821,7 @@ next:
+@@ -843,7 +842,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
  			break;
  		}
  
@@ -144,7 +142,7 @@ index d6abf19..2af5100 100644
  		skb = xennet_get_rx_skb(queue, cons + slots);
  		ref = xennet_get_rx_ref(queue, cons + slots);
  		slots++;
-@@ -878,9 +877,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
+@@ -898,9 +897,9 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
  	struct sk_buff *nskb;
  
  	while ((nskb = __skb_dequeue(list))) {
@@ -154,18 +152,18 @@ index d6abf19..2af5100 100644
  		skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
 +		RING_COPY_RESPONSE(&queue->rx, ++cons, &rx);
  
- 		if (shinfo->nr_frags == MAX_SKB_FRAGS) {
+ 		if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
  			unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
-@@ -891,7 +890,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
- 		BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
+@@ -912,7 +911,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
  
- 		skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
+ 		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+ 				skb_frag_page(nfrag),
 -				rx->offset, rx->status, PAGE_SIZE);
 +				rx.offset, rx.status, PAGE_SIZE);
  
  		skb_shinfo(nskb)->nr_frags = 0;
  		kfree_skb(nskb);
-@@ -987,7 +986,7 @@ static int xennet_poll(struct napi_struct *napi, int budget)
+@@ -1008,7 +1007,7 @@ static int xennet_poll(struct napi_struct *napi, int budget)
  	i = queue->rx.rsp_cons;
  	work_done = 0;
  	while ((i != rp) && (work_done < budget)) {
@@ -175,5 +173,5 @@ index d6abf19..2af5100 100644
  
  		err = xennet_get_responses(queue, &rinfo, rp, &tmpq);
 -- 
-2.1.0
+2.17.1
 

patches.xen/xsa155-linux44-0010-xen-netfront-do-not-use-data-already-exposed-to-back.patch

@@ -1,14 +1,11 @@
-From 2adc557330dde5b474d885518d2663180d3c8f45 Mon Sep 17 00:00:00 2001
+From 11b753cc107f41aca56ba0698a1bd6b806cd6795 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 05:19:37 +0100
-Subject: [PATCH 10/13] xen-netfront: do not use data already exposed to
- backend
+Subject: [PATCH] xen-netfront: do not use data already exposed to backend
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Backend may freely modify anything on shared page, so use data which was
 supposed to be written there, instead of reading it back from the shared
@@ -19,14 +16,14 @@ This is part of XSA155.
 CC: stable@vger.kernel.org
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
- drivers/net/xen-netfront.c | 32 +++++++++++---------------------
- 1 file changed, 11 insertions(+), 21 deletions(-)
+ drivers/net/xen-netfront.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index 2af5100..959e479 100644
+index 1b6c319d74f1..026d39702217 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
-@@ -453,7 +453,7 @@ static void xennet_tx_setup_grant(unsign
+@@ -459,7 +459,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,
  	tx->flags = 0;
  
  	info->tx = tx;
@@ -35,7 +32,7 @@ index 2af5100..959e479 100644
  }
  
  static struct xen_netif_tx_request *xennet_make_first_txreq(
-@@ -522,7 +524,7 @@ static int xennet_start_xmit(struct sk_b
+@@ -575,7 +575,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
  	int slots;
  	struct page *page;
  	unsigned int offset;
@@ -44,7 +41,7 @@ index 2af5100..959e479 100644
  	unsigned long flags;
  	struct netfront_queue *queue = NULL;
  	unsigned int num_queues = dev->real_num_tx_queues;
-@@ -614,14 +614,15 @@ static int xennet_start_xmit(struct sk_b
+@@ -635,14 +635,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
  	}
  
  	/* First request for the linear area. */
@@ -62,3 +59,6 @@ index 2af5100..959e479 100644
  
  	if (skb->ip_summed == CHECKSUM_PARTIAL)
  		/* local packet? */
+-- 
+2.17.1
+

patches.xen/xsa155-linux44-0013-xen-blkfront-prepare-request-locally-only-then-put-i.patch

