Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBorislav Petkov <bp@suse.de>2018-01-12 22:55:47 +0100
committerBorislav Petkov <bp@suse.de>2018-01-12 22:55:47 +0100
commitea8be21453a1c41a4ed6aef1ed1a4690a3061719 (patch)
tree2c9f127e64c4c1bdca7f3cd29146fa6c49d3d326
parent4ffe4d79bfd9dd2bdf96300233762d980cf4c404 (diff)
- x86/dumpstack: Fix partial register dumps (bsc#1068032
CVE-2017-5754). - x86/process: Define cpu_tss_rw in same section as declaration (bsc#1068032 CVE-2017-5754). - x86/xen/64: Fix the reported SS and CS in SYSCALL (bsc#1068032 CVE-2017-5754). - x86/entry/64: Fix entry_SYSCALL_64_after_hwframe() IRQ tracing (bsc#1068032 CVE-2017-5754). - Refresh patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch. - Refresh patches.arch/22-x86-entry-64-make-cpu_entry_area-tss-read-only.patch.
-rw-r--r--patches.arch/03.1-x86-dumpstack-fix-partial-register-dumps.patch159
-rw-r--r--patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch7
-rw-r--r--patches.arch/11.1-x86-process-define-cpu_tss_rw-in-same-section-as-declaration.patch52
-rw-r--r--patches.arch/17.1-x86-xen-64-fix-the-reported-ss-and-cs-in-syscall.patch72
-rw-r--r--patches.arch/17.2-x86-entry-64-fix-entry_syscall_64_after_hwframe-irq-tracing.patch59
-rw-r--r--patches.arch/22-x86-entry-64-make-cpu_entry_area-tss-read-only.patch6
-rw-r--r--series.conf4
7 files changed, 351 insertions, 8 deletions
diff --git a/patches.arch/03.1-x86-dumpstack-fix-partial-register-dumps.patch b/patches.arch/03.1-x86-dumpstack-fix-partial-register-dumps.patch
new file mode 100644
index 0000000000..9355cb5a08
--- /dev/null
+++ b/patches.arch/03.1-x86-dumpstack-fix-partial-register-dumps.patch
@@ -0,0 +1,159 @@
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Sun, 31 Dec 2017 10:18:06 -0600
+Subject: x86/dumpstack: Fix partial register dumps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: a9cdbe72c4e8bf3b38781c317a79326e2e1a230d
+Patch-mainline: v4.15-rc7
+References: bsc#1068032 CVE-2017-5754
+
+The show_regs_safe() logic is wrong. When there's an iret stack frame,
+it prints the entire pt_regs -- most of which is random stack data --
+instead of just the five registers at the end.
+
+show_regs_safe() is also poorly named: the on_stack() checks aren't for
+safety. Rename the function to show_regs_if_on_stack() and add a
+comment to explain why the checks are needed.
+
+These issues were introduced with the "partial register dump" feature of
+the following commit:
+
+ b02fcf9ba121 ("x86/unwinder: Handle stack overflows more gracefully")
+
+That patch had gone through a few iterations of development, and the
+above issues were artifacts from a previous iteration of the patch where
+'regs' pointed directly to the iret frame rather than to the (partially
+empty) pt_regs.
+
+Tested-by: Alexander Tsoy <alexander@tsoy.me>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Toralf Förster <toralf.foerster@gmx.de>
+Cc: stable@vger.kernel.org
+Fixes: b02fcf9ba121 ("x86/unwinder: Handle stack overflows more gracefully")
+Link: http://lkml.kernel.org/r/5b05b8b344f59db2d3d50dbdeba92d60f2304c54.1514736742.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/include/asm/unwind.h | 17 +++++++++++++----
+ arch/x86/kernel/dumpstack.c | 28 ++++++++++++++++++++--------
+ arch/x86/kernel/stacktrace.c | 2 +-
+ 3 files changed, 34 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/include/asm/unwind.h
++++ b/arch/x86/include/asm/unwind.h
+@@ -55,18 +55,27 @@ void unwind_start(struct unwind_state *s
+
+ #if defined(CONFIG_UNWINDER_ORC) || defined(CONFIG_UNWINDER_FRAME_POINTER)
+ /*
+- * WARNING: The entire pt_regs may not be safe to dereference. In some cases,
+- * only the iret frame registers are accessible. Use with caution!
