From: Greg Kroah-Hartman Date: Sun, 15 Jul 2018 11:42:13 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.141~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f879d40180826f401b2f6ad4793baeda40b41c76;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: kvm-vmx-nested-vm-entry-prereqs-for-event-inj.patch loop-add-recursion-validation-to-loop_change_fd.patch loop-remember-whether-sysfs_create_group-was-done.patch netfilter-nf_queue-augment-nfqa_cfg_policy.patch netfilter-x_tables-initialise-match-target-check-parameter-struct.patch pm-hibernate-fix-oops-at-snapshot_write.patch rdma-ucm-mark-ucm-interface-as-broken.patch uprobes-x86-remove-incorrect-warn_on-in-uprobe_init_insn.patch --- diff --git a/queue-4.4/kvm-vmx-nested-vm-entry-prereqs-for-event-inj.patch b/queue-4.4/kvm-vmx-nested-vm-entry-prereqs-for-event-inj.patch new file mode 100644 index 00000000000..f83a9549927 --- /dev/null +++ b/queue-4.4/kvm-vmx-nested-vm-entry-prereqs-for-event-inj.patch 
@@ -0,0 +1,164 @@ +From 0447378a4a793da008451fad50bc0f93e9675ae6 Mon Sep 17 00:00:00 2001 +From: Marc Orr +Date: Wed, 20 Jun 2018 17:21:29 -0700 +Subject: kvm: vmx: Nested VM-entry prereqs for event inj. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Orr + +commit 0447378a4a793da008451fad50bc0f93e9675ae6 upstream. + +This patch extends the checks done prior to a nested VM entry. +Specifically, it extends the check_vmentry_prereqs function with checks +for fields relevant to the VM-entry event injection information, as +described in the Intel SDM, volume 3. + +This patch is motivated by a syzkaller bug, where a bad VM-entry +interruption information field is generated in the VMCS02, which causes +the nested VM launch to fail. Then, KVM fails to resume L1. + +While KVM should be improved to correctly resume L1 execution after a +failed nested launch, this change is justified because the existing code +to resume L1 is flaky/ad-hoc and the test coverage for resuming L1 is +sparse. + +Reported-by: syzbot +Signed-off-by: Marc Orr +[Removed comment whose parts were describing previous revisions and the + rest was obvious from function/variable naming. 
- Radim] +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/vmx.h | 3 ++ + arch/x86/kvm/vmx.c | 67 +++++++++++++++++++++++++++++++++++++++++++++ + arch/x86/kvm/x86.h | 9 ++++++ + 3 files changed, 79 insertions(+) + +--- a/arch/x86/include/asm/vmx.h ++++ b/arch/x86/include/asm/vmx.h +@@ -110,6 +110,7 @@ + #define VMX_MISC_PREEMPTION_TIMER_RATE_MASK 0x0000001f + #define VMX_MISC_SAVE_EFER_LMA 0x00000020 + #define VMX_MISC_ACTIVITY_HLT 0x00000040 ++#define VMX_MISC_ZERO_LEN_INS 0x40000000 + + /* VMCS Encodings */ + enum vmcs_field { +@@ -307,11 +308,13 @@ enum vmcs_field { + #define VECTORING_INFO_VALID_MASK INTR_INFO_VALID_MASK + + #define INTR_TYPE_EXT_INTR (0 << 8) /* external interrupt */ ++#define INTR_TYPE_RESERVED (1 << 8) /* reserved */ + #define INTR_TYPE_NMI_INTR (2 << 8) /* NMI */ + #define INTR_TYPE_HARD_EXCEPTION (3 << 8) /* processor exception */ + #define INTR_TYPE_SOFT_INTR (4 << 8) /* software interrupt */ + #define INTR_TYPE_PRIV_SW_EXCEPTION (5 << 8) /* ICE breakpoint - undocumented */ + #define INTR_TYPE_SOFT_EXCEPTION (6 << 8) /* software exception */ ++#define INTR_TYPE_OTHER_EVENT (7 << 8) /* other event */ + + /* GUEST_INTERRUPTIBILITY_INFO flags. 
*/ + #define GUEST_INTR_STATE_STI 0x00000001 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1212,6 +1212,17 @@ static inline bool report_flexpriority(v + return flexpriority_enabled; + } + ++static inline bool nested_cpu_has_zero_length_injection(struct kvm_vcpu *vcpu) ++{ ++ return to_vmx(vcpu)->nested.msrs.misc_low & VMX_MISC_ZERO_LEN_INS; ++} ++ ++static inline bool nested_cpu_supports_monitor_trap_flag(struct kvm_vcpu *vcpu) ++{ ++ return to_vmx(vcpu)->nested.msrs.procbased_ctls_high & ++ CPU_BASED_MONITOR_TRAP_FLAG; ++} ++ + static inline bool nested_cpu_has(struct vmcs12 *vmcs12, u32 bit) + { + return vmcs12->cpu_based_vm_exec_control & bit; +@@ -10997,6 +11008,62 @@ static int __init vmx_init(void) + crash_vmclear_local_loaded_vmcss); + #endif + ++ /* ++ * From the Intel SDM, volume 3: ++ * Fields relevant to VM-entry event injection must be set properly. ++ * These fields are the VM-entry interruption-information field, the ++ * VM-entry exception error code, and the VM-entry instruction length. 
++ */ ++ if (vmcs12->vm_entry_intr_info_field & INTR_INFO_VALID_MASK) { ++ u32 intr_info = vmcs12->vm_entry_intr_info_field; ++ u8 vector = intr_info & INTR_INFO_VECTOR_MASK; ++ u32 intr_type = intr_info & INTR_INFO_INTR_TYPE_MASK; ++ bool has_error_code = intr_info & INTR_INFO_DELIVER_CODE_MASK; ++ bool should_have_error_code; ++ bool urg = nested_cpu_has2(vmcs12, ++ SECONDARY_EXEC_UNRESTRICTED_GUEST); ++ bool prot_mode = !urg || vmcs12->guest_cr0 & X86_CR0_PE; ++ ++ /* VM-entry interruption-info field: interruption type */ ++ if (intr_type == INTR_TYPE_RESERVED || ++ (intr_type == INTR_TYPE_OTHER_EVENT && ++ !nested_cpu_supports_monitor_trap_flag(vcpu))) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ ++ /* VM-entry interruption-info field: vector */ ++ if ((intr_type == INTR_TYPE_NMI_INTR && vector != NMI_VECTOR) || ++ (intr_type == INTR_TYPE_HARD_EXCEPTION && vector > 31) || ++ (intr_type == INTR_TYPE_OTHER_EVENT && vector != 0)) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ ++ /* VM-entry interruption-info field: deliver error code */ ++ should_have_error_code = ++ intr_type == INTR_TYPE_HARD_EXCEPTION && prot_mode && ++ x86_exception_has_error_code(vector); ++ if (has_error_code != should_have_error_code) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ ++ /* VM-entry exception error code */ ++ if (has_error_code && ++ vmcs12->vm_entry_exception_error_code & GENMASK(31, 15)) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ ++ /* VM-entry interruption-info field: reserved bits */ ++ if (intr_info & INTR_INFO_RESVD_BITS_MASK) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ ++ /* VM-entry instruction length */ ++ switch (intr_type) { ++ case INTR_TYPE_SOFT_EXCEPTION: ++ case INTR_TYPE_SOFT_INTR: ++ case INTR_TYPE_PRIV_SW_EXCEPTION: ++ if ((vmcs12->vm_entry_instruction_len > 15) || ++ (vmcs12->vm_entry_instruction_len == 0 && ++ !nested_cpu_has_zero_length_injection(vcpu))) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ } ++ } ++ + return 0; + } + +--- 
a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -59,6 +59,15 @@ static inline bool is_64_bit_mode(struct + return cs_l; + } + ++static inline bool x86_exception_has_error_code(unsigned int vector) ++{ ++ static u32 exception_has_error_code = BIT(DF_VECTOR) | BIT(TS_VECTOR) | ++ BIT(NP_VECTOR) | BIT(SS_VECTOR) | BIT(GP_VECTOR) | ++ BIT(PF_VECTOR) | BIT(AC_VECTOR); ++ ++ return (1U << vector) & exception_has_error_code; ++} ++ + static inline bool mmu_is_nested(struct kvm_vcpu *vcpu) + { + return vcpu->arch.walk_mmu == &vcpu->arch.nested_mmu; diff --git a/queue-4.4/loop-add-recursion-validation-to-loop_change_fd.patch b/queue-4.4/loop-add-recursion-validation-to-loop_change_fd.patch new file mode 100644 index 00000000000..03df778062e --- /dev/null +++ b/queue-4.4/loop-add-recursion-validation-to-loop_change_fd.patch 
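Review bot: `x86_exception_has_error_code()` in the x86.h hunk evaluates `(1U << vector)` with no range check, so any caller passing `vector >= 32` is undefined behaviour; the one caller in this patch is safe only because the `INTR_TYPE_HARD_EXCEPTION` short-circuit and the earlier `vector > 31` rejection guard it, which a later caller of a header-exported helper will not know about. I'd add `if (vector >= 32) return false;` before the shift, or at least a comment stating the precondition. Separately, the vmx.c hunk reads `to_vmx(vcpu)->nested.msrs.misc_low` and `.procbased_ctls_high`, which is the newer `struct nested_vmx_msrs` naming; I cannot see the 4.4 tree from here, so whether 4.4's `struct nested_vmx` actually has those fields (rather than `nested_vmx_misc_low`-style names) should be confirmed with a build before this is queued. The `@@` context line names `vmx_init`, but the new checks sit inside whichever function ends with `return 0;` there, and that function starts outside the hunk.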
@@ -0,0 +1,143 @@ +From d2ac838e4cd7e5e9891ecc094d626734b0245c99 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 7 May 2018 11:37:58 -0400 +Subject: loop: add recursion validation to LOOP_CHANGE_FD + +From: Theodore Ts'o + +commit d2ac838e4cd7e5e9891ecc094d626734b0245c99 upstream. + +Refactor the validation code used in LOOP_SET_FD so it is also used in +LOOP_CHANGE_FD. Otherwise it is possible to construct a set of loop +devices that all refer to each other. This can lead to a infinite +loop in starting with "while (is_loop_device(f)) .." in loop_set_fd(). + +Fix this by refactoring out the validation code and using it for +LOOP_CHANGE_FD as well as LOOP_SET_FD. + +Reported-by: syzbot+4349872271ece473a7c91190b68b4bac7c5dbc87@syzkaller.appspotmail.com +Reported-by: syzbot+40bd32c4d9a3cc12a339@syzkaller.appspotmail.com +Reported-by: syzbot+769c54e66f994b041be7@syzkaller.appspotmail.com +Reported-by: syzbot+0a89a9ce473936c57065@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 68 ++++++++++++++++++++++++++++----------------------- + 1 file changed, 38 insertions(+), 30 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -651,6 +651,36 @@ static void loop_reread_partitions(struc + __func__, lo->lo_number, lo->lo_file_name, rc); + } + ++static inline int is_loop_device(struct file *file) ++{ ++ struct inode *i = file->f_mapping->host; ++ ++ return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR; ++} ++ ++static int loop_validate_file(struct file *file, struct block_device *bdev) ++{ ++ struct inode *inode = file->f_mapping->host; ++ struct file *f = file; ++ ++ /* Avoid recursion */ ++ while (is_loop_device(f)) { ++ struct loop_device *l; ++ ++ if (f->f_mapping->host->i_bdev == bdev) ++ return -EBADF; ++ ++ l = f->f_mapping->host->i_bdev->bd_disk->private_data; ++ if (l->lo_state == Lo_unbound) { ++ return -EINVAL; ++ } ++ f = 
l->lo_backing_file; ++ } ++ if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode)) ++ return -EINVAL; ++ return 0; ++} ++ + /* + * loop_change_fd switched the backing store of a loopback device to + * a new file. This is useful for operating system installers to free up +@@ -680,14 +710,15 @@ static int loop_change_fd(struct loop_de + if (!file) + goto out; + ++ error = loop_validate_file(file, bdev); ++ if (error) ++ goto out_putf; ++ + inode = file->f_mapping->host; + old_file = lo->lo_backing_file; + + error = -EINVAL; + +- if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode)) +- goto out_putf; +- + /* size of the new backing store needs to be the same */ + if (get_loop_size(lo, file) != get_loop_size(lo, old_file)) + goto out_putf; +@@ -708,13 +739,6 @@ static int loop_change_fd(struct loop_de + return error; + } + +-static inline int is_loop_device(struct file *file) +-{ +- struct inode *i = file->f_mapping->host; +- +- return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR; +-} +- + /* loop sysfs attributes */ + + static ssize_t loop_attr_show(struct device *dev, char *page, +@@ -872,7 +896,7 @@ static int loop_prepare_queue(struct loo + static int loop_set_fd(struct loop_device *lo, fmode_t mode, + struct block_device *bdev, unsigned int arg) + { +- struct file *file, *f; ++ struct file *file; + struct inode *inode; + struct address_space *mapping; + unsigned lo_blocksize; +@@ -892,29 +916,13 @@ static int loop_set_fd(struct loop_devic + if (lo->lo_state != Lo_unbound) + goto out_putf; + +- /* Avoid recursion */ +- f = file; +- while (is_loop_device(f)) { +- struct loop_device *l; +- +- if (f->f_mapping->host->i_bdev == bdev) +- goto out_putf; +- +- l = f->f_mapping->host->i_bdev->bd_disk->private_data; +- if (l->lo_state == Lo_unbound) { +- error = -EINVAL; +- goto out_putf; +- } +- f = l->lo_backing_file; +- } ++ error = loop_validate_file(file, bdev); ++ if (error) ++ goto out_putf; + + mapping = file->f_mapping; + inode = mapping->host; + +- 
error = -EINVAL; +- if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode)) +- goto out_putf; +- + if (!(file->f_mode & FMODE_WRITE) || !(mode & FMODE_WRITE) || + !file->f_op->write_iter) + lo_flags |= LO_FLAGS_READ_ONLY; diff --git a/queue-4.4/loop-remember-whether-sysfs_create_group-was-done.patch b/queue-4.4/loop-remember-whether-sysfs_create_group-was-done.patch new file mode 100644 index 00000000000..f9e489ee693 --- /dev/null +++ b/queue-4.4/loop-remember-whether-sysfs_create_group-was-done.patch 
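Review bot: `loop_validate_file()` dereferences `l->lo_state` and `l->lo_backing_file` of every other loop device in the backing chain, but the hunk takes no lock on those devices; if `loop_change_fd()` / `loop_set_fd()` hold only their own device's lock (the hunk does not show what they hold), a concurrent LOOP_CLR_FD on a device in the chain can release the `lo_backing_file` being walked, and two concurrent binds (A→B and B→A) can each pass validation before the other commits, recreating the cycle this is meant to prevent. Validation has to be serialised with the bind itself, which presumably needs a lock shared across all loop devices rather than a per-device one. Short of that, a comment on the helper making the assumption explicit, `/* caller must hold whatever lock serialises loop binds across devices */`, would at least stop the next reader from treating the walk as self-contained.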
@@ -0,0 +1,65 @@ +From d3349b6b3c373ac1fbfb040b810fcee5e2adc7e0 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 4 May 2018 10:58:09 -0600 +Subject: loop: remember whether sysfs_create_group() was done + +From: Tetsuo Handa + +commit d3349b6b3c373ac1fbfb040b810fcee5e2adc7e0 upstream. + +syzbot is hitting WARN() triggered by memory allocation fault +injection [1] because loop module is calling sysfs_remove_group() +when sysfs_create_group() failed. +Fix this by remembering whether sysfs_create_group() succeeded. + +[1] https://syzkaller.appspot.com/bug?id=3f86c0edf75c86d2633aeb9dd69eccc70bc7e90b + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Greg Kroah-Hartman + +Renamed sysfs_ready -> sysfs_inited. + +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 11 ++++++----- + drivers/block/loop.h | 1 + + 2 files changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -835,16 +835,17 @@ static struct attribute_group loop_attri + .attrs= loop_attrs, + }; + +-static int loop_sysfs_init(struct loop_device *lo) ++static void loop_sysfs_init(struct loop_device *lo) + { +- return sysfs_create_group(&disk_to_dev(lo->lo_disk)->kobj, +- &loop_attribute_group); ++ lo->sysfs_inited = !sysfs_create_group(&disk_to_dev(lo->lo_disk)->kobj, ++ &loop_attribute_group); + } + + static void loop_sysfs_exit(struct loop_device *lo) + { +- sysfs_remove_group(&disk_to_dev(lo->lo_disk)->kobj, +- &loop_attribute_group); ++ if (lo->sysfs_inited) ++ sysfs_remove_group(&disk_to_dev(lo->lo_disk)->kobj, ++ &loop_attribute_group); + } + + static void loop_config_discard(struct loop_device *lo) +--- a/drivers/block/loop.h ++++ b/drivers/block/loop.h +@@ -59,6 +59,7 @@ struct loop_device { + struct kthread_worker worker; + struct task_struct *worker_task; + bool use_dio; ++ bool sysfs_inited; + + struct request_queue *lo_queue; + struct blk_mq_tag_set tag_set; 
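Review bot: `loop_sysfs_exit()` tests `lo->sysfs_inited` but never clears it, so the guard only protects against a failed create, not against the exit path running twice; clearing the flag after removal, `lo->sysfs_inited = false;`, makes the exit idempotent at no cost. The new `bool sysfs_inited` also relies on `struct loop_device` being zero-allocated so the flag reads false before `loop_sysfs_init()` ever runs — presumably true, but the allocation site is outside this hunk.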
diff --git a/queue-4.4/netfilter-nf_queue-augment-nfqa_cfg_policy.patch b/queue-4.4/netfilter-nf_queue-augment-nfqa_cfg_policy.patch new file mode 100644 index 00000000000..519d0579f4d --- /dev/null +++ b/queue-4.4/netfilter-nf_queue-augment-nfqa_cfg_policy.patch 
@@ -0,0 +1,94 @@ +From ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 13 Jun 2018 09:13:39 -0700 +Subject: netfilter: nf_queue: augment nfqa_cfg_policy + +From: Eric Dumazet + +commit ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc upstream. + +Three attributes are currently not verified, thus can trigger KMSAN +warnings such as : + +BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline] +BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline] +BUG: KMSAN: uninit-value in nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268 +CPU: 1 PID: 4521 Comm: syz-executor120 Not tainted 4.17.0+ #5 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117 + __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620 + __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline] + __fswab32 include/uapi/linux/swab.h:59 [inline] + nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268 + nfnetlink_rcv_msg+0xb2e/0xc80 net/netfilter/nfnetlink.c:212 + netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448 + nfnetlink_rcv+0x2fe/0x680 net/netfilter/nfnetlink.c:513 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg net/socket.c:639 [inline] + ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117 + __sys_sendmsg net/socket.c:2155 [inline] + __do_sys_sendmsg net/socket.c:2164 [inline] + __se_sys_sendmsg net/socket.c:2162 [inline] + __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 + do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x43fd59 +RSP: 
002b:00007ffde0e30d28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59 +RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401680 +R13: 0000000000401710 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 + kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2753 [inline] + __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:988 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] + netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg net/socket.c:639 [inline] + ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117 + __sys_sendmsg net/socket.c:2155 [inline] + __do_sys_sendmsg net/socket.c:2164 [inline] + __se_sys_sendmsg net/socket.c:2162 [inline] + __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 + do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: fdb694a01f1f ("netfilter: Add fail-open support") +Fixes: 829e17a1a602 ("[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_queue.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1106,6 +1106,9 @@ nfqnl_recv_unsupp(struct sock *ctnl, str + 
static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = { + [NFQA_CFG_CMD] = { .len = sizeof(struct nfqnl_msg_config_cmd) }, + [NFQA_CFG_PARAMS] = { .len = sizeof(struct nfqnl_msg_config_params) }, ++ [NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 }, ++ [NFQA_CFG_MASK] = { .type = NLA_U32 }, ++ [NFQA_CFG_FLAGS] = { .type = NLA_U32 }, + }; + + static const struct nf_queue_handler nfqh = { diff --git a/queue-4.4/netfilter-x_tables-initialise-match-target-check-parameter-struct.patch b/queue-4.4/netfilter-x_tables-initialise-match-target-check-parameter-struct.patch new file mode 100644 index 00000000000..7a9f2c224df --- /dev/null +++ b/queue-4.4/netfilter-x_tables-initialise-match-target-check-parameter-struct.patch 
@@ -0,0 +1,70 @@ +From c568503ef02030f169c9e19204def610a3510918 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 7 Jun 2018 21:34:43 +0200 +Subject: netfilter: x_tables: initialise match/target check parameter struct + +From: Florian Westphal + +commit c568503ef02030f169c9e19204def610a3510918 upstream. + +syzbot reports following splat: + +BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450 + net/bridge/netfilter/ebt_stp.c:162 + ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162 + xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506 + ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline] + ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline] + +The uninitialised access is + xt_mtchk_param->nft_compat + +... which should be set to 0. +Fix it by zeroing the struct beforehand, same for tgchk. + +ip(6)tables targetinfo uses c99-style initialiser, so no change +needed there. + +Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com +Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/ebtables.c | 2 ++ + net/ipv4/netfilter/ip_tables.c | 1 + + net/ipv6/netfilter/ip6_tables.c | 1 + + 3 files changed, 4 insertions(+) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -701,6 +701,8 @@ ebt_check_entry(struct ebt_entry *e, str + } + i = 0; + ++ memset(&mtpar, 0, sizeof(mtpar)); ++ memset(&tgpar, 0, sizeof(tgpar)); + mtpar.net = tgpar.net = net; + mtpar.table = tgpar.table = name; + mtpar.entryinfo = tgpar.entryinfo = e; +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -663,6 +663,7 @@ find_check_entry(struct ipt_entry *e, st + return -ENOMEM; + + j = 0; ++ memset(&mtpar, 0, sizeof(mtpar)); + mtpar.net = net; + mtpar.table = name; + mtpar.entryinfo = &e->ip; +--- 
a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -676,6 +676,7 @@ find_check_entry(struct ip6t_entry *e, s + return -ENOMEM; + + j = 0; ++ memset(&mtpar, 0, sizeof(mtpar)); + mtpar.net = net; + mtpar.table = name; + mtpar.entryinfo = &e->ipv6; diff --git a/queue-4.4/pm-hibernate-fix-oops-at-snapshot_write.patch b/queue-4.4/pm-hibernate-fix-oops-at-snapshot_write.patch new file mode 100644 index 00000000000..24c9c60c93d --- /dev/null +++ b/queue-4.4/pm-hibernate-fix-oops-at-snapshot_write.patch @@ -0,0 +1,38 @@ +From fc14eebfc20854a38fd9f1d93a42b1783dad4d17 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 26 May 2018 09:59:36 +0900 +Subject: PM / hibernate: Fix oops at snapshot_write() + +From: Tetsuo Handa + +commit fc14eebfc20854a38fd9f1d93a42b1783dad4d17 upstream. + +syzbot is reporting NULL pointer dereference at snapshot_write() [1]. +This is because data->handle is zero-cleared by ioctl(SNAPSHOT_FREE). +Fix this by checking data_of(data->handle) != NULL before using it. + +[1] https://syzkaller.appspot.com/bug?id=828a3c71bd344a6de8b6a31233d51a72099f27fd + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/power/user.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -184,6 +184,11 @@ static ssize_t snapshot_write(struct fil + res = PAGE_SIZE - pg_offp; + } + ++ if (!data_of(data->handle)) { ++ res = -EINVAL; ++ goto unlock; ++ } ++ + res = simple_write_to_buffer(data_of(data->handle), res, &pg_offp, + buf, count); + if (res > 0) diff --git a/queue-4.4/rdma-ucm-mark-ucm-interface-as-broken.patch b/queue-4.4/rdma-ucm-mark-ucm-interface-as-broken.patch new file mode 100644 index 00000000000..feefe5efb9b --- /dev/null +++ b/queue-4.4/rdma-ucm-mark-ucm-interface-as-broken.patch 
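Review bot: the new `data_of(data->handle)` NULL check in `snapshot_write()` covers only the write path; if `snapshot_read()` in the same file has the matching partial-page (`pg_offp != 0`) path that hands `data_of(data->handle)` to `simple_read_from_buffer()` without first calling `snapshot_read_next()`, a read after SNAPSHOT_FREE reaches the same zeroed handle and needs the same guard — worth confirming. The check is placed after the `snapshot_write_next()` branch, so it also catches the `pg_offp == 0` case; a one-line comment on why the buffer can be NULL here, `/* handle is zeroed by SNAPSHOT_FREE; nothing to write into */`, would help the next reader. `snapshot_write()` starts outside the hunk.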
@@ -0,0 +1,66 @@ +From 7a8690ed6f5346f6738971892205e91d39b6b901 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 23 May 2018 08:22:11 +0300 +Subject: RDMA/ucm: Mark UCM interface as BROKEN + +From: Leon Romanovsky + +commit 7a8690ed6f5346f6738971892205e91d39b6b901 upstream. + +In commit 357d23c811a7 ("Remove the obsolete libibcm library") +in rdma-core [1], we removed obsolete library which used the +/dev/infiniband/ucmX interface. + +Following multiple syzkaller reports about non-sanitized +user input in the UCMA module, the short audit reveals the same +issues in UCM module too. + +It is better to disable this interface in the kernel, +before syzkaller team invests time and energy to harden +this unused interface. + +[1] https://github.com/linux-rdma/rdma-core/pull/279 + +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/Kconfig | 12 ++++++++++++ + drivers/infiniband/core/Makefile | 4 ++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/Kconfig ++++ b/drivers/infiniband/Kconfig +@@ -33,6 +33,18 @@ config INFINIBAND_USER_ACCESS + libibverbs, libibcm and a hardware driver library from + . + ++config INFINIBAND_USER_ACCESS_UCM ++ bool "Userspace CM (UCM, DEPRECATED)" ++ depends on BROKEN ++ depends on INFINIBAND_USER_ACCESS ++ help ++ The UCM module has known security flaws, which no one is ++ interested to fix. The user-space part of this code was ++ dropped from the upstream a long time ago. ++ ++ This option is DEPRECATED and planned to be removed. 
++ ++ + config INFINIBAND_USER_MEM + bool + depends on INFINIBAND_USER_ACCESS != n +--- a/drivers/infiniband/core/Makefile ++++ b/drivers/infiniband/core/Makefile +@@ -5,8 +5,8 @@ obj-$(CONFIG_INFINIBAND) += ib_core.o i + ib_cm.o iw_cm.o ib_addr.o \ + $(infiniband-y) + obj-$(CONFIG_INFINIBAND_USER_MAD) += ib_umad.o +-obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o ib_ucm.o \ +- $(user_access-y) ++obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o $(user_access-y) ++obj-$(CONFIG_INFINIBAND_USER_ACCESS_UCM) += ib_ucm.o $(user_access-y) + + ib_core-y := packer.o ud_header.o verbs.o sysfs.o \ + device.o fmr_pool.o cache.o netlink.o \ diff --git a/queue-4.4/series b/queue-4.4/series index 03feb8f79ce..83172009f83 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -34,3 +34,11 @@ x86-cpufeature-x86-mm-pkeys-fix-broken-compile-time-disabling-of-pkeys.patch x86-cpufeature-update-cpufeaure-macros.patch x86-cpufeature-make-sure-disabled-required-macros-are-updated.patch x86-cpufeature-add-helper-macro-for-mask-check-macros.patch +uprobes-x86-remove-incorrect-warn_on-in-uprobe_init_insn.patch +netfilter-nf_queue-augment-nfqa_cfg_policy.patch +netfilter-x_tables-initialise-match-target-check-parameter-struct.patch +loop-add-recursion-validation-to-loop_change_fd.patch +pm-hibernate-fix-oops-at-snapshot_write.patch +rdma-ucm-mark-ucm-interface-as-broken.patch +loop-remember-whether-sysfs_create_group-was-done.patch +kvm-vmx-nested-vm-entry-prereqs-for-event-inj.patch diff --git a/queue-4.4/uprobes-x86-remove-incorrect-warn_on-in-uprobe_init_insn.patch b/queue-4.4/uprobes-x86-remove-incorrect-warn_on-in-uprobe_init_insn.patch new file mode 100644 index 00000000000..c1d752be18c --- /dev/null +++ b/queue-4.4/uprobes-x86-remove-incorrect-warn_on-in-uprobe_init_insn.patch 
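Review bot: the Makefile hunk appends `$(user_access-y)` to both `obj-$(CONFIG_INFINIBAND_USER_ACCESS)` and the new `obj-$(CONFIG_INFINIBAND_USER_ACCESS_UCM)`, so if the UCM symbol is ever enabled the same objects are listed twice; today `depends on BROKEN` makes that unreachable, but the second line should still be just `obj-$(CONFIG_INFINIBAND_USER_ACCESS_UCM) += ib_ucm.o`. Since this mirrors the upstream commit, the cleanup belongs upstream first so stable does not diverge. For the 4.4 backport it is also worth saying in the description that existing configs with INFINIBAND_USER_ACCESS enabled silently stop building ib_ucm and `/dev/infiniband/ucmX` disappears — that is the intended hardening, but distributions tracking 4.4 should not discover it from a missing device node.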
@@ -0,0 +1,39 @@ +From 90718e32e1dcc2479acfa208ccfc6442850b594c Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 18 May 2018 18:27:39 +0200 +Subject: uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn() + +From: Oleg Nesterov + +commit 90718e32e1dcc2479acfa208ccfc6442850b594c upstream. + +insn_get_length() has the side-effect of processing the entire instruction +but only if it was decoded successfully, otherwise insn_complete() can fail +and in this case we need to just return an error without warning. + +Reported-by: syzbot+30d675e3ca03c1c351e7@syzkaller.appspotmail.com +Signed-off-by: Oleg Nesterov +Reviewed-by: Masami Hiramatsu +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: syzkaller-bugs@googlegroups.com +Link: https://lkml.kernel.org/lkml/20180518162739.GA5559@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/uprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -290,7 +290,7 @@ static int uprobe_init_insn(struct arch_ + insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64); + /* has the side-effect of processing the entire instruction */ + insn_get_length(insn); +- if (WARN_ON_ONCE(!insn_complete(insn))) ++ if (!insn_complete(insn)) + return -ENOEXEC; + + if (is_prefix_bad(insn))
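Review bot: the `WARN_ON_ONCE` being removed was reachable from unprivileged user input (syzbot hit it), so on a `panic_on_warn` kernel it was a user-triggerable crash; the hunk drops the warning but leaves nothing explaining why an incomplete decode is an expected failure rather than a kernel bug, so the WARN is easy to reintroduce. I'd extend the existing comment above the call: `/* processes the entire instruction; undecodable user text is a normal -ENOEXEC, not a bug */`. `uprobe_init_insn()` starts outside the hunk.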