- Linux-stable-mirror - lists.linaro.org

[PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map

by Jackie Liu

From: Radim Krčmář <rkrcmar(a)redhat.com> KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be bigger that the maximal number of VCPUs, resulting in out-of-bounds access. Found by syzkaller: BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...] Write of size 1 by task a.out/27101 CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [...] Call Trace: [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905 [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495 [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86 [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360 [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222 [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235 [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670 [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668 [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999 [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099 Reported-by: Dmitry Vyukov <dvyukov(a)google.com> Cc: stable(a)vger.kernel.org Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023") Reviewed-by: Paolo Bonzini <pbonzini(a)redhat.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> Signed-off-by: Jackie Liu <liuyun01(a)kylinos.cn> --- arch/x86/kvm/ioapic.c | 2 +- arch/x86/kvm/ioapic.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c index ec62df3..d25cbac 100644 --- a/arch/x86/kvm/ioapic.c +++ b/arch/x86/kvm/ioapic.c @@ -94,7 +94,7 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic) { ioapic->rtc_status.pending_eoi = 0; - bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS); + bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID); } static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic); diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h index 7d2692a..1cc6e54 100644 --- a/arch/x86/kvm/ioapic.h +++ b/arch/x86/kvm/ioapic.h @@ -42,13 +42,13 @@ struct kvm_vcpu; struct dest_map { /* vcpu bitmap where IRQ has been sent */ - DECLARE_BITMAP(map, KVM_MAX_VCPUS); + DECLARE_BITMAP(map, KVM_MAX_VCPU_ID); /* * Vector sent to a given vcpu, only valid when * the vcpu's bit in map is set */ - u8 vectors[KVM_MAX_VCPUS]; + u8 vectors[KVM_MAX_VCPU_ID]; }; -- 2.7.4

5 years, 12 months

1
1
0 0

[PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace

by Jackie Liu

From: Jason Gunthorpe <jgg(a)mellanox.com> mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes were written. Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp") Cc: <stable(a)vger.kernel.org> Acked-by: Leon Romanovsky <leonro(a)mellanox.com> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> Signed-off-by: Jackie Liu <liuyun01(a)kylinos.cn> --- drivers/infiniband/hw/mlx5/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c index cfcfbb6..359d41e 100644 --- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -861,7 +861,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, { struct mlx5_ib_resources *devr = &dev->devr; struct mlx5_core_dev *mdev = dev->mdev; - struct mlx5_ib_create_qp_resp resp; + struct mlx5_ib_create_qp_resp resp = {}; struct mlx5_create_qp_mbox_in *in; struct mlx5_ib_create_qp ucmd; int inlen = sizeof(*in); -- 2.7.4

5 years, 12 months

1
1
0 0

[PATCH] KVM: X86: Fix warning in handle_desc

by Wanpeng Li

From: Wanpeng Li <wanpengli(a)tencent.com> Reported by syzkaller: WARNING: CPU: 0 PID: 6544 at /home/kernel/data/kvm/arch/x86/kvm//vmx/vmx.c:4689 handle_desc+0x37/0x40 [kvm_intel] CPU: 0 PID: 6544 Comm: a.out Tainted: G OE 5.3.0-rc4+ #4 RIP: 0010:handle_desc+0x37/0x40 [kvm_intel] Call Trace: vmx_handle_exit+0xbe/0x6b0 [kvm_intel] vcpu_enter_guest+0x4dc/0x18d0 [kvm] kvm_arch_vcpu_ioctl_run+0x407/0x660 [kvm] kvm_vcpu_ioctl+0x3ad/0x690 [kvm] do_vfs_ioctl+0xa2/0x690 ksys_ioctl+0x6d/0x80 __x64_sys_ioctl+0x1a/0x20 do_syscall_64+0x74/0x720 entry_SYSCALL_64_after_hwframe+0x49/0xbe When CR4.UMIP is set, guest should have UMIP cpuid flag. Current kvm set_sregs function doesn't have such check when userspace inputs sregs values. SECONDARY_EXEC_DESC is enabled on writes to CR4.UMIP in vmx_set_cr4 though guest doesn't have UMIP cpuid flag. The testcast triggers handle_desc warning when executing ltr instruction since guest architectural CR4 doesn't set UMIP. This patch fixes it by adding check for guest UMIP cpuid flag when get sreg inputs from userspace. Reported-by: syzbot+0f1819555fbdce992df9(a)syzkaller.appspotmail.com Fixes: 0367f205a3b7 ("KVM: vmx: add support for emulating UMIP") Cc: stable(a)vger.kernel.org Signed-off-by: Wanpeng Li <wanpengli(a)tencent.com> --- Note: syzbot report link https://lkml.org/lkml/2019/9/11/799 arch/x86/kvm/x86.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index f7cfd8e..83288ba 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -8645,6 +8645,10 @@ static int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) (sregs->cr4 & X86_CR4_OSXSAVE)) return -EINVAL; + if (!guest_cpuid_has(vcpu, X86_FEATURE_UMIP) && + (sregs->cr4 & X86_CR4_UMIP)) + return -EINVAL; + if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG)) { /* * When EFER.LME and CR0.PG are set, the processor is in -- 2.7.4

