From 5c70f75d84822a14cccbed8038dd2c31bf5ead78 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 17 May 2021 10:26:46 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
	kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
---
 ...-pvclock_gtod_work-on-module-removal.patch | 44 +++++++++++++++++++
 queue-4.4/series                              |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 queue-4.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch

diff --git a/queue-4.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch b/queue-4.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
new file mode 100644
index 00000000000..7ed8559375a
--- /dev/null
+++ b/queue-4.4/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
@@ -0,0 +1,44 @@
+From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 5 May 2021 23:48:17 +0200
+Subject: KVM: x86: Cancel pvclock_gtod_work on module removal
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 594b27e677b35f9734b1969d175ebc6146741109 upstream.
+
+Nothing prevents the following:
+
+  pvclock_gtod_notify()
+    queue_work(system_long_wq, &pvclock_gtod_work);
+  ...
+  remove_module(kvm);
+  ...
+  work_queue_run()
+    pvclock_gtod_work()	<- UAF
+
+Ditto for any other operation on that workqueue list head which touches
+pvclock_gtod_work after module removal.
+
+Cancel the work in kvm_arch_exit() to prevent that.
+
+Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6016,6 +6016,7 @@ void kvm_arch_exit(void)
+ 	unregister_hotcpu_notifier(&kvmclock_cpu_notifier_block);
+ #ifdef CONFIG_X86_64
+ 	pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier);
++	cancel_work_sync(&pvclock_gtod_work);
+ #endif
+ 	kvm_x86_ops = NULL;
+ 	kvm_mmu_module_exit();
diff --git a/queue-4.4/series b/queue-4.4/series
index 017141e48e5..caa2f6ae80b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -166,3 +166,4 @@ usb-fotg210-hcd-fix-an-error-message.patch
 usb-xhci-increase-timeout-for-hc-halt.patch
 usb-dwc2-fix-gadget-dma-unmap-direction.patch
 usb-core-hub-fix-race-condition-about-trsmrcy-of-resume.patch
+kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
-- 
2.47.3