4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Jan 2021 11:46:52 +0000 (12:46 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Jan 2021 11:46:52 +0000 (12:46 +0100)
added patches:
kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch
netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch
netfilter-x_tables-update-remaining-dereference-to-rcu.patch
netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch
x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch
xen-pvh-correctly-setup-the-pv-efi-interface-for-dom0.patch

queue-4.19/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch [new file with mode: 0644]
queue-4.19/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch [new file with mode: 0644]
queue-4.19/netfilter-x_tables-update-remaining-dereference-to-rcu.patch [new file with mode: 0644]
queue-4.19/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch [new file with mode: 0644]
queue-4.19/xen-pvh-correctly-setup-the-pv-efi-interface-for-dom0.patch [new file with mode: 0644]

diff --git a/queue-4.19/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch b/queue-4.19/kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch
new file mode 100644 (file)
index 0000000..fee0861
--- /dev/null
@@ -0,0 +1,32 @@
+From 2f80d502d627f30257ba7e3655e71c373b7d1a5a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 22 Dec 2020 05:20:43 -0500
+Subject: KVM: x86: fix shift out of bounds reported by UBSAN
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 2f80d502d627f30257ba7e3655e71c373b7d1a5a upstream.
+
+Since we know that e >= s, we can reassociate the left shift,
+changing the shifted number from 1 to 2 in exchange for
+decreasing the right hand side by 1.
+
+Reported-by: syzbot+e87846c48bf72bc85311@syzkaller.appspotmail.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.h
++++ b/arch/x86/kvm/mmu.h
+@@ -53,7 +53,7 @@ static inline u64 rsvd_bits(int s, int e
+       if (e < s)
+               return 0;
+-      return ((1ULL << (e - s + 1)) - 1) << s;
++      return ((2ULL << (e - s)) - 1) << s;
+ }
+ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value);
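Review bot: rsvd_bits() now rests on an unstated precondition that both arguments lie in 0..63: `2ULL << (e - s)` is well defined only for e - s <= 63 and the trailing `<< s` only for s <= 63, and the `if (e < s)` guard just above does not enforce either bound. A one-line comment above the function would make the contract explicit for the next caller: `/* Mask of bits s..e inclusive; callers must pass 0 <= s <= e <= 63 (e - s == 63 makes 2ULL << 63 wrap to 0 and the result is still ~0ULL). */`. The signature itself is only partly visible in the hunk header, so the parameter types are taken from there.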
diff --git a/queue-4.19/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch b/queue-4.19/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch
new file mode 100644 (file)
index 0000000..f001961
--- /dev/null
@@ -0,0 +1,89 @@
+From 5c8193f568ae16f3242abad6518dc2ca6c8eef86 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 17 Dec 2020 17:53:18 +0300
+Subject: netfilter: ipset: fix shift-out-of-bounds in htable_bits()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 5c8193f568ae16f3242abad6518dc2ca6c8eef86 upstream.
+
+htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds
+
+UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
+shift exponent 32 is too large for 32-bit type 'unsigned int'
+CPU: 0 PID: 8498 Comm: syz-executor519
+ Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
+ htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
+ hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
+ ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
+ nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
+ nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This patch replaces htable_bits() by simple fls(hashsize - 1) call:
+it alone returns valid nbits both for round and non-round hashsizes.
+It is normal to set any nbits here because it is validated inside
+following htable_size() call which returns 0 for nbits>31.
+
+Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation")
+Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_hash_gen.h |   20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -115,20 +115,6 @@ htable_size(u8 hbits)
+       return hsize * sizeof(struct hbucket *) + sizeof(struct htable);
+ }
+-/* Compute htable_bits from the user input parameter hashsize */
+-static u8
+-htable_bits(u32 hashsize)
+-{
+-      /* Assume that hashsize == 2^htable_bits */
+-      u8 bits = fls(hashsize - 1);
+-
+-      if (jhash_size(bits) != hashsize)
+-              /* Round up to the first 2^n value */
+-              bits = fls(hashsize);
+-
+-      return bits;
+-}
+-
+ #ifdef IP_SET_HASH_WITH_NETS
+ #if IPSET_NET_COUNT > 1
+ #define __CIDR(cidr, i)               (cidr[i])
+@@ -1287,7 +1273,11 @@ IPSET_TOKEN(HTYPE, _create)(struct net *
+       if (!h)
+               return -ENOMEM;
+-      hbits = htable_bits(hashsize);
++      /* Compute htable_bits from the user input parameter hashsize.
++       * Assume that hashsize == 2^htable_bits,
++       * otherwise round up to the first 2^n value.
++       */
++      hbits = fls(hashsize - 1);
+       hsize = htable_size(hbits);
+       if (hsize == 0) {
+               kfree(h);
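Review bot: `hbits = fls(hashsize - 1)` underflows when hashsize is 0 (fls(0xffffffff) is 32) and so silently relies on htable_size() rejecting 32 bits, which the commit message asserts but the visible code does not show; a reader of this line cannot tell that from the code. I would extend the new comment with one more line: ` * hashsize == 0 yields 32 bits here; htable_size() returns 0 for that and we bail below.` If hashsize is already clamped to a minimum before this point (not visible here), state that instead. The enclosing _create function starts and ends outside the hunk.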
diff --git a/queue-4.19/netfilter-x_tables-update-remaining-dereference-to-rcu.patch b/queue-4.19/netfilter-x_tables-update-remaining-dereference-to-rcu.patch
new file mode 100644 (file)
index 0000000..aba7f2b
--- /dev/null
@@ -0,0 +1,58 @@
+From 443d6e86f821a165fae3fc3fc13086d27ac140b1 Mon Sep 17 00:00:00 2001
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Date: Wed, 16 Dec 2020 21:38:02 -0700
+Subject: netfilter: x_tables: Update remaining dereference to RCU
+
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+
+commit 443d6e86f821a165fae3fc3fc13086d27ac140b1 upstream.
+
+This fixes the dereference to fetch the RCU pointer when holding
+the appropriate xtables lock.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: cc00bcaa5899 ("netfilter: x_tables: Switch synchronization to RCU")
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/arp_tables.c |    2 +-
+ net/ipv4/netfilter/ip_tables.c  |    2 +-
+ net/ipv6/netfilter/ip6_tables.c |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1405,7 +1405,7 @@ static int compat_get_entries(struct net
+       xt_compat_lock(NFPROTO_ARP);
+       t = xt_find_table_lock(net, NFPROTO_ARP, get.name);
+       if (!IS_ERR(t)) {
+-              const struct xt_table_info *private = t->private;
++              const struct xt_table_info *private = xt_table_get_private_protected(t);
+               struct xt_table_info info;
+               ret = compat_table_info(private, &info);
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1619,7 +1619,7 @@ compat_get_entries(struct net *net, stru
+       xt_compat_lock(AF_INET);
+       t = xt_find_table_lock(net, AF_INET, get.name);
+       if (!IS_ERR(t)) {
+-              const struct xt_table_info *private = t->private;
++              const struct xt_table_info *private = xt_table_get_private_protected(t);
+               struct xt_table_info info;
+               ret = compat_table_info(private, &info);
+               if (!ret && get.size == info.size)
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1628,7 +1628,7 @@ compat_get_entries(struct net *net, stru
+       xt_compat_lock(AF_INET6);
+       t = xt_find_table_lock(net, AF_INET6, get.name);
+       if (!IS_ERR(t)) {
+-              const struct xt_table_info *private = t->private;
++              const struct xt_table_info *private = xt_table_get_private_protected(t);
+               struct xt_table_info info;
+               ret = compat_table_info(private, &info);
+               if (!ret && get.size == info.size)
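Review bot: The three replaced lines depend on xt_table_get_private_protected() already existing in this 4.19 tree; it was introduced by the RCU conversion named in the Fixes tag, so this patch only builds if that backport is queued ahead of it, which the series hunk on this page cannot confirm. A short why-comment at each site would also help a backport reader: `/* private is RCU-managed; read it once via the protected accessor while xt_find_table_lock() keeps the table lock held. */` — hedged, because the lock taken by xt_find_table_lock() is outside the hunk. All three compat_get_entries() bodies continue past the hunk, where `private` is presumably used again; those uses reuse the single fetched pointer and need no further change.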
diff --git a/queue-4.19/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch b/queue-4.19/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch
new file mode 100644 (file)
index 0000000..14f9b82
--- /dev/null
@@ -0,0 +1,41 @@
+From 6cb56218ad9e580e519dcd23bfb3db08d8692e5a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 22 Dec 2020 23:23:56 +0100
+Subject: netfilter: xt_RATEEST: reject non-null terminated string from userspace
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6cb56218ad9e580e519dcd23bfb3db08d8692e5a upstream.
+
+syzbot reports:
+detected buffer overflow in strlen
+[..]
+Call Trace:
+ strlen include/linux/string.h:325 [inline]
+ strlcpy include/linux/string.h:348 [inline]
+ xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143
+
+strlcpy assumes src is a c-string. Check info->name before its used.
+
+Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com
+Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_RATEEST.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/xt_RATEEST.c
++++ b/net/netfilter/xt_RATEEST.c
+@@ -118,6 +118,9 @@ static int xt_rateest_tg_checkentry(cons
+       } cfg;
+       int ret;
++      if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name))
++              return -ENAMETOOLONG;
++
+       net_get_random_once(&jhash_rnd, sizeof(jhash_rnd));
+       mutex_lock(&xn->hash_lock);
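Review bot: The new strnlen() bound is taken from the destination (`sizeof(est->name)`) while the scan runs over the source `info->name`; should the two arrays ever differ in size, the check either reads past `info->name` or admits a name that strlcpy() will still truncate. Pin the assumption next to the check with `BUILD_BUG_ON(sizeof(info->name) != sizeof(est->name));`, or bound the scan by the source with `sizeof(info->name)`. The struct definitions are outside the hunk, so this is a request to make the equality visible rather than a claimed bug; xt_rateest_tg_checkentry() starts and ends outside the hunk.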
index bda52edc4a42c37bc93f4325c79aaf83530ac894..2394b98c165e2fe74b04f1812050d65e58209398 100644 (file)
@@ -69,3 +69,9 @@ alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch
 alsa-hda-realtek-fix-speaker-volume-control-on-lenovo-c940.patch
 btrfs-send-fix-wrong-file-path-when-there-is-an-inode-with-a-pending-rmdir.patch
 revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch
+xen-pvh-correctly-setup-the-pv-efi-interface-for-dom0.patch
+netfilter-x_tables-update-remaining-dereference-to-rcu.patch
+netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch
+netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch
+x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch
+kvm-x86-fix-shift-out-of-bounds-reported-by-ubsan.patch
diff --git a/queue-4.19/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch b/queue-4.19/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch
new file mode 100644 (file)
index 0000000..93ca6d2
--- /dev/null
@@ -0,0 +1,62 @@
+From cb7f4a8b1fb426a175d1708f05581939c61329d4 Mon Sep 17 00:00:00 2001
+From: Ying-Tsun Huang <ying-tsun.huang@amd.com>
+Date: Tue, 15 Dec 2020 15:07:20 +0800
+Subject: x86/mtrr: Correct the range check before performing MTRR type lookups
+
+From: Ying-Tsun Huang <ying-tsun.huang@amd.com>
+
+commit cb7f4a8b1fb426a175d1708f05581939c61329d4 upstream.
+
+In mtrr_type_lookup(), if the input memory address region is not in the
+MTRR, over 4GB, and not over the top of memory, a write-back attribute
+is returned. These condition checks are for ensuring the input memory
+address region is actually mapped to the physical memory.
+
+However, if the end address is just aligned with the top of memory,
+the condition check treats the address is over the top of memory, and
+write-back attribute is not returned.
+
+And this hits in a real use case with NVDIMM: the nd_pmem module tries
+to map NVDIMMs as cacheable memories when NVDIMMs are connected. If a
+NVDIMM is the last of the DIMMs, the performance of this NVDIMM becomes
+very low since it is aligned with the top of memory and its memory type
+is uncached-minus.
+
+Move the input end address change to inclusive up into
+mtrr_type_lookup(), before checking for the top of memory in either
+mtrr_type_lookup_{variable,fixed}() helpers.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 0cc705f56e40 ("x86/mm/mtrr: Clean up mtrr_type_lookup()")
+Signed-off-by: Ying-Tsun Huang <ying-tsun.huang@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20201215070721.4349-1-ying-tsun.huang@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mtrr/generic.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -166,9 +166,6 @@ static u8 mtrr_type_lookup_variable(u64
+       *repeat = 0;
+       *uniform = 1;
+-      /* Make end inclusive instead of exclusive */
+-      end--;
+-
+       prev_match = MTRR_TYPE_INVALID;
+       for (i = 0; i < num_var_ranges; ++i) {
+               unsigned short start_state, end_state, inclusive;
+@@ -260,6 +257,9 @@ u8 mtrr_type_lookup(u64 start, u64 end,
+       int repeat;
+       u64 partial_end;
++      /* Make end inclusive instead of exclusive */
++      end--;
++
+       if (!mtrr_state_set)
+               return MTRR_TYPE_INVALID;
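Review bot: Moving `end--` to the top of mtrr_type_lookup() makes `end` inclusive for every later use in that function, not only for the two helpers the message names; the hunk shows only the function's prologue, so the fixed-range comparison and the `partial_end` repeat path below it must have been audited for the new convention. A zero-length call (end == 0) now wraps `end` to ~0ULL before any validation, whereas previously the wrap happened inside the variable helper; callers presumably never pass that, but nothing here rejects it. Documenting the convention at the function head would prevent the next regression: `/* @end is exclusive on entry and converted to inclusive here for both the fixed and variable lookups. */`. mtrr_type_lookup() continues outside the hunk.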
diff --git a/queue-4.19/xen-pvh-correctly-setup-the-pv-efi-interface-for-dom0.patch b/queue-4.19/xen-pvh-correctly-setup-the-pv-efi-interface-for-dom0.patch
new file mode 100644 (file)
index 0000000..a8ad5d1
--- /dev/null
@@ -0,0 +1,108 @@
+From 72813bfbf0276a97c82af038efb5f02dcdd9e310 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Tue, 23 Apr 2019 15:04:16 +0200
+Subject: xen/pvh: correctly setup the PV EFI interface for dom0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 72813bfbf0276a97c82af038efb5f02dcdd9e310 upstream.
+
+This involves initializing the boot params EFI related fields and the
+efi global variable.
+
+Without this fix a PVH dom0 doesn't detect when booted from EFI, and
+thus doesn't support accessing any of the EFI related data.
+
+Reported-by: PGNet Dev <pgnet.dev@gmail.com>
+Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Jinoh Kang <jinoh.kang.kr@gmail.com>
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/x86/xen/efi.c           |   12 ++++++------
+ arch/x86/xen/enlighten_pv.c  |    2 +-
+ arch/x86/xen/enlighten_pvh.c |    4 ++++
+ arch/x86/xen/xen-ops.h       |    4 ++--
+ 4 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/xen/efi.c
++++ b/arch/x86/xen/efi.c
+@@ -172,7 +172,7 @@ static enum efi_secureboot_mode xen_efi_
+       return efi_secureboot_mode_unknown;
+ }
+-void __init xen_efi_init(void)
++void __init xen_efi_init(struct boot_params *boot_params)
+ {
+       efi_system_table_t *efi_systab_xen;
+@@ -181,12 +181,12 @@ void __init xen_efi_init(void)
+       if (efi_systab_xen == NULL)
+               return;
+-      strncpy((char *)&boot_params.efi_info.efi_loader_signature, "Xen",
+-                      sizeof(boot_params.efi_info.efi_loader_signature));
+-      boot_params.efi_info.efi_systab = (__u32)__pa(efi_systab_xen);
+-      boot_params.efi_info.efi_systab_hi = (__u32)(__pa(efi_systab_xen) >> 32);
++      strncpy((char *)&boot_params->efi_info.efi_loader_signature, "Xen",
++                      sizeof(boot_params->efi_info.efi_loader_signature));
++      boot_params->efi_info.efi_systab = (__u32)__pa(efi_systab_xen);
++      boot_params->efi_info.efi_systab_hi = (__u32)(__pa(efi_systab_xen) >> 32);
+-      boot_params.secure_boot = xen_efi_get_secureboot();
++      boot_params->secure_boot = xen_efi_get_secureboot();
+       set_bit(EFI_BOOT, &efi.flags);
+       set_bit(EFI_PARAVIRT, &efi.flags);
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -1409,7 +1409,7 @@ asmlinkage __visible void __init xen_sta
+       /* We need this for printk timestamps */
+       xen_setup_runstate_info(0);
+-      xen_efi_init();
++      xen_efi_init(&boot_params);
+       /* Start the world */
+ #ifdef CONFIG_X86_32
+--- a/arch/x86/xen/enlighten_pvh.c
++++ b/arch/x86/xen/enlighten_pvh.c
+@@ -14,6 +14,8 @@
+ #include <xen/interface/memory.h>
+ #include <xen/interface/hvm/start_info.h>
++#include "xen-ops.h"
++
+ /*
+  * PVH variables.
+  *
+@@ -79,6 +81,8 @@ static void __init init_pvh_bootparams(v
+       pvh_bootparams.hdr.type_of_loader = (9 << 4) | 0; /* Xen loader */
+       x86_init.acpi.get_root_pointer = pvh_get_root_pointer;
++
++      xen_efi_init(&pvh_bootparams);
+ }
+ /*
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -122,9 +122,9 @@ static inline void __init xen_init_vga(c
+ void __init xen_init_apic(void);
+ #ifdef CONFIG_XEN_EFI
+-extern void xen_efi_init(void);
++extern void xen_efi_init(struct boot_params *boot_params);
+ #else
+-static inline void __init xen_efi_init(void)
++static inline void __init xen_efi_init(struct boot_params *boot_params)
+ {
+ }
+ #endif
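Review bot: xen_efi_init() now has two callers handing in different boot_params objects and returns early when no EFI system table is exposed (`if (efi_systab_xen == NULL) return;`), yet neither the prototype in xen-ops.h nor the definition says what @boot_params receives or that a guest without a Xen EFI table is a silent no-op. I would add above the declaration: `/* Fill @boot_params->efi_info and efi.flags from the Xen-provided EFI system table; no-op if Xen exposes none. */`. Where efi_systab_xen is obtained is outside the hunk, so the probing conditions are assumed, not verified. init_pvh_bootparams() and xen_start_kernel() both continue outside the hunk.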