5 years, 12 months

2
2
0 0

mips patches for v4.4.y, v4.9.y, and v4.14.y

by Guenter Roeck

Hi Greg, please apply the following patches to v4.4.y, v4.9.y, and v4.14.y. 351fdddd3662 ("MIPS: VDSO: Prevent use of smp_processor_id()") 0648e50e548d ("MIPS: VDSO: Use same -m%-float cflag as the kernel proper") The second patch fixes the build error reported for decstation_defconfig and others by kernelci, and the first patch is needed to avoid a merge conflict (and it doesn't hurt to have it in the branch). Thanks, Guenter

5 years, 12 months

2
1
0 0

[PATCH] gpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source

by Bartosz Golaszewski

From: Bartosz Golaszewski <bgolaszewski(a)baylibre.com> When emulating open-drain/open-source by not actively driving the output lines - we're simply changing their mode to input. This is wrong as it will then make it impossible to change the value of such line - it's now considered to actually be in input mode. If we want to still use the direction_input() callback for simplicity then we need to set FLAG_IS_OUT manually in gpiod_direction_output() and not clear it in gpio_set_open_drain_value_commit() and gpio_set_open_source_value_commit(). Fixes: c663e5f56737 ("gpio: support native single-ended hardware drivers") Cc: stable(a)vger.kernel.org Reported-by: Kent Gibson <warthog618(a)gmail.com> Signed-off-by: Bartosz Golaszewski <bgolaszewski(a)baylibre.com> --- drivers/gpio/gpiolib.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index cca749010cd0..6bb4191d3844 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -2769,8 +2769,10 @@ int gpiod_direction_output(struct gpio_desc *desc, int value) if (!ret) goto set_output_value; /* Emulate open drain by not actively driving the line high */ - if (value) - return gpiod_direction_input(desc); + if (value) { + ret = gpiod_direction_input(desc); + goto set_output_flag; + } } else if (test_bit(FLAG_OPEN_SOURCE, &desc->flags)) { ret = gpio_set_config(gc, gpio_chip_hwgpio(desc), @@ -2778,8 +2780,10 @@ int gpiod_direction_output(struct gpio_desc *desc, int value) if (!ret) goto set_output_value; /* Emulate open source by not actively driving the line low */ - if (!value) - return gpiod_direction_input(desc); + if (!value) { + ret = gpiod_direction_input(desc); + goto set_output_flag; + } } else { gpio_set_config(gc, gpio_chip_hwgpio(desc), PIN_CONFIG_DRIVE_PUSH_PULL); @@ -2787,6 +2791,17 @@ int gpiod_direction_output(struct gpio_desc *desc, int value) set_output_value: return gpiod_direction_output_raw_commit(desc, value); + +set_output_flag: + /* + * When emulating open-source or open-drain functionalities by not + * actively driving the line (setting mode to input) we still need to + * set the IS_OUT flag or otherwise we won't be able to set the line + * value anymore. + */ + if (ret == 0) + set_bit(FLAG_IS_OUT, &desc->flags); + return ret; } EXPORT_SYMBOL_GPL(gpiod_direction_output); @@ -3147,8 +3162,6 @@ static void gpio_set_open_drain_value_commit(struct gpio_desc *desc, bool value) if (value) { err = chip->direction_input(chip, offset); - if (!err) - clear_bit(FLAG_IS_OUT, &desc->flags); } else { err = chip->direction_output(chip, offset, 0); if (!err) @@ -3178,8 +3191,6 @@ static void gpio_set_open_source_value_commit(struct gpio_desc *desc, bool value set_bit(FLAG_IS_OUT, &desc->flags); } else { err = chip->direction_input(chip, offset); - if (!err) - clear_bit(FLAG_IS_OUT, &desc->flags); } trace_gpio_direction(desc_to_gpio(desc), !value, err); if (err < 0) -- 2.21.0

