From bc488893497c8e672d08986a6d2471e957d36a91 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 1 Sep 2021 11:50:29 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
---
 ...ngler-fix-gpio-reserved-ranges-85-88.patch | 35 ++++++++
 ...e-when-deleting-device-by-invalid-id.patch | 79 +++++++++++++++++++
 ...not-reserved-for-all-tdp-shadow-mmus.patch | 49 ++++++++++++
 ...-mt7530-fix-vlan-traffic-leaks-again.patch | 40 ++++++++++
 queue-5.4/series | 4 +
 5 files changed, 207 insertions(+)
 create mode 100644 queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
 create mode 100644 queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
 create mode 100644 queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
 create mode 100644 queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
diff --git a/queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch b/queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
new file mode 100644
index 00000000000..d2617f990a6
--- /dev/null
+++ b/queue-5.4/arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
@@ -0,0 +1,35 @@
+From f890f89d9a80fffbfa7ca791b78927e5b8aba869 Mon Sep 17 00:00:00 2001
+From: Petr Vorel
+Date: Thu, 15 Apr 2021 21:39:13 +0200
+Subject: arm64: dts: qcom: msm8994-angler: Fix gpio-reserved-ranges 85-88
+
+From: Petr Vorel
+
+commit f890f89d9a80fffbfa7ca791b78927e5b8aba869 upstream.
+
+Reserve GPIO pins 85-88 as these aren't meant to be accessible from the
+application CPUs (causes reboot). Yet another fix similar to
+9134586715e3, 5f8d3ab136d0, which is needed to allow angler to boot after
+3edfb7bd76bd ("gpiolib: Show correct direction from the beginning").
+
+Fixes: feeaf56ac78d ("arm64: dts: msm8994 SoC and Huawei Angler (Nexus 6P) support")
+
+Signed-off-by: Petr Vorel
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20210415193913.1836153-1-petr.vorel@gmail.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts
++++ b/arch/arm64/boot/dts/qcom/msm8994-angler-rev-101.dts
+@@ -30,3 +30,7 @@
+ };
+ };
+ };
++
++&msmgpio {
++ gpio-reserved-ranges = <85 4>;
++};
diff --git a/queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch b/queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
new file mode 100644
index 00000000000..0e25a485874
--- /dev/null
+++ b/queue-5.4/btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
@@ -0,0 +1,79 @@
+From e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Fri, 6 Aug 2021 18:24:15 +0800
+Subject: btrfs: fix NULL pointer dereference when deleting device by invalid id
+
+From: Qu Wenruo
+
+commit e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 upstream.
+
+[BUG]
+It's easy to trigger NULL pointer dereference, just by removing a
+non-existing device id:
+
+ # mkfs.btrfs -f -m single -d single /dev/test/scratch1 \
+ /dev/test/scratch2
+ # mount /dev/test/scratch1 /mnt/btrfs
+ # btrfs device remove 3 /mnt/btrfs
+
+Then we have the following kernel NULL pointer dereference:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 9 PID: 649 Comm: btrfs Not tainted 5.14.0-rc3-custom+ #35
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:btrfs_rm_device+0x4de/0x6b0 [btrfs]
+ btrfs_ioctl+0x18bb/0x3190 [btrfs]
+ ? lock_is_held_type+0xa5/0x120
+ ? find_held_lock.constprop.0+0x2b/0x80
+ ? do_user_addr_fault+0x201/0x6a0
+ ? lock_release+0xd2/0x2d0
+ ? __x64_sys_ioctl+0x83/0xb0
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+[CAUSE]
+Commit a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return
+btrfs_device directly") moves the "missing" device path check into
+btrfs_rm_device().
+
+But btrfs_rm_device() itself can have case where it only receives
+@devid, with NULL as @device_path.
+
+In that case, calling strcmp() on NULL will trigger the NULL pointer
+dereference.
+
+Before that commit, we handle the "missing" case inside
+btrfs_find_device_by_devspec(), which will not check @device_path at all
+if @devid is provided, thus no way to trigger the bug.
+
+[FIX]
+Before calling strcmp(), also make sure @device_path is not NULL.
+
+Fixes: a27a94c2b0c7 ("btrfs: Make btrfs_find_device_by_devspec return btrfs_device directly")
+CC: stable@vger.kernel.org # 5.4+
+Reported-by: butt3rflyh4ck
+Reviewed-by: Anand Jain
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2168,7 +2168,7 @@ int btrfs_rm_device(struct btrfs_fs_info
+
+ if (IS_ERR(device)) {
+ if (PTR_ERR(device) == -ENOENT &&
+- strcmp(device_path, "missing") == 0)
++ device_path && strcmp(device_path, "missing") == 0)
+ ret = BTRFS_ERROR_DEV_MISSING_NOT_FOUND;
+ else
+ ret = PTR_ERR(device);
diff --git a/queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch b/queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
new file mode 100644
index 00000000000..86d0a7ebb37
--- /dev/null
+++ b/queue-5.4/kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
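Review bot: The NULL guard on the new `device_path && strcmp(device_path, "missing") == 0` line fixes the crash but gives the reader no hint why device_path can be NULL at this point; a short comment above the `if (PTR_ERR(device) == -ENOENT &&` line would save the next maintainer a trip to the changelog, e.g. `/* device_path is NULL when the caller identified the device by devid only */`. Whether any other use of device_path in the function is reachable with a NULL pointer cannot be judged from this hunk, since btrfs_rm_device() starts before it and continues past it.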
@@ -0,0 +1,49 @@
+From foo@baz Wed Sep 1 11:30:02 AM CEST 2021
+From: Sean Christopherson
+Date: Tue, 22 Jun 2021 10:56:47 -0700
+Subject: KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
+
+From: Sean Christopherson
+
+commit 112022bdb5bc372e00e6e43cb88ee38ea67b97bd upstream
+
+Mark NX as being used for all non-nested shadow MMUs, as KVM will set the
+NX bit for huge SPTEs if the iTLB mutli-hit mitigation is enabled.
+Checking the mitigation itself is not sufficient as it can be toggled on
+at any time and KVM doesn't reset MMU contexts when that happens. KVM
+could reset the contexts, but that would require purging all SPTEs in all
+MMUs, for no real benefit. And, KVM already forces EFER.NX=1 when TDP is
+disabled (for WP=0, SMEP=1, NX=0), so technically NX is never reserved
+for shadow MMUs.
+
+Fixes: b8e8c8303ff2 ("kvm: mmu: ITLB_MULTIHIT mitigation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20210622175739.3610207-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+[sudip: use old path]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/mmu.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -4666,7 +4666,15 @@ static void reset_rsvds_bits_mask_ept(st
+ void
+ reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu, struct kvm_mmu *context)
+ {
+- bool uses_nx = context->nx ||
++ /*
++ * KVM uses NX when TDP is disabled to handle a variety of scenarios,
++ * notably for huge SPTEs if iTLB multi-hit mitigation is enabled and
++ * to generate correct permissions for CR0.WP=0/CR4.SMEP=1/EFER.NX=0.
++ * The iTLB multi-hit workaround can be toggled at any time, so assume
++ * NX can be used by any non-nested shadow MMU to avoid having to reset
++ * MMU contexts. Note, KVM forces EFER.NX=1 when TDP is disabled.
++ */
++ bool uses_nx = context->nx || !tdp_enabled ||
+ context->mmu_role.base.smep_andnot_wp;
+ struct rsvd_bits_validate *shadow_zero_check;
+ int i;
diff --git a/queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch b/queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
new file mode 100644
index 00000000000..2aa83773780
--- /dev/null
+++ b/queue-5.4/net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
@@ -0,0 +1,40 @@
+From 7428022b50d0fbb4846dd0f00639ea09d36dff02 Mon Sep 17 00:00:00 2001
+From: DENG Qingfang
+Date: Wed, 11 Aug 2021 17:50:43 +0800
+Subject: net: dsa: mt7530: fix VLAN traffic leaks again
+
+From: DENG Qingfang
+
+commit 7428022b50d0fbb4846dd0f00639ea09d36dff02 upstream.
+
+When a port leaves a VLAN-aware bridge, the current code does not clear
+other ports' matrix field bit. If the bridge is later set to VLAN-unaware
+mode, traffic in the bridge may leak to that port.
+
+Remove the VLAN filtering check in mt7530_port_bridge_leave.
+
+Fixes: 474a2ddaa192 ("net: dsa: mt7530: fix VLAN traffic leaks")
+Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530")
+Signed-off-by: DENG Qingfang
+Reviewed-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mt7530.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -842,11 +842,8 @@ mt7530_port_bridge_leave(struct dsa_swit
+ /* Remove this port from the port matrix of the other ports
+ * in the same bridge. If the port is disabled, port matrix
+ * is kept and not being setup until the port becomes enabled.
+- * And the other port's port matrix cannot be broken when the
+- * other port is still a VLAN-aware port.
+ */
+- if (dsa_is_user_port(ds, i) && i != port &&
+- !dsa_port_is_vlan_filtering(&ds->ports[i])) {
++ if (dsa_is_user_port(ds, i) && i != port) {
+ if (dsa_to_port(ds, i)->bridge_dev != bridge)
+ continue;
+ if (priv->ports[i].enable)
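Review bot: The trimmed comment above the new `if (dsa_is_user_port(ds, i) && i != port) {` line no longer says why VLAN-aware neighbours are now cleared from the port matrix too, which is the whole point of the change and will look like an oversight to the next reader of mt7530_port_bridge_leave(). Suggest adding one line to that comment block, e.g. ` * The bit is cleared regardless of the other port's VLAN filtering state, otherwise a later switch of the bridge to VLAN-unaware mode would leak traffic to the port that left.` The enclosing loop starts before the hunk and continues after it, so the effect on the `priv->ports[i].enable` branch that follows cannot be judged from here.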
diff --git a/queue-5.4/series b/queue-5.4/series
index f7fa7196d18..0583cb40776 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -38,3 +38,7 @@ btrfs-fix-race-between-marking-inode-needs-to-be-logged-and-log-syncing.patch
 vt_kdsetmode-extend-console-locking.patch
 bpf-track-contents-of-read-only-maps-as-scalars.patch
 bpf-fix-cast-to-pointer-from-integer-of-different-size-warning.patch
+net-dsa-mt7530-fix-vlan-traffic-leaks-again.patch
+kvm-x86-mmu-treat-nx-as-used-not-reserved-for-all-tdp-shadow-mmus.patch
+arm64-dts-qcom-msm8994-angler-fix-gpio-reserved-ranges-85-88.patch
+btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
-- 
2.47.3