--- /dev/null
+From 51f625377561e5b167da2db5aafb7ee268f691c5 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
+Date: Thu, 28 Sep 2023 13:24:32 -0400
+Subject: mm/mempolicy: fix set_mempolicy_home_node() previous VMA pointer
+
+From: Liam R. Howlett <Liam.Howlett@oracle.com>
+
+commit 51f625377561e5b167da2db5aafb7ee268f691c5 upstream.
+
+The two users of mbind_range() are expecting that mbind_range() will
+update the pointer to the previous VMA, or return an error. However,
+set_mempolicy_home_node() does not call mbind_range() if there is no VMA
+policy. The fix is to update the pointer to the previous VMA prior to
+continuing iterating the VMAs when there is no policy.
+
+Users may experience a WARN_ON() during VMA policy updates when updating
+a range of VMAs on the home node.
+
+Link: https://lkml.kernel.org/r/20230928172432.2246534-1-Liam.Howlett@oracle.com
+Link: https://lore.kernel.org/linux-mm/CALcu4rbT+fMVNaO_F2izaCT+e7jzcAciFkOvk21HGJsmLcUuwQ@mail.gmail.com/
+Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>
+Closes: https://lore.kernel.org/linux-mm/CALcu4rbT+fMVNaO_F2izaCT+e7jzcAciFkOvk21HGJsmLcUuwQ@mail.gmail.com/
+Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempolicy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1525,8 +1525,10 @@ SYSCALL_DEFINE4(set_mempolicy_home_node,
+ /*
+ * Only update home node if there is an existing vma policy
+ */
+- if (!new)
++ if (!new) {
++ prev = vma;
+ continue;
++ }
+
+ /*
+ * If any vma in the range got policy other than MPOL_BIND
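Review bot: the `if (!new)` branch in this hunk now advances `prev` before `continue`, which is the whole fix: a VMA without a policy was skipped without becoming the previous VMA, so the next `mbind_range()` call for a later VMA in the range received a stale `prev`, which is what produces the WARN_ON the commit message describes. The comment above the branch ("Only update home node if there is an existing vma policy") still reads as if the VMA is simply skipped; consider extending it to say that `prev` must track every VMA visited so that `mbind_range()` is handed the correct neighbour.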
--- /dev/null
+From 824135c46b00df7fb369ec7f1f8607427bbebeb0 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
+Date: Fri, 29 Sep 2023 14:30:40 -0400
+Subject: mmap: fix error paths with dup_anon_vma()
+
+From: Liam R. Howlett <Liam.Howlett@oracle.com>
+
+commit 824135c46b00df7fb369ec7f1f8607427bbebeb0 upstream.
+
+When the calling function fails after the dup_anon_vma(), the
+duplication of the anon_vma is not being undone. Add the necessary
+unlink_anon_vma() call to the error paths that are missing them.
+
+This issue showed up during inspection of the error path in vma_merge()
+for an unrelated vma iterator issue.
+
+Users may experience increased memory usage, which may be problematic as
+the failure would likely be caused by a low memory situation.
+
+Link: https://lkml.kernel.org/r/20230929183041.2835469-3-Liam.Howlett@oracle.com
+Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Jann Horn <jannh@google.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mmap.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -519,6 +519,7 @@ inline int vma_expand(struct ma_state *m
+ struct anon_vma *anon_vma = vma->anon_vma;
+ struct file *file = vma->vm_file;
+ bool remove_next = false;
++ struct vm_area_struct *anon_dup = NULL;
+
+ if (next && (vma != next) && (end == next->vm_end)) {
+ remove_next = true;
+@@ -530,6 +531,8 @@ inline int vma_expand(struct ma_state *m
+ error = anon_vma_clone(vma, next);
+ if (error)
+ return error;
++
++ anon_dup = vma;
+ }
+ }
+
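Review bot: `anon_dup = vma` is set only after `anon_vma_clone(vma, next)` has succeeded, which is the right place: on failure the function returns `error` directly with nothing to undo, and on success the cleanup path knows which VMA now carries the cloned chain. A one-line comment at the assignment (for example "remember which vma to unlink on failure") would make its pairing with the `nomem` cleanup obvious to the next reader.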
+@@ -602,6 +605,9 @@ inline int vma_expand(struct ma_state *m
+ return 0;
+
+ nomem:
++ if (anon_dup)
++ unlink_anon_vmas(anon_dup);
++
+ return -ENOMEM;
+ }
+
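Review bot: the `nomem` label now calls `unlink_anon_vmas(anon_dup)` when a clone was made, closing the leak the commit message describes, but it only covers failures that jump to `nomem`. Worth confirming that every failure point between `anon_vma_clone()` and the successful `return 0` reaches this label rather than returning `-ENOMEM` directly; a direct return would still leave the cloned anon_vma chain behind.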
+@@ -629,6 +635,7 @@ int __vma_adjust(struct vm_area_struct *
+ int remove_next = 0;
+ MA_STATE(mas, &mm->mm_mt, 0, 0);
+ struct vm_area_struct *exporter = NULL, *importer = NULL;
++ struct vm_area_struct *anon_dup = NULL;
+
+ if (next && !insert) {
+ if (end >= next->vm_end) {
+@@ -709,11 +716,17 @@ int __vma_adjust(struct vm_area_struct *
+ error = anon_vma_clone(importer, exporter);
+ if (error)
+ return error;
++
++ anon_dup = importer;
+ }
+ }
+
+- if (mas_preallocate(&mas, vma, GFP_KERNEL))
++ if (mas_preallocate(&mas, vma, GFP_KERNEL)) {
++ if (anon_dup)
++ unlink_anon_vmas(anon_dup);
++
+ return -ENOMEM;
++ }
+
+ vma_adjust_trans_huge(orig_vma, start, end, adjust_next);
+ if (file) {
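Review bot: the `mas_preallocate()` failure path in `__vma_adjust()` undoes the clone inline rather than through an error label as `vma_expand()` does. That is fine while this is the only failure after `anon_vma_clone(importer, exporter)`, but if another failure point is ever added after the preallocation the unlink will have to be duplicated; a `nomem`-style label matching `vma_expand()` would keep the two functions symmetric. The unlink correctly targets `importer`, the side that received the clone, consistent with `anon_dup = vma` in `vma_expand()`.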
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- tools/perf/util/evlist.c | 5 +++--
+ tools/perf/util/evlist.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c
-index 6612b00949e70..ca08e6dc8b232 100644
--- a/tools/perf/util/evlist.c
+++ b/tools/perf/util/evlist.c
-@@ -252,6 +252,9 @@ static struct evsel *evlist__dummy_event(struct evlist *evlist)
+@@ -252,6 +252,9 @@ static struct evsel *evlist__dummy_event
.type = PERF_TYPE_SOFTWARE,
.config = PERF_COUNT_SW_DUMMY,
.size = sizeof(attr), /* to capture ABI version */
};
return evsel__new_idx(&attr, evlist->core.nr_entries);
-@@ -278,8 +281,6 @@ struct evsel *evlist__add_aux_dummy(struct evlist *evlist, bool system_wide)
+@@ -278,8 +281,6 @@ struct evsel *evlist__add_aux_dummy(stru
evsel->core.attr.exclude_kernel = 1;
evsel->core.attr.exclude_guest = 1;
evsel->core.attr.exclude_hv = 1;
evsel->core.system_wide = system_wide;
evsel->no_aux_samples = true;
evsel->name = strdup("dummy:u");
---
-2.42.0
-
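Review bot: this region is a refresh of an already-queued patch file rather than a code change: the `diff --git` and `index` lines and the `2.42.0` git version trailer are dropped, and the `@@` hunk headers lose the tail of the function signature (`evlist__dummy_event(struct evlist *evlist)` becomes `evlist__dummy_event`). The context lines and the `5 +++--` diffstat are unchanged, so the applied result is the same; the regeneration is cosmetic and safe, though it makes the file slightly harder to compare against the upstream commit by eye.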
ceph_wait_on_conflict_unlink-grab-reference-before-d.patch
power-supply-core-use-blocking_notifier_call_chain-t.patch
perf-evlist-avoid-frequency-mode-for-the-dummy-event.patch
+x86-kvm-svm-always-update-the-x2avic-msr-interception.patch
+mm-mempolicy-fix-set_mempolicy_home_node-previous-vma-pointer.patch
+mmap-fix-error-paths-with-dup_anon_vma.patch
--- /dev/null
+From b65235f6e102354ccafda601eaa1c5bef5284d21 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <mlevitsk@redhat.com>
+Date: Thu, 28 Sep 2023 20:33:51 +0300
+Subject: x86: KVM: SVM: always update the x2avic msr interception
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+commit b65235f6e102354ccafda601eaa1c5bef5284d21 upstream.
+
+The following problem exists since x2avic was enabled in the KVM:
+
+svm_set_x2apic_msr_interception is called to enable the interception of
+the x2apic msrs.
+
+In particular it is called at the moment the guest resets its apic.
+
+Assuming that the guest's apic was in x2apic mode, the reset will bring
+it back to the xapic mode.
+
+The svm_set_x2apic_msr_interception however has an erroneous check for
+'!apic_x2apic_mode()' which prevents it from doing anything in this case.
+
+As a result of this, all x2apic msrs are left unintercepted, and that
+exposes the bare metal x2apic (if enabled) to the guest.
+Oops.
+
+Remove the erroneous '!apic_x2apic_mode()' check to fix that.
+
+This fixes CVE-2023-5090
+
+Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Reviewed-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20230928173354.217464-2-mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/svm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -822,8 +822,7 @@ void svm_set_x2apic_msr_interception(str
+ if (intercept == svm->x2avic_msrs_intercepted)
+ return;
+
+- if (avic_mode != AVIC_MODE_X2 ||
+- !apic_x2apic_mode(svm->vcpu.arch.apic))
++ if (avic_mode != AVIC_MODE_X2)
+ return;
+
+ for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) {
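Review bot: dropping `!apic_x2apic_mode(svm->vcpu.arch.apic)` from the early return is the entire CVE-2023-5090 fix: with that check in place, a guest leaving x2apic mode (the APIC reset case from the commit message) made the function bail out before re-enabling interception, leaving the x2apic MSRs passed through to the guest. The remaining `intercept == svm->x2avic_msrs_intercepted` guard still avoids redundant work and `avic_mode != AVIC_MODE_X2` still skips hosts without x2AVIC. Since the removed condition looked plausible enough to pass review once, a short comment above the loop stating that the interception state must be updated regardless of the guest's current APIC mode would help keep it from being reintroduced.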