--- /dev/null
+From f199d01619f94223c34d2d0a8872a21c5c7feae3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 13:32:06 +1000
+Subject: fanotify: fix copy_event_to_user() fid error clean up
+
+From: Matthew Bobrowski <repnop@google.com>
+
+[ Upstream commit f644bc449b37cc32d3ce7b36a88073873aa21bd5 ]
+
+Ensure that clean up is performed on the allocated file descriptor and
+struct file object in the event that an error is encountered while copying
+fid info objects. Currently, we return directly to the caller when an error
+is experienced in the fid info copying helper, which isn't ideal given that
+the listener process could be left with a dangling file descriptor in their
+fdtable.
+
+Fixes: 5e469c830fdb ("fanotify: copy event fid info to user")
+Fixes: 44d705b0370b ("fanotify: report name info for FAN_DIR_MODIFY event")
+Link: https://lore.kernel.org/linux-fsdevel/YMKv1U7tNPK955ho@google.com/T/#m15361cd6399dad4396aad650de25dbf6b312288e
+Link: https://lore.kernel.org/r/1ef8ae9100101eb1a91763c516c2e9a3a3b112bd.1623376346.git.repnop@google.com
+Signed-off-by: Matthew Bobrowski <repnop@google.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/notify/fanotify/fanotify_user.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
+index 9e0c1afac8bd..c175523b0a2c 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -378,7 +378,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+ info_type, fanotify_info_name(info),
+ info->name_len, buf, count);
+ if (ret < 0)
+- return ret;
++ goto out_close_fd;
+
+ buf += ret;
+ count -= ret;
+@@ -426,7 +426,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+ fanotify_event_object_fh(event),
+ info_type, dot, dot_len, buf, count);
+ if (ret < 0)
+- return ret;
++ goto out_close_fd;
+
+ buf += ret;
+ count -= ret;
+--
+2.30.2
+
--- /dev/null
+From c186ca2b92183fe6e0b692c3da8a0899c2d940bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 13:52:24 -0700
+Subject: kvm: LAPIC: Restore guard to prevent illegal APIC register access
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit 218bf772bddd221489c38dde6ef8e917131161f6 ]
+
+Per the SDM, "any access that touches bytes 4 through 15 of an APIC
+register may cause undefined behavior and must not be executed."
+Worse, such an access in kvm_lapic_reg_read can result in a leak of
+kernel stack contents. Prior to commit 01402cf81051 ("kvm: LAPIC:
+write down valid APIC registers"), such an access was explicitly
+disallowed. Restore the guard that was removed in that commit.
+
+Fixes: 01402cf81051 ("kvm: LAPIC: write down valid APIC registers")
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Message-Id: <20210602205224.3189316-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/lapic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index fa023f3feb25..43013ac0fd4d 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1410,6 +1410,9 @@ int kvm_lapic_reg_read(struct kvm_lapic *apic, u32 offset, int len,
+ if (!apic_x2apic_mode(apic))
+ valid_reg_mask |= APIC_REG_MASK(APIC_ARBPRI);
+
++ if (alignment + len > 4)
++ return 1;
++
+ if (offset > 0x3f0 || !(valid_reg_mask & APIC_REG_MASK(offset)))
+ return 1;
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
