From: Greg Kroah-Hartman Date: Wed, 17 Nov 2021 17:53:11 +0000 (+0100) Subject: drop some broken s390 patches from 4.9 and 4.14 X-Git-Tag: v5.14.20~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e259d8bb85c1d2ae59145b2389fd0708a5aee99;p=thirdparty%2Fkernel%2Fstable-queue.git drop some broken s390 patches from 4.9 and 4.14 --- diff --git a/queue-4.14/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch b/queue-4.14/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch index 976f8453b15..649bee2122e 100644 --- a/queue-4.14/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch +++ b/queue-4.14/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch @@ -23,15 +23,13 @@ Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com Signed-off-by: Christian Borntraeger Signed-off-by: Sasha Levin --- - arch/s390/mm/gmap.c | 5 +++-- + arch/s390/mm/gmap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c -index 55cf3ed1d1fae..979e2c53a513a 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c -@@ -671,9 +671,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) - +@@ -665,9 +665,10 @@ void __gmap_zap(struct gmap *gmap, unsig + vmaddr |= gaddr & ~PMD_MASK; /* Get pointer to the page table entry */ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); - if (likely(ptep)) @@ -43,6 +41,3 @@ index 55cf3ed1d1fae..979e2c53a513a 100644 } } EXPORT_SYMBOL_GPL(__gmap_zap); --- -2.33.0 - diff --git a/queue-4.14/s390-gmap-validate-vma-in-__gmap_zap.patch b/queue-4.14/s390-gmap-validate-vma-in-__gmap_zap.patch deleted file mode 100644 index 7d09718762c..00000000000 --- a/queue-4.14/s390-gmap-validate-vma-in-__gmap_zap.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From d20014a393c9a02727204b3789ee45ef732a72c7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 Sep 2021 18:22:40 +0200 -Subject: s390/gmap: validate VMA in __gmap_zap() - -From: David Hildenbrand - -[ Upstream commit 2d8fb8f3914b40e3cc12f8cbb74daefd5245349d ] - -We should not walk/touch page tables outside of VMA boundaries when -holding only the mmap sem in read mode. Evil user space can modify the -VMA layout just before this function runs and e.g., trigger races with -page table removal code since commit dd2283f2605e ("mm: mmap: zap pages -with read mmap_sem in munmap"). The pure prescence in our guest_to_host -radix tree does not imply that there is a VMA. - -Further, we should not allocate page tables (via get_locked_pte()) outside -of VMA boundaries: if evil user space decides to map hugetlbfs to these -ranges, bad things will happen because we suddenly have PTE or PMD page -tables where we shouldn't have them. - -Similarly, we have to check if we suddenly find a hugetlbfs VMA, before -calling get_locked_pte(). - -Note that gmap_discard() is different: -zap_page_range()->unmap_single_vma() makes sure to stay within VMA -boundaries. 
- -Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management") -Signed-off-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Acked-by: Heiko Carstens -Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com -Signed-off-by: Christian Borntraeger -Signed-off-by: Sasha Levin ---- - arch/s390/mm/gmap.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c -index a29d2e88b00ef..55cf3ed1d1fae 100644 ---- a/arch/s390/mm/gmap.c -+++ b/arch/s390/mm/gmap.c -@@ -654,6 +654,7 @@ EXPORT_SYMBOL_GPL(gmap_fault); - */ - void __gmap_zap(struct gmap *gmap, unsigned long gaddr) - { -+ struct vm_area_struct *vma; - unsigned long vmaddr; - spinlock_t *ptl; - pte_t *ptep; -@@ -663,6 +664,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) - gaddr >> PMD_SHIFT); - if (vmaddr) { - vmaddr |= gaddr & ~PMD_MASK; -+ -+ vma = vma_lookup(gmap->mm, vmaddr); -+ if (!vma || is_vm_hugetlb_page(vma)) -+ return; -+ - /* Get pointer to the page table entry */ - ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); - if (likely(ptep)) --- -2.33.0 - diff --git a/queue-4.14/s390-mm-validate-vma-in-pgste-manipulation-functions.patch b/queue-4.14/s390-mm-validate-vma-in-pgste-manipulation-functions.patch deleted file mode 100644 index ab14a8b765b..00000000000 --- a/queue-4.14/s390-mm-validate-vma-in-pgste-manipulation-functions.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From b9eaebec12377e206c0c9ed092464987a81c2dfd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 Sep 2021 18:22:42 +0200 -Subject: s390/mm: validate VMA in PGSTE manipulation functions - -From: David Hildenbrand - -[ Upstream commit fe3d10024073f06f04c74b9674bd71ccc1d787cf ] - -We should not walk/touch page tables outside of VMA boundaries when -holding only the mmap sem in read mode. Evil user space can modify the -VMA layout just before this function runs and e.g., trigger races with -page table removal code since commit dd2283f2605e ("mm: mmap: zap pages -with read mmap_sem in munmap"). gfn_to_hva() will only translate using -KVM memory regions, but won't validate the VMA. - -Further, we should not allocate page tables outside of VMA boundaries: if -evil user space decides to map hugetlbfs to these ranges, bad things will -happen because we suddenly have PTE or PMD page tables where we -shouldn't have them. - -Similarly, we have to check if we suddenly find a hugetlbfs VMA, before -calling get_locked_pte(). 
- -Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions") -Signed-off-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Acked-by: Heiko Carstens -Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com -Signed-off-by: Christian Borntraeger -Signed-off-by: Sasha Levin ---- - arch/s390/mm/pgtable.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c -index ae677f814bc07..a2182d5a1a105 100644 ---- a/arch/s390/mm/pgtable.c -+++ b/arch/s390/mm/pgtable.c -@@ -896,6 +896,7 @@ EXPORT_SYMBOL(get_guest_storage_key); - int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc, - unsigned long *oldpte, unsigned long *oldpgste) - { -+ struct vm_area_struct *vma; - unsigned long pgstev; - spinlock_t *ptl; - pgste_t pgste; -@@ -905,6 +906,10 @@ int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc, - WARN_ON_ONCE(orc > ESSA_MAX); - if (unlikely(orc > ESSA_MAX)) - return -EINVAL; -+ -+ vma = vma_lookup(mm, hva); -+ if (!vma || is_vm_hugetlb_page(vma)) -+ return -EFAULT; - ptep = get_locked_pte(mm, hva, &ptl); - if (unlikely(!ptep)) - return -EFAULT; -@@ -997,10 +1002,14 @@ EXPORT_SYMBOL(pgste_perform_essa); - int set_pgste_bits(struct mm_struct *mm, unsigned long hva, - unsigned long bits, unsigned long value) - { -+ struct vm_area_struct *vma; - spinlock_t *ptl; - pgste_t new; - pte_t *ptep; - -+ vma = vma_lookup(mm, hva); -+ if (!vma || is_vm_hugetlb_page(vma)) -+ return -EFAULT; - ptep = get_locked_pte(mm, hva, &ptl); - if (unlikely(!ptep)) - return -EFAULT; -@@ -1025,9 +1034,13 @@ EXPORT_SYMBOL(set_pgste_bits); - */ - int get_pgste(struct mm_struct *mm, unsigned long hva, unsigned long *pgstep) - { -+ struct vm_area_struct *vma; - spinlock_t *ptl; - pte_t *ptep; - -+ vma = vma_lookup(mm, hva); -+ if (!vma || is_vm_hugetlb_page(vma)) -+ return -EFAULT; - ptep = get_locked_pte(mm, hva, &ptl); - if (unlikely(!ptep)) - return -EFAULT; --- -2.33.0 - 
diff --git a/queue-4.14/series b/queue-4.14/series index 8fb77300cbb..80f51242bef 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -127,9 +127,7 @@ mwifiex-send-delba-requests-according-to-spec.patch phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch pm-hibernate-fix-sparse-warnings.patch smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch -s390-gmap-validate-vma-in-__gmap_zap.patch s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch -s390-mm-validate-vma-in-pgste-manipulation-functions.patch irq-mips-avoid-nested-irq_enter.patch samples-kretprobes-fix-return-value-if-register_kret.patch libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch diff --git a/queue-4.9/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch b/queue-4.9/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch index 87a6de06fc6..2116bd7c15c 100644 --- a/queue-4.9/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch +++ b/queue-4.9/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch @@ -23,15 +23,13 @@ Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com Signed-off-by: Christian Borntraeger Signed-off-by: Sasha Levin --- - arch/s390/mm/gmap.c | 5 +++-- + arch/s390/mm/gmap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c -index a8498870bcf49..ffc1372e4c56d 100644 --- a/arch/s390/mm/gmap.c +++ b/arch/s390/mm/gmap.c -@@ -668,9 +668,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) - +@@ -662,9 +662,10 @@ void __gmap_zap(struct gmap *gmap, unsig + vmaddr |= gaddr & ~PMD_MASK; /* Get pointer to the page table entry */ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); - if (likely(ptep)) @@ -43,6 +41,3 @@ index a8498870bcf49..ffc1372e4c56d 100644 } } EXPORT_SYMBOL_GPL(__gmap_zap); --- -2.33.0 - 
diff --git a/queue-4.9/s390-gmap-validate-vma-in-__gmap_zap.patch b/queue-4.9/s390-gmap-validate-vma-in-__gmap_zap.patch deleted file mode 100644 index 88b0be99952..00000000000 --- a/queue-4.9/s390-gmap-validate-vma-in-__gmap_zap.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 35177947f8b30a9282dc9149cb936de4c6dd487e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 Sep 2021 18:22:40 +0200 -Subject: s390/gmap: validate VMA in __gmap_zap() - -From: David Hildenbrand - -[ Upstream commit 2d8fb8f3914b40e3cc12f8cbb74daefd5245349d ] - -We should not walk/touch page tables outside of VMA boundaries when -holding only the mmap sem in read mode. Evil user space can modify the -VMA layout just before this function runs and e.g., trigger races with -page table removal code since commit dd2283f2605e ("mm: mmap: zap pages -with read mmap_sem in munmap"). The pure prescence in our guest_to_host -radix tree does not imply that there is a VMA. - -Further, we should not allocate page tables (via get_locked_pte()) outside -of VMA boundaries: if evil user space decides to map hugetlbfs to these -ranges, bad things will happen because we suddenly have PTE or PMD page -tables where we shouldn't have them. - -Similarly, we have to check if we suddenly find a hugetlbfs VMA, before -calling get_locked_pte(). - -Note that gmap_discard() is different: -zap_page_range()->unmap_single_vma() makes sure to stay within VMA -boundaries. 
- -Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management") -Signed-off-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Acked-by: Heiko Carstens -Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com -Signed-off-by: Christian Borntraeger -Signed-off-by: Sasha Levin ---- - arch/s390/mm/gmap.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c -index 0195c3983f540..a8498870bcf49 100644 ---- a/arch/s390/mm/gmap.c -+++ b/arch/s390/mm/gmap.c -@@ -651,6 +651,7 @@ EXPORT_SYMBOL_GPL(gmap_fault); - */ - void __gmap_zap(struct gmap *gmap, unsigned long gaddr) - { -+ struct vm_area_struct *vma; - unsigned long vmaddr; - spinlock_t *ptl; - pte_t *ptep; -@@ -660,6 +661,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) - gaddr >> PMD_SHIFT); - if (vmaddr) { - vmaddr |= gaddr & ~PMD_MASK; -+ -+ vma = vma_lookup(gmap->mm, vmaddr); -+ if (!vma || is_vm_hugetlb_page(vma)) -+ return; -+ - /* Get pointer to the page table entry */ - ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); - if (likely(ptep)) --- -2.33.0 - diff --git a/queue-4.9/series b/queue-4.9/series index bd9c6b60b46..8f8daa283e0 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -106,7 +106,6 @@ platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch mwifiex-send-delba-requests-according-to-spec.patch phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch -s390-gmap-validate-vma-in-__gmap_zap.patch s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch irq-mips-avoid-nested-irq_enter.patch samples-kretprobes-fix-return-value-if-register_kret.patch
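Review bot: the commit message says only that the s390 patches are "broken" and gives no failure mode, so the deletions of s390-gmap-validate-vma-in-__gmap_zap.patch (queue-4.14 and queue-4.9) and s390-mm-validate-vma-in-pgste-manipulation-functions.patch (queue-4.14) cannot be judged from the record alone. Please state in the message what failed (build or runtime, and on which tree). The message should also note the consequence. With these patches gone, __gmap_zap(), pgste_perform_essa(), set_pgste_bits() and get_pgste() reach get_locked_pte() without the vma_lookup() / is_vm_hugetlb_page() check, which is the condition the deleted changelogs describe as reachable by user space that changes the VMA layout. Say whether a reworked backport is planned for 4.9 and 4.14.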
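Review bot: the refreshed s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch in both queues should be confirmed to apply on its own now that its predecessor is dropped. The hunk header moves from -671,9 +671,10 to -665,9 +665,10 in queue-4.14 and from -668,9 +668,10 to -662,9 +662,10 in queue-4.9, and the leading context line changes from a blank line to "vmaddr |= gaddr & ~PMD_MASK;". Both are consistent with the six insertions of the dropped gmap patch no longer being present. The refresh also drops the inner diff --git and index lines and the trailing "-- 2.33.0" signature, and truncates the function context to "unsig". That matters only if some tool in the queue workflow relies on the index hashes, so a short note in the commit message that the patch was regenerated rather than hand-edited would help.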
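Review bot: the two series hunks are not symmetric, and the commit message does not say why. queue-4.14/series loses both s390-gmap-validate-vma-in-__gmap_zap.patch and s390-mm-validate-vma-in-pgste-manipulation-functions.patch, while queue-4.9/series loses only the gmap entry and no pgste patch file is deleted under queue-4.9. The 4.9 context shows irq-mips-avoid-nested-irq_enter.patch directly after the retained s390 patch, so the pgste patch does not appear to be queued there. Please confirm that, since a copy left elsewhere in the 4.9 series would carry the same breakage.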