@@ -1,14 +1,12 @@
-From 74aaa42e1f25309a163acd00083ecbbc186fbb47 Mon Sep 17 00:00:00 2001
+From 5c574ee1c388258969b2c66d46db20be16c3aeb3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
  <marmarek@invisiblethingslab.com>
 Date: Wed, 16 Dec 2015 06:07:14 +0100
-Subject: [PATCH 13/13] xen-blkfront: prepare request locally, only then put it
- on the shared ring
+Subject: [PATCH] xen-blkfront: prepare request locally, only then put it on
+ the shared ring
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Organization: Invisible Things Lab
-Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 
 Do not reuse data which theoretically might be already modified by the
 backend. This is mostly about private copy of the request
@@ -20,14 +18,14 @@ This is part of XSA155.
 CC: stable@vger.kernel.org
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
- drivers/block/xen-blkfront.c | 56 ++++++++++++++++++++++++--------------------
- 1 file changed, 30 insertions(+), 26 deletions(-)
+ drivers/block/xen-blkfront.c | 76 +++++++++++++++++++++---------------
+ 1 file changed, 44 insertions(+), 32 deletions(-)
 
 diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
-index e99ea22..7191800 100644
+index 87781c076733..3da0f6be24c9 100644
 --- a/drivers/block/xen-blkfront.c
 +++ b/drivers/block/xen-blkfront.c
-@@ -528,19 +528,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -524,19 +524,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode,
  
  static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
  					    struct request *req,
@@ -49,7 +47,7 @@ index e99ea22..7191800 100644
  
  	return id;
  }
-@@ -548,23 +545,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
+@@ -544,23 +541,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo,
  static int blkif_queue_discard_req(struct request *req, struct blkfront_ring_info *rinfo)
  {
  	struct blkfront_info *info = rinfo->dev_info;
@@ -86,7 +84,7 @@ index e99ea22..7191800 100644
  
  	return 0;
  }
-@@ -696,7 +698,7 @@ static void blkif_setup_extra_req(struct blkif_request *first,
+@@ -692,7 +694,7 @@ static void blkif_setup_extra_req(struct blkif_request *first,
  static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *rinfo)
  {
  	struct blkfront_info *info = rinfo->dev_info;
@@ -95,7 +93,7 @@ index e99ea22..7191800 100644
  	unsigned long id, extra_id = NO_ASSOCIATED_ID;
  	bool require_extra_req = false;
  	int i;
-@@ -761,16 +763,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -757,16 +759,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  		 * BLKIF_OP_WRITE
  		 */
  		BUG_ON(req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA);
@@ -120,7 +118,7 @@ index e99ea22..7191800 100644
  			BLKIF_OP_WRITE : BLKIF_OP_READ;
  		if (req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA) {
  			/*
-@@ -781,15 +783,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -777,15 +779,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  			 * since it is guaranteed ordered WRT previous writes.)
  			 */
  			if (info->feature_flush && info->feature_fua)
@@ -140,7 +138,7 @@ index e99ea22..7191800 100644
  		if (unlikely(require_extra_req)) {
  			extra_id = blkif_ring_get_request(rinfo, req,
  							  &extra_ring_req);
-@@ -799,7 +801,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -795,7 +797,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  			 */
  			rinfo->shadow[extra_id].num_sg = 0;
  
@@ -149,7 +147,7 @@ index e99ea22..7191800 100644
  
  			/* Link the 2 requests together */
  			rinfo->shadow[extra_id].associated_id = id;
-@@ -807,12 +809,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -803,12 +805,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  		}
  	}
  
@@ -164,7 +162,7 @@ index e99ea22..7191800 100644
  
  	for_each_sg(rinfo->shadow[id].sg, sg, num_sg, i) {
  		BUG_ON(sg->offset + sg->length > PAGE_SIZE);
-@@ -834,10 +836,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
+@@ -830,10 +832,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri
  	if (setup.segments)
  		kunmap_atomic(setup.segments);
  
@@ -188,3 +186,6 @@ index e99ea22..7191800 100644
  
  	if (new_persistent_gnts)
  		gnttab_free_grant_references(setup.gref_head);
+-- 
+2.17.1
+

series.conf

@@ -24,6 +24,3 @@ patches.xen/pci_op-cleanup.patch
 
 # Fix for MSI support with stubdoms
 patches.xen/xen-pciback-add-attribute-to-allow-MSI-enable-flag-w.patch
-
-# Fix for grant-table in PVH/HVM in 4.14
-patches.xen/xen-Fix-set-clear-_foreign_p2m_mapping-on-autotransl.patch

suffix

@@ -1 +1 @@
--latest
+-414

version

@@ -1 +1 @@
-4.14.12
+4.14.150