--- /dev/null
+From 9c3d7c0f86762b77d5cc0a931abf0e046dfcb7ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2020 15:26:29 -0800
+Subject: KVM: nVMX: Don't emulate instructions in guest mode
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit 07721feee46b4b248402133228235318199b05ec ]
+
+vmx_check_intercept is not yet fully implemented. To avoid emulating
+instructions disallowed by the L1 hypervisor, refuse to emulate
+instructions by default.
+
+Cc: stable@vger.kernel.org
+[Made commit, added commit msg - Oliver]
+Signed-off-by: Oliver Upton <oupton@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 6c2b45f5d5016..be7f4c018943b 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10744,7 +10744,7 @@ static int vmx_check_intercept(struct kvm_vcpu *vcpu,
+ struct x86_instruction_info *info,
+ enum x86_intercept_stage stage)
+ {
+- return X86EMUL_CONTINUE;
++ return X86EMUL_UNHANDLEABLE;
+ }
+
+ static void vmx_sched_in(struct kvm_vcpu *vcpu, int cpu)
+--
+2.20.1
+
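Review bot: The new `return X86EMUL_UNHANDLEABLE;` in vmx_check_intercept has no comment, so the function reads as a stub that ignores both `info` and `stage`, and the only rationale lives in the commit message; a later reader may well "fix" it back to X86EMUL_CONTINUE. Suggest a comment directly above the return, e.g. `/* Intercept checks against L1's VMCS are not implemented yet; fail closed rather than emulate an instruction L1 may have intercepted. TODO: check intercepts. */`. Because the return is unconditional, every intercept and stage now reports unhandleable, so any emulation that reaches this hook in guest mode fails instead of continuing; presumably the emulator's caller turns that into an emulation-failure exit, and that behaviour change for L2 is worth stating in the backport note.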
--- /dev/null
+From a2ff7136d227bca57e64b1064a2f963cc3cc4d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2020 13:35:01 -0800
+Subject: netfilter: xt_bpf: add overflow checks
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 6ab405114b0b229151ef06f4e31c7834dd09d0c0 ]
+
+Check whether inputs from userspace are too long (explicit length field too
+big or string not null-terminated) to avoid out-of-bounds reads.
+
+As far as I can tell, this can at worst lead to very limited kernel heap
+memory disclosure or oopses.
+
+This bug can be triggered by an unprivileged user even if the xt_bpf module
+is not loaded: iptables is available in network namespaces, and the xt_bpf
+module can be autoloaded.
+
+Triggering the bug with a classic BPF filter with fake length 0x1000 causes
+the following KASAN report:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0
+Read of size 32768 at addr ffff8801eff2c494 by task test/4627
+
+CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1
+[...]
+Call Trace:
+ dump_stack+0x5c/0x85
+ print_address_description+0x6a/0x260
+ kasan_report+0x254/0x370
+ ? bpf_prog_create+0x84/0xf0
+ memcpy+0x1f/0x50
+ bpf_prog_create+0x84/0xf0
+ bpf_mt_check+0x90/0xd6 [xt_bpf]
+[...]
+Allocated by task 4627:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc_node+0x47/0x60
+ xt_alloc_table_info+0x41/0x70 [x_tables]
+[...]
+The buggy address belongs to the object at ffff8801eff2c3c0
+ which belongs to the cache kmalloc-2048 of size 2048
+The buggy address is located 212 bytes inside of
+ 2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0)
+[...]
+==================================================================
+
+Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_bpf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
+index dffee9d47ec4b..7b993f25aab92 100644
+--- a/net/netfilter/xt_bpf.c
++++ b/net/netfilter/xt_bpf.c
+@@ -25,6 +25,9 @@ static int bpf_mt_check(const struct xt_mtchk_param *par)
+ struct xt_bpf_info *info = par->matchinfo;
+ struct sock_fprog_kern program;
+
++ if (info->bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR)
++ return -EINVAL;
++
+ program.len = info->bpf_program_num_elem;
+ program.filter = info->bpf_program;
+
+--
+2.20.1
+
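Review bot: The hunk adds only the `bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR` bound in bpf_mt_check, while the description also promises a check that a user-supplied string is NUL-terminated; nothing in this three-line change implements that. If this tree has no path-based variant of the match, so the second check has nothing to protect, the backport note should say so; otherwise the backport is incomplete relative to the upstream commit it cites. A short comment on the new check would also help, e.g. `/* reject counts larger than the bpf_program[] array in xt_bpf_info; bpf_prog_create() copies program.len entries (see KASAN report) */` — the array bound is presumably XT_BPF_MAX_NUM_INSTR, confirm against the uapi header. bpf_mt_check continues outside the hunk.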
tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch
revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
xhci-apply-xhci_pme_stuck_quirk-to-intel-comet-lake-platforms.patch
+vt_resizex-get-rid-of-field-by-field-copyin.patch
+vt-vt_ioctl-fix-race-in-vt_resizex.patch
+kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
+netfilter-xt_bpf-add-overflow-checks.patch
--- /dev/null
+From f46da4763627097b6a68c4a01693f3deeaf05dbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2020 11:07:21 -0800
+Subject: vt: vt_ioctl: fix race in VT_RESIZEX
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6cd1ed50efd88261298577cd92a14f2768eddeeb ]
+
+We need to make sure vc_cons[i].d is not NULL after grabbing
+console_lock(), or risk a crash.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]
+CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0x123/0x180 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x45b399
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399
+RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c
+Modules linked in:
+---[ end trace 80970faf7a67eb77 ]---
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index a1e5c408c931b..e9d9f9f3dc886 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -879,15 +879,20 @@ int vt_ioctl(struct tty_struct *tty,
+ return -EINVAL;
+
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
++ struct vc_data *vcp;
++
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (v.v_vlin)
+- vc_cons[i].d->vc_scan_lines = v.v_vlin;
+- if (v.v_clin)
+- vc_cons[i].d->vc_font.height = v.v_clin;
+- vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
++ vcp = vc_cons[i].d;
++ if (vcp) {
++ if (v.v_vlin)
++ vcp->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vcp->vc_font.height = v.v_clin;
++ vcp->vc_resize_user = 1;
++ vc_resize(vcp, v.v_cols, v.v_rows);
++ }
+ console_unlock();
+ }
+ break;
+--
+2.20.1
+
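Review bot: After this change the `if (!vc_cons[i].d) continue;` test above console_lock() is only an unlocked fast path, and the check that actually protects the dereference is the new `if (vcp)` taken under the lock; without a comment the remaining unlocked read looks like the very race the patch fixes. Suggest `/* cheap unlocked skip; rechecked under console_lock() because the console may be freed meanwhile */` on the pre-lock test, or drop the pre-lock test so there is a single check. The nested `if (vcp) { ... }` could also be flattened to `if (!vcp) { console_unlock(); continue; }`, which keeps the loop body at its original indentation. vt_ioctl begins and ends outside the hunk.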
--- /dev/null
+From 384eea419bf20af984ea4e6c7debb011424d80d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2017 12:34:13 -0400
+Subject: VT_RESIZEX: get rid of field-by-field copyin
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 1b3bce4d6bf839304a90951b4b25a5863533bf2a ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 68 ++++++++++++++++-----------------------
+ 1 file changed, 27 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index a86bc7afb3b28..a1e5c408c931b 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -850,58 +850,44 @@ int vt_ioctl(struct tty_struct *tty,
+
+ case VT_RESIZEX:
+ {
+- struct vt_consize __user *vtconsize = up;
+- ushort ll,cc,vlin,clin,vcol,ccol;
++ struct vt_consize v;
+ if (!perm)
+ return -EPERM;
+- if (!access_ok(VERIFY_READ, vtconsize,
+- sizeof(struct vt_consize))) {
+- ret = -EFAULT;
+- break;
+- }
++ if (copy_from_user(&v, up, sizeof(struct vt_consize)))
++ return -EFAULT;
+ /* FIXME: Should check the copies properly */
+- __get_user(ll, &vtconsize->v_rows);
+- __get_user(cc, &vtconsize->v_cols);
+- __get_user(vlin, &vtconsize->v_vlin);
+- __get_user(clin, &vtconsize->v_clin);
+- __get_user(vcol, &vtconsize->v_vcol);
+- __get_user(ccol, &vtconsize->v_ccol);
+- vlin = vlin ? vlin : vc->vc_scan_lines;
+- if (clin) {
+- if (ll) {
+- if (ll != vlin/clin) {
+- /* Parameters don't add up */
+- ret = -EINVAL;
+- break;
+- }
+- } else
+- ll = vlin/clin;
++ if (!v.v_vlin)
++ v.v_vlin = vc->vc_scan_lines;
++ if (v.v_clin) {
++ int rows = v.v_vlin/v.v_clin;
++ if (v.v_rows != rows) {
++ if (v.v_rows) /* Parameters don't add up */
++ return -EINVAL;
++ v.v_rows = rows;
++ }
+ }
+- if (vcol && ccol) {
+- if (cc) {
+- if (cc != vcol/ccol) {
+- ret = -EINVAL;
+- break;
+- }
+- } else
+- cc = vcol/ccol;
++ if (v.v_vcol && v.v_ccol) {
++ int cols = v.v_vcol/v.v_ccol;
++ if (v.v_cols != cols) {
++ if (v.v_cols)
++ return -EINVAL;
++ v.v_cols = cols;
++ }
+ }
+
+- if (clin > 32) {
+- ret = -EINVAL;
+- break;
+- }
+-
++ if (v.v_clin > 32)
++ return -EINVAL;
++
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (vlin)
+- vc_cons[i].d->vc_scan_lines = vlin;
+- if (clin)
+- vc_cons[i].d->vc_font.height = clin;
++ if (v.v_vlin)
++ vc_cons[i].d->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vc_cons[i].d->vc_font.height = v.v_clin;
+ vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, cc, ll);
++ vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
+ console_unlock();
+ }
+ break;
+--
+2.20.1
+
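Review bot: The `/* FIXME: Should check the copies properly */` comment kept at the top of the VT_RESIZEX block is now stale: the single `copy_from_user()` that replaces the `__get_user` sequence is checked and returns -EFAULT, so the FIXME no longer describes anything and should be removed in the same patch. Minor: `copy_from_user(&v, up, sizeof(struct vt_consize))` would be more robust as `copy_from_user(&v, up, sizeof(v))`, so the size stays tied to the local. The divisions `v.v_vlin/v.v_clin` and `v.v_vcol/v.v_ccol` are guarded by the enclosing non-zero tests, so the rewrite preserves the old behaviour there. vt_ioctl begins and ends outside the hunk.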