++ * If 'partial' returns true, only the iret frame registers are valid.
+ */
+-static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state)
++static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state,
++ bool *partial)
+ {
+ if (unwind_done(state))
+ return NULL;
+
++ if (partial) {
++#ifdef CONFIG_UNWINDER_ORC
++ *partial = !state->full_regs;
++#else
++ *partial = false;
++#endif
++ }
++
+ return state->regs;
+ }
+ #else
+-static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state)
++static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state,
++ bool *partial)
+ {
+ return NULL;
+ }
+--- a/arch/x86/kernel/dumpstack.c
++++ b/arch/x86/kernel/dumpstack.c
+@@ -57,12 +57,23 @@ void show_iret_regs(struct pt_regs *regs
+ regs->sp, regs->flags);
+ }
+
+-static void show_regs_safe(struct stack_info *info, struct pt_regs *regs)
++static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs,
++ bool partial)
+ {
+- if (on_stack(info, regs, sizeof(*regs)))
++ /*
++ * These on_stack() checks aren't strictly necessary: the unwind code
++ * has already validated the 'regs' pointer. The checks are done for
++ * ordering reasons: if the registers are on the next stack, we don't
++ * want to print them out yet. Otherwise they'll be shown as part of
++ * the wrong stack. Later, when show_trace_log_lvl() switches to the
++ * next stack, this function will be called again with the same regs so
++ * they can be printed in the right context.
++ */
++ if (!partial && on_stack(info, regs, sizeof(*regs))) {
+ __show_regs(regs, 0);
+- else if (on_stack(info, (void *)regs + IRET_FRAME_OFFSET,
+- IRET_FRAME_SIZE)) {
++
++ } else if (partial && on_stack(info, (void *)regs + IRET_FRAME_OFFSET,
++ IRET_FRAME_SIZE)) {
+ /*
+ * When an interrupt or exception occurs in entry code, the
+ * full pt_regs might not have been saved yet. In that case
+@@ -79,6 +90,7 @@ void show_trace_log_lvl(struct task_stru
+ struct stack_info stack_info = {0};
+ unsigned long visit_mask = 0;
+ int graph_idx = 0;
++ bool partial;
+
+ printk("%sCall Trace:\n", log_lvl);
+
+@@ -117,7 +129,7 @@ void show_trace_log_lvl(struct task_stru
+ printk("%s <%s>\n", log_lvl, stack_name);
+
+ if (regs)
+- show_regs_safe(&stack_info, regs);
++ show_regs_if_on_stack(&stack_info, regs, partial);
+
+ /*
+ * Scan the stack, printing any text addresses we find. At the
+@@ -141,7 +153,7 @@ void show_trace_log_lvl(struct task_stru
+
+ /*
+ * Don't print regs->ip again if it was already printed
+- * by show_regs_safe() below.
++ * by show_regs_if_on_stack().
