From: Greg Kroah-Hartman Date: Mon, 26 Feb 2024 10:38:17 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.308~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c70cd45a33f73d6d20294387734f92af268a9a34;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch s390-cio-fix-invalid-ebusy-on-ccw_device_start.patch --- diff --git a/queue-5.10/dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch b/queue-5.10/dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch new file mode 100644 index 00000000000..d2d7d18a27b --- /dev/null +++ b/queue-5.10/dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch @@ -0,0 +1,43 @@ +From 50c70240097ce41fe6bce6478b80478281e4d0f7 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 19 Feb 2024 21:30:10 +0100 +Subject: dm-crypt: don't modify the data when using authenticated encryption + +From: Mikulas Patocka + +commit 50c70240097ce41fe6bce6478b80478281e4d0f7 upstream. + +It was said that authenticated encryption could produce invalid tag when +the data that is being encrypted is modified [1]. So, fix this problem by +copying the data into the clone bio first and then encrypt them inside the +clone bio. + +This may reduce performance, but it is needed to prevent the user from +corrupting the device by writing data with O_DIRECT and modifying them at +the same time. + +[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/ + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-crypt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2064,6 +2064,12 @@ static void kcryptd_crypt_write_convert( + io->ctx.bio_out = clone; + io->ctx.iter_out = clone->bi_iter; + ++ if (crypt_integrity_aead(cc)) { ++ bio_copy_data(clone, io->base_bio); ++ io->ctx.bio_in = clone; ++ io->ctx.iter_in = clone->bi_iter; ++ } ++ + sector += bio_sectors(clone); + + crypt_inc_pending(io); diff --git a/queue-5.10/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch b/queue-5.10/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch new file mode 100644 index 00000000000..2e88762f244 --- /dev/null +++ b/queue-5.10/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch @@ -0,0 +1,97 @@ +From 136cfaca22567a03bbb3bf53a43d8cb5748b80ec Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Wed, 14 Feb 2024 19:27:33 +0300 +Subject: gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() + +From: Vasiliy Kovalev + +commit 136cfaca22567a03bbb3bf53a43d8cb5748b80ec upstream. + +The gtp_net_ops pernet operations structure for the subsystem must be +registered before registering the generic netlink family. + +Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: + +general protection fault, probably for non-canonical address +0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 +RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp] +Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86 + df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> + 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74 +RSP: 0018:ffff888014107220 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000 +FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0 +PKRU: 55555554 +Call Trace: + + ? show_regs+0x90/0xa0 + ? die_addr+0x50/0xd0 + ? exc_general_protection+0x148/0x220 + ? asm_exc_general_protection+0x22/0x30 + ? gtp_genl_dump_pdp+0x1be/0x800 [gtp] + ? __alloc_skb+0x1dd/0x350 + ? __pfx___alloc_skb+0x10/0x10 + genl_dumpit+0x11d/0x230 + netlink_dump+0x5b9/0xce0 + ? lockdep_hardirqs_on_prepare+0x253/0x430 + ? __pfx_netlink_dump+0x10/0x10 + ? kasan_save_track+0x10/0x40 + ? __kasan_kmalloc+0x9b/0xa0 + ? genl_start+0x675/0x970 + __netlink_dump_start+0x6fc/0x9f0 + genl_family_rcv_msg_dumpit+0x1bb/0x2d0 + ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10 + ? genl_op_from_small+0x2a/0x440 + ? cap_capable+0x1d0/0x240 + ? __pfx_genl_start+0x10/0x10 + ? __pfx_genl_dumpit+0x10/0x10 + ? __pfx_genl_done+0x10/0x10 + ? security_capable+0x9d/0xe0 + +Cc: stable@vger.kernel.org +Signed-off-by: Vasiliy Kovalev +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Link: https://lore.kernel.org/r/20240214162733.34214-1-kovalev@altlinux.