--- /dev/null
+From b8d55a90fd55b767c25687747e2b24abd1ef8680 Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Date: Tue, 26 Dec 2023 15:32:19 +0530
+Subject: drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+commit b8d55a90fd55b767c25687747e2b24abd1ef8680 upstream.
+
+Return invalid error code -EINVAL for invalid block id.
+
+Fixes the below:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)
+
+Suggested-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Cc: Tao Zhou <tao.zhou1@amd.com>
+Cc: Hawking Zhang <Hawking.Zhang@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[Ajay: applied AMDGPU_RAS_BLOCK_COUNT condition to amdgpu_ras_query_error_status()
+ as amdgpu_ras_query_error_status_helper() not present in v5.15
+ amdgpu_ras_query_error_status_helper() was introduced in 8cc0f5669eb6]
+Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+@@ -820,6 +820,9 @@ int amdgpu_ras_query_error_status(struct
+ if (!obj)
+ return -EINVAL;
+
++ if (!info || info->head.block == AMDGPU_RAS_BLOCK_COUNT)
++ return -EINVAL;
++
+ switch (info->head.block) {
+ case AMDGPU_RAS_BLOCK__UMC:
+ if (adev->umc.ras_funcs &&
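Review bot: The new `!info` test runs only after `obj` has been checked, and `obj` is initialised above the hunk, presumably from `info->head`. If that lookup already reads through `info`, the NULL check comes too late to protect it, so the order should be confirmed in the part of amdgpu_ras_query_error_status() that the hunk does not show. The block test also rejects only the exact sentinel: `info->head.block == AMDGPU_RAS_BLOCK_COUNT` lets any larger value reach the `switch`, whereas `if (!info || info->head.block >= AMDGPU_RAS_BLOCK_COUNT)` would reject every out-of-range id. The function body starts and ends outside the hunk.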
--- /dev/null
+From 6c41468c7c12d74843bb414fc00307ea8a6318c3 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 22 Mar 2023 07:32:59 -0700
+Subject: KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 6c41468c7c12d74843bb414fc00307ea8a6318c3 upstream.
+
+When injecting an exception into a vCPU in Real Mode, suppress the error
+code by clearing the flag that tracks whether the error code is valid, not
+by clearing the error code itself. The "typo" was introduced by recent
+fix for SVM's funky Paged Real Mode.
+
+Opportunistically hoist the logic above the tracepoint so that the trace
+is coherent with respect to what is actually injected (this was also the
+behavior prior to the buggy commit).
+
+Fixes: b97f07458373 ("KVM: x86: determine if an exception has an error code only when injecting it.")
+Cc: stable@vger.kernel.org
+Cc: Maxim Levitsky <mlevitsk@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20230322143300.2209476-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[nsaenz: backport to 5.15.y]
+Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Sean Christopherson <seanjc@google.com>
+---
+ arch/x86/kvm/x86.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -9134,13 +9134,20 @@ int kvm_check_nested_events(struct kvm_v
+
+ static void kvm_inject_exception(struct kvm_vcpu *vcpu)
+ {
++ /*
++ * Suppress the error code if the vCPU is in Real Mode, as Real Mode
++ * exceptions don't report error codes. The presence of an error code
++ * is carried with the exception and only stripped when the exception
++ * is injected as intercepted #PF VM-Exits for AMD's Paged Real Mode do
++ * report an error code despite the CPU being in Real Mode.
++ */
++ vcpu->arch.exception.has_error_code &= is_protmode(vcpu);
++
+ trace_kvm_inj_exception(vcpu->arch.exception.nr,
+ vcpu->arch.exception.has_error_code,
+ vcpu->arch.exception.error_code,
+ vcpu->arch.exception.injected);
+
+- if (vcpu->arch.exception.error_code && !is_protmode(vcpu))
+- vcpu->arch.exception.error_code = false;
+ static_call(kvm_x86_queue_exception)(vcpu);
+ }
+
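Review bot: `vcpu->arch.exception.has_error_code &= is_protmode(vcpu);` is only correct if is_protmode() yields exactly 0 or 1. Its definition is outside the hunk, and if it returns a masked CR0 value, the bitwise AND silently depends on the tested bit being bit 0. An explicit form such as `if (!is_protmode(vcpu)) vcpu->arch.exception.has_error_code = false;` does not depend on the helper's return type. Note also that `error_code` keeps its old value and is still passed to the tracepoint, so trace consumers have to gate on `has_error_code`; one more sentence in the added comment would record that.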
--- /dev/null
+From d0f95894fda7d4f895b29c1097f92d7fee278cb2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 3 Oct 2023 18:34:55 +0000
+Subject: netlink: annotate data-races around sk->sk_err
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d0f95894fda7d4f895b29c1097f92d7fee278cb2 upstream.
+
+syzbot caught another data-race in netlink when
+setting sk->sk_err.
+
+Annotate all of them for good measure.
+
+BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
+
+write to 0xffff8881613bb220 of 4 bytes by task 28147 on cpu 0:
+netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994
+sock_recvmsg_nosec net/socket.c:1027 [inline]
+sock_recvmsg net/socket.c:1049 [inline]
+__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229
+__do_sys_recvfrom net/socket.c:2247 [inline]
+__se_sys_recvfrom net/socket.c:2243 [inline]
+__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+write to 0xffff8881613bb220 of 4 bytes by task 28146 on cpu 1:
+netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994
+sock_recvmsg_nosec net/socket.c:1027 [inline]
+sock_recvmsg net/socket.c:1049 [inline]
+__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229
+__do_sys_recvfrom net/socket.c:2247 [inline]
+__se_sys_recvfrom net/socket.c:2243 [inline]
+__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00000000 -> 0x00000016
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 28146 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-00055-g9ed22ae6be81 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231003183455.3410550-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: yenchia.chen <yenchia.chen@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -352,7 +352,7 @@ static void netlink_overrun(struct sock
+ if (!(nlk->flags & NETLINK_F_RECV_NO_ENOBUFS)) {
+ if (!test_and_set_bit(NETLINK_S_CONGESTED,
+ &nlk_sk(sk)->state)) {
+- sk->sk_err = ENOBUFS;
++ WRITE_ONCE(sk->sk_err, ENOBUFS);
+ sk_error_report(sk);
+ }
+ }
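Review bot: Only the stores to `sk->sk_err` are annotated, here in netlink_overrun() and in the hunks for do_one_set_err(), netlink_recvmsg() and netlink_ack(); the lockless readers are outside this patch. It is worth confirming in the 5.15 tree that those readers use READ_ONCE(), xchg() or data_race(), otherwise KCSAN can keep reporting the same pair. WRITE_ONCE() prevents store tearing but adds no ordering against the following `sk_error_report(sk)`, and concurrent writers still overwrite each other. A short comment would make that explicit, e.g. `/* lockless store, last writer wins; readers must not use a plain load */`. All four functions continue outside their hunks.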
+@@ -1591,7 +1591,7 @@ static int do_one_set_err(struct sock *s
+ goto out;
+ }
+
+- sk->sk_err = p->code;
++ WRITE_ONCE(sk->sk_err, p->code);
+ sk_error_report(sk);
+ out:
+ return ret;
+@@ -2006,7 +2006,7 @@ static int netlink_recvmsg(struct socket
+ atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
+ ret = netlink_dump(sk);
+ if (ret) {
+- sk->sk_err = -ret;
++ WRITE_ONCE(sk->sk_err, -ret);
+ sk_error_report(sk);
+ }
+ }
+@@ -2442,7 +2442,7 @@ void netlink_ack(struct sk_buff *in_skb,
+
+ skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
+ if (!skb) {
+- NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
++ WRITE_ONCE(NETLINK_CB(in_skb).sk->sk_err, ENOBUFS);
+ sk_error_report(NETLINK_CB(in_skb).sk);
+ return;
+ }
--- /dev/null
+From a1865f2e7d10dde00d35a2122b38d2e469ae67ed Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 3 Apr 2023 21:46:43 +0000
+Subject: netlink: annotate lockless accesses to nlk->max_recvmsg_len
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a1865f2e7d10dde00d35a2122b38d2e469ae67ed upstream.
+
+syzbot reported a data-race in netlink_recvmsg() [1]
+
+Indeed, netlink_recvmsg() can be run concurrently,
+and netlink_dump() also needs protection.
+
+[1]
+BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
+
+read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:
+netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988
+sock_recvmsg_nosec net/socket.c:1017 [inline]
+sock_recvmsg net/socket.c:1038 [inline]
+__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194
+__do_sys_recvfrom net/socket.c:2212 [inline]
+__se_sys_recvfrom net/socket.c:2208 [inline]
+__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:
+netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989
+sock_recvmsg_nosec net/socket.c:1017 [inline]
+sock_recvmsg net/socket.c:1038 [inline]
+____sys_recvmsg+0x156/0x310 net/socket.c:2720
+___sys_recvmsg net/socket.c:2762 [inline]
+do_recvmmsg+0x2e5/0x710 net/socket.c:2856
+__sys_recvmmsg net/socket.c:2935 [inline]
+__do_sys_recvmmsg net/socket.c:2958 [inline]
+__se_sys_recvmmsg net/socket.c:2951 [inline]
+__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x0000000000000000 -> 0x0000000000001000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+
+Fixes: 9063e21fb026 ("netlink: autosize skb lengthes")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230403214643.768555-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: yenchia.chen <yenchia.chen@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1935,7 +1935,7 @@ static int netlink_recvmsg(struct socket
+ struct sock *sk = sock->sk;
+ struct netlink_sock *nlk = nlk_sk(sk);
+ int noblock = flags & MSG_DONTWAIT;
+- size_t copied;
++ size_t copied, max_recvmsg_len;
+ struct sk_buff *skb, *data_skb;
+ int err, ret;
+
+@@ -1968,9 +1968,10 @@ static int netlink_recvmsg(struct socket
+ #endif
+
+ /* Record the max length of recvmsg() calls for future allocations */
+- nlk->max_recvmsg_len = max(nlk->max_recvmsg_len, len);
+- nlk->max_recvmsg_len = min_t(size_t, nlk->max_recvmsg_len,
+- SKB_WITH_OVERHEAD(32768));
++ max_recvmsg_len = max(READ_ONCE(nlk->max_recvmsg_len), len);
++ max_recvmsg_len = min_t(size_t, max_recvmsg_len,
++ SKB_WITH_OVERHEAD(32768));
++ WRITE_ONCE(nlk->max_recvmsg_len, max_recvmsg_len);
+
+ copied = data_skb->len;
+ if (len < copied) {
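Review bot: The READ_ONCE()/WRITE_ONCE() pair around `nlk->max_recvmsg_len` removes load and store tearing, but the max() update is still a non-atomic read-modify-write, so two concurrent recvmsg() callers can lose the larger length. That looks harmless, because the value is clamped to `SKB_WITH_OVERHEAD(32768)` and, going by the existing comment, only sizes future allocations. The code should say so, for example `/* Lockless update: a lost race only yields a smaller allocation hint. */` above the `max()` line. netlink_recvmsg() starts and ends outside the hunk.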
+@@ -2219,6 +2220,7 @@ static int netlink_dump(struct sock *sk)
+ struct netlink_ext_ack extack = {};
+ struct netlink_callback *cb;
+ struct sk_buff *skb = NULL;
++ size_t max_recvmsg_len;
+ struct module *module;
+ int err = -ENOBUFS;
+ int alloc_min_size;
+@@ -2241,8 +2243,9 @@ static int netlink_dump(struct sock *sk)
+ cb = &nlk->cb;
+ alloc_min_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE);
+
+- if (alloc_min_size < nlk->max_recvmsg_len) {
+- alloc_size = nlk->max_recvmsg_len;
++ max_recvmsg_len = READ_ONCE(nlk->max_recvmsg_len);
++ if (alloc_min_size < max_recvmsg_len) {
++ alloc_size = max_recvmsg_len;
+ skb = alloc_skb(alloc_size,
+ (GFP_KERNEL & ~__GFP_DIRECT_RECLAIM) |
+ __GFP_NOWARN | __GFP_NORETRY);
net-tls-factor-out-tls_-crypt_async_wait.patch
tls-fix-race-between-async-notify-and-socket-close.patch
net-tls-handle-backlogging-of-crypto-requests.patch
+netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch
+netlink-annotate-data-races-around-sk-sk_err.patch
+kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch
+drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch