From: Greg Kroah-Hartman Date: Sun, 24 Jul 2022 15:48:32 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.133~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=239e028de3cc0e13cdeaa2fcd0eb755134c89a69;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: kvm-don-t-null-dereference-ops-destroy.patch --- diff --git a/queue-5.10/kvm-don-t-null-dereference-ops-destroy.patch b/queue-5.10/kvm-don-t-null-dereference-ops-destroy.patch new file mode 100644 index 00000000000..9763ee40031 --- /dev/null +++ b/queue-5.10/kvm-don-t-null-dereference-ops-destroy.patch 
@@ -0,0 +1,47 @@ +From e8bc2427018826e02add7b0ed0fc625a60390ae5 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 1 Jun 2022 03:43:28 +0200 +Subject: KVM: Don't null dereference ops->destroy + +From: Alexey Kardashevskiy + +commit e8bc2427018826e02add7b0ed0fc625a60390ae5 upstream. + +A KVM device cleanup happens in either of two callbacks: +1) destroy() which is called when the VM is being destroyed; +2) release() which is called when a device fd is closed. + +Most KVM devices use 1) but Book3s's interrupt controller KVM devices +(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during +the machine execution. The error handling in kvm_ioctl_create_device() +assumes destroy() is always defined which leads to NULL dereference as +discovered by Syzkaller. + +This adds a checks for destroy!=NULL and adds a missing release(). + +This is not changing kvm_destroy_devices() as devices with defined +release() should have been removed from the KVM devices list by then. + +Suggested-by: Paolo Bonzini +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3644,8 +3644,11 @@ static int kvm_ioctl_create_device(struc + kvm_put_kvm_no_destroy(kvm); + mutex_lock(&kvm->lock); + list_del(&dev->vm_node); ++ if (ops->release) ++ ops->release(dev); + mutex_unlock(&kvm->lock); +- ops->destroy(dev); ++ if (ops->destroy) ++ ops->destroy(dev); + return ret; + } + diff --git a/queue-5.10/series b/queue-5.10/series index cb4b4b1e4b1..d33e5162cb6 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -75,3 +75,4 @@ tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch +kvm-don-t-null-dereference-ops-destroy.patch
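Review bot: in the kvm_main.c hunk the new `ops->release(dev)` call runs while `kvm->lock` is still held (between `mutex_lock(&kvm->lock)` and `mutex_unlock(&kvm->lock)`), whereas the guarded `ops->destroy(dev)` runs only after the unlock. The commit message says Book3s devices (XICS, XIVE, XIVE-native) are the ones defining release(), but does not state whether those release() callbacks are safe to invoke under `kvm->lock`; since this is a backport of upstream e8bc2427018826e02add7b0ed0fc625a60390ae5, it would help to note in the changelog that the lock ordering matches upstream and that release() does not itself take `kvm->lock`, so a reviewer of the 5.10 queue can confirm there is no deadlock on this error path. The `if (ops->destroy)` guard itself correctly closes the NULL-dereference the message describes for the create_device error path.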