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1410,20 +1410,20 @@ static int __init gtp_init(void) + if (err < 0) + goto error_out; + +- err = genl_register_family(>p_genl_family); ++ err = register_pernet_subsys(>p_net_ops); + if (err < 0) + goto unreg_rtnl_link; + +- err = register_pernet_subsys(>p_net_ops); ++ err = genl_register_family(>p_genl_family); + if (err < 0) +- goto unreg_genl_family; ++ goto unreg_pernet_subsys; + + pr_info("GTP module loaded (pdp ctx size %zd bytes)\n", + sizeof(struct pdp_ctx)); + return 0; + +-unreg_genl_family: +- genl_unregister_family(>p_genl_family); ++unreg_pernet_subsys: ++ unregister_pernet_subsys(>p_net_ops); + unreg_rtnl_link: + rtnl_link_unregister(>p_link_ops); + error_out: diff --git a/queue-5.10/kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch b/queue-5.10/kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch new file mode 100644 index 00000000000..20f1b4aae33 --- /dev/null +++ b/queue-5.10/kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch @@ -0,0 +1,36 @@ +From 8d3a7dfb801d157ac423261d7cd62c33e95375f8 Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Wed, 21 Feb 2024 09:27:31 +0000 +Subject: KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() + +From: Oliver Upton + +commit 8d3a7dfb801d157ac423261d7cd62c33e95375f8 upstream. + +vgic_get_irq() may not return a valid descriptor if there is no ITS that +holds a valid translation for the specified INTID. If that is the case, +it is safe to silently ignore it and continue processing the LPI pending +table. + +Cc: stable@vger.kernel.org +Fixes: 33d3bc9556a7 ("KVM: arm64: vgic-its: Read initial LPI pending table") +Signed-off-by: Oliver Upton +Link: https://lore.kernel.org/r/20240221092732.4126848-2-oliver.upton@linux.dev +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -462,6 +462,9 @@ static int its_sync_lpi_pending_table(st + } + + irq = vgic_get_irq(vcpu->kvm, NULL, intids[i]); ++ if (!irq) ++ continue; ++ + raw_spin_lock_irqsave(&irq->irq_lock, flags); + irq->pending_latch = pendmask & (1U << bit_nr); + vgic_queue_irq_unlock(vcpu->kvm, irq, flags); diff --git a/queue-5.10/kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch b/queue-5.10/kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch new file mode 100644 index 00000000000..6251e959245 --- /dev/null +++ b/queue-5.10/kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch @@ -0,0 +1,35 @@ +From 85a71ee9a0700f6c18862ef3b0011ed9dad99aca Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Wed, 21 Feb 2024 09:27:32 +0000 +Subject: KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler + +From: Oliver Upton + +commit 85a71ee9a0700f6c18862ef3b0011ed9dad99aca upstream. + +It is possible that an LPI mapped in a different ITS gets unmapped while +handling the MOVALL command. If that is the case, there is no state that +can be migrated to the destination. Silently ignore it and continue +migrating other LPIs. + +Cc: stable@vger.kernel.org +Fixes: ff9c114394aa ("KVM: arm/arm64: GICv4: Handle MOVALL applied to a vPE") +Signed-off-by: Oliver Upton +Link: https://lore.kernel.org/r/20240221092732.4126848-3-oliver.upton@linux.dev +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -1374,6 +1374,8 @@ static int vgic_its_cmd_handle_movall(st + + for (i = 0; i < irq_count; i++) { + irq = vgic_get_irq(kvm, NULL, intids[i]); ++ if (!irq) ++ continue; + + update_affinity(irq, vcpu2); + diff --git a/queue-5.10/s390-cio-fix-invalid-ebusy-on-ccw_device_start.patch b/queue-5.10/s390-cio-fix-invalid-ebusy-on-ccw_device_start.patch new file mode 100644 index 00000000000..85bc2df2301 --- /dev/null +++ b/queue-5.10/s390-cio-fix-invalid-ebusy-on-ccw_device_start.patch @@ -0,0 +1,104 @@ +From 5ef1dc40ffa6a6cb968b0fdc43c3a61727a9e950 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Wed, 14 Feb 2024 16:06:28 +0100 +Subject: s390/cio: fix invalid -EBUSY on ccw_device_start + +From: Peter Oberparleiter + +commit 5ef1dc40ffa6a6cb968b0fdc43c3a61727a9e950 upstream. + +The s390 common I/O layer (CIO) returns an unexpected -EBUSY return code +when drivers try to start I/O while a path-verification (PV) process is +pending. This can lead to failed device initialization attempts with +symptoms like broken network connectivity after boot. + +Fix this by replacing the -EBUSY return code with a deferred condition +code 1 reply to make path-verification handling consistent from a +driver's point of view. + +The problem can be reproduced semi-regularly