+ */
+ if (regs && stack == &regs->ip)
+ goto next;
+@@ -176,9 +188,9 @@ next:
+ unwind_next_frame(&state);
+
+ /* if the frame has entry regs, print them */
+- regs = unwind_get_entry_regs(&state);
++ regs = unwind_get_entry_regs(&state, &partial);
+ if (regs)
+- show_regs_safe(&stack_info, regs);
++ show_regs_if_on_stack(&stack_info, regs, partial);
+ }
+
+ if (stack_name)
+--- a/arch/x86/kernel/stacktrace.c
++++ b/arch/x86/kernel/stacktrace.c
+@@ -102,7 +102,7 @@ __save_stack_trace_reliable(struct stack
+ for (unwind_start(&state, task, NULL, NULL); !unwind_done(&state);
+ unwind_next_frame(&state)) {
+
+- regs = unwind_get_entry_regs(&state);
++ regs = unwind_get_entry_regs(&state, NULL);
+ if (regs) {
+ /* Success path for user tasks */
+ if (user_mode(regs))
diff --git a/patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch b/patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch
index 60d1f6e846..107c0cd338 100644
--- a/patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch
+++ b/patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch
@@ -38,14 +38,12 @@ Link: https://lkml.kernel.org/r/20171204150605.802057305@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Borislav Petkov <bp@suse.de>
---
- arch/x86/kernel/dumpstack.c | 24 ++++++++++++++----------
+ arch/x86/kernel/dumpstack.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
-diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
-index a33a1373a252..64f8ed2a4827 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
-@@ -112,24 +112,28 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+@@ -124,24 +124,28 @@ void show_trace_log_lvl(struct task_stru
* - task stack
* - interrupt stack
* - HW exception stacks (double fault, nmi, debug, mce)
@@ -84,4 +82,3 @@ index a33a1373a252..64f8ed2a4827 100644
stack_name = stack_type_name(stack_info.type);
if (stack_name)
-
diff --git a/patches.arch/11.1-x86-process-define-cpu_tss_rw-in-same-section-as-declaration.patch b/patches.arch/11.1-x86-process-define-cpu_tss_rw-in-same-section-as-declaration.patch
new file mode 100644
index 0000000000..15dd3e7ec9
--- /dev/null
+++ b/patches.arch/11.1-x86-process-define-cpu_tss_rw-in-same-section-as-declaration.patch
@@ -0,0 +1,52 @@
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 3 Jan 2018 12:39:52 -0800
+Subject: x86/process: Define cpu_tss_rw in same section as declaration
+Git-commit: 2fd9c41aea47f4ad071accf94b94f94f2c4d31eb
+Patch-mainline: v4.15-rc7
+References: bsc#1068032 CVE-2017-5754
+
+cpu_tss_rw is declared with DECLARE_PER_CPU_PAGE_ALIGNED
+but then defined with DEFINE_PER_CPU_SHARED_ALIGNED
+leading to section mismatch warnings.
+
+Use DEFINE_PER_CPU_PAGE_ALIGNED consistently. This is necessary because
+it's mapped to the cpu entry area and must be page aligned.
+
+[ tglx: Massaged changelog a bit ]
+
+Fixes: 1a935bc3d4ea ("x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: thomas.lendacky@amd.com
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: tklauser@distanz.ch
+Cc: minipli@googlemail.com
+Cc: me@kylehuey.com
+Cc: namit@vmware.com
+Cc: luto@kernel.org
+Cc: jpoimboe@redhat.com
+Cc: tj@kernel.org
+Cc: cl@linux.com
+Cc: bp@suse.de
+Cc: thgarnie@google.com
+Cc: kirill.shutemov@linux.intel.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180103203954.183360-1-ndesaulniers@google.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -46,7 +46,7 @@
+ * section. Since TSS's are completely CPU-local, we want them
+ * on exact cacheline boundaries, to eliminate cacheline ping-pong.
+ */
+-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
++__visible DEFINE_PER_CPU_PAGE_ALIGNED(struct tss_struct, cpu_tss) = {
+ .x86_tss = {
+ /*
+ * .sp0 is only used when entering ring 0 from a lower
diff --git a/patches.arch/17.1-x86-xen-64-fix-the-reported-ss-and-cs-in-syscall.patch b/patches.arch/17.1-x86-xen-64-fix-the-reported-ss-and-cs-in-syscall.patch
new file mode 100644
index 0000000000..b4005524c9
--- /dev/null
+++ b/patches.arch/17.1-x86-xen-64-fix-the-reported-ss-and-cs-in-syscall.patch
@@ -0,0 +1,72 @@
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 14 Aug 2017 22:36:19 -0700
+Subject: x86/xen/64: Fix the reported SS and CS in SYSCALL
+Git-commit: fa2016a8e7d846b306e431646d250500e1da0c33
+Patch-mainline: v4.14-rc1
+References: bsc#1068032 CVE-2017-5754
+
+When I cleaned up the Xen SYSCALL entries, I inadvertently changed
+the reported segment registers. Before my patch, regs->ss was
+__USER(32)_DS and regs->cs was __USER(32)_CS. After the patch, they
+are FLAT_USER_CS/DS(32).
