From 562f396014709e1312f9a295b137b6f63e179382 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 23 May 2024 14:09:15 +0200 Subject: [PATCH] 5.15-stable patches added patches: drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch netlink-annotate-data-races-around-sk-sk_err.patch netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch --- ...amdgpu_ras_query_error_status_helper.patch | 47 ++++++++ ...rror_code-for-rm-exception-injection.patch | 57 ++++++++++ ...annotate-data-races-around-sk-sk_err.patch | 96 ++++++++++++++++ ...less-accesses-to-nlk-max_recvmsg_len.patch | 107 ++++++++++++++++++ queue-5.15/series | 4 + 5 files changed, 311 insertions(+) create mode 100644 queue-5.15/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch create mode 100644 queue-5.15/kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch create mode 100644 queue-5.15/netlink-annotate-data-races-around-sk-sk_err.patch create mode 100644 queue-5.15/netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch diff --git a/queue-5.15/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch b/queue-5.15/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch new file mode 100644 index 00000000000..819e6b92263 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch 
@@ -0,0 +1,47 @@ +From b8d55a90fd55b767c25687747e2b24abd1ef8680 Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Tue, 26 Dec 2023 15:32:19 +0530 +Subject: drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +commit b8d55a90fd55b767c25687747e2b24abd1ef8680 upstream. + +Return invalid error code -EINVAL for invalid block id. + +Fixes the below: + +drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176) + +Suggested-by: Hawking Zhang +Cc: Tao Zhou +Cc: Hawking Zhang +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +[Ajay: applied AMDGPU_RAS_BLOCK_COUNT condition to amdgpu_ras_query_error_status() + as amdgpu_ras_query_error_status_helper() not present in v5.15 + amdgpu_ras_query_error_status_helper() was introduced in 8cc0f5669eb6] +Signed-off-by: Ajay Kaher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +@@ -820,6 +820,9 @@ int amdgpu_ras_query_error_status(struct + if (!obj) + return -EINVAL; + ++ if (!info || info->head.block == AMDGPU_RAS_BLOCK_COUNT) ++ return -EINVAL; ++ + switch (info->head.block) { + case AMDGPU_RAS_BLOCK__UMC: + if (adev->umc.ras_funcs && diff --git a/queue-5.15/kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch b/queue-5.15/kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch new file mode 100644 index 00000000000..42ab4534506 --- /dev/null +++ b/queue-5.15/kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch 
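Review bot: The new `!info` half of the guard is placed after `if (!obj)`, and `obj` is presumably obtained from `info->head` at the top of amdgpu_ras_query_error_status() (outside this hunk); if that is the case, a NULL `info` has already been used before the check is reached and the compiler may treat the later test as dead, so `if (!info) return -EINVAL;` should sit ahead of that lookup while the block test stays where it is. The `== AMDGPU_RAS_BLOCK_COUNT` comparison mirrors the upstream commit but only rejects the sentinel value; any other out-of-range block id is left to the `switch` below, so `>= AMDGPU_RAS_BLOCK_COUNT` would be the usual range guard if the enum is never negative. The backport note says the helper does not exist in 5.15, which is why the check lands in the caller; a short comment such as `/* info may come from debugfs/sysfs; reject unknown blocks before the switch */` would explain the placement to the next reader. The function starts and ends outside the hunk.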
@@ -0,0 +1,57 @@ +From 6c41468c7c12d74843bb414fc00307ea8a6318c3 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 22 Mar 2023 07:32:59 -0700 +Subject: KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection + +From: Sean Christopherson + +commit 6c41468c7c12d74843bb414fc00307ea8a6318c3 upstream. + +When injecting an exception into a vCPU in Real Mode, suppress the error +code by clearing the flag that tracks whether the error code is valid, not +by clearing the error code itself. The "typo" was introduced by recent +fix for SVM's funky Paged Real Mode. + +Opportunistically hoist the logic above the tracepoint so that the trace +is coherent with respect to what is actually injected (this was also the +behavior prior to the buggy commit). + +Fixes: b97f07458373 ("KVM: x86: determine if an exception has an error code only when injecting it.") +Cc: stable@vger.kernel.org +Cc: Maxim Levitsky +Signed-off-by: Sean Christopherson +Message-Id: <20230322143300.2209476-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +[nsaenz: backport to 5.15.y] +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Greg Kroah-Hartman +Acked-by: Sean Christopherson +--- + arch/x86/kvm/x86.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -9134,13 +9134,20 @@ int kvm_check_nested_events(struct kvm_v + + static void kvm_inject_exception(struct kvm_vcpu *vcpu) + { ++ /* ++ * Suppress the error code if the vCPU is in Real Mode, as Real Mode ++ * exceptions don't report error codes. The presence of an error code ++ * is carried with the exception and only stripped when the exception ++ * is injected as intercepted #PF VM-Exits for AMD's Paged Real Mode do ++ * report an error code despite the CPU being in Real Mode. 
++ */ ++ vcpu->arch.exception.has_error_code &= is_protmode(vcpu); ++ + trace_kvm_inj_exception(vcpu->arch.exception.nr, + vcpu->arch.exception.has_error_code, + vcpu->arch.exception.error_code, + vcpu->arch.exception.injected); + +- if (vcpu->arch.exception.error_code && !is_protmode(vcpu)) +- vcpu->arch.exception.error_code = false; + static_call(kvm_x86_queue_exception)(vcpu); + } + diff --git a/queue-5.15/netlink-annotate-data-races-around-sk-sk_err.patch b/queue-5.15/netlink-annotate-data-races-around-sk-sk_err.patch new file mode 100644 index 00000000000..e4faf748e1e --- /dev/null +++ b/queue-5.15/netlink-annotate-data-races-around-sk-sk_err.patch 
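Review bot: `vcpu->arch.exception.has_error_code &= is_protmode(vcpu);` relies on is_protmode() returning exactly 0 or 1: a `bool &= int` is evaluated as an integer AND before converting back, so any other non-zero return value would clear the flag instead of keeping it. If is_protmode() is the CR0.PE bit test (bit 0) it does return 0/1 today, but `vcpu->arch.exception.has_error_code = vcpu->arch.exception.has_error_code && is_protmode(vcpu);` states the intent without depending on that. Hoisting the clear above trace_kvm_inj_exception() is the right call, since the trace now reports the has_error_code value that is actually injected; the new comment could say so in one sentence so the ordering is not "fixed" back later.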
@@ -0,0 +1,96 @@ +From d0f95894fda7d4f895b29c1097f92d7fee278cb2 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 3 Oct 2023 18:34:55 +0000 +Subject: netlink: annotate data-races around sk->sk_err + +From: Eric Dumazet + +commit d0f95894fda7d4f895b29c1097f92d7fee278cb2 upstream. + +syzbot caught another data-race in netlink when +setting sk->sk_err. + +Annotate all of them for good measure. + +BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg + +write to 0xffff8881613bb220 of 4 bytes by task 28147 on cpu 0: +netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994 +sock_recvmsg_nosec net/socket.c:1027 [inline] +sock_recvmsg net/socket.c:1049 [inline] +__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229 +__do_sys_recvfrom net/socket.c:2247 [inline] +__se_sys_recvfrom net/socket.c:2243 [inline] +__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +write to 0xffff8881613bb220 of 4 bytes by task 28146 on cpu 1: +netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994 +sock_recvmsg_nosec net/socket.c:1027 [inline] +sock_recvmsg net/socket.c:1049 [inline] +__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229 +__do_sys_recvfrom net/socket.c:2247 [inline] +__se_sys_recvfrom net/socket.c:2243 [inline] +__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x00000000 -> 0x00000016 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 28146 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-00055-g9ed22ae6be81 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Simon Horman +Link: 
https://lore.kernel.org/r/20231003183455.3410550-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: yenchia.chen +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -352,7 +352,7 @@ static void netlink_overrun(struct sock + if (!(nlk->flags & NETLINK_F_RECV_NO_ENOBUFS)) { + if (!test_and_set_bit(NETLINK_S_CONGESTED, + &nlk_sk(sk)->state)) { +- sk->sk_err = ENOBUFS; ++ WRITE_ONCE(sk->sk_err, ENOBUFS); + sk_error_report(sk); + } + } +@@ -1591,7 +1591,7 @@ static int do_one_set_err(struct sock *s + goto out; + } + +- sk->sk_err = p->code; ++ WRITE_ONCE(sk->sk_err, p->code); + sk_error_report(sk); + out: + return ret; +@@ -2006,7 +2006,7 @@ static int netlink_recvmsg(struct socket + atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) { + ret = netlink_dump(sk); + if (ret) { +- sk->sk_err = -ret; ++ WRITE_ONCE(sk->sk_err, -ret); + sk_error_report(sk); + } + } +@@ -2442,7 +2442,7 @@ void netlink_ack(struct sk_buff *in_skb, + + skb = nlmsg_new(payload + tlvlen, GFP_KERNEL); + if (!skb) { +- NETLINK_CB(in_skb).sk->sk_err = ENOBUFS; ++ WRITE_ONCE(NETLINK_CB(in_skb).sk->sk_err, ENOBUFS); + sk_error_report(NETLINK_CB(in_skb).sk); + return; + } diff --git a/queue-5.15/netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch b/queue-5.15/netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch new file mode 100644 index 00000000000..19d146e797b --- /dev/null +++ b/queue-5.15/netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch 
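Review bot: The four WRITE_ONCE() annotations cover only the writer side of sk->sk_err; the readers (sock_error() and the poll and error-reporting paths) are not part of this patch, and if the 5.15.y sock_error() still reads `sk->sk_err` plainly, the KCSAN report is addressed on only half of the race. Worth confirming that the matching read-side annotation is already present in 5.15.y or queued alongside this backport. No functional change is intended here: the annotations stop the compiler from tearing or caching the store, they do not serialise the concurrent netlink_recvmsg() callers, and that remains acceptable because sk_err is a last-writer-wins status. Each of the four touched functions starts outside its hunk.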
@@ -0,0 +1,107 @@ +From a1865f2e7d10dde00d35a2122b38d2e469ae67ed Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 3 Apr 2023 21:46:43 +0000 +Subject: netlink: annotate lockless accesses to nlk->max_recvmsg_len + +From: Eric Dumazet + +commit a1865f2e7d10dde00d35a2122b38d2e469ae67ed upstream. + +syzbot reported a data-race in data-race in netlink_recvmsg() [1] + +Indeed, netlink_recvmsg() can be run concurrently, +and netlink_dump() also needs protection. + +[1] +BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg + +read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0: +netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988 +sock_recvmsg_nosec net/socket.c:1017 [inline] +sock_recvmsg net/socket.c:1038 [inline] +__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194 +__do_sys_recvfrom net/socket.c:2212 [inline] +__se_sys_recvfrom net/socket.c:2208 [inline] +__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1: +netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989 +sock_recvmsg_nosec net/socket.c:1017 [inline] +sock_recvmsg net/socket.c:1038 [inline] +____sys_recvmsg+0x156/0x310 net/socket.c:2720 +___sys_recvmsg net/socket.c:2762 [inline] +do_recvmmsg+0x2e5/0x710 net/socket.c:2856 +__sys_recvmmsg net/socket.c:2935 [inline] +__do_sys_recvmmsg net/socket.c:2958 [inline] +__se_sys_recvmmsg net/socket.c:2951 [inline] +__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x0000000000000000 -> 0x0000000000001000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0 +Hardware name: Google Google Compute 
Engine/Google Compute Engine, BIOS Google 03/02/2023 + +Fixes: 9063e21fb026 ("netlink: autosize skb lengthes") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230403214643.768555-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: yenchia.chen +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1935,7 +1935,7 @@ static int netlink_recvmsg(struct socket + struct sock *sk = sock->sk; + struct netlink_sock *nlk = nlk_sk(sk); + int noblock = flags & MSG_DONTWAIT; +- size_t copied; ++ size_t copied, max_recvmsg_len; + struct sk_buff *skb, *data_skb; + int err, ret; + +@@ -1968,9 +1968,10 @@ static int netlink_recvmsg(struct socket + #endif + + /* Record the max length of recvmsg() calls for future allocations */ +- nlk->max_recvmsg_len = max(nlk->max_recvmsg_len, len); +- nlk->max_recvmsg_len = min_t(size_t, nlk->max_recvmsg_len, +- SKB_WITH_OVERHEAD(32768)); ++ max_recvmsg_len = max(READ_ONCE(nlk->max_recvmsg_len), len); ++ max_recvmsg_len = min_t(size_t, max_recvmsg_len, ++ SKB_WITH_OVERHEAD(32768)); ++ WRITE_ONCE(nlk->max_recvmsg_len, max_recvmsg_len); + + copied = data_skb->len; + if (len < copied) { +@@ -2219,6 +2220,7 @@ static int netlink_dump(struct sock *sk) + struct netlink_ext_ack extack = {}; + struct netlink_callback *cb; + struct sk_buff *skb = NULL; ++ size_t max_recvmsg_len; + struct module *module; + int err = -ENOBUFS; + int alloc_min_size; +@@ -2241,8 +2243,9 @@ static int netlink_dump(struct sock *sk) + cb = &nlk->cb; + alloc_min_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE); + +- if (alloc_min_size < nlk->max_recvmsg_len) { +- alloc_size = nlk->max_recvmsg_len; ++ max_recvmsg_len = READ_ONCE(nlk->max_recvmsg_len); ++ if (alloc_min_size < max_recvmsg_len) { ++ alloc_size = max_recvmsg_len; + skb = 
alloc_skb(alloc_size, + (GFP_KERNEL & ~__GFP_DIRECT_RECLAIM) | + __GFP_NOWARN | __GFP_NORETRY);
diff --git a/queue-5.15/series b/queue-5.15/series
index 86490018187..730febfc6fa 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -10,3 +10,7 @@ tls-extract-context-alloc-initialization-out-of-tls_set_sw_offload.patch
 net-tls-factor-out-tls_-crypt_async_wait.patch
 tls-fix-race-between-async-notify-and-socket-close.patch
 net-tls-handle-backlogging-of-crypto-requests.patch
+netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch
+netlink-annotate-data-races-around-sk-sk_err.patch
+kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch
+drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch
-- 2.47.3
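Review bot: `if (alloc_min_size < max_recvmsg_len)` in netlink_dump() now compares an `int` against a `size_t`, so alloc_min_size is converted to unsigned for the comparison; that is only safe because it comes from `max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE)` and cannot be negative, and the following `alloc_size = max_recvmsg_len;` narrows back to int (if alloc_size is still an `int` as upstream), bounded only by the `SKB_WITH_OVERHEAD(32768)` clamp applied in netlink_recvmsg(). A one-line comment above the compare, `/* max_recvmsg_len is clamped to SKB_WITH_OVERHEAD(32768) by netlink_recvmsg(), so it fits in int */`, would record that reliance. The snapshot-then-WRITE_ONCE sequence in netlink_recvmsg() can still lose a concurrent update (last writer wins), which is fine for an allocation-size hint but worth stating in the existing "Record the max length" comment so nobody later reaches for a lock. netlink_recvmsg() and netlink_dump() both start and end outside their hunks.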