From fcc68d3c0f96ca4f798dba21fd4f5234219b4b19 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 24 Oct 2020 11:50:51 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
cifs-remove-bogus-debug-code.patch
cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
kvm-svm-initialize-prev_ga_tag-before-use.patch
kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
---
 queue-4.14/cifs-remove-bogus-debug-code.patch | 72 +++++++++++++++++++
 ...t_message-when-enc-dec-key-not-found.patch | 44 ++++++++++++
 ...vm-initialize-prev_ga_tag-before-use.patch | 62 ++++++++++++++++
 ...invalid-pages-when-recovering-lpages.patch | 39 ++++++++++
 queue-4.14/series | 4 ++
 5 files changed, 221 insertions(+)
 create mode 100644 queue-4.14/cifs-remove-bogus-debug-code.patch
 create mode 100644 queue-4.14/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
 create mode 100644 queue-4.14/kvm-svm-initialize-prev_ga_tag-before-use.patch
 create mode 100644 queue-4.14/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
diff --git a/queue-4.14/cifs-remove-bogus-debug-code.patch b/queue-4.14/cifs-remove-bogus-debug-code.patch
new file mode 100644
index 00000000000..00c3828c45e
--- /dev/null
+++ b/queue-4.14/cifs-remove-bogus-debug-code.patch
@@ -0,0 +1,72 @@
+From d367cb960ce88914898cbfa43645c2e43ede9465 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 16 Sep 2020 23:18:21 +0300
+Subject: cifs: remove bogus debug code
+
+From: Dan Carpenter
+
+commit d367cb960ce88914898cbfa43645c2e43ede9465 upstream.
+
+The "end" pointer is either NULL or it points to the next byte to parse.
+If there isn't a next byte then dereferencing "end" is an off-by-one out
+of bounds error. And, of course, if it's NULL that leads to an Oops.
+Printing "*end" doesn't seem very useful so let's delete this code.
+
+Also for the last debug statement, I noticed that it should be printing
+"sequence_end" instead of "end" so fix that as well.
+
+Reported-by: Dominik Maier
+Signed-off-by: Dan Carpenter
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/asn1.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -541,8 +541,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -552,8 +552,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 1\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -563,8 +563,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_CTX) || (con != ASN1_CON)
+ || (tag != ASN1_EOC)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n",
++ cls, con, tag, end);
+ return 0;
+ }
+
+@@ -575,8 +575,8 @@ decode_negTokenInit(unsigned char *secur
+ return 0;
+ } else if ((cls != ASN1_UNI) || (con != ASN1_CON)
+ || (tag != ASN1_SEQ)) {
+- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n",
+- cls, con, tag, end, *end);
++ cifs_dbg(FYI, "cls = %d con = %d tag = %d sequence_end = %p exit 1\n",
++ cls, con, tag, sequence_end);
+ return 0;
+ }
+
diff --git a/queue-4.14/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch b/queue-4.14/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
new file mode 100644
index 00000000000..0e35df194ef
--- /dev/null
+++ b/queue-4.14/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
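Review bot: The four rewritten cifs_dbg() calls (nested hunks -541, -552, -563 and -575) still print the `end` / `sequence_end` pointer with a bare `%p`, and if I recall correctly the 4.14 branch predates printk pointer hashing, so this FYI-level debug output discloses raw kernel addresses of the buffer being parsed whenever cifsFYI is enabled. If the address is not needed for diagnosis, drop it the way `*end` was dropped, e.g. `cifs_dbg(FYI, "cls = %d con = %d tag = %d exit 0\n", cls, con, tag);`, or print it with `%pK` so kptr_restrict applies. All four sites sit inside decode_negTokenInit(), whose body starts before the first nested hunk and continues after the last, so the origin of `end` and `sequence_end` is inferred rather than visible here. Since the -575 site now reports `sequence_end` while the other three report `end`, a one-line comment at that call saying it checks the inner SEQUENCE bound would stop a reader from taking the asymmetry for a typo.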
@@ -0,0 +1,44 @@
+From 0bd294b55a5de442370c29fa53bab17aef3ff318 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N
+Date: Thu, 15 Oct 2020 10:41:31 -0700
+Subject: cifs: Return the error from crypt_message when enc/dec key not found.
+
+From: Shyam Prasad N
+
+commit 0bd294b55a5de442370c29fa53bab17aef3ff318 upstream.
+
+In crypt_message, when smb2_get_enc_key returns error, we need to
+return the error back to the caller. If not, we end up processing
+the message further, causing a kernel oops due to unwarranted access
+of memory.
+
+Call Trace:
+smb3_receive_transform+0x120/0x870 [cifs]
+cifs_demultiplex_thread+0xb53/0xc20 [cifs]
+? cifs_handle_standard+0x190/0x190 [cifs]
+kthread+0x116/0x130
+? kthread_park+0x80/0x80
+ret_from_fork+0x1f/0x30
+
+Signed-off-by: Shyam Prasad N
+Reviewed-by: Pavel Shilovsky
+Reviewed-by: Ronnie Sahlberg
+CC: Stable
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2305,7 +2305,7 @@ crypt_message(struct TCP_Server_Info *se
+ if (rc) {
+ cifs_dbg(VFS, "%s: Could not get %scryption key\n", __func__,
+ enc ? "en" : "de");
+- return 0;
++ return rc;
+ }
+
+ rc = smb3_crypto_aead_allocate(server);
diff --git a/queue-4.14/kvm-svm-initialize-prev_ga_tag-before-use.patch b/queue-4.14/kvm-svm-initialize-prev_ga_tag-before-use.patch
new file mode 100644
index 00000000000..0e30ade6b00
--- /dev/null
+++ b/queue-4.14/kvm-svm-initialize-prev_ga_tag-before-use.patch
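Review bot: The new `return rc;` is only a complete fix if every caller of crypt_message() treats a non-zero return as "the payload was not touched and must not be parsed"; crypt_message() starts before this hunk and its callers (smb3_receive_transform per the trace) are outside it, so that contract is inferred here rather than shown. A why-comment at the return would pin the invariant for future backports, e.g. `/* No key for this session: payload left untouched, caller must drop the message. */`. Separately, the `cifs_dbg(VFS, ...)` two lines above now fires for every received message whose key lookup fails, and if, as the function name suggests, the lookup is keyed by the session id carried in the transform header, a misbehaving server can make the client emit this VFS-level message at will; a ratelimited log call would be the safer choice on that path.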
@@ -0,0 +1,62 @@
+From f6426ab9c957e97418ac5b0466538792767b1738 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit
+Date: Sat, 3 Oct 2020 23:27:07 +0000
+Subject: KVM: SVM: Initialize prev_ga_tag before use
+
+From: Suravee Suthikulpanit
+
+commit f6426ab9c957e97418ac5b0466538792767b1738 upstream.
+
+The function amd_ir_set_vcpu_affinity makes use of the parameter struct
+amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct
+amd_iommu_pi_data from a list when not running in AVIC mode.
+
+However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero
+uninitialized value can cause unintended code path, which ends up making
+use of the struct vcpu_svm.ir_list and ir_list_lock without being
+initialized (since they are intended only for the AVIC case).
+
+This triggers NULL pointer dereference bug in the function vm_ir_list_del
+with the following call trace:
+
+ svm_update_pi_irte+0x3c2/0x550 [kvm_amd]
+ ? proc_create_single_data+0x41/0x50
+ kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm]
+ __connect+0x5f/0xb0 [irqbypass]
+ irq_bypass_register_producer+0xf8/0x120 [irqbypass]
+ vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci]
+ vfio_msi_set_block+0x77/0xe0 [vfio_pci]
+ vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci]
+ vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci]
+ vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci]
+ ? alloc_file_pseudo+0xa5/0x100
+ vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+ ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
+ __x64_sys_ioctl+0x96/0xd0
+ do_syscall_64+0x37/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Therefore, initialize prev_ga_tag to zero before use. This should be safe
+because ga_tag value 0 is invalid (see function avic_vm_init).
+
+Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()")
+Signed-off-by: Suravee Suthikulpanit
+Message-Id: <20201003232707.4662-1-suravee.suthikulpanit@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -4862,6 +4862,7 @@ static int svm_update_pi_irte(struct kvm
+ * - Tell IOMMU to use legacy mode for this interrupt.
+ * - Retrieve ga_tag of prior interrupt remapping data.
+ */
++ pi.prev_ga_tag = 0;
+ pi.is_guest_mode = false;
+ ret = irq_set_vcpu_affinity(host_irq, &pi);
+
diff --git a/queue-4.14/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch b/queue-4.14/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
new file mode 100644
index 00000000000..a1265c2ae16
--- /dev/null
+++ b/queue-4.14/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
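Review bot: Setting only `pi.prev_ga_tag = 0;` closes the reported path but leaves `pi` a partially initialized stack struct whose fields are assigned one at a time in the branches of svm_update_pi_irte(); the function and the declaration of `pi` are before this hunk, so which other fields stay uninitialized on this branch cannot be confirmed from here. Zero-initializing at the declaration, `struct amd_iommu_pi_data pi = {0};`, removes the whole class of bug instead of one field and also stops uninitialized stack bytes from being handed to the IOMMU driver through irq_set_vcpu_affinity(). If the single-field form is kept to keep the backport minimal, a comment on the new line such as `/* 0 is never a valid ga_tag (see avic_vm_init), so the IOMMU side sees "no prior mapping" */` records why zero is the safe value.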
@@ -0,0 +1,39 @@
+From e89505698c9f70125651060547da4ff5046124fc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Wed, 23 Sep 2020 11:37:28 -0700
+Subject: KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
+
+From: Sean Christopherson
+
+commit e89505698c9f70125651060547da4ff5046124fc upstream.
+
+Call kvm_mmu_commit_zap_page() after exiting the "prepare zap" loop in
+kvm_recover_nx_lpages() to finish zapping pages in the unlikely event
+that the loop exited due to lpage_disallowed_mmu_pages being empty.
+Because the recovery thread drops mmu_lock() when rescheduling, it's
+possible that lpage_disallowed_mmu_pages could be emptied by a different
+thread without to_zap reaching zero despite to_zap being derived from
+the number of disallowed lpages.
+
+Fixes: 1aa9b9572b105 ("kvm: x86: mmu: Recovery of shattered NX large pages")
+Cc: Junaid Shahid
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20200923183735.584-2-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -5846,6 +5846,7 @@ static void kvm_recover_nx_lpages(struct
+ cond_resched_lock(&kvm->mmu_lock);
+ }
+ }
++ kvm_mmu_commit_zap_page(kvm, &invalid_list);
+
+ spin_unlock(&kvm->mmu_lock);
+ srcu_read_unlock(&kvm->srcu, rcu_idx);
diff --git a/queue-4.14/series b/queue-4.14/series
index 4ae905f6549..9001ef4c524 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
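Review bot: The added `kvm_mmu_commit_zap_page(kvm, &invalid_list);` carries no comment, and the reason a commit is needed after the loop as well as inside it lives only in the commit message, which a reader of mmu.c will not have. Suggest a comment above the new line, e.g. `/* The loop can exit with pages prepared but not committed if another thread emptied lpage_disallowed_mmu_pages while mmu_lock was dropped in cond_resched_lock(); flush them now. */`. kvm_recover_nx_lpages() starts before this hunk, so that invalid_list is the list the loop prepares into, and that this call must precede the spin_unlock() two lines below as the API presumably requires, is inferred from the visible ordering rather than shown.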
@@ -13,3 +13,7 @@ net-hdlc_raw_eth-clear-the-iff_tx_skb_sharing-flag-after-calling-ether_setup.pat
 nfc-ensure-presence-of-nfc_attr_firmware_name-attribute-in-nfc_genl_fw_download.patch
 tcp-fix-to-update-snd_wl1-in-bulk-receiver-fast-path.patch
 icmp-randomize-the-global-rate-limiter.patch
+cifs-remove-bogus-debug-code.patch
+cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch
+kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch
+kvm-svm-initialize-prev_ga_tag-before-use.patch
-- 
2.47.3