From: Sasha Levin Date: Fri, 18 Jun 2021 23:05:31 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.4.128~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9564b62b3eee4f6070250e425f44da8176cc3ef8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch b/queue-5.4/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch new file mode 100644 index 00000000000..289ffb03c4d --- /dev/null +++ b/queue-5.4/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch 
@@ -0,0 +1,43 @@ +From a2d01bdd29f4730e08627951a063aa9c1981f553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 13:52:24 -0700 +Subject: kvm: LAPIC: Restore guard to prevent illegal APIC register access + +From: Jim Mattson + +[ Upstream commit 218bf772bddd221489c38dde6ef8e917131161f6 ] + +Per the SDM, "any access that touches bytes 4 through 15 of an APIC +register may cause undefined behavior and must not be executed." +Worse, such an access in kvm_lapic_reg_read can result in a leak of +kernel stack contents. Prior to commit 01402cf81051 ("kvm: LAPIC: +write down valid APIC registers"), such an access was explicitly +disallowed. Restore the guard that was removed in that commit. + +Fixes: 01402cf81051 ("kvm: LAPIC: write down valid APIC registers") +Signed-off-by: Jim Mattson +Reported-by: syzbot +Message-Id: <20210602205224.3189316-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 3f6b866c644d..eea2d6f10f59 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1332,6 +1332,9 @@ int kvm_lapic_reg_read(struct kvm_lapic *apic, u32 offset, int len, + if (!apic_x2apic_mode(apic)) + valid_reg_mask |= APIC_REG_MASK(APIC_ARBPRI); + ++ if (alignment + len > 4) ++ return 1; ++ + if (offset > 0x3f0 || !(valid_reg_mask & APIC_REG_MASK(offset))) + return 1; + +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index 577e8a8fd01..f90af7432b1 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -3,3 +3,4 @@ dmaengine-qcom_hidma_mgmt-depends-on-has_iomem.patch dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch afs-fix-an-is_err-vs-null-check.patch mm-memory-failure-make-sure-wait-for-page-writeback-.patch +kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch
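Review bot: the new guard `if (alignment + len > 4) return 1;` in the lapic.c hunk refers to a variable `alignment` that is neither declared nor shown in the three lines of context, so the backport only compiles if kvm_lapic_reg_read in the 5.4 tree already computes it the same way as the upstream function this was taken from (commit 218bf772bddd221489c38dde6ef8e917131161f6); please confirm by checking the function's earlier lines in arch/x86/kvm/lapic.c before queueing. Placement looks right: rejecting a read whose `alignment + len` crosses the first 4 bytes happens before the `offset > 0x3f0 || !(valid_reg_mask & APIC_REG_MASK(offset))` check, so an over-long or misaligned access to an otherwise valid register is refused before any register bytes are copied, which is exactly the SDM restriction (bytes 4 through 15 must not be touched) and the kernel-stack leak the commit message describes. One further check for the 5.4 backport: make sure every caller of kvm_lapic_reg_read in this tree tolerates the extra return value of 1, since the guard now fires for inputs that previously fell through to the mask check.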
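Review bot: in the queue-5.4/series hunk the appended entry `kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch` matches the new file name exactly, including the truncated `regi` suffix, so the queue will pick it up; nothing else to raise here beyond noting that it is appended last, after `mm-memory-failure-make-sure-wait-for-page-writeback-.patch`, so it is applied on top of the four preceding entries and should be test-applied in that order.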