From: Greg Kroah-Hartman
Date: Mon, 6 Nov 2023 11:34:11 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.329~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=670a3f959195f4e7633d6680765ae78f41bbe894;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
mm-mempolicy-fix-set_mempolicy_home_node-previous-vma-pointer.patch
mmap-fix-error-paths-with-dup_anon_vma.patch
x86-kvm-svm-always-update-the-x2avic-msr-interception.patch
---
diff --git a/queue-6.1/mm-mempolicy-fix-set_mempolicy_home_node-previous-vma-pointer.patch b/queue-6.1/mm-mempolicy-fix-set_mempolicy_home_node-previous-vma-pointer.patch
new file mode 100644
index 00000000000..dc8086d2b4d
--- /dev/null
+++ b/queue-6.1/mm-mempolicy-fix-set_mempolicy_home_node-previous-vma-pointer.patch
@@ -0,0 +1,47 @@
+From 51f625377561e5b167da2db5aafb7ee268f691c5 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett"
+Date: Thu, 28 Sep 2023 13:24:32 -0400
+Subject: mm/mempolicy: fix set_mempolicy_home_node() previous VMA pointer
+
+From: Liam R. Howlett
+
+commit 51f625377561e5b167da2db5aafb7ee268f691c5 upstream.
+
+The two users of mbind_range() are expecting that mbind_range() will
+update the pointer to the previous VMA, or return an error. However,
+set_mempolicy_home_node() does not call mbind_range() if there is no VMA
+policy. The fix is to update the pointer to the previous VMA prior to
+continuing iterating the VMAs when there is no policy.
+
+Users may experience a WARN_ON() during VMA policy updates when updating
+a range of VMAs on the home node.
+
+Link: https://lkml.kernel.org/r/20230928172432.2246534-1-Liam.Howlett@oracle.com
+Link: https://lore.kernel.org/linux-mm/CALcu4rbT+fMVNaO_F2izaCT+e7jzcAciFkOvk21HGJsmLcUuwQ@mail.gmail.com/
+Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
+Signed-off-by: Liam R. Howlett
+Reported-by: Yikebaer Aizezi
+Closes: https://lore.kernel.org/linux-mm/CALcu4rbT+fMVNaO_F2izaCT+e7jzcAciFkOvk21HGJsmLcUuwQ@mail.gmail.com/
+Reviewed-by: Lorenzo Stoakes
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Liam R. Howlett
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempolicy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1525,8 +1525,10 @@ SYSCALL_DEFINE4(set_mempolicy_home_node,
+ /*
+ * Only update home node if there is an existing vma policy
+ */
+- if (!new)
++ if (!new) {
++ prev = vma;
+ continue;
++ }
+
+ /*
+ * If any vma in the range got policy other than MPOL_BIND
diff --git a/queue-6.1/mmap-fix-error-paths-with-dup_anon_vma.patch b/queue-6.1/mmap-fix-error-paths-with-dup_anon_vma.patch
new file mode 100644
index 00000000000..4b766645702
--- /dev/null
+++ b/queue-6.1/mmap-fix-error-paths-with-dup_anon_vma.patch
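Review bot: The new `prev = vma;` before the `continue` carries no comment explaining why a VMA without a policy still has to advance `prev`, which is precisely the invariant the old code broke; the comment block above it only says that the home node is not updated. Suggest extending that comment to `/* Only update home node if there is an existing vma policy; prev must still advance so mbind_range() sees the correct previous VMA. */`. SYSCALL_DEFINE4(set_mempolicy_home_node) begins and ends outside the hunk, so whether any other early-continue path in the same loop keeps `prev` in step cannot be checked from here and is worth a look before queuing.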
@@ -0,0 +1,91 @@
+From 824135c46b00df7fb369ec7f1f8607427bbebeb0 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett"
+Date: Fri, 29 Sep 2023 14:30:40 -0400
+Subject: mmap: fix error paths with dup_anon_vma()
+
+From: Liam R. Howlett
+
+commit 824135c46b00df7fb369ec7f1f8607427bbebeb0 upstream.
+
+When the calling function fails after the dup_anon_vma(), the
+duplication of the anon_vma is not being undone. Add the necessary
+unlink_anon_vma() call to the error paths that are missing them.
+
+This issue showed up during inspection of the error path in vma_merge()
+for an unrelated vma iterator issue.
+
+Users may experience increased memory usage, which may be problematic as
+the failure would likely be caused by a low memory situation.
+
+Link: https://lkml.kernel.org/r/20230929183041.2835469-3-Liam.Howlett@oracle.com
+Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
+Signed-off-by: Liam R. Howlett
+Reviewed-by: Lorenzo Stoakes
+Acked-by: Vlastimil Babka
+Cc: Jann Horn
+Cc: Matthew Wilcox (Oracle)
+Cc: Suren Baghdasaryan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Liam R.
Howlett
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mmap.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -519,6 +519,7 @@ inline int vma_expand(struct ma_state *m
+ struct anon_vma *anon_vma = vma->anon_vma;
+ struct file *file = vma->vm_file;
+ bool remove_next = false;
++ struct vm_area_struct *anon_dup = NULL;
+
+ if (next && (vma != next) && (end == next->vm_end)) {
+ remove_next = true;
+@@ -530,6 +531,8 @@ inline int vma_expand(struct ma_state *m
+ error = anon_vma_clone(vma, next);
+ if (error)
+ return error;
++
++ anon_dup = vma;
+ }
+ }
+
+@@ -602,6 +605,9 @@ inline int vma_expand(struct ma_state *m
+ return 0;
+
+ nomem:
++ if (anon_dup)
++ unlink_anon_vmas(anon_dup);
++
+ return -ENOMEM;
+ }
+
+@@ -629,6 +635,7 @@ int __vma_adjust(struct vm_area_struct *
+ int remove_next = 0;
+ MA_STATE(mas, &mm->mm_mt, 0, 0);
+ struct vm_area_struct *exporter = NULL, *importer = NULL;
++ struct vm_area_struct *anon_dup = NULL;
+
+ if (next && !insert) {
+ if (end >= next->vm_end) {
+@@ -709,11 +716,17 @@ int __vma_adjust(struct vm_area_struct *
+ error = anon_vma_clone(importer, exporter);
+ if (error)
+ return error;
++
++ anon_dup = importer;
+ }
+ }
+
+- if (mas_preallocate(&mas, vma, GFP_KERNEL))
++ if (mas_preallocate(&mas, vma, GFP_KERNEL)) {
++ if (anon_dup)
++ unlink_anon_vmas(anon_dup);
++
+ return -ENOMEM;
++ }
+
+ vma_adjust_trans_huge(orig_vma, start, end, adjust_next);
+ if (file) {
diff --git a/queue-6.1/perf-evlist-avoid-frequency-mode-for-the-dummy-event.patch b/queue-6.1/perf-evlist-avoid-frequency-mode-for-the-dummy-event.patch
index 74472275821..f3d30c3064d 100644
--- a/queue-6.1/perf-evlist-avoid-frequency-mode-for-the-dummy-event.patch
+++ b/queue-6.1/perf-evlist-avoid-frequency-mode-for-the-dummy-event.patch
@@ -55,14 +55,12 @@ Link: https://lore.kernel.org/r/20230916035640.1074422-1-irogers@google.com
 Signed-off-by: Namhyung Kim
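Review bot: `anon_dup` is declared in both vma_expand() and __vma_adjust() without a comment saying what it records, and the name alone does not convey that it is the importer VMA whose freshly cloned anon_vma chain must be torn down again if the function fails afterwards. Suggest `/* VMA whose anon_vma chain we cloned; must be unlinked if we fail later */` on each of the two declarations. Both functions begin and end outside the hunk, so it is not visible here whether __vma_adjust() has any further failure return after mas_preallocate() that would also need the unlink; that is worth confirming against the 6.1 tree before the patch is queued.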
Signed-off-by: Sasha Levin
 ---
- tools/perf/util/evlist.c | 5 +++--
+ tools/perf/util/evlist.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c
-index 6612b00949e70..ca08e6dc8b232 100644
 --- a/tools/perf/util/evlist.c
 +++ b/tools/perf/util/evlist.c
-@@ -252,6 +252,9 @@ static struct evsel *evlist__dummy_event(struct evlist *evlist)
+@@ -252,6 +252,9 @@ static struct evsel *evlist__dummy_event
 .type = PERF_TYPE_SOFTWARE,
 .config = PERF_COUNT_SW_DUMMY,
 .size = sizeof(attr), /* to capture ABI version */
@@ -72,7 +70,7 @@ index 6612b00949e70..ca08e6dc8b232 100644
 };
 return evsel__new_idx(&attr, evlist->core.nr_entries);
-@@ -278,8 +281,6 @@ struct evsel *evlist__add_aux_dummy(struct evlist *evlist, bool system_wide)
+@@ -278,8 +281,6 @@ struct evsel *evlist__add_aux_dummy(stru
 evsel->core.attr.exclude_kernel = 1;
 evsel->core.attr.exclude_guest = 1;
 evsel->core.attr.exclude_hv = 1;
@@ -81,6 +79,3 @@ index 6612b00949e70..ca08e6dc8b232 100644
 evsel->core.system_wide = system_wide;
 evsel->no_aux_samples = true;
 evsel->name = strdup("dummy:u");
---
-2.42.0
-
diff --git a/queue-6.1/series b/queue-6.1/series
index af2a0d2e724..49ab61d54be 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -40,3 +40,6 @@ io_uring-kiocb_done-should-not-trust-ki_pos-if-read-.patch
 ceph_wait_on_conflict_unlink-grab-reference-before-d.patch
 power-supply-core-use-blocking_notifier_call_chain-t.patch
 perf-evlist-avoid-frequency-mode-for-the-dummy-event.patch
+x86-kvm-svm-always-update-the-x2avic-msr-interception.patch
+mm-mempolicy-fix-set_mempolicy_home_node-previous-vma-pointer.patch
+mmap-fix-error-paths-with-dup_anon_vma.patch
diff --git a/queue-6.1/x86-kvm-svm-always-update-the-x2avic-msr-interception.patch b/queue-6.1/x86-kvm-svm-always-update-the-x2avic-msr-interception.patch
new file mode 100644
index 00000000000..74d88873ccd
--- /dev/null
+++ b/queue-6.1/x86-kvm-svm-always-update-the-x2avic-msr-interception.patch
@@ -0,0 +1,56 @@
+From b65235f6e102354ccafda601eaa1c5bef5284d21 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Thu, 28 Sep 2023 20:33:51 +0300
+Subject: x86: KVM: SVM: always update the x2avic msr interception
+
+From: Maxim Levitsky
+
+commit b65235f6e102354ccafda601eaa1c5bef5284d21 upstream.
+
+The following problem exists since x2avic was enabled in the KVM:
+
+svm_set_x2apic_msr_interception is called to enable the interception of
+the x2apic msrs.
+
+In particular it is called at the moment the guest resets its apic.
+
+Assuming that the guest's apic was in x2apic mode, the reset will bring
+it back to the xapic mode.
+
+The svm_set_x2apic_msr_interception however has an erroneous check for
+'!apic_x2apic_mode()' which prevents it from doing anything in this case.
+
+As a result of this, all x2apic msrs are left unintercepted, and that
+exposes the bare metal x2apic (if enabled) to the guest.
+Oops.
+
+Remove the erroneous '!apic_x2apic_mode()' check to fix that.
+
+This fixes CVE-2023-5090
+
+Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maxim Levitsky
+Reviewed-by: Suravee Suthikulpanit
+Tested-by: Suravee Suthikulpanit
+Reviewed-by: Sean Christopherson
+Message-Id: <20230928173354.217464-2-mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: SeongJae Park
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm/svm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -822,8 +822,7 @@ void svm_set_x2apic_msr_interception(str
+ if (intercept == svm->x2avic_msrs_intercepted)
+ return;
+
+- if (avic_mode != AVIC_MODE_X2 ||
+- !apic_x2apic_mode(svm->vcpu.arch.apic))
++ if (avic_mode != AVIC_MODE_X2)
+ return;
+
+ for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) {
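Review bot: The surviving `if (avic_mode != AVIC_MODE_X2) return;` is now the only guard in svm_set_x2apic_msr_interception(), and nothing in the code records why the guest's own APIC mode must not be consulted here, which is exactly the condition this commit removes and which a later cleanup could reintroduce. Suggest a comment above the check: `/* Never gate this on the guest's APIC mode: interception has to be restored even after the guest drops out of x2APIC (e.g. on APIC reset), see CVE-2023-5090. */`. The early return also leaves `svm->x2avic_msrs_intercepted` untouched when the host is not in x2AVIC mode; that looks harmless because the MSRs should then never have been un-intercepted, but the rest of the function is outside the hunk, so this is inferred rather than verified.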