From: Greg Kroah-Hartman Date: Mon, 19 Jul 2021 09:12:25 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.13.4~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=943512da8ab3389f08c0f3eac5828d8b77e5d02f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: kvm-mmio-fix-use-after-free-read-in-kvm_vm_ioctl_unregister_coalesced_mmio.patch kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
---
diff --git a/queue-5.4/kvm-mmio-fix-use-after-free-read-in-kvm_vm_ioctl_unregister_coalesced_mmio.patch b/queue-5.4/kvm-mmio-fix-use-after-free-read-in-kvm_vm_ioctl_unregister_coalesced_mmio.patch
new file mode 100644
index 00000000000..f399b8bb841
--- /dev/null
+++ b/queue-5.4/kvm-mmio-fix-use-after-free-read-in-kvm_vm_ioctl_unregister_coalesced_mmio.patch
@@ -0,0 +1,128 @@
+From 23fa2e46a5556f787ce2ea1a315d3ab93cced204 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Sat, 26 Jun 2021 15:03:04 +0800
+Subject: KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio
+
+From: Kefeng Wang
+
+commit 23fa2e46a5556f787ce2ea1a315d3ab93cced204 upstream.
+
+BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183
+Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269
+
+CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132
+ show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x110/0x164 lib/dump_stack.c:118
+ print_address_description+0x78/0x5c8 mm/kasan/report.c:385
+ __kasan_report mm/kasan/report.c:545 [inline]
+ kasan_report+0x148/0x1e4 mm/kasan/report.c:562
+ check_memory_region_inline mm/kasan/generic.c:183 [inline]
+ __asan_load8+0xb4/0xbc mm/kasan/generic.c:252
+ kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183
+ kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+Allocated by task 4269:
+ stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461
+ kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475
+ kmem_cache_alloc_trace include/linux/slab.h:450 [inline]
+ kmalloc include/linux/slab.h:552 [inline]
+ kzalloc include/linux/slab.h:664 [inline]
+ kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146
+ kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+Freed by task 4269:
+ stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track+0x38/0x6c mm/kasan/common.c:56
+ kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355
+ __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422
+ kasan_slab_free+0x10/0x1c mm/kasan/common.c:431
+ slab_free_hook mm/slub.c:1544 [inline]
+ slab_free_freelist_hook mm/slub.c:1577 [inline]
+ slab_free mm/slub.c:3142 [inline]
+ kfree+0x104/0x38c mm/slub.c:4124
+ coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102
+ kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]
+ kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374
+ kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186
+ kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+If kvm_io_bus_unregister_dev() return -ENOMEM, we already call kvm_iodevice_destructor()
+inside this function to delete 'struct kvm_coalesced_mmio_dev *dev' from list
+and free the dev, but kvm_iodevice_destructor() is called again, it will lead
+the above issue.
+
+Let's check the the return value of kvm_io_bus_unregister_dev(), only call
+kvm_iodevice_destructor() if the return value is 0.
+
+Cc: Paolo Bonzini
+Cc: kvm@vger.kernel.org
+Reported-by: Hulk Robot
+Signed-off-by: Kefeng Wang
+Message-Id: <20210626070304.143456-1-wangkefeng.wang@huawei.com>
+Cc: stable@vger.kernel.org
+Fixes: 5d3c4c79384a ("KVM: Stop looking for coalesced MMIO zones if the bus is destroyed", 2021-04-20)
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/coalesced_mmio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/coalesced_mmio.c
++++ b/virt/kvm/coalesced_mmio.c
+@@ -190,7 +190,6 @@ int kvm_vm_ioctl_unregister_coalesced_mm
+ coalesced_mmio_in_range(dev, zone->addr, zone->size)) {
+ r = kvm_io_bus_unregister_dev(kvm,
+ zone->pio ? KVM_PIO_BUS : KVM_MMIO_BUS, &dev->dev);
+- kvm_iodevice_destructor(&dev->dev);
+
+ /*
+ * On failure, unregister destroys all devices on the
+@@ -200,6 +199,7 @@ int kvm_vm_ioctl_unregister_coalesced_mm
+ */
+ if (r)
+ break;
++ kvm_iodevice_destructor(&dev->dev);
+ }
+ }
+
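Review bot: The relocated `kvm_iodevice_destructor(&dev->dev);` in the second nested hunk carries no comment saying why it must follow the `if (r) break;` check, and the existing comment that explains the failure semantics is cut off at the end of the first nested hunk, so a reader of the second hunk sees only a bare reorder. I would annotate the new line with `/* Success: the bus no longer references dev, so it is ours to free here. */`. On the failure path the commit message and the KASAN "Freed by" trace show that `kvm_io_bus_unregister_dev()` has already freed `dev` through the bus destructor, so nothing after the `break` may touch `dev` or, presumably, the next-pointer saved by the enclosing list walk, whose header lies outside the hunk along with the rest of `kvm_vm_ioctl_unregister_coalesced_mmio()`.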
diff --git a/queue-5.4/kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch b/queue-5.4/kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
new file mode 100644
index 00000000000..9997501f537
--- /dev/null
+++ b/queue-5.4/kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
@@ -0,0 +1,49 @@
+From f85d40160691881a17a397c448d799dfc90987ba Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan
+Date: Tue, 29 Jun 2021 01:26:32 +0800
+Subject: KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()
+
+From: Lai Jiangshan
+
+commit f85d40160691881a17a397c448d799dfc90987ba upstream.
+
+When the host is using debug registers but the guest is not using them
+nor is the guest in guest-debug state, the kvm code does not reset
+the host debug registers before kvm_x86->run(). Rather, it relies on
+the hardware vmentry instruction to automatically reset the dr7 registers
+which ensures that the host breakpoints do not affect the guest.
+
+This however violates the non-instrumentable nature around VM entry
+and exit; for example, when a host breakpoint is set on vcpu->arch.cr2,
+
+Another issue is consistency. When the guest debug registers are active,
+the host breakpoints are reset before kvm_x86->run(). But when the
+guest debug registers are inactive, the host breakpoints are delayed to
+be disabled. The host tracing tools may see different results depending
+on what the guest is doing.
+
+To fix the problems, we clear %db7 unconditionally before kvm_x86->run()
+if the host has set any breakpoints, no matter if the guest is using
+them or not.
+
+Signed-off-by: Lai Jiangshan
+Message-Id: <20210628172632.81029-1-jiangshanlai@gmail.com>
+Cc: stable@vger.kernel.org
+[Only clear %db7 instead of reloading all debug registers. - Paolo]
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8271,6 +8271,8 @@ static int vcpu_enter_guest(struct kvm_v
+ set_debugreg(vcpu->arch.eff_db[3], 3);
+ set_debugreg(vcpu->arch.dr6, 6);
+ vcpu->arch.switch_db_regs &= ~KVM_DEBUGREG_RELOAD;
++ } else if (unlikely(hw_breakpoint_active())) {
++ set_debugreg(0, 7);
+ }
+
+ kvm_x86_ops->run(vcpu);
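Review bot: The new `else if (unlikely(hw_breakpoint_active()))` branch clears DR7 without saving it, and nothing in the hunk shows how the host's breakpoints are re-armed once the guest has run; that depends on the restore path after `kvm_x86_ops->run(vcpu)`, which is outside the hunk (presumably the same `hw_breakpoint_active()` / `hw_breakpoint_restore()` pairing upstream uses). A one-line comment on the new branch would spare the next backporter that search: `/* Disarm host breakpoints before entry; they are re-armed on the post-run restore path. */`. The enclosing `vcpu_enter_guest()` starts and ends outside the hunk, so the claim that every entry path reaches that restore should be checked against the 5.4 function body rather than taken from this patch alone.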
diff --git a/queue-5.4/kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch b/queue-5.4/kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
new file mode 100644
index 00000000000..c978aea4a25
--- /dev/null
+++ b/queue-5.4/kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
@@ -0,0 +1,44 @@
+From 4bf48e3c0aafd32b960d341c4925b48f416f14a5 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Wed, 23 Jun 2021 16:05:46 -0700
+Subject: KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled
+
+From: Sean Christopherson
+
+commit 4bf48e3c0aafd32b960d341c4925b48f416f14a5 upstream.
+
+Ignore the guest MAXPHYADDR reported by CPUID.0x8000_0008 if TDP, i.e.
+NPT, is disabled, and instead use the host's MAXPHYADDR. Per AMD'S APM:
+
+ Maximum guest physical address size in bits. This number applies only
+ to guests using nested paging. When this field is zero, refer to the
+ PhysAddrSize field for the maximum guest physical address size.
+
+Fixes: 24c82e576b78 ("KVM: Sanitize cpuid")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20210623230552.4027702-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/cpuid.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -745,8 +745,14 @@ static inline int __do_cpuid_func(struct
+ unsigned virt_as = max((entry->eax >> 8) & 0xff, 48U);
+ unsigned phys_as = entry->eax & 0xff;
+
+- if (!g_phys_as)
++ /*
++ * Use bare metal's MAXPHADDR if the CPU doesn't report guest
++ * MAXPHYADDR separately, or if TDP (NPT) is disabled, as the
++ * guest version "applies only to guests using nested paging".
++ */
++ if (!g_phys_as || !tdp_enabled)
+ g_phys_as = phys_as;
++
+ entry->eax = g_phys_as | (virt_as << 8);
+ entry->edx = 0;
+ entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..5e5d13c4a68
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,3 @@
+kvm-mmio-fix-use-after-free-read-in-kvm_vm_ioctl_unregister_coalesced_mmio.patch
+kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
+kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch