1. 04 Aug, 2023 4 commits
      Merge tag 'kvmarm-fixes-6.5-2' of... · 251199f4
      Paolo Bonzini authored
      Merge tag 'kvmarm-fixes-6.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD
      
      KVM/arm64 fixes for 6.5, part #2
      
       - Fixes for the configuration of SVE/SME traps when hVHE mode is in use
      
       - Allow use of pKVM on systems with FF-A implementations that are v1.0
         compatible
      
       - Request/release percpu IRQs (arch timer, vGIC maintenance) correctly
         when pKVM is in use
      
       - Fix function prototype after __kvm_host_psci_cpu_entry() rename
      
       - Skip to the next instruction when emulating writes to TCR_EL1 on
         AmpereOne systems
      KVM: SEV: remove ghcb variable declarations · 63dbc67c
      Paolo Bonzini authored
      To avoid possible time-of-check/time-of-use issues, the GHCB should
      almost never be accessed outside dump_ghcb, sev_es_sync_to_ghcb
      and sev_es_sync_from_ghcb.  The only legitimate uses are to set the
      exitinfo fields and to find the address of the scratch area embedded
in the ghcb.  Accessing ghcb_usage also goes through svm->sev_es.ghcb
in sev_es_validate_vmgexit(), but that is because the value is not
used anyway.
      
      Removing a shortcut variable that contains the value of svm->sev_es.ghcb
      makes these cases a bit more verbose, but it limits the chance of someone
      reading the ghcb by mistake.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      KVM: SEV: only access GHCB fields once · 7588dbce
      Paolo Bonzini authored
      A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger
      a double fetch race condition vulnerability and invoke the VMGEXIT
      handler recursively.
      
      sev_handle_vmgexit() maps the GHCB page using kvm_vcpu_map() and then
      fetches the exit code using ghcb_get_sw_exit_code().  Soon after,
      sev_es_validate_vmgexit() fetches the exit code again. Since the GHCB
      page is shared with the guest, the guest is able to quickly swap the
      values with another vCPU and hence bypass the validation. One vmexit code
      that can be rejected by sev_es_validate_vmgexit() is SVM_EXIT_VMGEXIT;
      if sev_handle_vmgexit() observes it in the second fetch, the call
      to svm_invoke_exit_handler() will invoke sev_handle_vmgexit() again
      recursively.
      
      To avoid the race, always fetch the GHCB data from the places where
      sev_es_sync_from_ghcb stores it.
      
Exploiting recursion in the Linux kernel has been proven feasible
      in the past, but the impact is mitigated by stack guard pages
      (CONFIG_VMAP_STACK).  Still, if an attacker manages to call the handler
      multiple times, they can theoretically trigger a stack overflow and
      cause a denial-of-service, or potentially guest-to-host escape in kernel
      configurations without stack guard pages.
      
      Note that winning the race reliably in every iteration is very tricky
      due to the very tight window of the fetches; depending on the compiler
      settings, they are often consecutive because of optimization and inlining.
      
      Tested by booting an SEV-ES RHEL9 guest.
      
      Fixes: CVE-2023-4155
      Fixes: 291bd20d ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
      Cc: stable@vger.kernel.org
Reported-by: Andy Nguyen <theflow@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      KVM: SEV: snapshot the GHCB before accessing it · 4e15a0dd
      Paolo Bonzini authored
      Validation of the GHCB is susceptible to time-of-check/time-of-use vulnerabilities.
      To avoid them, we would like to always snapshot the fields that are read in
      sev_es_validate_vmgexit(), and not use the GHCB anymore after it returns.
      
      This means:
      
      - invoking sev_es_sync_from_ghcb() before any GHCB access, including before
        sev_es_validate_vmgexit()
      
- snapshotting all fields including the valid bitmap and the sw_scratch field,
  which are currently not cached anywhere.
      
      The valid bitmap is the first thing to be copied out of the GHCB; then,
      further accesses will use the copy in svm->sev_es.
      
      Fixes: 291bd20d ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
      Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
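The three SEV commits above (7588dbce, 63dbc67c and 4e15a0dd) describe one bug class: a host that reads a guest-shared GHCB field twice can validate one value and act on another. The following is an added, constructed model of that double fetch and of the snapshot fix; it is not KVM code. The page layout, the valid-bitmap indexing (bit N covers field N here), the exit handlers and the read order are simplified stand-ins, and the racing vCPU is replaced by a deterministic hook that rewrites the shared page between consecutive host reads. Only the exit code values are taken from the kernel's uapi/asm/svm.h.

```c
/*
 * Constructed model of the GHCB double fetch (CVE-2023-4155) and its fix.
 * Not KVM code: layout, bitmap indexing, handlers and read order are
 * simplified; the second vCPU is modelled by fetch_exit_code() below.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exit code values match arch/x86/include/uapi/asm/svm.h. */
#define SVM_EXIT_MSR      0x07c
#define SVM_EXIT_VMGEXIT  0x403

#define MAX_DEPTH 8   /* stand-in for the kernel stack being exhausted */

/* Constructed stand-in for the guest-shared GHCB page. The bitmap marks the
 * fields the guest claims to have filled in; here bit N covers field N. */
enum { F_EXIT_CODE, F_EXIT_INFO_1, F_EXIT_INFO_2, F_SCRATCH, F_COUNT };
struct ghcb {
    uint64_t field[F_COUNT];
    uint8_t  valid_bitmap;
};

/* Deterministic stand-in for the other vCPU: it alternates the exit code on
 * every host read, so any path that reads it twice validates one value and
 * dispatches on another. A real attacker spins a second vCPU instead. */
struct racing_guest {
    struct ghcb *page;
    uint64_t legit_code;    /* what the guest wants validation to see */
    uint64_t smuggled_code; /* what it wants dispatch to see */
    int reads_seen;
};

static uint64_t fetch_exit_code(struct racing_guest *g)
{
    g->page->field[F_EXIT_CODE] =
        (g->reads_seen++ % 2 == 0) ? g->legit_code : g->smuggled_code;
    return g->page->field[F_EXIT_CODE];
}

/* Model of sev_es_validate_vmgexit(): the code must be one the host handles
 * and the fields it needs must be flagged valid. A nested VMGEXIT is never legal. */
static int validate(uint64_t code, uint8_t valid_bitmap)
{
    switch (code) {
    case SVM_EXIT_MSR:
        return (valid_bitmap & (1u << F_EXIT_INFO_1)) ? 0 : -1;
    default:
        return -1;
    }
}

/* Before the fix: validation and dispatch each fetch from the shared page. */
static int handle_double_fetch(struct racing_guest *g, int depth)
{
    if (depth >= MAX_DEPTH)
        return depth;
    if (validate(fetch_exit_code(g), g->page->valid_bitmap) != 0)
        return -1;
    /* Second fetch: the racing vCPU has already swapped the value. */
    switch (fetch_exit_code(g)) {
    case SVM_EXIT_VMGEXIT:
        return handle_double_fetch(g, depth + 1); /* the recursion the CVE describes */
    case SVM_EXIT_MSR:
        return depth;                             /* MSR exit handled normally */
    default:
        return -1;
    }
}

/* After the fix: copy every field the host will look at, bitmap included,
 * in one pass, then validate and dispatch from the copy only. */
static int handle_snapshot(struct racing_guest *g, int depth)
{
    struct ghcb snap;

    snap.valid_bitmap = g->page->valid_bitmap;
    snap.field[F_EXIT_CODE] = fetch_exit_code(g);   /* the only read of this field */
    memcpy(&snap.field[F_EXIT_INFO_1], &g->page->field[F_EXIT_INFO_1],
           (F_COUNT - F_EXIT_INFO_1) * sizeof(uint64_t));

    if (validate(snap.field[F_EXIT_CODE], snap.valid_bitmap) != 0)
        return -1;
    /* Same copy that was validated: a smuggled SVM_EXIT_VMGEXIT cannot reach here. */
    return snap.field[F_EXIT_CODE] == SVM_EXIT_MSR ? depth : -1;
}

static void setup(struct ghcb *page, struct racing_guest *g)
{
    memset(page, 0, sizeof(*page));
    page->valid_bitmap = (1u << F_EXIT_CODE) | (1u << F_EXIT_INFO_1) | (1u << F_EXIT_INFO_2);
    g->page = page;
    g->legit_code = SVM_EXIT_MSR;
    g->smuggled_code = SVM_EXIT_VMGEXIT;
    g->reads_seen = 0;
}

/* Depth the double-fetch handler recurses to before MAX_DEPTH stops it. */
int double_fetch_depth(void)
{
    struct ghcb page; struct racing_guest g;
    setup(&page, &g);
    return handle_double_fetch(&g, 0);
}

/* First VMGEXIT under the snapshot handler: MSR exit handled at depth 0. */
int snapshot_first_exit(void)
{
    struct ghcb page; struct racing_guest g;
    setup(&page, &g);
    return handle_snapshot(&g, 0);
}

/* Second VMGEXIT: the swapped-in VMGEXIT code is rejected instead of recursing. */
int snapshot_second_exit(void)
{
    struct ghcb page; struct racing_guest g;
    setup(&page, &g);
    handle_snapshot(&g, 0);
    return handle_snapshot(&g, 0);
}

int main(void)
{
    printf("double fetch: recursed to depth %d\n", double_fetch_depth());
    printf("snapshot: first exit -> %d, second exit -> %d\n",
           snapshot_first_exit(), snapshot_second_exit());
    return 0;
}
```

The model deliberately makes the guest win every race; the commit message notes that in practice the fetches are close together and winning reliably is hard, which is why the fix is structural (one read, then work from the host copy) rather than a retry loop or a re-check, since a re-check is itself another read of attacker-controlled memory.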
  2. 29 Jul, 2023 21 commits
  3. 28 Jul, 2023 1 commit
  4. 26 Jul, 2023 8 commits
  5. 23 Jul, 2023 6 commits
      Linux 6.5-rc3 · 6eaae198
      Linus Torvalds authored
      Merge tag 'trace-v6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 3b4e48b8
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Swapping the ring buffer for snapshotting (for things like irqsoff)
         can crash if the ring buffer is being resized. Disable swapping when
         this happens. The missed swap will be reported to the tracer
      
       - Report error if the histogram fails to be created due to an error in
         adding a histogram variable, in event_hist_trigger_parse()
      
       - Remove unused declaration of tracing_map_set_field_descr()
      
      * tag 'trace-v6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing/histograms: Return an error if we fail to add histogram to hist_vars list
        ring-buffer: Do not swap cpu_buffer during resize process
        tracing: Remove unused extern declaration tracing_map_set_field_descr()
      Merge tag 'kbuild-fixes-v6.5' of... · 12a5336c
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Fix stale help text in gconfig
      
       - Support *.S files in compile_commands.json
      
       - Flatten KBUILD_CFLAGS
      
       - Fix external module builds with Rust so that temporary files are
         created in the modules directories instead of the kernel tree
      
      * tag 'kbuild-fixes-v6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: rust: avoid creating temporary files
        kbuild: flatten KBUILD_CFLAGS
        gen_compile_commands: add assembly files to compilation database
        kconfig: gconfig: correct program name in help text
        kconfig: gconfig: drop the Show Debug Info help text
      kbuild: rust: avoid creating temporary files · df01b7cf
      Miguel Ojeda authored
      `rustc` outputs by default the temporary files (i.e. the ones saved
      by `-Csave-temps`, such as `*.rcgu*` files) in the current working
      directory when `-o` and `--out-dir` are not given (even if
      `--emit=x=path` is given, i.e. it does not use those for temporaries).
      
      Since out-of-tree modules are compiled from the `linux` tree,
      `rustc` then tries to create them there, which may not be accessible.
      
      Thus pass `--out-dir` explicitly, even if it is just for the temporary
      files.
      
      Similarly, do so for Rust host programs too.

Reported-by: Raphael Nestler <raphael.nestler@gmail.com>
Closes: https://github.com/Rust-for-Linux/linux/issues/1015
Reported-by: Andrea Righi <andrea.righi@canonical.com>
      Tested-by: Raphael Nestler <raphael.nestler@gmail.com> # non-hostprogs
      Tested-by: Andrea Righi <andrea.righi@canonical.com> # non-hostprogs
      Fixes: 295d8398 ("kbuild: specify output names separately for each emission type from rustc")
      Cc: stable@vger.kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 269f4a4b
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "ARM:
      
         - Avoid pKVM finalization if KVM initialization fails
      
         - Add missing BTI instructions in the hypervisor, fixing an early
           boot failure on BTI systems
      
         - Handle MMU notifiers correctly for non hugepage-aligned memslots
      
         - Work around a bug in the architecture where hypervisor timer
           controls have UNKNOWN behavior under nested virt
      
         - Disable preemption in kvm_arch_hardware_enable(), fixing a kernel
           BUG in cpu hotplug resulting from per-CPU accessor sanity checking
      
         - Make WFI emulation on GICv4 systems robust w.r.t. preemption,
           consistently requesting a doorbell interrupt on vcpu_put()
      
         - Uphold RES0 sysreg behavior when emulating older PMU versions
      
         - Avoid macro expansion when initializing PMU register names,
           ensuring the tracepoints pretty-print the sysreg
      
        s390:
      
         - Two fixes for asynchronous destroy
      
        x86 fixes will come early next week"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: s390: pv: fix index value of replaced ASCE
        KVM: s390: pv: simplify shutdown and fix race
        KVM: arm64: Fix the name of sys_reg_desc related to PMU
        KVM: arm64: Correctly handle RES0 bits PMEVTYPER<n>_EL0.evtCount
        KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption
        KVM: arm64: Add missing BTI instructions
        KVM: arm64: Correctly handle page aging notifiers for unaligned memslot
        KVM: arm64: Disable preemption in kvm_arch_hardware_enable()
        KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm
        KVM: arm64: timers: Use CNTHCTL_EL2 when setting non-CNTKCTL_EL1 bits
      Merge tag 'ext4_for_linus-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 15b593ba
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Bug and regression fixes for 6.5-rc3 for ext4's mballoc and jbd2's
        checkpoint code"
      
      * tag 'ext4_for_linus-6.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix rbtree traversal bug in ext4_mb_use_preallocated
        ext4: fix off by one issue in ext4_mb_choose_next_group_best_avail()
        ext4: correct inline offset when handling xattrs in inode body
        jbd2: remove __journal_try_to_free_buffer()
        jbd2: fix a race when checking checkpoint buffer busy
        jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
        jbd2: remove journal_clean_one_cp_list()
        jbd2: remove t_checkpoint_io_list
        jbd2: recheck chechpointing non-dirty buffer