From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 17 May 2021 08:27:05 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.120~58
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=256e0939725ea17472d3b589b516ea157b63d44a;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
---

diff --git a/queue-4.9/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch b/queue-4.9/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
new file mode 100644
index 00000000000..58eb9ea1716
--- /dev/null
+++ b/queue-4.9/kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
@@ -0,0 +1,44 @@
+From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 5 May 2021 23:48:17 +0200
+Subject: KVM: x86: Cancel pvclock_gtod_work on module removal
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 594b27e677b35f9734b1969d175ebc6146741109 upstream.
+
+Nothing prevents the following:
+
+  pvclock_gtod_notify()
+    queue_work(system_long_wq, &pvclock_gtod_work);
+  ...
+  remove_module(kvm);
+  ...
+  work_queue_run()
+    pvclock_gtod_work()	<- UAF
+
+Ditto for any other operation on that workqueue list head which touches
+pvclock_gtod_work after module removal.
+
+Cancel the work in kvm_arch_exit() to prevent that.
+
+Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6268,6 +6268,7 @@ void kvm_arch_exit(void)
+ 	cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE);
+ #ifdef CONFIG_X86_64
+ 	pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier);
++	cancel_work_sync(&pvclock_gtod_work);
+ #endif
+ 	kvm_x86_ops = NULL;
+ 	kvm_mmu_module_exit();
diff --git a/queue-4.9/series b/queue-4.9/series
index c52956f3e0d..500b6650491 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -211,3 +211,4 @@ acpi-scan-fix-a-memory-leak-in-an-error-handling-pat.patch
 usb-xhci-increase-timeout-for-hc-halt.patch
 usb-dwc2-fix-gadget-dma-unmap-direction.patch
 usb-core-hub-fix-race-condition-about-trsmrcy-of-resume.patch
+kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch