From: Greg Kroah-Hartman
Date: Mon, 19 Jul 2021 12:15:07 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.13.4~43
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57e3cfaa997f7347b526c651095ff3c6a93ad707;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
scsi-core-fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
tracing-do-not-reference-char-as-a-string-in-histograms.patch
---
diff --git a/queue-4.14/kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch b/queue-4.14/kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
new file mode 100644
index 00000000000..35aa85e0af3
--- /dev/null
+++ b/queue-4.14/kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
@@ -0,0 +1,49 @@
+From f85d40160691881a17a397c448d799dfc90987ba Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan
+Date: Tue, 29 Jun 2021 01:26:32 +0800
+Subject: KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()
+
+From: Lai Jiangshan
+
+commit f85d40160691881a17a397c448d799dfc90987ba upstream.
+
+When the host is using debug registers but the guest is not using them
+nor is the guest in guest-debug state, the kvm code does not reset
+the host debug registers before kvm_x86->run(). Rather, it relies on
+the hardware vmentry instruction to automatically reset the dr7 registers
+which ensures that the host breakpoints do not affect the guest.
+
+This however violates the non-instrumentable nature around VM entry
+and exit; for example, when a host breakpoint is set on vcpu->arch.cr2,
+
+Another issue is consistency. When the guest debug registers are active,
+the host breakpoints are reset before kvm_x86->run(). But when the
+guest debug registers are inactive, the host breakpoints are delayed to
+be disabled. The host tracing tools may see different results depending
+on what the guest is doing.
+
+To fix the problems, we clear %db7 unconditionally before kvm_x86->run()
+if the host has set any breakpoints, no matter if the guest is using
+them or not.
+
+Signed-off-by: Lai Jiangshan
+Message-Id: <20210628172632.81029-1-jiangshanlai@gmail.com>
+Cc: stable@vger.kernel.org
+[Only clear %db7 instead of reloading all debug registers. - Paolo]
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7237,6 +7237,8 @@ static int vcpu_enter_guest(struct kvm_v
+ set_debugreg(vcpu->arch.eff_db[3], 3);
+ set_debugreg(vcpu->arch.dr6, 6);
+ vcpu->arch.switch_db_regs &= ~KVM_DEBUGREG_RELOAD;
++ } else if (unlikely(hw_breakpoint_active())) {
++ set_debugreg(0, 7);
+ }
+
+ kvm_x86_ops->run(vcpu);
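Review bot: The new `else if (unlikely(hw_breakpoint_active()))` branch clears DR7 before `kvm_x86_ops->run(vcpu)` but nothing in the hunk re-arms the host breakpoints afterwards, so the fix depends on a post-run restore in the part of vcpu_enter_guest() that lies outside the hunk; please confirm that 4.14 reaches such a restore on every exit path, otherwise the first vmentry silently disables host debugging. The added branch also carries no comment explaining why only DR7 is touched while the `if` arm above reloads the full set; suggest `/* Disarm host breakpoints so they cannot fire in the non-instrumentable window around vmentry; this backport clears only DR7 */` above the `set_debugreg(0, 7);` line. vcpu_enter_guest() starts and ends outside the hunk.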
diff --git a/queue-4.14/kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch b/queue-4.14/kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
new file mode 100644
index 00000000000..79ac9c4d4eb
--- /dev/null
+++ b/queue-4.14/kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
@@ -0,0 +1,44 @@
+From 4bf48e3c0aafd32b960d341c4925b48f416f14a5 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Wed, 23 Jun 2021 16:05:46 -0700
+Subject: KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled
+
+From: Sean Christopherson
+
+commit 4bf48e3c0aafd32b960d341c4925b48f416f14a5 upstream.
+
+Ignore the guest MAXPHYADDR reported by CPUID.0x8000_0008 if TDP, i.e.
+NPT, is disabled, and instead use the host's MAXPHYADDR. Per AMD'S APM:
+
+ Maximum guest physical address size in bits. This number applies only
+ to guests using nested paging. When this field is zero, refer to the
+ PhysAddrSize field for the maximum guest physical address size.
+
+Fixes: 24c82e576b78 ("KVM: Sanitize cpuid")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20210623230552.4027702-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/cpuid.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -649,8 +649,14 @@ static inline int __do_cpuid_ent(struct
+ unsigned virt_as = max((entry->eax >> 8) & 0xff, 48U);
+ unsigned phys_as = entry->eax & 0xff;
+
+- if (!g_phys_as)
++ /*
++ * Use bare metal's MAXPHADDR if the CPU doesn't report guest
++ * MAXPHYADDR separately, or if TDP (NPT) is disabled, as the
++ * guest version "applies only to guests using nested paging".
++ */
++ if (!g_phys_as || !tdp_enabled)
+ g_phys_as = phys_as;
++
+ entry->eax = g_phys_as | (virt_as << 8);
+ entry->edx = 0;
+ /*
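Review bot: The comment block added above `if (!g_phys_as || !tdp_enabled)` misspells the CPUID field as `MAXPHADDR` on its first line while the following line and the Subject use `MAXPHYADDR`; as a verbatim stable backport this presumably mirrors upstream, but a follow-up could correct it to `* Use bare metal's MAXPHYADDR if the CPU doesn't report guest`. The check also depends on `g_phys_as` having been derived from `entry->eax` and on the `tdp_enabled` global, both of which are set outside the hunk, so from here it cannot be confirmed that 4.14's `__do_cpuid_ent()` computes `g_phys_as` before this point. The enclosing function starts and ends outside the hunk.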
diff --git a/queue-4.14/scsi-core-fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch b/queue-4.14/scsi-core-fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
new file mode 100644
index 00000000000..2d068cbed2c
--- /dev/null
+++ b/queue-4.14/scsi-core-fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
@@ -0,0 +1,96 @@
+From 93aa71ad7379900e61c8adff6a710a4c18c7c99b Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler
+Date: Thu, 1 Jul 2021 13:56:59 -0600
+Subject: scsi: core: Fix bad pointer dereference when ehandler kthread is invalid
+
+From: Tyrel Datwyler
+
+commit 93aa71ad7379900e61c8adff6a710a4c18c7c99b upstream.
+
+Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()")
+changed the allocation logic to call put_device() to perform host cleanup
+with the assumption that IDA removal and stopping the kthread would
+properly be performed in scsi_host_dev_release(). However, in the unlikely
+case that the error handler thread fails to spawn, shost->ehandler is set
+to ERR_PTR(-ENOMEM).
+
+The error handler cleanup code in scsi_host_dev_release() will call
+kthread_stop() if shost->ehandler != NULL which will always be the case
+whether the kthread was successfully spawned or not. In the case that it
+failed to spawn this has the nasty side effect of trying to dereference an
+invalid pointer when kthread_stop() is called. The following splat provides
+an example of this behavior in the wild:
+
+scsi host11: error handler thread failed to spawn, error = -4
+Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
+BUG: Kernel NULL pointer dereference on read at 0x0000010c
+Faulting instruction address: 0xc00000000818e9a8
+Oops: Kernel access of bad area, sig: 11 [#1]
+LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region
+ hash dm_log dm_mod fuse overlay squashfs loop
+CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
+NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8
+REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7)
+MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228
+XER: 20040001
+CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0
+GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc
+GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000
+GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff
+GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0
+GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288
+GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898
+GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000
+GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc
+NIP [c00000000818e9a8] kthread_stop+0x38/0x230
+LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
+Call Trace:
+[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
+[c0000000089846e8] scsi_host_dev_release+0x98/0x160
+[c00000000891e960] device_release+0x60/0x100
+[c0000000087e55c4] kobject_release+0x84/0x210
+[c00000000891ec78] put_device+0x28/0x40
+[c000000008984ea4] scsi_host_alloc+0x314/0x430
+[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
+[c000000008110104] vio_bus_probe+0xa4/0x4b0
+[c00000000892a860] really_probe+0x140/0x680
+[c00000000892aefc] driver_probe_device+0x15c/0x200
+[c00000000892b63c] device_driver_attach+0xcc/0xe0
+[c00000000892b740] __driver_attach+0xf0/0x200
+[c000000008926f28] bus_for_each_dev+0xa8/0x130
+[c000000008929ce4] driver_attach+0x34/0x50
+[c000000008928fc0] bus_add_driver+0x1b0/0x300
+[c00000000892c798] driver_register+0x98/0x1a0
+[c00000000810eb60] __vio_register_driver+0x80/0xe0
+[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
+[c0000000080121d0] do_one_initcall+0x60/0x2d0
+[c000000008261abc] do_init_module+0x7c/0x320
+[c000000008265700] load_module+0x2350/0x25b0
+[c000000008265cb4] __do_sys_finit_module+0xd4/0x160
+[c000000008031110] system_call_exception+0x150/0x2d0
+[c00000000800d35c] system_call_common+0xec/0x278
+
+Fix this be nulling shost->ehandler when the kthread fails to spawn.
+
+Link: https://lore.kernel.org/r/20210701195659.3185475-1-tyreld@linux.ibm.com
+Fixes: 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei
+Signed-off-by: Tyrel Datwyler
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hosts.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -499,6 +499,7 @@ struct Scsi_Host *scsi_host_alloc(struct
+ shost_printk(KERN_WARNING, shost,
+ "error handler thread failed to spawn, error = %ld\n",
+ PTR_ERR(shost->ehandler));
++ shost->ehandler = NULL;
+ goto fail;
+ }
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 3e96dae60d5..0430978d2dc 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
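Review bot: The added `shost->ehandler = NULL;` closes the ERR_PTR dereference only at this producer site; scsi_host_dev_release(), outside the hunk, still distinguishes "no thread" solely by a NULL test according to the commit message, so any future error path that leaves an ERR_PTR in `shost->ehandler` would reintroduce the kthread_stop() oops shown in the splat. A defensive `if (!IS_ERR_OR_NULL(shost->ehandler)) kthread_stop(shost->ehandler);` in the release path would make the consumer robust regardless of what the allocation path stores. The ordering here is correct: the warning reads `PTR_ERR(shost->ehandler)` before the pointer is cleared, so the error code is still logged. scsi_host_alloc() starts and ends outside the hunk.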
@@ -227,3 +227,7 @@ media-gspca-sunplus-fix-zero-length-control-requests.patch
 media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch
 jfs-fix-gpf-in-difree.patch
 smackfs-restrict-bytes-count-in-smk_set_cipso.patch
+kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
+kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
+scsi-core-fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
+tracing-do-not-reference-char-as-a-string-in-histograms.patch
diff --git a/queue-4.14/tracing-do-not-reference-char-as-a-string-in-histograms.patch b/queue-4.14/tracing-do-not-reference-char-as-a-string-in-histograms.patch
new file mode 100644
index 00000000000..432f2c5fcf6
--- /dev/null
+++ b/queue-4.14/tracing-do-not-reference-char-as-a-string-in-histograms.patch
@@ -0,0 +1,105 @@
+From 704adfb5a9978462cd861f170201ae2b5e3d3a80 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Thu, 15 Jul 2021 00:02:06 -0400
+Subject: tracing: Do not reference char * as a string in histograms
+
+From: Steven Rostedt (VMware)
+
+commit 704adfb5a9978462cd861f170201ae2b5e3d3a80 upstream.
+
+The histogram logic was allowing events with char * pointers to be used as
+normal strings. But it was easy to crash the kernel with:
+
+ # echo 'hist:keys=filename' > events/syscalls/sys_enter_openat/trigger
+
+And open some files, and boom!
+
+ BUG: unable to handle page fault for address: 00007f2ced0c3280
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1173fa067 P4D 1173fa067 PUD 1171b6067 PMD 1171dd067 PTE 0
+ Oops: 0000 [#1] PREEMPT SMP
+ CPU: 6 PID: 1810 Comm: cat Not tainted 5.13.0-rc5-test+ #61
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01
+v03.03 07/14/2016
+ RIP: 0010:strlen+0x0/0x20
+ Code: f6 82 80 2a 0b a9 20 74 11 0f b6 50 01 48 83 c0 01 f6 82 80 2a 0b
+a9 20 75 ef c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 <80> 3f 00 74
+10 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3
+
+ RSP: 0018:ffffbdbf81567b50 EFLAGS: 00010246
+ RAX: 0000000000000003 RBX: ffff93815cdb3800 RCX: ffff9382401a22d0
+ RDX: 0000000000000100 RSI: 0000000000000000 RDI: 00007f2ced0c3280
+ RBP: 0000000000000100 R08: ffff9382409ff074 R09: ffffbdbf81567c98
+ R10: ffff9382409ff074 R11: 0000000000000000 R12: ffff9382409ff074
+ R13: 0000000000000001 R14: ffff93815a744f00 R15: 00007f2ced0c3280
+ FS: 00007f2ced0f8580(0000) GS:ffff93825a800000(0000)
+knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f2ced0c3280 CR3: 0000000107069005 CR4: 00000000001706e0
+ Call Trace:
+ event_hist_trigger+0x463/0x5f0
+ ? find_held_lock+0x32/0x90
+ ? sched_clock_cpu+0xe/0xd0
+ ? lock_release+0x155/0x440
+ ? kernel_init_free_pages+0x6d/0x90
+ ? preempt_count_sub+0x9b/0xd0
+ ? kernel_init_free_pages+0x6d/0x90
+ ? get_page_from_freelist+0x12c4/0x1680
+ ? __rb_reserve_next+0xe5/0x460
+ ? ring_buffer_lock_reserve+0x12a/0x3f0
+ event_triggers_call+0x52/0xe0
+ ftrace_syscall_enter+0x264/0x2c0
+ syscall_trace_enter.constprop.0+0x1ee/0x210
+ do_syscall_64+0x1c/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Where it triggered a fault on strlen(key) where key was the filename.
+
+The reason is that filename is a char * to user space, and the histogram
+code just blindly dereferenced it, with obvious bad results.
+
+I originally tried to use strncpy_from_user/kernel_nofault() but found
+that there's other places that its dereferenced and not worth the effort.
+
+Just do not allow "char *" to act like strings.
+
+Link: https://lkml.kernel.org/r/20210715000206.025df9d2@rorschach.local.home
+
+Cc: Ingo Molnar
+Cc: Andrew Morton
+Cc: Masami Hiramatsu
+Cc: Tzvetomir Stoyanov
+Cc: stable@vger.kernel.org
+Acked-by: Namhyung Kim
+Acked-by: Tom Zanussi
+Fixes: 79e577cbce4c4 ("tracing: Support string type key properly")
+Fixes: 5967bd5c4239 ("tracing: Let filter_assign_type() detect FILTER_PTR_STRING")
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -375,7 +375,9 @@ static struct hist_field *create_hist_fi
+ if (WARN_ON_ONCE(!field))
+ goto out;
+
+- if (is_string_field(field)) {
++ /* Pointers to strings are just pointers and dangerous to dereference */
++ if (is_string_field(field) &&
++ (field->filter_type != FILTER_PTR_STRING)) {
+ flags |= HIST_FIELD_FL_STRING;
+
+ if (field->filter_type == FILTER_STATIC_STRING)
+@@ -864,8 +866,6 @@ static inline void add_to_key(char *comp
+ field = key_field->field;
+ if (field->filter_type == FILTER_DYN_STRING)
+ size = *(u32 *)(rec + field->offset) >> 16;
+- else if (field->filter_type == FILTER_PTR_STRING)
+- size = strlen(key);
+ else if (field->filter_type == FILTER_STATIC_STRING)
+ size = field->size;
+
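Review bot: With `FILTER_PTR_STRING` fields no longer receiving `HIST_FIELD_FL_STRING` in create_hist_field(), a trigger such as `keys=filename` appears to remain accepted while the key presumably falls through to the non-string path and is hashed by the raw pointer value rather than the string it points to, a user-visible semantic change the one-line comment does not mention. Consider extending the comment to `/* Pointers to strings are just pointers and dangerous to dereference (they may point into user space); they are not treated as string keys */`, or rejecting such keys with an error so users are not silently given pointer-valued buckets. The removal of the `strlen(key)` branch in add_to_key() is consistent with that, since the branch is now unreachable for pointer strings, though this relies on no other site setting the flag for them. Both enclosing functions start and end outside the hunk.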