From: Sasha Levin Date: Fri, 18 Jun 2021 23:05:30 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.4.128~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c903341385b8dded313783c1b959969c984cdfe;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/fanotify-fix-copy_event_to_user-fid-error-clean-up.patch b/queue-5.10/fanotify-fix-copy_event_to_user-fid-error-clean-up.patch new file mode 100644 index 00000000000..6551b232f2a --- /dev/null +++ b/queue-5.10/fanotify-fix-copy_event_to_user-fid-error-clean-up.patch 
@@ -0,0 +1,52 @@ +From c24dae224b9822e768d6e49e72017f0acfd499bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 13:32:06 +1000 +Subject: fanotify: fix copy_event_to_user() fid error clean up + +From: Matthew Bobrowski + +[ Upstream commit f644bc449b37cc32d3ce7b36a88073873aa21bd5 ] + +Ensure that clean up is performed on the allocated file descriptor and +struct file object in the event that an error is encountered while copying +fid info objects. Currently, we return directly to the caller when an error +is experienced in the fid info copying helper, which isn't ideal given that +the listener process could be left with a dangling file descriptor in their +fdtable. + +Fixes: 5e469c830fdb ("fanotify: copy event fid info to user") +Fixes: 44d705b0370b ("fanotify: report name info for FAN_DIR_MODIFY event") +Link: https://lore.kernel.org/linux-fsdevel/YMKv1U7tNPK955ho@google.com/T/#m15361cd6399dad4396aad650de25dbf6b312288e +Link: https://lore.kernel.org/r/1ef8ae9100101eb1a91763c516c2e9a3a3b112bd.1623376346.git.repnop@google.com +Signed-off-by: Matthew Bobrowski +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/notify/fanotify/fanotify_user.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c +index dcab112e1f00..086b6bacbad1 100644 +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -378,7 +378,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, + info_type, fanotify_info_name(info), + info->name_len, buf, count); + if (ret < 0) +- return ret; ++ goto out_close_fd; + + buf += ret; + count -= ret; +@@ -426,7 +426,7 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, + fanotify_event_object_fh(event), + info_type, dot, dot_len, buf, count); + if (ret < 0) +- return ret; ++ goto out_close_fd; + + buf += ret; + count -= ret; +-- +2.30.2 + 
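Review bot: the target label out_close_fd is not visible in the hunk at copy_event_to_user (line 378), so review should confirm what it does: it has to release both the reserved descriptor and the struct file reference the commit message mentions, return the negative `ret` unchanged, and tolerate events that were never given a descriptor, since the fid info copy also runs for those. Worth checking as well that no other `return ret;` after a copy_info_to_user() call in this function was missed, because the message describes the copying helper in general rather than these two call sites.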
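Review bot: the second hunk (line 426, the "." directory name entry) brings that error path in line with the first; since the leak only shows when a later info record does not fit, a regression test that reads with a count large enough for the event header but too small for the trailing fid record, then checks that the listener's fd table is unchanged, would exercise both sites.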
diff --git a/queue-5.10/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch b/queue-5.10/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch new file mode 100644 index 00000000000..77501f16cdd --- /dev/null +++ b/queue-5.10/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch @@ -0,0 +1,43 @@ +From dd81650968b14e978ada4fe730b0a6d0a328c0ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 13:52:24 -0700 +Subject: kvm: LAPIC: Restore guard to prevent illegal APIC register access + +From: Jim Mattson + +[ Upstream commit 218bf772bddd221489c38dde6ef8e917131161f6 ] + +Per the SDM, "any access that touches bytes 4 through 15 of an APIC +register may cause undefined behavior and must not be executed." +Worse, such an access in kvm_lapic_reg_read can result in a leak of +kernel stack contents. Prior to commit 01402cf81051 ("kvm: LAPIC: +write down valid APIC registers"), such an access was explicitly +disallowed. Restore the guard that was removed in that commit. + +Fixes: 01402cf81051 ("kvm: LAPIC: write down valid APIC registers") +Signed-off-by: Jim Mattson +Reported-by: syzbot +Message-Id: <20210602205224.3189316-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 5759eb075d2f..677d21082454 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1405,6 +1405,9 @@ int kvm_lapic_reg_read(struct kvm_lapic *apic, u32 offset, int len, + if (!apic_x2apic_mode(apic)) + valid_reg_mask |= APIC_REG_MASK(APIC_ARBPRI); + ++ if (alignment + len > 4) ++ return 1; ++ + if (offset > 0x3f0 || !(valid_reg_mask & APIC_REG_MASK(offset))) + return 1; + +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index ab4fa312eae..aa98f653d98 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
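Review bot: `alignment` is not defined in the hunk at kvm_lapic_reg_read (line 1405); review should confirm it is derived from the low bits of offset before this point, so that the guard rejects any read touching bytes 4 through 15 of a register (for example alignment 15 with len 1) while an aligned 4-byte read still passes. A one-line comment above `if (alignment + len > 4)` citing the SDM rule quoted in the commit message would help, since the bare comparison does not say why 4 is the bound, and this is the guard that was dropped in 01402cf81051 per the Fixes tag.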
@@ -7,3 +7,5 @@ dmaengine-sf_pdma-depends-on-has_iomem.patch dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch afs-fix-an-is_err-vs-null-check.patch mm-memory-failure-make-sure-wait-for-page-writeback-.patch +kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch +fanotify-fix-copy_event_to_user-fid-error-clean-up.patch
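Review bot: both added series entries match the new file names under queue-5.10 exactly; the patches touch disjoint subsystems, so listing the kvm patch before the fanotify one, the reverse of the order in which the files appear in this commit, is harmless, though keeping series order aligned with the commit makes later backport review easier.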