+
+This had a couple unfortunate effects. It confused the
+opportunistic fast return logic. It also significantly increased
+the risk of triggering a nasty glibc bug:
+
+ https://sourceware.org/bugzilla/show_bug.cgi?id=21269
+
+Update the Xen entry code to change it back.
+
+Reported-by: Brian Gerst <brgerst@gmail.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: xen-devel@lists.xenproject.org
+Fixes: 8a9949bc71a7 ("x86/xen/64: Rearrange the SYSCALL entries")
+Link: http://lkml.kernel.org/r/daba8351ea2764bb30272296ab9ce08a81bd8264.1502775273.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/xen/xen-asm_64.S | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/arch/x86/xen/xen-asm_64.S
++++ b/arch/x86/xen/xen-asm_64.S
+@@ -119,6 +119,15 @@ RELOC(xen_sysret64, 1b+1)
+ ENTRY(xen_syscall_target)
+ popq %rcx
+ popq %r11
++
++ /*
++ * Neither Xen nor the kernel really knows what the old SS and
++ * CS were. The kernel expects __USER_DS and __USER_CS, so
++ * report those values even though Xen will guess its own values.
++ */
++ movq $__USER_DS, 4*8(%rsp)
++ movq $__USER_CS, 1*8(%rsp)
++
+ jmp entry_SYSCALL_64_after_hwframe
+ ENDPROC(xen_syscall_target)
+
+@@ -128,6 +137,15 @@ ENDPROC(xen_syscall_target)
+ ENTRY(xen_syscall32_target)
+ popq %rcx
+ popq %r11
++
++ /*
++ * Neither Xen nor the kernel really knows what the old SS and
++ * CS were. The kernel expects __USER32_DS and __USER32_CS, so
++ * report those values even though Xen will guess its own values.
++ */
++ movq $__USER32_DS, 4*8(%rsp)
++ movq $__USER32_CS, 1*8(%rsp)
++
+ jmp entry_SYSCALL_compat_after_hwframe
+ ENDPROC(xen_syscall32_target)
+
diff --git a/patches.arch/17.2-x86-entry-64-fix-entry_syscall_64_after_hwframe-irq-tracing.patch b/patches.arch/17.2-x86-entry-64-fix-entry_syscall_64_after_hwframe-irq-tracing.patch
new file mode 100644
index 0000000000..62e57a9993
--- /dev/null
+++ b/patches.arch/17.2-x86-entry-64-fix-entry_syscall_64_after_hwframe-irq-tracing.patch
@@ -0,0 +1,59 @@
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 21 Nov 2017 20:43:56 -0800
+Subject: x86/entry/64: Fix entry_SYSCALL_64_after_hwframe() IRQ tracing
+Git-commit: 548c3050ea8d16997ae27f9e080a8338a606fc93
+Patch-mainline: v4.15-rc1
+References: bsc#1068032 CVE-2017-5754
+
+When I added entry_SYSCALL_64_after_hwframe(), I left TRACE_IRQS_OFF
+before it. This means that users of entry_SYSCALL_64_after_hwframe()
+were responsible for invoking TRACE_IRQS_OFF, and the one and only
+user (Xen, added in the same commit) got it wrong.
+
+I think this would manifest as a warning if a Xen PV guest with
+CONFIG_DEBUG_LOCKDEP=y were used with context tracking. (The
+context tracking bit is to cause lockdep to get invoked before we
+turn IRQs back on.) I haven't tested that for real yet because I
+can't get a kernel configured like that to boot at all on Xen PV.
+
+Move TRACE_IRQS_OFF below the label.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: 8a9949bc71a7 ("x86/xen/64: Rearrange the SYSCALL entries")
+Link: http://lkml.kernel.org/r/9150aac013b7b95d62c2336751d5b6e91d2722aa.1511325444.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/entry/entry_64.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -147,8 +147,6 @@ ENTRY(entry_SYSCALL_64)
+ movq %rsp, PER_CPU_VAR(rsp_scratch)
+ movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+
+- TRACE_IRQS_OFF
+-
+ /* Construct struct pt_regs on stack */
+ pushq $__USER_DS /* pt_regs->ss */
+ pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
+@@ -169,6 +167,8 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
+ sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
+ UNWIND_HINT_REGS extra=0
+
++ TRACE_IRQS_OFF
++
+ /*
+ * If we need to do entry work or if we guess we'll need to do
+ * exit work, go straight to the slow path.
