author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-27 16:00:15 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-27 16:00:15 +0100 |
commit | 53d4c7854df301b89326213dad881cdb46d27024 (patch) | |
tree | b9a6deaeb0d324ce11a0cfd0b44608c49fd41ebf | |
parent | 2810e86cdb04d807f0c233b8c34ec713f1d0d8c5 (diff) | |
download | stable-queue-53d4c7854df301b89326213dad881cdb46d27024.tar.gz |
6.6-stable patches
added patches:
firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
input-xpad-add-additional-hyperx-controller-identifiers.patch
kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch
kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
6 files changed, 315 insertions, 0 deletions
diff --git a/queue-6.6/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch b/queue-6.6/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
new file mode 100644
index 0000000000..a562a8f9cb
--- /dev/null
+++ b/queue-6.6/firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
@@ -0,0 +1,72 @@
+From 575801663c7dc38f826212b39e3b91a4a8661c33 Mon Sep 17 00:00:00 2001
+From: Edmund Raile <edmund.raile@proton.me>
+Date: Thu, 29 Feb 2024 14:47:59 +0000
+Subject: firewire: ohci: prevent leak of left-over IRQ on unbind
+
+From: Edmund Raile <edmund.raile@proton.me>
+
+commit 575801663c7dc38f826212b39e3b91a4a8661c33 upstream.
+
+Commit 5a95f1ded28691e6 ("firewire: ohci: use devres for requested IRQ")
+also removed the call to free_irq() in pci_remove(), leading to a
+leftover irq of devm_request_irq() at pci_disable_msi() in pci_remove()
+when unbinding the driver from the device
+
+remove_proc_entry: removing non-empty directory 'irq/136', leaking at
+least 'firewire_ohci'
+Call Trace:
+ ? remove_proc_entry+0x19c/0x1c0
+ ? __warn+0x81/0x130
+ ? remove_proc_entry+0x19c/0x1c0
+ ? report_bug+0x171/0x1a0
+ ? console_unlock+0x78/0x120
+ ? handle_bug+0x3c/0x80
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? remove_proc_entry+0x19c/0x1c0
+ unregister_irq_proc+0xf4/0x120
+ free_desc+0x3d/0xe0
+ ? kfree+0x29f/0x2f0
+ irq_free_descs+0x47/0x70
+ msi_domain_free_locked.part.0+0x19d/0x1d0
+ msi_domain_free_irqs_all_locked+0x81/0xc0
+ pci_free_msi_irqs+0x12/0x40
+ pci_disable_msi+0x4c/0x60
+ pci_remove+0x9d/0xc0 [firewire_ohci
+ 01b483699bebf9cb07a3d69df0aa2bee71db1b26]
+ pci_device_remove+0x37/0xa0
+ device_release_driver_internal+0x19f/0x200
+ unbind_store+0xa1/0xb0
+
+remove irq with devm_free_irq() before pci_disable_msi()
+also remove it in fail_msi: of pci_probe() as this would lead to
+an identical leak
+
+Cc: stable@vger.kernel.org
+Fixes: 5a95f1ded28691e6 ("firewire: ohci: use devres for requested IRQ")
+Signed-off-by: Edmund Raile <edmund.raile@proton.me>
+Link: https://lore.kernel.org/r/20240229144723.13047-2-edmund.raile@proton.me
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/ohci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -3773,6 +3773,7 @@ static int pci_probe(struct pci_dev *dev
+ return 0;
+ 
+ fail_msi:
++ devm_free_irq(&dev->dev, dev->irq, ohci);
+ pci_disable_msi(dev);
+ 
+ return err;
+@@ -3800,6 +3801,7 @@ static void pci_remove(struct pci_dev *d
+ 
+ software_reset(ohci);
+ 
++ devm_free_irq(&dev->dev, dev->irq, ohci);
+ pci_disable_msi(dev);
+ 
+ dev_notice(&dev->dev, "removing fw-ohci device\n");
diff --git a/queue-6.6/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch b/queue-6.6/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
new file mode 100644
index 0000000000..ede87690a8
--- /dev/null
+++ b/queue-6.6/init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
@@ -0,0 +1,64 @@
+From 3e00f5802fabf2f504070a591b14b648523ede13 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 23 Feb 2024 09:08:27 -0800
+Subject: init/Kconfig: lower GCC version check for -Warray-bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 3e00f5802fabf2f504070a591b14b648523ede13 upstream.
+
+We continue to see false positives from -Warray-bounds even in GCC 10,
+which is getting reported in a few places[1] still:
+
+security/security.c:811:2: warning: `memcpy' offset 32 is out of the bounds [0, 0] [-Warray-bounds]
+
+Lower the GCC version check from 11 to 10.
+
+Link: https://lkml.kernel.org/r/20240223170824.work.768-kees@kernel.org
+Reported-by: Lu Yao <yaolu@kylinos.cn>
+Closes: https://lore.kernel.org/lkml/20240117014541.8887-1-yaolu@kylinos.cn/
+Link: https://lore.kernel.org/linux-next/65d84438.620a0220.7d171.81a7@mx.google.com [1]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Marc Aurèle La France <tsi@tuyoix.net>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nhat Pham <nphamcs@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -876,14 +876,14 @@ config CC_IMPLICIT_FALLTHROUGH
+ default "-Wimplicit-fallthrough=5" if CC_IS_GCC && $(cc-option,-Wimplicit-fallthrough=5)
+ default "-Wimplicit-fallthrough" if CC_IS_CLANG && $(cc-option,-Wunreachable-code-fallthrough)
+ 
+-# Currently, disable gcc-11+ array-bounds globally.
++# Currently, disable gcc-10+ array-bounds globally.
+ # It's still broken in gcc-13, so no upper bound yet.
+-config GCC11_NO_ARRAY_BOUNDS
++config GCC10_NO_ARRAY_BOUNDS
+ def_bool y
+ 
+ config CC_NO_ARRAY_BOUNDS
+ bool
+- default y if CC_IS_GCC && GCC_VERSION >= 110000 && GCC11_NO_ARRAY_BOUNDS
++ default y if CC_IS_GCC && GCC_VERSION >= 100000 && GCC10_NO_ARRAY_BOUNDS
+ 
+ #
+ # For architectures that know their GCC __int128 support is sound
diff --git a/queue-6.6/input-xpad-add-additional-hyperx-controller-identifiers.patch b/queue-6.6/input-xpad-add-additional-hyperx-controller-identifiers.patch
new file mode 100644
index 0000000000..ec2376d362
--- /dev/null
+++ b/queue-6.6/input-xpad-add-additional-hyperx-controller-identifiers.patch
@@ -0,0 +1,45 @@
+From dd50f771af20fb02b1aecde04fbd085c872a9139 Mon Sep 17 00:00:00 2001
+From: Max Nguyen <maxwell.nguyen@hp.com>
+Date: Sun, 3 Mar 2024 14:13:52 -0800
+Subject: Input: xpad - add additional HyperX Controller Identifiers
+
+From: Max Nguyen <maxwell.nguyen@hp.com>
+
+commit dd50f771af20fb02b1aecde04fbd085c872a9139 upstream.
+
+Add additional HyperX device identifiers to xpad_device and xpad_table.
+
+Suggested-by: Chris Toledanes<chris.toledanes@hp.com>
+Reviewed-by: Carl Ng <carl.ng@hp.com>
+Signed-off-by: Max Nguyen <maxwell.nguyen@hp.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/44ad5ffa-76d8-4046-94ee-2ef171930ed2@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -130,7 +130,12 @@ static const struct xpad_device {
+ { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 },
+ { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 },
+ { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 },
++ { 0x03f0, 0x038D, "HyperX Clutch", 0, XTYPE_XBOX360 }, /* wired */
++ { 0x03f0, 0x048D, "HyperX Clutch", 0, XTYPE_XBOX360 }, /* wireless */
+ { 0x03f0, 0x0495, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE },
++ { 0x03f0, 0x07A0, "HyperX Clutch Gladiate RGB", 0, XTYPE_XBOXONE },
++ { 0x03f0, 0x08B6, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE }, /* v2 */
++ { 0x03f0, 0x09B4, "HyperX Clutch Tanto", 0, XTYPE_XBOXONE },
+ { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },
+@@ -463,6 +468,7 @@ static const struct usb_device_id xpad_t
+ { USB_INTERFACE_INFO('X', 'B', 0) }, /* Xbox USB-IF not-approved class */
+ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 controller */
+ XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */
++ XPAD_XBOX360_VENDOR(0x03f0), /* HP HyperX Xbox 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x03f0), /* HP HyperX Xbox One controllers */
+ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster Xbox 360 controllers */
+ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft Xbox 360 controllers */
diff --git a/queue-6.6/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch b/queue-6.6/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch
new file mode 100644
index 0000000000..97e0a32c5e
--- /dev/null
+++ b/queue-6.6/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch
@@ -0,0 +1,67 @@
+From 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 16 Feb 2024 17:34:30 -0800
+Subject: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 upstream.
+
+Do the cache flush of converted pages in svm_register_enc_region() before
+dropping kvm->lock to fix use-after-free issues where region and/or its
+array of pages could be freed by a different task, e.g. if userspace has
+__unregister_enc_region_locked() already queued up for the region.
+
+Note, the "obvious" alternative of using local variables doesn't fully
+resolve the bug, as region->pages is also dynamically allocated. I.e. the
+region structure itself would be fine, but region->pages could be freed.
+
+Flushing multiple pages under kvm->lock is unfortunate, but the entire
+flow is a rare slow path, and the manual flush is only needed on CPUs that
+lack coherency for encrypted memory.
+
+Fixes: 19a23da53932 ("Fix unsynchronized access to sev members through svm_register_enc_region")
+Reported-by: Gabe Kirkpatrick <gkirkpatrick@google.com>
+Cc: Josh Eads <josheads@google.com>
+Cc: Peter Gonda <pgonda@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20240217013430.2079561-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -1975,20 +1975,22 @@ int sev_mem_enc_register_region(struct k
+ goto e_free;
+ }
+ 
+- region->uaddr = range->addr;
+- region->size = range->size;
+-
+- list_add_tail(®ion->list, &sev->regions_list);
+- mutex_unlock(&kvm->lock);
+-
+ /*
+ * The guest may change the memory encryption attribute from C=0 -> C=1
+ * or vice versa for this memory range. Lets make sure caches are
+ * flushed to ensure that guest data gets written into memory with
+- * correct C-bit.
++ * correct C-bit. Note, this must be done before dropping kvm->lock,
++ * as region and its array of pages can be freed by a different task
++ * once kvm->lock is released.
+ */
+ sev_clflush_pages(region->pages, region->npages);
+ 
++ region->uaddr = range->addr;
++ region->size = range->size;
++
++ list_add_tail(®ion->list, &sev->regions_list);
++ mutex_unlock(&kvm->lock);
++
+ return ret;
+ 
+ e_free:
diff --git a/queue-6.6/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch b/queue-6.6/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
new file mode 100644
index 0000000000..2b987d4451
--- /dev/null
+++ b/queue-6.6/kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
@@ -0,0 +1,62 @@
+From 910c57dfa4d113aae6571c2a8b9ae8c430975902 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 14 Feb 2024 17:00:03 -0800
+Subject: KVM: x86: Mark target gfn of emulated atomic instruction as dirty
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 910c57dfa4d113aae6571c2a8b9ae8c430975902 upstream.
+
+When emulating an atomic access on behalf of the guest, mark the target
+gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This
+fixes a bug where KVM effectively corrupts guest memory during live
+migration by writing to guest memory without informing userspace that the
+page is dirty.
+
+Marking the page dirty got unintentionally dropped when KVM's emulated
+CMPXCHG was converted to do a user access. Before that, KVM explicitly
+mapped the guest page into kernel memory, and marked the page dirty during
+the unmap phase.
+
+Mark the page dirty even if the CMPXCHG fails, as the old data is written
+back on failure, i.e. the page is still written. The value written is
+guaranteed to be the same because the operation is atomic, but KVM's ABI
+is that all writes are dirty logged regardless of the value written. And
+more importantly, that's what KVM did before the buggy commit.
+
+Huge kudos to the folks on the Cc list (and many others), who did all the
+actual work of triaging and debugging.
+
+Fixes: 1c2361f667f3 ("KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses")
+Cc: stable@vger.kernel.org
+Cc: David Matlack <dmatlack@google.com>
+Cc: Pasha Tatashin <tatashin@google.com>
+Cc: Michael Krebs <mkrebs@google.com>
+base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Link: https://lore.kernel.org/r/20240215010004.1456078-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7840,6 +7840,16 @@ static int emulator_cmpxchg_emulated(str
+ 
+ if (r < 0)
+ return X86EMUL_UNHANDLEABLE;
++
++ /*
++ * Mark the page dirty _before_ checking whether or not the CMPXCHG was
++ * successful, as the old value is written back on failure. Note, for
++ * live migration, this is unnecessarily conservative as CMPXCHG writes
++ * back the original value and the access is atomic, but KVM's ABI is
++ * that all writes are dirty logged, regardless of the value written.
++ */
++ kvm_vcpu_mark_page_dirty(vcpu, gpa_to_gfn(gpa));
++
+ if (r)
+ return X86EMUL_CMPXCHG_FAILED;
+ 
diff --git a/queue-6.6/series b/queue-6.6/series
index 02cc7c9f51..baffb29868 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -207,3 +207,8 @@ mm-mmap-fix-vma_merge-case-7-with-vma_ops-close.patch
 selftests-mptcp-diag-return-ksft_fail-not-test_cnt.patch
 usb-typec-tpcm-fix-port_reset-behavior-for-self-powered-devices.patch
 cgroup-cpuset-fix-retval-in-update_cpumask.patch
+input-xpad-add-additional-hyperx-controller-identifiers.patch
+init-kconfig-lower-gcc-version-check-for-warray-bounds.patch
+firewire-ohci-prevent-leak-of-left-over-irq-on-unbind.patch
+kvm-x86-mark-target-gfn-of-emulated-atomic-instruction-as-dirty.patch
+kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch |
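Review bot: The new `devm_free_irq(&dev->dev, dev->irq, ohci);` under `fail_msi:` is only safe if every `goto fail_msi` in pci_probe() is taken after devm_request_irq() has succeeded, since free_irq() on an IRQ that was never requested raises its own warning instead of being a no-op; the body of pci_probe() is outside the hunk, so that ordering is worth confirming on the 6.6 tree rather than assumed from upstream. The call is also easy to mistake for a redundant devres teardown, so a one-line comment above it such as `/* release the devres-managed IRQ before pci_disable_msi() frees the vector */` would record why manual release is needed. The pci_remove() hunk makes the same change and the same comment applies there.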
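Review bot: The rewritten comment `# Currently, disable gcc-10+ array-bounds globally.` drops to gcc-10 without saying why, and the symbol rename from GCC11_NO_ARRAY_BOUNDS to GCC10_NO_ARRAY_BOUNDS carries no explanation either, so a reader of init/Kconfig cannot tell whether gcc-10 was included on evidence or by accident. Suggest carrying the evidence from the commit message into the file, e.g. `# gcc-10 also produces false positives (see the security/security.c memcpy warning in the commit that lowered this).` Widening the disable to one more compiler generation means genuine out-of-bounds accesses are no longer flagged at compile time on those builds, which is worth stating in the same comment so the bound can be raised again once the compiler is fixed.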
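Review bot: The five added xpad_device entries write their product ids with uppercase hex digits (`0x038D`, `0x048D`, `0x07A0`, `0x08B6`, `0x09B4`) while every neighbouring entry, including the existing HyperX line `0x0495`, uses lowercase; matching the table's convention, e.g. `{ 0x03f0, 0x038d, "HyperX Clutch", 0, XTYPE_XBOX360 }, /* wired */`, keeps grep and sort checks on the table consistent. Two entries now share the user-visible name "HyperX Clutch Gladiate" (existing 0x0495 and new 0x08B6, distinguished only by the `/* v2 */` source comment), so if the v2 device is ever to be told apart in userspace the name string is the only place that can happen. The xpad_table hunk is consistent: the new XPAD_XBOX360_VENDOR(0x03f0) line sits beside the existing XBOXONE entry for the same vendor.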
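Review bot: The added comment says the flush must happen before kvm->lock is dropped, but nothing in the code enforces that ordering, so a later reshuffle could reintroduce the use-after-free silently; a `lockdep_assert_held(&kvm->lock);` immediately before `sev_clflush_pages(region->pages, region->npages);` turns the documented invariant into a debug-build check. With the flush now under the lock its hold time scales with region->npages, which originates from the userspace request; whether an upper bound on that count is enforced earlier in sev_mem_enc_register_region() is outside the hunk, and a short mention of it in the same comment would help the next reader judge the trade-off the commit message accepts. Separately, this page renders both the removed and added list_add_tail() lines as `list_add_tail(®ion->list, ...)`; presumably that is an HTML entity artifact of the rendering for `&region->list` rather than text in the patch itself.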
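Review bot: The new comment explains why the page is marked dirty even when the CMPXCHG fails, but not why the `r < 0` path just above is excluded, which is the case a reader is most likely to question when comparing against the commit message's "attempted and doesn't fault"; appending one sentence such as `A faulting access (r < 0) writes nothing and has already returned above.` closes that gap. The placement of `kvm_vcpu_mark_page_dirty(vcpu, gpa_to_gfn(gpa));` between the fault check and the `if (r)` failure check matches the stated intent, and emulator_cmpxchg_emulated() begins and ends outside the hunk.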