From: Greg Kroah-Hartman Date: Mon, 26 Jul 2021 09:27:42 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.277~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=698928bd4be2574f8b4f0279218e91f97a0ed02d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: kvm-do-not-allow-mapping-valid-but-non-reference-counted-pages.patch kvm-do-not-assume-pte-is-writable-after-follow_pfn.patch net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch
---
diff --git a/queue-4.19/kvm-do-not-allow-mapping-valid-but-non-reference-counted-pages.patch b/queue-4.19/kvm-do-not-allow-mapping-valid-but-non-reference-counted-pages.patch
new file mode 100644
index 00000000000..827dc38accb
--- /dev/null
+++ b/queue-4.19/kvm-do-not-allow-mapping-valid-but-non-reference-counted-pages.patch
@@ -0,0 +1,71 @@
+From f8be156be163a052a067306417cd0ff679068c97 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Thu, 24 Jun 2021 08:29:04 -0400
+Subject: KVM: do not allow mapping valid but non-reference-counted pages
+
+From: Nicholas Piggin
+
+commit f8be156be163a052a067306417cd0ff679068c97 upstream.
+
+It's possible to create a region which maps valid but non-refcounted
+pages (e.g., tail pages of non-compound higher order allocations). These
+host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family
+of APIs, which take a reference to the page, which takes it from 0 to 1.
+When the reference is dropped, this will free the page incorrectly.
+
+Fix this by only taking a reference on valid pages if it was non-zero,
+which indicates it is participating in normal refcounting (and can be
+released with put_page).
+
+This addresses CVE-2021-22543.
+
+Signed-off-by: Nicholas Piggin
+Tested-by: Paolo Bonzini
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Ovidiu Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/kvm_main.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1489,6 +1489,13 @@ static bool vma_is_valid(struct vm_area_
+ return true;
+ }
+
++static int kvm_try_get_pfn(kvm_pfn_t pfn)
++{
++ if (kvm_is_reserved_pfn(pfn))
++ return 1;
++ return get_page_unless_zero(pfn_to_page(pfn));
++}
++
+ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
+ unsigned long addr, bool *async,
+ bool write_fault, bool *writable,
+@@ -1538,13 +1545,21 @@ static int hva_to_pfn_remapped(struct vm
+ * Whoever called remap_pfn_range is also going to call e.g.
+ * unmap_mapping_range before the underlying pages are freed,
+ * causing a call to our MMU notifier.
++ *
++ * Certain IO or PFNMAP mappings can be backed with valid
++ * struct pages, but be allocated without refcounting e.g.,
++ * tail pages of non-compound higher order allocations, which
++ * would then underflow the refcount when the caller does the
++ * required put_page. Don't allow those pages here.
+ */
+- kvm_get_pfn(pfn);
++ if (!kvm_try_get_pfn(pfn))
++ r = -EFAULT;
+
+ out:
+ pte_unmap_unlock(ptep, ptl);
+ *p_pfn = pfn;
+- return 0;
++
++ return r;
+ }
+
+ /*
diff --git a/queue-4.19/kvm-do-not-assume-pte-is-writable-after-follow_pfn.patch b/queue-4.19/kvm-do-not-assume-pte-is-writable-after-follow_pfn.patch
new file mode 100644
index 00000000000..55ed21f9e41
--- /dev/null
+++ b/queue-4.19/kvm-do-not-assume-pte-is-writable-after-follow_pfn.patch
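Review bot: On the new failure path in hva_to_pfn_remapped(), `r = -EFAULT` falls through to `out:` and `*p_pfn = pfn` still stores the raw pfn for which no reference was taken. The page that kvm_try_get_pfn() just refused is therefore handed back through the out-parameter, and only the return code keeps a caller from using it; the callers are outside this hunk, so it cannot be confirmed here that each of them checks `r` before touching `*p_pfn`. Storing an error pfn when the get fails would make the rejection hold even if a caller ignores the return code: `if (!kvm_try_get_pfn(pfn)) { r = -EFAULT; pfn = KVM_PFN_ERR_FAULT; }`. A one-line comment on kvm_try_get_pfn() noting that it returns 1 for reserved pfns without taking any reference would also make the helper's contract explicit.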
@@ -0,0 +1,87 @@
+From bd2fae8da794b55bf2ac02632da3a151b10e664c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 1 Feb 2021 05:12:11 -0500
+Subject: KVM: do not assume PTE is writable after follow_pfn
+
+From: Paolo Bonzini
+
+commit bd2fae8da794b55bf2ac02632da3a151b10e664c upstream.
+
+In order to convert an HVA to a PFN, KVM usually tries to use
+the get_user_pages family of functinso. This however is not
+possible for VM_IO vmas; in that case, KVM instead uses follow_pfn.
+
+In doing this however KVM loses the information on whether the
+PFN is writable. That is usually not a problem because the main
+use of VM_IO vmas with KVM is for BARs in PCI device assignment,
+however it is a bug. To fix it, use follow_pte and check pte_write
+while under the protection of the PTE lock. The information can
+be used to fail hva_to_pfn_remapped or passed back to the
+caller via *writable.
+
+Usage of follow_pfn was introduced in commit add6a0cd1c5b ("KVM: MMU: try to fix
+up page faults before giving up", 2016-07-05); however, even older version
+have the same issue, all the way back to commit 2e2e3738af33 ("KVM:
+Handle vma regions with no backing page", 2008-07-20), as they also did
+not check whether the PFN was writable.
+
+Fixes: 2e2e3738af33 ("KVM: Handle vma regions with no backing page")
+Reported-by: David Stevens
+Cc: 3pvd@google.com
+Cc: Jann Horn
+Cc: Jason Gunthorpe
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+[OP: backport to 4.19, adjust follow_pte() -> follow_pte_pmd()]
+Signed-off-by: Ovidiu Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/kvm_main.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1495,9 +1495,11 @@ static int hva_to_pfn_remapped(struct vm
+ kvm_pfn_t *p_pfn)
+ {
+ unsigned long pfn;
++ pte_t *ptep;
++ spinlock_t *ptl;
+ int r;
+
+- r = follow_pfn(vma, addr, &pfn);
++ r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl);
+ if (r) {
+ /*
+ * get_user_pages fails for VM_IO and VM_PFNMAP vmas and does
+@@ -1512,14 +1514,19 @@ static int hva_to_pfn_remapped(struct vm
+ if (r)
+ return r;
+
+- r = follow_pfn(vma, addr, &pfn);
++ r = follow_pte_pmd(vma->vm_mm, addr, NULL, NULL, &ptep, NULL, &ptl);
+ if (r)
+ return r;
++ }
+
++ if (write_fault && !pte_write(*ptep)) {
++ pfn = KVM_PFN_ERR_RO_FAULT;
++ goto out;
+ }
+
+ if (writable)
+- *writable = true;
++ *writable = pte_write(*ptep);
++ pfn = pte_pfn(*ptep);
+
+ /*
+ * Get a reference here because callers of *hva_to_pfn* and
+@@ -1534,6 +1541,8 @@ static int hva_to_pfn_remapped(struct vm
+ */
+ kvm_get_pfn(pfn);
+
++out:
++ pte_unmap_unlock(ptep, ptl);
+ *p_pfn = pfn;
+ return 0;
+ }
diff --git a/queue-4.19/net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch b/queue-4.19/net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch
new file mode 100644
index 00000000000..4fd629600af
--- /dev/null
+++ b/queue-4.19/net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch
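Review bot: Both `follow_pfn()` calls in hva_to_pfn_remapped() become direct `follow_pte_pmd()` calls on `vma->vm_mm`, and nothing in the new lines looks at `vma->vm_flags`. As far as I know follow_pfn() in this tree returns -EINVAL for a vma that lacks VM_IO or VM_PFNMAP, so that filter now rests entirely on the caller, which is outside this hunk. If the caller does guarantee it, stating the precondition at the top of the function would keep a later caller from resolving ordinary refcounted mappings through this path, e.g. `/* Caller must have checked vma->vm_flags & (VM_IO | VM_PFNMAP). */`. The read-only write-fault branch also returns 0 with `KVM_PFN_ERR_RO_FAULT` in `*p_pfn`, so the comment should say that callers must test the pfn as well as the return code.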
@@ -0,0 +1,91 @@
+From 5a3c680aa2c12c90c44af383fe6882a39875ab81 Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Tue, 29 Jun 2021 17:14:19 -0700
+Subject: net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
+
+From: Doug Berger
+
+commit 5a3c680aa2c12c90c44af383fe6882a39875ab81 upstream.
+
+Setting the EXT_ENERGY_DET_MASK bit allows the port energy detection
+logic of the internal PHY to prevent the system from sleeping. Some
+internal PHYs will report that energy is detected when the network
+interface is closed which can prevent the system from going to sleep
+if WoL is enabled when the interface is brought down.
+
+Since the driver does not support waking the system on this logic,
+this commit clears the bit whenever the internal PHY is powered up
+and the other logic for manipulating the bit is removed since it
+serves no useful function.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 16 ++--------------
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 6 ------
+ 2 files changed, 2 insertions(+), 20 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1189,7 +1189,8 @@ static void bcmgenet_power_up(struct bcm
+
+ switch (mode) {
+ case GENET_POWER_PASSIVE:
+- reg &= ~(EXT_PWR_DOWN_DLL | EXT_PWR_DOWN_BIAS);
++ reg &= ~(EXT_PWR_DOWN_DLL | EXT_PWR_DOWN_BIAS |
++ EXT_ENERGY_DET_MASK);
+ if (GENET_IS_V5(priv)) {
+ reg &= ~(EXT_PWR_DOWN_PHY_EN |
+ EXT_PWR_DOWN_PHY_RD |
+@@ -2908,12 +2909,6 @@ static int bcmgenet_open(struct net_devi
+
+ bcmgenet_set_hw_addr(priv, dev->dev_addr);
+
+- if (priv->internal_phy) {
+- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
+- reg |= EXT_ENERGY_DET_MASK;
+- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
+- }
+-
+ /* Disable RX/TX DMA and flush TX queues */
+ dma_ctrl = bcmgenet_dma_disable(priv);
+
+@@ -3632,7 +3627,6 @@ static int bcmgenet_resume(struct device
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ unsigned long dma_ctrl;
+ int ret;
+- u32 reg;
+
+ if (!netif_running(dev))
+ return 0;
+@@ -3664,12 +3658,6 @@ static int bcmgenet_resume(struct device
+
+ bcmgenet_set_hw_addr(priv, dev->dev_addr);
+
+- if (priv->internal_phy) {
+- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
+- reg |= EXT_ENERGY_DET_MASK;
+- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
+- }
+-
+ if (priv->wolopts)
+ bcmgenet_power_up(priv, GENET_POWER_WOL_MAGIC);
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -166,12 +166,6 @@ int bcmgenet_wol_power_down_cfg(struct b
+ reg |= CMD_RX_EN;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+
+- if (priv->hw_params->flags & GENET_HAS_EXT) {
+- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
+- reg &= ~EXT_ENERGY_DET_MASK;
+- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
+- }
+-
+ return 0;
+ }
+
diff --git a/queue-4.19/net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch b/queue-4.19/net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch
new file mode 100644
index 00000000000..c207b228724
--- /dev/null
+++ b/queue-4.19/net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch
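Review bot: The widened mask in the `GENET_POWER_PASSIVE` case of bcmgenet_power_up() carries no comment, so the reason `EXT_ENERGY_DET_MASK` is cleared alongside the power-down bits is recorded only in the commit message. The description says the bit is cleared whenever the internal PHY is powered up, but the visible lines clear it for every passive power-up and only in that case; the rest of the switch is outside the hunk, so whether the `GENET_POWER_WOL_MAGIC` call kept in bcmgenet_resume() is always preceded by a passive power-up cannot be seen here. A short comment at the mask would pin the intent, for example `/* energy detect is not a supported wake source; never let it block sleep */`.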
@@ -0,0 +1,46 @@
+From 11527f3c4725640e6c40a2b7654e303f45e82a6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:27 +0200
+Subject: net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 11527f3c4725640e6c40a2b7654e303f45e82a6c upstream.
+
+Commit 40cff8fca9e3 ("net: dsa: mv88e6xxx: Fix stats histogram mode")
+introduced wrong .stats_set_histogram() method for Topaz family.
+
+The Peridot method should be used instead.
+
+Signed-off-by: Marek Behún
+Fixes: 40cff8fca9e3 ("net: dsa: mv88e6xxx: Fix stats histogram mode")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3051,7 +3051,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_link_state = mv88e6352_port_link_state,
+ .port_get_cmode = mv88e6352_port_get_cmode,
+ .stats_snapshot = mv88e6390_g1_stats_snapshot,
+- .stats_set_histogram = mv88e6095_g1_stats_set_histogram,
++ .stats_set_histogram = mv88e6390_g1_stats_set_histogram,
+ .stats_get_sset_count = mv88e6320_stats_get_sset_count,
+ .stats_get_strings = mv88e6320_stats_get_strings,
+ .stats_get_stats = mv88e6390_stats_get_stats,
+@@ -3672,7 +3672,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_link_state = mv88e6352_port_link_state,
+ .port_get_cmode = mv88e6352_port_get_cmode,
+ .stats_snapshot = mv88e6390_g1_stats_snapshot,
+- .stats_set_histogram = mv88e6095_g1_stats_set_histogram,
++ .stats_set_histogram = mv88e6390_g1_stats_set_histogram,
+ .stats_get_sset_count = mv88e6320_stats_get_sset_count,
+ .stats_get_strings = mv88e6320_stats_get_strings,
+ .stats_get_stats = mv88e6390_stats_get_stats,
diff --git a/queue-4.19/series b/queue-4.19/series
index 1d8f13d31e4..61e256dc122 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -108,3 +108,7 @@ ixgbe-fix-packet-corruption-due-to-missing-dma-sync.patch
 selftest-use-mmap-instead-of-posix_memalign-to-allocate-memory.patch
 nds32-fix-up-stack-guard-gap.patch
 drm-return-enotty-for-non-drm-ioctls.patch
+kvm-do-not-assume-pte-is-writable-after-follow_pfn.patch
+kvm-do-not-allow-mapping-valid-but-non-reference-counted-pages.patch
+net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch
+net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch