From: Greg Kroah-Hartman Date: Sun, 16 Oct 2022 16:24:33 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.219~84 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=04c14b5a50ddd97d27c730cfb6dff3633358b273;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch media-cedrus-set-the-platform-driver-data-earlier.patch --- diff --git a/queue-5.4/drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch b/queue-5.4/drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch new file mode 100644 index 00000000000..8addd523316 --- /dev/null +++ b/queue-5.4/drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch 
@@ -0,0 +1,39 @@ +From 540dfd188ea2940582841c1c220bd035a7db0e51 Mon Sep 17 00:00:00 2001 +From: Jianglei Nie +Date: Tue, 5 Jul 2022 21:25:46 +0800 +Subject: drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table() + +From: Jianglei Nie + +commit 540dfd188ea2940582841c1c220bd035a7db0e51 upstream. + +nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code +back to the caller. On failures, ttm will call nouveau_bo_del_ttm() and +free the memory.Thus, when nouveau_bo_init() returns an error, the gem +object has already been released. Then the call to nouveau_bo_ref() will +use the freed "nvbo->bo" and lead to a use-after-free bug. + +We should delete the call to nouveau_bo_ref() to avoid the use-after-free. + +Signed-off-by: Jianglei Nie +Reviewed-by: Lyude Paul +Signed-off-by: Lyude Paul +Fixes: 019cbd4a4feb ("drm/nouveau: Initialize GEM object before TTM object") +Cc: Thierry Reding +Cc: # v5.4+ +Link: https://patchwork.freedesktop.org/patch/msgid/20220705132546.2247677-1-niejianglei2021@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_prime.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c +@@ -90,7 +90,6 @@ struct drm_gem_object *nouveau_gem_prime + + ret = nouveau_bo_init(nvbo, size, align, flags, sg, robj); + if (ret) { +- nouveau_bo_ref(NULL, &nvbo); + obj = ERR_PTR(ret); + goto unlock; + } diff --git a/queue-5.4/kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch b/queue-5.4/kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch new file mode 100644 index 00000000000..3d0b705ad62 --- /dev/null +++ b/queue-5.4/kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch 
@@ -0,0 +1,72 @@ +From d953540430c5af57f5de97ea9e36253908204027 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 30 Aug 2022 23:15:48 +0000 +Subject: KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" + +From: Sean Christopherson + +commit d953540430c5af57f5de97ea9e36253908204027 upstream. + +Drop pending exceptions and events queued for re-injection when leaving +nested guest mode, even if the "exit" is due to VM-Fail, SMI, or forced +by host userspace. Failure to purge events could result in an event +belonging to L2 being injected into L1. + +This _should_ never happen for VM-Fail as all events should be blocked by +nested_run_pending, but it's possible if KVM, not the L1 hypervisor, is +the source of VM-Fail when running vmcs02. + +SMI is a nop (barring unknown bugs) as recognition of SMI and thus entry +to SMM is blocked by pending exceptions and re-injected events. + +Forced exit is definitely buggy, but has likely gone unnoticed because +userspace probably follows the forced exit with KVM_SET_VCPU_EVENTS (or +some other ioctl() that purges the queue). + +Fixes: 4f350c6dbcb9 ("kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Reviewed-by: Jim Mattson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-2-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/nested.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3762,14 +3762,6 @@ static void prepare_vmcs12(struct kvm_vc + nested_vmx_abort(vcpu, + VMX_ABORT_SAVE_GUEST_MSR_FAIL); + } +- +- /* +- * Drop what we picked up for L2 via vmx_complete_interrupts. It is +- * preserved above and would only end up incorrectly in L1. 
+- */ +- vcpu->arch.nmi_injected = false; +- kvm_clear_exception_queue(vcpu); +- kvm_clear_interrupt_queue(vcpu); + } + + /* +@@ -4104,6 +4096,17 @@ void nested_vmx_vmexit(struct kvm_vcpu * + WARN_ON_ONCE(nested_early_check); + } + ++ /* ++ * Drop events/exceptions that were queued for re-injection to L2 ++ * (picked up via vmx_complete_interrupts()), as well as exceptions ++ * that were pending for L2. Note, this must NOT be hoisted above ++ * prepare_vmcs12(), events/exceptions queued for re-injection need to ++ * be captured in vmcs12 (see vmcs12_save_pending_event()). ++ */ ++ vcpu->arch.nmi_injected = false; ++ kvm_clear_exception_queue(vcpu); ++ kvm_clear_interrupt_queue(vcpu); ++ + vmx_switch_vmcs(vcpu, &vmx->vmcs01); + + /* Update any VMCS fields that might have changed while L2 ran */ diff --git a/queue-5.4/kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch b/queue-5.4/kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch new file mode 100644 index 00000000000..50559c2cc10 --- /dev/null +++ b/queue-5.4/kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch 
@@ -0,0 +1,72 @@ +From eba9799b5a6efe2993cf92529608e4aa8163d73b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 30 Aug 2022 23:15:49 +0000 +Subject: KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS + +From: Sean Christopherson + +commit eba9799b5a6efe2993cf92529608e4aa8163d73b upstream. + +Deliberately truncate the exception error code when shoving it into the +VMCS (VM-Entry field for vmcs01 and vmcs02, VM-Exit field for vmcs12). +Intel CPUs are incapable of handling 32-bit error codes and will never +generate an error code with bits 31:16, but userspace can provide an +arbitrary error code via KVM_SET_VCPU_EVENTS. Failure to drop the bits +on exception injection results in failed VM-Entry, as VMX disallows +setting bits 31:16. Setting the bits on VM-Exit would at best confuse +L1, and at worse induce a nested VM-Entry failure, e.g. if L1 decided to +reinject the exception back into L2. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Reviewed-by: Jim Mattson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-3-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/nested.c | 11 ++++++++++- + arch/x86/kvm/vmx/vmx.c | 12 +++++++++++- + 2 files changed, 21 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3427,7 +3427,16 @@ static void nested_vmx_inject_exception_ + u32 intr_info = nr | INTR_INFO_VALID_MASK; + + if (vcpu->arch.exception.has_error_code) { +- vmcs12->vm_exit_intr_error_code = vcpu->arch.exception.error_code; ++ /* ++ * Intel CPUs do not generate error codes with bits 31:16 set, ++ * and more importantly VMX disallows setting bits 31:16 in the ++ * injected error code for VM-Entry. Drop the bits to mimic ++ * hardware and avoid inducing failure on nested VM-Entry if L1 ++ * chooses to inject the exception back to L2. 
AMD CPUs _do_ ++ * generate "full" 32-bit error codes, so KVM allows userspace ++ * to inject exception error codes with bits 31:16 set. ++ */ ++ vmcs12->vm_exit_intr_error_code = (u16)vcpu->arch.exception.error_code; + intr_info |= INTR_INFO_DELIVER_CODE_MASK; + } + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1676,7 +1676,17 @@ static void vmx_queue_exception(struct k + kvm_deliver_exception_payload(vcpu); + + if (has_error_code) { +- vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, error_code); ++ /* ++ * Despite the error code being architecturally defined as 32 ++ * bits, and the VMCS field being 32 bits, Intel CPUs and thus ++ * VMX don't actually supporting setting bits 31:16. Hardware ++ * will (should) never provide a bogus error code, but AMD CPUs ++ * do generate error codes with bits 31:16 set, and so KVM's ++ * ABI lets userspace shove in arbitrary 32-bit values. Drop ++ * the upper bits to avoid VM-Fail, losing information that ++ * does't really exist is preferable to killing the VM. ++ */ ++ vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)error_code); + intr_info |= INTR_INFO_DELIVER_CODE_MASK; + } + diff --git a/queue-5.4/kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch b/queue-5.4/kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch new file mode 100644 index 00000000000..8b8bbb77355 --- /dev/null +++ b/queue-5.4/kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch 
@@ -0,0 +1,34 @@ +From 6aa5c47c351b22c21205c87977c84809cd015fcf Mon Sep 17 00:00:00 2001 +From: Michal Luczaj +Date: Mon, 22 Aug 2022 00:06:47 +0200 +Subject: KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility + +From: Michal Luczaj + +commit 6aa5c47c351b22c21205c87977c84809cd015fcf upstream. + +The emulator checks the wrong variable while setting the CPU +interruptibility state, the target segment is embedded in the instruction +opcode, not the ModR/M register. Fix the condition. + +Signed-off-by: Michal Luczaj +Fixes: a5457e7bcf9a ("KVM: emulate: POP SS triggers a MOV SS shadow too") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20220821215900.1419215-1-mhal@rbox.co +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2020,7 +2020,7 @@ static int em_pop_sreg(struct x86_emulat + if (rc != X86EMUL_CONTINUE) + return rc; + +- if (ctxt->modrm_reg == VCPU_SREG_SS) ++ if (seg == VCPU_SREG_SS) + ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS; + if (ctxt->op_bytes > 2) + rsp_increment(ctxt, ctxt->op_bytes - 2); diff --git a/queue-5.4/media-cedrus-set-the-platform-driver-data-earlier.patch b/queue-5.4/media-cedrus-set-the-platform-driver-data-earlier.patch new file mode 100644 index 00000000000..3f5286e5c47 --- /dev/null +++ b/queue-5.4/media-cedrus-set-the-platform-driver-data-earlier.patch 
@@ -0,0 +1,46 @@ +From 708938f8495147fe2e77a9a3e1015d8e6899323e Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 18 Aug 2022 22:33:07 +0200 +Subject: media: cedrus: Set the platform driver data earlier + +From: Dmitry Osipenko + +commit 708938f8495147fe2e77a9a3e1015d8e6899323e upstream. + +The cedrus_hw_resume() crashes with NULL deference on driver probe if +runtime PM is disabled because it uses platform data that hasn't been +set up yet. Fix this by setting the platform data earlier during probe. + +Cc: stable@vger.kernel.org +Fixes: 50e761516f2b (media: platform: Add Cedrus VPU decoder driver) +Signed-off-by: Dmitry Osipenko +Signed-off-by: Nicolas Dufresne +Reviewed-by: Samuel Holland +Acked-by: Paul Kocialkowski +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/sunxi/cedrus/cedrus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/media/sunxi/cedrus/cedrus.c ++++ b/drivers/staging/media/sunxi/cedrus/cedrus.c +@@ -323,6 +323,8 @@ static int cedrus_probe(struct platform_ + if (!dev) + return -ENOMEM; + ++ platform_set_drvdata(pdev, dev); ++ + dev->vfd = cedrus_video_device; + dev->dev = &pdev->dev; + dev->pdev = pdev; +@@ -392,8 +394,6 @@ static int cedrus_probe(struct platform_ + goto err_m2m_mc; + } + +- platform_set_drvdata(pdev, dev); +- + return 0; + + err_m2m_mc: diff --git a/queue-5.4/series b/queue-5.4/series index 4990b3a1b82..54da9712eaa 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -48,3 +48,8 @@ ring-buffer-allow-splice-to-read-previous-partially-read-pages.patch ring-buffer-have-the-shortest_full-queue-be-the-shortest-not-longest.patch ring-buffer-check-pending-waiters-when-doing-wake-ups-as-well.patch ring-buffer-fix-race-between-reset-page-and-reading-page.patch +media-cedrus-set-the-platform-driver-data-earlier.patch +kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch +kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch +kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch +drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch
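Review bot: In the nouveau_prime.c hunk of drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch, dropping `nouveau_bo_ref(NULL, &nvbo);` leaves the `if (ret) {` error path silently relying on ttm having already freed `nvbo` through nouveau_bo_del_ttm(), which the commit message explains but the code does not; add a one-line comment at that branch (something like `/* nvbo was already freed by ttm when nouveau_bo_init() failed */`) so a later cleanup does not reintroduce the reference drop, and since `nvbo` is a dangling pointer from that point, confirm nothing after the `goto unlock;` label touches it.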
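Review bot: In the first nested.c hunk of kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch, the clearing of `vcpu->arch.nmi_injected` and the exception/interrupt queues is removed from prepare_vmcs12() with no replacement at that site; because the stated intent is that the purge becomes unconditional, confirm that every path which previously reached this code in prepare_vmcs12() now reaches the new purge in nested_vmx_vmexit(), as the hunk context alone does not show prepare_vmcs12()'s callers.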
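Review bot: In the second nested.c hunk of kvm-nvmx-unconditionally-purge-queued-injected-events-on-nested-exit.patch, the added comment says the purge "must NOT be hoisted above prepare_vmcs12()", yet the prepare_vmcs12() call is outside the visible context and the only visible anchor is the `WARN_ON_ONCE(nested_early_check); }` block; it would help to extend the comment to say that the purge is deliberately placed after that block so it runs on the VM-Fail, SMI and forced-exit paths alike (the three cases the commit message enumerates), otherwise a reader has to reconstruct from the description why the lines were moved rather than left in prepare_vmcs12().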
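Review bot: In the nested.c hunk of kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch, the truncation `(u16)vcpu->arch.exception.error_code` is the same operation the vmx.c hunk performs with `(u16)error_code`, each with its own multi-line justification; a single shared helper or named mask (for example an assumed `vmx_error_code(u32 ec)` returning `ec & 0xffff`) would keep the two sites from drifting and make the 16-bit intent explicit rather than relying on the implicit widening of the cast back into the 32-bit VMCS field.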
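Review bot: The comment added in the vmx.c hunk of kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch has two typos: "VMX don't actually supporting setting bits 31:16" should read "VMX don't actually support setting bits 31:16", and "losing information that does't really exist" should read "losing information that doesn't really exist". Since the comment is the only place that records why a userspace-supplied KVM_SET_VCPU_EVENTS value is silently narrowed rather than rejected, it is worth getting the wording right before it lands in stable.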
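Review bot: In the emulate.c hunk of kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch, the corrected condition `if (seg == VCPU_SREG_SS)` compares a variable whose definition is outside the visible context; confirm that `seg` is the opcode-derived segment index the commit message refers to and not another ModR/M-derived value. A brief comment above the condition, such as `/* POP SS, like MOV SS, inhibits interrupts for one instruction */`, would also make the intent clear, given that the previous `ctxt->modrm_reg` check shows how easily the source of the segment index was misread.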
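Review bot: In the first cedrus.c hunk of media-cedrus-set-the-platform-driver-data-earlier.patch, `platform_set_drvdata(pdev, dev);` now runs before `dev->vfd`, `dev->dev` and `dev->pdev` are assigned, so any code that fetches the driver data from this point on (the commit message names cedrus_hw_resume() when runtime PM is disabled) observes a partially initialised `dev`; please confirm that every field cedrus_hw_resume() reads is populated before the probe step that can invoke it, and consider stating that ordering requirement in a comment next to the moved call.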
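Review bot: In the second cedrus.c hunk of media-cedrus-set-the-platform-driver-data-earlier.patch, removing the late `platform_set_drvdata(pdev, dev);` means the driver data now remains set on the `err_m2m_mc` error path and the other failure labels that follow it, pointing at a `dev` whose probe failed; check whether the driver core clears drvdata on probe failure in this kernel series, and if not, clear it explicitly at the error labels so a stale pointer cannot be reached after a failed probe.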