From: Greg Kroah-Hartman Date: Sun, 24 Jul 2022 15:48:53 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v5.10.133~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e4e99cb73714c393e1e06943a1cfa159bbb18cc3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: kvm-don-t-null-dereference-ops-destroy.patch --- diff --git a/queue-5.18/kvm-don-t-null-dereference-ops-destroy.patch b/queue-5.18/kvm-don-t-null-dereference-ops-destroy.patch new file mode 100644 index 00000000000..c4a1fe214ba --- /dev/null +++ b/queue-5.18/kvm-don-t-null-dereference-ops-destroy.patch 
@@ -0,0 +1,47 @@ +From e8bc2427018826e02add7b0ed0fc625a60390ae5 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 1 Jun 2022 03:43:28 +0200 +Subject: KVM: Don't null dereference ops->destroy + +From: Alexey Kardashevskiy + +commit e8bc2427018826e02add7b0ed0fc625a60390ae5 upstream. + +A KVM device cleanup happens in either of two callbacks: +1) destroy() which is called when the VM is being destroyed; +2) release() which is called when a device fd is closed. + +Most KVM devices use 1) but Book3s's interrupt controller KVM devices +(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during +the machine execution. The error handling in kvm_ioctl_create_device() +assumes destroy() is always defined which leads to NULL dereference as +discovered by Syzkaller. + +This adds a checks for destroy!=NULL and adds a missing release(). + +This is not changing kvm_destroy_devices() as devices with defined +release() should have been removed from the KVM devices list by then. + +Suggested-by: Paolo Bonzini +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -4299,8 +4299,11 @@ static int kvm_ioctl_create_device(struc + kvm_put_kvm_no_destroy(kvm); + mutex_lock(&kvm->lock); + list_del(&dev->vm_node); ++ if (ops->release) ++ ops->release(dev); + mutex_unlock(&kvm->lock); +- ops->destroy(dev); ++ if (ops->destroy) ++ ops->destroy(dev); + return ret; + } + diff --git a/queue-5.18/series b/queue-5.18/series index 265b83a0fd4..4cb7110afef 100644 --- a/queue-5.18/series +++ b/queue-5.18/series 
@@ -129,3 +129,4 @@ selftests-gpio-fix-include-path-to-kernel-headers-fo.patch gpio-gpio-xilinx-fix-integer-overflow.patch kvm-selftests-fix-target-thread-to-be-migrated-in-rseq_test.patch spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch +kvm-don-t-null-dereference-ops-destroy.patch
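Review bot: in the kvm_ioctl_create_device() hunk, the new `ops->release(dev)` call runs with kvm->lock held while the guarded `ops->destroy(dev)` runs after `mutex_unlock(&kvm->lock)`, and nothing in the hunk or the commit message explains the asymmetry or whether a device may define both callbacks, in which case this error path now invokes release() and then destroy() on the same device. A short comment above `if (ops->release)` saying why release() must be called under the lock (and that a device is expected to implement only one of the two, if that is the contract) would make the intent reviewable from the code alone; the commit message's "This adds a checks for destroy!=NULL and adds a missing release()" should also read "adds a check".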