From: Greg Kroah-Hartman Date: Tue, 23 Aug 2022 07:59:58 +0000 (+0200) Subject: drop 2 duplicate 5.4 patches X-Git-Tag: v4.9.326~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=730767c8208a5f516227e3cc346ecca5623d785a;p=thirdparty%2Fkernel%2Fstable-queue.git drop 2 duplicate 5.4 patches --- diff --git a/queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch b/queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch deleted file mode 100644 index 8a77272bd8a..00000000000 --- a/queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 250cedbe34c467df6f6cf1dfe1489f9ba3fc63b7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 23:27:48 +0000 -Subject: KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks - -From: Sean Christopherson - -commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream. - -Wait to mark the TSS as busy during LTR emulation until after all fault -checks for the LTR have passed. Specifically, don't mark the TSS busy if -the new TSS base is non-canonical. - -Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the -only reason for the early check was to avoid marking a !PRESENT TSS as -busy, i.e. the common !PRESENT is now done before setting the busy bit. - -Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR") -Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com -Cc: stable@vger.kernel.org -Cc: Tetsuo Handa -Cc: Hou Wenlong -Signed-off-by: Sean Christopherson -Reviewed-by: Maxim Levitsky -Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com -Signed-off-by: Sean Christopherson -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/emulate.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index fcb59dc54bf5..325f3520713b 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -1802,6 +1802,15 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - if (ret != X86EMUL_CONTINUE) - return ret; - } -+ -+ if (seg == VCPU_SREG_TR) { -+ old_desc = seg_desc; -+ seg_desc.type |= 2; /* busy */ -+ ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, -+ sizeof(seg_desc), &ctxt->exception); -+ if (ret != X86EMUL_CONTINUE) -+ return ret; -+ } - load: - ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg); - if (desc) --- -2.35.1 - 
diff --git a/queue-5.4/series b/queue-5.4/series index 33d1f76bb40..9d0f9007346 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -345,8 +345,6 @@ fec-fix-timer-capture-timing-in-fec_ptp_enable_pps.patch igb-add-lock-to-avoid-data-race.patch gcc-plugins-undefine-latent_entropy_plugin-when-plugin-disabled-for-a-file.patch locking-atomic-make-test_and_-_bit-ordered-on-failure.patch -kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch -tee-add-overflow-check-in-register_shm_helper.patch-3415 drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch usb-cdns3-fix-use-after-free-at-workaround-2.patch diff --git a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415 b/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415 deleted file mode 100644 index 787e90e79b1..00000000000 --- a/queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415 +++ /dev/null 
@@ -1,65 +0,0 @@ -From 33a8cb3b7eee713281a22f4e34f50a8137fc310c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Aug 2022 13:08:59 +0200 -Subject: tee: add overflow check in register_shm_helper() - -From: Jens Wiklander - -commit 573ae4f13f630d6660008f1974c0a8a29c30e18a upstream. - -With special lengths supplied by user space, register_shm_helper() has -an integer overflow when calculating the number of pages covered by a -supplied user space memory region. - -This causes internal_get_user_pages_fast() a helper function of -pin_user_pages_fast() to do a NULL pointer dereference: - - Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 - Modules linked in: - CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11 - Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 - pc : internal_get_user_pages_fast+0x474/0xa80 - Call trace: - internal_get_user_pages_fast+0x474/0xa80 - pin_user_pages_fast+0x24/0x4c - register_shm_helper+0x194/0x330 - tee_shm_register_user_buf+0x78/0x120 - tee_ioctl+0xd0/0x11a0 - __arm64_sys_ioctl+0xa8/0xec - invoke_syscall+0x48/0x114 - -Fix this by adding an an explicit call to access_ok() in -tee_shm_register_user_buf() to catch an invalid user space address -early. 
- -Fixes: 033ddf12bcf5 ("tee: add register user memory") -Cc: stable@vger.kernel.org -Reported-by: Nimish Mishra -Reported-by: Anirban Chakraborty -Reported-by: Debdeep Mukhopadhyay -Suggested-by: Jerome Forissier -Signed-off-by: Jens Wiklander -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tee/tee_shm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c -index 0d5ae8053049..6b8d112d492e 100644 ---- a/drivers/tee/tee_shm.c -+++ b/drivers/tee/tee_shm.c -@@ -239,6 +239,9 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr, - goto err; - } - -+ if (!access_ok((void __user *)addr, length)) -+ return ERR_PTR(-EFAULT); -+ - mutex_lock(&teedev->mutex); - list_add_tail(&shm->link, &ctx->list_shm); - mutex_unlock(&teedev->mutex); --- -2.35.1 -
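Review bot: In the deleted queue-5.4/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch, the embedded arch/x86/kvm/emulate.c hunk (@@ -1802,6 +1802,15 @@) only adds the `if (seg == VCPU_SREG_TR)` busy-marking block before `load:`. Its diffstat reads "9 insertions(+)" with no deletions, yet its own commit message describes delaying the busy marking until after the fault checks and dropping the one-off !seg_desc.PRESENT check for TR. If an earlier busy-marking block is still present in the 5.4 tree, applying this version would call cmpxchg_emulated() on the same descriptor twice. The message for this drop should name the 5.4 patch that carries the complete change, so it is clear the fix for the syzbot report stays queued or applied.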
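Review bot: The commit message gives no body beyond "drop 2 duplicate 5.4 patches", and the queue-5.4/series hunk (@@ -345,8 +345,6 @@) does not show what the two removed entries duplicate; none of the surviving context lines is a second copy of either patch. Please name the retained files, or the 5.4 release that already contains the fixes, in the message. The tee entry also ends in ".patch-3415" rather than ".patch", which deserves a word of explanation since both removed patches are stable-tagged fixes and a reader needs to be able to confirm they were not lost.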
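Review bot: In the deleted queue-5.4/tee-add-overflow-check-in-register_shm_helper.patch-3415, the embedded drivers/tee/tee_shm.c hunk (@@ -239,6 +239,9 @@) puts the access_ok() check directly before `mutex_lock(&teedev->mutex);` and `list_add_tail(&shm->link, &ctx->list_shm);` in tee_shm_register(), and leaves with `return ERR_PTR(-EFAULT);` although the context immediately above exits through `goto err;`. That placement does not match the message, which says the check is added in tee_shm_register_user_buf() to catch an invalid user space address early, and a direct return skips whatever the err path releases. When confirming the retained copy of this fix, check that its access_ok() runs ahead of the pin_user_pages_fast() path shown in the call trace and that it does not bypass the function's error cleanup.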