using the following process, +while repeating steps 2-3 as necessary (example assumes an OSA device +with bus-IDs 0.0.a000-0.0.a002 on CHPID 0.02): + +1. echo 0.0.a000,0.0.a001,0.0.a002 >/sys/bus/ccwgroup/drivers/qeth/group +2. echo 0 > /sys/bus/ccwgroup/devices/0.0.a000/online +3. echo 1 > /sys/bus/ccwgroup/devices/0.0.a000/online ; \ + echo on > /sys/devices/css0/chp0.02/status + +Background information: + +The common I/O layer starts path-verification I/Os when it receives +indications about changes in a device path's availability. This occurs +for example when hardware events indicate a change in channel-path +status, or when a manual operation such as a CHPID vary or configure +operation is performed. + +If a driver attempts to start I/O while a PV is running, CIO reports a +successful I/O start (ccw_device_start() return code 0). Then, after +completion of PV, CIO synthesizes an interrupt response that indicates +an asynchronous status condition that prevented the start of the I/O +(deferred condition code 1). + +If a PV indication arrives while a device is busy with driver-owned I/O, +PV is delayed until after I/O completion was reported to the driver's +interrupt handler. To ensure that PV can be started eventually, CIO +reports a device busy condition (ccw_device_start() return code -EBUSY) +if a driver tries to start another I/O while PV is pending. + +In some cases this -EBUSY return code causes device drivers to consider +a device not operational, resulting in failed device initialization. + +Note: The code that introduced the problem was added in 2003. Symptoms +started appearing with the following CIO commit that causes a PV +indication when a device is removed from the cio_ignore list after the +associated parent subchannel device was probed, but before online +processing of the CCW device has started: + +2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") + +During boot, the cio_ignore list is modified by the cio_ignore dracut +module [1] as well as Linux vendor-specific systemd service scripts[2]. +When combined, this commit and boot scripts cause a frequent occurrence +of the problem during boot. + +[1] https://github.com/dracutdevs/dracut/tree/master/modules.d/81cio_ignore +[2] https://github.com/SUSE/s390-tools/blob/master/cio_ignore.service + +Cc: stable@vger.kernel.org # v5.15+ +Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") +Tested-By: Thorsten Winkler +Reviewed-by: Thorsten Winkler +Signed-off-by: Peter Oberparleiter +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/device_ops.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/cio/device_ops.c b/drivers/s390/cio/device_ops.c +index c533d1dadc6b..a5dba3829769 100644 +--- a/drivers/s390/cio/device_ops.c ++++ b/drivers/s390/cio/device_ops.c +@@ -202,7 +202,8 @@ int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa, + return -EINVAL; + if (cdev->private->state == DEV_STATE_NOT_OPER) + return -ENODEV; +- if (cdev->private->state == DEV_STATE_VERIFY) { ++ if (cdev->private->state == DEV_STATE_VERIFY || ++ cdev->private->flags.doverify) { + /* Remember to fake irb when finished. */ + if (!cdev->private->flags.fake_irb) { + cdev->private->flags.fake_irb = FAKE_CMD_IRB; +@@ -214,8 +215,7 @@ int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa, + } + if (cdev->private->state != DEV_STATE_ONLINE || + ((sch->schib.scsw.cmd.stctl & SCSW_STCTL_PRIM_STATUS) && +- !(sch->schib.scsw.cmd.stctl & SCSW_STCTL_SEC_STATUS)) || +- cdev->private->flags.doverify) ++ !(sch->schib.scsw.cmd.stctl & SCSW_STCTL_SEC_STATUS))) + return -EBUSY; + ret = cio_set_options (sch, flags); + if (ret) +-- +2.44.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 61a72548dd2..bfb5f1f0ff9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -72,3 +72,8 @@ jbd2-fix-wrongly-judgement-for-buffer-head-removing-.patch x86-drop-bogus-cc-clobber-from-__try_cmpxchg_user_asm.patch erofs-fix-lz4-inplace-decompression.patch ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch +s390-cio-fix-invalid-ebusy-on-ccw_device_start.patch +dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch +kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch +kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch +gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch