--- /dev/null
+From d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 8 Oct 2023 19:36:53 +0200
+Subject: netfilter: nft_payload: fix wrong mac header matching
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Westphal <fw@strlen.de>
+
+commit d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6 upstream.
+
+mcast packets get looped back to the local machine.
+Such packets have a 0-length mac header, we should treat
+this like "mac header not set" and abort rule evaluation.
+
+As-is, we just copy data from the network header instead.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Reported-by: Blažej Krajňák <krajnak@levonet.sk>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_payload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -93,7 +93,7 @@ void nft_payload_eval(const struct nft_e
+
+ switch (priv->base) {
+ case NFT_PAYLOAD_LL_HEADER:
+- if (!skb_mac_header_was_set(skb))
++ if (!skb_mac_header_was_set(skb) || skb_mac_header_len(skb) == 0)
+ goto err;
+
+ if (skb_vlan_tag_present(skb)) {
nfc-nci-fix-possible-null-pointer-dereference-in-send_acknowledge.patch
regmap-fix-null-deref-on-lookup.patch
kvm-x86-mask-lvtpc-when-handling-a-pmi.patch
+x86-sev-disable-mmio-emulation-from-user-mode.patch
+x86-sev-check-iobm-for-ioio-exceptions-from-user-space.patch
+x86-sev-check-for-user-space-ioio-pointing-to-kernel-space.patch
+tcp-check-mptcp-level-constraints-for-backlog-coalescing.patch
+netfilter-nft_payload-fix-wrong-mac-header-matching.patch
--- /dev/null
+From 6db8a37dfc541e059851652cfd4f0bb13b8ff6af Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 18 Oct 2023 11:23:53 -0700
+Subject: tcp: check mptcp-level constraints for backlog coalescing
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 6db8a37dfc541e059851652cfd4f0bb13b8ff6af upstream.
+
+The MPTCP protocol can acquire the subflow-level socket lock and
+cause the tcp backlog usage. When inserting new skbs into the
+backlog, the stack will try to coalesce them.
+
+Currently, we have no check in place to ensure that such coalescing
+will respect the MPTCP-level DSS, and that may cause data stream
+corruption, as reported by Christoph.
+
+Address the issue by adding the relevant admission check for coalescing
+in tcp_add_backlog().
+
+Note the issue is not easy to reproduce, as the MPTCP protocol tries
+hard to avoid acquiring the subflow-level socket lock.
+
+Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path")
+Cc: stable@vger.kernel.org
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-2-17ecb002e41d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1832,6 +1832,7 @@ bool tcp_add_backlog(struct sock *sk, st
+ #ifdef CONFIG_TLS_DEVICE
+ tail->decrypted != skb->decrypted ||
+ #endif
++ !mptcp_skb_can_collapse(tail, skb) ||
+ thtail->doff != th->doff ||
+ memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th)))
+ goto no_coalesce;
--- /dev/null
+From 388e3741508d6db3034c544b534400a94cc2c8a1 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Mon, 16 Oct 2023 14:42:50 +0200
+Subject: x86/sev: Check for user-space IOIO pointing to kernel space
+
+From: Joerg Roedel <jroedel@suse.de>
+
+Upstream commit: 63e44bc52047f182601e7817da969a105aa1f721
+
+Check the memory operand of INS/OUTS before emulating the instruction.
+The #VC exception can get raised from user-space, but the memory operand
+can be manipulated to access kernel memory before the emulation actually
+begins and after the exception handler has run.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler")
+Reported-by: Tom Dohrmann <erbse.13@gmx.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/sev-es.c | 5 +++++
+ arch/x86/kernel/sev-es-shared.c | 31 +++++++++++++++++++++++++++++--
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/boot/compressed/sev-es.c
++++ b/arch/x86/boot/compressed/sev-es.c
+@@ -111,6 +111,11 @@ static enum es_result vc_ioio_check(stru
+ return ES_OK;
+ }
+
++static bool fault_in_kernel_space(unsigned long address)
++{
++ return false;
++}
++
+ #undef __init
+ #undef __pa
+ #define __init
+--- a/arch/x86/kernel/sev-es-shared.c
++++ b/arch/x86/kernel/sev-es-shared.c
+@@ -217,6 +217,23 @@ fail:
+ asm volatile("hlt\n");
+ }
+
++static enum es_result vc_insn_string_check(struct es_em_ctxt *ctxt,
++ unsigned long address,
++ bool write)
++{
++ if (user_mode(ctxt->regs) && fault_in_kernel_space(address)) {
++ ctxt->fi.vector = X86_TRAP_PF;
++ ctxt->fi.error_code = X86_PF_USER;
++ ctxt->fi.cr2 = address;
++ if (write)
++ ctxt->fi.error_code |= X86_PF_WRITE;
++
++ return ES_EXCEPTION;
++ }
++
++ return ES_OK;
++}
++
+ static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt,
+ void *src, char *buf,
+ unsigned int data_size,
+@@ -224,7 +241,12 @@ static enum es_result vc_insn_string_rea
+ bool backwards)
+ {
+ int i, b = backwards ? -1 : 1;
+- enum es_result ret = ES_OK;
++ unsigned long address = (unsigned long)src;
++ enum es_result ret;
++
++ ret = vc_insn_string_check(ctxt, address, false);
++ if (ret != ES_OK)
++ return ret;
+
+ for (i = 0; i < count; i++) {
+ void *s = src + (i * data_size * b);
+@@ -245,7 +267,12 @@ static enum es_result vc_insn_string_wri
+ bool backwards)
+ {
+ int i, s = backwards ? -1 : 1;
+- enum es_result ret = ES_OK;
++ unsigned long address = (unsigned long)dst;
++ enum es_result ret;
++
++ ret = vc_insn_string_check(ctxt, address, true);
++ if (ret != ES_OK)
++ return ret;
+
+ for (i = 0; i < count; i++) {
+ void *d = dst + (i * data_size * s);
--- /dev/null
+From 988a710b13132a1ca92ee3158937297989ece7b5 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 21 Jun 2023 17:42:42 +0200
+Subject: x86/sev: Check IOBM for IOIO exceptions from user-space
+
+From: Joerg Roedel <jroedel@suse.de>
+
+Upstream commit: b9cb9c45583b911e0db71d09caa6b56469eb2bdf
+
+Check the IO permission bitmap (if present) before emulating IOIO #VC
+exceptions for user-space. These permissions are checked by hardware
+already before the #VC is raised, but due to the VC-handler decoding
+race it needs to be checked again in software.
+
+Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
+Reported-by: Tom Dohrmann <erbse.13@gmx.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: Tom Dohrmann <erbse.13@gmx.de>
+Cc: <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/sev-es.c | 5 +++++
+ arch/x86/kernel/sev-es-shared.c | 22 +++++++++++++++-------
+ arch/x86/kernel/sev-es.c | 27 +++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/boot/compressed/sev-es.c
++++ b/arch/x86/boot/compressed/sev-es.c
+@@ -106,6 +106,11 @@ static enum es_result vc_read_mem(struct
+ return ES_OK;
+ }
+
++static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size)
++{
++ return ES_OK;
++}
++
+ #undef __init
+ #undef __pa
+ #define __init
+--- a/arch/x86/kernel/sev-es-shared.c
++++ b/arch/x86/kernel/sev-es-shared.c
+@@ -281,6 +281,9 @@ static enum es_result vc_insn_string_wri
+ static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
+ {
+ struct insn *insn = &ctxt->insn;
++ size_t size;
++ u64 port;
++
+ *exitinfo = 0;
+
+ switch (insn->opcode.bytes[0]) {
+@@ -289,7 +292,7 @@ static enum es_result vc_ioio_exitinfo(s
+ case 0x6d:
+ *exitinfo |= IOIO_TYPE_INS;
+ *exitinfo |= IOIO_SEG_ES;
+- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
++ port = ctxt->regs->dx & 0xffff;
+ break;
+
+ /* OUTS opcodes */