diff --git a/patches.arch/22-x86-entry-64-make-cpu_entry_area-tss-read-only.patch b/patches.arch/22-x86-entry-64-make-cpu_entry_area-tss-read-only.patch
index 3699842e7b..127f02ae1a 100644
--- a/patches.arch/22-x86-entry-64-make-cpu_entry_area-tss-read-only.patch
+++ b/patches.arch/22-x86-entry-64-make-cpu_entry_area-tss-read-only.patch
@@ -379,12 +379,12 @@ Acked-by: Borislav Petkov <bp@suse.de>
* section. Since TSS's are completely CPU-local, we want them
* on exact cacheline boundaries, to eliminate cacheline ping-pong.
*/
--__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
-+__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss_rw) = {
+-__visible DEFINE_PER_CPU_PAGE_ALIGNED(struct tss_struct, cpu_tss) = {
++__visible DEFINE_PER_CPU_PAGE_ALIGNED(struct tss_struct, cpu_tss_rw) = {
.x86_tss = {
/*
* .sp0 is only used when entering ring 0 from a lower
-@@ -81,7 +81,7 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(
+@@ -81,7 +81,7 @@ __visible DEFINE_PER_CPU_PAGE_ALIGNED(st
.io_bitmap = { [0 ... IO_BITMAP_LONGS] = ~0 },
#endif
};
diff --git a/series.conf b/series.conf
index 516dbf107f..01d3867632 100644
--- a/series.conf
+++ b/series.conf
@@ -7375,6 +7375,7 @@
patches.arch/01-x86-entry-64-paravirt-use-paravirt-safe-macro-to-access-eflags.patch
patches.arch/02-x86-unwinder-orc-dont-bail-on-stack-overflow.patch
patches.arch/03-x86-unwinder-handle-stack-overflows-more-gracefully.patch
+ patches.arch/03.1-x86-dumpstack-fix-partial-register-dumps.patch
patches.arch/04-x86-irq-64-print-the-offending-ip-in-the-stack-overflow-warning.patch
patches.arch/05-x86-entry-64-allocate-and-enable-the-sysenter-stack.patch
patches.arch/06-x86-dumpstack-add-get_stack_info-support-for-the-sysenter-stack.patch
@@ -7383,12 +7384,15 @@
patches.arch/09-x86-entry-fix-assumptions-that-the-hw-tss-is-at-the-beginning-of-cpu_tss.patch
patches.arch/10-x86-dumpstack-handle-stack-overflow-on-all-stacks.patch
patches.arch/11-x86-entry-move-sysenter_stack-to-the-beginning-of-struct-tss_struct.patch
+ patches.arch/11.1-x86-process-define-cpu_tss_rw-in-same-section-as-declaration.patch
patches.arch/12-x86-entry-remap-the-tss-into-the-cpu-entry-area.patch
patches.arch/13-x86-entry-64-separate-cpu_current_top_of_stack-from-tss-sp0.patch
patches.arch/14-x86-espfix-64-stop-assuming-that-pt_regs-is-on-the-entry-stack.patch
patches.arch/15-x86-entry-64-use-a-per-cpu-trampoline-stack-for-idt-entries.patch
patches.arch/16-x86-entry-64-return-to-userspace-from-the-trampoline-stack.patch
patches.arch/17-x86-xen-64-rearrange-the-syscall-entries.patch
+ patches.arch/17.1-x86-xen-64-fix-the-reported-ss-and-cs-in-syscall.patch
+ patches.arch/17.2-x86-entry-64-fix-entry_syscall_64_after_hwframe-irq-tracing.patch
patches.arch/18-x86-entry-64-create-a-per-cpu-syscall-entry-trampoline.patch
patches.arch/19-x86-entry-64-move-the-ist-stacks-into-struct-cpu_entry_area.patch
patches.arch/20-x86-entry-64-remove-the-sysenter-stack-canary.patch