5.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jun 2021 08:43:18 +0000 (10:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jun 2021 08:43:18 +0000 (10:43 +0200)
added patches:
kvm-fix-previous-commit-for-32-bit-builds.patch
nfs-fix-use-after-free-in-nfs4_init_client.patch

queue-5.12/kvm-fix-previous-commit-for-32-bit-builds.patch [new file with mode: 0644]
queue-5.12/nfs-fix-use-after-free-in-nfs4_init_client.patch [new file with mode: 0644]
queue-5.12/series

diff --git a/queue-5.12/kvm-fix-previous-commit-for-32-bit-builds.patch b/queue-5.12/kvm-fix-previous-commit-for-32-bit-builds.patch
new file mode 100644 (file)
index 0000000..c66c6e5
--- /dev/null
@@ -0,0 +1,33 @@
+From 4422829e8053068e0225e4d0ef42dc41ea7c9ef5 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 9 Jun 2021 01:49:13 -0400
+Subject: kvm: fix previous commit for 32-bit builds
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 4422829e8053068e0225e4d0ef42dc41ea7c9ef5 upstream.
+
+array_index_nospec does not work for uint64_t on 32-bit builds.
+However, the size of a memory slot must be less than 20 bits wide
+on those system, since the memory slot must fit in the user
+address space.  So just store it in an unsigned long.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1124,8 +1124,8 @@ __gfn_to_hva_memslot(struct kvm_memory_s
+        * table walks, do not let the processor speculate loads outside
+        * the guest's registered memslots.
+        */
+-      unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
+-                                                slot->npages);
++      unsigned long offset = gfn - slot->base_gfn;
++      offset = array_index_nospec(offset, slot->npages);
+       return slot->userspace_addr + offset * PAGE_SIZE;
+ }
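Review bot: The new `unsigned long offset = gfn - slot->base_gfn;` line narrows the 64-bit difference that the commit message describes to `unsigned long` before `array_index_nospec()` ever sees it, and the reasoning that makes that safe on 32-bit (a slot must fit in the user address space, so the offset is far narrower than 32 bits) lives only in the commit message. A reader of `__gfn_to_hva_memslot()` later will see a silent truncation and nothing explaining why it cannot lose bits, so the justification should be recorded at the line, e.g. `/* Narrowing is safe: a slot fits in the user address space (commit 4422829e8053). */`. Note also that the clamp now applies to the narrowed value, so the existing requirement that callers already validated gfn against the slot is what keeps the result meaningful; the comment could state that too. The enclosing `__gfn_to_hva_memslot()` starts before this hunk.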
diff --git a/queue-5.12/nfs-fix-use-after-free-in-nfs4_init_client.patch b/queue-5.12/nfs-fix-use-after-free-in-nfs4_init_client.patch
new file mode 100644 (file)
index 0000000..12ea1a2
--- /dev/null
@@ -0,0 +1,38 @@
+From 476bdb04c501fc64bf3b8464ffddefc8dbe01577 Mon Sep 17 00:00:00 2001
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Date: Wed, 2 Jun 2021 14:31:20 -0400
+Subject: NFS: Fix use-after-free in nfs4_init_client()
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+commit 476bdb04c501fc64bf3b8464ffddefc8dbe01577 upstream.
+
+KASAN reports a use-after-free when attempting to mount two different
+exports through two different NICs that belong to the same server.
+
+Olga was able to hit this with kernels starting somewhere between 5.7
+and 5.10, but I traced the patch that introduced the clear_bit() call to
+4.13. So something must have changed in the refcounting of the clp
+pointer to make this call to nfs_put_client() the very last one.
+
+Fixes: 8dcbec6d20 ("NFSv41: Handle EXCHID4_FLAG_CONFIRMED_R during NFSv4.1 migration")
+Cc: stable@vger.kernel.org # 4.13+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4client.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -435,8 +435,8 @@ struct nfs_client *nfs4_init_client(stru
+                */
+               nfs_mark_client_ready(clp, -EPERM);
+       }
+-      nfs_put_client(clp);
+       clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags);
++      nfs_put_client(clp);
+       return old;
+ error:
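Review bot: Moving `nfs_put_client(clp);` below the `clear_bit()` fixes the ordering, but nothing in the code now marks that this put may release `clp`, so a later edit that adds another `clp` access after the call would reintroduce the same use-after-free this commit removes. A one-line comment above the call, `/* May drop the last reference: clp must not be touched after this. */`, would pin the ordering for the next maintainer. The `error:` path begins at the last hunk line and continues outside the hunk, so whether it respects the same rule is not visible here; `nfs4_init_client()` itself also starts before the hunk.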
index be2dc9fba540848f00c39a2857af8d4d8f89df87..3a3adcf3ea4e9856e5d89ef7340c69f4a3b1f4f0 100644 (file)
@@ -163,3 +163,5 @@ nfs-fix-a-potential-null-dereference-in-nfs_get_clie.patch
 nfsv4-fix-deadlock-between-nfs4_evict_inode-and-nfs4.patch
 pinctrl-qcom-make-it-possible-to-select-sc8180x-tlmm.patch
 perf-session-correct-buffer-copying-when-peeking-eve.patch
+kvm-fix-previous-commit-for-32-bit-builds.patch
+nfs-fix-use-after-free-in-nfs4_init_client.patch