From: Greg Kroah-Hartman
Date: Mon, 9 Aug 2021 10:56:15 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.280~26
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6b5681f4272306d7ed71317a371f42c146d7fd6a;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch
kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch
pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
---
diff --git a/queue-5.4/kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch b/queue-5.4/kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch
new file mode 100644
index 00000000000..b25eb406e1a
--- /dev/null
+++ b/queue-5.4/kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch
@@ -0,0 +1,85 @@
+From 85cd39af14f498f791d8aab3fbd64cd175787f1a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 4 Aug 2021 05:28:52 -0400
+Subject: KVM: Do not leak memory for duplicate debugfs directories
+
+From: Paolo Bonzini
+
+commit 85cd39af14f498f791d8aab3fbd64cd175787f1a upstream.
+
+KVM creates a debugfs directory for each VM in order to store statistics
+about the virtual machine. The directory name is built from the process
+pid and a VM fd. While generally unique, it is possible to keep a
+file descriptor alive in a way that causes duplicate directories, which
+manifests as these messages:
+
+ [ 471.846235] debugfs: Directory '20245-4' with parent 'kvm' already present!
+
+Even though this should not happen in practice, it is more or less
+expected in the case of KVM for testcases that call KVM_CREATE_VM and
+close the resulting file descriptor repeatedly and in parallel.
+
+When this happens, debugfs_create_dir() returns an error but
+kvm_create_vm_debugfs() goes on to allocate stat data structs which are
+later leaked. The slow memory leak was spotted by syzkaller, where it
+caused OOM reports.
+
+Since the issue only affects debugfs, do a lookup before calling
+debugfs_create_dir, so that the message is downgraded and rate-limited.
+While at it, ensure kvm->debugfs_dentry is NULL rather than an error
+if it is not created. This fixes kvm_destroy_vm_debugfs, which was not
+checking IS_ERR_OR_NULL correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 536a6f88c49d ("KVM: Create debugfs dir and stat files for each VM")
+Reported-by: Alexey Kardashevskiy
+Suggested-by: Greg Kroah-Hartman
+Acked-by: Greg Kroah-Hartman
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/kvm_main.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -635,6 +635,8 @@ static void kvm_destroy_vm_debugfs(struc
+
+ static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
+ {
++ static DEFINE_MUTEX(kvm_debugfs_lock);
++ struct dentry *dent;
+ char dir_name[ITOA_MAX_LEN * 2];
+ struct kvm_stat_data *stat_data;
+ struct kvm_stats_debugfs_item *p;
+@@ -643,8 +645,20 @@ static int kvm_create_vm_debugfs(struct
+ return 0;
+
+ snprintf(dir_name, sizeof(dir_name), "%d-%d", task_pid_nr(current), fd);
+- kvm->debugfs_dentry = debugfs_create_dir(dir_name, kvm_debugfs_dir);
++ mutex_lock(&kvm_debugfs_lock);
++ dent = debugfs_lookup(dir_name, kvm_debugfs_dir);
++ if (dent) {
++ pr_warn_ratelimited("KVM: debugfs: duplicate directory %s\n", dir_name);
++ dput(dent);
++ mutex_unlock(&kvm_debugfs_lock);
++ return 0;
++ }
++ dent = debugfs_create_dir(dir_name, kvm_debugfs_dir);
++ mutex_unlock(&kvm_debugfs_lock);
++ if (IS_ERR(dent))
++ return 0;
+
++ kvm->debugfs_dentry = dent;
+ kvm->debugfs_stat_data = kcalloc(kvm_debugfs_num_entries,
+ sizeof(*kvm->debugfs_stat_data),
+ GFP_KERNEL_ACCOUNT);
+@@ -4367,7 +4381,7 @@ static void kvm_uevent_notify_change(uns
+ }
+ add_uevent_var(env, "PID=%d", kvm->userspace_pid);
+
+- if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
++ if (kvm->debugfs_dentry) {
+ char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);
+
+ if (p) {
diff --git a/queue-5.4/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch b/queue-5.4/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch
new file mode 100644
index 00000000000..38b9288895c
--- /dev/null
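Review bot: Both early exits added to kvm_create_vm_debugfs, the duplicate-directory branch and the `if (IS_ERR(dent))` check, `return 0`, so the VM keeps running without its stats directory and the caller cannot tell; the commit message says this is intended, but the code does not. A comment above the lookup such as `/* debugfs is best-effort: a duplicate or failed directory is not fatal, leave debugfs_dentry NULL and skip the stat files */` would record that. The switch from `!IS_ERR_OR_NULL` to a plain NULL test in the kvm_uevent_notify_change hunk is only correct if `kvm->debugfs_dentry` starts out zeroed and no other site stores an ERR_PTR into it; neither is visible here, so it is worth confirming at the allocation site. The body of kvm_create_vm_debugfs continues outside the hunk, so any later failure path (for example the kcalloc) that must now also drop the freshly created directory is not reviewed here.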
+++ b/queue-5.4/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch 
@@ -0,0 +1,57 @@
+From fa7a549d321a4189677b0cea86e58d9db7977f7b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 14 Jul 2021 17:37:49 -0400
+Subject: KVM: x86: accept userspace interrupt only if no event is injected
+
+From: Paolo Bonzini
+
+commit fa7a549d321a4189677b0cea86e58d9db7977f7b upstream.
+
+Once an exception has been injected, any side effects related to
+the exception (such as setting CR2 or DR6) have been taked place.
+Therefore, once KVM sets the VM-entry interruption information
+field or the AMD EVENTINJ field, the next VM-entry must deliver that
+exception.
+
+Pending interrupts are processed after injected exceptions, so
+in theory it would not be a problem to use KVM_INTERRUPT when
+an injected exception is present. However, DOSEMU is using
+run->ready_for_interrupt_injection to detect interrupt windows
+and then using KVM_SET_SREGS/KVM_SET_REGS to inject the
+interrupt manually. For this to work, the interrupt window
+must be delayed after the completion of the previous event
+injection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stas Sergeev
+Tested-by: Stas Sergeev
+Fixes: 71cc849b7093 ("KVM: x86: Fix split-irqchip vs interrupt injection window request")
+Reviewed-by: Sean Christopherson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3638,8 +3638,17 @@ static int kvm_cpu_accept_dm_intr(struct
+
+ static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu)
+ {
+- return kvm_arch_interrupt_allowed(vcpu) &&
+- kvm_cpu_accept_dm_intr(vcpu);
++ /*
++ * Do not cause an interrupt window exit if an exception
++ * is pending or an event needs reinjection; userspace
++ * might want to inject the interrupt manually using KVM_SET_REGS
++ * or KVM_SET_SREGS. For that to work, we must be at an
++ * instruction boundary and with no events half-injected.
++ */
++ return (kvm_arch_interrupt_allowed(vcpu) &&
++ kvm_cpu_accept_dm_intr(vcpu) &&
++ !kvm_event_needs_reinjection(vcpu) &&
++ !vcpu->arch.exception.pending);
+ }
+
+ static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
diff --git a/queue-5.4/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch b/queue-5.4/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
new file mode 100644
index 00000000000..c51a8172362
--- /dev/null
+++ b/queue-5.4/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch
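Review bot: The new `return (… );` in kvm_vcpu_ready_for_interrupt_injection wraps the whole conjunction in parentheses that the removed two-line form did not need; `return kvm_arch_interrupt_allowed(vcpu) &&` with the continuation lines aligned under it keeps the multi-line return style the file already used. The added comment says the vCPU must be "at an instruction boundary", but nothing in the expression tests that by name; presumably it is implied by the reinjection and exception.pending checks, so stating that in the comment would stop a reader from looking for a missing condition. The kvm_vcpu_ioctl_interrupt definition that begins on the hunk's last context line continues outside the hunk.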
@@ -0,0 +1,54 @@
+From d5aaad6f83420efb8357ac8e11c868708b22d0a9 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Wed, 4 Aug 2021 14:46:09 -0700
+Subject: KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
+
+From: Sean Christopherson
+
+commit d5aaad6f83420efb8357ac8e11c868708b22d0a9 upstream.
+
+Take a signed 'long' instead of an 'unsigned long' for the number of
+pages to add/subtract to the total number of pages used by the MMU. This
+fixes a zero-extension bug on 32-bit kernels that effectively corrupts
+the per-cpu counter used by the shrinker.
+
+Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit
+kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus
+an unsigned 32-bit value on 32-bit kernels. As a result, the value used
+to adjust the per-cpu counter is zero-extended (unsigned -> signed), not
+sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to
+4294967295 and effectively corrupts the counter.
+
+This was found by a staggering amount of sheer dumb luck when running
+kvm-unit-tests on a 32-bit KVM build. The shrinker just happened to kick
+in while running tests and do_shrink_slab() logged an error about trying
+to free a negative number of objects. The truly lucky part is that the
+kernel just happened to be a slightly stale build, as the shrinker no
+longer yells about negative objects as of commit 18bb473e5031 ("mm:
+vmscan: shrink deferred objects proportional to priority").
+
+ vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460
+
+Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation")
+Cc: stable@vger.kernel.org
+Cc: Ben Gardon
+Signed-off-by: Sean Christopherson
+Message-Id: <20210804214609.1096003-1-seanjc@google.com>
+Reviewed-by: Jim Mattson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2143,7 +2143,7 @@ static int is_empty_shadow_page(u64 *spt
+ * aggregate version in order to make the slab shrinker
+ * faster
+ */
+-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
++static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
+ {
+ kvm->arch.n_used_mmu_pages += nr;
+ percpu_counter_add(&kvm_total_used_mmu_pages, nr);
diff --git a/queue-5.4/md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch b/queue-5.4/md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch
new file mode 100644
index 00000000000..6eeb8e4ede5
--- /dev/null
+++ b/queue-5.4/md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch
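Review bot: Changing `nr` to `long` in kvm_mod_used_mmu_pages fixes the sign extension only if every caller passes a signed value; a caller that passes an `unsigned long` count still converts implicitly with no warning, and on 32-bit a count above LONG_MAX would arrive negative. The callers are outside the hunk, so they need to be checked together with this one-line change. Nothing at the definition records why the type is signed, so a later cleanup could revert it; a comment on the signature such as `/* nr is signed: callers pass negative counts to release pages, and an unsigned long would be zero-extended into the s64 per-cpu counter on 32-bit */` would prevent that. The `kvm->arch.n_used_mmu_pages += nr;` line adds `nr` to a field whose type is not visible here; if it is unsigned, negative adds rely on wraparound, which is fine but belongs in the same comment.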
@@ -0,0 +1,53 @@
+From 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 Mon Sep 17 00:00:00 2001
+From: Wei Shuyu
+Date: Mon, 28 Jun 2021 15:15:08 +0800
+Subject: md/raid10: properly indicate failure when ending a failed write request
+
+From: Wei Shuyu
+
+commit 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 upstream.
+
+Similar to [1], this patch fixes the same bug in raid10. Also cleanup the
+comments.
+
+[1] commit 2417b9869b81 ("md/raid1: properly indicate failure when ending
+ a failed write request")
+Cc: stable@vger.kernel.org
+Fixes: 7cee6d4e6035 ("md/raid10: end bio when the device faulty")
+Signed-off-by: Wei Shuyu
+Acked-by: Guoqing Jiang
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid1.c | 2 --
+ drivers/md/raid10.c | 4 ++--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -452,8 +452,6 @@ static void raid1_end_write_request(stru
+ /*
+ * When the device is faulty, it is not necessary to
+ * handle write error.
+- * For failfast, this is the only remaining device,
+- * We need to retry the write without FailFast.
+ */
+ if (!test_bit(Faulty, &rdev->flags))
+ set_bit(R1BIO_WriteError, &r1_bio->state);
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -470,12 +470,12 @@ static void raid10_end_write_request(str
+ /*
+ * When the device is faulty, it is not necessary to
+ * handle write error.
+- * For failfast, this is the only remaining device,
+- * We need to retry the write without FailFast.
+ */
+ if (!test_bit(Faulty, &rdev->flags))
+ set_bit(R10BIO_WriteError, &r10_bio->state);
+ else {
++ /* Fail the request */
++ set_bit(R10BIO_Degraded, &r10_bio->state);
+ r10_bio->devs[slot].bio = NULL;
+ to_put = bio;
+ dec_rdev = 1;
diff --git a/queue-5.4/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch b/queue-5.4/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
new file mode 100644
index 00000000000..43e94e59af3
--- /dev/null
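Review bot: The added `/* Fail the request */` above `set_bit(R10BIO_Degraded, &r10_bio->state);` says what the line does but not why it is needed; a comment carrying the reasoning from the commit message, e.g. `/* Device is faulty, so this write was dropped: mark the r10_bio degraded so the completion path reports an error instead of success */`, would help the next reader of raid10_end_write_request. The raid1 hunk in the same patch only removes the stale failfast comment, consistent with commit 2417b9869b81 cited in the message, so nothing further to raise there. The enclosing raid10_end_write_request starts and continues outside the hunk.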
+++ b/queue-5.4/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
@@ -0,0 +1,32 @@
+From e39cdacf2f664b09029e7c1eb354c91a20c367af Mon Sep 17 00:00:00 2001
+From: Zheyu Ma
+Date: Tue, 22 Jun 2021 07:11:31 +0000
+Subject: pcmcia: i82092: fix a null pointer dereference bug
+
+From: Zheyu Ma
+
+commit e39cdacf2f664b09029e7c1eb354c91a20c367af upstream.
+
+During the driver loading process, the 'dev' field was not assigned, but
+the 'dev' field was referenced in the subsequent 'i82092aa_set_mem_map'
+function.
+
+Signed-off-by: Zheyu Ma
+CC:
+[linux@dominikbrodowski.net: shorten commit message, add Cc to stable]
+Signed-off-by: Dominik Brodowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pcmcia/i82092.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pcmcia/i82092.c
++++ b/drivers/pcmcia/i82092.c
+@@ -106,6 +106,7 @@ static int i82092aa_pci_probe(struct pci
+ for (i = 0;i