+@@ -297,41 +300,43 @@ static enum es_result vc_ioio_exitinfo(s
+ case 0x6f:
+ *exitinfo |= IOIO_TYPE_OUTS;
+ *exitinfo |= IOIO_SEG_DS;
+- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
++ port = ctxt->regs->dx & 0xffff;
+ break;
+
+ /* IN immediate opcodes */
+ case 0xe4:
+ case 0xe5:
+ *exitinfo |= IOIO_TYPE_IN;
+- *exitinfo |= (u8)insn->immediate.value << 16;
++ port = (u8)insn->immediate.value & 0xffff;
+ break;
+
+ /* OUT immediate opcodes */
+ case 0xe6:
+ case 0xe7:
+ *exitinfo |= IOIO_TYPE_OUT;
+- *exitinfo |= (u8)insn->immediate.value << 16;
++ port = (u8)insn->immediate.value & 0xffff;
+ break;
+
+ /* IN register opcodes */
+ case 0xec:
+ case 0xed:
+ *exitinfo |= IOIO_TYPE_IN;
+- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
++ port = ctxt->regs->dx & 0xffff;
+ break;
+
+ /* OUT register opcodes */
+ case 0xee:
+ case 0xef:
+ *exitinfo |= IOIO_TYPE_OUT;
+- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
++ port = ctxt->regs->dx & 0xffff;
+ break;
+
+ default:
+ return ES_DECODE_FAILED;
+ }
+
++ *exitinfo |= port << 16;
++
+ switch (insn->opcode.bytes[0]) {
+ case 0x6c:
+ case 0x6e:
+@@ -341,12 +346,15 @@ static enum es_result vc_ioio_exitinfo(s
+ case 0xee:
+ /* Single byte opcodes */
+ *exitinfo |= IOIO_DATA_8;
++ size = 1;
+ break;
+ default:
+ /* Length determined by instruction parsing */
+ *exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16
+ : IOIO_DATA_32;
++ size = (insn->opnd_bytes == 2) ? 2 : 4;
+ }
++
+ switch (insn->addr_bytes) {
+ case 2:
+ *exitinfo |= IOIO_ADDR_16;
+@@ -362,7 +370,7 @@ static enum es_result vc_ioio_exitinfo(s
+ if (insn_has_rep_prefix(insn))
+ *exitinfo |= IOIO_REP;
+
+- return ES_OK;
++ return vc_ioio_check(ctxt, (u16)port, size);
+ }
+
+ static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
+--- a/arch/x86/kernel/sev-es.c
++++ b/arch/x86/kernel/sev-es.c
+@@ -448,6 +448,33 @@ static enum es_result vc_slow_virt_to_ph
+ return ES_OK;
+ }
+
++static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size)
++{
++ BUG_ON(size > 4);
++
++ if (user_mode(ctxt->regs)) {
++ struct thread_struct *t = ¤t->thread;
++ struct io_bitmap *iobm = t->io_bitmap;
++ size_t idx;
++
++ if (!iobm)
++ goto fault;
++
++ for (idx = port; idx < port + size; ++idx) {
++ if (test_bit(idx, iobm->bitmap))
++ goto fault;
++ }
++ }
++
++ return ES_OK;
++
++fault:
++ ctxt->fi.vector = X86_TRAP_GP;
++ ctxt->fi.error_code = 0;
++
++ return ES_EXCEPTION;
++}
++
+ /* Include code shared with pre-decompression boot stage */
+ #include "sev-es-shared.c"
+
--- /dev/null
+From bb543abcb1fb0cba2ba7b7916ac7092678ba0a15 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Thu, 5 Oct 2023 11:06:36 +0200
+Subject: x86/sev: Disable MMIO emulation from user mode
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Upstream commit: a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba
+
+A virt scenario can be constructed where MMIO memory can be user memory.
+When that happens, a race condition opens between when the hardware
+raises the #VC and when the #VC handler gets to emulate the instruction.
+
+If the MOVS is replaced with a MOVS accessing kernel memory in that
+small race window, then write to kernel memory happens as the access
+checks are not done at emulation time.
+
+Disable MMIO emulation in user mode temporarily until a sensible use
+case appears and justifies properly handling the race window.
+
+Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions")
+Reported-by: Tom Dohrmann <erbse.13@gmx.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: Tom Dohrmann <erbse.13@gmx.de>
+Cc: <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/sev-es.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/sev-es.c
++++ b/arch/x86/kernel/sev-es.c
+@@ -970,6 +970,9 @@ static enum es_result vc_handle_mmio(str
+ enum es_result ret;
+ long *reg_data;
+
++ if (user_mode(ctxt->regs))
++ return ES_UNSUPPORTED;
++
+ switch (insn->opcode.bytes[0]) {
+ /* MMIO Write */
+ case 0x88:
projects / thirdparty / kernel / stable-queue.git / commitdiff
