From d9789553c663eeb28e3a272d29caaa67d0403413 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 13 Jun 2024 09:21:16 +0200
Subject: [PATCH] 5.15-stable patches
added patches:
crypto-ecdsa-fix-module-auto-load-on-add-key.patch
crypto-ecrdsa-fix-module-auto-load-on-add_key.patch
crypto-qat-fix-adf_dev_reset_sync-memory-leak.patch
kvm-arm64-allow-aarch32-pstate.m-to-be-restored-as-system-mode.patch
kvm-arm64-fix-aarch32-register-narrowing-on-userspace-write.patch
---
...cdsa-fix-module-auto-load-on-add-key.patch | 56 +++++++++++++++
...rdsa-fix-module-auto-load-on-add_key.patch | 64 +++++++++++++++++
...t-fix-adf_dev_reset_sync-memory-leak.patch | 71 +++++++++++++++++++
...tate.m-to-be-restored-as-system-mode.patch | 34 +++++++++
...egister-narrowing-on-userspace-write.patch | 49 +++++++++++++
queue-5.15/series | 5 ++
6 files changed, 279 insertions(+)
create mode 100644 queue-5.15/crypto-ecdsa-fix-module-auto-load-on-add-key.patch
create mode 100644 queue-5.15/crypto-ecrdsa-fix-module-auto-load-on-add_key.patch
create mode 100644 queue-5.15/crypto-qat-fix-adf_dev_reset_sync-memory-leak.patch
create mode 100644 queue-5.15/kvm-arm64-allow-aarch32-pstate.m-to-be-restored-as-system-mode.patch
create mode 100644 queue-5.15/kvm-arm64-fix-aarch32-register-narrowing-on-userspace-write.patch
diff --git a/queue-5.15/crypto-ecdsa-fix-module-auto-load-on-add-key.patch b/queue-5.15/crypto-ecdsa-fix-module-auto-load-on-add-key.patch
new file mode 100644
index 00000000000..557a7d797c5
--- /dev/null
+++ b/queue-5.15/crypto-ecdsa-fix-module-auto-load-on-add-key.patch
@@ -0,0 +1,56 @@
+From 48e4fd6d54f54d0ceab5a952d73e47a9454a6ccb Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Thu, 21 Mar 2024 10:44:33 -0400
+Subject: crypto: ecdsa - Fix module auto-load on add-key
+
+From: Stefan Berger
+
+commit 48e4fd6d54f54d0ceab5a952d73e47a9454a6ccb upstream.
+
+Add module alias with the algorithm cra_name similar to what we have for
+RSA-related and other algorithms.
+
+The kernel attempts to modprobe asymmetric algorithms using the names
+"crypto-$cra_name" and "crypto-$cra_name-all." However, since these
+aliases are currently missing, the modules are not loaded. For instance,
+when using the `add_key` function, the hash algorithm is typically
+loaded automatically, but the asymmetric algorithm is not.
+
+Steps to test:
+
+1. Create certificate
+
+ openssl req -x509 -sha256 -newkey ec \
+ -pkeyopt "ec_paramgen_curve:secp384r1" -keyout key.pem -days 365 \
+ -subj '/CN=test' -nodes -outform der -out nist-p384.der
+
+2. Optionally, trace module requests with: trace-cmd stream -e module &
+
+3. Trigger add_key call for the cert:
+
+ # keyctl padd asymmetric "" @u < nist-p384.der
+ 641069229
+ # lsmod | head -2
+ Module Size Used by
+ ecdsa_generic 16384 0
+
+Fixes: c12d448ba939 ("crypto: ecdsa - Register NIST P384 and extend test suite")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Berger
+Reviewed-by: Vitaly Chikunov
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/ecdsa.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/ecdsa.c
++++ b/crypto/ecdsa.c
+@@ -373,4 +373,7 @@ module_exit(ecdsa_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Stefan Berger ");
+ MODULE_DESCRIPTION("ECDSA generic algorithm");
++MODULE_ALIAS_CRYPTO("ecdsa-nist-p192");
++MODULE_ALIAS_CRYPTO("ecdsa-nist-p256");
++MODULE_ALIAS_CRYPTO("ecdsa-nist-p384");
+ MODULE_ALIAS_CRYPTO("ecdsa-generic");
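Review bot: The three alias strings added before `MODULE_ALIAS_CRYPTO("ecdsa-generic")` duplicate the cra_name values the algorithms are registered with earlier in crypto/ecdsa.c, outside this hunk, and nothing ties the two lists together, so a future curve addition that forgets its alias reproduces exactly this bug silently (request_module finds nothing and add_key just fails). A one-line comment above the block, `/* Keep in sync with the cra_name of every algorithm registered above: the key subsystem autoloads via "crypto-<cra_name>" */`, would point the next maintainer at the coupling. A single MODULE_ALIAS_CRYPTO per name is sufficient, since the macro emits both the `crypto-<name>` and `crypto-<name>-all` aliases the commit message mentions. The same comment applies to the single `MODULE_ALIAS_CRYPTO("ecrdsa")` line in the ecrdsa hunk.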
diff --git a/queue-5.15/crypto-ecrdsa-fix-module-auto-load-on-add_key.patch b/queue-5.15/crypto-ecrdsa-fix-module-auto-load-on-add_key.patch
new file mode 100644
index 00000000000..9a66d175088
--- /dev/null
+++ b/queue-5.15/crypto-ecrdsa-fix-module-auto-load-on-add_key.patch
@@ -0,0 +1,64 @@
+From eb5739a1efbc9ff216271aeea0ebe1c92e5383e5 Mon Sep 17 00:00:00 2001
+From: Vitaly Chikunov
+Date: Mon, 18 Mar 2024 03:42:40 +0300
+Subject: crypto: ecrdsa - Fix module auto-load on add_key
+
+From: Vitaly Chikunov
+
+commit eb5739a1efbc9ff216271aeea0ebe1c92e5383e5 upstream.
+
+Add module alias with the algorithm cra_name similar to what we have for
+RSA-related and other algorithms.
+
+The kernel attempts to modprobe asymmetric algorithms using the names
+"crypto-$cra_name" and "crypto-$cra_name-all." However, since these
+aliases are currently missing, the modules are not loaded. For instance,
+when using the `add_key` function, the hash algorithm is typically
+loaded automatically, but the asymmetric algorithm is not.
+
+Steps to test:
+
+1. Cert is generated usings ima-evm-utils test suite with
+ `gen-keys.sh`, example cert is provided below:
+
+ $ base64 -d >test-gost2012_512-A.cer <
+Cc: stable@vger.kernel.org
+Signed-off-by: Vitaly Chikunov
+Tested-by: Stefan Berger
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/ecrdsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/ecrdsa.c
++++ b/crypto/ecrdsa.c
+@@ -294,4 +294,5 @@ module_exit(ecrdsa_mod_fini);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Vitaly Chikunov ");
+ MODULE_DESCRIPTION("EC-RDSA generic algorithm");
++MODULE_ALIAS_CRYPTO("ecrdsa");
+ MODULE_ALIAS_CRYPTO("ecrdsa-generic");
diff --git a/queue-5.15/crypto-qat-fix-adf_dev_reset_sync-memory-leak.patch b/queue-5.15/crypto-qat-fix-adf_dev_reset_sync-memory-leak.patch
new file mode 100644
index 00000000000..c5abf26fc5c
--- /dev/null
+++ b/queue-5.15/crypto-qat-fix-adf_dev_reset_sync-memory-leak.patch
@@ -0,0 +1,71 @@ +From d3b17c6d9dddc2db3670bc9be628b122416a3d26 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Wed, 8 May 2024 16:39:51 +0800 +Subject: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak + +From: Herbert Xu + +commit d3b17c6d9dddc2db3670bc9be628b122416a3d26 upstream. + +Using completion_done to determine whether the caller has gone +away only works after a complete call. Furthermore it's still +possible that the caller has not yet called wait_for_completion, +resulting in another potential UAF. + +Fix this by making the caller use cancel_work_sync and then freeing +the memory safely. + +Fixes: 7d42e097607c ("crypto: qat - resolve race condition during AER recovery") +Cc: #6.8+ +Signed-off-by: Herbert Xu +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/qat/qat_common/adf_aer.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +--- a/drivers/crypto/qat/qat_common/adf_aer.c ++++ b/drivers/crypto/qat/qat_common/adf_aer.c +@@ -95,8 +95,7 @@ static void adf_device_reset_worker(stru + if (adf_dev_init(accel_dev) || adf_dev_start(accel_dev)) { + /* The device hanged and we can't restart it so stop here */ + dev_err(&GET_DEV(accel_dev), "Restart device failed\n"); +- if (reset_data->mode == ADF_DEV_RESET_ASYNC || +- completion_done(&reset_data->compl)) ++ if (reset_data->mode == ADF_DEV_RESET_ASYNC) + kfree(reset_data); + WARN(1, "QAT: device restart failed. Device is unusable\n"); + return; +@@ -104,16 +103,8 @@ static void adf_device_reset_worker(stru + adf_dev_restarted_notify(accel_dev); + clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status); + +- /* +- * The dev is back alive. Notify the caller if in sync mode +- * +- * If device restart will take a more time than expected, +- * the schedule_reset() function can timeout and exit. This can be +- * detected by calling the completion_done() function. 
In this case
+- the reset_data structure needs to be freed here.
+- */
+- if (reset_data->mode == ADF_DEV_RESET_ASYNC ||
+- completion_done(&reset_data->compl))
++ /* The dev is back alive. Notify the caller if in sync mode */
++ if (reset_data->mode == ADF_DEV_RESET_ASYNC)
+ kfree(reset_data);
+ else
+ complete(&reset_data->compl);
+@@ -148,10 +139,10 @@ static int adf_dev_aer_schedule_reset(st
+ if (!timeout) {
+ dev_err(&GET_DEV(accel_dev),
+ "Reset device timeout expired\n");
++ cancel_work_sync(&reset_data->reset_work);
+ ret = -EFAULT;
+- } else {
+- kfree(reset_data);
+ }
++ kfree(reset_data);
+ return ret;
+ }
+ return 0;
diff --git a/queue-5.15/kvm-arm64-allow-aarch32-pstate.m-to-be-restored-as-system-mode.patch b/queue-5.15/kvm-arm64-allow-aarch32-pstate.m-to-be-restored-as-system-mode.patch
new file mode 100644
index 00000000000..6e8b21db581
--- /dev/null
+++ b/queue-5.15/kvm-arm64-allow-aarch32-pstate.m-to-be-restored-as-system-mode.patch
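Review bot: In the restart-failure branch at the top of the first adf_aer.c hunk (`if (adf_dev_init(accel_dev) || adf_dev_start(accel_dev))`), a sync-mode caller is still never signalled: the new code frees only in the ASYNC case and then hits `WARN(1, ...); return;` without a `complete(&reset_data->compl)`, so after this change adf_dev_aer_schedule_reset sits through the whole wait_for_completion_timeout() before `cancel_work_sync()` and `kfree()` run. That is memory-safe now, but a failed restart and a hung restart are indistinguishable to the caller, and both surface as the pre-existing `ret = -EFAULT`, which is an odd errno for a timeout (`-ETIMEDOUT` would read better). If prompt failure reporting matters, record the outcome in reset_data, complete() on both paths, and have the caller read the result after the wait instead of inferring it from `timeout`. Both adf_device_reset_worker and adf_dev_aer_schedule_reset start outside their hunks, so the earlier parts of those functions are inferred rather than visible.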
@@ -0,0 +1,34 @@
+From dfe6d190f38fc5df5ff2614b463a5195a399c885 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Fri, 24 May 2024 15:19:55 +0100
+Subject: KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
+
+From: Marc Zyngier
+
+commit dfe6d190f38fc5df5ff2614b463a5195a399c885 upstream.
+
+It appears that we don't allow a vcpu to be restored in AArch32
+System mode, as we *never* included it in the list of valid modes.
+
+Just add it to the list of allowed modes.
+
+Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
+Cc: stable@vger.kernel.org
+Acked-by: Oliver Upton
+Link: https://lore.kernel.org/r/20240524141956.1450304-3-maz@kernel.org
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/guest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kvm/guest.c
++++ b/arch/arm64/kvm/guest.c
+@@ -250,6 +250,7 @@ static int set_core_reg(struct kvm_vcpu
+ case PSR_AA32_MODE_SVC:
+ case PSR_AA32_MODE_ABT:
+ case PSR_AA32_MODE_UND:
++ case PSR_AA32_MODE_SYS:
+ if (!vcpu_el1_is_32bit(vcpu))
+ return -EINVAL;
+ break;
diff --git a/queue-5.15/kvm-arm64-fix-aarch32-register-narrowing-on-userspace-write.patch b/queue-5.15/kvm-arm64-fix-aarch32-register-narrowing-on-userspace-write.patch
new file mode 100644
index 00000000000..f42bcf4e70f
--- /dev/null
+++ b/queue-5.15/kvm-arm64-fix-aarch32-register-narrowing-on-userspace-write.patch
@@ -0,0 +1,49 @@
+From 947051e361d551e0590777080ffc4926190f62f2 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Fri, 24 May 2024 15:19:54 +0100
+Subject: KVM: arm64: Fix AArch32 register narrowing on userspace write
+
+From: Marc Zyngier
+
+commit 947051e361d551e0590777080ffc4926190f62f2 upstream.
+
+When userspace writes to one of the core registers, we make
+sure to narrow the corresponding GPRs if PSTATE indicates
+an AArch32 context.
+
+The code tries to check whether the context is EL0 or EL1 so
+that it narrows the correct registers. But it does so by checking
+the full PSTATE instead of PSTATE.M.
+
+As a consequence, and if we are restoring an AArch32 EL0 context
+in a 64bit guest, and that PSTATE has *any* bit set outside of
+PSTATE.M, we narrow *all* registers instead of only the first 15,
+destroying the 64bit state.
+
+Obviously, this is not something the guest is likely to enjoy.
+
+Correctly masking PSTATE to only evaluate PSTATE.M fixes it.
+
+Fixes: 90c1f934ed71 ("KVM: arm64: Get rid of the AArch32 register mapping code")
+Reported-by: Nina Schoetterl-Glausch
+Cc: stable@vger.kernel.org
+Reviewed-by: Nina Schoetterl-Glausch
+Acked-by: Oliver Upton
+Link: https://lore.kernel.org/r/20240524141956.1450304-2-maz@kernel.org
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/guest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/guest.c
++++ b/arch/arm64/kvm/guest.c
+@@ -270,7 +270,7 @@ static int set_core_reg(struct kvm_vcpu
+ if (*vcpu_cpsr(vcpu) & PSR_MODE32_BIT) {
+ int i, nr_reg;
+
+- switch (*vcpu_cpsr(vcpu)) {
++ switch (*vcpu_cpsr(vcpu) & PSR_AA32_MODE_MASK) {
+ /*
+ * Either we are dealing with user mode, and only the
+ * first 15 registers (+ PC) must be narrowed to 32bit.
diff --git a/queue-5.15/series b/queue-5.15/series
index 123533f00b9..02ffff13b7e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
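Review bot: `*vcpu_cpsr(vcpu)` is now read twice in set_core_reg — unmasked for the `& PSR_MODE32_BIT` test two lines above, and masked with `PSR_AA32_MODE_MASK` in the switch — so the one decision "which AArch32 registers to narrow" is spread over two dereferences of the same register; hoisting `unsigned long pstate = *vcpu_cpsr(vcpu);` above the `if` and using it in both places would keep the masking visible in one spot and make the fix read as a single check. The value being switched on arrives from userspace through this core-register write, so the narrowing switch depends on the mode-validation switch earlier in the same function (around line 250, in the companion hunk) having already rejected PSTATE.M values that are not permitted AArch32 modes; that ordering is inferred here, not visible in the hunk. set_core_reg begins and ends outside the hunk.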
@@ -373,3 +373,8 @@ mmc-sdhci-acpi-fix-lenovo-yoga-tablet-2-pro-1380-sdcard-slot-not-working.patch
 mmc-sdhci-acpi-disable-write-protect-detection-on-toshiba-wt10-a.patch
 fbdev-savage-handle-err-return-when-savagefb_check_var-failed.patch
 drm-amdgpu-atomfirmware-add-intergrated-info-v2.3-table.patch
+kvm-arm64-fix-aarch32-register-narrowing-on-userspace-write.patch
+kvm-arm64-allow-aarch32-pstate.m-to-be-restored-as-system-mode.patch
+crypto-ecdsa-fix-module-auto-load-on-add-key.patch
+crypto-ecrdsa-fix-module-auto-load-on-add_key.patch
+crypto-qat-fix-adf_dev_reset_sync-memory-leak.patch
--
2.47.3