From: Greg Kroah-Hartman Date: Thu, 26 May 2022 12:16:09 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.18.1~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=32f41c97ea96b407157909908aab276f5f27f4b2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: kvm-x86-mmu-fix-null-pointer-dereference-on-guest-invpcid.patch kvm-x86-properly-handle-apf-vs-disabled-lapic-situation.patch --- diff --git a/queue-5.10/kvm-x86-mmu-fix-null-pointer-dereference-on-guest-invpcid.patch b/queue-5.10/kvm-x86-mmu-fix-null-pointer-dereference-on-guest-invpcid.patch new file mode 100644 index 00000000000..88a00b609c4 --- /dev/null +++ b/queue-5.10/kvm-x86-mmu-fix-null-pointer-dereference-on-guest-invpcid.patch @@ -0,0 +1,56 @@ +From 9f46c187e2e680ecd9de7983e4d081c3391acc76 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 20 May 2022 13:48:11 -0400 +Subject: KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID + +From: Paolo Bonzini + +commit 9f46c187e2e680ecd9de7983e4d081c3391acc76 upstream. + +With shadow paging enabled, the INVPCID instruction results in a call +to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the +invlpg callback is not set and the result is a NULL pointer dereference. +Fix it trivially by checking for mmu->invlpg before every call. + +There are other possibilities: + +- check for CR0.PG, because KVM (like all Intel processors after P5) + flushes guest TLB on CR0.PG changes so that INVPCID/INVLPG are a + nop with paging disabled + +- check for EFER.LMA, because KVM syncs and flushes when switching + MMU contexts outside of 64-bit mode + +All of these are tricky, go for the simple solution. This is CVE-2022-1789. + +Reported-by: Yongkang Jia +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +[fix conflict due to missing b9e5603c2a3accbadfec570ac501a54431a6bdba] +Signed-off-by: Vegard Nossum +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/mmu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -5178,14 +5178,16 @@ void kvm_mmu_invpcid_gva(struct kvm_vcpu + uint i; + + if (pcid == kvm_get_active_pcid(vcpu)) { +- mmu->invlpg(vcpu, gva, mmu->root_hpa); ++ if (mmu->invlpg) ++ mmu->invlpg(vcpu, gva, mmu->root_hpa); + tlb_flush = true; + } + + for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) { + if (VALID_PAGE(mmu->prev_roots[i].hpa) && + pcid == kvm_get_pcid(vcpu, mmu->prev_roots[i].pgd)) { +- mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa); ++ if (mmu->invlpg) ++ mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa); + tlb_flush = true; + } + } diff --git a/queue-5.10/kvm-x86-properly-handle-apf-vs-disabled-lapic-situation.patch b/queue-5.10/kvm-x86-properly-handle-apf-vs-disabled-lapic-situation.patch new file mode 100644 index 00000000000..72f7a60663a --- /dev/null +++ b/queue-5.10/kvm-x86-properly-handle-apf-vs-disabled-lapic-situation.patch @@ -0,0 +1,71 @@ +From 2f15d027c05fac406decdb5eceb9ec0902b68f53 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Thu, 22 Apr 2021 11:29:48 +0200 +Subject: KVM: x86: Properly handle APF vs disabled LAPIC situation + +From: Vitaly Kuznetsov + +commit 2f15d027c05fac406decdb5eceb9ec0902b68f53 upstream. + +Async PF 'page ready' event may happen when LAPIC is (temporary) disabled. +In particular, Sebastien reports that when Linux kernel is directly booted +by Cloud Hypervisor, LAPIC is 'software disabled' when APF mechanism is +initialized. On initialization KVM tries to inject 'wakeup all' event and +puts the corresponding token to the slot. It is, however, failing to inject +an interrupt (kvm_apic_set_irq() -> __apic_accept_irq() -> !apic_enabled()) +so the guest never gets notified and the whole APF mechanism gets stuck. +The same issue is likely to happen if the guest temporary disables LAPIC +and a previously unavailable page becomes available. + +Do two things to resolve the issue: +- Avoid dequeuing 'page ready' events from APF queue when LAPIC is + disabled. +- Trigger an attempt to deliver pending 'page ready' events when LAPIC + becomes enabled (SPIV or MSR_IA32_APICBASE). + +Reported-by: Sebastien Boeuf +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20210422092948.568327-1-vkuznets@redhat.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +[Guoqing: backport to 5.10-stable ] +Signed-off-by: Guoqing Jiang +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 6 ++++++ + arch/x86/kvm/x86.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -297,6 +297,10 @@ static inline void apic_set_spiv(struct + + atomic_set_release(&apic->vcpu->kvm->arch.apic_map_dirty, DIRTY); + } ++ ++ /* Check if there are APF page ready requests pending */ ++ if (enabled) ++ kvm_make_request(KVM_REQ_APF_READY, apic->vcpu); + } + + static inline void kvm_apic_set_xapic_id(struct kvm_lapic *apic, u8 id) +@@ -2260,6 +2264,8 @@ void kvm_lapic_set_base(struct kvm_vcpu + if (value & MSR_IA32_APICBASE_ENABLE) { + kvm_apic_set_xapic_id(apic, vcpu->vcpu_id); + static_key_slow_dec_deferred(&apic_hw_disabled); ++ /* Check if there are APF page ready requests pending */ ++ kvm_make_request(KVM_REQ_APF_READY, vcpu); + } else { + static_key_slow_inc(&apic_hw_disabled.key); + atomic_set_release(&apic->vcpu->kvm->arch.apic_map_dirty, DIRTY); +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11146,7 +11146,7 @@ bool kvm_arch_can_dequeue_async_page_pre + if (!kvm_pv_async_pf_enabled(vcpu)) + return true; + else +- return apf_pageready_slot_free(vcpu); ++ return kvm_lapic_enabled(vcpu) && apf_pageready_slot_free(vcpu); + } + + void kvm_arch_start_assignment(struct kvm *kvm) diff --git a/queue-5.10/series b/queue-5.10/series index b7d157746fb..06efea9e9d1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1,2 +1,4 @@ lockdown-also-lock-down-previous-kgdb-use.patch staging-rtl8723bs-prevent-ssid-overflow-in-rtw_wx_set_scan.patch +kvm-x86-properly-handle-apf-vs-disabled-lapic-situation.patch +kvm-x86-mmu-fix-null-pointer-dereference-on-guest-invpcid.patch