From: Greg Kroah-Hartman Date: Wed, 22 Aug 2018 09:54:59 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.18.5~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06f4719f52e245611a3c0bb13c4bafeda9397e80;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
---
diff --git a/queue-4.4/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch b/queue-4.4/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
new file mode 100644
index 00000000000..b5c79665d9b
--- /dev/null
+++ b/queue-4.4/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
@@ -0,0 +1,51 @@
+From 9432a3175770e06cb83eada2d91fac90c977cb99 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 28 May 2018 13:31:13 +0200
+Subject: KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
+
+From: Paolo Bonzini
+
+commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.
+
+A comment warning against this bug is there, but the code is not doing what
+the comment says. Therefore it is possible that an EPOLLHUP races against
+irq_bypass_register_consumer. The EPOLLHUP handler schedules irqfd_shutdown,
+and if that runs soon enough, you get a use-after-free.
+
+Reported-by: syzbot
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Reviewed-by: David Hildenbrand
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/eventfd.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -405,11 +405,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ if (events & POLLIN)
+ schedule_work(&irqfd->inject);
+
+- /*
+- * do not drop the file until the irqfd is fully initialized, otherwise
+- * we might race against the POLLHUP
+- */
+- fdput(f);
+ #ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+ irqfd->consumer.token = (void *)irqfd->eventfd;
+ irqfd->consumer.add_producer = kvm_arch_irq_bypass_add_producer;
+@@ -423,6 +418,12 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ #endif
+
+ srcu_read_unlock(&kvm->irq_srcu, idx);
++
++ /*
++ * do not drop the file until the irqfd is fully initialized, otherwise
++ * we might race against the POLLHUP
++ */
++ fdput(f);
+ return 0;
+
+ fail:
diff --git a/queue-4.4/series b/queue-4.4/series
index 21a7573762d..80661251dd4 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
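Review bot: The relocated `fdput(f)` now covers only the successful `return 0`; every other exit from kvm_irqfd_assign, including the `fail:` path that begins at the last line of this hunk, lies outside the hunk, as does the function's start. The lines between the two inner hunks (new lines 411–417, the rest of the CONFIG_HAVE_KVM_IRQ_BYPASS block) are not shown either, so a backporter should confirm that none of them returns early, since such a return would now leave the file reference held, and that the failure path still performs its own fdput exactly once. The moved comment merely repeats the old wording; since the commit message spells out the actual hazard, it would read more clearly as `/* keep the file reference until the bypass consumer is registered: dropping it may raise POLLHUP, which schedules irqfd_shutdown and would free irqfd under us */`.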
@@ -65,3 +65,4 @@ net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch
 net-qca_spi-fix-log-level-if-probe-fails.patch
 tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
 staging-android-ion-check-for-kref-overflow.patch
+kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch