From: Greg Kroah-Hartman Date: Mon, 14 Jun 2021 08:42:45 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.273~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7000545325ae7a539df1ea4272e50bcb7a1b1230;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: kvm-fix-previous-commit-for-32-bit-builds.patch nfs-fix-use-after-free-in-nfs4_init_client.patch --- diff --git a/queue-5.4/kvm-fix-previous-commit-for-32-bit-builds.patch b/queue-5.4/kvm-fix-previous-commit-for-32-bit-builds.patch new file mode 100644 index 00000000000..834394da584 --- /dev/null +++ b/queue-5.4/kvm-fix-previous-commit-for-32-bit-builds.patch @@ -0,0 +1,33 @@ +From 4422829e8053068e0225e4d0ef42dc41ea7c9ef5 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 9 Jun 2021 01:49:13 -0400 +Subject: kvm: fix previous commit for 32-bit builds + +From: Paolo Bonzini + +commit 4422829e8053068e0225e4d0ef42dc41ea7c9ef5 upstream. + +array_index_nospec does not work for uint64_t on 32-bit builds. +However, the size of a memory slot must be less than 20 bits wide +on those system, since the memory slot must fit in the user +address space. So just store it in an unsigned long. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1051,8 +1051,8 @@ __gfn_to_hva_memslot(struct kvm_memory_s + * table walks, do not let the processor speculate loads outside + * the guest's registered memslots. + */ +- unsigned long offset = array_index_nospec(gfn - slot->base_gfn, +- slot->npages); ++ unsigned long offset = gfn - slot->base_gfn; ++ offset = array_index_nospec(offset, slot->npages); + return slot->userspace_addr + offset * PAGE_SIZE; + } + 
diff --git a/queue-5.4/nfs-fix-use-after-free-in-nfs4_init_client.patch b/queue-5.4/nfs-fix-use-after-free-in-nfs4_init_client.patch new file mode 100644 index 00000000000..12ea1a2408e --- /dev/null +++ b/queue-5.4/nfs-fix-use-after-free-in-nfs4_init_client.patch @@ -0,0 +1,38 @@ +From 476bdb04c501fc64bf3b8464ffddefc8dbe01577 Mon Sep 17 00:00:00 2001 +From: Anna Schumaker +Date: Wed, 2 Jun 2021 14:31:20 -0400 +Subject: NFS: Fix use-after-free in nfs4_init_client() + +From: Anna Schumaker + +commit 476bdb04c501fc64bf3b8464ffddefc8dbe01577 upstream. + +KASAN reports a use-after-free when attempting to mount two different +exports through two different NICs that belong to the same server. + +Olga was able to hit this with kernels starting somewhere between 5.7 +and 5.10, but I traced the patch that introduced the clear_bit() call to +4.13. So something must have changed in the refcounting of the clp +pointer to make this call to nfs_put_client() the very last one. + +Fixes: 8dcbec6d20 ("NFSv41: Handle EXCHID4_FLAG_CONFIRMED_R during NFSv4.1 migration") +Cc: stable@vger.kernel.org # 4.13+ +Signed-off-by: Anna Schumaker +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -435,8 +435,8 @@ struct nfs_client *nfs4_init_client(stru + */ + nfs_mark_client_ready(clp, -EPERM); + } +- nfs_put_client(clp); + clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags); ++ nfs_put_client(clp); + return old; + + error: diff --git a/queue-5.4/series b/queue-5.4/series index 923fde5f6ff..b8d0f9d1b30 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -72,3 +72,5 @@ ib-mlx5-fix-initializing-cq-fragments-buffer.patch nfs-fix-a-potential-null-dereference-in-nfs_get_clie.patch nfsv4-fix-deadlock-between-nfs4_evict_inode-and-nfs4.patch perf-session-correct-buffer-copying-when-peeking-eve.patch +kvm-fix-previous-commit-for-32-bit-builds.patch +nfs-fix-use-after-free-in-nfs4_init_client.patch
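Review bot: in the kvm_host.h hunk, the new line `unsigned long offset = gfn - slot->base_gfn;` truncates the 64-bit gfn difference to 32 bits on 32-bit builds before the bound check, so array_index_nospec() only ever sees the low bits. That is exactly the intent described in the commit message (slot sizes fit in the user address space, so in-range offsets are unaffected), but the comment block above, which currently only explains the speculation concern, should also record this assumption, because an out-of-range gfn whose high bits are dropped would no longer be clamped to 0 by array_index_nospec() and would instead be masked against slot->npages as if it were in range. Since callers are expected to pass a gfn inside the slot this is not a correctness problem, but it is the kind of implicit contract that a one-line comment keeps from being lost in a later refactor.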
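Review bot: in the nfs4client.c hunk the reordering is correct: `clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags);` dereferences clp, so it must run before `nfs_put_client(clp);`, which per the commit message can now be the final reference drop. After the move nothing touches clp before `return old;`, so the use-after-free is closed. A short comment above the nfs_put_client() call noting that it may free clp would make the ordering constraint explicit, since the surrounding context (nfs_mark_client_ready() on the error path, then the put) gives no hint that clp must not be used afterwards and the original bug came from exactly that ambiguity.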