  18 Dec, 2018 12 commits
      Merge tag 'for-linus-20181218' of git://git.kernel.dk/linux-block · 62393dbc
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Correct an ioctl direction for the zoned ioctls"
      
      * tag 'for-linus-20181218' of git://git.kernel.dk/linux-block:
        uapi: linux/blkzoned.h: fix BLKGETZONESZ and BLKGETNRZONES definitions
      Merge tag 'pci-v4.20-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · e738441e
      Linus Torvalds authored
      Pull PCI fix from Bjorn Helgaas:
       "Fix the ACPI APEI error path, which previously queued several
        uninitialized events (Yanjiang Jin)"
      
      * tag 'pci-v4.20-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI/AER: Queue one GHES event, not several uninitialized ones
      kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs · 0e1b869f
      Eduardo Habkost authored
      Some guest OSes (including Windows 10) write to MSR 0xc001102c
      in some cases (possibly while trying to apply a CPU erratum).
      Make KVM ignore reads and writes to that MSR, so the guest won't
      crash.
      
      The MSR is documented as "Execution Unit Configuration (EX_CFG)",
      at AMD's "BIOS and Kernel Developer's Guide (BKDG) for AMD Family
      15h Models 00h-0Fh Processors".
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      KVM: X86: Fix NULL deref in vcpu_scan_ioapic · dcbd3e49
      Wanpeng Li authored
      Reported by syzkaller:
      
          CPU: 1 PID: 5962 Comm: syz-executor118 Not tainted 4.20.0-rc6+ #374
          Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
          RIP: 0010:kvm_apic_hw_enabled arch/x86/kvm/lapic.h:169 [inline]
          RIP: 0010:vcpu_scan_ioapic arch/x86/kvm/x86.c:7449 [inline]
          RIP: 0010:vcpu_enter_guest arch/x86/kvm/x86.c:7602 [inline]
          RIP: 0010:vcpu_run arch/x86/kvm/x86.c:7874 [inline]
          RIP: 0010:kvm_arch_vcpu_ioctl_run+0x5296/0x7320 arch/x86/kvm/x86.c:8074
          Call Trace:
      	 kvm_vcpu_ioctl+0x5c8/0x1150 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2596
      	 vfs_ioctl fs/ioctl.c:46 [inline]
      	 file_ioctl fs/ioctl.c:509 [inline]
      	 do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
      	 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
      	 __do_sys_ioctl fs/ioctl.c:720 [inline]
      	 __se_sys_ioctl fs/ioctl.c:718 [inline]
      	 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
      	 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT14 msr
      and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
      However, the irqchip is not initialized by this simple testcase, so the
      ioapic/apic objects should not be accessed.
      
      This patch fixes it by also considering whether or not apic is present.
      
      Reported-by: syzbot+39810e6c400efadfef71@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      KVM: Fix UAF in nested posted interrupt processing · c2dd5146
      Cfir Cohen authored
      nested_get_vmcs12_pages() processes the posted_intr address in vmcs12. It
      caches the kmap()ed page object and pointer, however, it doesn't handle
      errors correctly: it's possible to cache a valid pointer, then release
      the page and later dereference the dangling pointer.
      
      I was able to reproduce with the following steps:
      
      1. Call vmlaunch with valid posted_intr_desc_addr but an invalid
      MSR_EFER. This causes nested_get_vmcs12_pages() to cache the kmap()ed
      pi_desc_page and pi_desc. Later the invalid EFER value fails
      check_vmentry_postreqs() which fails the first vmlaunch.
      
      2. Call vmlaunch with a valid EFER but an invalid posted_intr_desc_addr
      (I set it to 2G - 0x80). The second time we call nested_get_vmcs12_pages
      pi_desc_page is unmapped and released and pi_desc_page is set to NULL
      (the "shouldn't happen" clause). Due to the invalid
      posted_intr_desc_addr, kvm_vcpu_gpa_to_page() fails and
      nested_get_vmcs12_pages() returns. It doesn't return an error value so
      vmlaunch proceeds. Note that at this time we have a dangling pointer in
      vmx->nested.pi_desc and POSTED_INTR_DESC_ADDR in L0's vmcs.
      
      3. Issue an IPI in L2 guest code. This triggers a call to
      vmx_complete_nested_posted_interrupt() and pi_test_and_clear_on() which
      dereferences the dangling pointer.
      
      Vulnerable code requires nested and enable_apicv variables to be set to
      true. The host CPU must also support posted interrupts.
      
      Fixes: 5e2f30b7 "KVM: nVMX: get rid of nested_get_page()"
      Cc: stable@vger.kernel.org
      Reviewed-by: Andy Honig <ahonig@google.com>
      Signed-off-by: Cfir Cohen <cfir@google.com>
      Reviewed-by: Liran Alon <liran.alon@oracle.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
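The three steps above reduce to one caching pattern: a mapped page and a pointer into it are cached together, the page is released on the "shouldn't happen" path, but the pointer survives and a later consumer dereferences it. The following is an added example, not KVM code, that models that pattern in a toy: `pi_cache` stands in for `vmx->nested.pi_desc_page` / `vmx->nested.pi_desc`, `gpa_to_page()` for `kvm_vcpu_gpa_to_page()`, and `pi_consume()` for `pi_test_and_clear_on()`. The 8-page guest size, the function names and the descriptor layout are assumptions made for the example; the fixed refresh invalidates page and pointer together and reports failure so the caller can refuse the VM entry.

```c
/*
 * Added example, not KVM code: toy model of a cached (page, pointer) pair
 * whose buggy refresh leaves the pointer dangling after the page is released.
 * All names and the 8-page guest size are assumptions for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE      4096ULL
#define GUEST_MEM_SIZE (8 * PAGE_SIZE)   /* toy guest physical memory */

struct pi_cache {
    uint8_t  *page;   /* the mapped page (stands in for pi_desc_page) */
    uint32_t *desc;   /* pointer into that page (stands in for pi_desc) */
};

/* Toy kvm_vcpu_gpa_to_page(): a fresh zeroed page, or NULL if the GPA is not backed. */
static uint8_t *gpa_to_page(uint64_t gpa)
{
    if (gpa >= GUEST_MEM_SIZE)
        return NULL;
    return calloc(1, PAGE_SIZE);
}

static void release_page(uint8_t *page)
{
    free(page);
}

/* Pre-fix shape: the stale page is released but the cached pointer survives. */
static void refresh_pi_buggy(struct pi_cache *c, uint64_t desc_gpa)
{
    if (c->page) {
        release_page(c->page);
        c->page = NULL;               /* c->desc is left dangling */
    }
    uint8_t *page = gpa_to_page(desc_gpa);
    if (!page)
        return;                       /* failure is silent; the caller proceeds */
    c->page = page;
    c->desc = (uint32_t *)(page + (desc_gpa & (PAGE_SIZE - 1)));
}

/* Fixed shape: page and pointer are invalidated together and failure is reported. */
static bool refresh_pi_fixed(struct pi_cache *c, uint64_t desc_gpa)
{
    if (c->page) {
        release_page(c->page);
        c->page = NULL;
        c->desc = NULL;
    }
    uint8_t *page = gpa_to_page(desc_gpa);
    if (!page)
        return false;                 /* caller must fail the VM entry */
    c->page = page;
    c->desc = (uint32_t *)(page + (desc_gpa & (PAGE_SIZE - 1)));
    return true;
}

/* Toy consumer (pi_test_and_clear_on()): refuses a NULL descriptor instead of touching it. */
static int pi_consume(struct pi_cache *c)
{
    if (!c->desc)
        return -1;
    int on = (int)(*c->desc & 1u);
    *c->desc &= ~1u;
    return on;
}

/* Steps 1-2 of the report against the buggy refresh; true if a dangling pointer remains. */
static bool demo_buggy(void)
{
    struct pi_cache c = { NULL, NULL };
    refresh_pi_buggy(&c, 0x1000);                  /* step 1: valid descriptor address */
    refresh_pi_buggy(&c, (1ULL << 31) - 0x80);     /* step 2: 2G - 0x80, not backed */
    return c.page == NULL && c.desc != NULL;       /* step 3 would dereference c.desc */
}

/* Same sequence against the fixed refresh; true if the stale access is refused. */
static bool demo_fixed(void)
{
    struct pi_cache c = { NULL, NULL };
    if (!refresh_pi_fixed(&c, 0x1000))
        return false;
    bool reported = !refresh_pi_fixed(&c, (1ULL << 31) - 0x80);
    return reported && c.page == NULL && c.desc == NULL && pi_consume(&c) == -1;
}

int main(void)
{
    printf("buggy refresh leaves a dangling pointer: %s\n", demo_buggy() ? "yes" : "no");
    printf("fixed refresh refuses the stale access:  %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The point to carry over to other caches of mapped pages: whatever releases the mapping must also clear every cached pointer derived from it, and a refresh that cannot re-establish the mapping must fail loudly rather than return success with the cache half-populated.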
      KVM: fix unregistering coalesced mmio zone from wrong bus · 987d1149
      Eric Biggers authored
      If you register a kvm_coalesced_mmio_zone with '.pio = 0' but then
      unregister it with '.pio = 1', KVM_UNREGISTER_COALESCED_MMIO will try to
      unregister it from KVM_PIO_BUS rather than KVM_MMIO_BUS, which is a
      no-op.  But it frees the kvm_coalesced_mmio_dev anyway, causing a
      use-after-free.
      
      Fix it by only unregistering and freeing the zone if the correct value
      of 'pio' is provided.
      
      Reported-by: syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com
      Fixes: 0804c849 ("kvm/x86 : add coalesced pio support")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
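The bug class here is an unlink-then-free where the unlink is a silent no-op: the device is removed from whichever bus the caller named, and freed regardless of whether that removal actually happened. The following is an added example, not KVM code, that models the registry in a toy: two bus tables stand in for `KVM_MMIO_BUS` / `KVM_PIO_BUS`, `zones[]` for `kvm->coalesced_zones`, `bus_unregister()` for `kvm_io_bus_unregister_dev()`, and the `.pio` comparison in `unregister_zone_fixed()` is the check the commit adds. Names, table sizes and the sample zone are assumptions for the example.

```c
/*
 * Added example, not KVM code: toy registry of coalesced zones on two buses.
 * The buggy unregister frees a device even when the bus removal was a no-op;
 * the fixed one only tears down a zone whose .pio matches the request.
 * All names and sizes are assumptions for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { MMIO_BUS = 0, PIO_BUS = 1, NR_BUSES = 2 };
#define MAX_DEVS 8

struct zone { uint64_t addr; uint32_t size; bool pio; };
struct coalesced_dev { struct zone zone; };

static struct coalesced_dev *bus[NR_BUSES][MAX_DEVS];  /* toy kvm_io_bus tables */
static struct coalesced_dev *zones[MAX_DEVS];          /* toy kvm->coalesced_zones */

static int table_find(struct coalesced_dev **table, const struct coalesced_dev *dev)
{
    for (int i = 0; i < MAX_DEVS; i++)
        if (table[i] == dev)
            return i;
    return -1;
}

static int table_put(struct coalesced_dev **table, struct coalesced_dev *dev)
{
    for (int i = 0; i < MAX_DEVS; i++)
        if (!table[i]) {
            table[i] = dev;
            return i;
        }
    return -1;
}

static void registry_reset(void)
{
    for (int b = 0; b < NR_BUSES; b++)
        for (int i = 0; i < MAX_DEVS; i++)
            bus[b][i] = NULL;          /* may hold stale pointers after the buggy path */
    for (int i = 0; i < MAX_DEVS; i++) {
        free(zones[i]);
        zones[i] = NULL;
    }
}

static bool in_range(const struct coalesced_dev *dev, uint64_t addr, uint32_t size)
{
    return dev->zone.addr <= addr && addr + size <= dev->zone.addr + dev->zone.size;
}

static int register_zone(const struct zone *z)
{
    struct coalesced_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return -1;
    dev->zone = *z;
    int zi = table_put(zones, dev);
    if (zi < 0) {
        free(dev);
        return -1;
    }
    if (table_put(bus[z->pio ? PIO_BUS : MMIO_BUS], dev) < 0) {
        zones[zi] = NULL;
        free(dev);
        return -1;
    }
    return 0;
}

/* Toy kvm_io_bus_unregister_dev(): a silent no-op when dev is not on bus b. */
static void bus_unregister(int b, struct coalesced_dev *dev)
{
    int i = table_find(bus[b], dev);
    if (i >= 0)
        bus[b][i] = NULL;
}

/* Pre-fix shape: unregister from the bus the caller named, then free unconditionally. */
static void unregister_zone_buggy(const struct zone *z)
{
    for (int i = 0; i < MAX_DEVS; i++) {
        struct coalesced_dev *dev = zones[i];
        if (dev && in_range(dev, z->addr, z->size)) {
            bus_unregister(z->pio ? PIO_BUS : MMIO_BUS, dev);
            zones[i] = NULL;
            free(dev);                 /* the other bus may still point at dev */
        }
    }
}

/* Fixed shape: only a zone whose own .pio matches the request is torn down. */
static void unregister_zone_fixed(const struct zone *z)
{
    for (int i = 0; i < MAX_DEVS; i++) {
        struct coalesced_dev *dev = zones[i];
        if (dev && dev->zone.pio == z->pio && in_range(dev, z->addr, z->size)) {
            bus_unregister(z->pio ? PIO_BUS : MMIO_BUS, dev);
            zones[i] = NULL;
            free(dev);
        }
    }
}

/* Bus entries that no longer appear in zones[]: after the buggy path these point at freed memory. */
static int stale_entries(int b)
{
    int n = 0;
    for (int i = 0; i < MAX_DEVS; i++)
        if (bus[b][i] && table_find(zones, bus[b][i]) < 0)
            n++;
    return n;
}

static const struct zone mmio_zone   = { 0x1000, 0x100, false };
static const struct zone pio_request = { 0x1000, 0x100, true };   /* same range, wrong .pio */

static int demo_buggy(void)
{
    registry_reset();
    register_zone(&mmio_zone);
    unregister_zone_buggy(&pio_request);
    return stale_entries(MMIO_BUS);          /* 1: the MMIO bus still points at the freed dev */
}

static bool demo_fixed(void)
{
    registry_reset();
    register_zone(&mmio_zone);
    unregister_zone_fixed(&pio_request);     /* mismatch: nothing removed, nothing freed */
    bool still_live = stale_entries(MMIO_BUS) == 0 && zones[0] != NULL && bus[MMIO_BUS][0] == zones[0];
    unregister_zone_fixed(&mmio_zone);       /* matching request tears it down cleanly */
    return still_live && zones[0] == NULL && bus[MMIO_BUS][0] == NULL;
}

int main(void)
{
    printf("stale MMIO bus entries after buggy unregister: %d\n", demo_buggy());
    printf("fixed unregister keeps bus and list consistent: %s\n", demo_fixed() ? "yes" : "no");
    return 0;
}
```

The general rule the fix applies: never free an object on the strength of a caller-supplied description of where it lives; derive the bus from the object's own recorded state (or require the two to agree) before unlinking and freeing it.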
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · ddfbab46
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Three fixes: The t10-pi one is a regression from the 4.19 release, the
        qla2xxx one is a 4.20 merge window regression and the bnx2fc is a very
        old bug"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: t10-pi: Return correct ref tag when queue has no integrity profile
        scsi: bnx2fc: Fix NULL dereference in error handling
        Revert "scsi: qla2xxx: Fix NVMe Target discovery"
      SUNRPC: Remove xprt_connect_status() · abc13275
      Trond Myklebust authored
      Over the years, xprt_connect_status() has been superseded by
      call_connect_status(), which now handles all the errors that
      xprt_connect_status() does and more. Since the latter converts
      all errors that it doesn't recognise to EIO, then it is time
      for it to be retired.
      Reported-by: Chuck Lever <chuck.lever@oracle.com>
      Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
      Tested-by: Chuck Lever <chuck.lever@oracle.com>
      SUNRPC: Fix a race with XPRT_CONNECTING · cf76785d
      Trond Myklebust authored
      Ensure that we clear XPRT_CONNECTING before releasing the XPRT_LOCK so that
      we don't have races between the (asynchronous) socket setup code and
      tasks in xprt_connect().
      Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
      Tested-by: Chuck Lever <chuck.lever@oracle.com>
      SUNRPC: Fix disconnection races · 0445f92c
      Trond Myklebust authored
      When the socket is closed, we need to call xprt_disconnect_done() in order
      to clean up the XPRT_WRITE_SPACE flag, and wake up the sleeping tasks.
      
      However, we also want to ensure that we don't wake them up before the socket
      is closed, since that would cause thundering herd issues with everyone
      piling up to retransmit before the TCP shutdown dance has completed.
      Only the task that holds XPRT_LOCKED needs to wake up early in order to
      allow the close to complete.
      Reported-by: Dave Wysochanski <dwysocha@redhat.com>
      Reported-by: Scott Mayhew <smayhew@redhat.com>
      Cc: Chuck Lever <chuck.lever@oracle.com>
      Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
      Tested-by: Chuck Lever <chuck.lever@oracle.com>
      ima: cleanup the match_token policy code · 1a9430db
      Mimi Zohar authored
      Start the policy_tokens and the associated enumeration from zero,
      simplifying the pt macro.
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      security: don't use a negative Opt_err token index · 94c13f66
      Linus Torvalds authored
      The code uses a bitmap to check for duplicate tokens during parsing, and
      that doesn't work at all for the negative Opt_err token case.
      
      There is absolutely no reason to make Opt_err be negative, and in fact
      it only confuses things, since some of the affected functions actually
      return a positive Opt_xyz enum _or_ a regular negative error code (eg
      -EINVAL), and using -1 for Opt_err makes no sense.
      
      There are similar problems in ima_policy.c and key encryption, but they
      don't have the immediate bug wrt bitmap handling, and ima_policy.c in
      particular needs a different patch to make the enum values match the
      token array index.  Mimi is sending that separately.
      
      Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com
      Reported-by: Eric Biggers <ebiggers@kernel.org>
      Fixes: 5208cc83 ("keys, trusted: fix: *do not* allow duplicate key options")
      Fixes: 00d60fd3 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
      Cc: James Morris <jmorris@namei.org>
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Cc: Peter Huewe <peterhuewe@gmx.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>