5 years, 12 months

1
1
0 0

Re: [PATCH v2] powerpc/xive: Fix bogus error code returned by OPAL

by Greg Kurz

On Thu, 12 Sep 2019 07:30:49 +0000 Sasha Levin <sashal(a)kernel.org> wrote: > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: 4.12+ > > The bot has tested the following trees: v5.2.14, v4.19.72, v4.14.143. > > v5.2.14: Build OK! > v4.19.72: Failed to apply! Possible dependencies: > 75d9fc7fd94e ("powerpc/powernv: move OPAL call wrapper tracing and interrupt handling to C") > This is the only dependency indeed. > v4.14.143: Failed to apply! Possible dependencies: > 104daea149c4 ("kconfig: reference environment variables directly and remove 'option env='") > 21c54b774744 ("kconfig: show compiler version text in the top comment") > 315bab4e972d ("kbuild: fix endless syncconfig in case arch Makefile sets CROSS_COMPILE") > 3298b690b21c ("kbuild: Add a cache for generated variables") > 4e56207130ed ("kbuild: Cache a few more calls to the compiler") > 75d9fc7fd94e ("powerpc/powernv: move OPAL call wrapper tracing and interrupt handling to C") > 8f2133cc0e1f ("powerpc/pseries: hcall_exit tracepoint retval should be signed") > 9a234a2e3843 ("kbuild: create directory for make cache only when necessary") > d677a4d60193 ("Makefile: support flag -fsanitizer-coverage=trace-cmp") > e08d6de4e532 ("kbuild: remove kbuild cache") > e17c400ae194 ("kbuild: shrink .cache.mk when it exceeds 1000 lines") > e501ce957a78 ("x86: Force asm-goto") > e9666d10a567 ("jump_label: move 'asm goto' support test to Kconfig") > That's quite a lot of patches to workaround a hard to hit skiboot bug. As an alternative, the patch can be backported so that it applies the following change: -OPAL_CALL(opal_xive_allocate_irq, OPAL_XIVE_ALLOCATE_IRQ); +OPAL_CALL(opal_xive_allocate_irq_raw, OPAL_XIVE_ALLOCATE_IRQ); to "arch/powerpc/platforms/powernv/opal-wrappers.S" instead of "arch/powerpc/platforms/powernv/opal-call.c" . BTW, this could also be done for 4.19.y . > > NOTE: The patch will not be queued to stable trees until it is upstream. > > How should we proceed with this patch? > Michael ? > -- > Thanks, > Sasha

5 years, 12 months

3
3
0 0

stable-rc/linux-4.9.y boot: 114 boots: 0 failed, 105 passed with 9 offline (v4.9.193-21-g2b9f5e7cd4e8)

by kernelci.org bot

stable-rc/linux-4.9.y boot: 114 boots: 0 failed, 105 passed with 9 offline (v4.9.193-21-g2b9f5e7cd4e8) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.9.y/kernel/v4.9.… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.9.y/kernel/v4.9.193-21-… Tree: stable-rc Branch: linux-4.9.y Git Describe: v4.9.193-21-g2b9f5e7cd4e8 Git Commit: 2b9f5e7cd4e8f73a7ee95b5b6a877842e00ea94f Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 57 unique boards, 22 SoC families, 14 builds out of 197 Offline Platforms: arm64: defconfig: gcc-8 apq8016-sbc: 1 offline lab arm: multi_v7_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab sun5i-r8-chip: 1 offline lab davinci_all_defconfig: gcc-8 dm365evm,legacy: 1 offline lab qcom_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab sunxi_defconfig: gcc-8 sun5i-r8-chip: 1 offline lab sun7i-a20-bananapi: 1 offline lab --- For more info write to <info(a)kernelci.org>

5 years, 12 months

1
0
0 0

stable-rc/linux-4.4.y boot: 101 boots: 2 failed, 87 passed with 11 offline, 1 conflict (v4.4.193-18-g8cf87db9cf54)

by kernelci.org bot

stable-rc/linux-4.4.y boot: 101 boots: 2 failed, 87 passed with 11 offline, 1 conflict (v4.4.193-18-g8cf87db9cf54) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.4.y/kernel/v4.4.… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.4.y/kernel/v4.4.193-18-… Tree: stable-rc Branch: linux-4.4.y Git Describe: v4.4.193-18-g8cf87db9cf54 Git Commit: 8cf87db9cf54cf6dfec1f630cebd7980bc5750e1 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 48 unique boards, 18 SoC families, 13 builds out of 190 Boot Regressions Detected: arm: davinci_all_defconfig: gcc-8: da850-evm: lab-baylibre-seattle: new failure (last pass: v4.4.193) dm365evm,legacy: lab-baylibre-seattle: new failure (last pass: v4.4.193) Boot Failures Detected: arm64: defconfig: gcc-8: qcom-qdf2400: 1 failed lab arm: davinci_all_defconfig: gcc-8: da850-evm: 1 failed lab Offline Platforms: arm64: defconfig: gcc-8 apq8016-sbc: 1 offline lab arm: multi_v7_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab sun5i-r8-chip: 1 offline lab sun7i-a20-bananapi: 1 offline lab sunxi_defconfig: gcc-8 sun5i-r8-chip: 1 offline lab davinci_all_defconfig: gcc-8 dm365evm,legacy: 1 offline lab qcom_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab exynos_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab Conflicting Boot Failure Detected: (These likely are not failures as other labs are reporting PASS. Needs review.) arm: exynos_defconfig: exynos5422-odroidxu3: lab-baylibre: FAIL (gcc-8) lab-collabora: PASS (gcc-8) --- For more info write to <info(a)kernelci.org>

5 years, 12 months

1
0
0 0

stable-rc/linux-4.14.y boot: 129 boots: 0 failed, 118 passed with 11 offline (v4.14.144-25-g3b0b9274c371)

by kernelci.org bot

stable-rc/linux-4.14.y boot: 129 boots: 0 failed, 118 passed with 11 offline (v4.14.144-25-g3b0b9274c371) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.14.y/kernel/v4.1… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.14.y/kernel/v4.14.144-2… Tree: stable-rc Branch: linux-4.14.y Git Describe: v4.14.144-25-g3b0b9274c371 Git Commit: 3b0b9274c37144cd94043acf4e29a55bf535dce9 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 68 unique boards, 23 SoC families, 13 builds out of 201 Offline Platforms: arm64: defconfig: gcc-8 apq8016-sbc: 1 offline lab arm: multi_v7_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab sun5i-r8-chip: 1 offline lab sun7i-a20-bananapi: 1 offline lab sunxi_defconfig: gcc-8 sun5i-r8-chip: 1 offline lab davinci_all_defconfig: gcc-8 dm365evm,legacy: 1 offline lab qcom_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab exynos_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab --- For more info write to <info(a)kernelci.org>

5 years, 12 months

1
0
0 0

stable-rc/linux-5.2.y boot: 145 boots: 2 failed, 133 passed with 10 offline (v5.2.15-49-g08e7f5e8f180)

by kernelci.org bot

stable-rc/linux-5.2.y boot: 145 boots: 2 failed, 133 passed with 10 offline (v5.2.15-49-g08e7f5e8f180) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-5.2.y/kernel/v5.2.… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-5.2.y/kernel/v5.2.15-49-g… Tree: stable-rc Branch: linux-5.2.y Git Describe: v5.2.15-49-g08e7f5e8f180 Git Commit: 08e7f5e8f180bcd94e3cd96ffd6f0bb9df43ca13 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 85 unique boards, 28 SoC families, 17 builds out of 209 Boot Failures Detected: arm64: defconfig: gcc-8: meson-gxl-s905d-p230: 1 failed lab arm: multi_v7_defconfig: gcc-8: exynos5800-peach-pi: 1 failed lab Offline Platforms: arm64: defconfig: gcc-8 apq8016-sbc: 1 offline lab arm: multi_v7_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab sun5i-r8-chip: 1 offline lab sunxi_defconfig: gcc-8 sun5i-r8-chip: 1 offline lab sun7i-a20-bananapi: 1 offline lab davinci_all_defconfig: gcc-8 dm365evm,legacy: 1 offline lab qcom_defconfig: gcc-8 qcom-apq8064-cm-qs600: 1 offline lab qcom-apq8064-ifc6410: 1 offline lab exynos_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab --- For more info write to <info(a)kernelci.org>

5 years, 12 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror